From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 08:18:03 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.297~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b03753d6c0837598a5b3baffbcfaa04de684eff8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch asm-generic-add-memory-barrier-dma_mb.patch drm-amd-display-don-t-overclock-dce-6-by-15.patch drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch locking-barriers-kcsan-support-generic-instrumentation.patch media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch media-v4l2-ctrls-always-copy-the-controls-on-completion.patch media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch media-venus-add-support-for-ssr-trigger-using-fault-injection.patch media-venus-don-t-de-reference-null-pointers-at-irq-time.patch media-venus-hfi-explicitly-release-irq-during-teardown.patch media-venus-protect-against-spurious-interrupts-during-probe.patch media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch minmax-add-umin-a-b-and-umax-a-b.patch platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch platform-chrome-cros_ec-use-per-device-lockdep-key.patch pwm-mediatek-fix-duty-and-period-setting.patch pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch pwm-mediatek-implement-.apply-callback.patch wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch --- diff --git a/queue-5.10/acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch b/queue-5.10/acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch new file mode 100644 index 0000000000..78b2862cdc --- /dev/null +++ b/queue-5.10/acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch @@ -0,0 +1,37 @@ +From 2437513a814b3e93bd02879740a8a06e52e2cf7d Mon Sep 17 00:00:00 2001 +From: Li Zhong +Date: Fri, 2 Sep 2022 00:37:30 -0700 +Subject: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value + +From: Li Zhong + +commit 2437513a814b3e93bd02879740a8a06e52e2cf7d upstream. + +The return value of acpi_fetch_acpi_dev() could be NULL, which would +cause a NULL pointer dereference to occur in acpi_device_hid(). + +Signed-off-by: Li Zhong +[ rjw: Subject and changelog edits, added empty line after if () ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Teddy Astie +Signed-off-by: Yann Sionneau +Reported-by: Dillon C +Tested-by: Dillon C +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_idle.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -1128,7 +1128,9 @@ static int acpi_processor_get_lpi_info(s + + status = acpi_get_parent(handle, &pr_ahandle); + while (ACPI_SUCCESS(status)) { +- acpi_bus_get_device(pr_ahandle, &d); ++ if (acpi_bus_get_device(pr_ahandle, &d)) ++ break; ++ + handle = pr_ahandle; + + if (strcmp(acpi_device_hid(d), ACPI_PROCESSOR_CONTAINER_HID)) diff --git a/queue-5.10/asm-generic-add-memory-barrier-dma_mb.patch b/queue-5.10/asm-generic-add-memory-barrier-dma_mb.patch new file mode 100644 index 0000000000..8a43bf3673 --- /dev/null +++ b/queue-5.10/asm-generic-add-memory-barrier-dma_mb.patch @@ -0,0 +1,81 @@ +From stable+bounces-172511-greg=kroah.com@vger.kernel.org Fri Aug 22 21:53:53 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:53:29 -0400 +Subject: asm-generic: Add memory barrier dma_mb() +To: stable@vger.kernel.org +Cc: Kefeng Wang , Arnd Bergmann , Marco Elver , Will Deacon , Sasha Levin +Message-ID: <20250822195330.1458412-2-sashal@kernel.org> + +From: Kefeng Wang + +[ Upstream commit ed59dfd9509d172e4920994ed9cbebf93b0050cc ] + +The memory barrier dma_mb() is introduced by commit a76a37777f2c +("iommu/arm-smmu-v3: Ensure queue is read after updating prod pointer"), +which is used to ensure that prior (both reads and writes) accesses +to memory by a CPU are ordered w.r.t. a subsequent MMIO write. + +Reviewed-by: Arnd Bergmann # for asm-generic +Signed-off-by: Kefeng Wang +Reviewed-by: Marco Elver +Link: https://lore.kernel.org/r/20220523113126.171714-2-wangkefeng.wang@huawei.com +Signed-off-by: Will Deacon +Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/memory-barriers.txt | 11 ++++++----- + include/asm-generic/barrier.h | 8 ++++++++ + 2 files changed, 14 insertions(+), 5 deletions(-) + +--- a/Documentation/memory-barriers.txt ++++ b/Documentation/memory-barriers.txt +@@ -1894,6 +1894,7 @@ There are some more advanced barrier fun + + (*) dma_wmb(); + (*) dma_rmb(); ++ (*) dma_mb(); + + These are for use with consistent memory to guarantee the ordering + of writes or reads of shared memory accessible to both the CPU and a +@@ -1925,11 +1926,11 @@ There are some more advanced barrier fun + The dma_rmb() allows us guarantee the device has released ownership + before we read the data from the descriptor, and the dma_wmb() allows + us to guarantee the data is written to the descriptor before the device +- can see it now has ownership. Note that, when using writel(), a prior +- wmb() is not needed to guarantee that the cache coherent memory writes +- have completed before writing to the MMIO region. The cheaper +- writel_relaxed() does not provide this guarantee and must not be used +- here. ++ can see it now has ownership. The dma_mb() implies both a dma_rmb() and ++ a dma_wmb(). Note that, when using writel(), a prior wmb() is not needed ++ to guarantee that the cache coherent memory writes have completed before ++ writing to the MMIO region. The cheaper writel_relaxed() does not provide ++ this guarantee and must not be used here. + + See the subsection "Kernel I/O barrier effects" for more information on + relaxed I/O accessors and the Documentation/core-api/dma-api.rst file for +--- a/include/asm-generic/barrier.h ++++ b/include/asm-generic/barrier.h +@@ -37,6 +37,10 @@ + #define wmb() do { kcsan_wmb(); __wmb(); } while (0) + #endif + ++#ifdef __dma_mb ++#define dma_mb() do { kcsan_mb(); __dma_mb(); } while (0) ++#endif ++ + #ifdef __dma_rmb + #define dma_rmb() do { kcsan_rmb(); __dma_rmb(); } while (0) + #endif +@@ -64,6 +68,10 @@ + #define wmb() mb() + #endif + ++#ifndef dma_mb ++#define dma_mb() mb() ++#endif ++ + #ifndef dma_rmb + #define dma_rmb() rmb() + #endif diff --git a/queue-5.10/drm-amd-display-don-t-overclock-dce-6-by-15.patch b/queue-5.10/drm-amd-display-don-t-overclock-dce-6-by-15.patch new file mode 100644 index 0000000000..531bb09256 --- /dev/null +++ b/queue-5.10/drm-amd-display-don-t-overclock-dce-6-by-15.patch @@ -0,0 +1,55 @@ +From stable+bounces-172679-greg=kroah.com@vger.kernel.org Sun Aug 24 03:19:04 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 21:18:57 -0400 +Subject: drm/amd/display: Don't overclock DCE 6 by 15% +To: stable@vger.kernel.org +Cc: "Timur Kristóf" , "Alex Deucher" , "Rodrigo Siqueira" , "Alex Hung" , "Sasha Levin" +Message-ID: <20250824011857.2574854-1-sashal@kernel.org> + +From: Timur Kristóf + +[ Upstream commit cb7b7ae53b557d168b4af5cd8549f3eff920bfb5 ] + +The extra 15% clock was added as a workaround for a Polaris issue +which uses DCE 11, and should not have been used on DCE 6 which +is already hardcoded to the highest possible display clock. +Unfortunately, the extra 15% was mistakenly copied and kept +even on code paths which don't affect Polaris. + +This commit fixes that and also adds a check to make sure +not to exceed the maximum DCE 6 display clock. + +Fixes: 8cd61c313d8b ("drm/amd/display: Raise dispclk value for Polaris") +Fixes: dc88b4a684d2 ("drm/amd/display: make clk mgr soc specific") +Fixes: 3ecb3b794e2c ("drm/amd/display: dc/clk_mgr: add support for SI parts (v2)") +Signed-off-by: Timur Kristóf +Acked-by: Alex Deucher +Reviewed-by: Rodrigo Siqueira +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit 427980c1cbd22bb256b9385f5ce73c0937562408) +Cc: stable@vger.kernel.org +[ `MIN` => `min` ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c +@@ -112,11 +112,9 @@ static void dce60_update_clocks(struct c + { + struct clk_mgr_internal *clk_mgr_dce = TO_CLK_MGR_INTERNAL(clk_mgr_base); + struct dm_pp_power_level_change_request level_change_req; +- int patched_disp_clk = context->bw_ctx.bw.dce.dispclk_khz; +- +- /*TODO: W/A for dal3 linux, investigate why this works */ +- if (!clk_mgr_dce->dfs_bypass_active) +- patched_disp_clk = patched_disp_clk * 115 / 100; ++ const int max_disp_clk = ++ clk_mgr_dce->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz; ++ int patched_disp_clk = min(max_disp_clk, context->bw_ctx.bw.dce.dispclk_khz); + + level_change_req.power_level = dce_get_required_clocks_state(clk_mgr_base, context); + /* get max clock state from PPLIB */ diff --git a/queue-5.10/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch b/queue-5.10/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch new file mode 100644 index 0000000000..359f0705d6 --- /dev/null +++ b/queue-5.10/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch @@ -0,0 +1,50 @@ +From stable+bounces-172601-greg=kroah.com@vger.kernel.org Sat Aug 23 16:14:41 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 10:14:31 -0400 +Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS +To: stable@vger.kernel.org +Cc: "Imre Deak" , "Ville Syrjälä" , "Jani Nikula" , "Jani Nikula" , "Sasha Levin" +Message-ID: <20250823141432.2196555-1-sashal@kernel.org> + +From: Imre Deak + +[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ] + +Reading DPCD registers has side-effects in general. In particular +accessing registers outside of the link training register range +(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly +forbidden by the DP v2.1 Standard, see + +3.6.5.1 DPTX AUX Transaction Handling Mandates +3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates + +Based on my tests, accessing the DPCD_REV register during the link +training of an UHBR TBT DP tunnel sink leads to link training failures. + +Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the +DPCD register access quirk. + +Cc: +Cc: Ville Syrjälä +Cc: Jani Nikula +Acked-by: Jani Nikula +Signed-off-by: Imre Deak +Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com +[ call to drm_dp_dpcd_access() instead of drm_dp_dpcd_probe() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_dp_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_dp_helper.c ++++ b/drivers/gpu/drm/drm_dp_helper.c +@@ -299,7 +299,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a + * monitor doesn't power down exactly after the throw away read. + */ + if (!aux->is_remote) { +- ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_DPCD_REV, ++ ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_LANE0_1_STATUS, + buffer, 1); + if (ret != 1) + goto out; diff --git a/queue-5.10/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch b/queue-5.10/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch new file mode 100644 index 0000000000..f48f747af3 --- /dev/null +++ b/queue-5.10/ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch @@ -0,0 +1,84 @@ +From stable+bounces-172283-greg=kroah.com@vger.kernel.org Fri Aug 22 06:18:38 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 00:16:40 -0400 +Subject: ext4: fix hole length calculation overflow in non-extent inodes +To: stable@vger.kernel.org +Cc: Zhang Yi , stable@kernel.org, Qu Wenruo , Theodore Ts'o , Sasha Levin +Message-ID: <20250822041640.1082105-2-sashal@kernel.org> + +From: Zhang Yi + +[ Upstream commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 ] + +In a filesystem with a block size larger than 4KB, the hole length +calculation for a non-extent inode in ext4_ind_map_blocks() can easily +exceed INT_MAX. Then it could return a zero length hole and trigger the +following waring and infinite in the iomap infrastructure. + + ------------[ cut here ]------------ + WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190 + CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary) + Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 + pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : iomap_iter_done+0x148/0x190 + lr : iomap_iter+0x174/0x230 + sp : ffff8000880af740 + x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000 + x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000 + x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48 + x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000 + x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000 + x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c + x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44 + x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000 + x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000 + x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000 + Call trace: + iomap_iter_done+0x148/0x190 (P) + iomap_iter+0x174/0x230 + iomap_fiemap+0x154/0x1d8 + ext4_fiemap+0x110/0x140 [ext4] + do_vfs_ioctl+0x4b8/0xbc0 + __arm64_sys_ioctl+0x8c/0x120 + invoke_syscall+0x6c/0x100 + el0_svc_common.constprop.0+0x48/0xf0 + do_el0_svc+0x24/0x38 + el0_svc+0x38/0x120 + el0t_64_sync_handler+0x10c/0x138 + el0t_64_sync+0x198/0x1a0 + ---[ end trace 0000000000000000 ]--- + +Cc: stable@kernel.org +Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()") +Reported-by: Qu Wenruo +Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/ +Tested-by: Qu Wenruo +Signed-off-by: Zhang Yi +Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/indirect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ext4/indirect.c ++++ b/fs/ext4/indirect.c +@@ -537,7 +537,7 @@ int ext4_ind_map_blocks(handle_t *handle + int indirect_blks; + int blocks_to_boundary = 0; + int depth; +- int count = 0; ++ u64 count = 0; + ext4_fsblk_t first_block = 0; + + trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); +@@ -586,7 +586,7 @@ int ext4_ind_map_blocks(handle_t *handle + count++; + /* Fill in size of a hole we found */ + map->m_pblk = 0; +- map->m_len = min_t(unsigned int, map->m_len, count); ++ map->m_len = umin(map->m_len, count); + goto cleanup; + } + diff --git a/queue-5.10/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch b/queue-5.10/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch new file mode 100644 index 0000000000..84b04d70de --- /dev/null +++ b/queue-5.10/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch @@ -0,0 +1,76 @@ +From stable+bounces-172553-greg=kroah.com@vger.kernel.org Sat Aug 23 06:11:08 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 00:10:38 -0400 +Subject: f2fs: fix to avoid out-of-boundary access in dnode page +To: stable@vger.kernel.org +Cc: Chao Yu , stable@kernel.org, Jiaming Zhang , Jaegeuk Kim , Sasha Levin +Message-ID: <20250823041038.1834302-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ] + +As Jiaming Zhang reported: + + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x17e/0x800 mm/kasan/report.c:480 + kasan_report+0x147/0x180 mm/kasan/report.c:593 + data_blkaddr fs/f2fs/f2fs.h:3053 [inline] + f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline] + f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855 + f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195 + prepare_write_begin fs/f2fs/data.c:3395 [inline] + f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594 + generic_perform_write+0x2c7/0x910 mm/filemap.c:4112 + f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline] + f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x546/0xa90 fs/read_write.c:686 + ksys_write+0x149/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The root cause is in the corrupted image, there is a dnode has the same +node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to +access block address in dnode at offset 934, however it parses the dnode +as inode node, so that get_dnode_addr() returns 360, then it tries to +access page address from 360 + 934 * 4 = 4096 w/ 4 bytes. + +To fix this issue, let's add sanity check for node id of all direct nodes +during f2fs_get_dnode_of_data(). + +Cc: stable@kernel.org +Reported-by: Jiaming Zhang +Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ replaced f2fs_err_ratelimited() with f2fs_err() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -760,6 +760,16 @@ int f2fs_get_dnode_of_data(struct dnode_ + for (i = 1; i <= level; i++) { + bool done = false; + ++ if (nids[i] && nids[i] == dn->inode->i_ino) { ++ err = -EFSCORRUPTED; ++ f2fs_err(sbi, ++ "inode mapping table is corrupted, run fsck to fix it, " ++ "ino:%lu, nid:%u, level:%d, offset:%d", ++ dn->inode->i_ino, nids[i], level, offset[level]); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ goto release_pages; ++ } ++ + if (!nids[i] && mode == ALLOC_NODE) { + /* alloc new node */ + if (!f2fs_alloc_nid(sbi, &(nids[i]))) { diff --git a/queue-5.10/locking-barriers-kcsan-support-generic-instrumentation.patch b/queue-5.10/locking-barriers-kcsan-support-generic-instrumentation.patch new file mode 100644 index 0000000000..f5a8e04500 --- /dev/null +++ b/queue-5.10/locking-barriers-kcsan-support-generic-instrumentation.patch @@ -0,0 +1,70 @@ +From stable+bounces-172510-greg=kroah.com@vger.kernel.org Fri Aug 22 21:53:53 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:53:28 -0400 +Subject: locking/barriers, kcsan: Support generic instrumentation +To: stable@vger.kernel.org +Cc: Marco Elver , "Paul E. McKenney" , Sasha Levin +Message-ID: <20250822195330.1458412-1-sashal@kernel.org> + +From: Marco Elver + +[ Upstream commit 2505a51ac6f249956735e0a369e2404f96eebef0 ] + +Thus far only smp_*() barriers had been defined by asm-generic/barrier.h +based on __smp_*() barriers, because the !SMP case is usually generic. + +With the introduction of instrumentation, it also makes sense to have +asm-generic/barrier.h assist in the definition of instrumented versions +of mb(), rmb(), wmb(), dma_rmb(), and dma_wmb(). + +Because there is no requirement to distinguish the !SMP case, the +definition can be simpler: we can avoid also providing fallbacks for the +__ prefixed cases, and only check if `defined(__)`, to finally +define the KCSAN-instrumented versions. + +This also allows for the compiler to complain if an architecture +accidentally defines both the normal and __ prefixed variant. + +Signed-off-by: Marco Elver +Signed-off-by: Paul E. McKenney +Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-generic/barrier.h | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/include/asm-generic/barrier.h ++++ b/include/asm-generic/barrier.h +@@ -21,6 +21,31 @@ + #endif + + /* ++ * Architectures that want generic instrumentation can define __ prefixed ++ * variants of all barriers. ++ */ ++ ++#ifdef __mb ++#define mb() do { kcsan_mb(); __mb(); } while (0) ++#endif ++ ++#ifdef __rmb ++#define rmb() do { kcsan_rmb(); __rmb(); } while (0) ++#endif ++ ++#ifdef __wmb ++#define wmb() do { kcsan_wmb(); __wmb(); } while (0) ++#endif ++ ++#ifdef __dma_rmb ++#define dma_rmb() do { kcsan_rmb(); __dma_rmb(); } while (0) ++#endif ++ ++#ifdef __dma_wmb ++#define dma_wmb() do { kcsan_wmb(); __dma_wmb(); } while (0) ++#endif ++ ++/* + * Force strict CPU ordering. And yes, this is required on UP too when we're + * talking to devices. + * diff --git a/queue-5.10/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch b/queue-5.10/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch new file mode 100644 index 0000000000..90f826c760 --- /dev/null +++ b/queue-5.10/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch @@ -0,0 +1,51 @@ +From stable+bounces-172555-greg=kroah.com@vger.kernel.org Sat Aug 23 06:24:03 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 00:23:52 -0400 +Subject: media: qcom: camss: cleanup media device allocated resource on error path +To: stable@vger.kernel.org +Cc: Vladimir Zapolskiy , Bryan O'Donoghue , Bryan O'Donoghue , Hans Verkuil , Sasha Levin +Message-ID: <20250823042352.1850575-1-sashal@kernel.org> + +From: Vladimir Zapolskiy + +[ Upstream commit 69080ec3d0daba8a894025476c98ab16b5a505a4 ] + +A call to media_device_init() requires media_device_cleanup() counterpart +to complete cleanup and release any allocated resources. + +This has been done in the driver .remove() right from the beginning, but +error paths on .probe() shall also be fixed. + +Fixes: a1d7c116fcf7 ("media: camms: Add core files") +Cc: stable@vger.kernel.org +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +[ err_genpd_cleanup => err_cleanup ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss/camss.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/camss/camss.c ++++ b/drivers/media/platform/qcom/camss/camss.c +@@ -888,7 +888,7 @@ static int camss_probe(struct platform_d + ret = v4l2_device_register(camss->dev, &camss->v4l2_dev); + if (ret < 0) { + dev_err(dev, "Failed to register V4L2 device: %d\n", ret); +- goto err_cleanup; ++ goto err_media_device_cleanup; + } + + ret = camss_register_entities(camss); +@@ -945,6 +945,8 @@ err_register_subdevs: + camss_unregister_entities(camss); + err_register_entities: + v4l2_device_unregister(&camss->v4l2_dev); ++err_media_device_cleanup: ++ media_device_cleanup(&camss->media_dev); + err_cleanup: + v4l2_async_notifier_cleanup(&camss->notifier); + err_free: diff --git a/queue-5.10/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch b/queue-5.10/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch new file mode 100644 index 0000000000..5e8b508109 --- /dev/null +++ b/queue-5.10/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch @@ -0,0 +1,94 @@ +From stable+bounces-172534-greg=kroah.com@vger.kernel.org Sat Aug 23 03:46:29 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 21:46:18 -0400 +Subject: media: v4l2-ctrls: always copy the controls on completion +To: stable@vger.kernel.org +Cc: Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin +Message-ID: <20250823014619.1670865-1-sashal@kernel.org> + +From: Hans Verkuil + +[ Upstream commit c3bf5129f33923c92bf3bddaf4359b7b25ecb4ba ] + +When v4l2_ctrl_request_complete() is called and there is no control +handler object found in the request, then create such an object so +that all controls at completion state can be stored and are available +to userspace. + +Otherwise any attempt by userspace to read the completed request data +will fail. + +If allocating the control handler object failed, then indicate that +by returning ENOMEM when attempting to get the controls from the +completed request instead of returning ENOENT. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 5a0400aca5fa ("media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 36 +++++++++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -3767,8 +3767,19 @@ v4l2_ctrls_find_req_obj(struct v4l2_ctrl + obj = media_request_object_find(req, &req_ops, hdl); + if (obj) + return obj; ++ /* ++ * If there are no controls in this completed request, ++ * then that can only happen if: ++ * ++ * 1) no controls were present in the queued request, and ++ * 2) v4l2_ctrl_request_complete() could not allocate a ++ * control handler object to store the completed state in. ++ * ++ * So return ENOMEM to indicate that there was an out-of-memory ++ * error. ++ */ + if (!set) +- return ERR_PTR(-ENOENT); ++ return ERR_PTR(-ENOMEM); + + new_hdl = kzalloc(sizeof(*new_hdl), GFP_KERNEL); + if (!new_hdl) +@@ -3779,8 +3790,8 @@ v4l2_ctrls_find_req_obj(struct v4l2_ctrl + if (!ret) + ret = v4l2_ctrl_request_bind(req, new_hdl, hdl); + if (ret) { ++ v4l2_ctrl_handler_free(new_hdl); + kfree(new_hdl); +- + return ERR_PTR(ret); + } + +@@ -4369,8 +4380,25 @@ void v4l2_ctrl_request_complete(struct m + * wants to leave the controls unchanged. + */ + obj = media_request_object_find(req, &req_ops, main_hdl); +- if (!obj) +- return; ++ if (!obj) { ++ int ret; ++ ++ /* Create a new request so the driver can return controls */ ++ hdl = kzalloc(sizeof(*hdl), GFP_KERNEL); ++ if (!hdl) ++ return; ++ ++ ret = v4l2_ctrl_handler_init(hdl, (main_hdl->nr_of_buckets - 1) * 8); ++ if (!ret) ++ ret = v4l2_ctrl_request_bind(req, hdl, main_hdl); ++ if (ret) { ++ v4l2_ctrl_handler_free(hdl); ++ kfree(hdl); ++ return; ++ } ++ hdl->request_is_queued = true; ++ obj = media_request_object_find(req, &req_ops, main_hdl); ++ } + hdl = container_of(obj, struct v4l2_ctrl_handler, req_obj); + + list_for_each_entry(ref, &hdl->ctrl_refs, node) { diff --git a/queue-5.10/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch b/queue-5.10/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch new file mode 100644 index 0000000000..29b5a29a80 --- /dev/null +++ b/queue-5.10/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch @@ -0,0 +1,49 @@ +From stable+bounces-172535-greg=kroah.com@vger.kernel.org Sat Aug 23 03:46:30 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 21:46:19 -0400 +Subject: media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() +To: stable@vger.kernel.org +Cc: Sakari Ailus , Hans Verkuil , Laurent Pinchart , Sasha Levin +Message-ID: <20250823014619.1670865-2-sashal@kernel.org> + +From: Sakari Ailus + +[ Upstream commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 ] + +It's a common pattern in drivers to free the control handler's resources +and then return the handler's error code on drivers' error handling paths. +Alas, the v4l2_ctrl_handler_free() function also zeroes the error field, +effectively indicating successful return to the caller. + +There's no apparent need to touch the error field while releasing the +control handler's resources and cleaning up stale pointers. Not touching +the handler's error field is a more certain way to address this problem +than changing all the users, in which case the pattern would be likely to +re-emerge in new drivers. + +Do just that, don't touch the control handler's error field in +v4l2_ctrl_handler_free(). + +Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Hans Verkuil +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +[ v4l2-ctrls.c => v4l2-ctrls-core.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -2388,7 +2388,6 @@ void v4l2_ctrl_handler_free(struct v4l2_ + kvfree(hdl->buckets); + hdl->buckets = NULL; + hdl->cached = NULL; +- hdl->error = 0; + mutex_unlock(hdl->lock); + mutex_destroy(&hdl->_lock); + } diff --git a/queue-5.10/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch b/queue-5.10/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch new file mode 100644 index 0000000000..ee6470b168 --- /dev/null +++ b/queue-5.10/media-venus-add-support-for-ssr-trigger-using-fault-injection.patch @@ -0,0 +1,112 @@ +From stable+bounces-172549-greg=kroah.com@vger.kernel.org Sat Aug 23 05:54:57 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 23:54:47 -0400 +Subject: media: venus: Add support for SSR trigger using fault injection +To: stable@vger.kernel.org +Cc: Dikshita Agarwal , Stanimir Varbanov , Stephen Boyd , Mauro Carvalho Chehab , Sasha Levin +Message-ID: <20250823035448.1818703-1-sashal@kernel.org> + +From: Dikshita Agarwal + +[ Upstream commit 748b080f21678f2988b0da2d2b396a6f928d9b2c ] + +Here we introduce a new fault injection for SSR trigger. + +To trigger the SSR: + echo 100 > /sys/kernel/debug/venus/fail_ssr/probability + echo 1 > /sys/kernel/debug/venus/fail_ssr/times + +Co-developed-by: Stanimir Varbanov +Signed-off-by: Stanimir Varbanov +Signed-off-by: Dikshita Agarwal +Reviewed-by: Stephen Boyd +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 3200144a2fa4 ("media: venus: protect against spurious interrupts during probe") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 15 ++++++++++++++- + drivers/media/platform/qcom/venus/dbgfs.c | 9 +++++++++ + drivers/media/platform/qcom/venus/dbgfs.h | 13 +++++++++++++ + 3 files changed, 36 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -220,6 +220,19 @@ static void venus_assign_register_offset + core->wrapper_base = core->base + WRAPPER_BASE; + } + ++static irqreturn_t venus_isr_thread(int irq, void *dev_id) ++{ ++ struct venus_core *core = dev_id; ++ irqreturn_t ret; ++ ++ ret = hfi_isr_thread(irq, dev_id); ++ ++ if (ret == IRQ_HANDLED && venus_fault_inject_ssr()) ++ hfi_core_trigger_ssr(core, HFI_TEST_SSR_SW_ERR_FATAL); ++ ++ return ret; ++} ++ + static int venus_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +@@ -276,7 +289,7 @@ static int venus_probe(struct platform_d + mutex_init(&core->lock); + INIT_DELAYED_WORK(&core->work, venus_sys_error_handler); + +- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread, ++ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread, + IRQF_TRIGGER_HIGH | IRQF_ONESHOT, + "venus", core); + if (ret) +--- a/drivers/media/platform/qcom/venus/dbgfs.c ++++ b/drivers/media/platform/qcom/venus/dbgfs.c +@@ -4,13 +4,22 @@ + */ + + #include ++#include + + #include "core.h" + ++#ifdef CONFIG_FAULT_INJECTION ++DECLARE_FAULT_ATTR(venus_ssr_attr); ++#endif ++ + void venus_dbgfs_init(struct venus_core *core) + { + core->root = debugfs_create_dir("venus", NULL); + debugfs_create_x32("fw_level", 0644, core->root, &venus_fw_debug); ++ ++#ifdef CONFIG_FAULT_INJECTION ++ fault_create_debugfs_attr("fail_ssr", core->root, &venus_ssr_attr); ++#endif + } + + void venus_dbgfs_deinit(struct venus_core *core) +--- a/drivers/media/platform/qcom/venus/dbgfs.h ++++ b/drivers/media/platform/qcom/venus/dbgfs.h +@@ -4,8 +4,21 @@ + #ifndef __VENUS_DBGFS_H__ + #define __VENUS_DBGFS_H__ + ++#include ++ + struct venus_core; + ++#ifdef CONFIG_FAULT_INJECTION ++extern struct fault_attr venus_ssr_attr; ++static inline bool venus_fault_inject_ssr(void) ++{ ++ return should_fail(&venus_ssr_attr, 1); ++} ++#else ++static inline bool venus_fault_inject_ssr(void) { return false; } ++#endif ++ ++ + void venus_dbgfs_init(struct venus_core *core); + void venus_dbgfs_deinit(struct venus_core *core); + diff --git a/queue-5.10/media-venus-don-t-de-reference-null-pointers-at-irq-time.patch b/queue-5.10/media-venus-don-t-de-reference-null-pointers-at-irq-time.patch new file mode 100644 index 0000000000..54d98b121d --- /dev/null +++ b/queue-5.10/media-venus-don-t-de-reference-null-pointers-at-irq-time.patch @@ -0,0 +1,78 @@ +From stable+bounces-172541-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:26 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 22:50:19 -0400 +Subject: media: venus: don't de-reference NULL pointers at IRQ time +To: stable@vger.kernel.org +Cc: Mauro Carvalho Chehab , Sasha Levin +Message-ID: <20250823025020.1694568-1-sashal@kernel.org> + +From: Mauro Carvalho Chehab + +[ Upstream commit 686ee9b6253f9b6d7f1151e73114698940cc0894 ] + +Smatch is warning that: + drivers/media/platform/qcom/venus/hfi_venus.c:1100 venus_isr() warn: variable dereferenced before check 'hdev' (see line 1097) + +The logic basically does: + hdev = to_hfi_priv(core); + +with is translated to: + hdev = core->priv; + +If the IRQ code can receive a NULL pointer for hdev, there's +a bug there, as it will first try to de-reference the pointer, +and then check if it is null. + +After looking at the code, it seems that this indeed can happen: +Basically, the venus IRQ thread is started with: + devm_request_threaded_irq() +So, it will only be freed after the driver unbinds. + +In order to prevent the IRQ code to work with freed data, +the logic at venus_hfi_destroy() sets core->priv to NULL, +which would make the IRQ code to ignore any pending IRQs. + +There is, however a race condition, as core->priv is set +to NULL only after being freed. So, we need also to move the +core->priv = NULL to happen earlier. + +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 640803003cd9 ("media: venus: hfi: explicitly release IRQ during teardown") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_venus.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/qcom/venus/hfi_venus.c ++++ b/drivers/media/platform/qcom/venus/hfi_venus.c +@@ -1071,12 +1071,15 @@ static irqreturn_t venus_isr(struct venu + { + struct venus_hfi_device *hdev = to_hfi_priv(core); + u32 status; +- void __iomem *cpu_cs_base = hdev->core->cpu_cs_base; +- void __iomem *wrapper_base = hdev->core->wrapper_base; ++ void __iomem *cpu_cs_base; ++ void __iomem *wrapper_base; + + if (!hdev) + return IRQ_NONE; + ++ cpu_cs_base = hdev->core->cpu_cs_base; ++ wrapper_base = hdev->core->wrapper_base; ++ + status = readl(wrapper_base + WRAPPER_INTR_STATUS); + + if (status & WRAPPER_INTR_STATUS_A2H_MASK || +@@ -1613,10 +1616,10 @@ void venus_hfi_destroy(struct venus_core + { + struct venus_hfi_device *hdev = to_hfi_priv(core); + ++ core->priv = NULL; + venus_interface_queues_release(hdev); + mutex_destroy(&hdev->lock); + kfree(hdev); +- core->priv = NULL; + core->ops = NULL; + } + diff --git a/queue-5.10/media-venus-hfi-explicitly-release-irq-during-teardown.patch b/queue-5.10/media-venus-hfi-explicitly-release-irq-during-teardown.patch new file mode 100644 index 0000000000..9e61e6c24d --- /dev/null +++ b/queue-5.10/media-venus-hfi-explicitly-release-irq-during-teardown.patch @@ -0,0 +1,42 @@ +From stable+bounces-172542-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:58 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 22:50:20 -0400 +Subject: media: venus: hfi: explicitly release IRQ during teardown +To: stable@vger.kernel.org +Cc: Jorge Ramirez-Ortiz , Dikshita Agarwal , Bryan O'Donoghue , Bryan O'Donoghue , Hans Verkuil , Sasha Levin +Message-ID: <20250823025020.1694568-2-sashal@kernel.org> + +From: Jorge Ramirez-Ortiz + +[ Upstream commit 640803003cd903cea73dc6a86bf6963e238e2b3f ] + +Ensure the IRQ is disabled - and all pending handlers completed - before +dismantling the interrupt routing and clearing related pointers. + +This prevents any possibility of the interrupt triggering after the +handler context has been invalidated. + +Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz +Reviewed-by: Dikshita Agarwal +Tested-by: Dikshita Agarwal # RB5 +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_venus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/qcom/venus/hfi_venus.c ++++ b/drivers/media/platform/qcom/venus/hfi_venus.c +@@ -1620,6 +1620,7 @@ void venus_hfi_destroy(struct venus_core + venus_interface_queues_release(hdev); + mutex_destroy(&hdev->lock); + kfree(hdev); ++ disable_irq(core->irq); + core->ops = NULL; + } + diff --git a/queue-5.10/media-venus-protect-against-spurious-interrupts-during-probe.patch b/queue-5.10/media-venus-protect-against-spurious-interrupts-during-probe.patch new file mode 100644 index 0000000000..7df0f9650b --- /dev/null +++ b/queue-5.10/media-venus-protect-against-spurious-interrupts-during-probe.patch @@ -0,0 +1,56 @@ +From stable+bounces-172550-greg=kroah.com@vger.kernel.org Sat Aug 23 05:54:59 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 23:54:48 -0400 +Subject: media: venus: protect against spurious interrupts during probe +To: stable@vger.kernel.org +Cc: Jorge Ramirez-Ortiz , Bryan O'Donoghue , Vikash Garodia , Dikshita Agarwal , Bryan O'Donoghue , Hans Verkuil , Sasha Levin +Message-ID: <20250823035448.1818703-2-sashal@kernel.org> + +From: Jorge Ramirez-Ortiz + +[ Upstream commit 3200144a2fa4209dc084a19941b9b203b43580f0 ] + +Make sure the interrupt handler is initialized before the interrupt is +registered. + +If the IRQ is registered before hfi_create(), it's possible that an +interrupt fires before the handler setup is complete, leading to a NULL +dereference. + +This error condition has been observed during system boot on Rb3Gen2. + +Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz +Reviewed-by: Bryan O'Donoghue +Reviewed-by: Vikash Garodia +Reviewed-by: Dikshita Agarwal +Tested-by: Dikshita Agarwal # RB5 +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -289,13 +289,13 @@ static int venus_probe(struct platform_d + mutex_init(&core->lock); + INIT_DELAYED_WORK(&core->work, venus_sys_error_handler); + +- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread, +- IRQF_TRIGGER_HIGH | IRQF_ONESHOT, +- "venus", core); ++ ret = hfi_create(core, &venus_core_ops); + if (ret) + goto err_core_put; + +- ret = hfi_create(core, &venus_core_ops); ++ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread, ++ IRQF_TRIGGER_HIGH | IRQF_ONESHOT, ++ "venus", core); + if (ret) + goto err_core_put; + diff --git a/queue-5.10/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch b/queue-5.10/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch new file mode 100644 index 0000000000..35c88ac6c6 --- /dev/null +++ b/queue-5.10/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch @@ -0,0 +1,63 @@ +From stable+bounces-172552-greg=kroah.com@vger.kernel.org Sat Aug 23 06:09:07 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 00:08:59 -0400 +Subject: media: venus: vdec: Clamp param smaller than 1fps and bigger than 240. +To: stable@vger.kernel.org +Cc: Ricardo Ribalda , Hans Verkuil , Bryan O'Donoghue , Bryan O'Donoghue , Sasha Levin +Message-ID: <20250823040859.1832832-1-sashal@kernel.org> + +From: Ricardo Ribalda + +[ Upstream commit 377dc500d253f0b26732b2cb062e89668aef890a ] + +The driver uses "whole" fps in all its calculations (e.g. in +load_per_instance()). Those calculation expect an fps bigger than 1, and +not big enough to overflow. + +Clamp the value if the user provides a param that will result in an invalid +fps. + +Reported-by: Hans Verkuil +Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0 +Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files") +Cc: stable@vger.kernel.org +Tested-by: Bryan O'Donoghue # qrb5615-rb5 +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Ricardo Ribalda +[bod: Change "parm" to "param"] +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.h | 2 ++ + drivers/media/platform/qcom/venus/vdec.c | 5 ++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/qcom/venus/core.h ++++ b/drivers/media/platform/qcom/venus/core.h +@@ -25,6 +25,8 @@ + #define VIDC_VCODEC_CLKS_NUM_MAX 2 + #define VIDC_PMDOMAINS_NUM_MAX 3 + ++#define VENUS_MAX_FPS 240 ++ + extern int venus_fw_debug; + + struct freq_tbl { +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -427,11 +427,10 @@ static int vdec_s_parm(struct file *file + us_per_frame = timeperframe->numerator * (u64)USEC_PER_SEC; + do_div(us_per_frame, timeperframe->denominator); + +- if (!us_per_frame) +- return -EINVAL; +- ++ us_per_frame = clamp(us_per_frame, 1, USEC_PER_SEC); + fps = (u64)USEC_PER_SEC; + do_div(fps, us_per_frame); ++ fps = min(VENUS_MAX_FPS, fps); + + inst->fps = fps; + inst->timeperframe = *timeperframe; diff --git a/queue-5.10/minmax-add-umin-a-b-and-umax-a-b.patch b/queue-5.10/minmax-add-umin-a-b-and-umax-a-b.patch new file mode 100644 index 0000000000..898ba78d79 --- /dev/null +++ b/queue-5.10/minmax-add-umin-a-b-and-umax-a-b.patch @@ -0,0 +1,141 @@ +From stable+bounces-172282-greg=kroah.com@vger.kernel.org Fri Aug 22 06:18:37 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 00:16:39 -0400 +Subject: minmax: add umin(a, b) and umax(a, b) +To: stable@vger.kernel.org +Cc: David Laight , David Laight , Andy Shevchenko , Christoph Hellwig , "Jason A. Donenfeld" , Linus Torvalds , "Matthew Wilcox (Oracle)" , Andrew Morton , Sasha Levin +Message-ID: <20250822041640.1082105-1-sashal@kernel.org> + +From: David Laight + +[ Upstream commit 80fcac55385ccb710d33a20dc1caaef29bd5a921 ] + +Patch series "minmax: Relax type checks in min() and max()", v4. + +The min() (etc) functions in minmax.h require that the arguments have +exactly the same types. + +However when the type check fails, rather than look at the types and fix +the type of a variable/constant, everyone seems to jump on min_t(). In +reality min_t() ought to be rare - when something unusual is being done, +not normality. + +The orginal min() (added in 2.4.9) replaced several inline functions and +included the type - so matched the implicit casting of the function call. +This was renamed min_t() in 2.4.10 and the current min() added. There is +no actual indication that the conversion of negatve values to large +unsigned values has ever been an actual problem. + +A quick grep shows 5734 min() and 4597 min_t(). Having the casts on +almost half of the calls shows that something is clearly wrong. + +If the wrong type is picked (and it is far too easy to pick the type of +the result instead of the larger input) then significant bits can get +discarded. + +Pretty much the worst example is in the derived clamp_val(), consider: + unsigned char x = 200u; + y = clamp_val(x, 10u, 300u); + +I also suspect that many of the min_t(u16, ...) are actually wrong. For +example copy_data() in printk_ringbuffer.c contains: + + data_size = min_t(u16, buf_size, len); + +Here buf_size is 'unsigned int' and len 'u16', pass a 64k buffer (can you +prove that doesn't happen?) and no data is returned. Apparantly it did - +and has since been fixed. + +The only reason that most of the min_t() are 'fine' is that pretty much +all the values in the kernel are between 0 and INT_MAX. + +Patch 1 adds umin(), this uses integer promotions to convert both +arguments to 'unsigned long long'. It can be used to compare a signed +type that is known to contain a non-negative value with an unsigned type. +The compiler typically optimises it all away. Added first so that it can +be referred to in patch 2. + +Patch 2 replaces the 'same type' check with a 'same signedness' one. This +makes min(unsigned_int_var, sizeof()) be ok. The error message is also +improved and will contain the expanded form of both arguments (useful for +seeing how constants are defined). + +Patch 3 just fixes some whitespace. + +Patch 4 allows comparisons of 'unsigned char' and 'unsigned short' to +signed types. The integer promotion rules convert them both to 'signed +int' prior to the comparison so they can never cause a negative value be +converted to a large positive one. + +Patch 5 (rewritted for v4) allows comparisons of unsigned values against +non-negative constant integer expressions. This makes +min(unsigned_int_var, 4) be ok. + +The only common case that is still errored is the comparison of signed +values against unsigned constant integer expressions below __INT_MAX__. +Typcally min(int_val, sizeof (foo)), the real fix for this is casting the +constant: min(int_var, (int)sizeof (foo)). + +With all the patches applied pretty much all the min_t() could be replaced +by min(), and most of the rest by umin(). However they all need careful +inspection due to code like: + + sz = min_t(unsigned char, sz - 1, LIM - 1) + 1; + +which converts 0 to LIM. + +This patch (of 6): + +umin() and umax() can be used when min()/max() errors a signed v unsigned +compare when the signed value is known to be non-negative. + +Unlike min_t(some_unsigned_type, a, b) umin() will never mask off high +bits if an inappropriate type is selected. + +The '+ 0u + 0ul + 0ull' may look strange. +The '+ 0u' is needed for 'signed int' on 64bit systems. +The '+ 0ul' is needed for 'signed long' on 32bit systems. +The '+ 0ull' is needed for 'signed long long'. + +Link: https://lkml.kernel.org/r/b97faef60ad24922b530241c5d7c933c@AcuMS.aculab.com +Link: https://lkml.kernel.org/r/41d93ca827a248698ec64bf57e0c05a5@AcuMS.aculab.com +Signed-off-by: David Laight +Cc: Andy Shevchenko +Cc: Christoph Hellwig +Cc: Jason A. Donenfeld +Cc: Linus Torvalds +Cc: Matthew Wilcox (Oracle) +Signed-off-by: Andrew Morton +Stable-dep-of: 02c7f7219ac0 ("ext4: fix hole length calculation overflow in non-extent inodes") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/minmax.h | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/include/linux/minmax.h ++++ b/include/linux/minmax.h +@@ -52,6 +52,23 @@ + #define max(x, y) __careful_cmp(x, y, >) + + /** ++ * umin - return minimum of two non-negative values ++ * Signed types are zero extended to match a larger unsigned type. ++ * @x: first value ++ * @y: second value ++ */ ++#define umin(x, y) \ ++ __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, <) ++ ++/** ++ * umax - return maximum of two non-negative values ++ * @x: first value ++ * @y: second value ++ */ ++#define umax(x, y) \ ++ __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, >) ++ ++/** + * min3 - return minimum of three values + * @x: first value + * @y: second value diff --git a/queue-5.10/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch b/queue-5.10/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch new file mode 100644 index 0000000000..d7d3ea2a44 --- /dev/null +++ b/queue-5.10/platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch @@ -0,0 +1,103 @@ +From stable+bounces-172185-greg=kroah.com@vger.kernel.org Thu Aug 21 18:14:53 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:14:34 -0400 +Subject: platform/chrome: cros_ec: Make cros_ec_unregister() return void +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "Guenter Roeck" , "Lee Jones" , "Mark Brown" , "Sasha Levin" +Message-ID: <20250821161437.775522-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit afb0a80e63d67e957b5d0eb4ade301aff6e13c8c ] + +Up to now cros_ec_unregister() returns zero unconditionally. Make it +return void instead which makes it easier to see in the callers that +there is no error to handle. + +Also the return value of i2c, platform and spi remove callbacks is +ignored anyway. + +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20211020071753.wltjslmimb6wtlp5@pengutronix.de +Signed-off-by: Uwe Kleine-König +Acked-by: Lee Jones +Link: https://lore.kernel.org/r/20220123175201.34839-5-u.kleine-koenig@pengutronix.de +Signed-off-by: Mark Brown +Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 4 +--- + drivers/platform/chrome/cros_ec.h | 2 +- + drivers/platform/chrome/cros_ec_i2c.c | 4 +++- + drivers/platform/chrome/cros_ec_lpc.c | 4 +++- + drivers/platform/chrome/cros_ec_spi.c | 4 +++- + 5 files changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -285,13 +285,11 @@ EXPORT_SYMBOL(cros_ec_register); + * + * Return: 0 on success or negative error code. + */ +-int cros_ec_unregister(struct cros_ec_device *ec_dev) ++void cros_ec_unregister(struct cros_ec_device *ec_dev) + { + if (ec_dev->pd) + platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); +- +- return 0; + } + EXPORT_SYMBOL(cros_ec_unregister); + +--- a/drivers/platform/chrome/cros_ec.h ++++ b/drivers/platform/chrome/cros_ec.h +@@ -9,7 +9,7 @@ + #define __CROS_EC_H + + int cros_ec_register(struct cros_ec_device *ec_dev); +-int cros_ec_unregister(struct cros_ec_device *ec_dev); ++void cros_ec_unregister(struct cros_ec_device *ec_dev); + + int cros_ec_suspend(struct cros_ec_device *ec_dev); + int cros_ec_resume(struct cros_ec_device *ec_dev); +--- a/drivers/platform/chrome/cros_ec_i2c.c ++++ b/drivers/platform/chrome/cros_ec_i2c.c +@@ -313,7 +313,9 @@ static int cros_ec_i2c_remove(struct i2c + { + struct cros_ec_device *ec_dev = i2c_get_clientdata(client); + +- return cros_ec_unregister(ec_dev); ++ cros_ec_unregister(ec_dev); ++ ++ return 0; + } + + #ifdef CONFIG_PM_SLEEP +--- a/drivers/platform/chrome/cros_ec_lpc.c ++++ b/drivers/platform/chrome/cros_ec_lpc.c +@@ -439,7 +439,9 @@ static int cros_ec_lpc_remove(struct pla + acpi_remove_notify_handler(adev->handle, ACPI_ALL_NOTIFY, + cros_ec_lpc_acpi_notify); + +- return cros_ec_unregister(ec_dev); ++ cros_ec_unregister(ec_dev); ++ ++ return 0; + } + + static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = { +--- a/drivers/platform/chrome/cros_ec_spi.c ++++ b/drivers/platform/chrome/cros_ec_spi.c +@@ -791,7 +791,9 @@ static int cros_ec_spi_remove(struct spi + { + struct cros_ec_device *ec_dev = spi_get_drvdata(spi); + +- return cros_ec_unregister(ec_dev); ++ cros_ec_unregister(ec_dev); ++ ++ return 0; + } + + #ifdef CONFIG_PM_SLEEP diff --git a/queue-5.10/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch b/queue-5.10/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch new file mode 100644 index 0000000000..c37a86a0b6 --- /dev/null +++ b/queue-5.10/platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch @@ -0,0 +1,75 @@ +From stable+bounces-172187-greg=kroah.com@vger.kernel.org Thu Aug 21 18:19:29 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:14:36 -0400 +Subject: platform/chrome: cros_ec: remove unneeded label and if-condition +To: stable@vger.kernel.org +Cc: Tzung-Bi Shih , Guenter Roeck , Sasha Levin +Message-ID: <20250821161437.775522-3-sashal@kernel.org> + +From: Tzung-Bi Shih + +[ Upstream commit 554ec02c97254962bbb0a8776c3160d294fc7e51 ] + +Both `ec_dev->ec` and `ec_dev->pd` are initialized to NULL at the +beginning of cros_ec_register(). Also, platform_device_unregister() +takes care if the given platform_device is NULL. + +Remove the unneeded goto-label and if-condition. + +Signed-off-by: Tzung-Bi Shih +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20230308031247.2866401-1-tzungbi@kernel.org +Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -193,7 +193,7 @@ int cros_ec_register(struct cros_ec_devi + err = cros_ec_query_all(ec_dev); + if (err) { + dev_err(dev, "Cannot identify the EC: error %d\n", err); +- goto destroy_mutex; ++ goto exit; + } + + if (ec_dev->irq > 0) { +@@ -205,7 +205,7 @@ int cros_ec_register(struct cros_ec_devi + if (err) { + dev_err(dev, "Failed to request IRQ %d: %d", + ec_dev->irq, err); +- goto destroy_mutex; ++ goto exit; + } + } + +@@ -217,7 +217,7 @@ int cros_ec_register(struct cros_ec_devi + dev_err(ec_dev->dev, + "Failed to create CrOS EC platform device\n"); + err = PTR_ERR(ec_dev->ec); +- goto destroy_mutex; ++ goto exit; + } + + if (ec_dev->max_passthru) { +@@ -276,7 +276,6 @@ int cros_ec_register(struct cros_ec_devi + exit: + platform_device_unregister(ec_dev->ec); + platform_device_unregister(ec_dev->pd); +-destroy_mutex: + mutex_destroy(&ec_dev->lock); + lockdep_unregister_key(&ec_dev->lockdep_key); + return err; +@@ -293,8 +292,7 @@ EXPORT_SYMBOL(cros_ec_register); + */ + void cros_ec_unregister(struct cros_ec_device *ec_dev) + { +- if (ec_dev->pd) +- platform_device_unregister(ec_dev->pd); ++ platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); + mutex_destroy(&ec_dev->lock); + lockdep_unregister_key(&ec_dev->lockdep_key); diff --git a/queue-5.10/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch b/queue-5.10/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch new file mode 100644 index 0000000000..8bcff54e94 --- /dev/null +++ b/queue-5.10/platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch @@ -0,0 +1,40 @@ +From stable+bounces-172188-greg=kroah.com@vger.kernel.org Thu Aug 21 18:18:30 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:14:37 -0400 +Subject: platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() +To: stable@vger.kernel.org +Cc: Tzung-Bi Shih , Benson Leung , Sasha Levin +Message-ID: <20250821161437.775522-4-sashal@kernel.org> + +From: Tzung-Bi Shih + +[ Upstream commit e2374953461947eee49f69b3e3204ff080ef31b1 ] + +The blocking notifier is registered in cros_ec_register(); however, it +isn't unregistered in cros_ec_unregister(). + +Fix it. + +Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW") +Cc: stable@vger.kernel.org +Reviewed-by: Benson Leung +Link: https://lore.kernel.org/r/20250722120513.234031-1-tzungbi@kernel.org +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -292,6 +292,9 @@ EXPORT_SYMBOL(cros_ec_register); + */ + void cros_ec_unregister(struct cros_ec_device *ec_dev) + { ++ if (ec_dev->mkbp_event_supported) ++ blocking_notifier_chain_unregister(&ec_dev->event_notifier, ++ &ec_dev->notifier_ready); + platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); + mutex_destroy(&ec_dev->lock); diff --git a/queue-5.10/platform-chrome-cros_ec-use-per-device-lockdep-key.patch b/queue-5.10/platform-chrome-cros_ec-use-per-device-lockdep-key.patch new file mode 100644 index 0000000000..41f1cc05ee --- /dev/null +++ b/queue-5.10/platform-chrome-cros_ec-use-per-device-lockdep-key.patch @@ -0,0 +1,144 @@ +From stable+bounces-172186-greg=kroah.com@vger.kernel.org Thu Aug 21 18:18:02 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:14:35 -0400 +Subject: platform/chrome: cros_ec: Use per-device lockdep key +To: stable@vger.kernel.org +Cc: Chen-Yu Tsai , Tzung-Bi Shih , Sasha Levin +Message-ID: <20250821161437.775522-2-sashal@kernel.org> + +From: Chen-Yu Tsai + +[ Upstream commit 961a325becd9a142ae5c8b258e5c2f221f8bfac8 ] + +Lockdep reports a bogus possible deadlock on MT8192 Chromebooks due to +the following lock sequences: + +1. lock(i2c_register_adapter) [1]; lock(&ec_dev->lock) +2. lock(&ec_dev->lock); lock(prepare_lock); + +The actual dependency chains are much longer. The shortened version +looks somewhat like: + +1. cros-ec-rpmsg on mtk-scp + ec_dev->lock -> prepare_lock +2. In rt5682_i2c_probe() on native I2C bus: + prepare_lock -> regmap->lock -> (possibly) i2c_adapter->bus_lock +3. In rt5682_i2c_probe() on native I2C bus: + regmap->lock -> i2c_adapter->bus_lock +4. In sbs_probe() on i2c-cros-ec-tunnel I2C bus attached on cros-ec: + i2c_adapter->bus_lock -> ec_dev->lock + +While lockdep is correct that the shared lockdep classes have a circular +dependency, it is bogus because + + a) 2+3 happen on a native I2C bus + b) 4 happens on the actual EC on ChromeOS devices + c) 1 happens on the SCP coprocessor on MediaTek Chromebooks that just + happens to expose a cros-ec interface, but does not have an + i2c-cros-ec-tunnel I2C bus + +In short, the "dependencies" are actually on different devices. + +Setup a per-device lockdep key for cros_ec devices so lockdep can tell +the two instances apart. This helps with getting rid of the bogus +lockdep warning. For ChromeOS devices that only have one cros-ec +instance this doesn't change anything. + +Also add a missing mutex_destroy, just to make the teardown complete. + +[1] This is likely the per I2C bus lock with shared lockdep class + +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20230111074146.2624496-1-wenst@chromium.org +Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec.c | 14 +++++++++++--- + include/linux/platform_data/cros_ec_proto.h | 4 ++++ + 2 files changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -186,12 +186,14 @@ int cros_ec_register(struct cros_ec_devi + if (!ec_dev->dout) + return -ENOMEM; + ++ lockdep_register_key(&ec_dev->lockdep_key); + mutex_init(&ec_dev->lock); ++ lockdep_set_class(&ec_dev->lock, &ec_dev->lockdep_key); + + err = cros_ec_query_all(ec_dev); + if (err) { + dev_err(dev, "Cannot identify the EC: error %d\n", err); +- return err; ++ goto destroy_mutex; + } + + if (ec_dev->irq > 0) { +@@ -203,7 +205,7 @@ int cros_ec_register(struct cros_ec_devi + if (err) { + dev_err(dev, "Failed to request IRQ %d: %d", + ec_dev->irq, err); +- return err; ++ goto destroy_mutex; + } + } + +@@ -214,7 +216,8 @@ int cros_ec_register(struct cros_ec_devi + if (IS_ERR(ec_dev->ec)) { + dev_err(ec_dev->dev, + "Failed to create CrOS EC platform device\n"); +- return PTR_ERR(ec_dev->ec); ++ err = PTR_ERR(ec_dev->ec); ++ goto destroy_mutex; + } + + if (ec_dev->max_passthru) { +@@ -273,6 +276,9 @@ int cros_ec_register(struct cros_ec_devi + exit: + platform_device_unregister(ec_dev->ec); + platform_device_unregister(ec_dev->pd); ++destroy_mutex: ++ mutex_destroy(&ec_dev->lock); ++ lockdep_unregister_key(&ec_dev->lockdep_key); + return err; + } + EXPORT_SYMBOL(cros_ec_register); +@@ -290,6 +296,8 @@ void cros_ec_unregister(struct cros_ec_d + if (ec_dev->pd) + platform_device_unregister(ec_dev->pd); + platform_device_unregister(ec_dev->ec); ++ mutex_destroy(&ec_dev->lock); ++ lockdep_unregister_key(&ec_dev->lockdep_key); + } + EXPORT_SYMBOL(cros_ec_unregister); + +--- a/include/linux/platform_data/cros_ec_proto.h ++++ b/include/linux/platform_data/cros_ec_proto.h +@@ -9,6 +9,7 @@ + #define __LINUX_CROS_EC_PROTO_H + + #include ++#include + #include + #include + +@@ -114,6 +115,8 @@ struct cros_ec_command { + * command. The caller should check msg.result for the EC's result + * code. + * @pkt_xfer: Send packet to EC and get response. ++ * @lockdep_key: Lockdep class for each instance. Unused if CONFIG_LOCKDEP is ++ * not enabled. + * @lock: One transaction at a time. + * @mkbp_event_supported: 0 if MKBP not supported. Otherwise its value is + * the maximum supported version of the MKBP host event +@@ -159,6 +162,7 @@ struct cros_ec_device { + struct cros_ec_command *msg); + int (*pkt_xfer)(struct cros_ec_device *ec, + struct cros_ec_command *msg); ++ struct lock_class_key lockdep_key; + struct mutex lock; + u8 mkbp_event_supported; + bool host_sleep_v1; diff --git a/queue-5.10/pwm-mediatek-fix-duty-and-period-setting.patch b/queue-5.10/pwm-mediatek-fix-duty-and-period-setting.patch new file mode 100644 index 0000000000..e0757a1aa2 --- /dev/null +++ b/queue-5.10/pwm-mediatek-fix-duty-and-period-setting.patch @@ -0,0 +1,82 @@ +From stable+bounces-172498-greg=kroah.com@vger.kernel.org Fri Aug 22 21:02:43 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:01:33 -0400 +Subject: pwm: mediatek: Fix duty and period setting +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Uwe Kleine-König" , "Sasha Levin" +Message-ID: <20250822190133.1406293-3-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit f21d136caf8171f94159d975ea4620c164431bd9 ] + +The period generated by the hardware is + + (PWMDWIDTH + 1) << CLKDIV) / freq + +according to my tests with a signal analyser and also the documentation. + +The current algorithm doesn't consider the `+ 1` part and so configures +slightly too high periods. The same issue exists for the duty cycle +setting. So subtract 1 from both the register values for period and +duty cycle. If period is 0, bail out, if duty_cycle is 0, just disable +the PWM which results in a constant low output. + +Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support") +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/6d1fa87a76f8020bfe3171529b8e19baffceab10.1753717973.git.u.kleine-koenig@baylibre.com +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -169,7 +169,10 @@ static int pwm_mediatek_config(struct pw + do_div(resolution, clk_rate); + + cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution); +- while (cnt_period > 8191) { ++ if (!cnt_period) ++ return -EINVAL; ++ ++ while (cnt_period > 8192) { + resolution *= 2; + clkdiv++; + cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, +@@ -192,9 +195,16 @@ static int pwm_mediatek_config(struct pw + } + + cnt_duty = DIV_ROUND_CLOSEST_ULL((u64)duty_ns * 1000, resolution); ++ + pwm_mediatek_writel(pc, pwm->hwpwm, PWMCON, BIT(15) | clkdiv); +- pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); +- pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); ++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period - 1); ++ ++ if (cnt_duty) { ++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty - 1); ++ pwm_mediatek_enable(chip, pwm); ++ } else { ++ pwm_mediatek_disable(chip, pwm); ++ } + + out: + pwm_mediatek_clk_disable(chip, pwm); +@@ -223,11 +233,8 @@ static int pwm_mediatek_apply(struct pwm + if (err) + return err; + +- if (!pwm->state.enabled) { ++ if (!pwm->state.enabled) + err = pwm_mediatek_clk_enable(chip, pwm); +- if (!err) +- pwm_mediatek_enable(chip, pwm); +- } + + return err; + } diff --git a/queue-5.10/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch b/queue-5.10/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch new file mode 100644 index 0000000000..9f2a3e45ed --- /dev/null +++ b/queue-5.10/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch @@ -0,0 +1,123 @@ +From stable+bounces-172497-greg=kroah.com@vger.kernel.org Fri Aug 22 21:02:35 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:01:32 -0400 +Subject: pwm: mediatek: Handle hardware enable and clock enable separately +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Uwe Kleine-König" , "Sasha Levin" +Message-ID: <20250822190133.1406293-2-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit 704d918341c378c5f9505dfdf32d315e256d3846 ] + +Stop handling the clocks in pwm_mediatek_enable() and +pwm_mediatek_disable(). This is a preparing change for the next commit +that requires that clocks and the enable bit are handled separately. + +Also move these two functions a bit further up in the source file to +make them usable in pwm_mediatek_config(), which is needed in the next +commit, too. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/55c94fe2917ece152ee1e998f4675642a7716f13.1753717973.git.u.kleine-koenig@baylibre.com +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 60 +++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 32 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -120,6 +120,26 @@ static inline void pwm_mediatek_writel(s + writel(value, chip->regs + pwm_mediatek_reg_offset[num] + offset); + } + ++static void pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm) ++{ ++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); ++ u32 value; ++ ++ value = readl(pc->regs); ++ value |= BIT(pwm->hwpwm); ++ writel(value, pc->regs); ++} ++ ++static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm) ++{ ++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); ++ u32 value; ++ ++ value = readl(pc->regs); ++ value &= ~BIT(pwm->hwpwm); ++ writel(value, pc->regs); ++} ++ + static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, + int duty_ns, int period_ns) + { +@@ -182,35 +202,6 @@ out: + return ret; + } + +-static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm) +-{ +- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); +- u32 value; +- int ret; +- +- ret = pwm_mediatek_clk_enable(chip, pwm); +- if (ret < 0) +- return ret; +- +- value = readl(pc->regs); +- value |= BIT(pwm->hwpwm); +- writel(value, pc->regs); +- +- return 0; +-} +- +-static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm) +-{ +- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); +- u32 value; +- +- value = readl(pc->regs); +- value &= ~BIT(pwm->hwpwm); +- writel(value, pc->regs); +- +- pwm_mediatek_clk_disable(chip, pwm); +-} +- + static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm, + const struct pwm_state *state) + { +@@ -220,8 +211,10 @@ static int pwm_mediatek_apply(struct pwm + return -EINVAL; + + if (!state->enabled) { +- if (pwm->state.enabled) ++ if (pwm->state.enabled) { + pwm_mediatek_disable(chip, pwm); ++ pwm_mediatek_clk_disable(chip, pwm); ++ } + + return 0; + } +@@ -230,8 +223,11 @@ static int pwm_mediatek_apply(struct pwm + if (err) + return err; + +- if (!pwm->state.enabled) +- err = pwm_mediatek_enable(chip, pwm); ++ if (!pwm->state.enabled) { ++ err = pwm_mediatek_clk_enable(chip, pwm); ++ if (!err) ++ pwm_mediatek_enable(chip, pwm); ++ } + + return err; + } diff --git a/queue-5.10/pwm-mediatek-implement-.apply-callback.patch b/queue-5.10/pwm-mediatek-implement-.apply-callback.patch new file mode 100644 index 0000000000..f02049f0cf --- /dev/null +++ b/queue-5.10/pwm-mediatek-implement-.apply-callback.patch @@ -0,0 +1,67 @@ +From stable+bounces-172496-greg=kroah.com@vger.kernel.org Fri Aug 22 21:02:36 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:01:31 -0400 +Subject: pwm: mediatek: Implement .apply() callback +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Thierry Reding" , "Sasha Levin" +Message-ID: <20250822190133.1406293-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit 758de66f4bd2cac2b1d71db917c65c3d611d4e74 ] + +To eventually get rid of all legacy drivers convert this driver to the +modern world implementing .apply(). +This just pushed a variant of pwm_apply_legacy() into the driver that was +slightly simplified because the driver doesn't provide a .set_polarity() +callback. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Thierry Reding +Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -211,10 +211,33 @@ static void pwm_mediatek_disable(struct + pwm_mediatek_clk_disable(chip, pwm); + } + ++static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm, ++ const struct pwm_state *state) ++{ ++ int err; ++ ++ if (state->polarity != PWM_POLARITY_NORMAL) ++ return -EINVAL; ++ ++ if (!state->enabled) { ++ if (pwm->state.enabled) ++ pwm_mediatek_disable(chip, pwm); ++ ++ return 0; ++ } ++ ++ err = pwm_mediatek_config(pwm->chip, pwm, state->duty_cycle, state->period); ++ if (err) ++ return err; ++ ++ if (!pwm->state.enabled) ++ err = pwm_mediatek_enable(chip, pwm); ++ ++ return err; ++} ++ + static const struct pwm_ops pwm_mediatek_ops = { +- .config = pwm_mediatek_config, +- .enable = pwm_mediatek_enable, +- .disable = pwm_mediatek_disable, ++ .apply = pwm_mediatek_apply, + .owner = THIS_MODULE, + }; + diff --git a/queue-5.10/series b/queue-5.10/series index b0275b3be5..ca02c6efca 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -467,3 +467,27 @@ soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch usb-musb-omap2430-fix-device-leak-at-unbind.patch btrfs-populate-otime-when-logging-an-inode-item.patch +acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch +minmax-add-umin-a-b-and-umax-a-b.patch +ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch +platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch +platform-chrome-cros_ec-use-per-device-lockdep-key.patch +platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch +platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch +pwm-mediatek-implement-.apply-callback.patch +pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch +pwm-mediatek-fix-duty-and-period-setting.patch +locking-barriers-kcsan-support-generic-instrumentation.patch +asm-generic-add-memory-barrier-dma_mb.patch +wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch +media-v4l2-ctrls-always-copy-the-controls-on-completion.patch +media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch +media-venus-don-t-de-reference-null-pointers-at-irq-time.patch +media-venus-hfi-explicitly-release-irq-during-teardown.patch +media-venus-add-support-for-ssr-trigger-using-fault-injection.patch +media-venus-protect-against-spurious-interrupts-during-probe.patch +drm-amd-display-don-t-overclock-dce-6-by-15.patch +drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch +media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch +f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch +media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch diff --git a/queue-5.10/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch b/queue-5.10/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch new file mode 100644 index 0000000000..3cf698c955 --- /dev/null +++ b/queue-5.10/wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch @@ -0,0 +1,65 @@ +From stable+bounces-172512-greg=kroah.com@vger.kernel.org Fri Aug 22 21:54:04 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:53:30 -0400 +Subject: wifi: ath11k: fix dest ring-buffer corruption when ring is full +To: stable@vger.kernel.org +Cc: Johan Hovold , Baochen Qiang , Jeff Johnson , Sasha Levin +Message-ID: <20250822195330.1458412-3-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit aa6956150f820e6a6deba44be325ddfcb5b10f88 ] + +Add the missing memory barriers to make sure that destination ring +descriptors are read before updating the tail pointer (and passing +ownership to the device) to avoid memory corruption on weakly ordered +architectures like aarch64 when the ring is full. + +Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Johan Hovold +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -833,7 +833,6 @@ void ath11k_hal_srng_access_end(struct a + { + lockdep_assert_held(&srng->lock); + +- /* TODO: See if we need a write memory barrier here */ + if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) { + /* For LMAC rings, ring pointer updates are done through FW and + * hence written to a shared memory location that is read by FW +@@ -848,7 +847,11 @@ void ath11k_hal_srng_access_end(struct a + WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp); + } else { + srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; +- *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp; ++ /* Make sure descriptor is read before updating the ++ * tail pointer. ++ */ ++ dma_mb(); ++ WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp); + } + } else { + if (srng->ring_dir == HAL_SRNG_DIR_SRC) { +@@ -864,6 +867,10 @@ void ath11k_hal_srng_access_end(struct a + srng->u.src_ring.hp); + } else { + srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; ++ /* Make sure descriptor is read before updating the ++ * tail pointer. ++ */ ++ mb(); + ath11k_hif_write32(ab, + (unsigned long)srng->u.dst_ring.tp_addr - + (unsigned long)ab->mem,