From: Greg Kroah-Hartman Date: Fri, 20 Jun 2025 07:44:56 +0000 (+0200) Subject: 6.15-stable patches X-Git-Tag: v5.4.295~168 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6855ef0af9ced0e288cd641ab3448d418674ae20;p=thirdparty%2Fkernel%2Fstable-queue.git 6.15-stable patches added patches: anon_inode-explicitly-block-setattr.patch anon_inode-raise-sb_i_nodev-and-sb_i_noexec.patch anon_inode-use-a-proper-mode-internally.patch fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch jfs-validate-ag-parameters-in-dbmount-to-prevent-crashes.patch media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch media-gspca-add-error-handling-for-stv06xx_read_sensor.patch media-i2c-change-lt6911uxe-irq_gpio-name-to-hpd.patch media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch media-i2c-imx335-fix-frame-size-enumeration.patch media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch media-imx-jpeg-cleanup-after-an-allocation-error.patch media-imx-jpeg-drop-the-first-error-frames.patch media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch media-imx-jpeg-reset-slot-data-pointers-when-freed.patch media-imx335-use-correct-register-width-for-hnum.patch media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch media-ipu6-remove-workaround-for-meteor-lake-es2.patch media-iris-fix-error-code-in-iris_load_fw_to_memory.patch media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch 
media-ov08x40-extend-sleep-after-reset-to-5-ms.patch media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch media-ov5675-suppress-probe-deferral-errors.patch media-ov8856-suppress-probe-deferral-errors.patch media-qcom-camss-csid-suppress-csid-log-spam.patch media-qcom-camss-vfe-suppress-vfe-version-log-spam.patch media-rcar-vin-fix-raw10.patch media-uvcvideo-fix-deferred-probing-error.patch media-uvcvideo-return-the-number-of-processed-controls.patch media-uvcvideo-send-control-events-for-partial-succeeds.patch media-v4l2-dev-fix-error-handling-in-__video_register_device.patch media-venus-fix-probe-error-handling.patch media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch media-vivid-change-the-siize-of-the-composing.patch nfs-always-probe-for-localio-support-asynchronously.patch nfsd-fix-access-checking-for-nlm-under-xprtsec-policies.patch nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch nfsd-implement-fattr4_clone_blksize-attribute.patch nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch wifi-ath11k-fix-ring-buffer-corruption.patch wifi-ath11k-fix-rx-completion-meta-data-corruption.patch wifi-ath12k-fix-ring-buffer-corruption.patch wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch --- diff --git a/queue-6.15/anon_inode-explicitly-block-setattr.patch b/queue-6.15/anon_inode-explicitly-block-setattr.patch new file mode 100644 index 0000000000..32e6034853 --- /dev/null 
+++ b/queue-6.15/anon_inode-explicitly-block-setattr.patch 
@@ -0,0 +1,85 @@ +From 22bdf3d6581af6d06ed8a46c6835648421cca0ea Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 7 Apr 2025 11:54:17 +0200 +Subject: anon_inode: explicitly block ->setattr() + +From: Christian Brauner + +commit 22bdf3d6581af6d06ed8a46c6835648421cca0ea upstream. + +It is currently possible to change the mode and owner of the single +anonymous inode in the kernel: + +int main(int argc, char *argv[]) +{ + int ret, sfd; + sigset_t mask; + struct signalfd_siginfo fdsi; + + sigemptyset(&mask); + sigaddset(&mask, SIGINT); + sigaddset(&mask, SIGQUIT); + + ret = sigprocmask(SIG_BLOCK, &mask, NULL); + if (ret < 0) + _exit(1); + + sfd = signalfd(-1, &mask, 0); + if (sfd < 0) + _exit(2); + + ret = fchown(sfd, 5555, 5555); + if (ret < 0) + _exit(3); + + ret = fchmod(sfd, 0777); + if (ret < 0) + _exit(3); + + _exit(4); +} + +This is a bug. It's not really a meaningful one because anonymous inodes +don't really figure into path lookup and they cannot be reopened via +/proc//fd/ and can't be used for lookup itself. So they can +only ever serve as direct references. + +But it is still completely bogus to allow the mode and ownership or any +of the properties of the anonymous inode to be changed. Block this! 
+ +Link: https://lore.kernel.org/20250407-work-anon_inode-v1-3-53a44c20d44e@kernel.org +Reviewed-by: Jeff Layton +Cc: stable@vger.kernel.org # all LTS kernels +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/anon_inodes.c | 7 +++++++ + fs/internal.h | 2 ++ + 2 files changed, 9 insertions(+) + +--- a/fs/anon_inodes.c ++++ b/fs/anon_inodes.c +@@ -57,8 +57,15 @@ int anon_inode_getattr(struct mnt_idmap + return 0; + } + ++int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, ++ struct iattr *attr) ++{ ++ return -EOPNOTSUPP; ++} ++ + static const struct inode_operations anon_inode_operations = { + .getattr = anon_inode_getattr, ++ .setattr = anon_inode_setattr, + }; + + /* +--- a/fs/internal.h ++++ b/fs/internal.h +@@ -346,3 +346,5 @@ int statmount_mnt_idmap(struct mnt_idmap + int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path, + struct kstat *stat, u32 request_mask, + unsigned int query_flags); ++int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, ++ struct iattr *attr); diff --git a/queue-6.15/anon_inode-raise-sb_i_nodev-and-sb_i_noexec.patch b/queue-6.15/anon_inode-raise-sb_i_nodev-and-sb_i_noexec.patch new file mode 100644 index 0000000000..90a594a93d --- /dev/null +++ b/queue-6.15/anon_inode-raise-sb_i_nodev-and-sb_i_noexec.patch 
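Review bot: The new anon_inode_setattr() in fs/anon_inodes.c has no comment saying why every attribute change is refused, and a stub that only returns -EOPNOTSUPP does not explain itself. Going by the commit message, the reason is that anon-inode file descriptors are backed by a single kernel inode, so a chown or chmod through one descriptor would change it for all of them. I would add above the function: `/* Anonymous inodes are shared between unrelated fds; never let userspace change mode, owner or any other attribute. */`. The refusal only covers inodes whose i_op is anon_inode_operations, so a subsystem that installs its own inode_operations presumably needs its own ->setattr, which is worth stating in the same comment.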
@@ -0,0 +1,44 @@ +From 1ed95281c0c77dbb1540f9855cd3c5f19900f7a5 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 7 Apr 2025 11:54:19 +0200 +Subject: anon_inode: raise SB_I_NODEV and SB_I_NOEXEC + +From: Christian Brauner + +commit 1ed95281c0c77dbb1540f9855cd3c5f19900f7a5 upstream. + +It isn't possible to execute anonymous inodes because they cannot be +opened in any way after they have been created. This includes execution: + +execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH) + +Anonymous inodes have inode->f_op set to no_open_fops which sets +no_open() which returns ENXIO. That means any call to do_dentry_open() +which is the endpoint of the do_open_execat() will fail. There's no +chance to execute an anonymous inode. Unless a given subsystem overrides +it ofc. + +However, we should still harden this and raise SB_I_NODEV and +SB_I_NOEXEC on the superblock itself so that no one gets any creative +ideas. + +Link: https://lore.kernel.org/20250407-work-anon_inode-v1-5-53a44c20d44e@kernel.org +Reviewed-by: Jeff Layton +Cc: stable@vger.kernel.org # all LTS kernels +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/anon_inodes.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/anon_inodes.c ++++ b/fs/anon_inodes.c +@@ -86,6 +86,8 @@ static int anon_inodefs_init_fs_context( + struct pseudo_fs_context *ctx = init_pseudo(fc, ANON_INODE_FS_MAGIC); + if (!ctx) + return -ENOMEM; ++ fc->s_iflags |= SB_I_NOEXEC; ++ fc->s_iflags |= SB_I_NODEV; + ctx->dops = &anon_inodefs_dentry_operations; + return 0; + } diff --git a/queue-6.15/anon_inode-use-a-proper-mode-internally.patch b/queue-6.15/anon_inode-use-a-proper-mode-internally.patch new file mode 100644 index 0000000000..ecb03ed997 --- /dev/null +++ b/queue-6.15/anon_inode-use-a-proper-mode-internally.patch 
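Review bot: In anon_inodefs_init_fs_context() the two flags are raised with two separate `|=` statements and no comment; a single statement, `fc->s_iflags |= SB_I_NOEXEC | SB_I_NODEV;`, reads better and keeps the hardening in one place. A short comment such as `/* anon inodes can never be opened, so refuse exec and device nodes on this superblock as well */` would record that this is defence in depth rather than a functional fix, which is how the commit message describes it. The function body starts outside the hunk.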
@@ -0,0 +1,118 @@ +From cfd86ef7e8e7b9e015707e46479a6b1de141eed0 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 7 Apr 2025 11:54:15 +0200 +Subject: anon_inode: use a proper mode internally + +From: Christian Brauner + +commit cfd86ef7e8e7b9e015707e46479a6b1de141eed0 upstream. + +This allows the VFS to not trip over anonymous inodes and we can add +asserts based on the mode into the vfs. When we report it to userspace +we can simply hide the mode to avoid regressions. I've audited all +direct callers of alloc_anon_inode() and only secretmen overrides i_mode +and i_op inode operations but it already uses a regular file. + +Link: https://lore.kernel.org/20250407-work-anon_inode-v1-1-53a44c20d44e@kernel.org +Fixes: af153bb63a336 ("vfs: catch invalid modes in may_open()") +Reviewed-by: Jeff Layton +Cc: stable@vger.kernel.org # all LTS kernels +Reported-by: syzbot+5d8e79d323a13aa0b248@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67ed3fb3.050a0220.14623d.0009.GAE@google.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/anon_inodes.c | 36 ++++++++++++++++++++++++++++++++++++ + fs/internal.h | 3 +++ + fs/libfs.c | 8 +++++++- + 3 files changed, 46 insertions(+), 1 deletion(-) + +--- a/fs/anon_inodes.c ++++ b/fs/anon_inodes.c +@@ -24,10 +24,44 @@ + + #include + ++#include "internal.h" ++ + static struct vfsmount *anon_inode_mnt __ro_after_init; + static struct inode *anon_inode_inode __ro_after_init; + + /* ++ * User space expects anonymous inodes to have no file type in st_mode. ++ * ++ * In particular, 'lsof' has this legacy logic: ++ * ++ * type = s->st_mode & S_IFMT; ++ * switch (type) { ++ * ... ++ * case 0: ++ * if (!strcmp(p, "anon_inode")) ++ * Lf->ntype = Ntype = N_ANON_INODE; ++ * ++ * to detect our old anon_inode logic. ++ * ++ * Rather than mess with our internal sane inode data, just fix it ++ * up here in getattr() by masking off the format bits. 
++ */ ++int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path, ++ struct kstat *stat, u32 request_mask, ++ unsigned int query_flags) ++{ ++ struct inode *inode = d_inode(path->dentry); ++ ++ generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat); ++ stat->mode &= ~S_IFMT; ++ return 0; ++} ++ ++static const struct inode_operations anon_inode_operations = { ++ .getattr = anon_inode_getattr, ++}; ++ ++/* + * anon_inodefs_dname() is called from d_path(). + */ + static char *anon_inodefs_dname(struct dentry *dentry, char *buffer, int buflen) +@@ -66,6 +100,7 @@ static struct inode *anon_inode_make_sec + if (IS_ERR(inode)) + return inode; + inode->i_flags &= ~S_PRIVATE; ++ inode->i_op = &anon_inode_operations; + error = security_inode_init_security_anon(inode, &QSTR(name), + context_inode); + if (error) { +@@ -313,6 +348,7 @@ static int __init anon_inode_init(void) + anon_inode_inode = alloc_anon_inode(anon_inode_mnt->mnt_sb); + if (IS_ERR(anon_inode_inode)) + panic("anon_inode_init() inode allocation failed (%ld)\n", PTR_ERR(anon_inode_inode)); ++ anon_inode_inode->i_op = &anon_inode_operations; + + return 0; + } +--- a/fs/internal.h ++++ b/fs/internal.h +@@ -343,3 +343,6 @@ static inline bool path_mounted(const st + void file_f_owner_release(struct file *file); + bool file_seek_cur_needs_f_lock(struct file *file); + int statmount_mnt_idmap(struct mnt_idmap *idmap, struct seq_file *seq, bool uid_map); ++int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path, ++ struct kstat *stat, u32 request_mask, ++ unsigned int query_flags); +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -1647,7 +1647,13 @@ struct inode *alloc_anon_inode(struct su + * that it already _is_ on the dirty list. + */ + inode->i_state = I_DIRTY; +- inode->i_mode = S_IRUSR | S_IWUSR; ++ /* ++ * Historically anonymous inodes didn't have a type at all and ++ * userspace has come to rely on this. 
Internally they're just ++ * regular files but S_IFREG is masked off when reporting ++ * information to userspace. ++ */ ++ inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR; + inode->i_uid = current_fsuid(); + inode->i_gid = current_fsgid(); + inode->i_flags |= S_PRIVATE; diff --git a/queue-6.15/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch b/queue-6.15/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch new file mode 100644 index 0000000000..fac7c2a716 --- /dev/null +++ b/queue-6.15/fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch 
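Review bot: The S_IFMT masking lives only in anon_inode_getattr(), while the fs/libfs.c hunk makes alloc_anon_inode() set S_IFREG for every caller. An inode from alloc_anon_inode() that is not given anon_inode_operations and is reachable through a file descriptor would therefore report a regular-file type to stat(), which the new comment in fs/anon_inodes.c says userspace such as lsof does not expect. The commit message says the direct callers were audited, so this may be fine today, but the new comment in alloc_anon_inode() should name the dependency, e.g. `Callers that expose the inode to userspace must use anon_inode_getattr() to hide S_IFREG.` Separately, anon_inode_getattr() ignores its idmap argument and passes `&nop_mnt_idmap`; a word on why would save the next reader a lookup.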
@@ -0,0 +1,70 @@ +From 4c10fa44bc5f700e2ea21de2fbae520ba21f19d9 Mon Sep 17 00:00:00 2001 +From: Max Kellermann +Date: Wed, 23 Apr 2025 15:22:50 +0200 +Subject: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() + +From: Max Kellermann + +commit 4c10fa44bc5f700e2ea21de2fbae520ba21f19d9 upstream. + +Sometimes, when a file was read while it was being truncated by +another NFS client, the kernel could deadlock because folio_unlock() +was called twice, and the second call would XOR back the `PG_locked` +flag. + +Most of the time (depending on the timing of the truncation), nobody +notices the problem because folio_unlock() gets called three times, +which flips `PG_locked` back off: + + 1. vfs_read, nfs_read_folio, ... nfs_read_add_folio, + nfs_return_empty_folio + 2. vfs_read, nfs_read_folio, ... netfs_read_collection, + netfs_unlock_abandoned_read_pages + 3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio, + nfs_return_empty_folio + +The problem is that nfs_read_add_folio() is not supposed to unlock the +folio if fscache is enabled, and a nfs_netfs_folio_unlock() check is +missing in nfs_return_empty_folio(). + +Rarely this leads to a warning in netfs_read_collection(): + + ------------[ cut here ]------------ + R=0000031c: folio 10 is not locked + WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00 + [...] + Workqueue: events_unbound netfs_read_collection_worker + RIP: 0010:netfs_read_collection+0x7c0/0xf00 + [...] + Call Trace: + + netfs_read_collection_worker+0x67/0x80 + process_one_work+0x12e/0x2c0 + worker_thread+0x295/0x3a0 + +Most of the time, however, processes just get stuck forever in +folio_wait_bit_common(), waiting for `PG_locked` to disappear, which +never happens because nobody is really holding the folio lock. 
+ +Fixes: 000dbe0bec05 ("NFS: Convert buffered read paths to use netfs when fscache is enabled") +Cc: stable@vger.kernel.org +Signed-off-by: Max Kellermann +Reviewed-by: Dave Wysochanski +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/read.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/read.c ++++ b/fs/nfs/read.c +@@ -56,7 +56,8 @@ static int nfs_return_empty_folio(struct + { + folio_zero_segment(folio, 0, folio_size(folio)); + folio_mark_uptodate(folio); +- folio_unlock(folio); ++ if (nfs_netfs_folio_unlock(folio)) ++ folio_unlock(folio); + return 0; + } + diff --git a/queue-6.15/jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch b/queue-6.15/jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch new file mode 100644 index 0000000000..ebb54d1f0a --- /dev/null +++ b/queue-6.15/jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch 
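Review bot: The guard added to nfs_return_empty_folio() is easy to misread, because nfs_netfs_folio_unlock() is named like an action but is used here as a predicate deciding whether NFS may unlock the folio. Its definition is outside the hunk; going by the commit message, NFS must not unlock the folio when fscache is enabled because the netfs read collection does it. A comment on the new lines would keep the unconditional unlock from being reintroduced: `/* With fscache enabled, netfs owns the folio lock and unlocks it on completion. */`.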
@@ -0,0 +1,82 @@ +From af98b0157adf6504fade79b3e6cb260c4ff68e37 Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Wed, 14 May 2025 22:08:55 +0900 +Subject: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() + +From: Jeongjun Park + +commit af98b0157adf6504fade79b3e6cb260c4ff68e37 upstream. + +Since handle->h_transaction may be a NULL pointer, so we should change it +to call is_handle_aborted(handle) first before dereferencing it. + +And the following data-race was reported in my fuzzer: + +================================================================== +BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata + +write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1: + jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556 + __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 + ext4_do_update_inode fs/ext4/inode.c:5220 [inline] + ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 + __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 + ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 +.... + +read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0: + jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512 + __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 + ext4_do_update_inode fs/ext4/inode.c:5220 [inline] + ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 + __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 + ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 +.... + +value changed: 0x00000000 -> 0x00000001 +================================================================== + +This issue is caused by missing data-race annotation for jh->b_modified. +Therefore, the missing annotation needs to be added. 
+ +Reported-by: syzbot+de24c3fe3c4091051710@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=de24c3fe3c4091051710 +Fixes: 6e06ae88edae ("jbd2: speedup jbd2_journal_dirty_metadata()") +Signed-off-by: Jeongjun Park +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20250514130855.99010-1-aha310510@gmail.com +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/transaction.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -1509,7 +1509,7 @@ int jbd2_journal_dirty_metadata(handle_t + jh->b_next_transaction == transaction); + spin_unlock(&jh->b_state_lock); + } +- if (jh->b_modified == 1) { ++ if (data_race(jh->b_modified == 1)) { + /* If it's in our transaction it must be in BJ_Metadata list. */ + if (data_race(jh->b_transaction == transaction && + jh->b_jlist != BJ_Metadata)) { +@@ -1528,7 +1528,6 @@ int jbd2_journal_dirty_metadata(handle_t + goto out; + } + +- journal = transaction->t_journal; + spin_lock(&jh->b_state_lock); + + if (is_handle_aborted(handle)) { +@@ -1543,6 +1542,8 @@ int jbd2_journal_dirty_metadata(handle_t + goto out_unlock_bh; + } + ++ journal = transaction->t_journal; ++ + if (jh->b_modified == 0) { + /* + * This buffer's got modified and becoming part diff --git a/queue-6.15/jfs-validate-ag-parameters-in-dbmount-to-prevent-crashes.patch b/queue-6.15/jfs-validate-ag-parameters-in-dbmount-to-prevent-crashes.patch new file mode 100644 index 0000000000..817f6e4f66 --- /dev/null +++ b/queue-6.15/jfs-validate-ag-parameters-in-dbmount-to-prevent-crashes.patch 
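Review bot: The moved `journal = transaction->t_journal;` in jbd2_journal_dirty_metadata() now depends on sitting after the is_handle_aborted() check, and nothing in the code says so. The commit message gives the reason (handle->h_transaction may be NULL), so I would put it on the line: `/* transaction may be NULL for an aborted handle; dereference only after the check above */`. Separately, data_race() around the `jh->b_modified == 1` test marks the unlocked read as intentional for KCSAN but does not change the read itself, so a sentence saying why a stale value is harmless on this fast path belongs next to it. The function starts and ends outside the hunk.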
@@ -0,0 +1,73 @@ +From 37bfb464ddca87f203071b5bd562cd91ddc0b40a Mon Sep 17 00:00:00 2001 +From: Vasiliy Kovalev +Date: Mon, 10 Mar 2025 11:56:02 +0300 +Subject: jfs: validate AG parameters in dbMount() to prevent crashes + +From: Vasiliy Kovalev + +commit 37bfb464ddca87f203071b5bd562cd91ddc0b40a upstream. + +Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch +corrupted metadata early and avoid undefined behavior in dbAllocAG. +Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: + +- agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift + (L2LPERCTL - 2*agheight) >= 0. +- agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) + ensures agperlev >= 1. + - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). + - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; + 2^(10 - 2*agheight) prevents division to 0. +- agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within + stree (size 1365). + - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). + +UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 +shift exponent -335544310 is negative +CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + ubsan_epilogue lib/ubsan.c:231 [inline] + __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 + dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 + dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 + jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 + jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Found by Linux Verification Center (linuxtesting.org) 
with Syzkaller. + +Cc: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+fe8264911355151c487f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fe8264911355151c487f +Signed-off-by: Vasiliy Kovalev +Signed-off-by: Dave Kleikamp +Signed-off-by: Greg Kroah-Hartman +--- + fs/jfs/jfs_dmap.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -194,7 +194,11 @@ int dbMount(struct inode *ipbmap) + !bmp->db_numag || (bmp->db_numag > MAXAG) || + (bmp->db_maxag >= MAXAG) || (bmp->db_maxag < 0) || + (bmp->db_agpref >= MAXAG) || (bmp->db_agpref < 0) || +- !bmp->db_agwidth || ++ (bmp->db_agheight < 0) || (bmp->db_agheight > (L2LPERCTL >> 1)) || ++ (bmp->db_agwidth < 1) || (bmp->db_agwidth > (LPERCTL / MAXAG)) || ++ (bmp->db_agwidth > (1 << (L2LPERCTL - (bmp->db_agheight << 1)))) || ++ (bmp->db_agstart < 0) || ++ (bmp->db_agstart > (CTLTREESIZE - 1 - bmp->db_agwidth * (MAXAG - 1))) || + (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) || + (bmp->db_agl2size < 0) || + ((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) { diff --git a/queue-6.15/media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch b/queue-6.15/media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch new file mode 100644 index 0000000000..231af48436 --- /dev/null +++ b/queue-6.15/media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch 
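Review bot: The new dbMount() checks are only safe in the order written: the shift in `1 << (L2LPERCTL - (bmp->db_agheight << 1))` and the product `bmp->db_agwidth * (MAXAG - 1)` are evaluated only after the earlier `||` terms have bounded db_agheight and db_agwidth. That dependency is invisible in a condition this long, so a later reorder could reintroduce the negative shift the commit fixes. I would add a comment above the new terms, e.g. `/* order matters: agheight and agwidth are range-checked before they feed the shift and the agstart bound */`, or move the three AG checks into a small static helper. The condition begins outside the hunk.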
@@ -0,0 +1,35 @@ +From 6868b955acd6e5d7405a2b730c2ffb692ad50d2c Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 20 Feb 2025 10:54:44 +0200 +Subject: media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case + +From: Sakari Ailus + +commit 6868b955acd6e5d7405a2b730c2ffb692ad50d2c upstream. + +The check for VT PLL upper limit in dual PLL case was missing. Add it now. + +Fixes: 6c7469e46b60 ("media: ccs-pll: Add trivial dual PLL support") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs-pll.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/i2c/ccs-pll.c ++++ b/drivers/media/i2c/ccs-pll.c +@@ -312,6 +312,11 @@ __ccs_pll_calculate_vt_tree(struct devic + dev_dbg(dev, "more_mul2: %u\n", more_mul); + + pll_fr->pll_multiplier = mul * more_mul; ++ if (pll_fr->pll_multiplier > lim_fr->max_pll_multiplier) { ++ dev_dbg(dev, "pll multiplier %u too high\n", ++ pll_fr->pll_multiplier); ++ return -EINVAL; ++ } + + if (pll_fr->pll_multiplier * pll_fr->pll_ip_clk_freq_hz > + lim_fr->max_pll_op_clk_freq_hz) diff --git a/queue-6.15/media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch b/queue-6.15/media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch new file mode 100644 index 0000000000..6d786cdd1e --- /dev/null +++ b/queue-6.15/media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch 
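Review bot: In __ccs_pll_calculate_vt_tree() the limit is tested after `mul * more_mul` has already been stored in pll_fr->pll_multiplier, so if that field is narrower than the product the value is truncated before the comparison and an over-range multiplier can pass. The field's type is declared outside the hunk, so this needs confirming. Testing the product itself avoids the question: `if (mul * more_mul > lim_fr->max_pll_multiplier)` placed ahead of the assignment, with the dev_dbg printing the product.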
@@ -0,0 +1,35 @@ +From f639494db450770fa30d6845d9c84b9cb009758f Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Wed, 19 Feb 2025 15:06:11 +0200 +Subject: media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div + +From: Sakari Ailus + +commit f639494db450770fa30d6845d9c84b9cb009758f upstream. + +The PLL calculator does a search of the PLL configuration space for all +valid OP pre-PLL clock dividers. The maximum did not take into account the +CCS PLL flag CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER in which case also odd PLL +dividers (other than 1) are valid. Do that now. + +Fixes: 4e1e8d240dff ("media: ccs-pll: Add support for extended input PLL clock divider") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs-pll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/ccs-pll.c ++++ b/drivers/media/i2c/ccs-pll.c +@@ -794,7 +794,7 @@ int ccs_pll_calculate(struct device *dev + op_lim_fr->min_pre_pll_clk_div, op_lim_fr->max_pre_pll_clk_div); + max_op_pre_pll_clk_div = + min_t(u16, op_lim_fr->max_pre_pll_clk_div, +- clk_div_even(pll->ext_clk_freq_hz / ++ DIV_ROUND_UP(pll->ext_clk_freq_hz, + op_lim_fr->min_pll_ip_clk_freq_hz)); + min_op_pre_pll_clk_div = + max_t(u16, op_lim_fr->min_pre_pll_clk_div, diff --git a/queue-6.15/media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch b/queue-6.15/media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch new file mode 100644 index 0000000000..1f86382b54 --- /dev/null +++ b/queue-6.15/media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch 
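Review bot: DIV_ROUND_UP() rounds the upper bound of the OP pre-PLL divider upward in ccs_pll_calculate(), so when ext_clk_freq_hz is not an exact multiple of min_pll_ip_clk_freq_hz the largest divider admitted yields a PLL input clock just below that minimum. Whether such a candidate is rejected later depends on the search loop, which is outside the hunk. If rounding up is intended, a comment saying so and naming where the input frequency is re-checked would help; otherwise plain division gives the floor.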
@@ -0,0 +1,36 @@ +From 660e613d05e449766784c549faf5927ffaf281f1 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Tue, 18 Feb 2025 23:43:58 +0200 +Subject: media: ccs-pll: Start OP pre-PLL multiplier search from correct value + +From: Sakari Ailus + +commit 660e613d05e449766784c549faf5927ffaf281f1 upstream. + +The ccs_pll_calculate() function does a search over possible PLL +configurations to find the "best" one. If the sensor does not support odd +pre-PLL divisors and the minimum value (with constraints) isn't 1, other +odd values could be errorneously searched (and selected) for the pre-PLL +divisor. Fix this. + +Fixes: 415ddd993978 ("media: ccs-pll: Split limits and PLL configuration into front and back parts") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs-pll.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/ccs-pll.c ++++ b/drivers/media/i2c/ccs-pll.c +@@ -817,6 +817,8 @@ int ccs_pll_calculate(struct device *dev + one_or_more( + DIV_ROUND_UP(op_lim_fr->max_pll_op_clk_freq_hz, + pll->ext_clk_freq_hz)))); ++ if (!(pll->flags & CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER)) ++ min_op_pre_pll_clk_div = clk_div_even(min_op_pre_pll_clk_div); + dev_dbg(dev, "pll_op check: min / max op_pre_pll_clk_div: %u / %u\n", + min_op_pre_pll_clk_div, max_op_pre_pll_clk_div); + diff --git a/queue-6.15/media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch b/queue-6.15/media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch new file mode 100644 index 0000000000..b44645ff7a --- /dev/null +++ b/queue-6.15/media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch 
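Review bot: The adjusted minimum in ccs_pll_calculate() can end up below the bound computed just above it if clk_div_even() rounds down, because an odd minimum such as 3 would become 2. The helper is defined outside the hunk; the line removed by the preceding ccs-pll patch applied it to an upper bound, which hints at rounding down. If so, the minimum wants a round-up variant here, or a comment explaining why the lower value is still valid. The same line is added for min_pre_pll_clk_div in ccs_pll_calculate_vt_tree() by media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch, and the same question applies there.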
@@ -0,0 +1,36 @@ +From 06d2d478b09e6764fb6161d1621fc10d9f0f2860 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Tue, 18 Feb 2025 23:47:13 +0200 +Subject: media: ccs-pll: Start VT pre-PLL multiplier search from correct value + +From: Sakari Ailus + +commit 06d2d478b09e6764fb6161d1621fc10d9f0f2860 upstream. + +The ccs_pll_calculate_vt_tree() function does a search over possible VT +PLL configurations to find the "best" one. If the sensor does not support +odd pre-PLL divisors and the minimum value (with constraints) isn't 1, +other odd values could be errorneously searched (and selected) for the +pre-PLL divisor. Fix this. + +Fixes: 415ddd993978 ("media: ccs-pll: Split limits and PLL configuration into front and back parts") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs-pll.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/ccs-pll.c ++++ b/drivers/media/i2c/ccs-pll.c +@@ -397,6 +397,8 @@ static int ccs_pll_calculate_vt_tree(str + min_pre_pll_clk_div = max_t(u16, min_pre_pll_clk_div, + pll->ext_clk_freq_hz / + lim_fr->max_pll_ip_clk_freq_hz); ++ if (!(pll->flags & CCS_PLL_FLAG_EXT_IP_PLL_DIVIDER)) ++ min_pre_pll_clk_div = clk_div_even(min_pre_pll_clk_div); + + dev_dbg(dev, "vt min/max_pre_pll_clk_div: %u,%u\n", + min_pre_pll_clk_div, max_pre_pll_clk_div); diff --git a/queue-6.15/media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch b/queue-6.15/media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch new file mode 100644 index 0000000000..f24c67be2d --- /dev/null +++ b/queue-6.15/media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch 
@@ -0,0 +1,66 @@ +From 73fb3b92da84637e3817580fa205d48065924e15 Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Sat, 5 Apr 2025 19:56:41 +0800 +Subject: media: cxusb: no longer judge rbuf when the write fails + +From: Edward Adam Davis + +commit 73fb3b92da84637e3817580fa205d48065924e15 upstream. + +syzbot reported a uninit-value in cxusb_i2c_xfer. [1] + +Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() +succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() +will be executed to read rlen bytes of data from the dvb device into the +rbuf. + +In this case, although rlen is 1, the write operation failed which resulted +in the dvb read operation not being executed, and ultimately variable i was +not initialized. + +[1] +BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] +BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 + cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] + cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 + __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1 + i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315 + i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343 + i2c_master_send include/linux/i2c.h:109 [inline] + i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183 + do_loop_readv_writev fs/read_write.c:848 [inline] + vfs_writev+0x963/0x14e0 fs/read_write.c:1057 + do_writev+0x247/0x5c0 fs/read_write.c:1101 + __do_sys_writev fs/read_write.c:1169 [inline] + __se_sys_writev fs/read_write.c:1166 [inline] + __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166 + x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Reported-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com 
+Closes: https://syzkaller.appspot.com/bug?extid=526bd95c0ec629993bf3 +Tested-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com +Fixes: 22c6d93a7310 ("[PATCH] dvb: usb: support Medion hybrid USB2.0 DVB-T/analogue box") +Cc: stable@vger.kernel.org +Signed-off-by: Edward Adam Davis +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/dvb-usb/cxusb.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/usb/dvb-usb/cxusb.c ++++ b/drivers/media/usb/dvb-usb/cxusb.c +@@ -119,9 +119,8 @@ static void cxusb_gpio_tuner(struct dvb_ + + o[0] = GPIO_TUNER; + o[1] = onoff; +- cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1); + +- if (i != 0x01) ++ if (!cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1) && i != 0x01) + dev_info(&d->udev->dev, "gpio_write failed.\n"); + + st->gpio_write_state[GPIO_TUNER] = onoff; diff --git a/queue-6.15/media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch b/queue-6.15/media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch new file mode 100644 index 0000000000..d0ba3e901c --- /dev/null +++ b/queue-6.15/media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch 
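Review bot: With the new condition in cxusb_gpio_tuner() a failed cxusb_ctrl_msg() is now completely silent, and `st->gpio_write_state[GPIO_TUNER] = onoff;` still records the write as done. Logging on either failure keeps the uninitialised read fixed, since `i` is only evaluated after a successful transfer: `if (cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1) || i != 0x01)`. Whether the cached state should be updated after a failed write depends on the callers, which are outside the hunk. Initialising `i` at its declaration would also make the function robust against a short read.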
@@ -0,0 +1,47 @@ +From 024bf40edf1155e7a587f0ec46294049777d9b02 Mon Sep 17 00:00:00 2001 +From: Dmitry Nikiforov +Date: Wed, 16 Apr 2025 23:51:19 +0300 +Subject: media: davinci: vpif: Fix memory leak in probe error path + +From: Dmitry Nikiforov + +commit 024bf40edf1155e7a587f0ec46294049777d9b02 upstream. + +If an error occurs during the initialization of `pdev_display`, +the allocated platform device `pdev_capture` is not released properly, +leading to a memory leak. + +Adjust error path handling to fix the leak. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 43acb728bbc4 ("media: davinci: vpif: fix use-after-free on driver unbind") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Nikiforov +Reviewed-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/davinci/vpif.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/ti/davinci/vpif.c ++++ b/drivers/media/platform/ti/davinci/vpif.c +@@ -504,7 +504,7 @@ static int vpif_probe(struct platform_de + pdev_display = kzalloc(sizeof(*pdev_display), GFP_KERNEL); + if (!pdev_display) { + ret = -ENOMEM; +- goto err_put_pdev_capture; ++ goto err_del_pdev_capture; + } + + pdev_display->name = "vpif_display"; +@@ -527,6 +527,8 @@ static int vpif_probe(struct platform_de + + err_put_pdev_display: + platform_device_put(pdev_display); ++err_del_pdev_capture: ++ platform_device_del(pdev_capture); + err_put_pdev_capture: + platform_device_put(pdev_capture); + err_put_rpm: diff --git a/queue-6.15/media-gspca-add-error-handling-for-stv06xx_read_sensor.patch b/queue-6.15/media-gspca-add-error-handling-for-stv06xx_read_sensor.patch new file mode 100644 index 0000000000..411b38df86 --- /dev/null +++ b/queue-6.15/media-gspca-add-error-handling-for-stv06xx_read_sensor.patch 
@@ -0,0 +1,41 @@
+From 398a1b33f1479af35ca915c5efc9b00d6204f8fa Mon Sep 17 00:00:00 2001
+From: Wentao Liang
+Date: Tue, 22 Apr 2025 11:07:39 +0800
+Subject: media: gspca: Add error handling for stv06xx_read_sensor()
+
+From: Wentao Liang
+
+commit 398a1b33f1479af35ca915c5efc9b00d6204f8fa upstream.
+
+In hdcs_init(), the return value of stv06xx_read_sensor() needs to be
+checked. A proper implementation can be found in vv6410_dump(). Add a
+check in loop condition and propergate error code to fix this issue.
+
+Fixes: 4c98834addfe ("V4L/DVB (10048): gspca - stv06xx: New subdriver.")
+Cc: stable@vger.kernel.org # v2.6+
+Signed-off-by: Wentao Liang
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c
+@@ -520,12 +520,13 @@ static int hdcs_init(struct sd *sd)
+ static int hdcs_dump(struct sd *sd)
+ {
+ u16 reg, val;
++ int err = 0;
+
+ pr_info("Dumping sensor registers:\n");
+
+- for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH; reg++) {
+- stv06xx_read_sensor(sd, reg, &val);
++ for (reg = HDCS_IDENT; reg <= HDCS_ROWEXPH && !err; reg++) {
++ err = stv06xx_read_sensor(sd, reg, &val);
+ pr_info("reg 0x%02x = 0x%02x\n", reg, val);
+ }
+- return 0;
++ return (err < 0) ? err : 0;
+ }
diff --git a/queue-6.15/media-i2c-change-lt6911uxe-irq_gpio-name-to-hpd.patch b/queue-6.15/media-i2c-change-lt6911uxe-irq_gpio-name-to-hpd.patch
new file mode 100644
index 0000000000..f55d6a052c
--- /dev/null
+++ b/queue-6.15/media-i2c-change-lt6911uxe-irq_gpio-name-to-hpd.patch
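Review bot: The `pr_info("reg 0x%02x = 0x%02x\n", reg, val);` line still runs in the iteration where `stv06xx_read_sensor()` fails, so hdcs_dump() prints `val` uninitialised when the first read fails, or stale from the previous register on a later failure. The added `&& !err` in the loop condition only stops the following iteration, which means an uninitialised stack value can reach the kernel log. Testing the result before the print closes that, for example `if (err < 0) return err;` directly after the read. This assumes stv06xx_read_sensor() leaves `val` unwritten on failure, which the hunk does not show.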
@@ -0,0 +1,47 @@ +From 20244cbafbd6c8486347bb82d972f6e2d2d5a201 Mon Sep 17 00:00:00 2001 +From: Dongcheng Yan +Date: Fri, 25 Apr 2025 18:43:31 +0800 +Subject: media: i2c: change lt6911uxe irq_gpio name to "hpd" + +From: Dongcheng Yan + +commit 20244cbafbd6c8486347bb82d972f6e2d2d5a201 upstream. + +Lt6911uxe is used in IPU6 / x86 platform, worked with an out-of-tree +int3472 patch and upstream intel/ipu6 before. It is only used on ACPI +platforms till now and there are no devicetree bindings for this +driver. + +The upstream int3472 driver uses "hpd" instead of "readystat" now. +this patch updates the irq_gpio name to "hpd" accordingly, so that +mere users can now use the upstream version directly without relying +on out-of-tree int3472 pin support. + +The new name "hpd" (Hotplug Detect) aligns with common naming +conventions used in other drivers(like adv7604) and documentation. + +Fixes: e49563c3be09d4 ("media: i2c: add lt6911uxe hdmi bridge driver") +Cc: stable@vger.kernel.org +Signed-off-by: Dongcheng Yan +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/lt6911uxe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/lt6911uxe.c ++++ b/drivers/media/i2c/lt6911uxe.c +@@ -605,10 +605,10 @@ static int lt6911uxe_probe(struct i2c_cl + return dev_err_probe(dev, PTR_ERR(lt6911uxe->reset_gpio), + "failed to get reset gpio\n"); + +- lt6911uxe->irq_gpio = devm_gpiod_get(dev, "readystat", GPIOD_IN); ++ lt6911uxe->irq_gpio = devm_gpiod_get(dev, "hpd", GPIOD_IN); + if (IS_ERR(lt6911uxe->irq_gpio)) + return dev_err_probe(dev, PTR_ERR(lt6911uxe->irq_gpio), +- "failed to get ready_stat gpio\n"); ++ "failed to get hpd gpio\n"); + + ret = lt6911uxe_fwnode_parse(lt6911uxe, dev); + if (ret) 
diff --git a/queue-6.15/media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch b/queue-6.15/media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch new file mode 100644 index 0000000000..4c7e483e71 --- /dev/null +++ b/queue-6.15/media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch @@ -0,0 +1,39 @@ +From ef205273132bdc9bcfa1540eef8105475a453300 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Mon, 3 Mar 2025 21:32:05 +0530 +Subject: media: i2c: ds90ub913: Fix returned fmt from .set_fmt() + +From: Tomi Valkeinen + +commit ef205273132bdc9bcfa1540eef8105475a453300 upstream. + +When setting the sink pad's stream format, set_fmt accidentally changes +the returned format's code to 'outcode', while the purpose is to only +use the 'outcode' for the propagated source stream format. + +Fixes: c158d0d4ff15 ("media: i2c: add DS90UB913 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Tomi Valkeinen +Signed-off-by: Jai Luthra +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ds90ub913.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/ds90ub913.c ++++ b/drivers/media/i2c/ds90ub913.c +@@ -450,10 +450,10 @@ static int ub913_set_fmt(struct v4l2_sub + if (!fmt) + return -EINVAL; + +- format->format.code = finfo->outcode; +- + *fmt = format->format; + ++ fmt->code = finfo->outcode; ++ + return 0; + } + diff --git a/queue-6.15/media-i2c-imx335-fix-frame-size-enumeration.patch b/queue-6.15/media-i2c-imx335-fix-frame-size-enumeration.patch new file mode 100644 index 0000000000..10df2414c9 --- /dev/null +++ b/queue-6.15/media-i2c-imx335-fix-frame-size-enumeration.patch 
@@ -0,0 +1,43 @@ +From b240df2913d396638033b86af0f0ff76aa1aafc8 Mon Sep 17 00:00:00 2001 +From: Kieran Bingham +Date: Wed, 30 Apr 2025 08:36:49 +0100 +Subject: media: i2c: imx335: Fix frame size enumeration + +From: Kieran Bingham + +commit b240df2913d396638033b86af0f0ff76aa1aafc8 upstream. + +In commit cfa49ff0558a ("media: i2c: imx335: Support 2592x1940 10-bit +mode") the IMX335 driver was extended to support multiple output +bitdepth modes. + +This incorrectly extended the frame size enumeration to check against +the supported mbus_codes array instead of the supported mode/frame +array. This has the unwanted side effect of reporting the currently +supported frame size 2592x1944 three times. + +Fix the check accordingly to report a frame size for each supported +size, which is presently only a single entry. + +Fixes: cfa49ff0558a ("media: i2c: imx335: Support 2592x1940 10-bit mode") +Cc: stable@vger.kernel.org +Signed-off-by: Kieran Bingham +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx335.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/imx335.c ++++ b/drivers/media/i2c/imx335.c +@@ -660,7 +660,8 @@ static int imx335_enum_frame_size(struct + struct imx335 *imx335 = to_imx335(sd); + u32 code; + +- if (fsize->index > ARRAY_SIZE(imx335_mbus_codes)) ++ /* Only a single supported_mode available. */ ++ if (fsize->index > 0) + return -EINVAL; + + code = imx335_get_format_code(imx335, fsize->code); diff --git a/queue-6.15/media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch b/queue-6.15/media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch new file mode 100644 index 0000000000..1cbaadf370 --- /dev/null +++ b/queue-6.15/media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch 
@@ -0,0 +1,48 @@
+From 609ba05b9484856b08869f827a6edee51d51b5f3 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Wed, 26 Feb 2025 20:49:22 +0800
+Subject: media: imagination: fix a potential memory leak in e5010_probe()
+
+From: Haoxiang Li
+
+commit 609ba05b9484856b08869f827a6edee51d51b5f3 upstream.
+
+Add video_device_release() to release the memory allocated by
+video_device_alloc() if something goes wrong.
+
+Fixes: a1e294045885 ("media: imagination: Add E5010 JPEG Encoder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li
+Reviewed-by: Nicolas Dufresne
+Signed-off-by: Nicolas Dufresne
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/imagination/e5010-jpeg-enc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/imagination/e5010-jpeg-enc.c
++++ b/drivers/media/platform/imagination/e5010-jpeg-enc.c
+@@ -1057,8 +1057,11 @@ static int e5010_probe(struct platform_d
+ e5010->vdev->lock = &e5010->mutex;
+
+ ret = v4l2_device_register(dev, &e5010->v4l2_dev);
+- if (ret)
+- return dev_err_probe(dev, ret, "failed to register v4l2 device\n");
++ if (ret) {
++ dev_err_probe(dev, ret, "failed to register v4l2 device\n");
++ goto fail_after_video_device_alloc;
++ }
++
+
+ e5010->m2m_dev = v4l2_m2m_init(&e5010_m2m_ops);
+ if (IS_ERR(e5010->m2m_dev)) {
+@@ -1118,6 +1121,8 @@ fail_after_video_register_device:
+ v4l2_m2m_release(e5010->m2m_dev);
+ fail_after_v4l2_register:
+ v4l2_device_unregister(&e5010->v4l2_dev);
++fail_after_video_device_alloc:
++ video_device_release(e5010->vdev);
+ return ret;
+ }
+
diff --git a/queue-6.15/media-imx-jpeg-cleanup-after-an-allocation-error.patch b/queue-6.15/media-imx-jpeg-cleanup-after-an-allocation-error.patch
new file mode 100644
index 0000000000..10a8c013af
--- /dev/null
+++ b/queue-6.15/media-imx-jpeg-cleanup-after-an-allocation-error.patch
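Review bot: The new `fail_after_video_device_alloc:` label sits at the bottom of the unwind chain, so every earlier error label now falls through into `video_device_release(e5010->vdev)` as well. The labels above `fail_after_video_register_device:` are outside the hunk; if one of them calls `video_unregister_device()` and the device's `release` callback is `video_device_release`, that path would release `vdev` twice, so the change needs checking against the whole of e5010_probe(). A short comment at the label stating which paths may reach it would make that invariant explicit. Minor: the added block leaves two consecutive blank lines before `e5010->m2m_dev = v4l2_m2m_init(...)`.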
@@ -0,0 +1,35 @@
+From 7500bb9cf164edbb2c8117d57620227b1a4a8369 Mon Sep 17 00:00:00 2001
+From: Ming Qian
+Date: Mon, 21 Apr 2025 16:12:54 +0800
+Subject: media: imx-jpeg: Cleanup after an allocation error
+
+From: Ming Qian
+
+commit 7500bb9cf164edbb2c8117d57620227b1a4a8369 upstream.
+
+When allocation failures are not cleaned up by the driver, further
+allocation errors will be false-positives, which will cause buffers to
+remain uninitialized and cause NULL pointer dereferences.
+Ensure proper cleanup of failed allocations to prevent these issues.
+
+Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Qian
+Reviewed-by: Frank Li
+Signed-off-by: Nicolas Dufresne
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -820,6 +820,7 @@ skip_alloc:
+ return true;
+ err:
+ dev_err(jpeg->dev, "Could not allocate descriptors for slot %d", jpeg->slot_data.slot);
++ mxc_jpeg_free_slot_data(jpeg);
+
+ return false;
+ }
diff --git a/queue-6.15/media-imx-jpeg-drop-the-first-error-frames.patch b/queue-6.15/media-imx-jpeg-drop-the-first-error-frames.patch
new file mode 100644
index 0000000000..6803792b2e
--- /dev/null
+++ b/queue-6.15/media-imx-jpeg-drop-the-first-error-frames.patch
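Review bot: The added `mxc_jpeg_free_slot_data(jpeg);` on the `err:` path is only safe together with two other patches queued in this same commit, and nothing in this patch records that dependency. The helper has to be defined above `mxc_jpeg_alloc_slot_data()` for the call to build, and unless the helper also resets the `slot_data` pointers and handles, any later call of it would hand already-freed addresses to `dma_free_coherent()`. The series order should therefore be the move patch, then the pointer-reset patch, then this one; the series file is not visible here, so that is worth confirming. The `err:` path and the rest of the function lie outside the hunk.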
@@ -0,0 +1,54 @@ +From d52b9b7e2f10d22a49468128540533e8d76910cd Mon Sep 17 00:00:00 2001 +From: Ming Qian +Date: Mon, 21 Apr 2025 15:06:12 +0800 +Subject: media: imx-jpeg: Drop the first error frames + +From: Ming Qian + +commit d52b9b7e2f10d22a49468128540533e8d76910cd upstream. + +When an output buffer contains error frame header, +v4l2_jpeg_parse_header() will return error, then driver will mark this +buffer and a capture buffer done with error flag in device_run(). + +But if the error occurs in the first frames, before setup the capture +queue, there is no chance to schedule device_run(), and there may be no +capture to mark error. + +So we need to drop this buffer with error flag, and make the decoding +can continue. + +Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Ming Qian +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c ++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c +@@ -1918,9 +1918,19 @@ static void mxc_jpeg_buf_queue(struct vb + jpeg_src_buf = vb2_to_mxc_buf(vb); + jpeg_src_buf->jpeg_parse_error = false; + ret = mxc_jpeg_parse(ctx, vb); +- if (ret) ++ if (ret) { + jpeg_src_buf->jpeg_parse_error = true; + ++ /* ++ * if the capture queue is not setup, the device_run() won't be scheduled, ++ * need to drop the error buffer, so that the decoding can continue ++ */ ++ if (!vb2_is_streaming(v4l2_m2m_get_dst_vq(ctx->fh.m2m_ctx))) { ++ v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR); ++ return; ++ } ++ } ++ + end: + v4l2_m2m_buf_queue(ctx->fh.m2m_ctx, vbuf); + } 
diff --git a/queue-6.15/media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch b/queue-6.15/media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch new file mode 100644 index 0000000000..bccbea4c11 --- /dev/null +++ b/queue-6.15/media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch 
@@ -0,0 +1,81 @@ +From 46e9c092f850bd7b4d06de92d3d21877f49a3fcb Mon Sep 17 00:00:00 2001 +From: Ming Qian +Date: Mon, 21 Apr 2025 16:12:52 +0800 +Subject: media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead + +From: Ming Qian + +commit 46e9c092f850bd7b4d06de92d3d21877f49a3fcb upstream. + +Move function mxc_jpeg_free_slot_data() above mxc_jpeg_alloc_slot_data() +allowing to call that function during allocation failures. +No functional changes are made. + +Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Ming Qian +Reviewed-by: Nicolas Dufresne +Reviewed-by: Frank Li +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 40 ++++++++++++------------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c ++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c +@@ -752,6 +752,26 @@ static int mxc_get_free_slot(struct mxc_ + return -1; + } + ++static void mxc_jpeg_free_slot_data(struct mxc_jpeg_dev *jpeg) ++{ ++ /* free descriptor for decoding/encoding phase */ ++ dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc), ++ jpeg->slot_data.desc, ++ jpeg->slot_data.desc_handle); ++ ++ /* free descriptor for encoder configuration phase / decoder DHT */ ++ dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc), ++ jpeg->slot_data.cfg_desc, ++ jpeg->slot_data.cfg_desc_handle); ++ ++ /* free configuration stream */ ++ dma_free_coherent(jpeg->dev, MXC_JPEG_MAX_CFG_STREAM, ++ jpeg->slot_data.cfg_stream_vaddr, ++ jpeg->slot_data.cfg_stream_handle); ++ ++ jpeg->slot_data.used = false; ++} ++ + static bool mxc_jpeg_alloc_slot_data(struct mxc_jpeg_dev *jpeg) + { + struct mxc_jpeg_desc *desc; +@@ -798,26 +818,6 @@ err: + return false; + } + +-static void mxc_jpeg_free_slot_data(struct mxc_jpeg_dev *jpeg) +-{ +- /* free descriptor for 
decoding/encoding phase */ +- dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc), +- jpeg->slot_data.desc, +- jpeg->slot_data.desc_handle); +- +- /* free descriptor for encoder configuration phase / decoder DHT */ +- dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc), +- jpeg->slot_data.cfg_desc, +- jpeg->slot_data.cfg_desc_handle); +- +- /* free configuration stream */ +- dma_free_coherent(jpeg->dev, MXC_JPEG_MAX_CFG_STREAM, +- jpeg->slot_data.cfg_stream_vaddr, +- jpeg->slot_data.cfg_stream_handle); +- +- jpeg->slot_data.used = false; +-} +- + static void mxc_jpeg_check_and_set_last_buffer(struct mxc_jpeg_ctx *ctx, + struct vb2_v4l2_buffer *src_buf, + struct vb2_v4l2_buffer *dst_buf) diff --git a/queue-6.15/media-imx-jpeg-reset-slot-data-pointers-when-freed.patch b/queue-6.15/media-imx-jpeg-reset-slot-data-pointers-when-freed.patch new file mode 100644 index 0000000000..78e328e396 --- /dev/null +++ b/queue-6.15/media-imx-jpeg-reset-slot-data-pointers-when-freed.patch 
@@ -0,0 +1,51 @@ +From faa8051b128f4b34277ea8a026d02d83826f8122 Mon Sep 17 00:00:00 2001 +From: Ming Qian +Date: Mon, 21 Apr 2025 16:12:53 +0800 +Subject: media: imx-jpeg: Reset slot data pointers when freed + +From: Ming Qian + +commit faa8051b128f4b34277ea8a026d02d83826f8122 upstream. + +Ensure that the slot data pointers are reset to NULL and handles are +set to 0 after freeing the coherent memory. This makes he function +mxc_jpeg_alloc_slot_data() and mxc_jpeg_free_slot_data() safe to be +called multiple times. + +Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Ming Qian +Reviewed-by: Nicolas Dufresne +Reviewed-by: Frank Li +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c ++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c +@@ -758,16 +758,22 @@ static void mxc_jpeg_free_slot_data(stru + dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc), + jpeg->slot_data.desc, + jpeg->slot_data.desc_handle); ++ jpeg->slot_data.desc = NULL; ++ jpeg->slot_data.desc_handle = 0; + + /* free descriptor for encoder configuration phase / decoder DHT */ + dma_free_coherent(jpeg->dev, sizeof(struct mxc_jpeg_desc), + jpeg->slot_data.cfg_desc, + jpeg->slot_data.cfg_desc_handle); ++ jpeg->slot_data.cfg_desc_handle = 0; ++ jpeg->slot_data.cfg_desc = NULL; + + /* free configuration stream */ + dma_free_coherent(jpeg->dev, MXC_JPEG_MAX_CFG_STREAM, + jpeg->slot_data.cfg_stream_vaddr, + jpeg->slot_data.cfg_stream_handle); ++ jpeg->slot_data.cfg_stream_vaddr = NULL; ++ jpeg->slot_data.cfg_stream_handle = 0; + + jpeg->slot_data.used = false; + } 
diff --git a/queue-6.15/media-imx335-use-correct-register-width-for-hnum.patch b/queue-6.15/media-imx335-use-correct-register-width-for-hnum.patch new file mode 100644 index 0000000000..b5f7ac4fde --- /dev/null +++ b/queue-6.15/media-imx335-use-correct-register-width-for-hnum.patch @@ -0,0 +1,34 @@ +From b122c9cfcb39c8ef520d50eddfbe15f3e6551a50 Mon Sep 17 00:00:00 2001 +From: Umang Jain +Date: Tue, 22 Apr 2025 13:20:52 +0100 +Subject: media: imx335: Use correct register width for HNUM + +From: Umang Jain + +commit b122c9cfcb39c8ef520d50eddfbe15f3e6551a50 upstream. + +CCI_REG_HNUM should be using CCI_REG16_LE() instead of CCI_REG8() +as HNUM spans from 0x302e[0:7] to 0x302f[0:3]. + +Signed-off-by: Umang Jain +Signed-off-by: Kieran Bingham +Fixes: 8f0926dba799 ("media: imx335: Use V4L2 CCI for accessing sensor registers") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx335.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/imx335.c ++++ b/drivers/media/i2c/imx335.c +@@ -31,7 +31,7 @@ + #define IMX335_REG_CPWAIT_TIME CCI_REG8(0x300d) + #define IMX335_REG_WINMODE CCI_REG8(0x3018) + #define IMX335_REG_HTRIMMING_START CCI_REG16_LE(0x302c) +-#define IMX335_REG_HNUM CCI_REG8(0x302e) ++#define IMX335_REG_HNUM CCI_REG16_LE(0x302e) + + /* Lines per frame */ + #define IMX335_REG_VMAX CCI_REG24_LE(0x3030) diff --git a/queue-6.15/media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch b/queue-6.15/media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch new file mode 100644 index 0000000000..f1d157e9f0 --- /dev/null +++ b/queue-6.15/media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch 
@@ -0,0 +1,46 @@ +From 0209916ebe2475079ce6d8dc4114afbc0ccad1c2 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 10 Apr 2025 11:47:06 +0200 +Subject: media: intel/ipu6: Fix dma mask for non-secure mode + +From: Stanislaw Gruszka + +commit 0209916ebe2475079ce6d8dc4114afbc0ccad1c2 upstream. + +We use dma_get_mask() of auxdev device for calculate iova pfn limit. +This is always 32 bit mask as we do not initialize the mask (and we can +not do so, since dev->dev_mask is NULL anyways for auxdev). + +Since we need 31 bit mask for non-secure mode use mmu_info->aperture_end +which is properly initialized to correct mask for both modes. + +Fixes: daabc5c64703 ("media: ipu6: not override the dma_ops of device in driver") +Cc: stable@vger.kernel.org +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ipu6/ipu6-dma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/pci/intel/ipu6/ipu6-dma.c ++++ b/drivers/media/pci/intel/ipu6/ipu6-dma.c +@@ -172,7 +172,7 @@ void *ipu6_dma_alloc(struct ipu6_bus_dev + count = PHYS_PFN(size); + + iova = alloc_iova(&mmu->dmap->iovad, count, +- PHYS_PFN(dma_get_mask(dev)), 0); ++ PHYS_PFN(mmu->dmap->mmu_info->aperture_end), 0); + if (!iova) + goto out_kfree; + +@@ -398,7 +398,7 @@ int ipu6_dma_map_sg(struct ipu6_bus_devi + nents, npages); + + iova = alloc_iova(&mmu->dmap->iovad, npages, +- PHYS_PFN(dma_get_mask(dev)), 0); ++ PHYS_PFN(mmu->dmap->mmu_info->aperture_end), 0); + if (!iova) + return 0; + diff --git a/queue-6.15/media-ipu6-remove-workaround-for-meteor-lake-es2.patch b/queue-6.15/media-ipu6-remove-workaround-for-meteor-lake-es2.patch new file mode 100644 index 0000000000..da1a78d00e --- /dev/null +++ b/queue-6.15/media-ipu6-remove-workaround-for-meteor-lake-es2.patch 
@@ -0,0 +1,42 @@ +From d471fb06b21ae54bf76464731ae1dcb26ef1ca68 Mon Sep 17 00:00:00 2001 +From: Hao Yao +Date: Tue, 11 Mar 2025 16:41:55 +0800 +Subject: media: ipu6: Remove workaround for Meteor Lake ES2 + +From: Hao Yao + +commit d471fb06b21ae54bf76464731ae1dcb26ef1ca68 upstream. + +There was a hardware bug which need IPU6 driver to disable the ATS. This +workaround is not needed anymore as the bug was fixed in hardware level. + +Additionally, Arrow Lake has the same IPU6 PCI ID and x86 stepping but +does not have the bug. Removing the Meteor Lake workaround is also +required for the driver to function on Arrow Lake. + +Signed-off-by: Hao Yao +Reviewed-by: Stanislaw Gruszka +Fixes: 25fedc021985 ("media: intel/ipu6: add Intel IPU6 PCI device driver") +Cc: stable@vger.kernel.org +[Sakari Ailus: Added tags and explanation of what is fixed.] +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ipu6/ipu6.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/media/pci/intel/ipu6/ipu6.c ++++ b/drivers/media/pci/intel/ipu6/ipu6.c +@@ -464,11 +464,6 @@ static int ipu6_pci_config_setup(struct + { + int ret; + +- /* disable IPU6 PCI ATS on mtl ES2 */ +- if (is_ipu6ep_mtl(hw_ver) && boot_cpu_data.x86_stepping == 0x2 && +- pci_ats_supported(dev)) +- pci_disable_ats(dev); +- + /* No PCI msi capability for IPU6EP */ + if (is_ipu6ep(hw_ver) || is_ipu6ep_mtl(hw_ver)) { + /* likely do nothing as msi not enabled by default */ diff --git a/queue-6.15/media-iris-fix-error-code-in-iris_load_fw_to_memory.patch b/queue-6.15/media-iris-fix-error-code-in-iris_load_fw_to_memory.patch new file mode 100644 index 0000000000..338cdc35c7 --- /dev/null +++ b/queue-6.15/media-iris-fix-error-code-in-iris_load_fw_to_memory.patch 
@@ -0,0 +1,41 @@ +From e68c3c50a736490d9c07888fe525718d16ff9e9c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 17 Feb 2025 11:08:00 +0300 +Subject: media: iris: fix error code in iris_load_fw_to_memory() + +From: Dan Carpenter + +commit e68c3c50a736490d9c07888fe525718d16ff9e9c upstream. + +Return -ENOMEM if memremap() fails. Don't return success. + +Fixes: d19b163356b8 ("media: iris: implement video firmware load/unload") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Reviewed-by: Dikshita Agarwal +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/iris/iris_firmware.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/qcom/iris/iris_firmware.c b/drivers/media/platform/qcom/iris/iris_firmware.c +index 7c493b4a75db..f1b5cd56db32 100644 +--- a/drivers/media/platform/qcom/iris/iris_firmware.c ++++ b/drivers/media/platform/qcom/iris/iris_firmware.c +@@ -53,8 +53,10 @@ static int iris_load_fw_to_memory(struct iris_core *core, const char *fw_name) + } + + mem_virt = memremap(mem_phys, res_size, MEMREMAP_WC); +- if (!mem_virt) ++ if (!mem_virt) { ++ ret = -ENOMEM; + goto err_release_fw; ++ } + + ret = qcom_mdt_load(dev, firmware, fw_name, + pas_id, mem_virt, mem_phys, res_size, NULL); +-- +2.50.0 + diff --git a/queue-6.15/media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch b/queue-6.15/media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch new file mode 100644 index 0000000000..22ff038dc5 --- /dev/null +++ b/queue-6.15/media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch 
@@ -0,0 +1,37 @@ +From f19035b86382f635a0d13d177b601babaf263a12 Mon Sep 17 00:00:00 2001 +From: Fei Shao +Date: Fri, 14 Mar 2025 15:56:17 +0800 +Subject: media: mediatek: vcodec: Correct vsi_core framebuffer size + +From: Fei Shao + +commit f19035b86382f635a0d13d177b601babaf263a12 upstream. + +The framebuffer size for decoder instances was being incorrectly set - +inst->vsi_core->fb.y.size was assigned twice consecutively. + +Assign the second picinfo framebuffer size to the C framebuffer instead, +which appears to be the intended target based on the surrounding code. + +Fixes: 2674486aac7d ("media: mediatek: vcodec: support stateless hevc decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Fei Shao +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c ++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_hevc_req_multi_if.c +@@ -821,7 +821,7 @@ static int vdec_hevc_slice_setup_core_bu + inst->vsi_core->fb.y.dma_addr = y_fb_dma; + inst->vsi_core->fb.y.size = ctx->picinfo.fb_sz[0]; + inst->vsi_core->fb.c.dma_addr = c_fb_dma; +- inst->vsi_core->fb.y.size = ctx->picinfo.fb_sz[1]; ++ inst->vsi_core->fb.c.size = ctx->picinfo.fb_sz[1]; + + inst->vsi_core->dec.vdec_fb_va = (unsigned long)fb; + diff --git a/queue-6.15/media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch b/queue-6.15/media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch new file mode 100644 index 0000000000..a2bb3b1955 --- /dev/null +++ b/queue-6.15/media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch 
@@ -0,0 +1,95 @@ +From 910efa649076be9c2e1326059830327cf4228cf6 Mon Sep 17 00:00:00 2001 +From: Laurentiu Palcu +Date: Wed, 23 Oct 2024 11:56:43 +0300 +Subject: media: nxp: imx8-isi: better handle the m2m usage_count + +From: Laurentiu Palcu + +commit 910efa649076be9c2e1326059830327cf4228cf6 upstream. + +Currently, if streamon/streamoff calls are imbalanced we can either end up +with a negative ISI m2m usage_count (if streamoff() is called more times +than streamon()) in which case we'll not be able to restart the ISI pipe +next time, or the usage_count never gets to 0 and the pipe is never +switched off. + +To avoid that, add a 'streaming' flag to mxc_isi_m2m_ctx_queue_data and use it +in the streamon/streamoff to avoid incrementing/decrementing the usage_count +uselessly, if called multiple times from the same context. + +Fixes: cf21f328fcafac ("media: nxp: Add i.MX8 ISI driver") +Cc: stable@vger.kernel.org +Suggested-by: Laurent Pinchart +Signed-off-by: Laurentiu Palcu +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20241023085643.978729-1-laurentiu.palcu@oss.nxp.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c ++++ b/drivers/media/platform/nxp/imx8-isi/imx8-isi-m2m.c +@@ -43,6 +43,7 @@ struct mxc_isi_m2m_ctx_queue_data { + struct v4l2_pix_format_mplane format; + const struct mxc_isi_format_info *info; + u32 sequence; ++ bool streaming; + }; + + struct mxc_isi_m2m_ctx { +@@ -484,15 +485,18 @@ static int mxc_isi_m2m_streamon(struct f + enum v4l2_buf_type type) + { + struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(fh); ++ struct mxc_isi_m2m_ctx_queue_data *q = mxc_isi_m2m_ctx_qdata(ctx, type); + const struct v4l2_pix_format_mplane *out_pix = &ctx->queues.out.format; + const struct v4l2_pix_format_mplane 
*cap_pix = &ctx->queues.cap.format; + const struct mxc_isi_format_info *cap_info = ctx->queues.cap.info; + const struct mxc_isi_format_info *out_info = ctx->queues.out.info; + struct mxc_isi_m2m *m2m = ctx->m2m; + bool bypass; +- + int ret; + ++ if (q->streaming) ++ return 0; ++ + mutex_lock(&m2m->lock); + + if (m2m->usage_count == INT_MAX) { +@@ -545,6 +549,8 @@ static int mxc_isi_m2m_streamon(struct f + goto unchain; + } + ++ q->streaming = true; ++ + return 0; + + unchain: +@@ -567,10 +573,14 @@ static int mxc_isi_m2m_streamoff(struct + enum v4l2_buf_type type) + { + struct mxc_isi_m2m_ctx *ctx = to_isi_m2m_ctx(fh); ++ struct mxc_isi_m2m_ctx_queue_data *q = mxc_isi_m2m_ctx_qdata(ctx, type); + struct mxc_isi_m2m *m2m = ctx->m2m; + + v4l2_m2m_ioctl_streamoff(file, fh, type); + ++ if (!q->streaming) ++ return 0; ++ + mutex_lock(&m2m->lock); + + /* +@@ -596,6 +606,8 @@ static int mxc_isi_m2m_streamoff(struct + + mutex_unlock(&m2m->lock); + ++ q->streaming = false; ++ + return 0; + } + diff --git a/queue-6.15/media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch b/queue-6.15/media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch new file mode 100644 index 0000000000..72e57ea102 --- /dev/null +++ b/queue-6.15/media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch 
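Review bot: `q->streaming` is tested in `mxc_isi_m2m_streamon()` before `mutex_lock(&m2m->lock)` is taken, and `mxc_isi_m2m_streamoff()` clears it after `mutex_unlock(&m2m->lock)`, so the flag and `usage_count` do not change under the same lock. If streamon and streamoff on one context are not already serialised by another lock (not visible in these hunks), two concurrent calls can both pass the check and adjust `usage_count` twice, which is the imbalance this patch is meant to prevent. Moving the test and the assignment inside the `m2m->lock` section would tie the two together; failing that, a comment naming the lock that serialises these ioctls would document the assumption. Both function bodies extend beyond the hunks.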
@@ -0,0 +1,72 @@ +From 3de572fe2189a4a0bd80295e1f478401e739498e Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Wed, 7 May 2025 18:09:13 +0200 +Subject: media: omap3isp: use sgtable-based scatterlist wrappers + +From: Marek Szyprowski + +commit 3de572fe2189a4a0bd80295e1f478401e739498e upstream. + +Use common wrappers operating directly on the struct sg_table objects to +fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*() +functions have to be called with the number of elements originally passed +to dma_map_sg_*() function, not the one returned in sgtable's nents. + +Fixes: d33186d0be18 ("[media] omap3isp: ccdc: Use the DMA API for LSC") +Fixes: 0e24e90f2ca7 ("[media] omap3isp: stat: Use the DMA API") +CC: stable@vger.kernel.org +Signed-off-by: Marek Szyprowski +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/omap3isp/ispccdc.c | 8 ++++---- + drivers/media/platform/ti/omap3isp/ispstat.c | 6 ++---- + 2 files changed, 6 insertions(+), 8 deletions(-) + +--- a/drivers/media/platform/ti/omap3isp/ispccdc.c ++++ b/drivers/media/platform/ti/omap3isp/ispccdc.c +@@ -446,8 +446,8 @@ static int ccdc_lsc_config(struct isp_cc + if (ret < 0) + goto done; + +- dma_sync_sg_for_cpu(isp->dev, req->table.sgt.sgl, +- req->table.sgt.nents, DMA_TO_DEVICE); ++ dma_sync_sgtable_for_cpu(isp->dev, &req->table.sgt, ++ DMA_TO_DEVICE); + + if (copy_from_user(req->table.addr, config->lsc, + req->config.size)) { +@@ -455,8 +455,8 @@ static int ccdc_lsc_config(struct isp_cc + goto done; + } + +- dma_sync_sg_for_device(isp->dev, req->table.sgt.sgl, +- req->table.sgt.nents, DMA_TO_DEVICE); ++ dma_sync_sgtable_for_device(isp->dev, &req->table.sgt, ++ DMA_TO_DEVICE); + } + + spin_lock_irqsave(&ccdc->lsc.req_lock, flags); +--- a/drivers/media/platform/ti/omap3isp/ispstat.c ++++ b/drivers/media/platform/ti/omap3isp/ispstat.c +@@ -161,8 +161,7 @@ static void isp_stat_buf_sync_for_device + if 
(ISP_STAT_USES_DMAENGINE(stat)) + return; + +- dma_sync_sg_for_device(stat->isp->dev, buf->sgt.sgl, +- buf->sgt.nents, DMA_FROM_DEVICE); ++ dma_sync_sgtable_for_device(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE); + } + + static void isp_stat_buf_sync_for_cpu(struct ispstat *stat, +@@ -171,8 +170,7 @@ static void isp_stat_buf_sync_for_cpu(st + if (ISP_STAT_USES_DMAENGINE(stat)) + return; + +- dma_sync_sg_for_cpu(stat->isp->dev, buf->sgt.sgl, +- buf->sgt.nents, DMA_FROM_DEVICE); ++ dma_sync_sgtable_for_cpu(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE); + } + + static void isp_stat_buf_clear(struct ispstat *stat) diff --git a/queue-6.15/media-ov08x40-extend-sleep-after-reset-to-5-ms.patch b/queue-6.15/media-ov08x40-extend-sleep-after-reset-to-5-ms.patch new file mode 100644 index 0000000000..a486f7005c --- /dev/null +++ b/queue-6.15/media-ov08x40-extend-sleep-after-reset-to-5-ms.patch 
@@ -0,0 +1,40 @@ +From 77aed862c34f192f9d4b80d5288263b22b50ca98 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 11 Mar 2025 12:48:44 +0100 +Subject: media: ov08x40: Extend sleep after reset to 5 ms + +From: Hans de Goede + +commit 77aed862c34f192f9d4b80d5288263b22b50ca98 upstream. + +Some users are reporting that ov08x40_identify_module() fails +to identify the chip reading 0x00 as value for OV08X40_REG_CHIP_ID. + +Intel's out of tree IPU6 drivers include some ov08x40 changes +including adding support for the reset GPIO for older kernels and +Intel's patch for this uses 5 ms. Extend the sleep to 5 ms following +Intel's example, this fixes the ov08x40_identify_module() problem. + +Link: https://github.com/intel/ipu6-drivers/blob/c09e2198d801e1eb701984d2948373123ba92a56/patch/v6.12/0008-media-ov08x40-Add-support-for-2-4-lanes-support-at-1.patch#L4607 +Fixes: df1ae2251a50 ("media: ov08x40: Add OF probe support") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov08x40.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/ov08x40.c ++++ b/drivers/media/i2c/ov08x40.c +@@ -1341,7 +1341,7 @@ static int ov08x40_power_on(struct devic + } + + gpiod_set_value_cansleep(ov08x->reset_gpio, 0); +- usleep_range(1500, 1800); ++ usleep_range(5000, 5500); + + return 0; + diff --git a/queue-6.15/media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch b/queue-6.15/media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch new file mode 100644 index 0000000000..02c9b14fe0 --- /dev/null +++ b/queue-6.15/media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch 
@@ -0,0 +1,45 @@ +From 81cf4f46a03a07b0b86f9d677c34ba782df7d65e Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 24 Mar 2025 14:01:09 +0100 +Subject: media: ov2740: Move pm-runtime cleanup on probe-errors to proper place + +From: Hans de Goede + +commit 81cf4f46a03a07b0b86f9d677c34ba782df7d65e upstream. + +When v4l2_subdev_init_finalize() fails no changes have been made to +the runtime-pm device state yet, so the probe_error_media_entity_cleanup +rollback path should not touch the runtime-pm device state. + +Instead this should be done from the probe_error_v4l2_subdev_cleanup +rollback path. Note the pm_runtime_xxx() calls are put above +the v4l2_subdev_cleanup() call to have the reverse call order of probe(). + +Signed-off-by: Hans de Goede +Reviewed-by: Bingbu Cao +Fixes: 289c25923ecd ("media: ov2740: Use sub-device active state") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov2740.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/ov2740.c ++++ b/drivers/media/i2c/ov2740.c +@@ -1456,12 +1456,12 @@ static int ov2740_probe(struct i2c_clien + return 0; + + probe_error_v4l2_subdev_cleanup: ++ pm_runtime_disable(&client->dev); ++ pm_runtime_set_suspended(&client->dev); + v4l2_subdev_cleanup(&ov2740->sd); + + probe_error_media_entity_cleanup: + media_entity_cleanup(&ov2740->sd.entity); +- pm_runtime_disable(&client->dev); +- pm_runtime_set_suspended(&client->dev); + + probe_error_v4l2_ctrl_handler_free: + v4l2_ctrl_handler_free(ov2740->sd.ctrl_handler); diff --git a/queue-6.15/media-ov5675-suppress-probe-deferral-errors.patch b/queue-6.15/media-ov5675-suppress-probe-deferral-errors.patch new file mode 100644 index 0000000000..65d670eab6 --- /dev/null +++ b/queue-6.15/media-ov5675-suppress-probe-deferral-errors.patch 
@@ -0,0 +1,44 @@ +From 8268da3c474a43a79a6540fb06c5d3b730a0d5a5 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Apr 2025 14:52:37 +0200 +Subject: media: ov5675: suppress probe deferral errors + +From: Johan Hovold + +commit 8268da3c474a43a79a6540fb06c5d3b730a0d5a5 upstream. + +Probe deferral should not be logged as an error: + + ov5675 24-0010: failed to get HW configuration: -517 + +Drop the (mostly) redundant dev_err() from sensor probe() to suppress +it. + +Note that errors during clock and regulator lookup are already correctly +logged using dev_err_probe(). + +Fixes: 49d9ad719e89 ("media: ov5675: add device-tree support and support runtime PM") +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov5675.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/media/i2c/ov5675.c ++++ b/drivers/media/i2c/ov5675.c +@@ -1295,11 +1295,8 @@ static int ov5675_probe(struct i2c_clien + return -ENOMEM; + + ret = ov5675_get_hwcfg(ov5675, &client->dev); +- if (ret) { +- dev_err(&client->dev, "failed to get HW configuration: %d", +- ret); ++ if (ret) + return ret; +- } + + v4l2_i2c_subdev_init(&ov5675->sd, client, &ov5675_subdev_ops); + diff --git a/queue-6.15/media-ov8856-suppress-probe-deferral-errors.patch b/queue-6.15/media-ov8856-suppress-probe-deferral-errors.patch new file mode 100644 index 0000000000..eb21254674 --- /dev/null +++ b/queue-6.15/media-ov8856-suppress-probe-deferral-errors.patch 
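Review bot: After this hunk ov5675_probe() returns the ov5675_get_hwcfg() error with no message of its own, so any failure inside that helper that it does not log itself becomes silent; the commit text calls the removed dev_err() only "(mostly)" redundant. If such paths exist (the helper is outside the hunk), `return dev_err_probe(&client->dev, ret, "failed to get HW configuration\n");` keeps the diagnostic without reporting -EPROBE_DEFER as an error, at the cost of a second line on paths that already log. The same applies to the matching change in ov8856_probe() in media-ov8856-suppress-probe-deferral-errors.patch. ov5675_probe() starts and ends outside the hunk.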
@@ -0,0 +1,55 @@ +From e3d86847fba58cf71f66e81b6a2515e07039ae17 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 25 Apr 2025 14:52:38 +0200 +Subject: media: ov8856: suppress probe deferral errors + +From: Johan Hovold + +commit e3d86847fba58cf71f66e81b6a2515e07039ae17 upstream. + +Probe deferral should not be logged as an error: + + ov8856 24-0010: failed to get HW configuration: -517 + +Use dev_err_probe() for the clock lookup and drop the (mostly) redundant +dev_err() from sensor probe() to suppress it. + +Note that errors during regulator lookup is already correctly logged +using dev_err_probe(). + +Fixes: 0c2c7a1e0d69 ("media: ov8856: Add devicetree support") +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov8856.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/media/i2c/ov8856.c ++++ b/drivers/media/i2c/ov8856.c +@@ -2276,8 +2276,8 @@ static int ov8856_get_hwcfg(struct ov885 + if (!is_acpi_node(fwnode)) { + ov8856->xvclk = devm_clk_get(dev, "xvclk"); + if (IS_ERR(ov8856->xvclk)) { +- dev_err(dev, "could not get xvclk clock (%pe)\n", +- ov8856->xvclk); ++ dev_err_probe(dev, PTR_ERR(ov8856->xvclk), ++ "could not get xvclk clock\n"); + return PTR_ERR(ov8856->xvclk); + } + +@@ -2382,11 +2382,8 @@ static int ov8856_probe(struct i2c_clien + return -ENOMEM; + + ret = ov8856_get_hwcfg(ov8856, &client->dev); +- if (ret) { +- dev_err(&client->dev, "failed to get HW configuration: %d", +- ret); ++ if (ret) + return ret; +- } + + v4l2_i2c_subdev_init(&ov8856->sd, client, &ov8856_subdev_ops); + diff --git a/queue-6.15/media-qcom-camss-csid-suppress-csid-log-spam.patch b/queue-6.15/media-qcom-camss-csid-suppress-csid-log-spam.patch new file mode 100644 index 0000000000..0610096a45 --- /dev/null +++ b/queue-6.15/media-qcom-camss-csid-suppress-csid-log-spam.patch 
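Review bot: In ov8856_get_hwcfg() the new `dev_err_probe()` call is followed by a separate `return PTR_ERR(ov8856->xvclk);`, although dev_err_probe() already returns the error code it is given. The branch reads more directly as the single statement `return dev_err_probe(dev, PTR_ERR(ov8856->xvclk), "could not get xvclk clock\n");`, which also lets the braces go. This is a style point only; behaviour is the same.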
@@ -0,0 +1,54 @@ +From aef1d545989bc9e7f555af6b9f1be4963772192b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 7 Apr 2025 10:51:25 +0200 +Subject: media: qcom: camss: csid: suppress CSID log spam + +From: Johan Hovold + +commit aef1d545989bc9e7f555af6b9f1be4963772192b upstream. + +A recent commit refactored the printing of the CSID hardware version, but +(without it being mentioned) also changed the log level from debug to +info. + +This results in repeated log spam during use, for example, on the Lenovo +ThinkPad X13s: + + qcom-camss ac5a000.camss: CSID:0 HW Version = 1.0.0 + qcom-camss ac5a000.camss: CSID:0 HW Version = 1.0.0 + qcom-camss ac5a000.camss: CSID:0 HW Version = 1.0.0 + qcom-camss ac5a000.camss: CSID:0 HW Version = 1.0.0 + qcom-camss ac5a000.camss: CSID:0 HW Version = 1.0.0 + +Suppress the version logging by demoting to debug level again. + +Fixes: f759b8fd3086 ("media: qcom: camss: csid: Move common code into csid core") +Cc: stable@vger.kernel.org +Cc: Depeng Shao +Signed-off-by: Johan Hovold +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss/camss-csid.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-csid.c b/drivers/media/platform/qcom/camss/camss-csid.c +index d08117f46f3b..5284b5857368 100644 +--- a/drivers/media/platform/qcom/camss/camss-csid.c ++++ b/drivers/media/platform/qcom/camss/camss-csid.c +@@ -613,8 +613,8 @@ u32 csid_hw_version(struct csid_device *csid) + hw_gen = (hw_version >> HW_VERSION_GENERATION) & 0xF; + hw_rev = (hw_version >> HW_VERSION_REVISION) & 0xFFF; + hw_step = (hw_version >> HW_VERSION_STEPPING) & 0xFFFF; +- dev_info(csid->camss->dev, "CSID:%d HW Version = %u.%u.%u\n", +- csid->id, hw_gen, hw_rev, hw_step); ++ dev_dbg(csid->camss->dev, "CSID:%d HW Version = %u.%u.%u\n", ++ csid->id, hw_gen, hw_rev, hw_step); + + return 
hw_version; + } +-- +2.50.0 + diff --git a/queue-6.15/media-qcom-camss-vfe-suppress-vfe-version-log-spam.patch b/queue-6.15/media-qcom-camss-vfe-suppress-vfe-version-log-spam.patch new file mode 100644 index 0000000000..cb1abe9d0c --- /dev/null +++ b/queue-6.15/media-qcom-camss-vfe-suppress-vfe-version-log-spam.patch 
@@ -0,0 +1,63 @@ +From b6fafb3941fa0f065def304d44d6c3c6d6ac0f64 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 7 Apr 2025 12:48:28 +0200 +Subject: media: qcom: camss: vfe: suppress VFE version log spam + +From: Johan Hovold + +commit b6fafb3941fa0f065def304d44d6c3c6d6ac0f64 upstream. + +A recent commit refactored the printing of the VFE hardware version, but +(without it being mentioned) also changed the log level from debug to +info. + +This results in several hundred lines of repeated log spam during boot +and use, for example, on the Lenovo ThinkPad X13s: + + qcom-camss ac5a000.camss: VFE:1 HW Version = 1.2.2 + qcom-camss ac5a000.camss: VFE:0 HW Version = 1.2.2 + qcom-camss ac5a000.camss: VFE:2 HW Version = 1.2.2 + qcom-camss ac5a000.camss: VFE:2 HW Version = 1.2.2 + qcom-camss ac5a000.camss: VFE:3 HW Version = 1.2.2 + qcom-camss ac5a000.camss: VFE:5 HW Version = 1.3.0 + qcom-camss ac5a000.camss: VFE:6 HW Version = 1.3.0 + qcom-camss ac5a000.camss: VFE:4 HW Version = 1.3.0 + qcom-camss ac5a000.camss: VFE:5 HW Version = 1.3.0 + qcom-camss ac5a000.camss: VFE:6 HW Version = 1.3.0 + qcom-camss ac5a000.camss: VFE:7 HW Version = 1.3.0 + qcom-camss ac5a000.camss: VFE:7 HW Version = 1.3.0 + qcom-camss ac5a000.camss: VFE:7 HW Version = 1.3.0 + ... + +Suppress the version logging by demoting to debug level again. 
+ +Fixes: 10693fed125d ("media: qcom: camss: vfe: Move common code into vfe core") +Cc: stable@vger.kernel.org +Cc: Depeng Shao +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Johan Hovold +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss/camss-vfe.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/qcom/camss/camss-vfe.c b/drivers/media/platform/qcom/camss/camss-vfe.c +index cf0e8f5c004a..91bc0cb7781e 100644 +--- a/drivers/media/platform/qcom/camss/camss-vfe.c ++++ b/drivers/media/platform/qcom/camss/camss-vfe.c +@@ -428,8 +428,8 @@ u32 vfe_hw_version(struct vfe_device *vfe) + u32 rev = (hw_version >> HW_VERSION_REVISION) & 0xFFF; + u32 step = (hw_version >> HW_VERSION_STEPPING) & 0xFFFF; + +- dev_info(vfe->camss->dev, "VFE:%d HW Version = %u.%u.%u\n", +- vfe->id, gen, rev, step); ++ dev_dbg(vfe->camss->dev, "VFE:%d HW Version = %u.%u.%u\n", ++ vfe->id, gen, rev, step); + + return hw_version; + } +-- +2.50.0 + diff --git a/queue-6.15/media-rcar-vin-fix-raw10.patch b/queue-6.15/media-rcar-vin-fix-raw10.patch new file mode 100644 index 0000000000..8b5cc427b2 --- /dev/null +++ b/queue-6.15/media-rcar-vin-fix-raw10.patch 
@@ -0,0 +1,71 @@ +From 94bf847ae5a61e0ab0b971ed186a443688eb793f Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Thu, 24 Apr 2025 10:05:36 +0300 +Subject: media: rcar-vin: Fix RAW10 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tomi Valkeinen + +commit 94bf847ae5a61e0ab0b971ed186a443688eb793f upstream. + +Fix the following to get RAW10 formats working: + +In rvin_formats, the bpp is set to 4 for RAW10. As VIN unpacks RAW10 to +16-bit containers, the bpp should be 2. + +Don't set VNDMR_YC_THR to the VNDMR register. The YC_THR is "YC Data +Through Mode", used for YUV formats and should not be set for RAW10. + +Fixes: 1b7e7240eaf3 ("media: rcar-vin: Add support for RAW10") +Cc: stable@vger.kernel.org +Signed-off-by: Tomi Valkeinen +Reviewed-by: Niklas Söderlund +Tested-by: Niklas Söderlund +Link: https://lore.kernel.org/r/20250424-rcar-fix-raw-v2-4-f6afca378124@ideasonboard.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/renesas/rcar-vin/rcar-dma.c | 2 +- + drivers/media/platform/renesas/rcar-vin/rcar-v4l2.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/media/platform/renesas/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/renesas/rcar-vin/rcar-dma.c +@@ -910,7 +910,7 @@ static int rvin_setup(struct rvin_dev *v + case V4L2_PIX_FMT_SGBRG10: + case V4L2_PIX_FMT_SGRBG10: + case V4L2_PIX_FMT_SRGGB10: +- dmr = VNDMR_RMODE_RAW10 | VNDMR_YC_THR; ++ dmr = VNDMR_RMODE_RAW10; + break; + default: + vin_err(vin, "Invalid pixelformat (0x%x)\n", +--- a/drivers/media/platform/renesas/rcar-vin/rcar-v4l2.c ++++ b/drivers/media/platform/renesas/rcar-vin/rcar-v4l2.c +@@ -88,19 +88,19 @@ static const struct rvin_video_format rv + }, + { + .fourcc = V4L2_PIX_FMT_SBGGR10, +- .bpp = 4, ++ .bpp = 2, + }, + { + .fourcc = V4L2_PIX_FMT_SGBRG10, +- .bpp = 4, ++ .bpp = 2, + }, + { + .fourcc = V4L2_PIX_FMT_SGRBG10, +- 
.bpp = 4, ++ .bpp = 2, + }, + { + .fourcc = V4L2_PIX_FMT_SRGGB10, +- .bpp = 4, ++ .bpp = 2, + }, + }; + diff --git a/queue-6.15/media-uvcvideo-fix-deferred-probing-error.patch b/queue-6.15/media-uvcvideo-fix-deferred-probing-error.patch new file mode 100644 index 0000000000..a5827d06a1 --- /dev/null +++ b/queue-6.15/media-uvcvideo-fix-deferred-probing-error.patch 
@@ -0,0 +1,100 @@ +From 387e8939307192d5a852a2afeeb83427fa477151 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Thu, 13 Mar 2025 12:20:39 +0000 +Subject: media: uvcvideo: Fix deferred probing error + +From: Ricardo Ribalda + +commit 387e8939307192d5a852a2afeeb83427fa477151 upstream. + +uvc_gpio_parse() can return -EPROBE_DEFER when the GPIOs it depends on +have not yet been probed. This return code should be propagated to the +caller of uvc_probe() to ensure that probing is retried when the required +GPIOs become available. + +Currently, this error code is incorrectly converted to -ENODEV, +causing some internal cameras to be ignored. + +This commit fixes this issue by propagating the -EPROBE_DEFER error. + +Cc: stable@vger.kernel.org +Fixes: 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT") +Reviewed-by: Douglas Anderson +Signed-off-by: Ricardo Ribalda +Message-ID: <20250313-uvc-eprobedefer-v3-1-a1d312708eef@chromium.org> +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2232,13 +2232,16 @@ static int uvc_probe(struct usb_interfac + #endif + + /* Parse the Video Class control descriptor. */ +- if (uvc_parse_control(dev) < 0) { ++ ret = uvc_parse_control(dev); ++ if (ret < 0) { ++ ret = -ENODEV; + uvc_dbg(dev, PROBE, "Unable to parse UVC descriptors\n"); + goto error; + } + + /* Parse the associated GPIOs. */ +- if (uvc_gpio_parse(dev) < 0) { ++ ret = uvc_gpio_parse(dev); ++ if (ret < 0) { + uvc_dbg(dev, PROBE, "Unable to parse UVC GPIOs\n"); + goto error; + } +@@ -2264,24 +2267,32 @@ static int uvc_probe(struct usb_interfac + } + + /* Register the V4L2 device. 
*/ +- if (v4l2_device_register(&intf->dev, &dev->vdev) < 0) ++ ret = v4l2_device_register(&intf->dev, &dev->vdev); ++ if (ret < 0) + goto error; + + /* Scan the device for video chains. */ +- if (uvc_scan_device(dev) < 0) ++ if (uvc_scan_device(dev) < 0) { ++ ret = -ENODEV; + goto error; ++ } + + /* Initialize controls. */ +- if (uvc_ctrl_init_device(dev) < 0) ++ if (uvc_ctrl_init_device(dev) < 0) { ++ ret = -ENODEV; + goto error; ++ } + + /* Register video device nodes. */ +- if (uvc_register_chains(dev) < 0) ++ if (uvc_register_chains(dev) < 0) { ++ ret = -ENODEV; + goto error; ++ } + + #ifdef CONFIG_MEDIA_CONTROLLER + /* Register the media device node */ +- if (media_device_register(&dev->mdev) < 0) ++ ret = media_device_register(&dev->mdev); ++ if (ret < 0) + goto error; + #endif + /* Save our data pointer in the interface data. */ +@@ -2315,7 +2326,7 @@ static int uvc_probe(struct usb_interfac + error: + uvc_unregister_video(dev); + kref_put(&dev->ref, uvc_delete); +- return -ENODEV; ++ return ret; + } + + static void uvc_disconnect(struct usb_interface *intf) diff --git a/queue-6.15/media-uvcvideo-return-the-number-of-processed-controls.patch b/queue-6.15/media-uvcvideo-return-the-number-of-processed-controls.patch new file mode 100644 index 0000000000..5059c6de6e --- /dev/null +++ b/queue-6.15/media-uvcvideo-return-the-number-of-processed-controls.patch 
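Review bot: With `return ret;` at the `error:` label, every `goto error` in uvc_probe() now has to arrive with a negative value in `ret`, and these hunks cover only some of the function. Any jump to `error` outside them that leaves `ret` at 0 from an earlier successful call would make probe report success after `uvc_unregister_video()` and `kref_put()` have run, so those paths should be checked. In the first hunk `ret = uvc_parse_control(dev);` is overwritten with `-ENODEV` before it is used; keeping the original `if (uvc_parse_control(dev) < 0) {` with `ret = -ENODEV;` inside, as done for uvc_scan_device(), would be consistent. A comment at the label such as `/* ret holds a negative errno on every path to here */` would document the rule.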
@@ -0,0 +1,71 @@ +From ba4fafb02ad6a4eb2e00f861893b5db42ba54369 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 24 Feb 2025 10:34:53 +0000 +Subject: media: uvcvideo: Return the number of processed controls + +From: Ricardo Ribalda + +commit ba4fafb02ad6a4eb2e00f861893b5db42ba54369 upstream. + +If we let know our callers that we have not done anything, they will be +able to optimize their decisions. + +Cc: stable@kernel.org +Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events") +Reviewed-by: Laurent Pinchart +Signed-off-by: Ricardo Ribalda +Message-ID: <20250224-uvc-data-backup-v2-1-de993ed9823b@chromium.org> +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_ctrl.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -2090,12 +2090,17 @@ int uvc_ctrl_begin(struct uvc_video_chai + return mutex_lock_interruptible(&chain->ctrl_mutex) ? -ERESTARTSYS : 0; + } + ++/* ++ * Returns the number of uvc controls that have been correctly set, or a ++ * negative number if there has been an error. 
++ */ + static int uvc_ctrl_commit_entity(struct uvc_device *dev, + struct uvc_fh *handle, + struct uvc_entity *entity, + int rollback, + struct uvc_control **err_ctrl) + { ++ unsigned int processed_ctrls = 0; + struct uvc_control *ctrl; + unsigned int i; + int ret; +@@ -2130,6 +2135,9 @@ static int uvc_ctrl_commit_entity(struct + else + ret = 0; + ++ if (!ret) ++ processed_ctrls++; ++ + if (rollback || ret < 0) + memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT), + uvc_ctrl_data(ctrl, UVC_CTRL_DATA_BACKUP), +@@ -2148,7 +2156,7 @@ static int uvc_ctrl_commit_entity(struct + uvc_ctrl_set_handle(handle, ctrl, handle); + } + +- return 0; ++ return processed_ctrls; + } + + static int uvc_ctrl_find_ctrl_idx(struct uvc_entity *entity, +@@ -2195,6 +2203,7 @@ int __uvc_ctrl_commit(struct uvc_fh *han + + if (!rollback) + uvc_ctrl_send_events(handle, ctrls->controls, ctrls->count); ++ ret = 0; + done: + mutex_unlock(&chain->ctrl_mutex); + return ret; diff --git a/queue-6.15/media-uvcvideo-send-control-events-for-partial-succeeds.patch b/queue-6.15/media-uvcvideo-send-control-events-for-partial-succeeds.patch new file mode 100644 index 0000000000..0b1913183b --- /dev/null +++ b/queue-6.15/media-uvcvideo-send-control-events-for-partial-succeeds.patch 
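Review bot: The added comment says uvc_ctrl_commit_entity() returns the number of controls "correctly set", but `processed_ctrls++` runs whenever `ret` is 0, and the context line `else ret = 0;` just above it shows that `ret` is also 0 on a branch where no query result was assigned. If that branch is the rollback case (its condition is above the hunk), rolled-back controls are counted too, and the comment should say so, for example `Returns the number of controls processed without error, or a negative error code.` The counter is `unsigned int` while the function returns `int`; declaring it as `int processed_ctrls = 0;` avoids the implicit conversion. The function is only partly visible in these hunks.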
@@ -0,0 +1,64 @@ +From 5c791467aea6277430da5f089b9b6c2a9d8a4af7 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 24 Feb 2025 10:34:54 +0000 +Subject: media: uvcvideo: Send control events for partial succeeds + +From: Ricardo Ribalda + +commit 5c791467aea6277430da5f089b9b6c2a9d8a4af7 upstream. + +Today, when we are applying a change to entities A, B. If A succeeds and B +fails the events for A are not sent. + +This change changes the code so the events for A are send right after +they happen. + +Cc: stable@kernel.org +Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events") +Signed-off-by: Ricardo Ribalda +Message-ID: <20250224-uvc-data-backup-v2-2-de993ed9823b@chromium.org> +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_ctrl.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -1943,7 +1943,9 @@ static bool uvc_ctrl_xctrls_has_control( + } + + static void uvc_ctrl_send_events(struct uvc_fh *handle, +- const struct v4l2_ext_control *xctrls, unsigned int xctrls_count) ++ struct uvc_entity *entity, ++ const struct v4l2_ext_control *xctrls, ++ unsigned int xctrls_count) + { + struct uvc_control_mapping *mapping; + struct uvc_control *ctrl; +@@ -1955,6 +1957,9 @@ static void uvc_ctrl_send_events(struct + s32 value; + + ctrl = uvc_find_control(handle->chain, xctrls[i].id, &mapping); ++ if (ctrl->entity != entity) ++ continue; ++ + if (ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS) + /* Notification will be sent from an Interrupt event. 
*/ + continue; +@@ -2198,11 +2203,12 @@ int __uvc_ctrl_commit(struct uvc_fh *han + uvc_ctrl_find_ctrl_idx(entity, ctrls, + err_ctrl); + goto done; ++ } else if (ret > 0 && !rollback) { ++ uvc_ctrl_send_events(handle, entity, ++ ctrls->controls, ctrls->count); + } + } + +- if (!rollback) +- uvc_ctrl_send_events(handle, ctrls->controls, ctrls->count); + ret = 0; + done: + mutex_unlock(&chain->ctrl_mutex); diff --git a/queue-6.15/media-v4l2-dev-fix-error-handling-in-__video_register_device.patch b/queue-6.15/media-v4l2-dev-fix-error-handling-in-__video_register_device.patch new file mode 100644 index 0000000000..e20546e5c4 --- /dev/null +++ b/queue-6.15/media-v4l2-dev-fix-error-handling-in-__video_register_device.patch 
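Review bot: The added `if (ctrl->entity != entity)` in uvc_ctrl_send_events() dereferences the result of `uvc_find_control()` straight after the lookup, with no NULL test, for an id taken from `xctrls[i].id`. The existing `ctrl->info.flags` line makes the same assumption, so this is safe only if every id in the array has already been resolved to a control before this function is reached, which these hunks do not show. Writing the guard as `if (!ctrl || ctrl->entity != entity)` costs nothing and removes the dependency on that ordering. The function body continues outside the hunk.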
@@ -0,0 +1,66 @@ +From 2a934fdb01db6458288fc9386d3d8ceba6dd551a Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Wed, 19 Mar 2025 16:02:48 +0800 +Subject: media: v4l2-dev: fix error handling in __video_register_device() + +From: Ma Ke + +commit 2a934fdb01db6458288fc9386d3d8ceba6dd551a upstream. + +Once device_register() failed, we should call put_device() to +decrement reference count for cleanup. Or it could cause memory leak. +And move callback function v4l2_device_release() and v4l2_device_get() +before put_device(). + +As comment of device_register() says, 'NOTE: _Never_ directly free +@dev after calling this function, even if it returned an error! Always +use put_device() to give up the reference initialized in this function +instead.' + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: dc93a70cc7f9 ("V4L/DVB (9973): v4l2-dev: use the release callback from device instead of cdev") +Signed-off-by: Ma Ke +Reviewed-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-dev.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-dev.c ++++ b/drivers/media/v4l2-core/v4l2-dev.c +@@ -1054,25 +1054,25 @@ int __video_register_device(struct video + vdev->dev.class = &video_class; + vdev->dev.devt = MKDEV(VIDEO_MAJOR, vdev->minor); + vdev->dev.parent = vdev->dev_parent; ++ vdev->dev.release = v4l2_device_release; + dev_set_name(&vdev->dev, "%s%d", name_base, vdev->num); ++ ++ /* Increase v4l2_device refcount */ ++ v4l2_device_get(vdev->v4l2_dev); ++ + mutex_lock(&videodev_lock); + ret = device_register(&vdev->dev); + if (ret < 0) { + mutex_unlock(&videodev_lock); + pr_err("%s: device_register failed\n", __func__); +- goto cleanup; ++ put_device(&vdev->dev); ++ return ret; + } +- /* Register the release callback that will be called when the last +- reference to the device goes away. 
*/ +- vdev->dev.release = v4l2_device_release; + + if (nr != -1 && nr != vdev->num && warn_if_nr_in_use) + pr_warn("%s: requested %s%d, got %s\n", __func__, + name_base, nr, video_device_node_name(vdev)); + +- /* Increase v4l2_device refcount */ +- v4l2_device_get(vdev->v4l2_dev); +- + /* Part 5: Register the entity. */ + ret = video_register_media_controller(vdev); + diff --git a/queue-6.15/media-venus-fix-probe-error-handling.patch b/queue-6.15/media-venus-fix-probe-error-handling.patch new file mode 100644 index 0000000000..f6d5e7eef8 --- /dev/null +++ b/queue-6.15/media-venus-fix-probe-error-handling.patch 
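Review bot: The failure branch of `device_register()` now calls `put_device(&vdev->dev)` with `vdev->dev.release` already set to `v4l2_device_release`, and returns instead of jumping to `cleanup`, so all unwinding on this path is delegated to the release callback. The hunk does not show that callback, which has to undo everything the `cleanup` label did. If it ends by handing `vdev` to the driver's own release hook, callers that free the video_device themselves after a failed registration would free it a second time. Once the callback and the callers have been checked, the function's documentation should state the new contract, for example `On device_register() failure the device is released through put_device(); callers must not free vdev again`. __video_register_device() starts and ends outside the hunk.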
@@ -0,0 +1,79 @@ +From 523cea3a19f0b3b020a4745344c136a636e6ffd7 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Thu, 27 Mar 2025 13:53:04 +0100 +Subject: media: venus: Fix probe error handling + +From: Loic Poulain + +commit 523cea3a19f0b3b020a4745344c136a636e6ffd7 upstream. + +Video device registering has been moved earlier in the probe function, +but the new order has not been propagated to error handling. This means +we can end with unreleased resources on error (e.g dangling video device +on missing firmware probe aborting). + +Fixes: 08b1cf474b7f7 ("media: venus: core, venc, vdec: Fix probe dependency error") +Cc: stable@vger.kernel.org +Signed-off-by: Loic Poulain +Reviewed-by: Dikshita Agarwal +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -438,7 +438,7 @@ static int venus_probe(struct platform_d + + ret = v4l2_device_register(dev, &core->v4l2_dev); + if (ret) +- goto err_core_deinit; ++ goto err_hfi_destroy; + + platform_set_drvdata(pdev, core); + +@@ -476,24 +476,24 @@ static int venus_probe(struct platform_d + + ret = venus_enumerate_codecs(core, VIDC_SESSION_TYPE_DEC); + if (ret) +- goto err_venus_shutdown; ++ goto err_core_deinit; + + ret = venus_enumerate_codecs(core, VIDC_SESSION_TYPE_ENC); + if (ret) +- goto err_venus_shutdown; ++ goto err_core_deinit; + + ret = pm_runtime_put_sync(dev); + if (ret) { + pm_runtime_get_noresume(dev); +- goto err_dev_unregister; ++ goto err_core_deinit; + } + + venus_dbgfs_init(core); + + return 0; + +-err_dev_unregister: +- v4l2_device_unregister(&core->v4l2_dev); ++err_core_deinit: ++ hfi_core_deinit(core, false); + err_venus_shutdown: + venus_shutdown(core); + err_firmware_deinit: +@@ -506,9 +506,9 @@ 
err_runtime_disable: + pm_runtime_put_noidle(dev); + pm_runtime_disable(dev); + pm_runtime_set_suspended(dev); ++ v4l2_device_unregister(&core->v4l2_dev); ++err_hfi_destroy: + hfi_destroy(core); +-err_core_deinit: +- hfi_core_deinit(core, false); + err_core_put: + if (core->pm_ops->core_put) + core->pm_ops->core_put(core); diff --git a/queue-6.15/media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch b/queue-6.15/media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch new file mode 100644 index 0000000000..37df368aa1 --- /dev/null +++ b/queue-6.15/media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch 
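Review bot: `v4l2_device_unregister(&core->v4l2_dev)` now sits in the fall-through after `err_runtime_disable` with no label of its own, so every `goto` that lands on `err_runtime_disable` or on a label above it will unregister the V4L2 device. That is correct only if all of those jumps happen after `v4l2_device_register()` has succeeded. The hunk shows the register failure itself going to `err_hfi_destroy`, but the earlier part of venus_probe() is not visible. A comment on that line, such as `/* all paths reaching here have registered v4l2_dev */`, would record the ordering that this patch restores and that the unwind chain relies on.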
@@ -0,0 +1,45 @@
+From a704a3c503ae1cfd9de8a2e2d16a0c9430e98162 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Wed, 7 May 2025 18:09:11 +0200
+Subject: media: videobuf2: use sgtable-based scatterlist wrappers
+
+From: Marek Szyprowski
+
+commit a704a3c503ae1cfd9de8a2e2d16a0c9430e98162 upstream.
+
+Use common wrappers operating directly on the struct sg_table objects to
+fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
+functions have to be called with the number of elements originally passed
+to dma_map_sg_*() function, not the one returned in sgt->nents.
+
+Fixes: d4db5eb57cab ("media: videobuf2: add begin/end cpu_access callbacks to dma-sg")
+CC: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski
+Reviewed-by: Sergey Senozhatsky
+Acked-by: Tomasz Figa
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/common/videobuf2/videobuf2-dma-sg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
++++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+@@ -469,7 +469,7 @@ vb2_dma_sg_dmabuf_ops_begin_cpu_access(s
+ struct vb2_dma_sg_buf *buf = dbuf->priv;
+ struct sg_table *sgt = buf->dma_sgt;
+
+- dma_sync_sg_for_cpu(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sgtable_for_cpu(buf->dev, sgt, buf->dma_dir);
+ return 0;
+ }
+
+@@ -480,7 +480,7 @@ vb2_dma_sg_dmabuf_ops_end_cpu_access(str
+ struct vb2_dma_sg_buf *buf = dbuf->priv;
+ struct sg_table *sgt = buf->dma_sgt;
+
+- dma_sync_sg_for_device(buf->dev, sgt->sgl, sgt->nents, buf->dma_dir);
++ dma_sync_sgtable_for_device(buf->dev, sgt, buf->dma_dir);
+ return 0;
+ }
+
diff --git a/queue-6.15/media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch b/queue-6.15/media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch
new file mode 100644
index 0000000000..727b0d83d6
--- /dev/null
+++ b/queue-6.15/media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch 
@@ -0,0 +1,148 @@
+From 1d5f88f053480326873115092bc116b7d14916ba Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis
+Date: Tue, 11 Mar 2025 15:20:14 +0800
+Subject: media: vidtv: Terminating the subsequent process of initialization failure
+
+From: Edward Adam Davis
+
+commit 1d5f88f053480326873115092bc116b7d14916ba upstream.
+
+syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]
+
+After PSI initialization fails, the si member is accessed again, resulting
+in this uaf.
+
+After si initialization fails, the subsequent process needs to be exited.
+
+[1]
+BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline]
+BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
+Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059
+
+CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0
+Hardware name: Google Compute Engine, BIOS Google 02/12/2025
+Call Trace:
+
+__dump_stack lib/dump_stack.c:94 [inline]
+dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+print_address_description mm/kasan/report.c:408 [inline]
+print_report+0xc3/0x670 mm/kasan/report.c:521
+kasan_report+0xd9/0x110 mm/kasan/report.c:634
+vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78
+vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524
+vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+__fput+0x3ff/0xb70
fs/file_table.c:464
+task_work_run+0x14e/0x250 kernel/task_work.c:227
+exit_task_work include/linux/task_work.h:40 [inline]
+do_exit+0xad8/0x2d70 kernel/exit.c:938
+do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+__do_sys_exit_group kernel/exit.c:1098 [inline]
+__se_sys_exit_group kernel/exit.c:1096 [inline]
+__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f871d58d169
+Code: Unable to access opcode bytes at 0x7f871d58d13f.
+RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169
+RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0
+R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003
+R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840
+
+
+Allocated by task 6059:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
+ kmalloc_noprof include/linux/slab.h:901 [inline]
+ kzalloc_noprof include/linux/slab.h:1037 [inline]
+ vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970
+ vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423
+ vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
+ vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+ vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+ dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+ dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+ dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+
dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+ dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+ dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+ __fput+0x3ff/0xb70 fs/file_table.c:464
+ task_work_run+0x14e/0x250 kernel/task_work.c:227
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xad8/0x2d70 kernel/exit.c:938
+ do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+ __do_sys_exit_group kernel/exit.c:1098 [inline]
+ __se_sys_exit_group kernel/exit.c:1096 [inline]
+ __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+ x64_sys_call arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6059:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2353 [inline]
+ slab_free mm/slub.c:4609 [inline]
+ kfree+0x2c4/0x4d0 mm/slub.c:4757
+ vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:499
+ vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519
+ vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194
+ vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
+ dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973
+ dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline]
+ dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537
+ dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564
+ dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+ dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+ __fput+0x3ff/0xb70
fs/file_table.c:464
+ task_work_run+0x14e/0x250 kernel/task_work.c:227
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xad8/0x2d70 kernel/exit.c:938
+ do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
+ __do_sys_exit_group kernel/exit.c:1098 [inline]
+ __se_sys_exit_group kernel/exit.c:1096 [inline]
+ __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096
+ x64_sys_call arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 3be8037960bc ("media: vidtv: add error checks")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+0d33ab192bd50b6c91e6@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0d33ab192bd50b6c91e6
+Signed-off-by: Edward Adam Davis
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/test-drivers/vidtv/vidtv_channel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
+@@ -497,7 +497,7 @@ free_sdt:
+ vidtv_psi_sdt_table_destroy(m->si.sdt);
+ free_pat:
+ vidtv_psi_pat_table_destroy(m->si.pat);
+- return 0;
++ return -EINVAL;
+ }
+
+ void vidtv_channel_si_destroy(struct vidtv_mux *m)
diff --git a/queue-6.15/media-vivid-change-the-siize-of-the-composing.patch b/queue-6.15/media-vivid-change-the-siize-of-the-composing.patch
new file mode 100644
index 0000000000..04ce6147c0
--- /dev/null
+++ b/queue-6.15/media-vivid-change-the-siize-of-the-composing.patch
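Review bot: The error path at `free_sdt:` / `free_pat:` destroys `m->si.sdt` and `m->si.pat` but leaves both pointers set in `m->si`, so the fix depends entirely on every caller honouring the new non-zero return; the KASAN report in the description shows what a caller that carries on does with the stale pointer. Clearing them after the destroy calls, `m->si.sdt = NULL;` and `m->si.pat = NULL;`, would turn any later stray access into a NULL dereference instead of a read of freed slab memory. The fixed `-EINVAL` is also returned for every failure regardless of cause; if the failing init calls earlier in the function can report one, propagating it would be more useful, but that part of the body is above the hunk and cannot be checked from here.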
@@ -0,0 +1,63 @@
+From f83ac8d30c43fd902af7c84c480f216157b60ef0 Mon Sep 17 00:00:00 2001
+From: Denis Arefev
+Date: Tue, 15 Apr 2025 11:27:21 +0300
+Subject: media: vivid: Change the siize of the composing
+
+From: Denis Arefev
+
+commit f83ac8d30c43fd902af7c84c480f216157b60ef0 upstream.
+
+syzkaller found a bug:
+
+BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
+Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304
+
+CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:489
+ kasan_report+0x143/0x180 mm/kasan/report.c:602
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
+ tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
+ vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
+ vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
+ vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
+ kthread+0x7a9/0x920 kernel/kthread.c:464
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+
+The composition size cannot be larger than the size of fmt_cap_rect.
+So execute v4l2_rect_map_inside() even if has_compose_cap == 0.
+
+Fixes: 94a7ad928346 ("media: vivid: fix compose size exceed boundary")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+365005005522b70a36f2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=8ed8e8cc30cbe0d86c9a25bd1d6a5775129b8ea3
+Signed-off-by: Denis Arefev
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -946,8 +946,8 @@ int vivid_vid_cap_s_selection(struct fil
+ if (dev->has_compose_cap) {
+ v4l2_rect_set_min_size(compose, &min_rect);
+ v4l2_rect_set_max_size(compose, &max_rect);
+- v4l2_rect_map_inside(compose, &fmt);
+ }
++ v4l2_rect_map_inside(compose, &fmt);
+ dev->fmt_cap_rect = fmt;
+ tpg_s_buf_height(&dev->tpg, fmt.height);
+ } else if (dev->has_compose_cap) {
diff --git a/queue-6.15/nfs-always-probe-for-localio-support-asynchronously.patch b/queue-6.15/nfs-always-probe-for-localio-support-asynchronously.patch
new file mode 100644
index 0000000000..320cb62d6f
--- /dev/null
+++ b/queue-6.15/nfs-always-probe-for-localio-support-asynchronously.patch
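Review bot: The now-unconditional `v4l2_rect_map_inside(compose, &fmt);` is the bound that keeps the compose rectangle inside the capture format, and per the KASAN report it is what stops the test pattern generator writing past the vmalloc'ed buffer, yet nothing at the call site says so. A one-line comment above it, such as `/* compose must always fit inside fmt, even without compose support: the TPG fills the buffer from it */`, would keep a later cleanup from folding the call back into the `has_compose_cap` branch. The sibling branch `} else if (dev->has_compose_cap) {` opens on the hunk's last line and its body is outside the hunk, so whether the same bound is enforced there cannot be confirmed from here.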
@@ -0,0 +1,101 @@
+From 1ff4716f420b5a6e6ef095b23bb5db76f46be7fc Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Tue, 13 May 2025 12:08:31 -0400
+Subject: NFS: always probe for LOCALIO support asynchronously
+
+From: Mike Snitzer
+
+commit 1ff4716f420b5a6e6ef095b23bb5db76f46be7fc upstream.
+
+It was reported that NFS client mounts of AWS Elastic File System
+(EFS) volumes is slow, this is because the AWS firewall disallows
+LOCALIO (because it doesn't consider the use of NFS_LOCALIO_PROGRAM
+valid), see: https://bugzilla.redhat.com/show_bug.cgi?id=2335129
+
+Switch to performing the LOCALIO probe asynchronously to address the
+potential for the NFS LOCALIO protocol being disallowed and/or slowed
+by the remote server's response.
+
+While at it, fix nfs_local_probe_async() to always take/put a
+reference on the nfs_client that is using the LOCALIO protocol.
+Also, unexport the nfs_local_probe() symbol and make it private to
+fs/nfs/localio.c
+
+This change has the side-effect of initially issuing reads, writes and
+commits over the wire via SUNRPC until the LOCALIO probe completes.
+
+Suggested-by: Jeff Layton # to always probe async
+Fixes: 76d4cb6345da ("nfs: probe for LOCALIO when v4 client reconnects to server")
+Cc: stable@vger.kernel.org # 6.14+
+Signed-off-by: Mike Snitzer
+Reviewed-by: Jeff Layton
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/client.c | 2 +-
+ fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
+ fs/nfs/internal.h | 1 -
+ fs/nfs/localio.c | 6 ++++--
+ 4 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -439,7 +439,7 @@ struct nfs_client *nfs_get_client(const
+ spin_unlock(&nn->nfs_client_lock);
+ new = rpc_ops->init_client(new, cl_init);
+ if (!IS_ERR(new))
+- nfs_local_probe(new);
++ nfs_local_probe_async(new);
+ return new;
+ }
+
+--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+@@ -400,7 +400,7 @@ nfs4_ff_layout_prepare_ds(struct pnfs_la
+ * keep ds_clp even if DS is local, so that if local IO cannot
+ * proceed somehow, we can fall back to NFS whenever we want.
+ */
+- nfs_local_probe(ds->ds_clp);
++ nfs_local_probe_async(ds->ds_clp);
+ max_payload =
+ nfs_block_size(rpc_max_payload(ds->ds_clp->cl_rpcclient),
+ NULL);
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -455,7 +455,6 @@ extern int nfs_wait_bit_killable(struct
+
+ #if IS_ENABLED(CONFIG_NFS_LOCALIO)
+ /* localio.c */
+-extern void nfs_local_probe(struct nfs_client *);
+ extern void nfs_local_probe_async(struct nfs_client *);
+ extern void nfs_local_probe_async_work(struct work_struct *);
+ extern struct nfsd_file *nfs_local_open_fh(struct nfs_client *,
+--- a/fs/nfs/localio.c
++++ b/fs/nfs/localio.c
+@@ -171,7 +171,7 @@ static bool nfs_server_uuid_is_local(str
+ * - called after alloc_client and init_client (so cl_rpcclient exists)
+ * - this function is idempotent, it can be called for old or new clients
+ */
+-void nfs_local_probe(struct nfs_client *clp)
++static void nfs_local_probe(struct nfs_client *clp)
+ {
+ /* Disallow localio if disabled via sysfs or AUTH_SYS isn't used */
+ if (!localio_enabled ||
+@@ -191,14 +191,16 @@ void nfs_local_probe(struct nfs_client *
+ nfs_localio_enable_client(clp);
+ nfs_uuid_end(&clp->cl_uuid);
+ }
+-EXPORT_SYMBOL_GPL(nfs_local_probe);
+
+ void nfs_local_probe_async_work(struct work_struct *work)
+ {
+ struct nfs_client *clp =
+ container_of(work, struct nfs_client, cl_local_probe_work);
+
++ if (!refcount_inc_not_zero(&clp->cl_count))
++ return;
+ nfs_local_probe(clp);
++ nfs_put_client(clp);
+ }
+
+ void nfs_local_probe_async(struct nfs_client *clp)
diff --git a/queue-6.15/nfsd-fix-access-checking-for-nlm-under-xprtsec-policies.patch b/queue-6.15/nfsd-fix-access-checking-for-nlm-under-xprtsec-policies.patch
new file mode 100644
index 0000000000..916af8c3e2
--- /dev/null
+++ b/queue-6.15/nfsd-fix-access-checking-for-nlm-under-xprtsec-policies.patch
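Review bot: In `nfs_local_probe_async_work()` the reference is taken when the work item runs, not when it is queued, so `refcount_inc_not_zero(&clp->cl_count)` only protects the probe if the `nfs_client` memory is still valid at that moment. If the client can be freed while `cl_local_probe_work` is still pending, the `container_of()` result already points at freed memory and the refcount read is itself a use-after-free; whether the client's free path cancels or flushes this work is not visible in the hunk. Taking the reference in `nfs_local_probe_async()` before queueing (and dropping it when the work was already pending) would close that window, or the teardown side should call `cancel_work_sync(&clp->cl_local_probe_work);` before the structure is released. `nfs_local_probe_async()` begins on the hunk's last line and its body is outside the hunk.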
@@ -0,0 +1,40 @@
+From 0813c5f01249dbc32ccbc68d27a24fde5bf2901c Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia
+Date: Fri, 21 Mar 2025 20:13:04 -0400
+Subject: nfsd: fix access checking for NLM under XPRTSEC policies
+
+From: Olga Kornievskaia
+
+commit 0813c5f01249dbc32ccbc68d27a24fde5bf2901c upstream.
+
+When an export policy with xprtsec policy is set with "tls"
+and/or "mtls", but an NFS client is doing a v3 xprtsec=tls
+mount, then NLM locking calls fail with an error because
+there is currently no support for NLM with TLS.
+
+Until such support is added, allow NLM calls under TLS-secured
+policy.
+
+Fixes: 4cc9b9f2bf4d ("nfsd: refine and rename NFSD_MAY_LOCK")
+Cc: stable@vger.kernel.org
+Signed-off-by: Olga Kornievskaia
+Reviewed-by: NeilBrown
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/export.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/export.c
++++ b/fs/nfsd/export.c
+@@ -1124,7 +1124,8 @@ __be32 check_nfsd_access(struct svc_expo
+ test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
+ goto ok;
+ }
+- goto denied;
++ if (!may_bypass_gss)
++ goto denied;
+
+ ok:
+ /* legacy gss-only clients are always OK: */
diff --git a/queue-6.15/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch b/queue-6.15/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch
new file mode 100644
index 0000000000..004d5b0118
--- /dev/null
+++ b/queue-6.15/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch
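Review bot: The new `if (!may_bypass_gss) goto denied;` lets any request whose caller sets `may_bypass_gss` fall through to `ok:` after the transport-security checks that precede it have not matched (only the last of them, the `XPT_PEER_AUTH` test, is visible here), so a connection that satisfies none of the export's xprtsec policies is no longer rejected at this point. The commit message scopes the exception to NLM, but the condition tests a flag named for GSS flavour bypass, and which callers pass it is not visible in the hunk; if anything other than NLM sets it, the export's `tls`/`mtls` requirement stops being enforced for those requests as well. At minimum the branch needs a comment, for example `/* NLM cannot use TLS yet: xprtsec is not enforced when may_bypass_gss is set */`, and ideally the exception would be keyed on the request actually being an NLM call. `check_nfsd_access()` begins and ends outside the hunk.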
@@ -0,0 +1,167 @@
+From f7fb730cac9aafda8b9813b55d04e28a9664d17c Mon Sep 17 00:00:00 2001
+From: Maninder Singh
+Date: Thu, 6 Mar 2025 14:50:07 +0530
+Subject: NFSD: fix race between nfsd registration and exports_proc
+
+From: Maninder Singh
+
+commit f7fb730cac9aafda8b9813b55d04e28a9664d17c upstream.
+
+As of now nfsd calls create_proc_exports_entry() at start of init_nfsd
+and cleanup by remove_proc_entry() at last of exit_nfsd.
+
+Which causes kernel OOPs if there is race between below 2 operations:
+(i) exportfs -r
+(ii) mount -t nfsd none /proc/fs/nfsd
+
+for 5.4 kernel ARM64:
+
+CPU 1:
+el1_irq+0xbc/0x180
+arch_counter_get_cntvct+0x14/0x18
+running_clock+0xc/0x18
+preempt_count_add+0x88/0x110
+prep_new_page+0xb0/0x220
+get_page_from_freelist+0x2d8/0x1778
+__alloc_pages_nodemask+0x15c/0xef0
+__vmalloc_node_range+0x28c/0x478
+__vmalloc_node_flags_caller+0x8c/0xb0
+kvmalloc_node+0x88/0xe0
+nfsd_init_net+0x6c/0x108 [nfsd]
+ops_init+0x44/0x170
+register_pernet_operations+0x114/0x270
+register_pernet_subsys+0x34/0x50
+init_nfsd+0xa8/0x718 [nfsd]
+do_one_initcall+0x54/0x2e0
+
+CPU 2 :
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
+
+PC is at : exports_net_open+0x50/0x68 [nfsd]
+
+Call trace:
+exports_net_open+0x50/0x68 [nfsd]
+exports_proc_open+0x2c/0x38 [nfsd]
+proc_reg_open+0xb8/0x198
+do_dentry_open+0x1c4/0x418
+vfs_open+0x38/0x48
+path_openat+0x28c/0xf18
+do_filp_open+0x70/0xe8
+do_sys_open+0x154/0x248
+
+Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().
+
+and same is happening on latest 6.14 kernel as well:
+
+[ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty
+...
+[ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48
+...
+[ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4
+...
+[ 285.469695] Call trace:
+[ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P)
+[ 285.470488] seq_read+0xe0/0x11c
+[ 285.470675] proc_reg_read+0x9c/0xf0
+[ 285.470874] vfs_read+0xc4/0x2fc
+[ 285.471057] ksys_read+0x6c/0xf4
+[ 285.471231] __arm64_sys_read+0x1c/0x28
+[ 285.471428] invoke_syscall+0x44/0x100
+[ 285.471633] el0_svc_common.constprop.0+0x40/0xe0
+[ 285.471870] do_el0_svc_compat+0x1c/0x34
+[ 285.472073] el0_svc_compat+0x2c/0x80
+[ 285.472265] el0t_32_sync_handler+0x90/0x140
+[ 285.472473] el0t_32_sync+0x19c/0x1a0
+[ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)
+[ 285.473422] ---[ end trace 0000000000000000 ]---
+
+It reproduced simply with below script:
+while [ 1 ]
+do
+/exportfs -r
+done &
+
+while [ 1 ]
+do
+insmod /nfsd.ko
+mount -t nfsd none /proc/fs/nfsd
+umount /proc/fs/nfsd
+rmmod nfsd
+done &
+
+So exporting interfaces to user space shall be done at last and
+cleanup at first place.
+
+With change there is no Kernel OOPs.
+
+Co-developed-by: Shubham Rana
+Signed-off-by: Shubham Rana
+Signed-off-by: Maninder Singh
+Reviewed-by: Jeff Layton
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfsctl.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -2291,12 +2291,9 @@ static int __init init_nfsd(void)
+ if (retval)
+ goto out_free_pnfs;
+ nfsd_lockd_init(); /* lockd->nfsd callbacks */
+- retval = create_proc_exports_entry();
+- if (retval)
+- goto out_free_lockd;
+ retval = register_pernet_subsys(&nfsd_net_ops);
+ if (retval < 0)
+- goto out_free_exports;
++ goto out_free_lockd;
+ retval = register_cld_notifier();
+ if (retval)
+ goto out_free_subsys;
+@@ -2308,11 +2305,16 @@ static int __init init_nfsd(void)
+ goto out_free_nfsd4;
+ retval = genl_register_family(&nfsd_nl_family);
+ if (retval)
++ goto out_free_filesystem;
++ retval = create_proc_exports_entry();
++ if (retval)
+ goto out_free_all;
+
nfsd_localio_ops_init();
+
+ return 0;
+ out_free_all:
++ genl_unregister_family(&nfsd_nl_family);
++out_free_filesystem:
+ unregister_filesystem(&nfsd_fs_type);
+ out_free_nfsd4:
+ nfsd4_destroy_laundry_wq();
+@@ -2320,9 +2322,6 @@ out_free_cld:
+ unregister_cld_notifier();
+ out_free_subsys:
+ unregister_pernet_subsys(&nfsd_net_ops);
+-out_free_exports:
+- remove_proc_entry("fs/nfs/exports", NULL);
+- remove_proc_entry("fs/nfs", NULL);
+ out_free_lockd:
+ nfsd_lockd_shutdown();
+ nfsd_drc_slab_free();
+@@ -2335,14 +2334,14 @@ out_free_slabs:
+
+ static void __exit exit_nfsd(void)
+ {
++ remove_proc_entry("fs/nfs/exports", NULL);
++ remove_proc_entry("fs/nfs", NULL);
+ genl_unregister_family(&nfsd_nl_family);
+ unregister_filesystem(&nfsd_fs_type);
+ nfsd4_destroy_laundry_wq();
+ unregister_cld_notifier();
+ unregister_pernet_subsys(&nfsd_net_ops);
+ nfsd_drc_slab_free();
+- remove_proc_entry("fs/nfs/exports", NULL);
+- remove_proc_entry("fs/nfs", NULL);
+ nfsd_lockd_shutdown();
+ nfsd4_free_slabs();
+ nfsd4_exit_pnfs();
diff --git a/queue-6.15/nfsd-implement-fattr4_clone_blksize-attribute.patch b/queue-6.15/nfsd-implement-fattr4_clone_blksize-attribute.patch
new file mode 100644
index 0000000000..897bb82484
--- /dev/null
+++ b/queue-6.15/nfsd-implement-fattr4_clone_blksize-attribute.patch
@@ -0,0 +1,67 @@
+From d6ca7d2643eebe09cf46840bdc7d68b6e07aba77 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Wed, 7 May 2025 10:45:15 -0400
+Subject: NFSD: Implement FATTR4_CLONE_BLKSIZE attribute
+
+From: Chuck Lever
+
+commit d6ca7d2643eebe09cf46840bdc7d68b6e07aba77 upstream.
+
+RFC 7862 states that if an NFS server implements a CLONE operation,
+it MUST also implement FATTR4_CLONE_BLKSIZE. NFSD implements CLONE,
+but does not implement FATTR4_CLONE_BLKSIZE.
+
+Note that in Section 12.2, RFC 7862 claims that
+FATTR4_CLONE_BLKSIZE is RECOMMENDED, not REQUIRED. Likely this is
+because a minor version is not permitted to add a REQUIRED
+attribute. Confusing.
+
+We assume this attribute reports a block size as a count of bytes,
+as RFC 7862 does not specify a unit.
+
+Reported-by: Roland Mainz
+Suggested-by: Christoph Hellwig
+Reviewed-by: Roland Mainz
+Cc: stable@vger.kernel.org # v6.7+
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4xdr.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3391,6 +3391,23 @@ static __be32 nfsd4_encode_fattr4_suppat
+ return nfsd4_encode_bitmap4(xdr, supp[0], supp[1], supp[2]);
+ }
+
++/*
++ * Copied from generic_remap_checks/generic_remap_file_range_prep.
++ *
++ * These generic functions use the file system's s_blocksize, but
++ * individual file systems aren't required to use
++ * generic_remap_file_range_prep. Until there is a mechanism for
++ * determining a particular file system's (or file's) clone block
++ * size, this is the best NFSD can do.
++ */
++static __be32 nfsd4_encode_fattr4_clone_blksize(struct xdr_stream *xdr,
++ const struct nfsd4_fattr_args *args)
++{
++ struct inode *inode = d_inode(args->dentry);
++
++ return nfsd4_encode_uint32_t(xdr, inode->i_sb->s_blocksize);
++}
++
+ #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+ static __be32 nfsd4_encode_fattr4_sec_label(struct xdr_stream *xdr,
+ const struct nfsd4_fattr_args *args)
+@@ -3545,7 +3562,7 @@ static const nfsd4_enc_attr nfsd4_enc_fa
+ [FATTR4_MODE_SET_MASKED] = nfsd4_encode_fattr4__noop,
+ [FATTR4_SUPPATTR_EXCLCREAT] = nfsd4_encode_fattr4_suppattr_exclcreat,
+ [FATTR4_FS_CHARSET_CAP] = nfsd4_encode_fattr4__noop,
+- [FATTR4_CLONE_BLKSIZE] = nfsd4_encode_fattr4__noop,
++ [FATTR4_CLONE_BLKSIZE] = nfsd4_encode_fattr4_clone_blksize,
+ [FATTR4_SPACE_FREED] = nfsd4_encode_fattr4__noop,
+ [FATTR4_CHANGE_ATTR_TYPE] = nfsd4_encode_fattr4__noop,
+
diff --git a/queue-6.15/nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch b/queue-6.15/nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch
new file mode 100644
index 0000000000..e3c9315e04
--- /dev/null
+++ b/queue-6.15/nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch
@@ -0,0 +1,51 @@
+From b31da62889e6d610114d81dc7a6edbcaa503fcf8 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng
+Date: Mon, 14 Apr 2025 22:38:52 +0800
+Subject: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference
+
+From: Li Lingfeng
+
+commit b31da62889e6d610114d81dc7a6edbcaa503fcf8 upstream.
+
+In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through
+nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized,
+this can cause NULL pointer dereference.
+
+Normally the delayed start of laundromat_work allows sufficient time for
+nfsd_ssc initialization to complete. However, when the kernel waits too
+long for userspace responses (e.g. in nfs4_state_start_net ->
+nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done ->
+cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the
+delayed work may start before nfsd_ssc initialization finishes.
+
+Fix this by moving nfsd_ssc initialization before starting laundromat_work.
+
+Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton
+Signed-off-by: Li Lingfeng
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfssvc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -396,13 +396,13 @@ static int nfsd_startup_net(struct net *
+ if (ret)
+ goto out_filecache;
+
++#ifdef CONFIG_NFSD_V4_2_INTER_SSC
++ nfsd4_ssc_init_umount_work(nn);
++#endif
+ ret = nfs4_state_start_net(net);
+ if (ret)
+ goto out_reply_cache;
+
+-#ifdef CONFIG_NFSD_V4_2_INTER_SSC
+- nfsd4_ssc_init_umount_work(nn);
+-#endif
+ nn->nfsd_net_up = true;
+ return 0;
+
diff --git a/queue-6.15/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch b/queue-6.15/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch
new file mode 100644
index 0000000000..041205c1b8
--- /dev/null
+++ b/queue-6.15/nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch
@@ -0,0 +1,37 @@
+From 1244f0b2c3cecd3f349a877006e67c9492b41807 Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Fri, 28 Mar 2025 11:05:59 +1100
+Subject: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
+
+From: NeilBrown
+
+commit 1244f0b2c3cecd3f349a877006e67c9492b41807 upstream.
+
+If the request being processed is not a v4 compound request, then
+examining the cstate can have undefined results.
+
+This patch adds a check that the rpc procedure being executed
+(rq_procinfo) is the NFSPROC4_COMPOUND procedure.
+
+Reported-by: Olga Kornievskaia
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton
+Signed-off-by: NeilBrown
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -3766,7 +3766,8 @@ bool nfsd4_spo_must_allow(struct svc_rqs
+ struct nfs4_op_map *allow = &cstate->clp->cl_spo_must_allow;
+ u32 opiter;
+
+- if (!cstate->minorversion)
++ if (rqstp->rq_procinfo != &nfsd_version4.vs_proc[NFSPROC4_COMPOUND] ||
++ cstate->minorversion == 0)
+ return false;
+
+ if (cstate->spo_must_allowed)
diff --git a/queue-6.15/nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch b/queue-6.15/nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch
new file mode 100644
index 0000000000..581e2cc26d
--- /dev/null
+++ b/queue-6.15/nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch
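Review bot: The context line `struct nfs4_op_map *allow = &cstate->clp->cl_spo_must_allow;` still loads `cstate->clp` in the declaration, before the new `rq_procinfo` guard runs, so for a request that is not a v4 COMPOUND the function keeps examining the cstate that the commit message describes as undefined. The load only forms an address and the result is unused on the early-return path, but it would be cleaner and safer against later edits to declare `struct nfs4_op_map *allow;` and assign `allow = &cstate->clp->cl_spo_must_allow;` after the guard. The declaration of `cstate` itself is above the hunk, so how it is derived from the request is assumed from the commit message rather than seen here.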
@@ -0,0 +1,44 @@
+From ff12eb379554eea7932ad6caea55e3091701cce4 Mon Sep 17 00:00:00 2001
+From: Maninder Singh
+Date: Thu, 6 Mar 2025 14:50:06 +0530
+Subject: NFSD: unregister filesystem in case genl_register_family() fails
+
+From: Maninder Singh
+
+commit ff12eb379554eea7932ad6caea55e3091701cce4 upstream.
+
+With rpc_status netlink support, unregister of register_filesystem()
+was missed in case of genl_register_family() fails.
+
+Correcting it by making new label.
+
+Fixes: bd9d6a3efa97 ("NFSD: add rpc_status netlink support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Maninder Singh
+Reviewed-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfsctl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -2305,7 +2305,7 @@ static int __init init_nfsd(void)
+ goto out_free_cld;
+ retval = register_filesystem(&nfsd_fs_type);
+ if (retval)
+- goto out_free_all;
++ goto out_free_nfsd4;
+ retval = genl_register_family(&nfsd_nl_family);
+ if (retval)
+ goto out_free_all;
+@@ -2313,6 +2313,8 @@ static int __init init_nfsd(void)
+
+ return 0;
+ out_free_all:
++ unregister_filesystem(&nfsd_fs_type);
++out_free_nfsd4:
+ nfsd4_destroy_laundry_wq();
+ out_free_cld:
+ unregister_cld_notifier();
diff --git a/queue-6.15/nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch b/queue-6.15/nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch
new file mode 100644
index 0000000000..8dce8cfa92
--- /dev/null
+++ b/queue-6.15/nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch
@@ -0,0 +1,37 @@
+From 4d4832ed13ff505fe0371544b4773e79be2bb964 Mon Sep 17 00:00:00 2001
+From: Scott Mayhew
+Date: Wed, 30 Apr 2025 07:12:29 -0400
+Subject: NFSv4: Don't check for OPEN feature support in v4.1
+
+From: Scott Mayhew
+
+commit 4d4832ed13ff505fe0371544b4773e79be2bb964 upstream.
+
+fattr4_open_arguments is a v4.2 recommended attribute, so we shouldn't
+be sending it to v4.1 servers.
+
+Fixes: cb78f9b7d0c0 ("nfs: fix the fetch of FATTR4_OPEN_ARGUMENTS")
+Signed-off-by: Scott Mayhew
+Reviewed-by: Jeff Layton
+Reviewed-by: Benjamin Coddington
+Cc: stable@vger.kernel.org # 6.11+
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs4proc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3976,8 +3976,9 @@ static int _nfs4_server_capabilities(str
+ FATTR4_WORD0_CASE_INSENSITIVE |
+ FATTR4_WORD0_CASE_PRESERVING;
+ if (minorversion)
+- bitmask[2] = FATTR4_WORD2_SUPPATTR_EXCLCREAT |
+- FATTR4_WORD2_OPEN_ARGUMENTS;
++ bitmask[2] = FATTR4_WORD2_SUPPATTR_EXCLCREAT;
++ if (minorversion > 1)
++ bitmask[2] |= FATTR4_WORD2_OPEN_ARGUMENTS;
+
+ status = nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
+ if (status == 0) {
diff --git a/queue-6.15/series b/queue-6.15/series
index 20f375b671..db63a95dcd 100644
--- a/queue-6.15/series
+++ b/queue-6.15/series
@@ -30,3 +30,62 @@ net-mlx5_core-add-error-handling-inmlx5_query_nic_vport_qkey_viol_cntr.patch
 net-mlx5-add-error-handling-in-mlx5_query_nic_vport_node_guid.patch
 wifi-p54-prevent-buffer-overflow-in-p54_rx_eeprom_readback.patch
 wifi-mt76-mt7925-fix-host-interrupt-register-initialization.patch
+anon_inode-use-a-proper-mode-internally.patch
+anon_inode-explicitly-block-setattr.patch
+anon_inode-raise-sb_i_nodev-and-sb_i_noexec.patch
+wifi-ath11k-fix-rx-completion-meta-data-corruption.patch
+wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch
+wifi-ath11k-fix-ring-buffer-corruption.patch
+nfsd-unregister-filesystem-in-case-genl_register_family-fails.patch
+nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch
+nfsd-implement-fattr4_clone_blksize-attribute.patch
+nfsd-fix-access-checking-for-nlm-under-xprtsec-policies.patch
+nfsd-nfsd4_spo_must_allow-must-check-this-is-a-v4-compound-request.patch
+nfsd-initialize-ssc-before-laundromat_work-to-prevent-null-dereference.patch
+sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch
+nfs-always-probe-for-localio-support-asynchronously.patch
+nfsv4-don-t-check-for-open-feature-support-in-v4.1.patch
+fs-nfs-read-fix-double-unlock-bug-in-nfs_return_empty_folio.patch
+wifi-ath12k-fix-ring-buffer-corruption.patch
+jbd2-fix-data-race-and-null-ptr-deref-in-jbd2_journal_dirty_metadata.patch
+svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch
+wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch
+wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch
+jfs-validate-ag-parameters-in-dbmount-to-prevent-crashes.patch
+media-ov8856-suppress-probe-deferral-errors.patch
+media-ov5675-suppress-probe-deferral-errors.patch
+media-i2c-change-lt6911uxe-irq_gpio-name-to-hpd.patch
+media-imx335-use-correct-register-width-for-hnum.patch
+media-nxp-imx8-isi-better-handle-the-m2m-usage_count.patch
+media-i2c-ds90ub913-fix-returned-fmt-from-.set_fmt.patch
+media-ccs-pll-start-vt-pre-pll-multiplier-search-from-correct-value.patch
+media-ov2740-move-pm-runtime-cleanup-on-probe-errors-to-proper-place.patch
+media-ccs-pll-start-op-pre-pll-multiplier-search-from-correct-value.patch
+media-ccs-pll-correct-the-upper-limit-of-maximum-op_pre_pll_clk_div.patch
+media-ccs-pll-check-for-too-high-vt-pll-multiplier-in-dual-pll-case.patch
+media-cxusb-no-longer-judge-rbuf-when-the-write-fails.patch
+media-davinci-vpif-fix-memory-leak-in-probe-error-path.patch
+media-gspca-add-error-handling-for-stv06xx_read_sensor.patch
+media-i2c-imx335-fix-frame-size-enumeration.patch
+media-imagination-fix-a-potential-memory-leak-in-e5010_probe.patch
+media-intel-ipu6-fix-dma-mask-for-non-secure-mode.patch
+media-ipu6-remove-workaround-for-meteor-lake-es2.patch
+media-iris-fix-error-code-in-iris_load_fw_to_memory.patch
+media-mediatek-vcodec-correct-vsi_core-framebuffer-size.patch
+media-omap3isp-use-sgtable-based-scatterlist-wrappers.patch
+media-ov08x40-extend-sleep-after-reset-to-5-ms.patch
+media-qcom-camss-csid-suppress-csid-log-spam.patch
+media-qcom-camss-vfe-suppress-vfe-version-log-spam.patch
+media-rcar-vin-fix-raw10.patch
+media-v4l2-dev-fix-error-handling-in-__video_register_device.patch
+media-venus-fix-probe-error-handling.patch
+media-videobuf2-use-sgtable-based-scatterlist-wrappers.patch
+media-vidtv-terminating-the-subsequent-process-of-initialization-failure.patch
+media-vivid-change-the-siize-of-the-composing.patch
+media-imx-jpeg-drop-the-first-error-frames.patch
+media-imx-jpeg-move-mxc_jpeg_free_slot_data-ahead.patch
+media-imx-jpeg-reset-slot-data-pointers-when-freed.patch
+media-imx-jpeg-cleanup-after-an-allocation-error.patch
+media-uvcvideo-return-the-number-of-processed-controls.patch
+media-uvcvideo-send-control-events-for-partial-succeeds.patch
+media-uvcvideo-fix-deferred-probing-error.patch
diff --git a/queue-6.15/sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch b/queue-6.15/sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch
new file mode 100644
index 0000000000..9841a325f1
--- /dev/null
+++ b/queue-6.15/sunrpc-prevent-hang-on-nfs-mount-with-xprtsec-tls.patch
@@ -0,0 +1,58 @@
+From 0bd2f6b8996d4f1ca4573652454987826730a04a Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Wed, 21 May 2025 16:34:13 -0400
+Subject: SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls
+
+From: Chuck Lever
+
+commit 0bd2f6b8996d4f1ca4573652454987826730a04a upstream.
+
+Engineers at Hammerspace noticed that sometimes mounting with
+"xprtsec=tls" hangs for a minute or so, and then times out, even
+when the NFS server is reachable and responsive.
+
+kTLS shuts off data_ready callbacks if strp->msg_ready is set to
+mitigate data_ready callbacks when a full TLS record is not yet
+ready to be read from the socket.
+
+Normally msg_ready is clear when the first TLS record arrives on
+a socket. However, I observed that sometimes tls_setsockopt() sets
+strp->msg_ready, and that prevents forward progress because
+tls_data_ready() becomes a no-op.
+
+Moreover, Jakub says: "If there's a full record queued at the time
+when [tlshd] passes the socket back to the kernel, it's up to the
+reader to read the already queued data out." So SunRPC cannot
+expect a data_ready call when ingress data is already waiting.
+
+Add an explicit poll after SunRPC's upper transport is set up to
+pick up any data that arrived after the TLS handshake but before
+transport set-up is complete.
+
+Reported-by: Steve Sears
+Suggested-by: Jakub Kacinski
+Fixes: 75eb6af7acdf ("SUNRPC: Add a TCP-with-TLS RPC transport class")
+Tested-by: Mike Snitzer
+Reviewed-by: Mike Snitzer
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/xprtsock.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2740,6 +2740,11 @@ static void xs_tcp_tls_setup_socket(stru
+ }
+ rpc_shutdown_client(lower_clnt);
+
++ /* Check for ingress data that arrived before the socket's
++ * ->data_ready callback was set up.
++ */
++ xs_poll_check_readable(upper_transport);
++
+ out_unlock:
+ current_restore_flags(pflags, PF_MEMALLOC);
+ upper_transport->clnt = NULL;
diff --git a/queue-6.15/svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch b/queue-6.15/svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch
new file mode 100644
index 0000000000..0c146ddb92
--- /dev/null
+++ b/queue-6.15/svcrdma-unregister-the-device-if-svc_rdma_accept-fails.patch
@@ -0,0 +1,34 @@
+From 8ac6fcae5dc0e801f1c82a83f5ae2c0a4db19932 Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Sun, 27 Apr 2025 12:39:59 -0400
+Subject: svcrdma: Unregister the device if svc_rdma_accept() fails
+
+From: Chuck Lever
+
+commit 8ac6fcae5dc0e801f1c82a83f5ae2c0a4db19932 upstream.
+
+To handle device removal, svc_rdma_accept() requests removal
+notification for the underlying device when accepting a connection.
+However svc_rdma_free() is not invoked if svc_rdma_accept() fails.
+There needs to be a matching "unregister" in that case; otherwise
+the device cannot be removed.
+
+Fixes: c4de97f7c454 ("svcrdma: Handle device removal outside of the CM event handler")
+Cc: stable@vger.kernel.org
+Reviewed-by: Zhu Yanjun
+Signed-off-by: Chuck Lever
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+@@ -577,6 +577,7 @@ static struct svc_xprt *svc_rdma_accept(
+ if (newxprt->sc_qp && !IS_ERR(newxprt->sc_qp))
+ ib_destroy_qp(newxprt->sc_qp);
+ rdma_destroy_id(newxprt->sc_cm_id);
++ rpcrdma_rn_unregister(dev, &newxprt->sc_rn);
+ /* This call to put will destroy the transport */
+ svc_xprt_put(&newxprt->sc_xprt);
+ return NULL;
diff --git a/queue-6.15/wifi-ath11k-fix-ring-buffer-corruption.patch b/queue-6.15/wifi-ath11k-fix-ring-buffer-corruption.patch
new file mode 100644
index 0000000000..9b7cb53aa0
--- /dev/null
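Review bot: The added `rpcrdma_rn_unregister(dev, &newxprt->sc_rn)` sits on the shared error exit of `svc_rdma_accept()`, and the hunk does not show whether every jump to that exit happens after the notification was successfully registered. If the registration call itself, or any step before it, can branch here, the unregister would act on an `sc_rn` that was never registered. It is worth confirming that `rpcrdma_rn_unregister()` tolerates that state, or giving the pre-registration failures their own label that skips this line. The start of the function and the jump sites are outside the hunk.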
+++ b/queue-6.15/wifi-ath11k-fix-ring-buffer-corruption.patch 
@@ -0,0 +1,98 @@ +From 6d037a372f817e9fcb56482f37917545596bd776 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 21 Mar 2025 10:49:16 +0100 +Subject: wifi: ath11k: fix ring-buffer corruption + +From: Johan Hovold + +commit 6d037a372f817e9fcb56482f37917545596bd776 upstream. + +Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes +breaks and the log fills up with errors like: + + ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492 + ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484 + +which based on a quick look at the driver seemed to indicate some kind +of ring-buffer corruption. + +Miaoqing Pan tracked it down to the host seeing the updated destination +ring head pointer before the updated descriptor, and the error handling +for that in turn leaves the ring buffer in an inconsistent state. + +Add the missing memory barrier to make sure that the descriptor is read +after the head pointer to address the root cause of the corruption while +fixing up the error handling in case there are ever any (ordering) bugs +on the device side. + +Note that the READ_ONCE() are only needed to avoid compiler mischief in +case the ring-buffer helpers are ever inlined. 
+ +Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623 +Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com +Cc: Miaoqing Pan +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Johan Hovold +Reviewed-by: Miaoqing Pan +Tested-by: Steev Klimaszewski +Tested-by: Jens Glathe +Tested-by: Clayton Craft +Link: https://patch.msgid.link/20250321094916.19098-1-johan+linaro@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/ce.c | 11 +++++------ + drivers/net/wireless/ath/ath11k/hal.c | 4 ++-- + 2 files changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/ce.c ++++ b/drivers/net/wireless/ath/ath11k/ce.c +@@ -393,11 +393,10 @@ static int ath11k_ce_completed_recv_next + goto err; + } + ++ /* Make sure descriptor is read after the head pointer. 
*/ ++ dma_rmb(); ++ + *nbytes = ath11k_hal_ce_dst_status_get_length(desc); +- if (*nbytes == 0) { +- ret = -EIO; +- goto err; +- } + + *skb = pipe->dest_ring->skb[sw_index]; + pipe->dest_ring->skb[sw_index] = NULL; +@@ -430,8 +429,8 @@ static void ath11k_ce_recv_process_cb(st + dma_unmap_single(ab->dev, ATH11K_SKB_RXCB(skb)->paddr, + max_nbytes, DMA_FROM_DEVICE); + +- if (unlikely(max_nbytes < nbytes)) { +- ath11k_warn(ab, "rxed more than expected (nbytes %d, max %d)", ++ if (unlikely(max_nbytes < nbytes || nbytes == 0)) { ++ ath11k_warn(ab, "unexpected rx length (nbytes %d, max %d)", + nbytes, max_nbytes); + dev_kfree_skb_any(skb); + continue; +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -599,7 +599,7 @@ u32 ath11k_hal_ce_dst_status_get_length( + struct hal_ce_srng_dst_status_desc *desc = buf; + u32 len; + +- len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, desc->flags); ++ len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, READ_ONCE(desc->flags)); + desc->flags &= ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN; + + return len; +@@ -829,7 +829,7 @@ void ath11k_hal_srng_access_begin(struct + srng->u.src_ring.cached_tp = + *(volatile u32 *)srng->u.src_ring.tp_addr; + } else { +- srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr; ++ srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); + + /* Try to prefetch the next descriptor in the ring */ + if (srng->flags & HAL_SRNG_FLAGS_CACHED) diff --git a/queue-6.15/wifi-ath11k-fix-rx-completion-meta-data-corruption.patch b/queue-6.15/wifi-ath11k-fix-rx-completion-meta-data-corruption.patch new file mode 100644 index 0000000000..03cf5369a1 --- /dev/null +++ b/queue-6.15/wifi-ath11k-fix-rx-completion-meta-data-corruption.patch 
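Review bot: With the `*nbytes == 0` check removed from `ath11k_ce_completed_recv_next()` in ce.c, that function now hands the device-written length to its caller unvalidated, and the only validation visible here is the `max_nbytes < nbytes || nbytes == 0` test in `ath11k_ce_recv_process_cb()`. A comment at the length read would make that contract explicit, for example `/* Length comes from the device descriptor unchecked; callers must reject 0 and oversized values. */`. Any other caller of the function, which this hunk does not show, would need the same check. The ath12k patch later in this queue makes the identical change in `ath12k_ce_completed_recv_next()`, and the same comment applies there. Both function bodies extend outside the hunk.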
@@ -0,0 +1,100 @@ +From ab52e3e44fe9b666281752e2481d11e25b0e3fdd Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 21 Mar 2025 15:53:02 +0100 +Subject: wifi: ath11k: fix rx completion meta data corruption + +From: Johan Hovold + +commit ab52e3e44fe9b666281752e2481d11e25b0e3fdd upstream. + +Add the missing memory barrier to make sure that the REO dest ring +descriptor is read after the head pointer to avoid using stale data on +weakly ordered architectures like aarch64. + +This may fix the ring-buffer corruption worked around by commit +f9fff67d2d7c ("wifi: ath11k: Fix SKB corruption in REO destination +ring") by silently discarding data, and may possibly also address user +reported errors like: + + ath11k_pci 0006:01:00.0: msdu_done bit in attention is not set + +Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Link: https://bugzilla.kernel.org/show_bug.cgi?id=218005 +Signed-off-by: Johan Hovold +Tested-by: Clayton Craft +Link: https://patch.msgid.link/20250321145302.4775-1-johan+linaro@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -2637,7 +2637,7 @@ int ath11k_dp_process_rx(struct ath11k_b + struct ath11k *ar; + struct hal_reo_dest_ring *desc; + enum hal_reo_dest_ring_push_reason push_reason; +- u32 cookie; ++ u32 cookie, info0, rx_msdu_info0, rx_mpdu_info0; + int i; + + for (i = 0; i < MAX_RADIOS; i++) +@@ -2650,11 +2650,14 @@ int ath11k_dp_process_rx(struct ath11k_b + try_again: + ath11k_hal_srng_access_begin(ab, srng); + ++ /* Make sure descriptor is read after the head pointer. 
*/ ++ dma_rmb(); ++ + while (likely(desc = + (struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab, + srng))) { + cookie = FIELD_GET(BUFFER_ADDR_INFO1_SW_COOKIE, +- desc->buf_addr_info.info1); ++ READ_ONCE(desc->buf_addr_info.info1)); + buf_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_BUF_ID, + cookie); + mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie); +@@ -2683,8 +2686,9 @@ try_again: + + num_buffs_reaped[mac_id]++; + ++ info0 = READ_ONCE(desc->info0); + push_reason = FIELD_GET(HAL_REO_DEST_RING_INFO0_PUSH_REASON, +- desc->info0); ++ info0); + if (unlikely(push_reason != + HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION)) { + dev_kfree_skb_any(msdu); +@@ -2692,18 +2696,21 @@ try_again: + continue; + } + +- rxcb->is_first_msdu = !!(desc->rx_msdu_info.info0 & ++ rx_msdu_info0 = READ_ONCE(desc->rx_msdu_info.info0); ++ rx_mpdu_info0 = READ_ONCE(desc->rx_mpdu_info.info0); ++ ++ rxcb->is_first_msdu = !!(rx_msdu_info0 & + RX_MSDU_DESC_INFO0_FIRST_MSDU_IN_MPDU); +- rxcb->is_last_msdu = !!(desc->rx_msdu_info.info0 & ++ rxcb->is_last_msdu = !!(rx_msdu_info0 & + RX_MSDU_DESC_INFO0_LAST_MSDU_IN_MPDU); +- rxcb->is_continuation = !!(desc->rx_msdu_info.info0 & ++ rxcb->is_continuation = !!(rx_msdu_info0 & + RX_MSDU_DESC_INFO0_MSDU_CONTINUATION); + rxcb->peer_id = FIELD_GET(RX_MPDU_DESC_META_DATA_PEER_ID, +- desc->rx_mpdu_info.meta_data); ++ READ_ONCE(desc->rx_mpdu_info.meta_data)); + rxcb->seq_no = FIELD_GET(RX_MPDU_DESC_INFO0_SEQ_NUM, +- desc->rx_mpdu_info.info0); ++ rx_mpdu_info0); + rxcb->tid = FIELD_GET(HAL_REO_DEST_RING_INFO0_RX_QUEUE_NUM, +- desc->info0); ++ info0); + + rxcb->mac_id = mac_id; + __skb_queue_tail(&msdu_list[mac_id], msdu); diff --git a/queue-6.15/wifi-ath12k-fix-ring-buffer-corruption.patch b/queue-6.15/wifi-ath12k-fix-ring-buffer-corruption.patch new file mode 100644 index 0000000000..5401363343 --- /dev/null +++ b/queue-6.15/wifi-ath12k-fix-ring-buffer-corruption.patch 
@@ -0,0 +1,99 @@
+From 6b67d2cf14ea997061f61e9c8afd4e1c0f22acb9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 21 Mar 2025 10:52:19 +0100
+Subject: wifi: ath12k: fix ring-buffer corruption
+
+From: Johan Hovold
+
+commit 6b67d2cf14ea997061f61e9c8afd4e1c0f22acb9 upstream.
+
+Users of the Lenovo ThinkPad X13s have reported that Wi-Fi sometimes
+breaks and the log fills up with errors like:
+
+ ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1484, expected 1492
+ ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484
+
+which based on a quick look at the ath11k driver seemed to indicate some
+kind of ring-buffer corruption.
+
+Miaoqing Pan tracked it down to the host seeing the updated destination
+ring head pointer before the updated descriptor, and the error handling
+for that in turn leaves the ring buffer in an inconsistent state.
+
+While this has not yet been observed with ath12k, the ring-buffer
+implementation is very similar to the ath11k one and it suffers from the
+same bugs.
+
+Add the missing memory barrier to make sure that the descriptor is read
+after the head pointer to address the root cause of the corruption while
+fixing up the error handling in case there are ever any (ordering) bugs
+on the device side.
+
+Note that the READ_ONCE() are only needed to avoid compiler mischief in
+case the ring-buffer helpers are ever inlined.
+
+Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Cc: stable@vger.kernel.org # 6.3
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218623
+Link: https://lore.kernel.org/20250310010217.3845141-3-quic_miaoqing@quicinc.com
+Cc: Miaoqing Pan
+Signed-off-by: Johan Hovold
+Reviewed-by: Miaoqing Pan
+Link: https://patch.msgid.link/20250321095219.19369-1-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath12k/ce.c | 11 +++++------
+ drivers/net/wireless/ath/ath12k/hal.c | 4 ++--
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath12k/ce.c
++++ b/drivers/net/wireless/ath/ath12k/ce.c
+@@ -343,11 +343,10 @@ static int ath12k_ce_completed_recv_next
+ goto err;
+ }
+
++ /* Make sure descriptor is read after the head pointer. */
++ dma_rmb();
++
+ *nbytes = ath12k_hal_ce_dst_status_get_length(desc);
+- if (*nbytes == 0) {
+- ret = -EIO;
+- goto err;
+- }
+
+ *skb = pipe->dest_ring->skb[sw_index];
+ pipe->dest_ring->skb[sw_index] = NULL;
+@@ -380,8 +379,8 @@ static void ath12k_ce_recv_process_cb(st
+ dma_unmap_single(ab->dev, ATH12K_SKB_RXCB(skb)->paddr,
+ max_nbytes, DMA_FROM_DEVICE);
+
+- if (unlikely(max_nbytes < nbytes)) {
+- ath12k_warn(ab, "rxed more than expected (nbytes %d, max %d)",
++ if (unlikely(max_nbytes < nbytes || nbytes == 0)) {
++ ath12k_warn(ab, "unexpected rx length (nbytes %d, max %d)",
+ nbytes, max_nbytes);
+ dev_kfree_skb_any(skb);
+ continue;
+--- a/drivers/net/wireless/ath/ath12k/hal.c
++++ b/drivers/net/wireless/ath/ath12k/hal.c
+@@ -1943,7 +1943,7 @@ u32 ath12k_hal_ce_dst_status_get_length(
+ {
+ u32 len;
+
+- len = le32_get_bits(desc->flags, HAL_CE_DST_STATUS_DESC_FLAGS_LEN);
++ len = le32_get_bits(READ_ONCE(desc->flags), HAL_CE_DST_STATUS_DESC_FLAGS_LEN);
+ desc->flags &= ~cpu_to_le32(HAL_CE_DST_STATUS_DESC_FLAGS_LEN);
+
+ return len;
+@@ -2113,7 +2113,7 @@ void ath12k_hal_srng_access_begin(struct
+ srng->u.src_ring.cached_tp =
+ *(volatile u32 *)srng->u.src_ring.tp_addr;
+ else
+- srng->u.dst_ring.cached_hp = *srng->u.dst_ring.hp_addr;
++ srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
+ }
+
+ /* Update cached ring head/tail pointers to HW. ath12k_hal_srng_access_begin()
diff --git a/queue-6.15/wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch b/queue-6.15/wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch
new file mode 100644
index 0000000000..c00d778d8d
--- /dev/null
+++ b/queue-6.15/wifi-rtlwifi-disable-aspm-for-rtl8723be-with-subsystem-id-11ad-1723.patch
@@ -0,0 +1,64 @@
+From 77a6407c6ab240527166fb19ee96e95f5be4d3cd Mon Sep 17 00:00:00 2001
+From: Mingcong Bai
+Date: Tue, 22 Apr 2025 14:17:54 +0800
+Subject: wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723
+
+From: Mingcong Bai
+
+commit 77a6407c6ab240527166fb19ee96e95f5be4d3cd upstream.
+
+RTL8723BE found on some ASUSTek laptops, such as F441U and X555UQ with
+subsystem ID 11ad:1723 are known to output large amounts of PCIe AER
+errors during and after boot up, causing heavy lags and at times lock-ups:
+
+ pcieport 0000:00:1c.5: AER: Correctable error message received from 0000:00:1c.5
+ pcieport 0000:00:1c.5: PCIe Bus Error: severity=Correctable, type=Physical Layer, (Receiver ID)
+ pcieport 0000:00:1c.5: device [8086:9d15] error status/mask=00000001/00002000
+ pcieport 0000:00:1c.5: [ 0] RxErr
+
+Disable ASPM on this combo as a quirk.
+
+This patch is a revision of a previous patch (linked below) which
+attempted to disable ASPM for RTL8723BE on all Intel Skylake and Kaby Lake
+PCIe bridges. I take a more conservative approach as all known reports
+point to ASUSTek laptops of these two generations with this particular
+wireless card.
+
+Please note, however, before the rtl8723be finishes probing, the AER
+errors remained. After the module finishes probing, all AER errors would
+indeed be eliminated, along with heavy lags, poor network throughput,
+and/or occasional lock-ups.
+
+Cc:
+Fixes: a619d1abe20c ("rtlwifi: rtl8723be: Add new driver")
+Reported-by: Liangliang Zou
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218127
+Link: https://lore.kernel.org/lkml/05390e0b-27fd-4190-971e-e70a498c8221@lwfinger.net/T/
+Tested-by: Liangliang Zou
+Signed-off-by: Mingcong Bai
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/20250422061755.356535-1-jeffbai@aosc.io
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -155,6 +155,16 @@ static void _rtl_pci_update_default_sett
+ ((u8)init_aspm) == (PCI_EXP_LNKCTL_ASPM_L0S |
+ PCI_EXP_LNKCTL_ASPM_L1 | PCI_EXP_LNKCTL_CCC))
+ ppsc->support_aspm = false;
++
++ /* RTL8723BE found on some ASUSTek laptops, such as F441U and
++ * X555UQ with subsystem ID 11ad:1723 are known to output large
++ * amounts of PCIe AER errors during and after boot up, causing
++ * heavy lags, poor network throughput, and occasional lock-ups.
++ */
++ if (rtlpriv->rtlhal.hw_type == HARDWARE_TYPE_RTL8723BE &&
++ (rtlpci->pdev->subsystem_vendor == 0x11ad &&
++ rtlpci->pdev->subsystem_device == 0x1723))
++ ppsc->support_aspm = false;
+ }
+
+ static bool _rtl_pci_platform_switch_device_pci_aspm(
diff --git a/queue-6.15/wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch b/queue-6.15/wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch
new file mode 100644
index 0000000000..2c24f2e5cf
--- /dev/null
+++ b/queue-6.15/wifi-rtw88-usb-reduce-control-message-timeout-to-500-ms.patch
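Review bot: The new quirk compares `subsystem_vendor` and `subsystem_device` with the bare literals `0x11ad` and `0x1723`, and its comment describes the symptom but never says what the code does about it. Ending the comment with `Disable ASPM for this combination.` and giving the two IDs names (or a small quirk table if more boards turn up) would make the intent readable without the commit message. The inner parentheses around the two subsystem comparisons are redundant. The function being patched starts outside the hunk.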
@@ -0,0 +1,57 @@
+From 490340faddea461319652ce36dbc7c1b4482c35e Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith
+Date: Sat, 10 May 2025 15:21:25 +0300
+Subject: wifi: rtw88: usb: Reduce control message timeout to 500 ms
+
+From: Bitterblue Smith
+
+commit 490340faddea461319652ce36dbc7c1b4482c35e upstream.
+
+RTL8811AU stops responding during the firmware download on some systems:
+
+[ 809.256440] rtw_8821au 5-2.1:1.0: Firmware version 42.4.0, H2C version 0
+[ 812.759142] rtw_8821au 5-2.1:1.0 wlp48s0f4u2u1: renamed from wlan0
+[ 837.315388] rtw_8821au 1-4:1.0: write register 0x1ef4 failed with -110
+[ 867.524259] rtw_8821au 1-4:1.0: write register 0x1ef8 failed with -110
+[ 868.930976] rtw_8821au 5-2.1:1.0 wlp48s0f4u2u1: entered promiscuous mode
+[ 897.730952] rtw_8821au 1-4:1.0: write register 0x1efc failed with -110
+
+Each write takes 30 seconds to fail because that's the timeout currently
+used for control messages in rtw_usb_write().
+
+In this scenario the firmware download takes at least 2000 seconds.
+Because this is done from the USB probe function, the long delay makes
+other things in the system hang.
+
+Reduce the timeout to 500 ms. This is the value used by the official USB
+wifi drivers from Realtek.
+
+Of course this only makes things hang for ~30 seconds instead of ~30
+minutes. It doesn't fix the firmware download.
+
+Tested with RTL8822CU, RTL8812BU, RTL8811CU, RTL8814AU, RTL8811AU,
+RTL8812AU, RTL8821AU, RTL8723DU.
+
+Cc: stable@vger.kernel.org
+Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support")
+Link: https://github.com/lwfinger/rtw88/issues/344
+Signed-off-by: Bitterblue Smith
+Acked-by: Ping-Ke Shih
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/1e35dd26-3f10-40b1-b2b4-f72184a26611@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtw88/usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/usb.c
++++ b/drivers/net/wireless/realtek/rtw88/usb.c
+@@ -139,7 +139,7 @@ static void rtw_usb_write(struct rtw_dev
+
+ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ RTW_USB_CMD_REQ, RTW_USB_CMD_WRITE,
+- addr, 0, data, len, 30000);
++ addr, 0, data, len, 500);
+ if (ret < 0 && ret != -ENODEV && count++ < 4)
+ rtw_err(rtwdev, "write register 0x%x failed with %d\n",
+ addr, ret);
diff --git a/queue-6.15/wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch b/queue-6.15/wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch
new file mode 100644
index 0000000000..0287086342
--- /dev/null
+++ b/queue-6.15/wifi-rtw88-usb-upload-the-firmware-in-bigger-chunks.patch
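Review bot: The timeout passed to `usb_control_msg()` in `rtw_usb_write()` is a bare `500` with no unit or rationale at the call site. A named constant with the unit in its name, for example `#define RTW_USB_WRITE_TIMEOUT_MS 500` (the name is only a suggestion), plus a short comment that the value matches the vendor drivers, would keep the reason with the code. The hunk also shows that the function returns `void` and logs only the first few failures (`count++ < 4`), so a timed-out register write stays invisible to the caller. The commit message itself acknowledges that the firmware download is not fixed by this change.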
@@ -0,0 +1,219 @@
+From 80fe0bc1659c0ccc79d082e426fa376be5df9c04 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith
+Date: Sat, 10 May 2025 15:22:24 +0300
+Subject: wifi: rtw88: usb: Upload the firmware in bigger chunks
+
+From: Bitterblue Smith
+
+commit 80fe0bc1659c0ccc79d082e426fa376be5df9c04 upstream.
+
+RTL8811AU stops responding during the firmware download on some systems:
+
+[ 809.256440] rtw_8821au 5-2.1:1.0: Firmware version 42.4.0, H2C version 0
+[ 812.759142] rtw_8821au 5-2.1:1.0 wlp48s0f4u2u1: renamed from wlan0
+[ 837.315388] rtw_8821au 1-4:1.0: write register 0x1ef4 failed with -110
+[ 867.524259] rtw_8821au 1-4:1.0: write register 0x1ef8 failed with -110
+[ 868.930976] rtw_8821au 5-2.1:1.0 wlp48s0f4u2u1: entered promiscuous mode
+[ 897.730952] rtw_8821au 1-4:1.0: write register 0x1efc failed with -110
+
+Maybe it takes too long when writing the firmware 4 bytes at a time.
+
+Write 196 bytes at a time for RTL8821AU, RTL8811AU, and RTL8812AU,
+and 254 bytes at a time for RTL8723DU. These are the sizes used in
+their official drivers. Tested with all these chips.
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/lwfinger/rtw88/issues/344
+Signed-off-by: Bitterblue Smith
+Acked-by: Ping-Ke Shih
+Signed-off-by: Ping-Ke Shih
+Link: https://patch.msgid.link/43f1daad-3ec0-4a3b-a50c-9cd9eb2c2f52@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtw88/hci.h | 8 ++++
+ drivers/net/wireless/realtek/rtw88/mac.c | 11 +++---
+ drivers/net/wireless/realtek/rtw88/mac.h | 2 +
+ drivers/net/wireless/realtek/rtw88/pci.c | 2 +
+ drivers/net/wireless/realtek/rtw88/sdio.c | 2 +
+ drivers/net/wireless/realtek/rtw88/usb.c | 55 ++++++++++++++++++++++++++++++
+ 6 files changed, 76 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtw88/hci.h
++++ b/drivers/net/wireless/realtek/rtw88/hci.h
+@@ -19,6 +19,8 @@ struct rtw_hci_ops {
+ void (*link_ps)(struct rtw_dev *rtwdev, bool enter);
+ void (*interface_cfg)(struct rtw_dev *rtwdev);
+ void (*dynamic_rx_agg)(struct rtw_dev *rtwdev, bool enable);
++ void (*write_firmware_page)(struct rtw_dev *rtwdev, u32 page,
++ const u8 *data, u32 size);
+
+ int (*write_data_rsvd_page)(struct rtw_dev *rtwdev, u8 *buf, u32 size);
+ int (*write_data_h2c)(struct rtw_dev *rtwdev, u8 *buf, u32 size);
+@@ -79,6 +81,12 @@ static inline void rtw_hci_dynamic_rx_ag
+ rtwdev->hci.ops->dynamic_rx_agg(rtwdev, enable);
+ }
+
++static inline void rtw_hci_write_firmware_page(struct rtw_dev *rtwdev, u32 page,
++ const u8 *data, u32 size)
++{
++ rtwdev->hci.ops->write_firmware_page(rtwdev, page, data, size);
++}
++
+ static inline int
+ rtw_hci_write_data_rsvd_page(struct rtw_dev *rtwdev, u8 *buf, u32 size)
+ {
+--- a/drivers/net/wireless/realtek/rtw88/mac.c
++++ b/drivers/net/wireless/realtek/rtw88/mac.c
+@@ -856,8 +856,8 @@ fwdl_ready:
+ }
+ }
+
+-static void
+-write_firmware_page(struct rtw_dev *rtwdev, u32 page, const u8 *data, u32 size)
++void rtw_write_firmware_page(struct rtw_dev *rtwdev, u32 page,
++ const u8 *data, u32 size)
+ {
+ u32 val32;
+ u32 block_nr;
+@@ -887,6 +887,7 @@ write_firmware_page(struct rtw_dev *rtwd
+ rtw_write32(rtwdev, write_addr, le32_to_cpu(remain_data));
+ }
+ }
++EXPORT_SYMBOL(rtw_write_firmware_page);
+
+ static int
+ download_firmware_legacy(struct rtw_dev *rtwdev, const u8 *data, u32 size)
+@@ -904,11 +905,13 @@ download_firmware_legacy(struct rtw_dev
+ rtw_write8_set(rtwdev, REG_MCUFW_CTRL, BIT_FWDL_CHK_RPT);
+
+ for (page = 0; page < total_page; page++) {
+- write_firmware_page(rtwdev, page, data, DLFW_PAGE_SIZE_LEGACY);
++ rtw_hci_write_firmware_page(rtwdev, page, data,
++ DLFW_PAGE_SIZE_LEGACY);
+ data += DLFW_PAGE_SIZE_LEGACY;
+ }
+ if (last_page_size)
+- write_firmware_page(rtwdev, page, data, last_page_size);
++ rtw_hci_write_firmware_page(rtwdev, page, data,
++ last_page_size);
+
+ if (!check_hw_ready(rtwdev, REG_MCUFW_CTRL, BIT_FWDL_CHK_RPT, 1)) {
+ rtw_err(rtwdev, "failed to check download firmware report\n");
+--- a/drivers/net/wireless/realtek/rtw88/mac.h
++++ b/drivers/net/wireless/realtek/rtw88/mac.h
+@@ -34,6 +34,8 @@ int rtw_pwr_seq_parser(struct rtw_dev *r
+ const struct rtw_pwr_seq_cmd * const *cmd_seq);
+ int rtw_mac_power_on(struct rtw_dev *rtwdev);
+ void rtw_mac_power_off(struct rtw_dev *rtwdev);
++void rtw_write_firmware_page(struct rtw_dev *rtwdev, u32 page,
++ const u8 *data, u32 size);
+ int rtw_download_firmware(struct rtw_dev *rtwdev, struct rtw_fw_state *fw);
+ int rtw_mac_init(struct rtw_dev *rtwdev);
+ void rtw_mac_flush_queues(struct rtw_dev *rtwdev, u32 queues, bool drop);
+--- a/drivers/net/wireless/realtek/rtw88/pci.c
++++ b/drivers/net/wireless/realtek/rtw88/pci.c
+@@ -12,6 +12,7 @@
+ #include "fw.h"
+ #include "ps.h"
+ #include "debug.h"
++#include "mac.h"
+
+ static bool rtw_disable_msi;
+ static bool rtw_pci_disable_aspm;
+@@ -1602,6 +1603,7 @@ static const struct rtw_hci_ops rtw_pci_
+ .link_ps = rtw_pci_link_ps,
+ .interface_cfg = rtw_pci_interface_cfg,
+ .dynamic_rx_agg = NULL,
++ .write_firmware_page = rtw_write_firmware_page,
+
+ .read8 = rtw_pci_read8,
+ .read16 = rtw_pci_read16,
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include "main.h"
++#include "mac.h"
+ #include "debug.h"
+ #include "fw.h"
+ #include "ps.h"
+@@ -1154,6 +1155,7 @@ static const struct rtw_hci_ops rtw_sdio
+ .link_ps = rtw_sdio_link_ps,
+ .interface_cfg = rtw_sdio_interface_cfg,
+ .dynamic_rx_agg = NULL,
++ .write_firmware_page = rtw_write_firmware_page,
+
+ .read8 = rtw_sdio_read8,
+ .read16 = rtw_sdio_read16,
+--- a/drivers/net/wireless/realtek/rtw88/usb.c
++++ b/drivers/net/wireless/realtek/rtw88/usb.c
+@@ -165,6 +165,60 @@ static void rtw_usb_write32(struct rtw_d
+ rtw_usb_write(rtwdev, addr, val, 4);
+ }
+
++static void rtw_usb_write_firmware_page(struct rtw_dev *rtwdev, u32 page,
++ const u8 *data, u32 size)
++{
++ struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev);
++ struct usb_device *udev = rtwusb->udev;
++ u32 addr = FW_START_ADDR_LEGACY;
++ u8 *data_dup, *buf;
++ u32 n, block_size;
++ int ret;
++
++ switch (rtwdev->chip->id) {
++ case RTW_CHIP_TYPE_8723D:
++ block_size = 254;
++ break;
++ default:
++ block_size = 196;
++ break;
++ }
++
++ data_dup = kmemdup(data, size, GFP_KERNEL);
++ if (!data_dup)
++ return;
++
++ buf = data_dup;
++
++ rtw_write32_mask(rtwdev, REG_MCUFW_CTRL, BIT_ROM_PGE, page);
++
++ while (size > 0) {
++ if (size >= block_size)
++ n = block_size;
++ else if (size >= 8)
++ n = 8;
++ else
++ n = 1;
++
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
++ RTW_USB_CMD_REQ, RTW_USB_CMD_WRITE,
++ addr, 0, buf, n, 500);
++ if (ret != n) {
++ if (ret != -ENODEV)
++ rtw_err(rtwdev,
++ "write 0x%x len %d failed: %d\n",
++ addr, n, ret);
++ break;
++ }
++
++ addr += n;
++ buf += n;
++ size -= n;
++ }
++
++ kfree(data_dup);
++}
++
+ static int dma_mapping_to_ep(enum rtw_dma_mapping dma_mapping)
+ {
+ switch (dma_mapping) {
+@@ -891,6 +945,7 @@ static const struct rtw_hci_ops rtw_usb_
+ .link_ps = rtw_usb_link_ps,
+ .interface_cfg = rtw_usb_interface_cfg,
+ .dynamic_rx_agg = rtw_usb_dynamic_rx_agg,
++ .write_firmware_page = rtw_usb_write_firmware_page,
+
+ .write8 = rtw_usb_write8,
+ .write16 = rtw_usb_write16,
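Review bot: The new rtw_usb_write_firmware_page() in usb.c returns void, so neither the `kmemdup()` failure path (`if (!data_dup) return;`, which logs nothing) nor the `break` after a short or failed `usb_control_msg()` is visible to download_firmware_legacy() in mac.c. That loop goes on to send the remaining pages, each of which can wait the full 500 ms on a device that has stopped answering, and only the later `check_hw_ready(rtwdev, REG_MCUFW_CTRL, BIT_FWDL_CHK_RPT, 1)` report notices that something went wrong. Having the `write_firmware_page` op return `int` and ending the page loop on the first error would bound the stall and give a precise error instead of the generic "failed to check download firmware report". A one-line comment above `kmemdup()` saying why the copy is made (presumably because the firmware image is not guaranteed to be memory that `usb_control_msg()` can use for the transfer) would help the next reader. Also, `n` is `u32`, so the format in the error message should read `len %u`.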