--- /dev/null
+From af98b0157adf6504fade79b3e6cb260c4ff68e37 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Wed, 14 May 2025 22:08:55 +0900
+Subject: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit af98b0157adf6504fade79b3e6cb260c4ff68e37 upstream.
+
+Since handle->h_transaction may be a NULL pointer, so we should change it
+to call is_handle_aborted(handle) first before dereferencing it.
+
+And the following data-race was reported in my fuzzer:
+
+==================================================================
+BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata
+
+write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:
+ jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556
+ __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358
+ ext4_do_update_inode fs/ext4/inode.c:5220 [inline]
+ ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869
+ __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074
+ ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103
+....
+
+read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:
+ jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512
+ __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358
+ ext4_do_update_inode fs/ext4/inode.c:5220 [inline]
+ ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869
+ __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074
+ ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103
+....
+
+value changed: 0x00000000 -> 0x00000001
+==================================================================
+
+This issue is caused by missing data-race annotation for jh->b_modified.
+Therefore, the missing annotation needs to be added.
+
+Reported-by: syzbot+de24c3fe3c4091051710@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=de24c3fe3c4091051710
+Fixes: 6e06ae88edae ("jbd2: speedup jbd2_journal_dirty_metadata()")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250514130855.99010-1-aha310510@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/transaction.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1519,7 +1519,7 @@ int jbd2_journal_dirty_metadata(handle_t
+ jh->b_next_transaction == transaction);
+ spin_unlock(&jh->b_state_lock);
+ }
+- if (jh->b_modified == 1) {
++ if (data_race(jh->b_modified == 1)) {
+ /* If it's in our transaction it must be in BJ_Metadata list. */
+ if (data_race(jh->b_transaction == transaction &&
+ jh->b_jlist != BJ_Metadata)) {
+@@ -1538,7 +1538,6 @@ int jbd2_journal_dirty_metadata(handle_t
+ goto out;
+ }
+
+- journal = transaction->t_journal;
+ spin_lock(&jh->b_state_lock);
+
+ if (is_handle_aborted(handle)) {
+@@ -1553,6 +1552,8 @@ int jbd2_journal_dirty_metadata(handle_t
+ goto out_unlock_bh;
+ }
+
++ journal = transaction->t_journal;
++
+ if (jh->b_modified == 0) {
+ /*
+ * This buffer's got modified and becoming part
--- /dev/null
+From 6868b955acd6e5d7405a2b730c2ffb692ad50d2c Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Thu, 20 Feb 2025 10:54:44 +0200
+Subject: media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 6868b955acd6e5d7405a2b730c2ffb692ad50d2c upstream.
+
+The check for VT PLL upper limit in dual PLL case was missing. Add it now.
+
+Fixes: 6c7469e46b60 ("media: ccs-pll: Add trivial dual PLL support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs-pll.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/i2c/ccs-pll.c
++++ b/drivers/media/i2c/ccs-pll.c
+@@ -312,6 +312,11 @@ __ccs_pll_calculate_vt_tree(struct devic
+ dev_dbg(dev, "more_mul2: %u\n", more_mul);
+
+ pll_fr->pll_multiplier = mul * more_mul;
++ if (pll_fr->pll_multiplier > lim_fr->max_pll_multiplier) {
++ dev_dbg(dev, "pll multiplier %u too high\n",
++ pll_fr->pll_multiplier);
++ return -EINVAL;
++ }
+
+ if (pll_fr->pll_multiplier * pll_fr->pll_ip_clk_freq_hz >
+ lim_fr->max_pll_op_clk_freq_hz)
--- /dev/null
+From f639494db450770fa30d6845d9c84b9cb009758f Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Wed, 19 Feb 2025 15:06:11 +0200
+Subject: media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit f639494db450770fa30d6845d9c84b9cb009758f upstream.
+
+The PLL calculator does a search of the PLL configuration space for all
+valid OP pre-PLL clock dividers. The maximum did not take into account the
+CCS PLL flag CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER in which case also odd PLL
+dividers (other than 1) are valid. Do that now.
+
+Fixes: 4e1e8d240dff ("media: ccs-pll: Add support for extended input PLL clock divider")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs-pll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ccs-pll.c
++++ b/drivers/media/i2c/ccs-pll.c
+@@ -794,7 +794,7 @@ int ccs_pll_calculate(struct device *dev
+ op_lim_fr->min_pre_pll_clk_div, op_lim_fr->max_pre_pll_clk_div);
+ max_op_pre_pll_clk_div =
+ min_t(u16, op_lim_fr->max_pre_pll_clk_div,
+- clk_div_even(pll->ext_clk_freq_hz /
++ DIV_ROUND_UP(pll->ext_clk_freq_hz,
+ op_lim_fr->min_pll_ip_clk_freq_hz));
+ min_op_pre_pll_clk_div =
+ max_t(u16, op_lim_fr->min_pre_pll_clk_div,
--- /dev/null
+From 660e613d05e449766784c549faf5927ffaf281f1 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Tue, 18 Feb 2025 23:43:58 +0200
+Subject: media: ccs-pll: Start OP pre-PLL multiplier search from correct value
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 660e613d05e449766784c549faf5927ffaf281f1 upstream.
+
+The ccs_pll_calculate() function does a search over possible PLL
+configurations to find the "best" one. If the sensor does not support odd
+pre-PLL divisors and the minimum value (with constraints) isn't 1, other
+odd values could be errorneously searched (and selected) for the pre-PLL
+divisor. Fix this.
+
+Fixes: 415ddd993978 ("media: ccs-pll: Split limits and PLL configuration into front and back parts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs-pll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/ccs-pll.c
++++ b/drivers/media/i2c/ccs-pll.c
+@@ -817,6 +817,8 @@ int ccs_pll_calculate(struct device *dev
+ one_or_more(
+ DIV_ROUND_UP(op_lim_fr->max_pll_op_clk_freq_hz,
+ pll->ext_clk_freq_hz))));
++ if (!(pll->flags & CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER))
++ min_op_pre_pll_clk_div = clk_div_even(min_op_pre_pll_clk_div);
+ dev_dbg(dev, "pll_op check: min / max op_pre_pll_clk_div: %u / %u\n",
+ min_op_pre_pll_clk_div, max_op_pre_pll_clk_div);
+
--- /dev/null
+From 06d2d478b09e6764fb6161d1621fc10d9f0f2860 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Tue, 18 Feb 2025 23:47:13 +0200
+Subject: media: ccs-pll: Start VT pre-PLL multiplier search from correct value
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 06d2d478b09e6764fb6161d1621fc10d9f0f2860 upstream.
+
+The ccs_pll_calculate_vt_tree() function does a search over possible VT
+PLL configurations to find the "best" one. If the sensor does not support
+odd pre-PLL divisors and the minimum value (with constraints) isn't 1,
+other odd values could be errorneously searched (and selected) for the
+pre-PLL divisor. Fix this.
+
+Fixes: 415ddd993978 ("media: ccs-pll: Split limits and PLL configuration into front and back parts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs-pll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/ccs-pll.c
++++ b/drivers/media/i2c/ccs-pll.c
+@@ -397,6 +397,8 @@ static int ccs_pll_calculate_vt_tree(str
+ min_pre_pll_clk_div = max_t(u16, min_pre_pll_clk_div,
+ pll->ext_clk_freq_hz /
+ lim_fr->max_pll_ip_clk_freq_hz);
++ if (!(pll->flags & CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER))
++ min_pre_pll_clk_div = clk_div_even(min_pre_pll_clk_div);
+
+ dev_dbg(dev, "vt min/max_pre_pll_clk_div: %u,%u\n",
+ min_pre_pll_clk_div, max_pre_pll_clk_div);
--- /dev/null
+From 73fb3b92da84637e3817580fa205d48065924e15 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Sat, 5 Apr 2025 19:56:41 +0800
+Subject: media: cxusb: no longer judge rbuf when the write fails
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 73fb3b92da84637e3817580fa205d48065924e15 upstream.
+
+syzbot reported a uninit-value in cxusb_i2c_xfer. [1]
+
+Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()
+succeeds and rlen is greater than 0, the read operation of usb_bulk_msg()
+will be executed to read rlen bytes of data from the dvb device into the
+rbuf.
+
+In this case, although rlen is 1, the write operation failed which resulted
+in the dvb read operation not being executed, and ultimately variable i was
+not initialized.
+
+[1]
+BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
+BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
+ cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
+ cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
+ __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1
+ i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315
+ i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343
+ i2c_master_send include/linux/i2c.h:109 [inline]
+ i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183
+ do_loop_readv_writev fs/read_write.c:848 [inline]
+ vfs_writev+0x963/0x14e0 fs/read_write.c:1057
+ do_writev+0x247/0x5c0 fs/read_write.c:1101
+ __do_sys_writev fs/read_write.c:1169 [inline]
+ __se_sys_writev fs/read_write.c:1166 [inline]
+ __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166
+ x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Reported-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=526bd95c0ec629993bf3
+Tested-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com
+Fixes: 22c6d93a7310 ("[PATCH] dvb: usb: support Medion hybrid USB2.0 DVB-T/analogue box")
+Cc: stable@vger.kernel.org
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -119,9 +119,8 @@ static void cxusb_gpio_tuner(struct dvb_
+
+ o[0] = GPIO_TUNER;
+ o[1] = onoff;
+- cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1);
+
+- if (i != 0x01)
++ if (!cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1) && i != 0x01)
+ dev_info(&d->udev->dev, "gpio_write failed.\n");
+
+ st->gpio_write_state[GPIO_TUNER] = onoff;
--- /dev/null
+From 398a1b33f1479af35ca915c5efc9b00d6204f8fa Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Tue, 22 Apr 2025 11:07:39 +0800
+Subject: media: gspca: Add error handling for stv06xx_read_sensor()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 398a1b33f1479af35ca915c5efc9b00d6204f8fa upstream.
+
+In hdcs_init(), the return value of stv06xx_read_sensor() needs to be
+checked. A proper implementation can be found in vv6410_dump(). Add a
+check in loop condition and propergate error code to fix this issue.
+
+Fixes: 4c98834addfe ("V4L/DVB (10048): gspca - stv06xx: New subdriver.")
+Cc: stable@vger.kernel.org # v2.6+
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
+@@ -520,12 +520,13 @@ static int hdcs_init(struct sd *sd)
+ static int hdcs_dump(struct sd *sd)
+ {
+ u16 reg, val;
++ int err = 0;
+
+ pr_info("Dumping sensor registers:\n");
+
+- for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH; reg++) {
+- stv06xx_read_sensor(sd, reg, &val);
++ for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH && !err; reg++) {
++ err = stv06xx_read_sensor(sd, reg, &val);
+ pr_info("reg 0x%02x = 0x%02x\n", reg, val);
+ }
+- return 0;
++ return (err < 0) ? err : 0;
+ }
--- /dev/null
+From e3d86847fba58cf71f66e81b6a2515e07039ae17 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 25 Apr 2025 14:52:38 +0200
+Subject: media: ov8856: suppress probe deferral errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit e3d86847fba58cf71f66e81b6a2515e07039ae17 upstream.
+
+Probe deferral should not be logged as an error:
+
+ ov8856 24-0010: failed to get HW configuration: -517
+
+Use dev_err_probe() for the clock lookup and drop the (mostly) redundant
+dev_err() from sensor probe() to suppress it.
+
+Note that errors during regulator lookup is already correctly logged
+using dev_err_probe().
+
+Fixes: 0c2c7a1e0d69 ("media: ov8856: Add devicetree support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov8856.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/i2c/ov8856.c
++++ b/drivers/media/i2c/ov8856.c
+@@ -2297,8 +2297,8 @@ static int ov8856_get_hwcfg(struct ov885
+ if (!is_acpi_node(fwnode)) {
+ ov8856->xvclk = devm_clk_get(dev, "xvclk");
+ if (IS_ERR(ov8856->xvclk)) {
+- dev_err(dev, "could not get xvclk clock (%pe)\n",
+- ov8856->xvclk);
++ dev_err_probe(dev, PTR_ERR(ov8856->xvclk),
++ "could not get xvclk clock\n");
+ return PTR_ERR(ov8856->xvclk);
+ }
+
+@@ -2404,11 +2404,8 @@ static int ov8856_probe(struct i2c_clien
+ return -ENOMEM;
+
+ ret = ov8856_get_hwcfg(ov8856, &client->dev);
+- if (ret) {
+- dev_err(&client->dev, "failed to get HW configuration: %d",
+- ret);
++ if (ret)
+ return ret;
+- }
+
+ v4l2_i2c_subdev_init(&ov8856->sd, client, &ov8856_subdev_ops);
+
--- /dev/null
+From 387e8939307192d5a852a2afeeb83427fa477151 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Thu, 13 Mar 2025 12:20:39 +0000
+Subject: media: uvcvideo: Fix deferred probing error
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 387e8939307192d5a852a2afeeb83427fa477151 upstream.
+
+uvc_gpio_parse() can return -EPROBE_DEFER when the GPIOs it depends on
+have not yet been probed. This return code should be propagated to the
+caller of uvc_probe() to ensure that probing is retried when the required
+GPIOs become available.
+
+Currently, this error code is incorrectly converted to -ENODEV,
+causing some internal cameras to be ignored.
+
+This commit fixes this issue by propagating the -EPROBE_DEFER error.
+
+Cc: stable@vger.kernel.org
+Fixes: 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT")
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250313-uvc-eprobedefer-v3-1-a1d312708eef@chromium.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2447,13 +2447,16 @@ static int uvc_probe(struct usb_interfac
+ #endif
+
+ /* Parse the Video Class control descriptor. */
+- if (uvc_parse_control(dev) < 0) {
++ ret = uvc_parse_control(dev);
++ if (ret < 0) {
++ ret = -ENODEV;
+ uvc_dbg(dev, PROBE, "Unable to parse UVC descriptors\n");
+ goto error;
+ }
+
+ /* Parse the associated GPIOs. */
+- if (uvc_gpio_parse(dev) < 0) {
++ ret = uvc_gpio_parse(dev);
++ if (ret < 0) {
+ uvc_dbg(dev, PROBE, "Unable to parse UVC GPIOs\n");
+ goto error;
+ }
+@@ -2479,24 +2482,32 @@ static int uvc_probe(struct usb_interfac
+ }
+
+ /* Register the V4L2 device. */
+- if (v4l2_device_register(&intf->dev, &dev->vdev) < 0)
++ ret = v4l2_device_register(&intf->dev, &dev->vdev);
++ if (ret < 0)
+ goto error;
+
+ /* Scan the device for video chains. */
+- if (uvc_scan_device(dev) < 0)
++ if (uvc_scan_device(dev) < 0) {
++ ret = -ENODEV;
+ goto error;
++ }
+
+ /* Initialize controls. */
+- if (uvc_ctrl_init_device(dev) < 0)
++ if (uvc_ctrl_init_device(dev) < 0) {
++ ret = -ENODEV;
+ goto error;
++ }
+
+ /* Register video device nodes. */
+- if (uvc_register_chains(dev) < 0)
++ if (uvc_register_chains(dev) < 0) {
++ ret = -ENODEV;
+ goto error;
++ }
+
+ #ifdef CONFIG_MEDIA_CONTROLLER
+ /* Register the media device node */
+- if (media_device_register(&dev->mdev) < 0)
++ ret = media_device_register(&dev->mdev);
++ if (ret < 0)
+ goto error;
+ #endif
+ /* Save our data pointer in the interface data. */
+@@ -2523,7 +2534,7 @@ static int uvc_probe(struct usb_interfac
+ error:
+ uvc_unregister_video(dev);
+ kref_put(&dev->ref, uvc_delete);
+- return -ENODEV;
++ return ret;
+ }
+
+ static void uvc_disconnect(struct usb_interface *intf)
--- /dev/null
+From ba4fafb02ad6a4eb2e00f861893b5db42ba54369 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 10:34:53 +0000
+Subject: media: uvcvideo: Return the number of processed controls
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit ba4fafb02ad6a4eb2e00f861893b5db42ba54369 upstream.
+
+If we let know our callers that we have not done anything, they will be
+able to optimize their decisions.
+
+Cc: stable@kernel.org
+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250224-uvc-data-backup-v2-1-de993ed9823b@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1679,12 +1679,17 @@ int uvc_ctrl_begin(struct uvc_video_chai
+ return mutex_lock_interruptible(&chain->ctrl_mutex) ? -ERESTARTSYS : 0;
+ }
+
++/*
++ * Returns the number of uvc controls that have been correctly set, or a
++ * negative number if there has been an error.
++ */
+ static int uvc_ctrl_commit_entity(struct uvc_device *dev,
+ struct uvc_fh *handle,
+ struct uvc_entity *entity,
+ int rollback,
+ struct uvc_control **err_ctrl)
+ {
++ unsigned int processed_ctrls = 0;
+ struct uvc_control *ctrl;
+ unsigned int i;
+ int ret;
+@@ -1718,6 +1723,9 @@ static int uvc_ctrl_commit_entity(struct
+ else
+ ret = 0;
+
++ if (!ret)
++ processed_ctrls++;
++
+ if (rollback || ret < 0)
+ memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+ uvc_ctrl_data(ctrl, UVC_CTRL_DATA_BACKUP),
+@@ -1736,7 +1744,7 @@ static int uvc_ctrl_commit_entity(struct
+ uvc_ctrl_set_handle(handle, ctrl, handle);
+ }
+
+- return 0;
++ return processed_ctrls;
+ }
+
+ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity,
+@@ -1783,6 +1791,7 @@ int __uvc_ctrl_commit(struct uvc_fh *han
+
+ if (!rollback)
+ uvc_ctrl_send_events(handle, ctrls->controls, ctrls->count);
++ ret = 0;
+ done:
+ mutex_unlock(&chain->ctrl_mutex);
+ return ret;
--- /dev/null
+From 5c791467aea6277430da5f089b9b6c2a9d8a4af7 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 10:34:54 +0000
+Subject: media: uvcvideo: Send control events for partial succeeds
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 5c791467aea6277430da5f089b9b6c2a9d8a4af7 upstream.
+
+Today, when we are applying a change to entities A, B. If A succeeds and B
+fails the events for A are not sent.
+
+This change changes the code so the events for A are send right after
+they happen.
+
+Cc: stable@kernel.org
+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250224-uvc-data-backup-v2-2-de993ed9823b@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1540,7 +1540,9 @@ static bool uvc_ctrl_xctrls_has_control(
+ }
+
+ static void uvc_ctrl_send_events(struct uvc_fh *handle,
+- const struct v4l2_ext_control *xctrls, unsigned int xctrls_count)
++ struct uvc_entity *entity,
++ const struct v4l2_ext_control *xctrls,
++ unsigned int xctrls_count)
+ {
+ struct uvc_control_mapping *mapping;
+ struct uvc_control *ctrl;
+@@ -1551,6 +1553,9 @@ static void uvc_ctrl_send_events(struct
+ u32 changes = V4L2_EVENT_CTRL_CH_VALUE;
+
+ ctrl = uvc_find_control(handle->chain, xctrls[i].id, &mapping);
++ if (ctrl->entity != entity)
++ continue;
++
+ if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
+ /* Notification will be sent from an Interrupt event. */
+ continue;
+@@ -1786,11 +1791,12 @@ int __uvc_ctrl_commit(struct uvc_fh *han
+ uvc_ctrl_find_ctrl_idx(entity, ctrls,
+ err_ctrl);
+ goto done;
++ } else if (ret > 0 && !rollback) {
++ uvc_ctrl_send_events(handle, entity,
++ ctrls->controls, ctrls->count);
+ }
+ }
+
+- if (!rollback)
+- uvc_ctrl_send_events(handle, ctrls->controls, ctrls->count);
+ ret = 0;
+ done:
+ mutex_unlock(&chain->ctrl_mutex);
--- /dev/null
+From 2a934fdb01db6458288fc9386d3d8ceba6dd551a Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Wed, 19 Mar 2025 16:02:48 +0800
+Subject: media: v4l2-dev: fix error handling in __video_register_device()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 2a934fdb01db6458288fc9386d3d8ceba6dd551a upstream.
+
+Once device_register() failed, we should call put_device() to
+decrement reference count for cleanup. Or it could cause memory leak.
+And move callback function v4l2_device_release() and v4l2_device_get()
+before put_device().
+
+As comment of device_register() says, 'NOTE: _Never_ directly free
+@dev after calling this function, even if it returned an error! Always
+use put_device() to give up the reference initialized in this function
+instead.'
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: dc93a70cc7f9 ("V4L/DVB (9973): v4l2-dev: use the release callback from device instead of cdev")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-dev.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dev.c
++++ b/drivers/media/v4l2-core/v4l2-dev.c
+@@ -1032,25 +1032,25 @@ int __video_register_device(struct video
+ vdev->dev.class = &video_class;
+ vdev->dev.devt = MKDEV(VIDEO_MAJOR, vdev->minor);
+ vdev->dev.parent = vdev->dev_parent;
++ vdev->dev.release = v4l2_device_release;
+ dev_set_name(&vdev->dev, "%s%d", name_base, vdev->num);
++
++ /* Increase v4l2_device refcount */
++ v4l2_device_get(vdev->v4l2_dev);
++
+ mutex_lock(&videodev_lock);
+ ret = device_register(&vdev->dev);
+ if (ret < 0) {
+ mutex_unlock(&videodev_lock);
+ pr_err("%s: device_register failed\n", __func__);
+- goto cleanup;
++ put_device(&vdev->dev);
++ return ret;
+ }
+- /* Register the release callback that will be called when the last
+- reference to the device goes away. */
+- vdev->dev.release = v4l2_device_release;
+
+ if (nr != -1 && nr != vdev->num && warn_if_nr_in_use)
+ pr_warn("%s: requested %s%d, got %s\n", __func__,
+ name_base, nr, video_device_node_name(vdev));
+
+- /* Increase v4l2_device refcount */
+- v4l2_device_get(vdev->v4l2_dev);
+-
+ /* Part 5: Register the entity. */
+ ret = video_register_media_controller(vdev);
+
--- /dev/null
+From 523cea3a19f0b3b020a4745344c136a636e6ffd7 Mon Sep 17 00:00:00 2001
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Date: Thu, 27 Mar 2025 13:53:04 +0100
+Subject: media: venus: Fix probe error handling
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+commit 523cea3a19f0b3b020a4745344c136a636e6ffd7 upstream.
+
+Video device registering has been moved earlier in the probe function,
+but the new order has not been propagated to error handling. This means
+we can end with unreleased resources on error (e.g dangling video device
+on missing firmware probe aborting).
+
+Fixes: 08b1cf474b7f7 ("media: venus: core, venc, vdec: Fix probe dependency error")
+Cc: stable@vger.kernel.org
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -333,7 +333,7 @@ static int venus_probe(struct platform_d
+
+ ret = v4l2_device_register(dev, &core->v4l2_dev);
+ if (ret)
+- goto err_core_deinit;
++ goto err_hfi_destroy;
+
+ platform_set_drvdata(pdev, core);
+
+@@ -365,24 +365,24 @@ static int venus_probe(struct platform_d
+
+ ret = venus_enumerate_codecs(core, VIDC_SESSION_TYPE_DEC);
+ if (ret)
+- goto err_venus_shutdown;
++ goto err_core_deinit;
+
+ ret = venus_enumerate_codecs(core, VIDC_SESSION_TYPE_ENC);
+ if (ret)
+- goto err_venus_shutdown;
++ goto err_core_deinit;
+
+ ret = pm_runtime_put_sync(dev);
+ if (ret) {
+ pm_runtime_get_noresume(dev);
+- goto err_dev_unregister;
++ goto err_core_deinit;
+ }
+
+ venus_dbgfs_init(core);
+
+ return 0;
+
+-err_dev_unregister:
+- v4l2_device_unregister(&core->v4l2_dev);
++err_core_deinit:
++ hfi_core_deinit(core, false);
+ err_venus_shutdown:
+ venus_shutdown(core);
+ err_firmware_deinit:
+@@ -393,9 +393,9 @@ err_runtime_disable:
+ pm_runtime_put_noidle(dev);
+ pm_runtime_disable(dev);
+ pm_runtime_set_suspended(dev);
++ v4l2_device_unregister(&core->v4l2_dev);
++err_hfi_destroy:
+ hfi_destroy(core);
+-err_core_deinit:
+- hfi_core_deinit(core, false);
+ err_core_put:
+ if (core->pm_ops->core_put)
+ core->pm_ops->core_put(core);
--- /dev/null
+From a704a3c503ae1cfd9de8a2e2d16a0c9430e98162 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 7 May 2025 18:09:11 +0200
+Subject: media: videobuf2: use sgtable-based scatterlist wrappers
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit a704a3c503ae1cfd9de8a2e2d16a0c9430e98162 upstream.
+
+Use common wrappers operating directly on the struct sg_table objects to
+fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
+functions have to be called with the number of elements originally passed
+to dma_map_sg_*() function, not the one returned in sgt->nents.
+
+Fixes: d4db5eb57cab ("media: videobuf2: add begin/end cpu_access callbacks to dma-sg")
+CC: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Acked-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
++++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+@@ -471,7 +471,7 @@ vb2_dma_sg_dmabuf_ops_begin_cpu_access(s
+ struct vb2_dma_sg_buf *buf = dbuf->priv;
+ struct sg_table *sgt = buf->dma_sgt;
+
+- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sgtable_for_cpu(buf->dev, sgt, buf->dma_dir);
+ return 0;
+ }
+
+@@ -482,7 +482,7 @@ vb2_dma_sg_dmabuf_ops_end_cpu_access(str
+ struct vb2_dma_sg_buf *buf = dbuf->priv;
+ struct sg_table *sgt = buf->dma_sgt;
+
+- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sgtable_for_device(buf->dev, sgt, buf->dma_dir);
+ return 0;
+ }
+
--- /dev/null
+From 1d5f88f053480326873115092bc116b7d14916ba Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Tue, 11 Mar 2025 15:20:14 +0800
+Subject: media: vidtv: Terminating the subsequent process of initialization failure
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 1d5f88f053480326873115092bc116b7d14916ba upstream.
+
+syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]
+
+After PSI initialization fails, the si member is accessed again, resulting
+in this uaf.
+
+After si initialization fails, the subsequent process needs to be exited.
+
+[1]
+BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]
+BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
+Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059
+
+CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0
+Hardware name: Google Compute Engine, BIOS Google 02/12/2025
+Call Trace:
+<TASK>
+__dump_stack lib/dump_stack.c:94 [inline]
+dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+print_address_description mm/kasan/report.c:408 [inline]
+print_report+0xc3/0x670 mm/kasan/report.c:521
+kasan_report+0xd9/0x110 mm/kasan/report.c:634
+vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78
+vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
+vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+__fput+0x3ff/0xb70 fs/file_table.c:464
+task_work_run+0x14e/0x250 kernel/task_work.c:227
+exit_task_work include/linux/task_work.h:40 [inline]
+do_exit+0xad8/0x2d70 kernel/exit.c:938
+do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+__do_sys_exit_group kernel/exit.c:1098 [inline]
+__se_sys_exit_group kernel/exit.c:1096 [inline]
+__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f871d58d169
+Code: Unable to access opcode bytes at 0x7f871d58d13f.
+RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169
+RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0
+R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003
+R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840
+ </TASK>
+
+Allocated by task 6059:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
+ kmalloc_noprof include/linux/slab.h:901 [inline]
+ kzalloc_noprof include/linux/slab.h:1037 [inline]
+ vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970
+ vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423
+ vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
+ vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+ vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+ dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+ dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+ dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+ dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+ dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+ dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+ __fput+0x3ff/0xb70 fs/file_table.c:464
+ task_work_run+0x14e/0x250 kernel/task_work.c:227
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xad8/0x2d70 kernel/exit.c:938
+ do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+ __do_sys_exit_group kernel/exit.c:1098 [inline]
+ __se_sys_exit_group kernel/exit.c:1096 [inline]
+ __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+ x64_sys_call arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6059:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2353 [inline]
+ slab_free mm/slub.c:4609 [inline]
+ kfree+0x2c4/0x4d0 mm/slub.c:4757
+ vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:499
+ vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
+ vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+ vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+ dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+ dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+ dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+ dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+ dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+ dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+ __fput+0x3ff/0xb70 fs/file_table.c:464
+ task_work_run+0x14e/0x250 kernel/task_work.c:227
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xad8/0x2d70 kernel/exit.c:938
+ do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+ __do_sys_exit_group kernel/exit.c:1098 [inline]
+ __se_sys_exit_group kernel/exit.c:1096 [inline]
+ __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+ x64_sys_call arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 3be8037960bc ("media: vidtv: add error checks")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+0d33ab192bd50b6c91e6@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0d33ab192bd50b6c91e6
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_channel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
+@@ -497,7 +497,7 @@ free_sdt:
+ vidtv_psi_sdt_table_destroy(m->si.sdt);
+ free_pat:
+ vidtv_psi_pat_table_destroy(m->si.pat);
+- return 0;
++ return -EINVAL;
+ }
+
+ void vidtv_channel_si_destroy(struct vidtv_mux *m)
--- /dev/null
+From f83ac8d30c43fd902af7c84c480f216157b60ef0 Mon Sep 17 00:00:00 2001
+From: Denis Arefev <arefev@swemel.ru>
+Date: Tue, 15 Apr 2025 11:27:21 +0300
+Subject: media: vivid: Change the siize of the composing
+
+From: Denis Arefev <arefev@swemel.ru>
+
+commit f83ac8d30c43fd902af7c84c480f216157b60ef0 upstream.
+
+syzkaller found a bug:
+
+BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
+Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304
+
+CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:489
+ kasan_report+0x143/0x180 mm/kasan/report.c:602
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
+ tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
+ vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
+ vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
+ vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
+ kthread+0x7a9/0x920 kernel/kthread.c:464
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+The composition size cannot be larger than the size of fmt_cap_rect.
+So execute v4l2_rect_map_inside() even if has_compose_cap == 0.
+
+Fixes: 94a7ad928346 ("media: vivid: fix compose size exceed boundary")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+365005005522b70a36f2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=8ed8e8cc30cbe0d86c9a25bd1d6a5775129b8ea3
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -962,8 +962,8 @@ int vivid_vid_cap_s_selection(struct fil
+ if (dev->has_compose_cap) {
+ v4l2_rect_set_min_size(compose, &min_rect);
+ v4l2_rect_set_max_size(compose, &max_rect);
+- v4l2_rect_map_inside(compose, &fmt);
+ }
++ v4l2_rect_map_inside(compose, &fmt);
+ dev->fmt_cap_rect = fmt;
+ tpg_s_buf_height(&dev->tpg, fmt.height);
+ } else if (dev->has_compose_cap) {
--- /dev/null
+From b31da62889e6d610114d81dc7a6edbcaa503fcf8 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng <lilingfeng3@huawei.com>
+Date: Mon, 14 Apr 2025 22:38:52 +0800
+Subject: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+commit b31da62889e6d610114d81dc7a6edbcaa503fcf8 upstream.
+
+In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through
+nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized,
+this can cause NULL pointer dereference.
+
+Normally the delayed start of laundromat_work allows sufficient time for
+nfsd_ssc initialization to complete. However, when the kernel waits too
+long for userspace responses (e.g. in nfs4_state_start_net ->
+nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done ->
+cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the
+delayed work may start before nfsd_ssc initialization finishes.
+
+Fix this by moving nfsd_ssc initialization before starting laundromat_work.
+
+Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -427,13 +427,13 @@ static int nfsd_startup_net(struct net *
+ if (ret)
+ goto out_filecache;
+
++#ifdef CONFIG_NFSD_V4_2_INTER_SSC
++ nfsd4_ssc_init_umount_work(nn);
++#endif
+ ret = nfs4_state_start_net(net);
+ if (ret)
+ goto out_reply_cache;
+
+-#ifdef CONFIG_NFSD_V4_2_INTER_SSC
+- nfsd4_ssc_init_umount_work(nn);
+-#endif
+ nn->nfsd_net_up = true;
+ return 0;
+
--- /dev/null
+From 1244f0b2c3cecd3f349a877006e67c9492b41807 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neil@brown.name>
+Date: Fri, 28 Mar 2025 11:05:59 +1100
+Subject: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
+
+From: NeilBrown <neil@brown.name>
+
+commit 1244f0b2c3cecd3f349a877006e67c9492b41807 upstream.
+
+If the request being processed is not a v4 compound request, then
+examining the cstate can have undefined results.
+
+This patch adds a check that the rpc procedure being executed
+(rq_procinfo) is the NFSPROC4_COMPOUND procedure.
+
+Reported-by: Olga Kornievskaia <okorniev@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: NeilBrown <neil@brown.name>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -3537,7 +3537,8 @@ bool nfsd4_spo_must_allow(struct svc_rqs
+ struct nfs4_op_map *allow = &cstate->clp->cl_spo_must_allow;
+ u32 opiter;
+
+- if (!cstate->minorversion)
++ if (rqstp->rq_procinfo != &nfsd_version4.vs_proc[NFSPROC4_COMPOUND] ||
++ cstate->minorversion == 0)
+ return false;
+
+ if (cstate->spo_must_allowed)
net-mlx5_core-add-error-handling-inmlx5_query_nic_vport_qkey_viol_cntr.patch
net-mlx5-add-error-handling-in-mlx5_query_nic_vport_node_guid.patch
wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
+nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch
+nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch
+jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch
+wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch
+media-ov8856-suppress-probe-deferral-errors.patch
+media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch
+media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch
+media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch
+media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch
+media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch
+media-gspca-add-error-handling-for-stv06xx_read_sensor.patch
+media-v4l2-dev-fix-error-handling-in-__video_register_device.patch
+media-venus-fix-probe-error-handling.patch
+media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch
+media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch
+media-vivid-change-the-siize-of-the-composing.patch
+media-uvcvideo-return-the-number-of-processed-controls.patch
+media-uvcvideo-send-control-events-for-partial-succeeds.patch
+media-uvcvideo-fix-deferred-probing-error.patch
--- /dev/null
+From 77a6407c6ab240527166fb19ee96e95f5be4d3cd Mon Sep 17 00:00:00 2001
+From: Mingcong Bai <jeffbai@aosc.io>
+Date: Tue, 22 Apr 2025 14:17:54 +0800
+Subject: wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723
+
+From: Mingcong Bai <jeffbai@aosc.io>
+
+commit 77a6407c6ab240527166fb19ee96e95f5be4d3cd upstream.
+
+RTL8723BE found on some ASUSTek laptops, such as F441U and X555UQ with
+subsystem ID 11ad:1723 are known to output large amounts of PCIe AER
+errors during and after boot up, causing heavy lags and at times lock-ups:
+
+ pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5
+ pcieport 0000:00:1c.5: PCIe Bus Error: severity=Correctable, type=Physical Layer, (Receiver ID)
+ pcieport 0000:00:1c.5: device [8086:9d15] error status/mask=00000001/00002000
+ pcieport 0000:00:1c.5: [ 0] RxErr
+
+Disable ASPM on this combo as a quirk.
+
+This patch is a revision of a previous patch (linked below) which
+attempted to disable ASPM for RTL8723BE on all Intel Skylake and Kaby Lake
+PCIe bridges. I take a more conservative approach as all known reports
+point to ASUSTek laptops of these two generations with this particular
+wireless card.
+
+Please note, however, before the rtl8723be finishes probing, the AER
+errors remained. After the module finishes probing, all AER errors would
+indeed be eliminated, along with heavy lags, poor network throughput,
+and/or occasional lock-ups.
+
+Cc: <stable@vger.kernel.org>
+Fixes: a619d1abe20c ("rtlwifi: rtl8723be: Add new driver")
+Reported-by: Liangliang Zou <rawdiamondmc@outlook.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218127
+Link: https://lore.kernel.org/lkml/05390e0b-27fd-4190-971e-e70a498c8221@lwfinger.net/T/
+Tested-by: Liangliang Zou <rawdiamondmc@outlook.com>
+Signed-off-by: Mingcong Bai <jeffbai@aosc.io>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250422061755.356535-1-jeffbai@aosc.io
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -155,6 +155,16 @@ static void _rtl_pci_update_default_sett
+ if (rtlpriv->rtlhal.hw_type == HARDWARE_TYPE_RTL8192SE &&
+ init_aspm == 0x43)
+ ppsc->support_aspm = false;
++
++ /* RTL8723BE found on some ASUSTek laptops, such as F441U and
++ * X555UQ with subsystem ID 11ad:1723 are known to output large
++ * amounts of PCIe AER errors during and after boot up, causing
++ * heavy lags, poor network throughput, and occasional lock-ups.
++ */
++ if (rtlpriv->rtlhal.hw_type == HARDWARE_TYPE_RTL8723BE &&
++ (rtlpci->pdev->subsystem_vendor == 0x11ad &&
++ rtlpci->pdev->subsystem_device == 0x1723))
++ ppsc->support_aspm = false;
+ }
+
+ static bool _rtl_pci_platform_switch_device_pci_aspm(
projects / thirdparty / kernel / stable-queue.git / commitdiff
