- Linux-stable-mirror - lists.linaro.org

Please help to cherry-pick 25daf9af0ac1 ("soc: qcom: mdt_loader: Deal with zero e_shentsize") for the 5.4/5.0/5.15/6.1 versions

by Yongqin Liu

Hi, All Please help to cherry-pick the following commit 25daf9af0ac1 ("soc: qcom: mdt_loader: Deal with zero e_shentsize") into the following branches: linux-5.4.y linux-5.10.y linux-5.15.y linux-6.1.y Which is to fix the issue caused by the following commit in the branches already: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header") Just please note, for the linux-6.1.y branch the following commit needs to be cherry-picked first: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()") before the cherry-pick of the 25daf9af0ac1 commit. # if this needs to be in a separate cherry-pick request # please let me know. -- Best Regards, Yongqin Liu --------------------------------------------------------------- #mailing list linaro-android(a)lists.linaro.org http://lists.linaro.org/mailman/listinfo/linaro-android

1 month, 3 weeks

2
1
0 0

[PATCH 5.15 00/64] 5.15.192-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.192 release. There are 64 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue, 09 Sep 2025 19:55:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.192-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.192-rc1 Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Use value to check for invalid delays Taniya Das <quic_tdas(a)quicinc.com> clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Ian Rogers <irogers(a)google.com> perf bpf-event: Fix use-after-free in synthesis Michael Walle <mwalle(a)kernel.org> drm/bridge: ti-sn65dsi86: fix REFCLK setting Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Set correct chip-select polarity bit Larisa Grigore <larisa.grigore(a)nxp.com> spi: spi-fsl-lpspi: Fix transmissions when using CONT Wentao Liang <vulab(a)iscas.ac.cn> pcmcia: Add error handling for add_interval() in do_validate_mem() Takashi Iwai <tiwai(a)suse.de> ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Li Qiong <liqiong(a)nfschina.com> mm/slub: avoid accessing metadata when pointer is invalid in object_err() Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Fix attribute addition Kees Cook <kees(a)kernel.org> randstruct: gcc-plugin: Remove bogus void member Gabor Juhos <j4g8y7(a)gmail.com> arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Ronak Doshi <ronak.doshi(a)broadcom.com> vmxnet3: update MTU after device quiesce Jakob Unterwurzacher <jakobunt(a)gmail.com> net: dsa: microchip: linearize skb for tail-tagging switches Pieter Van Trappen <pieter.van.trappen(a)cern.ch> net: dsa: microchip: update tag_ksz masks for KSZ9477 family Qiu-ji Chen <chenqiuji666(a)gmail.com> dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Hyejeong Choi <hjeong.choi(a)samsung.com> dma-buf: insert memory barrier before updating num_fences Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> gpio: pca953x: fix IRQ storm on system wake up Luca Ceresoli <luca.ceresoli(a)bootlin.com> iio: light: opt3001: fix deadlock due to concurrent flag access David Lechner <dlechner(a)baylibre.com> iio: chemical: pms7003: use aligned_s64 for timestamp Aaron Kling <webgeek1234(a)gmail.com> spi: tegra114: Don't fail set_cs_timing when delays are zero Alexander Danilenko <al.b.danilenko(a)gmail.com> spi: tegra114: Remove unnecessary NULL-pointer checks Sean Christopherson <seanjc(a)google.com> KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq/sched: Explicitly synchronize limits_changed flag handling Jann Horn <jannh(a)google.com> mm/khugepaged: fix ->anon_vma race Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: fix heap overflow in e1000_set_eeprom Stanislav Fort <stanislav.fort(a)aisle.com> batman-adv: fix OOB read/write in network-coding decode John Evans <evans1210144(a)gmail.com> scsi: lpfc: Fix buffer free/clear order in deferred receive path Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: drop hw access in non-DC audio fini Qianfeng Rong <rongqianfeng(a)vivo.com> wifi: mwifiex: Initialize the chan_stats array to zero Harry Yoo <harry.yoo(a)oracle.com> mm: move page table sync declarations to linux/pgtable.h Harry Yoo <harry.yoo(a)oracle.com> x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Ma Ke <make24(a)iscas.ac.cn> pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on some devices Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Stop taking ts_lock for tx_queue and use its own lock Horatiu Vultur <horatiu.vultur(a)microchip.com> net: phy: mscc: Fix memory leak when using one step timestamping Kurt Kanzenbach <kurt(a)linutronix.de> ptp: Add generic PTP is_sync() function Qingfang Deng <dqfext(a)gmail.com> ppp: fix memory leak in pad_compress_skb Wang Liang <wangliang74(a)huawei.com> net: atm: fix memory leak in atm_register_sysfs when device_register fail Eric Dumazet <edumazet(a)google.com> ax25: properly unshare skbs in ax25_kiss_rcv() Dan Carpenter <dan.carpenter(a)linaro.org> ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: decrement cleanup index before use Rosen Penev <rosenp(a)gmail.com> net: thunder_bgx: add a missing of_node_put Dan Carpenter <dan.carpenter(a)linaro.org> wifi: libertas: cap SSID len in lbs_associate() Dan Carpenter <dan.carpenter(a)linaro.org> wifi: cw1200: cap SSID length in cw1200_do_join() Felix Fietkau <nbd(a)nbd.name> net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Zhen Ni <zhen.ni(a)easystack.cn> i40e: Fix potential invalid access when MAC list is empty Fabian Bläse <fabian(a)blaese.de> icmp: fix icmp_ndo_send address translation for reply direction Miaoqian Lin <linmq006(a)gmail.com> mISDN: Fix memory leak in dsp_hwec_enable() Alok Tiwari <alok.a.tiwari(a)oracle.com> xirc2ps_cs: fix register access when enabling FullDuplex Kuniyuki Iwashima <kuniyu(a)google.com> Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Phil Sutter <phil(a)nwl.cc> netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Wang Liang <wangliang74(a)huawei.com> netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Dmitry Antipov <dmantipov(a)yandex.ru> wifi: cfg80211: fix use-after-free in cmp_bss() Peter Robinson <pbrobinson(a)gmail.com> arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Pei Xiao <xiaopei01(a)kylinos.cn> tee: fix NULL pointer dereference in tee_shm_put Jiufei Xue <jiufei.xue(a)samsung.com> fs: writeback: fix use-after-free in __mark_inode_dirty() Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't warn when missing DCE encoder caps Daniel Borkmann <daniel(a)iogearbox.net> bpf: Fix oob access in cgroup local storage Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move bpf map owner out of common struct Daniel Borkmann <daniel(a)iogearbox.net> bpf: Move cgroup iterator helpers to bpf.h Daniel Borkmann <daniel(a)iogearbox.net> bpf: Add cookie object to bpf maps ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/marvell/armada-3720-uDPU.dts | 9 +- .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 + arch/x86/include/asm/pgtable_64_types.h | 3 + arch/x86/kvm/x86.c | 18 ++- arch/x86/mm/init_64.c | 18 +++ drivers/clk/qcom/gdsc.c | 21 ++-- drivers/dma-buf/dma-resv.c | 5 +- drivers/dma/mediatek/mtk-cqdma.c | 10 +- drivers/gpio/gpio-pca953x.c | 5 + drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 - drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 - .../gpu/drm/amd/display/dc/dce/dce_link_encoder.c | 8 +- drivers/gpu/drm/bridge/ti-sn65dsi86.c | 11 ++ drivers/iio/chemical/pms7003.c | 5 +- drivers/iio/light/opt3001.c | 5 +- drivers/isdn/mISDN/dsp_hwec.c | 6 +- drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 20 +-- drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +- drivers/net/ethernet/intel/i40e/i40e_client.c | 4 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 10 +- drivers/net/ethernet/xircom/xirc2ps_cs.c | 2 +- drivers/net/phy/mscc/mscc_ptp.c | 34 +++--- drivers/net/ppp/ppp_generic.c | 6 +- drivers/net/vmxnet3/vmxnet3_drv.c | 5 +- drivers/net/wireless/marvell/libertas/cfg.c | 9 +- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +- drivers/net/wireless/marvell/mwifiex/main.c | 4 +- drivers/net/wireless/st/cw1200/sta.c | 2 +- drivers/pcmcia/rsrc_iodyn.c | 3 + drivers/pcmcia/rsrc_nonstatic.c | 4 +- drivers/scsi/lpfc/lpfc_nvmet.c | 10 +- drivers/spi/spi-fsl-lpspi.c | 15 +-- drivers/spi/spi-tegra114.c | 18 ++- drivers/tee/tee_shm.c | 6 +- fs/fs-writeback.c | 9 +- include/linux/bpf-cgroup.h | 5 - include/linux/bpf.h | 134 ++++++++++++++++++--- include/linux/pgtable.h | 16 +++ include/linux/ptp_classify.h | 15 +++ include/linux/vmalloc.h | 16 --- kernel/bpf/arraymap.c | 1 - kernel/bpf/core.c | 83 ++++++++++--- kernel/bpf/syscall.c | 22 ++-- kernel/sched/cpufreq_schedutil.c | 28 ++++- mm/khugepaged.c | 15 ++- mm/slub.c | 7 +- net/atm/resources.c | 6 +- net/ax25/ax25_in.c | 4 + net/batman-adv/network-coding.c | 7 +- net/bluetooth/l2cap_sock.c | 3 + net/bridge/br_netfilter_hooks.c | 3 - net/core/ptp_classifier.c | 12 ++ net/dsa/tag_ksz.c | 22 +++- net/ipv4/devinet.c | 7 +- net/ipv4/icmp.c | 6 +- net/ipv6/ip6_icmp.c | 6 +- net/netfilter/nf_conntrack_helper.c | 4 +- net/wireless/scan.c | 3 +- scripts/gcc-plugins/gcc-common.h | 32 +++++ scripts/gcc-plugins/randomize_layout_plugin.c | 40 ++---- sound/pci/hda/patch_hdmi.c | 1 + sound/usb/mixer_quirks.c | 2 + tools/perf/util/bpf-event.c | 39 ++++-- 66 files changed, 600 insertions(+), 264 deletions(-)

1 month, 3 weeks

10
76
0 0

[PATCH 5/7 5.10.y] minmax: allow min()/max()/clamp() if the arguments have the same signedness.

by Eliav Farber

From: David Laight <David.Laight(a)ACULAB.COM> commit d03eba99f5bf7cbc6e2fdde3b6fa36954ad58e09 upstream. The type-check in min()/max() is there to stop unexpected results if a negative value gets converted to a large unsigned value. However it also rejects 'unsigned int' v 'unsigned long' compares which are common and never problematc. Replace the 'same type' check with a 'same signedness' check. The new test isn't itself a compile time error, so use static_assert() to report the error and give a meaningful error message. Due to the way builtin_choose_expr() works detecting the error in the 'non-constant' side (where static_assert() can be used) also detects errors when the arguments are constant. Link: https://lkml.kernel.org/r/fe7e6c542e094bfca655abcd323c1c98@AcuMS.aculab.com Signed-off-by: David Laight <david.laight(a)aculab.com> Cc: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason A. Donenfeld <Jason(a)zx2c4.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> (cherry picked from commit d03eba99f5bf7cbc6e2fdde3b6fa36954ad58e09) Signed-off-by: SeongJae Park <sj(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Eliav Farber <farbere(a)amazon.com> --- include/linux/minmax.h | 60 ++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 28 deletions(-) diff --git a/include/linux/minmax.h b/include/linux/minmax.h index e8e9642809e0..501fab582d68 100644 --- a/include/linux/minmax.h +++ b/include/linux/minmax.h @@ -11,9 +11,8 @@ * * - avoid multiple evaluations of the arguments (so side-effects like * "x++" happen only once) when non-constant. - * - perform strict type-checking (to generate warnings instead of - * nasty runtime surprises). See the "unnecessary" pointer comparison - * in __typecheck(). + * - perform signed v unsigned type-checking (to generate compile + * errors instead of nasty runtime surprises). * - retain result as a constant expressions when called with only * constant expressions (to avoid tripping VLA warnings in stack * allocation usage). @@ -21,23 +20,30 @@ #define __typecheck(x, y) \ (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) -#define __no_side_effects(x, y) \ - (__is_constexpr(x) && __is_constexpr(y)) +/* is_signed_type() isn't a constexpr for pointer types */ +#define __is_signed(x) \ + __builtin_choose_expr(__is_constexpr(is_signed_type(typeof(x))), \ + is_signed_type(typeof(x)), 0) -#define __safe_cmp(x, y) \ - (__typecheck(x, y) && __no_side_effects(x, y)) +#define __types_ok(x, y) \ + (__is_signed(x) == __is_signed(y)) -#define __cmp(x, y, op) ((x) op (y) ? (x) : (y)) +#define __cmp_op_min < +#define __cmp_op_max > -#define __cmp_once(x, y, unique_x, unique_y, op) ({ \ +#define __cmp(op, x, y) ((x) __cmp_op_##op (y) ? (x) : (y)) + +#define __cmp_once(op, x, y, unique_x, unique_y) ({ \ typeof(x) unique_x = (x); \ typeof(y) unique_y = (y); \ - __cmp(unique_x, unique_y, op); }) + static_assert(__types_ok(x, y), \ + #op "(" #x ", " #y ") signedness error, fix types or consider u" #op "() before " #op "_t()"); \ + __cmp(op, unique_x, unique_y); }) -#define __careful_cmp(x, y, op) \ - __builtin_choose_expr(__safe_cmp(x, y), \ - __cmp(x, y, op), \ - __cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op)) +#define __careful_cmp(op, x, y) \ + __builtin_choose_expr(__is_constexpr((x) - (y)), \ + __cmp(op, x, y), \ + __cmp_once(op, x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y))) #define __clamp(val, lo, hi) \ ((val) >= (hi) ? (hi) : ((val) <= (lo) ? (lo) : (val))) @@ -46,17 +52,15 @@ typeof(val) unique_val = (val); \ typeof(lo) unique_lo = (lo); \ typeof(hi) unique_hi = (hi); \ + static_assert(__builtin_choose_expr(__is_constexpr((lo) > (hi)), \ + (lo) <= (hi), true), \ + "clamp() low limit " #lo " greater than high limit " #hi); \ + static_assert(__types_ok(val, lo), "clamp() 'lo' signedness error"); \ + static_assert(__types_ok(val, hi), "clamp() 'hi' signedness error"); \ __clamp(unique_val, unique_lo, unique_hi); }) -#define __clamp_input_check(lo, hi) \ - (BUILD_BUG_ON_ZERO(__builtin_choose_expr( \ - __is_constexpr((lo) > (hi)), (lo) > (hi), false))) - #define __careful_clamp(val, lo, hi) ({ \ - __clamp_input_check(lo, hi) + \ - __builtin_choose_expr(__typecheck(val, lo) && __typecheck(val, hi) && \ - __typecheck(hi, lo) && __is_constexpr(val) && \ - __is_constexpr(lo) && __is_constexpr(hi), \ + __builtin_choose_expr(__is_constexpr((val) - (lo) + (hi)), \ __clamp(val, lo, hi), \ __clamp_once(val, lo, hi, __UNIQUE_ID(__val), \ __UNIQUE_ID(__lo), __UNIQUE_ID(__hi))); }) @@ -66,14 +70,14 @@ * @x: first value * @y: second value */ -#define min(x, y) __careful_cmp(x, y, <) +#define min(x, y) __careful_cmp(min, x, y) /** * max - return maximum of two values of the same or compatible types * @x: first value * @y: second value */ -#define max(x, y) __careful_cmp(x, y, >) +#define max(x, y) __careful_cmp(max, x, y) /** * umin - return minimum of two non-negative values @@ -82,7 +86,7 @@ * @y: second value */ #define umin(x, y) \ - __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, <) + __careful_cmp(min, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull) /** * umax - return maximum of two non-negative values @@ -90,7 +94,7 @@ * @y: second value */ #define umax(x, y) \ - __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, >) + __careful_cmp(max, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull) /** * min3 - return minimum of three values @@ -142,7 +146,7 @@ * @x: first value * @y: second value */ -#define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <) +#define min_t(type, x, y) __careful_cmp(min, (type)(x), (type)(y)) /** * max_t - return maximum of two values, using the specified type @@ -150,7 +154,7 @@ * @x: first value * @y: second value */ -#define max_t(type, x, y) __careful_cmp((type)(x), (type)(y), >) +#define max_t(type, x, y) __careful_cmp(max, (type)(x), (type)(y)) /** * clamp_t - return a value clamped to a given range using a given type -- 2.47.3

1 month, 3 weeks

2
1
0 0

[PATCH 5.10 0/4] x86/speculation: Make {JMP,CALL}_NOSPEC Consistent

by Suraj Jitindar Singh

The 4 patches in this series make the JMP_NOSPEC and CALL_NOSPEC macros used in the kernel consistent with what is generated by the compiler. ("x86,nospec: Simplify {JMP,CALL}_NOSPEC") was merged in v6.0 and the remaining 3 patches in this series were merged in v6.15. All 4 were included in kernels v5.15+ as prerequisites for the backport of the ITS mitigations [1]. None of these patches were included in the backport of the ITS mitigations to the 5.10 kernel [2]. They all apply cleanly and are applicable to the 5.10 kernel. Thus I see no reason that they weren't applied here, unless someone can correct me? I am sending them for inclusion in the 5.10 kernel as this kernel is still actively maintained for these kind of vulnerability mitigations and as such having these patches will unify the handling of these cases with subsequent kernel versions easing code understanding and the ease of backports in the future. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… [2] https://lore.kernel.org/stable/20250617-its-5-10-v2-0-3e925a1512a1@linux.in… Pawan Gupta (3): x86/speculation: Simplify and make CALL_NOSPEC consistent x86/speculation: Add a conditional CS prefix to CALL_NOSPEC x86/speculation: Remove the extra #ifdef around CALL_NOSPEC Peter Zijlstra (1): x86,nospec: Simplify {JMP,CALL}_NOSPEC arch/x86/include/asm/nospec-branch.h | 46 ++++++++++++++++++---------- 1 file changed, 30 insertions(+), 16 deletions(-) -- 2.34.1

1 month, 3 weeks

4
10
0 0

FAILED: patch "[PATCH] phy: ti: omap-usb2: fix device leak at unbind" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 64961557efa1b98f375c0579779e7eeda1a02c42 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091752-dizziness-decorated-ee3a@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 64961557efa1b98f375c0579779e7eeda1a02c42 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan(a)kernel.org> Date: Thu, 24 Jul 2025 15:12:05 +0200 Subject: [PATCH] phy: ti: omap-usb2: fix device leak at unbind Make sure to drop the reference to the control device taken by of_find_device_by_node() during probe when the driver is unbound. Fixes: 478b6c7436c2 ("usb: phy: omap-usb2: Don't use omap_get_control_dev()") Cc: stable(a)vger.kernel.org # 3.13 Cc: Roger Quadros <rogerq(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> Link: https://lore.kernel.org/r/20250724131206.2211-3-johan@kernel.org Signed-off-by: Vinod Koul <vkoul(a)kernel.org> diff --git a/drivers/phy/ti/phy-omap-usb2.c b/drivers/phy/ti/phy-omap-usb2.c index c1a0ef979142..c444bb2530ca 100644 --- a/drivers/phy/ti/phy-omap-usb2.c +++ b/drivers/phy/ti/phy-omap-usb2.c @@ -363,6 +363,13 @@ static void omap_usb2_init_errata(struct omap_usb *phy) phy->flags |= OMAP_USB2_DISABLE_CHRG_DET; } +static void omap_usb2_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static int omap_usb2_probe(struct platform_device *pdev) { struct omap_usb *phy; @@ -373,6 +380,7 @@ static int omap_usb2_probe(struct platform_device *pdev) struct device_node *control_node; struct platform_device *control_pdev; const struct usb_phy_data *phy_data; + int ret; phy_data = device_get_match_data(&pdev->dev); if (!phy_data) @@ -423,6 +431,11 @@ static int omap_usb2_probe(struct platform_device *pdev) return -EINVAL; } phy->control_dev = &control_pdev->dev; + + ret = devm_add_action_or_reset(&pdev->dev, omap_usb2_put_device, + phy->control_dev); + if (ret) + return ret; } else { if (of_property_read_u32_index(node, "syscon-phy-power", 1,

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: fix memory leak regression when freeing xhci vdev" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x edcbe06453ddfde21f6aa763f7cab655f26133cc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091758-flask-diligence-4c70@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From edcbe06453ddfde21f6aa763f7cab655f26133cc Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Tue, 2 Sep 2025 13:53:06 +0300 Subject: [PATCH] xhci: fix memory leak regression when freeing xhci vdev devices depth first Suspend-resume cycle test revealed a memory leak in 6.17-rc3 Turns out the slot_id race fix changes accidentally ends up calling xhci_free_virt_device() with an incorrect vdev parameter. The vdev variable was reused for temporary purposes right before calling xhci_free_virt_device(). Fix this by passing the correct vdev parameter. The slot_id race fix that caused this regression was targeted for stable, so this needs to be applied there as well. Fixes: 2eb03376151b ("usb: xhci: Fix slot_id resource race conflict") Reported-by: David Wang <00107082(a)163.com> Closes: https://lore.kernel.org/linux-usb/20250829181354.4450-1-00107082@163.com Suggested-by: Michal Pecio <michal.pecio(a)gmail.com> Suggested-by: David Wang <00107082(a)163.com> Cc: stable(a)vger.kernel.org Tested-by: David Wang <00107082(a)163.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250902105306.877476-4-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index 81eaad87a3d9..c4a6544aa107 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -962,7 +962,7 @@ static void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_i out: /* we are now at a leaf device */ xhci_debugfs_remove_slot(xhci, slot_id); - xhci_free_virt_device(xhci, vdev, slot_id); + xhci_free_virt_device(xhci, xhci->devs[slot_id], slot_id); } int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: fix memory leak regression when freeing xhci vdev" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x edcbe06453ddfde21f6aa763f7cab655f26133cc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091757-filler-dispose-635b@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From edcbe06453ddfde21f6aa763f7cab655f26133cc Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Tue, 2 Sep 2025 13:53:06 +0300 Subject: [PATCH] xhci: fix memory leak regression when freeing xhci vdev devices depth first Suspend-resume cycle test revealed a memory leak in 6.17-rc3 Turns out the slot_id race fix changes accidentally ends up calling xhci_free_virt_device() with an incorrect vdev parameter. The vdev variable was reused for temporary purposes right before calling xhci_free_virt_device(). Fix this by passing the correct vdev parameter. The slot_id race fix that caused this regression was targeted for stable, so this needs to be applied there as well. Fixes: 2eb03376151b ("usb: xhci: Fix slot_id resource race conflict") Reported-by: David Wang <00107082(a)163.com> Closes: https://lore.kernel.org/linux-usb/20250829181354.4450-1-00107082@163.com Suggested-by: Michal Pecio <michal.pecio(a)gmail.com> Suggested-by: David Wang <00107082(a)163.com> Cc: stable(a)vger.kernel.org Tested-by: David Wang <00107082(a)163.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250902105306.877476-4-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index 81eaad87a3d9..c4a6544aa107 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -962,7 +962,7 @@ static void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_i out: /* we are now at a leaf device */ xhci_debugfs_remove_slot(xhci, slot_id); - xhci_free_virt_device(xhci, vdev, slot_id); + xhci_free_virt_device(xhci, xhci->devs[slot_id], slot_id); } int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: fix memory leak regression when freeing xhci vdev" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x edcbe06453ddfde21f6aa763f7cab655f26133cc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091757-subsidy-arson-d8b7@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From edcbe06453ddfde21f6aa763f7cab655f26133cc Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Tue, 2 Sep 2025 13:53:06 +0300 Subject: [PATCH] xhci: fix memory leak regression when freeing xhci vdev devices depth first Suspend-resume cycle test revealed a memory leak in 6.17-rc3 Turns out the slot_id race fix changes accidentally ends up calling xhci_free_virt_device() with an incorrect vdev parameter. The vdev variable was reused for temporary purposes right before calling xhci_free_virt_device(). Fix this by passing the correct vdev parameter. The slot_id race fix that caused this regression was targeted for stable, so this needs to be applied there as well. Fixes: 2eb03376151b ("usb: xhci: Fix slot_id resource race conflict") Reported-by: David Wang <00107082(a)163.com> Closes: https://lore.kernel.org/linux-usb/20250829181354.4450-1-00107082@163.com Suggested-by: Michal Pecio <michal.pecio(a)gmail.com> Suggested-by: David Wang <00107082(a)163.com> Cc: stable(a)vger.kernel.org Tested-by: David Wang <00107082(a)163.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250902105306.877476-4-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index 81eaad87a3d9..c4a6544aa107 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -962,7 +962,7 @@ static void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_i out: /* we are now at a leaf device */ xhci_debugfs_remove_slot(xhci, slot_id); - xhci_free_virt_device(xhci, vdev, slot_id); + xhci_free_virt_device(xhci, xhci->devs[slot_id], slot_id); } int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: fix memory leak regression when freeing xhci vdev" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x edcbe06453ddfde21f6aa763f7cab655f26133cc # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091756-outskirts-monetize-6f6b@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From edcbe06453ddfde21f6aa763f7cab655f26133cc Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Tue, 2 Sep 2025 13:53:06 +0300 Subject: [PATCH] xhci: fix memory leak regression when freeing xhci vdev devices depth first Suspend-resume cycle test revealed a memory leak in 6.17-rc3 Turns out the slot_id race fix changes accidentally ends up calling xhci_free_virt_device() with an incorrect vdev parameter. The vdev variable was reused for temporary purposes right before calling xhci_free_virt_device(). Fix this by passing the correct vdev parameter. The slot_id race fix that caused this regression was targeted for stable, so this needs to be applied there as well. Fixes: 2eb03376151b ("usb: xhci: Fix slot_id resource race conflict") Reported-by: David Wang <00107082(a)163.com> Closes: https://lore.kernel.org/linux-usb/20250829181354.4450-1-00107082@163.com Suggested-by: Michal Pecio <michal.pecio(a)gmail.com> Suggested-by: David Wang <00107082(a)163.com> Cc: stable(a)vger.kernel.org Tested-by: David Wang <00107082(a)163.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250902105306.877476-4-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index 81eaad87a3d9..c4a6544aa107 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -962,7 +962,7 @@ static void xhci_free_virt_devices_depth_first(struct xhci_hcd *xhci, int slot_i out: /* we are now at a leaf device */ xhci_debugfs_remove_slot(xhci, slot_id); - xhci_free_virt_device(xhci, vdev, slot_id); + xhci_free_virt_device(xhci, xhci->devs[slot_id], slot_id); } int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id,

1 month, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] xhci: dbc: Fix full DbC transfer ring after several" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x a5c98e8b1398534ae1feb6e95e2d3ee5215538ed # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025091734-scouts-eligible-d693@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a5c98e8b1398534ae1feb6e95e2d3ee5215538ed Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Tue, 2 Sep 2025 13:53:05 +0300 Subject: [PATCH] xhci: dbc: Fix full DbC transfer ring after several reconnects Pending requests will be flushed on disconnect, and the corresponding TRBs will be turned into No-op TRBs, which are ignored by the xHC controller once it starts processing the ring. If the USB debug cable repeatedly disconnects before ring is started then the ring will eventually be filled with No-op TRBs. No new transfers can be queued when the ring is full, and driver will print the following error message: "xhci_hcd 0000:00:14.0: failed to queue trbs" This is a normal case for 'in' transfers where TRBs are always enqueued in advance, ready to take on incoming data. If no data arrives, and device is disconnected, then ring dequeue will remain at beginning of the ring while enqueue points to first free TRB after last cancelled No-op TRB. s Solve this by reinitializing the rings when the debug cable disconnects and DbC is leaving the configured state. Clear the whole ring buffer and set enqueue and dequeue to the beginning of ring, and set cycle bit to its initial state. Cc: stable(a)vger.kernel.org Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Link: https://lore.kernel.org/r/20250902105306.877476-3-mathias.nyman@linux.intel… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/host/xhci-dbgcap.c b/drivers/usb/host/xhci-dbgcap.c index d0faff233e3e..63edf2d8f245 100644 --- a/drivers/usb/host/xhci-dbgcap.c +++ b/drivers/usb/host/xhci-dbgcap.c @@ -462,6 +462,25 @@ static void xhci_dbc_ring_init(struct xhci_ring *ring) xhci_initialize_ring_info(ring); } +static int xhci_dbc_reinit_ep_rings(struct xhci_dbc *dbc) +{ + struct xhci_ring *in_ring = dbc->eps[BULK_IN].ring; + struct xhci_ring *out_ring = dbc->eps[BULK_OUT].ring; + + if (!in_ring || !out_ring || !dbc->ctx) { + dev_warn(dbc->dev, "Can't re-init unallocated endpoints\n"); + return -ENODEV; + } + + xhci_dbc_ring_init(in_ring); + xhci_dbc_ring_init(out_ring); + + /* set ep context enqueue, dequeue, and cycle to initial values */ + xhci_dbc_init_ep_contexts(dbc); + + return 0; +} + static struct xhci_ring * xhci_dbc_ring_alloc(struct device *dev, enum xhci_ring_type type, gfp_t flags) { @@ -885,7 +904,7 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc) dev_info(dbc->dev, "DbC cable unplugged\n"); dbc->state = DS_ENABLED; xhci_dbc_flush_requests(dbc); - + xhci_dbc_reinit_ep_rings(dbc); return EVT_DISC; } @@ -895,7 +914,7 @@ static enum evtreturn xhci_dbc_do_handle_events(struct xhci_dbc *dbc) writel(portsc, &dbc->regs->portsc); dbc->state = DS_ENABLED; xhci_dbc_flush_requests(dbc); - + xhci_dbc_reinit_ep_rings(dbc); return EVT_DISC; }

1 month, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror