--- /dev/null
+From 500e1368e46928f4b2259612dcabb6999afae2a6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 25 Sep 2025 17:00:07 +0200
+Subject: amba: tegra-ahb: Fix device leak on SMMU enable
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 500e1368e46928f4b2259612dcabb6999afae2a6 upstream.
+
+Make sure to drop the reference taken to the AHB platform device when
+looking up its driver data while enabling the SMMU.
+
+Note that holding a reference to a device does not prevent its driver
+data from going away.
+
+Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB")
+Cc: stable@vger.kernel.org # 3.5
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/amba/tegra-ahb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/amba/tegra-ahb.c
++++ b/drivers/amba/tegra-ahb.c
+@@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_
+ if (!dev)
+ return -EPROBE_DEFER;
+ ahb = dev_get_drvdata(dev);
++ put_device(dev);
+ val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL);
+ val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE;
+ gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL);
--- /dev/null
+From 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce Mon Sep 17 00:00:00 2001
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+Date: Fri, 14 Nov 2025 15:02:25 +0100
+Subject: ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce upstream.
+
+Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo
+size of 32 data. Fix flexcom/spi nodes where this property is wrong.
+
+Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions")
+Cc: stable@vger.kernel.org # 5.8+
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/boot/dts/microchip/sama5d2.dtsi
++++ b/arch/arm/boot/dts/microchip/sama5d2.dtsi
+@@ -568,7 +568,7 @@
+ AT91_XDMAC_DT_PER_IF(1) |
+ AT91_XDMAC_DT_PERID(12))>;
+ dma-names = "tx", "rx";
+- atmel,fifo-size = <16>;
++ atmel,fifo-size = <32>;
+ status = "disabled";
+ };
+
+@@ -639,7 +639,7 @@
+ AT91_XDMAC_DT_PER_IF(1) |
+ AT91_XDMAC_DT_PERID(14))>;
+ dma-names = "tx", "rx";
+- atmel,fifo-size = <16>;
++ atmel,fifo-size = <32>;
+ status = "disabled";
+ };
+
+@@ -851,7 +851,7 @@
+ AT91_XDMAC_DT_PER_IF(1) |
+ AT91_XDMAC_DT_PERID(16))>;
+ dma-names = "tx", "rx";
+- atmel,fifo-size = <16>;
++ atmel,fifo-size = <32>;
+ status = "disabled";
+ };
+
+@@ -922,7 +922,7 @@
+ AT91_XDMAC_DT_PER_IF(1) |
+ AT91_XDMAC_DT_PERID(18))>;
+ dma-names = "tx", "rx";
+- atmel,fifo-size = <16>;
++ atmel,fifo-size = <32>;
+ status = "disabled";
+ };
+
+@@ -994,7 +994,7 @@
+ AT91_XDMAC_DT_PER_IF(1) |
+ AT91_XDMAC_DT_PERID(20))>;
+ dma-names = "tx", "rx";
+- atmel,fifo-size = <16>;
++ atmel,fifo-size = <32>;
+ status = "disabled";
+ };
+
--- /dev/null
+From 6f6e309328d53a10c0fe1f77dec2db73373179b6 Mon Sep 17 00:00:00 2001
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Tue, 23 Sep 2025 23:01:48 -0700
+Subject: crypto: af_alg - zero initialize memory allocated via sock_kmalloc
+
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+
+commit 6f6e309328d53a10c0fe1f77dec2db73373179b6 upstream.
+
+Several crypto user API contexts and requests allocated with
+sock_kmalloc() were left uninitialized, relying on callers to
+set fields explicitly. This resulted in the use of uninitialized
+data in certain error paths or when new fields are added in the
+future.
+
+The ACVP patches also contain two user-space interface files:
+algif_kpp.c and algif_akcipher.c. These too rely on proper
+initialization of their context structures.
+
+A particular issue has been observed with the newly added
+'inflight' variable introduced in af_alg_ctx by commit:
+
+ 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
+
+Because the context is not memset to zero after allocation,
+the inflight variable has contained garbage values. As a result,
+af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when
+the garbage value was interpreted as true:
+
+ https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209
+
+The check directly tests ctx->inflight without explicitly
+comparing against true/false. Since inflight is only ever set to
+true or false later, an uninitialized value has triggered
+-EBUSY failures. Zero-initializing memory allocated with
+sock_kmalloc() ensures inflight and other fields start in a known
+state, removing random issues caused by uninitialized data.
+
+Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations")
+Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support")
+Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code")
+Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c | 5 ++---
+ crypto/algif_hash.c | 3 +--
+ crypto/algif_rng.c | 3 +--
+ 3 files changed, 4 insertions(+), 7 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1211,15 +1211,14 @@ struct af_alg_async_req *af_alg_alloc_ar
+ if (unlikely(!areq))
+ return ERR_PTR(-ENOMEM);
+
++ memset(areq, 0, areqlen);
++
+ ctx->inflight = true;
+
+ areq->areqlen = areqlen;
+ areq->sk = sk;
+ areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl;
+- areq->last_rsgl = NULL;
+ INIT_LIST_HEAD(&areq->rsgl_list);
+- areq->tsgl = NULL;
+- areq->tsgl_entries = 0;
+
+ return areq;
+ }
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -416,9 +416,8 @@ static int hash_accept_parent_nokey(void
+ if (!ctx)
+ return -ENOMEM;
+
+- ctx->result = NULL;
++ memset(ctx, 0, len);
+ ctx->len = len;
+- ctx->more = false;
+ crypto_init_wait(&ctx->wait);
+
+ ask->private = ctx;
+--- a/crypto/algif_rng.c
++++ b/crypto/algif_rng.c
+@@ -248,9 +248,8 @@ static int rng_accept_parent(void *priva
+ if (!ctx)
+ return -ENOMEM;
+
++ memset(ctx, 0, len);
+ ctx->len = len;
+- ctx->addtl = NULL;
+- ctx->addtl_len = 0;
+
+ /*
+ * No seeding done at that point -- if multiple accepts are
--- /dev/null
+From 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Tue, 23 Sep 2025 20:44:18 +0800
+Subject: crypto: caam - Add check for kcalloc() in test_len()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 upstream.
+
+As kcalloc() may fail, check its return value to avoid a NULL pointer
+dereference when passing the buffer to rng->read(). On allocation
+failure, log the error and return since test_len() returns void.
+
+Fixes: 2be0d806e25e ("crypto: caam - add a test for the RNG")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/caam/caamrng.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
+index b3d14a7f4dd1..0eb43c862516 100644
+--- a/drivers/crypto/caam/caamrng.c
++++ b/drivers/crypto/caam/caamrng.c
+@@ -181,7 +181,9 @@ static inline void test_len(struct hwrng *rng, size_t len, bool wait)
+ struct device *dev = ctx->ctrldev;
+
+ buf = kcalloc(CAAM_RNG_MAX_FIFO_STORE_SIZE, sizeof(u8), GFP_KERNEL);
+-
++ if (!buf) {
++ return;
++ }
+ while (len > 0) {
+ read_len = rng->read(rng, buf, len, wait);
+
+--
+2.52.0
+
--- /dev/null
+From b8d5acdcf525f44e521ca4ef51dce4dac403dab4 Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han <hanguidong02@gmail.com>
+Date: Fri, 28 Nov 2025 20:47:09 +0800
+Subject: hwmon: (max16065) Use local variable to avoid TOCTOU
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+commit b8d5acdcf525f44e521ca4ef51dce4dac403dab4 upstream.
+
+In max16065_current_show, data->curr_sense is read twice: once for the
+error check and again for the calculation. Since
+i2c_smbus_read_byte_data returns negative error codes on failure, if the
+data changes to an error code between the check and the use, ADC_TO_CURR
+results in an incorrect calculation.
+
+Read data->curr_sense into a local variable to ensure consistency. Note
+that data->curr_gain is constant and safe to access directly.
+
+This aligns max16065_current_show with max16065_input_show, which
+already uses a local variable for the same reason.
+
+Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
+Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Link: https://lore.kernel.org/r/20251128124709.3876-1-hanguidong02@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/max16065.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/max16065.c
++++ b/drivers/hwmon/max16065.c
+@@ -216,12 +216,13 @@ static ssize_t max16065_current_show(str
+ struct device_attribute *da, char *buf)
+ {
+ struct max16065_data *data = max16065_update_device(dev);
++ int curr_sense = data->curr_sense;
+
+- if (unlikely(data->curr_sense < 0))
+- return data->curr_sense;
++ if (unlikely(curr_sense < 0))
++ return curr_sense;
+
+ return sysfs_emit(buf, "%d\n",
+- ADC_TO_CURR(data->curr_sense, data->curr_gain));
++ ADC_TO_CURR(curr_sense, data->curr_gain));
+ }
+
+ static ssize_t max16065_limit_store(struct device *dev,
--- /dev/null
+From 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han <hanguidong02@gmail.com>
+Date: Wed, 3 Dec 2025 02:01:05 +0800
+Subject: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+commit 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 upstream.
+
+The macro FAN_FROM_REG evaluates its arguments multiple times. When used
+in lockless contexts involving shared driver data, this leads to
+Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
+causing divide-by-zero errors.
+
+Convert the macro to a static function. This guarantees that arguments
+are evaluated only once (pass-by-value), preventing the race
+conditions.
+
+Additionally, in store_fan_div, move the calculation of the minimum
+limit inside the update lock. This ensures that the read-modify-write
+sequence operates on consistent data.
+
+Adhere to the principle of minimal changes by only converting macros
+that evaluate arguments multiple times and are used in lockless
+contexts.
+
+Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
+Fixes: 9873964d6eb2 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/w83791d.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/hwmon/w83791d.c
++++ b/drivers/hwmon/w83791d.c
+@@ -218,9 +218,14 @@ static u8 fan_to_reg(long rpm, int div)
+ return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
+ }
+
+-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \
+- ((val) == 255 ? 0 : \
+- 1350000 / ((val) * (div))))
++static int fan_from_reg(int val, int div)
++{
++ if (val == 0)
++ return -1;
++ if (val == 255)
++ return 0;
++ return 1350000 / (val * div);
++}
+
+ /* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */
+ #define TEMP1_FROM_REG(val) ((val) * 1000)
+@@ -521,7 +526,7 @@ static ssize_t show_##reg(struct device
+ struct w83791d_data *data = w83791d_update_device(dev); \
+ int nr = sensor_attr->index; \
+ return sprintf(buf, "%d\n", \
+- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
++ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
+ }
+
+ show_fan_reg(fan);
+@@ -585,10 +590,10 @@ static ssize_t store_fan_div(struct devi
+ if (err)
+ return err;
+
++ mutex_lock(&data->update_lock);
+ /* Save fan_min */
+- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
++ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
+
+- mutex_lock(&data->update_lock);
+ data->fan_div[nr] = div_to_reg(nr, val);
+
+ switch (nr) {
--- /dev/null
+From 07272e883fc61574b8367d44de48917f622cdd83 Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han <hanguidong02@gmail.com>
+Date: Fri, 28 Nov 2025 20:38:16 +0800
+Subject: hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+commit 07272e883fc61574b8367d44de48917f622cdd83 upstream.
+
+The macros FAN_FROM_REG and TEMP_FROM_REG evaluate their arguments
+multiple times. When used in lockless contexts involving shared driver
+data, this causes Time-of-Check to Time-of-Use (TOCTOU) race
+conditions.
+
+Convert the macros to static functions. This guarantees that arguments
+are evaluated only once (pass-by-value), preventing the race
+conditions.
+
+Adhere to the principle of minimal changes by only converting macros
+that evaluate arguments multiple times and are used in lockless
+contexts.
+
+Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
+Fixes: 85f03bccd6e0 ("hwmon: Add support for Winbond W83L786NG/NR")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Link: https://lore.kernel.org/r/20251128123816.3670-1-hanguidong02@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/w83l786ng.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/hwmon/w83l786ng.c
++++ b/drivers/hwmon/w83l786ng.c
+@@ -76,15 +76,25 @@ FAN_TO_REG(long rpm, int div)
+ return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
+ }
+
+-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \
+- ((val) == 255 ? 0 : \
+- 1350000 / ((val) * (div))))
++static int fan_from_reg(int val, int div)
++{
++ if (val == 0)
++ return -1;
++ if (val == 255)
++ return 0;
++ return 1350000 / (val * div);
++}
+
+ /* for temp */
+ #define TEMP_TO_REG(val) (clamp_val(((val) < 0 ? (val) + 0x100 * 1000 \
+ : (val)) / 1000, 0, 0xff))
+-#define TEMP_FROM_REG(val) (((val) & 0x80 ? \
+- (val) - 0x100 : (val)) * 1000)
++
++static int temp_from_reg(int val)
++{
++ if (val & 0x80)
++ return (val - 0x100) * 1000;
++ return val * 1000;
++}
+
+ /*
+ * The analog voltage inputs have 8mV LSB. Since the sysfs output is
+@@ -280,7 +290,7 @@ static ssize_t show_##reg(struct device
+ int nr = to_sensor_dev_attr(attr)->index; \
+ struct w83l786ng_data *data = w83l786ng_update_device(dev); \
+ return sprintf(buf, "%d\n", \
+- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
++ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
+ }
+
+ show_fan_reg(fan);
+@@ -347,7 +357,7 @@ store_fan_div(struct device *dev, struct
+
+ /* Save fan_min */
+ mutex_lock(&data->update_lock);
+- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
++ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
+
+ data->fan_div[nr] = DIV_TO_REG(val);
+
+@@ -409,7 +419,7 @@ show_temp(struct device *dev, struct dev
+ int nr = sensor_attr->nr;
+ int index = sensor_attr->index;
+ struct w83l786ng_data *data = w83l786ng_update_device(dev);
+- return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[nr][index]));
++ return sprintf(buf, "%d\n", temp_from_reg(data->temp[nr][index]));
+ }
+
+ static ssize_t
--- /dev/null
+From a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Wed, 22 Oct 2025 17:54:02 +0800
+Subject: i2c: amd-mp2: fix reference leak in MP2 PCI device
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 upstream.
+
+In i2c_amd_probe(), amd_mp2_find_device() utilizes
+driver_find_next_device() which internally calls driver_find_device()
+to locate the matching device. driver_find_device() increments the
+reference count of the found device by calling get_device(), but
+amd_mp2_find_device() fails to call put_device() to decrement the
+reference count before returning. This results in a reference count
+leak of the PCI device each time i2c_amd_probe() is executed, which
+may prevent the device from being properly released and cause a memory
+leak.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20251022095402.8846-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-amd-mp2-pci.c
++++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c
+@@ -461,13 +461,16 @@ struct amd_mp2_dev *amd_mp2_find_device(
+ {
+ struct device *dev;
+ struct pci_dev *pci_dev;
++ struct amd_mp2_dev *mp2_dev;
+
+ dev = driver_find_next_device(&amd_mp2_pci_driver.driver, NULL);
+ if (!dev)
+ return NULL;
+
+ pci_dev = to_pci_dev(dev);
+- return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev);
++ mp2_dev = (struct amd_mp2_dev *)pci_get_drvdata(pci_dev);
++ put_device(dev);
++ return mp2_dev;
+ }
+ EXPORT_SYMBOL_GPL(amd_mp2_find_device);
+
--- /dev/null
+From 527250cd9092461f1beac3e4180a4481bffa01b5 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Fri, 21 Nov 2025 11:04:50 +0100
+Subject: platform/x86: intel: chtwc_int33fe: don't dereference swnode args
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 527250cd9092461f1beac3e4180a4481bffa01b5 upstream.
+
+Members of struct software_node_ref_args should not be dereferenced
+directly but set using the provided macros. Commit d7cdbbc93c56
+("software node: allow referencing firmware nodes") changed the name of
+the software node member and caused a build failure. Remove all direct
+dereferences of the ref struct as a fix.
+
+However, this driver also seems to abuse the software node interface by
+waiting for a node with an arbitrary name "intel-xhci-usb-sw" to appear
+in the system before setting up the reference for the I2C device, while
+the actual software node already exists in the intel-xhci-usb-role-switch
+module and should be used to set up a static reference. Add a FIXME for
+a future improvement.
+
+Fixes: d7cdbbc93c56 ("software node: allow referencing firmware nodes")
+Fixes: 53c24c2932e5 ("platform/x86: intel_cht_int33fe: use inline reference properties")
+Cc: stable@vger.kernel.org
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Closes: https://lore.kernel.org/all/20251121111534.7cdbfe5c@canb.auug.org.au/
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
+Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel/chtwc_int33fe.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/drivers/platform/x86/intel/chtwc_int33fe.c
++++ b/drivers/platform/x86/intel/chtwc_int33fe.c
+@@ -77,7 +77,7 @@ static const struct software_node max170
+ * software node.
+ */
+ static struct software_node_ref_args fusb302_mux_refs[] = {
+- { .node = NULL },
++ SOFTWARE_NODE_REFERENCE(NULL),
+ };
+
+ static const struct property_entry fusb302_properties[] = {
+@@ -190,11 +190,6 @@ static void cht_int33fe_remove_nodes(str
+ {
+ software_node_unregister_node_group(node_group);
+
+- if (fusb302_mux_refs[0].node) {
+- fwnode_handle_put(software_node_fwnode(fusb302_mux_refs[0].node));
+- fusb302_mux_refs[0].node = NULL;
+- }
+-
+ if (data->dp) {
+ data->dp->secondary = NULL;
+ fwnode_handle_put(data->dp);
+@@ -202,7 +197,15 @@ static void cht_int33fe_remove_nodes(str
+ }
+ }
+
+-static int cht_int33fe_add_nodes(struct cht_int33fe_data *data)
++static void cht_int33fe_put_swnode(void *data)
++{
++ struct fwnode_handle *fwnode = data;
++
++ fwnode_handle_put(fwnode);
++ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(NULL);
++}
++
++static int cht_int33fe_add_nodes(struct device *dev, struct cht_int33fe_data *data)
+ {
+ const struct software_node *mux_ref_node;
+ int ret;
+@@ -212,17 +215,25 @@ static int cht_int33fe_add_nodes(struct
+ * until the mux driver has created software node for the mux device.
+ * It means we depend on the mux driver. This function will return
+ * -EPROBE_DEFER until the mux device is registered.
++ *
++ * FIXME: the relevant software node exists in intel-xhci-usb-role-switch
++ * and - if exported - could be used to set up a static reference.
+ */
+ mux_ref_node = software_node_find_by_name(NULL, "intel-xhci-usb-sw");
+ if (!mux_ref_node)
+ return -EPROBE_DEFER;
+
++ ret = devm_add_action_or_reset(dev, cht_int33fe_put_swnode,
++ software_node_fwnode(mux_ref_node));
++ if (ret)
++ return ret;
++
+ /*
+ * Update node used in "usb-role-switch" property. Note that we
+ * rely on software_node_register_node_group() to use the original
+ * instance of properties instead of copying them.
+ */
+- fusb302_mux_refs[0].node = mux_ref_node;
++ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(mux_ref_node);
+
+ ret = software_node_register_node_group(node_group);
+ if (ret)
+@@ -345,7 +356,7 @@ static int cht_int33fe_typec_probe(struc
+ return fusb302_irq;
+ }
+
+- ret = cht_int33fe_add_nodes(data);
++ ret = cht_int33fe_add_nodes(dev, data);
+ if (ret)
+ return ret;
+
--- /dev/null
+From a53e356df548f6b0e82529ef3cc6070f42622189 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Date: Fri, 22 Aug 2025 11:00:42 +0100
+Subject: rpmsg: glink: fix rpmsg device leak
+
+From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+
+commit a53e356df548f6b0e82529ef3cc6070f42622189 upstream.
+
+While testing rpmsg-char interface it was noticed that duplicate sysfs
+entries are getting created and below warning is noticed.
+
+Reason for this is that we are leaking rpmsg device pointer, setting it
+null without actually unregistering device.
+Any further attempts to unregister fail because rpdev is NULL,
+resulting in a leak.
+
+Fix this by unregistering rpmsg device before removing its reference
+from rpmsg channel.
+
+sysfs: cannot create duplicate filename '/devices/platform/soc@0/3700000.remot
+eproc/remoteproc/remoteproc1/3700000.remoteproc:glink-edge/3700000.remoteproc:
+glink-edge.adsp_apps.-1.-1'
+[ 114.115347] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not
+ tainted 6.16.0-rc4 #7 PREEMPT
+[ 114.115355] Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 (DT)
+[ 114.115358] Workqueue: events qcom_glink_work
+[ 114.115371] Call trace:8
+[ 114.115374] show_stack+0x18/0x24 (C)
+[ 114.115382] dump_stack_lvl+0x60/0x80
+[ 114.115388] dump_stack+0x18/0x24
+[ 114.115393] sysfs_warn_dup+0x64/0x80
+[ 114.115402] sysfs_create_dir_ns+0xf4/0x120
+[ 114.115409] kobject_add_internal+0x98/0x260
+[ 114.115416] kobject_add+0x9c/0x108
+[ 114.115421] device_add+0xc4/0x7a0
+[ 114.115429] rpmsg_register_device+0x5c/0xb0
+[ 114.115434] qcom_glink_work+0x4bc/0x820
+[ 114.115438] process_one_work+0x148/0x284
+[ 114.115446] worker_thread+0x2c4/0x3e0
+[ 114.115452] kthread+0x12c/0x204
+[ 114.115457] ret_from_fork+0x10/0x20
+[ 114.115464] kobject: kobject_add_internal failed for 3700000.remoteproc:
+glink-edge.adsp_apps.-1.-1 with -EEXIST, don't try to register things with
+the same name in the same directory.
+[ 114.250045] rpmsg 3700000.remoteproc:glink-edge.adsp_apps.-1.-1:
+device_add failed: -17
+
+Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c")
+Cc: Stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250822100043.2604794-2-srinivas.kandagatla@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -1317,6 +1317,7 @@ static void qcom_glink_destroy_ept(struc
+ {
+ struct glink_channel *channel = to_glink_channel(ept);
+ struct qcom_glink *glink = channel->glink;
++ struct rpmsg_channel_info chinfo;
+ unsigned long flags;
+
+ spin_lock_irqsave(&channel->recv_lock, flags);
+@@ -1324,6 +1325,13 @@ static void qcom_glink_destroy_ept(struc
+ spin_unlock_irqrestore(&channel->recv_lock, flags);
+
+ /* Decouple the potential rpdev from the channel */
++ if (channel->rpdev) {
++ strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name));
++ chinfo.src = RPMSG_ADDR_ANY;
++ chinfo.dst = RPMSG_ADDR_ANY;
++
++ rpmsg_unregister_device(glink->dev, &chinfo);
++ }
+ channel->rpdev = NULL;
+
+ qcom_glink_send_close_req(glink, channel);
io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch
drm-amd-display-use-gfp_atomic-in-dc_create_plane_state.patch
selftests-openvswitch-fix-escape-chars-in-regexp.patch
+crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch
+crypto-caam-add-check-for-kcalloc-in-test_len.patch
+amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch
+tracing-fix-fixed-array-of-synthetic-event.patch
+soc-qcom-ocmem-fix-device-leak-on-lookup.patch
+soc-amlogic-canvas-fix-device-leak-on-lookup.patch
+rpmsg-glink-fix-rpmsg-device-leak.patch
+platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch
+i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch
+hwmon-max16065-use-local-variable-to-avoid-toctou.patch
+hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch
+hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch
+arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch
--- /dev/null
+From 32200f4828de9d7e6db379909898e718747f4e18 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 26 Sep 2025 16:24:53 +0200
+Subject: soc: amlogic: canvas: fix device leak on lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 32200f4828de9d7e6db379909898e718747f4e18 upstream.
+
+Make sure to drop the reference taken to the canvas platform device when
+looking up its driver data.
+
+Note that holding a reference to a device does not prevent its driver
+data from going away so there is no point in keeping the reference.
+
+Also note that commit 28f851e6afa8 ("soc: amlogic: canvas: add missing
+put_device() call in meson_canvas_get()") fixed the leak in a lookup
+error path, but the reference is still leaking on success.
+
+Fixes: d4983983d987 ("soc: amlogic: add meson-canvas driver")
+Cc: stable@vger.kernel.org # 4.20: 28f851e6afa8
+Cc: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://patch.msgid.link/20250926142454.5929-2-johan@kernel.org
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/amlogic/meson-canvas.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/soc/amlogic/meson-canvas.c
++++ b/drivers/soc/amlogic/meson-canvas.c
+@@ -73,10 +73,9 @@ struct meson_canvas *meson_canvas_get(st
+ * current state, this driver probe cannot return -EPROBE_DEFER
+ */
+ canvas = dev_get_drvdata(&canvas_pdev->dev);
+- if (!canvas) {
+- put_device(&canvas_pdev->dev);
++ put_device(&canvas_pdev->dev);
++ if (!canvas)
+ return ERR_PTR(-EINVAL);
+- }
+
+ return canvas;
+ }
--- /dev/null
+From b5c16ea57b030b8e9428ec726e26219dfe05c3d9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 26 Sep 2025 16:35:10 +0200
+Subject: soc: qcom: ocmem: fix device leak on lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b5c16ea57b030b8e9428ec726e26219dfe05c3d9 upstream.
+
+Make sure to drop the reference taken to the ocmem platform device when
+looking up its driver data.
+
+Note that holding a reference to a device does not prevent its driver
+data from going away so there is no point in keeping the reference.
+
+Also note that commit 0ff027027e05 ("soc: qcom: ocmem: Fix missing
+put_device() call in of_get_ocmem") fixed the leak in a lookup error
+path, but the reference is still leaking on success.
+
+Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
+Cc: stable@vger.kernel.org # 5.5: 0ff027027e05
+Cc: Brian Masney <bmasney@redhat.com>
+Cc: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250926143511.6715-2-johan@kernel.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/ocmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/ocmem.c
++++ b/drivers/soc/qcom/ocmem.c
+@@ -204,9 +204,9 @@ struct ocmem *of_get_ocmem(struct device
+ of_node_put(devnode);
+
+ ocmem = platform_get_drvdata(pdev);
++ put_device(&pdev->dev);
+ if (!ocmem) {
+ dev_err(dev, "Cannot get ocmem\n");
+- put_device(&pdev->dev);
+ return ERR_PTR(-ENODEV);
+ }
+ return ocmem;
--- /dev/null
+From 47ef834209e5981f443240d8a8b45bf680df22aa Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 4 Dec 2025 15:19:35 -0500
+Subject: tracing: Fix fixed array of synthetic event
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 47ef834209e5981f443240d8a8b45bf680df22aa upstream.
+
+The commit 4d38328eb442d ("tracing: Fix synth event printk format for str
+fields") replaced "%.*s" with "%s" but missed removing the number size of
+the dynamic and static strings. The commit e1a453a57bc7 ("tracing: Do not
+add length to print format in synthetic events") fixed the dynamic part
+but did not fix the static part. That is, with the commands:
+
+ # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
+ # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger
+ # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger
+
+That caused the output of:
+
+ <idle>-0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155
+ sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58
+ <idle>-0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91
+
+The commit e1a453a57bc7 fixed the part where the synthetic event had
+"char[] wakee". But if one were to replace that with a static size string:
+
+ # echo 's:wake_lat char[16] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
+
+Where "wakee" is defined as "char[16]" and not "char[]" making it a static
+size, the code triggered the "(efaul)" again.
+
+Remove the added STR_VAR_LEN_MAX size as the string is still going to be
+nul terminated.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Douglas Raillard <douglas.raillard@arm.com>
+Link: https://patch.msgid.link/20251204151935.5fa30355@gandalf.local.home
+Fixes: e1a453a57bc7 ("tracing: Do not add length to print format in synthetic events")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_synth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -382,7 +382,6 @@ static enum print_line_t print_synth_eve
+ n_u64++;
+ } else {
+ trace_seq_printf(s, print_fmt, se->fields[i]->name,
+- STR_VAR_LEN_MAX,
+ (char *)&entry->fields[n_u64].as_u64,
+ i == se->n_fields - 1 ? "" : " ");
+ n_u64 += STR_VAR_LEN_MAX / sizeof(u64);
projects / thirdparty / kernel / stable-queue.git / commitdiff
