[Deepin-Kernel-SIG] [linux 6.18-y] [Upstream] Update kernel base to 6.18.22-p2 by opsiff · Pull Request #1624 · deepin-community/kernel

opsiff · 2026-04-14T03:52:28Z

Update kernel base to 6.18.22. #1613

git log --oneline v6.18.22~~177..v6.18.22~~77 | wc
100 922 7415

Summary by Sourcery

Update to upstream 6.18.22-p2 kernel base and pull in assorted subsystem fixes and small enhancements across SMB server, GPIO, IIO, DRM, USB, Bluetooth, hwmon, sched, architecture-specific code, and various drivers.

Bug Fixes:

Harden ksmbd security descriptor handling and response pinning for SMB2 query and open operations to avoid overflows and invalid buffer use.
Prevent races and use-after-free in the staging GPIB driver by reference-counting descriptors and blocking close while I/O is in progress.
Fix GPIO descriptor-to-hardware offset handling by consistently using gpiod_hwgpio() in core, sysfs, cdev, and Aspeed GPIO code.
Correct QAIC control path handling of deactivation and interrupted waits to avoid hangs and leaked DBC allocations.
Fix efidrm framebuffer mapping and error handling for different EFI memory types.
Prevent NULL and error handling mistakes in various IIO drivers (ti-adc161s626, ti-ads7950, ti-ads1119, ade9000, ad5770r, adxl313, adxl355, adxl380, adis16550, bno055, st_lsm6dsx, veml6070, vcnl4035, mpu3050).
Resolve races, state handling, or cleanup issues in MEI, usbio, usbtmc, usbio GPIB, and usb serial drivers (io_edgeport, option).
Fix multiple GPU driver issues in AMDGPU, amdkfd, AST, Intel i915, AMD display, QAIC accel, and Xe PXP, including reset locking, reserved VA sizes, clock/bounding-box updates, DSC timing adjustments, DP init, DMCUB FAMS gating, and PXP state transitions.
Address architecture-specific bugs for MIPS, RISC-V, and x86, including cache init, TLB uniquify allocation context, __multi3 intrinsic gating, kgdb register mappings, tagged address control, ACPI RIMT IOMMU linking, KCOV instrumentation for kexec paths, and physaddr.

[ Upstream commit b0db1accbc7395657c2b79db59fa9fae0d6656f3 ] check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern. Fixes: 20b2aff ("bpf: Introduce MEM_RDONLY flag") Signed-off-by: Qi Tang <tpluszz77@gmail.com> Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20260402092923.38357-2-tpluszz77@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 63276547debc4d8a73eefb2c5273b2a905c961b0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit eb7024bfcc5f68ed11ed9dd4891a3073c15f04a8 ] kprobe.multi programs run in atomic/RCU context and cannot sleep. However, bpf_kprobe_multi_link_attach() did not validate whether the program being attached had the sleepable flag set, allowing sleepable helpers such as bpf_copy_from_user() to be invoked from a non-sleepable context. This causes a "sleeping function called from invalid context" splat: BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:169 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1787, name: sudo preempt_count: 1, expected: 0 RCU nest depth: 2, expected: 0 Fix this by rejecting sleepable programs early in bpf_kprobe_multi_link_attach(), before any further processing. Fixes: 0dcac27 ("bpf: Add multi kprobe link") Signed-off-by: Varun R Mallya <varunrmallya@gmail.com> Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Acked-by: Leon Hwang <leon.hwang@linux.dev> Acked-by: Jiri Olsa <jolsa@kernel.org> Link: https://lore.kernel.org/r/20260401191126.440683-1-varunrmallya@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit dc9a060d76c12b23c5f378ee115d5e5d03d8bbf3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

…en calling drm_dev_unplug" commit 45ebe43ea00d6b9f5b3e0db9c35b8ca2a96b7e70 upstream. This reverts commit 6bee098b91417654703e17eb5c1822c6dfd0c01d. Den 2026-03-25 kl. 22:11, skrev Simona Vetter: > On Wed, Mar 25, 2026 at 10:26:40AM -0700, Guenter Roeck wrote: >> Hi, >> >> On Fri, Mar 13, 2026 at 04:17:27PM +0100, Maarten Lankhorst wrote: >>> When trying to do a rather aggressive test of igt's "xe_module_load >>> --r reload" with a full desktop environment and game running I noticed >>> a few OOPSes when dereferencing freed pointers, related to >>> framebuffers and property blobs after the compositor exits. >>> >>> Solve this by guarding the freeing in drm_file with drm_dev_enter/exit, >>> and immediately put the references from struct drm_file objects during >>> drm_dev_unplug(). >>> >> >> With this patch in v6.18.20, I get the warning backtraces below. >> The backtraces are gone with the patch reverted. > > Yeah, this needs to be reverted, reasoning below. Maarten, can you please > take care of that and feed the revert through the usual channels? I don't > think it's critical enough that we need to fast-track this into drm.git > directly. > > Quoting the patch here again: > >> drivers/gpu/drm/drm_file.c | 5 ++++- >> drivers/gpu/drm/drm_mode_config.c | 9 ++++++--- >> 2 files changed, 10 insertions(+), 4 deletions(-) >> >> diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c >> index ec82068..f52141f842a1f 100644 >> --- a/drivers/gpu/drm/drm_file.c >> +++ b/drivers/gpu/drm/drm_file.c >> @@ -233,6 +233,7 @@ static void drm_events_release(struct drm_file *file_priv) >> void drm_file_free(struct drm_file *file) >> { >> struct drm_device *dev; >> + int idx; >> >> if (!file) >> return; >> @@ -249,9 +250,11 @@ void drm_file_free(struct drm_file *file) >> >> drm_events_release(file); >> >> - if (drm_core_check_feature(dev, DRIVER_MODESET)) { >> + if (drm_core_check_feature(dev, DRIVER_MODESET) && >> + drm_dev_enter(dev, &idx)) { > > This is misplaced for two reasons: > > - Even if we'd want to guarantee that we hold a drm_dev_enter/exit > reference during framebuffer teardown, we'd need to do this > _consistently over all callsites. Not ad-hoc in just one place that a > testcase hits. This also means kerneldoc updates of the relevant hooks > and at least a bunch of acks from other driver people to document the > consensus. > > - More importantly, this is driver responsibilities in general unless we > have extremely good reasons to the contrary. Which means this must be > placed in xe. > >> drm_fb_release(file); >> drm_property_destroy_user_blobs(dev, file); >> + drm_dev_exit(idx); >> } >> >> if (drm_core_check_feature(dev, DRIVER_SYNCOBJ)) >> diff --git a/drivers/gpu/drm/drm_mode_config.c b/drivers/gpu/drm/drm_mode_config.c >> index 84ae8a23a3678..e349418978f79 100644 >> --- a/drivers/gpu/drm/drm_mode_config.c >> +++ b/drivers/gpu/drm/drm_mode_config.c >> @@ -583,10 +583,13 @@ void drm_mode_config_cleanup(struct drm_device *dev) >> */ >> WARN_ON(!list_empty(&dev->mode_config.fb_list)); >> list_for_each_entry_safe(fb, fbt, &dev->mode_config.fb_list, head) { >> - struct drm_printer p = drm_dbg_printer(dev, DRM_UT_KMS, "[leaked fb]"); >> + if (list_empty(&fb->filp_head) || drm_framebuffer_read_refcount(fb) > 1) { >> + struct drm_printer p = drm_dbg_printer(dev, DRM_UT_KMS, "[leaked fb]"); > > This is also wrong: > > - Firstly, it's a completely independent bug, we do not smash two bugfixes > into one patch. > > - Secondly, it's again a driver bug: drm_mode_cleanup must be called when > the last drm_device reference disappears (hence the existence of > drmm_mode_config_init), not when the driver gets unbound. The fact that > this shows up in a callchain from a devres cleanup means the intel > driver gets this wrong (like almost everyone else because historically > we didn't know better). > > If we don't follow this rule, then we get races with this code here > running concurrently with drm_file fb cleanups, which just does not > work. Review pointed that out, but then shrugged it off with a confused > explanation: > > https://lore.kernel.org/all/e61e64c796ccfb17ae673331a3df4b877bf42d82.camel@linux.intel.com/ > > Yes this also means a lot of the other drm_device teardown that drivers > do happens way too early. There is a massive can of worms here of a > magnitude that most likely is much, much bigger than what you can > backport to stable kernels. Hotunplug is _hard_. Back to the drawing board, and fixing it in the intel display driver instead. Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Fixes: 6bee098b9141 ("drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug") Reported-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Guenter Roeck <linux@roeck-us.net> Acked-by: Simona Vetter <simona.vetter@ffwll.ch> Signed-off-by: Maarten Lankhorst <dev@lankhorst.se> Link: https://patch.msgid.link/20260326082217.39941-2-dev@lankhorst.se Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 89c3a4ba60309cc6333a8f3940a1866fc21a9000) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 773ef9f95385bae52dcb7fd129fefba3a71a04db ] Fix an off-by-one error in the BNO055_SCAN_CH_COUNT macro. The count is derived by taking the difference of the last and first register addresses, dividing by the size of each channel (2 bytes). It needs to also add 1 to account for the fact that the count is inclusive of both the first and last channels. Thanks to the aligned_s64 timestamp field, there was already extra padding in the buffer, so there were no runtime issues caused by this bug. Fixes: 4aefe1c ("iio: imu: add Bosch Sensortec BNO055 core driver") Signed-off-by: David Lechner <dlechner@baylibre.com> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 9e5495d216bff04c91fd22448c2e0fc6b3b81486) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit df90053 ] This function takes a GPIO descriptor as first argument. Make its naming consistent with the rest of the GPIO codebase and use the gpiod_ prefix. Reviewed-by: Linus Walleij <linus.walleij@linaro.org> Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au> Link: https://lore.kernel.org/r/20251016-aspeed-gpiolib-include-v1-1-31201c06d124@linaro.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Stable-dep-of: 6df6ea4b3d15 ("gpiolib: clear requested flag if line is invalid") Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 606f88c162b274be03b6c8e9785dc3f1229f482b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 6df6ea4b3d1567dbe6442f308735c23b63007c7f ] If `gpiochip_line_is_valid()` fails, then `-EINVAL` is returned, but `desc->flags` will have `GPIOD_FLAG_REQUESTED` set, which will result in subsequent calls misleadingly returning `-EBUSY`. Fix that by clearing the flag in case of failure. Fixes: a501624 ("gpio: Respect valid_mask when requesting GPIOs") Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com> Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com> Link: https://patch.msgid.link/20260310204359.1202451-1-pobrn@protonmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 33b54c7793cf7a347b7d643efc175f933778cf8d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 2feec5ae5df785658924ab6bd91280dc3926507c ] When a DBC is released, the device sends a QAIC_TRANS_DEACTIVATE_FROM_DEV transaction to the host over the QAIC_CONTROL MHI channel. QAIC handles this by calling decode_deactivate() to release the resources allocated for that DBC. Since that handling is done in the qaic_manage_ioctl() context, if the user goes away before receiving and handling the deactivation, the host will be out-of-sync with the DBCs available for use, and the DBC resources will not be freed unless the device is removed. If another user loads and requests to activate a network, then the device assigns the same DBC to that network, QAIC will "indefinitely" wait for dbc->in_use = false, leading the user process to hang. As a solution to this, handle QAIC_TRANS_DEACTIVATE_FROM_DEV transactions that are received after the user has gone away. Fixes: 129776a ("accel/qaic: Add control path") Signed-off-by: Youssef Samir <youssef.abdulrahman@oss.qualcomm.com> Reviewed-by: Lizhi Hou <lizhi.hou@amd.com> Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com> Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com> Link: https://patch.msgid.link/20260205123415.3870898-1-youssef.abdulrahman@oss.qualcomm.com Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit f403094d9075d7c565a3d81002b781c325cb3c07) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 111a12b422a8cfa93deabaef26fec48237163214 ] validate_fixed_range() admits buf_addr at the exact end of the registered region when len is zero, because the check uses strict greater-than (buf_end > imu->ubuf + imu->len). io_import_fixed() then computes offset == imu->len, which causes the bvec skip logic to advance past the last bio_vec entry and read bv_offset from out-of-bounds slab memory. Return early from io_import_fixed() when len is zero. A zero-length import has no data to transfer and should not walk the bvec array at all. BUG: KASAN: slab-out-of-bounds in io_import_reg_buf+0x697/0x7f0 Read of size 4 at addr ffff888002bcc254 by task poc/103 Call Trace: io_import_reg_buf+0x697/0x7f0 io_write_fixed+0xd9/0x250 __io_issue_sqe+0xad/0x710 io_issue_sqe+0x7d/0x1100 io_submit_sqes+0x86a/0x23c0 __do_sys_io_uring_enter+0xa98/0x1590 Allocated by task 103: The buggy address is located 12 bytes to the right of allocated 584-byte region [ffff888002bcc000, ffff888002bcc248) Fixes: 8622b20 ("io_uring: add validate_fixed_range() for validate fixed buffer") Signed-off-by: Qi Tang <tpluszz77@gmail.com> Link: https://patch.msgid.link/20260329164936.240871-1-tpluszz77@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 040a1e7e0e2f01851fec1dd2d96906f8636a9f75) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 0e211f6aaa6a00fd0ee0c1eea5498f168c6725e6 ] i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack. Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access. Also fix a typo in the adjacent comment: "if present" instead of duplicate "if". Fixes: 75ca1e5 ("hwmon: (pmbus/tps53679) Add support for TPS53685") Signed-off-by: Sanman Pradhan <psanman@juniper.net> Link: https://lore.kernel.org/r/20260329170925.34581-2-sanman.pradhan@hpe.com Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 79b7e588399bb55f4c10bea6ca41b6c3b944d2bb) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit ccf70c41e562b29d1c05d1bbf53391785e09c6fb ] pxe1610_probe() writes PMBUS_PAGE to select page 0 but does not check the return value. If the write fails, subsequent register reads operate on an indeterminate page, leading to silent misconfiguration. Check the return value and propagate the error using dev_err_probe(), which also handles -EPROBE_DEFER correctly without log spam. Fixes: 344757b ("hwmon: (pmbus) Add Infineon PXE1610 VR driver") Signed-off-by: Sanman Pradhan <psanman@juniper.net> Link: https://lore.kernel.org/r/20260329170925.34581-4-sanman.pradhan@hpe.com [groeck: Fix "Fixes" SHA] Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 13b0cb9963652f132ba21840c30e45132535d937) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit a9d2fbd3ad0e6ac588386e699beeccfe7516755f ] ltc4286.c uses PMBus core symbols exported in the PMBUS namespace, such as pmbus_do_probe(), but does not declare MODULE_IMPORT_NS("PMBUS"). Add the missing namespace import to avoid modpost warnings. Fixes: 0c45975 ("hwmon: (pmbus) Add ltc4286 driver") Signed-off-by: Sanman Pradhan <psanman@juniper.net> Link: https://lore.kernel.org/r/20260329170925.34581-5-sanman.pradhan@hpe.com Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit dfe3a785ae7fce28dab809944a9eb47eca971328) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 6b5ef8c88854b343b733b574ea8754c9dab61f41 ] The GPIO controller on PolarFire SoC supports more than one type of interrupt and needs two interrupt cells. Fixes: 735806d ("dt-bindings: gpio: add bindings for microchip mpfs gpio") Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com> Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Link: https://patch.msgid.link/20260326-wise-gumdrop-49217723a72a@spud Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 3a8b66a84f0580061c342a12889a037845b0a9c4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 73cd1f97946ae3796544448ff12c07f399bb2881 ] The remove() callback returned early if pm_runtime_resume_and_get() failed, skipping the cleanup of spi controller and other resources. Remove the early return so cleanup completes regardless of PM resume result. Fixes: 79b8a70 ("spi: stm32: Add OSPI driver") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com> Link: https://patch.msgid.link/20260329-ospi-v1-1-cc8cf1c82c4a@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit b4ec54c974c6ea68b309989dcc3d3511068f45f3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 5a570c8d6e55689253f6fcc4a198c56cca7e39d6 ] When spi_register_controller() fails after reset_control_acquire() succeeds, the reset control is never released. This causes a resource leak in the error path. Add the missing reset_control_release() call in the error path. Fixes: cf2c3ec ("spi: stm32-ospi: Make usage of reset_control_acquire/release() API") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com> Link: https://patch.msgid.link/20260329-stm32-ospi-v1-1-142122466412@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit e8298e0cc68de7fb33926f2f473eeee19a3e9df9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit e2628e670bb0923fcdc00828bfcd67b26a7df020 ] If the PXP HW termination fails during PXP start, the normal completion code won't be called, so the termination will remain uncomplete. To avoid unnecessary waits, mark the termination as completed from the error path. Note that we already do this if the termination fails when handling a termination irq from the HW. Fixes: f8caa80 ("drm/xe/pxp: Add PXP queue tracking and session start") Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com> Cc: Alan Previn Teres Alexis <alan.previn.teres.alexis@intel.com> Cc: Julia Filipchuk <julia.filipchuk@intel.com> Reviewed-by: Julia Filipchuk <julia.filipchuk@intel.com> Link: https://patch.msgid.link/20260324153718.3155504-7-daniele.ceraolospurio@intel.com (cherry picked from commit 5d9e708d2a69ab1f64a17aec810cd7c70c5b9fab) Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit ec4530967192064b3df3e44e93f71b83b1a549b0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 4fed244954c2dc9aafa333d08f66b14345225e03 ] The default case of the PXP suspend switch is incorrectly exiting without releasing the lock. However, this case is impossible to hit because we're switching on an enum and all the valid enum values have their own cases. Therefore, we can just get rid of the default case and rely on the compiler to warn us if a new enum value is added and we forget to add it to the switch. Fixes: 5146221 ("drm/xe/pxp: add PXP PM support") Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com> Cc: Alan Previn Teres Alexis <alan.previn.teres.alexis@intel.com> Cc: Julia Filipchuk <julia.filipchuk@intel.com> Reviewed-by: Julia Filipchuk <julia.filipchuk@intel.com> Link: https://patch.msgid.link/20260324153718.3155504-8-daniele.ceraolospurio@intel.com (cherry picked from commit f1b5a77fc9b6a90cd9a5e3db9d4c73ae1edfcfac) Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 5633454e28d306e27ba70a107b23052da7b322c2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 76903b2057c8677c2c006e87fede15f496555dc0 ] If we don't clear the flag we'll keep jumping back at the beginning of the function once we reach the end. Fixes: ccd3c68 ("drm/xe/pxp: Decouple queue addition from PXP start") Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com> Cc: Julia Filipchuk <julia.filipchuk@intel.com> Reviewed-by: Julia Filipchuk <julia.filipchuk@intel.com> Link: https://patch.msgid.link/20260324153718.3155504-9-daniele.ceraolospurio@intel.com (cherry picked from commit 0850ec7bb2459602351639dccf7a68a03c9d1ee0) Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 9e962e68a9d26135af67c423767c0983d9ad94c3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

…dentify() [ Upstream commit ca34ee6d0307a0b4e52c870dfc1bb8a3c3eb956e ] tps53676_identify() uses strncmp() to compare the device ID buffer against a byte sequence containing embedded non-printable bytes (\x53\x67\x60). strncmp() is semantically wrong for binary data comparison; use memcmp() instead. Additionally, the buffer from i2c_smbus_read_block_data() is not NUL-terminated, so printing it with "%s" in the error path is undefined behavior and may read past the buffer. Use "%*ph" to hex-dump the actual bytes returned. Per the datasheet, the expected device ID is the 6-byte sequence 54 49 53 67 60 00 ("TI\x53\x67\x60\x00"), so compare all 6 bytes including the trailing NUL. Fixes: cb3d37b ("hwmon: (pmbus/tps53679) Add support for TI TPS53676") Signed-off-by: Sanman Pradhan <psanman@juniper.net> Link: https://lore.kernel.org/r/20260330155618.77403-1-sanman.pradhan@hpe.com Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit fdbfa1bf2c759c892429aa506b9b0a562d208533) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

…move() callback [ Upstream commit b0dc7e7c56573e7a52080f25f3179a45f3dd7e6f ] aml_sfc_probe() registers the on-host NAND ECC engine, but teardown was missing from both probe unwind and remove-time cleanup. Add a devm cleanup action after successful registration so nand_ecc_unregister_on_host_hw_engine() runs automatically on probe failures and during device removal. Fixes: 4670db6 ("spi: amlogic: add driver for Amlogic SPI Flash Controller") Signed-off-by: Felix Gu <ustc.gu@gmail.com> Link: https://patch.msgid.link/20260322-spifc-a4-v1-1-2dc5ebcbe0a9@gmail.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit ee4c064e37d4d0ddc5a7580933dbe79a2c6acafc) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 09773978879ecf71a7990fe9a28ce4eb92bce645 ] In occ_show_extended() case 0, when the EXTN_FLAG_SENSOR_ID flag is set, the sysfs_emit format string "%u" is missing the trailing newline that the sysfs ABI expects. The else branch correctly uses "%4phN\n", and all other show functions in this file include the trailing newline. Add the missing "\n" for consistency and correct sysfs output. Fixes: c10e753 ("hwmon (occ): Add sensor types and versions") Signed-off-by: Sanman Pradhan <psanman@juniper.net> Link: https://lore.kernel.org/r/20260326224510.294619-3-sanman.pradhan@hpe.com Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 6205de166dfb258209e23c5d2b5c7d35c145e833) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 5e77923a3eb39cce91bf08ed7670f816bf86d4af ] Fix incorrect error checking and memory type confusion in efidrm_device_create(). devm_memremap() returns error pointers, not NULL, and returns system memory while devm_ioremap() returns I/O memory. The code incorrectly passes system memory to iosys_map_set_vaddr_iomem(). Restructure to handle each memory type separately. Use devm_ioremap*() with ERR_PTR(-ENXIO) for WC/UC, and devm_memremap() with ERR_CAST() for WT/WB. Fixes: 32ae90c ("drm/sysfb: Add efidrm for EFI displays") Signed-off-by: Chen Ni <nichen@iscas.ac.cn> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Link: https://patch.msgid.link/20260311064652.2903449-1-nichen@iscas.ac.cn Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d16f8716c927fe18aa2b8056d7530cfd4a37c903) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit cffff6df669a438ecac506dadd49a53d4475a796 ] On the Asus PRIME X670E-PRO WIFI, the driver reports a constant value of zero for T_Sensor. On this board, the register for T_Sensor is at a different address, as found by experimentation and confirmed by comparison to an independent temperature reading. * sensor disconnected: -62.0°C * ambient temperature: +22.0°C * held between fingers: +30.0°C Introduce SENSOR_TEMP_T_SENSOR_ALT1 to support the PRIME X670E-PRO WIFI without causing a regression for other 600-series boards Fixes: e044475 ("hwmon: (asus-ec-sensors) add PRIME X670E-PRO WIFI") Signed-off-by: Corey Hickey <bugfood-c@fatooh.org> Link: https://lore.kernel.org/r/20260331215414.368785-1-bugfood-ml@fatooh.org [groeck: Fixed typo, updated Fixes: reference] Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d6fbc5750f382b23da83e2bd385ac67f3bef9942) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 43985a62bab9d35e5e9af41118ce2f44c01b97d2 ] Update CPU clock index to match the clock driver changes. Fixes: d34db68 ("clk: ralink: mtmips: fix clocks probe order in oldest ralink SoCs") Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com> Signed-off-by: Shiji Yang <yangshiji66@outlook.com> Reviewed-by: Sergio Paracuellos <sergio.paracuellos@gmail.com> Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit a99f94e4f28a3c289bd397d521de1187b6320158) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 1319ea57529e131822bab56bf417c8edc2db9ae8 ] John reported that stress-ng-yield could make his machine unhappy and managed to bisect it to commit b3d99f4 ("sched/fair: Fix zero_vruntime tracking"). The combination of yield and that commit was specific enough to hypothesize the following scenario: Suppose we have 2 runnable tasks, both doing yield. Then one will be eligible and one will not be, because the average position must be in between these two entities. Therefore, the runnable task will be eligible, and be promoted a full slice (all the tasks do is yield after all). This causes it to jump over the other task and now the other task is eligible and current is no longer. So we schedule. Since we are runnable, there is no {de,en}queue. All we have is the __{en,de}queue_entity() from {put_prev,set_next}_task(). But per the fingered commit, those two no longer move zero_vruntime. All that moves zero_vruntime are tick and full {de,en}queue. This means, that if the two tasks playing leapfrog can reach the critical speed to reach the overflow point inside one tick's worth of time, we're up a creek. Additionally, when multiple cgroups are involved, there is no guarantee the tick will in fact hit every cgroup in a timely manner. Statistically speaking it will, but that same statistics does not rule out the possibility of one cgroup not getting a tick for a significant amount of time -- however unlikely. Therefore, just like with the yield() case, force an update at the end of every slice. This ensures the update is never more than a single slice behind and the whole thing is within 2 lag bounds as per the comment on entity_key(). Fixes: b3d99f4 ("sched/fair: Fix zero_vruntime tracking") Reported-by: John Stultz <jstultz@google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org> Tested-by: K Prateek Nayak <kprateek.nayak@amd.com> Tested-by: John Stultz <jstultz@google.com> Link: https://patch.msgid.link/20260401132355.081530332@infradead.org Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 87573883c30f1a8555ff720836bb6ea231058539) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit dbde07f06226438cd2cf1179745fa1bec5d8914a ] Auto counter reload may have a group of events with software events present within it. The software event PMU isn't the x86_hybrid_pmu and a container_of operation in intel_pmu_set_acr_caused_constr (via the hybrid helper) could cause out of bound memory reads. Avoid this by guarding the call to intel_pmu_set_acr_caused_constr with an is_x86_event check. Fixes: ec980e4 ("perf/x86/intel: Support auto counter reload") Signed-off-by: Ian Rogers <irogers@google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Thomas Falcon <thomas.falcon@intel.com> Link: https://patch.msgid.link/20260312194305.1834035-1-irogers@google.com Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit e435a30ca6fe14c9611b1fc731c98a6d28410247) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 834911eb8eef2501485d819b4eabebadc25c3497 ] Fix several bugs in the RISC-V kgdb implementation: - The element of dbg_reg_def[] that is supposed to pertain to the S1 register embeds instead the struct pt_regs offset of the A1 register. Fix this to use the S1 register offset in struct pt_regs. - The sleeping_thread_to_gdb_regs() function copies the value of the S10 register into the gdb_regs[] array element meant for the S9 register, and copies the value of the S11 register into the array element meant for the S10 register. It also neglects to copy the value of the S11 register. Fix all of these issues. Fixes: fe89bd2 ("riscv: Add KGDB support") Cc: Vincent Chen <vincent.chen@sifive.com> Link: https://patch.msgid.link/fde376f8-bcfd-bfe4-e467-07d8f7608d05@kernel.org Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit e1425ff578c4a4b83654402071de4413af71e2ad) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 3033b2b1e3949274f33a140e2a97571b5a307298 ] In set_tagged_addr_ctrl(), when PR_TAGGED_ADDR_ENABLE is not set, pmlen is correctly set to 0, but it forgets to reset pmm. This results in the CPU pmm state not corresponding to the software pmlen state. Fix this by resetting pmm along with pmlen. Fixes: 2e17430 ("riscv: Add support for the tagged address ABI") Signed-off-by: Zishun Yi <vulab@iscas.ac.cn> Reviewed-by: Samuel Holland <samuel.holland@sifive.com> Link: https://patch.msgid.link/20260322160022.21908-1-vulab@iscas.ac.cn Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 50392cdfe95e0cd40b03ed95b50d3d53be3fa624) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 9156585280f161fc1c3552cf1860559edb2bb7e3 ] EPROBE_DEFER ensures IOMMU devices are probed before the devices that depend on them. During shutdown, however, the IOMMU may be removed first, leading to issues. To avoid this, a device link is added which enforces the correct removal order. Fixes: 8f77295 ("ACPI: RISC-V: Add support for RIMT") Signed-off-by: Sunil V L <sunilvl@oss.qualcomm.com> Link: https://patch.msgid.link/20260303061605.722949-1-sunilvl@oss.qualcomm.com Signed-off-by: Paul Walmsley <pjw@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1200f4240c07d4b507eebb3a7577ba1712fd3b7b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit f8995c2df519f382525ca4bc90553ad2ec611067 upstream. The drm compat ioctl path takes a user controlled pointer, and then dereferences it into a table of function pointers, the signature method of spectre problems. Fix this up by calling array_index_nospec() on the index to the function pointer list. Fixes: 505b524 ("drm/ioctl: Fix Spectre v1 vulnerabilities") Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com> Cc: Maxime Ripard <mripard@kernel.org> Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: David Airlie <airlied@gmail.com> Cc: Simona Vetter <simona@ffwll.ch> Cc: stable <stable@kernel.org> Assisted-by: gkh_clanker_2000 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Thomas Zimmermann <tzimmermann@suse.de> Acked-by: Maxime Ripard <mripard@kernel.org> Reviewed-by: Simona Vetter <simona@ffwll.ch> Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Link: https://patch.msgid.link/2026032451-playing-rummage-8fa2@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit f0e441be08a2eab10b2d06fccfa267ee599dd6b3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit ec327abae5edd1d5b60ea9f920212970133171d2 upstream. When declaring an immutable global variable in Rust, the compiler checks that it looks thread safe, because it is generally safe to access said global variable. When using C bindings types for these globals, we don't really want this check, because it is conservative and assumes pointers are not thread safe. In the case of BINDER_VM_OPS, this is a challenge when combined with the patch 'userfaultfd: introduce vm_uffd_ops' [1], which introduces a pointer field to vm_operations_struct. It previously only held function pointers, which are considered thread safe. Rust Binder should not be assuming that vm_operations_struct contains no pointer fields, so to fix this, use AssertSync (which Rust Binder has already declared for another similar global of type struct file_operations with the same problem). This ensures that even if another commit adds a pointer field to vm_operations_struct, this does not cause problems. Fixes: 8ef2c15aeae0 ("rust_binder: check ownership before using vma") Cc: stable <stable@kernel.org> Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202603121235.tpnRxFKO-lkp@intel.com/ Link: https://lore.kernel.org/r/20260306171815.3160826-8-rppt@kernel.org [1] Signed-off-by: Alice Ryhl <aliceryhl@google.com> Reviewed-by: Gary Guo <gary@garyguo.net> Link: https://patch.msgid.link/20260314111951.4139029-1-aliceryhl@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 20e2418b98369e9b1977e043661b85ee1037b675) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit bd66aa1c8b8cabf459064a46d3430a5ec5138418 upstream. FIELD_PREP(BIT(0), fifo_samples & BIT(8)) produces either 0 or 256, and since FIELD_PREP masks to bit 0, 256 & 1 evaluates to 0. Use !! to convert the result to a proper 0-or-1 value. Fixes: df36de1 ("iio: accel: add ADXL380 driver") Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b6d6f6e2e329fb4b8ac017832058e61a49ee7dec) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 9d3fa23d5d55a137fd4396d3d4799102587a7f2b upstream. Check the return value of the FIFO bypass regmap_write() before proceeding to disable interrupts. Fixes: ff8093f ("iio: accel: adxl313: add buffered FIFO watermark with interrupt handling") Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit d7161e8b6211a13da89797df8e23388e9cfbd214) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit c354521708175d776d896f8bdae44b18711eccb6 upstream. Return the error code from regmap_bulk_read() instead of 0 so that I/O failures are properly propagated. Fixes: cbbb819 ("iio: dac: ad5770r: Add AD5770R support") Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com> Cc: <stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 2ed3d9bc86b66edc547e0638f1ec90685faf409c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit ea7e2e43d768102e2601dbbda42041c78d7a99f9 upstream. The low-pass filter handlers for IIO_ANGL_VEL and IIO_ACCEL call each other's filter functions in both read_raw and write_raw. Swap them so each channel type uses its correct filter accessor. Fixes: bac4368 ("iio: imu: adis16550: add adis16550 support") Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com> Acked-by: Robert Budai <robert.budai@analog.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit b0e1fec0a0d07c506e1c6d5ec52c23f3834970cd) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit fdc7aa54a5d44c05880a4aad7cfb41aacfd16d7b upstream. Rework vcnl4035_trigger_consumer_handler() so that we are not passing what should be a u16 value as an int * to regmap_read(). This won't work on bit endian systems. Instead, add a new unsigned int variable to pass to regmap_read(). Then copy that value into the buffer struct. The buffer array is replaced with a struct since there is only one value being read. This allows us to use the correct u16 data type and has a side-effect of simplifying the alignment specification. Also fix the endianness of the scan format from little-endian to CPU endianness. Since we are using regmap to read the value, it will be CPU-endian. Fixes: 5570729 ("iio: light: Add support for vishay vcnl4035") Signed-off-by: David Lechner <dlechner@baylibre.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 0ad74c370e8de8ab7a72d07159df851c891ccdf0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit d0b224cf9ab12e86a4d1ca55c760dfaa5c19cbe7 upstream. veml6070_read() computes the sensor value in ret but returns 0 instead of the actual result. This causes veml6070_read_raw() to always report 0. Return the computed value instead of 0. Running make W=1 returns no errors. I was unable to test the patch because I do not have the hardware. Found by code inspection. Fixes: fc38525 ("iio: light: veml6070: use guard to handle mutex") Signed-off-by: Aldo Conte <aldocontelk@gmail.com> Reviewed-by: Nuno Sá <nuno.sa@analog.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 04d8f0a785dc0a859902a87d1adb1d98a3c4ae14) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

…g_pin() commit c05a87d9ec3bf8727a5d746ce855003c6f2f8bb4 upstream. If 'pin' is not one of its expected values, the value of 'int_out_ctrl_shift' is undefined. With UBSAN enabled, this causes Clang to generate undefined behavior, resulting in the following warning: drivers/iio/imu/bmi160/bmi160_core.o: warning: objtool: bmi160_setup_irq() falls through to next function __cfi_bmi160_core_runtime_resume() Prevent the UB and improve error handling by returning an error if 'pin' has an unexpected value. While at it, simplify the code a bit by moving the 'pin_name' assignment to the first switch statement. Fixes: 895bf81 ("iio:bmi160: add drdy interrupt support") Reported-by: Arnd Bergmann <arnd@arndb.de> Closes: https://lore.kernel.org/a426d669-58bb-4be1-9eaa-6f3d83109e2d@app.fastmail.com Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> Reviewed-by: Nuno Sá <nuno.sa@analog.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit d6e078c63409483a731324bbd1c26d365b4940a6) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 630748afa7030b272b7bee5df857e7bcf132ed51 upstream. The st_lsm6dsx_set_fifo_odr() function, which is called when enabling and disabling the hardware FIFO, checks the contents of the hw->settings->batch array at index sensor->id, and then sets the current ODR value in sensor registers that depend on whether the register address is set in the above array element. This logic is valid for internal sensors only, i.e. the accelerometer and gyroscope; however, since commit c91c1c8 ("iio: imu: st_lsm6dsx: add i2c embedded controller support"), this function is called also when configuring the hardware FIFO for external sensors (i.e. sensors accessed through the sensor hub functionality), which can result in unrelated device registers being written. Add a check to the beginning of st_lsm6dsx_set_fifo_odr() so that it does not touch any registers unless it is called for internal sensors. Fixes: c91c1c8 ("iio: imu: st_lsm6dsx: add i2c embedded controller support") Signed-off-by: Francesco Lavra <flavra@baylibre.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 7f14b52a81f9403ae7f3fe870f95644946d964f4) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit edb11a1aef4011a4b7b22cc3c3396c6fe371f4a6 upstream. The handler for the IRQ part of this driver is mpu3050->trig but, in the teardown free_irq() is called with handler mpu3050. Use correct IRQ handler when calling free_irq(). Fixes: 3904b28 ("iio: gyro: Add driver for the MPU-3050 gyroscope") Reviewed-by: Linus Walleij <linusw@kernel.org> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ac1233397f4cfe55d71f6aa459b42c256c951531) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 4216db1043a3be72ef9c2b7b9f393d7fa72496e6 upstream. The interrupt handler is setup but only a few lines down if iio_trigger_register() fails the function returns without properly releasing the handler. Add cleanup goto to resolve resource leak. Detected by Smatch: drivers/iio/gyro/mpu3050-core.c:1128 mpu3050_trigger_probe() warn: 'irq' from request_threaded_irq() not released on lines: 1124. Fixes: 3904b28 ("iio: gyro: Add driver for the MPU-3050 gyroscope") Reviewed-by: Linus Walleij <linusw@kernel.org> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 3a8e68d65a443de05061818823037931674740e0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 4c05799449108fb0e0a6bd30e65fffc71e60db4d upstream. iio_device_register() should be at the end of the probe function to prevent race conditions. Place iio_device_register() at the end of the probe function and place iio_device_unregister() accordingly. Fixes: 3904b28 ("iio: gyro: Add driver for the MPU-3050 gyroscope") Suggested-by: Jonathan Cameron <jic23@kernel.org> Reviewed-by: Linus Walleij <linusw@kernel.org> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit cc3de12a5612ee25df7fb549cb7b3e4cc8bfaf9c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit d14116f6529fa085b1a1b1f224dc9604e4d2a29c upstream. The triggered buffer is initialized before the IRQ is requested. The removal path currently calls iio_triggered_buffer_cleanup() before free_irq(). This violates the expected LIFO. Place free_irq() in the correct location relative to iio_triggered_buffer_cleanup(). Fixes: 3904b28 ("iio: gyro: Add driver for the MPU-3050 gyroscope") Suggested-by: Jonathan Cameron <jic23@kernel.org> Reviewed-by: Linus Walleij <linusw@kernel.org> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit fefd0bceac15faf2fbaf423c1d6e81412658ed5f) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 8c27b1bce059a11a8d3c8682984e13866f0714af upstream. After commit 2cedb29 ("mei: me: trigger link reset if hw ready is unexpected") some devices started to show long resume times (5-7 seconds). This happens as mei falsely detects unready hardware, starts parallel link reset flow and triggers link reset timeouts in the resume callback. Address it by performing detection of unready hardware only when driver is in the MEI_DEV_ENABLED state instead of blacklisting states as done in the original patch. This eliminates active waitqueue check as in MEI_DEV_ENABLED state there will be no active waitqueue. Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org> Reported-by: Todd Brandt <todd.e.brandt@linux.intel.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221023 Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com> Fixes: 2cedb29 ("mei: me: trigger link reset if hw ready is unexpected") Cc: stable <stable@kernel.org> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Link: https://patch.msgid.link/20260330083830.536056-1-alexander.usyskin@intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ffacfe07177d37cbf6548a4c40f0e7cb96f024f0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 5cefb52c1af6f69ea719e42788f6ec6a087eb74c upstream. The driver iterates over the registered USB interfaces during GPIB attach and takes a reference to their USB devices until a match is found. These references are never released which leads to a memory leak when devices are disconnected. Fix the leak by dropping the unnecessary references. Fixes: fce7951 ("staging: gpib: Add LPVO DIY USB GPIB driver") Cc: stable <stable@kernel.org> # 6.13 Cc: Dave Penkler <dpenkler@gmail.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20260310105127.17538-1-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 21f942879f86108b300a23683e67483f8c358fc7) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit dd36014ec6042f424ef51b923e607772f7502ee7 upstream. Another Silicon Motion flash drive also randomly work incorrectly (lsusb does not list the device) on Huawei hisi platforms during 500 reboot cycles, and the DELAY_INIT quirk fixes this issue. Signed-off-by: Miao Li <limiao@kylinos.cn> Cc: stable <stable@kernel.org> Link: https://patch.msgid.link/20260319053927.264840-1-limiao870622@163.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 882bdb01ff12cdf9580c26b0cee7e6c412c32abd) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 01af542392b5d41fd659d487015a71f627accce3 upstream. When device_register() fails, ulpi_register() calls put_device() on ulpi->dev. The device release callback ulpi_dev_release() drops the OF node reference and frees ulpi, but the current error path in ulpi_register_interface() then calls kfree(ulpi) again, causing a double free. Let put_device() handle the cleanup through ulpi_dev_release() and avoid freeing ulpi again in ulpi_register_interface(). Fixes: 289fcff ("usb: add bus type for USB ULPI") Cc: stable <stable@kernel.org> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Link: https://patch.msgid.link/20260401025142.1398996-1-lgs201920130244@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 38c28fe25611099230f0965c925499bfcf46a795) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 8a768552f7a8276fb9e01d49773d2094ace7c8f1 upstream. When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed. Fixes: 4f3c8d6 ("usb: usbtmc: Support Read Status Byte with SRQ per file") Reported-by: syzbot+9a3c54f52bd1edbd975f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9a3c54f52bd1edbd975f Cc: stable <stable@kernel.org> Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com> Link: https://patch.msgid.link/20260312-usbtmc-flush-release-v1-1-5755e9f4336f@igalia.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 977b632db51d231dec0bc571089a5c2402674139) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

commit 33cfe0709b6bf1a7f1a16d5e8d65d003a71b6a21 upstream. When usb_submit_urb() fails in usbio_probe(), the previously allocated URB is never freed, causing a memory leak. Fix this by jumping to err_free_urb label to properly release the URB on the error path. Fixes: 121a0f8 ("usb: misc: Add Intel USBIO bridge driver") Cc: stable <stable@kernel.org> Signed-off-by: Felix Gu <ustc.gu@gmail.com> Reviewed-by: Oliver Neukum <oneukum@suse.com> Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com> Link: https://patch.msgid.link/20260331-usbio-v2-1-d8c48dad9463@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 65ff09f48b0e72e4049096a989723406aabcf091) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

sourcery-ai · 2026-04-14T03:52:36Z

Reviewer's Guide

Upstream rebase to Linux 6.18.22-p2 incorporating a wide set of bug fixes and small feature updates across subsystems (ksmbd, GPIO, IIO, hwmon, DRM/AMD, USB, Bluetooth, MIPS/RISCV arch code, etc.), with notable focus on correctness, race fixes, bounds checks, and ABI/behavioral compat improvements.

Class diagram for updated GPIB descriptor and IO paths

classDiagram
    class gpib_descriptor {
        +unsigned_int pad
        +int sad
        +atomic_t io_in_progress
        +atomic_t descriptor_busy
        +unsigned is_board
        +unsigned autopoll_enabled
    }

    class gpib_file_private {
        +struct_mutex descriptors_mutex
        +gpib_descriptor* descriptors[GPIB_MAX_NUM_DESCRIPTORS]
    }

    class gpib_board {
        +wait_queue_head_t wait
        +struct_list_head device_list
    }

    class read_ioctl {
        +int read_ioctl(gpib_file_private* file_priv, gpib_board* board, unsigned_long arg)
    }

    class write_ioctl {
        +int write_ioctl(gpib_file_private* file_priv, gpib_board* board, unsigned_long arg)
    }

    class command_ioctl {
        +int command_ioctl(gpib_file_private* file_priv, gpib_board* board, unsigned_long arg)
    }

    class wait_ioctl {
        +int wait_ioctl(gpib_file_private* file_priv, gpib_board* board, unsigned_long arg)
    }

    class close_dev_ioctl {
        +int close_dev_ioctl(file* filep, gpib_board* board, unsigned_long arg)
    }

    class init_gpib_descriptor {
        +void init_gpib_descriptor(gpib_descriptor* desc)
    }

    gpib_file_private "1" --> "*" gpib_descriptor : owns_descriptors
    gpib_descriptor "*" --> "1" gpib_board : associated_device

    read_ioctl --> gpib_file_private : locks_descriptors_mutex
    write_ioctl --> gpib_file_private : locks_descriptors_mutex
    command_ioctl --> gpib_file_private : locks_descriptors_mutex
    wait_ioctl --> gpib_file_private : locks_descriptors_mutex
    close_dev_ioctl --> gpib_file_private : locks_descriptors_mutex

    read_ioctl --> gpib_descriptor : atomic_inc descriptor_busy
    write_ioctl --> gpib_descriptor : atomic_inc descriptor_busy
    command_ioctl --> gpib_descriptor : atomic_inc descriptor_busy
    wait_ioctl --> gpib_descriptor : atomic_inc descriptor_busy
    read_ioctl --> gpib_descriptor : atomic_set io_in_progress
    write_ioctl --> gpib_descriptor : atomic_set io_in_progress
    command_ioctl --> gpib_descriptor : atomic_set io_in_progress

    read_ioctl --> gpib_board : wake_up_interruptible
    write_ioctl --> gpib_board : wake_up_interruptible
    command_ioctl --> gpib_board : wake_up_interruptible
    wait_ioctl --> gpib_board : ibwait

    close_dev_ioctl --> gpib_descriptor : checks descriptor_busy
    close_dev_ioctl --> gpib_board : decrement_open_device_count

    init_gpib_descriptor --> gpib_descriptor : initialize_fields

Class diagram for dev_rot_state quaternion scan buffer alignment and ABI compatibility

classDiagram
    class dev_rot_state {
        +struct_hid_sensor_hub_device* hsdev
        +struct_hid_sensor_common common_attributes
        +hid_sensor_hub_attribute_info quaternion
        +scan_struct scan
        +int scale_pre_decml
        +int scale_post_decml
        +int scale_precision
        +int value_offset
        +s64 timestamp
    }

    class scan_struct {
        +IIO_QUATERNION_s32 sampled_vals
        +aligned_s64 timestamp[2]
    }

    class IIO_QUATERNION_s32 {
        +s32 data[4]
    }

    class dev_rot_proc_event {
        +int dev_rot_proc_event(hid_sensor_hub_device* hsdev, unsigned_usage_id, void* buf, int size)
    }

    class iio_interfaces {
        +void iio_push_to_buffers(iio_dev* indio_dev, void* data)
        +s64 iio_get_time_ns(iio_dev* indio_dev)
    }

    dev_rot_state --> scan_struct : has
    scan_struct --> IIO_QUATERNION_s32 : contains

    dev_rot_proc_event --> dev_rot_state : updates_scan
    dev_rot_proc_event --> iio_interfaces : pushes_data

    dev_rot_proc_event : on_event()
    dev_rot_proc_event : step1 fill scan.sampled_vals
    dev_rot_proc_event : step2 if timestamp == 0 set from iio_get_time_ns
    dev_rot_proc_event : step3 scan.timestamp[0] = timestamp
    dev_rot_proc_event : step4 scan.timestamp[1] = timestamp
    dev_rot_proc_event : step5 iio_push_to_buffers(indio_dev, &scan)

File-Level Changes

Change	Details	Files
Harden ksmbd SMB2 security descriptor handling and IOV pinning to avoid buffer overflows and ensure correct response pinning.	Replace manual ACE counting and kmalloc with smb_acl_sec_desc_scratch_len() + kvzalloc() for sizing security descriptors. Add new helper smb_acl_sec_desc_scratch_len() that computes safe scratch buffer length with overflow checks. Refactor smb2_get_info_file/filesystem/sec to always pin responses via ksmbd_iov_pin_rsp/ksmbd_iov_pin_rsp_read and to validate max output length. Ensure errors in smb2_query_info map -EINVAL to STATUS_INVALID_PARAMETER when no status is set and consistently initialize StructureSize/OutputBufferOffset.	`fs/smb/server/smb2pdu.c` `fs/smb/server/smbacl.c` `fs/smb/server/smbacl.h`
Fix race conditions and lifetime issues in staging GPIB driver by protecting descriptors with a busy counter and mutex.	Move descriptor lookup under descriptors_mutex in read/command/write/wait ioctls and increment a new descriptor_busy refcount while I/O is in progress. Decrement descriptor_busy after I/O completion or error paths and wake waiters appropriately. Update close_dev_ioctl to fail with -EBUSY when descriptor_busy is non-zero, remove descriptor from table under lock, then free after adjusting device counts. Initialize descriptor_busy in init_gpib_descriptor and clarify semantics in gpib_types.h comments.	`drivers/staging/gpib/common/gpib_os.c` `drivers/staging/gpib/include/gpib_types.h`
Standardize use of gpiod_hwgpio() instead of gpio_chip_hwgpio() and harden GPIO core/cdev/sysfs paths.	Introduce gpiod_hwgpio() inline helper and replace gpio_chip_hwgpio() callers in core gpiolib, gpiolib-cdev, gpiolib-sysfs, and drivers that need hardware offsets. Fix error paths in gpiod_request_commit/export to clear REQUESTED flag on invalid line and improve debug messages. Ensure interrupts/IRQs use gpiod_hwgpio() consistently, including sysfs and cdev event reporting.	`drivers/gpio/gpiolib.c` `drivers/gpio/gpiolib-sysfs.c` `drivers/gpio/gpiolib-cdev.c` `drivers/gpio/gpio-aspeed.c` `drivers/gpio/gpiolib.h`
Multiple IIO driver fixes: alignment/endianness, buffer layout, IRQ handling, and error paths.	ti-adc161s626: use a small unaligned buffer and get_unaligned_be16/be24, and push properly structured scan data with timestamp. mpu3050: fix trigger probe/cleanup error paths, ensure IRQ freed with correct dev_id and iio_device_register ordered after trigger setup. hid-sensor-rotation: introduce IIO_DECLARE_QUATERNION and duplicate timestamp field to preserve buggy ABI while pushing via iio_push_to_buffers(). vcnl4035: switch to struct with aligned timestamp, use IIO_CPU endianness for ALS/prox channels, and fix regmap_read + buffer population. ade9000: fix IRQ thread error handling, correct AWATT vs AWATTOS register selection, and probe ordering (mutex before IRQs). ads1119: reinit completion only when IRQ is present and request IRQ with IRQF_NO_THREAD. bmi160: validate pin enum and simplify error logging using pin_name set in switch. adxl313/adxl355/adxl380/veml6070: small logic/return-value fixes (FIFO disable path, sign bit, FIFO samples high bit, and veml6070_read return).	`drivers/iio/adc/ti-adc161s626.c` `drivers/iio/gyro/mpu3050-core.c` `drivers/iio/orientation/hid-sensor-rotation.c` `drivers/iio/light/vcnl4035.c` `drivers/iio/adc/ade9000.c` `drivers/iio/adc/ti-ads1119.c` `drivers/iio/imu/bmi160/bmi160_core.c` `drivers/iio/accel/adxl313_core.c` `drivers/iio/accel/adxl355_core.c` `drivers/iio/accel/adxl380.c` `drivers/iio/light/veml6070.c`
USB and serial subsystem fixes: resource cleanup, quirks, and new device IDs.	usbio: on probe failure, free URB explicitly and propagate error; on success, keep behavior unchanged. usbtmc: in release, flush anchored URBs via usbtmc_draw_down() before dropping final ref. usb core quirks: add delayed-init quirk for another Silicon Motion flash ID and NO_LPM quirk for Razer Kiyo Pro. usb serial option/io_edgeport: add new MeiG Smart SRM825WN and Rolling RW135R-GL IDs, plus BlackBox IC135A OEM device; hook them into combined tables and product handling. lpvo_usb_gpib: drop extraneous usb_get_dev() refcounting when matching device paths.	`drivers/usb/misc/usbio.c` `drivers/usb/class/usbtmc.c` `drivers/usb/core/quirks.c` `drivers/usb/serial/option.c` `drivers/usb/serial/io_edgeport.c` `drivers/staging/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c` `drivers/usb/serial/io_usbvend.h`
DRM / GPU driver updates (AMD, Intel, AST, XE, sysfb, fb cleanup, etc.) for robustness and behavior fixes.	AMD amdgpu: guard ASIC reset in pmops_freeze with reset_domain lock; validate doorbell_offset against BO size in userq; adjust reserved VA sizes and trap area; tweak SMU fw-version logging to be less noisy; in psp_v11, treat S4 like S3 for TOS unloading; avoid unexpected error on PXP suspend state; fix PASID idr allocation to use GFP_ATOMIC. AMD display: in dcn401_init_hw, recompute dchub_ref_freq_changed and call update_bw_bounding_box only when needed and when clk_mgr/bw_params are available. AMD KFD: tie CWSR TBA/TMA sizes to AMDGPU_GPU_PAGE_SIZE instead of PAGE_SIZE. Intel i915: in g4x_dp, only enable enhanced framing based on pipe_state.enhanced_framing; in icl_dsi, only scale link timings by DSC bpp in video mode; fix drm_ioc32 compat ioctl to use array_index_nospec. AST: correct SCU write for analog init to use proper offset. DRM sysfb/efidrm: remap framebuffer with appropriate API per memory attribute, check for errors for each path, and store into iosys_map; handle invalid mem_flags with -EINVAL. DRM core: in drm_mode_config_cleanup, always log leaked framebuffers and free them via refcount. DRM xe: fix PXP start state handling (restart init) and ensure termination completion is signaled on failure.	`drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c` `drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c` `drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h` `drivers/gpu/drm/amd/amdgpu/psp_v11_0.c` `drivers/gpu/drm/amd/amdkfd/kfd_priv.h` `drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c` `drivers/gpu/drm/i915/display/g4x_dp.c` `drivers/gpu/drm/i915/display/icl_dsi.c` `drivers/gpu/drm/drm_mode_config.c` `drivers/gpu/drm/drm_ioc32.c` `drivers/gpu/drm/ast/ast_dp501.c` `drivers/gpu/drm/xe/xe_pxp.c` `drivers/gpu/drm/sysfb/efidrm.c`
Networking and Bluetooth/security fixes (SMP, SMP MITM, io_uring, hci, WiFi).	Bluetooth SMP: derive STK auth flag from MITM flag rather than sec level, ensure MITM bit is set in auth_req when required, and reject pairing if only Just Works/Confirm is possible while requiring MITM. io_uring: validate sendmsg/recvmsg sqe->len is non-negative and treat zero-length fixed-buffer import specially by initializing an empty iterator. hci_sync: limit BIG create sync bis count to HCI_MAX_ISO_BIS to avoid overrun. iwlwifi: validate scan match info length against matches_len before processing to avoid OOB access. wilc1000: fix scan request buffer sizing by using u32 valuesize so large SSID lists are handled correctly.	`net/bluetooth/smp.c` `io_uring/net.c` `io_uring/rsrc.c` `net/bluetooth/hci_sync.c` `drivers/net/wireless/intel/iwlwifi/mvm/d3.c` `drivers/net/wireless/microchip/wilc1000/hif.c`
Arch and low-level scheduler/debugger fixes for MIPS and RISC-V (cache, TLB, kgdb, process tagging, multi3).	MIPS: extend __multi3 implementation workaround to GCC < 10; ensure r4k cache init also covers SB1 with 4k cache; allocate tlb_vpns with GFP_ATOMIC after boot; adjust clk_cpu idx for several SoCs; disable KCOV for machine_kexec_64 and physaddr.o to avoid crashes during kexec. RISC-V: fix dbg_reg_def and sleeping_thread_to_gdb_regs mappings for S-registers in kgdb; in set_tagged_addr_ctrl, ensure PMM PMA length is reset to PMLEN_0 and proper pmm when disabling tagged addresses; in ACPI RIMT iommu xlate, add DL_FLAG_AUTOREMOVE_CONSUMER device_link to preserve teardown ordering. process.c: tagged address control updated with proper pmlen/pmm when disabling PR_TAGGED_ADDR_ENABLE.	`arch/mips/lib/multi3.c` `arch/mips/mm/cache.c` `arch/mips/mm/tlb-r4k.c` `arch/mips/ralink/clk.c` `arch/x86/kernel/Makefile` `arch/x86/mm/Makefile` `arch/riscv/kernel/kgdb.c` `arch/riscv/kernel/process.c` `drivers/acpi/riscv/rimt.c`
Scheduler and BPF/tracing fixes for correctness and security.	CFS: move avg_vruntime() call from entity_tick() into update_deadline() so zero_vruntime advances on slice expiration instead of each tick; in yield_task_fair(), reuse update_deadline() rather than ad-hoc deadline increment. sched_ext: use scx_cpu_node_if_enabled() when locating waker node in scx_select_cpu_dfl to honor SCX node disabling. BPF verifier: disallow PTR_TO_BUF accesses when the type is nullable to avoid NULL dereference in helper memory accesses. bpf_kprobe_multi: reject sleepable programs for kprobe_multi links, enforcing non-sleepable constraint.	`kernel/sched/fair.c` `kernel/sched/ext_idle.c` `kernel/bpf/verifier.c` `kernel/trace/bpf_trace.c`
Misc driver fixes across input, HDA, hwmon/pmbus, SPI, SPI-NAND ECC, Android binder, MEI, AMD OCC, ADE, sensors, etc.	Input bcm5974: add a workqueue to reset "wellspring" mode when HID packets indicate we're out of mode; track last reset time to limit frequency and hook work into probe/disconnect. i8042: add DMI quirk for board X6KK45xU_X6SP45xU with standard serio quirks. xpad: add IDs for new Razer Wolverine V3 Pro variants and BETOP Xinput dongles. Realtek ALC codecs: add quirks for specific HP and ASUS boards to set appropriate mute LED and pin configs. hwmon OCC: refactor occ_get_powr_avg, fix power averaging to handle samples=0 safely, and ensure sensor_id extended attribute emits newline. pmbus tps53679/tps53676/pxe1610: harden IC_DEVICE_ID reading and logging, validate length and content; import PMBUS namespace in ltc4286; ensure PXE1610 sets page 0 with error handling. SPI: stm32-ospi cleanup (ensure reset_control_release on error; simpler remove path), spi-amlogic-spifc-a4 adds devm action to unregister ECC engine on teardown. Android binder Rust: wrap vm_ops in AssertSync and use it when comparing vm_ops; adjust comment to reflect use for C binding types. mei: change hw-ready interrupt handling to force link reset only in MEI_DEV_ENABLED state; otherwise, wake waiters to start device. sound: ctxfi add SPDIFI1 handling for SB0880, caiaq fix potential overflow of card->id when copying shortname, realtek alc269 new quirks. IIO BNO055: fix scan count macro to include final register; adc/aspeed: clear ref voltage bits before setting; hwmon/occ extended attribute prints newline; asus-ec-sensors add alternate T_Sensor definition. AMD PM SMU v11/12/14: keep debug log but drop info message about mismatched SMU driver IF version to reduce log spam. USB ulpi: on register_interface failure, return ERR_PTR directly without kfree to keep devm semantics intact.	`drivers/input/mouse/bcm5974.c` `drivers/input/serio/i8042-acpipnpio.h` `drivers/input/joystick/xpad.c` `sound/hda/codecs/realtek/alc269.c` `drivers/hwmon/occ/common.c` `drivers/hwmon/pmbus/tps53679.c` `drivers/hwmon/pmbus/pxe1610.c` `drivers/hwmon/pmbus/ltc4286.c` `drivers/spi/spi-stm32-ospi.c` `drivers/spi/spi-amlogic-spifc-a4.c` `drivers/android/binder/page_range.rs` `drivers/android/binder/rust_binder_main.rs` `drivers/misc/mei/hw-me.c` `drivers/hwmon/asus-ec-sensors.c` `drivers/iio/imu/bno055/bno055.c` `drivers/iio/adc/aspeed_adc.c` `sound/usb/caiaq/device.c` `sound/pci/ctxfi/ctdaio.c`

Tips and commands

Interacting with Sourcery

Trigger a new review: Comment @sourcery-ai review on the pull request.
Continue discussions: Reply directly to Sourcery's review comments.
Generate a GitHub issue from a review comment: Ask Sourcery to create an
issue from a review comment by replying to it. You can also reply to a
review comment with @sourcery-ai issue to create an issue from it.
Generate a pull request title: Write @sourcery-ai anywhere in the pull
request title to generate a title at any time. You can also comment
@sourcery-ai title on the pull request to (re-)generate the title at any time.
Generate a pull request summary: Write @sourcery-ai summary anywhere in
the pull request body to generate a PR summary at any time exactly where you
want it. You can also comment @sourcery-ai summary on the pull request to
(re-)generate the summary at any time.
Generate reviewer's guide: Comment @sourcery-ai guide on the pull
request to (re-)generate the reviewer's guide at any time.
Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
pull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
request to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment
@sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

Enable or disable review features such as the Sourcery-generated pull request
summary, the reviewer's guide, and others.
Change the review language.
Add, remove or edit custom review instructions.
Adjust other review settings.

Getting Help

Contact our support team for questions or feedback.
Visit our documentation for detailed guides and information.
Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

deepin-ci-robot · 2026-04-14T03:53:24Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from opsiff. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

sourcery-ai

Hey - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

Copilot

Pull request overview

Updates the Deepin-Kernel-SIG kernel base to upstream 6.18.22-p2, pulling in a broad set of upstream fixes across networking (SMB/Bluetooth), scheduling, crypto, DRM/GPU, USB, IIO, hwmon, GPIO, and multiple architecture-specific areas.

Changes:

Pulls in upstream bugfixes/hardening for SMB server (ksmbd), Bluetooth SMP/HCI, io_uring, and various drivers/subsystems.
Improves robustness/cleanup in several drivers (USB misc/class, SPI, staging GPIB, IIO sensors).
Includes arch-specific correctness fixes (x86 KCOV/kexec handling, RISC-V tagged addressing/kgdb, MIPS cache/TLB/libgcc intrinsic gating) and DT binding updates.

Reviewed changes

Copilot reviewed 94 out of 94 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
sound/usb/caiaq/device.c	Avoid card ID overflow (leave NUL)
sound/pci/ctxfi/ctdaio.c	Add missing SPDIFI1 device index
sound/hda/codecs/realtek/alc269.c	Add new ALC269/HP/ASUS quirks
net/bluetooth/smp.c	MITM/auth handling adjustments
net/bluetooth/hci_sync.c	Fix BIG create flex allocation sizing
lib/crypto/chacha-block-generic.c	Zeroize permuted state after use
kernel/trace/bpf_trace.c	Reject sleepable kprobe_multi programs
kernel/sched/fair.c	EEVDF deadline/avg_vruntime adjustments
kernel/sched/ext_idle.c	Use scx_cpu_node_if_enabled()
kernel/bpf/verifier.c	Refine PTR_TO_BUF access checks
io_uring/rsrc.c	Handle zero-length fixed import
io_uring/net.c	Reject negative send/recv lengths
include/linux/iio/iio.h	Add quaternion declaration helper macro
fs/smb/server/smbacl.h	Declare secdesc scratch sizing helper
fs/smb/server/smbacl.c	Add bounded scratch length computation
fs/smb/server/smb2pdu.c	ksmbd secdesc sizing + rsp pinning fixes
drivers/usb/serial/option.c	Add new modem device IDs
drivers/usb/serial/io_usbvend.h	Add ION Blackbox product ID
drivers/usb/serial/io_edgeport.c	Support new Edgeport rebrand ID
drivers/usb/misc/usbio.c	Fix URB submit error cleanup
drivers/usb/core/quirks.c	Add quirk entries (delay init / no LPM)
drivers/usb/common/ulpi.c	Adjust ULPI interface registration error path
drivers/usb/class/usbtmc.c	Flush anchored URBs on release
drivers/staging/gpib/lpvo_usb_gpib/lpvo_usb_gpib.c	Avoid usb_get_dev refcount misuse
drivers/staging/gpib/include/gpib_types.h	Add descriptor busy refcount
drivers/staging/gpib/common/gpib_os.c	Close-vs-IO race hardening
drivers/spi/spi-stm32-ospi.c	Fix probe/remove/reset+PM cleanup paths
drivers/spi/spi-amlogic-spifc-a4.c	Add devm action to unregister ECC engine
drivers/net/wireless/microchip/wilc1000/hif.c	Widen scan value size type
drivers/net/wireless/intel/iwlwifi/mvm/d3.c	Fix net-detect notif length validation
drivers/misc/mei/hw-me.c	IRQ-thread state handling adjustment
drivers/input/serio/i8042-acpipnpio.h	Add DMI quirk entry
drivers/input/rmi4/rmi_f54.c	Fix locking order in work handler
drivers/input/mouse/bcm5974.c	Add mode reset work for HID packet issue
drivers/input/joystick/xpad.c	Add new controller/dongle IDs
drivers/iio/orientation/hid-sensor-rotation.c	Quaternion alignment + ABI timestamp workaround
drivers/iio/light/veml6070.c	Return sensor value correctly
drivers/iio/light/vcnl4035.c	Fix trigger buffer handling + endianness
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c	Guard FIFO ODR config for external sensors
drivers/iio/imu/bno055/bno055.c	Fix scan channel count
drivers/iio/imu/bmi160/bmi160_core.c	Pin config validation + clearer errors
drivers/iio/imu/adis16550.c	Fix gyro/accel filter mapping
drivers/iio/gyro/mpu3050-core.c	Fix trigger IRQ cleanup + register ordering
drivers/iio/dac/ad5770r.c	Propagate read error correctly
drivers/iio/adc/ti-ads7950.c	Fix GPIO get return semantics
drivers/iio/adc/ti-ads1119.c	IRQ handling + conversion completion init
drivers/iio/adc/ti-adc161s626.c	Use unaligned helpers + correct scan push
drivers/iio/adc/aspeed_adc.c	Clear ref voltage bits before config
drivers/iio/adc/ade9000.c	Fix return codes + register selection + init ordering
drivers/iio/accel/adxl380.c	Fix FIFO sample bit setting
drivers/iio/accel/adxl355_core.c	Fix scan_type sign for channel
drivers/iio/accel/adxl313_core.c	Check FIFO_CTL write errors
drivers/hwmon/pmbus/tps53679.c	Harden ID reads + improved error output
drivers/hwmon/pmbus/pxe1610.c	Check PMBUS page select result
drivers/hwmon/pmbus/ltc4286.c	Add PMBUS import namespace
drivers/hwmon/occ/common.c	Fix formatting + reuse power avg helper
drivers/hwmon/asus-ec-sensors.c	Add alternate T_Sensor address support
drivers/gpu/drm/xe/xe_pxp.c	PXP start/termination state fixes
drivers/gpu/drm/sysfb/efidrm.c	Fix EFI fb mapping + error handling
drivers/gpu/drm/i915/display/icl_dsi.c	Gate DSC timing logic to video mode
drivers/gpu/drm/i915/display/g4x_dp.c	Use enhanced_framing from pipe config
drivers/gpu/drm/drm_mode_config.c	Adjust leaked framebuffer reporting/freeing
drivers/gpu/drm/drm_ioc32.c	Add nospec mitigation for compat ioctl index
drivers/gpu/drm/drm_file.c	Simplify modeset cleanup in file free
drivers/gpu/drm/ast/ast_dp501.c	Fix register write address
drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0.c	Remove noisy fw mismatch log
drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c	Remove noisy fw mismatch log
drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c	Remove noisy fw mismatch log
drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c	Safer bounding-box update conditions
drivers/gpu/drm/amd/amdkfd/kfd_priv.h	Use AMDGPU GPU page size constants
drivers/gpu/drm/amd/amdgpu/psp_v11_0.c	Handle S4 alongside S3 reset case
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h	Adjust reserved trap VA size
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c	Validate doorbell offset bounds
drivers/gpu/drm/amd/amdgpu/amdgpu_ids.c	Use GFP_ATOMIC under spinlock
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c	Serialize reset in freeze path
drivers/gpio/gpiolib.h	Rename helper to gpiod_hwgpio()
drivers/gpio/gpiolib.c	Use gpiod_hwgpio() + fix request error unwind
drivers/gpio/gpiolib-sysfs.c	Use gpiod_hwgpio() consistently
drivers/gpio/gpiolib-cdev.c	Use gpiod_hwgpio() consistently
drivers/gpio/gpio-aspeed.c	Use gpiod_hwgpio() consistently
drivers/android/binder/rust_binder_main.rs	Clarify Sync safety comment
drivers/android/binder/page_range.rs	Use AssertSync for static vm_ops
drivers/acpi/riscv/rimt.c	Add device link for shutdown removal ordering
drivers/accel/qaic/qaic_control.c	Fix deactivate/status handling and response parsing
arch/x86/mm/Makefile	Disable KCOV for physaddr.o
arch/x86/kernel/Makefile	Disable KCOV for machine_kexec_64.o
arch/x86/events/intel/core.c	Guard sibling ACR constr update for x86 events
arch/riscv/kernel/process.c	Fix disabling tagged addr control state
arch/riscv/kernel/kgdb.c	Fix register mapping/offsets
arch/mips/ralink/clk.c	Fix sysc node index selection
arch/mips/mm/tlb-r4k.c	Use GFP_ATOMIC for kmalloc in uniquify
arch/mips/mm/cache.c	Include SB1 in r4k_cache_init condition
arch/mips/lib/multi3.c	Update GCC gating for __multi3 workaround
Documentation/devicetree/bindings/gpio/microchip,mpfs-gpio.yaml	Fix interrupt-cells value + example

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-04-14T04:26:26Z

drivers/usb/common/ulpi.c

 	ulpi = kzalloc(sizeof(*ulpi), GFP_KERNEL);
 	if (!ulpi)
 		return ERR_PTR(-ENOMEM);

 	ulpi->ops = ops;

 	ret = ulpi_register(dev, ulpi);
-	if (ret) {
-		kfree(ulpi);
+	if (ret)
 		return ERR_PTR(ret);
-	}
+


ulpi_register_interface() allocates ulpi with kzalloc(), but if ulpi_register() fails the function returns ERR_PTR(ret) without freeing the allocated ulpi, leaking memory on the error path. Free the ulpi struct (and any other locally-owned resources, if added later) before returning the error.

Copilot · 2026-04-14T04:26:27Z

drivers/spi/spi-stm32-ospi.c

 static void stm32_ospi_remove(struct platform_device *pdev)
 {
 	struct stm32_ospi *ospi = platform_get_drvdata(pdev);
-	int ret;

-	ret = pm_runtime_resume_and_get(ospi->dev);
-	if (ret < 0)
-		return;
+	pm_runtime_resume_and_get(ospi->dev);

 	spi_unregister_controller(ospi->ctrl);


stm32_ospi_remove() now ignores the return value of pm_runtime_resume_and_get(). If that call fails, the runtime PM usage count won't be incremented (pm_runtime_resume_and_get() undoes the get on error), but the function will still run cleanup and later call pm_runtime_put_sync_suspend(), which can unbalance the PM usage count and potentially suspend an already-suspended device. Handle ret < 0 explicitly (e.g., skip the matching pm_runtime_put_sync_suspend() / use a boolean to track whether the get succeeded).

Copilot · 2026-04-14T04:26:27Z

drivers/accel/qaic/qaic_control.c

+
+			trans_hdr = (struct wire_trans_hdr *)(msg->data + len);
+			if (le32_to_cpu(trans_hdr->type) == QAIC_TRANS_DEACTIVATE_FROM_DEV) {
+				if (decode_deactivate(qdev, trans_hdr, &len, NULL))
+					len += le32_to_cpu(trans_hdr->len);
+			} else {
+				len += le32_to_cpu(trans_hdr->len);


resp_worker() parses device-provided message contents by advancing len with trans_hdr->len, but it doesn't validate that trans_hdr->len is non-zero/minimum-sized or that len + trans_len stays within msg_len. A malformed message (e.g., trans_hdr->len == 0 or too small) can cause an infinite loop and/or out-of-bounds reads. Add bounds checks (e.g., require trans_len >= sizeof(*trans_hdr) and len + trans_len <= msg_len; break or drop the packet on violation).

Suggested change

trans_hdr = (struct wire_trans_hdr *)(msg->data + len);

if (le32_to_cpu(trans_hdr->type) == QAIC_TRANS_DEACTIVATE_FROM_DEV) {

if (decode_deactivate(qdev, trans_hdr, &len, NULL))

len += le32_to_cpu(trans_hdr->len);

} else {

len += le32_to_cpu(trans_hdr->len);

u32 trans_len;

if (msg_len - len < sizeof(*trans_hdr))

break;

trans_hdr = (struct wire_trans_hdr *)(msg->data + len);

trans_len = le32_to_cpu(trans_hdr->len);

if (trans_len < sizeof(*trans_hdr) || trans_len > msg_len - len)

break;

if (le32_to_cpu(trans_hdr->type) == QAIC_TRANS_DEACTIVATE_FROM_DEV) {

if (decode_deactivate(qdev, trans_hdr, &len, NULL))

len += trans_len;

} else {

len += trans_len;

Qi Tang and others added 30 commits April 14, 2026 11:48

amiclaus and others added 18 commits April 14, 2026 11:48

deepin-ci-robot requested review from Ink-Paper, hello666888999 and winnscode April 14, 2026 03:53

sourcery-ai bot reviewed Apr 14, 2026

View reviewed changes

Avenger-285714 requested review from Avenger-285714 and Copilot April 14, 2026 04:19

Copilot started reviewing on behalf of Avenger-285714 April 14, 2026 04:21 View session

Copilot AI reviewed Apr 14, 2026

View reviewed changes

opsiff merged commit e1862af into deepin-community:linux-6.18.y Apr 14, 2026
13 of 15 checks passed

opsiff mentioned this pull request Apr 14, 2026

[Deepin-Kernel-SIG] [linux 6.18-y] [Upstream] Update kernel base to 6.18.22-p3 #1625

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Deepin-Kernel-SIG] [linux 6.18-y] [Upstream] Update kernel base to 6.18.22-p2#1624

[Deepin-Kernel-SIG] [linux 6.18-y] [Upstream] Update kernel base to 6.18.22-p2#1624
opsiff merged 100 commits intodeepin-community:linux-6.18.yfrom
opsiff:linux-6.18-update-6.18.22-p2

opsiff commented Apr 14, 2026 •

edited by sourcery-ai bot

Loading

Uh oh!

sourcery-ai bot commented Apr 14, 2026 •

edited

Loading

Interacting with Sourcery

Customizing Your Experience

Getting Help

Uh oh!

deepin-ci-robot commented Apr 14, 2026

Uh oh!

sourcery-ai bot left a comment

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Apr 14, 2026

Uh oh!

Copilot AI Apr 14, 2026

Uh oh!

Copilot AI Apr 14, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

Conversation

opsiff commented Apr 14, 2026 • edited by sourcery-ai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by Sourcery

Uh oh!

sourcery-ai bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviewer's Guide

Class diagram for updated GPIB descriptor and IO paths

Class diagram for dev_rot_state quaternion scan buffer alignment and ABI compatibility

File-Level Changes

Interacting with Sourcery

Customizing Your Experience

Getting Help

Uh oh!

deepin-ci-robot commented Apr 14, 2026

Uh oh!

sourcery-ai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Apr 14, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

opsiff commented Apr 14, 2026 •

edited by sourcery-ai bot

Loading

sourcery-ai bot commented Apr 14, 2026 •

edited

Loading