From 4604e008aecea29d0640c700d41c94e30b58798d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 27 Jan 2026 14:26:44 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
      alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
      alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
      arm64-set-__nocfi-on-swsusp_arch_resume.patch
      can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
      can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
      can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
      can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
      iio-adc-ad9467-fix-ad9434-vref-mask.patch
      iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
      iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
      intel_th-fix-device-leak-on-output-open.patch
      irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
      leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
      mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
      netrom-fix-double-free-in-nr_route_frame.patch
      octeontx2-fix-otx2_dma_map_page-error-return-code.patch
      of-fix-reference-count-leak-in-of_alias_scan.patch
      perf-x86-intel-do-not-enable-bts-for-guests.patch
      slimbus-core-fix-device-reference-leak-on-report-present.patch
      slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
      uacce-ensure-safe-queue-release-with-state-management.patch
      uacce-fix-cdev-handling-in-the-cleanup-path.patch
      uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
      wifi-ath10k-fix-dma_free_coherent-pointer.patch
      wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
      wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch
---
 ...l-oob-access-in-audio-mixer-handling.patch | 54 +++++++++++
 ...use-after-free-in-snd_usb_mixer_free.patch | 65 +++++++++++++
 ...64-set-__nocfi-on-swsusp_arch_resume.patch | 94 +++++++++++++++++++
 ...ad_bulk_callback-fix-urb-memory-leak.patch | 56 +++++++++++
 ...ad_bulk_callback-fix-urb-memory-leak.patch | 62 ++++++++++++
 ...ad_bulk_callback-fix-urb-memory-leak.patch | 56 +++++++++++
 ...ad_bulk_callback-fix-urb-memory-leak.patch | 56 +++++++++++
 .../iio-adc-ad9467-fix-ad9434-vref-mask.patch | 40 ++++++++
 ...use-after-free-in-sama5d2_adc-driver.patch | 48 ++++++++++
 ...-add-ad5695r-to-ad5686_chip_info_tbl.patch | 45 +++++++++
 ...el_th-fix-device-leak-on-output-open.patch | 69 ++++++++++++++
 ...ts-avoid-truncating-memory-addresses.patch | 74 +++++++++++++++
 ...-to-leds_list-when-it-is-fully-ready.patch | 80 ++++++++++++++++
 ...c-implement-sdmmc_card_busy-function.patch | 84 +++++++++++++++++
 ...om-fix-double-free-in-nr_route_frame.patch | 69 ++++++++++++++
 ...-otx2_dma_map_page-error-return-code.patch | 46 +++++++++
 ...eference-count-leak-in-of_alias_scan.patch | 49 ++++++++++
 ...6-intel-do-not-enable-bts-for-guests.patch | 59 ++++++++++++
 queue-5.10/series                             | 26 +++++
 ...ice-reference-leak-on-report-present.patch | 46 +++++++++
 ...ntime-pm-imbalance-on-report-present.patch | 55 +++++++++++
 ...-queue-release-with-state-management.patch | 89 ++++++++++++++++++
 ...ix-cdev-handling-in-the-cleanup-path.patch | 50 ++++++++++
 ...emap-in-uacce_vm_ops-to-return-eperm.patch | 52 ++++++++++
 ...ath10k-fix-dma_free_coherent-pointer.patch | 70 ++++++++++++++
 ...op-in-mwifiex_update_ampdu_rxwinsize.patch | 46 +++++++++
 ...-due-to-not-set-vif-driver-data-size.patch | 57 +++++++++++
 27 files changed, 1597 insertions(+)
 create mode 100644 queue-5.10/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
 create mode 100644 queue-5.10/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch
 create mode 100644 queue-5.10/arm64-set-__nocfi-on-swsusp_arch_resume.patch
 create mode 100644 queue-5.10/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch
 create mode 100644 queue-5.10/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch
 create mode 100644 queue-5.10/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch
 create mode 100644 queue-5.10/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch
 create mode 100644 queue-5.10/iio-adc-ad9467-fix-ad9434-vref-mask.patch
 create mode 100644 queue-5.10/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch
 create mode 100644 queue-5.10/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch
 create mode 100644 queue-5.10/intel_th-fix-device-leak-on-output-open.patch
 create mode 100644 queue-5.10/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch
 create mode 100644 queue-5.10/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch
 create mode 100644 queue-5.10/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch
 create mode 100644 queue-5.10/netrom-fix-double-free-in-nr_route_frame.patch
 create mode 100644 queue-5.10/octeontx2-fix-otx2_dma_map_page-error-return-code.patch
 create mode 100644 queue-5.10/of-fix-reference-count-leak-in-of_alias_scan.patch
 create mode 100644 queue-5.10/perf-x86-intel-do-not-enable-bts-for-guests.patch
 create mode 100644 queue-5.10/slimbus-core-fix-device-reference-leak-on-report-present.patch
 create mode 100644 queue-5.10/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch
 create mode 100644 queue-5.10/uacce-ensure-safe-queue-release-with-state-management.patch
 create mode 100644 queue-5.10/uacce-fix-cdev-handling-in-the-cleanup-path.patch
 create mode 100644 queue-5.10/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch
 create mode 100644 queue-5.10/wifi-ath10k-fix-dma_free_coherent-pointer.patch
 create mode 100644 queue-5.10/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch
 create mode 100644 queue-5.10/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch

diff --git a/queue-5.10/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch b/queue-5.10/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch
new file mode 100644
index 0000000000..338a1ec30d
--- /dev/null
+++ b/queue-5.10/alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch @@ -0,0 +1,54 @@ +From 61006c540cbdedea83b05577dc7fb7fa18fe1276 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 19 Jan 2026 14:32:07 +0100 +Subject: ALSA: ctxfi: Fix potential OOB access in audio mixer handling + +From: Takashi Iwai + +commit 61006c540cbdedea83b05577dc7fb7fa18fe1276 upstream. + +In the audio mixer handling code of ctxfi driver, the conf field is +used as a kind of loop index, and it's referred in the index callbacks +(amixer_index() and sum_index()). + +As spotted recently by fuzzers, the current code causes OOB access at +those functions. +| UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 +| index 8 is out of range for type 'unsigned char [8]' + +After the analysis, the cause was found to be the lack of the proper +(re-)initialization of conj field. + +This patch addresses those OOB accesses by adding the proper +initializations of the loop indices. + +Reported-by: Salvatore Bonaccorso +Tested-by: Karsten Hohmeier +Closes: https://bugs.debian.org/1121535 +Cc: +Link: https://lore.kernel.org/all/aSk8KJI35H7gFru6@eldamar.lan/ +Link: https://patch.msgid.link/20260119133212.189129-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ctxfi/ctamixer.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/ctxfi/ctamixer.c ++++ b/sound/pci/ctxfi/ctamixer.c +@@ -205,6 +205,7 @@ static int amixer_rsc_init(struct amixer + + /* Set amixer specific operations */ + amixer->rsc.ops = &amixer_basic_rsc_ops; ++ amixer->rsc.conj = 0; + amixer->ops = &amixer_ops; + amixer->input = NULL; + amixer->sum = NULL; +@@ -369,6 +370,7 @@ static int sum_rsc_init(struct sum *sum, + return err; + + sum->rsc.ops = &sum_basic_rsc_ops; ++ sum->rsc.conj = 0; + + return 0; + } 
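Review bot: the ctxfi commit message names the field inconsistently, "the conf field" in the first paragraph and "conj field" in the fourth, while both added lines in amixer_rsc_init() and sum_rsc_init() assign `rsc.conj`; the description should say `conj` throughout so the text matches the code being backported. The UBSAN quote also cites a linux-6.17.8 path, so it is worth stating in the backport note that the same two initialisations are what 5.10 lacks, which the unchanged context in both hunks does confirm.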
diff --git a/queue-5.10/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch b/queue-5.10/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch new file mode 100644 index 0000000000..82a1c386a6 --- /dev/null +++ b/queue-5.10/alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch 
@@ -0,0 +1,65 @@ +From 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 Mon Sep 17 00:00:00 2001 +From: Berk Cem Goksel +Date: Tue, 20 Jan 2026 13:28:55 +0300 +Subject: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() + +From: Berk Cem Goksel + +commit 930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 upstream. + +When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees +mixer->id_elems but the controls already added to the card still +reference the freed memory. Later when snd_card_register() runs, +the OSS mixer layer calls their callbacks and hits a use-after-free read. + +Call trace: + get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 + get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 + mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 + snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 + ... + snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 + usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 + +Fix by calling snd_ctl_remove() for all mixer controls before freeing +id_elems. We save the next pointer first because snd_ctl_remove() +frees the current element. 
+ +Fixes: 6639b6c2367f ("[ALSA] usb-audio - add mixer control notifications") +Cc: stable@vger.kernel.org +Cc: Andrey Konovalov +Signed-off-by: Berk Cem Goksel +Link: https://patch.msgid.link/20260120102855.7300-1-berkcgoksel@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2858,10 +2858,23 @@ static int parse_audio_unit(struct mixer + + static void snd_usb_mixer_free(struct usb_mixer_interface *mixer) + { ++ struct usb_mixer_elem_list *list, *next; ++ int id; ++ + /* kill pending URBs */ + snd_usb_mixer_disconnect(mixer); + +- kfree(mixer->id_elems); ++ /* Unregister controls first, snd_ctl_remove() frees the element */ ++ if (mixer->id_elems) { ++ for (id = 0; id < MAX_ID_ELEMS; id++) { ++ for (list = mixer->id_elems[id]; list; list = next) { ++ next = list->next_id_elem; ++ if (list->kctl) ++ snd_ctl_remove(mixer->chip->card, list->kctl); ++ } ++ } ++ kfree(mixer->id_elems); ++ } + if (mixer->urb) { + kfree(mixer->urb->transfer_buffer); + usb_free_urb(mixer->urb); diff --git a/queue-5.10/arm64-set-__nocfi-on-swsusp_arch_resume.patch b/queue-5.10/arm64-set-__nocfi-on-swsusp_arch_resume.patch new file mode 100644 index 0000000000..cf9bc3e94f --- /dev/null +++ b/queue-5.10/arm64-set-__nocfi-on-swsusp_arch_resume.patch 
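Review bot: in the snd_usb_mixer_free() hunk of the alsa-usb-audio patch, the new loop calls `snd_ctl_remove(mixer->chip->card, list->kctl)` with no locking visible anywhere in the hunk; in the 5.10 tree the documented contract of snd_ctl_remove() is that the caller holds card->controls_rwsem for writing (upstream only later moved that locking inside the function), so the backport should be checked against the 5.10 definition and the loop wrapped in down_write()/up_write() on that rwsem if the contract still applies. Saving `next = list->next_id_elem` before the call is correct and matches the comment, since the removal frees the element.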
@@ -0,0 +1,94 @@ +From e2f8216ca2d8e61a23cb6ec355616339667e0ba6 Mon Sep 17 00:00:00 2001 +From: Zhaoyang Huang +Date: Thu, 22 Jan 2026 19:49:25 +0800 +Subject: arm64: Set __nocfi on swsusp_arch_resume() + +From: Zhaoyang Huang + +commit e2f8216ca2d8e61a23cb6ec355616339667e0ba6 upstream. + +A DABT is reported[1] on an android based system when resume from hiberate. +This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*() +and does not have a CFI hash, but swsusp_arch_resume() will attempt to +verify the CFI hash when calling a copy of swsusp_arch_suspend_exit(). + +Given that there's an existing requirement that the entrypoint to +swsusp_arch_suspend_exit() is the first byte of the .hibernate_exit.text +section, we cannot fix this by marking swsusp_arch_suspend_exit() with +SYM_FUNC_*(). The simplest fix for now is to disable the CFI check in +swsusp_arch_resume(). + +Mark swsusp_arch_resume() as __nocfi to disable the CFI check. + +[1] +[ 22.991934][ T1] Unable to handle kernel paging request at virtual address 0000000109170ffc +[ 22.991934][ T1] Mem abort info: +[ 22.991934][ T1] ESR = 0x0000000096000007 +[ 22.991934][ T1] EC = 0x25: DABT (current EL), IL = 32 bits +[ 22.991934][ T1] SET = 0, FnV = 0 +[ 22.991934][ T1] EA = 0, S1PTW = 0 +[ 22.991934][ T1] FSC = 0x07: level 3 translation fault +[ 22.991934][ T1] Data abort info: +[ 22.991934][ T1] ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 +[ 22.991934][ T1] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 22.991934][ T1] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 22.991934][ T1] [0000000109170ffc] user address but active_mm is swapper +[ 22.991934][ T1] Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP +[ 22.991934][ T1] Dumping ftrace buffer: +[ 22.991934][ T1] (ftrace buffer empty) +[ 22.991934][ T1] Modules linked in: +[ 22.991934][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.98-android15-8-g0b1d2aee7fc3-dirty-4k #1 688c7060a825a3ac418fe53881730b355915a419 +[ 22.991934][ T1] 
Hardware name: Unisoc UMS9360-base Board (DT) +[ 22.991934][ T1] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 22.991934][ T1] pc : swsusp_arch_resume+0x2ac/0x344 +[ 22.991934][ T1] lr : swsusp_arch_resume+0x294/0x344 +[ 22.991934][ T1] sp : ffffffc08006b960 +[ 22.991934][ T1] x29: ffffffc08006b9c0 x28: 0000000000000000 x27: 0000000000000000 +[ 22.991934][ T1] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000820 +[ 22.991934][ T1] x23: ffffffd0817e3000 x22: ffffffd0817e3000 x21: 0000000000000000 +[ 22.991934][ T1] x20: ffffff8089171000 x19: ffffffd08252c8c8 x18: ffffffc080061058 +[ 22.991934][ T1] x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 0000000000000004 +[ 22.991934][ T1] x14: ffffff8178c88000 x13: 0000000000000006 x12: 0000000000000000 +[ 22.991934][ T1] x11: 0000000000000015 x10: 0000000000000001 x9 : ffffffd082533000 +[ 22.991934][ T1] x8 : 0000000109171000 x7 : 205b5d3433393139 x6 : 392e32322020205b +[ 22.991934][ T1] x5 : 000000010916f000 x4 : 000000008164b000 x3 : ffffff808a4e0530 +[ 22.991934][ T1] x2 : ffffffd08058e784 x1 : 0000000082326000 x0 : 000000010a283000 +[ 22.991934][ T1] Call trace: +[ 22.991934][ T1] swsusp_arch_resume+0x2ac/0x344 +[ 22.991934][ T1] hibernation_restore+0x158/0x18c +[ 22.991934][ T1] load_image_and_restore+0xb0/0xec +[ 22.991934][ T1] software_resume+0xf4/0x19c +[ 22.991934][ T1] software_resume_initcall+0x34/0x78 +[ 22.991934][ T1] do_one_initcall+0xe8/0x370 +[ 22.991934][ T1] do_initcall_level+0xc8/0x19c +[ 22.991934][ T1] do_initcalls+0x70/0xc0 +[ 22.991934][ T1] do_basic_setup+0x1c/0x28 +[ 22.991934][ T1] kernel_init_freeable+0xe0/0x148 +[ 22.991934][ T1] kernel_init+0x20/0x1a8 +[ 22.991934][ T1] ret_from_fork+0x10/0x20 +[ 22.991934][ T1] Code: a9400a61 f94013e0 f9438923 f9400a64 (b85fc110) + +Co-developed-by: Jeson Gao +Signed-off-by: Jeson Gao +Signed-off-by: Zhaoyang Huang +Acked-by: Will Deacon +Acked-by: Mark Rutland +Cc: +[catalin.marinas@arm.com: commit log updated by Mark 
Rutland] +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/hibernate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/hibernate.c ++++ b/arch/arm64/kernel/hibernate.c +@@ -639,7 +639,7 @@ static int trans_pgd_create_copy(pgd_t * + * Memory allocated by get_safe_page() will be dealt with by the hibernate code, + * we don't need to free it here. + */ +-int swsusp_arch_resume(void) ++int __nocfi swsusp_arch_resume(void) + { + int rc; + void *zero_page; diff --git a/queue-5.10/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-5.10/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..4121a4aab3 --- /dev/null +++ b/queue-5.10/can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch 
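Review bot: in the arch/arm64/kernel/hibernate.c hunk, `__nocfi` is added to swsusp_arch_resume() with no in-code explanation, and the comment block directly above the function only talks about memory from get_safe_page(); add a short comment saying that swsusp_arch_suspend_exit() is SYM_CODE without a CFI hash and is called through a copied pointer, so that a later cleanup does not drop the annotation as unnecessary. The commit message already has this reasoning, but it will not be visible to someone reading the source.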
@@ -0,0 +1,56 @@ +From 0ce73a0eb5a27070957b67fd74059b6da89cc516 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 0ce73a0eb5a27070957b67fd74059b6da89cc516 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In ems_usb_open(), the URBs for USB-in transfers are allocated, added to +the dev->rx_submitted anchor and submitted. In the complete callback +ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In +ems_usb_close() the URBs are freed by calling +usb_kill_anchored_urbs(&dev->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in ems_usb_close(). + +Fix the memory leak by anchoring the URB in the +ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. 
+ +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-1-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/ems_usb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -479,11 +479,17 @@ resubmit_urb: + urb->transfer_buffer, RX_BUFFER_SIZE, + ems_usb_read_bulk_callback, dev); + ++ usb_anchor_urb(urb, &dev->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); + + if (retval == -ENODEV) + netif_device_detach(netdev); +- else if (retval) ++ else + netdev_err(netdev, + "failed resubmitting read bulk urb: %d\n", retval); + } diff --git a/queue-5.10/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-5.10/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..ca86e3ac90 --- /dev/null +++ b/queue-5.10/can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch 
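Review bot: in the ems_usb.c resubmit_urb hunk, the new `usb_anchor_urb(urb, &dev->rx_submitted)` carries no comment, and the reason it is needed here (the USB core unanchors the URB before invoking the completion, as the commit message explains) is not obvious from the code; a one-line comment at the anchor call would help the next reader. Note that the `else if (retval)` to `else` simplification is only correct because of the new early `return` on success, so the two changes must stay together if this is ever split.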
@@ -0,0 +1,62 @@ +From 248e8e1a125fa875158df521b30f2cc7e27eeeaa Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 248e8e1a125fa875158df521b30f2cc7e27eeeaa upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the +URBs for USB-in transfers are allocated, added to the dev->rx_submitted +anchor and submitted. In the complete callback +kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In +kvaser_usb_remove_interfaces() the URBs are freed by calling +usb_kill_anchored_urbs(&dev->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in usb_kill_anchored_urbs(). + +Fix the memory leak by anchoring the URB in the +kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. 
+ +Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-3-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c ++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c +@@ -325,7 +325,14 @@ resubmit_urb: + urb->transfer_buffer, KVASER_USB_RX_BUFFER_SIZE, + kvaser_usb_read_bulk_callback, dev); + ++ usb_anchor_urb(urb, &dev->rx_submitted); ++ + err = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!err) ++ return; ++ ++ usb_unanchor_urb(urb); ++ + if (err == -ENODEV) { + for (i = 0; i < dev->nchannels; i++) { + if (!dev->nets[i]) +@@ -333,7 +340,7 @@ resubmit_urb: + + netif_device_detach(dev->nets[i]->netdev); + } +- } else if (err) { ++ } else { + dev_err(&dev->intf->dev, + "Failed resubmitting read bulk urb: %d\n", err); + } diff --git a/queue-5.10/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-5.10/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..1df5bdb3a7 --- /dev/null +++ b/queue-5.10/can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch 
@@ -0,0 +1,56 @@ +From 710a7529fb13c5a470258ff5508ed3c498d54729 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 710a7529fb13c5a470258ff5508ed3c498d54729 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are +allocated, added to the priv->rx_submitted anchor and submitted. In the +complete callback mcba_usb_read_bulk_callback(), the URBs are processed and +resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by +calling usb_kill_anchored_urbs(&priv->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in usb_kill_anchored_urbs(). + +Fix the memory leak by anchoring the URB in the +mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor. 
+ +Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-4-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/mcba_usb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/mcba_usb.c ++++ b/drivers/net/can/usb/mcba_usb.c +@@ -614,11 +614,17 @@ resubmit_urb: + urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE, + mcba_usb_read_bulk_callback, priv); + ++ usb_anchor_urb(urb, &priv->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); + + if (retval == -ENODEV) + netif_device_detach(netdev); +- else if (retval) ++ else + netdev_err(netdev, "failed resubmitting read bulk urb: %d\n", + retval); + } diff --git a/queue-5.10/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch b/queue-5.10/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..bd38280d68 --- /dev/null +++ b/queue-5.10/can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch 
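Review bot: the mcba_usb commit message is missing a space in "mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor"; fix that in the description. The code change itself matches the ems_usb and usb_8dev siblings in this series (anchor before submit, unanchor on failure, early return on success), and the same request for a one-line comment at the anchor call applies here.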
@@ -0,0 +1,56 @@ +From f7a980b3b8f80fe367f679da376cf76e800f9480 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit f7a980b3b8f80fe367f679da376cf76e800f9480 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are +allocated, added to the priv->rx_submitted anchor and submitted. In the +complete callback usb_8dev_read_bulk_callback(), the URBs are processed and +resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by +calling usb_kill_anchored_urbs(&priv->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in usb_kill_anchored_urbs(). + +Fix the memory leak by anchoring the URB in the +usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. 
+ +Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-5-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/usb_8dev.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/usb_8dev.c ++++ b/drivers/net/can/usb/usb_8dev.c +@@ -546,11 +546,17 @@ resubmit_urb: + urb->transfer_buffer, RX_BUFFER_SIZE, + usb_8dev_read_bulk_callback, priv); + ++ usb_anchor_urb(urb, &priv->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); + + if (retval == -ENODEV) + netif_device_detach(netdev); +- else if (retval) ++ else + netdev_err(netdev, + "failed resubmitting read bulk urb: %d\n", retval); + } diff --git a/queue-5.10/iio-adc-ad9467-fix-ad9434-vref-mask.patch b/queue-5.10/iio-adc-ad9467-fix-ad9434-vref-mask.patch new file mode 100644 index 0000000000..3892e6fbc4 --- /dev/null +++ b/queue-5.10/iio-adc-ad9467-fix-ad9434-vref-mask.patch 
@@ -0,0 +1,40 @@ +From 92452b1760ff2d1d411414965d4d06f75e1bda9a Mon Sep 17 00:00:00 2001 +From: Tomas Melin +Date: Wed, 3 Dec 2025 09:28:11 +0000 +Subject: iio: adc: ad9467: fix ad9434 vref mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomas Melin + +commit 92452b1760ff2d1d411414965d4d06f75e1bda9a upstream. + +The mask setting is 5 bits wide for the ad9434 +(ref. data sheet register 0x18 FLEX_VREF). Apparently the settings +from ad9265 were copied by mistake when support for the device was added +to the driver. + +Fixes: 4606d0f4b05f ("iio: adc: ad9467: add support for AD9434 high-speed ADC") +Reviewed-by: Andy Shevchenko +Reviewed-by: Nuno Sá +Reviewed-by: David Lechner +Signed-off-by: Tomas Melin +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad9467.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad9467.c ++++ b/drivers/iio/adc/ad9467.c +@@ -90,7 +90,7 @@ + + #define CHIPID_AD9434 0x6A + #define AD9434_DEF_OUTPUT_MODE 0x00 +-#define AD9434_REG_VREF_MASK 0xC0 ++#define AD9434_REG_VREF_MASK GENMASK(4, 0) + + /* + * Analog Devices AD9467 16-Bit, 200/250 MSPS ADC diff --git a/queue-5.10/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch b/queue-5.10/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch new file mode 100644 index 0000000000..a54e77814d --- /dev/null +++ b/queue-5.10/iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch 
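Review bot: the replacement value `GENMASK(4, 0)` depends on the GENMASK() macro and the hunk adds no include; check that the 5.10 copy of drivers/iio/adc/ad9467.c already pulls in linux/bits.h (directly or via another header), since the only other defines in the visible context are plain hex literals. The new mask does agree with the commit message's "5 bits wide", whereas the old 0xC0 covered bits 7:6.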
@@ -0,0 +1,48 @@ +From dbdb442218cd9d613adeab31a88ac973f22c4873 Mon Sep 17 00:00:00 2001 +From: Pei Xiao +Date: Wed, 29 Oct 2025 10:40:16 +0800 +Subject: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver + +From: Pei Xiao + +commit dbdb442218cd9d613adeab31a88ac973f22c4873 upstream. + +at91_adc_interrupt can call at91_adc_touch_data_handler function +to start the work by schedule_work(&st->touch_st.workq). + +If we remove the module which will call at91_adc_remove to +make cleanup, it will free indio_dev through iio_device_unregister but +quite a bit later. While the work mentioned above will be used. The +sequence of operations that may lead to a UAF bug is as follows: + +CPU0 CPU1 + + | at91_adc_workq_handler +at91_adc_remove | +iio_device_unregister(indio_dev) | +//free indio_dev a bit later | + | iio_push_to_buffers(indio_dev) + | //use indio_dev + +Fix it by ensuring that the work is canceled before proceeding with +the cleanup in at91_adc_remove. + +Fixes: 23ec2774f1cc ("iio: adc: at91-sama5d2_adc: add support for position and pressure channels") +Signed-off-by: Pei Xiao +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/at91-sama5d2_adc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -1891,6 +1891,7 @@ static int at91_adc_remove(struct platfo + struct at91_adc_state *st = iio_priv(indio_dev); + + iio_device_unregister(indio_dev); ++ cancel_work_sync(&st->touch_st.workq); + + at91_adc_dma_disable(pdev); + diff --git a/queue-5.10/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch b/queue-5.10/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch new file mode 100644 index 0000000000..5fc80996e5 --- /dev/null +++ b/queue-5.10/iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch 
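Review bot: in the at91_adc_remove() hunk, `cancel_work_sync(&st->touch_st.workq)` is placed right after iio_device_unregister() and before at91_adc_dma_disable(); cancel_work_sync() only waits for an instance that is already running and does nothing to stop at91_adc_interrupt() from queueing the work again afterwards, which the commit message says is how the work gets scheduled. Either move the cancel to after the interrupt source is quiesced or add a comment explaining why a re-queue cannot happen at this point in remove().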
@@ -0,0 +1,45 @@ +From 441ac29923c9172bc5e4b2c4f52ae756192f5715 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?K=C3=BCbrich=2C=20Andreas?= + +Date: Mon, 17 Nov 2025 12:35:13 +0000 +Subject: iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kübrich, Andreas + +commit 441ac29923c9172bc5e4b2c4f52ae756192f5715 upstream. + +The chip info for this variant (I2C, four channels, 14 bit, internal +reference) seems to have been left out due to oversight, so +ad5686_chip_info_tbl[ID_AD5695R] is all zeroes. Initialisation of an +AD5695R still succeeds, but the resulting IIO device has no channels and no +/dev/iio:device* node. + +Add the missing chip info to the table. + +Fixes: 4177381b4401 ("iio:dac:ad5686: Add AD5671R/75R/94/94R/95R/96/96R support") +Signed-off-by: Andreas Kübrich +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5686.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/iio/dac/ad5686.c ++++ b/drivers/iio/dac/ad5686.c +@@ -402,6 +402,12 @@ static const struct ad5686_chip_info ad5 + .num_channels = 4, + .regmap_type = AD5686_REGMAP, + }, ++ [ID_AD5695R] = { ++ .channels = ad5685r_channels, ++ .int_vref_mv = 2500, ++ .num_channels = 4, ++ .regmap_type = AD5686_REGMAP, ++ }, + [ID_AD5696] = { + .channels = ad5686_channels, + .num_channels = 4, diff --git a/queue-5.10/intel_th-fix-device-leak-on-output-open.patch b/queue-5.10/intel_th-fix-device-leak-on-output-open.patch new file mode 100644 index 0000000000..877c4e9785 --- /dev/null +++ b/queue-5.10/intel_th-fix-device-leak-on-output-open.patch 
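Review bot: the new `[ID_AD5695R]` entry points `.channels` at ad5685r_channels while the neighbouring `[ID_AD5696]` entry uses ad5686_channels; the commit message says the AD5695R is a 14-bit part, which is presumably why the AD5685R channel table is reused, but a one-line comment on that field would stop a future reader from "correcting" it to a part-specific table. `.int_vref_mv = 2500` is consistent with the "internal reference" in the description.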
@@ -0,0 +1,69 @@ +From 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 8 Dec 2025 16:35:23 +0100 +Subject: intel_th: fix device leak on output open() + +From: Johan Hovold + +commit 95fc36a234da24bbc5f476f8104a5a15f99ed3e3 upstream. + +Make sure to drop the reference taken when looking up the th device +during output device open() on errors and on close(). + +Note that a recent commit fixed the leak in a couple of open() error +paths but not all of them, and the reference is still leaking on +successful open(). + +Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") +Fixes: 6d5925b667e4 ("intel_th: Fix error handling in intel_th_output_open") +Cc: stable@vger.kernel.org # 4.4: 6d5925b667e4 +Cc: Alexander Shishkin +Cc: Ma Ke +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251208153524.68637-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/core.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -810,9 +810,12 @@ static int intel_th_output_open(struct i + int err; + + dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev); +- if (!dev || !dev->driver) { ++ if (!dev) ++ return -ENODEV; ++ ++ if (!dev->driver) { + err = -ENODEV; +- goto out_no_device; ++ goto out_put_device; + } + + thdrv = to_intel_th_driver(dev->driver); +@@ -836,12 +839,22 @@ static int intel_th_output_open(struct i + + out_put_device: + put_device(dev); +-out_no_device: ++ + return err; + } + ++static int intel_th_output_release(struct inode *inode, struct file *file) ++{ ++ struct intel_th_device *thdev = file->private_data; ++ ++ put_device(&thdev->dev); ++ ++ return 0; ++} ++ + static const struct file_operations intel_th_output_fops = { + .open = intel_th_output_open, ++ .release = intel_th_output_release, + .llseek = noop_llseek, + }; + 
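Review bot: the new intel_th_output_release() treats file->private_data as a struct intel_th_device and drops the reference that open() took via bus_find_device_by_devt(); the hunk only shows the error path of intel_th_output_open(), so confirm that the successful path stores the looked-up device in file->private_data before returning, otherwise release() calls put_device() on NULL or on an unrelated pointer. A short comment at the put_device() saying it pairs with the lookup in open() would also make the ownership explicit.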
diff --git a/queue-5.10/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch b/queue-5.10/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch new file mode 100644 index 0000000000..1d1eb99cb8 --- /dev/null +++ b/queue-5.10/irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch 
@@ -0,0 +1,74 @@ +From 8d76a7d89c12d08382b66e2f21f20d0627d14859 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 19 Jan 2026 21:15:12 +0100 +Subject: irqchip/gic-v3-its: Avoid truncating memory addresses + +From: Arnd Bergmann + +commit 8d76a7d89c12d08382b66e2f21f20d0627d14859 upstream. + +On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem +allocations to be backed by physical memory addresses above the 32-bit +address limit, as found while experimenting with larger VMSPLIT +configurations. + +This caused the qemu virt model to crash in the GICv3 driver, which +allocates the 'itt' object using GFP_KERNEL. Since all memory below +the 4GB physical address limit is in ZONE_DMA in this configuration, +kmalloc() defaults to higher addresses for ZONE_NORMAL, and the +ITS driver stores the physical address in a 32-bit 'unsigned long' +variable. + +Change the itt_addr variable to the correct phys_addr_t type instead, +along with all other variables in this driver that hold a physical +address. + +The gicv5 driver correctly uses u64 variables, while all other irqchip +drivers don't call virt_to_phys or similar interfaces. It's expected that +other device drivers have similar issues, but fixing this one is +sufficient for booting a virtio based guest. 
+ +Fixes: cc2d3216f53c ("irqchip: GICv3: ITS command queue") +Signed-off-by: Arnd Bergmann +Signed-off-by: Thomas Gleixner +Reviewed-by: Marc Zyngier +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260119201603.2713066-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3-its.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -609,7 +609,7 @@ static struct its_collection *its_build_ + struct its_cmd_block *cmd, + struct its_cmd_desc *desc) + { +- unsigned long itt_addr; ++ phys_addr_t itt_addr; + u8 size = ilog2(desc->its_mapd_cmd.dev->nr_ites); + + itt_addr = virt_to_phys(desc->its_mapd_cmd.dev->itt); +@@ -780,7 +780,7 @@ static struct its_vpe *its_build_vmapp_c + struct its_cmd_desc *desc) + { + struct its_vpe *vpe = valid_vpe(its, desc->its_vmapp_cmd.vpe); +- unsigned long vpt_addr, vconf_addr; ++ phys_addr_t vpt_addr, vconf_addr; + u64 target; + bool alloc; + +@@ -2408,10 +2408,10 @@ retry_baser: + baser->psz = psz; + tmp = indirect ? GITS_LVL1_ENTRY_SIZE : esz; + +- pr_info("ITS@%pa: allocated %d %s @%lx (%s, esz %d, psz %dK, shr %d)\n", ++ pr_info("ITS@%pa: allocated %d %s @%llx (%s, esz %d, psz %dK, shr %d)\n", + &its->phys_base, (int)(PAGE_ORDER_TO_SIZE(order) / (int)tmp), + its_base_type_string[type], +- (unsigned long)virt_to_phys(base), ++ (u64)virt_to_phys(base), + indirect ? "indirect" : "flat", (int)esz, + psz / SZ_1K, (int)shr >> GITS_BASER_SHAREABILITY_SHIFT); + diff --git a/queue-5.10/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch b/queue-5.10/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch new file mode 100644 index 0000000000..07675aad26 --- /dev/null +++ b/queue-5.10/leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch 
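Review bot: in the pr_info() hunk the same format string already prints `&its->phys_base` with `%pa`, so the new `%llx` plus `(u64)virt_to_phys(base)` cast is an inconsistent way to print the second physical address; storing `virt_to_phys(base)` in a local `phys_addr_t` and passing its address with `%pa` would print correctly on every configuration without a cast. For the first two hunks, the consumers of `itt_addr`, `vpt_addr` and `vconf_addr` (the its_encode_*() helpers) are not in the diff; the change only removes the truncation if those take a 64-bit argument, which is worth stating in the commit message.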
@@ -0,0 +1,80 @@ +From d1883cefd31752f0504b94c3bcfa1f6d511d6e87 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 11 Dec 2025 17:37:27 +0100 +Subject: leds: led-class: Only Add LED to leds_list when it is fully ready + +From: Hans de Goede + +commit d1883cefd31752f0504b94c3bcfa1f6d511d6e87 upstream. + +Before this change the LED was added to leds_list before led_init_core() +gets called, adding it to the list before led_classdev.set_brightness_work gets +initialized. + +This leaves a window where led_trigger_register() of a LED's default +trigger will call led_trigger_set() which calls led_set_brightness() +which in turn will end up queueing the *uninitialized* +led_classdev.set_brightness_work. + +This race gets hit by the lenovo-thinkpad-t14s EC driver which registers +2 LEDs with a default trigger provided by snd_ctl_led.ko in quick +succession. The first led_classdev_register() causes an async modprobe of +snd_ctl_led to run and that async modprobe manages to exactly hit +the window where the second LED is on the leds_list without led_init_core() +being called for it, resulting in: + + ------------[ cut here ]------------ + WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 + Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 + ... + Call trace: + __flush_work+0x344/0x390 (P) + flush_work+0x2c/0x50 + led_trigger_set+0x1c8/0x340 + led_trigger_register+0x17c/0x1c0 + led_trigger_register_simple+0x84/0xe8 + snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] + do_one_initcall+0x5c/0x318 + do_init_module+0x9c/0x2b8 + load_module+0x7e0/0x998 + +Close the race window by moving the adding of the LED to leds_list to +after the led_init_core() call. 
+ +Cc: stable@vger.kernel.org +Fixes: d23a22a74fde ("leds: delay led_set_brightness if stopping soft-blink") +Signed-off-by: Hans de Goede +Reviewed-by: Sebastian Reichel +Link: https://patch.msgid.link/20251211163727.366441-1-johannes.goede@oss.qualcomm.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/led-class.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/leds/led-class.c ++++ b/drivers/leds/led-class.c +@@ -408,11 +408,6 @@ int led_classdev_register_ext(struct dev + #ifdef CONFIG_LEDS_BRIGHTNESS_HW_CHANGED + led_cdev->brightness_hw_changed = -1; + #endif +- /* add to the list of leds */ +- down_write(&leds_list_lock); +- list_add_tail(&led_cdev->node, &leds_list); +- up_write(&leds_list_lock); +- + if (!led_cdev->max_brightness) + led_cdev->max_brightness = LED_FULL; + +@@ -420,6 +415,11 @@ int led_classdev_register_ext(struct dev + + led_init_core(led_cdev); + ++ /* add to the list of leds */ ++ down_write(&leds_list_lock); ++ list_add_tail(&led_cdev->node, &leds_list); ++ up_write(&leds_list_lock); ++ + #ifdef CONFIG_LEDS_TRIGGERS + led_trigger_set_default(led_cdev); + #endif diff --git a/queue-5.10/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch b/queue-5.10/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch new file mode 100644 index 0000000000..d18d21ae5a --- /dev/null +++ b/queue-5.10/mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch 
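Review bot: moving the `list_add_tail()` block to just after `led_init_core()` is the right fix for the uninitialized `set_brightness_work`, but the diff does not show the code between the two hunks (the `@@ -420` region is cut), so please confirm that no error return in that stretch previously relied on the node already being linked (for example an unwind that does `list_del()`); with the node now unlinked there, such a path would corrupt the list. The moved block also now sits immediately before the `#ifdef CONFIG_LEDS_TRIGGERS` `led_trigger_set_default()` call, which is exactly the ordering the race needs, so a one-line comment such as "must be fully initialized before triggers can see it" next to the `/* add to the list of leds */` comment would keep a future refactor from moving it back.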
@@ -0,0 +1,84 @@ +From 122610220134b32c742cc056eaf64f7017ac8cd9 Mon Sep 17 00:00:00 2001 +From: Matthew Schwartz +Date: Mon, 29 Dec 2025 12:45:26 -0800 +Subject: mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function + +From: Matthew Schwartz + +commit 122610220134b32c742cc056eaf64f7017ac8cd9 upstream. + +rtsx_pci_sdmmc does not have an sdmmc_card_busy function, so any voltage +switches cause a kernel warning, "mmc0: cannot verify signal voltage +switch." + +Copy the sdmmc_card_busy function from rtsx_pci_usb to rtsx_pci_sdmmc to +fix this. + +Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver") +Signed-off-by: Matthew Schwartz +Tested-by: Ricky WU +Reviewed-by: Ricky WU +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/rtsx_pci_sdmmc.c | 41 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +--- a/drivers/mmc/host/rtsx_pci_sdmmc.c ++++ b/drivers/mmc/host/rtsx_pci_sdmmc.c +@@ -1277,6 +1277,46 @@ out: + return err; + } + ++static int sdmmc_card_busy(struct mmc_host *mmc) ++{ ++ struct realtek_pci_sdmmc *host = mmc_priv(mmc); ++ struct rtsx_pcr *pcr = host->pcr; ++ int err; ++ u8 stat; ++ u8 mask = SD_DAT3_STATUS | SD_DAT2_STATUS | SD_DAT1_STATUS ++ | SD_DAT0_STATUS; ++ ++ mutex_lock(&pcr->pcr_mutex); ++ ++ rtsx_pci_start_run(pcr); ++ ++ err = rtsx_pci_write_register(pcr, SD_BUS_STAT, ++ SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, ++ SD_CLK_TOGGLE_EN); ++ if (err) ++ goto out; ++ ++ mdelay(1); ++ ++ err = rtsx_pci_read_register(pcr, SD_BUS_STAT, &stat); ++ if (err) ++ goto out; ++ ++ err = rtsx_pci_write_register(pcr, SD_BUS_STAT, ++ SD_CLK_TOGGLE_EN | SD_CLK_FORCE_STOP, 0); ++out: ++ mutex_unlock(&pcr->pcr_mutex); ++ ++ if (err) ++ return err; ++ ++ /* check if any pin between dat[0:3] is low */ ++ if ((stat & mask) != mask) ++ return 1; ++ else ++ return 0; ++} ++ + static int sdmmc_execute_tuning(struct mmc_host *mmc, u32 opcode) + { + struct realtek_pci_sdmmc *host = 
mmc_priv(mmc); +@@ -1336,6 +1376,7 @@ static const struct mmc_host_ops realtek + .get_ro = sdmmc_get_ro, + .get_cd = sdmmc_get_cd, + .start_signal_voltage_switch = sdmmc_switch_voltage, ++ .card_busy = sdmmc_card_busy, + .execute_tuning = sdmmc_execute_tuning, + }; + diff --git a/queue-5.10/netrom-fix-double-free-in-nr_route_frame.patch b/queue-5.10/netrom-fix-double-free-in-nr_route_frame.patch new file mode 100644 index 0000000000..79eff30be5 --- /dev/null +++ b/queue-5.10/netrom-fix-double-free-in-nr_route_frame.patch 
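Review bot: in the new sdmmc_card_busy() the `mdelay(1)` busy-waits while holding `pcr->pcr_mutex`; since the function already sleeps on the mutex it runs in process context, so `usleep_range(1000, 2000)` would avoid spinning for a millisecond on every card_busy poll. Two smaller points in the same hunk: the trailing `if ((stat & mask) != mask) return 1; else return 0;` can be written as `return (stat & mask) != mask;`, and because the function returns early on a failed first write, `stat` is only read when `err == 0`, which is correct but worth a short comment since `stat` is otherwise uninitialized on that path.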
@@ -0,0 +1,69 @@ +From ba1096c315283ee3292765f6aea4cca15816c4f7 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 19 Jan 2026 15:33:59 +0900 +Subject: netrom: fix double-free in nr_route_frame() + +From: Jeongjun Park + +commit ba1096c315283ee3292765f6aea4cca15816c4f7 upstream. + +In nr_route_frame(), old_skb is immediately freed without checking if +nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, +the caller function will free old_skb again, causing a double-free bug. + +Therefore, to prevent this, we need to modify it to check whether +nr_neigh->ax25 is NULL before freeing old_skb. + +Cc: +Reported-by: syzbot+999115c3bf275797dc27@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69694d6f.050a0220.58bed.0029.GAE@google.com/ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jeongjun Park +Link: https://patch.msgid.link/20260119063359.10604-1-aha310510@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/netrom/nr_route.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/netrom/nr_route.c ++++ b/net/netrom/nr_route.c +@@ -749,7 +749,7 @@ int nr_route_frame(struct sk_buff *skb, + unsigned char *dptr; + ax25_cb *ax25s; + int ret; +- struct sk_buff *skbn; ++ struct sk_buff *nskb, *oskb; + + /* + * Reject malformed packets early. Check that it contains at least 2 +@@ -808,14 +808,16 @@ int nr_route_frame(struct sk_buff *skb, + /* We are going to change the netrom headers so we should get our + own skb, we also did not know until now how much header space + we had to reserve... 
- RXQ */ +- if ((skbn=skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC)) == NULL) { ++ nskb = skb_copy_expand(skb, dev->hard_header_len, 0, GFP_ATOMIC); ++ ++ if (!nskb) { + nr_node_unlock(nr_node); + nr_node_put(nr_node); + dev_put(dev); + return 0; + } +- kfree_skb(skb); +- skb=skbn; ++ oskb = skb; ++ skb = nskb; + skb->data[14]--; + + dptr = skb_push(skb, 1); +@@ -834,6 +836,9 @@ int nr_route_frame(struct sk_buff *skb, + nr_node_unlock(nr_node); + nr_node_put(nr_node); + ++ if (ret) ++ kfree_skb(oskb); ++ + return ret; + } + diff --git a/queue-5.10/octeontx2-fix-otx2_dma_map_page-error-return-code.patch b/queue-5.10/octeontx2-fix-otx2_dma_map_page-error-return-code.patch new file mode 100644 index 0000000000..22ac3fb22d --- /dev/null +++ b/queue-5.10/octeontx2-fix-otx2_dma_map_page-error-return-code.patch 
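Review bot: in the last hunk `kfree_skb(oskb)` is reached whenever `ret` is non-zero, but `oskb` is only assigned on the `skb_copy_expand()` success path shown in the previous hunk; if any other route to this `return ret` exists in the function body between the hunks, `oskb` would be an uninitialized pointer. Initializing it at declaration (`struct sk_buff *nskb, *oskb = NULL;`) makes the free safe on every path, since `kfree_skb(NULL)` is a no-op, and documents the intent. Also worth a comment at the new `if (ret)`: the original skb is freed here only when the caller will not free it, which is the double-free described in the message.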
@@ -0,0 +1,46 @@ +From d998b0e5afffa90d0f03770bad31083767079858 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 14 Jan 2026 13:31:06 +0100 +Subject: octeontx2: Fix otx2_dma_map_page() error return code + +From: Thomas Fourier + +commit d998b0e5afffa90d0f03770bad31083767079858 upstream. + +0 is a valid DMA address [1] so using it as the error value can lead to +errors. The error value of dma_map_XXX() functions is DMA_MAPPING_ERROR +which is ~0. The callers of otx2_dma_map_page() use dma_mapping_error() +to test the return value of otx2_dma_map_page(). This means that they +would not detect an error in otx2_dma_map_page(). + +Make otx2_dma_map_page() return the raw value of dma_map_page_attrs(). + +[1] https://lore.kernel.org/all/f977f68b-cec5-4ab7-b4bd-2cf6aca46267@intel.com + +Fixes: caa2da34fd25 ("octeontx2-pf: Initialize and config queues") +Cc: +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20260114123107.42387-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h +@@ -562,13 +562,8 @@ static inline dma_addr_t otx2_dma_map_pa + size_t offset, size_t size, + enum dma_data_direction dir) + { +- dma_addr_t iova; +- +- iova = dma_map_page_attrs(pfvf->dev, page, ++ return dma_map_page_attrs(pfvf->dev, page, + offset, size, dir, DMA_ATTR_SKIP_CPU_SYNC); +- if (unlikely(dma_mapping_error(pfvf->dev, iova))) +- return (dma_addr_t)NULL; +- return iova; + } + + static inline void otx2_dma_unmap_page(struct otx2_nic *pfvf, diff --git a/queue-5.10/of-fix-reference-count-leak-in-of_alias_scan.patch b/queue-5.10/of-fix-reference-count-leak-in-of_alias_scan.patch new file mode 100644 index 0000000000..f635c29af1 --- /dev/null 
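Review bot: returning `dma_map_page_attrs()` directly is the correct fix because the callers already use `dma_mapping_error()` as the message says, but the continuation line `offset, size, dir, DMA_ATTR_SKIP_CPU_SYNC);` was aligned with the old `iova = dma_map_page_attrs(` call and now sits misaligned under `return dma_map_page_attrs(`; please reindent it. A short comment in the inline helper stating that callers must check the result with `dma_mapping_error()` would also make the contract visible at the definition, since the old `(dma_addr_t)NULL` convention it replaces is exactly the kind of mistake a future reader could reintroduce.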
+++ b/queue-5.10/of-fix-reference-count-leak-in-of_alias_scan.patch @@ -0,0 +1,49 @@ +From 81122fba08fa3ccafab6ed272a5c6f2203923a7e Mon Sep 17 00:00:00 2001 +From: Weigang He +Date: Sat, 17 Jan 2026 09:12:38 +0000 +Subject: of: fix reference count leak in of_alias_scan() + +From: Weigang He + +commit 81122fba08fa3ccafab6ed272a5c6f2203923a7e upstream. + +of_find_node_by_path() returns a device_node with its refcount +incremented. When kstrtoint() fails or dt_alloc() fails, the function +continues to the next iteration without calling of_node_put(), causing +a reference count leak. + +Add of_node_put(np) before continue on both error paths to properly +release the device_node reference. + +Fixes: 611cad720148 ("dt: add of_alias_scan and of_alias_get_id") +Cc: stable@vger.kernel.org +Signed-off-by: Weigang He +Link: https://patch.msgid.link/20260117091238.481243-1-geoffreyhe2@gmail.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -2018,13 +2018,17 @@ void of_alias_scan(void * (*dt_alloc)(u6 + end--; + len = end - start; + +- if (kstrtoint(end, 10, &id) < 0) ++ if (kstrtoint(end, 10, &id) < 0) { ++ of_node_put(np); + continue; ++ } + + /* Allocate an alias_prop with enough space for the stem */ + ap = dt_alloc(sizeof(*ap) + len + 1, __alignof__(*ap)); +- if (!ap) ++ if (!ap) { ++ of_node_put(np); + continue; ++ } + memset(ap, 0, sizeof(*ap) + len + 1); + ap->alias = start; + of_alias_add(ap, np, id, start, len); diff --git a/queue-5.10/perf-x86-intel-do-not-enable-bts-for-guests.patch b/queue-5.10/perf-x86-intel-do-not-enable-bts-for-guests.patch new file mode 100644 index 0000000000..097d0b8d56 --- /dev/null +++ b/queue-5.10/perf-x86-intel-do-not-enable-bts-for-guests.patch 
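Review bot: both hunks add an `of_node_put(np)` before `continue`, which fixes the two error paths named in the message, but the success path ends in `of_alias_add(ap, np, id, start, len)` and the hunk does not show whether that call stores `np` in the alias (consuming the reference) or whether a put is also needed there; please confirm in the commit message that the reference is intentionally kept for the alias_prop. Since the two early exits are now identical, a single `goto` target or a small helper would avoid duplicating the put as more exits are added.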
@@ -0,0 +1,59 @@ +From 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 Mon Sep 17 00:00:00 2001 +From: Fernand Sieber +Date: Thu, 11 Dec 2025 20:36:04 +0200 +Subject: perf/x86/intel: Do not enable BTS for guests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fernand Sieber + +commit 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 upstream. + +By default when users program perf to sample branch instructions +(PERF_COUNT_HW_BRANCH_INSTRUCTIONS) with a sample period of 1, perf +interprets this as a special case and enables BTS (Branch Trace Store) +as an optimization to avoid taking an interrupt on every branch. + +Since BTS doesn't virtualize, this optimization doesn't make sense when +the request originates from a guest. Add an additional check that +prevents this optimization for virtualized events (exclude_host). + +Reported-by: Jan H. Schönherr +Suggested-by: Peter Zijlstra +Signed-off-by: Fernand Sieber +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Link: https://patch.msgid.link/20251211183604.868641-1-sieberf@amazon.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/perf_event.h | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -1088,13 +1088,22 @@ static inline bool intel_pmu_has_bts_per + struct hw_perf_event *hwc = &event->hw; + unsigned int hw_event, bts_event; + +- if (event->attr.freq) ++ /* ++ * Only use BTS for fixed rate period==1 events. ++ */ ++ if (event->attr.freq || period != 1) ++ return false; ++ ++ /* ++ * BTS doesn't virtualize. ++ */ ++ if (event->attr.exclude_host) + return false; + + hw_event = hwc->config & INTEL_ARCH_EVENT_MASK; + bts_event = x86_pmu.event_map(PERF_COUNT_HW_BRANCH_INSTRUCTIONS); + +- return hw_event == bts_event && period == 1; ++ return hw_event == bts_event; + } + + static inline bool intel_pmu_has_bts(struct perf_event *event) 
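Review bot: the new `event->attr.exclude_host` check is the functional change, but the comment above it ("BTS doesn't virtualize.") does not say why `exclude_host` identifies a guest-originated event, which is the non-obvious step; expanding it to note that `exclude_host` is set for events programmed on behalf of a guest would help the next reader. Moving `period != 1` into the first `if` is behaviour-preserving since the old `return` required `period == 1` as well, so the two comment blocks could be merged into one condition to keep the function short.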
diff --git a/queue-5.10/series b/queue-5.10/series index ad8a8eb953..c280ef7959 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -87,3 +87,29 @@ net-bonding-refactor-bond_xmit_hash-for-use-with-xdp.patch bonding-provide-a-net-pointer-to-__skb_flow_dissect.patch octeontx2-af-fix-error-handling.patch net-sched-act_ife-avoid-possible-null-deref.patch +leds-led-class-only-add-led-to-leds_list-when-it-is-fully-ready.patch +of-fix-reference-count-leak-in-of_alias_scan.patch +iio-adc-ad9467-fix-ad9434-vref-mask.patch +iio-adc-at91-sama5d2_adc-fix-potential-use-after-free-in-sama5d2_adc-driver.patch +iio-dac-ad5686-add-ad5695r-to-ad5686_chip_info_tbl.patch +alsa-ctxfi-fix-potential-oob-access-in-audio-mixer-handling.patch +alsa-usb-audio-fix-use-after-free-in-snd_usb_mixer_free.patch +mmc-rtsx_pci_sdmmc-implement-sdmmc_card_busy-function.patch +wifi-ath10k-fix-dma_free_coherent-pointer.patch +wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch +wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch +arm64-set-__nocfi-on-swsusp_arch_resume.patch +octeontx2-fix-otx2_dma_map_page-error-return-code.patch +slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch +slimbus-core-fix-device-reference-leak-on-report-present.patch +intel_th-fix-device-leak-on-output-open.patch +uacce-fix-cdev-handling-in-the-cleanup-path.patch +uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch +uacce-ensure-safe-queue-release-with-state-management.patch +netrom-fix-double-free-in-nr_route_frame.patch +perf-x86-intel-do-not-enable-bts-for-guests.patch +irqchip-gic-v3-its-avoid-truncating-memory-addresses.patch +can-ems_usb-ems_usb_read_bulk_callback-fix-urb-memory-leak.patch +can-kvaser_usb-kvaser_usb_read_bulk_callback-fix-urb-memory-leak.patch +can-mcba_usb-mcba_usb_read_bulk_callback-fix-urb-memory-leak.patch +can-usb_8dev-usb_8dev_read_bulk_callback-fix-urb-memory-leak.patch 
diff --git a/queue-5.10/slimbus-core-fix-device-reference-leak-on-report-present.patch b/queue-5.10/slimbus-core-fix-device-reference-leak-on-report-present.patch new file mode 100644 index 0000000000..43a9aa6c90 --- /dev/null +++ b/queue-5.10/slimbus-core-fix-device-reference-leak-on-report-present.patch @@ -0,0 +1,46 @@ +From 9391380eb91ea5ac792aae9273535c8da5b9aa01 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 26 Nov 2025 15:53:26 +0100 +Subject: slimbus: core: fix device reference leak on report present + +From: Johan Hovold + +commit 9391380eb91ea5ac792aae9273535c8da5b9aa01 upstream. + +Slimbus devices can be allocated dynamically upon reception of +report-present messages. + +Make sure to drop the reference taken when looking up already registered +devices. + +Note that this requires taking an extra reference in case the device has +not yet been registered and has to be allocated. + +Fixes: 46a2bb5a7f7e ("slimbus: core: Add slim controllers support") +Cc: stable@vger.kernel.org # 4.16 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251126145329.5022-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -380,6 +380,8 @@ struct slim_device *slim_get_device(stru + sbdev = slim_alloc_device(ctrl, e_addr, NULL); + if (!sbdev) + return ERR_PTR(-ENOMEM); ++ ++ get_device(&sbdev->dev); + } + + return sbdev; +@@ -514,6 +516,7 @@ int slim_device_report_present(struct sl + ret = slim_device_alloc_laddr(sbdev, true); + } + ++ put_device(&sbdev->dev); + out_put_rpm: + pm_runtime_mark_last_busy(ctrl->dev); + pm_runtime_put_autosuspend(ctrl->dev); diff --git a/queue-5.10/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch b/queue-5.10/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch new file mode 100644 index 0000000000..b87c5b74f0 --- /dev/null 
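Review bot: the `get_device(&sbdev->dev)` added in the first hunk reads like a leak on its own, because the allocation path now holds one more reference than before; it is only correct because the second hunk's `put_device(&sbdev->dev)` in slim_device_report_present() is reached on both the lookup and the allocation path, as the message explains. Please put that reasoning in a comment at the `get_device()` call. Note also that the new `put_device()` sits above the `out_put_rpm:` label, so the `IS_ERR(sbdev)` exit skips it, which is the intended behaviour.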
+++ b/queue-5.10/slimbus-core-fix-runtime-pm-imbalance-on-report-present.patch @@ -0,0 +1,55 @@ +From 0eb4ff6596114aabba1070a66afa2c2f5593739f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 26 Nov 2025 15:53:25 +0100 +Subject: slimbus: core: fix runtime PM imbalance on report present + +From: Johan Hovold + +commit 0eb4ff6596114aabba1070a66afa2c2f5593739f upstream. + +Make sure to balance the runtime PM usage count in case slimbus device +or address allocation fails on report present, which would otherwise +prevent the controller from suspending. + +Fixes: 4b14e62ad3c9 ("slimbus: Add support for 'clock-pause' feature") +Cc: stable@vger.kernel.org # 4.16 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20251126145329.5022-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/core.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/slimbus/core.c ++++ b/drivers/slimbus/core.c +@@ -498,21 +498,23 @@ int slim_device_report_present(struct sl + if (ctrl->sched.clk_state != SLIM_CLK_ACTIVE) { + dev_err(ctrl->dev, "slim ctrl not active,state:%d, ret:%d\n", + ctrl->sched.clk_state, ret); +- goto slimbus_not_active; ++ goto out_put_rpm; + } + + sbdev = slim_get_device(ctrl, e_addr); +- if (IS_ERR(sbdev)) +- return -ENODEV; ++ if (IS_ERR(sbdev)) { ++ ret = -ENODEV; ++ goto out_put_rpm; ++ } + + if (sbdev->is_laddr_valid) { + *laddr = sbdev->laddr; +- return 0; ++ ret = 0; ++ } else { ++ ret = slim_device_alloc_laddr(sbdev, true); + } + +- ret = slim_device_alloc_laddr(sbdev, true); +- +-slimbus_not_active: ++out_put_rpm: + pm_runtime_mark_last_busy(ctrl->dev); + pm_runtime_put_autosuspend(ctrl->dev); + return ret; diff --git a/queue-5.10/uacce-ensure-safe-queue-release-with-state-management.patch b/queue-5.10/uacce-ensure-safe-queue-release-with-state-management.patch new file mode 100644 index 0000000000..0fa8ff490e --- /dev/null 
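Review bot: the label rename and the `ret = -ENODEV; goto out_put_rpm;` exit correctly route the `IS_ERR(sbdev)` failure through the runtime PM put, but in the first hunk the `dev_err()` in context still prints `ret` ("ret:%d") before `ret` is assigned anywhere visible in this function, so the logged value is whatever an earlier call left in it; please check that `ret` holds the intended value at that point or drop it from the message. The `if/else` restructuring for `is_laddr_valid` is fine; a one-line comment that both branches must fall through to the PM put would document why the early `return 0` was removed.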
+++ b/queue-5.10/uacce-ensure-safe-queue-release-with-state-management.patch 
@@ -0,0 +1,89 @@ +From 26c08dabe5475d99a13f353d8dd70e518de45663 Mon Sep 17 00:00:00 2001 +From: Chenghai Huang +Date: Tue, 2 Dec 2025 14:12:56 +0800 +Subject: uacce: ensure safe queue release with state management + +From: Chenghai Huang + +commit 26c08dabe5475d99a13f353d8dd70e518de45663 upstream. + +Directly calling `put_queue` carries risks since it cannot +guarantee that resources of `uacce_queue` have been fully released +beforehand. So adding a `stop_queue` operation for the +UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to +the final resource release ensures safety. + +Queue states are defined as follows: +- UACCE_Q_ZOMBIE: Initial state +- UACCE_Q_INIT: After opening `uacce` +- UACCE_Q_STARTED: After `start` is issued via `ioctl` + +When executing `poweroff -f` in virt while accelerators are still +working, `uacce_fops_release` and `uacce_remove` may execute +concurrently. This can cause `uacce_put_queue` within +`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add +state checks to prevent accessing freed pointers. 
+ +Fixes: 015d239ac014 ("uacce: add uacce driver") +Cc: stable@vger.kernel.org +Signed-off-by: Chenghai Huang +Signed-off-by: Yang Shen +Acked-by: Zhangfei Gao +Link: https://patch.msgid.link/20251202061256.4158641-5-huangchenghai2@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/uacce/uacce.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/misc/uacce/uacce.c ++++ b/drivers/misc/uacce/uacce.c +@@ -37,20 +37,34 @@ static int uacce_start_queue(struct uacc + return 0; + } + +-static int uacce_put_queue(struct uacce_queue *q) ++static int uacce_stop_queue(struct uacce_queue *q) + { + struct uacce_device *uacce = q->uacce; + +- if ((q->state == UACCE_Q_STARTED) && uacce->ops->stop_queue) ++ if (q->state != UACCE_Q_STARTED) ++ return 0; ++ ++ if (uacce->ops->stop_queue) + uacce->ops->stop_queue(q); + +- if ((q->state == UACCE_Q_INIT || q->state == UACCE_Q_STARTED) && +- uacce->ops->put_queue) ++ q->state = UACCE_Q_INIT; ++ ++ return 0; ++} ++ ++static void uacce_put_queue(struct uacce_queue *q) ++{ ++ struct uacce_device *uacce = q->uacce; ++ ++ uacce_stop_queue(q); ++ ++ if (q->state != UACCE_Q_INIT) ++ return; ++ ++ if (uacce->ops->put_queue) + uacce->ops->put_queue(q); + + q->state = UACCE_Q_ZOMBIE; +- +- return 0; + } + + static long uacce_fops_unl_ioctl(struct file *filep, +@@ -77,7 +91,7 @@ static long uacce_fops_unl_ioctl(struct + ret = uacce_start_queue(q); + break; + case UACCE_CMD_PUT_Q: +- ret = uacce_put_queue(q); ++ ret = uacce_stop_queue(q); + break; + default: + if (uacce->ops->ioctl) diff --git a/queue-5.10/uacce-fix-cdev-handling-in-the-cleanup-path.patch b/queue-5.10/uacce-fix-cdev-handling-in-the-cleanup-path.patch new file mode 100644 index 0000000000..8776b7f8ff --- /dev/null +++ b/queue-5.10/uacce-fix-cdev-handling-in-the-cleanup-path.patch 
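Review bot: the state checks in uacce_stop_queue() and uacce_put_queue() only close the race the message describes (uacce_fops_release() racing uacce_remove()) if both callers read and write `q->state` under the same lock; neither hunk shows any locking around the `q->state` tests and assignments, so please confirm in the message which mutex the callers hold, otherwise a check-then-act on `q->state` can still observe the freed `ops`. Smaller point in the first hunk: uacce_stop_queue() is `int` but can only return 0, so either make it `void` and have the `UACCE_CMD_PUT_Q` case set `ret = 0`, or have it propagate a return value from `uacce->ops->stop_queue()` if that can fail.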
@@ -0,0 +1,50 @@ +From a3bece3678f6c88db1f44c602b2a63e84b4040ac Mon Sep 17 00:00:00 2001 +From: Wenkai Lin +Date: Tue, 2 Dec 2025 14:12:53 +0800 +Subject: uacce: fix cdev handling in the cleanup path + +From: Wenkai Lin + +commit a3bece3678f6c88db1f44c602b2a63e84b4040ac upstream. + +When cdev_device_add fails, it internally releases the cdev memory, +and if cdev_device_del is then executed, it will cause a hang error. +To fix it, we check the return value of cdev_device_add() and clear +uacce->cdev to avoid calling cdev_device_del in the uacce_remove. + +Fixes: 015d239ac014 ("uacce: add uacce driver") +Cc: stable@vger.kernel.org +Signed-off-by: Wenkai Lin +Signed-off-by: Chenghai Huang +Acked-by: Zhangfei Gao +Link: https://patch.msgid.link/20251202061256.4158641-2-huangchenghai2@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/uacce/uacce.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/misc/uacce/uacce.c ++++ b/drivers/misc/uacce/uacce.c +@@ -482,6 +482,8 @@ EXPORT_SYMBOL_GPL(uacce_alloc); + */ + int uacce_register(struct uacce_device *uacce) + { ++ int ret; ++ + if (!uacce) + return -ENODEV; + +@@ -492,7 +494,11 @@ int uacce_register(struct uacce_device * + uacce->cdev->ops = &uacce_fops; + uacce->cdev->owner = THIS_MODULE; + +- return cdev_device_add(uacce->cdev, &uacce->dev); ++ ret = cdev_device_add(uacce->cdev, &uacce->dev); ++ if (ret) ++ uacce->cdev = NULL; ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(uacce_register); + diff --git a/queue-5.10/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch b/queue-5.10/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch new file mode 100644 index 0000000000..47790d7ccb --- /dev/null +++ b/queue-5.10/uacce-implement-mremap-in-uacce_vm_ops-to-return-eperm.patch 
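Review bot: clearing `uacce->cdev` when `cdev_device_add()` fails is the right guard for the `cdev_device_del()` in uacce_remove(), but the reason is not visible at the assignment; a comment at `uacce->cdev = NULL;` stating that cdev_device_add() already released the cdev on failure (as the message says) would keep someone from "fixing" it into a `cdev_del()`. The message also carries a duplicated `Signed-off-by: Greg Kroah-Hartman` line that can be dropped.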
@@ -0,0 +1,52 @@ +From 02695347be532b628f22488300d40c4eba48b9b7 Mon Sep 17 00:00:00 2001 +From: Yang Shen +Date: Tue, 2 Dec 2025 14:12:55 +0800 +Subject: uacce: implement mremap in uacce_vm_ops to return -EPERM + +From: Yang Shen + +commit 02695347be532b628f22488300d40c4eba48b9b7 upstream. + +The current uacce_vm_ops does not support the mremap operation of +vm_operations_struct. Implement .mremap to return -EPERM to remind +users. + +The reason we need to explicitly disable mremap is that when the +driver does not implement .mremap, it uses the default mremap +method. This could lead to a risk scenario: + +An application might first mmap address p1, then mremap to p2, +followed by munmap(p1), and finally munmap(p2). Since the default +mremap copies the original vma's vm_private_data (i.e., q) to the +new vma, both munmap operations would trigger vma_close, causing +q->qfr to be freed twice(qfr will be set to null here, so repeated +release is ok). + +Fixes: 015d239ac014 ("uacce: add uacce driver") +Cc: stable@vger.kernel.org +Signed-off-by: Yang Shen +Signed-off-by: Chenghai Huang +Acked-by: Zhangfei Gao +Link: https://patch.msgid.link/20251202061256.4158641-4-huangchenghai2@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/uacce/uacce.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/misc/uacce/uacce.c ++++ b/drivers/misc/uacce/uacce.c +@@ -208,8 +208,14 @@ static void uacce_vma_close(struct vm_ar + kfree(qfr); + } + ++static int uacce_vma_mremap(struct vm_area_struct *area) ++{ ++ return -EPERM; ++} ++ + static const struct vm_operations_struct uacce_vm_ops = { + .close = uacce_vma_close, ++ .mremap = uacce_vma_mremap, + }; + + static int uacce_fops_mmap(struct file *filep, struct vm_area_struct *vma) diff --git a/queue-5.10/wifi-ath10k-fix-dma_free_coherent-pointer.patch b/queue-5.10/wifi-ath10k-fix-dma_free_coherent-pointer.patch new file mode 100644 index 0000000000..93cbe2d65a --- /dev/null 
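Review bot: uacce_vma_mremap() returns `-EPERM` with no explanation in the code, and the reason (the default mremap would copy `vm_private_data`, so two VMAs would share the same queue and both run uacce_vma_close() on it, as the message describes) is exactly what a reader of uacce_vm_ops needs; please add a short comment above the function. The unused `area` parameter is fine for a `vm_operations_struct` callback and needs no change.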
+++ b/queue-5.10/wifi-ath10k-fix-dma_free_coherent-pointer.patch 
@@ -0,0 +1,70 @@ +From 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Mon, 5 Jan 2026 22:04:38 +0100 +Subject: wifi: ath10k: fix dma_free_coherent() pointer + +From: Thomas Fourier + +commit 9282a1e171ad8d2205067e8ec3bbe4e3cef4f29f upstream. + +dma_alloc_coherent() allocates a DMA mapped buffer and stores the +addresses in XXX_unaligned fields. Those should be reused when freeing +the buffer rather than the aligned addresses. + +Fixes: 2a1e1ad3fd37 ("ath10k: Add support for 64 bit ce descriptor") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20260105210439.20131-2-fourier.thomas@gmail.com +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/ce.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/ce.c ++++ b/drivers/net/wireless/ath/ath10k/ce.c +@@ -1791,8 +1791,8 @@ static void _ath10k_ce_free_pipe(struct + (ce_state->src_ring->nentries * + sizeof(struct ce_desc) + + CE_DESC_RING_ALIGN), +- ce_state->src_ring->base_addr_owner_space, +- ce_state->src_ring->base_addr_ce_space); ++ ce_state->src_ring->base_addr_owner_space_unaligned, ++ ce_state->src_ring->base_addr_ce_space_unaligned); + kfree(ce_state->src_ring); + } + +@@ -1801,8 +1801,8 @@ static void _ath10k_ce_free_pipe(struct + (ce_state->dest_ring->nentries * + sizeof(struct ce_desc) + + CE_DESC_RING_ALIGN), +- ce_state->dest_ring->base_addr_owner_space, +- ce_state->dest_ring->base_addr_ce_space); ++ ce_state->dest_ring->base_addr_owner_space_unaligned, ++ ce_state->dest_ring->base_addr_ce_space_unaligned); + kfree(ce_state->dest_ring); + } + +@@ -1822,8 +1822,8 @@ static void _ath10k_ce_free_pipe_64(stru + (ce_state->src_ring->nentries * + sizeof(struct ce_desc_64) + + CE_DESC_RING_ALIGN), +- ce_state->src_ring->base_addr_owner_space, +- ce_state->src_ring->base_addr_ce_space); 
++ ce_state->src_ring->base_addr_owner_space_unaligned, ++ ce_state->src_ring->base_addr_ce_space_unaligned); + kfree(ce_state->src_ring); + } + +@@ -1832,8 +1832,8 @@ static void _ath10k_ce_free_pipe_64(stru + (ce_state->dest_ring->nentries * + sizeof(struct ce_desc_64) + + CE_DESC_RING_ALIGN), +- ce_state->dest_ring->base_addr_owner_space, +- ce_state->dest_ring->base_addr_ce_space); ++ ce_state->dest_ring->base_addr_owner_space_unaligned, ++ ce_state->dest_ring->base_addr_ce_space_unaligned); + kfree(ce_state->dest_ring); + } + diff --git a/queue-5.10/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch b/queue-5.10/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch new file mode 100644 index 0000000000..82bf42feaf --- /dev/null +++ b/queue-5.10/wifi-mwifiex-fix-a-loop-in-mwifiex_update_ampdu_rxwinsize.patch 
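Review bot: in all four hunks of the ath10k ce.c patch (the src_ring and dest_ring cases of both _ath10k_ce_free_pipe() and _ath10k_ce_free_pipe_64()) the size argument passed to dma_free_coherent() already includes the CE_DESC_RING_ALIGN slack, so passing the aligned base_addr_owner_space/base_addr_ce_space pointers handed a CPU/DMA address pair to the allocator that was offset from the original allocation; switching to the *_unaligned fields makes the free match the allocation. The only thing to confirm outside these hunks is that the corresponding alloc path stores base_addr_owner_space_unaligned and base_addr_ce_space_unaligned before rounding up, since a zero or stale value there would now be what reaches dma_free_coherent(); the change is otherwise consistent across the 32-bit and 64-bit descriptor variants.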
@@ -0,0 +1,46 @@ +From 2120f3a3738a65730c81bf10447b1ff776078915 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 8 Jan 2026 23:00:24 +0300 +Subject: wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() + +From: Dan Carpenter + +commit 2120f3a3738a65730c81bf10447b1ff776078915 upstream. + +The "i" iterator variable is used to count two different things but +unfortunately we can't store two different numbers in the same variable. +Use "i" for the outside loop and "j" for the inside loop. + +Cc: stable@vger.kernel.org +Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size") +Signed-off-by: Dan Carpenter +Reviewed-by: Jeff Chen +Link: https://patch.msgid.link/aWAM2MGUWRP0zWUd@stanley.mountain +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c +@@ -839,7 +839,7 @@ void mwifiex_update_rxreor_flags(struct + static void mwifiex_update_ampdu_rxwinsize(struct mwifiex_adapter *adapter, + bool coex_flag) + { +- u8 i; ++ u8 i, j; + u32 rx_win_size; + struct mwifiex_private *priv; + +@@ -879,8 +879,8 @@ static void mwifiex_update_ampdu_rxwinsi + if (rx_win_size != priv->add_ba_param.rx_win_size) { + if (!priv->media_connected) + continue; +- for (i = 0; i < MAX_NUM_TID; i++) +- mwifiex_11n_delba(priv, i); ++ for (j = 0; j < MAX_NUM_TID; j++) ++ mwifiex_11n_delba(priv, j); + } + } + } diff --git a/queue-5.10/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch b/queue-5.10/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch new file mode 100644 index 0000000000..155fe87a05 --- /dev/null +++ b/queue-5.10/wifi-rsi-fix-memory-corruption-due-to-not-set-vif-driver-data-size.patch 
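Review bot: in the second hunk of the mwifiex 11n_rxreorder.c patch, the inner `for (j = 0; j < MAX_NUM_TID; j++) mwifiex_11n_delba(priv, j);` no longer clobbers the outer iterator `i`, which the first hunk declares alongside `j` as `u8 i, j;`; before this change the outer loop's counter was left at MAX_NUM_TID after the first connected interface with a changed rx_win_size, so remaining interfaces were either skipped or, depending on the outer bound, revisited. Since the outer loop header is not in the hunk, it is worth checking that its bound also fits in a u8 and that nothing else in the function reads `i` after the inner loop; as shown, the declaration change is the only other line touched, which is correct for a minimal stable backport.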
@@ -0,0 +1,57 @@ +From 4f431d88ea8093afc7ba55edf4652978c5a68f33 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sat, 10 Jan 2026 00:56:29 +0100 +Subject: wifi: rsi: Fix memory corruption due to not set vif driver data size + +From: Marek Vasut + +commit 4f431d88ea8093afc7ba55edf4652978c5a68f33 upstream. + +The struct ieee80211_vif contains trailing space for vif driver data, +when struct ieee80211_vif is allocated, the total memory size that is +allocated is sizeof(struct ieee80211_vif) + size of vif driver data. +The size of vif driver data is set by each WiFi driver as needed. + +The RSI911x driver does not set vif driver data size, no trailing space +for vif driver data is therefore allocated past struct ieee80211_vif . +The RSI911x driver does however use the vif driver data to store its +vif driver data structure "struct vif_priv". An access to vif->drv_priv +leads to access out of struct ieee80211_vif bounds and corruption of +some memory. + +In case of the failure observed locally, rsi_mac80211_add_interface() +would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; +vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member +struct list_head new_flows . The flow = list_first_entry(head, struct +fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus +address, which when accessed causes a crash. + +The trigger is very simple, boot the machine with init=/bin/sh , mount +devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", +"ip link set wlan0 down" and the crash occurs. + +Fix this by setting the correct size of vif driver data, which is the +size of "struct vif_priv", so that memory is allocated and the driver +can store its driver data in it, instead of corrupting memory around +it. 
+ +Cc: stable@vger.kernel.org +Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") +Signed-off-by: Marek Vasut +Link: https://patch.msgid.link/20260109235817.150330-1-marex@nabladev.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c ++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c +@@ -2005,6 +2005,7 @@ int rsi_mac80211_attach(struct rsi_commo + + hw->queues = MAX_HW_QUEUES; + hw->extra_tx_headroom = RSI_NEEDED_HEADROOM; ++ hw->vif_data_size = sizeof(struct vif_priv); + + hw->max_rates = 1; + hw->max_rate_tries = MAX_RETRIES; -- 2.47.3
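Review bot: the single hunk in rsi_mac80211_attach() sets `hw->vif_data_size = sizeof(struct vif_priv);` next to the other hw capability fields, which is the right place since mac80211 sizes the trailing drv_priv area from this field when it allocates each vif; without it every access through vif->drv_priv in the driver (the commit message cites the vap_id write in rsi_mac80211_add_interface()) lands past the end of struct ieee80211_vif. The hunk relies on struct vif_priv being visible in rsi_91x_mac80211.c, which holds because the same file already casts vif->drv_priv to it; one follow-up worth a comment in the commit is whether other users of drv_priv in the driver assume any additional alignment or size beyond sizeof(struct vif_priv), since this one-liner only covers that structure.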