--- /dev/null
+From 7b22846f8af5ab2f267de9eb209fb1835ee9978c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20M=C3=BChlbacher?= <tmuehlbacher@posteo.net>
+Date: Thu, 19 Sep 2024 17:35:22 +0000
+Subject: can: {cc770,sja1000}_isa: allow building on x86_64
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Mühlbacher <tmuehlbacher@posteo.net>
+
+commit 7b22846f8af5ab2f267de9eb209fb1835ee9978c upstream.
+
+The ISA variable is only defined if X86_32 is also defined. However,
+these drivers are still useful and in use on at least some modern 64-bit
+x86 industrial systems as well. With the correct module parameters, they
+work as long as IO port communication is possible, despite their name
+having ISA in them.
+
+Fixes: a29689e60ed3 ("net: handle HAS_IOPORT dependencies")
+Signed-off-by: Thomas Mühlbacher <tmuehlbacher@posteo.net>
+Link: https://patch.msgid.link/20240919174151.15473-2-tmuehlbacher@posteo.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/cc770/Kconfig | 2 +-
+ drivers/net/can/sja1000/Kconfig | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/cc770/Kconfig b/drivers/net/can/cc770/Kconfig
+index 467ef19de1c1..aae25c2f849e 100644
+--- a/drivers/net/can/cc770/Kconfig
++++ b/drivers/net/can/cc770/Kconfig
+@@ -7,7 +7,7 @@ if CAN_CC770
+
+ config CAN_CC770_ISA
+ tristate "ISA Bus based legacy CC770 driver"
+- depends on ISA
++ depends on HAS_IOPORT
+ help
+ This driver adds legacy support for CC770 and AN82527 chips
+ connected to the ISA bus using I/O port, memory mapped or
+diff --git a/drivers/net/can/sja1000/Kconfig b/drivers/net/can/sja1000/Kconfig
+index 01168db4c106..2f516cc6d22c 100644
+--- a/drivers/net/can/sja1000/Kconfig
++++ b/drivers/net/can/sja1000/Kconfig
+@@ -87,7 +87,7 @@ config CAN_PLX_PCI
+
+ config CAN_SJA1000_ISA
+ tristate "ISA Bus based legacy SJA1000 driver"
+- depends on ISA
++ depends on HAS_IOPORT
+ help
+ This driver adds legacy support for SJA1000 chips connected to
+ the ISA bus using I/O port, memory mapped or indirect access.
+--
+2.47.0
+
--- /dev/null
+From e4de81f9e134c78ff7c75a00e43bd819643530d0 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 30 Sep 2024 19:02:30 +0200
+Subject: can: m_can: m_can_close(): don't call free_irq() for IRQ-less devices
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit e4de81f9e134c78ff7c75a00e43bd819643530d0 upstream.
+
+In commit b382380c0d2d ("can: m_can: Add hrtimer to generate software
+interrupt") support for IRQ-less devices was added. Instead of an
+interrupt, the interrupt routine is called by a hrtimer-based polling
+loop.
+
+That patch forgot to change free_irq() to be only called for devices
+with IRQs. Fix this, by calling free_irq() conditionally only if an
+IRQ is available for the device (and thus has been requested
+previously).
+
+Fixes: b382380c0d2d ("can: m_can: Add hrtimer to generate software interrupt")
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Link: https://patch.msgid.link/20240930-m_can-cleanups-v1-1-001c579cdee4@pengutronix.de
+Cc: <stable@vger.kernel.org> # v6.6+
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/m_can/m_can.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1764,7 +1764,8 @@ static int m_can_close(struct net_device
+ netif_stop_queue(dev);
+
+ m_can_stop(dev);
+- free_irq(dev->irq, dev);
++ if (dev->irq)
++ free_irq(dev->irq, dev);
+
+ m_can_clean(dev);
+
--- /dev/null
+From 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 1 Oct 2024 16:56:22 +0200
+Subject: can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a upstream.
+
+Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround
+broken TEF FIFO tail index erratum") introduced
+mcp251xfd_get_tef_len() to get the number of unhandled transmit events
+from the Transmit Event FIFO (TEF).
+
+As the TEF has no head pointer, the driver uses the TX FIFO's tail
+pointer instead, assuming that send frames are completed. However the
+check for the TEF being full was not correct. This leads to the driver
+stop working if the TEF is full.
+
+Fix the TEF full check by assuming that if, from the driver's point of
+view, there are no free TX buffers in the chip and the TX FIFO is
+empty, all messages must have been sent and the TEF must therefore be
+full.
+
+Reported-by: Sven Schuchmann <schuchmann@schleissheimer.de>
+Closes: https://patch.msgid.link/FR3P281MB155216711EFF900AD9791B7ED9692@FR3P281MB1552.DEUP281.PROD.OUTLOOK.COM
+Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum")
+Tested-by: Sven Schuchmann <schuchmann@schleissheimer.de>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20241104-mcp251xfd-fix-length-calculation-v3-1-608b6e7e2197@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+@@ -16,9 +16,9 @@
+
+ #include "mcp251xfd.h"
+
+-static inline bool mcp251xfd_tx_fifo_sta_full(u32 fifo_sta)
++static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta)
+ {
+- return !(fifo_sta & MCP251XFD_REG_FIFOSTA_TFNRFNIF);
++ return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF;
+ }
+
+ static inline int
+@@ -122,7 +122,11 @@ mcp251xfd_get_tef_len(struct mcp251xfd_p
+ if (err)
+ return err;
+
+- if (mcp251xfd_tx_fifo_sta_full(fifo_sta)) {
++ /* If the chip says the TX-FIFO is empty, but there are no TX
++ * buffers free in the ring, we assume all have been sent.
++ */
++ if (mcp251xfd_tx_fifo_sta_empty(fifo_sta) &&
++ mcp251xfd_get_tx_free(tx_ring) == 0) {
+ *len_p = tx_ring->obj_num;
+ return 0;
+ }
--- /dev/null
+From eb9a839b3d8a989be5970035a5cf29bcd6ffd24d Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 25 Oct 2024 14:34:40 +0200
+Subject: can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit eb9a839b3d8a989be5970035a5cf29bcd6ffd24d upstream.
+
+Since commit 50ea5449c563 ("can: mcp251xfd: fix ring configuration
+when switching from CAN-CC to CAN-FD mode"), the current ring and
+coalescing configuration is passed to can_ram_get_layout(). That fixed
+the issue when switching between CAN-CC and CAN-FD mode with
+configured ring (rx, tx) and/or coalescing parameters (rx-frames-irq,
+tx-frames-irq).
+
+However 50ea5449c563 ("can: mcp251xfd: fix ring configuration when
+switching from CAN-CC to CAN-FD mode"), introduced a regression when
+switching CAN modes with disabled coalescing configuration: Even if
+the previous CAN mode has no coalescing configured, the new mode is
+configured with active coalescing. This leads to delayed receiving of
+CAN-FD frames.
+
+This comes from the fact, that ethtool uses usecs = 0 and max_frames =
+1 to disable coalescing, however the driver uses internally
+priv->{rx,tx}_obj_num_coalesce_irq = 0 to indicate disabled
+coalescing.
+
+Fix the regression by assigning struct ethtool_coalesce
+ec->{rx,tx}_max_coalesced_frames_irq = 1 if coalescing is disabled in
+the driver as can_ram_get_layout() expects this.
+
+Reported-by: https://github.com/vdh-robothania
+Closes: https://github.com/raspberrypi/linux/issues/6407
+Fixes: 50ea5449c563 ("can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD mode")
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241025-mcp251xfd-fix-coalesing-v1-1-9d11416de1df@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
+@@ -2,7 +2,7 @@
+ //
+ // mcp251xfd - Microchip MCP251xFD Family CAN controller driver
+ //
+-// Copyright (c) 2019, 2020, 2021 Pengutronix,
++// Copyright (c) 2019, 2020, 2021, 2024 Pengutronix,
+ // Marc Kleine-Budde <kernel@pengutronix.de>
+ //
+ // Based on:
+@@ -483,9 +483,11 @@ int mcp251xfd_ring_alloc(struct mcp251xf
+ };
+ const struct ethtool_coalesce ec = {
+ .rx_coalesce_usecs_irq = priv->rx_coalesce_usecs_irq,
+- .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq,
++ .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq == 0 ?
++ 1 : priv->rx_obj_num_coalesce_irq,
+ .tx_coalesce_usecs_irq = priv->tx_coalesce_usecs_irq,
+- .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq,
++ .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq == 0 ?
++ 1 : priv->tx_obj_num_coalesce_irq,
+ };
+ struct can_ram_layout layout;
+
--- /dev/null
+From 64a2b6ed4bfd890a0e91955dd8ef8422a3944ed9 Mon Sep 17 00:00:00 2001
+From: Matthew Brost <matthew.brost@intel.com>
+Date: Mon, 4 Nov 2024 20:35:24 -0800
+Subject: drm/xe: Drop VM dma-resv lock on xe_sync_in_fence_get failure in exec IOCTL
+
+From: Matthew Brost <matthew.brost@intel.com>
+
+commit 64a2b6ed4bfd890a0e91955dd8ef8422a3944ed9 upstream.
+
+Upon failure all locks need to be dropped before returning to the user.
+
+Fixes: 58480c1c912f ("drm/xe: Skip VMAs pin when requesting signal to the last XE_EXEC")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Tejas Upadhyay <tejas.upadhyay@intel.com>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241105043524.4062774-3-matthew.brost@intel.com
+(cherry picked from commit 7d1a4258e602ffdce529f56686925034c1b3b095)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_exec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/xe/xe_exec.c
++++ b/drivers/gpu/drm/xe/xe_exec.c
+@@ -212,6 +212,7 @@ retry:
+ fence = xe_sync_in_fence_get(syncs, num_syncs, q, vm);
+ if (IS_ERR(fence)) {
+ err = PTR_ERR(fence);
++ xe_vm_unlock(vm);
+ goto err_unlock_list;
+ }
+ for (i = 0; i < num_syncs; i++)
--- /dev/null
+From af797b831d8975cb4610f396dcb7f03f4b9908e7 Mon Sep 17 00:00:00 2001
+From: Matthew Brost <matthew.brost@intel.com>
+Date: Mon, 4 Nov 2024 20:35:23 -0800
+Subject: drm/xe: Fix possible exec queue leak in exec IOCTL
+
+From: Matthew Brost <matthew.brost@intel.com>
+
+commit af797b831d8975cb4610f396dcb7f03f4b9908e7 upstream.
+
+In a couple of places after an exec queue is looked up the exec IOCTL
+returns on input errors without dropping the exec queue ref. Fix this
+ensuring the exec queue ref is dropped on input error.
+
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Tejas Upadhyay <tejas.upadhyay@intel.com>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241105043524.4062774-2-matthew.brost@intel.com
+(cherry picked from commit 07064a200b40ac2195cb6b7b779897d9377e5e6f)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_exec.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_exec.c
++++ b/drivers/gpu/drm/xe/xe_exec.c
+@@ -129,12 +129,16 @@ int xe_exec_ioctl(struct drm_device *dev
+ if (XE_IOCTL_DBG(xe, !q))
+ return -ENOENT;
+
+- if (XE_IOCTL_DBG(xe, q->flags & EXEC_QUEUE_FLAG_VM))
+- return -EINVAL;
++ if (XE_IOCTL_DBG(xe, q->flags & EXEC_QUEUE_FLAG_VM)) {
++ err = -EINVAL;
++ goto err_exec_queue;
++ }
+
+ if (XE_IOCTL_DBG(xe, args->num_batch_buffer &&
+- q->width != args->num_batch_buffer))
+- return -EINVAL;
++ q->width != args->num_batch_buffer)) {
++ err = -EINVAL;
++ goto err_exec_queue;
++ }
+
+ if (XE_IOCTL_DBG(xe, q->ops->reset_status(q))) {
+ err = -ECANCELED;
--- /dev/null
+From 7fd3fa006fa56c0ec299c61ecf5c572c723adad5 Mon Sep 17 00:00:00 2001
+From: Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
+Date: Tue, 8 Oct 2024 13:06:27 +0530
+Subject: drm/xe: Set mask bits for CCS_MODE register
+
+From: Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
+
+commit 7fd3fa006fa56c0ec299c61ecf5c572c723adad5 upstream.
+
+CCS_MODE register requires setting mask bits from Xe2+ platforms. Set
+the mask bits unconditionally, as those bits are unused for older
+platforms.
+
+Signed-off-by: Balasubramani Vivekanandan <balasubramani.vivekanandan@intel.com>
+Cc: stable@vger.kernel.org # v6.11+
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241008073628.377433-2-balasubramani.vivekanandan@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit 23ea2c7572d4735ef66beb1e4feb8ae510b78247)
+[ Fix conflict with mmio refactors ]
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/regs/xe_gt_regs.h | 2 +-
+ drivers/gpu/drm/xe/xe_gt_ccs_mode.c | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/xe/regs/xe_gt_regs.h
++++ b/drivers/gpu/drm/xe/regs/xe_gt_regs.h
+@@ -509,7 +509,7 @@
+ * [4-6] RSVD
+ * [7] Disabled
+ */
+-#define CCS_MODE XE_REG(0x14804)
++#define CCS_MODE XE_REG(0x14804, XE_REG_OPTION_MASKED)
+ #define CCS_MODE_CSLICE_0_3_MASK REG_GENMASK(11, 0) /* 3 bits per cslice */
+ #define CCS_MODE_CSLICE_MASK 0x7 /* CCS0-3 + rsvd */
+ #define CCS_MODE_CSLICE_WIDTH ilog2(CCS_MODE_CSLICE_MASK + 1)
+--- a/drivers/gpu/drm/xe/xe_gt_ccs_mode.c
++++ b/drivers/gpu/drm/xe/xe_gt_ccs_mode.c
+@@ -68,6 +68,12 @@ static void __xe_gt_apply_ccs_mode(struc
+ }
+ }
+
++ /*
++ * Mask bits need to be set for the register. Though only Xe2+
++ * platforms require setting of mask bits, it won't harm for older
++ * platforms as these bits are unused there.
++ */
++ mode |= CCS_MODE_CSLICE_0_3_MASK << 16;
+ xe_mmio_write32(gt, CCS_MODE, mode);
+
+ xe_gt_dbg(gt, "CCS_MODE=%x config:%08x, num_engines:%d, num_slices:%d\n",
--- /dev/null
+From 0a77d947f599b1f39065015bec99390d0c0022ee Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Mon, 4 Nov 2024 13:43:06 +0900
+Subject: ksmbd: check outstanding simultaneous SMB operations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0a77d947f599b1f39065015bec99390d0c0022ee upstream.
+
+If Client send simultaneous SMB operations to ksmbd, It exhausts too much
+memory through the "ksmbd_work_cache”. It will cause OOM issue.
+ksmbd has a credit mechanism but it can't handle this problem. This patch
+add the check if it exceeds max credits to prevent this problem by assuming
+that one smb request consumes at least one credit.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/connection.c | 1 +
+ fs/smb/server/connection.h | 1 +
+ fs/smb/server/server.c | 16 ++++++++++------
+ fs/smb/server/smb_common.c | 10 +++++++---
+ fs/smb/server/smb_common.h | 2 +-
+ 5 files changed, 20 insertions(+), 10 deletions(-)
+
+--- a/fs/smb/server/connection.c
++++ b/fs/smb/server/connection.c
+@@ -70,6 +70,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void
+ atomic_set(&conn->req_running, 0);
+ atomic_set(&conn->r_count, 0);
+ atomic_set(&conn->refcnt, 1);
++ atomic_set(&conn->mux_smb_requests, 0);
+ conn->total_credits = 1;
+ conn->outstanding_credits = 0;
+
+--- a/fs/smb/server/connection.h
++++ b/fs/smb/server/connection.h
+@@ -107,6 +107,7 @@ struct ksmbd_conn {
+ __le16 signing_algorithm;
+ bool binding;
+ atomic_t refcnt;
++ atomic_t mux_smb_requests;
+ };
+
+ struct ksmbd_conn_ops {
+--- a/fs/smb/server/server.c
++++ b/fs/smb/server/server.c
+@@ -270,6 +270,7 @@ static void handle_ksmbd_work(struct wor
+
+ ksmbd_conn_try_dequeue_request(work);
+ ksmbd_free_work_struct(work);
++ atomic_dec(&conn->mux_smb_requests);
+ /*
+ * Checking waitqueue to dropping pending requests on
+ * disconnection. waitqueue_active is safe because it
+@@ -291,6 +292,15 @@ static int queue_ksmbd_work(struct ksmbd
+ struct ksmbd_work *work;
+ int err;
+
++ err = ksmbd_init_smb_server(conn);
++ if (err)
++ return 0;
++
++ if (atomic_inc_return(&conn->mux_smb_requests) >= conn->vals->max_credits) {
++ atomic_dec_return(&conn->mux_smb_requests);
++ return -ENOSPC;
++ }
++
+ work = ksmbd_alloc_work_struct();
+ if (!work) {
+ pr_err("allocation for work failed\n");
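Review bot: `conn->mux_smb_requests` is incremented before `ksmbd_alloc_work_struct()`, and the visible part of the `if (!work)` branch shows no matching decrement. If that branch returns directly (it continues past the end of this hunk, so this is inferred), every failed allocation permanently uses up one slot of `conn->vals->max_credits` for the connection, and under memory pressure the connection would drift towards rejecting all requests with -ENOSPC. Adding `atomic_dec(&conn->mux_smb_requests);` before that return would keep the counter balanced. In the limit branch, `atomic_dec_return()` is called with its result discarded; plain `atomic_dec()` states the intent.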
+@@ -301,12 +311,6 @@ static int queue_ksmbd_work(struct ksmbd
+ work->request_buf = conn->request_buf;
+ conn->request_buf = NULL;
+
+- err = ksmbd_init_smb_server(work);
+- if (err) {
+- ksmbd_free_work_struct(work);
+- return 0;
+- }
+-
+ ksmbd_conn_enqueue_request(work);
+ atomic_inc(&conn->r_count);
+ /* update activity on connection */
+--- a/fs/smb/server/smb_common.c
++++ b/fs/smb/server/smb_common.c
+@@ -388,6 +388,10 @@ static struct smb_version_ops smb1_serve
+ .set_rsp_status = set_smb1_rsp_status,
+ };
+
++static struct smb_version_values smb1_server_values = {
++ .max_credits = SMB2_MAX_CREDITS,
++};
++
+ static int smb1_negotiate(struct ksmbd_work *work)
+ {
+ return ksmbd_smb_negotiate_common(work, SMB_COM_NEGOTIATE);
+@@ -399,18 +403,18 @@ static struct smb_version_cmds smb1_serv
+
+ static int init_smb1_server(struct ksmbd_conn *conn)
+ {
++ conn->vals = &smb1_server_values;
+ conn->ops = &smb1_server_ops;
+ conn->cmds = smb1_server_cmds;
+ conn->max_cmds = ARRAY_SIZE(smb1_server_cmds);
+ return 0;
+ }
+
+-int ksmbd_init_smb_server(struct ksmbd_work *work)
++int ksmbd_init_smb_server(struct ksmbd_conn *conn)
+ {
+- struct ksmbd_conn *conn = work->conn;
+ __le32 proto;
+
+- proto = *(__le32 *)((struct smb_hdr *)work->request_buf)->Protocol;
++ proto = *(__le32 *)((struct smb_hdr *)conn->request_buf)->Protocol;
+ if (conn->need_neg == false) {
+ if (proto == SMB1_PROTO_NUMBER)
+ return -EINVAL;
+--- a/fs/smb/server/smb_common.h
++++ b/fs/smb/server/smb_common.h
+@@ -427,7 +427,7 @@ bool ksmbd_smb_request(struct ksmbd_conn
+
+ int ksmbd_lookup_dialect_by_id(__le16 *cli_dialects, __le16 dialects_count);
+
+-int ksmbd_init_smb_server(struct ksmbd_work *work);
++int ksmbd_init_smb_server(struct ksmbd_conn *conn);
+
+ struct ksmbd_kstat;
+ int ksmbd_populate_dot_dotdot_entries(struct ksmbd_work *work,
--- /dev/null
+From 0a77715db22611df50b178374c51e2ba0d58866e Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sat, 2 Nov 2024 18:46:38 +0900
+Subject: ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0a77715db22611df50b178374c51e2ba0d58866e upstream.
+
+There is a race condition between ksmbd_smb2_session_create and
+ksmbd_expire_session. This patch add missing sessions_table_lock
+while adding/deleting session from global session table.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/mgmt/user_session.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -175,6 +175,7 @@ static void ksmbd_expire_session(struct
+ unsigned long id;
+ struct ksmbd_session *sess;
+
++ down_write(&sessions_table_lock);
+ down_write(&conn->session_lock);
+ xa_for_each(&conn->sessions, id, sess) {
+ if (atomic_read(&sess->refcnt) == 0 &&
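Review bot: The lock nesting introduced here, `sessions_table_lock` taken before `conn->session_lock`, is not documented in any of the visible hunks. Both `ksmbd_expire_session()` and `ksmbd_sessions_deregister()` now rely on it, since the hunks at -229 and -249 extend the outer lock over the inner section. A short comment at the `down_write()` pair, for example `/* lock order: sessions_table_lock, then conn->session_lock */`, would help keep a later path from taking the two in the opposite order. Both function bodies extend outside the hunks.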
+@@ -188,6 +189,7 @@ static void ksmbd_expire_session(struct
+ }
+ }
+ up_write(&conn->session_lock);
++ up_write(&sessions_table_lock);
+ }
+
+ int ksmbd_session_register(struct ksmbd_conn *conn,
+@@ -229,7 +231,6 @@ void ksmbd_sessions_deregister(struct ks
+ }
+ }
+ }
+- up_write(&sessions_table_lock);
+
+ down_write(&conn->session_lock);
+ xa_for_each(&conn->sessions, id, sess) {
+@@ -249,6 +250,7 @@ void ksmbd_sessions_deregister(struct ks
+ }
+ }
+ up_write(&conn->session_lock);
++ up_write(&sessions_table_lock);
+ }
+
+ struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
--- /dev/null
+From b8fc56fbca7482c1e5c0e3351c6ae78982e25ada Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Mon, 4 Nov 2024 13:40:41 +0900
+Subject: ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit b8fc56fbca7482c1e5c0e3351c6ae78982e25ada upstream.
+
+ksmbd_user_session_put should be called under smb3_preauth_hash_rsp().
+It will avoid freeing session before calling smb3_preauth_hash_rsp().
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/server.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/server.c
++++ b/fs/smb/server/server.c
+@@ -238,11 +238,11 @@ static void __handle_ksmbd_work(struct k
+ } while (is_chained == true);
+
+ send:
+- if (work->sess)
+- ksmbd_user_session_put(work->sess);
+ if (work->tcon)
+ ksmbd_tree_connect_put(work->tcon);
+ smb3_preauth_hash_rsp(work);
++ if (work->sess)
++ ksmbd_user_session_put(work->sess);
+ if (work->sess && work->sess->enc && work->encrypted &&
+ conn->ops->encrypt_resp) {
+ rc = conn->ops->encrypt_resp(work);
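Review bot: `work->sess->enc` is still read on the line directly after the relocated `ksmbd_user_session_put(work->sess)`, so the session reference is dropped before its last visible use. If that put can release the final reference, the encryption check (and presumably `encrypt_resp()`, whose body is not shown) operates on a session that may already be freed, which is the same class of bug this commit fixes for `smb3_preauth_hash_rsp()`. Moving `if (work->sess)` / `ksmbd_user_session_put(work->sess);` below the whole `encrypt_resp` block would hold the reference until the session is no longer touched. The `if` body continues outside the hunk.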
--- /dev/null
+From 3abab905b14f4ba756d413f37f1fb02b708eee93 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+Date: Mon, 28 Oct 2024 08:28:30 +0900
+Subject: ksmbd: Fix the missing xa_store error check
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+commit 3abab905b14f4ba756d413f37f1fb02b708eee93 upstream.
+
+xa_store() can fail, it return xa_err(-EINVAL) if the entry cannot
+be stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed,
+so check error for xa_store() to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/mgmt/user_session.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -90,7 +90,7 @@ static int __rpc_method(char *rpc_name)
+
+ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name)
+ {
+- struct ksmbd_session_rpc *entry;
++ struct ksmbd_session_rpc *entry, *old;
+ struct ksmbd_rpc_command *resp;
+ int method;
+
+@@ -106,16 +106,19 @@ int ksmbd_session_rpc_open(struct ksmbd_
+ entry->id = ksmbd_ipc_id_alloc();
+ if (entry->id < 0)
+ goto free_entry;
+- xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL);
++ old = xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL);
++ if (xa_is_err(old))
++ goto free_id;
+
+ resp = ksmbd_rpc_open(sess, entry->id);
+ if (!resp)
+- goto free_id;
++ goto erase_xa;
+
+ kvfree(resp);
+ return entry->id;
+-free_id:
++erase_xa:
+ xa_erase(&sess->rpc_handle_list, entry->id);
++free_id:
+ ksmbd_rpc_id_free(entry->id);
+ free_entry:
+ kfree(entry);
--- /dev/null
+From 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 11:38:10 +0200
+Subject: media: ar0521: don't overflow when checking PLL values
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 upstream.
+
+The PLL checks are comparing 64 bit integers with 32 bit
+ones, as reported by Coverity. Depending on the values of
+the variables, this may underflow.
+
+Fix it ensuring that both sides of the expression are u64.
+
+Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ar0521.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ar0521.c
++++ b/drivers/media/i2c/ar0521.c
+@@ -255,10 +255,10 @@ static u32 calc_pll(struct ar0521_dev *s
+ continue; /* Minimum value */
+ if (new_mult > 254)
+ break; /* Maximum, larger pre won't work either */
+- if (sensor->extclk_freq * (u64)new_mult < AR0521_PLL_MIN *
++ if (sensor->extclk_freq * (u64)new_mult < (u64)AR0521_PLL_MIN *
+ new_pre)
+ continue;
+- if (sensor->extclk_freq * (u64)new_mult > AR0521_PLL_MAX *
++ if (sensor->extclk_freq * (u64)new_mult > (u64)AR0521_PLL_MAX *
+ new_pre)
+ break; /* Larger pre won't work either */
+ new_pll = div64_round_up(sensor->extclk_freq * (u64)new_mult,
--- /dev/null
+From 458ea1c0be991573ec436aa0afa23baacfae101a Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 09:24:24 +0200
+Subject: media: av7110: fix a spectre vulnerability
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 458ea1c0be991573ec436aa0afa23baacfae101a upstream.
+
+As warned by smatch:
+ drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap)
+
+There is a spectre-related vulnerability at the code. Fix it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/av7110/av7110.h | 4 +++-
+ drivers/staging/media/av7110/av7110_ca.c | 25 +++++++++++++++++--------
+ 2 files changed, 20 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/media/av7110/av7110.h
++++ b/drivers/staging/media/av7110/av7110.h
+@@ -88,6 +88,8 @@ struct infrared {
+ u32 ir_config;
+ };
+
++#define MAX_CI_SLOTS 2
++
+ /* place to store all the necessary device information */
+ struct av7110 {
+ /* devices */
+@@ -163,7 +165,7 @@ struct av7110 {
+
+ /* CA */
+
+- struct ca_slot_info ci_slot[2];
++ struct ca_slot_info ci_slot[MAX_CI_SLOTS];
+
+ enum av7110_video_mode vidmode;
+ struct dmxdev dmxdev;
+--- a/drivers/staging/media/av7110/av7110_ca.c
++++ b/drivers/staging/media/av7110/av7110_ca.c
+@@ -26,23 +26,28 @@
+
+ void CI_handle(struct av7110 *av7110, u8 *data, u16 len)
+ {
++ unsigned slot_num;
++
+ dprintk(8, "av7110:%p\n", av7110);
+
+ if (len < 3)
+ return;
+ switch (data[0]) {
+ case CI_MSG_CI_INFO:
+- if (data[2] != 1 && data[2] != 2)
++ if (data[2] != 1 && data[2] != MAX_CI_SLOTS)
+ break;
++
++ slot_num = array_index_nospec(data[2] - 1, MAX_CI_SLOTS);
++
+ switch (data[1]) {
+ case 0:
+- av7110->ci_slot[data[2] - 1].flags = 0;
++ av7110->ci_slot[slot_num].flags = 0;
+ break;
+ case 1:
+- av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_PRESENT;
++ av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_PRESENT;
+ break;
+ case 2:
+- av7110->ci_slot[data[2] - 1].flags |= CA_CI_MODULE_READY;
++ av7110->ci_slot[slot_num].flags |= CA_CI_MODULE_READY;
+ break;
+ }
+ break;
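Review bot: The range check `data[2] != 1 && data[2] != MAX_CI_SLOTS` treats the array size as if it were a slot number, which is only correct while MAX_CI_SLOTS is 2. Writing it as `if (data[2] < 1 || data[2] > MAX_CI_SLOTS)` keeps the check and the `array_index_nospec()` bound in agreement if the constant ever changes. The same applies in the `CA_GET_SLOT_INFO` hunk, where `info->num > 1` stays a literal next to `array_index_nospec(info->num, MAX_CI_SLOTS)`; `info->num >= MAX_CI_SLOTS` would tie the two together. `unsigned slot_num;` here should be `unsigned int slot_num;` to match the declaration added in `dvb_ca_ioctl()`. No visible hunk adds `#include <linux/nospec.h>`; it may arrive indirectly, but that is worth confirming.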
+@@ -262,15 +267,19 @@ static int dvb_ca_ioctl(struct file *fil
+ case CA_GET_SLOT_INFO:
+ {
+ struct ca_slot_info *info = (struct ca_slot_info *)parg;
++ unsigned int slot_num;
+
+ if (info->num < 0 || info->num > 1) {
+ mutex_unlock(&av7110->ioctl_mutex);
+ return -EINVAL;
+ }
+- av7110->ci_slot[info->num].num = info->num;
+- av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
+- CA_CI_LINK : CA_CI;
+- memcpy(info, &av7110->ci_slot[info->num], sizeof(struct ca_slot_info));
++ slot_num = array_index_nospec(info->num, MAX_CI_SLOTS);
++
++ av7110->ci_slot[slot_num].num = info->num;
++ av7110->ci_slot[slot_num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
++ CA_CI_LINK : CA_CI;
++ memcpy(info, &av7110->ci_slot[slot_num],
++ sizeof(struct ca_slot_info));
+ break;
+ }
+
--- /dev/null
+From 576a307a7650bd544fbb24df801b9b7863b85e2f Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 12:14:11 +0200
+Subject: media: cx24116: prevent overflows on SNR calculus
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream.
+
+as reported by Coverity, if reading SNR registers fail, a negative
+number will be returned, causing an underflow when reading SNR
+registers.
+
+Prevent that.
+
+Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/cx24116.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/cx24116.c
++++ b/drivers/media/dvb-frontends/cx24116.c
+@@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct d
+ {
+ struct cx24116_state *state = fe->demodulator_priv;
+ u8 snr_reading;
++ int ret;
+ static const u32 snr_tab[] = { /* 10 x Table (rounded up) */
+ 0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667,
+ 0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667,
+@@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct d
+
+ dprintk("%s()\n", __func__);
+
+- snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0);
++ ret = cx24116_readreg(state, CX24116_REG_QUALITY0);
++ if (ret < 0)
++ return ret;
++
++ snr_reading = ret;
+
+ if (snr_reading >= 0xa0 /* 100% */)
+ *snr = 0xffff;
--- /dev/null
+From fa88dc7db176c79b50adb132a56120a1d4d9d18b Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Tue, 1 Oct 2024 11:01:34 +0200
+Subject: media: dvb-core: add missing buffer index check
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit fa88dc7db176c79b50adb132a56120a1d4d9d18b upstream.
+
+dvb_vb2_expbuf() didn't check if the given buffer index was
+for a valid buffer. Add this check.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Closes: https://lore.kernel.org/linux-media/?q=WARNING+in+vb2_core_reqbufs
+Fixes: 7dc866df4012 ("media: dvb-core: Use vb2_get_buffer() instead of directly access to buffers array")
+Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvb_vb2.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-core/dvb_vb2.c
++++ b/drivers/media/dvb-core/dvb_vb2.c
+@@ -366,9 +366,15 @@ int dvb_vb2_querybuf(struct dvb_vb2_ctx
+ int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp)
+ {
+ struct vb2_queue *q = &ctx->vb_q;
++ struct vb2_buffer *vb2 = vb2_get_buffer(q, exp->index);
+ int ret;
+
+- ret = vb2_core_expbuf(&ctx->vb_q, &exp->fd, q->type, q->bufs[exp->index],
++ if (!vb2) {
++ dprintk(1, "[%s] invalid buffer index\n", ctx->name);
++ return -EINVAL;
++ }
++
++ ret = vb2_core_expbuf(&ctx->vb_q, &exp->fd, q->type, vb2,
+ 0, exp->flags);
+ if (ret) {
+ dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
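Review bot: The new rejection path in dvb_vb2_expbuf() logs `invalid buffer index` without the value, while the failure message a few lines further down prints `index=%d`. Including the offending index makes a malformed export request identifiable in the log, e.g. `dprintk(1, "[%s] invalid buffer index %u\n", ctx->name, exp->index);` (assuming the field is unsigned). The check also depends on vb2_get_buffer() returning NULL for an out-of-range index, which this hunk does not show, so that contract is worth confirming against the vb2 core of the tree this patch is queued for. As a small style point, the call still passes `&ctx->vb_q` although `q` already holds the same pointer. The function body continues past the end of the hunk.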
--- /dev/null
+From 2aee207e5b3c94ef859316008119ea06d6798d49 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 10:33:10 +0200
+Subject: media: mgb4: protect driver against spectre
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 2aee207e5b3c94ef859316008119ea06d6798d49 upstream.
+
+Frequency range is set from sysfs via frequency_range_store(),
+being vulnerable to spectre, as reported by smatch:
+
+ drivers/media/pci/mgb4/mgb4_cmt.c:231 mgb4_cmt_set_vin_freq_range() warn: potential spectre issue 'cmt_vals_in' [r]
+ drivers/media/pci/mgb4/mgb4_cmt.c:238 mgb4_cmt_set_vin_freq_range() warn: possible spectre second half. 'reg_set'
+
+Fix it.
+
+Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Martin Tůma <martin.tuma@digiteqautomotive.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/mgb4/mgb4_cmt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/pci/mgb4/mgb4_cmt.c b/drivers/media/pci/mgb4/mgb4_cmt.c
+index 70dc78ef193c..a25b68403bc6 100644
+--- a/drivers/media/pci/mgb4/mgb4_cmt.c
++++ b/drivers/media/pci/mgb4/mgb4_cmt.c
+@@ -227,6 +227,8 @@ void mgb4_cmt_set_vin_freq_range(struct mgb4_vin_dev *vindev,
+ u32 config;
+ size_t i;
+
++ freq_range = array_index_nospec(freq_range, ARRAY_SIZE(cmt_vals_in));
++
+ addr = cmt_addrs_in[vindev->config->id];
+ reg_set = cmt_vals_in[freq_range];
+
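Review bot: `array_index_nospec()` in front of `cmt_vals_in[freq_range]` only constrains the index under speculation; an architecturally out-of-range `freq_range` is mapped to 0 rather than rejected. The real range check therefore has to stay in the sysfs store path named in the commit message, which is not visible in this hunk. A one-line comment would keep the call from being read as validation: `/* speculation barrier only; the sysfs store path must still range-check freq_range */`. The patch adds two lines and no include, so the helper presumably reaches this file through another header; adding `#include <linux/nospec.h>` explicitly avoids depending on that. The function starts and ends outside the hunk.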
+--
+2.47.0
+
--- /dev/null
+From ba9cf6b430433e57bfc8072364e944b7c0eca2a4 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Wed, 16 Oct 2024 11:24:15 +0200
+Subject: media: pulse8-cec: fix data timestamp at pulse8_setup()
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit ba9cf6b430433e57bfc8072364e944b7c0eca2a4 upstream.
+
+As pointed by Coverity, there is a hidden overflow condition there.
+As date is signed and u8 is unsigned, doing:
+
+ date = (data[0] << 24)
+
+With a value bigger than 07f will make all upper bits of date
+0xffffffff. This can be demonstrated with this small code:
+
+<code>
+typedef int64_t time64_t;
+typedef uint8_t u8;
+
+int main(void)
+{
+ u8 data[] = { 0xde ,0xad , 0xbe, 0xef };
+ time64_t date;
+
+ date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+ printf("Invalid data = 0x%08lx\n", date);
+
+ date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+ printf("Expected data = 0x%08lx\n", date);
+
+ return 0;
+}
+</code>
+
+Fix it by converting the upper bit calculation to unsigned.
+
+Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/cec/usb/pulse8/pulse8-cec.c
++++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c
+@@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *p
+ err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4);
+ if (err)
+ return err;
+- date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
++ date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+ dev_info(pulse8->dev, "Firmware build date %ptT\n", &date);
+
+ dev_dbg(pulse8->dev, "Persistent config:\n");
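Review bot: The cast on `data[0]` fixes the sign extension, but the line still open-codes a big-endian 32-bit load and uses bare `unsigned`, which kernel style checkers flag in favour of `unsigned int` or `u32`. The other three terms are still promoted to `int`; that is harmless because none of them reaches bit 31, but a reader has to work it out. `date = get_unaligned_be32(data);` states the intent directly and leaves no promotion to reason about, provided the unaligned-access header is available in this file, which the hunk does not show. pulse8_setup() starts and ends outside the hunk.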
--- /dev/null
+From 14a22762c3daeac59a5a534e124acbb4d7a79b3a Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 11:10:31 +0200
+Subject: media: s5p-jpeg: prevent buffer overflows
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream.
+
+The current logic allows word to be less than 2. If this happens,
+there will be buffer overflows, as reported by smatch. Add extra
+checks to prevent it.
+
+While here, remove an unused word = 0 assignment.
+
+Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
++++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
+@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_
+ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
+ jpeg_buffer.curr = 0;
+
+- word = 0;
+-
+ if (get_word_be(&jpeg_buffer, &word))
+ return;
+- jpeg_buffer.size = (long)word - 2;
++
++ if (word < 2)
++ jpeg_buffer.size = 0;
++ else
++ jpeg_buffer.size = (long)word - 2;
++
+ jpeg_buffer.data += 2;
+ jpeg_buffer.curr = 0;
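Review bot: The new `word < 2` branch in exynos4_jpeg_parse_decode_h_tbl() sets `jpeg_buffer.size = 0` and carries on, whereas the s5p_jpeg_parse_hdr() hunks of the same patch reject a non-positive length outright. Since this function returns void and already bails out when get_word_be() fails, `if (word < 2) return;` would treat the malformed segment the same way, provided nothing after the hunk must still run. Only the lower bound is handled here: `word` is read from the stream, and nothing in the visible lines caps `jpeg_buffer.size` to the bytes remaining in the plane after `ctx->out_q.sos + 2`. It is worth confirming that an earlier parse step guarantees that bound, or adding the check at this point. The function starts and ends outside the hunk.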
+
+@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_b
+ if (byte == -1)
+ return -1;
+ *word = (unsigned int)byte | temp;
++
+ return 0;
+ }
+
+@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ sof = jpeg_buffer.curr; /* after 0xffc0 */
+ sof_len = length;
+@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ if (n_dqt >= S5P_JPEG_MAX_MARKER)
+ return false;
+@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ if (n_dht >= S5P_JPEG_MAX_MARKER)
+ return false;
+@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
++ /* No need to check underflows as skip() does it */
+ skip(&jpeg_buffer, length);
+ break;
+ }
--- /dev/null
+From 4c76f331a9a173ac8fe1297a9231c2a38f88e368 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 14:23:38 +0200
+Subject: media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 4c76f331a9a173ac8fe1297a9231c2a38f88e368 upstream.
+
+As detected by Coverity, the error check logic at get_ctrl() is
+broken: if ptr_to_user() fails to fill a control due to an error,
+no errors are returned and v4l2_g_ctrl() returns success on a
+failed operation, which may cause applications to fail.
+
+Add an error check at get_ctrl() and ensure that it will
+be returned to userspace without filling the control value if
+get_ctrl() fails.
+
+Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-api.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c
+@@ -753,9 +753,10 @@ static int get_ctrl(struct v4l2_ctrl *ct
+ for (i = 0; i < master->ncontrols; i++)
+ cur_to_new(master->cluster[i]);
+ ret = call_op(master, g_volatile_ctrl);
+- new_to_user(c, ctrl);
++ if (!ret)
++ ret = new_to_user(c, ctrl);
+ } else {
+- cur_to_user(c, ctrl);
++ ret = cur_to_user(c, ctrl);
+ }
+ v4l2_ctrl_unlock(master);
+ return ret;
+@@ -770,7 +771,10 @@ int v4l2_g_ctrl(struct v4l2_ctrl_handler
+ if (!ctrl || !ctrl->is_int)
+ return -EINVAL;
+ ret = get_ctrl(ctrl, &c);
+- control->value = c.value;
++
++ if (!ret)
++ control->value = c.value;
++
+ return ret;
+ }
+ EXPORT_SYMBOL(v4l2_g_ctrl);
+@@ -811,10 +815,11 @@ static int set_ctrl_lock(struct v4l2_fh
+ int ret;
+
+ v4l2_ctrl_lock(ctrl);
+- user_to_new(c, ctrl);
+- ret = set_ctrl(fh, ctrl, 0);
++ ret = user_to_new(c, ctrl);
++ if (!ret)
++ ret = set_ctrl(fh, ctrl, 0);
+ if (!ret)
+- cur_to_user(c, ctrl);
++ ret = cur_to_user(c, ctrl);
+ v4l2_ctrl_unlock(ctrl);
+ return ret;
+ }
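Review bot: In set_ctrl_lock(), `ret = cur_to_user(c, ctrl);` now lets a copy-back failure become the return value after set_ctrl() has already succeeded, so a caller can receive an error for a control whose value did change. That is probably the right trade-off, but it should be stated next to the line, e.g. `/* the control is already set at this point; an error here only means the value could not be reported back */`. Whether any caller treats the error as "nothing was applied" is not visible from this hunk and is worth checking.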
--- /dev/null
+From e6a3ea83fbe15d4818d01804e904cbb0e64e543b Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Wed, 16 Oct 2024 11:53:15 +0200
+Subject: media: v4l2-tpg: prevent the risk of a division by zero
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream.
+
+As reported by Coverity, the logic at tpg_precalculate_line()
+blindly rescales the buffer even when scaled_witdh is equal to
+zero. If this ever happens, this will cause a division by zero.
+
+Instead, add a WARN_ON_ONCE() to trigger such cases and return
+without doing any precalculation.
+
+Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1795,6 +1795,9 @@ static void tpg_precalculate_line(struct
+ unsigned p;
+ unsigned x;
+
++ if (WARN_ON_ONCE(!tpg->src_width || !tpg->scaled_width))
++ return;
++
+ switch (tpg->pattern) {
+ case TPG_PAT_GREEN:
+ contrast = TPG_COLOR_100_RED;
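Review bot: `WARN_ON_ONCE()` in the new guard at the top of tpg_precalculate_line() is only appropriate if a zero `src_width` or `scaled_width` can never result from a userspace request; on systems booted with panic_on_warn, a reachable WARN turns a bad parameter into a crash. The hunk does not show where the two widths are set. If they derive from format or scaling requests, the zero should be rejected where the value is accepted and the guard here reduced to `if (!tpg->src_width || !tpg->scaled_width) return;`. The early return also leaves the precalculated line data as it was, so a comment should say whether callers may safely use it afterwards. The function is void and continues past the hunk.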
--- /dev/null
+From 96d8569563916fe2f8fe17317e20e43f54f9ba4b Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Thu, 24 Oct 2024 10:21:30 +0200
+Subject: media: vivid: fix buffer overwrite when using > 32 buffers
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit 96d8569563916fe2f8fe17317e20e43f54f9ba4b upstream.
+
+The maximum number of buffers that can be requested was increased to
+64 for the video capture queue. But video capture used a must_blank
+array that was still sized for 32 (VIDEO_MAX_FRAME). This caused an
+out-of-bounds write when using buffer indices >= 32.
+
+Create a new define MAX_VID_CAP_BUFFERS that is used to access the
+must_blank array and set max_num_buffers for the video capture queue.
+
+This solves a crash reported by:
+
+ https://bugzilla.kernel.org/show_bug.cgi?id=219258
+
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Fixes: cea70ed416b4 ("media: test-drivers: vivid: Increase max supported buffers for capture queues")
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vivid/vivid-core.c | 2 +-
+ drivers/media/test-drivers/vivid/vivid-core.h | 4 +++-
+ drivers/media/test-drivers/vivid/vivid-ctrls.c | 2 +-
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +-
+ 4 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/test-drivers/vivid/vivid-core.c
++++ b/drivers/media/test-drivers/vivid/vivid-core.c
+@@ -910,7 +910,7 @@ static int vivid_create_queue(struct viv
+ * videobuf2-core.c to MAX_BUFFER_INDEX.
+ */
+ if (buf_type == V4L2_BUF_TYPE_VIDEO_CAPTURE)
+- q->max_num_buffers = 64;
++ q->max_num_buffers = MAX_VID_CAP_BUFFERS;
+ if (buf_type == V4L2_BUF_TYPE_SDR_CAPTURE)
+ q->max_num_buffers = 1024;
+ if (buf_type == V4L2_BUF_TYPE_VBI_CAPTURE)
+--- a/drivers/media/test-drivers/vivid/vivid-core.h
++++ b/drivers/media/test-drivers/vivid/vivid-core.h
+@@ -26,6 +26,8 @@
+ #define MAX_INPUTS 16
+ /* The maximum number of outputs */
+ #define MAX_OUTPUTS 16
++/* The maximum number of video capture buffers */
++#define MAX_VID_CAP_BUFFERS 64
+ /* The maximum up or down scaling factor is 4 */
+ #define MAX_ZOOM 4
+ /* The maximum image width/height are set to 4K DMT */
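Review bot: The comment on the new `MAX_VID_CAP_BUFFERS` does not say that the same constant sizes `must_blank[]` in struct vivid_dev and sets `max_num_buffers` for the capture queue, which is the coupling that broke when 64 and `VIDEO_MAX_FRAME` diverged. Suggest `/* The maximum number of video capture buffers; also the size of vivid_dev.must_blank[] */`. The SDR branch in vivid_create_queue() still uses a literal, and the VBI branch follows it. Whether any per-buffer array is indexed for those queues is not visible here and is worth a quick check.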
+@@ -481,7 +483,7 @@ struct vivid_dev {
+ /* video capture */
+ struct tpg_data tpg;
+ unsigned ms_vid_cap;
+- bool must_blank[VIDEO_MAX_FRAME];
++ bool must_blank[MAX_VID_CAP_BUFFERS];
+
+ const struct vivid_fmt *fmt_cap;
+ struct v4l2_fract timeperframe_vid_cap;
+--- a/drivers/media/test-drivers/vivid/vivid-ctrls.c
++++ b/drivers/media/test-drivers/vivid/vivid-ctrls.c
+@@ -553,7 +553,7 @@ static int vivid_vid_cap_s_ctrl(struct v
+ break;
+ case VIVID_CID_PERCENTAGE_FILL:
+ tpg_s_perc_fill(&dev->tpg, ctrl->val);
+- for (i = 0; i < VIDEO_MAX_FRAME; i++)
++ for (i = 0; i < MAX_VID_CAP_BUFFERS; i++)
+ dev->must_blank[i] = ctrl->val < 100;
+ break;
+ case VIVID_CID_INSERT_SAV:
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -213,7 +213,7 @@ static int vid_cap_start_streaming(struc
+
+ dev->vid_cap_seq_count = 0;
+ dprintk(dev, 1, "%s\n", __func__);
+- for (i = 0; i < VIDEO_MAX_FRAME; i++)
++ for (i = 0; i < MAX_VID_CAP_BUFFERS; i++)
+ dev->must_blank[i] = tpg_g_perc_fill(&dev->tpg) < 100;
+ if (dev->start_streaming_error) {
+ dev->start_streaming_error = false;
thermal-of-support-thermal-zones-w-o-trips-subnode.patch
asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch
asoc-sof-sof-client-probes-ipc4-set-param_size-exten.patch
+media-dvb-core-add-missing-buffer-index-check.patch
+media-mgb4-protect-driver-against-spectre.patch
+media-ar0521-don-t-overflow-when-checking-pll-values.patch
+media-s5p-jpeg-prevent-buffer-overflows.patch
+media-cx24116-prevent-overflows-on-snr-calculus.patch
+media-av7110-fix-a-spectre-vulnerability.patch
+media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch
+media-vivid-fix-buffer-overwrite-when-using-32-buffers.patch
+media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
+media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch
+can-m_can-m_can_close-don-t-call-free_irq-for-irq-less-devices.patch
+can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch
+can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch
+can-cc770-sja1000-_isa-allow-building-on-x86_64.patch
+ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch
+ksmbd-check-outstanding-simultaneous-smb-operations.patch
+ksmbd-fix-the-missing-xa_store-error-check.patch
+ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch
+drm-xe-fix-possible-exec-queue-leak-in-exec-ioctl.patch
+drm-xe-drop-vm-dma-resv-lock-on-xe_sync_in_fence_get-failure-in-exec-ioctl.patch
+drm-xe-set-mask-bits-for-ccs_mode-register.patch