--- /dev/null
+From 1378ffec30367233152b7dbf4fa6a25ee98585d1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Thu, 17 Oct 2024 23:34:16 +0300
+Subject: media: imx-jpeg: Fix potential error pointer dereference in detach_pm()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 1378ffec30367233152b7dbf4fa6a25ee98585d1 upstream.
+
+The proble is on the first line:
+
+ if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i]))
+
+If jpeg->pd_dev[i] is an error pointer, then passing it to
+pm_runtime_suspended() will lead to an Oops. The other conditions
+check for both error pointers and NULL, but it would be more clear to
+use the IS_ERR_OR_NULL() check for that.
+
+Fixes: fd0af4cd35da ("media: imx-jpeg: Ensure power suppliers be suspended before detach them")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -2097,11 +2097,12 @@ static void mxc_jpeg_detach_pm_domains(s
+ int i;
+
+ for (i = 0; i < jpeg->num_domains; i++) {
+- if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i]))
++ if (!IS_ERR_OR_NULL(jpeg->pd_dev[i]) &&
++ !pm_runtime_suspended(jpeg->pd_dev[i]))
+ pm_runtime_force_suspend(jpeg->pd_dev[i]);
+- if (jpeg->pd_link[i] && !IS_ERR(jpeg->pd_link[i]))
++ if (!IS_ERR_OR_NULL(jpeg->pd_link[i]))
+ device_link_del(jpeg->pd_link[i]);
+- if (jpeg->pd_dev[i] && !IS_ERR(jpeg->pd_dev[i]))
++ if (!IS_ERR_OR_NULL(jpeg->pd_dev[i]))
+ dev_pm_domain_detach(jpeg->pd_dev[i], true);
+ jpeg->pd_dev[i] = NULL;
+ jpeg->pd_link[i] = NULL;
--- /dev/null
+From c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Date: Fri, 8 Nov 2024 01:51:30 +0200
+Subject: media: uvcvideo: Fix double free in error path
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+commit c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac upstream.
+
+If the uvc_status_init() function fails to allocate the int_urb, it will
+free the dev->status pointer but doesn't reset the pointer to NULL. This
+results in the kfree() call in uvc_status_cleanup() trying to
+double-free the memory. Fix it by resetting the dev->status pointer to
+NULL after freeing it.
+
+Fixes: a31a4055473b ("V4L/DVB:usbvideo:don't use part of buffer for USB transfer #4")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241107235130.31372-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_status.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/usb/uvc/uvc_status.c
++++ b/drivers/media/usb/uvc/uvc_status.c
+@@ -267,6 +267,7 @@ int uvc_status_init(struct uvc_device *d
+ dev->int_urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (dev->int_urb == NULL) {
+ kfree(dev->status);
++ dev->status = NULL;
+ return -ENOMEM;
+ }
+
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- net/mptcp/options.c | 13 +++++--------
- net/mptcp/protocol.h | 30 ++++++++++++++++--------------
+ net/mptcp/options.c | 13 +++++--------
+ net/mptcp/protocol.h | 30 ++++++++++++++++--------------
2 files changed, 21 insertions(+), 22 deletions(-)
-diff --git a/net/mptcp/options.c b/net/mptcp/options.c
-index 123f3f297284..fd2de185bc93 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
-@@ -108,7 +108,6 @@ static void mptcp_parse_option(const struct sk_buff *skb,
+@@ -103,7 +103,6 @@ static void mptcp_parse_option(const str
mp_opt->suboptions |= OPTION_MPTCP_DSS;
mp_opt->use_map = 1;
mp_opt->mpc_map = 1;
mp_opt->data_len = get_unaligned_be16(ptr);
ptr += 2;
}
-@@ -157,11 +156,6 @@ static void mptcp_parse_option(const struct sk_buff *skb,
+@@ -152,11 +151,6 @@ static void mptcp_parse_option(const str
pr_debug("DSS\n");
ptr++;
flags = (*ptr++) & MPTCP_DSS_FLAG_MASK;
mp_opt->data_fin = (flags & MPTCP_DSS_DATA_FIN) != 0;
mp_opt->dsn64 = (flags & MPTCP_DSS_DSN64) != 0;
-@@ -369,8 +363,11 @@ void mptcp_get_options(const struct sk_buff *skb,
+@@ -364,8 +358,11 @@ void mptcp_get_options(const struct sk_b
const unsigned char *ptr;
int length;
length = (th->doff * 4) - sizeof(struct tcphdr);
ptr = (const unsigned char *)(th + 1);
-diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
-index 0174a5aad279..f6a207958459 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
-@@ -149,22 +149,24 @@ struct mptcp_options_received {
+@@ -141,22 +141,24 @@ struct mptcp_options_received {
u32 subflow_seq;
u16 data_len;
__sum16 csum;
u64 thmac;
u8 hmac[MPTCPOPT_HMAC_LEN];
struct mptcp_addr_info addr;
---
-2.48.1
-
--- /dev/null
+From 619af16b3b57a3a4ee50b9a30add9ff155541e71 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 23 Jan 2025 19:05:56 +0100
+Subject: mptcp: handle fastopen disconnect correctly
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 619af16b3b57a3a4ee50b9a30add9ff155541e71 upstream.
+
+Syzbot was able to trigger a data stream corruption:
+
+ WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
+ Modules linked in:
+ CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0
+ Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
+ RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
+ Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07
+ RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293
+ RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928
+ R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000
+ R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000
+ FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <TASK>
+ __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074
+ mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493
+ release_sock+0x1aa/0x1f0 net/core/sock.c:3640
+ inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]
+ __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703
+ mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755
+ mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830
+ sock_sendmsg_nosec net/socket.c:711 [inline]
+ __sock_sendmsg+0x1a6/0x270 net/socket.c:726
+ ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
+ ___sys_sendmsg net/socket.c:2637 [inline]
+ __sys_sendmsg+0x269/0x350 net/socket.c:2669
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7f6e86ebfe69
+ Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+ RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69
+ RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003
+ RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc
+ R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508
+ </TASK>
+
+The root cause is the bad handling of disconnect() generated internally
+by the MPTCP protocol in case of connect FASTOPEN errors.
+
+Address the issue increasing the socket disconnect counter even on such
+a case, to allow other threads waiting on the same socket lock to
+properly error out.
+
+Fixes: c2b2ae3925b6 ("mptcp: handle correctly disconnect() failures")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+ebc0b8ae5d3590b2c074@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/67605870.050a0220.37aaf.0137.GAE@google.com
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/537
+Tested-by: syzbot+ebc0b8ae5d3590b2c074@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250123-net-mptcp-syzbot-issues-v1-3-af73258a726f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -1779,8 +1779,10 @@ static int mptcp_sendmsg_fastopen(struct
+ * see mptcp_disconnect().
+ * Attempt it again outside the problematic scope.
+ */
+- if (!mptcp_disconnect(sk, 0))
++ if (!mptcp_disconnect(sk, 0)) {
++ sk->sk_disconnects++;
+ sk->sk_socket->state = SS_UNCONNECTED;
++ }
+ }
+
+ return ret;
--- /dev/null
+From 7378aeb664e5ebc396950b36a1f2dedf5aabec20 Mon Sep 17 00:00:00 2001
+From: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+Date: Fri, 22 Nov 2024 18:51:27 +0100
+Subject: remoteproc: core: Fix ida_free call while not allocated
+
+From: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+
+commit 7378aeb664e5ebc396950b36a1f2dedf5aabec20 upstream.
+
+In the rproc_alloc() function, on error, put_device(&rproc->dev) is
+called, leading to the call of the rproc_type_release() function.
+An error can occurs before ida_alloc is called.
+
+In such case in rproc_type_release(), the condition (rproc->index >= 0) is
+true as rproc->index has been initialized to 0.
+ida_free() is called reporting a warning:
+[ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164
+[ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0
+[ 4.188854] ida_free called for id=0 which is not allocated.
+[ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000
+[ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+)
+[ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442
+[ 4.231481] Hardware name: STM32 (Device Tree Support)
+[ 4.236627] Workqueue: events_unbound deferred_probe_work_func
+[ 4.242504] Call trace:
+[ 4.242522] unwind_backtrace from show_stack+0x10/0x14
+[ 4.250218] show_stack from dump_stack_lvl+0x50/0x64
+[ 4.255274] dump_stack_lvl from __warn+0x80/0x12c
+[ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188
+[ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164
+[ 4.270565] ida_free from rproc_type_release+0x38/0x60
+[ 4.275832] rproc_type_release from device_release+0x30/0xa0
+[ 4.281601] device_release from kobject_put+0xc4/0x294
+[ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c
+[ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4
+[ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc]
+[ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc
+
+Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is
+properly set.
+
+Fixes: 08333b911f01 ("remoteproc: Directly use ida_alloc()/free()")
+Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241122175127.2188037-1-arnaud.pouliquen@foss.st.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/remoteproc_core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -2464,6 +2464,13 @@ struct rproc *rproc_alloc(struct device
+ rproc->dev.driver_data = rproc;
+ idr_init(&rproc->notifyids);
+
++ /* Assign a unique device index and name */
++ rproc->index = ida_alloc(&rproc_dev_index, GFP_KERNEL);
++ if (rproc->index < 0) {
++ dev_err(dev, "ida_alloc failed: %d\n", rproc->index);
++ goto put_device;
++ }
++
+ rproc->name = kstrdup_const(name, GFP_KERNEL);
+ if (!rproc->name)
+ goto put_device;
+@@ -2474,13 +2481,6 @@ struct rproc *rproc_alloc(struct device
+ if (rproc_alloc_ops(rproc, ops))
+ goto put_device;
+
+- /* Assign a unique device index and name */
+- rproc->index = ida_alloc(&rproc_dev_index, GFP_KERNEL);
+- if (rproc->index < 0) {
+- dev_err(dev, "ida_alloc failed: %d\n", rproc->index);
+- goto put_device;
+- }
+-
+ dev_set_name(&rproc->dev, "remoteproc%d", rproc->index);
+
+ atomic_set(&rproc->power, 0);
usb-typec-tcpm-set-src_send_capabilities-timeout-to-pd_t_sender_response.patch
usb-typec-tcpci-prevent-sink-disconnection-before-vppsshutdown-in-spr-pps.patch
mptcp-consolidate-suboption-status.patch
+mptcp-handle-fastopen-disconnect-correctly.patch
+remoteproc-core-fix-ida_free-call-while-not-allocated.patch
+media-uvcvideo-fix-double-free-in-error-path.patch
+usb-gadget-f_tcm-don-t-free-command-immediately.patch
+staging-media-max96712-fix-kernel-oops-when-removing-module.patch
+media-imx-jpeg-fix-potential-error-pointer-dereference-in-detach_pm.patch
--- /dev/null
+From ee1b5046d5cd892a0754ab982aeaaad3702083a5 Mon Sep 17 00:00:00 2001
+From: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+Date: Tue, 17 Dec 2024 08:51:50 +0200
+Subject: staging: media: max96712: fix kernel oops when removing module
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+
+commit ee1b5046d5cd892a0754ab982aeaaad3702083a5 upstream.
+
+The following kernel oops is thrown when trying to remove the max96712
+module:
+
+Unable to handle kernel paging request at virtual address 00007375746174db
+Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+Data abort info:
+ ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000
+[00007375746174db] pgd=0000000000000000, p4d=0000000000000000
+Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan
+ snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2
+ imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev
+ snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils
+ max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse
+ [last unloaded: imx8_isi]
+CPU: 0 UID: 0 PID: 754 Comm: rmmod
+ Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17
+Tainted: [C]=CRAP
+Hardware name: NXP i.MX95 19X19 board (DT)
+pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : led_put+0x1c/0x40
+lr : v4l2_subdev_put_privacy_led+0x48/0x58
+sp : ffff80008699bbb0
+x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000
+x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
+x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8
+x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000
+x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010
+x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
+x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1
+x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473
+Call trace:
+ led_put+0x1c/0x40
+ v4l2_subdev_put_privacy_led+0x48/0x58
+ v4l2_async_unregister_subdev+0x2c/0x1a4
+ max96712_remove+0x1c/0x38 [max96712]
+ i2c_device_remove+0x2c/0x9c
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1cc/0x228
+ driver_detach+0x4c/0x98
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ i2c_del_driver+0x54/0x64
+ max96712_i2c_driver_exit+0x18/0x1d0 [max96712]
+ __arm64_sys_delete_module+0x1a4/0x290
+ invoke_syscall+0x48/0x10c
+ el0_svc_common.constprop.0+0xc0/0xe0
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x34/0xd8
+ el0t_64_sync_handler+0x120/0x12c
+ el0t_64_sync+0x190/0x194
+Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)
+---[ end trace 0000000000000000 ]---
+
+This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()
+is called again and the data is overwritten to point to sd, instead of
+priv. So, in remove(), the wrong pointer is passed to
+v4l2_async_unregister_subdev(), leading to a crash.
+
+Fixes: 5814f32fef13 ("media: staging: max96712: Add basic support for MAX96712 GMSL2 deserializer")
+Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/max96712/max96712.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/max96712/max96712.c
++++ b/drivers/staging/media/max96712/max96712.c
+@@ -376,7 +376,6 @@ static int max96712_probe(struct i2c_cli
+ return -ENOMEM;
+
+ priv->client = client;
+- i2c_set_clientdata(client, priv);
+
+ priv->regmap = devm_regmap_init_i2c(client, &max96712_i2c_regmap);
+ if (IS_ERR(priv->regmap))
+@@ -409,7 +408,8 @@ static int max96712_probe(struct i2c_cli
+
+ static void max96712_remove(struct i2c_client *client)
+ {
+- struct max96712_priv *priv = i2c_get_clientdata(client);
++ struct v4l2_subdev *sd = i2c_get_clientdata(client);
++ struct max96712_priv *priv = container_of(sd, struct max96712_priv, sd);
+
+ v4l2_async_unregister_subdev(&priv->sd);
+
--- /dev/null
+From c225d006a31949d673e646d585d9569bc28feeb9 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:31:36 +0000
+Subject: usb: gadget: f_tcm: Don't free command immediately
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit c225d006a31949d673e646d585d9569bc28feeb9 upstream.
+
+Don't prematurely free the command. Wait for the status completion of
+the sense status. It can be freed then. Otherwise we will double-free
+the command.
+
+Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/ae919ac431f16275e05ec819bdffb3ac5f44cbe1.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -1066,7 +1066,6 @@ static void usbg_cmd_work(struct work_st
+ out:
+ transport_send_check_condition_and_sense(se_cmd,
+ TCM_UNSUPPORTED_SCSI_OPCODE, 1);
+- transport_generic_free_cmd(&cmd->se_cmd, 0);
+ }
+
+ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
+@@ -1195,7 +1194,6 @@ static void bot_cmd_work(struct work_str
+ out:
+ transport_send_check_condition_and_sense(se_cmd,
+ TCM_UNSUPPORTED_SCSI_OPCODE, 1);
+- transport_generic_free_cmd(&cmd->se_cmd, 0);
+ }
+
+ static int bot_submit_command(struct f_uas *fu,
projects / thirdparty / kernel / stable-queue.git / commitdiff
