--- /dev/null
+From stable+bounces-236097-greg=kroah.com@vger.kernel.org Mon Apr 13 16:17:11 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 10:07:40 -0400
+Subject: arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
+To: stable@vger.kernel.org
+Cc: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>, Martin Kepplinger <martin.kepplinger@puri.sm>, Shawn Guo <shawnguo@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413140742.2903986-2-sashal@kernel.org>
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 94b91e3ca6688fafd6a5dd70bd89fe9d3aee88da ]
+
+0.8V is outside of the operating voltage specified for imx8mq, see
+chapter 3.1.4 "Operating ranges" of the IMX8MDQLQCEC document.
+
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+@@ -821,7 +821,7 @@
+ regulator-ramp-delay = <1250>;
+ rohm,dvs-run-voltage = <880000>;
+ rohm,dvs-idle-voltage = <820000>;
+- rohm,dvs-suspend-voltage = <800000>;
++ rohm,dvs-suspend-voltage = <810000>;
+ regulator-always-on;
+ };
+
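Review bot: the new `rohm,dvs-suspend-voltage = <810000>` sits exactly on the 0.81V lower bound this series cites for VDD_SOC, leaving no margin for regulator tolerance. On its own the change is still marginal; it should only be carried together with 511f76bf1dce, which it is marked as a dependency of and which raises the value to 0.85V.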
--- /dev/null
+From stable+bounces-236099-greg=kroah.com@vger.kernel.org Mon Apr 13 16:19:36 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 10:07:42 -0400
+Subject: arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
+To: stable@vger.kernel.org
+Cc: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>, Frank Li <Frank.Li@nxp.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413140742.2903986-4-sashal@kernel.org>
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 511f76bf1dce5acf8907b65a7d1bc8f7e7c0d637 ]
+
+The minimal voltage of VDD_SOC sourced from BUCK1 is 0.81V, which
+is the currently set value. However, BD71837 only guarantees accuracy
+of ±0.01V, and this still doesn't factor other reasons for actual
+voltage to slightly drop in, resulting in the possibility of running
+out of the operational range.
+
+Bump the voltage up to 0.85V, which should give enough headroom.
+
+Cc: stable@vger.kernel.org
+Fixes: 8f0216b006e5 ("arm64: dts: Add a device tree for the Librem 5 phone")
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+@@ -821,7 +821,7 @@
+ regulator-ramp-delay = <1250>;
+ rohm,dvs-run-voltage = <900000>;
+ rohm,dvs-idle-voltage = <850000>;
+- rohm,dvs-suspend-voltage = <810000>;
++ rohm,dvs-suspend-voltage = <850000>;
+ regulator-always-on;
+ };
+
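Review bot: missing documentation in the BUCK1 node, where `rohm,dvs-suspend-voltage` now equals `rohm,dvs-idle-voltage` (both 850000) and nothing in the dtsi says why. A one-line comment stating that 0.81V is the VDD_SOC minimum and that the BD71837 is only accurate to ±0.01V would keep a later power-tuning patch from lowering the suspend value again.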
--- /dev/null
+From stable+bounces-236096-greg=kroah.com@vger.kernel.org Mon Apr 13 16:16:10 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 10:07:39 -0400
+Subject: arm64: dts: imx8mq-librem5: Set the DVS voltages lower
+To: stable@vger.kernel.org
+Cc: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>, Martin Kepplinger <martin.kepplinger@puri.sm>, Shawn Guo <shawnguo@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413140742.2903986-1-sashal@kernel.org>
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit c24a9b698fb02cd0723fa8375abab07f94b97b10 ]
+
+They're still in the operating range according to i.MX 8M Quad
+datasheet. There's some headroom added over minimal values to
+account for voltage drop.
+
+Operational ranges (min - typ - max [selected]):
+ - VDD_SOC (BUCK1): 0.81 - 0.9 - 0.99 [0.88]
+ - VDD_ARM (BUCK2): 0.81 - 0.9 - 1.05 [0.84] (1000MHz)
+ 0.90 - 1.0 - 1.05 [0.93] (1500MHz)
+ - VDD_GPU (BUCK3): 0.81 - 0.9 - 1.05 [0.85] (800MHz)
+ 0.90 - 1.0 - 1.05 [ -- ] (1000MHz)
+ - VDD_VPU (BUCK4): 0.81 - 0.9 - 1.05 [ -- ] (550/500/588MHz)
+ 0.90 - 1.0 - 1.05 [0.93] (660/600/800MHz)
+
+Idle power consumption doesn't appear to be influenced much,
+but a simple load test (`cat /dev/urandom | pigz - > /dev/null`
+combined with running Animatch) seems to show about 0.3W of
+difference.
+
+Care is advised, as there may be differences between each
+units in how low can they be undervolted - in my experience,
+reaching that point usually makes the phone fail to boot.
+In my case, it appears that my Birch phone can go down the most.
+
+This is a somewhat conservative set of values that I've seen
+working well on all my devices; I haven't tried very hard to
+optimize it, so more experiments are welcome.
+
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 2 -
+ arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 22 ++++++++++++++------
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
+@@ -7,7 +7,7 @@
+
+ &a53_opp_table {
+ opp-1000000000 {
+- opp-microvolt = <1000000>;
++ opp-microvolt = <950000>;
+ };
+ };
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+@@ -819,8 +819,8 @@
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+ regulator-ramp-delay = <1250>;
+- rohm,dvs-run-voltage = <900000>;
+- rohm,dvs-idle-voltage = <850000>;
++ rohm,dvs-run-voltage = <880000>;
++ rohm,dvs-idle-voltage = <820000>;
+ rohm,dvs-suspend-voltage = <800000>;
+ regulator-always-on;
+ };
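Review bot: the context line `rohm,dvs-suspend-voltage = <800000>` in the BUCK1 node is left untouched while run and idle are lowered, and 0.80V is below the 0.81V minimum the commit message lists for VDD_SOC (BUCK1). The suspend value should be brought into the operating range in the same change that tunes the other two.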
+@@ -831,8 +831,8 @@
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+ regulator-ramp-delay = <1250>;
+- rohm,dvs-run-voltage = <1000000>;
+- rohm,dvs-idle-voltage = <900000>;
++ rohm,dvs-run-voltage = <950000>;
++ rohm,dvs-idle-voltage = <850000>;
+ regulator-always-on;
+ };
+
+@@ -841,14 +841,14 @@
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+- rohm,dvs-run-voltage = <900000>;
++ rohm,dvs-run-voltage = <850000>;
+ };
+
+ buck4_reg: BUCK4 {
+ regulator-name = "buck4";
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1300000>;
+- rohm,dvs-run-voltage = <1000000>;
++ rohm,dvs-run-voltage = <930000>;
+ };
+
+ buck5_reg: BUCK5 {
+@@ -1379,3 +1379,13 @@
+ fsl,ext-reset-output;
+ status = "okay";
+ };
++
++&a53_opp_table {
++ opp-1000000000 {
++ opp-microvolt = <850000>;
++ };
++
++ opp-1500000000 {
++ opp-microvolt = <950000>;
++ };
++};
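Review bot: the `opp-microvolt` values added here (850000 for `opp-1000000000`, 950000 for `opp-1500000000`) do not match the selected VDD_ARM values in the commit message ([0.84] and [0.93]), and the r3 board file in the same patch overrides the 1000MHz entry to 950000. Either the table in the message or the values need correcting, or the difference should be explained in a comment next to the node.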
--- /dev/null
+From stable+bounces-239957-greg=kroah.com@vger.kernel.org Mon Apr 20 20:37:27 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2026 13:17:43 -0400
+Subject: ASoC: qcom: q6apm: move component registration to unmanaged version
+To: stable@vger.kernel.org
+Cc: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>, Stable@vger.kernel.org, Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260420171743.1388144-2-sashal@kernel.org>
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+[ Upstream commit 6ec1235fc941dac6c011b30ee01d9220ff87e0cd ]
+
+q6apm component registers dais dynamically from ASoC toplology, which
+are allocated using device managed version apis. Allocating both
+component and dynamic dais using managed version could lead to incorrect
+free ordering, dai will be freed while component still holding references
+to it.
+
+Fix this issue by moving component to unmanged version so
+that the dai pointers are only freeded after the component is removed.
+
+==================================================================
+BUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
+Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426
+Tainted: [W]=WARN
+Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024
+Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
+Call trace:
+ show_stack+0x28/0x7c (C)
+ dump_stack_lvl+0x60/0x80
+ print_report+0x160/0x4b4
+ kasan_report+0xac/0xfc
+ __asan_report_load8_noabort+0x20/0x34
+ snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
+ snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]
+ devm_component_release+0x30/0x5c [snd_soc_core]
+ devres_release_all+0x13c/0x210
+ device_unbind_cleanup+0x20/0x190
+ device_release_driver_internal+0x350/0x468
+ device_release_driver+0x18/0x30
+ bus_remove_device+0x1a0/0x35c
+ device_del+0x314/0x7f0
+ device_unregister+0x20/0xbc
+ apr_remove_device+0x5c/0x7c [apr]
+ device_for_each_child+0xd8/0x160
+ apr_pd_status+0x7c/0xa8 [apr]
+ pdr_notifier_work+0x114/0x240 [pdr_interface]
+ process_one_work+0x500/0xb70
+ worker_thread+0x630/0xfb0
+ kthread+0x370/0x6c0
+ ret_from_fork+0x10/0x20
+
+Allocated by task 77:
+ kasan_save_stack+0x40/0x68
+ kasan_save_track+0x20/0x40
+ kasan_save_alloc_info+0x44/0x58
+ __kasan_kmalloc+0xbc/0xdc
+ __kmalloc_node_track_caller_noprof+0x1f4/0x620
+ devm_kmalloc+0x7c/0x1c8
+ snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]
+ soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]
+ snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]
+ audioreach_tplg_init+0x124/0x1fc [snd_q6apm]
+ q6apm_audio_probe+0x10/0x1c [snd_q6apm]
+ snd_soc_component_probe+0x5c/0x118 [snd_soc_core]
+ soc_probe_component+0x44c/0xaf0 [snd_soc_core]
+ snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]
+ snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]
+ devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]
+ x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]
+ platform_probe+0xc0/0x188
+ really_probe+0x188/0x804
+ __driver_probe_device+0x158/0x358
+ driver_probe_device+0x60/0x190
+ __device_attach_driver+0x16c/0x2a8
+ bus_for_each_drv+0x100/0x194
+ __device_attach+0x174/0x380
+ device_initial_probe+0x14/0x20
+ bus_probe_device+0x124/0x154
+ deferred_probe_work_func+0x140/0x220
+ process_one_work+0x500/0xb70
+ worker_thread+0x630/0xfb0
+ kthread+0x370/0x6c0
+ ret_from_fork+0x10/0x20
+
+Freed by task 3426:
+ kasan_save_stack+0x40/0x68
+ kasan_save_track+0x20/0x40
+ __kasan_save_free_info+0x4c/0x80
+ __kasan_slab_free+0x78/0xa0
+ kfree+0x100/0x4a4
+ devres_release_all+0x144/0x210
+ device_unbind_cleanup+0x20/0x190
+ device_release_driver_internal+0x350/0x468
+ device_release_driver+0x18/0x30
+ bus_remove_device+0x1a0/0x35c
+ device_del+0x314/0x7f0
+ device_unregister+0x20/0xbc
+ apr_remove_device+0x5c/0x7c [apr]
+ device_for_each_child+0xd8/0x160
+ apr_pd_status+0x7c/0xa8 [apr]
+ pdr_notifier_work+0x114/0x240 [pdr_interface]
+ process_one_work+0x500/0xb70
+ worker_thread+0x630/0xfb0
+ kthread+0x370/0x6c0
+ ret_from_fork+0x10/0x20
+
+Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260402081118.348071-2-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm.c
++++ b/sound/soc/qcom/qdsp6/q6apm.c
+@@ -746,13 +746,22 @@ static int apm_probe(gpr_device_t *gdev)
+
+ q6apm_get_apm_state(apm);
+
+- ret = devm_snd_soc_register_component(dev, &q6apm_audio_component, NULL, 0);
++ ret = snd_soc_register_component(dev, &q6apm_audio_component, NULL, 0);
+ if (ret < 0) {
+ dev_err(dev, "failed to get register q6apm: %d\n", ret);
+ return ret;
+ }
+
+- return of_platform_populate(dev->of_node, NULL, NULL, dev);
++ ret = of_platform_populate(dev->of_node, NULL, NULL, dev);
++ if (ret)
++ snd_soc_unregister_component(dev);
++
++ return ret;
++}
++
++static void apm_remove(gpr_device_t *gdev)
++{
++ snd_soc_unregister_component(&gdev->dev);
+ }
+
+ struct audioreach_module *q6apm_find_module_by_mid(struct q6apm_graph *graph, uint32_t mid)
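Review bot: `apm_remove()` only calls `snd_soc_unregister_component()`, while `apm_probe()` also creates child devices with `of_platform_populate()`, and nothing in this hunk removes those children in the remove path. Confirm the bus tears them down before `.remove` runs, or add the matching `of_platform_depopulate()` ahead of the unregister so that no child can still reference the component while it is being removed.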
+@@ -819,6 +828,7 @@ MODULE_DEVICE_TABLE(of, apm_device_id);
+
+ static gpr_driver_t apm_driver = {
+ .probe = apm_probe,
++ .remove = apm_remove,
+ .gpr_callback = apm_callback,
+ .driver = {
+ .name = "qcom-apm",
--- /dev/null
+From stable+bounces-236136-greg=kroah.com@vger.kernel.org Mon Apr 13 17:26:04 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:20:05 -0400
+Subject: KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
+To: stable@vger.kernel.org
+Cc: David Woodhouse <dwmw@amazon.co.uk>, Sean Christopherson <seanjc@google.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413152005.3014972-1-sashal@kernel.org>
+
+From: David Woodhouse <dwmw@amazon.co.uk>
+
+[ Upstream commit 2619da73bb2f10d88f7e1087125c40144fdf0987 ]
+
+Commit 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with
+flexible-array members") broke the userspace API for C++.
+
+These structures ending in VLAs are typically a *header*, which can be
+followed by an arbitrary number of entries. Userspace typically creates
+a larger structure with some non-zero number of entries, for example in
+QEMU's kvm_arch_get_supported_msr_feature():
+
+ struct {
+ struct kvm_msrs info;
+ struct kvm_msr_entry entries[1];
+ } msr_data = {};
+
+While that works in C, it fails in C++ with an error like:
+ flexible array member 'kvm_msrs::entries' not at end of 'struct msr_data'
+
+Fix this by using __DECLARE_FLEX_ARRAY() for the VLA, which uses [0]
+for C++ compilation.
+
+Fixes: 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with flexible-array members")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Link: https://patch.msgid.link/3abaf6aefd6e5efeff3b860ac38421d9dec908db.camel@infradead.org
+[sean: tag for stable@]
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+[ applied `__DECLARE_FLEX_ARRAY(char, name)` change directly instead of inside missing `#ifdef __KERNEL__` else branch ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/uapi/asm/kvm.h | 12 ++++++------
+ include/uapi/linux/kvm.h | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/uapi/asm/kvm.h
++++ b/arch/x86/include/uapi/asm/kvm.h
+@@ -198,13 +198,13 @@ struct kvm_msrs {
+ __u32 nmsrs; /* number of msrs in entries */
+ __u32 pad;
+
+- struct kvm_msr_entry entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_msr_entry, entries);
+ };
+
+ /* for KVM_GET_MSR_INDEX_LIST */
+ struct kvm_msr_list {
+ __u32 nmsrs; /* number of msrs in entries */
+- __u32 indices[];
++ __DECLARE_FLEX_ARRAY(__u32, indices);
+ };
+
+ /* Maximum size of any access bitmap in bytes */
+@@ -241,7 +241,7 @@ struct kvm_cpuid_entry {
+ struct kvm_cpuid {
+ __u32 nent;
+ __u32 padding;
+- struct kvm_cpuid_entry entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry, entries);
+ };
+
+ struct kvm_cpuid_entry2 {
+@@ -263,7 +263,7 @@ struct kvm_cpuid_entry2 {
+ struct kvm_cpuid2 {
+ __u32 nent;
+ __u32 padding;
+- struct kvm_cpuid_entry2 entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry2, entries);
+ };
+
+ /* for KVM_GET_PIT and KVM_SET_PIT */
+@@ -394,7 +394,7 @@ struct kvm_xsave {
+ * the contents of CPUID leaf 0xD on the host.
+ */
+ __u32 region[1024];
+- __u32 extra[];
++ __DECLARE_FLEX_ARRAY(__u32, extra);
+ };
+
+ #define KVM_MAX_XCRS 16
+@@ -522,7 +522,7 @@ struct kvm_pmu_event_filter {
+ __u32 fixed_counter_bitmap;
+ __u32 flags;
+ __u32 pad[4];
+- __u64 events[];
++ __DECLARE_FLEX_ARRAY(__u64, events);
+ };
+
+ #define KVM_PMU_EVENT_ALLOW 0
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -11,6 +11,7 @@
+ #include <linux/const.h>
+ #include <linux/types.h>
+ #include <linux/compiler.h>
++#include <linux/stddef.h>
+ #include <linux/ioctl.h>
+ #include <asm/kvm.h>
+
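Review bot: `<linux/stddef.h>` is added only to include/uapi/linux/kvm.h, but the `__DECLARE_FLEX_ARRAY()` uses introduced in arch/x86/include/uapi/asm/kvm.h come with no include of their own (that file's diffstat is six replacements and nothing else). The x86 header then only builds when reached through `<linux/kvm.h>` or after something else has pulled in the macro; adding `#include <linux/stddef.h>` to asm/kvm.h as well would make it self-contained for userspace that includes it directly.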
+@@ -556,7 +557,7 @@ struct kvm_coalesced_mmio {
+
+ struct kvm_coalesced_mmio_ring {
+ __u32 first, last;
+- struct kvm_coalesced_mmio coalesced_mmio[];
++ __DECLARE_FLEX_ARRAY(struct kvm_coalesced_mmio, coalesced_mmio);
+ };
+
+ #define KVM_COALESCED_MMIO_MAX \
+@@ -635,7 +636,7 @@ struct kvm_clear_dirty_log {
+ /* for KVM_SET_SIGNAL_MASK */
+ struct kvm_signal_mask {
+ __u32 len;
+- __u8 sigset[];
++ __DECLARE_FLEX_ARRAY(__u8, sigset);
+ };
+
+ /* for KVM_TPR_ACCESS_REPORTING */
+@@ -1242,7 +1243,7 @@ struct kvm_irq_routing_entry {
+ struct kvm_irq_routing {
+ __u32 nr;
+ __u32 flags;
+- struct kvm_irq_routing_entry entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_irq_routing_entry, entries);
+ };
+
+ #endif
+@@ -1362,7 +1363,7 @@ struct kvm_dirty_tlb {
+
+ struct kvm_reg_list {
+ __u64 n; /* number of regs */
+- __u64 reg[];
++ __DECLARE_FLEX_ARRAY(__u64, reg);
+ };
+
+ struct kvm_one_reg {
+@@ -2183,7 +2184,7 @@ struct kvm_stats_desc {
+ __u16 size;
+ __u32 offset;
+ __u32 bucket_size;
+- char name[];
++ __DECLARE_FLEX_ARRAY(char, name);
+ };
+
+ #define KVM_GET_STATS_FD _IO(KVMIO, 0xce)
Signed-off-by: Alva Lan <alvalan9@foxmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- net/dsa/dsa2.c | 38 +++++++++++++++++++++++++++++++++++---
+ net/dsa/dsa2.c | 38 +++++++++++++++++++++++++++++++++++---
1 file changed, 35 insertions(+), 3 deletions(-)
-diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
-index 415e856ba0acf..9ecb5e34e484e 100644
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
-@@ -1738,12 +1738,44 @@ static int dsa_switch_parse(struct dsa_switch *ds, struct dsa_chip_data *cd)
+@@ -1738,12 +1738,44 @@ static int dsa_switch_parse(struct dsa_s
static void dsa_switch_release_ports(struct dsa_switch *ds)
{
list_del(&dp->list);
kfree(dp);
}
---
-2.53.0
-
--- /dev/null
+From stable+bounces-236148-greg=kroah.com@vger.kernel.org Mon Apr 13 17:50:09 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:43:43 -0400
+Subject: ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
+To: stable@vger.kernel.org
+Cc: Dmitry Antipov <dmantipov@yandex.ru>, syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com, Joseph Qi <joseph.qi@linux.alibaba.com>, Joseph Qi <jiangqi903@gmail.com>, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413154345.3124558-1-sashal@kernel.org>
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit a2b1c419ff72ec62ff5831684e30cd1d4f0b09ee ]
+
+In 'ocfs2_validate_inode_block()', add an extra check whether an inode
+with inline data (i.e. self-contained) has no clusters, thus preventing
+an invalid inode from being passed to 'ocfs2_evict_inode()' and below.
+
+Link: https://lkml.kernel.org/r/20251023141650.417129-1-dmantipov@yandex.ru
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
++ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
++ le32_to_cpu(di->i_clusters)) {
++ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
++ (unsigned long long)bh->b_blocknr,
++ le32_to_cpu(di->i_clusters));
++ goto bail;
++ }
++
+ rc = 0;
+
+ bail:
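Review bot: style point on the new `ocfs2_error()` format string, "Invalid dinode %llu: %u clusters". The other inline-data checks added to this function later in the series print the block number as `#%llu` and say which field is wrong; using "Invalid dinode #%llu: inline data has %u clusters" or similar would keep the log lines consistent and make the cause clear without reading the source.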
--- /dev/null
+From stable+bounces-236150-greg=kroah.com@vger.kernel.org Mon Apr 13 17:43:55 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:43:45 -0400
+Subject: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
+To: stable@vger.kernel.org
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>, syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413154345.3124558-3-sashal@kernel.org>
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+[ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ]
+
+KASAN reports a use-after-free write of 4086 bytes in
+ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
+copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
+a loop device. The actual bug is an out-of-bounds write past the inode
+block buffer, not a true use-after-free. The write overflows into an
+adjacent freed page, which KASAN reports as UAF.
+
+The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
+id_count field to determine whether a write fits in inline data. On a
+corrupted filesystem, id_count can exceed the physical maximum inline data
+capacity, causing writes to overflow the inode block buffer.
+
+Call trace (crash path):
+
+ vfs_copy_file_range (fs/read_write.c:1634)
+ do_splice_direct
+ splice_direct_to_actor
+ iter_file_splice_write
+ ocfs2_file_write_iter
+ generic_perform_write
+ ocfs2_write_end
+ ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
+ ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
+ memcpy_from_folio <-- KASAN: write OOB
+
+So add id_count upper bound check in ocfs2_validate_inode_block() to
+alongside the existing i_size check to fix it.
+
+Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1430,6 +1430,16 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
++ if (le16_to_cpu(data->id_count) >
++ ocfs2_max_inline_data_with_xattr(sb, di)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n",
++ (unsigned long long)bh->b_blocknr,
++ le16_to_cpu(data->id_count),
++ ocfs2_max_inline_data_with_xattr(sb, di));
++ goto bail;
++ }
++
+ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
+ rc = ocfs2_error(sb,
+ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
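Review bot: `ocfs2_max_inline_data_with_xattr(sb, di)` is evaluated twice in the new block, once in the comparison and once as the `ocfs2_error()` argument. Store it in a local so the value compared and the value logged cannot diverge, and check that the `%d` conversion matches the helper's return type given that `id_count` next to it is printed with `%u`. Placing this bound before the existing `i_size > id_count` check is the right order, since that check treats `id_count` as trusted.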
--- /dev/null
+From stable+bounces-236149-greg=kroah.com@vger.kernel.org Mon Apr 13 17:43:53 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:43:44 -0400
+Subject: ocfs2: validate inline data i_size during inode read
+To: stable@vger.kernel.org
+Cc: Deepanshu Kartikey <kartikey406@gmail.com>, syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi <joseph.qi@linux.alibaba.com>, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413154345.3124558-2-sashal@kernel.org>
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ]
+
+When reading an inode from disk, ocfs2_validate_inode_block() performs
+various sanity checks but does not validate the size of inline data. If
+the filesystem is corrupted, an inode's i_size can exceed the actual
+inline data capacity (id_count).
+
+This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
+buffer, triggering a use-after-free when accessing directory entries from
+freed memory.
+
+In the syzbot report:
+ - i_size was 1099511627576 bytes (~1TB)
+ - Actual inline data capacity (id_count) is typically <256 bytes
+ - A garbage rec_len (54648) caused ctx->pos to jump out of bounds
+ - This triggered a UAF in ocfs2_check_dir_entry()
+
+Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
+inodes with inline data have i_size <= id_count. This catches the
+corruption early during inode read and prevents all downstream code from
+operating on invalid data.
+
+Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
+Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1]
+Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2]
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,12 +1419,25 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
+- if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+- le32_to_cpu(di->i_clusters)) {
+- rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+- (unsigned long long)bh->b_blocknr,
+- le32_to_cpu(di->i_clusters));
+- goto bail;
++ if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) {
++ struct ocfs2_inline_data *data = &di->id2.i_data;
++
++ if (le32_to_cpu(di->i_clusters)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode %llu: %u clusters\n",
++ (unsigned long long)bh->b_blocknr,
++ le32_to_cpu(di->i_clusters));
++ goto bail;
++ }
++
++ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
++ (unsigned long long)bh->b_blocknr,
++ (unsigned long long)le64_to_cpu(di->i_size),
++ le16_to_cpu(data->id_count));
++ goto bail;
++ }
+ }
+
+ rc = 0;
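Review bot: the new `i_size > id_count` test compares one on-disk field against another, and `id_count` itself is not bounded against the inode block's real inline capacity anywhere in this hunk. A corrupted image that inflates both fields passes this check, so it does not yet bound accesses to the inline area; it needs the `id_count` upper-bound check from 7bc5da4842be, which this patch is marked as a dependency of, to be effective.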
--- /dev/null
+From stable+bounces-239965-greg=kroah.com@vger.kernel.org Mon Apr 20 20:27:35 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2026 13:29:14 -0400
+Subject: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
+To: stable@vger.kernel.org
+Cc: Koichiro Den <den@valinux.co.jp>, Manivannan Sadhasivam <mani@kernel.org>, Frank Li <Frank.Li@nxp.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260420172914.1421779-1-sashal@kernel.org>
+
+From: Koichiro Den <den@valinux.co.jp>
+
+[ Upstream commit d799984233a50abd2667a7d17a9a710a3f10ebe2 ]
+
+Disable the delayed work before clearing BAR mappings and doorbells to
+avoid running the handler after resources have been torn down.
+
+ Unable to handle kernel paging request at virtual address ffff800083f46004
+ [...]
+ Internal error: Oops: 0000000096000007 [#1] SMP
+ [...]
+ Call trace:
+ epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
+ process_one_work+0x154/0x3b0
+ worker_thread+0x2c8/0x400
+ kthread+0x148/0x210
+ ret_from_fork+0x10/0x20
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Koichiro Den <den@valinux.co.jp>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260226084142.2226875-4-den@valinux.co.jp
+[ replaced disable_delayed_work_sync() with cancel_delayed_work_sync() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -801,6 +801,7 @@ err_config_interrupt:
+ */
+ static void epf_ntb_epc_cleanup(struct epf_ntb *ntb)
+ {
++ cancel_delayed_work_sync(&ntb->cmd_handler);
+ epf_ntb_mw_bar_clear(ntb, ntb->num_mws);
+ epf_ntb_db_bar_clear(ntb);
+ epf_ntb_config_sspad_bar_clear(ntb);
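Review bot: the backport note says `disable_delayed_work_sync()` was replaced with `cancel_delayed_work_sync()` on the line added at the top of `epf_ntb_epc_cleanup()`. The cancel variant waits for a running handler but does not stop the work from being queued again afterwards, so the fix only holds if nothing can schedule `ntb->cmd_handler` once cleanup has started. Please state in the backport note which paths queue the work and why they cannot run concurrently with the BAR clears that follow.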
--- /dev/null
+From stable+bounces-236098-greg=kroah.com@vger.kernel.org Mon Apr 13 16:19:37 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 10:07:41 -0400
+Subject: Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower"
+To: stable@vger.kernel.org
+Cc: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>, Frank Li <Frank.Li@nxp.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413140742.2903986-3-sashal@kernel.org>
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 4cd46ea0eb4504f7f4fea92cb4601c5c9a3e545e ]
+
+This reverts commit c24a9b698fb02cd0723fa8375abab07f94b97b10.
+
+It's been found that there's a significant per-unit variance in accepted
+supply voltages and the current set still makes some units unstable.
+
+Revert back to nominal values.
+
+Cc: stable@vger.kernel.org
+Fixes: c24a9b698fb0 ("arm64: dts: imx8mq-librem5: Set the DVS voltages lower")
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 2 -
+ arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 22 +++++---------------
+ 2 files changed, 7 insertions(+), 17 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts
+@@ -7,7 +7,7 @@
+
+ &a53_opp_table {
+ opp-1000000000 {
+- opp-microvolt = <950000>;
++ opp-microvolt = <1000000>;
+ };
+ };
+
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+@@ -819,8 +819,8 @@
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+ regulator-ramp-delay = <1250>;
+- rohm,dvs-run-voltage = <880000>;
+- rohm,dvs-idle-voltage = <820000>;
++ rohm,dvs-run-voltage = <900000>;
++ rohm,dvs-idle-voltage = <850000>;
+ rohm,dvs-suspend-voltage = <810000>;
+ regulator-always-on;
+ };
+@@ -831,8 +831,8 @@
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+ regulator-ramp-delay = <1250>;
+- rohm,dvs-run-voltage = <950000>;
+- rohm,dvs-idle-voltage = <850000>;
++ rohm,dvs-run-voltage = <1000000>;
++ rohm,dvs-idle-voltage = <900000>;
+ regulator-always-on;
+ };
+
+@@ -841,14 +841,14 @@
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1300000>;
+ regulator-boot-on;
+- rohm,dvs-run-voltage = <850000>;
++ rohm,dvs-run-voltage = <900000>;
+ };
+
+ buck4_reg: BUCK4 {
+ regulator-name = "buck4";
+ regulator-min-microvolt = <700000>;
+ regulator-max-microvolt = <1300000>;
+- rohm,dvs-run-voltage = <930000>;
++ rohm,dvs-run-voltage = <1000000>;
+ };
+
+ buck5_reg: BUCK5 {
+@@ -1379,13 +1379,3 @@
+ fsl,ext-reset-output;
+ status = "okay";
+ };
+-
+-&a53_opp_table {
+- opp-1000000000 {
+- opp-microvolt = <850000>;
+- };
+-
+- opp-1500000000 {
+- opp-microvolt = <950000>;
+- };
+-};
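Review bot: removing the `&a53_opp_table` override here leaves imx8mq-librem5-r3.dts as the only board file in this patch that still overrides an OPP voltage, and only for opp-1000000000 (now 1000000). The commit message says "nominal values" without listing them or citing the datasheet section, unlike the BUCK1 patch earlier in this series; please name the source for the restored values and state whether the r3-only 1 GHz override is intentional.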
--- /dev/null
+From regressions+bounces-16329-greg=kroah.com@lists.linux.dev Tue Apr 14 04:17:08 2026
+From: guocai.he.cn@windriver.com
+Date: Tue, 14 Apr 2026 10:16:33 +0800
+Subject: Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, johannes.berg@intel.com, netdev@vger.kernel.org, regressions@lists.linux.dev, miriam.rachel.korenblit@intel.com
+Message-ID: <20260414021633.2765982-1-guocai.he.cn@windriver.com>
+
+From: Guocai He <guocai.he.cn@windriver.com>
+
+This reverts commit 0c4f1c02d27a880b10b58c63f574f13bed4f711d which is commit
+e1696c8bd0056bc1a5f7766f58ac333adc203e8a upstream.
+
+The reverted patch introduced a deadlock. The locking situation in mainline is
+totally different, so it is incorrect to directly backport the commit from mainline.
+
+Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1328,10 +1328,8 @@ void __cfg80211_leave(struct cfg80211_re
+ __cfg80211_leave_ocb(rdev, dev);
+ break;
+ case NL80211_IFTYPE_P2P_DEVICE:
+- cfg80211_stop_p2p_device(rdev, wdev);
+- break;
+ case NL80211_IFTYPE_NAN:
+- cfg80211_stop_nan(rdev, wdev);
++ /* cannot happen, has no netdev */
+ break;
+ case NL80211_IFTYPE_AP_VLAN:
+ case NL80211_IFTYPE_MONITOR:
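Review bot: the commit message justifies dropping cfg80211_stop_p2p_device() and cfg80211_stop_nan() with "introduced a deadlock" but does not name the lock that is taken twice or the call chain that reaches it. Please add that, so a later, correctly adapted backport can be checked against it. In the hunk itself, the restored comment "cannot happen, has no netdev" sits under `case NL80211_IFTYPE_NAN:` only, while NL80211_IFTYPE_P2P_DEVICE now falls through to the same break; moving the comment above both labels would make that explicit.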
--- /dev/null
+From stable+bounces-237694-greg=kroah.com@vger.kernel.org Tue Apr 14 03:28:56 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 21:28:47 -0400
+Subject: rxrpc: Fix call removal to use RCU safe deletion
+To: stable@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>, Marc Dionne <marc.dionne@auristor.com>, Jeffrey Altman <jaltman@auristor.com>, Linus Torvalds <torvalds@linux-foundation.org>, Simon Horman <horms@kernel.org>, linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260414012847.3835878-1-sashal@kernel.org>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 146d4ab94cf129ee06cd467cb5c71368a6b5bad6 ]
+
+Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu()
+rather than list_del_init() to prevent stuffing up reading
+/proc/net/rxrpc/calls from potentially getting into an infinite loop.
+
+This, however, means that list_empty() no longer works on an entry that's
+been deleted from the list, making it harder to detect prior deletion. Fix
+this by:
+
+Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that
+are unexpectedly still on the list. Limiting the number of steps means
+there's no need to call cond_resched() or to remove calls from the list
+here, thereby eliminating the need for rxrpc_put_call() to check for that.
+
+rxrpc_put_call() can then be fixed to unconditionally delete the call from
+the list as it is the only place that the deletion occurs.
+
+Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
+Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Linus Torvalds <torvalds@linux-foundation.org>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-5-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ adapted to older API ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/call_object.c | 22 ++++++++--------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+--- a/net/rxrpc/call_object.c
++++ b/net/rxrpc/call_object.c
+@@ -634,11 +634,9 @@ void rxrpc_put_call(struct rxrpc_call *c
+ _debug("call %d dead", call->debug_id);
+ ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE);
+
+- if (!list_empty(&call->link)) {
+- spin_lock_bh(&rxnet->call_lock);
+- list_del_init(&call->link);
+- spin_unlock_bh(&rxnet->call_lock);
+- }
++ spin_lock_bh(&rxnet->call_lock);
++ list_del_rcu(&call->link);
++ spin_unlock_bh(&rxnet->call_lock);
+
+ rxrpc_cleanup_call(call);
+ }
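Review bot: list_del_rcu(&call->link) is immediately followed by rxrpc_cleanup_call(call), so the entry must not be freed or reinitialised until an RCU grace period has passed, otherwise a reader walking /proc/net/rxrpc/calls can still step through it. Please confirm that rxrpc_cleanup_call() defers the free through RCU in this tree. With the list_empty() guard removed, this path also assumes every call reaching it was added to rxnet->calls exactly once; a comment stating that invariant would help.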
+@@ -709,24 +707,20 @@ void rxrpc_destroy_all_calls(struct rxrp
+ _enter("");
+
+ if (!list_empty(&rxnet->calls)) {
+- spin_lock_bh(&rxnet->call_lock);
++ int shown = 0;
+
+- while (!list_empty(&rxnet->calls)) {
+- call = list_entry(rxnet->calls.next,
+- struct rxrpc_call, link);
+- _debug("Zapping call %p", call);
++ spin_lock_bh(&rxnet->call_lock);
+
++ list_for_each_entry(call, &rxnet->calls, link) {
+ rxrpc_see_call(call);
+- list_del_init(&call->link);
+
+ pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n",
+ call, refcount_read(&call->ref),
+ rxrpc_call_states[call->state],
+ call->flags, call->events);
+
+- spin_unlock_bh(&rxnet->call_lock);
+- cond_resched();
+- spin_lock_bh(&rxnet->call_lock);
++ if (++shown >= 10)
++ break;
+ }
+
+ spin_unlock_bh(&rxnet->call_lock);
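Review bot: the loop in rxrpc_destroy_all_calls() now stops silently once `shown` reaches 10 and leaves every leftover call linked on rxnet->calls. Suggest logging that the dump was truncated when the limit is hit, and adding a comment that the list is intentionally left populated, so whatever runs after the unlock is not assumed to see an empty list.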
--- /dev/null
+From stable+bounces-237682-greg=kroah.com@vger.kernel.org Tue Apr 14 02:02:46 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 20:02:39 -0400
+Subject: rxrpc: Fix key quota calculation for multitoken keys
+To: stable@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>, Marc Dionne <marc.dionne@auristor.com>, Jeffrey Altman <jaltman@auristor.com>, Simon Horman <horms@kernel.org>, linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260414000239.3782404-1-sashal@kernel.org>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc ]
+
+In the rxrpc key preparsing, every token extracted sets the proposed quota
+value, but for multitoken keys, this will overwrite the previous proposed
+quota, losing it.
+
+Fix this by adding to the proposed quota instead.
+
+Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
+Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ dropped hunk for rxrpc_preparse_xdr_yfs_rxgk() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/key.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru
+ return -EKEYREJECTED;
+
+ plen = sizeof(*token) + sizeof(*token->kad) + tktlen;
+- prep->quotalen = datalen + plen;
++ prep->quotalen += datalen + plen;
+
+ plen -= sizeof(*token);
+ token = kzalloc(sizeof(*token), GFP_KERNEL);
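Review bot: `prep->quotalen += datalen + plen;` now accumulates per token, so it matters what `datalen` covers. If it is the length of the whole key payload rather than of this one token, each additional token charges the full payload again and a multitoken key is over-accounted. Please confirm which it is and, if it is the whole payload, add it once outside the per-token path.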
+@@ -303,6 +303,7 @@ static int rxrpc_preparse(struct key_pre
+ memcpy(&kver, prep->data, sizeof(kver));
+ prep->data += sizeof(kver);
+ prep->datalen -= sizeof(kver);
++ prep->quotalen = 0;
+
+ _debug("KEY I/F VERSION: %u", kver);
+
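Review bot: `prep->quotalen = 0;` is placed after the version word has been consumed in rxrpc_preparse(), so the `+=` added to rxrpc_preparse_xdr_rxkad() in the first hunk only starts from zero if that function is reached after this line. If the XDR path branches off earlier in rxrpc_preparse(), the accumulation there starts from whatever the caller left in prep->quotalen; resetting at function entry would cover both paths.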
+@@ -340,7 +341,7 @@ static int rxrpc_preparse(struct key_pre
+ goto error;
+
+ plen = sizeof(*token->kad) + v1->ticket_length;
+- prep->quotalen = plen + sizeof(*token);
++ prep->quotalen += plen + sizeof(*token);
+
+ ret = -ENOMEM;
+ token = kzalloc(sizeof(*token), GFP_KERNEL);
--- /dev/null
+From stable+bounces-240393-greg=kroah.com@vger.kernel.org Thu Apr 23 00:25:09 2026
+From: Jay Wang <wanjay@amazon.com>
+Date: Wed, 22 Apr 2026 22:24:31 +0000
+Subject: rxrpc: Fix recvmsg() unconditional requeue
+To: <stable@vger.kernel.org>
+Cc: <dhowells@redhat.com>, <marc.dionne@auristor.com>, <davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>, <pabeni@redhat.com>, <netdev@vger.kernel.org>, <linux-afs@lists.infradead.org>, <jay.wang.upstream@gmail.com>, Faith <faith@zellic.io>, Pumpkin Chang <pumpkin@devco.re>
+Message-ID: <20260422222431.7187-1-wanjay@amazon.com>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 2c28769a51deb6022d7fbd499987e237a01dd63a ]
+
+If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call
+at the front of the recvmsg queue already has its mutex locked, it
+requeues the call - whether or not the call is already queued. The call
+may be on the queue because MSG_PEEK was also passed and so the call was
+not dequeued or because the I/O thread requeued it.
+
+The unconditional requeue may then corrupt the recvmsg queue, leading to
+things like UAFs or refcount underruns.
+
+Fix this by only requeuing the call if it isn't already on the queue -
+and moving it to the front if it is already queued. If we don't queue
+it, we have to put the ref we obtained by dequeuing it.
+
+Also, MSG_PEEK doesn't dequeue the call so shouldn't call
+rxrpc_notify_socket() for the call if we didn't use up all the data on
+the queue, so fix that also.
+
+Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
+Reported-by: Faith <faith@zellic.io>
+Reported-by: Pumpkin Chang <pumpkin@devco.re>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: stable@vger.kernel.org
+[Adapted to 6.1: use write_lock_bh/write_unlock_bh, trace_rxrpc_call
+ directly for see-call tracing, and 6.1 trace enum naming convention.]
+Signed-off-by: Jay Wang <wanjay@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/rxrpc.h | 4 ++++
+ net/rxrpc/recvmsg.c | 22 ++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -82,9 +82,13 @@
+ EM(rxrpc_call_put_notimer, "PnT") \
+ EM(rxrpc_call_put_timer, "PTM") \
+ EM(rxrpc_call_put_userid, "Pus") \
++ EM(rxrpc_call_put_recvmsg_peek_nowait, "PpN") \
+ EM(rxrpc_call_queued, "QUE") \
+ EM(rxrpc_call_queued_ref, "QUR") \
+ EM(rxrpc_call_release, "RLS") \
++ EM(rxrpc_call_see_recvmsg_requeue, "SrQ") \
++ EM(rxrpc_call_see_recvmsg_requeue_first,"SrF") \
++ EM(rxrpc_call_see_recvmsg_requeue_move, "SrM") \
+ E_(rxrpc_call_seen, "SEE")
+
+ #define rxrpc_transmit_traces \
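Review bot: two of the three new `rxrpc_call_see_recvmsg_requeue*` values are passed to rxrpc_put_call() in the recvmsg.c hunk below, so a trace line tagged "SrF" or "SrM" actually records a reference being dropped, not a see event. Naming them `rxrpc_call_put_recvmsg_requeue_*` would keep the trace output honest for anyone chasing a refcount underrun. Also, `EM(rxrpc_call_see_recvmsg_requeue_first,"SrF")` lacks the whitespace after the comma that the neighbouring entries have.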
+--- a/net/rxrpc/recvmsg.c
++++ b/net/rxrpc/recvmsg.c
+@@ -607,7 +607,8 @@ try_again:
+
+ if (after(call->rx_top, call->rx_hard_ack) &&
+ call->rxtx_buffer[(call->rx_hard_ack + 1) & RXRPC_RXTX_BUFF_MASK])
+- rxrpc_notify_socket(call);
++ if (!(flags & MSG_PEEK))
++ rxrpc_notify_socket(call);
+ break;
+ default:
+ ret = 0;
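Review bot: the new `if (!(flags & MSG_PEEK))` is nested under the multi-line `if (after(...) && call->rxtx_buffer[...])` without braces on the outer statement, which is easy to misread and against kernel style for a nested body. Either fold the MSG_PEEK test into the outer condition or brace the outer if.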
+@@ -642,11 +643,24 @@ error_unlock_call:
+ error_requeue_call:
+ if (!(flags & MSG_PEEK)) {
+ write_lock_bh(&rx->recvmsg_lock);
+- list_add(&call->recvmsg_link, &rx->recvmsg_q);
+- write_unlock_bh(&rx->recvmsg_lock);
++ if (list_empty(&call->recvmsg_link)) {
++ list_add(&call->recvmsg_link, &rx->recvmsg_q);
++ trace_rxrpc_call(call->debug_id,
++ rxrpc_call_see_recvmsg_requeue,
++ refcount_read(&call->ref),
++ __builtin_return_address(0), NULL);
++ write_unlock_bh(&rx->recvmsg_lock);
++ } else if (list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) {
++ write_unlock_bh(&rx->recvmsg_lock);
++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first);
++ } else {
++ list_move(&call->recvmsg_link, &rx->recvmsg_q);
++ write_unlock_bh(&rx->recvmsg_lock);
++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move);
++ }
+ trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0);
+ } else {
+- rxrpc_put_call(call, rxrpc_call_put);
++ rxrpc_put_call(call, rxrpc_call_put_recvmsg_peek_nowait);
+ }
+ error_no_call:
+ release_sock(&rx->sk);
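Review bot: `list_empty(&call->recvmsg_link)` in error_requeue_call is only a valid "not queued" test if every removal of a call from rx->recvmsg_q reinitialises the link (list_del_init() rather than list_del()). Please confirm that holds for all dequeue sites in this 6.1 tree, because a stale link here would send the call down the list_is_first()/list_move() branches and drop a reference for a call that is not on the queue. The three branches also each repeat write_unlock_bh(); computing a "put needed" flag under the lock and unlocking once would make the ref handling easier to audit.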
--- /dev/null
+From stable+bounces-237838-greg=kroah.com@vger.kernel.org Tue Apr 14 13:56:27 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Apr 2026 07:52:36 -0400
+Subject: rxrpc: reject undecryptable rxkad response tickets
+To: stable@vger.kernel.org
+Cc: Yuqi Xu <xuyuqiabc@gmail.com>, Yifan Wu <yifanwucs@gmail.com>, Juefei Pu <tomapufckgml@gmail.com>, Yuan Tan <yuantan098@gmail.com>, Xin Liu <bird@lzu.edu.cn>, Ren Wei <enjou1224z@gmail.com>, Ren Wei <n05ec@lzu.edu.cn>, David Howells <dhowells@redhat.com>, Marc Dionne <marc.dionne@auristor.com>, Simon Horman <horms@kernel.org>, linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260414115236.537968-1-sashal@kernel.org>
+
+From: Yuqi Xu <xuyuqiabc@gmail.com>
+
+[ Upstream commit fe4447cd95623b1cfacc15f280aab73a6d7340b2 ]
+
+rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then
+parses the buffer as plaintext without checking whether
+crypto_skcipher_decrypt() succeeded.
+
+A malformed RESPONSE can therefore use a non-block-aligned ticket
+length, make the decrypt operation fail, and still drive the ticket
+parser with attacker-controlled bytes.
+
+Check the decrypt result and abort the connection with RXKADBADTICKET
+when ticket decryption fails.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ren Wei <enjou1224z@gmail.com>
+Signed-off-by: Yuqi Xu <xuyuqiabc@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-12-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ adapted `rxrpc_abort_conn()` call to existing `goto other_error` error-handling pattern ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/rxkad.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -1013,8 +1013,13 @@ static int rxkad_decrypt_ticket(struct r
+ sg_init_one(&sg[0], ticket, ticket_len);
+ skcipher_request_set_callback(req, 0, NULL, NULL);
+ skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
+- crypto_skcipher_decrypt(req);
++ ret = crypto_skcipher_decrypt(req);
+ skcipher_request_free(req);
++ if (ret < 0) {
++ abort_code = RXKADBADTICKET;
++ ret = -EPROTO;
++ goto other_error;
++ }
+
+ p = ticket;
+ end = p + ticket_len;
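Review bot: ticket_len still reaches skcipher_request_set_crypt() unchecked, so the malformed case described in the commit message is caught only by the return value of crypto_skcipher_decrypt(). Consider also rejecting a ticket_len that is not a multiple of the cipher block size before the request is built, so the rejection does not depend on how a given crypto driver reports the error. Freeing the request before testing `ret` is right, since it is released on both paths.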
--- /dev/null
+From stable+bounces-239947-greg=kroah.com@vger.kernel.org Mon Apr 20 20:11:41 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2026 12:38:51 -0400
+Subject: scripts: generate_rust_analyzer.py: define scripts
+To: stable@vger.kernel.org
+Cc: Tamir Duberstein <tamird@kernel.org>, Daniel Almeida <daniel.almeida@collabora.com>, Fiona Behrens <me@kloenk.dev>, Trevor Gross <tmgross@umich.edu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260420163851.1302521-1-sashal@kernel.org>
+
+From: Tamir Duberstein <tamird@kernel.org>
+
+[ Upstream commit 36c619f6bd793493294becb10a02fea370b67a91 ]
+
+Add IDE support for host-side scripts written in Rust. This support has
+been missing since these scripts were initially added in commit
+9a8ff24ce584 ("scripts: add `generate_rust_target.rs`"), thus add it.
+
+Change the existing instance of extension stripping to
+`pathlib.Path.stem` to maintain code consistency.
+
+Fixes: 9a8ff24ce584 ("scripts: add `generate_rust_target.rs`")
+Cc: stable@vger.kernel.org
+Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
+Reviewed-by: Fiona Behrens <me@kloenk.dev>
+Reviewed-by: Trevor Gross <tmgross@umich.edu>
+Link: https://patch.msgid.link/20260122-rust-analyzer-scripts-v1-1-ff6ba278170e@kernel.org
+Signed-off-by: Tamir Duberstein <tamird@kernel.org>
+[ changed `[std]` dep to `["std"]` and kept untyped `is_root_crate()` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/generate_rust_analyzer.py | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/scripts/generate_rust_analyzer.py
++++ b/scripts/generate_rust_analyzer.py
+@@ -113,6 +113,18 @@ def generate_crates(srctree, objtree, sy
+ "exclude_dirs": [],
+ }
+
++ scripts = srctree / "scripts"
++ makefile = (scripts / "Makefile").read_text()
++ for path in scripts.glob("*.rs"):
++ name = path.stem
++ if f"{name}-rust" not in makefile:
++ continue
++ append_crate(
++ name,
++ path,
++ ["std"],
++ )
++
+ def is_root_crate(build_file, target):
+ try:
+ contents = build_file.read_text()
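Review bot: `if f"{name}-rust" not in makefile:` is a plain substring test on the whole Makefile text, so it also matches inside comments and inside longer target names that end in the same string. Matching on a word boundary (for example with a regular expression over the hostprogs lines) would avoid registering a script that is not actually built. The new `(scripts / "Makefile").read_text()` is also unguarded, while is_root_crate() just below wraps the same call in `try:`.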
+@@ -129,7 +141,7 @@ def generate_crates(srctree, objtree, sy
+ for folder in extra_dirs:
+ for path in folder.rglob("*.rs"):
+ logging.info("Checking %s", path)
+- name = path.name.replace(".rs", "")
++ name = path.stem
+
+ # Skip those that are not crate roots.
+ if not is_root_crate(path.parent / "Makefile", name) and \
--- /dev/null
+From stable+bounces-240432-greg=kroah.com@vger.kernel.org Thu Apr 23 09:30:07 2026
+From: Robert Garcia <rob_garcia@163.com>
+Date: Thu, 23 Apr 2026 15:28:21 +0800
+Subject: scsi: ufs: core: Fix use-after free in init error and remove paths
+To: stable@vger.kernel.org, "André Draszik" <andre.draszik@linaro.org>
+Cc: "Martin K . Petersen" <martin.petersen@oracle.com>, Robert Garcia <rob_garcia@163.com>, Bean Huo <beanhuo@micron.com>, Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>, Eric Biggers <ebiggers@kernel.org>, Alim Akhtar <alim.akhtar@samsung.com>, Avri Altman <avri.altman@wdc.com>, Bart Van Assche <bvanassche@acm.org>, "James E . J . Bottomley" <jejb@linux.ibm.com>, Sasha Levin <sashal@kernel.org>, Peter Wang <peter.wang@mediatek.com>, Wang Shuaiwei <wangshuaiwei1@xiaomi.com>, Eric Biggers <ebiggers@google.com>, Manish Pandey <quic_mapa@quicinc.com>, Brian Kao <powenkao@google.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Adrian Hunter <adrian.hunter@intel.com>, Archana Patni <archana.patni@intel.com>, Arnd Bergmann <arnd@arndb.de>, Jens Axboe <axboe@kernel.dk>, Ulf Hansson <ulf.hansson@linaro.org>, Mike Snitzer <snitzer@redhat.com>, Satya Tangirala <satyat@google.com>, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
+Message-ID: <20260423072821.3454022-1-rob_garcia@163.com>
+
+From: André Draszik <andre.draszik@linaro.org>
+
+[ Upstream commit f8fb2403ddebb5eea0033d90d9daae4c88749ada ]
+
+devm_blk_crypto_profile_init() registers a cleanup handler to run when
+the associated (platform-) device is being released. For UFS, the
+crypto private data and pointers are stored as part of the ufs_hba's
+data structure 'struct ufs_hba::crypto_profile'. This structure is
+allocated as part of the underlying ufshcd and therefore Scsi_host
+allocation.
+
+During driver release or during error handling in ufshcd_pltfrm_init(),
+this structure is released as part of ufshcd_dealloc_host() before the
+(platform-) device associated with the crypto call above is released.
+Once this device is released, the crypto cleanup code will run, using
+the just-released 'struct ufs_hba::crypto_profile'. This causes a
+use-after-free situation:
+
+ Call trace:
+ kfree+0x60/0x2d8 (P)
+ kvfree+0x44/0x60
+ blk_crypto_profile_destroy_callback+0x28/0x70
+ devm_action_release+0x1c/0x30
+ release_nodes+0x6c/0x108
+ devres_release_all+0x98/0x100
+ device_unbind_cleanup+0x20/0x70
+ really_probe+0x218/0x2d0
+
+In other words, the initialisation code flow is:
+
+ platform-device probe
+ ufshcd_pltfrm_init()
+ ufshcd_alloc_host()
+ scsi_host_alloc()
+ allocation of struct ufs_hba
+ creation of scsi-host devices
+ devm_blk_crypto_profile_init()
+ devm registration of cleanup handler using platform-device
+
+and during error handling of ufshcd_pltfrm_init() or during driver
+removal:
+
+ ufshcd_dealloc_host()
+ scsi_host_put()
+ put_device(scsi-host)
+ release of struct ufs_hba
+ put_device(platform-device)
+ crypto cleanup handler
+
+To fix this use-after free, change ufshcd_alloc_host() to register a
+devres action to automatically cleanup the underlying SCSI device on
+ufshcd destruction, without requiring explicit calls to
+ufshcd_dealloc_host(). This way:
+
+ * the crypto profile and all other ufs_hba-owned resources are
+ destroyed before SCSI (as they've been registered after)
+ * a memleak is plugged in tc-dwc-g210-pci.c remove() as a
+ side-effect
+ * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as
+ it's not needed anymore
+ * no future drivers using ufshcd_alloc_host() could ever forget
+ adding the cleanup
+
+Fixes: cb77cb5abe1f ("blk-crypto: rename blk_keyslot_manager to blk_crypto_profile")
+Fixes: d76d9d7d1009 ("scsi: ufs: use devm_blk_ksm_init()")
+Cc: stable@vger.kernel.org
+Signed-off-by: André Draszik <andre.draszik@linaro.org>
+Link: https://lore.kernel.org/r/20250124-ufshcd-fix-v4-1-c5d0144aae59@linaro.org
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ Delete modifications about ufshcd_parse_operating_points() for it's added from
+commit 72208ebe181e3("scsi: ufs: core: Add support for parsing OPP")
+and that in ufshcd_pltfrm_remove() for it's added from commit
+897df60c16d54("scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()"). ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 31 +++++++++++++++++++++----------
+ drivers/ufs/host/ufshcd-pci.c | 2 --
+ drivers/ufs/host/ufshcd-pltfrm.c | 25 ++++++++-----------------
+ include/ufs/ufshcd.h | 1 -
+ 4 files changed, 29 insertions(+), 30 deletions(-)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -9662,16 +9662,6 @@ void ufshcd_remove(struct ufs_hba *hba)
+ EXPORT_SYMBOL_GPL(ufshcd_remove);
+
+ /**
+- * ufshcd_dealloc_host - deallocate Host Bus Adapter (HBA)
+- * @hba: pointer to Host Bus Adapter (HBA)
+- */
+-void ufshcd_dealloc_host(struct ufs_hba *hba)
+-{
+- scsi_host_put(hba->host);
+-}
+-EXPORT_SYMBOL_GPL(ufshcd_dealloc_host);
+-
+-/**
+ * ufshcd_set_dma_mask - Set dma mask based on the controller
+ * addressing capability
+ * @hba: per adapter instance
+@@ -9690,10 +9680,24 @@ static int ufshcd_set_dma_mask(struct uf
+ }
+
+ /**
++ * ufshcd_devres_release - devres cleanup handler, invoked during release of
++ * hba->dev
++ * @host: pointer to SCSI host
++ */
++static void ufshcd_devres_release(void *host)
++{
++ scsi_host_put(host);
++}
++
++/**
+ * ufshcd_alloc_host - allocate Host Bus Adapter (HBA)
+ * @dev: pointer to device handle
+ * @hba_handle: driver private handle
+ * Returns 0 on success, non-zero value on failure
++ *
++ * NOTE: There is no corresponding ufshcd_dealloc_host() because this function
++ * keeps track of its allocations using devres and deallocates everything on
++ * device removal automatically.
+ */
+ int ufshcd_alloc_host(struct device *dev, struct ufs_hba **hba_handle)
+ {
+@@ -9715,6 +9719,13 @@ int ufshcd_alloc_host(struct device *dev
+ err = -ENOMEM;
+ goto out_error;
+ }
++
++ err = devm_add_action_or_reset(dev, ufshcd_devres_release,
++ host);
++ if (err)
++ return dev_err_probe(dev, err,
++ "failed to add ufshcd dealloc action\n");
++
+ host->nr_maps = HCTX_TYPE_POLL + 1;
+ hba = shost_priv(host);
+ hba->host = host;
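Review bot: the new `return dev_err_probe(...)` leaves ufshcd_alloc_host() directly while the allocation failure two lines above uses `goto out_error`. The direct return is correct only because devm_add_action_or_reset() has already invoked ufshcd_devres_release() on failure; please add a one-line comment saying so, so a later cleanup does not route this through a path that drops the host a second time.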
+--- a/drivers/ufs/host/ufshcd-pci.c
++++ b/drivers/ufs/host/ufshcd-pci.c
+@@ -629,7 +629,6 @@ static void ufshcd_pci_remove(struct pci
+ pm_runtime_forbid(&pdev->dev);
+ pm_runtime_get_noresume(&pdev->dev);
+ ufshcd_remove(hba);
+- ufshcd_dealloc_host(hba);
+ }
+
+ /**
+@@ -674,7 +673,6 @@ ufshcd_pci_probe(struct pci_dev *pdev, c
+ err = ufshcd_init(hba, mmio_base, pdev->irq);
+ if (err) {
+ dev_err(&pdev->dev, "Initialization failed\n");
+- ufshcd_dealloc_host(hba);
+ return err;
+ }
+
+--- a/drivers/ufs/host/ufshcd-pltfrm.c
++++ b/drivers/ufs/host/ufshcd-pltfrm.c
+@@ -343,21 +343,17 @@ int ufshcd_pltfrm_init(struct platform_d
+ struct device *dev = &pdev->dev;
+
+ mmio_base = devm_platform_ioremap_resource(pdev, 0);
+- if (IS_ERR(mmio_base)) {
+- err = PTR_ERR(mmio_base);
+- goto out;
+- }
++ if (IS_ERR(mmio_base))
++ return PTR_ERR(mmio_base);
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq < 0) {
+- err = irq;
+- goto out;
+- }
++ if (irq < 0)
++ return irq;
+
+ err = ufshcd_alloc_host(dev, &hba);
+ if (err) {
+ dev_err(dev, "Allocation failed\n");
+- goto out;
++ return err;
+ }
+
+ hba->vops = vops;
+@@ -366,13 +362,13 @@ int ufshcd_pltfrm_init(struct platform_d
+ if (err) {
+ dev_err(dev, "%s: clock parse failed %d\n",
+ __func__, err);
+- goto dealloc_host;
++ return err;
+ }
+ err = ufshcd_parse_regulator_info(hba);
+ if (err) {
+ dev_err(dev, "%s: regulator init failed %d\n",
+ __func__, err);
+- goto dealloc_host;
++ return err;
+ }
+
+ ufshcd_init_lanes_per_dir(hba);
+@@ -380,18 +376,13 @@ int ufshcd_pltfrm_init(struct platform_d
+ err = ufshcd_init(hba, mmio_base, irq);
+ if (err) {
+ dev_err(dev, "Initialization failed\n");
+- goto dealloc_host;
++ return err;
+ }
+
+ pm_runtime_set_active(dev);
+ pm_runtime_enable(dev);
+
+ return 0;
+-
+-dealloc_host:
+- ufshcd_dealloc_host(hba);
+-out:
+- return err;
+ }
+ EXPORT_SYMBOL_GPL(ufshcd_pltfrm_init);
+
+--- a/include/ufs/ufshcd.h
++++ b/include/ufs/ufshcd.h
+@@ -1063,7 +1063,6 @@ static inline void ufshcd_rmwl(struct uf
+ }
+
+ int ufshcd_alloc_host(struct device *, struct ufs_hba **);
+-void ufshcd_dealloc_host(struct ufs_hba *);
+ int ufshcd_hba_enable(struct ufs_hba *hba);
+ int ufshcd_init(struct ufs_hba *, void __iomem *, unsigned int);
+ int ufshcd_link_recovery(struct ufs_hba *hba);
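Review bot: with the prototype and the export of ufshcd_dealloc_host() gone, any remaining caller in this stable tree fails to build, and the diffstat converts only ufshcd-pci.c and ufshcd-pltfrm.c. The commit message names tc-dwc-g210-pci.c as affected and the backport note says the ufshcd_pltfrm_remove() change was dropped; please confirm by grep that no other host driver here still calls ufshcd_dealloc_host(), and mention the result in the backport note.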
gfs2-validate-i_depth-for-exhash-directories.patch
wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
net-dsa-clean-up-fdb-mdb-vlan-entries-on-unbind.patch
+arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
+arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch
+revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
+arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch
+ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
+ocfs2-validate-inline-data-i_size-during-inode-read.patch
+ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
+rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
+rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
+revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
+rxrpc-reject-undecryptable-rxkad-response-tickets.patch
+kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
+ublk-fix-deadlock-when-reading-partition-table.patch
+scripts-generate_rust_analyzer.py-define-scripts.patch
+pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
+soc-qcom-apr-make-remove-callback-of-apr-driver-void-returned.patch
+asoc-qcom-q6apm-move-component-registration-to-unmanaged-version.patch
+rxrpc-fix-recvmsg-unconditional-requeue.patch
+scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch
--- /dev/null
+From stable+bounces-239956-greg=kroah.com@vger.kernel.org Mon Apr 20 19:57:37 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Apr 2026 13:17:42 -0400
+Subject: soc: qcom: apr: make remove callback of apr driver void returned
+To: stable@vger.kernel.org
+Cc: Dawei Li <set_pte_at@outlook.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260420171743.1388144-1-sashal@kernel.org>
+
+From: Dawei Li <set_pte_at@outlook.com>
+
+[ Upstream commit 33ae3d0955943ac5bacfcb6911cf7cb74822bf8c ]
+
+Since commit fc7a6209d571 ("bus: Make remove callback return void")
+forces bus_type::remove be void-returned, it doesn't make much sense
+for any bus based driver implementing remove callbalk to return
+non-void to its caller.
+
+As such, change the remove function for apr bus based drivers to
+return void.
+
+Signed-off-by: Dawei Li <set_pte_at@outlook.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/TYCP286MB23232B7968D34DB8323B0F16CAFB9@TYCP286MB2323.JPNP286.PROD.OUTLOOK.COM
+Stable-dep-of: 6ec1235fc941 ("ASoC: qcom: q6apm: move component registration to unmanaged version")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/soc/qcom/apr.h | 2 +-
+ sound/soc/qcom/qdsp6/q6core.c | 4 +---
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/include/linux/soc/qcom/apr.h
++++ b/include/linux/soc/qcom/apr.h
+@@ -153,7 +153,7 @@ typedef struct apr_device gpr_device_t;
+
+ struct apr_driver {
+ int (*probe)(struct apr_device *sl);
+- int (*remove)(struct apr_device *sl);
++ void (*remove)(struct apr_device *sl);
+ int (*callback)(struct apr_device *a,
+ struct apr_resp_pkt *d);
+ int (*gpr_callback)(struct gpr_resp_pkt *d, void *data, int op);
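Review bot: changing `remove` in struct apr_driver to return void affects every driver that fills in that member, but the diffstat converts only sound/soc/qcom/qdsp6/q6core.c. Any other apr_driver in this tree whose remove function still returns int would now assign an incompatible function pointer; please confirm there are none, or convert them in the same patch.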
+--- a/sound/soc/qcom/qdsp6/q6core.c
++++ b/sound/soc/qcom/qdsp6/q6core.c
+@@ -339,7 +339,7 @@ static int q6core_probe(struct apr_devic
+ return 0;
+ }
+
+-static int q6core_exit(struct apr_device *adev)
++static void q6core_exit(struct apr_device *adev)
+ {
+ struct q6core *core = dev_get_drvdata(&adev->dev);
+
+@@ -350,8 +350,6 @@ static int q6core_exit(struct apr_device
+
+ g_core = NULL;
+ kfree(core);
+-
+- return 0;
+ }
+
+ #ifdef CONFIG_OF
--- /dev/null
+From stable+bounces-238739-greg=kroah.com@vger.kernel.org Mon Apr 20 14:05:19 2026
+From: Ruohan Lan <ruohanlan@aliyun.com>
+Date: Mon, 20 Apr 2026 20:01:10 +0800
+Subject: ublk: fix deadlock when reading partition table
+To: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Cc: linux-block@vger.kernel.org, Ming Lei <ming.lei@redhat.com>, Caleb Sander Mateos <csander@purestorage.com>, Jens Axboe <axboe@kernel.dk>, Ruohan Lan <ruohanlan@aliyun.com>
+Message-ID: <20260420120110.864-1-ruohanlan@aliyun.com>
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit c258f5c4502c9667bccf5d76fa731ab9c96687c1 ]
+
+When one process(such as udev) opens ublk block device (e.g., to read
+the partition table via bdev_open()), a deadlock[1] can occur:
+
+1. bdev_open() grabs disk->open_mutex
+2. The process issues read I/O to ublk backend to read partition table
+3. In __ublk_complete_rq(), blk_update_request() or blk_mq_end_request()
+ runs bio->bi_end_io() callbacks
+4. If this triggers fput() on file descriptor of ublk block device, the
+ work may be deferred to current task's task work (see fput() implementation)
+5. This eventually calls blkdev_release() from the same context
+6. blkdev_release() tries to grab disk->open_mutex again
+7. Deadlock: same task waiting for a mutex it already holds
+
+The fix is to run blk_update_request() and blk_mq_end_request() with bottom
+halves disabled. This forces blkdev_release() to run in kernel work-queue
+context instead of current task work context, and allows ublk server to make
+forward progress, and avoids the deadlock.
+
+Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Link: https://github.com/ublk-org/ublksrv/issues/170 [1]
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
+[axboe: rewrite comment in ublk]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ The fix omits the change in __ublk_do_auto_buf_reg() since this function
+doesn't exist in 6.1. ]
+Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/ublk_drv.c | 28 ++++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -603,12 +603,20 @@ static inline bool ubq_daemon_is_dying(s
+ return ubq->ubq_daemon->flags & PF_EXITING;
+ }
+
++static void ublk_end_request(struct request *req, blk_status_t error)
++{
++ local_bh_disable();
++ blk_mq_end_request(req, error);
++ local_bh_enable();
++}
++
+ /* todo: handle partial completion */
+ static void ublk_complete_rq(struct request *req)
+ {
+ struct ublk_queue *ubq = req->mq_hctx->driver_data;
+ struct ublk_io *io = &ubq->ios[req->tag];
+ unsigned int unmapped_bytes;
++ bool requeue;
+
+ /* failed read IO if nothing is read */
+ if (!io->res && req_op(req) == REQ_OP_READ)
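Review bot: ublk_end_request() disables bottom halves around blk_mq_end_request() with no comment saying why; the rationale appears only in the comment above blk_update_request() in the next hunk. A one-line comment on the helper pointing at that explanation (the final fput() must not land on current's task work while disk->open_mutex may be held) would keep a later cleanup from replacing the helper with a plain blk_mq_end_request() call.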
+@@ -641,7 +649,23 @@ static void ublk_complete_rq(struct requ
+ if (unlikely(unmapped_bytes < io->res))
+ io->res = unmapped_bytes;
+
+- if (blk_update_request(req, BLK_STS_OK, io->res))
++ /*
++ * Run bio->bi_end_io() with softirqs disabled. If the final fput
++ * happens off this path, then that will prevent ublk's blkdev_release()
++ * from being called on current's task work, see fput() implementation.
++ *
++ * Otherwise, ublk server may not provide forward progress in case of
++ * reading the partition table from bdev_open() with disk->open_mutex
++ * held, and causes dead lock as we could already be holding
++ * disk->open_mutex here.
++ *
++ * Preferably we would not be doing IO with a mutex held that is also
++ * used for release, but this work-around will suffice for now.
++ */
++ local_bh_disable();
++ requeue = blk_update_request(req, BLK_STS_OK, io->res);
++ local_bh_enable();
++ if (requeue)
+ blk_mq_requeue_request(req, true);
+ else
+ __blk_mq_end_request(req, BLK_STS_OK);
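Review bot: In the else branch, `__blk_mq_end_request(req, BLK_STS_OK)` runs after local_bh_enable(), so only blk_update_request() is covered by the bottom-half-disabled section. The comment should state in one sentence why that call does not need the same protection, or the section should be widened to include it. Also, "dead lock" in the comment should read "deadlock".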
+@@ -694,7 +718,7 @@ static inline void __ublk_abort_rq(struc
+ if (ublk_queue_can_use_recovery(ubq))
+ blk_mq_requeue_request(rq, false);
+ else
+- blk_mq_end_request(rq, BLK_STS_IOERR);
++ ublk_end_request(rq, BLK_STS_IOERR);
+
+ mod_delayed_work(system_wq, &ubq->dev->monitor_work, 0);
+ }
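Review bot: This is the only blk_mq_end_request() call site switched to ublk_end_request(), and the diffstat's two deletions are both accounted for by the visible hunks, so any other blk_mq_end_request() call left in ublk_drv.c still completes bios with bottom halves enabled. Please confirm that each remaining caller cannot reach the fput() path described in the commit message, or convert those callers too; the backport note names only __ublk_do_auto_buf_reg() as omitted.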