--- /dev/null
+From 27f94b71532203b079537180924023a5f636fca1 Mon Sep 17 00:00:00 2001
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Date: Tue, 8 Jul 2025 12:28:42 +0200
+Subject: arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode
+
+From: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+
+commit 27f94b71532203b079537180924023a5f636fca1 upstream.
+
+2290 was found in the field to also require this quirk, as long &
+high-bandwidth workloads (e.g. USB ethernet) are consistently able to
+crash the controller otherwise.
+
+The same change has been made for a number of SoCs in [1], but QCM2290
+somehow escaped the list (even though the very closely related SM6115
+was there).
+
+Upon a controller crash, the log would read:
+
+xhci-hcd.12.auto: xHCI host not responding to stop endpoint command
+xhci-hcd.12.auto: xHCI host controller not responding, assume dead
+xhci-hcd.12.auto: HC died; cleaning up
+
+Add snps,parkmode-disable-ss-quirk to the DWC3 instance in order to
+prevent the aforementioned breakage.
+
+[1] https://lore.kernel.org/all/20240704152848.3380602-1-quic_kriskura@quicinc.com/
+
+Cc: stable@vger.kernel.org
+Reported-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Fixes: a64a0192b70c ("arm64: dts: qcom: Add initial QCM2290 device tree")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250708-topic-2290_usb-v1-1-661e70a63339@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/qcm2290.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/boot/dts/qcom/qcm2290.dtsi
++++ b/arch/arm64/boot/dts/qcom/qcm2290.dtsi
+@@ -1454,6 +1454,7 @@
+ snps,has-lpm-erratum;
+ snps,hird-threshold = /bits/ 8 <0x10>;
+ snps,usb3_lpm_capable;
++ snps,parkmode-disable-ss-quirk;
+ maximum-speed = "super-speed";
+ dr_mode = "otg";
+ usb-role-switch;
--- /dev/null
+From 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae Mon Sep 17 00:00:00 2001
+From: Salah Triki <salah.triki@gmail.com>
+Date: Mon, 25 Aug 2025 10:34:35 +0100
+Subject: bus: fsl-mc: Check return value of platform_get_resource()
+
+From: Salah Triki <salah.triki@gmail.com>
+
+commit 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae upstream.
+
+platform_get_resource() returns NULL in case of failure, so check its
+return value and propagate the error in order to prevent NULL pointer
+dereference.
+
+Fixes: 6305166c8771 ("bus: fsl-mc: Add ACPI support for fsl-mc")
+Cc: stable@vger.kernel.org
+Signed-off-by: Salah Triki <salah.triki@gmail.com>
+Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/aKwuK6TRr5XNYQ8u@pc
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1104,6 +1104,9 @@ static int fsl_mc_bus_probe(struct platf
+ * Get physical address of MC portal for the root DPRC:
+ */
+ plat_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!plat_res)
++ return -EINVAL;
++
+ mc_portal_phys_addr = plat_res->start;
+ mc_portal_size = resource_size(plat_res);
+ mc_portal_base_phys_addr = mc_portal_phys_addr & ~0x3ffffff;
--- /dev/null
+From da1bb9135213744e7ec398826c8f2e843de4fb94 Mon Sep 17 00:00:00 2001
+From: Janne Grunau <j@jannau.net>
+Date: Mon, 15 Sep 2025 08:36:41 +0200
+Subject: fbdev: simplefb: Fix use after free in simplefb_detach_genpds()
+
+From: Janne Grunau <j@jannau.net>
+
+commit da1bb9135213744e7ec398826c8f2e843de4fb94 upstream.
+
+The pm_domain cleanup can not be devres managed as it uses struct
+simplefb_par which is allocated within struct fb_info by
+framebuffer_alloc(). This allocation is explicitly freed by
+unregister_framebuffer() in simplefb_remove().
+Devres managed cleanup runs after the device remove call and thus can no
+longer access struct simplefb_par.
+Call simplefb_detach_genpds() explicitly from simplefb_destroy() like
+the cleanup functions for clocks and regulators.
+
+Fixes an use after free on M2 Mac mini during
+aperture_remove_conflicting_devices() using the downstream asahi kernel
+with Debian's kernel config. For unknown reasons this started to
+consistently dereference an invalid pointer in v6.16.3 based kernels.
+
+[ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220
+[ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227
+[ 6.750697]
+[ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY
+[ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC
+[ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)
+[ 6.752189] Call trace:
+[ 6.752190] show_stack+0x34/0x98 (C)
+[ 6.752194] dump_stack_lvl+0x60/0x80
+[ 6.752197] print_report+0x17c/0x4d8
+[ 6.752201] kasan_report+0xb4/0x100
+[ 6.752206] __asan_report_load4_noabort+0x20/0x30
+[ 6.752209] simplefb_detach_genpds+0x58/0x220
+[ 6.752213] devm_action_release+0x50/0x98
+[ 6.752216] release_nodes+0xd0/0x2c8
+[ 6.752219] devres_release_all+0xfc/0x178
+[ 6.752221] device_unbind_cleanup+0x28/0x168
+[ 6.752224] device_release_driver_internal+0x34c/0x470
+[ 6.752228] device_release_driver+0x20/0x38
+[ 6.752231] bus_remove_device+0x1b0/0x380
+[ 6.752234] device_del+0x314/0x820
+[ 6.752238] platform_device_del+0x3c/0x1e8
+[ 6.752242] platform_device_unregister+0x20/0x50
+[ 6.752246] aperture_detach_platform_device+0x1c/0x30
+[ 6.752250] aperture_detach_devices+0x16c/0x290
+[ 6.752253] aperture_remove_conflicting_devices+0x34/0x50
+...
+[ 6.752343]
+[ 6.967409] Allocated by task 62:
+[ 6.970724] kasan_save_stack+0x3c/0x70
+[ 6.974560] kasan_save_track+0x20/0x40
+[ 6.978397] kasan_save_alloc_info+0x40/0x58
+[ 6.982670] __kasan_kmalloc+0xd4/0xd8
+[ 6.986420] __kmalloc_noprof+0x194/0x540
+[ 6.990432] framebuffer_alloc+0xc8/0x130
+[ 6.994444] simplefb_probe+0x258/0x2378
+...
+[ 7.054356]
+[ 7.055838] Freed by task 227:
+[ 7.058891] kasan_save_stack+0x3c/0x70
+[ 7.062727] kasan_save_track+0x20/0x40
+[ 7.066565] kasan_save_free_info+0x4c/0x80
+[ 7.070751] __kasan_slab_free+0x6c/0xa0
+[ 7.074675] kfree+0x10c/0x380
+[ 7.077727] framebuffer_release+0x5c/0x90
+[ 7.081826] simplefb_destroy+0x1b4/0x2c0
+[ 7.085837] put_fb_info+0x98/0x100
+[ 7.089326] unregister_framebuffer+0x178/0x320
+[ 7.093861] simplefb_remove+0x3c/0x60
+[ 7.097611] platform_remove+0x60/0x98
+[ 7.101361] device_remove+0xb8/0x160
+[ 7.105024] device_release_driver_internal+0x2fc/0x470
+[ 7.110256] device_release_driver+0x20/0x38
+[ 7.114529] bus_remove_device+0x1b0/0x380
+[ 7.118628] device_del+0x314/0x820
+[ 7.122116] platform_device_del+0x3c/0x1e8
+[ 7.126302] platform_device_unregister+0x20/0x50
+[ 7.131012] aperture_detach_platform_device+0x1c/0x30
+[ 7.136157] aperture_detach_devices+0x16c/0x290
+[ 7.140779] aperture_remove_conflicting_devices+0x34/0x50
+...
+
+Reported-by: Daniel Huhardeaux <tech@tootai.net>
+Cc: stable@vger.kernel.org
+Fixes: 92a511a568e44 ("fbdev/simplefb: Add support for generic power-domains")
+Signed-off-by: Janne Grunau <j@jannau.net>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/simplefb.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/video/fbdev/simplefb.c
++++ b/drivers/video/fbdev/simplefb.c
+@@ -93,6 +93,7 @@ struct simplefb_par {
+
+ static void simplefb_clocks_destroy(struct simplefb_par *par);
+ static void simplefb_regulators_destroy(struct simplefb_par *par);
++static void simplefb_detach_genpds(void *res);
+
+ /*
+ * fb_ops.fb_destroy is called by the last put_fb_info() call at the end
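Review bot: simplefb_detach_genpds() keeps the `void *res` parameter it needed as a devres action, but this patch drops the `devm_add_action_or_reset()` registration and calls it directly (`simplefb_detach_genpds(info->par)` and `simplefb_detach_genpds(par)` in later hunks). Declaring it as `static void simplefb_detach_genpds(struct simplefb_par *par);`, like the two destroy helpers just above it, lets the compiler check the argument. The `#else` stub added further down would change the same way.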
+@@ -105,6 +106,7 @@ static void simplefb_destroy(struct fb_i
+
+ simplefb_regulators_destroy(info->par);
+ simplefb_clocks_destroy(info->par);
++ simplefb_detach_genpds(info->par);
+ if (info->screen_base)
+ iounmap(info->screen_base);
+
+@@ -445,13 +447,14 @@ static void simplefb_detach_genpds(void
+ if (!IS_ERR_OR_NULL(par->genpds[i]))
+ dev_pm_domain_detach(par->genpds[i], true);
+ }
++ par->num_genpds = 0;
+ }
+
+ static int simplefb_attach_genpds(struct simplefb_par *par,
+ struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+- unsigned int i;
++ unsigned int i, num_genpds;
+ int err;
+
+ err = of_count_phandle_with_args(dev->of_node, "power-domains",
+@@ -465,26 +468,35 @@ static int simplefb_attach_genpds(struct
+ return err;
+ }
+
+- par->num_genpds = err;
++ num_genpds = err;
+
+ /*
+ * Single power-domain devices are handled by the driver core, so
+ * nothing to do here.
+ */
+- if (par->num_genpds <= 1)
++ if (num_genpds <= 1) {
++ par->num_genpds = num_genpds;
+ return 0;
++ }
+
+- par->genpds = devm_kcalloc(dev, par->num_genpds, sizeof(*par->genpds),
++ par->genpds = devm_kcalloc(dev, num_genpds, sizeof(*par->genpds),
+ GFP_KERNEL);
+ if (!par->genpds)
+ return -ENOMEM;
+
+- par->genpd_links = devm_kcalloc(dev, par->num_genpds,
++ par->genpd_links = devm_kcalloc(dev, num_genpds,
+ sizeof(*par->genpd_links),
+ GFP_KERNEL);
+ if (!par->genpd_links)
+ return -ENOMEM;
+
++ /*
++ * Set par->num_genpds only after genpds and genpd_links are allocated
++ * to exit early from simplefb_detach_genpds() without full
++ * initialisation.
++ */
++ par->num_genpds = num_genpds;
++
+ for (i = 0; i < par->num_genpds; i++) {
+ par->genpds[i] = dev_pm_domain_attach_by_id(dev, i);
+ if (IS_ERR(par->genpds[i])) {
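Review bot: `par->genpds` and `par->genpd_links` are still allocated with `devm_kcalloc()` in this hunk, while the patch moves their consumer, simplefb_detach_genpds(), into simplefb_destroy(). The comment above simplefb_destroy() says fb_destroy runs on the last put_fb_info(); if that last put can happen after the device has been unbound (for example while the framebuffer is still held open, which is not visible here), devres will already have freed both arrays and the detach loop would read freed memory, the same class of bug this commit fixes. Tying the arrays to the fb_info lifetime avoids that: allocate with `kcalloc(num_genpds, sizeof(*par->genpds), GFP_KERNEL)` and `kfree()` both arrays in simplefb_detach_genpds() and on the -ENOMEM path. simplefb_attach_genpds() starts and ends outside this hunk.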
+@@ -506,9 +518,10 @@ static int simplefb_attach_genpds(struct
+ dev_warn(dev, "failed to link power-domain %u\n", i);
+ }
+
+- return devm_add_action_or_reset(dev, simplefb_detach_genpds, par);
++ return 0;
+ }
+ #else
++static void simplefb_detach_genpds(void *res) { }
+ static int simplefb_attach_genpds(struct simplefb_par *par,
+ struct platform_device *pdev)
+ {
+@@ -622,18 +635,20 @@ static int simplefb_probe(struct platfor
+ ret = devm_aperture_acquire_for_platform_device(pdev, par->base, par->size);
+ if (ret) {
+ dev_err(&pdev->dev, "Unable to acquire aperture: %d\n", ret);
+- goto error_regulators;
++ goto error_genpds;
+ }
+ ret = register_framebuffer(info);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Unable to register simplefb: %d\n", ret);
+- goto error_regulators;
++ goto error_genpds;
+ }
+
+ dev_info(&pdev->dev, "fb%d: simplefb registered!\n", info->node);
+
+ return 0;
+
++error_genpds:
++ simplefb_detach_genpds(par);
+ error_regulators:
+ simplefb_regulators_destroy(par);
+ error_clocks:
--- /dev/null
+From c7866ee0a9ddd9789faadf58cdac6abd7aabf045 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut@mailbox.org>
+Date: Sun, 5 Oct 2025 04:33:10 +0200
+Subject: Input: atmel_mxt_ts - allow reset GPIO to sleep
+
+From: Marek Vasut <marek.vasut@mailbox.org>
+
+commit c7866ee0a9ddd9789faadf58cdac6abd7aabf045 upstream.
+
+The reset GPIO is not toggled in any critical section where it couldn't
+sleep, allow the reset GPIO to sleep. This allows the driver to operate
+reset GPIOs connected to I2C GPIO expanders.
+
+Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
+Link: https://lore.kernel.org/r/20251005023335.166483-1-marek.vasut@mailbox.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3317,7 +3317,7 @@ static int mxt_probe(struct i2c_client *
+ if (data->reset_gpio) {
+ /* Wait a while and then de-assert the RESET GPIO line */
+ msleep(MXT_RESET_GPIO_TIME);
+- gpiod_set_value(data->reset_gpio, 0);
++ gpiod_set_value_cansleep(data->reset_gpio, 0);
+ msleep(MXT_RESET_INVALID_CHG);
+ }
+
--- /dev/null
+From d3366a04770eea807f2826cbdb96934dd8c9bf79 Mon Sep 17 00:00:00 2001
+From: Zhen Ni <zhen.ni@easystack.cn>
+Date: Sun, 28 Sep 2025 14:37:37 +0800
+Subject: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+commit d3366a04770eea807f2826cbdb96934dd8c9bf79 upstream.
+
+Struct ff_effect_compat is embedded twice inside
+uinput_ff_upload_compat, contains internal padding. In particular, there
+is a hole after struct ff_replay to satisfy alignment requirements for
+the following union member. Without clearing the structure,
+copy_to_user() may leak stack data to userspace.
+
+Initialize ff_up_compat to zero before filling valid fields.
+
+Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/uinput.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -775,6 +775,7 @@ static int uinput_ff_upload_to_user(char
+ if (in_compat_syscall()) {
+ struct uinput_ff_upload_compat ff_up_compat;
+
++ memset(&ff_up_compat, 0, sizeof(ff_up_compat));
+ ff_up_compat.request_id = ff_up->request_id;
+ ff_up_compat.retval = ff_up->retval;
+ /*
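Review bot: The added `memset()` has no comment saying why it must stay a memset, and a later cleanup to `struct uinput_ff_upload_compat ff_up_compat = {0};` would look equivalent while not being guaranteed to clear padding bytes. I would add above it `/* memset, not an initializer: padding holes must be zero before copy_to_user() */`. The non-compat branch and the copy_to_user() call are outside this hunk, so whether other structures copied out in this function need the same treatment cannot be judged from here.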
--- /dev/null
+From 0910dd7c9ad45a2605c45fd2bf3d1bcac087687c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 5 Aug 2025 12:05:09 -0700
+Subject: KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 0910dd7c9ad45a2605c45fd2bf3d1bcac087687c upstream.
+
+Skip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIP
+isn't valid, e.g. because KVM is running with nrips=false. SVM must
+decode and emulate to skip the instruction if the CPU doesn't provide the
+next RIP, and getting the instruction bytes to decode requires reading
+guest memory. Reading guest memory through the emulator can fault, i.e.
+can sleep, which is disallowed since the fastpath handlers run with IRQs
+disabled.
+
+ BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106
+ in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu
+ preempt_count: 1, expected: 0
+ INFO: lockdep is turned off.
+ irq event stamp: 30580
+ hardirqs last enabled at (30579): [<ffffffffc08b2527>] vcpu_run+0x1787/0x1db0 [kvm]
+ hardirqs last disabled at (30580): [<ffffffffb4f62e32>] __schedule+0x1e2/0xed0
+ softirqs last enabled at (30570): [<ffffffffb4247a64>] fpu_swap_kvm_fpstate+0x44/0x210
+ softirqs last disabled at (30568): [<ffffffffb4247a64>] fpu_swap_kvm_fpstate+0x44/0x210
+ CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE
+ Tainted: [U]=USER
+ Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7d/0xb0
+ __might_resched+0x271/0x290
+ __might_fault+0x28/0x80
+ kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm]
+ kvm_fetch_guest_virt+0x92/0xc0 [kvm]
+ __do_insn_fetch_bytes+0xf3/0x1e0 [kvm]
+ x86_decode_insn+0xd1/0x1010 [kvm]
+ x86_emulate_instruction+0x105/0x810 [kvm]
+ __svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd]
+ handle_fastpath_invd+0xc4/0x1a0 [kvm]
+ vcpu_run+0x11a1/0x1db0 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm]
+ kvm_vcpu_ioctl+0x578/0x6a0 [kvm]
+ __se_sys_ioctl+0x6d/0xb0
+ do_syscall_64+0x8a/0x2c0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+ RIP: 0033:0x7f479d57a94b
+ </TASK>
+
+Note, this is essentially a reapply of commit 5c30e8101e8d ("KVM: SVM:
+Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"), but with
+different justification (KVM now grabs SRCU when skipping the instruction
+for other reasons).
+
+Fixes: b439eb8ab578 ("Revert "KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250805190526.1453366-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/svm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -4180,13 +4180,21 @@ static int svm_vcpu_pre_run(struct kvm_v
+ static fastpath_t svm_exit_handlers_fastpath(struct kvm_vcpu *vcpu)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
++ struct vmcb_control_area *control = &svm->vmcb->control;
++
++ /*
++ * Next RIP must be provided as IRQs are disabled, and accessing guest
++ * memory to decode the instruction might fault, i.e. might sleep.
++ */
++ if (!nrips || !control->next_rip)
++ return EXIT_FASTPATH_NONE;
+
+ if (is_guest_mode(vcpu))
+ return EXIT_FASTPATH_NONE;
+
+- switch (svm->vmcb->control.exit_code) {
++ switch (control->exit_code) {
+ case SVM_EXIT_MSR:
+- if (!svm->vmcb->control.exit_info_1)
++ if (!control->exit_info_1)
+ break;
+ return handle_fastpath_set_msr_irqoff(vcpu);
+ case SVM_EXIT_HLT:
--- /dev/null
+From 9031626ade38b092b72638dfe0c6ffce8d8acd43 Mon Sep 17 00:00:00 2001
+From: Ling Xu <quic_lxu5@quicinc.com>
+Date: Fri, 12 Sep 2025 14:12:34 +0100
+Subject: misc: fastrpc: Fix fastrpc_map_lookup operation
+
+From: Ling Xu <quic_lxu5@quicinc.com>
+
+commit 9031626ade38b092b72638dfe0c6ffce8d8acd43 upstream.
+
+Fastrpc driver creates maps for user allocated fd buffers. Before
+creating a new map, the map list is checked for any already existing
+maps using map fd. Checking with just map fd is not sufficient as the
+user can pass offsetted buffer with less size when the map is created
+and then a larger size the next time which could result in memory
+issues. Check for dma_buf object also when looking up for the map.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable@kernel.org
+Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ling Xu <quic_lxu5@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://lore.kernel.org/r/20250912131236.303102-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -367,11 +367,16 @@ static int fastrpc_map_lookup(struct fas
+ {
+ struct fastrpc_session_ctx *sess = fl->sctx;
+ struct fastrpc_map *map = NULL;
++ struct dma_buf *buf;
+ int ret = -ENOENT;
+
++ buf = dma_buf_get(fd);
++ if (IS_ERR(buf))
++ return PTR_ERR(buf);
++
+ spin_lock(&fl->lock);
+ list_for_each_entry(map, &fl->maps, node) {
+- if (map->fd != fd)
++ if (map->fd != fd || map->buf != buf)
+ continue;
+
+ if (take_ref) {
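Review bot: The reference taken by `dma_buf_get(fd)` is never dropped: the diffstat lists six insertions, all six are in this hunk, and none is a `dma_buf_put()`. Every call to fastrpc_map_lookup() that gets past the IS_ERR check therefore leaves one extra reference on the dma-buf, so the buffer can outlive its maps and the file descriptor that named it. `buf` is only compared against `map->buf`, so it can be released once the list walk is done, with `dma_buf_put(buf);` ahead of the function's final return. The rest of the function body is outside the hunk.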
--- /dev/null
+From da1ba64176e0138f2bfa96f9e43e8c3640d01e1e Mon Sep 17 00:00:00 2001
+From: Ling Xu <quic_lxu5@quicinc.com>
+Date: Fri, 12 Sep 2025 14:12:35 +0100
+Subject: misc: fastrpc: fix possible map leak in fastrpc_put_args
+
+From: Ling Xu <quic_lxu5@quicinc.com>
+
+commit da1ba64176e0138f2bfa96f9e43e8c3640d01e1e upstream.
+
+copy_to_user() failure would cause an early return without cleaning up
+the fdlist, which has been updated by the DSP. This could lead to map
+leak. Fix this by redirecting to a cleanup path on failure, ensuring
+that all mapped buffers are properly released before returning.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable@kernel.org
+Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ling Xu <quic_lxu5@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://lore.kernel.org/r/20250912131236.303102-4-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1085,6 +1085,7 @@ static int fastrpc_put_args(struct fastr
+ struct fastrpc_phy_page *pages;
+ u64 *fdlist;
+ int i, inbufs, outbufs, handles;
++ int ret = 0;
+
+ inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);
+ outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
+@@ -1100,14 +1101,17 @@ static int fastrpc_put_args(struct fastr
+ u64 len = rpra[i].buf.len;
+
+ if (!kernel) {
+- if (copy_to_user((void __user *)dst, src, len))
+- return -EFAULT;
++ if (copy_to_user((void __user *)dst, src, len)) {
++ ret = -EFAULT;
++ goto cleanup_fdlist;
++ }
+ } else {
+ memcpy(dst, src, len);
+ }
+ }
+ }
+
++cleanup_fdlist:
+ /* Clean up fdlist which is updated by DSP */
+ for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
+ if (!fdlist[i])
+@@ -1116,7 +1120,7 @@ static int fastrpc_put_args(struct fastr
+ fastrpc_map_put(mmap);
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx,
--- /dev/null
+From 8b5b456222fd604079b5cf2af1f25ad690f54a25 Mon Sep 17 00:00:00 2001
+From: Ling Xu <quic_lxu5@quicinc.com>
+Date: Fri, 12 Sep 2025 14:12:33 +0100
+Subject: misc: fastrpc: Save actual DMA size in fastrpc_map structure
+
+From: Ling Xu <quic_lxu5@quicinc.com>
+
+commit 8b5b456222fd604079b5cf2af1f25ad690f54a25 upstream.
+
+For user passed fd buffer, map is created using DMA calls. The
+map related information is stored in fastrpc_map structure. The
+actual DMA size is not stored in the structure. Store the actual
+size of buffer and check it against the user passed size.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable@kernel.org
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ling Xu <quic_lxu5@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://lore.kernel.org/r/20250912131236.303102-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -323,11 +323,11 @@ static void fastrpc_free_map(struct kref
+
+ perm.vmid = QCOM_SCM_VMID_HLOS;
+ perm.perm = QCOM_SCM_PERM_RWX;
+- err = qcom_scm_assign_mem(map->phys, map->size,
++ err = qcom_scm_assign_mem(map->phys, map->len,
+ &src_perms, &perm, 1);
+ if (err) {
+ dev_err(map->fl->sctx->dev, "Failed to assign memory phys 0x%llx size 0x%llx err %d\n",
+- map->phys, map->size, err);
++ map->phys, map->len, err);
+ return;
+ }
+ }
+@@ -758,7 +758,8 @@ static int fastrpc_map_create(struct fas
+ struct fastrpc_session_ctx *sess = fl->sctx;
+ struct fastrpc_map *map = NULL;
+ struct sg_table *table;
+- int err = 0;
++ struct scatterlist *sgl = NULL;
++ int err = 0, sgl_index = 0;
+
+ if (!fastrpc_map_lookup(fl, fd, ppmap, true))
+ return 0;
+@@ -798,7 +799,15 @@ static int fastrpc_map_create(struct fas
+ map->phys = sg_dma_address(map->table->sgl);
+ map->phys += ((u64)fl->sctx->sid << 32);
+ }
+- map->size = len;
++ for_each_sg(map->table->sgl, sgl, map->table->nents,
++ sgl_index)
++ map->size += sg_dma_len(sgl);
++ if (len > map->size) {
++ dev_dbg(sess->dev, "Bad size passed len 0x%llx map size 0x%llx\n",
++ len, map->size);
++ err = -EINVAL;
++ goto map_err;
++ }
+ map->va = sg_virt(map->table->sgl);
+ map->len = len;
+
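Review bot: The new bound `len > map->size` compares the caller's length with the sum of every DMA segment, but the address kept for the buffer is `sg_dma_address(map->table->sgl)`, i.e. the first segment only. If the mapping can ever come back as more than one non-contiguous DMA segment, a `len` that passes this check could still extend past the range that starts at `map->phys`. Either bound `len` by the contiguous range that begins at `map->phys`, or record the assumption next to the loop, e.g. `/* assumes the buffer is mapped as one contiguous DMA range starting at map->phys */`. The accumulation also depends on `map->size` starting at zero; the allocation is outside this hunk.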
+@@ -815,10 +824,10 @@ static int fastrpc_map_create(struct fas
+ dst_perms[1].vmid = fl->cctx->vmperms[0].vmid;
+ dst_perms[1].perm = QCOM_SCM_PERM_RWX;
+ map->attr = attr;
+- err = qcom_scm_assign_mem(map->phys, (u64)map->size, &src_perms, dst_perms, 2);
++ err = qcom_scm_assign_mem(map->phys, (u64)map->len, &src_perms, dst_perms, 2);
+ if (err) {
+ dev_err(sess->dev, "Failed to assign memory with phys 0x%llx size 0x%llx err %d\n",
+- map->phys, map->size, err);
++ map->phys, map->len, err);
+ goto map_err;
+ }
+ }
+@@ -2046,7 +2055,7 @@ static int fastrpc_req_mem_map(struct fa
+ args[0].length = sizeof(req_msg);
+
+ pages.addr = map->phys;
+- pages.size = map->size;
++ pages.size = map->len;
+
+ args[1].ptr = (u64) (uintptr_t) &pages;
+ args[1].length = sizeof(pages);
+@@ -2061,7 +2070,7 @@ static int fastrpc_req_mem_map(struct fa
+ err = fastrpc_internal_invoke(fl, true, FASTRPC_INIT_HANDLE, sc, &args[0]);
+ if (err) {
+ dev_err(dev, "mem mmap error, fd %d, vaddr %llx, size %lld\n",
+- req.fd, req.vaddrin, map->size);
++ req.fd, req.vaddrin, map->len);
+ goto err_invoke;
+ }
+
+@@ -2074,7 +2083,7 @@ static int fastrpc_req_mem_map(struct fa
+ if (copy_to_user((void __user *)argp, &req, sizeof(req))) {
+ /* unmap the memory and release the buffer */
+ req_unmap.vaddr = (uintptr_t) rsp_msg.vaddr;
+- req_unmap.length = map->size;
++ req_unmap.length = map->len;
+ fastrpc_req_mem_unmap_impl(fl, &req_unmap);
+ return -EFAULT;
+ }
--- /dev/null
+From 10df039834f84a297c72ec962c0f9b7c8c5ca31a Mon Sep 17 00:00:00 2001
+From: Ling Xu <quic_lxu5@quicinc.com>
+Date: Fri, 12 Sep 2025 14:12:36 +0100
+Subject: misc: fastrpc: Skip reference for DMA handles
+
+From: Ling Xu <quic_lxu5@quicinc.com>
+
+commit 10df039834f84a297c72ec962c0f9b7c8c5ca31a upstream.
+
+If multiple dma handles are passed with same fd over a remote call
+the kernel driver takes a reference and expects that put for the
+map will be called as many times to free the map. But DSP only
+updates the fd one time in the fd list when the DSP refcount
+goes to zero and hence kernel make put call only once for the
+fd. This can cause SMMU fault issue as the same fd can be used
+in future for some other call.
+
+Fixes: 35a82b87135d ("misc: fastrpc: Add dma handle implementation")
+Cc: stable@kernel.org
+Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ling Xu <quic_lxu5@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://lore.kernel.org/r/20250912131236.303102-5-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 45 +++++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 18 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -363,9 +363,8 @@ static int fastrpc_map_get(struct fastrp
+
+
+ static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd,
+- struct fastrpc_map **ppmap, bool take_ref)
++ struct fastrpc_map **ppmap)
+ {
+- struct fastrpc_session_ctx *sess = fl->sctx;
+ struct fastrpc_map *map = NULL;
+ struct dma_buf *buf;
+ int ret = -ENOENT;
+@@ -379,15 +378,6 @@ static int fastrpc_map_lookup(struct fas
+ if (map->fd != fd || map->buf != buf)
+ continue;
+
+- if (take_ref) {
+- ret = fastrpc_map_get(map);
+- if (ret) {
+- dev_dbg(sess->dev, "%s: Failed to get map fd=%d ret=%d\n",
+- __func__, fd, ret);
+- break;
+- }
+- }
+-
+ *ppmap = map;
+ ret = 0;
+ break;
+@@ -757,7 +747,7 @@ static const struct dma_buf_ops fastrpc_
+ .release = fastrpc_release,
+ };
+
+-static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
++static int fastrpc_map_attach(struct fastrpc_user *fl, int fd,
+ u64 len, u32 attr, struct fastrpc_map **ppmap)
+ {
+ struct fastrpc_session_ctx *sess = fl->sctx;
+@@ -766,9 +756,6 @@ static int fastrpc_map_create(struct fas
+ struct scatterlist *sgl = NULL;
+ int err = 0, sgl_index = 0;
+
+- if (!fastrpc_map_lookup(fl, fd, ppmap, true))
+- return 0;
+-
+ map = kzalloc(sizeof(*map), GFP_KERNEL);
+ if (!map)
+ return -ENOMEM;
+@@ -853,6 +840,24 @@ get_err:
+ return err;
+ }
+
++static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
++ u64 len, u32 attr, struct fastrpc_map **ppmap)
++{
++ struct fastrpc_session_ctx *sess = fl->sctx;
++ int err = 0;
++
++ if (!fastrpc_map_lookup(fl, fd, ppmap)) {
++ if (!fastrpc_map_get(*ppmap))
++ return 0;
++ dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n",
++ __func__, fd);
++ }
++
++ err = fastrpc_map_attach(fl, fd, len, attr, ppmap);
++
++ return err;
++}
++
+ /*
+ * Fastrpc payload buffer with metadata looks like:
+ *
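Review bot: The new fastrpc_map_create() takes its reference with `fastrpc_map_get(*ppmap)` after fastrpc_map_lookup() has returned, whereas the removed `take_ref` branch took it inside the list walk, which the earlier lookup patch on this page shows running under `fl->lock`. Assuming the lock is released before lookup returns (the unlock is outside the hunks), the map can be put and freed by another thread between the lookup and the get. Separately, when the get fails, `*ppmap` still holds the pointer that lookup stored. If fastrpc_map_attach() then fails without writing `*ppmap`, the caller is left with a map pointer it holds no reference on, so `*ppmap = NULL;` before falling through would be safer. Keeping an in-lock get for the create path closes the first window.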
+@@ -925,8 +930,12 @@ static int fastrpc_create_maps(struct fa
+ ctx->args[i].length == 0)
+ continue;
+
+- err = fastrpc_map_create(ctx->fl, ctx->args[i].fd,
+- ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]);
++ if (i < ctx->nbufs)
++ err = fastrpc_map_create(ctx->fl, ctx->args[i].fd,
++ ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]);
++ else
++ err = fastrpc_map_attach(ctx->fl, ctx->args[i].fd,
++ ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]);
+ if (err) {
+ dev_err(dev, "Error Creating map %d\n", err);
+ return -EINVAL;
+@@ -1116,7 +1125,7 @@ cleanup_fdlist:
+ for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
+ if (!fdlist[i])
+ break;
+- if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false))
++ if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap))
+ fastrpc_map_put(mmap);
+ }
+
--- /dev/null
+From f52ce0ea90c83a28904c7cc203a70e6434adfecb Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang@os.amperecomputing.com>
+Date: Mon, 29 Sep 2025 13:24:02 -0700
+Subject: mm: hugetlb: avoid soft lockup when mprotect to large memory area
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yang Shi <yang@os.amperecomputing.com>
+
+commit f52ce0ea90c83a28904c7cc203a70e6434adfecb upstream.
+
+When calling mprotect() to a large hugetlb memory area in our customer's
+workload (~300GB hugetlb memory), soft lockup was observed:
+
+watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]
+
+CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7
+Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025
+pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : mte_clear_page_tags+0x14/0x24
+lr : mte_sync_tags+0x1c0/0x240
+sp : ffff80003150bb80
+x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000
+x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458
+x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000
+x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c
+x8Â : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
+x5Â : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000
+x2Â : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000
+
+Call trace:
+Â Â mte_clear_page_tags+0x14/0x24
+Â Â set_huge_pte_at+0x25c/0x280
+Â Â hugetlb_change_protection+0x220/0x430
+Â Â change_protection+0x5c/0x8c
+Â Â mprotect_fixup+0x10c/0x294
+Â Â do_mprotect_pkey.constprop.0+0x2e0/0x3d4
+Â Â __arm64_sys_mprotect+0x24/0x44
+Â Â invoke_syscall+0x50/0x160
+Â Â el0_svc_common+0x48/0x144
+Â Â do_el0_svc+0x30/0xe0
+Â Â el0_svc+0x30/0xf0
+Â Â el0t_64_sync_handler+0xc4/0x148
+Â Â el0t_64_sync+0x1a4/0x1a8
+
+Soft lockup is not triggered with THP or base page because there is
+cond_resched() called for each PMD size.
+
+Although the soft lockup was triggered by MTE, it should be not MTE
+specific. The other processing which takes long time in the loop may
+trigger soft lockup too.
+
+So add cond_resched() for hugetlb to avoid soft lockup.
+
+Link: https://lkml.kernel.org/r/20250929202402.1663290-1-yang@os.amperecomputing.com
+Fixes: 8f860591ffb2 ("[PATCH] Enable mprotect on huge pages")
+Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
+Tested-by: Carl Worth <carl@os.amperecomputing.com>
+Reviewed-by: Christoph Lameter (Ampere) <cl@gentwo.org>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Oscar Salvador <osalvador@suse.de>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Will Deacon <will@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -7203,6 +7203,8 @@ long hugetlb_change_protection(struct vm
+ psize);
+ }
+ spin_unlock(ptl);
++
++ cond_resched();
+ }
+ /*
+ * Must flush TLB before releasing i_mmap_rwsem: x86's huge_pmd_unshare
--- /dev/null
+From c04db81cd0288dfc68b7a0f7d09bd49b40bba451 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <asmadeus@codewreck.org>
+Date: Sun, 22 Jun 2025 22:39:56 +0900
+Subject: net/9p: Fix buffer overflow in USB transport layer
+
+From: Dominique Martinet <asmadeus@codewreck.org>
+
+commit c04db81cd0288dfc68b7a0f7d09bd49b40bba451 upstream.
+
+A buffer overflow vulnerability exists in the USB 9pfs transport layer
+where inconsistent size validation between packet header parsing and
+actual data copying allows a malicious USB host to overflow heap buffers.
+
+The issue occurs because:
+- usb9pfs_rx_header() validates only the declared size in packet header
+- usb9pfs_rx_complete() uses req->actual (actual received bytes) for
+memcpy
+
+This allows an attacker to craft packets with small declared size
+(bypassing validation) but large actual payload (triggering overflow
+in memcpy).
+
+Add validation in usb9pfs_rx_complete() to ensure req->actual does not
+exceed the buffer capacity before copying data.
+
+Reported-by: Yuhao Jiang <danisjiang@gmail.com>
+Closes: https://lkml.kernel.org/r/20250616132539.63434-1-danisjiang@gmail.com
+Fixes: a3be076dc174 ("net/9p/usbg: Add new usb gadget function transport")
+Cc: stable@vger.kernel.org
+Message-ID: <20250622-9p-usb_overflow-v3-1-ab172691b946@codewreck.org>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_usbg.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/net/9p/trans_usbg.c
++++ b/net/9p/trans_usbg.c
+@@ -231,6 +231,8 @@ static void usb9pfs_rx_complete(struct u
+ struct f_usb9pfs *usb9pfs = ep->driver_data;
+ struct usb_composite_dev *cdev = usb9pfs->function.config->cdev;
+ struct p9_req_t *p9_rx_req;
++ unsigned int req_size = req->actual;
++ int status = REQ_STATUS_RCVD;
+
+ if (req->status) {
+ dev_err(&cdev->gadget->dev, "%s usb9pfs complete --> %d, %d/%d\n",
+@@ -242,11 +244,19 @@ static void usb9pfs_rx_complete(struct u
+ if (!p9_rx_req)
+ return;
+
+- memcpy(p9_rx_req->rc.sdata, req->buf, req->actual);
++ if (req_size > p9_rx_req->rc.capacity) {
++ dev_err(&cdev->gadget->dev,
++ "%s received data size %u exceeds buffer capacity %zu\n",
++ ep->name, req_size, p9_rx_req->rc.capacity);
++ req_size = 0;
++ status = REQ_STATUS_ERROR;
++ }
++
++ memcpy(p9_rx_req->rc.sdata, req->buf, req_size);
+
+- p9_rx_req->rc.size = req->actual;
++ p9_rx_req->rc.size = req_size;
+
+- p9_client_cb(usb9pfs->client, p9_rx_req, REQ_STATUS_RCVD);
++ p9_client_cb(usb9pfs->client, p9_rx_req, status);
+ p9_req_put(usb9pfs->client, p9_rx_req);
+
+ complete(&usb9pfs->received);
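Review bot: The new `dev_err()` in the oversize branch of usb9pfs_rx_complete() fires once per offending transfer, and the commit message attributes such transfers to a malicious USB host, so the peer can drive unbounded kernel log output; `dev_err_ratelimited(&cdev->gadget->dev, ...)` with the same arguments would bound it. The error path also hands `REQ_STATUS_ERROR` to `p9_client_cb()` without recording an error code on the request; if the client reads one when it sees that status (not visible in this hunk), something like `p9_rx_req->t_err = -EIO;` before the callback would give callers a definite errno. The function starts and ends outside the hunk.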
--- /dev/null
+From 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Sun, 5 Oct 2025 10:12:03 +0200
+Subject: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a upstream.
+
+Prevent USB runtime PM (autosuspend) for AX88772* in bind.
+
+usbnet enables runtime PM (autosuspend) by default, so disabling it via
+the usb_driver flag is ineffective. On AX88772B, autosuspend shows no
+measurable power saving with current driver (no link partner, admin
+up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering
+the PHY off on admin-down, not from USB autosuspend.
+
+The real hazard is that with runtime PM enabled, ndo_open() (under RTNL)
+may synchronously trigger autoresume (usb_autopm_get_interface()) into
+asix_resume() while the USB PM lock is held. Resume paths then invoke
+phylink/phylib and MDIO, which also expect RTNL, leading to possible
+deadlocks or PM lock vs MDIO wake issues.
+
+To avoid this, keep the device runtime-PM active by taking a usage
+reference in ax88772_bind() and dropping it in unbind(). A non-zero PM
+usage count blocks runtime suspend regardless of userspace policy
+(.../power/control - pm_runtime_allow/forbid), making this approach
+robust against sysfs overrides.
+
+Holding a runtime-PM usage ref does not affect system-wide suspend;
+system sleep/resume callbacks continue to run as before.
+
+Fixes: 4a2c7217cd5a ("net: usb: asix: ax88772: manage PHY PM from MAC")
+Reported-by: Hubert Wiśniewski <hubert.wisniewski.25632@gmail.com>
+Closes: https://lore.kernel.org/all/DCGHG5UJT9G3.2K1GHFZ3H87T0@gmail.com
+Tested-by: Hubert Wiśniewski <hubert.wisniewski.25632@gmail.com>
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Closes: https://lore.kernel.org/all/b5ea8296-f981-445d-a09a-2f389d7f6fdd@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20251005081203.3067982-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/asix_devices.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -625,6 +625,21 @@ static void ax88772_suspend(struct usbne
+ asix_read_medium_status(dev, 1));
+ }
+
++/* Notes on PM callbacks and locking context:
++ *
++ * - asix_suspend()/asix_resume() are invoked for both runtime PM and
++ * system-wide suspend/resume. For struct usb_driver the ->resume()
++ * callback does not receive pm_message_t, so the resume type cannot
++ * be distinguished here.
++ *
++ * - The MAC driver must hold RTNL when calling phylink interfaces such as
++ * phylink_suspend()/resume(). Those calls will also perform MDIO I/O.
++ *
++ * - Taking RTNL and doing MDIO from a runtime-PM resume callback (while
++ * the USB PM lock is held) is fragile. Since autosuspend brings no
++ * measurable power saving here, we block it by holding a PM usage
++ * reference in ax88772_bind().
++ */
+ static int asix_suspend(struct usb_interface *intf, pm_message_t message)
+ {
+ struct usbnet *dev = usb_get_intfdata(intf);
+@@ -919,6 +934,13 @@ static int ax88772_bind(struct usbnet *d
+ if (ret)
+ goto initphy_err;
+
++ /* Keep this interface runtime-PM active by taking a usage ref.
++ * Prevents runtime suspend while bound and avoids resume paths
++ * that could deadlock (autoresume under RTNL while USB PM lock
++ * is held, phylink/MDIO wants RTNL).
++ */
++ pm_runtime_get_noresume(&intf->dev);
++
+ return 0;
+
+ initphy_err:
+@@ -948,6 +970,8 @@ static void ax88772_unbind(struct usbnet
+ phylink_destroy(priv->phylink);
+ ax88772_mdio_unregister(priv);
+ asix_rx_fixup_common_free(dev->driver_priv);
++ /* Drop the PM usage ref taken in bind() */
++ pm_runtime_put(&intf->dev);
+ }
+
+ static void ax88178_unbind(struct usbnet *dev, struct usb_interface *intf)
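Review bot: ax88772_unbind() drops the usage reference with `pm_runtime_put()`, which is not the direct counterpart of the `pm_runtime_get_noresume()` taken in ax88772_bind(): the put variant can also queue an idle request for an interface that is in the middle of being unbound. `pm_runtime_put_noidle(&intf->dev);` would mirror the get exactly; if the idle request is intended, the comment above the call should say so. The body of ax88772_unbind() starts outside the hunk.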
+@@ -1600,6 +1624,11 @@ static struct usb_driver asix_driver = {
+ .resume = asix_resume,
+ .reset_resume = asix_resume,
+ .disconnect = usbnet_disconnect,
++ /* usbnet enables autosuspend by default (supports_autosuspend=1).
++ * We keep runtime-PM active for AX88772* by taking a PM usage
++ * reference in ax88772_bind() (pm_runtime_get_noresume()) and
++ * dropping it in unbind(), which effectively blocks autosuspend.
++ */
+ .supports_autosuspend = 1,
+ .disable_hub_initiated_lpm = 1,
+ };
--- /dev/null
+From a9e6aa994917ee602798bbb03180a194b37865bb Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Thu, 25 Sep 2025 14:44:48 +0800
+Subject: nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit a9e6aa994917ee602798bbb03180a194b37865bb upstream.
+
+devm_kcalloc() may fail. ndtest_probe() allocates three DMA address
+arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses
+them in ndtest_nvdimm_init(), which can lead to a NULL pointer
+dereference under low-memory conditions.
+
+Check all three allocations and return -ENOMEM if any allocation fails,
+jumping to the common error path. Do not emit an extra error message
+since the allocator already warns on allocation failure.
+
+Fixes: 9399ab61ad82 ("ndtest: Add dimms to the two buses")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/nvdimm/test/ndtest.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/nvdimm/test/ndtest.c
++++ b/tools/testing/nvdimm/test/ndtest.c
+@@ -850,11 +850,22 @@ static int ndtest_probe(struct platform_
+
+ p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+ sizeof(dma_addr_t), GFP_KERNEL);
++ if (!p->dcr_dma) {
++ rc = -ENOMEM;
++ goto err;
++ }
+ p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+ sizeof(dma_addr_t), GFP_KERNEL);
++ if (!p->label_dma) {
++ rc = -ENOMEM;
++ goto err;
++ }
+ p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+ sizeof(dma_addr_t), GFP_KERNEL);
+-
++ if (!p->dimm_dma) {
++ rc = -ENOMEM;
++ goto err;
++ }
+ rc = ndtest_nvdimm_init(p);
+ if (rc)
+ goto err;
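Review bot: The same four-line failure block is repeated after each of the three devm_kcalloc() calls in ndtest_probe(); since the allocations are device-managed and all branch to the same `err` label, a single test after the third call reads better: `if (!p->dcr_dma || !p->label_dma || !p->dimm_dma) {` followed by the existing `rc = -ENOMEM; goto err;`. The hunk also drops the blank line that separated the allocations from the `ndtest_nvdimm_init()` call; keeping it would preserve the visual grouping. The function starts and ends outside the hunk.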
--- /dev/null
+From deb2f228388ff3a9d0623e3b59a053e9235c341d Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Mon, 29 Sep 2025 02:15:47 -0700
+Subject: PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()
+
+From: Breno Leitao <leitao@debian.org>
+
+commit deb2f228388ff3a9d0623e3b59a053e9235c341d upstream.
+
+When platform firmware supplies error information to the OS, e.g., via the
+ACPI APEI GHES mechanism, it may identify an error source device that
+doesn't advertise an AER Capability and therefore dev->aer_info, which
+contains AER stats and ratelimiting data, is NULL.
+
+pci_dev_aer_stats_incr() already checks dev->aer_info for NULL, but
+aer_ratelimit() did not, leading to NULL pointer dereferences like this one
+from the URL below:
+
+ {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 0
+ {1}[Hardware Error]: event severity: corrected
+ {1}[Hardware Error]: device_id: 0000:00:00.0
+ {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2020
+ {1}[Hardware Error]: aer_cor_status: 0x00001000, aer_cor_mask: 0x00002000
+ BUG: kernel NULL pointer dereference, address: 0000000000000264
+ RIP: 0010:___ratelimit+0xc/0x1b0
+ pci_print_aer+0x141/0x360
+ aer_recover_work_func+0xb5/0x130
+
+[8086:2020] is an Intel "Sky Lake-E DMI3 Registers" device that claims to
+be a Root Port but does not advertise an AER Capability.
+
+Add a NULL check in aer_ratelimit() to avoid the NULL pointer dereference.
+Note that this also prevents ratelimiting these events from GHES.
+
+Fixes: a57f2bfb4a5863 ("PCI/AER: Ratelimit correctable and non-fatal error logging")
+Link: https://lore.kernel.org/r/buduna6darbvwfg3aogl5kimyxkggu3n4romnmq6sozut6axeu@clnx7sfsy457/
+Signed-off-by: Breno Leitao <leitao@debian.org>
+[bhelgaas: add crash details to commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250929-aer_crash_2-v1-1-68ec4f81c356@debian.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/aer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/pci/pcie/aer.c
++++ b/drivers/pci/pcie/aer.c
+@@ -786,6 +786,9 @@ static void pci_rootport_aer_stats_incr(
+
+ static int aer_ratelimit(struct pci_dev *dev, unsigned int severity)
+ {
++ if (!dev->aer_info)
++ return 1;
++
+ switch (severity) {
+ case AER_NONFATAL:
+ return __ratelimit(&dev->aer_info->nonfatal_ratelimit);
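Review bot: The early `return 1` in aer_ratelimit() carries no comment, and that 1 means "log the event" is only evident from the `__ratelimit()` calls below it. The commit message states that dev->aer_info is NULL for error sources without an AER Capability and that such events are then not ratelimited at all; that belongs in the code, e.g. `/* No AER Capability (e.g. GHES-reported source): no ratelimit state, always log */`. A firmware-reported error storm for such a device would be logged without a bound, so a fallback ratelimit may be worth a follow-up. The switch continues outside the hunk.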
--- /dev/null
+From 85afa9ea122dd9d4a2ead104a951d318975dcd25 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Tue, 16 Sep 2025 11:57:56 +0900
+Subject: PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 85afa9ea122dd9d4a2ead104a951d318975dcd25 upstream.
+
+The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be
+NULL even after EPF initialization. Then it is prudent to check that
+they have non-NULL values before releasing the channels. Add the checks
+in pci_epf_test_clean_dma_chan().
+
+Without the checks, NULL pointer dereferences happen and they can lead
+to a kernel panic in some cases:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
+ Call trace:
+ dma_release_channel+0x2c/0x120 (P)
+ pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test]
+ pci_epc_deinit_notify+0x74/0xc0
+ tegra_pcie_ep_pex_rst_irq+0x250/0x5d8
+ irq_thread_fn+0x34/0xb8
+ irq_thread+0x18c/0x2e8
+ kthread+0x14c/0x210
+ ret_from_fork+0x10/0x20
+
+Fixes: 8353813c88ef ("PCI: endpoint: Enable DMA tests for endpoints with DMA capabilities")
+Fixes: 5ebf3fc59bd2 ("PCI: endpoint: functions/pci-epf-test: Add DMA support to transfer data")
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+[mani: trimmed the stack trace]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250916025756.34807-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-test.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-test.c
++++ b/drivers/pci/endpoint/functions/pci-epf-test.c
+@@ -301,15 +301,20 @@ static void pci_epf_test_clean_dma_chan(
+ if (!epf_test->dma_supported)
+ return;
+
+- dma_release_channel(epf_test->dma_chan_tx);
+- if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) {
++ if (epf_test->dma_chan_tx) {
++ dma_release_channel(epf_test->dma_chan_tx);
++ if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) {
++ epf_test->dma_chan_tx = NULL;
++ epf_test->dma_chan_rx = NULL;
++ return;
++ }
+ epf_test->dma_chan_tx = NULL;
+- epf_test->dma_chan_rx = NULL;
+- return;
+ }
+
+- dma_release_channel(epf_test->dma_chan_rx);
+- epf_test->dma_chan_rx = NULL;
++ if (epf_test->dma_chan_rx) {
++ dma_release_channel(epf_test->dma_chan_rx);
++ epf_test->dma_chan_rx = NULL;
++ }
+ }
+
+ static void pci_epf_test_print_rate(struct pci_epf_test *epf_test,
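Review bot: The NULL checks in pci_epf_test_clean_dma_chan() are layered onto the old early-return structure, which leaves the shared-channel case nested inside the tx branch and the NULL assignments written three times. Releasing tx if set, releasing rx only if set and distinct from tx, and then clearing both fields once gives the same behaviour for every combination of NULL, shared and separate channels, and is easier to check. The function's signature and its `dma_supported` guard start outside the rewritten lines.

```c
	/* … unchanged: dma_supported early return … */
	if (epf_test->dma_chan_tx)
		dma_release_channel(epf_test->dma_chan_tx);

	/* A single channel may serve both directions; release it once. */
	if (epf_test->dma_chan_rx &&
	    epf_test->dma_chan_rx != epf_test->dma_chan_tx)
		dma_release_channel(epf_test->dma_chan_rx);

	epf_test->dma_chan_tx = NULL;
	epf_test->dma_chan_rx = NULL;
```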
--- /dev/null
+From 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 2 Sep 2025 13:59:10 +0200
+Subject: pinctrl: check the return value of pinmux_ops::get_function_name()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 upstream.
+
+While the API contract in docs doesn't specify it explicitly, the
+generic implementation of the get_function_name() callback from struct
+pinmux_ops - pinmux_generic_get_function_name() - can fail and return
+NULL. This is already checked in pinmux_check_ops() so add a similar
+check in pinmux_func_name_to_selector() instead of passing the returned
+pointer right down to strcmp() where the NULL can get dereferenced. This
+is normal operation when adding new pinfunctions.
+
+Cc: stable@vger.kernel.org
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinmux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinmux.c
++++ b/drivers/pinctrl/pinmux.c
+@@ -337,7 +337,7 @@ static int pinmux_func_name_to_selector(
+ while (selector < nfuncs) {
+ const char *fname = ops->get_function_name(pctldev, selector);
+
+- if (!strcmp(function, fname))
++ if (fname && !strcmp(function, fname))
+ return selector;
+
+ selector++;
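Review bot: The added `fname &&` guard silently skips selectors whose name lookup returns NULL, and nothing in pinmux_func_name_to_selector() says that this is expected. The commit message explains that the generic get_function_name() implementation can return NULL during normal operation; a short comment above the test, such as `/* get_function_name() may return NULL for a selector; skip it */`, would keep the next reader from treating it as a masked error. The loop starts and ends outside the hunk.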
--- /dev/null
+From d41e075b077142bb9ae5df40b9ddf9fd7821a811 Mon Sep 17 00:00:00 2001
+From: Zhen Ni <zhen.ni@easystack.cn>
+Date: Tue, 23 Sep 2025 19:21:09 +0800
+Subject: remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+commit d41e075b077142bb9ae5df40b9ddf9fd7821a811 upstream.
+
+pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL
+check, which could lead to a null pointer dereference. Move the pru
+assignment, ensuring we never dereference a NULL rproc pointer.
+
+Fixes: 102853400321 ("remoteproc: pru: Add pru_rproc_set_ctable() function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://lore.kernel.org/r/20250923112109.1165126-1-zhen.ni@easystack.cn
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/pru_rproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/pru_rproc.c
++++ b/drivers/remoteproc/pru_rproc.c
+@@ -340,7 +340,7 @@ EXPORT_SYMBOL_GPL(pru_rproc_put);
+ */
+ int pru_rproc_set_ctable(struct rproc *rproc, enum pru_ctable_idx c, u32 addr)
+ {
+- struct pru_rproc *pru = rproc->priv;
++ struct pru_rproc *pru;
+ unsigned int reg;
+ u32 mask, set;
+ u16 idx;
+@@ -352,6 +352,7 @@ int pru_rproc_set_ctable(struct rproc *r
+ if (!rproc->dev.parent || !is_pru_rproc(rproc->dev.parent))
+ return -ENODEV;
+
++ pru = rproc->priv;
+ /* pointer is 16 bit and index is 8-bit so mask out the rest */
+ idx_mask = (c >= PRU_C28) ? 0xFFFF : 0xFF;
+
--- /dev/null
+From 0389c305ef56cbadca4cbef44affc0ec3213ed30 Mon Sep 17 00:00:00 2001
+From: Lance Yang <lance.yang@linux.dev>
+Date: Wed, 17 Sep 2025 21:31:37 +0800
+Subject: selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is disabled
+
+From: Lance Yang <lance.yang@linux.dev>
+
+commit 0389c305ef56cbadca4cbef44affc0ec3213ed30 upstream.
+
+The madv_populate and soft-dirty kselftests currently fail on systems
+where CONFIG_MEM_SOFT_DIRTY is disabled.
+
+Introduce a new helper softdirty_supported() into vm_util.c/h to ensure
+tests are properly skipped when the feature is not enabled.
+
+Link: https://lkml.kernel.org/r/20250917133137.62802-1-lance.yang@linux.dev
+Fixes: 9f3265db6ae8 ("selftests: vm: add test for Soft-Dirty PTE bit")
+Signed-off-by: Lance Yang <lance.yang@linux.dev>
+Acked-by: David Hildenbrand <david@redhat.com>
+Suggested-by: David Hildenbrand <david@redhat.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Gabriel Krisman Bertazi <krisman@collabora.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/madv_populate.c | 21 ++-------------------
+ tools/testing/selftests/mm/soft-dirty.c | 5 ++++-
+ tools/testing/selftests/mm/vm_util.c | 17 +++++++++++++++++
+ tools/testing/selftests/mm/vm_util.h | 1 +
+ 4 files changed, 24 insertions(+), 20 deletions(-)
+
+--- a/tools/testing/selftests/mm/madv_populate.c
++++ b/tools/testing/selftests/mm/madv_populate.c
+@@ -264,23 +264,6 @@ static void test_softdirty(void)
+ munmap(addr, SIZE);
+ }
+
+-static int system_has_softdirty(void)
+-{
+- /*
+- * There is no way to check if the kernel supports soft-dirty, other
+- * than by writing to a page and seeing if the bit was set. But the
+- * tests are intended to check that the bit gets set when it should, so
+- * doing that check would turn a potentially legitimate fail into a
+- * skip. Fortunately, we know for sure that arm64 does not support
+- * soft-dirty. So for now, let's just use the arch as a corse guide.
+- */
+-#if defined(__aarch64__)
+- return 0;
+-#else
+- return 1;
+-#endif
+-}
+-
+ int main(int argc, char **argv)
+ {
+ int nr_tests = 16;
+@@ -288,7 +271,7 @@ int main(int argc, char **argv)
+
+ pagesize = getpagesize();
+
+- if (system_has_softdirty())
++ if (softdirty_supported())
+ nr_tests += 5;
+
+ ksft_print_header();
+@@ -300,7 +283,7 @@ int main(int argc, char **argv)
+ test_holes();
+ test_populate_read();
+ test_populate_write();
+- if (system_has_softdirty())
++ if (softdirty_supported())
+ test_softdirty();
+
+ err = ksft_get_fail_cnt();
+--- a/tools/testing/selftests/mm/soft-dirty.c
++++ b/tools/testing/selftests/mm/soft-dirty.c
+@@ -200,8 +200,11 @@ int main(int argc, char **argv)
+ int pagesize;
+
+ ksft_print_header();
+- ksft_set_plan(15);
+
++ if (!softdirty_supported())
++ ksft_exit_skip("soft-dirty is not support\n");
++
++ ksft_set_plan(15);
+ pagemap_fd = open(PAGEMAP_FILE_PATH, O_RDONLY);
+ if (pagemap_fd < 0)
+ ksft_exit_fail_msg("Failed to open %s\n", PAGEMAP_FILE_PATH);
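Review bot: The skip message passed to `ksft_exit_skip()` reads "soft-dirty is not support"; it should be `ksft_exit_skip("soft-dirty is not supported\n");`. Moving `ksft_set_plan(15)` below the skip check also leaves it directly above the `open()` call with no blank line; a blank line after it would keep the setup steps apart.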
+--- a/tools/testing/selftests/mm/vm_util.c
++++ b/tools/testing/selftests/mm/vm_util.c
+@@ -426,6 +426,23 @@ bool check_vmflag_io(void *addr)
+ }
+ }
+
++bool softdirty_supported(void)
++{
++ char *addr;
++ bool supported = false;
++ const size_t pagesize = getpagesize();
++
++ /* New mappings are expected to be marked with VM_SOFTDIRTY (sd). */
++ addr = mmap(0, pagesize, PROT_READ | PROT_WRITE,
++ MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
++ if (!addr)
++ ksft_exit_fail_msg("mmap failed\n");
++
++ supported = check_vmflag(addr, "sd");
++ munmap(addr, pagesize);
++ return supported;
++}
++
+ /*
+ * Open an fd at /proc/$pid/maps and configure procmap_out ready for
+ * PROCMAP_QUERY query. Returns 0 on success, or an error code otherwise.
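Review bot: The failure check after `mmap()` in softdirty_supported() tests `if (!addr)`, but mmap() reports failure by returning MAP_FAILED, not NULL, so a failed mapping is passed on to `check_vmflag()` and `munmap()`; the test should be `if (addr == MAP_FAILED)`. The call also passes 0 as the file descriptor together with MAP_ANONYMOUS, where -1 is the portable value. The helper has no comment stating that it exits the whole test run on mmap failure instead of returning false, which the callers in madv_populate.c and soft-dirty.c may not expect.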
+--- a/tools/testing/selftests/mm/vm_util.h
++++ b/tools/testing/selftests/mm/vm_util.h
+@@ -99,6 +99,7 @@ bool find_vma_procmap(struct procmap_fd
+ int close_procmap(struct procmap_fd *procmap);
+ int write_sysfs(const char *file_path, unsigned long val);
+ int read_sysfs(const char *file_path, unsigned long *val);
++bool softdirty_supported(void);
+
+ static inline int open_self_procmap(struct procmap_fd *procmap_out)
+ {
ksmbd-add-max-ip-connections-parameter.patch
ext4-fix-potential-null-deref-in-ext4_mb_init.patch
ext4-fix-checks-for-orphan-inodes.patch
+kvm-svm-skip-fastpath-emulation-on-vm-exit-if-next-rip-isn-t-valid.patch
+fbdev-simplefb-fix-use-after-free-in-simplefb_detach_genpds.patch
+mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
+selftests-mm-skip-soft-dirty-tests-when-config_mem_soft_dirty-is-disabled.patch
+nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch
+misc-fastrpc-save-actual-dma-size-in-fastrpc_map-structure.patch
+misc-fastrpc-fix-fastrpc_map_lookup-operation.patch
+misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch
+misc-fastrpc-skip-reference-for-dma-handles.patch
+input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
+input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
+sunrpc-fix-null-pointer-dereference-on-zero-length-checksum.patch
+pci-aer-avoid-null-pointer-dereference-in-aer_ratelimit.patch
+remoteproc-pru-fix-potential-null-pointer-dereference-in-pru_rproc_set_ctable.patch
+pci-endpoint-pci-epf-test-add-null-check-for-dma-channels-before-release.patch
+thunderbolt-fix-use-after-free-in-tb_dp_dprx_work.patch
+tee-fix-register_shm_helper.patch
+pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
+bus-fsl-mc-check-return-value-of-platform_get_resource.patch
+net-9p-fix-buffer-overflow-in-usb-transport-layer.patch
+net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch
+usb-typec-tipd-clear-interrupts-first.patch
+arm64-dts-qcom-qcm2290-disable-usb-ss-bus-instances-in-park-mode.patch
+usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch
--- /dev/null
+From 6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42 Mon Sep 17 00:00:00 2001
+From: Lei Lu <llfamsec@gmail.com>
+Date: Mon, 11 Aug 2025 21:58:48 +0800
+Subject: sunrpc: fix null pointer dereference on zero-length checksum
+
+From: Lei Lu <llfamsec@gmail.com>
+
+commit 6df164e29bd4e6505c5a2e0e5f1e1f6957a16a42 upstream.
+
+In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes
+checksum.data to be set to NULL. This triggers a NPD when accessing
+checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that
+the value of checksum.len is not less than XDR_UNIT.
+
+Fixes: 0653028e8f1c ("SUNRPC: Convert gss_verify_header() to use xdr_stream")
+Cc: stable@kernel.org
+Signed-off-by: Lei Lu <llfamsec@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -724,7 +724,7 @@ svcauth_gss_verify_header(struct svc_rqs
+ rqstp->rq_auth_stat = rpc_autherr_badverf;
+ return SVC_DENIED;
+ }
+- if (flavor != RPC_AUTH_GSS) {
++ if (flavor != RPC_AUTH_GSS || checksum.len < XDR_UNIT) {
+ rqstp->rq_auth_stat = rpc_autherr_badverf;
+ return SVC_DENIED;
+ }
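Review bot: The length bound `checksum.len < XDR_UNIT` is folded into the flavor test in svcauth_gss_verify_header() with no comment, so the reason for it is lost once the commit message is out of sight. Per the commit message, a zero-length verifier leaves checksum.data NULL and the later MIC verification dereferences it; a comment above the condition such as `/* A zero-length verifier leaves checksum.data NULL; reject it before MIC verification */` would record that. The function starts and ends outside the hunk.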
--- /dev/null
+From d5cf5b37064b1699d946e8b7ab4ac7d7d101814c Mon Sep 17 00:00:00 2001
+From: Jens Wiklander <jens.wiklander@linaro.org>
+Date: Fri, 19 Sep 2025 10:48:31 +0200
+Subject: tee: fix register_shm_helper()
+
+From: Jens Wiklander <jens.wiklander@linaro.org>
+
+commit d5cf5b37064b1699d946e8b7ab4ac7d7d101814c upstream.
+
+In register_shm_helper(), fix incorrect error handling for a call to
+iov_iter_extract_pages(). A case is missing for when
+iov_iter_extract_pages() only got some pages and returns a number larger
+than 0, but not the requested amount.
+
+This fixes a possible NULL pointer dereference following a bad input from
+ioctl(TEE_IOC_SHM_REGISTER) where parts of the buffer aren't mapped.
+
+Cc: stable@vger.kernel.org
+Reported-by: Masami Ichikawa <masami256@gmail.com>
+Closes: https://lore.kernel.org/op-tee/CACOXgS-Bo2W72Nj1_44c7bntyNYOavnTjJAvUbEiQfq=u9W+-g@mail.gmail.com/
+Tested-by: Masami Ichikawa <masami256@gmail.com>
+Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/tee_shm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -321,6 +321,14 @@ register_shm_helper(struct tee_context *
+ if (unlikely(len <= 0)) {
+ ret = len ? ERR_PTR(len) : ERR_PTR(-ENOMEM);
+ goto err_free_shm_pages;
++ } else if (DIV_ROUND_UP(len + off, PAGE_SIZE) != num_pages) {
++ /*
++ * If we only got a few pages, update to release the
++ * correct amount below.
++ */
++ shm->num_pages = len / PAGE_SIZE;
++ ret = ERR_PTR(-ENOMEM);
++ goto err_put_shm_pages;
+ }
+
+ /*
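Review bot: The partial-extraction branch sets `shm->num_pages = len / PAGE_SIZE`, which rounds down and ignores `off`, while the condition just above it counts pages as `DIV_ROUND_UP(len + off, PAGE_SIZE)`. If `off` is non-zero or `len` is not a multiple of PAGE_SIZE, the stored count can be smaller than the number of pages actually extracted, and the release at `err_put_shm_pages` would then leave page references behind; that label is outside the hunk, so this is inferred from the comment about releasing "the correct amount below". Using the same expression, `shm->num_pages = DIV_ROUND_UP(len + off, PAGE_SIZE);`, keeps the two counts consistent. The function starts and ends outside the hunk.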
--- /dev/null
+From 67600ccfc4f38ebd331b9332ac94717bfbc87ea7 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Tue, 23 Sep 2025 13:13:57 +0800
+Subject: thunderbolt: Fix use-after-free in tb_dp_dprx_work
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 67600ccfc4f38ebd331b9332ac94717bfbc87ea7 upstream.
+
+The original code relies on cancel_delayed_work() in tb_dp_dprx_stop(),
+which does not ensure that the delayed work item tunnel->dprx_work has
+fully completed if it was already running. This leads to use-after-free
+scenarios where tb_tunnel is deallocated by tb_tunnel_put(), while
+tunnel->dprx_work remains active and attempts to dereference tb_tunnel
+in tb_dp_dprx_work().
+
+A typical race condition is illustrated below:
+
+CPU 0 | CPU 1
+tb_dp_tunnel_active() |
+ tb_deactivate_and_free_tunnel()| tb_dp_dprx_start()
+ tb_tunnel_deactivate() | queue_delayed_work()
+ tb_dp_activate() |
+ tb_dp_dprx_stop() | tb_dp_dprx_work() //delayed worker
+ cancel_delayed_work() |
+ tb_tunnel_put(tunnel); |
+ | tunnel = container_of(...); //UAF
+ | tunnel-> //UAF
+
+Replacing cancel_delayed_work() with cancel_delayed_work_sync() is
+not feasible as it would introduce a deadlock: both tb_dp_dprx_work()
+and the cleanup path acquire tb->lock, and cancel_delayed_work_sync()
+would wait indefinitely for the work item that cannot proceed.
+
+Instead, implement proper reference counting:
+- If cancel_delayed_work() returns true (work is pending), we release
+ the reference in the stop function.
+- If it returns false (work is executing or already completed), the
+ reference is released in delayed work function itself.
+
+This ensures the tb_tunnel remains valid during work item execution
+while preventing memory leaks.
+
+This bug was found by static analysis.
+
+Fixes: d6d458d42e1e ("thunderbolt: Handle DisplayPort tunnel activation asynchronously")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thunderbolt/tunnel.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/thunderbolt/tunnel.c
++++ b/drivers/thunderbolt/tunnel.c
+@@ -1073,6 +1073,7 @@ static void tb_dp_dprx_work(struct work_
+
+ if (tunnel->callback)
+ tunnel->callback(tunnel, tunnel->callback_data);
++ tb_tunnel_put(tunnel);
+ }
+
+ static int tb_dp_dprx_start(struct tb_tunnel *tunnel)
+@@ -1100,8 +1101,8 @@ static void tb_dp_dprx_stop(struct tb_tu
+ if (tunnel->dprx_started) {
+ tunnel->dprx_started = false;
+ tunnel->dprx_canceled = true;
+- cancel_delayed_work(&tunnel->dprx_work);
+- tb_tunnel_put(tunnel);
++ if (cancel_delayed_work(&tunnel->dprx_work))
++ tb_tunnel_put(tunnel);
+ }
+ }
+
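Review bot: Neither hunk documents the new ownership rule for the tunnel reference, which is now split between tb_dp_dprx_stop() and tb_dp_dprx_work(). A comment at the `cancel_delayed_work()` test such as `/* Work was still pending and will not run: drop its reference here */`, and one at the new `tb_tunnel_put()` in the work function such as `/* Drop the reference held for this work item */`, would make the pairing explicit. Any path in tb_dp_dprx_work() that requeues the work and returns early must not reach the final put; the start of that function is outside the hunk, so this cannot be confirmed from here.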
--- /dev/null
+From e9c206324eeb213957a567a9d066bdeb355c7491 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Wed, 3 Sep 2025 22:16:13 +0800
+Subject: usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit e9c206324eeb213957a567a9d066bdeb355c7491 upstream.
+
+The cdnsp-pci driver uses pcim_enable_device() to enable a PCI device,
+which means the device will be automatically disabled on driver detach
+through the managed device framework. The manual pci_disable_device()
+call in the error path is therefore redundant.
+
+Found via static analysis and this is similar to commit 99ca0b57e49f
+("thermal: intel: int340x: processor: Fix warning during module unload").
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20250903141613.2535472-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-pci.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-pci.c
++++ b/drivers/usb/cdns3/cdnsp-pci.c
+@@ -85,7 +85,7 @@ static int cdnsp_pci_probe(struct pci_de
+ cdnsp = kzalloc(sizeof(*cdnsp), GFP_KERNEL);
+ if (!cdnsp) {
+ ret = -ENOMEM;
+- goto disable_pci;
++ goto put_pci;
+ }
+ }
+
+@@ -168,9 +168,6 @@ free_cdnsp:
+ if (!pci_is_enabled(func))
+ kfree(cdnsp);
+
+-disable_pci:
+- pci_disable_device(pdev);
+-
+ put_pci:
+ pci_dev_put(func);
+
--- /dev/null
+From be5ae730ffa6fd774a00a4705c1e11e078b08ca1 Mon Sep 17 00:00:00 2001
+From: Sven Peter <sven@kernel.org>
+Date: Sun, 14 Sep 2025 12:56:06 +0000
+Subject: usb: typec: tipd: Clear interrupts first
+
+From: Sven Peter <sven@kernel.org>
+
+commit be5ae730ffa6fd774a00a4705c1e11e078b08ca1 upstream.
+
+Right now the interrupt handler first reads all updated status registers
+and only then clears the interrupts. It's possible that a duplicate
+interrupt for a changed register or plug state comes in after the
+interrupts have been processed but before they have been cleared:
+
+* plug is inserted, TPS_REG_INT_PLUG_EVENT is set
+* TPS_REG_INT_EVENT1 is read
+* tps6598x_handle_plug_event() has run and registered the plug
+* plug is removed again, TPS_REG_INT_PLUG_EVENT is set (again)
+* TPS_REG_INT_CLEAR1 is written, TPS_REG_INT_PLUG_EVENT is cleared
+
+We then have no plug connected and no pending interrupt but the tipd
+core still thinks there is a plug. It's possible to trigger this with
+e.g. a slightly broken Type-C to USB A converter.
+
+Fix this by first clearing the interrupts and only then reading the
+updated registers.
+
+Fixes: 45188f27b3d0 ("usb: typec: tipd: Add support for Apple CD321X")
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Cc: stable@kernel.org
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Neal Gompa <neal@gompa.dev>
+Signed-off-by: Sven Peter <sven@kernel.org>
+Link: https://lore.kernel.org/r/20250914-apple-usb3-tipd-v1-1-4e99c8649024@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tipd/core.c | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/typec/tipd/core.c
++++ b/drivers/usb/typec/tipd/core.c
+@@ -545,24 +545,23 @@ static irqreturn_t cd321x_interrupt(int
+ if (!event)
+ goto err_unlock;
+
++ tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event);
++
+ if (!tps6598x_read_status(tps, &status))
+- goto err_clear_ints;
++ goto err_unlock;
+
+ if (event & APPLE_CD_REG_INT_POWER_STATUS_UPDATE)
+ if (!tps6598x_read_power_status(tps))
+- goto err_clear_ints;
++ goto err_unlock;
+
+ if (event & APPLE_CD_REG_INT_DATA_STATUS_UPDATE)
+ if (!tps6598x_read_data_status(tps))
+- goto err_clear_ints;
++ goto err_unlock;
+
+ /* Handle plug insert or removal */
+ if (event & APPLE_CD_REG_INT_PLUG_EVENT)
+ tps6598x_handle_plug_event(tps, status);
+
+-err_clear_ints:
+- tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event);
+-
+ err_unlock:
+ mutex_unlock(&tps->lock);
+
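Review bot: The return values of the interrupt-clear writes are ignored, both `tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event);` here in cd321x_interrupt() and the two `tps6598x_block_write()` calls in tps6598x_interrupt() in the next hunk. Now that the clear runs before the status reads, a failed bus write goes unnoticed and the handler carries on as if the events had been acknowledged, which could leave the interrupt asserted. Assuming these helpers return an error code, I would at least log the failure, e.g. `if (tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event)) dev_warn(tps->dev, "failed to clear interrupts\n");`, and do the same for the block writes. Both handlers start and end outside their hunks.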
+@@ -668,25 +667,24 @@ static irqreturn_t tps6598x_interrupt(in
+ if (!(event1[0] | event1[1] | event2[0] | event2[1]))
+ goto err_unlock;
+
++ tps6598x_block_write(tps, TPS_REG_INT_CLEAR1, event1, intev_len);
++ tps6598x_block_write(tps, TPS_REG_INT_CLEAR2, event2, intev_len);
++
+ if (!tps6598x_read_status(tps, &status))
+- goto err_clear_ints;
++ goto err_unlock;
+
+ if ((event1[0] | event2[0]) & TPS_REG_INT_POWER_STATUS_UPDATE)
+ if (!tps6598x_read_power_status(tps))
+- goto err_clear_ints;
++ goto err_unlock;
+
+ if ((event1[0] | event2[0]) & TPS_REG_INT_DATA_STATUS_UPDATE)
+ if (!tps6598x_read_data_status(tps))
+- goto err_clear_ints;
++ goto err_unlock;
+
+ /* Handle plug insert or removal */
+ if ((event1[0] | event2[0]) & TPS_REG_INT_PLUG_EVENT)
+ tps6598x_handle_plug_event(tps, status);
+
+-err_clear_ints:
+- tps6598x_block_write(tps, TPS_REG_INT_CLEAR1, event1, intev_len);
+- tps6598x_block_write(tps, TPS_REG_INT_CLEAR2, event2, intev_len);
+-
+ err_unlock:
+ mutex_unlock(&tps->lock);
+