From: Greg Kroah-Hartman Date: Fri, 20 Mar 2026 17:39:47 +0000 (+0100) Subject: 6.6-stable patches X-Git-Tag: v6.1.167~81 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=abbe3e4aa43bf36ae4b66fd57ff76898538315f3;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch spi-fix-statistics-allocation.patch spi-fix-use-after-free-on-controller-registration-failure.patch --- diff --git a/queue-6.6/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch b/queue-6.6/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch new file mode 100644 index 0000000000..a6ef518fd9 --- /dev/null +++ b/queue-6.6/iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch @@ -0,0 +1,54 @@ +From fe89277c9ceb0d6af0aa665bcf24a41d8b1b79cd Mon Sep 17 00:00:00 2001 +From: Guanghui Feng +Date: Mon, 16 Mar 2026 15:16:39 +0800 +Subject: iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry + +From: Guanghui Feng + +commit fe89277c9ceb0d6af0aa665bcf24a41d8b1b79cd upstream. + +During the qi_check_fault process after an IOMMU ITE event, requests at +odd-numbered positions in the queue are set to QI_ABORT, only satisfying +single-request submissions. However, qi_submit_sync now supports multiple +simultaneous submissions, and can't guarantee that the wait_desc will be +at an odd-numbered position. Therefore, if an item times out, IOMMU can't +re-initiate the request, resulting in an infinite polling wait. + +This modifies the process by setting the status of all requests already +fetched by IOMMU and recorded as QI_IN_USE status (including wait_desc +requests) to QI_ABORT, thus enabling multiple requests to be resubmitted. + +Fixes: 8a1d82462540 ("iommu/vt-d: Multiple descriptors per qi_submit_sync()") +Cc: stable@vger.kernel.org +Signed-off-by: Guanghui Feng +Tested-by: Shuai Xue +Reviewed-by: Shuai Xue +Reviewed-by: Samiullah Khawaja +Link: https://lore.kernel.org/r/20260306101516.3885775-1-guanghuifeng@linux.alibaba.com +Signed-off-by: Lu Baolu +Fixes: 8a1d82462540 ("iommu/vt-d: Multiple descriptors per qi_submit_sync()") +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel/dmar.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iommu/intel/dmar.c ++++ b/drivers/iommu/intel/dmar.c +@@ -1309,7 +1309,6 @@ static int qi_check_fault(struct intel_i + if (fault & DMA_FSTS_ITE) { + head = readl(iommu->reg + DMAR_IQH_REG); + head = ((head >> shift) - 1 + QI_LENGTH) % QI_LENGTH; +- head |= 1; + tail = readl(iommu->reg + DMAR_IQT_REG); + tail = ((tail >> shift) - 1 + QI_LENGTH) % QI_LENGTH; + +@@ -1319,7 +1318,7 @@ static int qi_check_fault(struct intel_i + do { + if (qi->desc_status[head] == QI_IN_USE) + qi->desc_status[head] = QI_ABORT; +- head = (head - 2 + QI_LENGTH) % QI_LENGTH; ++ head = (head - 1 + QI_LENGTH) % QI_LENGTH; + } while (head != tail); + + if (qi->desc_status[wait_index] == QI_ABORT) diff --git a/queue-6.6/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch b/queue-6.6/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch new file mode 100644 index 0000000000..2fe716c497 --- /dev/null +++ b/queue-6.6/mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch @@ -0,0 +1,47 @@ +From 5e3486e64094c28a526543f1e8aa0d5964b7f02d Mon Sep 17 00:00:00 2001 +From: Luke Wang +Date: Wed, 11 Mar 2026 17:50:06 +0800 +Subject: mmc: sdhci: fix timing selection for 1-bit bus width + +From: Luke Wang + +commit 5e3486e64094c28a526543f1e8aa0d5964b7f02d upstream. + +When 1-bit bus width is used with HS200/HS400 capabilities set, +mmc_select_hs200() returns 0 without actually switching. This +causes mmc_select_timing() to skip mmc_select_hs(), leaving eMMC +in legacy mode (26MHz) instead of High Speed SDR (52MHz). + +Per JEDEC eMMC spec section 5.3.2, 1-bit mode supports High Speed +SDR. Drop incompatible HS200/HS400/UHS/DDR caps early so timing +selection falls through to mmc_select_hs() correctly. + +Fixes: f2119df6b764 ("mmc: sd: add support for signal voltage switch procedure") +Signed-off-by: Luke Wang +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -4497,8 +4497,15 @@ int sdhci_setup_host(struct sdhci_host * + * their platform code before calling sdhci_add_host(), and we + * won't assume 8-bit width for hosts without that CAP. + */ +- if (!(host->quirks & SDHCI_QUIRK_FORCE_1_BIT_DATA)) ++ if (host->quirks & SDHCI_QUIRK_FORCE_1_BIT_DATA) { ++ host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50); ++ if (host->quirks2 & SDHCI_QUIRK2_CAPS_BIT63_FOR_HS400) ++ host->caps1 &= ~SDHCI_SUPPORT_HS400; ++ mmc->caps2 &= ~(MMC_CAP2_HS200 | MMC_CAP2_HS400 | MMC_CAP2_HS400_ES); ++ mmc->caps &= ~(MMC_CAP_DDR | MMC_CAP_UHS); ++ } else { + mmc->caps |= MMC_CAP_4_BIT_DATA; ++ } + + if (host->quirks2 & SDHCI_QUIRK2_HOST_NO_CMD23) + mmc->caps &= ~MMC_CAP_CMD23; diff --git a/queue-6.6/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch b/queue-6.6/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch new file mode 100644 index 0000000000..c9e141c62f --- /dev/null +++ b/queue-6.6/mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch @@ -0,0 +1,60 @@ +From 2b76e0cc7803e5ab561c875edaba7f6bbd87fbb0 Mon Sep 17 00:00:00 2001 +From: Matthew Schwartz +Date: Mon, 2 Mar 2026 13:07:17 -0800 +Subject: mmc: sdhci-pci-gli: fix GL9750 DMA write corruption + +From: Matthew Schwartz + +commit 2b76e0cc7803e5ab561c875edaba7f6bbd87fbb0 upstream. + +The GL9750 SD host controller has intermittent data corruption during +DMA write operations. The GM_BURST register's R_OSRC_Lmt field +(bits 17:16), which limits outstanding DMA read requests from system +memory, is not being cleared during initialization. The Windows driver +sets R_OSRC_Lmt to zero, limiting requests to the smallest unit. + +Clear R_OSRC_Lmt to match the Windows driver behavior. This eliminates +write corruption verified with f3write/f3read tests while maintaining +DMA performance. + +Cc: stable@vger.kernel.org +Fixes: e51df6ce668a ("mmc: host: sdhci-pci: Add Genesys Logic GL975x support") +Closes: https://lore.kernel.org/linux-mmc/33d12807-5c72-41ce-8679-57aa11831fad@linux.dev/ +Acked-by: Adrian Hunter +Signed-off-by: Matthew Schwartz +Reviewed-by: Ben Chuang +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-gli.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-gli.c ++++ b/drivers/mmc/host/sdhci-pci-gli.c +@@ -70,6 +70,9 @@ + #define GLI_9750_MISC_TX1_DLY_VALUE 0x5 + #define SDHCI_GLI_9750_MISC_SSC_OFF BIT(26) + ++#define SDHCI_GLI_9750_GM_BURST_SIZE 0x510 ++#define SDHCI_GLI_9750_GM_BURST_SIZE_R_OSRC_LMT GENMASK(17, 16) ++ + #define SDHCI_GLI_9750_TUNING_CONTROL 0x540 + #define SDHCI_GLI_9750_TUNING_CONTROL_EN BIT(4) + #define GLI_9750_TUNING_CONTROL_EN_ON 0x1 +@@ -277,10 +280,16 @@ static void gli_set_9750(struct sdhci_ho + u32 misc_value; + u32 parameter_value; + u32 control_value; ++ u32 burst_value; + u16 ctrl2; + + gl9750_wt_on(host); + ++ /* clear R_OSRC_Lmt to avoid DMA write corruption */ ++ burst_value = sdhci_readl(host, SDHCI_GLI_9750_GM_BURST_SIZE); ++ burst_value &= ~SDHCI_GLI_9750_GM_BURST_SIZE_R_OSRC_LMT; ++ sdhci_writel(host, burst_value, SDHCI_GLI_9750_GM_BURST_SIZE); ++ + driving_value = sdhci_readl(host, SDHCI_GLI_9750_DRIVING); + pll_value = sdhci_readl(host, SDHCI_GLI_9750_PLL); + sw_ctrl_value = sdhci_readl(host, SDHCI_GLI_9750_SW_CTRL); diff --git a/queue-6.6/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch b/queue-6.6/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch new file mode 100644 index 0000000000..ce5e52f0fc --- /dev/null +++ b/queue-6.6/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch @@ -0,0 +1,56 @@ +From 8e2f8020270af7777d49c2e7132260983e4fc566 Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Mon, 16 Feb 2026 18:01:30 +1100 +Subject: mtd: Avoid boot crash in RedBoot partition table parser + +From: Finn Thain + +commit 8e2f8020270af7777d49c2e7132260983e4fc566 upstream. + +Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, +commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when +available") produces the warning below and an oops. + + Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 + ------------[ cut here ]------------ + WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 + memcmp: detected buffer overflow: 15 byte read of buffer size 14 + Modules linked in: + CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE + +As Kees said, "'names' is pointing to the final 'namelen' many bytes +of the allocation ... 'namelen' could be basically any length at all. +This fortify warning looks legit to me -- this code used to be reading +beyond the end of the allocation." + +Since the size of the dynamic allocation is calculated with strlen() +we can use strcmp() instead of memcmp() and remain within bounds. + +Cc: Kees Cook +Cc: stable@vger.kernel.org +Cc: linux-hardening@vger.kernel.org +Link: https://lore.kernel.org/all/202602151911.AD092DFFCD@keescook/ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Suggested-by: Kees Cook +Signed-off-by: Finn Thain +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/parsers/redboot.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/parsers/redboot.c ++++ b/drivers/mtd/parsers/redboot.c +@@ -270,9 +270,9 @@ nogood: + + strcpy(names, fl->img->name); + #ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY +- if (!memcmp(names, "RedBoot", 8) || +- !memcmp(names, "RedBoot config", 15) || +- !memcmp(names, "FIS directory", 14)) { ++ if (!strcmp(names, "RedBoot") || ++ !strcmp(names, "RedBoot config") || ++ !strcmp(names, "FIS directory")) { + parts[i].mask_flags = MTD_WRITEABLE; + } + #endif diff --git a/queue-6.6/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch b/queue-6.6/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch new file mode 100644 index 0000000000..bc5cb7c74c --- /dev/null +++ b/queue-6.6/mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch @@ -0,0 +1,34 @@ +From 0410e1a4c545c769c59c6eda897ad5d574d0c865 Mon Sep 17 00:00:00 2001 +From: Chen Ni +Date: Mon, 9 Feb 2026 15:56:18 +0800 +Subject: mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init() + +From: Chen Ni + +commit 0410e1a4c545c769c59c6eda897ad5d574d0c865 upstream. + +Fix wrong variable used for error checking after dma_alloc_coherent() +call. The function checks cdns_ctrl->dma_cdma_desc instead of +cdns_ctrl->cdma_desc, which could lead to incorrect error handling. + +Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem") +Cc: stable@vger.kernel.org +Signed-off-by: Chen Ni +Reviewed-by: Alok Tiwari +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/cadence-nand-controller.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/cadence-nand-controller.c ++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c +@@ -2883,7 +2883,7 @@ static int cadence_nand_init(struct cdns + sizeof(*cdns_ctrl->cdma_desc), + &cdns_ctrl->dma_cdma_desc, + GFP_KERNEL); +- if (!cdns_ctrl->dma_cdma_desc) ++ if (!cdns_ctrl->cdma_desc) + return -ENOMEM; + + cdns_ctrl->buf_size = SZ_16K; diff --git a/queue-6.6/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch b/queue-6.6/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch new file mode 100644 index 0000000000..b36b09f519 --- /dev/null +++ b/queue-6.6/mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch @@ -0,0 +1,41 @@ +From b9465b04de4b90228de03db9a1e0d56b00814366 Mon Sep 17 00:00:00 2001 +From: Olivier Sobrie +Date: Tue, 17 Mar 2026 18:18:07 +0100 +Subject: mtd: rawnand: pl353: make sure optimal timings are applied + +From: Olivier Sobrie + +commit b9465b04de4b90228de03db9a1e0d56b00814366 upstream. + +Timings of the nand are adjusted by pl35x_nfc_setup_interface() but +actually applied by the pl35x_nand_select_target() function. +If there is only one nand chip, the pl35x_nand_select_target() will only +apply the timings once since the test at its beginning will always be true +after the first call to this function. As a result, the hardware will +keep using the default timings set at boot to detect the nand chip, not +the optimal ones. + +With this patch, we program directly the new timings when +pl35x_nfc_setup_interface() is called. + +Fixes: 08d8c62164a3 ("mtd: rawnand: pl353: Add support for the ARM PL353 SMC NAND controller") +Signed-off-by: Olivier Sobrie +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/pl35x-nand-controller.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mtd/nand/raw/pl35x-nand-controller.c ++++ b/drivers/mtd/nand/raw/pl35x-nand-controller.c +@@ -862,6 +862,9 @@ static int pl35x_nfc_setup_interface(str + PL35X_SMC_NAND_TAR_CYCLES(tmgs.t_ar) | + PL35X_SMC_NAND_TRR_CYCLES(tmgs.t_rr); + ++ writel(plnand->timings, nfc->conf_regs + PL35X_SMC_CYCLES); ++ pl35x_smc_update_regs(nfc); ++ + return 0; + } + diff --git a/queue-6.6/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch b/queue-6.6/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch new file mode 100644 index 0000000000..39aed68a72 --- /dev/null +++ b/queue-6.6/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch @@ -0,0 +1,76 @@ +From b826d2c0b0ecb844c84431ba6b502e744f5d919a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ma=C3=ADra=20Canal?= +Date: Tue, 17 Mar 2026 19:41:49 -0300 +Subject: pmdomain: bcm: bcm2835-power: Increase ASB control timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maíra Canal + +commit b826d2c0b0ecb844c84431ba6b502e744f5d919a upstream. + +The bcm2835_asb_control() function uses a tight polling loop to wait +for the ASB bridge to acknowledge a request. During intensive workloads, +this handshake intermittently fails for V3D's master ASB on BCM2711, +resulting in "Failed to disable ASB master for v3d" errors during +runtime PM suspend. As a consequence, the failed power-off leaves V3D in +a broken state, leading to bus faults or system hangs on later accesses. + +As the timeout is insufficient in some scenarios, increase the polling +timeout from 1us to 5us, which is still negligible in the context of a +power domain transition. Also, replace the open-coded ktime_get_ns()/ +cpu_relax() polling loop with readl_poll_timeout_atomic(). + +Cc: stable@vger.kernel.org +Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.") +Signed-off-by: Maíra Canal +Reviewed-by: Stefan Wahren +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pmdomain/bcm/bcm2835-power.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/drivers/pmdomain/bcm/bcm2835-power.c ++++ b/drivers/pmdomain/bcm/bcm2835-power.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -152,7 +153,6 @@ struct bcm2835_power { + static int bcm2835_asb_control(struct bcm2835_power *power, u32 reg, bool enable) + { + void __iomem *base = power->asb; +- u64 start; + u32 val; + + switch (reg) { +@@ -165,8 +165,6 @@ static int bcm2835_asb_control(struct bc + break; + } + +- start = ktime_get_ns(); +- + /* Enable the module's async AXI bridges. */ + if (enable) { + val = readl(base + reg) & ~ASB_REQ_STOP; +@@ -175,11 +173,9 @@ static int bcm2835_asb_control(struct bc + } + writel(PM_PASSWORD | val, base + reg); + +- while (!!(readl(base + reg) & ASB_ACK) == enable) { +- cpu_relax(); +- if (ktime_get_ns() - start >= 1000) +- return -ETIMEDOUT; +- } ++ if (readl_poll_timeout_atomic(base + reg, val, ++ !!(val & ASB_ACK) != enable, 0, 5)) ++ return -ETIMEDOUT; + + return 0; + } diff --git a/queue-6.6/series b/queue-6.6/series index 612a89dccb..fe13e3afad 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -471,3 +471,12 @@ nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch net-macb-queue-tie-off-or-disable-during-wol-suspend.patch net-macb-introduce-gem_init_rx_ring.patch net-macb-reinitialize-tx-rx-queue-pointer-registers-and-rx-ring-during-resume.patch +mmc-sdhci-pci-gli-fix-gl9750-dma-write-corruption.patch +mmc-sdhci-fix-timing-selection-for-1-bit-bus-width.patch +pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch +spi-fix-use-after-free-on-controller-registration-failure.patch +spi-fix-statistics-allocation.patch +mtd-rawnand-pl353-make-sure-optimal-timings-are-applied.patch +mtd-rawnand-cadence-fix-error-check-for-dma_alloc_coherent-in-cadence_nand_init.patch +mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch +iommu-vt-d-fix-intel-iommu-iotlb-sync-hardlockup-and-retry.patch diff --git a/queue-6.6/spi-fix-statistics-allocation.patch b/queue-6.6/spi-fix-statistics-allocation.patch new file mode 100644 index 0000000000..b28cf74117 --- /dev/null +++ b/queue-6.6/spi-fix-statistics-allocation.patch @@ -0,0 +1,76 @@ +From dee0774bbb2abb172e9069ce5ffef579b12b3ae9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Mar 2026 16:18:14 +0100 +Subject: spi: fix statistics allocation + +From: Johan Hovold + +commit dee0774bbb2abb172e9069ce5ffef579b12b3ae9 upstream. + +The controller per-cpu statistics is not allocated until after the +controller has been registered with driver core, which leaves a window +where accessing the sysfs attributes can trigger a NULL-pointer +dereference. + +Fix this by moving the statistics allocation to controller allocation +while tying its lifetime to that of the controller (rather than using +implicit devres). + +Fixes: 6598b91b5ac3 ("spi: spi.c: Convert statistics to per-cpu u64_stats_t") +Cc: stable@vger.kernel.org # 6.0 +Cc: David Jander +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260312151817.32100-3-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -2777,6 +2777,8 @@ static void spi_controller_release(struc + struct spi_controller *ctlr; + + ctlr = container_of(dev, struct spi_controller, dev); ++ ++ free_percpu(ctlr->pcpu_statistics); + kfree(ctlr); + } + +@@ -2928,6 +2930,12 @@ struct spi_controller *__spi_alloc_contr + if (!ctlr) + return NULL; + ++ ctlr->pcpu_statistics = spi_alloc_pcpu_stats(NULL); ++ if (!ctlr->pcpu_statistics) { ++ kfree(ctlr); ++ return NULL; ++ } ++ + device_initialize(&ctlr->dev); + INIT_LIST_HEAD(&ctlr->queue); + spin_lock_init(&ctlr->queue_lock); +@@ -3216,13 +3224,6 @@ int spi_register_controller(struct spi_c + if (status) + goto del_ctrl; + } +- /* Add statistics */ +- ctlr->pcpu_statistics = spi_alloc_pcpu_stats(dev); +- if (!ctlr->pcpu_statistics) { +- dev_err(dev, "Error allocating per-cpu statistics\n"); +- status = -ENOMEM; +- goto destroy_queue; +- } + + mutex_lock(&board_lock); + list_add_tail(&ctlr->list, &spi_controller_list); +@@ -3235,8 +3236,6 @@ int spi_register_controller(struct spi_c + acpi_register_spi_devices(ctlr); + return status; + +-destroy_queue: +- spi_destroy_queue(ctlr); + del_ctrl: + device_del(&ctlr->dev); + free_bus_id: diff --git a/queue-6.6/spi-fix-use-after-free-on-controller-registration-failure.patch b/queue-6.6/spi-fix-use-after-free-on-controller-registration-failure.patch new file mode 100644 index 0000000000..073461a1cc --- /dev/null +++ b/queue-6.6/spi-fix-use-after-free-on-controller-registration-failure.patch @@ -0,0 +1,49 @@ +From 8634e05b08ead636e926022f4a98416e13440df9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 12 Mar 2026 16:18:13 +0100 +Subject: spi: fix use-after-free on controller registration failure + +From: Johan Hovold + +commit 8634e05b08ead636e926022f4a98416e13440df9 upstream. + +Make sure to deregister from driver core also in the unlikely event that +per-cpu statistics allocation fails during controller registration to +avoid use-after-free (of driver resources) and unclocked register +accesses. + +Fixes: 6598b91b5ac3 ("spi: spi.c: Convert statistics to per-cpu u64_stats_t") +Cc: stable@vger.kernel.org # 6.0 +Cc: David Jander +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260312151817.32100-2-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -3213,10 +3213,8 @@ int spi_register_controller(struct spi_c + dev_info(dev, "controller is unqueued, this is deprecated\n"); + } else if (ctlr->transfer_one || ctlr->transfer_one_message) { + status = spi_controller_initialize_queue(ctlr); +- if (status) { +- device_del(&ctlr->dev); +- goto free_bus_id; +- } ++ if (status) ++ goto del_ctrl; + } + /* Add statistics */ + ctlr->pcpu_statistics = spi_alloc_pcpu_stats(dev); +@@ -3239,6 +3237,8 @@ int spi_register_controller(struct spi_c + + destroy_queue: + spi_destroy_queue(ctlr); ++del_ctrl: ++ device_del(&ctlr->dev); + free_bus_id: + mutex_lock(&board_lock); + idr_remove(&spi_master_idr, ctlr->bus_num);