From: Greg Kroah-Hartman Date: Fri, 6 Dec 2024 10:17:28 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.6.64~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=42da5c821176aad62cee32f5a0f271746a75f804;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch cpufreq-scmi-fix-cleanup-path-when-boost-enablement-fails.patch efi-libstub-free-correct-pointer-on-failure.patch ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch iommu-io-pgtable-arm-fix-stage-2-map-unmap-for-concatenated-tables.patch kunit-fix-potential-null-dereference-in-kunit_device_driver_test.patch kunit-string-stream-fix-a-uaf-bug-in-kunit_init_suite.patch leds-lp55xx-remove-redundant-test-for-invalid-channel-number.patch maple_tree-refine-mas_store_root-on-storing-null.patch media-amphion-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch media-imx-jpeg-ensure-power-suppliers-be-suspended-before-detach-them.patch media-ov08x40-fix-burst-write-sequence.patch media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch media-platform-exynos4-is-fix-an-of-node-reference-leak-in-fimc_md_is_isp_available.patch media-platform-rga-fix-32-bit-dma-limitation.patch media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch media-uvcvideo-stop-stream-during-unregister.patch media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch media-verisilicon-av1-fix-reference-video-buffer-pointer-assignment.patch mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch net-phy-dp83869-fix-status-reporting-for-1000base-x-autonegotiation.patch 
ovl-filter-invalid-inodes-with-missing-lookup-function.patch powerpc-vdso-drop-mstack-protector-guard-flags-in-32-bit-files-with-clang.patch tracing-fix-function-timing-profiler-to-initialize-hashtable.patch vmstat-call-fold_vm_zone_numa_events-before-show-per-zone-numa-event.patch zram-clear-idle-flag-after-recompression.patch --- diff --git a/queue-6.12/clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch b/queue-6.12/clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch new file mode 100644 index 00000000000..a85c06a473f --- /dev/null +++ b/queue-6.12/clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch 
@@ -0,0 +1,51 @@ +From 36d202241d234fa4ac50743510d098ad52bd193a Mon Sep 17 00:00:00 2001 +From: Gabor Juhos +Date: Tue, 22 Oct 2024 11:45:56 +0200 +Subject: clk: qcom: gcc-qcs404: fix initial rate of GPLL3 + +From: Gabor Juhos + +commit 36d202241d234fa4ac50743510d098ad52bd193a upstream. + +The comment before the config of the GPLL3 PLL says that the +PLL should run at 930 MHz. In contrary to this, calculating +the frequency from the current configuration values by using +19.2 MHz as input frequency defined in 'qcs404.dtsi', it gives +921.6 MHz: + + $ xo=19200000; l=48; alpha=0x0; alpha_hi=0x0 + $ echo "$xo * ($((l)) + $(((alpha_hi << 32 | alpha) >> 8)) / 2^32)" | bc -l + 921600000.00000000000000000000 + +Set 'alpha_hi' in the configuration to a value used in downstream +kernels [1][2] in order to get the correct output rate: + + $ xo=19200000; l=48; alpha=0x0; alpha_hi=0x70 + $ echo "$xo * ($((l)) + $(((alpha_hi << 32 | alpha) >> 8)) / 2^32)" | bc -l + 930000000.00000000000000000000 + +The change is based on static code analysis, compile tested only. 
+ +[1] https://git.codelinaro.org/clo/la/kernel/msm-5.4/-/blob/kernel.lnx.5.4.r56-rel/drivers/clk/qcom/gcc-qcs404.c?ref_type=heads#L335 +[2} https://git.codelinaro.org/clo/la/kernel/msm-5.15/-/blob/kernel.lnx.5.15.r49-rel/drivers/clk/qcom/gcc-qcs404.c?ref_type=heads#L127 + +Cc: stable@vger.kernel.org +Fixes: 652f1813c113 ("clk: qcom: gcc: Add global clock controller driver for QCS404") +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/r/20241022-fix-gcc-qcs404-gpll3-v1-1-c4d30d634d19@gmail.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/qcom/gcc-qcs404.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/qcom/gcc-qcs404.c ++++ b/drivers/clk/qcom/gcc-qcs404.c +@@ -131,6 +131,7 @@ static struct clk_alpha_pll gpll1_out_ma + /* 930MHz configuration */ + static const struct alpha_pll_config gpll3_config = { + .l = 48, ++ .alpha_hi = 0x70, + .alpha = 0x0, + .alpha_en_mask = BIT(24), + .post_div_mask = 0xf << 8, diff --git a/queue-6.12/cpufreq-scmi-fix-cleanup-path-when-boost-enablement-fails.patch b/queue-6.12/cpufreq-scmi-fix-cleanup-path-when-boost-enablement-fails.patch new file mode 100644 index 00000000000..14e016bef9a --- /dev/null +++ b/queue-6.12/cpufreq-scmi-fix-cleanup-path-when-boost-enablement-fails.patch 
@@ -0,0 +1,40 @@ +From 8c776a54d9ef3e945db2fe407ad6ad4525422943 Mon Sep 17 00:00:00 2001 +From: Sibi Sankar +Date: Thu, 31 Oct 2024 18:57:44 +0530 +Subject: cpufreq: scmi: Fix cleanup path when boost enablement fails + +From: Sibi Sankar + +commit 8c776a54d9ef3e945db2fe407ad6ad4525422943 upstream. + +Include free_cpufreq_table in the cleanup path when boost enablement fails. + +cc: stable@vger.kernel.org +Fixes: a8e949d41c72 ("cpufreq: scmi: Enable boost support") +Signed-off-by: Sibi Sankar +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/scmi-cpufreq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/cpufreq/scmi-cpufreq.c ++++ b/drivers/cpufreq/scmi-cpufreq.c +@@ -287,7 +287,7 @@ static int scmi_cpufreq_init(struct cpuf + ret = cpufreq_enable_boost_support(); + if (ret) { + dev_warn(cpu_dev, "failed to enable boost: %d\n", ret); +- goto out_free_opp; ++ goto out_free_table; + } else { + scmi_cpufreq_hw_attr[1] = &cpufreq_freq_attr_scaling_boost_freqs; + scmi_cpufreq_driver.boost_enabled = true; +@@ -296,6 +296,8 @@ static int scmi_cpufreq_init(struct cpuf + + return 0; + ++out_free_table: ++ dev_pm_opp_free_cpufreq_table(cpu_dev, &freq_table); + out_free_opp: + dev_pm_opp_remove_all_dynamic(cpu_dev); + diff --git a/queue-6.12/efi-libstub-free-correct-pointer-on-failure.patch b/queue-6.12/efi-libstub-free-correct-pointer-on-failure.patch new file mode 100644 index 00000000000..6ee83468ba1 --- /dev/null +++ b/queue-6.12/efi-libstub-free-correct-pointer-on-failure.patch 
@@ -0,0 +1,34 @@ +From 06d39d79cbd5a91a33707951ebf2512d0e759847 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Sun, 13 Oct 2024 15:19:04 +0200 +Subject: efi/libstub: Free correct pointer on failure + +From: Ard Biesheuvel + +commit 06d39d79cbd5a91a33707951ebf2512d0e759847 upstream. + +cmdline_ptr is an out parameter, which is not allocated by the function +itself, and likely points into the caller's stack. + +cmdline refers to the pool allocation that should be freed when cleaning +up after a failure, so pass this instead to free_pool(). + +Fixes: 42c8ea3dca09 ("efi: libstub: Factor out EFI stub entrypoint ...") +Cc: +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/libstub/efi-stub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/efi/libstub/efi-stub.c ++++ b/drivers/firmware/efi/libstub/efi-stub.c +@@ -149,7 +149,7 @@ efi_status_t efi_handle_cmdline(efi_load + return EFI_SUCCESS; + + fail_free_cmdline: +- efi_bs_call(free_pool, cmdline_ptr); ++ efi_bs_call(free_pool, cmdline); + return status; + } + diff --git a/queue-6.12/ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch b/queue-6.12/ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch new file mode 100644 index 00000000000..d35b4d90eb2 --- /dev/null +++ b/queue-6.12/ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch 
@@ -0,0 +1,43 @@ +From 45af52e7d3b8560f21d139b3759735eead8b1653 Mon Sep 17 00:00:00 2001 +From: guoweikang +Date: Wed, 20 Nov 2024 13:27:49 +0800 +Subject: ftrace: Fix regression with module command in stack_trace_filter + +From: guoweikang + +commit 45af52e7d3b8560f21d139b3759735eead8b1653 upstream. + +When executing the following command: + + # echo "write*:mod:ext3" > /sys/kernel/tracing/stack_trace_filter + +The current mod command causes a null pointer dereference. While commit +0f17976568b3f ("ftrace: Fix regression with module command in stack_trace_filter") +has addressed part of the issue, it left a corner case unhandled, which still +results in a kernel crash. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mark Rutland +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20241120052750.275463-1-guoweikang.kernel@gmail.com +Fixes: 04ec7bb642b77 ("tracing: Have the trace_array hold the list of registered func probes"); +Signed-off-by: guoweikang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5080,6 +5080,9 @@ ftrace_mod_callback(struct trace_array * + char *func; + int ret; + ++ if (!tr) ++ return -ENODEV; ++ + /* match_records() modifies func, and we need the original */ + func = kstrdup(func_orig, GFP_KERNEL); + if (!func) diff --git a/queue-6.12/iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch b/queue-6.12/iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch new file mode 100644 index 00000000000..1030341d0df --- /dev/null +++ b/queue-6.12/iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch 
@@ -0,0 +1,81 @@ +From 229e6ee43d2a160a1592b83aad620d6027084aad Mon Sep 17 00:00:00 2001 +From: Pratyush Brahma +Date: Fri, 4 Oct 2024 14:34:28 +0530 +Subject: iommu/arm-smmu: Defer probe of clients after smmu device bound + +From: Pratyush Brahma + +commit 229e6ee43d2a160a1592b83aad620d6027084aad upstream. + +Null pointer dereference occurs due to a race between smmu +driver probe and client driver probe, when of_dma_configure() +for client is called after the iommu_device_register() for smmu driver +probe has executed but before the driver_bound() for smmu driver +has been called. + +Following is how the race occurs: + +T1:Smmu device probe T2: Client device probe + +really_probe() +arm_smmu_device_probe() +iommu_device_register() + really_probe() + platform_dma_configure() + of_dma_configure() + of_dma_configure_id() + of_iommu_configure() + iommu_probe_device() + iommu_init_device() + arm_smmu_probe_device() + arm_smmu_get_by_fwnode() + driver_find_device_by_fwnode() + driver_find_device() + next_device() + klist_next() + /* null ptr + assigned to smmu */ + /* null ptr dereference + while smmu->streamid_mask */ +driver_bound() + klist_add_tail() + +When this null smmu pointer is dereferenced later in +arm_smmu_probe_device, the device crashes. + +Fix this by deferring the probe of the client device +until the smmu device has bound to the arm smmu driver. 
+ +Fixes: 021bb8420d44 ("iommu/arm-smmu: Wire up generic configuration support") +Cc: stable@vger.kernel.org +Co-developed-by: Prakash Gupta +Signed-off-by: Prakash Gupta +Signed-off-by: Pratyush Brahma +Link: https://lore.kernel.org/r/20241004090428.2035-1-quic_pbrahma@quicinc.com +[will: Add comment] +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/arm/arm-smmu/arm-smmu.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c +@@ -1437,6 +1437,17 @@ static struct iommu_device *arm_smmu_pro + goto out_free; + } else { + smmu = arm_smmu_get_by_fwnode(fwspec->iommu_fwnode); ++ ++ /* ++ * Defer probe if the relevant SMMU instance hasn't finished ++ * probing yet. This is a fragile hack and we'd ideally ++ * avoid this race in the core code. Until that's ironed ++ * out, however, this is the most pragmatic option on the ++ * table. ++ */ ++ if (!smmu) ++ return ERR_PTR(dev_err_probe(dev, -EPROBE_DEFER, ++ "smmu dev has not bound yet\n")); + } + + ret = -EINVAL; diff --git a/queue-6.12/iommu-io-pgtable-arm-fix-stage-2-map-unmap-for-concatenated-tables.patch b/queue-6.12/iommu-io-pgtable-arm-fix-stage-2-map-unmap-for-concatenated-tables.patch new file mode 100644 index 00000000000..9120b26d65c --- /dev/null +++ b/queue-6.12/iommu-io-pgtable-arm-fix-stage-2-map-unmap-for-concatenated-tables.patch 
@@ -0,0 +1,82 @@ +From d71fa842d33c48ac2809ae11d2379b5a788792cb Mon Sep 17 00:00:00 2001 +From: Mostafa Saleh +Date: Thu, 24 Oct 2024 16:25:15 +0000 +Subject: iommu/io-pgtable-arm: Fix stage-2 map/unmap for concatenated tables + +From: Mostafa Saleh + +commit d71fa842d33c48ac2809ae11d2379b5a788792cb upstream. + +ARM_LPAE_LVL_IDX() takes into account concatenated PGDs and can return +an index spanning multiple page-table pages given a sufficiently large +input address. However, when the resulting index is used to calculate +the number of remaining entries in the page, the possibility of +concatenation is ignored and we end up computing a negative upper bound: + + max_entries = ARM_LPAE_PTES_PER_TABLE(data) - map_idx_start; + +On the map path, this results in a negative 'mapped' value being +returned but on the unmap path we can leak child tables if they are +skipped in __arm_lpae_free_pgtable(). + +Introduce an arm_lpae_max_entries() helper to convert a table index into +the remaining number of entries within a single page-table page. + +Cc: +Signed-off-by: Mostafa Saleh +Link: https://lore.kernel.org/r/20241024162516.2005652-2-smostafa@google.com +[will: Tweaked comment and commit message] +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/io-pgtable-arm.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/io-pgtable-arm.c ++++ b/drivers/iommu/io-pgtable-arm.c +@@ -199,6 +199,18 @@ static phys_addr_t iopte_to_paddr(arm_lp + return (paddr | (paddr << (48 - 12))) & (ARM_LPAE_PTE_ADDR_MASK << 4); + } + ++/* ++ * Convert an index returned by ARM_LPAE_PGD_IDX(), which can point into ++ * a concatenated PGD, into the maximum number of entries that can be ++ * mapped in the same table page. 
++ */ ++static inline int arm_lpae_max_entries(int i, struct arm_lpae_io_pgtable *data) ++{ ++ int ptes_per_table = ARM_LPAE_PTES_PER_TABLE(data); ++ ++ return ptes_per_table - (i & (ptes_per_table - 1)); ++} ++ + static bool selftest_running = false; + + static dma_addr_t __arm_lpae_dma_addr(void *pages) +@@ -390,7 +402,7 @@ static int __arm_lpae_map(struct arm_lpa + + /* If we can install a leaf entry at this level, then do so */ + if (size == block_size) { +- max_entries = ARM_LPAE_PTES_PER_TABLE(data) - map_idx_start; ++ max_entries = arm_lpae_max_entries(map_idx_start, data); + num_entries = min_t(int, pgcount, max_entries); + ret = arm_lpae_init_pte(data, iova, paddr, prot, lvl, num_entries, ptep); + if (!ret) +@@ -592,7 +604,7 @@ static size_t arm_lpae_split_blk_unmap(s + + if (size == split_sz) { + unmap_idx_start = ARM_LPAE_LVL_IDX(iova, lvl, data); +- max_entries = ptes_per_table - unmap_idx_start; ++ max_entries = arm_lpae_max_entries(unmap_idx_start, data); + num_entries = min_t(int, pgcount, max_entries); + } + +@@ -650,7 +662,7 @@ static size_t __arm_lpae_unmap(struct ar + + /* If the size matches this level, we're in the right place */ + if (size == ARM_LPAE_BLOCK_SIZE(lvl, data)) { +- max_entries = ARM_LPAE_PTES_PER_TABLE(data) - unmap_idx_start; ++ max_entries = arm_lpae_max_entries(unmap_idx_start, data); + num_entries = min_t(int, pgcount, max_entries); + + /* Find and handle non-leaf entries */ diff --git a/queue-6.12/kunit-fix-potential-null-dereference-in-kunit_device_driver_test.patch b/queue-6.12/kunit-fix-potential-null-dereference-in-kunit_device_driver_test.patch new file mode 100644 index 00000000000..4b0ae37321e --- /dev/null +++ b/queue-6.12/kunit-fix-potential-null-dereference-in-kunit_device_driver_test.patch 
@@ -0,0 +1,40 @@ +From 435c20eed572a95709b1536ff78832836b2f91b1 Mon Sep 17 00:00:00 2001 +From: Zichen Xie +Date: Thu, 14 Nov 2024 23:43:36 -0600 +Subject: kunit: Fix potential null dereference in kunit_device_driver_test() + +From: Zichen Xie + +commit 435c20eed572a95709b1536ff78832836b2f91b1 upstream. + +kunit_kzalloc() may return a NULL pointer, dereferencing it without +NULL check may lead to NULL dereference. +Add a NULL check for test_state. + +Link: https://lore.kernel.org/r/20241115054335.21673-1-zichenxie0106@gmail.com +Fixes: d03c720e03bd ("kunit: Add APIs for managing devices") +Signed-off-by: Zichen Xie +Cc: stable@vger.kernel.org +Reviewed-by: David Gow +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +--- + lib/kunit/kunit-test.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/kunit/kunit-test.c b/lib/kunit/kunit-test.c +index 37e02be1e710..d9c781c859fd 100644 +--- a/lib/kunit/kunit-test.c ++++ b/lib/kunit/kunit-test.c +@@ -805,6 +805,8 @@ static void kunit_device_driver_test(struct kunit *test) + struct device *test_device; + struct driver_test_state *test_state = kunit_kzalloc(test, sizeof(*test_state), GFP_KERNEL); + ++ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, test_state); ++ + test->priv = test_state; + test_driver = kunit_driver_create(test, "my_driver"); + +-- +2.47.1 + diff --git a/queue-6.12/kunit-string-stream-fix-a-uaf-bug-in-kunit_init_suite.patch b/queue-6.12/kunit-string-stream-fix-a-uaf-bug-in-kunit_init_suite.patch new file mode 100644 index 00000000000..1b12d829f21 --- /dev/null +++ b/queue-6.12/kunit-string-stream-fix-a-uaf-bug-in-kunit_init_suite.patch 
@@ -0,0 +1,100 @@ +From 39e21403c978862846fa68b7f6d06f9cca235194 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Tue, 12 Nov 2024 16:03:14 +0800 +Subject: kunit: string-stream: Fix a UAF bug in kunit_init_suite() + +From: Jinjie Ruan + +commit 39e21403c978862846fa68b7f6d06f9cca235194 upstream. + +In kunit_debugfs_create_suite(), if alloc_string_stream() fails in the +kunit_suite_for_each_test_case() loop, the "suite->log = stream" +has assigned before, and the error path only free the suite->log's stream +memory but not set it to NULL, so the later string_stream_clear() of +suite->log in kunit_init_suite() will cause below UAF bug. + +Set stream pointer to NULL after free to fix it. + + Unable to handle kernel paging request at virtual address 006440150000030d + Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + Data abort info: + ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 + CM = 0, WnR = 0, TnD = 0, TagAccess = 0 + GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 + [006440150000030d] address between user and kernel address ranges + Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP + Dumping ftrace buffer: + (ftrace buffer empty) + Modules linked in: iio_test_gts industrialio_gts_helper cfg80211 rfkill ipv6 [last unloaded: iio_test_gts] + CPU: 5 UID: 0 PID: 6253 Comm: modprobe Tainted: G B W N 6.12.0-rc4+ #458 + Tainted: [B]=BAD_PAGE, [W]=WARN, [N]=TEST + Hardware name: linux,dummy-virt (DT) + pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : string_stream_clear+0x54/0x1ac + lr : string_stream_clear+0x1a8/0x1ac + sp : ffffffc080b47410 + x29: ffffffc080b47410 x28: 006440550000030d x27: ffffff80c96b5e98 + x26: ffffff80c96b5e80 x25: ffffffe461b3f6c0 x24: 0000000000000003 + x23: ffffff80c96b5e88 x22: 1ffffff019cdf4fc x21: dfffffc000000000 + x20: ffffff80ce6fa7e0 x19: 032202a80000186d x18: 0000000000001840 + x17: 
0000000000000000 x16: 0000000000000000 x15: ffffffe45c355cb4 + x14: ffffffe45c35589c x13: ffffffe45c03da78 x12: ffffffb810168e75 + x11: 1ffffff810168e74 x10: ffffffb810168e74 x9 : dfffffc000000000 + x8 : 0000000000000004 x7 : 0000000000000003 x6 : 0000000000000001 + x5 : ffffffc080b473a0 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : 0000000000000001 x1 : ffffffe462fbf620 x0 : dfffffc000000000 + Call trace: + string_stream_clear+0x54/0x1ac + __kunit_test_suites_init+0x108/0x1d8 + kunit_exec_run_tests+0xb8/0x100 + kunit_module_notify+0x400/0x55c + notifier_call_chain+0xfc/0x3b4 + blocking_notifier_call_chain+0x68/0x9c + do_init_module+0x24c/0x5c8 + load_module+0x4acc/0x4e90 + init_module_from_file+0xd4/0x128 + idempotent_init_module+0x2d4/0x57c + __arm64_sys_finit_module+0xac/0x100 + invoke_syscall+0x6c/0x258 + el0_svc_common.constprop.0+0x160/0x22c + do_el0_svc+0x44/0x5c + el0_svc+0x48/0xb8 + el0t_64_sync_handler+0x13c/0x158 + el0t_64_sync+0x190/0x194 + Code: f9400753 d2dff800 f2fbffe0 d343fe7c (38e06b80) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: Oops: Fatal exception + +Link: https://lore.kernel.org/r/20241112080314.407966-1-ruanjinjie@huawei.com +Cc: stable@vger.kernel.org +Fixes: a3fdf784780c ("kunit: string-stream: Decouple string_stream from kunit") +Suggested-by: Kuan-Wei Chiu +Signed-off-by: Jinjie Ruan +Reviewed-by: Kuan-Wei Chiu +Reviewed-by: David Gow +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +--- + lib/kunit/debugfs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/lib/kunit/debugfs.c ++++ b/lib/kunit/debugfs.c +@@ -212,8 +212,11 @@ void kunit_debugfs_create_suite(struct k + + err: + string_stream_destroy(suite->log); +- kunit_suite_for_each_test_case(suite, test_case) ++ suite->log = NULL; ++ kunit_suite_for_each_test_case(suite, test_case) { + string_stream_destroy(test_case->log); ++ test_case->log = NULL; ++ } + } + + void kunit_debugfs_destroy_suite(struct kunit_suite *suite) 
diff --git a/queue-6.12/leds-lp55xx-remove-redundant-test-for-invalid-channel-number.patch b/queue-6.12/leds-lp55xx-remove-redundant-test-for-invalid-channel-number.patch new file mode 100644 index 00000000000..9bd626fce26 --- /dev/null +++ b/queue-6.12/leds-lp55xx-remove-redundant-test-for-invalid-channel-number.patch 
@@ -0,0 +1,54 @@ +From 09b1ef9813a0742674f7efe26104403ca94a1b4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Vok=C3=A1=C4=8D?= +Date: Thu, 17 Oct 2024 17:08:12 +0200 +Subject: leds: lp55xx: Remove redundant test for invalid channel number +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +commit 09b1ef9813a0742674f7efe26104403ca94a1b4a upstream. + +Since commit 92a81562e695 ("leds: lp55xx: Add multicolor framework +support to lp55xx") there are two subsequent tests if the chan_nr +(reg property) is in valid range. One in the lp55xx_init_led() +function and one in the lp55xx_parse_common_child() function that +was added with the mentioned commit. + +There are two issues with that. + +First is in the lp55xx_parse_common_child() function where the reg +property is tested right after it is read from the device tree. +Test for the upper range is not correct though. Valid reg values are +0 to (max_channel - 1) so it should be >=. + +Second issue is that in case the parsed value is out of the range +the probe just fails and no error message is shown as the code never +reaches the second test that prints and error message. + +Remove the test form lp55xx_parse_common_child() function completely +and keep the one in lp55xx_init_led() function to deal with it. + +Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx") +Cc: stable@vger.kernel.org +Signed-off-by: Michal Vokáč +Link: https://lore.kernel.org/r/20241017150812.3563629-1-michal.vokac@ysoft.com +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/leds-lp55xx-common.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/leds/leds-lp55xx-common.c ++++ b/drivers/leds/leds-lp55xx-common.c +@@ -1132,9 +1132,6 @@ static int lp55xx_parse_common_child(str + if (ret) + return ret; + +- if (*chan_nr < 0 || *chan_nr > cfg->max_channel) +- return -EINVAL; +- + return 0; + } + 
diff --git a/queue-6.12/maple_tree-refine-mas_store_root-on-storing-null.patch b/queue-6.12/maple_tree-refine-mas_store_root-on-storing-null.patch new file mode 100644 index 00000000000..1c943a76ca2 --- /dev/null +++ b/queue-6.12/maple_tree-refine-mas_store_root-on-storing-null.patch 
@@ -0,0 +1,76 @@ +From 0ea120b278ad7f7cfeeb606e150ad04b192df60b Mon Sep 17 00:00:00 2001 +From: Wei Yang +Date: Thu, 31 Oct 2024 23:16:26 +0000 +Subject: maple_tree: refine mas_store_root() on storing NULL + +From: Wei Yang + +commit 0ea120b278ad7f7cfeeb606e150ad04b192df60b upstream. + +Currently, when storing NULL on mas_store_root(), the behavior could be +improved. + +Storing NULLs over the entire tree may result in a node being used to +store a single range. Further stores of NULL may cause the node and +tree to be corrupt and cause incorrect behaviour. Fixing the store to +the root null fixes the issue by ensuring that a range of 0 - ULONG_MAX +results in an empty tree. + +Users of the tree may experience incorrect values returned if the tree +was expanded to store values, then overwritten by all NULLS, then +continued to store NULLs over the empty area. + +For example possible cases are: + + * store NULL at any range result a new node + * store NULL at range [m, n] where m > 0 to a single entry tree result + a new node with range [m, n] set to NULL + * store NULL at range [m, n] where m > 0 to an empty tree result + consecutive NULL slot + * it allows for multiple NULL entries by expanding root + to store NULLs to an empty tree + +This patch tries to improve in: + + * memory efficient by setting to empty tree instead of using a node + * remove the possibility of consecutive NULL slot which will prohibit + extended null in later operation + +Link: https://lkml.kernel.org/r/20241031231627.14316-5-richard.weiyang@gmail.com +Fixes: 54a611b60590 ("Maple Tree: add new data structure") +Signed-off-by: Wei Yang +Reviewed-by: Liam R. Howlett +Cc: Liam R. 
Howlett +Cc: Sidhartha Kumar +Cc: Lorenzo Stoakes +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/maple_tree.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/lib/maple_tree.c ++++ b/lib/maple_tree.c +@@ -3439,9 +3439,20 @@ static inline int mas_root_expand(struct + return slot; + } + ++/* ++ * mas_store_root() - Storing value into root. ++ * @mas: The maple state ++ * @entry: The entry to store. ++ * ++ * There is no root node now and we are storing a value into the root - this ++ * function either assigns the pointer or expands into a node. ++ */ + static inline void mas_store_root(struct ma_state *mas, void *entry) + { +- if (likely((mas->last != 0) || (mas->index != 0))) ++ if (!entry) { ++ if (!mas->index) ++ rcu_assign_pointer(mas->tree->ma_root, NULL); ++ } else if (likely((mas->last != 0) || (mas->index != 0))) + mas_root_expand(mas, entry); + else if (((unsigned long) (entry) & 3) == 2) + mas_root_expand(mas, entry); diff --git a/queue-6.12/media-amphion-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch b/queue-6.12/media-amphion-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch new file mode 100644 index 00000000000..8a0878169a8 --- /dev/null +++ b/queue-6.12/media-amphion-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch 
@@ -0,0 +1,36 @@ +From 316e74500d1c6589cba28cebe2864a0bceeb2396 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Fri, 1 Nov 2024 17:40:49 +0800 +Subject: media: amphion: Fix pm_runtime_set_suspended() with runtime pm enabled + +From: Jinjie Ruan + +commit 316e74500d1c6589cba28cebe2864a0bceeb2396 upstream. + +It is not valid to call pm_runtime_set_suspended() for devices +with runtime PM enabled because it returns -EAGAIN if it is enabled +already and working. So, call pm_runtime_disable() before to fix it. + +Cc: stable@vger.kernel.org +Fixes: b50a64fc54af ("media: amphion: add amphion vpu device driver") +Signed-off-by: Jinjie Ruan +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/amphion/vpu_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/amphion/vpu_drv.c ++++ b/drivers/media/platform/amphion/vpu_drv.c +@@ -151,8 +151,8 @@ err_add_decoder: + media_device_cleanup(&vpu->mdev); + v4l2_device_unregister(&vpu->v4l2_dev); + err_vpu_deinit: +- pm_runtime_set_suspended(dev); + pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); + + return ret; + } diff --git a/queue-6.12/media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch b/queue-6.12/media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch new file mode 100644 index 00000000000..7d3b2f834b0 --- /dev/null +++ b/queue-6.12/media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch 
@@ -0,0 +1,37 @@ +From d2842dec577900031826dc44e9bf0c66416d7173 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Mon, 28 Oct 2024 16:02:56 +0800 +Subject: media: gspca: ov534-ov772x: Fix off-by-one error in set_frame_rate() + +From: Jinjie Ruan + +commit d2842dec577900031826dc44e9bf0c66416d7173 upstream. + +In set_frame_rate(), select a rate in rate_0 or rate_1 by checking +sd->frame_rate >= r->fps in a loop, but the loop condition terminates when +the index reaches zero, which fails to check the last elememt in rate_0 or +rate_1. + +Check for >= 0 so that the last one in rate_0 or rate_1 is also checked. + +Fixes: 189d92af707e ("V4L/DVB (13422): gspca - ov534: ov772x changes from Richard Kaswy.") +Cc: stable@vger.kernel.org +Signed-off-by: Jinjie Ruan +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/gspca/ov534.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/gspca/ov534.c ++++ b/drivers/media/usb/gspca/ov534.c +@@ -847,7 +847,7 @@ static void set_frame_rate(struct gspca_ + r = rate_1; + i = ARRAY_SIZE(rate_1); + } +- while (--i > 0) { ++ while (--i >= 0) { + if (sd->frame_rate >= r->fps) + break; + r++; diff --git a/queue-6.12/media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch b/queue-6.12/media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch new file mode 100644 index 00000000000..add77d87612 --- /dev/null +++ b/queue-6.12/media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch 
@@ -0,0 +1,79 @@ +From 869f38ae07f7df829da4951c3d1f7a2be09c2e9a Mon Sep 17 00:00:00 2001 +From: Alexander Shiyan +Date: Wed, 9 Oct 2024 09:05:44 +0300 +Subject: media: i2c: tc358743: Fix crash in the probe error path when using polling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexander Shiyan + +commit 869f38ae07f7df829da4951c3d1f7a2be09c2e9a upstream. + +If an error occurs in the probe() function, we should remove the polling +timer that was alarmed earlier, otherwise the timer is called with +arguments that are already freed, which results in a crash. + +------------[ cut here ]------------ +WARNING: CPU: 3 PID: 0 at kernel/time/timer.c:1830 __run_timers+0x244/0x268 +Modules linked in: +CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.11.0 #226 +Hardware name: Diasom DS-RK3568-SOM-EVB (DT) +pstate: 804000c9 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : __run_timers+0x244/0x268 +lr : __run_timers+0x1d4/0x268 +sp : ffffff80eff2baf0 +x29: ffffff80eff2bb50 x28: 7fffffffffffffff x27: ffffff80eff2bb00 +x26: ffffffc080f669c0 x25: ffffff80efef6bf0 x24: ffffff80eff2bb00 +x23: 0000000000000000 x22: dead000000000122 x21: 0000000000000000 +x20: ffffff80efef6b80 x19: ffffff80041c8bf8 x18: ffffffffffffffff +x17: ffffffc06f146000 x16: ffffff80eff27dc0 x15: 000000000000003e +x14: 0000000000000000 x13: 00000000000054da x12: 0000000000000000 +x11: 00000000000639c0 x10: 000000000000000c x9 : 0000000000000009 +x8 : ffffff80eff2cb40 x7 : ffffff80eff2cb40 x6 : ffffff8002bee480 +x5 : ffffffc080cb2220 x4 : ffffffc080cb2150 x3 : 00000000000f4240 +x2 : 0000000000000102 x1 : ffffff80eff2bb00 x0 : ffffff80041c8bf0 +Call trace: + __run_timers+0x244/0x268 + timer_expire_remote+0x50/0x68 + tmigr_handle_remote+0x388/0x39c + run_timer_softirq+0x38/0x44 + handle_softirqs+0x138/0x298 + __do_softirq+0x14/0x20 + ____do_softirq+0x10/0x1c + call_on_irq_stack+0x24/0x4c + do_softirq_own_stack+0x1c/0x2c + irq_exit_rcu+0x9c/0xcc + 
el1_interrupt+0x48/0xc0 + el1h_64_irq_handler+0x18/0x24 + el1h_64_irq+0x7c/0x80 + default_idle_call+0x34/0x68 + do_idle+0x23c/0x294 + cpu_startup_entry+0x38/0x3c + secondary_start_kernel+0x128/0x160 + __secondary_switched+0xb8/0xbc +---[ end trace 0000000000000000 ]--- + +Fixes: 4e66a52a2e4c ("[media] tc358743: Add support for platforms without IRQ line") +Signed-off-by: Alexander Shiyan +Cc: stable@vger.kernel.org +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/tc358743.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -2168,8 +2168,10 @@ static int tc358743_probe(struct i2c_cli + + err_work_queues: + cec_unregister_adapter(state->cec_adap); +- if (!state->i2c_client->irq) ++ if (!state->i2c_client->irq) { ++ del_timer(&state->timer); + flush_work(&state->work_i2c_poll); ++ } + cancel_delayed_work(&state->delayed_work_enable_hotplug); + mutex_destroy(&state->confctl_mutex); + err_hdl: diff --git a/queue-6.12/media-imx-jpeg-ensure-power-suppliers-be-suspended-before-detach-them.patch b/queue-6.12/media-imx-jpeg-ensure-power-suppliers-be-suspended-before-detach-them.patch new file mode 100644 index 00000000000..3debfee75b9 --- /dev/null +++ b/queue-6.12/media-imx-jpeg-ensure-power-suppliers-be-suspended-before-detach-them.patch 
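Review bot: in the err_work_queues path of tc358743_probe(), `del_timer(&state->timer)` only deactivates a pending timer and does not wait for a callback that is already executing on another CPU. If that callback queues work_i2c_poll or re-arms the timer, it can still touch `state` after this block, which is the same freed-argument crash the commit message describes. `del_timer_sync()` before `flush_work(&state->work_i2c_poll)` would close that window; if the remove path has the same sequence, it deserves the same check.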
@@ -0,0 +1,78 @@ +From fd0af4cd35da0eb550ef682b71cda70a4e36f6b9 Mon Sep 17 00:00:00 2001 +From: Ming Qian +Date: Fri, 13 Sep 2024 15:22:54 +0900 +Subject: media: imx-jpeg: Ensure power suppliers be suspended before detach them + +From: Ming Qian + +commit fd0af4cd35da0eb550ef682b71cda70a4e36f6b9 upstream. + +The power suppliers are always requested to suspend asynchronously, +dev_pm_domain_detach() requires the caller to ensure proper +synchronization of this function with power management callbacks. +otherwise the detach may led to kernel panic, like below: + +[ 1457.107934] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000040 +[ 1457.116777] Mem abort info: +[ 1457.119589] ESR = 0x0000000096000004 +[ 1457.123358] EC = 0x25: DABT (current EL), IL = 32 bits +[ 1457.128692] SET = 0, FnV = 0 +[ 1457.131764] EA = 0, S1PTW = 0 +[ 1457.134920] FSC = 0x04: level 0 translation fault +[ 1457.139812] Data abort info: +[ 1457.142707] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 +[ 1457.148196] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 +[ 1457.153256] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 +[ 1457.158563] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001138b6000 +[ 1457.165000] [0000000000000040] pgd=0000000000000000, p4d=0000000000000000 +[ 1457.171792] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP +[ 1457.178045] Modules linked in: v4l2_jpeg wave6_vpu_ctrl(-) [last unloaded: mxc_jpeg_encdec] +[ 1457.186383] CPU: 0 PID: 51938 Comm: kworker/0:3 Not tainted 6.6.36-gd23d64eea511 #66 +[ 1457.194112] Hardware name: NXP i.MX95 19X19 board (DT) +[ 1457.199236] Workqueue: pm pm_runtime_work +[ 1457.203247] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 1457.210188] pc : genpd_runtime_suspend+0x20/0x290 +[ 1457.214886] lr : __rpm_callback+0x48/0x1d8 +[ 1457.218968] sp : ffff80008250bc50 +[ 1457.222270] x29: ffff80008250bc50 x28: 0000000000000000 x27: 0000000000000000 +[ 1457.229394] x26: 0000000000000000 x25: 
0000000000000008 x24: 00000000000f4240 +[ 1457.236518] x23: 0000000000000000 x22: ffff00008590f0e4 x21: 0000000000000008 +[ 1457.243642] x20: ffff80008099c434 x19: ffff00008590f000 x18: ffffffffffffffff +[ 1457.250766] x17: 5300326563697665 x16: 645f676e696c6f6f x15: 63343a6d726f6674 +[ 1457.257890] x14: 0000000000000004 x13: 00000000000003a4 x12: 0000000000000002 +[ 1457.265014] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff80008250bbb0 +[ 1457.272138] x8 : ffff000092937200 x7 : ffff0003fdf6af80 x6 : 0000000000000000 +[ 1457.279262] x5 : 00000000410fd050 x4 : 0000000000200000 x3 : 0000000000000000 +[ 1457.286386] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008590f000 +[ 1457.293510] Call trace: +[ 1457.295946] genpd_runtime_suspend+0x20/0x290 +[ 1457.300296] __rpm_callback+0x48/0x1d8 +[ 1457.304038] rpm_callback+0x6c/0x78 +[ 1457.307515] rpm_suspend+0x10c/0x570 +[ 1457.311077] pm_runtime_work+0xc4/0xc8 +[ 1457.314813] process_one_work+0x138/0x248 +[ 1457.318816] worker_thread+0x320/0x438 +[ 1457.322552] kthread+0x110/0x114 +[ 1457.325767] ret_from_fork+0x10/0x20 + +Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") +Cc: +Signed-off-by: Ming Qian +Reviewed-by: TaoJiang +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c ++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c +@@ -2679,6 +2679,8 @@ static void mxc_jpeg_detach_pm_domains(s + int i; + + for (i = 0; i < jpeg->num_domains; i++) { ++ if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i])) ++ pm_runtime_force_suspend(jpeg->pd_dev[i]); + if (jpeg->pd_link[i] && !IS_ERR(jpeg->pd_link[i])) + device_link_del(jpeg->pd_link[i]); + if (jpeg->pd_dev[i] && !IS_ERR(jpeg->pd_dev[i])) 
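Review bot: in mxc_jpeg_detach_pm_domains(), the two added lines test only `jpeg->pd_dev[i]` for non-NULL, while the existing line below guards the same pointer with `!IS_ERR(jpeg->pd_dev[i])`. If an entry can hold an error pointer, as that guard implies, it is now passed to pm_runtime_suspended() and pm_runtime_force_suspend() first. Use the same `jpeg->pd_dev[i] && !IS_ERR(jpeg->pd_dev[i])` condition for the new block (or IS_ERR_OR_NULL()). The return value of pm_runtime_force_suspend() is also dropped; at least log a failure, since the detach that follows assumes the supplier is suspended.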
diff --git a/queue-6.12/media-ov08x40-fix-burst-write-sequence.patch b/queue-6.12/media-ov08x40-fix-burst-write-sequence.patch new file mode 100644 index 00000000000..6d5e3180a63 --- /dev/null +++ b/queue-6.12/media-ov08x40-fix-burst-write-sequence.patch 
@@ -0,0 +1,87 @@ +From d0fef6de4f1b957e35a05a5ba4aab2a2576d6686 Mon Sep 17 00:00:00 2001 +From: Bryan O'Donoghue +Date: Thu, 10 Oct 2024 13:33:17 +0100 +Subject: media: ov08x40: Fix burst write sequence + +From: Bryan O'Donoghue + +commit d0fef6de4f1b957e35a05a5ba4aab2a2576d6686 upstream. + +It is necessary to account for I2C quirks in the burst mode path of this +driver. Not all I2C controllers can accept arbitrarily long writes and this +is represented in the quirks field of the adapter structure. + +Prior to this patch the following error message is seen on a Qualcomm +X1E80100 CRD. + +[ 38.773524] i2c i2c-2: adapter quirk: msg too long (addr 0x0036, size 290, write) +[ 38.781454] ov08x40 2-0036: Failed regs transferred: -95 +[ 38.787076] ov08x40 2-0036: ov08x40_start_streaming failed to set regs + +Fix the error by breaking up the write sequence into the advertised maximum +write size of the quirks field if the quirks field is populated. + +Fixes: 8f667d202384 ("media: ov08x40: Reduce start streaming time") +Cc: stable@vger.kernel.org # v6.9+ +Tested-by: Bryan O'Donoghue # x1e80100-crd +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov08x40.c | 33 ++++++++++++++++++++++++++++----- + 1 file changed, 28 insertions(+), 5 deletions(-) + +--- a/drivers/media/i2c/ov08x40.c ++++ b/drivers/media/i2c/ov08x40.c +@@ -1339,15 +1339,13 @@ static int ov08x40_read_reg(struct ov08x + return 0; + } + +-static int ov08x40_burst_fill_regs(struct ov08x40 *ov08x, u16 first_reg, +- u16 last_reg, u8 val) ++static int __ov08x40_burst_fill_regs(struct i2c_client *client, u16 first_reg, ++ u16 last_reg, size_t num_regs, u8 val) + { +- struct i2c_client *client = v4l2_get_subdevdata(&ov08x->sd); + struct i2c_msg msgs; +- size_t i, num_regs; ++ size_t i; + int ret; + +- num_regs = last_reg - first_reg + 1; + msgs.addr = client->addr; + msgs.flags = 0; + msgs.len = 2 + num_regs; +@@ 
-1371,6 +1369,31 @@ static int ov08x40_burst_fill_regs(struc + } + + return 0; ++} ++ ++static int ov08x40_burst_fill_regs(struct ov08x40 *ov08x, u16 first_reg, ++ u16 last_reg, u8 val) ++{ ++ struct i2c_client *client = v4l2_get_subdevdata(&ov08x->sd); ++ size_t num_regs, num_write_regs; ++ int ret; ++ ++ num_regs = last_reg - first_reg + 1; ++ num_write_regs = num_regs; ++ ++ if (client->adapter->quirks && client->adapter->quirks->max_write_len) ++ num_write_regs = client->adapter->quirks->max_write_len - 2; ++ ++ while (first_reg < last_reg) { ++ ret = __ov08x40_burst_fill_regs(client, first_reg, last_reg, ++ num_write_regs, val); ++ if (ret) ++ return ret; ++ ++ first_reg += num_write_regs; ++ } ++ ++ return 0; + } + + /* Write registers up to 4 at a time */ diff --git a/queue-6.12/media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch b/queue-6.12/media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch new file mode 100644 index 00000000000..f28fe23c6cd --- /dev/null +++ b/queue-6.12/media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch 
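Review bot: in the new ov08x40_burst_fill_regs() loop, the chunk size is never clamped to the registers that remain, and the `first_reg < last_reg` test drops a final single register. Every call passes the full `num_write_regs`, so when the range is not a multiple of the chunk size the last transfer is sized past `last_reg`; and when `first_reg` lands exactly on `last_reg` the loop exits without writing it. Compute the remaining count per iteration (`last_reg - first_reg + 1`), pass the smaller of that and `num_write_regs`, and loop on `first_reg <= last_reg`. Two smaller points: `max_write_len - 2` wraps in size_t if an adapter advertises a limit below 3, and `first_reg += num_write_regs` can wrap the u16 near the top of the register space, so both want a guard.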
@@ -0,0 +1,37 @@ +From 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 Mon Sep 17 00:00:00 2001 +From: Gaosheng Cui +Date: Wed, 9 Oct 2024 16:28:02 +0800 +Subject: media: platform: allegro-dvt: Fix possible memory leak in allocate_buffers_internal() + +From: Gaosheng Cui + +commit 0f514068fbc5d4d189c817adc7c4e32cffdc2e47 upstream. + +The buffer in the loop should be released under the exception path, +otherwise there may be a memory leak here. + +To mitigate this, free the buffer when allegro_alloc_buffer fails. + +Fixes: f20387dfd065 ("media: allegro: add Allegro DVT video IP core driver") +Cc: +Signed-off-by: Gaosheng Cui +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/allegro-dvt/allegro-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/allegro-dvt/allegro-core.c ++++ b/drivers/media/platform/allegro-dvt/allegro-core.c +@@ -1509,8 +1509,10 @@ static int allocate_buffers_internal(str + INIT_LIST_HEAD(&buffer->head); + + err = allegro_alloc_buffer(dev, buffer, size); +- if (err) ++ if (err) { ++ kfree(buffer); + goto err; ++ } + list_add(&buffer->head, list); + } + diff --git a/queue-6.12/media-platform-exynos4-is-fix-an-of-node-reference-leak-in-fimc_md_is_isp_available.patch b/queue-6.12/media-platform-exynos4-is-fix-an-of-node-reference-leak-in-fimc_md_is_isp_available.patch new file mode 100644 index 00000000000..ecd4a84e895 --- /dev/null +++ b/queue-6.12/media-platform-exynos4-is-fix-an-of-node-reference-leak-in-fimc_md_is_isp_available.patch 
@@ -0,0 +1,39 @@ +From 8964eb23408243ae0016d1f8473c76f64ff25d20 Mon Sep 17 00:00:00 2001 +From: Joe Hattori +Date: Mon, 4 Nov 2024 19:01:19 +0900 +Subject: media: platform: exynos4-is: Fix an OF node reference leak in fimc_md_is_isp_available + +From: Joe Hattori + +commit 8964eb23408243ae0016d1f8473c76f64ff25d20 upstream. + +In fimc_md_is_isp_available(), of_get_child_by_name() is called to check +if FIMC-IS is available. Current code does not decrement the refcount of +the returned device node, which causes an OF node reference leak. Fix it +by calling of_node_put() at the end of the variable scope. + +Signed-off-by: Joe Hattori +Fixes: e781bbe3fecf ("[media] exynos4-is: Add fimc-is subdevs registration") +Cc: stable@vger.kernel.org +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Hans Verkuil +[hverkuil: added CC to stable] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/samsung/exynos4-is/media-dev.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/samsung/exynos4-is/media-dev.h ++++ b/drivers/media/platform/samsung/exynos4-is/media-dev.h +@@ -178,8 +178,9 @@ int fimc_md_set_camclk(struct v4l2_subde + #ifdef CONFIG_OF + static inline bool fimc_md_is_isp_available(struct device_node *node) + { +- node = of_get_child_by_name(node, FIMC_IS_OF_NODE_NAME); +- return node ? of_device_is_available(node) : false; ++ struct device_node *child __free(device_node) = ++ of_get_child_by_name(node, FIMC_IS_OF_NODE_NAME); ++ return child ? of_device_is_available(child) : false; + } + #else + #define fimc_md_is_isp_available(node) (false) diff --git a/queue-6.12/media-platform-rga-fix-32-bit-dma-limitation.patch b/queue-6.12/media-platform-rga-fix-32-bit-dma-limitation.patch new file mode 100644 index 00000000000..c512fd46f2a --- /dev/null +++ b/queue-6.12/media-platform-rga-fix-32-bit-dma-limitation.patch 
@@ -0,0 +1,34 @@ +From 953c03d8cb41d08fe6994f5d94c4393ac9da2f13 Mon Sep 17 00:00:00 2001 +From: John Keeping +Date: Mon, 12 Aug 2024 15:35:55 +0100 +Subject: media: platform: rga: fix 32-bit DMA limitation + +From: John Keeping + +commit 953c03d8cb41d08fe6994f5d94c4393ac9da2f13 upstream. + +The destination buffer flags are assigned twice but source is not set in +what looks like a copy+paste mistake. Assign the source queue flags so +the 32-bit DMA limitation is handled consistently. + +Fixes: ec9ef8dda2a2 ("media: rockchip: rga: set dma mask to 32 bits") +Cc: +Signed-off-by: John Keeping +Reviewed-by: Michael Tretter +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/rockchip/rga/rga.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/rockchip/rga/rga.c ++++ b/drivers/media/platform/rockchip/rga/rga.c +@@ -102,7 +102,7 @@ queue_init(void *priv, struct vb2_queue + src_vq->drv_priv = ctx; + src_vq->ops = &rga_qops; + src_vq->mem_ops = &vb2_dma_sg_memops; +- dst_vq->gfp_flags = __GFP_DMA32; ++ src_vq->gfp_flags = __GFP_DMA32; + src_vq->buf_struct_size = sizeof(struct rga_vb_buffer); + src_vq->timestamp_flags = V4L2_BUF_FLAG_TIMESTAMP_COPY; + src_vq->lock = &ctx->rga->mutex; diff --git a/queue-6.12/media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch b/queue-6.12/media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch new file mode 100644 index 00000000000..4f773a8486f --- /dev/null +++ b/queue-6.12/media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch 
@@ -0,0 +1,73 @@ +From 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba Mon Sep 17 00:00:00 2001 +From: Li Zetao +Date: Thu, 10 Oct 2024 23:41:13 +0800 +Subject: media: ts2020: fix null-ptr-deref in ts2020_probe() + +From: Li Zetao + +commit 4a058b34b52ed3feb1f3ff6fd26aefeeeed20cba upstream. + +KASAN reported a null-ptr-deref issue when executing the following +command: + + # echo ts2020 0x20 > /sys/bus/i2c/devices/i2c-0/new_device + KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] + CPU: 53 UID: 0 PID: 970 Comm: systemd-udevd Not tainted 6.12.0-rc2+ #24 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009) + RIP: 0010:ts2020_probe+0xad/0xe10 [ts2020] + RSP: 0018:ffffc9000abbf598 EFLAGS: 00010202 + RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffffc0714809 + RDX: 0000000000000002 RSI: ffff88811550be00 RDI: 0000000000000010 + RBP: ffff888109868800 R08: 0000000000000001 R09: fffff52001577eb6 + R10: 0000000000000000 R11: ffffc9000abbff50 R12: ffffffffc0714790 + R13: 1ffff92001577eb8 R14: ffffffffc07190d0 R15: 0000000000000001 + FS: 00007f95f13b98c0(0000) GS:ffff888149280000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000555d2634b000 CR3: 0000000152236000 CR4: 00000000000006f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + + ts2020_probe+0xad/0xe10 [ts2020] + i2c_device_probe+0x421/0xb40 + really_probe+0x266/0x850 + ... + +The cause of the problem is that when using sysfs to dynamically register +an i2c device, there is no platform data, but the probe process of ts2020 +needs to use platform data, resulting in a null pointer being accessed. + +Solve this problem by adding checks to platform data. 
+ +Fixes: dc245a5f9b51 ("[media] ts2020: implement I2C client bindings") +Cc: +Signed-off-by: Li Zetao +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/ts2020.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/ts2020.c ++++ b/drivers/media/dvb-frontends/ts2020.c +@@ -553,13 +553,19 @@ static void ts2020_regmap_unlock(void *_ + static int ts2020_probe(struct i2c_client *client) + { + struct ts2020_config *pdata = client->dev.platform_data; +- struct dvb_frontend *fe = pdata->fe; ++ struct dvb_frontend *fe; + struct ts2020_priv *dev; + int ret; + u8 u8tmp; + unsigned int utmp; + char *chip_str; + ++ if (!pdata) { ++ dev_err(&client->dev, "platform data is mandatory\n"); ++ return -EINVAL; ++ } ++ ++ fe = pdata->fe; + dev = kzalloc(sizeof(*dev), GFP_KERNEL); + if (!dev) { + ret = -ENOMEM; diff --git a/queue-6.12/media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch b/queue-6.12/media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch new file mode 100644 index 00000000000..71ebb66a78d --- /dev/null +++ b/queue-6.12/media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch 
@@ -0,0 +1,279 @@ +From 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 13 Sep 2024 15:06:01 -0300 +Subject: media: uvcvideo: Require entities to have a non-zero unique ID + +From: Thadeu Lima de Souza Cascardo + +commit 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195 upstream. + +Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero +unique ID. + +``` +Each Unit and Terminal within the video function is assigned a unique +identification number, the Unit ID (UID) or Terminal ID (TID), contained in +the bUnitID or bTerminalID field of the descriptor. The value 0x00 is +reserved for undefined ID, +``` + +So, deny allocating an entity with ID 0 or an ID that belongs to a unit +that is already added to the list of entities. + +This also prevents some syzkaller reproducers from triggering warnings due +to a chain of entities referring to themselves. In one particular case, an +Output Unit is connected to an Input Unit, both with the same ID of 1. But +when looking up for the source ID of the Output Unit, that same entity is +found instead of the input entity, which leads to such warnings. + +In another case, a backward chain was considered finished as the source ID +was 0. Later on, that entity was found, but its pads were not valid. + +Here is a sample stack trace for one of those cases. + +[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd +[ 20.830206] usb 1-1: Using ep0 maxpacket: 8 +[ 20.833501] usb 1-1: config 0 descriptor?? +[ 21.038518] usb 1-1: string descriptor 0 read error: -71 +[ 21.038893] usb 1-1: Found UVC 0.00 device (2833:0201) +[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! +[ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! 
+[ 21.042218] ------------[ cut here ]------------ +[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0 +[ 21.043195] Modules linked in: +[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 +[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +[ 21.044639] Workqueue: usb_hub_wq hub_event +[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0 +[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 +[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 +[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 +[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 +[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 +[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 +[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 +[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 +[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 +[ 21.051136] PKRU: 55555554 +[ 21.051331] Call Trace: +[ 21.051480] +[ 21.051611] ? __warn+0xc4/0x210 +[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0 +[ 21.052252] ? report_bug+0x11b/0x1a0 +[ 21.052540] ? trace_hardirqs_on+0x31/0x40 +[ 21.052901] ? handle_bug+0x3d/0x70 +[ 21.053197] ? exc_invalid_op+0x1a/0x50 +[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20 +[ 21.053924] ? media_create_pad_link+0x91/0x2e0 +[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0 +[ 21.054834] ? media_create_pad_link+0x91/0x2e0 +[ 21.055131] ? _raw_spin_unlock+0x1e/0x40 +[ 21.055441] ? 
__v4l2_device_register_subdev+0x202/0x210 +[ 21.055837] uvc_mc_register_entities+0x358/0x400 +[ 21.056144] uvc_register_chains+0x1fd/0x290 +[ 21.056413] uvc_probe+0x380e/0x3dc0 +[ 21.056676] ? __lock_acquire+0x5aa/0x26e0 +[ 21.056946] ? find_held_lock+0x33/0xa0 +[ 21.057196] ? kernfs_activate+0x70/0x80 +[ 21.057533] ? usb_match_dynamic_id+0x1b/0x70 +[ 21.057811] ? find_held_lock+0x33/0xa0 +[ 21.058047] ? usb_match_dynamic_id+0x55/0x70 +[ 21.058330] ? lock_release+0x124/0x260 +[ 21.058657] ? usb_match_one_id_intf+0xa2/0x100 +[ 21.058997] usb_probe_interface+0x1ba/0x330 +[ 21.059399] really_probe+0x1ba/0x4c0 +[ 21.059662] __driver_probe_device+0xb2/0x180 +[ 21.059944] driver_probe_device+0x5a/0x100 +[ 21.060170] __device_attach_driver+0xe9/0x160 +[ 21.060427] ? __pfx___device_attach_driver+0x10/0x10 +[ 21.060872] bus_for_each_drv+0xa9/0x100 +[ 21.061312] __device_attach+0xed/0x190 +[ 21.061812] device_initial_probe+0xe/0x20 +[ 21.062229] bus_probe_device+0x4d/0xd0 +[ 21.062590] device_add+0x308/0x590 +[ 21.062912] usb_set_configuration+0x7b6/0xaf0 +[ 21.063403] usb_generic_driver_probe+0x36/0x80 +[ 21.063714] usb_probe_device+0x7b/0x130 +[ 21.063936] really_probe+0x1ba/0x4c0 +[ 21.064111] __driver_probe_device+0xb2/0x180 +[ 21.064577] driver_probe_device+0x5a/0x100 +[ 21.065019] __device_attach_driver+0xe9/0x160 +[ 21.065403] ? __pfx___device_attach_driver+0x10/0x10 +[ 21.065820] bus_for_each_drv+0xa9/0x100 +[ 21.066094] __device_attach+0xed/0x190 +[ 21.066535] device_initial_probe+0xe/0x20 +[ 21.066992] bus_probe_device+0x4d/0xd0 +[ 21.067250] device_add+0x308/0x590 +[ 21.067501] usb_new_device+0x347/0x610 +[ 21.067817] hub_event+0x156b/0x1e30 +[ 21.068060] ? process_scheduled_works+0x48b/0xaf0 +[ 21.068337] process_scheduled_works+0x5a3/0xaf0 +[ 21.068668] worker_thread+0x3cf/0x560 +[ 21.068932] ? kthread+0x109/0x1b0 +[ 21.069133] kthread+0x197/0x1b0 +[ 21.069343] ? __pfx_worker_thread+0x10/0x10 +[ 21.069598] ? 
__pfx_kthread+0x10/0x10 +[ 21.069908] ret_from_fork+0x32/0x40 +[ 21.070169] ? __pfx_kthread+0x10/0x10 +[ 21.070424] ret_from_fork_asm+0x1a/0x30 +[ 21.070737] + +Cc: stable@vger.kernel.org +Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675 +Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b +Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads") +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240913180601.1400596-2-cascardo@igalia.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 70 ++++++++++++++++++++++--------------- + 1 file changed, 43 insertions(+), 27 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -775,14 +775,27 @@ static const u8 uvc_media_transport_inpu + UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT; + static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING; + +-static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id, +- unsigned int num_pads, unsigned int extra_size) ++static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type, ++ u16 id, unsigned int num_pads, ++ unsigned int extra_size) + { + struct uvc_entity *entity; + unsigned int num_inputs; + unsigned int size; + unsigned int i; + ++ /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */ ++ if (id == 0) { ++ dev_err(&dev->udev->dev, "Found Unit with invalid ID 0.\n"); ++ return ERR_PTR(-EINVAL); ++ } ++ ++ /* Per UVC 1.1+ spec 3.7.2, the ID is unique. 
*/ ++ if (uvc_entity_by_id(dev, id)) { ++ dev_err(&dev->udev->dev, "Found multiple Units with ID %u\n", id); ++ return ERR_PTR(-EINVAL); ++ } ++ + extra_size = roundup(extra_size, sizeof(*entity->pads)); + if (num_pads) + num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1; +@@ -792,7 +805,7 @@ static struct uvc_entity *uvc_alloc_enti + + num_inputs; + entity = kzalloc(size, GFP_KERNEL); + if (entity == NULL) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + entity->id = id; + entity->type = type; +@@ -904,10 +917,10 @@ static int uvc_parse_vendor_control(stru + break; + } + +- unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3], +- p + 1, 2*n); +- if (unit == NULL) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT, ++ buffer[3], p + 1, 2 * n); ++ if (IS_ERR(unit)) ++ return PTR_ERR(unit); + + memcpy(unit->guid, &buffer[4], 16); + unit->extension.bNumControls = buffer[20]; +@@ -1016,10 +1029,10 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3], +- 1, n + p); +- if (term == NULL) +- return -ENOMEM; ++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT, ++ buffer[3], 1, n + p); ++ if (IS_ERR(term)) ++ return PTR_ERR(term); + + if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) { + term->camera.bControlSize = n; +@@ -1075,10 +1088,10 @@ static int uvc_parse_standard_control(st + return 0; + } + +- term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3], +- 1, 0); +- if (term == NULL) +- return -ENOMEM; ++ term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT, ++ buffer[3], 1, 0); ++ if (IS_ERR(term)) ++ return PTR_ERR(term); + + memcpy(term->baSourceID, &buffer[7], 1); + +@@ -1097,9 +1110,10 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0); +- if (unit == NULL) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], ++ p + 1, 0); ++ if (IS_ERR(unit)) ++ 
return PTR_ERR(unit); + + memcpy(unit->baSourceID, &buffer[5], p); + +@@ -1119,9 +1133,9 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n); +- if (unit == NULL) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n); ++ if (IS_ERR(unit)) ++ return PTR_ERR(unit); + + memcpy(unit->baSourceID, &buffer[4], 1); + unit->processing.wMaxMultiplier = +@@ -1148,9 +1162,10 @@ static int uvc_parse_standard_control(st + return -EINVAL; + } + +- unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n); +- if (unit == NULL) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], ++ p + 1, n); ++ if (IS_ERR(unit)) ++ return PTR_ERR(unit); + + memcpy(unit->guid, &buffer[4], 16); + unit->extension.bNumControls = buffer[20]; +@@ -1290,9 +1305,10 @@ static int uvc_gpio_parse(struct uvc_dev + return dev_err_probe(&dev->udev->dev, irq, + "No IRQ for privacy GPIO\n"); + +- unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1); +- if (!unit) +- return -ENOMEM; ++ unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT, ++ UVC_EXT_GPIO_UNIT_ID, 0, 1); ++ if (IS_ERR(unit)) ++ return PTR_ERR(unit); + + unit->gpio.gpio_privacy = gpio_privacy; + unit->gpio.irq = irq; diff --git a/queue-6.12/media-uvcvideo-stop-stream-during-unregister.patch b/queue-6.12/media-uvcvideo-stop-stream-during-unregister.patch new file mode 100644 index 00000000000..af50dbab6e1 --- /dev/null +++ b/queue-6.12/media-uvcvideo-stop-stream-during-unregister.patch 
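Review bot: in uvc_alloc_new_entity(), a zero or duplicate ID now returns ERR_PTR(-EINVAL) and every converted caller passes that straight out of the descriptor parser, so a device whose descriptors violate section 3.7.2 goes from "binds with a warning" to "parse fails". That is the safer behaviour for the malformed-descriptor cases in the commit message, but it is a user-visible change for any hardware already shipping with duplicate IDs; say so in the commit message, or add a comment by the checks explaining why rejecting is preferred over skipping the offending unit. The same uniqueness check now applies in uvc_gpio_parse(), where the ID is the driver-chosen UVC_EXT_GPIO_UNIT_ID: a device that declares a unit with that value will make GPIO unit creation fail, which is worth a comment there. Minor: the two dev_err() strings differ in trailing punctuation, and the first comment says the ID "should be" non-zero while the code treats it as mandatory.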
@@ -0,0 +1,84 @@ +From c9ec6f1736363b2b2bb4e266997389740f628441 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Thu, 26 Sep 2024 05:59:06 +0000 +Subject: media: uvcvideo: Stop stream during unregister + +From: Ricardo Ribalda + +commit c9ec6f1736363b2b2bb4e266997389740f628441 upstream. + +uvc_unregister_video() can be called asynchronously from +uvc_disconnect(). If the device is still streaming when that happens, a +plethora of race conditions can occur. + +Make sure that the device has stopped streaming before exiting this +function. + +If the user still holds handles to the driver's file descriptors, any +ioctl will return -ENODEV from the v4l2 core. + +This change makes uvc more consistent with the rest of the v4l2 drivers +using the vb2_fop_* and vb2_ioctl_* helpers. + +This driver (and many other usb drivers) always had this problem, but it +wasn't possible to easily fix this until the vb2_video_unregister_device() +helper was added. So the Fixes tag points to the creation of that helper. + +Reviewed-by: Hans Verkuil +Suggested-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Reviewed-by: Mauro Carvalho Chehab +Fixes: f729ef5796d8 ("media: videobuf2-v4l2.c: add vb2_video_unregister_device helper function") +Cc: stable@vger.kernel.org # 5.10.x +[hverkuil: add note regarding Fixes version] +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1919,11 +1919,41 @@ static void uvc_unregister_video(struct + struct uvc_streaming *stream; + + list_for_each_entry(stream, &dev->streams, list) { ++ /* Nothing to do here, continue. */ + if (!video_is_registered(&stream->vdev)) + continue; + ++ /* ++ * For stream->vdev we follow the same logic as: ++ * vb2_video_unregister_device(). ++ */ ++ ++ /* 1. 
Take a reference to vdev */ ++ get_device(&stream->vdev.dev); ++ ++ /* 2. Ensure that no new ioctls can be called. */ + video_unregister_device(&stream->vdev); +- video_unregister_device(&stream->meta.vdev); ++ ++ /* 3. Wait for old ioctls to finish. */ ++ mutex_lock(&stream->mutex); ++ ++ /* 4. Stop streaming. */ ++ uvc_queue_release(&stream->queue); ++ ++ mutex_unlock(&stream->mutex); ++ ++ put_device(&stream->vdev.dev); ++ ++ /* ++ * For stream->meta.vdev we can directly call: ++ * vb2_video_unregister_device(). ++ */ ++ vb2_video_unregister_device(&stream->meta.vdev); ++ ++ /* ++ * Now both vdevs are not streaming and all the ioctls will ++ * return -ENODEV. ++ */ + + uvc_debugfs_cleanup_stream(stream); + } diff --git a/queue-6.12/media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch b/queue-6.12/media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch new file mode 100644 index 00000000000..2aeb8be0648 --- /dev/null +++ b/queue-6.12/media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch 
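Review bot: in uvc_unregister_video(), step 3 ("Wait for old ioctls to finish") is only true if every ioctl path holds `stream->mutex` for its full duration, and nothing near the `mutex_lock(&stream->mutex)` says so. Add a sentence to the comment naming `stream->mutex` as the lock that serializes ioctls on `stream->vdev`, so the ordering argument can be checked against the file operations. Also, `uvc_queue_release(&stream->queue)` now runs at unregister time; the hunk does not show whether the later stream teardown releases the queue again, so confirm that a second release is harmless or remove the later one.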
@@ -0,0 +1,37 @@ +From 2a20869f7d798aa2b69e45b863eaf1b1ecf98278 Mon Sep 17 00:00:00 2001 +From: Jinjie Ruan +Date: Fri, 1 Nov 2024 17:40:50 +0800 +Subject: media: venus: Fix pm_runtime_set_suspended() with runtime pm enabled + +From: Jinjie Ruan + +commit 2a20869f7d798aa2b69e45b863eaf1b1ecf98278 upstream. + +It is not valid to call pm_runtime_set_suspended() for devices +with runtime PM enabled because it returns -EAGAIN if it is enabled +already and working. So, call pm_runtime_disable() before to fix it. + +Cc: stable@vger.kernel.org +Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") +Signed-off-by: Jinjie Ruan +Reviewed-by: Bryan O'Donoghue +Acked-by: Stanimir Varbanov +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -412,8 +412,8 @@ err_of_depopulate: + of_platform_depopulate(dev); + err_runtime_disable: + pm_runtime_put_noidle(dev); +- pm_runtime_set_suspended(dev); + pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); + hfi_destroy(core); + err_core_deinit: + hfi_core_deinit(core, false); diff --git a/queue-6.12/media-verisilicon-av1-fix-reference-video-buffer-pointer-assignment.patch b/queue-6.12/media-verisilicon-av1-fix-reference-video-buffer-pointer-assignment.patch new file mode 100644 index 00000000000..3bb2dbc7e1d --- /dev/null +++ b/queue-6.12/media-verisilicon-av1-fix-reference-video-buffer-pointer-assignment.patch 
@@ -0,0 +1,38 @@ +From 672f24ed6ebcd986688c6674a6d994a265fefc25 Mon Sep 17 00:00:00 2001 +From: Benjamin Gaignard +Date: Tue, 10 Sep 2024 14:10:09 +0000 +Subject: media: verisilicon: av1: Fix reference video buffer pointer assignment + +From: Benjamin Gaignard + +commit 672f24ed6ebcd986688c6674a6d994a265fefc25 upstream. + +Always get new destination buffer for reference frame because nothing +garantees the one set previously is still valid or unused. + +Fixes this chromium test suite: +https://chromium.googlesource.com/chromium/src/media/+/refs/heads/main/test/data/test-25fps.av1.ivf + +Fixes: 727a400686a2 ("media: verisilicon: Add Rockchip AV1 decoder") +Cc: +Signed-off-by: Benjamin Gaignard +Reviewed-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +[hverkuil: fix typo and add link to chromium test suite] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/verisilicon/rockchip_vpu981_hw_av1_dec.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/platform/verisilicon/rockchip_vpu981_hw_av1_dec.c ++++ b/drivers/media/platform/verisilicon/rockchip_vpu981_hw_av1_dec.c +@@ -161,8 +161,7 @@ static int rockchip_vpu981_av1_dec_frame + av1_dec->frame_refs[i].timestamp = timestamp; + av1_dec->frame_refs[i].frame_type = frame->frame_type; + av1_dec->frame_refs[i].order_hint = frame->order_hint; +- if (!av1_dec->frame_refs[i].vb2_ref) +- av1_dec->frame_refs[i].vb2_ref = hantro_get_dst_buf(ctx); ++ av1_dec->frame_refs[i].vb2_ref = hantro_get_dst_buf(ctx); + + for (j = 0; j < V4L2_AV1_TOTAL_REFS_PER_FRAME; j++) + av1_dec->frame_refs[i].order_hints[j] = frame->order_hints[j]; diff --git a/queue-6.12/mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch b/queue-6.12/mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch new file mode 100644 index 00000000000..7b3d9381e60 --- /dev/null +++ b/queue-6.12/mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch 
@@ -0,0 +1,122 @@ +From f3c7a1ede435e2e45177d7a490a85fb0a0ec96d1 Mon Sep 17 00:00:00 2001 +From: Zheng Yejian +Date: Tue, 22 Oct 2024 16:39:26 +0800 +Subject: mm/damon/vaddr: fix issue in damon_va_evenly_split_region() + +From: Zheng Yejian + +commit f3c7a1ede435e2e45177d7a490a85fb0a0ec96d1 upstream. + +Patch series "mm/damon/vaddr: Fix issue in +damon_va_evenly_split_region()". v2. + +According to the logic of damon_va_evenly_split_region(), currently +following split case would not meet the expectation: + + Suppose DAMON_MIN_REGION=0x1000, + Case: Split [0x0, 0x3000) into 2 pieces, then the result would be + acutually 3 regions: + [0x0, 0x1000), [0x1000, 0x2000), [0x2000, 0x3000) + but NOT the expected 2 regions: + [0x0, 0x1000), [0x1000, 0x3000) !!! + +The root cause is that when calculating size of each split piece in +damon_va_evenly_split_region(): + + `sz_piece = ALIGN_DOWN(sz_orig / nr_pieces, DAMON_MIN_REGION);` + +both the dividing and the ALIGN_DOWN may cause loss of precision, then +each time split one piece of size 'sz_piece' from origin 'start' to 'end' +would cause more pieces are split out than expected!!! + +To fix it, count for each piece split and make sure no more than +'nr_pieces'. In addition, add above case into damon_test_split_evenly(). + +And add 'nr_piece == 1' check in damon_va_evenly_split_region() for better +code readability and add a corresponding kunit testcase. + + +This patch (of 2): + +According to the logic of damon_va_evenly_split_region(), currently +following split case would not meet the expectation: + + Suppose DAMON_MIN_REGION=0x1000, + Case: Split [0x0, 0x3000) into 2 pieces, then the result would be + acutually 3 regions: + [0x0, 0x1000), [0x1000, 0x2000), [0x2000, 0x3000) + but NOT the expected 2 regions: + [0x0, 0x1000), [0x1000, 0x3000) !!! 
+ +The root cause is that when calculating size of each split piece in +damon_va_evenly_split_region(): + + `sz_piece = ALIGN_DOWN(sz_orig / nr_pieces, DAMON_MIN_REGION);` + +both the dividing and the ALIGN_DOWN may cause loss of precision, +then each time split one piece of size 'sz_piece' from origin 'start' to +'end' would cause more pieces are split out than expected!!! + +To fix it, count for each piece split and make sure no more than +'nr_pieces'. In addition, add above case into damon_test_split_evenly(). + +After this patch, damon-operations test passed: + + # ./tools/testing/kunit/kunit.py run damon-operations + [...] + ============== damon-operations (6 subtests) =============== + [PASSED] damon_test_three_regions_in_vmas + [PASSED] damon_test_apply_three_regions1 + [PASSED] damon_test_apply_three_regions2 + [PASSED] damon_test_apply_three_regions3 + [PASSED] damon_test_apply_three_regions4 + [PASSED] damon_test_split_evenly + ================ [PASSED] damon-operations ================= + +Link: https://lkml.kernel.org/r/20241022083927.3592237-1-zhengyejian@huaweicloud.com +Link: https://lkml.kernel.org/r/20241022083927.3592237-2-zhengyejian@huaweicloud.com +Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces") +Signed-off-by: Zheng Yejian +Reviewed-by: SeongJae Park +Cc: Fernand Sieber +Cc: Leonard Foerster +Cc: Shakeel Butt +Cc: Ye Weihua +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/tests/vaddr-kunit.h | 1 + + mm/damon/vaddr.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/damon/tests/vaddr-kunit.h ++++ b/mm/damon/tests/vaddr-kunit.h +@@ -300,6 +300,7 @@ static void damon_test_split_evenly(stru + damon_test_split_evenly_fail(test, 0, 100, 0); + damon_test_split_evenly_succ(test, 0, 100, 10); + damon_test_split_evenly_succ(test, 5, 59, 5); ++ damon_test_split_evenly_succ(test, 0, 3, 2); + damon_test_split_evenly_fail(test, 5, 6, 2); + } + +--- 
a/mm/damon/vaddr.c ++++ b/mm/damon/vaddr.c +@@ -67,6 +67,7 @@ static int damon_va_evenly_split_region( + unsigned long sz_orig, sz_piece, orig_end; + struct damon_region *n = NULL, *next; + unsigned long start; ++ unsigned int i; + + if (!r || !nr_pieces) + return -EINVAL; +@@ -80,8 +81,7 @@ static int damon_va_evenly_split_region( + + r->ar.end = r->ar.start + sz_piece; + next = damon_next_region(r); +- for (start = r->ar.end; start + sz_piece <= orig_end; +- start += sz_piece) { ++ for (start = r->ar.end, i = 1; i < nr_pieces; start += sz_piece, i++) { + n = damon_new_region(start, start + sz_piece); + if (!n) + return -ENOMEM; diff --git a/queue-6.12/net-phy-dp83869-fix-status-reporting-for-1000base-x-autonegotiation.patch b/queue-6.12/net-phy-dp83869-fix-status-reporting-for-1000base-x-autonegotiation.patch new file mode 100644 index 00000000000..4a1a1cfd01d --- /dev/null +++ b/queue-6.12/net-phy-dp83869-fix-status-reporting-for-1000base-x-autonegotiation.patch 
@@ -0,0 +1,86 @@ +From 378e8feea9a70d37a5dc1678b7ec27df21099fa5 Mon Sep 17 00:00:00 2001 +From: Romain Gantois +Date: Tue, 12 Nov 2024 15:06:08 +0100 +Subject: net: phy: dp83869: fix status reporting for 1000base-x autonegotiation + +From: Romain Gantois + +commit 378e8feea9a70d37a5dc1678b7ec27df21099fa5 upstream. + +The DP83869 PHY transceiver supports converting from RGMII to 1000base-x. +In this operation mode, autonegotiation can be performed, as described in +IEEE802.3. + +The DP83869 has a set of fiber-specific registers located at offset 0xc00. +When the transceiver is configured in RGMII-to-1000base-x mode, these +registers are mapped onto offset 0, which should make reading the +autonegotiation status transparent. + +However, the fiber registers at offset 0xc04 and 0xc05 follow the bit +layout specified in Clause 37, and genphy_read_status() assumes a Clause 22 +layout. Thus, genphy_read_status() doesn't properly read the capabilities +advertised by the link partner, resulting in incorrect link parameters. + +Similarly, genphy_config_aneg() doesn't properly write advertised +capabilities. + +Fix the 1000base-x autonegotiation procedure by replacing +genphy_read_status() and genphy_config_aneg() with their Clause 37 +equivalents. 
+ +Fixes: a29de52ba2a1 ("net: dp83869: Add ability to advertise Fiber connection") +Cc: stable@vger.kernel.org +Signed-off-by: Romain Gantois +Link: https://patch.msgid.link/20241112-dp83869-1000base-x-v3-1-36005f4ab0d9@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83869.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/net/phy/dp83869.c ++++ b/drivers/net/phy/dp83869.c +@@ -153,19 +153,32 @@ struct dp83869_private { + int mode; + }; + ++static int dp83869_config_aneg(struct phy_device *phydev) ++{ ++ struct dp83869_private *dp83869 = phydev->priv; ++ ++ if (dp83869->mode != DP83869_RGMII_1000_BASE) ++ return genphy_config_aneg(phydev); ++ ++ return genphy_c37_config_aneg(phydev); ++} ++ + static int dp83869_read_status(struct phy_device *phydev) + { + struct dp83869_private *dp83869 = phydev->priv; ++ bool changed; + int ret; + ++ if (dp83869->mode == DP83869_RGMII_1000_BASE) ++ return genphy_c37_read_status(phydev, &changed); ++ + ret = genphy_read_status(phydev); + if (ret) + return ret; + +- if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, phydev->supported)) { ++ if (dp83869->mode == DP83869_RGMII_100_BASE) { + if (phydev->link) { +- if (dp83869->mode == DP83869_RGMII_100_BASE) +- phydev->speed = SPEED_100; ++ phydev->speed = SPEED_100; + } else { + phydev->speed = SPEED_UNKNOWN; + phydev->duplex = DUPLEX_UNKNOWN; +@@ -898,6 +911,7 @@ static int dp83869_phy_reset(struct phy_ + .soft_reset = dp83869_phy_reset, \ + .config_intr = dp83869_config_intr, \ + .handle_interrupt = dp83869_handle_interrupt, \ ++ .config_aneg = dp83869_config_aneg, \ + .read_status = dp83869_read_status, \ + .get_tunable = dp83869_get_tunable, \ + .set_tunable = dp83869_set_tunable, \ 
diff --git a/queue-6.12/ovl-filter-invalid-inodes-with-missing-lookup-function.patch b/queue-6.12/ovl-filter-invalid-inodes-with-missing-lookup-function.patch new file mode 100644 index 00000000000..866feeefebe --- /dev/null +++ b/queue-6.12/ovl-filter-invalid-inodes-with-missing-lookup-function.patch @@ -0,0 +1,38 @@ +From c8b359dddb418c60df1a69beea01d1b3322bfe83 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Tue, 19 Nov 2024 18:58:17 +0300 +Subject: ovl: Filter invalid inodes with missing lookup function + +From: Vasiliy Kovalev + +commit c8b359dddb418c60df1a69beea01d1b3322bfe83 upstream. + +Add a check to the ovl_dentry_weird() function to prevent the +processing of directory inodes that lack the lookup function. +This is important because such inodes can cause errors in overlayfs +when passed to the lowerstack. + +Reported-by: syzbot+a8c9d476508bd14a90e5@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=a8c9d476508bd14a90e5 +Suggested-by: Miklos Szeredi +Link: https://lore.kernel.org/linux-unionfs/CAJfpegvx-oS9XGuwpJx=Xe28_jzWx5eRo1y900_ZzWY+=gGzUg@mail.gmail.com/ +Signed-off-by: Vasiliy Kovalev +Cc: +Signed-off-by: Amir Goldstein +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/util.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/overlayfs/util.c ++++ b/fs/overlayfs/util.c +@@ -197,6 +197,9 @@ void ovl_dentry_init_flags(struct dentry + + bool ovl_dentry_weird(struct dentry *dentry) + { ++ if (!d_can_lookup(dentry) && !d_is_file(dentry) && !d_is_symlink(dentry)) ++ return true; ++ + return dentry->d_flags & (DCACHE_NEED_AUTOMOUNT | + DCACHE_MANAGE_TRANSIT | + DCACHE_OP_HASH | diff --git a/queue-6.12/powerpc-vdso-drop-mstack-protector-guard-flags-in-32-bit-files-with-clang.patch b/queue-6.12/powerpc-vdso-drop-mstack-protector-guard-flags-in-32-bit-files-with-clang.patch new file mode 100644 index 00000000000..bb4f45bfbe1 --- /dev/null 
+++ b/queue-6.12/powerpc-vdso-drop-mstack-protector-guard-flags-in-32-bit-files-with-clang.patch 
@@ -0,0 +1,53 @@ +From d677ce521334d8f1f327cafc8b1b7854b0833158 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 30 Oct 2024 11:41:37 -0700 +Subject: powerpc/vdso: Drop -mstack-protector-guard flags in 32-bit files with clang + +From: Nathan Chancellor + +commit d677ce521334d8f1f327cafc8b1b7854b0833158 upstream. + +Under certain conditions, the 64-bit '-mstack-protector-guard' flags may +end up in the 32-bit vDSO flags, resulting in build failures due to the +structure of clang's argument parsing of the stack protector options, +which validates the arguments of the stack protector guard flags +unconditionally in the frontend, choking on the 64-bit values when +targeting 32-bit: + + clang: error: invalid value 'r13' in 'mstack-protector-guard-reg=', expected one of: r2 + clang: error: invalid value 'r13' in 'mstack-protector-guard-reg=', expected one of: r2 + make[3]: *** [arch/powerpc/kernel/vdso/Makefile:85: arch/powerpc/kernel/vdso/vgettimeofday-32.o] Error 1 + make[3]: *** [arch/powerpc/kernel/vdso/Makefile:87: arch/powerpc/kernel/vdso/vgetrandom-32.o] Error 1 + +Remove these flags by adding them to the CC32FLAGSREMOVE variable, which +already handles situations similar to this. Additionally, reformat and +align a comment better for the expanding CONFIG_CC_IS_CLANG block. 
+ +Cc: stable@vger.kernel.org # v6.1+ +Signed-off-by: Nathan Chancellor +Signed-off-by: Michael Ellerman +Link: https://patch.msgid.link/20241030-powerpc-vdso-drop-stackp-flags-clang-v1-1-d95e7376d29c@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/vdso/Makefile | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/vdso/Makefile ++++ b/arch/powerpc/kernel/vdso/Makefile +@@ -54,10 +54,14 @@ ldflags-y += $(filter-out $(CC_AUTO_VAR_ + + CC32FLAGS := -m32 + CC32FLAGSREMOVE := -mcmodel=medium -mabi=elfv1 -mabi=elfv2 -mcall-aixdesc +- # This flag is supported by clang for 64-bit but not 32-bit so it will cause +- # an unused command line flag warning for this file. + ifdef CONFIG_CC_IS_CLANG ++# This flag is supported by clang for 64-bit but not 32-bit so it will cause ++# an unused command line flag warning for this file. + CC32FLAGSREMOVE += -fno-stack-clash-protection ++# -mstack-protector-guard values from the 64-bit build are not valid for the ++# 32-bit one. clang validates the values passed to these arguments during ++# parsing, even when -fno-stack-protector is passed afterwards. ++CC32FLAGSREMOVE += -mstack-protector-guard% + endif + LD32FLAGS := -Wl,-soname=linux-vdso32.so.1 + AS32FLAGS := -D__VDSO32__ diff --git a/queue-6.12/series b/queue-6.12/series index 2f09707e420..bbb78d65c9b 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -22,3 +22,33 @@ media-imx-jpeg-set-video-drvdata-before-register-video-device.patch media-mtk-jpeg-fix-null-ptr-deref-during-unload-module.patch media-i2c-dw9768-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch arm64-dts-freescale-imx8mp-verdin-fix-sd-regulator-startup-delay.patch +media-i2c-tc358743-fix-crash-in-the-probe-error-path-when-using-polling.patch +media-imx-jpeg-ensure-power-suppliers-be-suspended-before-detach-them.patch +media-platform-rga-fix-32-bit-dma-limitation.patch +media-verisilicon-av1-fix-reference-video-buffer-pointer-assignment.patch +media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch +media-platform-exynos4-is-fix-an-of-node-reference-leak-in-fimc_md_is_isp_available.patch +efi-libstub-free-correct-pointer-on-failure.patch +net-phy-dp83869-fix-status-reporting-for-1000base-x-autonegotiation.patch +media-amphion-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch +media-venus-fix-pm_runtime_set_suspended-with-runtime-pm-enabled.patch +media-gspca-ov534-ov772x-fix-off-by-one-error-in-set_frame_rate.patch +media-ov08x40-fix-burst-write-sequence.patch +media-platform-allegro-dvt-fix-possible-memory-leak-in-allocate_buffers_internal.patch +media-uvcvideo-stop-stream-during-unregister.patch +media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch +tracing-fix-function-timing-profiler-to-initialize-hashtable.patch +kunit-fix-potential-null-dereference-in-kunit_device_driver_test.patch +kunit-string-stream-fix-a-uaf-bug-in-kunit_init_suite.patch +ovl-filter-invalid-inodes-with-missing-lookup-function.patch +maple_tree-refine-mas_store_root-on-storing-null.patch +ftrace-fix-regression-with-module-command-in-stack_trace_filter.patch +vmstat-call-fold_vm_zone_numa_events-before-show-per-zone-numa-event.patch +zram-clear-idle-flag-after-recompression.patch +iommu-io-pgtable-arm-fix-stage-2-map-unmap-for-concatenated-tables.patch +iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch 
+leds-lp55xx-remove-redundant-test-for-invalid-channel-number.patch +mm-damon-vaddr-fix-issue-in-damon_va_evenly_split_region.patch +powerpc-vdso-drop-mstack-protector-guard-flags-in-32-bit-files-with-clang.patch +cpufreq-scmi-fix-cleanup-path-when-boost-enablement-fails.patch +clk-qcom-gcc-qcs404-fix-initial-rate-of-gpll3.patch diff --git a/queue-6.12/tracing-fix-function-timing-profiler-to-initialize-hashtable.patch b/queue-6.12/tracing-fix-function-timing-profiler-to-initialize-hashtable.patch new file mode 100644 index 00000000000..97bf0b60e4b --- /dev/null +++ b/queue-6.12/tracing-fix-function-timing-profiler-to-initialize-hashtable.patch @@ -0,0 +1,35 @@ +From c54a1a06daa78613519b4d24495b0d175b8af63f Mon Sep 17 00:00:00 2001 +From: "Masami Hiramatsu (Google)" +Date: Sun, 18 Aug 2024 21:50:28 +0900 +Subject: tracing: Fix function timing profiler to initialize hashtable + +From: Masami Hiramatsu (Google) + +commit c54a1a06daa78613519b4d24495b0d175b8af63f upstream. + +Since the new fgraph requires to initialize fgraph_ops.ops.func_hash before +calling register_ftrace_graph(), initialize it with default (tracing all +functions) parameter. + +Cc: stable@vger.kernel.org +Fixes: 5fccc7552ccb ("ftrace: Add subops logic to allow one ops to manage many") +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -883,6 +883,10 @@ static void profile_graph_return(struct + } + + static struct fgraph_ops fprofiler_ops = { ++ .ops = { ++ .flags = FTRACE_OPS_FL_INITIALIZED, ++ INIT_OPS_HASH(fprofiler_ops.ops) ++ }, + .entryfunc = &profile_graph_entry, + .retfunc = &profile_graph_return, + }; 
diff --git a/queue-6.12/vmstat-call-fold_vm_zone_numa_events-before-show-per-zone-numa-event.patch b/queue-6.12/vmstat-call-fold_vm_zone_numa_events-before-show-per-zone-numa-event.patch new file mode 100644 index 00000000000..3d393d96528 --- /dev/null +++ b/queue-6.12/vmstat-call-fold_vm_zone_numa_events-before-show-per-zone-numa-event.patch @@ -0,0 +1,46 @@ +From 2ea80b039b9af0b71c00378523b71c254fb99c23 Mon Sep 17 00:00:00 2001 +From: MengEn Sun +Date: Fri, 1 Nov 2024 12:06:38 +0800 +Subject: vmstat: call fold_vm_zone_numa_events() before show per zone NUMA event + +From: MengEn Sun + +commit 2ea80b039b9af0b71c00378523b71c254fb99c23 upstream. + +Since 5.14-rc1, NUMA events will only be folded from per-CPU statistics to +per zone and global statistics when the user actually needs it. + +Currently, the kernel has performs the fold operation when reading +/proc/vmstat, but does not perform the fold operation in /proc/zoneinfo. +This can lead to inaccuracies in the following statistics in zoneinfo: +- numa_hit +- numa_miss +- numa_foreign +- numa_interleave +- numa_local +- numa_other + +Therefore, before printing per-zone vm_numa_event when reading +/proc/zoneinfo, we should also perform the fold operation. + +Link: https://lkml.kernel.org/r/1730433998-10461-1-git-send-email-mengensun@tencent.com +Fixes: f19298b9516c ("mm/vmstat: convert NUMA statistics to basic NUMA counters") +Signed-off-by: MengEn Sun +Reviewed-by: JinLiang Zheng +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmstat.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1780,6 +1780,7 @@ static void zoneinfo_show_print(struct s + zone_page_state(zone, i)); + + #ifdef CONFIG_NUMA ++ fold_vm_zone_numa_events(zone); + for (i = 0; i < NR_VM_NUMA_EVENT_ITEMS; i++) + seq_printf(m, "\n %-12s %lu", numa_stat_name(i), + zone_numa_event_state(zone, i)); 
diff --git a/queue-6.12/zram-clear-idle-flag-after-recompression.patch b/queue-6.12/zram-clear-idle-flag-after-recompression.patch new file mode 100644 index 00000000000..8649410bb0c --- /dev/null +++ b/queue-6.12/zram-clear-idle-flag-after-recompression.patch 
@@ -0,0 +1,64 @@ +From f85219096648b251a81e9fe24a1974590cfc417d Mon Sep 17 00:00:00 2001 +From: Sergey Senozhatsky +Date: Tue, 29 Oct 2024 00:36:14 +0900 +Subject: zram: clear IDLE flag after recompression + +From: Sergey Senozhatsky + +commit f85219096648b251a81e9fe24a1974590cfc417d upstream. + +Patch series "zram: IDLE flag handling fixes", v2. + +zram can wrongly preserve ZRAM_IDLE flag on its entries which can result +in premature post-processing (writeback and recompression) of such +entries. + +This patch (of 2) + +Recompression should clear ZRAM_IDLE flag on the entries it has accessed, +because otherwise some entries, specifically those for which recompression +has failed, become immediate candidate entries for another post-processing +(e.g. writeback). + +Consider the following case: +- recompression marks entries IDLE every 4 hours and attempts + to recompress them +- some entries are incompressible, so we keep them intact and + hence preserve IDLE flag +- writeback marks entries IDLE every 8 hours and writebacks + IDLE entries, however we have IDLE entries left from + recompression, so writeback prematurely writebacks those + entries. + +The bug was reported by Shin Kawamura. + +Link: https://lkml.kernel.org/r/20241028153629.1479791-1-senozhatsky@chromium.org +Link: https://lkml.kernel.org/r/20241028153629.1479791-2-senozhatsky@chromium.org +Fixes: 84b33bf78889 ("zram: introduce recompress sysfs knob") +Signed-off-by: Sergey Senozhatsky +Reported-by: Shin Kawamura +Acked-by: Brian Geffon +Cc: Minchan Kim +Signed-off-by: Andrew Morton +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/zram/zram_drv.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -1692,6 +1692,13 @@ static int zram_recompress(struct zram * + if (ret) + return ret; + ++ /* ++ * We touched this entry so mark it as non-IDLE. 
This makes sure that ++ * we don't preserve IDLE flag and don't incorrectly pick this entry ++ * for different post-processing type (e.g. writeback). ++ */ ++ zram_clear_flag(zram, index, ZRAM_IDLE); ++ + class_index_old = zs_lookup_class_index(zram->mem_pool, comp_len_old); + /* + * Iterate the secondary comp algorithms list (in order of priority)
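Review bot: in the media-uvcvideo-stop-stream-during-unregister.patch hunk at the top of this section, the comment above vb2_video_unregister_device(&stream->meta.vdev) says the helper can be called directly for meta.vdev but never says why stream->vdev cannot use it too. Since stream->vdev gets the hand-written get_device() / video_unregister_device() / mutex_lock() / uvc_queue_release() / put_device() sequence instead, add one sentence naming the difference between the two nodes, so a later cleanup does not collapse both paths into the helper.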
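Review bot: in the rockchip_vpu981_hw_av1_dec.c hunk, the now unconditional "av1_dec->frame_refs[i].vb2_ref = hantro_get_dst_buf(ctx);" overwrites whatever pointer the slot held, and the result of hantro_get_dst_buf() is stored without a NULL check. The commit message says the earlier pointer may no longer be valid, so stale pointers can sit in frame_refs[] between calls. Please state in a comment that vb2_ref is only meaningful for the frame being set up here, and confirm that nothing reads vb2_ref from a slot this function has not refreshed.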
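Review bot: in the mm/damon/vaddr.c hunk, the rewritten loop "for (start = r->ar.end, i = 1; i < nr_pieces; start += sz_piece, i++)" drops the only comparison against orig_end, so staying inside the original region now depends entirely on nr_pieces * sz_piece <= sz_orig. That does follow from the ALIGN_DOWN(sz_orig / nr_pieces, DAMON_MIN_REGION) computation quoted in the commit message, but the loop itself no longer shows it. A one-line comment above the loop stating the invariant (and that sz_piece is non-zero at this point) would keep a later change to the sz_piece calculation from turning this into an out-of-range split. The new kunit case (0, 3, 2) covers the reported input only. A second case with a larger nr_pieces and a remainder would exercise the bound as well.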
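Review bot: in the dp83869_read_status() hunk of drivers/net/phy/dp83869.c, replacing the linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, phydev->supported) test with "dp83869->mode == DP83869_RGMII_100_BASE" narrows the else branch as well. The reset to SPEED_UNKNOWN / DUPLEX_UNKNOWN on link down used to run for every fibre-capable configuration and now runs only in 100base mode. 1000base-x is covered by the new early return, but please confirm that no other fibre mode relied on that reset. Two smaller points: "changed" is passed to genphy_c37_read_status() and never read, which deserves a short comment, and dp83869_config_aneg() tests the mode with != while dp83869_read_status() tests it with ==. Using the same form in both would read more easily.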
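Review bot: in the fs/overlayfs/util.c hunk, the new test at the top of ovl_dentry_weird() is wider than the commit message describes. The message talks about directory inodes that lack a lookup function, while "!d_can_lookup(dentry) && !d_is_file(dentry) && !d_is_symlink(dentry)" rejects every dentry that is not a lookup-capable directory, a file or a symlink. Please add a comment above the condition listing which dentry types are expected to pass and why the check is written as an allow-list, and confirm that every caller of ovl_dentry_weird() only passes dentries for which returning true on anything else is the intended outcome.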
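Review bot: in the mm/vmstat.c hunk, fold_vm_zone_numa_events(zone) makes zoneinfo_show_print() modify zone counters from what was a read-only print path, and the hunk carries no comment about the context it runs in. Please document next to the call why folding is safe from here (what zoneinfo_show_print() holds when it is invoked, and how this interacts with the fold already done for /proc/vmstat), since the call sits inside the #ifdef CONFIG_NUMA block where a reader would expect only seq_printf() output.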
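Review bot: in the zram_recompress() hunk of drivers/block/zram/zram_drv.c, zram_clear_flag(zram, index, ZRAM_IDLE) is placed after "if (ret) return ret;", so an entry that fails at that earlier step returns with ZRAM_IDLE still set. The commit message singles out entries "for which recompression has failed" as the ones that must not stay IDLE. Either move the clear above the early return, or extend the new comment to say that failures before this point deliberately keep the flag, so the entry's eligibility for writeback after such an error is a documented decision.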