6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Jun 2025 07:44:42 +0000 (09:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Jun 2025 07:44:42 +0000 (09:44 +0200)
added patches:
fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch
jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch
media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch
media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch
media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch
media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch
media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch
media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch
media-gspca-add-error-handling-for-stv06xx_read_sensor.patch
media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch
media-i2c-imx335-fix-frame-size-enumeration.patch
media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch
media-imx-jpeg-cleanup-after-an-allocation-error.patch
media-imx-jpeg-drop-the-first-error-frames.patch
media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch
media-imx-jpeg-reset-slot-data-pointers-when-freed.patch
media-imx335-use-correct-register-width-for-hnum.patch
media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch
media-ipu6-remove-workaround-for-meteor-lake-es2.patch
media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch
media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch
media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch
media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch
media-ov5675-suppress-probe-deferral-errors.patch
media-ov8856-suppress-probe-deferral-errors.patch
media-uvcvideo-fix-deferred-probing-error.patch
media-uvcvideo-return-the-number-of-processed-controls.patch
media-uvcvideo-send-control-events-for-partial-succeeds.patch
media-v4l2-dev-fix-error-handling-in-__video_register_device.patch
media-venus-fix-probe-error-handling.patch
media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch
media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch
media-vivid-change-the-siize-of-the-composing.patch
nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch
nfsd-implement-fattr4_clone_blksize-attribute.patch
nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch
nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch
nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch
nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch
sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch
svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch
wifi-ath11k-fix-ring-buffer-corruption.patch
wifi-ath11k-fix-rx-completion-meta-data-corruption.patch
wifi-ath12k-fix-ring-buffer-corruption.patch
wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch
wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch
wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch

48 files changed:
queue-6.12/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch [new file with mode: 0644]
queue-6.12/jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch [new file with mode: 0644]
queue-6.12/media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch [new file with mode: 0644]
queue-6.12/media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch [new file with mode: 0644]
queue-6.12/media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch [new file with mode: 0644]
queue-6.12/media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch [new file with mode: 0644]
queue-6.12/media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch [new file with mode: 0644]
queue-6.12/media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch [new file with mode: 0644]
queue-6.12/media-gspca-add-error-handling-for-stv06xx_read_sensor.patch [new file with mode: 0644]
queue-6.12/media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch [new file with mode: 0644]
queue-6.12/media-i2c-imx335-fix-frame-size-enumeration.patch [new file with mode: 0644]
queue-6.12/media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch [new file with mode: 0644]
queue-6.12/media-imx-jpeg-cleanup-after-an-allocation-error.patch [new file with mode: 0644]
queue-6.12/media-imx-jpeg-drop-the-first-error-frames.patch [new file with mode: 0644]
queue-6.12/media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch [new file with mode: 0644]
queue-6.12/media-imx-jpeg-reset-slot-data-pointers-when-freed.patch [new file with mode: 0644]
queue-6.12/media-imx335-use-correct-register-width-for-hnum.patch [new file with mode: 0644]
queue-6.12/media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch [new file with mode: 0644]
queue-6.12/media-ipu6-remove-workaround-for-meteor-lake-es2.patch [new file with mode: 0644]
queue-6.12/media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch [new file with mode: 0644]
queue-6.12/media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch [new file with mode: 0644]
queue-6.12/media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch [new file with mode: 0644]
queue-6.12/media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch [new file with mode: 0644]
queue-6.12/media-ov5675-suppress-probe-deferral-errors.patch [new file with mode: 0644]
queue-6.12/media-ov8856-suppress-probe-deferral-errors.patch [new file with mode: 0644]
queue-6.12/media-uvcvideo-fix-deferred-probing-error.patch [new file with mode: 0644]
queue-6.12/media-uvcvideo-return-the-number-of-processed-controls.patch [new file with mode: 0644]
queue-6.12/media-uvcvideo-send-control-events-for-partial-succeeds.patch [new file with mode: 0644]
queue-6.12/media-v4l2-dev-fix-error-handling-in-__video_register_device.patch [new file with mode: 0644]
queue-6.12/media-venus-fix-probe-error-handling.patch [new file with mode: 0644]
queue-6.12/media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch [new file with mode: 0644]
queue-6.12/media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch [new file with mode: 0644]
queue-6.12/media-vivid-change-the-siize-of-the-composing.patch [new file with mode: 0644]
queue-6.12/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch [new file with mode: 0644]
queue-6.12/nfsd-implement-fattr4_clone_blksize-attribute.patch [new file with mode: 0644]
queue-6.12/nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch [new file with mode: 0644]
queue-6.12/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch [new file with mode: 0644]
queue-6.12/nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch [new file with mode: 0644]
queue-6.12/nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch [new file with mode: 0644]
queue-6.12/series
queue-6.12/sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch [new file with mode: 0644]
queue-6.12/svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch [new file with mode: 0644]
queue-6.12/wifi-ath11k-fix-ring-buffer-corruption.patch [new file with mode: 0644]
queue-6.12/wifi-ath11k-fix-rx-completion-meta-data-corruption.patch [new file with mode: 0644]
queue-6.12/wifi-ath12k-fix-ring-buffer-corruption.patch [new file with mode: 0644]
queue-6.12/wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch [new file with mode: 0644]
queue-6.12/wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch [new file with mode: 0644]
queue-6.12/wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch [new file with mode: 0644]

diff --git a/queue-6.12/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch b/queue-6.12/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch
new file mode 100644 (file)
index 0000000..fac7c2a
--- /dev/null
@@ -0,0 +1,70 @@
+From 4c10fa44bc5f700e2ea21de2fbae520ba21f19d9 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Wed, 23 Apr 2025 15:22:50 +0200
+Subject: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()
+
+From: Max Kellermann <max.kellermann@ionos.com>
+
+commit 4c10fa44bc5f700e2ea21de2fbae520ba21f19d9 upstream.
+
+Sometimes, when a file was read while it was being truncated by
+another NFS client, the kernel could deadlock because folio_unlock()
+was called twice, and the second call would XOR back the `PG_locked`
+flag.
+
+Most of the time (depending on the timing of the truncation), nobody
+notices the problem because folio_unlock() gets called three times,
+which flips `PG_locked` back off:
+
+ 1. vfs_read, nfs_read_folio, ... nfs_read_add_folio,
+    nfs_return_empty_folio
+ 2. vfs_read, nfs_read_folio, ... netfs_read_collection,
+    netfs_unlock_abandoned_read_pages
+ 3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio,
+    nfs_return_empty_folio
+
+The problem is that nfs_read_add_folio() is not supposed to unlock the
+folio if fscache is enabled, and a nfs_netfs_folio_unlock() check is
+missing in nfs_return_empty_folio().
+
+Rarely this leads to a warning in netfs_read_collection():
+
+ ------------[ cut here ]------------
+ R=0000031c: folio 10 is not locked
+ WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00
+ [...]
+ Workqueue: events_unbound netfs_read_collection_worker
+ RIP: 0010:netfs_read_collection+0x7c0/0xf00
+ [...]
+ Call Trace:
+  <TASK>
+  netfs_read_collection_worker+0x67/0x80
+  process_one_work+0x12e/0x2c0
+  worker_thread+0x295/0x3a0
+
+Most of the time, however, processes just get stuck forever in
+folio_wait_bit_common(), waiting for `PG_locked` to disappear, which
+never happens because nobody is really holding the folio lock.
+
+Fixes: 000dbe0bec05 ("NFS: Convert buffered read paths to use netfs when fscache is enabled")
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Reviewed-by: Dave Wysochanski <dwysocha@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/read.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/read.c
++++ b/fs/nfs/read.c
+@@ -56,7 +56,8 @@ static int nfs_return_empty_folio(struct
+ {
+       folio_zero_segment(folio, 0, folio_size(folio));
+       folio_mark_uptodate(folio);
+-      folio_unlock(folio);
++      if (nfs_netfs_folio_unlock(folio))
++              folio_unlock(folio);
+       return 0;
+ }
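Review bot: The conditional unlock in nfs_return_empty_folio() carries no comment explaining why the folio may have to stay locked, which is the invariant the original code missed. A short comment above the `if` would keep a later cleanup from folding it back into an unconditional unlock, for example `/* With fscache enabled the netfs layer unlocks the folio; a second folio_unlock() would flip PG_locked back on. */`. Other folio_unlock() call sites in fs/nfs/read.c are not visible in this hunk and may deserve the same look.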
diff --git a/queue-6.12/jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch b/queue-6.12/jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch
new file mode 100644 (file)
index 0000000..39746d0
--- /dev/null
@@ -0,0 +1,82 @@
+From af98b0157adf6504fade79b3e6cb260c4ff68e37 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Wed, 14 May 2025 22:08:55 +0900
+Subject: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit af98b0157adf6504fade79b3e6cb260c4ff68e37 upstream.
+
+Since handle->h_transaction may be a NULL pointer, so we should change it
+to call is_handle_aborted(handle) first before dereferencing it.
+
+And the following data-race was reported in my fuzzer:
+
+==================================================================
+BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata
+
+write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1:
+ jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556
+ __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358
+ ext4_do_update_inode fs/ext4/inode.c:5220 [inline]
+ ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869
+ __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074
+ ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103
+....
+
+read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0:
+ jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512
+ __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358
+ ext4_do_update_inode fs/ext4/inode.c:5220 [inline]
+ ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869
+ __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074
+ ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103
+....
+
+value changed: 0x00000000 -> 0x00000001
+==================================================================
+
+This issue is caused by missing data-race annotation for jh->b_modified.
+Therefore, the missing annotation needs to be added.
+
+Reported-by: syzbot+de24c3fe3c4091051710@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=de24c3fe3c4091051710
+Fixes: 6e06ae88edae ("jbd2: speedup jbd2_journal_dirty_metadata()")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250514130855.99010-1-aha310510@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/transaction.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1513,7 +1513,7 @@ int jbd2_journal_dirty_metadata(handle_t
+                               jh->b_next_transaction == transaction);
+               spin_unlock(&jh->b_state_lock);
+       }
+-      if (jh->b_modified == 1) {
++      if (data_race(jh->b_modified == 1)) {
+               /* If it's in our transaction it must be in BJ_Metadata list. */
+               if (data_race(jh->b_transaction == transaction &&
+                   jh->b_jlist != BJ_Metadata)) {
+@@ -1532,7 +1532,6 @@ int jbd2_journal_dirty_metadata(handle_t
+               goto out;
+       }
+-      journal = transaction->t_journal;
+       spin_lock(&jh->b_state_lock);
+       if (is_handle_aborted(handle)) {
+@@ -1547,6 +1546,8 @@ int jbd2_journal_dirty_metadata(handle_t
+               goto out_unlock_bh;
+       }
++      journal = transaction->t_journal;
++
+       if (jh->b_modified == 0) {
+               /*
+                * This buffer's got modified and becoming part
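Review bot: The relocated `journal = transaction->t_journal;` is only safe because it now follows the `is_handle_aborted(handle)` check, but nothing at that line says so, and a later tidy-up could move the assignment back to the top of the block. A comment directly above it would record the ordering requirement, for example `/* transaction may be NULL until is_handle_aborted() has been checked above */`. The new `data_race(jh->b_modified == 1)` could likewise note that it is a lockless fast-path read and that `b_modified` is tested again under `b_state_lock` further down. The body of jbd2_journal_dirty_metadata() starts and ends outside these hunks.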
diff --git a/queue-6.12/media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch b/queue-6.12/media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch
new file mode 100644 (file)
index 0000000..231af48
--- /dev/null
@@ -0,0 +1,35 @@
+From 6868b955acd6e5d7405a2b730c2ffb692ad50d2c Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Thu, 20 Feb 2025 10:54:44 +0200
+Subject: media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 6868b955acd6e5d7405a2b730c2ffb692ad50d2c upstream.
+
+The check for VT PLL upper limit in dual PLL case was missing. Add it now.
+
+Fixes: 6c7469e46b60 ("media: ccs-pll: Add trivial dual PLL support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs-pll.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/media/i2c/ccs-pll.c
++++ b/drivers/media/i2c/ccs-pll.c
+@@ -312,6 +312,11 @@ __ccs_pll_calculate_vt_tree(struct devic
+       dev_dbg(dev, "more_mul2: %u\n", more_mul);
+       pll_fr->pll_multiplier = mul * more_mul;
++      if (pll_fr->pll_multiplier > lim_fr->max_pll_multiplier) {
++              dev_dbg(dev, "pll multiplier %u too high\n",
++                      pll_fr->pll_multiplier);
++              return -EINVAL;
++      }
+       if (pll_fr->pll_multiplier * pll_fr->pll_ip_clk_freq_hz >
+           lim_fr->max_pll_op_clk_freq_hz)
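Review bot: The new limit check reads `pll_fr->pll_multiplier` after `mul * more_mul` has already been stored in it, so if that field is narrower than the operands (their declarations are outside the hunk) an oversized product could be truncated and still pass the comparison. Checking the untruncated value before the assignment, `if (mul * more_mul > lim_fr->max_pll_multiplier)`, would make the check independent of the field width. The product with `pll_fr->pll_ip_clk_freq_hz` in the next condition is worth the same check for wrap-around. The function body starts and ends outside the hunk.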
diff --git a/queue-6.12/media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch b/queue-6.12/media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch
new file mode 100644 (file)
index 0000000..6d786cd
--- /dev/null
@@ -0,0 +1,35 @@
+From f639494db450770fa30d6845d9c84b9cb009758f Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Wed, 19 Feb 2025 15:06:11 +0200
+Subject: media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit f639494db450770fa30d6845d9c84b9cb009758f upstream.
+
+The PLL calculator does a search of the PLL configuration space for all
+valid OP pre-PLL clock dividers. The maximum did not take into account the
+CCS PLL flag CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER in which case also odd PLL
+dividers (other than 1) are valid. Do that now.
+
+Fixes: 4e1e8d240dff ("media: ccs-pll: Add support for extended input PLL clock divider")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs-pll.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ccs-pll.c
++++ b/drivers/media/i2c/ccs-pll.c
+@@ -794,7 +794,7 @@ int ccs_pll_calculate(struct device *dev
+               op_lim_fr->min_pre_pll_clk_div, op_lim_fr->max_pre_pll_clk_div);
+       max_op_pre_pll_clk_div =
+               min_t(u16, op_lim_fr->max_pre_pll_clk_div,
+-                    clk_div_even(pll->ext_clk_freq_hz /
++                    DIV_ROUND_UP(pll->ext_clk_freq_hz,
+                                  op_lim_fr->min_pll_ip_clk_freq_hz));
+       min_op_pre_pll_clk_div =
+               max_t(u16, op_lim_fr->min_pre_pll_clk_div,
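Review bot: `DIV_ROUND_UP(pll->ext_clk_freq_hz, op_lim_fr->min_pll_ip_clk_freq_hz)` rounds the maximum divider up, so whenever the division is inexact the largest candidate gives a PLL input clock below `min_pll_ip_clk_freq_hz`. Presumably a later range check in the search rejects that candidate, but it is not visible in this hunk, so a one-line comment stating why the ceiling is intended here would help. The surrounding `min_t(u16, ...)` also casts the quotient to 16 bits before comparing, so a large ratio would be truncated rather than clamped; that predates this change but sits on the same expression. ccs_pll_calculate() continues outside the hunk.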
diff --git a/queue-6.12/media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch b/queue-6.12/media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch
new file mode 100644 (file)
index 0000000..1f86382
--- /dev/null
@@ -0,0 +1,36 @@
+From 660e613d05e449766784c549faf5927ffaf281f1 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Tue, 18 Feb 2025 23:43:58 +0200
+Subject: media: ccs-pll: Start OP pre-PLL multiplier search from correct value
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 660e613d05e449766784c549faf5927ffaf281f1 upstream.
+
+The ccs_pll_calculate() function does a search over possible PLL
+configurations to find the "best" one. If the sensor does not support odd
+pre-PLL divisors and the minimum value (with constraints) isn't 1, other
+odd values could be errorneously searched (and selected) for the pre-PLL
+divisor. Fix this.
+
+Fixes: 415ddd993978 ("media: ccs-pll: Split limits and PLL configuration into front and back parts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs-pll.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/ccs-pll.c
++++ b/drivers/media/i2c/ccs-pll.c
+@@ -817,6 +817,8 @@ int ccs_pll_calculate(struct device *dev
+                             one_or_more(
+                                     DIV_ROUND_UP(op_lim_fr->max_pll_op_clk_freq_hz,
+                                                  pll->ext_clk_freq_hz))));
++      if (!(pll->flags & CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER))
++              min_op_pre_pll_clk_div = clk_div_even(min_op_pre_pll_clk_div);
+       dev_dbg(dev, "pll_op check: min / max op_pre_pll_clk_div: %u / %u\n",
+               min_op_pre_pll_clk_div, max_op_pre_pll_clk_div);
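Review bot: Whether this is safe depends on the rounding direction of `clk_div_even()`, which is defined outside the hunk: if it rounds an odd value down, `min_op_pre_pll_clk_div` ends up below the lower bound computed by the `max_t()` just above, and the search can start at a divider that violates that constraint. If so, a round-up helper would be the safer choice; either way a comment such as `/* odd dividers unsupported: start the search from an even value */` should state the direction. The same applies to the matching `min_pre_pll_clk_div = clk_div_even(min_pre_pll_clk_div);` added to ccs_pll_calculate_vt_tree() in the next patch. Both function bodies extend beyond their hunks.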
diff --git a/queue-6.12/media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch b/queue-6.12/media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch
new file mode 100644 (file)
index 0000000..b44645f
--- /dev/null
@@ -0,0 +1,36 @@
+From 06d2d478b09e6764fb6161d1621fc10d9f0f2860 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Tue, 18 Feb 2025 23:47:13 +0200
+Subject: media: ccs-pll: Start VT pre-PLL multiplier search from correct value
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 06d2d478b09e6764fb6161d1621fc10d9f0f2860 upstream.
+
+The ccs_pll_calculate_vt_tree() function does a search over possible VT
+PLL configurations to find the "best" one. If the sensor does not support
+odd pre-PLL divisors and the minimum value (with constraints) isn't 1,
+other odd values could be errorneously searched (and selected) for the
+pre-PLL divisor. Fix this.
+
+Fixes: 415ddd993978 ("media: ccs-pll: Split limits and PLL configuration into front and back parts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs-pll.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/ccs-pll.c
++++ b/drivers/media/i2c/ccs-pll.c
+@@ -397,6 +397,8 @@ static int ccs_pll_calculate_vt_tree(str
+       min_pre_pll_clk_div = max_t(u16, min_pre_pll_clk_div,
+                                   pll->ext_clk_freq_hz /
+                                   lim_fr->max_pll_ip_clk_freq_hz);
++      if (!(pll->flags & CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER))
++              min_pre_pll_clk_div = clk_div_even(min_pre_pll_clk_div);
+       dev_dbg(dev, "vt min/max_pre_pll_clk_div: %u,%u\n",
+               min_pre_pll_clk_div, max_pre_pll_clk_div);
diff --git a/queue-6.12/media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch b/queue-6.12/media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch
new file mode 100644 (file)
index 0000000..f24c67b
--- /dev/null
@@ -0,0 +1,66 @@
+From 73fb3b92da84637e3817580fa205d48065924e15 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Sat, 5 Apr 2025 19:56:41 +0800
+Subject: media: cxusb: no longer judge rbuf when the write fails
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 73fb3b92da84637e3817580fa205d48065924e15 upstream.
+
+syzbot reported a uninit-value in cxusb_i2c_xfer. [1]
+
+Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()
+succeeds and rlen is greater than 0, the read operation of usb_bulk_msg()
+will be executed to read rlen bytes of data from the dvb device into the
+rbuf.
+
+In this case, although rlen is 1, the write operation failed which resulted
+in the dvb read operation not being executed, and ultimately variable i was
+not initialized.
+
+[1]
+BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
+BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
+ cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
+ cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
+ __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1
+ i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315
+ i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343
+ i2c_master_send include/linux/i2c.h:109 [inline]
+ i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183
+ do_loop_readv_writev fs/read_write.c:848 [inline]
+ vfs_writev+0x963/0x14e0 fs/read_write.c:1057
+ do_writev+0x247/0x5c0 fs/read_write.c:1101
+ __do_sys_writev fs/read_write.c:1169 [inline]
+ __se_sys_writev fs/read_write.c:1166 [inline]
+ __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166
+ x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Reported-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=526bd95c0ec629993bf3
+Tested-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com
+Fixes: 22c6d93a7310 ("[PATCH] dvb: usb: support Medion hybrid USB2.0 DVB-T/analogue box")
+Cc: stable@vger.kernel.org
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb/cxusb.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -119,9 +119,8 @@ static void cxusb_gpio_tuner(struct dvb_
+       o[0] = GPIO_TUNER;
+       o[1] = onoff;
+-      cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1);
+-      if (i != 0x01)
++      if (!cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1) && i != 0x01)
+               dev_info(&d->udev->dev, "gpio_write failed.\n");
+       st->gpio_write_state[GPIO_TUNER] = onoff;
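Review bot: When `cxusb_ctrl_msg()` itself fails, the new condition short-circuits, so nothing is logged and `st->gpio_write_state[GPIO_TUNER] = onoff;` still records the GPIO write as done. The uninitialised read of `i` is gone, but the transport error is now silent and the cached state can diverge from the device. Keeping the return value would cover both cases: `ret = cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1);` followed by `if (ret || i != 0x01)` around the existing `dev_info()`. Whether the state update should be skipped on failure depends on callers outside this hunk, as does the start of cxusb_gpio_tuner().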
diff --git a/queue-6.12/media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch b/queue-6.12/media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch
new file mode 100644 (file)
index 0000000..d0ba3e9
--- /dev/null
@@ -0,0 +1,47 @@
+From 024bf40edf1155e7a587f0ec46294049777d9b02 Mon Sep 17 00:00:00 2001
+From: Dmitry Nikiforov <Dm1tryNk@yandex.ru>
+Date: Wed, 16 Apr 2025 23:51:19 +0300
+Subject: media: davinci: vpif: Fix memory leak in probe error path
+
+From: Dmitry Nikiforov <Dm1tryNk@yandex.ru>
+
+commit 024bf40edf1155e7a587f0ec46294049777d9b02 upstream.
+
+If an error occurs during the initialization of `pdev_display`,
+the allocated platform device `pdev_capture` is not released properly,
+leading to a memory leak.
+
+Adjust error path handling to fix the leak.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 43acb728bbc4 ("media: davinci: vpif: fix use-after-free on driver unbind")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Nikiforov <Dm1tryNk@yandex.ru>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/ti/davinci/vpif.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/ti/davinci/vpif.c
++++ b/drivers/media/platform/ti/davinci/vpif.c
+@@ -504,7 +504,7 @@ static int vpif_probe(struct platform_de
+       pdev_display = kzalloc(sizeof(*pdev_display), GFP_KERNEL);
+       if (!pdev_display) {
+               ret = -ENOMEM;
+-              goto err_put_pdev_capture;
++              goto err_del_pdev_capture;
+       }
+       pdev_display->name = "vpif_display";
+@@ -527,6 +527,8 @@ static int vpif_probe(struct platform_de
+ err_put_pdev_display:
+       platform_device_put(pdev_display);
++err_del_pdev_capture:
++      platform_device_del(pdev_capture);
+ err_put_pdev_capture:
+       platform_device_put(pdev_capture);
+ err_put_rpm:
diff --git a/queue-6.12/media-gspca-add-error-handling-for-stv06xx_read_sensor.patch b/queue-6.12/media-gspca-add-error-handling-for-stv06xx_read_sensor.patch
new file mode 100644 (file)
index 0000000..411b38d
--- /dev/null
@@ -0,0 +1,41 @@
+From 398a1b33f1479af35ca915c5efc9b00d6204f8fa Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Tue, 22 Apr 2025 11:07:39 +0800
+Subject: media: gspca: Add error handling for stv06xx_read_sensor()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 398a1b33f1479af35ca915c5efc9b00d6204f8fa upstream.
+
+In hdcs_init(), the return value of stv06xx_read_sensor() needs to be
+checked. A proper implementation can be found in vv6410_dump(). Add a
+check in loop condition and propergate error code to fix this issue.
+
+Fixes: 4c98834addfe ("V4L/DVB (10048): gspca - stv06xx: New subdriver.")
+Cc: stable@vger.kernel.org # v2.6+
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
+@@ -520,12 +520,13 @@ static int hdcs_init(struct sd *sd)
+ static int hdcs_dump(struct sd *sd)
+ {
+       u16 reg, val;
++      int err = 0;
+       pr_info("Dumping sensor registers:\n");
+-      for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH; reg++) {
+-              stv06xx_read_sensor(sd, reg, &val);
++      for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH && !err; reg++) {
++              err = stv06xx_read_sensor(sd, reg, &val);
+               pr_info("reg 0x%02x = 0x%02x\n", reg, val);
+       }
+-      return 0;
++      return (err < 0) ? err : 0;
+ }
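Review bot: In hdcs_dump() the `pr_info("reg 0x%02x = 0x%02x\n", reg, val);` still runs after a failed `stv06xx_read_sensor()`, and `val` is declared without an initialiser, so a failure on the first register logs an uninitialised stack value and a later failure logs the previous register's value under the wrong address. Adding `if (err < 0) break;` between the read and the `pr_info()` avoids both. The loop condition `!err` also stops on a positive return, while `return (err < 0) ? err : 0;` treats it as success; testing `err < 0` in both places would be consistent.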
diff --git a/queue-6.12/media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch b/queue-6.12/media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch
new file mode 100644 (file)
index 0000000..4c7e483
--- /dev/null
@@ -0,0 +1,39 @@
+From ef205273132bdc9bcfa1540eef8105475a453300 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Date: Mon, 3 Mar 2025 21:32:05 +0530
+Subject: media: i2c: ds90ub913: Fix returned fmt from .set_fmt()
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+commit ef205273132bdc9bcfa1540eef8105475a453300 upstream.
+
+When setting the sink pad's stream format, set_fmt accidentally changes
+the returned format's code to 'outcode', while the purpose is to only
+use the 'outcode' for the propagated source stream format.
+
+Fixes: c158d0d4ff15 ("media: i2c: add DS90UB913 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Jai Luthra <jai.luthra@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ds90ub913.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ds90ub913.c
++++ b/drivers/media/i2c/ds90ub913.c
+@@ -450,10 +450,10 @@ static int ub913_set_fmt(struct v4l2_sub
+       if (!fmt)
+               return -EINVAL;
+-      format->format.code = finfo->outcode;
+-
+       *fmt = format->format;
++      fmt->code = finfo->outcode;
++
+       return 0;
+ }
diff --git a/queue-6.12/media-i2c-imx335-fix-frame-size-enumeration.patch b/queue-6.12/media-i2c-imx335-fix-frame-size-enumeration.patch
new file mode 100644 (file)
index 0000000..10df241
--- /dev/null
@@ -0,0 +1,43 @@
+From b240df2913d396638033b86af0f0ff76aa1aafc8 Mon Sep 17 00:00:00 2001
+From: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Date: Wed, 30 Apr 2025 08:36:49 +0100
+Subject: media: i2c: imx335: Fix frame size enumeration
+
+From: Kieran Bingham <kieran.bingham@ideasonboard.com>
+
+commit b240df2913d396638033b86af0f0ff76aa1aafc8 upstream.
+
+In commit cfa49ff0558a ("media: i2c: imx335: Support 2592x1940 10-bit
+mode") the IMX335 driver was extended to support multiple output
+bitdepth modes.
+
+This incorrectly extended the frame size enumeration to check against
+the supported mbus_codes array instead of the supported mode/frame
+array. This has the unwanted side effect of reporting the currently
+supported frame size 2592x1944 three times.
+
+Fix the check accordingly to report a frame size for each supported
+size, which is presently only a single entry.
+
+Fixes: cfa49ff0558a ("media: i2c: imx335: Support 2592x1940 10-bit mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx335.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/imx335.c
++++ b/drivers/media/i2c/imx335.c
+@@ -660,7 +660,8 @@ static int imx335_enum_frame_size(struct
+       struct imx335 *imx335 = to_imx335(sd);
+       u32 code;
+-      if (fsize->index > ARRAY_SIZE(imx335_mbus_codes))
++      /* Only a single supported_mode available. */
++      if (fsize->index > 0)
+               return -EINVAL;
+       code = imx335_get_format_code(imx335, fsize->code);
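Review bot: The bound on the caller-supplied `fsize->index` is now the literal `0`, linked to the mode table only by the comment, so adding a second mode later would silently leave it unenumerable. The comment should say that the check must change with the table, for example `/* Only a single supported_mode available; update this bound when more modes are added. */`. The remainder of imx335_enum_frame_size(), including how `code` is validated, lies outside the hunk.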
diff --git a/queue-6.12/media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch b/queue-6.12/media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch
new file mode 100644 (file)
index 0000000..ddfd864
--- /dev/null
@@ -0,0 +1,53 @@
+From 609ba05b9484856b08869f827a6edee51d51b5f3 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Wed, 26 Feb 2025 20:49:22 +0800
+Subject: media: imagination: fix a potential memory leak in e5010_probe()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 609ba05b9484856b08869f827a6edee51d51b5f3 upstream.
+
+Add video_device_release() to release the memory allocated by
+video_device_alloc() if something goes wrong.
+
+Fixes: a1e294045885 ("media: imagination: Add E5010 JPEG Encoder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/imagination/e5010-jpeg-enc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/imagination/e5010-jpeg-enc.c b/drivers/media/platform/imagination/e5010-jpeg-enc.c
+index c194f830577f..ae868d9f73e1 100644
+--- a/drivers/media/platform/imagination/e5010-jpeg-enc.c
++++ b/drivers/media/platform/imagination/e5010-jpeg-enc.c
+@@ -1057,8 +1057,11 @@ static int e5010_probe(struct platform_device *pdev)
+       e5010->vdev->lock = &e5010->mutex;
+       ret = v4l2_device_register(dev, &e5010->v4l2_dev);
+-      if (ret)
+-              return dev_err_probe(dev, ret, "failed to register v4l2 device\n");
++      if (ret) {
++              dev_err_probe(dev, ret, "failed to register v4l2 device\n");
++              goto fail_after_video_device_alloc;
++      }
++
+       e5010->m2m_dev = v4l2_m2m_init(&e5010_m2m_ops);
+       if (IS_ERR(e5010->m2m_dev)) {
+@@ -1118,6 +1121,8 @@ static int e5010_probe(struct platform_device *pdev)
+       v4l2_m2m_release(e5010->m2m_dev);
+ fail_after_v4l2_register:
+       v4l2_device_unregister(&e5010->v4l2_dev);
++fail_after_video_device_alloc:
++      video_device_release(e5010->vdev);
+       return ret;
+ }
+-- 
+2.50.0
+
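Review bot: The new label fail_after_video_device_alloc sits at the bottom of the unwind chain, so every earlier error label in e5010_probe() now falls through into `video_device_release(e5010->vdev)`, not only the v4l2_device_register() failure this commit targets. That is correct only if none of those paths has already given up ownership of vdev, for example by unregistering a video device that had been registered successfully and has a release callback set. The labels above v4l2_m2m_release() are outside the hunk, so this needs checking against the full function to rule out a double free. If such a path exists, setting `e5010->vdev = NULL;` after the unregister would make the final release harmless.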
diff --git a/queue-6.12/media-imx-jpeg-cleanup-after-an-allocation-error.patch b/queue-6.12/media-imx-jpeg-cleanup-after-an-allocation-error.patch
new file mode 100644 (file)
index 0000000..10a8c01
--- /dev/null
@@ -0,0 +1,35 @@
+From 7500bb9cf164edbb2c8117d57620227b1a4a8369 Mon Sep 17 00:00:00 2001
+From: Ming Qian <ming.qian@oss.nxp.com>
+Date: Mon, 21 Apr 2025 16:12:54 +0800
+Subject: media: imx-jpeg: Cleanup after an allocation error
+
+From: Ming Qian <ming.qian@oss.nxp.com>
+
+commit 7500bb9cf164edbb2c8117d57620227b1a4a8369 upstream.
+
+When allocation failures are not cleaned up by the driver, further
+allocation errors will be false-positives, which will cause buffers to
+remain uninitialized and cause NULL pointer dereferences.
+Ensure proper cleanup of failed allocations to prevent these issues.
+
+Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -820,6 +820,7 @@ skip_alloc:
+       return true;
+ err:
+       dev_err(jpeg->dev, "Could not allocate descriptors for slot %d", jpeg->slot_data.slot);
++      mxc_jpeg_free_slot_data(jpeg);
+       return false;
+ }
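Review bot: The added `mxc_jpeg_free_slot_data(jpeg);` in the err path runs on a partially allocated slot, so it is asked to free members that may never have been allocated or that a previous call already freed. That is safe only if the free routine tolerates unset members and resets them afterwards, which is what the separate "Reset slot data pointers when freed" patch in this queue adds; the "Move mxc_jpeg_free_slot_data() ahead" patch is needed as well for the call to see the definition. The three should be applied together and in that order, which the queue's series file (not visible here) has to guarantee. A comment at the call such as `/* safe on partial allocation: free_slot_data() resets pointers and handles */` would keep the dependency visible. The function body starts outside the hunk.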
diff --git a/queue-6.12/media-imx-jpeg-drop-the-first-error-frames.patch b/queue-6.12/media-imx-jpeg-drop-the-first-error-frames.patch
new file mode 100644 (file)
index 0000000..6803792
--- /dev/null
@@ -0,0 +1,54 @@
+From d52b9b7e2f10d22a49468128540533e8d76910cd Mon Sep 17 00:00:00 2001
+From: Ming Qian <ming.qian@oss.nxp.com>
+Date: Mon, 21 Apr 2025 15:06:12 +0800
+Subject: media: imx-jpeg: Drop the first error frames
+
+From: Ming Qian <ming.qian@oss.nxp.com>
+
+commit d52b9b7e2f10d22a49468128540533e8d76910cd upstream.
+
+When an output buffer contains error frame header,
+v4l2_jpeg_parse_header() will return error, then driver will mark this
+buffer and a capture buffer done with error flag in device_run().
+
+But if the error occurs in the first frames, before setup the capture
+queue, there is no chance to schedule device_run(), and there may be no
+capture to mark error.
+
+So we need to drop this buffer with error flag, and make the decoding
+can continue.
+
+Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -1918,9 +1918,19 @@ static void mxc_jpeg_buf_queue(struct vb
+       jpeg_src_buf = vb2_to_mxc_buf(vb);
+       jpeg_src_buf->jpeg_parse_error = false;
+       ret = mxc_jpeg_parse(ctx, vb);
+-      if (ret)
++      if (ret) {
+               jpeg_src_buf->jpeg_parse_error = true;
++              /*
++               * if the capture queue is not setup, the device_run() won't be scheduled,
++               * need to drop the error buffer, so that the decoding can continue
++               */
++              if (!vb2_is_streaming(v4l2_m2m_get_dst_vq(ctx->fh.m2m_ctx))) {
++                      v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
++                      return;
++              }
++      }
++
+ end:
+       v4l2_m2m_buf_queue(ctx->fh.m2m_ctx, vbuf);
+ }
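Review bot: The early `return` in the new branch of mxc_jpeg_buf_queue() completes the source buffer directly and skips the `end:` label, so the buffer never reaches v4l2_m2m_buf_queue(); the comment should say that explicitly, because the bitstream that triggers this path is supplied by userspace. I would reword it to `/* Capture queue not streaming: device_run() will not be scheduled for this buffer, so complete it with an error here instead of queuing it. */`. The capture queue state is read once at queue time, and whether a STREAMON on the capture queue can interleave with this check depends on locking that is outside the hunk, so that is worth confirming. The function starts outside the hunk.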
diff --git a/queue-6.12/media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch b/queue-6.12/media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch
new file mode 100644 (file)
index 0000000..bccbea4
--- /dev/null
@@ -0,0 +1,81 @@
+From 46e9c092f850bd7b4d06de92d3d21877f49a3fcb Mon Sep 17 00:00:00 2001
+From: Ming Qian <ming.qian@oss.nxp.com>
+Date: Mon, 21 Apr 2025 16:12:52 +0800
+Subject: media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead
+
+From: Ming Qian <ming.qian@oss.nxp.com>
+
+commit 46e9c092f850bd7b4d06de92d3d21877f49a3fcb upstream.
+
+Move function mxc_jpeg_free_slot_data() above mxc_jpeg_alloc_slot_data()
+allowing to call that function during allocation failures.
+No functional changes are made.
+
+Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c |   40 ++++++++++++-------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -752,6 +752,26 @@ static int mxc_get_free_slot(struct mxc_
+       return -1;
+ }
++static void mxc_jpeg_free_slot_data(struct mxc_jpeg_dev *jpeg)
++{
++      /* free descriptor for decoding/encoding phase */
++      dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
++                        jpeg->slot_data.desc,
++                        jpeg->slot_data.desc_handle);
++
++      /* free descriptor for encoder configuration phase / decoder DHT */
++      dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
++                        jpeg->slot_data.cfg_desc,
++                        jpeg->slot_data.cfg_desc_handle);
++
++      /* free configuration stream */
++      dma_free_coherent(jpeg->dev, MXC_JPEG_MAX_CFG_STREAM,
++                        jpeg->slot_data.cfg_stream_vaddr,
++                        jpeg->slot_data.cfg_stream_handle);
++
++      jpeg->slot_data.used = false;
++}
++
+ static bool mxc_jpeg_alloc_slot_data(struct mxc_jpeg_dev *jpeg)
+ {
+       struct mxc_jpeg_desc *desc;
+@@ -798,26 +818,6 @@ err:
+       return false;
+ }
+-static void mxc_jpeg_free_slot_data(struct mxc_jpeg_dev *jpeg)
+-{
+-      /* free descriptor for decoding/encoding phase */
+-      dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
+-                        jpeg->slot_data.desc,
+-                        jpeg->slot_data.desc_handle);
+-
+-      /* free descriptor for encoder configuration phase / decoder DHT */
+-      dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
+-                        jpeg->slot_data.cfg_desc,
+-                        jpeg->slot_data.cfg_desc_handle);
+-
+-      /* free configuration stream */
+-      dma_free_coherent(jpeg->dev, MXC_JPEG_MAX_CFG_STREAM,
+-                        jpeg->slot_data.cfg_stream_vaddr,
+-                        jpeg->slot_data.cfg_stream_handle);
+-
+-      jpeg->slot_data.used = false;
+-}
+-
+ static void mxc_jpeg_check_and_set_last_buffer(struct mxc_jpeg_ctx *ctx,
+                                              struct vb2_v4l2_buffer *src_buf,
+                                              struct vb2_v4l2_buffer *dst_buf)
diff --git a/queue-6.12/media-imx-jpeg-reset-slot-data-pointers-when-freed.patch b/queue-6.12/media-imx-jpeg-reset-slot-data-pointers-when-freed.patch
new file mode 100644 (file)
index 0000000..78e328e
--- /dev/null
@@ -0,0 +1,51 @@
+From faa8051b128f4b34277ea8a026d02d83826f8122 Mon Sep 17 00:00:00 2001
+From: Ming Qian <ming.qian@oss.nxp.com>
+Date: Mon, 21 Apr 2025 16:12:53 +0800
+Subject: media: imx-jpeg: Reset slot data pointers when freed
+
+From: Ming Qian <ming.qian@oss.nxp.com>
+
+commit faa8051b128f4b34277ea8a026d02d83826f8122 upstream.
+
+Ensure that the slot data pointers are reset to NULL and handles are
+set to 0 after freeing the coherent memory. This makes he function
+mxc_jpeg_alloc_slot_data() and mxc_jpeg_free_slot_data() safe to be
+called multiple times.
+
+Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -758,16 +758,22 @@ static void mxc_jpeg_free_slot_data(stru
+       dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
+                         jpeg->slot_data.desc,
+                         jpeg->slot_data.desc_handle);
++      jpeg->slot_data.desc = NULL;
++      jpeg->slot_data.desc_handle = 0;
+       /* free descriptor for encoder configuration phase / decoder DHT */
+       dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc),
+                         jpeg->slot_data.cfg_desc,
+                         jpeg->slot_data.cfg_desc_handle);
++      jpeg->slot_data.cfg_desc_handle = 0;
++      jpeg->slot_data.cfg_desc = NULL;
+       /* free configuration stream */
+       dma_free_coherent(jpeg->dev, MXC_JPEG_MAX_CFG_STREAM,
+                         jpeg->slot_data.cfg_stream_vaddr,
+                         jpeg->slot_data.cfg_stream_handle);
++      jpeg->slot_data.cfg_stream_vaddr = NULL;
++      jpeg->slot_data.cfg_stream_handle = 0;
+       jpeg->slot_data.used = false;
+ }
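Review bot: The repeat-call safety this change claims for mxc_jpeg_free_slot_data() rests on dma_free_coherent() doing nothing when handed a NULL CPU address, and nothing in the function says so. As far as I can tell the DMA API does return early in that case, but a reader auditing the error paths for a double free should not have to look it up; I would add `/* dma_free_coherent() ignores a NULL cpu address, so calling this twice is a no-op */` above the first call. The cfg_desc pair is also reset handle-first (`cfg_desc_handle = 0;` then `cfg_desc = NULL;`) while the other two are reset pointer-first; using one order for all three would make a missed reset easier to spot. The start of the function is outside the hunk.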
diff --git a/queue-6.12/media-imx335-use-correct-register-width-for-hnum.patch b/queue-6.12/media-imx335-use-correct-register-width-for-hnum.patch
new file mode 100644 (file)
index 0000000..093cc95
--- /dev/null
@@ -0,0 +1,39 @@
+From b122c9cfcb39c8ef520d50eddfbe15f3e6551a50 Mon Sep 17 00:00:00 2001
+From: Umang Jain <umang.jain@ideasonboard.com>
+Date: Tue, 22 Apr 2025 13:20:52 +0100
+Subject: media: imx335: Use correct register width for HNUM
+
+From: Umang Jain <umang.jain@ideasonboard.com>
+
+commit b122c9cfcb39c8ef520d50eddfbe15f3e6551a50 upstream.
+
+CCI_REG_HNUM should be using CCI_REG16_LE() instead of CCI_REG8()
+as HNUM spans from 0x302e[0:7] to 0x302f[0:3].
+
+Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
+Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Fixes: 8f0926dba799 ("media: imx335: Use V4L2 CCI for accessing sensor registers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx335.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/imx335.c b/drivers/media/i2c/imx335.c
+index 0beb80b8c458..d400a019f6b3 100644
+--- a/drivers/media/i2c/imx335.c
++++ b/drivers/media/i2c/imx335.c
+@@ -31,7 +31,7 @@
+ #define IMX335_REG_CPWAIT_TIME                CCI_REG8(0x300d)
+ #define IMX335_REG_WINMODE            CCI_REG8(0x3018)
+ #define IMX335_REG_HTRIMMING_START    CCI_REG16_LE(0x302c)
+-#define IMX335_REG_HNUM                       CCI_REG8(0x302e)
++#define IMX335_REG_HNUM                       CCI_REG16_LE(0x302e)
+ /* Lines per frame */
+ #define IMX335_REG_VMAX                       CCI_REG24_LE(0x3030)
+-- 
+2.50.0
+
diff --git a/queue-6.12/media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch b/queue-6.12/media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch
new file mode 100644 (file)
index 0000000..a49a636
--- /dev/null
@@ -0,0 +1,51 @@
+From 0209916ebe2475079ce6d8dc4114afbc0ccad1c2 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Date: Thu, 10 Apr 2025 11:47:06 +0200
+Subject: media: intel/ipu6: Fix dma mask for non-secure mode
+
+From: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+
+commit 0209916ebe2475079ce6d8dc4114afbc0ccad1c2 upstream.
+
+We use dma_get_mask() of auxdev device for calculate iova pfn limit.
+This is always 32 bit mask as we do not initialize the mask (and we can
+not do so, since dev->dev_mask is NULL anyways for auxdev).
+
+Since we need 31 bit mask for non-secure mode use mmu_info->aperture_end
+which is properly initialized to correct mask for both modes.
+
+Fixes: daabc5c64703 ("media: ipu6: not override the dma_ops of device in driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/intel/ipu6/ipu6-dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/pci/intel/ipu6/ipu6-dma.c b/drivers/media/pci/intel/ipu6/ipu6-dma.c
+index 1ca60ca79dba..7296373d36b0 100644
+--- a/drivers/media/pci/intel/ipu6/ipu6-dma.c
++++ b/drivers/media/pci/intel/ipu6/ipu6-dma.c
+@@ -172,7 +172,7 @@ void *ipu6_dma_alloc(struct ipu6_bus_device *sys, size_t size,
+       count = PHYS_PFN(size);
+       iova = alloc_iova(&mmu->dmap->iovad, count,
+-                        PHYS_PFN(dma_get_mask(dev)), 0);
++                        PHYS_PFN(mmu->dmap->mmu_info->aperture_end), 0);
+       if (!iova)
+               goto out_kfree;
+@@ -398,7 +398,7 @@ int ipu6_dma_map_sg(struct ipu6_bus_device *sys, struct scatterlist *sglist,
+               nents, npages);
+       iova = alloc_iova(&mmu->dmap->iovad, npages,
+-                        PHYS_PFN(dma_get_mask(dev)), 0);
++                        PHYS_PFN(mmu->dmap->mmu_info->aperture_end), 0);
+       if (!iova)
+               return 0;
+-- 
+2.50.0
+
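Review bot: The IOVA ceiling `PHYS_PFN(mmu->dmap->mmu_info->aperture_end)` is now written out twice, in ipu6_dma_alloc() and in ipu6_dma_map_sg(), and it is the value that keeps allocations inside the range permitted for non-secure mode. A small static helper, for example `ipu6_dma_limit_pfn(mmu)` (the name is only a suggestion), would keep the two call sites from diverging if the limit changes again. Neither hunk shows mmu_info being checked before it is dereferenced, so it is worth confirming against the initialisation code that it is always set by the time these functions run and that aperture_end is an inclusive mask rather than a size. Both function bodies extend beyond the hunks.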
diff --git a/queue-6.12/media-ipu6-remove-workaround-for-meteor-lake-es2.patch b/queue-6.12/media-ipu6-remove-workaround-for-meteor-lake-es2.patch
new file mode 100644 (file)
index 0000000..a014faf
--- /dev/null
@@ -0,0 +1,42 @@
+From d471fb06b21ae54bf76464731ae1dcb26ef1ca68 Mon Sep 17 00:00:00 2001
+From: Hao Yao <hao.yao@intel.com>
+Date: Tue, 11 Mar 2025 16:41:55 +0800
+Subject: media: ipu6: Remove workaround for Meteor Lake ES2
+
+From: Hao Yao <hao.yao@intel.com>
+
+commit d471fb06b21ae54bf76464731ae1dcb26ef1ca68 upstream.
+
+There was a hardware bug which need IPU6 driver to disable the ATS. This
+workaround is not needed anymore as the bug was fixed in hardware level.
+
+Additionally, Arrow Lake has the same IPU6 PCI ID and x86 stepping but
+does not have the bug. Removing the Meteor Lake workaround is also
+required for the driver to function on Arrow Lake.
+
+Signed-off-by: Hao Yao <hao.yao@intel.com>
+Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Fixes: 25fedc021985 ("media: intel/ipu6: add Intel IPU6 PCI device driver")
+Cc: stable@vger.kernel.org
+[Sakari Ailus: Added tags and explanation of what is fixed.]
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/intel/ipu6/ipu6.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/media/pci/intel/ipu6/ipu6.c
++++ b/drivers/media/pci/intel/ipu6/ipu6.c
+@@ -463,11 +463,6 @@ static int ipu6_pci_config_setup(struct
+ {
+       int ret;
+-      /* disable IPU6 PCI ATS on mtl ES2 */
+-      if (is_ipu6ep_mtl(hw_ver) && boot_cpu_data.x86_stepping == 0x2 &&
+-          pci_ats_supported(dev))
+-              pci_disable_ats(dev);
+-
+       /* No PCI msi capability for IPU6EP */
+       if (is_ipu6ep(hw_ver) || is_ipu6ep_mtl(hw_ver)) {
+               /* likely do nothing as msi not enabled by default */
diff --git a/queue-6.12/media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch b/queue-6.12/media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch
new file mode 100644 (file)
index 0000000..22ff038
--- /dev/null
@@ -0,0 +1,37 @@
+From f19035b86382f635a0d13d177b601babaf263a12 Mon Sep 17 00:00:00 2001
+From: Fei Shao <fshao@chromium.org>
+Date: Fri, 14 Mar 2025 15:56:17 +0800
+Subject: media: mediatek: vcodec: Correct vsi_core framebuffer size
+
+From: Fei Shao <fshao@chromium.org>
+
+commit f19035b86382f635a0d13d177b601babaf263a12 upstream.
+
+The framebuffer size for decoder instances was being incorrectly set -
+inst->vsi_core->fb.y.size was assigned twice consecutively.
+
+Assign the second picinfo framebuffer size to the C framebuffer instead,
+which appears to be the intended target based on the surrounding code.
+
+Fixes: 2674486aac7d ("media: mediatek: vcodec: support stateless hevc decoder")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fei Shao <fshao@chromium.org>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c
++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c
+@@ -821,7 +821,7 @@ static int vdec_hevc_slice_setup_core_bu
+       inst->vsi_core->fb.y.dma_addr = y_fb_dma;
+       inst->vsi_core->fb.y.size = ctx->picinfo.fb_sz[0];
+       inst->vsi_core->fb.c.dma_addr = c_fb_dma;
+-      inst->vsi_core->fb.y.size = ctx->picinfo.fb_sz[1];
++      inst->vsi_core->fb.c.size = ctx->picinfo.fb_sz[1];
+       inst->vsi_core->dec.vdec_fb_va = (unsigned long)fb;
diff --git a/queue-6.12/media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch b/queue-6.12/media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch
new file mode 100644 (file)
index 0000000..918be4a
--- /dev/null
@@ -0,0 +1,95 @@
+From 910efa649076be9c2e1326059830327cf4228cf6 Mon Sep 17 00:00:00 2001
+From: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+Date: Wed, 23 Oct 2024 11:56:43 +0300
+Subject: media: nxp: imx8-isi: better handle the m2m usage_count
+
+From: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+
+commit 910efa649076be9c2e1326059830327cf4228cf6 upstream.
+
+Currently, if streamon/streamoff calls are imbalanced we can either end up
+with a negative ISI m2m usage_count (if streamoff() is called more times
+than streamon()) in which case we'll not be able to restart the ISI pipe
+next time, or the usage_count never gets to 0 and the pipe is never
+switched off.
+
+To avoid that, add a 'streaming' flag to mxc_isi_m2m_ctx_queue_data and use it
+in the streamon/streamoff to avoid incrementing/decrementing the usage_count
+uselessly, if called multiple times from the same context.
+
+Fixes: cf21f328fcafac ("media: nxp: Add i.MX8 ISI driver")
+Cc: stable@vger.kernel.org
+Suggested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20241023085643.978729-1-laurentiu.palcu@oss.nxp.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c
++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c
+@@ -43,6 +43,7 @@ struct mxc_isi_m2m_ctx_queue_data {
+       struct v4l2_pix_format_mplane format;
+       const struct mxc_isi_format_info *info;
+       u32 sequence;
++      bool streaming;
+ };
+ struct mxc_isi_m2m_ctx {
+@@ -486,15 +487,18 @@ static int mxc_isi_m2m_streamon(struct f
+                               enum v4l2_buf_type type)
+ {
+       struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(fh);
++      struct mxc_isi_m2m_ctx_queue_data *q = mxc_isi_m2m_ctx_qdata(ctx, type);
+       const struct v4l2_pix_format_mplane *out_pix = &ctx->queues.out.format;
+       const struct v4l2_pix_format_mplane *cap_pix = &ctx->queues.cap.format;
+       const struct mxc_isi_format_info *cap_info = ctx->queues.cap.info;
+       const struct mxc_isi_format_info *out_info = ctx->queues.out.info;
+       struct mxc_isi_m2m *m2m = ctx->m2m;
+       bool bypass;
+-
+       int ret;
++      if (q->streaming)
++              return 0;
++
+       mutex_lock(&m2m->lock);
+       if (m2m->usage_count == INT_MAX) {
+@@ -547,6 +551,8 @@ static int mxc_isi_m2m_streamon(struct f
+               goto unchain;
+       }
++      q->streaming = true;
++
+       return 0;
+ unchain:
+@@ -569,10 +575,14 @@ static int mxc_isi_m2m_streamoff(struct
+                                enum v4l2_buf_type type)
+ {
+       struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(fh);
++      struct mxc_isi_m2m_ctx_queue_data *q = mxc_isi_m2m_ctx_qdata(ctx, type);
+       struct mxc_isi_m2m *m2m = ctx->m2m;
+       v4l2_m2m_ioctl_streamoff(file, fh, type);
++      if (!q->streaming)
++              return 0;
++
+       mutex_lock(&m2m->lock);
+       /*
+@@ -598,6 +608,8 @@ static int mxc_isi_m2m_streamoff(struct
+       mutex_unlock(&m2m->lock);
++      q->streaming = false;
++
+       return 0;
+ }
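Review bot: `q->streaming` is tested before `mutex_lock(&m2m->lock)` in both mxc_isi_m2m_streamon() and mxc_isi_m2m_streamoff(), and in streamoff it is cleared after `mutex_unlock(&m2m->lock)`, so the flag and usage_count are not updated as one step under the lock. If nothing outside these hunks serialises STREAMON/STREAMOFF on the same context, two callers can both pass the check and the counter drifts again, which is the imbalance the commit sets out to remove. I would move the test and the assignment inside the locked region, e.g. `q->streaming = false;` placed just before `mutex_unlock(&m2m->lock);`, or add a comment naming the lock that already serialises these ioctls. In streamoff the flag is also cleared regardless of what `v4l2_m2m_ioctl_streamoff()` returned, since its result is discarded in the context line above the new check. Both functions extend beyond the hunks.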
diff --git a/queue-6.12/media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch b/queue-6.12/media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch
new file mode 100644 (file)
index 0000000..72e57ea
--- /dev/null
@@ -0,0 +1,72 @@
+From 3de572fe2189a4a0bd80295e1f478401e739498e Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 7 May 2025 18:09:13 +0200
+Subject: media: omap3isp: use sgtable-based scatterlist wrappers
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit 3de572fe2189a4a0bd80295e1f478401e739498e upstream.
+
+Use common wrappers operating directly on the struct sg_table objects to
+fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
+functions have to be called with the number of elements originally passed
+to dma_map_sg_*() function, not the one returned in sgtable's nents.
+
+Fixes: d33186d0be18 ("[media] omap3isp: ccdc: Use the DMA API for LSC")
+Fixes: 0e24e90f2ca7 ("[media] omap3isp: stat: Use the DMA API")
+CC: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/ti/omap3isp/ispccdc.c |    8 ++++----
+ drivers/media/platform/ti/omap3isp/ispstat.c |    6 ++----
+ 2 files changed, 6 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/platform/ti/omap3isp/ispccdc.c
++++ b/drivers/media/platform/ti/omap3isp/ispccdc.c
+@@ -446,8 +446,8 @@ static int ccdc_lsc_config(struct isp_cc
+               if (ret < 0)
+                       goto done;
+-              dma_sync_sg_for_cpu(isp->dev, req->table.sgt.sgl,
+-                                  req->table.sgt.nents, DMA_TO_DEVICE);
++              dma_sync_sgtable_for_cpu(isp->dev, &req->table.sgt,
++                                       DMA_TO_DEVICE);
+               if (copy_from_user(req->table.addr, config->lsc,
+                                  req->config.size)) {
+@@ -455,8 +455,8 @@ static int ccdc_lsc_config(struct isp_cc
+                       goto done;
+               }
+-              dma_sync_sg_for_device(isp->dev, req->table.sgt.sgl,
+-                                     req->table.sgt.nents, DMA_TO_DEVICE);
++              dma_sync_sgtable_for_device(isp->dev, &req->table.sgt,
++                                          DMA_TO_DEVICE);
+       }
+       spin_lock_irqsave(&ccdc->lsc.req_lock, flags);
+--- a/drivers/media/platform/ti/omap3isp/ispstat.c
++++ b/drivers/media/platform/ti/omap3isp/ispstat.c
+@@ -161,8 +161,7 @@ static void isp_stat_buf_sync_for_device
+       if (ISP_STAT_USES_DMAENGINE(stat))
+               return;
+-      dma_sync_sg_for_device(stat->isp->dev, buf->sgt.sgl,
+-                             buf->sgt.nents, DMA_FROM_DEVICE);
++      dma_sync_sgtable_for_device(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE);
+ }
+ static void isp_stat_buf_sync_for_cpu(struct ispstat *stat,
+@@ -171,8 +170,7 @@ static void isp_stat_buf_sync_for_cpu(st
+       if (ISP_STAT_USES_DMAENGINE(stat))
+               return;
+-      dma_sync_sg_for_cpu(stat->isp->dev, buf->sgt.sgl,
+-                          buf->sgt.nents, DMA_FROM_DEVICE);
++      dma_sync_sgtable_for_cpu(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE);
+ }
+ static void isp_stat_buf_clear(struct ispstat *stat)
diff --git a/queue-6.12/media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch b/queue-6.12/media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch
new file mode 100644 (file)
index 0000000..0d3cca9
--- /dev/null
@@ -0,0 +1,45 @@
+From 81cf4f46a03a07b0b86f9d677c34ba782df7d65e Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 24 Mar 2025 14:01:09 +0100
+Subject: media: ov2740: Move pm-runtime cleanup on probe-errors to proper place
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 81cf4f46a03a07b0b86f9d677c34ba782df7d65e upstream.
+
+When v4l2_subdev_init_finalize() fails no changes have been made to
+the runtime-pm device state yet, so the probe_error_media_entity_cleanup
+rollback path should not touch the runtime-pm device state.
+
+Instead this should be done from the probe_error_v4l2_subdev_cleanup
+rollback path. Note the pm_runtime_xxx() calls are put above
+the v4l2_subdev_cleanup() call to have the reverse call order of probe().
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Fixes: 289c25923ecd ("media: ov2740: Use sub-device active state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov2740.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ov2740.c
++++ b/drivers/media/i2c/ov2740.c
+@@ -1404,12 +1404,12 @@ static int ov2740_probe(struct i2c_clien
+       return 0;
+ probe_error_v4l2_subdev_cleanup:
++      pm_runtime_disable(&client->dev);
++      pm_runtime_set_suspended(&client->dev);
+       v4l2_subdev_cleanup(&ov2740->sd);
+ probe_error_media_entity_cleanup:
+       media_entity_cleanup(&ov2740->sd.entity);
+-      pm_runtime_disable(&client->dev);
+-      pm_runtime_set_suspended(&client->dev);
+ probe_error_v4l2_ctrl_handler_free:
+       v4l2_ctrl_handler_free(ov2740->sd.ctrl_handler);
diff --git a/queue-6.12/media-ov5675-suppress-probe-deferral-errors.patch b/queue-6.12/media-ov5675-suppress-probe-deferral-errors.patch
new file mode 100644 (file)
index 0000000..65d670e
--- /dev/null
@@ -0,0 +1,44 @@
+From 8268da3c474a43a79a6540fb06c5d3b730a0d5a5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 25 Apr 2025 14:52:37 +0200
+Subject: media: ov5675: suppress probe deferral errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 8268da3c474a43a79a6540fb06c5d3b730a0d5a5 upstream.
+
+Probe deferral should not be logged as an error:
+
+       ov5675 24-0010: failed to get HW configuration: -517
+
+Drop the (mostly) redundant dev_err() from sensor probe() to suppress
+it.
+
+Note that errors during clock and regulator lookup are already correctly
+logged using dev_err_probe().
+
+Fixes: 49d9ad719e89 ("media: ov5675: add device-tree support and support runtime PM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov5675.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/media/i2c/ov5675.c
++++ b/drivers/media/i2c/ov5675.c
+@@ -1295,11 +1295,8 @@ static int ov5675_probe(struct i2c_clien
+               return -ENOMEM;
+       ret = ov5675_get_hwcfg(ov5675, &client->dev);
+-      if (ret) {
+-              dev_err(&client->dev, "failed to get HW configuration: %d",
+-                      ret);
++      if (ret)
+               return ret;
+-      }
+       v4l2_i2c_subdev_init(&ov5675->sd, client, &ov5675_subdev_ops);
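Review bot: With the dev_err() removed, any ov5675_get_hwcfg() failure that the helper does not log itself now makes ov5675_probe() fail without a message; the commit text calls the removed print only "(mostly)" redundant. `return dev_err_probe(&client->dev, ret, "failed to get HW configuration\n");` would still keep -EPROBE_DEFER out of the error log while preserving a diagnostic for the remaining cases, at the cost of a second line where the helper already logs. The alternative is to check that every error return in ov5675_get_hwcfg(), which is outside this hunk, reports on its own. ov5675_probe() starts and ends outside the hunk.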
diff --git a/queue-6.12/media-ov8856-suppress-probe-deferral-errors.patch b/queue-6.12/media-ov8856-suppress-probe-deferral-errors.patch
new file mode 100644 (file)
index 0000000..eb21254
--- /dev/null
@@ -0,0 +1,55 @@
+From e3d86847fba58cf71f66e81b6a2515e07039ae17 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 25 Apr 2025 14:52:38 +0200
+Subject: media: ov8856: suppress probe deferral errors
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit e3d86847fba58cf71f66e81b6a2515e07039ae17 upstream.
+
+Probe deferral should not be logged as an error:
+
+       ov8856 24-0010: failed to get HW configuration: -517
+
+Use dev_err_probe() for the clock lookup and drop the (mostly) redundant
+dev_err() from sensor probe() to suppress it.
+
+Note that errors during regulator lookup is already correctly logged
+using dev_err_probe().
+
+Fixes: 0c2c7a1e0d69 ("media: ov8856: Add devicetree support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov8856.c |    9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/i2c/ov8856.c
++++ b/drivers/media/i2c/ov8856.c
+@@ -2276,8 +2276,8 @@ static int ov8856_get_hwcfg(struct ov885
+       if (!is_acpi_node(fwnode)) {
+               ov8856->xvclk = devm_clk_get(dev, "xvclk");
+               if (IS_ERR(ov8856->xvclk)) {
+-                      dev_err(dev, "could not get xvclk clock (%pe)\n",
+-                              ov8856->xvclk);
++                      dev_err_probe(dev, PTR_ERR(ov8856->xvclk),
++                                    "could not get xvclk clock\n");
+                       return PTR_ERR(ov8856->xvclk);
+               }
+@@ -2382,11 +2382,8 @@ static int ov8856_probe(struct i2c_clien
+               return -ENOMEM;
+       ret = ov8856_get_hwcfg(ov8856, &client->dev);
+-      if (ret) {
+-              dev_err(&client->dev, "failed to get HW configuration: %d",
+-                      ret);
++      if (ret)
+               return ret;
+-      }
+       v4l2_i2c_subdev_init(&ov8856->sd, client, &ov8856_subdev_ops);
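Review bot: In the ov8856_get_hwcfg() hunk the new code evaluates `PTR_ERR(ov8856->xvclk)` twice, once for dev_err_probe() and once for the return. dev_err_probe() returns the error it was given, so the two statements can be one: `return dev_err_probe(dev, PTR_ERR(ov8856->xvclk), "could not get xvclk clock\n");`. That also lets the braces around the `if (IS_ERR(...))` body go. This is a style point only; behaviour is unchanged.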
diff --git a/queue-6.12/media-uvcvideo-fix-deferred-probing-error.patch b/queue-6.12/media-uvcvideo-fix-deferred-probing-error.patch
new file mode 100644 (file)
index 0000000..2b362dd
--- /dev/null
@@ -0,0 +1,100 @@
+From 387e8939307192d5a852a2afeeb83427fa477151 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Thu, 13 Mar 2025 12:20:39 +0000
+Subject: media: uvcvideo: Fix deferred probing error
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 387e8939307192d5a852a2afeeb83427fa477151 upstream.
+
+uvc_gpio_parse() can return -EPROBE_DEFER when the GPIOs it depends on
+have not yet been probed. This return code should be propagated to the
+caller of uvc_probe() to ensure that probing is retried when the required
+GPIOs become available.
+
+Currently, this error code is incorrectly converted to -ENODEV,
+causing some internal cameras to be ignored.
+
+This commit fixes this issue by propagating the -EPROBE_DEFER error.
+
+Cc: stable@vger.kernel.org
+Fixes: 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT")
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250313-uvc-eprobedefer-v3-1-a1d312708eef@chromium.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c |   27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2217,13 +2217,16 @@ static int uvc_probe(struct usb_interfac
+ #endif
+       /* Parse the Video Class control descriptor. */
+-      if (uvc_parse_control(dev) < 0) {
++      ret = uvc_parse_control(dev);
++      if (ret < 0) {
++              ret = -ENODEV;
+               uvc_dbg(dev, PROBE, "Unable to parse UVC descriptors\n");
+               goto error;
+       }
+       /* Parse the associated GPIOs. */
+-      if (uvc_gpio_parse(dev) < 0) {
++      ret = uvc_gpio_parse(dev);
++      if (ret < 0) {
+               uvc_dbg(dev, PROBE, "Unable to parse UVC GPIOs\n");
+               goto error;
+       }
+@@ -2249,24 +2252,32 @@ static int uvc_probe(struct usb_interfac
+       }
+       /* Register the V4L2 device. */
+-      if (v4l2_device_register(&intf->dev, &dev->vdev) < 0)
++      ret = v4l2_device_register(&intf->dev, &dev->vdev);
++      if (ret < 0)
+               goto error;
+       /* Scan the device for video chains. */
+-      if (uvc_scan_device(dev) < 0)
++      if (uvc_scan_device(dev) < 0) {
++              ret = -ENODEV;
+               goto error;
++      }
+       /* Initialize controls. */
+-      if (uvc_ctrl_init_device(dev) < 0)
++      if (uvc_ctrl_init_device(dev) < 0) {
++              ret = -ENODEV;
+               goto error;
++      }
+       /* Register video device nodes. */
+-      if (uvc_register_chains(dev) < 0)
++      if (uvc_register_chains(dev) < 0) {
++              ret = -ENODEV;
+               goto error;
++      }
+ #ifdef CONFIG_MEDIA_CONTROLLER
+       /* Register the media device node */
+-      if (media_device_register(&dev->mdev) < 0)
++      ret = media_device_register(&dev->mdev);
++      if (ret < 0)
+               goto error;
+ #endif
+       /* Save our data pointer in the interface data. */
+@@ -2300,7 +2311,7 @@ static int uvc_probe(struct usb_interfac
+ error:
+       uvc_unregister_video(dev);
+       kref_put(&dev->ref, uvc_delete);
+-      return -ENODEV;
++      return ret;
+ }
+ static void uvc_disconnect(struct usb_interface *intf)
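Review bot: The `error:` label now returns whatever `ret` holds, so every `goto error` in uvc_probe() must set `ret` first, and the stretch between the two middle hunks is not shown. Any jump there that leaves `ret` unset would return a stale or zero value and report a failed probe as success. The visible paths also mix propagated codes (uvc_gpio_parse(), v4l2_device_register(), media_device_register()) with a forced -ENODEV (uvc_parse_control(), uvc_scan_device(), uvc_ctrl_init_device(), uvc_register_chains()) without saying why. A comment at the label would record the rule, for example `/* ret: -ENODEV for descriptor/chain failures, otherwise the callee's code (e.g. -EPROBE_DEFER) so the core can retry */`.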
diff --git a/queue-6.12/media-uvcvideo-return-the-number-of-processed-controls.patch b/queue-6.12/media-uvcvideo-return-the-number-of-processed-controls.patch
new file mode 100644 (file)
index 0000000..772b9ad
--- /dev/null
@@ -0,0 +1,71 @@
+From ba4fafb02ad6a4eb2e00f861893b5db42ba54369 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 10:34:53 +0000
+Subject: media: uvcvideo: Return the number of processed controls
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit ba4fafb02ad6a4eb2e00f861893b5db42ba54369 upstream.
+
+If we let know our callers that we have not done anything, they will be
+able to optimize their decisions.
+
+Cc: stable@kernel.org
+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250224-uvc-data-backup-v2-1-de993ed9823b@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1830,12 +1830,17 @@ int uvc_ctrl_begin(struct uvc_video_chai
+       return mutex_lock_interruptible(&chain->ctrl_mutex) ? -ERESTARTSYS : 0;
+ }
++/*
++ * Returns the number of uvc controls that have been correctly set, or a
++ * negative number if there has been an error.
++ */
+ static int uvc_ctrl_commit_entity(struct uvc_device *dev,
+                                 struct uvc_fh *handle,
+                                 struct uvc_entity *entity,
+                                 int rollback,
+                                 struct uvc_control **err_ctrl)
+ {
++      unsigned int processed_ctrls = 0;
+       struct uvc_control *ctrl;
+       unsigned int i;
+       int ret;
+@@ -1870,6 +1875,9 @@ static int uvc_ctrl_commit_entity(struct
+               else
+                       ret = 0;
++              if (!ret)
++                      processed_ctrls++;
++
+               if (rollback || ret < 0)
+                       memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+                              uvc_ctrl_data(ctrl, UVC_CTRL_DATA_BACKUP),
+@@ -1888,7 +1896,7 @@ static int uvc_ctrl_commit_entity(struct
+                       uvc_ctrl_set_handle(handle, ctrl, handle);
+       }
+-      return 0;
++      return processed_ctrls;
+ }
+ static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity,
+@@ -1935,6 +1943,7 @@ int __uvc_ctrl_commit(struct uvc_fh *han
+       if (!rollback)
+               uvc_ctrl_send_events(handle, ctrls->controls, ctrls->count);
++      ret = 0;
+ done:
+       mutex_unlock(&chain->ctrl_mutex);
+       return ret;
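Review bot: The new header comment on uvc_ctrl_commit_entity() says the count is of controls "correctly set", but the counter is bumped whenever `ret` is 0, and the visible `else ret = 0;` branch reaches that without a device write. The `if` that branch belongs to is outside the hunk; it is presumably the rollback case. If so, a rollback call returns a positive count although nothing was set, and callers have to remember to test `!rollback` as well. Rewording the comment to "Returns the number of controls processed without error (on rollback no control is written), or a negative error code" would match the code. Declaring the counter as `int processed_ctrls = 0;` would also match the function's return type.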
diff --git a/queue-6.12/media-uvcvideo-send-control-events-for-partial-succeeds.patch b/queue-6.12/media-uvcvideo-send-control-events-for-partial-succeeds.patch
new file mode 100644 (file)
index 0000000..c3d57a9
--- /dev/null
@@ -0,0 +1,64 @@
+From 5c791467aea6277430da5f089b9b6c2a9d8a4af7 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 10:34:54 +0000
+Subject: media: uvcvideo: Send control events for partial succeeds
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 5c791467aea6277430da5f089b9b6c2a9d8a4af7 upstream.
+
+Today, when we are applying a change to entities A, B. If A succeeds and B
+fails the events for A are not sent.
+
+This change changes the code so the events for A are send right after
+they happen.
+
+Cc: stable@kernel.org
+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250224-uvc-data-backup-v2-2-de993ed9823b@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1689,7 +1689,9 @@ static bool uvc_ctrl_xctrls_has_control(
+ }
+ static void uvc_ctrl_send_events(struct uvc_fh *handle,
+-      const struct v4l2_ext_control *xctrls, unsigned int xctrls_count)
++                               struct uvc_entity *entity,
++                               const struct v4l2_ext_control *xctrls,
++                               unsigned int xctrls_count)
+ {
+       struct uvc_control_mapping *mapping;
+       struct uvc_control *ctrl;
+@@ -1700,6 +1702,9 @@ static void uvc_ctrl_send_events(struct
+               u32 changes = V4L2_EVENT_CTRL_CH_VALUE;
+               ctrl = uvc_find_control(handle->chain, xctrls[i].id, &mapping);
++              if (ctrl->entity != entity)
++                      continue;
++
+               if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
+                       /* Notification will be sent from an Interrupt event. */
+                       continue;
+@@ -1938,11 +1943,12 @@ int __uvc_ctrl_commit(struct uvc_fh *han
+                                       uvc_ctrl_find_ctrl_idx(entity, ctrls,
+                                                              err_ctrl);
+                       goto done;
++              } else if (ret > 0 && !rollback) {
++                      uvc_ctrl_send_events(handle, entity,
++                                           ctrls->controls, ctrls->count);
+               }
+       }
+-      if (!rollback)
+-              uvc_ctrl_send_events(handle, ctrls->controls, ctrls->count);
+       ret = 0;
+ done:
+       mutex_unlock(&chain->ctrl_mutex);
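Review bot: The added filter in uvc_ctrl_send_events() dereferences `ctrl` straight after uvc_find_control() with no NULL check, and `xctrls[i].id` originates from the caller's control array. The existing `ctrl->info.flags` test on the next line makes the same assumption, so the ids have presumably been validated earlier in the commit path, but that code is outside the hunk. Since this function now runs once per entity in the middle of a commit, a cheap guard is worth having: `if (!ctrl || ctrl->entity != entity) continue;`.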
diff --git a/queue-6.12/media-v4l2-dev-fix-error-handling-in-__video_register_device.patch b/queue-6.12/media-v4l2-dev-fix-error-handling-in-__video_register_device.patch
new file mode 100644 (file)
index 0000000..ace9d24
--- /dev/null
@@ -0,0 +1,66 @@
+From 2a934fdb01db6458288fc9386d3d8ceba6dd551a Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Wed, 19 Mar 2025 16:02:48 +0800
+Subject: media: v4l2-dev: fix error handling in __video_register_device()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 2a934fdb01db6458288fc9386d3d8ceba6dd551a upstream.
+
+Once device_register() failed, we should call put_device() to
+decrement reference count for cleanup. Or it could cause memory leak.
+And move callback function v4l2_device_release() and v4l2_device_get()
+before put_device().
+
+As comment of device_register() says, 'NOTE: _Never_ directly free
+@dev after calling this function, even if it returned an error! Always
+use put_device() to give up the reference initialized in this function
+instead.'
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: dc93a70cc7f9 ("V4L/DVB (9973): v4l2-dev: use the release callback from device instead of cdev")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-dev.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dev.c
++++ b/drivers/media/v4l2-core/v4l2-dev.c
+@@ -1052,25 +1052,25 @@ int __video_register_device(struct video
+       vdev->dev.class = &video_class;
+       vdev->dev.devt = MKDEV(VIDEO_MAJOR, vdev->minor);
+       vdev->dev.parent = vdev->dev_parent;
++      vdev->dev.release = v4l2_device_release;
+       dev_set_name(&vdev->dev, "%s%d", name_base, vdev->num);
++
++      /* Increase v4l2_device refcount */
++      v4l2_device_get(vdev->v4l2_dev);
++
+       mutex_lock(&videodev_lock);
+       ret = device_register(&vdev->dev);
+       if (ret < 0) {
+               mutex_unlock(&videodev_lock);
+               pr_err("%s: device_register failed\n", __func__);
+-              goto cleanup;
++              put_device(&vdev->dev);
++              return ret;
+       }
+-      /* Register the release callback that will be called when the last
+-         reference to the device goes away. */
+-      vdev->dev.release = v4l2_device_release;
+       if (nr != -1 && nr != vdev->num && warn_if_nr_in_use)
+               pr_warn("%s: requested %s%d, got %s\n", __func__,
+                       name_base, nr, video_device_node_name(vdev));
+-      /* Increase v4l2_device refcount */
+-      v4l2_device_get(vdev->v4l2_dev);
+-
+       /* Part 5: Register the entity. */
+       ret = video_register_media_controller(vdev);
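Review bot: The device_register() failure path now ends in `put_device(&vdev->dev); return ret;` and no longer goes through the `cleanup` label, so everything the old path undid is left to the release callback installed a few lines above. Neither the `cleanup` body nor v4l2_device_release() is in the hunk. It is worth confirming that the callback copes with a device whose registration never completed. It is also worth confirming that it does not call a driver release that frees `vdev` while callers of a failed registration free it as well, which would be a double free. A comment at the put_device() call stating who owns `vdev` after a failure would make that contract explicit for driver authors.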
diff --git a/queue-6.12/media-venus-fix-probe-error-handling.patch b/queue-6.12/media-venus-fix-probe-error-handling.patch
new file mode 100644 (file)
index 0000000..0d1659a
--- /dev/null
@@ -0,0 +1,79 @@
+From 523cea3a19f0b3b020a4745344c136a636e6ffd7 Mon Sep 17 00:00:00 2001
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Date: Thu, 27 Mar 2025 13:53:04 +0100
+Subject: media: venus: Fix probe error handling
+
+From: Loic Poulain <loic.poulain@oss.qualcomm.com>
+
+commit 523cea3a19f0b3b020a4745344c136a636e6ffd7 upstream.
+
+Video device registering has been moved earlier in the probe function,
+but the new order has not been propagated to error handling. This means
+we can end with unreleased resources on error (e.g dangling video device
+on missing firmware probe aborting).
+
+Fixes: 08b1cf474b7f7 ("media: venus: core, venc, vdec: Fix probe dependency error")
+Cc: stable@vger.kernel.org
+Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
+Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.c |   16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -354,7 +354,7 @@ static int venus_probe(struct platform_d
+       ret = v4l2_device_register(dev, &core->v4l2_dev);
+       if (ret)
+-              goto err_core_deinit;
++              goto err_hfi_destroy;
+       platform_set_drvdata(pdev, core);
+@@ -386,24 +386,24 @@ static int venus_probe(struct platform_d
+       ret = venus_enumerate_codecs(core, VIDC_SESSION_TYPE_DEC);
+       if (ret)
+-              goto err_venus_shutdown;
++              goto err_core_deinit;
+       ret = venus_enumerate_codecs(core, VIDC_SESSION_TYPE_ENC);
+       if (ret)
+-              goto err_venus_shutdown;
++              goto err_core_deinit;
+       ret = pm_runtime_put_sync(dev);
+       if (ret) {
+               pm_runtime_get_noresume(dev);
+-              goto err_dev_unregister;
++              goto err_core_deinit;
+       }
+       venus_dbgfs_init(core);
+       return 0;
+-err_dev_unregister:
+-      v4l2_device_unregister(&core->v4l2_dev);
++err_core_deinit:
++      hfi_core_deinit(core, false);
+ err_venus_shutdown:
+       venus_shutdown(core);
+ err_firmware_deinit:
+@@ -414,9 +414,9 @@ err_runtime_disable:
+       pm_runtime_put_noidle(dev);
+       pm_runtime_disable(dev);
+       pm_runtime_set_suspended(dev);
++      v4l2_device_unregister(&core->v4l2_dev);
++err_hfi_destroy:
+       hfi_destroy(core);
+-err_core_deinit:
+-      hfi_core_deinit(core, false);
+ err_core_put:
+       if (core->pm_ops->core_put)
+               core->pm_ops->core_put(core);
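Review bot: In the reordered unwind ladder of venus_probe(), `v4l2_device_unregister(&core->v4l2_dev);` sits under `err_runtime_disable` with no label of its own. Every jump to that label or to any label above it therefore unregisters the v4l2 device. That is correct only if all of those jumps happen after v4l2_device_register() has succeeded, and the goto sites between the hunks are not shown. A one-line comment above the call, such as `/* all labels above are only reached after v4l2_device_register() */`, would keep a later reshuffle of the probe order from breaking this silently again.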
diff --git a/queue-6.12/media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch b/queue-6.12/media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch
new file mode 100644 (file)
index 0000000..37df368
--- /dev/null
@@ -0,0 +1,45 @@
+From a704a3c503ae1cfd9de8a2e2d16a0c9430e98162 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 7 May 2025 18:09:11 +0200
+Subject: media: videobuf2: use sgtable-based scatterlist wrappers
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit a704a3c503ae1cfd9de8a2e2d16a0c9430e98162 upstream.
+
+Use common wrappers operating directly on the struct sg_table objects to
+fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
+functions have to be called with the number of elements originally passed
+to dma_map_sg_*() function, not the one returned in sgt->nents.
+
+Fixes: d4db5eb57cab ("media: videobuf2: add begin/end cpu_access callbacks to dma-sg")
+CC: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Acked-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/videobuf2/videobuf2-dma-sg.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
++++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+@@ -469,7 +469,7 @@ vb2_dma_sg_dmabuf_ops_begin_cpu_access(s
+       struct vb2_dma_sg_buf *buf = dbuf->priv;
+       struct sg_table *sgt = buf->dma_sgt;
+-      dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++      dma_sync_sgtable_for_cpu(buf->dev, sgt, buf->dma_dir);
+       return 0;
+ }
+@@ -480,7 +480,7 @@ vb2_dma_sg_dmabuf_ops_end_cpu_access(str
+       struct vb2_dma_sg_buf *buf = dbuf->priv;
+       struct sg_table *sgt = buf->dma_sgt;
+-      dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++      dma_sync_sgtable_for_device(buf->dev, sgt, buf->dma_dir);
+       return 0;
+ }
diff --git a/queue-6.12/media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch b/queue-6.12/media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch
new file mode 100644 (file)
index 0000000..727b0d8
--- /dev/null
@@ -0,0 +1,148 @@
+From 1d5f88f053480326873115092bc116b7d14916ba Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Tue, 11 Mar 2025 15:20:14 +0800
+Subject: media: vidtv: Terminating the subsequent process of initialization failure
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 1d5f88f053480326873115092bc116b7d14916ba upstream.
+
+syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]
+
+After PSI initialization fails, the si member is accessed again, resulting
+in this uaf.
+
+After si initialization fails, the subsequent process needs to be exited.
+
+[1]
+BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]
+BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
+Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059
+
+CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0
+Hardware name: Google Compute Engine, BIOS Google 02/12/2025
+Call Trace:
+<TASK>
+__dump_stack lib/dump_stack.c:94 [inline]
+dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+print_address_description mm/kasan/report.c:408 [inline]
+print_report+0xc3/0x670 mm/kasan/report.c:521
+kasan_report+0xd9/0x110 mm/kasan/report.c:634
+vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78
+vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
+vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+__fput+0x3ff/0xb70 fs/file_table.c:464
+task_work_run+0x14e/0x250 kernel/task_work.c:227
+exit_task_work include/linux/task_work.h:40 [inline]
+do_exit+0xad8/0x2d70 kernel/exit.c:938
+do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+__do_sys_exit_group kernel/exit.c:1098 [inline]
+__se_sys_exit_group kernel/exit.c:1096 [inline]
+__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f871d58d169
+Code: Unable to access opcode bytes at 0x7f871d58d13f.
+RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169
+RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0
+R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003
+R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840
+ </TASK>
+
+Allocated by task 6059:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
+ kmalloc_noprof include/linux/slab.h:901 [inline]
+ kzalloc_noprof include/linux/slab.h:1037 [inline]
+ vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970
+ vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423
+ vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
+ vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+ vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+ dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+ dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+ dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+ dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+ dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+ dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+ __fput+0x3ff/0xb70 fs/file_table.c:464
+ task_work_run+0x14e/0x250 kernel/task_work.c:227
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xad8/0x2d70 kernel/exit.c:938
+ do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+ __do_sys_exit_group kernel/exit.c:1098 [inline]
+ __se_sys_exit_group kernel/exit.c:1096 [inline]
+ __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+ x64_sys_call arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6059:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2353 [inline]
+ slab_free mm/slub.c:4609 [inline]
+ kfree+0x2c4/0x4d0 mm/slub.c:4757
+ vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:499
+ vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
+ vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+ vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+ dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+ dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+ dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+ dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+ dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+ dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+ __fput+0x3ff/0xb70 fs/file_table.c:464
+ task_work_run+0x14e/0x250 kernel/task_work.c:227
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xad8/0x2d70 kernel/exit.c:938
+ do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+ __do_sys_exit_group kernel/exit.c:1098 [inline]
+ __se_sys_exit_group kernel/exit.c:1096 [inline]
+ __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+ x64_sys_call arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 3be8037960bc ("media: vidtv: add error checks")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+0d33ab192bd50b6c91e6@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0d33ab192bd50b6c91e6
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_channel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
+@@ -497,7 +497,7 @@ free_sdt:
+       vidtv_psi_sdt_table_destroy(m->si.sdt);
+ free_pat:
+       vidtv_psi_pat_table_destroy(m->si.pat);
+-      return 0;
++      return -EINVAL;
+ }
+ void vidtv_channel_si_destroy(struct vidtv_mux *m)
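Review bot: The shared unwind path in vidtv_channel_si_init() now returns a fixed `-EINVAL`, which tells the caller that something failed but not what. The "Allocated by" trace in the commit message goes through kzalloc in vidtv_psi_pat_table_init(), so at least some failures reaching these labels look like allocation failures, for which `return -ENOMEM;` would be the accurate code. The goto sites are outside the hunk, so if they fail for different reasons, setting a `ret` at each site and ending with `return ret;` would be the more faithful form.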
diff --git a/queue-6.12/media-vivid-change-the-siize-of-the-composing.patch b/queue-6.12/media-vivid-change-the-siize-of-the-composing.patch
new file mode 100644 (file)
index 0000000..0b7d38e
--- /dev/null
@@ -0,0 +1,63 @@
+From f83ac8d30c43fd902af7c84c480f216157b60ef0 Mon Sep 17 00:00:00 2001
+From: Denis Arefev <arefev@swemel.ru>
+Date: Tue, 15 Apr 2025 11:27:21 +0300
+Subject: media: vivid: Change the siize of the composing
+
+From: Denis Arefev <arefev@swemel.ru>
+
+commit f83ac8d30c43fd902af7c84c480f216157b60ef0 upstream.
+
+syzkaller found a bug:
+
+BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
+Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304
+
+CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:489
+ kasan_report+0x143/0x180 mm/kasan/report.c:602
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
+ tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
+ vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
+ vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
+ vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
+ kthread+0x7a9/0x920 kernel/kthread.c:464
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+The composition size cannot be larger than the size of fmt_cap_rect.
+So execute v4l2_rect_map_inside() even if has_compose_cap == 0.
+
+Fixes: 94a7ad928346 ("media: vivid: fix compose size exceed boundary")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+365005005522b70a36f2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=8ed8e8cc30cbe0d86c9a25bd1d6a5775129b8ea3
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -947,8 +947,8 @@ int vivid_vid_cap_s_selection(struct fil
+                       if (dev->has_compose_cap) {
+                               v4l2_rect_set_min_size(compose, &min_rect);
+                               v4l2_rect_set_max_size(compose, &max_rect);
+-                              v4l2_rect_map_inside(compose, &fmt);
+                       }
++                      v4l2_rect_map_inside(compose, &fmt);
+                       dev->fmt_cap_rect = fmt;
+                       tpg_s_buf_height(&dev->tpg, fmt.height);
+               } else if (dev->has_compose_cap) {
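Review bot: `v4l2_rect_map_inside(compose, &fmt);` now runs whether or not `has_compose_cap` is set, but nothing in the code records why it was moved out of the `if`, so a later tidy-up could easily fold it back in. A short comment above it would tie the line to the out-of-bounds write in the commit message, for example `/* compose must always fit inside fmt, otherwise the TPG fills past the end of the buffer */`. The `else if (dev->has_compose_cap)` branch that follows is cut off by the hunk, so whether that path needs the same clamp cannot be judged from here.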
diff --git a/queue-6.12/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch b/queue-6.12/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch
new file mode 100644 (file)
index 0000000..2fe2735
--- /dev/null
@@ -0,0 +1,167 @@
+From f7fb730cac9aafda8b9813b55d04e28a9664d17c Mon Sep 17 00:00:00 2001
+From: Maninder Singh <maninder1.s@samsung.com>
+Date: Thu, 6 Mar 2025 14:50:07 +0530
+Subject: NFSD: fix race between nfsd registration and exports_proc
+
+From: Maninder Singh <maninder1.s@samsung.com>
+
+commit f7fb730cac9aafda8b9813b55d04e28a9664d17c upstream.
+
+As of now nfsd calls create_proc_exports_entry() at start of init_nfsd
+and cleanup by remove_proc_entry() at last of exit_nfsd.
+
+Which causes kernel OOPs if there is race between below 2 operations:
+(i) exportfs -r
+(ii) mount -t nfsd none /proc/fs/nfsd
+
+for 5.4 kernel ARM64:
+
+CPU 1:
+el1_irq+0xbc/0x180
+arch_counter_get_cntvct+0x14/0x18
+running_clock+0xc/0x18
+preempt_count_add+0x88/0x110
+prep_new_page+0xb0/0x220
+get_page_from_freelist+0x2d8/0x1778
+__alloc_pages_nodemask+0x15c/0xef0
+__vmalloc_node_range+0x28c/0x478
+__vmalloc_node_flags_caller+0x8c/0xb0
+kvmalloc_node+0x88/0xe0
+nfsd_init_net+0x6c/0x108 [nfsd]
+ops_init+0x44/0x170
+register_pernet_operations+0x114/0x270
+register_pernet_subsys+0x34/0x50
+init_nfsd+0xa8/0x718 [nfsd]
+do_one_initcall+0x54/0x2e0
+
+CPU 2 :
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
+
+PC is at : exports_net_open+0x50/0x68 [nfsd]
+
+Call trace:
+exports_net_open+0x50/0x68 [nfsd]
+exports_proc_open+0x2c/0x38 [nfsd]
+proc_reg_open+0xb8/0x198
+do_dentry_open+0x1c4/0x418
+vfs_open+0x38/0x48
+path_openat+0x28c/0xf18
+do_filp_open+0x70/0xe8
+do_sys_open+0x154/0x248
+
+Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().
+
+and same is happening on latest 6.14 kernel as well:
+
+[    0.000000] Linux version 6.14.0-rc5-next-20250304-dirty
+...
+[  285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48
+...
+[  285.464902] pc : cache_seq_next_rcu+0x78/0xa4
+...
+[  285.469695] Call trace:
+[  285.470083]  cache_seq_next_rcu+0x78/0xa4 (P)
+[  285.470488]  seq_read+0xe0/0x11c
+[  285.470675]  proc_reg_read+0x9c/0xf0
+[  285.470874]  vfs_read+0xc4/0x2fc
+[  285.471057]  ksys_read+0x6c/0xf4
+[  285.471231]  __arm64_sys_read+0x1c/0x28
+[  285.471428]  invoke_syscall+0x44/0x100
+[  285.471633]  el0_svc_common.constprop.0+0x40/0xe0
+[  285.471870]  do_el0_svc_compat+0x1c/0x34
+[  285.472073]  el0_svc_compat+0x2c/0x80
+[  285.472265]  el0t_32_sync_handler+0x90/0x140
+[  285.472473]  el0t_32_sync+0x19c/0x1a0
+[  285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)
+[  285.473422] ---[ end trace 0000000000000000 ]---
+
+It reproduced simply with below script:
+while [ 1 ]
+do
+/exportfs -r
+done &
+
+while [ 1 ]
+do
+insmod /nfsd.ko
+mount -t nfsd none /proc/fs/nfsd
+umount /proc/fs/nfsd
+rmmod nfsd
+done &
+
+So exporting interfaces to user space shall be done at last and
+cleanup at first place.
+
+With change there is no Kernel OOPs.
+
+Co-developed-by: Shubham Rana <s9.rana@samsung.com>
+Signed-off-by: Shubham Rana <s9.rana@samsung.com>
+Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c |   17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -2331,12 +2331,9 @@ static int __init init_nfsd(void)
+       if (retval)
+               goto out_free_pnfs;
+       nfsd_lockd_init();      /* lockd->nfsd callbacks */
+-      retval = create_proc_exports_entry();
+-      if (retval)
+-              goto out_free_lockd;
+       retval = register_pernet_subsys(&nfsd_net_ops);
+       if (retval < 0)
+-              goto out_free_exports;
++              goto out_free_lockd;
+       retval = register_cld_notifier();
+       if (retval)
+               goto out_free_subsys;
+@@ -2348,11 +2345,16 @@ static int __init init_nfsd(void)
+               goto out_free_nfsd4;
+       retval = genl_register_family(&nfsd_nl_family);
+       if (retval)
++              goto out_free_filesystem;
++      retval = create_proc_exports_entry();
++      if (retval)
+               goto out_free_all;
+       nfsd_localio_ops_init();
+       return 0;
+ out_free_all:
++      genl_unregister_family(&nfsd_nl_family);
++out_free_filesystem:
+       unregister_filesystem(&nfsd_fs_type);
+ out_free_nfsd4:
+       nfsd4_destroy_laundry_wq();
+@@ -2360,9 +2362,6 @@ out_free_cld:
+       unregister_cld_notifier();
+ out_free_subsys:
+       unregister_pernet_subsys(&nfsd_net_ops);
+-out_free_exports:
+-      remove_proc_entry("fs/nfs/exports", NULL);
+-      remove_proc_entry("fs/nfs", NULL);
+ out_free_lockd:
+       nfsd_lockd_shutdown();
+       nfsd_drc_slab_free();
+@@ -2375,14 +2374,14 @@ out_free_slabs:
+ static void __exit exit_nfsd(void)
+ {
++      remove_proc_entry("fs/nfs/exports", NULL);
++      remove_proc_entry("fs/nfs", NULL);
+       genl_unregister_family(&nfsd_nl_family);
+       unregister_filesystem(&nfsd_fs_type);
+       nfsd4_destroy_laundry_wq();
+       unregister_cld_notifier();
+       unregister_pernet_subsys(&nfsd_net_ops);
+       nfsd_drc_slab_free();
+-      remove_proc_entry("fs/nfs/exports", NULL);
+-      remove_proc_entry("fs/nfs", NULL);
+       nfsd_lockd_shutdown();
+       nfsd4_free_slabs();
+       nfsd4_exit_pnfs();
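Review bot: Neither the relocated `create_proc_exports_entry()` call in `init_nfsd()` nor the `remove_proc_entry()` pair now at the top of `exit_nfsd()` has a comment saying why it must come last or first, so a later reordering could quietly bring the race back. Going by the traces in the commit message, the proc file can be opened from user space as soon as it exists, while the per-net state it uses appears to be set up under `register_pernet_subsys()`. I would add `/* Create the exports proc entry last: user space can open it as soon as it exists. */` above the call in `init_nfsd()` and `/* Remove user-visible entries first, before the state behind them is torn down. */` in `exit_nfsd()`. Both functions extend beyond the hunks shown.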
diff --git a/queue-6.12/nfsd-implement-fattr4_clone_blksize-attribute.patch b/queue-6.12/nfsd-implement-fattr4_clone_blksize-attribute.patch
new file mode 100644 (file)
index 0000000..a820464
--- /dev/null
@@ -0,0 +1,67 @@
+From d6ca7d2643eebe09cf46840bdc7d68b6e07aba77 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 7 May 2025 10:45:15 -0400
+Subject: NFSD: Implement FATTR4_CLONE_BLKSIZE attribute
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit d6ca7d2643eebe09cf46840bdc7d68b6e07aba77 upstream.
+
+RFC 7862 states that if an NFS server implements a CLONE operation,
+it MUST also implement FATTR4_CLONE_BLKSIZE. NFSD implements CLONE,
+but does not implement FATTR4_CLONE_BLKSIZE.
+
+Note that in Section 12.2, RFC 7862 claims that
+FATTR4_CLONE_BLKSIZE is RECOMMENDED, not REQUIRED. Likely this is
+because a minor version is not permitted to add a REQUIRED
+attribute. Confusing.
+
+We assume this attribute reports a block size as a count of bytes,
+as RFC 7862 does not specify a unit.
+
+Reported-by: Roland Mainz <roland.mainz@nrubsig.org>
+Suggested-by: Christoph Hellwig <hch@infradead.org>
+Reviewed-by: Roland Mainz <roland.mainz@nrubsig.org>
+Cc: stable@vger.kernel.org # v6.7+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4xdr.c |   19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3382,6 +3382,23 @@ static __be32 nfsd4_encode_fattr4_suppat
+       return nfsd4_encode_bitmap4(xdr, supp[0], supp[1], supp[2]);
+ }
++/*
++ * Copied from generic_remap_checks/generic_remap_file_range_prep.
++ *
++ * These generic functions use the file system's s_blocksize, but
++ * individual file systems aren't required to use
++ * generic_remap_file_range_prep. Until there is a mechanism for
++ * determining a particular file system's (or file's) clone block
++ * size, this is the best NFSD can do.
++ */
++static __be32 nfsd4_encode_fattr4_clone_blksize(struct xdr_stream *xdr,
++                                              const struct nfsd4_fattr_args *args)
++{
++      struct inode *inode = d_inode(args->dentry);
++
++      return nfsd4_encode_uint32_t(xdr, inode->i_sb->s_blocksize);
++}
++
+ #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+ static __be32 nfsd4_encode_fattr4_sec_label(struct xdr_stream *xdr,
+                                           const struct nfsd4_fattr_args *args)
+@@ -3487,7 +3504,7 @@ static const nfsd4_enc_attr nfsd4_enc_fa
+       [FATTR4_MODE_SET_MASKED]        = nfsd4_encode_fattr4__noop,
+       [FATTR4_SUPPATTR_EXCLCREAT]     = nfsd4_encode_fattr4_suppattr_exclcreat,
+       [FATTR4_FS_CHARSET_CAP]         = nfsd4_encode_fattr4__noop,
+-      [FATTR4_CLONE_BLKSIZE]          = nfsd4_encode_fattr4__noop,
++      [FATTR4_CLONE_BLKSIZE]          = nfsd4_encode_fattr4_clone_blksize,
+       [FATTR4_SPACE_FREED]            = nfsd4_encode_fattr4__noop,
+       [FATTR4_CHANGE_ATTR_TYPE]       = nfsd4_encode_fattr4__noop,
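Review bot: The comment above `nfsd4_encode_fattr4_clone_blksize()` does not say what unit the encoded value is in, although the commit message states that NFSD assumes bytes because RFC 7862 names none. Adding a line such as `* The value is reported in bytes; RFC 7862 does not specify a unit.` to the comment block would keep that assumption next to the code. Separately, `s_blocksize` is an `unsigned long` in `struct super_block`, and it is passed to an encoder that, by its name, takes a 32-bit value, so the narrowing is implicit. An explicit `(u32)` cast would show it is intended.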
diff --git a/queue-6.12/nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch b/queue-6.12/nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch
new file mode 100644 (file)
index 0000000..03bee81
--- /dev/null
@@ -0,0 +1,51 @@
+From b31da62889e6d610114d81dc7a6edbcaa503fcf8 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng <lilingfeng3@huawei.com>
+Date: Mon, 14 Apr 2025 22:38:52 +0800
+Subject: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+commit b31da62889e6d610114d81dc7a6edbcaa503fcf8 upstream.
+
+In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through
+nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized,
+this can cause NULL pointer dereference.
+
+Normally the delayed start of laundromat_work allows sufficient time for
+nfsd_ssc initialization to complete. However, when the kernel waits too
+long for userspace responses (e.g. in nfs4_state_start_net ->
+nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done ->
+cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the
+delayed work may start before nfsd_ssc initialization finishes.
+
+Fix this by moving nfsd_ssc initialization before starting laundromat_work.
+
+Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfssvc.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -406,13 +406,13 @@ static int nfsd_startup_net(struct net *
+       if (ret)
+               goto out_filecache;
++#ifdef CONFIG_NFSD_V4_2_INTER_SSC
++      nfsd4_ssc_init_umount_work(nn);
++#endif
+       ret = nfs4_state_start_net(net);
+       if (ret)
+               goto out_reply_cache;
+-#ifdef CONFIG_NFSD_V4_2_INTER_SSC
+-      nfsd4_ssc_init_umount_work(nn);
+-#endif
+       nn->nfsd_net_up = true;
+       return 0;
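Review bot: Nothing at the moved `nfsd4_ssc_init_umount_work(nn)` call says that it has to run before `nfs4_state_start_net()`, and that ordering is the entire fix. Per the commit message, laundromat_work can reach nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount, so I would add `/* Must precede nfs4_state_start_net(): laundromat_work may touch the ssc state. */` above the `#ifdef`. It is also worth confirming that nothing the init call sets up needs undoing on the `goto out_reply_cache` path, which is now taken after it. The labels and the rest of `nfsd_startup_net()` are outside the hunk.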
diff --git a/queue-6.12/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch b/queue-6.12/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch
new file mode 100644 (file)
index 0000000..72f6dfa
--- /dev/null
@@ -0,0 +1,37 @@
+From 1244f0b2c3cecd3f349a877006e67c9492b41807 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neil@brown.name>
+Date: Fri, 28 Mar 2025 11:05:59 +1100
+Subject: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
+
+From: NeilBrown <neil@brown.name>
+
+commit 1244f0b2c3cecd3f349a877006e67c9492b41807 upstream.
+
+If the request being processed is not a v4 compound request, then
+examining the cstate can have undefined results.
+
+This patch adds a check that the rpc procedure being executed
+(rq_procinfo) is the NFSPROC4_COMPOUND procedure.
+
+Reported-by: Olga Kornievskaia <okorniev@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: NeilBrown <neil@brown.name>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -3658,7 +3658,8 @@ bool nfsd4_spo_must_allow(struct svc_rqs
+       struct nfs4_op_map *allow = &cstate->clp->cl_spo_must_allow;
+       u32 opiter;
+-      if (!cstate->minorversion)
++      if (rqstp->rq_procinfo != &nfsd_version4.vs_proc[NFSPROC4_COMPOUND] ||
++          cstate->minorversion == 0)
+               return false;
+       if (cstate->spo_must_allowed)
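Review bot: The initializer `struct nfs4_op_map *allow = &cstate->clp->cl_spo_must_allow;` still loads `cstate->clp` before the new `rq_procinfo` check runs, so for a request that is not a v4 COMPOUND the function reads from cstate ahead of the guard meant to prevent that. The load only forms an address and `allow` is not used before the early return, so this is likely harmless, but it goes against the stated intent of the patch. I would declare `struct nfs4_op_map *allow;` without an initializer and assign `allow = &cstate->clp->cl_spo_must_allow;` after the guard. How `cstate` itself is obtained is outside the hunk, as is the rest of the function.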
diff --git a/queue-6.12/nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch b/queue-6.12/nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch
new file mode 100644 (file)
index 0000000..ff3e593
--- /dev/null
@@ -0,0 +1,44 @@
+From ff12eb379554eea7932ad6caea55e3091701cce4 Mon Sep 17 00:00:00 2001
+From: Maninder Singh <maninder1.s@samsung.com>
+Date: Thu, 6 Mar 2025 14:50:06 +0530
+Subject: NFSD: unregister filesystem in case genl_register_family() fails
+
+From: Maninder Singh <maninder1.s@samsung.com>
+
+commit ff12eb379554eea7932ad6caea55e3091701cce4 upstream.
+
+With rpc_status netlink support, unregister of register_filesystem()
+was missed in case of genl_register_family() fails.
+
+Correcting it by making new label.
+
+Fixes: bd9d6a3efa97 ("NFSD: add rpc_status netlink support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfsctl.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -2345,7 +2345,7 @@ static int __init init_nfsd(void)
+               goto out_free_cld;
+       retval = register_filesystem(&nfsd_fs_type);
+       if (retval)
+-              goto out_free_all;
++              goto out_free_nfsd4;
+       retval = genl_register_family(&nfsd_nl_family);
+       if (retval)
+               goto out_free_all;
+@@ -2353,6 +2353,8 @@ static int __init init_nfsd(void)
+       return 0;
+ out_free_all:
++      unregister_filesystem(&nfsd_fs_type);
++out_free_nfsd4:
+       nfsd4_destroy_laundry_wq();
+ out_free_cld:
+       unregister_cld_notifier();
diff --git a/queue-6.12/nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch b/queue-6.12/nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch
new file mode 100644 (file)
index 0000000..896a94f
--- /dev/null
@@ -0,0 +1,37 @@
+From 4d4832ed13ff505fe0371544b4773e79be2bb964 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew <smayhew@redhat.com>
+Date: Wed, 30 Apr 2025 07:12:29 -0400
+Subject: NFSv4: Don't check for OPEN feature support in v4.1
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+commit 4d4832ed13ff505fe0371544b4773e79be2bb964 upstream.
+
+fattr4_open_arguments is a v4.2 recommended attribute, so we shouldn't
+be sending it to v4.1 servers.
+
+Fixes: cb78f9b7d0c0 ("nfs: fix the fetch of FATTR4_OPEN_ARGUMENTS")
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Cc: stable@vger.kernel.org # 6.11+
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3957,8 +3957,9 @@ static int _nfs4_server_capabilities(str
+                    FATTR4_WORD0_CASE_INSENSITIVE |
+                    FATTR4_WORD0_CASE_PRESERVING;
+       if (minorversion)
+-              bitmask[2] = FATTR4_WORD2_SUPPATTR_EXCLCREAT |
+-                           FATTR4_WORD2_OPEN_ARGUMENTS;
++              bitmask[2] = FATTR4_WORD2_SUPPATTR_EXCLCREAT;
++      if (minorversion > 1)
++              bitmask[2] |= FATTR4_WORD2_OPEN_ARGUMENTS;
+       status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
+       if (status == 0) {
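Review bot: The new `minorversion > 1` test has no comment tying it to the protocol version that defines the attribute, so the reason for splitting the assignment is recorded only in the commit message. A line such as `/* fattr4_open_arguments is a v4.2 attribute; do not request it from older servers */` above the second `if` would make that clear. The two `if` statements now sit back to back without braces, and bracing both bodies would keep a later addition from attaching to the wrong condition. `_nfs4_server_capabilities()` begins and ends outside the hunk.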
index 9de2021d82ec5bbd03250629f3925efe7c8808b8..89c924715163eeef1301e710f4b68b201da27899 100644 (file)
@@ -22,3 +22,50 @@ net-mlx5_core-add-error-handling-inmlx5_query_nic_vport_qkey_viol_cntr.patch
 net-mlx5-add-error-handling-in-mlx5_query_nic_vport_node_guid.patch
 wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
 wifi-mt76-mt7925-fix-host-interrupt-register-initialization.patch
+wifi-ath11k-fix-rx-completion-meta-data-corruption.patch
+wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch
+wifi-ath11k-fix-ring-buffer-corruption.patch
+nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch
+nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch
+nfsd-implement-fattr4_clone_blksize-attribute.patch
+nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch
+nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch
+sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch
+nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch
+fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch
+wifi-ath12k-fix-ring-buffer-corruption.patch
+jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch
+svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch
+wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch
+wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch
+media-ov8856-suppress-probe-deferral-errors.patch
+media-ov5675-suppress-probe-deferral-errors.patch
+media-imx335-use-correct-register-width-for-hnum.patch
+media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch
+media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch
+media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch
+media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch
+media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch
+media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch
+media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch
+media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch
+media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch
+media-gspca-add-error-handling-for-stv06xx_read_sensor.patch
+media-i2c-imx335-fix-frame-size-enumeration.patch
+media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch
+media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch
+media-ipu6-remove-workaround-for-meteor-lake-es2.patch
+media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch
+media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch
+media-v4l2-dev-fix-error-handling-in-__video_register_device.patch
+media-venus-fix-probe-error-handling.patch
+media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch
+media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch
+media-vivid-change-the-siize-of-the-composing.patch
+media-imx-jpeg-drop-the-first-error-frames.patch
+media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch
+media-imx-jpeg-reset-slot-data-pointers-when-freed.patch
+media-imx-jpeg-cleanup-after-an-allocation-error.patch
+media-uvcvideo-return-the-number-of-processed-controls.patch
+media-uvcvideo-send-control-events-for-partial-succeeds.patch
+media-uvcvideo-fix-deferred-probing-error.patch
diff --git a/queue-6.12/sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch b/queue-6.12/sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch
new file mode 100644 (file)
index 0000000..d41dd18
--- /dev/null
@@ -0,0 +1,58 @@
+From 0bd2f6b8996d4f1ca4573652454987826730a04a Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 21 May 2025 16:34:13 -0400
+Subject: SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 0bd2f6b8996d4f1ca4573652454987826730a04a upstream.
+
+Engineers at Hammerspace noticed that sometimes mounting with
+"xprtsec=tls" hangs for a minute or so, and then times out, even
+when the NFS server is reachable and responsive.
+
+kTLS shuts off data_ready callbacks if strp->msg_ready is set to
+mitigate data_ready callbacks when a full TLS record is not yet
+ready to be read from the socket.
+
+Normally msg_ready is clear when the first TLS record arrives on
+a socket. However, I observed that sometimes tls_setsockopt() sets
+strp->msg_ready, and that prevents forward progress because
+tls_data_ready() becomes a no-op.
+
+Moreover, Jakub says: "If there's a full record queued at the time
+when [tlshd] passes the socket back to the kernel, it's up to the
+reader to read the already queued data out." So SunRPC cannot
+expect a data_ready call when ingress data is already waiting.
+
+Add an explicit poll after SunRPC's upper transport is set up to
+pick up any data that arrived after the TLS handshake but before
+transport set-up is complete.
+
+Reported-by: Steve Sears <sjs@hammerspace.com>
+Suggested-by: Jakub Kacinski <kuba@kernel.org>
+Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class")
+Tested-by: Mike Snitzer <snitzer@kernel.org>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtsock.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2743,6 +2743,11 @@ static void xs_tcp_tls_setup_socket(stru
+       }
+       rpc_shutdown_client(lower_clnt);
++      /* Check for ingress data that arrived before the socket's
++       * ->data_ready callback was set up.
++       */
++      xs_poll_check_readable(upper_transport);
++
+ out_unlock:
+       current_restore_flags(pflags, PF_MEMALLOC);
+       upper_transport->clnt = NULL;
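Review bot: The added comment explains the poll only as catching data that arrived before `->data_ready` was set up, but the commit message describes a second case in which no callback arrives at all: a full TLS record already queued when the handshake daemon hands the socket back to the kernel. I would widen the comment to cover it, for example `/* kTLS does not signal records queued before hand-off; poll once so they are not left unread. */`. The call sits on the fall-through path just above `out_unlock:`. Whether every earlier failure jumps past it cannot be checked from here, because `xs_tcp_tls_setup_socket()` starts outside the hunk.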
diff --git a/queue-6.12/svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch b/queue-6.12/svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch
new file mode 100644 (file)
index 0000000..0c146dd
--- /dev/null
@@ -0,0 +1,34 @@
+From 8ac6fcae5dc0e801f1c82a83f5ae2c0a4db19932 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 27 Apr 2025 12:39:59 -0400
+Subject: svcrdma: Unregister the device if svc_rdma_accept() fails
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 8ac6fcae5dc0e801f1c82a83f5ae2c0a4db19932 upstream.
+
+To handle device removal, svc_rdma_accept() requests removal
+notification for the underlying device when accepting a connection.
+However svc_rdma_free() is not invoked if svc_rdma_accept() fails.
+There needs to be a matching "unregister" in that case; otherwise
+the device cannot be removed.
+
+Fixes: c4de97f7c454 ("svcrdma: Handle device removal outside of the CM event handler")
+Cc: stable@vger.kernel.org
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtrdma/svc_rdma_transport.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+@@ -577,6 +577,7 @@ static struct svc_xprt *svc_rdma_accept(
+       if (newxprt->sc_qp && !IS_ERR(newxprt->sc_qp))
+               ib_destroy_qp(newxprt->sc_qp);
+       rdma_destroy_id(newxprt->sc_cm_id);
++      rpcrdma_rn_unregister(dev, &newxprt->sc_rn);
+       /* This call to put will destroy the transport */
+       svc_xprt_put(&newxprt->sc_xprt);
+       return NULL;
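Review bot: The added `rpcrdma_rn_unregister(dev, &newxprt->sc_rn);` runs unconditionally on the shared error exit, and the gotos that reach it are outside the hunk. If any of them can fire before the removal notification was registered, including a failure of the registration call itself, this would unregister something that was never registered. That should be confirmed against the full function, and if such a path exists it needs its own label placed below the unregister. It would also help to note in a comment that `dev` is still valid after `rdma_destroy_id(newxprt->sc_cm_id)`, since the unregister is placed after the destroy.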
diff --git a/queue-6.12/wifi-ath11k-fix-ring-buffer-corruption.patch b/queue-6.12/wifi-ath11k-fix-ring-buffer-corruption.patch
new file mode 100644 (file)
index 0000000..9b7cb53
--- /dev/null
@@ -0,0 +1,98 @@
+From 6d037a372f817e9fcb56482f37917545596bd776 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 21 Mar 2025 10:49:16 +0100
+Subject: wifi: ath11k: fix ring-buffer corruption
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 6d037a372f817e9fcb56482f37917545596bd776 upstream.
+
+Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes
+breaks and the log fills up with errors like:
+
+    ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492
+    ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484
+
+which based on a quick look at the driver seemed to indicate some kind
+of ring-buffer corruption.
+
+Miaoqing Pan tracked it down to the host seeing the updated destination
+ring head pointer before the updated descriptor, and the error handling
+for that in turn leaves the ring buffer in an inconsistent state.
+
+Add the missing memory barrier to make sure that the descriptor is read
+after the head pointer to address the root cause of the corruption while
+fixing up the error handling in case there are ever any (ordering) bugs
+on the device side.
+
+Note that the READ_ONCE() are only needed to avoid compiler mischief in
+case the ring-buffer helpers are ever inlined.
+
+Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623
+Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com
+Cc: Miaoqing Pan <quic_miaoqing@quicinc.com>
+Cc: stable@vger.kernel.org     # 5.6
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Miaoqing Pan <quic_miaoqing@quicinc.com>
+Tested-by: Steev Klimaszewski <steev@kali.org>
+Tested-by: Jens Glathe <jens.glathe@oldschoolsolutions.biz>
+Tested-by: Clayton Craft <clayton@craftyguy.net>
+Link: https://patch.msgid.link/20250321094916.19098-1-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/ce.c  |   11 +++++------
+ drivers/net/wireless/ath/ath11k/hal.c |    4 ++--
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/ce.c
++++ b/drivers/net/wireless/ath/ath11k/ce.c
+@@ -393,11 +393,10 @@ static int ath11k_ce_completed_recv_next
+               goto err;
+       }
++      /* Make sure descriptor is read after the head pointer. */
++      dma_rmb();
++
+       *nbytes = ath11k_hal_ce_dst_status_get_length(desc);
+-      if (*nbytes == 0) {
+-              ret = -EIO;
+-              goto err;
+-      }
+       *skb = pipe->dest_ring->skb[sw_index];
+       pipe->dest_ring->skb[sw_index] = NULL;
+@@ -430,8 +429,8 @@ static void ath11k_ce_recv_process_cb(st
+               dma_unmap_single(ab->dev, ATH11K_SKB_RXCB(skb)->paddr,
+                                max_nbytes, DMA_FROM_DEVICE);
+-              if (unlikely(max_nbytes < nbytes)) {
+-                      ath11k_warn(ab, "rxed more than expected (nbytes %d, max %d)",
++              if (unlikely(max_nbytes < nbytes || nbytes == 0)) {
++                      ath11k_warn(ab, "unexpected rx length (nbytes %d, max %d)",
+                                   nbytes, max_nbytes);
+                       dev_kfree_skb_any(skb);
+                       continue;
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -599,7 +599,7 @@ u32 ath11k_hal_ce_dst_status_get_length(
+       struct hal_ce_srng_dst_status_desc *desc = buf;
+       u32 len;
+-      len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, desc->flags);
++      len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, READ_ONCE(desc->flags));
+       desc->flags &= ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN;
+       return len;
+@@ -829,7 +829,7 @@ void ath11k_hal_srng_access_begin(struct
+               srng->u.src_ring.cached_tp =
+                       *(volatile u32 *)srng->u.src_ring.tp_addr;
+       } else {
+-              srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr;
++              srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
+               /* Try to prefetch the next descriptor in the ring */
+               if (srng->flags & HAL_SRNG_FLAGS_CACHED)
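Review bot: In `ath11k_hal_ce_dst_status_get_length()` the length is now taken from `READ_ONCE(desc->flags)`, but the next line, `desc->flags &= ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN;`, loads the same field again with a plain access, so the function reads the descriptor twice. Using a single snapshot would be more consistent with the intent stated in the commit message: `u32 flags = READ_ONCE(desc->flags);`, `len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, flags);`, `desc->flags = flags & ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN;`. This matters only if the field can change between the two loads, which the visible lines do not settle. The `READ_ONCE()` sites would also benefit from a short comment saying they guard against compiler reordering if the helpers are inlined, as the commit message explains.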
diff --git a/queue-6.12/wifi-ath11k-fix-rx-completion-meta-data-corruption.patch b/queue-6.12/wifi-ath11k-fix-rx-completion-meta-data-corruption.patch
new file mode 100644 (file)
index 0000000..03cf536
--- /dev/null
@@ -0,0 +1,100 @@
+From ab52e3e44fe9b666281752e2481d11e25b0e3fdd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 21 Mar 2025 15:53:02 +0100
+Subject: wifi: ath11k: fix rx completion meta data corruption
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit ab52e3e44fe9b666281752e2481d11e25b0e3fdd upstream.
+
+Add the missing memory barrier to make sure that the REO dest ring
+descriptor is read after the head pointer to avoid using stale data on
+weakly ordered architectures like aarch64.
+
+This may fix the ring-buffer corruption worked around by commit
+f9fff67d2d7c ("wifi: ath11k: Fix SKB corruption in REO destination
+ring") by silently discarding data, and may possibly also address user
+reported errors like:
+
+       ath11k_pci 0006:01:00.0: msdu_done bit in attention is not set
+
+Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org     # 5.6
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218005
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Clayton Craft <clayton@craftyguy.net>
+Link: https://patch.msgid.link/20250321145302.4775-1-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c |   25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -2637,7 +2637,7 @@ int ath11k_dp_process_rx(struct ath11k_b
+       struct ath11k *ar;
+       struct hal_reo_dest_ring *desc;
+       enum hal_reo_dest_ring_push_reason push_reason;
+-      u32 cookie;
++      u32 cookie, info0, rx_msdu_info0, rx_mpdu_info0;
+       int i;
+       for (i = 0; i < MAX_RADIOS; i++)
+@@ -2650,11 +2650,14 @@ int ath11k_dp_process_rx(struct ath11k_b
+ try_again:
+       ath11k_hal_srng_access_begin(ab, srng);
++      /* Make sure descriptor is read after the head pointer. */
++      dma_rmb();
++
+       while (likely(desc =
+             (struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab,
+                                                                            srng))) {
+               cookie = FIELD_GET(BUFFER_ADDR_INFO1_SW_COOKIE,
+-                                 desc->buf_addr_info.info1);
++                                 READ_ONCE(desc->buf_addr_info.info1));
+               buf_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_BUF_ID,
+                                  cookie);
+               mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie);
+@@ -2683,8 +2686,9 @@ try_again:
+               num_buffs_reaped[mac_id]++;
++              info0 = READ_ONCE(desc->info0);
+               push_reason = FIELD_GET(HAL_REO_DEST_RING_INFO0_PUSH_REASON,
+-                                      desc->info0);
++                                      info0);
+               if (unlikely(push_reason !=
+                            HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION)) {
+                       dev_kfree_skb_any(msdu);
+@@ -2692,18 +2696,21 @@ try_again:
+                       continue;
+               }
+-              rxcb->is_first_msdu = !!(desc->rx_msdu_info.info0 &
++              rx_msdu_info0 = READ_ONCE(desc->rx_msdu_info.info0);
++              rx_mpdu_info0 = READ_ONCE(desc->rx_mpdu_info.info0);
++
++              rxcb->is_first_msdu = !!(rx_msdu_info0 &
+                                        RX_MSDU_DESC_INFO0_FIRST_MSDU_IN_MPDU);
+-              rxcb->is_last_msdu = !!(desc->rx_msdu_info.info0 &
++              rxcb->is_last_msdu = !!(rx_msdu_info0 &
+                                       RX_MSDU_DESC_INFO0_LAST_MSDU_IN_MPDU);
+-              rxcb->is_continuation = !!(desc->rx_msdu_info.info0 &
++              rxcb->is_continuation = !!(rx_msdu_info0 &
+                                          RX_MSDU_DESC_INFO0_MSDU_CONTINUATION);
+               rxcb->peer_id = FIELD_GET(RX_MPDU_DESC_META_DATA_PEER_ID,
+-                                        desc->rx_mpdu_info.meta_data);
++                                        READ_ONCE(desc->rx_mpdu_info.meta_data));
+               rxcb->seq_no = FIELD_GET(RX_MPDU_DESC_INFO0_SEQ_NUM,
+-                                       desc->rx_mpdu_info.info0);
++                                       rx_mpdu_info0);
+               rxcb->tid = FIELD_GET(HAL_REO_DEST_RING_INFO0_RX_QUEUE_NUM,
+-                                    desc->info0);
++                                    info0);
+               rxcb->mac_id = mac_id;
+               __skb_queue_tail(&msdu_list[mac_id], msdu);
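Review bot: The `dma_rmb()` is added in `ath11k_dp_process_rx()` after `ath11k_hal_srng_access_begin()` rather than next to the head-pointer load itself, so the ordering is guaranteed only for this caller. Any other destination-ring consumer that reads descriptors after `ath11k_hal_srng_access_begin()` would need the same barrier; those callers are not visible here, so this should be checked. If the barrier stays in the caller, extending the comment to `/* Make sure descriptor is read after the head pointer (cached in ath11k_hal_srng_access_begin()). */` would tie it to the load it pairs with. The function body starts and ends outside the hunks.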
diff --git a/queue-6.12/wifi-ath12k-fix-ring-buffer-corruption.patch b/queue-6.12/wifi-ath12k-fix-ring-buffer-corruption.patch
new file mode 100644 (file)
index 0000000..5401363
--- /dev/null
@@ -0,0 +1,99 @@
+From 6b67d2cf14ea997061f61e9c8afd4e1c0f22acb9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Fri, 21 Mar 2025 10:52:19 +0100
+Subject: wifi: ath12k: fix ring-buffer corruption
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 6b67d2cf14ea997061f61e9c8afd4e1c0f22acb9 upstream.
+
+Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes
+breaks and the log fills up with errors like:
+
+    ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492
+    ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484
+
+which based on a quick look at the ath11k driver seemed to indicate some
+kind of ring-buffer corruption.
+
+Miaoqing Pan tracked it down to the host seeing the updated destination
+ring head pointer before the updated descriptor, and the error handling
+for that in turn leaves the ring buffer in an inconsistent state.
+
+While this has not yet been observed with ath12k, the ring-buffer
+implementation is very similar to the ath11k one and it suffers from the
+same bugs.
+
+Add the missing memory barrier to make sure that the descriptor is read
+after the head pointer to address the root cause of the corruption while
+fixing up the error handling in case there are ever any (ordering) bugs
+on the device side.
+
+Note that the READ_ONCE() are only needed to avoid compiler mischief in
+case the ring-buffer helpers are ever inlined.
+
+Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Cc: stable@vger.kernel.org     # 6.3
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218623
+Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com
+Cc: Miaoqing Pan <quic_miaoqing@quicinc.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Miaoqing Pan <quic_miaoqing@quicinc.com>
+Link: https://patch.msgid.link/20250321095219.19369-1-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath12k/ce.c  |   11 +++++------
+ drivers/net/wireless/ath/ath12k/hal.c |    4 ++--
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath12k/ce.c
++++ b/drivers/net/wireless/ath/ath12k/ce.c
+@@ -343,11 +343,10 @@ static int ath12k_ce_completed_recv_next
+               goto err;
+       }
++      /* Make sure descriptor is read after the head pointer. */
++      dma_rmb();
++
+       *nbytes = ath12k_hal_ce_dst_status_get_length(desc);
+-      if (*nbytes == 0) {
+-              ret = -EIO;
+-              goto err;
+-      }
+       *skb = pipe->dest_ring->skb[sw_index];
+       pipe->dest_ring->skb[sw_index] = NULL;
+@@ -380,8 +379,8 @@ static void ath12k_ce_recv_process_cb(st
+               dma_unmap_single(ab->dev, ATH12K_SKB_RXCB(skb)->paddr,
+                                max_nbytes, DMA_FROM_DEVICE);
+-              if (unlikely(max_nbytes < nbytes)) {
+-                      ath12k_warn(ab, "rxed more than expected (nbytes %d, max %d)",
++              if (unlikely(max_nbytes < nbytes || nbytes == 0)) {
++                      ath12k_warn(ab, "unexpected rx length (nbytes %d, max %d)",
+                                   nbytes, max_nbytes);
+                       dev_kfree_skb_any(skb);
+                       continue;
+--- a/drivers/net/wireless/ath/ath12k/hal.c
++++ b/drivers/net/wireless/ath/ath12k/hal.c
+@@ -1943,7 +1943,7 @@ u32 ath12k_hal_ce_dst_status_get_length(
+ {
+       u32 len;
+-      len = le32_get_bits(desc->flags, HAL_CE_DST_STATUS_DESC_FLAGS_LEN);
++      len = le32_get_bits(READ_ONCE(desc->flags), HAL_CE_DST_STATUS_DESC_FLAGS_LEN);
+       desc->flags &= ~cpu_to_le32(HAL_CE_DST_STATUS_DESC_FLAGS_LEN);
+       return len;
+@@ -2113,7 +2113,7 @@ void ath12k_hal_srng_access_begin(struct
+               srng->u.src_ring.cached_tp =
+                       *(volatile u32 *)srng->u.src_ring.tp_addr;
+       else
+-              srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr;
++              srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
+ }
+ /* Update cached ring head/tail pointers to HW. ath12k_hal_srng_access_begin()
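Review bot: The `nbytes == 0` test that now lives in `ath12k_ce_recv_process_cb()` has no comment saying what a zero length means, and the reason is not visible at the check. `ath12k_hal_ce_dst_status_get_length()` clears the length field after reading it, so a zero presumably marks a descriptor the device has not rewritten yet, which is the stale read the new `dma_rmb()` is there to prevent. I would add above the check `/* nbytes comes from a device-written descriptor; 0 means it was stale, so drop the buffer and let the ring advance */`. In the hal.c helper the following `desc->flags &= ...` still reads the field a second time without the annotation used one line earlier; harmless per the commit message, but worth a word in the comment if it is intentional. Both functions start and end outside the visible context.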
diff --git a/queue-6.12/wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch b/queue-6.12/wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch
new file mode 100644 (file)
index 0000000..c00d778
--- /dev/null
@@ -0,0 +1,64 @@
+From 77a6407c6ab240527166fb19ee96e95f5be4d3cd Mon Sep 17 00:00:00 2001
+From: Mingcong Bai <jeffbai@aosc.io>
+Date: Tue, 22 Apr 2025 14:17:54 +0800
+Subject: wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723
+
+From: Mingcong Bai <jeffbai@aosc.io>
+
+commit 77a6407c6ab240527166fb19ee96e95f5be4d3cd upstream.
+
+RTL8723BE found on some ASUSTek laptops, such as F441U and X555UQ with
+subsystem ID 11ad:1723 are known to output large amounts of PCIe AER
+errors during and after boot up, causing heavy lags and at times lock-ups:
+
+  pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5
+  pcieport 0000:00:1c.5: PCIe Bus Error: severity=Correctable, type=Physical Layer, (Receiver ID)
+  pcieport 0000:00:1c.5:   device [8086:9d15] error status/mask=00000001/00002000
+  pcieport 0000:00:1c.5:    [ 0] RxErr
+
+Disable ASPM on this combo as a quirk.
+
+This patch is a revision of a previous patch (linked below) which
+attempted to disable ASPM for RTL8723BE on all Intel Skylake and Kaby Lake
+PCIe bridges. I take a more conservative approach as all known reports
+point to ASUSTek laptops of these two generations with this particular
+wireless card.
+
+Please note, however, before the rtl8723be finishes probing, the AER
+errors remained. After the module finishes probing, all AER errors would
+indeed be eliminated, along with heavy lags, poor network throughput,
+and/or occasional lock-ups.
+
+Cc: <stable@vger.kernel.org>
+Fixes: a619d1abe20c ("rtlwifi: rtl8723be: Add new driver")
+Reported-by: Liangliang Zou <rawdiamondmc@outlook.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218127
+Link: https://lore.kernel.org/lkml/05390e0b-27fd-4190-971e-e70a498c8221@lwfinger.net/T/
+Tested-by: Liangliang Zou <rawdiamondmc@outlook.com>
+Signed-off-by: Mingcong Bai <jeffbai@aosc.io>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250422061755.356535-1-jeffbai@aosc.io
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -155,6 +155,16 @@ static void _rtl_pci_update_default_sett
+           ((u8)init_aspm) == (PCI_EXP_LNKCTL_ASPM_L0S |
+                               PCI_EXP_LNKCTL_ASPM_L1 | PCI_EXP_LNKCTL_CCC))
+               ppsc->support_aspm = false;
++
++      /* RTL8723BE found on some ASUSTek laptops, such as F441U and
++       * X555UQ with subsystem ID 11ad:1723 are known to output large
++       * amounts of PCIe AER errors during and after boot up, causing
++       * heavy lags, poor network throughput, and occasional lock-ups.
++       */
++      if (rtlpriv->rtlhal.hw_type == HARDWARE_TYPE_RTL8723BE &&
++          (rtlpci->pdev->subsystem_vendor == 0x11ad &&
++           rtlpci->pdev->subsystem_device == 0x1723))
++              ppsc->support_aspm = false;
+ }
+ static bool _rtl_pci_platform_switch_device_pci_aspm(
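Review bot: The new comment in `_rtl_pci_update_default_setting()` describes the symptom but never states what the code under it does, and the condition matches on the card's subsystem ID alone rather than on the laptop models the comment names. I would end the comment with `Disable ASPM for this subsystem ID.` so both the action and its real scope are on record. The inner parentheses around the two `subsystem_*` comparisons are redundant, since all three terms are joined with `&&`. The function starts outside the hunk.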
diff --git a/queue-6.12/wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch b/queue-6.12/wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch
new file mode 100644 (file)
index 0000000..1e88209
--- /dev/null
@@ -0,0 +1,57 @@
+From 490340faddea461319652ce36dbc7c1b4482c35e Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Date: Sat, 10 May 2025 15:21:25 +0300
+Subject: wifi: rtw88: usb: Reduce control message timeout to 500 ms
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+commit 490340faddea461319652ce36dbc7c1b4482c35e upstream.
+
+RTL8811AU stops responding during the firmware download on some systems:
+
+[  809.256440] rtw_8821au 5-2.1:1.0: Firmware version 42.4.0, H2C version 0
+[  812.759142] rtw_8821au 5-2.1:1.0 wlp48s0f4u2u1: renamed from wlan0
+[  837.315388] rtw_8821au 1-4:1.0: write register 0x1ef4 failed with -110
+[  867.524259] rtw_8821au 1-4:1.0: write register 0x1ef8 failed with -110
+[  868.930976] rtw_8821au 5-2.1:1.0 wlp48s0f4u2u1: entered promiscuous mode
+[  897.730952] rtw_8821au 1-4:1.0: write register 0x1efc failed with -110
+
+Each write takes 30 seconds to fail because that's the timeout currently
+used for control messages in rtw_usb_write().
+
+In this scenario the firmware download takes at least 2000 seconds.
+Because this is done from the USB probe function, the long delay makes
+other things in the system hang.
+
+Reduce the timeout to 500 ms. This is the value used by the official USB
+wifi drivers from Realtek.
+
+Of course this only makes things hang for ~30 seconds instead of ~30
+minutes. It doesn't fix the firmware download.
+
+Tested with RTL8822CU, RTL8812BU, RTL8811CU, RTL8814AU, RTL8811AU,
+RTL8812AU, RTL8821AU, RTL8723DU.
+
+Cc: stable@vger.kernel.org
+Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support")
+Link: https://github.com/lwfinger/rtw88/issues/344
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/1e35dd26-3f10-40b1-b2b4-f72184a26611@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/usb.c
++++ b/drivers/net/wireless/realtek/rtw88/usb.c
+@@ -138,7 +138,7 @@ static void rtw_usb_write(struct rtw_dev
+       ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+                             RTW_USB_CMD_REQ, RTW_USB_CMD_WRITE,
+-                            addr, 0, data, len, 30000);
++                            addr, 0, data, len, 500);
+       if (ret < 0 && ret != -ENODEV && count++ < 4)
+               rtw_err(rtwdev, "write register 0x%x failed with %d\n",
+                       addr, ret);
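Review bot: The new timeout in `rtw_usb_write()` is a bare `500` with no unit, and the firmware-page writer added by the next patch in this queue repeats the same literal. A named constant carrying the unit, e.g. `#define RTW_USB_CTRL_WRITE_TIMEOUT_MS 500` (name constructed here), passed as `addr, 0, data, len, RTW_USB_CTRL_WRITE_TIMEOUT_MS);`, would keep the two call sites in step. The commit message itself says a non-responding device still stalls probe for about 30 seconds, so a one-line comment that the value bounds each failed write, not the whole firmware download, would help the next reader. `rtw_usb_write()` continues outside the hunk.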
diff --git a/queue-6.12/wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch b/queue-6.12/wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch
new file mode 100644 (file)
index 0000000..8e455d4
--- /dev/null
@@ -0,0 +1,219 @@
+From 80fe0bc1659c0ccc79d082e426fa376be5df9c04 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Date: Sat, 10 May 2025 15:22:24 +0300
+Subject: wifi: rtw88: usb: Upload the firmware in bigger chunks
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+commit 80fe0bc1659c0ccc79d082e426fa376be5df9c04 upstream.
+
+RTL8811AU stops responding during the firmware download on some systems:
+
+[  809.256440] rtw_8821au 5-2.1:1.0: Firmware version 42.4.0, H2C version 0
+[  812.759142] rtw_8821au 5-2.1:1.0 wlp48s0f4u2u1: renamed from wlan0
+[  837.315388] rtw_8821au 1-4:1.0: write register 0x1ef4 failed with -110
+[  867.524259] rtw_8821au 1-4:1.0: write register 0x1ef8 failed with -110
+[  868.930976] rtw_8821au 5-2.1:1.0 wlp48s0f4u2u1: entered promiscuous mode
+[  897.730952] rtw_8821au 1-4:1.0: write register 0x1efc failed with -110
+
+Maybe it takes too long when writing the firmware 4 bytes at a time.
+
+Write 196 bytes at a time for RTL8821AU, RTL8811AU, and RTL8812AU,
+and 254 bytes at a time for RTL8723DU. These are the sizes used in
+their official drivers. Tested with all these chips.
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/lwfinger/rtw88/issues/344
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/43f1daad-3ec0-4a3b-a50c-9cd9eb2c2f52@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/hci.h  |    8 ++++
+ drivers/net/wireless/realtek/rtw88/mac.c  |   11 +++---
+ drivers/net/wireless/realtek/rtw88/mac.h  |    2 +
+ drivers/net/wireless/realtek/rtw88/pci.c  |    2 +
+ drivers/net/wireless/realtek/rtw88/sdio.c |    2 +
+ drivers/net/wireless/realtek/rtw88/usb.c  |   55 ++++++++++++++++++++++++++++++
+ 6 files changed, 76 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/hci.h
++++ b/drivers/net/wireless/realtek/rtw88/hci.h
+@@ -19,6 +19,8 @@ struct rtw_hci_ops {
+       void (*link_ps)(struct rtw_dev *rtwdev, bool enter);
+       void (*interface_cfg)(struct rtw_dev *rtwdev);
+       void (*dynamic_rx_agg)(struct rtw_dev *rtwdev, bool enable);
++      void (*write_firmware_page)(struct rtw_dev *rtwdev, u32 page,
++                                  const u8 *data, u32 size);
+       int (*write_data_rsvd_page)(struct rtw_dev *rtwdev, u8 *buf, u32 size);
+       int (*write_data_h2c)(struct rtw_dev *rtwdev, u8 *buf, u32 size);
+@@ -79,6 +81,12 @@ static inline void rtw_hci_dynamic_rx_ag
+               rtwdev->hci.ops->dynamic_rx_agg(rtwdev, enable);
+ }
++static inline void rtw_hci_write_firmware_page(struct rtw_dev *rtwdev, u32 page,
++                                             const u8 *data, u32 size)
++{
++      rtwdev->hci.ops->write_firmware_page(rtwdev, page, data, size);
++}
++
+ static inline int
+ rtw_hci_write_data_rsvd_page(struct rtw_dev *rtwdev, u8 *buf, u32 size)
+ {
+--- a/drivers/net/wireless/realtek/rtw88/mac.c
++++ b/drivers/net/wireless/realtek/rtw88/mac.c
+@@ -854,8 +854,8 @@ fwdl_ready:
+       }
+ }
+-static void
+-write_firmware_page(struct rtw_dev *rtwdev, u32 page, const u8 *data, u32 size)
++void rtw_write_firmware_page(struct rtw_dev *rtwdev, u32 page,
++                           const u8 *data, u32 size)
+ {
+       u32 val32;
+       u32 block_nr;
+@@ -885,6 +885,7 @@ write_firmware_page(struct rtw_dev *rtwd
+               rtw_write32(rtwdev, write_addr, le32_to_cpu(remain_data));
+       }
+ }
++EXPORT_SYMBOL(rtw_write_firmware_page);
+ static int
+ download_firmware_legacy(struct rtw_dev *rtwdev, const u8 *data, u32 size)
+@@ -902,11 +903,13 @@ download_firmware_legacy(struct rtw_dev
+       rtw_write8_set(rtwdev, REG_MCUFW_CTRL, BIT_FWDL_CHK_RPT);
+       for (page = 0; page < total_page; page++) {
+-              write_firmware_page(rtwdev, page, data, DLFW_PAGE_SIZE_LEGACY);
++              rtw_hci_write_firmware_page(rtwdev, page, data,
++                                          DLFW_PAGE_SIZE_LEGACY);
+               data += DLFW_PAGE_SIZE_LEGACY;
+       }
+       if (last_page_size)
+-              write_firmware_page(rtwdev, page, data, last_page_size);
++              rtw_hci_write_firmware_page(rtwdev, page, data,
++                                          last_page_size);
+       if (!check_hw_ready(rtwdev, REG_MCUFW_CTRL, BIT_FWDL_CHK_RPT, 1)) {
+               rtw_err(rtwdev, "failed to check download firmware report\n");
+--- a/drivers/net/wireless/realtek/rtw88/mac.h
++++ b/drivers/net/wireless/realtek/rtw88/mac.h
+@@ -32,6 +32,8 @@ void rtw_set_channel_mac(struct rtw_dev
+                        u8 primary_ch_idx);
+ int rtw_mac_power_on(struct rtw_dev *rtwdev);
+ void rtw_mac_power_off(struct rtw_dev *rtwdev);
++void rtw_write_firmware_page(struct rtw_dev *rtwdev, u32 page,
++                           const u8 *data, u32 size);
+ int rtw_download_firmware(struct rtw_dev *rtwdev, struct rtw_fw_state *fw);
+ int rtw_mac_init(struct rtw_dev *rtwdev);
+ void rtw_mac_flush_queues(struct rtw_dev *rtwdev, u32 queues, bool drop);
+--- a/drivers/net/wireless/realtek/rtw88/pci.c
++++ b/drivers/net/wireless/realtek/rtw88/pci.c
+@@ -12,6 +12,7 @@
+ #include "fw.h"
+ #include "ps.h"
+ #include "debug.h"
++#include "mac.h"
+ static bool rtw_disable_msi;
+ static bool rtw_pci_disable_aspm;
+@@ -1602,6 +1603,7 @@ static struct rtw_hci_ops rtw_pci_ops =
+       .link_ps = rtw_pci_link_ps,
+       .interface_cfg = rtw_pci_interface_cfg,
+       .dynamic_rx_agg = NULL,
++      .write_firmware_page = rtw_write_firmware_page,
+       .read8 = rtw_pci_read8,
+       .read16 = rtw_pci_read16,
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -10,6 +10,7 @@
+ #include <linux/mmc/host.h>
+ #include <linux/mmc/sdio_func.h>
+ #include "main.h"
++#include "mac.h"
+ #include "debug.h"
+ #include "fw.h"
+ #include "ps.h"
+@@ -1155,6 +1156,7 @@ static struct rtw_hci_ops rtw_sdio_ops =
+       .link_ps = rtw_sdio_link_ps,
+       .interface_cfg = rtw_sdio_interface_cfg,
+       .dynamic_rx_agg = NULL,
++      .write_firmware_page = rtw_write_firmware_page,
+       .read8 = rtw_sdio_read8,
+       .read16 = rtw_sdio_read16,
+--- a/drivers/net/wireless/realtek/rtw88/usb.c
++++ b/drivers/net/wireless/realtek/rtw88/usb.c
+@@ -164,6 +164,60 @@ static void rtw_usb_write32(struct rtw_d
+       rtw_usb_write(rtwdev, addr, val, 4);
+ }
++static void rtw_usb_write_firmware_page(struct rtw_dev *rtwdev, u32 page,
++                                      const u8 *data, u32 size)
++{
++      struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev);
++      struct usb_device *udev = rtwusb->udev;
++      u32 addr = FW_START_ADDR_LEGACY;
++      u8 *data_dup, *buf;
++      u32 n, block_size;
++      int ret;
++
++      switch (rtwdev->chip->id) {
++      case RTW_CHIP_TYPE_8723D:
++              block_size = 254;
++              break;
++      default:
++              block_size = 196;
++              break;
++      }
++
++      data_dup = kmemdup(data, size, GFP_KERNEL);
++      if (!data_dup)
++              return;
++
++      buf = data_dup;
++
++      rtw_write32_mask(rtwdev, REG_MCUFW_CTRL, BIT_ROM_PGE, page);
++
++      while (size > 0) {
++              if (size >= block_size)
++                      n = block_size;
++              else if (size >= 8)
++                      n = 8;
++              else
++                      n = 1;
++
++              ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
++                                    RTW_USB_CMD_REQ, RTW_USB_CMD_WRITE,
++                                    addr, 0, buf, n, 500);
++              if (ret != n) {
++                      if (ret != -ENODEV)
++                              rtw_err(rtwdev,
++                                      "write 0x%x len %d failed: %d\n",
++                                      addr, n, ret);
++                      break;
++              }
++
++              addr += n;
++              buf += n;
++              size -= n;
++      }
++
++      kfree(data_dup);
++}
++
+ static int dma_mapping_to_ep(enum rtw_dma_mapping dma_mapping)
+ {
+       switch (dma_mapping) {
+@@ -815,6 +869,7 @@ static struct rtw_hci_ops rtw_usb_ops =
+       .link_ps = rtw_usb_link_ps,
+       .interface_cfg = rtw_usb_interface_cfg,
+       .dynamic_rx_agg = rtw_usb_dynamic_rx_agg,
++      .write_firmware_page = rtw_usb_write_firmware_page,
+       .write8  = rtw_usb_write8,
+       .write16 = rtw_usb_write16,