From: Greg Kroah-Hartman Date: Thu, 21 Aug 2025 13:41:19 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.16.3~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=851ae397d74c3f5288abd3ad7683bb2b9fba9280;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch media-gspca-add-bounds-checking-to-firmware-parser.patch media-hi556-correct-the-test-pattern-configuration.patch media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch media-ov2659-fix-memory-leaks-in-ov2659_probe.patch media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch media-usbtv-lock-resolution-while-streaming.patch mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch pci-endpoint-fix-configfs-group-list-head-handling.patch pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch --- diff --git a/queue-5.10/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch b/queue-5.10/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch new file mode 100644 index 0000000000..03b6bc2aa9 --- /dev/null +++ b/queue-5.10/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch @@ -0,0 +1,73 @@ +From 9d98cf4632258720f18265a058e62fde120c0151 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Tue, 12 Aug 2025 14:37:52 +0800 +Subject: jbd2: prevent softlockup in jbd2_log_do_checkpoint() + +From: Baokun Li + +commit 9d98cf4632258720f18265a058e62fde120c0151 upstream. + +Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() +periodically release j_list_lock after processing a batch of buffers to +avoid long hold times on the j_list_lock. However, since both functions +contend for j_list_lock, the combined time spent waiting and processing +can be significant. + +jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when +need_resched() is true to avoid softlockups during prolonged operations. +But jbd2_log_do_checkpoint() only exits its loop when need_resched() is +true, relying on potentially sleeping functions like __flush_batch() or +wait_on_buffer() to trigger rescheduling. If those functions do not sleep, +the kernel may hit a softlockup. + +watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373] +CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10 +Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017 +Workqueue: writeback wb_workfn (flush-7:2) +pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : native_queued_spin_lock_slowpath+0x358/0x418 +lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] +Call trace: + native_queued_spin_lock_slowpath+0x358/0x418 + jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] + __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2] + add_transaction_credits+0x3bc/0x418 [jbd2] + start_this_handle+0xf8/0x560 [jbd2] + jbd2__journal_start+0x118/0x228 [jbd2] + __ext4_journal_start_sb+0x110/0x188 [ext4] + ext4_do_writepages+0x3dc/0x740 [ext4] + ext4_writepages+0xa4/0x190 [ext4] + do_writepages+0x94/0x228 + __writeback_single_inode+0x48/0x318 + writeback_sb_inodes+0x204/0x590 + __writeback_inodes_wb+0x54/0xf8 + wb_writeback+0x2cc/0x3d8 + wb_do_writeback+0x2e0/0x2f8 + wb_workfn+0x80/0x2a8 + process_one_work+0x178/0x3e8 + worker_thread+0x234/0x3b8 + kthread+0xf0/0x108 + ret_from_fork+0x10/0x20 + +So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid +softlockup. + +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Link: https://patch.msgid.link/20250812063752.912130-1-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/checkpoint.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -321,6 +321,7 @@ restart: + retry: + if (batch_count) + __flush_batch(journal, &batch_count); ++ cond_resched(); + spin_lock(&journal->j_list_lock); + goto restart; + } diff --git a/queue-5.10/media-gspca-add-bounds-checking-to-firmware-parser.patch b/queue-5.10/media-gspca-add-bounds-checking-to-firmware-parser.patch new file mode 100644 index 0000000000..8939ed836f --- /dev/null +++ b/queue-5.10/media-gspca-add-bounds-checking-to-firmware-parser.patch @@ -0,0 +1,56 @@ +From aef89c0b2417da79cb2062a95476288f9f203ab0 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 28 May 2025 23:22:14 +0300 +Subject: media: gspca: Add bounds checking to firmware parser + +From: Dan Carpenter + +commit aef89c0b2417da79cb2062a95476288f9f203ab0 upstream. + +This sd_init() function reads the firmware. The firmware data holds a +series of records and the function reads each record and sends the data +to the device. The request_ihex_firmware() function +calls ihex_validate_fw() which ensures that the total length of all the +records won't read out of bounds of the fw->data[]. + +However, a potential issue is if there is a single very large +record (larger than PAGE_SIZE) and that would result in memory +corruption. Generally we trust the firmware, but it's always better to +double check. + +Fixes: 49b61ec9b5af ("[media] gspca: Add new vicam subdriver") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/gspca/vicam.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/gspca/vicam.c ++++ b/drivers/media/usb/gspca/vicam.c +@@ -227,6 +227,7 @@ static int sd_init(struct gspca_dev *gsp + const struct ihex_binrec *rec; + const struct firmware *fw; + u8 *firmware_buf; ++ int len; + + ret = request_ihex_firmware(&fw, VICAM_FIRMWARE, + &gspca_dev->dev->dev); +@@ -241,9 +242,14 @@ static int sd_init(struct gspca_dev *gsp + goto exit; + } + for (rec = (void *)fw->data; rec; rec = ihex_next_binrec(rec)) { +- memcpy(firmware_buf, rec->data, be16_to_cpu(rec->len)); ++ len = be16_to_cpu(rec->len); ++ if (len > PAGE_SIZE) { ++ ret = -EINVAL; ++ break; ++ } ++ memcpy(firmware_buf, rec->data, len); + ret = vicam_control_msg(gspca_dev, 0xff, 0, 0, firmware_buf, +- be16_to_cpu(rec->len)); ++ len); + if (ret < 0) + break; + } diff --git a/queue-5.10/media-hi556-correct-the-test-pattern-configuration.patch b/queue-5.10/media-hi556-correct-the-test-pattern-configuration.patch new file mode 100644 index 0000000000..f916450944 --- /dev/null +++ b/queue-5.10/media-hi556-correct-the-test-pattern-configuration.patch @@ -0,0 +1,95 @@ +From 020f602b068c9ce18d5056d02c8302199377d98d Mon Sep 17 00:00:00 2001 +From: Bingbu Cao +Date: Mon, 30 Jun 2025 17:04:20 +0800 +Subject: media: hi556: correct the test pattern configuration + +From: Bingbu Cao + +commit 020f602b068c9ce18d5056d02c8302199377d98d upstream. + +Hynix hi556 support 8 test pattern modes: +hi556_test_pattern_menu[] = { +{ + "Disabled", + "Solid Colour", + "100% Colour Bars", + "Fade To Grey Colour Bars", + "PN9", + "Gradient Horizontal", + "Gradient Vertical", + "Check Board", + "Slant Pattern", +} + +The test pattern is set by a 8-bit register according to the +specification. ++--------+-------------------------------+ +| BIT[0] | Solid color | ++--------+-------------------------------+ +| BIT[1] | Color bar | ++--------+-------------------------------+ +| BIT[2] | Fade to grey color bar | ++--------+-------------------------------+ +| BIT[3] | PN9 | ++--------+-------------------------------+ +| BIT[4] | Gradient horizontal | ++--------+-------------------------------+ +| BIT[5] | Gradient vertical | ++--------+-------------------------------+ +| BIT[6] | Check board | ++--------+-------------------------------+ +| BIT[7] | Slant pattern | ++--------+-------------------------------+ +Based on function above, current test pattern programming is wrong. +This patch fixes it by 'BIT(pattern - 1)'. If pattern is 0, driver +will disable the test pattern generation and set the pattern to 0. + +Fixes: e62138403a84 ("media: hi556: Add support for Hi-556 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/hi556.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/drivers/media/i2c/hi556.c ++++ b/drivers/media/i2c/hi556.c +@@ -602,21 +602,23 @@ static int hi556_test_pattern(struct hi5 + int ret; + u32 val; + +- if (pattern) { +- ret = hi556_read_reg(hi556, HI556_REG_ISP, +- HI556_REG_VALUE_08BIT, &val); +- if (ret) +- return ret; +- +- ret = hi556_write_reg(hi556, HI556_REG_ISP, +- HI556_REG_VALUE_08BIT, +- val | HI556_REG_ISP_TPG_EN); +- if (ret) +- return ret; +- } ++ ret = hi556_read_reg(hi556, HI556_REG_ISP, ++ HI556_REG_VALUE_08BIT, &val); ++ if (ret) ++ return ret; ++ ++ val = pattern ? (val | HI556_REG_ISP_TPG_EN) : ++ (val & ~HI556_REG_ISP_TPG_EN); ++ ++ ret = hi556_write_reg(hi556, HI556_REG_ISP, ++ HI556_REG_VALUE_08BIT, val); ++ if (ret) ++ return ret; ++ ++ val = pattern ? BIT(pattern - 1) : 0; + + return hi556_write_reg(hi556, HI556_REG_TEST_PATTERN, +- HI556_REG_VALUE_08BIT, pattern); ++ HI556_REG_VALUE_08BIT, val); + } + + static int hi556_set_ctrl(struct v4l2_ctrl *ctrl) diff --git a/queue-5.10/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch b/queue-5.10/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch new file mode 100644 index 0000000000..a3745d5087 --- /dev/null +++ b/queue-5.10/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch @@ -0,0 +1,35 @@ +From fc5f8aec77704373ee804b5dba0e0e5029c0f180 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 27 Feb 2025 15:44:51 +0800 +Subject: media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() + +From: Haoxiang Li + +commit fc5f8aec77704373ee804b5dba0e0e5029c0f180 upstream. + +Add video_device_release() in label 'err_m2m' to release the memory +allocated by video_device_alloc() and prevent potential memory leaks. +Remove the reduntant code in label 'err_m2m'. + +Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: Dan Carpenter +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/media/imx/imx-media-csc-scaler.c ++++ b/drivers/staging/media/imx/imx-media-csc-scaler.c +@@ -914,7 +914,7 @@ imx_media_csc_scaler_device_init(struct + return &priv->vdev; + + err_m2m: +- video_set_drvdata(vfd, NULL); ++ video_device_release(vfd); + err_vfd: + kfree(priv); + return ERR_PTR(ret); diff --git a/queue-5.10/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch b/queue-5.10/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch new file mode 100644 index 0000000000..91e7ee672a --- /dev/null +++ b/queue-5.10/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch @@ -0,0 +1,42 @@ +From 76142b137b968d47b35cdd8d1dc924677d319c8b Mon Sep 17 00:00:00 2001 +From: Zhang Shurong +Date: Sun, 6 Jul 2025 00:31:09 +0800 +Subject: media: ov2659: Fix memory leaks in ov2659_probe() + +From: Zhang Shurong + +commit 76142b137b968d47b35cdd8d1dc924677d319c8b upstream. + +ov2659_probe() doesn't properly free control handler resources in failure +paths, causing memory leaks. Add v4l2_ctrl_handler_free() to prevent these +memory leaks and reorder the ctrl_handler assignment for better code flow. + +Fixes: c4c0283ab3cd ("[media] media: i2c: add support for omnivision's ov2659 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Shurong +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov2659.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/ov2659.c ++++ b/drivers/media/i2c/ov2659.c +@@ -1482,14 +1482,15 @@ static int ov2659_probe(struct i2c_clien + V4L2_CID_TEST_PATTERN, + ARRAY_SIZE(ov2659_test_pattern_menu) - 1, + 0, 0, ov2659_test_pattern_menu); +- ov2659->sd.ctrl_handler = &ov2659->ctrls; + + if (ov2659->ctrls.error) { + dev_err(&client->dev, "%s: control initialization error %d\n", + __func__, ov2659->ctrls.error); ++ v4l2_ctrl_handler_free(&ov2659->ctrls); + return ov2659->ctrls.error; + } + ++ ov2659->sd.ctrl_handler = &ov2659->ctrls; + sd = &ov2659->sd; + client->flags |= I2C_CLIENT_SCCB; + #ifdef CONFIG_VIDEO_V4L2_SUBDEV_API diff --git a/queue-5.10/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch b/queue-5.10/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch new file mode 100644 index 0000000000..860bc54f4b --- /dev/null +++ b/queue-5.10/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch @@ -0,0 +1,54 @@ +From 7af160aea26c7dc9e6734d19306128cce156ec40 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 6 Jun 2025 03:04:59 +0000 +Subject: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() + +From: Gui-Dong Han + +commit 7af160aea26c7dc9e6734d19306128cce156ec40 upstream. + +In the interrupt handler rain_interrupt(), the buffer full check on +rain->buf_len is performed before acquiring rain->buf_lock. This +creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as +rain->buf_len is concurrently accessed and modified in the work +handler rain_irq_work_handler() under the same lock. + +Multiple interrupt invocations can race, with each reading buf_len +before it becomes full and then proceeding. This can lead to both +interrupts attempting to write to the buffer, incrementing buf_len +beyond its capacity (DATA_SIZE) and causing a buffer overflow. + +Fix this bug by moving the spin_lock() to before the buffer full +check. This ensures that the check and the subsequent buffer modification +are performed atomically, preventing the race condition. An corresponding +spin_unlock() is added to the overflow path to correctly release the +lock. + +This possible bug was found by an experimental static analysis tool +developed by our team. + +Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c ++++ b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c +@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct + { + struct rain *rain = serio_get_drvdata(serio); + ++ spin_lock(&rain->buf_lock); + if (rain->buf_len == DATA_SIZE) { ++ spin_unlock(&rain->buf_lock); + dev_warn_once(rain->dev, "buffer overflow\n"); + return IRQ_HANDLED; + } +- spin_lock(&rain->buf_lock); + rain->buf_len++; + rain->buf[rain->buf_wr_idx] = data; + rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff; diff --git a/queue-5.10/media-usbtv-lock-resolution-while-streaming.patch b/queue-5.10/media-usbtv-lock-resolution-while-streaming.patch new file mode 100644 index 0000000000..841ca89499 --- /dev/null +++ b/queue-5.10/media-usbtv-lock-resolution-while-streaming.patch @@ -0,0 +1,39 @@ +From 7e40e0bb778907b2441bff68d73c3eb6b6cd319f Mon Sep 17 00:00:00 2001 +From: Ludwig Disterhof +Date: Mon, 28 Apr 2025 20:16:50 +0200 +Subject: media: usbtv: Lock resolution while streaming + +From: Ludwig Disterhof + +commit 7e40e0bb778907b2441bff68d73c3eb6b6cd319f upstream. + +When an program is streaming (ffplay) and another program (qv4l2) +changes the TV standard from NTSC to PAL, the kernel crashes due to trying +to copy to unmapped memory. + +Changing from NTSC to PAL increases the resolution in the usbtv struct, +but the video plane buffer isn't adjusted, so it overflows. + +Fixes: 0e0fe3958fdd13d ("[media] usbtv: Add support for PAL video source") +Cc: stable@vger.kernel.org +Signed-off-by: Ludwig Disterhof +Signed-off-by: Hans Verkuil +[hverkuil: call vb2_is_busy instead of vb2_is_streaming] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/usbtv/usbtv-video.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/usb/usbtv/usbtv-video.c ++++ b/drivers/media/usb/usbtv/usbtv-video.c +@@ -73,6 +73,10 @@ static int usbtv_configure_for_norm(stru + } + + if (params) { ++ if (vb2_is_busy(&usbtv->vb2q) && ++ (usbtv->width != params->cap_width || ++ usbtv->height != params->cap_height)) ++ return -EBUSY; + usbtv->width = params->cap_width; + usbtv->height = params->cap_height; + usbtv->n_chunks = usbtv->width * usbtv->height diff --git a/queue-5.10/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch b/queue-5.10/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..478ee55123 --- /dev/null +++ b/queue-5.10/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch @@ -0,0 +1,33 @@ +From 6c4dab38431fee3d39a841d66ba6f2890b31b005 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Mon, 7 Jul 2025 09:39:37 +0200 +Subject: mtd: rawnand: fsmc: Add missing check after DMA map + +From: Thomas Fourier + +commit 6c4dab38431fee3d39a841d66ba6f2890b31b005 upstream. + +The DMA map functions can fail and should be tested for errors. + +Fixes: 4774fb0a48aa ("mtd: nand/fsmc: Add DMA support") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Rule: add +Link: https://lore.kernel.org/stable/20250702065806.20983-2-fourier.thomas%40gmail.com +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/fsmc_nand.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/nand/raw/fsmc_nand.c ++++ b/drivers/mtd/nand/raw/fsmc_nand.c +@@ -492,6 +492,8 @@ static int dma_xfer(struct fsmc_nand_dat + + dma_dev = chan->device; + dma_addr = dma_map_single(dma_dev->dev, buffer, len, direction); ++ if (dma_mapping_error(dma_dev->dev, dma_addr)) ++ return -EINVAL; + + if (direction == DMA_TO_DEVICE) { + dma_src = dma_addr; diff --git a/queue-5.10/pci-endpoint-fix-configfs-group-list-head-handling.patch b/queue-5.10/pci-endpoint-fix-configfs-group-list-head-handling.patch new file mode 100644 index 0000000000..deb6975901 --- /dev/null +++ b/queue-5.10/pci-endpoint-fix-configfs-group-list-head-handling.patch @@ -0,0 +1,62 @@ +From d79123d79a8154b4318529b7b2ff7e15806f480b Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 24 Jun 2025 20:45:43 +0900 +Subject: PCI: endpoint: Fix configfs group list head handling + +From: Damien Le Moal + +commit d79123d79a8154b4318529b7b2ff7e15806f480b upstream. + +Doing a list_del() on the epf_group field of struct pci_epf_driver in +pci_epf_remove_cfs() is not correct as this field is a list head, not +a list entry. This list_del() call triggers a KASAN warning when an +endpoint function driver which has a configfs attribute group is torn +down: + +================================================================== +BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198 +Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319 + +CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE +Hardware name: Radxa ROCK 5B (DT) +Call trace: +show_stack+0x2c/0x84 (C) +dump_stack_lvl+0x70/0x98 +print_report+0x17c/0x538 +kasan_report+0xb8/0x190 +__asan_report_store8_noabort+0x20/0x2c +pci_epf_remove_cfs+0x17c/0x198 +pci_epf_unregister_driver+0x18/0x30 +nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf] +__arm64_sys_delete_module+0x264/0x424 +invoke_syscall+0x70/0x260 +el0_svc_common.constprop.0+0xac/0x230 +do_el0_svc+0x40/0x58 +el0_svc+0x48/0xdc +el0t_64_sync_handler+0x10c/0x138 +el0t_64_sync+0x198/0x19c +... + +Remove this incorrect list_del() call from pci_epf_remove_cfs(). + +Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry") +Signed-off-by: Damien Le Moal +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Niklas Cassel +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250624114544.342159-2-dlemoal@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-epf-core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -147,7 +147,6 @@ static void pci_epf_remove_cfs(struct pc + mutex_lock(&pci_epf_mutex); + list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry) + pci_ep_cfs_remove_epf_group(group); +- list_del(&driver->epf_group); + mutex_unlock(&pci_epf_mutex); + } + diff --git a/queue-5.10/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch b/queue-5.10/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch new file mode 100644 index 0000000000..c572e5100c --- /dev/null +++ b/queue-5.10/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch @@ -0,0 +1,53 @@ +From 910bdb8197f9322790c738bb32feaa11dba26909 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 24 Jun 2025 20:45:44 +0900 +Subject: PCI: endpoint: Fix configfs group removal on driver teardown + +From: Damien Le Moal + +commit 910bdb8197f9322790c738bb32feaa11dba26909 upstream. + +An endpoint driver configfs attributes group is added to the +epf_group list of struct pci_epf_driver by pci_epf_add_cfs() but an +added group is not removed from this list when the attribute group is +unregistered with pci_ep_cfs_remove_epf_group(). + +Add the missing list_del() call in pci_ep_cfs_remove_epf_group() +to correctly remove the attribute group from the driver list. + +With this change, once the loop over all attribute groups in +pci_epf_remove_cfs() completes, the driver epf_group list should be +empty. Add a WARN_ON() to make sure of that. + +Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry") +Signed-off-by: Damien Le Moal +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Niklas Cassel +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250624114544.342159-3-dlemoal@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-ep-cfs.c | 1 + + drivers/pci/endpoint/pci-epf-core.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/endpoint/pci-ep-cfs.c ++++ b/drivers/pci/endpoint/pci-ep-cfs.c +@@ -464,6 +464,7 @@ void pci_ep_cfs_remove_epf_group(struct + if (IS_ERR_OR_NULL(group)) + return; + ++ list_del(&group->group_entry); + configfs_unregister_default_group(group); + } + EXPORT_SYMBOL(pci_ep_cfs_remove_epf_group); +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -147,6 +147,7 @@ static void pci_epf_remove_cfs(struct pc + mutex_lock(&pci_epf_mutex); + list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry) + pci_ep_cfs_remove_epf_group(group); ++ WARN_ON(!list_empty(&driver->epf_group)); + mutex_unlock(&pci_epf_mutex); + } + diff --git a/queue-5.10/series b/queue-5.10/series index 337c15c3dc..014bf36776 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -371,3 +371,14 @@ wifi-brcmsmac-remove-const-from-tbl_ptr-parameter-in-wlc_lcnphy_common_read_tabl wifi-ath11k-fix-source-ring-buffer-corruption.patch pwm-imx-tpm-reset-counter-if-cmod-is-0.patch hwmon-gsc-hwmon-fix-fan-pwm-setpoint-show-functions.patch +mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch +pci-endpoint-fix-configfs-group-list-head-handling.patch +pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch +jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch +soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch +media-gspca-add-bounds-checking-to-firmware-parser.patch +media-hi556-correct-the-test-pattern-configuration.patch +media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch +media-usbtv-lock-resolution-while-streaming.patch +media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch +media-ov2659-fix-memory-leaks-in-ov2659_probe.patch diff --git a/queue-5.10/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch b/queue-5.10/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch new file mode 100644 index 0000000000..92f307b0d1 --- /dev/null +++ b/queue-5.10/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch @@ -0,0 +1,137 @@ +From b6bcbce3359619d05bf387d4f5cc3af63668dbaa Mon Sep 17 00:00:00 2001 +From: Jon Hunter +Date: Thu, 31 Jul 2025 13:18:32 +0100 +Subject: soc/tegra: pmc: Ensure power-domains are in a known state + +From: Jon Hunter + +commit b6bcbce3359619d05bf387d4f5cc3af63668dbaa upstream. + +After commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on +until late_initcall_sync") was applied, the Tegra210 Jetson TX1 board +failed to boot. Looking into this issue, before this commit was applied, +if any of the Tegra power-domains were in 'on' state when the kernel +booted, they were being turned off by the genpd core before any driver +had chance to request them. This was purely by luck and a consequence of +the power-domains being turned off earlier during boot. After this +commit was applied, any power-domains in the 'on' state are kept on for +longer during boot and therefore, may never transitioned to the off +state before they are requested/used. The hang on the Tegra210 Jetson +TX1 is caused because devices in some power-domains are accessed without +the power-domain being turned off and on, indicating that the +power-domain is not in a completely on state. + +>From reviewing the Tegra PMC driver code, if a power-domain is in the +'on' state there is no guarantee that all the necessary clocks +associated with the power-domain are on and even if they are they would +not have been requested via the clock framework and so could be turned +off later. Some power-domains also have a 'clamping' register that needs +to be configured as well. In short, if a power-domain is already 'on' it +is difficult to know if it has been configured correctly. Given that the +power-domains happened to be switched off during boot previously, to +ensure that they are in a good known state on boot, fix this by +switching off any power-domains that are on initially when registering +the power-domains with the genpd framework. + +Note that commit 05cfb988a4d0 ("soc/tegra: pmc: Initialise resets +associated with a power partition") updated the +tegra_powergate_of_get_resets() function to pass the 'off' to ensure +that the resets for the power-domain are in the correct state on boot. +However, now that we may power off a domain on boot, if it is on, it is +better to move this logic into the tegra_powergate_add() function so +that there is a single place where we are handling the initial state of +the power-domain. + +Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support") +Signed-off-by: Jon Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250731121832.213671-1-jonathanh@nvidia.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/tegra/pmc.c | 51 +++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 22 deletions(-) + +--- a/drivers/soc/tegra/pmc.c ++++ b/drivers/soc/tegra/pmc.c +@@ -1064,7 +1064,7 @@ err: + } + + static int tegra_powergate_of_get_resets(struct tegra_powergate *pg, +- struct device_node *np, bool off) ++ struct device_node *np) + { + struct device *dev = pg->pmc->dev; + int err; +@@ -1079,22 +1079,6 @@ static int tegra_powergate_of_get_resets + err = reset_control_acquire(pg->reset); + if (err < 0) { + pr_err("failed to acquire resets: %d\n", err); +- goto out; +- } +- +- if (off) { +- err = reset_control_assert(pg->reset); +- } else { +- err = reset_control_deassert(pg->reset); +- if (err < 0) +- goto out; +- +- reset_control_release(pg->reset); +- } +- +-out: +- if (err) { +- reset_control_release(pg->reset); + reset_control_put(pg->reset); + } + +@@ -1139,20 +1123,43 @@ static int tegra_powergate_add(struct te + goto set_available; + } + +- err = tegra_powergate_of_get_resets(pg, np, off); ++ err = tegra_powergate_of_get_resets(pg, np); + if (err < 0) { + dev_err(dev, "failed to get resets for %pOFn: %d\n", np, err); + goto remove_clks; + } + +- if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) { +- if (off) +- WARN_ON(tegra_powergate_power_up(pg, true)); ++ /* ++ * If the power-domain is off, then ensure the resets are asserted. ++ * If the power-domain is on, then power down to ensure that when is ++ * it turned on the power-domain, clocks and resets are all in the ++ * expected state. ++ */ ++ if (off) { ++ err = reset_control_assert(pg->reset); ++ if (err) { ++ pr_err("failed to assert resets: %d\n", err); ++ goto remove_resets; ++ } ++ } else { ++ err = tegra_powergate_power_down(pg); ++ if (err) { ++ dev_err(dev, "failed to turn off PM domain %s: %d\n", ++ pg->genpd.name, err); ++ goto remove_resets; ++ } ++ } + ++ /* ++ * If PM_GENERIC_DOMAINS is not enabled, power-on ++ * the domain and skip the genpd registration. ++ */ ++ if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) { ++ WARN_ON(tegra_powergate_power_up(pg, true)); + goto remove_resets; + } + +- err = pm_genpd_init(&pg->genpd, NULL, off); ++ err = pm_genpd_init(&pg->genpd, NULL, true); + if (err < 0) { + dev_err(dev, "failed to initialise PM domain %pOFn: %d\n", np, + err);