--- /dev/null
+From stable+bounces-187844-greg=kroah.com@vger.kernel.org Sat Oct 18 17:14:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 11:14:10 -0400
+Subject: cdx: Fix device node reference leak in cdx_msi_domain_init
+To: stable@vger.kernel.org
+Cc: Miaoqian Lin <linmq006@gmail.com>, Nipun Gupta <nipun.gupta@amd.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018151410.809778-2-sashal@kernel.org>
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 76254bc489d39dae9a3427f0984fe64213d20548 ]
+
+Add missing of_node_put() call to release
+the device node reference obtained via of_parse_phandle().
+
+Fixes: 0e439ba38e61 ("cdx: add MSI support for CDX bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Acked-by: Nipun Gupta <nipun.gupta@amd.com>
+Link: https://lore.kernel.org/r/20250902084933.2418264-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cdx/cdx_msi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/cdx/cdx_msi.c
++++ b/drivers/cdx/cdx_msi.c
+@@ -174,6 +174,7 @@ struct irq_domain *cdx_msi_domain_init(s
+ }
+
+ parent = irq_find_matching_fwnode(of_fwnode_handle(parent_node), DOMAIN_BUS_NEXUS);
++ of_node_put(parent_node);
+ if (!parent || !msi_get_domain_info(parent)) {
+ dev_err(dev, "unable to locate ITS domain\n");
+ return NULL;
--- /dev/null
+From stable+bounces-187850-greg=kroah.com@vger.kernel.org Sat Oct 18 18:13:48 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 12:13:41 -0400
+Subject: cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay
+To: stable@vger.kernel.org
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, "Mario Limonciello (AMD)" <superm1@kernel.org>, Jie Zhan <zhanjie9@hisilicon.com>, Viresh Kumar <viresh.kumar@linaro.org>, Qais Yousef <qyousef@layalina.io>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018161341.836384-1-sashal@kernel.org>
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit f965d111e68f4a993cc44d487d416e3d954eea11 ]
+
+If cppc_get_transition_latency() returns CPUFREQ_ETERNAL to indicate a
+failure to retrieve the transition latency value from the platform
+firmware, the CPPC cpufreq driver will use that value (converted to
+microseconds) as the policy transition delay, but it is way too large
+for any practical use.
+
+Address this by making the driver use the cpufreq's default
+transition latency value (in microseconds) as the transition delay
+if CPUFREQ_ETERNAL is returned by cppc_get_transition_latency().
+
+Fixes: d4f3388afd48 ("cpufreq / CPPC: Set platform specific transition_delay_us")
+Cc: 5.19+ <stable@vger.kernel.org> # 5.19
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Reviewed-by: Jie Zhan <zhanjie9@hisilicon.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Qais Yousef <qyousef@layalina.io>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -339,6 +339,16 @@ static int cppc_verify_policy(struct cpu
+ return 0;
+ }
+
++static unsigned int __cppc_cpufreq_get_transition_delay_us(unsigned int cpu)
++{
++ unsigned int transition_latency_ns = cppc_get_transition_latency(cpu);
++
++ if (transition_latency_ns == CPUFREQ_ETERNAL)
++ return CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS / NSEC_PER_USEC;
++
++ return transition_latency_ns / NSEC_PER_USEC;
++}
++
+ /*
+ * The PCC subspace describes the rate at which platform can accept commands
+ * on the shared PCC channel (including READs which do not count towards freq
+@@ -361,12 +371,12 @@ static unsigned int cppc_cpufreq_get_tra
+ return 10000;
+ }
+ }
+- return cppc_get_transition_latency(cpu) / NSEC_PER_USEC;
++ return __cppc_cpufreq_get_transition_delay_us(cpu);
+ }
+ #else
+ static unsigned int cppc_cpufreq_get_transition_delay_us(unsigned int cpu)
+ {
+- return cppc_get_transition_latency(cpu) / NSEC_PER_USEC;
++ return __cppc_cpufreq_get_transition_delay_us(cpu);
+ }
+ #endif
+
--- /dev/null
+From c760bcda83571e07b72c10d9da175db5051ed971 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 25 Sep 2025 14:10:57 -0500
+Subject: drm/amd: Check whether secure display TA loaded successfully
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit c760bcda83571e07b72c10d9da175db5051ed971 upstream.
+
+[Why]
+Not all renoir hardware supports secure display. If the TA is present
+but the feature isn't supported it will fail to load or send commands.
+This shows ERR messages to the user that make it seems like there is
+a problem.
+
+[How]
+Check the resp_status of the context to see if there was an error
+before trying to send any secure display commands.
+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1415
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Adrian Yip <adrian.ytw@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -2171,7 +2171,7 @@ static int psp_securedisplay_initialize(
+ }
+
+ ret = psp_ta_load(psp, &psp->securedisplay_context.context);
+- if (!ret) {
++ if (!ret && !psp->securedisplay_context.context.resp_status) {
+ psp->securedisplay_context.context.initialized = true;
+ mutex_init(&psp->securedisplay_context.mutex);
+ } else
--- /dev/null
+From stable+bounces-187782-greg=kroah.com@vger.kernel.org Sat Oct 18 04:07:06 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 22:05:13 -0400
+Subject: drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in functions
+To: stable@vger.kernel.org
+Cc: Kaustabh Chakraborty <kauschluss@disroot.org>, Inki Dae <inki.dae@samsung.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018020515.208843-1-sashal@kernel.org>
+
+From: Kaustabh Chakraborty <kauschluss@disroot.org>
+
+[ Upstream commit d31bbacf783daf1e71fbe5c68df93550c446bf44 ]
+
+Modify the functions to accept a pointer to struct decon_context
+instead.
+
+Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Stable-dep-of: e1361a4f1be9 ("drm/exynos: exynos7_drm_decon: remove ctx->suspended")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos7_drm_decon.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c
++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c
+@@ -81,10 +81,8 @@ static const enum drm_plane_type decon_w
+ DRM_PLANE_TYPE_CURSOR,
+ };
+
+-static void decon_wait_for_vblank(struct exynos_drm_crtc *crtc)
++static void decon_wait_for_vblank(struct decon_context *ctx)
+ {
+- struct decon_context *ctx = crtc->ctx;
+-
+ if (ctx->suspended)
+ return;
+
+@@ -100,9 +98,8 @@ static void decon_wait_for_vblank(struct
+ DRM_DEV_DEBUG_KMS(ctx->dev, "vblank wait timed out.\n");
+ }
+
+-static void decon_clear_channels(struct exynos_drm_crtc *crtc)
++static void decon_clear_channels(struct decon_context *ctx)
+ {
+- struct decon_context *ctx = crtc->ctx;
+ unsigned int win, ch_enabled = 0;
+
+ /* Check if any channel is enabled. */
+@@ -118,7 +115,7 @@ static void decon_clear_channels(struct
+
+ /* Wait for vsync, as disable channel takes effect at next vsync */
+ if (ch_enabled)
+- decon_wait_for_vblank(ctx->crtc);
++ decon_wait_for_vblank(ctx);
+ }
+
+ static int decon_ctx_initialize(struct decon_context *ctx,
+@@ -126,7 +123,7 @@ static int decon_ctx_initialize(struct d
+ {
+ ctx->drm_dev = drm_dev;
+
+- decon_clear_channels(ctx->crtc);
++ decon_clear_channels(ctx);
+
+ return exynos_drm_register_dma(drm_dev, ctx->dev, &ctx->dma_priv);
+ }
--- /dev/null
+From stable+bounces-187783-greg=kroah.com@vger.kernel.org Sat Oct 18 04:07:23 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 22:05:14 -0400
+Subject: drm/exynos: exynos7_drm_decon: properly clear channels during bind
+To: stable@vger.kernel.org
+Cc: Kaustabh Chakraborty <kauschluss@disroot.org>, Inki Dae <inki.dae@samsung.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018020515.208843-2-sashal@kernel.org>
+
+From: Kaustabh Chakraborty <kauschluss@disroot.org>
+
+[ Upstream commit 5f1a453974204175f20b3788824a0fe23cc36f79 ]
+
+The DECON channels are not cleared properly as the windows aren't
+shadow protected. When accompanied with an IOMMU, it pagefaults, and
+the kernel panics.
+
+Implement shadow protect/unprotect, along with a standalone update,
+for channel clearing to properly take effect.
+
+Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Stable-dep-of: e1361a4f1be9 ("drm/exynos: exynos7_drm_decon: remove ctx->suspended")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos7_drm_decon.c | 55 ++++++++++++++++-------------
+ 1 file changed, 32 insertions(+), 23 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c
++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c
+@@ -81,6 +81,28 @@ static const enum drm_plane_type decon_w
+ DRM_PLANE_TYPE_CURSOR,
+ };
+
++/**
++ * decon_shadow_protect_win() - disable updating values from shadow registers at vsync
++ *
++ * @ctx: display and enhancement controller context
++ * @win: window to protect registers for
++ * @protect: 1 to protect (disable updates)
++ */
++static void decon_shadow_protect_win(struct decon_context *ctx,
++ unsigned int win, bool protect)
++{
++ u32 bits, val;
++
++ bits = SHADOWCON_WINx_PROTECT(win);
++
++ val = readl(ctx->regs + SHADOWCON);
++ if (protect)
++ val |= bits;
++ else
++ val &= ~bits;
++ writel(val, ctx->regs + SHADOWCON);
++}
++
+ static void decon_wait_for_vblank(struct decon_context *ctx)
+ {
+ if (ctx->suspended)
+@@ -101,18 +123,27 @@ static void decon_wait_for_vblank(struct
+ static void decon_clear_channels(struct decon_context *ctx)
+ {
+ unsigned int win, ch_enabled = 0;
++ u32 val;
+
+ /* Check if any channel is enabled. */
+ for (win = 0; win < WINDOWS_NR; win++) {
+- u32 val = readl(ctx->regs + WINCON(win));
++ val = readl(ctx->regs + WINCON(win));
+
+ if (val & WINCONx_ENWIN) {
++ decon_shadow_protect_win(ctx, win, true);
++
+ val &= ~WINCONx_ENWIN;
+ writel(val, ctx->regs + WINCON(win));
+ ch_enabled = 1;
++
++ decon_shadow_protect_win(ctx, win, false);
+ }
+ }
+
++ val = readl(ctx->regs + DECON_UPDATE);
++ val |= DECON_UPDATE_STANDALONE_F;
++ writel(val, ctx->regs + DECON_UPDATE);
++
+ /* Wait for vsync, as disable channel takes effect at next vsync */
+ if (ch_enabled)
+ decon_wait_for_vblank(ctx);
+@@ -340,28 +371,6 @@ static void decon_win_set_colkey(struct
+ writel(keycon1, ctx->regs + WKEYCON1_BASE(win));
+ }
+
+-/**
+- * decon_shadow_protect_win() - disable updating values from shadow registers at vsync
+- *
+- * @ctx: display and enhancement controller context
+- * @win: window to protect registers for
+- * @protect: 1 to protect (disable updates)
+- */
+-static void decon_shadow_protect_win(struct decon_context *ctx,
+- unsigned int win, bool protect)
+-{
+- u32 bits, val;
+-
+- bits = SHADOWCON_WINx_PROTECT(win);
+-
+- val = readl(ctx->regs + SHADOWCON);
+- if (protect)
+- val |= bits;
+- else
+- val &= ~bits;
+- writel(val, ctx->regs + SHADOWCON);
+-}
+-
+ static void decon_atomic_begin(struct exynos_drm_crtc *crtc)
+ {
+ struct decon_context *ctx = crtc->ctx;
--- /dev/null
+From stable+bounces-187784-greg=kroah.com@vger.kernel.org Sat Oct 18 04:07:25 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 22:05:15 -0400
+Subject: drm/exynos: exynos7_drm_decon: remove ctx->suspended
+To: stable@vger.kernel.org
+Cc: Kaustabh Chakraborty <kauschluss@disroot.org>, Inki Dae <inki.dae@samsung.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018020515.208843-3-sashal@kernel.org>
+
+From: Kaustabh Chakraborty <kauschluss@disroot.org>
+
+[ Upstream commit e1361a4f1be9cb69a662c6d7b5ce218007d6e82b ]
+
+Condition guards are found to be redundant, as the call flow is properly
+managed now, as also observed in the Exynos5433 DECON driver. Since
+state checking is no longer necessary, remove it.
+
+This also fixes an issue which prevented decon_commit() from
+decon_atomic_enable() due to an incorrect state change setting.
+
+Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver")
+Cc: stable@vger.kernel.org
+Suggested-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos7_drm_decon.c | 36 -----------------------------
+ 1 file changed, 36 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c
++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c
+@@ -51,7 +51,6 @@ struct decon_context {
+ void __iomem *regs;
+ unsigned long irq_flags;
+ bool i80_if;
+- bool suspended;
+ wait_queue_head_t wait_vsync_queue;
+ atomic_t wait_vsync_event;
+
+@@ -105,9 +104,6 @@ static void decon_shadow_protect_win(str
+
+ static void decon_wait_for_vblank(struct decon_context *ctx)
+ {
+- if (ctx->suspended)
+- return;
+-
+ atomic_set(&ctx->wait_vsync_event, 1);
+
+ /*
+@@ -183,9 +179,6 @@ static void decon_commit(struct exynos_d
+ struct drm_display_mode *mode = &crtc->base.state->adjusted_mode;
+ u32 val, clkdiv;
+
+- if (ctx->suspended)
+- return;
+-
+ /* nothing to do if we haven't set the mode yet */
+ if (mode->htotal == 0 || mode->vtotal == 0)
+ return;
+@@ -247,9 +240,6 @@ static int decon_enable_vblank(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ u32 val;
+
+- if (ctx->suspended)
+- return -EPERM;
+-
+ if (!test_and_set_bit(0, &ctx->irq_flags)) {
+ val = readl(ctx->regs + VIDINTCON0);
+
+@@ -272,9 +262,6 @@ static void decon_disable_vblank(struct
+ struct decon_context *ctx = crtc->ctx;
+ u32 val;
+
+- if (ctx->suspended)
+- return;
+-
+ if (test_and_clear_bit(0, &ctx->irq_flags)) {
+ val = readl(ctx->regs + VIDINTCON0);
+
+@@ -376,9 +363,6 @@ static void decon_atomic_begin(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ for (i = 0; i < WINDOWS_NR; i++)
+ decon_shadow_protect_win(ctx, i, true);
+ }
+@@ -398,9 +382,6 @@ static void decon_update_plane(struct ex
+ unsigned int cpp = fb->format->cpp[0];
+ unsigned int pitch = fb->pitches[0];
+
+- if (ctx->suspended)
+- return;
+-
+ /*
+ * SHADOWCON/PRTCON register is used for enabling timing.
+ *
+@@ -488,9 +469,6 @@ static void decon_disable_plane(struct e
+ unsigned int win = plane->index;
+ u32 val;
+
+- if (ctx->suspended)
+- return;
+-
+ /* protect windows */
+ decon_shadow_protect_win(ctx, win, true);
+
+@@ -509,9 +487,6 @@ static void decon_atomic_flush(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ for (i = 0; i < WINDOWS_NR; i++)
+ decon_shadow_protect_win(ctx, i, false);
+ exynos_crtc_handle_event(crtc);
+@@ -539,9 +514,6 @@ static void decon_atomic_enable(struct e
+ struct decon_context *ctx = crtc->ctx;
+ int ret;
+
+- if (!ctx->suspended)
+- return;
+-
+ ret = pm_runtime_resume_and_get(ctx->dev);
+ if (ret < 0) {
+ DRM_DEV_ERROR(ctx->dev, "failed to enable DECON device.\n");
+@@ -555,8 +527,6 @@ static void decon_atomic_enable(struct e
+ decon_enable_vblank(ctx->crtc);
+
+ decon_commit(ctx->crtc);
+-
+- ctx->suspended = false;
+ }
+
+ static void decon_atomic_disable(struct exynos_drm_crtc *crtc)
+@@ -564,9 +534,6 @@ static void decon_atomic_disable(struct
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ /*
+ * We need to make sure that all windows are disabled before we
+ * suspend that connector. Otherwise we might try to scan from
+@@ -576,8 +543,6 @@ static void decon_atomic_disable(struct
+ decon_disable_plane(crtc, &ctx->planes[i]);
+
+ pm_runtime_put_sync(ctx->dev);
+-
+- ctx->suspended = true;
+ }
+
+ static const struct exynos_drm_crtc_ops decon_crtc_ops = {
+@@ -698,7 +663,6 @@ static int decon_probe(struct platform_d
+ return -ENOMEM;
+
+ ctx->dev = dev;
+- ctx->suspended = true;
+
+ i80_if_timings = of_get_child_by_name(dev->of_node, "i80-if-timings");
+ if (i80_if_timings)
--- /dev/null
+From stable+bounces-187794-greg=kroah.com@vger.kernel.org Sat Oct 18 04:28:45 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 22:28:32 -0400
+Subject: drm/msm/a6xx: Fix PDC sleep sequence
+To: stable@vger.kernel.org
+Cc: Akhil P Oommen <akhilpo@oss.qualcomm.com>, Rob Clark <robin.clark@oss.qualcomm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018022832.219177-1-sashal@kernel.org>
+
+From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+
+[ Upstream commit f248d5d5159a88ded55329f0b1b463d0f4094228 ]
+
+Since the PDC resides out of the GPU subsystem and cannot be reset in
+case it enters bad state, utmost care must be taken to trigger the PDC
+wake/sleep routines in the correct order.
+
+The PDC wake sequence can be exercised only after a PDC sleep sequence.
+Additionally, GMU firmware should initialize a few registers before the
+KMD can trigger a PDC sleep sequence. So PDC sleep can't be done if the
+GMU firmware has not initialized. Track these dependencies using a new
+status variable and trigger PDC sleep/wake sequences appropriately.
+
+Cc: stable@vger.kernel.org
+Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support")
+Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/673362/
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 28 +++++++++++++++++-----------
+ drivers/gpu/drm/msm/adreno/a6xx_gmu.h | 6 ++++++
+ 2 files changed, 23 insertions(+), 11 deletions(-)
+
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c
+@@ -236,6 +236,8 @@ static int a6xx_gmu_start(struct a6xx_gm
+ if (ret)
+ DRM_DEV_ERROR(gmu->dev, "GMU firmware initialization timed out\n");
+
++ set_bit(GMU_STATUS_FW_START, &gmu->status);
++
+ return ret;
+ }
+
+@@ -482,6 +484,9 @@ static int a6xx_rpmh_start(struct a6xx_g
+ int ret;
+ u32 val;
+
++ if (!test_and_clear_bit(GMU_STATUS_PDC_SLEEP, &gmu->status))
++ return 0;
++
+ gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, BIT(1));
+
+ ret = gmu_poll_timeout(gmu, REG_A6XX_GMU_RSCC_CONTROL_ACK, val,
+@@ -509,6 +514,9 @@ static void a6xx_rpmh_stop(struct a6xx_g
+ int ret;
+ u32 val;
+
++ if (test_and_clear_bit(GMU_STATUS_FW_START, &gmu->status))
++ return;
++
+ gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, 1);
+
+ ret = gmu_poll_timeout_rscc(gmu, REG_A6XX_GPU_RSCC_RSC_STATUS0_DRV0,
+@@ -517,6 +525,8 @@ static void a6xx_rpmh_stop(struct a6xx_g
+ DRM_DEV_ERROR(gmu->dev, "Unable to power off the GPU RSC\n");
+
+ gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, 0);
++
++ set_bit(GMU_STATUS_PDC_SLEEP, &gmu->status);
+ }
+
+ static inline void pdc_write(void __iomem *ptr, u32 offset, u32 value)
+@@ -645,8 +655,6 @@ setup_pdc:
+ /* ensure no writes happen before the uCode is fully written */
+ wmb();
+
+- a6xx_rpmh_stop(gmu);
+-
+ err:
+ if (!IS_ERR_OR_NULL(pdcptr))
+ iounmap(pdcptr);
+@@ -799,19 +807,15 @@ static int a6xx_gmu_fw_start(struct a6xx
+ else
+ gmu_write(gmu, REG_A6XX_GMU_GENERAL_7, 1);
+
+- if (state == GMU_WARM_BOOT) {
+- ret = a6xx_rpmh_start(gmu);
+- if (ret)
+- return ret;
+- } else {
++ ret = a6xx_rpmh_start(gmu);
++ if (ret)
++ return ret;
++
++ if (state == GMU_COLD_BOOT) {
+ if (WARN(!adreno_gpu->fw[ADRENO_FW_GMU],
+ "GMU firmware is not loaded\n"))
+ return -ENOENT;
+
+- ret = a6xx_rpmh_start(gmu);
+- if (ret)
+- return ret;
+-
+ ret = a6xx_gmu_fw_load(gmu);
+ if (ret)
+ return ret;
+@@ -980,6 +984,8 @@ static void a6xx_gmu_force_off(struct a6
+
+ /* Reset GPU core blocks */
+ a6xx_gpu_sw_reset(gpu, true);
++
++ a6xx_rpmh_stop(gmu);
+ }
+
+ static void a6xx_gmu_set_initial_freq(struct msm_gpu *gpu, struct a6xx_gmu *gmu)
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.h
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.h
+@@ -99,6 +99,12 @@ struct a6xx_gmu {
+ struct completion pd_gate;
+
+ struct qmp *qmp;
++
++/* To check if we can trigger sleep seq at PDC. Cleared in a6xx_rpmh_stop() */
++#define GMU_STATUS_FW_START 0
++/* To track if PDC sleep seq was done */
++#define GMU_STATUS_PDC_SLEEP 1
++ unsigned long status;
+ };
+
+ static inline u32 gmu_read(struct a6xx_gmu *gmu, u32 offset)
--- /dev/null
+From stable+bounces-187845-greg=kroah.com@vger.kernel.org Sat Oct 18 17:14:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 11:14:09 -0400
+Subject: irqdomain: cdx: Switch to of_fwnode_handle()
+To: stable@vger.kernel.org
+Cc: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>, Nipun Gupta <nipun.gupta@amd.com>, Nikhil Agarwal <nikhil.agarwal@amd.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018151410.809778-1-sashal@kernel.org>
+
+From: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
+
+[ Upstream commit 2a87a55f2281a1096d9e77ac6309b9128c107d97 ]
+
+of_node_to_fwnode() is irqdomain's reimplementation of the "officially"
+defined of_fwnode_handle(). The former is in the process of being
+removed, so use the latter instead.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Cc: Nipun Gupta <nipun.gupta@amd.com>
+Cc: Nikhil Agarwal <nikhil.agarwal@amd.com>
+Acked-by: Nipun Gupta <nipun.gupta@amd.com>
+Link: https://lore.kernel.org/r/20250415104734.106849-1-jirislaby@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 76254bc489d3 ("cdx: Fix device node reference leak in cdx_msi_domain_init")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cdx/cdx_msi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/cdx/cdx_msi.c
++++ b/drivers/cdx/cdx_msi.c
+@@ -165,7 +165,7 @@ struct irq_domain *cdx_msi_domain_init(s
+ struct device_node *parent_node;
+ struct irq_domain *parent;
+
+- fwnode_handle = of_node_to_fwnode(np);
++ fwnode_handle = of_fwnode_handle(np);
+
+ parent_node = of_parse_phandle(np, "msi-map", 1);
+ if (!parent_node) {
+@@ -173,7 +173,7 @@ struct irq_domain *cdx_msi_domain_init(s
+ return NULL;
+ }
+
+- parent = irq_find_matching_fwnode(of_node_to_fwnode(parent_node), DOMAIN_BUS_NEXUS);
++ parent = irq_find_matching_fwnode(of_fwnode_handle(parent_node), DOMAIN_BUS_NEXUS);
+ if (!parent || !msi_get_domain_info(parent)) {
+ dev_err(dev, "unable to locate ITS domain\n");
+ return NULL;
--- /dev/null
+From stable+bounces-187720-greg=kroah.com@vger.kernel.org Sat Oct 18 01:19:25 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 19:19:13 -0400
+Subject: media: nxp: imx8-isi: Drop unused argument to mxc_isi_channel_chain()
+To: stable@vger.kernel.org
+Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Frank Li <Frank.Li@nxp.com>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017231915.30718-1-sashal@kernel.org>
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 9a21ffeade25cbf310f5db39a1f9932695dd41bb ]
+
+The bypass argument to the mxc_isi_channel_chain() function is unused.
+Drop it.
+
+Link: https://lore.kernel.org/r/20250813225501.20762-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Stable-dep-of: 178aa3360220 ("media: nxp: imx8-isi: m2m: Fix streaming cleanup on release")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx8-isi/imx8-isi-core.h | 2 +-
+ drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c | 2 +-
+ drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 11 +++++------
+ drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c | 2 +-
+ 4 files changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.h
++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.h
+@@ -361,7 +361,7 @@ void mxc_isi_channel_get(struct mxc_isi_
+ void mxc_isi_channel_put(struct mxc_isi_pipe *pipe);
+ void mxc_isi_channel_enable(struct mxc_isi_pipe *pipe);
+ void mxc_isi_channel_disable(struct mxc_isi_pipe *pipe);
+-int mxc_isi_channel_chain(struct mxc_isi_pipe *pipe, bool bypass);
++int mxc_isi_channel_chain(struct mxc_isi_pipe *pipe);
+ void mxc_isi_channel_unchain(struct mxc_isi_pipe *pipe);
+
+ void mxc_isi_channel_config(struct mxc_isi_pipe *pipe,
+--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c
++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c
+@@ -587,7 +587,7 @@ void mxc_isi_channel_release(struct mxc_
+ *
+ * TODO: Support secondary line buffer for downscaling YUV420 images.
+ */
+-int mxc_isi_channel_chain(struct mxc_isi_pipe *pipe, bool bypass)
++int mxc_isi_channel_chain(struct mxc_isi_pipe *pipe)
+ {
+ /* Channel chaining requires both line and output buffer. */
+ const u8 resources = MXC_ISI_CHANNEL_RES_OUTPUT_BUF
+--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c
++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c
+@@ -493,7 +493,6 @@ static int mxc_isi_m2m_streamon(struct f
+ const struct mxc_isi_format_info *cap_info = ctx->queues.cap.info;
+ const struct mxc_isi_format_info *out_info = ctx->queues.out.info;
+ struct mxc_isi_m2m *m2m = ctx->m2m;
+- bool bypass;
+ int ret;
+
+ if (q->streaming)
+@@ -506,15 +505,15 @@ static int mxc_isi_m2m_streamon(struct f
+ goto unlock;
+ }
+
+- bypass = cap_pix->width == out_pix->width &&
+- cap_pix->height == out_pix->height &&
+- cap_info->encoding == out_info->encoding;
+-
+ /*
+ * Acquire the pipe and initialize the channel with the first user of
+ * the M2M device.
+ */
+ if (m2m->usage_count == 0) {
++ bool bypass = cap_pix->width == out_pix->width &&
++ cap_pix->height == out_pix->height &&
++ cap_info->encoding == out_info->encoding;
++
+ ret = mxc_isi_channel_acquire(m2m->pipe,
+ &mxc_isi_m2m_frame_write_done,
+ bypass);
+@@ -531,7 +530,7 @@ static int mxc_isi_m2m_streamon(struct f
+ * buffer chaining.
+ */
+ if (!ctx->chained && out_pix->width > MXC_ISI_MAX_WIDTH_UNCHAINED) {
+- ret = mxc_isi_channel_chain(m2m->pipe, bypass);
++ ret = mxc_isi_channel_chain(m2m->pipe);
+ if (ret)
+ goto deinit;
+
+--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c
++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c
+@@ -855,7 +855,7 @@ int mxc_isi_pipe_acquire(struct mxc_isi_
+
+ /* Chain the channel if needed for wide resolutions. */
+ if (sink_fmt->width > MXC_ISI_MAX_WIDTH_UNCHAINED) {
+- ret = mxc_isi_channel_chain(pipe, bypass);
++ ret = mxc_isi_channel_chain(pipe);
+ if (ret)
+ mxc_isi_channel_release(pipe);
+ }
--- /dev/null
+From stable+bounces-187721-greg=kroah.com@vger.kernel.org Sat Oct 18 01:19:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 19:19:14 -0400
+Subject: media: nxp: imx8-isi: m2m: Fix streaming cleanup on release
+To: stable@vger.kernel.org
+Cc: Guoniu Zhou <guoniu.zhou@nxp.com>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Frank Li <Frank.Li@nxp.com>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017231915.30718-2-sashal@kernel.org>
+
+From: Guoniu Zhou <guoniu.zhou@nxp.com>
+
+[ Upstream commit 178aa3360220231dd91e7dbc2eb984525886c9c1 ]
+
+If streamon/streamoff calls are imbalanced, such as when exiting an
+application with Ctrl+C when streaming, the m2m usage_count will never
+reach zero and the ISI channel won't be freed. Besides from that, if the
+input line width is more than 2K, it will trigger a WARN_ON():
+
+[ 59.222120] ------------[ cut here ]------------
+[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654
+[ 59.238569] Modules linked in: ap1302
+[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT
+[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT)
+[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120
+[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120
+[ 59.275047] sp : ffff8000848c3b40
+[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00
+[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001
+[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780
+[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000
+[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c
+[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30
+[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420
+[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000
+[ 59.349590] Call trace:
+[ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P)
+[ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c
+[ 59.361072] v4l_streamon+0x24/0x30
+[ 59.364556] __video_do_ioctl+0x40c/0x4a0
+[ 59.368560] video_usercopy+0x2bc/0x690
+[ 59.372382] video_ioctl2+0x18/0x24
+[ 59.375857] v4l2_ioctl+0x40/0x60
+[ 59.379168] __arm64_sys_ioctl+0xac/0x104
+[ 59.383172] invoke_syscall+0x48/0x104
+[ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0
+[ 59.391613] do_el0_svc+0x1c/0x28
+[ 59.394915] el0_svc+0x34/0xf4
+[ 59.397966] el0t_64_sync_handler+0xa0/0xe4
+[ 59.402143] el0t_64_sync+0x198/0x19c
+[ 59.405801] ---[ end trace 0000000000000000 ]---
+
+Address this issue by moving the streaming preparation and cleanup to
+the vb2 .prepare_streaming() and .unprepare_streaming() operations. This
+also simplifies the driver by allowing direct usage of the
+v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers.
+
+Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250821135123.29462-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Guoniu Zhou <guoniu.zhou@nxp.com>
+Co-developed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Tested-by: Guoniu Zhou <guoniu.zhou@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 224 ++++++++-------------
+ 1 file changed, 92 insertions(+), 132 deletions(-)
+
+--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c
++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c
+@@ -43,7 +43,6 @@ struct mxc_isi_m2m_ctx_queue_data {
+ struct v4l2_pix_format_mplane format;
+ const struct mxc_isi_format_info *info;
+ u32 sequence;
+- bool streaming;
+ };
+
+ struct mxc_isi_m2m_ctx {
+@@ -236,6 +235,65 @@ static void mxc_isi_m2m_vb2_buffer_queue
+ v4l2_m2m_buf_queue(ctx->fh.m2m_ctx, vbuf);
+ }
+
++static int mxc_isi_m2m_vb2_prepare_streaming(struct vb2_queue *q)
++{
++ struct mxc_isi_m2m_ctx *ctx = vb2_get_drv_priv(q);
++ const struct v4l2_pix_format_mplane *out_pix = &ctx->queues.out.format;
++ const struct v4l2_pix_format_mplane *cap_pix = &ctx->queues.cap.format;
++ const struct mxc_isi_format_info *cap_info = ctx->queues.cap.info;
++ const struct mxc_isi_format_info *out_info = ctx->queues.out.info;
++ struct mxc_isi_m2m *m2m = ctx->m2m;
++ int ret;
++
++ guard(mutex)(&m2m->lock);
++
++ if (m2m->usage_count == INT_MAX)
++ return -EOVERFLOW;
++
++ /*
++ * Acquire the pipe and initialize the channel with the first user of
++ * the M2M device.
++ */
++ if (m2m->usage_count == 0) {
++ bool bypass = cap_pix->width == out_pix->width &&
++ cap_pix->height == out_pix->height &&
++ cap_info->encoding == out_info->encoding;
++
++ ret = mxc_isi_channel_acquire(m2m->pipe,
++ &mxc_isi_m2m_frame_write_done,
++ bypass);
++ if (ret)
++ return ret;
++
++ mxc_isi_channel_get(m2m->pipe);
++ }
++
++ m2m->usage_count++;
++
++ /*
++ * Allocate resources for the channel, counting how many users require
++ * buffer chaining.
++ */
++ if (!ctx->chained && out_pix->width > MXC_ISI_MAX_WIDTH_UNCHAINED) {
++ ret = mxc_isi_channel_chain(m2m->pipe);
++ if (ret)
++ goto err_deinit;
++
++ m2m->chained_count++;
++ ctx->chained = true;
++ }
++
++ return 0;
++
++err_deinit:
++ if (--m2m->usage_count == 0) {
++ mxc_isi_channel_put(m2m->pipe);
++ mxc_isi_channel_release(m2m->pipe);
++ }
++
++ return ret;
++}
++
+ static int mxc_isi_m2m_vb2_start_streaming(struct vb2_queue *q,
+ unsigned int count)
+ {
+@@ -265,6 +323,35 @@ static void mxc_isi_m2m_vb2_stop_streami
+ }
+ }
+
++static void mxc_isi_m2m_vb2_unprepare_streaming(struct vb2_queue *q)
++{
++ struct mxc_isi_m2m_ctx *ctx = vb2_get_drv_priv(q);
++ struct mxc_isi_m2m *m2m = ctx->m2m;
++
++ guard(mutex)(&m2m->lock);
++
++ /*
++ * If the last context is this one, reset it to make sure the device
++ * will be reconfigured when streaming is restarted.
++ */
++ if (m2m->last_ctx == ctx)
++ m2m->last_ctx = NULL;
++
++ /* Free the channel resources if this is the last chained context. */
++ if (ctx->chained && --m2m->chained_count == 0)
++ mxc_isi_channel_unchain(m2m->pipe);
++ ctx->chained = false;
++
++ /* Turn off the light with the last user. */
++ if (--m2m->usage_count == 0) {
++ mxc_isi_channel_disable(m2m->pipe);
++ mxc_isi_channel_put(m2m->pipe);
++ mxc_isi_channel_release(m2m->pipe);
++ }
++
++ WARN_ON(m2m->usage_count < 0);
++}
++
+ static const struct vb2_ops mxc_isi_m2m_vb2_qops = {
+ .queue_setup = mxc_isi_m2m_vb2_queue_setup,
+ .buf_init = mxc_isi_m2m_vb2_buffer_init,
+@@ -272,8 +359,10 @@ static const struct vb2_ops mxc_isi_m2m_
+ .buf_queue = mxc_isi_m2m_vb2_buffer_queue,
+ .wait_prepare = vb2_ops_wait_prepare,
+ .wait_finish = vb2_ops_wait_finish,
++ .prepare_streaming = mxc_isi_m2m_vb2_prepare_streaming,
+ .start_streaming = mxc_isi_m2m_vb2_start_streaming,
+ .stop_streaming = mxc_isi_m2m_vb2_stop_streaming,
++ .unprepare_streaming = mxc_isi_m2m_vb2_unprepare_streaming,
+ };
+
+ static int mxc_isi_m2m_queue_init(void *priv, struct vb2_queue *src_vq,
+@@ -483,135 +572,6 @@ static int mxc_isi_m2m_s_fmt_vid(struct
+ return 0;
+ }
+
+-static int mxc_isi_m2m_streamon(struct file *file, void *fh,
+- enum v4l2_buf_type type)
+-{
+- struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(fh);
+- struct mxc_isi_m2m_ctx_queue_data *q = mxc_isi_m2m_ctx_qdata(ctx, type);
+- const struct v4l2_pix_format_mplane *out_pix = &ctx->queues.out.format;
+- const struct v4l2_pix_format_mplane *cap_pix = &ctx->queues.cap.format;
+- const struct mxc_isi_format_info *cap_info = ctx->queues.cap.info;
+- const struct mxc_isi_format_info *out_info = ctx->queues.out.info;
+- struct mxc_isi_m2m *m2m = ctx->m2m;
+- int ret;
+-
+- if (q->streaming)
+- return 0;
+-
+- mutex_lock(&m2m->lock);
+-
+- if (m2m->usage_count == INT_MAX) {
+- ret = -EOVERFLOW;
+- goto unlock;
+- }
+-
+- /*
+- * Acquire the pipe and initialize the channel with the first user of
+- * the M2M device.
+- */
+- if (m2m->usage_count == 0) {
+- bool bypass = cap_pix->width == out_pix->width &&
+- cap_pix->height == out_pix->height &&
+- cap_info->encoding == out_info->encoding;
+-
+- ret = mxc_isi_channel_acquire(m2m->pipe,
+- &mxc_isi_m2m_frame_write_done,
+- bypass);
+- if (ret)
+- goto unlock;
+-
+- mxc_isi_channel_get(m2m->pipe);
+- }
+-
+- m2m->usage_count++;
+-
+- /*
+- * Allocate resources for the channel, counting how many users require
+- * buffer chaining.
+- */
+- if (!ctx->chained && out_pix->width > MXC_ISI_MAX_WIDTH_UNCHAINED) {
+- ret = mxc_isi_channel_chain(m2m->pipe);
+- if (ret)
+- goto deinit;
+-
+- m2m->chained_count++;
+- ctx->chained = true;
+- }
+-
+- /*
+- * Drop the lock to start the stream, as the .device_run() operation
+- * needs to acquire it.
+- */
+- mutex_unlock(&m2m->lock);
+- ret = v4l2_m2m_ioctl_streamon(file, fh, type);
+- if (ret) {
+- /* Reacquire the lock for the cleanup path. */
+- mutex_lock(&m2m->lock);
+- goto unchain;
+- }
+-
+- q->streaming = true;
+-
+- return 0;
+-
+-unchain:
+- if (ctx->chained && --m2m->chained_count == 0)
+- mxc_isi_channel_unchain(m2m->pipe);
+- ctx->chained = false;
+-
+-deinit:
+- if (--m2m->usage_count == 0) {
+- mxc_isi_channel_put(m2m->pipe);
+- mxc_isi_channel_release(m2m->pipe);
+- }
+-
+-unlock:
+- mutex_unlock(&m2m->lock);
+- return ret;
+-}
+-
+-static int mxc_isi_m2m_streamoff(struct file *file, void *fh,
+- enum v4l2_buf_type type)
+-{
+- struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(fh);
+- struct mxc_isi_m2m_ctx_queue_data *q = mxc_isi_m2m_ctx_qdata(ctx, type);
+- struct mxc_isi_m2m *m2m = ctx->m2m;
+-
+- v4l2_m2m_ioctl_streamoff(file, fh, type);
+-
+- if (!q->streaming)
+- return 0;
+-
+- mutex_lock(&m2m->lock);
+-
+- /*
+- * If the last context is this one, reset it to make sure the device
+- * will be reconfigured when streaming is restarted.
+- */
+- if (m2m->last_ctx == ctx)
+- m2m->last_ctx = NULL;
+-
+- /* Free the channel resources if this is the last chained context. */
+- if (ctx->chained && --m2m->chained_count == 0)
+- mxc_isi_channel_unchain(m2m->pipe);
+- ctx->chained = false;
+-
+- /* Turn off the light with the last user. */
+- if (--m2m->usage_count == 0) {
+- mxc_isi_channel_disable(m2m->pipe);
+- mxc_isi_channel_put(m2m->pipe);
+- mxc_isi_channel_release(m2m->pipe);
+- }
+-
+- WARN_ON(m2m->usage_count < 0);
+-
+- mutex_unlock(&m2m->lock);
+-
+- q->streaming = false;
+-
+- return 0;
+-}
+-
+ static const struct v4l2_ioctl_ops mxc_isi_m2m_ioctl_ops = {
+ .vidioc_querycap = mxc_isi_m2m_querycap,
+
+@@ -632,8 +592,8 @@ static const struct v4l2_ioctl_ops mxc_i
+ .vidioc_prepare_buf = v4l2_m2m_ioctl_prepare_buf,
+ .vidioc_create_bufs = v4l2_m2m_ioctl_create_bufs,
+
+- .vidioc_streamon = mxc_isi_m2m_streamon,
+- .vidioc_streamoff = mxc_isi_m2m_streamoff,
++ .vidioc_streamon = v4l2_m2m_ioctl_streamon,
++ .vidioc_streamoff = v4l2_m2m_ioctl_streamoff,
+
+ .vidioc_subscribe_event = v4l2_ctrl_subscribe_event,
+ .vidioc_unsubscribe_event = v4l2_event_unsubscribe,
perf-core-fix-address-filter-match-with-backing-files.patch
perf-core-fix-mmap-event-path-names-with-backing-files.patch
perf-core-fix-mmap2-event-device-with-backing-files.patch
+drm-amd-check-whether-secure-display-ta-loaded-successfully.patch
+irqdomain-cdx-switch-to-of_fwnode_handle.patch
+cdx-fix-device-node-reference-leak-in-cdx_msi_domain_init.patch
+drm-msm-a6xx-fix-pdc-sleep-sequence.patch
+media-nxp-imx8-isi-drop-unused-argument-to-mxc_isi_channel_chain.patch
+media-nxp-imx8-isi-m2m-fix-streaming-cleanup-on-release.patch
+drm-exynos-exynos7_drm_decon-fix-uninitialized-crtc-reference-in-functions.patch
+drm-exynos-exynos7_drm_decon-properly-clear-channels-during-bind.patch
+drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch
+usb-gadget-store-endpoint-pointer-in-usb_request.patch
+usb-gadget-introduce-free_usb_request-helper.patch
+usb-gadget-f_ncm-refactor-bind-path-to-use-__free.patch
+usb-gadget-f_acm-refactor-bind-path-to-use-__free.patch
+usb-gadget-f_ecm-refactor-bind-path-to-use-__free.patch
+usb-gadget-f_rndis-refactor-bind-path-to-use-__free.patch
+cpufreq-cppc-avoid-using-cpufreq_eternal-as-transition-delay.patch
--- /dev/null
+From stable+bounces-187744-greg=kroah.com@vger.kernel.org Sat Oct 18 02:29:38 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 20:29:27 -0400
+Subject: usb: gadget: f_acm: Refactor bind path to use __free()
+To: stable@vger.kernel.org
+Cc: Kuen-Han Tsai <khtsai@google.com>, stable@kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018002927.85194-3-sashal@kernel.org>
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+[ Upstream commit 47b2116e54b4a854600341487e8b55249e926324 ]
+
+After an bind/unbind cycle, the acm->notify_req is left stale. If a
+subsequent bind fails, the unified error label attempts to free this
+stale request, leading to a NULL pointer dereference when accessing
+ep->ops->free_request.
+
+Refactor the error handling in the bind path to use the __free()
+automatic cleanup mechanism.
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+Call trace:
+ usb_ep_free_request+0x2c/0xec
+ gs_free_req+0x30/0x44
+ acm_bind+0x1b8/0x1f4
+ usb_add_function+0xcc/0x1f0
+ configfs_composite_bind+0x468/0x588
+ gadget_bind_driver+0x104/0x270
+ really_probe+0x190/0x374
+ __driver_probe_device+0xa0/0x12c
+ driver_probe_device+0x3c/0x218
+ __device_attach_driver+0x14c/0x188
+ bus_for_each_drv+0x10c/0x168
+ __device_attach+0xfc/0x198
+ device_initial_probe+0x14/0x24
+ bus_probe_device+0x94/0x11c
+ device_add+0x268/0x48c
+ usb_add_gadget+0x198/0x28c
+ dwc3_gadget_init+0x700/0x858
+ __dwc3_set_mode+0x3cc/0x664
+ process_scheduled_works+0x1d8/0x488
+ worker_thread+0x244/0x334
+ kthread+0x114/0x1bc
+ ret_from_fork+0x10/0x20
+
+Fixes: 1f1ba11b6494 ("usb gadget: issue notifications from ACM function")
+Cc: stable@kernel.org
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Link: https://lore.kernel.org/r/20250916-ready-v1-4-4997bf277548@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250916-ready-v1-4-4997bf277548@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_acm.c | 42 ++++++++++++++++--------------------
+ 1 file changed, 19 insertions(+), 23 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_acm.c
++++ b/drivers/usb/gadget/function/f_acm.c
+@@ -11,12 +11,15 @@
+
+ /* #define VERBOSE_DEBUG */
+
++#include <linux/cleanup.h>
+ #include <linux/slab.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+
++#include <linux/usb/gadget.h>
++
+ #include "u_serial.h"
+
+
+@@ -613,6 +616,7 @@ acm_bind(struct usb_configuration *c, st
+ struct usb_string *us;
+ int status;
+ struct usb_ep *ep;
++ struct usb_request *request __free(free_usb_request) = NULL;
+
+ /* REVISIT might want instance-specific strings to help
+ * distinguish instances ...
+@@ -630,7 +634,7 @@ acm_bind(struct usb_configuration *c, st
+ /* allocate instance-specific interface IDs, and patch descriptors */
+ status = usb_interface_id(c, f);
+ if (status < 0)
+- goto fail;
++ return status;
+ acm->ctrl_id = status;
+ acm_iad_descriptor.bFirstInterface = status;
+
+@@ -639,43 +643,41 @@ acm_bind(struct usb_configuration *c, st
+
+ status = usb_interface_id(c, f);
+ if (status < 0)
+- goto fail;
++ return status;
+ acm->data_id = status;
+
+ acm_data_interface_desc.bInterfaceNumber = status;
+ acm_union_desc.bSlaveInterface0 = status;
+ acm_call_mgmt_descriptor.bDataInterface = status;
+
+- status = -ENODEV;
+-
+ /* allocate instance-specific endpoints */
+ ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_in_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ acm->port.in = ep;
+
+ ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_out_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ acm->port.out = ep;
+
+ ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_notify_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ acm->notify = ep;
+
+ acm_iad_descriptor.bFunctionProtocol = acm->bInterfaceProtocol;
+ acm_control_interface_desc.bInterfaceProtocol = acm->bInterfaceProtocol;
+
+ /* allocate notification */
+- acm->notify_req = gs_alloc_req(ep,
+- sizeof(struct usb_cdc_notification) + 2,
+- GFP_KERNEL);
+- if (!acm->notify_req)
+- goto fail;
++ request = gs_alloc_req(ep,
++ sizeof(struct usb_cdc_notification) + 2,
++ GFP_KERNEL);
++ if (!request)
++ return -ENODEV;
+
+- acm->notify_req->complete = acm_cdc_notify_complete;
+- acm->notify_req->context = acm;
++ request->complete = acm_cdc_notify_complete;
++ request->context = acm;
+
+ /* support all relevant hardware speeds... we expect that when
+ * hardware is dual speed, all bulk-capable endpoints work at
+@@ -692,7 +694,9 @@ acm_bind(struct usb_configuration *c, st
+ status = usb_assign_descriptors(f, acm_fs_function, acm_hs_function,
+ acm_ss_function, acm_ss_function);
+ if (status)
+- goto fail;
++ return status;
++
++ acm->notify_req = no_free_ptr(request);
+
+ dev_dbg(&cdev->gadget->dev,
+ "acm ttyGS%d: IN/%s OUT/%s NOTIFY/%s\n",
+@@ -700,14 +704,6 @@ acm_bind(struct usb_configuration *c, st
+ acm->port.in->name, acm->port.out->name,
+ acm->notify->name);
+ return 0;
+-
+-fail:
+- if (acm->notify_req)
+- gs_free_req(acm->notify, acm->notify_req);
+-
+- ERROR(cdev, "%s/%p: can't bind, err %d\n", f->name, f, status);
+-
+- return status;
+ }
+
+ static void acm_unbind(struct usb_configuration *c, struct usb_function *f)
--- /dev/null
+From stable+bounces-187761-greg=kroah.com@vger.kernel.org Sat Oct 18 02:52:47 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 20:52:36 -0400
+Subject: usb: gadget: f_ecm: Refactor bind path to use __free()
+To: stable@vger.kernel.org
+Cc: Kuen-Han Tsai <khtsai@google.com>, stable@kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018005236.98052-3-sashal@kernel.org>
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+[ Upstream commit 42988380ac67c76bb9dff8f77d7ef3eefd50b7b5 ]
+
+After an bind/unbind cycle, the ecm->notify_req is left stale. If a
+subsequent bind fails, the unified error label attempts to free this
+stale request, leading to a NULL pointer dereference when accessing
+ep->ops->free_request.
+
+Refactor the error handling in the bind path to use the __free()
+automatic cleanup mechanism.
+
+Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function")
+Cc: stable@kernel.org
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Link: https://lore.kernel.org/r/20250916-ready-v1-5-4997bf277548@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250916-ready-v1-5-4997bf277548@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_ecm.c | 48 +++++++++++++++---------------------
+ 1 file changed, 20 insertions(+), 28 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -8,12 +8,15 @@
+
+ /* #define VERBOSE_DEBUG */
+
++#include <linux/cleanup.h>
+ #include <linux/slab.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/device.h>
+ #include <linux/etherdevice.h>
+
++#include <linux/usb/gadget.h>
++
+ #include "u_ether.h"
+ #include "u_ether_configfs.h"
+ #include "u_ecm.h"
+@@ -678,6 +681,7 @@ ecm_bind(struct usb_configuration *c, st
+ struct usb_ep *ep;
+
+ struct f_ecm_opts *ecm_opts;
++ struct usb_request *request __free(free_usb_request) = NULL;
+
+ if (!can_support_ecm(cdev->gadget))
+ return -EINVAL;
+@@ -711,7 +715,7 @@ ecm_bind(struct usb_configuration *c, st
+ /* allocate instance-specific interface IDs */
+ status = usb_interface_id(c, f);
+ if (status < 0)
+- goto fail;
++ return status;
+ ecm->ctrl_id = status;
+ ecm_iad_descriptor.bFirstInterface = status;
+
+@@ -720,24 +724,22 @@ ecm_bind(struct usb_configuration *c, st
+
+ status = usb_interface_id(c, f);
+ if (status < 0)
+- goto fail;
++ return status;
+ ecm->data_id = status;
+
+ ecm_data_nop_intf.bInterfaceNumber = status;
+ ecm_data_intf.bInterfaceNumber = status;
+ ecm_union_desc.bSlaveInterface0 = status;
+
+- status = -ENODEV;
+-
+ /* allocate instance-specific endpoints */
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_ecm_in_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ ecm->port.in_ep = ep;
+
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_ecm_out_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ ecm->port.out_ep = ep;
+
+ /* NOTE: a status/notification endpoint is *OPTIONAL* but we
+@@ -746,20 +748,18 @@ ecm_bind(struct usb_configuration *c, st
+ */
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_ecm_notify_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ ecm->notify = ep;
+
+- status = -ENOMEM;
+-
+ /* allocate notification request and buffer */
+- ecm->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL);
+- if (!ecm->notify_req)
+- goto fail;
+- ecm->notify_req->buf = kmalloc(ECM_STATUS_BYTECOUNT, GFP_KERNEL);
+- if (!ecm->notify_req->buf)
+- goto fail;
+- ecm->notify_req->context = ecm;
+- ecm->notify_req->complete = ecm_notify_complete;
++ request = usb_ep_alloc_request(ep, GFP_KERNEL);
++ if (!request)
++ return -ENOMEM;
++ request->buf = kmalloc(ECM_STATUS_BYTECOUNT, GFP_KERNEL);
++ if (!request->buf)
++ return -ENOMEM;
++ request->context = ecm;
++ request->complete = ecm_notify_complete;
+
+ /* support all relevant hardware speeds... we expect that when
+ * hardware is dual speed, all bulk-capable endpoints work at
+@@ -778,7 +778,7 @@ ecm_bind(struct usb_configuration *c, st
+ status = usb_assign_descriptors(f, ecm_fs_function, ecm_hs_function,
+ ecm_ss_function, ecm_ss_function);
+ if (status)
+- goto fail;
++ return status;
+
+ /* NOTE: all that is done without knowing or caring about
+ * the network link ... which is unavailable to this code
+@@ -788,20 +788,12 @@ ecm_bind(struct usb_configuration *c, st
+ ecm->port.open = ecm_open;
+ ecm->port.close = ecm_close;
+
++ ecm->notify_req = no_free_ptr(request);
++
+ DBG(cdev, "CDC Ethernet: IN/%s OUT/%s NOTIFY/%s\n",
+ ecm->port.in_ep->name, ecm->port.out_ep->name,
+ ecm->notify->name);
+ return 0;
+-
+-fail:
+- if (ecm->notify_req) {
+- kfree(ecm->notify_req->buf);
+- usb_ep_free_request(ecm->notify, ecm->notify_req);
+- }
+-
+- ERROR(cdev, "%s: can't bind, err %d\n", f->name, status);
+-
+- return status;
+ }
+
+ static inline struct f_ecm_opts *to_f_ecm_opts(struct config_item *item)
--- /dev/null
+From stable+bounces-187732-greg=kroah.com@vger.kernel.org Sat Oct 18 01:58:50 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 19:58:26 -0400
+Subject: usb: gadget: f_ncm: Refactor bind path to use __free()
+To: stable@vger.kernel.org
+Cc: Kuen-Han Tsai <khtsai@google.com>, stable@kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017235826.62546-3-sashal@kernel.org>
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+[ Upstream commit 75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef ]
+
+After an bind/unbind cycle, the ncm->notify_req is left stale. If a
+subsequent bind fails, the unified error label attempts to free this
+stale request, leading to a NULL pointer dereference when accessing
+ep->ops->free_request.
+
+Refactor the error handling in the bind path to use the __free()
+automatic cleanup mechanism.
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+Call trace:
+ usb_ep_free_request+0x2c/0xec
+ ncm_bind+0x39c/0x3dc
+ usb_add_function+0xcc/0x1f0
+ configfs_composite_bind+0x468/0x588
+ gadget_bind_driver+0x104/0x270
+ really_probe+0x190/0x374
+ __driver_probe_device+0xa0/0x12c
+ driver_probe_device+0x3c/0x218
+ __device_attach_driver+0x14c/0x188
+ bus_for_each_drv+0x10c/0x168
+ __device_attach+0xfc/0x198
+ device_initial_probe+0x14/0x24
+ bus_probe_device+0x94/0x11c
+ device_add+0x268/0x48c
+ usb_add_gadget+0x198/0x28c
+ dwc3_gadget_init+0x700/0x858
+ __dwc3_set_mode+0x3cc/0x664
+ process_scheduled_works+0x1d8/0x488
+ worker_thread+0x244/0x334
+ kthread+0x114/0x1bc
+ ret_from_fork+0x10/0x20
+
+Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added")
+Cc: stable@kernel.org
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_ncm.c | 78 +++++++++++++++---------------------
+ 1 file changed, 33 insertions(+), 45 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -11,6 +11,7 @@
+ * Copyright (C) 2008 Nokia Corporation
+ */
+
++#include <linux/cleanup.h>
+ #include <linux/kernel.h>
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
+@@ -19,6 +20,7 @@
+ #include <linux/crc32.h>
+
+ #include <linux/usb/cdc.h>
++#include <linux/usb/gadget.h>
+
+ #include "u_ether.h"
+ #include "u_ether_configfs.h"
+@@ -1435,18 +1437,18 @@ static int ncm_bind(struct usb_configura
+ struct usb_ep *ep;
+ struct f_ncm_opts *ncm_opts;
+
++ struct usb_os_desc_table *os_desc_table __free(kfree) = NULL;
++ struct usb_request *request __free(free_usb_request) = NULL;
++
+ if (!can_support_ecm(cdev->gadget))
+ return -EINVAL;
+
+ ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst);
+
+ if (cdev->use_os_string) {
+- f->os_desc_table = kzalloc(sizeof(*f->os_desc_table),
+- GFP_KERNEL);
+- if (!f->os_desc_table)
++ os_desc_table = kzalloc(sizeof(*os_desc_table), GFP_KERNEL);
++ if (!os_desc_table)
+ return -ENOMEM;
+- f->os_desc_n = 1;
+- f->os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc;
+ }
+
+ mutex_lock(&ncm_opts->lock);
+@@ -1458,16 +1460,15 @@ static int ncm_bind(struct usb_configura
+ mutex_unlock(&ncm_opts->lock);
+
+ if (status)
+- goto fail;
++ return status;
+
+ ncm_opts->bound = true;
+
+ us = usb_gstrings_attach(cdev, ncm_strings,
+ ARRAY_SIZE(ncm_string_defs));
+- if (IS_ERR(us)) {
+- status = PTR_ERR(us);
+- goto fail;
+- }
++ if (IS_ERR(us))
++ return PTR_ERR(us);
++
+ ncm_control_intf.iInterface = us[STRING_CTRL_IDX].id;
+ ncm_data_nop_intf.iInterface = us[STRING_DATA_IDX].id;
+ ncm_data_intf.iInterface = us[STRING_DATA_IDX].id;
+@@ -1477,20 +1478,16 @@ static int ncm_bind(struct usb_configura
+ /* allocate instance-specific interface IDs */
+ status = usb_interface_id(c, f);
+ if (status < 0)
+- goto fail;
++ return status;
+ ncm->ctrl_id = status;
+ ncm_iad_desc.bFirstInterface = status;
+
+ ncm_control_intf.bInterfaceNumber = status;
+ ncm_union_desc.bMasterInterface0 = status;
+
+- if (cdev->use_os_string)
+- f->os_desc_table[0].if_id =
+- ncm_iad_desc.bFirstInterface;
+-
+ status = usb_interface_id(c, f);
+ if (status < 0)
+- goto fail;
++ return status;
+ ncm->data_id = status;
+
+ ncm_data_nop_intf.bInterfaceNumber = status;
+@@ -1499,35 +1496,31 @@ static int ncm_bind(struct usb_configura
+
+ ecm_desc.wMaxSegmentSize = cpu_to_le16(ncm_opts->max_segment_size);
+
+- status = -ENODEV;
+-
+ /* allocate instance-specific endpoints */
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_in_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ ncm->port.in_ep = ep;
+
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_out_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ ncm->port.out_ep = ep;
+
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_notify_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ ncm->notify = ep;
+
+- status = -ENOMEM;
+-
+ /* allocate notification request and buffer */
+- ncm->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL);
+- if (!ncm->notify_req)
+- goto fail;
+- ncm->notify_req->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL);
+- if (!ncm->notify_req->buf)
+- goto fail;
+- ncm->notify_req->context = ncm;
+- ncm->notify_req->complete = ncm_notify_complete;
++ request = usb_ep_alloc_request(ep, GFP_KERNEL);
++ if (!request)
++ return -ENOMEM;
++ request->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL);
++ if (!request->buf)
++ return -ENOMEM;
++ request->context = ncm;
++ request->complete = ncm_notify_complete;
+
+ /*
+ * support all relevant hardware speeds... we expect that when
+@@ -1547,7 +1540,7 @@ static int ncm_bind(struct usb_configura
+ status = usb_assign_descriptors(f, ncm_fs_function, ncm_hs_function,
+ ncm_ss_function, ncm_ss_function);
+ if (status)
+- goto fail;
++ return status;
+
+ /*
+ * NOTE: all that is done without knowing or caring about
+@@ -1561,23 +1554,18 @@ static int ncm_bind(struct usb_configura
+ hrtimer_init(&ncm->task_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_SOFT);
+ ncm->task_timer.function = ncm_tx_timeout;
+
++ if (cdev->use_os_string) {
++ os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc;
++ os_desc_table[0].if_id = ncm_iad_desc.bFirstInterface;
++ f->os_desc_table = no_free_ptr(os_desc_table);
++ f->os_desc_n = 1;
++ }
++ ncm->notify_req = no_free_ptr(request);
++
+ DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n",
+ ncm->port.in_ep->name, ncm->port.out_ep->name,
+ ncm->notify->name);
+ return 0;
+-
+-fail:
+- kfree(f->os_desc_table);
+- f->os_desc_n = 0;
+-
+- if (ncm->notify_req) {
+- kfree(ncm->notify_req->buf);
+- usb_ep_free_request(ncm->notify, ncm->notify_req);
+- }
+-
+- ERROR(cdev, "%s: can't bind, err %d\n", f->name, status);
+-
+- return status;
+ }
+
+ static inline struct f_ncm_opts *to_f_ncm_opts(struct config_item *item)
--- /dev/null
+From sashal@kernel.org Sat Oct 18 04:03:58 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 22:03:50 -0400
+Subject: usb: gadget: f_rndis: Refactor bind path to use __free()
+To: stable@vger.kernel.org
+Cc: Kuen-Han Tsai <khtsai@google.com>, stable@kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018020351.207730-3-sashal@kernel.org>
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+[ Upstream commit 08228941436047bdcd35a612c1aec0912a29d8cd ]
+
+After an bind/unbind cycle, the rndis->notify_req is left stale. If a
+subsequent bind fails, the unified error label attempts to free this
+stale request, leading to a NULL pointer dereference when accessing
+ep->ops->free_request.
+
+Refactor the error handling in the bind path to use the __free()
+automatic cleanup mechanism.
+
+Fixes: 45fe3b8e5342 ("usb ethernet gadget: split RNDIS function")
+Cc: stable@kernel.org
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Link: https://lore.kernel.org/r/20250916-ready-v1-6-4997bf277548@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250916-ready-v1-6-4997bf277548@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_rndis.c | 85 ++++++++++++++--------------------
+ 1 file changed, 35 insertions(+), 50 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -19,6 +19,8 @@
+
+ #include <linux/atomic.h>
+
++#include <linux/usb/gadget.h>
++
+ #include "u_ether.h"
+ #include "u_ether_configfs.h"
+ #include "u_rndis.h"
+@@ -662,6 +664,8 @@ rndis_bind(struct usb_configuration *c,
+ struct usb_ep *ep;
+
+ struct f_rndis_opts *rndis_opts;
++ struct usb_os_desc_table *os_desc_table __free(kfree) = NULL;
++ struct usb_request *request __free(free_usb_request) = NULL;
+
+ if (!can_support_rndis(c))
+ return -EINVAL;
+@@ -669,12 +673,9 @@ rndis_bind(struct usb_configuration *c,
+ rndis_opts = container_of(f->fi, struct f_rndis_opts, func_inst);
+
+ if (cdev->use_os_string) {
+- f->os_desc_table = kzalloc(sizeof(*f->os_desc_table),
+- GFP_KERNEL);
+- if (!f->os_desc_table)
++ os_desc_table = kzalloc(sizeof(*os_desc_table), GFP_KERNEL);
++ if (!os_desc_table)
+ return -ENOMEM;
+- f->os_desc_n = 1;
+- f->os_desc_table[0].os_desc = &rndis_opts->rndis_os_desc;
+ }
+
+ rndis_iad_descriptor.bFunctionClass = rndis_opts->class;
+@@ -692,16 +693,14 @@ rndis_bind(struct usb_configuration *c,
+ gether_set_gadget(rndis_opts->net, cdev->gadget);
+ status = gether_register_netdev(rndis_opts->net);
+ if (status)
+- goto fail;
++ return status;
+ rndis_opts->bound = true;
+ }
+
+ us = usb_gstrings_attach(cdev, rndis_strings,
+ ARRAY_SIZE(rndis_string_defs));
+- if (IS_ERR(us)) {
+- status = PTR_ERR(us);
+- goto fail;
+- }
++ if (IS_ERR(us))
++ return PTR_ERR(us);
+ rndis_control_intf.iInterface = us[0].id;
+ rndis_data_intf.iInterface = us[1].id;
+ rndis_iad_descriptor.iFunction = us[2].id;
+@@ -709,36 +708,30 @@ rndis_bind(struct usb_configuration *c,
+ /* allocate instance-specific interface IDs */
+ status = usb_interface_id(c, f);
+ if (status < 0)
+- goto fail;
++ return status;
+ rndis->ctrl_id = status;
+ rndis_iad_descriptor.bFirstInterface = status;
+
+ rndis_control_intf.bInterfaceNumber = status;
+ rndis_union_desc.bMasterInterface0 = status;
+
+- if (cdev->use_os_string)
+- f->os_desc_table[0].if_id =
+- rndis_iad_descriptor.bFirstInterface;
+-
+ status = usb_interface_id(c, f);
+ if (status < 0)
+- goto fail;
++ return status;
+ rndis->data_id = status;
+
+ rndis_data_intf.bInterfaceNumber = status;
+ rndis_union_desc.bSlaveInterface0 = status;
+
+- status = -ENODEV;
+-
+ /* allocate instance-specific endpoints */
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_in_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ rndis->port.in_ep = ep;
+
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_out_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ rndis->port.out_ep = ep;
+
+ /* NOTE: a status/notification endpoint is, strictly speaking,
+@@ -747,21 +740,19 @@ rndis_bind(struct usb_configuration *c,
+ */
+ ep = usb_ep_autoconfig(cdev->gadget, &fs_notify_desc);
+ if (!ep)
+- goto fail;
++ return -ENODEV;
+ rndis->notify = ep;
+
+- status = -ENOMEM;
+-
+ /* allocate notification request and buffer */
+- rndis->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL);
+- if (!rndis->notify_req)
+- goto fail;
+- rndis->notify_req->buf = kmalloc(STATUS_BYTECOUNT, GFP_KERNEL);
+- if (!rndis->notify_req->buf)
+- goto fail;
+- rndis->notify_req->length = STATUS_BYTECOUNT;
+- rndis->notify_req->context = rndis;
+- rndis->notify_req->complete = rndis_response_complete;
++ request = usb_ep_alloc_request(ep, GFP_KERNEL);
++ if (!request)
++ return -ENOMEM;
++ request->buf = kmalloc(STATUS_BYTECOUNT, GFP_KERNEL);
++ if (!request->buf)
++ return -ENOMEM;
++ request->length = STATUS_BYTECOUNT;
++ request->context = rndis;
++ request->complete = rndis_response_complete;
+
+ /* support all relevant hardware speeds... we expect that when
+ * hardware is dual speed, all bulk-capable endpoints work at
+@@ -778,7 +769,7 @@ rndis_bind(struct usb_configuration *c,
+ status = usb_assign_descriptors(f, eth_fs_function, eth_hs_function,
+ eth_ss_function, eth_ss_function);
+ if (status)
+- goto fail;
++ return status;
+
+ rndis->port.open = rndis_open;
+ rndis->port.close = rndis_close;
+@@ -789,9 +780,18 @@ rndis_bind(struct usb_configuration *c,
+ if (rndis->manufacturer && rndis->vendorID &&
+ rndis_set_param_vendor(rndis->params, rndis->vendorID,
+ rndis->manufacturer)) {
+- status = -EINVAL;
+- goto fail_free_descs;
++ usb_free_all_descriptors(f);
++ return -EINVAL;
++ }
++
++ if (cdev->use_os_string) {
++ os_desc_table[0].os_desc = &rndis_opts->rndis_os_desc;
++ os_desc_table[0].if_id = rndis_iad_descriptor.bFirstInterface;
++ f->os_desc_table = no_free_ptr(os_desc_table);
++ f->os_desc_n = 1;
++
+ }
++ rndis->notify_req = no_free_ptr(request);
+
+ /* NOTE: all that is done without knowing or caring about
+ * the network link ... which is unavailable to this code
+@@ -802,21 +802,6 @@ rndis_bind(struct usb_configuration *c,
+ rndis->port.in_ep->name, rndis->port.out_ep->name,
+ rndis->notify->name);
+ return 0;
+-
+-fail_free_descs:
+- usb_free_all_descriptors(f);
+-fail:
+- kfree(f->os_desc_table);
+- f->os_desc_n = 0;
+-
+- if (rndis->notify_req) {
+- kfree(rndis->notify_req->buf);
+- usb_ep_free_request(rndis->notify, rndis->notify_req);
+- }
+-
+- ERROR(cdev, "%s: can't bind, err %d\n", f->name, status);
+-
+- return status;
+ }
+
+ void rndis_borrow_net(struct usb_function_instance *f, struct net_device *net)
--- /dev/null
+From stable+bounces-187731-greg=kroah.com@vger.kernel.org Sat Oct 18 01:58:48 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 19:58:25 -0400
+Subject: usb: gadget: Introduce free_usb_request helper
+To: stable@vger.kernel.org
+Cc: Kuen-Han Tsai <khtsai@google.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017235826.62546-2-sashal@kernel.org>
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+[ Upstream commit 201c53c687f2b55a7cc6d9f4000af4797860174b ]
+
+Introduce the free_usb_request() function that frees both the request's
+buffer and the request itself.
+
+This function serves as the cleanup callback for DEFINE_FREE() to enable
+automatic, scope-based cleanup for usb_request pointers.
+
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Link: https://lore.kernel.org/r/20250916-ready-v1-2-4997bf277548@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250916-ready-v1-2-4997bf277548@google.com
+Stable-dep-of: 75a5b8d4ddd4 ("usb: gadget: f_ncm: Refactor bind path to use __free()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/usb/gadget.h | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/include/linux/usb/gadget.h
++++ b/include/linux/usb/gadget.h
+@@ -15,6 +15,7 @@
+ #ifndef __LINUX_USB_GADGET_H
+ #define __LINUX_USB_GADGET_H
+
++#include <linux/cleanup.h>
+ #include <linux/configfs.h>
+ #include <linux/device.h>
+ #include <linux/errno.h>
+@@ -293,6 +294,28 @@ static inline void usb_ep_fifo_flush(str
+
+ /*-------------------------------------------------------------------------*/
+
++/**
++ * free_usb_request - frees a usb_request object and its buffer
++ * @req: the request being freed
++ *
++ * This helper function frees both the request's buffer and the request object
++ * itself by calling usb_ep_free_request(). Its signature is designed to be used
++ * with DEFINE_FREE() to enable automatic, scope-based cleanup for usb_request
++ * pointers.
++ */
++static inline void free_usb_request(struct usb_request *req)
++{
++ if (!req)
++ return;
++
++ kfree(req->buf);
++ usb_ep_free_request(req->ep, req);
++}
++
++DEFINE_FREE(free_usb_request, struct usb_request *, free_usb_request(_T))
++
++/*-------------------------------------------------------------------------*/
++
+ struct usb_dcd_config_params {
+ __u8 bU1devExitLat; /* U1 Device exit Latency */
+ #define USB_DEFAULT_U1_DEV_EXIT_LAT 0x01 /* Less then 1 microsec */
--- /dev/null
+From stable+bounces-187730-greg=kroah.com@vger.kernel.org Sat Oct 18 01:58:47 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 19:58:24 -0400
+Subject: usb: gadget: Store endpoint pointer in usb_request
+To: stable@vger.kernel.org
+Cc: Kuen-Han Tsai <khtsai@google.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017235826.62546-1-sashal@kernel.org>
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+[ Upstream commit bfb1d99d969fe3b892db30848aeebfa19d21f57f ]
+
+Gadget function drivers often have goto-based error handling in their
+bind paths, which can be bug-prone. Refactoring these paths to use
+__free() scope-based cleanup is desirable, but currently blocked.
+
+The blocker is that usb_ep_free_request(ep, req) requires two
+parameters, while the __free() mechanism can only pass a pointer to the
+request itself.
+
+Store an endpoint pointer in the struct usb_request. The pointer is
+populated centrally in usb_ep_alloc_request() on every successful
+allocation, making the request object self-contained.
+
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Link: https://lore.kernel.org/r/20250916-ready-v1-1-4997bf277548@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250916-ready-v1-1-4997bf277548@google.com
+Stable-dep-of: 75a5b8d4ddd4 ("usb: gadget: f_ncm: Refactor bind path to use __free()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/core.c | 3 +++
+ include/linux/usb/gadget.h | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -194,6 +194,9 @@ struct usb_request *usb_ep_alloc_request
+
+ req = ep->ops->alloc_request(ep, gfp_flags);
+
++ if (req)
++ req->ep = ep;
++
+ trace_usb_ep_alloc_request(ep, req, req ? 0 : -ENOMEM);
+
+ return req;
+--- a/include/linux/usb/gadget.h
++++ b/include/linux/usb/gadget.h
+@@ -32,6 +32,7 @@ struct usb_ep;
+
+ /**
+ * struct usb_request - describes one i/o request
++ * @ep: The associated endpoint set by usb_ep_alloc_request().
+ * @buf: Buffer used for data. Always provide this; some controllers
+ * only use PIO, or don't use DMA for some endpoints.
+ * @dma: DMA address corresponding to 'buf'. If you don't set this
+@@ -98,6 +99,7 @@ struct usb_ep;
+ */
+
+ struct usb_request {
++ struct usb_ep *ep;
+ void *buf;
+ unsigned length;
+ dma_addr_t dma;
projects / thirdparty / kernel / stable-queue.git / commitdiff
