From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 16:00:50 +0000 (+0100) Subject: 6.12-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=109d6a55889663a6e547c1605c5c427bb0ec7189;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch crypto-caam-add-check-for-kcalloc-in-test_len.patch dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch hwmon-max16065-use-local-variable-to-avoid-toctou.patch hwmon-max6697-fix-regmap-leak-on-probe-failure.patch hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch rpmsg-glink-fix-rpmsg-device-leak.patch soc-amlogic-canvas-fix-device-leak-on-lookup.patch soc-apple-mailbox-fix-device-leak-on-lookup.patch soc-qcom-ocmem-fix-device-leak-on-lookup.patch soc-qcom-pbs-fix-device-leak-on-lookup.patch soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch tracing-fix-fixed-array-of-synthetic-event.patch virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch x86-msi-make-irq_retrigger-functional-for-posted-msi.patch --- diff --git a/queue-6.12/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch b/queue-6.12/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch new file mode 100644 index 0000000000..1c822677bf --- /dev/null +++ b/queue-6.12/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch @@ -0,0 +1,34 @@ +From 500e1368e46928f4b2259612dcabb6999afae2a6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 25 Sep 2025 17:00:07 +0200 +Subject: amba: tegra-ahb: Fix device leak on SMMU enable + +From: Johan Hovold + +commit 500e1368e46928f4b2259612dcabb6999afae2a6 upstream. + +Make sure to drop the reference taken to the AHB platform device when +looking up its driver data while enabling the SMMU. + +Note that holding a reference to a device does not prevent its driver +data from going away. + +Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB") +Cc: stable@vger.kernel.org # 3.5 +Signed-off-by: Johan Hovold +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + drivers/amba/tegra-ahb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/amba/tegra-ahb.c ++++ b/drivers/amba/tegra-ahb.c +@@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_ + if (!dev) + return -EPROBE_DEFER; + ahb = dev_get_drvdata(dev); ++ put_device(dev); + val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL); + val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE; + gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL); diff --git a/queue-6.12/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch b/queue-6.12/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch new file mode 100644 index 0000000000..28a4a9ddc4 --- /dev/null +++ b/queue-6.12/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch @@ -0,0 +1,69 @@ +From 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Fri, 14 Nov 2025 15:02:25 +0100 +Subject: ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 + +From: Nicolas Ferre + +commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce upstream. + +Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo +size of 32 data. Fix flexcom/spi nodes where this property is wrong. + +Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions") +Cc: stable@vger.kernel.org # 5.8+ +Signed-off-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/microchip/sama5d2.dtsi ++++ b/arch/arm/boot/dts/microchip/sama5d2.dtsi +@@ -568,7 +568,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(12))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + +@@ -639,7 +639,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(14))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + +@@ -851,7 +851,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(16))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + +@@ -922,7 +922,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(18))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + +@@ -994,7 +994,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(20))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + diff --git a/queue-6.12/crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch b/queue-6.12/crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch new file mode 100644 index 0000000000..12f3b1c2d5 --- /dev/null +++ b/queue-6.12/crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch @@ -0,0 +1,98 @@ +From 6f6e309328d53a10c0fe1f77dec2db73373179b6 Mon Sep 17 00:00:00 2001 +From: Shivani Agarwal +Date: Tue, 23 Sep 2025 23:01:48 -0700 +Subject: crypto: af_alg - zero initialize memory allocated via sock_kmalloc + +From: Shivani Agarwal + +commit 6f6e309328d53a10c0fe1f77dec2db73373179b6 upstream. + +Several crypto user API contexts and requests allocated with +sock_kmalloc() were left uninitialized, relying on callers to +set fields explicitly. This resulted in the use of uninitialized +data in certain error paths or when new fields are added in the +future. + +The ACVP patches also contain two user-space interface files: +algif_kpp.c and algif_akcipher.c. These too rely on proper +initialization of their context structures. + +A particular issue has been observed with the newly added +'inflight' variable introduced in af_alg_ctx by commit: + + 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") + +Because the context is not memset to zero after allocation, +the inflight variable has contained garbage values. As a result, +af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when +the garbage value was interpreted as true: + + https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 + +The check directly tests ctx->inflight without explicitly +comparing against true/false. Since inflight is only ever set to +true or false later, an uninitialized value has triggered +-EBUSY failures. Zero-initializing memory allocated with +sock_kmalloc() ensures inflight and other fields start in a known +state, removing random issues caused by uninitialized data. + +Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations") +Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support") +Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code") +Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") +Cc: stable@vger.kernel.org +Signed-off-by: Shivani Agarwal +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/af_alg.c | 5 ++--- + crypto/algif_hash.c | 3 +-- + crypto/algif_rng.c | 3 +-- + 3 files changed, 4 insertions(+), 7 deletions(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1212,15 +1212,14 @@ struct af_alg_async_req *af_alg_alloc_ar + if (unlikely(!areq)) + return ERR_PTR(-ENOMEM); + ++ memset(areq, 0, areqlen); ++ + ctx->inflight = true; + + areq->areqlen = areqlen; + areq->sk = sk; + areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl; +- areq->last_rsgl = NULL; + INIT_LIST_HEAD(&areq->rsgl_list); +- areq->tsgl = NULL; +- areq->tsgl_entries = 0; + + return areq; + } +--- a/crypto/algif_hash.c ++++ b/crypto/algif_hash.c +@@ -416,9 +416,8 @@ static int hash_accept_parent_nokey(void + if (!ctx) + return -ENOMEM; + +- ctx->result = NULL; ++ memset(ctx, 0, len); + ctx->len = len; +- ctx->more = false; + crypto_init_wait(&ctx->wait); + + ask->private = ctx; +--- a/crypto/algif_rng.c ++++ b/crypto/algif_rng.c +@@ -248,9 +248,8 @@ static int rng_accept_parent(void *priva + if (!ctx) + return -ENOMEM; + ++ memset(ctx, 0, len); + ctx->len = len; +- ctx->addtl = NULL; +- ctx->addtl_len = 0; + + /* + * No seeding done at that point -- if multiple accepts are diff --git a/queue-6.12/crypto-caam-add-check-for-kcalloc-in-test_len.patch b/queue-6.12/crypto-caam-add-check-for-kcalloc-in-test_len.patch new file mode 100644 index 0000000000..ba68fc45ea --- /dev/null +++ b/queue-6.12/crypto-caam-add-check-for-kcalloc-in-test_len.patch @@ -0,0 +1,35 @@ +From 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 Mon Sep 17 00:00:00 2001 +From: Guangshuo Li +Date: Tue, 23 Sep 2025 20:44:18 +0800 +Subject: crypto: caam - Add check for kcalloc() in test_len() + +From: Guangshuo Li + +commit 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 upstream. + +As kcalloc() may fail, check its return value to avoid a NULL pointer +dereference when passing the buffer to rng->read(). On allocation +failure, log the error and return since test_len() returns void. + +Fixes: 2be0d806e25e ("crypto: caam - add a test for the RNG") +Cc: stable@vger.kernel.org +Signed-off-by: Guangshuo Li +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/caam/caamrng.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/crypto/caam/caamrng.c ++++ b/drivers/crypto/caam/caamrng.c +@@ -181,7 +181,9 @@ static inline void test_len(struct hwrng + struct device *dev = ctx->ctrldev; + + buf = kcalloc(CAAM_RNG_MAX_FIFO_STORE_SIZE, sizeof(u8), GFP_KERNEL); +- ++ if (!buf) { ++ return; ++ } + while (len > 0) { + read_len = rng->read(rng, buf, len, wait); + diff --git a/queue-6.12/dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch b/queue-6.12/dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..5c53d98d0c --- /dev/null +++ b/queue-6.12/dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From ef99c2efeacac7758cc8c2d00e3200100a4da16c Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:45 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit ef99c2efeacac7758cc8c2d00e3200100a4da16c upstream. + +Commit 756485bfbb85 ("dt-bindings: PCI: qcom,pcie-sc7280: Move SC7280 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 756485bfbb85 ("dt-bindings: PCI: qcom,pcie-sc7280: Move SC7280 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-2-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml +@@ -74,6 +74,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.12/dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch b/queue-6.12/dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..d5b7bd3929 --- /dev/null +++ b/queue-6.12/dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,42 @@ +From ea551601404d286813aef6819ddf0bf1d7d69a24 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:46 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sc8280xp: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit ea551601404d286813aef6819ddf0bf1d7d69a24 upstream. + +Commit c007a5505504 ("dt-bindings: PCI: qcom,pcie-sc8280xp: Move +SC8280XP to dedicated schema") move the device schema to separate file, +but it missed a "if:not:...then:" clause in the original binding which +was requiring power-domains and resets for this particular chip. + +Fixes: c007a5505504 ("dt-bindings: PCI: qcom,pcie-sc8280xp: Move SC8280XP to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-3-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml b/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml +index a18cba10acea..bc0e71dc06a3 100644 +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml +@@ -61,6 +61,9 @@ properties: + required: + - interconnects + - interconnect-names ++ - power-domains ++ - resets ++ - reset-names + + allOf: + - $ref: qcom,pcie-common.yaml# +-- +2.52.0 + diff --git a/queue-6.12/dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..cdedfa49be --- /dev/null +++ b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From 31cb432b62fb796e0c1084542ba39311d2f716d5 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:47 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8150: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit 31cb432b62fb796e0c1084542ba39311d2f716d5 upstream. + +Commit 51bc04d5b49d ("dt-bindings: PCI: qcom,pcie-sm8150: Move SM8150 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 51bc04d5b49d ("dt-bindings: PCI: qcom,pcie-sm8150: Move SM8150 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-4-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml +@@ -69,6 +69,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.12/dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..eb0327b8be --- /dev/null +++ b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From 2620c6bcd8c141b79ff2afe95dc814dfab644f63 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:48 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8250: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit 2620c6bcd8c141b79ff2afe95dc814dfab644f63 upstream. + +Commit 4891b66185c1 ("dt-bindings: PCI: qcom,pcie-sm8250: Move SM8250 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 4891b66185c1 ("dt-bindings: PCI: qcom,pcie-sm8250: Move SM8250 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-5-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml +@@ -81,6 +81,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.12/dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..63f86f7371 --- /dev/null +++ b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From 012ba0d5f02e1f192eda263b5f9f826e47d607bb Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:49 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8350: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit 012ba0d5f02e1f192eda263b5f9f826e47d607bb upstream. + +Commit 2278b8b54773 ("dt-bindings: PCI: qcom,pcie-sm8350: Move SM8350 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 2278b8b54773 ("dt-bindings: PCI: qcom,pcie-sm8350: Move SM8350 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-6-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml +@@ -71,6 +71,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.12/dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..7b0346faf9 --- /dev/null +++ b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From 667facc4000c49a7c280097ef6638f133bcb1e59 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:50 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8450: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit 667facc4000c49a7c280097ef6638f133bcb1e59 upstream. + +Commit 88c9b3af4e31 ("dt-bindings: PCI: qcom,pcie-sm8450: Move SM8450 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 88c9b3af4e31 ("dt-bindings: PCI: qcom,pcie-sm8450: Move SM8450 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-7-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml +@@ -81,6 +81,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.12/dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..0bf9a0703f --- /dev/null +++ b/queue-6.12/dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From e60c6f34b9f3a83f96006243c0ef96c134520257 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:51 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8550: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit e60c6f34b9f3a83f96006243c0ef96c134520257 upstream. + +Commit b8d3404058a6 ("dt-bindings: PCI: qcom,pcie-sm8550: Move SM8550 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: b8d3404058a6 ("dt-bindings: PCI: qcom,pcie-sm8550: Move SM8550 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-8-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml +@@ -78,6 +78,11 @@ properties: + - const: pci # PCIe core reset + - const: link_down # PCIe link down reset + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.12/hwmon-max16065-use-local-variable-to-avoid-toctou.patch b/queue-6.12/hwmon-max16065-use-local-variable-to-avoid-toctou.patch new file mode 100644 index 0000000000..c6bbe5df10 --- /dev/null +++ b/queue-6.12/hwmon-max16065-use-local-variable-to-avoid-toctou.patch @@ -0,0 +1,51 @@ +From b8d5acdcf525f44e521ca4ef51dce4dac403dab4 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 28 Nov 2025 20:47:09 +0800 +Subject: hwmon: (max16065) Use local variable to avoid TOCTOU + +From: Gui-Dong Han + +commit b8d5acdcf525f44e521ca4ef51dce4dac403dab4 upstream. + +In max16065_current_show, data->curr_sense is read twice: once for the +error check and again for the calculation. Since +i2c_smbus_read_byte_data returns negative error codes on failure, if the +data changes to an error code between the check and the use, ADC_TO_CURR +results in an incorrect calculation. + +Read data->curr_sense into a local variable to ensure consistency. Note +that data->curr_gain is constant and safe to access directly. + +This aligns max16065_current_show with max16065_input_show, which +already uses a local variable for the same reason. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251128124709.3876-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/max16065.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/max16065.c ++++ b/drivers/hwmon/max16065.c +@@ -216,12 +216,13 @@ static ssize_t max16065_current_show(str + struct device_attribute *da, char *buf) + { + struct max16065_data *data = max16065_update_device(dev); ++ int curr_sense = data->curr_sense; + +- if (unlikely(data->curr_sense < 0)) +- return data->curr_sense; ++ if (unlikely(curr_sense < 0)) ++ return curr_sense; + + return sysfs_emit(buf, "%d\n", +- ADC_TO_CURR(data->curr_sense, data->curr_gain)); ++ ADC_TO_CURR(curr_sense, data->curr_gain)); + } + + static ssize_t max16065_limit_store(struct device *dev, diff --git a/queue-6.12/hwmon-max6697-fix-regmap-leak-on-probe-failure.patch b/queue-6.12/hwmon-max6697-fix-regmap-leak-on-probe-failure.patch new file mode 100644 index 0000000000..cb24305193 --- /dev/null +++ b/queue-6.12/hwmon-max6697-fix-regmap-leak-on-probe-failure.patch @@ -0,0 +1,36 @@ +From 02f0ad8e8de8cf5344f8f0fa26d9529b8339da47 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 27 Nov 2025 14:43:51 +0100 +Subject: hwmon: (max6697) fix regmap leak on probe failure + +From: Johan Hovold + +commit 02f0ad8e8de8cf5344f8f0fa26d9529b8339da47 upstream. + +The i2c regmap allocated during probe is never freed. + +Switch to using the device managed allocator so that the regmap is +released on probe failures (e.g. probe deferral) and on driver unbind. + +Fixes: 3a2a8cc3fe24 ("hwmon: (max6697) Convert to use regmap") +Cc: stable@vger.kernel.org # 6.12 +Cc: Guenter Roeck +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20251127134351.1585-1-johan@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/max6697.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/max6697.c ++++ b/drivers/hwmon/max6697.c +@@ -548,7 +548,7 @@ static int max6697_probe(struct i2c_clie + struct regmap *regmap; + int err; + +- regmap = regmap_init_i2c(client, &max6697_regmap_config); ++ regmap = devm_regmap_init_i2c(client, &max6697_regmap_config); + if (IS_ERR(regmap)) + return PTR_ERR(regmap); + diff --git a/queue-6.12/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch b/queue-6.12/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch new file mode 100644 index 0000000000..3361db0219 --- /dev/null +++ b/queue-6.12/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch @@ -0,0 +1,79 @@ +From 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Wed, 3 Dec 2025 02:01:05 +0800 +Subject: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU + +From: Gui-Dong Han + +commit 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 upstream. + +The macro FAN_FROM_REG evaluates its arguments multiple times. When used +in lockless contexts involving shared driver data, this leads to +Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially +causing divide-by-zero errors. + +Convert the macro to a static function. This guarantees that arguments +are evaluated only once (pass-by-value), preventing the race +conditions. + +Additionally, in store_fan_div, move the calculation of the minimum +limit inside the update lock. This ensures that the read-modify-write +sequence operates on consistent data. + +Adhere to the principle of minimal changes by only converting macros +that evaluate arguments multiple times and are used in lockless +contexts. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: 9873964d6eb2 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/w83791d.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/hwmon/w83791d.c ++++ b/drivers/hwmon/w83791d.c +@@ -218,9 +218,14 @@ static u8 fan_to_reg(long rpm, int div) + return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254); + } + +-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \ +- ((val) == 255 ? 0 : \ +- 1350000 / ((val) * (div)))) ++static int fan_from_reg(int val, int div) ++{ ++ if (val == 0) ++ return -1; ++ if (val == 255) ++ return 0; ++ return 1350000 / (val * div); ++} + + /* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */ + #define TEMP1_FROM_REG(val) ((val) * 1000) +@@ -521,7 +526,7 @@ static ssize_t show_##reg(struct device + struct w83791d_data *data = w83791d_update_device(dev); \ + int nr = sensor_attr->index; \ + return sprintf(buf, "%d\n", \ +- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ ++ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ + } + + show_fan_reg(fan); +@@ -585,10 +590,10 @@ static ssize_t store_fan_div(struct devi + if (err) + return err; + ++ mutex_lock(&data->update_lock); + /* Save fan_min */ +- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); ++ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); + +- mutex_lock(&data->update_lock); + data->fan_div[nr] = div_to_reg(nr, val); + + switch (nr) { diff --git a/queue-6.12/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch b/queue-6.12/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch new file mode 100644 index 0000000000..46119bd067 --- /dev/null +++ b/queue-6.12/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch @@ -0,0 +1,93 @@ +From 07272e883fc61574b8367d44de48917f622cdd83 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 28 Nov 2025 20:38:16 +0800 +Subject: hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU + +From: Gui-Dong Han + +commit 07272e883fc61574b8367d44de48917f622cdd83 upstream. + +The macros FAN_FROM_REG and TEMP_FROM_REG evaluate their arguments +multiple times. When used in lockless contexts involving shared driver +data, this causes Time-of-Check to Time-of-Use (TOCTOU) race +conditions. + +Convert the macros to static functions. This guarantees that arguments +are evaluated only once (pass-by-value), preventing the race +conditions. + +Adhere to the principle of minimal changes by only converting macros +that evaluate arguments multiple times and are used in lockless +contexts. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: 85f03bccd6e0 ("hwmon: Add support for Winbond W83L786NG/NR") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251128123816.3670-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/w83l786ng.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/drivers/hwmon/w83l786ng.c ++++ b/drivers/hwmon/w83l786ng.c +@@ -76,15 +76,25 @@ FAN_TO_REG(long rpm, int div) + return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254); + } + +-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \ +- ((val) == 255 ? 0 : \ +- 1350000 / ((val) * (div)))) ++static int fan_from_reg(int val, int div) ++{ ++ if (val == 0) ++ return -1; ++ if (val == 255) ++ return 0; ++ return 1350000 / (val * div); ++} + + /* for temp */ + #define TEMP_TO_REG(val) (clamp_val(((val) < 0 ? (val) + 0x100 * 1000 \ + : (val)) / 1000, 0, 0xff)) +-#define TEMP_FROM_REG(val) (((val) & 0x80 ? \ +- (val) - 0x100 : (val)) * 1000) ++ ++static int temp_from_reg(int val) ++{ ++ if (val & 0x80) ++ return (val - 0x100) * 1000; ++ return val * 1000; ++} + + /* + * The analog voltage inputs have 8mV LSB. Since the sysfs output is +@@ -280,7 +290,7 @@ static ssize_t show_##reg(struct device + int nr = to_sensor_dev_attr(attr)->index; \ + struct w83l786ng_data *data = w83l786ng_update_device(dev); \ + return sprintf(buf, "%d\n", \ +- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ ++ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ + } + + show_fan_reg(fan); +@@ -347,7 +357,7 @@ store_fan_div(struct device *dev, struct + + /* Save fan_min */ + mutex_lock(&data->update_lock); +- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); ++ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); + + data->fan_div[nr] = DIV_TO_REG(val); + +@@ -409,7 +419,7 @@ show_temp(struct device *dev, struct dev + int nr = sensor_attr->nr; + int index = sensor_attr->index; + struct w83l786ng_data *data = w83l786ng_update_device(dev); +- return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[nr][index])); ++ return sprintf(buf, "%d\n", temp_from_reg(data->temp[nr][index])); + } + + static ssize_t diff --git a/queue-6.12/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch b/queue-6.12/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch new file mode 100644 index 0000000000..5f34e2681b --- /dev/null +++ b/queue-6.12/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch @@ -0,0 +1,51 @@ +From a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 22 Oct 2025 17:54:02 +0800 +Subject: i2c: amd-mp2: fix reference leak in MP2 PCI device + +From: Ma Ke + +commit a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 upstream. + +In i2c_amd_probe(), amd_mp2_find_device() utilizes +driver_find_next_device() which internally calls driver_find_device() +to locate the matching device. driver_find_device() increments the +reference count of the found device by calling get_device(), but +amd_mp2_find_device() fails to call put_device() to decrement the +reference count before returning. This results in a reference count +leak of the PCI device each time i2c_amd_probe() is executed, which +may prevent the device from being properly released and cause a memory +leak. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller") +Signed-off-by: Ma Ke +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20251022095402.8846-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-amd-mp2-pci.c ++++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c +@@ -461,13 +461,16 @@ struct amd_mp2_dev *amd_mp2_find_device( + { + struct device *dev; + struct pci_dev *pci_dev; ++ struct amd_mp2_dev *mp2_dev; + + dev = driver_find_next_device(&amd_mp2_pci_driver.driver, NULL); + if (!dev) + return NULL; + + pci_dev = to_pci_dev(dev); +- return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); ++ mp2_dev = (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); ++ put_device(dev); ++ return mp2_dev; + } + EXPORT_SYMBOL_GPL(amd_mp2_find_device); + diff --git a/queue-6.12/interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch b/queue-6.12/interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch new file mode 100644 index 0000000000..413c2c68d8 --- /dev/null +++ b/queue-6.12/interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch @@ -0,0 +1,119 @@ +From 295f58fdccd05b2d6da1f4a4f81952ccb565c4dc Mon Sep 17 00:00:00 2001 +From: Raviteja Laggyshetty +Date: Fri, 26 Sep 2025 12:12:09 +0530 +Subject: interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes + +From: Raviteja Laggyshetty + +commit 295f58fdccd05b2d6da1f4a4f81952ccb565c4dc upstream. + +As like other SDX SoCs, SDX75 SoC's QPIC BCM resource was modeled as a +RPMh clock in clk-rpmh driver. However, for SDX75, this resource was also +described as an interconnect and BCM node mistakenly. It is incorrect to +describe the same resource in two different providers, as it will lead to +votes from clients overriding each other. + +Hence, drop the QPIC interconnect and BCM nodes and let the clients use +clk-rpmh driver to vote for this resource. + +Without this change, the NAND driver fails to probe on SDX75, as the +interconnect sync state disables the QPIC nodes as there were no clients +voting for this ICC resource. However, the NAND driver had already voted +for this BCM resource through the clk-rpmh driver. Since both votes come +from Linux, RPMh was unable to distinguish between these two and ends up +disabling the QPIC resource during sync state. + +Cc: stable@vger.kernel.org +Fixes: 3642b4e5cbfe ("interconnect: qcom: Add SDX75 interconnect provider driver") +Signed-off-by: Raviteja Laggyshetty +[mani: dropped the reference to bcm_qp0, reworded description] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Konrad Dybcio +Tested-by: Lakshmi Sowjanya D # on SDX75 +Link: https://lore.kernel.org/r/20250926-sdx75-icc-v2-1-20d6820e455c@oss.qualcomm.com +Signed-off-by: Georgi Djakov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/interconnect/qcom/sdx75.c | 26 -------------------------- + drivers/interconnect/qcom/sdx75.h | 2 -- + 2 files changed, 28 deletions(-) + +--- a/drivers/interconnect/qcom/sdx75.c ++++ b/drivers/interconnect/qcom/sdx75.c +@@ -16,15 +16,6 @@ + #include "icc-rpmh.h" + #include "sdx75.h" + +-static struct qcom_icc_node qpic_core_master = { +- .name = "qpic_core_master", +- .id = SDX75_MASTER_QPIC_CORE, +- .channels = 1, +- .buswidth = 4, +- .num_links = 1, +- .links = { SDX75_SLAVE_QPIC_CORE }, +-}; +- + static struct qcom_icc_node qup0_core_master = { + .name = "qup0_core_master", + .id = SDX75_MASTER_QUP_CORE_0, +@@ -375,14 +366,6 @@ static struct qcom_icc_node xm_usb3 = { + .links = { SDX75_SLAVE_A1NOC_CFG }, + }; + +-static struct qcom_icc_node qpic_core_slave = { +- .name = "qpic_core_slave", +- .id = SDX75_SLAVE_QPIC_CORE, +- .channels = 1, +- .buswidth = 4, +- .num_links = 0, +-}; +- + static struct qcom_icc_node qup0_core_slave = { + .name = "qup0_core_slave", + .id = SDX75_SLAVE_QUP_CORE_0, +@@ -831,12 +814,6 @@ static struct qcom_icc_bcm bcm_mc0 = { + .nodes = { &ebi }, + }; + +-static struct qcom_icc_bcm bcm_qp0 = { +- .name = "QP0", +- .num_nodes = 1, +- .nodes = { &qpic_core_slave }, +-}; +- + static struct qcom_icc_bcm bcm_qup0 = { + .name = "QUP0", + .keepalive = true, +@@ -898,14 +875,11 @@ static struct qcom_icc_bcm bcm_sn4 = { + }; + + static struct qcom_icc_bcm * const clk_virt_bcms[] = { +- &bcm_qp0, + &bcm_qup0, + }; + + static struct qcom_icc_node * const clk_virt_nodes[] = { +- [MASTER_QPIC_CORE] = &qpic_core_master, + [MASTER_QUP_CORE_0] = &qup0_core_master, +- [SLAVE_QPIC_CORE] = &qpic_core_slave, + [SLAVE_QUP_CORE_0] = &qup0_core_slave, + }; + +--- a/drivers/interconnect/qcom/sdx75.h ++++ b/drivers/interconnect/qcom/sdx75.h +@@ -33,7 +33,6 @@ + #define SDX75_MASTER_QDSS_ETR 24 + #define SDX75_MASTER_QDSS_ETR_1 25 + #define SDX75_MASTER_QPIC 26 +-#define SDX75_MASTER_QPIC_CORE 27 + #define SDX75_MASTER_QUP_0 28 + #define SDX75_MASTER_QUP_CORE_0 29 + #define SDX75_MASTER_SDCC_1 30 +@@ -76,7 +75,6 @@ + #define SDX75_SLAVE_QDSS_CFG 67 + #define SDX75_SLAVE_QDSS_STM 68 + #define SDX75_SLAVE_QPIC 69 +-#define SDX75_SLAVE_QPIC_CORE 70 + #define SDX75_SLAVE_QUP_0 71 + #define SDX75_SLAVE_QUP_CORE_0 72 + #define SDX75_SLAVE_SDCC_1 73 diff --git a/queue-6.12/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch b/queue-6.12/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch new file mode 100644 index 0000000000..17f7a688ae --- /dev/null +++ b/queue-6.12/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch @@ -0,0 +1,115 @@ +From 527250cd9092461f1beac3e4180a4481bffa01b5 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 21 Nov 2025 11:04:50 +0100 +Subject: platform/x86: intel: chtwc_int33fe: don't dereference swnode args +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bartosz Golaszewski + +commit 527250cd9092461f1beac3e4180a4481bffa01b5 upstream. + +Members of struct software_node_ref_args should not be dereferenced +directly but set using the provided macros. Commit d7cdbbc93c56 +("software node: allow referencing firmware nodes") changed the name of +the software node member and caused a build failure. Remove all direct +dereferences of the ref struct as a fix. + +However, this driver also seems to abuse the software node interface by +waiting for a node with an arbitrary name "intel-xhci-usb-sw" to appear +in the system before setting up the reference for the I2C device, while +the actual software node already exists in the intel-xhci-usb-role-switch +module and should be used to set up a static reference. Add a FIXME for +a future improvement. + +Fixes: d7cdbbc93c56 ("software node: allow referencing firmware nodes") +Fixes: 53c24c2932e5 ("platform/x86: intel_cht_int33fe: use inline reference properties") +Cc: stable@vger.kernel.org +Reported-by: Stephen Rothwell +Closes: https://lore.kernel.org/all/20251121111534.7cdbfe5c@canb.auug.org.au/ +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Hans de Goede +Acked-by: Ilpo Järvinen +Signed-off-by: Philipp Zabel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel/chtwc_int33fe.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +--- a/drivers/platform/x86/intel/chtwc_int33fe.c ++++ b/drivers/platform/x86/intel/chtwc_int33fe.c +@@ -77,7 +77,7 @@ static const struct software_node max170 + * software node. + */ + static struct software_node_ref_args fusb302_mux_refs[] = { +- { .node = NULL }, ++ SOFTWARE_NODE_REFERENCE(NULL), + }; + + static const struct property_entry fusb302_properties[] = { +@@ -190,11 +190,6 @@ static void cht_int33fe_remove_nodes(str + { + software_node_unregister_node_group(node_group); + +- if (fusb302_mux_refs[0].node) { +- fwnode_handle_put(software_node_fwnode(fusb302_mux_refs[0].node)); +- fusb302_mux_refs[0].node = NULL; +- } +- + if (data->dp) { + data->dp->secondary = NULL; + fwnode_handle_put(data->dp); +@@ -202,7 +197,15 @@ static void cht_int33fe_remove_nodes(str + } + } + +-static int cht_int33fe_add_nodes(struct cht_int33fe_data *data) ++static void cht_int33fe_put_swnode(void *data) ++{ ++ struct fwnode_handle *fwnode = data; ++ ++ fwnode_handle_put(fwnode); ++ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(NULL); ++} ++ ++static int cht_int33fe_add_nodes(struct device *dev, struct cht_int33fe_data *data) + { + const struct software_node *mux_ref_node; + int ret; +@@ -212,17 +215,25 @@ static int cht_int33fe_add_nodes(struct + * until the mux driver has created software node for the mux device. + * It means we depend on the mux driver. This function will return + * -EPROBE_DEFER until the mux device is registered. ++ * ++ * FIXME: the relevant software node exists in intel-xhci-usb-role-switch ++ * and - if exported - could be used to set up a static reference. + */ + mux_ref_node = software_node_find_by_name(NULL, "intel-xhci-usb-sw"); + if (!mux_ref_node) + return -EPROBE_DEFER; + ++ ret = devm_add_action_or_reset(dev, cht_int33fe_put_swnode, ++ software_node_fwnode(mux_ref_node)); ++ if (ret) ++ return ret; ++ + /* + * Update node used in "usb-role-switch" property. Note that we + * rely on software_node_register_node_group() to use the original + * instance of properties instead of copying them. + */ +- fusb302_mux_refs[0].node = mux_ref_node; ++ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(mux_ref_node); + + ret = software_node_register_node_group(node_group); + if (ret) +@@ -345,7 +356,7 @@ static int cht_int33fe_typec_probe(struc + return fusb302_irq; + } + +- ret = cht_int33fe_add_nodes(data); ++ ret = cht_int33fe_add_nodes(dev, data); + if (ret) + return ret; + diff --git a/queue-6.12/rpmsg-glink-fix-rpmsg-device-leak.patch b/queue-6.12/rpmsg-glink-fix-rpmsg-device-leak.patch new file mode 100644 index 0000000000..0a5ef70ce7 --- /dev/null +++ b/queue-6.12/rpmsg-glink-fix-rpmsg-device-leak.patch @@ -0,0 +1,83 @@ +From a53e356df548f6b0e82529ef3cc6070f42622189 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 22 Aug 2025 11:00:42 +0100 +Subject: rpmsg: glink: fix rpmsg device leak + +From: Srinivas Kandagatla + +commit a53e356df548f6b0e82529ef3cc6070f42622189 upstream. + +While testing rpmsg-char interface it was noticed that duplicate sysfs +entries are getting created and below warning is noticed. + +Reason for this is that we are leaking rpmsg device pointer, setting it +null without actually unregistering device. +Any further attempts to unregister fail because rpdev is NULL, +resulting in a leak. + +Fix this by unregistering rpmsg device before removing its reference +from rpmsg channel. + +sysfs: cannot create duplicate filename '/devices/platform/soc@0/3700000.remot +eproc/remoteproc/remoteproc1/3700000.remoteproc:glink-edge/3700000.remoteproc: +glink-edge.adsp_apps.-1.-1' +[ 114.115347] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not + tainted 6.16.0-rc4 #7 PREEMPT +[ 114.115355] Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 (DT) +[ 114.115358] Workqueue: events qcom_glink_work +[ 114.115371] Call trace:8 +[ 114.115374] show_stack+0x18/0x24 (C) +[ 114.115382] dump_stack_lvl+0x60/0x80 +[ 114.115388] dump_stack+0x18/0x24 +[ 114.115393] sysfs_warn_dup+0x64/0x80 +[ 114.115402] sysfs_create_dir_ns+0xf4/0x120 +[ 114.115409] kobject_add_internal+0x98/0x260 +[ 114.115416] kobject_add+0x9c/0x108 +[ 114.115421] device_add+0xc4/0x7a0 +[ 114.115429] rpmsg_register_device+0x5c/0xb0 +[ 114.115434] qcom_glink_work+0x4bc/0x820 +[ 114.115438] process_one_work+0x148/0x284 +[ 114.115446] worker_thread+0x2c4/0x3e0 +[ 114.115452] kthread+0x12c/0x204 +[ 114.115457] ret_from_fork+0x10/0x20 +[ 114.115464] kobject: kobject_add_internal failed for 3700000.remoteproc: +glink-edge.adsp_apps.-1.-1 with -EEXIST, don't try to register things with +the same name in the same directory. +[ 114.250045] rpmsg 3700000.remoteproc:glink-edge.adsp_apps.-1.-1: +device_add failed: -17 + +Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250822100043.2604794-2-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rpmsg/qcom_glink_native.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -1399,6 +1399,7 @@ static void qcom_glink_destroy_ept(struc + { + struct glink_channel *channel = to_glink_channel(ept); + struct qcom_glink *glink = channel->glink; ++ struct rpmsg_channel_info chinfo; + unsigned long flags; + + spin_lock_irqsave(&channel->recv_lock, flags); +@@ -1406,6 +1407,13 @@ static void qcom_glink_destroy_ept(struc + spin_unlock_irqrestore(&channel->recv_lock, flags); + + /* Decouple the potential rpdev from the channel */ ++ if (channel->rpdev) { ++ strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name)); ++ chinfo.src = RPMSG_ADDR_ANY; ++ chinfo.dst = RPMSG_ADDR_ANY; ++ ++ rpmsg_unregister_device(glink->dev, &chinfo); ++ } + channel->rpdev = NULL; + + qcom_glink_send_close_req(glink, channel); diff --git a/queue-6.12/series b/queue-6.12/series index 8f36a3622a..45436707ec 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -262,3 +262,30 @@ sched-rt-fix-race-in-push_rt_task.patch kvm-arm64-initialize-hcr_el2.e2h-early.patch kvm-arm64-initialize-sctlr_el1-in-__kvm_hyp_init_cpu.patch arm64-revamp-hcr_el2.e2h-res1-detection.patch +dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch +crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch +crypto-caam-add-check-for-kcalloc-in-test_len.patch +amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch +virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch +tracing-fix-fixed-array-of-synthetic-event.patch +soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch +soc-qcom-pbs-fix-device-leak-on-lookup.patch +soc-qcom-ocmem-fix-device-leak-on-lookup.patch +soc-apple-mailbox-fix-device-leak-on-lookup.patch +soc-amlogic-canvas-fix-device-leak-on-lookup.patch +rpmsg-glink-fix-rpmsg-device-leak.patch +platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch +i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch +interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch +hwmon-max16065-use-local-variable-to-avoid-toctou.patch +hwmon-max6697-fix-regmap-leak-on-probe-failure.patch +hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch +hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch +arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch +x86-msi-make-irq_retrigger-functional-for-posted-msi.patch diff --git a/queue-6.12/soc-amlogic-canvas-fix-device-leak-on-lookup.patch b/queue-6.12/soc-amlogic-canvas-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..4acf84b240 --- /dev/null +++ b/queue-6.12/soc-amlogic-canvas-fix-device-leak-on-lookup.patch @@ -0,0 +1,46 @@ +From 32200f4828de9d7e6db379909898e718747f4e18 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:24:53 +0200 +Subject: soc: amlogic: canvas: fix device leak on lookup + +From: Johan Hovold + +commit 32200f4828de9d7e6db379909898e718747f4e18 upstream. + +Make sure to drop the reference taken to the canvas platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Also note that commit 28f851e6afa8 ("soc: amlogic: canvas: add missing +put_device() call in meson_canvas_get()") fixed the leak in a lookup +error path, but the reference is still leaking on success. + +Fixes: d4983983d987 ("soc: amlogic: add meson-canvas driver") +Cc: stable@vger.kernel.org # 4.20: 28f851e6afa8 +Cc: Yu Kuai +Signed-off-by: Johan Hovold +Reviewed-by: Martin Blumenstingl +Link: https://patch.msgid.link/20250926142454.5929-2-johan@kernel.org +Signed-off-by: Neil Armstrong +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/amlogic/meson-canvas.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/soc/amlogic/meson-canvas.c ++++ b/drivers/soc/amlogic/meson-canvas.c +@@ -73,10 +73,9 @@ struct meson_canvas *meson_canvas_get(st + * current state, this driver probe cannot return -EPROBE_DEFER + */ + canvas = dev_get_drvdata(&canvas_pdev->dev); +- if (!canvas) { +- put_device(&canvas_pdev->dev); ++ put_device(&canvas_pdev->dev); ++ if (!canvas) + return ERR_PTR(-EINVAL); +- } + + return canvas; + } diff --git a/queue-6.12/soc-apple-mailbox-fix-device-leak-on-lookup.patch b/queue-6.12/soc-apple-mailbox-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..0b50ddec01 --- /dev/null +++ b/queue-6.12/soc-apple-mailbox-fix-device-leak-on-lookup.patch @@ -0,0 +1,50 @@ +From f401671e90ccc26b3022f177c4156a429c024f6c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:31:31 +0200 +Subject: soc: apple: mailbox: fix device leak on lookup + +From: Johan Hovold + +commit f401671e90ccc26b3022f177c4156a429c024f6c upstream. + +Make sure to drop the reference taken to the mbox platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Fixes: 6e1457fcad3f ("soc: apple: mailbox: Add ASC/M3 mailbox driver") +Cc: stable@vger.kernel.org # 6.8 +Signed-off-by: Johan Hovold +Reviewed-by: Neal Gompa +Signed-off-by: Sven Peter +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/apple/mailbox.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/soc/apple/mailbox.c ++++ b/drivers/soc/apple/mailbox.c +@@ -299,11 +299,18 @@ struct apple_mbox *apple_mbox_get(struct + return ERR_PTR(-EPROBE_DEFER); + + mbox = platform_get_drvdata(pdev); +- if (!mbox) +- return ERR_PTR(-EPROBE_DEFER); ++ if (!mbox) { ++ mbox = ERR_PTR(-EPROBE_DEFER); ++ goto out_put_pdev; ++ } ++ ++ if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) { ++ mbox = ERR_PTR(-ENODEV); ++ goto out_put_pdev; ++ } + +- if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) +- return ERR_PTR(-ENODEV); ++out_put_pdev: ++ put_device(&pdev->dev); + + return mbox; + } diff --git a/queue-6.12/soc-qcom-ocmem-fix-device-leak-on-lookup.patch b/queue-6.12/soc-qcom-ocmem-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..b698a8795d --- /dev/null +++ b/queue-6.12/soc-qcom-ocmem-fix-device-leak-on-lookup.patch @@ -0,0 +1,45 @@ +From b5c16ea57b030b8e9428ec726e26219dfe05c3d9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:35:10 +0200 +Subject: soc: qcom: ocmem: fix device leak on lookup + +From: Johan Hovold + +commit b5c16ea57b030b8e9428ec726e26219dfe05c3d9 upstream. + +Make sure to drop the reference taken to the ocmem platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Also note that commit 0ff027027e05 ("soc: qcom: ocmem: Fix missing +put_device() call in of_get_ocmem") fixed the leak in a lookup error +path, but the reference is still leaking on success. + +Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver") +Cc: stable@vger.kernel.org # 5.5: 0ff027027e05 +Cc: Brian Masney +Cc: Miaoqian Lin +Signed-off-by: Johan Hovold +Reviewed-by: Brian Masney +Link: https://lore.kernel.org/r/20250926143511.6715-2-johan@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/ocmem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/ocmem.c ++++ b/drivers/soc/qcom/ocmem.c +@@ -202,9 +202,9 @@ struct ocmem *of_get_ocmem(struct device + } + + ocmem = platform_get_drvdata(pdev); ++ put_device(&pdev->dev); + if (!ocmem) { + dev_err(dev, "Cannot get ocmem\n"); +- put_device(&pdev->dev); + return ERR_PTR(-ENODEV); + } + return ocmem; diff --git a/queue-6.12/soc-qcom-pbs-fix-device-leak-on-lookup.patch b/queue-6.12/soc-qcom-pbs-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..82f039e9bc --- /dev/null +++ b/queue-6.12/soc-qcom-pbs-fix-device-leak-on-lookup.patch @@ -0,0 +1,37 @@ +From 94124bf253d24b13e89c45618a168d5a1d8a61e7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:35:11 +0200 +Subject: soc: qcom: pbs: fix device leak on lookup + +From: Johan Hovold + +commit 94124bf253d24b13e89c45618a168d5a1d8a61e7 upstream. + +Make sure to drop the reference taken to the pbs platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Fixes: 5b2dd77be1d8 ("soc: qcom: add QCOM PBS driver") +Cc: stable@vger.kernel.org # 6.9 +Cc: Anjelique Melendez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250926143511.6715-3-johan@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/qcom-pbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/soc/qcom/qcom-pbs.c ++++ b/drivers/soc/qcom/qcom-pbs.c +@@ -179,6 +179,8 @@ struct pbs_dev *get_pbs_client_device(st + return ERR_PTR(-EINVAL); + } + ++ platform_device_put(pdev); ++ + return pbs; + } + EXPORT_SYMBOL_GPL(get_pbs_client_device); diff --git a/queue-6.12/soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch b/queue-6.12/soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch new file mode 100644 index 0000000000..6f258d356e --- /dev/null +++ b/queue-6.12/soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch @@ -0,0 +1,37 @@ +From 990eb9a8eb4540ab90c7b34bb07b87ff13881cad Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 21 Nov 2025 13:18:52 +0100 +Subject: soc: samsung: exynos-pmu: fix device leak on regmap lookup + +From: Johan Hovold + +commit 990eb9a8eb4540ab90c7b34bb07b87ff13881cad upstream. + +Make sure to drop the reference taken when looking up the PMU device and +its regmap. + +Note that holding a reference to a device does not prevent its regmap +from going away so there is no point in keeping the reference. + +Fixes: 0b7c6075022c ("soc: samsung: exynos-pmu: Add regmap support for SoCs that protect PMU regs") +Cc: stable@vger.kernel.org # 6.9 +Cc: Peter Griffin +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251121121852.16825-1-johan@kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/samsung/exynos-pmu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/soc/samsung/exynos-pmu.c ++++ b/drivers/soc/samsung/exynos-pmu.c +@@ -322,6 +322,8 @@ struct regmap *exynos_get_pmu_regmap_by_ + if (!dev) + return ERR_PTR(-EPROBE_DEFER); + ++ put_device(dev); ++ + return syscon_node_to_regmap(pmu_np); + } + EXPORT_SYMBOL_GPL(exynos_get_pmu_regmap_by_phandle); diff --git a/queue-6.12/tracing-fix-fixed-array-of-synthetic-event.patch b/queue-6.12/tracing-fix-fixed-array-of-synthetic-event.patch new file mode 100644 index 0000000000..ec0989ff6d --- /dev/null +++ b/queue-6.12/tracing-fix-fixed-array-of-synthetic-event.patch @@ -0,0 +1,58 @@ +From 47ef834209e5981f443240d8a8b45bf680df22aa Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 4 Dec 2025 15:19:35 -0500 +Subject: tracing: Fix fixed array of synthetic event + +From: Steven Rostedt + +commit 47ef834209e5981f443240d8a8b45bf680df22aa upstream. + +The commit 4d38328eb442d ("tracing: Fix synth event printk format for str +fields") replaced "%.*s" with "%s" but missed removing the number size of +the dynamic and static strings. The commit e1a453a57bc7 ("tracing: Do not +add length to print format in synthetic events") fixed the dynamic part +but did not fix the static part. That is, with the commands: + + # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events + # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger + # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger + +That caused the output of: + + -0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155 + sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58 + -0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91 + +The commit e1a453a57bc7 fixed the part where the synthetic event had +"char[] wakee". But if one were to replace that with a static size string: + + # echo 's:wake_lat char[16] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events + +Where "wakee" is defined as "char[16]" and not "char[]" making it a static +size, the code triggered the "(efaul)" again. + +Remove the added STR_VAR_LEN_MAX size as the string is still going to be +nul terminated. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Douglas Raillard +Link: https://patch.msgid.link/20251204151935.5fa30355@gandalf.local.home +Fixes: e1a453a57bc7 ("tracing: Do not add length to print format in synthetic events") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_synth.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -382,7 +382,6 @@ static enum print_line_t print_synth_eve + n_u64++; + } else { + trace_seq_printf(s, print_fmt, se->fields[i]->name, +- STR_VAR_LEN_MAX, + (char *)&entry->fields[n_u64].as_u64, + i == se->n_fields - 1 ? "" : " "); + n_u64 += STR_VAR_LEN_MAX / sizeof(u64); diff --git a/queue-6.12/virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch b/queue-6.12/virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch new file mode 100644 index 0000000000..5d422bda0e --- /dev/null +++ b/queue-6.12/virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch @@ -0,0 +1,39 @@ +From b41ca62c0019de1321d75f2b2f274a28784a41ed Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 14:07:35 +0800 +Subject: virtio: vdpa: Fix reference count leak in octep_sriov_enable() + +From: Miaoqian Lin + +commit b41ca62c0019de1321d75f2b2f274a28784a41ed upstream. + +pci_get_device() will increase the reference count for the returned +pci_dev, and also decrease the reference count for the input parameter +from if it is not NULL. + +If we break the loop in with 'vf_pdev' not NULL. We +need to call pci_dev_put() to decrease the reference count. + +Found via static anlaysis and this is similar to commit c508eb042d97 +("perf/x86/intel/uncore: Fix reference count leak in sad_cfg_iio_topology()") + +Fixes: 8b6c724cdab8 ("virtio: vdpa: vDPA driver for Marvell OCTEON DPU devices") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Michael S. Tsirkin +Message-Id: <20251027060737.33815-1-linmq006@gmail.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vdpa/octeon_ep/octep_vdpa_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/vdpa/octeon_ep/octep_vdpa_main.c ++++ b/drivers/vdpa/octeon_ep/octep_vdpa_main.c +@@ -692,6 +692,7 @@ static int octep_sriov_enable(struct pci + octep_vdpa_assign_barspace(vf_pdev, pdev, index); + if (++index == num_vfs) { + done = true; ++ pci_dev_put(vf_pdev); + break; + } + } diff --git a/queue-6.12/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch b/queue-6.12/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch new file mode 100644 index 0000000000..4bf8a0b196 --- /dev/null +++ b/queue-6.12/x86-msi-make-irq_retrigger-functional-for-posted-msi.patch @@ -0,0 +1,160 @@ +From stable+bounces-203327-greg=kroah.com@vger.kernel.org Tue Dec 23 19:20:09 2025 +From: Sasha Levin +Date: Tue, 23 Dec 2025 13:19:53 -0500 +Subject: x86/msi: Make irq_retrigger() functional for posted MSI +To: stable@vger.kernel.org +Cc: Thomas Gleixner , Luigi Rizzo , Sasha Levin +Message-ID: <20251223181953.2946236-1-sashal@kernel.org> + +From: Thomas Gleixner + +[ Upstream commit 0edc78b82bea85e1b2165d8e870a5c3535919695 ] + +Luigi reported that retriggering a posted MSI interrupt does not work +correctly. + +The reason is that the retrigger happens at the vector domain by sending an +IPI to the actual vector on the target CPU. That works correctly exactly +once because the posted MSI interrupt chip does not issue an EOI as that's +only required for the posted MSI notification vector itself. + +As a consequence the vector becomes stale in the ISR, which not only +affects this vector but also any lower priority vector in the affected +APIC because the ISR bit is not cleared. + +Luigi proposed to set the vector in the remap PIR bitmap and raise the +posted MSI notification vector. That works, but that still does not cure a +related problem: + + If there is ever a stray interrupt on such a vector, then the related + APIC ISR bit becomes stale due to the lack of EOI as described above. + Unlikely to happen, but if it happens it's not debuggable at all. + +So instead of playing games with the PIR, this can be actually solved +for both cases by: + + 1) Keeping track of the posted interrupt vector handler state + + 2) Implementing a posted MSI specific irq_ack() callback which checks that + state. If the posted vector handler is inactive it issues an EOI, + otherwise it delegates that to the posted handler. + +This is correct versus affinity changes and concurrent events on the posted +vector as the actual handler invocation is serialized through the interrupt +descriptor lock. + +Fixes: ed1e48ea4370 ("iommu/vt-d: Enable posted mode for device MSIs") +Reported-by: Luigi Rizzo +Signed-off-by: Thomas Gleixner +Tested-by: Luigi Rizzo +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251125214631.044440658@linutronix.de +Closes: https://lore.kernel.org/lkml/20251124104836.3685533-1-lrizzo@google.com +[ DEFINE_PER_CPU_CACHE_HOT => DEFINE_PER_CPU ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/irq_remapping.h | 7 +++++++ + arch/x86/kernel/irq.c | 23 +++++++++++++++++++++++ + drivers/iommu/intel/irq_remapping.c | 8 ++++---- + 3 files changed, 34 insertions(+), 4 deletions(-) + +--- a/arch/x86/include/asm/irq_remapping.h ++++ b/arch/x86/include/asm/irq_remapping.h +@@ -72,4 +72,11 @@ static inline void panic_if_irq_remap(co + } + + #endif /* CONFIG_IRQ_REMAP */ ++ ++#ifdef CONFIG_X86_POSTED_MSI ++void intel_ack_posted_msi_irq(struct irq_data *irqd); ++#else ++#define intel_ack_posted_msi_irq NULL ++#endif ++ + #endif /* __X86_IRQ_REMAPPING_H */ +--- a/arch/x86/kernel/irq.c ++++ b/arch/x86/kernel/irq.c +@@ -391,6 +391,7 @@ DEFINE_IDTENTRY_SYSVEC_SIMPLE(sysvec_kvm + + /* Posted Interrupt Descriptors for coalesced MSIs to be posted */ + DEFINE_PER_CPU_ALIGNED(struct pi_desc, posted_msi_pi_desc); ++static DEFINE_PER_CPU(bool, posted_msi_handler_active); + + void intel_posted_msi_init(void) + { +@@ -408,6 +409,25 @@ void intel_posted_msi_init(void) + this_cpu_write(posted_msi_pi_desc.ndst, destination); + } + ++void intel_ack_posted_msi_irq(struct irq_data *irqd) ++{ ++ irq_move_irq(irqd); ++ ++ /* ++ * Handle the rare case that irq_retrigger() raised the actual ++ * assigned vector on the target CPU, which means that it was not ++ * invoked via the posted MSI handler below. In that case APIC EOI ++ * is required as otherwise the ISR entry becomes stale and lower ++ * priority interrupts are never going to be delivered after that. ++ * ++ * If the posted handler invoked the device interrupt handler then ++ * the EOI would be premature because it would acknowledge the ++ * posted vector. ++ */ ++ if (unlikely(!__this_cpu_read(posted_msi_handler_active))) ++ apic_eoi(); ++} ++ + /* + * De-multiplexing posted interrupts is on the performance path, the code + * below is written to optimize the cache performance based on the following +@@ -483,6 +503,8 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_posted_msi + + pid = this_cpu_ptr(&posted_msi_pi_desc); + ++ /* Mark the handler active for intel_ack_posted_msi_irq() */ ++ __this_cpu_write(posted_msi_handler_active, true); + inc_irq_stat(posted_msi_notification_count); + irq_enter(); + +@@ -511,6 +533,7 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_posted_msi + + apic_eoi(); + irq_exit(); ++ __this_cpu_write(posted_msi_handler_active, false); + set_irq_regs(old_regs); + } + #endif /* X86_POSTED_MSI */ +--- a/drivers/iommu/intel/irq_remapping.c ++++ b/drivers/iommu/intel/irq_remapping.c +@@ -1309,17 +1309,17 @@ static struct irq_chip intel_ir_chip = { + * irq_enter(); + * handle_edge_irq() + * irq_chip_ack_parent() +- * irq_move_irq(); // No EOI ++ * intel_ack_posted_msi_irq(); // No EOI + * handle_irq_event() + * driver_handler() + * handle_edge_irq() + * irq_chip_ack_parent() +- * irq_move_irq(); // No EOI ++ * intel_ack_posted_msi_irq(); // No EOI + * handle_irq_event() + * driver_handler() + * handle_edge_irq() + * irq_chip_ack_parent() +- * irq_move_irq(); // No EOI ++ * intel_ack_posted_msi_irq(); // No EOI + * handle_irq_event() + * driver_handler() + * apic_eoi() +@@ -1328,7 +1328,7 @@ static struct irq_chip intel_ir_chip = { + */ + static struct irq_chip intel_ir_chip_post_msi = { + .name = "INTEL-IR-POST", +- .irq_ack = irq_move_irq, ++ .irq_ack = intel_ack_posted_msi_irq, + .irq_set_affinity = intel_ir_set_affinity, + .irq_compose_msi_msg = intel_ir_compose_msi_msg, + .irq_set_vcpu_affinity = intel_ir_set_vcpu_affinity,