--- /dev/null
+From 36d202241d234fa4ac50743510d098ad52bd193a Mon Sep 17 00:00:00 2001
+From: Gabor Juhos <j4g8y7@gmail.com>
+Date: Tue, 22 Oct 2024 11:45:56 +0200
+Subject: clk: qcom: gcc-qcs404: fix initial rate of GPLL3
+
+From: Gabor Juhos <j4g8y7@gmail.com>
+
+commit 36d202241d234fa4ac50743510d098ad52bd193a upstream.
+
+The comment before the config of the GPLL3 PLL says that the
+PLL should run at 930 MHz. In contrary to this, calculating
+the frequency from the current configuration values by using
+19.2 MHz as input frequency defined in 'qcs404.dtsi', it gives
+921.6 MHz:
+
+ $ xo=19200000; l=48; alpha=0x0; alpha_hi=0x0
+ $ echo "$xo * ($((l)) + $(((alpha_hi << 32 | alpha) >> 8)) / 2^32)" | bc -l
+ 921600000.00000000000000000000
+
+Set 'alpha_hi' in the configuration to a value used in downstream
+kernels [1][2] in order to get the correct output rate:
+
+ $ xo=19200000; l=48; alpha=0x0; alpha_hi=0x70
+ $ echo "$xo * ($((l)) + $(((alpha_hi << 32 | alpha) >> 8)) / 2^32)" | bc -l
+ 930000000.00000000000000000000
+
+The change is based on static code analysis, compile tested only.
+
+[1] https://git.codelinaro.org/clo/la/kernel/msm-5.4/-/blob/kernel.lnx.5.4.r56-rel/drivers/clk/qcom/gcc-qcs404.c?ref_type=heads#L335
+[2} https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/blob/kernel.lnx.5.15.r49-rel/drivers/clk/qcom/gcc-qcs404.c?ref_type=heads#L127
+
+Cc: stable@vger.kernel.org
+Fixes: 652f1813c113 ("clk: qcom: gcc: Add global clock controller driver for QCS404")
+Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
+Link: https://lore.kernel.org/r/20241022-fix-gcc-qcs404-gpll3-v1-1-c4d30d634d19@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gcc-qcs404.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/clk/qcom/gcc-qcs404.c
++++ b/drivers/clk/qcom/gcc-qcs404.c
+@@ -131,6 +131,7 @@ static struct clk_alpha_pll gpll1_out_ma
+ /* 930MHz configuration */
+ static const struct alpha_pll_config gpll3_config = {
+ .l = 48,
++ .alpha_hi = 0x70,
+ .alpha = 0x0,
+ .alpha_en_mask = BIT(24),
+ .post_div_mask = 0xf << 8,
--- /dev/null
+From 06d39d79cbd5a91a33707951ebf2512d0e759847 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Sun, 13 Oct 2024 15:19:04 +0200
+Subject: efi/libstub: Free correct pointer on failure
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 06d39d79cbd5a91a33707951ebf2512d0e759847 upstream.
+
+cmdline_ptr is an out parameter, which is not allocated by the function
+itself, and likely points into the caller's stack.
+
+cmdline refers to the pool allocation that should be freed when cleaning
+up after a failure, so pass this instead to free_pool().
+
+Fixes: 42c8ea3dca09 ("efi: libstub: Factor out EFI stub entrypoint ...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/libstub/efi-stub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/libstub/efi-stub.c
++++ b/drivers/firmware/efi/libstub/efi-stub.c
+@@ -149,7 +149,7 @@ efi_status_t efi_handle_cmdline(efi_load
+ return EFI_SUCCESS;
+
+ fail_free_cmdline:
+- efi_bs_call(free_pool, cmdline_ptr);
++ efi_bs_call(free_pool, cmdline);
+ return status;
+ }
+
--- /dev/null
+From 45af52e7d3b8560f21d139b3759735eead8b1653 Mon Sep 17 00:00:00 2001
+From: guoweikang <guoweikang.kernel@gmail.com>
+Date: Wed, 20 Nov 2024 13:27:49 +0800
+Subject: ftrace: Fix regression with module command in stack_trace_filter
+
+From: guoweikang <guoweikang.kernel@gmail.com>
+
+commit 45af52e7d3b8560f21d139b3759735eead8b1653 upstream.
+
+When executing the following command:
+
+ # echo "write*:mod:ext3" > /sys/kernel/tracing/stack_trace_filter
+
+The current mod command causes a null pointer dereference. While commit
+0f17976568b3f ("ftrace: Fix regression with module command in stack_trace_filter")
+has addressed part of the issue, it left a corner case unhandled, which still
+results in a kernel crash.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://lore.kernel.org/20241120052750.275463-1-guoweikang.kernel@gmail.com
+Fixes: 04ec7bb642b77 ("tracing: Have the trace_array hold the list of registered func probes");
+Signed-off-by: guoweikang <guoweikang.kernel@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -4562,6 +4562,9 @@ ftrace_mod_callback(struct trace_array *
+ char *func;
+ int ret;
+
++ if (!tr)
++ return -ENODEV;
++
+ /* match_records() modifies func, and we need the original */
+ func = kstrdup(func_orig, GFP_KERNEL);
+ if (!func)
--- /dev/null
+From d71fa842d33c48ac2809ae11d2379b5a788792cb Mon Sep 17 00:00:00 2001
+From: Mostafa Saleh <smostafa@google.com>
+Date: Thu, 24 Oct 2024 16:25:15 +0000
+Subject: iommu/io-pgtable-arm: Fix stage-2 map/unmap for concatenated tables
+
+From: Mostafa Saleh <smostafa@google.com>
+
+commit d71fa842d33c48ac2809ae11d2379b5a788792cb upstream.
+
+ARM_LPAE_LVL_IDX() takes into account concatenated PGDs and can return
+an index spanning multiple page-table pages given a sufficiently large
+input address. However, when the resulting index is used to calculate
+the number of remaining entries in the page, the possibility of
+concatenation is ignored and we end up computing a negative upper bound:
+
+ max_entries = ARM_LPAE_PTES_PER_TABLE(data) - map_idx_start;
+
+On the map path, this results in a negative 'mapped' value being
+returned but on the unmap path we can leak child tables if they are
+skipped in __arm_lpae_free_pgtable().
+
+Introduce an arm_lpae_max_entries() helper to convert a table index into
+the remaining number of entries within a single page-table page.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mostafa Saleh <smostafa@google.com>
+Link: https://lore.kernel.org/r/20241024162516.2005652-2-smostafa@google.com
+[will: Tweaked comment and commit message]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/io-pgtable-arm.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/io-pgtable-arm.c
++++ b/drivers/iommu/io-pgtable-arm.c
+@@ -180,6 +180,18 @@ static phys_addr_t iopte_to_paddr(arm_lp
+ return (paddr | (paddr << (48 - 12))) & (ARM_LPAE_PTE_ADDR_MASK << 4);
+ }
+
++/*
++ * Convert an index returned by ARM_LPAE_PGD_IDX(), which can point into
++ * a concatenated PGD, into the maximum number of entries that can be
++ * mapped in the same table page.
++ */
++static inline int arm_lpae_max_entries(int i, struct arm_lpae_io_pgtable *data)
++{
++ int ptes_per_table = ARM_LPAE_PTES_PER_TABLE(data);
++
++ return ptes_per_table - (i & (ptes_per_table - 1));
++}
++
+ static bool selftest_running = false;
+
+ static dma_addr_t __arm_lpae_dma_addr(void *pages)
+@@ -357,7 +369,7 @@ static int __arm_lpae_map(struct arm_lpa
+
+ /* If we can install a leaf entry at this level, then do so */
+ if (size == block_size) {
+- max_entries = ARM_LPAE_PTES_PER_TABLE(data) - map_idx_start;
++ max_entries = arm_lpae_max_entries(map_idx_start, data);
+ num_entries = min_t(int, pgcount, max_entries);
+ ret = arm_lpae_init_pte(data, iova, paddr, prot, lvl, num_entries, ptep);
+ if (!ret)
+@@ -557,7 +569,7 @@ static size_t arm_lpae_split_blk_unmap(s
+
+ if (size == split_sz) {
+ unmap_idx_start = ARM_LPAE_LVL_IDX(iova, lvl, data);
+- max_entries = ptes_per_table - unmap_idx_start;
++ max_entries = arm_lpae_max_entries(unmap_idx_start, data);
+ num_entries = min_t(int, pgcount, max_entries);
+ }
+
+@@ -615,7 +627,7 @@ static size_t __arm_lpae_unmap(struct ar
+
+ /* If the size matches this level, we're in the right place */
+ if (size == ARM_LPAE_BLOCK_SIZE(lvl, data)) {
+- max_entries = ARM_LPAE_PTES_PER_TABLE(data) - unmap_idx_start;
++ max_entries = arm_lpae_max_entries(unmap_idx_start, data);
+ num_entries = min_t(int, pgcount, max_entries);
+
+ while (i < num_entries) {
--- /dev/null
+From 09b1ef9813a0742674f7efe26104403ca94a1b4a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Vok=C3=A1=C4=8D?= <michal.vokac@ysoft.com>
+Date: Thu, 17 Oct 2024 17:08:12 +0200
+Subject: leds: lp55xx: Remove redundant test for invalid channel number
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Vokáč <michal.vokac@ysoft.com>
+
+commit 09b1ef9813a0742674f7efe26104403ca94a1b4a upstream.
+
+Since commit 92a81562e695 ("leds: lp55xx: Add multicolor framework
+support to lp55xx") there are two subsequent tests if the chan_nr
+(reg property) is in valid range. One in the lp55xx_init_led()
+function and one in the lp55xx_parse_common_child() function that
+was added with the mentioned commit.
+
+There are two issues with that.
+
+First is in the lp55xx_parse_common_child() function where the reg
+property is tested right after it is read from the device tree.
+Test for the upper range is not correct though. Valid reg values are
+0 to (max_channel - 1) so it should be >=.
+
+Second issue is that in case the parsed value is out of the range
+the probe just fails and no error message is shown as the code never
+reaches the second test that prints and error message.
+
+Remove the test form lp55xx_parse_common_child() function completely
+and keep the one in lp55xx_init_led() function to deal with it.
+
+Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
+Link: https://lore.kernel.org/r/20241017150812.3563629-1-michal.vokac@ysoft.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/leds-lp55xx-common.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/leds/leds-lp55xx-common.c
++++ b/drivers/leds/leds-lp55xx-common.c
+@@ -580,9 +580,6 @@ static int lp55xx_parse_common_child(str
+ if (ret)
+ return ret;
+
+- if (*chan_nr < 0 || *chan_nr > cfg->max_channel)
+- return -EINVAL;
+-
+ return 0;
+ }
+
--- /dev/null
+From 0ea120b278ad7f7cfeeb606e150ad04b192df60b Mon Sep 17 00:00:00 2001
+From: Wei Yang <richard.weiyang@gmail.com>
+Date: Thu, 31 Oct 2024 23:16:26 +0000
+Subject: maple_tree: refine mas_store_root() on storing NULL
+
+From: Wei Yang <richard.weiyang@gmail.com>
+
+commit 0ea120b278ad7f7cfeeb606e150ad04b192df60b upstream.
+
+Currently, when storing NULL on mas_store_root(), the behavior could be
+improved.
+
+Storing NULLs over the entire tree may result in a node being used to
+store a single range. Further stores of NULL may cause the node and
+tree to be corrupt and cause incorrect behaviour. Fixing the store to
+the root null fixes the issue by ensuring that a range of 0 - ULONG_MAX
+results in an empty tree.
+
+Users of the tree may experience incorrect values returned if the tree
+was expanded to store values, then overwritten by all NULLS, then
+continued to store NULLs over the empty area.
+
+For example possible cases are:
+
+ * store NULL at any range result a new node
+ * store NULL at range [m, n] where m > 0 to a single entry tree result
+ a new node with range [m, n] set to NULL
+ * store NULL at range [m, n] where m > 0 to an empty tree result
+ consecutive NULL slot
+ * it allows for multiple NULL entries by expanding root
+ to store NULLs to an empty tree
+
+This patch tries to improve in:
+
+ * memory efficient by setting to empty tree instead of using a node
+ * remove the possibility of consecutive NULL slot which will prohibit
+ extended null in later operation
+
+Link: https://lkml.kernel.org/r/20241031231627.14316-5-richard.weiyang@gmail.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
+Reviewed-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
+Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
+Cc: Sidhartha Kumar <sidhartha.kumar@oracle.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -3547,9 +3547,20 @@ static inline int mas_root_expand(struct
+ return slot;
+ }
+
++/*
++ * mas_store_root() - Storing value into root.
++ * @mas: The maple state
++ * @entry: The entry to store.
++ *
++ * There is no root node now and we are storing a value into the root - this
++ * function either assigns the pointer or expands into a node.
++ */
+ static inline void mas_store_root(struct ma_state *mas, void *entry)
+ {
+- if (likely((mas->last != 0) || (mas->index != 0)))
++ if (!entry) {
++ if (!mas->index)
++ rcu_assign_pointer(mas->tree->ma_root, NULL);
++ } else if (likely((mas->last != 0) || (mas->index != 0)))
+ mas_root_expand(mas, entry);
+ else if (((unsigned long) (entry) & 3) == 2)
+ mas_root_expand(mas, entry);
--- /dev/null
+From 316e74500d1c6589cba28cebe2864a0bceeb2396 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+Date: Fri, 1 Nov 2024 17:40:49 +0800
+Subject: media: amphion: Fix pm_runtime_set_suspended() with runtime pm enabled
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+commit 316e74500d1c6589cba28cebe2864a0bceeb2396 upstream.
+
+It is not valid to call pm_runtime_set_suspended() for devices
+with runtime PM enabled because it returns -EAGAIN if it is enabled
+already and working. So, call pm_runtime_disable() before to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: b50a64fc54af ("media: amphion: add amphion vpu device driver")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/amphion/vpu_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/amphion/vpu_drv.c
++++ b/drivers/media/platform/amphion/vpu_drv.c
+@@ -151,8 +151,8 @@ err_add_decoder:
+ media_device_cleanup(&vpu->mdev);
+ v4l2_device_unregister(&vpu->v4l2_dev);
+ err_vpu_deinit:
+- pm_runtime_set_suspended(dev);
+ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
+
+ return ret;
+ }
--- /dev/null
+From d2842dec577900031826dc44e9bf0c66416d7173 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+Date: Mon, 28 Oct 2024 16:02:56 +0800
+Subject: media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+commit d2842dec577900031826dc44e9bf0c66416d7173 upstream.
+
+In set_frame_rate(), select a rate in rate_0 or rate_1 by checking
+sd->frame_rate >= r->fps in a loop, but the loop condition terminates when
+the index reaches zero, which fails to check the last elememt in rate_0 or
+rate_1.
+
+Check for >= 0 so that the last one in rate_0 or rate_1 is also checked.
+
+Fixes: 189d92af707e ("V4L/DVB (13422): gspca - ov534: ov772x changes from Richard Kaswy.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/gspca/ov534.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/ov534.c
++++ b/drivers/media/usb/gspca/ov534.c
+@@ -847,7 +847,7 @@ static void set_frame_rate(struct gspca_
+ r = rate_1;
+ i = ARRAY_SIZE(rate_1);
+ }
+- while (--i > 0) {
++ while (--i >= 0) {
+ if (sd->frame_rate >= r->fps)
+ break;
+ r++;
--- /dev/null
+From 869f38ae07f7df829da4951c3d1f7a2be09c2e9a Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+Date: Wed, 9 Oct 2024 09:05:44 +0300
+Subject: media: i2c: tc358743: Fix crash in the probe error path when using polling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+
+commit 869f38ae07f7df829da4951c3d1f7a2be09c2e9a upstream.
+
+If an error occurs in the probe() function, we should remove the polling
+timer that was alarmed earlier, otherwise the timer is called with
+arguments that are already freed, which results in a crash.
+
+------------[ cut here ]------------
+WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268
+Modules linked in:
+CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226
+Hardware name: Diasom DS-RK3568-SOM-EVB (DT)
+pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : __run_timers+0x244/0x268
+lr : __run_timers+0x1d4/0x268
+sp : ffffff80eff2baf0
+x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00
+x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00
+x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000
+x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff
+x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e
+x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000
+x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009
+x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480
+x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240
+x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0
+Call trace:
+ __run_timers+0x244/0x268
+ timer_expire_remote+0x50/0x68
+ tmigr_handle_remote+0x388/0x39c
+ run_timer_softirq+0x38/0x44
+ handle_softirqs+0x138/0x298
+ __do_softirq+0x14/0x20
+ ____do_softirq+0x10/0x1c
+ call_on_irq_stack+0x24/0x4c
+ do_softirq_own_stack+0x1c/0x2c
+ irq_exit_rcu+0x9c/0xcc
+ el1_interrupt+0x48/0xc0
+ el1h_64_irq_handler+0x18/0x24
+ el1h_64_irq+0x7c/0x80
+ default_idle_call+0x34/0x68
+ do_idle+0x23c/0x294
+ cpu_startup_entry+0x38/0x3c
+ secondary_start_kernel+0x128/0x160
+ __secondary_switched+0xb8/0xbc
+---[ end trace 0000000000000000 ]---
+
+Fixes: 4e66a52a2e4c ("[media] tc358743: Add support for platforms without IRQ line")
+Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/tc358743.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -2159,8 +2159,10 @@ static int tc358743_probe(struct i2c_cli
+
+ err_work_queues:
+ cec_unregister_adapter(state->cec_adap);
+- if (!state->i2c_client->irq)
++ if (!state->i2c_client->irq) {
++ del_timer(&state->timer);
+ flush_work(&state->work_i2c_poll);
++ }
+ cancel_delayed_work(&state->delayed_work_enable_hotplug);
+ mutex_destroy(&state->confctl_mutex);
+ err_hdl:
--- /dev/null
+From fd0af4cd35da0eb550ef682b71cda70a4e36f6b9 Mon Sep 17 00:00:00 2001
+From: Ming Qian <ming.qian@nxp.com>
+Date: Fri, 13 Sep 2024 15:22:54 +0900
+Subject: media: imx-jpeg: Ensure power suppliers be suspended before detach them
+
+From: Ming Qian <ming.qian@nxp.com>
+
+commit fd0af4cd35da0eb550ef682b71cda70a4e36f6b9 upstream.
+
+The power suppliers are always requested to suspend asynchronously,
+dev_pm_domain_detach() requires the caller to ensure proper
+synchronization of this function with power management callbacks.
+otherwise the detach may led to kernel panic, like below:
+
+[ 1457.107934] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040
+[ 1457.116777] Mem abort info:
+[ 1457.119589] ESR = 0x0000000096000004
+[ 1457.123358] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 1457.128692] SET = 0, FnV = 0
+[ 1457.131764] EA = 0, S1PTW = 0
+[ 1457.134920] FSC = 0x04: level 0 translation fault
+[ 1457.139812] Data abort info:
+[ 1457.142707] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+[ 1457.148196] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[ 1457.153256] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[ 1457.158563] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001138b6000
+[ 1457.165000] [0000000000000040] pgd=0000000000000000, p4d=0000000000000000
+[ 1457.171792] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+[ 1457.178045] Modules linked in: v4l2_jpeg wave6_vpu_ctrl(-) [last unloaded: mxc_jpeg_encdec]
+[ 1457.186383] CPU: 0 PID: 51938 Comm: kworker/0:3 Not tainted 6.6.36-gd23d64eea511 #66
+[ 1457.194112] Hardware name: NXP i.MX95 19X19 board (DT)
+[ 1457.199236] Workqueue: pm pm_runtime_work
+[ 1457.203247] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 1457.210188] pc : genpd_runtime_suspend+0x20/0x290
+[ 1457.214886] lr : __rpm_callback+0x48/0x1d8
+[ 1457.218968] sp : ffff80008250bc50
+[ 1457.222270] x29: ffff80008250bc50 x28: 0000000000000000 x27: 0000000000000000
+[ 1457.229394] x26: 0000000000000000 x25: 0000000000000008 x24: 00000000000f4240
+[ 1457.236518] x23: 0000000000000000 x22: ffff00008590f0e4 x21: 0000000000000008
+[ 1457.243642] x20: ffff80008099c434 x19: ffff00008590f000 x18: ffffffffffffffff
+[ 1457.250766] x17: 5300326563697665 x16: 645f676e696c6f6f x15: 63343a6d726f6674
+[ 1457.257890] x14: 0000000000000004 x13: 00000000000003a4 x12: 0000000000000002
+[ 1457.265014] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff80008250bbb0
+[ 1457.272138] x8 : ffff000092937200 x7 : ffff0003fdf6af80 x6 : 0000000000000000
+[ 1457.279262] x5 : 00000000410fd050 x4 : 0000000000200000 x3 : 0000000000000000
+[ 1457.286386] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008590f000
+[ 1457.293510] Call trace:
+[ 1457.295946] genpd_runtime_suspend+0x20/0x290
+[ 1457.300296] __rpm_callback+0x48/0x1d8
+[ 1457.304038] rpm_callback+0x6c/0x78
+[ 1457.307515] rpm_suspend+0x10c/0x570
+[ 1457.311077] pm_runtime_work+0xc4/0xc8
+[ 1457.314813] process_one_work+0x138/0x248
+[ 1457.318816] worker_thread+0x320/0x438
+[ 1457.322552] kthread+0x110/0x114
+[ 1457.325767] ret_from_fork+0x10/0x20
+
+Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Reviewed-by: TaoJiang <tao.jiang_2@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -2674,6 +2674,8 @@ static void mxc_jpeg_detach_pm_domains(s
+ int i;
+
+ for (i = 0; i < jpeg->num_domains; i++) {
++ if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i]))
++ pm_runtime_force_suspend(jpeg->pd_dev[i]);
+ if (jpeg->pd_link[i] && !IS_ERR(jpeg->pd_link[i]))
+ device_link_del(jpeg->pd_link[i]);
+ if (jpeg->pd_dev[i] && !IS_ERR(jpeg->pd_dev[i]))
--- /dev/null
+From 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Wed, 9 Oct 2024 16:28:02 +0800
+Subject: media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 upstream.
+
+The buffer in the loop should be released under the exception path,
+otherwise there may be a memory leak here.
+
+To mitigate this, free the buffer when allegro_alloc_buffer fails.
+
+Fixes: f20387dfd065 ("media: allegro: add Allegro DVT video IP core driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/allegro-dvt/allegro-core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/allegro-dvt/allegro-core.c
++++ b/drivers/media/platform/allegro-dvt/allegro-core.c
+@@ -1509,8 +1509,10 @@ static int allocate_buffers_internal(str
+ INIT_LIST_HEAD(&buffer->head);
+
+ err = allegro_alloc_buffer(dev, buffer, size);
+- if (err)
++ if (err) {
++ kfree(buffer);
+ goto err;
++ }
+ list_add(&buffer->head, list);
+ }
+
--- /dev/null
+From 8964eb23408243ae0016d1f8473c76f64ff25d20 Mon Sep 17 00:00:00 2001
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Date: Mon, 4 Nov 2024 19:01:19 +0900
+Subject: media: platform: exynos4-is: Fix an OF node reference leak in fimc_md_is_isp_available
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+commit 8964eb23408243ae0016d1f8473c76f64ff25d20 upstream.
+
+In fimc_md_is_isp_available(), of_get_child_by_name() is called to check
+if FIMC-IS is available. Current code does not decrement the refcount of
+the returned device node, which causes an OF node reference leak. Fix it
+by calling of_node_put() at the end of the variable scope.
+
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Fixes: e781bbe3fecf ("[media] exynos4-is: Add fimc-is subdevs registration")
+Cc: stable@vger.kernel.org
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[hverkuil: added CC to stable]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/samsung/exynos4-is/media-dev.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/samsung/exynos4-is/media-dev.h
++++ b/drivers/media/platform/samsung/exynos4-is/media-dev.h
+@@ -178,8 +178,9 @@ int fimc_md_set_camclk(struct v4l2_subde
+ #ifdef CONFIG_OF
+ static inline bool fimc_md_is_isp_available(struct device_node *node)
+ {
+- node = of_get_child_by_name(node, FIMC_IS_OF_NODE_NAME);
+- return node ? of_device_is_available(node) : false;
++ struct device_node *child __free(device_node) =
++ of_get_child_by_name(node, FIMC_IS_OF_NODE_NAME);
++ return child ? of_device_is_available(child) : false;
+ }
+ #else
+ #define fimc_md_is_isp_available(node) (false)
--- /dev/null
+From 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba Mon Sep 17 00:00:00 2001
+From: Li Zetao <lizetao1@huawei.com>
+Date: Thu, 10 Oct 2024 23:41:13 +0800
+Subject: media: ts2020: fix null-ptr-deref in ts2020_probe()
+
+From: Li Zetao <lizetao1@huawei.com>
+
+commit 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba upstream.
+
+KASAN reported a null-ptr-deref issue when executing the following
+command:
+
+ # echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device
+ KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+ CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
+ RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020]
+ RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202
+ RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809
+ RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010
+ RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6
+ R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790
+ R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001
+ FS: 00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <TASK>
+ ts2020_probe+0xad/0xe10 [ts2020]
+ i2c_device_probe+0x421/0xb40
+ really_probe+0x266/0x850
+ ...
+
+The cause of the problem is that when using sysfs to dynamically register
+an i2c device, there is no platform data, but the probe process of ts2020
+needs to use platform data, resulting in a null pointer being accessed.
+
+Solve this problem by adding checks to platform data.
+
+Fixes: dc245a5f9b51 ("[media] ts2020: implement I2C client bindings")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/ts2020.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/ts2020.c
++++ b/drivers/media/dvb-frontends/ts2020.c
+@@ -553,13 +553,19 @@ static void ts2020_regmap_unlock(void *_
+ static int ts2020_probe(struct i2c_client *client)
+ {
+ struct ts2020_config *pdata = client->dev.platform_data;
+- struct dvb_frontend *fe = pdata->fe;
++ struct dvb_frontend *fe;
+ struct ts2020_priv *dev;
+ int ret;
+ u8 u8tmp;
+ unsigned int utmp;
+ char *chip_str;
+
++ if (!pdata) {
++ dev_err(&client->dev, "platform data is mandatory\n");
++ return -EINVAL;
++ }
++
++ fe = pdata->fe;
+ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ if (!dev) {
+ ret = -ENOMEM;
--- /dev/null
+From 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Fri, 13 Sep 2024 15:06:01 -0300
+Subject: media: uvcvideo: Require entities to have a non-zero unique ID
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195 upstream.
+
+Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero
+unique ID.
+
+```
+Each Unit and Terminal within the video function is assigned a unique
+identification number, the Unit ID (UID) or Terminal ID (TID), contained in
+the bUnitID or bTerminalID field of the descriptor. The value 0x00 is
+reserved for undefined ID,
+```
+
+So, deny allocating an entity with ID 0 or an ID that belongs to a unit
+that is already added to the list of entities.
+
+This also prevents some syzkaller reproducers from triggering warnings due
+to a chain of entities referring to themselves. In one particular case, an
+Output Unit is connected to an Input Unit, both with the same ID of 1. But
+when looking up for the source ID of the Output Unit, that same entity is
+found instead of the input entity, which leads to such warnings.
+
+In another case, a backward chain was considered finished as the source ID
+was 0. Later on, that entity was found, but its pads were not valid.
+
+Here is a sample stack trace for one of those cases.
+
+[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd
+[ 20.830206] usb 1-1: Using ep0 maxpacket: 8
+[ 20.833501] usb 1-1: config 0 descriptor??
+[ 21.038518] usb 1-1: string descriptor 0 read error: -71
+[ 21.038893] usb 1-1: Found UVC 0.00 device <unnamed> (2833:0201)
+[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized!
+[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized!
+[ 21.042218] ------------[ cut here ]------------
+[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0
+[ 21.043195] Modules linked in:
+[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444
+[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[ 21.044639] Workqueue: usb_hub_wq hub_event
+[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0
+[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00
+[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246
+[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1
+[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290
+[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000
+[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003
+[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000
+[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
+[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0
+[ 21.051136] PKRU: 55555554
+[ 21.051331] Call Trace:
+[ 21.051480] <TASK>
+[ 21.051611] ? __warn+0xc4/0x210
+[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0
+[ 21.052252] ? report_bug+0x11b/0x1a0
+[ 21.052540] ? trace_hardirqs_on+0x31/0x40
+[ 21.052901] ? handle_bug+0x3d/0x70
+[ 21.053197] ? exc_invalid_op+0x1a/0x50
+[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20
+[ 21.053924] ? media_create_pad_link+0x91/0x2e0
+[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0
+[ 21.054834] ? media_create_pad_link+0x91/0x2e0
+[ 21.055131] ? _raw_spin_unlock+0x1e/0x40
+[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210
+[ 21.055837] uvc_mc_register_entities+0x358/0x400
+[ 21.056144] uvc_register_chains+0x1fd/0x290
+[ 21.056413] uvc_probe+0x380e/0x3dc0
+[ 21.056676] ? __lock_acquire+0x5aa/0x26e0
+[ 21.056946] ? find_held_lock+0x33/0xa0
+[ 21.057196] ? kernfs_activate+0x70/0x80
+[ 21.057533] ? usb_match_dynamic_id+0x1b/0x70
+[ 21.057811] ? find_held_lock+0x33/0xa0
+[ 21.058047] ? usb_match_dynamic_id+0x55/0x70
+[ 21.058330] ? lock_release+0x124/0x260
+[ 21.058657] ? usb_match_one_id_intf+0xa2/0x100
+[ 21.058997] usb_probe_interface+0x1ba/0x330
+[ 21.059399] really_probe+0x1ba/0x4c0
+[ 21.059662] __driver_probe_device+0xb2/0x180
+[ 21.059944] driver_probe_device+0x5a/0x100
+[ 21.060170] __device_attach_driver+0xe9/0x160
+[ 21.060427] ? __pfx___device_attach_driver+0x10/0x10
+[ 21.060872] bus_for_each_drv+0xa9/0x100
+[ 21.061312] __device_attach+0xed/0x190
+[ 21.061812] device_initial_probe+0xe/0x20
+[ 21.062229] bus_probe_device+0x4d/0xd0
+[ 21.062590] device_add+0x308/0x590
+[ 21.062912] usb_set_configuration+0x7b6/0xaf0
+[ 21.063403] usb_generic_driver_probe+0x36/0x80
+[ 21.063714] usb_probe_device+0x7b/0x130
+[ 21.063936] really_probe+0x1ba/0x4c0
+[ 21.064111] __driver_probe_device+0xb2/0x180
+[ 21.064577] driver_probe_device+0x5a/0x100
+[ 21.065019] __device_attach_driver+0xe9/0x160
+[ 21.065403] ? __pfx___device_attach_driver+0x10/0x10
+[ 21.065820] bus_for_each_drv+0xa9/0x100
+[ 21.066094] __device_attach+0xed/0x190
+[ 21.066535] device_initial_probe+0xe/0x20
+[ 21.066992] bus_probe_device+0x4d/0xd0
+[ 21.067250] device_add+0x308/0x590
+[ 21.067501] usb_new_device+0x347/0x610
+[ 21.067817] hub_event+0x156b/0x1e30
+[ 21.068060] ? process_scheduled_works+0x48b/0xaf0
+[ 21.068337] process_scheduled_works+0x5a3/0xaf0
+[ 21.068668] worker_thread+0x3cf/0x560
+[ 21.068932] ? kthread+0x109/0x1b0
+[ 21.069133] kthread+0x197/0x1b0
+[ 21.069343] ? __pfx_worker_thread+0x10/0x10
+[ 21.069598] ? __pfx_kthread+0x10/0x10
+[ 21.069908] ret_from_fork+0x32/0x40
+[ 21.070169] ? __pfx_kthread+0x10/0x10
+[ 21.070424] ret_from_fork_asm+0x1a/0x30
+[ 21.070737] </TASK>
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675
+Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b
+Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20240913180601.1400596-2-cascardo@igalia.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 70 ++++++++++++++++++++++---------------
+ 1 file changed, 43 insertions(+), 27 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -775,14 +775,27 @@ static const u8 uvc_media_transport_inpu
+ UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT;
+ static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING;
+
+-static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id,
+- unsigned int num_pads, unsigned int extra_size)
++static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type,
++ u16 id, unsigned int num_pads,
++ unsigned int extra_size)
+ {
+ struct uvc_entity *entity;
+ unsigned int num_inputs;
+ unsigned int size;
+ unsigned int i;
+
++ /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */
++ if (id == 0) {
++ dev_err(&dev->udev->dev, "Found Unit with invalid ID 0.\n");
++ return ERR_PTR(-EINVAL);
++ }
++
++ /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */
++ if (uvc_entity_by_id(dev, id)) {
++ dev_err(&dev->udev->dev, "Found multiple Units with ID %u\n", id);
++ return ERR_PTR(-EINVAL);
++ }
++
+ extra_size = roundup(extra_size, sizeof(*entity->pads));
+ if (num_pads)
+ num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1;
+@@ -792,7 +805,7 @@ static struct uvc_entity *uvc_alloc_enti
+ + num_inputs;
+ entity = kzalloc(size, GFP_KERNEL);
+ if (entity == NULL)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ entity->id = id;
+ entity->type = type;
+@@ -904,10 +917,10 @@ static int uvc_parse_vendor_control(stru
+ break;
+ }
+
+- unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3],
+- p + 1, 2*n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT,
++ buffer[3], p + 1, 2 * n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->guid, &buffer[4], 16);
+ unit->extension.bNumControls = buffer[20];
+@@ -1016,10 +1029,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3],
+- 1, n + p);
+- if (term == NULL)
+- return -ENOMEM;
++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT,
++ buffer[3], 1, n + p);
++ if (IS_ERR(term))
++ return PTR_ERR(term);
+
+ if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) {
+ term->camera.bControlSize = n;
+@@ -1075,10 +1088,10 @@ static int uvc_parse_standard_control(st
+ return 0;
+ }
+
+- term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3],
+- 1, 0);
+- if (term == NULL)
+- return -ENOMEM;
++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT,
++ buffer[3], 1, 0);
++ if (IS_ERR(term))
++ return PTR_ERR(term);
+
+ memcpy(term->baSourceID, &buffer[7], 1);
+
+@@ -1097,9 +1110,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
++ p + 1, 0);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->baSourceID, &buffer[5], p);
+
+@@ -1119,9 +1133,9 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->baSourceID, &buffer[4], 1);
+ unit->processing.wMaxMultiplier =
+@@ -1148,9 +1162,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n);
+- if (unit == NULL)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
++ p + 1, n);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ memcpy(unit->guid, &buffer[4], 16);
+ unit->extension.bNumControls = buffer[20];
+@@ -1290,9 +1305,10 @@ static int uvc_gpio_parse(struct uvc_dev
+ return dev_err_probe(&dev->udev->dev, irq,
+ "No IRQ for privacy GPIO\n");
+
+- unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1);
+- if (!unit)
+- return -ENOMEM;
++ unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT,
++ UVC_EXT_GPIO_UNIT_ID, 0, 1);
++ if (IS_ERR(unit))
++ return PTR_ERR(unit);
+
+ unit->gpio.gpio_privacy = gpio_privacy;
+ unit->gpio.irq = irq;
--- /dev/null
+From c9ec6f1736363b2b2bb4e266997389740f628441 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Thu, 26 Sep 2024 05:59:06 +0000
+Subject: media: uvcvideo: Stop stream during unregister
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit c9ec6f1736363b2b2bb4e266997389740f628441 upstream.
+
+uvc_unregister_video() can be called asynchronously from
+uvc_disconnect(). If the device is still streaming when that happens, a
+plethora of race conditions can occur.
+
+Make sure that the device has stopped streaming before exiting this
+function.
+
+If the user still holds handles to the driver's file descriptors, any
+ioctl will return -ENODEV from the v4l2 core.
+
+This change makes uvc more consistent with the rest of the v4l2 drivers
+using the vb2_fop_* and vb2_ioctl_* helpers.
+
+This driver (and many other usb drivers) always had this problem, but it
+wasn't possible to easily fix this until the vb2_video_unregister_device()
+helper was added. So the Fixes tag points to the creation of that helper.
+
+Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
+Suggested-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Fixes: f729ef5796d8 ("media: videobuf2-v4l2.c: add vb2_video_unregister_device helper function")
+Cc: stable@vger.kernel.org # 5.10.x
+[hverkuil: add note regarding Fixes version]
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 32 +++++++++++++++++++++++++++++++-
+ 1 file changed, 31 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1919,11 +1919,41 @@ static void uvc_unregister_video(struct
+ struct uvc_streaming *stream;
+
+ list_for_each_entry(stream, &dev->streams, list) {
++ /* Nothing to do here, continue. */
+ if (!video_is_registered(&stream->vdev))
+ continue;
+
++ /*
++ * For stream->vdev we follow the same logic as:
++ * vb2_video_unregister_device().
++ */
++
++ /* 1. Take a reference to vdev */
++ get_device(&stream->vdev.dev);
++
++ /* 2. Ensure that no new ioctls can be called. */
+ video_unregister_device(&stream->vdev);
+- video_unregister_device(&stream->meta.vdev);
++
++ /* 3. Wait for old ioctls to finish. */
++ mutex_lock(&stream->mutex);
++
++ /* 4. Stop streaming. */
++ uvc_queue_release(&stream->queue);
++
++ mutex_unlock(&stream->mutex);
++
++ put_device(&stream->vdev.dev);
++
++ /*
++ * For stream->meta.vdev we can directly call:
++ * vb2_video_unregister_device().
++ */
++ vb2_video_unregister_device(&stream->meta.vdev);
++
++ /*
++ * Now both vdevs are not streaming and all the ioctls will
++ * return -ENODEV.
++ */
+
+ uvc_debugfs_cleanup_stream(stream);
+ }
--- /dev/null
+From 2a20869f7d798aa2b69e45b863eaf1b1ecf98278 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+Date: Fri, 1 Nov 2024 17:40:50 +0800
+Subject: media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+commit 2a20869f7d798aa2b69e45b863eaf1b1ecf98278 upstream.
+
+It is not valid to call pm_runtime_set_suspended() for devices
+with runtime PM enabled because it returns -EAGAIN if it is enabled
+already and working. So, call pm_runtime_disable() before to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Acked-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -406,8 +406,8 @@ err_of_depopulate:
+ of_platform_depopulate(dev);
+ err_runtime_disable:
+ pm_runtime_put_noidle(dev);
+- pm_runtime_set_suspended(dev);
+ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
+ hfi_destroy(core);
+ err_core_deinit:
+ hfi_core_deinit(core, false);
--- /dev/null
+From 672f24ed6ebcd986688c6674a6d994a265fefc25 Mon Sep 17 00:00:00 2001
+From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+Date: Tue, 10 Sep 2024 14:10:09 +0000
+Subject: media: verisilicon: av1: Fix reference video buffer pointer assignment
+
+From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+
+commit 672f24ed6ebcd986688c6674a6d994a265fefc25 upstream.
+
+Always get new destination buffer for reference frame because nothing
+garantees the one set previously is still valid or unused.
+
+Fixes this chromium test suite:
+https://chromium.googlesource.com/chromium/src/media/+/refs/heads/main/test/data/test-25fps.av1.ivf
+
+Fixes: 727a400686a2 ("media: verisilicon: Add Rockchip AV1 decoder")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+[hverkuil: fix typo and add link to chromium test suite]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/verisilicon/rockchip_vpu981_hw_av1_dec.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/platform/verisilicon/rockchip_vpu981_hw_av1_dec.c
++++ b/drivers/media/platform/verisilicon/rockchip_vpu981_hw_av1_dec.c
+@@ -161,8 +161,7 @@ static int rockchip_vpu981_av1_dec_frame
+ av1_dec->frame_refs[i].timestamp = timestamp;
+ av1_dec->frame_refs[i].frame_type = frame->frame_type;
+ av1_dec->frame_refs[i].order_hint = frame->order_hint;
+- if (!av1_dec->frame_refs[i].vb2_ref)
+- av1_dec->frame_refs[i].vb2_ref = hantro_get_dst_buf(ctx);
++ av1_dec->frame_refs[i].vb2_ref = hantro_get_dst_buf(ctx);
+
+ for (j = 0; j < V4L2_AV1_TOTAL_REFS_PER_FRAME; j++)
+ av1_dec->frame_refs[i].order_hints[j] = frame->order_hints[j];
--- /dev/null
+From c8b359dddb418c60df1a69beea01d1b3322bfe83 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Tue, 19 Nov 2024 18:58:17 +0300
+Subject: ovl: Filter invalid inodes with missing lookup function
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+commit c8b359dddb418c60df1a69beea01d1b3322bfe83 upstream.
+
+Add a check to the ovl_dentry_weird() function to prevent the
+processing of directory inodes that lack the lookup function.
+This is important because such inodes can cause errors in overlayfs
+when passed to the lowerstack.
+
+Reported-by: syzbot+a8c9d476508bd14a90e5@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=a8c9d476508bd14a90e5
+Suggested-by: Miklos Szeredi <miklos@szeredi.hu>
+Link: https://lore.kernel.org/linux-unionfs/CAJfpegvx-oS9XGuwpJx=Xe28_jzWx5eRo1y900_ZzWY+=gGzUg@mail.gmail.com/
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/overlayfs/util.c
++++ b/fs/overlayfs/util.c
+@@ -171,6 +171,9 @@ void ovl_dentry_init_flags(struct dentry
+
+ bool ovl_dentry_weird(struct dentry *dentry)
+ {
++ if (!d_can_lookup(dentry) && !d_is_file(dentry) && !d_is_symlink(dentry))
++ return true;
++
+ return dentry->d_flags & (DCACHE_NEED_AUTOMOUNT |
+ DCACHE_MANAGE_TRANSIT |
+ DCACHE_OP_HASH |
media-mtk-jpeg-fix-null-ptr-deref-during-unload-module.patch
media-i2c-dw9768-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch
arm64-dts-freescale-imx8mp-verdin-fix-sd-regulator-startup-delay.patch
+media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch
+media-imx-jpeg-ensure-power-suppliers-be-suspended-before-detach-them.patch
+media-verisilicon-av1-fix-reference-video-buffer-pointer-assignment.patch
+media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch
+media-platform-exynos4-is-fix-an-of-node-reference-leak-in-fimc_md_is_isp_available.patch
+efi-libstub-free-correct-pointer-on-failure.patch
+media-amphion-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch
+media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch
+media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch
+media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch
+media-uvcvideo-stop-stream-during-unregister.patch
+media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch
+ovl-filter-invalid-inodes-with-missing-lookup-function.patch
+maple_tree-refine-mas_store_root-on-storing-null.patch
+ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch
+vmstat-call-fold_vm_zone_numa_events-before-show-per-zone-numa-event.patch
+zram-clear-idle-flag-after-recompression.patch
+iommu-io-pgtable-arm-fix-stage-2-map-unmap-for-concatenated-tables.patch
+leds-lp55xx-remove-redundant-test-for-invalid-channel-number.patch
+clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch
--- /dev/null
+From 2ea80b039b9af0b71c00378523b71c254fb99c23 Mon Sep 17 00:00:00 2001
+From: MengEn Sun <mengensun@tencent.com>
+Date: Fri, 1 Nov 2024 12:06:38 +0800
+Subject: vmstat: call fold_vm_zone_numa_events() before show per zone NUMA event
+
+From: MengEn Sun <mengensun@tencent.com>
+
+commit 2ea80b039b9af0b71c00378523b71c254fb99c23 upstream.
+
+Since 5.14-rc1, NUMA events will only be folded from per-CPU statistics to
+per zone and global statistics when the user actually needs it.
+
+Currently, the kernel has performs the fold operation when reading
+/proc/vmstat, but does not perform the fold operation in /proc/zoneinfo.
+This can lead to inaccuracies in the following statistics in zoneinfo:
+- numa_hit
+- numa_miss
+- numa_foreign
+- numa_interleave
+- numa_local
+- numa_other
+
+Therefore, before printing per-zone vm_numa_event when reading
+/proc/zoneinfo, we should also perform the fold operation.
+
+Link: https://lkml.kernel.org/r/1730433998-10461-1-git-send-email-mengensun@tencent.com
+Fixes: f19298b9516c ("mm/vmstat: convert NUMA statistics to basic NUMA counters")
+Signed-off-by: MengEn Sun <mengensun@tencent.com>
+Reviewed-by: JinLiang Zheng <alexjlzheng@tencent.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmstat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -1723,6 +1723,7 @@ static void zoneinfo_show_print(struct s
+ zone_page_state(zone, i));
+
+ #ifdef CONFIG_NUMA
++ fold_vm_zone_numa_events(zone);
+ for (i = 0; i < NR_VM_NUMA_EVENT_ITEMS; i++)
+ seq_printf(m, "\n %-12s %lu", numa_stat_name(i),
+ zone_numa_event_state(zone, i));
--- /dev/null
+From f85219096648b251a81e9fe24a1974590cfc417d Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+Date: Tue, 29 Oct 2024 00:36:14 +0900
+Subject: zram: clear IDLE flag after recompression
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+commit f85219096648b251a81e9fe24a1974590cfc417d upstream.
+
+Patch series "zram: IDLE flag handling fixes", v2.
+
+zram can wrongly preserve ZRAM_IDLE flag on its entries which can result
+in premature post-processing (writeback and recompression) of such
+entries.
+
+This patch (of 2)
+
+Recompression should clear ZRAM_IDLE flag on the entries it has accessed,
+because otherwise some entries, specifically those for which recompression
+has failed, become immediate candidate entries for another post-processing
+(e.g. writeback).
+
+Consider the following case:
+- recompression marks entries IDLE every 4 hours and attempts
+ to recompress them
+- some entries are incompressible, so we keep them intact and
+ hence preserve IDLE flag
+- writeback marks entries IDLE every 8 hours and writebacks
+ IDLE entries, however we have IDLE entries left from
+ recompression, so writeback prematurely writebacks those
+ entries.
+
+The bug was reported by Shin Kawamura.
+
+Link: https://lkml.kernel.org/r/20241028153629.1479791-1-senozhatsky@chromium.org
+Link: https://lkml.kernel.org/r/20241028153629.1479791-2-senozhatsky@chromium.org
+Fixes: 84b33bf78889 ("zram: introduce recompress sysfs knob")
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reported-by: Shin Kawamura <kawasin@google.com>
+Acked-by: Brian Geffon <bgeffon@google.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zram/zram_drv.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/block/zram/zram_drv.c
++++ b/drivers/block/zram/zram_drv.c
+@@ -1600,6 +1600,13 @@ static int zram_recompress(struct zram *
+ if (ret)
+ return ret;
+
++ /*
++ * We touched this entry so mark it as non-IDLE. This makes sure that
++ * we don't preserve IDLE flag and don't incorrectly pick this entry
++ * for different post-processing type (e.g. writeback).
++ */
++ zram_clear_flag(zram, index, ZRAM_IDLE);
++
+ class_index_old = zs_lookup_class_index(zram->mem_pool, comp_len_old);
+ /*
+ * Iterate the secondary comp algorithms list (in order of priority)
projects / thirdparty / kernel / stable-queue.git / commitdiff
