Fixes for all trees
authorSasha Levin <sashal@kernel.org>
Thu, 23 Apr 2026 14:28:48 +0000 (10:28 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 23 Apr 2026 14:28:48 +0000 (10:28 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.10/revert-scsi-ufs-core-improve-scsi-abort-handling.patch [new file with mode: 0644]
queue-5.10/rxrpc-fix-recvmsg-unconditional-requeue.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/revert-scsi-ufs-core-improve-scsi-abort-handling.patch b/queue-5.10/revert-scsi-ufs-core-improve-scsi-abort-handling.patch
new file mode 100644 (file)
index 0000000..ad99171
--- /dev/null
@@ -0,0 +1,27 @@
+From 7fe394cba7f757b6636965a9abd1e035cb4c03fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2026 09:50:40 -0400
+Subject: Revert "scsi: ufs: core: Improve SCSI abort handling"
+
+This reverts commit 133811fbc1cc171477281c829eb5fd567f013ba7.
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 1b8072f47e7e8..c7bf0e6bc303d 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6788,7 +6788,6 @@ static int ufshcd_abort(struct scsi_cmnd *cmd)
+               __ufshcd_transfer_req_compl(hba, (1UL << tag));
+               spin_unlock_irqrestore(host->host_lock, flags);
+ out:
+-              lrbp->cmd = NULL;
+               err = SUCCESS;
+       } else {
+               dev_err(hba->dev, "%s: failed with err %d\n", __func__, err);
+-- 
+2.53.0
+
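Review bot: The message of this queued revert gives only the reverted commit id and no reason, so nothing on the page explains why `lrbp->cmd = NULL;` has to go from the `out:` path of `ufshcd_abort()` on 5.10. After the revert, the success path relies on whatever ran before `out:` to clear `lrbp->cmd`; whether `__ufshcd_transfer_req_compl()` does that on every path that jumps to `out:` is not visible here and should be confirmed. I would add one sentence to the body, for example `The backported line broke <observed failure on 5.10 - placeholder>; the upstream change depends on <missing prerequisite - placeholder>.`, so the next stable maintainer can tell whether the fix needs to be retried. The body of `ufshcd_abort()` starts and ends outside the hunk.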
diff --git a/queue-5.10/rxrpc-fix-recvmsg-unconditional-requeue.patch b/queue-5.10/rxrpc-fix-recvmsg-unconditional-requeue.patch
new file mode 100644 (file)
index 0000000..6b892cf
--- /dev/null
@@ -0,0 +1,120 @@
+From d3f440424bf18f9b9cc4234b7379b1fc18f77b7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Apr 2026 22:24:32 +0000
+Subject: rxrpc: Fix recvmsg() unconditional requeue
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 2c28769a51deb6022d7fbd499987e237a01dd63a ]
+
+If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call
+at the front of the recvmsg queue already has its mutex locked, it
+requeues the call - whether or not the call is already queued.  The call
+may be on the queue because MSG_PEEK was also passed and so the call was
+not dequeued or because the I/O thread requeued it.
+
+The unconditional requeue may then corrupt the recvmsg queue, leading to
+things like UAFs or refcount underruns.
+
+Fix this by only requeuing the call if it isn't already on the queue -
+and moving it to the front if it is already queued.  If we don't queue
+it, we have to put the ref we obtained by dequeuing it.
+
+Also, MSG_PEEK doesn't dequeue the call so shouldn't call
+rxrpc_notify_socket() for the call if we didn't use up all the data on
+the queue, so fix that also.
+
+Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
+Reported-by: Faith <faith@zellic.io>
+Reported-by: Pumpkin Chang <pumpkin@devco.re>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: stable@vger.kernel.org
+[Adapted to 5.10: use write_lock_bh/write_unlock_bh, trace_rxrpc_call
+ directly for see-call tracing, 5.10 trace enum naming convention, and
+ added entries to both plain enum and EM() macro list.]
+Signed-off-by: Jay Wang <wanjay@amazon.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/rxrpc.h |  8 ++++++++
+ net/rxrpc/recvmsg.c          | 22 ++++++++++++++++++----
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
+index 221856f2d295c..6cde10ae4445d 100644
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -93,9 +93,13 @@ enum rxrpc_call_trace {
+       rxrpc_call_put_notimer,
+       rxrpc_call_put_timer,
+       rxrpc_call_put_userid,
++      rxrpc_call_put_recvmsg_peek_nowait,
+       rxrpc_call_queued,
+       rxrpc_call_queued_ref,
+       rxrpc_call_release,
++      rxrpc_call_see_recvmsg_requeue,
++      rxrpc_call_see_recvmsg_requeue_first,
++      rxrpc_call_see_recvmsg_requeue_move,
+       rxrpc_call_seen,
+ };
+@@ -291,9 +295,13 @@ enum rxrpc_tx_point {
+       EM(rxrpc_call_put_notimer,              "PnT") \
+       EM(rxrpc_call_put_timer,                "PTM") \
+       EM(rxrpc_call_put_userid,               "Pus") \
++      EM(rxrpc_call_put_recvmsg_peek_nowait,  "PpN") \
+       EM(rxrpc_call_queued,                   "QUE") \
+       EM(rxrpc_call_queued_ref,               "QUR") \
+       EM(rxrpc_call_release,                  "RLS") \
++      EM(rxrpc_call_see_recvmsg_requeue,      "SrQ") \
++      EM(rxrpc_call_see_recvmsg_requeue_first,"SrF") \
++      EM(rxrpc_call_see_recvmsg_requeue_move, "SrM") \
+       E_(rxrpc_call_seen,                     "SEE")
+ #define rxrpc_transmit_traces \
+diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
+index 7878267739378..301b8acf78f55 100644
+--- a/net/rxrpc/recvmsg.c
++++ b/net/rxrpc/recvmsg.c
+@@ -607,7 +607,8 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+               if (after(call->rx_top, call->rx_hard_ack) &&
+                   call->rxtx_buffer[(call->rx_hard_ack + 1) & RXRPC_RXTX_BUFF_MASK])
+-                      rxrpc_notify_socket(call);
++                      if (!(flags & MSG_PEEK))
++                              rxrpc_notify_socket(call);
+               break;
+       default:
+               ret = 0;
+@@ -642,11 +643,24 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ error_requeue_call:
+       if (!(flags & MSG_PEEK)) {
+               write_lock_bh(&rx->recvmsg_lock);
+-              list_add(&call->recvmsg_link, &rx->recvmsg_q);
+-              write_unlock_bh(&rx->recvmsg_lock);
++              if (list_empty(&call->recvmsg_link)) {
++                      list_add(&call->recvmsg_link, &rx->recvmsg_q);
++                      trace_rxrpc_call(call->debug_id,
++                                       rxrpc_call_see_recvmsg_requeue,
++                                       refcount_read(&call->ref),
++                                       __builtin_return_address(0), NULL);
++                      write_unlock_bh(&rx->recvmsg_lock);
++              } else if (list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) {
++                      write_unlock_bh(&rx->recvmsg_lock);
++                      rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first);
++              } else {
++                      list_move(&call->recvmsg_link, &rx->recvmsg_q);
++                      write_unlock_bh(&rx->recvmsg_lock);
++                      rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move);
++              }
+               trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0);
+       } else {
+-              rxrpc_put_call(call, rxrpc_call_put);
++              rxrpc_put_call(call, rxrpc_call_put_recvmsg_peek_nowait);
+       }
+ error_no_call:
+       release_sock(&rx->sk);
+-- 
+2.53.0
+
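Review bot: In the `error_requeue_call` hunk of net/rxrpc/recvmsg.c, `trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0);` still runs after the two new branches have called `rxrpc_put_call()`, so the tracepoint receives `call` after this path has dropped its own reference. That is safe only if the reference held by the recvmsg queue is guaranteed to outlive the trace. The hunk does not show what else can dequeue the call once `write_unlock_bh()` has run, and whether the tracepoint dereferences `call` in this tree should be confirmed. Moving that trace line to directly after `write_lock_bh(&rx->recvmsg_lock);` emits it while the reference is still held and removes the question for a fix whose stated purpose is to prevent UAFs and refcount underruns. Separately, in the first recvmsg.c hunk the new `if (!(flags & MSG_PEEK))` sits unbraced under a two-line condition; folding it in as `if (!(flags & MSG_PEEK) && after(call->rx_top, call->rx_hard_ack) &&` is harder to misread, and the body of `rxrpc_recvmsg()` continues outside both hunks.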
index 4f7bb112e828a7f533b5928ef2796e7ab97f98ab..72fdb203b949a7c9310def439bf5e6fa211cbe5f 100644 (file)
@@ -124,3 +124,5 @@ gfs2-validate-i_depth-for-exhash-directories.patch
 drm-amd-display-do-not-add-mhard-float-to-calcs-dsc-and-dcn30-fp-files-for-clang.patch
 scripts-dtc-remove-unused-dts_version-in-dtc-lexer.l.patch
 i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
+revert-scsi-ufs-core-improve-scsi-abort-handling.patch
+rxrpc-fix-recvmsg-unconditional-requeue.patch