6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Aug 2025 14:22:56 +0000 (16:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Aug 2025 14:22:56 +0000 (16:22 +0200)
added patches:
f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch
media-gspca-add-bounds-checking-to-firmware-parser.patch
media-hi556-correct-the-test-pattern-configuration.patch
media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch
media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch
media-ov2659-fix-memory-leaks-in-ov2659_probe.patch
media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch
media-usbtv-lock-resolution-while-streaming.patch
media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
media-verisilicon-fix-av1-decoder-clock-frequency.patch
media-vivid-fix-wrong-pixel_array-control-size.patch
mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch
mtd-rawnand-renesas-add-missing-check-after-dma-map.patch
mtd-spi-nor-fix-spi_nor_try_unlock_all.patch
mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch
parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch
parisc-define-and-use-set_pte_at.patch
parisc-drop-warn_on_once-from-flush_cache_vmap.patch
parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch
parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch
parisc-revise-__get_user-to-probe-user-read-access.patch
parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch
parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch
parisc-update-comments-in-make_insert_tlb.patch
pci-endpoint-fix-configfs-group-list-head-handling.patch
pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch
phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch
soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch
vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch
vsock-virtio-validate-length-in-packet-header-before-skb_put.patch

32 files changed:
queue-6.6/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch [new file with mode: 0644]
queue-6.6/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch [new file with mode: 0644]
queue-6.6/media-gspca-add-bounds-checking-to-firmware-parser.patch [new file with mode: 0644]
queue-6.6/media-hi556-correct-the-test-pattern-configuration.patch [new file with mode: 0644]
queue-6.6/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch [new file with mode: 0644]
queue-6.6/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch [new file with mode: 0644]
queue-6.6/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch [new file with mode: 0644]
queue-6.6/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch [new file with mode: 0644]
queue-6.6/media-usbtv-lock-resolution-while-streaming.patch [new file with mode: 0644]
queue-6.6/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch [new file with mode: 0644]
queue-6.6/media-verisilicon-fix-av1-decoder-clock-frequency.patch [new file with mode: 0644]
queue-6.6/media-vivid-fix-wrong-pixel_array-control-size.patch [new file with mode: 0644]
queue-6.6/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch [new file with mode: 0644]
queue-6.6/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch [new file with mode: 0644]
queue-6.6/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch [new file with mode: 0644]
queue-6.6/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch [new file with mode: 0644]
queue-6.6/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch [new file with mode: 0644]
queue-6.6/parisc-define-and-use-set_pte_at.patch [new file with mode: 0644]
queue-6.6/parisc-drop-warn_on_once-from-flush_cache_vmap.patch [new file with mode: 0644]
queue-6.6/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch [new file with mode: 0644]
queue-6.6/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch [new file with mode: 0644]
queue-6.6/parisc-revise-__get_user-to-probe-user-read-access.patch [new file with mode: 0644]
queue-6.6/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch [new file with mode: 0644]
queue-6.6/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch [new file with mode: 0644]
queue-6.6/parisc-update-comments-in-make_insert_tlb.patch [new file with mode: 0644]
queue-6.6/pci-endpoint-fix-configfs-group-list-head-handling.patch [new file with mode: 0644]
queue-6.6/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch [new file with mode: 0644]
queue-6.6/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch [new file with mode: 0644]
queue-6.6/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch [new file with mode: 0644]
queue-6.6/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch [new file with mode: 0644]

diff --git a/queue-6.6/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch b/queue-6.6/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
new file mode 100644 (file)
index 0000000..50b652a
--- /dev/null
@@ -0,0 +1,71 @@
+From 77de19b6867f2740cdcb6c9c7e50d522b47847a4 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Thu, 17 Jul 2025 21:26:33 +0800
+Subject: f2fs: fix to avoid out-of-boundary access in dnode page
+
+From: Chao Yu <chao@kernel.org>
+
+commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 upstream.
+
+As Jiaming Zhang reported:
+
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x17e/0x800 mm/kasan/report.c:480
+ kasan_report+0x147/0x180 mm/kasan/report.c:593
+ data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
+ f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
+ f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
+ f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
+ prepare_write_begin fs/f2fs/data.c:3395 [inline]
+ f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
+ generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
+ f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
+ f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x546/0xa90 fs/read_write.c:686
+ ksys_write+0x149/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is in the corrupted image, there is a dnode has the same
+node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
+access block address in dnode at offset 934, however it parses the dnode
+as inode node, so that get_dnode_addr() returns 360, then it tries to
+access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
+
+To fix this issue, let's add sanity check for node id of all direct nodes
+during f2fs_get_dnode_of_data().
+
+Cc: stable@kernel.org
+Reported-by: Jiaming Zhang <r772577952@gmail.com>
+Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -799,6 +799,16 @@ int f2fs_get_dnode_of_data(struct dnode_
+       for (i = 1; i <= level; i++) {
+               bool done = false;
++              if (nids[i] && nids[i] == dn->inode->i_ino) {
++                      err = -EFSCORRUPTED;
++                      f2fs_err_ratelimited(sbi,
++                              "inode mapping table is corrupted, run fsck to fix it, "
++                              "ino:%lu, nid:%u, level:%d, offset:%d",
++                              dn->inode->i_ino, nids[i], level, offset[level]);
++                      set_sbi_flag(sbi, SBI_NEED_FSCK);
++                      goto release_pages;
++              }
++
+               if (!nids[i] && mode == ALLOC_NODE) {
+                       /* alloc new node */
+                       if (!f2fs_alloc_nid(sbi, &(nids[i]))) {
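Review bot: The error message in the added check prints `level` and `offset[level]`, but the offending nid was found at loop index `i`, so for a multi-level lookup the log does not say which level of the node tree carried the inode's own number. Consider reporting the index too, e.g. `"ino:%lu, nid:%u, i:%d, level:%d, offset:%d", dn->inode->i_ino, nids[i], i, level, offset[i]`. The check rejects only a nid equal to the owning inode number; other aliasing in a corrupted image is not covered by this test as far as the hunk shows. f2fs_get_dnode_of_data() begins and ends outside the hunk, so the `release_pages` path cannot be checked here.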
diff --git a/queue-6.6/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch b/queue-6.6/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch
new file mode 100644 (file)
index 0000000..02c25c1
--- /dev/null
@@ -0,0 +1,73 @@
+From 9d98cf4632258720f18265a058e62fde120c0151 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Tue, 12 Aug 2025 14:37:52 +0800
+Subject: jbd2: prevent softlockup in jbd2_log_do_checkpoint()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit 9d98cf4632258720f18265a058e62fde120c0151 upstream.
+
+Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()
+periodically release j_list_lock after processing a batch of buffers to
+avoid long hold times on the j_list_lock. However, since both functions
+contend for j_list_lock, the combined time spent waiting and processing
+can be significant.
+
+jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when
+need_resched() is true to avoid softlockups during prolonged operations.
+But jbd2_log_do_checkpoint() only exits its loop when need_resched() is
+true, relying on potentially sleeping functions like __flush_batch() or
+wait_on_buffer() to trigger rescheduling. If those functions do not sleep,
+the kernel may hit a softlockup.
+
+watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]
+CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10
+Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017
+Workqueue: writeback wb_workfn (flush-7:2)
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : native_queued_spin_lock_slowpath+0x358/0x418
+lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
+Call trace:
+ native_queued_spin_lock_slowpath+0x358/0x418
+ jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
+ __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]
+ add_transaction_credits+0x3bc/0x418 [jbd2]
+ start_this_handle+0xf8/0x560 [jbd2]
+ jbd2__journal_start+0x118/0x228 [jbd2]
+ __ext4_journal_start_sb+0x110/0x188 [ext4]
+ ext4_do_writepages+0x3dc/0x740 [ext4]
+ ext4_writepages+0xa4/0x190 [ext4]
+ do_writepages+0x94/0x228
+ __writeback_single_inode+0x48/0x318
+ writeback_sb_inodes+0x204/0x590
+ __writeback_inodes_wb+0x54/0xf8
+ wb_writeback+0x2cc/0x3d8
+ wb_do_writeback+0x2e0/0x2f8
+ wb_workfn+0x80/0x2a8
+ process_one_work+0x178/0x3e8
+ worker_thread+0x234/0x3b8
+ kthread+0xf0/0x108
+ ret_from_fork+0x10/0x20
+
+So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid
+softlockup.
+
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Link: https://patch.msgid.link/20250812063752.912130-1-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/checkpoint.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -285,6 +285,7 @@ restart:
+               retry:
+                       if (batch_count)
+                               __flush_batch(journal, &batch_count);
++                      cond_resched();
+                       spin_lock(&journal->j_list_lock);
+                       goto restart;
+       }
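Review bot: The added `cond_resched()` carries no comment saying why it is needed, and the reason is not obvious from the neighbouring lines because `__flush_batch()` looks like it could already sleep. A one-line comment would keep it from being dropped in a later cleanup, e.g. `/* __flush_batch() may not sleep; yield before retaking j_list_lock */`. The call sits just before `spin_lock(&journal->j_list_lock)`, so it appears to run with the lock released, but the unlock is outside the hunk and should be confirmed for every path that reaches `retry:`.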
diff --git a/queue-6.6/media-gspca-add-bounds-checking-to-firmware-parser.patch b/queue-6.6/media-gspca-add-bounds-checking-to-firmware-parser.patch
new file mode 100644 (file)
index 0000000..8939ed8
--- /dev/null
@@ -0,0 +1,56 @@
+From aef89c0b2417da79cb2062a95476288f9f203ab0 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 28 May 2025 23:22:14 +0300
+Subject: media: gspca: Add bounds checking to firmware parser
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit aef89c0b2417da79cb2062a95476288f9f203ab0 upstream.
+
+This sd_init() function reads the firmware.  The firmware data holds a
+series of records and the function reads each record and sends the data
+to the device.  The request_ihex_firmware() function
+calls ihex_validate_fw() which ensures that the total length of all the
+records won't read out of bounds of the fw->data[].
+
+However, a potential issue is if there is a single very large
+record (larger than PAGE_SIZE) and that would result in memory
+corruption.  Generally we trust the firmware, but it's always better to
+double check.
+
+Fixes: 49b61ec9b5af ("[media] gspca: Add new vicam subdriver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/gspca/vicam.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/gspca/vicam.c
++++ b/drivers/media/usb/gspca/vicam.c
+@@ -227,6 +227,7 @@ static int sd_init(struct gspca_dev *gsp
+       const struct ihex_binrec *rec;
+       const struct firmware *fw;
+       u8 *firmware_buf;
++      int len;
+       ret = request_ihex_firmware(&fw, VICAM_FIRMWARE,
+                                   &gspca_dev->dev->dev);
+@@ -241,9 +242,14 @@ static int sd_init(struct gspca_dev *gsp
+               goto exit;
+       }
+       for (rec = (void *)fw->data; rec; rec = ihex_next_binrec(rec)) {
+-              memcpy(firmware_buf, rec->data, be16_to_cpu(rec->len));
++              len = be16_to_cpu(rec->len);
++              if (len > PAGE_SIZE) {
++                      ret = -EINVAL;
++                      break;
++              }
++              memcpy(firmware_buf, rec->data, len);
+               ret = vicam_control_msg(gspca_dev, 0xff, 0, 0, firmware_buf,
+-                                      be16_to_cpu(rec->len));
++                                      len);
+               if (ret < 0)
+                       break;
+       }
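Review bot: The new bound `len > PAGE_SIZE` is only correct if `firmware_buf` is exactly PAGE_SIZE bytes, and that allocation is outside the hunk, so the check and the buffer size can drift apart unnoticed. A comment at the check such as `/* firmware_buf is PAGE_SIZE bytes: reject a record that would overflow it */`, or one named constant used for both, would tie them together. The rejection path also sets `-EINVAL` without logging anything, so a malformed firmware file fails sd_init() with no hint that a record was oversized; one error message that includes `len` would help triage. sd_init() starts and ends outside the hunk.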
diff --git a/queue-6.6/media-hi556-correct-the-test-pattern-configuration.patch b/queue-6.6/media-hi556-correct-the-test-pattern-configuration.patch
new file mode 100644 (file)
index 0000000..64e7378
--- /dev/null
@@ -0,0 +1,95 @@
+From 020f602b068c9ce18d5056d02c8302199377d98d Mon Sep 17 00:00:00 2001
+From: Bingbu Cao <bingbu.cao@intel.com>
+Date: Mon, 30 Jun 2025 17:04:20 +0800
+Subject: media: hi556: correct the test pattern configuration
+
+From: Bingbu Cao <bingbu.cao@intel.com>
+
+commit 020f602b068c9ce18d5056d02c8302199377d98d upstream.
+
+Hynix hi556 support 8 test pattern modes:
+hi556_test_pattern_menu[] = {
+{
+       "Disabled",
+       "Solid Colour",
+       "100% Colour Bars",
+       "Fade To Grey Colour Bars",
+       "PN9",
+       "Gradient Horizontal",
+       "Gradient Vertical",
+       "Check Board",
+       "Slant Pattern",
+}
+
+The test pattern is set by a 8-bit register according to the
+specification.
++--------+-------------------------------+
+| BIT[0] |  Solid color                  |
++--------+-------------------------------+
+| BIT[1] |  Color bar                    |
++--------+-------------------------------+
+| BIT[2] |  Fade to grey color bar       |
++--------+-------------------------------+
+| BIT[3] |  PN9                          |
++--------+-------------------------------+
+| BIT[4] |  Gradient horizontal          |
++--------+-------------------------------+
+| BIT[5] |  Gradient vertical            |
++--------+-------------------------------+
+| BIT[6] |  Check board                  |
++--------+-------------------------------+
+| BIT[7] |  Slant pattern                |
++--------+-------------------------------+
+Based on function above, current test pattern programming is wrong.
+This patch fixes it by 'BIT(pattern - 1)'. If pattern is 0, driver
+will disable the test pattern generation and set the pattern to 0.
+
+Fixes: e62138403a84 ("media: hi556: Add support for Hi-556 sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/hi556.c |   28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/i2c/hi556.c
++++ b/drivers/media/i2c/hi556.c
+@@ -689,21 +689,23 @@ static int hi556_test_pattern(struct hi5
+       int ret;
+       u32 val;
+-      if (pattern) {
+-              ret = hi556_read_reg(hi556, HI556_REG_ISP,
+-                                   HI556_REG_VALUE_08BIT, &val);
+-              if (ret)
+-                      return ret;
+-
+-              ret = hi556_write_reg(hi556, HI556_REG_ISP,
+-                                    HI556_REG_VALUE_08BIT,
+-                                    val | HI556_REG_ISP_TPG_EN);
+-              if (ret)
+-                      return ret;
+-      }
++      ret = hi556_read_reg(hi556, HI556_REG_ISP,
++                           HI556_REG_VALUE_08BIT, &val);
++      if (ret)
++              return ret;
++
++      val = pattern ? (val | HI556_REG_ISP_TPG_EN) :
++              (val & ~HI556_REG_ISP_TPG_EN);
++
++      ret = hi556_write_reg(hi556, HI556_REG_ISP,
++                            HI556_REG_VALUE_08BIT, val);
++      if (ret)
++              return ret;
++
++      val = pattern ? BIT(pattern - 1) : 0;
+       return hi556_write_reg(hi556, HI556_REG_TEST_PATTERN,
+-                             HI556_REG_VALUE_08BIT, pattern);
++                             HI556_REG_VALUE_08BIT, val);
+ }
+ static int hi556_set_ctrl(struct v4l2_ctrl *ctrl)
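Review bot: `BIT(pattern - 1)` is written to a register accessed as `HI556_REG_VALUE_08BIT`, so any `pattern` above 8 would yield a value wider than the register, and hi556_test_pattern() does not bound it itself. The value presumably comes from the test-pattern menu control and is limited by the menu size, but that is outside the hunk. A comment stating the assumption would make it explicit, e.g. `/* pattern is a menu index 0..8: 0 disables, n selects BIT(n - 1) */`.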
diff --git a/queue-6.6/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch b/queue-6.6/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch
new file mode 100644 (file)
index 0000000..a3745d5
--- /dev/null
@@ -0,0 +1,35 @@
+From fc5f8aec77704373ee804b5dba0e0e5029c0f180 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Thu, 27 Feb 2025 15:44:51 +0800
+Subject: media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit fc5f8aec77704373ee804b5dba0e0e5029c0f180 upstream.
+
+Add video_device_release() in label 'err_m2m' to release the memory
+allocated by video_device_alloc() and prevent potential memory leaks.
+Remove the reduntant code in label 'err_m2m'.
+
+Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/imx/imx-media-csc-scaler.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/media/imx/imx-media-csc-scaler.c
++++ b/drivers/staging/media/imx/imx-media-csc-scaler.c
+@@ -914,7 +914,7 @@ imx_media_csc_scaler_device_init(struct
+       return &priv->vdev;
+ err_m2m:
+-      video_set_drvdata(vfd, NULL);
++      video_device_release(vfd);
+ err_vfd:
+       kfree(priv);
+       return ERR_PTR(ret);
diff --git a/queue-6.6/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch b/queue-6.6/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch
new file mode 100644 (file)
index 0000000..c430412
--- /dev/null
@@ -0,0 +1,82 @@
+From 0c92c49fc688cfadacc47ae99b06a31237702e9e Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hansg@kernel.org>
+Date: Sat, 21 Jun 2025 16:00:52 +0200
+Subject: media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls
+
+From: Hans de Goede <hansg@kernel.org>
+
+commit 0c92c49fc688cfadacc47ae99b06a31237702e9e upstream.
+
+Both the ACE and CSI driver are missing a mei_cldev_disable() call in
+their remove() function.
+
+This causes the mei_cl client to stay part of the mei_device->file_list
+list even though its memory is freed by mei_cl_bus_dev_release() calling
+kfree(cldev->cl).
+
+This leads to a use-after-free when mei_vsc_remove() runs mei_stop()
+which first removes all mei bus devices calling mei_ace_remove() and
+mei_csi_remove() followed by mei_cl_bus_dev_release() and then calls
+mei_cl_all_disconnect() which walks over mei_device->file_list dereferecing
+the just freed cldev->cl.
+
+And mei_vsc_remove() it self is run at shutdown because of the
+platform_device_unregister(tp->pdev) in vsc_tp_shutdown()
+
+When building a kernel with KASAN this leads to the following KASAN report:
+
+[ 106.634504] ==================================================================
+[ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei
+[ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1
+[ 106.634729]
+[ 106.634767] Tainted: [E]=UNSIGNED_MODULE
+[ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025
+[ 106.634773] Call Trace:
+[ 106.634777]  <TASK>
+...
+[ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)
+[ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei
+[ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei
+[ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei
+...
+[ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei
+[ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc
+[ 106.635066] platform_remove (drivers/base/platform.c:1424)
+
+Add the missing mei_cldev_disable() calls so that the mei_cl gets removed
+from mei_device->file_list before it is freed to fix this.
+
+Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule")
+Fixes: 29006e196a56 ("media: pci: intel: ivsc: Add CSI submodule")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/intel/ivsc/mei_ace.c |    2 ++
+ drivers/media/pci/intel/ivsc/mei_csi.c |    2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/media/pci/intel/ivsc/mei_ace.c
++++ b/drivers/media/pci/intel/ivsc/mei_ace.c
+@@ -528,6 +528,8 @@ static void mei_ace_remove(struct mei_cl
+       ace_set_camera_owner(ace, ACE_CAMERA_IVSC);
++      mei_cldev_disable(cldev);
++
+       mutex_destroy(&ace->lock);
+ }
+--- a/drivers/media/pci/intel/ivsc/mei_csi.c
++++ b/drivers/media/pci/intel/ivsc/mei_csi.c
+@@ -807,6 +807,8 @@ static void mei_csi_remove(struct mei_cl
+       pm_runtime_disable(&cldev->dev);
++      mei_cldev_disable(cldev);
++
+       mutex_destroy(&csi->lock);
+ }
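Review bot: Both added `mei_cldev_disable(cldev);` calls are order-sensitive but uncommented: in mei_ace_remove() the call follows `ace_set_camera_owner()`, which presumably still needs the client enabled, and in both functions it has to run before the bus core frees `cldev->cl`. A short comment in each remove() such as `/* unlink the mei_cl from mei_device->file_list before it is freed */` would record why the call is there. The return value of mei_cldev_disable() is discarded in both places; if it can fail, the stale list entry described in the commit message would remain, so a warning on a non-zero return seems worthwhile. Both remove() bodies start outside their hunks.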
diff --git a/queue-6.6/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch b/queue-6.6/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch
new file mode 100644 (file)
index 0000000..8d1893e
--- /dev/null
@@ -0,0 +1,42 @@
+From 76142b137b968d47b35cdd8d1dc924677d319c8b Mon Sep 17 00:00:00 2001
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+Date: Sun, 6 Jul 2025 00:31:09 +0800
+Subject: media: ov2659: Fix memory leaks in ov2659_probe()
+
+From: Zhang Shurong <zhang_shurong@foxmail.com>
+
+commit 76142b137b968d47b35cdd8d1dc924677d319c8b upstream.
+
+ov2659_probe() doesn't properly free control handler resources in failure
+paths, causing memory leaks. Add v4l2_ctrl_handler_free() to prevent these
+memory leaks and reorder the ctrl_handler assignment for better code flow.
+
+Fixes: c4c0283ab3cd ("[media] media: i2c: add support for omnivision's ov2659 sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov2659.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ov2659.c
++++ b/drivers/media/i2c/ov2659.c
+@@ -1479,14 +1479,15 @@ static int ov2659_probe(struct i2c_clien
+                                    V4L2_CID_TEST_PATTERN,
+                                    ARRAY_SIZE(ov2659_test_pattern_menu) - 1,
+                                    0, 0, ov2659_test_pattern_menu);
+-      ov2659->sd.ctrl_handler = &ov2659->ctrls;
+       if (ov2659->ctrls.error) {
+               dev_err(&client->dev, "%s: control initialization error %d\n",
+                       __func__, ov2659->ctrls.error);
++              v4l2_ctrl_handler_free(&ov2659->ctrls);
+               return  ov2659->ctrls.error;
+       }
++      ov2659->sd.ctrl_handler = &ov2659->ctrls;
+       sd = &ov2659->sd;
+       client->flags |= I2C_CLIENT_SCCB;
+ #ifdef CONFIG_VIDEO_V4L2_SUBDEV_API
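Review bot: On the error path the new code calls `v4l2_ctrl_handler_free(&ov2659->ctrls)` and then returns `ov2659->ctrls.error`, reading the error field after the handler has been freed. The v4l2-ctrls patch queued in this same commit removes an `hdl->error = 0;` line from v4l2_ctrl_handler_free(), so on a tree where that patch is not applied first this path would return 0 and ov2659_probe() would report success after a control initialization failure. Capturing the code before freeing removes the dependency: `int err = ov2659->ctrls.error;`, then `v4l2_ctrl_handler_free(&ov2659->ctrls);` and `return err;`. ov2659_probe() begins and ends outside the hunk, so the other failure paths mentioned in the commit message cannot be checked here.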
diff --git a/queue-6.6/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch b/queue-6.6/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch
new file mode 100644 (file)
index 0000000..860bc54
--- /dev/null
@@ -0,0 +1,54 @@
+From 7af160aea26c7dc9e6734d19306128cce156ec40 Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han <hanguidong02@gmail.com>
+Date: Fri, 6 Jun 2025 03:04:59 +0000
+Subject: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+commit 7af160aea26c7dc9e6734d19306128cce156ec40 upstream.
+
+In the interrupt handler rain_interrupt(), the buffer full check on
+rain->buf_len is performed before acquiring rain->buf_lock. This
+creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as
+rain->buf_len is concurrently accessed and modified in the work
+handler rain_irq_work_handler() under the same lock.
+
+Multiple interrupt invocations can race, with each reading buf_len
+before it becomes full and then proceeding. This can lead to both
+interrupts attempting to write to the buffer, incrementing buf_len
+beyond its capacity (DATA_SIZE) and causing a buffer overflow.
+
+Fix this bug by moving the spin_lock() to before the buffer full
+check. This ensures that the check and the subsequent buffer modification
+are performed atomically, preventing the race condition. An corresponding
+spin_unlock() is added to the overflow path to correctly release the
+lock.
+
+This possible bug was found by an experimental static analysis tool
+developed by our team.
+
+Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/cec/usb/rainshadow/rainshadow-cec.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c
++++ b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c
+@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct
+ {
+       struct rain *rain = serio_get_drvdata(serio);
++      spin_lock(&rain->buf_lock);
+       if (rain->buf_len == DATA_SIZE) {
++              spin_unlock(&rain->buf_lock);
+               dev_warn_once(rain->dev, "buffer overflow\n");
+               return IRQ_HANDLED;
+       }
+-      spin_lock(&rain->buf_lock);
+       rain->buf_len++;
+       rain->buf[rain->buf_wr_idx] = data;
+       rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff;
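Review bot: With `spin_lock(&rain->buf_lock)` now taken at the top of rain_interrupt(), the overflow branch has its own `spin_unlock()` while the normal path's unlock is outside the hunk, so there are two release points to keep in sync. A comment at the lock stating the invariant would help, e.g. `/* buf_len is shared with rain_irq_work_handler(); test and update it under buf_lock */`. The context line `(rain->buf_wr_idx + 1) & 0xff` also hard-codes a ring size that the check expresses as `DATA_SIZE`; if the two are meant to be the same value, deriving the mask from `DATA_SIZE` would keep the bound and the wrap consistent.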
diff --git a/queue-6.6/media-usbtv-lock-resolution-while-streaming.patch b/queue-6.6/media-usbtv-lock-resolution-while-streaming.patch
new file mode 100644 (file)
index 0000000..841ca89
--- /dev/null
@@ -0,0 +1,39 @@
+From 7e40e0bb778907b2441bff68d73c3eb6b6cd319f Mon Sep 17 00:00:00 2001
+From: Ludwig Disterhof <ludwig@disterhof.eu>
+Date: Mon, 28 Apr 2025 20:16:50 +0200
+Subject: media: usbtv: Lock resolution while streaming
+
+From: Ludwig Disterhof <ludwig@disterhof.eu>
+
+commit 7e40e0bb778907b2441bff68d73c3eb6b6cd319f upstream.
+
+When an program is streaming (ffplay) and another program (qv4l2)
+changes the TV standard from NTSC to PAL, the kernel crashes due to trying
+to copy to unmapped memory.
+
+Changing from NTSC to PAL increases the resolution in the usbtv struct,
+but the video plane buffer isn't adjusted, so it overflows.
+
+Fixes: 0e0fe3958fdd13d ("[media] usbtv: Add support for PAL video source")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ludwig Disterhof <ludwig@disterhof.eu>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[hverkuil: call vb2_is_busy instead of vb2_is_streaming]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/usbtv/usbtv-video.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/usb/usbtv/usbtv-video.c
++++ b/drivers/media/usb/usbtv/usbtv-video.c
+@@ -73,6 +73,10 @@ static int usbtv_configure_for_norm(stru
+       }
+       if (params) {
++              if (vb2_is_busy(&usbtv->vb2q) &&
++                  (usbtv->width != params->cap_width ||
++                   usbtv->height != params->cap_height))
++                      return -EBUSY;
+               usbtv->width = params->cap_width;
+               usbtv->height = params->cap_height;
+               usbtv->n_chunks = usbtv->width * usbtv->height
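Review bot: The new `-EBUSY` return in usbtv_configure_for_norm() has no comment explaining that the video buffers were sized for the current resolution, which is the whole reason for the check. Something like `/* buffers are sized for the current width/height; refuse a norm that changes them while the queue is busy */` above the `vb2_is_busy()` test would document it. The callers are outside the hunk; they need to propagate this error and leave the stored norm unchanged, otherwise the reported standard and the actual resolution could disagree. The function continues past the last line of the hunk.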
diff --git a/queue-6.6/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch b/queue-6.6/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
new file mode 100644 (file)
index 0000000..d3a7139
--- /dev/null
@@ -0,0 +1,44 @@
+From 5a0400aca5fa7c6b8ba456c311a460e733571c88 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Thu, 8 May 2025 18:55:38 +0300
+Subject: media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 upstream.
+
+It's a common pattern in drivers to free the control handler's resources
+and then return the handler's error code on drivers' error handling paths.
+Alas, the v4l2_ctrl_handler_free() function also zeroes the error field,
+effectively indicating successful return to the caller.
+
+There's no apparent need to touch the error field while releasing the
+control handler's resources and cleaning up stale pointers. Not touching
+the handler's error field is a more certain way to address this problem
+than changing all the users, in which case the pattern would be likely to
+re-emerge in new drivers.
+
+Do just that, don't touch the control handler's error field in
+v4l2_ctrl_handler_free().
+
+Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-core.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+@@ -1578,7 +1578,6 @@ void v4l2_ctrl_handler_free(struct v4l2_
+       kvfree(hdl->buckets);
+       hdl->buckets = NULL;
+       hdl->cached = NULL;
+-      hdl->error = 0;
+       mutex_unlock(hdl->lock);
+       mutex_destroy(&hdl->_lock);
+ }
diff --git a/queue-6.6/media-verisilicon-fix-av1-decoder-clock-frequency.patch b/queue-6.6/media-verisilicon-fix-av1-decoder-clock-frequency.patch
new file mode 100644 (file)
index 0000000..e0741be
--- /dev/null
@@ -0,0 +1,57 @@
+From 01350185fe02ae3ea2c12d578e06af0d5186f33e Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Mon, 17 Feb 2025 16:46:54 -0500
+Subject: media: verisilicon: Fix AV1 decoder clock frequency
+
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+
+commit 01350185fe02ae3ea2c12d578e06af0d5186f33e upstream.
+
+The desired clock frequency was correctly set to 400MHz in the device tree
+but was lowered by the driver to 300MHz breaking 4K 60Hz content playback.
+Fix the issue by removing the driver call to clk_set_rate(), which reduce
+the amount of board specific code.
+
+Fixes: 003afda97c65 ("media: verisilicon: Enable AV1 decoder on rk3588")
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/verisilicon/rockchip_vpu_hw.c |    9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/media/platform/verisilicon/rockchip_vpu_hw.c
++++ b/drivers/media/platform/verisilicon/rockchip_vpu_hw.c
+@@ -17,7 +17,6 @@
+ #define RK3066_ACLK_MAX_FREQ (300 * 1000 * 1000)
+ #define RK3288_ACLK_MAX_FREQ (400 * 1000 * 1000)
+-#define RK3588_ACLK_MAX_FREQ (300 * 1000 * 1000)
+ #define ROCKCHIP_VPU981_MIN_SIZE 64
+@@ -441,13 +440,6 @@ static int rk3066_vpu_hw_init(struct han
+       return 0;
+ }
+-static int rk3588_vpu981_hw_init(struct hantro_dev *vpu)
+-{
+-      /* Bump ACLKs to max. possible freq. to improve performance. */
+-      clk_set_rate(vpu->clocks[0].clk, RK3588_ACLK_MAX_FREQ);
+-      return 0;
+-}
+-
+ static int rockchip_vpu_hw_init(struct hantro_dev *vpu)
+ {
+       /* Bump ACLK to max. possible freq. to improve performance. */
+@@ -808,7 +800,6 @@ const struct hantro_variant rk3588_vpu98
+       .codec_ops = rk3588_vpu981_codec_ops,
+       .irqs = rk3588_vpu981_irqs,
+       .num_irqs = ARRAY_SIZE(rk3588_vpu981_irqs),
+-      .init = rk3588_vpu981_hw_init,
+       .clk_names = rk3588_vpu981_vpu_clk_names,
+       .num_clocks = ARRAY_SIZE(rk3588_vpu981_vpu_clk_names)
+ };
diff --git a/queue-6.6/media-vivid-fix-wrong-pixel_array-control-size.patch b/queue-6.6/media-vivid-fix-wrong-pixel_array-control-size.patch
new file mode 100644 (file)
index 0000000..b1d5c67
--- /dev/null
@@ -0,0 +1,52 @@
+From 3e43442d4994c9e1e202c98129a87e330f7faaed Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Sun, 6 Jul 2025 12:55:40 +0200
+Subject: media: vivid: fix wrong pixel_array control size
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit 3e43442d4994c9e1e202c98129a87e330f7faaed upstream.
+
+The pixel_array control size was calculated incorrectly:
+the dimensions were swapped (dims[0] should be the height), and the
+values should be the width or height divided by PIXEL_ARRAY_DIV
+and rounded up. So don't use roundup, but use DIV_ROUND_UP instead.
+
+This bug is harmless in the sense that nothing will break, except that
+it consumes way too much memory for this control.
+
+Fixes: 6bc7643d1b9c ("media: vivid: add pixel_array test control")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vivid/vivid-ctrls.c   |    3 ++-
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c |    4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/test-drivers/vivid/vivid-ctrls.c
++++ b/drivers/media/test-drivers/vivid/vivid-ctrls.c
+@@ -240,7 +240,8 @@ static const struct v4l2_ctrl_config viv
+       .min = 0x00,
+       .max = 0xff,
+       .step = 1,
+-      .dims = { 640 / PIXEL_ARRAY_DIV, 360 / PIXEL_ARRAY_DIV },
++      .dims = { DIV_ROUND_UP(360, PIXEL_ARRAY_DIV),
++                DIV_ROUND_UP(640, PIXEL_ARRAY_DIV) },
+ };
+ static const struct v4l2_ctrl_config vivid_ctrl_s32_array = {
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -460,8 +460,8 @@ void vivid_update_format_cap(struct vivi
+       if (keep_controls)
+               return;
+-      dims[0] = roundup(dev->src_rect.width, PIXEL_ARRAY_DIV);
+-      dims[1] = roundup(dev->src_rect.height, PIXEL_ARRAY_DIV);
++      dims[0] = DIV_ROUND_UP(dev->src_rect.height, PIXEL_ARRAY_DIV);
++      dims[1] = DIV_ROUND_UP(dev->src_rect.width, PIXEL_ARRAY_DIV);
+       v4l2_ctrl_modify_dimensions(dev->pixel_array, dims);
+ }
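Review bot: Neither hunk records that `dims[0]` is the height and `dims[1]` the width, which is exactly the ordering the replaced lines got wrong. A one-line comment above the `.dims` initializer in vivid-ctrls.c and above the two assignments in `vivid_update_format_cap()` would keep the order from being swapped back, for example `/* dims[0] = height, dims[1] = width, both in PIXEL_ARRAY_DIV units (rounded up) */`. The literals 360 and 640 presumably mirror a default source rectangle defined elsewhere; that is not visible here. Both functions continue outside the hunks.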
diff --git a/queue-6.6/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch b/queue-6.6/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch
new file mode 100644 (file)
index 0000000..84c2bdd
--- /dev/null
@@ -0,0 +1,33 @@
+From 6c4dab38431fee3d39a841d66ba6f2890b31b005 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Mon, 7 Jul 2025 09:39:37 +0200
+Subject: mtd: rawnand: fsmc: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 6c4dab38431fee3d39a841d66ba6f2890b31b005 upstream.
+
+The DMA map functions can fail and should be tested for errors.
+
+Fixes: 4774fb0a48aa ("mtd: nand/fsmc: Add DMA support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Rule: add
+Link: https://lore.kernel.org/stable/20250702065806.20983-2-fourier.thomas%40gmail.com
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/fsmc_nand.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/nand/raw/fsmc_nand.c
++++ b/drivers/mtd/nand/raw/fsmc_nand.c
+@@ -503,6 +503,8 @@ static int dma_xfer(struct fsmc_nand_dat
+       dma_dev = chan->device;
+       dma_addr = dma_map_single(dma_dev->dev, buffer, len, direction);
++      if (dma_mapping_error(dma_dev->dev, dma_addr))
++              return -EINVAL;
+       if (direction == DMA_TO_DEVICE) {
+               dma_src = dma_addr;
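Review bot: The added failure path in `dma_xfer()` returns `-EINVAL`, which reports a failed DMA mapping as a bad argument. The renesas NAND patch in this same queue returns `-ENOMEM` for the same `dma_mapping_error()` condition. If callers only test for non-zero this is cosmetic, but it affects what gets logged and propagated, so `return -ENOMEM;` (or `-EIO`) would be the more conventional choice. The body of `dma_xfer()` starts and ends outside the hunk, so I cannot confirm that nothing acquired earlier needs releasing before this early return.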
diff --git a/queue-6.6/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch b/queue-6.6/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch
new file mode 100644 (file)
index 0000000..bae2a91
--- /dev/null
@@ -0,0 +1,42 @@
+From 79e441ee47949376e3bc20f085cf017b70523d0f Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Wed, 2 Jul 2025 10:01:06 +0200
+Subject: mtd: rawnand: renesas: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit 79e441ee47949376e3bc20f085cf017b70523d0f upstream.
+
+The DMA map functions can fail and should be tested for errors.
+
+Fixes: d8701fe890ec ("mtd: rawnand: renesas: Add new NAND controller driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/renesas-nand-controller.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mtd/nand/raw/renesas-nand-controller.c
++++ b/drivers/mtd/nand/raw/renesas-nand-controller.c
+@@ -426,6 +426,9 @@ static int rnandc_read_page_hw_ecc(struc
+       /* Configure DMA */
+       dma_addr = dma_map_single(rnandc->dev, rnandc->buf, mtd->writesize,
+                                 DMA_FROM_DEVICE);
++      if (dma_mapping_error(rnandc->dev, dma_addr))
++              return -ENOMEM;
++
+       writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG);
+       writel(mtd->writesize, rnandc->regs + DMA_CNT_REG);
+       writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG);
+@@ -606,6 +609,9 @@ static int rnandc_write_page_hw_ecc(stru
+       /* Configure DMA */
+       dma_addr = dma_map_single(rnandc->dev, (void *)rnandc->buf, mtd->writesize,
+                                 DMA_TO_DEVICE);
++      if (dma_mapping_error(rnandc->dev, dma_addr))
++              return -ENOMEM;
++
+       writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG);
+       writel(mtd->writesize, rnandc->regs + DMA_CNT_REG);
+       writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG);
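Review bot: Both new `return -ENOMEM;` statements leave `rnandc_read_page_hw_ecc()` and `rnandc_write_page_hw_ecc()` directly, without undoing anything done before the `/* Configure DMA */` block. That earlier part of each function is outside the hunks. If it selects the target, enables interrupts or turns on ECC correction, the error path should restore that state (or the mapping should be moved ahead of the controller setup) so a mapping failure does not leave the controller armed for a transfer that never starts. A short comment at each return stating that no controller state needs to be rolled back would also settle the question for later readers.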
diff --git a/queue-6.6/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch b/queue-6.6/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch
new file mode 100644 (file)
index 0000000..f607977
--- /dev/null
@@ -0,0 +1,115 @@
+From 2e3a7476ec3989e77270b9481e76e137824b17c0 Mon Sep 17 00:00:00 2001
+From: Michael Walle <mwalle@kernel.org>
+Date: Tue, 1 Jul 2025 16:04:26 +0200
+Subject: mtd: spi-nor: Fix spi_nor_try_unlock_all()
+
+From: Michael Walle <mwalle@kernel.org>
+
+commit 2e3a7476ec3989e77270b9481e76e137824b17c0 upstream.
+
+Commit ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()")
+moved all initialization of the mtd fields at the end of spi_nor_scan().
+Normally, the mtd info is only needed for the mtd ops on the device,
+with one exception: spi_nor_try_unlock_all(), which will also make use
+of the mtd->size parameter. With that commit, the size will always be
+zero because it is not initialized. Fix that by not using the size of
+the mtd_info struct, but use the size from struct spi_nor_flash_parameter.
+
+Fixes: ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()")
+Cc: stable@vger.kernel.org
+Reported-by: Jean-Marc Ranger <jmranger@hotmail.com>
+Closes: https://lore.kernel.org/all/DM6PR06MB561177323DC5207E34AF2A06C547A@DM6PR06MB5611.namprd06.prod.outlook.com/
+Tested-by: Jean-Marc Ranger <jmranger@hotmail.com>
+Signed-off-by: Michael Walle <mwalle@kernel.org>
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Link: https://lore.kernel.org/r/20250701140426.2355182-1-mwalle@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/swp.c |   19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/drivers/mtd/spi-nor/swp.c
++++ b/drivers/mtd/spi-nor/swp.c
+@@ -50,7 +50,6 @@ static u64 spi_nor_get_min_prot_length_s
+ static void spi_nor_get_locked_range_sr(struct spi_nor *nor, u8 sr, loff_t *ofs,
+                                       uint64_t *len)
+ {
+-      struct mtd_info *mtd = &nor->mtd;
+       u64 min_prot_len;
+       u8 mask = spi_nor_get_sr_bp_mask(nor);
+       u8 tb_mask = spi_nor_get_sr_tb_mask(nor);
+@@ -71,13 +70,13 @@ static void spi_nor_get_locked_range_sr(
+       min_prot_len = spi_nor_get_min_prot_length_sr(nor);
+       *len = min_prot_len << (bp - 1);
+-      if (*len > mtd->size)
+-              *len = mtd->size;
++      if (*len > nor->params->size)
++              *len = nor->params->size;
+       if (nor->flags & SNOR_F_HAS_SR_TB && sr & tb_mask)
+               *ofs = 0;
+       else
+-              *ofs = mtd->size - *len;
++              *ofs = nor->params->size - *len;
+ }
+ /*
+@@ -153,7 +152,6 @@ static bool spi_nor_is_unlocked_sr(struc
+  */
+ static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, uint64_t len)
+ {
+-      struct mtd_info *mtd = &nor->mtd;
+       u64 min_prot_len;
+       int ret, status_old, status_new;
+       u8 mask = spi_nor_get_sr_bp_mask(nor);
+@@ -178,7 +176,7 @@ static int spi_nor_sr_lock(struct spi_no
+               can_be_bottom = false;
+       /* If anything above us is unlocked, we can't use 'top' protection */
+-      if (!spi_nor_is_locked_sr(nor, ofs + len, mtd->size - (ofs + len),
++      if (!spi_nor_is_locked_sr(nor, ofs + len, nor->params->size - (ofs + len),
+                                 status_old))
+               can_be_top = false;
+@@ -190,11 +188,11 @@ static int spi_nor_sr_lock(struct spi_no
+       /* lock_len: length of region that should end up locked */
+       if (use_top)
+-              lock_len = mtd->size - ofs;
++              lock_len = nor->params->size - ofs;
+       else
+               lock_len = ofs + len;
+-      if (lock_len == mtd->size) {
++      if (lock_len == nor->params->size) {
+               val = mask;
+       } else {
+               min_prot_len = spi_nor_get_min_prot_length_sr(nor);
+@@ -243,7 +241,6 @@ static int spi_nor_sr_lock(struct spi_no
+  */
+ static int spi_nor_sr_unlock(struct spi_nor *nor, loff_t ofs, uint64_t len)
+ {
+-      struct mtd_info *mtd = &nor->mtd;
+       u64 min_prot_len;
+       int ret, status_old, status_new;
+       u8 mask = spi_nor_get_sr_bp_mask(nor);
+@@ -268,7 +265,7 @@ static int spi_nor_sr_unlock(struct spi_
+               can_be_top = false;
+       /* If anything above us is locked, we can't use 'bottom' protection */
+-      if (!spi_nor_is_unlocked_sr(nor, ofs + len, mtd->size - (ofs + len),
++      if (!spi_nor_is_unlocked_sr(nor, ofs + len, nor->params->size - (ofs + len),
+                                   status_old))
+               can_be_bottom = false;
+@@ -280,7 +277,7 @@ static int spi_nor_sr_unlock(struct spi_
+       /* lock_len: length of region that should remain locked */
+       if (use_top)
+-              lock_len = mtd->size - (ofs + len);
++              lock_len = nor->params->size - (ofs + len);
+       else
+               lock_len = ofs;
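Review bot: None of the changed sites say why `nor->params->size` is used instead of `mtd->size`, so a later cleanup could reasonably switch back and reintroduce the zero-size bug. A comment near the first use in `spi_nor_get_locked_range_sr()` would document the constraint, for example `/* mtd->size is not set yet when this runs from spi_nor_try_unlock_all(); use the flash parameter size */`. Since the same expression now appears six times across three functions, a local `u64 size = nor->params->size;` in each would also shorten the wrapped `spi_nor_is_locked_sr()` / `spi_nor_is_unlocked_sr()` calls. All three functions extend beyond the hunks shown.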
diff --git a/queue-6.6/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch b/queue-6.6/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch
new file mode 100644 (file)
index 0000000..111366f
--- /dev/null
@@ -0,0 +1,37 @@
+From 091d9e35b85b0f8f7e1c73535299f91364a5c73a Mon Sep 17 00:00:00 2001
+From: Gabor Juhos <j4g8y7@gmail.com>
+Date: Tue, 8 Jul 2025 15:11:00 +0200
+Subject: mtd: spinand: propagate spinand_wait() errors from spinand_write_page()
+
+From: Gabor Juhos <j4g8y7@gmail.com>
+
+commit 091d9e35b85b0f8f7e1c73535299f91364a5c73a upstream.
+
+Since commit 3d1f08b032dc ("mtd: spinand: Use the external ECC engine
+logic") the spinand_write_page() function ignores the errors returned
+by spinand_wait(). Change the code to propagate those up to the stack
+as it was done before the offending change.
+
+Cc: stable@vger.kernel.org
+Fixes: 3d1f08b032dc ("mtd: spinand: Use the external ECC engine logic")
+Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/spi/core.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -624,7 +624,10 @@ static int spinand_write_page(struct spi
+                          SPINAND_WRITE_INITIAL_DELAY_US,
+                          SPINAND_WRITE_POLL_DELAY_US,
+                          &status);
+-      if (!ret && (status & STATUS_PROG_FAILED))
++      if (ret)
++              return ret;
++
++      if (status & STATUS_PROG_FAILED)
+               return -EIO;
+       return nand_ecc_finish_io_req(nand, (struct nand_page_io_req *)req);
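Review bot: The new `return ret;` bypasses `nand_ecc_finish_io_req()`, as the existing `return -EIO;` already does. The part of `spinand_write_page()` that prepares the ECC request is outside the hunk. If that prepare step swaps buffers or changes engine state, both failure exits leave the request unfinished. Either call `nand_ecc_finish_io_req()` on the error paths as well and keep the first error, or add a comment stating that finishing is intentionally skipped when the program operation fails.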
diff --git a/queue-6.6/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch b/queue-6.6/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch
new file mode 100644 (file)
index 0000000..28a9ebd
--- /dev/null
@@ -0,0 +1,103 @@
+From 91428ca9320edbab1211851d82429d33b9cd73ef Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Mon, 21 Jul 2025 15:39:26 -0400
+Subject: parisc: Check region is readable by user in raw_copy_from_user()
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 91428ca9320edbab1211851d82429d33b9cd73ef upstream.
+
+Because of the way the _PAGE_READ is handled in the parisc PTE, an
+access interruption is not generated when the kernel reads from a
+region where the _PAGE_READ is zero. The current code was written
+assuming read access faults would also occur in the kernel.
+
+This change adds user access checks to raw_copy_from_user().  The
+prober_user() define checks whether user code has read access to
+a virtual address. Note that page faults are not handled in the
+exception support for the probe instruction. For this reason, we
+precede the probe by a ldb access check.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/special_insns.h |   28 ++++++++++++++++++++++++++++
+ arch/parisc/lib/memcpy.c                |   19 ++++++++++++++++++-
+ 2 files changed, 46 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/special_insns.h
++++ b/arch/parisc/include/asm/special_insns.h
+@@ -32,6 +32,34 @@
+       pa;                                             \
+ })
++/**
++ * prober_user() - Probe user read access
++ * @sr:               Space regster.
++ * @va:               Virtual address.
++ *
++ * Return: Non-zero if address is accessible.
++ *
++ * Due to the way _PAGE_READ is handled in TLB entries, we need
++ * a special check to determine whether a user address is accessible.
++ * The ldb instruction does the initial access check. If it is
++ * successful, the probe instruction checks user access rights.
++ */
++#define prober_user(sr, va)   ({                      \
++      unsigned long read_allowed;                     \
++      __asm__ __volatile__(                           \
++              "copy %%r0,%0\n"                        \
++              "8:\tldb 0(%%sr%1,%2),%%r0\n"           \
++              "\tproberi (%%sr%1,%2),%3,%0\n"         \
++              "9:\n"                                  \
++              ASM_EXCEPTIONTABLE_ENTRY(8b, 9b,        \
++                              "or %%r0,%%r0,%%r0")    \
++              : "=&r" (read_allowed)                  \
++              : "i" (sr), "r" (va), "i" (PRIV_USER)   \
++              : "memory"                              \
++      );                                              \
++      read_allowed;                                   \
++})
++
+ #define CR_EIEM 15    /* External Interrupt Enable Mask */
+ #define CR_CR16 16    /* CR16 Interval Timer */
+ #define CR_EIRR 23    /* External Interrupt Request Register */
+--- a/arch/parisc/lib/memcpy.c
++++ b/arch/parisc/lib/memcpy.c
+@@ -12,6 +12,7 @@
+ #include <linux/module.h>
+ #include <linux/compiler.h>
+ #include <linux/uaccess.h>
++#include <linux/mm.h>
+ #define get_user_space()      mfsp(SR_USER)
+ #define get_kernel_space()    SR_KERNEL
+@@ -32,9 +33,25 @@ EXPORT_SYMBOL(raw_copy_to_user);
+ unsigned long raw_copy_from_user(void *dst, const void __user *src,
+                              unsigned long len)
+ {
++      unsigned long start = (unsigned long) src;
++      unsigned long end = start + len;
++      unsigned long newlen = len;
++
+       mtsp(get_user_space(), SR_TEMP1);
+       mtsp(get_kernel_space(), SR_TEMP2);
+-      return pa_memcpy(dst, (void __force *)src, len);
++
++      /* Check region is user accessible */
++      if (start)
++      while (start < end) {
++              if (!prober_user(SR_TEMP1, start)) {
++                      newlen = (start - (unsigned long) src);
++                      break;
++              }
++              start += PAGE_SIZE;
++              /* align to page boundry which may have different permission */
++              start = PAGE_ALIGN_DOWN(start);
++      }
++      return len - newlen + pa_memcpy(dst, (void __force *)src, newlen);
+ }
+ EXPORT_SYMBOL(raw_copy_from_user);
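Review bot: `end = start + len` in `raw_copy_from_user()` is computed without an overflow check, so if the sum wraps, `start < end` is false on entry and `pa_memcpy()` runs on the full `len` with no page probed. Whether callers have already bounded the range is not visible in this hunk. A guard before the loop, such as `if (end < start) return len;`, makes the function reject a wrapped range instead of skipping the new permission check. Separately, `if (start)` controls an unbraced `while` at the same indent level, which reads as two independent statements; bracing it and adding a comment on why a zero `src` skips the probe would help. The kernel-doc for `prober_user()` has "regster" and the loop comment has "boundry".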
diff --git a/queue-6.6/parisc-define-and-use-set_pte_at.patch b/queue-6.6/parisc-define-and-use-set_pte_at.patch
new file mode 100644 (file)
index 0000000..1aea308
--- /dev/null
@@ -0,0 +1,58 @@
+From 802e55488bc2cc1ab6423b720255a785ccac42ce Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Mon, 21 Jul 2025 16:06:21 -0400
+Subject: parisc: Define and use set_pte_at()
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 802e55488bc2cc1ab6423b720255a785ccac42ce upstream.
+
+When a PTE is changed, we need to flush the PTE. set_pte_at()
+was lost in the folio update. PA-RISC version is the same as
+the generic version.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/pgtable.h |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/include/asm/pgtable.h
++++ b/arch/parisc/include/asm/pgtable.h
+@@ -276,7 +276,7 @@ extern unsigned long *empty_zero_page;
+ #define pte_none(x)     (pte_val(x) == 0)
+ #define pte_present(x)        (pte_val(x) & _PAGE_PRESENT)
+ #define pte_user(x)   (pte_val(x) & _PAGE_USER)
+-#define pte_clear(mm, addr, xp)  set_pte(xp, __pte(0))
++#define pte_clear(mm, addr, xp) set_pte_at((mm), (addr), (xp), __pte(0))
+ #define pmd_flag(x)   (pmd_val(x) & PxD_FLAG_MASK)
+ #define pmd_address(x)        ((unsigned long)(pmd_val(x) &~ PxD_FLAG_MASK) << PxD_VALUE_SHIFT)
+@@ -398,6 +398,7 @@ static inline void set_ptes(struct mm_st
+       }
+ }
+ #define set_ptes set_ptes
++#define set_pte_at(mm, addr, ptep, pte) set_ptes(mm, addr, ptep, pte, 1)
+ /* Used for deferring calls to flush_dcache_page() */
+@@ -462,7 +463,7 @@ static inline int ptep_test_and_clear_yo
+       if (!pte_young(pte)) {
+               return 0;
+       }
+-      set_pte(ptep, pte_mkold(pte));
++      set_pte_at(vma->vm_mm, addr, ptep, pte_mkold(pte));
+       return 1;
+ }
+@@ -472,7 +473,7 @@ pte_t ptep_clear_flush(struct vm_area_st
+ struct mm_struct;
+ static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
+ {
+-      set_pte(ptep, pte_wrprotect(*ptep));
++      set_pte_at(mm, addr, ptep, pte_wrprotect(*ptep));
+ }
+ #define pte_same(A,B) (pte_val(A) == pte_val(B))
diff --git a/queue-6.6/parisc-drop-warn_on_once-from-flush_cache_vmap.patch b/queue-6.6/parisc-drop-warn_on_once-from-flush_cache_vmap.patch
new file mode 100644 (file)
index 0000000..8d17238
--- /dev/null
@@ -0,0 +1,30 @@
+From 4eab1c27ce1f0e89ab67b01bf1e4e4c75215708a Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Mon, 21 Jul 2025 16:18:41 -0400
+Subject: parisc: Drop WARN_ON_ONCE() from flush_cache_vmap
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 4eab1c27ce1f0e89ab67b01bf1e4e4c75215708a upstream.
+
+I have observed warning to occassionally trigger.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/cache.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -841,7 +841,7 @@ void flush_cache_vmap(unsigned long star
+       }
+       vm = find_vm_area((void *)start);
+-      if (WARN_ON_ONCE(!vm)) {
++      if (!vm) {
+               flush_cache_all();
+               return;
+       }
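Review bot: With `WARN_ON_ONCE()` removed, nothing at this site explains that a NULL result from `find_vm_area()` is an expected case, and the commit message does not say why it occurs. A comment on the branch would record that the fallback is deliberate, for example `/* find_vm_area() can legitimately return NULL here; flush everything instead of warning */`. If the cause is known (the hunk does not show it), naming it in that comment would be more useful than the bare fact. `flush_cache_vmap()` starts and ends outside the hunk.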
diff --git a/queue-6.6/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch b/queue-6.6/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch
new file mode 100644 (file)
index 0000000..30ff9fb
--- /dev/null
@@ -0,0 +1,37 @@
+From 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 25 Jun 2025 00:30:54 -0700
+Subject: parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 upstream.
+
+For building a 64-bit kernel, both 32-bit and 64-bit VDSO binaries
+are built, so both 32-bit and 64-bit compilers (and tools) should be
+in the PATH environment variable.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-parisc@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/Makefile |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -39,7 +39,9 @@ endif
+ export LD_BFD
+-# Set default 32 bits cross compilers for vdso
++# Set default 32 bits cross compilers for vdso.
++# This means that for 64BIT, both the 64-bit tools and the 32-bit tools
++# need to be in the path.
+ CC_ARCHES_32 = hppa hppa2.0 hppa1.1
+ CC_SUFFIXES  = linux linux-gnu unknown-linux-gnu suse-linux
+ CROSS32_COMPILE := $(call cc-cross-prefix, \
diff --git a/queue-6.6/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch b/queue-6.6/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch
new file mode 100644 (file)
index 0000000..b4252ff
--- /dev/null
@@ -0,0 +1,40 @@
+From 52ce9406a9625c4498c4eaa51e7a7ed9dcb9db16 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Mon, 21 Jul 2025 15:56:04 -0400
+Subject: parisc: Rename pte_needs_flush() to pte_needs_cache_flush() in cache.c
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 52ce9406a9625c4498c4eaa51e7a7ed9dcb9db16 upstream.
+
+The local name used in cache.c conflicts the declaration in
+include/asm-generic/tlb.h.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/cache.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -425,7 +425,7 @@ static inline pte_t *get_ptep(struct mm_
+       return ptep;
+ }
+-static inline bool pte_needs_flush(pte_t pte)
++static inline bool pte_needs_cache_flush(pte_t pte)
+ {
+       return (pte_val(pte) & (_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_NO_CACHE))
+               == (_PAGE_PRESENT | _PAGE_ACCESSED);
+@@ -630,7 +630,7 @@ static void flush_cache_page_if_present(
+       ptep = get_ptep(vma->vm_mm, vmaddr);
+       if (ptep) {
+               pte = ptep_get(ptep);
+-              needs_flush = pte_needs_flush(pte);
++              needs_flush = pte_needs_cache_flush(pte);
+               pte_unmap(ptep);
+       }
+       if (needs_flush)
diff --git a/queue-6.6/parisc-revise-__get_user-to-probe-user-read-access.patch b/queue-6.6/parisc-revise-__get_user-to-probe-user-read-access.patch
new file mode 100644 (file)
index 0000000..8bcb269
--- /dev/null
@@ -0,0 +1,59 @@
+From 89f686a0fb6e473a876a9a60a13aec67a62b9a7e Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Fri, 25 Jul 2025 13:51:32 -0400
+Subject: parisc: Revise __get_user() to probe user read access
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 89f686a0fb6e473a876a9a60a13aec67a62b9a7e upstream.
+
+Because of the way read access support is implemented, read access
+interruptions are only triggered at privilege levels 2 and 3. The
+kernel executes at privilege level 0, so __get_user() never triggers
+a read access interruption (code 26). Thus, it is currently possible
+for user code to access a read protected address via a system call.
+
+Fix this by probing read access rights at privilege level 3 (PRIV_USER)
+and setting __gu_err to -EFAULT (-14) if access isn't allowed.
+
+Note the cmpiclr instruction does a 32-bit compare because COND macro
+doesn't work inside asm.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/uaccess.h |   21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/include/asm/uaccess.h
++++ b/arch/parisc/include/asm/uaccess.h
+@@ -42,9 +42,24 @@
+       __gu_err;                                       \
+ })
+-#define __get_user(val, ptr)                          \
+-({                                                    \
+-      __get_user_internal(SR_USER, val, ptr); \
++#define __probe_user_internal(sr, error, ptr)                 \
++({                                                            \
++      __asm__("\tproberi (%%sr%1,%2),%3,%0\n"                 \
++              "\tcmpiclr,= 1,%0,%0\n"                         \
++              "\tldi %4,%0\n"                                 \
++              : "=r"(error)                                   \
++              : "i"(sr), "r"(ptr), "i"(PRIV_USER),            \
++                "i"(-EFAULT));                                \
++})
++
++#define __get_user(val, ptr)                                  \
++({                                                            \
++      register long __gu_err;                                 \
++                                                              \
++      __gu_err = __get_user_internal(SR_USER, val, ptr);      \
++      if (likely(!__gu_err))                                  \
++              __probe_user_internal(SR_USER, __gu_err, ptr);  \
++      __gu_err;                                               \
+ })
+ #define __get_user_asm(sr, val, ldx, ptr)             \
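Review bot: In the new `__get_user()` the load runs first and `__probe_user_internal()` only afterwards, so when the probe fails the macro yields `-EFAULT` but `val` still holds the data read at kernel privilege from the read-protected address. A caller that does not check the return value before using `val` would then see that data. Clearing it on failure closes the gap, for example `if (unlikely(__gu_err)) (val) = 0;` after the probe. Note also that `__probe_user_internal()` uses plain `__asm__` with no `volatile` and no `"memory"` clobber, unlike `prober_user()` in the raw_copy_from_user() patch of this queue; without them the compiler may reorder or merge probes of the same pointer. How `__get_user_internal()` treats `val` on its own fault path is outside the hunk.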
diff --git a/queue-6.6/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch b/queue-6.6/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch
new file mode 100644 (file)
index 0000000..98cacee
--- /dev/null
@@ -0,0 +1,108 @@
+From f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Fri, 25 Jul 2025 12:12:14 -0400
+Subject: parisc: Revise gateway LWS calls to probe user read access
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 upstream.
+
+We use load and stbys,e instructions to trigger memory reference
+interruptions without writing to memory. Because of the way read
+access support is implemented, read access interruptions are only
+triggered at privilege levels 2 and 3. The kernel and gateway
+page execute at privilege level 0, so this code never triggers
+a read access interruption. Thus, it is currently possible for
+user code to execute a LWS compare and swap operation at an
+address that is read protected at privilege level 3 (PRIV_USER).
+
+Fix this by probing read access rights at privilege level 3 and
+branching to lws_fault if access isn't allowed.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/syscall.S |   30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -613,6 +613,9 @@ lws_compare_and_swap32:
+ lws_compare_and_swap:
+       /* Trigger memory reference interruptions without writing to memory */
+ 1:    ldw     0(%r26), %r28
++      proberi (%r26), PRIV_USER, %r28
++      comb,=,n        %r28, %r0, lws_fault /* backwards, likely not taken */
++      nop
+ 2:    stbys,e %r0, 0(%r26)
+       /* Calculate 8-bit hash index from virtual address */
+@@ -767,6 +770,9 @@ cas2_lock_start:
+       copy    %r26, %r28
+       depi_safe       0, 31, 2, %r28
+ 10:   ldw     0(%r28), %r1
++      proberi (%r28), PRIV_USER, %r1
++      comb,=,n        %r1, %r0, lws_fault /* backwards, likely not taken */
++      nop
+ 11:   stbys,e %r0, 0(%r28)
+       /* Calculate 8-bit hash index from virtual address */
+@@ -951,41 +957,47 @@ atomic_xchg_begin:
+       /* 8-bit exchange */
+ 1:    ldb     0(%r24), %r20
++      proberi (%r24), PRIV_USER, %r20
++      comb,=,n        %r20, %r0, lws_fault /* backwards, likely not taken */
++      nop
+       copy    %r23, %r20
+       depi_safe       0, 31, 2, %r20
+       b       atomic_xchg_start
+ 2:    stbys,e %r0, 0(%r20)
+-      nop
+-      nop
+-      nop
+       /* 16-bit exchange */
+ 3:    ldh     0(%r24), %r20
++      proberi (%r24), PRIV_USER, %r20
++      comb,=,n        %r20, %r0, lws_fault /* backwards, likely not taken */
++      nop
+       copy    %r23, %r20
+       depi_safe       0, 31, 2, %r20
+       b       atomic_xchg_start
+ 4:    stbys,e %r0, 0(%r20)
+-      nop
+-      nop
+-      nop
+       /* 32-bit exchange */
+ 5:    ldw     0(%r24), %r20
++      proberi (%r24), PRIV_USER, %r20
++      comb,=,n        %r20, %r0, lws_fault /* backwards, likely not taken */
++      nop
+       b       atomic_xchg_start
+ 6:    stbys,e %r0, 0(%r23)
+       nop
+       nop
+-      nop
+-      nop
+-      nop
+       /* 64-bit exchange */
+ #ifdef CONFIG_64BIT
+ 7:    ldd     0(%r24), %r20
++      proberi (%r24), PRIV_USER, %r20
++      comb,=,n        %r20, %r0, lws_fault /* backwards, likely not taken */
++      nop
+ 8:    stdby,e %r0, 0(%r23)
+ #else
+ 7:    ldw     0(%r24), %r20
+ 8:    ldw     4(%r24), %r20
++      proberi (%r24), PRIV_USER, %r20
++      comb,=,n        %r20, %r0, lws_fault /* backwards, likely not taken */
++      nop
+       copy    %r23, %r20
+       depi_safe       0, 31, 2, %r20
+ 9:    stbys,e %r0, 0(%r20)
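Review bot: The exchange cases after `atomic_xchg_begin` appear to be padded to a fixed length, but nothing in the code states that. The three instructions added to each of the 8-, 16- and 32-bit cases are balanced by removing three `nop`s, leaving eight instructions per case. A comment at the top of the table would make the invariant explicit for the next edit, for example `/* Each case below must stay exactly 8 instructions; adjust the nop padding when adding code */`, with the count confirmed against the dispatch code that is outside this hunk. In the 32-bit build of the 64-bit case, the probe covers only `(%r24)` although words at offsets 0 and 4 are loaded. That is sufficient only if the operand cannot straddle a page, which should be stated if an alignment check exists earlier.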
diff --git a/queue-6.6/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch b/queue-6.6/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch
new file mode 100644 (file)
index 0000000..e0f9474
--- /dev/null
@@ -0,0 +1,30 @@
+From f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Mon, 21 Jul 2025 16:13:13 -0400
+Subject: parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault()
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 upstream.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/mm/fault.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/mm/fault.c
++++ b/arch/parisc/mm/fault.c
+@@ -363,6 +363,10 @@ bad_area:
+       mmap_read_unlock(mm);
+ bad_area_nosemaphore:
++      if (!user_mode(regs) && fixup_exception(regs)) {
++              return;
++      }
++
+       if (user_mode(regs)) {
+               int signo, si_code;
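Review bot: The check added at `bad_area_nosemaphore:` carries no comment, and the commit message has no body, so nothing on the page says which kernel-mode faults are expected to reach this label or why they must be fixed up before the signal path. A short comment would record that, for example `/* Kernel-mode fault: let fixup_exception() resume at a fixup, if one exists, before the user-mode signal path below. */`. The braces around the single `return;` also go against kernel coding style; the same `if (!user_mode(regs) && fixup_exception(regs))` with a bare `return;` on the next line is enough. The rest of do_page_fault() lies outside the hunk, so whether a later label repeats this check cannot be confirmed from here.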
diff --git a/queue-6.6/parisc-update-comments-in-make_insert_tlb.patch b/queue-6.6/parisc-update-comments-in-make_insert_tlb.patch
new file mode 100644 (file)
index 0000000..b2349b0
--- /dev/null
@@ -0,0 +1,98 @@
+From cb22f247f371bd206a88cf0e0c05d80b8b62fb26 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Mon, 21 Jul 2025 15:13:42 -0400
+Subject: parisc: Update comments in make_insert_tlb
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit cb22f247f371bd206a88cf0e0c05d80b8b62fb26 upstream.
+
+The following testcase exposed a problem with our read access checks
+in get_user() and raw_copy_from_user():
+
+#include <stdint.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+
+int main(int argc, char **argv)
+{
+  unsigned long page_size = sysconf(_SC_PAGESIZE);
+  char *p = malloc(3 * page_size);
+  char *p_aligned;
+
+  /* initialize memory region. If not initialized, write syscall below will correctly return EFAULT. */
+  if (1)
+       memset(p, 'X', 3 * page_size);
+
+  p_aligned = (char *) ((((uintptr_t) p) + (2*page_size - 1)) & ~(page_size - 1));
+  /* Drop PROT_READ protection. Kernel and userspace should fault when accessing that memory region */
+  mprotect(p_aligned, page_size, PROT_NONE);
+
+  /* the following write() should return EFAULT, since PROT_READ was dropped by previous mprotect() */
+  int ret = write(2, p_aligned, 1);
+  if (!ret || errno != EFAULT)
+       printf("\n FAILURE: write() did not returned expected EFAULT value\n");
+
+  return 0;
+}
+
+Because of the way _PAGE_READ is handled, kernel code never generates
+a read access fault when it access a page as the kernel privilege level
+is always less than PL1 in the PTE.
+
+This patch reworks the comments in the make_insert_tlb macro to try
+to make this clearer.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/entry.S |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/arch/parisc/kernel/entry.S
++++ b/arch/parisc/kernel/entry.S
+@@ -499,6 +499,12 @@
+        * this happens is quite subtle, read below */
+       .macro          make_insert_tlb spc,pte,prot,tmp
+       space_to_prot   \spc \prot        /* create prot id from space */
++
++#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT
++      /* need to drop DMB bit, as it's used as SPECIAL flag */
++      depi            0,_PAGE_SPECIAL_BIT,1,\pte
++#endif
++
+       /* The following is the real subtlety.  This is depositing
+        * T <-> _PAGE_REFTRAP
+        * D <-> _PAGE_DIRTY
+@@ -511,17 +517,18 @@
+        * Finally, _PAGE_READ goes in the top bit of PL1 (so we
+        * trigger an access rights trap in user space if the user
+        * tries to read an unreadable page */
+-#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT
+-      /* need to drop DMB bit, as it's used as SPECIAL flag */
+-      depi            0,_PAGE_SPECIAL_BIT,1,\pte
+-#endif
+       depd            \pte,8,7,\prot
+       /* PAGE_USER indicates the page can be read with user privileges,
+        * so deposit X1|11 to PL1|PL2 (remember the upper bit of PL1
+-       * contains _PAGE_READ) */
++       * contains _PAGE_READ). While the kernel can't directly write
++       * user pages which have _PAGE_WRITE zero, it can read pages
++       * which have _PAGE_READ zero (PL <= PL1). Thus, the kernel
++       * exception fault handler doesn't trigger when reading pages
++       * that aren't user read accessible */
+       extrd,u,*=      \pte,_PAGE_USER_BIT+32,1,%r0
+       depdi           7,11,3,\prot
++
+       /* If we're a gateway page, drop PL2 back to zero for promotion
+        * to kernel privilege (so we can execute the page as kernel).
+        * Any privilege promotion page always denys read and write */
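Review bot: The rewritten comment above `extrd,u,*=` says the kernel can read user pages whose _PAGE_READ is zero, but it does not state the consequence for anyone maintaining the user-access paths: read permission has to be probed explicitly before the kernel dereferences a user address. One more sentence would close that, for example `Kernel code reading user memory must therefore probe user read access itself`; other patches in this queue add exactly such `proberi ..., PRIV_USER` checks. Separately, the first hunk moves the `#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT` block above the comment, which a description titled as a comment update does not mention. As far as the visible lines show, only comment text sits between the old and new positions ahead of `depd`, so the move looks behaviour-neutral, but the message should say so. The make_insert_tlb macro continues outside both hunks.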
diff --git a/queue-6.6/pci-endpoint-fix-configfs-group-list-head-handling.patch b/queue-6.6/pci-endpoint-fix-configfs-group-list-head-handling.patch
new file mode 100644 (file)
index 0000000..7b06be9
--- /dev/null
@@ -0,0 +1,62 @@
+From d79123d79a8154b4318529b7b2ff7e15806f480b Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Tue, 24 Jun 2025 20:45:43 +0900
+Subject: PCI: endpoint: Fix configfs group list head handling
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit d79123d79a8154b4318529b7b2ff7e15806f480b upstream.
+
+Doing a list_del() on the epf_group field of struct pci_epf_driver in
+pci_epf_remove_cfs() is not correct as this field is a list head, not
+a list entry. This list_del() call triggers a KASAN warning when an
+endpoint function driver which has a configfs attribute group is torn
+down:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
+Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319
+
+CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
+Hardware name: Radxa ROCK 5B (DT)
+Call trace:
+show_stack+0x2c/0x84 (C)
+dump_stack_lvl+0x70/0x98
+print_report+0x17c/0x538
+kasan_report+0xb8/0x190
+__asan_report_store8_noabort+0x20/0x2c
+pci_epf_remove_cfs+0x17c/0x198
+pci_epf_unregister_driver+0x18/0x30
+nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
+__arm64_sys_delete_module+0x264/0x424
+invoke_syscall+0x70/0x260
+el0_svc_common.constprop.0+0xac/0x230
+do_el0_svc+0x40/0x58
+el0_svc+0x48/0xdc
+el0t_64_sync_handler+0x10c/0x138
+el0t_64_sync+0x198/0x19c
+...
+
+Remove this incorrect list_del() call from pci_epf_remove_cfs().
+
+Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250624114544.342159-2-dlemoal@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-epf-core.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/pci/endpoint/pci-epf-core.c
++++ b/drivers/pci/endpoint/pci-epf-core.c
+@@ -311,7 +311,6 @@ static void pci_epf_remove_cfs(struct pc
+       mutex_lock(&pci_epf_mutex);
+       list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
+               pci_ep_cfs_remove_epf_group(group);
+-      list_del(&driver->epf_group);
+       mutex_unlock(&pci_epf_mutex);
+ }
diff --git a/queue-6.6/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch b/queue-6.6/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch
new file mode 100644 (file)
index 0000000..c1488b7
--- /dev/null
@@ -0,0 +1,53 @@
+From 910bdb8197f9322790c738bb32feaa11dba26909 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Tue, 24 Jun 2025 20:45:44 +0900
+Subject: PCI: endpoint: Fix configfs group removal on driver teardown
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 910bdb8197f9322790c738bb32feaa11dba26909 upstream.
+
+An endpoint driver configfs attributes group is added to the
+epf_group list of struct pci_epf_driver by pci_epf_add_cfs() but an
+added group is not removed from this list when the attribute group is
+unregistered with pci_ep_cfs_remove_epf_group().
+
+Add the missing list_del() call in pci_ep_cfs_remove_epf_group()
+to correctly remove the attribute group from the driver list.
+
+With this change, once the loop over all attribute groups in
+pci_epf_remove_cfs() completes, the driver epf_group list should be
+empty. Add a WARN_ON() to make sure of that.
+
+Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250624114544.342159-3-dlemoal@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-ep-cfs.c   |    1 +
+ drivers/pci/endpoint/pci-epf-core.c |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -683,6 +683,7 @@ void pci_ep_cfs_remove_epf_group(struct
+       if (IS_ERR_OR_NULL(group))
+               return;
++      list_del(&group->group_entry);
+       configfs_unregister_default_group(group);
+ }
+ EXPORT_SYMBOL(pci_ep_cfs_remove_epf_group);
+--- a/drivers/pci/endpoint/pci-epf-core.c
++++ b/drivers/pci/endpoint/pci-epf-core.c
+@@ -311,6 +311,7 @@ static void pci_epf_remove_cfs(struct pc
+       mutex_lock(&pci_epf_mutex);
+       list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
+               pci_ep_cfs_remove_epf_group(group);
++      WARN_ON(!list_empty(&driver->epf_group));
+       mutex_unlock(&pci_epf_mutex);
+ }
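Review bot: `pci_ep_cfs_remove_epf_group()` is exported and now unlinks `group->group_entry` from a driver's `epf_group` list, yet nothing in the function says which lock protects that list. The one caller visible here, `pci_epf_remove_cfs()`, holds `pci_epf_mutex` around the loop; any other caller would need to do the same, and the entry must actually be on a list when the function runs. A comment above the new `list_del()` would record both conditions, for example `/* Caller holds pci_epf_mutex; group must have been linked into driver->epf_group. */`. Both function bodies start outside the hunks, so other call sites could not be checked from this page.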
diff --git a/queue-6.6/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch b/queue-6.6/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch
new file mode 100644 (file)
index 0000000..3e326d7
--- /dev/null
@@ -0,0 +1,71 @@
+From 4a3556b81b99f0c8c0358f7cc6801a62b4538fe2 Mon Sep 17 00:00:00 2001
+From: Kathiravan Thirumoorthy <kathiravan.thirumoorthy@oss.qualcomm.com>
+Date: Mon, 30 Jun 2025 13:48:13 +0530
+Subject: phy: qcom: phy-qcom-m31: Update IPQ5332 M31 USB phy initialization sequence
+
+From: Kathiravan Thirumoorthy <kathiravan.thirumoorthy@oss.qualcomm.com>
+
+commit 4a3556b81b99f0c8c0358f7cc6801a62b4538fe2 upstream.
+
+The current configuration used for the IPQ5332 M31 USB PHY fails the
+Near End High Speed Signal Quality compliance test. To resolve this,
+update the initialization sequence as specified in the Hardware Design
+Document.
+
+Fixes: 08e49af50701 ("phy: qcom: Introduce M31 USB PHY driver")
+Cc: stable@kernel.org
+Signed-off-by: Kathiravan Thirumoorthy <kathiravan.thirumoorthy@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250630-ipq5332_hsphy_complaince-v2-1-63621439ebdb@oss.qualcomm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-m31.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-m31.c
++++ b/drivers/phy/qualcomm/phy-qcom-m31.c
+@@ -58,14 +58,16 @@
+  #define USB2_0_TX_ENABLE             BIT(2)
+ #define USB2PHY_USB_PHY_M31_XCFGI_4   0xc8
+- #define HSTX_SLEW_RATE_565PS         GENMASK(1, 0)
++ #define HSTX_SLEW_RATE_400PS         GENMASK(2, 0)
+  #define PLL_CHARGING_PUMP_CURRENT_35UA       GENMASK(4, 3)
+  #define ODT_VALUE_38_02_OHM          GENMASK(7, 6)
+ #define USB2PHY_USB_PHY_M31_XCFGI_5   0xcc
+- #define ODT_VALUE_45_02_OHM          BIT(2)
+  #define HSTX_PRE_EMPHASIS_LEVEL_0_55MA       BIT(0)
++#define USB2PHY_USB_PHY_M31_XCFGI_9   0xdc
++ #define HSTX_CURRENT_17_1MA_385MV    BIT(1)
++
+ #define USB2PHY_USB_PHY_M31_XCFGI_11  0xe4
+  #define XCFG_COARSE_TUNE_NUM         BIT(1)
+  #define XCFG_FINE_TUNE_NUM           BIT(3)
+@@ -120,7 +122,7 @@ static struct m31_phy_regs m31_ipq5332_r
+       },
+       {
+               USB2PHY_USB_PHY_M31_XCFGI_4,
+-              HSTX_SLEW_RATE_565PS | PLL_CHARGING_PUMP_CURRENT_35UA | ODT_VALUE_38_02_OHM,
++              HSTX_SLEW_RATE_400PS | PLL_CHARGING_PUMP_CURRENT_35UA | ODT_VALUE_38_02_OHM,
+               0
+       },
+       {
+@@ -130,10 +132,14 @@ static struct m31_phy_regs m31_ipq5332_r
+       },
+       {
+               USB2PHY_USB_PHY_M31_XCFGI_5,
+-              ODT_VALUE_45_02_OHM | HSTX_PRE_EMPHASIS_LEVEL_0_55MA,
++              HSTX_PRE_EMPHASIS_LEVEL_0_55MA,
+               4
+       },
+       {
++              USB2PHY_USB_PHY_M31_XCFGI_9,
++              HSTX_CURRENT_17_1MA_385MV,
++      },
++      {
+               USB_PHY_UTMI_CTRL5,
+               0x0,
+               0
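Review bot: The new `USB2PHY_USB_PHY_M31_XCFGI_9` entry in the register table leaves out its third field, while every neighbouring entry in the hunk writes it explicitly (`0` or `4`). C zero-initialises the omitted member, so the programmed value is unchanged, but the gap reads like a forgotten value in a table that is otherwise fully spelled out. Writing `HSTX_CURRENT_17_1MA_385MV,` followed by an explicit `0` keeps the entries uniform. The table definition starts and ends outside the hunk.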
index 901c4ffbdc34f2875b90d877248972ce2b444d06..2be9d97774cd069fe56a1ebde9e9bd9c7027814b 100644 (file)
@@ -378,3 +378,34 @@ pwm-imx-tpm-reset-counter-if-cmod-is-0.patch
 pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch
 pwm-mediatek-fix-duty-and-period-setting.patch
 hwmon-gsc-hwmon-fix-fan-pwm-setpoint-show-functions.patch
+mtd-spi-nor-fix-spi_nor_try_unlock_all.patch
+mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch
+mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch
+mtd-rawnand-renesas-add-missing-check-after-dma-map.patch
+pci-endpoint-fix-configfs-group-list-head-handling.patch
+pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch
+vsock-virtio-validate-length-in-packet-header-before-skb_put.patch
+vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch
+phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
+jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch
+soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch
+parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch
+parisc-define-and-use-set_pte_at.patch
+parisc-drop-warn_on_once-from-flush_cache_vmap.patch
+parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch
+parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch
+parisc-revise-__get_user-to-probe-user-read-access.patch
+parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch
+parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch
+parisc-update-comments-in-make_insert_tlb.patch
+media-gspca-add-bounds-checking-to-firmware-parser.patch
+media-hi556-correct-the-test-pattern-configuration.patch
+media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch
+media-vivid-fix-wrong-pixel_array-control-size.patch
+media-verisilicon-fix-av1-decoder-clock-frequency.patch
+media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
+media-usbtv-lock-resolution-while-streaming.patch
+media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch
+media-ov2659-fix-memory-leaks-in-ov2659_probe.patch
+media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch
diff --git a/queue-6.6/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch b/queue-6.6/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch
new file mode 100644 (file)
index 0000000..0793031
--- /dev/null
@@ -0,0 +1,137 @@
+From b6bcbce3359619d05bf387d4f5cc3af63668dbaa Mon Sep 17 00:00:00 2001
+From: Jon Hunter <jonathanh@nvidia.com>
+Date: Thu, 31 Jul 2025 13:18:32 +0100
+Subject: soc/tegra: pmc: Ensure power-domains are in a known state
+
+From: Jon Hunter <jonathanh@nvidia.com>
+
+commit b6bcbce3359619d05bf387d4f5cc3af63668dbaa upstream.
+
+After commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on
+until late_initcall_sync") was applied, the Tegra210 Jetson TX1 board
+failed to boot. Looking into this issue, before this commit was applied,
+if any of the Tegra power-domains were in 'on' state when the kernel
+booted, they were being turned off by the genpd core before any driver
+had chance to request them. This was purely by luck and a consequence of
+the power-domains being turned off earlier during boot. After this
+commit was applied, any power-domains in the 'on' state are kept on for
+longer during boot and therefore, may never transitioned to the off
+state before they are requested/used. The hang on the Tegra210 Jetson
+TX1 is caused because devices in some power-domains are accessed without
+the power-domain being turned off and on, indicating that the
+power-domain is not in a completely on state.
+
+>From reviewing the Tegra PMC driver code, if a power-domain is in the
+'on' state there is no guarantee that all the necessary clocks
+associated with the power-domain are on and even if they are they would
+not have been requested via the clock framework and so could be turned
+off later. Some power-domains also have a 'clamping' register that needs
+to be configured as well. In short, if a power-domain is already 'on' it
+is difficult to know if it has been configured correctly. Given that the
+power-domains happened to be switched off during boot previously, to
+ensure that they are in a good known state on boot, fix this by
+switching off any power-domains that are on initially when registering
+the power-domains with the genpd framework.
+
+Note that commit 05cfb988a4d0 ("soc/tegra: pmc: Initialise resets
+associated with a power partition") updated the
+tegra_powergate_of_get_resets() function to pass the 'off' to ensure
+that the resets for the power-domain are in the correct state on boot.
+However, now that we may power off a domain on boot, if it is on, it is
+better to move this logic into the tegra_powergate_add() function so
+that there is a single place where we are handling the initial state of
+the power-domain.
+
+Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support")
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250731121832.213671-1-jonathanh@nvidia.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/tegra/pmc.c |   51 +++++++++++++++++++++++++++---------------------
+ 1 file changed, 29 insertions(+), 22 deletions(-)
+
+--- a/drivers/soc/tegra/pmc.c
++++ b/drivers/soc/tegra/pmc.c
+@@ -1232,7 +1232,7 @@ err:
+ }
+ static int tegra_powergate_of_get_resets(struct tegra_powergate *pg,
+-                                       struct device_node *np, bool off)
++                                       struct device_node *np)
+ {
+       struct device *dev = pg->pmc->dev;
+       int err;
+@@ -1247,22 +1247,6 @@ static int tegra_powergate_of_get_resets
+       err = reset_control_acquire(pg->reset);
+       if (err < 0) {
+               pr_err("failed to acquire resets: %d\n", err);
+-              goto out;
+-      }
+-
+-      if (off) {
+-              err = reset_control_assert(pg->reset);
+-      } else {
+-              err = reset_control_deassert(pg->reset);
+-              if (err < 0)
+-                      goto out;
+-
+-              reset_control_release(pg->reset);
+-      }
+-
+-out:
+-      if (err) {
+-              reset_control_release(pg->reset);
+               reset_control_put(pg->reset);
+       }
+@@ -1307,20 +1291,43 @@ static int tegra_powergate_add(struct te
+               goto set_available;
+       }
+-      err = tegra_powergate_of_get_resets(pg, np, off);
++      err = tegra_powergate_of_get_resets(pg, np);
+       if (err < 0) {
+               dev_err(dev, "failed to get resets for %pOFn: %d\n", np, err);
+               goto remove_clks;
+       }
+-      if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) {
+-              if (off)
+-                      WARN_ON(tegra_powergate_power_up(pg, true));
++      /*
++       * If the power-domain is off, then ensure the resets are asserted.
++       * If the power-domain is on, then power down to ensure that when is
++       * it turned on the power-domain, clocks and resets are all in the
++       * expected state.
++       */
++      if (off) {
++              err = reset_control_assert(pg->reset);
++              if (err) {
++                      pr_err("failed to assert resets: %d\n", err);
++                      goto remove_resets;
++              }
++      } else {
++              err = tegra_powergate_power_down(pg);
++              if (err) {
++                      dev_err(dev, "failed to turn off PM domain %s: %d\n",
++                              pg->genpd.name, err);
++                      goto remove_resets;
++              }
++      }
++      /*
++       * If PM_GENERIC_DOMAINS is not enabled, power-on
++       * the domain and skip the genpd registration.
++       */
++      if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) {
++              WARN_ON(tegra_powergate_power_up(pg, true));
+               goto remove_resets;
+       }
+-      err = pm_genpd_init(&pg->genpd, NULL, off);
++      err = pm_genpd_init(&pg->genpd, NULL, true);
+       if (err < 0) {
+               dev_err(dev, "failed to initialise PM domain %pOFn: %d\n", np,
+                      err);
diff --git a/queue-6.6/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch b/queue-6.6/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch
new file mode 100644 (file)
index 0000000..78fa451
--- /dev/null
@@ -0,0 +1,53 @@
+From 10a886aaed293c4db3417951f396827216299e3d Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 17 Jul 2025 10:01:08 +0100
+Subject: vhost/vsock: Avoid allocating arbitrarily-sized SKBs
+
+From: Will Deacon <will@kernel.org>
+
+commit 10a886aaed293c4db3417951f396827216299e3d upstream.
+
+vhost_vsock_alloc_skb() returns NULL for packets advertising a length
+larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However,
+this is only checked once the SKB has been allocated and, if the length
+in the packet header is zero, the SKB may not be freed immediately.
+
+Hoist the size check before the SKB allocation so that an iovec larger
+than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected
+outright. The subsequent check on the length field in the header can
+then simply check that the allocated SKB is indeed large enough to hold
+the packet.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-2-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vsock.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -340,6 +340,9 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+       len = iov_length(vq->iov, out);
++      if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
++              return NULL;
++
+       /* len contains both payload and hdr */
+       skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
+       if (!skb)
+@@ -363,8 +366,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq
+               return skb;
+       /* The pkt is too big or the length in the header is invalid */
+-      if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE ||
+-          payload_len + sizeof(*hdr) > len) {
++      if (payload_len + sizeof(*hdr) > len) {
+               kfree_skb(skb);
+               return NULL;
+       }
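Review bot: With the `payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE` test removed in the second hunk, `payload_len + sizeof(*hdr) > len` is the only bound left on the header's length field, and that addition can wrap if it is evaluated in 32 bits. The declarations of `payload_len` and `len` are outside the hunk, so this is a condition to confirm rather than a demonstrated defect. The subtraction form avoids the question, `if (payload_len > len - sizeof(*hdr)) {`, provided the code above the hunk has already ensured `len >= sizeof(*hdr)`. The virtio_transport patch in this same queue writes its check that way. The body of vhost_vsock_alloc_skb() starts and ends outside both hunks.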
diff --git a/queue-6.6/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch b/queue-6.6/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch
new file mode 100644 (file)
index 0000000..72f9781
--- /dev/null
@@ -0,0 +1,62 @@
+From 0dab92484474587b82e8e0455839eaf5ac7bf894 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 17 Jul 2025 10:01:09 +0100
+Subject: vsock/virtio: Validate length in packet header before skb_put()
+
+From: Will Deacon <will@kernel.org>
+
+commit 0dab92484474587b82e8e0455839eaf5ac7bf894 upstream.
+
+When receiving a vsock packet in the guest, only the virtqueue buffer
+size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,
+virtio_vsock_skb_rx_put() uses the length from the packet header as the
+length argument to skb_put(), potentially resulting in SKB overflow if
+the host has gone wonky.
+
+Validate the length as advertised by the packet header before calling
+virtio_vsock_skb_rx_put().
+
+Cc: <stable@vger.kernel.org>
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-3-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -497,8 +497,9 @@ static void virtio_transport_rx_work(str
+       do {
+               virtqueue_disable_cb(vq);
+               for (;;) {
++                      unsigned int len, payload_len;
++                      struct virtio_vsock_hdr *hdr;
+                       struct sk_buff *skb;
+-                      unsigned int len;
+                       if (!virtio_transport_more_replies(vsock)) {
+                               /* Stop rx until the device processes already
+@@ -515,11 +516,18 @@ static void virtio_transport_rx_work(str
+                       vsock->rx_buf_nr--;
+                       /* Drop short/long packets */
+-                      if (unlikely(len < sizeof(struct virtio_vsock_hdr) ||
++                      if (unlikely(len < sizeof(*hdr) ||
+                                    len > virtio_vsock_skb_len(skb))) {
+                               kfree_skb(skb);
+                               continue;
+                       }
++
++                      hdr = virtio_vsock_hdr(skb);
++                      payload_len = le32_to_cpu(hdr->len);
++                      if (unlikely(payload_len > len - sizeof(*hdr))) {
++                              kfree_skb(skb);
++                              continue;
++                      }
+                       virtio_vsock_skb_rx_put(skb);
+                       virtio_transport_deliver_tap_pkt(skb);