--- /dev/null
+From stable+bounces-240433-greg=kroah.com@vger.kernel.org Thu Apr 23 09:39:57 2026
+From: Robert Garcia <rob_garcia@163.com>
+Date: Thu, 23 Apr 2026 15:38:42 +0800
+Subject: btrfs: lock the inode in shared mode before starting fiemap
+To: stable@vger.kernel.org, Filipe Manana <fdmanana@suse.com>
+Cc: David Sterba <dsterba@suse.com>, Josef Bacik <josef@toxicpanda.com>, Chris Mason <clm@fb.com>, Robert Garcia <rob_garcia@163.com>, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
+Message-ID: <20260423073842.3827122-1-rob_garcia@163.com>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 519b7e13b5ae8dd38da1e52275705343be6bb508 ]
+
+Currently fiemap does not take the inode's lock (VFS lock), it only locks
+a file range in the inode's io tree. This however can lead to a deadlock
+if we have a concurrent fsync on the file and fiemap code triggers a fault
+when accessing the user space buffer with fiemap_fill_next_extent(). The
+deadlock happens on the inode's i_mmap_lock semaphore, which is taken both
+by fsync and btrfs_page_mkwrite(). This deadlock was recently reported by
+syzbot and triggers a trace like the following:
+
+ task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004
+ Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5293 [inline]
+ __schedule+0x995/0xe20 kernel/sched/core.c:6606
+ schedule+0xcb/0x190 kernel/sched/core.c:6682
+ wait_on_state fs/btrfs/extent-io-tree.c:707 [inline]
+ wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751
+ lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742
+ find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488
+ writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863
+ __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174
+ extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091
+ extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211
+ do_writepages+0x3c3/0x680 mm/page-writeback.c:2581
+ filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388
+ __filemap_fdatawrite_range mm/filemap.c:421 [inline]
+ filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439
+ btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline]
+ start_ordered_ops fs/btrfs/file.c:1737 [inline]
+ btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839
+ generic_write_sync include/linux/fs.h:2885 [inline]
+ btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684
+ call_write_iter include/linux/fs.h:2189 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x7dc/0xc50 fs/read_write.c:584
+ ksys_write+0x177/0x2a0 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0033:0x7f7d4054e9b9
+ RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+ RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9
+ RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006
+ RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69
+ R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8
+ </TASK>
+ INFO: task syz-executor361:5697 blocked for more than 145 seconds.
+ Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004
+ Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5293 [inline]
+ __schedule+0x995/0xe20 kernel/sched/core.c:6606
+ schedule+0xcb/0x190 kernel/sched/core.c:6682
+ rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095
+ __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260
+ btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526
+ do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947
+ wp_page_shared+0x15e/0x380 mm/memory.c:3295
+ handle_pte_fault mm/memory.c:4949 [inline]
+ __handle_mm_fault mm/memory.c:5073 [inline]
+ handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219
+ do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428
+ handle_page_fault arch/x86/mm/fault.c:1519 [inline]
+ exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575
+ asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
+ RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233
+ Code: 74 0a 89 (...)
+ RSP: 0018:ffffc9000570f330 EFLAGS: 00050202
+ RAX: ffffffff843e6601 RBX: 00007fffffffefc8 RCX: 0000000000000007
+ RDX: 0000000000000000 RSI: ffffc9000570f3e0 RDI: 0000000020000120
+ RBP: ffffc9000570f490 R08: 0000000000000000 R09: fffff52000ae1e83
+ R10: fffff52000ae1e83 R11: 1ffff92000ae1e7c R12: 0000000000000038
+ R13: ffffc9000570f3e0 R14: 0000000020000120 R15: ffffc9000570f3e0
+ copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
+ raw_copy_to_user arch/x86/include/asm/uaccess_64.h:58 [inline]
+ _copy_to_user+0xe9/0x130 lib/usercopy.c:34
+ copy_to_user include/linux/uaccess.h:169 [inline]
+ fiemap_fill_next_extent+0x22e/0x410 fs/ioctl.c:144
+ emit_fiemap_extent+0x22d/0x3c0 fs/btrfs/extent_io.c:3458
+ fiemap_process_hole+0xa00/0xad0 fs/btrfs/extent_io.c:3716
+ extent_fiemap+0xe27/0x2100 fs/btrfs/extent_io.c:3922
+ btrfs_fiemap+0x172/0x1e0 fs/btrfs/inode.c:8209
+ ioctl_fiemap fs/ioctl.c:219 [inline]
+ do_vfs_ioctl+0x185b/0x2980 fs/ioctl.c:810
+ __do_sys_ioctl fs/ioctl.c:868 [inline]
+ __se_sys_ioctl+0x83/0x170 fs/ioctl.c:856
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ RIP: 0033:0x7f7d4054e9b9
+ RSP: 002b:00007f7d390d92f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 00007f7d405d87b0 RCX: 00007f7d4054e9b9
+ RDX: 0000000020000100 RSI: 00000000c020660b RDI: 0000000000000005
+ RBP: 00007f7d405a51d0 R08: 00007f7d390d9700 R09: 0000000000000000
+ R10: 00007f7d390d9700 R11: 0000000000000246 R12: 61635f65646f6e69
+ R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87b8
+ </TASK>
+
+What happens is the following:
+
+1) Task A is doing an fsync, enters btrfs_sync_file() and flushes delalloc
+ before locking the inode and the i_mmap_lock semaphore, that is, before
+ calling btrfs_inode_lock();
+
+2) After task A flushes delalloc and before it calls btrfs_inode_lock(),
+ another task dirties a page;
+
+3) Task B starts a fiemap without FIEMAP_FLAG_SYNC, so the page dirtied
+ at step 2 remains dirty and unflushed. Then when it enters
+ extent_fiemap() and it locks a file range that includes the range of
+ the page dirtied in step 2;
+
+4) Task A calls btrfs_inode_lock() and locks the inode (VFS lock) and the
+ inode's i_mmap_lock semaphore in write mode. Then it tries to flush
+ delalloc by calling start_ordered_ops(), which will block, at
+ find_lock_delalloc_range(), when trying to lock the range of the page
+ dirtied at step 2, since this range was locked by the fiemap task (at
+ step 3);
+
+5) Task B generates a page fault when accessing the user space fiemap
+ buffer with a call to fiemap_fill_next_extent().
+
+ The fault handler needs to call btrfs_page_mkwrite() for some other
+ page of our inode, and there we deadlock when trying to lock the
+ inode's i_mmap_lock semaphore in read mode, since the fsync task locked
+ it in write mode (step 4) and the fsync task can not progress because
+ it's waiting to lock a file range that is currently locked by us (the
+ fiemap task, step 3).
+
+Fix this by taking the inode's lock (VFS lock) in shared mode when
+entering fiemap. This effectively serializes fiemap with fsync (except the
+most expensive part of fsync, the log sync), preventing this deadlock.
+
+Reported-by: syzbot+cc35f55c41e34c30dcb5@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/00000000000032dc7305f2a66f46@google.com/
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -5590,6 +5590,7 @@ int extent_fiemap(struct btrfs_inode *in
+ last_for_get_extent = isize;
+ }
+
++ btrfs_inode_lock(&inode->vfs_inode, BTRFS_ILOCK_SHARED);
+ lock_extent_bits(&inode->io_tree, start, start + len - 1,
+ &cached_state);
+
+@@ -5705,6 +5706,7 @@ out_free:
+ out:
+ unlock_extent_cached(&inode->io_tree, start, start + len - 1,
+ &cached_state);
++ btrfs_inode_unlock(&inode->vfs_inode, BTRFS_ILOCK_SHARED);
+
+ out_free_ulist:
+ btrfs_free_path(path);
--- /dev/null
+From lanbincn@139.com Tue Mar 24 09:22:43 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Tue, 24 Mar 2026 16:21:13 +0800
+Subject: cpufreq: Avoid a bad reference count on CPU node
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-pm@vger.kernel.org, "Miquel Sabaté Solà" <mikisabate@gmail.com>, "Viresh Kumar" <viresh.kumar@linaro.org>, "Rafael J . Wysocki" <rafael.j.wysocki@intel.com>, "Bin Lan" <lanbincn@139.com>
+Message-ID: <20260324082113.6275-2-lanbincn@139.com>
+
+From: Miquel Sabaté Solà <mikisabate@gmail.com>
+
+[ Upstream commit c0f02536fffbbec71aced36d52a765f8c4493dc2 ]
+
+In the parse_perf_domain function, if the call to
+of_parse_phandle_with_args returns an error, then the reference to the
+CPU device node that was acquired at the start of the function would not
+be properly decremented.
+
+Address this by declaring the variable with the __free(device_node)
+cleanup attribute.
+
+Signed-off-by: Miquel Sabaté Solà <mikisabate@gmail.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://patch.msgid.link/20240917134246.584026-1-mikisabate@gmail.com
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[ Minor context conflict resolved. ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/cpufreq.h | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/include/linux/cpufreq.h
++++ b/include/linux/cpufreq.h
+@@ -1014,11 +1014,10 @@ static inline int cpufreq_table_count_va
+ static inline int parse_perf_domain(int cpu, const char *list_name,
+ const char *cell_name)
+ {
+- struct device_node *cpu_np;
+ struct of_phandle_args args;
+ int ret;
+
+- cpu_np = of_cpu_device_node_get(cpu);
++ struct device_node *cpu_np __free(device_node) = of_cpu_device_node_get(cpu);
+ if (!cpu_np)
+ return -ENODEV;
+
+@@ -1027,8 +1026,6 @@ static inline int parse_perf_domain(int
+ if (ret < 0)
+ return ret;
+
+- of_node_put(cpu_np);
+-
+ return args.args[0];
+ }
+
--- /dev/null
+From stable+bounces-233895-greg=kroah.com@vger.kernel.org Wed Apr 8 14:55:55 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 08:55:50 -0400
+Subject: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
+To: stable@vger.kernel.org
+Cc: Guangshuo Li <lgs201920130244@gmail.com>, Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>, Viresh Kumar <viresh.kumar@linaro.org>, "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260408125550.1049042-2-sashal@kernel.org>
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+[ Upstream commit 6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e ]
+
+When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls
+kobject_put(&dbs_data->attr_set.kobj).
+
+The kobject release callback cpufreq_dbs_data_release() calls
+gov->exit(dbs_data) and kfree(dbs_data), but the current error path
+then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a
+double free.
+
+Keep the direct kfree(dbs_data) for the gov->init() failure path, but
+after kobject_init_and_add() has been called, let kobject_put() handle
+the cleanup through cpufreq_dbs_data_release().
+
+Fixes: 4ebe36c94aed ("cpufreq: Fix kobject memleak")
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20260401024535.1395801-1-lgs201920130244@gmail.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq_governor.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -468,13 +468,13 @@ int cpufreq_dbs_governor_init(struct cpu
+ /* Failure, so roll back. */
+ pr_err("initialization failed (dbs_data kobject init error %d)\n", ret);
+
+- kobject_put(&dbs_data->attr_set.kobj);
+-
+ policy->governor_data = NULL;
+
+ if (!have_governor_per_policy())
+ gov->gdbs_data = NULL;
+- gov->exit(dbs_data);
++
++ kobject_put(&dbs_data->attr_set.kobj);
++ goto free_policy_dbs_info;
+
+ free_dbs_data:
+ kfree(dbs_data);
--- /dev/null
+From stable+bounces-233894-greg=kroah.com@vger.kernel.org Wed Apr 8 15:00:10 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Apr 2026 08:55:49 -0400
+Subject: cpufreq: governor: Free dbs_data directly when gov->init() fails
+To: stable@vger.kernel.org
+Cc: Liao Chang <liaochang1@huawei.com>, Viresh Kumar <viresh.kumar@linaro.org>, "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260408125550.1049042-1-sashal@kernel.org>
+
+From: Liao Chang <liaochang1@huawei.com>
+
+[ Upstream commit 916f13884042f615cfbfc0b42cc68dadee826f2a ]
+
+Due to the kobject embedded in the dbs_data doest not has a release()
+method yet, it needs to use kfree() to free dbs_data directly when
+governor fails to allocate the tunner field of dbs_data.
+
+Signed-off-by: Liao Chang <liaochang1@huawei.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Stable-dep-of: 6dcf9d0064ce ("cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq_governor.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -440,7 +440,7 @@ int cpufreq_dbs_governor_init(struct cpu
+
+ ret = gov->init(dbs_data);
+ if (ret)
+- goto free_policy_dbs_info;
++ goto free_dbs_data;
+
+ /*
+ * The sampling interval should not be less than the transition latency
+@@ -475,6 +475,8 @@ int cpufreq_dbs_governor_init(struct cpu
+ if (!have_governor_per_policy())
+ gov->gdbs_data = NULL;
+ gov->exit(dbs_data);
++
++free_dbs_data:
+ kfree(dbs_data);
+
+ free_policy_dbs_info:
--- /dev/null
+From 1468888505@139.com Tue Mar 24 09:14:43 2026
+From: Li hongliang <1468888505@139.com>
+Date: Tue, 24 Mar 2026 16:14:38 +0800
+Subject: drivers: base: Free devm resources when unregistering a device
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, davidgow@google.com
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, rafael@kernel.org, tom.leiming@gmail.com, mripard@kernel.org
+Message-ID: <20260324081438.1182050-1-1468888505@139.com>
+
+From: David Gow <davidgow@google.com>
+
+[ Upstream commit 699fb50d99039a50e7494de644f96c889279aca3 ]
+
+In the current code, devres_release_all() only gets called if the device
+has a bus and has been probed.
+
+This leads to issues when using bus-less or driver-less devices where
+the device might never get freed if a managed resource holds a reference
+to the device. This is happening in the DRM framework for example.
+
+We should thus call devres_release_all() in the device_del() function to
+make sure that the device-managed actions are properly executed when the
+device is unregistered, even if it has neither a bus nor a driver.
+
+This is effectively the same change than commit 2f8d16a996da ("devres:
+release resources on device_del()") that got reverted by commit
+a525a3ddeaca ("driver core: free devres in device_release") over
+memory leaks concerns.
+
+This patch effectively combines the two commits mentioned above to
+release the resources both on device_del() and device_release() and get
+the best of both worlds.
+
+Fixes: a525a3ddeaca ("driver core: free devres in device_release")
+Signed-off-by: David Gow <davidgow@google.com>
+Signed-off-by: Maxime Ripard <mripard@kernel.org>
+Link: https://lore.kernel.org/r/20230720-kunit-devm-inconsistencies-test-v3-3-6aa7e074f373@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -3604,9 +3604,21 @@ void device_del(struct device *dev)
+ device_remove_properties(dev);
+ device_links_purge(dev);
+
++ /*
++ * If a device does not have a driver attached, we need to clean
++ * up any managed resources. We do this in device_release(), but
++ * it's never called (and we leak the device) if a managed
++ * resource holds a reference to the device. So release all
++ * managed resources here, like we do in driver_detach(). We
++ * still need to do so again in device_release() in case someone
++ * adds a new resource after this point, though.
++ */
++ devres_release_all(dev);
++
+ if (dev->bus)
+ blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
+ BUS_NOTIFY_REMOVED_DEVICE, dev);
++
+ kobject_uevent(&dev->kobj, KOBJ_REMOVE);
+ glue_dir = get_glue_dir(dev);
+ kobject_del(&dev->kobj);
--- /dev/null
+From alvalan9@foxmail.com Wed Mar 25 06:44:09 2026
+From: Alva Lan <alvalan9@foxmail.com>
+Date: Wed, 25 Mar 2026 13:43:39 +0800
+Subject: fbdev: efifb: Register sysfs groups through driver core
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-fbdev@vger.kernel.org, "Thomas Weißschuh" <linux@weissschuh.net>, "Helge Deller" <deller@gmx.de>, "Alva Lan" <alvalan9@foxmail.com>
+Message-ID: <tencent_DAD116D7DC7CB44A8E5BB7E2CCC0E835F00A@qq.com>
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 95cdd538e0e5677efbdf8aade04ec098ab98f457 ]
+
+The driver core can register and cleanup sysfs groups already.
+Make use of that functionality to simplify the error handling and
+cleanup.
+
+Also avoid a UAF race during unregistering where the sysctl attributes
+were usable after the info struct was freed.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+[ Minor context conflict resolved. ]
+Signed-off-by: Alva Lan <alvalan9@foxmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/efifb.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/video/fbdev/efifb.c
++++ b/drivers/video/fbdev/efifb.c
+@@ -581,15 +581,10 @@ static int efifb_probe(struct platform_d
+ break;
+ }
+
+- err = sysfs_create_groups(&dev->dev.kobj, efifb_groups);
+- if (err) {
+- pr_err("efifb: cannot add sysfs attrs\n");
+- goto err_unmap;
+- }
+ err = fb_alloc_cmap(&info->cmap, 256, 0);
+ if (err < 0) {
+ pr_err("efifb: cannot allocate colormap\n");
+- goto err_groups;
++ goto err_unmap;
+ }
+
+ if (efifb_pci_dev)
+@@ -608,8 +603,6 @@ err_put_rpm_ref:
+ pm_runtime_put(&efifb_pci_dev->dev);
+
+ fb_dealloc_cmap(&info->cmap);
+-err_groups:
+- sysfs_remove_groups(&dev->dev.kobj, efifb_groups);
+ err_unmap:
+ if (mem_flags & (EFI_MEMORY_UC | EFI_MEMORY_WC))
+ iounmap(info->screen_base);
+@@ -629,7 +622,6 @@ static int efifb_remove(struct platform_
+
+ /* efifb_destroy takes care of info cleanup */
+ unregister_framebuffer(info);
+- sysfs_remove_groups(&pdev->dev.kobj, efifb_groups);
+
+ return 0;
+ }
+@@ -637,6 +629,7 @@ static int efifb_remove(struct platform_
+ static struct platform_driver efifb_driver = {
+ .driver = {
+ .name = "efi-framebuffer",
++ .dev_groups = efifb_groups,
+ },
+ .probe = efifb_probe,
+ .remove = efifb_remove,
--- /dev/null
+From stable+bounces-240430-greg=kroah.com@vger.kernel.org Thu Apr 23 09:02:46 2026
+From: Robert Garcia <rob_garcia@163.com>
+Date: Thu, 23 Apr 2026 15:01:59 +0800
+Subject: fs/ntfs3: Add more attributes checks in mi_enum_attr()
+To: stable@vger.kernel.org, Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Cc: ntfs3@lists.linux.dev, Robert Garcia <rob_garcia@163.com>, linux-kernel@vger.kernel.org
+Message-ID: <20260423070159.3246415-1-rob_garcia@163.com>
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+[ Upstream commit 013ff63b649475f0ee134e2c8d0c8e65284ede50 ]
+
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+[ Overflow check deleted to keep context consistent. ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/record.c | 63 ++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 50 insertions(+), 13 deletions(-)
+
+--- a/fs/ntfs3/record.c
++++ b/fs/ntfs3/record.c
+@@ -193,8 +193,9 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ {
+ const struct MFT_REC *rec = mi->mrec;
+ u32 used = le32_to_cpu(rec->used);
+- u32 t32, off, asize;
++ u32 t32, off, asize, prev_type;
+ u16 t16;
++ u64 data_size, alloc_size, tot_size;
+
+ if (!attr) {
+ u32 total = le32_to_cpu(rec->total);
+@@ -213,6 +214,7 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ if (!is_rec_inuse(rec))
+ return NULL;
+
++ prev_type = 0;
+ attr = Add2Ptr(rec, off);
+ } else {
+ /* Check if input attr inside record. */
+@@ -226,6 +228,7 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ return NULL;
+ }
+
++ prev_type = le32_to_cpu(attr->type);
+ attr = Add2Ptr(attr, asize);
+ off += asize;
+ }
+@@ -245,7 +248,11 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+
+ /* 0x100 is last known attribute for now. */
+ t32 = le32_to_cpu(attr->type);
+- if ((t32 & 0xf) || (t32 > 0x100))
++ if (!t32 || (t32 & 0xf) || (t32 > 0x100))
++ return NULL;
++
++ /* attributes in record must be ordered by type */
++ if (t32 < prev_type)
+ return NULL;
+
+ /* Check overflow and boundary. */
+@@ -254,16 +261,15 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+
+ /* Check size of attribute. */
+ if (!attr->non_res) {
++ /* Check resident fields. */
+ if (asize < SIZEOF_RESIDENT)
+ return NULL;
+
+ t16 = le16_to_cpu(attr->res.data_off);
+-
+ if (t16 > asize)
+ return NULL;
+
+- t32 = le32_to_cpu(attr->res.data_size);
+- if (t16 + t32 > asize)
++ if (t16 + le32_to_cpu(attr->res.data_size) > asize)
+ return NULL;
+
+ if (attr->name_len &&
+@@ -274,21 +280,52 @@ struct ATTRIB *mi_enum_attr(struct mft_i
+ return attr;
+ }
+
+- /* Check some nonresident fields. */
+- if (attr->name_len &&
+- le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len >
+- le16_to_cpu(attr->nres.run_off)) {
++ /* Check nonresident fields. */
++ if (attr->non_res != 1)
++ return NULL;
++
++ t16 = le16_to_cpu(attr->nres.run_off);
++ if (t16 > asize)
++ return NULL;
++
++ t32 = sizeof(short) * attr->name_len;
++ if (t32 && le16_to_cpu(attr->name_off) + t32 > t16)
++ return NULL;
++
++ /* Check start/end vcn. */
++ if (le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nres.evcn) + 1)
++ return NULL;
++
++ data_size = le64_to_cpu(attr->nres.data_size);
++ if (le64_to_cpu(attr->nres.valid_size) > data_size)
+ return NULL;
+- }
+
+- if (attr->nres.svcn || !is_attr_ext(attr)) {
++ alloc_size = le64_to_cpu(attr->nres.alloc_size);
++ if (data_size > alloc_size)
++ return NULL;
++
++ t32 = mi->sbi->cluster_mask;
++ if (alloc_size & t32)
++ return NULL;
++
++ if (!attr->nres.svcn && is_attr_ext(attr)) {
++ /* First segment of sparse/compressed attribute */
++ if (asize + 8 < SIZEOF_NONRESIDENT_EX)
++ return NULL;
++
++ tot_size = le64_to_cpu(attr->nres.total_size);
++ if (tot_size & t32)
++ return NULL;
++
++ if (tot_size > alloc_size)
++ return NULL;
++ } else {
+ if (asize + 8 < SIZEOF_NONRESIDENT)
+ return NULL;
+
+ if (attr->nres.c_unit)
+ return NULL;
+- } else if (asize + 8 < SIZEOF_NONRESIDENT_EX)
+- return NULL;
++ }
+
+ return attr;
+ }
--- /dev/null
+From stable+bounces-230271-greg=kroah.com@vger.kernel.org Wed Mar 25 07:29:14 2026
+From: Johnny Hao <johnny_haocn@sina.com>
+Date: Wed, 25 Mar 2026 14:28:24 +0800
+Subject: md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Yu Kuai <yukuai3@huawei.com>, Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>, Song Liu <song@kernel.org>, Johnny Hao <johnny_haocn@sina.com>
+Message-ID: <20260325062824.2373999-1-johnny_haocn@sina.com>
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 8d28d0ddb986f56920ac97ae704cc3340a699a30 ]
+
+After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct
+md_bitmap_stats"), following panic is reported:
+
+Oops: general protection fault, probably for non-canonical address
+RIP: 0010:bitmap_get_stats+0x2b/0xa0
+Call Trace:
+ <TASK>
+ md_seq_show+0x2d2/0x5b0
+ seq_read_iter+0x2b9/0x470
+ seq_read+0x12f/0x180
+ proc_reg_read+0x57/0xb0
+ vfs_read+0xf6/0x380
+ ksys_read+0x6c/0xf0
+ do_syscall_64+0x82/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Root cause is that bitmap_get_stats() can be called at anytime if mddev
+is still there, even if bitmap is destroyed, or not fully initialized.
+Deferenceing bitmap in this case can crash the kernel. Meanwhile, the
+above commit start to deferencing bitmap->storage, make the problem
+easier to trigger.
+
+Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex.
+
+Cc: stable@vger.kernel.org # v6.12+
+Fixes: 32a7627cf3a3 ("[PATCH] md: optimised resync using Bitmap based intent logging")
+Reported-and-tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Closes: https://lore.kernel.org/linux-raid/ca3a91a2-50ae-4f68-b317-abd9889f3907@oracle.com/T/#m6e5086c95201135e4941fe38f9efa76daf9666c5
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20250124092055.4050195-1-yukuai1@huaweicloud.com
+Signed-off-by: Song Liu <song@kernel.org>
+[ The context change is due to the commit 38f287d7e495
+("md/md-bitmap: replace md_bitmap_status() with a new helper md_bitmap_get_stats()")
+in v6.12 and the commit f9cfe7e7f96a ("md: Fix md_seq_ops() regressions") in v6.8
+which are irrelevant to the logic of this patch. ]
+Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-bitmap.c | 4 ++++
+ drivers/md/md.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -2033,6 +2033,10 @@ void md_bitmap_status(struct seq_file *s
+
+ if (!bitmap)
+ return;
++ if (bitmap->mddev->bitmap_info.external)
++ return;
++ if (!bitmap->storage.sb_page) /* no superblock */
++ return;
+
+ counts = &bitmap->counts;
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8300,6 +8300,9 @@ static int md_seq_show(struct seq_file *
+ return 0;
+ }
+
++ /* prevent bitmap to be freed after checking */
++ mutex_lock(&mddev->bitmap_info.mutex);
++
+ spin_lock(&mddev->lock);
+ if (mddev->pers || mddev->raid_disks || !list_empty(&mddev->disks)) {
+ seq_printf(seq, "%s : %sactive", mdname(mddev),
+@@ -8371,6 +8374,7 @@ static int md_seq_show(struct seq_file *
+ seq_printf(seq, "\n");
+ }
+ spin_unlock(&mddev->lock);
++ mutex_unlock(&mddev->bitmap_info.mutex);
+
+ return 0;
+ }
--- /dev/null
+From johnny_haocn@sina.com Wed Mar 25 02:45:12 2026
+From: Johnny Hao <johnny_haocn@sina.com>
+Date: Wed, 25 Mar 2026 09:45:04 +0800
+Subject: net: clear the dst when changing skb protocol
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, "Jakub Kicinski" <kuba@kernel.org>, "Maciej Żenczykowski" <maze@google.com>, "Daniel Borkmann" <daniel@iogearbox.net>, "Willem de Bruijn" <willemb@google.com>, "Johnny Hao" <johnny_haocn@sina.com>
+Message-ID: <20260325014504.2853667-1-johnny_haocn@sina.com>
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ba9db6f907ac02215e30128770f85fbd7db2fcf9 ]
+
+A not-so-careful NAT46 BPF program can crash the kernel
+if it indiscriminately flips ingress packets from v4 to v6:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ ip6_rcv_core (net/ipv6/ip6_input.c:190:20)
+ ipv6_rcv (net/ipv6/ip6_input.c:306:8)
+ process_backlog (net/core/dev.c:6186:4)
+ napi_poll (net/core/dev.c:6906:9)
+ net_rx_action (net/core/dev.c:7028:13)
+ do_softirq (kernel/softirq.c:462:3)
+ netif_rx (net/core/dev.c:5326:3)
+ dev_loopback_xmit (net/core/dev.c:4015:2)
+ ip_mc_finish_output (net/ipv4/ip_output.c:363:8)
+ NF_HOOK (./include/linux/netfilter.h:314:9)
+ ip_mc_output (net/ipv4/ip_output.c:400:5)
+ dst_output (./include/net/dst.h:459:9)
+ ip_local_out (net/ipv4/ip_output.c:130:9)
+ ip_send_skb (net/ipv4/ip_output.c:1496:8)
+ udp_send_skb (net/ipv4/udp.c:1040:8)
+ udp_sendmsg (net/ipv4/udp.c:1328:10)
+
+The output interface has a 4->6 program attached at ingress.
+We try to loop the multicast skb back to the sending socket.
+Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr
+and changes skb->protocol to v6. We enter ip6_rcv_core which
+tries to use skb_dst(). But the dst is still an IPv4 one left
+after IPv4 mcast output.
+
+Clear the dst in all BPF helpers which change the protocol.
+Try to preserve metadata dsts, those may carry non-routing
+metadata.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Fixes: d219df60a70e ("bpf: Add ipip6 and ip6ip decap support for bpf_skb_adjust_room()")
+Fixes: 1b00e0dfe7d0 ("bpf: update skb->protocol in bpf_skb_net_grow")
+Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper")
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20250610001245.1981782-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ The context change is due to the commit d219df60a70e
+("bpf: Add ipip6 and ip6ip decap support for bpf_skb_adjust_room()")
+in v6.3 which is irrelevant to the logic of this patch. ]
+Signed-off-by: Johnny Hao <johnny_haocn@sina.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -3219,6 +3219,13 @@ static const struct bpf_func_proto bpf_s
+ .arg1_type = ARG_PTR_TO_CTX,
+ };
+
++static void bpf_skb_change_protocol(struct sk_buff *skb, u16 proto)
++{
++ skb->protocol = htons(proto);
++ if (skb_valid_dst(skb))
++ skb_dst_drop(skb);
++}
++
+ static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len)
+ {
+ /* Caller already did skb_cow() with len as headroom,
+@@ -3315,7 +3322,7 @@ static int bpf_skb_proto_4_to_6(struct s
+ }
+ }
+
+- skb->protocol = htons(ETH_P_IPV6);
++ bpf_skb_change_protocol(skb, ETH_P_IPV6);
+ skb_clear_hash(skb);
+
+ return 0;
+@@ -3345,7 +3352,7 @@ static int bpf_skb_proto_6_to_4(struct s
+ }
+ }
+
+- skb->protocol = htons(ETH_P_IP);
++ bpf_skb_change_protocol(skb, ETH_P_IP);
+ skb_clear_hash(skb);
+
+ return 0;
+@@ -3532,10 +3539,10 @@ static int bpf_skb_net_grow(struct sk_bu
+ /* Match skb->protocol to new outer l3 protocol */
+ if (skb->protocol == htons(ETH_P_IP) &&
+ flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV6)
+- skb->protocol = htons(ETH_P_IPV6);
++ bpf_skb_change_protocol(skb, ETH_P_IPV6);
+ else if (skb->protocol == htons(ETH_P_IPV6) &&
+ flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV4)
+- skb->protocol = htons(ETH_P_IP);
++ bpf_skb_change_protocol(skb, ETH_P_IP);
+ }
+
+ if (skb_is_gso(skb)) {
--- /dev/null
+From prvs=8564c0333c=guocai.he.cn@windriver.com Tue Apr 14 05:20:35 2026
+From: guocai.he.cn@windriver.com
+Date: Tue, 14 Apr 2026 11:20:06 +0800
+Subject: Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
+To: gregkh@linuxfoundation.org
+Cc: stable@vger.kernel.org, johannes.berg@intel.com, netdev@vger.kernel.org, regressions@lists.linux.dev, miriam.rachel.korenblit@intel.com, linux-kernel@vger.kernel.org
+Message-ID: <20260414032006.2887625-1-guocai.he.cn@windriver.com>
+
+From: Guocai He <guocai.he.cn@windriver.com>
+
+This reverts commit 31344ffecd7a34335ce2b52e8c205bce3cbfca4b which is commit
+e1696c8bd0056bc1a5f7766f58ac333adc203e8a upstream.
+
+The reverted patch introduced a deadlock. The locking situation in mainline is
+totally different, so it is incorrect to directly backport the commit from mainline.
+
+Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1300,10 +1300,8 @@ void __cfg80211_leave(struct cfg80211_re
+ __cfg80211_leave_ocb(rdev, dev);
+ break;
+ case NL80211_IFTYPE_P2P_DEVICE:
+- cfg80211_stop_p2p_device(rdev, wdev);
+- break;
+ case NL80211_IFTYPE_NAN:
+- cfg80211_stop_nan(rdev, wdev);
++ /* cannot happen, has no netdev */
+ break;
+ case NL80211_IFTYPE_AP_VLAN:
+ case NL80211_IFTYPE_MONITOR:
--- /dev/null
+From stable+bounces-240394-greg=kroah.com@vger.kernel.org Thu Apr 23 00:25:52 2026
+From: Jay Wang <wanjay@amazon.com>
+Date: Wed, 22 Apr 2026 22:24:32 +0000
+Subject: rxrpc: Fix recvmsg() unconditional requeue
+To: <stable@vger.kernel.org>
+Cc: <dhowells@redhat.com>, <marc.dionne@auristor.com>, <davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>, <pabeni@redhat.com>, <netdev@vger.kernel.org>, <linux-afs@lists.infradead.org>, <jay.wang.upstream@gmail.com>, Faith <faith@zellic.io>, Pumpkin Chang <pumpkin@devco.re>
+Message-ID: <20260422222432.7211-1-wanjay@amazon.com>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 2c28769a51deb6022d7fbd499987e237a01dd63a ]
+
+If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call
+at the front of the recvmsg queue already has its mutex locked, it
+requeues the call - whether or not the call is already queued. The call
+may be on the queue because MSG_PEEK was also passed and so the call was
+not dequeued or because the I/O thread requeued it.
+
+The unconditional requeue may then corrupt the recvmsg queue, leading to
+things like UAFs or refcount underruns.
+
+Fix this by only requeuing the call if it isn't already on the queue -
+and moving it to the front if it is already queued. If we don't queue
+it, we have to put the ref we obtained by dequeuing it.
+
+Also, MSG_PEEK doesn't dequeue the call so shouldn't call
+rxrpc_notify_socket() for the call if we didn't use up all the data on
+the queue, so fix that also.
+
+Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
+Reported-by: Faith <faith@zellic.io>
+Reported-by: Pumpkin Chang <pumpkin@devco.re>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: stable@vger.kernel.org
+[Adapted to 5.15: use write_lock_bh/write_unlock_bh, trace_rxrpc_call
+ directly for see-call tracing, 5.15 trace enum naming convention, and
+ added entries to both plain enum and EM() macro list.]
+Signed-off-by: Jay Wang <wanjay@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/rxrpc.h | 8 ++++++++
+ net/rxrpc/recvmsg.c | 22 ++++++++++++++++++----
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -93,9 +93,13 @@ enum rxrpc_call_trace {
+ rxrpc_call_put_notimer,
+ rxrpc_call_put_timer,
+ rxrpc_call_put_userid,
++ rxrpc_call_put_recvmsg_peek_nowait,
+ rxrpc_call_queued,
+ rxrpc_call_queued_ref,
+ rxrpc_call_release,
++ rxrpc_call_see_recvmsg_requeue,
++ rxrpc_call_see_recvmsg_requeue_first,
++ rxrpc_call_see_recvmsg_requeue_move,
+ rxrpc_call_seen,
+ };
+
+@@ -291,9 +295,13 @@ enum rxrpc_tx_point {
+ EM(rxrpc_call_put_notimer, "PnT") \
+ EM(rxrpc_call_put_timer, "PTM") \
+ EM(rxrpc_call_put_userid, "Pus") \
++ EM(rxrpc_call_put_recvmsg_peek_nowait, "PpN") \
+ EM(rxrpc_call_queued, "QUE") \
+ EM(rxrpc_call_queued_ref, "QUR") \
+ EM(rxrpc_call_release, "RLS") \
++ EM(rxrpc_call_see_recvmsg_requeue, "SrQ") \
++ EM(rxrpc_call_see_recvmsg_requeue_first,"SrF") \
++ EM(rxrpc_call_see_recvmsg_requeue_move, "SrM") \
+ E_(rxrpc_call_seen, "SEE")
+
+ #define rxrpc_transmit_traces \
+--- a/net/rxrpc/recvmsg.c
++++ b/net/rxrpc/recvmsg.c
+@@ -607,7 +607,8 @@ try_again:
+
+ if (after(call->rx_top, call->rx_hard_ack) &&
+ call->rxtx_buffer[(call->rx_hard_ack + 1) & RXRPC_RXTX_BUFF_MASK])
+- rxrpc_notify_socket(call);
++ if (!(flags & MSG_PEEK))
++ rxrpc_notify_socket(call);
+ break;
+ default:
+ ret = 0;
+@@ -642,11 +643,24 @@ error_unlock_call:
+ error_requeue_call:
+ if (!(flags & MSG_PEEK)) {
+ write_lock_bh(&rx->recvmsg_lock);
+- list_add(&call->recvmsg_link, &rx->recvmsg_q);
+- write_unlock_bh(&rx->recvmsg_lock);
++ if (list_empty(&call->recvmsg_link)) {
++ list_add(&call->recvmsg_link, &rx->recvmsg_q);
++ trace_rxrpc_call(call->debug_id,
++ rxrpc_call_see_recvmsg_requeue,
++ refcount_read(&call->ref),
++ __builtin_return_address(0), NULL);
++ write_unlock_bh(&rx->recvmsg_lock);
++ } else if (list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) {
++ write_unlock_bh(&rx->recvmsg_lock);
++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first);
++ } else {
++ list_move(&call->recvmsg_link, &rx->recvmsg_q);
++ write_unlock_bh(&rx->recvmsg_lock);
++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move);
++ }
+ trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0);
+ } else {
+- rxrpc_put_call(call, rxrpc_call_put);
++ rxrpc_put_call(call, rxrpc_call_put_recvmsg_peek_nowait);
+ }
+ error_no_call:
+ release_sock(&rx->sk);
f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_blocks-in-lfs-mode.patch
sunrpc-lock-against-sock-changing-during-sysfs-read.patch
net-usb-lan78xx-fix-double-free-issue-with-interrupt-buffer-allocation.patch
+btrfs-lock-the-inode-in-shared-mode-before-starting-fiemap.patch
+fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch
+rxrpc-fix-recvmsg-unconditional-requeue.patch
+cpufreq-governor-free-dbs_data-directly-when-gov-init-fails.patch
+cpufreq-governor-fix-double-free-in-cpufreq_dbs_governor_init-error-path.patch
+md-md-bitmap-synchronize-bitmap_get_stats-with-bitmap-lifetime.patch
+fbdev-efifb-register-sysfs-groups-through-driver-core.patch
+net-clear-the-dst-when-changing-skb-protocol.patch
+cpufreq-avoid-a-bad-reference-count-on-cpu-node.patch
+drivers-base-free-devm-resources-when-unregistering-a-device.patch
+revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
