From: Greg Kroah-Hartman Date: Mon, 5 Jan 2026 11:12:33 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.12.64~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c98361defa36d68fb60cefa28a21dac8bbe1c75;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: dm-bufio-align-write-boundary-on-physical-block-size.patch dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch loongarch-correct-the-calculation-logic-of-thread_count.patch loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch media-cec-fix-debugfs-leak-on-bus_register-failure.patch media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch media-vpif_capture-fix-section-mismatch.patch media-vpif_display-fix-section-mismatch.patch parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch --- diff --git a/queue-6.1/dm-bufio-align-write-boundary-on-physical-block-size.patch b/queue-6.1/dm-bufio-align-write-boundary-on-physical-block-size.patch new file mode 100644 index 0000000000..89bc30b7ce --- /dev/null +++ b/queue-6.1/dm-bufio-align-write-boundary-on-physical-block-size.patch @@ -0,0 +1,53 @@ +From d0ac06ae53be0cdb61f5fe6b62d25d3317c51657 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 20 Oct 2025 14:48:13 +0200 +Subject: dm-bufio: align write boundary on physical block size + +From: Mikulas Patocka + +commit d0ac06ae53be0cdb61f5fe6b62d25d3317c51657 upstream. + +There may be devices with physical block size larger than 4k. + +If dm-bufio sends I/O that is not aligned on physical block size, +performance is degraded. + +The 4k minimum alignment limit is there because some SSDs report logical +and physical block size 512 despite having 4k internally - so dm-bufio +shouldn't send I/Os not aligned on 4k boundary, because they perform +badly (the SSD does read-modify-write for them). + +Signed-off-by: Mikulas Patocka +Reported-by: Uladzislau Rezki (Sony) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-bufio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -686,7 +686,7 @@ static void submit_io(struct dm_buffer * + { + unsigned int n_sectors; + sector_t sector; +- unsigned int offset, end; ++ unsigned int offset, end, align; + + b->end_io = end_io; + +@@ -700,9 +700,11 @@ static void submit_io(struct dm_buffer * + b->c->write_callback(b); + offset = b->write_start; + end = b->write_end; +- offset &= -DM_BUFIO_WRITE_ALIGN; +- end += DM_BUFIO_WRITE_ALIGN - 1; +- end &= -DM_BUFIO_WRITE_ALIGN; ++ align = max(DM_BUFIO_WRITE_ALIGN, ++ bdev_physical_block_size(b->c->bdev)); ++ offset &= -align; ++ end += align - 1; ++ end &= -align; + if (unlikely(end > b->c->block_size)) + end = b->c->block_size; + diff --git a/queue-6.1/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch b/queue-6.1/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch new file mode 100644 index 0000000000..a6141fa6f7 --- /dev/null +++ b/queue-6.1/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch @@ -0,0 +1,118 @@ +From 7fa3e7d114abc9cc71cc35d768e116641074ddb4 Mon Sep 17 00:00:00 2001 +From: "Uladzislau Rezki (Sony)" +Date: Mon, 17 Nov 2025 11:59:45 +0100 +Subject: dm-ebs: Mark full buffer dirty even on partial write + +From: Uladzislau Rezki (Sony) + +commit 7fa3e7d114abc9cc71cc35d768e116641074ddb4 upstream. + +When performing a read-modify-write(RMW) operation, any modification +to a buffered block must cause the entire buffer to be marked dirty. + +Marking only a subrange as dirty is incorrect because the underlying +device block size(ubs) defines the minimum read/write granularity. A +lower device can perform I/O only on regions which are fully aligned +and sized to ubs. + +This change ensures that write-back operations always occur in full +ubs-sized chunks, matching the intended emulation semantics of the +EBS target. + +As for user space visible impact, submitting sub-ubs and misaligned +I/O for devices which are tuned to ubs sizes only, will reject such +requests, therefore it can lead to losing data. Example: + +1) Create a 8K nvme device in qemu by adding + +-device nvme,drive=drv0,serial=foo,logical_block_size=8192,physical_block_size=8192 + +2) Setup dm-ebs to emulate 512B to 8K mapping + +urezki@pc638:~/bin$ cat dmsetup.sh + +lower=/dev/nvme0n1 +len=$(blockdev --getsz "$lower") + +echo "0 $len ebs $lower 0 1 16" | dmsetup create nvme-8k +urezki@pc638:~/bin$ + +offset 0, ebs=1 and ubs=16(in sectors). + +3) Create an ext4 filesystem(default 4K block size) + +urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0 +mke2fs 1.47.0 (5-Feb-2023) +Discarding device blocks: done +Creating filesystem with 2072576 4k blocks and 518144 inodes +Filesystem UUID: bd0b6ca6-0506-4e31-86da-8d22c9d50b63 +Superblock backups stored on blocks: + 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632 + +Allocating group tables: done +Writing inode tables: done +Creating journal (16384 blocks): done +Writing superblocks and filesystem accounting information: mkfs.ext4: Input/output error while writing out and closing file system +urezki@pc638:~/bin$ dmesg + + +[ 1618.875449] buffer_io_error: 1028 callbacks suppressed +[ 1618.875456] Buffer I/O error on dev dm-0, logical block 0, lost async page write +[ 1618.875527] Buffer I/O error on dev dm-0, logical block 1, lost async page write +[ 1618.875602] Buffer I/O error on dev dm-0, logical block 2, lost async page write +[ 1618.875620] Buffer I/O error on dev dm-0, logical block 3, lost async page write +[ 1618.875639] Buffer I/O error on dev dm-0, logical block 4, lost async page write +[ 1618.894316] Buffer I/O error on dev dm-0, logical block 5, lost async page write +[ 1618.894358] Buffer I/O error on dev dm-0, logical block 6, lost async page write +[ 1618.894380] Buffer I/O error on dev dm-0, logical block 7, lost async page write +[ 1618.894405] Buffer I/O error on dev dm-0, logical block 8, lost async page write +[ 1618.894427] Buffer I/O error on dev dm-0, logical block 9, lost async page write + + +Many I/O errors because the lower 8K device rejects sub-ubs/misaligned +requests. + +with a patch: + +urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0 +mke2fs 1.47.0 (5-Feb-2023) +Discarding device blocks: done +Creating filesystem with 2072576 4k blocks and 518144 inodes +Filesystem UUID: 9b54f44f-ef55-4bd4-9e40-c8b775a616ac +Superblock backups stored on blocks: + 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632 + +Allocating group tables: done +Writing inode tables: done +Creating journal (16384 blocks): done +Writing superblocks and filesystem accounting information: done + +urezki@pc638:~/bin$ sudo mount /dev/dm-0 /mnt/ +urezki@pc638:~/bin$ ls -al /mnt/ +total 24 +drwxr-xr-x 3 root root 4096 Oct 17 15:13 . +drwxr-xr-x 19 root root 4096 Jul 10 19:42 .. +drwx------ 2 root root 16384 Oct 17 15:13 lost+found +urezki@pc638:~/bin$ + +After this change: mkfs completes; mount succeeds. + +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ebs-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -102,7 +102,7 @@ static int __ebs_rw_bvec(struct ebs_c *e + } else { + flush_dcache_page(bv->bv_page); + memcpy(ba, pa, cur_len); +- dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len); ++ dm_bufio_mark_buffer_dirty(b); + } + + dm_bufio_release(b); diff --git a/queue-6.1/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch b/queue-6.1/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch new file mode 100644 index 0000000000..907cba3906 --- /dev/null +++ b/queue-6.1/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch @@ -0,0 +1,53 @@ +From e3f44742bbb10537fe53d83d20dea2a7c167674d Mon Sep 17 00:00:00 2001 +From: Rene Rebe +Date: Fri, 14 Nov 2025 16:00:42 +0100 +Subject: fbdev: gbefb: fix to use physical address instead of dma address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rene Rebe + +commit e3f44742bbb10537fe53d83d20dea2a7c167674d upstream. + +While debuggigng why X would not start on mips64 Sgi/O2 I found the +phys adress being off. Turns out the gbefb passed the internal +dma_addr as phys. May be broken pre git history. Fix by converting +dma_to_phys. + +Signed-off-by: René Rebe +Cc: # v4.0+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/gbefb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/gbefb.c ++++ b/drivers/video/fbdev/gbefb.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -65,7 +66,7 @@ struct gbefb_par { + static unsigned int gbe_mem_size = CONFIG_FB_GBE_MEM * 1024*1024; + static void *gbe_mem; + static dma_addr_t gbe_dma_addr; +-static unsigned long gbe_mem_phys; ++static phys_addr_t gbe_mem_phys; + + static struct { + uint16_t *cpu; +@@ -1182,7 +1183,7 @@ static int gbefb_probe(struct platform_d + goto out_release_mem_region; + } + +- gbe_mem_phys = (unsigned long) gbe_dma_addr; ++ gbe_mem_phys = dma_to_phys(&p_dev->dev, gbe_dma_addr); + } + + par = info->par; diff --git a/queue-6.1/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch b/queue-6.1/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch new file mode 100644 index 0000000000..b24a2637e4 --- /dev/null +++ b/queue-6.1/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch @@ -0,0 +1,43 @@ +From 0155e868cbc111846cc2809c1546ea53810a56ae Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Tue, 2 Dec 2025 19:15:32 +0100 +Subject: fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing + +From: Thorsten Blum + +commit 0155e868cbc111846cc2809c1546ea53810a56ae upstream. + +The variables were never clamped because the return value of clamp_val() +was not used. Fix this by assigning the clamped values, and use clamp() +instead of clamp_val(). + +Cc: stable@vger.kernel.org +Fixes: 3f16ff608a75 ("[ARM] pxafb: cleanup of the timing checking code") +Signed-off-by: Thorsten Blum +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/pxafb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -418,12 +418,12 @@ static int pxafb_adjust_timing(struct px + var->yres = max_t(int, var->yres, MIN_YRES); + + if (!(fbi->lccr0 & LCCR0_LCDT)) { +- clamp_val(var->hsync_len, 1, 64); +- clamp_val(var->vsync_len, 1, 64); +- clamp_val(var->left_margin, 1, 255); +- clamp_val(var->right_margin, 1, 255); +- clamp_val(var->upper_margin, 1, 255); +- clamp_val(var->lower_margin, 1, 255); ++ var->hsync_len = clamp(var->hsync_len, 1, 64); ++ var->vsync_len = clamp(var->vsync_len, 1, 64); ++ var->left_margin = clamp(var->left_margin, 1, 255); ++ var->right_margin = clamp(var->right_margin, 1, 255); ++ var->upper_margin = clamp(var->upper_margin, 1, 255); ++ var->lower_margin = clamp(var->lower_margin, 1, 255); + } + + /* make sure each line is aligned on word boundary */ diff --git a/queue-6.1/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch b/queue-6.1/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch new file mode 100644 index 0000000000..26186bcca4 --- /dev/null +++ b/queue-6.1/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch @@ -0,0 +1,39 @@ +From 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ren=C3=A9=20Rebe?= +Date: Thu, 20 Nov 2025 14:24:00 +0100 +Subject: fbdev: tcx.c fix mem_map to correct smem_start offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +commit 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e upstream. + +403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") changed the +physbase initializing breaking the user-space mmap, e.g. for Xorg +entirely. + +Fix fbdev mmap table so the sbus mmap helper work correctly, and +not try to map vastly (physbase) offset memory. + +Fixes: 403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") +Cc: +Signed-off-by: René Rebe +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/tcx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/tcx.c ++++ b/drivers/video/fbdev/tcx.c +@@ -436,7 +436,7 @@ static int tcx_probe(struct platform_dev + j = i; + break; + } +- par->mmap_map[i].poff = op->resource[j].start; ++ par->mmap_map[i].poff = op->resource[j].start - info->fix.smem_start; + } + + info->flags = FBINFO_DEFAULT; diff --git a/queue-6.1/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch b/queue-6.1/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch new file mode 100644 index 0000000000..0ac941f241 --- /dev/null +++ b/queue-6.1/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch @@ -0,0 +1,80 @@ +From 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b Mon Sep 17 00:00:00 2001 +From: Mahesh Rao +Date: Mon, 27 Oct 2025 22:54:40 +0800 +Subject: firmware: stratix10-svc: Add mutex in stratix10 memory management + +From: Mahesh Rao + +commit 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b upstream. + +Add mutex lock to stratix10_svc_allocate_memory and +stratix10_svc_free_memory for thread safety. This prevents race +conditions and ensures proper synchronization during memory operations. +This is required for parallel communication with the Stratix10 service +channel. + +Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver") +Cc: stable@vger.kernel.org +Signed-off-by: Mahesh Rao +Reviewed-by: Matthew Gerlach +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + /* + * Copyright (C) 2017-2018, Intel Corporation ++ * Copyright (C) 2025, Altera Corporation + */ + + #include +@@ -175,6 +176,12 @@ static LIST_HEAD(svc_ctrl); + static LIST_HEAD(svc_data_mem); + + /** ++ * svc_mem_lock protects access to the svc_data_mem list for ++ * concurrent multi-client operations ++ */ ++static DEFINE_MUTEX(svc_mem_lock); ++ ++/** + * svc_pa_to_va() - translate physical address to virtual address + * @addr: to be translated physical address + * +@@ -186,6 +193,7 @@ static void *svc_pa_to_va(unsigned long + struct stratix10_svc_data_mem *pmem; + + pr_debug("claim back P-addr=0x%016x\n", (unsigned int)addr); ++ guard(mutex)(&svc_mem_lock); + list_for_each_entry(pmem, &svc_data_mem, node) + if (pmem->paddr == addr) + return pmem->vaddr; +@@ -978,6 +986,7 @@ int stratix10_svc_send(struct stratix10_ + p_data->flag = ct->flags; + } + } else { ++ guard(mutex)(&svc_mem_lock); + list_for_each_entry(p_mem, &svc_data_mem, node) + if (p_mem->vaddr == p_msg->payload) { + p_data->paddr = p_mem->paddr; +@@ -1060,6 +1069,7 @@ void *stratix10_svc_allocate_memory(stru + if (!pmem) + return ERR_PTR(-ENOMEM); + ++ guard(mutex)(&svc_mem_lock); + va = gen_pool_alloc(genpool, s); + if (!va) + return ERR_PTR(-ENOMEM); +@@ -1088,6 +1098,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate + void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr) + { + struct stratix10_svc_data_mem *pmem; ++ guard(mutex)(&svc_mem_lock); + + list_for_each_entry(pmem, &svc_data_mem, node) + if (pmem->vaddr == kaddr) { diff --git a/queue-6.1/loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch b/queue-6.1/loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch new file mode 100644 index 0000000000..7362342781 --- /dev/null +++ b/queue-6.1/loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch @@ -0,0 +1,36 @@ +From bf3fa8f232a1eec8d7b88dcd9e925e60f04f018d Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Sat, 6 Dec 2025 10:39:49 +0800 +Subject: LoongArch: Add new PCI ID for pci_fixup_vgadev() + +From: Huacai Chen + +commit bf3fa8f232a1eec8d7b88dcd9e925e60f04f018d upstream. + +Loongson-2K3000 has a new PCI ID (0x7a46) for its display controller, +Add it for pci_fixup_vgadev() since we prefer a discrete graphics card +as default boot device if present. + +Cc: stable@vger.kernel.org +Signed-off-by: Tianrui Zhao +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/pci/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/loongarch/pci/pci.c ++++ b/arch/loongarch/pci/pci.c +@@ -15,6 +15,7 @@ + #define PCI_DEVICE_ID_LOONGSON_HOST 0x7a00 + #define PCI_DEVICE_ID_LOONGSON_DC1 0x7a06 + #define PCI_DEVICE_ID_LOONGSON_DC2 0x7a36 ++#define PCI_DEVICE_ID_LOONGSON_DC3 0x7a46 + + int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn, + int reg, int len, u32 *val) +@@ -98,3 +99,4 @@ static void pci_fixup_vgadev(struct pci_ + } + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC1, pci_fixup_vgadev); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC2, pci_fixup_vgadev); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC3, pci_fixup_vgadev); diff --git a/queue-6.1/loongarch-correct-the-calculation-logic-of-thread_count.patch b/queue-6.1/loongarch-correct-the-calculation-logic-of-thread_count.patch new file mode 100644 index 0000000000..781ae1fa4f --- /dev/null +++ b/queue-6.1/loongarch-correct-the-calculation-logic-of-thread_count.patch @@ -0,0 +1,49 @@ +From 1de0ae21f136efa6c5d8a4d3e07b7d1ca39c750f Mon Sep 17 00:00:00 2001 +From: Qiang Ma +Date: Sat, 6 Dec 2025 10:39:49 +0800 +Subject: LoongArch: Correct the calculation logic of thread_count + +From: Qiang Ma + +commit 1de0ae21f136efa6c5d8a4d3e07b7d1ca39c750f upstream. + +For thread_count, the current calculation method has a maximum of 255, +which may not be sufficient in the future. Therefore, we are correcting +it now. + +Reference: SMBIOS Specification, 7.5 Processor Information (Type 4)[1] + +[1]: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.9.0.pdf + +Cc: stable@vger.kernel.org +Signed-off-by: Qiang Ma +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kernel/setup.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/loongarch/kernel/setup.c ++++ b/arch/loongarch/kernel/setup.c +@@ -50,6 +50,7 @@ + #define SMBIOS_FREQLOW_MASK 0xFF + #define SMBIOS_CORE_PACKAGE_OFFSET 0x23 + #define SMBIOS_THREAD_PACKAGE_OFFSET 0x25 ++#define SMBIOS_THREAD_PACKAGE_2_OFFSET 0x2E + #define LOONGSON_EFI_ENABLE (1 << 3) + + struct screen_info screen_info __section(".data"); +@@ -116,7 +117,12 @@ static void __init parse_cpu_table(const + cpu_clock_freq = freq_temp * 1000000; + + loongson_sysconf.cpuname = (void *)dmi_string_parse(dm, dmi_data[16]); +- loongson_sysconf.cores_per_package = *(dmi_data + SMBIOS_THREAD_PACKAGE_OFFSET); ++ loongson_sysconf.cores_per_package = *(u8 *)(dmi_data + SMBIOS_THREAD_PACKAGE_OFFSET); ++ if (dm->length >= 0x30 && loongson_sysconf.cores_per_package == 0xff) { ++ /* SMBIOS 3.0+ has ThreadCount2 for more than 255 threads */ ++ loongson_sysconf.cores_per_package = ++ *(u16 *)(dmi_data + SMBIOS_THREAD_PACKAGE_2_OFFSET); ++ } + + pr_info("CpuClock = %llu\n", cpu_clock_freq); + } diff --git a/queue-6.1/loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch b/queue-6.1/loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch new file mode 100644 index 0000000000..25ddeb1e9b --- /dev/null +++ b/queue-6.1/loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch @@ -0,0 +1,57 @@ +From 4a71df151e703b5e7e85b33369cee59ef2665e61 Mon Sep 17 00:00:00 2001 +From: Yuli Wang +Date: Sat, 6 Dec 2025 10:39:48 +0800 +Subject: LoongArch: Use __pmd()/__pte() for swap entry conversions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +commit 4a71df151e703b5e7e85b33369cee59ef2665e61 upstream. + +The __pmd() and __pte() helper macros provide the correct initialization +syntax and abstraction for the pmd_t and pte_t types. + +Use __pmd() to fix follow warning about __swp_entry_to_pmd() with gcc-15 +under specific configs [1] : + + In file included from ./include/linux/pgtable.h:6, + from ./include/linux/mm.h:31, + from ./include/linux/pagemap.h:8, + from arch/loongarch/mm/init.c:14: + ./include/linux/swapops.h: In function ‘swp_entry_to_pmd’: + ./arch/loongarch/include/asm/pgtable.h:302:34: error: missing braces around initializer [-Werror=missing-braces] + 302 | #define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE }) + | ^ + ./include/linux/swapops.h:559:16: note: in expansion of macro ‘__swp_entry_to_pmd’ + 559 | return __swp_entry_to_pmd(arch_entry); + | ^~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +Also update __swp_entry_to_pte() to use __pte() for consistency. + +[1]. https://download.01.org/0day-ci/archive/20251119/202511190316.luI90kAo-lkp@intel.com/config + +Cc: stable@vger.kernel.org +Signed-off-by: Yuli Wang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/include/asm/pgtable.h ++++ b/arch/loongarch/include/asm/pgtable.h +@@ -254,9 +254,9 @@ static inline pte_t mk_swap_pte(unsigned + #define __swp_offset(x) ((x).val >> 24) + #define __swp_entry(type, offset) ((swp_entry_t) { pte_val(mk_swap_pte((type), (offset))) }) + #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) }) +-#define __swp_entry_to_pte(x) ((pte_t) { (x).val }) ++#define __swp_entry_to_pte(x) __pte((x).val) + #define __pmd_to_swp_entry(pmd) ((swp_entry_t) { pmd_val(pmd) }) +-#define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE }) ++#define __swp_entry_to_pmd(x) __pmd((x).val | _PAGE_HUGE) + + extern void paging_init(void); + diff --git a/queue-6.1/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch b/queue-6.1/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch new file mode 100644 index 0000000000..7dca9c41da --- /dev/null +++ b/queue-6.1/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch @@ -0,0 +1,57 @@ +From 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 Mon Sep 17 00:00:00 2001 +From: Ivan Abramov +Date: Wed, 3 Sep 2025 02:23:31 +0300 +Subject: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() + +From: Ivan Abramov + +commit 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 upstream. + +It's possible for cp_read() and hdmi_read() to return -EIO. Those +values are further used as indexes for accessing arrays. + +Fix that by checking return values where it's needed. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver") +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Abramov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7842.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -2680,6 +2680,7 @@ static int adv7842_cp_log_status(struct + /* CP block */ + struct adv7842_state *state = to_state(sd); + struct v4l2_dv_timings timings; ++ int temp; + u8 reg_io_0x02 = io_read(sd, 0x02); + u8 reg_io_0x21 = io_read(sd, 0x21); + u8 reg_rep_0x77 = rep_read(sd, 0x77); +@@ -2802,8 +2803,9 @@ static int adv7842_cp_log_status(struct + (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ? + "(16-235)" : "(0-255)", + (reg_io_0x02 & 0x08) ? "enabled" : "disabled"); ++ temp = cp_read(sd, 0xf4) >> 4; + v4l2_info(sd, "Color space conversion: %s\n", +- csc_coeff_sel_rb[cp_read(sd, 0xf4) >> 4]); ++ temp < 0 ? "" : csc_coeff_sel_rb[temp]); + + if (!is_digital_input(sd)) + return 0; +@@ -2833,8 +2835,9 @@ static int adv7842_cp_log_status(struct + hdmi_read(sd, 0x5f)); + v4l2_info(sd, "AV Mute: %s\n", + (hdmi_read(sd, 0x04) & 0x40) ? "on" : "off"); ++ temp = hdmi_read(sd, 0x0b) >> 6; + v4l2_info(sd, "Deep color mode: %s\n", +- deep_color_mode_txt[hdmi_read(sd, 0x0b) >> 6]); ++ temp < 0 ? "" : deep_color_mode_txt[temp]); + + adv7842_log_infoframes(sd); + diff --git a/queue-6.1/media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch b/queue-6.1/media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch new file mode 100644 index 0000000000..3a0911cd2f --- /dev/null +++ b/queue-6.1/media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch @@ -0,0 +1,44 @@ +From ae246b0032146e352c4c06a7bf03cd3d5bcb2ecd Mon Sep 17 00:00:00 2001 +From: Ming Qian +Date: Tue, 16 Sep 2025 14:10:07 +0800 +Subject: media: amphion: Cancel message work before releasing the VPU core + +From: Ming Qian + +commit ae246b0032146e352c4c06a7bf03cd3d5bcb2ecd upstream. + +To avoid accessing the VPU register after release of the VPU core, +cancel the message work and destroy the workqueue that handles the +VPU message before release of the VPU core. + +Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support") +Cc: stable@vger.kernel.org +Signed-off-by: Ming Qian +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/amphion/vpu_v4l2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/amphion/vpu_v4l2.c ++++ b/drivers/media/platform/amphion/vpu_v4l2.c +@@ -597,15 +597,15 @@ static int vpu_v4l2_release(struct vpu_i + { + vpu_trace(inst->vpu->dev, "%p\n", inst); + +- vpu_release_core(inst->core); +- put_device(inst->dev); +- + if (inst->workqueue) { + cancel_work_sync(&inst->msg_work); + destroy_workqueue(inst->workqueue); + inst->workqueue = NULL; + } + ++ vpu_release_core(inst->core); ++ put_device(inst->dev); ++ + v4l2_ctrl_handler_free(&inst->ctrl_handler); + mutex_destroy(&inst->lock); + diff --git a/queue-6.1/media-cec-fix-debugfs-leak-on-bus_register-failure.patch b/queue-6.1/media-cec-fix-debugfs-leak-on-bus_register-failure.patch new file mode 100644 index 0000000000..63750caac3 --- /dev/null +++ b/queue-6.1/media-cec-fix-debugfs-leak-on-bus_register-failure.patch @@ -0,0 +1,35 @@ +From c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb Mon Sep 17 00:00:00 2001 +From: Haotian Zhang +Date: Mon, 29 Sep 2025 19:12:29 +0800 +Subject: media: cec: Fix debugfs leak on bus_register() failure + +From: Haotian Zhang + +commit c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb upstream. + +In cec_devnode_init(), the debugfs directory created with +debugfs_create_dir() is not removed if bus_register() fails. +This leaves a stale "cec" entry in debugfs and prevents +proper module reloading. + +Fix this by removing the debugfs directory in the error path. + +Fixes: a56960e8b406 ("[media] cec: add HDMI CEC framework (core)") +Cc: stable@vger.kernel.org +Signed-off-by: Haotian Zhang +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/core/cec-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/cec/core/cec-core.c ++++ b/drivers/media/cec/core/cec-core.c +@@ -449,6 +449,7 @@ static int __init cec_devnode_init(void) + + ret = bus_register(&cec_bus_type); + if (ret < 0) { ++ debugfs_remove_recursive(top_cec_dir); + unregister_chrdev_region(cec_dev_t, CEC_NUM_DEVICES); + pr_warn("cec: bus_register failed\n"); + return -EIO; diff --git a/queue-6.1/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-6.1/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..99fd2671d7 --- /dev/null +++ b/queue-6.1/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch @@ -0,0 +1,50 @@ +From 8f34f24355a607b98ecd9924837aab13c676eeca Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 2 Sep 2025 09:53:37 +0800 +Subject: media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit 8f34f24355a607b98ecd9924837aab13c676eeca upstream. + +The delayed_work delayed_work_enable_hotplug is initialized with +INIT_DELAYED_WORK() in adv76xx_probe(), but it is never scheduled +anywhere in the probe function. + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path and adjust the goto label accordingly to simplify the code +and avoid potential confusion. + +Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7604.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -3617,7 +3617,7 @@ static int adv76xx_probe(struct i2c_clie + err = media_entity_pads_init(&sd->entity, state->source_pad + 1, + state->pads); + if (err) +- goto err_work_queues; ++ goto err_i2c; + + /* Configure regmaps */ + err = configure_regmaps(state); +@@ -3658,8 +3658,6 @@ static int adv76xx_probe(struct i2c_clie + + err_entity: + media_entity_cleanup(&sd->entity); +-err_work_queues: +- cancel_delayed_work(&state->delayed_work_enable_hotplug); + err_i2c: + adv76xx_unregister_clients(state); + err_hdl: diff --git a/queue-6.1/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-6.1/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..8aba0f198d --- /dev/null +++ b/queue-6.1/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch @@ -0,0 +1,50 @@ +From e66a5cc606c58e72f18f9cdd868a3672e918f9f8 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 2 Sep 2025 09:10:31 +0800 +Subject: media: i2c: adv7842: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit e66a5cc606c58e72f18f9cdd868a3672e918f9f8 upstream. + +The delayed_work delayed_work_enable_hotplug is initialized with +INIT_DELAYED_WORK() in adv7842_probe(), but it is never scheduled +anywhere in the probe function. + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path and adjust the goto label accordingly to simplify the code +and avoid potential confusion. + +Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7842.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -3565,7 +3565,7 @@ static int adv7842_probe(struct i2c_clie + err = media_entity_pads_init(&sd->entity, ADV7842_PAD_SOURCE + 1, + state->pads); + if (err) +- goto err_work_queues; ++ goto err_i2c; + + err = adv7842_core_init(sd); + if (err) +@@ -3586,8 +3586,6 @@ static int adv7842_probe(struct i2c_clie + + err_entity: + media_entity_cleanup(&sd->entity); +-err_work_queues: +- cancel_delayed_work(&state->delayed_work_enable_hotplug); + err_i2c: + adv7842_unregister_clients(sd); + err_hdl: diff --git a/queue-6.1/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch b/queue-6.1/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch new file mode 100644 index 0000000000..77c68610d6 --- /dev/null +++ b/queue-6.1/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch @@ -0,0 +1,39 @@ +From d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 Mon Sep 17 00:00:00 2001 +From: Ivan Abramov +Date: Wed, 3 Sep 2025 02:28:14 +0300 +Subject: media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() + +From: Ivan Abramov + +commit d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 upstream. + +It's possible for max1 to remain -1 if msp_read() always fail. This +variable is further used as index for accessing arrays. + +Fix that by checking max1 prior to array accesses. + +It seems that restart is the preferable action in case of out-of-bounds +value. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)") +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Abramov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/msp3400-kthreads.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/msp3400-kthreads.c ++++ b/drivers/media/i2c/msp3400-kthreads.c +@@ -596,6 +596,8 @@ restart: + "carrier2 val: %5d / %s\n", val, cd[i].name); + } + ++ if (max1 < 0 || max1 > 3) ++ goto restart; + /* program the msp3400 according to the results */ + state->main = msp3400c_carrier_detect_main[max1].cdo; + switch (max1) { diff --git a/queue-6.1/media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch b/queue-6.1/media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch new file mode 100644 index 0000000000..d894d4f463 --- /dev/null +++ b/queue-6.1/media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch @@ -0,0 +1,41 @@ +From 445e1658894fd74eab7e53071fa16233887574ed Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Wed, 3 Sep 2025 21:37:29 +0800 +Subject: media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled + +From: Miaoqian Lin + +commit 445e1658894fd74eab7e53071fa16233887574ed upstream. + +The function calls of_parse_phandle() which returns +a device node with an incremented reference count. When the bonded device +is not available, the function +returns NULL without releasing the reference, causing a reference leak. + +Add of_node_put(np) to release the device node reference. +The of_node_put function handles NULL pointers. + +Found through static analysis by reviewing the doc of of_parse_phandle() +and cross-checking its usage patterns across the codebase. + +Fixes: 7625ee981af1 ("[media] media: platform: rcar_drif: Add DRIF support") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Fabrizio Castro +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/renesas/rcar_drif.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/renesas/rcar_drif.c ++++ b/drivers/media/platform/renesas/rcar_drif.c +@@ -1248,6 +1248,7 @@ static struct device_node *rcar_drif_bon + if (np && of_device_is_available(np)) + return np; + ++ of_node_put(np); + return NULL; + } + diff --git a/queue-6.1/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch b/queue-6.1/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch new file mode 100644 index 0000000000..da13965e06 --- /dev/null +++ b/queue-6.1/media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch @@ -0,0 +1,44 @@ +From 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Tue, 14 Oct 2025 12:46:43 +0200 +Subject: media: samsung: exynos4-is: fix potential ABBA deadlock on init + +From: Marek Szyprowski + +commit 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b upstream. + +v4l2_device_register_subdev_nodes() must called without taking +media_dev->graph_mutex to avoid potential AB-BA deadlock on further +subdevice driver initialization. + +Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration") +Cc: stable@vger.kernel.org +Signed-off-by: Marek Szyprowski +Acked-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/samsung/exynos4-is/media-dev.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/media/platform/samsung/exynos4-is/media-dev.c ++++ b/drivers/media/platform/samsung/exynos4-is/media-dev.c +@@ -1411,12 +1411,14 @@ static int subdev_notifier_complete(stru + mutex_lock(&fmd->media_dev.graph_mutex); + + ret = fimc_md_create_links(fmd); +- if (ret < 0) +- goto unlock; ++ if (ret < 0) { ++ mutex_unlock(&fmd->media_dev.graph_mutex); ++ return ret; ++ } + +- ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev); +-unlock: + mutex_unlock(&fmd->media_dev.graph_mutex); ++ ++ ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev); + if (ret < 0) + return ret; + diff --git a/queue-6.1/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-6.1/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..2f64aa597e --- /dev/null +++ b/queue-6.1/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch @@ -0,0 +1,38 @@ +From 29de195ca39fc2ac0af6fd45522994df9f431f80 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Mon, 1 Sep 2025 21:26:17 +0800 +Subject: media: TDA1997x: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit 29de195ca39fc2ac0af6fd45522994df9f431f80 upstream. + +The delayed_work delayed_work_enable_hpd is initialized with +INIT_DELAYED_WORK(), but it is never scheduled in tda1997x_probe(). + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path in tda1997x_probe() to avoid potential confusion. + +Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/tda1997x.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/i2c/tda1997x.c ++++ b/drivers/media/i2c/tda1997x.c +@@ -2794,7 +2794,6 @@ err_free_media: + err_free_handler: + v4l2_ctrl_handler_free(&state->hdl); + err_free_mutex: +- cancel_delayed_work(&state->delayed_work_enable_hpd); + mutex_destroy(&state->page_lock); + mutex_destroy(&state->lock); + tda1997x_set_power(state, 0); diff --git a/queue-6.1/media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch b/queue-6.1/media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch new file mode 100644 index 0000000000..57f433adb1 --- /dev/null +++ b/queue-6.1/media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch @@ -0,0 +1,60 @@ +From 47825b1646a6a9eca0f90baa3d4f98947c2add96 Mon Sep 17 00:00:00 2001 +From: Nicolas Dufresne +Date: Mon, 22 Sep 2025 14:43:39 -0400 +Subject: media: verisilicon: Protect G2 HEVC decoder against invalid DPB index + +From: Nicolas Dufresne + +commit 47825b1646a6a9eca0f90baa3d4f98947c2add96 upstream. + +Fix the Hantro G2 HEVC decoder so that we use DPB index 0 whenever a +ninvalid index is received from user space. This protects the hardware +from doing faulty memory access which then leads to bus errors. + +To be noted that when a reference is missing, userspace such as GStreamer +passes an invalid DPB index of 255. This issue was found by seeking to a +CRA picture using GStreamer. The framework is currently missing the code +to skip over RASL pictures placed after the CRA. This situation can also +occur while doing live streaming over lossy transport. + +Fixes: cb5dd5a0fa518 ("media: hantro: Introduce G2/HEVC decoder") +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Gaignard +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c ++++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c +@@ -297,6 +297,15 @@ static void set_params(struct hantro_ctx + hantro_reg_write(vpu, &g2_apf_threshold, 8); + } + ++static u32 get_dpb_index(const struct v4l2_ctrl_hevc_decode_params *decode_params, ++ const u32 index) ++{ ++ if (index > decode_params->num_active_dpb_entries) ++ return 0; ++ ++ return index; ++} ++ + static void set_ref_pic_list(struct hantro_ctx *ctx) + { + const struct hantro_hevc_dec_ctrls *ctrls = &ctx->hevc_dec.ctrls; +@@ -369,8 +378,10 @@ static void set_ref_pic_list(struct hant + list1[j++] = list1[i++]; + + for (i = 0; i < V4L2_HEVC_DPB_ENTRIES_NUM_MAX; i++) { +- hantro_reg_write(vpu, &ref_pic_regs0[i], list0[i]); +- hantro_reg_write(vpu, &ref_pic_regs1[i], list1[i]); ++ hantro_reg_write(vpu, &ref_pic_regs0[i], ++ get_dpb_index(decode_params, list0[i])); ++ hantro_reg_write(vpu, &ref_pic_regs1[i], ++ get_dpb_index(decode_params, list1[i])); + } + } + diff --git a/queue-6.1/media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch b/queue-6.1/media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch new file mode 100644 index 0000000000..804cc941b1 --- /dev/null +++ b/queue-6.1/media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch @@ -0,0 +1,38 @@ +From 94de23a9aa487d7c1372efb161721d7949a177ae Mon Sep 17 00:00:00 2001 +From: Haotian Zhang +Date: Tue, 28 Oct 2025 14:44:43 +0800 +Subject: media: videobuf2: Fix device reference leak in vb2_dc_alloc error path + +From: Haotian Zhang + +commit 94de23a9aa487d7c1372efb161721d7949a177ae upstream. + +In vb2_dc_alloc(), get_device() is called to increment the device +reference count. However, if subsequent DMA allocation fails +(vb2_dc_alloc_coherent or vb2_dc_alloc_non_coherent returns error), +the function returns without calling put_device(), causing a device +reference leak. + +Add put_device() call in the error path before kfree() to properly +release the device reference acquired earlier. + +Fixes: de27891f675e ("media: videobuf2: handle non-contiguous DMA allocations") +Cc: stable@vger.kernel.org +Signed-off-by: Haotian Zhang +Reviewed-by: Marek Szyprowski +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/videobuf2/videobuf2-dma-contig.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c ++++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c +@@ -258,6 +258,7 @@ static void *vb2_dc_alloc(struct vb2_buf + + if (ret) { + dev_err(dev, "dma alloc of size %lu failed\n", size); ++ put_device(buf->dev); + kfree(buf); + return ERR_PTR(-ENOMEM); + } diff --git a/queue-6.1/media-vpif_capture-fix-section-mismatch.patch b/queue-6.1/media-vpif_capture-fix-section-mismatch.patch new file mode 100644 index 0000000000..035efa41db --- /dev/null +++ b/queue-6.1/media-vpif_capture-fix-section-mismatch.patch @@ -0,0 +1,46 @@ +From 0ef841113724166c3c484d0e9ae6db1eb5634fde Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Oct 2025 07:33:20 +0200 +Subject: media: vpif_capture: fix section mismatch + +From: Johan Hovold + +commit 0ef841113724166c3c484d0e9ae6db1eb5634fde upstream. + +Platform drivers can be probed after their init sections have been +discarded (e.g. on probe deferral or manual rebind through sysfs) so the +probe function must not live in init. + +Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section +mismatch warning") incorrectly suppressed the modpost warning. + +Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning") +Fixes: 6ffefff5a9e7 ("V4L/DVB (12906c): V4L : vpif capture driver for DM6467") +Cc: stable@vger.kernel.org # 2.6.32 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/davinci/vpif_capture.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/ti/davinci/vpif_capture.c ++++ b/drivers/media/platform/ti/davinci/vpif_capture.c +@@ -1601,7 +1601,7 @@ err_cleanup: + * This creates device entries by register itself to the V4L2 driver and + * initializes fields of each channel objects + */ +-static __init int vpif_probe(struct platform_device *pdev) ++static int vpif_probe(struct platform_device *pdev) + { + struct vpif_subdev_info *subdevdata; + struct i2c_adapter *i2c_adap; +@@ -1809,7 +1809,7 @@ static int vpif_resume(struct device *de + + static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume); + +-static __refdata struct platform_driver vpif_driver = { ++static struct platform_driver vpif_driver = { + .driver = { + .name = VPIF_DRIVER_NAME, + .pm = &vpif_pm_ops, diff --git a/queue-6.1/media-vpif_display-fix-section-mismatch.patch b/queue-6.1/media-vpif_display-fix-section-mismatch.patch new file mode 100644 index 0000000000..5bde268a5f --- /dev/null +++ b/queue-6.1/media-vpif_display-fix-section-mismatch.patch @@ -0,0 +1,46 @@ +From 59ca64bf98e4209df8ace8057d31ae3c80f948cd Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Oct 2025 07:33:21 +0200 +Subject: media: vpif_display: fix section mismatch + +From: Johan Hovold + +commit 59ca64bf98e4209df8ace8057d31ae3c80f948cd upstream. + +Platform drivers can be probed after their init sections have been +discarded (e.g. on probe deferral or manual rebind through sysfs) so the +probe function must not live in init. + +Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section +mismatch warning") incorrectly suppressed the modpost warning. + +Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning") +Fixes: e7332e3a552f ("V4L/DVB (12176): davinci/vpif_display: Add VPIF display driver") +Cc: stable@vger.kernel.org # 2.6.32 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/ti/davinci/vpif_display.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/ti/davinci/vpif_display.c ++++ b/drivers/media/platform/ti/davinci/vpif_display.c +@@ -1215,7 +1215,7 @@ probe_out: + * vpif_probe: This function creates device entries by register itself to the + * V4L2 driver and initializes fields of each channel objects + */ +-static __init int vpif_probe(struct platform_device *pdev) ++static int vpif_probe(struct platform_device *pdev) + { + struct vpif_subdev_info *subdevdata; + struct i2c_adapter *i2c_adap; +@@ -1393,7 +1393,7 @@ static int vpif_resume(struct device *de + + static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume); + +-static __refdata struct platform_driver vpif_driver = { ++static struct platform_driver vpif_driver = { + .driver = { + .name = VPIF_DRIVER_NAME, + .pm = &vpif_pm_ops, diff --git a/queue-6.1/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch b/queue-6.1/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch new file mode 100644 index 0000000000..bd1e498f82 --- /dev/null +++ b/queue-6.1/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch @@ -0,0 +1,58 @@ +From 5fb1d3ce3e74a4530042795e1e065422295f1371 Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Wed, 15 Oct 2025 23:21:41 +0200 +Subject: parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() + +From: Sven Schnelle + +commit 5fb1d3ce3e74a4530042795e1e065422295f1371 upstream. + +When the kernel leaves to userspace via syscall_restore_rfi(), the +W bit is not set in the new PSW. This doesn't cause any problems +because there's no 64 bit userspace for parisc. Simple static binaries +are usually loaded at addresses way below the 32 bit limit so the W bit +doesn't matter. + +Fix this by setting the W bit when TIF_32BIT is not set. + +Signed-off-by: Sven Schnelle +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/asm-offsets.c | 2 ++ + arch/parisc/kernel/entry.S | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/asm-offsets.c ++++ b/arch/parisc/kernel/asm-offsets.c +@@ -258,6 +258,8 @@ int main(void) + BLANK(); + DEFINE(TIF_BLOCKSTEP_PA_BIT, 31-TIF_BLOCKSTEP); + DEFINE(TIF_SINGLESTEP_PA_BIT, 31-TIF_SINGLESTEP); ++ DEFINE(TIF_32BIT_PA_BIT, 31-TIF_32BIT); ++ + BLANK(); + DEFINE(ASM_PMD_SHIFT, PMD_SHIFT); + DEFINE(ASM_PGDIR_SHIFT, PGDIR_SHIFT); +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1824,6 +1824,10 @@ syscall_restore_rfi: + extru,= %r19,TIF_BLOCKSTEP_PA_BIT,1,%r0 + depi -1,7,1,%r20 /* T bit */ + ++#ifdef CONFIG_64BIT ++ extru,<> %r19,TIF_32BIT_PA_BIT,1,%r0 ++ depi -1,4,1,%r20 /* W bit */ ++#endif + STREG %r20,TASK_PT_PSW(%r1) + + /* Always store space registers, since sr3 can be changed (e.g. fork) */ +@@ -1837,7 +1841,6 @@ syscall_restore_rfi: + STREG %r25,TASK_PT_IASQ0(%r1) + STREG %r25,TASK_PT_IASQ1(%r1) + +- /* XXX W bit??? */ + /* Now if old D bit is clear, it means we didn't save all registers + * on syscall entry, so do that now. This only happens on TRACEME + * calls, or if someone attached to us while we were on a syscall. diff --git a/queue-6.1/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch b/queue-6.1/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch new file mode 100644 index 0000000000..2b89d14819 --- /dev/null +++ b/queue-6.1/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch @@ -0,0 +1,61 @@ +From 1aa4524c0c1b54842c4c0a370171d11b12d0709b Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Thu, 30 Oct 2025 08:56:05 +0100 +Subject: parisc: entry.S: fix space adjustment on interruption for 64-bit userspace + +From: Sven Schnelle + +commit 1aa4524c0c1b54842c4c0a370171d11b12d0709b upstream. + +In wide mode, the IASQ contain the upper part of the GVA +during interruption. This needs to be reversed before +the space is used - otherwise it contains parts of IAOQ. +See Page 2-13 "Processing Resources / Interruption Instruction +Address Queues" in the Parisc 2.0 Architecture Manual page 2-13 +for an explanation. + +The IAOQ/IASQ space_adjust was skipped for other interruptions +than itlb misses. However, the code in handle_interruption() +checks whether iasq[0] contains a valid space. Due to the not +masked out bits this match failed and the process was killed. + +Also add space_adjust for IAOQ1/IASQ1 so ptregs contains sane values. + +Signed-off-by: Sven Schnelle +Cc: stable@vger.kernel.org # v6.0+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1046,8 +1046,6 @@ ENTRY_CFI(intr_save) /* for os_hpmc */ + STREG %r17, PT_IOR(%r29) + + #if defined(CONFIG_64BIT) +- b,n intr_save2 +- + skip_save_ior: + /* We have a itlb miss, and when executing code above 4 Gb on ILP64, we + * need to adjust iasq/iaoq here in the same way we adjusted isr/ior +@@ -1056,10 +1054,17 @@ skip_save_ior: + bb,COND(>=),n %r8,PSW_W_BIT,intr_save2 + LDREG PT_IASQ0(%r29), %r16 + LDREG PT_IAOQ0(%r29), %r17 +- /* adjust iasq/iaoq */ ++ /* adjust iasq0/iaoq0 */ + space_adjust %r16,%r17,%r1 + STREG %r16, PT_IASQ0(%r29) + STREG %r17, PT_IAOQ0(%r29) ++ ++ LDREG PT_IASQ1(%r29), %r16 ++ LDREG PT_IAOQ1(%r29), %r17 ++ /* adjust iasq1/iaoq1 */ ++ space_adjust %r16,%r17,%r1 ++ STREG %r16, PT_IASQ1(%r29) ++ STREG %r17, PT_IAOQ1(%r29) + #else + skip_save_ior: + #endif diff --git a/queue-6.1/powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch b/queue-6.1/powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch new file mode 100644 index 0000000000..7086b9e6f0 --- /dev/null +++ b/queue-6.1/powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch @@ -0,0 +1,59 @@ +From fc6bcf9ac4de76f5e7bcd020b3c0a86faff3f2d5 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Tue, 21 Oct 2025 12:06:05 +0200 +Subject: powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION + +From: David Hildenbrand + +commit fc6bcf9ac4de76f5e7bcd020b3c0a86faff3f2d5 upstream. + +Patch series "powerpc/pseries/cmm: two smaller fixes". + +Two smaller fixes identified while doing a bigger rework. + + +This patch (of 2): + +We always have to initialize the balloon_dev_info, even when compaction is +not configured in: otherwise the containing list and the lock are left +uninitialized. + +Likely not many such configs exist in practice, but let's CC stable to +be sure. + +This was found by code inspection. + +Link: https://lkml.kernel.org/r/20251021100606.148294-1-david@redhat.com +Link: https://lkml.kernel.org/r/20251021100606.148294-2-david@redhat.com +Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction") +Signed-off-by: David Hildenbrand +Reviewed-by: Ritesh Harjani (IBM) +Cc: Christophe Leroy +Cc: Madhavan Srinivasan +Cc: Michael Ellerman +Cc: Nicholas Piggin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/cmm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/cmm.c ++++ b/arch/powerpc/platforms/pseries/cmm.c +@@ -550,7 +550,6 @@ static int cmm_migratepage(struct balloo + + static void cmm_balloon_compaction_init(void) + { +- balloon_devinfo_init(&b_dev_info); + b_dev_info.migratepage = cmm_migratepage; + } + #else /* CONFIG_BALLOON_COMPACTION */ +@@ -572,6 +571,7 @@ static int cmm_init(void) + if (!firmware_has_feature(FW_FEATURE_CMO) && !simulate) + return -EOPNOTSUPP; + ++ balloon_devinfo_init(&b_dev_info); + cmm_balloon_compaction_init(); + + rc = register_oom_notifier(&cmm_oom_nb); diff --git a/queue-6.1/series b/queue-6.1/series index fdfd819e25..3f593a6387 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -465,3 +465,28 @@ leds-leds-lp50xx-enable-chip-before-any-communication.patch mfd-altera-sysmgr-fix-device-leak-on-sysmgr-regmap-lookup.patch mfd-max77620-fix-potential-irq-chip-conflict-when-probing-two-devices.patch media-rc-st_rc-fix-reset-control-resource-leak.patch +parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch +parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch +powerpc-pseries-cmm-call-balloon_devinfo_init-also-without-config_balloon_compaction.patch +media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch +firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch +dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch +dm-bufio-align-write-boundary-on-physical-block-size.patch +fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch +fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch +fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch +media-cec-fix-debugfs-leak-on-bus_register-failure.patch +media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch +media-renesas-rcar_drif-fix-device-node-reference-leak-in-rcar_drif_bond_enabled.patch +media-samsung-exynos4-is-fix-potential-abba-deadlock-on-init.patch +media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch +media-verisilicon-protect-g2-hevc-decoder-against-invalid-dpb-index.patch +media-videobuf2-fix-device-reference-leak-in-vb2_dc_alloc-error-path.patch +media-vpif_capture-fix-section-mismatch.patch +media-vpif_display-fix-section-mismatch.patch +media-amphion-cancel-message-work-before-releasing-the-vpu-core.patch +media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch +media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch +loongarch-add-new-pci-id-for-pci_fixup_vgadev.patch +loongarch-correct-the-calculation-logic-of-thread_count.patch +loongarch-use-__pmd-__pte-for-swap-entry-conversions.patch