From: Greg Kroah-Hartman
Date: Tue, 4 Feb 2025 17:54:51 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v6.6.76~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c8717b988184a9029bfe0440bf54b0dae6bcd4a8;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
media-imx-jpeg-fix-potential-error-pointer-dereference-in-detach_pm.patch
media-uvcvideo-fix-double-free-in-error-path.patch
mptcp-handle-fastopen-disconnect-correctly.patch
remoteproc-core-fix-ida_free-call-while-not-allocated.patch
staging-media-max96712-fix-kernel-oops-when-removing-module.patch
usb-gadget-f_tcm-don-t-free-command-immediately.patch
---
diff --git a/queue-6.1/media-imx-jpeg-fix-potential-error-pointer-dereference-in-detach_pm.patch b/queue-6.1/media-imx-jpeg-fix-potential-error-pointer-dereference-in-detach_pm.patch
new file mode 100644
index 0000000000..4616f61e33
--- /dev/null
+++ b/queue-6.1/media-imx-jpeg-fix-potential-error-pointer-dereference-in-detach_pm.patch
@@ -0,0 +1,46 @@
+From 1378ffec30367233152b7dbf4fa6a25ee98585d1 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 17 Oct 2024 23:34:16 +0300
+Subject: media: imx-jpeg: Fix potential error pointer dereference in detach_pm()
+
+From: Dan Carpenter
+
+commit 1378ffec30367233152b7dbf4fa6a25ee98585d1 upstream.
+
+The proble is on the first line:
+
+ if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i]))
+
+If jpeg->pd_dev[i] is an error pointer, then passing it to
+pm_runtime_suspended() will lead to an Oops. The other conditions
+check for both error pointers and NULL, but it would be more clear to
+use the IS_ERR_OR_NULL() check for that.
+
+Fixes: fd0af4cd35da ("media: imx-jpeg: Ensure power suppliers be suspended before detach them")
+Cc:
+Signed-off-by: Dan Carpenter
+Reviewed-by: Ming Qian
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
++++ b/drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c
+@@ -2097,11 +2097,12 @@ static void mxc_jpeg_detach_pm_domains(s
+ int i;
+
+ for (i = 0; i < jpeg->num_domains; i++) {
+- if (jpeg->pd_dev[i] && !pm_runtime_suspended(jpeg->pd_dev[i]))
++ if (!IS_ERR_OR_NULL(jpeg->pd_dev[i]) &&
++ !pm_runtime_suspended(jpeg->pd_dev[i]))
+ pm_runtime_force_suspend(jpeg->pd_dev[i]);
+- if (jpeg->pd_link[i] && !IS_ERR(jpeg->pd_link[i]))
++ if (!IS_ERR_OR_NULL(jpeg->pd_link[i]))
+ device_link_del(jpeg->pd_link[i]);
+- if (jpeg->pd_dev[i] && !IS_ERR(jpeg->pd_dev[i]))
++ if (!IS_ERR_OR_NULL(jpeg->pd_dev[i]))
+ dev_pm_domain_detach(jpeg->pd_dev[i], true);
+ jpeg->pd_dev[i] = NULL;
+ jpeg->pd_link[i] = NULL;
diff --git a/queue-6.1/media-uvcvideo-fix-double-free-in-error-path.patch b/queue-6.1/media-uvcvideo-fix-double-free-in-error-path.patch
new file mode 100644
index 0000000000..fe1daeb4de
--- /dev/null
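Review bot: The three `IS_ERR_OR_NULL()` tests in the loop depend on `pd_dev[i]` and `pd_link[i]` legitimately holding an ERR_PTR left behind by a failed attach, and nothing in the function says so; a one-line comment above the `for` would keep a later cleanup from "simplifying" them back to a NULL test: `/* pd_dev[i] / pd_link[i] may hold an ERR_PTR from a failed attach, hence IS_ERR_OR_NULL() */`. The return value of `pm_runtime_force_suspend()` on the line after the new check is still discarded; that is unchanged by this commit, but since the domain is detached a few lines later regardless, a `dev_warn()` on failure there seems worth considering. `mxc_jpeg_detach_pm_domains()` begins before the hunk and its closing braces lie after it.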
+++ b/queue-6.1/media-uvcvideo-fix-double-free-in-error-path.patch
@@ -0,0 +1,36 @@
+From c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart
+Date: Fri, 8 Nov 2024 01:51:30 +0200
+Subject: media: uvcvideo: Fix double free in error path
+
+From: Laurent Pinchart
+
+commit c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac upstream.
+
+If the uvc_status_init() function fails to allocate the int_urb, it will
+free the dev->status pointer but doesn't reset the pointer to NULL. This
+results in the kfree() call in uvc_status_cleanup() trying to
+double-free the memory. Fix it by resetting the dev->status pointer to
+NULL after freeing it.
+
+Fixes: a31a4055473b ("V4L/DVB:usbvideo:don't use part of buffer for USB transfer #4")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241107235130.31372-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Laurent Pinchart
+Reviewed by: Ricardo Ribalda
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_status.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/usb/uvc/uvc_status.c
++++ b/drivers/media/usb/uvc/uvc_status.c
+@@ -267,6 +267,7 @@ int uvc_status_init(struct uvc_device *d
+ dev->int_urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (dev->int_urb == NULL) {
+ kfree(dev->status);
++ dev->status = NULL;
+ return -ENOMEM;
+ }
+
diff --git a/queue-6.1/mptcp-consolidate-suboption-status.patch b/queue-6.1/mptcp-consolidate-suboption-status.patch
index 2857308dfb..582b970bf0 100644
--- a/queue-6.1/mptcp-consolidate-suboption-status.patch
+++ b/queue-6.1/mptcp-consolidate-suboption-status.patch
@@ -245,15 +245,13 @@ Link: https://patch.msgid.link/20250123-net-mptcp-syzbot-issues-v1-1-af73258a726
 Signed-off-by: Jakub Kicinski
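Review bot: The added `dev->status = NULL;` closes the double free, but the reason it is required lives only in the commit message; a comment on the new line would record the contract with the teardown path so the reset is not dropped as "redundant" later: `/* uvc_status_cleanup() kfree()s dev->status unconditionally */`. Freeing `dev->status` inline on the `usb_alloc_urb()` failure path and then nulling it is correct, but if the rest of the function (not visible) already has an unwind label that releases `dev->status`, jumping there instead would remove the hand-maintained symmetry altogether. `uvc_status_init()` starts before and ends after the hunk.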
Signed-off-by: Greg Kroah-Hartman
 ---
- net/mptcp/options.c | 13 +++++--------
- net/mptcp/protocol.h | 30 ++++++++++++++++--------------
+ net/mptcp/options.c | 13 +++++--------
+ net/mptcp/protocol.h | 30 ++++++++++++++++--------------
 2 files changed, 21 insertions(+), 22 deletions(-)
-diff --git a/net/mptcp/options.c b/net/mptcp/options.c
-index 123f3f297284..fd2de185bc93 100644
 --- a/net/mptcp/options.c
 +++ b/net/mptcp/options.c
-@@ -108,7 +108,6 @@ static void mptcp_parse_option(const struct sk_buff *skb,
+@@ -103,7 +103,6 @@ static void mptcp_parse_option(const str
 mp_opt->suboptions |= OPTION_MPTCP_DSS;
 mp_opt->use_map = 1;
 mp_opt->mpc_map = 1;
@@ -261,7 +259,7 @@ index 123f3f297284..fd2de185bc93 100644
 mp_opt->data_len = get_unaligned_be16(ptr);
 ptr += 2;
 }
-@@ -157,11 +156,6 @@ static void mptcp_parse_option(const struct sk_buff *skb,
+@@ -152,11 +151,6 @@ static void mptcp_parse_option(const str
 pr_debug("DSS\n");
 ptr++;
@@ -273,7 +271,7 @@ index 123f3f297284..fd2de185bc93 100644
 flags = (*ptr++) & MPTCP_DSS_FLAG_MASK;
 mp_opt->data_fin = (flags & MPTCP_DSS_DATA_FIN) != 0;
 mp_opt->dsn64 = (flags & MPTCP_DSS_DSN64) != 0;
-@@ -369,8 +363,11 @@ void mptcp_get_options(const struct sk_buff *skb,
+@@ -364,8 +358,11 @@ void mptcp_get_options(const struct sk_b
 const unsigned char *ptr;
 int length;
@@ -287,11 +285,9 @@ index 123f3f297284..fd2de185bc93 100644
 length = (th->doff * 4) - sizeof(struct tcphdr);
 ptr = (const unsigned char *)(th + 1);
-diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
-index 0174a5aad279..f6a207958459 100644
 --- a/net/mptcp/protocol.h
 +++ b/net/mptcp/protocol.h
-@@ -149,22 +149,24 @@ struct mptcp_options_received {
+@@ -141,22 +141,24 @@ struct mptcp_options_received {
 u32 subflow_seq;
 u16 data_len;
 __sum16 csum;
@@ -330,6 +326,3 @@ index 0174a5aad279..f6a207958459 100644
 u64 thmac;
 u8 hmac[MPTCPOPT_HMAC_LEN];
 struct mptcp_addr_info addr;
---
-2.48.1
-
diff --git a/queue-6.1/mptcp-handle-fastopen-disconnect-correctly.patch b/queue-6.1/mptcp-handle-fastopen-disconnect-correctly.patch
new file mode 100644
index 0000000000..87e85aa448
--- /dev/null
+++ b/queue-6.1/mptcp-handle-fastopen-disconnect-correctly.patch
@@ -0,0 +1,92 @@
+From 619af16b3b57a3a4ee50b9a30add9ff155541e71 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni
+Date: Thu, 23 Jan 2025 19:05:56 +0100
+Subject: mptcp: handle fastopen disconnect correctly
+
+From: Paolo Abeni
+
+commit 619af16b3b57a3a4ee50b9a30add9ff155541e71 upstream.
+
+Syzbot was able to trigger a data stream corruption:
+
+ WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
+ Modules linked in:
+ CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzkaller-00059-g00a5acdbf398 #0
+ Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
+ RIP: 0010:__mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024
+ Code: fa ff ff 48 8b 4c 24 18 80 e1 07 fe c1 38 c1 0f 8c 8e fa ff ff 48 8b 7c 24 18 e8 e0 db 54 f6 e9 7f fa ff ff e8 e6 80 ee f5 90 <0f> 0b 90 4c 8b 6c 24 40 4d 89 f4 e9 04 f5 ff ff 44 89 f1 80 e1 07
+ RSP: 0018:ffffc9000c0cf400 EFLAGS: 00010293
+ RAX: ffffffff8bb0dd5a RBX: ffff888033f5d230 RCX: ffff888059ce8000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffffc9000c0cf518 R08: ffffffff8bb0d1dd R09: 1ffff110170c8928
+ R10: dffffc0000000000 R11: ffffed10170c8929 R12: 0000000000000000
+ R13: ffff888033f5d220 R14: dffffc0000000000 R15: ffff8880592b8000
+ FS: 00007f6e866496c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f6e86f491a0 CR3: 00000000310e6000 CR4: 00000000003526f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+
+ __mptcp_clean_una_wakeup+0x7f/0x2d0 net/mptcp/protocol.c:1074
+ mptcp_release_cb+0x7cb/0xb30 net/mptcp/protocol.c:3493
+ release_sock+0x1aa/0x1f0 net/core/sock.c:3640
+ inet_wait_for_connect net/ipv4/af_inet.c:609 [inline]
+ __inet_stream_connect+0x8bd/0xf30 net/ipv4/af_inet.c:703
+ mptcp_sendmsg_fastopen+0x2a2/0x530 net/mptcp/protocol.c:1755
+ mptcp_sendmsg+0x1884/0x1b10 net/mptcp/protocol.c:1830
+ sock_sendmsg_nosec net/socket.c:711 [inline]
+ __sock_sendmsg+0x1a6/0x270 net/socket.c:726
+ ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2583
+ ___sys_sendmsg net/socket.c:2637 [inline]
+ __sys_sendmsg+0x269/0x350 net/socket.c:2669
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7f6e86ebfe69
+ Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 1f 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+ RSP: 002b:00007f6e86649168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007f6e86f491b8 RCX: 00007f6e86ebfe69
+ RDX: 0000000030004001 RSI: 0000000020000080 RDI: 0000000000000003
+ RBP: 00007f6e86f491b0 R08: 00007f6e866496c0 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 00007f6e86f491bc
+ R13: 000000000000006e R14: 00007ffe445d9420 R15: 00007ffe445d9508
+
+
+The root cause is the bad handling of disconnect() generated internally
+by the MPTCP protocol in case of connect FASTOPEN errors.
+
+Address the issue increasing the socket disconnect counter even on such
+a case, to allow other threads waiting on the same socket lock to
+properly error out.
+
+Fixes: c2b2ae3925b6 ("mptcp: handle correctly disconnect() failures")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+ebc0b8ae5d3590b2c074@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/67605870.050a0220.37aaf.0137.GAE@google.com
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/537
+Tested-by: syzbot+ebc0b8ae5d3590b2c074@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni
+Reviewed-by: Matthieu Baerts (NGI0)
+Signed-off-by: Matthieu Baerts (NGI0)
+Link: https://patch.msgid.link/20250123-net-mptcp-syzbot-issues-v1-3-af73258a726f@kernel.org
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mptcp/protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -1779,8 +1779,10 @@ static int mptcp_sendmsg_fastopen(struct
+ * see mptcp_disconnect().
+ * Attempt it again outside the problematic scope.
+ */
+- if (!mptcp_disconnect(sk, 0))
++ if (!mptcp_disconnect(sk, 0)) {
++ sk->sk_disconnects++;
+ sk->sk_socket->state = SS_UNCONNECTED;
++ }
+ }
+
+ return ret;
diff --git a/queue-6.1/remoteproc-core-fix-ida_free-call-while-not-allocated.patch b/queue-6.1/remoteproc-core-fix-ida_free-call-while-not-allocated.patch
new file mode 100644
index 0000000000..daf3fa0975
--- /dev/null
+++ b/queue-6.1/remoteproc-core-fix-ida_free-call-while-not-allocated.patch
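Review bot: The new `sk->sk_disconnects++;` is added under a comment block that only explains the disconnect retry (`see mptcp_disconnect(). Attempt it again outside the problematic scope.`), so the purpose of the counter bump is documented nowhere in the code; a comment on the new line would preserve it: `/* bump sk_disconnects so connect() waiters (inet_wait_for_connect() in the trace above) see the reset and error out */`. The increment is placed inside `if (!mptcp_disconnect(sk, 0))`, so a retry that fails again leaves the counter untouched; the commit message suggests that is intended, but a short note saying so would stop it from reading as an oversight. `mptcp_sendmsg_fastopen()` starts before the hunk.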
@@ -0,0 +1,81 @@
+From 7378aeb664e5ebc396950b36a1f2dedf5aabec20 Mon Sep 17 00:00:00 2001
+From: Arnaud Pouliquen
+Date: Fri, 22 Nov 2024 18:51:27 +0100
+Subject: remoteproc: core: Fix ida_free call while not allocated
+
+From: Arnaud Pouliquen
+
+commit 7378aeb664e5ebc396950b36a1f2dedf5aabec20 upstream.
+
+In the rproc_alloc() function, on error, put_device(&rproc->dev) is
+called, leading to the call of the rproc_type_release() function.
+An error can occurs before ida_alloc is called.
+
+In such case in rproc_type_release(), the condition (rproc->index >= 0) is
+true as rproc->index has been initialized to 0.
+ida_free() is called reporting a warning:
+[ 4.181906] WARNING: CPU: 1 PID: 24 at lib/idr.c:525 ida_free+0x100/0x164
+[ 4.186378] stm32-display-dsi 5a000000.dsi: Fixed dependency cycle(s) with /soc/dsi@5a000000/panel@0
+[ 4.188854] ida_free called for id=0 which is not allocated.
+[ 4.198256] mipi-dsi 5a000000.dsi.0: Fixed dependency cycle(s) with /soc/dsi@5a000000
+[ 4.203556] Modules linked in: panel_orisetech_otm8009a dw_mipi_dsi_stm(+) gpu_sched dw_mipi_dsi stm32_rproc stm32_crc32 stm32_ipcc(+) optee(+)
+[ 4.224307] CPU: 1 UID: 0 PID: 24 Comm: kworker/u10:0 Not tainted 6.12.0 #442
+[ 4.231481] Hardware name: STM32 (Device Tree Support)
+[ 4.236627] Workqueue: events_unbound deferred_probe_work_func
+[ 4.242504] Call trace:
+[ 4.242522] unwind_backtrace from show_stack+0x10/0x14
+[ 4.250218] show_stack from dump_stack_lvl+0x50/0x64
+[ 4.255274] dump_stack_lvl from __warn+0x80/0x12c
+[ 4.260134] __warn from warn_slowpath_fmt+0x114/0x188
+[ 4.265199] warn_slowpath_fmt from ida_free+0x100/0x164
+[ 4.270565] ida_free from rproc_type_release+0x38/0x60
+[ 4.275832] rproc_type_release from device_release+0x30/0xa0
+[ 4.281601] device_release from kobject_put+0xc4/0x294
+[ 4.286762] kobject_put from rproc_alloc.part.0+0x208/0x28c
+[ 4.292430] rproc_alloc.part.0 from devm_rproc_alloc+0x80/0xc4
+[ 4.298393] devm_rproc_alloc from stm32_rproc_probe+0xd0/0x844 [stm32_rproc]
+[ 4.305575] stm32_rproc_probe [stm32_rproc] from platform_probe+0x5c/0xbc
+
+Calling ida_alloc earlier in rproc_alloc ensures that the rproc->index is
+properly set.
+
+Fixes: 08333b911f01 ("remoteproc: Directly use ida_alloc()/free()")
+Signed-off-by: Arnaud Pouliquen
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241122175127.2188037-1-arnaud.pouliquen@foss.st.com
+Signed-off-by: Mathieu Poirier
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/remoteproc/remoteproc_core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -2464,6 +2464,13 @@ struct rproc *rproc_alloc(struct device
+ rproc->dev.driver_data = rproc;
+ idr_init(&rproc->notifyids);
+
++ /* Assign a unique device index and name */
++ rproc->index = ida_alloc(&rproc_dev_index, GFP_KERNEL);
++ if (rproc->index < 0) {
++ dev_err(dev, "ida_alloc failed: %d\n", rproc->index);
++ goto put_device;
++ }
++
+ rproc->name = kstrdup_const(name, GFP_KERNEL);
+ if (!rproc->name)
+ goto put_device;
+@@ -2474,13 +2481,6 @@ struct rproc *rproc_alloc(struct device
+ if (rproc_alloc_ops(rproc, ops))
+ goto put_device;
+
+- /* Assign a unique device index and name */
+- rproc->index = ida_alloc(&rproc_dev_index, GFP_KERNEL);
+- if (rproc->index < 0) {
+- dev_err(dev, "ida_alloc failed: %d\n", rproc->index);
+- goto put_device;
+- }
+-
+ dev_set_name(&rproc->dev, "remoteproc%d", rproc->index);
+
+ atomic_set(&rproc->power, 0);
diff --git a/queue-6.1/series b/queue-6.1/series
index d0727ca2a2..922f432cb7 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
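Review bot: Moving `ida_alloc()` up only narrows the window rather than removing the root cause: per the commit message `rproc->index` starts at 0, which `rproc_type_release()` treats as an allocated ID, so any `goto put_device` that still sits between the `rproc` allocation and the new `ida_alloc()` call (outside this hunk, so not checkable here) would raise the same `ida_free()` warning. Initialising the field to an invalid value before the first error exit, e.g. `rproc->index = -1;` right after `rproc` is allocated, would make the `index >= 0` test in the release callback correct regardless of statement ordering, and the relocated block would then be purely a tidy-up. `rproc_alloc()` begins before the first hunk and ends after the second.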
@@ -270,3 +270,9 @@ usb-dwc3-core-defer-the-probe-until-usb-power-supply-ready.patch
 usb-typec-tcpm-set-src_send_capabilities-timeout-to-pd_t_sender_response.patch
 usb-typec-tcpci-prevent-sink-disconnection-before-vppsshutdown-in-spr-pps.patch
 mptcp-consolidate-suboption-status.patch
+mptcp-handle-fastopen-disconnect-correctly.patch
+remoteproc-core-fix-ida_free-call-while-not-allocated.patch
+media-uvcvideo-fix-double-free-in-error-path.patch
+usb-gadget-f_tcm-don-t-free-command-immediately.patch
+staging-media-max96712-fix-kernel-oops-when-removing-module.patch
+media-imx-jpeg-fix-potential-error-pointer-dereference-in-detach_pm.patch
diff --git a/queue-6.1/staging-media-max96712-fix-kernel-oops-when-removing-module.patch b/queue-6.1/staging-media-max96712-fix-kernel-oops-when-removing-module.patch
new file mode 100644
index 0000000000..453a1ba144
--- /dev/null
+++ b/queue-6.1/staging-media-max96712-fix-kernel-oops-when-removing-module.patch
@@ -0,0 +1,113 @@
+From ee1b5046d5cd892a0754ab982aeaaad3702083a5 Mon Sep 17 00:00:00 2001
+From: Laurentiu Palcu
+Date: Tue, 17 Dec 2024 08:51:50 +0200
+Subject: staging: media: max96712: fix kernel oops when removing module
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Laurentiu Palcu
+
+commit ee1b5046d5cd892a0754ab982aeaaad3702083a5 upstream.
+
+The following kernel oops is thrown when trying to remove the max96712
+module:
+
+Unable to handle kernel paging request at virtual address 00007375746174db
+Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+Data abort info:
+ ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af89000
+[00007375746174db] pgd=0000000000000000, p4d=0000000000000000
+Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+Modules linked in: crct10dif_ce polyval_ce mxc_jpeg_encdec flexcan
+ snd_soc_fsl_sai snd_soc_fsl_asoc_card snd_soc_fsl_micfil dwc_mipi_csi2
+ imx_csi_formatter polyval_generic v4l2_jpeg imx_pcm_dma can_dev
+ snd_soc_imx_audmux snd_soc_wm8962 snd_soc_imx_card snd_soc_fsl_utils
+ max96712(C-) rpmsg_ctrl rpmsg_char pwm_fan fuse
+ [last unloaded: imx8_isi]
+CPU: 0 UID: 0 PID: 754 Comm: rmmod
+ Tainted: G C 6.12.0-rc6-06364-g327fec852c31 #17
+Tainted: [C]=CRAP
+Hardware name: NXP i.MX95 19X19 board (DT)
+pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : led_put+0x1c/0x40
+lr : v4l2_subdev_put_privacy_led+0x48/0x58
+sp : ffff80008699bbb0
+x29: ffff80008699bbb0 x28: ffff00008ac233c0 x27: 0000000000000000
+x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
+x23: ffff000080cf1170 x22: ffff00008b53bd00 x21: ffff8000822ad1c8
+x20: ffff000080ff5c00 x19: ffff00008b53be40 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+x14: 0000000000000004 x13: ffff0000800f8010 x12: 0000000000000000
+x11: ffff000082acf5c0 x10: ffff000082acf478 x9 : ffff0000800f8010
+x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
+x5 : 8080808000000000 x4 : 0000000000000020 x3 : 00000000553a3dc1
+x2 : ffff00008ac233c0 x1 : ffff00008ac233c0 x0 : ff00737574617473
+Call trace:
+ led_put+0x1c/0x40
+ v4l2_subdev_put_privacy_led+0x48/0x58
+ v4l2_async_unregister_subdev+0x2c/0x1a4
+ max96712_remove+0x1c/0x38 [max96712]
+ i2c_device_remove+0x2c/0x9c
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1cc/0x228
+ driver_detach+0x4c/0x98
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ i2c_del_driver+0x54/0x64
+ max96712_i2c_driver_exit+0x18/0x1d0 [max96712]
+ __arm64_sys_delete_module+0x1a4/0x290
+ invoke_syscall+0x48/0x10c
+ el0_svc_common.constprop.0+0xc0/0xe0
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x34/0xd8
+ el0t_64_sync_handler+0x120/0x12c
+ el0t_64_sync+0x190/0x194
+Code: f9000bf3 aa0003f3 f9402800 f9402000 (f9403400)
+---[ end trace 0000000000000000 ]---
+
+This happens because in v4l2_i2c_subdev_init(), the i2c_set_cliendata()
+is called again and the data is overwritten to point to sd, instead of
+priv. So, in remove(), the wrong pointer is passed to
+v4l2_async_unregister_subdev(), leading to a crash.
+
+Fixes: 5814f32fef13 ("media: staging: max96712: Add basic support for MAX96712 GMSL2 deserializer")
+Signed-off-by: Laurentiu Palcu
+Cc: stable@vger.kernel.org
+Reviewed-by: Niklas Söderlund
+Reviewed-by: Ricardo Ribalda
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/media/max96712/max96712.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/max96712/max96712.c
++++ b/drivers/staging/media/max96712/max96712.c
+@@ -376,7 +376,6 @@ static int max96712_probe(struct i2c_cli
+ return -ENOMEM;
+
+ priv->client = client;
+- i2c_set_clientdata(client, priv);
+
+ priv->regmap = devm_regmap_init_i2c(client, &max96712_i2c_regmap);
+ if (IS_ERR(priv->regmap))
+@@ -409,7 +408,8 @@ static int max96712_probe(struct i2c_cli
+
+ static void max96712_remove(struct i2c_client *client)
+ {
+- struct max96712_priv *priv = i2c_get_clientdata(client);
++ struct v4l2_subdev *sd = i2c_get_clientdata(client);
++ struct max96712_priv *priv = container_of(sd, struct max96712_priv, sd);
+
+ v4l2_async_unregister_subdev(&priv->sd);
+
diff --git a/queue-6.1/usb-gadget-f_tcm-don-t-free-command-immediately.patch b/queue-6.1/usb-gadget-f_tcm-don-t-free-command-immediately.patch
new file mode 100644
index 0000000000..c6e95575eb
--- /dev/null
+++ b/queue-6.1/usb-gadget-f_tcm-don-t-free-command-immediately.patch
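Review bot: The rewritten `max96712_remove()` recovers `priv` with `container_of()` from the clientdata, but nothing in the driver now states what the clientdata holds: the probe hunk deletes the explicit `i2c_set_clientdata(client, priv)` and the commit message says `v4l2_i2c_subdev_init()` (called between the two hunks, not visible here) stores the subdev pointer instead. A comment on the `sd` line would record that dependency so a later edit does not reintroduce the mismatch: `/* clientdata is &priv->sd, installed by v4l2_i2c_subdev_init() */`. As a matter of style, `v4l2_async_unregister_subdev(&priv->sd)` could just pass `sd`; whether `priv` is needed at all depends on the rest of the function after the hunk.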
@@ -0,0 +1,40 @@
+From c225d006a31949d673e646d585d9569bc28feeb9 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen
+Date: Wed, 11 Dec 2024 00:31:36 +0000
+Subject: usb: gadget: f_tcm: Don't free command immediately
+
+From: Thinh Nguyen
+
+commit c225d006a31949d673e646d585d9569bc28feeb9 upstream.
+
+Don't prematurely free the command. Wait for the status completion of
+the sense status. It can be freed then. Otherwise we will double-free
+the command.
+
+Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen
+Link: https://lore.kernel.org/r/ae919ac431f16275e05ec819bdffb3ac5f44cbe1.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_tcm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -1066,7 +1066,6 @@ static void usbg_cmd_work(struct work_st
+ out:
+ transport_send_check_condition_and_sense(se_cmd,
+ TCM_UNSUPPORTED_SCSI_OPCODE, 1);
+- transport_generic_free_cmd(&cmd->se_cmd, 0);
+ }
+
+ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
+@@ -1195,7 +1194,6 @@ static void bot_cmd_work(struct work_str
+ out:
+ transport_send_check_condition_and_sense(se_cmd,
+ TCM_UNSUPPORTED_SCSI_OPCODE, 1);
+- transport_generic_free_cmd(&cmd->se_cmd, 0);
+ }
+
+ static int bot_submit_command(struct f_uas *fu,
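Review bot: After this change both `out:` labels, in `usbg_cmd_work()` and `bot_cmd_work()`, send the check condition and fall off the end without releasing `cmd`, so the only thing preventing a leak is a release in the status-completion path that neither hunk shows; a comment at each label would record that ownership hand-off explicitly: `/* cmd is released when the sense status completes (TARGET_SCF_ACK_KREF); do not free it here */`. Without such a note the asymmetry with any other error exit in these functions, which are not visible, invites someone to re-add the `transport_generic_free_cmd()` call and reintroduce the double free. Both functions begin before their respective hunks.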