6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Oct 2025 12:02:29 +0000 (14:02 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Oct 2025 12:02:29 +0000 (14:02 +0200)
added patches:
bus-fsl-mc-check-return-value-of-platform_get_resource.patch
input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
misc-fastrpc-fix-fastrpc_map_lookup-operation.patch
misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch
misc-fastrpc-skip-reference-for-dma-handles.patch
mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch
nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch
pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch
usb-typec-tipd-clear-interrupts-first.patch

13 files changed:
queue-6.1/bus-fsl-mc-check-return-value-of-platform_get_resource.patch [new file with mode: 0644]
queue-6.1/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch [new file with mode: 0644]
queue-6.1/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch [new file with mode: 0644]
queue-6.1/misc-fastrpc-fix-fastrpc_map_lookup-operation.patch [new file with mode: 0644]
queue-6.1/misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch [new file with mode: 0644]
queue-6.1/misc-fastrpc-skip-reference-for-dma-handles.patch [new file with mode: 0644]
queue-6.1/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch [new file with mode: 0644]
queue-6.1/net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch [new file with mode: 0644]
queue-6.1/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch [new file with mode: 0644]
queue-6.1/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch [new file with mode: 0644]
queue-6.1/usb-typec-tipd-clear-interrupts-first.patch [new file with mode: 0644]

diff --git a/queue-6.1/bus-fsl-mc-check-return-value-of-platform_get_resource.patch b/queue-6.1/bus-fsl-mc-check-return-value-of-platform_get_resource.patch
new file mode 100644 (file)
index 0000000..e39f37e
--- /dev/null
@@ -0,0 +1,36 @@
+From 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae Mon Sep 17 00:00:00 2001
+From: Salah Triki <salah.triki@gmail.com>
+Date: Mon, 25 Aug 2025 10:34:35 +0100
+Subject: bus: fsl-mc: Check return value of platform_get_resource()
+
+From: Salah Triki <salah.triki@gmail.com>
+
+commit 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae upstream.
+
+platform_get_resource() returns NULL in case of failure, so check its
+return value and propagate the error in order to prevent NULL pointer
+dereference.
+
+Fixes: 6305166c8771 ("bus: fsl-mc: Add ACPI support for fsl-mc")
+Cc: stable@vger.kernel.org
+Signed-off-by: Salah Triki <salah.triki@gmail.com>
+Acked-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/aKwuK6TRr5XNYQ8u@pc
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -1172,6 +1172,9 @@ static int fsl_mc_bus_probe(struct platf
+        * Get physical address of MC portal for the root DPRC:
+        */
+       plat_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++      if (!plat_res)
++              return -EINVAL;
++
+       mc_portal_phys_addr = plat_res->start;
+       mc_portal_size = resource_size(plat_res);
+       mc_portal_base_phys_addr = mc_portal_phys_addr & ~0x3ffffff;
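Review bot: The added `return -EINVAL;` under `if (!plat_res)` fails the probe silently, so a platform description that lacks memory resource 0 shows up only as a bare error code. A one-line diagnostic before the return, e.g. `dev_err(&pdev->dev, "missing MC portal memory resource\n");`, would make the cause visible in the log. fsl_mc_bus_probe() starts and ends outside this hunk, so whether anything acquired earlier needs unwinding before this direct return cannot be confirmed from here.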
diff --git a/queue-6.1/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch b/queue-6.1/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
new file mode 100644 (file)
index 0000000..d84638f
--- /dev/null
@@ -0,0 +1,33 @@
+From c7866ee0a9ddd9789faadf58cdac6abd7aabf045 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut@mailbox.org>
+Date: Sun, 5 Oct 2025 04:33:10 +0200
+Subject: Input: atmel_mxt_ts - allow reset GPIO to sleep
+
+From: Marek Vasut <marek.vasut@mailbox.org>
+
+commit c7866ee0a9ddd9789faadf58cdac6abd7aabf045 upstream.
+
+The reset GPIO is not toggled in any critical section where it couldn't
+sleep, allow the reset GPIO to sleep. This allows the driver to operate
+reset GPIOs connected to I2C GPIO expanders.
+
+Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
+Link: https://lore.kernel.org/r/20251005023335.166483-1-marek.vasut@mailbox.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3239,7 +3239,7 @@ static int mxt_probe(struct i2c_client *
+       if (data->reset_gpio) {
+               /* Wait a while and then de-assert the RESET GPIO line */
+               msleep(MXT_RESET_GPIO_TIME);
+-              gpiod_set_value(data->reset_gpio, 0);
++              gpiod_set_value_cansleep(data->reset_gpio, 0);
+               msleep(MXT_RESET_INVALID_CHG);
+       }
diff --git a/queue-6.1/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch b/queue-6.1/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
new file mode 100644 (file)
index 0000000..1d7cc52
--- /dev/null
@@ -0,0 +1,37 @@
+From d3366a04770eea807f2826cbdb96934dd8c9bf79 Mon Sep 17 00:00:00 2001
+From: Zhen Ni <zhen.ni@easystack.cn>
+Date: Sun, 28 Sep 2025 14:37:37 +0800
+Subject: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+commit d3366a04770eea807f2826cbdb96934dd8c9bf79 upstream.
+
+Struct ff_effect_compat is embedded twice inside
+uinput_ff_upload_compat, contains internal padding. In particular, there
+is a hole after struct ff_replay to satisfy alignment requirements for
+the following union member. Without clearing the structure,
+copy_to_user() may leak stack data to userspace.
+
+Initialize ff_up_compat to zero before filling valid fields.
+
+Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/uinput.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -741,6 +741,7 @@ static int uinput_ff_upload_to_user(char
+       if (in_compat_syscall()) {
+               struct uinput_ff_upload_compat ff_up_compat;
++              memset(&ff_up_compat, 0, sizeof(ff_up_compat));
+               ff_up_compat.request_id = ff_up->request_id;
+               ff_up_compat.retval = ff_up->retval;
+               /*
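Review bot: The added `memset(&ff_up_compat, 0, sizeof(ff_up_compat));` has no comment saying it exists to clear padding, which invites a later cleanup into an initializer such as `= { 0 }`. An initializer is not guaranteed to zero padding bytes, so the hole after struct ff_replay could reach copy_to_user() again. I would add `/* memset, not an initializer: padding must be zeroed before copy_to_user() */` above the call. The non-compat branch of uinput_ff_upload_to_user() is outside this hunk, so whether the structure it copies out is fully initialised by its producer should be checked separately.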
diff --git a/queue-6.1/misc-fastrpc-fix-fastrpc_map_lookup-operation.patch b/queue-6.1/misc-fastrpc-fix-fastrpc_map_lookup-operation.patch
new file mode 100644 (file)
index 0000000..aa44da7
--- /dev/null
@@ -0,0 +1,49 @@
+From 9031626ade38b092b72638dfe0c6ffce8d8acd43 Mon Sep 17 00:00:00 2001
+From: Ling Xu <quic_lxu5@quicinc.com>
+Date: Fri, 12 Sep 2025 14:12:34 +0100
+Subject: misc: fastrpc: Fix fastrpc_map_lookup operation
+
+From: Ling Xu <quic_lxu5@quicinc.com>
+
+commit 9031626ade38b092b72638dfe0c6ffce8d8acd43 upstream.
+
+Fastrpc driver creates maps for user allocated fd buffers. Before
+creating a new map, the map list is checked for any already existing
+maps using map fd. Checking with just map fd is not sufficient as the
+user can pass offsetted buffer with less size when the map is created
+and then a larger size the next time which could result in memory
+issues. Check for dma_buf object also when looking up for the map.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable@kernel.org
+Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ling Xu <quic_lxu5@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://lore.kernel.org/r/20250912131236.303102-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -346,11 +346,16 @@ static int fastrpc_map_lookup(struct fas
+ {
+       struct fastrpc_session_ctx *sess = fl->sctx;
+       struct fastrpc_map *map = NULL;
++      struct dma_buf *buf;
+       int ret = -ENOENT;
++      buf = dma_buf_get(fd);
++      if (IS_ERR(buf))
++              return PTR_ERR(buf);
++
+       spin_lock(&fl->lock);
+       list_for_each_entry(map, &fl->maps, node) {
+-              if (map->fd != fd)
++              if (map->fd != fd || map->buf != buf)
+                       continue;
+               if (take_ref) {
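Review bot: The reference taken by `buf = dma_buf_get(fd);` is never released. All six inserted lines of this patch are visible here and none is a `dma_buf_put()`, so each call to fastrpc_map_lookup() appears to leak one dma_buf reference, whether or not a map matches. Because the fd is supplied by the caller, repeated lookups could keep buffers pinned well past their intended lifetime. The pointer is needed only for the `map->buf != buf` comparison, so `dma_buf_put(buf);` after the list walk, once `fl->lock` has been dropped, would balance it. The end of the function is outside the hunk, so confirm the placement against the full body.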
diff --git a/queue-6.1/misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch b/queue-6.1/misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch
new file mode 100644 (file)
index 0000000..1f26202
--- /dev/null
@@ -0,0 +1,66 @@
+From da1ba64176e0138f2bfa96f9e43e8c3640d01e1e Mon Sep 17 00:00:00 2001
+From: Ling Xu <quic_lxu5@quicinc.com>
+Date: Fri, 12 Sep 2025 14:12:35 +0100
+Subject: misc: fastrpc: fix possible map leak in fastrpc_put_args
+
+From: Ling Xu <quic_lxu5@quicinc.com>
+
+commit da1ba64176e0138f2bfa96f9e43e8c3640d01e1e upstream.
+
+copy_to_user() failure would cause an early return without cleaning up
+the fdlist, which has been updated by the DSP. This could lead to map
+leak. Fix this by redirecting to a cleanup path on failure, ensuring
+that all mapped buffers are properly released before returning.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: stable@kernel.org
+Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ling Xu <quic_lxu5@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://lore.kernel.org/r/20250912131236.303102-4-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1018,6 +1018,7 @@ static int fastrpc_put_args(struct fastr
+       struct fastrpc_phy_page *pages;
+       u64 *fdlist;
+       int i, inbufs, outbufs, handles;
++      int ret = 0;
+       inbufs = REMOTE_SCALARS_INBUFS(ctx->sc);
+       outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc);
+@@ -1033,14 +1034,17 @@ static int fastrpc_put_args(struct fastr
+                       u64 len = rpra[i].buf.len;
+                       if (!kernel) {
+-                              if (copy_to_user((void __user *)dst, src, len))
+-                                      return -EFAULT;
++                              if (copy_to_user((void __user *)dst, src, len)) {
++                                      ret = -EFAULT;
++                                      goto cleanup_fdlist;
++                              }
+                       } else {
+                               memcpy(dst, src, len);
+                       }
+               }
+       }
++cleanup_fdlist:
+       /* Clean up fdlist which is updated by DSP */
+       for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
+               if (!fdlist[i])
+@@ -1049,7 +1053,7 @@ static int fastrpc_put_args(struct fastr
+                       fastrpc_map_put(mmap);
+       }
+-      return 0;
++      return ret;
+ }
+ static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx,
diff --git a/queue-6.1/misc-fastrpc-skip-reference-for-dma-handles.patch b/queue-6.1/misc-fastrpc-skip-reference-for-dma-handles.patch
new file mode 100644 (file)
index 0000000..4c795f8
--- /dev/null
@@ -0,0 +1,127 @@
+From 10df039834f84a297c72ec962c0f9b7c8c5ca31a Mon Sep 17 00:00:00 2001
+From: Ling Xu <quic_lxu5@quicinc.com>
+Date: Fri, 12 Sep 2025 14:12:36 +0100
+Subject: misc: fastrpc: Skip reference for DMA handles
+
+From: Ling Xu <quic_lxu5@quicinc.com>
+
+commit 10df039834f84a297c72ec962c0f9b7c8c5ca31a upstream.
+
+If multiple dma handles are passed with same fd over a remote call
+the kernel driver takes a reference and expects that put for the
+map will be called as many times to free the map. But DSP only
+updates the fd one time in the fd list when the DSP refcount
+goes to zero and hence kernel make put call only once for the
+fd. This can cause SMMU fault issue as the same fd can be used
+in future for some other call.
+
+Fixes: 35a82b87135d ("misc: fastrpc: Add dma handle implementation")
+Cc: stable@kernel.org
+Co-developed-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ekansh Gupta <ekansh.gupta@oss.qualcomm.com>
+Signed-off-by: Ling Xu <quic_lxu5@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Link: https://lore.kernel.org/r/20250912131236.303102-5-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c |   45 +++++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 18 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -342,9 +342,8 @@ static int fastrpc_map_get(struct fastrp
+ static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd,
+-                          struct fastrpc_map **ppmap, bool take_ref)
++                          struct fastrpc_map **ppmap)
+ {
+-      struct fastrpc_session_ctx *sess = fl->sctx;
+       struct fastrpc_map *map = NULL;
+       struct dma_buf *buf;
+       int ret = -ENOENT;
+@@ -358,15 +357,6 @@ static int fastrpc_map_lookup(struct fas
+               if (map->fd != fd || map->buf != buf)
+                       continue;
+-              if (take_ref) {
+-                      ret = fastrpc_map_get(map);
+-                      if (ret) {
+-                              dev_dbg(sess->dev, "%s: Failed to get map fd=%d ret=%d\n",
+-                                      __func__, fd, ret);
+-                              break;
+-                      }
+-              }
+-
+               *ppmap = map;
+               ret = 0;
+               break;
+@@ -711,7 +701,7 @@ static const struct dma_buf_ops fastrpc_
+       .release = fastrpc_release,
+ };
+-static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
++static int fastrpc_map_attach(struct fastrpc_user *fl, int fd,
+                             u64 len, u32 attr, struct fastrpc_map **ppmap)
+ {
+       struct fastrpc_session_ctx *sess = fl->sctx;
+@@ -719,9 +709,6 @@ static int fastrpc_map_create(struct fas
+       struct sg_table *table;
+       int err = 0;
+-      if (!fastrpc_map_lookup(fl, fd, ppmap, true))
+-              return 0;
+-
+       map = kzalloc(sizeof(*map), GFP_KERNEL);
+       if (!map)
+               return -ENOMEM;
+@@ -789,6 +776,24 @@ get_err:
+       return err;
+ }
++static int fastrpc_map_create(struct fastrpc_user *fl, int fd,
++                            u64 len, u32 attr, struct fastrpc_map **ppmap)
++{
++      struct fastrpc_session_ctx *sess = fl->sctx;
++      int err = 0;
++
++      if (!fastrpc_map_lookup(fl, fd, ppmap)) {
++              if (!fastrpc_map_get(*ppmap))
++                      return 0;
++              dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n",
++                      __func__, fd);
++      }
++
++      err = fastrpc_map_attach(fl, fd, len, attr, ppmap);
++
++      return err;
++}
++
+ /*
+  * Fastrpc payload buffer with metadata looks like:
+  *
+@@ -861,8 +866,12 @@ static int fastrpc_create_maps(struct fa
+                   ctx->args[i].length == 0)
+                       continue;
+-              err = fastrpc_map_create(ctx->fl, ctx->args[i].fd,
+-                       ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]);
++              if (i < ctx->nbufs)
++                      err = fastrpc_map_create(ctx->fl, ctx->args[i].fd,
++                               ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]);
++              else
++                      err = fastrpc_map_attach(ctx->fl, ctx->args[i].fd,
++                               ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]);
+               if (err) {
+                       dev_err(dev, "Error Creating map %d\n", err);
+                       return -EINVAL;
+@@ -1049,7 +1058,7 @@ cleanup_fdlist:
+       for (i = 0; i < FASTRPC_MAX_FDLIST; i++) {
+               if (!fdlist[i])
+                       break;
+-              if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false))
++              if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap))
+                       fastrpc_map_put(mmap);
+       }
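Review bot: In the new fastrpc_map_create(), `fastrpc_map_get(*ppmap)` runs after fastrpc_map_lookup() has already dropped `fl->lock`, whereas the removed `take_ref` branch took the reference inside the locked list walk. If another thread using the same fastrpc_user can drop the last reference in that window, the pointer returned by the lookup may be stale by the time the get runs; whether that is reachable depends on callers outside this patch. Taking the reference while `fl->lock` is still held, for example in a locked lookup-and-get helper used only by fastrpc_map_create(), would keep the previous guarantee. Separately, a failed get falls through to fastrpc_map_attach() with only a dev_dbg line, so a short comment such as `/* stale map: fall back to a fresh attach */` would make it clear the fallback is intended.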
diff --git a/queue-6.1/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch b/queue-6.1/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
new file mode 100644 (file)
index 0000000..195dba9
--- /dev/null
@@ -0,0 +1,88 @@
+From f52ce0ea90c83a28904c7cc203a70e6434adfecb Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang@os.amperecomputing.com>
+Date: Mon, 29 Sep 2025 13:24:02 -0700
+Subject: mm: hugetlb: avoid soft lockup when mprotect to large memory area
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yang Shi <yang@os.amperecomputing.com>
+
+commit f52ce0ea90c83a28904c7cc203a70e6434adfecb upstream.
+
+When calling mprotect() to a large hugetlb memory area in our customer's
+workload (~300GB hugetlb memory), soft lockup was observed:
+
+watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916]
+
+CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7
+Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025
+pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : mte_clear_page_tags+0x14/0x24
+lr : mte_sync_tags+0x1c0/0x240
+sp : ffff80003150bb80
+x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000
+x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458
+x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000
+x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c
+x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
+x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000
+x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000
+
+Call trace:
+  mte_clear_page_tags+0x14/0x24
+  set_huge_pte_at+0x25c/0x280
+  hugetlb_change_protection+0x220/0x430
+  change_protection+0x5c/0x8c
+  mprotect_fixup+0x10c/0x294
+  do_mprotect_pkey.constprop.0+0x2e0/0x3d4
+  __arm64_sys_mprotect+0x24/0x44
+  invoke_syscall+0x50/0x160
+  el0_svc_common+0x48/0x144
+  do_el0_svc+0x30/0xe0
+  el0_svc+0x30/0xf0
+  el0t_64_sync_handler+0xc4/0x148
+  el0t_64_sync+0x1a4/0x1a8
+
+Soft lockup is not triggered with THP or base page because there is
+cond_resched() called for each PMD size.
+
+Although the soft lockup was triggered by MTE, it should be not MTE
+specific.  The other processing which takes long time in the loop may
+trigger soft lockup too.
+
+So add cond_resched() for hugetlb to avoid soft lockup.
+
+Link: https://lkml.kernel.org/r/20250929202402.1663290-1-yang@os.amperecomputing.com
+Fixes: 8f860591ffb2 ("[PATCH] Enable mprotect on huge pages")
+Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
+Tested-by: Carl Worth <carl@os.amperecomputing.com>
+Reviewed-by: Christoph Lameter (Ampere) <cl@gentwo.org>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Oscar Salvador <osalvador@suse.de>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Will Deacon <will@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -6779,6 +6779,8 @@ unsigned long hugetlb_change_protection(
+                                               make_pte_marker(PTE_MARKER_UFFD_WP));
+               }
+               spin_unlock(ptl);
++
++              cond_resched();
+       }
+       /*
+        * Must flush TLB before releasing i_mmap_rwsem: x86's huge_pmd_unshare
diff --git a/queue-6.1/net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch b/queue-6.1/net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch
new file mode 100644 (file)
index 0000000..426f2f5
--- /dev/null
@@ -0,0 +1,109 @@
+From 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Sun, 5 Oct 2025 10:12:03 +0200
+Subject: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a upstream.
+
+Prevent USB runtime PM (autosuspend) for AX88772* in bind.
+
+usbnet enables runtime PM (autosuspend) by default, so disabling it via
+the usb_driver flag is ineffective. On AX88772B, autosuspend shows no
+measurable power saving with current driver (no link partner, admin
+up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering
+the PHY off on admin-down, not from USB autosuspend.
+
+The real hazard is that with runtime PM enabled, ndo_open() (under RTNL)
+may synchronously trigger autoresume (usb_autopm_get_interface()) into
+asix_resume() while the USB PM lock is held. Resume paths then invoke
+phylink/phylib and MDIO, which also expect RTNL, leading to possible
+deadlocks or PM lock vs MDIO wake issues.
+
+To avoid this, keep the device runtime-PM active by taking a usage
+reference in ax88772_bind() and dropping it in unbind(). A non-zero PM
+usage count blocks runtime suspend regardless of userspace policy
+(.../power/control - pm_runtime_allow/forbid), making this approach
+robust against sysfs overrides.
+
+Holding a runtime-PM usage ref does not affect system-wide suspend;
+system sleep/resume callbacks continue to run as before.
+
+Fixes: 4a2c7217cd5a ("net: usb: asix: ax88772: manage PHY PM from MAC")
+Reported-by: Hubert Wiśniewski <hubert.wisniewski.25632@gmail.com>
+Closes: https://lore.kernel.org/all/DCGHG5UJT9G3.2K1GHFZ3H87T0@gmail.com
+Tested-by: Hubert Wiśniewski <hubert.wisniewski.25632@gmail.com>
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Closes: https://lore.kernel.org/all/b5ea8296-f981-445d-a09a-2f389d7f6fdd@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20251005081203.3067982-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/asix_devices.c |   29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -625,6 +625,21 @@ static void ax88772_suspend(struct usbne
+                  asix_read_medium_status(dev, 1));
+ }
++/* Notes on PM callbacks and locking context:
++ *
++ * - asix_suspend()/asix_resume() are invoked for both runtime PM and
++ *   system-wide suspend/resume. For struct usb_driver the ->resume()
++ *   callback does not receive pm_message_t, so the resume type cannot
++ *   be distinguished here.
++ *
++ * - The MAC driver must hold RTNL when calling phylink interfaces such as
++ *   phylink_suspend()/resume(). Those calls will also perform MDIO I/O.
++ *
++ * - Taking RTNL and doing MDIO from a runtime-PM resume callback (while
++ *   the USB PM lock is held) is fragile. Since autosuspend brings no
++ *   measurable power saving here, we block it by holding a PM usage
++ *   reference in ax88772_bind().
++ */
+ static int asix_suspend(struct usb_interface *intf, pm_message_t message)
+ {
+       struct usbnet *dev = usb_get_intfdata(intf);
+@@ -922,6 +937,13 @@ static int ax88772_bind(struct usbnet *d
+       if (ret)
+               goto initphy_err;
++      /* Keep this interface runtime-PM active by taking a usage ref.
++       * Prevents runtime suspend while bound and avoids resume paths
++       * that could deadlock (autoresume under RTNL while USB PM lock
++       * is held, phylink/MDIO wants RTNL).
++       */
++      pm_runtime_get_noresume(&intf->dev);
++
+       return 0;
+ initphy_err:
+@@ -951,6 +973,8 @@ static void ax88772_unbind(struct usbnet
+       phylink_destroy(priv->phylink);
+       ax88772_mdio_unregister(priv);
+       asix_rx_fixup_common_free(dev->driver_priv);
++      /* Drop the PM usage ref taken in bind() */
++      pm_runtime_put(&intf->dev);
+ }
+ static void ax88178_unbind(struct usbnet *dev, struct usb_interface *intf)
+@@ -1575,6 +1599,11 @@ static struct usb_driver asix_driver = {
+       .resume =       asix_resume,
+       .reset_resume = asix_resume,
+       .disconnect =   usbnet_disconnect,
++      /* usbnet enables autosuspend by default (supports_autosuspend=1).
++       * We keep runtime-PM active for AX88772* by taking a PM usage
++       * reference in ax88772_bind() (pm_runtime_get_noresume()) and
++       * dropping it in unbind(), which effectively blocks autosuspend.
++       */
+       .supports_autosuspend = 1,
+       .disable_hub_initiated_lpm = 1,
+ };
diff --git a/queue-6.1/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch b/queue-6.1/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch
new file mode 100644 (file)
index 0000000..8716658
--- /dev/null
@@ -0,0 +1,56 @@
+From a9e6aa994917ee602798bbb03180a194b37865bb Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Thu, 25 Sep 2025 14:44:48 +0800
+Subject: nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit a9e6aa994917ee602798bbb03180a194b37865bb upstream.
+
+devm_kcalloc() may fail. ndtest_probe() allocates three DMA address
+arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses
+them in ndtest_nvdimm_init(), which can lead to a NULL pointer
+dereference under low-memory conditions.
+
+Check all three allocations and return -ENOMEM if any allocation fails,
+jumping to the common error path. Do not emit an extra error message
+since the allocator already warns on allocation failure.
+
+Fixes: 9399ab61ad82 ("ndtest: Add dimms to the two buses")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/nvdimm/test/ndtest.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/nvdimm/test/ndtest.c
++++ b/tools/testing/nvdimm/test/ndtest.c
+@@ -845,11 +845,22 @@ static int ndtest_probe(struct platform_
+       p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+                                sizeof(dma_addr_t), GFP_KERNEL);
++      if (!p->dcr_dma) {
++              rc = -ENOMEM;
++              goto err;
++      }
+       p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+                                  sizeof(dma_addr_t), GFP_KERNEL);
++      if (!p->label_dma) {
++              rc = -ENOMEM;
++              goto err;
++      }
+       p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR,
+                                 sizeof(dma_addr_t), GFP_KERNEL);
+-
++      if (!p->dimm_dma) {
++              rc = -ENOMEM;
++              goto err;
++      }
+       rc = ndtest_nvdimm_init(p);
+       if (rc)
+               goto err;
diff --git a/queue-6.1/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch b/queue-6.1/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
new file mode 100644 (file)
index 0000000..2e1508c
--- /dev/null
@@ -0,0 +1,37 @@
+From 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 2 Sep 2025 13:59:10 +0200
+Subject: pinctrl: check the return value of pinmux_ops::get_function_name()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 upstream.
+
+While the API contract in docs doesn't specify it explicitly, the
+generic implementation of the get_function_name() callback from struct
+pinmux_ops - pinmux_generic_get_function_name() - can fail and return
+NULL. This is already checked in pinmux_check_ops() so add a similar
+check in pinmux_func_name_to_selector() instead of passing the returned
+pointer right down to strcmp() where the NULL can get dereferenced. This
+is normal operation when adding new pinfunctions.
+
+Cc: stable@vger.kernel.org
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinmux.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinmux.c
++++ b/drivers/pinctrl/pinmux.c
+@@ -328,7 +328,7 @@ static int pinmux_func_name_to_selector(
+       while (selector < nfuncs) {
+               const char *fname = ops->get_function_name(pctldev, selector);
+-              if (!strcmp(function, fname))
++              if (fname && !strcmp(function, fname))
+                       return selector;
+               selector++;
index c64da3ff860289f6729d0ade928a14b89e5caf19..8241965d011130a6640f391cef2ff3c623450dcb 100644 (file)
@@ -179,3 +179,15 @@ dm-fix-queue-start-stop-imbalance-under-suspend-load-resume-races.patch
 dm-fix-null-pointer-dereference-in-__dm_suspend.patch
 ksmbd-fix-error-code-overwriting-in-smb2_get_info_filesystem.patch
 ext4-fix-checks-for-orphan-inodes.patch
+mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch
+nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch
+misc-fastrpc-fix-fastrpc_map_lookup-operation.patch
+misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch
+misc-fastrpc-skip-reference-for-dma-handles.patch
+input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch
+input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch
+pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch
+bus-fsl-mc-check-return-value-of-platform_get_resource.patch
+net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch
+usb-typec-tipd-clear-interrupts-first.patch
+usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch
diff --git a/queue-6.1/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch b/queue-6.1/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch
new file mode 100644 (file)
index 0000000..f4c6855
--- /dev/null
@@ -0,0 +1,47 @@
+From e9c206324eeb213957a567a9d066bdeb355c7491 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Wed, 3 Sep 2025 22:16:13 +0800
+Subject: usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit e9c206324eeb213957a567a9d066bdeb355c7491 upstream.
+
+The cdnsp-pci driver uses pcim_enable_device() to enable a PCI device,
+which means the device will be automatically disabled on driver detach
+through the managed device framework. The manual pci_disable_device()
+call in the error path is therefore redundant.
+
+Found via static anlaysis and this is similar to commit 99ca0b57e49f
+("thermal: intel: int340x: processor: Fix warning during module unload").
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20250903141613.2535472-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-pci.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-pci.c
++++ b/drivers/usb/cdns3/cdnsp-pci.c
+@@ -90,7 +90,7 @@ static int cdnsp_pci_probe(struct pci_de
+               cdnsp = kzalloc(sizeof(*cdnsp), GFP_KERNEL);
+               if (!cdnsp) {
+                       ret = -ENOMEM;
+-                      goto disable_pci;
++                      goto put_pci;
+               }
+       }
+@@ -173,9 +173,6 @@ free_cdnsp:
+       if (!pci_is_enabled(func))
+               kfree(cdnsp);
+-disable_pci:
+-      pci_disable_device(pdev);
+-
+ put_pci:
+       pci_dev_put(func);
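Review bot: The `put_pci:` unwind no longer disables `pdev`, and nothing left in the code says why, so a later cleanup could reintroduce the `pci_disable_device()` call. A one-line comment above `put_pci:` such as `/* pdev is enabled with pcim_enable_device(); devres disables it on detach */` would keep that reasoning beside the label. The `pcim_enable_device()` call is not in these hunks, since cdnsp_pci_probe() starts before and ends after them. For this 6.1 backport it is worth confirming that the queued tree's probe really uses the managed variant, rather than relying on the commit message alone.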
diff --git a/queue-6.1/usb-typec-tipd-clear-interrupts-first.patch b/queue-6.1/usb-typec-tipd-clear-interrupts-first.patch
new file mode 100644 (file)
index 0000000..5c0eead
--- /dev/null
@@ -0,0 +1,104 @@
+From be5ae730ffa6fd774a00a4705c1e11e078b08ca1 Mon Sep 17 00:00:00 2001
+From: Sven Peter <sven@kernel.org>
+Date: Sun, 14 Sep 2025 12:56:06 +0000
+Subject: usb: typec: tipd: Clear interrupts first
+
+From: Sven Peter <sven@kernel.org>
+
+commit be5ae730ffa6fd774a00a4705c1e11e078b08ca1 upstream.
+
+Right now the interrupt handler first reads all updated status registers
+and only then clears the interrupts. It's possible that a duplicate
+interrupt for a changed register or plug state comes in after the
+interrupts have been processed but before they have been cleared:
+
+* plug is inserted, TPS_REG_INT_PLUG_EVENT is set
+* TPS_REG_INT_EVENT1 is read
+* tps6598x_handle_plug_event() has run and registered the plug
+* plug is removed again, TPS_REG_INT_PLUG_EVENT is set (again)
+* TPS_REG_INT_CLEAR1 is written, TPS_REG_INT_PLUG_EVENT is cleared
+
+We then have no plug connected and no pending interrupt but the tipd
+core still thinks there is a plug. It's possible to trigger this with
+e.g. a slightly broken Type-C to USB A converter.
+
+Fix this by first clearing the interrupts and only then reading the
+updated registers.
+
+Fixes: 45188f27b3d0 ("usb: typec: tipd: Add support for Apple CD321X")
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Cc: stable@kernel.org
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Neal Gompa <neal@gompa.dev>
+Signed-off-by: Sven Peter <sven@kernel.org>
+Link: https://lore.kernel.org/r/20250914-apple-usb3-tipd-v1-1-4e99c8649024@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tipd/core.c |   24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/typec/tipd/core.c
++++ b/drivers/usb/typec/tipd/core.c
+@@ -491,24 +491,23 @@ static irqreturn_t cd321x_interrupt(int
+       if (!event)
+               goto err_unlock;
++      tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event);
++
+       if (!tps6598x_read_status(tps, &status))
+-              goto err_clear_ints;
++              goto err_unlock;
+       if (event & APPLE_CD_REG_INT_POWER_STATUS_UPDATE)
+               if (!tps6598x_read_power_status(tps))
+-                      goto err_clear_ints;
++                      goto err_unlock;
+       if (event & APPLE_CD_REG_INT_DATA_STATUS_UPDATE)
+               if (!tps6598x_read_data_status(tps))
+-                      goto err_clear_ints;
++                      goto err_unlock;
+       /* Handle plug insert or removal */
+       if (event & APPLE_CD_REG_INT_PLUG_EVENT)
+               tps6598x_handle_plug_event(tps, status);
+-err_clear_ints:
+-      tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event);
+-
+ err_unlock:
+       mutex_unlock(&tps->lock);
+@@ -555,25 +554,24 @@ static irqreturn_t tps6598x_interrupt(in
+       if (!(event1[0] | event1[1] | event2[0] | event2[1]))
+               goto err_unlock;
++      tps6598x_block_write(tps, TPS_REG_INT_CLEAR1, event1, intev_len);
++      tps6598x_block_write(tps, TPS_REG_INT_CLEAR2, event2, intev_len);
++
+       if (!tps6598x_read_status(tps, &status))
+-              goto err_clear_ints;
++              goto err_unlock;
+       if ((event1[0] | event2[0]) & TPS_REG_INT_POWER_STATUS_UPDATE)
+               if (!tps6598x_read_power_status(tps))
+-                      goto err_clear_ints;
++                      goto err_unlock;
+       if ((event1[0] | event2[0]) & TPS_REG_INT_DATA_STATUS_UPDATE)
+               if (!tps6598x_read_data_status(tps))
+-                      goto err_clear_ints;
++                      goto err_unlock;
+       /* Handle plug insert or removal */
+       if ((event1[0] | event2[0]) & TPS_REG_INT_PLUG_EVENT)
+               tps6598x_handle_plug_event(tps, status);
+-err_clear_ints:
+-      tps6598x_block_write(tps, TPS_REG_INT_CLEAR1, event1, intev_len);
+-      tps6598x_block_write(tps, TPS_REG_INT_CLEAR2, event2, intev_len);
+-
+ err_unlock:
+       mutex_unlock(&tps->lock);
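Review bot: The interrupt-clear writes that now run before the status reads discard their return values: `tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event);` in cd321x_interrupt() and the two `tps6598x_block_write()` calls in tps6598x_interrupt(). If a bus write fails, the handler carries on as though the events were acknowledged, and nothing is logged to explain an interrupt line that may stay asserted or fire again. Assuming these helpers return a non-zero error code on failure (their definitions are outside the hunks), I would at least log it, e.g. `if (tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event)) dev_err(tps->dev, "%s: failed to clear interrupts\n", __func__);`, and do the same for the block writes. Both handlers begin and end outside the hunks shown.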