From 2d858f4d8ef63e834c0352793d2af95ec3320c20 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 20 Oct 2025 11:13:47 +0200 Subject: [PATCH] 6.12-stable patches added patches: cdx-fix-device-node-reference-leak-in-cdx_msi_domain_init.patch cpufreq-cppc-avoid-using-cpufreq_eternal-as-transition-delay.patch drm-amd-check-whether-secure-display-ta-loaded-successfully.patch drm-exynos-exynos7_drm_decon-fix-uninitialized-crtc-reference-in-functions.patch drm-exynos-exynos7_drm_decon-properly-clear-channels-during-bind.patch drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch drm-msm-a6xx-fix-pdc-sleep-sequence.patch irqdomain-cdx-switch-to-of_fwnode_handle.patch media-nxp-imx8-isi-drop-unused-argument-to-mxc_isi_channel_chain.patch media-nxp-imx8-isi-m2m-fix-streaming-cleanup-on-release.patch usb-gadget-f_acm-refactor-bind-path-to-use-__free.patch usb-gadget-f_ecm-refactor-bind-path-to-use-__free.patch usb-gadget-f_ncm-refactor-bind-path-to-use-__free.patch usb-gadget-f_rndis-refactor-bind-path-to-use-__free.patch usb-gadget-introduce-free_usb_request-helper.patch usb-gadget-store-endpoint-pointer-in-usb_request.patch --- ...eference-leak-in-cdx_msi_domain_init.patch | 37 ++ ...-cpufreq_eternal-as-transition-delay.patch | 69 ++++ ...ecure-display-ta-loaded-successfully.patch | 40 ++ ...tialized-crtc-reference-in-functions.patch | 67 ++++ ...-properly-clear-channels-during-bind.patch | 117 ++++++ ...ynos7_drm_decon-remove-ctx-suspended.patch | 166 +++++++++ .../drm-msm-a6xx-fix-pdc-sleep-sequence.patch | 133 +++++++ ...omain-cdx-switch-to-of_fwnode_handle.patch | 49 +++ ...ed-argument-to-mxc_isi_channel_chain.patch | 101 +++++ ...m2m-fix-streaming-cleanup-on-release.patch | 344 ++++++++++++++++++ queue-6.12/series | 16 + ...acm-refactor-bind-path-to-use-__free.patch | 173 +++++++++ ...ecm-refactor-bind-path-to-use-__free.patch | 157 ++++++++ ...ncm-refactor-bind-path-to-use-__free.patch | 230 ++++++++++++ ...dis-refactor-bind-path-to-use-__free.patch | 212 +++++++++++ ...et-introduce-free_usb_request-helper.patch | 68 ++++ ...tore-endpoint-pointer-in-usb_request.patch | 66 ++++ 17 files changed, 2045 insertions(+) create mode 100644 queue-6.12/cdx-fix-device-node-reference-leak-in-cdx_msi_domain_init.patch create mode 100644 queue-6.12/cpufreq-cppc-avoid-using-cpufreq_eternal-as-transition-delay.patch create mode 100644 queue-6.12/drm-amd-check-whether-secure-display-ta-loaded-successfully.patch create mode 100644 queue-6.12/drm-exynos-exynos7_drm_decon-fix-uninitialized-crtc-reference-in-functions.patch create mode 100644 queue-6.12/drm-exynos-exynos7_drm_decon-properly-clear-channels-during-bind.patch create mode 100644 queue-6.12/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch create mode 100644 queue-6.12/drm-msm-a6xx-fix-pdc-sleep-sequence.patch create mode 100644 queue-6.12/irqdomain-cdx-switch-to-of_fwnode_handle.patch create mode 100644 queue-6.12/media-nxp-imx8-isi-drop-unused-argument-to-mxc_isi_channel_chain.patch create mode 100644 queue-6.12/media-nxp-imx8-isi-m2m-fix-streaming-cleanup-on-release.patch create mode 100644 queue-6.12/usb-gadget-f_acm-refactor-bind-path-to-use-__free.patch create mode 100644 queue-6.12/usb-gadget-f_ecm-refactor-bind-path-to-use-__free.patch create mode 100644 queue-6.12/usb-gadget-f_ncm-refactor-bind-path-to-use-__free.patch create mode 100644 queue-6.12/usb-gadget-f_rndis-refactor-bind-path-to-use-__free.patch create mode 100644 queue-6.12/usb-gadget-introduce-free_usb_request-helper.patch create mode 100644 queue-6.12/usb-gadget-store-endpoint-pointer-in-usb_request.patch diff --git a/queue-6.12/cdx-fix-device-node-reference-leak-in-cdx_msi_domain_init.patch b/queue-6.12/cdx-fix-device-node-reference-leak-in-cdx_msi_domain_init.patch new file mode 100644 index 0000000000..cf453ac846 --- /dev/null +++ b/queue-6.12/cdx-fix-device-node-reference-leak-in-cdx_msi_domain_init.patch @@ -0,0 +1,37 @@ +From stable+bounces-187844-greg=kroah.com@vger.kernel.org Sat Oct 18 17:14:19 2025 +From: Sasha Levin +Date: Sat, 18 Oct 2025 11:14:10 -0400 +Subject: cdx: Fix device node reference leak in cdx_msi_domain_init +To: stable@vger.kernel.org +Cc: Miaoqian Lin , Nipun Gupta , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251018151410.809778-2-sashal@kernel.org> + +From: Miaoqian Lin + +[ Upstream commit 76254bc489d39dae9a3427f0984fe64213d20548 ] + +Add missing of_node_put() call to release +the device node reference obtained via of_parse_phandle(). + +Fixes: 0e439ba38e61 ("cdx: add MSI support for CDX bus") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Acked-by: Nipun Gupta +Link: https://lore.kernel.org/r/20250902084933.2418264-1-linmq006@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cdx/cdx_msi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/cdx/cdx_msi.c ++++ b/drivers/cdx/cdx_msi.c +@@ -174,6 +174,7 @@ struct irq_domain *cdx_msi_domain_init(s + } + + parent = irq_find_matching_fwnode(of_fwnode_handle(parent_node), DOMAIN_BUS_NEXUS); ++ of_node_put(parent_node); + if (!parent || !msi_get_domain_info(parent)) { + dev_err(dev, "unable to locate ITS domain\n"); + return NULL; diff --git a/queue-6.12/cpufreq-cppc-avoid-using-cpufreq_eternal-as-transition-delay.patch b/queue-6.12/cpufreq-cppc-avoid-using-cpufreq_eternal-as-transition-delay.patch new file mode 100644 index 0000000000..be8879fa4e --- /dev/null +++ b/queue-6.12/cpufreq-cppc-avoid-using-cpufreq_eternal-as-transition-delay.patch @@ -0,0 +1,69 @@ +From stable+bounces-187850-greg=kroah.com@vger.kernel.org Sat Oct 18 18:13:48 2025 +From: Sasha Levin +Date: Sat, 18 Oct 2025 12:13:41 -0400 +Subject: cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , "Mario Limonciello (AMD)" , Jie Zhan , Viresh Kumar , Qais Yousef , Sasha Levin +Message-ID: <20251018161341.836384-1-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit f965d111e68f4a993cc44d487d416e3d954eea11 ] + +If cppc_get_transition_latency() returns CPUFREQ_ETERNAL to indicate a +failure to retrieve the transition latency value from the platform +firmware, the CPPC cpufreq driver will use that value (converted to +microseconds) as the policy transition delay, but it is way too large +for any practical use. + +Address this by making the driver use the cpufreq's default +transition latency value (in microseconds) as the transition delay +if CPUFREQ_ETERNAL is returned by cppc_get_transition_latency(). + +Fixes: d4f3388afd48 ("cpufreq / CPPC: Set platform specific transition_delay_us") +Cc: 5.19+ # 5.19 +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mario Limonciello (AMD) +Reviewed-by: Jie Zhan +Acked-by: Viresh Kumar +Reviewed-by: Qais Yousef +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -339,6 +339,16 @@ static int cppc_verify_policy(struct cpu + return 0; + } + ++static unsigned int __cppc_cpufreq_get_transition_delay_us(unsigned int cpu) ++{ ++ unsigned int transition_latency_ns = cppc_get_transition_latency(cpu); ++ ++ if (transition_latency_ns == CPUFREQ_ETERNAL) ++ return CPUFREQ_DEFAULT_TRANSITION_LATENCY_NS / NSEC_PER_USEC; ++ ++ return transition_latency_ns / NSEC_PER_USEC; ++} ++ + /* + * The PCC subspace describes the rate at which platform can accept commands + * on the shared PCC channel (including READs which do not count towards freq +@@ -361,12 +371,12 @@ static unsigned int cppc_cpufreq_get_tra + return 10000; + } + } +- return cppc_get_transition_latency(cpu) / NSEC_PER_USEC; ++ return __cppc_cpufreq_get_transition_delay_us(cpu); + } + #else + static unsigned int cppc_cpufreq_get_transition_delay_us(unsigned int cpu) + { +- return cppc_get_transition_latency(cpu) / NSEC_PER_USEC; ++ return __cppc_cpufreq_get_transition_delay_us(cpu); + } + #endif + diff --git a/queue-6.12/drm-amd-check-whether-secure-display-ta-loaded-successfully.patch b/queue-6.12/drm-amd-check-whether-secure-display-ta-loaded-successfully.patch new file mode 100644 index 0000000000..9a4a0b2f2b --- /dev/null +++ b/queue-6.12/drm-amd-check-whether-secure-display-ta-loaded-successfully.patch @@ -0,0 +1,40 @@ +From c760bcda83571e07b72c10d9da175db5051ed971 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 25 Sep 2025 14:10:57 -0500 +Subject: drm/amd: Check whether secure display TA loaded successfully + +From: Mario Limonciello + +commit c760bcda83571e07b72c10d9da175db5051ed971 upstream. + +[Why] +Not all renoir hardware supports secure display. If the TA is present +but the feature isn't supported it will fail to load or send commands. +This shows ERR messages to the user that make it seems like there is +a problem. + +[How] +Check the resp_status of the context to see if there was an error +before trying to send any secure display commands. + +Reviewed-by: Alex Deucher +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1415 +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +Signed-off-by: Adrian Yip +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +@@ -2171,7 +2171,7 @@ static int psp_securedisplay_initialize( + } + + ret = psp_ta_load(psp, &psp->securedisplay_context.context); +- if (!ret) { ++ if (!ret && !psp->securedisplay_context.context.resp_status) { + psp->securedisplay_context.context.initialized = true; + mutex_init(&psp->securedisplay_context.mutex); + } else diff --git a/queue-6.12/drm-exynos-exynos7_drm_decon-fix-uninitialized-crtc-reference-in-functions.patch b/queue-6.12/drm-exynos-exynos7_drm_decon-fix-uninitialized-crtc-reference-in-functions.patch new file mode 100644 index 0000000000..846eb912c3 --- /dev/null +++ b/queue-6.12/drm-exynos-exynos7_drm_decon-fix-uninitialized-crtc-reference-in-functions.patch @@ -0,0 +1,67 @@ +From stable+bounces-187782-greg=kroah.com@vger.kernel.org Sat Oct 18 04:07:06 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 22:05:13 -0400 +Subject: drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in functions +To: stable@vger.kernel.org +Cc: Kaustabh Chakraborty , Inki Dae , Sasha Levin +Message-ID: <20251018020515.208843-1-sashal@kernel.org> + +From: Kaustabh Chakraborty + +[ Upstream commit d31bbacf783daf1e71fbe5c68df93550c446bf44 ] + +Modify the functions to accept a pointer to struct decon_context +instead. + +Signed-off-by: Kaustabh Chakraborty +Signed-off-by: Inki Dae +Stable-dep-of: e1361a4f1be9 ("drm/exynos: exynos7_drm_decon: remove ctx->suspended") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c +@@ -81,10 +81,8 @@ static const enum drm_plane_type decon_w + DRM_PLANE_TYPE_CURSOR, + }; + +-static void decon_wait_for_vblank(struct exynos_drm_crtc *crtc) ++static void decon_wait_for_vblank(struct decon_context *ctx) + { +- struct decon_context *ctx = crtc->ctx; +- + if (ctx->suspended) + return; + +@@ -100,9 +98,8 @@ static void decon_wait_for_vblank(struct + DRM_DEV_DEBUG_KMS(ctx->dev, "vblank wait timed out.\n"); + } + +-static void decon_clear_channels(struct exynos_drm_crtc *crtc) ++static void decon_clear_channels(struct decon_context *ctx) + { +- struct decon_context *ctx = crtc->ctx; + unsigned int win, ch_enabled = 0; + + /* Check if any channel is enabled. */ +@@ -118,7 +115,7 @@ static void decon_clear_channels(struct + + /* Wait for vsync, as disable channel takes effect at next vsync */ + if (ch_enabled) +- decon_wait_for_vblank(ctx->crtc); ++ decon_wait_for_vblank(ctx); + } + + static int decon_ctx_initialize(struct decon_context *ctx, +@@ -126,7 +123,7 @@ static int decon_ctx_initialize(struct d + { + ctx->drm_dev = drm_dev; + +- decon_clear_channels(ctx->crtc); ++ decon_clear_channels(ctx); + + return exynos_drm_register_dma(drm_dev, ctx->dev, &ctx->dma_priv); + } diff --git a/queue-6.12/drm-exynos-exynos7_drm_decon-properly-clear-channels-during-bind.patch b/queue-6.12/drm-exynos-exynos7_drm_decon-properly-clear-channels-during-bind.patch new file mode 100644 index 0000000000..7627c535a1 --- /dev/null +++ b/queue-6.12/drm-exynos-exynos7_drm_decon-properly-clear-channels-during-bind.patch @@ -0,0 +1,117 @@ +From stable+bounces-187783-greg=kroah.com@vger.kernel.org Sat Oct 18 04:07:23 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 22:05:14 -0400 +Subject: drm/exynos: exynos7_drm_decon: properly clear channels during bind +To: stable@vger.kernel.org +Cc: Kaustabh Chakraborty , Inki Dae , Sasha Levin +Message-ID: <20251018020515.208843-2-sashal@kernel.org> + +From: Kaustabh Chakraborty + +[ Upstream commit 5f1a453974204175f20b3788824a0fe23cc36f79 ] + +The DECON channels are not cleared properly as the windows aren't +shadow protected. When accompanied with an IOMMU, it pagefaults, and +the kernel panics. + +Implement shadow protect/unprotect, along with a standalone update, +for channel clearing to properly take effect. + +Signed-off-by: Kaustabh Chakraborty +Signed-off-by: Inki Dae +Stable-dep-of: e1361a4f1be9 ("drm/exynos: exynos7_drm_decon: remove ctx->suspended") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 55 ++++++++++++++++------------- + 1 file changed, 32 insertions(+), 23 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c +@@ -81,6 +81,28 @@ static const enum drm_plane_type decon_w + DRM_PLANE_TYPE_CURSOR, + }; + ++/** ++ * decon_shadow_protect_win() - disable updating values from shadow registers at vsync ++ * ++ * @ctx: display and enhancement controller context ++ * @win: window to protect registers for ++ * @protect: 1 to protect (disable updates) ++ */ ++static void decon_shadow_protect_win(struct decon_context *ctx, ++ unsigned int win, bool protect) ++{ ++ u32 bits, val; ++ ++ bits = SHADOWCON_WINx_PROTECT(win); ++ ++ val = readl(ctx->regs + SHADOWCON); ++ if (protect) ++ val |= bits; ++ else ++ val &= ~bits; ++ writel(val, ctx->regs + SHADOWCON); ++} ++ + static void decon_wait_for_vblank(struct decon_context *ctx) + { + if (ctx->suspended) +@@ -101,18 +123,27 @@ static void decon_wait_for_vblank(struct + static void decon_clear_channels(struct decon_context *ctx) + { + unsigned int win, ch_enabled = 0; ++ u32 val; + + /* Check if any channel is enabled. */ + for (win = 0; win < WINDOWS_NR; win++) { +- u32 val = readl(ctx->regs + WINCON(win)); ++ val = readl(ctx->regs + WINCON(win)); + + if (val & WINCONx_ENWIN) { ++ decon_shadow_protect_win(ctx, win, true); ++ + val &= ~WINCONx_ENWIN; + writel(val, ctx->regs + WINCON(win)); + ch_enabled = 1; ++ ++ decon_shadow_protect_win(ctx, win, false); + } + } + ++ val = readl(ctx->regs + DECON_UPDATE); ++ val |= DECON_UPDATE_STANDALONE_F; ++ writel(val, ctx->regs + DECON_UPDATE); ++ + /* Wait for vsync, as disable channel takes effect at next vsync */ + if (ch_enabled) + decon_wait_for_vblank(ctx); +@@ -340,28 +371,6 @@ static void decon_win_set_colkey(struct + writel(keycon1, ctx->regs + WKEYCON1_BASE(win)); + } + +-/** +- * decon_shadow_protect_win() - disable updating values from shadow registers at vsync +- * +- * @ctx: display and enhancement controller context +- * @win: window to protect registers for +- * @protect: 1 to protect (disable updates) +- */ +-static void decon_shadow_protect_win(struct decon_context *ctx, +- unsigned int win, bool protect) +-{ +- u32 bits, val; +- +- bits = SHADOWCON_WINx_PROTECT(win); +- +- val = readl(ctx->regs + SHADOWCON); +- if (protect) +- val |= bits; +- else +- val &= ~bits; +- writel(val, ctx->regs + SHADOWCON); +-} +- + static void decon_atomic_begin(struct exynos_drm_crtc *crtc) + { + struct decon_context *ctx = crtc->ctx; diff --git a/queue-6.12/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch b/queue-6.12/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch new file mode 100644 index 0000000000..62d8fac70c --- /dev/null +++ b/queue-6.12/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch @@ -0,0 +1,166 @@ +From stable+bounces-187784-greg=kroah.com@vger.kernel.org Sat Oct 18 04:07:25 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 22:05:15 -0400 +Subject: drm/exynos: exynos7_drm_decon: remove ctx->suspended +To: stable@vger.kernel.org +Cc: Kaustabh Chakraborty , Inki Dae , Sasha Levin +Message-ID: <20251018020515.208843-3-sashal@kernel.org> + +From: Kaustabh Chakraborty + +[ Upstream commit e1361a4f1be9cb69a662c6d7b5ce218007d6e82b ] + +Condition guards are found to be redundant, as the call flow is properly +managed now, as also observed in the Exynos5433 DECON driver. Since +state checking is no longer necessary, remove it. + +This also fixes an issue which prevented decon_commit() from +decon_atomic_enable() due to an incorrect state change setting. + +Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver") +Cc: stable@vger.kernel.org +Suggested-by: Inki Dae +Signed-off-by: Kaustabh Chakraborty +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 36 ----------------------------- + 1 file changed, 36 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c +@@ -51,7 +51,6 @@ struct decon_context { + void __iomem *regs; + unsigned long irq_flags; + bool i80_if; +- bool suspended; + wait_queue_head_t wait_vsync_queue; + atomic_t wait_vsync_event; + +@@ -105,9 +104,6 @@ static void decon_shadow_protect_win(str + + static void decon_wait_for_vblank(struct decon_context *ctx) + { +- if (ctx->suspended) +- return; +- + atomic_set(&ctx->wait_vsync_event, 1); + + /* +@@ -183,9 +179,6 @@ static void decon_commit(struct exynos_d + struct drm_display_mode *mode = &crtc->base.state->adjusted_mode; + u32 val, clkdiv; + +- if (ctx->suspended) +- return; +- + /* nothing to do if we haven't set the mode yet */ + if (mode->htotal == 0 || mode->vtotal == 0) + return; +@@ -247,9 +240,6 @@ static int decon_enable_vblank(struct ex + struct decon_context *ctx = crtc->ctx; + u32 val; + +- if (ctx->suspended) +- return -EPERM; +- + if (!test_and_set_bit(0, &ctx->irq_flags)) { + val = readl(ctx->regs + VIDINTCON0); + +@@ -272,9 +262,6 @@ static void decon_disable_vblank(struct + struct decon_context *ctx = crtc->ctx; + u32 val; + +- if (ctx->suspended) +- return; +- + if (test_and_clear_bit(0, &ctx->irq_flags)) { + val = readl(ctx->regs + VIDINTCON0); + +@@ -376,9 +363,6 @@ static void decon_atomic_begin(struct ex + struct decon_context *ctx = crtc->ctx; + int i; + +- if (ctx->suspended) +- return; +- + for (i = 0; i < WINDOWS_NR; i++) + decon_shadow_protect_win(ctx, i, true); + } +@@ -398,9 +382,6 @@ static void decon_update_plane(struct ex + unsigned int cpp = fb->format->cpp[0]; + unsigned int pitch = fb->pitches[0]; + +- if (ctx->suspended) +- return; +- + /* + * SHADOWCON/PRTCON register is used for enabling timing. + * +@@ -488,9 +469,6 @@ static void decon_disable_plane(struct e + unsigned int win = plane->index; + u32 val; + +- if (ctx->suspended) +- return; +- + /* protect windows */ + decon_shadow_protect_win(ctx, win, true); + +@@ -509,9 +487,6 @@ static void decon_atomic_flush(struct ex + struct decon_context *ctx = crtc->ctx; + int i; + +- if (ctx->suspended) +- return; +- + for (i = 0; i < WINDOWS_NR; i++) + decon_shadow_protect_win(ctx, i, false); + exynos_crtc_handle_event(crtc); +@@ -539,9 +514,6 @@ static void decon_atomic_enable(struct e + struct decon_context *ctx = crtc->ctx; + int ret; + +- if (!ctx->suspended) +- return; +- + ret = pm_runtime_resume_and_get(ctx->dev); + if (ret < 0) { + DRM_DEV_ERROR(ctx->dev, "failed to enable DECON device.\n"); +@@ -555,8 +527,6 @@ static void decon_atomic_enable(struct e + decon_enable_vblank(ctx->crtc); + + decon_commit(ctx->crtc); +- +- ctx->suspended = false; + } + + static void decon_atomic_disable(struct exynos_drm_crtc *crtc) +@@ -564,9 +534,6 @@ static void decon_atomic_disable(struct + struct decon_context *ctx = crtc->ctx; + int i; + +- if (ctx->suspended) +- return; +- + /* + * We need to make sure that all windows are disabled before we + * suspend that connector. Otherwise we might try to scan from +@@ -576,8 +543,6 @@ static void decon_atomic_disable(struct + decon_disable_plane(crtc, &ctx->planes[i]); + + pm_runtime_put_sync(ctx->dev); +- +- ctx->suspended = true; + } + + static const struct exynos_drm_crtc_ops decon_crtc_ops = { +@@ -698,7 +663,6 @@ static int decon_probe(struct platform_d + return -ENOMEM; + + ctx->dev = dev; +- ctx->suspended = true; + + i80_if_timings = of_get_child_by_name(dev->of_node, "i80-if-timings"); + if (i80_if_timings) diff --git a/queue-6.12/drm-msm-a6xx-fix-pdc-sleep-sequence.patch b/queue-6.12/drm-msm-a6xx-fix-pdc-sleep-sequence.patch new file mode 100644 index 0000000000..486872d34d --- /dev/null +++ b/queue-6.12/drm-msm-a6xx-fix-pdc-sleep-sequence.patch @@ -0,0 +1,133 @@ +From stable+bounces-187794-greg=kroah.com@vger.kernel.org Sat Oct 18 04:28:45 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 22:28:32 -0400 +Subject: drm/msm/a6xx: Fix PDC sleep sequence +To: stable@vger.kernel.org +Cc: Akhil P Oommen , Rob Clark , Sasha Levin +Message-ID: <20251018022832.219177-1-sashal@kernel.org> + +From: Akhil P Oommen + +[ Upstream commit f248d5d5159a88ded55329f0b1b463d0f4094228 ] + +Since the PDC resides out of the GPU subsystem and cannot be reset in +case it enters bad state, utmost care must be taken to trigger the PDC +wake/sleep routines in the correct order. + +The PDC wake sequence can be exercised only after a PDC sleep sequence. +Additionally, GMU firmware should initialize a few registers before the +KMD can trigger a PDC sleep sequence. So PDC sleep can't be done if the +GMU firmware has not initialized. Track these dependencies using a new +status variable and trigger PDC sleep/wake sequences appropriately. + +Cc: stable@vger.kernel.org +Fixes: 4b565ca5a2cb ("drm/msm: Add A6XX device support") +Signed-off-by: Akhil P Oommen +Patchwork: https://patchwork.freedesktop.org/patch/673362/ +Signed-off-by: Rob Clark +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 28 +++++++++++++++++----------- + drivers/gpu/drm/msm/adreno/a6xx_gmu.h | 6 ++++++ + 2 files changed, 23 insertions(+), 11 deletions(-) + +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +@@ -236,6 +236,8 @@ static int a6xx_gmu_start(struct a6xx_gm + if (ret) + DRM_DEV_ERROR(gmu->dev, "GMU firmware initialization timed out\n"); + ++ set_bit(GMU_STATUS_FW_START, &gmu->status); ++ + return ret; + } + +@@ -482,6 +484,9 @@ static int a6xx_rpmh_start(struct a6xx_g + int ret; + u32 val; + ++ if (!test_and_clear_bit(GMU_STATUS_PDC_SLEEP, &gmu->status)) ++ return 0; ++ + gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, BIT(1)); + + ret = gmu_poll_timeout(gmu, REG_A6XX_GMU_RSCC_CONTROL_ACK, val, +@@ -509,6 +514,9 @@ static void a6xx_rpmh_stop(struct a6xx_g + int ret; + u32 val; + ++ if (test_and_clear_bit(GMU_STATUS_FW_START, &gmu->status)) ++ return; ++ + gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, 1); + + ret = gmu_poll_timeout_rscc(gmu, REG_A6XX_GPU_RSCC_RSC_STATUS0_DRV0, +@@ -517,6 +525,8 @@ static void a6xx_rpmh_stop(struct a6xx_g + DRM_DEV_ERROR(gmu->dev, "Unable to power off the GPU RSC\n"); + + gmu_write(gmu, REG_A6XX_GMU_RSCC_CONTROL_REQ, 0); ++ ++ set_bit(GMU_STATUS_PDC_SLEEP, &gmu->status); + } + + static inline void pdc_write(void __iomem *ptr, u32 offset, u32 value) +@@ -645,8 +655,6 @@ setup_pdc: + /* ensure no writes happen before the uCode is fully written */ + wmb(); + +- a6xx_rpmh_stop(gmu); +- + err: + if (!IS_ERR_OR_NULL(pdcptr)) + iounmap(pdcptr); +@@ -799,19 +807,15 @@ static int a6xx_gmu_fw_start(struct a6xx + else + gmu_write(gmu, REG_A6XX_GMU_GENERAL_7, 1); + +- if (state == GMU_WARM_BOOT) { +- ret = a6xx_rpmh_start(gmu); +- if (ret) +- return ret; +- } else { ++ ret = a6xx_rpmh_start(gmu); ++ if (ret) ++ return ret; ++ ++ if (state == GMU_COLD_BOOT) { + if (WARN(!adreno_gpu->fw[ADRENO_FW_GMU], + "GMU firmware is not loaded\n")) + return -ENOENT; + +- ret = a6xx_rpmh_start(gmu); +- if (ret) +- return ret; +- + ret = a6xx_gmu_fw_load(gmu); + if (ret) + return ret; +@@ -980,6 +984,8 @@ static void a6xx_gmu_force_off(struct a6 + + /* Reset GPU core blocks */ + a6xx_gpu_sw_reset(gpu, true); ++ ++ a6xx_rpmh_stop(gmu); + } + + static void a6xx_gmu_set_initial_freq(struct msm_gpu *gpu, struct a6xx_gmu *gmu) +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.h ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.h +@@ -99,6 +99,12 @@ struct a6xx_gmu { + struct completion pd_gate; + + struct qmp *qmp; ++ ++/* To check if we can trigger sleep seq at PDC. Cleared in a6xx_rpmh_stop() */ ++#define GMU_STATUS_FW_START 0 ++/* To track if PDC sleep seq was done */ ++#define GMU_STATUS_PDC_SLEEP 1 ++ unsigned long status; + }; + + static inline u32 gmu_read(struct a6xx_gmu *gmu, u32 offset) diff --git a/queue-6.12/irqdomain-cdx-switch-to-of_fwnode_handle.patch b/queue-6.12/irqdomain-cdx-switch-to-of_fwnode_handle.patch new file mode 100644 index 0000000000..43ffcae13b --- /dev/null +++ b/queue-6.12/irqdomain-cdx-switch-to-of_fwnode_handle.patch @@ -0,0 +1,49 @@ +From stable+bounces-187845-greg=kroah.com@vger.kernel.org Sat Oct 18 17:14:19 2025 +From: Sasha Levin +Date: Sat, 18 Oct 2025 11:14:09 -0400 +Subject: irqdomain: cdx: Switch to of_fwnode_handle() +To: stable@vger.kernel.org +Cc: "Jiri Slaby (SUSE)" , Nipun Gupta , Nikhil Agarwal , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251018151410.809778-1-sashal@kernel.org> + +From: "Jiri Slaby (SUSE)" + +[ Upstream commit 2a87a55f2281a1096d9e77ac6309b9128c107d97 ] + +of_node_to_fwnode() is irqdomain's reimplementation of the "officially" +defined of_fwnode_handle(). The former is in the process of being +removed, so use the latter instead. + +Signed-off-by: Jiri Slaby (SUSE) +Cc: Nipun Gupta +Cc: Nikhil Agarwal +Acked-by: Nipun Gupta +Link: https://lore.kernel.org/r/20250415104734.106849-1-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 76254bc489d3 ("cdx: Fix device node reference leak in cdx_msi_domain_init") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cdx/cdx_msi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/cdx/cdx_msi.c ++++ b/drivers/cdx/cdx_msi.c +@@ -165,7 +165,7 @@ struct irq_domain *cdx_msi_domain_init(s + struct device_node *parent_node; + struct irq_domain *parent; + +- fwnode_handle = of_node_to_fwnode(np); ++ fwnode_handle = of_fwnode_handle(np); + + parent_node = of_parse_phandle(np, "msi-map", 1); + if (!parent_node) { +@@ -173,7 +173,7 @@ struct irq_domain *cdx_msi_domain_init(s + return NULL; + } + +- parent = irq_find_matching_fwnode(of_node_to_fwnode(parent_node), DOMAIN_BUS_NEXUS); ++ parent = irq_find_matching_fwnode(of_fwnode_handle(parent_node), DOMAIN_BUS_NEXUS); + if (!parent || !msi_get_domain_info(parent)) { + dev_err(dev, "unable to locate ITS domain\n"); + return NULL; diff --git a/queue-6.12/media-nxp-imx8-isi-drop-unused-argument-to-mxc_isi_channel_chain.patch b/queue-6.12/media-nxp-imx8-isi-drop-unused-argument-to-mxc_isi_channel_chain.patch new file mode 100644 index 0000000000..9a0b2fcc14 --- /dev/null +++ b/queue-6.12/media-nxp-imx8-isi-drop-unused-argument-to-mxc_isi_channel_chain.patch @@ -0,0 +1,101 @@ +From stable+bounces-187720-greg=kroah.com@vger.kernel.org Sat Oct 18 01:19:25 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 19:19:13 -0400 +Subject: media: nxp: imx8-isi: Drop unused argument to mxc_isi_channel_chain() +To: stable@vger.kernel.org +Cc: Laurent Pinchart , Frank Li , Hans Verkuil , Sasha Levin +Message-ID: <20251017231915.30718-1-sashal@kernel.org> + +From: Laurent Pinchart + +[ Upstream commit 9a21ffeade25cbf310f5db39a1f9932695dd41bb ] + +The bypass argument to the mxc_isi_channel_chain() function is unused. +Drop it. + +Link: https://lore.kernel.org/r/20250813225501.20762-1-laurent.pinchart@ideasonboard.com +Signed-off-by: Laurent Pinchart +Reviewed-by: Frank Li +Signed-off-by: Hans Verkuil +Stable-dep-of: 178aa3360220 ("media: nxp: imx8-isi: m2m: Fix streaming cleanup on release") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nxp/imx8-isi/imx8-isi-core.h | 2 +- + drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c | 2 +- + drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 11 +++++------ + drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c | 2 +- + 4 files changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.h ++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-core.h +@@ -361,7 +361,7 @@ void mxc_isi_channel_get(struct mxc_isi_ + void mxc_isi_channel_put(struct mxc_isi_pipe *pipe); + void mxc_isi_channel_enable(struct mxc_isi_pipe *pipe); + void mxc_isi_channel_disable(struct mxc_isi_pipe *pipe); +-int mxc_isi_channel_chain(struct mxc_isi_pipe *pipe, bool bypass); ++int mxc_isi_channel_chain(struct mxc_isi_pipe *pipe); + void mxc_isi_channel_unchain(struct mxc_isi_pipe *pipe); + + void mxc_isi_channel_config(struct mxc_isi_pipe *pipe, +--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c ++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c +@@ -587,7 +587,7 @@ void mxc_isi_channel_release(struct mxc_ + * + * TODO: Support secondary line buffer for downscaling YUV420 images. + */ +-int mxc_isi_channel_chain(struct mxc_isi_pipe *pipe, bool bypass) ++int mxc_isi_channel_chain(struct mxc_isi_pipe *pipe) + { + /* Channel chaining requires both line and output buffer. */ + const u8 resources = MXC_ISI_CHANNEL_RES_OUTPUT_BUF +--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c ++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c +@@ -493,7 +493,6 @@ static int mxc_isi_m2m_streamon(struct f + const struct mxc_isi_format_info *cap_info = ctx->queues.cap.info; + const struct mxc_isi_format_info *out_info = ctx->queues.out.info; + struct mxc_isi_m2m *m2m = ctx->m2m; +- bool bypass; + int ret; + + if (q->streaming) +@@ -506,15 +505,15 @@ static int mxc_isi_m2m_streamon(struct f + goto unlock; + } + +- bypass = cap_pix->width == out_pix->width && +- cap_pix->height == out_pix->height && +- cap_info->encoding == out_info->encoding; +- + /* + * Acquire the pipe and initialize the channel with the first user of + * the M2M device. + */ + if (m2m->usage_count == 0) { ++ bool bypass = cap_pix->width == out_pix->width && ++ cap_pix->height == out_pix->height && ++ cap_info->encoding == out_info->encoding; ++ + ret = mxc_isi_channel_acquire(m2m->pipe, + &mxc_isi_m2m_frame_write_done, + bypass); +@@ -531,7 +530,7 @@ static int mxc_isi_m2m_streamon(struct f + * buffer chaining. + */ + if (!ctx->chained && out_pix->width > MXC_ISI_MAX_WIDTH_UNCHAINED) { +- ret = mxc_isi_channel_chain(m2m->pipe, bypass); ++ ret = mxc_isi_channel_chain(m2m->pipe); + if (ret) + goto deinit; + +--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c ++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-pipe.c +@@ -855,7 +855,7 @@ int mxc_isi_pipe_acquire(struct mxc_isi_ + + /* Chain the channel if needed for wide resolutions. */ + if (sink_fmt->width > MXC_ISI_MAX_WIDTH_UNCHAINED) { +- ret = mxc_isi_channel_chain(pipe, bypass); ++ ret = mxc_isi_channel_chain(pipe); + if (ret) + mxc_isi_channel_release(pipe); + } diff --git a/queue-6.12/media-nxp-imx8-isi-m2m-fix-streaming-cleanup-on-release.patch b/queue-6.12/media-nxp-imx8-isi-m2m-fix-streaming-cleanup-on-release.patch new file mode 100644 index 0000000000..47f18269f4 --- /dev/null +++ b/queue-6.12/media-nxp-imx8-isi-m2m-fix-streaming-cleanup-on-release.patch @@ -0,0 +1,344 @@ +From stable+bounces-187721-greg=kroah.com@vger.kernel.org Sat Oct 18 01:19:28 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 19:19:14 -0400 +Subject: media: nxp: imx8-isi: m2m: Fix streaming cleanup on release +To: stable@vger.kernel.org +Cc: Guoniu Zhou , Laurent Pinchart , Frank Li , Hans Verkuil , Sasha Levin +Message-ID: <20251017231915.30718-2-sashal@kernel.org> + +From: Guoniu Zhou + +[ Upstream commit 178aa3360220231dd91e7dbc2eb984525886c9c1 ] + +If streamon/streamoff calls are imbalanced, such as when exiting an +application with Ctrl+C when streaming, the m2m usage_count will never +reach zero and the ISI channel won't be freed. Besides from that, if the +input line width is more than 2K, it will trigger a WARN_ON(): + +[ 59.222120] ------------[ cut here ]------------ +[ 59.226758] WARNING: drivers/media/platform/nxp/imx8-isi/imx8-isi-hw.c:631 at mxc_isi_channel_chain+0xa4/0x120, CPU#4: v4l2-ctl/654 +[ 59.238569] Modules linked in: ap1302 +[ 59.242231] CPU: 4 UID: 0 PID: 654 Comm: v4l2-ctl Not tainted 6.16.0-rc4-next-20250704-06511-gff0e002d480a-dirty #258 PREEMPT +[ 59.253597] Hardware name: NXP i.MX95 15X15 board (DT) +[ 59.258720] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 59.265669] pc : mxc_isi_channel_chain+0xa4/0x120 +[ 59.270358] lr : mxc_isi_channel_chain+0x44/0x120 +[ 59.275047] sp : ffff8000848c3b40 +[ 59.278348] x29: ffff8000848c3b40 x28: ffff0000859b4c98 x27: ffff800081939f00 +[ 59.285472] x26: 000000000000000a x25: ffff0000859b4cb8 x24: 0000000000000001 +[ 59.292597] x23: ffff0000816f4760 x22: ffff0000816f4258 x21: ffff000084ceb780 +[ 59.299720] x20: ffff000084342ff8 x19: ffff000084340000 x18: 0000000000000000 +[ 59.306845] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffdb369e1c +[ 59.313969] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +[ 59.321093] x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 +[ 59.328217] x8 : ffff8000848c3d48 x7 : ffff800081930b30 x6 : ffff800081930b30 +[ 59.335340] x5 : ffff0000859b6000 x4 : ffff80008193ae80 x3 : ffff800081022420 +[ 59.342464] x2 : ffff0000852f6900 x1 : 0000000000000001 x0 : ffff000084341000 +[ 59.349590] Call trace: +[ 59.352025] mxc_isi_channel_chain+0xa4/0x120 (P) +[ 59.356722] mxc_isi_m2m_streamon+0x160/0x20c +[ 59.361072] v4l_streamon+0x24/0x30 +[ 59.364556] __video_do_ioctl+0x40c/0x4a0 +[ 59.368560] video_usercopy+0x2bc/0x690 +[ 59.372382] video_ioctl2+0x18/0x24 +[ 59.375857] v4l2_ioctl+0x40/0x60 +[ 59.379168] __arm64_sys_ioctl+0xac/0x104 +[ 59.383172] invoke_syscall+0x48/0x104 +[ 59.386916] el0_svc_common.constprop.0+0xc0/0xe0 +[ 59.391613] do_el0_svc+0x1c/0x28 +[ 59.394915] el0_svc+0x34/0xf4 +[ 59.397966] el0t_64_sync_handler+0xa0/0xe4 +[ 59.402143] el0t_64_sync+0x198/0x19c +[ 59.405801] ---[ end trace 0000000000000000 ]--- + +Address this issue by moving the streaming preparation and cleanup to +the vb2 .prepare_streaming() and .unprepare_streaming() operations. This +also simplifies the driver by allowing direct usage of the +v4l2_m2m_ioctl_streamon() and v4l2_m2m_ioctl_streamoff() helpers. + +Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250821135123.29462-1-laurent.pinchart@ideasonboard.com +Signed-off-by: Guoniu Zhou +Co-developed-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Tested-by: Guoniu Zhou +Reviewed-by: Frank Li +Signed-off-by: Hans Verkuil +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 224 ++++++++------------- + 1 file changed, 92 insertions(+), 132 deletions(-) + +--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c ++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c +@@ -43,7 +43,6 @@ struct mxc_isi_m2m_ctx_queue_data { + struct v4l2_pix_format_mplane format; + const struct mxc_isi_format_info *info; + u32 sequence; +- bool streaming; + }; + + struct mxc_isi_m2m_ctx { +@@ -236,6 +235,65 @@ static void mxc_isi_m2m_vb2_buffer_queue + v4l2_m2m_buf_queue(ctx->fh.m2m_ctx, vbuf); + } + ++static int mxc_isi_m2m_vb2_prepare_streaming(struct vb2_queue *q) ++{ ++ struct mxc_isi_m2m_ctx *ctx = vb2_get_drv_priv(q); ++ const struct v4l2_pix_format_mplane *out_pix = &ctx->queues.out.format; ++ const struct v4l2_pix_format_mplane *cap_pix = &ctx->queues.cap.format; ++ const struct mxc_isi_format_info *cap_info = ctx->queues.cap.info; ++ const struct mxc_isi_format_info *out_info = ctx->queues.out.info; ++ struct mxc_isi_m2m *m2m = ctx->m2m; ++ int ret; ++ ++ guard(mutex)(&m2m->lock); ++ ++ if (m2m->usage_count == INT_MAX) ++ return -EOVERFLOW; ++ ++ /* ++ * Acquire the pipe and initialize the channel with the first user of ++ * the M2M device. ++ */ ++ if (m2m->usage_count == 0) { ++ bool bypass = cap_pix->width == out_pix->width && ++ cap_pix->height == out_pix->height && ++ cap_info->encoding == out_info->encoding; ++ ++ ret = mxc_isi_channel_acquire(m2m->pipe, ++ &mxc_isi_m2m_frame_write_done, ++ bypass); ++ if (ret) ++ return ret; ++ ++ mxc_isi_channel_get(m2m->pipe); ++ } ++ ++ m2m->usage_count++; ++ ++ /* ++ * Allocate resources for the channel, counting how many users require ++ * buffer chaining. ++ */ ++ if (!ctx->chained && out_pix->width > MXC_ISI_MAX_WIDTH_UNCHAINED) { ++ ret = mxc_isi_channel_chain(m2m->pipe); ++ if (ret) ++ goto err_deinit; ++ ++ m2m->chained_count++; ++ ctx->chained = true; ++ } ++ ++ return 0; ++ ++err_deinit: ++ if (--m2m->usage_count == 0) { ++ mxc_isi_channel_put(m2m->pipe); ++ mxc_isi_channel_release(m2m->pipe); ++ } ++ ++ return ret; ++} ++ + static int mxc_isi_m2m_vb2_start_streaming(struct vb2_queue *q, + unsigned int count) + { +@@ -265,6 +323,35 @@ static void mxc_isi_m2m_vb2_stop_streami + } + } + ++static void mxc_isi_m2m_vb2_unprepare_streaming(struct vb2_queue *q) ++{ ++ struct mxc_isi_m2m_ctx *ctx = vb2_get_drv_priv(q); ++ struct mxc_isi_m2m *m2m = ctx->m2m; ++ ++ guard(mutex)(&m2m->lock); ++ ++ /* ++ * If the last context is this one, reset it to make sure the device ++ * will be reconfigured when streaming is restarted. ++ */ ++ if (m2m->last_ctx == ctx) ++ m2m->last_ctx = NULL; ++ ++ /* Free the channel resources if this is the last chained context. */ ++ if (ctx->chained && --m2m->chained_count == 0) ++ mxc_isi_channel_unchain(m2m->pipe); ++ ctx->chained = false; ++ ++ /* Turn off the light with the last user. */ ++ if (--m2m->usage_count == 0) { ++ mxc_isi_channel_disable(m2m->pipe); ++ mxc_isi_channel_put(m2m->pipe); ++ mxc_isi_channel_release(m2m->pipe); ++ } ++ ++ WARN_ON(m2m->usage_count < 0); ++} ++ + static const struct vb2_ops mxc_isi_m2m_vb2_qops = { + .queue_setup = mxc_isi_m2m_vb2_queue_setup, + .buf_init = mxc_isi_m2m_vb2_buffer_init, +@@ -272,8 +359,10 @@ static const struct vb2_ops mxc_isi_m2m_ + .buf_queue = mxc_isi_m2m_vb2_buffer_queue, + .wait_prepare = vb2_ops_wait_prepare, + .wait_finish = vb2_ops_wait_finish, ++ .prepare_streaming = mxc_isi_m2m_vb2_prepare_streaming, + .start_streaming = mxc_isi_m2m_vb2_start_streaming, + .stop_streaming = mxc_isi_m2m_vb2_stop_streaming, ++ .unprepare_streaming = mxc_isi_m2m_vb2_unprepare_streaming, + }; + + static int mxc_isi_m2m_queue_init(void *priv, struct vb2_queue *src_vq, +@@ -483,135 +572,6 @@ static int mxc_isi_m2m_s_fmt_vid(struct + return 0; + } + +-static int mxc_isi_m2m_streamon(struct file *file, void *fh, +- enum v4l2_buf_type type) +-{ +- struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(fh); +- struct mxc_isi_m2m_ctx_queue_data *q = mxc_isi_m2m_ctx_qdata(ctx, type); +- const struct v4l2_pix_format_mplane *out_pix = &ctx->queues.out.format; +- const struct v4l2_pix_format_mplane *cap_pix = &ctx->queues.cap.format; +- const struct mxc_isi_format_info *cap_info = ctx->queues.cap.info; +- const struct mxc_isi_format_info *out_info = ctx->queues.out.info; +- struct mxc_isi_m2m *m2m = ctx->m2m; +- int ret; +- +- if (q->streaming) +- return 0; +- +- mutex_lock(&m2m->lock); +- +- if (m2m->usage_count == INT_MAX) { +- ret = -EOVERFLOW; +- goto unlock; +- } +- +- /* +- * Acquire the pipe and initialize the channel with the first user of +- * the M2M device. +- */ +- if (m2m->usage_count == 0) { +- bool bypass = cap_pix->width == out_pix->width && +- cap_pix->height == out_pix->height && +- cap_info->encoding == out_info->encoding; +- +- ret = mxc_isi_channel_acquire(m2m->pipe, +- &mxc_isi_m2m_frame_write_done, +- bypass); +- if (ret) +- goto unlock; +- +- mxc_isi_channel_get(m2m->pipe); +- } +- +- m2m->usage_count++; +- +- /* +- * Allocate resources for the channel, counting how many users require +- * buffer chaining. +- */ +- if (!ctx->chained && out_pix->width > MXC_ISI_MAX_WIDTH_UNCHAINED) { +- ret = mxc_isi_channel_chain(m2m->pipe); +- if (ret) +- goto deinit; +- +- m2m->chained_count++; +- ctx->chained = true; +- } +- +- /* +- * Drop the lock to start the stream, as the .device_run() operation +- * needs to acquire it. +- */ +- mutex_unlock(&m2m->lock); +- ret = v4l2_m2m_ioctl_streamon(file, fh, type); +- if (ret) { +- /* Reacquire the lock for the cleanup path. */ +- mutex_lock(&m2m->lock); +- goto unchain; +- } +- +- q->streaming = true; +- +- return 0; +- +-unchain: +- if (ctx->chained && --m2m->chained_count == 0) +- mxc_isi_channel_unchain(m2m->pipe); +- ctx->chained = false; +- +-deinit: +- if (--m2m->usage_count == 0) { +- mxc_isi_channel_put(m2m->pipe); +- mxc_isi_channel_release(m2m->pipe); +- } +- +-unlock: +- mutex_unlock(&m2m->lock); +- return ret; +-} +- +-static int mxc_isi_m2m_streamoff(struct file *file, void *fh, +- enum v4l2_buf_type type) +-{ +- struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(fh); +- struct mxc_isi_m2m_ctx_queue_data *q = mxc_isi_m2m_ctx_qdata(ctx, type); +- struct mxc_isi_m2m *m2m = ctx->m2m; +- +- v4l2_m2m_ioctl_streamoff(file, fh, type); +- +- if (!q->streaming) +- return 0; +- +- mutex_lock(&m2m->lock); +- +- /* +- * If the last context is this one, reset it to make sure the device +- * will be reconfigured when streaming is restarted. +- */ +- if (m2m->last_ctx == ctx) +- m2m->last_ctx = NULL; +- +- /* Free the channel resources if this is the last chained context. */ +- if (ctx->chained && --m2m->chained_count == 0) +- mxc_isi_channel_unchain(m2m->pipe); +- ctx->chained = false; +- +- /* Turn off the light with the last user. */ +- if (--m2m->usage_count == 0) { +- mxc_isi_channel_disable(m2m->pipe); +- mxc_isi_channel_put(m2m->pipe); +- mxc_isi_channel_release(m2m->pipe); +- } +- +- WARN_ON(m2m->usage_count < 0); +- +- mutex_unlock(&m2m->lock); +- +- q->streaming = false; +- +- return 0; +-} +- + static const struct v4l2_ioctl_ops mxc_isi_m2m_ioctl_ops = { + .vidioc_querycap = mxc_isi_m2m_querycap, + +@@ -632,8 +592,8 @@ static const struct v4l2_ioctl_ops mxc_i + .vidioc_prepare_buf = v4l2_m2m_ioctl_prepare_buf, + .vidioc_create_bufs = v4l2_m2m_ioctl_create_bufs, + +- .vidioc_streamon = mxc_isi_m2m_streamon, +- .vidioc_streamoff = mxc_isi_m2m_streamoff, ++ .vidioc_streamon = v4l2_m2m_ioctl_streamon, ++ .vidioc_streamoff = v4l2_m2m_ioctl_streamoff, + + .vidioc_subscribe_event = v4l2_ctrl_subscribe_event, + .vidioc_unsubscribe_event = v4l2_event_unsubscribe, diff --git a/queue-6.12/series b/queue-6.12/series index ed6f726255..77efafb9ac 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -23,3 +23,19 @@ drm-amdgpu-fix-gfx12-mes-packet-status-return-check.patch perf-core-fix-address-filter-match-with-backing-files.patch perf-core-fix-mmap-event-path-names-with-backing-files.patch perf-core-fix-mmap2-event-device-with-backing-files.patch +drm-amd-check-whether-secure-display-ta-loaded-successfully.patch +irqdomain-cdx-switch-to-of_fwnode_handle.patch +cdx-fix-device-node-reference-leak-in-cdx_msi_domain_init.patch +drm-msm-a6xx-fix-pdc-sleep-sequence.patch +media-nxp-imx8-isi-drop-unused-argument-to-mxc_isi_channel_chain.patch +media-nxp-imx8-isi-m2m-fix-streaming-cleanup-on-release.patch +drm-exynos-exynos7_drm_decon-fix-uninitialized-crtc-reference-in-functions.patch +drm-exynos-exynos7_drm_decon-properly-clear-channels-during-bind.patch +drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch +usb-gadget-store-endpoint-pointer-in-usb_request.patch +usb-gadget-introduce-free_usb_request-helper.patch +usb-gadget-f_ncm-refactor-bind-path-to-use-__free.patch +usb-gadget-f_acm-refactor-bind-path-to-use-__free.patch +usb-gadget-f_ecm-refactor-bind-path-to-use-__free.patch +usb-gadget-f_rndis-refactor-bind-path-to-use-__free.patch +cpufreq-cppc-avoid-using-cpufreq_eternal-as-transition-delay.patch diff --git a/queue-6.12/usb-gadget-f_acm-refactor-bind-path-to-use-__free.patch b/queue-6.12/usb-gadget-f_acm-refactor-bind-path-to-use-__free.patch new file mode 100644 index 0000000000..a363748877 --- /dev/null +++ b/queue-6.12/usb-gadget-f_acm-refactor-bind-path-to-use-__free.patch @@ -0,0 +1,173 @@ +From stable+bounces-187744-greg=kroah.com@vger.kernel.org Sat Oct 18 02:29:38 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 20:29:27 -0400 +Subject: usb: gadget: f_acm: Refactor bind path to use __free() +To: stable@vger.kernel.org +Cc: Kuen-Han Tsai , stable@kernel.org, Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251018002927.85194-3-sashal@kernel.org> + +From: Kuen-Han Tsai + +[ Upstream commit 47b2116e54b4a854600341487e8b55249e926324 ] + +After an bind/unbind cycle, the acm->notify_req is left stale. If a +subsequent bind fails, the unified error label attempts to free this +stale request, leading to a NULL pointer dereference when accessing +ep->ops->free_request. + +Refactor the error handling in the bind path to use the __free() +automatic cleanup mechanism. + +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 +Call trace: + usb_ep_free_request+0x2c/0xec + gs_free_req+0x30/0x44 + acm_bind+0x1b8/0x1f4 + usb_add_function+0xcc/0x1f0 + configfs_composite_bind+0x468/0x588 + gadget_bind_driver+0x104/0x270 + really_probe+0x190/0x374 + __driver_probe_device+0xa0/0x12c + driver_probe_device+0x3c/0x218 + __device_attach_driver+0x14c/0x188 + bus_for_each_drv+0x10c/0x168 + __device_attach+0xfc/0x198 + device_initial_probe+0x14/0x24 + bus_probe_device+0x94/0x11c + device_add+0x268/0x48c + usb_add_gadget+0x198/0x28c + dwc3_gadget_init+0x700/0x858 + __dwc3_set_mode+0x3cc/0x664 + process_scheduled_works+0x1d8/0x488 + worker_thread+0x244/0x334 + kthread+0x114/0x1bc + ret_from_fork+0x10/0x20 + +Fixes: 1f1ba11b6494 ("usb gadget: issue notifications from ACM function") +Cc: stable@kernel.org +Signed-off-by: Kuen-Han Tsai +Link: https://lore.kernel.org/r/20250916-ready-v1-4-4997bf277548@google.com +Signed-off-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20250916-ready-v1-4-4997bf277548@google.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_acm.c | 42 ++++++++++++++++-------------------- + 1 file changed, 19 insertions(+), 23 deletions(-) + +--- a/drivers/usb/gadget/function/f_acm.c ++++ b/drivers/usb/gadget/function/f_acm.c +@@ -11,12 +11,15 @@ + + /* #define VERBOSE_DEBUG */ + ++#include + #include + #include + #include + #include + #include + ++#include ++ + #include "u_serial.h" + + +@@ -613,6 +616,7 @@ acm_bind(struct usb_configuration *c, st + struct usb_string *us; + int status; + struct usb_ep *ep; ++ struct usb_request *request __free(free_usb_request) = NULL; + + /* REVISIT might want instance-specific strings to help + * distinguish instances ... +@@ -630,7 +634,7 @@ acm_bind(struct usb_configuration *c, st + /* allocate instance-specific interface IDs, and patch descriptors */ + status = usb_interface_id(c, f); + if (status < 0) +- goto fail; ++ return status; + acm->ctrl_id = status; + acm_iad_descriptor.bFirstInterface = status; + +@@ -639,43 +643,41 @@ acm_bind(struct usb_configuration *c, st + + status = usb_interface_id(c, f); + if (status < 0) +- goto fail; ++ return status; + acm->data_id = status; + + acm_data_interface_desc.bInterfaceNumber = status; + acm_union_desc.bSlaveInterface0 = status; + acm_call_mgmt_descriptor.bDataInterface = status; + +- status = -ENODEV; +- + /* allocate instance-specific endpoints */ + ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_in_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + acm->port.in = ep; + + ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_out_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + acm->port.out = ep; + + ep = usb_ep_autoconfig(cdev->gadget, &acm_fs_notify_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + acm->notify = ep; + + acm_iad_descriptor.bFunctionProtocol = acm->bInterfaceProtocol; + acm_control_interface_desc.bInterfaceProtocol = acm->bInterfaceProtocol; + + /* allocate notification */ +- acm->notify_req = gs_alloc_req(ep, +- sizeof(struct usb_cdc_notification) + 2, +- GFP_KERNEL); +- if (!acm->notify_req) +- goto fail; ++ request = gs_alloc_req(ep, ++ sizeof(struct usb_cdc_notification) + 2, ++ GFP_KERNEL); ++ if (!request) ++ return -ENODEV; + +- acm->notify_req->complete = acm_cdc_notify_complete; +- acm->notify_req->context = acm; ++ request->complete = acm_cdc_notify_complete; ++ request->context = acm; + + /* support all relevant hardware speeds... we expect that when + * hardware is dual speed, all bulk-capable endpoints work at +@@ -692,7 +694,9 @@ acm_bind(struct usb_configuration *c, st + status = usb_assign_descriptors(f, acm_fs_function, acm_hs_function, + acm_ss_function, acm_ss_function); + if (status) +- goto fail; ++ return status; ++ ++ acm->notify_req = no_free_ptr(request); + + dev_dbg(&cdev->gadget->dev, + "acm ttyGS%d: IN/%s OUT/%s NOTIFY/%s\n", +@@ -700,14 +704,6 @@ acm_bind(struct usb_configuration *c, st + acm->port.in->name, acm->port.out->name, + acm->notify->name); + return 0; +- +-fail: +- if (acm->notify_req) +- gs_free_req(acm->notify, acm->notify_req); +- +- ERROR(cdev, "%s/%p: can't bind, err %d\n", f->name, f, status); +- +- return status; + } + + static void acm_unbind(struct usb_configuration *c, struct usb_function *f) diff --git a/queue-6.12/usb-gadget-f_ecm-refactor-bind-path-to-use-__free.patch b/queue-6.12/usb-gadget-f_ecm-refactor-bind-path-to-use-__free.patch new file mode 100644 index 0000000000..202accfa6e --- /dev/null +++ b/queue-6.12/usb-gadget-f_ecm-refactor-bind-path-to-use-__free.patch @@ -0,0 +1,157 @@ +From stable+bounces-187761-greg=kroah.com@vger.kernel.org Sat Oct 18 02:52:47 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 20:52:36 -0400 +Subject: usb: gadget: f_ecm: Refactor bind path to use __free() +To: stable@vger.kernel.org +Cc: Kuen-Han Tsai , stable@kernel.org, Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251018005236.98052-3-sashal@kernel.org> + +From: Kuen-Han Tsai + +[ Upstream commit 42988380ac67c76bb9dff8f77d7ef3eefd50b7b5 ] + +After an bind/unbind cycle, the ecm->notify_req is left stale. If a +subsequent bind fails, the unified error label attempts to free this +stale request, leading to a NULL pointer dereference when accessing +ep->ops->free_request. + +Refactor the error handling in the bind path to use the __free() +automatic cleanup mechanism. + +Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function") +Cc: stable@kernel.org +Signed-off-by: Kuen-Han Tsai +Link: https://lore.kernel.org/r/20250916-ready-v1-5-4997bf277548@google.com +Signed-off-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20250916-ready-v1-5-4997bf277548@google.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ecm.c | 48 +++++++++++++++--------------------- + 1 file changed, 20 insertions(+), 28 deletions(-) + +--- a/drivers/usb/gadget/function/f_ecm.c ++++ b/drivers/usb/gadget/function/f_ecm.c +@@ -8,12 +8,15 @@ + + /* #define VERBOSE_DEBUG */ + ++#include + #include + #include + #include + #include + #include + ++#include ++ + #include "u_ether.h" + #include "u_ether_configfs.h" + #include "u_ecm.h" +@@ -678,6 +681,7 @@ ecm_bind(struct usb_configuration *c, st + struct usb_ep *ep; + + struct f_ecm_opts *ecm_opts; ++ struct usb_request *request __free(free_usb_request) = NULL; + + if (!can_support_ecm(cdev->gadget)) + return -EINVAL; +@@ -711,7 +715,7 @@ ecm_bind(struct usb_configuration *c, st + /* allocate instance-specific interface IDs */ + status = usb_interface_id(c, f); + if (status < 0) +- goto fail; ++ return status; + ecm->ctrl_id = status; + ecm_iad_descriptor.bFirstInterface = status; + +@@ -720,24 +724,22 @@ ecm_bind(struct usb_configuration *c, st + + status = usb_interface_id(c, f); + if (status < 0) +- goto fail; ++ return status; + ecm->data_id = status; + + ecm_data_nop_intf.bInterfaceNumber = status; + ecm_data_intf.bInterfaceNumber = status; + ecm_union_desc.bSlaveInterface0 = status; + +- status = -ENODEV; +- + /* allocate instance-specific endpoints */ + ep = usb_ep_autoconfig(cdev->gadget, &fs_ecm_in_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + ecm->port.in_ep = ep; + + ep = usb_ep_autoconfig(cdev->gadget, &fs_ecm_out_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + ecm->port.out_ep = ep; + + /* NOTE: a status/notification endpoint is *OPTIONAL* but we +@@ -746,20 +748,18 @@ ecm_bind(struct usb_configuration *c, st + */ + ep = usb_ep_autoconfig(cdev->gadget, &fs_ecm_notify_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + ecm->notify = ep; + +- status = -ENOMEM; +- + /* allocate notification request and buffer */ +- ecm->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL); +- if (!ecm->notify_req) +- goto fail; +- ecm->notify_req->buf = kmalloc(ECM_STATUS_BYTECOUNT, GFP_KERNEL); +- if (!ecm->notify_req->buf) +- goto fail; +- ecm->notify_req->context = ecm; +- ecm->notify_req->complete = ecm_notify_complete; ++ request = usb_ep_alloc_request(ep, GFP_KERNEL); ++ if (!request) ++ return -ENOMEM; ++ request->buf = kmalloc(ECM_STATUS_BYTECOUNT, GFP_KERNEL); ++ if (!request->buf) ++ return -ENOMEM; ++ request->context = ecm; ++ request->complete = ecm_notify_complete; + + /* support all relevant hardware speeds... we expect that when + * hardware is dual speed, all bulk-capable endpoints work at +@@ -778,7 +778,7 @@ ecm_bind(struct usb_configuration *c, st + status = usb_assign_descriptors(f, ecm_fs_function, ecm_hs_function, + ecm_ss_function, ecm_ss_function); + if (status) +- goto fail; ++ return status; + + /* NOTE: all that is done without knowing or caring about + * the network link ... which is unavailable to this code +@@ -788,20 +788,12 @@ ecm_bind(struct usb_configuration *c, st + ecm->port.open = ecm_open; + ecm->port.close = ecm_close; + ++ ecm->notify_req = no_free_ptr(request); ++ + DBG(cdev, "CDC Ethernet: IN/%s OUT/%s NOTIFY/%s\n", + ecm->port.in_ep->name, ecm->port.out_ep->name, + ecm->notify->name); + return 0; +- +-fail: +- if (ecm->notify_req) { +- kfree(ecm->notify_req->buf); +- usb_ep_free_request(ecm->notify, ecm->notify_req); +- } +- +- ERROR(cdev, "%s: can't bind, err %d\n", f->name, status); +- +- return status; + } + + static inline struct f_ecm_opts *to_f_ecm_opts(struct config_item *item) diff --git a/queue-6.12/usb-gadget-f_ncm-refactor-bind-path-to-use-__free.patch b/queue-6.12/usb-gadget-f_ncm-refactor-bind-path-to-use-__free.patch new file mode 100644 index 0000000000..a1ddda3087 --- /dev/null +++ b/queue-6.12/usb-gadget-f_ncm-refactor-bind-path-to-use-__free.patch @@ -0,0 +1,230 @@ +From stable+bounces-187732-greg=kroah.com@vger.kernel.org Sat Oct 18 01:58:50 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 19:58:26 -0400 +Subject: usb: gadget: f_ncm: Refactor bind path to use __free() +To: stable@vger.kernel.org +Cc: Kuen-Han Tsai , stable@kernel.org, Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251017235826.62546-3-sashal@kernel.org> + +From: Kuen-Han Tsai + +[ Upstream commit 75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef ] + +After an bind/unbind cycle, the ncm->notify_req is left stale. If a +subsequent bind fails, the unified error label attempts to free this +stale request, leading to a NULL pointer dereference when accessing +ep->ops->free_request. + +Refactor the error handling in the bind path to use the __free() +automatic cleanup mechanism. + +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 +Call trace: + usb_ep_free_request+0x2c/0xec + ncm_bind+0x39c/0x3dc + usb_add_function+0xcc/0x1f0 + configfs_composite_bind+0x468/0x588 + gadget_bind_driver+0x104/0x270 + really_probe+0x190/0x374 + __driver_probe_device+0xa0/0x12c + driver_probe_device+0x3c/0x218 + __device_attach_driver+0x14c/0x188 + bus_for_each_drv+0x10c/0x168 + __device_attach+0xfc/0x198 + device_initial_probe+0x14/0x24 + bus_probe_device+0x94/0x11c + device_add+0x268/0x48c + usb_add_gadget+0x198/0x28c + dwc3_gadget_init+0x700/0x858 + __dwc3_set_mode+0x3cc/0x664 + process_scheduled_works+0x1d8/0x488 + worker_thread+0x244/0x334 + kthread+0x114/0x1bc + ret_from_fork+0x10/0x20 + +Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") +Cc: stable@kernel.org +Signed-off-by: Kuen-Han Tsai +Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com +Signed-off-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20250916-ready-v1-3-4997bf277548@google.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 78 +++++++++++++++--------------------- + 1 file changed, 33 insertions(+), 45 deletions(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -11,6 +11,7 @@ + * Copyright (C) 2008 Nokia Corporation + */ + ++#include + #include + #include + #include +@@ -19,6 +20,7 @@ + #include + + #include ++#include + + #include "u_ether.h" + #include "u_ether_configfs.h" +@@ -1435,18 +1437,18 @@ static int ncm_bind(struct usb_configura + struct usb_ep *ep; + struct f_ncm_opts *ncm_opts; + ++ struct usb_os_desc_table *os_desc_table __free(kfree) = NULL; ++ struct usb_request *request __free(free_usb_request) = NULL; ++ + if (!can_support_ecm(cdev->gadget)) + return -EINVAL; + + ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst); + + if (cdev->use_os_string) { +- f->os_desc_table = kzalloc(sizeof(*f->os_desc_table), +- GFP_KERNEL); +- if (!f->os_desc_table) ++ os_desc_table = kzalloc(sizeof(*os_desc_table), GFP_KERNEL); ++ if (!os_desc_table) + return -ENOMEM; +- f->os_desc_n = 1; +- f->os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc; + } + + mutex_lock(&ncm_opts->lock); +@@ -1458,16 +1460,15 @@ static int ncm_bind(struct usb_configura + mutex_unlock(&ncm_opts->lock); + + if (status) +- goto fail; ++ return status; + + ncm_opts->bound = true; + + us = usb_gstrings_attach(cdev, ncm_strings, + ARRAY_SIZE(ncm_string_defs)); +- if (IS_ERR(us)) { +- status = PTR_ERR(us); +- goto fail; +- } ++ if (IS_ERR(us)) ++ return PTR_ERR(us); ++ + ncm_control_intf.iInterface = us[STRING_CTRL_IDX].id; + ncm_data_nop_intf.iInterface = us[STRING_DATA_IDX].id; + ncm_data_intf.iInterface = us[STRING_DATA_IDX].id; +@@ -1477,20 +1478,16 @@ static int ncm_bind(struct usb_configura + /* allocate instance-specific interface IDs */ + status = usb_interface_id(c, f); + if (status < 0) +- goto fail; ++ return status; + ncm->ctrl_id = status; + ncm_iad_desc.bFirstInterface = status; + + ncm_control_intf.bInterfaceNumber = status; + ncm_union_desc.bMasterInterface0 = status; + +- if (cdev->use_os_string) +- f->os_desc_table[0].if_id = +- ncm_iad_desc.bFirstInterface; +- + status = usb_interface_id(c, f); + if (status < 0) +- goto fail; ++ return status; + ncm->data_id = status; + + ncm_data_nop_intf.bInterfaceNumber = status; +@@ -1499,35 +1496,31 @@ static int ncm_bind(struct usb_configura + + ecm_desc.wMaxSegmentSize = cpu_to_le16(ncm_opts->max_segment_size); + +- status = -ENODEV; +- + /* allocate instance-specific endpoints */ + ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_in_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + ncm->port.in_ep = ep; + + ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_out_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + ncm->port.out_ep = ep; + + ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_notify_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + ncm->notify = ep; + +- status = -ENOMEM; +- + /* allocate notification request and buffer */ +- ncm->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL); +- if (!ncm->notify_req) +- goto fail; +- ncm->notify_req->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL); +- if (!ncm->notify_req->buf) +- goto fail; +- ncm->notify_req->context = ncm; +- ncm->notify_req->complete = ncm_notify_complete; ++ request = usb_ep_alloc_request(ep, GFP_KERNEL); ++ if (!request) ++ return -ENOMEM; ++ request->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL); ++ if (!request->buf) ++ return -ENOMEM; ++ request->context = ncm; ++ request->complete = ncm_notify_complete; + + /* + * support all relevant hardware speeds... we expect that when +@@ -1547,7 +1540,7 @@ static int ncm_bind(struct usb_configura + status = usb_assign_descriptors(f, ncm_fs_function, ncm_hs_function, + ncm_ss_function, ncm_ss_function); + if (status) +- goto fail; ++ return status; + + /* + * NOTE: all that is done without knowing or caring about +@@ -1561,23 +1554,18 @@ static int ncm_bind(struct usb_configura + hrtimer_init(&ncm->task_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_SOFT); + ncm->task_timer.function = ncm_tx_timeout; + ++ if (cdev->use_os_string) { ++ os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc; ++ os_desc_table[0].if_id = ncm_iad_desc.bFirstInterface; ++ f->os_desc_table = no_free_ptr(os_desc_table); ++ f->os_desc_n = 1; ++ } ++ ncm->notify_req = no_free_ptr(request); ++ + DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n", + ncm->port.in_ep->name, ncm->port.out_ep->name, + ncm->notify->name); + return 0; +- +-fail: +- kfree(f->os_desc_table); +- f->os_desc_n = 0; +- +- if (ncm->notify_req) { +- kfree(ncm->notify_req->buf); +- usb_ep_free_request(ncm->notify, ncm->notify_req); +- } +- +- ERROR(cdev, "%s: can't bind, err %d\n", f->name, status); +- +- return status; + } + + static inline struct f_ncm_opts *to_f_ncm_opts(struct config_item *item) diff --git a/queue-6.12/usb-gadget-f_rndis-refactor-bind-path-to-use-__free.patch b/queue-6.12/usb-gadget-f_rndis-refactor-bind-path-to-use-__free.patch new file mode 100644 index 0000000000..f3b79a0012 --- /dev/null +++ b/queue-6.12/usb-gadget-f_rndis-refactor-bind-path-to-use-__free.patch @@ -0,0 +1,212 @@ +From sashal@kernel.org Sat Oct 18 04:03:58 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 22:03:50 -0400 +Subject: usb: gadget: f_rndis: Refactor bind path to use __free() +To: stable@vger.kernel.org +Cc: Kuen-Han Tsai , stable@kernel.org, Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251018020351.207730-3-sashal@kernel.org> + +From: Kuen-Han Tsai + +[ Upstream commit 08228941436047bdcd35a612c1aec0912a29d8cd ] + +After an bind/unbind cycle, the rndis->notify_req is left stale. If a +subsequent bind fails, the unified error label attempts to free this +stale request, leading to a NULL pointer dereference when accessing +ep->ops->free_request. + +Refactor the error handling in the bind path to use the __free() +automatic cleanup mechanism. + +Fixes: 45fe3b8e5342 ("usb ethernet gadget: split RNDIS function") +Cc: stable@kernel.org +Signed-off-by: Kuen-Han Tsai +Link: https://lore.kernel.org/r/20250916-ready-v1-6-4997bf277548@google.com +Signed-off-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20250916-ready-v1-6-4997bf277548@google.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_rndis.c | 85 ++++++++++++++-------------------- + 1 file changed, 35 insertions(+), 50 deletions(-) + +--- a/drivers/usb/gadget/function/f_rndis.c ++++ b/drivers/usb/gadget/function/f_rndis.c +@@ -19,6 +19,8 @@ + + #include + ++#include ++ + #include "u_ether.h" + #include "u_ether_configfs.h" + #include "u_rndis.h" +@@ -662,6 +664,8 @@ rndis_bind(struct usb_configuration *c, + struct usb_ep *ep; + + struct f_rndis_opts *rndis_opts; ++ struct usb_os_desc_table *os_desc_table __free(kfree) = NULL; ++ struct usb_request *request __free(free_usb_request) = NULL; + + if (!can_support_rndis(c)) + return -EINVAL; +@@ -669,12 +673,9 @@ rndis_bind(struct usb_configuration *c, + rndis_opts = container_of(f->fi, struct f_rndis_opts, func_inst); + + if (cdev->use_os_string) { +- f->os_desc_table = kzalloc(sizeof(*f->os_desc_table), +- GFP_KERNEL); +- if (!f->os_desc_table) ++ os_desc_table = kzalloc(sizeof(*os_desc_table), GFP_KERNEL); ++ if (!os_desc_table) + return -ENOMEM; +- f->os_desc_n = 1; +- f->os_desc_table[0].os_desc = &rndis_opts->rndis_os_desc; + } + + rndis_iad_descriptor.bFunctionClass = rndis_opts->class; +@@ -692,16 +693,14 @@ rndis_bind(struct usb_configuration *c, + gether_set_gadget(rndis_opts->net, cdev->gadget); + status = gether_register_netdev(rndis_opts->net); + if (status) +- goto fail; ++ return status; + rndis_opts->bound = true; + } + + us = usb_gstrings_attach(cdev, rndis_strings, + ARRAY_SIZE(rndis_string_defs)); +- if (IS_ERR(us)) { +- status = PTR_ERR(us); +- goto fail; +- } ++ if (IS_ERR(us)) ++ return PTR_ERR(us); + rndis_control_intf.iInterface = us[0].id; + rndis_data_intf.iInterface = us[1].id; + rndis_iad_descriptor.iFunction = us[2].id; +@@ -709,36 +708,30 @@ rndis_bind(struct usb_configuration *c, + /* allocate instance-specific interface IDs */ + status = usb_interface_id(c, f); + if (status < 0) +- goto fail; ++ return status; + rndis->ctrl_id = status; + rndis_iad_descriptor.bFirstInterface = status; + + rndis_control_intf.bInterfaceNumber = status; + rndis_union_desc.bMasterInterface0 = status; + +- if (cdev->use_os_string) +- f->os_desc_table[0].if_id = +- rndis_iad_descriptor.bFirstInterface; +- + status = usb_interface_id(c, f); + if (status < 0) +- goto fail; ++ return status; + rndis->data_id = status; + + rndis_data_intf.bInterfaceNumber = status; + rndis_union_desc.bSlaveInterface0 = status; + +- status = -ENODEV; +- + /* allocate instance-specific endpoints */ + ep = usb_ep_autoconfig(cdev->gadget, &fs_in_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + rndis->port.in_ep = ep; + + ep = usb_ep_autoconfig(cdev->gadget, &fs_out_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + rndis->port.out_ep = ep; + + /* NOTE: a status/notification endpoint is, strictly speaking, +@@ -747,21 +740,19 @@ rndis_bind(struct usb_configuration *c, + */ + ep = usb_ep_autoconfig(cdev->gadget, &fs_notify_desc); + if (!ep) +- goto fail; ++ return -ENODEV; + rndis->notify = ep; + +- status = -ENOMEM; +- + /* allocate notification request and buffer */ +- rndis->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL); +- if (!rndis->notify_req) +- goto fail; +- rndis->notify_req->buf = kmalloc(STATUS_BYTECOUNT, GFP_KERNEL); +- if (!rndis->notify_req->buf) +- goto fail; +- rndis->notify_req->length = STATUS_BYTECOUNT; +- rndis->notify_req->context = rndis; +- rndis->notify_req->complete = rndis_response_complete; ++ request = usb_ep_alloc_request(ep, GFP_KERNEL); ++ if (!request) ++ return -ENOMEM; ++ request->buf = kmalloc(STATUS_BYTECOUNT, GFP_KERNEL); ++ if (!request->buf) ++ return -ENOMEM; ++ request->length = STATUS_BYTECOUNT; ++ request->context = rndis; ++ request->complete = rndis_response_complete; + + /* support all relevant hardware speeds... we expect that when + * hardware is dual speed, all bulk-capable endpoints work at +@@ -778,7 +769,7 @@ rndis_bind(struct usb_configuration *c, + status = usb_assign_descriptors(f, eth_fs_function, eth_hs_function, + eth_ss_function, eth_ss_function); + if (status) +- goto fail; ++ return status; + + rndis->port.open = rndis_open; + rndis->port.close = rndis_close; +@@ -789,9 +780,18 @@ rndis_bind(struct usb_configuration *c, + if (rndis->manufacturer && rndis->vendorID && + rndis_set_param_vendor(rndis->params, rndis->vendorID, + rndis->manufacturer)) { +- status = -EINVAL; +- goto fail_free_descs; ++ usb_free_all_descriptors(f); ++ return -EINVAL; ++ } ++ ++ if (cdev->use_os_string) { ++ os_desc_table[0].os_desc = &rndis_opts->rndis_os_desc; ++ os_desc_table[0].if_id = rndis_iad_descriptor.bFirstInterface; ++ f->os_desc_table = no_free_ptr(os_desc_table); ++ f->os_desc_n = 1; ++ + } ++ rndis->notify_req = no_free_ptr(request); + + /* NOTE: all that is done without knowing or caring about + * the network link ... which is unavailable to this code +@@ -802,21 +802,6 @@ rndis_bind(struct usb_configuration *c, + rndis->port.in_ep->name, rndis->port.out_ep->name, + rndis->notify->name); + return 0; +- +-fail_free_descs: +- usb_free_all_descriptors(f); +-fail: +- kfree(f->os_desc_table); +- f->os_desc_n = 0; +- +- if (rndis->notify_req) { +- kfree(rndis->notify_req->buf); +- usb_ep_free_request(rndis->notify, rndis->notify_req); +- } +- +- ERROR(cdev, "%s: can't bind, err %d\n", f->name, status); +- +- return status; + } + + void rndis_borrow_net(struct usb_function_instance *f, struct net_device *net) diff --git a/queue-6.12/usb-gadget-introduce-free_usb_request-helper.patch b/queue-6.12/usb-gadget-introduce-free_usb_request-helper.patch new file mode 100644 index 0000000000..4d02a2df89 --- /dev/null +++ b/queue-6.12/usb-gadget-introduce-free_usb_request-helper.patch @@ -0,0 +1,68 @@ +From stable+bounces-187731-greg=kroah.com@vger.kernel.org Sat Oct 18 01:58:48 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 19:58:25 -0400 +Subject: usb: gadget: Introduce free_usb_request helper +To: stable@vger.kernel.org +Cc: Kuen-Han Tsai , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251017235826.62546-2-sashal@kernel.org> + +From: Kuen-Han Tsai + +[ Upstream commit 201c53c687f2b55a7cc6d9f4000af4797860174b ] + +Introduce the free_usb_request() function that frees both the request's +buffer and the request itself. + +This function serves as the cleanup callback for DEFINE_FREE() to enable +automatic, scope-based cleanup for usb_request pointers. + +Signed-off-by: Kuen-Han Tsai +Link: https://lore.kernel.org/r/20250916-ready-v1-2-4997bf277548@google.com +Signed-off-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20250916-ready-v1-2-4997bf277548@google.com +Stable-dep-of: 75a5b8d4ddd4 ("usb: gadget: f_ncm: Refactor bind path to use __free()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/usb/gadget.h | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/include/linux/usb/gadget.h ++++ b/include/linux/usb/gadget.h +@@ -15,6 +15,7 @@ + #ifndef __LINUX_USB_GADGET_H + #define __LINUX_USB_GADGET_H + ++#include + #include + #include + #include +@@ -293,6 +294,28 @@ static inline void usb_ep_fifo_flush(str + + /*-------------------------------------------------------------------------*/ + ++/** ++ * free_usb_request - frees a usb_request object and its buffer ++ * @req: the request being freed ++ * ++ * This helper function frees both the request's buffer and the request object ++ * itself by calling usb_ep_free_request(). Its signature is designed to be used ++ * with DEFINE_FREE() to enable automatic, scope-based cleanup for usb_request ++ * pointers. ++ */ ++static inline void free_usb_request(struct usb_request *req) ++{ ++ if (!req) ++ return; ++ ++ kfree(req->buf); ++ usb_ep_free_request(req->ep, req); ++} ++ ++DEFINE_FREE(free_usb_request, struct usb_request *, free_usb_request(_T)) ++ ++/*-------------------------------------------------------------------------*/ ++ + struct usb_dcd_config_params { + __u8 bU1devExitLat; /* U1 Device exit Latency */ + #define USB_DEFAULT_U1_DEV_EXIT_LAT 0x01 /* Less then 1 microsec */ diff --git a/queue-6.12/usb-gadget-store-endpoint-pointer-in-usb_request.patch b/queue-6.12/usb-gadget-store-endpoint-pointer-in-usb_request.patch new file mode 100644 index 0000000000..ee4f6b8cc8 --- /dev/null +++ b/queue-6.12/usb-gadget-store-endpoint-pointer-in-usb_request.patch @@ -0,0 +1,66 @@ +From stable+bounces-187730-greg=kroah.com@vger.kernel.org Sat Oct 18 01:58:47 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 19:58:24 -0400 +Subject: usb: gadget: Store endpoint pointer in usb_request +To: stable@vger.kernel.org +Cc: Kuen-Han Tsai , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251017235826.62546-1-sashal@kernel.org> + +From: Kuen-Han Tsai + +[ Upstream commit bfb1d99d969fe3b892db30848aeebfa19d21f57f ] + +Gadget function drivers often have goto-based error handling in their +bind paths, which can be bug-prone. Refactoring these paths to use +__free() scope-based cleanup is desirable, but currently blocked. + +The blocker is that usb_ep_free_request(ep, req) requires two +parameters, while the __free() mechanism can only pass a pointer to the +request itself. + +Store an endpoint pointer in the struct usb_request. The pointer is +populated centrally in usb_ep_alloc_request() on every successful +allocation, making the request object self-contained. + +Signed-off-by: Kuen-Han Tsai +Link: https://lore.kernel.org/r/20250916-ready-v1-1-4997bf277548@google.com +Signed-off-by: Greg Kroah-Hartman +Link: https://lore.kernel.org/r/20250916-ready-v1-1-4997bf277548@google.com +Stable-dep-of: 75a5b8d4ddd4 ("usb: gadget: f_ncm: Refactor bind path to use __free()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/core.c | 3 +++ + include/linux/usb/gadget.h | 2 ++ + 2 files changed, 5 insertions(+) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -194,6 +194,9 @@ struct usb_request *usb_ep_alloc_request + + req = ep->ops->alloc_request(ep, gfp_flags); + ++ if (req) ++ req->ep = ep; ++ + trace_usb_ep_alloc_request(ep, req, req ? 0 : -ENOMEM); + + return req; +--- a/include/linux/usb/gadget.h ++++ b/include/linux/usb/gadget.h +@@ -32,6 +32,7 @@ struct usb_ep; + + /** + * struct usb_request - describes one i/o request ++ * @ep: The associated endpoint set by usb_ep_alloc_request(). + * @buf: Buffer used for data. Always provide this; some controllers + * only use PIO, or don't use DMA for some endpoints. + * @dma: DMA address corresponding to 'buf'. If you don't set this +@@ -98,6 +99,7 @@ struct usb_ep; + */ + + struct usb_request { ++ struct usb_ep *ep; + void *buf; + unsigned length; + dma_addr_t dma; -- 2.47.3