From cdeb2c5bf45d98cd128faea64e6a56a7fdcfc859 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 17:00:31 +0100 Subject: [PATCH] 6.1-stable patches added patches: amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch hwmon-max16065-use-local-variable-to-avoid-toctou.patch hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch rpmsg-glink-fix-rpmsg-device-leak.patch soc-amlogic-canvas-fix-device-leak-on-lookup.patch soc-qcom-ocmem-fix-device-leak-on-lookup.patch --- ...a-ahb-fix-device-leak-on-smmu-enable.patch | 34 ++++++ ...5-use-local-variable-to-avoid-toctou.patch | 51 ++++++++ ...-macros-to-functions-to-avoid-toctou.patch | 79 ++++++++++++ ...-macros-to-functions-to-avoid-toctou.patch | 93 ++++++++++++++ ...fix-reference-leak-in-mp2-pci-device.patch | 51 ++++++++ ...nt33fe-don-t-dereference-swnode-args.patch | 115 ++++++++++++++++++ .../rpmsg-glink-fix-rpmsg-device-leak.patch | 83 +++++++++++++ queue-6.1/series | 9 ++ ...gic-canvas-fix-device-leak-on-lookup.patch | 46 +++++++ ...qcom-ocmem-fix-device-leak-on-lookup.patch | 45 +++++++ 10 files changed, 606 insertions(+) create mode 100644 queue-6.1/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch create mode 100644 queue-6.1/hwmon-max16065-use-local-variable-to-avoid-toctou.patch create mode 100644 queue-6.1/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch create mode 100644 queue-6.1/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch create mode 100644 queue-6.1/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch create mode 100644 queue-6.1/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch create mode 100644 queue-6.1/rpmsg-glink-fix-rpmsg-device-leak.patch create mode 100644 queue-6.1/soc-amlogic-canvas-fix-device-leak-on-lookup.patch create mode 100644 queue-6.1/soc-qcom-ocmem-fix-device-leak-on-lookup.patch diff --git a/queue-6.1/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch b/queue-6.1/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch new file mode 100644 index 0000000000..1c822677bf --- /dev/null +++ b/queue-6.1/amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch @@ -0,0 +1,34 @@ +From 500e1368e46928f4b2259612dcabb6999afae2a6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 25 Sep 2025 17:00:07 +0200 +Subject: amba: tegra-ahb: Fix device leak on SMMU enable + +From: Johan Hovold + +commit 500e1368e46928f4b2259612dcabb6999afae2a6 upstream. + +Make sure to drop the reference taken to the AHB platform device when +looking up its driver data while enabling the SMMU. + +Note that holding a reference to a device does not prevent its driver +data from going away. + +Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB") +Cc: stable@vger.kernel.org # 3.5 +Signed-off-by: Johan Hovold +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + drivers/amba/tegra-ahb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/amba/tegra-ahb.c ++++ b/drivers/amba/tegra-ahb.c +@@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_ + if (!dev) + return -EPROBE_DEFER; + ahb = dev_get_drvdata(dev); ++ put_device(dev); + val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL); + val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE; + gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL); diff --git a/queue-6.1/hwmon-max16065-use-local-variable-to-avoid-toctou.patch b/queue-6.1/hwmon-max16065-use-local-variable-to-avoid-toctou.patch new file mode 100644 index 0000000000..c6bbe5df10 --- /dev/null +++ b/queue-6.1/hwmon-max16065-use-local-variable-to-avoid-toctou.patch @@ -0,0 +1,51 @@ +From b8d5acdcf525f44e521ca4ef51dce4dac403dab4 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 28 Nov 2025 20:47:09 +0800 +Subject: hwmon: (max16065) Use local variable to avoid TOCTOU + +From: Gui-Dong Han + +commit b8d5acdcf525f44e521ca4ef51dce4dac403dab4 upstream. + +In max16065_current_show, data->curr_sense is read twice: once for the +error check and again for the calculation. Since +i2c_smbus_read_byte_data returns negative error codes on failure, if the +data changes to an error code between the check and the use, ADC_TO_CURR +results in an incorrect calculation. + +Read data->curr_sense into a local variable to ensure consistency. Note +that data->curr_gain is constant and safe to access directly. + +This aligns max16065_current_show with max16065_input_show, which +already uses a local variable for the same reason. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251128124709.3876-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/max16065.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/max16065.c ++++ b/drivers/hwmon/max16065.c +@@ -216,12 +216,13 @@ static ssize_t max16065_current_show(str + struct device_attribute *da, char *buf) + { + struct max16065_data *data = max16065_update_device(dev); ++ int curr_sense = data->curr_sense; + +- if (unlikely(data->curr_sense < 0)) +- return data->curr_sense; ++ if (unlikely(curr_sense < 0)) ++ return curr_sense; + + return sysfs_emit(buf, "%d\n", +- ADC_TO_CURR(data->curr_sense, data->curr_gain)); ++ ADC_TO_CURR(curr_sense, data->curr_gain)); + } + + static ssize_t max16065_limit_store(struct device *dev, diff --git a/queue-6.1/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch b/queue-6.1/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch new file mode 100644 index 0000000000..3361db0219 --- /dev/null +++ b/queue-6.1/hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch @@ -0,0 +1,79 @@ +From 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Wed, 3 Dec 2025 02:01:05 +0800 +Subject: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU + +From: Gui-Dong Han + +commit 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 upstream. + +The macro FAN_FROM_REG evaluates its arguments multiple times. When used +in lockless contexts involving shared driver data, this leads to +Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially +causing divide-by-zero errors. + +Convert the macro to a static function. This guarantees that arguments +are evaluated only once (pass-by-value), preventing the race +conditions. + +Additionally, in store_fan_div, move the calculation of the minimum +limit inside the update lock. This ensures that the read-modify-write +sequence operates on consistent data. + +Adhere to the principle of minimal changes by only converting macros +that evaluate arguments multiple times and are used in lockless +contexts. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: 9873964d6eb2 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/w83791d.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/hwmon/w83791d.c ++++ b/drivers/hwmon/w83791d.c +@@ -218,9 +218,14 @@ static u8 fan_to_reg(long rpm, int div) + return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254); + } + +-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \ +- ((val) == 255 ? 0 : \ +- 1350000 / ((val) * (div)))) ++static int fan_from_reg(int val, int div) ++{ ++ if (val == 0) ++ return -1; ++ if (val == 255) ++ return 0; ++ return 1350000 / (val * div); ++} + + /* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */ + #define TEMP1_FROM_REG(val) ((val) * 1000) +@@ -521,7 +526,7 @@ static ssize_t show_##reg(struct device + struct w83791d_data *data = w83791d_update_device(dev); \ + int nr = sensor_attr->index; \ + return sprintf(buf, "%d\n", \ +- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ ++ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ + } + + show_fan_reg(fan); +@@ -585,10 +590,10 @@ static ssize_t store_fan_div(struct devi + if (err) + return err; + ++ mutex_lock(&data->update_lock); + /* Save fan_min */ +- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); ++ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); + +- mutex_lock(&data->update_lock); + data->fan_div[nr] = div_to_reg(nr, val); + + switch (nr) { diff --git a/queue-6.1/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch b/queue-6.1/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch new file mode 100644 index 0000000000..2b4a935d6c --- /dev/null +++ b/queue-6.1/hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch @@ -0,0 +1,93 @@ +From 07272e883fc61574b8367d44de48917f622cdd83 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 28 Nov 2025 20:38:16 +0800 +Subject: hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU + +From: Gui-Dong Han + +commit 07272e883fc61574b8367d44de48917f622cdd83 upstream. + +The macros FAN_FROM_REG and TEMP_FROM_REG evaluate their arguments +multiple times. When used in lockless contexts involving shared driver +data, this causes Time-of-Check to Time-of-Use (TOCTOU) race +conditions. + +Convert the macros to static functions. This guarantees that arguments +are evaluated only once (pass-by-value), preventing the race +conditions. + +Adhere to the principle of minimal changes by only converting macros +that evaluate arguments multiple times and are used in lockless +contexts. + +Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/ +Fixes: 85f03bccd6e0 ("hwmon: Add support for Winbond W83L786NG/NR") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Link: https://lore.kernel.org/r/20251128123816.3670-1-hanguidong02@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/w83l786ng.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/drivers/hwmon/w83l786ng.c ++++ b/drivers/hwmon/w83l786ng.c +@@ -77,15 +77,25 @@ FAN_TO_REG(long rpm, int div) + return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254); + } + +-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \ +- ((val) == 255 ? 0 : \ +- 1350000 / ((val) * (div)))) ++static int fan_from_reg(int val, int div) ++{ ++ if (val == 0) ++ return -1; ++ if (val == 255) ++ return 0; ++ return 1350000 / (val * div); ++} + + /* for temp */ + #define TEMP_TO_REG(val) (clamp_val(((val) < 0 ? (val) + 0x100 * 1000 \ + : (val)) / 1000, 0, 0xff)) +-#define TEMP_FROM_REG(val) (((val) & 0x80 ? \ +- (val) - 0x100 : (val)) * 1000) ++ ++static int temp_from_reg(int val) ++{ ++ if (val & 0x80) ++ return (val - 0x100) * 1000; ++ return val * 1000; ++} + + /* + * The analog voltage inputs have 8mV LSB. Since the sysfs output is +@@ -281,7 +291,7 @@ static ssize_t show_##reg(struct device + int nr = to_sensor_dev_attr(attr)->index; \ + struct w83l786ng_data *data = w83l786ng_update_device(dev); \ + return sprintf(buf, "%d\n", \ +- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ ++ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \ + } + + show_fan_reg(fan); +@@ -348,7 +358,7 @@ store_fan_div(struct device *dev, struct + + /* Save fan_min */ + mutex_lock(&data->update_lock); +- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); ++ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr])); + + data->fan_div[nr] = DIV_TO_REG(val); + +@@ -410,7 +420,7 @@ show_temp(struct device *dev, struct dev + int nr = sensor_attr->nr; + int index = sensor_attr->index; + struct w83l786ng_data *data = w83l786ng_update_device(dev); +- return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[nr][index])); ++ return sprintf(buf, "%d\n", temp_from_reg(data->temp[nr][index])); + } + + static ssize_t diff --git a/queue-6.1/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch b/queue-6.1/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch new file mode 100644 index 0000000000..6df1b2c498 --- /dev/null +++ b/queue-6.1/i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch @@ -0,0 +1,51 @@ +From a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 22 Oct 2025 17:54:02 +0800 +Subject: i2c: amd-mp2: fix reference leak in MP2 PCI device + +From: Ma Ke + +commit a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 upstream. + +In i2c_amd_probe(), amd_mp2_find_device() utilizes +driver_find_next_device() which internally calls driver_find_device() +to locate the matching device. driver_find_device() increments the +reference count of the found device by calling get_device(), but +amd_mp2_find_device() fails to call put_device() to decrement the +reference count before returning. This results in a reference count +leak of the PCI device each time i2c_amd_probe() is executed, which +may prevent the device from being properly released and cause a memory +leak. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller") +Signed-off-by: Ma Ke +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20251022095402.8846-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-amd-mp2-pci.c ++++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c +@@ -449,13 +449,16 @@ struct amd_mp2_dev *amd_mp2_find_device( + { + struct device *dev; + struct pci_dev *pci_dev; ++ struct amd_mp2_dev *mp2_dev; + + dev = driver_find_next_device(&amd_mp2_pci_driver.driver, NULL); + if (!dev) + return NULL; + + pci_dev = to_pci_dev(dev); +- return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); ++ mp2_dev = (struct amd_mp2_dev *)pci_get_drvdata(pci_dev); ++ put_device(dev); ++ return mp2_dev; + } + EXPORT_SYMBOL_GPL(amd_mp2_find_device); + diff --git a/queue-6.1/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch b/queue-6.1/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch new file mode 100644 index 0000000000..17f7a688ae --- /dev/null +++ b/queue-6.1/platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch @@ -0,0 +1,115 @@ +From 527250cd9092461f1beac3e4180a4481bffa01b5 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Fri, 21 Nov 2025 11:04:50 +0100 +Subject: platform/x86: intel: chtwc_int33fe: don't dereference swnode args +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bartosz Golaszewski + +commit 527250cd9092461f1beac3e4180a4481bffa01b5 upstream. + +Members of struct software_node_ref_args should not be dereferenced +directly but set using the provided macros. Commit d7cdbbc93c56 +("software node: allow referencing firmware nodes") changed the name of +the software node member and caused a build failure. Remove all direct +dereferences of the ref struct as a fix. + +However, this driver also seems to abuse the software node interface by +waiting for a node with an arbitrary name "intel-xhci-usb-sw" to appear +in the system before setting up the reference for the I2C device, while +the actual software node already exists in the intel-xhci-usb-role-switch +module and should be used to set up a static reference. Add a FIXME for +a future improvement. + +Fixes: d7cdbbc93c56 ("software node: allow referencing firmware nodes") +Fixes: 53c24c2932e5 ("platform/x86: intel_cht_int33fe: use inline reference properties") +Cc: stable@vger.kernel.org +Reported-by: Stephen Rothwell +Closes: https://lore.kernel.org/all/20251121111534.7cdbfe5c@canb.auug.org.au/ +Signed-off-by: Bartosz Golaszewski +Reviewed-by: Hans de Goede +Acked-by: Ilpo Järvinen +Signed-off-by: Philipp Zabel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel/chtwc_int33fe.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +--- a/drivers/platform/x86/intel/chtwc_int33fe.c ++++ b/drivers/platform/x86/intel/chtwc_int33fe.c +@@ -77,7 +77,7 @@ static const struct software_node max170 + * software node. + */ + static struct software_node_ref_args fusb302_mux_refs[] = { +- { .node = NULL }, ++ SOFTWARE_NODE_REFERENCE(NULL), + }; + + static const struct property_entry fusb302_properties[] = { +@@ -190,11 +190,6 @@ static void cht_int33fe_remove_nodes(str + { + software_node_unregister_node_group(node_group); + +- if (fusb302_mux_refs[0].node) { +- fwnode_handle_put(software_node_fwnode(fusb302_mux_refs[0].node)); +- fusb302_mux_refs[0].node = NULL; +- } +- + if (data->dp) { + data->dp->secondary = NULL; + fwnode_handle_put(data->dp); +@@ -202,7 +197,15 @@ static void cht_int33fe_remove_nodes(str + } + } + +-static int cht_int33fe_add_nodes(struct cht_int33fe_data *data) ++static void cht_int33fe_put_swnode(void *data) ++{ ++ struct fwnode_handle *fwnode = data; ++ ++ fwnode_handle_put(fwnode); ++ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(NULL); ++} ++ ++static int cht_int33fe_add_nodes(struct device *dev, struct cht_int33fe_data *data) + { + const struct software_node *mux_ref_node; + int ret; +@@ -212,17 +215,25 @@ static int cht_int33fe_add_nodes(struct + * until the mux driver has created software node for the mux device. + * It means we depend on the mux driver. This function will return + * -EPROBE_DEFER until the mux device is registered. ++ * ++ * FIXME: the relevant software node exists in intel-xhci-usb-role-switch ++ * and - if exported - could be used to set up a static reference. + */ + mux_ref_node = software_node_find_by_name(NULL, "intel-xhci-usb-sw"); + if (!mux_ref_node) + return -EPROBE_DEFER; + ++ ret = devm_add_action_or_reset(dev, cht_int33fe_put_swnode, ++ software_node_fwnode(mux_ref_node)); ++ if (ret) ++ return ret; ++ + /* + * Update node used in "usb-role-switch" property. Note that we + * rely on software_node_register_node_group() to use the original + * instance of properties instead of copying them. + */ +- fusb302_mux_refs[0].node = mux_ref_node; ++ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(mux_ref_node); + + ret = software_node_register_node_group(node_group); + if (ret) +@@ -345,7 +356,7 @@ static int cht_int33fe_typec_probe(struc + return fusb302_irq; + } + +- ret = cht_int33fe_add_nodes(data); ++ ret = cht_int33fe_add_nodes(dev, data); + if (ret) + return ret; + diff --git a/queue-6.1/rpmsg-glink-fix-rpmsg-device-leak.patch b/queue-6.1/rpmsg-glink-fix-rpmsg-device-leak.patch new file mode 100644 index 0000000000..39485a853e --- /dev/null +++ b/queue-6.1/rpmsg-glink-fix-rpmsg-device-leak.patch @@ -0,0 +1,83 @@ +From a53e356df548f6b0e82529ef3cc6070f42622189 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 22 Aug 2025 11:00:42 +0100 +Subject: rpmsg: glink: fix rpmsg device leak + +From: Srinivas Kandagatla + +commit a53e356df548f6b0e82529ef3cc6070f42622189 upstream. + +While testing rpmsg-char interface it was noticed that duplicate sysfs +entries are getting created and below warning is noticed. + +Reason for this is that we are leaking rpmsg device pointer, setting it +null without actually unregistering device. +Any further attempts to unregister fail because rpdev is NULL, +resulting in a leak. + +Fix this by unregistering rpmsg device before removing its reference +from rpmsg channel. + +sysfs: cannot create duplicate filename '/devices/platform/soc@0/3700000.remot +eproc/remoteproc/remoteproc1/3700000.remoteproc:glink-edge/3700000.remoteproc: +glink-edge.adsp_apps.-1.-1' +[ 114.115347] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not + tainted 6.16.0-rc4 #7 PREEMPT +[ 114.115355] Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 (DT) +[ 114.115358] Workqueue: events qcom_glink_work +[ 114.115371] Call trace:8 +[ 114.115374] show_stack+0x18/0x24 (C) +[ 114.115382] dump_stack_lvl+0x60/0x80 +[ 114.115388] dump_stack+0x18/0x24 +[ 114.115393] sysfs_warn_dup+0x64/0x80 +[ 114.115402] sysfs_create_dir_ns+0xf4/0x120 +[ 114.115409] kobject_add_internal+0x98/0x260 +[ 114.115416] kobject_add+0x9c/0x108 +[ 114.115421] device_add+0xc4/0x7a0 +[ 114.115429] rpmsg_register_device+0x5c/0xb0 +[ 114.115434] qcom_glink_work+0x4bc/0x820 +[ 114.115438] process_one_work+0x148/0x284 +[ 114.115446] worker_thread+0x2c4/0x3e0 +[ 114.115452] kthread+0x12c/0x204 +[ 114.115457] ret_from_fork+0x10/0x20 +[ 114.115464] kobject: kobject_add_internal failed for 3700000.remoteproc: +glink-edge.adsp_apps.-1.-1 with -EEXIST, don't try to register things with +the same name in the same directory. +[ 114.250045] rpmsg 3700000.remoteproc:glink-edge.adsp_apps.-1.-1: +device_add failed: -17 + +Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250822100043.2604794-2-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rpmsg/qcom_glink_native.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -1242,6 +1242,7 @@ static void qcom_glink_destroy_ept(struc + { + struct glink_channel *channel = to_glink_channel(ept); + struct qcom_glink *glink = channel->glink; ++ struct rpmsg_channel_info chinfo; + unsigned long flags; + + spin_lock_irqsave(&channel->recv_lock, flags); +@@ -1249,6 +1250,13 @@ static void qcom_glink_destroy_ept(struc + spin_unlock_irqrestore(&channel->recv_lock, flags); + + /* Decouple the potential rpdev from the channel */ ++ if (channel->rpdev) { ++ strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name)); ++ chinfo.src = RPMSG_ADDR_ANY; ++ chinfo.dst = RPMSG_ADDR_ANY; ++ ++ rpmsg_unregister_device(glink->dev, &chinfo); ++ } + channel->rpdev = NULL; + + qcom_glink_send_close_req(glink, channel); diff --git a/queue-6.1/series b/queue-6.1/series index 42dfb91371..6e44219806 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -376,3 +376,12 @@ powerpc-kexec-enable-smt-before-waking-offline-cpus.patch io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch io_uring-fix-filename-leak-in-__io_openat_prep.patch drm-amd-display-use-gfp_atomic-in-dc_create_plane_state.patch +amba-tegra-ahb-fix-device-leak-on-smmu-enable.patch +soc-qcom-ocmem-fix-device-leak-on-lookup.patch +soc-amlogic-canvas-fix-device-leak-on-lookup.patch +rpmsg-glink-fix-rpmsg-device-leak.patch +platform-x86-intel-chtwc_int33fe-don-t-dereference-swnode-args.patch +i2c-amd-mp2-fix-reference-leak-in-mp2-pci-device.patch +hwmon-max16065-use-local-variable-to-avoid-toctou.patch +hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch +hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch diff --git a/queue-6.1/soc-amlogic-canvas-fix-device-leak-on-lookup.patch b/queue-6.1/soc-amlogic-canvas-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..41df535388 --- /dev/null +++ b/queue-6.1/soc-amlogic-canvas-fix-device-leak-on-lookup.patch @@ -0,0 +1,46 @@ +From 32200f4828de9d7e6db379909898e718747f4e18 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:24:53 +0200 +Subject: soc: amlogic: canvas: fix device leak on lookup + +From: Johan Hovold + +commit 32200f4828de9d7e6db379909898e718747f4e18 upstream. + +Make sure to drop the reference taken to the canvas platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Also note that commit 28f851e6afa8 ("soc: amlogic: canvas: add missing +put_device() call in meson_canvas_get()") fixed the leak in a lookup +error path, but the reference is still leaking on success. + +Fixes: d4983983d987 ("soc: amlogic: add meson-canvas driver") +Cc: stable@vger.kernel.org # 4.20: 28f851e6afa8 +Cc: Yu Kuai +Signed-off-by: Johan Hovold +Reviewed-by: Martin Blumenstingl +Link: https://patch.msgid.link/20250926142454.5929-2-johan@kernel.org +Signed-off-by: Neil Armstrong +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/amlogic/meson-canvas.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/soc/amlogic/meson-canvas.c ++++ b/drivers/soc/amlogic/meson-canvas.c +@@ -72,10 +72,9 @@ struct meson_canvas *meson_canvas_get(st + * current state, this driver probe cannot return -EPROBE_DEFER + */ + canvas = dev_get_drvdata(&canvas_pdev->dev); +- if (!canvas) { +- put_device(&canvas_pdev->dev); ++ put_device(&canvas_pdev->dev); ++ if (!canvas) + return ERR_PTR(-EINVAL); +- } + + return canvas; + } diff --git a/queue-6.1/soc-qcom-ocmem-fix-device-leak-on-lookup.patch b/queue-6.1/soc-qcom-ocmem-fix-device-leak-on-lookup.patch new file mode 100644 index 0000000000..f56c435435 --- /dev/null +++ b/queue-6.1/soc-qcom-ocmem-fix-device-leak-on-lookup.patch @@ -0,0 +1,45 @@ +From b5c16ea57b030b8e9428ec726e26219dfe05c3d9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 26 Sep 2025 16:35:10 +0200 +Subject: soc: qcom: ocmem: fix device leak on lookup + +From: Johan Hovold + +commit b5c16ea57b030b8e9428ec726e26219dfe05c3d9 upstream. + +Make sure to drop the reference taken to the ocmem platform device when +looking up its driver data. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Also note that commit 0ff027027e05 ("soc: qcom: ocmem: Fix missing +put_device() call in of_get_ocmem") fixed the leak in a lookup error +path, but the reference is still leaking on success. + +Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver") +Cc: stable@vger.kernel.org # 5.5: 0ff027027e05 +Cc: Brian Masney +Cc: Miaoqian Lin +Signed-off-by: Johan Hovold +Reviewed-by: Brian Masney +Link: https://lore.kernel.org/r/20250926143511.6715-2-johan@kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/ocmem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/ocmem.c ++++ b/drivers/soc/qcom/ocmem.c +@@ -211,9 +211,9 @@ struct ocmem *of_get_ocmem(struct device + of_node_put(devnode); + + ocmem = platform_get_drvdata(pdev); ++ put_device(&pdev->dev); + if (!ocmem) { + dev_err(dev, "Cannot get ocmem\n"); +- put_device(&pdev->dev); + return ERR_PTR(-ENODEV); + } + return ocmem; -- 2.47.3