From: Greg Kroah-Hartman Date: Wed, 8 Apr 2026 06:57:03 +0000 (+0200) Subject: 6.19-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6fb22b204bc2fed9889842ba03a20396f8c0590e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.19-stable patches added patches: auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch bridge-br_nd_send-validate-nd-option-lengths.patch cdc-acm-new-quirk-for-epson-hmd.patch comedi-dt2815-add-hardware-detection-to-prevent-crash.patch comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch dt-bindings-connector-add-pd-disable-dependency.patch firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch gpib-fix-fluke-driver-s390-compile-issue.patch netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch nvmem-imx-assign-nvmem_cell_info-raw_len.patch nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch spi-cadence-qspi-fix-exec_mem_op-error-handling.patch --- diff --git a/queue-6.19/auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch b/queue-6.19/auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch new file mode 100644 index 0000000000..303823df78 --- /dev/null +++ b/queue-6.19/auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch 
@@ -0,0 +1,48 @@ +From 7f138de156b20d9f9da6f72f90b63c01941d97d3 Mon Sep 17 00:00:00 2001 +From: Guangshuo Li +Date: Fri, 27 Mar 2026 01:14:12 +0800 +Subject: auxdisplay: line-display: fix NULL dereference in linedisp_release + +From: Guangshuo Li + +commit 7f138de156b20d9f9da6f72f90b63c01941d97d3 upstream. + +linedisp_release() currently retrieves the enclosing struct linedisp via +to_linedisp(). That lookup depends on the attachment list, but the +attachment may already have been removed before put_device() invokes the +release callback. This can happen in linedisp_unregister(), and can also +be reached from some linedisp_register() error paths. + +In that case, to_linedisp() returns NULL and linedisp_release() +dereferences it while freeing the display resources. + +The struct device released here is the embedded linedisp->dev used by +linedisp_register(), so retrieve the enclosing object directly with +container_of() instead. + +Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp") +Cc: stable@vger.kernel.org +Signed-off-by: Guangshuo Li +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/auxdisplay/line-display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/auxdisplay/line-display.c b/drivers/auxdisplay/line-display.c +index 81b4aac65807..fb6d9294140d 100644 +--- a/drivers/auxdisplay/line-display.c ++++ b/drivers/auxdisplay/line-display.c +@@ -365,7 +365,7 @@ static DEFINE_IDA(linedisp_id); + + static void linedisp_release(struct device *dev) + { +- struct linedisp *linedisp = to_linedisp(dev); ++ struct linedisp *linedisp = container_of(dev, struct linedisp, dev); + + kfree(linedisp->map); + kfree(linedisp->message); +-- +2.53.0 + diff --git a/queue-6.19/bridge-br_nd_send-validate-nd-option-lengths.patch b/queue-6.19/bridge-br_nd_send-validate-nd-option-lengths.patch new file mode 100644 index 0000000000..01c369a8c0 
--- /dev/null +++ b/queue-6.19/bridge-br_nd_send-validate-nd-option-lengths.patch @@ -0,0 +1,54 @@ +From 850837965af15707fd3142c1cf3c5bfaf022299b Mon Sep 17 00:00:00 2001 +From: Yang Yang +Date: Thu, 26 Mar 2026 03:44:40 +0000 +Subject: bridge: br_nd_send: validate ND option lengths + +From: Yang Yang + +commit 850837965af15707fd3142c1cf3c5bfaf022299b upstream. + +br_nd_send() walks ND options according to option-provided lengths. +A malformed option can make the parser advance beyond the computed +option span or use a too-short source LLADDR option payload. + +Validate option lengths against the remaining NS option area before +advancing, and only read source LLADDR when the option is large enough +for an Ethernet address. + +Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports") +Cc: stable@vger.kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Tested-by: Ao Zhou +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Signed-off-by: Yang Yang +Reviewed-by: Ido Schimmel +Acked-by: Nikolay Aleksandrov +Link: https://patch.msgid.link/20260326034441.2037420-3-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_arp_nd_proxy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/bridge/br_arp_nd_proxy.c ++++ b/net/bridge/br_arp_nd_proxy.c +@@ -288,12 +288,14 @@ static void br_nd_send(struct net_bridge + ns_olen = request->len - (skb_network_offset(request) + + sizeof(struct ipv6hdr)) - sizeof(*ns); + for (i = 0; i < ns_olen - 1; i += (ns->opt[i + 1] << 3)) { +- if (!ns->opt[i + 1]) { ++ if (!ns->opt[i + 1] || i + (ns->opt[i + 1] << 3) > ns_olen) { + kfree_skb(reply); + return; + } + if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) { +- daddr = ns->opt + i + sizeof(struct nd_opt_hdr); ++ if ((ns->opt[i + 1] << 3) >= ++ sizeof(struct nd_opt_hdr) + ETH_ALEN) ++ daddr = ns->opt + i + sizeof(struct nd_opt_hdr); + break; + } + } 
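Review bot: The new bound in the option loop of br_nd_send(), `i + (ns->opt[i + 1] << 3) > ns_olen`, is measured against `ns_olen`, which is derived from `request->len`; it keeps the walk inside the packet length but does not show that the option bytes are in the skb's linear data that `ns->opt` points into. Nothing in this hunk pulls or linearizes the request, so if no earlier step in the function or its caller does, a non-linear NS could still be read past the linear area; that precondition should be confirmed or stated in a comment above the loop. Separately, when a source link-layer option is shorter than `sizeof(struct nd_opt_hdr) + ETH_ALEN`, the loop now breaks with `daddr` unchanged, and a comment such as `/* too short for an Ethernet address: keep daddr as set before the loop */` would make that fallback explicit. The body of br_nd_send() starts and ends outside the hunk.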
diff --git a/queue-6.19/cdc-acm-new-quirk-for-epson-hmd.patch b/queue-6.19/cdc-acm-new-quirk-for-epson-hmd.patch new file mode 100644 index 0000000000..98b39f1054 --- /dev/null +++ b/queue-6.19/cdc-acm-new-quirk-for-epson-hmd.patch 
@@ -0,0 +1,60 @@ +From f97e96c303d689708f7f713d8f3afcc31f1237e9 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 17 Mar 2026 09:41:10 +0100 +Subject: cdc-acm: new quirk for EPSON HMD + +From: Oliver Neukum + +commit f97e96c303d689708f7f713d8f3afcc31f1237e9 upstream. + +This device has a union descriptor that is just garbage +and needs a custom descriptor. +In principle this could be done with a (conditionally +activated) heuristic. That would match more devices +without a need for defining a new quirk. However, +this always carries the risk that the heuristics +does the wrong thing and leads to more breakage. +Defining the quirk and telling it exactly what to do +is the safe and conservative approach. + +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://patch.msgid.link/20260317084139.1461008-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 9 +++++++++ + drivers/usb/class/cdc-acm.h | 1 + + 2 files changed, 10 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1225,6 +1225,12 @@ static int acm_probe(struct usb_interfac + if (!data_interface || !control_interface) + return -ENODEV; + goto skip_normal_probe; ++ } else if (quirks == NO_UNION_12) { ++ data_interface = usb_ifnum_to_if(usb_dev, 2); ++ control_interface = usb_ifnum_to_if(usb_dev, 1); ++ if (!data_interface || !control_interface) ++ return -ENODEV; ++ goto skip_normal_probe; + } + + /* normal probing*/ +@@ -1748,6 +1754,9 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x045b, 0x024D), /* Renesas R-Car E3 USB Download mode */ + .driver_info = DISABLE_ECHO, /* Don't echo banner */ + }, ++ { USB_DEVICE(0x04b8, 0x0d12), /* EPSON HMD Com&Sens */ ++ .driver_info = NO_UNION_12, /* union descriptor is garbage */ ++ }, + { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, +--- a/drivers/usb/class/cdc-acm.h ++++ 
b/drivers/usb/class/cdc-acm.h +@@ -114,3 +114,4 @@ struct acm { + #define SEND_ZERO_PACKET BIT(6) + #define DISABLE_ECHO BIT(7) + #define MISSING_CAP_BRK BIT(8) ++#define NO_UNION_12 BIT(9) diff --git a/queue-6.19/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch b/queue-6.19/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch new file mode 100644 index 0000000000..aad3a49e5b --- /dev/null +++ b/queue-6.19/comedi-dt2815-add-hardware-detection-to-prevent-crash.patch 
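Review bot: `NO_UNION_12` is added to cdc-acm.h without a comment, and the name alone does not say that interface 1 is control and interface 2 is data, which is what the new branch in acm_probe() hard-codes. A comment on the define such as `/* union descriptor unusable: control is interface 1, data is interface 2 */` would document it. The branch tests `quirks == NO_UNION_12`, so the quirk takes effect only when no other flag is set in `driver_info`; that matches the new table entry, but it should be noted next to the define because the neighbouring values are written as combinable `BIT()` flags. acm_probe() continues outside the hunk, so whatever endpoint validation follows `skip_normal_probe` is not visible here.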
@@ -0,0 +1,63 @@ +From 93853512f565e625df2397f0d8050d6aafd7c3ad Mon Sep 17 00:00:00 2001 +From: Deepanshu Kartikey +Date: Mon, 9 Mar 2026 16:18:59 +0530 +Subject: comedi: dt2815: add hardware detection to prevent crash + +From: Deepanshu Kartikey + +commit 93853512f565e625df2397f0d8050d6aafd7c3ad upstream. + +The dt2815 driver crashes when attached to I/O ports without actual +hardware present. This occurs because syzkaller or users can attach +the driver to arbitrary I/O addresses via COMEDI_DEVCONFIG ioctl. + +When no hardware exists at the specified port, inb() operations return +0xff (floating bus), but outb() operations can trigger page faults due +to undefined behavior, especially under race conditions: + + BUG: unable to handle page fault for address: 000000007fffff90 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + RIP: 0010:dt2815_attach+0x6e0/0x1110 + +Add hardware detection by reading the status register before attempting +any write operations. If the read returns 0xff, assume no hardware is +present and fail the attach with -ENODEV. This prevents crashes from +outb() operations on non-existent hardware. 
+ +Reported-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com +Cc: stable +Closes: https://syzkaller.appspot.com/bug?extid=72f94b474d6e50b71ffc +Tested-by: syzbot+72f94b474d6e50b71ffc@syzkaller.appspotmail.com +Reviewed-by: Ian Abbott +Signed-off-by: Deepanshu Kartikey +Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/] +Link: [https://lore.kernel.org/all/20260126070458.10974-1-kartikey406@gmail.com/T/ +Link: https://patch.msgid.link/20260309104859.503529-1-kartikey406@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/dt2815.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/comedi/drivers/dt2815.c ++++ b/drivers/comedi/drivers/dt2815.c +@@ -175,6 +175,18 @@ static int dt2815_attach(struct comedi_d + ? current_range_type : voltage_range_type; + } + ++ /* ++ * Check if hardware is present before attempting any I/O operations. ++ * Reading 0xff from status register typically indicates no hardware ++ * on the bus (floating bus reads as all 1s). ++ */ ++ if (inb(dev->iobase + DT2815_STATUS) == 0xff) { ++ dev_err(dev->class_dev, ++ "No hardware detected at I/O base 0x%lx\n", ++ dev->iobase); ++ return -ENODEV; ++ } ++ + /* Init the 2815 */ + outb(0x00, dev->iobase + DT2815_STATUS); + for (i = 0; i < 100; i++) { diff --git a/queue-6.19/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch b/queue-6.19/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch new file mode 100644 index 0000000000..6f2187e0a9 --- /dev/null +++ b/queue-6.19/comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch 
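Review bot: The `inb(dev->iobase + DT2815_STATUS) == 0xff` test added to dt2815_attach() only rules out a floating bus and does not identify a DT2815, so any other device that answers at the configured port with a different value still receives the `outb()` writes that follow. The comment above the check should say so, for example `/* Heuristic only: rejects an empty bus, does not verify that the device is a DT2815. */`. Because the commit message says the port is chosen by whoever issues COMEDI_DEVCONFIG, the message can be produced repeatedly by that caller, and `dev_err_ratelimited()` would keep it from flooding the log. The function body extends beyond the hunk on both sides.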
@@ -0,0 +1,65 @@ +From 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Thu, 5 Feb 2026 13:39:49 +0000 +Subject: comedi: me4000: Fix potential overrun of firmware buffer + +From: Ian Abbott + +commit 3fb43a7a5b44713f892c58ead2e5f3a1bc9f4ee7 upstream. + +`me4000_xilinx_download()` loads the firmware that was requested by +`request_firmware()`. It is possible for it to overrun the source +buffer because it blindly trusts the file format. It reads a data +stream length from the first 4 bytes into variable `file_length` and +reads the data stream contents of length `file_length` from offset 16 +onwards. + +Add a test to ensure that the supplied firmware is long enough to +contain the header and the data stream. On failure, log an error and +return `-EINVAL`. + +Note: The firmware loading was totally broken before commit ac584af59945 +("staging: comedi: me4000: fix firmware downloading"), but that is the +most sensible target for this fix. + +Fixes: ac584af59945 ("staging: comedi: me4000: fix firmware downloading") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260205133949.71722-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/me4000.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/comedi/drivers/me4000.c ++++ b/drivers/comedi/drivers/me4000.c +@@ -315,6 +315,18 @@ static int me4000_xilinx_download(struct + unsigned int val; + unsigned int i; + ++ /* Get data stream length from header. 
*/ ++ if (size >= 4) { ++ file_length = (((unsigned int)data[0] & 0xff) << 24) + ++ (((unsigned int)data[1] & 0xff) << 16) + ++ (((unsigned int)data[2] & 0xff) << 8) + ++ ((unsigned int)data[3] & 0xff); ++ } ++ if (size < 16 || file_length > size - 16) { ++ dev_err(dev->class_dev, "Firmware length inconsistency\n"); ++ return -EINVAL; ++ } ++ + if (!xilinx_iobase) + return -ENODEV; + +@@ -346,10 +358,6 @@ static int me4000_xilinx_download(struct + outl(val, devpriv->plx_regbase + PLX9052_CNTRL); + + /* Download Xilinx firmware */ +- file_length = (((unsigned int)data[0] & 0xff) << 24) + +- (((unsigned int)data[1] & 0xff) << 16) + +- (((unsigned int)data[2] & 0xff) << 8) + +- ((unsigned int)data[3] & 0xff); + usleep_range(10, 1000); + + for (i = 0; i < file_length; i++) { diff --git a/queue-6.19/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch b/queue-6.19/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch new file mode 100644 index 0000000000..f0dc9e98fe --- /dev/null +++ b/queue-6.19/comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch 
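Review bot: In me4000_xilinx_download() `file_length` is assigned only when `size >= 4` and is then read in `size < 16 || file_length > size - 16`; this is safe only because the `size < 16` test short-circuits first, which a later edit can easily break and which may draw a maybe-uninitialized warning. Rejecting short images first and decoding afterwards is clearer: return `-EINVAL` when `size < 16`, then `file_length = get_unaligned_be32(data);` (if that helper is usable in this file), then test `file_length > size - 16`. The same construction is added to me2600_xilinx_download() in the me_daq patch that follows. The length check also now runs before the existing `if (!xilinx_iobase)` test, so a malformed image is reported as `-EINVAL` in a case that previously returned `-ENODEV`.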
@@ -0,0 +1,82 @@ +From cc797d4821c754c701d9714b58bea947e31dbbe0 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Thu, 5 Feb 2026 14:01:30 +0000 +Subject: comedi: me_daq: Fix potential overrun of firmware buffer + +From: Ian Abbott + +commit cc797d4821c754c701d9714b58bea947e31dbbe0 upstream. + +`me2600_xilinx_download()` loads the firmware that was requested by +`request_firmware()`. It is possible for it to overrun the source +buffer because it blindly trusts the file format. It reads a data +stream length from the first 4 bytes into variable `file_length` and +reads the data stream contents of length `file_length` from offset 16 +onwards. Although it checks that the supplied firmware is at least 16 +bytes long, it does not check that it is long enough to contain the data +stream. + +Add a test to ensure that the supplied firmware is long enough to +contain the header and the data stream. On failure, log an error and +return `-EINVAL`. + +Fixes: 85acac61096f9 ("Staging: comedi: add me_daq driver") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260205140130.76697-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/me_daq.c | 35 +++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +--- a/drivers/comedi/drivers/me_daq.c ++++ b/drivers/comedi/drivers/me_daq.c +@@ -344,6 +344,25 @@ static int me2600_xilinx_download(struct + unsigned int file_length; + unsigned int i; + ++ /* ++ * Format of the firmware ++ * Build longs from the byte-wise coded header ++ * Byte 1-3: length of the array ++ * Byte 4-7: version ++ * Byte 8-11: date ++ * Byte 12-15: reserved ++ */ ++ if (size >= 4) { ++ file_length = (((unsigned int)data[0] & 0xff) << 24) + ++ (((unsigned int)data[1] & 0xff) << 16) + ++ (((unsigned int)data[2] & 0xff) << 8) + ++ ((unsigned int)data[3] & 0xff); ++ } ++ if (size < 16 || file_length > size - 16) { ++ dev_err(dev->class_dev, "Firmware length inconsistency\n"); ++ 
return -EINVAL; ++ } ++ + /* disable irq's on PLX */ + writel(0x00, devpriv->plx_regbase + PLX9052_INTCSR); + +@@ -358,22 +377,6 @@ static int me2600_xilinx_download(struct + sleep(1); + + /* +- * Format of the firmware +- * Build longs from the byte-wise coded header +- * Byte 1-3: length of the array +- * Byte 4-7: version +- * Byte 8-11: date +- * Byte 12-15: reserved +- */ +- if (size < 16) +- return -EINVAL; +- +- file_length = (((unsigned int)data[0] & 0xff) << 24) + +- (((unsigned int)data[1] & 0xff) << 16) + +- (((unsigned int)data[2] & 0xff) << 8) + +- ((unsigned int)data[3] & 0xff); +- +- /* + * Loop for writing firmware byte by byte to xilinx + * Firmware data start at offset 16 + */ diff --git a/queue-6.19/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch b/queue-6.19/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch new file mode 100644 index 0000000000..3c9992f815 --- /dev/null +++ b/queue-6.19/comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch 
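Review bot: The header comment moved to the top of me2600_xilinx_download() says `Byte 1-3: length of the array`, but the code directly below it builds `file_length` from `data[0]` through `data[3]`, and the next field starts at byte 4. Since this comment now documents the bounds check, it should read `Byte 0-3: length of the data stream` and mention that the stream starts at offset 16, which is what `file_length > size - 16` relies on.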
@@ -0,0 +1,47 @@ +From 101ab946b79ad83b36d5cfd47de587492a80acf0 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Wed, 28 Jan 2026 15:00:10 +0000 +Subject: comedi: ni_atmio16d: Fix invalid clean-up after failed attach + +From: Ian Abbott + +commit 101ab946b79ad83b36d5cfd47de587492a80acf0 upstream. + +If the driver's COMEDI "attach" handler function (`atmio16d_attach()`) +returns an error, the COMEDI core will call the driver's "detach" +handler function (`atmio16d_detach()`) to clean up. This calls +`reset_atmio16d()` unconditionally, but depending on where the error +occurred in the attach handler, the device may not have been +sufficiently initialized to call `reset_atmio16d()`. It uses +`dev->iobase` as the I/O port base address and `dev->private` as the +pointer to the COMEDI device's private data structure. `dev->iobase` +may still be set to its initial value of 0, which would result in +undesired writes to low I/O port addresses. `dev->private` may still be +`NULL`, which would result in null pointer dereferences. + +Fix `atmio16d_detach()` by checking that `dev->private` is valid +(non-null) before calling `reset_atmio16d()`. This implies that +`dev->iobase` was set correctly since that is set up before +`dev->private`. + +Fixes: 2323b276308a ("Staging: comedi: add ni_at_atmio16d driver") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260128150011.5006-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/ni_atmio16d.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/comedi/drivers/ni_atmio16d.c ++++ b/drivers/comedi/drivers/ni_atmio16d.c +@@ -698,7 +698,8 @@ static int atmio16d_attach(struct comedi + + static void atmio16d_detach(struct comedi_device *dev) + { +- reset_atmio16d(dev); ++ if (dev->private) ++ reset_atmio16d(dev); + comedi_legacy_detach(dev); + } + 
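Review bot: The guard added to atmio16d_detach() uses `dev->private` as a stand-in for "`dev->iobase` is valid", an ordering that only the commit message explains. A comment above the test, such as `/* dev->private is set after dev->iobase in attach, so non-NULL means both are valid */`, would keep a later reordering of atmio16d_attach() from silently reintroducing the writes to low I/O port addresses.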
diff --git a/queue-6.19/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch b/queue-6.19/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch new file mode 100644 index 0000000000..652e8cbc39 --- /dev/null +++ b/queue-6.19/comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch 
@@ -0,0 +1,54 @@ +From 4b9a9a6d71e3e252032f959fb3895a33acb5865c Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Wed, 25 Feb 2026 13:24:27 +0000 +Subject: comedi: Reinit dev->spinlock between attachments to low-level drivers + +From: Ian Abbott + +commit 4b9a9a6d71e3e252032f959fb3895a33acb5865c upstream. + +`struct comedi_device` is the main controlling structure for a COMEDI +device created by the COMEDI subsystem. It contains a member `spinlock` +containing a spin-lock that is initialized by the COMEDI subsystem, but +is reserved for use by a low-level driver attached to the COMEDI device +(at least since commit 25436dc9d84f ("Staging: comedi: remove RT +code")). + +Some COMEDI devices (those created on initialization of the COMEDI +subsystem when the "comedi.comedi_num_legacy_minors" parameter is +non-zero) can be attached to different low-level drivers over their +lifetime using the `COMEDI_DEVCONFIG` ioctl command. This can result in +inconsistent lock states being reported when there is a mismatch in the +spin-lock locking levels used by each low-level driver to which the +COMEDI device has been attached. Fix it by reinitializing +`dev->spinlock` before calling the low-level driver's `attach` function +pointer if `CONFIG_LOCKDEP` is enabled. + +Reported-by: syzbot+cc9f7f4a7df09f53c4a4@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cc9f7f4a7df09f53c4a4 +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260225132427.86578-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/comedi/drivers.c ++++ b/drivers/comedi/drivers.c +@@ -1063,6 +1063,14 @@ int comedi_device_attach(struct comedi_d + ret = -EIO; + goto out; + } ++ if (IS_ENABLED(CONFIG_LOCKDEP)) { ++ /* ++ * dev->spinlock is for private use by the attached low-level ++ * driver. 
Reinitialize it to stop lock-dependency tracking ++ * between attachments to different low-level drivers. ++ */ ++ spin_lock_init(&dev->spinlock); ++ } + dev->driver = driv; + dev->board_name = dev->board_ptr ? *(const char **)dev->board_ptr + : dev->driver->driver_name; diff --git a/queue-6.19/comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch b/queue-6.19/comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch new file mode 100644 index 0000000000..03058dddac --- /dev/null +++ b/queue-6.19/comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch 
@@ -0,0 +1,65 @@ +From 29f644f14b89e6c4965e3c89251929e451190a66 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Tue, 10 Mar 2026 11:11:04 +0000 +Subject: comedi: runflags cannot determine whether to reclaim chanlist + +From: Edward Adam Davis + +commit 29f644f14b89e6c4965e3c89251929e451190a66 upstream. + +syzbot reported a memory leak [1], because commit 4e1da516debb ("comedi: +Add reference counting for Comedi command handling") did not consider +the exceptional exit case in do_cmd_ioctl() where runflags is not set. +This caused chanlist not to be properly freed by do_become_nonbusy(), +as it only frees chanlist when runflags is correctly set. + +Added a check in do_become_nonbusy() for the case where runflags is not +set, to properly free the chanlist memory. + +[1] +BUG: memory leak + backtrace (crc 844a0efa): + __comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline] + do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890 + do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline] + +Fixes: 4e1da516debb ("comedi: Add reference counting for Comedi command handling") +Reported-by: syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e +Signed-off-by: Edward Adam Davis +Reviewed-by: Ian Abbott +Cc: stable # 6.19 +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20260310111104.70959-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/comedi_fops.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c +index 48a8a607a84c..0df9f4636fb6 100644 +--- a/drivers/comedi/comedi_fops.c ++++ b/drivers/comedi/comedi_fops.c +@@ -793,13 +793,15 @@ static void do_become_nonbusy(struct comedi_device *dev, + __comedi_clear_subdevice_runflags(s, COMEDI_SRF_RUNNING | + COMEDI_SRF_BUSY); + spin_unlock_irqrestore(&s->spin_lock, flags); 
+- if (comedi_is_runflags_busy(runflags)) { ++ if (async) { + /* + * "Run active" counter was set to 1 when setting up the + * command. Decrement it and wait for it to become 0. + */ +- comedi_put_is_subdevice_running(s); +- wait_for_completion(&async->run_complete); ++ if (comedi_is_runflags_busy(runflags)) { ++ comedi_put_is_subdevice_running(s); ++ wait_for_completion(&async->run_complete); ++ } + comedi_buf_reset(s); + async->inttrig = NULL; + kfree(async->cmd.chanlist); +-- +2.53.0 + diff --git a/queue-6.19/dt-bindings-connector-add-pd-disable-dependency.patch b/queue-6.19/dt-bindings-connector-add-pd-disable-dependency.patch new file mode 100644 index 0000000000..aa7a90cd6e --- /dev/null +++ b/queue-6.19/dt-bindings-connector-add-pd-disable-dependency.patch @@ -0,0 +1,32 @@ +From 269c26464dcf8b54b0dd9c333721c30ee44ae297 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Mon, 30 Mar 2026 14:35:18 +0800 +Subject: dt-bindings: connector: add pd-disable dependency + +From: Xu Yang + +commit 269c26464dcf8b54b0dd9c333721c30ee44ae297 upstream. + +When Power Delivery is not supported, the source is unable to obtain the +current capability from the Source PDO. As a result, typec-power-opmode +needs to be added to advertise such capability. + +Acked-by: Conor Dooley +Cc: stable +Signed-off-by: Xu Yang +Link: https://patch.msgid.link/20260330063518.719345-1-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/connector/usb-connector.yaml | 1 + + 1 file changed, 1 insertion(+) + +--- a/Documentation/devicetree/bindings/connector/usb-connector.yaml ++++ b/Documentation/devicetree/bindings/connector/usb-connector.yaml +@@ -301,6 +301,7 @@ properties: + maxItems: 4 + + dependencies: ++ pd-disable: [typec-power-opmode] + sink-vdos-v1: [ sink-vdos ] + sink-vdos: [ sink-vdos-v1 ] + 
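Review bot: With the outer test changed to `if (async)` in do_become_nonbusy(), the `kfree(async->cmd.chanlist)` at the end of the hunk is reached on every call that has an async structure, not only when the run flags were busy. The hunk stops at that line, so it is not visible whether the pointer is set to NULL afterwards; if it is not, a second call for the same subdevice would free it twice. If the pointer is cleared there, a short comment at the `if (async)` line, such as `/* cleanup below must be safe to repeat */`, would record that requirement.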
diff --git a/queue-6.19/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch b/queue-6.19/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch new file mode 100644 index 0000000000..ab18736f46 --- /dev/null +++ b/queue-6.19/firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch 
@@ -0,0 +1,53 @@ +From c7596f9001e2b83293e3658e4e1addde69bb335d Mon Sep 17 00:00:00 2001 +From: Conor Dooley +Date: Tue, 3 Mar 2026 11:24:06 +0000 +Subject: firmware: microchip: fail auto-update probe if no flash found + +From: Conor Dooley + +commit c7596f9001e2b83293e3658e4e1addde69bb335d upstream. + +There's no point letting the driver probe if there is no flash, as +trying to do a firmware upload will fail. Move the code that attempts +to get the flash from firmware upload to probe, and let it emit a +message to users stating why auto-update is not supported. +The code currently could have a problem if there's a flash in +devicetree, but the system controller driver fails to get a pointer to +it from the mtd subsystem, which will cause +mpfs_sys_controller_get_flash() to return an error. Check for errors and +null, instead of just null, in the new clause. + +CC: stable@vger.kernel.org +Fixes: ec5b0f1193ad4 ("firmware: microchip: add PolarFire SoC Auto Update support") +Signed-off-by: Conor Dooley +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/microchip/mpfs-auto-update.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/firmware/microchip/mpfs-auto-update.c ++++ b/drivers/firmware/microchip/mpfs-auto-update.c +@@ -113,10 +113,6 @@ static enum fw_upload_err mpfs_auto_upda + * be added here. 
+ */ + +- priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller); +- if (!priv->flash) +- return FW_UPLOAD_ERR_HW_ERROR; +- + erase_size = round_up(erase_size, (u64)priv->flash->erasesize); + + /* +@@ -427,6 +423,12 @@ static int mpfs_auto_update_probe(struct + return dev_err_probe(dev, PTR_ERR(priv->sys_controller), + "Could not register as a sub device of the system controller\n"); + ++ priv->flash = mpfs_sys_controller_get_flash(priv->sys_controller); ++ if (IS_ERR_OR_NULL(priv->flash)) { ++ dev_dbg(dev, "No flash connected to the system controller, auto-update not supported\n"); ++ return -ENODEV; ++ } ++ + priv->dev = dev; + platform_set_drvdata(pdev, priv); + diff --git a/queue-6.19/gpib-fix-fluke-driver-s390-compile-issue.patch b/queue-6.19/gpib-fix-fluke-driver-s390-compile-issue.patch new file mode 100644 index 0000000000..5e17d6d10d --- /dev/null +++ b/queue-6.19/gpib-fix-fluke-driver-s390-compile-issue.patch 
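Review bot: The new probe check `IS_ERR_OR_NULL(priv->flash)` folds every failure of mpfs_sys_controller_get_flash() into `-ENODEV`, so an error pointer's code is lost; if that helper can return a deferral or another specific errno (not visible here), probe no longer reports it. Splitting the cases keeps it: `if (IS_ERR(priv->flash)) return dev_err_probe(dev, PTR_ERR(priv->flash), "Could not get flash\n");`, followed by the NULL case returning `-ENODEV`. The message is also logged with `dev_dbg()`, which is normally disabled, while the description says it is meant to tell users why auto-update is unavailable; `dev_info()` or `dev_warn()` would match that intent. The first inner hunk leaves `priv->flash->erasesize` dereferenced without a check, which is correct only while probe keeps rejecting a missing flash.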
@@ -0,0 +1,50 @@ +From 579af7204d762587f9cce0d6236a710a771f1f6f Mon Sep 17 00:00:00 2001 +From: Dave Penkler +Date: Mon, 2 Feb 2026 10:47:55 +0100 +Subject: gpib: Fix fluke driver s390 compile issue + +From: Dave Penkler + +commit 579af7204d762587f9cce0d6236a710a771f1f6f upstream. + +The following errors were reported for a s390 randconfig build +of the fluke gpib driver: + +>> drivers/gpib/eastwood/fluke_gpib.c:1002:23: error: call to undeclared function 'ioremap'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] + 1002 | nec_priv->mmiobase = ioremap(e_priv->gpib_iomem_res->start, + | ^ +>> drivers/gpib/eastwood/fluke_gpib.c:1002:21: error: incompatible integer to pointer conversion assigning to 'void *' from 'int' [-Wint-conversion] + 1002 | nec_priv->mmiobase = ioremap(e_priv->gpib_iomem_res->start, + | ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 1003 | resource_size(e_priv->gpib_iomem_res)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/gpib/eastwood/fluke_gpib.c:1036:33: error: incompatible integer to pointer conversion assigning to 'void *' from 'int' [-Wint-conversion] + 1036 | e_priv->write_transfer_counter = ioremap(e_priv->write_transfer_counter_res->start, + | ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 1037 | resource_size(e_priv->write_transfer_counter_res)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Add HAS_IOMEM dependency to Kconfig for fluke driver option + +Suggested-by: Arnd Bergmann +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202601221748.AFAqHieJ-lkp@intel.com/ +Fixes: baf8855c9160 ("staging: gpib: fix address space mixup") +Cc: stable +Signed-off-by: Dave Penkler +Link: https://patch.msgid.link/20260202094755.4259-1-dpenkler@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpib/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpib/Kconfig ++++ b/drivers/gpib/Kconfig +@@ -122,6 +122,7 @@ config 
GPIB_FLUKE + depends on OF + select GPIB_COMMON + select GPIB_NEC7210 ++ depends on HAS_IOMEM + help + GPIB driver for Fluke based cda devices. + diff --git a/queue-6.19/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch b/queue-6.19/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch new file mode 100644 index 0000000000..35703576c1 --- /dev/null +++ b/queue-6.19/netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch @@ -0,0 +1,41 @@ +From 9862ef9ab0a116c6dca98842aab7de13a252ae02 Mon Sep 17 00:00:00 2001 +From: Yifan Wu +Date: Mon, 30 Mar 2026 14:39:24 -0700 +Subject: netfilter: ipset: drop logically empty buckets in mtype_del + +From: Yifan Wu + +commit 9862ef9ab0a116c6dca98842aab7de13a252ae02 upstream. + +mtype_del() counts empty slots below n->pos in k, but it only drops the +bucket when both n->pos and k are zero. This misses buckets whose live +entries have all been removed while n->pos still points past deleted slots. + +Treat a bucket as empty when all positions below n->pos are unused and +release it directly instead of shrinking it further. + +Fixes: 8af1c6fbd923 ("netfilter: ipset: Fix forceadd evaluation path") +Cc: stable@vger.kernel.org +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Yifan Wu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Reviewed-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipset/ip_set_hash_gen.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/ipset/ip_set_hash_gen.h ++++ b/net/netfilter/ipset/ip_set_hash_gen.h +@@ -1099,7 +1099,7 @@ mtype_del(struct ip_set *set, void *valu + if (!test_bit(i, n->used)) + k++; + } +- if (n->pos == 0 && k == 0) { ++ if (k == n->pos) { + t->hregion[r].ext_size -= ext_size(n->size, dsize); + rcu_assign_pointer(hbucket(t, key), NULL); + kfree_rcu(n, rcu); 
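Review bot: The new condition `k == n->pos` in mtype_del() carries the whole fix but reads as a bare comparison. A comment on that line, such as `/* all slots below n->pos are unused: bucket is logically empty */`, would record why the bucket is released here rather than shrunk. The loop that counts `k` and the rest of mtype_del() lie partly outside the hunk.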
diff --git a/queue-6.19/nvmem-imx-assign-nvmem_cell_info-raw_len.patch b/queue-6.19/nvmem-imx-assign-nvmem_cell_info-raw_len.patch new file mode 100644 index 0000000000..5d063b12f4 --- /dev/null +++ b/queue-6.19/nvmem-imx-assign-nvmem_cell_info-raw_len.patch 
@@ -0,0 +1,50 @@
+From 48b5163c957548f5854f14c90bfdedc33afbea3c Mon Sep 17 00:00:00 2001
+From: Christian Eggers
+Date: Fri, 27 Mar 2026 13:16:44 +0000
+Subject: nvmem: imx: assign nvmem_cell_info::raw_len
+
+From: Christian Eggers
+
+commit 48b5163c957548f5854f14c90bfdedc33afbea3c upstream.
+
+Avoid getting error messages at startup like the following on i.MX6ULL:
+
+nvmem imx-ocotp0: cell mac-addr raw len 6 unaligned to nvmem word size 4
+nvmem imx-ocotp0: cell mac-addr raw len 6 unaligned to nvmem word size 4
+
+This shouldn't cause any functional change as this alignment would
+otherwise be done in nvmem_cell_info_to_nvmem_cell_entry_nodup().
+
+Cc: stable@vger.kernel.org
+Fixes: 13bcd440f2ff ("nvmem: core: verify cell's raw_len")
+Signed-off-by: Christian Eggers
+Signed-off-by: Fabio Estevam
+Signed-off-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20260327131645.3025781-2-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/imx-ocotp-ele.c | 1 +
+ drivers/nvmem/imx-ocotp.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -131,6 +131,7 @@ static int imx_ocotp_cell_pp(void *conte
+ static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem,
+ struct nvmem_cell_info *cell)
+ {
++ cell->raw_len = round_up(cell->bytes, 4);
+ cell->read_post_process = imx_ocotp_cell_pp;
+ }
+
+--- a/drivers/nvmem/imx-ocotp.c
++++ b/drivers/nvmem/imx-ocotp.c
+@@ -589,6 +589,7 @@ MODULE_DEVICE_TABLE(of, imx_ocotp_dt_ids
+ static void imx_ocotp_fixup_dt_cell_info(struct nvmem_device *nvmem,
+ struct nvmem_cell_info *cell)
+ {
++ cell->raw_len = round_up(cell->bytes, 4);
+ cell->read_post_process = imx_ocotp_cell_pp;
+ }
+
diff --git a/queue-6.19/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch b/queue-6.19/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch
new file mode 100644
index 0000000000..d149cf07ca
--- /dev/null
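Review bot: The literal `4` in `cell->raw_len = round_up(cell->bytes, 4);` is an unexplained magic number, now duplicated in imx-ocotp-ele.c and imx-ocotp.c. The commit message ties it to the nvmem word size, so the line should say so, for example `/* OCOTP is read in 4-byte words; keep raw_len a multiple of the nvmem word size */`, or use a word-size constant if the drivers already define one (none is visible in these hunks). Because `raw_len` can now be larger than `cell->bytes`, it is also worth confirming that `imx_ocotp_cell_pp()` only touches the bytes it is handed; its body is outside the hunks.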
+++ b/queue-6.19/nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch 
@@ -0,0 +1,64 @@
+From f9b88613ff402aa6fe8fd020573cb95867ae947e Mon Sep 17 00:00:00 2001
+From: Ivan Vera
+Date: Fri, 27 Mar 2026 13:16:45 +0000
+Subject: nvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy
+
+From: Ivan Vera
+
+commit f9b88613ff402aa6fe8fd020573cb95867ae947e upstream.
+
+Buffer size used in dma allocation and memcpy is wrong.
+It can lead to undersized DMA buffer access and possible
+memory corruption. use correct buffer size in dma_alloc_coherent
+and memcpy.
+
+Fixes: 737c0c8d07b5 ("nvmem: zynqmp_nvmem: Add support to access efuse")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Vera
+Signed-off-by: Harish Ediga
+Signed-off-by: Harsh Jain
+Signed-off-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20260327131645.3025781-3-srini@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvmem/zynqmp_nvmem.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/nvmem/zynqmp_nvmem.c
++++ b/drivers/nvmem/zynqmp_nvmem.c
+@@ -66,7 +66,7 @@ static int zynqmp_efuse_access(void *con
+ dma_addr_t dma_buf;
+ size_t words = bytes / WORD_INBYTES;
+ int ret;
+- int value;
++ unsigned int value;
+ char *data;
+
+ if (bytes % WORD_INBYTES != 0) {
+@@ -80,7 +80,7 @@ static int zynqmp_efuse_access(void *con
+ }
+
+ if (pufflag == 1 && flag == EFUSE_WRITE) {
+- memcpy(&value, val, bytes);
++ memcpy(&value, val, sizeof(value));
+ if ((offset == EFUSE_PUF_START_OFFSET ||
+ offset == EFUSE_PUF_MID_OFFSET) &&
+ value & P_USER_0_64_UPPER_MASK) {
+@@ -100,7 +100,7 @@ static int zynqmp_efuse_access(void *con
+ if (!efuse)
+ return -ENOMEM;
+
+- data = dma_alloc_coherent(dev, sizeof(bytes),
++ data = dma_alloc_coherent(dev, bytes,
+ &dma_buf, GFP_KERNEL);
+ if (!data) {
+ ret = -ENOMEM;
+@@ -134,7 +134,7 @@ static int zynqmp_efuse_access(void *con
+ if (flag == EFUSE_READ)
+ memcpy(val, data, bytes);
+ efuse_access_err:
+- dma_free_coherent(dev, sizeof(bytes),
++ dma_free_coherent(dev, bytes,
+ data, dma_buf);
+ efuse_data_fail:
+ dma_free_coherent(dev, sizeof(struct xilinx_efuse),
diff --git a/queue-6.19/pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch b/queue-6.19/pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch
new file mode 100644
index 0000000000..3a1443d9b6
--- /dev/null
+++ b/queue-6.19/pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch
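Review bot: `memcpy(&value, val, sizeof(value));` now always reads `sizeof(unsigned int)` bytes from `val`, but the only length check visible in zynqmp_efuse_access() is `bytes % WORD_INBYTES != 0`, which a zero-length request passes. Unless the nvmem core or the elided lines guarantee `bytes >= WORD_INBYTES`, such a request would read past the caller's buffer and then reach `dma_alloc_coherent(dev, bytes, ...)` with a size of 0. Rejecting it together with the alignment test, `if (!bytes || bytes % WORD_INBYTES != 0) {`, closes both. The function starts and ends outside these hunks.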
@@ -0,0 +1,50 @@
+From 9badc2a84e688be1275bb740942d5f6f51746908 Mon Sep 17 00:00:00 2001
+From: Changwoo Min
+Date: Sun, 29 Mar 2026 16:36:15 +0900
+Subject: PM: EM: Fix NULL pointer dereference when perf domain ID is not found
+
+From: Changwoo Min
+
+commit 9badc2a84e688be1275bb740942d5f6f51746908 upstream.
+
+dev_energymodel_nl_get_perf_domains_doit() calls
+em_perf_domain_get_by_id() but does not check the return value before
+passing it to __em_nl_get_pd_size(). When a caller supplies a
+non-existent perf domain ID, em_perf_domain_get_by_id() returns NULL,
+and __em_nl_get_pd_size() immediately dereferences pd->cpus
+(struct offset 0x30), causing a NULL pointer dereference.
+
+The sister handler dev_energymodel_nl_get_perf_table_doit() already
+handles this correctly via __em_nl_get_pd_table_id(), which returns
+NULL and causes the caller to return -EINVAL. Add the same NULL check
+in the get-perf-domains do handler.
+
+Fixes: 380ff27af25e ("PM: EM: Add dump to get-perf-domains in the EM YNL spec")
+Reported-by: Yi Lai
+Closes: https://lore.kernel.org/lkml/aXiySM79UYfk+ytd@ly-workstation/
+Signed-off-by: Changwoo Min
+Cc: 6.19+ # 6.19+
+[ rjw: Subject and changelog edits ]
+Link: https://patch.msgid.link/20260329073615.649976-1-changwoo@igalia.com
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/power/em_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/power/em_netlink.c b/kernel/power/em_netlink.c
+index 5a611d3950fd..4d4fd29bd2be 100644
+--- a/kernel/power/em_netlink.c
++++ b/kernel/power/em_netlink.c
+@@ -109,6 +109,8 @@ int dev_energymodel_nl_get_perf_domains_doit(struct sk_buff *skb,
+
+ id = nla_get_u32(info->attrs[DEV_ENERGYMODEL_A_PERF_DOMAIN_PERF_DOMAIN_ID]);
+ pd = em_perf_domain_get_by_id(id);
++ if (!pd)
++ return -EINVAL;
+
+ __em_nl_get_pd_size(pd, &msg_sz);
+ msg = genlmsg_new(msg_sz, GFP_KERNEL);
+--
+2.53.0
+
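Review bot: The new `if (!pd) return -EINVAL;` in dev_energymodel_nl_get_perf_domains_doit() gives user space no hint about which attribute was rejected. Since `info` is already in scope, the branch could report it through extended ack before returning, e.g. `NL_SET_ERR_MSG_ATTR(info->extack, info->attrs[DEV_ENERGYMODEL_A_PERF_DOMAIN_PERF_DOMAIN_ID], "unknown perf domain id");`. The hunk also does not show what keeps `pd` valid between `em_perf_domain_get_by_id()` and its later uses, so the lookup's locking is worth confirming. The function continues outside the hunk.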
diff --git a/queue-6.19/reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch b/queue-6.19/reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch
new file mode 100644
index 0000000000..217a339c84
--- /dev/null
+++ b/queue-6.19/reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch
@@ -0,0 +1,44 @@
+From fbffb8c7c7bb4d38e9f65e0bee446685011de5d8 Mon Sep 17 00:00:00 2001
+From: Guangshuo Li
+Date: Sat, 21 Mar 2026 15:42:40 +0800
+Subject: reset: gpio: fix double free in reset_add_gpio_aux_device() error path
+
+From: Guangshuo Li
+
+commit fbffb8c7c7bb4d38e9f65e0bee446685011de5d8 upstream.
+
+When __auxiliary_device_add() fails, reset_add_gpio_aux_device()
+calls auxiliary_device_uninit(adev).
+
+The device release callback reset_gpio_aux_device_release() frees
+adev, but the current error path then calls kfree(adev) again,
+causing a double free.
+
+Keep kfree(adev) for the auxiliary_device_init() failure path, but
+avoid freeing adev after auxiliary_device_uninit().
+
+Fixes: 5fc4e4cf7a22 ("reset: gpio: use software nodes to setup the GPIO lookup")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li
+Reviewed-by: Bartosz Golaszewski
+Signed-off-by: Philipp Zabel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/reset/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/reset/core.c b/drivers/reset/core.c
+index fceec45c8afc..352c2360603b 100644
+--- a/drivers/reset/core.c
++++ b/drivers/reset/core.c
+@@ -856,7 +856,6 @@ static int reset_add_gpio_aux_device(struct device *parent,
+ ret = __auxiliary_device_add(adev, "reset");
+ if (ret) {
+ auxiliary_device_uninit(adev);
+- kfree(adev);
+ return ret;
+ }
+
+--
+2.53.0
+
diff --git a/queue-6.19/s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch b/queue-6.19/s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch
new file mode 100644
index 0000000000..fd74284428
--- /dev/null
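Review bot: After this change the `if (ret)` branch of reset_add_gpio_aux_device() frees `adev` only indirectly, and nothing in the code says so; the ownership rule behind the double free is recorded only in the commit message. A one-line comment above `auxiliary_device_uninit(adev);`, such as `/* drops the last reference; reset_gpio_aux_device_release() frees adev */`, would keep a later cleanup from re-adding the `kfree()`. The earlier `auxiliary_device_init()` failure path, which per the commit message still needs `kfree(adev)`, is outside the hunk.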
+++ b/queue-6.19/s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch 
@@ -0,0 +1,57 @@
+From 57ad0d4a00f5d3e80f33ba2da8d560c73d83dc22 Mon Sep 17 00:00:00 2001
+From: Thomas Richter
+Date: Fri, 6 Mar 2026 13:50:31 +0100
+Subject: s390/cpum_sf: Cap sampling rate to prevent lsctl exception
+
+From: Thomas Richter
+
+commit 57ad0d4a00f5d3e80f33ba2da8d560c73d83dc22 upstream.
+
+commit fcc43a7e294f ("s390/configs: Set HZ=1000") changed the interrupt
+frequency of the system. On machines with heavy load and many perf event
+overflows, this might lead to an exception. Dmesg displays these entries:
+ [112.242542] cpum_sf: Loading sampling controls failed: op 1 err -22
+One line per CPU online.
+
+The root cause is the CPU Measurement sampling facility overflow
+adjustment. Whenever an overflow (too much samples per tick) occurs, the
+sampling rate is adjusted and increased. This was done without observing
+the maximum sampling rate limit. When the current sampling interval is
+higher than the maximum sampling rate limit, the lsctl instruction raises
+an exception. The error messages is the result of such an exception.
+Observe the upper limit when the new sampling rate is recalculated.
+
+Cc: stable@vger.kernel.org
+Fixes: 39d4a501a9ef ("s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits")
+Signed-off-by: Thomas Richter
+Reviewed-by: Sumanth Korikkar
+Reviewed-by: Hendrik Brueckner
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/perf_cpum_sf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1168,6 +1168,7 @@ static void hw_collect_samples(struct pe
+ static void hw_perf_event_update(struct perf_event *event, int flush_all)
+ {
+ unsigned long long event_overflow, sampl_overflow, num_sdb;
++ struct cpu_hw_sf *cpuhw = this_cpu_ptr(&cpu_hw_sf);
+ struct hw_perf_event *hwc = &event->hw;
+ union hws_trailer_header prev, new;
+ struct hws_trailer_entry *te;
+@@ -1247,8 +1248,11 @@ static void hw_perf_event_update(struct
+ * are dropped.
+ * Slightly increase the interval to avoid hitting this limit.
+ */
+- if (event_overflow)
++ if (event_overflow) {
+ SAMPL_RATE(hwc) += DIV_ROUND_UP(SAMPL_RATE(hwc), 10);
++ if (SAMPL_RATE(hwc) > cpuhw->qsi.max_sampl_rate)
++ SAMPL_RATE(hwc) = cpuhw->qsi.max_sampl_rate;
++ }
+ }
+
+ static inline unsigned long aux_sdb_index(struct aux_buffer *aux,
diff --git a/queue-6.19/s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch b/queue-6.19/s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch
new file mode 100644
index 0000000000..1b5801eb0e
--- /dev/null
+++ b/queue-6.19/s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch
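Review bot: The comment above `if (event_overflow) {` in hw_perf_event_update() still only says the interval is slightly increased, so the reason for the new clamp is not recorded next to it. I would add a line such as ` * Never exceed qsi.max_sampl_rate: a larger interval makes lsctl fail.` to that comment. The cap is read through `this_cpu_ptr(&cpu_hw_sf)`, which assumes this function always runs on the CPU that owns the event; that looks plausible for a PMU callback but cannot be confirmed from these hunks. If the operand types allow it, the two added lines could also be a single `min()`/`min_t()` assignment.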
@@ -0,0 +1,124 @@
+From c8d46f17c2fc7d25c18e60c008928aecab26184d Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger
+Date: Thu, 19 Mar 2026 09:06:52 +0100
+Subject: s390/zcrypt: Fix memory leak with CCA cards used as accelerator
+
+From: Harald Freudenberger
+
+commit c8d46f17c2fc7d25c18e60c008928aecab26184d upstream.
+
+Tests showed that there is a memory leak if CCA cards are used as
+accelerator for clear key RSA requests (ME and CRT). With the last
+rework for the memory allocation the AP messages are allocated by
+ap_init_apmsg() but for some reason on two places (ME and CRT) the
+older allocation was still in place. So the first allocation simple
+was never freed.
+
+Fixes: 57db62a130ce ("s390/ap/zcrypt: Rework AP message buffer allocation")
+Reported-by: Yi Zhang
+Closes: https://lore.kernel.org/linux-s390/CAHj4cs9H67Uz0iVaRQv447p7JFPRPy3TKAT4=Y6_e=wSHCZM5w@mail.gmail.com/
+Reported-by: Nadja Hariz
+Cc: stable@vger.kernel.org
+Reviewed-by: Ingo Franzki
+Reviewed-by: Holger Dengler
+Acked-by: Heiko Carstens
+Signed-off-by: Harald Freudenberger
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/zcrypt_msgtype6.c | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+--- a/drivers/s390/crypto/zcrypt_msgtype6.c
++++ b/drivers/s390/crypto/zcrypt_msgtype6.c
+@@ -953,6 +953,10 @@ static atomic_t zcrypt_step = ATOMIC_INI
+ /*
+ * The request distributor calls this function if it picked the CEXxC
+ * device to handle a modexpo request.
++ * This function assumes that ap_msg has been initialized with
++ * ap_init_apmsg() and thus a valid buffer with the size of
++ * ap_msg->bufsize is available within ap_msg. Also the caller has
++ * to make sure ap_release_apmsg() is always called even on failure.
+ * @zq: pointer to zcrypt_queue structure that identifies the
+ * CEXxC device to the request distributor
+ * @mex: pointer to the modexpo request buffer
+@@ -964,21 +968,17 @@ static long zcrypt_msgtype6_modexpo(stru
+ struct ap_response_type *resp_type = &ap_msg->response;
+ int rc;
+
+- ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
+- if (!ap_msg->msg)
+- return -ENOMEM;
+- ap_msg->bufsize = PAGE_SIZE;
+ ap_msg->receive = zcrypt_msgtype6_receive;
+ ap_msg->psmid = (((unsigned long)current->pid) << 32) +
+ atomic_inc_return(&zcrypt_step);
+ rc = icamex_msg_to_type6mex_msgx(zq, ap_msg, mex);
+ if (rc)
+- goto out_free;
++ goto out;
+ resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
+ init_completion(&resp_type->work);
+ rc = ap_queue_message(zq->queue, ap_msg);
+ if (rc)
+- goto out_free;
++ goto out;
+ rc = wait_for_completion_interruptible(&resp_type->work);
+ if (rc == 0) {
+ rc = ap_msg->rc;
+@@ -991,15 +991,17 @@ static long zcrypt_msgtype6_modexpo(stru
+ ap_cancel_message(zq->queue, ap_msg);
+ }
+
+-out_free:
+- free_page((unsigned long)ap_msg->msg);
+- ap_msg->msg = NULL;
++out:
+ return rc;
+ }
+
+ /*
+ * The request distributor calls this function if it picked the CEXxC
+ * device to handle a modexpo_crt request.
++ * This function assumes that ap_msg has been initialized with
++ * ap_init_apmsg() and thus a valid buffer with the size of
++ * ap_msg->bufsize is available within ap_msg. Also the caller has
++ * to make sure ap_release_apmsg() is always called even on failure.
+ * @zq: pointer to zcrypt_queue structure that identifies the
+ * CEXxC device to the request distributor
+ * @crt: pointer to the modexpoc_crt request buffer
+@@ -1011,21 +1013,17 @@ static long zcrypt_msgtype6_modexpo_crt(
+ struct ap_response_type *resp_type = &ap_msg->response;
+ int rc;
+
+- ap_msg->msg = (void *)get_zeroed_page(GFP_KERNEL);
+- if (!ap_msg->msg)
+- return -ENOMEM;
+- ap_msg->bufsize = PAGE_SIZE;
+ ap_msg->receive = zcrypt_msgtype6_receive;
+ ap_msg->psmid = (((unsigned long)current->pid) << 32) +
+ atomic_inc_return(&zcrypt_step);
+ rc = icacrt_msg_to_type6crt_msgx(zq, ap_msg, crt);
+ if (rc)
+- goto out_free;
++ goto out;
+ resp_type->type = CEXXC_RESPONSE_TYPE_ICA;
+ init_completion(&resp_type->work);
+ rc = ap_queue_message(zq->queue, ap_msg);
+ if (rc)
+- goto out_free;
++ goto out;
+ rc = wait_for_completion_interruptible(&resp_type->work);
+ if (rc == 0) {
+ rc = ap_msg->rc;
+@@ -1038,9 +1036,7 @@ static long zcrypt_msgtype6_modexpo_crt(
+ ap_cancel_message(zq->queue, ap_msg);
+ }
+
+-out_free:
+- free_page((unsigned long)ap_msg->msg);
+- ap_msg->msg = NULL;
++out:
+ return rc;
+ }
+
diff --git a/queue-6.19/series b/queue-6.19/series
index 1b0a6e014e..b5d6745e44 100644
--- a/queue-6.19/series
+++ b/queue-6.19/series
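Review bot: With the local `get_zeroed_page()` gone, zcrypt_msgtype6_modexpo() and zcrypt_msgtype6_modexpo_crt() no longer control `ap_msg->bufsize`, which used to be fixed to `PAGE_SIZE` at this point. `icamex_msg_to_type6mex_msgx()` and `icacrt_msg_to_type6crt_msgx()` presumably build the request in `ap_msg->msg`, and these hunks do not show whether they bound their writes by `ap_msg->bufsize` or still assume a full page, so that should be checked against the size `ap_init_apmsg()` provides. Separately, the `out:` label now guards nothing: each `goto out;` can become `return rc;` and the label can be dropped in both functions.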
@@ -248,3 +248,23 @@ usb-cdns3-gadget-fix-state-inconsistency-on-gadget-init-failure.patch
 usb-core-use-dedicated-spinlock-for-offload-state.patch
 x86-platform-geode-fix-on-stack-property-data-use-after-return-bug.patch
 io_uring-protect-remaining-lockless-ctx-rings-access.patch
+auxdisplay-line-display-fix-null-dereference-in-linedisp_release.patch
+bridge-br_nd_send-validate-nd-option-lengths.patch
+cdc-acm-new-quirk-for-epson-hmd.patch
+comedi-dt2815-add-hardware-detection-to-prevent-crash.patch
+comedi-runflags-cannot-determine-whether-to-reclaim-chanlist.patch
+comedi-reinit-dev-spinlock-between-attachments-to-low-level-drivers.patch
+comedi-ni_atmio16d-fix-invalid-clean-up-after-failed-attach.patch
+comedi-me_daq-fix-potential-overrun-of-firmware-buffer.patch
+comedi-me4000-fix-potential-overrun-of-firmware-buffer.patch
+firmware-microchip-fail-auto-update-probe-if-no-flash-found.patch
+dt-bindings-connector-add-pd-disable-dependency.patch
+spi-cadence-qspi-fix-exec_mem_op-error-handling.patch
+s390-zcrypt-fix-memory-leak-with-cca-cards-used-as-accelerator.patch
+s390-cpum_sf-cap-sampling-rate-to-prevent-lsctl-exception.patch
+reset-gpio-fix-double-free-in-reset_add_gpio_aux_device-error-path.patch
+pm-em-fix-null-pointer-dereference-when-perf-domain-id-is-not-found.patch
+nvmem-imx-assign-nvmem_cell_info-raw_len.patch
+nvmem-zynqmp_nvmem-fix-buffer-size-in-dma-and-memcpy.patch
+netfilter-ipset-drop-logically-empty-buckets-in-mtype_del.patch
+gpib-fix-fluke-driver-s390-compile-issue.patch
diff --git a/queue-6.19/spi-cadence-qspi-fix-exec_mem_op-error-handling.patch b/queue-6.19/spi-cadence-qspi-fix-exec_mem_op-error-handling.patch
new file mode 100644
index 0000000000..abcad097ce
--- /dev/null
+++ b/queue-6.19/spi-cadence-qspi-fix-exec_mem_op-error-handling.patch
@@ -0,0 +1,67 @@
+From 59e1be1278f064d7172b00473b7e0c453cb1ec52 Mon Sep 17 00:00:00 2001
+From: Emanuele Ghidoli
+Date: Fri, 13 Mar 2026 14:52:31 +0100
+Subject: spi: cadence-qspi: Fix exec_mem_op error handling
+
+From: Emanuele Ghidoli
+
+commit 59e1be1278f064d7172b00473b7e0c453cb1ec52 upstream.
+
+cqspi_exec_mem_op() increments the runtime PM usage counter before all
+refcount checks are performed. If one of these checks fails, the function
+returns without dropping the PM reference.
+
+Move the pm_runtime_resume_and_get() call after the refcount checks so
+that runtime PM is only acquired when the operation can proceed and
+drop the inflight_ops refcount if the PM resume fails.
+
+Cc: stable@vger.kernel.org
+Fixes: 7446284023e8 ("spi: cadence-quadspi: Implement refcount to handle unbind during busy")
+Signed-off-by: Emanuele Ghidoli
+Link: https://patch.msgid.link/20260313135236.46642-1-ghidoliemanuele@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-cadence-quadspi.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1478,14 +1478,6 @@ static int cqspi_exec_mem_op(struct spi_
+ if (refcount_read(&cqspi->inflight_ops) == 0)
+ return -ENODEV;
+
+- if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) {
+- ret = pm_runtime_resume_and_get(dev);
+- if (ret) {
+- dev_err(&mem->spi->dev, "resume failed with %d\n", ret);
+- return ret;
+- }
+- }
+-
+ if (!refcount_read(&cqspi->refcount))
+ return -EBUSY;
+
+@@ -1497,6 +1489,14 @@ static int cqspi_exec_mem_op(struct spi_
+ return -EBUSY;
+ }
+
++ if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM))) {
++ ret = pm_runtime_resume_and_get(dev);
++ if (ret) {
++ dev_err(&mem->spi->dev, "resume failed with %d\n", ret);
++ goto dec_inflight_refcount;
++ }
++ }
++
+ ret = cqspi_mem_process(mem, op);
+
+ if (!(ddata && (ddata->quirks & CQSPI_DISABLE_RUNTIME_PM)))
+@@ -1505,6 +1505,7 @@ static int cqspi_exec_mem_op(struct spi_
+ if (ret)
+ dev_err(&mem->spi->dev, "operation failed with %d\n", ret);
+
++dec_inflight_refcount:
+ if (refcount_read(&cqspi->inflight_ops) > 1)
+ refcount_dec(&cqspi->inflight_ops);
+
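Review bot: The new `goto dec_inflight_refcount;` path lands on `if (refcount_read(&cqspi->inflight_ops) > 1)` followed by `refcount_dec(&cqspi->inflight_ops);`, a read and a separate decrement. Those are context lines rather than part of this change, but if an unbind can run concurrently (the Fixes: subject suggests it can) the pair is not atomic, and `refcount_dec_not_one(&cqspi->inflight_ops);` would do the same in one step. The label would also benefit from a comment such as `/* reached without a runtime PM reference when resume failed */`, since `pm_runtime_resume_and_get()` drops its usage count on failure. cqspi_exec_mem_op() starts and ends outside these hunks.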