5.10-stable patches

added patches:
	acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch
	asm-generic-add-memory-barrier-dma_mb.patch
	drm-amd-display-don-t-overclock-dce-6-by-15.patch
	drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
	ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch
	f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
	locking-barriers-kcsan-support-generic-instrumentation.patch
	media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch
	media-v4l2-ctrls-always-copy-the-controls-on-completion.patch
	media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
	media-venus-add-support-for-ssr-trigger-using-fault-injection.patch
	media-venus-don-t-de-reference-null-pointers-at-irq-time.patch
	media-venus-hfi-explicitly-release-irq-during-teardown.patch
	media-venus-protect-against-spurious-interrupts-during-probe.patch
	media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch
	minmax-add-umin-a-b-and-umax-a-b.patch
	platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch
	platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch
	platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch
	platform-chrome-cros_ec-use-per-device-lockdep-key.patch
	pwm-mediatek-fix-duty-and-period-setting.patch
	pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch
	pwm-mediatek-implement-.apply-callback.patch
	wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch

diff --git a/queue-5.10/acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch b/queue-5.10/acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch
new file mode 100644 (file)
index 0000000..78b2862
--- /dev/null
+++ b/queue-5.10/acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch
@@ -0,0 +1,37 @@
+From 2437513a814b3e93bd02879740a8a06e52e2cf7d Mon Sep 17 00:00:00 2001
+From: Li Zhong <floridsleeves@gmail.com>
+Date: Fri, 2 Sep 2022 00:37:30 -0700
+Subject: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
+
+From: Li Zhong <floridsleeves@gmail.com>
+
+commit 2437513a814b3e93bd02879740a8a06e52e2cf7d upstream.
+
+The return value of acpi_fetch_acpi_dev() could be NULL, which would
+cause a NULL pointer dereference to occur in acpi_device_hid().
+
+Signed-off-by: Li Zhong <floridsleeves@gmail.com>
+[ rjw: Subject and changelog edits, added empty line after if () ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Teddy Astie <teddy.astie@vates.tech>
+Signed-off-by: Yann Sionneau <yann.sionneau@vates.tech>
+Reported-by: Dillon C <dchan@dchan.tech>
+Tested-by: Dillon C <dchan@dchan.tech>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/processor_idle.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -1128,7 +1128,9 @@ static int acpi_processor_get_lpi_info(s
+ 
+       status = acpi_get_parent(handle, &pr_ahandle);
+       while (ACPI_SUCCESS(status)) {
+-              acpi_bus_get_device(pr_ahandle, &d);
++              if (acpi_bus_get_device(pr_ahandle, &d))
++                      break;
++
+               handle = pr_ahandle;
+ 
+               if (strcmp(acpi_device_hid(d), ACPI_PROCESSOR_CONTAINER_HID))

diff --git a/queue-5.10/asm-generic-add-memory-barrier-dma_mb.patch b/queue-5.10/asm-generic-add-memory-barrier-dma_mb.patch
new file mode 100644 (file)
index 0000000..8a43bf3
--- /dev/null
+++ b/queue-5.10/asm-generic-add-memory-barrier-dma_mb.patch
@@ -0,0 +1,81 @@
+From stable+bounces-172511-greg=kroah.com@vger.kernel.org Fri Aug 22 21:53:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:53:29 -0400
+Subject: asm-generic: Add memory barrier dma_mb()
+To: stable@vger.kernel.org
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>, Arnd Bergmann <arnd@arndb.de>, Marco Elver <elver@google.com>, Will Deacon <will@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822195330.1458412-2-sashal@kernel.org>
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+[ Upstream commit ed59dfd9509d172e4920994ed9cbebf93b0050cc ]
+
+The memory barrier dma_mb() is introduced by commit a76a37777f2c
+("iommu/arm-smmu-v3: Ensure queue is read after updating prod pointer"),
+which is used to ensure that prior (both reads and writes) accesses
+to memory by a CPU are ordered w.r.t. a subsequent MMIO write.
+
+Reviewed-by: Arnd Bergmann <arnd@arndb.de> # for asm-generic
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reviewed-by: Marco Elver <elver@google.com>
+Link: https://lore.kernel.org/r/20220523113126.171714-2-wangkefeng.wang@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/memory-barriers.txt |   11 ++++++-----
+ include/asm-generic/barrier.h     |    8 ++++++++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/Documentation/memory-barriers.txt
++++ b/Documentation/memory-barriers.txt
+@@ -1894,6 +1894,7 @@ There are some more advanced barrier fun
+ 
+  (*) dma_wmb();
+  (*) dma_rmb();
++ (*) dma_mb();
+ 
+      These are for use with consistent memory to guarantee the ordering
+      of writes or reads of shared memory accessible to both the CPU and a
+@@ -1925,11 +1926,11 @@ There are some more advanced barrier fun
+      The dma_rmb() allows us guarantee the device has released ownership
+      before we read the data from the descriptor, and the dma_wmb() allows
+      us to guarantee the data is written to the descriptor before the device
+-     can see it now has ownership.  Note that, when using writel(), a prior
+-     wmb() is not needed to guarantee that the cache coherent memory writes
+-     have completed before writing to the MMIO region.  The cheaper
+-     writel_relaxed() does not provide this guarantee and must not be used
+-     here.
++     can see it now has ownership.  The dma_mb() implies both a dma_rmb() and
++     a dma_wmb().  Note that, when using writel(), a prior wmb() is not needed
++     to guarantee that the cache coherent memory writes have completed before
++     writing to the MMIO region.  The cheaper writel_relaxed() does not provide
++     this guarantee and must not be used here.
+ 
+      See the subsection "Kernel I/O barrier effects" for more information on
+      relaxed I/O accessors and the Documentation/core-api/dma-api.rst file for
+--- a/include/asm-generic/barrier.h
++++ b/include/asm-generic/barrier.h
+@@ -37,6 +37,10 @@
+ #define wmb() do { kcsan_wmb(); __wmb(); } while (0)
+ #endif
+ 
++#ifdef __dma_mb
++#define dma_mb()      do { kcsan_mb(); __dma_mb(); } while (0)
++#endif
++
+ #ifdef __dma_rmb
+ #define dma_rmb()     do { kcsan_rmb(); __dma_rmb(); } while (0)
+ #endif
+@@ -64,6 +68,10 @@
+ #define wmb() mb()
+ #endif
+ 
++#ifndef dma_mb
++#define dma_mb()      mb()
++#endif
++
+ #ifndef dma_rmb
+ #define dma_rmb()     rmb()
+ #endif

diff --git a/queue-5.10/drm-amd-display-don-t-overclock-dce-6-by-15.patch b/queue-5.10/drm-amd-display-don-t-overclock-dce-6-by-15.patch
new file mode 100644 (file)
index 0000000..531bb09
--- /dev/null
+++ b/queue-5.10/drm-amd-display-don-t-overclock-dce-6-by-15.patch
@@ -0,0 +1,55 @@
+From stable+bounces-172679-greg=kroah.com@vger.kernel.org Sun Aug 24 03:19:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 21:18:57 -0400
+Subject: drm/amd/display: Don't overclock DCE 6 by 15%
+To: stable@vger.kernel.org
+Cc: "Timur Kristóf" <timur.kristof@gmail.com>, "Alex Deucher" <alexander.deucher@amd.com>, "Rodrigo Siqueira" <siqueira@igalia.com>, "Alex Hung" <alex.hung@amd.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250824011857.2574854-1-sashal@kernel.org>
+
+From: Timur Kristóf <timur.kristof@gmail.com>
+
+[ Upstream commit cb7b7ae53b557d168b4af5cd8549f3eff920bfb5 ]
+
+The extra 15% clock was added as a workaround for a Polaris issue
+which uses DCE 11, and should not have been used on DCE 6 which
+is already hardcoded to the highest possible display clock.
+Unfortunately, the extra 15% was mistakenly copied and kept
+even on code paths which don't affect Polaris.
+
+This commit fixes that and also adds a check to make sure
+not to exceed the maximum DCE 6 display clock.
+
+Fixes: 8cd61c313d8b ("drm/amd/display: Raise dispclk value for Polaris")
+Fixes: dc88b4a684d2 ("drm/amd/display: make clk mgr soc specific")
+Fixes: 3ecb3b794e2c ("drm/amd/display: dc/clk_mgr: add support for SI parts (v2)")
+Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 427980c1cbd22bb256b9385f5ce73c0937562408)
+Cc: stable@vger.kernel.org
+[ `MIN` => `min` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+@@ -112,11 +112,9 @@ static void dce60_update_clocks(struct c
+ {
+       struct clk_mgr_internal *clk_mgr_dce = TO_CLK_MGR_INTERNAL(clk_mgr_base);
+       struct dm_pp_power_level_change_request level_change_req;
+-      int patched_disp_clk = context->bw_ctx.bw.dce.dispclk_khz;
+-
+-      /*TODO: W/A for dal3 linux, investigate why this works */
+-      if (!clk_mgr_dce->dfs_bypass_active)
+-              patched_disp_clk = patched_disp_clk * 115 / 100;
++      const int max_disp_clk =
++              clk_mgr_dce->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz;
++      int patched_disp_clk = min(max_disp_clk, context->bw_ctx.bw.dce.dispclk_khz);
+ 
+       level_change_req.power_level = dce_get_required_clocks_state(clk_mgr_base, context);
+       /* get max clock state from PPLIB */

diff --git a/queue-5.10/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch b/queue-5.10/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
new file mode 100644 (file)
index 0000000..359f070
--- /dev/null
+++ b/queue-5.10/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
@@ -0,0 +1,50 @@
+From stable+bounces-172601-greg=kroah.com@vger.kernel.org Sat Aug 23 16:14:41 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 10:14:31 -0400
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+To: stable@vger.kernel.org
+Cc: "Imre Deak" <imre.deak@intel.com>, "Ville Syrjälä" <ville.syrjala@linux.intel.com>, "Jani Nikula" <jani.nikula@linux.intel.com>, "Jani Nikula" <jani.nikula@intel.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250823141432.2196555-1-sashal@kernel.org>
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ]
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc: <stable@vger.kernel.org>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+[ call to drm_dp_dpcd_access() instead of drm_dp_dpcd_probe() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_dp_helper.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_helper.c
++++ b/drivers/gpu/drm/drm_dp_helper.c
+@@ -299,7 +299,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+        * monitor doesn't power down exactly after the throw away read.
+        */
+       if (!aux->is_remote) {
+-              ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_DPCD_REV,
++              ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_LANE0_1_STATUS,
+                                        buffer, 1);
+               if (ret != 1)
+                       goto out;

diff --git a/queue-5.10/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch b/queue-5.10/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch
new file mode 100644 (file)
index 0000000..f48f747
--- /dev/null
+++ b/queue-5.10/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch
@@ -0,0 +1,84 @@
+From stable+bounces-172283-greg=kroah.com@vger.kernel.org Fri Aug 22 06:18:38 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 00:16:40 -0400
+Subject: ext4: fix hole length calculation overflow in non-extent inodes
+To: stable@vger.kernel.org
+Cc: Zhang Yi <yi.zhang@huawei.com>, stable@kernel.org, Qu Wenruo <wqu@suse.com>, Theodore Ts'o <tytso@mit.edu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822041640.1082105-2-sashal@kernel.org>
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 ]
+
+In a filesystem with a block size larger than 4KB, the hole length
+calculation for a non-extent inode in ext4_ind_map_blocks() can easily
+exceed INT_MAX. Then it could return a zero length hole and trigger the
+following waring and infinite in the iomap infrastructure.
+
+  ------------[ cut here ]------------
+  WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190
+  CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary)
+  Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
+  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+  pc : iomap_iter_done+0x148/0x190
+  lr : iomap_iter+0x174/0x230
+  sp : ffff8000880af740
+  x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000
+  x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000
+  x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48
+  x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000
+  x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000
+  x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c
+  x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44
+  x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000
+  x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000
+  x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000
+  Call trace:
+   iomap_iter_done+0x148/0x190 (P)
+   iomap_iter+0x174/0x230
+   iomap_fiemap+0x154/0x1d8
+   ext4_fiemap+0x110/0x140 [ext4]
+   do_vfs_ioctl+0x4b8/0xbc0
+   __arm64_sys_ioctl+0x8c/0x120
+   invoke_syscall+0x6c/0x100
+   el0_svc_common.constprop.0+0x48/0xf0
+   do_el0_svc+0x24/0x38
+   el0_svc+0x38/0x120
+   el0t_64_sync_handler+0x10c/0x138
+   el0t_64_sync+0x198/0x1a0
+  ---[ end trace 0000000000000000 ]---
+
+Cc: stable@kernel.org
+Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()")
+Reported-by: Qu Wenruo <wqu@suse.com>
+Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/
+Tested-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/indirect.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -537,7 +537,7 @@ int ext4_ind_map_blocks(handle_t *handle
+       int indirect_blks;
+       int blocks_to_boundary = 0;
+       int depth;
+-      int count = 0;
++      u64 count = 0;
+       ext4_fsblk_t first_block = 0;
+ 
+       trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags);
+@@ -586,7 +586,7 @@ int ext4_ind_map_blocks(handle_t *handle
+               count++;
+               /* Fill in size of a hole we found */
+               map->m_pblk = 0;
+-              map->m_len = min_t(unsigned int, map->m_len, count);
++              map->m_len = umin(map->m_len, count);
+               goto cleanup;
+       }
+ 

diff --git a/queue-5.10/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch b/queue-5.10/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
new file mode 100644 (file)
index 0000000..84b04d7
--- /dev/null
+++ b/queue-5.10/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
@@ -0,0 +1,76 @@
+From stable+bounces-172553-greg=kroah.com@vger.kernel.org Sat Aug 23 06:11:08 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 00:10:38 -0400
+Subject: f2fs: fix to avoid out-of-boundary access in dnode page
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, Jiaming Zhang <r772577952@gmail.com>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823041038.1834302-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ]
+
+As Jiaming Zhang reported:
+
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x17e/0x800 mm/kasan/report.c:480
+ kasan_report+0x147/0x180 mm/kasan/report.c:593
+ data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
+ f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
+ f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
+ f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
+ prepare_write_begin fs/f2fs/data.c:3395 [inline]
+ f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
+ generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
+ f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
+ f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x546/0xa90 fs/read_write.c:686
+ ksys_write+0x149/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is in the corrupted image, there is a dnode has the same
+node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
+access block address in dnode at offset 934, however it parses the dnode
+as inode node, so that get_dnode_addr() returns 360, then it tries to
+access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
+
+To fix this issue, let's add sanity check for node id of all direct nodes
+during f2fs_get_dnode_of_data().
+
+Cc: stable@kernel.org
+Reported-by: Jiaming Zhang <r772577952@gmail.com>
+Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ replaced f2fs_err_ratelimited() with f2fs_err() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -760,6 +760,16 @@ int f2fs_get_dnode_of_data(struct dnode_
+       for (i = 1; i <= level; i++) {
+               bool done = false;
+ 
++              if (nids[i] && nids[i] == dn->inode->i_ino) {
++                      err = -EFSCORRUPTED;
++                      f2fs_err(sbi,
++                              "inode mapping table is corrupted, run fsck to fix it, "
++                              "ino:%lu, nid:%u, level:%d, offset:%d",
++                              dn->inode->i_ino, nids[i], level, offset[level]);
++                      set_sbi_flag(sbi, SBI_NEED_FSCK);
++                      goto release_pages;
++              }
++
+               if (!nids[i] && mode == ALLOC_NODE) {
+                       /* alloc new node */
+                       if (!f2fs_alloc_nid(sbi, &(nids[i]))) {

diff --git a/queue-5.10/locking-barriers-kcsan-support-generic-instrumentation.patch b/queue-5.10/locking-barriers-kcsan-support-generic-instrumentation.patch
new file mode 100644 (file)
index 0000000..f5a8e04
--- /dev/null
+++ b/queue-5.10/locking-barriers-kcsan-support-generic-instrumentation.patch
@@ -0,0 +1,70 @@
+From stable+bounces-172510-greg=kroah.com@vger.kernel.org Fri Aug 22 21:53:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:53:28 -0400
+Subject: locking/barriers, kcsan: Support generic instrumentation
+To: stable@vger.kernel.org
+Cc: Marco Elver <elver@google.com>, "Paul E. McKenney" <paulmck@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822195330.1458412-1-sashal@kernel.org>
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 2505a51ac6f249956735e0a369e2404f96eebef0 ]
+
+Thus far only smp_*() barriers had been defined by asm-generic/barrier.h
+based on __smp_*() barriers, because the !SMP case is usually generic.
+
+With the introduction of instrumentation, it also makes sense to have
+asm-generic/barrier.h assist in the definition of instrumented versions
+of mb(), rmb(), wmb(), dma_rmb(), and dma_wmb().
+
+Because there is no requirement to distinguish the !SMP case, the
+definition can be simpler: we can avoid also providing fallbacks for the
+__ prefixed cases, and only check if `defined(__<barrier>)`, to finally
+define the KCSAN-instrumented versions.
+
+This also allows for the compiler to complain if an architecture
+accidentally defines both the normal and __ prefixed variant.
+
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/asm-generic/barrier.h |   25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/include/asm-generic/barrier.h
++++ b/include/asm-generic/barrier.h
+@@ -21,6 +21,31 @@
+ #endif
+ 
+ /*
++ * Architectures that want generic instrumentation can define __ prefixed
++ * variants of all barriers.
++ */
++
++#ifdef __mb
++#define mb()  do { kcsan_mb(); __mb(); } while (0)
++#endif
++
++#ifdef __rmb
++#define rmb() do { kcsan_rmb(); __rmb(); } while (0)
++#endif
++
++#ifdef __wmb
++#define wmb() do { kcsan_wmb(); __wmb(); } while (0)
++#endif
++
++#ifdef __dma_rmb
++#define dma_rmb()     do { kcsan_rmb(); __dma_rmb(); } while (0)
++#endif
++
++#ifdef __dma_wmb
++#define dma_wmb()     do { kcsan_wmb(); __dma_wmb(); } while (0)
++#endif
++
++/*
+  * Force strict CPU ordering. And yes, this is required on UP too when we're
+  * talking to devices.
+  *

diff --git a/queue-5.10/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch b/queue-5.10/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch
new file mode 100644 (file)
index 0000000..90f826c
--- /dev/null
+++ b/queue-5.10/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch
@@ -0,0 +1,51 @@
+From stable+bounces-172555-greg=kroah.com@vger.kernel.org Sat Aug 23 06:24:03 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 00:23:52 -0400
+Subject: media: qcom: camss: cleanup media device allocated resource on error path
+To: stable@vger.kernel.org
+Cc: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823042352.1850575-1-sashal@kernel.org>
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+[ Upstream commit 69080ec3d0daba8a894025476c98ab16b5a505a4 ]
+
+A call to media_device_init() requires media_device_cleanup() counterpart
+to complete cleanup and release any allocated resources.
+
+This has been done in the driver .remove() right from the beginning, but
+error paths on .probe() shall also be fixed.
+
+Fixes: a1d7c116fcf7 ("media: camms: Add core files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ err_genpd_cleanup => err_cleanup ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/camss/camss.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/camss/camss.c
++++ b/drivers/media/platform/qcom/camss/camss.c
+@@ -888,7 +888,7 @@ static int camss_probe(struct platform_d
+       ret = v4l2_device_register(camss->dev, &camss->v4l2_dev);
+       if (ret < 0) {
+               dev_err(dev, "Failed to register V4L2 device: %d\n", ret);
+-              goto err_cleanup;
++              goto err_media_device_cleanup;
+       }
+ 
+       ret = camss_register_entities(camss);
+@@ -945,6 +945,8 @@ err_register_subdevs:
+       camss_unregister_entities(camss);
+ err_register_entities:
+       v4l2_device_unregister(&camss->v4l2_dev);
++err_media_device_cleanup:
++      media_device_cleanup(&camss->media_dev);
+ err_cleanup:
+       v4l2_async_notifier_cleanup(&camss->notifier);
+ err_free:

diff --git a/queue-5.10/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch b/queue-5.10/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch
new file mode 100644 (file)
index 0000000..5e8b508
--- /dev/null
+++ b/queue-5.10/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch
@@ -0,0 +1,94 @@
+From stable+bounces-172534-greg=kroah.com@vger.kernel.org Sat Aug 23 03:46:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 21:46:18 -0400
+Subject: media: v4l2-ctrls: always copy the controls on completion
+To: stable@vger.kernel.org
+Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>, Mauro Carvalho Chehab <mchehab+huawei@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823014619.1670865-1-sashal@kernel.org>
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit c3bf5129f33923c92bf3bddaf4359b7b25ecb4ba ]
+
+When v4l2_ctrl_request_complete() is called and there is no control
+handler object found in the request, then create such an object so
+that all controls at completion state can be stored and are available
+to userspace.
+
+Otherwise any attempt by userspace to read the completed request data
+will fail.
+
+If allocating the control handler object failed, then indicate that
+by returning ENOMEM when attempting to get the controls from the
+completed request instead of returning ENOENT.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Stable-dep-of: 5a0400aca5fa ("media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c |   36 +++++++++++++++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -3767,8 +3767,19 @@ v4l2_ctrls_find_req_obj(struct v4l2_ctrl
+       obj = media_request_object_find(req, &req_ops, hdl);
+       if (obj)
+               return obj;
++      /*
++       * If there are no controls in this completed request,
++       * then that can only happen if:
++       *
++       * 1) no controls were present in the queued request, and
++       * 2) v4l2_ctrl_request_complete() could not allocate a
++       *    control handler object to store the completed state in.
++       *
++       * So return ENOMEM to indicate that there was an out-of-memory
++       * error.
++       */
+       if (!set)
+-              return ERR_PTR(-ENOENT);
++              return ERR_PTR(-ENOMEM);
+ 
+       new_hdl = kzalloc(sizeof(*new_hdl), GFP_KERNEL);
+       if (!new_hdl)
+@@ -3779,8 +3790,8 @@ v4l2_ctrls_find_req_obj(struct v4l2_ctrl
+       if (!ret)
+               ret = v4l2_ctrl_request_bind(req, new_hdl, hdl);
+       if (ret) {
++              v4l2_ctrl_handler_free(new_hdl);
+               kfree(new_hdl);
+-
+               return ERR_PTR(ret);
+       }
+ 
+@@ -4369,8 +4380,25 @@ void v4l2_ctrl_request_complete(struct m
+        * wants to leave the controls unchanged.
+        */
+       obj = media_request_object_find(req, &req_ops, main_hdl);
+-      if (!obj)
+-              return;
++      if (!obj) {
++              int ret;
++
++              /* Create a new request so the driver can return controls */
++              hdl = kzalloc(sizeof(*hdl), GFP_KERNEL);
++              if (!hdl)
++                      return;
++
++              ret = v4l2_ctrl_handler_init(hdl, (main_hdl->nr_of_buckets - 1) * 8);
++              if (!ret)
++                      ret = v4l2_ctrl_request_bind(req, hdl, main_hdl);
++              if (ret) {
++                      v4l2_ctrl_handler_free(hdl);
++                      kfree(hdl);
++                      return;
++              }
++              hdl->request_is_queued = true;
++              obj = media_request_object_find(req, &req_ops, main_hdl);
++      }
+       hdl = container_of(obj, struct v4l2_ctrl_handler, req_obj);
+ 
+       list_for_each_entry(ref, &hdl->ctrl_refs, node) {

diff --git a/queue-5.10/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch b/queue-5.10/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
new file mode 100644 (file)
index 0000000..29b5a29
--- /dev/null
+++ b/queue-5.10/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
@@ -0,0 +1,49 @@
+From stable+bounces-172535-greg=kroah.com@vger.kernel.org Sat Aug 23 03:46:30 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 21:46:19 -0400
+Subject: media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()
+To: stable@vger.kernel.org
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>, Hans Verkuil <hverkuil@xs4all.nl>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823014619.1670865-2-sashal@kernel.org>
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+[ Upstream commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 ]
+
+It's a common pattern in drivers to free the control handler's resources
+and then return the handler's error code on drivers' error handling paths.
+Alas, the v4l2_ctrl_handler_free() function also zeroes the error field,
+effectively indicating successful return to the caller.
+
+There's no apparent need to touch the error field while releasing the
+control handler's resources and cleaning up stale pointers. Not touching
+the handler's error field is a more certain way to address this problem
+than changing all the users, in which case the pattern would be likely to
+re-emerge in new drivers.
+
+Do just that, don't touch the control handler's error field in
+v4l2_ctrl_handler_free().
+
+Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ v4l2-ctrls.c => v4l2-ctrls-core.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -2388,7 +2388,6 @@ void v4l2_ctrl_handler_free(struct v4l2_
+       kvfree(hdl->buckets);
+       hdl->buckets = NULL;
+       hdl->cached = NULL;
+-      hdl->error = 0;
+       mutex_unlock(hdl->lock);
+       mutex_destroy(&hdl->_lock);
+ }

diff --git a/queue-5.10/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch b/queue-5.10/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch
new file mode 100644 (file)
index 0000000..ee6470b
--- /dev/null
+++ b/queue-5.10/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch
@@ -0,0 +1,112 @@
+From stable+bounces-172549-greg=kroah.com@vger.kernel.org Sat Aug 23 05:54:57 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 23:54:47 -0400
+Subject: media: venus: Add support for SSR trigger using fault injection
+To: stable@vger.kernel.org
+Cc: Dikshita Agarwal <quic_dikshita@quicinc.com>, Stanimir Varbanov <stanimir.varbanov@linaro.org>, Stephen Boyd <swboyd@chromium.org>, Mauro Carvalho Chehab <mchehab@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823035448.1818703-1-sashal@kernel.org>
+
+From: Dikshita Agarwal <quic_dikshita@quicinc.com>
+
+[ Upstream commit 748b080f21678f2988b0da2d2b396a6f928d9b2c ]
+
+Here we introduce a new fault injection for SSR trigger.
+
+To trigger the SSR:
+ echo 100 >  /sys/kernel/debug/venus/fail_ssr/probability
+ echo 1 >  /sys/kernel/debug/venus/fail_ssr/times
+
+Co-developed-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Stable-dep-of: 3200144a2fa4 ("media: venus: protect against spurious interrupts during probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.c  |   15 ++++++++++++++-
+ drivers/media/platform/qcom/venus/dbgfs.c |    9 +++++++++
+ drivers/media/platform/qcom/venus/dbgfs.h |   13 +++++++++++++
+ 3 files changed, 36 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -220,6 +220,19 @@ static void venus_assign_register_offset
+       core->wrapper_base = core->base + WRAPPER_BASE;
+ }
+ 
++static irqreturn_t venus_isr_thread(int irq, void *dev_id)
++{
++      struct venus_core *core = dev_id;
++      irqreturn_t ret;
++
++      ret = hfi_isr_thread(irq, dev_id);
++
++      if (ret == IRQ_HANDLED && venus_fault_inject_ssr())
++              hfi_core_trigger_ssr(core, HFI_TEST_SSR_SW_ERR_FATAL);
++
++      return ret;
++}
++
+ static int venus_probe(struct platform_device *pdev)
+ {
+       struct device *dev = &pdev->dev;
+@@ -276,7 +289,7 @@ static int venus_probe(struct platform_d
+       mutex_init(&core->lock);
+       INIT_DELAYED_WORK(&core->work, venus_sys_error_handler);
+ 
+-      ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread,
++      ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
+                                       IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+                                       "venus", core);
+       if (ret)
+--- a/drivers/media/platform/qcom/venus/dbgfs.c
++++ b/drivers/media/platform/qcom/venus/dbgfs.c
+@@ -4,13 +4,22 @@
+  */
+ 
+ #include <linux/debugfs.h>
++#include <linux/fault-inject.h>
+ 
+ #include "core.h"
+ 
++#ifdef CONFIG_FAULT_INJECTION
++DECLARE_FAULT_ATTR(venus_ssr_attr);
++#endif
++
+ void venus_dbgfs_init(struct venus_core *core)
+ {
+       core->root = debugfs_create_dir("venus", NULL);
+       debugfs_create_x32("fw_level", 0644, core->root, &venus_fw_debug);
++
++#ifdef CONFIG_FAULT_INJECTION
++      fault_create_debugfs_attr("fail_ssr", core->root, &venus_ssr_attr);
++#endif
+ }
+ 
+ void venus_dbgfs_deinit(struct venus_core *core)
+--- a/drivers/media/platform/qcom/venus/dbgfs.h
++++ b/drivers/media/platform/qcom/venus/dbgfs.h
+@@ -4,8 +4,21 @@
+ #ifndef __VENUS_DBGFS_H__
+ #define __VENUS_DBGFS_H__
+ 
++#include <linux/fault-inject.h>
++
+ struct venus_core;
+ 
++#ifdef CONFIG_FAULT_INJECTION
++extern struct fault_attr venus_ssr_attr;
++static inline bool venus_fault_inject_ssr(void)
++{
++      return should_fail(&venus_ssr_attr, 1);
++}
++#else
++static inline bool venus_fault_inject_ssr(void) { return false; }
++#endif
++
++
+ void venus_dbgfs_init(struct venus_core *core);
+ void venus_dbgfs_deinit(struct venus_core *core);
+ 

diff --git a/queue-5.10/media-venus-don-t-de-reference-null-pointers-at-irq-time.patch b/queue-5.10/media-venus-don-t-de-reference-null-pointers-at-irq-time.patch
new file mode 100644 (file)
index 0000000..54d98b1
--- /dev/null
+++ b/queue-5.10/media-venus-don-t-de-reference-null-pointers-at-irq-time.patch
@@ -0,0 +1,78 @@
+From stable+bounces-172541-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 22:50:19 -0400
+Subject: media: venus: don't de-reference NULL pointers at IRQ time
+To: stable@vger.kernel.org
+Cc: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823025020.1694568-1-sashal@kernel.org>
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 686ee9b6253f9b6d7f1151e73114698940cc0894 ]
+
+Smatch is warning that:
+       drivers/media/platform/qcom/venus/hfi_venus.c:1100 venus_isr() warn: variable dereferenced before check 'hdev' (see line 1097)
+
+The logic basically does:
+       hdev = to_hfi_priv(core);
+
+with is translated to:
+       hdev = core->priv;
+
+If the IRQ code can receive a NULL pointer for hdev, there's
+a bug there, as it will first try to de-reference the pointer,
+and then check if it is null.
+
+After looking at the code, it seems that this indeed can happen:
+Basically, the venus IRQ thread is started with:
+       devm_request_threaded_irq()
+So, it will only be freed after the driver unbinds.
+
+In order to prevent the IRQ code to work with freed data,
+the logic at venus_hfi_destroy() sets core->priv to NULL,
+which would make the IRQ code to ignore any pending IRQs.
+
+There is, however a race condition, as core->priv is set
+to NULL only after being freed. So, we need also to move the
+core->priv = NULL to happen earlier.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Stable-dep-of: 640803003cd9 ("media: venus: hfi: explicitly release IRQ during teardown")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -1071,12 +1071,15 @@ static irqreturn_t venus_isr(struct venu
+ {
+       struct venus_hfi_device *hdev = to_hfi_priv(core);
+       u32 status;
+-      void __iomem *cpu_cs_base = hdev->core->cpu_cs_base;
+-      void __iomem *wrapper_base = hdev->core->wrapper_base;
++      void __iomem *cpu_cs_base;
++      void __iomem *wrapper_base;
+ 
+       if (!hdev)
+               return IRQ_NONE;
+ 
++      cpu_cs_base = hdev->core->cpu_cs_base;
++      wrapper_base = hdev->core->wrapper_base;
++
+       status = readl(wrapper_base + WRAPPER_INTR_STATUS);
+ 
+       if (status & WRAPPER_INTR_STATUS_A2H_MASK ||
+@@ -1613,10 +1616,10 @@ void venus_hfi_destroy(struct venus_core
+ {
+       struct venus_hfi_device *hdev = to_hfi_priv(core);
+ 
++      core->priv = NULL;
+       venus_interface_queues_release(hdev);
+       mutex_destroy(&hdev->lock);
+       kfree(hdev);
+-      core->priv = NULL;
+       core->ops = NULL;
+ }
+ 

diff --git a/queue-5.10/media-venus-hfi-explicitly-release-irq-during-teardown.patch b/queue-5.10/media-venus-hfi-explicitly-release-irq-during-teardown.patch
new file mode 100644 (file)
index 0000000..9e61e6c
--- /dev/null
+++ b/queue-5.10/media-venus-hfi-explicitly-release-irq-during-teardown.patch
@@ -0,0 +1,42 @@
+From stable+bounces-172542-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:58 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 22:50:20 -0400
+Subject: media: venus: hfi: explicitly release IRQ during teardown
+To: stable@vger.kernel.org
+Cc: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>, Dikshita Agarwal <quic_dikshita@quicinc.com>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823025020.1694568-2-sashal@kernel.org>
+
+From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+
+[ Upstream commit 640803003cd903cea73dc6a86bf6963e238e2b3f ]
+
+Ensure the IRQ is disabled - and all pending handlers completed - before
+dismantling the interrupt routing and clearing related pointers.
+
+This prevents any possibility of the interrupt triggering after the
+handler context has been invalidated.
+
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -1620,6 +1620,7 @@ void venus_hfi_destroy(struct venus_core
+       venus_interface_queues_release(hdev);
+       mutex_destroy(&hdev->lock);
+       kfree(hdev);
++      disable_irq(core->irq);
+       core->ops = NULL;
+ }
+ 

diff --git a/queue-5.10/media-venus-protect-against-spurious-interrupts-during-probe.patch b/queue-5.10/media-venus-protect-against-spurious-interrupts-during-probe.patch
new file mode 100644 (file)
index 0000000..7df0f96
--- /dev/null
+++ b/queue-5.10/media-venus-protect-against-spurious-interrupts-during-probe.patch
@@ -0,0 +1,56 @@
+From stable+bounces-172550-greg=kroah.com@vger.kernel.org Sat Aug 23 05:54:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 23:54:48 -0400
+Subject: media: venus: protect against spurious interrupts during probe
+To: stable@vger.kernel.org
+Cc: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Vikash Garodia <quic_vgarodia@quicinc.com>, Dikshita Agarwal <quic_dikshita@quicinc.com>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823035448.1818703-2-sashal@kernel.org>
+
+From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+
+[ Upstream commit 3200144a2fa4209dc084a19941b9b203b43580f0 ]
+
+Make sure the interrupt handler is initialized before the interrupt is
+registered.
+
+If the IRQ is registered before hfi_create(), it's possible that an
+interrupt fires before the handler setup is complete, leading to a NULL
+dereference.
+
+This error condition has been observed during system boot on Rb3Gen2.
+
+Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -289,13 +289,13 @@ static int venus_probe(struct platform_d
+       mutex_init(&core->lock);
+       INIT_DELAYED_WORK(&core->work, venus_sys_error_handler);
+ 
+-      ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
+-                                      IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+-                                      "venus", core);
++      ret = hfi_create(core, &venus_core_ops);
+       if (ret)
+               goto err_core_put;
+ 
+-      ret = hfi_create(core, &venus_core_ops);
++      ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
++                                      IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
++                                      "venus", core);
+       if (ret)
+               goto err_core_put;
+ 

diff --git a/queue-5.10/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch b/queue-5.10/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch
new file mode 100644 (file)
index 0000000..35c88ac
--- /dev/null
+++ b/queue-5.10/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch
@@ -0,0 +1,63 @@
+From stable+bounces-172552-greg=kroah.com@vger.kernel.org Sat Aug 23 06:09:07 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 00:08:59 -0400
+Subject: media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.
+To: stable@vger.kernel.org
+Cc: Ricardo Ribalda <ribalda@chromium.org>, Hans Verkuil <hverkuil@xs4all.nl>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Bryan O'Donoghue <bod@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823040859.1832832-1-sashal@kernel.org>
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 377dc500d253f0b26732b2cb062e89668aef890a ]
+
+The driver uses "whole" fps in all its calculations (e.g. in
+load_per_instance()). Those calculation expect an fps bigger than 1, and
+not big enough to overflow.
+
+Clamp the value if the user provides a param that will result in an invalid
+fps.
+
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0
+Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
+Cc: stable@vger.kernel.org
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # qrb5615-rb5
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+[bod: Change "parm" to "param"]
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.h |    2 ++
+ drivers/media/platform/qcom/venus/vdec.c |    5 ++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/core.h
++++ b/drivers/media/platform/qcom/venus/core.h
+@@ -25,6 +25,8 @@
+ #define VIDC_VCODEC_CLKS_NUM_MAX      2
+ #define VIDC_PMDOMAINS_NUM_MAX                3
+ 
++#define VENUS_MAX_FPS                 240
++
+ extern int venus_fw_debug;
+ 
+ struct freq_tbl {
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -427,11 +427,10 @@ static int vdec_s_parm(struct file *file
+       us_per_frame = timeperframe->numerator * (u64)USEC_PER_SEC;
+       do_div(us_per_frame, timeperframe->denominator);
+ 
+-      if (!us_per_frame)
+-              return -EINVAL;
+-
++      us_per_frame = clamp(us_per_frame, 1, USEC_PER_SEC);
+       fps = (u64)USEC_PER_SEC;
+       do_div(fps, us_per_frame);
++      fps = min(VENUS_MAX_FPS, fps);
+ 
+       inst->fps = fps;
+       inst->timeperframe = *timeperframe;

diff --git a/queue-5.10/minmax-add-umin-a-b-and-umax-a-b.patch b/queue-5.10/minmax-add-umin-a-b-and-umax-a-b.patch
new file mode 100644 (file)
index 0000000..898ba78
--- /dev/null
+++ b/queue-5.10/minmax-add-umin-a-b-and-umax-a-b.patch
@@ -0,0 +1,141 @@
+From stable+bounces-172282-greg=kroah.com@vger.kernel.org Fri Aug 22 06:18:37 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 00:16:39 -0400
+Subject: minmax: add umin(a, b) and umax(a, b)
+To: stable@vger.kernel.org
+Cc: David Laight <David.Laight@ACULAB.COM>, David Laight <david.laight@aculab.com>, Andy Shevchenko <andriy.shevchenko@linux.intel.com>, Christoph Hellwig <hch@infradead.org>, "Jason A. Donenfeld" <Jason@zx2c4.com>, Linus Torvalds <torvalds@linux-foundation.org>, "Matthew Wilcox (Oracle)" <willy@infradead.org>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822041640.1082105-1-sashal@kernel.org>
+
+From: David Laight <David.Laight@ACULAB.COM>
+
+[ Upstream commit 80fcac55385ccb710d33a20dc1caaef29bd5a921 ]
+
+Patch series "minmax: Relax type checks in min() and max()", v4.
+
+The min() (etc) functions in minmax.h require that the arguments have
+exactly the same types.
+
+However when the type check fails, rather than look at the types and fix
+the type of a variable/constant, everyone seems to jump on min_t().  In
+reality min_t() ought to be rare - when something unusual is being done,
+not normality.
+
+The orginal min() (added in 2.4.9) replaced several inline functions and
+included the type - so matched the implicit casting of the function call.
+This was renamed min_t() in 2.4.10 and the current min() added.  There is
+no actual indication that the conversion of negatve values to large
+unsigned values has ever been an actual problem.
+
+A quick grep shows 5734 min() and 4597 min_t().  Having the casts on
+almost half of the calls shows that something is clearly wrong.
+
+If the wrong type is picked (and it is far too easy to pick the type of
+the result instead of the larger input) then significant bits can get
+discarded.
+
+Pretty much the worst example is in the derived clamp_val(), consider:
+        unsigned char x = 200u;
+        y = clamp_val(x, 10u, 300u);
+
+I also suspect that many of the min_t(u16, ...) are actually wrong.  For
+example copy_data() in printk_ringbuffer.c contains:
+
+        data_size = min_t(u16, buf_size, len);
+
+Here buf_size is 'unsigned int' and len 'u16', pass a 64k buffer (can you
+prove that doesn't happen?) and no data is returned.  Apparantly it did -
+and has since been fixed.
+
+The only reason that most of the min_t() are 'fine' is that pretty much
+all the values in the kernel are between 0 and INT_MAX.
+
+Patch 1 adds umin(), this uses integer promotions to convert both
+arguments to 'unsigned long long'.  It can be used to compare a signed
+type that is known to contain a non-negative value with an unsigned type.
+The compiler typically optimises it all away.  Added first so that it can
+be referred to in patch 2.
+
+Patch 2 replaces the 'same type' check with a 'same signedness' one.  This
+makes min(unsigned_int_var, sizeof()) be ok.  The error message is also
+improved and will contain the expanded form of both arguments (useful for
+seeing how constants are defined).
+
+Patch 3 just fixes some whitespace.
+
+Patch 4 allows comparisons of 'unsigned char' and 'unsigned short' to
+signed types.  The integer promotion rules convert them both to 'signed
+int' prior to the comparison so they can never cause a negative value be
+converted to a large positive one.
+
+Patch 5 (rewritted for v4) allows comparisons of unsigned values against
+non-negative constant integer expressions.  This makes
+min(unsigned_int_var, 4) be ok.
+
+The only common case that is still errored is the comparison of signed
+values against unsigned constant integer expressions below __INT_MAX__.
+Typcally min(int_val, sizeof (foo)), the real fix for this is casting the
+constant: min(int_var, (int)sizeof (foo)).
+
+With all the patches applied pretty much all the min_t() could be replaced
+by min(), and most of the rest by umin().  However they all need careful
+inspection due to code like:
+
+        sz = min_t(unsigned char, sz - 1, LIM - 1) + 1;
+
+which converts 0 to LIM.
+
+This patch (of 6):
+
+umin() and umax() can be used when min()/max() errors a signed v unsigned
+compare when the signed value is known to be non-negative.
+
+Unlike min_t(some_unsigned_type, a, b) umin() will never mask off high
+bits if an inappropriate type is selected.
+
+The '+ 0u + 0ul + 0ull' may look strange.
+The '+ 0u' is needed for 'signed int' on 64bit systems.
+The '+ 0ul' is needed for 'signed long' on 32bit systems.
+The '+ 0ull' is needed for 'signed long long'.
+
+Link: https://lkml.kernel.org/r/b97faef60ad24922b530241c5d7c933c@AcuMS.aculab.com
+Link: https://lkml.kernel.org/r/41d93ca827a248698ec64bf57e0c05a5@AcuMS.aculab.com
+Signed-off-by: David Laight <david.laight@aculab.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 02c7f7219ac0 ("ext4: fix hole length calculation overflow in non-extent inodes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/minmax.h |   17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/include/linux/minmax.h
++++ b/include/linux/minmax.h
+@@ -52,6 +52,23 @@
+ #define max(x, y)     __careful_cmp(x, y, >)
+ 
+ /**
++ * umin - return minimum of two non-negative values
++ *   Signed types are zero extended to match a larger unsigned type.
++ * @x: first value
++ * @y: second value
++ */
++#define umin(x, y)    \
++      __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, <)
++
++/**
++ * umax - return maximum of two non-negative values
++ * @x: first value
++ * @y: second value
++ */
++#define umax(x, y)    \
++      __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, >)
++
++/**
+  * min3 - return minimum of three values
+  * @x: first value
+  * @y: second value

diff --git a/queue-5.10/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch b/queue-5.10/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch
new file mode 100644 (file)
index 0000000..d7d3ea2
--- /dev/null
+++ b/queue-5.10/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch
@@ -0,0 +1,103 @@
+From stable+bounces-172185-greg=kroah.com@vger.kernel.org Thu Aug 21 18:14:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:14:34 -0400
+Subject: platform/chrome: cros_ec: Make cros_ec_unregister() return void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Guenter Roeck" <groeck@chromium.org>, "Lee Jones" <lee.jones@linaro.org>, "Mark Brown" <broonie@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250821161437.775522-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit afb0a80e63d67e957b5d0eb4ade301aff6e13c8c ]
+
+Up to now cros_ec_unregister() returns zero unconditionally. Make it
+return void instead which makes it easier to see in the callers that
+there is no error to handle.
+
+Also the return value of i2c, platform and spi remove callbacks is
+ignored anyway.
+
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Link: https://lore.kernel.org/r/20211020071753.wltjslmimb6wtlp5@pengutronix.de
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20220123175201.34839-5-u.kleine-koenig@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c     |    4 +---
+ drivers/platform/chrome/cros_ec.h     |    2 +-
+ drivers/platform/chrome/cros_ec_i2c.c |    4 +++-
+ drivers/platform/chrome/cros_ec_lpc.c |    4 +++-
+ drivers/platform/chrome/cros_ec_spi.c |    4 +++-
+ 5 files changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -285,13 +285,11 @@ EXPORT_SYMBOL(cros_ec_register);
+  *
+  * Return: 0 on success or negative error code.
+  */
+-int cros_ec_unregister(struct cros_ec_device *ec_dev)
++void cros_ec_unregister(struct cros_ec_device *ec_dev)
+ {
+       if (ec_dev->pd)
+               platform_device_unregister(ec_dev->pd);
+       platform_device_unregister(ec_dev->ec);
+-
+-      return 0;
+ }
+ EXPORT_SYMBOL(cros_ec_unregister);
+ 
+--- a/drivers/platform/chrome/cros_ec.h
++++ b/drivers/platform/chrome/cros_ec.h
+@@ -9,7 +9,7 @@
+ #define __CROS_EC_H
+ 
+ int cros_ec_register(struct cros_ec_device *ec_dev);
+-int cros_ec_unregister(struct cros_ec_device *ec_dev);
++void cros_ec_unregister(struct cros_ec_device *ec_dev);
+ 
+ int cros_ec_suspend(struct cros_ec_device *ec_dev);
+ int cros_ec_resume(struct cros_ec_device *ec_dev);
+--- a/drivers/platform/chrome/cros_ec_i2c.c
++++ b/drivers/platform/chrome/cros_ec_i2c.c
+@@ -313,7 +313,9 @@ static int cros_ec_i2c_remove(struct i2c
+ {
+       struct cros_ec_device *ec_dev = i2c_get_clientdata(client);
+ 
+-      return cros_ec_unregister(ec_dev);
++      cros_ec_unregister(ec_dev);
++
++      return 0;
+ }
+ 
+ #ifdef CONFIG_PM_SLEEP
+--- a/drivers/platform/chrome/cros_ec_lpc.c
++++ b/drivers/platform/chrome/cros_ec_lpc.c
+@@ -439,7 +439,9 @@ static int cros_ec_lpc_remove(struct pla
+               acpi_remove_notify_handler(adev->handle, ACPI_ALL_NOTIFY,
+                                          cros_ec_lpc_acpi_notify);
+ 
+-      return cros_ec_unregister(ec_dev);
++      cros_ec_unregister(ec_dev);
++
++      return 0;
+ }
+ 
+ static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = {
+--- a/drivers/platform/chrome/cros_ec_spi.c
++++ b/drivers/platform/chrome/cros_ec_spi.c
+@@ -791,7 +791,9 @@ static int cros_ec_spi_remove(struct spi
+ {
+       struct cros_ec_device *ec_dev = spi_get_drvdata(spi);
+ 
+-      return cros_ec_unregister(ec_dev);
++      cros_ec_unregister(ec_dev);
++
++      return 0;
+ }
+ 
+ #ifdef CONFIG_PM_SLEEP

diff --git a/queue-5.10/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch b/queue-5.10/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch
new file mode 100644 (file)
index 0000000..c37a86a
--- /dev/null
+++ b/queue-5.10/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch
@@ -0,0 +1,75 @@
+From stable+bounces-172187-greg=kroah.com@vger.kernel.org Thu Aug 21 18:19:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:14:36 -0400
+Subject: platform/chrome: cros_ec: remove unneeded label and if-condition
+To: stable@vger.kernel.org
+Cc: Tzung-Bi Shih <tzungbi@kernel.org>, Guenter Roeck <groeck@chromium.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821161437.775522-3-sashal@kernel.org>
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit 554ec02c97254962bbb0a8776c3160d294fc7e51 ]
+
+Both `ec_dev->ec` and `ec_dev->pd` are initialized to NULL at the
+beginning of cros_ec_register().  Also, platform_device_unregister()
+takes care if the given platform_device is NULL.
+
+Remove the unneeded goto-label and if-condition.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Link: https://lore.kernel.org/r/20230308031247.2866401-1-tzungbi@kernel.org
+Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -193,7 +193,7 @@ int cros_ec_register(struct cros_ec_devi
+       err = cros_ec_query_all(ec_dev);
+       if (err) {
+               dev_err(dev, "Cannot identify the EC: error %d\n", err);
+-              goto destroy_mutex;
++              goto exit;
+       }
+ 
+       if (ec_dev->irq > 0) {
+@@ -205,7 +205,7 @@ int cros_ec_register(struct cros_ec_devi
+               if (err) {
+                       dev_err(dev, "Failed to request IRQ %d: %d",
+                               ec_dev->irq, err);
+-                      goto destroy_mutex;
++                      goto exit;
+               }
+       }
+ 
+@@ -217,7 +217,7 @@ int cros_ec_register(struct cros_ec_devi
+               dev_err(ec_dev->dev,
+                       "Failed to create CrOS EC platform device\n");
+               err = PTR_ERR(ec_dev->ec);
+-              goto destroy_mutex;
++              goto exit;
+       }
+ 
+       if (ec_dev->max_passthru) {
+@@ -276,7 +276,6 @@ int cros_ec_register(struct cros_ec_devi
+ exit:
+       platform_device_unregister(ec_dev->ec);
+       platform_device_unregister(ec_dev->pd);
+-destroy_mutex:
+       mutex_destroy(&ec_dev->lock);
+       lockdep_unregister_key(&ec_dev->lockdep_key);
+       return err;
+@@ -293,8 +292,7 @@ EXPORT_SYMBOL(cros_ec_register);
+  */
+ void cros_ec_unregister(struct cros_ec_device *ec_dev)
+ {
+-      if (ec_dev->pd)
+-              platform_device_unregister(ec_dev->pd);
++      platform_device_unregister(ec_dev->pd);
+       platform_device_unregister(ec_dev->ec);
+       mutex_destroy(&ec_dev->lock);
+       lockdep_unregister_key(&ec_dev->lockdep_key);

diff --git a/queue-5.10/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch b/queue-5.10/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch
new file mode 100644 (file)
index 0000000..8bcff54
--- /dev/null
+++ b/queue-5.10/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch
@@ -0,0 +1,40 @@
+From stable+bounces-172188-greg=kroah.com@vger.kernel.org Thu Aug 21 18:18:30 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:14:37 -0400
+Subject: platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()
+To: stable@vger.kernel.org
+Cc: Tzung-Bi Shih <tzungbi@kernel.org>, Benson Leung <bleung@chromium.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821161437.775522-4-sashal@kernel.org>
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit e2374953461947eee49f69b3e3204ff080ef31b1 ]
+
+The blocking notifier is registered in cros_ec_register(); however, it
+isn't unregistered in cros_ec_unregister().
+
+Fix it.
+
+Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW")
+Cc: stable@vger.kernel.org
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Link: https://lore.kernel.org/r/20250722120513.234031-1-tzungbi@kernel.org
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -292,6 +292,9 @@ EXPORT_SYMBOL(cros_ec_register);
+  */
+ void cros_ec_unregister(struct cros_ec_device *ec_dev)
+ {
++      if (ec_dev->mkbp_event_supported)
++              blocking_notifier_chain_unregister(&ec_dev->event_notifier,
++                                                 &ec_dev->notifier_ready);
+       platform_device_unregister(ec_dev->pd);
+       platform_device_unregister(ec_dev->ec);
+       mutex_destroy(&ec_dev->lock);

diff --git a/queue-5.10/platform-chrome-cros_ec-use-per-device-lockdep-key.patch b/queue-5.10/platform-chrome-cros_ec-use-per-device-lockdep-key.patch
new file mode 100644 (file)
index 0000000..41f1cc0
--- /dev/null
+++ b/queue-5.10/platform-chrome-cros_ec-use-per-device-lockdep-key.patch
@@ -0,0 +1,144 @@
+From stable+bounces-172186-greg=kroah.com@vger.kernel.org Thu Aug 21 18:18:02 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:14:35 -0400
+Subject: platform/chrome: cros_ec: Use per-device lockdep key
+To: stable@vger.kernel.org
+Cc: Chen-Yu Tsai <wenst@chromium.org>, Tzung-Bi Shih <tzungbi@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821161437.775522-2-sashal@kernel.org>
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 961a325becd9a142ae5c8b258e5c2f221f8bfac8 ]
+
+Lockdep reports a bogus possible deadlock on MT8192 Chromebooks due to
+the following lock sequences:
+
+1. lock(i2c_register_adapter) [1]; lock(&ec_dev->lock)
+2. lock(&ec_dev->lock); lock(prepare_lock);
+
+The actual dependency chains are much longer. The shortened version
+looks somewhat like:
+
+1. cros-ec-rpmsg on mtk-scp
+   ec_dev->lock -> prepare_lock
+2. In rt5682_i2c_probe() on native I2C bus:
+   prepare_lock -> regmap->lock -> (possibly) i2c_adapter->bus_lock
+3. In rt5682_i2c_probe() on native I2C bus:
+   regmap->lock -> i2c_adapter->bus_lock
+4. In sbs_probe() on i2c-cros-ec-tunnel I2C bus attached on cros-ec:
+   i2c_adapter->bus_lock -> ec_dev->lock
+
+While lockdep is correct that the shared lockdep classes have a circular
+dependency, it is bogus because
+
+  a) 2+3 happen on a native I2C bus
+  b) 4 happens on the actual EC on ChromeOS devices
+  c) 1 happens on the SCP coprocessor on MediaTek Chromebooks that just
+     happens to expose a cros-ec interface, but does not have an
+     i2c-cros-ec-tunnel I2C bus
+
+In short, the "dependencies" are actually on different devices.
+
+Setup a per-device lockdep key for cros_ec devices so lockdep can tell
+the two instances apart. This helps with getting rid of the bogus
+lockdep warning. For ChromeOS devices that only have one cros-ec
+instance this doesn't change anything.
+
+Also add a missing mutex_destroy, just to make the teardown complete.
+
+[1] This is likely the per I2C bus lock with shared lockdep class
+
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20230111074146.2624496-1-wenst@chromium.org
+Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c           |   14 +++++++++++---
+ include/linux/platform_data/cros_ec_proto.h |    4 ++++
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -186,12 +186,14 @@ int cros_ec_register(struct cros_ec_devi
+       if (!ec_dev->dout)
+               return -ENOMEM;
+ 
++      lockdep_register_key(&ec_dev->lockdep_key);
+       mutex_init(&ec_dev->lock);
++      lockdep_set_class(&ec_dev->lock, &ec_dev->lockdep_key);
+ 
+       err = cros_ec_query_all(ec_dev);
+       if (err) {
+               dev_err(dev, "Cannot identify the EC: error %d\n", err);
+-              return err;
++              goto destroy_mutex;
+       }
+ 
+       if (ec_dev->irq > 0) {
+@@ -203,7 +205,7 @@ int cros_ec_register(struct cros_ec_devi
+               if (err) {
+                       dev_err(dev, "Failed to request IRQ %d: %d",
+                               ec_dev->irq, err);
+-                      return err;
++                      goto destroy_mutex;
+               }
+       }
+ 
+@@ -214,7 +216,8 @@ int cros_ec_register(struct cros_ec_devi
+       if (IS_ERR(ec_dev->ec)) {
+               dev_err(ec_dev->dev,
+                       "Failed to create CrOS EC platform device\n");
+-              return PTR_ERR(ec_dev->ec);
++              err = PTR_ERR(ec_dev->ec);
++              goto destroy_mutex;
+       }
+ 
+       if (ec_dev->max_passthru) {
+@@ -273,6 +276,9 @@ int cros_ec_register(struct cros_ec_devi
+ exit:
+       platform_device_unregister(ec_dev->ec);
+       platform_device_unregister(ec_dev->pd);
++destroy_mutex:
++      mutex_destroy(&ec_dev->lock);
++      lockdep_unregister_key(&ec_dev->lockdep_key);
+       return err;
+ }
+ EXPORT_SYMBOL(cros_ec_register);
+@@ -290,6 +296,8 @@ void cros_ec_unregister(struct cros_ec_d
+       if (ec_dev->pd)
+               platform_device_unregister(ec_dev->pd);
+       platform_device_unregister(ec_dev->ec);
++      mutex_destroy(&ec_dev->lock);
++      lockdep_unregister_key(&ec_dev->lockdep_key);
+ }
+ EXPORT_SYMBOL(cros_ec_unregister);
+ 
+--- a/include/linux/platform_data/cros_ec_proto.h
++++ b/include/linux/platform_data/cros_ec_proto.h
+@@ -9,6 +9,7 @@
+ #define __LINUX_CROS_EC_PROTO_H
+ 
+ #include <linux/device.h>
++#include <linux/lockdep_types.h>
+ #include <linux/mutex.h>
+ #include <linux/notifier.h>
+ 
+@@ -114,6 +115,8 @@ struct cros_ec_command {
+  *            command. The caller should check msg.result for the EC's result
+  *            code.
+  * @pkt_xfer: Send packet to EC and get response.
++ * @lockdep_key: Lockdep class for each instance. Unused if CONFIG_LOCKDEP is
++ *             not enabled.
+  * @lock: One transaction at a time.
+  * @mkbp_event_supported: 0 if MKBP not supported. Otherwise its value is
+  *                        the maximum supported version of the MKBP host event
+@@ -159,6 +162,7 @@ struct cros_ec_device {
+                       struct cros_ec_command *msg);
+       int (*pkt_xfer)(struct cros_ec_device *ec,
+                       struct cros_ec_command *msg);
++      struct lock_class_key lockdep_key;
+       struct mutex lock;
+       u8 mkbp_event_supported;
+       bool host_sleep_v1;

diff --git a/queue-5.10/pwm-mediatek-fix-duty-and-period-setting.patch b/queue-5.10/pwm-mediatek-fix-duty-and-period-setting.patch
new file mode 100644 (file)
index 0000000..e0757a1
--- /dev/null
+++ b/queue-5.10/pwm-mediatek-fix-duty-and-period-setting.patch
@@ -0,0 +1,82 @@
+From stable+bounces-172498-greg=kroah.com@vger.kernel.org Fri Aug 22 21:02:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:01:33 -0400
+Subject: pwm: mediatek: Fix duty and period setting
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@baylibre.com>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Uwe Kleine-König" <ukleinek@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822190133.1406293-3-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit f21d136caf8171f94159d975ea4620c164431bd9 ]
+
+The period generated by the hardware is
+
+       (PWMDWIDTH + 1) << CLKDIV) / freq
+
+according to my tests with a signal analyser and also the documentation.
+
+The current algorithm doesn't consider the `+ 1` part and so configures
+slightly too high periods. The same issue exists for the duty cycle
+setting. So subtract 1 from both the register values for period and
+duty cycle. If period is 0, bail out, if duty_cycle is 0, just disable
+the PWM which results in a constant low output.
+
+Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/6d1fa87a76f8020bfe3171529b8e19baffceab10.1753717973.git.u.kleine-koenig@baylibre.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c |   21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -169,7 +169,10 @@ static int pwm_mediatek_config(struct pw
+       do_div(resolution, clk_rate);
+ 
+       cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution);
+-      while (cnt_period > 8191) {
++      if (!cnt_period)
++              return -EINVAL;
++
++      while (cnt_period > 8192) {
+               resolution *= 2;
+               clkdiv++;
+               cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000,
+@@ -192,9 +195,16 @@ static int pwm_mediatek_config(struct pw
+       }
+ 
+       cnt_duty = DIV_ROUND_CLOSEST_ULL((u64)duty_ns * 1000, resolution);
++
+       pwm_mediatek_writel(pc, pwm->hwpwm, PWMCON, BIT(15) | clkdiv);
+-      pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period);
+-      pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty);
++      pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period - 1);
++
++      if (cnt_duty) {
++              pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty - 1);
++              pwm_mediatek_enable(chip, pwm);
++      } else {
++              pwm_mediatek_disable(chip, pwm);
++      }
+ 
+ out:
+       pwm_mediatek_clk_disable(chip, pwm);
+@@ -223,11 +233,8 @@ static int pwm_mediatek_apply(struct pwm
+       if (err)
+               return err;
+ 
+-      if (!pwm->state.enabled) {
++      if (!pwm->state.enabled)
+               err = pwm_mediatek_clk_enable(chip, pwm);
+-              if (!err)
+-                      pwm_mediatek_enable(chip, pwm);
+-      }
+ 
+       return err;
+ }

diff --git a/queue-5.10/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch b/queue-5.10/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch
new file mode 100644 (file)
index 0000000..9f2a3e4
--- /dev/null
+++ b/queue-5.10/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch
@@ -0,0 +1,123 @@
+From stable+bounces-172497-greg=kroah.com@vger.kernel.org Fri Aug 22 21:02:35 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:01:32 -0400
+Subject: pwm: mediatek: Handle hardware enable and clock enable separately
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@baylibre.com>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Uwe Kleine-König" <ukleinek@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822190133.1406293-2-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit 704d918341c378c5f9505dfdf32d315e256d3846 ]
+
+Stop handling the clocks in pwm_mediatek_enable() and
+pwm_mediatek_disable(). This is a preparing change for the next commit
+that requires that clocks and the enable bit are handled separately.
+
+Also move these two functions a bit further up in the source file to
+make them usable in pwm_mediatek_config(), which is needed in the next
+commit, too.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/55c94fe2917ece152ee1e998f4675642a7716f13.1753717973.git.u.kleine-koenig@baylibre.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c |   60 +++++++++++++++++++++------------------------
+ 1 file changed, 28 insertions(+), 32 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -120,6 +120,26 @@ static inline void pwm_mediatek_writel(s
+       writel(value, chip->regs + pwm_mediatek_reg_offset[num] + offset);
+ }
+ 
++static void pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
++{
++      struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
++      u32 value;
++
++      value = readl(pc->regs);
++      value |= BIT(pwm->hwpwm);
++      writel(value, pc->regs);
++}
++
++static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
++{
++      struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
++      u32 value;
++
++      value = readl(pc->regs);
++      value &= ~BIT(pwm->hwpwm);
++      writel(value, pc->regs);
++}
++
+ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
+                              int duty_ns, int period_ns)
+ {
+@@ -182,35 +202,6 @@ out:
+       return ret;
+ }
+ 
+-static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
+-{
+-      struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+-      u32 value;
+-      int ret;
+-
+-      ret = pwm_mediatek_clk_enable(chip, pwm);
+-      if (ret < 0)
+-              return ret;
+-
+-      value = readl(pc->regs);
+-      value |= BIT(pwm->hwpwm);
+-      writel(value, pc->regs);
+-
+-      return 0;
+-}
+-
+-static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
+-{
+-      struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+-      u32 value;
+-
+-      value = readl(pc->regs);
+-      value &= ~BIT(pwm->hwpwm);
+-      writel(value, pc->regs);
+-
+-      pwm_mediatek_clk_disable(chip, pwm);
+-}
+-
+ static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+                             const struct pwm_state *state)
+ {
+@@ -220,8 +211,10 @@ static int pwm_mediatek_apply(struct pwm
+               return -EINVAL;
+ 
+       if (!state->enabled) {
+-              if (pwm->state.enabled)
++              if (pwm->state.enabled) {
+                       pwm_mediatek_disable(chip, pwm);
++                      pwm_mediatek_clk_disable(chip, pwm);
++              }
+ 
+               return 0;
+       }
+@@ -230,8 +223,11 @@ static int pwm_mediatek_apply(struct pwm
+       if (err)
+               return err;
+ 
+-      if (!pwm->state.enabled)
+-              err = pwm_mediatek_enable(chip, pwm);
++      if (!pwm->state.enabled) {
++              err = pwm_mediatek_clk_enable(chip, pwm);
++              if (!err)
++                      pwm_mediatek_enable(chip, pwm);
++      }
+ 
+       return err;
+ }

diff --git a/queue-5.10/pwm-mediatek-implement-.apply-callback.patch b/queue-5.10/pwm-mediatek-implement-.apply-callback.patch
new file mode 100644 (file)
index 0000000..f02049f
--- /dev/null
+++ b/queue-5.10/pwm-mediatek-implement-.apply-callback.patch
@@ -0,0 +1,67 @@
+From stable+bounces-172496-greg=kroah.com@vger.kernel.org Fri Aug 22 21:02:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:01:31 -0400
+Subject: pwm: mediatek: Implement .apply() callback
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Thierry Reding" <thierry.reding@gmail.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822190133.1406293-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 758de66f4bd2cac2b1d71db917c65c3d611d4e74 ]
+
+To eventually get rid of all legacy drivers convert this driver to the
+modern world implementing .apply().
+This just pushed a variant of pwm_apply_legacy() into the driver that was
+slightly simplified because the driver doesn't provide a .set_polarity()
+callback.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c |   29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -211,10 +211,33 @@ static void pwm_mediatek_disable(struct
+       pwm_mediatek_clk_disable(chip, pwm);
+ }
+ 
++static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
++                            const struct pwm_state *state)
++{
++      int err;
++
++      if (state->polarity != PWM_POLARITY_NORMAL)
++              return -EINVAL;
++
++      if (!state->enabled) {
++              if (pwm->state.enabled)
++                      pwm_mediatek_disable(chip, pwm);
++
++              return 0;
++      }
++
++      err = pwm_mediatek_config(pwm->chip, pwm, state->duty_cycle, state->period);
++      if (err)
++              return err;
++
++      if (!pwm->state.enabled)
++              err = pwm_mediatek_enable(chip, pwm);
++
++      return err;
++}
++
+ static const struct pwm_ops pwm_mediatek_ops = {
+-      .config = pwm_mediatek_config,
+-      .enable = pwm_mediatek_enable,
+-      .disable = pwm_mediatek_disable,
++      .apply = pwm_mediatek_apply,
+       .owner = THIS_MODULE,
+ };
+ 

diff --git a/queue-5.10/series b/queue-5.10/series
index b0275b3be52ee009d36e3fcebe4d7816d261db74..ca02c6efca621ea73d3463c4b768fcc8bf75d2a2 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -467,3 +467,27 @@ soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
 usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
 usb-musb-omap2430-fix-device-leak-at-unbind.patch
 btrfs-populate-otime-when-logging-an-inode-item.patch
+acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch
+minmax-add-umin-a-b-and-umax-a-b.patch
+ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch
+platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch
+platform-chrome-cros_ec-use-per-device-lockdep-key.patch
+platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch
+platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch
+pwm-mediatek-implement-.apply-callback.patch
+pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch
+pwm-mediatek-fix-duty-and-period-setting.patch
+locking-barriers-kcsan-support-generic-instrumentation.patch
+asm-generic-add-memory-barrier-dma_mb.patch
+wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch
+media-v4l2-ctrls-always-copy-the-controls-on-completion.patch
+media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
+media-venus-don-t-de-reference-null-pointers-at-irq-time.patch
+media-venus-hfi-explicitly-release-irq-during-teardown.patch
+media-venus-add-support-for-ssr-trigger-using-fault-injection.patch
+media-venus-protect-against-spurious-interrupts-during-probe.patch
+drm-amd-display-don-t-overclock-dce-6-by-15.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
+media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
+media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch

diff --git a/queue-5.10/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch b/queue-5.10/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch
new file mode 100644 (file)
index 0000000..3cf698c
--- /dev/null
+++ b/queue-5.10/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch
@@ -0,0 +1,65 @@
+From stable+bounces-172512-greg=kroah.com@vger.kernel.org Fri Aug 22 21:54:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:53:30 -0400
+Subject: wifi: ath11k: fix dest ring-buffer corruption when ring is full
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan+linaro@kernel.org>, Baochen Qiang <quic_bqiang@quicinc.com>, Jeff Johnson <jeff.johnson@oss.qualcomm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822195330.1458412-3-sashal@kernel.org>
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit aa6956150f820e6a6deba44be325ddfcb5b10f88 ]
+
+Add the missing memory barriers to make sure that destination ring
+descriptors are read before updating the tail pointer (and passing
+ownership to the device) to avoid memory corruption on weakly ordered
+architectures like aarch64 when the ring is full.
+
+Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org      # 5.6
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -833,7 +833,6 @@ void ath11k_hal_srng_access_end(struct a
+ {
+       lockdep_assert_held(&srng->lock);
+ 
+-      /* TODO: See if we need a write memory barrier here */
+       if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) {
+               /* For LMAC rings, ring pointer updates are done through FW and
+                * hence written to a shared memory location that is read by FW
+@@ -848,7 +847,11 @@ void ath11k_hal_srng_access_end(struct a
+                       WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
+               } else {
+                       srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
+-                      *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
++                      /* Make sure descriptor is read before updating the
++                       * tail pointer.
++                       */
++                      dma_mb();
++                      WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp);
+               }
+       } else {
+               if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
+@@ -864,6 +867,10 @@ void ath11k_hal_srng_access_end(struct a
+                                          srng->u.src_ring.hp);
+               } else {
+                       srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
++                      /* Make sure descriptor is read before updating the
++                       * tail pointer.
++                       */
++                      mb();
+                       ath11k_hif_write32(ab,
+                                          (unsigned long)srng->u.dst_ring.tp_addr -
+                                          (unsigned long)ab->mem,