From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 20 May 2026 16:00:33 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.6.141~42
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=f0d7ee0870913663959da7acfecb900562c4fa4f;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch
	io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch
---

diff --git a/queue-5.15/drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch b/queue-5.15/drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch
new file mode 100644
index 0000000000..e514d6946b
--- /dev/null
+++ b/queue-5.15/drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch
@@ -0,0 +1,32 @@
+From 950953f774b3f69da6f413e045ef075e1f3da2df Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 8 May 2026 16:44:44 +0200
+Subject: drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 950953f774b3f69da6f413e045ef075e1f3da2df upstream.
+
+Make sure to drop the reference taken to the I2C adapter (and its
+module) when setting up HDMI to allow the adapter to be deregistered.
+
+Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support")
+Cc: stable@vger.kernel.org	# 3.3
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patch.msgid.link/20260508144446.59722-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/gma500/oaktrail_hdmi.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c
++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c
+@@ -576,6 +576,7 @@ static int oaktrail_hdmi_get_modes(struc
+ 	} else {
+ 		edid = (struct edid *)raw_edid;
+ 		/* FIXME ? edid = drm_get_edid(connector, i2c_adap); */
++		i2c_put_adapter(i2c_adap);
+ 	}
+ 
+ 	if (edid) {
diff --git a/queue-5.15/io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch b/queue-5.15/io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch
new file mode 100644
index 0000000000..a92816a3e1
--- /dev/null
+++ b/queue-5.15/io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch
@@ -0,0 +1,49 @@
+From fb133351bed5c5aefc20129dcf3b3a62d44e16ea Mon Sep 17 00:00:00 2001
+From: Nicholas Carlini <nicholas@carlini.com>
+Date: Mon, 11 May 2026 18:02:16 +0000
+Subject: io-wq: check that the predecessor is hashed in io_wq_remove_pending()
+
+From: Nicholas Carlini <nicholas@carlini.com>
+
+io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled
+work was the tail of its hash bucket. When doing this, it checks whether
+the preceding entry in acct->work_list has the same hash value, but
+never checks that the predecessor is hashed at all. io_get_work_hash()
+is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash
+bits are never set for non-hashed work, so it returns 0. Thus, when a
+hashed bucket-0 work is cancelled while a non-hashed work is its list
+predecessor, the check spuriously passes and a pointer to the non-hashed
+io_kiocb is stored in wq->hash_tail[0].
+
+Because non-hashed work is dequeued via the fast path in
+io_get_next_work(), which never touches hash_tail[], the stale pointer
+is never cleared. Therefore, after the non-hashed io_kiocb completes and
+is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The
+io_wq is per-task (tctx->io_wq) and survives ring open/close, so the
+dangling pointer persists for the lifetime of the task; the next hashed
+bucket-0 enqueue dereferences it in io_wq_insert_work() and
+wq_list_add_after() writes through freed memory.
+
+Add the missing io_wq_is_hashed() check so a non-hashed predecessor
+never inherits a hash_tail[] slot.
+
+Cc: stable@vger.kernel.org # 5.7+
+Fixes: 204361a77f40 ("io-wq: fix hang after cancelling pending hashed work")
+Signed-off-by: Nicholas Carlini <nicholas@carlini.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io-wq.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1014,7 +1014,8 @@ static inline void io_wqe_remove_pending
+ 	if (io_wq_is_hashed(work) && work == wqe->hash_tail[hash]) {
+ 		if (prev)
+ 			prev_work = container_of(prev, struct io_wq_work, list);
+-		if (prev_work && io_get_work_hash(prev_work) == hash)
++		if (prev_work && io_wq_is_hashed(prev_work) &&
++		    io_get_work_hash(prev_work) == hash)
+ 			wqe->hash_tail[hash] = prev_work;
+ 		else
+ 			wqe->hash_tail[hash] = NULL;
diff --git a/queue-5.15/series b/queue-5.15/series
index 59c3db5f61..2b65bc7839 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -672,3 +672,5 @@ libceph-handle-rbtree-insertion-error-in-decode_choose_args.patch
 iommu-vt-d-disable-dmar-for-intel-q35-igfx.patch
 drm-i915-skip-__i915_request_skip-for-already-signaled-requests.patch
 drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch
+drm-gma500-oaktrail_hdmi-fix-i2c-adapter-leak-on-setup.patch
+io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch