From: Greg Kroah-Hartman Date: Wed, 17 Sep 2025 08:00:40 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.153~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=31c497fedb96fc95b445ccf4ce2f4f3f95ed0958;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch phy-ti-pipe3-fix-device-leak-at-unbind.patch usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch --- diff --git a/queue-6.1/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch b/queue-6.1/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch new file mode 100644 index 0000000000..4d07547f64 --- /dev/null +++ b/queue-6.1/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch @@ -0,0 +1,63 @@ +From aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Tue, 2 Sep 2025 17:03:58 +0800 +Subject: dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate + +From: Miaoqian Lin + +commit aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 upstream. + +The reference taken by of_find_device_by_node() +must be released when not needed anymore. +Add missing put_device() call to fix device reference leaks. + +Fixes: 134d9c52fca2 ("dmaengine: dw: dmamux: Introduce RZN1 DMA router support") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/r/20250902090358.2423285-1-linmq006@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/dw/rzn1-dmamux.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/dma/dw/rzn1-dmamux.c ++++ b/drivers/dma/dw/rzn1-dmamux.c +@@ -46,12 +46,16 @@ static void *rzn1_dmamux_route_allocate( + u32 mask; + int ret; + +- if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS) +- return ERR_PTR(-EINVAL); ++ if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS) { ++ ret = -EINVAL; ++ goto put_device; ++ } + + map = kzalloc(sizeof(*map), GFP_KERNEL); +- if (!map) +- return ERR_PTR(-ENOMEM); ++ if (!map) { ++ ret = -ENOMEM; ++ goto put_device; ++ } + + chan = dma_spec->args[0]; + map->req_idx = dma_spec->args[4]; +@@ -92,12 +96,15 @@ static void *rzn1_dmamux_route_allocate( + if (ret) + goto clear_bitmap; + ++ put_device(&pdev->dev); + return map; + + clear_bitmap: + clear_bit(map->req_idx, dmamux->used_chans); + free_map: + kfree(map); ++put_device: ++ put_device(&pdev->dev); + + return ERR_PTR(ret); + } diff --git a/queue-6.1/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch b/queue-6.1/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch new file mode 100644 index 0000000000..b5f61e9e32 --- /dev/null +++ b/queue-6.1/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch @@ -0,0 +1,65 @@ +From 5068b5254812433e841a40886e695633148d362d Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Wed, 12 Feb 2025 18:03:54 +0100 +Subject: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees + +From: Stephan Gerhold + +commit 5068b5254812433e841a40886e695633148d362d upstream. + +When we don't have a clock specified in the device tree, we have no way to +ensure the BAM is on. This is often the case for remotely-controlled or +remotely-powered BAM instances. In this case, we need to read num-channels +from the DT to have all the necessary information to complete probing. + +However, at the moment invalid device trees without clock and without +num-channels still continue probing, because the error handling is missing +return statements. The driver will then later try to read the number of +channels from the registers. This is unsafe, because it relies on boot +firmware and lucky timing to succeed. Unfortunately, the lack of proper +error handling here has been abused for several Qualcomm SoCs upstream, +causing early boot crashes in several situations [1, 2]. + +Avoid these early crashes by erroring out when any of the required DT +properties are missing. Note that this will break some of the existing DTs +upstream (mainly BAM instances related to the crypto engine). However, +clearly these DTs have never been tested properly, since the error in the +kernel log was just ignored. It's safer to disable the crypto engine for +these broken DTBs. + +[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/ +[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/ + +Cc: stable@vger.kernel.org +Fixes: 48d163b1aa6e ("dmaengine: qcom: bam_dma: get num-channels and num-ees from dt") +Signed-off-by: Stephan Gerhold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250212-bam-dma-fixes-v1-8-f560889e65d8@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/qcom/bam_dma.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/dma/qcom/bam_dma.c ++++ b/drivers/dma/qcom/bam_dma.c +@@ -1277,13 +1277,17 @@ static int bam_dma_probe(struct platform + if (bdev->controlled_remotely || bdev->powered_remotely) { + ret = of_property_read_u32(pdev->dev.of_node, "num-channels", + &bdev->num_channels); +- if (ret) ++ if (ret) { + dev_err(bdev->dev, "num-channels unspecified in dt\n"); ++ return ret; ++ } + + ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees", + &bdev->num_ees); +- if (ret) ++ if (ret) { + dev_err(bdev->dev, "num-ees unspecified in dt\n"); ++ return ret; ++ } + } + + if (bdev->controlled_remotely || bdev->powered_remotely) diff --git a/queue-6.1/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch b/queue-6.1/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch new file mode 100644 index 0000000000..b6d31c6936 --- /dev/null +++ b/queue-6.1/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch @@ -0,0 +1,54 @@ +From bca065733afd1e3a89a02f05ffe14e966cd5f78e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 24 Jul 2025 15:12:04 +0200 +Subject: phy: tegra: xusb: fix device and OF node leak at probe + +From: Johan Hovold + +commit bca065733afd1e3a89a02f05ffe14e966cd5f78e upstream. + +Make sure to drop the references taken to the PMC OF node and device by +of_parse_phandle() and of_find_device_by_node() during probe. + +Note the holding a reference to the PMC device does not prevent the +PMC regmap from going away (e.g. if the PMC driver is unbound) so there +is no need to keep the reference. + +Fixes: 2d1021487273 ("phy: tegra: xusb: Add wake/sleepwalk for Tegra210") +Cc: stable@vger.kernel.org # 5.14 +Cc: JC Kuo +Signed-off-by: Johan Hovold +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250724131206.2211-2-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/tegra/xusb-tegra210.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/phy/tegra/xusb-tegra210.c ++++ b/drivers/phy/tegra/xusb-tegra210.c +@@ -3165,18 +3165,22 @@ tegra210_xusb_padctl_probe(struct device + } + + pdev = of_find_device_by_node(np); ++ of_node_put(np); + if (!pdev) { + dev_warn(dev, "PMC device is not available\n"); + goto out; + } + +- if (!platform_get_drvdata(pdev)) ++ if (!platform_get_drvdata(pdev)) { ++ put_device(&pdev->dev); + return ERR_PTR(-EPROBE_DEFER); ++ } + + padctl->regmap = dev_get_regmap(&pdev->dev, "usb_sleepwalk"); + if (!padctl->regmap) + dev_info(dev, "failed to find PMC regmap\n"); + ++ put_device(&pdev->dev); + out: + return &padctl->base; + } diff --git a/queue-6.1/phy-ti-pipe3-fix-device-leak-at-unbind.patch b/queue-6.1/phy-ti-pipe3-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..0ca445e095 --- /dev/null +++ b/queue-6.1/phy-ti-pipe3-fix-device-leak-at-unbind.patch @@ -0,0 +1,58 @@ +From e19bcea99749ce8e8f1d359f68ae03210694ad56 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 24 Jul 2025 15:12:06 +0200 +Subject: phy: ti-pipe3: fix device leak at unbind + +From: Johan Hovold + +commit e19bcea99749ce8e8f1d359f68ae03210694ad56 upstream. + +Make sure to drop the reference to the control device taken by +of_find_device_by_node() during probe when the driver is unbound. + +Fixes: 918ee0d21ba4 ("usb: phy: omap-usb3: Don't use omap_get_control_dev()") +Cc: stable@vger.kernel.org # 3.13 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724131206.2211-4-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/ti/phy-ti-pipe3.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/phy/ti/phy-ti-pipe3.c ++++ b/drivers/phy/ti/phy-ti-pipe3.c +@@ -666,12 +666,20 @@ static int ti_pipe3_get_clk(struct ti_pi + return 0; + } + ++static void ti_pipe3_put_device(void *_dev) ++{ ++ struct device *dev = _dev; ++ ++ put_device(dev); ++} ++ + static int ti_pipe3_get_sysctrl(struct ti_pipe3 *phy) + { + struct device *dev = phy->dev; + struct device_node *node = dev->of_node; + struct device_node *control_node; + struct platform_device *control_pdev; ++ int ret; + + phy->phy_power_syscon = syscon_regmap_lookup_by_phandle(node, + "syscon-phy-power"); +@@ -703,6 +711,11 @@ static int ti_pipe3_get_sysctrl(struct t + } + + phy->control_dev = &control_pdev->dev; ++ ++ ret = devm_add_action_or_reset(dev, ti_pipe3_put_device, ++ phy->control_dev); ++ if (ret) ++ return ret; + } + + if (phy->mode == PIPE3_MODE_PCIE) { diff --git a/queue-6.1/series b/queue-6.1/series index 84393fb08b..0bcdb96171 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -67,3 +67,9 @@ regulator-sy7636a-fix-lifecycle-of-power-good-gpio.patch hrtimer-remove-unused-function.patch hrtimer-rename-__hrtimer_hres_active-to-hrtimer_hres.patch hrtimers-unconditionally-update-target-cpu-base-afte.patch +xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch +usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch +dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch +dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch +phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch +phy-ti-pipe3-fix-device-leak-at-unbind.patch diff --git a/queue-6.1/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch b/queue-6.1/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch new file mode 100644 index 0000000000..b1a5f3868f --- /dev/null +++ b/queue-6.1/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch @@ -0,0 +1,90 @@ +From 8d63c83d8eb922f6c316320f50c82fa88d099bea Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 25 Aug 2025 12:00:22 -0400 +Subject: USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels + +From: Alan Stern + +commit 8d63c83d8eb922f6c316320f50c82fa88d099bea upstream. + +Yunseong Kim and the syzbot fuzzer both reported a problem in +RT-enabled kernels caused by the way dummy-hcd mixes interrupt +management and spin-locking. The pattern was: + + local_irq_save(flags); + spin_lock(&dum->lock); + ... + spin_unlock(&dum->lock); + ... // calls usb_gadget_giveback_request() + local_irq_restore(flags); + +The code was written this way because usb_gadget_giveback_request() +needs to be called with interrupts disabled and the private lock not +held. + +While this pattern works fine in non-RT kernels, it's not good when RT +is enabled. RT kernels handle spinlocks much like mutexes; in particular, +spin_lock() may sleep. But sleeping is not allowed while local +interrupts are disabled. + +To fix the problem, rewrite the code to conform to the pattern used +elsewhere in dummy-hcd and other UDC drivers: + + spin_lock_irqsave(&dum->lock, flags); + ... + spin_unlock(&dum->lock); + usb_gadget_giveback_request(...); + spin_lock(&dum->lock); + ... + spin_unlock_irqrestore(&dum->lock, flags); + +This approach satisfies the RT requirements. + +Signed-off-by: Alan Stern +Cc: stable +Fixes: b4dbda1a22d2 ("USB: dummy-hcd: disable interrupts during req->complete") +Reported-by: Yunseong Kim +Closes: +Reported-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com +Closes: +Tested-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com +CC: Sebastian Andrzej Siewior +CC: stable@vger.kernel.org +Reviewed-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/bb192ae2-4eee-48ee-981f-3efdbbd0d8f0@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/dummy_hcd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -764,8 +764,7 @@ static int dummy_dequeue(struct usb_ep * + if (!dum->driver) + return -ESHUTDOWN; + +- local_irq_save(flags); +- spin_lock(&dum->lock); ++ spin_lock_irqsave(&dum->lock, flags); + list_for_each_entry(iter, &ep->queue, queue) { + if (&iter->req != _req) + continue; +@@ -775,15 +774,16 @@ static int dummy_dequeue(struct usb_ep * + retval = 0; + break; + } +- spin_unlock(&dum->lock); + + if (retval == 0) { + dev_dbg(udc_dev(dum), + "dequeued req %p from %s, len %d buf %p\n", + req, _ep->name, _req->length, _req->buf); ++ spin_unlock(&dum->lock); + usb_gadget_giveback_request(_ep, _req); ++ spin_lock(&dum->lock); + } +- local_irq_restore(flags); ++ spin_unlock_irqrestore(&dum->lock, flags); + return retval; + } + diff --git a/queue-6.1/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch b/queue-6.1/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch new file mode 100644 index 0000000000..228d493337 --- /dev/null +++ b/queue-6.1/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch @@ -0,0 +1,86 @@ +From a5c98e8b1398534ae1feb6e95e2d3ee5215538ed Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 2 Sep 2025 13:53:05 +0300 +Subject: xhci: dbc: Fix full DbC transfer ring after several reconnects + +From: Mathias Nyman + +commit a5c98e8b1398534ae1feb6e95e2d3ee5215538ed upstream. + +Pending requests will be flushed on disconnect, and the corresponding +TRBs will be turned into No-op TRBs, which are ignored by the xHC +controller once it starts processing the ring. + +If the USB debug cable repeatedly disconnects before ring is started +then the ring will eventually be filled with No-op TRBs. +No new transfers can be queued when the ring is full, and driver will +print the following error message: + + "xhci_hcd 0000:00:14.0: failed to queue trbs" + +This is a normal case for 'in' transfers where TRBs are always enqueued +in advance, ready to take on incoming data. If no data arrives, and +device is disconnected, then ring dequeue will remain at beginning of +the ring while enqueue points to first free TRB after last cancelled +No-op TRB. +s +Solve this by reinitializing the rings when the debug cable disconnects +and DbC is leaving the configured state. +Clear the whole ring buffer and set enqueue and dequeue to the beginning +of ring, and set cycle bit to its initial state. + +Cc: stable@vger.kernel.org +Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250902105306.877476-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-dbgcap.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-dbgcap.c ++++ b/drivers/usb/host/xhci-dbgcap.c +@@ -421,6 +421,25 @@ dbc_alloc_ctx(struct device *dev, gfp_t + return ctx; + } + ++static int xhci_dbc_reinit_ep_rings(struct xhci_dbc *dbc) ++{ ++ struct xhci_ring *in_ring = dbc->eps[BULK_IN].ring; ++ struct xhci_ring *out_ring = dbc->eps[BULK_OUT].ring; ++ ++ if (!in_ring || !out_ring || !dbc->ctx) { ++ dev_warn(dbc->dev, "Can't re-init unallocated endpoints\n"); ++ return -ENODEV; ++ } ++ ++ xhci_dbc_ring_init(in_ring); ++ xhci_dbc_ring_init(out_ring); ++ ++ /* set ep context enqueue, dequeue, and cycle to initial values */ ++ xhci_dbc_init_ep_contexts(dbc); ++ ++ return 0; ++} ++ + static struct xhci_ring * + xhci_dbc_ring_alloc(struct device *dev, enum xhci_ring_type type, gfp_t flags) + { +@@ -850,7 +869,7 @@ static enum evtreturn xhci_dbc_do_handle + dev_info(dbc->dev, "DbC cable unplugged\n"); + dbc->state = DS_ENABLED; + xhci_dbc_flush_requests(dbc); +- ++ xhci_dbc_reinit_ep_rings(dbc); + return EVT_DISC; + } + +@@ -860,7 +879,7 @@ static enum evtreturn xhci_dbc_do_handle + writel(portsc, &dbc->regs->portsc); + dbc->state = DS_ENABLED; + xhci_dbc_flush_requests(dbc); +- ++ xhci_dbc_reinit_ep_rings(dbc); + return EVT_DISC; + } +