From: Greg Kroah-Hartman Date: Mon, 1 Dec 2025 16:07:39 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.4.302~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e46f8aafc8f115b9749995b36f5a0631cf28c58d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch atm-fore200e-fix-possible-data-race-in-fore200e_open.patch can-sja1000-fix-max-irq-loop-handling.patch can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch dm-verity-fix-unreliable-memory-allocation.patch drivers-usb-dwc3-fix-pci-parent-check.patch firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch smb-client-fix-memory-leak-in-cifs_construct_tcon.patch thunderbolt-add-support-for-intel-wildcat-lake.patch --- diff --git a/queue-6.1/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch b/queue-6.1/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch new file mode 100644 index 0000000000..d76d18360d --- /dev/null +++ b/queue-6.1/alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch @@ -0,0 +1,46 @@ +From c83fc13960643c4429cd9dfef1321e6430a81b47 Mon Sep 17 00:00:00 2001 +From: Ivan Zhaldak +Date: Mon, 17 Nov 2025 15:58:35 +0300 +Subject: ALSA: usb-audio: Add DSD quirk for LEAK Stereo 230 + +From: Ivan Zhaldak + +commit c83fc13960643c4429cd9dfef1321e6430a81b47 upstream. + +Integrated amplifier LEAK Stereo 230 by IAG Limited has built-in +ESS9038Q2M DAC served by XMOS controller. It supports both DSD Native +and DSD-over-PCM (DoP) operational modes. But it doesn't work properly +by default and tries DSD-to-PCM conversion. USB quirks below allow it +to operate as designed. + +Add DSD_RAW quirk flag for IAG Limited devices (vendor ID 0x2622) +Add DSD format quirk for LEAK Stereo 230 (USB ID 0x2622:0x0061) + +Signed-off-by: Ivan Zhaldak +Cc: +Link: https://patch.msgid.link/20251117125848.30769-1-i.v.zhaldak@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1926,6 +1926,7 @@ u64 snd_usb_interface_dsd_format_quirks( + case USB_ID(0x249c, 0x9326): /* M2Tech Young MkIII */ + case USB_ID(0x2616, 0x0106): /* PS Audio NuWave DAC */ + case USB_ID(0x2622, 0x0041): /* Audiolab M-DAC+ */ ++ case USB_ID(0x2622, 0x0061): /* LEAK Stereo 230 */ + case USB_ID(0x278b, 0x5100): /* Rotel RC-1590 */ + case USB_ID(0x27f7, 0x3002): /* W4S DAC-2v2SE */ + case USB_ID(0x29a2, 0x0086): /* Mutec MC3+ USB */ +@@ -2309,6 +2310,8 @@ static const struct usb_audio_quirk_flag + QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x25ce, /* Mytek devices */ + QUIRK_FLAG_DSD_RAW), ++ VENDOR_FLG(0x2622, /* IAG Limited devices */ ++ QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x278b, /* Rotel? */ + QUIRK_FLAG_DSD_RAW), + VENDOR_FLG(0x292b, /* Gustard/Ess based devices */ diff --git a/queue-6.1/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch b/queue-6.1/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch new file mode 100644 index 0000000000..296cd60daf --- /dev/null +++ b/queue-6.1/atm-fore200e-fix-possible-data-race-in-fore200e_open.patch @@ -0,0 +1,57 @@ +From 82fca3d8a4a34667f01ec2351a607135249c9cff Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Thu, 20 Nov 2025 20:06:57 +0800 +Subject: atm/fore200e: Fix possible data race in fore200e_open() + +From: Gui-Dong Han + +commit 82fca3d8a4a34667f01ec2351a607135249c9cff upstream. + +Protect access to fore200e->available_cell_rate with rate_mtx lock in the +error handling path of fore200e_open() to prevent a data race. + +The field fore200e->available_cell_rate is a shared resource used to track +available bandwidth. It is concurrently accessed by fore200e_open(), +fore200e_close(), and fore200e_change_qos(). + +In fore200e_open(), the lock rate_mtx is correctly held when subtracting +vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. +However, if the subsequent call to fore200e_activate_vcin() fails, the +function restores the reserved bandwidth by adding back to +available_cell_rate without holding the lock. + +This introduces a race condition because available_cell_rate is a global +device resource shared across all VCCs. If the error path in +fore200e_open() executes concurrently with operations like +fore200e_close() or fore200e_change_qos() on other VCCs, a +read-modify-write race occurs. + +Specifically, the error path reads the rate without the lock. If another +CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in +fore200e_close()) between this read and the subsequent write, the error +path will overwrite the concurrent update with a stale value. This results +in incorrect bandwidth accounting. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20251120120657.2462194-1-hanguidong02@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/atm/fore200e.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/atm/fore200e.c ++++ b/drivers/atm/fore200e.c +@@ -1377,7 +1377,9 @@ fore200e_open(struct atm_vcc *vcc) + + vcc->dev_data = NULL; + ++ mutex_lock(&fore200e->rate_mtx); + fore200e->available_cell_rate += vcc->qos.txtp.max_pcr; ++ mutex_unlock(&fore200e->rate_mtx); + + kfree(fore200e_vcc); + return -EINVAL; diff --git a/queue-6.1/can-sja1000-fix-max-irq-loop-handling.patch b/queue-6.1/can-sja1000-fix-max-irq-loop-handling.patch new file mode 100644 index 0000000000..4839e49ec1 --- /dev/null +++ b/queue-6.1/can-sja1000-fix-max-irq-loop-handling.patch @@ -0,0 +1,45 @@ +From 30db4451c7f6aabcada029b15859a76962ec0cf8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?= +Date: Sat, 15 Nov 2025 15:34:56 +0000 +Subject: can: sja1000: fix max irq loop handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Mühlbacher + +commit 30db4451c7f6aabcada029b15859a76962ec0cf8 upstream. + +Reading the interrupt register `SJA1000_IR` causes all of its bits to be +reset. If we ever reach the condition of handling more than +`SJA1000_MAX_IRQ` IRQs, we will have read the register and reset all its +bits but without actually handling the interrupt inside of the loop +body. + +This may, among other issues, cause us to never `netif_wake_queue()` +again after a transmission interrupt. + +Fixes: 429da1cc841b ("can: Driver for the SJA1000 CAN controller") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Mühlbacher +Acked-by: Oliver Hartkopp +Link: https://patch.msgid.link/20251115153437.11419-1-tmuehlbacher@posteo.net +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/sja1000/sja1000.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/sja1000/sja1000.c ++++ b/drivers/net/can/sja1000/sja1000.c +@@ -521,8 +521,8 @@ irqreturn_t sja1000_interrupt(int irq, v + if (priv->read_reg(priv, SJA1000_IER) == IRQ_OFF) + goto out; + +- while ((isrc = priv->read_reg(priv, SJA1000_IR)) && +- (n < SJA1000_MAX_IRQ)) { ++ while ((n < SJA1000_MAX_IRQ) && ++ (isrc = priv->read_reg(priv, SJA1000_IR))) { + + status = priv->read_reg(priv, SJA1000_SR); + /* check for absent controller due to hw unplug */ diff --git a/queue-6.1/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch b/queue-6.1/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch new file mode 100644 index 0000000000..7109eb68a4 --- /dev/null +++ b/queue-6.1/can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch @@ -0,0 +1,45 @@ +From 76544beea7cfe5bcce6d60f53811657b88ec8be1 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sun, 16 Nov 2025 16:55:26 +0100 +Subject: can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marc Kleine-Budde + +commit 76544beea7cfe5bcce6d60f53811657b88ec8be1 upstream. + +Reading the interrupt register `SUN4I_REG_INT_ADDR` causes all of its bits +to be reset. If we ever reach the condition of handling more than +`SUN4I_CAN_MAX_IRQ` IRQs, we will have read the register and reset all its +bits but without actually handling the interrupt inside of the loop body. + +This may, among other issues, cause us to never `netif_wake_queue()` again +after a transmission interrupt. + +Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") +Cc: stable@vger.kernel.org +Co-developed-by: Thomas Mühlbacher +Signed-off-by: Thomas Mühlbacher +Acked-by: Jernej Skrabec +Link: https://patch.msgid.link/20251116-sun4i-fix-loop-v1-1-3d76d3f81950@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/sun4i_can.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/sun4i_can.c ++++ b/drivers/net/can/sun4i_can.c +@@ -658,8 +658,8 @@ static irqreturn_t sun4i_can_interrupt(i + u8 isrc, status; + int n = 0; + +- while ((isrc = readl(priv->base + SUN4I_REG_INT_ADDR)) && +- (n < SUN4I_CAN_MAX_IRQ)) { ++ while ((n < SUN4I_CAN_MAX_IRQ) && ++ (isrc = readl(priv->base + SUN4I_REG_INT_ADDR))) { + n++; + status = readl(priv->base + SUN4I_REG_STA_ADDR); + diff --git a/queue-6.1/dm-verity-fix-unreliable-memory-allocation.patch b/queue-6.1/dm-verity-fix-unreliable-memory-allocation.patch new file mode 100644 index 0000000000..70d7057179 --- /dev/null +++ b/queue-6.1/dm-verity-fix-unreliable-memory-allocation.patch @@ -0,0 +1,36 @@ +From fe680d8c747f4e676ac835c8c7fb0f287cd98758 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 17 Nov 2025 21:42:02 +0100 +Subject: dm-verity: fix unreliable memory allocation + +From: Mikulas Patocka + +commit fe680d8c747f4e676ac835c8c7fb0f287cd98758 upstream. + +GFP_NOWAIT allocation may fail anytime. It needs to be changed to +GFP_NOIO. There's no need to handle an error because mempool_alloc with +GFP_NOIO can't fail. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Reviewed-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -330,11 +330,7 @@ static int fec_alloc_bufs(struct dm_veri + if (fio->bufs[n]) + continue; + +- fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOWAIT); +- if (unlikely(!fio->bufs[n])) { +- DMERR("failed to allocate FEC buffer"); +- return -ENOMEM; +- } ++ fio->bufs[n] = mempool_alloc(&v->fec->prealloc_pool, GFP_NOIO); + } + + /* try to allocate the maximum number of buffers */ diff --git a/queue-6.1/drivers-usb-dwc3-fix-pci-parent-check.patch b/queue-6.1/drivers-usb-dwc3-fix-pci-parent-check.patch new file mode 100644 index 0000000000..a3e9b7ca5c --- /dev/null +++ b/queue-6.1/drivers-usb-dwc3-fix-pci-parent-check.patch @@ -0,0 +1,48 @@ +From 40f8d17eed7533ed2bbb5e3cc680049b19411b2e Mon Sep 17 00:00:00 2001 +From: Jamie Iles +Date: Fri, 7 Nov 2025 10:44:37 +0000 +Subject: drivers/usb/dwc3: fix PCI parent check + +From: Jamie Iles + +commit 40f8d17eed7533ed2bbb5e3cc680049b19411b2e upstream. + +The sysdev_is_parent check was being used to infer PCI devices that have +the DMA mask set from the PCI capabilities, but sysdev_is_parent is also +used for non-PCI ACPI devices in which case the DMA mask would be the +bus default or as set by the _DMA method. + +Without this fix the DMA mask would default to 32-bits and so allocation +would fail if there was no DRAM below 4GB. + +Fixes: 47ce45906ca9 ("usb: dwc3: leave default DMA for PCI devices") +Cc: stable +Signed-off-by: Jamie Iles +Signed-off-by: Punit Agrawal +Acked-by: Thinh Nguyen +Link: https://patch.msgid.link/20251107104437.1602509-1-punit.agrawal@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1996,7 +1997,7 @@ static int dwc3_probe(struct platform_de + platform_set_drvdata(pdev, dwc); + dwc3_cache_hwparams(dwc); + +- if (!dwc->sysdev_is_parent && ++ if (!dev_is_pci(dwc->sysdev) && + DWC3_GHWPARAMS0_AWIDTH(dwc->hwparams.hwparams0) == 64) { + ret = dma_set_mask_and_coherent(dwc->sysdev, DMA_BIT_MASK(64)); + if (ret) diff --git a/queue-6.1/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch b/queue-6.1/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch new file mode 100644 index 0000000000..f00ac2b081 --- /dev/null +++ b/queue-6.1/firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch @@ -0,0 +1,69 @@ +From d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 Mon Sep 17 00:00:00 2001 +From: Khairul Anuar Romli +Date: Mon, 3 Nov 2025 07:21:28 +0800 +Subject: firmware: stratix10-svc: fix bug in saving controller data + +From: Khairul Anuar Romli + +commit d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 upstream. + +Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They +both are of the same data and overrides each other. This resulted in the +rmmod of the svc driver to fail and throw a kernel panic for kthread_stop +and fifo free. + +Fixes: b5dc75c915cd ("firmware: stratix10-svc: extend svc to support new RSU features") +Cc: stable@vger.kernel.org # 6.6+ +Signed-off-by: Ang Tien Sung +Signed-off-by: Khairul Anuar Romli +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -133,6 +133,7 @@ struct stratix10_svc_data { + * @complete_status: state for completion + * @svc_fifo_lock: protect access to service message data queue + * @invoke_fn: function to issue secure monitor call or hypervisor call ++ * @svc: manages the list of client svc drivers + * + * This struct is used to create communication channels for service clients, to + * handle secure monitor or hypervisor call. +@@ -149,6 +150,7 @@ struct stratix10_svc_controller { + struct completion complete_status; + spinlock_t svc_fifo_lock; + svc_invoke_fn *invoke_fn; ++ struct stratix10_svc *svc; + }; + + /** +@@ -1191,6 +1193,7 @@ static int stratix10_svc_drv_probe(struc + ret = -ENOMEM; + goto err_free_kfifo; + } ++ controller->svc = svc; + + svc->stratix10_svc_rsu = platform_device_alloc(STRATIX10_RSU, 0); + if (!svc->stratix10_svc_rsu) { +@@ -1218,8 +1221,6 @@ static int stratix10_svc_drv_probe(struc + goto err_unregister_dev; + } + +- dev_set_drvdata(dev, svc); +- + pr_info("Intel Service Layer Driver Initialized\n"); + + return 0; +@@ -1235,8 +1236,8 @@ err_destroy_pool: + + static int stratix10_svc_drv_remove(struct platform_device *pdev) + { +- struct stratix10_svc *svc = dev_get_drvdata(&pdev->dev); + struct stratix10_svc_controller *ctrl = platform_get_drvdata(pdev); ++ struct stratix10_svc *svc = ctrl->svc; + + platform_device_unregister(svc->intel_svc_fcs); + platform_device_unregister(svc->stratix10_svc_rsu); diff --git a/queue-6.1/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch b/queue-6.1/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch new file mode 100644 index 0000000000..e6d88ec72c --- /dev/null +++ b/queue-6.1/serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch @@ -0,0 +1,41 @@ +From eb4917f557d43c7a1c805dd73ffcdfddb2aba39a Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 17:20:50 +0800 +Subject: serial: amba-pl011: prefer dma_mapping_error() over explicit address checking + +From: Miaoqian Lin + +commit eb4917f557d43c7a1c805dd73ffcdfddb2aba39a upstream. + +Check for returned DMA addresses using specialized dma_mapping_error() +helper which is generally recommended for this purpose by +Documentation/core-api/dma-api.rst: + + "In some circumstances dma_map_single(), ... +will fail to create a mapping. A driver can check for these errors +by testing the returned DMA address with dma_mapping_error()." + +Found via static analysis and this is similar to commit fa0308134d26 +("ALSA: memalloc: prefer dma_mapping_error() over explicit address checking") + +Fixes: 58ac1b379979 ("ARM: PL011: Fix DMA support") +Cc: stable +Signed-off-by: Miaoqian Lin +Reviewed-by: Gregory CLEMENT +Link: https://patch.msgid.link/20251027092053.87937-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/amba-pl011.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -635,7 +635,7 @@ static int pl011_dma_tx_refill(struct ua + dmatx->len = count; + dmatx->dma = dma_map_single(dma_dev->dev, dmatx->buf, count, + DMA_TO_DEVICE); +- if (dmatx->dma == DMA_MAPPING_ERROR) { ++ if (dma_mapping_error(dma_dev->dev, dmatx->dma)) { + uap->dmatx.queued = false; + dev_dbg(uap->port.dev, "unable to map TX DMA\n"); + return -EBUSY; diff --git a/queue-6.1/series b/queue-6.1/series index b2ea899baa..6321dc92ab 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -523,3 +523,14 @@ iio-accel-fix-adxl355-startup-race-condition.patch iio-adc-ad7280a-fix-ad7280_store_balance_timer.patch mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflow.patch +alsa-usb-audio-add-dsd-quirk-for-leak-stereo-230.patch +atm-fore200e-fix-possible-data-race-in-fore200e_open.patch +can-sja1000-fix-max-irq-loop-handling.patch +can-sun4i_can-sun4i_can_interrupt-fix-max-irq-loop-handling.patch +dm-verity-fix-unreliable-memory-allocation.patch +drivers-usb-dwc3-fix-pci-parent-check.patch +smb-client-fix-memory-leak-in-cifs_construct_tcon.patch +thunderbolt-add-support-for-intel-wildcat-lake.patch +slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch +firmware-stratix10-svc-fix-bug-in-saving-controller-data.patch +serial-amba-pl011-prefer-dma_mapping_error-over-explicit-address-checking.patch diff --git a/queue-6.1/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch b/queue-6.1/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch new file mode 100644 index 0000000000..8195333b6b --- /dev/null +++ b/queue-6.1/slimbus-ngd-fix-reference-count-leak-in-qcom_slim_ngd_notify_slaves.patch @@ -0,0 +1,38 @@ +From 96cf8500934e0ce2a6c486f1dbc3b1fff12f7a5e Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 14:06:01 +0800 +Subject: slimbus: ngd: Fix reference count leak in qcom_slim_ngd_notify_slaves + +From: Miaoqian Lin + +commit 96cf8500934e0ce2a6c486f1dbc3b1fff12f7a5e upstream. + +The function qcom_slim_ngd_notify_slaves() calls of_slim_get_device() which +internally uses device_find_child() to obtain a device reference. +According to the device_find_child() documentation, +the caller must drop the reference with put_device() after use. + +Found via static analysis and this is similar to commit 4e65bda8273c +("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") + +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Cc: stable +Signed-off-by: Miaoqian Lin +Reviewed-by: Dmitry Baryshkov +Link: https://patch.msgid.link/20251027060601.33228-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/qcom-ngd-ctrl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1164,6 +1164,7 @@ static void qcom_slim_ngd_notify_slaves( + + if (slim_get_logical_addr(sbdev)) + dev_err(ctrl->dev, "Failed to get logical address\n"); ++ put_device(&sbdev->dev); + } + } + diff --git a/queue-6.1/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch b/queue-6.1/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch new file mode 100644 index 0000000000..136c434353 --- /dev/null +++ b/queue-6.1/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch @@ -0,0 +1,65 @@ +From 3184b6a5a24ec9ee74087b2a550476f386df7dc2 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Mon, 24 Nov 2025 17:00:36 -0300 +Subject: smb: client: fix memory leak in cifs_construct_tcon() + +From: Paulo Alcantara + +commit 3184b6a5a24ec9ee74087b2a550476f386df7dc2 upstream. + +When having a multiuser mount with domain= specified and using +cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, +so it needs to be freed before leaving cifs_construct_tcon(). + +This fixes the following memory leak reported by kmemleak: + + mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,... + su - testuser + cifscreds add -d ZELDA -u testuser + ... + ls /mnt/1 + ... + umount /mnt + echo scan > /sys/kernel/debug/kmemleak + cat /sys/kernel/debug/kmemleak + unreferenced object 0xffff8881203c3f08 (size 8): + comm "ls", pid 5060, jiffies 4307222943 + hex dump (first 8 bytes): + 5a 45 4c 44 41 00 cc cc ZELDA... + backtrace (crc d109a8cf): + __kmalloc_node_track_caller_noprof+0x572/0x710 + kstrdup+0x3a/0x70 + cifs_sb_tlink+0x1209/0x1770 [cifs] + cifs_get_fattr+0xe1/0xf50 [cifs] + cifs_get_inode_info+0xb5/0x240 [cifs] + cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs] + cifs_getattr+0x28e/0x450 [cifs] + vfs_getattr_nosec+0x126/0x180 + vfs_statx+0xf6/0x220 + do_statx+0xab/0x110 + __x64_sys_statx+0xd5/0x130 + do_syscall_64+0xbb/0x380 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: f2aee329a68f ("cifs: set domainName when a domain-key is used in multiuser") +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Jay Shin +Cc: stable@vger.kernel.org +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -4417,6 +4417,7 @@ cifs_construct_tcon(struct cifs_sb_info + + out: + kfree(ctx->username); ++ kfree(ctx->domainname); + kfree_sensitive(ctx->password); + kfree(ctx); + diff --git a/queue-6.1/thunderbolt-add-support-for-intel-wildcat-lake.patch b/queue-6.1/thunderbolt-add-support-for-intel-wildcat-lake.patch new file mode 100644 index 0000000000..068b7a759e --- /dev/null +++ b/queue-6.1/thunderbolt-add-support-for-intel-wildcat-lake.patch @@ -0,0 +1,43 @@ +From 3575254546a27210a4b661ea37fbbfb836c0815d Mon Sep 17 00:00:00 2001 +From: Alan Borzeszkowski +Date: Thu, 14 Nov 2024 10:55:44 +0100 +Subject: thunderbolt: Add support for Intel Wildcat Lake + +From: Alan Borzeszkowski + +commit 3575254546a27210a4b661ea37fbbfb836c0815d upstream. + +Intel Wildcat Lake derives its Thunderbolt/USB4 controller from Lunar +Lake platform. Add Wildcat Lake PCI ID to the driver list of supported +devices. + +Signed-off-by: Alan Borzeszkowski +Cc: stable@vger.kernel.org +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/nhi.c | 2 ++ + drivers/thunderbolt/nhi.h | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -1491,6 +1491,8 @@ static struct pci_device_id nhi_ids[] = + .driver_data = (kernel_ulong_t)&icl_nhi_ops }, + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_PTL_P_NHI1), + .driver_data = (kernel_ulong_t)&icl_nhi_ops }, ++ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_WCL_NHI0), ++ .driver_data = (kernel_ulong_t)&icl_nhi_ops }, + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI) }, + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI) }, + +--- a/drivers/thunderbolt/nhi.h ++++ b/drivers/thunderbolt/nhi.h +@@ -75,6 +75,7 @@ extern const struct tb_nhi_ops icl_nhi_o + #define PCI_DEVICE_ID_INTEL_TITAN_RIDGE_DD_BRIDGE 0x15ef + #define PCI_DEVICE_ID_INTEL_ADL_NHI0 0x463e + #define PCI_DEVICE_ID_INTEL_ADL_NHI1 0x466d ++#define PCI_DEVICE_ID_INTEL_WCL_NHI0 0x4d33 + #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_80G_NHI 0x5781 + #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HOST_40G_NHI 0x5784 + #define PCI_DEVICE_ID_INTEL_BARLOW_RIDGE_HUB_80G_BRIDGE 0x5786