From 7b8fa15035df7a280ecdbea82abb6b59d2e3c7ee Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 15 May 2026 17:03:43 +0200
Subject: [PATCH] 6.1-stable patches
added patches:
bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
mtd-spi-nor-sst-factor-out-common-write-operation-to-sst_nor_write_data.patch
mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch
pwm-imx-tpm-count-the-number-of-enabled-channels-in-probe.patch
---
...-deref-in-l2cap_sock_get_sndtimeo_cb.patch | 33 ++++++
...rite-operation-to-sst_nor_write_data.patch | 107 ++++++++++++++++++
...fix-write-enable-before-aai-sequence.patch | 61 ++++++++++
...-number-of-enabled-channels-in-probe.patch | 60 ++++++++++
queue-6.1/series | 4 +
5 files changed, 265 insertions(+)
create mode 100644 queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
create mode 100644 queue-6.1/mtd-spi-nor-sst-factor-out-common-write-operation-to-sst_nor_write_data.patch
create mode 100644 queue-6.1/mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch
create mode 100644 queue-6.1/pwm-imx-tpm-count-the-number-of-enabled-channels-in-probe.patch
diff --git a/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch b/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
new file mode 100644
index 0000000000..5d3698f7b6
--- /dev/null
+++ b/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
@@ -0,0 +1,33 @@
+From 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang
+Date: Wed, 15 Apr 2026 16:53:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
+
+From: Siwei Zhang
+
+commit 78a88d43dab8d23aeef934ed8ce34d40e6b3d613 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 8d836d71e222 ("Bluetooth: Access sk_sndtimeo indirectly in l2cap_core.c")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1767,6 +1767,9 @@ static long l2cap_sock_get_sndtimeo_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return 0;
++
+ return sk->sk_sndtimeo;
+ }
+
diff --git a/queue-6.1/mtd-spi-nor-sst-factor-out-common-write-operation-to-sst_nor_write_data.patch b/queue-6.1/mtd-spi-nor-sst-factor-out-common-write-operation-to-sst_nor_write_data.patch
new file mode 100644
index 0000000000..d020956bd5
--- /dev/null
+++ b/queue-6.1/mtd-spi-nor-sst-factor-out-common-write-operation-to-sst_nor_write_data.patch
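Review bot: The added guard in l2cap_sock_get_sndtimeo_cb() returns 0 when `chan->data` is NULL, but neither the code nor the commit text says what a zero send timeout means to the caller or when `chan->data` can be NULL at this point. If callers feed the value into a channel timer, 0 would presumably make it expire at once; that is inferred, since the call sites are outside this patch. A short comment above the check would record the intent, for example `/* sk may already be detached from the channel; report no send timeout */`. The check also only covers a NULL pointer: whether `sk` can be released between the load and `sk->sk_sndtimeo` depends on locking that is not visible here.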
@@ -0,0 +1,107 @@
+From 18bcb4aa54eab75dce41e5c176a1c2bff94f0f79 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cs=C3=B3k=C3=A1s=2C=20Bence?=
+Date: Wed, 10 Jul 2024 11:14:01 +0200
+Subject: mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bence Csókás
+
+commit 18bcb4aa54eab75dce41e5c176a1c2bff94f0f79 upstream.
+
+Writing to the Flash in `sst_nor_write()` is a 3-step process:
+first an optional one-byte write to get 2-byte-aligned, then the
+bulk of the data is written out in vendor-specific 2-byte writes.
+Finally, if there's a byte left over, another one-byte write.
+This was implemented 3 times in the body of `sst_nor_write()`.
+To reduce code duplication, factor out these sub-steps to their
+own function.
+
+Signed-off-by: Csókás, Bence
+Reviewed-by: Pratyush Yadav
+[pratyush@kernel.org: fixup whitespace, use %zu instead of %i in WARN()]
+Signed-off-by: Pratyush Yadav
+Link: https://lore.kernel.org/r/20240710091401.1282824-1-csokas.bence@prolan.hu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/spi-nor/sst.c | 39 +++++++++++++++++++--------------------
+ 1 file changed, 19 insertions(+), 20 deletions(-)
+
+--- a/drivers/mtd/spi-nor/sst.c
++++ b/drivers/mtd/spi-nor/sst.c
+@@ -117,6 +117,21 @@ static const struct flash_info sst_nor_p
+ .fixups = &sst26vf_nor_fixups },
+ };
+
++static int sst_nor_write_data(struct spi_nor *nor, loff_t to, size_t len,
++ const u_char *buf)
++{
++ u8 op = (len == 1) ? SPINOR_OP_BP : SPINOR_OP_AAI_WP;
++ int ret;
++
++ nor->program_opcode = op;
++ ret = spi_nor_write_data(nor, to, 1, buf);
++ if (ret < 0)
++ return ret;
++ WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
++
++ return spi_nor_wait_till_ready(nor);
++}
++
+ static int sst_nor_write(struct mtd_info *mtd, loff_t to, size_t len,
+ size_t *retlen, const u_char *buf)
+ {
+@@ -138,16 +153,10 @@ static int sst_nor_write(struct mtd_info
+
+ /* Start write from odd address. */
+ if (to % 2) {
+- nor->program_opcode = SPINOR_OP_BP;
+-
+ /* write one byte. */
+- ret = spi_nor_write_data(nor, to, 1, buf);
++ ret = sst_nor_write_data(nor, to, 1, buf);
+ if (ret < 0)
+ goto out;
+- WARN(ret != 1, "While writing 1 byte written %i bytes\n", ret);
+- ret = spi_nor_wait_till_ready(nor);
+- if (ret)
+- goto out;
+
+ to++;
+ actual++;
+@@ -155,16 +164,11 @@ static int sst_nor_write(struct mtd_info
+
+ /* Write out most of the data here. */
+ for (; actual < len - 1; actual += 2) {
+- nor->program_opcode = SPINOR_OP_AAI_WP;
+-
+ /* write two bytes. */
+- ret = spi_nor_write_data(nor, to, 2, buf + actual);
++ ret = sst_nor_write_data(nor, to, 2, buf + actual);
+ if (ret < 0)
+ goto out;
+- WARN(ret != 2, "While writing 2 bytes written %i bytes\n", ret);
+- ret = spi_nor_wait_till_ready(nor);
+- if (ret)
+- goto out;
++
+ to += 2;
+ nor->sst_write_second = true;
+ }
+@@ -184,14 +188,9 @@ static int sst_nor_write(struct mtd_info
+ if (ret)
+ goto out;
+
+- nor->program_opcode = SPINOR_OP_BP;
+- ret = spi_nor_write_data(nor, to, 1, buf + actual);
++ ret = sst_nor_write_data(nor, to, 1, buf + actual);
+ if (ret < 0)
+ goto out;
+- WARN(ret != 1, "While writing 1 byte written %i bytes\n", ret);
+- ret = spi_nor_wait_till_ready(nor);
+- if (ret)
+- goto out;
+
+ actual += 1;
+
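Review bot: In the new helper sst_nor_write_data(), the call `ret = spi_nor_write_data(nor, to, 1, buf);` hard-codes a length of 1 and ignores the `len` argument, so the two-byte path in the `for (; actual < len - 1; actual += 2)` loop selects SPINOR_OP_AAI_WP but requests a single byte. The removed code passed 2 at that call site, so this is a behaviour change rather than a pure refactor. The loop still advances `to` and `actual` by 2, which would presumably leave every second byte unprogrammed while `WARN(ret != len, ...)` fires on each word write. The call should read `ret = spi_nor_write_data(nor, to, len, buf);`. If upstream carries a follow-up correction for this commit, it should be queued together with this backport.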
diff --git a/queue-6.1/mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch b/queue-6.1/mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch
new file mode 100644
index 0000000000..070c19ba0c
--- /dev/null
+++ b/queue-6.1/mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch
@@ -0,0 +1,61 @@
+From a0f64241d3566a49c0a9b33ba7ae458ae22003a9 Mon Sep 17 00:00:00 2001
+From: Sanjaikumar V S
+Date: Wed, 11 Mar 2026 10:30:56 +0000
+Subject: mtd: spi-nor: sst: Fix write enable before AAI sequence
+
+From: Sanjaikumar V S
+
+commit a0f64241d3566a49c0a9b33ba7ae458ae22003a9 upstream.
+
+When writing to SST flash starting at an odd address, a single byte is
+first programmed using the byte program (BP) command. After this
+operation completes, the flash hardware automatically clears the Write
+Enable Latch (WEL) bit.
+
+If an AAI (Auto Address Increment) word program sequence follows, it
+requires WEL to be set. Without re-enabling writes, the AAI sequence
+fails.
+
+Add spi_nor_write_enable() after the odd-address byte program when more
+data needs to be written. Use a local boolean for clarity.
+
+Fixes: b199489d37b2 ("mtd: spi-nor: add the framework for SPI NOR")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sanjaikumar V S
+Tested-by: Hendrik Donner
+Reviewed-by: Hendrik Donner
+Signed-off-by: Pratyush Yadav (Google)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/spi-nor/sst.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/mtd/spi-nor/sst.c
++++ b/drivers/mtd/spi-nor/sst.c
+@@ -153,6 +153,8 @@ static int sst_nor_write(struct mtd_info
+
+ /* Start write from odd address. */
+ if (to % 2) {
++ bool needs_write_enable = (len > 1);
++
+ /* write one byte. */
+ ret = sst_nor_write_data(nor, to, 1, buf);
+ if (ret < 0)
+@@ -160,6 +162,17 @@ static int sst_nor_write(struct mtd_info
+
+ to++;
+ actual++;
++
++ /*
++ * Byte program clears the write enable latch. If more
++ * data needs to be written using the AAI sequence,
++ * re-enable writes.
++ */
++ if (needs_write_enable) {
++ ret = spi_nor_write_enable(nor);
++ if (ret)
++ goto out;
++ }
+ }
+
+ /* Write out most of the data here. */
diff --git a/queue-6.1/pwm-imx-tpm-count-the-number-of-enabled-channels-in-probe.patch b/queue-6.1/pwm-imx-tpm-count-the-number-of-enabled-channels-in-probe.patch
new file mode 100644
index 0000000000..e483a57e9f
--- /dev/null
+++ b/queue-6.1/pwm-imx-tpm-count-the-number-of-enabled-channels-in-probe.patch
@@ -0,0 +1,60 @@
+From 3962c24f2d14e8a7f8a23f56b7ce320523947342 Mon Sep 17 00:00:00 2001
+From: "Viorel Suman (OSS)"
+Date: Wed, 11 Mar 2026 14:33:09 +0200
+Subject: pwm: imx-tpm: Count the number of enabled channels in probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Viorel Suman (OSS)
+
+commit 3962c24f2d14e8a7f8a23f56b7ce320523947342 upstream.
+
+On a soft reset TPM PWM IP may preserve its internal state from previous
+runtime, therefore on a subsequent OS boot and driver probe
+"enable_count" value and TPM PWM IP internal channels "enabled" states
+may get unaligned. In consequence on a suspend/resume cycle the call "if
+(--tpm->enable_count == 0)" may lead to "enable_count" overflow the
+system being blocked from entering suspend due to:
+
+ if (tpm->enable_count > 0)
+ return -EBUSY;
+
+Fix the problem by counting the enabled channels in probe function.
+
+Signed-off-by: Viorel Suman (OSS)
+Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
+Link: https://patch.msgid.link/20260311123309.348904-1-viorel.suman@oss.nxp.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König
+[ukleinek: backport to linux-6.6.y]
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pwm/pwm-imx-tpm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/pwm/pwm-imx-tpm.c
++++ b/drivers/pwm/pwm-imx-tpm.c
+@@ -350,6 +350,7 @@ static int pwm_imx_tpm_probe(struct plat
+ {
+ struct imx_tpm_pwm_chip *tpm;
+ int ret;
++ unsigned int i;
+ u32 val;
+
+ tpm = devm_kzalloc(&pdev->dev, sizeof(*tpm), GFP_KERNEL);
+@@ -383,6 +384,13 @@ static int pwm_imx_tpm_probe(struct plat
+
+ mutex_init(&tpm->lock);
+
++ /* count the enabled channels */
++ for (i = 0; i < tpm->chip.npwm; ++i) {
++ val = readl(tpm->base + PWM_IMX_TPM_CnSC(i));
++ if (FIELD_GET(PWM_IMX_TPM_CnSC_ELS, val))
++ ++tpm->enable_count;
++ }
++
+ ret = pwmchip_add(&tpm->chip);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add PWM chip: %d\n", ret);
diff --git a/queue-6.1/series b/queue-6.1/series
index 2add9ae7c6..012b946040 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -420,3 +420,7 @@ batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch
 batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch
 batman-adv-bla-only-purge-non-released-claims.patch
 batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
+mtd-spi-nor-sst-factor-out-common-write-operation-to-sst_nor_write_data.patch
+mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch
+pwm-imx-tpm-count-the-number-of-enabled-channels-in-probe.patch
--
2.47.3
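Review bot: The comment `/* count the enabled channels */` on the new loop in pwm_imx_tpm_probe() only restates the code and does not say why probe seeds `tpm->enable_count` from register state. The reason is given in the commit message (channel state can survive a soft reset, and suspend returns -EBUSY while `enable_count > 0`), and it belongs next to the loop, for example `/* CnSC may survive a soft reset; seed enable_count from hardware so suspend accounting matches */`. The function starts and ends outside the hunk, so the setup of `tpm->chip.npwm` and the clock state that `readl()` relies on could not be checked here. The trailer `[ukleinek: backport to linux-6.6.y]` names a different branch than this 6.1 queue, so it is worth confirming that the context lines match the 6.1 source.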