From: Greg Kroah-Hartman Date: Wed, 17 Sep 2025 08:00:52 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.1.153~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=adfed2eacefc0721fcb1dca59f068b8efa3144f6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch ksmbd-fix-null-pointer-dereference-in-alloc_preauth_hash.patch net-mdiobus-release-reset_gpio-in-mdiobus_unregister_device.patch phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch phy-ti-pipe3-fix-device-leak-at-unbind.patch usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch --- diff --git a/queue-6.6/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch b/queue-6.6/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch new file mode 100644 index 0000000000..8cc3bbe385 --- /dev/null +++ b/queue-6.6/dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch @@ -0,0 +1,63 @@ +From aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Tue, 2 Sep 2025 17:03:58 +0800 +Subject: dmaengine: dw: dmamux: Fix device reference leak in rzn1_dmamux_route_allocate + +From: Miaoqian Lin + +commit aa2e1e4563d3ab689ffa86ca1412ecbf9fd3b308 upstream. + +The reference taken by of_find_device_by_node() +must be released when not needed anymore. +Add missing put_device() call to fix device reference leaks. + +Fixes: 134d9c52fca2 ("dmaengine: dw: dmamux: Introduce RZN1 DMA router support") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Miquel Raynal +Link: https://lore.kernel.org/r/20250902090358.2423285-1-linmq006@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/dw/rzn1-dmamux.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/dma/dw/rzn1-dmamux.c ++++ b/drivers/dma/dw/rzn1-dmamux.c +@@ -48,12 +48,16 @@ static void *rzn1_dmamux_route_allocate( + u32 mask; + int ret; + +- if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS) +- return ERR_PTR(-EINVAL); ++ if (dma_spec->args_count != RNZ1_DMAMUX_NCELLS) { ++ ret = -EINVAL; ++ goto put_device; ++ } + + map = kzalloc(sizeof(*map), GFP_KERNEL); +- if (!map) +- return ERR_PTR(-ENOMEM); ++ if (!map) { ++ ret = -ENOMEM; ++ goto put_device; ++ } + + chan = dma_spec->args[0]; + map->req_idx = dma_spec->args[4]; +@@ -94,12 +98,15 @@ static void *rzn1_dmamux_route_allocate( + if (ret) + goto clear_bitmap; + ++ put_device(&pdev->dev); + return map; + + clear_bitmap: + clear_bit(map->req_idx, dmamux->used_chans); + free_map: + kfree(map); ++put_device: ++ put_device(&pdev->dev); + + return ERR_PTR(ret); + } diff --git a/queue-6.6/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch b/queue-6.6/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch new file mode 100644 index 0000000000..afb707b49a --- /dev/null +++ b/queue-6.6/dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch @@ -0,0 +1,65 @@ +From 5068b5254812433e841a40886e695633148d362d Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Wed, 12 Feb 2025 18:03:54 +0100 +Subject: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees + +From: Stephan Gerhold + +commit 5068b5254812433e841a40886e695633148d362d upstream. + +When we don't have a clock specified in the device tree, we have no way to +ensure the BAM is on. This is often the case for remotely-controlled or +remotely-powered BAM instances. In this case, we need to read num-channels +from the DT to have all the necessary information to complete probing. + +However, at the moment invalid device trees without clock and without +num-channels still continue probing, because the error handling is missing +return statements. The driver will then later try to read the number of +channels from the registers. This is unsafe, because it relies on boot +firmware and lucky timing to succeed. Unfortunately, the lack of proper +error handling here has been abused for several Qualcomm SoCs upstream, +causing early boot crashes in several situations [1, 2]. + +Avoid these early crashes by erroring out when any of the required DT +properties are missing. Note that this will break some of the existing DTs +upstream (mainly BAM instances related to the crypto engine). However, +clearly these DTs have never been tested properly, since the error in the +kernel log was just ignored. It's safer to disable the crypto engine for +these broken DTBs. + +[1]: https://lore.kernel.org/r/CY01EKQVWE36.B9X5TDXAREPF@fairphone.com/ +[2]: https://lore.kernel.org/r/20230626145959.646747-1-krzysztof.kozlowski@linaro.org/ + +Cc: stable@vger.kernel.org +Fixes: 48d163b1aa6e ("dmaengine: qcom: bam_dma: get num-channels and num-ees from dt") +Signed-off-by: Stephan Gerhold +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250212-bam-dma-fixes-v1-8-f560889e65d8@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/qcom/bam_dma.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/dma/qcom/bam_dma.c ++++ b/drivers/dma/qcom/bam_dma.c +@@ -1283,13 +1283,17 @@ static int bam_dma_probe(struct platform + if (!bdev->bamclk) { + ret = of_property_read_u32(pdev->dev.of_node, "num-channels", + &bdev->num_channels); +- if (ret) ++ if (ret) { + dev_err(bdev->dev, "num-channels unspecified in dt\n"); ++ return ret; ++ } + + ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees", + &bdev->num_ees); +- if (ret) ++ if (ret) { + dev_err(bdev->dev, "num-ees unspecified in dt\n"); ++ return ret; ++ } + } + + ret = clk_prepare_enable(bdev->bamclk); diff --git a/queue-6.6/drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch b/queue-6.6/drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch new file mode 100644 index 0000000000..62a750bcc9 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch @@ -0,0 +1,46 @@ +From stable+bounces-179595-greg=kroah.com@vger.kernel.org Mon Sep 15 04:19:43 2025 +From: Sasha Levin +Date: Sun, 14 Sep 2025 22:19:33 -0400 +Subject: drm/amdgpu: fix a memory leak in fence cleanup when unloading +To: stable@vger.kernel.org +Cc: "Alex Deucher" , "Lin.Cao" , "Vitaly Prosyak" , "Christian König" , "Sasha Levin" +Message-ID: <20250915021933.371266-1-sashal@kernel.org> + +From: Alex Deucher + +[ Upstream commit 7838fb5f119191403560eca2e23613380c0e425e ] + +Commit b61badd20b44 ("drm/amdgpu: fix usage slab after free") +reordered when amdgpu_fence_driver_sw_fini() was called after +that patch, amdgpu_fence_driver_sw_fini() effectively became +a no-op as the sched entities we never freed because the +ring pointers were already set to NULL. Remove the NULL +setting. + +Reported-by: Lin.Cao +Cc: Vitaly Prosyak +Cc: Christian König +Fixes: b61badd20b44 ("drm/amdgpu: fix usage slab after free") +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit a525fa37aac36c4591cc8b07ae8957862415fbd5) +Cc: stable@vger.kernel.org +[ Adapt to conditional check ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +@@ -396,9 +396,6 @@ void amdgpu_ring_fini(struct amdgpu_ring + dma_fence_put(ring->vmid_wait); + ring->vmid_wait = NULL; + ring->me = 0; +- +- if (!ring->is_mes_queue) +- ring->adev->rings[ring->idx] = NULL; + } + + /** diff --git a/queue-6.6/drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch b/queue-6.6/drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch new file mode 100644 index 0000000000..820fc02668 --- /dev/null +++ b/queue-6.6/drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch @@ -0,0 +1,59 @@ +From stable+bounces-179586-greg=kroah.com@vger.kernel.org Sun Sep 14 21:09:19 2025 +From: Sasha Levin +Date: Sun, 14 Sep 2025 15:09:11 -0400 +Subject: drm/i915/power: fix size for for_each_set_bit() in abox iteration +To: stable@vger.kernel.org +Cc: "Jani Nikula" , "Ville Syrjälä" , "Matt Roper" , "Tvrtko Ursulin" , "Sasha Levin" +Message-ID: <20250914190911.183186-1-sashal@kernel.org> + +From: Jani Nikula + +[ Upstream commit cfa7b7659757f8d0fc4914429efa90d0d2577dd7 ] + +for_each_set_bit() expects size to be in bits, not bytes. The abox mask +iteration uses bytes, but it works by coincidence, because the local +variable holding the mask is unsigned long, and the mask only ever has +bit 2 as the highest bit. Using a smaller type could lead to subtle and +very hard to track bugs. + +Fixes: 62afef2811e4 ("drm/i915/rkl: RKL uses ABOX0 for pixel transfers") +Cc: Ville Syrjälä +Cc: Matt Roper +Cc: stable@vger.kernel.org # v5.9+ +Reviewed-by: Matt Roper +Link: https://lore.kernel.org/r/20250905104149.1144751-1-jani.nikula@intel.com +Signed-off-by: Jani Nikula +(cherry picked from commit 7ea3baa6efe4bb93d11e1c0e6528b1468d7debf6) +Signed-off-by: Tvrtko Ursulin +[ adapted struct intel_display *display parameters to struct drm_i915_private *dev_priv ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_display_power.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_display_power.c ++++ b/drivers/gpu/drm/i915/display/intel_display_power.c +@@ -1170,7 +1170,7 @@ static void icl_mbus_init(struct drm_i91 + if (DISPLAY_VER(dev_priv) == 12) + abox_regs |= BIT(0); + +- for_each_set_bit(i, &abox_regs, sizeof(abox_regs)) ++ for_each_set_bit(i, &abox_regs, BITS_PER_TYPE(abox_regs)) + intel_de_rmw(dev_priv, MBUS_ABOX_CTL(i), mask, val); + } + +@@ -1623,11 +1623,11 @@ static void tgl_bw_buddy_init(struct drm + if (table[config].page_mask == 0) { + drm_dbg(&dev_priv->drm, + "Unknown memory configuration; disabling address buddy logic.\n"); +- for_each_set_bit(i, &abox_mask, sizeof(abox_mask)) ++ for_each_set_bit(i, &abox_mask, BITS_PER_TYPE(abox_mask)) + intel_de_write(dev_priv, BW_BUDDY_CTL(i), + BW_BUDDY_DISABLE); + } else { +- for_each_set_bit(i, &abox_mask, sizeof(abox_mask)) { ++ for_each_set_bit(i, &abox_mask, BITS_PER_TYPE(abox_mask)) { + intel_de_write(dev_priv, BW_BUDDY_PAGE_MASK(i), + table[config].page_mask); + diff --git a/queue-6.6/ksmbd-fix-null-pointer-dereference-in-alloc_preauth_hash.patch b/queue-6.6/ksmbd-fix-null-pointer-dereference-in-alloc_preauth_hash.patch new file mode 100644 index 0000000000..fbfc9f3b50 --- /dev/null +++ b/queue-6.6/ksmbd-fix-null-pointer-dereference-in-alloc_preauth_hash.patch @@ -0,0 +1,131 @@ +From c8b5b7c5da7d0c31c9b7190b4a7bba5281fc4780 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Wed, 2 Apr 2025 09:11:23 +0900 +Subject: ksmbd: fix null pointer dereference in alloc_preauth_hash() + +From: Namjae Jeon + +commit c8b5b7c5da7d0c31c9b7190b4a7bba5281fc4780 upstream. + +The Client send malformed smb2 negotiate request. ksmbd return error +response. Subsequently, the client can send smb2 session setup even +thought conn->preauth_info is not allocated. +This patch add KSMBD_SESS_NEED_SETUP status of connection to ignore +session setup request if smb2 negotiate phase is not complete. + +Cc: stable@vger.kernel.org +Tested-by: Steve French +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-26505 +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Jan Alexander Preissler +Signed-off-by: Sujana Subramaniam +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/connection.h | 11 +++++++++++ + fs/smb/server/mgmt/user_session.c | 4 ++-- + fs/smb/server/smb2pdu.c | 14 +++++++++++--- + 3 files changed, 24 insertions(+), 5 deletions(-) + +--- a/fs/smb/server/connection.h ++++ b/fs/smb/server/connection.h +@@ -27,6 +27,7 @@ enum { + KSMBD_SESS_EXITING, + KSMBD_SESS_NEED_RECONNECT, + KSMBD_SESS_NEED_NEGOTIATE, ++ KSMBD_SESS_NEED_SETUP, + KSMBD_SESS_RELEASING + }; + +@@ -195,6 +196,11 @@ static inline bool ksmbd_conn_need_negot + return READ_ONCE(conn->status) == KSMBD_SESS_NEED_NEGOTIATE; + } + ++static inline bool ksmbd_conn_need_setup(struct ksmbd_conn *conn) ++{ ++ return READ_ONCE(conn->status) == KSMBD_SESS_NEED_SETUP; ++} ++ + static inline bool ksmbd_conn_need_reconnect(struct ksmbd_conn *conn) + { + return READ_ONCE(conn->status) == KSMBD_SESS_NEED_RECONNECT; +@@ -225,6 +231,11 @@ static inline void ksmbd_conn_set_need_n + WRITE_ONCE(conn->status, KSMBD_SESS_NEED_NEGOTIATE); + } + ++static inline void ksmbd_conn_set_need_setup(struct ksmbd_conn *conn) ++{ ++ WRITE_ONCE(conn->status, KSMBD_SESS_NEED_SETUP); ++} ++ + static inline void ksmbd_conn_set_need_reconnect(struct ksmbd_conn *conn) + { + WRITE_ONCE(conn->status, KSMBD_SESS_NEED_RECONNECT); +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -373,12 +373,12 @@ void destroy_previous_session(struct ksm + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT); + err = ksmbd_conn_wait_idle_sess_id(conn, id); + if (err) { +- ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); ++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP); + goto out; + } + ksmbd_destroy_file_table(&prev_sess->file_table); + prev_sess->state = SMB2_SESSION_EXPIRED; +- ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); ++ ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_SETUP); + out: + up_write(&conn->session_lock); + up_write(&sessions_table_lock); +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1252,7 +1252,7 @@ int smb2_handle_negotiate(struct ksmbd_w + } + + conn->srv_sec_mode = le16_to_cpu(rsp->SecurityMode); +- ksmbd_conn_set_need_negotiate(conn); ++ ksmbd_conn_set_need_setup(conn); + + err_out: + if (rc) +@@ -1273,6 +1273,9 @@ static int alloc_preauth_hash(struct ksm + if (sess->Preauth_HashValue) + return 0; + ++ if (!conn->preauth_info) ++ return -ENOMEM; ++ + sess->Preauth_HashValue = kmemdup(conn->preauth_info->Preauth_HashValue, + PREAUTH_HASHVALUE_SIZE, GFP_KERNEL); + if (!sess->Preauth_HashValue) +@@ -1688,6 +1691,11 @@ int smb2_sess_setup(struct ksmbd_work *w + + ksmbd_debug(SMB, "Received request for session setup\n"); + ++ if (!ksmbd_conn_need_setup(conn) && !ksmbd_conn_good(conn)) { ++ work->send_no_response = 1; ++ return rc; ++ } ++ + WORK_BUFFERS(work, req, rsp); + + rsp->StructureSize = cpu_to_le16(9); +@@ -1919,7 +1927,7 @@ out_err: + if (try_delay) { + ksmbd_conn_set_need_reconnect(conn); + ssleep(5); +- ksmbd_conn_set_need_negotiate(conn); ++ ksmbd_conn_set_need_setup(conn); + } + } + smb2_set_err_rsp(work); +@@ -2249,7 +2257,7 @@ int smb2_session_logoff(struct ksmbd_wor + ksmbd_free_user(sess->user); + sess->user = NULL; + } +- ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE); ++ ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP); + + rsp->StructureSize = cpu_to_le16(4); + err = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_logoff_rsp)); diff --git a/queue-6.6/net-mdiobus-release-reset_gpio-in-mdiobus_unregister_device.patch b/queue-6.6/net-mdiobus-release-reset_gpio-in-mdiobus_unregister_device.patch new file mode 100644 index 0000000000..64e6750d86 --- /dev/null +++ b/queue-6.6/net-mdiobus-release-reset_gpio-in-mdiobus_unregister_device.patch @@ -0,0 +1,54 @@ +From 8ea25274ebaf2f6be8be374633b2ed8348ec0e70 Mon Sep 17 00:00:00 2001 +From: Buday Csaba +Date: Thu, 7 Aug 2025 15:54:49 +0200 +Subject: net: mdiobus: release reset_gpio in mdiobus_unregister_device() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Buday Csaba + +commit 8ea25274ebaf2f6be8be374633b2ed8348ec0e70 upstream. + +reset_gpio is claimed in mdiobus_register_device(), but it is not +released in mdiobus_unregister_device(). It is instead only +released when the whole MDIO bus is unregistered. +When a device uses the reset_gpio property, it becomes impossible +to unregister it and register it again, because the GPIO remains +claimed. +This patch resolves that issue. + +Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support") # see notes +Reviewed-by: Andrew Lunn +Cc: Csókás Bence +[ csokas.bence: Resolve rebase conflict and clarify msg ] +Signed-off-by: Buday Csaba +Link: https://patch.msgid.link/20250807135449.254254-2-csokas.bence@prolan.hu +Signed-off-by: Paolo Abeni +[ csokas.bence: Use the v1 patch on top of 6.6, as specified in notes ] +Signed-off-by: Bence Csókás +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio_bus.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -99,6 +99,7 @@ int mdiobus_unregister_device(struct mdi + if (mdiodev->bus->mdio_map[mdiodev->addr] != mdiodev) + return -EINVAL; + ++ gpiod_put(mdiodev->reset_gpio); + reset_control_put(mdiodev->reset_ctrl); + + mdiodev->bus->mdio_map[mdiodev->addr] = NULL; +@@ -775,9 +776,6 @@ void mdiobus_unregister(struct mii_bus * + if (!mdiodev) + continue; + +- if (mdiodev->reset_gpio) +- gpiod_put(mdiodev->reset_gpio); +- + mdiodev->device_remove(mdiodev); + mdiodev->device_free(mdiodev); + } diff --git a/queue-6.6/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch b/queue-6.6/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch new file mode 100644 index 0000000000..6f91903709 --- /dev/null +++ b/queue-6.6/phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch @@ -0,0 +1,54 @@ +From bca065733afd1e3a89a02f05ffe14e966cd5f78e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 24 Jul 2025 15:12:04 +0200 +Subject: phy: tegra: xusb: fix device and OF node leak at probe + +From: Johan Hovold + +commit bca065733afd1e3a89a02f05ffe14e966cd5f78e upstream. + +Make sure to drop the references taken to the PMC OF node and device by +of_parse_phandle() and of_find_device_by_node() during probe. + +Note the holding a reference to the PMC device does not prevent the +PMC regmap from going away (e.g. if the PMC driver is unbound) so there +is no need to keep the reference. + +Fixes: 2d1021487273 ("phy: tegra: xusb: Add wake/sleepwalk for Tegra210") +Cc: stable@vger.kernel.org # 5.14 +Cc: JC Kuo +Signed-off-by: Johan Hovold +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20250724131206.2211-2-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/tegra/xusb-tegra210.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/phy/tegra/xusb-tegra210.c ++++ b/drivers/phy/tegra/xusb-tegra210.c +@@ -3164,18 +3164,22 @@ tegra210_xusb_padctl_probe(struct device + } + + pdev = of_find_device_by_node(np); ++ of_node_put(np); + if (!pdev) { + dev_warn(dev, "PMC device is not available\n"); + goto out; + } + +- if (!platform_get_drvdata(pdev)) ++ if (!platform_get_drvdata(pdev)) { ++ put_device(&pdev->dev); + return ERR_PTR(-EPROBE_DEFER); ++ } + + padctl->regmap = dev_get_regmap(&pdev->dev, "usb_sleepwalk"); + if (!padctl->regmap) + dev_info(dev, "failed to find PMC regmap\n"); + ++ put_device(&pdev->dev); + out: + return &padctl->base; + } diff --git a/queue-6.6/phy-ti-pipe3-fix-device-leak-at-unbind.patch b/queue-6.6/phy-ti-pipe3-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..0ca445e095 --- /dev/null +++ b/queue-6.6/phy-ti-pipe3-fix-device-leak-at-unbind.patch @@ -0,0 +1,58 @@ +From e19bcea99749ce8e8f1d359f68ae03210694ad56 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 24 Jul 2025 15:12:06 +0200 +Subject: phy: ti-pipe3: fix device leak at unbind + +From: Johan Hovold + +commit e19bcea99749ce8e8f1d359f68ae03210694ad56 upstream. + +Make sure to drop the reference to the control device taken by +of_find_device_by_node() during probe when the driver is unbound. + +Fixes: 918ee0d21ba4 ("usb: phy: omap-usb3: Don't use omap_get_control_dev()") +Cc: stable@vger.kernel.org # 3.13 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724131206.2211-4-johan@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/ti/phy-ti-pipe3.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/phy/ti/phy-ti-pipe3.c ++++ b/drivers/phy/ti/phy-ti-pipe3.c +@@ -666,12 +666,20 @@ static int ti_pipe3_get_clk(struct ti_pi + return 0; + } + ++static void ti_pipe3_put_device(void *_dev) ++{ ++ struct device *dev = _dev; ++ ++ put_device(dev); ++} ++ + static int ti_pipe3_get_sysctrl(struct ti_pipe3 *phy) + { + struct device *dev = phy->dev; + struct device_node *node = dev->of_node; + struct device_node *control_node; + struct platform_device *control_pdev; ++ int ret; + + phy->phy_power_syscon = syscon_regmap_lookup_by_phandle(node, + "syscon-phy-power"); +@@ -703,6 +711,11 @@ static int ti_pipe3_get_sysctrl(struct t + } + + phy->control_dev = &control_pdev->dev; ++ ++ ret = devm_add_action_or_reset(dev, ti_pipe3_put_device, ++ phy->control_dev); ++ if (ret) ++ return ret; + } + + if (phy->mode == PIPE3_MODE_PCIE) { diff --git a/queue-6.6/series b/queue-6.6/series index f091dc3910..0c4b3be2d1 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -87,3 +87,16 @@ hrtimer-remove-unused-function.patch hrtimer-rename-__hrtimer_hres_active-to-hrtimer_hres.patch hrtimers-unconditionally-update-target-cpu-base-afte.patch risc-v-remove-unnecessary-include-from-compat.h.patch +xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch +xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch +usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch +usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch +usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch +dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch +dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch +phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch +phy-ti-pipe3-fix-device-leak-at-unbind.patch +ksmbd-fix-null-pointer-dereference-in-alloc_preauth_hash.patch +net-mdiobus-release-reset_gpio-in-mdiobus_unregister_device.patch +drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch +drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch diff --git a/queue-6.6/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch b/queue-6.6/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch new file mode 100644 index 0000000000..b1a5f3868f --- /dev/null +++ b/queue-6.6/usb-gadget-dummy-hcd-fix-locking-bug-in-rt-enabled-kernels.patch @@ -0,0 +1,90 @@ +From 8d63c83d8eb922f6c316320f50c82fa88d099bea Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 25 Aug 2025 12:00:22 -0400 +Subject: USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels + +From: Alan Stern + +commit 8d63c83d8eb922f6c316320f50c82fa88d099bea upstream. + +Yunseong Kim and the syzbot fuzzer both reported a problem in +RT-enabled kernels caused by the way dummy-hcd mixes interrupt +management and spin-locking. The pattern was: + + local_irq_save(flags); + spin_lock(&dum->lock); + ... + spin_unlock(&dum->lock); + ... // calls usb_gadget_giveback_request() + local_irq_restore(flags); + +The code was written this way because usb_gadget_giveback_request() +needs to be called with interrupts disabled and the private lock not +held. + +While this pattern works fine in non-RT kernels, it's not good when RT +is enabled. RT kernels handle spinlocks much like mutexes; in particular, +spin_lock() may sleep. But sleeping is not allowed while local +interrupts are disabled. + +To fix the problem, rewrite the code to conform to the pattern used +elsewhere in dummy-hcd and other UDC drivers: + + spin_lock_irqsave(&dum->lock, flags); + ... + spin_unlock(&dum->lock); + usb_gadget_giveback_request(...); + spin_lock(&dum->lock); + ... + spin_unlock_irqrestore(&dum->lock, flags); + +This approach satisfies the RT requirements. + +Signed-off-by: Alan Stern +Cc: stable +Fixes: b4dbda1a22d2 ("USB: dummy-hcd: disable interrupts during req->complete") +Reported-by: Yunseong Kim +Closes: +Reported-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com +Closes: +Tested-by: syzbot+8baacc4139f12fa77909@syzkaller.appspotmail.com +CC: Sebastian Andrzej Siewior +CC: stable@vger.kernel.org +Reviewed-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/bb192ae2-4eee-48ee-981f-3efdbbd0d8f0@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/dummy_hcd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -764,8 +764,7 @@ static int dummy_dequeue(struct usb_ep * + if (!dum->driver) + return -ESHUTDOWN; + +- local_irq_save(flags); +- spin_lock(&dum->lock); ++ spin_lock_irqsave(&dum->lock, flags); + list_for_each_entry(iter, &ep->queue, queue) { + if (&iter->req != _req) + continue; +@@ -775,15 +774,16 @@ static int dummy_dequeue(struct usb_ep * + retval = 0; + break; + } +- spin_unlock(&dum->lock); + + if (retval == 0) { + dev_dbg(udc_dev(dum), + "dequeued req %p from %s, len %d buf %p\n", + req, _ep->name, _req->length, _req->buf); ++ spin_unlock(&dum->lock); + usb_gadget_giveback_request(_ep, _req); ++ spin_lock(&dum->lock); + } +- local_irq_restore(flags); ++ spin_unlock_irqrestore(&dum->lock, flags); + return retval; + } + diff --git a/queue-6.6/usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch b/queue-6.6/usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch new file mode 100644 index 0000000000..6a6bb27d56 --- /dev/null +++ b/queue-6.6/usb-gadget-midi2-fix-midi2-in-ep-max-packet-size.patch @@ -0,0 +1,56 @@ +From 116e79c679a1530cf833d0ff3007061d7a716bd9 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 5 Sep 2025 15:32:34 +0200 +Subject: usb: gadget: midi2: Fix MIDI2 IN EP max packet size + +From: Takashi Iwai + +commit 116e79c679a1530cf833d0ff3007061d7a716bd9 upstream. + +The EP-IN of MIDI2 (altset 1) wasn't initialized in +f_midi2_create_usb_configs() as it's an INT EP unlike others BULK +EPs. But this leaves rather the max packet size unchanged no matter +which speed is used, resulting in the very slow access. +And the wMaxPacketSize values set there look legit for INT EPs, so +let's initialize the MIDI2 EP-IN there for achieving the equivalent +speed as well. + +Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver") +Cc: stable +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20250905133240.20966-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_midi2.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_midi2.c ++++ b/drivers/usb/gadget/function/f_midi2.c +@@ -1739,9 +1739,12 @@ static int f_midi2_create_usb_configs(st + case USB_SPEED_HIGH: + midi2_midi1_ep_out_desc.wMaxPacketSize = cpu_to_le16(512); + midi2_midi1_ep_in_desc.wMaxPacketSize = cpu_to_le16(512); +- for (i = 0; i < midi2->num_eps; i++) ++ for (i = 0; i < midi2->num_eps; i++) { + midi2_midi2_ep_out_desc[i].wMaxPacketSize = + cpu_to_le16(512); ++ midi2_midi2_ep_in_desc[i].wMaxPacketSize = ++ cpu_to_le16(512); ++ } + fallthrough; + case USB_SPEED_FULL: + midi1_in_eps = midi2_midi1_ep_in_descs; +@@ -1750,9 +1753,12 @@ static int f_midi2_create_usb_configs(st + case USB_SPEED_SUPER: + midi2_midi1_ep_out_desc.wMaxPacketSize = cpu_to_le16(1024); + midi2_midi1_ep_in_desc.wMaxPacketSize = cpu_to_le16(1024); +- for (i = 0; i < midi2->num_eps; i++) ++ for (i = 0; i < midi2->num_eps; i++) { + midi2_midi2_ep_out_desc[i].wMaxPacketSize = + cpu_to_le16(1024); ++ midi2_midi2_ep_in_desc[i].wMaxPacketSize = ++ cpu_to_le16(1024); ++ } + midi1_in_eps = midi2_midi1_ep_in_ss_descs; + midi1_out_eps = midi2_midi1_ep_out_ss_descs; + break; diff --git a/queue-6.6/usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch b/queue-6.6/usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch new file mode 100644 index 0000000000..05ee06ba70 --- /dev/null +++ b/queue-6.6/usb-gadget-midi2-fix-missing-ump-group-attributes-initialization.patch @@ -0,0 +1,35 @@ +From 21d8525d2e061cde034277d518411b02eac764e2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 4 Sep 2025 17:39:24 +0200 +Subject: usb: gadget: midi2: Fix missing UMP group attributes initialization + +From: Takashi Iwai + +commit 21d8525d2e061cde034277d518411b02eac764e2 upstream. + +The gadget card driver forgot to call snd_ump_update_group_attrs() +after adding FBs, and this leaves the UMP group attributes +uninitialized. As a result, -ENODEV error is returned at opening a +legacy rawmidi device as an inactive group. + +This patch adds the missing call to address the behavior above. + +Fixes: 8b645922b223 ("usb: gadget: Add support for USB MIDI 2.0 function driver") +Cc: stable +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20250904153932.13589-1-tiwai@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_midi2.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_midi2.c ++++ b/drivers/usb/gadget/function/f_midi2.c +@@ -1601,6 +1601,7 @@ static int f_midi2_create_card(struct f_ + strscpy(fb->info.name, ump_fb_name(b), + sizeof(fb->info.name)); + } ++ snd_ump_update_group_attrs(ump); + } + + for (i = 0; i < midi2->num_eps; i++) { diff --git a/queue-6.6/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch b/queue-6.6/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch new file mode 100644 index 0000000000..228d493337 --- /dev/null +++ b/queue-6.6/xhci-dbc-fix-full-dbc-transfer-ring-after-several-reconnects.patch @@ -0,0 +1,86 @@ +From a5c98e8b1398534ae1feb6e95e2d3ee5215538ed Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 2 Sep 2025 13:53:05 +0300 +Subject: xhci: dbc: Fix full DbC transfer ring after several reconnects + +From: Mathias Nyman + +commit a5c98e8b1398534ae1feb6e95e2d3ee5215538ed upstream. + +Pending requests will be flushed on disconnect, and the corresponding +TRBs will be turned into No-op TRBs, which are ignored by the xHC +controller once it starts processing the ring. + +If the USB debug cable repeatedly disconnects before ring is started +then the ring will eventually be filled with No-op TRBs. +No new transfers can be queued when the ring is full, and driver will +print the following error message: + + "xhci_hcd 0000:00:14.0: failed to queue trbs" + +This is a normal case for 'in' transfers where TRBs are always enqueued +in advance, ready to take on incoming data. If no data arrives, and +device is disconnected, then ring dequeue will remain at beginning of +the ring while enqueue points to first free TRB after last cancelled +No-op TRB. +s +Solve this by reinitializing the rings when the debug cable disconnects +and DbC is leaving the configured state. +Clear the whole ring buffer and set enqueue and dequeue to the beginning +of ring, and set cycle bit to its initial state. + +Cc: stable@vger.kernel.org +Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250902105306.877476-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-dbgcap.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-dbgcap.c ++++ b/drivers/usb/host/xhci-dbgcap.c +@@ -421,6 +421,25 @@ dbc_alloc_ctx(struct device *dev, gfp_t + return ctx; + } + ++static int xhci_dbc_reinit_ep_rings(struct xhci_dbc *dbc) ++{ ++ struct xhci_ring *in_ring = dbc->eps[BULK_IN].ring; ++ struct xhci_ring *out_ring = dbc->eps[BULK_OUT].ring; ++ ++ if (!in_ring || !out_ring || !dbc->ctx) { ++ dev_warn(dbc->dev, "Can't re-init unallocated endpoints\n"); ++ return -ENODEV; ++ } ++ ++ xhci_dbc_ring_init(in_ring); ++ xhci_dbc_ring_init(out_ring); ++ ++ /* set ep context enqueue, dequeue, and cycle to initial values */ ++ xhci_dbc_init_ep_contexts(dbc); ++ ++ return 0; ++} ++ + static struct xhci_ring * + xhci_dbc_ring_alloc(struct device *dev, enum xhci_ring_type type, gfp_t flags) + { +@@ -850,7 +869,7 @@ static enum evtreturn xhci_dbc_do_handle + dev_info(dbc->dev, "DbC cable unplugged\n"); + dbc->state = DS_ENABLED; + xhci_dbc_flush_requests(dbc); +- ++ xhci_dbc_reinit_ep_rings(dbc); + return EVT_DISC; + } + +@@ -860,7 +879,7 @@ static enum evtreturn xhci_dbc_do_handle + writel(portsc, &dbc->regs->portsc); + dbc->state = DS_ENABLED; + xhci_dbc_flush_requests(dbc); +- ++ xhci_dbc_reinit_ep_rings(dbc); + return EVT_DISC; + } + diff --git a/queue-6.6/xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch b/queue-6.6/xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch new file mode 100644 index 0000000000..22a2891f2b --- /dev/null +++ b/queue-6.6/xhci-fix-memory-leak-regression-when-freeing-xhci-vdev-devices-depth-first.patch @@ -0,0 +1,46 @@ +From edcbe06453ddfde21f6aa763f7cab655f26133cc Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 2 Sep 2025 13:53:06 +0300 +Subject: xhci: fix memory leak regression when freeing xhci vdev devices depth first + +From: Mathias Nyman + +commit edcbe06453ddfde21f6aa763f7cab655f26133cc upstream. + +Suspend-resume cycle test revealed a memory leak in 6.17-rc3 + +Turns out the slot_id race fix changes accidentally ends up calling +xhci_free_virt_device() with an incorrect vdev parameter. +The vdev variable was reused for temporary purposes right before calling +xhci_free_virt_device(). + +Fix this by passing the correct vdev parameter. + +The slot_id race fix that caused this regression was targeted for stable, +so this needs to be applied there as well. + +Fixes: 2eb03376151b ("usb: xhci: Fix slot_id resource race conflict") +Reported-by: David Wang <00107082@163.com> +Closes: https://lore.kernel.org/linux-usb/20250829181354.4450-1-00107082@163.com +Suggested-by: Michal Pecio +Suggested-by: David Wang <00107082@163.com> +Cc: stable@vger.kernel.org +Tested-by: David Wang <00107082@163.com> +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250902105306.877476-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-mem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -945,7 +945,7 @@ static void xhci_free_virt_devices_depth + out: + /* we are now at a leaf device */ + xhci_debugfs_remove_slot(xhci, slot_id); +- xhci_free_virt_device(xhci, vdev, slot_id); ++ xhci_free_virt_device(xhci, xhci->devs[slot_id], slot_id); + } + + int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,