From: Greg Kroah-Hartman Date: Mon, 13 Oct 2025 12:02:29 +0000 (+0200) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9fa10f9f368a799047290d3ae2abf509b3416422;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bus-fsl-mc-check-return-value-of-platform_get_resource.patch input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch misc-fastrpc-fix-fastrpc_map_lookup-operation.patch misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch misc-fastrpc-skip-reference-for-dma-handles.patch mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch usb-typec-tipd-clear-interrupts-first.patch --- diff --git a/queue-6.1/bus-fsl-mc-check-return-value-of-platform_get_resource.patch b/queue-6.1/bus-fsl-mc-check-return-value-of-platform_get_resource.patch new file mode 100644 index 0000000000..e39f37e8a8 --- /dev/null +++ b/queue-6.1/bus-fsl-mc-check-return-value-of-platform_get_resource.patch @@ -0,0 +1,36 @@ +From 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae Mon Sep 17 00:00:00 2001 +From: Salah Triki +Date: Mon, 25 Aug 2025 10:34:35 +0100 +Subject: bus: fsl-mc: Check return value of platform_get_resource() + +From: Salah Triki + +commit 25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae upstream. + +platform_get_resource() returns NULL in case of failure, so check its +return value and propagate the error in order to prevent NULL pointer +dereference. + +Fixes: 6305166c8771 ("bus: fsl-mc: Add ACPI support for fsl-mc") +Cc: stable@vger.kernel.org +Signed-off-by: Salah Triki +Acked-by: Ioana Ciornei +Link: https://lore.kernel.org/r/aKwuK6TRr5XNYQ8u@pc +Signed-off-by: Christophe Leroy +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -1172,6 +1172,9 @@ static int fsl_mc_bus_probe(struct platf + * Get physical address of MC portal for the root DPRC: + */ + plat_res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!plat_res) ++ return -EINVAL; ++ + mc_portal_phys_addr = plat_res->start; + mc_portal_size = resource_size(plat_res); + mc_portal_base_phys_addr = mc_portal_phys_addr & ~0x3ffffff; diff --git a/queue-6.1/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch b/queue-6.1/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch new file mode 100644 index 0000000000..d84638fac8 --- /dev/null +++ b/queue-6.1/input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch @@ -0,0 +1,33 @@ +From c7866ee0a9ddd9789faadf58cdac6abd7aabf045 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sun, 5 Oct 2025 04:33:10 +0200 +Subject: Input: atmel_mxt_ts - allow reset GPIO to sleep + +From: Marek Vasut + +commit c7866ee0a9ddd9789faadf58cdac6abd7aabf045 upstream. + +The reset GPIO is not toggled in any critical section where it couldn't +sleep, allow the reset GPIO to sleep. This allows the driver to operate +reset GPIOs connected to I2C GPIO expanders. + +Signed-off-by: Marek Vasut +Link: https://lore.kernel.org/r/20251005023335.166483-1-marek.vasut@mailbox.org +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -3239,7 +3239,7 @@ static int mxt_probe(struct i2c_client * + if (data->reset_gpio) { + /* Wait a while and then de-assert the RESET GPIO line */ + msleep(MXT_RESET_GPIO_TIME); +- gpiod_set_value(data->reset_gpio, 0); ++ gpiod_set_value_cansleep(data->reset_gpio, 0); + msleep(MXT_RESET_INVALID_CHG); + } + diff --git a/queue-6.1/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch b/queue-6.1/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch new file mode 100644 index 0000000000..1d7cc52f06 --- /dev/null +++ b/queue-6.1/input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch @@ -0,0 +1,37 @@ +From d3366a04770eea807f2826cbdb96934dd8c9bf79 Mon Sep 17 00:00:00 2001 +From: Zhen Ni +Date: Sun, 28 Sep 2025 14:37:37 +0800 +Subject: Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak + +From: Zhen Ni + +commit d3366a04770eea807f2826cbdb96934dd8c9bf79 upstream. + +Struct ff_effect_compat is embedded twice inside +uinput_ff_upload_compat, contains internal padding. In particular, there +is a hole after struct ff_replay to satisfy alignment requirements for +the following union member. Without clearing the structure, +copy_to_user() may leak stack data to userspace. + +Initialize ff_up_compat to zero before filling valid fields. + +Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput") +Cc: stable@vger.kernel.org +Signed-off-by: Zhen Ni +Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/uinput.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -741,6 +741,7 @@ static int uinput_ff_upload_to_user(char + if (in_compat_syscall()) { + struct uinput_ff_upload_compat ff_up_compat; + ++ memset(&ff_up_compat, 0, sizeof(ff_up_compat)); + ff_up_compat.request_id = ff_up->request_id; + ff_up_compat.retval = ff_up->retval; + /* diff --git a/queue-6.1/misc-fastrpc-fix-fastrpc_map_lookup-operation.patch b/queue-6.1/misc-fastrpc-fix-fastrpc_map_lookup-operation.patch new file mode 100644 index 0000000000..aa44da7178 --- /dev/null +++ b/queue-6.1/misc-fastrpc-fix-fastrpc_map_lookup-operation.patch @@ -0,0 +1,49 @@ +From 9031626ade38b092b72638dfe0c6ffce8d8acd43 Mon Sep 17 00:00:00 2001 +From: Ling Xu +Date: Fri, 12 Sep 2025 14:12:34 +0100 +Subject: misc: fastrpc: Fix fastrpc_map_lookup operation + +From: Ling Xu + +commit 9031626ade38b092b72638dfe0c6ffce8d8acd43 upstream. + +Fastrpc driver creates maps for user allocated fd buffers. Before +creating a new map, the map list is checked for any already existing +maps using map fd. Checking with just map fd is not sufficient as the +user can pass offsetted buffer with less size when the map is created +and then a larger size the next time which could result in memory +issues. Check for dma_buf object also when looking up for the map. + +Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") +Cc: stable@kernel.org +Co-developed-by: Ekansh Gupta +Signed-off-by: Ekansh Gupta +Signed-off-by: Ling Xu +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20250912131236.303102-3-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -346,11 +346,16 @@ static int fastrpc_map_lookup(struct fas + { + struct fastrpc_session_ctx *sess = fl->sctx; + struct fastrpc_map *map = NULL; ++ struct dma_buf *buf; + int ret = -ENOENT; + ++ buf = dma_buf_get(fd); ++ if (IS_ERR(buf)) ++ return PTR_ERR(buf); ++ + spin_lock(&fl->lock); + list_for_each_entry(map, &fl->maps, node) { +- if (map->fd != fd) ++ if (map->fd != fd || map->buf != buf) + continue; + + if (take_ref) { diff --git a/queue-6.1/misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch b/queue-6.1/misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch new file mode 100644 index 0000000000..1f26202977 --- /dev/null +++ b/queue-6.1/misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch @@ -0,0 +1,66 @@ +From da1ba64176e0138f2bfa96f9e43e8c3640d01e1e Mon Sep 17 00:00:00 2001 +From: Ling Xu +Date: Fri, 12 Sep 2025 14:12:35 +0100 +Subject: misc: fastrpc: fix possible map leak in fastrpc_put_args + +From: Ling Xu + +commit da1ba64176e0138f2bfa96f9e43e8c3640d01e1e upstream. + +copy_to_user() failure would cause an early return without cleaning up +the fdlist, which has been updated by the DSP. This could lead to map +leak. Fix this by redirecting to a cleanup path on failure, ensuring +that all mapped buffers are properly released before returning. + +Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") +Cc: stable@kernel.org +Co-developed-by: Ekansh Gupta +Signed-off-by: Ekansh Gupta +Signed-off-by: Ling Xu +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20250912131236.303102-4-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1018,6 +1018,7 @@ static int fastrpc_put_args(struct fastr + struct fastrpc_phy_page *pages; + u64 *fdlist; + int i, inbufs, outbufs, handles; ++ int ret = 0; + + inbufs = REMOTE_SCALARS_INBUFS(ctx->sc); + outbufs = REMOTE_SCALARS_OUTBUFS(ctx->sc); +@@ -1033,14 +1034,17 @@ static int fastrpc_put_args(struct fastr + u64 len = rpra[i].buf.len; + + if (!kernel) { +- if (copy_to_user((void __user *)dst, src, len)) +- return -EFAULT; ++ if (copy_to_user((void __user *)dst, src, len)) { ++ ret = -EFAULT; ++ goto cleanup_fdlist; ++ } + } else { + memcpy(dst, src, len); + } + } + } + ++cleanup_fdlist: + /* Clean up fdlist which is updated by DSP */ + for (i = 0; i < FASTRPC_MAX_FDLIST; i++) { + if (!fdlist[i]) +@@ -1049,7 +1053,7 @@ static int fastrpc_put_args(struct fastr + fastrpc_map_put(mmap); + } + +- return 0; ++ return ret; + } + + static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx, diff --git a/queue-6.1/misc-fastrpc-skip-reference-for-dma-handles.patch b/queue-6.1/misc-fastrpc-skip-reference-for-dma-handles.patch new file mode 100644 index 0000000000..4c795f8157 --- /dev/null +++ b/queue-6.1/misc-fastrpc-skip-reference-for-dma-handles.patch @@ -0,0 +1,127 @@ +From 10df039834f84a297c72ec962c0f9b7c8c5ca31a Mon Sep 17 00:00:00 2001 +From: Ling Xu +Date: Fri, 12 Sep 2025 14:12:36 +0100 +Subject: misc: fastrpc: Skip reference for DMA handles + +From: Ling Xu + +commit 10df039834f84a297c72ec962c0f9b7c8c5ca31a upstream. + +If multiple dma handles are passed with same fd over a remote call +the kernel driver takes a reference and expects that put for the +map will be called as many times to free the map. But DSP only +updates the fd one time in the fd list when the DSP refcount +goes to zero and hence kernel make put call only once for the +fd. This can cause SMMU fault issue as the same fd can be used +in future for some other call. + +Fixes: 35a82b87135d ("misc: fastrpc: Add dma handle implementation") +Cc: stable@kernel.org +Co-developed-by: Ekansh Gupta +Signed-off-by: Ekansh Gupta +Signed-off-by: Ling Xu +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20250912131236.303102-5-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 45 +++++++++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 18 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -342,9 +342,8 @@ static int fastrpc_map_get(struct fastrp + + + static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, +- struct fastrpc_map **ppmap, bool take_ref) ++ struct fastrpc_map **ppmap) + { +- struct fastrpc_session_ctx *sess = fl->sctx; + struct fastrpc_map *map = NULL; + struct dma_buf *buf; + int ret = -ENOENT; +@@ -358,15 +357,6 @@ static int fastrpc_map_lookup(struct fas + if (map->fd != fd || map->buf != buf) + continue; + +- if (take_ref) { +- ret = fastrpc_map_get(map); +- if (ret) { +- dev_dbg(sess->dev, "%s: Failed to get map fd=%d ret=%d\n", +- __func__, fd, ret); +- break; +- } +- } +- + *ppmap = map; + ret = 0; + break; +@@ -711,7 +701,7 @@ static const struct dma_buf_ops fastrpc_ + .release = fastrpc_release, + }; + +-static int fastrpc_map_create(struct fastrpc_user *fl, int fd, ++static int fastrpc_map_attach(struct fastrpc_user *fl, int fd, + u64 len, u32 attr, struct fastrpc_map **ppmap) + { + struct fastrpc_session_ctx *sess = fl->sctx; +@@ -719,9 +709,6 @@ static int fastrpc_map_create(struct fas + struct sg_table *table; + int err = 0; + +- if (!fastrpc_map_lookup(fl, fd, ppmap, true)) +- return 0; +- + map = kzalloc(sizeof(*map), GFP_KERNEL); + if (!map) + return -ENOMEM; +@@ -789,6 +776,24 @@ get_err: + return err; + } + ++static int fastrpc_map_create(struct fastrpc_user *fl, int fd, ++ u64 len, u32 attr, struct fastrpc_map **ppmap) ++{ ++ struct fastrpc_session_ctx *sess = fl->sctx; ++ int err = 0; ++ ++ if (!fastrpc_map_lookup(fl, fd, ppmap)) { ++ if (!fastrpc_map_get(*ppmap)) ++ return 0; ++ dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n", ++ __func__, fd); ++ } ++ ++ err = fastrpc_map_attach(fl, fd, len, attr, ppmap); ++ ++ return err; ++} ++ + /* + * Fastrpc payload buffer with metadata looks like: + * +@@ -861,8 +866,12 @@ static int fastrpc_create_maps(struct fa + ctx->args[i].length == 0) + continue; + +- err = fastrpc_map_create(ctx->fl, ctx->args[i].fd, +- ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); ++ if (i < ctx->nbufs) ++ err = fastrpc_map_create(ctx->fl, ctx->args[i].fd, ++ ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); ++ else ++ err = fastrpc_map_attach(ctx->fl, ctx->args[i].fd, ++ ctx->args[i].length, ctx->args[i].attr, &ctx->maps[i]); + if (err) { + dev_err(dev, "Error Creating map %d\n", err); + return -EINVAL; +@@ -1049,7 +1058,7 @@ cleanup_fdlist: + for (i = 0; i < FASTRPC_MAX_FDLIST; i++) { + if (!fdlist[i]) + break; +- if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false)) ++ if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap)) + fastrpc_map_put(mmap); + } + diff --git a/queue-6.1/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch b/queue-6.1/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch new file mode 100644 index 0000000000..195dba9aea --- /dev/null +++ b/queue-6.1/mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch @@ -0,0 +1,88 @@ +From f52ce0ea90c83a28904c7cc203a70e6434adfecb Mon Sep 17 00:00:00 2001 +From: Yang Shi +Date: Mon, 29 Sep 2025 13:24:02 -0700 +Subject: mm: hugetlb: avoid soft lockup when mprotect to large memory area +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yang Shi + +commit f52ce0ea90c83a28904c7cc203a70e6434adfecb upstream. + +When calling mprotect() to a large hugetlb memory area in our customer's +workload (~300GB hugetlb memory), soft lockup was observed: + +watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916] + +CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 +Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 +pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : mte_clear_page_tags+0x14/0x24 +lr : mte_sync_tags+0x1c0/0x240 +sp : ffff80003150bb80 +x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 +x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 +x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 +x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 +x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c +x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 +x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 +x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000 + +Call trace: +  mte_clear_page_tags+0x14/0x24 +  set_huge_pte_at+0x25c/0x280 +  hugetlb_change_protection+0x220/0x430 +  change_protection+0x5c/0x8c +  mprotect_fixup+0x10c/0x294 +  do_mprotect_pkey.constprop.0+0x2e0/0x3d4 +  __arm64_sys_mprotect+0x24/0x44 +  invoke_syscall+0x50/0x160 +  el0_svc_common+0x48/0x144 +  do_el0_svc+0x30/0xe0 +  el0_svc+0x30/0xf0 +  el0t_64_sync_handler+0xc4/0x148 +  el0t_64_sync+0x1a4/0x1a8 + +Soft lockup is not triggered with THP or base page because there is +cond_resched() called for each PMD size. + +Although the soft lockup was triggered by MTE, it should be not MTE +specific. The other processing which takes long time in the loop may +trigger soft lockup too. + +So add cond_resched() for hugetlb to avoid soft lockup. + +Link: https://lkml.kernel.org/r/20250929202402.1663290-1-yang@os.amperecomputing.com +Fixes: 8f860591ffb2 ("[PATCH] Enable mprotect on huge pages") +Signed-off-by: Yang Shi +Tested-by: Carl Worth +Reviewed-by: Christoph Lameter (Ampere) +Reviewed-by: Catalin Marinas +Acked-by: David Hildenbrand +Acked-by: Oscar Salvador +Reviewed-by: Anshuman Khandual +Reviewed-by: Dev Jain +Cc: Muchun Song +Cc: Will Deacon +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -6779,6 +6779,8 @@ unsigned long hugetlb_change_protection( + make_pte_marker(PTE_MARKER_UFFD_WP)); + } + spin_unlock(ptl); ++ ++ cond_resched(); + } + /* + * Must flush TLB before releasing i_mmap_rwsem: x86's huge_pmd_unshare diff --git a/queue-6.1/net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch b/queue-6.1/net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch new file mode 100644 index 0000000000..426f2f5ca9 --- /dev/null +++ b/queue-6.1/net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch @@ -0,0 +1,109 @@ +From 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Sun, 5 Oct 2025 10:12:03 +0200 +Subject: net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oleksij Rempel + +commit 3d3c4cd5c62f24bb3cb4511b7a95df707635e00a upstream. + +Prevent USB runtime PM (autosuspend) for AX88772* in bind. + +usbnet enables runtime PM (autosuspend) by default, so disabling it via +the usb_driver flag is ineffective. On AX88772B, autosuspend shows no +measurable power saving with current driver (no link partner, admin +up/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib powering +the PHY off on admin-down, not from USB autosuspend. + +The real hazard is that with runtime PM enabled, ndo_open() (under RTNL) +may synchronously trigger autoresume (usb_autopm_get_interface()) into +asix_resume() while the USB PM lock is held. Resume paths then invoke +phylink/phylib and MDIO, which also expect RTNL, leading to possible +deadlocks or PM lock vs MDIO wake issues. + +To avoid this, keep the device runtime-PM active by taking a usage +reference in ax88772_bind() and dropping it in unbind(). A non-zero PM +usage count blocks runtime suspend regardless of userspace policy +(.../power/control - pm_runtime_allow/forbid), making this approach +robust against sysfs overrides. + +Holding a runtime-PM usage ref does not affect system-wide suspend; +system sleep/resume callbacks continue to run as before. + +Fixes: 4a2c7217cd5a ("net: usb: asix: ax88772: manage PHY PM from MAC") +Reported-by: Hubert Wiśniewski +Closes: https://lore.kernel.org/all/DCGHG5UJT9G3.2K1GHFZ3H87T0@gmail.com +Tested-by: Hubert Wiśniewski +Reported-by: Marek Szyprowski +Closes: https://lore.kernel.org/all/b5ea8296-f981-445d-a09a-2f389d7f6fdd@samsung.com +Cc: stable@vger.kernel.org +Signed-off-by: Oleksij Rempel +Link: https://patch.msgid.link/20251005081203.3067982-1-o.rempel@pengutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/asix_devices.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -625,6 +625,21 @@ static void ax88772_suspend(struct usbne + asix_read_medium_status(dev, 1)); + } + ++/* Notes on PM callbacks and locking context: ++ * ++ * - asix_suspend()/asix_resume() are invoked for both runtime PM and ++ * system-wide suspend/resume. For struct usb_driver the ->resume() ++ * callback does not receive pm_message_t, so the resume type cannot ++ * be distinguished here. ++ * ++ * - The MAC driver must hold RTNL when calling phylink interfaces such as ++ * phylink_suspend()/resume(). Those calls will also perform MDIO I/O. ++ * ++ * - Taking RTNL and doing MDIO from a runtime-PM resume callback (while ++ * the USB PM lock is held) is fragile. Since autosuspend brings no ++ * measurable power saving here, we block it by holding a PM usage ++ * reference in ax88772_bind(). ++ */ + static int asix_suspend(struct usb_interface *intf, pm_message_t message) + { + struct usbnet *dev = usb_get_intfdata(intf); +@@ -922,6 +937,13 @@ static int ax88772_bind(struct usbnet *d + if (ret) + goto initphy_err; + ++ /* Keep this interface runtime-PM active by taking a usage ref. ++ * Prevents runtime suspend while bound and avoids resume paths ++ * that could deadlock (autoresume under RTNL while USB PM lock ++ * is held, phylink/MDIO wants RTNL). ++ */ ++ pm_runtime_get_noresume(&intf->dev); ++ + return 0; + + initphy_err: +@@ -951,6 +973,8 @@ static void ax88772_unbind(struct usbnet + phylink_destroy(priv->phylink); + ax88772_mdio_unregister(priv); + asix_rx_fixup_common_free(dev->driver_priv); ++ /* Drop the PM usage ref taken in bind() */ ++ pm_runtime_put(&intf->dev); + } + + static void ax88178_unbind(struct usbnet *dev, struct usb_interface *intf) +@@ -1575,6 +1599,11 @@ static struct usb_driver asix_driver = { + .resume = asix_resume, + .reset_resume = asix_resume, + .disconnect = usbnet_disconnect, ++ /* usbnet enables autosuspend by default (supports_autosuspend=1). ++ * We keep runtime-PM active for AX88772* by taking a PM usage ++ * reference in ax88772_bind() (pm_runtime_get_noresume()) and ++ * dropping it in unbind(), which effectively blocks autosuspend. ++ */ + .supports_autosuspend = 1, + .disable_hub_initiated_lpm = 1, + }; diff --git a/queue-6.1/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch b/queue-6.1/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch new file mode 100644 index 0000000000..8716658a4c --- /dev/null +++ b/queue-6.1/nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch @@ -0,0 +1,56 @@ +From a9e6aa994917ee602798bbb03180a194b37865bb Mon Sep 17 00:00:00 2001 +From: Guangshuo Li +Date: Thu, 25 Sep 2025 14:44:48 +0800 +Subject: nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() + +From: Guangshuo Li + +commit a9e6aa994917ee602798bbb03180a194b37865bb upstream. + +devm_kcalloc() may fail. ndtest_probe() allocates three DMA address +arrays (dcr_dma, label_dma, dimm_dma) and later unconditionally uses +them in ndtest_nvdimm_init(), which can lead to a NULL pointer +dereference under low-memory conditions. + +Check all three allocations and return -ENOMEM if any allocation fails, +jumping to the common error path. Do not emit an extra error message +since the allocator already warns on allocation failure. + +Fixes: 9399ab61ad82 ("ndtest: Add dimms to the two buses") +Cc: stable@vger.kernel.org +Signed-off-by: Guangshuo Li +Reviewed-by: Alison Schofield +Reviewed-by: Ira Weiny +Reviewed-by: Dave Jiang +Signed-off-by: Ira Weiny +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/nvdimm/test/ndtest.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/tools/testing/nvdimm/test/ndtest.c ++++ b/tools/testing/nvdimm/test/ndtest.c +@@ -845,11 +845,22 @@ static int ndtest_probe(struct platform_ + + p->dcr_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, + sizeof(dma_addr_t), GFP_KERNEL); ++ if (!p->dcr_dma) { ++ rc = -ENOMEM; ++ goto err; ++ } + p->label_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, + sizeof(dma_addr_t), GFP_KERNEL); ++ if (!p->label_dma) { ++ rc = -ENOMEM; ++ goto err; ++ } + p->dimm_dma = devm_kcalloc(&p->pdev.dev, NUM_DCR, + sizeof(dma_addr_t), GFP_KERNEL); +- ++ if (!p->dimm_dma) { ++ rc = -ENOMEM; ++ goto err; ++ } + rc = ndtest_nvdimm_init(p); + if (rc) + goto err; diff --git a/queue-6.1/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch b/queue-6.1/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch new file mode 100644 index 0000000000..2e1508c2e0 --- /dev/null +++ b/queue-6.1/pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch @@ -0,0 +1,37 @@ +From 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Tue, 2 Sep 2025 13:59:10 +0200 +Subject: pinctrl: check the return value of pinmux_ops::get_function_name() + +From: Bartosz Golaszewski + +commit 4002ee98c022d671ecc1e4a84029e9ae7d8a5603 upstream. + +While the API contract in docs doesn't specify it explicitly, the +generic implementation of the get_function_name() callback from struct +pinmux_ops - pinmux_generic_get_function_name() - can fail and return +NULL. This is already checked in pinmux_check_ops() so add a similar +check in pinmux_func_name_to_selector() instead of passing the returned +pointer right down to strcmp() where the NULL can get dereferenced. This +is normal operation when adding new pinfunctions. + +Cc: stable@vger.kernel.org +Tested-by: Neil Armstrong +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinmux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/pinmux.c ++++ b/drivers/pinctrl/pinmux.c +@@ -328,7 +328,7 @@ static int pinmux_func_name_to_selector( + while (selector < nfuncs) { + const char *fname = ops->get_function_name(pctldev, selector); + +- if (!strcmp(function, fname)) ++ if (fname && !strcmp(function, fname)) + return selector; + + selector++; diff --git a/queue-6.1/series b/queue-6.1/series index c64da3ff86..8241965d01 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -179,3 +179,15 @@ dm-fix-queue-start-stop-imbalance-under-suspend-load-resume-races.patch dm-fix-null-pointer-dereference-in-__dm_suspend.patch ksmbd-fix-error-code-overwriting-in-smb2_get_info_filesystem.patch ext4-fix-checks-for-orphan-inodes.patch +mm-hugetlb-avoid-soft-lockup-when-mprotect-to-large-memory-area.patch +nvdimm-ndtest-return-enomem-if-devm_kcalloc-fails-in-ndtest_probe.patch +misc-fastrpc-fix-fastrpc_map_lookup-operation.patch +misc-fastrpc-fix-possible-map-leak-in-fastrpc_put_args.patch +misc-fastrpc-skip-reference-for-dma-handles.patch +input-atmel_mxt_ts-allow-reset-gpio-to-sleep.patch +input-uinput-zero-initialize-uinput_ff_upload_compat-to-avoid-info-leak.patch +pinctrl-check-the-return-value-of-pinmux_ops-get_function_name.patch +bus-fsl-mc-check-return-value-of-platform_get_resource.patch +net-usb-asix-hold-pm-usage-ref-to-avoid-pm-mdio-rtnl-deadlock.patch +usb-typec-tipd-clear-interrupts-first.patch +usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch diff --git a/queue-6.1/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch b/queue-6.1/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch new file mode 100644 index 0000000000..f4c68557b0 --- /dev/null +++ b/queue-6.1/usb-cdns3-cdnsp-pci-remove-redundant-pci_disable_device-call.patch @@ -0,0 +1,47 @@ +From e9c206324eeb213957a567a9d066bdeb355c7491 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Wed, 3 Sep 2025 22:16:13 +0800 +Subject: usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call + +From: Miaoqian Lin + +commit e9c206324eeb213957a567a9d066bdeb355c7491 upstream. + +The cdnsp-pci driver uses pcim_enable_device() to enable a PCI device, +which means the device will be automatically disabled on driver detach +through the managed device framework. The manual pci_disable_device() +call in the error path is therefore redundant. + +Found via static anlaysis and this is similar to commit 99ca0b57e49f +("thermal: intel: int340x: processor: Fix warning during module unload"). + +Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20250903141613.2535472-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/cdns3/cdnsp-pci.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/usb/cdns3/cdnsp-pci.c ++++ b/drivers/usb/cdns3/cdnsp-pci.c +@@ -90,7 +90,7 @@ static int cdnsp_pci_probe(struct pci_de + cdnsp = kzalloc(sizeof(*cdnsp), GFP_KERNEL); + if (!cdnsp) { + ret = -ENOMEM; +- goto disable_pci; ++ goto put_pci; + } + } + +@@ -173,9 +173,6 @@ free_cdnsp: + if (!pci_is_enabled(func)) + kfree(cdnsp); + +-disable_pci: +- pci_disable_device(pdev); +- + put_pci: + pci_dev_put(func); + diff --git a/queue-6.1/usb-typec-tipd-clear-interrupts-first.patch b/queue-6.1/usb-typec-tipd-clear-interrupts-first.patch new file mode 100644 index 0000000000..5c0eead6a5 --- /dev/null +++ b/queue-6.1/usb-typec-tipd-clear-interrupts-first.patch @@ -0,0 +1,104 @@ +From be5ae730ffa6fd774a00a4705c1e11e078b08ca1 Mon Sep 17 00:00:00 2001 +From: Sven Peter +Date: Sun, 14 Sep 2025 12:56:06 +0000 +Subject: usb: typec: tipd: Clear interrupts first + +From: Sven Peter + +commit be5ae730ffa6fd774a00a4705c1e11e078b08ca1 upstream. + +Right now the interrupt handler first reads all updated status registers +and only then clears the interrupts. It's possible that a duplicate +interrupt for a changed register or plug state comes in after the +interrupts have been processed but before they have been cleared: + +* plug is inserted, TPS_REG_INT_PLUG_EVENT is set +* TPS_REG_INT_EVENT1 is read +* tps6598x_handle_plug_event() has run and registered the plug +* plug is removed again, TPS_REG_INT_PLUG_EVENT is set (again) +* TPS_REG_INT_CLEAR1 is written, TPS_REG_INT_PLUG_EVENT is cleared + +We then have no plug connected and no pending interrupt but the tipd +core still thinks there is a plug. It's possible to trigger this with +e.g. a slightly broken Type-C to USB A converter. + +Fix this by first clearing the interrupts and only then reading the +updated registers. + +Fixes: 45188f27b3d0 ("usb: typec: tipd: Add support for Apple CD321X") +Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers") +Cc: stable@kernel.org +Reviewed-by: Heikki Krogerus +Reviewed-by: Neal Gompa +Signed-off-by: Sven Peter +Link: https://lore.kernel.org/r/20250914-apple-usb3-tipd-v1-1-4e99c8649024@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tipd/core.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/drivers/usb/typec/tipd/core.c ++++ b/drivers/usb/typec/tipd/core.c +@@ -491,24 +491,23 @@ static irqreturn_t cd321x_interrupt(int + if (!event) + goto err_unlock; + ++ tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event); ++ + if (!tps6598x_read_status(tps, &status)) +- goto err_clear_ints; ++ goto err_unlock; + + if (event & APPLE_CD_REG_INT_POWER_STATUS_UPDATE) + if (!tps6598x_read_power_status(tps)) +- goto err_clear_ints; ++ goto err_unlock; + + if (event & APPLE_CD_REG_INT_DATA_STATUS_UPDATE) + if (!tps6598x_read_data_status(tps)) +- goto err_clear_ints; ++ goto err_unlock; + + /* Handle plug insert or removal */ + if (event & APPLE_CD_REG_INT_PLUG_EVENT) + tps6598x_handle_plug_event(tps, status); + +-err_clear_ints: +- tps6598x_write64(tps, TPS_REG_INT_CLEAR1, event); +- + err_unlock: + mutex_unlock(&tps->lock); + +@@ -555,25 +554,24 @@ static irqreturn_t tps6598x_interrupt(in + if (!(event1[0] | event1[1] | event2[0] | event2[1])) + goto err_unlock; + ++ tps6598x_block_write(tps, TPS_REG_INT_CLEAR1, event1, intev_len); ++ tps6598x_block_write(tps, TPS_REG_INT_CLEAR2, event2, intev_len); ++ + if (!tps6598x_read_status(tps, &status)) +- goto err_clear_ints; ++ goto err_unlock; + + if ((event1[0] | event2[0]) & TPS_REG_INT_POWER_STATUS_UPDATE) + if (!tps6598x_read_power_status(tps)) +- goto err_clear_ints; ++ goto err_unlock; + + if ((event1[0] | event2[0]) & TPS_REG_INT_DATA_STATUS_UPDATE) + if (!tps6598x_read_data_status(tps)) +- goto err_clear_ints; ++ goto err_unlock; + + /* Handle plug insert or removal */ + if ((event1[0] | event2[0]) & TPS_REG_INT_PLUG_EVENT) + tps6598x_handle_plug_event(tps, status); + +-err_clear_ints: +- tps6598x_block_write(tps, TPS_REG_INT_CLEAR1, event1, intev_len); +- tps6598x_block_write(tps, TPS_REG_INT_CLEAR2, event2, intev_len); +- + err_unlock: + mutex_unlock(&tps->lock); +