Author: Gregor Herburger <[email protected]> Date: Thu Feb 26 09:55:58 2026 +0100 arm64: dts: broadcom: bcm2712-d-rpi-5-b: add fixes for pinctrl/pinctrl_aon commit aeb078cebc40d421f61a8f07b0e7919aeb44d751 upstream. On the -d revision of the bcm2712 the pinctrl differs from the c0 revision. The driver already supports both and distinguishes the two with the compatible string. Update the compatible string and reg length to reflect the different pinctrl. Signed-off-by: Gregor Herburger <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Florian Fainelli <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Gregor Herburger <[email protected]> Date: Thu Feb 26 09:55:59 2026 +0100 arm64: dts: broadcom: bcm2712-d-rpi-5-b: update uart10 interrupt commit 18d4a06e10051681de074a9250e54afc1f3ee312 upstream. On the -d revision of bcm2712 the uart interrupt is on 120. Update it accordingly. Signed-off-by: Gregor Herburger <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Florian Fainelli <[email protected]> Cc: Rasmus Villemoes <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Josua Mayer <[email protected]> Date: Tue Mar 24 13:40:55 2026 +0100 arm64: dts: lx2160a-cex7/lx2162a-sr-som: fix usd-cd & gpio pinmux commit 70008aee892bbb5c2969bbe9e5778fc081b14bd2 upstream. Commit 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery") introduced pinmux nodes for lx2160 i2c interfaces, allowing runtime change between i2c and gpio functions implementing bus recovery. However, the dynamic configuration area (overwrite MUX) used by the pinctrl-single driver initially reads as zero and does not reflect the actual hardware state set by the Reset Configuration Word (RCW) at power-on. Because multiple groups of pins are configured from a single 32-bit register, the first write from the pinctrl driver unintentionally clears all other bits to zero. For example, on the LX2162A Clearfog, RCWSR12 is initialized to 0x08000006. When any i2c pinmux is applied, it clears all other fields. This inadvertently disables SD card-detect (IIC2_PMUX) and some GPIOs (SDHC1_DIR_PMUX): LX2162-CF RCWSR12: 0b0000100000000000 0000000000000110 IIC2_PMUX ||| ||| || | ||| |||XXX : I2C/GPIO/CD-WP SDHC1_DIR_PMUX XXX ||| || | ||| ||| : SDHC/GPIO/SPI Reverting the commit in question was considered but bus recovery is an important feature. Instead add pinmux nodes for those pins that were unintentionally reconfigured on SolidRun LX2160A Clearfog-CX and LX2162A Clearfog boards. Fixes: 8a1365c7bbc1 ("arm64: dts: lx2160a: add pinmux and i2c gpio to support bus recovery") Cc: [email protected] Signed-off-by: Josua Mayer <[email protected]> Signed-off-by: Frank Li <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Viken Dadhaniya <[email protected]> Date: Wed Mar 25 18:30:37 2026 +0530 arm64: dts: qcom: lemans: Correct QUP interrupt numbers commit c5b22c88cc09b180e3a23010b29f4d02ec117a44 upstream. Fix GIC_SPI interrupt numbers for QUPv3 SE6 nodes on Lemans SoC. Using incorrect interrupt lines can prevent IRQs from triggering and break I2C, SPI, and UART operation. Fixes: 34a407316b7d3 ("arm64: dts: qcom: sa8775p: Populate additional UART DT nodes") Fixes: 1b2d7ad5ac14d ("arm64: dts: qcom: sa8775p: add missing spi nodes") Fixes: ee2f5f906d69d ("arm64: dts: qcom: sa8775p: add missing i2c nodes") Cc: [email protected] Signed-off-by: Viken Dadhaniya <[email protected]> Reviewed-by: Dmitry Baryshkov <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Bjorn Andersson <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Siddharth Vadapalli <[email protected]> Date: Mon Mar 9 10:25:32 2026 +0530 arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22 commit 6ee0792d83d5c690205c350825a4c30746c0e0a2 upstream. The pin for GPMC0_CLK.GPIO0_31 at address 0x000F407C is N22 and not M19. Hence, fix the pin name in the comment to avoid confusion. Fixes: 8f023012eb4a ("arm64: dts: ti: k3-am62a: Enable UHS mode support for SD cards") Cc: [email protected] Signed-off-by: Siddharth Vadapalli <[email protected]> Reviewed-by: Andrew Davis <[email protected]> Reviewed-by: Bryan Brattlof <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Vignesh Raghavendra <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sven Eckelmann <[email protected]> Date: Wed May 6 22:20:51 2026 +0200 batman-adv: bla: only purge non-released claims commit cf6b604011591865ae39ac82de8978c1120d17af upstream. When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of. Cc: [email protected] Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") Signed-off-by: Sven Eckelmann <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sven Eckelmann <[email protected]> Date: Wed May 6 22:20:50 2026 +0200 batman-adv: bla: prevent use-after-free when deleting claims commit 4ae1709a314060a196981b344610d023ea841e57 upstream. When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped. Cc: [email protected] Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") Signed-off-by: Sven Eckelmann <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sven Eckelmann <[email protected]> Date: Wed May 6 22:20:52 2026 +0200 batman-adv: bla: put backbone reference on failed claim hash insert commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream. When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object. Cc: [email protected] Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access") Signed-off-by: Sven Eckelmann <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Lyes Bourennani <[email protected]> Date: Wed Apr 22 00:20:22 2026 +0200 batman-adv: fix integer overflow on buff_pos commit 0799e5943611006b346b8813c7daf7dd5aa26bfd upstream. Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read. Cc: [email protected] Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Signed-off-by: Lyes Bourennani <[email protected]> Signed-off-by: Alexis Pinson <[email protected]> Signed-off-by: Sven Eckelmann <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jiexun Wang <[email protected]> Date: Mon Apr 27 14:43:33 2026 +0800 batman-adv: reject new tp_meter sessions during teardown commit 3243543592425beec83d453793e9d27caa0d8e66 upstream. Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE. Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") Cc: [email protected] Reported-by: Yuan Tan <[email protected]> Reported-by: Yifan Wu <[email protected]> Reported-by: Juefei Pu <[email protected]> Reported-by: Xin Liu <[email protected]> Co-developed-by: Luxing Yin <[email protected]> Signed-off-by: Luxing Yin <[email protected]> Signed-off-by: Jiexun Wang <[email protected]> Signed-off-by: Ren Wei <[email protected]> Signed-off-by: Sven Eckelmann <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jiexun Wang <[email protected]> Date: Sun May 3 12:28:58 2026 +0800 batman-adv: stop caching unowned originator pointers in BAT IV commit f03e8583532941b07761c5429de7d50766fa3110 upstream. BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use. Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Cc: [email protected] Reported-by: Yuan Tan <[email protected]> Reported-by: Yifan Wu <[email protected]> Reported-by: Juefei Pu <[email protected]> Reported-by: Xin Liu <[email protected]> Signed-off-by: Jiexun Wang <[email protected]> Signed-off-by: Ren Wei <[email protected]> [sven: avoid bonding logic for outgoing OGM] Signed-off-by: Sven Eckelmann <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jiexun Wang <[email protected]> Date: Mon Apr 27 14:43:34 2026 +0800 batman-adv: stop tp_meter sessions during mesh teardown commit 3d3cf6a7314aca4df0a6dde28ce784a2a30d0166 upstream. TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues. Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") Cc: [email protected] Reported-by: Yuan Tan <[email protected]> Reported-by: Yifan Wu <[email protected]> Reported-by: Juefei Pu <[email protected]> Reported-by: Xin Liu <[email protected]> Co-developed-by: Luxing Yin <[email protected]> Signed-off-by: Luxing Yin <[email protected]> Signed-off-by: Jiexun Wang <[email protected]> Signed-off-by: Ren Wei <[email protected]> Signed-off-by: Sven Eckelmann <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sven Eckelmann <[email protected]> Date: Fri May 15 13:44:28 2026 +0200 batman-adv: tp_meter: fix tp_num leak on kmalloc failure commit ce425dd05d0fe7594930a0fb103634f35ac47bb6 upstream. When batadv_tp_start() or batadv_tp_init_recv() fail to allocate a new tp_vars object, the previously incremented bat_priv->tp_num counter is never decremented. This causes tp_num to drift upward on each allocation failure. Since only BATADV_TP_MAX_NUM sessions can be started and the count is never reduced for these failed allocations, it causes to an exhaustion of throughput meter sessions. In worst case, no new throughput meter session can be started until the mesh interface is removed. The error handling must decrement tp_num releasing the lock and aborting the creation of an throughput meter session Cc: [email protected] Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") [ Context ] Signed-off-by: Sven Eckelmann <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Damien Le Moal <[email protected]> Date: Thu May 14 11:52:20 2026 -0400 block: fix zone write plug removal [ Upstream commit b7d4ffb510373cc6ecf16022dd0e510a023034fb ] Commit 7b295187287e ("block: Do not remove zone write plugs still in use") modified disk_should_remove_zone_wplug() to add a check on the reference count of a zone write plug to prevent removing zone write plugs from a disk hash table when the plugs are still being referenced by BIOs or requests in-flight. However, this check does not take into account that a BIO completion may happen right after its submission by a zone write plug BIO work, and before the zone write plug BIO work releases the zone write plug reference count. This situation leads to disk_should_remove_zone_wplug() returning false as in this case the zone write plug reference count is at least equal to 3. If the BIO that completes in such manner transitioned the zone to the FULL condition, the zone write plug for the FULL zone will remain in the disk hash table. Furthermore, relying on a particular value of a zone write plug reference count to set the BLK_ZONE_WPLUG_UNHASHED flag is fragile as reading the atomic reference count and doing a comparison with some value is not overall atomic at all. Address these issues by reworking the reference counting of zone write plugs so that removing plugs from a disk hash table can be done directly from disk_put_zone_wplug() when the last reference on a plug is dropped. To do so, replace the function disk_remove_zone_wplug() with disk_mark_zone_wplug_dead(). This new function sets the zone write plug flag BLK_ZONE_WPLUG_DEAD (which replaces BLK_ZONE_WPLUG_UNHASHED) and drops the initial reference on the zone write plug taken when the plug was added to the disk hash table. This function is called either for zones that are empty or full, or directly in the case of a forced plug removal (e.g. when the disk hash table is being destroyed on disk removal). With this change, disk_should_remove_zone_wplug() is also removed. disk_put_zone_wplug() is modified to call the function disk_free_zone_wplug() to remove a zone write plug from a disk hash table and free the plug structure (with a call_rcu()), when the last reference on a zone write plug is dropped. disk_free_zone_wplug() always checks that the BLK_ZONE_WPLUG_DEAD flag is set. In order to avoid having multiple zone write plugs for the same zone in the disk hash table, disk_get_and_lock_zone_wplug() checked for the BLK_ZONE_WPLUG_UNHASHED flag. This check is removed and a check for the new BLK_ZONE_WPLUG_DEAD flag is added to blk_zone_wplug_handle_write(). With this change, we continue preventing adding multiple zone write plugs for the same zone and at the same time re-inforce checks on the user behavior by failing new incoming write BIOs targeting a zone that is marked as dead. This case can happen only if the user erroneously issues write BIOs to zones that are full, or to zones that are currently being reset or finished. Fixes: 7b295187287e ("block: Do not remove zone write plugs still in use") Cc: [email protected] Signed-off-by: Damien Le Moal <[email protected]> Reviewed-by: Christoph Hellwig <[email protected]> Reviewed-by: Johannes Thumshirn <[email protected]> Signed-off-by: Jens Axboe <[email protected]> [ dropped upstream blk_zone_set_cond() call and disk_zone_wplug_update_cond() context line ] Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: David Carlier <[email protected]> Date: Wed May 13 13:10:03 2026 -0400 Bluetooth: hci_conn: fix potential UAF in create_big_sync [ Upstream commit 0beddb0c380bed5f5b8e61ddbe14635bb73d0b41 ] Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete(). Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del(). hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way. Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del(). Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections") Cc: [email protected] Co-developed-by: Luiz Augusto von Dentz <[email protected]> Signed-off-by: Luiz Augusto von Dentz <[email protected]> Signed-off-by: David Carlier <[email protected]> Signed-off-by: Luiz Augusto von Dentz <[email protected]> [ kept stable's `qos->bcast.out.phy == 0x02` context line instead of upstream's renamed `qos->bcast.out.phys == BIT(1)` ] Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yochai Eisenrich <[email protected]> Date: Fri May 15 07:45:37 2026 -0400 btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak [ Upstream commit 973e57c726c1f8e77259d1c8e519519f1e9aea77 ] btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count. When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace. Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data. Fixes: 7fde62bffb57 ("Btrfs: buffer results in the space_info ioctl") CC: [email protected] # 3.0 Signed-off-by: Yochai Eisenrich <[email protected]> Reviewed-by: David Sterba <[email protected]> Signed-off-by: David Sterba <[email protected]> [ adapted upstream's `return -EFAULT;` to stable's `ret = -EFAULT;` fall-through to existing `out:` cleanup label ] Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Guangshuo Li <[email protected]> Date: Fri May 15 08:06:15 2026 -0400 btrfs: fix double free in create_space_info_sub_group() error path [ Upstream commit a7449edf96143f192606ec8647e3167e1ecbd728 ] When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group) Then control returns to create_space_info_sub_group(), where: btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group) Thus, sub_group is freed twice. Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup. Fixes: f92ee31e031c ("btrfs: introduce btrfs_space_info sub-group") CC: [email protected] # 6.18+ Reviewed-by: Qu Wenruo <[email protected]> Signed-off-by: Guangshuo Li <[email protected]> Signed-off-by: David Sterba <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Filipe Manana <[email protected]> Date: Fri May 15 08:06:14 2026 -0400 btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() [ Upstream commit 771af6ff72e0ed0eb8bf97e5ae4fa5094e0c5d1d ] We don't need it since we can grab fs_info from the given space_info. So remove the fs_info argument. Reviewed-by: Johannes Thumshirn <[email protected]> Signed-off-by: Filipe Manana <[email protected]> Reviewed-by: David Sterba <[email protected]> Signed-off-by: David Sterba <[email protected]> Stable-dep-of: a7449edf9614 ("btrfs: fix double free in create_space_info_sub_group() error path") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Mario Kleiner <[email protected]> Date: Sat Mar 21 06:20:33 2026 +0100 drm/amd/display: Change dither policy for 10 bpc output back to dithering commit d65bfb1782304b03862c8c725fac608015dffd36 upstream. Commit d5df648ec830 ("drm/amd/display: Change dither policy for 10bpc to round") degraded display of 12 bpc color precision output to 10 bpc sinks by switching 10 bpc output from dithering to "truncate to 10 bpc". I don't find the argumentation in that commit convincing, but the consequences highly unfortunate, especially for applications that require effective > 10 bpc precision output of > 10 bpc framebuffers. The argument wasn't something strong like "there are hardware design defects or limitations which require us to work around broken dithering to 10 bpc", or "there are some special use cases which do require truncation to 10 bpc", but essentially "at some point in the past we used truncation in Polaris/Vega times and it looks like it got inadvertently changed for Navi, so let's do that again". I couldn't find evidence for that in the git commit logs for this. The commit message also acknowledges that using dithering "...makes some sense for FP16... ...but not for ARGB2101010 surfaces..." The problem with this is that it makes fp16 surfaces, and especially rgba16 fixed point surfaces, less useful. These are now well supported by Mesa 25.3 and later via OpenGL + EGL, Vulkan/WSI, and by OSS AMDVLK Vulkan/WSI/display, and also by GNOME 50 mutter under Wayland, and they used to provide more than 10 bpc effective precision at the output. Even for 8 or 10 bpc surfaces, the color pipeline behind the framebuffer, e.g., gamma tables, CTM, can be used for color correction and will benefit from an effective > 10 bpc output precision via dithering, retaining some precision that would get lost on the way through the pipeline, e.g., due to non-linear gamma functions. Scientific apps rely on this for > 10 bpc display precision. Truncating to 10 bpc, instead of dithering the pipeline internal 12 bpc precision down to 10 bpc, causes a serious loss of precision. This also creates the undesirable and slightly absurd situation that using a cheap monitor with only 8 bpc input and display panel will yield roughly 12 bpc precision via dithering from 12 -> 8 bpc, whereas investment into a more expensive monitor with 10 bpc input and native 10 bpc display will only yield 10 bpc, even if a fp16 or rgb16 framebuffer and/or a properly set up color pipeline (gamma tables, CTM's etc. with more than 10 bpc out precision) would allow effective 12 bpc precision output. Therefore this patch proposes reverting that commit and going back to dithering down to 10 bpc, consistent with the behaviour for 6 bpc or 8 bpc output. Successfully tested on AMD Polaris DCE 11.2 and Raven Ridge DCN 1.0 with a native 10 bpc capable monitor, outputting a RGBA16 unorm framebuffer and measuring resulting color precision with a photometer. No apparent visual artifacts or problems were observed, and effective precision was measured to be 12 bpc again, as expected. Fixes: d5df648ec830 ("drm/amd/display: Change dither policy for 10bpc to round") Signed-off-by: Mario Kleiner <[email protected]> Tested-by: Mario Kleiner <[email protected]> Cc: [email protected] Cc: Aric Cyr <[email protected]> Cc: Anthony Koo <[email protected]> Cc: Rodrigo Siqueira <[email protected]> Cc: Krunoslav Kovac <[email protected]> Cc: Alex Deucher <[email protected]> Reported-by: Mario Kleiner <[email protected]> Signed-off-by: Harry Wentland <[email protected]> Reviewed-by: Harry Wentland <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yang Wang <[email protected]> Date: Thu Apr 2 22:44:29 2026 -0400 drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x commit 504f0098ebd074ac8c0ce3471795d79f68e3d265 upstream. OverDriveTable.FanMinimumPwm and FeatureCtrlMask.PP_OD_FEATURE_FAN_LEGACY_BIT have a hard dependency. Invalid handling of this dependency leads to disabled thermal monitoring and temperature boundary validation. v2: squash in typo fix (Yang) Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3") Cc: [email protected] Signed-off-by: Yang Wang <[email protected]> Acked-by: Alex Deucher <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: John B. Moore <[email protected]> Date: Tue Apr 28 11:35:12 2026 -0500 drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ commit 7bbfb2559bcec39d1a4e1182d931a2046112c352 upstream. Remove the BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT) assertion from gfx_v9_0_ring_emit_fence_kiq(). The KIQ hardware supports 64-bit fence writes; the 32-bit writeback address constraint is an upper-layer convention, not a hardware limitation. The check serves no purpose and should not be present. Found by code inspection while investigating related BUG_ON assertions in the GFX and compute ring emission paths. Reviewed-by: Christian König <[email protected]> Signed-off-by: John B. Moore <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit 1b1101a46a426bb4328116bb5273c326a2780389) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Alex Deucher <[email protected]> Date: Mon Apr 27 11:38:58 2026 -0400 drm/amdgpu/pm: add missing revision check for CI commit 2a561b361b7681509710f3cfc3d95d54c87ac69f upstream. The ci_populate_all_memory_levels() workaround only applies to revision 0 SKUs. Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)") Reviewed-by: Timur Kristóf <[email protected]> Reviewed-by: Kent Russell <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit 1db15ba8f72f400bbad8ae0ce24fafc43429d4bd) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Alex Deucher <[email protected]> Date: Tue Apr 28 10:42:49 2026 -0400 drm/amdgpu/pm: align Hawaii mclk workaround with radeon commit 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d upstream. Align the hawaii mclk workaround with radeon and windows. Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)") Reviewed-by: Timur Kristóf <[email protected]> Reviewed-by: Kent Russell <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit 9649528b637f668c5af9f2b83ca4ad8576ae2121) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: John B. Moore <[email protected]> Date: Mon Apr 27 16:06:28 2026 -0500 drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission commit 78d2e624fa073c14970aa097adcf3ea31c157a66 upstream. sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread. Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace. The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it. Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)") Reviewed-by: Christian König <[email protected]> Signed-off-by: John B. Moore <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Benjamin Cheng <[email protected]> Date: Mon Mar 30 15:01:27 2026 -0400 drm/amdgpu/vce: Prevent partial address patches commit de2a02cc28d6d5d37db07d00a9a684c754a5fd74 upstream. In the case that only one of lo/hi is valid, the patching could result in a bad address written to in FW. Signed-off-by: Benjamin Cheng <[email protected]> Reviewed-by: Alex Deucher <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Benjamin Cheng <[email protected]> Date: Mon Apr 13 09:22:15 2026 -0400 drm/amdgpu/vcn3: Avoid overflow on msg bound check commit e6e9faba8100628990cccd13f0f044a648c303cf upstream. As pointed out by SDL, the previous condition may be vulnerable to overflow. Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg") Cc: SDL <[email protected]> Signed-off-by: Benjamin Cheng <[email protected]> Reviewed-by: Ruijing Dong <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10) Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Benjamin Cheng <[email protected]> Date: Tue Mar 24 16:25:56 2026 -0400 drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg commit b193019860d61e92da395eae2011f2f6716b182f upstream. Check bounds against the end of the BO whenever we access the msg. Signed-off-by: Benjamin Cheng <[email protected]> Reviewed-by: Christian König <[email protected]> Reviewed-by: Ruijing Dong <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Benjamin Cheng <[email protected]> Date: Mon Apr 13 09:22:15 2026 -0400 drm/amdgpu/vcn4: Avoid overflow on msg bound check commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream. As pointed out by SDL, the previous condition may be vulnerable to overflow. Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg") Cc: SDL <[email protected]> Signed-off-by: Benjamin Cheng <[email protected]> Reviewed-by: Ruijing Dong <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885) Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Benjamin Cheng <[email protected]> Date: Wed Mar 25 09:09:27 2026 -0400 drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg commit 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 upstream. Check bounds against the end of the BO whenever we access the msg. Signed-off-by: Benjamin Cheng <[email protected]> Reviewed-by: Christian König <[email protected]> Reviewed-by: Ruijing Dong <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Benjamin Cheng <[email protected]> Date: Tue Mar 24 16:42:05 2026 -0400 drm/amdgpu/vcn4: Prevent OOB reads when parsing IB commit 2444eb0ec8283f4a3845eb7febad378476e1ba3c upstream. Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks. Signed-off-by: Benjamin Cheng <[email protected]> Acked-by: Christian König <[email protected]> Reviewed-by: Ruijing Dong <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Benjamin Cheng <[email protected]> Date: Wed Mar 25 08:39:19 2026 -0400 drm/amdgpu: Add bounds checking to ib_{get,set}_value commit 66085e206431ef88ce36f53c1f53d570790ccc9e upstream. The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values. Also make the idx a uint32_t to prevent overflows causing the condition to fail. Signed-off-by: Benjamin Cheng <[email protected]> Reviewed-by: Christian König <[email protected]> Reviewed-by: Ruijing Dong <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Timur Kristóf <[email protected]> Date: Sun Jan 18 13:57:46 2026 +0100 drm/amdgpu: Fix validating flush_gpu_tlb_pasid() commit e3a6eff92bbd960b471966d9afccb4d584546d17 upstream. When a function holds a lock and we return without unlocking it, it deadlocks the kernel. We should always unlock before returning. This commit fixes suspend/resume on SI. Tested on two Tahiti GPUs: FirePro W9000 and R9 280X. Fixes: f4db9913e4d3 ("drm/amdgpu: validate the flush_gpu_tlb_pasid()") Reported-by: kernel test robot <[email protected]> Reported-by: Dan Carpenter <[email protected]> Closes: https://lore.kernel.org/r/[email protected]/ Signed-off-by: Timur Kristóf <[email protected]> Signed-off-by: Prike Liang <[email protected]> Reviewed-by: Prike Liang <[email protected]> Reviewed-by: Christian König <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Chenglei Xie <[email protected]> Date: Tue Apr 7 10:51:24 2026 -0400 drm/amdgpu: gate VM CPU HDP flush on reset lock commit ddda81c4d7e71e41b1be91d921fd85747eddbd12 upstream. During GPU reset, the application could still run CPU page table updates. Each commit called amdgpu_device_flush_hdp(), which on SR-IOV sends work through the KIQ ring. That can advance sync_seq while the GPU is being reset, leaving fence writeback out of sync and causing amdgpu_fence_emit_polling() to time out on later KIQ use. Fix: amdgpu_vm_cpu_commit(): Reset will flush HDP anyway, the HDP flush in amdgpu_vm_cpu_commit() can be skipped when a reset is ongoging. Take reset_domain->sem with down_read_trylock() before amdgpu_device_flush_hdp(). If the reset path holds the write lock, skip the HDP flush so no HDP-related HW access (including KIQ) runs during reset; state is re-established after reset. Signed-off-by: Chenglei Xie <[email protected]> Reviewed-by: Christian König <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Alex Deucher <[email protected]> Date: Mon Mar 16 11:04:46 2026 -0400 drm/amdgpu: rework how we handle TLB fences commit 69c5fbd2b93b5ced77c6e79afe83371bca84c788 upstream. Add a new VM flag to indicate whether or not we need a TLB fence. Userqs (KFD or KGD) require a TLB fence. A TLB fence is not strictly required for kernel queues, but it shouldn't hurt. That said, enabling this unconditionally should be fine, but it seems to tickle some issues in KIQ/MES. Only enable them for KFD, or when KGD userq queues are enabled (currently via module parameter). Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4798 Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4749 Fixes: f3854e04b708 ("drm/amdgpu: attach tlb fence to the PTs update") Cc: Christian König <[email protected]> Cc: Prike Liang <[email protected]> Reviewed-by: Prike Liang <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ramalingeswara Reddy, Kanala <[email protected]> Date: Tue Mar 31 17:23:22 2026 +0530 drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count. commit 574b3b14f7d1b329fc6e67b79328f0e6f4d4b3d4 upstream. Define and use regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0 and regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0 for TSC upper and lower count. Acked-by: Alex Deucher <[email protected]> Reviewed-by: Pratik Vishwakarma <[email protected]> Signed-off-by: Ramalingeswara Reddy, Kanala <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Prike Liang <[email protected]> Date: Tue Jan 6 17:00:57 2026 +0800 drm/amdgpu: validate the flush_gpu_tlb_pasid() commit f4db9913e4d3dabe9ff3ea6178f2c1bc286012b8 upstream. Validate flush_gpu_tlb_pasid() availability before flushing tlb. Signed-off-by: Prike Liang <[email protected]> Reviewed-by: Christian König <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Philip Yang <[email protected]> Date: Mon Apr 27 09:30:23 2026 -0400 drm/amdgpu: zero-initialize GART table on allocation commit e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 upstream. GART TLB is flushed after unmapping but not after mapping. Since amdgpu_bo_create_kernel() does not zero-initialize the buffer, when a single PTE is written the TLB may speculatively load other uninitialized entries from the same cacheline. Those garbage entries can appear valid, and a subsequent write to another PTE in the same cacheline may cause the GPU to use a stale garbage PTE from the TLB. Fix this by calling memset_io() to zero-initialize the GART table with gart_pte_flags immediately after allocation. Using AMDGPU_GEM_CREATE_VRAM_CLEARED, SDMA-based clear will not work since SDMA needs GART to be initialized to work. Suggested-by: Felix Kuehling <[email protected]> Signed-off-by: Philip Yang <[email protected]> Reviewed-by: Christian König <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit d9af8263b82b6eaa60c5718e0c6631c5037e4b24) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Alysa Liu <[email protected]> Date: Mon Mar 30 10:50:07 2026 -0400 drm/amdkfd: Add upper bound check for num_of_nodes commit 74b73fa56a395d46745e4f245225963e9f8be7f1 upstream. drm/amdkfd: Add upper bound check for num_of_nodes in kfd_ioctl_get_process_apertures_new. Reviewed-by: Harish Kasiviswanathan <[email protected]> Signed-off-by: Alysa Liu <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit 98ff46a5ea090c14d2cdb4f5b993b05d74f3949f) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Amir Shetaia <[email protected]> Date: Fri Apr 10 10:38:13 2026 -0400 drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure commit ad52d61d82181dbdb7f05826de38352d5e550cc2 upstream. KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels. The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers. This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake. Signed-off-by: Amir Shetaia <[email protected]> Reviewed-by: Christian König <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Felix Kuehling <[email protected]> Date: Mon Apr 20 11:55:57 2026 -0400 drm/amdkfd: Make all TLB-flushes heavy-weight commit 9b4e3495d1bd2469bf94b74930c153c2d534ddb7 upstream. With only one sequence number we cannot track the need for legacy vs heavy-weight flushes reliably. Always use heavy-weight. Signed-off-by: Felix Kuehling <[email protected]> Reviewed-by: Philip Yang <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit c1a3ff1d327820cd9a52bc1056b98681fc088949) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Alysa Liu <[email protected]> Date: Tue Apr 21 10:18:28 2026 -0400 drm/amdkfd: validate SVM ioctl nattr against buffer size commit 045e0ff208f0838a246c10204105126611b267a1 upstream. Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count. Reviewed-by: Amir Shetaia <[email protected]> Signed-off-by: Alysa Liu <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sasha Finkelstein <[email protected]> Date: Mon Apr 20 14:17:43 2026 +0200 drm/appletbdrm: Use kvzalloc for big allocations commit aaaa684bab1f6d9ecfc49db328facb1771fd0eb2 upstream. This driver is attached to a ~2000x80 screen, which is a lot more than a single page. This causes out of memory errors in some rare cases. Reported-by: soopyc <[email protected]> Closes: https://github.com/t2linux/fedora/issues/51 Signed-off-by: Sasha Finkelstein <[email protected]> Signed-off-by: Thomas Zimmermann <[email protected]> Reviewed-by: Aditya Garg <[email protected]> Reviewed-by: Thomas Zimmermann <[email protected]> Fixes: 0670c2f56e45 ("drm/tiny: add driver for Apple Touch Bars in x86 Macs") Cc: <[email protected]> # v6.15+ Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Kory Maincent (TI) <[email protected]> Date: Tue Apr 28 11:04:56 2026 +0200 drm/bridge: tda998x: Use __be32 for audio port OF property pointer commit 2a46a9356ba7b1bdd741c8b41e5374edcd960557 upstream. of_get_property() returns a pointer to big-endian (__be32) data, but port_data in tda998x_get_audio_ports() was declared as const u32 *, causing a sparse endianness type mismatch warning. Fix the declaration to use const __be32 *. Fixes: 7e567624dc5a4 ("drm/i2c: tda998x: Register ASoC hdmi-codec and add audio DT binding") Cc: [email protected] Signed-off-by: Kory Maincent (TI) <[email protected]> Reviewed-by: Russell King (Oracle) <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Luca Ceresoli <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Osama Abdelkader <[email protected]> Date: Thu Apr 23 22:06:20 2026 +0200 drm/exynos: remove bridge when component_add fails commit 26f6654a9a60eb4d241f42a0ec85412e8821480b upstream. Use devm_drm_bridge_add() so the bridge is released if probe fails after registration, and drop the manual drm_bridge_remove() in remove(). Check the return value of devm_drm_bridge_add(). Signed-off-by: Osama Abdelkader <[email protected]> Fixes: 576d72fbfb45 ("drm/exynos: mic: add a bridge at probe") Cc: [email protected] Reviewed-by: Raphaël Gallais-Pou <[email protected]> Reviewed-by: Luca Ceresoli <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Luca Ceresoli <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ashutosh Desai <[email protected]> Date: Mon Apr 20 01:36:37 2026 +0000 drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream. drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division: unsigned int width = mode_cmd->width / (i ? info->hsub : 1); unsigned int height = mode_cmd->height / (i ? info->vsub : 1); However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations. For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds. Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check(). Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library") Cc: [email protected] # v4.14+ Reviewed-by: Thomas Zimmermann <[email protected]> Signed-off-by: Ashutosh Desai <[email protected]> Signed-off-by: Thomas Zimmermann <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Matthew Brost <[email protected]> Date: Fri Jan 30 11:49:27 2026 -0800 drm/gpusvm: Force unmapping on error in drm_gpusvm_get_pages commit 556dba95473900073a6c03121361c11f646dc551 upstream. drm_gpusvm_get_pages() only sets the local flags prior to committing the pages. If an error occurs mid-mapping, has_dma_mapping will be clear, causing the unmap function to skip unmapping pages that were successfully mapped before the error. Fix this by forcibly setting has_dma_mapping in the error path to ensure all previously mapped pages are properly unmapped. Fixes: 99624bdff867 ("drm/gpusvm: Add support for GPU Shared Virtual Memory") Cc: [email protected] Signed-off-by: Matthew Brost <[email protected]> Reviewed-by: Francois Dugast <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jouni Högander <[email protected]> Date: Mon Apr 13 14:23:45 2026 +0300 drm/i915/psr: Init variable to avoid early exit from et alignment loop commit 314f6179e370988ac00dadf373a4f6166eb3db15 upstream. Uninitialized boolean variable may cause unwanted exit from et alignment loop. Fix this by initializing it as false. Fixes: 1be2fca84f52 ("drm/i915/psr: Repeat Selective Update area alignment") Cc: <[email protected]> # v6.9+ Signed-off-by: Jouni Högander <[email protected]> Reviewed-by: Nemesa Garg <[email protected]> Reported-by: Dan Carpenter <[email protected]> Reviewed-by: Andi Shyti <[email protected]> Link: https://patch.msgid.link/[email protected] (cherry picked from commit 289678a90b8cf81e3514c9d6c667235cd39c7acf) Signed-off-by: Tvrtko Ursulin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Marek Vasut <[email protected]> Date: Sat Jan 10 18:14:10 2026 +0100 drm/imx: parallel-display: Prefer bus format set via legacy "interface-pix-fmt" DT property commit cdf26e1462c220629bb79d487263b66f8b679eab upstream. Prefer bus format set via legacy "interface-pix-fmt" DT property over panel bus format. This is necessary to retain support for DTs which configure the IPUv3 parallel output as 24bit DPI, but connect 18bit DPI panels to it with hardware swizzling. This used to work up to Linux 6.12, but stopped working in 6.13, reinstate the behavior to support old DTs. Cc: [email protected] Fixes: 5f6e56d3319d ("drm/imx: parallel-display: switch to drm_panel_bridge") Signed-off-by: Marek Vasut <[email protected]> Reviewed-by: Philipp Zabel <[email protected]> Signed-off-by: Philipp Zabel <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Yasuaki Torimaru <[email protected]> Date: Wed Mar 25 20:46:34 2026 +0900 drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() commit 47cbfe2608314b833ad61a65827d8fb363bc2d2d upstream. msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not. Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call. Add the missing NULL check for kmemdup() and return ret instead of 0. Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret. Fixes: 9902cb999e4e ("drm/msm/gem: Add metadata") Cc: [email protected] Signed-off-by: Yasuaki Torimaru <[email protected]> Patchwork: https://patchwork.freedesktop.org/patch/714478/ Message-ID: <[email protected]> Signed-off-by: Rob Clark <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Krzysztof Kozlowski <[email protected]> Date: Wed Mar 11 20:16:21 2026 +0100 drm/msm/hdmi: Fix wrong CTRL1 register used in writing info frames commit 8c6c93b7db42d15c6e8c2540a648d32986a04b1a upstream. Commit 384d2b03d0a1 ("drm/msm/hdmi: make use of the drm_connector_hdmi framework") changed the unconditional register writes in few places to updates: read, apply mask, write. The new code reads REG_HDMI_INFOFRAME_CTRL1 register, applies fields/mask for HDMI_INFOFRAME_CTRL0 register and finally writes to HDMI_INFOFRAME_CTRL0. This difference between CTRL1 and CTRL0 looks unintended and may result in wrong data being written to HDMI bridge registers. Cc: <[email protected]> Fixes: 384d2b03d0a1 ("drm/msm/hdmi: make use of the drm_connector_hdmi framework") Signed-off-by: Krzysztof Kozlowski <[email protected]> Reviewed-by: Dmitry Baryshkov <[email protected]> Patchwork: https://patchwork.freedesktop.org/patch/711156/ Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Dmitry Baryshkov <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Anna Maniscalco <[email protected]> Date: Tue Feb 10 17:29:42 2026 +0100 drm/msm: always recover the gpu commit 01a0d6cd7032e9993feea19fadb03ef9d5b488f2 upstream. Previously, in case there was no more work to do, recover worker wouldn't trigger recovery and would instead rely on the gpu going to sleep and then resuming when more work is submitted. Recover_worker will first increment the fence of the hung ring so, if there's only one job submitted to a ring and that causes an hang, it will early out. There's no guarantee that the gpu will suspend and resume before more work is submitted and if the gpu is in a hung state it will stay in that state and probably trigger a timeout again. Just stop checking and always recover the gpu. Signed-off-by: Anna Maniscalco <[email protected]> Cc: [email protected] Patchwork: https://patchwork.freedesktop.org/patch/704066/ Message-ID: <[email protected]> Signed-off-by: Rob Clark <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Icenowy Zheng <[email protected]> Date: Sun May 3 17:17:08 2026 +0800 drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds commit 570cf799e87ae805eacfab3b4ba66676b5fccdb6 upstream. When preparing the panel, it seems that it always expects commands to be transferred in LP mode. However, the disable function removes the MIPI_DSI_MODE_LPM flag, and no other function re-adds it. As the unprepare function contains no DSI commands, re-adding the flag just after disabling the panel should be safe. Add the code re-adding the flag after the two commands for disabling the panel are sent. This fixes error messages shown in kernel log when unblanking on mt8183-kukui-kodama-sku32 device. Cc: [email protected] Fixes: a869b9db7adf ("drm/panel: support for boe tv101wum-nl6 wuxga dsi video mode panel") Signed-off-by: Icenowy Zheng <[email protected]> Reviewed-by: Neil Armstrong <[email protected]> Reviewed-by: Douglas Anderson <[email protected]> Signed-off-by: Neil Armstrong <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Icenowy Zheng <[email protected]> Date: Sun Apr 26 00:57:51 2026 +0800 drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds commit 2d4e80271f784aa0c7b17676e9762c7e8156be1c upstream. When preparing the panel, it seems that it always expects commands to be transferred in LP mode. However, the disable function removes the MIPI_DSI_MODE_LPM flag, and no other function re-adds it. As the unprepare function contains no DSI commands, re-adding the flag just after disabling the panel should be safe. Add the code re-adding the flag after the two commands for disabling the panel are sent. This fixes screen unblanking (after blanking once) on mt8188-geralt-ciri-sku1 device. Cc: [email protected] # 6.11+ Fixes: 0ef94554dc40 ("drm/panel: himax-hx83102: Break out as separate driver") Signed-off-by: Icenowy Zheng <[email protected]> Reviewed-by: Neil Armstrong <[email protected]> Reviewed-by: Douglas Anderson <[email protected]> Signed-off-by: Neil Armstrong <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Alex Deucher <[email protected]> Date: Mon Apr 27 11:40:25 2026 -0400 drm/radeon: add missing revision check for CI commit 17223816498f7b117d138d18eb0eba63604dc74e upstream. The memory level workarounds only apply to revision 0 SKUs. Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 Fixes: 127e056e2a82 ("drm/radeon: fix mclk vddc configuration for cards for hawaii") Fixes: 21b8a369046f ("drm/radeon: fix dram timing for certain hawaii boards") Fixes: 90b2fee35cb9 ("drm/radeon: fix dpm mc init for certain hawaii boards") Reviewed-by: Timur Kristóf <[email protected]> Reviewed-by: Kent Russell <[email protected]> Signed-off-by: Alex Deucher <[email protected]> (cherry picked from commit 4d8dcc14311515077062b5740f39f427075de5c9) Cc: [email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Shixiong Ou <[email protected]> Date: Fri Apr 24 20:44:27 2026 +0800 drm/udl: Increase GET_URB_TIMEOUT commit ac2c996675755c725a0065dbe3e2ebffded9080b upstream. [WHY] A situation has occurred where udl_handle_damage() executed successfully and the kernel log appears normal, but the display fails to show any output. This is because the call to udl_get_urb() in udl_crtc_helper_atomic_enable() failed without generating any error message. [HOW] 1. Increase timeout of getting urb. 2. Add error messages when calling udl_get_urb() failed in udl_crtc_helper_atomic_enable(). Signed-off-by: Shixiong Ou <[email protected]> Reviewed-by: Thomas Zimmermann <[email protected]> Fixes: 5320918b9a87 ("drm/udl: initial UDL driver (v4)") Signed-off-by: Thomas Zimmermann <[email protected]> Cc: <[email protected]> # v3.4+ Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Shuicheng Lin <[email protected]> Date: Wed Apr 8 17:52:53 2026 +0000 drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked() commit 1d0adf2fd94fb0c0037c643fadd8f2cf3cffc009 upstream. When XE_BO_FLAG_GGTT_ALL is set without XE_BO_FLAG_GGTT, the function returns an error without freeing a caller-provided bo, violating the documented contract that bo is freed on failure. Add xe_bo_free(bo) before returning the error. Fixes: 5a3b0df25d6a ("drm/xe: Allow bo mapping on multiple ggtts") Cc: [email protected] Assisted-by: Claude:claude-opus-4.6 Reviewed-by: Matthew Brost <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Shuicheng Lin <[email protected]> (cherry picked from commit 3fbd6cf43cac7b60757f3ce3d95195d3843a902c) Signed-off-by: Rodrigo Vivi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Shuicheng Lin <[email protected]> Date: Wed Apr 8 17:52:52 2026 +0000 drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked() commit 09a8f3c1c11977a6e10c167f26dd298790b31c32 upstream. When type is ttm_bo_type_device and aligned_size != size, the function returns an error without freeing a caller-provided bo, violating the documented contract that bo is freed on failure. Add xe_bo_free(bo) before returning the error. Fixes: 4e03b584143e ("drm/xe/uapi: Reject bo creation of unaligned size") Cc: [email protected] Assisted-by: Claude:claude-opus-4.6 Reviewed-by: Matthew Brost <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Shuicheng Lin <[email protected]> (cherry picked from commit 601c2aa087b6f21014300a3f107a08ee4dde7bdf) Signed-off-by: Rodrigo Vivi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jia Yao <[email protected]> Date: Fri Apr 17 05:59:16 2026 +0000 drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise commit 4e5591c2fc1b30f4ea5e2eab4c3a695acc404e39 upstream. Add validation in xe_vm_madvise_ioctl() to reject PAT indices with XE_COH_NONE coherency mode when applied to CPU cached memory. Using coh_none with CPU cached buffers is a security issue. When the kernel clears pages before reallocation, the clear operation stays in CPU cache (dirty). GPU with coh_none can bypass CPU caches and read stale sensitive data directly from DRAM, potentially leaking data from previously freed pages of other processes. This aligns with the existing validation in vm_bind path (xe_vm_bind_ioctl_validate_bo). v2(Matthew brost) - Add fixes - Move one debug print to better place v3(Matthew Auld) - Should be drm/xe/uapi - More Cc v4(Shuicheng Lin) - Fix kmem leak issues by the way v5 - Remove kmem leak because it has been merged by another patch v6 - Remove the fix which is not related to current fix v7 - No change v8 - Rebase v9 - Limit the restrictions to iGPU v10 - No change Fixes: ada7486c5668 ("drm/xe: Implement madvise ioctl for xe") Cc: <[email protected]> # v6.18+ Cc: Shuicheng Lin <[email protected]> Cc: Mathew Alwin <[email protected]> Cc: Michal Mrozek <[email protected]> Cc: Matthew Brost <[email protected]> Cc: Matthew Auld <[email protected]> Signed-off-by: Jia Yao <[email protected]> Reviewed-by: Matthew Auld <[email protected]> Acked-by: Michal Mrozek <[email protected]> Acked-by: José Roberto de Souza <[email protected]> Signed-off-by: Matthew Auld <[email protected]> Link: https://patch.msgid.link/[email protected] (cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a) Signed-off-by: Rodrigo Vivi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Shuicheng Lin <[email protected]> Date: Wed Apr 8 17:52:54 2026 +0000 drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure commit 93a528f67ce5095bcab46a69839eca97f43dd352 upstream. When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error. xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed. Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning. v2: Add comments to explain the free logic. Fixes: eb289a5f6cc6 ("drm/xe: Convert xe_dma_buf.c for exhaustive eviction") Cc: [email protected] Assisted-by: Claude:claude-opus-4.6 Reviewed-by: Matthew Brost <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Shuicheng Lin <[email protected]> (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9) Signed-off-by: Rodrigo Vivi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Shuicheng Lin <[email protected]> Date: Wed Apr 8 17:52:55 2026 +0000 drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() commit 111ab678471bf1f90d078d5513bb086b70596c3c upstream. When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Cc: [email protected] Assisted-by: Claude:claude-opus-4.6 Reviewed-by: Mattheq Brost <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Shuicheng Lin <[email protected]> (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51) Signed-off-by: Rodrigo Vivi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Francis, David <[email protected]> Date: Tue Apr 28 19:25:50 2026 +0000 drm: Set old handle to NULL before prime swap in change_handle commit 5e28b7b94408897e41c63477aabc9e1db439bc8c upstream. There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free. To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it. create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration. v2: cleanups of error paths Signed-off-by: David Francis <[email protected]> Co-authored-by: Dave Airlie <[email protected]> Reported-by: Puttimet Thammasaeng <[email protected]> Tested-by: Vitaly Prosyak <[email protected]> Cc: Simona Vetter <[email protected]> Cc: [email protected] Cc: Christian Koenig <[email protected]> Fixes: 53096728b8910 ("drm: Add DRM prime interface to reassign GEM handle") Signed-off-by: Dave Airlie <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Prasanna Kumar T S M <[email protected]> Date: Thu May 14 11:52:31 2026 -0400 EDAC/versalnet: Fix device name memory leak [ Upstream commit 8cf5dd235eff6008cb04c3d8064d2acfa90616f1 ] The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device. Thus leaking memory. Use a stack-local char array instead of using kzalloc() for name. Fixes: d5fe2fec6c40 ("EDAC: Add a driver for the AMD Versal NET DDR controller") Signed-off-by: Prasanna Kumar T S M <[email protected]> Signed-off-by: Borislav Petkov (AMD) <[email protected]> Cc: [email protected] Link: https://patch.msgid.link/[email protected] [ adapted fix from `init_one_mc()` helper to the equivalent loop in `init_versalnet()` using literal `32` instead of `MC_NAME_LEN` ] Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Thomas Zimmermann <[email protected]> Date: Thu May 14 13:58:45 2026 -0400 fbcon: Avoid OOB font access if console rotation fails [ Upstream commit e4ef723d8975a2694cc90733a6b888a5e2841842 ] Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example. Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer. v2: - fix typos in commit message Signed-off-by: Thomas Zimmermann <[email protected]> Fixes: 6cc50e1c5b57 ("[PATCH] fbcon: Console Rotation - Add support to rotate font bitmap") Cc: [email protected] # v2.6.15+ Link: https://elixir.bootlin.com/linux/v6.19/source/drivers/video/fbdev/core/fbcon_ccw.c#L144 # [1] Signed-off-by: Helge Deller <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Thomas Zimmermann <[email protected]> Date: Thu May 14 13:58:44 2026 -0400 fbcon: Rename struct fbcon_ops to struct fbcon_par [ Upstream commit a6adbbc4c32a016146e117b1e9e5242724a75e10 ] The type struct fbcon_ops contains fbcon state and callbacks. As the callbacks will be removed from struct fbcon_ops, rename the data type to struct fbcon_par. Also rename the variables from ops to par. The _par postfix ("private access registers") is used throughout the fbdev subsystem for per-driver state. The fbcon pointer within struct fb_info is also named fbcon_par. Hence, the new naming fits existing practice. v2: - rename struct fbcon_ops to struct fbcon_par - fix build for CONFIG_FB_TILEBITTING=n (kernel test robot) - fix indention Signed-off-by: Thomas Zimmermann <[email protected]> Reviewed-by: Sam Ravnborg <[email protected]> Link: https://lore.kernel.org/r/[email protected] Stable-dep-of: e4ef723d8975 ("fbcon: Avoid OOB font access if console rotation fails") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sangyun Kim <[email protected]> Date: Mon Apr 20 14:13:17 2026 +0900 HID: appletb-kbd: fix UAF in inactivity-timer cleanup path commit 4db2af929279c799b5653a39eb0795c72baffca4 upstream. Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows. Window A -- put_device() before timer_delete_sync(): put_device(&kbd->backlight_dev->dev); timer_delete_sync(&kbd->inactivity_timer); The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory. Window B -- backlight cleanup before hid_hw_stop(): if (kbd->backlight_dev) { timer_delete_sync(...); put_device(...); } hid_hw_close(hdev); hid_hw_stop(hdev); Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late ".event" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference. That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight_device. Both windows produce the same KASAN slab-use-after-free: BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0 Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0 Call Trace: <IRQ> __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq handle_softirqs Allocated by task N: devm_backlight_device_register appletb_bl_probe Freed by task M: (concurrent hid_appletb_bl unbind path) Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that 1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup, guaranteeing no further .event callback can fire and re-arm the timer, and 2) inside the "if (kbd->backlight_dev)" block, timer_delete_sync() runs before put_device(), so the softirq is drained before the final reference is dropped. Fixes: 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe") Cc: [email protected] Signed-off-by: Sangyun Kim <[email protected]> Signed-off-by: Jiri Kosina <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sangyun Kim <[email protected]> Date: Mon Apr 20 14:13:18 2026 +0900 HID: appletb-kbd: run inactivity autodim from workqueues commit 1654e53349d4e657b331de354313461f401f5063 upstream. The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts: * appletb_inactivity_timer() is a struct timer_list callback, so it runs in softirq context. Every expiry triggers BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq * reset_inactivity_timer() is called from appletb_kbd_hid_event() and appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning. Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue: * Convert the inactivity timer from struct timer_list to struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal. * Add a dedicated struct work_struct restore_brightness_work and have reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly. Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop. The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer". Fixes: 93a0fc489481 ("HID: hid-appletb-kbd: add support for automatic brightness control while using the touchbar") Cc: [email protected] Signed-off-by: Sangyun Kim <[email protected]> Signed-off-by: Jiri Kosina <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Tomasz Pakuła <[email protected]> Date: Sun May 10 14:23:52 2026 +0200 HID: pidff: Fix integer overflow in pidff_rescale commit 48d1677779ad6816978ad4a4f7588aec5ec960fe upstream. Rescaling values close to the max (U16_MAX) temporarily creates values that exceed the s32 range. This caused value overflow in case when, for example, a periodic effect phase was higer than 180 degrees. In turn, rescale function could return values outised of the logical range of the HID field. Fix by using 64 bit signed integer to store the value during calculation but still return only 32 bit integer. Closes: https://github.com/JacKeTUs/universal-pidff/issues/116 Fixes: 224ee88fe395 ("Input: add force feedback driver for PID devices") Cc: [email protected] Signed-off-by: Tomasz Pakuła <[email protected]> Signed-off-by: Jiri Kosina <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: T.J. Mercier <[email protected]> Date: Fri Apr 17 08:47:02 2026 -0700 HID: playstation: Clamp num_touch_reports commit cac61b58a3b6340c52afa06bb15eac033158db2f upstream. A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array. Fixes: 752038248808 ("HID: playstation: add DualShock4 touchpad support.") Cc: [email protected] Reported-by: Xingyu Jin <[email protected]> Signed-off-by: T.J. Mercier <[email protected]> Signed-off-by: Jiri Kosina <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Pavel Begunkov <[email protected]> Date: Mon Mar 23 12:43:57 2026 +0000 io_uring/zcrx: use guards for locking commit 898ad80d1207cbdb22b21bafb6de4adfd7627bd0 upstream. Convert last several places using manual locking to guards to simplify the code. Signed-off-by: Pavel Begunkov <[email protected]> Link: https://patch.msgid.link/eb4667cfaf88c559700f6399da9e434889f5b04a.1774261953.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <[email protected]> Signed-off-by: Harshit Mogalapalli <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Pavel Begunkov <[email protected]> Date: Tue Apr 21 09:45:29 2026 +0100 io_uring/zcrx: warn on freelist violations commit 770594e78c3964cf23cf5287f849437cdde9b7d0 upstream. The freelist is appropriately sized to always be able to take a free niov, but let's be more defensive and check the invariant with a warning. That should help to catch any double-free issues. Suggested-by: Kai Aizen <[email protected]> Signed-off-by: Pavel Begunkov <[email protected]> Link: https://patch.msgid.link/2f3cea363b04649755e3b6bb9ab66485a95936d5.1776760901.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <[email protected]> Signed-off-by: Harshit Mogalapalli <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Greg Kroah-Hartman <[email protected]> Date: Sun May 17 17:15:37 2026 +0200 Linux 6.18.32 Link: https://lore.kernel.org/r/[email protected] Tested-by: Florian Fainelli <[email protected]> Tested-by: Pavel Machek (CIP) <[email protected]> Tested-by: Shuah Khan <[email protected]> Tested-by: Miguel Ojeda <[email protected]> Tested-by: Mark Brown <[email protected]> Tested-by: Brett A C Sheffield <[email protected]> Link: https://lore.kernel.org/r/[email protected] Tested-by: Brett A C Sheffield <[email protected]> Tested-by: Ron Economos <[email protected]> Tested-by: Peter Schneider <[email protected]> Tested-by: Miguel Ojeda <[email protected]> Tested-by: Wentao Guan <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Xianglai Li <[email protected]> Date: Mon May 4 09:00:37 2026 +0800 LoongArch: KVM: Compile switch.S directly into the kernel commit 5203012fa6045aac4b69d4e7c212e16dcf38ef10 upstream. If we directly compile the switch.S file into the kernel, the address of the kvm_exc_entry function will definitely be within the DMW memory area. Therefore, we will no longer need to perform a copy relocation of the kvm_exc_entry. So this patch compiles switch.S directly into the kernel, and then remove the copy relocation execution logic for the kvm_exc_entry function. Cc: [email protected] Signed-off-by: Xianglai Li <[email protected]> Signed-off-by: Huacai Chen <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ziyi Guo <[email protected]> Date: Sat Jan 31 22:19:07 2026 +0000 media: chips-media: wave5: add missing spinlock protection for handle_dynamic_resolution_change() commit cb8bdd3ffca280d014311ab395651d33f58a8708 upstream. Add spin_lock_irqsave()/spin_unlock_irqrestore() around the handle_dynamic_resolution_change() call in initialize_sequence() to fix the missing lock protection. initialize_sequence() calls handle_dynamic_resolution_change() without holding inst->state_spinlock. However, handle_dynamic_resolution_change() has lockdep_assert_held(&inst->state_spinlock) indicating that callers must hold this lock. Other callers of handle_dynamic_resolution_change() properly acquire the spinlock: - wave5_vpu_dec_finish_decode() - wave5_vpu_dec_device_run() Signed-off-by: Ziyi Guo <[email protected]> Reviewed-by: Nicolas Dufresne <[email protected]> Fixes: 9707a6254a8a6b ("media: chips-media: wave5: Add the v4l2 layer") Cc: [email protected] Signed-off-by: Nicolas Dufresne <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ziyi Guo <[email protected]> Date: Sat Jan 31 22:03:23 2026 +0000 media: chips-media: wave5: add missing spinlock protection for send_eos_event() commit f48050436746be75227fbc90066a8658cbe94d17 upstream. Add spin_lock_irqsave()/spin_unlock_irqrestore() around send_eos_event() calls in the VB2 buffer queue and streamoff callbacks to fix the missing lock protection. wave5_vpu_dec_buf_queue_dst() and streamoff_output() call send_eos_event() without holding inst->state_spinlock. However, send_eos_event() has lockdep_assert_held(&inst->state_spinlock) indicating that callers must hold this lock. Other callers of send_eos_event() properly acquire the spinlock: - wave5_vpu_dec_finish_decode() acquires lock at line 431 - wave5_vpu_dec_encoder_cmd() acquires lock at line 821 - wave5_vpu_dec_device_run() acquires lock at line 1592 Signed-off-by: Ziyi Guo <[email protected]> Reviewed-by: Nicolas Dufresne <[email protected]> Fixes: 9707a6254a8a6b ("media: chips-media: wave5: Add the v4l2 layer") Cc: [email protected] Signed-off-by: Nicolas Dufresne <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Haoxiang Li <[email protected]> Date: Sun Jan 25 22:19:15 2026 +0800 media: chips-media: wave5: fix a potential memory leak in wave5_vdi_init() commit 95bd174a453f77b09ea66e1e22834680754ba501 upstream. Add wave5_vdi_free_dma_memory() in the error path of wave5_vdi_init() to prevent a potential memory leak. Fixes: 45d1a2b93277 ("media: chips-media: wave5: Add vpuapi layer") Cc: [email protected] Signed-off-by: Haoxiang Li <[email protected]> Reviewed-by: Nicolas Dufresne <[email protected]> Signed-off-by: Nicolas Dufresne <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sergey Shtylyov <[email protected]> Date: Fri Feb 6 17:22:26 2026 +0300 media: dib8000: avoid division by 0 in dib8000_set_dds() commit dde3c37af95cd6fa301c4906f33d627bc9dd874c upstream. In dib8000_set_dds(), 1 << 26 (67108864) divided by e.g. 1 apparently can't fit into 16-bit variable unit_khz_dds_val, being truncated to 0; this will cause division by 0 while calling dprintk() with debugging enabled (via the module parameter). Use s32 instead of s16 to declare the variable, getting rid of the cast to u16 in the *else* branch as well... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Fixes: 173a64cb3fcf ("[media] dib8000: enhancement") Cc: [email protected] Signed-off-by: Sergey Shtylyov <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Cristian Ciocaltea <[email protected]> Date: Wed Mar 4 23:00:41 2026 +0200 media: dt-bindings: rockchip,vdec: Add alternative reg-names order for RK35{76,88} commit 35c8178ed2bd9821a75a406d762b2f2e161f9c70 upstream. With the introduction of the RK3588 SoC, and RK3576 afterwards, three register blocks have been provided for the video decoder unit instead of just one, which are further referenced in vendor's datasheet by 'link table', 'function' and 'cache'. The former is present at the top of the listing, starting at video decoder unit base address. However, while documenting RK3588, the binding broke the convention expecting the unit address to indicate the start of the primary register range, i.e. the 'function' block got listed before the 'link' one. Since the binding changes have been already released and a fix would bring up an ABI break, mark the current 'reg-names' ordering as deprecated and introduce an alternative 'link,function,cache' listing which follows the address-based ordering according to the TRM. Additionally, drop the 'reg' description items as the order is not fixed anymore, while the information they offer is not very relevant anyway. It's worth noting there are currently no (known) users impacted by these binding changes, since the video decoder support for the aforementioned SoCs in mainline driver and devicetrees hasn't been released yet - it landed in v7.0-rc1 while all DTS updates resulting from this will be handled before v7.0 is out. Fixes: c6ffb7e1fb90 ("media: dt-bindings: rockchip: Document RK3588 Video Decoder bindings") Fixes: a5c4a6526476 ("media: dt-bindings: rockchip: Add RK3576 Video Decoder bindings") Cc: [email protected] Reviewed-by: Nicolas Dufresne <[email protected]> Reviewed-by: Krzysztof Kozlowski <[email protected]> Signed-off-by: Cristian Ciocaltea <[email protected]> Signed-off-by: Nicolas Dufresne <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Cristian Ciocaltea <[email protected]> Date: Wed Mar 4 23:00:40 2026 +0200 media: dt-bindings: rockchip,vdec: Mark reg-names required for RK35{76,88} commit a11db8d8b403eba1f82728f440727128e9997edd upstream. The Rockchip Video Decoder driver expects reg-names to be mandatory for RK3576 and RK3588 SoCs, however the binding does not currently require the use of them. As a consequence, driver would fail to probe with a hypothetical devicetree that doesn't provide the reg-names for these SoCs, but which is otherwise a perfectly valid DT from the binding perspective. Update the binding and make reg-names required for the aforementioned SoCs. While this change introduces an ABI break, the expected impact on potential users would be minimal, if any, since the old SoCs are unaffected, while the video decoder support for these newer variants in mainline driver and devicetrees hasn't been released yet. Moreover, this is also a prerequisite for a subsequent binding update introducing an alternative reg-names order, according to the address-based listing in the vendor's datasheet. Reported-by: Conor Dooley <[email protected]> Closes: https://lore.kernel.org/all/20260227-urologist-gratitude-7984733f2d41@spud/ Fixes: c6ffb7e1fb90 ("media: dt-bindings: rockchip: Document RK3588 Video Decoder bindings") Fixes: a5c4a6526476 ("media: dt-bindings: rockchip: Add RK3576 Video Decoder bindings") Cc: [email protected] Signed-off-by: Cristian Ciocaltea <[email protected]> Acked-by: Conor Dooley <[email protected]> Reviewed-by: Nicolas Dufresne <[email protected]> Signed-off-by: Nicolas Dufresne <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jai Luthra <[email protected]> Date: Sat Feb 14 18:35:21 2026 +0530 media: i2c: imx283: Enter full standby when stopping streaming commit bce1349dbf6348ddee47308e2ed08878356de317 upstream. Use IMX283_STANDBY (bit 0) instead of IMX283_STBLOGIC (bit 1) when stopping streaming. STBLOGIC only puts the sensor logic into standby but leaves the MIPI interface (along with other components) in an indeterminate state. This (presumably) causes the CSI receiver (e.g. Raspberry Pi's CFE) to miss the LP-11 to HS transition when streaming restarts, resulting in a hang of 10+ seconds. The issue is most visible when immediately restarting a full-resolution stream after stopping a 3x3 binned one, so that runtime suspend hasn't yet been triggered. Writing IMX283_STANDBY puts the entire sensor into standby. The imx283_standby_cancel() sequence already handles the full wakeup from this suspended state. Cc: [email protected] Link: https://github.com/raspberrypi/linux/issues/7153 Link: https://github.com/will127534/OneInchEye/issues/12 Fixes: ccb4eb4496fa ("media: i2c: Add imx283 camera sensor driver") Signed-off-by: Jai Luthra <[email protected]> Tested-by: Kieran Bingham <[email protected]> Reviewed-by: Kieran Bingham <[email protected]> Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Jai Luthra <[email protected]> Date: Sat Feb 14 18:35:22 2026 +0530 media: i2c: imx283: Fix hang when going from large to small resolution commit 9206359b2c396ff594adf39bc7daaadab0fcb367 upstream. When switching between modes (e.g. full resolution to binned), standby_cancel() previously cleared XMSTA (starting master mode data output) before the new mode's MDSEL, crop, and timing registers were programmed in start_streaming(). This caused the sensor to briefly output MIPI data using the previous mode's configuration. On receivers like imx-mipi-csis, this leads to FIFO overflow errors when switching from a higher to a lower resolution, as the receiver is configured for the new smaller frame size but receives stale full-resolution data. Fix this by moving the XMSTA and SYNCDRV register writes from standby_cancel() to the end of start_streaming(), after all mode, crop, and timing registers have been configured. Also explicitly stop master mode (XMSTA=1) when stopping the stream, matching the pattern used by other Sony sensor drivers (imx290, imx415). Use named macros IMX283_XMSTA_START/STOP instead of raw 0/BIT(0) for readability. Cc: [email protected] Fixes: ccb4eb4496fa ("media: i2c: Add imx283 camera sensor driver") Signed-off-by: Jai Luthra <[email protected]> Tested-by: Kieran Bingham <[email protected]> Reviewed-by: Kieran Bingham <[email protected]> Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Wenmeng Liu <[email protected]> Date: Fri Jan 23 17:19:55 2026 +0800 media: i2c: imx412: Assert reset GPIO during probe commit 8467c5ff5acae28513bc1e0af535e06b41b04344 upstream. Assert the reset GPIO before first power up. This avoids a mismatch where the first power up (when the reset GPIO defaults deasserted) differs from subsequent cycles. Signed-off-by: Wenmeng Liu <[email protected]> Fixes: 9214e86c0cc1 ("media: i2c: Add imx412 camera sensor driver") Cc: [email protected] Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Matthias Fend <[email protected]> Date: Tue Mar 24 11:41:36 2026 +0100 media: i2c: ov08d10: fix image vertical start setting commit 5d150fa0f16096d736bd24d13e04495da5116fab upstream. The current settings for the "image vertical start" register appear to be incorrect. While this only results in an incorrect start line for native modes, this faulty setting causes actual problems in binning mode. At least on an i.MX8MP test system, only corrupted frames could be received. To correct this, the recommended settings from the reference register sets are used for all modes. Since this shifts the start by one line, the Bayer pattern also changes, which has also been corrected. Fixes: 7be91e02ed57 ("media: i2c: Add ov08d10 camera sensor driver") Cc: [email protected] Signed-off-by: Matthias Fend <[email protected]> Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Matthias Fend <[email protected]> Date: Tue Mar 24 11:41:35 2026 +0100 media: i2c: ov08d10: fix runtime PM handling in probe commit 35c7046be2be5e60be8128facb359a47f39e99cd upstream. Set the device's runtime PM status and enable runtime PM before registering the async sub-device. This is needed to avoid the case where the device is runtime PM resumed while runtime PM has not been enabled yet. Remove the related, non-driver-specific comment while at it. Fixes: 7be91e02ed57 ("media: i2c: Add ov08d10 camera sensor driver") Cc: [email protected] Reviewed-by: Philipp Zabel <[email protected]> Signed-off-by: Matthias Fend <[email protected]> Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Alexander Koskovich <[email protected]> Date: Thu Mar 12 17:16:20 2026 +0000 media: i2c: ov8856: free control handler on error in ov8856_init_controls() commit f75e160745663ce9b13362ae6e90bd439c58df69 upstream. The control handler wasn't freed if adding controls failed, add an error exit label and convert the existing error return to use it. Fixes: 879347f0c258 ("media: ov8856: Add support for OV8856 sensor") Cc: [email protected] Signed-off-by: Alexander Koskovich <[email protected]> Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ethan Tidmore <[email protected]> Date: Fri Mar 6 21:03:55 2026 -0600 media: intel/ipu6: fix error pointer dereference commit 8dd088b8b106f7b119664f965b691785998edcfb upstream. In a error path isp->psys is confirmed to be an error pointer not NULL so this condition is true and the error pointer is dereferenced. So isp-psys should be set to NULL before going to out_ipu6_bus_del_devices. Detected by Smatch: drivers/media/pci/intel/ipu6/ipu6.c:690 ipu6_pci_probe() error: 'isp->psys' dereferencing possible ERR_PTR() Fixes: 25fedc021985a ("media: intel/ipu6: add Intel IPU6 PCI device driver") Cc: [email protected] Signed-off-by: Ethan Tidmore <[email protected]> [Sakari Ailus: Fix commit message.] Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Thomas Fourier <[email protected]> Date: Fri Feb 13 10:13:27 2026 +0100 media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init() commit 4a49ae56b0e4268d48fd96babe0cc68596bc301a upstream. The core->iface_q_table_vaddr buffer is alloc'd with size queue_size but freed with sizeof(*q_tbl_hdr) which is different. Change the dma_free_attrs() size. Signed-off-by: Thomas Fourier <[email protected]> Reviewed-by: Dikshita Agarwal <[email protected]> Fixes: d7378f84e94e ("media: iris: introduce iris core state management with shared queues") Cc: [email protected] Signed-off-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Arnd Bergmann <[email protected]> Date: Thu Feb 5 15:56:19 2026 +0100 media: iris: fix QCOM_MDT_LOADER dependency commit a297c5165f91366cbc3490e630aabd1c0f70efb8 upstream. When build-testined with CONFIG_QCOM_MDT_LOADER=m and VIDEO_QCOM_IRIS=y, the kernel fails to link: x86_64-linux-ld: drivers/media/platform/qcom/iris/iris_firmware.o: in function `iris_fw_load': iris_firmware.c:(.text+0xb0): undefined reference to `qcom_mdt_get_size' iris_firmware.c:(.text+0xfd): undefined reference to `qcom_mdt_load' The problem is the conditional 'select' statement. Change this to make the driver built-in here regardless of CONFIG_ARCH_QCOM. Signed-off-by: Arnd Bergmann <[email protected]> Reviewed-by: Konrad Dybcio <[email protected]> Reviewed-by: Dikshita Agarwal <[email protected]> Reviewed-by: Bryan O'Donoghue <[email protected]> Fixes: d19b163356b8 ("media: iris: implement video firmware load/unload") Cc: [email protected] Signed-off-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Dikshita Agarwal <[email protected]> Date: Mon Feb 16 12:37:42 2026 +0530 media: iris: Fix use-after-free in iris_release_internal_buffers() commit f27cfdcfc916bb59297825805f4c3499f89f9e76 upstream. The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free. Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing. Reported-by: Dan Carpenter <[email protected]> Closes: https://lore.kernel.org/lkml/[email protected]/#r Signed-off-by: Dikshita Agarwal <[email protected]> Reviewed-by: Vikash Garodia <[email protected]> Fixes: 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") Cc: [email protected] Signed-off-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Guoniu Zhou <[email protected]> Date: Thu Mar 12 11:12:34 2026 +0800 media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0 commit 2f38622d0f85f317be9e6b131da6cd511db94fd2 upstream. Fix a hang issue when capturing a single frame with applications like cam in libcamera. It would hang waiting for the driver to complete the buffer, but streaming never starts because min_queued_buffers was set to 2. The ISI module uses a ping-pong buffer mechanism that requires two buffers to be programmed at all times. However, when fewer than 2 user buffers are available, the driver use internal discard buffers to fill the remaining slot(s). Reduce minimum queued buffers from 2 to 0 allows streaming to start without any queued buffers. Fixes: cf21f328fcaf ("media: nxp: Add i.MX8 ISI driver") Cc: [email protected] Signed-off-by: Guoniu Zhou <[email protected]> Reviewed-by: Laurent Pinchart <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Laurent Pinchart <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Haoxiang Li <[email protected]> Date: Mon Jan 26 09:44:12 2026 +0800 media: omap3isp: drop the use count of v4l2 pipeline commit 9da49bd9d4224035cff39b40d7395310abb10201 upstream. In isp_video_open(), drop the use count of v4l2 pipeline if vb2_queue_init() fails. Fixes: 8fd390b89cc8 ("media: Split v4l2_pipeline_pm_use into v4l2_pipeline_pm_{get, put}") Cc: [email protected] Signed-off-by: Haoxiang Li <[email protected]> Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Abdun Nihaal <[email protected]> Date: Thu Mar 12 18:02:56 2026 +0530 media: pci: zoran: fix potential memory leak in zoran_probe() commit 8ea21435fe36fb853706f4935d78bc11beb63fb4 upstream. The memory allocated for codec in videocodec_attach() is not freed in one of the error paths, due to an incorrect goto label. Fix the label to free it on error. Fixes: 8f7cc5c0b0eb ("media: staging: media: zoran: introduce zoran_i2c_init") Cc: [email protected] Signed-off-by: Abdun Nihaal <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Wenmeng Liu <[email protected]> Date: Fri Mar 13 18:13:04 2026 +0800 media: qcom: camss: Add missing clocks for VFE lite on sa8775p commit d31fac47b39f5e1ed85a587688ca70b793e421b4 upstream. Add missing required clocks (cpas_ahb and camnoc_axi) for VFE lite instances on sa8775p platform. These clocks are necessary for proper VFE lite operation: Reviewed-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Wenmeng Liu <[email protected]> Fixes: e7b59e1d06fb ("media: qcom: camss: Add support for VFE 690") Cc: [email protected] Signed-off-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Wenmeng Liu <[email protected]> Date: Fri Mar 13 18:13:03 2026 +0800 media: qcom: camss: Fix csid clock configuration for sa8775p commit fe56c674118aa46da1a3e65aa22ca709ebd7d812 upstream. Fix the mismatch between clock list and clock rate table for CSID lite instances. The current implementation has 5 clocks defined but only 2 are actually needed (vfe_lite_csid and vfe_lite_cphy_rx), while the clock rate table doesn't match this configuration. Update both clock list and rate table to maintain consistency: - Remove unused clocks: cpas_vfe_lite, vfe_lite_ahb, vfe_lite - Update clock rate table to match the remaining two clocks Signed-off-by: Wenmeng Liu <[email protected]> Reviewed-by: Bryan O'Donoghue <[email protected]> Fixes: ed03e99de0fa ("media: qcom: camss: Add support for CSID 690") Cc: [email protected] Signed-off-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Wenmeng Liu <[email protected]> Date: Fri Mar 13 18:13:02 2026 +0800 media: qcom: camss: Fix csid IRQ offset for sa8775p commit dd1b373941079cc102cc18bc68884e18245f5912 upstream. Fix BUF_DONE_IRQ_STATUS_RDI_OFFSET calculation for csid lite on sa8775p platform. The offset should be 0 for csid lite on sa8775p, Signed-off-by: Wenmeng Liu <[email protected]> Reviewed-by: Bryan O'Donoghue <[email protected]> Fixes: ed03e99de0fa ("media: qcom: camss: Add support for CSID 690") Cc: [email protected] Signed-off-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Dmitry Baryshkov <[email protected]> Date: Fri Mar 27 22:19:55 2026 +0200 media: qcom: iris: increase H265D_MAX_SLICE to fix H.265 decoding on SC7280 commit 3e0b2053751657ed2924adfe3ff25b1450231e33 upstream. Follow the commit bfe1326573ff ("venus: Fix for H265 decoding failure.") and increase H265D_MAX_SLICE following firmware requirements on that platform. Otherwise decoding of the H.265 streams fails with the "insufficient scratch_1 buffer size" from the firmware. Signed-off-by: Dmitry Baryshkov <[email protected]> Reviewed-by: Dikshita Agarwal <[email protected]> Reviewed-by: Vikash Garodia <[email protected]> Reviewed-by: Konrad Dybcio <[email protected]> [bod: Fixed commit log withthe => with the] Fixes: e1f5d32608ec ("media: iris: Add internal buffer calculation for HEVC and VP9 decoders") Cc: [email protected] Signed-off-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Oliver Neukum <[email protected]> Date: Wed Feb 11 19:06:21 2026 +0100 media: rc: streamzap: Error handling in probe commit 42844992664f03ef9f930e64f7370fa481e9c267 upstream. If submitting the URB fails, the device will be unusable. Probe() must fail. Fixes: 7a569f524dd36 ("V4L/DVB: IR/streamzap: functional in-kernel decoding") Cc: [email protected] Signed-off-by: Oliver Neukum <[email protected]> Signed-off-by: Sean Young <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Oliver Neukum <[email protected]> Date: Wed Feb 11 19:09:44 2026 +0100 media: rc: xbox_remote: heed DMA restrictions commit e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff upstream. The buffer for IO must not be part of the device structure because that violates the DMA coherency rules. Fixes: 02d32bdad3123 ("media: rc: add driver for Xbox DVD Movie Playback Kit") Cc: [email protected] Signed-off-by: Oliver Neukum <[email protected]> Signed-off-by: Sean Young <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Tomi Valkeinen <[email protected]> Date: Tue Jan 27 10:56:12 2026 +0200 media: renesas: vin: Fix RAW8 (again) commit 40c6da8a9c0f897f99a439330584d93ca7d41226 upstream. Commit e7376745ad5c ("media: rcar-vin: Fix stride setting for RAW8 formats") removed dividing the stride by two for RAW8 formats. It is unclear how this was tested, but in any of the recent tests this does not seem to work and produces quite distorted images. However, reverting the patch fixes the issues only partially. VNIS_REG requires alignment to 16 bytes, and when dividing the stride by 2, in some cases we end up with a non-aligned stride, producing a tilted image. This issue has to be fixed in rvin_format_bytesperline() where we do the alignment for bytesperline. Adding back the stride division and increasing the alignment for RAW8 formats to 0x20 fixes the problems related to RAW8. Fixes: e7376745ad5c ("media: rcar-vin: Fix stride setting for RAW8 formats") Cc: [email protected] Signed-off-by: Tomi Valkeinen <[email protected]> Reviewed-by: Niklas Söderlund <[email protected]> Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Tomi Valkeinen <[email protected]> Date: Thu Jan 15 11:22:35 2026 +0200 media: renesas: vsp1: Fix NULL pointer deref on module unload commit 58b1e9664d8f74d55d8411cc7a7b275a76a6f24f upstream. When unloading the module on gen 4, we hit a NULL pointer dereference. This is caused by the cleanup code calling vsp1_drm_cleanup() where it should be calling vsp1_vspx_cleanup(). Fix this by checking the IP version and calling the drm or vspx function accordingly, the same way as the init code does. Fixes: d06c1a9f348d ("media: vsp1: Add VSPX support") Cc: [email protected] Signed-off-by: Tomi Valkeinen <[email protected]> Reviewed-by: Kieran Bingham <[email protected]> Reviewed-by: Jacopo Mondi <[email protected]> Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Wang Jun <[email protected]> Date: Mon Mar 16 20:24:01 2026 +0800 media: saa7164: add ioremap return checks and cleanups commit d51c60a498e83c9a79884c8e420f97e3885c9583 upstream. Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV. This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures. Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon") Cc: [email protected] Signed-off-by: Wang Jun <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Michael Tretter <[email protected]> Date: Fri Nov 7 11:34:33 2025 +0100 media: staging: imx: request mbus_config in csi_start commit 9df2aaa64890c0b6226057eb6fcb6352bd2df432 upstream. Request the upstream mbus_config in csi_start, which starts the stream, instead of caching it in link_validate. This allows to get rid of the mbus_cfg field in the struct csi_priv and avoids state in the driver. Fixes: 4a34ec8e470c ("[media] media: imx: Add CSI subdev driver") Cc: [email protected] Reviewed-by: Frank Li <[email protected]> Signed-off-by: Michael Tretter <[email protected]> Reviewed-by: Philipp Zabel <[email protected]> Signed-off-by: Frank Li <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ricardo Ribalda <[email protected]> Date: Mon Mar 9 15:01:54 2026 +0000 media: uvcvideo: Enable VB2_DMABUF for metadata stream commit fbac03467e53d8d72e5099c03df26d9adae11416 upstream. The UVC driver has two video streams, one for the frames and another one for the metadata. Both streams share most of the codebase, but only the data stream declares support for DMABUF transfer mode. I have tried the DMABUF transfer mode with CONFIG_DMABUF_HEAPS_SYSTEM and the frames looked correct. This patch announces the support for DMABUF for the metadata stream. This is useful for apps/HALs that only want to support DMABUF. Cc: [email protected] Fixes: 088ead2552458 ("media: uvcvideo: Add a metadata device node") Signed-off-by: Ricardo Ribalda <[email protected]> Reviewed-by: Laurent Pinchart <[email protected]> Reviewed-by: Hans de Goede <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Laurent Pinchart <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Arnd Bergmann <[email protected]> Date: Mon Mar 30 12:08:21 2026 +0100 media: venus: fix QCOM_MDT_LOADER dependency commit aa23c94cc433b145d1ce93820ecdfe16d8940e28 upstream. When build-testined with CONFIG_QCOM_MDT_LOADER=m and VIDEO_QCOM_VENUS=y, the kernel fails to link: x86_64-linux-ld: drivers/media/platform/qcom/venus/firmware.o: in function `venus_boot': firmware.c:(.text+0x1e3): undefined reference to `qcom_mdt_get_size' firmware.c:(.text+0x25a): undefined reference to `qcom_mdt_load' firmware.c:(.text+0x272): undefined reference to `qcom_mdt_load_no_init' The problem is the conditional 'select' statement. Change this to make the driver built-in here regardless of CONFIG_ARCH_QCOM, same as for the similar IRIS driver. Signed-off-by: Arnd Bergmann <[email protected]> Reviewed-by: Konrad Dybcio <[email protected]> Reviewed-by: Dikshita Agarwal <[email protected]> Fixes: 0399b696f7f4 ("media: venus: fix compile-test build on non-qcom ARM platform") Cc: [email protected] Signed-off-by: Bryan O'Donoghue <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Janne Grunau <[email protected]> Date: Sun Feb 15 18:42:59 2026 +0100 media: videobuf2: Set vma_flags in vb2_dma_sg_mmap commit 7254b31a13aaa0c2c0f9ffbc335b718656117ff4 upstream. vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not see a reason why vb2_dma_sg should behave differently. This avoids hitting `WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));` in drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of tree Apple ISP camera capture driver which uses vb2_dma_sg_memops. gst-launch-1.0 v4l2src ! gtk4paintablesink [ 38.201528] ------------[ cut here ]------------ [ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210 [ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device uinput nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep nls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc hid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic cfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev aop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2 snd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor macsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi macsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3 snd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon apple_sart apple_dockchannel macsmc apple_rtkit_helper spmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses pinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core spi_apple [ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram [ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full) [ 38.219040] Tainted: [W]=WARN [ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) [ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210 [ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210 [ 38.222178] sp : ffffc0008dc678e0 [ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480 [ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968 [ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0 [ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968 [ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8 [ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff [ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8 [ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000 [ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038 [ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb [ 38.231488] Call trace: [ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P) [ 38.232342] drm_gem_mmap+0x140/0x260 [ 38.232813] __mmap_region+0x488/0x9a0 [ 38.233277] mmap_region+0xd0/0x148 [ 38.233703] do_mmap+0x350/0x5c0 [ 38.234148] vm_mmap_pgoff+0x14c/0x200 [ 38.234612] ksys_mmap_pgoff+0x150/0x208 [ 38.235107] __arm64_sys_mmap+0x34/0x50 [ 38.235611] invoke_syscall+0x50/0x120 [ 38.236075] el0_svc_common.constprop.0+0x48/0xf0 [ 38.236680] do_el0_svc+0x24/0x38 [ 38.237113] el0_svc+0x38/0x168 [ 38.237507] el0t_64_sync_handler+0xa0/0xe8 [ 38.238034] el0t_64_sync+0x198/0x1a0 [ 38.238491] ---[ end trace 0000000000000000 ]--- There were discussions in [1] at the end of 2023 that mmap() on imported dma-bufs should not be supported but as of v6.17 drm_gem_shmem_mmap() in drm_gem_shmem_helper.c still supports it. This might affect all gpu or accel drivers using drm_gem_shmem_mmap() or the wrapper drm_gem_shmem_object_mmap(). [1] https://lore.kernel.org/dri-devel/[email protected]/ Cc: [email protected] Fixes: 5ba3f757f059 ("[media] v4l: videobuf2: add DMA scatter/gather allocator") Signed-off-by: Janne Grunau <[email protected]> Acked-by: Marek Szyprowski <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: SeongJae Park <[email protected]> Date: Mon Apr 6 17:31:52 2026 -0700 mm/damon/core: disallow time-quota setting zero esz commit 8bbde987c2b84f80da0853f739f0a920386f8b99 upstream. When the throughput of a DAMOS scheme is very slow, DAMOS time quota can make the effective size quota smaller than damon_ctx->min_region_sz. In the case, damos_apply_scheme() will skip applying the action, because the action is tried at region level, which requires >=min_region_sz size. That is, the quota is effectively exceeded for the quota charge window. Because no action will be applied, the total_charged_sz and total_charged_ns are also not updated. damos_set_effective_quota() will try to update the effective size quota before starting the next charge window. However, because the total_charged_sz and total_charged_ns have not updated, the throughput and effective size quota are also not changed. Since effective size quota can only be decreased, other effective size quota update factors including DAMOS quota goals and size quota cannot make any change, either. As a result, the scheme is unexpectedly deactivated until the user notices and mitigates the situation. The users can mitigate this situation by changing the time quota online or re-install the scheme. While the mitigation is somewhat straightforward, finding the situation would be challenging, because DAMON is not providing good observabilities for that. Even if such observability is provided, doing the additional monitoring and the mitigation is somewhat cumbersome and not aligned to the intention of the time quota. The time quota was intended to help reduce the user's administration overhead. Fix the problem by setting time quota-modified effective size quota be at least min_region_sz always. The issue was discovered [1] by sashiko. Link: https://lore.kernel.org/[email protected] Link: https://lore.kernel.org/[email protected] [1] Fixes: 1cd243030059 ("mm/damon/schemes: implement time quota") Signed-off-by: SeongJae Park <[email protected]> Cc: <[email protected]> # 5.16.x Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: SeongJae Park <[email protected]> Date: Thu Jan 15 07:20:41 2026 -0800 mm/damon/core: implement damon_kdamond_pid() commit 4262c53236977de3ceaa3bf2aefdf772c9b874dd upstream. Patch series "mm/damon: hide kdamond and kdamond_lock from API callers". 'kdamond' and 'kdamond_lock' fields initially exposed to DAMON API callers for flexible synchronization and use cases. As DAMON API became somewhat complicated compared to the early days, Keeping those exposed could only encourage the API callers to invent more creative but complicated and difficult-to-debug use cases. Fortunately DAMON API callers didn't invent that many creative use cases. There exist only two use cases of 'kdamond' and 'kdamond_lock'. Finding whether the kdamond is actively running, and getting the pid of the kdamond. For the first use case, a dedicated API function, namely 'damon_is_running()' is provided, and all DAMON API callers are using the function for the use case. Hence only the second use case is where the fields are directly being used by DAMON API callers. To prevent future invention of complicated and erroneous use cases of the fields, hide the fields from the API callers. For that, provide new dedicated DAMON API functions for the remaining use case, namely damon_kdamond_pid(), migrate DAMON API callers to use the new function, and mark the fields as private fields. This patch (of 5): 'kdamond' and 'kdamond_lock' are directly being used by DAMON API callers for getting the pid of the corresponding kdamond. To discourage invention of creative but complicated and erroneous new usages of the fields that require careful synchronization, implement a new API function that can simply be used without the manual synchronizations. Link: https://lkml.kernel.org/r/[email protected] Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: SeongJae Park <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: SeongJae Park <[email protected]> Date: Sun Apr 19 09:10:01 2026 -0700 mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values commit b98b7ff6025ae82570d4915e083f0cbd8d48b3cf upstream. DAMON_LRU_SORT updates 'enabled' and 'kdamond_pid' parameter values, which represents the running status of its kdamond, when the user explicitly requests start/stop of the kdamond. The kdamond can, however, be stopped in events other than the explicit user request in the following three events. 1. ctx->regions_score_histogram allocation failure at beginning of the execution, 2. damon_commit_ctx() failure due to invalid user input, and 3. damon_commit_ctx() failure due to its internal allocation failures. Hence, if the kdamond is stopped by the above three events, the values of the status parameters can be stale. Users could show the stale values and be confused. This is already bad, but the real consequence is worse. DAMON_LRU_SORT avoids unnecessary damon_start() and damon_stop() calls based on the 'enabled' parameter value. And the update of 'enabled' parameter value depends on the damon_start() and damon_stop() call results. Hence, once the kdamond has stopped by the unintentional events, the user cannot restart the kdamond before the system reboot. For example, the issue can be reproduced via below steps. # cd /sys/module/damon_lru_sort/parameters # # # start DAMON_LRU_SORT # echo Y > enabled # ps -ef | grep kdamond root 806 2 0 17:53 ? 00:00:00 [kdamond.0] root 808 803 0 17:53 pts/4 00:00:00 grep kdamond # # # commit wrong input to stop kdamond withou explicit stop request # echo 3 > addr_unit # echo Y > commit_inputs bash: echo: write error: Invalid argument # # # confirm kdamond is stopped # ps -ef | grep kdamond root 811 803 0 17:53 pts/4 00:00:00 grep kdamond # # # users casn now show stable status # cat enabled Y # cat kdamond_pid 806 # # # even after fixing the wrong parameter, # # kdamond cannot be restarted. # echo 1 > addr_unit # echo Y > enabled # ps -ef | grep kdamond root 815 803 0 17:54 pts/4 00:00:00 grep kdamond The problem will only rarely happen in real and common setups for the following reasons. The allocation failures are unlikely in such setups since those allocations are arguably too small to fail. Also sane users on real production environments may not commit wrong input parameters. But once it happens, the consequence is quite bad. And the bug is a bug. The issue stems from the fact that there are multiple events that can change the status, and following all the events is challenging. Dynamically detect and use the fresh status for the parameters when those are requested. Link: https://lore.kernel.org/[email protected] Fixes: 40e983cca927 ("mm/damon: introduce DAMON-based LRU-lists Sorting") Co-developed-by: Liew Rui Yan <[email protected]> Signed-off-by: Liew Rui Yan <[email protected]> Signed-off-by: SeongJae Park <[email protected]> Cc: <[email protected]> # 6.0.x Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: SeongJae Park <[email protected]> Date: Sun Apr 19 09:10:00 2026 -0700 mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values commit 64a140afa5ed1c6f5ba6d451512cbdbbab1ba339 upstream. Patch series "mm/damon/modules: detect and use fresh status", v3. DAMON modules including DAMON_RECLAIM, DAMON_LRU_SORT and DAMON_STAT commonly expose the kdamond running status via their parameters. Under certain scenarios including wrong user inputs and memory allocation failures, those parameter values can be stale. It can confuse users. For DAMON_RECLAIM and DAMON_LRU_SORT, it even makes the kdamond unable to be restarted before the system reboot. The problem comes from the fact that there are multiple events for the status changes and it is difficult to follow up all the scenarios. Fix the issue by detecting and using the status on demand, instead of using a cached status that is difficult to be updated. Patches 1-3 fix the bugs in DAMON_RECLAIM, DAMON_LRU_SORT and DAMON_STAT in the order. This patch (of 3): DAMON_RECLAIM updates 'enabled' and 'kdamond_pid' parameter values, which represents the running status of its kdamond, when the user explicitly requests start/stop of the kdamond. The kdamond can, however, be stopped in events other than the explicit user request in the following three events. 1. ctx->regions_score_histogram allocation failure at beginning of the execution, 2. damon_commit_ctx() failure due to invalid user input, and 3. damon_commit_ctx() failure due to its internal allocation failures. Hence, if the kdamond is stopped by the above three events, the values of the status parameters can be stale. Users could show the stale values and be confused. This is already bad, but the real consequence is worse. DAMON_RECLAIM avoids unnecessary damon_start() and damon_stop() calls based on the 'enabled' parameter value. And the update of 'enabled' parameter value depends on the damon_start() and damon_stop() call results. Hence, once the kdamond has stopped by the unintentional events, the user cannot restart the kdamond before the system reboot. For example, the issue can be reproduced via below steps. # cd /sys/module/damon_reclaim/parameters # # # start DAMON_RECLAIM # echo Y > enabled # ps -ef | grep kdamond root 806 2 0 17:53 ? 00:00:00 [kdamond.0] root 808 803 0 17:53 pts/4 00:00:00 grep kdamond # # # commit wrong input to stop kdamond withou explicit stop request # echo 3 > addr_unit # echo Y > commit_inputs bash: echo: write error: Invalid argument # # # confirm kdamond is stopped # ps -ef | grep kdamond root 811 803 0 17:53 pts/4 00:00:00 grep kdamond # # # users casn now show stable status # cat enabled Y # cat kdamond_pid 806 # # # even after fixing the wrong parameter, # # kdamond cannot be restarted. # echo 1 > addr_unit # echo Y > enabled # ps -ef | grep kdamond root 815 803 0 17:54 pts/4 00:00:00 grep kdamond The problem will only rarely happen in real and common setups for the following reasons. The allocation failures are unlikely in such setups since those allocations are arguably too small to fail. Also sane users on real production environments may not commit wrong input parameters. But once it happens, the consequence is quite bad. And the bug is a bug. The issue stems from the fact that there are multiple events that can change the status, and following all the events is challenging. Dynamically detect and use the fresh status for the parameters when those are requested. Link: https://lore.kernel.org/[email protected] Link: https://lore.kernel.org/[email protected] Fixes: e035c280f6df ("mm/damon/reclaim: support online inputs update") Co-developed-by: Liew Rui Yan <[email protected]> Signed-off-by: Liew Rui Yan <[email protected]> Signed-off-by: SeongJae Park <[email protected]> Cc: <[email protected]> # 5.19.x Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Christian Brauner <[email protected]> Date: Thu May 14 11:08:19 2026 -0400 papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE() [ Upstream commit 6d3789d347a7af5c4b0b2da3af47b8d9da607ab2 ] Fixes a UAF for src_info as well. Link: https://patch.msgid.link/[email protected] Signed-off-by: Christian Brauner <[email protected]> Stable-dep-of: 7a4f0846ee6c ("pseries/papr-hvpipe: Fix race with interrupt handler") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Krishna Chomal <[email protected]> Date: Fri Apr 3 13:31:55 2026 +0530 platform/x86: hp-wmi: Ignore backlight and FnLock events commit e8c597368b8500a824c639bfb5ed0044068c6870 upstream. On HP OmniBook 7 the keyboard backlight and FnLock keys are handled directly by the firmware. However, they still trigger WMI events which results in "Unknown key code" warnings in dmesg. Add these key codes to the keymap with KE_IGNORE to silence the warnings since no software action is needed. Tested-by: Artem S. Tashkinov <[email protected]> Reported-by: Artem S. Tashkinov <[email protected]> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221181 Signed-off-by: Krishna Chomal <[email protected]> Link: https://patch.msgid.link/[email protected] Reviewed-by: Ilpo Järvinen <[email protected]> Signed-off-by: Ilpo Järvinen <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ritesh Harjani (IBM) <[email protected]> Date: Thu May 14 11:08:20 2026 -0400 pseries/papr-hvpipe: Fix race with interrupt handler [ Upstream commit 7a4f0846ee6cc8cf44ae0046ed42e3259d1dd45b ] While executing ->ioctl handler or ->release handler, if an interrupt fires on the same cpu, then we can enter into a deadlock. This patch fixes both these handlers to take spin_lock_irq{save|restore} versions of the lock to prevent this deadlock. Cc: [email protected] Fixes: 814ef095f12c9 ("powerpc/pseries: Add papr-hvpipe char driver for HVPIPE interfaces") Signed-off-by: Ritesh Harjani (IBM) <[email protected]> Signed-off-by: Madhavan Srinivasan <[email protected]> Link: https://patch.msgid.link/e4ed435c44fc191f2eb23c7907ba6f72f193e6aa.1777606826.git.ritesh.list@gmail.com Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed Apr 8 09:30:54 2026 +0200 regulator: act8945a: fix OF node reference imbalance commit 0d15ce31375ccef4162f960b34547a821b7619d2 upstream. The driver reuses the OF node of the parent multi-function device but fails to take another reference to balance the one dropped by the platform bus code when unbinding the MFD and deregistering the child devices. Fix this by using the intended helper for reusing OF nodes. Fixes: 38c09961048b ("regulator: act8945a: add regulator driver for ACT8945A") Cc: [email protected] # 4.6 Cc: Wenyou Yang <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed Apr 8 09:30:55 2026 +0200 regulator: bd9571mwv: fix OF node reference imbalance commit 8498100ee1d00422b8c5b161b3e332278b92a59a upstream. The driver reuses the OF node of the parent multi-function device but fails to take another reference to balance the one dropped by the platform bus code when unbinding the MFD and deregistering the child devices. Fix this by using the intended helper for reusing OF nodes. Fixes: e85c5a153fe2 ("regulator: Add ROHM BD9571MWV-M PMIC regulator driver") Cc: [email protected] # 4.12 Cc: Marek Vasut <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed Apr 8 09:30:49 2026 +0200 regulator: bq257xx: fix OF node reference imbalance commit 7ea07bc030d8d6395524dec22ff3267441a28c0d upstream. The driver reuses the OF node of the parent multi-function device but fails to take another reference to balance the one dropped by the platform bus code when unbinding the MFD and deregistering the child devices. Fix this by using the intended helper for reusing OF nodes. Fixes: 981dd162b635 ("regulator: bq257xx: Add bq257xx boost regulator driver") Cc: [email protected] # 6.18 Cc: Chris Morgan <[email protected]> Reviewed-by: Douglas Anderson <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed Apr 8 09:30:51 2026 +0200 regulator: max77650: fix OF node reference imbalance commit 2edaf5f7ada0ab5c9ec1f0836bd19779a8d85262 upstream. The driver reuses the OF node of the parent multi-function device but fails to take another reference to balance the one dropped by the platform bus code when unbinding the MFD and deregistering the child devices. Fix this by using the intended helper for reusing OF nodes. Fixes: bcc61f1c44fd ("regulator: max77650: add regulator support") Cc: [email protected] # 5.1 Reviewed-by: Bartosz Golaszewski <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed Apr 8 09:30:52 2026 +0200 regulator: mt6357: fix OF node reference imbalance commit 2f38e96c273e15f5e9f5d1fc2c0cbba703751602 upstream. The driver reuses the OF node of the parent multi-function device but fails to take another reference to balance the one dropped by the platform bus code when unbinding the MFD and deregistering the child devices. Fix this by using the intended helper for reusing OF nodes. Fixes: dafc7cde23dc ("regulator: add mt6357 regulator") Cc: [email protected] # 6.2 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed Apr 8 09:30:50 2026 +0200 regulator: rk808: fix OF node reference imbalance commit 65290b24d8a5f0b8cd065201e653db824c4a4da6 upstream. The driver reuses the OF node of the parent multi-function device but fails to take another reference to balance the one dropped by the platform bus code when unbinding the MFD and deregistering the child devices. Fix this by using the intended helper for reusing OF nodes. Fixes: 647e57351f8e ("regulator: rk808: reduce 'struct rk808' usage") Cc: [email protected] # 6.2 Reviewed-by: Sebastian Reichel <[email protected]> Reviewed-by: Douglas Anderson <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed Apr 8 09:30:53 2026 +0200 regulator: s2dos05: fix OF node reference imbalance commit ebe694d67f159899b063eee61bacda4cb825ed7b upstream. The driver reuses the OF node of the parent multi-function device but fails to take another reference to balance the one dropped by the platform bus code when unbinding the MFD and deregistering the child devices. Fix this by using the intended helper for reusing OF nodes. Fixes: bb2441402392 ("regulator: add s2dos05 regulator support") Cc: [email protected] # 6.18 Cc: Dzmitry Sankouski <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Prike Liang <[email protected]> Date: Fri Jan 9 16:15:11 2026 +0800 Revert "drm/amdgpu: don't attach the tlb fence for SI" commit 9163fe4d790fb4e16d6b0e23f55b43cddd3d4a65 upstream. This reverts commit 820b3d376e8a102c6aeab737ec6edebbbb710e04. It’s better to validate VM TLB flushes in the flush‑TLB backend rather than in the generic VM layer. Reverting this patch depends on commit fa7c231fc2b0 ("drm/amdgpu: validate the flush_gpu_tlb_pasid()") being present in the tree. Signed-off-by: Prike Liang <[email protected]> Reviewed-by: Christian König <[email protected]> Signed-off-by: Alex Deucher <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: zhidao su <[email protected]> Date: Wed May 13 12:33:21 2026 -0400 sched/ext: Implement cgroup_set_idle() callback [ Upstream commit 347ed2d566dabb06c7970fff01129c4f59995ed6 ] Implement the missing cgroup_set_idle() callback that was marked as a TODO. This allows BPF schedulers to be notified when a cgroup's idle state changes, enabling them to adjust their scheduling behavior accordingly. The implementation follows the same pattern as other cgroup callbacks like cgroup_set_weight() and cgroup_set_bandwidth(). It checks if the BPF scheduler has implemented the callback and invokes it with the appropriate parameters. Fixes a spelling error in the cgroup_set_bandwidth() documentation. tj: s/scx_cgroup_rwsem/scx_cgroup_ops_rwsem/ to fix build breakage. Signed-off-by: zhidao su <[email protected]> Signed-off-by: Tejun Heo <[email protected]> Stable-dep-of: 80afd4c84bc8 ("sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Tejun Heo <[email protected]> Date: Wed May 13 12:33:22 2026 -0400 sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters [ Upstream commit 80afd4c84bc8f5e80145ce35279f5ce53f6043db ] scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot. Fixes: a5bd6ba30b33 ("sched_ext: Use cgroup_lock/unlock() to synchronize against cgroup operations") Cc: [email protected] # v6.18+ Reported-by: Chris Mason <[email protected]> Signed-off-by: Tejun Heo <[email protected]> Reviewed-by: Andrea Righi <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Ben Morris <[email protected]> Date: Thu May 7 17:14:55 2026 -0700 sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL commit abb5f36771cc4c05899b34000829a787572a8817 upstream. The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf(). While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped. sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *). Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer. Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive. The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for. Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") Cc: [email protected] Signed-off-by: Ben Morris <[email protected]> Acked-by: Xin Long <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:00 2026 +0200 spi: amlogic-spisg: fix controller deregistration commit 84d31bb1f6256eea0db6cf64a3c7a53145f92bb9 upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: cef9991e04ae ("spi: Add Amlogic SPISG driver") Cc: [email protected] # 6.17: b8db95529979 Cc: [email protected] # 6.17 Cc: Sunny Luo <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:01 2026 +0200 spi: aspeed-smc: fix controller deregistration commit 1044e5a4ccd57bf5a64f90100a321b498e0267a2 upstream. Make sure to deregister the controller before disabling it to allow SPI device drivers to do I/O during deregistration. Fixes: e3228ed92893 ("spi: spi-mem: Convert Aspeed SMC driver to spi-mem") Cc: [email protected] # 5.19 Cc: Cédric Le Goater <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:02 2026 +0200 spi: at91-usart: fix controller deregistration commit 9acecc9bcff058eaef40fd7a4c3650e88b06b220 upstream. Make sure to deregister the controller before disabling and releasing underlying resources like clocks and DMA during driver unbind. Fixes: e1892546ff66 ("spi: at91-usart: Add driver for at91-usart as SPI") Cc: [email protected] # 4.20 Cc: Radu Pirea <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:03 2026 +0200 spi: atmel: fix controller deregistration commit 8d4de97e83520be89d0ff40610ca633b3963a7de upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: 754ce4f29937 ("[PATCH] SPI: atmel_spi driver") Cc: [email protected] # 2.6.21 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:04 2026 +0200 spi: bcm63xx: fix controller deregistration commit c39e65a4e3b8e764efed0b2f5152a1a8547b80fd upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: b42dfed83d95 ("spi: add Broadcom BCM63xx SPI controller driver") Cc: [email protected] # 3.4 Cc: Florian Fainelli <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:06 2026 +0200 spi: bcmbca-hsspi: fix controller deregistration commit c3d97c3320b9a1ebbd6119857341be034f7b3efc upstream. Make sure to deregister the controller before disabling underlying resources like interrupts during driver unbind to allow SPI drivers to do I/O during deregistration. Note that clocks were also disabled before the recent commit e532e21a246d ("spi: bcm63xx-hsspi: Simplify clock handling with devm_clk_get_enabled()"). Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller") Cc: [email protected] # 6.3: deb269e0394f Cc: [email protected] # 6.3 Cc: William Zhang <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 21 14:36:13 2026 +0200 spi: cadence: fix clock imbalance on probe failure commit ecea4f0e9db2fb6ab4a68a59c5aba0d8f59a9566 upstream. Make sure that the controller is active before disabling clocks on probe failure to avoid unbalanced clock disable. Also drop the usage count before returning (so that the controller can be suspended after a probe deferral) and restore the autosuspend setting. Fixes: d36ccd9f7ea4 ("spi: cadence: Runtime pm adaptation") Cc: [email protected] # 4.7 Cc: Shubhrajyoti Datta <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 14 15:43:12 2026 +0200 spi: cadence: fix controller deregistration commit 666fa7e9ca98e71c880086ca24147ae843f1ed6e upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: c474b3866546 ("spi: Add driver for Cadence SPI controller") Cc: [email protected] # 3.16 Cc: Harini Katakam <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 21 14:36:12 2026 +0200 spi: cadence: fix unclocked access on unbind commit 5b1689a41f02955c5361944f748a4812a6ff9307 upstream. Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid unclocked register access and unbalanced clock disable. Also restore the autosuspend setting. This issue was flagged by Sashiko when reviewing a controller deregistration fix. Fixes: d36ccd9f7ea4 ("spi: cadence: Runtime pm adaptation") Cc: [email protected] # 4.7 Cc: Shubhrajyoti Datta <[email protected]> Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=1 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:08 2026 +0200 spi: cavium-thunderx: fix controller deregistration commit dbb6b01267c0c866eaac4019cec19f414beec61d upstream. Make sure to deregister the controller before disabling it to avoid hanging or leaking resources associated with the queue when the queue non-empty. Fixes: 7347a6c7af8d ("spi: octeon: Add ThunderX driver") Cc: [email protected] # 4.9 Cc: Jan Glauber <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Mar 27 11:43:05 2026 +0100 spi: ch341: fix devres lifetime commit abe572f630bc1f0e77041012ab075869036ede4f upstream. USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the controller and driver data lifetime so that they are released on driver unbind. Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree. Fixes: 8846739f52af ("spi: add ch341a usb2spi driver") Cc: [email protected] # 6.11 Cc: Johannes Thumshirn <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:09 2026 +0200 spi: coldfire-qspi: fix controller deregistration commit e7c510e192ff2a1264d999575eea39a506424264 upstream. Make sure to deregister the controller before disabling underlying resources like clocks (via runtime pm) during driver unbind. Fixes: 34b8c6617366 ("spi: Add Freescale/Motorola Coldfire QSPI driver") Cc: [email protected] # 2.6.34 Cc: Steven King <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:10 2026 +0200 spi: dln2: fix controller deregistration commit c353020fbfa8514ee91a6de2d88de4e5edca5803 upstream. Make sure to deregister the controller before disabling it to allow SPI device drivers to do I/O during deregistration. Fixes: 3d8c0d749da3 ("spi: add support for DLN-2 USB-SPI adapter") Cc: [email protected] # 4.0 Cc: Laurentiu Palcu <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:12 2026 +0200 spi: fsl-espi: fix controller deregistration commit e506a700a7ad229f5c8f01f4b8350119cccb4158 upstream. Make sure to deregister the controller before disabling runtime PM (which can leave the controller disabled) to allow SPI device drivers to do I/O during deregistration. Fixes: e9abb4db8d10 ("spi: fsl-espi: add runtime PM") Cc: [email protected] # 4.3 Cc: Heiner Kallweit <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 08:47:49 2026 +0200 spi: fsl: fix controller deregistration commit 9b7abfed4c3754062d1f3ffd452e65a38667f586 upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: 4178b6b1b595 ("spi: fsl-(e)spi: migrate to using devm_ functions to simplify cleanup") Cc: [email protected] # 4.3 Cc: Heiner Kallweit <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:14 2026 +0200 spi: img-spfi: fix controller deregistration commit fc3a83b0d9c16b941c9028f5a8db9541dce4ddf2 upstream. Make sure to deregister the controller before disabling and releasing underlying resources like clocks and DMA during driver unbind. Fixes: deba25800a12 ("spi: Add driver for IMG SPFI controller") Cc: [email protected] # 3.19 Cc: Andrew Bresticker <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 21 14:56:32 2026 +0200 spi: imx: fix runtime pm leak on probe deferral commit a1d50a37d3b1df84f536a982f692371039df4a48 upstream. Make sure to balance the runtime PM usage count before returning on probe failure (e.g. probe deferral) so that the controller can be suspended when a driver is later bound. Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM") Cc: [email protected] # 5.10 Cc: Sascha Hauer <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:15 2026 +0200 spi: lantiq-ssc: fix controller deregistration commit b99206710d032c16b7f8b75e4bc18414d8e4b9f4 upstream. Make sure to deregister the controller before releasing underlying resources like clocks during driver unbind. Fixes: 17f84b793c01 ("spi: lantiq-ssc: add support for Lantiq SSC SPI controller") Cc: [email protected] # 4.11 Cc: Hauke Mehrtens <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:16 2026 +0200 spi: meson-spicc: fix controller deregistration commit 77953c76bec9af4191f8692a10225dd816208718 upstream. Make sure to deregister the controller before disabling it to allow SPI device drivers to do I/O during deregistration. Fixes: 454fa271bc4e ("spi: Add Meson SPICC driver") Cc: [email protected] # 4.13 Cc: Neil Armstrong <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 14 15:43:14 2026 +0200 spi: mpc52xx: fix controller deregistration commit 0f997fdae819a8c2cc83bd4ff7d935ad76c727c9 upstream. Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind. Fixes: 42bbb70980f3 ("powerpc/5200: Add mpc5200-spi (non-PSC) device driver") Fixes: b8d4e2ce60b6 ("mpc52xx_spi: add gpio chipselect") Cc: [email protected] # 2.6.33 Cc: Grant Likely <[email protected]> Cc: Luotao Fu <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 21 14:58:00 2026 +0200 spi: mpc52xx: fix use-after-free on registration failure commit f62c060272b9d7423b1650b844e8e4e7b8f9f925 upstream. Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak. This issue was flagged by Sashiko when reviewing a controller deregistration fix. Fixes: 42bbb70980f3 ("powerpc/5200: Add mpc5200-spi (non-PSC) device driver") Cc: [email protected] # 2.6.33 Cc: Grant Likely <[email protected]> Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=3 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 14 15:43:15 2026 +0200 spi: mpc52xx: fix use-after-free on unbind commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream. The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free. Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove") Cc: [email protected] Cc: Pei Xiao <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu Apr 9 14:04:19 2026 +0200 spi: mpfs: fix controller deregistration commit 573c7db8fce91a1b07dd64a260bb44b9e6d05943 upstream. Make sure to deregister the controller before disabling underlying resources like interrupts during driver unbind. Fixes: 9ac8d17694b6 ("spi: add support for microchip fpga spi controllers") Cc: [email protected] # 6.0 Cc: Conor Dooley <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Acked-by: Conor Dooley <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:31 2026 +0200 spi: mt65xx: fix controller deregistration commit 2ad30599cccc572ba2fc11010670eb6e01ea6bfc upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173") Cc: [email protected] # 4.3: ace145802350 Cc: [email protected] # 4.3 Cc: Leilk Liu <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:32 2026 +0200 spi: mtk-nor: fix controller deregistration commit 76336f24934621db286cabb20b483773ee01dcaa upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: 881d1ee9fe81 ("spi: add support for mediatek spi-nor controller") Cc: [email protected] # 5.7 Cc: Chuanhong Guo <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 14 15:43:16 2026 +0200 spi: mxic: fix controller deregistration commit adbc595e272052181d40ec307a4c5ba98571b0fe upstream. Make sure to deregister the controller before disabling underlying resources like clocks (via runtime pm) during driver unbind. Fixes: b942d80b0a39 ("spi: Add MXIC controller driver") Cc: [email protected] # 5.0: cc53711b2191 Cc: [email protected] # 5.0 Cc: Mason Yang <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:33 2026 +0200 spi: mxs: fix controller deregistration commit 8b0d0011af20fb547aa67a1cefbf320992fd5e92 upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: 33e195acf268 ("spi: mxs: use devm_spi_register_master()") Cc: [email protected] # 3.13 Cc: Jingoo Han <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:34 2026 +0200 spi: npcm-pspi: fix controller deregistration commit ebd81199e00e107980bf8c4d2c747ae50158f797 upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: 2a22f1b30cee ("spi: npcm: add NPCM PSPI controller driver") Cc: [email protected] # 5.0 Cc: Tomer Maimon <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:35 2026 +0200 spi: omap2-mcspi: fix controller deregistration commit fb45f95c377e4a4bdece2c5e17643b459c9c13e7 upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: ccdc7bf92573 ("SPI: omap2_mcspi driver") Cc: [email protected] # 2.6.23 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 21 15:02:10 2026 +0200 spi: orion: fix clock imbalance on registration failure commit 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 upstream. Make sure that the controller is not runtime suspended before disabling clocks on probe failure. Also restore the autosuspend setting. Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support") Cc: [email protected] # 3.17 Cc: Russell King <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 14 15:43:17 2026 +0200 spi: orion: fix controller deregistration commit 220f4f11104a7f83b71543ef0e48dde1da2bc5d3 upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: 60cadec9da7b ("spi: new orion_spi driver") Cc: [email protected] # 2.6.27 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Tue Apr 21 15:02:09 2026 +0200 spi: orion: fix runtime pm leak on unbind commit 97b17dd8266d2e26d9ee3c75a0fa34ecde6944f0 upstream. Make sure to balance the runtime PM usage count on driver unbind so that the controller can be suspended when a driver is rebound. Also restore the autosuspend setting. This issue was flagged by Sashiko when reviewing a controller deregistration fix. Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support") Cc: [email protected] # 3.17 Cc: Russell King <[email protected]> Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=6 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:37 2026 +0200 spi: pic32-sqi: fix controller deregistration commit 420df79d1a618951eb0eb4331df95c9f4f763b8b upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: 3270ac230f66 ("spi: pic32-sqi: add SPI driver for PIC32 SQI controller.") Cc: [email protected] # 4.7 Cc: Purna Chandra Mandal <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:36 2026 +0200 spi: pic32: fix controller deregistration commit 6b627bfe0c44e064aba464839e430dc1ca2b0bb8 upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver") Cc: [email protected] # 4.7 Cc: Purna Chandra Mandal <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:38 2026 +0200 spi: pl022: fix controller deregistration commit 994b33366be9148240690e3e94bffe17c4d89458 upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: b43d65f7e818 ("[ARM] 5546/1: ARM PL022 SSP/SPI driver v3") Cc: [email protected] # 2.6.31 Cc: Linus Walleij <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:39 2026 +0200 spi: qup: fix controller deregistration commit 443e3a0005a4342b218b6dbd4c6387d3c7fed85a upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: 64ff247a978f ("spi: Add Qualcomm QUP SPI controller support") Cc: [email protected] # 3.15 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:40 2026 +0200 spi: rspi: fix controller deregistration commit 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: 9e03d05eee4c ("spi: rcar: Use devm_spi_register_master()") Cc: [email protected] # 3.14 Cc: Jingoo Han <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:41 2026 +0200 spi: s3c64xx: fix controller deregistration commit c1446b61e472da24d1547525193467b4bea4a7cb upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: 91800f0e9005 ("spi/s3c64xx: Use managed registration") Cc: [email protected] # 3.13: 76fbad410c0f Cc: [email protected] # 3.13 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:42 2026 +0200 spi: sh-hspi: fix controller deregistration commit e63982e6392e45a6ecd68d6c317a081cc8e70143 upstream. Make sure to deregister the controller before releasing underlying resources like clocks during driver unbind. Fixes: 49e599b8595f ("spi: sh-hspi: control spi clock more correctly") Cc: [email protected] # 3.4 Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:43 2026 +0200 spi: sh-msiof: fix controller deregistration commit 45170f67a08b912ead6ccc387ba06954d1d4e53a upstream. Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Fixes: 1bd6363bc0c6 ("spi: sh-msiof: Use core message handling instead of spi-bitbang") Cc: [email protected] # 3.15 Cc: Geert Uytterhoeven <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:45 2026 +0200 spi: slave-mt27xx: fix controller deregistration commit ab840cbda4fe6c40e52f6415c47056797c663bb2 upstream. Make sure to deregister the controller before disabling underlying resources like clocks (by disabling runtime PM) during driver unbind. Fixes: 805be7ddf367 ("spi: mediatek: add spi slave for Mediatek MT2712") Cc: [email protected] # 4.20 Cc: Leilk Liu <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:46 2026 +0200 spi: sprd: fix controller deregistration commit 123d17dbc5f07059752fa5e616385ca29a8f935a upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Note that the controller is suspended before disabling and releasing resources since commit de082d866cce ("spi: sprd: Add the SPI irq function for the SPI DMA mode") which avoids issues like unclocked accesses but prevents SPI device drivers from doing I/O during deregistration. Fixes: e7d973a31c24 ("spi: sprd: Add SPI driver for Spreadtrum SC9860") Cc: [email protected] # 4.20 Cc: Lanqing Liu <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Fri Apr 10 10:17:47 2026 +0200 spi: st-ssc4: fix controller deregistration commit 19857374010d06ca6a2f7c2c53464122eb804df0 upstream. Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: 9e862375c542 ("spi: Add new driver for STMicroelectronics' SPI Controller") Cc: [email protected] # 4.0 Cc: Lee Jones <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed May 13 23:10:37 2026 -0400 spi: tegra114: fix controller deregistration [ Upstream commit 9c9c27ff2058142d8f800de3186d6864184958de ] Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: 5c8096439600 ("spi: tegra114: use devm_spi_register_master()") Cc: [email protected] # 3.13 Cc: Jingoo Han <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> [ kept `host->dev.of_node = pdev->dev.of_node;` context line above the `spi_register_controller()` conversion ] Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu May 14 00:14:46 2026 -0400 spi: tegra20-sflash: fix controller deregistration [ Upstream commit ad7310e983327f939dd6c4e801eab13238992572 ] Make sure to deregister the controller before disabling underlying resources like clocks during driver unbind. Fixes: f12f7318c44a ("spi: tegra20-sflash: use devm_spi_register_master()") Cc: [email protected] # 3.13 Cc: Jingoo Han <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> [ kept the redundant `host->dev.of_node = pdev->dev.of_node;` line above the registration call ] Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Thu May 14 00:58:33 2026 -0400 spi: uniphier: fix controller deregistration [ Upstream commit 0245435f777264ac45945ed2f325dd095a41d1af ] Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. Note that clocks were also disabled before the recent commit fdca270f8f87 ("spi: uniphier: Simplify clock handling with devm_clk_get_enabled()"). Fixes: 5ba155a4d4cc ("spi: add SPI controller driver for UniPhier SoC") Cc: [email protected] # 4.19 Cc: Keiji Hayashibara <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Pei Xiao <[email protected]> Date: Thu May 14 00:58:32 2026 -0400 spi: uniphier: Simplify clock handling with devm_clk_get_enabled() [ Upstream commit fdca270f8f87cae2eb5b619234b9dd11a863ce6b ] Replace devm_clk_get() followed by clk_prepare_enable() with devm_clk_get_enabled() for the clock. This removes the need for explicit clock enable and disable calls, as the managed API automatically handles clock disabling on device removal or probe failure. Remove the now-unnecessary clk_disable_unprepare() calls from the probe error path and the remove callback. Adjust error labels accordingly. Signed-off-by: Pei Xiao <[email protected]> Reviewed-by: Kunihiko Hayashi <[email protected]> Link: https://patch.msgid.link/b2deeefd4ef1a4bce71116aabfcb7e81400f6d37.1775546948.git.xiaopei01@kylinos.cn Signed-off-by: Mark Brown <[email protected]> Stable-dep-of: 0245435f7772 ("spi: uniphier: fix controller deregistration") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Johan Hovold <[email protected]> Date: Wed May 13 14:08:36 2026 -0400 spi: zynq-qspi: fix controller deregistration [ Upstream commit c9c012706c9fa8ca6d129a9161caf92ab625a3fd ] Make sure to deregister the controller before disabling it during driver unbind. Note that clocks were also disabled before the recent commit 1f8fd9490e31 ("spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()"). Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller") Cc: [email protected] # 5.2: 8eb2fd00f65a Cc: [email protected] # 5.2 Cc: Naga Sureshkumar Relli <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Pei Xiao <[email protected]> Date: Wed May 13 14:08:35 2026 -0400 spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled() [ Upstream commit 1f8fd9490e3184e9a2394df2e682901a1d57ce71 ] Replace devm_clk_get() followed by clk_prepare_enable() with devm_clk_get_enabled() for both "pclk" and "ref_clk". This removes the need for explicit clock enable and disable calls, as the managed API automatically disables the clocks on device removal or probe failure. Remove the now-unnecessary clk_disable_unprepare() calls from the probe error paths and the remove callback. Simplify error handling by jumping directly to the remove_ctlr label. Signed-off-by: Pei Xiao <[email protected]> Acked-by: Michal Simek <[email protected]> Link: https://patch.msgid.link/24043625f89376da36feca2408f990a85be7ab36.1775555500.git.xiaopei01@kylinos.cn Signed-off-by: Mark Brown <[email protected]> Stable-dep-of: c9c012706c9f ("spi: zynq-qspi: fix controller deregistration") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Sakari Ailus <[email protected]> Date: Thu Feb 26 15:10:54 2026 +0200 staging: media: atomisp: Disallow all private IOCTLs commit 2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7c upstream. Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy. Reported-by: Soufiane Dani <[email protected]> Closes: https://lore.kernel.org/linux-staging/[email protected]/ Cc: [email protected] Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2") Fixes: ad85094b293e ("Revert "media: staging: atomisp: Remove driver"") Signed-off-by: Sakari Ailus <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Masami Hiramatsu (Google) <[email protected]> Date: Fri May 15 07:32:26 2026 -0400 tracing/fprobe: Remove fprobe from hash in failure path [ Upstream commit 845947aca6814f5723ed65e556eb5ee09493f05b ] When register_fprobe_ips() fails, it tries to remove a list of fprobe_hash_node from fprobe_ip_table, but it missed to remove fprobe itself from fprobe_table. Moreover, when removing the fprobe_hash_node which is added to rhltable once, it must use kfree_rcu() after removing from rhltable. To fix these issues, this reuses unregister_fprobe() internal code to rollback the half-way registered fprobe. Link: https://lore.kernel.org/all/177669366417.132053.17874946321744910456.stgit@mhiramat.tok.corp.google.com/ Fixes: 4346ba160409 ("fprobe: Rewrite fprobe on function-graph tracer") Cc: [email protected] Signed-off-by: Masami Hiramatsu (Google) <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Masami Hiramatsu (Google) <[email protected]> Date: Fri May 15 07:32:25 2026 -0400 tracing/fprobe: Unregister fprobe even if memory allocation fails [ Upstream commit 1aec9e5c3e31ce1e28f914427fb7f90b91d310df ] unregister_fprobe() can fail under memory pressure because of memory allocation failure, but this maybe called from module unloading, and usually there is no way to retry it. Moreover. trace_fprobe does not check the return value. To fix this problem, unregister fprobe and fprobe_hash_node even if working memory allocation fails. Anyway, if the last fprobe is removed, the filter will be freed. Link: https://lore.kernel.org/all/177669365629.132053.8433032896213721288.stgit@mhiramat.tok.corp.google.com/ Fixes: 4346ba160409 ("fprobe: Rewrite fprobe on function-graph tracer") Cc: [email protected] Signed-off-by: Masami Hiramatsu (Google) <[email protected]> Stable-dep-of: 845947aca681 ("tracing/fprobe: Remove fprobe from hash in failure path") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Menglong Dong <[email protected]> Date: Fri May 15 07:32:24 2026 -0400 tracing: fprobe: optimization for entry only case [ Upstream commit 2c67dc457bc67367dc8fcd8f471ce2d5bb5f7b2b ] For now, fgraph is used for the fprobe, even if we need trace the entry only. However, the performance of ftrace is better than fgraph, and we can use ftrace_ops for this case. Then performance of kprobe-multi increases from 54M to 69M. Before this commit: $ ./benchs/run_bench_trigger.sh kprobe-multi kprobe-multi : 54.663 ± 0.493M/s After this commit: $ ./benchs/run_bench_trigger.sh kprobe-multi kprobe-multi : 69.447 ± 0.143M/s Mitigation is disable during the bench testing above. Link: https://lore.kernel.org/all/[email protected]/ Signed-off-by: Menglong Dong <[email protected]> Signed-off-by: Masami Hiramatsu (Google) <[email protected]> Stable-dep-of: 845947aca681 ("tracing/fprobe: Remove fprobe from hash in failure path") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Menglong Dong <[email protected]> Date: Fri May 15 07:32:23 2026 -0400 tracing: fprobe: use rhltable for fprobe_ip_table [ Upstream commit 0de4c70d04a46a3c266547dd4275ce25f623796a ] For now, all the kernel functions who are hooked by the fprobe will be added to the hash table "fprobe_ip_table". The key of it is the function address, and the value of it is "struct fprobe_hlist_node". The budget of the hash table is FPROBE_IP_TABLE_SIZE, which is 256. And this means the overhead of the hash table lookup will grow linearly if the count of the functions in the fprobe more than 256. When we try to hook all the kernel functions, the overhead will be huge. Therefore, replace the hash table with rhltable to reduce the overhead. Link: https://lore.kernel.org/all/[email protected]/ Signed-off-by: Menglong Dong <[email protected]> Signed-off-by: Masami Hiramatsu (Google) <[email protected]> Stable-dep-of: 845947aca681 ("tracing/fprobe: Remove fprobe from hash in failure path") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Prashanth K <[email protected]> Date: Wed May 13 07:27:43 2026 -0400 usb: dwc3: Add dwc pointer to dwc3_readl/writel [ Upstream commit 9accc68b1cf0a2b220f51d53641128bb32598070 ] Use dwc pointer in dwc3_readl() dwc3_writel() instead of passing the dwc->regs. This would help us access the dwc structure and log the base address in traces. There's no functional changes in this patch, just refactoring existing APIs. Signed-off-by: Prashanth K <[email protected]> Acked-by: Thinh Nguyen <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Stable-dep-of: aad35f9c926e ("usb: dwc3: Move GUID programming after PHY initialization") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Selvarasu Ganesan <[email protected]> Date: Wed May 13 07:27:44 2026 -0400 usb: dwc3: Move GUID programming after PHY initialization [ Upstream commit aad35f9c926ec220b0742af1ada45666ae667956 ] The Linux Version Code is currently written to the GUID register before PHY initialization. Certain PHY implementations (such as Synopsys eUSB PHY performing link_sw_reset) clear the GUID register to its default value during initialization, causing the kernel version information to be lost. Move the GUID register programming to occur after PHY initialization completes to ensure the Linux version information persists. Fixes: fa0ea13e9f1c ("usb: dwc3: core: write LINUX_VERSION_CODE to our GUID register") Cc: stable <[email protected]> Reported-by: Pritam Manohar Sutar <[email protected]> Signed-off-by: Selvarasu Ganesan <[email protected]> Acked-by: Thinh Nguyen <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Prashanth K <[email protected]> Date: Wed May 13 07:27:42 2026 -0400 usb: dwc3: Remove of dep->regs [ Upstream commit abdd1eef04f0cb3b1707cd1fa243d574d5e07024 ] Remove dep->regs from struct dwc3_ep and reuse dwc->regs instead. Thus eliminating redundant iomem addresses and making register access more consistent across the driver. Signed-off-by: Prashanth K <[email protected]> Acked-by: Thinh Nguyen <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Stable-dep-of: aad35f9c926e ("usb: dwc3: Move GUID programming after PHY initialization") Signed-off-by: Sasha Levin <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Amit Sunil Dhamne <[email protected]> Date: Tue Apr 14 00:58:32 2026 +0000 usb: typec: tcpm: reset internal port states on soft reset AMS commit 2909f0d4994fb4306bf116df5ccee797791fce2c upstream. Reset internal port states (such as vdm_sm_running and explicit_contract) on soft reset AMS as the port needs to negotiate a new contract. The consequence of leaving the states in as-is cond are as follows: * port is in SRC power role and an explicit contract is negotiated with the port partner (in sink role) * port partner sends a Soft Reset AMS while VDM State Machine is running * port accepts the Soft Reset request and the port advertises src caps * port partner sends a Request message but since the explicit_contract and vdm_sm_running are true from previous negotiation, the port ends up sending Soft Reset instead of Accept msg. Stub Log: [ 203.653942] AMS DISCOVER_IDENTITY start [ 203.653947] PD TX, header: 0x176f [ 203.655901] PD TX complete, status: 0 [ 203.657470] PD RX, header: 0x124f [1] [ 203.657477] Rx VDM cmd 0xff008081 type 2 cmd 1 len 1 [ 203.657482] AMS DISCOVER_IDENTITY finished [ 203.657484] cc:=4 [ 204.155698] PD RX, header: 0x144f [1] [ 204.155718] Rx VDM cmd 0xeeee8001 type 0 cmd 1 len 1 [ 204.155741] PD TX, header: 0x196f [ 204.157622] PD TX complete, status: 0 [ 204.160060] PD RX, header: 0x4d [1] [ 204.160066] state change SRC_READY -> SOFT_RESET [rev2 SOFT_RESET_AMS] [ 204.160076] PD TX, header: 0x163 [ 204.162486] PD TX complete, status: 0 [ 204.162832] AMS SOFT_RESET_AMS finished [ 204.162840] cc:=4 [ 204.162891] AMS POWER_NEGOTIATION start [ 204.162896] state change SOFT_RESET -> AMS_START [rev2 POWER_NEGOTIATION] [ 204.162908] state change AMS_START -> SRC_SEND_CAPABILITIES [rev2 POWER_NEGOTIATION] [ 204.162913] PD TX, header: 0x1361 [ 204.165529] PD TX complete, status: 0 [ 204.165571] pending state change SRC_SEND_CAPABILITIES -> SRC_SEND_CAPABILITIES_TIMEOUT @ 60 ms [rev2 POWER_NEGOTIATION] [ 204.166996] PD RX, header: 0x1242 [1] [ 204.167009] state change SRC_SEND_CAPABILITIES -> SRC_SOFT_RESET_WAIT_SNK_TX [rev2 POWER_NEGOTIATION] [ 204.167019] AMS POWER_NEGOTIATION finished [ 204.167020] cc:=4 [ 204.167083] AMS SOFT_RESET_AMS start [ 204.167086] state change SRC_SOFT_RESET_WAIT_SNK_TX -> SOFT_RESET_SEND [rev2 SOFT_RESET_AMS] [ 204.167092] PD TX, header: 0x16d [ 204.168824] PD TX complete, status: 0 [ 204.168854] pending state change SOFT_RESET_SEND -> HARD_RESET_SEND @ 60 ms [rev2 SOFT_RESET_AMS] [ 204.171876] PD RX, header: 0x43 [1] [ 204.171879] AMS SOFT_RESET_AMS finished This causes COMMON.PROC.PD.11.2 check failure for TEST.PD.VDM.SRC.2_Rev2Src test on the PD compliance tester. Signed-off-by: Amit Sunil Dhamne <[email protected]> Fixes: 8d3a0578ad1a ("usb: typec: tcpm: Respond Wait if VDM state machine is running") Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)") Cc: stable <[email protected]> Reviewed-by: Badhri Jagan Sridharan <[email protected]> Acked-by: Heikki Krogerus <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Dudu Lu <[email protected]> Date: Mon Apr 13 21:14:09 2026 +0800 vsock/virtio: fix accept queue count leak on transport mismatch commit 52bcb57a4e8a0865a76c587c2451906342ae1b2d upstream. virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog. After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections. Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport. Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") Signed-off-by: Dudu Lu <[email protected]> Reviewed-by: Bobby Eshleman <[email protected]> Reviewed-by: Luigi Leonardi <[email protected]> Reviewed-by: Stefano Garzarella <[email protected]> Acked-by: Michael S. Tsirkin <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Paolo Abeni <[email protected]> Cc: Luigi Leonardi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Stefano Garzarella <[email protected]> Date: Fri May 8 18:44:11 2026 +0200 vsock/virtio: fix empty payload in tap skb for non-linear buffers commit 3a3e3d90cbc79600544536723911657730759af3 upstream. For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized. Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb(). While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail. Fixes: 4b0bf10eb077 ("vsock/virtio: non-linear skb handling for tap") Reported-by: Yiqi Sun <[email protected]> Signed-off-by: Stefano Garzarella <[email protected]> Reviewed-by: Bobby Eshleman <[email protected]> Reviewed-by: Arseniy Krasnov <[email protected]> Link: https://patch.msgid.link/[email protected] Acked-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Paolo Abeni <[email protected]> Cc: Luigi Leonardi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Stefano Garzarella <[email protected]> Date: Fri May 8 18:44:10 2026 +0200 vsock/virtio: fix length and offset in tap skb for split packets commit 5f344d809e015fba3709e5219428c00b8ac5d7df upstream. virtio_transport_build_skb() builds a new skb to be delivered to the vsockmon tap device. To build the new skb, it uses the original skb data length as payload length, but as the comment notes, the original packet stored in the skb may have been split in multiple packets, so we need to use the length in the header, which is correctly updated before the packet is delivered to the tap, and the offset for the data. This was also similar to what we did before commit 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") where we probably missed something during the skb conversion. Also update the comment above, which was left stale by the skb conversion and still mentioned a buffer pointer that no longer exists. Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Signed-off-by: Stefano Garzarella <[email protected]> Reviewed-by: Bobby Eshleman <[email protected]> Reviewed-by: Arseniy Krasnov <[email protected]> Link: https://patch.msgid.link/[email protected] Acked-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Paolo Abeni <[email protected]> Cc: Luigi Leonardi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Luigi Leonardi <[email protected]> Date: Wed Apr 15 17:09:28 2026 +0200 vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to copy commit 080f22f5d30233faf3d83be3098f35b8be9b7a00 upstream. `virtio_transport_stream_do_peek()` does not account for the skb offset when computing the number of bytes to copy. This means that, after a partial recv() that advances the offset, a peek requesting more bytes than are available in the sk_buff causes `skb_copy_datagram_iter()` to go past the valid payload, resulting in a -EFAULT. The dequeue path already handles this correctly. Apply the same logic to the peek path. Fixes: 0df7cd3c13e4 ("vsock/virtio/vhost: read data from non-linear skb") Reviewed-by: Stefano Garzarella <[email protected]> Acked-by: Arseniy Krasnov <[email protected]> Signed-off-by: Luigi Leonardi <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
Author: Norbert Szetei <[email protected]> Date: Thu Apr 9 18:34:12 2026 +0200 vsock: fix buffer size clamping order commit d114bfdc9b76bf93b881e195b7ec957c14227bab upstream. In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint. This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size. Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size. Fixes: b9f2b0ffde0c ("vsock: handle buffer_size sockopts in the core") Suggested-by: Stefano Garzarella <[email protected]> Signed-off-by: Norbert Szetei <[email protected]> Reviewed-by: Stefano Garzarella <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> Cc: Luigi Leonardi <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>