--- /dev/null
+From aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Tue, 2 Sep 2025 17:03:58 +0800
+Subject: dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 upstream.
+
+The reference taken by of_find_device_by_node()
+must be released when not needed anymore.
+Add missing put_device() call to fix device reference leaks.
+
+Fixes: 134d9c52fca2 ("dmaengine: dw: dmamux: Introduce RZN1 DMA router support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20250902090358.2423285-1-linmq006@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/dw/rzn1-dmamux.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/drivers/dma/dw/rzn1-dmamux.c
++++ b/drivers/dma/dw/rzn1-dmamux.c
+@@ -48,12 +48,16 @@ static void *rzn1_dmamux_route_allocate(
+ u32 mask;
+ int ret;
+
+- if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS)
+- return ERR_PTR(-EINVAL);
++ if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS) {
++ ret = -EINVAL;
++ goto put_device;
++ }
+
+ map = kzalloc(sizeof(*map), GFP_KERNEL);
+- if (!map)
+- return ERR_PTR(-ENOMEM);
++ if (!map) {
++ ret = -ENOMEM;
++ goto put_device;
++ }
+
+ chan = dma_spec->args[0];
+ map->req_idx = dma_spec->args[4];
+@@ -94,12 +98,15 @@ static void *rzn1_dmamux_route_allocate(
+ if (ret)
+ goto clear_bitmap;
+
++ put_device(&pdev->dev);
+ return map;
+
+ clear_bitmap:
+ clear_bit(map->req_idx, dmamux->used_chans);
+ free_map:
+ kfree(map);
++put_device:
++ put_device(&pdev->dev);
+
+ return ERR_PTR(ret);
+ }
--- /dev/null
+From 5068b5254812433e841a40886e695633148d362d Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Wed, 12 Feb 2025 18:03:54 +0100
+Subject: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit 5068b5254812433e841a40886e695633148d362d upstream.
+
+When we don't have a clock specified in the device tree, we have no way to
+ensure the BAM is on. This is often the case for remotely-controlled or
+remotely-powered BAM instances. In this case, we need to read num-channels
+from the DT to have all the necessary information to complete probing.
+
+However, at the moment invalid device trees without clock and without
+num-channels still continue probing, because the error handling is missing
+return statements. The driver will then later try to read the number of
+channels from the registers. This is unsafe, because it relies on boot
+firmware and lucky timing to succeed. Unfortunately, the lack of proper
+error handling here has been abused for several Qualcomm SoCs upstream,
+causing early boot crashes in several situations [1, 2].
+
+Avoid these early crashes by erroring out when any of the required DT
+properties are missing. Note that this will break some of the existing DTs
+upstream (mainly BAM instances related to the crypto engine). However,
+clearly these DTs have never been tested properly, since the error in the
+kernel log was just ignored. It's safer to disable the crypto engine for
+these broken DTBs.
+
+[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/
+[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/
+
+Cc: stable@vger.kernel.org
+Fixes: 48d163b1aa6e ("dmaengine: qcom: bam_dma: get num-channels and num-ees from dt")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250212-bam-dma-fixes-v1-8-f560889e65d8@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/qcom/bam_dma.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/qcom/bam_dma.c
++++ b/drivers/dma/qcom/bam_dma.c
+@@ -1283,13 +1283,17 @@ static int bam_dma_probe(struct platform
+ if (!bdev->bamclk) {
+ ret = of_property_read_u32(pdev->dev.of_node, "num-channels",
+ &bdev->num_channels);
+- if (ret)
++ if (ret) {
+ dev_err(bdev->dev, "num-channels unspecified in dt\n");
++ return ret;
++ }
+
+ ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees",
+ &bdev->num_ees);
+- if (ret)
++ if (ret) {
+ dev_err(bdev->dev, "num-ees unspecified in dt\n");
++ return ret;
++ }
+ }
+
+ ret = clk_prepare_enable(bdev->bamclk);
--- /dev/null
+From stable+bounces-179595-greg=kroah.com@vger.kernel.org Mon Sep 15 04:19:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Sep 2025 22:19:33 -0400
+Subject: drm/amdgpu: fix a memory leak in fence cleanup when unloading
+To: stable@vger.kernel.org
+Cc: "Alex Deucher" <alexander.deucher@amd.com>, "Lin.Cao" <lincao12@amd.com>, "Vitaly Prosyak" <vitaly.prosyak@amd.com>, "Christian König" <christian.koenig@amd.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250915021933.371266-1-sashal@kernel.org>
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 7838fb5f119191403560eca2e23613380c0e425e ]
+
+Commit b61badd20b44 ("drm/amdgpu: fix usage slab after free")
+reordered when amdgpu_fence_driver_sw_fini() was called after
+that patch, amdgpu_fence_driver_sw_fini() effectively became
+a no-op as the sched entities we never freed because the
+ring pointers were already set to NULL. Remove the NULL
+setting.
+
+Reported-by: Lin.Cao <lincao12@amd.com>
+Cc: Vitaly Prosyak <vitaly.prosyak@amd.com>
+Cc: Christian König <christian.koenig@amd.com>
+Fixes: b61badd20b44 ("drm/amdgpu: fix usage slab after free")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit a525fa37aac36c4591cc8b07ae8957862415fbd5)
+Cc: stable@vger.kernel.org
+[ Adapt to conditional check ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -396,9 +396,6 @@ void amdgpu_ring_fini(struct amdgpu_ring
+ dma_fence_put(ring->vmid_wait);
+ ring->vmid_wait = NULL;
+ ring->me = 0;
+-
+- if (!ring->is_mes_queue)
+- ring->adev->rings[ring->idx] = NULL;
+ }
+
+ /**
--- /dev/null
+From stable+bounces-179586-greg=kroah.com@vger.kernel.org Sun Sep 14 21:09:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Sep 2025 15:09:11 -0400
+Subject: drm/i915/power: fix size for for_each_set_bit() in abox iteration
+To: stable@vger.kernel.org
+Cc: "Jani Nikula" <jani.nikula@intel.com>, "Ville Syrjälä" <ville.syrjala@linux.intel.com>, "Matt Roper" <matthew.d.roper@intel.com>, "Tvrtko Ursulin" <tursulin@ursulin.net>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250914190911.183186-1-sashal@kernel.org>
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+[ Upstream commit cfa7b7659757f8d0fc4914429efa90d0d2577dd7 ]
+
+for_each_set_bit() expects size to be in bits, not bytes. The abox mask
+iteration uses bytes, but it works by coincidence, because the local
+variable holding the mask is unsigned long, and the mask only ever has
+bit 2 as the highest bit. Using a smaller type could lead to subtle and
+very hard to track bugs.
+
+Fixes: 62afef2811e4 ("drm/i915/rkl: RKL uses ABOX0 for pixel transfers")
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: stable@vger.kernel.org # v5.9+
+Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://lore.kernel.org/r/20250905104149.1144751-1-jani.nikula@intel.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 7ea3baa6efe4bb93d11e1c0e6528b1468d7debf6)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+[ adapted struct intel_display *display parameters to struct drm_i915_private *dev_priv ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_display_power.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_display_power.c
++++ b/drivers/gpu/drm/i915/display/intel_display_power.c
+@@ -1170,7 +1170,7 @@ static void icl_mbus_init(struct drm_i91
+ if (DISPLAY_VER(dev_priv) == 12)
+ abox_regs |= BIT(0);
+
+- for_each_set_bit(i, &abox_regs, sizeof(abox_regs))
++ for_each_set_bit(i, &abox_regs, BITS_PER_TYPE(abox_regs))
+ intel_de_rmw(dev_priv, MBUS_ABOX_CTL(i), mask, val);
+ }
+
+@@ -1623,11 +1623,11 @@ static void tgl_bw_buddy_init(struct drm
+ if (table[config].page_mask == 0) {
+ drm_dbg(&dev_priv->drm,
+ "Unknown memory configuration; disabling address buddy logic.\n");
+- for_each_set_bit(i, &abox_mask, sizeof(abox_mask))
++ for_each_set_bit(i, &abox_mask, BITS_PER_TYPE(abox_mask))
+ intel_de_write(dev_priv, BW_BUDDY_CTL(i),
+ BW_BUDDY_DISABLE);
+ } else {
+- for_each_set_bit(i, &abox_mask, sizeof(abox_mask)) {
++ for_each_set_bit(i, &abox_mask, BITS_PER_TYPE(abox_mask)) {
+ intel_de_write(dev_priv, BW_BUDDY_PAGE_MASK(i),
+ table[config].page_mask);
+
--- /dev/null
+From c8b5b7c5da7d0c31c9b7190b4a7bba5281fc4780 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 2 Apr 2025 09:11:23 +0900
+Subject: ksmbd: fix null pointer dereference in alloc_preauth_hash()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit c8b5b7c5da7d0c31c9b7190b4a7bba5281fc4780 upstream.
+
+The Client send malformed smb2 negotiate request. ksmbd return error
+response. Subsequently, the client can send smb2 session setup even
+thought conn->preauth_info is not allocated.
+This patch add KSMBD_SESS_NEED_SETUP status of connection to ignore
+session setup request if smb2 negotiate phase is not complete.
+
+Cc: stable@vger.kernel.org
+Tested-by: Steve French <stfrench@microsoft.com>
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-26505
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Jan Alexander Preissler <akendo@akendo.eu>
+Signed-off-by: Sujana Subramaniam <sujana.subramaniam@sap.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/connection.h | 11 +++++++++++
+ fs/smb/server/mgmt/user_session.c | 4 ++--
+ fs/smb/server/smb2pdu.c | 14 +++++++++++---
+ 3 files changed, 24 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/server/connection.h
++++ b/fs/smb/server/connection.h
+@@ -27,6 +27,7 @@ enum {
+ KSMBD_SESS_EXITING,
+ KSMBD_SESS_NEED_RECONNECT,
+ KSMBD_SESS_NEED_NEGOTIATE,
++ KSMBD_SESS_NEED_SETUP,
+ KSMBD_SESS_RELEASING
+ };
+
+@@ -195,6 +196,11 @@ static inline bool ksmbd_conn_need_negot
+ return READ_ONCE(conn->status) == KSMBD_SESS_NEED_NEGOTIATE;
+ }
+
++static inline bool ksmbd_conn_need_setup(struct ksmbd_conn *conn)
++{
++ return READ_ONCE(conn->status) == KSMBD_SESS_NEED_SETUP;
++}
++
+ static inline bool ksmbd_conn_need_reconnect(struct ksmbd_conn *conn)
+ {
+ return READ_ONCE(conn->status) == KSMBD_SESS_NEED_RECONNECT;
+@@ -225,6 +231,11 @@ static inline void ksmbd_conn_set_need_n
+ WRITE_ONCE(conn->status, KSMBD_SESS_NEED_NEGOTIATE);
+ }
+
++static inline void ksmbd_conn_set_need_setup(struct ksmbd_conn *conn)
++{
++ WRITE_ONCE(conn->status, KSMBD_SESS_NEED_SETUP);
++}
++
+ static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_conn *conn)
+ {
+ WRITE_ONCE(conn->status, KSMBD_SESS_NEED_RECONNECT);
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -373,12 +373,12 @@ void destroy_previous_session(struct ksm
+ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT);
+ err = ksmbd_conn_wait_idle_sess_id(conn, id);
+ if (err) {
+- ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);
+ goto out;
+ }
+ ksmbd_destroy_file_table(&prev_sess->file_table);
+ prev_sess->state = SMB2_SESSION_EXPIRED;
+- ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP);
+ out:
+ up_write(&conn->session_lock);
+ up_write(&sessions_table_lock);
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1252,7 +1252,7 @@ int smb2_handle_negotiate(struct ksmbd_w
+ }
+
+ conn->srv_sec_mode = le16_to_cpu(rsp->SecurityMode);
+- ksmbd_conn_set_need_negotiate(conn);
++ ksmbd_conn_set_need_setup(conn);
+
+ err_out:
+ if (rc)
+@@ -1273,6 +1273,9 @@ static int alloc_preauth_hash(struct ksm
+ if (sess->Preauth_HashValue)
+ return 0;
+
++ if (!conn->preauth_info)
++ return -ENOMEM;
++
+ sess->Preauth_HashValue = kmemdup(conn->preauth_info->Preauth_HashValue,
+ PREAUTH_HASHVALUE_SIZE, GFP_KERNEL);
+ if (!sess->Preauth_HashValue)
+@@ -1688,6 +1691,11 @@ int smb2_sess_setup(struct ksmbd_work *w
+
+ ksmbd_debug(SMB, "Received request for session setup\n");
+
++ if (!ksmbd_conn_need_setup(conn) && !ksmbd_conn_good(conn)) {
++ work->send_no_response = 1;
++ return rc;
++ }
++
+ WORK_BUFFERS(work, req, rsp);
+
+ rsp->StructureSize = cpu_to_le16(9);
+@@ -1919,7 +1927,7 @@ out_err:
+ if (try_delay) {
+ ksmbd_conn_set_need_reconnect(conn);
+ ssleep(5);
+- ksmbd_conn_set_need_negotiate(conn);
++ ksmbd_conn_set_need_setup(conn);
+ }
+ }
+ smb2_set_err_rsp(work);
+@@ -2249,7 +2257,7 @@ int smb2_session_logoff(struct ksmbd_wor
+ ksmbd_free_user(sess->user);
+ sess->user = NULL;
+ }
+- ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE);
++ ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP);
+
+ rsp->StructureSize = cpu_to_le16(4);
+ err = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_logoff_rsp));
--- /dev/null
+From 8ea25274ebaf2f6be8be374633b2ed8348ec0e70 Mon Sep 17 00:00:00 2001
+From: Buday Csaba <buday.csaba@prolan.hu>
+Date: Thu, 7 Aug 2025 15:54:49 +0200
+Subject: net: mdiobus: release reset_gpio in mdiobus_unregister_device()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Buday Csaba <buday.csaba@prolan.hu>
+
+commit 8ea25274ebaf2f6be8be374633b2ed8348ec0e70 upstream.
+
+reset_gpio is claimed in mdiobus_register_device(), but it is not
+released in mdiobus_unregister_device(). It is instead only
+released when the whole MDIO bus is unregistered.
+When a device uses the reset_gpio property, it becomes impossible
+to unregister it and register it again, because the GPIO remains
+claimed.
+This patch resolves that issue.
+
+Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support") # see notes
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Cc: Csókás Bence <csokas.bence@prolan.hu>
+[ csokas.bence: Resolve rebase conflict and clarify msg ]
+Signed-off-by: Buday Csaba <buday.csaba@prolan.hu>
+Link: https://patch.msgid.link/20250807135449.254254-2-csokas.bence@prolan.hu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+[ csokas.bence: Use the v1 patch on top of 6.6, as specified in notes ]
+Signed-off-by: Bence Csókás <csokas.bence@prolan.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio_bus.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -99,6 +99,7 @@ int mdiobus_unregister_device(struct mdi
+ if (mdiodev->bus->mdio_map[mdiodev->addr] != mdiodev)
+ return -EINVAL;
+
++ gpiod_put(mdiodev->reset_gpio);
+ reset_control_put(mdiodev->reset_ctrl);
+
+ mdiodev->bus->mdio_map[mdiodev->addr] = NULL;
+@@ -775,9 +776,6 @@ void mdiobus_unregister(struct mii_bus *
+ if (!mdiodev)
+ continue;
+
+- if (mdiodev->reset_gpio)
+- gpiod_put(mdiodev->reset_gpio);
+-
+ mdiodev->device_remove(mdiodev);
+ mdiodev->device_free(mdiodev);
+ }
--- /dev/null
+From bca065733afd1e3a89a02f05ffe14e966cd5f78e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 24 Jul 2025 15:12:04 +0200
+Subject: phy: tegra: xusb: fix device and OF node leak at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bca065733afd1e3a89a02f05ffe14e966cd5f78e upstream.
+
+Make sure to drop the references taken to the PMC OF node and device by
+of_parse_phandle() and of_find_device_by_node() during probe.
+
+Note the holding a reference to the PMC device does not prevent the
+PMC regmap from going away (e.g. if the PMC driver is unbound) so there
+is no need to keep the reference.
+
+Fixes: 2d1021487273 ("phy: tegra: xusb: Add wake/sleepwalk for Tegra210")
+Cc: stable@vger.kernel.org # 5.14
+Cc: JC Kuo <jckuo@nvidia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250724131206.2211-2-johan@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/tegra/xusb-tegra210.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/phy/tegra/xusb-tegra210.c
++++ b/drivers/phy/tegra/xusb-tegra210.c
+@@ -3164,18 +3164,22 @@ tegra210_xusb_padctl_probe(struct device
+ }
+
+ pdev = of_find_device_by_node(np);
++ of_node_put(np);
+ if (!pdev) {
+ dev_warn(dev, "PMC device is not available\n");
+ goto out;
+ }
+
+- if (!platform_get_drvdata(pdev))
++ if (!platform_get_drvdata(pdev)) {
++ put_device(&pdev->dev);
+ return ERR_PTR(-EPROBE_DEFER);
++ }
+
+ padctl->regmap = dev_get_regmap(&pdev->dev, "usb_sleepwalk");
+ if (!padctl->regmap)
+ dev_info(dev, "failed to find PMC regmap\n");
+
++ put_device(&pdev->dev);
+ out:
+ return &padctl->base;
+ }
--- /dev/null
+From e19bcea99749ce8e8f1d359f68ae03210694ad56 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 24 Jul 2025 15:12:06 +0200
+Subject: phy: ti-pipe3: fix device leak at unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e19bcea99749ce8e8f1d359f68ae03210694ad56 upstream.
+
+Make sure to drop the reference to the control device taken by
+of_find_device_by_node() during probe when the driver is unbound.
+
+Fixes: 918ee0d21ba4 ("usb: phy: omap-usb3: Don't use omap_get_control_dev()")
+Cc: stable@vger.kernel.org # 3.13
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724131206.2211-4-johan@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/ti/phy-ti-pipe3.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/phy/ti/phy-ti-pipe3.c
++++ b/drivers/phy/ti/phy-ti-pipe3.c
+@@ -666,12 +666,20 @@ static int ti_pipe3_get_clk(struct ti_pi
+ return 0;
+ }
+
++static void ti_pipe3_put_device(void *_dev)
++{
++ struct device *dev = _dev;
++
++ put_device(dev);
++}
++
+ static int ti_pipe3_get_sysctrl(struct ti_pipe3 *phy)
+ {
+ struct device *dev = phy->dev;
+ struct device_node *node = dev->of_node;
+ struct device_node *control_node;
+ struct platform_device *control_pdev;
++ int ret;
+
+ phy->phy_power_syscon = syscon_regmap_lookup_by_phandle(node,
+ "syscon-phy-power");
+@@ -703,6 +711,11 @@ static int ti_pipe3_get_sysctrl(struct t
+ }
+
+ phy->control_dev = &control_pdev->dev;
++
++ ret = devm_add_action_or_reset(dev, ti_pipe3_put_device,
++ phy->control_dev);
++ if (ret)
++ return ret;
+ }
+
+ if (phy->mode == PIPE3_MODE_PCIE) {
hrtimer-rename-__hrtimer_hres_active-to-hrtimer_hres.patch
hrtimers-unconditionally-update-target-cpu-base-afte.patch
risc-v-remove-unnecessary-include-from-compat.h.patch
+xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch
+xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch
+usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch
+usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch
+usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch
+dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch
+dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch
+phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch
+phy-ti-pipe3-fix-device-leak-at-unbind.patch
+ksmbd-fix-null-pointer-dereference-in-alloc_preauth_hash.patch
+net-mdiobus-release-reset_gpio-in-mdiobus_unregister_device.patch
+drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch
+drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch
--- /dev/null
+From 8d63c83d8eb922f6c316320f50c82fa88d099bea Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 25 Aug 2025 12:00:22 -0400
+Subject: USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 8d63c83d8eb922f6c316320f50c82fa88d099bea upstream.
+
+Yunseong Kim and the syzbot fuzzer both reported a problem in
+RT-enabled kernels caused by the way dummy-hcd mixes interrupt
+management and spin-locking. The pattern was:
+
+ local_irq_save(flags);
+ spin_lock(&dum->lock);
+ ...
+ spin_unlock(&dum->lock);
+ ... // calls usb_gadget_giveback_request()
+ local_irq_restore(flags);
+
+The code was written this way because usb_gadget_giveback_request()
+needs to be called with interrupts disabled and the private lock not
+held.
+
+While this pattern works fine in non-RT kernels, it's not good when RT
+is enabled. RT kernels handle spinlocks much like mutexes; in particular,
+spin_lock() may sleep. But sleeping is not allowed while local
+interrupts are disabled.
+
+To fix the problem, rewrite the code to conform to the pattern used
+elsewhere in dummy-hcd and other UDC drivers:
+
+ spin_lock_irqsave(&dum->lock, flags);
+ ...
+ spin_unlock(&dum->lock);
+ usb_gadget_giveback_request(...);
+ spin_lock(&dum->lock);
+ ...
+ spin_unlock_irqrestore(&dum->lock, flags);
+
+This approach satisfies the RT requirements.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@kernel.org>
+Fixes: b4dbda1a22d2 ("USB: dummy-hcd: disable interrupts during req->complete")
+Reported-by: Yunseong Kim <ysk@kzalloc.com>
+Closes: <https://lore.kernel.org/linux-usb/5b337389-73b9-4ee4-a83e-7e82bf5af87a@kzalloc.com/>
+Reported-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com
+Closes: <https://lore.kernel.org/linux-usb/68ac2411.050a0220.37038e.0087.GAE@google.com/>
+Tested-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com
+CC: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+CC: stable@vger.kernel.org
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/bb192ae2-4eee-48ee-981f-3efdbbd0d8f0@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/dummy_hcd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -764,8 +764,7 @@ static int dummy_dequeue(struct usb_ep *
+ if (!dum->driver)
+ return -ESHUTDOWN;
+
+- local_irq_save(flags);
+- spin_lock(&dum->lock);
++ spin_lock_irqsave(&dum->lock, flags);
+ list_for_each_entry(iter, &ep->queue, queue) {
+ if (&iter->req != _req)
+ continue;
+@@ -775,15 +774,16 @@ static int dummy_dequeue(struct usb_ep *
+ retval = 0;
+ break;
+ }
+- spin_unlock(&dum->lock);
+
+ if (retval == 0) {
+ dev_dbg(udc_dev(dum),
+ "dequeued req %p from %s, len %d buf %p\n",
+ req, _ep->name, _req->length, _req->buf);
++ spin_unlock(&dum->lock);
+ usb_gadget_giveback_request(_ep, _req);
++ spin_lock(&dum->lock);
+ }
+- local_irq_restore(flags);
++ spin_unlock_irqrestore(&dum->lock, flags);
+ return retval;
+ }
+
--- /dev/null
+From 116e79c679a1530cf833d0ff3007061d7a716bd9 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 5 Sep 2025 15:32:34 +0200
+Subject: usb: gadget: midi2: Fix MIDI2 IN EP max packet size
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 116e79c679a1530cf833d0ff3007061d7a716bd9 upstream.
+
+The EP-IN of MIDI2 (altset 1) wasn't initialized in
+f_midi2_create_usb_configs() as it's an INT EP unlike others BULK
+EPs. But this leaves rather the max packet size unchanged no matter
+which speed is used, resulting in the very slow access.
+And the wMaxPacketSize values set there look legit for INT EPs, so
+let's initialize the MIDI2 EP-IN there for achieving the equivalent
+speed as well.
+
+Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20250905133240.20966-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_midi2.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_midi2.c
++++ b/drivers/usb/gadget/function/f_midi2.c
+@@ -1739,9 +1739,12 @@ static int f_midi2_create_usb_configs(st
+ case USB_SPEED_HIGH:
+ midi2_midi1_ep_out_desc.wMaxPacketSize = cpu_to_le16(512);
+ midi2_midi1_ep_in_desc.wMaxPacketSize = cpu_to_le16(512);
+- for (i = 0; i < midi2->num_eps; i++)
++ for (i = 0; i < midi2->num_eps; i++) {
+ midi2_midi2_ep_out_desc[i].wMaxPacketSize =
+ cpu_to_le16(512);
++ midi2_midi2_ep_in_desc[i].wMaxPacketSize =
++ cpu_to_le16(512);
++ }
+ fallthrough;
+ case USB_SPEED_FULL:
+ midi1_in_eps = midi2_midi1_ep_in_descs;
+@@ -1750,9 +1753,12 @@ static int f_midi2_create_usb_configs(st
+ case USB_SPEED_SUPER:
+ midi2_midi1_ep_out_desc.wMaxPacketSize = cpu_to_le16(1024);
+ midi2_midi1_ep_in_desc.wMaxPacketSize = cpu_to_le16(1024);
+- for (i = 0; i < midi2->num_eps; i++)
++ for (i = 0; i < midi2->num_eps; i++) {
+ midi2_midi2_ep_out_desc[i].wMaxPacketSize =
+ cpu_to_le16(1024);
++ midi2_midi2_ep_in_desc[i].wMaxPacketSize =
++ cpu_to_le16(1024);
++ }
+ midi1_in_eps = midi2_midi1_ep_in_ss_descs;
+ midi1_out_eps = midi2_midi1_ep_out_ss_descs;
+ break;
--- /dev/null
+From 21d8525d2e061cde034277d518411b02eac764e2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 4 Sep 2025 17:39:24 +0200
+Subject: usb: gadget: midi2: Fix missing UMP group attributes initialization
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 21d8525d2e061cde034277d518411b02eac764e2 upstream.
+
+The gadget card driver forgot to call snd_ump_update_group_attrs()
+after adding FBs, and this leaves the UMP group attributes
+uninitialized. As a result, -ENODEV error is returned at opening a
+legacy rawmidi device as an inactive group.
+
+This patch adds the missing call to address the behavior above.
+
+Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20250904153932.13589-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_midi2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/f_midi2.c
++++ b/drivers/usb/gadget/function/f_midi2.c
+@@ -1601,6 +1601,7 @@ static int f_midi2_create_card(struct f_
+ strscpy(fb->info.name, ump_fb_name(b),
+ sizeof(fb->info.name));
+ }
++ snd_ump_update_group_attrs(ump);
+ }
+
+ for (i = 0; i < midi2->num_eps; i++) {
--- /dev/null
+From a5c98e8b1398534ae1feb6e95e2d3ee5215538ed Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 2 Sep 2025 13:53:05 +0300
+Subject: xhci: dbc: Fix full DbC transfer ring after several reconnects
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit a5c98e8b1398534ae1feb6e95e2d3ee5215538ed upstream.
+
+Pending requests will be flushed on disconnect, and the corresponding
+TRBs will be turned into No-op TRBs, which are ignored by the xHC
+controller once it starts processing the ring.
+
+If the USB debug cable repeatedly disconnects before ring is started
+then the ring will eventually be filled with No-op TRBs.
+No new transfers can be queued when the ring is full, and driver will
+print the following error message:
+
+ "xhci_hcd 0000:00:14.0: failed to queue trbs"
+
+This is a normal case for 'in' transfers where TRBs are always enqueued
+in advance, ready to take on incoming data. If no data arrives, and
+device is disconnected, then ring dequeue will remain at beginning of
+the ring while enqueue points to first free TRB after last cancelled
+No-op TRB.
+s
+Solve this by reinitializing the rings when the debug cable disconnects
+and DbC is leaving the configured state.
+Clear the whole ring buffer and set enqueue and dequeue to the beginning
+of ring, and set cycle bit to its initial state.
+
+Cc: stable@vger.kernel.org
+Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250902105306.877476-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-dbgcap.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-dbgcap.c
++++ b/drivers/usb/host/xhci-dbgcap.c
+@@ -421,6 +421,25 @@ dbc_alloc_ctx(struct device *dev, gfp_t
+ return ctx;
+ }
+
++static int xhci_dbc_reinit_ep_rings(struct xhci_dbc *dbc)
++{
++ struct xhci_ring *in_ring = dbc->eps[BULK_IN].ring;
++ struct xhci_ring *out_ring = dbc->eps[BULK_OUT].ring;
++
++ if (!in_ring || !out_ring || !dbc->ctx) {
++ dev_warn(dbc->dev, "Can't re-init unallocated endpoints\n");
++ return -ENODEV;
++ }
++
++ xhci_dbc_ring_init(in_ring);
++ xhci_dbc_ring_init(out_ring);
++
++ /* set ep context enqueue, dequeue, and cycle to initial values */
++ xhci_dbc_init_ep_contexts(dbc);
++
++ return 0;
++}
++
+ static struct xhci_ring *
+ xhci_dbc_ring_alloc(struct device *dev, enum xhci_ring_type type, gfp_t flags)
+ {
+@@ -850,7 +869,7 @@ static enum evtreturn xhci_dbc_do_handle
+ dev_info(dbc->dev, "DbC cable unplugged\n");
+ dbc->state = DS_ENABLED;
+ xhci_dbc_flush_requests(dbc);
+-
++ xhci_dbc_reinit_ep_rings(dbc);
+ return EVT_DISC;
+ }
+
+@@ -860,7 +879,7 @@ static enum evtreturn xhci_dbc_do_handle
+ writel(portsc, &dbc->regs->portsc);
+ dbc->state = DS_ENABLED;
+ xhci_dbc_flush_requests(dbc);
+-
++ xhci_dbc_reinit_ep_rings(dbc);
+ return EVT_DISC;
+ }
+
--- /dev/null
+From edcbe06453ddfde21f6aa763f7cab655f26133cc Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 2 Sep 2025 13:53:06 +0300
+Subject: xhci: fix memory leak regression when freeing xhci vdev devices depth first
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit edcbe06453ddfde21f6aa763f7cab655f26133cc upstream.
+
+Suspend-resume cycle test revealed a memory leak in 6.17-rc3
+
+Turns out the slot_id race fix changes accidentally ends up calling
+xhci_free_virt_device() with an incorrect vdev parameter.
+The vdev variable was reused for temporary purposes right before calling
+xhci_free_virt_device().
+
+Fix this by passing the correct vdev parameter.
+
+The slot_id race fix that caused this regression was targeted for stable,
+so this needs to be applied there as well.
+
+Fixes: 2eb03376151b ("usb: xhci: Fix slot_id resource race conflict")
+Reported-by: David Wang <00107082@163.com>
+Closes: https://lore.kernel.org/linux-usb/20250829181354.4450-1-00107082@163.com
+Suggested-by: Michal Pecio <michal.pecio@gmail.com>
+Suggested-by: David Wang <00107082@163.com>
+Cc: stable@vger.kernel.org
+Tested-by: David Wang <00107082@163.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250902105306.877476-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -945,7 +945,7 @@ static void xhci_free_virt_devices_depth
+ out:
+ /* we are now at a leaf device */
+ xhci_debugfs_remove_slot(xhci, slot_id);
+- xhci_free_virt_device(xhci, vdev, slot_id);
++ xhci_free_virt_device(xhci, xhci->devs[slot_id], slot_id);
+ }
+
+ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,
projects / thirdparty / kernel / stable-queue.git / commitdiff
