From: Greg Kroah-Hartman Date: Wed, 4 Feb 2026 14:12:34 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.10.249~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b7e74f3d999543d795865e838e97d740f95c99b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch comedi-fix-getting-range-information-for-subdevices-16-to-255.patch drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch drm-imx-imx-tve-move-initialization-into-probe.patch drm-imx-imx-tve-use-local-encoder-and-connector-variables.patch drm-imx-tve-fix-probe-device-leak.patch hid-uclogic-add-null-check-in-uclogic_input_configured.patch hid-uclogic-correct-devm-device-reference-for-hidinput-input_dev-name.patch ipv6-sr-fix-mac-comparison-to-be-constant-time.patch netfilter-nf_tables-typo-null-check-in-_clone-function.patch of-platform-use-default-match-table-for-firmware.patch pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch revert-selftests-replace-sleep-with-slowwait.patch writeback-fix-100-cpu-usage-when-dirtytime_expire_interval-is-0.patch --- diff --git a/queue-5.10/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-5.10/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..b6fb52d3e1 --- /dev/null +++ b/queue-5.10/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch 
@@ -0,0 +1,59 @@ +From 5a4391bdc6c8357242f62f22069c865b792406b3 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 5a4391bdc6c8357242f62f22069c865b792406b3 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In esd_usb_open(), the URBs for USB-in transfers are allocated, added to +the dev->rx_submitted anchor and submitted. In the complete callback +esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In +esd_usb_close() the URBs are freed by calling +usb_kill_anchored_urbs(&dev->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in esd_usb_close(). + +Fix the memory leak by anchoring the URB in the +esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. 
+ +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-2-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/esd_usb2.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/esd_usb2.c ++++ b/drivers/net/can/usb/esd_usb2.c +@@ -441,13 +441,20 @@ resubmit_urb: + urb->transfer_buffer, RX_BUFFER_SIZE, + esd_usb2_read_bulk_callback, dev); + ++ usb_anchor_urb(urb, &dev->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); ++ + if (retval == -ENODEV) { + for (i = 0; i < dev->net_count; i++) { + if (dev->nets[i]) + netif_device_detach(dev->nets[i]->netdev); + } +- } else if (retval) { ++ } else { + dev_err(dev->udev->dev.parent, + "failed resubmitting read bulk urb: %d\n", retval); + } diff --git a/queue-5.10/comedi-fix-getting-range-information-for-subdevices-16-to-255.patch b/queue-5.10/comedi-fix-getting-range-information-for-subdevices-16-to-255.patch new file mode 100644 index 0000000000..cac5e9337f --- /dev/null +++ b/queue-5.10/comedi-fix-getting-range-information-for-subdevices-16-to-255.patch 
@@ -0,0 +1,100 @@ +From 10d28cffb3f6ec7ad67f0a4cd32c2afa92909452 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Wed, 3 Dec 2025 16:24:38 +0000 +Subject: comedi: Fix getting range information for subdevices 16 to 255 + +From: Ian Abbott + +commit 10d28cffb3f6ec7ad67f0a4cd32c2afa92909452 upstream. + +The `COMEDI_RANGEINFO` ioctl does not work properly for subdevice +indices above 15. Currently, the only in-tree COMEDI drivers that +support more than 16 subdevices are the "8255" driver and the +"comedi_bond" driver. Making the ioctl work for subdevice indices up to +255 is achievable. It needs minor changes to the handling of the +`COMEDI_RANGEINFO` and `COMEDI_CHANINFO` ioctls that should be mostly +harmless to user-space, apart from making them less broken. Details +follow... + +The `COMEDI_RANGEINFO` ioctl command gets the list of supported ranges +(usually with units of volts or milliamps) for a COMEDI subdevice or +channel. (Only some subdevices have per-channel range tables, indicated +by the `SDF_RANGETYPE` flag in the subdevice information.) It uses a +`range_type` value and a user-space pointer, both supplied by +user-space, but the `range_type` value should match what was obtained +using the `COMEDI_CHANINFO` ioctl (if the subdevice has per-channel +range tables) or `COMEDI_SUBDINFO` ioctl (if the subdevice uses a +single range table for all channels). Bits 15 to 0 of the `range_type` +value contain the length of the range table, which is the only part that +user-space should care about (so it can use a suitably sized buffer to +fetch the range table). Bits 23 to 16 store the channel index, which is +assumed to be no more than 255 if the subdevice has per-channel range +tables, and is set to 0 if the subdevice has a single range table. For +`range_type` values produced by the `COMEDI_SUBDINFO` ioctl, bits 31 to +24 contain the subdevice index, which is assumed to be no more than 255. 
+But for `range_type` values produced by the `COMEDI_CHANINFO` ioctl, +bits 27 to 24 contain the subdevice index, which is assumed to be no +more than 15, and bits 31 to 28 contain the COMEDI device's minor device +number for some unknown reason lost in the mists of time. The +`COMEDI_RANGEINFO` ioctl extract the length from bits 15 to 0 of the +user-supplied `range_type` value, extracts the channel index from bits +23 to 16 (only used if the subdevice has per-channel range tables), +extracts the subdevice index from bits 27 to 24, and ignores bits 31 to +28. So for subdevice indices 16 to 255, the `COMEDI_SUBDINFO` or +`COMEDI_CHANINFO` ioctl will report a `range_type` value that doesn't +work with the `COMEDI_RANGEINFO` ioctl. It will either get the range +table for the subdevice index modulo 16, or will fail with `-EINVAL`. + +To fix this, always use bits 31 to 24 of the `range_type` value to hold +the subdevice index (assumed to be no more than 255). This affects the +`COMEDI_CHANINFO` and `COMEDI_RANGEINFO` ioctls. There should not be +anything in user-space that depends on the old, broken usage, although +it may now see different values in bits 31 to 28 of the `range_type` +values reported by the `COMEDI_CHANINFO` ioctl for subdevices that have +per-channel subdevices. User-space should not be trying to decode bits +31 to 16 of the `range_type` values anyway. 
+ +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Cc: stable@vger.kernel.org #5.17+ +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20251203162438.176841-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/comedi.h | 2 +- + drivers/staging/comedi/comedi_fops.c | 2 +- + drivers/staging/comedi/range.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/staging/comedi/comedi.h ++++ b/drivers/staging/comedi/comedi.h +@@ -640,7 +640,7 @@ struct comedi_chaninfo { + + /** + * struct comedi_rangeinfo - used to retrieve the range table for a channel +- * @range_type: Encodes subdevice index (bits 27:24), channel index ++ * @range_type: Encodes subdevice index (bits 31:24), channel index + * (bits 23:16) and range table length (bits 15:0). + * @range_ptr: Pointer to array of @struct comedi_krange to be filled + * in with the range table for the channel or subdevice. +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -1095,7 +1095,7 @@ static int do_chaninfo_ioctl(struct come + for (i = 0; i < s->n_chan; i++) { + int x; + +- x = (dev->minor << 28) | (it->subdev << 24) | (i << 16) | ++ x = (it->subdev << 24) | (i << 16) | + (s->range_table_list[i]->length); + if (put_user(x, it->rangelist + i)) + return -EFAULT; +--- a/drivers/staging/comedi/range.c ++++ b/drivers/staging/comedi/range.c +@@ -52,7 +52,7 @@ int do_rangeinfo_ioctl(struct comedi_dev + const struct comedi_lrange *lr; + struct comedi_subdevice *s; + +- subd = (it->range_type >> 24) & 0xf; ++ subd = (it->range_type >> 24) & 0xff; + chan = (it->range_type >> 16) & 0xff; + + if (!dev->attached) diff --git a/queue-5.10/drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch b/queue-5.10/drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch new file mode 100644 index 0000000000..a2a62783f1 --- /dev/null +++ b/queue-5.10/drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch 
@@ -0,0 +1,67 @@ +From 80614c509810fc051312d1a7ccac8d0012d6b8d0 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 8 Jan 2026 15:18:22 +0800 +Subject: drm/amdkfd: fix a memory leak in device_queue_manager_init() + +From: Haoxiang Li + +commit 80614c509810fc051312d1a7ccac8d0012d6b8d0 upstream. + +If dqm->ops.initialize() fails, add deallocate_hiq_sdma_mqd() +to release the memory allocated by allocate_hiq_sdma_mqd(). +Move deallocate_hiq_sdma_mqd() up to ensure proper function +visibility at the point of use. + +Fixes: 11614c36bc8f ("drm/amdkfd: Allocate MQD trunk for HIQ and SDMA") +Signed-off-by: Haoxiang Li +Signed-off-by: Felix Kuehling +Reviewed-by: Oak Zeng +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +(cherry picked from commit b7cccc8286bb9919a0952c812872da1dcfe9d390) +Cc: stable@vger.kernel.org +Signed-off-by: Felix Kuehling +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1832,6 +1832,14 @@ static int allocate_hiq_sdma_mqd(struct + return retval; + } + ++static void deallocate_hiq_sdma_mqd(struct kfd_dev *dev, ++ struct kfd_mem_obj *mqd) ++{ ++ WARN(!mqd, "No hiq sdma mqd trunk to free"); ++ ++ amdgpu_amdkfd_free_gtt_mem(dev->kgd, mqd->gtt_mem); ++} ++ + struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev) + { + struct device_queue_manager *dqm; +@@ -1961,19 +1969,13 @@ struct device_queue_manager *device_queu + if (!dqm->ops.initialize(dqm)) + return dqm; + ++ deallocate_hiq_sdma_mqd(dev, &dqm->hiq_sdma_mqd); ++ + out_free: + kfree(dqm); + return NULL; + } + +-static void deallocate_hiq_sdma_mqd(struct kfd_dev *dev, +- struct kfd_mem_obj *mqd) +-{ +- WARN(!mqd, "No hiq sdma mqd trunk to free"); +- +- amdgpu_amdkfd_free_gtt_mem(dev->kgd, mqd->gtt_mem); +-} +- + void 
device_queue_manager_uninit(struct device_queue_manager *dqm) + { + dqm->ops.uninitialize(dqm); diff --git a/queue-5.10/drm-imx-imx-tve-move-initialization-into-probe.patch b/queue-5.10/drm-imx-imx-tve-move-initialization-into-probe.patch new file mode 100644 index 0000000000..576ee1d7d9 --- /dev/null +++ b/queue-5.10/drm-imx-imx-tve-move-initialization-into-probe.patch 
@@ -0,0 +1,100 @@ +From stable+bounces-213328-greg=kroah.com@vger.kernel.org Wed Feb 4 01:39:42 2026 +From: Sasha Levin +Date: Tue, 3 Feb 2026 19:39:32 -0500 +Subject: drm/imx: imx-tve: move initialization into probe +To: stable@vger.kernel.org +Cc: Philipp Zabel , Daniel Vetter , Sasha Levin +Message-ID: <20260204003933.1467160-2-sashal@kernel.org> + +From: Philipp Zabel + +[ Upstream commit a91cfaf6e6503150ed1ef08454f2c03e1f95a4ec ] + +Parts of the initialization that do not require the drm device can be +done once during probe instead of possibly multiple times during bind. +The bind function only creates the encoder. + +Signed-off-by: Philipp Zabel +Acked-by: Daniel Vetter +Stable-dep-of: e535c23513c6 ("drm/imx/tve: fix probe device leak") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/imx/imx-tve.c | 42 +++++++++++++++++++----------------------- + 1 file changed, 19 insertions(+), 23 deletions(-) + +--- a/drivers/gpu/drm/imx/imx-tve.c ++++ b/drivers/gpu/drm/imx/imx-tve.c +@@ -439,6 +439,9 @@ static int imx_tve_register(struct drm_d + encoder_type = tve->mode == TVE_MODE_VGA ? 
+ DRM_MODE_ENCODER_DAC : DRM_MODE_ENCODER_TVDAC; + ++ memset(connector, 0, sizeof(*connector)); ++ memset(encoder, 0, sizeof(*encoder)); ++ + ret = imx_drm_encoder_parse_of(drm, encoder, tve->dev->of_node); + if (ret) + return ret; +@@ -504,8 +507,19 @@ static int of_get_tve_mode(struct device + + static int imx_tve_bind(struct device *dev, struct device *master, void *data) + { +- struct platform_device *pdev = to_platform_device(dev); + struct drm_device *drm = data; ++ struct imx_tve *tve = dev_get_drvdata(dev); ++ ++ return imx_tve_register(drm, tve); ++} ++ ++static const struct component_ops imx_tve_ops = { ++ .bind = imx_tve_bind, ++}; ++ ++static int imx_tve_probe(struct platform_device *pdev) ++{ ++ struct device *dev = &pdev->dev; + struct device_node *np = dev->of_node; + struct device_node *ddc_node; + struct imx_tve *tve; +@@ -515,8 +529,9 @@ static int imx_tve_bind(struct device *d + int irq; + int ret; + +- tve = dev_get_drvdata(dev); +- memset(tve, 0, sizeof(*tve)); ++ tve = devm_kzalloc(dev, sizeof(*tve), GFP_KERNEL); ++ if (!tve) ++ return -ENOMEM; + + tve->dev = dev; + +@@ -623,28 +638,9 @@ static int imx_tve_bind(struct device *d + if (ret) + return ret; + +- ret = imx_tve_register(drm, tve); +- if (ret) +- return ret; +- +- return 0; +-} +- +-static const struct component_ops imx_tve_ops = { +- .bind = imx_tve_bind, +-}; +- +-static int imx_tve_probe(struct platform_device *pdev) +-{ +- struct imx_tve *tve; +- +- tve = devm_kzalloc(&pdev->dev, sizeof(*tve), GFP_KERNEL); +- if (!tve) +- return -ENOMEM; +- + platform_set_drvdata(pdev, tve); + +- return component_add(&pdev->dev, &imx_tve_ops); ++ return component_add(dev, &imx_tve_ops); + } + + static int imx_tve_remove(struct platform_device *pdev) diff --git a/queue-5.10/drm-imx-imx-tve-use-local-encoder-and-connector-variables.patch b/queue-5.10/drm-imx-imx-tve-use-local-encoder-and-connector-variables.patch new file mode 100644 index 0000000000..a769ce8ac3 --- /dev/null 
+++ b/queue-5.10/drm-imx-imx-tve-use-local-encoder-and-connector-variables.patch 
@@ -0,0 +1,62 @@ +From stable+bounces-213327-greg=kroah.com@vger.kernel.org Wed Feb 4 01:39:40 2026 +From: Sasha Levin +Date: Tue, 3 Feb 2026 19:39:31 -0500 +Subject: drm/imx: imx-tve: use local encoder and connector variables +To: stable@vger.kernel.org +Cc: Philipp Zabel , Daniel Vetter , Sasha Levin +Message-ID: <20260204003933.1467160-1-sashal@kernel.org> + +From: Philipp Zabel + +[ Upstream commit 396852df02b9ff49fe256ba459605fc680fe8d89 ] + +Introduce local variables for encoder and connector. +This simplifies the following commits. + +Signed-off-by: Philipp Zabel +Acked-by: Daniel Vetter +Stable-dep-of: e535c23513c6 ("drm/imx/tve: fix probe device leak") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/imx/imx-tve.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/imx/imx-tve.c ++++ b/drivers/gpu/drm/imx/imx-tve.c +@@ -431,27 +431,28 @@ static int tve_clk_init(struct imx_tve * + + static int imx_tve_register(struct drm_device *drm, struct imx_tve *tve) + { ++ struct drm_encoder *encoder = &tve->encoder; ++ struct drm_connector *connector = &tve->connector; + int encoder_type; + int ret; + + encoder_type = tve->mode == TVE_MODE_VGA ? 
+ DRM_MODE_ENCODER_DAC : DRM_MODE_ENCODER_TVDAC; + +- ret = imx_drm_encoder_parse_of(drm, &tve->encoder, tve->dev->of_node); ++ ret = imx_drm_encoder_parse_of(drm, encoder, tve->dev->of_node); + if (ret) + return ret; + +- drm_encoder_helper_add(&tve->encoder, &imx_tve_encoder_helper_funcs); +- drm_simple_encoder_init(drm, &tve->encoder, encoder_type); ++ drm_encoder_helper_add(encoder, &imx_tve_encoder_helper_funcs); ++ drm_simple_encoder_init(drm, encoder, encoder_type); + +- drm_connector_helper_add(&tve->connector, +- &imx_tve_connector_helper_funcs); +- drm_connector_init_with_ddc(drm, &tve->connector, ++ drm_connector_helper_add(connector, &imx_tve_connector_helper_funcs); ++ drm_connector_init_with_ddc(drm, connector, + &imx_tve_connector_funcs, + DRM_MODE_CONNECTOR_VGA, + tve->ddc); + +- drm_connector_attach_encoder(&tve->connector, &tve->encoder); ++ drm_connector_attach_encoder(connector, encoder); + + return 0; + } diff --git a/queue-5.10/drm-imx-tve-fix-probe-device-leak.patch b/queue-5.10/drm-imx-tve-fix-probe-device-leak.patch new file mode 100644 index 0000000000..4600500f11 --- /dev/null +++ b/queue-5.10/drm-imx-tve-fix-probe-device-leak.patch 
@@ -0,0 +1,57 @@ +From stable+bounces-213329-greg=kroah.com@vger.kernel.org Wed Feb 4 01:39:43 2026 +From: Sasha Levin +Date: Tue, 3 Feb 2026 19:39:33 -0500 +Subject: drm/imx/tve: fix probe device leak +To: stable@vger.kernel.org +Cc: Johan Hovold , Philipp Zabel , Frank Li , Maxime Ripard , Sasha Levin +Message-ID: <20260204003933.1467160-3-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit e535c23513c63f02f67e3e09e0787907029efeaf ] + +Make sure to drop the reference taken to the DDC device during probe on +probe failure (e.g. probe deferral) and on driver unbind. + +Fixes: fcbc51e54d2a ("staging: drm/imx: Add support for Television Encoder (TVEv2)") +Cc: stable@vger.kernel.org # 3.10 +Cc: Philipp Zabel +Reviewed-by: Frank Li +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251030163456.15807-1-johan@kernel.org +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/imx/imx-tve.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/gpu/drm/imx/imx-tve.c ++++ b/drivers/gpu/drm/imx/imx-tve.c +@@ -517,6 +517,13 @@ static const struct component_ops imx_tv + .bind = imx_tve_bind, + }; + ++static void imx_tve_put_device(void *_dev) ++{ ++ struct device *dev = _dev; ++ ++ put_device(dev); ++} ++ + static int imx_tve_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +@@ -539,6 +546,12 @@ static int imx_tve_probe(struct platform + if (ddc_node) { + tve->ddc = of_find_i2c_adapter_by_node(ddc_node); + of_node_put(ddc_node); ++ if (tve->ddc) { ++ ret = devm_add_action_or_reset(dev, imx_tve_put_device, ++ &tve->ddc->dev); ++ if (ret) ++ return ret; ++ } + } + + tve->mode = of_get_tve_mode(np); diff --git a/queue-5.10/hid-uclogic-add-null-check-in-uclogic_input_configured.patch b/queue-5.10/hid-uclogic-add-null-check-in-uclogic_input_configured.patch new file mode 100644 index 0000000000..51934867f3 --- /dev/null 
+++ b/queue-5.10/hid-uclogic-add-null-check-in-uclogic_input_configured.patch @@ -0,0 +1,44 @@ +From stable+bounces-213150-greg=kroah.com@vger.kernel.org Tue Feb 3 03:30:04 2026 +From: jetlan9@163.com +Date: Tue, 3 Feb 2026 02:29:25 +0000 +Subject: HID: uclogic: Add NULL check in uclogic_input_configured() +To: stable@vger.kernel.org +Cc: Henry Martin , Jiri Kosina , Wenshan Lan +Message-ID: <20260203022925.4133-2-jetlan9@163.com> + +From: Henry Martin + +[ Upstream commit bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +uclogic_input_configured() does not check for this case, which results +in a NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: dd613a4e45f8 ("HID: uclogic: Correct devm device reference for hidinput input_dev name") +Signed-off-by: Henry Martin +Signed-off-by: Jiri Kosina +[ Adjust context ] +Signed-off-by: Wenshan Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-uclogic-core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-uclogic-core.c ++++ b/drivers/hid/hid-uclogic-core.c +@@ -143,9 +143,12 @@ static int uclogic_input_configured(stru + break; + } + +- if (suffix) ++ if (suffix) { + hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL, + "%s %s", hdev->name, suffix); ++ if (!hi->input->name) ++ return -ENOMEM; ++ } + + return 0; + } diff --git a/queue-5.10/hid-uclogic-correct-devm-device-reference-for-hidinput-input_dev-name.patch b/queue-5.10/hid-uclogic-correct-devm-device-reference-for-hidinput-input_dev-name.patch new file mode 100644 index 0000000000..116c879aa8 --- /dev/null +++ b/queue-5.10/hid-uclogic-correct-devm-device-reference-for-hidinput-input_dev-name.patch 
@@ -0,0 +1,70 @@ +From stable+bounces-213151-greg=kroah.com@vger.kernel.org Tue Feb 3 03:31:32 2026 +From: jetlan9@163.com +Date: Tue, 3 Feb 2026 02:29:24 +0000 +Subject: HID: uclogic: Correct devm device reference for hidinput input_dev name +To: stable@vger.kernel.org +Cc: Rahul Rameshbabu , syzbot+3a0ebe8a52b89c63739d@syzkaller.appspotmail.com, Maxime Ripard , Dmitry Torokhov , Benjamin Tissoires , Wenshan Lan +Message-ID: <20260203022925.4133-1-jetlan9@163.com> + +From: Rahul Rameshbabu + +[ Upstream commit dd613a4e45f8d35f49a63a2064e5308fa5619e29 ] + +Reference the HID device rather than the input device for the devm +allocation of the input_dev name. Referencing the input_dev would lead to a +use-after-free when the input_dev was unregistered and subsequently fires a +uevent that depends on the name. At the point of firing the uevent, the +name would be freed by devres management. + +Use devm_kasprintf to simplify the logic for allocating memory and +formatting the input_dev name string. 
+ +Reported-by: syzbot+3a0ebe8a52b89c63739d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/ +Reported-by: Maxime Ripard +Closes: https://lore.kernel.org/linux-input/ZOZIZCND+L0P1wJc@penguin/T/#m443f3dce92520f74b6cf6ffa8653f9c92643d4ae +Fixes: cce2dbdf258e ("HID: uclogic: name the input nodes based on their tool") +Suggested-by: Maxime Ripard +Suggested-by: Dmitry Torokhov +Signed-off-by: Rahul Rameshbabu +Reviewed-by: Maxime Ripard +Link: https://lore.kernel.org/r/20230824061308.222021-2-sergeantsagara@protonmail.com +Signed-off-by: Benjamin Tissoires +[ Adjust context ] +Signed-off-by: Wenshan Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-uclogic-core.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/hid/hid-uclogic-core.c ++++ b/drivers/hid/hid-uclogic-core.c +@@ -104,10 +104,8 @@ static int uclogic_input_configured(stru + { + struct uclogic_drvdata *drvdata = hid_get_drvdata(hdev); + struct uclogic_params *params = &drvdata->params; +- char *name; + const char *suffix = NULL; + struct hid_field *field; +- size_t len; + + /* no report associated (HID_QUIRK_MULTI_INPUT not set) */ + if (!hi->report) +@@ -145,14 +143,9 @@ static int uclogic_input_configured(stru + break; + } + +- if (suffix) { +- len = strlen(hdev->name) + 2 + strlen(suffix); +- name = devm_kzalloc(&hi->input->dev, len, GFP_KERNEL); +- if (name) { +- snprintf(name, len, "%s %s", hdev->name, suffix); +- hi->input->name = name; +- } +- } ++ if (suffix) ++ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL, ++ "%s %s", hdev->name, suffix); + + return 0; + } diff --git a/queue-5.10/ipv6-sr-fix-mac-comparison-to-be-constant-time.patch b/queue-5.10/ipv6-sr-fix-mac-comparison-to-be-constant-time.patch new file mode 100644 index 0000000000..1c4af16dd0 --- /dev/null +++ b/queue-5.10/ipv6-sr-fix-mac-comparison-to-be-constant-time.patch 
@@ -0,0 +1,44 @@ +From a458b2902115b26a25d67393b12ddd57d1216aaa Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 18 Aug 2025 13:27:24 -0700 +Subject: ipv6: sr: Fix MAC comparison to be constant-time + +From: Eric Biggers + +commit a458b2902115b26a25d67393b12ddd57d1216aaa upstream. + +To prevent timing attacks, MACs need to be compared in constant time. +Use the appropriate helper function for this. + +Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Reviewed-by: Andrea Mayer +Link: https://patch.msgid.link/20250818202724.15713-1-ebiggers@kernel.org +Signed-off-by: Jakub Kicinski +[ Include crypto/algapi.h instead of crypto/utils.h in v5.10.y. ] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/seg6_hmac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/ipv6/seg6_hmac.c ++++ b/net/ipv6/seg6_hmac.c +@@ -36,6 +36,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -270,7 +271,7 @@ bool seg6_hmac_validate_skb(struct sk_bu + if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output)) + return false; + +- if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0) ++ if (crypto_memneq(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN)) + return false; + + return true; diff --git a/queue-5.10/netfilter-nf_tables-typo-null-check-in-_clone-function.patch b/queue-5.10/netfilter-nf_tables-typo-null-check-in-_clone-function.patch new file mode 100644 index 0000000000..991c3c6efb --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-typo-null-check-in-_clone-function.patch 
@@ -0,0 +1,37 @@ +From 51edb2ff1c6fc27d3fa73f0773a31597ecd8e230 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 10 Jan 2022 20:48:17 +0100 +Subject: netfilter: nf_tables: typo NULL check in _clone() function + +From: Pablo Neira Ayuso + +commit 51edb2ff1c6fc27d3fa73f0773a31597ecd8e230 upstream. + +This should check for NULL in case memory allocation fails. + +Reported-by: Julian Wiedmann +Fixes: 3b9e2ea6c11b ("netfilter: nft_limit: move stateful fields out of expression data") +Fixes: 37f319f37d90 ("netfilter: nft_connlimit: move stateful fields out of expression data") +Fixes: 33a24de37e81 ("netfilter: nft_last: move stateful fields out of expression data") +Fixes: ed0a0c60f0e5 ("netfilter: nft_quota: move stateful fields out of expression data") +Signed-off-by: Pablo Neira Ayuso +Link: https://lore.kernel.org/r/20220110194817.53481-1-pablo@netfilter.org +Signed-off-by: Jakub Kicinski +Cc: Ben Hutchings +[ Portion of this patch applied - gregkh ] +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_connlimit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nft_connlimit.c ++++ b/net/netfilter/nft_connlimit.c +@@ -209,7 +209,7 @@ static int nft_connlimit_clone(struct nf + struct nft_connlimit *priv_src = nft_expr_priv(src); + + priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC); +- if (priv_dst->list) ++ if (!priv_dst->list) + return -ENOMEM; + + nf_conncount_list_init(priv_dst->list); diff --git a/queue-5.10/of-platform-use-default-match-table-for-firmware.patch b/queue-5.10/of-platform-use-default-match-table-for-firmware.patch new file mode 100644 index 0000000000..2d1f9d65d5 --- /dev/null +++ b/queue-5.10/of-platform-use-default-match-table-for-firmware.patch 
@@ -0,0 +1,40 @@ +From 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 Mon Sep 17 00:00:00 2001 +From: "Rob Herring (Arm)" +Date: Tue, 13 Jan 2026 19:51:58 -0600 +Subject: of: platform: Use default match table for /firmware + +From: Rob Herring (Arm) + +commit 48e6a9c4a20870e09f85ff1a3628275d6bce31c0 upstream. + +Calling of_platform_populate() without a match table will only populate +the immediate child nodes under /firmware. This is usually fine, but in +the case of something like a "simple-mfd" node such as +"raspberrypi,bcm2835-firmware", those child nodes will not be populated. +And subsequent calls won't work either because the /firmware node is +marked as processed already. + +Switch the call to of_platform_default_populate() to solve this problem. +It should be a nop for existing cases. + +Fixes: 3aa0582fdb82 ("of: platform: populate /firmware/ node from of_platform_default_populate_init()") +Cc: stable@vger.kernel.org +Reviewed-by: Sudeep Holla +Link: https://patch.msgid.link/20260114015158.692170-2-robh@kernel.org +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/platform.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/platform.c ++++ b/drivers/of/platform.c +@@ -533,7 +533,7 @@ static int __init of_platform_default_po + + node = of_find_node_by_path("/firmware"); + if (node) { +- of_platform_populate(node, NULL, NULL, NULL); ++ of_platform_default_populate(node, NULL, NULL); + of_node_put(node); + } + diff --git a/queue-5.10/pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch b/queue-5.10/pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch new file mode 100644 index 0000000000..d451b6dcb5 --- /dev/null +++ b/queue-5.10/pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch 
@@ -0,0 +1,95 @@ +From stable+bounces-213274-greg=kroah.com@vger.kernel.org Tue Feb 3 17:34:54 2026 +From: Sasha Levin +Date: Tue, 3 Feb 2026 11:24:15 -0500 +Subject: pinctrl: meson: mark the GPIO controller as sleeping +To: stable@vger.kernel.org +Cc: Bartosz Golaszewski , Marek Szyprowski , Martin Blumenstingl , Neil Armstrong , Linus Walleij , Sasha Levin +Message-ID: <20260203162415.1307360-1-sashal@kernel.org> + +From: Bartosz Golaszewski + +[ Upstream commit 28f24068387169722b508bba6b5257cb68b86e74 ] + +The GPIO controller is configured as non-sleeping but it uses generic +pinctrl helpers which use a mutex for synchronization. + +This can cause the following lockdep splat with shared GPIOs enabled on +boards which have multiple devices using the same GPIO: + +BUG: sleeping function called from invalid context at +kernel/locking/mutex.c:591 +in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 142, name: +kworker/u25:3 +preempt_count: 1, expected: 0 +RCU nest depth: 0, expected: 0 +INFO: lockdep is turned off. 
+irq event stamp: 46379 +hardirqs last enabled at (46379): [] +_raw_spin_unlock_irqrestore+0x74/0x78 +hardirqs last disabled at (46378): [] +_raw_spin_lock_irqsave+0x84/0x88 +softirqs last enabled at (46330): [] +handle_softirqs+0x4c4/0x4dc +softirqs last disabled at (46295): [] +__do_softirq+0x14/0x20 +CPU: 1 UID: 0 PID: 142 Comm: kworker/u25:3 Tainted: G C +6.19.0-rc4-next-20260105+ #11963 PREEMPT +Tainted: [C]=CRAP +Hardware name: Khadas VIM3 (DT) +Workqueue: events_unbound deferred_probe_work_func +Call trace: + show_stack+0x18/0x24 (C) + dump_stack_lvl+0x90/0xd0 + dump_stack+0x18/0x24 + __might_resched+0x144/0x248 + __might_sleep+0x48/0x98 + __mutex_lock+0x5c/0x894 + mutex_lock_nested+0x24/0x30 + pinctrl_get_device_gpio_range+0x44/0x128 + pinctrl_gpio_set_config+0x40/0xdc + gpiochip_generic_config+0x28/0x3c + gpio_do_set_config+0xa8/0x194 + gpiod_set_config+0x34/0xfc + gpio_shared_proxy_set_config+0x6c/0xfc [gpio_shared_proxy] + gpio_do_set_config+0xa8/0x194 + gpiod_set_transitory+0x4c/0xf0 + gpiod_configure_flags+0xa4/0x480 + gpiod_find_and_request+0x1a0/0x574 + gpiod_get_index+0x58/0x84 + devm_gpiod_get_index+0x20/0xb4 + devm_gpiod_get+0x18/0x24 + mmc_pwrseq_emmc_probe+0x40/0xb8 + platform_probe+0x5c/0xac + really_probe+0xbc/0x298 + __driver_probe_device+0x78/0x12c + driver_probe_device+0xdc/0x164 + __device_attach_driver+0xb8/0x138 + bus_for_each_drv+0x80/0xdc + __device_attach+0xa8/0x1b0 + +Fixes: 6ac730951104 ("pinctrl: add driver for Amlogic Meson SoCs") +Cc: stable@vger.kernel.org +Reported-by: Marek Szyprowski +Closes: https://lore.kernel.org/all/00107523-7737-4b92-a785-14ce4e93b8cb@samsung.com/ +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Signed-off-by: Linus Walleij +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/meson/pinctrl-meson.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/meson/pinctrl-meson.c ++++ 
b/drivers/pinctrl/meson/pinctrl-meson.c +@@ -614,7 +614,7 @@ static int meson_gpiolib_register(struct + pc->chip.set = meson_gpio_set; + pc->chip.base = -1; + pc->chip.ngpio = pc->data->num_pins; +- pc->chip.can_sleep = false; ++ pc->chip.can_sleep = true; + pc->chip.of_node = pc->of_node; + pc->chip.of_gpio_n_cells = 2; + diff --git a/queue-5.10/revert-selftests-replace-sleep-with-slowwait.patch b/queue-5.10/revert-selftests-replace-sleep-with-slowwait.patch new file mode 100644 index 0000000000..a725dd97b1 --- /dev/null +++ b/queue-5.10/revert-selftests-replace-sleep-with-slowwait.patch @@ -0,0 +1,36 @@ +From a1e14abe10579a4fbcd06fa58ab3ff7e539d5546 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 4 Feb 2026 15:02:58 +0100 +Subject: Revert "selftests: Replace sleep with slowwait" + +From: Greg Kroah-Hartman + +This reverts commit 780095c51e34ec7cdf6f651b4c4f2b35680779e4 which is +commit 2f186dd5585c3afb415df80e52f71af16c9d3655 upstream. + +To quote Ben: + The slowwait function isn't defined in 5.10 (or any stable + branch older than 6.9). + +Link: https://lore.kernel.org/r/b052b71589bb576dcad441eba38c20da81443a46.camel@decadent.org.uk +Reported-by: Ben Hutchings +Cc: David Ahern +Cc: Simon Horman +Cc: Jakub Kicinski +Cc: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/fcnal-test.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/fcnal-test.sh ++++ b/tools/testing/selftests/net/fcnal-test.sh +@@ -183,7 +183,7 @@ show_hint() + kill_procs() + { + killall nettest ping ping6 >/dev/null 2>&1 +- slowwait 2 sh -c 'test -z "$(pgrep '"'^(nettest|ping|ping6)$'"')"' ++ sleep 1 + } + + do_run_cmd() diff --git a/queue-5.10/series b/queue-5.10/series index bd51e9d82d..84018bb970 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -148,3 +148,17 @@ mei-trace-treat-reg-parameter-as-string.patch driver-core-fix-potential-null-ptr-deref-in-device_add.patch mm-pagewalk-add-walk_page_range_vma.patch ksm-use-range-walk-function-to-jump-over-holes-in-scan_get_next_rmap_item.patch +drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch +comedi-fix-getting-range-information-for-subdevices-16-to-255.patch +can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch +of-platform-use-default-match-table-for-firmware.patch +ipv6-sr-fix-mac-comparison-to-be-constant-time.patch +netfilter-nf_tables-typo-null-check-in-_clone-function.patch +revert-selftests-replace-sleep-with-slowwait.patch +writeback-fix-100-cpu-usage-when-dirtytime_expire_interval-is-0.patch +pinctrl-meson-mark-the-gpio-controller-as-sleeping.patch +hid-uclogic-correct-devm-device-reference-for-hidinput-input_dev-name.patch +hid-uclogic-add-null-check-in-uclogic_input_configured.patch +drm-imx-imx-tve-use-local-encoder-and-connector-variables.patch +drm-imx-imx-tve-move-initialization-into-probe.patch +drm-imx-tve-fix-probe-device-leak.patch diff --git a/queue-5.10/writeback-fix-100-cpu-usage-when-dirtytime_expire_interval-is-0.patch b/queue-5.10/writeback-fix-100-cpu-usage-when-dirtytime_expire_interval-is-0.patch new file mode 100644 index 0000000000..cce6da238f --- /dev/null +++ b/queue-5.10/writeback-fix-100-cpu-usage-when-dirtytime_expire_interval-is-0.patch 
@@ -0,0 +1,77 @@ +From stable+bounces-213309-greg=kroah.com@vger.kernel.org Tue Feb 3 21:35:09 2026 +From: Sasha Levin +Date: Tue, 3 Feb 2026 15:32:17 -0500 +Subject: writeback: fix 100% CPU usage when dirtytime_expire_interval is 0 +To: stable@vger.kernel.org +Cc: Laveesh Bansal , Jan Kara , Christian Brauner , Sasha Levin +Message-ID: <20260203203217.1392938-1-sashal@kernel.org> + +From: Laveesh Bansal + +[ Upstream commit 543467d6fe97e27e22a26e367fda972dbefebbff ] + +When vm.dirtytime_expire_seconds is set to 0, wakeup_dirtytime_writeback() +schedules delayed work with a delay of 0, causing immediate execution. +The function then reschedules itself with 0 delay again, creating an +infinite busy loop that causes 100% kworker CPU usage. + +Fix by: +- Only scheduling delayed work in wakeup_dirtytime_writeback() when + dirtytime_expire_interval is non-zero +- Cancelling the delayed work in dirtytime_interval_handler() when + the interval is set to 0 +- Adding a guard in start_dirtytime_writeback() for defensive coding + +Tested by booting kernel in QEMU with virtme-ng: +- Before fix: kworker CPU spikes to ~73% +- After fix: CPU remains at normal levels +- Setting interval back to non-zero correctly resumes writeback + +Fixes: a2f4870697a5 ("fs: make sure the timestamps for lazytime inodes eventually get written") +Cc: stable@vger.kernel.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220227 +Signed-off-by: Laveesh Bansal +Link: https://patch.msgid.link/20260106145059.543282-2-laveeshb@laveeshbansal.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +[ adapted system_percpu_wq to system_wq for the workqueue used in dirtytime_interval_handler() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fs-writeback.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -2187,12 +2187,14 @@ static void wakeup_dirtytime_writeback(s + wb_wakeup(wb); + } + 
rcu_read_unlock(); +- schedule_delayed_work(&dirtytime_work, dirtytime_expire_interval * HZ); ++ if (dirtytime_expire_interval) ++ schedule_delayed_work(&dirtytime_work, dirtytime_expire_interval * HZ); + } + + static int __init start_dirtytime_writeback(void) + { +- schedule_delayed_work(&dirtytime_work, dirtytime_expire_interval * HZ); ++ if (dirtytime_expire_interval) ++ schedule_delayed_work(&dirtytime_work, dirtytime_expire_interval * HZ); + return 0; + } + __initcall(start_dirtytime_writeback); +@@ -2203,8 +2205,12 @@ int dirtytime_interval_handler(struct ct + int ret; + + ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); +- if (ret == 0 && write) +- mod_delayed_work(system_wq, &dirtytime_work, 0); ++ if (ret == 0 && write) { ++ if (dirtytime_expire_interval) ++ mod_delayed_work(system_wq, &dirtytime_work, 0); ++ else ++ cancel_delayed_work_sync(&dirtytime_work); ++ } + return ret; + } +
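Review bot: in the drivers/pinctrl/meson/pinctrl-meson.c hunk, the assignment pc->chip.can_sleep = true in meson_gpiolib_register() has no comment explaining why this controller is marked as sleeping. The only explanation is the call trace in the changelog, where gpiochip_generic_config() reaches mutex_lock_nested() through pinctrl_gpio_set_config() and pinctrl_get_device_gpio_range(). A short comment above the assignment naming that mutex path would make the reason visible in the source and make it less likely that the flag is set back to false later.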
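Review bot: in kill_procs() in tools/testing/selftests/net/fcnal-test.sh, the restored sleep 1 is a fixed delay and does not check that nettest, ping and ping6 have exited after killall, so a slow teardown can leak a process into the next test case. Since slowwait is not available on this branch, a bounded loop around the same pgrep expression that the removed line used would keep the check without the missing helper. If the plain revert is preferred for stable, a comment noting that the wait is best effort would do.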
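Review bot: in the fs/fs-writeback.c hunk at -2187, wakeup_dirtytime_writeback() and start_dirtytime_writeback() each read dirtytime_expire_interval twice, once in the if test and again in dirtytime_expire_interval * HZ. A sysctl write between the two reads can zero the value after the test has passed. The result is a single work item queued with delay 0, which the guard stops on its next run, so this is harmless, but reading the value once into a local (with READ_ONCE) and using that local for both the test and the delay would make the guard exact. The guard in start_dirtytime_writeback() is described in the changelog as defensive only; a one-line comment saying so in the code would help.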
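Review bot: in the fs/fs-writeback.c hunk at -2203, dirtytime_interval_handler() tests the global dirtytime_expire_interval after proc_dointvec_minmax() has stored it, and nothing in the visible lines serializes two concurrent writers. Writer A can store 0 and pass the else test, writer B can then store a non-zero value and call mod_delayed_work(), and A's cancel_delayed_work_sync() can then run last, leaving a non-zero interval with no work queued until the next sysctl write. Either take a lock around the store and the mod/cancel decision, or re-check the interval after the cancel and requeue if it is non-zero. The switch from system_percpu_wq to system_wq noted in the changelog matches the context line here.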