--- /dev/null
+From c5b22c88cc09b180e3a23010b29f4d02ec117a44 Mon Sep 17 00:00:00 2001
+From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
+Date: Wed, 25 Mar 2026 18:30:37 +0530
+Subject: arm64: dts: qcom: lemans: Correct QUP interrupt numbers
+
+From: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
+
+commit c5b22c88cc09b180e3a23010b29f4d02ec117a44 upstream.
+
+Fix GIC_SPI interrupt numbers for QUPv3 SE6 nodes on Lemans SoC.
+Using incorrect interrupt lines can prevent IRQs from triggering
+and break I2C, SPI, and UART operation.
+
+Fixes: 34a407316b7d3 ("arm64: dts: qcom: sa8775p: Populate additional UART DT nodes")
+Fixes: 1b2d7ad5ac14d ("arm64: dts: qcom: sa8775p: add missing spi nodes")
+Fixes: ee2f5f906d69d ("arm64: dts: qcom: sa8775p: add missing i2c nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260325-lemans-irq-num-v1-1-a470d544966a@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/lemans.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/boot/dts/qcom/lemans.dtsi
++++ b/arch/arm64/boot/dts/qcom/lemans.dtsi
+@@ -1563,7 +1563,7 @@
+ reg = <0x0 0x898000 0x0 0x4000>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+- interrupts = <GIC_SPI 834 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 833 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&gcc GCC_QUPV3_WRAP2_S6_CLK>;
+ clock-names = "se";
+ pinctrl-0 = <&qup_i2c20_default>;
+@@ -1590,7 +1590,7 @@
+ reg = <0x0 0x898000 0x0 0x4000>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+- interrupts = <GIC_SPI 834 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 833 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&gcc GCC_QUPV3_WRAP2_S6_CLK>;
+ clock-names = "se";
+ pinctrl-0 = <&qup_spi20_default>;
+@@ -1615,7 +1615,7 @@
+ uart20: serial@898000 {
+ compatible = "qcom,geni-uart";
+ reg = <0x0 0x00898000 0x0 0x4000>;
+- interrupts = <GIC_SPI 834 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 833 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&gcc GCC_QUPV3_WRAP2_S6_CLK>;
+ clock-names = "se";
+ pinctrl-0 = <&qup_uart20_default>;
+@@ -2561,7 +2561,7 @@
+ reg = <0x0 0xa98000 0x0 0x4000>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+- interrupts = <GIC_SPI 836 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 835 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&gcc GCC_QUPV3_WRAP1_S6_CLK>;
+ clock-names = "se";
+ pinctrl-0 = <&qup_i2c13_default>;
--- /dev/null
+From 6ee0792d83d5c690205c350825a4c30746c0e0a2 Mon Sep 17 00:00:00 2001
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+Date: Mon, 9 Mar 2026 10:25:32 +0530
+Subject: arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+commit 6ee0792d83d5c690205c350825a4c30746c0e0a2 upstream.
+
+The pin for GPMC0_CLK.GPIO0_31 at address 0x000F407C is N22 and not M19.
+Hence, fix the pin name in the comment to avoid confusion.
+
+Fixes: 8f023012eb4a ("arm64: dts: ti: k3-am62a: Enable UHS mode support for SD cards")
+Cc: stable@vger.kernel.org
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Reviewed-by: Andrew Davis <afd@ti.com>
+Reviewed-by: Bryan Brattlof <bb@ti.com>
+Link: https://patch.msgid.link/20260309045539.2070793-1-s-vadapalli@ti.com
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62a7-sk.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/ti/k3-am62a7-sk.dts
++++ b/arch/arm64/boot/dts/ti/k3-am62a7-sk.dts
+@@ -394,7 +394,7 @@
+
+ vddshv_sdio_pins_default: vddshv-sdio-default-pins {
+ pinctrl-single,pins = <
+- AM62AX_IOPAD(0x07c, PIN_OUTPUT, 7) /* (M19) GPMC0_CLK.GPIO0_31 */
++ AM62AX_IOPAD(0x07c, PIN_OUTPUT, 7) /* (N22) GPMC0_CLK.GPIO0_31 */
+ >;
+ };
+
--- /dev/null
+From cf6b604011591865ae39ac82de8978c1120d17af Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:51 +0200
+Subject: batman-adv: bla: only purge non-released claims
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit cf6b604011591865ae39ac82de8978c1120d17af upstream.
+
+When batadv_bla_purge_claims() goes through the list of claims, it is only
+traversing the hash list with an rcu_read_lock(). Due to a potential
+parallel batadv_claim_put(), it can happen that it encounters a claim which
+was actually in the process of being released+freed by
+batadv_claim_release(). In this case, backbone_gw is set to NULL before the
+delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is
+then no longer allowed because it would cause a NULL-ptr derefence.
+
+To avoid this, only claims with a valid reference counter must be purged.
+All others are already taken care of.
+
+Cc: stable@kernel.org
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1289,6 +1289,13 @@ static void batadv_bla_purge_claims(stru
+
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(claim, head, hash_entry) {
++ /* only purge claims not currently in the process of being released.
++ * Such claims could otherwise have a NULL-ptr backbone_gw set because
++ * they already went through batadv_claim_release()
++ */
++ if (!kref_get_unless_zero(&claim->refcount))
++ continue;
++
+ backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
+ if (now)
+ goto purge_now;
+@@ -1314,6 +1321,7 @@ purge_now:
+ claim->addr, claim->vid);
+ skip:
+ batadv_backbone_gw_put(backbone_gw);
++ batadv_claim_put(claim);
+ }
+ rcu_read_unlock();
+ }
--- /dev/null
+From 4ae1709a314060a196981b344610d023ea841e57 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:50 +0200
+Subject: batman-adv: bla: prevent use-after-free when deleting claims
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 4ae1709a314060a196981b344610d023ea841e57 upstream.
+
+When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
+does this by dropping the link entry in the hash list. This list entry
+itself was one of the references which need to be dropped at the same time
+via batadv_claim_put().
+
+But the batadv_claim_put() must not be done before the last access to the
+claim object in this function. Otherwise the claim might be freed already
+by the batadv_claim_release() function before the list entry was dropped.
+
+Cc: stable@kernel.org
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -319,8 +319,8 @@ batadv_bla_del_backbone_claims(struct ba
+ if (claim->backbone_gw != backbone_gw)
+ continue;
+
+- batadv_claim_put(claim);
+ hlist_del_rcu(&claim->hash_entry);
++ batadv_claim_put(claim);
+ }
+ spin_unlock_bh(list_lock);
+ }
--- /dev/null
+From ba9d20ee9076dac32c371116bacbe72480eb356c Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:52 +0200
+Subject: batman-adv: bla: put backbone reference on failed claim hash insert
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream.
+
+When batadv_bla_add_claim() fails to insert a new claim into the hash, it
+leaked a reference to the backbone_gw for which the claim was intended.
+Call batadv_backbone_gw_put() on the error path to release the reference
+and avoid leaking the backbone_gw object.
+
+Cc: stable@kernel.org
+Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -724,6 +724,7 @@ static void batadv_bla_add_claim(struct
+
+ if (unlikely(hash_added != 0)) {
+ /* only local changes happened. */
++ batadv_backbone_gw_put(backbone_gw);
+ kfree(claim);
+ return;
+ }
--- /dev/null
+From 0799e5943611006b346b8813c7daf7dd5aa26bfd Mon Sep 17 00:00:00 2001
+From: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+Date: Wed, 22 Apr 2026 00:20:22 +0200
+Subject: batman-adv: fix integer overflow on buff_pos
+
+From: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+
+commit 0799e5943611006b346b8813c7daf7dd5aa26bfd upstream.
+
+Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size
+check is done using the int type in batadv_iv_ogm_aggr_packet whereas the
+buff_pos variable uses the s16 type. This could lead to an out-of-bound
+read.
+
+Cc: stable@vger.kernel.org
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Signed-off-by: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+Signed-off-by: Alexis Pinson <apinson@fuzzinglabs.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -335,7 +335,7 @@ static void batadv_iv_ogm_send_to_if(str
+ struct batadv_priv *bat_priv = netdev_priv(hard_iface->mesh_iface);
+ const char *fwd_str;
+ u8 packet_num;
+- s16 buff_pos;
++ int buff_pos;
+ struct batadv_ogm_packet *batadv_ogm_packet;
+ struct sk_buff *skb;
+ u8 *packet_pos;
--- /dev/null
+From 3243543592425beec83d453793e9d27caa0d8e66 Mon Sep 17 00:00:00 2001
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+Date: Mon, 27 Apr 2026 14:43:33 +0800
+Subject: batman-adv: reject new tp_meter sessions during teardown
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit 3243543592425beec83d453793e9d27caa0d8e66 upstream.
+
+Prevent tp_meter from starting new sender or receiver sessions after
+mesh_state has left BATADV_MESH_ACTIVE.
+
+Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/tp_meter.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -947,6 +947,13 @@ void batadv_tp_start(struct batadv_priv
+
+ /* look for an already existing test towards this node */
+ spin_lock_bh(&bat_priv->tp_list_lock);
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) {
++ spin_unlock_bh(&bat_priv->tp_list_lock);
++ batadv_tp_batctl_error_notify(BATADV_TP_REASON_DST_UNREACHABLE,
++ dst, bat_priv, session_cookie);
++ return;
++ }
++
+ tp_vars = batadv_tp_list_find(bat_priv, dst);
+ if (tp_vars) {
+ spin_unlock_bh(&bat_priv->tp_list_lock);
+@@ -1329,9 +1336,12 @@ static struct batadv_tp_vars *
+ batadv_tp_init_recv(struct batadv_priv *bat_priv,
+ const struct batadv_icmp_tp_packet *icmp)
+ {
+- struct batadv_tp_vars *tp_vars;
++ struct batadv_tp_vars *tp_vars = NULL;
+
+ spin_lock_bh(&bat_priv->tp_list_lock);
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
++ goto out_unlock;
++
+ tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
+ icmp->session);
+ if (tp_vars)
+@@ -1464,6 +1474,9 @@ void batadv_tp_meter_recv(struct batadv_
+ {
+ struct batadv_icmp_tp_packet *icmp;
+
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
++ goto out;
++
+ icmp = (struct batadv_icmp_tp_packet *)skb->data;
+
+ switch (icmp->subtype) {
+@@ -1478,6 +1491,8 @@ void batadv_tp_meter_recv(struct batadv_
+ "Received unknown TP Metric packet type %u\n",
+ icmp->subtype);
+ }
++
++out:
+ consume_skb(skb);
+ }
+
--- /dev/null
+From f03e8583532941b07761c5429de7d50766fa3110 Mon Sep 17 00:00:00 2001
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+Date: Sun, 3 May 2026 12:28:58 +0800
+Subject: batman-adv: stop caching unowned originator pointers in BAT IV
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit f03e8583532941b07761c5429de7d50766fa3110 upstream.
+
+BAT IV keeps the last-hop neighbor address in each neigh_node, but some
+paths also cache an originator pointer derived from a temporary lookup.
+That pointer is not owned by the neigh_node and may no longer refer to a
+live originator entry after purge handling runs.
+
+Stop storing the auxiliary originator pointer in the BAT IV neighbor
+state. When BAT IV needs the neighbor originator data, resolve it from
+the stored neighbor address and drop the reference again after use.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+[sven: avoid bonding logic for outgoing OGM]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 83 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 59 insertions(+), 24 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -173,19 +173,12 @@ free_orig_node_hash:
+ static struct batadv_neigh_node *
+ batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface,
+ const u8 *neigh_addr,
+- struct batadv_orig_node *orig_node,
+- struct batadv_orig_node *orig_neigh)
++ struct batadv_orig_node *orig_node)
+ {
+ struct batadv_neigh_node *neigh_node;
+
+ neigh_node = batadv_neigh_node_get_or_create(orig_node,
+ hard_iface, neigh_addr);
+- if (!neigh_node)
+- goto out;
+-
+- neigh_node->orig_node = orig_neigh;
+-
+-out:
+ return neigh_node;
+ }
+
+@@ -907,6 +900,31 @@ static u8 batadv_iv_orig_ifinfo_sum(stru
+ }
+
+ /**
++ * batadv_iv_ogm_neigh_ifinfo_sum() - Get bcast_own sum for a last-hop neighbor
++ * @bat_priv: the bat priv with all the mesh interface information
++ * @neigh_node: last-hop neighbor of an originator
++ *
++ * Return: Number of replied (rebroadcasted) OGMs for the originator currently
++ * announced by the neighbor. Returns 0 if the neighbor's originator entry is
++ * not available anymore.
++ */
++static u8 batadv_iv_ogm_neigh_ifinfo_sum(struct batadv_priv *bat_priv,
++ const struct batadv_neigh_node *neigh_node)
++{
++ struct batadv_orig_node *orig_neigh;
++ u8 sum;
++
++ orig_neigh = batadv_orig_hash_find(bat_priv, neigh_node->addr);
++ if (!orig_neigh)
++ return 0;
++
++ sum = batadv_iv_orig_ifinfo_sum(orig_neigh, neigh_node->if_incoming);
++ batadv_orig_node_put(orig_neigh);
++
++ return sum;
++}
++
++/**
+ * batadv_iv_ogm_orig_update() - use OGM to update corresponding data in an
+ * originator
+ * @bat_priv: the bat priv with all the mesh interface information
+@@ -975,17 +993,9 @@ batadv_iv_ogm_orig_update(struct batadv_
+ }
+
+ if (!neigh_node) {
+- struct batadv_orig_node *orig_tmp;
+-
+- orig_tmp = batadv_iv_ogm_orig_get(bat_priv, ethhdr->h_source);
+- if (!orig_tmp)
+- goto unlock;
+-
+ neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
+ ethhdr->h_source,
+- orig_node, orig_tmp);
+-
+- batadv_orig_node_put(orig_tmp);
++ orig_node);
+ if (!neigh_node)
+ goto unlock;
+ } else {
+@@ -1037,10 +1047,9 @@ batadv_iv_ogm_orig_update(struct batadv_
+ */
+ if (router_ifinfo &&
+ neigh_ifinfo->bat_iv.tq_avg == router_ifinfo->bat_iv.tq_avg) {
+- sum_orig = batadv_iv_orig_ifinfo_sum(router->orig_node,
+- router->if_incoming);
+- sum_neigh = batadv_iv_orig_ifinfo_sum(neigh_node->orig_node,
+- neigh_node->if_incoming);
++ sum_orig = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, router);
++ sum_neigh = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv,
++ neigh_node);
+ if (sum_orig >= sum_neigh)
+ goto out;
+ }
+@@ -1106,7 +1115,6 @@ static bool batadv_iv_ogm_calc_tq(struct
+ if (!neigh_node)
+ neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
+ orig_neigh_node->orig,
+- orig_neigh_node,
+ orig_neigh_node);
+
+ if (!neigh_node)
+@@ -1303,6 +1311,32 @@ out:
+ }
+
+ /**
++ * batadv_orig_to_direct_router() - get direct next hop neighbor to an orig address
++ * @bat_priv: the bat priv with all the mesh interface information
++ * @orig_addr: the originator MAC address to search the best next hop router for
++ * @if_outgoing: the interface where the OGM should be sent to
++ *
++ * Return: A neighbor node which is the best router towards the given originator
++ * address. Bonding candidates are ignored.
++ */
++static struct batadv_neigh_node *
++batadv_orig_to_direct_router(struct batadv_priv *bat_priv, u8 *orig_addr,
++ struct batadv_hard_iface *if_outgoing)
++{
++ struct batadv_neigh_node *neigh_node;
++ struct batadv_orig_node *orig_node;
++
++ orig_node = batadv_orig_hash_find(bat_priv, orig_addr);
++ if (!orig_node)
++ return NULL;
++
++ neigh_node = batadv_orig_router_get(orig_node, if_outgoing);
++ batadv_orig_node_put(orig_node);
++
++ return neigh_node;
++}
++
++/**
+ * batadv_iv_ogm_process_per_outif() - process a batman iv OGM for an outgoing
+ * interface
+ * @skb: the skb containing the OGM
+@@ -1372,8 +1406,9 @@ batadv_iv_ogm_process_per_outif(const st
+
+ router = batadv_orig_router_get(orig_node, if_outgoing);
+ if (router) {
+- router_router = batadv_orig_router_get(router->orig_node,
+- if_outgoing);
++ router_router = batadv_orig_to_direct_router(bat_priv,
++ router->addr,
++ if_outgoing);
+ router_ifinfo = batadv_neigh_ifinfo_get(router, if_outgoing);
+ }
+
--- /dev/null
+From 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 Mon Sep 17 00:00:00 2001
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+Date: Mon, 27 Apr 2026 14:43:34 +0800
+Subject: batman-adv: stop tp_meter sessions during mesh teardown
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 upstream.
+
+TP meter sessions remain linked on bat_priv->tp_list after the netlink
+request has already finished. When the mesh interface is removed,
+batadv_mesh_free() currently tears down the mesh without first draining
+these sessions.
+
+A running sender thread or a late incoming tp_meter packet can then keep
+processing against a mesh instance which is already shutting down.
+Synchronize tp_meter with the mesh lifetime by stopping all active
+sessions from batadv_mesh_free() and waiting for sender threads to exit
+before teardown continues.
+
+Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/main.c | 1
+ net/batman-adv/tp_meter.c | 94 +++++++++++++++++++++++++++++++++++++---------
+ net/batman-adv/tp_meter.h | 1
+ net/batman-adv/types.h | 4 +
+ 4 files changed, 82 insertions(+), 18 deletions(-)
+
+--- a/net/batman-adv/main.c
++++ b/net/batman-adv/main.c
+@@ -249,6 +249,7 @@ void batadv_mesh_free(struct net_device
+ atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
+
+ batadv_purge_outstanding_packets(bat_priv, NULL);
++ batadv_tp_stop_all(bat_priv);
+
+ batadv_gw_node_free(bat_priv);
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -12,6 +12,7 @@
+ #include <linux/byteorder/generic.h>
+ #include <linux/cache.h>
+ #include <linux/compiler.h>
++#include <linux/completion.h>
+ #include <linux/container_of.h>
+ #include <linux/err.h>
+ #include <linux/etherdevice.h>
+@@ -365,23 +366,38 @@ static void batadv_tp_vars_put(struct ba
+ }
+
+ /**
+- * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
+- * @bat_priv: the bat priv with all the mesh interface information
+- * @tp_vars: the private data of the current TP meter session to cleanup
++ * batadv_tp_list_detach() - remove tp session from mesh session list once
++ * @tp_vars: the private data of the current TP meter session
+ */
+-static void batadv_tp_sender_cleanup(struct batadv_priv *bat_priv,
+- struct batadv_tp_vars *tp_vars)
++static void batadv_tp_list_detach(struct batadv_tp_vars *tp_vars)
+ {
+- cancel_delayed_work(&tp_vars->finish_work);
++ bool detached = false;
+
+ spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
+- hlist_del_rcu(&tp_vars->list);
++ if (!hlist_unhashed(&tp_vars->list)) {
++ hlist_del_init_rcu(&tp_vars->list);
++ detached = true;
++ }
+ spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
+
++ if (!detached)
++ return;
++
++ atomic_dec(&tp_vars->bat_priv->tp_num);
++
+ /* drop list reference */
+ batadv_tp_vars_put(tp_vars);
++}
+
+- atomic_dec(&tp_vars->bat_priv->tp_num);
++/**
++ * batadv_tp_sender_cleanup() - cleanup sender data and drop and timer
++ * @tp_vars: the private data of the current TP meter session to cleanup
++ */
++static void batadv_tp_sender_cleanup(struct batadv_tp_vars *tp_vars)
++{
++ cancel_delayed_work_sync(&tp_vars->finish_work);
++
++ batadv_tp_list_detach(tp_vars);
+
+ /* kill the timer and remove its reference */
+ timer_delete_sync(&tp_vars->timer);
+@@ -886,7 +902,8 @@ out:
+ batadv_orig_node_put(orig_node);
+
+ batadv_tp_sender_end(bat_priv, tp_vars);
+- batadv_tp_sender_cleanup(bat_priv, tp_vars);
++ batadv_tp_sender_cleanup(tp_vars);
++ complete(&tp_vars->finished);
+
+ batadv_tp_vars_put(tp_vars);
+
+@@ -918,7 +935,8 @@ static void batadv_tp_start_kthread(stru
+ batadv_tp_vars_put(tp_vars);
+
+ /* cleanup of failed tp meter variables */
+- batadv_tp_sender_cleanup(bat_priv, tp_vars);
++ batadv_tp_sender_cleanup(tp_vars);
++ complete(&tp_vars->finished);
+ return;
+ }
+
+@@ -1024,6 +1042,7 @@ void batadv_tp_start(struct batadv_priv
+ tp_vars->start_time = jiffies;
+
+ init_waitqueue_head(&tp_vars->more_bytes);
++ init_completion(&tp_vars->finished);
+
+ spin_lock_init(&tp_vars->unacked_lock);
+ INIT_LIST_HEAD(&tp_vars->unacked_list);
+@@ -1126,14 +1145,7 @@ static void batadv_tp_receiver_shutdown(
+ "Shutting down for inactivity (more than %dms) from %pM\n",
+ BATADV_TP_RECV_TIMEOUT, tp_vars->other_end);
+
+- spin_lock_bh(&tp_vars->bat_priv->tp_list_lock);
+- hlist_del_rcu(&tp_vars->list);
+- spin_unlock_bh(&tp_vars->bat_priv->tp_list_lock);
+-
+- /* drop list reference */
+- batadv_tp_vars_put(tp_vars);
+-
+- atomic_dec(&bat_priv->tp_num);
++ batadv_tp_list_detach(tp_vars);
+
+ spin_lock_bh(&tp_vars->unacked_lock);
+ list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
+@@ -1497,6 +1509,52 @@ out:
+ }
+
+ /**
++ * batadv_tp_stop_all() - stop all currently running tp meter sessions
++ * @bat_priv: the bat priv with all the mesh interface information
++ */
++void batadv_tp_stop_all(struct batadv_priv *bat_priv)
++{
++ struct batadv_tp_vars *tp_vars[BATADV_TP_MAX_NUM];
++ struct batadv_tp_vars *tp_var;
++ size_t count = 0;
++ size_t i;
++
++ spin_lock_bh(&bat_priv->tp_list_lock);
++ hlist_for_each_entry(tp_var, &bat_priv->tp_list, list) {
++ if (WARN_ON_ONCE(count >= BATADV_TP_MAX_NUM))
++ break;
++
++ if (!kref_get_unless_zero(&tp_var->refcount))
++ continue;
++
++ tp_vars[count++] = tp_var;
++ }
++ spin_unlock_bh(&bat_priv->tp_list_lock);
++
++ for (i = 0; i < count; i++) {
++ tp_var = tp_vars[i];
++
++ switch (tp_var->role) {
++ case BATADV_TP_SENDER:
++ batadv_tp_sender_shutdown(tp_var,
++ BATADV_TP_REASON_CANCEL);
++ wake_up(&tp_var->more_bytes);
++ wait_for_completion(&tp_var->finished);
++ break;
++ case BATADV_TP_RECEIVER:
++ batadv_tp_list_detach(tp_var);
++ if (timer_shutdown_sync(&tp_var->timer))
++ batadv_tp_vars_put(tp_var);
++ break;
++ }
++
++ batadv_tp_vars_put(tp_var);
++ }
++
++ synchronize_net();
++}
++
++/**
+ * batadv_tp_meter_init() - initialize global tp_meter structures
+ */
+ void __init batadv_tp_meter_init(void)
+--- a/net/batman-adv/tp_meter.h
++++ b/net/batman-adv/tp_meter.h
+@@ -17,6 +17,7 @@ void batadv_tp_start(struct batadv_priv
+ u32 test_length, u32 *cookie);
+ void batadv_tp_stop(struct batadv_priv *bat_priv, const u8 *dst,
+ u8 return_value);
++void batadv_tp_stop_all(struct batadv_priv *bat_priv);
+ void batadv_tp_meter_recv(struct batadv_priv *bat_priv, struct sk_buff *skb);
+
+ #endif /* _NET_BATMAN_ADV_TP_METER_H_ */
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -14,6 +14,7 @@
+ #include <linux/average.h>
+ #include <linux/bitops.h>
+ #include <linux/compiler.h>
++#include <linux/completion.h>
+ #include <linux/if.h>
+ #include <linux/if_ether.h>
+ #include <linux/kref.h>
+@@ -1328,6 +1329,9 @@ struct batadv_tp_vars {
+ /** @finish_work: work item for the finishing procedure */
+ struct delayed_work finish_work;
+
++ /** @finished: completion signaled when a sender thread exits */
++ struct completion finished;
++
+ /** @test_length: test length in milliseconds */
+ u32 test_length;
+
--- /dev/null
+From d65bfb1782304b03862c8c725fac608015dffd36 Mon Sep 17 00:00:00 2001
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+Date: Sat, 21 Mar 2026 06:20:33 +0100
+Subject: drm/amd/display: Change dither policy for 10 bpc output back to dithering
+
+From: Mario Kleiner <mario.kleiner.de@gmail.com>
+
+commit d65bfb1782304b03862c8c725fac608015dffd36 upstream.
+
+Commit d5df648ec830 ("drm/amd/display: Change dither policy for 10bpc to
+round") degraded display of 12 bpc color precision output to 10 bpc sinks
+by switching 10 bpc output from dithering to "truncate to 10 bpc".
+
+I don't find the argumentation in that commit convincing, but the
+consequences highly unfortunate, especially for applications that
+require effective > 10 bpc precision output of > 10 bpc framebuffers.
+
+The argument wasn't something strong like "there are hardware design
+defects or limitations which require us to work around broken dithering
+to 10 bpc", or "there are some special use cases which do require
+truncation to 10 bpc", but essentially "at some point in the past we
+used truncation in Polaris/Vega times and it looks like it got
+inadvertently changed for Navi, so let's do that again". I couldn't find
+evidence for that in the git commit logs for this. The commit message also
+acknowledges that using dithering "...makes some sense for FP16...
+...but not for ARGB2101010 surfaces..."
+
+The problem with this is that it makes fp16 surfaces, and especially
+rgba16 fixed point surfaces, less useful. These are now well
+supported by Mesa 25.3 and later via OpenGL + EGL, Vulkan/WSI, and by
+OSS AMDVLK Vulkan/WSI/display, and also by GNOME 50 mutter under Wayland,
+and they used to provide more than 10 bpc effective precision at the
+output.
+
+Even for 8 or 10 bpc surfaces, the color pipeline behind the framebuffer,
+e.g., gamma tables, CTM, can be used for color correction and will
+benefit from an effective > 10 bpc output precision via dithering,
+retaining some precision that would get lost on the way through the
+pipeline, e.g., due to non-linear gamma functions.
+
+Scientific apps rely on this for > 10 bpc display precision. Truncating
+to 10 bpc, instead of dithering the pipeline internal 12 bpc precision
+down to 10 bpc, causes a serious loss of precision. This also creates the
+undesirable and slightly absurd situation that using a cheap monitor
+with only 8 bpc input and display panel will yield roughly 12 bpc
+precision via dithering from 12 -> 8 bpc, whereas investment into a
+more expensive monitor with 10 bpc input and native 10 bpc display will
+only yield 10 bpc, even if a fp16 or rgb16 framebuffer and/or a properly
+set up color pipeline (gamma tables, CTM's etc. with more than 10 bpc out
+precision) would allow effective 12 bpc precision output.
+
+Therefore this patch proposes reverting that commit and going back to
+dithering down to 10 bpc, consistent with the behaviour for 6 bpc or 8 bpc
+output.
+
+Successfully tested on AMD Polaris DCE 11.2 and Raven Ridge DCN 1.0 with
+a native 10 bpc capable monitor, outputting a RGBA16 unorm framebuffer and
+measuring resulting color precision with a photometer. No apparent visual
+artifacts or problems were observed, and effective precision was measured
+to be 12 bpc again, as expected.
+
+Fixes: d5df648ec830 ("drm/amd/display: Change dither policy for 10bpc to round")
+Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Tested-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Cc: stable@vger.kernel.org
+Cc: Aric Cyr <aric.cyr@amd.com>
+Cc: Anthony Koo <anthony.koo@amd.com>
+Cc: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Cc: Krunoslav Kovac <krunoslav.kovac@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Reported-by: Mario Kleiner <mario.kleiner.de@gmail.com>
+Signed-off-by: Harry Wentland <harry.wentland@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -4954,7 +4954,7 @@ void resource_build_bit_depth_reduction_
+ option = DITHER_OPTION_SPATIAL8;
+ break;
+ case COLOR_DEPTH_101010:
+- option = DITHER_OPTION_TRUN10;
++ option = DITHER_OPTION_SPATIAL10;
+ break;
+ default:
+ option = DITHER_OPTION_DISABLE;
--- /dev/null
+From 504f0098ebd074ac8c0ce3471795d79f68e3d265 Mon Sep 17 00:00:00 2001
+From: Yang Wang <kevinyang.wang@amd.com>
+Date: Thu, 2 Apr 2026 22:44:29 -0400
+Subject: drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x
+
+From: Yang Wang <kevinyang.wang@amd.com>
+
+commit 504f0098ebd074ac8c0ce3471795d79f68e3d265 upstream.
+
+OverDriveTable.FanMinimumPwm and FeatureCtrlMask.PP_OD_FEATURE_FAN_LEGACY_BIT
+have a hard dependency.
+Invalid handling of this dependency leads to disabled thermal monitoring
+and temperature boundary validation.
+
+v2: squash in typo fix (Yang)
+
+Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+@@ -2442,6 +2442,7 @@ static int smu_v14_0_2_od_restore_table_
+ }
+ od_table->OverDriveTable.FanMode = FAN_MODE_AUTO;
+ od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
++ od_table->OverDriveTable.FeatureCtrlMask &= ~BIT(PP_OD_FEATURE_FAN_LEGACY_BIT);
+ break;
+ case PP_OD_EDIT_FAN_ZERO_RPM_ENABLE:
+ od_table->OverDriveTable.FanZeroRpmEnable =
+@@ -2470,7 +2471,8 @@ static int smu_v14_0_2_od_restore_table_
+ od_table->OverDriveTable.FanMinimumPwm =
+ boot_overdrive_table->OverDriveTable.FanMinimumPwm;
+ od_table->OverDriveTable.FanMode = FAN_MODE_AUTO;
+- od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
++ od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_LEGACY_BIT);
++ od_table->OverDriveTable.FeatureCtrlMask &= ~BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
+ break;
+ default:
+ dev_info(adev->dev, "Invalid table index: %ld\n", input);
+@@ -2640,6 +2642,7 @@ static int smu_v14_0_2_od_edit_dpm_table
+ od_table->OverDriveTable.FanLinearPwmPoints[input[0]] = input[2];
+ od_table->OverDriveTable.FanMode = FAN_MODE_MANUAL_LINEAR;
+ od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
++ od_table->OverDriveTable.FeatureCtrlMask &= ~BIT(PP_OD_FEATURE_FAN_LEGACY_BIT);
+ break;
+
+ case PP_OD_EDIT_ACOUSTIC_LIMIT:
+@@ -2709,7 +2712,7 @@ static int smu_v14_0_2_od_edit_dpm_table
+ break;
+
+ case PP_OD_EDIT_FAN_MINIMUM_PWM:
+- if (!smu_v14_0_2_is_od_feature_supported(smu, PP_OD_FEATURE_FAN_CURVE_BIT)) {
++ if (!smu_v14_0_2_is_od_feature_supported(smu, PP_OD_FEATURE_FAN_LEGACY_BIT)) {
+ dev_warn(adev->dev, "Fan curve setting not supported!\n");
+ return -ENOTSUPP;
+ }
+@@ -2727,7 +2730,8 @@ static int smu_v14_0_2_od_edit_dpm_table
+
+ od_table->OverDriveTable.FanMinimumPwm = input[0];
+ od_table->OverDriveTable.FanMode = FAN_MODE_AUTO;
+- od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
++ od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_LEGACY_BIT);
++ od_table->OverDriveTable.FeatureCtrlMask &= ~BIT(PP_OD_FEATURE_FAN_CURVE_BIT);
+ break;
+
+ case PP_OD_EDIT_FAN_ZERO_RPM_ENABLE:
--- /dev/null
+From 66085e206431ef88ce36f53c1f53d570790ccc9e Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Wed, 25 Mar 2026 08:39:19 -0400
+Subject: drm/amdgpu: Add bounds checking to ib_{get,set}_value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 66085e206431ef88ce36f53c1f53d570790ccc9e upstream.
+
+The uvd/vce/vcn code accesses the IB at predefined offsets without
+checking that the IB is large enough. Check the bounds here. The caller
+is responsible for making sure it can handle arbitrary return values.
+
+Also make the idx a uint32_t to prevent overflows causing the condition
+to fail.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
+@@ -547,15 +547,18 @@ void amdgpu_debugfs_ring_init(struct amd
+
+ int amdgpu_ring_init_mqd(struct amdgpu_ring *ring);
+
+-static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, int idx)
++static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, uint32_t idx)
+ {
+- return ib->ptr[idx];
++ if (idx < ib->length_dw)
++ return ib->ptr[idx];
++ return 0;
+ }
+
+-static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, int idx,
++static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, uint32_t idx,
+ uint32_t value)
+ {
+- ib->ptr[idx] = value;
++ if (idx < ib->length_dw)
++ ib->ptr[idx] = value;
+ }
+
+ int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm,
--- /dev/null
+From ddda81c4d7e71e41b1be91d921fd85747eddbd12 Mon Sep 17 00:00:00 2001
+From: Chenglei Xie <Chenglei.Xie@amd.com>
+Date: Tue, 7 Apr 2026 10:51:24 -0400
+Subject: drm/amdgpu: gate VM CPU HDP flush on reset lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chenglei Xie <Chenglei.Xie@amd.com>
+
+commit ddda81c4d7e71e41b1be91d921fd85747eddbd12 upstream.
+
+During GPU reset, the application could still run CPU page table updates. Each commit called
+amdgpu_device_flush_hdp(), which on SR-IOV sends work through the KIQ ring.
+That can advance sync_seq while the GPU is being reset,
+leaving fence writeback out of sync and causing amdgpu_fence_emit_polling()
+to time out on later KIQ use.
+
+Fix:
+amdgpu_vm_cpu_commit():
+ Reset will flush HDP anyway, the HDP flush in amdgpu_vm_cpu_commit() can be skipped
+ when a reset is ongoging.
+ Take reset_domain->sem with down_read_trylock() before amdgpu_device_flush_hdp().
+ If the reset path holds the write lock, skip the HDP flush so no HDP-related HW
+ access (including KIQ) runs during reset; state is re-established after reset.
+
+Signed-off-by: Chenglei Xie <Chenglei.Xie@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm_cpu.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_cpu.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_cpu.c
+@@ -21,6 +21,8 @@
+ */
+
+ #include "amdgpu_vm.h"
++#include "amdgpu.h"
++#include "amdgpu_reset.h"
+ #include "amdgpu_object.h"
+ #include "amdgpu_trace.h"
+
+@@ -108,11 +110,19 @@ static int amdgpu_vm_cpu_update(struct a
+ static int amdgpu_vm_cpu_commit(struct amdgpu_vm_update_params *p,
+ struct dma_fence **fence)
+ {
++ struct amdgpu_device *adev = p->adev;
++
+ if (p->needs_flush)
+ atomic64_inc(&p->vm->tlb_seq);
+
+ mb();
+- amdgpu_device_flush_hdp(p->adev, NULL);
++ /* A reset flushed the HDP anyway, so that here can be skipped when a reset is ongoing */
++ if (!down_read_trylock(&adev->reset_domain->sem))
++ return 0;
++
++ amdgpu_device_flush_hdp(adev, NULL);
++ up_read(&adev->reset_domain->sem);
++
+ return 0;
+ }
+
--- /dev/null
+From 7bbfb2559bcec39d1a4e1182d931a2046112c352 Mon Sep 17 00:00:00 2001
+From: "John B. Moore" <jbmoore61@gmail.com>
+Date: Tue, 28 Apr 2026 11:35:12 -0500
+Subject: drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John B. Moore <jbmoore61@gmail.com>
+
+commit 7bbfb2559bcec39d1a4e1182d931a2046112c352 upstream.
+
+Remove the BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT) assertion from
+gfx_v9_0_ring_emit_fence_kiq(). The KIQ hardware supports 64-bit
+fence writes; the 32-bit writeback address constraint is an
+upper-layer convention, not a hardware limitation. The check serves
+no purpose and should not be present.
+
+Found by code inspection while investigating related BUG_ON
+assertions in the GFX and compute ring emission paths.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: John B. Moore <jbmoore61@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 1b1101a46a426bb4328116bb5273c326a2780389)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -5640,9 +5640,6 @@ static void gfx_v9_0_ring_emit_fence_kiq
+ {
+ struct amdgpu_device *adev = ring->adev;
+
+- /* we only allocate 32bit for each seq wb address */
+- BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT);
+-
+ /* write fence seq to the "addr" */
+ amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, 3));
+ amdgpu_ring_write(ring, (WRITE_DATA_ENGINE_SEL(0) |
--- /dev/null
+From 2a561b361b7681509710f3cfc3d95d54c87ac69f Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 27 Apr 2026 11:38:58 -0400
+Subject: drm/amdgpu/pm: add missing revision check for CI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 2a561b361b7681509710f3cfc3d95d54c87ac69f upstream.
+
+The ci_populate_all_memory_levels() workaround only
+applies to revision 0 SKUs.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 1db15ba8f72f400bbad8ae0ce24fafc43429d4bd)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+@@ -1326,8 +1326,9 @@ static int ci_populate_all_memory_levels
+
+ dev_id = adev->pdev->device;
+
+- if ((dpm_table->mclk_table.count >= 2)
+- && ((dev_id == 0x67B0) || (dev_id == 0x67B1))) {
++ if ((dpm_table->mclk_table.count >= 2) &&
++ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) &&
++ (adev->pdev->revision == 0)) {
+ smu_data->smc_state_table.MemoryLevel[1].MinVddci =
+ smu_data->smc_state_table.MemoryLevel[0].MinVddci;
+ smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
--- /dev/null
+From 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 28 Apr 2026 10:42:49 -0400
+Subject: drm/amdgpu/pm: align Hawaii mclk workaround with radeon
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d upstream.
+
+Align the hawaii mclk workaround with radeon and windows.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 9649528b637f668c5af9f2b83ca4ad8576ae2121)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+@@ -1329,10 +1329,10 @@ static int ci_populate_all_memory_levels
+ if ((dpm_table->mclk_table.count >= 2) &&
+ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) &&
+ (adev->pdev->revision == 0)) {
+- smu_data->smc_state_table.MemoryLevel[1].MinVddci =
+- smu_data->smc_state_table.MemoryLevel[0].MinVddci;
+- smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
+- smu_data->smc_state_table.MemoryLevel[0].MinMvdd;
++ smu_data->smc_state_table.MemoryLevel[1].MinVddc =
++ smu_data->smc_state_table.MemoryLevel[0].MinVddc;
++ smu_data->smc_state_table.MemoryLevel[1].MinVddcPhases =
++ smu_data->smc_state_table.MemoryLevel[0].MinVddcPhases;
+ }
+ smu_data->smc_state_table.MemoryLevel[0].ActivityLevel = 0x1F;
+ CONVERT_FROM_HOST_TO_SMC_US(smu_data->smc_state_table.MemoryLevel[0].ActivityLevel);
--- /dev/null
+From 78d2e624fa073c14970aa097adcf3ea31c157a66 Mon Sep 17 00:00:00 2001
+From: "John B. Moore" <jbmoore61@gmail.com>
+Date: Mon, 27 Apr 2026 16:06:28 -0500
+Subject: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John B. Moore <jbmoore61@gmail.com>
+
+commit 78d2e624fa073c14970aa097adcf3ea31c157a66 upstream.
+
+sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
+that verify fence writeback addresses are dword-aligned. These
+assertions can be reached from unprivileged userspace via crafted
+DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a
+scheduler worker thread.
+
+Replace both BUG_ON() calls with WARN_ON() to log the condition without
+crashing the kernel. A misaligned fence address at this point indicates
+a driver bug, but crashing the kernel is never the correct response when
+the assertion is reachable from userspace.
+
+The CS IOCTL path is the correct place to filter invalid submissions;
+the ring emission callback is too late to do anything about it.
+
+Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: John B. Moore <jbmoore61@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+@@ -890,7 +890,7 @@ static void sdma_v4_0_ring_emit_fence(st
+ /* write the fence */
+ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
+ /* zero in first two bits */
+- BUG_ON(addr & 0x3);
++ WARN_ON(addr & 0x3);
+ amdgpu_ring_write(ring, lower_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(addr));
+ amdgpu_ring_write(ring, lower_32_bits(seq));
+@@ -900,7 +900,7 @@ static void sdma_v4_0_ring_emit_fence(st
+ addr += 4;
+ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
+ /* zero in first two bits */
+- BUG_ON(addr & 0x3);
++ WARN_ON(addr & 0x3);
+ amdgpu_ring_write(ring, lower_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(seq));
--- /dev/null
+From 574b3b14f7d1b329fc6e67b79328f0e6f4d4b3d4 Mon Sep 17 00:00:00 2001
+From: "Ramalingeswara Reddy, Kanala" <Kanala.RamalingeswaraReddy@amd.com>
+Date: Tue, 31 Mar 2026 17:23:22 +0530
+Subject: drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.
+
+From: Ramalingeswara Reddy, Kanala <Kanala.RamalingeswaraReddy@amd.com>
+
+commit 574b3b14f7d1b329fc6e67b79328f0e6f4d4b3d4 upstream.
+
+Define and use regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0 and
+regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0 for TSC upper and lower count.
+
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
+Signed-off-by: Ramalingeswara Reddy, Kanala <Kanala.RamalingeswaraReddy@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+@@ -64,6 +64,11 @@
+ #define regPC_CONFIG_CNTL_1 0x194d
+ #define regPC_CONFIG_CNTL_1_BASE_IDX 1
+
++#define regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0 0x0030
++#define regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0_BASE_IDX 1
++#define regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0 0x0031
++#define regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0_BASE_IDX 1
++
+ #define regCP_GFX_MQD_CONTROL_DEFAULT 0x00000100
+ #define regCP_GFX_HQD_VMID_DEFAULT 0x00000000
+ #define regCP_GFX_HQD_QUEUE_PRIORITY_DEFAULT 0x00000000
+@@ -5174,11 +5179,27 @@ static uint64_t gfx_v11_0_get_gpu_clock_
+ amdgpu_gfx_off_ctrl(adev, true);
+ } else {
+ preempt_disable();
+- clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER);
+- clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER);
+- clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER);
+- if (clock_counter_hi_pre != clock_counter_hi_after)
+- clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER);
++ if (amdgpu_ip_version(adev, SMUIO_HWIP, 0) < IP_VERSION(15, 0, 0)) {
++ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0,
++ regGOLDEN_TSC_COUNT_UPPER);
++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0,
++ regGOLDEN_TSC_COUNT_LOWER);
++ clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0,
++ regGOLDEN_TSC_COUNT_UPPER);
++ if (clock_counter_hi_pre != clock_counter_hi_after)
++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0,
++ regGOLDEN_TSC_COUNT_LOWER);
++ } else {
++ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0,
++ regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0);
++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0,
++ regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0);
++ clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0,
++ regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0);
++ if (clock_counter_hi_pre != clock_counter_hi_after)
++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0,
++ regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0);
++ }
+ preempt_enable();
+ }
+ clock = clock_counter_lo | (clock_counter_hi_after << 32ULL);
--- /dev/null
+From de2a02cc28d6d5d37db07d00a9a684c754a5fd74 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Mon, 30 Mar 2026 15:01:27 -0400
+Subject: drm/amdgpu/vce: Prevent partial address patches
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit de2a02cc28d6d5d37db07d00a9a684c754a5fd74 upstream.
+
+In the case that only one of lo/hi is valid, the patching could result
+in a bad address written to in FW.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+@@ -656,6 +656,9 @@ static int amdgpu_vce_cs_reloc(struct am
+ uint64_t addr;
+ int r;
+
++ if (lo >= ib->length_dw || hi >= ib->length_dw)
++ return -EINVAL;
++
+ if (index == 0xffffffff)
+ index = 0;
+
--- /dev/null
+From b193019860d61e92da395eae2011f2f6716b182f Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Tue, 24 Mar 2026 16:25:56 -0400
+Subject: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit b193019860d61e92da395eae2011f2f6716b182f upstream.
+
+Check bounds against the end of the BO whenever we access the msg.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1908,7 +1908,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ {
+ struct ttm_operation_ctx ctx = { false, false };
+ struct amdgpu_bo_va_mapping *map;
+- uint32_t *msg, num_buffers;
++ uint32_t *msg, num_buffers, len_dw;
+ struct amdgpu_bo *bo;
+ uint64_t start, end;
+ unsigned int i;
+@@ -1929,6 +1929,11 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ return -EINVAL;
+ }
+
++ if (end - addr < 16) {
++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
++ return -EINVAL;
++ }
++
+ bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
+ amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
+ r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
+@@ -1945,8 +1950,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+
+ msg = ptr + addr - start;
+
+- /* Check length */
+ if (msg[1] > end - addr) {
++ DRM_ERROR("VCN message header does not fit in BO!\n");
+ r = -EINVAL;
+ goto out;
+ }
+@@ -1954,7 +1959,16 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ if (msg[3] != RDECODE_MSG_CREATE)
+ goto out;
+
++ len_dw = msg[1] / 4;
+ num_buffers = msg[2];
++
++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
++ DRM_ERROR("VCN message has too many buffers!\n");
++ r = -EINVAL;
++ goto out;
++ }
++
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
+
+@@ -1964,14 +1978,15 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (offset + size > end) {
++ if (size < 4 || offset + size > end - addr) {
++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
+ }
+
+ create = ptr + addr + offset - start;
+
+- /* H246, HEVC and VP9 can run on any instance */
++ /* H264, HEVC and VP9 can run on any instance */
+ if (create[0] == 0x7 || create[0] == 0x10 || create[0] == 0x11)
+ continue;
+
--- /dev/null
+From 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Wed, 25 Mar 2026 09:09:27 -0400
+Subject: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 upstream.
+
+Check bounds against the end of the BO whenever we access the msg.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1825,7 +1825,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ {
+ struct ttm_operation_ctx ctx = { false, false };
+ struct amdgpu_bo_va_mapping *map;
+- uint32_t *msg, num_buffers;
++ uint32_t *msg, num_buffers, len_dw;
+ struct amdgpu_bo *bo;
+ uint64_t start, end;
+ unsigned int i;
+@@ -1846,6 +1846,11 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ return -EINVAL;
+ }
+
++ if (end - addr < 16) {
++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
++ return -EINVAL;
++ }
++
+ bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
+ amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
+ r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
+@@ -1862,8 +1867,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+
+ msg = ptr + addr - start;
+
+- /* Check length */
+ if (msg[1] > end - addr) {
++ DRM_ERROR("VCN message header does not fit in BO!\n");
+ r = -EINVAL;
+ goto out;
+ }
+@@ -1871,7 +1876,16 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ if (msg[3] != RDECODE_MSG_CREATE)
+ goto out;
+
++ len_dw = msg[1] / 4;
+ num_buffers = msg[2];
++
++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
++ DRM_ERROR("VCN message has too many buffers!\n");
++ r = -EINVAL;
++ goto out;
++ }
++
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
+
+@@ -1881,7 +1895,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (offset + size > end) {
++ if (size < 4 || offset + size > end - addr) {
++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
+ }
--- /dev/null
+From 2444eb0ec8283f4a3845eb7febad378476e1ba3c Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Tue, 24 Mar 2026 16:42:05 -0400
+Subject: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 2444eb0ec8283f4a3845eb7febad378476e1ba3c upstream.
+
+Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the
+bounds checks.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1912,9 +1912,10 @@ out:
+ static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int start)
+ {
+ int i;
++ uint32_t len;
+
+- for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 4) {
+- if (ib->ptr[i + 1] == id)
++ for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) {
++ if (amdgpu_ib_get_value(ib, i + 1) == id)
+ return i;
+ }
+ return -1;
+@@ -1925,8 +1926,6 @@ static int vcn_v4_0_ring_patch_cs_in_pla
+ struct amdgpu_ib *ib)
+ {
+ struct amdgpu_ring *ring = amdgpu_job_ring(job);
+- struct amdgpu_vcn_decode_buffer *decode_buffer;
+- uint64_t addr;
+ uint32_t val;
+ int idx = 0, sidx;
+
+@@ -1937,20 +1936,22 @@ static int vcn_v4_0_ring_patch_cs_in_pla
+ while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO, idx)) >= 0) {
+ val = amdgpu_ib_get_value(ib, idx + 2); /* RADEON_VCN_ENGINE_TYPE */
+ if (val == RADEON_VCN_ENGINE_TYPE_DECODE) {
+- decode_buffer = (struct amdgpu_vcn_decode_buffer *)&ib->ptr[idx + 6];
++ uint32_t valid_buf_flag = amdgpu_ib_get_value(ib, idx + 6);
++ uint64_t msg_buffer_addr;
+
+- if (!(decode_buffer->valid_buf_flag & 0x1))
++ if (!(valid_buf_flag & 0x1))
+ return 0;
+
+- addr = ((u64)decode_buffer->msg_buffer_address_hi) << 32 |
+- decode_buffer->msg_buffer_address_lo;
+- return vcn_v4_0_dec_msg(p, job, addr);
++ msg_buffer_addr = ((u64)amdgpu_ib_get_value(ib, idx + 7)) << 32 |
++ amdgpu_ib_get_value(ib, idx + 8);
++ return vcn_v4_0_dec_msg(p, job, msg_buffer_addr);
+ } else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) {
+ sidx = vcn_v4_0_enc_find_ib_param(ib, RENCODE_IB_PARAM_SESSION_INIT, idx);
+- if (sidx >= 0 && ib->ptr[sidx + 2] == RENCODE_ENCODE_STANDARD_AV1)
++ if (sidx >= 0 &&
++ amdgpu_ib_get_value(ib, sidx + 2) == RENCODE_ENCODE_STANDARD_AV1)
+ return vcn_v4_0_limit_sched(p, job);
+ }
+- idx += ib->ptr[idx] / 4;
++ idx += amdgpu_ib_get_value(ib, idx) / 4;
+ }
+ return 0;
+ }
--- /dev/null
+From e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 Mon Sep 17 00:00:00 2001
+From: Philip Yang <Philip.Yang@amd.com>
+Date: Mon, 27 Apr 2026 09:30:23 -0400
+Subject: drm/amdgpu: zero-initialize GART table on allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philip Yang <Philip.Yang@amd.com>
+
+commit e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 upstream.
+
+GART TLB is flushed after unmapping but not after mapping. Since
+amdgpu_bo_create_kernel() does not zero-initialize the buffer, when a
+single PTE is written the TLB may speculatively load other uninitialized
+entries from the same cacheline. Those garbage entries can appear valid,
+and a subsequent write to another PTE in the same cacheline may cause the
+GPU to use a stale garbage PTE from the TLB.
+
+Fix this by calling memset_io() to zero-initialize the GART table with
+gart_pte_flags immediately after allocation.
+
+Using AMDGPU_GEM_CREATE_VRAM_CLEARED, SDMA-based clear will not work
+since SDMA needs GART to be initialized to work.
+
+Suggested-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Philip Yang <Philip.Yang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit d9af8263b82b6eaa60c5718e0c6631c5037e4b24)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+@@ -262,12 +262,19 @@ void amdgpu_gart_table_ram_free(struct a
+ */
+ int amdgpu_gart_table_vram_alloc(struct amdgpu_device *adev)
+ {
++ int r;
++
+ if (adev->gart.bo != NULL)
+ return 0;
+
+- return amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE,
+- AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
+- NULL, (void *)&adev->gart.ptr);
++ r = amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE,
++ AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
++ NULL, (void *)&adev->gart.ptr);
++ if (r)
++ return r;
++
++ memset_io(adev->gart.ptr, adev->gart.gart_pte_flags, adev->gart.table_size);
++ return 0;
+ }
+
+ /**
--- /dev/null
+From 74b73fa56a395d46745e4f245225963e9f8be7f1 Mon Sep 17 00:00:00 2001
+From: Alysa Liu <Alysa.Liu@amd.com>
+Date: Mon, 30 Mar 2026 10:50:07 -0400
+Subject: drm/amdkfd: Add upper bound check for num_of_nodes
+
+From: Alysa Liu <Alysa.Liu@amd.com>
+
+commit 74b73fa56a395d46745e4f245225963e9f8be7f1 upstream.
+
+drm/amdkfd: Add upper bound check for num_of_nodes
+in kfd_ioctl_get_process_apertures_new.
+
+Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 98ff46a5ea090c14d2cdb4f5b993b05d74f3949f)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +++
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 1 +
+ drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 11 +++++++++++
+ 3 files changed, 15 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -763,6 +763,9 @@ static int kfd_ioctl_get_process_apertur
+ goto out_unlock;
+ }
+
++ if (args->num_of_nodes > kfd_topology_get_num_devices())
++ return -EINVAL;
++
+ /* Fill in process-aperture information for all available
+ * nodes, but not more than args->num_of_nodes as that is
+ * the amount of memory allocated by user
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -1175,6 +1175,7 @@ static inline struct kfd_node *kfd_node_
+ return NULL;
+ }
+ int kfd_topology_enum_kfd_devices(uint8_t idx, struct kfd_node **kdev);
++uint32_t kfd_topology_get_num_devices(void);
+ int kfd_numa_node_to_apic_id(int numa_node_id);
+
+ /* Interrupts */
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+@@ -2295,6 +2295,17 @@ int kfd_topology_remove_device(struct kf
+ return res;
+ }
+
++uint32_t kfd_topology_get_num_devices(void)
++{
++ uint32_t num_devices;
++
++ down_read(&topology_lock);
++ num_devices = sys_props.num_devices;
++ up_read(&topology_lock);
++
++ return num_devices;
++}
++
+ /* kfd_topology_enum_kfd_devices - Enumerate through all devices in KFD
+ * topology. If GPU device is found @idx, then valid kfd_dev pointer is
+ * returned through @kdev
--- /dev/null
+From ad52d61d82181dbdb7f05826de38352d5e550cc2 Mon Sep 17 00:00:00 2001
+From: Amir Shetaia <Amir.Shetaia@amd.com>
+Date: Fri, 10 Apr 2026 10:38:13 -0400
+Subject: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amir Shetaia <Amir.Shetaia@amd.com>
+
+commit ad52d61d82181dbdb7f05826de38352d5e550cc2 upstream.
+
+KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE
+but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated
+VRAM with stale data from prior use observable by compute kernels.
+
+The GEM ioctl path already sets VRAM_CLEARED for all userspace
+allocations via amdgpu_gem_create_ioctl() and
+amdgpu_mode_dumb_create(). The KFD path was missing this flag,
+allowing stale page table remnants to leak into user buffers.
+
+This causes crashes in RCCL P2P transport where non-zero data in
+ptrExchange/head/tail fields corrupts the protocol handshake.
+
+Signed-off-by: Amir Shetaia <Amir.Shetaia@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1717,7 +1717,8 @@ int amdgpu_amdkfd_gpuvm_alloc_memory_of_
+ alloc_domain = AMDGPU_GEM_DOMAIN_GTT;
+ alloc_flags = 0;
+ } else {
+- alloc_flags = AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE;
++ alloc_flags = AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE |
++ AMDGPU_GEM_CREATE_VRAM_CLEARED;
+ alloc_flags |= (flags & KFD_IOC_ALLOC_MEM_FLAGS_PUBLIC) ?
+ AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED : 0;
+
--- /dev/null
+From 9b4e3495d1bd2469bf94b74930c153c2d534ddb7 Mon Sep 17 00:00:00 2001
+From: Felix Kuehling <felix.kuehling@amd.com>
+Date: Mon, 20 Apr 2026 11:55:57 -0400
+Subject: drm/amdkfd: Make all TLB-flushes heavy-weight
+
+From: Felix Kuehling <felix.kuehling@amd.com>
+
+commit 9b4e3495d1bd2469bf94b74930c153c2d534ddb7 upstream.
+
+With only one sequence number we cannot track the need for legacy vs
+heavy-weight flushes reliably. Always use heavy-weight.
+
+Signed-off-by: Felix Kuehling <felix.kuehling@amd.com>
+Reviewed-by: Philip Yang <philip.yang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit c1a3ff1d327820cd9a52bc1056b98681fc088949)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 4 ++--
+ drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 6 +++---
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 6 +++---
+ drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 4 ++--
+ 4 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -1341,7 +1341,7 @@ static int kfd_ioctl_map_memory_to_gpu(s
+ peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]);
+ if (WARN_ON_ONCE(!peer_pdd))
+ continue;
+- kfd_flush_tlb(peer_pdd, TLB_FLUSH_LEGACY);
++ kfd_flush_tlb(peer_pdd);
+ }
+ kfree(devices_arr);
+
+@@ -1436,7 +1436,7 @@ static int kfd_ioctl_unmap_memory_from_g
+ if (WARN_ON_ONCE(!peer_pdd))
+ continue;
+ if (flush_tlb)
+- kfd_flush_tlb(peer_pdd, TLB_FLUSH_HEAVYWEIGHT);
++ kfd_flush_tlb(peer_pdd);
+
+ /* Remove dma mapping after tlb flush to avoid IO_PAGE_FAULT */
+ err = amdgpu_amdkfd_gpuvm_dmaunmap_mem(mem, peer_pdd->drm_priv);
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -569,7 +569,7 @@ static int allocate_vmid(struct device_q
+ qpd->vmid,
+ qpd->page_table_base);
+ /* invalidate the VM context after pasid and vmid mapping is set up */
+- kfd_flush_tlb(qpd_to_pdd(qpd), TLB_FLUSH_LEGACY);
++ kfd_flush_tlb(qpd_to_pdd(qpd));
+
+ if (dqm->dev->kfd2kgd->set_scratch_backing_va)
+ dqm->dev->kfd2kgd->set_scratch_backing_va(dqm->dev->adev,
+@@ -607,7 +607,7 @@ static void deallocate_vmid(struct devic
+ if (flush_texture_cache_nocpsch(q->device, qpd))
+ dev_err(dev, "Failed to flush TC\n");
+
+- kfd_flush_tlb(qpd_to_pdd(qpd), TLB_FLUSH_LEGACY);
++ kfd_flush_tlb(qpd_to_pdd(qpd));
+
+ /* Release the vmid mapping */
+ set_pasid_vmid_mapping(dqm, 0, qpd->vmid);
+@@ -1282,7 +1282,7 @@ static int restore_process_queues_nocpsc
+ dqm->dev->adev,
+ qpd->vmid,
+ qpd->page_table_base);
+- kfd_flush_tlb(pdd, TLB_FLUSH_LEGACY);
++ kfd_flush_tlb(pdd);
+ }
+
+ /* Take a safe reference to the mm_struct, which may otherwise
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -1533,13 +1533,13 @@ void kfd_signal_reset_event(struct kfd_n
+
+ void kfd_signal_poison_consumed_event(struct kfd_node *dev, u32 pasid);
+
+-static inline void kfd_flush_tlb(struct kfd_process_device *pdd,
+- enum TLB_FLUSH_TYPE type)
++static inline void kfd_flush_tlb(struct kfd_process_device *pdd)
+ {
+ struct amdgpu_device *adev = pdd->dev->adev;
+ struct amdgpu_vm *vm = drm_priv_to_vm(pdd->drm_priv);
+
+- amdgpu_vm_flush_compute_tlb(adev, vm, type, pdd->dev->xcc_mask);
++ amdgpu_vm_flush_compute_tlb(adev, vm, TLB_FLUSH_HEAVYWEIGHT,
++ pdd->dev->xcc_mask);
+ }
+
+ static inline bool kfd_flush_tlb_after_unmap(struct kfd_dev *dev)
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+@@ -1391,7 +1391,7 @@ svm_range_unmap_from_gpus(struct svm_ran
+ if (r)
+ break;
+ }
+- kfd_flush_tlb(pdd, TLB_FLUSH_HEAVYWEIGHT);
++ kfd_flush_tlb(pdd);
+ }
+
+ return r;
+@@ -1525,7 +1525,7 @@ svm_range_map_to_gpus(struct svm_range *
+ }
+ }
+
+- kfd_flush_tlb(pdd, TLB_FLUSH_LEGACY);
++ kfd_flush_tlb(pdd);
+ }
+
+ return r;
--- /dev/null
+From 045e0ff208f0838a246c10204105126611b267a1 Mon Sep 17 00:00:00 2001
+From: Alysa Liu <Alysa.Liu@amd.com>
+Date: Tue, 21 Apr 2026 10:18:28 -0400
+Subject: drm/amdkfd: validate SVM ioctl nattr against buffer size
+
+From: Alysa Liu <Alysa.Liu@amd.com>
+
+commit 045e0ff208f0838a246c10204105126611b267a1 upstream.
+
+Validate nattr field against the buffer size, preventing
+out-of-bounds buffer access via user-controlled attribute count.
+
+Reviewed-by: Amir Shetaia <Amir.Shetaia@amd.com>
+Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 26 ++++++++++++++++++++++++--
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 3 +++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -25,6 +25,7 @@
+ #include <linux/err.h>
+ #include <linux/fs.h>
+ #include <linux/file.h>
++#include <linux/overflow.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/uaccess.h>
+@@ -1676,6 +1677,16 @@ static int kfd_ioctl_smi_events(struct f
+ return kfd_smi_event_open(pdd->dev, &args->anon_fd);
+ }
+
++static int kfd_ioctl_svm_validate(void *kdata, unsigned int usize)
++{
++ struct kfd_ioctl_svm_args *args = kdata;
++ size_t expected = struct_size(args, attrs, args->nattr);
++
++ if (expected == SIZE_MAX || usize < expected)
++ return -EINVAL;
++ return 0;
++}
++
+ #if IS_ENABLED(CONFIG_HSA_AMD_SVM)
+
+ static int kfd_ioctl_set_xnack_mode(struct file *filep,
+@@ -3122,7 +3133,11 @@ out:
+
+ #define AMDKFD_IOCTL_DEF(ioctl, _func, _flags) \
+ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
+- .cmd_drv = 0, .name = #ioctl}
++ .validate = NULL, .cmd_drv = 0, .name = #ioctl}
++
++#define AMDKFD_IOCTL_DEF_V(ioctl, _func, _validate, _flags) \
++ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
++ .validate = _validate, .cmd_drv = 0, .name = #ioctl}
+
+ /** Ioctl table */
+ static const struct amdkfd_ioctl_desc amdkfd_ioctls[] = {
+@@ -3219,7 +3234,8 @@ static const struct amdkfd_ioctl_desc am
+ AMDKFD_IOCTL_DEF(AMDKFD_IOC_SMI_EVENTS,
+ kfd_ioctl_smi_events, 0),
+
+- AMDKFD_IOCTL_DEF(AMDKFD_IOC_SVM, kfd_ioctl_svm, 0),
++ AMDKFD_IOCTL_DEF_V(AMDKFD_IOC_SVM, kfd_ioctl_svm,
++ kfd_ioctl_svm_validate, 0),
+
+ AMDKFD_IOCTL_DEF(AMDKFD_IOC_SET_XNACK_MODE,
+ kfd_ioctl_set_xnack_mode, 0),
+@@ -3341,6 +3357,12 @@ static long kfd_ioctl(struct file *filep
+ memset(kdata, 0, usize);
+ }
+
++ if (ioctl->validate) {
++ retcode = ioctl->validate(kdata, usize);
++ if (retcode)
++ goto err_i1;
++ }
++
+ retcode = func(filep, process, kdata);
+
+ if (cmd & IOC_OUT)
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -1036,10 +1036,13 @@ extern struct srcu_struct kfd_processes_
+ typedef int amdkfd_ioctl_t(struct file *filep, struct kfd_process *p,
+ void *data);
+
++typedef int amdkfd_ioctl_validate_t(void *kdata, unsigned int usize);
++
+ struct amdkfd_ioctl_desc {
+ unsigned int cmd;
+ int flags;
+ amdkfd_ioctl_t *func;
++ amdkfd_ioctl_validate_t *validate;
+ unsigned int cmd_drv;
+ const char *name;
+ };
--- /dev/null
+From aaaa684bab1f6d9ecfc49db328facb1771fd0eb2 Mon Sep 17 00:00:00 2001
+From: Sasha Finkelstein <k@chaosmail.tech>
+Date: Mon, 20 Apr 2026 14:17:43 +0200
+Subject: drm/appletbdrm: Use kvzalloc for big allocations
+
+From: Sasha Finkelstein <k@chaosmail.tech>
+
+commit aaaa684bab1f6d9ecfc49db328facb1771fd0eb2 upstream.
+
+This driver is attached to a ~2000x80 screen, which is a lot more than
+a single page. This causes out of memory errors in some rare cases.
+
+Reported-by: soopyc <cassie@soopy.moe>
+Closes: https://github.com/t2linux/fedora/issues/51
+Signed-off-by: Sasha Finkelstein <k@chaosmail.tech>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Aditya Garg <gargaditya08@live.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: 0670c2f56e45 ("drm/tiny: add driver for Apple Touch Bars in x86 Macs")
+Cc: <stable@vger.kernel.org> # v6.15+
+Link: https://patch.msgid.link/20260420-x86-tb-vmalloc-v1-1-7757ff657223@chaosmail.tech
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tiny/appletbdrm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/tiny/appletbdrm.c
++++ b/drivers/gpu/drm/tiny/appletbdrm.c
+@@ -353,7 +353,7 @@ static int appletbdrm_primary_plane_help
+ frames_size +
+ sizeof(struct appletbdrm_fb_request_footer), 16);
+
+- appletbdrm_state->request = kzalloc(request_size, GFP_KERNEL);
++ appletbdrm_state->request = kvzalloc(request_size, GFP_KERNEL);
+
+ if (!appletbdrm_state->request)
+ return -ENOMEM;
+@@ -543,7 +543,7 @@ static void appletbdrm_primary_plane_des
+ {
+ struct appletbdrm_plane_state *appletbdrm_state = to_appletbdrm_plane_state(state);
+
+- kfree(appletbdrm_state->request);
++ kvfree(appletbdrm_state->request);
+ kfree(appletbdrm_state->response);
+
+ __drm_gem_destroy_shadow_plane_state(&appletbdrm_state->base);
--- /dev/null
+From 2a46a9356ba7b1bdd741c8b41e5374edcd960557 Mon Sep 17 00:00:00 2001
+From: "Kory Maincent (TI)" <kory.maincent@bootlin.com>
+Date: Tue, 28 Apr 2026 11:04:56 +0200
+Subject: drm/bridge: tda998x: Use __be32 for audio port OF property pointer
+
+From: Kory Maincent (TI) <kory.maincent@bootlin.com>
+
+commit 2a46a9356ba7b1bdd741c8b41e5374edcd960557 upstream.
+
+of_get_property() returns a pointer to big-endian (__be32) data, but
+port_data in tda998x_get_audio_ports() was declared as const u32 *,
+causing a sparse endianness type mismatch warning. Fix the declaration
+to use const __be32 *.
+
+Fixes: 7e567624dc5a4 ("drm/i2c: tda998x: Register ASoC hdmi-codec and add audio DT binding")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kory Maincent (TI) <kory.maincent@bootlin.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://patch.msgid.link/20260428090457.121894-1-kory.maincent@bootlin.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/tda998x_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/bridge/tda998x_drv.c
++++ b/drivers/gpu/drm/bridge/tda998x_drv.c
+@@ -1697,7 +1697,7 @@ static const struct drm_bridge_funcs tda
+ static int tda998x_get_audio_ports(struct tda998x_priv *priv,
+ struct device_node *np)
+ {
+- const u32 *port_data;
++ const __be32 *port_data;
+ u32 size;
+ int i;
+
--- /dev/null
+From 26f6654a9a60eb4d241f42a0ec85412e8821480b Mon Sep 17 00:00:00 2001
+From: Osama Abdelkader <osama.abdelkader@gmail.com>
+Date: Thu, 23 Apr 2026 22:06:20 +0200
+Subject: drm/exynos: remove bridge when component_add fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Osama Abdelkader <osama.abdelkader@gmail.com>
+
+commit 26f6654a9a60eb4d241f42a0ec85412e8821480b upstream.
+
+Use devm_drm_bridge_add() so the bridge is released if probe fails after
+registration, and drop the manual drm_bridge_remove() in remove().
+
+Check the return value of devm_drm_bridge_add().
+
+Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
+Fixes: 576d72fbfb45 ("drm/exynos: mic: add a bridge at probe")
+Cc: stable@vger.kernel.org
+Reviewed-by: Raphaël Gallais-Pou <rgallaispou@gmail.com>
+Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Link: https://patch.msgid.link/20260423200622.325076-2-osama.abdelkader@gmail.com
+Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_mic.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_mic.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_mic.c
+@@ -423,7 +423,9 @@ static int exynos_mic_probe(struct platf
+
+ mic->bridge.of_node = dev->of_node;
+
+- drm_bridge_add(&mic->bridge);
++ ret = devm_drm_bridge_add(dev, &mic->bridge);
++ if (ret)
++ goto err;
+
+ pm_runtime_enable(dev);
+
+@@ -443,12 +445,8 @@ err:
+
+ static void exynos_mic_remove(struct platform_device *pdev)
+ {
+- struct exynos_mic *mic = platform_get_drvdata(pdev);
+-
+ component_del(&pdev->dev, &exynos_mic_component_ops);
+ pm_runtime_disable(&pdev->dev);
+-
+- drm_bridge_remove(&mic->bridge);
+ }
+
+ static const struct of_device_id exynos_mic_of_match[] = {
--- /dev/null
+From 3d4c2268bd7243c3780fe32bf24ff876da272acf Mon Sep 17 00:00:00 2001
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Date: Mon, 20 Apr 2026 01:36:37 +0000
+Subject: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
+
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+
+commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream.
+
+drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
+using plain integer division:
+
+ unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
+ unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
+
+However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
+drm_format_info_plane_width/height() which round up dimensions via
+DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
+size check for certain pixel format and dimension combinations.
+
+For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
+GEM size validation path sees height=0 instead of height=1. The
+expression (height - 1) then wraps to UINT_MAX as an unsigned int,
+causing min_size to overflow and wrap back to a small value. A tiny
+GEM object therefore passes the size guard, yet when the GPU accesses
+the chroma plane it will read or write memory beyond the object's
+bounds.
+
+Fix by replacing the open-coded divisions with drm_format_info_plane_width()
+and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
+the calculation already used in framebuffer_check().
+
+Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library")
+Cc: stable@vger.kernel.org # v4.14+
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
++++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
+@@ -171,8 +171,8 @@ int drm_gem_fb_init_with_funcs(struct dr
+ }
+
+ for (i = 0; i < info->num_planes; i++) {
+- unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
+- unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
++ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i);
++ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i);
+ unsigned int min_size;
+
+ objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]);
--- /dev/null
+From 314f6179e370988ac00dadf373a4f6166eb3db15 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jouni=20H=C3=B6gander?= <jouni.hogander@intel.com>
+Date: Mon, 13 Apr 2026 14:23:45 +0300
+Subject: drm/i915/psr: Init variable to avoid early exit from et alignment loop
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jouni Högander <jouni.hogander@intel.com>
+
+commit 314f6179e370988ac00dadf373a4f6166eb3db15 upstream.
+
+Uninitialized boolean variable may cause unwanted exit from et alignment
+loop. Fix this by initializing it as false.
+
+Fixes: 1be2fca84f52 ("drm/i915/psr: Repeat Selective Update area alignment")
+Cc: <stable@vger.kernel.org> # v6.9+
+Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
+Reviewed-by: Nemesa Garg <nemesa.garg@intel.com>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patch.msgid.link/20260413112345.88853-1-jouni.hogander@intel.com
+(cherry picked from commit 289678a90b8cf81e3514c9d6c667235cd39c7acf)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -2840,7 +2840,7 @@ int intel_psr2_sel_fetch_update(struct i
+ return ret;
+
+ do {
+- bool cursor_in_su_area;
++ bool cursor_in_su_area = false;
+
+ /*
+ * Adjust su area to cover cursor fully as necessary
--- /dev/null
+From cdf26e1462c220629bb79d487263b66f8b679eab Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@nabladev.com>
+Date: Sat, 10 Jan 2026 18:14:10 +0100
+Subject: drm/imx: parallel-display: Prefer bus format set via legacy "interface-pix-fmt" DT property
+
+From: Marek Vasut <marex@nabladev.com>
+
+commit cdf26e1462c220629bb79d487263b66f8b679eab upstream.
+
+Prefer bus format set via legacy "interface-pix-fmt" DT property
+over panel bus format. This is necessary to retain support for
+DTs which configure the IPUv3 parallel output as 24bit DPI, but
+connect 18bit DPI panels to it with hardware swizzling.
+
+This used to work up to Linux 6.12, but stopped working in 6.13,
+reinstate the behavior to support old DTs.
+
+Cc: stable@vger.kernel.org
+Fixes: 5f6e56d3319d ("drm/imx: parallel-display: switch to drm_panel_bridge")
+Signed-off-by: Marek Vasut <marex@nabladev.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Link: https://patch.msgid.link/20260110171510.692666-1-marex@nabladev.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/imx/ipuv3/parallel-display.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/imx/ipuv3/parallel-display.c
++++ b/drivers/gpu/drm/imx/ipuv3/parallel-display.c
+@@ -110,8 +110,7 @@ imx_pd_bridge_atomic_get_input_bus_fmts(
+ output_fmt = imxpd->bus_format ? : MEDIA_BUS_FMT_RGB888_1X24;
+
+ /* Now make sure the requested output format is supported. */
+- if ((imxpd->bus_format && imxpd->bus_format != output_fmt) ||
+- !imx_pd_format_supported(output_fmt)) {
++ if (!imx_pd_format_supported(output_fmt)) {
+ *num_input_fmts = 0;
+ return NULL;
+ }
+@@ -121,7 +120,17 @@ imx_pd_bridge_atomic_get_input_bus_fmts(
+ if (!input_fmts)
+ return NULL;
+
+- input_fmts[0] = output_fmt;
++ /*
++ * Prefer bus format set via legacy "interface-pix-fmt" DT property
++ * over panel bus format. This is necessary to retain support for
++ * DTs which configure the IPUv3 parallel output as 24bit, but
++ * connect 18bit DPI panels to it with hardware swizzling.
++ */
++ if (imxpd->bus_format && imxpd->bus_format != output_fmt)
++ input_fmts[0] = imxpd->bus_format;
++ else
++ input_fmts[0] = output_fmt;
++
+ return input_fmts;
+ }
+
--- /dev/null
+From 01a0d6cd7032e9993feea19fadb03ef9d5b488f2 Mon Sep 17 00:00:00 2001
+From: Anna Maniscalco <anna.maniscalco2000@gmail.com>
+Date: Tue, 10 Feb 2026 17:29:42 +0100
+Subject: drm/msm: always recover the gpu
+
+From: Anna Maniscalco <anna.maniscalco2000@gmail.com>
+
+commit 01a0d6cd7032e9993feea19fadb03ef9d5b488f2 upstream.
+
+Previously, in case there was no more work to do, recover worker
+wouldn't trigger recovery and would instead rely on the gpu going to
+sleep and then resuming when more work is submitted.
+
+Recover_worker will first increment the fence of the hung ring so, if
+there's only one job submitted to a ring and that causes an hang, it
+will early out.
+
+There's no guarantee that the gpu will suspend and resume before more
+work is submitted and if the gpu is in a hung state it will stay in that
+state and probably trigger a timeout again.
+
+Just stop checking and always recover the gpu.
+
+Signed-off-by: Anna Maniscalco <anna.maniscalco2000@gmail.com>
+Cc: stable@vger.kernel.org
+Patchwork: https://patchwork.freedesktop.org/patch/704066/
+Message-ID: <20260210-recovery_suspend_fix-v1-1-00ed9013da04@gmail.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gpu.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gpu.c
++++ b/drivers/gpu/drm/msm/msm_gpu.c
+@@ -548,32 +548,30 @@ static void recover_worker(struct kthrea
+ msm_update_fence(ring->fctx, fence);
+ }
+
+- if (msm_gpu_active(gpu)) {
+- /* retire completed submits, plus the one that hung: */
+- retire_submits(gpu);
++ /* retire completed submits, plus the one that hung: */
++ retire_submits(gpu);
+
+- gpu->funcs->recover(gpu);
++ gpu->funcs->recover(gpu);
+
+- /*
+- * Replay all remaining submits starting with highest priority
+- * ring
+- */
+- for (i = 0; i < gpu->nr_rings; i++) {
+- struct msm_ringbuffer *ring = gpu->rb[i];
+- unsigned long flags;
++ /*
++ * Replay all remaining submits starting with highest priority
++ * ring
++ */
++ for (i = 0; i < gpu->nr_rings; i++) {
++ struct msm_ringbuffer *ring = gpu->rb[i];
++ unsigned long flags;
+
+- spin_lock_irqsave(&ring->submit_lock, flags);
+- list_for_each_entry(submit, &ring->submits, node) {
+- /*
+- * If the submit uses an unusable vm make sure
+- * we don't actually run it
+- */
+- if (to_msm_vm(submit->vm)->unusable)
+- submit->nr_cmds = 0;
+- gpu->funcs->submit(gpu, submit);
+- }
+- spin_unlock_irqrestore(&ring->submit_lock, flags);
++ spin_lock_irqsave(&ring->submit_lock, flags);
++ list_for_each_entry(submit, &ring->submits, node) {
++ /*
++ * If the submit uses an unusable vm make sure
++ * we don't actually run it
++ */
++ if (to_msm_vm(submit->vm)->unusable)
++ submit->nr_cmds = 0;
++ gpu->funcs->submit(gpu, submit);
+ }
++ spin_unlock_irqrestore(&ring->submit_lock, flags);
+ }
+
+ pm_runtime_put(&gpu->pdev->dev);
--- /dev/null
+From 47cbfe2608314b833ad61a65827d8fb363bc2d2d Mon Sep 17 00:00:00 2001
+From: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
+Date: Wed, 25 Mar 2026 20:46:34 +0900
+Subject: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()
+
+From: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
+
+commit 47cbfe2608314b833ad61a65827d8fb363bc2d2d upstream.
+
+msm_ioctl_gem_info_get_metadata() always returns 0 regardless of
+errors. When copy_to_user() fails or the user buffer is too small,
+the error code stored in ret is ignored because the function
+unconditionally returns 0. This causes userspace to believe the
+ioctl succeeded when it did not.
+
+Additionally, kmemdup() can return NULL on allocation failure, but
+the return value is not checked. This leads to a NULL pointer
+dereference in the subsequent copy_to_user() call.
+
+Add the missing NULL check for kmemdup() and return ret instead of 0.
+
+Note that the SET counterpart (msm_ioctl_gem_info_set_metadata)
+correctly returns ret.
+
+Fixes: 9902cb999e4e ("drm/msm/gem: Add metadata")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yasuaki Torimaru <yasuakitorimaru@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/714478/
+Message-ID: <20260325114635.383241-1-yasuakitorimaru@gmail.com>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -536,6 +536,11 @@ static int msm_ioctl_gem_info_get_metada
+ len = msm_obj->metadata_size;
+ buf = kmemdup(msm_obj->metadata, len, GFP_KERNEL);
+
++ if (!buf) {
++ msm_gem_unlock(obj);
++ return -ENOMEM;
++ }
++
+ msm_gem_unlock(obj);
+
+ if (*metadata_size < len) {
+@@ -548,7 +553,7 @@ static int msm_ioctl_gem_info_get_metada
+
+ kfree(buf);
+
+- return 0;
++ return ret;
+ }
+
+ static int msm_ioctl_gem_info(struct drm_device *dev, void *data,
--- /dev/null
+From 570cf799e87ae805eacfab3b4ba66676b5fccdb6 Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng <zhengxingda@iscas.ac.cn>
+Date: Sun, 3 May 2026 17:17:08 +0800
+Subject: drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds
+
+From: Icenowy Zheng <zhengxingda@iscas.ac.cn>
+
+commit 570cf799e87ae805eacfab3b4ba66676b5fccdb6 upstream.
+
+When preparing the panel, it seems that it always expects commands to be
+transferred in LP mode. However, the disable function removes the
+MIPI_DSI_MODE_LPM flag, and no other function re-adds it.
+
+As the unprepare function contains no DSI commands, re-adding the flag
+just after disabling the panel should be safe. Add the code re-adding
+the flag after the two commands for disabling the panel are sent.
+
+This fixes error messages shown in kernel log when unblanking on
+mt8183-kukui-kodama-sku32 device.
+
+Cc: stable@vger.kernel.org
+Fixes: a869b9db7adf ("drm/panel: support for boe tv101wum-nl6 wuxga dsi video mode panel")
+Signed-off-by: Icenowy Zheng <zhengxingda@iscas.ac.cn>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patch.msgid.link/20260503091708.1079962-1-zhengxingda@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c
++++ b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c
+@@ -1324,6 +1324,8 @@ static int boe_panel_disable(struct drm_
+ mipi_dsi_dcs_set_display_off_multi(&ctx);
+ mipi_dsi_dcs_enter_sleep_mode_multi(&ctx);
+
++ boe->dsi->mode_flags |= MIPI_DSI_MODE_LPM;
++
+ mipi_dsi_msleep(&ctx, 150);
+
+ return ctx.accum_err;
--- /dev/null
+From 2d4e80271f784aa0c7b17676e9762c7e8156be1c Mon Sep 17 00:00:00 2001
+From: Icenowy Zheng <zhengxingda@iscas.ac.cn>
+Date: Sun, 26 Apr 2026 00:57:51 +0800
+Subject: drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds
+
+From: Icenowy Zheng <zhengxingda@iscas.ac.cn>
+
+commit 2d4e80271f784aa0c7b17676e9762c7e8156be1c upstream.
+
+When preparing the panel, it seems that it always expects commands to be
+transferred in LP mode. However, the disable function removes the
+MIPI_DSI_MODE_LPM flag, and no other function re-adds it.
+
+As the unprepare function contains no DSI commands, re-adding the flag
+just after disabling the panel should be safe. Add the code re-adding
+the flag after the two commands for disabling the panel are sent.
+
+This fixes screen unblanking (after blanking once) on
+mt8188-geralt-ciri-sku1 device.
+
+Cc: stable@vger.kernel.org # 6.11+
+Fixes: 0ef94554dc40 ("drm/panel: himax-hx83102: Break out as separate driver")
+Signed-off-by: Icenowy Zheng <zhengxingda@iscas.ac.cn>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patch.msgid.link/20260425165751.1716569-1-zhengxingda@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-himax-hx83102.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/panel/panel-himax-hx83102.c
++++ b/drivers/gpu/drm/panel/panel-himax-hx83102.c
+@@ -850,6 +850,8 @@ static int hx83102_disable(struct drm_pa
+ mipi_dsi_dcs_set_display_off_multi(&dsi_ctx);
+ mipi_dsi_dcs_enter_sleep_mode_multi(&dsi_ctx);
+
++ dsi->mode_flags |= MIPI_DSI_MODE_LPM;
++
+ mipi_dsi_msleep(&dsi_ctx, 150);
+
+ return dsi_ctx.accum_err;
--- /dev/null
+From 17223816498f7b117d138d18eb0eba63604dc74e Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 27 Apr 2026 11:40:25 -0400
+Subject: drm/radeon: add missing revision check for CI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 17223816498f7b117d138d18eb0eba63604dc74e upstream.
+
+The memory level workarounds only apply to revision 0 SKUs.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 127e056e2a82 ("drm/radeon: fix mclk vddc configuration for cards for hawaii")
+Fixes: 21b8a369046f ("drm/radeon: fix dram timing for certain hawaii boards")
+Fixes: 90b2fee35cb9 ("drm/radeon: fix dpm mc init for certain hawaii boards")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 4d8dcc14311515077062b5740f39f427075de5c9)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -2461,7 +2461,8 @@ static void ci_register_patching_mc_arb(
+
+ if (patch &&
+ ((rdev->pdev->device == 0x67B0) ||
+- (rdev->pdev->device == 0x67B1))) {
++ (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ if ((memory_clock > 100000) && (memory_clock <= 125000)) {
+ tmp2 = (((0x31 * engine_clock) / 125000) - 1) & 0xff;
+ *dram_timimg2 &= ~0x00ff0000;
+@@ -3304,7 +3305,8 @@ static int ci_populate_all_memory_levels
+ pi->smc_state_table.MemoryLevel[0].EnabledForActivity = 1;
+
+ if ((dpm_table->mclk_table.count >= 2) &&
+- ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1))) {
++ ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ pi->smc_state_table.MemoryLevel[1].MinVddc =
+ pi->smc_state_table.MemoryLevel[0].MinVddc;
+ pi->smc_state_table.MemoryLevel[1].MinVddcPhases =
+@@ -4493,7 +4495,8 @@ static int ci_register_patching_mc_seq(s
+
+ if (patch &&
+ ((rdev->pdev->device == 0x67B0) ||
+- (rdev->pdev->device == 0x67B1))) {
++ (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ for (i = 0; i < table->last; i++) {
+ if (table->last >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
--- /dev/null
+From 5e28b7b94408897e41c63477aabc9e1db439bc8c Mon Sep 17 00:00:00 2001
+From: "Francis, David" <David.Francis@amd.com>
+Date: Tue, 28 Apr 2026 19:25:50 +0000
+Subject: drm: Set old handle to NULL before prime swap in change_handle
+
+From: Francis, David <David.Francis@amd.com>
+
+commit 5e28b7b94408897e41c63477aabc9e1db439bc8c upstream.
+
+There was a potential race condition in change_handle. The ioctl
+briefly had a single object with two idr entries; a concurrent
+gem_close could delete the object and remove one of the handles
+while leaving the other one dangling, which could subsequently
+be dereferenced for a use-after-free.
+
+To fix this, do the same dance that gem_close itself does.
+(f6cd7daecff5 drm: Release driver references to handle before making it available again)
+First idr_replace the old handle to NULL. Later, if the prime
+operations are successful, actually close it.
+
+create_tail required a similar dance to avoid a similar problem.
+(bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail())
+It idr_allocs the new handle with NULL, then swaps in the correct
+object later to avoid races. We don't need to do that here, since
+the only operations that could race are drm_prime, and
+change_handle holds the prime lock for the entire duration.
+
+v2: cleanups of error paths
+
+Signed-off-by: David Francis <David.Francis@amd.com>
+Co-authored-by: Dave Airlie <airlied@gmail.com>
+Reported-by: Puttimet Thammasaeng <pwn8official@gmail.com>
+Tested-by: Vitaly Prosyak <Vitaly.Prosyak@amd.com>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: stable@vger.kernel.org
+Cc: Christian Koenig <Christian.Koenig@amd.com>
+Fixes: 53096728b8910 ("drm: Add DRM prime interface to reassign GEM handle")
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_gem.c
++++ b/drivers/gpu/drm/drm_gem.c
+@@ -969,7 +969,7 @@ int drm_gem_change_handle_ioctl(struct d
+ struct drm_file *file_priv)
+ {
+ struct drm_gem_change_handle *args = data;
+- struct drm_gem_object *obj;
++ struct drm_gem_object *obj, *idrobj;
+ int handle, ret;
+
+ if (!drm_core_check_feature(dev, DRIVER_GEM))
+@@ -992,8 +992,29 @@ int drm_gem_change_handle_ioctl(struct d
+ mutex_lock(&file_priv->prime.lock);
+
+ spin_lock(&file_priv->table_lock);
++
++ /* When create_tail allocs an obj idr, it needs to first alloc as NULL,
++ * then later replace with the correct object. This is not necessary
++ * here, because the only operations that could race are drm_prime
++ * bookkeeping, and we hold the prime lock.
++ */
+ ret = idr_alloc(&file_priv->object_idr, obj, handle, handle + 1,
+ GFP_NOWAIT);
++
++ if (ret < 0) {
++ spin_unlock(&file_priv->table_lock);
++ goto out_unlock;
++ }
++
++ idrobj = idr_replace(&file_priv->object_idr, NULL, handle);
++ if (idrobj != obj) {
++ idr_replace(&file_priv->object_idr, idrobj, handle);
++ idr_remove(&file_priv->object_idr, args->new_handle);
++ spin_unlock(&file_priv->table_lock);
++ ret = -ENOENT;
++ goto out_unlock;
++ }
++
+ spin_unlock(&file_priv->table_lock);
+
+ if (ret < 0)
+@@ -1005,6 +1026,8 @@ int drm_gem_change_handle_ioctl(struct d
+ if (ret < 0) {
+ spin_lock(&file_priv->table_lock);
+ idr_remove(&file_priv->object_idr, handle);
++ idrobj = idr_replace(&file_priv->object_idr, obj, handle);
++ WARN_ON(idrobj != NULL);
+ spin_unlock(&file_priv->table_lock);
+ goto out_unlock;
+ }
--- /dev/null
+From ac2c996675755c725a0065dbe3e2ebffded9080b Mon Sep 17 00:00:00 2001
+From: Shixiong Ou <oushixiong@kylinos.cn>
+Date: Fri, 24 Apr 2026 20:44:27 +0800
+Subject: drm/udl: Increase GET_URB_TIMEOUT
+
+From: Shixiong Ou <oushixiong@kylinos.cn>
+
+commit ac2c996675755c725a0065dbe3e2ebffded9080b upstream.
+
+[WHY]
+A situation has occurred where udl_handle_damage() executed successfully
+and the kernel log appears normal, but the display fails to show any output.
+This is because the call to udl_get_urb() in udl_crtc_helper_atomic_enable()
+failed without generating any error message.
+
+[HOW]
+1. Increase timeout of getting urb.
+2. Add error messages when calling udl_get_urb() failed in
+udl_crtc_helper_atomic_enable().
+
+Signed-off-by: Shixiong Ou <oushixiong@kylinos.cn>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: 5320918b9a87 ("drm/udl: initial UDL driver (v4)")
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: <stable@vger.kernel.org> # v3.4+
+Link: https://patch.msgid.link/20260424124427.657-1-oushixiong1025@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/udl/udl_main.c | 3 +--
+ drivers/gpu/drm/udl/udl_modeset.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/udl/udl_main.c
++++ b/drivers/gpu/drm/udl/udl_main.c
+@@ -285,13 +285,12 @@ static struct urb *udl_get_urb_locked(st
+ return unode->urb;
+ }
+
+-#define GET_URB_TIMEOUT HZ
+ struct urb *udl_get_urb(struct udl_device *udl)
+ {
+ struct urb *urb;
+
+ spin_lock_irq(&udl->urbs.lock);
+- urb = udl_get_urb_locked(udl, GET_URB_TIMEOUT);
++ urb = udl_get_urb_locked(udl, HZ * 2);
+ spin_unlock_irq(&udl->urbs.lock);
+ return urb;
+ }
+--- a/drivers/gpu/drm/udl/udl_modeset.c
++++ b/drivers/gpu/drm/udl/udl_modeset.c
+@@ -21,6 +21,7 @@
+ #include <drm/drm_gem_framebuffer_helper.h>
+ #include <drm/drm_gem_shmem_helper.h>
+ #include <drm/drm_modeset_helper_vtables.h>
++#include <drm/drm_print.h>
+ #include <drm/drm_probe_helper.h>
+ #include <drm/drm_vblank.h>
+
+@@ -342,8 +343,10 @@ static void udl_crtc_helper_atomic_enabl
+ return;
+
+ urb = udl_get_urb(udl);
+- if (!urb)
++ if (!urb) {
++ drm_err_ratelimited(dev, "get urb failed when enabling crtc\n");
+ goto out;
++ }
+
+ buf = (char *)urb->transfer_buffer;
+ buf = udl_vidreg_lock(buf);
--- /dev/null
+From 1d0adf2fd94fb0c0037c643fadd8f2cf3cffc009 Mon Sep 17 00:00:00 2001
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+Date: Wed, 8 Apr 2026 17:52:53 +0000
+Subject: drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked()
+
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+
+commit 1d0adf2fd94fb0c0037c643fadd8f2cf3cffc009 upstream.
+
+When XE_BO_FLAG_GGTT_ALL is set without XE_BO_FLAG_GGTT, the function
+returns an error without freeing a caller-provided bo, violating the
+documented contract that bo is freed on failure.
+
+Add xe_bo_free(bo) before returning the error.
+
+Fixes: 5a3b0df25d6a ("drm/xe: Allow bo mapping on multiple ggtts")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4.6
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patch.msgid.link/20260408175255.3402838-3-shuicheng.lin@intel.com
+Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
+(cherry picked from commit 3fbd6cf43cac7b60757f3ce3d95195d3843a902c)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_bo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/xe/xe_bo.c
++++ b/drivers/gpu/drm/xe/xe_bo.c
+@@ -2112,8 +2112,10 @@ struct xe_bo *xe_bo_init_locked(struct x
+ }
+
+ /* XE_BO_FLAG_GGTTx requires XE_BO_FLAG_GGTT also be set */
+- if ((flags & XE_BO_FLAG_GGTT_ALL) && !(flags & XE_BO_FLAG_GGTT))
++ if ((flags & XE_BO_FLAG_GGTT_ALL) && !(flags & XE_BO_FLAG_GGTT)) {
++ xe_bo_free(bo);
+ return ERR_PTR(-EINVAL);
++ }
+
+ if (flags & (XE_BO_FLAG_VRAM_MASK | XE_BO_FLAG_STOLEN) &&
+ !(flags & XE_BO_FLAG_IGNORE_MIN_PAGE_SIZE) &&
--- /dev/null
+From 09a8f3c1c11977a6e10c167f26dd298790b31c32 Mon Sep 17 00:00:00 2001
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+Date: Wed, 8 Apr 2026 17:52:52 +0000
+Subject: drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked()
+
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+
+commit 09a8f3c1c11977a6e10c167f26dd298790b31c32 upstream.
+
+When type is ttm_bo_type_device and aligned_size != size, the function
+returns an error without freeing a caller-provided bo, violating the
+documented contract that bo is freed on failure.
+
+Add xe_bo_free(bo) before returning the error.
+
+Fixes: 4e03b584143e ("drm/xe/uapi: Reject bo creation of unaligned size")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4.6
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patch.msgid.link/20260408175255.3402838-2-shuicheng.lin@intel.com
+Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
+(cherry picked from commit 601c2aa087b6f21014300a3f107a08ee4dde7bdf)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_bo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/xe/xe_bo.c
++++ b/drivers/gpu/drm/xe/xe_bo.c
+@@ -2134,8 +2134,10 @@ struct xe_bo *xe_bo_init_locked(struct x
+ alignment = SZ_4K >> PAGE_SHIFT;
+ }
+
+- if (type == ttm_bo_type_device && aligned_size != size)
++ if (type == ttm_bo_type_device && aligned_size != size) {
++ xe_bo_free(bo);
+ return ERR_PTR(-EINVAL);
++ }
+
+ if (!bo) {
+ bo = xe_bo_alloc();
--- /dev/null
+From 93a528f67ce5095bcab46a69839eca97f43dd352 Mon Sep 17 00:00:00 2001
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+Date: Wed, 8 Apr 2026 17:52:54 +0000
+Subject: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure
+
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+
+commit 93a528f67ce5095bcab46a69839eca97f43dd352 upstream.
+
+When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo
+is not freed. Add xe_bo_free(storage) before returning the error.
+
+xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on
+error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own
+error paths. Otherwise, since xe_gem_prime_import() cannot distinguish
+whether the failure originated from xe_dma_buf_init_obj() or from
+xe_bo_init_locked(), it cannot safely decide whether the bo should be
+freed.
+
+Add comments documenting the ownership semantics: on success, ownership
+of storage is transferred to the returned drm_gem_object; on failure,
+storage is freed before returning.
+
+v2: Add comments to explain the free logic.
+
+Fixes: eb289a5f6cc6 ("drm/xe: Convert xe_dma_buf.c for exhaustive eviction")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4.6
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patch.msgid.link/20260408175255.3402838-4-shuicheng.lin@intel.com
+Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
+(cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_dma_buf.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/xe/xe_dma_buf.c
++++ b/drivers/gpu/drm/xe/xe_dma_buf.c
+@@ -227,6 +227,13 @@ struct dma_buf *xe_gem_prime_export(stru
+ return buf;
+ }
+
++/*
++ * Takes ownership of @storage: on success it is transferred to the returned
++ * drm_gem_object; on failure it is freed before returning the error.
++ * This matches the contract of xe_bo_init_locked() which frees @storage on
++ * its error paths, so callers need not (and must not) free @storage after
++ * this call.
++ */
+ static struct drm_gem_object *
+ xe_dma_buf_init_obj(struct drm_device *dev, struct xe_bo *storage,
+ struct dma_buf *dma_buf)
+@@ -240,8 +247,10 @@ xe_dma_buf_init_obj(struct drm_device *d
+ int ret = 0;
+
+ dummy_obj = drm_gpuvm_resv_object_alloc(&xe->drm);
+- if (!dummy_obj)
++ if (!dummy_obj) {
++ xe_bo_free(storage);
+ return ERR_PTR(-ENOMEM);
++ }
+
+ dummy_obj->resv = resv;
+ xe_validation_guard(&ctx, &xe->val, &exec, (struct xe_val_flags) {}, ret) {
+@@ -250,6 +259,7 @@ xe_dma_buf_init_obj(struct drm_device *d
+ if (ret)
+ break;
+
++ /* xe_bo_init_locked() frees storage on error */
+ bo = xe_bo_init_locked(xe, storage, NULL, resv, NULL, dma_buf->size,
+ 0, /* Will require 1way or 2way for vm_bind */
+ ttm_bo_type_sg, XE_BO_FLAG_SYSTEM, &exec);
--- /dev/null
+From 111ab678471bf1f90d078d5513bb086b70596c3c Mon Sep 17 00:00:00 2001
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+Date: Wed, 8 Apr 2026 17:52:55 +0000
+Subject: drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
+
+From: Shuicheng Lin <shuicheng.lin@intel.com>
+
+commit 111ab678471bf1f90d078d5513bb086b70596c3c upstream.
+
+When xe_dma_buf_init_obj() fails, the attachment from
+dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before
+returning the error. Note: we cannot use goto out_err here because
+xe_dma_buf_init_obj() already frees bo on failure, and out_err would
+double-free it.
+
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4.6
+Reviewed-by: Mattheq Brost <matthew.brost@intel.com>
+Link: https://patch.msgid.link/20260408175255.3402838-5-shuicheng.lin@intel.com
+Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
+(cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_dma_buf.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_dma_buf.c
++++ b/drivers/gpu/drm/xe/xe_dma_buf.c
+@@ -347,12 +347,15 @@ struct drm_gem_object *xe_gem_prime_impo
+ goto out_err;
+ }
+
+- /* Errors here will take care of freeing the bo. */
++ /*
++ * xe_dma_buf_init_obj() takes ownership of bo on both success
++ * and failure, so we must not touch bo after this call.
++ */
+ obj = xe_dma_buf_init_obj(dev, bo, dma_buf);
+- if (IS_ERR(obj))
++ if (IS_ERR(obj)) {
++ dma_buf_detach(dma_buf, attach);
+ return obj;
+-
+-
++ }
+ get_dma_buf(dma_buf);
+ obj->import_attach = attach;
+ return obj;
--- /dev/null
+From 4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39 Mon Sep 17 00:00:00 2001
+From: Jia Yao <jia.yao@intel.com>
+Date: Fri, 17 Apr 2026 05:59:16 +0000
+Subject: drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jia Yao <jia.yao@intel.com>
+
+commit 4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39 upstream.
+
+Add validation in xe_vm_madvise_ioctl() to reject PAT indices with
+XE_COH_NONE coherency mode when applied to CPU cached memory.
+
+Using coh_none with CPU cached buffers is a security issue. When the
+kernel clears pages before reallocation, the clear operation stays in
+CPU cache (dirty). GPU with coh_none can bypass CPU caches and read
+stale sensitive data directly from DRAM, potentially leaking data from
+previously freed pages of other processes.
+
+This aligns with the existing validation in vm_bind path
+(xe_vm_bind_ioctl_validate_bo).
+
+v2(Matthew brost)
+- Add fixes
+- Move one debug print to better place
+
+v3(Matthew Auld)
+- Should be drm/xe/uapi
+- More Cc
+
+v4(Shuicheng Lin)
+- Fix kmem leak issues by the way
+
+v5
+- Remove kmem leak because it has been merged by another patch
+
+v6
+- Remove the fix which is not related to current fix
+
+v7
+- No change
+
+v8
+- Rebase
+
+v9
+- Limit the restrictions to iGPU
+
+v10
+- No change
+
+Fixes: ada7486c5668 ("drm/xe: Implement madvise ioctl for xe")
+Cc: <stable@vger.kernel.org> # v6.18+
+Cc: Shuicheng Lin <shuicheng.lin@intel.com>
+Cc: Mathew Alwin <alwin.mathew@intel.com>
+Cc: Michal Mrozek <michal.mrozek@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Signed-off-by: Jia Yao <jia.yao@intel.com>
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Acked-by: Michal Mrozek <michal.mrozek@intel.com>
+Acked-by: José Roberto de Souza <jose.souza@intel.com>
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patch.msgid.link/20260417055917.2027459-2-jia.yao@intel.com
+(cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_vm_madvise.c | 47 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+--- a/drivers/gpu/drm/xe/xe_vm_madvise.c
++++ b/drivers/gpu/drm/xe/xe_vm_madvise.c
+@@ -299,6 +299,45 @@ static bool madvise_args_are_sane(struct
+ return true;
+ }
+
++static bool check_pat_args_are_sane(struct xe_device *xe,
++ struct xe_vmas_in_madvise_range *madvise_range,
++ u16 pat_index)
++{
++ u16 coh_mode = xe_pat_index_get_coh_mode(xe, pat_index);
++ int i;
++
++ /*
++ * Using coh_none with CPU cached buffers is not allowed on iGPU.
++ * On iGPU the GPU shares the LLC with the CPU, so with coh_none
++ * the GPU bypasses CPU caches and reads directly from DRAM,
++ * potentially seeing stale sensitive data from previously freed
++ * pages. On dGPU this restriction does not apply, because the
++ * platform does not provide a non-coherent system memory access
++ * path that would violate the DMA coherency contract.
++ */
++ if (coh_mode != XE_COH_NONE || IS_DGFX(xe))
++ return true;
++
++ for (i = 0; i < madvise_range->num_vmas; i++) {
++ struct xe_vma *vma = madvise_range->vmas[i];
++ struct xe_bo *bo = xe_vma_bo(vma);
++
++ if (bo) {
++ /* BO with WB caching + COH_NONE is not allowed */
++ if (XE_IOCTL_DBG(xe, bo->cpu_caching == DRM_XE_GEM_CPU_CACHING_WB))
++ return false;
++ /* Imported dma-buf without caching info, assume cached */
++ if (XE_IOCTL_DBG(xe, !bo->cpu_caching))
++ return false;
++ } else if (XE_IOCTL_DBG(xe, xe_vma_is_cpu_addr_mirror(vma) ||
++ xe_vma_is_userptr(vma)))
++ /* System memory (userptr/SVM) is always CPU cached */
++ return false;
++ }
++
++ return true;
++}
++
+ static bool check_bo_args_are_sane(struct xe_vm *vm, struct xe_vma **vmas,
+ int num_vmas, u32 atomic_val)
+ {
+@@ -384,6 +423,14 @@ int xe_vm_madvise_ioctl(struct drm_devic
+ if (err || !madvise_range.num_vmas)
+ goto unlock_vm;
+
++ if (args->type == DRM_XE_MEM_RANGE_ATTR_PAT) {
++ if (!check_pat_args_are_sane(xe, &madvise_range,
++ args->pat_index.val)) {
++ err = -EINVAL;
++ goto free_vmas;
++ }
++ }
++
+ if (madvise_range.has_bo_vmas) {
+ if (args->type == DRM_XE_MEM_RANGE_ATTR_ATOMIC) {
+ if (!check_bo_args_are_sane(vm, madvise_range.vmas,
--- /dev/null
+From 6ae315d37924435516d697ea7dde0b799a5928e0 Mon Sep 17 00:00:00 2001
+From: Andrea Righi <arighi@nvidia.com>
+Date: Wed, 13 May 2026 13:24:38 +0200
+Subject: sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation
+
+From: Andrea Righi <arighi@nvidia.com>
+
+commit 6ae315d37924435516d697ea7dde0b799a5928e0 upstream.
+
+scx_enable() refuses to attach a BPF scheduler when isolcpus=domain is
+in effect by comparing housekeeping_cpumask(HK_TYPE_DOMAIN) against
+cpu_possible_mask.
+
+Since commit 27c3a5967f05 ("sched/isolation: Convert housekeeping
+cpumasks to rcu pointers"), HK_TYPE_DOMAIN's cpumask is RCU protected
+and dereferencing it requires either RCU read lock, the cpu_hotplug
+write lock, or the cpuset lock; scx_enable() holds none of these, so
+booting with isolcpus=domain and attaching any BPF scheduler triggers
+the following lockdep splat:
+
+ =============================
+ WARNING: suspicious RCU usage
+ -----------------------------
+ kernel/sched/isolation.c:60 suspicious rcu_dereference_check() usage!
+
+ 1 lock held by scx_flash/281:
+ #0: ffffffff8379fce0 (update_mutex){+.+.}-{4:4}, at:
+ bpf_struct_ops_link_create+0x134/0x1c0
+
+ Call Trace:
+ dump_stack_lvl+0x6f/0xb0
+ lockdep_rcu_suspicious.cold+0x37/0x70
+ housekeeping_cpumask+0xcd/0xe0
+ scx_enable.isra.0+0x17/0x120
+ bpf_scx_reg+0x5e/0x80
+ bpf_struct_ops_link_create+0x151/0x1c0
+ __sys_bpf+0x1e4b/0x33c0
+ __x64_sys_bpf+0x21/0x30
+ do_syscall_64+0x117/0xf80
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+In addition, commit 03ff73510169 ("cpuset: Update HK_TYPE_DOMAIN cpumask
+from cpuset") made HK_TYPE_DOMAIN include cpuset isolated partitions as
+well, which means the current check also rejects BPF schedulers when a
+cpuset partition is active. That contradicts the original intent of
+commit 9f391f94a173 ("sched_ext: Disallow loading BPF scheduler if
+isolcpus= domain isolation is in effect"), which explicitly noted that
+cpuset partitions are honored through per-task cpumasks and should not
+be rejected.
+
+Switch to housekeeping_enabled(HK_TYPE_DOMAIN_BOOT), which reads only
+the housekeeping flag bit (no RCU dereference) and reflects exactly the
+boot-time isolcpus= configuration that the error message refers to.
+
+Fixes: 27c3a5967f05 ("sched/isolation: Convert housekeeping cpumasks to rcu pointers")
+Cc: stable@vger.kernel.org # v7.0+
+Signed-off-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Acked-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -4906,8 +4906,7 @@ static int scx_enable(struct sched_ext_o
+ static DEFINE_MUTEX(helper_mutex);
+ struct scx_enable_cmd cmd;
+
+- if (!cpumask_equal(housekeeping_cpumask(HK_TYPE_DOMAIN),
+- cpu_possible_mask)) {
++ if (housekeeping_enabled(HK_TYPE_DOMAIN_BOOT)) {
+ pr_err("sched_ext: Not compatible with \"isolcpus=\" domain isolation\n");
+ return -EINVAL;
+ }
--- /dev/null
+From abb5f36771cc4c05899b34000829a787572a8817 Mon Sep 17 00:00:00 2001
+From: Ben Morris <bmorris@anthropic.com>
+Date: Thu, 7 May 2026 17:14:55 -0700
+Subject: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
+
+From: Ben Morris <bmorris@anthropic.com>
+
+commit abb5f36771cc4c05899b34000829a787572a8817 upstream.
+
+The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
+list_for_each_entry_safe(), which caches the next entry in @tmp before
+the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
+drop the socket lock inside sctp_wait_for_sndbuf().
+
+While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
+association cached in @tmp, migrating it to a new endpoint via
+sctp_sock_migrate() (list_del_init() + list_add_tail() to
+newep->asocs), and optionally close the new socket which frees the
+association via kfree_rcu(). The cached @tmp can also be freed by a
+network ABORT for that association, processed in softirq while the
+lock is dropped.
+
+sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
+via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
+revalidates @tmp. After a successful return, the iterator advances to
+the stale @tmp, yielding either a use-after-free (if the peeled socket
+was closed) or a list-walk onto the new endpoint's list head (type
+confusion of &newep->asocs as a struct sctp_association *).
+
+Both are reachable from CapEff=0; the type-confusion path gives
+controlled indirect call via the outqueue.sched->init_sid pointer.
+
+Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
+returns. @asoc is known to still be on ep->asocs at that point: the
+only callers that list_del an association from ep->asocs are
+sctp_association_free() (which sets asoc->base.dead) and
+sctp_assoc_migrate() (which changes asoc->base.sk), and
+sctp_wait_for_sndbuf() checks both under the lock before any
+successful return; a tripped check propagates as err < 0 and the loop
+bails before the re-derive.
+
+The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
+loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
+the @tmp cached by list_for_each_entry_safe() still covers the
+lock-held free that ba59fb027307 ("sctp: walk the list of asoc
+safely") was added for.
+
+Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Morris <bmorris@anthropic.com>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1985,6 +1985,15 @@ static int sctp_sendmsg(struct sock *sk,
+ goto out_unlock;
+
+ iov_iter_revert(&msg->msg_iter, err);
++
++ /* sctp_sendmsg_to_asoc() may have released the socket
++ * lock (sctp_wait_for_sndbuf), during which other
++ * associations on ep->asocs could have been peeled
++ * off or freed. @asoc itself is revalidated by the
++ * base.dead and base.sk checks in sctp_wait_for_sndbuf,
++ * so re-derive the cached cursor from it.
++ */
++ tmp = list_next_entry(asoc, asocs);
+ }
+
+ goto out_unlock;
spi-pic32-fix-controller-deregistration.patch
spi-mtk-nor-fix-controller-deregistration.patch
spi-pl022-fix-controller-deregistration.patch
+spi-ch341-fix-devres-lifetime.patch
+spi-sh-hspi-fix-controller-deregistration.patch
+spi-fsl-fix-controller-deregistration.patch
+spi-bcmbca-hsspi-fix-controller-deregistration.patch
+spi-coldfire-qspi-fix-controller-deregistration.patch
+spi-npcm-pspi-fix-controller-deregistration.patch
+spi-cavium-thunderx-fix-controller-deregistration.patch
+spi-pic32-sqi-fix-controller-deregistration.patch
+spi-sprd-fix-controller-deregistration.patch
+spi-rspi-fix-controller-deregistration.patch
+spi-sh-msiof-fix-controller-deregistration.patch
+spi-slave-mt27xx-fix-controller-deregistration.patch
+spi-img-spfi-fix-controller-deregistration.patch
+spi-mpfs-fix-controller-deregistration.patch
+spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch
+spi-mxic-fix-controller-deregistration.patch
+spi-orion-fix-controller-deregistration.patch
+spi-orion-fix-runtime-pm-leak-on-unbind.patch
+spi-orion-fix-clock-imbalance-on-registration-failure.patch
+spi-mpc52xx-fix-use-after-free-on-registration-failure.patch
+spi-mpc52xx-fix-controller-deregistration.patch
+spi-mpc52xx-fix-use-after-free-on-unbind.patch
+spi-cadence-fix-controller-deregistration.patch
+spi-cadence-fix-unclocked-access-on-unbind.patch
+spi-cadence-fix-clock-imbalance-on-probe-failure.patch
+drm-msm-gem-fix-error-handling-in-msm_ioctl_gem_info_get_metadata.patch
+drm-imx-parallel-display-prefer-bus-format-set-via-legacy-interface-pix-fmt-dt-property.patch
+drm-msm-always-recover-the-gpu.patch
+drm-i915-psr-init-variable-to-avoid-early-exit-from-et-alignment-loop.patch
+drm-amdkfd-clear-vram-on-allocation-to-prevent-stale-data-exposure.patch
+drm-amdgpu-use-smuio-15.0.0-offsets-for-tsc-upper-and-lower-count.patch
+drm-amdgpu-gate-vm-cpu-hdp-flush-on-reset-lock.patch
+drm-amd-pm-fix-incorrect-featurectrlmask-setting-on-smu-v14.0.x.patch
+drm-amdkfd-add-upper-bound-check-for-num_of_nodes.patch
+drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch
+drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-ib.patch
+drm-amdgpu-vce-prevent-partial-address-patches.patch
+drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch
+drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch
+drm-amd-display-change-dither-policy-for-10-bpc-output-back-to-dithering.patch
+drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch
+drm-appletbdrm-use-kvzalloc-for-big-allocations.patch
+drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch
+drm-udl-increase-get_urb_timeout.patch
+drm-xe-fix-bo-leak-in-xe_dma_buf_init_obj-on-allocation-failure.patch
+drm-xe-bo-fix-bo-leak-on-ggtt-flag-validation-in-xe_bo_init_locked.patch
+drm-xe-fix-dma-buf-attachment-leak-in-xe_gem_prime_import.patch
+drm-xe-bo-fix-bo-leak-on-unaligned-size-validation-in-xe_bo_init_locked.patch
+drm-xe-uapi-reject-coh_none-pat-index-for-cpu-cached-memory-in-madvise.patch
+drm-set-old-handle-to-null-before-prime-swap-in-change_handle.patch
+drm-radeon-add-missing-revision-check-for-ci.patch
+drm-amdgpu-zero-initialize-gart-table-on-allocation.patch
+drm-exynos-remove-bridge-when-component_add-fails.patch
+drm-panel-himax-hx83102-restore-mode_lpm-after-sending-disable-cmds.patch
+drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch
+drm-bridge-tda998x-use-__be32-for-audio-port-of-property-pointer.patch
+drm-panel-boe-tv101wum-nl6-restore-mode_lpm-after-sending-disable-cmds.patch
+drm-amdkfd-make-all-tlb-flushes-heavy-weight.patch
+drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch
+drm-amdgpu-pm-add-missing-revision-check-for-ci.patch
+drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch
+arm64-dts-qcom-lemans-correct-qup-interrupt-numbers.patch
+arm64-dts-ti-k3-am62a7-sk-fix-pin-name-in-comment-from-m19-to-n22.patch
+sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch
+batman-adv-fix-integer-overflow-on-buff_pos.patch
+batman-adv-reject-new-tp_meter-sessions-during-teardown.patch
+batman-adv-stop-tp_meter-sessions-during-mesh-teardown.patch
+batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch
+batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch
+batman-adv-bla-only-purge-non-released-claims.patch
+batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch
+sched_ext-use-hk_type_domain_boot-to-detect-isolcpus-domain-isolation.patch
--- /dev/null
+From c3d97c3320b9a1ebbd6119857341be034f7b3efc Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Apr 2026 14:04:06 +0200
+Subject: spi: bcmbca-hsspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c3d97c3320b9a1ebbd6119857341be034f7b3efc upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like interrupts during driver unbind to allow SPI drivers to
+do I/O during deregistration.
+
+Note that clocks were also disabled before the recent commit
+e532e21a246d ("spi: bcm63xx-hsspi: Simplify clock handling with
+devm_clk_get_enabled()").
+
+Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller")
+Cc: stable@vger.kernel.org # 6.3: deb269e0394f
+Cc: stable@vger.kernel.org # 6.3
+Cc: William Zhang <william.zhang@broadcom.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260409120419.388546-8-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcmbca-hsspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-bcmbca-hsspi.c
++++ b/drivers/spi/spi-bcmbca-hsspi.c
+@@ -550,7 +550,7 @@ static int bcmbca_hsspi_probe(struct pla
+ }
+
+ /* register and we are done */
+- ret = devm_spi_register_controller(dev, host);
++ ret = spi_register_controller(host);
+ if (ret)
+ goto out_sysgroup_disable;
+
+@@ -572,6 +572,8 @@ static void bcmbca_hsspi_remove(struct p
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct bcmbca_hsspi *bs = spi_controller_get_devdata(host);
+
++ spi_unregister_controller(host);
++
+ /* reset the hardware and block queue progress */
+ __raw_writel(0, bs->regs + HSSPI_INT_MASK_REG);
+ clk_disable_unprepare(bs->pll_clk);
--- /dev/null
+From ecea4f0e9db2fb6ab4a68a59c5aba0d8f59a9566 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 14:36:13 +0200
+Subject: spi: cadence: fix clock imbalance on probe failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ecea4f0e9db2fb6ab4a68a59c5aba0d8f59a9566 upstream.
+
+Make sure that the controller is active before disabling clocks on probe
+failure to avoid unbalanced clock disable.
+
+Also drop the usage count before returning (so that the controller can
+be suspended after a probe deferral) and restore the autosuspend
+setting.
+
+Fixes: d36ccd9f7ea4 ("spi: cadence: Runtime pm adaptation")
+Cc: stable@vger.kernel.org # 4.7
+Cc: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421123615.1533617-3-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -662,7 +662,6 @@ static int cdns_spi_probe(struct platfor
+ /* Set to default valid value */
+ ctlr->max_speed_hz = xspi->clk_rate / 4;
+ xspi->speed_hz = ctlr->max_speed_hz;
+- pm_runtime_put_autosuspend(&pdev->dev);
+ } else {
+ ctlr->mode_bits |= SPI_NO_CS;
+ ctlr->target_abort = cdns_target_abort;
+@@ -673,12 +672,17 @@ static int cdns_spi_probe(struct platfor
+ goto clk_dis_all;
+ }
+
++ if (!spi_controller_is_target(ctlr))
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ return ret;
+
+ clk_dis_all:
+ if (!spi_controller_is_target(ctlr)) {
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ }
+ remove_ctlr:
+ spi_controller_put(ctlr);
--- /dev/null
+From 666fa7e9ca98e71c880086ca24147ae843f1ed6e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:12 +0200
+Subject: spi: cadence: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 666fa7e9ca98e71c880086ca24147ae843f1ed6e upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: c474b3866546 ("spi: Add driver for Cadence SPI controller")
+Cc: stable@vger.kernel.org # 3.16
+Cc: Harini Katakam <harinik@xilinx.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -698,6 +698,10 @@ static void cdns_spi_remove(struct platf
+ struct spi_controller *ctlr = platform_get_drvdata(pdev);
+ struct cdns_spi *xspi = spi_controller_get_devdata(ctlr);
+
++ spi_controller_get(ctlr);
++
++ spi_unregister_controller(ctlr);
++
+ cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
+
+ if (!spi_controller_is_target(ctlr)) {
+@@ -705,7 +709,7 @@ static void cdns_spi_remove(struct platf
+ pm_runtime_set_suspended(&pdev->dev);
+ }
+
+- spi_unregister_controller(ctlr);
++ spi_controller_put(ctlr);
+ }
+
+ /**
--- /dev/null
+From 5b1689a41f02955c5361944f748a4812a6ff9307 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 14:36:12 +0200
+Subject: spi: cadence: fix unclocked access on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5b1689a41f02955c5361944f748a4812a6ff9307 upstream.
+
+Make sure that the controller is runtime resumed before disabling it
+during driver unbind to avoid unclocked register access and unbalanced
+clock disable.
+
+Also restore the autosuspend setting.
+
+This issue was flagged by Sashiko when reviewing a controller
+deregistration fix.
+
+Fixes: d36ccd9f7ea4 ("spi: cadence: Runtime pm adaptation")
+Cc: stable@vger.kernel.org # 4.7
+Cc: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=1
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421123615.1533617-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -697,16 +697,23 @@ static void cdns_spi_remove(struct platf
+ {
+ struct spi_controller *ctlr = platform_get_drvdata(pdev);
+ struct cdns_spi *xspi = spi_controller_get_devdata(ctlr);
++ int ret = 0;
++
++ if (!spi_controller_is_target(ctlr))
++ ret = pm_runtime_get_sync(&pdev->dev);
+
+ spi_controller_get(ctlr);
+
+ spi_unregister_controller(ctlr);
+
+- cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
++ if (ret >= 0)
++ cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
+
+ if (!spi_controller_is_target(ctlr)) {
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ }
+
+ spi_controller_put(ctlr);
--- /dev/null
+From dbb6b01267c0c866eaac4019cec19f414beec61d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Apr 2026 14:04:08 +0200
+Subject: spi: cavium-thunderx: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit dbb6b01267c0c866eaac4019cec19f414beec61d upstream.
+
+Make sure to deregister the controller before disabling it to avoid
+hanging or leaking resources associated with the queue when the queue
+non-empty.
+
+Fixes: 7347a6c7af8d ("spi: octeon: Add ThunderX driver")
+Cc: stable@vger.kernel.org # 4.9
+Cc: Jan Glauber <jan.glauber@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260409120419.388546-10-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cavium-thunderx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-cavium-thunderx.c
++++ b/drivers/spi/spi-cavium-thunderx.c
+@@ -71,7 +71,7 @@ static int thunderx_spi_probe(struct pci
+
+ pci_set_drvdata(pdev, host);
+
+- ret = devm_spi_register_controller(dev, host);
++ ret = spi_register_controller(host);
+ if (ret)
+ goto error;
+
+@@ -91,8 +91,14 @@ static void thunderx_spi_remove(struct p
+ if (!p)
+ return;
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ /* Put everything in a known state. */
+ writeq(0, p->register_base + OCTEON_SPI_CFG(p));
++
++ spi_controller_put(host);
+ }
+
+ static const struct pci_device_id thunderx_spi_pci_id_table[] = {
--- /dev/null
+From abe572f630bc1f0e77041012ab075869036ede4f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 27 Mar 2026 11:43:05 +0100
+Subject: spi: ch341: fix devres lifetime
+
+From: Johan Hovold <johan@kernel.org>
+
+commit abe572f630bc1f0e77041012ab075869036ede4f upstream.
+
+USB drivers bind to USB interfaces and any device managed resources
+should have their lifetime tied to the interface rather than parent USB
+device. This avoids issues like memory leaks when drivers are unbound
+without their devices being physically disconnected (e.g. on probe
+deferral or configuration changes).
+
+Fix the controller and driver data lifetime so that they are released
+on driver unbind.
+
+Note that this also makes sure that the SPI controller is placed
+correctly under the USB interface in the device tree.
+
+Fixes: 8846739f52af ("spi: add ch341a usb2spi driver")
+Cc: stable@vger.kernel.org # 6.11
+Cc: Johannes Thumshirn <jth@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260327104305.1309915-3-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-ch341.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-ch341.c
++++ b/drivers/spi/spi-ch341.c
+@@ -152,7 +152,7 @@ static int ch341_probe(struct usb_interf
+ if (ret)
+ return ret;
+
+- ctrl = devm_spi_alloc_host(&udev->dev, sizeof(struct ch341_spi_dev));
++ ctrl = devm_spi_alloc_host(&intf->dev, sizeof(struct ch341_spi_dev));
+ if (!ctrl)
+ return -ENOMEM;
+
+@@ -163,7 +163,7 @@ static int ch341_probe(struct usb_interf
+ ch341->read_pipe = usb_rcvbulkpipe(udev, usb_endpoint_num(in));
+
+ ch341->rx_len = usb_endpoint_maxp(in);
+- ch341->rx_buf = devm_kzalloc(&udev->dev, ch341->rx_len, GFP_KERNEL);
++ ch341->rx_buf = devm_kzalloc(&intf->dev, ch341->rx_len, GFP_KERNEL);
+ if (!ch341->rx_buf)
+ return -ENOMEM;
+
+@@ -171,8 +171,7 @@ static int ch341_probe(struct usb_interf
+ if (!ch341->rx_urb)
+ return -ENOMEM;
+
+- ch341->tx_buf =
+- devm_kzalloc(&udev->dev, CH341_PACKET_LENGTH, GFP_KERNEL);
++ ch341->tx_buf = devm_kzalloc(&intf->dev, CH341_PACKET_LENGTH, GFP_KERNEL);
+ if (!ch341->tx_buf) {
+ ret = -ENOMEM;
+ goto err_free_urb;
--- /dev/null
+From e7c510e192ff2a1264d999575eea39a506424264 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Apr 2026 14:04:09 +0200
+Subject: spi: coldfire-qspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e7c510e192ff2a1264d999575eea39a506424264 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks (via runtime pm) during driver unbind.
+
+Fixes: 34b8c6617366 ("spi: Add Freescale/Motorola Coldfire QSPI driver")
+Cc: stable@vger.kernel.org # 2.6.34
+Cc: Steven King <sfking@fdwdc.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260409120419.388546-11-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-coldfire-qspi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-coldfire-qspi.c
++++ b/drivers/spi/spi-coldfire-qspi.c
+@@ -410,9 +410,9 @@ static int mcfqspi_probe(struct platform
+ platform_set_drvdata(pdev, host);
+ pm_runtime_enable(&pdev->dev);
+
+- status = devm_spi_register_controller(&pdev->dev, host);
++ status = spi_register_controller(host);
+ if (status) {
+- dev_dbg(&pdev->dev, "devm_spi_register_controller failed\n");
++ dev_dbg(&pdev->dev, "failed to register controller\n");
+ goto fail1;
+ }
+
+@@ -436,11 +436,17 @@ static void mcfqspi_remove(struct platfo
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct mcfqspi *mcfqspi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ pm_runtime_disable(&pdev->dev);
+ /* disable the hardware (set the baud rate to 0) */
+ mcfqspi_wr_qmr(mcfqspi, MCFQSPI_QMR_MSTR);
+
+ mcfqspi_cs_teardown(mcfqspi);
++
++ spi_controller_put(host);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
--- /dev/null
+From 9b7abfed4c3754062d1f3ffd452e65a38667f586 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 08:47:49 +0200
+Subject: spi: fsl: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9b7abfed4c3754062d1f3ffd452e65a38667f586 upstream.
+
+Make sure to deregister the controller before releasing underlying
+resources like DMA during driver unbind.
+
+Fixes: 4178b6b1b595 ("spi: fsl-(e)spi: migrate to using devm_ functions to simplify cleanup")
+Cc: stable@vger.kernel.org # 4.3
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410064749.496888-1-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsl-spi.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -614,7 +614,7 @@ static struct spi_controller *fsl_spi_pr
+
+ mpc8xxx_spi_write_reg(®_base->mode, regval);
+
+- ret = devm_spi_register_controller(dev, host);
++ ret = spi_register_controller(host);
+ if (ret < 0)
+ goto err_probe;
+
+@@ -705,7 +705,13 @@ static void of_fsl_spi_remove(struct pla
+ struct spi_controller *host = platform_get_drvdata(ofdev);
+ struct mpc8xxx_spi *mpc8xxx_spi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ fsl_spi_cpm_free(mpc8xxx_spi);
++
++ spi_controller_put(host);
+ }
+
+ static struct platform_driver of_fsl_spi_driver = {
+@@ -751,7 +757,13 @@ static void plat_mpc8xxx_spi_remove(stru
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct mpc8xxx_spi *mpc8xxx_spi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ fsl_spi_cpm_free(mpc8xxx_spi);
++
++ spi_controller_put(host);
+ }
+
+ MODULE_ALIAS("platform:mpc8xxx_spi");
--- /dev/null
+From fc3a83b0d9c16b941c9028f5a8db9541dce4ddf2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Apr 2026 14:04:14 +0200
+Subject: spi: img-spfi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit fc3a83b0d9c16b941c9028f5a8db9541dce4ddf2 upstream.
+
+Make sure to deregister the controller before disabling and releasing
+underlying resources like clocks and DMA during driver unbind.
+
+Fixes: deba25800a12 ("spi: Add driver for IMG SPFI controller")
+Cc: stable@vger.kernel.org # 3.19
+Cc: Andrew Bresticker <abrestic@chromium.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260409120419.388546-16-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-img-spfi.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-img-spfi.c
++++ b/drivers/spi/spi-img-spfi.c
+@@ -644,7 +644,7 @@ static int img_spfi_probe(struct platfor
+ pm_runtime_set_active(spfi->dev);
+ pm_runtime_enable(spfi->dev);
+
+- ret = devm_spi_register_controller(spfi->dev, host);
++ ret = spi_register_controller(host);
+ if (ret)
+ goto disable_pm;
+
+@@ -670,6 +670,10 @@ static void img_spfi_remove(struct platf
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct img_spfi *spfi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ if (spfi->tx_ch)
+ dma_release_channel(spfi->tx_ch);
+ if (spfi->rx_ch)
+@@ -680,6 +684,8 @@ static void img_spfi_remove(struct platf
+ clk_disable_unprepare(spfi->spfi_clk);
+ clk_disable_unprepare(spfi->sys_clk);
+ }
++
++ spi_controller_put(host);
+ }
+
+ #ifdef CONFIG_PM
--- /dev/null
+From a1d50a37d3b1df84f536a982f692371039df4a48 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 14:56:32 +0200
+Subject: spi: imx: fix runtime pm leak on probe deferral
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a1d50a37d3b1df84f536a982f692371039df4a48 upstream.
+
+Make sure to balance the runtime PM usage count before returning on
+probe failure (e.g. probe deferral) so that the controller can be
+suspended when a driver is later bound.
+
+Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM")
+Cc: stable@vger.kernel.org # 5.10
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421125632.1537235-1-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-imx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1948,6 +1948,7 @@ out_register_controller:
+ out_runtime_pm_put:
+ pm_runtime_dont_use_autosuspend(spi_imx->dev);
+ pm_runtime_disable(spi_imx->dev);
++ pm_runtime_put_noidle(spi_imx->dev);
+ pm_runtime_set_suspended(&pdev->dev);
+
+ clk_disable_unprepare(spi_imx->clk_ipg);
--- /dev/null
+From 0f997fdae819a8c2cc83bd4ff7d935ad76c727c9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:14 +0200
+Subject: spi: mpc52xx: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0f997fdae819a8c2cc83bd4ff7d935ad76c727c9 upstream.
+
+Make sure to deregister the controller before disabling and releasing
+underlying resources like interrupts and gpios during driver unbind.
+
+Fixes: 42bbb70980f3 ("powerpc/5200: Add mpc5200-spi (non-PSC) device driver")
+Fixes: b8d4e2ce60b6 ("mpc52xx_spi: add gpio chipselect")
+Cc: stable@vger.kernel.org # 2.6.33
+Cc: Grant Likely <grant.likely@secretlab.ca>
+Cc: Luotao Fu <l.fu@pengutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-4-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-mpc52xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-mpc52xx.c
++++ b/drivers/spi/spi-mpc52xx.c
+@@ -523,6 +523,8 @@ static void mpc52xx_spi_remove(struct pl
+ struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
+ int i;
+
++ spi_unregister_controller(host);
++
+ cancel_work_sync(&ms->work);
+ free_irq(ms->irq0, ms);
+ free_irq(ms->irq1, ms);
+@@ -531,7 +533,6 @@ static void mpc52xx_spi_remove(struct pl
+ gpiod_put(ms->gpio_cs[i]);
+
+ kfree(ms->gpio_cs);
+- spi_unregister_controller(host);
+ iounmap(ms->regs);
+ spi_controller_put(host);
+ }
--- /dev/null
+From f62c060272b9d7423b1650b844e8e4e7b8f9f925 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 14:58:00 +0200
+Subject: spi: mpc52xx: fix use-after-free on registration failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f62c060272b9d7423b1650b844e8e4e7b8f9f925 upstream.
+
+Make sure to disable and free the interrupts in case controller
+registration fails to avoid a potential use-after-free and resource
+leak.
+
+This issue was flagged by Sashiko when reviewing a controller
+deregistration fix.
+
+Fixes: 42bbb70980f3 ("powerpc/5200: Add mpc5200-spi (non-PSC) device driver")
+Cc: stable@vger.kernel.org # 2.6.33
+Cc: Grant Likely <grant.likely@secretlab.ca>
+Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=3
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421125800.1537361-1-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-mpc52xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/spi/spi-mpc52xx.c
++++ b/drivers/spi/spi-mpc52xx.c
+@@ -501,6 +501,9 @@ static int mpc52xx_spi_probe(struct plat
+
+ err_register:
+ dev_err(&ms->host->dev, "initialization failed\n");
++ free_irq(ms->irq0, ms);
++ free_irq(ms->irq1, ms);
++ cancel_work_sync(&ms->work);
+ err_gpio:
+ while (i-- > 0)
+ gpiod_put(ms->gpio_cs[i]);
--- /dev/null
+From 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:15 +0200
+Subject: spi: mpc52xx: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream.
+
+The state machine work is scheduled by the interrupt handler and
+therefore needs to be cancelled after disabling interrupts to avoid a
+potential use-after-free.
+
+Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove")
+Cc: stable@vger.kernel.org
+Cc: Pei Xiao <xiaopei01@kylinos.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-mpc52xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-mpc52xx.c
++++ b/drivers/spi/spi-mpc52xx.c
+@@ -525,10 +525,11 @@ static void mpc52xx_spi_remove(struct pl
+
+ spi_unregister_controller(host);
+
+- cancel_work_sync(&ms->work);
+ free_irq(ms->irq0, ms);
+ free_irq(ms->irq1, ms);
+
++ cancel_work_sync(&ms->work);
++
+ for (i = 0; i < ms->gpio_cs_count; i++)
+ gpiod_put(ms->gpio_cs[i]);
+
--- /dev/null
+From 573c7db8fce91a1b07dd64a260bb44b9e6d05943 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 9 Apr 2026 14:04:19 +0200
+Subject: spi: mpfs: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 573c7db8fce91a1b07dd64a260bb44b9e6d05943 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like interrupts during driver unbind.
+
+Fixes: 9ac8d17694b6 ("spi: add support for microchip fpga spi controllers")
+Cc: stable@vger.kernel.org # 6.0
+Cc: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://patch.msgid.link/20260409120419.388546-21-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-mpfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-mpfs.c
++++ b/drivers/spi/spi-mpfs.c
+@@ -575,7 +575,7 @@ static int mpfs_spi_probe(struct platfor
+
+ mpfs_spi_init(host, spi);
+
+- ret = devm_spi_register_controller(&pdev->dev, host);
++ ret = spi_register_controller(host);
+ if (ret) {
+ mpfs_spi_disable_ints(spi);
+ mpfs_spi_disable(spi);
+@@ -593,6 +593,8 @@ static void mpfs_spi_remove(struct platf
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct mpfs_spi *spi = spi_controller_get_devdata(host);
+
++ spi_unregister_controller(host);
++
+ mpfs_spi_disable_ints(spi);
+ mpfs_spi_disable(spi);
+ }
--- /dev/null
+From adbc595e272052181d40ec307a4c5ba98571b0fe Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:16 +0200
+Subject: spi: mxic: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit adbc595e272052181d40ec307a4c5ba98571b0fe upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks (via runtime pm) during driver unbind.
+
+Fixes: b942d80b0a39 ("spi: Add MXIC controller driver")
+Cc: stable@vger.kernel.org # 5.0: cc53711b2191
+Cc: stable@vger.kernel.org # 5.0
+Cc: Mason Yang <masonccyang@mxic.com.tw>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-6-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-mxic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-mxic.c
++++ b/drivers/spi/spi-mxic.c
+@@ -833,9 +833,10 @@ static void mxic_spi_remove(struct platf
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct mxic_spi *mxic = spi_controller_get_devdata(host);
+
++ spi_unregister_controller(host);
++
+ pm_runtime_disable(&pdev->dev);
+ mxic_spi_mem_ecc_remove(mxic);
+- spi_unregister_controller(host);
+ }
+
+ static const struct of_device_id mxic_spi_of_ids[] = {
--- /dev/null
+From ebd81199e00e107980bf8c4d2c747ae50158f797 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:34 +0200
+Subject: spi: npcm-pspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ebd81199e00e107980bf8c4d2c747ae50158f797 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: 2a22f1b30cee ("spi: npcm: add NPCM PSPI controller driver")
+Cc: stable@vger.kernel.org # 5.0
+Cc: Tomer Maimon <tmaimon77@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-5-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-npcm-pspi.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-npcm-pspi.c
++++ b/drivers/spi/spi-npcm-pspi.c
+@@ -414,7 +414,7 @@ static int npcm_pspi_probe(struct platfo
+ /* set to default clock rate */
+ npcm_pspi_set_baudrate(priv, NPCM_PSPI_DEFAULT_CLK);
+
+- ret = devm_spi_register_controller(&pdev->dev, host);
++ ret = spi_register_controller(host);
+ if (ret)
+ goto out_disable_clk;
+
+@@ -435,8 +435,14 @@ static void npcm_pspi_remove(struct plat
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct npcm_pspi *priv = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ npcm_pspi_reset_hw(priv);
+ clk_disable_unprepare(priv->clk);
++
++ spi_controller_put(host);
+ }
+
+ static const struct of_device_id npcm_pspi_match[] = {
--- /dev/null
+From 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 15:02:10 +0200
+Subject: spi: orion: fix clock imbalance on registration failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 upstream.
+
+Make sure that the controller is not runtime suspended before disabling
+clocks on probe failure.
+
+Also restore the autosuspend setting.
+
+Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support")
+Cc: stable@vger.kernel.org # 3.17
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421130211.1537628-3-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-orion.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/spi/spi-orion.c
++++ b/drivers/spi/spi-orion.c
+@@ -774,6 +774,7 @@ static int orion_spi_probe(struct platfo
+ pm_runtime_set_active(&pdev->dev);
+ pm_runtime_use_autosuspend(&pdev->dev);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
++ pm_runtime_get_noresume(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+
+ status = orion_spi_reset(spi);
+@@ -785,10 +786,15 @@ static int orion_spi_probe(struct platfo
+ if (status < 0)
+ goto out_rel_pm;
+
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ return status;
+
+ out_rel_pm:
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ out_rel_axi_clk:
+ clk_disable_unprepare(spi->axi_clk);
+ out:
--- /dev/null
+From 220f4f11104a7f83b71543ef0e48dde1da2bc5d3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:17 +0200
+Subject: spi: orion: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 220f4f11104a7f83b71543ef0e48dde1da2bc5d3 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: 60cadec9da7b ("spi: new orion_spi driver")
+Cc: stable@vger.kernel.org # 2.6.27
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-7-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-orion.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-orion.c
++++ b/drivers/spi/spi-orion.c
+@@ -802,10 +802,15 @@ static void orion_spi_remove(struct plat
+ struct spi_controller *host = platform_get_drvdata(pdev);
+ struct orion_spi *spi = spi_controller_get_devdata(host);
+
++ spi_controller_get(host);
++
++ spi_unregister_controller(host);
++
+ pm_runtime_get_sync(&pdev->dev);
+ clk_disable_unprepare(spi->axi_clk);
+
+- spi_unregister_controller(host);
++ spi_controller_put(host);
++
+ pm_runtime_disable(&pdev->dev);
+ }
+
--- /dev/null
+From 97b17dd8266d2e26d9ee3c75a0fa34ecde6944f0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 15:02:09 +0200
+Subject: spi: orion: fix runtime pm leak on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 97b17dd8266d2e26d9ee3c75a0fa34ecde6944f0 upstream.
+
+Make sure to balance the runtime PM usage count on driver unbind so that
+the controller can be suspended when a driver is rebound.
+
+Also restore the autosuspend setting.
+
+This issue was flagged by Sashiko when reviewing a controller
+deregistration fix.
+
+Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support")
+Cc: stable@vger.kernel.org # 3.17
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=6
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421130211.1537628-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-orion.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/spi/spi-orion.c
++++ b/drivers/spi/spi-orion.c
+@@ -812,6 +812,9 @@ static void orion_spi_remove(struct plat
+ spi_controller_put(host);
+
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ }
+
+ MODULE_ALIAS("platform:" DRIVER_NAME);
--- /dev/null
+From 420df79d1a618951eb0eb4331df95c9f4f763b8b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:37 +0200
+Subject: spi: pic32-sqi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 420df79d1a618951eb0eb4331df95c9f4f763b8b upstream.
+
+Make sure to deregister the controller before releasing underlying
+resources like DMA during driver unbind.
+
+Fixes: 3270ac230f66 ("spi: pic32-sqi: add SPI driver for PIC32 SQI controller.")
+Cc: stable@vger.kernel.org # 4.7
+Cc: Purna Chandra Mandal <purna.mandal@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-8-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-pic32-sqi.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pic32-sqi.c
++++ b/drivers/spi/spi-pic32-sqi.c
+@@ -642,7 +642,7 @@ static int pic32_sqi_probe(struct platfo
+ host->prepare_transfer_hardware = pic32_sqi_prepare_hardware;
+ host->unprepare_transfer_hardware = pic32_sqi_unprepare_hardware;
+
+- ret = devm_spi_register_controller(&pdev->dev, host);
++ ret = spi_register_controller(host);
+ if (ret) {
+ dev_err(&host->dev, "failed registering spi host\n");
+ free_irq(sqi->irq, sqi);
+@@ -665,9 +665,15 @@ static void pic32_sqi_remove(struct plat
+ {
+ struct pic32_sqi *sqi = platform_get_drvdata(pdev);
+
++ spi_controller_get(sqi->host);
++
++ spi_unregister_controller(sqi->host);
++
+ /* release resources */
+ free_irq(sqi->irq, sqi);
+ ring_desc_ring_free(sqi);
++
++ spi_controller_put(sqi->host);
+ }
+
+ static const struct of_device_id pic32_sqi_of_ids[] = {
--- /dev/null
+From 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:40 +0200
+Subject: spi: rspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc upstream.
+
+Make sure to deregister the controller before releasing underlying
+resources like DMA during driver unbind.
+
+Fixes: 9e03d05eee4c ("spi: rcar: Use devm_spi_register_master()")
+Cc: stable@vger.kernel.org # 3.14
+Cc: Jingoo Han <jg1.han@samsung.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-11-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-rspi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -1171,8 +1171,14 @@ static void rspi_remove(struct platform_
+ {
+ struct rspi_data *rspi = platform_get_drvdata(pdev);
+
++ spi_controller_get(rspi->ctlr);
++
++ spi_unregister_controller(rspi->ctlr);
++
+ rspi_release_dma(rspi->ctlr);
+ pm_runtime_disable(&pdev->dev);
++
++ spi_controller_put(rspi->ctlr);
+ }
+
+ static const struct spi_ops rspi_ops = {
+@@ -1377,9 +1383,9 @@ static int rspi_probe(struct platform_de
+ if (ret < 0)
+ dev_warn(&pdev->dev, "DMA not available, using PIO\n");
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret < 0) {
+- dev_err(&pdev->dev, "devm_spi_register_controller error.\n");
++ dev_err(&pdev->dev, "failed to register controller\n");
+ goto error3;
+ }
+
--- /dev/null
+From e63982e6392e45a6ecd68d6c317a081cc8e70143 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:42 +0200
+Subject: spi: sh-hspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e63982e6392e45a6ecd68d6c317a081cc8e70143 upstream.
+
+Make sure to deregister the controller before releasing underlying
+resources like clocks during driver unbind.
+
+Fixes: 49e599b8595f ("spi: sh-hspi: control spi clock more correctly")
+Cc: stable@vger.kernel.org # 3.4
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-13-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sh-hspi.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-sh-hspi.c
++++ b/drivers/spi/spi-sh-hspi.c
+@@ -258,9 +258,9 @@ static int hspi_probe(struct platform_de
+ ctlr->transfer_one_message = hspi_transfer_one_message;
+ ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret < 0) {
+- dev_err(&pdev->dev, "devm_spi_register_controller error.\n");
++ dev_err(&pdev->dev, "failed to register controller\n");
+ goto error2;
+ }
+
+@@ -280,9 +280,15 @@ static void hspi_remove(struct platform_
+ {
+ struct hspi_priv *hspi = platform_get_drvdata(pdev);
+
++ spi_controller_get(hspi->ctlr);
++
++ spi_unregister_controller(hspi->ctlr);
++
+ pm_runtime_disable(&pdev->dev);
+
+ clk_put(hspi->clk);
++
++ spi_controller_put(hspi->ctlr);
+ }
+
+ static const struct of_device_id hspi_of_match[] = {
--- /dev/null
+From 45170f67a08b912ead6ccc387ba06954d1d4e53a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:43 +0200
+Subject: spi: sh-msiof: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 45170f67a08b912ead6ccc387ba06954d1d4e53a upstream.
+
+Make sure to deregister the controller before releasing underlying
+resources like DMA during driver unbind.
+
+Fixes: 1bd6363bc0c6 ("spi: sh-msiof: Use core message handling instead of spi-bitbang")
+Cc: stable@vger.kernel.org # 3.15
+Cc: Geert Uytterhoeven <geert+renesas@linux-m68k.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-14-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sh-msiof.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -1290,9 +1290,9 @@ static int sh_msiof_spi_probe(struct pla
+ if (ret < 0)
+ dev_warn(dev, "DMA not available, using PIO\n");
+
+- ret = devm_spi_register_controller(dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret < 0) {
+- dev_err(dev, "devm_spi_register_controller error.\n");
++ dev_err(dev, "failed to register controller\n");
+ goto err2;
+ }
+
+@@ -1310,8 +1310,14 @@ static void sh_msiof_spi_remove(struct p
+ {
+ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
+
++ spi_controller_get(p->ctlr);
++
++ spi_unregister_controller(p->ctlr);
++
+ sh_msiof_release_dma(p);
+ pm_runtime_disable(&pdev->dev);
++
++ spi_controller_put(p->ctlr);
+ }
+
+ static const struct platform_device_id spi_driver_ids[] = {
--- /dev/null
+From ab840cbda4fe6c40e52f6415c47056797c663bb2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:45 +0200
+Subject: spi: slave-mt27xx: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ab840cbda4fe6c40e52f6415c47056797c663bb2 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks (by disabling runtime PM) during driver unbind.
+
+Fixes: 805be7ddf367 ("spi: mediatek: add spi slave for Mediatek MT2712")
+Cc: stable@vger.kernel.org # 4.20
+Cc: Leilk Liu <leilk.liu@mediatek.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-16-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-slave-mt27xx.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-slave-mt27xx.c
++++ b/drivers/spi/spi-slave-mt27xx.c
+@@ -454,7 +454,7 @@ static int mtk_spi_slave_probe(struct pl
+
+ pm_runtime_enable(&pdev->dev);
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ clk_disable_unprepare(mdata->spi_clk);
+ if (ret) {
+ dev_err(&pdev->dev,
+@@ -474,7 +474,15 @@ err_put_ctlr:
+
+ static void mtk_spi_slave_remove(struct platform_device *pdev)
+ {
++ struct spi_controller *ctlr = platform_get_drvdata(pdev);
++
++ spi_controller_get(ctlr);
++
++ spi_unregister_controller(ctlr);
++
+ pm_runtime_disable(&pdev->dev);
++
++ spi_controller_put(ctlr);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
--- /dev/null
+From 123d17dbc5f07059752fa5e616385ca29a8f935a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:46 +0200
+Subject: spi: sprd: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 123d17dbc5f07059752fa5e616385ca29a8f935a upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Note that the controller is suspended before disabling and releasing
+resources since commit de082d866cce ("spi: sprd: Add the SPI irq
+function for the SPI DMA mode") which avoids issues like unclocked
+accesses but prevents SPI device drivers from doing I/O during
+deregistration.
+
+Fixes: e7d973a31c24 ("spi: sprd: Add SPI driver for Spreadtrum SC9860")
+Cc: stable@vger.kernel.org # 4.20
+Cc: Lanqing Liu <lanqing.liu@spreadtrum.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-17-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-sprd.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-sprd.c
++++ b/drivers/spi/spi-sprd.c
+@@ -978,7 +978,7 @@ static int sprd_spi_probe(struct platfor
+ goto err_rpm_put;
+ }
+
+- ret = devm_spi_register_controller(&pdev->dev, sctlr);
++ ret = spi_register_controller(sctlr);
+ if (ret)
+ goto err_rpm_put;
+
+@@ -1009,7 +1009,9 @@ static void sprd_spi_remove(struct platf
+ if (ret < 0)
+ dev_err(ss->dev, "failed to resume SPI controller\n");
+
+- spi_controller_suspend(sctlr);
++ spi_controller_get(sctlr);
++
++ spi_unregister_controller(sctlr);
+
+ if (ret >= 0) {
+ if (ss->dma.enable)
+@@ -1018,6 +1020,8 @@ static void sprd_spi_remove(struct platf
+ }
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
++
++ spi_controller_put(sctlr);
+ }
+
+ static int __maybe_unused sprd_spi_runtime_suspend(struct device *dev)
projects / thirdparty / kernel / stable-queue.git / commitdiff
