From: Greg Kroah-Hartman Date: Mon, 20 Oct 2025 11:22:47 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.6.114~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d38fd002d05cfc7574574681f95dadd363a3eb78;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch media-lirc-fix-error-handling-in-lirc_register.patch media-pci-ivtv-add-missing-check-after-dma-map.patch media-pci-ivtv-switch-from-pci_-to-dma_-api.patch media-rc-directly-use-ida_free.patch xen-events-update-virq_to_irq-on-migration.patch --- diff --git a/queue-5.4/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch b/queue-5.4/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch new file mode 100644 index 0000000000..8cdfcd317b --- /dev/null +++ b/queue-5.4/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch @@ -0,0 +1,76 @@ +From stable+bounces-187849-greg=kroah.com@vger.kernel.org Sat Oct 18 18:11:01 2025 +From: Sasha Levin +Date: Sat, 18 Oct 2025 12:10:44 -0400 +Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() +To: stable@vger.kernel.org +Cc: Anderson Nascimento , David Sterba , Sasha Levin +Message-ID: <20251018161044.834880-1-sashal@kernel.org> + +From: Anderson Nascimento + +[ Upstream commit dff4f9ff5d7f289e4545cc936362e01ed3252742 ] + +The function btrfs_encode_fh() does not properly account for the three +cases it handles. + +Before writing to the file handle (fh), the function only returns to the +user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or +BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). + +However, when a parent exists and the root ID of the parent and the +inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT +(10 dwords, 40 bytes). + +If *max_len is not large enough, this write goes out of bounds because +BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than +BTRFS_FID_SIZE_CONNECTABLE originally returned. + +This results in an 8-byte out-of-bounds write at +fid->parent_root_objectid = parent_root_id. + +A previous attempt to fix this issue was made but was lost. + +https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/ + +Although this issue does not seem to be easily triggerable, it is a +potential memory corruption bug that should be fixed. This patch +resolves the issue by ensuring the function returns the appropriate size +for all three cases and validates that *max_len is large enough before +writing any data. + +Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3") +CC: stable@vger.kernel.org # 3.0+ +Signed-off-by: Anderson Nascimento +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ replaced btrfs_root_id() calls with direct ->root->root_key.objectid access ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/export.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/export.c ++++ b/fs/btrfs/export.c +@@ -22,7 +22,11 @@ static int btrfs_encode_fh(struct inode + int type; + + if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) { +- *max_len = BTRFS_FID_SIZE_CONNECTABLE; ++ if (BTRFS_I(inode)->root->root_key.objectid != ++ BTRFS_I(parent)->root->root_key.objectid) ++ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT; ++ else ++ *max_len = BTRFS_FID_SIZE_CONNECTABLE; + return FILEID_INVALID; + } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) { + *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE; +@@ -44,6 +48,8 @@ static int btrfs_encode_fh(struct inode + parent_root_id = BTRFS_I(parent)->root->root_key.objectid; + + if (parent_root_id != fid->root_objectid) { ++ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT) ++ return FILEID_INVALID; + fid->parent_root_objectid = parent_root_id; + len = BTRFS_FID_SIZE_CONNECTABLE_ROOT; + type = FILEID_BTRFS_WITH_PARENT_ROOT; diff --git a/queue-5.4/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch b/queue-5.4/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch new file mode 100644 index 0000000000..d68f5cccbc --- /dev/null +++ b/queue-5.4/drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch @@ -0,0 +1,167 @@ +From stable+bounces-187841-greg=kroah.com@vger.kernel.org Sat Oct 18 15:57:10 2025 +From: Sasha Levin +Date: Sat, 18 Oct 2025 09:57:00 -0400 +Subject: drm/exynos: exynos7_drm_decon: remove ctx->suspended +To: stable@vger.kernel.org +Cc: Kaustabh Chakraborty , Inki Dae , Sasha Levin +Message-ID: <20251018135700.715655-1-sashal@kernel.org> + +From: Kaustabh Chakraborty + +[ Upstream commit e1361a4f1be9cb69a662c6d7b5ce218007d6e82b ] + +Condition guards are found to be redundant, as the call flow is properly +managed now, as also observed in the Exynos5433 DECON driver. Since +state checking is no longer necessary, remove it. + +This also fixes an issue which prevented decon_commit() from +decon_atomic_enable() due to an incorrect state change setting. + +Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver") +Cc: stable@vger.kernel.org +Suggested-by: Inki Dae +Signed-off-by: Kaustabh Chakraborty +Signed-off-by: Inki Dae +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos7_drm_decon.c | 36 ----------------------------- + 1 file changed, 36 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c +@@ -51,7 +51,6 @@ struct decon_context { + void __iomem *regs; + unsigned long irq_flags; + bool i80_if; +- bool suspended; + wait_queue_head_t wait_vsync_queue; + atomic_t wait_vsync_event; + +@@ -85,9 +84,6 @@ static void decon_wait_for_vblank(struct + { + struct decon_context *ctx = crtc->ctx; + +- if (ctx->suspended) +- return; +- + atomic_set(&ctx->wait_vsync_event, 1); + + /* +@@ -155,9 +151,6 @@ static void decon_commit(struct exynos_d + struct drm_display_mode *mode = &crtc->base.state->adjusted_mode; + u32 val, clkdiv; + +- if (ctx->suspended) +- return; +- + /* nothing to do if we haven't set the mode yet */ + if (mode->htotal == 0 || mode->vtotal == 0) + return; +@@ -219,9 +212,6 @@ static int decon_enable_vblank(struct ex + struct decon_context *ctx = crtc->ctx; + u32 val; + +- if (ctx->suspended) +- return -EPERM; +- + if (!test_and_set_bit(0, &ctx->irq_flags)) { + val = readl(ctx->regs + VIDINTCON0); + +@@ -244,9 +234,6 @@ static void decon_disable_vblank(struct + struct decon_context *ctx = crtc->ctx; + u32 val; + +- if (ctx->suspended) +- return; +- + if (test_and_clear_bit(0, &ctx->irq_flags)) { + val = readl(ctx->regs + VIDINTCON0); + +@@ -369,9 +356,6 @@ static void decon_atomic_begin(struct ex + struct decon_context *ctx = crtc->ctx; + int i; + +- if (ctx->suspended) +- return; +- + for (i = 0; i < WINDOWS_NR; i++) + decon_shadow_protect_win(ctx, i, true); + } +@@ -391,9 +375,6 @@ static void decon_update_plane(struct ex + unsigned int cpp = fb->format->cpp[0]; + unsigned int pitch = fb->pitches[0]; + +- if (ctx->suspended) +- return; +- + /* + * SHADOWCON/PRTCON register is used for enabling timing. + * +@@ -481,9 +462,6 @@ static void decon_disable_plane(struct e + unsigned int win = plane->index; + u32 val; + +- if (ctx->suspended) +- return; +- + /* protect windows */ + decon_shadow_protect_win(ctx, win, true); + +@@ -502,9 +480,6 @@ static void decon_atomic_flush(struct ex + struct decon_context *ctx = crtc->ctx; + int i; + +- if (ctx->suspended) +- return; +- + for (i = 0; i < WINDOWS_NR; i++) + decon_shadow_protect_win(ctx, i, false); + exynos_crtc_handle_event(crtc); +@@ -531,9 +506,6 @@ static void decon_enable(struct exynos_d + { + struct decon_context *ctx = crtc->ctx; + +- if (!ctx->suspended) +- return; +- + pm_runtime_get_sync(ctx->dev); + + decon_init(ctx); +@@ -543,8 +515,6 @@ static void decon_enable(struct exynos_d + decon_enable_vblank(ctx->crtc); + + decon_commit(ctx->crtc); +- +- ctx->suspended = false; + } + + static void decon_disable(struct exynos_drm_crtc *crtc) +@@ -552,9 +522,6 @@ static void decon_disable(struct exynos_ + struct decon_context *ctx = crtc->ctx; + int i; + +- if (ctx->suspended) +- return; +- + /* + * We need to make sure that all windows are disabled before we + * suspend that connector. Otherwise we might try to scan from +@@ -564,8 +531,6 @@ static void decon_disable(struct exynos_ + decon_disable_plane(crtc, &ctx->planes[i]); + + pm_runtime_put_sync(ctx->dev); +- +- ctx->suspended = true; + } + + static const struct exynos_drm_crtc_ops decon_crtc_ops = { +@@ -687,7 +652,6 @@ static int decon_probe(struct platform_d + return -ENOMEM; + + ctx->dev = dev; +- ctx->suspended = true; + + i80_if_timings = of_get_child_by_name(dev->of_node, "i80-if-timings"); + if (i80_if_timings) diff --git a/queue-5.4/media-lirc-fix-error-handling-in-lirc_register.patch b/queue-5.4/media-lirc-fix-error-handling-in-lirc_register.patch new file mode 100644 index 0000000000..25f2830f9b --- /dev/null +++ b/queue-5.4/media-lirc-fix-error-handling-in-lirc_register.patch @@ -0,0 +1,56 @@ +From stable+bounces-187726-greg=kroah.com@vger.kernel.org Sat Oct 18 01:32:04 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 19:31:51 -0400 +Subject: media: lirc: Fix error handling in lirc_register() +To: stable@vger.kernel.org +Cc: Ma Ke , Sean Young , Hans Verkuil , Sasha Levin +Message-ID: <20251017233151.37969-2-sashal@kernel.org> + +From: Ma Ke + +[ Upstream commit 4f4098c57e139ad972154077fb45c3e3141555dd ] + +When cdev_device_add() failed, calling put_device() to explicitly +release dev->lirc_dev. Otherwise, it could cause the fault of the +reference count. + +Found by code review. + +Cc: stable@vger.kernel.org +Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi") +Signed-off-by: Ma Ke +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/lirc_dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/media/rc/lirc_dev.c ++++ b/drivers/media/rc/lirc_dev.c +@@ -762,11 +762,11 @@ int ir_lirc_register(struct rc_dev *dev) + + cdev_init(&dev->lirc_cdev, &lirc_fops); + ++ get_device(&dev->dev); ++ + err = cdev_device_add(&dev->lirc_cdev, &dev->lirc_dev); + if (err) +- goto out_ida; +- +- get_device(&dev->dev); ++ goto out_put_device; + + switch (dev->driver_type) { + case RC_DRIVER_SCANCODE: +@@ -790,7 +790,8 @@ int ir_lirc_register(struct rc_dev *dev) + + return 0; + +-out_ida: ++out_put_device: ++ put_device(&dev->lirc_dev); + ida_free(&lirc_ida, minor); + return err; + } diff --git a/queue-5.4/media-pci-ivtv-add-missing-check-after-dma-map.patch b/queue-5.4/media-pci-ivtv-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..b662c52471 --- /dev/null +++ b/queue-5.4/media-pci-ivtv-add-missing-check-after-dma-map.patch @@ -0,0 +1,63 @@ +From stable+bounces-186339-greg=kroah.com@vger.kernel.org Fri Oct 17 16:33:34 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 10:32:42 -0400 +Subject: media: pci: ivtv: Add missing check after DMA map +To: stable@vger.kernel.org +Cc: Thomas Fourier , Hans Verkuil , Sasha Levin +Message-ID: <20251017143242.3997991-2-sashal@kernel.org> + +From: Thomas Fourier + +[ Upstream commit 1069a4fe637d0e3e4c163e3f8df9be306cc299b4 ] + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, free blanking_ptr and set it to 0. As 0 is a +valid DMA address, use blanking_ptr to test if the DMA address +is set. + +Fixes: 1a0adaf37c30 ("V4L/DVB (5345): ivtv driver for Conexant cx23416/cx23415 MPEG encoder/decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/ivtv/ivtv-irq.c | 2 +- + drivers/media/pci/ivtv/ivtv-yuv.c | 8 +++++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/pci/ivtv/ivtv-irq.c ++++ b/drivers/media/pci/ivtv/ivtv-irq.c +@@ -351,7 +351,7 @@ void ivtv_dma_stream_dec_prepare(struct + + /* Insert buffer block for YUV if needed */ + if (s->type == IVTV_DEC_STREAM_TYPE_YUV && f->offset_y) { +- if (yi->blanking_dmaptr) { ++ if (yi->blanking_ptr) { + s->sg_pending[idx].src = yi->blanking_dmaptr; + s->sg_pending[idx].dst = offset; + s->sg_pending[idx].size = 720 * 16; +--- a/drivers/media/pci/ivtv/ivtv-yuv.c ++++ b/drivers/media/pci/ivtv/ivtv-yuv.c +@@ -125,7 +125,7 @@ static int ivtv_yuv_prep_user_dma(struct + ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size); + + /* If we've offset the y plane, ensure top area is blanked */ +- if (f->offset_y && yi->blanking_dmaptr) { ++ if (f->offset_y && yi->blanking_ptr) { + dma->SGarray[dma->SG_length].size = cpu_to_le32(720*16); + dma->SGarray[dma->SG_length].src = cpu_to_le32(yi->blanking_dmaptr); + dma->SGarray[dma->SG_length].dst = cpu_to_le32(IVTV_DECODER_OFFSET + yuv_offset[frame]); +@@ -929,6 +929,12 @@ static void ivtv_yuv_init(struct ivtv *i + yi->blanking_dmaptr = dma_map_single(&itv->pdev->dev, + yi->blanking_ptr, + 720 * 16, DMA_TO_DEVICE); ++ if (dma_mapping_error(&itv->pdev->dev, yi->blanking_dmaptr)) { ++ kfree(yi->blanking_ptr); ++ yi->blanking_ptr = NULL; ++ yi->blanking_dmaptr = 0; ++ IVTV_DEBUG_WARN("Failed to dma_map yuv blanking buffer\n"); ++ } + } else { + yi->blanking_dmaptr = 0; + IVTV_DEBUG_WARN("Failed to allocate yuv blanking buffer\n"); diff --git a/queue-5.4/media-pci-ivtv-switch-from-pci_-to-dma_-api.patch b/queue-5.4/media-pci-ivtv-switch-from-pci_-to-dma_-api.patch new file mode 100644 index 0000000000..a654c4fa8e --- /dev/null +++ b/queue-5.4/media-pci-ivtv-switch-from-pci_-to-dma_-api.patch @@ -0,0 +1,393 @@ +From stable+bounces-186338-greg=kroah.com@vger.kernel.org Fri Oct 17 16:32:51 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 10:32:41 -0400 +Subject: media: pci/ivtv: switch from 'pci_' to 'dma_' API +To: stable@vger.kernel.org +Cc: Christophe JAILLET , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin +Message-ID: <20251017143242.3997991-1-sashal@kernel.org> + +From: Christophe JAILLET + +[ Upstream commit 1932dc2f4cf6ac23e48e5fcc24d21adbe35691d1 ] + +The wrappers in include/linux/pci-dma-compat.h should go away. + +The patch has been generated with the coccinelle script below. +It has been compile tested. + +No memory allocation in involved in this patch, so no GFP_ tweak is needed. + +@@ @@ +- PCI_DMA_BIDIRECTIONAL ++ DMA_BIDIRECTIONAL + +@@ @@ +- PCI_DMA_TODEVICE ++ DMA_TO_DEVICE + +@@ @@ +- PCI_DMA_FROMDEVICE ++ DMA_FROM_DEVICE + +@@ @@ +- PCI_DMA_NONE ++ DMA_NONE + +@@ +expression e1, e2, e3; +@@ +- pci_alloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3; +@@ +- pci_zalloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_free_consistent(e1, e2, e3, e4) ++ dma_free_coherent(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_single(e1, e2, e3, e4) ++ dma_map_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_single(e1, e2, e3, e4) ++ dma_unmap_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4, e5; +@@ +- pci_map_page(e1, e2, e3, e4, e5) ++ dma_map_page(&e1->dev, e2, e3, e4, e5) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_page(e1, e2, e3, e4) ++ dma_unmap_page(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_sg(e1, e2, e3, e4) ++ dma_map_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_sg(e1, e2, e3, e4) ++ dma_unmap_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_cpu(e1, e2, e3, e4) ++ dma_sync_single_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_device(e1, e2, e3, e4) ++ dma_sync_single_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_cpu(e1, e2, e3, e4) ++ dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_device(e1, e2, e3, e4) ++ dma_sync_sg_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2; +@@ +- pci_dma_mapping_error(e1, e2) ++ dma_mapping_error(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_dma_mask(e1, e2) ++ dma_set_mask(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_consistent_dma_mask(e1, e2) ++ dma_set_coherent_mask(&e1->dev, e2) + +Signed-off-by: Christophe JAILLET +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 1069a4fe637d ("media: pci: ivtv: Add missing check after DMA map") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/ivtv/ivtv-driver.c | 2 +- + drivers/media/pci/ivtv/ivtv-queue.c | 18 ++++++++++-------- + drivers/media/pci/ivtv/ivtv-streams.c | 22 +++++++++++----------- + drivers/media/pci/ivtv/ivtv-udma.c | 19 ++++++++++++------- + drivers/media/pci/ivtv/ivtv-yuv.c | 10 +++++++--- + 5 files changed, 41 insertions(+), 30 deletions(-) + +--- a/drivers/media/pci/ivtv/ivtv-driver.c ++++ b/drivers/media/pci/ivtv/ivtv-driver.c +@@ -843,7 +843,7 @@ static int ivtv_setup_pci(struct ivtv *i + IVTV_ERR("Can't enable device!\n"); + return -EIO; + } +- if (pci_set_dma_mask(pdev, DMA_BIT_MASK(32))) { ++ if (dma_set_mask(&pdev->dev, DMA_BIT_MASK(32))) { + IVTV_ERR("No suitable DMA available.\n"); + return -EIO; + } +--- a/drivers/media/pci/ivtv/ivtv-queue.c ++++ b/drivers/media/pci/ivtv/ivtv-queue.c +@@ -188,7 +188,7 @@ int ivtv_stream_alloc(struct ivtv_stream + return 0; + + IVTV_DEBUG_INFO("Allocate %s%s stream: %d x %d buffers (%dkB total)\n", +- s->dma != PCI_DMA_NONE ? "DMA " : "", ++ s->dma != DMA_NONE ? "DMA " : "", + s->name, s->buffers, s->buf_size, s->buffers * s->buf_size / 1024); + + s->sg_pending = kzalloc(SGsize, GFP_KERNEL|__GFP_NOWARN); +@@ -218,8 +218,9 @@ int ivtv_stream_alloc(struct ivtv_stream + return -ENOMEM; + } + if (ivtv_might_use_dma(s)) { +- s->sg_handle = pci_map_single(itv->pdev, s->sg_dma, +- sizeof(struct ivtv_sg_element), PCI_DMA_TODEVICE); ++ s->sg_handle = dma_map_single(&itv->pdev->dev, s->sg_dma, ++ sizeof(struct ivtv_sg_element), ++ DMA_TO_DEVICE); + ivtv_stream_sync_for_cpu(s); + } + +@@ -237,7 +238,7 @@ int ivtv_stream_alloc(struct ivtv_stream + } + INIT_LIST_HEAD(&buf->list); + if (ivtv_might_use_dma(s)) { +- buf->dma_handle = pci_map_single(s->itv->pdev, ++ buf->dma_handle = dma_map_single(&s->itv->pdev->dev, + buf->buf, s->buf_size + 256, s->dma); + ivtv_buf_sync_for_cpu(s, buf); + } +@@ -260,8 +261,8 @@ void ivtv_stream_free(struct ivtv_stream + /* empty q_free */ + while ((buf = ivtv_dequeue(s, &s->q_free))) { + if (ivtv_might_use_dma(s)) +- pci_unmap_single(s->itv->pdev, buf->dma_handle, +- s->buf_size + 256, s->dma); ++ dma_unmap_single(&s->itv->pdev->dev, buf->dma_handle, ++ s->buf_size + 256, s->dma); + kfree(buf->buf); + kfree(buf); + } +@@ -269,8 +270,9 @@ void ivtv_stream_free(struct ivtv_stream + /* Free SG Array/Lists */ + if (s->sg_dma != NULL) { + if (s->sg_handle != IVTV_DMA_UNMAPPED) { +- pci_unmap_single(s->itv->pdev, s->sg_handle, +- sizeof(struct ivtv_sg_element), PCI_DMA_TODEVICE); ++ dma_unmap_single(&s->itv->pdev->dev, s->sg_handle, ++ sizeof(struct ivtv_sg_element), ++ DMA_TO_DEVICE); + s->sg_handle = IVTV_DMA_UNMAPPED; + } + kfree(s->sg_pending); +--- a/drivers/media/pci/ivtv/ivtv-streams.c ++++ b/drivers/media/pci/ivtv/ivtv-streams.c +@@ -100,7 +100,7 @@ static struct { + { /* IVTV_ENC_STREAM_TYPE_MPG */ + "encoder MPG", + VFL_TYPE_VIDEO, 0, +- PCI_DMA_FROMDEVICE, 0, ++ DMA_FROM_DEVICE, 0, + V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_TUNER | + V4L2_CAP_AUDIO | V4L2_CAP_READWRITE, + &ivtv_v4l2_enc_fops +@@ -108,7 +108,7 @@ static struct { + { /* IVTV_ENC_STREAM_TYPE_YUV */ + "encoder YUV", + VFL_TYPE_VIDEO, IVTV_V4L2_ENC_YUV_OFFSET, +- PCI_DMA_FROMDEVICE, 0, ++ DMA_FROM_DEVICE, 0, + V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_TUNER | + V4L2_CAP_AUDIO | V4L2_CAP_READWRITE, + &ivtv_v4l2_enc_fops +@@ -116,7 +116,7 @@ static struct { + { /* IVTV_ENC_STREAM_TYPE_VBI */ + "encoder VBI", + VFL_TYPE_VBI, 0, +- PCI_DMA_FROMDEVICE, 0, ++ DMA_FROM_DEVICE, 0, + V4L2_CAP_VBI_CAPTURE | V4L2_CAP_SLICED_VBI_CAPTURE | V4L2_CAP_TUNER | + V4L2_CAP_AUDIO | V4L2_CAP_READWRITE, + &ivtv_v4l2_enc_fops +@@ -124,42 +124,42 @@ static struct { + { /* IVTV_ENC_STREAM_TYPE_PCM */ + "encoder PCM", + VFL_TYPE_VIDEO, IVTV_V4L2_ENC_PCM_OFFSET, +- PCI_DMA_FROMDEVICE, 0, ++ DMA_FROM_DEVICE, 0, + V4L2_CAP_TUNER | V4L2_CAP_AUDIO | V4L2_CAP_READWRITE, + &ivtv_v4l2_enc_fops + }, + { /* IVTV_ENC_STREAM_TYPE_RAD */ + "encoder radio", + VFL_TYPE_RADIO, 0, +- PCI_DMA_NONE, 1, ++ DMA_NONE, 1, + V4L2_CAP_RADIO | V4L2_CAP_TUNER, + &ivtv_v4l2_radio_fops + }, + { /* IVTV_DEC_STREAM_TYPE_MPG */ + "decoder MPG", + VFL_TYPE_VIDEO, IVTV_V4L2_DEC_MPG_OFFSET, +- PCI_DMA_TODEVICE, 0, ++ DMA_TO_DEVICE, 0, + V4L2_CAP_VIDEO_OUTPUT | V4L2_CAP_AUDIO | V4L2_CAP_READWRITE, + &ivtv_v4l2_dec_fops + }, + { /* IVTV_DEC_STREAM_TYPE_VBI */ + "decoder VBI", + VFL_TYPE_VBI, IVTV_V4L2_DEC_VBI_OFFSET, +- PCI_DMA_NONE, 1, ++ DMA_NONE, 1, + V4L2_CAP_SLICED_VBI_CAPTURE | V4L2_CAP_READWRITE, + &ivtv_v4l2_enc_fops + }, + { /* IVTV_DEC_STREAM_TYPE_VOUT */ + "decoder VOUT", + VFL_TYPE_VBI, IVTV_V4L2_DEC_VOUT_OFFSET, +- PCI_DMA_NONE, 1, ++ DMA_NONE, 1, + V4L2_CAP_SLICED_VBI_OUTPUT | V4L2_CAP_AUDIO | V4L2_CAP_READWRITE, + &ivtv_v4l2_dec_fops + }, + { /* IVTV_DEC_STREAM_TYPE_YUV */ + "decoder YUV", + VFL_TYPE_VIDEO, IVTV_V4L2_DEC_YUV_OFFSET, +- PCI_DMA_TODEVICE, 0, ++ DMA_TO_DEVICE, 0, + V4L2_CAP_VIDEO_OUTPUT | V4L2_CAP_AUDIO | V4L2_CAP_READWRITE, + &ivtv_v4l2_dec_fops + } +@@ -179,7 +179,7 @@ static void ivtv_stream_init(struct ivtv + s->vdev.device_caps = ivtv_stream_info[type].v4l2_caps; + + if (ivtv_stream_info[type].pio) +- s->dma = PCI_DMA_NONE; ++ s->dma = DMA_NONE; + else + s->dma = ivtv_stream_info[type].dma; + s->buf_size = itv->stream_buf_size[type]; +@@ -217,7 +217,7 @@ static int ivtv_prep_dev(struct ivtv *it + + /* User explicitly selected 0 buffers for these streams, so don't + create them. */ +- if (ivtv_stream_info[type].dma != PCI_DMA_NONE && ++ if (ivtv_stream_info[type].dma != DMA_NONE && + itv->options.kilobytes[type] == 0) { + IVTV_INFO("Disabled %s device\n", ivtv_stream_info[type].name); + return 0; +--- a/drivers/media/pci/ivtv/ivtv-udma.c ++++ b/drivers/media/pci/ivtv/ivtv-udma.c +@@ -81,8 +81,10 @@ void ivtv_udma_alloc(struct ivtv *itv) + { + if (itv->udma.SG_handle == 0) { + /* Map DMA Page Array Buffer */ +- itv->udma.SG_handle = pci_map_single(itv->pdev, itv->udma.SGarray, +- sizeof(itv->udma.SGarray), PCI_DMA_TODEVICE); ++ itv->udma.SG_handle = dma_map_single(&itv->pdev->dev, ++ itv->udma.SGarray, ++ sizeof(itv->udma.SGarray), ++ DMA_TO_DEVICE); + ivtv_udma_sync_for_cpu(itv); + } + } +@@ -138,7 +140,8 @@ int ivtv_udma_setup(struct ivtv *itv, un + } + + /* Map SG List */ +- dma->SG_length = pci_map_sg(itv->pdev, dma->SGlist, dma->page_count, PCI_DMA_TODEVICE); ++ dma->SG_length = dma_map_sg(&itv->pdev->dev, dma->SGlist, ++ dma->page_count, DMA_TO_DEVICE); + + /* Fill SG Array with new values */ + ivtv_udma_fill_sg_array (dma, ivtv_dest_addr, 0, -1); +@@ -163,7 +166,8 @@ void ivtv_udma_unmap(struct ivtv *itv) + + /* Unmap Scatterlist */ + if (dma->SG_length) { +- pci_unmap_sg(itv->pdev, dma->SGlist, dma->page_count, PCI_DMA_TODEVICE); ++ dma_unmap_sg(&itv->pdev->dev, dma->SGlist, dma->page_count, ++ DMA_TO_DEVICE); + dma->SG_length = 0; + } + /* sync DMA */ +@@ -182,13 +186,14 @@ void ivtv_udma_free(struct ivtv *itv) + + /* Unmap SG Array */ + if (itv->udma.SG_handle) { +- pci_unmap_single(itv->pdev, itv->udma.SG_handle, +- sizeof(itv->udma.SGarray), PCI_DMA_TODEVICE); ++ dma_unmap_single(&itv->pdev->dev, itv->udma.SG_handle, ++ sizeof(itv->udma.SGarray), DMA_TO_DEVICE); + } + + /* Unmap Scatterlist */ + if (itv->udma.SG_length) { +- pci_unmap_sg(itv->pdev, itv->udma.SGlist, itv->udma.page_count, PCI_DMA_TODEVICE); ++ dma_unmap_sg(&itv->pdev->dev, itv->udma.SGlist, ++ itv->udma.page_count, DMA_TO_DEVICE); + } + + for (i = 0; i < IVTV_DMA_SG_OSD_ENT; i++) { +--- a/drivers/media/pci/ivtv/ivtv-yuv.c ++++ b/drivers/media/pci/ivtv/ivtv-yuv.c +@@ -118,7 +118,8 @@ static int ivtv_yuv_prep_user_dma(struct + dma->page_count = 0; + return -ENOMEM; + } +- dma->SG_length = pci_map_sg(itv->pdev, dma->SGlist, dma->page_count, PCI_DMA_TODEVICE); ++ dma->SG_length = dma_map_sg(&itv->pdev->dev, dma->SGlist, ++ dma->page_count, DMA_TO_DEVICE); + + /* Fill SG Array with new values */ + ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size); +@@ -925,7 +926,9 @@ static void ivtv_yuv_init(struct ivtv *i + /* We need a buffer for blanking when Y plane is offset - non-fatal if we can't get one */ + yi->blanking_ptr = kzalloc(720 * 16, GFP_ATOMIC|__GFP_NOWARN); + if (yi->blanking_ptr) { +- yi->blanking_dmaptr = pci_map_single(itv->pdev, yi->blanking_ptr, 720*16, PCI_DMA_TODEVICE); ++ yi->blanking_dmaptr = dma_map_single(&itv->pdev->dev, ++ yi->blanking_ptr, ++ 720 * 16, DMA_TO_DEVICE); + } else { + yi->blanking_dmaptr = 0; + IVTV_DEBUG_WARN("Failed to allocate yuv blanking buffer\n"); +@@ -1269,7 +1272,8 @@ void ivtv_yuv_close(struct ivtv *itv) + if (yi->blanking_ptr) { + kfree(yi->blanking_ptr); + yi->blanking_ptr = NULL; +- pci_unmap_single(itv->pdev, yi->blanking_dmaptr, 720*16, PCI_DMA_TODEVICE); ++ dma_unmap_single(&itv->pdev->dev, yi->blanking_dmaptr, ++ 720 * 16, DMA_TO_DEVICE); + } + + /* Invalidate the old dimension information */ diff --git a/queue-5.4/media-rc-directly-use-ida_free.patch b/queue-5.4/media-rc-directly-use-ida_free.patch new file mode 100644 index 0000000000..865b47159e --- /dev/null +++ b/queue-5.4/media-rc-directly-use-ida_free.patch @@ -0,0 +1,84 @@ +From stable+bounces-187723-greg=kroah.com@vger.kernel.org Sat Oct 18 01:32:00 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 19:31:50 -0400 +Subject: media: rc: Directly use ida_free() +To: stable@vger.kernel.org +Cc: keliu , Sean Young , Mauro Carvalho Chehab , Sasha Levin +Message-ID: <20251017233151.37969-1-sashal@kernel.org> + +From: keliu + +[ Upstream commit cd54ff938091d890edf78e6555ec30c63dcd2eb5 ] + +Use ida_alloc() and ida_free() instead of the deprecated +ida_simple_get() and ida_simple_remove(). + +Signed-off-by: keliu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 4f4098c57e13 ("media: lirc: Fix error handling in lirc_register()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/lirc_dev.c | 6 +++--- + drivers/media/rc/rc-main.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/media/rc/lirc_dev.c ++++ b/drivers/media/rc/lirc_dev.c +@@ -746,7 +746,7 @@ int ir_lirc_register(struct rc_dev *dev) + const char *rx_type, *tx_type; + int err, minor; + +- minor = ida_simple_get(&lirc_ida, 0, RC_DEV_MAX, GFP_KERNEL); ++ minor = ida_alloc_max(&lirc_ida, RC_DEV_MAX - 1, GFP_KERNEL); + if (minor < 0) + return minor; + +@@ -791,7 +791,7 @@ int ir_lirc_register(struct rc_dev *dev) + return 0; + + out_ida: +- ida_simple_remove(&lirc_ida, minor); ++ ida_free(&lirc_ida, minor); + return err; + } + +@@ -809,7 +809,7 @@ void ir_lirc_unregister(struct rc_dev *d + spin_unlock_irqrestore(&dev->lirc_fh_lock, flags); + + cdev_device_del(&dev->lirc_cdev, &dev->lirc_dev); +- ida_simple_remove(&lirc_ida, MINOR(dev->lirc_dev.devt)); ++ ida_free(&lirc_ida, MINOR(dev->lirc_dev.devt)); + } + + int __init lirc_dev_init(void) +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -1861,7 +1861,7 @@ int rc_register_device(struct rc_dev *de + if (!dev) + return -EINVAL; + +- minor = ida_simple_get(&rc_ida, 0, RC_DEV_MAX, GFP_KERNEL); ++ minor = ida_alloc_max(&rc_ida, RC_DEV_MAX - 1, GFP_KERNEL); + if (minor < 0) + return minor; + +@@ -1944,7 +1944,7 @@ out_rx_free: + out_raw: + ir_raw_event_free(dev); + out_minor: +- ida_simple_remove(&rc_ida, minor); ++ ida_free(&rc_ida, minor); + return rc; + } + EXPORT_SYMBOL_GPL(rc_register_device); +@@ -2004,7 +2004,7 @@ void rc_unregister_device(struct rc_dev + + device_del(&dev->dev); + +- ida_simple_remove(&rc_ida, dev->minor); ++ ida_free(&rc_ida, dev->minor); + + if (!dev->managed_alloc) + rc_free_device(dev); diff --git a/queue-5.4/series b/queue-5.4/series index 162a973cfa..23dcdd2455 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -149,3 +149,10 @@ cramfs-verify-inode-mode-when-loading-from-disk.patch xen-events-cleanup-find_virq-return-codes.patch media-cx18-add-missing-check-after-dma-map.patch pwm-berlin-fix-wrong-register-in-suspend-resume.patch +btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch +drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch +media-rc-directly-use-ida_free.patch +media-lirc-fix-error-handling-in-lirc_register.patch +xen-events-update-virq_to_irq-on-migration.patch +media-pci-ivtv-switch-from-pci_-to-dma_-api.patch +media-pci-ivtv-add-missing-check-after-dma-map.patch diff --git a/queue-5.4/xen-events-update-virq_to_irq-on-migration.patch b/queue-5.4/xen-events-update-virq_to_irq-on-migration.patch new file mode 100644 index 0000000000..6ea35e2678 --- /dev/null +++ b/queue-5.4/xen-events-update-virq_to_irq-on-migration.patch @@ -0,0 +1,64 @@ +From stable+bounces-186471-greg=kroah.com@vger.kernel.org Fri Oct 17 17:10:17 2025 +From: Sasha Levin +Date: Fri, 17 Oct 2025 11:02:13 -0400 +Subject: xen/events: Update virq_to_irq on migration +To: stable@vger.kernel.org +Cc: Jason Andryuk , Juergen Gross , Sasha Levin +Message-ID: <20251017150213.4015434-1-sashal@kernel.org> + +From: Jason Andryuk + +[ Upstream commit 3fcc8e146935415d69ffabb5df40ecf50e106131 ] + +VIRQs come in 3 flavors, per-VPU, per-domain, and global, and the VIRQs +are tracked in per-cpu virq_to_irq arrays. + +Per-domain and global VIRQs must be bound on CPU 0, and +bind_virq_to_irq() sets the per_cpu virq_to_irq at registration time +Later, the interrupt can migrate, and info->cpu is updated. When +calling __unbind_from_irq(), the per-cpu virq_to_irq is cleared for a +different cpu. If bind_virq_to_irq() is called again with CPU 0, the +stale irq is returned. There won't be any irq_info for the irq, so +things break. + +Make xen_rebind_evtchn_to_cpu() update the per_cpu virq_to_irq mappings +to keep them update to date with the current cpu. This ensures the +correct virq_to_irq is cleared in __unbind_from_irq(). + +Fixes: e46cdb66c8fc ("xen: event channels") +Cc: stable@vger.kernel.org +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Message-ID: <20250828003604.8949-4-jason.andryuk@amd.com> +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/events/events_base.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -1717,9 +1717,20 @@ static int xen_rebind_evtchn_to_cpu(stru + * virq or IPI channel, which don't actually need to be rebound. Ignore + * it, but don't do the xenlinux-level rebind in that case. + */ +- if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0) ++ if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0) { ++ int old_cpu = info->cpu; ++ + bind_evtchn_to_cpu(evtchn, tcpu); + ++ if (info->type == IRQT_VIRQ) { ++ int virq = info->u.virq; ++ int irq = per_cpu(virq_to_irq, old_cpu)[virq]; ++ ++ per_cpu(virq_to_irq, old_cpu)[virq] = -1; ++ per_cpu(virq_to_irq, tcpu)[virq] = irq; ++ } ++ } ++ + do_unmask(info, EVT_MASK_REASON_TEMPORARY); + + return 0;