From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 16:01:02 +0000 (+0100) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=874c3dcdfcede40fa4b773cd85f2101c8e267700;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch arm-dts-microchip-sama7d65-fix-uart-fifo-size-to-32.patch arm-dts-microchip-sama7g5-fix-uart-fifo-size-to-32.patch crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch crypto-arm64-ghash-fix-incorrect-output-from-ghash-neon.patch crypto-caam-add-check-for-kcalloc-in-test_len.patch dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch hwmon-max16065-use-local-variable-to-avoid-toctou.patch hwmon-max6697-fix-regmap-leak-on-probe-failure.patch hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch io_uring-rsrc-fix-lost-entries-after-cloned-range.patch lib-crypto-riscv-depend-on-riscv_efficient_vector_unaligned_access.patch platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch pwm-rzg2l-gpt-allow-checking-period_tick-cache-value-only-if-sibling-channel-is-enabled.patch rpmsg-glink-fix-rpmsg-device-leak.patch rtla-timerlat_bpf-stop-tracing-on-user-latency.patch soc-amlogic-canvas-fix-device-leak-on-lookup.patch soc-apple-mailbox-fix-device-leak-on-lookup.patch soc-qcom-ocmem-fix-device-leak-on-lookup.patch soc-qcom-pbs-fix-device-leak-on-lookup.patch soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch tracing-fix-fixed-array-of-synthetic-event.patch vfio-fix-ksize-arg-while-copying-user-struct-in-vfio_df_ioctl_bind_iommufd.patch virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch zloop-fail-zone-append-operations-that-are-targeting-full-zones.patch zloop-make-the-write-pointer-of-full-zones-invalid.patch --- diff --git a/queue-6.18/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch b/queue-6.18/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch new file mode 100644 index 0000000000..1c822677bf --- /dev/null +++ b/queue-6.18/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch @@ -0,0 +1,34 @@ +From 500e1368e46928f4b2259612dcabb6999afae2a6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 25 Sep 2025 17:00:07 +0200 +Subject: amba: tegra-ahb: Fix device leak on SMMU enable + +From: Johan Hovold + +commit 500e1368e46928f4b2259612dcabb6999afae2a6 upstream. + +Make sure to drop the reference taken to the AHB platform device when +looking up its driver data while enabling the SMMU. + +Note that holding a reference to a device does not prevent its driver +data from going away. + +Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB") +Cc: stable@vger.kernel.org # 3.5 +Signed-off-by: Johan Hovold +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + drivers/amba/tegra-ahb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/amba/tegra-ahb.c ++++ b/drivers/amba/tegra-ahb.c +@@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_ + if (!dev) + return -EPROBE_DEFER; + ahb = dev_get_drvdata(dev); ++ put_device(dev); + val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL); + val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE; + gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL); diff --git a/queue-6.18/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch b/queue-6.18/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch new file mode 100644 index 0000000000..2e32b98c26 --- /dev/null +++ b/queue-6.18/arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch @@ -0,0 +1,69 @@ +From 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Fri, 14 Nov 2025 15:02:25 +0100 +Subject: ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 + +From: Nicolas Ferre + +commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce upstream. + +Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo +size of 32 data. Fix flexcom/spi nodes where this property is wrong. + +Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions") +Cc: stable@vger.kernel.org # 5.8+ +Signed-off-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/microchip/sama5d2.dtsi ++++ b/arch/arm/boot/dts/microchip/sama5d2.dtsi +@@ -571,7 +571,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(12))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + +@@ -642,7 +642,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(14))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + +@@ -854,7 +854,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(16))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + +@@ -925,7 +925,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(18))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + +@@ -997,7 +997,7 @@ + AT91_XDMAC_DT_PER_IF(1) | + AT91_XDMAC_DT_PERID(20))>; + dma-names = "tx", "rx"; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + diff --git a/queue-6.18/arm-dts-microchip-sama7d65-fix-uart-fifo-size-to-32.patch b/queue-6.18/arm-dts-microchip-sama7d65-fix-uart-fifo-size-to-32.patch new file mode 100644 index 0000000000..20018cb080 --- /dev/null +++ b/queue-6.18/arm-dts-microchip-sama7d65-fix-uart-fifo-size-to-32.patch @@ -0,0 +1,53 @@ +From 1f591be0a02c697f65a21be35f1d74117bbf4be2 Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Fri, 14 Nov 2025 11:33:12 +0100 +Subject: ARM: dts: microchip: sama7d65: fix uart fifo size to 32 + +From: Nicolas Ferre + +commit 1f591be0a02c697f65a21be35f1d74117bbf4be2 upstream. + +On some flexcom nodes related to uart, the fifo sizes were wrong: fix +them to 32 data. Note that product datasheet is being reviewed to fix +inconsistency, but this value is validated by product's designers. + +Fixes: 261dcfad1b59 ("ARM: dts: microchip: add sama7d65 SoC DT") +Fixes: b51e4aea3ecf ("ARM: dts: microchip: sama7d65: Add FLEXCOMs to sama7d65 SoC") +Cc: stable@vger.kernel.org # 6.16+ +Signed-off-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20251114103313.20220-1-nicolas.ferre@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/microchip/sama7d65.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/microchip/sama7d65.dtsi ++++ b/arch/arm/boot/dts/microchip/sama7d65.dtsi +@@ -557,7 +557,7 @@ + dma-names = "tx", "rx"; + atmel,use-dma-rx; + atmel,use-dma-tx; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + atmel,usart-mode = ; + status = "disabled"; + }; +@@ -618,7 +618,7 @@ + clocks = <&pmc PMC_TYPE_PERIPHERAL 40>; + clock-names = "usart"; + atmel,usart-mode = ; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + }; +@@ -643,7 +643,7 @@ + dma-names = "tx", "rx"; + atmel,use-dma-rx; + atmel,use-dma-tx; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + atmel,usart-mode = ; + status = "disabled"; + }; diff --git a/queue-6.18/arm-dts-microchip-sama7g5-fix-uart-fifo-size-to-32.patch b/queue-6.18/arm-dts-microchip-sama7g5-fix-uart-fifo-size-to-32.patch new file mode 100644 index 0000000000..30475f6eeb --- /dev/null +++ b/queue-6.18/arm-dts-microchip-sama7g5-fix-uart-fifo-size-to-32.patch @@ -0,0 +1,42 @@ +From 5654889a94b0de5ad6ceae3793e7f5e0b61b50b6 Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Fri, 14 Nov 2025 11:33:13 +0100 +Subject: ARM: dts: microchip: sama7g5: fix uart fifo size to 32 + +From: Nicolas Ferre + +commit 5654889a94b0de5ad6ceae3793e7f5e0b61b50b6 upstream. + +On some flexcom nodes related to uart, the fifo sizes were wrong: fix +them to 32 data. + +Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek") +Cc: stable@vger.kernel.org # 5.15+ +Signed-off-by: Nicolas Ferre +Link: https://lore.kernel.org/r/20251114103313.20220-2-nicolas.ferre@microchip.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/microchip/sama7g5.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/microchip/sama7g5.dtsi ++++ b/arch/arm/boot/dts/microchip/sama7g5.dtsi +@@ -824,7 +824,7 @@ + dma-names = "tx", "rx"; + atmel,use-dma-rx; + atmel,use-dma-tx; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + }; +@@ -850,7 +850,7 @@ + dma-names = "tx", "rx"; + atmel,use-dma-rx; + atmel,use-dma-tx; +- atmel,fifo-size = <16>; ++ atmel,fifo-size = <32>; + status = "disabled"; + }; + }; diff --git a/queue-6.18/crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch b/queue-6.18/crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch new file mode 100644 index 0000000000..12f3b1c2d5 --- /dev/null +++ b/queue-6.18/crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch @@ -0,0 +1,98 @@ +From 6f6e309328d53a10c0fe1f77dec2db73373179b6 Mon Sep 17 00:00:00 2001 +From: Shivani Agarwal +Date: Tue, 23 Sep 2025 23:01:48 -0700 +Subject: crypto: af_alg - zero initialize memory allocated via sock_kmalloc + +From: Shivani Agarwal + +commit 6f6e309328d53a10c0fe1f77dec2db73373179b6 upstream. + +Several crypto user API contexts and requests allocated with +sock_kmalloc() were left uninitialized, relying on callers to +set fields explicitly. This resulted in the use of uninitialized +data in certain error paths or when new fields are added in the +future. + +The ACVP patches also contain two user-space interface files: +algif_kpp.c and algif_akcipher.c. These too rely on proper +initialization of their context structures. + +A particular issue has been observed with the newly added +'inflight' variable introduced in af_alg_ctx by commit: + + 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") + +Because the context is not memset to zero after allocation, +the inflight variable has contained garbage values. As a result, +af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when +the garbage value was interpreted as true: + + https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209 + +The check directly tests ctx->inflight without explicitly +comparing against true/false. Since inflight is only ever set to +true or false later, an uninitialized value has triggered +-EBUSY failures. Zero-initializing memory allocated with +sock_kmalloc() ensures inflight and other fields start in a known +state, removing random issues caused by uninitialized data. + +Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations") +Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support") +Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code") +Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests") +Cc: stable@vger.kernel.org +Signed-off-by: Shivani Agarwal +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/af_alg.c | 5 ++--- + crypto/algif_hash.c | 3 +-- + crypto/algif_rng.c | 3 +-- + 3 files changed, 4 insertions(+), 7 deletions(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1212,15 +1212,14 @@ struct af_alg_async_req *af_alg_alloc_ar + if (unlikely(!areq)) + return ERR_PTR(-ENOMEM); + ++ memset(areq, 0, areqlen); ++ + ctx->inflight = true; + + areq->areqlen = areqlen; + areq->sk = sk; + areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl; +- areq->last_rsgl = NULL; + INIT_LIST_HEAD(&areq->rsgl_list); +- areq->tsgl = NULL; +- areq->tsgl_entries = 0; + + return areq; + } +--- a/crypto/algif_hash.c ++++ b/crypto/algif_hash.c +@@ -416,9 +416,8 @@ static int hash_accept_parent_nokey(void + if (!ctx) + return -ENOMEM; + +- ctx->result = NULL; ++ memset(ctx, 0, len); + ctx->len = len; +- ctx->more = false; + crypto_init_wait(&ctx->wait); + + ask->private = ctx; +--- a/crypto/algif_rng.c ++++ b/crypto/algif_rng.c +@@ -248,9 +248,8 @@ static int rng_accept_parent(void *priva + if (!ctx) + return -ENOMEM; + ++ memset(ctx, 0, len); + ctx->len = len; +- ctx->addtl = NULL; +- ctx->addtl_len = 0; + + /* + * No seeding done at that point -- if multiple accepts are diff --git a/queue-6.18/crypto-arm64-ghash-fix-incorrect-output-from-ghash-neon.patch b/queue-6.18/crypto-arm64-ghash-fix-incorrect-output-from-ghash-neon.patch new file mode 100644 index 0000000000..6f6d0aad89 --- /dev/null +++ b/queue-6.18/crypto-arm64-ghash-fix-incorrect-output-from-ghash-neon.patch @@ -0,0 +1,42 @@ +From f6a458746f905adb7d70e50e8b9383dc9e3fd75f Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 9 Dec 2025 14:34:17 -0800 +Subject: crypto: arm64/ghash - Fix incorrect output from ghash-neon + +From: Eric Biggers + +commit f6a458746f905adb7d70e50e8b9383dc9e3fd75f upstream. + +Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block +handling") made ghash_finup() pass the wrong buffer to +ghash_do_simd_update(). As a result, ghash-neon now produces incorrect +outputs when the message length isn't divisible by 16 bytes. Fix this. + +(I didn't notice this earlier because this code is reached only on CPUs +that support NEON but not PMULL. I haven't yet found a way to get +qemu-system-aarch64 to emulate that configuration.) + +Fixes: 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") +Cc: stable@vger.kernel.org +Reported-by: Diederik de Haas +Closes: https://lore.kernel.org/linux-crypto/DETXT7QI62KE.F3CGH2VWX1SC@cknow-tech.com/ +Tested-by: Diederik de Haas +Acked-by: Herbert Xu +Link: https://lore.kernel.org/r/20251209223417.112294-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/crypto/ghash-ce-glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/crypto/ghash-ce-glue.c ++++ b/arch/arm64/crypto/ghash-ce-glue.c +@@ -133,7 +133,7 @@ static int ghash_finup(struct shash_desc + u8 buf[GHASH_BLOCK_SIZE] = {}; + + memcpy(buf, src, len); +- ghash_do_simd_update(1, ctx->digest, src, key, NULL, ++ ghash_do_simd_update(1, ctx->digest, buf, key, NULL, + pmull_ghash_update_p8); + memzero_explicit(buf, sizeof(buf)); + } diff --git a/queue-6.18/crypto-caam-add-check-for-kcalloc-in-test_len.patch b/queue-6.18/crypto-caam-add-check-for-kcalloc-in-test_len.patch new file mode 100644 index 0000000000..07fab70f4b --- /dev/null +++ b/queue-6.18/crypto-caam-add-check-for-kcalloc-in-test_len.patch @@ -0,0 +1,40 @@ +From 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 Mon Sep 17 00:00:00 2001 +From: Guangshuo Li +Date: Tue, 23 Sep 2025 20:44:18 +0800 +Subject: crypto: caam - Add check for kcalloc() in test_len() + +From: Guangshuo Li + +commit 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 upstream. + +As kcalloc() may fail, check its return value to avoid a NULL pointer +dereference when passing the buffer to rng->read(). On allocation +failure, log the error and return since test_len() returns void. + +Fixes: 2be0d806e25e ("crypto: caam - add a test for the RNG") +Cc: stable@vger.kernel.org +Signed-off-by: Guangshuo Li +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/caam/caamrng.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c +index b3d14a7f4dd1..0eb43c862516 100644 +--- a/drivers/crypto/caam/caamrng.c ++++ b/drivers/crypto/caam/caamrng.c +@@ -181,7 +181,9 @@ static inline void test_len(struct hwrng *rng, size_t len, bool wait) + struct device *dev = ctx->ctrldev; + + buf = kcalloc(CAAM_RNG_MAX_FIFO_STORE_SIZE, sizeof(u8), GFP_KERNEL); +- ++ if (!buf) { ++ return; ++ } + while (len > 0) { + read_len = rng->read(rng, buf, len, wait); + +-- +2.52.0 + diff --git a/queue-6.18/dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch b/queue-6.18/dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..e301d3cfb0 --- /dev/null +++ b/queue-6.18/dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From ef99c2efeacac7758cc8c2d00e3200100a4da16c Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:45 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit ef99c2efeacac7758cc8c2d00e3200100a4da16c upstream. + +Commit 756485bfbb85 ("dt-bindings: PCI: qcom,pcie-sc7280: Move SC7280 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 756485bfbb85 ("dt-bindings: PCI: qcom,pcie-sc7280: Move SC7280 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-2-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml +@@ -76,6 +76,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.18/dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch b/queue-6.18/dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..e8f137dd8e --- /dev/null +++ b/queue-6.18/dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,37 @@ +From ea551601404d286813aef6819ddf0bf1d7d69a24 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:46 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sc8280xp: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit ea551601404d286813aef6819ddf0bf1d7d69a24 upstream. + +Commit c007a5505504 ("dt-bindings: PCI: qcom,pcie-sc8280xp: Move +SC8280XP to dedicated schema") move the device schema to separate file, +but it missed a "if:not:...then:" clause in the original binding which +was requiring power-domains and resets for this particular chip. + +Fixes: c007a5505504 ("dt-bindings: PCI: qcom,pcie-sc8280xp: Move SC8280XP to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-3-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml +@@ -61,6 +61,9 @@ properties: + required: + - interconnects + - interconnect-names ++ - power-domains ++ - resets ++ - reset-names + + allOf: + - $ref: qcom,pcie-common.yaml# diff --git a/queue-6.18/dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..3e7896a3aa --- /dev/null +++ b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From 31cb432b62fb796e0c1084542ba39311d2f716d5 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:47 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8150: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit 31cb432b62fb796e0c1084542ba39311d2f716d5 upstream. + +Commit 51bc04d5b49d ("dt-bindings: PCI: qcom,pcie-sm8150: Move SM8150 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 51bc04d5b49d ("dt-bindings: PCI: qcom,pcie-sm8150: Move SM8150 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-4-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml +@@ -74,6 +74,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.18/dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..f382658d5c --- /dev/null +++ b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From 2620c6bcd8c141b79ff2afe95dc814dfab644f63 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:48 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8250: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit 2620c6bcd8c141b79ff2afe95dc814dfab644f63 upstream. + +Commit 4891b66185c1 ("dt-bindings: PCI: qcom,pcie-sm8250: Move SM8250 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 4891b66185c1 ("dt-bindings: PCI: qcom,pcie-sm8250: Move SM8250 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-5-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml +@@ -83,6 +83,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.18/dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..b35bd2cc14 --- /dev/null +++ b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From 012ba0d5f02e1f192eda263b5f9f826e47d607bb Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:49 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8350: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit 012ba0d5f02e1f192eda263b5f9f826e47d607bb upstream. + +Commit 2278b8b54773 ("dt-bindings: PCI: qcom,pcie-sm8350: Move SM8350 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 2278b8b54773 ("dt-bindings: PCI: qcom,pcie-sm8350: Move SM8350 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-6-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml +@@ -73,6 +73,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.18/dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..8ef615dc20 --- /dev/null +++ b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From 667facc4000c49a7c280097ef6638f133bcb1e59 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:50 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8450: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit 667facc4000c49a7c280097ef6638f133bcb1e59 upstream. + +Commit 88c9b3af4e31 ("dt-bindings: PCI: qcom,pcie-sm8450: Move SM8450 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: 88c9b3af4e31 ("dt-bindings: PCI: qcom,pcie-sm8450: Move SM8450 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-7-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml +@@ -77,6 +77,11 @@ properties: + items: + - const: pci + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.18/dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch new file mode 100644 index 0000000000..3b0323e5f7 --- /dev/null +++ b/queue-6.18/dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch @@ -0,0 +1,39 @@ +From e60c6f34b9f3a83f96006243c0ef96c134520257 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 30 Oct 2025 09:50:51 +0100 +Subject: dt-bindings: PCI: qcom,pcie-sm8550: Add missing required power-domains and resets + +From: Krzysztof Kozlowski + +commit e60c6f34b9f3a83f96006243c0ef96c134520257 upstream. + +Commit b8d3404058a6 ("dt-bindings: PCI: qcom,pcie-sm8550: Move SM8550 to +dedicated schema") move the device schema to separate file, but it +missed a "if:not:...then:" clause in the original binding which was +requiring power-domains and resets for this particular chip. + +Fixes: b8d3404058a6 ("dt-bindings: PCI: qcom,pcie-sm8550: Move SM8550 to dedicated schema") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Rob Herring (Arm) +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-8-28c1f11599fe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml ++++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml +@@ -83,6 +83,11 @@ properties: + - const: pci # PCIe core reset + - const: link_down # PCIe link down reset + ++required: ++ - power-domains ++ - resets ++ - reset-names ++ + allOf: + - $ref: qcom,pcie-common.yaml# + diff --git a/queue-6.18/hwmon-max16065-use-local-variable-to-avoid-toctou.patch b/queue-6.18/hwmon-max16065-use-local-variable-to-avoid-toctou.patch new file mode 100644 index 0000000000..c6bbe5df10 --- /dev/null +++ b/queue-6.18/hwmon-max16065-use-local-variable-to-avoid-toctou.patch @@ -0,0 +1,51 @@ +From b8d5acdcf525f44e521ca4ef51dce4dac403dab4 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 28 Nov 2025 20:47:09 +0800 +Subject: hwmon: (max16065) Use local variable to avoid TOCTOU + +From: Gui-Dong Han + +commit b8d5acdcf525f44e521ca4ef51dce4dac403dab4 upstream. + +In max16065_current_show, data->curr_sense is read twice: once for the +error check and again for the calculation. Since +i2c_smbus_read_byte_data returns negative error codes on failure, if the +data changes to an error code between the check and the use, ADC_TO_CURR +results in an incorrect calculation. + +Read data->curr_sense into a local variable to ensure consistency. Note +that data->curr_gain is constant and safe to access directly. + +This aligns max16065_current_show with max16065_input_show, which +already uses a local variable for the same reason. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251128124709.3876-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/max16065.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/max16065.c ++++ b/drivers/hwmon/max16065.c +@@ -216,12 +216,13 @@ static ssize_t max16065_current_show(str + struct device_attribute *da, char *buf) + { + struct max16065_data *data = max16065_update_device(dev); ++ int curr_sense = data->curr_sense; + +- if (unlikely(data->curr_sense < 0)) +- return data->curr_sense; ++ if (unlikely(curr_sense < 0)) ++ return curr_sense; + + return sysfs_emit(buf, "%d\n", +- ADC_TO_CURR(data->curr_sense, data->curr_gain)); ++ ADC_TO_CURR(curr_sense, data->curr_gain)); + } + + static ssize_t max16065_limit_store(struct device *dev, diff --git a/queue-6.18/hwmon-max6697-fix-regmap-leak-on-probe-failure.patch b/queue-6.18/hwmon-max6697-fix-regmap-leak-on-probe-failure.patch new file mode 100644 index 0000000000..cb24305193 --- /dev/null +++ b/queue-6.18/hwmon-max6697-fix-regmap-leak-on-probe-failure.patch @@ -0,0 +1,36 @@ +From 02f0ad8e8de8cf5344f8f0fa26d9529b8339da47 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 27 Nov 2025 14:43:51 +0100 +Subject: hwmon: (max6697) fix regmap leak on probe failure + +From: Johan Hovold + +commit 02f0ad8e8de8cf5344f8f0fa26d9529b8339da47 upstream. + +The i2c regmap allocated during probe is never freed. + +Switch to using the device managed allocator so that the regmap is +released on probe failures (e.g. probe deferral) and on driver unbind. + +Fixes: 3a2a8cc3fe24 ("hwmon: (max6697) Convert to use regmap") +Cc: stable@vger.kernel.org # 6.12 +Cc: Guenter Roeck +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20251127134351.1585-1-johan@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/max6697.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/max6697.c ++++ b/drivers/hwmon/max6697.c +@@ -548,7 +548,7 @@ static int max6697_probe(struct i2c_clie + struct regmap *regmap; + int err; + +- regmap = regmap_init_i2c(client, &max6697_regmap_config); ++ regmap = devm_regmap_init_i2c(client, &max6697_regmap_config); + if (IS_ERR(regmap)) + return PTR_ERR(regmap); + diff --git a/queue-6.18/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch b/queue-6.18/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch new file mode 100644 index 0000000000..3361db0219 --- /dev/null +++ b/queue-6.18/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch @@ -0,0 +1,79 @@ +From 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Wed, 3 Dec 2025 02:01:05 +0800 +Subject: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU + +From: Gui-Dong Han + +commit 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 upstream. + +The macro FAN_FROM_REG evaluates its arguments multiple times. When used +in lockless contexts involving shared driver data, this leads to +Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially +causing divide-by-zero errors. + +Convert the macro to a static function. This guarantees that arguments +are evaluated only once (pass-by-value), preventing the race +conditions. + +Additionally, in store_fan_div, move the calculation of the minimum +limit inside the update lock. This ensures that the read-modify-write +sequence operates on consistent data. + +Adhere to the principle of minimal changes by only converting macros +that evaluate arguments multiple times and are used in lockless +contexts. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: 9873964d6eb2 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/w83791d.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/hwmon/w83791d.c ++++ b/drivers/hwmon/w83791d.c +@@ -218,9 +218,14 @@ static u8 fan_to_reg(long rpm, int div) + return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254); + } + +-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \ +- ((val) == 255 ? 0 : \ +- 1350000 / ((val) * (div)))) ++static int fan_from_reg(int val, int div) ++{ ++ if (val == 0) ++ return -1; ++ if (val == 255) ++ return 0; ++ return 1350000 / (val * div); ++} + + /* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */ + #define TEMP1_FROM_REG(val) ((val) * 1000) +@@ -521,7 +526,7 @@ static ssize_t show_##reg(struct device + struct w83791d_data *data = w83791d_update_device(dev); \ + int nr = sensor_attr->index; \ + return sprintf(buf, "%d\n", \ +- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ ++ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ + } + + show_fan_reg(fan); +@@ -585,10 +590,10 @@ static ssize_t store_fan_div(struct devi + if (err) + return err; + ++ mutex_lock(&data->update_lock); + /* Save fan_min */ +- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); ++ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); + +- mutex_lock(&data->update_lock); + data->fan_div[nr] = div_to_reg(nr, val); + + switch (nr) { diff --git a/queue-6.18/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch b/queue-6.18/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch new file mode 100644 index 0000000000..46119bd067 --- /dev/null +++ b/queue-6.18/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch @@ -0,0 +1,93 @@ +From 07272e883fc61574b8367d44de48917f622cdd83 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 28 Nov 2025 20:38:16 +0800 +Subject: hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU + +From: Gui-Dong Han + +commit 07272e883fc61574b8367d44de48917f622cdd83 upstream. + +The macros FAN_FROM_REG and TEMP_FROM_REG evaluate their arguments +multiple times. When used in lockless contexts involving shared driver +data, this causes Time-of-Check to Time-of-Use (TOCTOU) race +conditions. + +Convert the macros to static functions. This guarantees that arguments +are evaluated only once (pass-by-value), preventing the race +conditions. + +Adhere to the principle of minimal changes by only converting macros +that evaluate arguments multiple times and are used in lockless +contexts. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: 85f03bccd6e0 ("hwmon: Add support for Winbond W83L786NG/NR") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251128123816.3670-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/w83l786ng.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/drivers/hwmon/w83l786ng.c ++++ b/drivers/hwmon/w83l786ng.c +@@ -76,15 +76,25 @@ FAN_TO_REG(long rpm, int div) + return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254); + } + +-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \ +- ((val) == 255 ? 0 : \ +- 1350000 / ((val) * (div)))) ++static int fan_from_reg(int val, int div) ++{ ++ if (val == 0) ++ return -1; ++ if (val == 255) ++ return 0; ++ return 1350000 / (val * div); ++} + + /* for temp */ + #define TEMP_TO_REG(val) (clamp_val(((val) < 0 ? (val) + 0x100 * 1000 \ + : (val)) / 1000, 0, 0xff)) +-#define TEMP_FROM_REG(val) (((val) & 0x80 ? \ +- (val) - 0x100 : (val)) * 1000) ++ ++static int temp_from_reg(int val) ++{ ++ if (val & 0x80) ++ return (val - 0x100) * 1000; ++ return val * 1000; ++} + + /* + * The analog voltage inputs have 8mV LSB. Since the sysfs output is +@@ -280,7 +290,7 @@ static ssize_t show_##reg(struct device + int nr = to_sensor_dev_attr(attr)->index; \ + struct w83l786ng_data *data = w83l786ng_update_device(dev); \ + return sprintf(buf, "%d\n", \ +- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ ++ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ + } + + show_fan_reg(fan); +@@ -347,7 +357,7 @@ store_fan_div(struct device *dev, struct + + /* Save fan_min */ + mutex_lock(&data->update_lock); +- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); ++ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); + + data->fan_div[nr] = DIV_TO_REG(val); + +@@ -409,7 +419,7 @@ show_temp(struct device *dev, struct dev + int nr = sensor_attr->nr; + int index = sensor_attr->index; + struct w83l786ng_data *data = w83l786ng_update_device(dev); +- return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[nr][index])); ++ return sprintf(buf, "%d\n", temp_from_reg(data->temp[nr][index])); + } + + static ssize_t diff --git a/queue-6.18/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch b/queue-6.18/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch new file mode 100644 index 0000000000..c2244824dd --- /dev/null +++ b/queue-6.18/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch @@ -0,0 +1,51 @@ +From a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 22 Oct 2025 17:54:02 +0800 +Subject: i2c: amd-mp2: fix reference leak in MP2 PCI device + +From: Ma Ke + +commit a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 upstream. + +In i2c_amd_probe(), amd_mp2_find_device() utilizes +driver_find_next_device() which internally calls driver_find_device() +to locate the matching device. driver_find_device() increments the +reference count of the found device by calling get_device(), but +amd_mp2_find_device() fails to call put_device() to decrement the +reference count before returning. This results in a reference count +leak of the PCI device each time i2c_amd_probe() is executed, which +may prevent the device from being properly released and cause a memory +leak. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller") +Signed-off-by: Ma Ke +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20251022095402.8846-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-amd-mp2-pci.c ++++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c +@@ -458,13 +458,16 @@ struct amd_mp2_dev *amd_mp2_find_device( + { + struct device *dev; + struct pci_dev *pci_dev; ++ struct amd_mp2_dev *mp2_dev; + + dev = driver_find_next_device(&amd_mp2_pci_driver.driver, NULL); + if (!dev) + return NULL; + + pci_dev = to_pci_dev(dev); +- return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); ++ mp2_dev = (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); ++ put_device(dev); ++ return mp2_dev; + } + EXPORT_SYMBOL_GPL(amd_mp2_find_device); + diff --git a/queue-6.18/interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch b/queue-6.18/interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch new file mode 100644 index 0000000000..413c2c68d8 --- /dev/null +++ b/queue-6.18/interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch @@ -0,0 +1,119 @@ +From 295f58fdccd05b2d6da1f4a4f81952ccb565c4dc Mon Sep 17 00:00:00 2001 +From: Raviteja Laggyshetty +Date: Fri, 26 Sep 2025 12:12:09 +0530 +Subject: interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes + +From: Raviteja Laggyshetty + +commit 295f58fdccd05b2d6da1f4a4f81952ccb565c4dc upstream. + +As like other SDX SoCs, SDX75 SoC's QPIC BCM resource was modeled as a +RPMh clock in clk-rpmh driver. However, for SDX75, this resource was also +described as an interconnect and BCM node mistakenly. It is incorrect to +describe the same resource in two different providers, as it will lead to +votes from clients overriding each other. + +Hence, drop the QPIC interconnect and BCM nodes and let the clients use +clk-rpmh driver to vote for this resource. + +Without this change, the NAND driver fails to probe on SDX75, as the +interconnect sync state disables the QPIC nodes as there were no clients +voting for this ICC resource. However, the NAND driver had already voted +for this BCM resource through the clk-rpmh driver. Since both votes come +from Linux, RPMh was unable to distinguish between these two and ends up +disabling the QPIC resource during sync state. + +Cc: stable@vger.kernel.org +Fixes: 3642b4e5cbfe ("interconnect: qcom: Add SDX75 interconnect provider driver") +Signed-off-by: Raviteja Laggyshetty +[mani: dropped the reference to bcm_qp0, reworded description] +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Konrad Dybcio +Tested-by: Lakshmi Sowjanya D # on SDX75 +Link: https://lore.kernel.org/r/20250926-sdx75-icc-v2-1-20d6820e455c@oss.qualcomm.com +Signed-off-by: Georgi Djakov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/interconnect/qcom/sdx75.c | 26 -------------------------- + drivers/interconnect/qcom/sdx75.h | 2 -- + 2 files changed, 28 deletions(-) + +--- a/drivers/interconnect/qcom/sdx75.c ++++ b/drivers/interconnect/qcom/sdx75.c +@@ -16,15 +16,6 @@ + #include "icc-rpmh.h" + #include "sdx75.h" + +-static struct qcom_icc_node qpic_core_master = { +- .name = "qpic_core_master", +- .id = SDX75_MASTER_QPIC_CORE, +- .channels = 1, +- .buswidth = 4, +- .num_links = 1, +- .links = { SDX75_SLAVE_QPIC_CORE }, +-}; +- + static struct qcom_icc_node qup0_core_master = { + .name = "qup0_core_master", + .id = SDX75_MASTER_QUP_CORE_0, +@@ -375,14 +366,6 @@ static struct qcom_icc_node xm_usb3 = { + .links = { SDX75_SLAVE_A1NOC_CFG }, + }; + +-static struct qcom_icc_node qpic_core_slave = { +- .name = "qpic_core_slave", +- .id = SDX75_SLAVE_QPIC_CORE, +- .channels = 1, +- .buswidth = 4, +- .num_links = 0, +-}; +- + static struct qcom_icc_node qup0_core_slave = { + .name = "qup0_core_slave", + .id = SDX75_SLAVE_QUP_CORE_0, +@@ -831,12 +814,6 @@ static struct qcom_icc_bcm bcm_mc0 = { + .nodes = { &ebi }, + }; + +-static struct qcom_icc_bcm bcm_qp0 = { +- .name = "QP0", +- .num_nodes = 1, +- .nodes = { &qpic_core_slave }, +-}; +- + static struct qcom_icc_bcm bcm_qup0 = { + .name = "QUP0", + .keepalive = true, +@@ -898,14 +875,11 @@ static struct qcom_icc_bcm bcm_sn4 = { + }; + + static struct qcom_icc_bcm * const clk_virt_bcms[] = { +- &bcm_qp0, + &bcm_qup0, + }; + + static struct qcom_icc_node * const clk_virt_nodes[] = { +- [MASTER_QPIC_CORE] = &qpic_core_master, + [MASTER_QUP_CORE_0] = &qup0_core_master, +- [SLAVE_QPIC_CORE] = &qpic_core_slave, + [SLAVE_QUP_CORE_0] = &qup0_core_slave, + }; + +--- a/drivers/interconnect/qcom/sdx75.h ++++ b/drivers/interconnect/qcom/sdx75.h +@@ -33,7 +33,6 @@ + #define SDX75_MASTER_QDSS_ETR 24 + #define SDX75_MASTER_QDSS_ETR_1 25 + #define SDX75_MASTER_QPIC 26 +-#define SDX75_MASTER_QPIC_CORE 27 + #define SDX75_MASTER_QUP_0 28 + #define SDX75_MASTER_QUP_CORE_0 29 + #define SDX75_MASTER_SDCC_1 30 +@@ -76,7 +75,6 @@ + #define SDX75_SLAVE_QDSS_CFG 67 + #define SDX75_SLAVE_QDSS_STM 68 + #define SDX75_SLAVE_QPIC 69 +-#define SDX75_SLAVE_QPIC_CORE 70 + #define SDX75_SLAVE_QUP_0 71 + #define SDX75_SLAVE_QUP_CORE_0 72 + #define SDX75_SLAVE_SDCC_1 73 diff --git a/queue-6.18/io_uring-rsrc-fix-lost-entries-after-cloned-range.patch b/queue-6.18/io_uring-rsrc-fix-lost-entries-after-cloned-range.patch new file mode 100644 index 0000000000..6031453f79 --- /dev/null +++ b/queue-6.18/io_uring-rsrc-fix-lost-entries-after-cloned-range.patch @@ -0,0 +1,51 @@ +From 525916ce496615f531091855604eab9ca573b195 Mon Sep 17 00:00:00 2001 +From: Joanne Koong +Date: Thu, 4 Dec 2025 13:51:16 -0800 +Subject: io_uring/rsrc: fix lost entries after cloned range + +From: Joanne Koong + +commit 525916ce496615f531091855604eab9ca573b195 upstream. + +When cloning with node replacements (IORING_REGISTER_DST_REPLACE), +destination entries after the cloned range are not copied over. + +Add logic to copy them over to the new destination table. + +Fixes: c1329532d5aa ("io_uring/rsrc: allow cloning with node replacements") +Cc: stable@vger.kernel.org +Signed-off-by: Joanne Koong +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/rsrc.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -1200,7 +1200,7 @@ static int io_clone_buffers(struct io_ri + if (ret) + return ret; + +- /* Fill entries in data from dst that won't overlap with src */ ++ /* Copy original dst nodes from before the cloned range */ + for (i = 0; i < min(arg->dst_off, ctx->buf_table.nr); i++) { + struct io_rsrc_node *src_node = ctx->buf_table.nodes[i]; + +@@ -1248,6 +1248,16 @@ static int io_clone_buffers(struct io_ri + i++; + } + ++ /* Copy original dst nodes from after the cloned range */ ++ for (i = nbufs; i < ctx->buf_table.nr; i++) { ++ struct io_rsrc_node *node = ctx->buf_table.nodes[i]; ++ ++ if (node) { ++ data.nodes[i] = node; ++ node->refs++; ++ } ++ } ++ + /* + * If asked for replace, put the old table. data->nodes[] holds both + * old and new nodes at this point. diff --git a/queue-6.18/lib-crypto-riscv-depend-on-riscv_efficient_vector_unaligned_access.patch b/queue-6.18/lib-crypto-riscv-depend-on-riscv_efficient_vector_unaligned_access.patch new file mode 100644 index 0000000000..fb4a41eb11 --- /dev/null +++ b/queue-6.18/lib-crypto-riscv-depend-on-riscv_efficient_vector_unaligned_access.patch @@ -0,0 +1,117 @@ +From 1cd5bb6e9e027bab33aafd58fe8340124869ba62 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 6 Dec 2025 13:37:50 -0800 +Subject: lib/crypto: riscv: Depend on RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS + +From: Eric Biggers + +commit 1cd5bb6e9e027bab33aafd58fe8340124869ba62 upstream. + +Replace the RISCV_ISA_V dependency of the RISC-V crypto code with +RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS, which implies RISCV_ISA_V as +well as vector unaligned accesses being efficient. + +This is necessary because this code assumes that vector unaligned +accesses are supported and are efficient. (It does so to avoid having +to use lots of extra vsetvli instructions to switch the element width +back and forth between 8 and either 32 or 64.) + +This was omitted from the code originally just because the RISC-V kernel +support for detecting this feature didn't exist yet. Support has now +been added, but it's fragmented into per-CPU runtime detection, a +command-line parameter, and a kconfig option. The kconfig option is the +only reasonable way to do it, though, so let's just rely on that. + +Fixes: eb24af5d7a05 ("crypto: riscv - add vector crypto accelerated AES-{ECB,CBC,CTR,XTS}") +Fixes: bb54668837a0 ("crypto: riscv - add vector crypto accelerated ChaCha20") +Fixes: 600a3853dfa0 ("crypto: riscv - add vector crypto accelerated GHASH") +Fixes: 8c8e40470ffe ("crypto: riscv - add vector crypto accelerated SHA-{256,224}") +Fixes: b3415925a08b ("crypto: riscv - add vector crypto accelerated SHA-{512,384}") +Fixes: 563a5255afa2 ("crypto: riscv - add vector crypto accelerated SM3") +Fixes: b8d06352bbf3 ("crypto: riscv - add vector crypto accelerated SM4") +Cc: stable@vger.kernel.org +Reported-by: Vivian Wang +Closes: https://lore.kernel.org/r/b3cfcdac-0337-4db0-a611-258f2868855f@iscas.ac.cn/ +Reviewed-by: Jerry Shih +Link: https://lore.kernel.org/r/20251206213750.81474-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/crypto/Kconfig | 12 ++++++++---- + lib/crypto/Kconfig | 9 ++++++--- + 2 files changed, 14 insertions(+), 7 deletions(-) + +--- a/arch/riscv/crypto/Kconfig ++++ b/arch/riscv/crypto/Kconfig +@@ -4,7 +4,8 @@ menu "Accelerated Cryptographic Algorith + + config CRYPTO_AES_RISCV64 + tristate "Ciphers: AES, modes: ECB, CBC, CTS, CTR, XTS" +- depends on 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO ++ depends on 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ ++ RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS + select CRYPTO_ALGAPI + select CRYPTO_LIB_AES + select CRYPTO_SKCIPHER +@@ -20,7 +21,8 @@ config CRYPTO_AES_RISCV64 + + config CRYPTO_GHASH_RISCV64 + tristate "Hash functions: GHASH" +- depends on 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO ++ depends on 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ ++ RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS + select CRYPTO_GCM + help + GCM GHASH function (NIST SP 800-38D) +@@ -30,7 +32,8 @@ config CRYPTO_GHASH_RISCV64 + + config CRYPTO_SM3_RISCV64 + tristate "Hash functions: SM3 (ShangMi 3)" +- depends on 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO ++ depends on 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ ++ RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS + select CRYPTO_HASH + select CRYPTO_LIB_SM3 + help +@@ -42,7 +45,8 @@ config CRYPTO_SM3_RISCV64 + + config CRYPTO_SM4_RISCV64 + tristate "Ciphers: SM4 (ShangMi 4)" +- depends on 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO ++ depends on 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ ++ RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS + select CRYPTO_ALGAPI + select CRYPTO_SM4 + help +--- a/lib/crypto/Kconfig ++++ b/lib/crypto/Kconfig +@@ -50,7 +50,8 @@ config CRYPTO_LIB_CHACHA_ARCH + default y if ARM64 && KERNEL_MODE_NEON + default y if MIPS && CPU_MIPS32_R2 + default y if PPC64 && CPU_LITTLE_ENDIAN && VSX +- default y if RISCV && 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO ++ default y if RISCV && 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ ++ RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS + default y if S390 + default y if X86_64 + +@@ -161,7 +162,8 @@ config CRYPTO_LIB_SHA256_ARCH + default y if ARM64 + default y if MIPS && CPU_CAVIUM_OCTEON + default y if PPC && SPE +- default y if RISCV && 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO ++ default y if RISCV && 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ ++ RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS + default y if S390 + default y if SPARC64 + default y if X86_64 +@@ -179,7 +181,8 @@ config CRYPTO_LIB_SHA512_ARCH + default y if ARM && !CPU_V7M + default y if ARM64 + default y if MIPS && CPU_CAVIUM_OCTEON +- default y if RISCV && 64BIT && RISCV_ISA_V && TOOLCHAIN_HAS_VECTOR_CRYPTO ++ default y if RISCV && 64BIT && TOOLCHAIN_HAS_VECTOR_CRYPTO && \ ++ RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS + default y if S390 + default y if SPARC64 + default y if X86_64 diff --git a/queue-6.18/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch b/queue-6.18/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch new file mode 100644 index 0000000000..17f7a688ae --- /dev/null +++ b/queue-6.18/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch @@ -0,0 +1,115 @@ +From 527250cd9092461f1beac3e4180a4481bffa01b5 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 21 Nov 2025 11:04:50 +0100 +Subject: platform/x86: intel: chtwc_int33fe: don't dereference swnode args +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bartosz Golaszewski + +commit 527250cd9092461f1beac3e4180a4481bffa01b5 upstream. + +Members of struct software_node_ref_args should not be dereferenced +directly but set using the provided macros. Commit d7cdbbc93c56 +("software node: allow referencing firmware nodes") changed the name of +the software node member and caused a build failure. Remove all direct +dereferences of the ref struct as a fix. + +However, this driver also seems to abuse the software node interface by +waiting for a node with an arbitrary name "intel-xhci-usb-sw" to appear +in the system before setting up the reference for the I2C device, while +the actual software node already exists in the intel-xhci-usb-role-switch +module and should be used to set up a static reference. Add a FIXME for +a future improvement. + +Fixes: d7cdbbc93c56 ("software node: allow referencing firmware nodes") +Fixes: 53c24c2932e5 ("platform/x86: intel_cht_int33fe: use inline reference properties") +Cc: stable@vger.kernel.org +Reported-by: Stephen Rothwell +Closes: https://lore.kernel.org/all/20251121111534.7cdbfe5c@canb.auug.org.au/ +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Hans de Goede +Acked-by: Ilpo Järvinen +Signed-off-by: Philipp Zabel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel/chtwc_int33fe.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +--- a/drivers/platform/x86/intel/chtwc_int33fe.c ++++ b/drivers/platform/x86/intel/chtwc_int33fe.c +@@ -77,7 +77,7 @@ static const struct software_node max170 + * software node. + */ + static struct software_node_ref_args fusb302_mux_refs[] = { +- { .node = NULL }, ++ SOFTWARE_NODE_REFERENCE(NULL), + }; + + static const struct property_entry fusb302_properties[] = { +@@ -190,11 +190,6 @@ static void cht_int33fe_remove_nodes(str + { + software_node_unregister_node_group(node_group); + +- if (fusb302_mux_refs[0].node) { +- fwnode_handle_put(software_node_fwnode(fusb302_mux_refs[0].node)); +- fusb302_mux_refs[0].node = NULL; +- } +- + if (data->dp) { + data->dp->secondary = NULL; + fwnode_handle_put(data->dp); +@@ -202,7 +197,15 @@ static void cht_int33fe_remove_nodes(str + } + } + +-static int cht_int33fe_add_nodes(struct cht_int33fe_data *data) ++static void cht_int33fe_put_swnode(void *data) ++{ ++ struct fwnode_handle *fwnode = data; ++ ++ fwnode_handle_put(fwnode); ++ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(NULL); ++} ++ ++static int cht_int33fe_add_nodes(struct device *dev, struct cht_int33fe_data *data) + { + const struct software_node *mux_ref_node; + int ret; +@@ -212,17 +215,25 @@ static int cht_int33fe_add_nodes(struct + * until the mux driver has created software node for the mux device. + * It means we depend on the mux driver. This function will return + * -EPROBE_DEFER until the mux device is registered. ++ * ++ * FIXME: the relevant software node exists in intel-xhci-usb-role-switch ++ * and - if exported - could be used to set up a static reference. + */ + mux_ref_node = software_node_find_by_name(NULL, "intel-xhci-usb-sw"); + if (!mux_ref_node) + return -EPROBE_DEFER; + ++ ret = devm_add_action_or_reset(dev, cht_int33fe_put_swnode, ++ software_node_fwnode(mux_ref_node)); ++ if (ret) ++ return ret; ++ + /* + * Update node used in "usb-role-switch" property. Note that we + * rely on software_node_register_node_group() to use the original + * instance of properties instead of copying them. + */ +- fusb302_mux_refs[0].node = mux_ref_node; ++ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(mux_ref_node); + + ret = software_node_register_node_group(node_group); + if (ret) +@@ -345,7 +356,7 @@ static int cht_int33fe_typec_probe(struc + return fusb302_irq; + } + +- ret = cht_int33fe_add_nodes(data); ++ ret = cht_int33fe_add_nodes(dev, data); + if (ret) + return ret; + diff --git a/queue-6.18/pwm-rzg2l-gpt-allow-checking-period_tick-cache-value-only-if-sibling-channel-is-enabled.patch b/queue-6.18/pwm-rzg2l-gpt-allow-checking-period_tick-cache-value-only-if-sibling-channel-is-enabled.patch new file mode 100644 index 0000000000..f84ae7f8f7 --- /dev/null +++ b/queue-6.18/pwm-rzg2l-gpt-allow-checking-period_tick-cache-value-only-if-sibling-channel-is-enabled.patch @@ -0,0 +1,63 @@ +From fae00ea9f00367771003ace78f29549dead58fc7 Mon Sep 17 00:00:00 2001 +From: Biju Das +Date: Wed, 26 Nov 2025 10:42:48 +0000 +Subject: pwm: rzg2l-gpt: Allow checking period_tick cache value only if sibling channel is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Biju Das + +commit fae00ea9f00367771003ace78f29549dead58fc7 upstream. + +The rzg2l_gpt_config() tests the rzg2l_gpt->period_tick variable when +both channels of a hardware channel are in use. This check is not valid +if rzg2l_gpt_config() is called after disabling all the channels, as it +tests against the cached value. Hence, allow checking and setting the +cached value only if the sibling channel is enabled. + +While at it, drop else after return statement to fix the check patch +warning. + +Cc: stable@kernel.org +Fixes: 061f087f5d0b ("pwm: Add support for RZ/G2L GPT") +Signed-off-by: Biju Das +Link: https://patch.msgid.link/20251126104308.142302-1-biju.das.jz@bp.renesas.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-rzg2l-gpt.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/pwm/pwm-rzg2l-gpt.c ++++ b/drivers/pwm/pwm-rzg2l-gpt.c +@@ -96,6 +96,11 @@ static inline unsigned int rzg2l_gpt_sub + return hwpwm & 0x1; + } + ++static inline unsigned int rzg2l_gpt_sibling(unsigned int hwpwm) ++{ ++ return hwpwm ^ 0x1; ++} ++ + static void rzg2l_gpt_write(struct rzg2l_gpt_chip *rzg2l_gpt, u32 reg, u32 data) + { + writel(data, rzg2l_gpt->mmio + reg); +@@ -271,10 +276,14 @@ static int rzg2l_gpt_config(struct pwm_c + * in use with different settings. + */ + if (rzg2l_gpt->channel_request_count[ch] > 1) { +- if (period_ticks < rzg2l_gpt->period_ticks[ch]) +- return -EBUSY; +- else ++ u8 sibling_ch = rzg2l_gpt_sibling(pwm->hwpwm); ++ ++ if (rzg2l_gpt_is_ch_enabled(rzg2l_gpt, sibling_ch)) { ++ if (period_ticks < rzg2l_gpt->period_ticks[ch]) ++ return -EBUSY; ++ + period_ticks = rzg2l_gpt->period_ticks[ch]; ++ } + } + + prescale = rzg2l_gpt_calculate_prescale(rzg2l_gpt, period_ticks); diff --git a/queue-6.18/rpmsg-glink-fix-rpmsg-device-leak.patch b/queue-6.18/rpmsg-glink-fix-rpmsg-device-leak.patch new file mode 100644 index 0000000000..0a5ef70ce7 --- /dev/null +++ b/queue-6.18/rpmsg-glink-fix-rpmsg-device-leak.patch @@ -0,0 +1,83 @@ +From a53e356df548f6b0e82529ef3cc6070f42622189 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 22 Aug 2025 11:00:42 +0100 +Subject: rpmsg: glink: fix rpmsg device leak + +From: Srinivas Kandagatla + +commit a53e356df548f6b0e82529ef3cc6070f42622189 upstream. + +While testing rpmsg-char interface it was noticed that duplicate sysfs +entries are getting created and below warning is noticed. + +Reason for this is that we are leaking rpmsg device pointer, setting it +null without actually unregistering device. +Any further attempts to unregister fail because rpdev is NULL, +resulting in a leak. + +Fix this by unregistering rpmsg device before removing its reference +from rpmsg channel. + +sysfs: cannot create duplicate filename '/devices/platform/soc@0/3700000.remot +eproc/remoteproc/remoteproc1/3700000.remoteproc:glink-edge/3700000.remoteproc: +glink-edge.adsp_apps.-1.-1' +[ 114.115347] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not + tainted 6.16.0-rc4 #7 PREEMPT +[ 114.115355] Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 (DT) +[ 114.115358] Workqueue: events qcom_glink_work +[ 114.115371] Call trace:8 +[ 114.115374] show_stack+0x18/0x24 (C) +[ 114.115382] dump_stack_lvl+0x60/0x80 +[ 114.115388] dump_stack+0x18/0x24 +[ 114.115393] sysfs_warn_dup+0x64/0x80 +[ 114.115402] sysfs_create_dir_ns+0xf4/0x120 +[ 114.115409] kobject_add_internal+0x98/0x260 +[ 114.115416] kobject_add+0x9c/0x108 +[ 114.115421] device_add+0xc4/0x7a0 +[ 114.115429] rpmsg_register_device+0x5c/0xb0 +[ 114.115434] qcom_glink_work+0x4bc/0x820 +[ 114.115438] process_one_work+0x148/0x284 +[ 114.115446] worker_thread+0x2c4/0x3e0 +[ 114.115452] kthread+0x12c/0x204 +[ 114.115457] ret_from_fork+0x10/0x20 +[ 114.115464] kobject: kobject_add_internal failed for 3700000.remoteproc: +glink-edge.adsp_apps.-1.-1 with -EEXIST, don't try to register things with +the same name in the same directory. +[ 114.250045] rpmsg 3700000.remoteproc:glink-edge.adsp_apps.-1.-1: +device_add failed: -17 + +Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250822100043.2604794-2-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rpmsg/qcom_glink_native.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -1399,6 +1399,7 @@ static void qcom_glink_destroy_ept(struc + { + struct glink_channel *channel = to_glink_channel(ept); + struct qcom_glink *glink = channel->glink; ++ struct rpmsg_channel_info chinfo; + unsigned long flags; + + spin_lock_irqsave(&channel->recv_lock, flags); +@@ -1406,6 +1407,13 @@ static void qcom_glink_destroy_ept(struc + spin_unlock_irqrestore(&channel->recv_lock, flags); + + /* Decouple the potential rpdev from the channel */ ++ if (channel->rpdev) { ++ strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name)); ++ chinfo.src = RPMSG_ADDR_ANY; ++ chinfo.dst = RPMSG_ADDR_ANY; ++ ++ rpmsg_unregister_device(glink->dev, &chinfo); ++ } + channel->rpdev = NULL; + + qcom_glink_send_close_req(glink, channel); diff --git a/queue-6.18/rtla-timerlat_bpf-stop-tracing-on-user-latency.patch b/queue-6.18/rtla-timerlat_bpf-stop-tracing-on-user-latency.patch new file mode 100644 index 0000000000..dca74333aa --- /dev/null +++ b/queue-6.18/rtla-timerlat_bpf-stop-tracing-on-user-latency.patch @@ -0,0 +1,46 @@ +From e4240db9336c25826a2d6634adcca86d5ee01bde Mon Sep 17 00:00:00 2001 +From: Tomas Glozar +Date: Mon, 6 Oct 2025 16:31:00 +0200 +Subject: rtla/timerlat_bpf: Stop tracing on user latency + +From: Tomas Glozar + +commit e4240db9336c25826a2d6634adcca86d5ee01bde upstream. + +rtla-timerlat allows a *thread* latency threshold to be set via the +-T/--thread option. However, the timerlat tracer calls this *total* +latency (stop_tracing_total_us), and stops tracing also when the +return-to-user latency is over the threshold. + +Change the behavior of the timerlat BPF program to reflect what the +timerlat tracer is doing, to avoid discrepancy between stopping +collecting data in the BPF program and stopping tracing in the timerlat +tracer. + +Cc: stable@vger.kernel.org +Fixes: e34293ddcebd ("rtla/timerlat: Add BPF skeleton to collect samples") +Reviewed-by: Wander Lairson Costa +Link: https://lore.kernel.org/r/20251006143100.137255-1-tglozar@redhat.com +Signed-off-by: Tomas Glozar +Signed-off-by: Greg Kroah-Hartman +--- + tools/tracing/rtla/src/timerlat.bpf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/tracing/rtla/src/timerlat.bpf.c b/tools/tracing/rtla/src/timerlat.bpf.c +index 084cd10c21fc..e2265b5d6491 100644 +--- a/tools/tracing/rtla/src/timerlat.bpf.c ++++ b/tools/tracing/rtla/src/timerlat.bpf.c +@@ -148,6 +148,9 @@ int handle_timerlat_sample(struct trace_event_raw_timerlat_sample *tp_args) + } else { + update_main_hist(&hist_user, bucket); + update_summary(&summary_user, latency, bucket); ++ ++ if (thread_threshold != 0 && latency_us >= thread_threshold) ++ set_stop_tracing(); + } + + return 0; +-- +2.52.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 0099f433c4..f77d28bb88 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -387,3 +387,39 @@ drm-amd-display-use-gfp_atomic-in-dc_create_plane_state.patch drm-amd-display-fix-scratch-registers-offsets-for-dcn35.patch drm-amd-display-fix-scratch-registers-offsets-for-dcn351.patch drm-displayid-pass-iter-to-drm_find_displayid_extension.patch +dt-bindings-pci-qcom-pcie-sc7280-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sc8280xp-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8150-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8250-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8350-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8450-add-missing-required-power-domains-and-resets.patch +dt-bindings-pci-qcom-pcie-sm8550-add-missing-required-power-domains-and-resets.patch +crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch +crypto-caam-add-check-for-kcalloc-in-test_len.patch +crypto-arm64-ghash-fix-incorrect-output-from-ghash-neon.patch +amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch +zloop-fail-zone-append-operations-that-are-targeting-full-zones.patch +zloop-make-the-write-pointer-of-full-zones-invalid.patch +virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch +vfio-fix-ksize-arg-while-copying-user-struct-in-vfio_df_ioctl_bind_iommufd.patch +tracing-fix-fixed-array-of-synthetic-event.patch +soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch +soc-qcom-pbs-fix-device-leak-on-lookup.patch +soc-qcom-ocmem-fix-device-leak-on-lookup.patch +soc-apple-mailbox-fix-device-leak-on-lookup.patch +soc-amlogic-canvas-fix-device-leak-on-lookup.patch +rtla-timerlat_bpf-stop-tracing-on-user-latency.patch +rpmsg-glink-fix-rpmsg-device-leak.patch +pwm-rzg2l-gpt-allow-checking-period_tick-cache-value-only-if-sibling-channel-is-enabled.patch +platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch +lib-crypto-riscv-depend-on-riscv_efficient_vector_unaligned_access.patch +i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch +interconnect-qcom-sdx75-drop-qpic-interconnect-and-bcm-nodes.patch +io_uring-rsrc-fix-lost-entries-after-cloned-range.patch +hwmon-max16065-use-local-variable-to-avoid-toctou.patch +hwmon-max6697-fix-regmap-leak-on-probe-failure.patch +hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch +hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch +arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch +arm-dts-microchip-sama7d65-fix-uart-fifo-size-to-32.patch +arm-dts-microchip-sama7g5-fix-uart-fifo-size-to-32.patch diff --git a/queue-6.18/soc-amlogic-canvas-fix-device-leak-on-lookup.patch b/queue-6.18/soc-amlogic-canvas-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..4acf84b240 --- /dev/null +++ b/queue-6.18/soc-amlogic-canvas-fix-device-leak-on-lookup.patch @@ -0,0 +1,46 @@ +From 32200f4828de9d7e6db379909898e718747f4e18 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:24:53 +0200 +Subject: soc: amlogic: canvas: fix device leak on lookup + +From: Johan Hovold + +commit 32200f4828de9d7e6db379909898e718747f4e18 upstream. + +Make sure to drop the reference taken to the canvas platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Also note that commit 28f851e6afa8 ("soc: amlogic: canvas: add missing +put_device() call in meson_canvas_get()") fixed the leak in a lookup +error path, but the reference is still leaking on success. + +Fixes: d4983983d987 ("soc: amlogic: add meson-canvas driver") +Cc: stable@vger.kernel.org # 4.20: 28f851e6afa8 +Cc: Yu Kuai +Signed-off-by: Johan Hovold +Reviewed-by: Martin Blumenstingl +Link: https://patch.msgid.link/20250926142454.5929-2-johan@kernel.org +Signed-off-by: Neil Armstrong +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/amlogic/meson-canvas.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/soc/amlogic/meson-canvas.c ++++ b/drivers/soc/amlogic/meson-canvas.c +@@ -73,10 +73,9 @@ struct meson_canvas *meson_canvas_get(st + * current state, this driver probe cannot return -EPROBE_DEFER + */ + canvas = dev_get_drvdata(&canvas_pdev->dev); +- if (!canvas) { +- put_device(&canvas_pdev->dev); ++ put_device(&canvas_pdev->dev); ++ if (!canvas) + return ERR_PTR(-EINVAL); +- } + + return canvas; + } diff --git a/queue-6.18/soc-apple-mailbox-fix-device-leak-on-lookup.patch b/queue-6.18/soc-apple-mailbox-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..d7ed5d68b5 --- /dev/null +++ b/queue-6.18/soc-apple-mailbox-fix-device-leak-on-lookup.patch @@ -0,0 +1,50 @@ +From f401671e90ccc26b3022f177c4156a429c024f6c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:31:31 +0200 +Subject: soc: apple: mailbox: fix device leak on lookup + +From: Johan Hovold + +commit f401671e90ccc26b3022f177c4156a429c024f6c upstream. + +Make sure to drop the reference taken to the mbox platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Fixes: 6e1457fcad3f ("soc: apple: mailbox: Add ASC/M3 mailbox driver") +Cc: stable@vger.kernel.org # 6.8 +Signed-off-by: Johan Hovold +Reviewed-by: Neal Gompa +Signed-off-by: Sven Peter +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/apple/mailbox.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/soc/apple/mailbox.c ++++ b/drivers/soc/apple/mailbox.c +@@ -302,11 +302,18 @@ struct apple_mbox *apple_mbox_get(struct + return ERR_PTR(-EPROBE_DEFER); + + mbox = platform_get_drvdata(pdev); +- if (!mbox) +- return ERR_PTR(-EPROBE_DEFER); ++ if (!mbox) { ++ mbox = ERR_PTR(-EPROBE_DEFER); ++ goto out_put_pdev; ++ } ++ ++ if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) { ++ mbox = ERR_PTR(-ENODEV); ++ goto out_put_pdev; ++ } + +- if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) +- return ERR_PTR(-ENODEV); ++out_put_pdev: ++ put_device(&pdev->dev); + + return mbox; + } diff --git a/queue-6.18/soc-qcom-ocmem-fix-device-leak-on-lookup.patch b/queue-6.18/soc-qcom-ocmem-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..b698a8795d --- /dev/null +++ b/queue-6.18/soc-qcom-ocmem-fix-device-leak-on-lookup.patch @@ -0,0 +1,45 @@ +From b5c16ea57b030b8e9428ec726e26219dfe05c3d9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:35:10 +0200 +Subject: soc: qcom: ocmem: fix device leak on lookup + +From: Johan Hovold + +commit b5c16ea57b030b8e9428ec726e26219dfe05c3d9 upstream. + +Make sure to drop the reference taken to the ocmem platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Also note that commit 0ff027027e05 ("soc: qcom: ocmem: Fix missing +put_device() call in of_get_ocmem") fixed the leak in a lookup error +path, but the reference is still leaking on success. + +Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver") +Cc: stable@vger.kernel.org # 5.5: 0ff027027e05 +Cc: Brian Masney +Cc: Miaoqian Lin +Signed-off-by: Johan Hovold +Reviewed-by: Brian Masney +Link: https://lore.kernel.org/r/20250926143511.6715-2-johan@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/ocmem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/ocmem.c ++++ b/drivers/soc/qcom/ocmem.c +@@ -202,9 +202,9 @@ struct ocmem *of_get_ocmem(struct device + } + + ocmem = platform_get_drvdata(pdev); ++ put_device(&pdev->dev); + if (!ocmem) { + dev_err(dev, "Cannot get ocmem\n"); +- put_device(&pdev->dev); + return ERR_PTR(-ENODEV); + } + return ocmem; diff --git a/queue-6.18/soc-qcom-pbs-fix-device-leak-on-lookup.patch b/queue-6.18/soc-qcom-pbs-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..7fcddaca20 --- /dev/null +++ b/queue-6.18/soc-qcom-pbs-fix-device-leak-on-lookup.patch @@ -0,0 +1,37 @@ +From 94124bf253d24b13e89c45618a168d5a1d8a61e7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:35:11 +0200 +Subject: soc: qcom: pbs: fix device leak on lookup + +From: Johan Hovold + +commit 94124bf253d24b13e89c45618a168d5a1d8a61e7 upstream. + +Make sure to drop the reference taken to the pbs platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Fixes: 5b2dd77be1d8 ("soc: qcom: add QCOM PBS driver") +Cc: stable@vger.kernel.org # 6.9 +Cc: Anjelique Melendez +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250926143511.6715-3-johan@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/qcom-pbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/soc/qcom/qcom-pbs.c ++++ b/drivers/soc/qcom/qcom-pbs.c +@@ -173,6 +173,8 @@ struct pbs_dev *get_pbs_client_device(st + return ERR_PTR(-EINVAL); + } + ++ platform_device_put(pdev); ++ + return pbs; + } + EXPORT_SYMBOL_GPL(get_pbs_client_device); diff --git a/queue-6.18/soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch b/queue-6.18/soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch new file mode 100644 index 0000000000..38a1e80280 --- /dev/null +++ b/queue-6.18/soc-samsung-exynos-pmu-fix-device-leak-on-regmap-lookup.patch @@ -0,0 +1,37 @@ +From 990eb9a8eb4540ab90c7b34bb07b87ff13881cad Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 21 Nov 2025 13:18:52 +0100 +Subject: soc: samsung: exynos-pmu: fix device leak on regmap lookup + +From: Johan Hovold + +commit 990eb9a8eb4540ab90c7b34bb07b87ff13881cad upstream. + +Make sure to drop the reference taken when looking up the PMU device and +its regmap. + +Note that holding a reference to a device does not prevent its regmap +from going away so there is no point in keeping the reference. + +Fixes: 0b7c6075022c ("soc: samsung: exynos-pmu: Add regmap support for SoCs that protect PMU regs") +Cc: stable@vger.kernel.org # 6.9 +Cc: Peter Griffin +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251121121852.16825-1-johan@kernel.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/samsung/exynos-pmu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/soc/samsung/exynos-pmu.c ++++ b/drivers/soc/samsung/exynos-pmu.c +@@ -346,6 +346,8 @@ struct regmap *exynos_get_pmu_regmap_by_ + if (!dev) + return ERR_PTR(-EPROBE_DEFER); + ++ put_device(dev); ++ + return syscon_node_to_regmap(pmu_np); + } + EXPORT_SYMBOL_GPL(exynos_get_pmu_regmap_by_phandle); diff --git a/queue-6.18/tracing-fix-fixed-array-of-synthetic-event.patch b/queue-6.18/tracing-fix-fixed-array-of-synthetic-event.patch new file mode 100644 index 0000000000..c8e4ae4389 --- /dev/null +++ b/queue-6.18/tracing-fix-fixed-array-of-synthetic-event.patch @@ -0,0 +1,58 @@ +From 47ef834209e5981f443240d8a8b45bf680df22aa Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Thu, 4 Dec 2025 15:19:35 -0500 +Subject: tracing: Fix fixed array of synthetic event + +From: Steven Rostedt + +commit 47ef834209e5981f443240d8a8b45bf680df22aa upstream. + +The commit 4d38328eb442d ("tracing: Fix synth event printk format for str +fields") replaced "%.*s" with "%s" but missed removing the number size of +the dynamic and static strings. The commit e1a453a57bc7 ("tracing: Do not +add length to print format in synthetic events") fixed the dynamic part +but did not fix the static part. That is, with the commands: + + # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events + # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger + # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger + +That caused the output of: + + -0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155 + sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58 + -0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91 + +The commit e1a453a57bc7 fixed the part where the synthetic event had +"char[] wakee". But if one were to replace that with a static size string: + + # echo 's:wake_lat char[16] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events + +Where "wakee" is defined as "char[16]" and not "char[]" making it a static +size, the code triggered the "(efaul)" again. + +Remove the added STR_VAR_LEN_MAX size as the string is still going to be +nul terminated. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Douglas Raillard +Link: https://patch.msgid.link/20251204151935.5fa30355@gandalf.local.home +Fixes: e1a453a57bc7 ("tracing: Do not add length to print format in synthetic events") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events_synth.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -375,7 +375,6 @@ static enum print_line_t print_synth_eve + n_u64++; + } else { + trace_seq_printf(s, print_fmt, se->fields[i]->name, +- STR_VAR_LEN_MAX, + (char *)&entry->fields[n_u64].as_u64, + i == se->n_fields - 1 ? "" : " "); + n_u64 += STR_VAR_LEN_MAX / sizeof(u64); diff --git a/queue-6.18/vfio-fix-ksize-arg-while-copying-user-struct-in-vfio_df_ioctl_bind_iommufd.patch b/queue-6.18/vfio-fix-ksize-arg-while-copying-user-struct-in-vfio_df_ioctl_bind_iommufd.patch new file mode 100644 index 0000000000..c1018d282f --- /dev/null +++ b/queue-6.18/vfio-fix-ksize-arg-while-copying-user-struct-in-vfio_df_ioctl_bind_iommufd.patch @@ -0,0 +1,42 @@ +From 2f03f21fe7516902283b135de272d3c7b10672de Mon Sep 17 00:00:00 2001 +From: Raghavendra Rao Ananta +Date: Fri, 31 Oct 2025 17:06:02 +0000 +Subject: vfio: Fix ksize arg while copying user struct in vfio_df_ioctl_bind_iommufd() + +From: Raghavendra Rao Ananta + +commit 2f03f21fe7516902283b135de272d3c7b10672de upstream. + +For the cases where user includes a non-zero value in 'token_uuid_ptr' +field of 'struct vfio_device_bind_iommufd', the copy_struct_from_user() +in vfio_df_ioctl_bind_iommufd() fails with -E2BIG. For the 'minsz' passed, +copy_struct_from_user() expects the newly introduced field to be zero-ed, +which would be incorrect in this case. + +Fix this by passing the actual size of the kernel struct. If working +with a newer userspace, copy_struct_from_user() would copy the +'token_uuid_ptr' field, and if working with an old userspace, it would +zero out this field, thus still retaining backward compatibility. + +Fixes: 86624ba3b522 ("vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD") +Cc: stable@vger.kernel.org +Signed-off-by: Raghavendra Rao Ananta +Reviewed-by: Jason Gunthorpe +Link: https://lore.kernel.org/r/20251031170603.2260022-2-rananta@google.com +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/device_cdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/vfio/device_cdev.c ++++ b/drivers/vfio/device_cdev.c +@@ -99,7 +99,7 @@ long vfio_df_ioctl_bind_iommufd(struct v + return ret; + if (user_size < minsz) + return -EINVAL; +- ret = copy_struct_from_user(&bind, minsz, arg, user_size); ++ ret = copy_struct_from_user(&bind, sizeof(bind), arg, user_size); + if (ret) + return ret; + diff --git a/queue-6.18/virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch b/queue-6.18/virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch new file mode 100644 index 0000000000..19a840cbe9 --- /dev/null +++ b/queue-6.18/virtio-vdpa-fix-reference-count-leak-in-octep_sriov_enable.patch @@ -0,0 +1,39 @@ +From b41ca62c0019de1321d75f2b2f274a28784a41ed Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 14:07:35 +0800 +Subject: virtio: vdpa: Fix reference count leak in octep_sriov_enable() + +From: Miaoqian Lin + +commit b41ca62c0019de1321d75f2b2f274a28784a41ed upstream. + +pci_get_device() will increase the reference count for the returned +pci_dev, and also decrease the reference count for the input parameter +from if it is not NULL. + +If we break the loop in with 'vf_pdev' not NULL. We +need to call pci_dev_put() to decrease the reference count. + +Found via static anlaysis and this is similar to commit c508eb042d97 +("perf/x86/intel/uncore: Fix reference count leak in sad_cfg_iio_topology()") + +Fixes: 8b6c724cdab8 ("virtio: vdpa: vDPA driver for Marvell OCTEON DPU devices") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Michael S. Tsirkin +Message-Id: <20251027060737.33815-1-linmq006@gmail.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vdpa/octeon_ep/octep_vdpa_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/vdpa/octeon_ep/octep_vdpa_main.c ++++ b/drivers/vdpa/octeon_ep/octep_vdpa_main.c +@@ -736,6 +736,7 @@ static int octep_sriov_enable(struct pci + octep_vdpa_assign_barspace(vf_pdev, pdev, index); + if (++index == num_vfs) { + done = true; ++ pci_dev_put(vf_pdev); + break; + } + } diff --git a/queue-6.18/zloop-fail-zone-append-operations-that-are-targeting-full-zones.patch b/queue-6.18/zloop-fail-zone-append-operations-that-are-targeting-full-zones.patch new file mode 100644 index 0000000000..dec8a8d843 --- /dev/null +++ b/queue-6.18/zloop-fail-zone-append-operations-that-are-targeting-full-zones.patch @@ -0,0 +1,40 @@ +From cf28f6f923cb1dd2765b5c3d7697bb4dcf2096a0 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Sat, 15 Nov 2025 21:15:52 +0900 +Subject: zloop: fail zone append operations that are targeting full zones + +From: Damien Le Moal + +commit cf28f6f923cb1dd2765b5c3d7697bb4dcf2096a0 upstream. + +zloop_rw() will fail any regular write operation that targets a full +sequential zone. The check for this is indirect and achieved by checking +the write pointer alignment of the write operation. But this check is +ineffective for zone append operations since these are alwasy +automatically directed at a zone write pointer. + +Prevent zone append operations from being executed in a full zone with +an explicit check of the zone condition. + +Fixes: eb0570c7df23 ("block: new zoned loop block device driver") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/zloop.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/block/zloop.c ++++ b/drivers/block/zloop.c +@@ -407,6 +407,10 @@ static void zloop_rw(struct zloop_cmd *c + mutex_lock(&zone->lock); + + if (is_append) { ++ if (zone->cond == BLK_ZONE_COND_FULL) { ++ ret = -EIO; ++ goto unlock; ++ } + sector = zone->wp; + cmd->sector = sector; + } diff --git a/queue-6.18/zloop-make-the-write-pointer-of-full-zones-invalid.patch b/queue-6.18/zloop-make-the-write-pointer-of-full-zones-invalid.patch new file mode 100644 index 0000000000..d77a641432 --- /dev/null +++ b/queue-6.18/zloop-make-the-write-pointer-of-full-zones-invalid.patch @@ -0,0 +1,54 @@ +From 866d65745b635927c3d1343ab67e6fd4a99d116d Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Sat, 15 Nov 2025 21:15:51 +0900 +Subject: zloop: make the write pointer of full zones invalid + +From: Damien Le Moal + +commit 866d65745b635927c3d1343ab67e6fd4a99d116d upstream. + +The write pointer of zones that are in the full condition is always +invalid. Reflect that fact by setting the write pointer of full zones +to ULLONG_MAX. + +Fixes: eb0570c7df23 ("block: new zoned loop block device driver") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/zloop.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/block/zloop.c ++++ b/drivers/block/zloop.c +@@ -177,7 +177,7 @@ static int zloop_update_seq_zone(struct + zone->wp = zone->start; + } else if (file_sectors == zlo->zone_capacity) { + zone->cond = BLK_ZONE_COND_FULL; +- zone->wp = zone->start + zlo->zone_size; ++ zone->wp = ULLONG_MAX; + } else { + zone->cond = BLK_ZONE_COND_CLOSED; + zone->wp = zone->start + file_sectors; +@@ -326,7 +326,7 @@ static int zloop_finish_zone(struct zloo + } + + zone->cond = BLK_ZONE_COND_FULL; +- zone->wp = zone->start + zlo->zone_size; ++ zone->wp = ULLONG_MAX; + clear_bit(ZLOOP_ZONE_SEQ_ERROR, &zone->flags); + + unlock: +@@ -437,8 +437,10 @@ static void zloop_rw(struct zloop_cmd *c + * copmpletes. + */ + zone->wp += nr_sectors; +- if (zone->wp == zone_end) ++ if (zone->wp == zone_end) { + zone->cond = BLK_ZONE_COND_FULL; ++ zone->wp = ULLONG_MAX; ++ } + } + + rq_for_each_bvec(tmp, rq, rq_iter)