drm-amdgpu-limit-bo-list-entry-count-to-prevent-reso.patch
device-property-make-modifications-of-fwnode-flags-thread-safe.patch
ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
+zram-do-not-forget-to-endio-for-partial-discard-requests.patch
+wifi-rtw88-check-for-pci-upstream-bridge-existence.patch
+vfio-cdx-serialize-vfio_device_set_irqs-with-a-per-device-mutex.patch
+vfio-cdx-fix-null-pointer-dereference-in-interrupt-trigger-path.patch
+um-drivers-call-kernel_strrchr-explicitly-in-cow_user.c.patch
+spi-imx-fix-use-after-free-on-unbind.patch
+spi-ch341-fix-memory-leaks-on-probe-failures.patch
--- /dev/null
+From b99e3ddb91b499d920e63a2daff8880be68cfe9e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 27 Mar 2026 11:43:04 +0100
+Subject: spi: ch341: fix memory leaks on probe failures
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b99e3ddb91b499d920e63a2daff8880be68cfe9e upstream.
+
+Make sure to deregister the controller, disable pins, and kill and free
+the RX URB on probe failures to mirror disconnect and avoid memory
+leaks and use-after-free.
+
+Also add an explicit URB kill on disconnect for symmetry (even if that
+is not strictly required as USB core would have stopped it in the
+current setup).
+
+Fixes: 8846739f52af ("spi: add ch341a usb2spi driver")
+Cc: stable@vger.kernel.org # 6.11
+Cc: Johannes Thumshirn <jth@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260327104305.1309915-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-ch341.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+--- a/drivers/spi/spi-ch341.c
++++ b/drivers/spi/spi-ch341.c
+@@ -173,17 +173,17 @@ static int ch341_probe(struct usb_interf
+
+ ch341->tx_buf =
+ devm_kzalloc(&udev->dev, CH341_PACKET_LENGTH, GFP_KERNEL);
+- if (!ch341->tx_buf)
+- return -ENOMEM;
++ if (!ch341->tx_buf) {
++ ret = -ENOMEM;
++ goto err_free_urb;
++ }
+
+ usb_fill_bulk_urb(ch341->rx_urb, udev, ch341->read_pipe, ch341->rx_buf,
+ ch341->rx_len, ch341_recv, ch341);
+
+ ret = usb_submit_urb(ch341->rx_urb, GFP_KERNEL);
+- if (ret) {
+- usb_free_urb(ch341->rx_urb);
+- return -ENOMEM;
+- }
++ if (ret)
++ goto err_free_urb;
+
+ ctrl->bus_num = -1;
+ ctrl->mode_bits = SPI_CPHA;
+@@ -195,21 +195,34 @@ static int ch341_probe(struct usb_interf
+
+ ret = ch341_config_stream(ch341);
+ if (ret)
+- return ret;
++ goto err_kill_urb;
+
+ ret = ch341_enable_pins(ch341, true);
+ if (ret)
+- return ret;
++ goto err_kill_urb;
+
+ ret = spi_register_controller(ctrl);
+ if (ret)
+- return ret;
++ goto err_disable_pins;
+
+ ch341->spidev = spi_new_device(ctrl, &chip);
+- if (!ch341->spidev)
+- return -ENOMEM;
++ if (!ch341->spidev) {
++ ret = -ENOMEM;
++ goto err_unregister;
++ }
+
+ return 0;
++
++err_unregister:
++ spi_unregister_controller(ctrl);
++err_disable_pins:
++ ch341_enable_pins(ch341, false);
++err_kill_urb:
++ usb_kill_urb(ch341->rx_urb);
++err_free_urb:
++ usb_free_urb(ch341->rx_urb);
++
++ return ret;
+ }
+
+ static void ch341_disconnect(struct usb_interface *intf)
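Review bot: The new `err_unregister` path calls `spi_unregister_controller(ctrl)` and then falls through to labels that still use `ch341` (`ch341_enable_pins(ch341, false)`, `ch341->rx_urb`). That is only safe if `ch341` is not freed by deregistration, for example because the controller and its driver data are device-managed; the allocation is outside this hunk, so it cannot be confirmed here. The disconnect hunk that follows has the same ordering. If the allocation is devm-based, a comment above the labels would record the assumption, e.g. `/* ctrl is devm-allocated, so ch341 stays valid after unregistering */`. ch341_probe() begins before this hunk.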
+@@ -219,6 +232,7 @@ static void ch341_disconnect(struct usb_
+ spi_unregister_device(ch341->spidev);
+ spi_unregister_controller(ch341->ctrl);
+ ch341_enable_pins(ch341, false);
++ usb_kill_urb(ch341->rx_urb);
+ usb_free_urb(ch341->rx_urb);
+ }
+
--- /dev/null
+From 1c78c2002380a1fe31bfb01a3d5f29809e55a096 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 24 Mar 2026 09:23:22 +0100
+Subject: spi: imx: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1c78c2002380a1fe31bfb01a3d5f29809e55a096 upstream.
+
+The SPI subsystem frees the controller and any subsystem allocated
+driver data as part of deregistration (unless the allocation is device
+managed).
+
+Take another reference before deregistering the controller so that the
+driver data is not freed until the driver is done with it.
+
+Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller")
+Cc: stable@vger.kernel.org # 5.19
+Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260324082326.901043-2-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-imx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1893,6 +1893,8 @@ static void spi_imx_remove(struct platfo
+ struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
+ int ret;
+
++ spi_controller_get(controller);
++
+ spi_unregister_controller(controller);
+
+ ret = pm_runtime_get_sync(spi_imx->dev);
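Review bot: The `spi_controller_get(controller)` added at the top of spi_imx_remove() has no comment, and its matching `spi_controller_put(controller)` sits in a separate hunk at the end of the function, so the pairing is easy to break in a later edit. A one-line comment would record why the reference is taken, e.g. `/* Keep spi_imx (controller devdata) alive until remove is done */`. The function body continues past this hunk; any early return added between the two calls would also have to drop the reference.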
+@@ -1906,6 +1908,8 @@ static void spi_imx_remove(struct platfo
+ pm_runtime_disable(spi_imx->dev);
+
+ spi_imx_sdma_exit(spi_imx);
++
++ spi_controller_put(controller);
+ }
+
+ static int spi_imx_runtime_resume(struct device *dev)
--- /dev/null
+From 91e901c65b4da02a6fd543e3f0049829ae9645b7 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Wed, 8 Apr 2026 03:01:02 -0400
+Subject: um: drivers: call kernel_strrchr() explicitly in cow_user.c
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 91e901c65b4da02a6fd543e3f0049829ae9645b7 upstream.
+
+Building ARCH=um on glibc >= 2.43 fails:
+
+ arch/um/drivers/cow_user.c: error: implicit declaration of
+ function 'strrchr' [-Wimplicit-function-declaration]
+
+glibc 2.43's C23 const-preserving strrchr() macro does not survive
+UML's global -Dstrrchr=kernel_strrchr remap from arch/um/Makefile.
+Call kernel_strrchr() directly in cow_user.c so the source no longer
+depends on the -D rewrite.
+
+Fixes: 2c51a4bc0233 ("um: fix strrchr() problems")
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-6
+Assisted-by: Codex:gpt-5-4
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Link: https://patch.msgid.link/20260408070102.2325572-1-michael.bommarito@gmail.com
+[remove unnecessary 'extern']
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/drivers/cow_user.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/um/drivers/cow_user.c
++++ b/arch/um/drivers/cow_user.c
+@@ -15,6 +15,12 @@
+ #include "cow.h"
+ #include "cow_sys.h"
+
++/*
++ * arch/um/Makefile remaps strrchr to kernel_strrchr; call the kernel
++ * name directly to avoid glibc >= 2.43's C23 strrchr macro.
++ */
++char *kernel_strrchr(const char *, int);
++
+ #define PATH_LEN_V1 256
+
+ /* unsigned time_t works until year 2106 */
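Review bot: The local prototype `char *kernel_strrchr(const char *, int);` omits parameter names and is declared by hand in a .c file, so the compiler cannot check it against the real definition if that signature ever changes. Naming the parameters, `char *kernel_strrchr(const char *s, int c);`, matches the usual prototype style. If a shared header cannot be included because this file is built against host libc headers (not visible here), the comment above the prototype could say so.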
+@@ -153,7 +159,7 @@ static int absolutize(char *to, int size
+ errno);
+ return -1;
+ }
+- slash = strrchr(from, '/');
++ slash = kernel_strrchr(from, '/');
+ if (slash != NULL) {
+ *slash = '\0';
+ if (chdir(from)) {
--- /dev/null
+From 5ea5880764cbb164afb17a62e76ca75dc371409d Mon Sep 17 00:00:00 2001
+From: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
+Date: Fri, 17 Apr 2026 14:27:56 -0600
+Subject: vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
+
+From: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
+
+commit 5ea5880764cbb164afb17a62e76ca75dc371409d upstream.
+
+Add validation to ensure MSI is configured before accessing cdx_irqs
+array in vfio_cdx_set_msi_trigger(). Without this check, userspace
+can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS
+with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before
+ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD.
+
+The vfio_cdx_msi_enable() function allocates the cdx_irqs array and
+sets config_msi to 1 only when called through the EVENTFD path. The
+trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been
+done, but there was no enforcement of this call ordering.
+
+This matches the protection used in the PCI VFIO driver where
+vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop.
+
+Fixes: 848e447e000c ("vfio/cdx: add interrupt support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Prasanna Kumar T S M <ptsm@linux.microsoft.com>
+Acked-by: Nipun Gupta <nipun.gupta@amd.com>
+Signed-off-by: Alex Williamson <alex.williamson@nvidia.com>
+Acked-by: Nikhil Agarwal <nikhil.agarwal@amd.com>
+Link: https://lore.kernel.org/r/20260417202800.88287-2-alex.williamson@nvidia.com
+Signed-off-by: Alex Williamson <alex@shazbot.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/cdx/intr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/vfio/cdx/intr.c
++++ b/drivers/vfio/cdx/intr.c
+@@ -177,6 +177,10 @@ static int vfio_cdx_set_msi_trigger(stru
+ return ret;
+ }
+
++ /* Ensure MSI is configured before accessing cdx_irqs */
++ if (!vdev->config_msi)
++ return -EINVAL;
++
+ for (i = start; i < start + count; i++) {
+ if (!vdev->cdx_irqs[i].trigger)
+ continue;
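Review bot: The new `if (!vdev->config_msi)` test reads the flag with no lock visible in this hunk, so a concurrent VFIO_DEVICE_SET_IRQS call that disables MSI could still free `cdx_irqs` between the check and the loop below. On its own this commit closes the NULL dereference but not that window. Trees picking it up should also take 670e8864b1a2 from this series, which serializes the function with a mutex. vfio_cdx_set_msi_trigger() starts and ends outside the hunk.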
--- /dev/null
+From 670e8864b1a218d72f08db40d0103adf38fa1d9b Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@nvidia.com>
+Date: Fri, 17 Apr 2026 14:27:57 -0600
+Subject: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
+
+From: Alex Williamson <alex.williamson@nvidia.com>
+
+commit 670e8864b1a218d72f08db40d0103adf38fa1d9b upstream.
+
+vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the
+vdev->cdx_irqs array based on its value, but provides no serialization
+against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race
+such that one observes config_msi as set while another clears it and
+frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free
+of the cdx_irqs array.
+
+Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in
+vfio_cdx_set_msi_trigger(), which is the single chokepoint through
+which all updates to config_msi, cdx_irqs, and msi_count flow, covering
+both the ioctl path and the close-device cleanup path. This keeps the
+test of config_msi atomic with the subsequent enable, disable, or
+trigger operations.
+
+Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part
+of this change: the optimization it provided is redundant with the
+!config_msi early-return inside vfio_cdx_msi_disable(), and leaving the
+test in place would be an unsynchronized read of state the new lock is
+meant to protect.
+
+Fixes: 848e447e000c ("vfio/cdx: add interrupt support")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Alex Williamson <alex.williamson@nvidia.com>
+Acked-by: Nikhil Agarwal <nikhil.agarwal@amd.com>
+Link: https://lore.kernel.org/r/20260417202800.88287-3-alex.williamson@nvidia.com
+Signed-off-by: Alex Williamson <alex@shazbot.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/cdx/intr.c | 9 ++-------
+ drivers/vfio/cdx/main.c | 19 +++++++++++++++++++
+ drivers/vfio/cdx/private.h | 3 +++
+ 3 files changed, 24 insertions(+), 7 deletions(-)
+
+--- a/drivers/vfio/cdx/intr.c
++++ b/drivers/vfio/cdx/intr.c
+@@ -152,6 +152,8 @@ static int vfio_cdx_set_msi_trigger(stru
+ if (start + count > cdx_dev->num_msi)
+ return -EINVAL;
+
++ guard(mutex)(&vdev->cdx_irqs_lock);
++
+ if (!count && (flags & VFIO_IRQ_SET_DATA_NONE)) {
+ vfio_cdx_msi_disable(vdev);
+ return 0;
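Review bot: With `guard(mutex)(&vdev->cdx_irqs_lock)` taken here, the helpers called below (`vfio_cdx_msi_disable()` and, per the commit message, the enable path) now depend on the caller holding the lock, but nothing enforces that. Adding `lockdep_assert_held(&vdev->cdx_irqs_lock);` at the top of those helpers would catch a future caller that bypasses vfio_cdx_set_msi_trigger(). The helpers are defined outside this hunk, so this is a suggestion for the surrounding file rather than for these lines.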
+@@ -206,12 +208,5 @@ int vfio_cdx_set_irqs_ioctl(struct vfio_
+ /* Free All IRQs for the given device */
+ void vfio_cdx_irqs_cleanup(struct vfio_cdx_device *vdev)
+ {
+- /*
+- * Device does not support any interrupt or the interrupts
+- * were not configured
+- */
+- if (!vdev->cdx_irqs)
+- return;
+-
+ vfio_cdx_set_msi_trigger(vdev, 0, 0, 0, VFIO_IRQ_SET_DATA_NONE, NULL);
+ }
+--- a/drivers/vfio/cdx/main.c
++++ b/drivers/vfio/cdx/main.c
+@@ -8,6 +8,23 @@
+
+ #include "private.h"
+
++static int vfio_cdx_init_dev(struct vfio_device *core_vdev)
++{
++ struct vfio_cdx_device *vdev =
++ container_of(core_vdev, struct vfio_cdx_device, vdev);
++
++ mutex_init(&vdev->cdx_irqs_lock);
++ return 0;
++}
++
++static void vfio_cdx_release_dev(struct vfio_device *core_vdev)
++{
++ struct vfio_cdx_device *vdev =
++ container_of(core_vdev, struct vfio_cdx_device, vdev);
++
++ mutex_destroy(&vdev->cdx_irqs_lock);
++}
++
+ static int vfio_cdx_open_device(struct vfio_device *core_vdev)
+ {
+ struct vfio_cdx_device *vdev =
+@@ -281,6 +298,8 @@ static int vfio_cdx_mmap(struct vfio_dev
+
+ static const struct vfio_device_ops vfio_cdx_ops = {
+ .name = "vfio-cdx",
++ .init = vfio_cdx_init_dev,
++ .release = vfio_cdx_release_dev,
+ .open_device = vfio_cdx_open_device,
+ .close_device = vfio_cdx_close_device,
+ .ioctl = vfio_cdx_ioctl,
+--- a/drivers/vfio/cdx/private.h
++++ b/drivers/vfio/cdx/private.h
+@@ -6,6 +6,8 @@
+ #ifndef VFIO_CDX_PRIVATE_H
+ #define VFIO_CDX_PRIVATE_H
+
++#include <linux/mutex.h>
++
+ #define VFIO_CDX_OFFSET_SHIFT 40
+
+ static inline u64 vfio_cdx_index_to_offset(u32 index)
+@@ -31,6 +33,7 @@ struct vfio_cdx_region {
+ struct vfio_cdx_device {
+ struct vfio_device vdev;
+ struct vfio_cdx_region *regions;
++ struct mutex cdx_irqs_lock;
+ struct vfio_cdx_irq *cdx_irqs;
+ u32 flags;
+ #define BME_SUPPORT BIT(0)
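Review bot: The new `struct mutex cdx_irqs_lock;` member has no comment saying what it protects. The commit message names config_msi, cdx_irqs and msi_count, and recording that at the declaration keeps the locking rule next to the data, e.g. `struct mutex cdx_irqs_lock; /* protects config_msi, cdx_irqs, msi_count */`. The struct definition continues past this hunk.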
--- /dev/null
+From eb101d2abdcccb514ca4fccd3b278dd8267374f6 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Fri, 20 Feb 2026 12:47:30 +0300
+Subject: wifi: rtw88: check for PCI upstream bridge existence
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit eb101d2abdcccb514ca4fccd3b278dd8267374f6 upstream.
+
+pci_upstream_bridge() returns NULL if the device is on a root bus. If
+8821CE is installed in the system with such a PCI topology, the probing
+routine will crash. This has probably been unnoticed as 8821CE is mostly
+supplied in laptops where there is a PCI-to-PCI bridge located upstream
+from the device. However the card might be installed on a system with
+different configuration.
+
+Check if the bridge does exist for the specific workaround to be applied.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+Fixes: 24f5e38a13b5 ("rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20260220094730.49791-1-pchelkin@ispras.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/pci.c
++++ b/drivers/net/wireless/realtek/rtw88/pci.c
+@@ -1767,7 +1767,8 @@ int rtw_pci_probe(struct pci_dev *pdev,
+ }
+
+ /* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE */
+- if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C && bridge->vendor == PCI_VENDOR_ID_INTEL)
++ if (rtwdev->chip->id == RTW_CHIP_TYPE_8821C &&
++ bridge && bridge->vendor == PCI_VENDOR_ID_INTEL)
+ rtwpci->rx_no_aspm = true;
+
+ rtw_pci_phy_cfg(rtwdev);
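Review bot: The added `bridge &&` test has no comment explaining when `bridge` can be NULL, and the assignment of `bridge` is outside this hunk. Extending the existing comment would keep the reason next to the check, e.g. `/* Disable PCIe ASPM L1 while doing NAPI poll for 8821CE; bridge is NULL on a root bus */`. Any other dereference of `bridge` in rtw_pci_probe() would need the same guard; none is visible here.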
--- /dev/null
+From e3668b371329ea036ff022ce8ecc82f8befcf003 Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+Date: Tue, 31 Mar 2026 16:42:44 +0900
+Subject: zram: do not forget to endio for partial discard requests
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+commit e3668b371329ea036ff022ce8ecc82f8befcf003 upstream.
+
+As reported by Qu Wenruo and Avinesh Kumar, the following
+
+ getconf PAGESIZE
+ 65536
+ blkdiscard -p 4k /dev/zram0
+
+takes literally forever to complete. zram doesn't support partial
+discards and just returns immediately w/o doing any discard work in such
+cases. The problem is that we forget to endio on our way out, so
+blkdiscard sleeps forever in submit_bio_wait(). Fix this by jumping to
+end_bio label, which does bio_endio().
+
+Link: https://lore.kernel.org/20260331074255.777019-1-senozhatsky@chromium.org
+Fixes: 0120dd6e4e20 ("zram: make zram_bio_discard more self-contained")
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reported-by: Qu Wenruo <wqu@suse.com>
+Closes: https://lore.kernel.org/linux-block/92361cd3-fb8b-482e-bc89-15ff1acb9a59@suse.com
+Tested-by: Qu Wenruo <wqu@suse.com>
+Reported-by: Avinesh Kumar <avinesh.kumar@suse.com>
+Closes: https://bugzilla.suse.com/show_bug.cgi?id=1256530
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: Brian Geffon <bgeffon@google.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -2017,7 +2017,7 @@ static void zram_bio_discard(struct zram
+ */
+ if (offset) {
+ if (n <= (PAGE_SIZE - offset))
+- return;
++ goto end_bio;
+
+ n -= (PAGE_SIZE - offset);
+ index++;
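Review bot: The `goto end_bio` taken when the discard fits inside a single partial page completes the bio with its default status, so the submitter sees success although nothing was discarded. That looks intentional, but a comment at the jump would make it explicit, e.g. `/* partial-page discard is a no-op, but the bio must still be completed */`. The `end_bio:` label is added in the next hunk, and zram_bio_discard() starts outside both.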
+@@ -2032,6 +2032,7 @@ static void zram_bio_discard(struct zram
+ n -= PAGE_SIZE;
+ }
+
++end_bio:
+ bio_endio(bio);
+ }
+