--- /dev/null
+From 69a79ada8eb034ce016b5b78fb7d08d8687223de Mon Sep 17 00:00:00 2001
+From: Karol Wachowski <karol.wachowski@intel.com>
+Date: Fri, 8 Aug 2025 13:09:39 +0200
+Subject: accel/ivpu: Prevent recovery work from being queued during device removal
+
+From: Karol Wachowski <karol.wachowski@intel.com>
+
+commit 69a79ada8eb034ce016b5b78fb7d08d8687223de upstream.
+
+Use disable_work_sync() instead of cancel_work_sync() in ivpu_dev_fini()
+to ensure that no new recovery work items can be queued after device
+removal has started. Previously, recovery work could be scheduled even
+after canceling existing work, potentially leading to use-after-free
+bugs if recovery accessed freed resources.
+
+Rename ivpu_pm_cancel_recovery() to ivpu_pm_disable_recovery() to better
+reflect its new behavior.
+
+Fixes: 58cde80f45a2 ("accel/ivpu: Use dedicated work for job timeout detection")
+Cc: stable@vger.kernel.org # v6.8+
+Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
+Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Link: https://lore.kernel.org/r/20250808110939.328366-1-jacek.lawrynowicz@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_drv.c | 2 +-
+ drivers/accel/ivpu/ivpu_pm.c | 4 ++--
+ drivers/accel/ivpu/ivpu_pm.h | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/accel/ivpu/ivpu_drv.c
++++ b/drivers/accel/ivpu/ivpu_drv.c
+@@ -689,7 +689,7 @@ static void ivpu_bo_unbind_all_user_cont
+ static void ivpu_dev_fini(struct ivpu_device *vdev)
+ {
+ ivpu_jobs_abort_all(vdev);
+- ivpu_pm_cancel_recovery(vdev);
++ ivpu_pm_disable_recovery(vdev);
+ ivpu_pm_disable(vdev);
+ ivpu_prepare_for_reset(vdev);
+ ivpu_shutdown(vdev);
+--- a/drivers/accel/ivpu/ivpu_pm.c
++++ b/drivers/accel/ivpu/ivpu_pm.c
+@@ -382,10 +382,10 @@ void ivpu_pm_init(struct ivpu_device *vd
+ ivpu_dbg(vdev, PM, "Autosuspend delay = %d\n", delay);
+ }
+
+-void ivpu_pm_cancel_recovery(struct ivpu_device *vdev)
++void ivpu_pm_disable_recovery(struct ivpu_device *vdev)
+ {
+ drm_WARN_ON(&vdev->drm, delayed_work_pending(&vdev->pm->job_timeout_work));
+- cancel_work_sync(&vdev->pm->recovery_work);
++ disable_work_sync(&vdev->pm->recovery_work);
+ }
+
+ void ivpu_pm_enable(struct ivpu_device *vdev)
+--- a/drivers/accel/ivpu/ivpu_pm.h
++++ b/drivers/accel/ivpu/ivpu_pm.h
+@@ -25,7 +25,7 @@ struct ivpu_pm_info {
+ void ivpu_pm_init(struct ivpu_device *vdev);
+ void ivpu_pm_enable(struct ivpu_device *vdev);
+ void ivpu_pm_disable(struct ivpu_device *vdev);
+-void ivpu_pm_cancel_recovery(struct ivpu_device *vdev);
++void ivpu_pm_disable_recovery(struct ivpu_device *vdev);
+
+ int ivpu_pm_suspend_cb(struct device *dev);
+ int ivpu_pm_resume_cb(struct device *dev);
--- /dev/null
+From f3ef7110924b897f4b79db9f7ac75d319ec09c4a Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Thu, 28 Aug 2025 19:22:43 +0800
+Subject: ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit f3ef7110924b897f4b79db9f7ac75d319ec09c4a upstream.
+
+If krealloc_array() fails in iort_rmr_alloc_sids(), the function returns
+NULL but does not free the original 'sids' allocation. This results in a
+memory leak since the caller overwrites the original pointer with the
+NULL return value.
+
+Fixes: 491cf4a6735a ("ACPI/IORT: Add support to retrieve IORT RMR reserved regions")
+Cc: <stable@vger.kernel.org> # 6.0.x
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
+Link: https://lore.kernel.org/r/20250828112243.61460-1-linmq006@gmail.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/arm64/iort.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/arm64/iort.c
++++ b/drivers/acpi/arm64/iort.c
+@@ -937,8 +937,10 @@ static u32 *iort_rmr_alloc_sids(u32 *sid
+
+ new_sids = krealloc_array(sids, count + new_count,
+ sizeof(*new_sids), GFP_KERNEL);
+- if (!new_sids)
++ if (!new_sids) {
++ kfree(sids);
+ return NULL;
++ }
+
+ for (i = count; i < total_count; i++)
+ new_sids[i] = id_start++;
--- /dev/null
+From 9c6182843b0d02ca04cc1d946954a65a2286c7db Mon Sep 17 00:00:00 2001
+From: Cryolitia PukNgae <cryolitia@uniontech.com>
+Date: Fri, 22 Aug 2025 20:58:08 +0800
+Subject: ALSA: usb-audio: Add mute TLV for playback volumes on some devices
+
+From: Cryolitia PukNgae <cryolitia@uniontech.com>
+
+commit 9c6182843b0d02ca04cc1d946954a65a2286c7db upstream.
+
+Applying the quirk of that, the lowest Playback mixer volume setting
+mutes the audio output, on more devices.
+
+Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/2514
+Cc: <stable@vger.kernel.org>
+Tested-by: Guoli An <anguoli@uniontech.com>
+Signed-off-by: Cryolitia PukNgae <cryolitia@uniontech.com>
+Link: https://patch.msgid.link/20250822-mixer-quirk-v1-1-b19252239c1c@uniontech.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -4212,9 +4212,11 @@ void snd_usb_mixer_fu_apply_quirk(struct
+ snd_dragonfly_quirk_db_scale(mixer, cval, kctl);
+ break;
+ /* lowest playback value is muted on some devices */
++ case USB_ID(0x0572, 0x1b09): /* Conexant Systems (Rockwell), Inc. */
+ case USB_ID(0x0d8c, 0x000c): /* C-Media */
+ case USB_ID(0x0d8c, 0x0014): /* C-Media */
+ case USB_ID(0x19f7, 0x0003): /* RODE NT-USB */
++ case USB_ID(0x2d99, 0x0026): /* HECATE G2 GAMING HEADSET */
+ if (strstr(kctl->id.name, "Playback"))
+ cval->min_mute = 1;
+ break;
--- /dev/null
+From a7ed7b9d0ebb038db9963d574da0311cab0b666a Mon Sep 17 00:00:00 2001
+From: panfan <panfan@qti.qualcomm.com>
+Date: Thu, 4 Sep 2025 20:22:36 -0700
+Subject: arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE
+
+From: panfan <panfan@qti.qualcomm.com>
+
+commit a7ed7b9d0ebb038db9963d574da0311cab0b666a upstream.
+
+On arm64, it has been possible for a module's sections to be placed more
+than 128M away from each other since commit:
+
+ commit 3e35d303ab7d ("arm64: module: rework module VA range selection")
+
+Due to this, an ftrace callsite in a module's .init.text section can be
+out of branch range for the module's ftrace PLT entry (in the module's
+.text section). Any attempt to enable tracing of that callsite will
+result in a BRK being patched into the callsite, resulting in a fatal
+exception when the callsite is later executed.
+
+Fix this by adding an additional trampoline for .init.text, which will
+be within range.
+
+No additional trampolines are necessary due to the way a given
+module's executable sections are packed together. Any executable
+section beginning with ".init" will be placed in MOD_INIT_TEXT,
+and any other executable section, including those beginning with ".exit",
+ will be placed in MOD_TEXT.
+
+Fixes: 3e35d303ab7d ("arm64: module: rework module VA range selection")
+Cc: <stable@vger.kernel.org> # 6.5.x
+Signed-off-by: panfan <panfan@qti.qualcomm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20250905032236.3220885-1-panfan@qti.qualcomm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/module.h | 1 +
+ arch/arm64/include/asm/module.lds.h | 1 +
+ arch/arm64/kernel/ftrace.c | 13 ++++++++++---
+ arch/arm64/kernel/module-plts.c | 12 +++++++++++-
+ arch/arm64/kernel/module.c | 11 +++++++++++
+ 5 files changed, 34 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/include/asm/module.h
++++ b/arch/arm64/include/asm/module.h
+@@ -19,6 +19,7 @@ struct mod_arch_specific {
+
+ /* for CONFIG_DYNAMIC_FTRACE */
+ struct plt_entry *ftrace_trampolines;
++ struct plt_entry *init_ftrace_trampolines;
+ };
+
+ u64 module_emit_plt_entry(struct module *mod, Elf64_Shdr *sechdrs,
+--- a/arch/arm64/include/asm/module.lds.h
++++ b/arch/arm64/include/asm/module.lds.h
+@@ -2,6 +2,7 @@ SECTIONS {
+ .plt 0 : { BYTE(0) }
+ .init.plt 0 : { BYTE(0) }
+ .text.ftrace_trampoline 0 : { BYTE(0) }
++ .init.text.ftrace_trampoline 0 : { BYTE(0) }
+
+ #ifdef CONFIG_KASAN_SW_TAGS
+ /*
+--- a/arch/arm64/kernel/ftrace.c
++++ b/arch/arm64/kernel/ftrace.c
+@@ -195,10 +195,17 @@ int ftrace_update_ftrace_func(ftrace_fun
+ return ftrace_modify_code(pc, 0, new, false);
+ }
+
+-static struct plt_entry *get_ftrace_plt(struct module *mod)
++static struct plt_entry *get_ftrace_plt(struct module *mod, unsigned long addr)
+ {
+ #ifdef CONFIG_MODULES
+- struct plt_entry *plt = mod->arch.ftrace_trampolines;
++ struct plt_entry *plt = NULL;
++
++ if (within_module_mem_type(addr, mod, MOD_INIT_TEXT))
++ plt = mod->arch.init_ftrace_trampolines;
++ else if (within_module_mem_type(addr, mod, MOD_TEXT))
++ plt = mod->arch.ftrace_trampolines;
++ else
++ return NULL;
+
+ return &plt[FTRACE_PLT_IDX];
+ #else
+@@ -270,7 +277,7 @@ static bool ftrace_find_callable_addr(st
+ if (WARN_ON(!mod))
+ return false;
+
+- plt = get_ftrace_plt(mod);
++ plt = get_ftrace_plt(mod, pc);
+ if (!plt) {
+ pr_err("ftrace: no module PLT for %ps\n", (void *)*addr);
+ return false;
+--- a/arch/arm64/kernel/module-plts.c
++++ b/arch/arm64/kernel/module-plts.c
+@@ -283,7 +283,7 @@ int module_frob_arch_sections(Elf_Ehdr *
+ unsigned long core_plts = 0;
+ unsigned long init_plts = 0;
+ Elf64_Sym *syms = NULL;
+- Elf_Shdr *pltsec, *tramp = NULL;
++ Elf_Shdr *pltsec, *tramp = NULL, *init_tramp = NULL;
+ int i;
+
+ /*
+@@ -298,6 +298,9 @@ int module_frob_arch_sections(Elf_Ehdr *
+ else if (!strcmp(secstrings + sechdrs[i].sh_name,
+ ".text.ftrace_trampoline"))
+ tramp = sechdrs + i;
++ else if (!strcmp(secstrings + sechdrs[i].sh_name,
++ ".init.text.ftrace_trampoline"))
++ init_tramp = sechdrs + i;
+ else if (sechdrs[i].sh_type == SHT_SYMTAB)
+ syms = (Elf64_Sym *)sechdrs[i].sh_addr;
+ }
+@@ -363,5 +366,12 @@ int module_frob_arch_sections(Elf_Ehdr *
+ tramp->sh_size = NR_FTRACE_PLTS * sizeof(struct plt_entry);
+ }
+
++ if (init_tramp) {
++ init_tramp->sh_type = SHT_NOBITS;
++ init_tramp->sh_flags = SHF_EXECINSTR | SHF_ALLOC;
++ init_tramp->sh_addralign = __alignof__(struct plt_entry);
++ init_tramp->sh_size = NR_FTRACE_PLTS * sizeof(struct plt_entry);
++ }
++
+ return 0;
+ }
+--- a/arch/arm64/kernel/module.c
++++ b/arch/arm64/kernel/module.c
+@@ -453,6 +453,17 @@ static int module_init_ftrace_plt(const
+ __init_plt(&plts[FTRACE_PLT_IDX], FTRACE_ADDR);
+
+ mod->arch.ftrace_trampolines = plts;
++
++ s = find_section(hdr, sechdrs, ".init.text.ftrace_trampoline");
++ if (!s)
++ return -ENOEXEC;
++
++ plts = (void *)s->sh_addr;
++
++ __init_plt(&plts[FTRACE_PLT_IDX], FTRACE_ADDR);
++
++ mod->arch.init_ftrace_trampolines = plts;
++
+ #endif
+ return 0;
+ }
--- /dev/null
+From 44822df89e8f3386871d9cad563ece8e2fd8f0e7 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Tue, 12 Aug 2025 15:25:09 +0800
+Subject: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 44822df89e8f3386871d9cad563ece8e2fd8f0e7 upstream.
+
+In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to
+res and used in pci_bus_alloc_resource(). There is a dereference of res
+in pci_bus_alloc_resource(), which could lead to a NULL pointer
+dereference on failure of pcmcia_make_resource().
+
+Fix this bug by adding a check of res.
+
+Cc: stable@vger.kernel.org
+Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pcmcia/rsrc_iodyn.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pcmcia/rsrc_iodyn.c
++++ b/drivers/pcmcia/rsrc_iodyn.c
+@@ -62,6 +62,9 @@ static struct resource *__iodyn_find_io_
+ unsigned long min = base;
+ int ret;
+
++ if (!res)
++ return NULL;
++
+ data.mask = align - 1;
+ data.offset = base & data.mask;
+
ppp-fix-memory-leak-in-pad_compress_skb.patch
selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch
phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch
+alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch
+accel-ivpu-prevent-recovery-work-from-being-queued-during-device-removal.patch
+acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch
+arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch
+pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
