From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 14:54:41 +0000 (+0200) Subject: 7.0-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3b6a876a891a1eda17a6893cb546d537a3583308;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: accel-ethosu-fix-arithmetic-issues-in-dma_length.patch accel-ethosu-fix-ifm-region-index-out-of-bounds-in-command-stream-parser.patch accel-ethosu-fix-oob-write-in-ethosu_gem_cmdstream_copy_and_validate.patch accel-ethosu-fix-wrong-weight-index-in-npu_set_scale1_length-on-u85.patch accel-ethosu-reject-dma-commands-with-uninitialized-length.patch accel-ethosu-reject-npu_op_resize-commands-from-userspace.patch firmware-samsung-acpm-fix-mailbox-channel-leak-on-probe-error.patch fs-qnx6-fix-pointer-arithmetic-in-directory-iteration.patch fuse-limit-fuse_notify_retrieve-to-uptodate-folios.patch fuse-reject-fuse_notify-pagecache-ops-on-directories.patch futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch i2c-imx-fix-clock-and-pinctrl-state-inconsistency-in-runtime-pm.patch i2c-imx-lpi2c-fix-resource-leaks-switching-to-devm_dma_request_chan.patch i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch i2c-tegra-fix-noirq-suspend-resume.patch input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch iomap-avoid-potential-null-folio-mapping-deref-during-error-reporting.patch iommu-dma-do-not-try-to-iommu_map-a-0-length-region-in-swiotlb.patch ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch memcg-use-round-robin-victim-selection-in-refill_stock.patch memory-atmel-ebi-allow-deferred-probing.patch misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch 
misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch net-airoha-add-null-check-for-of_reserved_mem_lookup-in-airoha_qdma_init_hfwd_queues.patch net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch net-mv643xx-fix-of-node-refcount.patch net-phonet-free-phonet_device-after-rcu-grace-period.patch net-rds-clear-i_sends-on-setup-unwind.patch net-sfp-initialize-i2c_block_size-at-adapter-configure-time.patch nvmem-core-fix-use-after-free-bugs-in-error-paths.patch nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch pinctrl-mcp23s08-read-spi-present-mask-as-u8-not-u32.patch --- diff --git a/queue-7.0/accel-ethosu-fix-arithmetic-issues-in-dma_length.patch b/queue-7.0/accel-ethosu-fix-arithmetic-issues-in-dma_length.patch new file mode 100644 index 0000000000..d09e64a7fd --- /dev/null +++ b/queue-7.0/accel-ethosu-fix-arithmetic-issues-in-dma_length.patch 
@@ -0,0 +1,91 @@ +From ee6d9b6e51626f259c6f0e38d94f91be4fd14754 Mon Sep 17 00:00:00 2001 +From: Muhammad Bilal +Date: Sun, 24 May 2026 10:37:10 +0000 +Subject: accel/ethosu: fix arithmetic issues in dma_length() + +From: Muhammad Bilal + +commit ee6d9b6e51626f259c6f0e38d94f91be4fd14754 upstream. + +dma_length() derives DMA region usage from command stream values and +updates region_size[]: + + len = ((len + stride[0]) * size0 + stride[1]) * size1 + region_size[region] = max(..., len + dma->offset) + +Several arithmetic issues can corrupt the derived region size: + +- signed stride values may underflow when added to len +- intermediate multiplications may overflow +- len + dma->offset may overflow during region_size updates +- dma_length() error returns were not validated by the caller + +region_size[] is later used by ethosu_job.c to validate command stream +accesses against GEM buffer sizes. Arithmetic wraparound can therefore +under-report region usage and bypass the bounds validation. + +Fix by validating signed additions, using overflow helpers for +multiplications and offset updates, and propagating dma_length() +failures to the caller. + +Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Bilal +Link: https://patch.msgid.link/20260524103710.47397-1-meatuni001@gmail.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ethosu/ethosu_gem.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/accel/ethosu/ethosu_gem.c ++++ b/drivers/accel/ethosu/ethosu_gem.c +@@ -2,6 +2,7 @@ + /* Copyright 2025 Arm, Ltd. 
*/ + + #include ++#include + #include + + #include +@@ -164,16 +165,26 @@ static u64 dma_length(struct ethosu_vali + u64 len = dma->len; + + if (mode >= 1) { ++ if (dma->stride[0] < 0 && (u64)(-dma->stride[0]) > len) ++ return U64_MAX; + len += dma->stride[0]; +- len *= dma_st->size0; ++ if (check_mul_overflow(len, (u64)dma_st->size0, &len)) ++ return U64_MAX; + } + if (mode == 2) { ++ if (dma->stride[1] < 0 && (u64)(-dma->stride[1]) > len) ++ return U64_MAX; + len += dma->stride[1]; +- len *= dma_st->size1; ++ if (check_mul_overflow(len, (u64)dma_st->size1, &len)) ++ return U64_MAX; ++ } ++ if (dma->region >= 0) { ++ u64 end; ++ ++ if (check_add_overflow(len, dma->offset, &end)) ++ return U64_MAX; ++ info->region_size[dma->region] = max(info->region_size[dma->region], end); + } +- if (dma->region >= 0) +- info->region_size[dma->region] = max(info->region_size[dma->region], +- len + dma->offset); + + return len; + } +@@ -397,6 +408,8 @@ static int ethosu_gem_cmdstream_copy_and + case NPU_OP_DMA_START: + srclen = dma_length(info, &st.dma, &st.dma.src); + dstlen = dma_length(info, &st.dma, &st.dma.dst); ++ if (srclen == U64_MAX || dstlen == U64_MAX) ++ return -EINVAL; + + if (st.dma.dst.region >= 0) + info->output_region[st.dma.dst.region] = true; diff --git a/queue-7.0/accel-ethosu-fix-ifm-region-index-out-of-bounds-in-command-stream-parser.patch b/queue-7.0/accel-ethosu-fix-ifm-region-index-out-of-bounds-in-command-stream-parser.patch new file mode 100644 index 0000000000..900040165c --- /dev/null +++ b/queue-7.0/accel-ethosu-fix-ifm-region-index-out-of-bounds-in-command-stream-parser.patch 
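Review bot: The negative-stride guard `if (dma->stride[0] < 0 && (u64)(-dma->stride[0]) > len)` (and its stride[1] twin) negates the signed stride before converting it, which is undefined for the type's most negative value, and the unchecked `len += dma->stride[0]` that follows can still wrap when the stride is positive and len is large. Both cases are covered by the helper the same hunk already uses for dma->offset, since the overflow.h helpers evaluate mixed-sign operands at full precision before checking the destination: `if (check_add_overflow(len, dma->stride[0], &len)) return U64_MAX;` in place of the guard plus the addition, and likewise for stride[1]. The declared type of stride[] is not visible here, so whether its most negative value is reachable from the command stream should be confirmed. dma_length() starts before the hunk and the caller's loop continues after it.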
@@ -0,0 +1,54 @@ +From 00f547e0dfecf83014fb32bcba587c6b684c1362 Mon Sep 17 00:00:00 2001 +From: Muhammad Bilal +Date: Sat, 23 May 2026 19:51:59 +0000 +Subject: accel/ethosu: fix IFM region index out-of-bounds in command stream parser + +From: Muhammad Bilal + +commit 00f547e0dfecf83014fb32bcba587c6b684c1362 upstream. + +NPU_SET_IFM_REGION extracts the region index with param & 0x7f, giving +a maximum value of 127. However region_size[] and output_region[] in +struct ethosu_validated_cmdstream_info are both sized to +NPU_BASEP_REGION_MAX (8), giving valid indices [0..7]. + +Every other region assignment in the same switch uses param & 0x7: + NPU_SET_OFM_REGION: st.ofm.region = param & 0x7; + NPU_SET_IFM2_REGION: st.ifm2.region = param & 0x7; + NPU_SET_WEIGHT_REGION: st.weight[0].region = param & 0x7; + NPU_SET_SCALE_REGION: st.scale[0].region = param & 0x7; + +The 0x7f mask on IFM is inconsistent and appears to be a typo. + +feat_matrix_length() and calc_sizes() use the region index directly +as an array subscript into the kzalloc'd info struct: + info->region_size[fm->region] = max(...); + +A userspace caller supplying NPU_SET_IFM_REGION with param > 7 causes +a write up to 127*8 = 1016 bytes past the start of region_size[], +corrupting adjacent kernel heap data. + +Fix by applying the same & 0x7 mask used by all other region +assignments. 
+ +Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Bilal +Link: https://patch.msgid.link/20260523195159.55801-1-meatuni001@gmail.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ethosu/ethosu_gem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accel/ethosu/ethosu_gem.c ++++ b/drivers/accel/ethosu/ethosu_gem.c +@@ -466,7 +466,7 @@ static int ethosu_gem_cmdstream_copy_and + st.ifm.broadcast = param; + break; + case NPU_SET_IFM_REGION: +- st.ifm.region = param & 0x7f; ++ st.ifm.region = param & 0x7; + break; + case NPU_SET_IFM_WIDTH0_M1: + st.ifm.width0 = param; diff --git a/queue-7.0/accel-ethosu-fix-oob-write-in-ethosu_gem_cmdstream_copy_and_validate.patch b/queue-7.0/accel-ethosu-fix-oob-write-in-ethosu_gem_cmdstream_copy_and_validate.patch new file mode 100644 index 0000000000..91a06c51f4 --- /dev/null +++ b/queue-7.0/accel-ethosu-fix-oob-write-in-ethosu_gem_cmdstream_copy_and_validate.patch 
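Review bot: Masking with `param & 0x7` keeps an out-of-range region number from indexing past region_size[], but it silently remaps regions 8..127 onto 0..7 instead of rejecting the command; the other region handlers quoted in the description do the same, so this is consistent, yet if the hardware does not apply an identical mask the region the driver validated and the region the NPU uses can differ. If rejection is acceptable, `if (param > NPU_BASEP_REGION_MAX - 1) return -EINVAL;` before the assignment would make a malformed stream fail the ioctl the way other validation failures in this function do. At minimum a comment tying the `0x7` mask to NPU_BASEP_REGION_MAX would keep the two from drifting apart. The enclosing switch is outside the hunk.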
@@ -0,0 +1,57 @@ +From c0837b9cf6eabbad8b8cbddaff1a46a6d0a2e29d Mon Sep 17 00:00:00 2001 +From: Muhammad Bilal +Date: Sat, 23 May 2026 19:08:43 +0000 +Subject: accel/ethosu: fix OOB write in ethosu_gem_cmdstream_copy_and_validate() + +From: Muhammad Bilal + +commit c0837b9cf6eabbad8b8cbddaff1a46a6d0a2e29d upstream. + +The command stream parsing loop increments the index variable a second +time when a 64-bit command word is encountered (bit 14 set), but does +not re-check the loop bound before writing the second word: + + for (i = 0; i < size / 4; i++) { + bocmds[i] = cmds[0]; + if (cmd & 0x4000) { + i++; + bocmds[i] = cmds[1]; /* unchecked */ + } + } + +The buffer bocmds is backed by a DMA allocation of exactly size bytes +from drm_gem_dma_create(ddev, size), giving valid indices [0, size/4-1]. + +When i == size/4 - 1 on entry to an iteration and bit 14 of cmds[0] is +set, bocmds[size/4-1] is written in bounds, i is then incremented to +size/4, and bocmds[size/4] writes four bytes past the end of the +allocation. + +Userspace controls both the buffer contents and the size argument via +the ioctl, making this a userspace-triggerable heap out-of-bounds write. + +Fix by checking the incremented index against the buffer bound before +the second write and returning -EINVAL if the buffer is too small to +contain the extended command. + +Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Bilal +Link: https://patch.msgid.link/20260523190843.33977-1-meatuni001@gmail.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ethosu/ethosu_gem.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/accel/ethosu/ethosu_gem.c ++++ b/drivers/accel/ethosu/ethosu_gem.c +@@ -387,6 +387,8 @@ static int ethosu_gem_cmdstream_copy_and + return -EFAULT; + + i++; ++ if (i >= size / 4) ++ return -EINVAL; + bocmds[i] = cmds[1]; + addr = cmd_to_addr(cmds); + } 
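Review bot: The new bound check `if (i >= size / 4) return -EINVAL;` is correct but carries no explanation of why `i` can run past the loop bound, which the loop condition alone suggests is impossible; a one-line comment such as `/* 64-bit command: the second word must also fit inside the buffer */` above the check would save the next reader the derivation given in the description. The error return also abandons the partially copied buffer; the `return -EFAULT` just above takes the same path, so presumably the caller owns and frees the GEM object on any error — worth confirming. The enclosing loop starts and ends outside the hunk.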
diff --git a/queue-7.0/accel-ethosu-fix-wrong-weight-index-in-npu_set_scale1_length-on-u85.patch b/queue-7.0/accel-ethosu-fix-wrong-weight-index-in-npu_set_scale1_length-on-u85.patch new file mode 100644 index 0000000000..8dda8c1d62 --- /dev/null +++ b/queue-7.0/accel-ethosu-fix-wrong-weight-index-in-npu_set_scale1_length-on-u85.patch @@ -0,0 +1,41 @@ +From e703843f242b28e35ac79408de571ae110c740b5 Mon Sep 17 00:00:00 2001 +From: Muhammad Bilal +Date: Sat, 23 May 2026 21:07:53 +0000 +Subject: accel/ethosu: fix wrong weight index in NPU_SET_SCALE1_LENGTH on U85 + +From: Muhammad Bilal + +commit e703843f242b28e35ac79408de571ae110c740b5 upstream. + +On non-U65 hardware (e.g. U85), opcode 0x4093 is NPU_SET_WEIGHT2_LENGTH. +The BASE handler for the same opcode correctly assigns to +st.weight[2].base, but the LENGTH handler mistakenly assigns cmds[1] +to st.weight[1].length instead of st.weight[2].length. + +This leaves weight[2].length at its initialised sentinel value of +0xffffffff and corrupts weight[1].length with the user-supplied value, +breaking the software bounds-check state for both weight buffers on U85. + +Fix the index to match the BASE handler. + +Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Bilal +Link: https://patch.msgid.link/20260523210840.92039-3-meatuni001@gmail.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ethosu/ethosu_gem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/accel/ethosu/ethosu_gem.c ++++ b/drivers/accel/ethosu/ethosu_gem.c +@@ -601,7 +601,7 @@ static int ethosu_gem_cmdstream_copy_and + if (ethosu_is_u65(edev)) + st.scale[1].length = cmds[1]; + else +- st.weight[1].length = cmds[1]; ++ st.weight[2].length = cmds[1]; + break; + case NPU_SET_WEIGHT3_BASE: + st.weight[3].base = addr; 
diff --git a/queue-7.0/accel-ethosu-reject-dma-commands-with-uninitialized-length.patch b/queue-7.0/accel-ethosu-reject-dma-commands-with-uninitialized-length.patch new file mode 100644 index 0000000000..a23c6d4cfd --- /dev/null +++ b/queue-7.0/accel-ethosu-reject-dma-commands-with-uninitialized-length.patch 
@@ -0,0 +1,47 @@ +From d9d021218162b6c4fe0bdf42b2b340f1aae23a12 Mon Sep 17 00:00:00 2001 +From: Muhammad Bilal +Date: Sun, 24 May 2026 13:03:19 +0000 +Subject: accel/ethosu: reject DMA commands with uninitialized length + +From: Muhammad Bilal + +commit d9d021218162b6c4fe0bdf42b2b340f1aae23a12 upstream. + +cmd_state_init() initializes the command state with memset(0xff), +leaving dma->len at U64_MAX to signal missing setup. The only setter +is NPU_SET_DMA0_LEN; if userspace omits this command and issues +NPU_OP_DMA_START, dma->len remains U64_MAX. + +In dma_length(), a positive stride added to U64_MAX wraps to a small +value. With size0 == 1, check_mul_overflow() does not trigger and +dma_length() returns 0 instead of U64_MAX. The caller's U64_MAX check +then passes, region_size[] stays 0, and the bounds check in +ethosu_job.c is bypassed, allowing hardware to execute DMA with stale +physical addresses. + +Fix by checking for U64_MAX at the start of dma_length() before any +arithmetic, consistent with the sentinel value used throughout the +driver to detect uninitialized fields. + +Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Bilal +Link: https://patch.msgid.link/20260524130319.12747-1-meatuni001@gmail.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ethosu/ethosu_gem.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/accel/ethosu/ethosu_gem.c ++++ b/drivers/accel/ethosu/ethosu_gem.c +@@ -164,6 +164,9 @@ static u64 dma_length(struct ethosu_vali + s8 mode = dma_st->mode; + u64 len = dma->len; + ++ if (len == U64_MAX) ++ return U64_MAX; ++ + if (mode >= 1) { + if (dma->stride[0] < 0 && (u64)(-dma->stride[0]) > len) + return U64_MAX; diff --git a/queue-7.0/accel-ethosu-reject-npu_op_resize-commands-from-userspace.patch b/queue-7.0/accel-ethosu-reject-npu_op_resize-commands-from-userspace.patch new file mode 100644 index 0000000000..0a930a2c07 
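Review bot: The sentinel check `if (len == U64_MAX) return U64_MAX;` covers dma->len, but the description says cmd_state_init() memsets the whole state to 0xff, so stride[], offset, size0 and size1 presumably start at all-ones as well and are only caught by the arithmetic guards rather than by an explicit uninitialised check. With mode < 1 the stride and size fields are skipped entirely, and an all-ones offset added to a small len is what check_add_overflow() is expected to catch, but whether every combination of omitted setters now yields U64_MAX rather than a plausible length is not evident from the hunk. A comment on the check, e.g. `/* 0xff-initialised sentinel: NPU_SET_DMA0_LEN was never issued */`, plus a note on which fields rely on the later overflow checks, would document the intended contract. The rest of dma_length() is outside the hunk.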
--- /dev/null +++ b/queue-7.0/accel-ethosu-reject-npu_op_resize-commands-from-userspace.patch @@ -0,0 +1,42 @@ +From ef911805d86a05363d3ec2fa9835a41def83bb7e Mon Sep 17 00:00:00 2001 +From: Muhammad Bilal +Date: Sat, 23 May 2026 21:07:52 +0000 +Subject: accel/ethosu: reject NPU_OP_RESIZE commands from userspace + +From: Muhammad Bilal + +commit ef911805d86a05363d3ec2fa9835a41def83bb7e upstream. + +NPU_OP_RESIZE is a U85-only command that the driver does not yet +implement. The existing WARN_ON(1) placeholder fires unconditionally +whenever userspace submits this command via DRM_IOCTL_ETHOSU_GEM_CREATE, +causing unbounded kernel log spam. + +If panic_on_warn is set the kernel panics, giving any unprivileged user +with access to the DRM device a trivial denial-of-service primitive. + +Replace the WARN_ON(1) with an explicit -EINVAL return so the ioctl +rejects the command before it reaches hardware. + +Fixes: 5a5e9c0228e6 ("accel: Add Arm Ethos-U NPU driver") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Bilal +Link: https://patch.msgid.link/20260523210840.92039-2-meatuni001@gmail.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ethosu/ethosu_gem.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/accel/ethosu/ethosu_gem.c ++++ b/drivers/accel/ethosu/ethosu_gem.c +@@ -449,8 +449,7 @@ static int ethosu_gem_cmdstream_copy_and + return ret; + break; + case NPU_OP_RESIZE: // U85 only +- WARN_ON(1); // TODO +- break; ++ return -EINVAL; + case NPU_SET_KERNEL_WIDTH_M1: + st.ifm.width = param; + break; diff --git a/queue-7.0/firmware-samsung-acpm-fix-mailbox-channel-leak-on-probe-error.patch b/queue-7.0/firmware-samsung-acpm-fix-mailbox-channel-leak-on-probe-error.patch new file mode 100644 index 0000000000..c335c78b61 --- /dev/null +++ b/queue-7.0/firmware-samsung-acpm-fix-mailbox-channel-leak-on-probe-error.patch 
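Review bot: `return -EINVAL;` for NPU_OP_RESIZE now rejects the command silently, and the `// U85 only` comment that remains no longer says why a valid U85 opcode is refused; extending it to `// U85 only; not yet validated by the driver, reject rather than WARN` keeps the information the dropped TODO carried. Returning from inside the switch matches the `return ret;` seen a few lines above, so cleanup presumably belongs to the caller — worth confirming. The enclosing switch is outside the hunk.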
@@ -0,0 +1,74 @@ +From b66829b17f6385cc9ffbcbe2476d532d2e3121ad Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Tue, 5 May 2026 13:12:59 +0000 +Subject: firmware: samsung: acpm: Fix mailbox channel leak on probe error + +From: Tudor Ambarus + +commit b66829b17f6385cc9ffbcbe2476d532d2e3121ad upstream. + +Sashiko identified the leak at [1]. + +The ACPM driver allocates hardware mailbox channels using +`mbox_request_channel()` during `acpm_channels_init()`. However, the +driver lacked a `.remove` callback and did not free these channels on +subsequent error paths inside `acpm_probe()`. + +Additionally, if `acpm_achan_alloc_cmds()` failed during the channel +initialization loop, the function returned immediately, bypassing the +manual cleanup and permanently leaking any channels successfully +requested in previous loop iterations. + +Fix this by modifying `acpm_free_mbox_chans()` to match the `devres` +action signature and registering it via `devm_add_action_or_reset()`. + +Cc: stable@vger.kernel.org +Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") +Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1] +Signed-off-by: Tudor Ambarus +Link: https://patch.msgid.link/20260505-acpm-fixes-sashiko-reports-v5-2-43b5ee7f1674@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/samsung/exynos-acpm.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/firmware/samsung/exynos-acpm.c ++++ b/drivers/firmware/samsung/exynos-acpm.c +@@ -526,10 +526,11 @@ static int acpm_achan_alloc_cmds(struct + + /** + * acpm_free_mbox_chans() - free mailbox channels. +- * @acpm: pointer to driver data. ++ * @data: pointer to driver data. 
+ */ +-static void acpm_free_mbox_chans(struct acpm_info *acpm) ++static void acpm_free_mbox_chans(void *data) + { ++ struct acpm_info *acpm = data; + int i; + + for (i = 0; i < acpm->num_chans; i++) +@@ -557,6 +558,10 @@ static int acpm_channels_init(struct acp + if (!acpm->chans) + return -ENOMEM; + ++ ret = devm_add_action_or_reset(dev, acpm_free_mbox_chans, acpm); ++ if (ret) ++ return dev_err_probe(dev, ret, "Failed to add mbox free action.\n"); ++ + chans_shmem = acpm->sram_base + readl(&shmem->chans); + + for (i = 0; i < acpm->num_chans; i++) { +@@ -578,10 +583,8 @@ static int acpm_channels_init(struct acp + cl->dev = dev; + + achan->chan = mbox_request_channel(cl, 0); +- if (IS_ERR(achan->chan)) { +- acpm_free_mbox_chans(acpm); ++ if (IS_ERR(achan->chan)) + return PTR_ERR(achan->chan); +- } + } + + return 0; diff --git a/queue-7.0/fs-qnx6-fix-pointer-arithmetic-in-directory-iteration.patch b/queue-7.0/fs-qnx6-fix-pointer-arithmetic-in-directory-iteration.patch new file mode 100644 index 0000000000..071cab891c --- /dev/null +++ b/queue-7.0/fs-qnx6-fix-pointer-arithmetic-in-directory-iteration.patch 
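Review bot: `devm_add_action_or_reset(dev, acpm_free_mbox_chans, acpm)` is registered before the request loop, so the action now runs after a failed `mbox_request_channel()` iteration has left an ERR_PTR in `achan->chan`, and the loop in acpm_free_mbox_chans() (its body is outside the hunk) must tolerate both ERR_PTR and never-requested entries. The removed explicit call had the same exposure, so this is presumably already handled, but an IS_ERR_OR_NULL() guard on each channel pointer, or a comment on the function stating that its body skips such entries, would make the contract visible. acpm_free_mbox_chans() and acpm_channels_init() are both cut by the hunk.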
@@ -0,0 +1,58 @@ +From 89c4a1167f3a0a0efd2ec3e1801036d2eb65ae1a Mon Sep 17 00:00:00 2001 +From: Arpith Kalaginanavoor +Date: Tue, 26 May 2026 05:38:58 -0700 +Subject: fs/qnx6: fix pointer arithmetic in directory iteration + +From: Arpith Kalaginanavoor + +commit 89c4a1167f3a0a0efd2ec3e1801036d2eb65ae1a upstream. + +The conversion to qnx6_get_folio() in commit b2aa61556fcf +("qnx6: Convert qnx6_get_page() to qnx6_get_folio()") +introduced a regression in directory iteration. The pointer 'de' +and the 'limit' address were calculated using byte offsets from +a char pointer without scaling by the size of a QNX6 directory +entry. + +This causes the driver to read from incorrect memory offsets, +leading to "invalid direntry size" errors and premature +termination of directory scans. + +Fix this by casting 'kaddr' to 'struct qnx6_dir_entry *' before +applying the offset and last_entry(...) increments. This allows the +compiler to correctly scale the pointer arithmetic by the 32-byte +stride of the directory entry structure. 
+ +Fixes: b2aa61556fcf ("qnx6: Convert qnx6_get_page() to qnx6_get_folio()") +Cc: stable@vger.kernel.org +Signed-off-by: Arpith Kalaginanavoor +Link: https://patch.msgid.link/20260526123858.1683035-1-arpithk@nvidia.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Greg Kroah-Hartman +--- + fs/qnx6/dir.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/qnx6/dir.c ++++ b/fs/qnx6/dir.c +@@ -132,16 +132,16 @@ static int qnx6_readdir(struct file *fil + struct qnx6_dir_entry *de; + struct folio *folio; + char *kaddr = qnx6_get_folio(inode, n, &folio); +- char *limit; ++ struct qnx6_dir_entry *limit; + + if (IS_ERR(kaddr)) { + pr_err("%s(): read failed\n", __func__); + ctx->pos = (n + 1) << PAGE_SHIFT; + return PTR_ERR(kaddr); + } +- de = (struct qnx6_dir_entry *)(kaddr + offset); +- limit = kaddr + last_entry(inode, n); +- for (; (char *)de < limit; de++, ctx->pos += QNX6_DIR_ENTRY_SIZE) { ++ de = (struct qnx6_dir_entry *)kaddr + offset; ++ limit = (struct qnx6_dir_entry *)kaddr + last_entry(inode, n); ++ for (; de < limit; de++, ctx->pos += QNX6_DIR_ENTRY_SIZE) { + int size = de->de_size; + u32 no_inode = fs32_to_cpu(sbi, de->de_inode); + diff --git a/queue-7.0/fuse-limit-fuse_notify_retrieve-to-uptodate-folios.patch b/queue-7.0/fuse-limit-fuse_notify_retrieve-to-uptodate-folios.patch new file mode 100644 index 0000000000..d40e8fce3b --- /dev/null +++ b/queue-7.0/fuse-limit-fuse_notify_retrieve-to-uptodate-folios.patch 
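Review bot: The rewritten `de = (struct qnx6_dir_entry *)kaddr + offset;` and the `limit` line change the meaning of `offset` and `last_entry()` from byte offsets to entry indices, and nothing at the use site says so; since the previous byte-based reading is exactly what the regression came from, a comment such as `/* offset and last_entry() count directory entries, not bytes */` above the assignment would prevent a repeat. The computation of `offset` and the loop body are outside the hunk, so whether `offset` is already an entry index (the fix implies it is) should be confirmed against them.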
@@ -0,0 +1,43 @@ +From 4e3d1b2c48ca6c55f1e9ca7f8dccc76f120f276c Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 19 May 2026 16:40:34 +0200 +Subject: fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios + +From: Jann Horn + +commit 4e3d1b2c48ca6c55f1e9ca7f8dccc76f120f276c upstream. + +FUSE_NOTIFY_RETRIEVE must be limited to uptodate folios; !uptodate folios +can contain uninitialized data. +Since FUSE_NOTIFY_RETRIEVE is intended to only return data that is already +in the page cache and not wait for data from the FUSE daemon, treat +!uptodate folios as if they weren't present. + +This only has security impact on systems that don't enable automatic +zero-initialization of all page allocations via +CONFIG_INIT_ON_ALLOC_DEFAULT_ON or init_on_alloc=1. + +Cc: stable@kernel.org +Fixes: 2d45ba381a74 ("fuse: add retrieve request") +Signed-off-by: Jann Horn +Link: https://patch.msgid.link/20260519-fuse-retrieve-uptodate-v1-1-a7a1912a37f9@google.com +Acked-by: Miklos Szeredi +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dev.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -1927,6 +1927,10 @@ static int fuse_retrieve(struct fuse_mou + folio = filemap_get_folio(mapping, index); + if (IS_ERR(folio)) + break; ++ if (!folio_test_uptodate(folio)) { ++ folio_put(folio); ++ break; ++ } + + folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset; + nr_bytes = min(folio_size(folio) - folio_offset, num); diff --git a/queue-7.0/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch b/queue-7.0/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch new file mode 100644 index 0000000000..2e61026b87 --- /dev/null +++ b/queue-7.0/fuse-reject-fuse_notify-pagecache-ops-on-directories.patch 
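Review bot: The new `if (!folio_test_uptodate(folio)) { folio_put(folio); break; }` ends the retrieval at the first non-uptodate folio rather than skipping it, and the reason — the reply is a contiguous range, so a hole is treated as the end of cached data — is only stated in the commit message; a comment such as `/* !uptodate folios may hold uninitialised data; treat as not cached */` would keep it with the code. The test is done without the folio lock, matching the lockless `filemap_get_folio()` lookup just above; presumably an uptodate folio cannot revert while a reference is held, but that assumption is worth stating. fuse_retrieve() continues outside the hunk.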
@@ -0,0 +1,56 @@ +From 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 19 May 2026 16:29:38 +0200 +Subject: fuse: reject fuse_notify() pagecache ops on directories + +From: Jann Horn + +commit 9c954499d43aefac01c5dfb57a82b13d2dcf4b94 upstream. + +The operations FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE allow the +FUSE daemon to actively write/read pagecache contents. + +For directories with FOPEN_CACHE_DIR, the pagecache is used as +kernel-internal cache storage, and userspace is not supposed to have +direct access to this cache - in particular, fuse_parse_cache() will hit +WARN_ON() if the cache contains bogus data. + +Reject FUSE_NOTIFY_STORE and FUSE_NOTIFY_RETRIEVE on anything other than +regular files with -EINVAL. + +Fixes: 5d7bc7e8680c ("fuse: allow using readdir cache") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Link: https://patch.msgid.link/20260519-fuse-dir-pagecache-v2-1-5428fa48e175@google.com +Acked-by: Miklos Szeredi +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/dev.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/fuse/dev.c ++++ b/fs/fuse/dev.c +@@ -1797,6 +1797,10 @@ static int fuse_notify_store(struct fuse + inode = fuse_ilookup(fc, nodeid, NULL); + if (!inode) + goto out_up_killsb; ++ if (!S_ISREG(inode->i_mode)) { ++ err = -EINVAL; ++ goto out_iput; ++ } + + mapping = inode->i_mapping; + index = outarg.offset >> PAGE_SHIFT; +@@ -1976,7 +1980,10 @@ static int fuse_notify_retrieve(struct f + + inode = fuse_ilookup(fc, nodeid, &fm); + if (inode) { +- err = fuse_retrieve(fm, inode, &outarg); ++ if (!S_ISREG(inode->i_mode)) ++ err = -EINVAL; ++ else ++ err = fuse_retrieve(fm, inode, &outarg); + iput(inode); + } + up_read(&fc->killsb); 
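Review bot: The two new S_ISREG() rejections are written differently — a `goto out_iput` block in fuse_notify_store() and an inline if/else in fuse_notify_retrieve() — which is a style point rather than a defect, since each follows the error convention of its own function. A comment on the first check, e.g. `/* Directory pagecache (FOPEN_CACHE_DIR) is kernel-internal; only regular files may be stored/retrieved */`, would record the rationale from the description at the code, and the same comment could be referenced at the second. The `out_iput` label and fuse_retrieve() are outside the hunk.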
diff --git a/queue-7.0/futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch b/queue-7.0/futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch new file mode 100644 index 0000000000..6ab744ea86 --- /dev/null +++ b/queue-7.0/futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch @@ -0,0 +1,44 @@ +From 74e144274af39935b0f410c0ee4d2b91c3730414 Mon Sep 17 00:00:00 2001 +From: Ji'an Zhou +Date: Tue, 2 Jun 2026 09:12:04 +0000 +Subject: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock + +From: Ji'an Zhou + +commit 74e144274af39935b0f410c0ee4d2b91c3730414 upstream. + +When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the +target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting +waiter->task. + +The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences +the NULL waiter->task, causing a kernel crash. + +Add a self-deadlock check for non-top waiters before calling +rt_mutex_start_proxy_lock(), analogous to the top-waiter check in +futex_lock_pi_atomic(). + +Fixes: 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 ("rtmutex: Use waiter::task instead of current in remove_waiter()") +Signed-off-by: Ji'an Zhou +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + kernel/futex/requeue.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/futex/requeue.c ++++ b/kernel/futex/requeue.c +@@ -643,6 +643,12 @@ retry_private: + continue; + } + ++ /* Self-deadlock: non-top waiter already owns the PI futex. */ ++ if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) { ++ ret = -EDEADLK; ++ break; ++ } ++ + ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex, + this->rt_waiter, + this->task); 
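Review bot: The new `ret = -EDEADLK; break;` leaves the loop before `rt_mutex_start_proxy_lock()` and therefore bypasses whatever the existing error branch after that call does for `this` (that branch is outside the hunk); if, as the `continue` just above suggests, a pi_state reference has already been taken and stored in `this->pi_state` and the waiter's requeue state advanced by this point, breaking here would leak that reference and leave the waiter in an in-progress state. Feeding the check into the existing path avoids duplicating that cleanup: `if (rt_mutex_owner(&pi_state->pi_mutex) == this->task) ret = -EDEADLK; else ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex, this->rt_waiter, this->task);` so the error handling that follows applies unchanged. Whether that branch treats -EDEADLK the way the analogous check in futex_lock_pi_atomic() expects should be confirmed against the lines after the hunk.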
diff --git a/queue-7.0/i2c-imx-fix-clock-and-pinctrl-state-inconsistency-in-runtime-pm.patch b/queue-7.0/i2c-imx-fix-clock-and-pinctrl-state-inconsistency-in-runtime-pm.patch new file mode 100644 index 0000000000..664d3624a1 --- /dev/null +++ b/queue-7.0/i2c-imx-fix-clock-and-pinctrl-state-inconsistency-in-runtime-pm.patch 
@@ -0,0 +1,67 @@ +From 8783fb8031799f1230997c16df8c8dce9fcd1841 Mon Sep 17 00:00:00 2001 +From: Carlos Song +Date: Thu, 21 May 2026 14:50:38 +0800 +Subject: i2c: imx: fix clock and pinctrl state inconsistency in runtime PM + +From: Carlos Song + +commit 8783fb8031799f1230997c16df8c8dce9fcd1841 upstream. + +In i2c_imx_runtime_suspend(), the clock is disabled before switching +the pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails, +the runtime suspend is aborted but the clock remains disabled, causing +a system crash when the hardware is subsequently accessed. + +Fix this by switching the pinctrl state before disabling the clock so +that a pinctrl failure leaves the clock enabled and the hardware +accessible. + +In i2c_imx_runtime_resume(), restore the pinctrl state back to sleep +if clk_enable() fails to keep the consistent. + +Fixes: 576eba03c994 ("i2c: imx: switch different pinctrl state in different system power status") +Signed-off-by: Carlos Song +Cc: # v6.14+ +Reviewed-by: Frank Li +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260521065038.2954998-1-carlos.song@oss.nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-imx.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/i2c/busses/i2c-imx.c ++++ b/drivers/i2c/busses/i2c-imx.c +@@ -1892,9 +1892,15 @@ static void i2c_imx_remove(struct platfo + static int i2c_imx_runtime_suspend(struct device *dev) + { + struct imx_i2c_struct *i2c_imx = dev_get_drvdata(dev); ++ int ret; ++ ++ ret = pinctrl_pm_select_sleep_state(dev); ++ if (ret) ++ return ret; + + clk_disable(i2c_imx->clk); +- return pinctrl_pm_select_sleep_state(dev); ++ ++ return 0; + } + + static int i2c_imx_runtime_resume(struct device *dev) +@@ -1907,10 +1913,13 @@ static int i2c_imx_runtime_resume(struct + return ret; + + ret = clk_enable(i2c_imx->clk); +- if (ret) ++ if (ret) { + dev_err(dev, "can't enable I2C clock, ret=%d\n", ret); ++ 
pinctrl_pm_select_sleep_state(dev); ++ return ret; ++ } + +- return ret; ++ return 0; + } + + static int i2c_imx_suspend(struct device *dev) diff --git a/queue-7.0/i2c-imx-lpi2c-fix-resource-leaks-switching-to-devm_dma_request_chan.patch b/queue-7.0/i2c-imx-lpi2c-fix-resource-leaks-switching-to-devm_dma_request_chan.patch new file mode 100644 index 0000000000..9eaada7eaa --- /dev/null +++ b/queue-7.0/i2c-imx-lpi2c-fix-resource-leaks-switching-to-devm_dma_request_chan.patch 
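Review bot: In i2c_imx_runtime_resume() the unwind call `pinctrl_pm_select_sleep_state(dev);` added under the clk_enable() failure discards its return value, so a failed unwind leaves the pins in the default state while the function reports only the clock error and logs nothing about the pins; a `dev_warn()` on that return, or at least a comment `/* best effort: put pins back to sleep, the clock failure is what we report */`, would make the intent explicit. The suspend-side reordering looks right: a pinctrl failure now returns with the clock still enabled. The start of i2c_imx_runtime_resume() is outside the hunk.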
@@ -0,0 +1,126 @@ +From 695fcefd4a81466ef9c529790b4e96f1ea2ba051 Mon Sep 17 00:00:00 2001 +From: Carlos Song +Date: Wed, 20 May 2026 17:33:23 +0800 +Subject: i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan() + +From: Carlos Song + +commit 695fcefd4a81466ef9c529790b4e96f1ea2ba051 upstream. + +The LPI2C driver requests DMA channels using dma_request_chan(), but +never releases them in lpi2c_imx_remove(), resulting in DMA channel +leaks every time the driver is unloaded. + +Additionally, when lpi2c_dma_init() successfully requests the TX DMA +channel but fails to request the RX DMA channel, the probe falls back +to PIO mode and completes successfully. Since probe succeeds, the devres +framework will not trigger any cleanup, leaving the TX DMA channel and +the memory allocated for the dma structure held for the lifetime of the +device even though DMA is never used. + +Switch to devm_dma_request_chan() to let the device core manage DMA +channel lifetime automatically. Wrap all allocations within a devres +group so that devres_release_group() can release all partially acquired +resources when DMA init fails and probe continues in PIO mode. 
+ +Fixes: a09c8b3f9047 ("i2c: imx-lpi2c: add eDMA mode support for LPI2C") +Signed-off-by: Carlos Song +Cc: # v6.14+ +Reviewed-by: Frank Li +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260520093323.2882070-1-carlos.song@oss.nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-imx-lpi2c.c | 53 ++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 21 deletions(-) + +--- a/drivers/i2c/busses/i2c-imx-lpi2c.c ++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c +@@ -1383,55 +1383,66 @@ static int lpi2c_imx_init_recovery_info( + return 0; + } + +-static void dma_exit(struct device *dev, struct lpi2c_imx_dma *dma) +-{ +- if (dma->chan_rx) +- dma_release_channel(dma->chan_rx); +- +- if (dma->chan_tx) +- dma_release_channel(dma->chan_tx); +- +- devm_kfree(dev, dma); +-} +- + static int lpi2c_dma_init(struct device *dev, dma_addr_t phy_addr) + { + struct lpi2c_imx_struct *lpi2c_imx = dev_get_drvdata(dev); + struct lpi2c_imx_dma *dma; ++ void *group; + int ret; + +- dma = devm_kzalloc(dev, sizeof(*dma), GFP_KERNEL); +- if (!dma) ++ /* ++ * Open a devres group so that all resources allocated within ++ * this function can be released together if DMA init fails but ++ * probe continues in PIO mode. 
++ */ ++ group = devres_open_group(dev, NULL, GFP_KERNEL); ++ if (!group) + return -ENOMEM; + ++ dma = devm_kzalloc(dev, sizeof(*dma), GFP_KERNEL); ++ if (!dma) { ++ ret = -ENOMEM; ++ goto release_group; ++ } ++ + dma->phy_addr = phy_addr; + + /* Prepare for TX DMA: */ +- dma->chan_tx = dma_request_chan(dev, "tx"); ++ dma->chan_tx = devm_dma_request_chan(dev, "tx"); + if (IS_ERR(dma->chan_tx)) { + ret = PTR_ERR(dma->chan_tx); + if (ret != -ENODEV && ret != -EPROBE_DEFER) + dev_err(dev, "can't request DMA tx channel (%d)\n", ret); +- dma->chan_tx = NULL; +- goto dma_exit; ++ goto release_group; + } + + /* Prepare for RX DMA: */ +- dma->chan_rx = dma_request_chan(dev, "rx"); ++ dma->chan_rx = devm_dma_request_chan(dev, "rx"); + if (IS_ERR(dma->chan_rx)) { + ret = PTR_ERR(dma->chan_rx); + if (ret != -ENODEV && ret != -EPROBE_DEFER) + dev_err(dev, "can't request DMA rx channel (%d)\n", ret); +- dma->chan_rx = NULL; +- goto dma_exit; ++ goto release_group; + } + ++ /* ++ * DMA init succeeded. Remove the group marker but keep all resources ++ * bound to the device, they will be freed at device removal. ++ */ ++ devres_remove_group(dev, group); ++ + lpi2c_imx->can_use_dma = true; + lpi2c_imx->dma = dma; + return 0; + +-dma_exit: +- dma_exit(dev, dma); ++release_group: ++ /* ++ * DMA init failed. Release ALL resources allocated inside this ++ * group (dma memory, TX channel if already acquired, etc.) so ++ * that a successful PIO-mode probe does not hold unused resources ++ * for the entire device lifetime. ++ */ ++ devres_release_group(dev, group); + return ret; + } + diff --git a/queue-7.0/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch b/queue-7.0/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch new file mode 100644 index 0000000000..174434f547 --- /dev/null +++ b/queue-7.0/i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch 
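Review bot: After `devres_release_group(dev, group)` on the failure path the local `dma` points at memory the group just freed; it is not touched afterwards in this hunk, but the return contract — `-ENODEV`/`-EPROBE_DEFER` stay quiet while other errors are logged, and the caller presumably falls back to PIO on some of them — is only visible through the suppressed dev_err(), so a short function comment stating which return values mean "continue in PIO mode" and that `dma` is invalid after release would help. Channel release now also happens during devres teardown after lpi2c_imx_remove() returns, so confirm nothing in remove() (outside the hunk) depends on the channels having been freed first. The caller of lpi2c_dma_init() is outside the hunk.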
@@ -0,0 +1,55 @@ +From 729ac5a4b966aac42e08a94dea966f4429008548 Mon Sep 17 00:00:00 2001 +From: Vladimir Zapolskiy +Date: Sat, 16 May 2026 02:41:18 +0300 +Subject: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() + +From: Vladimir Zapolskiy + +commit 729ac5a4b966aac42e08a94dea966f4429008548 upstream. + +On all modern platforms Qualcomm CCI controller provides two I2C masters, +and on particular boards only one I2C master may be initialized, and in +such cases the device unbinding or driver removal causes a NULL pointer +dereference, because cci_halt() is called for all two I2C masters, but +a completion is initialized only for the single enabled master: + + % rmmod i2c-qcom-cci + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 + + Call trace: + __wait_for_common+0x194/0x1a8 (P) + wait_for_completion_timeout+0x20/0x2c + cci_remove+0xc4/0x138 [i2c_qcom_cci] + platform_remove+0x20/0x30 + device_remove+0x4c/0x80 + device_release_driver_internal+0x1c8/0x224 + driver_detach+0x50/0x98 + bus_remove_driver+0x6c/0xbc + driver_unregister+0x30/0x60 + platform_driver_unregister+0x14/0x20 + qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci] + .... + +Fixes: e517526195de ("i2c: Add Qualcomm CCI I2C driver") +Signed-off-by: Vladimir Zapolskiy +Cc: # v5.8+ +Reviewed-by: Konrad Dybcio +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260515234121.1607425-2-vladimir.zapolskiy@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-qcom-cci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-qcom-cci.c ++++ b/drivers/i2c/busses/i2c-qcom-cci.c +@@ -663,8 +663,8 @@ static void cci_remove(struct platform_d + if (cci->master[i].cci) { + i2c_del_adapter(&cci->master[i].adap); + of_node_put(cci->master[i].adap.dev.of_node); ++ cci_halt(cci, i); + } +- cci_halt(cci, i); + } + + disable_irq(cci->irq); 
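Review bot: The relocated `cci_halt(cci, i)` now runs only for masters whose `cci->master[i].cci` is set, but nothing at the call site records why, and a later cleanup could hoist it back out of the `if`. A short comment would pin the invariant: `/* cci_halt() waits on a completion that is only initialised for enabled masters. */`. It is also worth confirming that any other loop calling cci_halt() across all masters (the probe error unwind, if it has one) is guarded the same way; the enclosing cci_remove() body starts outside the hunk.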
diff --git a/queue-7.0/i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch b/queue-7.0/i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch new file mode 100644 index 0000000000..08012c094b --- /dev/null +++ b/queue-7.0/i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch 
@@ -0,0 +1,59 @@ +From a124579c0763da7bc408f4cd7e8f606cadc94855 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Guillermo=20Rodr=C3=ADguez?= +Date: Tue, 26 May 2026 11:12:09 +0200 +Subject: i2c: stm32f7: fix timing computation ignoring i2c-analog-filter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guillermo Rodríguez + +commit a124579c0763da7bc408f4cd7e8f606cadc94855 upstream. + +stm32f7_i2c_compute_timing() uses i2c_dev->analog_filter to pick +the analog filter delay, but i2c_dev->analog_filter is parsed from +the "i2c-analog-filter" DT property only after the compute_timing +loop in stm32f7_i2c_setup_timing(), so in practice the timing +calculations always ignore the analog filter. On an STM32MP1 board +with clock-frequency = <400000> and i2c-analog-filter set, measured +SCL frequency was ~382 kHz. + +This also affects (widens) the computed SDADEL range. At high bus +clock speeds, this can select an SDADEL value that violates tVD;DAT +(data valid time). + +Fix by parsing "i2c-analog-filter" before the compute_timing loop. 
+ +Fixes: 83c3408f7b9c ("i2c: stm32f7: support DT binding i2c-analog-filter") +Signed-off-by: Guillermo Rodríguez +Cc: # v5.13+ +Acked-by: Alain Volmat +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260526091210.20383-1-guille.rodriguez@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-stm32f7.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/i2c/busses/i2c-stm32f7.c ++++ b/drivers/i2c/busses/i2c-stm32f7.c +@@ -694,6 +694,9 @@ static int stm32f7_i2c_setup_timing(stru + if (!of_property_read_bool(i2c_dev->dev->of_node, "i2c-digital-filter")) + i2c_dev->dnf_dt = STM32F7_I2C_DNF_DEFAULT; + ++ i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node, ++ "i2c-analog-filter"); ++ + do { + ret = stm32f7_i2c_compute_timing(i2c_dev, setup, + &i2c_dev->timing); +@@ -715,9 +718,6 @@ static int stm32f7_i2c_setup_timing(stru + return ret; + } + +- i2c_dev->analog_filter = of_property_read_bool(i2c_dev->dev->of_node, +- "i2c-analog-filter"); +- + dev_dbg(i2c_dev->dev, "I2C Speed(%i), Clk Source(%i)\n", + setup->speed_freq, setup->clock_src); + dev_dbg(i2c_dev->dev, "I2C Rise(%i) and Fall(%i) Time\n", diff --git a/queue-7.0/i2c-tegra-fix-noirq-suspend-resume.patch b/queue-7.0/i2c-tegra-fix-noirq-suspend-resume.patch new file mode 100644 index 0000000000..227537f9f8 --- /dev/null +++ b/queue-7.0/i2c-tegra-fix-noirq-suspend-resume.patch 
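Review bot: The relocated `i2c_dev->analog_filter` assignment has an ordering dependency on the `do { ... stm32f7_i2c_compute_timing() ... }` loop that nothing in the code records, so the same regression could be reintroduced by a later reshuffle. A comment above the new lines would make it explicit: `/* Must be known before the compute_timing loop below: the analog filter delay feeds the timing calculation. */`. The loop body and the rest of stm32f7_i2c_setup_timing() lie outside the hunk, so I cannot tell whether any other value read after the loop has a similar dependency.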
@@ -0,0 +1,121 @@ +From 656646b3847ac6a21b074a813223feef2aadd6e2 Mon Sep 17 00:00:00 2001 +From: Akhil R +Date: Mon, 18 May 2026 17:10:13 +0530 +Subject: i2c: tegra: Fix NOIRQ suspend/resume + +From: Akhil R + +commit 656646b3847ac6a21b074a813223feef2aadd6e2 upstream. + +The Tegra I2C driver relies on runtime PM to wake up the controller before +each transfer. However, runtime PM is disabled between the system suspend +and NOIRQ suspend. If an I2C device initiates a transfer during this +window, the I2C controller fails to wake up and the transfer fails. To +handle this, the controller must be kept available for this period to +allow transfers. + +Rework the I2C controller's system PM callbacks such that the controller +is resumed from runtime suspend during system suspend and it stays +RPM_ACTIVE throughout the suspend-resume cycle until it is runtime +suspended back in the system resume. The clocks are disabled in NOIRQ +suspend and enabled back in NOIRQ resume by calling the controller's +runtime PM functions directly. + +Fixes: 8ebf15e9c869 ("i2c: tegra: Move suspend handling to NOIRQ phase") +Assisted-by: Cursor:claude-4.6-opus +Signed-off-by: Akhil R +Cc: # v5.4+ +Reviewed-by: Jon Hunter +Signed-off-by: Andi Shyti +Link: https://lore.kernel.org/r/20260518114013.62065-5-akhilrajeev@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-tegra.c | 53 +++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 23 deletions(-) + +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -2147,28 +2147,37 @@ static int __maybe_unused tegra_i2c_runt + + static int __maybe_unused tegra_i2c_suspend(struct device *dev) + { ++ /* ++ * Bring the controller up and hold a usage count so it stays ++ * available until the noirq phase. 
++ */ ++ return pm_runtime_resume_and_get(dev); ++} ++ ++static int __maybe_unused tegra_i2c_suspend_noirq(struct device *dev) ++{ + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); +- int err; + + i2c_mark_adapter_suspended(&i2c_dev->adapter); + +- if (!pm_runtime_status_suspended(dev)) { +- err = tegra_i2c_runtime_suspend(dev); +- if (err) +- return err; +- } +- +- return 0; ++ /* ++ * Runtime PM is already disabled at this point, so invoke the ++ * runtime_suspend callback directly to put the controller down. ++ */ ++ return tegra_i2c_runtime_suspend(dev); + } + +-static int __maybe_unused tegra_i2c_resume(struct device *dev) ++static int __maybe_unused tegra_i2c_resume_noirq(struct device *dev) + { + struct tegra_i2c_dev *i2c_dev = dev_get_drvdata(dev); + int err; + + /* +- * We need to ensure that clocks are enabled so that registers can be +- * restored in tegra_i2c_init(). ++ * Runtime PM is still disabled at this point, so invoke the ++ * runtime_resume callback directly to bring the controller back up ++ * before re-initializing the hardware. The adapter is then marked ++ * resumed so that consumers can issue transfers from their own ++ * resume_noirq() handlers and onwards. + */ + err = tegra_i2c_runtime_resume(dev); + if (err) +@@ -2178,24 +2187,22 @@ static int __maybe_unused tegra_i2c_resu + if (err) + return err; + +- /* +- * In case we are runtime suspended, disable clocks again so that we +- * don't unbalance the clock reference counts during the next runtime +- * resume transition. 
+- */ +- if (pm_runtime_status_suspended(dev)) { +- err = tegra_i2c_runtime_suspend(dev); +- if (err) +- return err; +- } +- + i2c_mark_adapter_resumed(&i2c_dev->adapter); + + return 0; + } + ++static int __maybe_unused tegra_i2c_resume(struct device *dev) ++{ ++ pm_runtime_put(dev); ++ ++ return 0; ++} ++ + static const struct dev_pm_ops tegra_i2c_pm = { +- SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume) ++ SET_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend, tegra_i2c_resume) ++ SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(tegra_i2c_suspend_noirq, ++ tegra_i2c_resume_noirq) + SET_RUNTIME_PM_OPS(tegra_i2c_runtime_suspend, tegra_i2c_runtime_resume, + NULL) + }; diff --git a/queue-7.0/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch b/queue-7.0/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch new file mode 100644 index 0000000000..a3b6e45a65 --- /dev/null +++ b/queue-7.0/input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch 
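Review bot: `tegra_i2c_resume()` drops a usage count with a bare `pm_runtime_put(dev)` and nothing ties it to the `pm_runtime_resume_and_get()` taken in `tegra_i2c_suspend()`; a comment would make the pairing visible: `/* Drop the usage count taken in tegra_i2c_suspend(); the controller may runtime suspend again from here. */`. The new `tegra_i2c_suspend_noirq()` calls `tegra_i2c_runtime_suspend()` unconditionally, which is only correct because the earlier phase forced the device active; since a failed `pm_runtime_resume_and_get()` should abort the suspend before the noirq phase that looks consistent, but stating it in the noirq comment would help. If `tegra_i2c_runtime_resume()` or `tegra_i2c_init()` fail in `tegra_i2c_resume_noirq()`, the adapter stays marked suspended while the usage count is still held until `tegra_i2c_resume()` runs; whether the PM core still invokes that later phase after a noirq failure is something I would confirm rather than assume.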
@@ -0,0 +1,52 @@ +From ad0979fe053e9f2db82da82188256ef6eb41095a Mon Sep 17 00:00:00 2001 +From: Zeyu WANG +Date: Wed, 3 Jun 2026 01:09:09 +0800 +Subject: Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) + +From: Zeyu WANG + +commit ad0979fe053e9f2db82da82188256ef6eb41095a upstream. + +The Lenovo Yoga Air 14 (83QK) laptop keyboard becomes unresponsive +after the standard atkbd init sequence. Controlled testing on the +actual hardware shows the F5 (ATKBD_CMD_RESET_DIS / deactivate) +command specifically corrupts the EC state, causing zero IRQ1 +interrupts after init. + +Skipping only the deactivate command (while keeping F4 ENABLE) +resolves the issue completely: both keystroke input and CapsLock +LED toggle work correctly. The reverse test - skipping only F4 +while keeping F5 - makes the problem worse (zero keystroke +interrupts), confirming F5 is the sole culprit. + +Add a DMI quirk entry for LENOVO/83QK using the existing +atkbd_deactivate_fixup callback, consistent with the existing +entries for LG Electronics and HONOR FMB-P that address the +same EC F5 deactivate issue. + +Signed-off-by: Zeyu WANG +Link: https://patch.msgid.link/20260602170909.14725-1-zeyu.thomas.wang@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/atkbd.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/input/keyboard/atkbd.c ++++ b/drivers/input/keyboard/atkbd.c +@@ -1944,6 +1944,14 @@ static const struct dmi_system_id atkbd_ + }, + .callback = atkbd_deactivate_fixup, + }, ++ { ++ /* Lenovo Yoga Air 14 (83QK) */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "83QK"), ++ }, ++ .callback = atkbd_deactivate_fixup, ++ }, + { } + }; + 
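Review bot: Both new DMI entries, this one and the HONOR BCC-N entry in the following patch file, match `DMI_PRODUCT_NAME` with `DMI_MATCH`, which is a substring comparison, so the short strings `"83QK"` and `"BCC-N"` would also match any longer product name that contains them. That mirrors the existing entries in the table, so it is a judgement call, but `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "83QK")` would be the stricter form if the reported string is exactly that. The HONOR entry also lacks the one-line model comment this entry carries; `/* HONOR BCC-N (MagicBook 14 2026) */` would keep the table self-describing.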
diff --git a/queue-7.0/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch b/queue-7.0/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch new file mode 100644 index 0000000000..72b9b82b59 --- /dev/null +++ b/queue-7.0/input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch @@ -0,0 +1,45 @@ +From fb402386af4cdce108ff991a796386de55439735 Mon Sep 17 00:00:00 2001 +From: Cryolitia PukNgae +Date: Fri, 5 Jun 2026 15:27:21 +0800 +Subject: Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard + +From: Cryolitia PukNgae + +commit fb402386af4cdce108ff991a796386de55439735 upstream. + +After commit 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - +do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID"), HONOR +BCC-N, aka HONOR MagicBook 14 2026's internal keyboard stops +working. Adding the atkbd_deactivate_fixup quirk fixes it. + +DMI: HONOR BCC-N/BCC-N-PCB, BIOS 1.04 04/07/2026 + +Fixes: 9cf6e24c9fbf17e52de9fff07f12be7565ea6d61 ("Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID") +Reported-by: Hongfei Ren +Link: https://github.com/colorcube/Linux-on-Honor-Magicbook-14-Pro/issues/1#issuecomment-4562679891 +Tested-by: Hongfei Ren +Cc: stable@kernel.org +Signed-off-by: Cryolitia PukNgae +Link: https://patch.msgid.link/20260605-honor-v1-1-78e05e491193@linux.dev +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/atkbd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/keyboard/atkbd.c ++++ b/drivers/input/keyboard/atkbd.c +@@ -1952,6 +1952,13 @@ static const struct dmi_system_id atkbd_ + }, + .callback = atkbd_deactivate_fixup, + }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "HONOR"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "BCC-N"), ++ }, ++ .callback = atkbd_deactivate_fixup, ++ }, + { } + }; + 
diff --git a/queue-7.0/iomap-avoid-potential-null-folio-mapping-deref-during-error-reporting.patch b/queue-7.0/iomap-avoid-potential-null-folio-mapping-deref-during-error-reporting.patch new file mode 100644 index 0000000000..3ad48538ea --- /dev/null +++ b/queue-7.0/iomap-avoid-potential-null-folio-mapping-deref-during-error-reporting.patch 
@@ -0,0 +1,85 @@ +From 2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327 Mon Sep 17 00:00:00 2001 +From: Joanne Koong +Date: Wed, 3 Jun 2026 18:18:58 -0700 +Subject: iomap: avoid potential null folio->mapping deref during error reporting + +From: Joanne Koong + +commit 2eea7f44b9c8b42fd7d3a1a87c06a7cd1b99c327 upstream. + +When a buffered read fails, iomap_finish_folio_read() reports the error +with fserror_report_io(folio->mapping->host, ...). This is called after +ifs->read_bytes_pending has been decremented by the bytes attempted to +be read. + +For a folio split across multiple read completions, the folio is only +guaranteed to stay locked while read_bytes_pending > 0. Once +iomap_finish_folio_read() decrements read_bytes_pending, another +in-flight read can complete and end the read on the folio, which unlocks +it. This allows truncate logic to run and detach the folio (set +folio->mapping to NULL). The error reporting path then can dereference a +NULL folio->mapping. As reported by Sam Sun, this is the race that can +occur: + +CPU0: failed completion CPU1: final completion CPU2: truncate +----------------------- ---------------------- -------------- +read_bytes_pending -= len +finished = false +/* preempted before + fserror_report_io() */ + read_bytes_pending -= len + finished = true + folio_end_read() + truncate clears + folio->mapping +fserror_report_io( + folio->mapping->host, ...) + ^ NULL deref + +Fix this by reporting the error first before decrementing +ifs->read_bytes_pending. + +Fixes: a9d573ee88af ("iomap: report file I/O errors to the VFS") +Cc: stable@vger.kernel.org +Reported-by: Sam Sun +Closes: https://lore.kernel.org/linux-fsdevel/CAEkJfYPhWdd59RKmuNLJg-bkypHz7xiOwaWyNVu3A8CUqQCnvg@mail.gmail.com/ +Signed-off-by: Joanne Koong +Link: https://patch.msgid.link/20260604011858.2297561-1-joannelkoong@gmail.com +Reviewed-by: "Darrick J. 
Wong" +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Greg Kroah-Hartman +--- + fs/iomap/buffered-io.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index d7b648421a70..d55b936e6986 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -400,6 +400,11 @@ void iomap_finish_folio_read(struct folio *folio, size_t off, size_t len, + bool uptodate = !error; + bool finished = true; + ++ if (error) ++ fserror_report_io(folio->mapping->host, FSERR_BUFFERED_READ, ++ folio_pos(folio) + off, len, error, ++ GFP_ATOMIC); ++ + if (ifs) { + unsigned long flags; + +@@ -411,11 +416,6 @@ void iomap_finish_folio_read(struct folio *folio, size_t off, size_t len, + spin_unlock_irqrestore(&ifs->state_lock, flags); + } + +- if (error) +- fserror_report_io(folio->mapping->host, FSERR_BUFFERED_READ, +- folio_pos(folio) + off, len, error, +- GFP_ATOMIC); +- + if (finished) + folio_end_read(folio, uptodate); + } +-- +2.54.0 + diff --git a/queue-7.0/iommu-dma-do-not-try-to-iommu_map-a-0-length-region-in-swiotlb.patch b/queue-7.0/iommu-dma-do-not-try-to-iommu_map-a-0-length-region-in-swiotlb.patch new file mode 100644 index 0000000000..bece6cc89f --- /dev/null +++ b/queue-7.0/iommu-dma-do-not-try-to-iommu_map-a-0-length-region-in-swiotlb.patch 
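Review bot: The relocated `fserror_report_io()` call is correct only because it now runs while `ifs->read_bytes_pending` still counts this read and the folio is therefore still locked, yet the code carries no hint of that ordering constraint and the block reads as if it could sit anywhere. A comment above the new `if (error)` would protect the fix: `/* Report before dropping read_bytes_pending: once it reaches zero another completion may unlock the folio and truncate can clear folio->mapping. */`. The `ifs` lock region in between is unchanged and the start of iomap_finish_folio_read() is outside the hunk.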
@@ -0,0 +1,75 @@ +From 6ec91df8aff77e2e8fe3179c1f3fc15b43a40ba3 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 8 Jun 2026 15:10:04 -0300 +Subject: iommu/dma: Do not try to iommu_map a 0 length region in swiotlb + +From: Jason Gunthorpe + +commit 6ec91df8aff77e2e8fe3179c1f3fc15b43a40ba3 upstream. + +iommu_dma_iova_link_swiotlb() processes a mapping that is unaligned in three +parts, the head, middle and trailer. If the middle is empty because there +are no aligned pages it will call down to iommu_map() with a 0 size +which the iommupt implementation will fail as illegal. + +It then tries to do an error unwind and starts from the wrong spot +corrupting the mapping so the eventual destruction triggers a WARN_ON. + +Check for 0 length and avoid mapping and use offset not 0 as the starting +point to unlink. + +This is frequently triggered by using some kinds of thunderbolt NVMe +drives that trigger forced SWIOTLB for unaligned memory. NVMe seems to +pass in oddly aligned buffers for the passthrough commands from smartctl +that hit this condition. + +Cc: stable@vger.kernel.org +Fixes: 433a76207dcf ("dma-mapping: Implement link/unlink ranges API") +Reported-by: Mark Lord +Signed-off-by: Jason Gunthorpe +Reviewed-by: Christoph Hellwig +Reviewed-by: Leon Romanovsky +Reviewed-by: Samiullah Khawaja +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/0-v1-8536728bc89f+469-swiotlb_warn_jgg@nvidia.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/dma-iommu.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -1895,12 +1895,18 @@ static int iommu_dma_iova_link_swiotlb(s + return 0; + } + ++ /* ++ * After removing the partial head and tail, there may be no aligned ++ * middle left to map. The tail still gets bounced below. 
++ */ + size -= iova_end_pad; +- error = __dma_iova_link(dev, addr + mapped, phys + mapped, size, dir, +- attrs); +- if (error) +- goto out_unmap; +- mapped += size; ++ if (size) { ++ error = __dma_iova_link(dev, addr + mapped, phys + mapped, ++ size, dir, attrs); ++ if (error) ++ goto out_unmap; ++ mapped += size; ++ } + + if (iova_end_pad) { + error = iommu_dma_iova_bounce_and_link(dev, addr + mapped, +@@ -1913,7 +1919,8 @@ static int iommu_dma_iova_link_swiotlb(s + return 0; + + out_unmap: +- dma_iova_unlink(dev, state, 0, mapped, dir, attrs); ++ if (mapped) ++ dma_iova_unlink(dev, state, offset, mapped, dir, attrs); + return error; + } + diff --git a/queue-7.0/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch b/queue-7.0/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch new file mode 100644 index 0000000000..c46670306f --- /dev/null +++ b/queue-7.0/ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch 
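Review bot: The unwind at `out_unmap` now skips `dma_iova_unlink()` when `mapped` is zero and otherwise starts at `offset`, but nothing at the label documents what `mapped` and `offset` are relative to, and if earlier failure paths outside this hunk also jump to `out_unmap` they inherit that contract. A one-line comment would make it explicit: `/* mapped counts bytes linked from offset in this call; unlink only those. */`. The `if (size)` guard around `__dma_iova_link()` is the right fix for the empty-middle case and the comment above it already explains it; the function's beginning lies outside the hunk.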
@@ -0,0 +1,68 @@ +From 2e5c6f4fd4001562781e99bbfc7f1f0127187542 Mon Sep 17 00:00:00 2001 +From: Yilin Zhu +Date: Thu, 30 Apr 2026 13:21:34 +0800 +Subject: ipc/shm: serialize orphan cleanup with shm_nattch updates + +From: Yilin Zhu + +commit 2e5c6f4fd4001562781e99bbfc7f1f0127187542 upstream. + +shm_destroy_orphaned() walks the shm idr under shm_ids(ns).rwsem, but that +does not serialize all fields tested by shm_may_destroy(). In particular, +shm_nattch is updated while holding shm_perm.lock, and attach paths can do +that without holding the rwsem. + +Do not decide that an orphaned segment is unused before taking the object +lock. Move the shm_may_destroy() check under shm_perm.lock, matching the +other destroy paths, and unlock the segment when it no longer qualifies +for removal. + +Link: https://lore.kernel.org/9d97cc1031de2d0bace0edf3a668818aa2f4eca6.1777410234.git.zylzyl2333@gmail.com +Fixes: 4c677e2eefdb ("shm: optimize locking and ipc_namespace getting") +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Yilin Zhu +Signed-off-by: Ren Wei +Cc: Christian Brauner +Cc: Jeongjun Park +Cc: Kees Cook +Cc: Liam Howlett +Cc: Lorenzo Stoakes +Cc: Serge Hallyn +Cc: Vasiliy Kulikov +Cc: Davidlohr Bueso +Cc: Oleg Nesterov +Cc: Serge Hallyn +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + ipc/shm.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -418,15 +418,17 @@ static int shm_try_destroy_orphaned(int + * We want to destroy segments without users and with already + * exit'ed originating process. + * +- * As shp->* are changed under rwsem, it's safe to skip shp locking. ++ * shm_nattch can be changed under shm_perm.lock without holding the ++ * rwsem, so take the object lock before checking shm_may_destroy(). 
+ */ + if (!list_empty(&shp->shm_clist)) + return 0; + +- if (shm_may_destroy(shp)) { +- shm_lock_by_ptr(shp); ++ shm_lock_by_ptr(shp); ++ if (shm_may_destroy(shp)) + shm_destroy(ns, shp); +- } ++ else ++ shm_unlock(shp); + return 0; + } + diff --git a/queue-7.0/locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch b/queue-7.0/locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch new file mode 100644 index 0000000000..8e3f8a21c5 --- /dev/null +++ b/queue-7.0/locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch 
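Review bot: The `list_empty(&shp->shm_clist)` check is still evaluated before `shm_lock_by_ptr(shp)`, while the new comment only justifies taking the lock for shm_nattch; if shm_clist membership can also change under shm_perm.lock rather than the rwsem, that test has the same exposure and would belong inside the locked region. If it is in fact stable under the rwsem, the comment should say so, e.g. `/* shm_clist is only modified under the rwsem; nattch is not. */`, so the next reader does not repeat this question. The remainder of shm_try_destroy_orphaned() lies outside the hunk, so I have not checked how shm_destroy() releases the lock it is handed.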
@@ -0,0 +1,65 @@ +From 40a25d59e85b3c8709ac2424d44f65610467871e Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Thu, 7 May 2026 04:29:13 -0700 +Subject: locking/rtmutex: Skip remove_waiter() when waiter is not enqueued + +From: Davidlohr Bueso + +commit 40a25d59e85b3c8709ac2424d44f65610467871e upstream. + +syzbot triggered the following splat in remove_waiter() via +FUTEX_CMP_REQUEUE_PI: + + KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f] + class_raw_spinlock_constructor + remove_waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561 + rt_mutex_start_proxy_lock+0x103/0x120 + futex_requeue+0x10e4/0x20d0 + __x64_sys_futex+0x34f/0x4d0 + +task_blocks_on_rt_mutex() does not arm the waiter upon deadlock detection, +leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead +of current in remove_waiter()") made this fatal. + +Furthermore, rt_mutex_start_proxy_lock() should not be calling into remove_waiter() +upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock +return correctly"), moved the remove_waiter() out of __rt_mutex_start_proxy_lock() +(where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to +account for try_to_take_rt_mutex(). 
+ +Fixes: 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove_waiter()") +Reported-by: syzbot+78147abe6c524f183ee9@syzkaller.appspotmail.com +Signed-off-by: Davidlohr Bueso +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Closes: https://lore.kernel.org/all/69f114ac.050a0220.ac8b.0003.GAE@google.com/ +Link: https://patch.msgid.link/20260507112913.1019537-1-dave@stgolabs.net +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/rtmutex.c | 3 +++ + kernel/locking/rtmutex_api.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/locking/rtmutex.c ++++ b/kernel/locking/rtmutex.c +@@ -1548,6 +1548,9 @@ static void __sched remove_waiter(struct + + lockdep_assert_held(&lock->wait_lock); + ++ if (!waiter_task) /* never enqueued */ ++ return; ++ + scoped_guard(raw_spinlock, &waiter_task->pi_lock) { + rt_mutex_dequeue(lock, waiter); + waiter_task->pi_blocked_on = NULL; +--- a/kernel/locking/rtmutex_api.c ++++ b/kernel/locking/rtmutex_api.c +@@ -365,7 +365,7 @@ int __sched rt_mutex_start_proxy_lock(st + + raw_spin_lock_irq(&lock->wait_lock); + ret = __rt_mutex_start_proxy_lock(lock, waiter, task, &wake_q); +- if (unlikely(ret)) ++ if (unlikely(ret < 0)) + remove_waiter(lock, waiter); + preempt_disable(); + raw_spin_unlock_irq(&lock->wait_lock); diff --git a/queue-7.0/memcg-use-round-robin-victim-selection-in-refill_stock.patch b/queue-7.0/memcg-use-round-robin-victim-selection-in-refill_stock.patch new file mode 100644 index 0000000000..52e25f0884 --- /dev/null +++ b/queue-7.0/memcg-use-round-robin-victim-selection-in-refill_stock.patch 
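Review bot: The early return `if (!waiter_task) /* never enqueued */` in remove_waiter() relies on `waiter->task` staying NULL for a waiter that task_blocks_on_rt_mutex() refused to arm, a contract that lives in another function, and the trailing comment is too terse to convey that. I would expand it to `/* waiter->task is only set once task_blocks_on_rt_mutex() enqueues the waiter; a deadlock-rejected waiter has nothing to remove. */`. The companion `ret < 0` change in rtmutex_api.c should likewise state why a positive return is excluded, e.g. `/* > 0: lock taken via try_to_take_rt_mutex(), nothing to remove */`, assuming that is the positive case; `waiter_task`'s definition and the rest of remove_waiter() are outside the hunk.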
@@ -0,0 +1,62 @@ +From c0cafe24d3f6534294c4b2bc2d47734ff7cbd313 Mon Sep 17 00:00:00 2001 +From: Shakeel Butt +Date: Thu, 21 May 2026 15:37:51 -0700 +Subject: memcg: use round-robin victim selection in refill_stock + +From: Shakeel Butt + +commit c0cafe24d3f6534294c4b2bc2d47734ff7cbd313 upstream. + +Harry Yoo reported that get_random_u32_below() is not safe to call in the +nmi context and memcg charge draining can happen in nmi context. + +More specifically get_random_u32_below() is neither reentrant- nor +NMI-safe: it acquires a per-cpu local_lock via local_lock_irqsave() on the +batched_entropy_u32 state. An NMI that lands on a CPU mid-update of the +ChaCha batch state and recurses into the random subsystem would corrupt +that state. The memcg_stock local_trylock prevents re-entry on the percpu +stock itself, but cannot protect an unrelated subsystem's per-cpu lock. + +Replace the random pick with a per-cpu round-robin counter stored in +memcg_stock_pcp and serialized by the same local_trylock that already +guards cached[] and nr_pages[]. No atomics, no random calls, no extra +locks needed. 
+ +Link: https://lore.kernel.org/20260521223751.3794625-1-shakeel.butt@linux.dev +Fixes: f735eebe55f8f ("memcg: multi-memcg percpu charge cache") +Signed-off-by: Shakeel Butt +Reported-by: Harry Yoo +Closes: https://lore.kernel.org/4e20f643-6983-4b6e-b12d-c6c4eb20ae0c@kernel.org/ +Acked-by: Harry Yoo (Oracle) +Acked-by: Michal Hocko +Cc: Johannes Weiner +Cc: Muchun Song +Cc: Roman Gushchin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -1799,6 +1799,7 @@ struct memcg_stock_pcp { + + struct work_struct work; + unsigned long flags; ++ uint8_t drain_idx; + }; + + static DEFINE_PER_CPU_ALIGNED(struct memcg_stock_pcp, memcg_stock) = { +@@ -1982,7 +1983,9 @@ static void refill_stock(struct mem_cgro + if (!success) { + i = empty_slot; + if (i == -1) { +- i = get_random_u32_below(NR_MEMCG_STOCK); ++ i = stock->drain_idx++; ++ if (stock->drain_idx == NR_MEMCG_STOCK) ++ stock->drain_idx = 0; + drain_stock(stock, i); + } + css_get(&memcg->css); diff --git a/queue-7.0/memory-atmel-ebi-allow-deferred-probing.patch b/queue-7.0/memory-atmel-ebi-allow-deferred-probing.patch new file mode 100644 index 0000000000..4c760f38b2 --- /dev/null +++ b/queue-7.0/memory-atmel-ebi-allow-deferred-probing.patch 
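Review bot: The new `uint8_t drain_idx` member uses a userspace fixed-width type where kernel convention (and checkpatch) prefers `u8`, and it carries no comment recording what serialises it, unlike the rationale in the commit message. I would write `u8 drain_idx; /* round-robin drain_stock() victim; updated only under the stock's local_trylock */`. The wrap in refill_stock() compares against `NR_MEMCG_STOCK` after the post-increment, which is fine as long as that constant stays below 256; a `static_assert(NR_MEMCG_STOCK <= U8_MAX);` next to the struct would turn that implicit assumption into a compile-time check.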
@@ -0,0 +1,49 @@ +From 754d60ad1c91895be0bc7d771fbf9fb3c9448640 Mon Sep 17 00:00:00 2001 +From: Alexander Dahl +Date: Wed, 29 Apr 2026 14:59:30 +0200 +Subject: memory: atmel-ebi: Allow deferred probing + +From: Alexander Dahl + +commit 754d60ad1c91895be0bc7d771fbf9fb3c9448640 upstream. + +After removing of_platform_default_populate() calls the atmel-ebi driver +was affected by deferred probing. platform_driver_probe() is +incompatible with deferred probing. This led to atmel-ebi driver +eventually not being probed on at91 sam9x60-curiosity and other sam9x60 +based boards. Subsequently the nand-controller driver (nand-controller +being a child node of ebi) on that platform was not probed and thus raw +NAND flash was inaccessible, preventing devices to boot with rootfs on +raw NAND flash (e.g. with UBI/UBIFS). + +Fixes: 0b0f7e6539a7 ("ARM: at91: remove unnecessary of_platform_default_populate calls") +Cc: stable@vger.kernel.org +Suggested-by: Miquel Raynal +Signed-off-by: Alexander Dahl +Link: https://patch.msgid.link/20260429125930.844790-1-ada@thorsis.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memory/atmel-ebi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/memory/atmel-ebi.c b/drivers/memory/atmel-ebi.c +index 8db970da9af9..1e8e8aba2542 100644 +--- a/drivers/memory/atmel-ebi.c ++++ b/drivers/memory/atmel-ebi.c +@@ -628,10 +628,11 @@ static __maybe_unused int atmel_ebi_resume(struct device *dev) + static SIMPLE_DEV_PM_OPS(atmel_ebi_pm_ops, NULL, atmel_ebi_resume); + + static struct platform_driver atmel_ebi_driver = { ++ .probe = atmel_ebi_probe, + .driver = { + .name = "atmel-ebi", + .of_match_table = atmel_ebi_id_table, + .pm = &atmel_ebi_pm_ops, + }, + }; +-builtin_platform_driver_probe(atmel_ebi_driver, atmel_ebi_probe); ++builtin_platform_driver(atmel_ebi_driver); +-- +2.54.0 + 
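Review bot: Switching from `builtin_platform_driver_probe()` to a regular `.probe` member changes the lifetime requirements on `atmel_ebi_probe()`: platform_driver_probe() tolerates an `__init` probe function because it runs once during init, whereas a deferrable `.probe` can be invoked after init memory has been freed. The probe definition, and anything it references such as `atmel_ebi_id_table`, is outside the hunk, so I cannot confirm it carries no `__init`/`__initconst` annotation; that is worth checking before merging the backport. If those are clean the change is straightforward and the diff itself raises nothing else.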
diff --git a/queue-7.0/misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch b/queue-7.0/misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch new file mode 100644 index 0000000000..a590f396c4 --- /dev/null +++ b/queue-7.0/misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch @@ -0,0 +1,40 @@ +From 464c6ad2aa16e1e1df9d559289199356493d1e00 Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Sat, 30 May 2026 21:45:26 +0100 +Subject: misc: fastrpc: fix DMA address corruption due to find_vma misuse + +From: Junrui Luo + +commit 464c6ad2aa16e1e1df9d559289199356493d1e00 upstream. + +fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided +pointer and compute a DMA address offset. When the address falls in a gap +before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows, +corrupting the DMA address sent to the DSP. + +Replace find_vma() with vma_lookup(), which returns NULL when the address +is not contained within any VMA. + +Cc: stable@vger.kernel.org +Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP") +Reported-by: Yuhao Jiang +Signed-off-by: Junrui Luo +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204528.116920-3-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1087,7 +1087,7 @@ static int fastrpc_get_args(u32 kernel, + pages[i].addr = ctx->maps[i]->dma_addr; + + mmap_read_lock(current->mm); +- vma = find_vma(current->mm, ctx->args[i].ptr); ++ vma = vma_lookup(current->mm, ctx->args[i].ptr); + if (vma) + pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) - + vma->vm_start; 
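Review bot: With `vma_lookup()` a user pointer that falls outside every VMA now yields NULL and the unchanged `if (vma)` silently forwards the argument with a zero offset, so an invalid address is no longer corrupting the DMA address but is also not rejected. Whether such a pointer should fail the call instead is worth considering; the previous code had the same fall-through, so this is a follow-up question rather than a defect of the fix. The surrounding loop and the `mmap_read_unlock()` that pairs with the visible lock are outside the hunk.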
diff --git a/queue-7.0/misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch b/queue-7.0/misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch new file mode 100644 index 0000000000..5a26b516cd --- /dev/null +++ b/queue-7.0/misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch 
@@ -0,0 +1,79 @@ +From 5401fb4fe10fac6134c308495df18ed74aebb9c4 Mon Sep 17 00:00:00 2001 +From: Mukesh Ojha +Date: Sat, 30 May 2026 21:45:27 +0100 +Subject: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback + +From: Mukesh Ojha + +commit 5401fb4fe10fac6134c308495df18ed74aebb9c4 upstream. + +A NULL pointer dereference was observed on Hawi at boot when the DSP +sends a glink message before fastrpc_rpmsg_probe() has completed +initialization: + + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 + pc : _raw_spin_lock_irqsave+0x34/0x8c + lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] + ... + Call trace: + _raw_spin_lock_irqsave+0x34/0x8c (P) + fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] + qcom_glink_native_rx+0x538/0x6a4 + qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] + +The faulting address 0x178 corresponds to the lock variable inside +struct fastrpc_channel_ctx, confirming that cctx is NULL when +fastrpc_rpmsg_callback() attempts to take the spinlock. + +There are two issues here. First, dev_set_drvdata() is called before +spin_lock_init() and idr_init(), leaving a window where the callback +can retrieve a valid cctx pointer but operate on an uninitialized +spinlock. Second, the rpmsg channel becomes live as soon as the driver +is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() +is called at all, resulting in dev_get_drvdata() returning NULL. + +Fix both issues by moving all cctx initialization ahead of +dev_set_drvdata() so the structure is fully initialized before it +becomes visible to the callback, and add a NULL check in +fastrpc_rpmsg_callback() as a guard against any remaining window. 
+ +Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") +Cc: stable@vger.kernel.org +Signed-off-by: Mukesh Ojha +Reviewed-by: Bjorn Andersson +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204528.116920-4-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -2457,7 +2457,6 @@ static int fastrpc_rpmsg_probe(struct rp + + kref_init(&data->refcount); + +- dev_set_drvdata(&rpdev->dev, data); + rdev->dma_mask = &data->dma_mask; + dma_set_mask_and_coherent(rdev, DMA_BIT_MASK(32)); + INIT_LIST_HEAD(&data->users); +@@ -2466,6 +2465,7 @@ static int fastrpc_rpmsg_probe(struct rp + idr_init(&data->ctx_idr); + data->domain_id = domain_id; + data->rpdev = rpdev; ++ dev_set_drvdata(&rpdev->dev, data); + + err = of_platform_populate(rdev->of_node, NULL, NULL, rdev); + if (err) +@@ -2539,6 +2539,9 @@ static int fastrpc_rpmsg_callback(struct + if (len < sizeof(*rsp)) + return -EINVAL; + ++ if (!cctx) ++ return -ENODEV; ++ + ctxid = ((rsp->ctx & FASTRPC_CTXID_MASK) >> 4); + + spin_lock_irqsave(&cctx->lock, flags); diff --git a/queue-7.0/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch b/queue-7.0/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch new file mode 100644 index 0000000000..b07ce21c50 --- /dev/null +++ b/queue-7.0/misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch 
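Review bot: The new `if (!cctx) return -ENODEV;` in fastrpc_rpmsg_callback() carries no comment explaining why a NULL drvdata is a legitimate state, and the next reader will be tempted to remove it as dead code. Suggest `/* The rpmsg channel is live before probe publishes cctx via dev_set_drvdata(); drop early messages. */` above the check. The dev_get_drvdata() read that produces cctx is outside the hunk, so whether anything dereferences cctx between that read and this check could not be confirmed; the len check it now follows only touches rsp.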
@@ -0,0 +1,207 @@ +From e85eb5feca8e254905ffa6c57a3c99c89a674a0f Mon Sep 17 00:00:00 2001 +From: Anandu Krishnan E +Date: Sat, 30 May 2026 21:45:25 +0100 +Subject: misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anandu Krishnan E + +commit e85eb5feca8e254905ffa6c57a3c99c89a674a0f upstream. + +There is a race between fastrpc_device_release() and the workqueue +that processes DSP responses. When the user closes the file descriptor, +fastrpc_device_release() frees the fastrpc_user structure. Concurrently, +an in-flight DSP invocation can complete and fastrpc_rpmsg_callback() +schedules context cleanup via schedule_work(&ctx->put_work). If the +workqueue runs fastrpc_context_free() in parallel with or after +fastrpc_device_release() has freed the user structure, it dereferences +the freed fastrpc_user. Depending on the state of the context at the +time of the race, any one of the following accesses can be hit: + + 1. fastrpc_buf_free() calls fastrpc_ipa_to_dma_addr(buf->fl->cctx, ...) + to strip the SID bits from the stored IOVA before passing the + physical address to dma_free_coherent(). + + 2. fastrpc_free_map() reads map->fl->cctx->vmperms[0].vmid to + reconstruct the source permission bitmask needed for the + qcom_scm_assign_mem() call that returns memory from the DSP VM + back to HLOS. + + 3. fastrpc_free_map() acquires map->fl->lock to safely remove the + map node from the fl->maps list. + +The resulting use-after-free manifests as: + + pc : fastrpc_buf_free+0x38/0x80 [fastrpc] + lr : fastrpc_context_free+0xa8/0x1b0 [fastrpc] + fastrpc_context_free+0xa8/0x1b0 [fastrpc] + fastrpc_context_put_wq+0x78/0xa0 [fastrpc] + process_one_work+0x180/0x450 + worker_thread+0x26c/0x388 + +Add kref-based reference counting to fastrpc_user. Have each invoke +context take a reference on the user at allocation time and release it +when the context is freed. 
Release the initial reference in +fastrpc_device_release() at file close. Move the teardown of the user +structure — freeing pending contexts, maps, mmaps, and the channel +context reference — into the kref release callback fastrpc_user_free(), +so that it runs only when the last reference is dropped, regardless of +whether that happens at device close or after the final in-flight +context completes. + +Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter") +Cc: stable@kernel.org +Signed-off-by: Anandu Krishnan E +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204528.116920-2-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 75 +++++++++++++++++++++++++++++++++---------------- + 1 file changed, 52 insertions(+), 23 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -310,6 +310,8 @@ struct fastrpc_user { + spinlock_t lock; + /* lock for allocations */ + struct mutex mutex; ++ /* Reference count */ ++ struct kref refcount; + }; + + /* Extract SMMU PA from consolidated IOVA */ +@@ -497,15 +499,57 @@ static void fastrpc_channel_ctx_put(stru + kref_put(&cctx->refcount, fastrpc_channel_ctx_free); + } + ++static void fastrpc_context_put(struct fastrpc_invoke_ctx *ctx); ++ ++static void fastrpc_user_free(struct kref *ref) ++{ ++ struct fastrpc_user *fl = container_of(ref, struct fastrpc_user, refcount); ++ struct fastrpc_invoke_ctx *ctx, *n; ++ struct fastrpc_map *map, *m; ++ struct fastrpc_buf *buf, *b; ++ ++ if (fl->init_mem) ++ fastrpc_buf_free(fl->init_mem); ++ ++ list_for_each_entry_safe(ctx, n, &fl->pending, node) { ++ list_del(&ctx->node); ++ fastrpc_context_put(ctx); ++ } ++ ++ list_for_each_entry_safe(map, m, &fl->maps, node) ++ fastrpc_map_put(map); ++ ++ list_for_each_entry_safe(buf, b, &fl->mmaps, node) { ++ list_del(&buf->node); ++ fastrpc_buf_free(buf); ++ } ++ ++ fastrpc_channel_ctx_put(fl->cctx); ++ mutex_destroy(&fl->mutex); ++ kfree(fl); ++} ++ 
++static void fastrpc_user_get(struct fastrpc_user *fl) ++{ ++ kref_get(&fl->refcount); ++} ++ ++static void fastrpc_user_put(struct fastrpc_user *fl) ++{ ++ kref_put(&fl->refcount, fastrpc_user_free); ++} ++ + static void fastrpc_context_free(struct kref *ref) + { + struct fastrpc_invoke_ctx *ctx; + struct fastrpc_channel_ctx *cctx; ++ struct fastrpc_user *fl; + unsigned long flags; + int i; + + ctx = container_of(ref, struct fastrpc_invoke_ctx, refcount); + cctx = ctx->cctx; ++ fl = ctx->fl; + + for (i = 0; i < ctx->nbufs; i++) + fastrpc_map_put(ctx->maps[i]); +@@ -521,6 +565,8 @@ static void fastrpc_context_free(struct + kfree(ctx->olaps); + kfree(ctx); + ++ /* Release the reference taken in fastrpc_context_alloc() */ ++ fastrpc_user_put(fl); + fastrpc_channel_ctx_put(cctx); + } + +@@ -628,6 +674,8 @@ static struct fastrpc_invoke_ctx *fastrp + + /* Released in fastrpc_context_put() */ + fastrpc_channel_ctx_get(cctx); ++ /* Take a reference to user, released in fastrpc_context_free() */ ++ fastrpc_user_get(user); + + ctx->sc = sc; + ctx->retval = -1; +@@ -658,6 +706,7 @@ err_idr: + spin_lock(&user->lock); + list_del(&ctx->node); + spin_unlock(&user->lock); ++ fastrpc_user_put(user); + fastrpc_channel_ctx_put(cctx); + kfree(ctx->maps); + kfree(ctx->olaps); +@@ -1579,9 +1628,6 @@ static int fastrpc_device_release(struct + { + struct fastrpc_user *fl = (struct fastrpc_user *)file->private_data; + struct fastrpc_channel_ctx *cctx = fl->cctx; +- struct fastrpc_invoke_ctx *ctx, *n; +- struct fastrpc_map *map, *m; +- struct fastrpc_buf *buf, *b; + unsigned long flags; + + fastrpc_release_current_dsp_process(fl); +@@ -1590,28 +1636,10 @@ static int fastrpc_device_release(struct + list_del(&fl->user); + spin_unlock_irqrestore(&cctx->lock, flags); + +- if (fl->init_mem) +- fastrpc_buf_free(fl->init_mem); +- +- list_for_each_entry_safe(ctx, n, &fl->pending, node) { +- list_del(&ctx->node); +- fastrpc_context_put(ctx); +- } +- +- list_for_each_entry_safe(map, m, &fl->maps, 
node) +- fastrpc_map_put(map); +- +- list_for_each_entry_safe(buf, b, &fl->mmaps, node) { +- list_del(&buf->node); +- fastrpc_buf_free(buf); +- } +- + fastrpc_session_free(cctx, fl->sctx); +- fastrpc_channel_ctx_put(cctx); +- +- mutex_destroy(&fl->mutex); +- kfree(fl); + file->private_data = NULL; ++ /* Release the reference taken in fastrpc_device_open */ ++ fastrpc_user_put(fl); + + return 0; + } +@@ -1655,6 +1683,7 @@ static int fastrpc_device_open(struct in + spin_lock_irqsave(&cctx->lock, flags); + list_add_tail(&fl->user, &cctx->users); + spin_unlock_irqrestore(&cctx->lock, flags); ++ kref_init(&fl->refcount); + + return 0; + } diff --git a/queue-7.0/misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch b/queue-7.0/misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch new file mode 100644 index 0000000000..f94e4c944f --- /dev/null +++ b/queue-7.0/misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch 
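Review bot: In fastrpc_device_open(), `kref_init(&fl->refcount);` is added after the `list_add_tail(&fl->user, &cctx->users)` that publishes fl on the channel's user list, leaving a window in which fl is reachable through cctx->users with an uninitialized refcount; the init should move above the `spin_lock_irqsave(&cctx->lock, flags);` that publishes it. Separately, the `list_for_each_entry_safe(ctx, n, &fl->pending, node)` loop carried into fastrpc_user_free() looks unreachable by construction: every context on fl->pending now appears to hold a reference on fl (taken in fastrpc_context_alloc()), so the kref cannot reach zero while the list is non-empty, and if the loop ever did run, fastrpc_context_put() would recurse into fastrpc_user_put() on a kref already at zero. Consider replacing it with `WARN_ON(!list_empty(&fl->pending));` or documenting why entries can still be present. Whether the pending-list insertion in fastrpc_context_alloc() happens before or after the new fastrpc_user_get() is not visible in the hunk.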
@@ -0,0 +1,85 @@ +From 07ebe87915d8accdaba20c4f88c5ae430fe62fbb Mon Sep 17 00:00:00 2001 +From: Zhenghang Xiao +Date: Sat, 30 May 2026 21:45:28 +0100 +Subject: misc: fastrpc: fix use-after-free race in fastrpc_map_create + +From: Zhenghang Xiao + +commit 07ebe87915d8accdaba20c4f88c5ae430fe62fbb upstream. + +fastrpc_map_lookup returns a raw pointer after releasing fl->lock. The +caller fastrpc_map_create then calls fastrpc_map_get (kref_get_unless_zero) +on this unprotected pointer. A concurrent MEM_UNMAP can free the map +between the lock release and the kref operation, resulting in a +use-after-free on the freed slab object. + +Restore the take_ref parameter to fastrpc_map_lookup so the reference +is acquired atomically under fl->lock before the pointer is exposed to +the caller. + +Fixes: 10df039834f8 ("misc: fastrpc: Skip reference for DMA handles") +Cc: stable@vger.kernel.org +Signed-off-by: Zhenghang Xiao +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204528.116920-5-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -388,7 +388,7 @@ static int fastrpc_map_get(struct fastrp + + + static int fastrpc_map_lookup(struct fastrpc_user *fl, int fd, +- struct fastrpc_map **ppmap) ++ struct fastrpc_map **ppmap, bool take_ref) + { + struct fastrpc_map *map = NULL; + struct dma_buf *buf; +@@ -403,6 +403,12 @@ static int fastrpc_map_lookup(struct fas + if (map->fd != fd || map->buf != buf) + continue; + ++ if (take_ref) { ++ ret = fastrpc_map_get(map); ++ if (ret) ++ break; ++ } ++ + *ppmap = map; + ret = 0; + break; +@@ -920,19 +926,10 @@ get_err: + static int fastrpc_map_create(struct fastrpc_user *fl, int fd, + u64 len, u32 attr, struct fastrpc_map **ppmap) + { +- struct fastrpc_session_ctx *sess = fl->sctx; +- int err = 0; ++ if (!fastrpc_map_lookup(fl, fd, 
ppmap, true)) ++ return 0; + +- if (!fastrpc_map_lookup(fl, fd, ppmap)) { +- if (!fastrpc_map_get(*ppmap)) +- return 0; +- dev_dbg(sess->dev, "%s: Failed to get map fd=%d\n", +- __func__, fd); +- } +- +- err = fastrpc_map_attach(fl, fd, len, attr, ppmap); +- +- return err; ++ return fastrpc_map_attach(fl, fd, len, attr, ppmap); + } + + /* +@@ -1202,7 +1199,7 @@ cleanup_fdlist: + for (i = 0; i < FASTRPC_MAX_FDLIST; i++) { + if (!fdlist[i]) + break; +- if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap)) ++ if (!fastrpc_map_lookup(fl, (int)fdlist[i], &mmap, false)) + fastrpc_map_put(mmap); + } + diff --git a/queue-7.0/net-airoha-add-null-check-for-of_reserved_mem_lookup-in-airoha_qdma_init_hfwd_queues.patch b/queue-7.0/net-airoha-add-null-check-for-of_reserved_mem_lookup-in-airoha_qdma_init_hfwd_queues.patch new file mode 100644 index 0000000000..6dda12b8e4 --- /dev/null +++ b/queue-7.0/net-airoha-add-null-check-for-of_reserved_mem_lookup-in-airoha_qdma_init_hfwd_queues.patch 
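Review bot: The `take_ref = false` call added at the fdlist cleanup site still hands back a raw map pointer after fl->lock is dropped and then calls fastrpc_map_put() on it, which is the same lock-release-then-kref pattern the commit message describes as racy with a concurrent MEM_UNMAP; if that path is safe it is because the fdlist entry accounts for a reference this put releases, and that deserves a comment at the call, e.g. `/* No extra ref: this put releases the reference held via the DSP fdlist */`. In fastrpc_map_lookup(), a failed fastrpc_map_get() now breaks out of the loop with `ret` set to that failure and `*ppmap` untouched, so fastrpc_map_create() falls into fastrpc_map_attach(); that preserves the old behaviour but merits a one-line comment, since the early break also ends the search. fastrpc_map_lookup()'s lock acquisition and return are outside the hunk.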
@@ -0,0 +1,45 @@ +From f9f25118faa4dd2b6e3d14a03d123bbdbd59925d Mon Sep 17 00:00:00 2001 +From: ZhaoJinming +Date: Thu, 4 Jun 2026 15:03:52 +0800 +Subject: net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues() + +From: ZhaoJinming + +commit f9f25118faa4dd2b6e3d14a03d123bbdbd59925d upstream. + +of_reserved_mem_lookup() may return NULL if the reserved memory region +referenced by the "memory-region" phandle is not found in the reserved +memory table (e.g. due to a misconfigured DTS or a removed +memory-region node). The current code dereferences the returned +pointer without checking for NULL, leading to a kernel NULL pointer +dereference at the following lines: + + dma_addr = rmem->base; // line 1156 + num_desc = div_u64(rmem->size, buf_size); // line 1160 + +Add a NULL check after of_reserved_mem_lookup() and return -ENODEV if +the lookup fails, which is consistent with the existing error handling +for of_parse_phandle() failure in the same code block. + +Fixes: 3a1ce9e3d01b ("net: airoha: Add the capability to allocate hwfd buffers via reserved-memory") +Cc: stable@vger.kernel.org +Signed-off-by: ZhaoJinming +Acked-by: Lorenzo Bianconi +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/airoha/airoha_eth.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/airoha/airoha_eth.c ++++ b/drivers/net/ethernet/airoha/airoha_eth.c +@@ -1153,6 +1153,9 @@ static int airoha_qdma_init_hfwd_queues( + + rmem = of_reserved_mem_lookup(np); + of_node_put(np); ++ if (!rmem) ++ return -ENODEV; ++ + dma_addr = rmem->base; + /* Compute the number of hw descriptors according to the + * reserved memory size and the payload buffer size diff --git a/queue-7.0/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch b/queue-7.0/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch new file mode 100644 index 0000000000..c04f785bbc --- /dev/null 
+++ b/queue-7.0/net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch 
@@ -0,0 +1,57 @@ +From a764b0e8317a863006e05732e1aefe821b9d8c2d Mon Sep 17 00:00:00 2001 +From: ZhaoJinming +Date: Mon, 1 Jun 2026 16:56:49 +0800 +Subject: net: bonding: fix NULL pointer dereference in bond_do_ioctl() + +From: ZhaoJinming + +commit a764b0e8317a863006e05732e1aefe821b9d8c2d upstream. + +In bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which +can return NULL if the requested interface name does not exist. However, +the subsequent slave_dbg() call is placed before the NULL check: + + slave_dev = __dev_get_by_name(net, ifr->ifr_slave); + slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); //here + if (!slave_dev) + return -ENODEV; + +The slave_dbg() macro expands to netdev_dbg(bond_dev, "(slave %s): " fmt, +(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name +before the NULL check is performed. This results in a NULL pointer +dereference kernel oops when a user calls bonding ioctl (e.g. +SIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave +interface name. + +This is reachable from userspace via the bonding ioctl interface with +CAP_NET_ADMIN capability, making it a potential local denial-of-service +vector. + +Fix by moving the slave_dbg() call after the NULL check. 
+ +Fixes: e2a7420df2e0 ("bonding/main: convert to using slave printk macros") +Cc: stable@vger.kernel.org # v5.2+ +Signed-off-by: ZhaoJinming +Link: https://patch.msgid.link/20260601085649.4029067-1-zhaojinming@uniontech.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4623,11 +4623,11 @@ static int bond_do_ioctl(struct net_devi + + slave_dev = __dev_get_by_name(net, ifr->ifr_slave); + +- slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); +- + if (!slave_dev) + return -ENODEV; + ++ slave_dbg(bond_dev, slave_dev, "slave_dev=%p:\n", slave_dev); ++ + switch (cmd) { + case SIOCBONDENSLAVE: + res = bond_enslave(bond_dev, slave_dev, NULL); diff --git a/queue-7.0/net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch b/queue-7.0/net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch new file mode 100644 index 0000000000..314a54df11 --- /dev/null +++ b/queue-7.0/net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch 
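Review bot: Moving slave_dbg() below the NULL check is correct, but the lookup-failure path now returns -ENODEV with no trace at all, which is the case most likely to need debugging when an ioctl is reported as failing. A `netdev_dbg(bond_dev, "slave lookup failed\n");` before the `return -ENODEV;` would keep that visibility; I have not quoted ifr->ifr_slave in it because its NUL-termination at this point is not established by the hunk. bond_do_ioctl() begins and ends outside the hunk.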
@@ -0,0 +1,64 @@ +From 02896a7fa4cd3ec61d60ba30136841e4f04bdeac Mon Sep 17 00:00:00 2001 +From: Nikolay Kuratov +Date: Tue, 26 May 2026 19:29:32 +0300 +Subject: net/mlx5: Reorder completion before putting command entry in cmd_work_handler + +From: Nikolay Kuratov + +commit 02896a7fa4cd3ec61d60ba30136841e4f04bdeac upstream. + +Assuming callback != NULL && !page_queue, cmd_work_handler takes +command entry with refcnt == 1 from mlx5_cmd_invoke. +If either semaphore timeout or index allocation error happens, +it does final cmd_ent_put(ent). To avoid access to freed memory, +notify slotted completion before cmd_ent_put. + +This is theoretical issue found by Svace static analyser. + +Cc: stable@vger.kernel.org +Fixes: 485d65e135712 ("net/mlx5: Add a timeout to acquire the command queue semaphore") +Fixes: 0e2909c6bec90 ("net/mlx5: Fix variable not being completed when function returns") +Signed-off-by: Nikolay Kuratov +Reviewed-by: Md Haris Iqbal +Reviewed-by: Moshe Shemesh +Acked-by: Tariq Toukan +Link: https://patch.msgid.link/20260526162932.501584-1-kniv@yandex-team.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1001,12 +1001,13 @@ static void cmd_work_handler(struct work + ent->callback(-EBUSY, ent->context); + mlx5_free_cmd_msg(dev, ent->out); + free_msg(dev, ent->in); ++ complete(&ent->slotted); + cmd_ent_put(ent); + } else { + ent->ret = -EBUSY; + complete(&ent->done); ++ complete(&ent->slotted); + } +- complete(&ent->slotted); + return; + } + alloc_ret = cmd_alloc_index(cmd, ent); +@@ -1016,13 +1017,14 @@ static void cmd_work_handler(struct work + ent->callback(-EAGAIN, ent->context); + mlx5_free_cmd_msg(dev, ent->out); + free_msg(dev, ent->in); ++ complete(&ent->slotted); + cmd_ent_put(ent); + } else { + ent->ret = 
-EAGAIN; + complete(&ent->done); ++ complete(&ent->slotted); + } + up(&cmd->vars.sem); +- complete(&ent->slotted); + return; + } + } else { diff --git a/queue-7.0/net-mv643xx-fix-of-node-refcount.patch b/queue-7.0/net-mv643xx-fix-of-node-refcount.patch new file mode 100644 index 0000000000..0f38b7a689 --- /dev/null +++ b/queue-7.0/net-mv643xx-fix-of-node-refcount.patch @@ -0,0 +1,38 @@ +From 4aacf509e537a711fa71bca9f234e5eb6968850e Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Tue, 2 Jun 2026 09:34:14 +0200 +Subject: net: mv643xx: fix OF node refcount + +From: Bartosz Golaszewski + +commit 4aacf509e537a711fa71bca9f234e5eb6968850e upstream. + +Platform devices created with platform_device_alloc() call +platform_device_release() when the last reference to the device's +kobject is dropped. This function calls of_node_put() unconditionally. +This works fine for devices created with platform_device_register_full() +but users of the split approach (platform_device_alloc() + +platform_device_add()) must bump the reference of the of_node they +assign manually. Add the missing call to of_node_get(). + +Cc: stable@vger.kernel.org +Fixes: 76723bca2802 ("net: mv643xx_eth: add DT parsing support") +Signed-off-by: Bartosz Golaszewski +Link: https://patch.msgid.link/20260602073414.22500-1-bartosz.golaszewski@oss.qualcomm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -2780,7 +2780,7 @@ static int mv643xx_eth_shared_of_add_por + goto put_err; + } + ppdev->dev.coherent_dma_mask = DMA_BIT_MASK(32); +- ppdev->dev.of_node = pnp; ++ ppdev->dev.of_node = of_node_get(pnp); + + ret = platform_device_add_resources(ppdev, &res, 1); + if (ret) 
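Review bot: The non-callback branches keep `complete(&ent->done);` ahead of the moved `complete(&ent->slotted);`; if the synchronous waiter in mlx5_cmd_invoke() can drop its reference to ent once `done` fires without also waiting on `slotted`, the use-after-free this commit fixes for the callback branch is still possible there, so either the two completes should be swapped in both else branches or the waiter's ordering documented next to them. I would add `/* slotted must be completed before any path that can drop the last reference */` at the first reordered site so the invariant survives the next refactor. cmd_work_handler() continues past the hunk, and the `up(&cmd->vars.sem)` in the second block is now separated from the `complete(&ent->slotted)` it used to follow, which looks intentional but is worth a glance.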
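Review bot: `ppdev->dev.of_node = of_node_get(pnp);` gives the platform device its own reference, so the unwind at `put_err` (outside the hunk) must drop only the iterator's reference to pnp and leave this one to platform_device_release() via platform_device_put(); a comment at the assignment, e.g. `/* platform_device_release() drops this reference */`, would make the ownership split explicit for the next reader. mv643xx_eth_shared_of_add_port() starts and ends outside the hunk, so the balance of puts on the failure paths after this line could not be verified here.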
diff --git a/queue-7.0/net-phonet-free-phonet_device-after-rcu-grace-period.patch b/queue-7.0/net-phonet-free-phonet_device-after-rcu-grace-period.patch new file mode 100644 index 0000000000..73c1a6f065 --- /dev/null +++ b/queue-7.0/net-phonet-free-phonet_device-after-rcu-grace-period.patch @@ -0,0 +1,42 @@ +From 71de0177b28da751f407581a4515cf4d762f6296 Mon Sep 17 00:00:00 2001 +From: Santosh Kalluri +Date: Wed, 3 Jun 2026 17:08:43 -0700 +Subject: net: phonet: free phonet_device after RCU grace period +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Santosh Kalluri + +commit 71de0177b28da751f407581a4515cf4d762f6296 upstream. + +phonet_device_destroy() removes a phonet_device from the per-net device +list with list_del_rcu(), but frees it immediately. RCU readers walking +the same list can still hold a pointer to the object after it has been +removed, leading to a slab-use-after-free. + +Use kfree_rcu(), matching the lifetime rule already used by +phonet_address_del() for the same object type. + +Fixes: eeb74a9d45f7 ("Phonet: convert devices list to RCU") +Cc: stable@vger.kernel.org +Signed-off-by: Santosh Kalluri +Acked-by: Rémi Denis-Courmont +Reviewed-by: Simon Horman +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/phonet/pn_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/phonet/pn_dev.c ++++ b/net/phonet/pn_dev.c +@@ -108,7 +108,7 @@ static void phonet_device_destroy(struct + for_each_set_bit(addr, pnd->addrs, 64) + phonet_address_notify(net, RTM_DELADDR, ifindex, addr); + +- kfree(pnd); ++ kfree_rcu(pnd, rcu); + } + } + diff --git a/queue-7.0/net-rds-clear-i_sends-on-setup-unwind.patch b/queue-7.0/net-rds-clear-i_sends-on-setup-unwind.patch new file mode 100644 index 0000000000..49d696afd8 --- /dev/null +++ b/queue-7.0/net-rds-clear-i_sends-on-setup-unwind.patch 
@@ -0,0 +1,47 @@ +From 20cf0fb715c41111469577e85e35d15f099473e0 Mon Sep 17 00:00:00 2001 +From: Yuqi Xu +Date: Fri, 29 May 2026 21:01:44 +0800 +Subject: net: rds: clear i_sends on setup unwind + +From: Yuqi Xu + +commit 20cf0fb715c41111469577e85e35d15f099473e0 upstream. + +The RDS IB connection teardown path is written so it can run during +partial startup and on repeated shutdown attempts. It uses NULL +pointers to distinguish resources that are still owned from resources +that have already been released. + +When rds_ib_setup_qp() fails after allocating i_sends but before +allocating i_recvs, the sends_out path frees i_sends without clearing +the pointer. A later shutdown pass can still treat that stale pointer +as a live send ring allocation. + +Clear i_sends after vfree() in the error unwind path so the existing +shutdown logic continues to use the correct ownership state. + +Fixes: 3b12f73a5c29 ("rds: ib: add error handle") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Signed-off-by: Yuqi Xu +Signed-off-by: Ren Wei +Reviewed-by: Allison Henderson +Link: https://patch.msgid.link/5a0f7624bb9845a7b67d26166a150b59e7f394ce.1779632468.git.xuyq21@lenovo.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_cm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rds/ib_cm.c ++++ b/net/rds/ib_cm.c +@@ -656,6 +656,7 @@ static int rds_ib_setup_qp(struct rds_co + + sends_out: + vfree(ic->i_sends); ++ ic->i_sends = NULL; + + ack_dma_out: + rds_dma_hdr_free(rds_ibdev->dev, ic->i_ack, ic->i_ack_dma, diff --git a/queue-7.0/net-sfp-initialize-i2c_block_size-at-adapter-configure-time.patch b/queue-7.0/net-sfp-initialize-i2c_block_size-at-adapter-configure-time.patch new file mode 100644 index 0000000000..4148caa8bc --- /dev/null +++ b/queue-7.0/net-sfp-initialize-i2c_block_size-at-adapter-configure-time.patch 
@@ -0,0 +1,49 @@ +From 56d0885514491e5ed8f7593400879ab77c52504c Mon Sep 17 00:00:00 2001 +From: Jonas Jelonek +Date: Thu, 28 May 2026 20:52:40 +0000 +Subject: net: sfp: initialize i2c_block_size at adapter configure time + +From: Jonas Jelonek + +commit 56d0885514491e5ed8f7593400879ab77c52504c upstream. + +sfp->i2c_block_size is only assigned in sfp_sm_mod_probe(), which runs +from the state machine timer after SFP_F_PRESENT has been set. Between +those two points, sfp_module_eeprom() (the ethtool -m callback) gates +only on SFP_F_PRESENT and can be entered with i2c_block_size still at +its kzalloc'd value of 0. + +On a pure-I2C adapter, sfp_i2c_read() then issues an i2c_transfer() +with msgs[1].len = 0 inside a loop that subtracts this_len from len +each iteration; on adapters that succeed a zero-length read the loop +never advances, spinning while holding rtnl_lock. + +This was previously addressed by initializing i2c_block_size in +sfp_alloc() (commit 813c2dd78618), but the initialization was dropped +when i2c_block_size was split from i2c_max_block_size. + +Initialize sfp->i2c_block_size from sfp->i2c_max_block_size in +sfp_i2c_configure(), so the field is valid as soon as the adapter is +known. sfp_sm_mod_probe() still reassigns it on each module insertion +to recover from a per-module clamp to 1 (sfp_id_needs_byte_io). + +Fixes: 7662abf4db94 ("net: phy: sfp: Add support for SMBus module access") +Cc: stable@vger.kernel.org +Signed-off-by: Jonas Jelonek +Link: https://patch.msgid.link/20260528205242.971410-2-jelonek.jonas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/sfp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/phy/sfp.c ++++ b/drivers/net/phy/sfp.c +@@ -820,6 +820,7 @@ static int sfp_i2c_configure(struct sfp + return -EINVAL; + } + ++ sfp->i2c_block_size = sfp->i2c_max_block_size; + return 0; + } + 
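Review bot: The restored `sfp->i2c_block_size = sfp->i2c_max_block_size;` has no comment, and the commit message says the earlier equivalent initialization was silently dropped during a refactor; a why-comment would make that harder to repeat, e.g. `/* Must be valid before sfp_sm_mod_probe() runs: sfp_module_eeprom() only gates on SFP_F_PRESENT and sfp_i2c_read() never advances on a zero block size. */`. sfp_i2c_configure() begins outside the hunk.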
diff --git a/queue-7.0/nvmem-core-fix-use-after-free-bugs-in-error-paths.patch b/queue-7.0/nvmem-core-fix-use-after-free-bugs-in-error-paths.patch
new file mode 100644
index 0000000000..44aeaf80bb
--- /dev/null
+++ b/queue-7.0/nvmem-core-fix-use-after-free-bugs-in-error-paths.patch
@@ -0,0 +1,62 @@ +From 5b6b6fc491899d583eaa75344e094796ae9b530b Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Sat, 30 May 2026 21:43:40 +0100 +Subject: nvmem: core: fix use-after-free bugs in error paths + +From: Bartosz Golaszewski + +commit 5b6b6fc491899d583eaa75344e094796ae9b530b upstream. + +Fix several instances of error paths in which we call +__nvmem_device_put() - which may end up freeing the underlying memory +and other resources - and then keep on using the nvmem structure. Always +put the reference to the nvmem device as the last step before returning +the error code. + +Cc: stable@vger.kernel.org +Fixes: 7ae6478b304b ("nvmem: core: rework nvmem cell instance creation") +Fixes: e888d445ac33 ("nvmem: resolve cells from DT at registration time") +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204340.116743-3-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/core.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -1468,18 +1468,16 @@ struct nvmem_cell *of_nvmem_cell_get(str + cell_entry = nvmem_find_cell_entry_by_node(nvmem, cell_np); + of_node_put(cell_np); + if (!cell_entry) { +- __nvmem_device_put(nvmem); + nvmem_layout_module_put(nvmem); +- if (nvmem->layout) +- return ERR_PTR(-EPROBE_DEFER); +- else +- return ERR_PTR(-ENOENT); ++ ret = nvmem->layout ? 
-EPROBE_DEFER : -ENOENT; ++ __nvmem_device_put(nvmem); ++ return ERR_PTR(ret); + } + + cell = nvmem_create_cell(cell_entry, id, cell_index); + if (IS_ERR(cell)) { +- __nvmem_device_put(nvmem); + nvmem_layout_module_put(nvmem); ++ __nvmem_device_put(nvmem); + } + + return cell; +@@ -1593,8 +1591,8 @@ void nvmem_cell_put(struct nvmem_cell *c + kfree_const(cell->id); + + kfree(cell); +- __nvmem_device_put(nvmem); + nvmem_layout_module_put(nvmem); ++ __nvmem_device_put(nvmem); + } + EXPORT_SYMBOL_GPL(nvmem_cell_put); + diff --git a/queue-7.0/nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch b/queue-7.0/nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch new file mode 100644 index 0000000000..3bcc2dc0bf --- /dev/null +++ b/queue-7.0/nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch 
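Review bot: The new `ret = nvmem->layout ? -EPROBE_DEFER : -ENOENT;` in of_nvmem_cell_get() assumes a local `ret` is already declared in that function; its declaration is outside the hunk, so that should be confirmed for this backport or the file will not compile. All three reorderings rely on the same rule — nothing in nvmem may be read after __nvmem_device_put() — and nvmem_layout_module_put(nvmem) reads nvmem, which is why it now comes first; a comment at each site, e.g. `/* __nvmem_device_put() may free nvmem; it must be the last use */`, would keep a future change from reintroducing the old order. of_nvmem_cell_get() and nvmem_cell_put() both extend outside the hunk.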
@@ -0,0 +1,46 @@ +From ea41020b9018e31c2ea7e9d89021e3e6d7470883 Mon Sep 17 00:00:00 2001 +From: Andre Heider +Date: Sat, 30 May 2026 21:43:39 +0100 +Subject: nvmem: layouts: onie-tlv: fix hang on unknown types + +From: Andre Heider + +commit ea41020b9018e31c2ea7e9d89021e3e6d7470883 upstream. + +The EEPROM on my board has a vendor specific entry of type 0x41. When +stumbling upon that, this driver hangs in an endless loop. + +Fix it by keep incrementing the offset on unknown entries, so the loop +will eventually stop. + +Fixes: d3c0d12f6474 ("nvmem: layouts: onie-tlv: Add new layout driver") +Cc: Stable@vger.kernel.org +Signed-off-by: Andre Heider +Reviewed-by: Miquel Raynal +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204340.116743-2-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/layouts/onie-tlv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvmem/layouts/onie-tlv.c ++++ b/drivers/nvmem/layouts/onie-tlv.c +@@ -119,7 +119,7 @@ static int onie_tlv_add_cells(struct dev + + cell.name = onie_tlv_cell_name(tlv.type); + if (!cell.name) +- continue; ++ goto next; + + cell.offset = hdr_len + offset + sizeof(tlv.type) + sizeof(tlv.len); + cell.bytes = tlv.len; +@@ -132,6 +132,7 @@ static int onie_tlv_add_cells(struct dev + return ret; + } + ++next: + offset += sizeof(tlv) + tlv.len; + } + diff --git a/queue-7.0/octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch b/queue-7.0/octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch new file mode 100644 index 0000000000..be8419f95d --- /dev/null +++ b/queue-7.0/octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch 
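Review bot: The new `goto next;` now advances `offset += sizeof(tlv) + tlv.len;` for unknown types, but the hunk does not show any check that offset plus tlv.len stays within the TLV area before the next header is read, and tlv.len comes from EEPROM contents; if the loop condition does not already bound it, a corrupt length on an unknown entry could push the walk past the buffer, so that bound is worth confirming now that this path runs for every vendor-specific type. A comment on the label, `next: /* unknown type: skip its payload but keep walking */`, would also explain the goto's purpose. onie_tlv_add_cells() begins and ends outside the hunk.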
@@ -0,0 +1,49 @@
+From 09a5bf856aa759513afc4afd233d15bcc711b84e Mon Sep 17 00:00:00 2001
+From: Dawei Feng
+Date: Thu, 4 Jun 2026 22:37:56 +0800
+Subject: octeontx2-af: fix memory leak in rvu_setup_hw_resources()
+
+From: Dawei Feng
+
+commit 09a5bf856aa759513afc4afd233d15bcc711b84e upstream.
+
+If rvu_npc_exact_init() fails in rvu_setup_hw_resources(), the function
+returns directly instead of jumping to the error handling path. This
+causes a resource leak for the previously initialized CGX, NPC, fwdata,
+and MSI-X states.
+
+Fix this by replacing the direct return with goto cgx_err to ensure
+proper cleanup.
+
+The bug was first flagged by an experimental analysis tool we are
+developing for kernel memory-management bugs while analyzing
+v6.13-rc1. The tool is still under development and is not yet publicly
+available. Manual inspection confirms that the bug is still present in
+v7.1-rc6.
+
+An x86_64 allyesconfig build showed no new warnings. As we do not have
+access to Marvell OcteonTX2 RVU AF hardware to test with, no runtime
+testing was able to be performed.
+
+Fixes: 3571fe07a090 ("octeontx2-af: Drop rules for NPC MCAM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dawei Feng
+Signed-off-by: Zilin Guan
+Link: https://patch.msgid.link/20260604143756.1524482-1-dawei.feng@seu.edu.cn
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+@@ -1135,7 +1135,7 @@ cpt:
+ err = rvu_npc_exact_init(rvu);
+ if (err) {
+ dev_err(rvu->dev, "failed to initialize exact match table\n");
+- return err;
++ goto cgx_err;
+ }
+
+ /* Assign MACs for CGX mapped functions */
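Review bot: `goto cgx_err` is the right shape, but the hunk shows only this one call after the `cpt:` label; any sibling initialisation in the same stretch that still does `return err` directly leaks the same state, so the rest of rvu_setup_hw_resources (which starts and ends outside the hunk) is worth auditing for the same pattern. The cleanup label itself is not visible here, so whether `cgx_err` also releases everything set up between `cpt:` and `rvu_npc_exact_init()` cannot be confirmed from the hunk; the commit message names CGX, NPC, fwdata and MSI-X, and a one-line comment at the label listing what it unwinds would make such audits cheaper, especially since the change was not runtime-tested. While here, the diagnostic could carry the error code: `dev_err(rvu->dev, "failed to initialize exact match table: %d\n", err);`.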
diff --git a/queue-7.0/pinctrl-mcp23s08-read-spi-present-mask-as-u8-not-u32.patch b/queue-7.0/pinctrl-mcp23s08-read-spi-present-mask-as-u8-not-u32.patch
new file mode 100644
index 0000000000..e0db0fd9e0
--- /dev/null
+++ b/queue-7.0/pinctrl-mcp23s08-read-spi-present-mask-as-u8-not-u32.patch
@@ -0,0 +1,42 @@
+From b0c13ec17438577f90b379d448dfed1233e2c0a4 Mon Sep 17 00:00:00 2001
+From: Judith Mendez
+Date: Wed, 13 May 2026 18:11:54 -0500
+Subject: pinctrl: mcp23s08: Read spi-present-mask as u8 not u32
+
+From: Judith Mendez
+
+commit b0c13ec17438577f90b379d448dfed1233e2c0a4 upstream.
+
+The binding (microchip,mcp23s08) specifies microchip,spi-present-mask
+as uint8, but driver would read u32, causing type mismatch. Use
+device_property_read_u8 to match binding spec, hardware (8 chips max),
+& prevent probe failure.
+
+Cc: stable@vger.kernel.org
+Fixes: 3ad8d3ec6d87 ("dt-bindings: pinctrl: convert pinctrl-mcp23s08.txt to yaml format")
+Signed-off-by: Judith Mendez
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/pinctrl-mcp23s08_spi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+@@ -144,13 +144,13 @@ static int mcp23s08_probe(struct spi_dev
+ unsigned int addr;
+ int chips;
+ int ret;
+- u32 v;
++ u8 v;
+
+ info = spi_get_device_match_data(spi);
+
+- ret = device_property_read_u32(dev, "microchip,spi-present-mask", &v);
++ ret = device_property_read_u8(dev, "microchip,spi-present-mask", &v);
+ if (ret) {
+- ret = device_property_read_u32(dev, "mcp,spi-present-mask", &v);
++ ret = device_property_read_u8(dev, "mcp,spi-present-mask", &v);
+ if (ret) {
+ dev_err(dev, "missing spi-present-mask");
+ return ret;
diff --git a/queue-7.0/series b/queue-7.0/series
index 9330851d43..5e49ab677e 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
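Review bot: Switching both reads to `device_property_read_u8` changes what a legacy 32-bit encoding of the property yields rather than rejecting it: a DT that still writes `microchip,spi-present-mask = <0x0f>` (a big-endian cell without `/bits/ 8`) appears to satisfy a one-byte read by returning the cell's first byte, so `v` becomes 0 for any mask below 256 and probe continues with no chips selected instead of failing loudly as it did with the u32 read. If such firmware may exist in the field, it is worth keeping the u32 read as a fallback when the u8 read returns 0, or at least warning on `v == 0`, with a comment recording why two encodings are accepted. The code that consumes `v` and the end of mcp23s08_probe are outside the hunk, so whether a zero mask is already rejected there cannot be confirmed from this view.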
@@ -256,3 +256,42 @@ inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch
 ovl-keep-err-zero-after-successful-ovl_cache_get.patch
 pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
 s390-remove-generic_lockbreak-kconfig-option.patch
+accel-ethosu-fix-oob-write-in-ethosu_gem_cmdstream_copy_and_validate.patch
+accel-ethosu-fix-ifm-region-index-out-of-bounds-in-command-stream-parser.patch
+accel-ethosu-fix-wrong-weight-index-in-npu_set_scale1_length-on-u85.patch
+accel-ethosu-fix-arithmetic-issues-in-dma_length.patch
+accel-ethosu-reject-dma-commands-with-uninitialized-length.patch
+accel-ethosu-reject-npu_op_resize-commands-from-userspace.patch
+fs-qnx6-fix-pointer-arithmetic-in-directory-iteration.patch
+fuse-reject-fuse_notify-pagecache-ops-on-directories.patch
+fuse-limit-fuse_notify_retrieve-to-uptodate-folios.patch
+futex-requeue-prevent-null-pointer-dereference-in-remove_waiter-on-self-deadlock.patch
+i2c-imx-lpi2c-fix-resource-leaks-switching-to-devm_dma_request_chan.patch
+i2c-imx-fix-clock-and-pinctrl-state-inconsistency-in-runtime-pm.patch
+i2c-qcom-cci-fix-null-pointer-dereference-in-cci_remove.patch
+i2c-stm32f7-fix-timing-computation-ignoring-i2c-analog-filter.patch
+i2c-tegra-fix-noirq-suspend-resume.patch
+input-atkbd-add-dmi-quirk-for-lenovo-yoga-air-14-83qk.patch
+input-atkbd-skip-deactivate-for-honor-bcc-n-s-internal-keyboard.patch
+iomap-avoid-potential-null-folio-mapping-deref-during-error-reporting.patch
+iommu-dma-do-not-try-to-iommu_map-a-0-length-region-in-swiotlb.patch
+ipc-shm-serialize-orphan-cleanup-with-shm_nattch-updates.patch
+locking-rtmutex-skip-remove_waiter-when-waiter-is-not-enqueued.patch
+memcg-use-round-robin-victim-selection-in-refill_stock.patch
+memory-atmel-ebi-allow-deferred-probing.patch
+misc-fastrpc-fix-use-after-free-of-fastrpc_user-in-workqueue-context.patch
+misc-fastrpc-fix-use-after-free-race-in-fastrpc_map_create.patch
+misc-fastrpc-fix-dma-address-corruption-due-to-find_vma-misuse.patch
+misc-fastrpc-fix-null-pointer-dereference-in-rpmsg-callback.patch
+firmware-samsung-acpm-fix-mailbox-channel-leak-on-probe-error.patch
+net-mlx5-reorder-completion-before-putting-command-entry-in-cmd_work_handler.patch
+net-airoha-add-null-check-for-of_reserved_mem_lookup-in-airoha_qdma_init_hfwd_queues.patch
+net-bonding-fix-null-pointer-dereference-in-bond_do_ioctl.patch
+net-mv643xx-fix-of-node-refcount.patch
+net-phonet-free-phonet_device-after-rcu-grace-period.patch
+net-rds-clear-i_sends-on-setup-unwind.patch
+net-sfp-initialize-i2c_block_size-at-adapter-configure-time.patch
+nvmem-core-fix-use-after-free-bugs-in-error-paths.patch
+nvmem-layouts-onie-tlv-fix-hang-on-unknown-types.patch
+octeontx2-af-fix-memory-leak-in-rvu_setup_hw_resources.patch
+pinctrl-mcp23s08-read-spi-present-mask-as-u8-not-u32.patch