--- /dev/null
+From 7fa3e7d114abc9cc71cc35d768e116641074ddb4 Mon Sep 17 00:00:00 2001
+From: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
+Date: Mon, 17 Nov 2025 11:59:45 +0100
+Subject: dm-ebs: Mark full buffer dirty even on partial write
+
+From: Uladzislau Rezki (Sony) <urezki@gmail.com>
+
+commit 7fa3e7d114abc9cc71cc35d768e116641074ddb4 upstream.
+
+When performing a read-modify-write(RMW) operation, any modification
+to a buffered block must cause the entire buffer to be marked dirty.
+
+Marking only a subrange as dirty is incorrect because the underlying
+device block size(ubs) defines the minimum read/write granularity. A
+lower device can perform I/O only on regions which are fully aligned
+and sized to ubs.
+
+This change ensures that write-back operations always occur in full
+ubs-sized chunks, matching the intended emulation semantics of the
+EBS target.
+
+As for user space visible impact, submitting sub-ubs and misaligned
+I/O for devices which are tuned to ubs sizes only, will reject such
+requests, therefore it can lead to losing data. Example:
+
+1) Create a 8K nvme device in qemu by adding
+
+-device nvme,drive=drv0,serial=foo,logical_block_size=8192,physical_block_size=8192
+
+2) Setup dm-ebs to emulate 512B to 8K mapping
+
+urezki@pc638:~/bin$ cat dmsetup.sh
+
+lower=/dev/nvme0n1
+len=$(blockdev --getsz "$lower")
+
+echo "0 $len ebs $lower 0 1 16" | dmsetup create nvme-8k
+urezki@pc638:~/bin$
+
+offset 0, ebs=1 and ubs=16(in sectors).
+
+3) Create an ext4 filesystem(default 4K block size)
+
+urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0
+mke2fs 1.47.0 (5-Feb-2023)
+Discarding device blocks: done
+Creating filesystem with 2072576 4k blocks and 518144 inodes
+Filesystem UUID: bd0b6ca6-0506-4e31-86da-8d22c9d50b63
+Superblock backups stored on blocks:
+ 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
+
+Allocating group tables: done
+Writing inode tables: done
+Creating journal (16384 blocks): done
+Writing superblocks and filesystem accounting information: mkfs.ext4: Input/output error while writing out and closing file system
+urezki@pc638:~/bin$ dmesg
+
+<snip>
+[ 1618.875449] buffer_io_error: 1028 callbacks suppressed
+[ 1618.875456] Buffer I/O error on dev dm-0, logical block 0, lost async page write
+[ 1618.875527] Buffer I/O error on dev dm-0, logical block 1, lost async page write
+[ 1618.875602] Buffer I/O error on dev dm-0, logical block 2, lost async page write
+[ 1618.875620] Buffer I/O error on dev dm-0, logical block 3, lost async page write
+[ 1618.875639] Buffer I/O error on dev dm-0, logical block 4, lost async page write
+[ 1618.894316] Buffer I/O error on dev dm-0, logical block 5, lost async page write
+[ 1618.894358] Buffer I/O error on dev dm-0, logical block 6, lost async page write
+[ 1618.894380] Buffer I/O error on dev dm-0, logical block 7, lost async page write
+[ 1618.894405] Buffer I/O error on dev dm-0, logical block 8, lost async page write
+[ 1618.894427] Buffer I/O error on dev dm-0, logical block 9, lost async page write
+<snip>
+
+Many I/O errors because the lower 8K device rejects sub-ubs/misaligned
+requests.
+
+with a patch:
+
+urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0
+mke2fs 1.47.0 (5-Feb-2023)
+Discarding device blocks: done
+Creating filesystem with 2072576 4k blocks and 518144 inodes
+Filesystem UUID: 9b54f44f-ef55-4bd4-9e40-c8b775a616ac
+Superblock backups stored on blocks:
+ 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
+
+Allocating group tables: done
+Writing inode tables: done
+Creating journal (16384 blocks): done
+Writing superblocks and filesystem accounting information: done
+
+urezki@pc638:~/bin$ sudo mount /dev/dm-0 /mnt/
+urezki@pc638:~/bin$ ls -al /mnt/
+total 24
+drwxr-xr-x 3 root root 4096 Oct 17 15:13 .
+drwxr-xr-x 19 root root 4096 Jul 10 19:42 ..
+drwx------ 2 root root 16384 Oct 17 15:13 lost+found
+urezki@pc638:~/bin$
+
+After this change: mkfs completes; mount succeeds.
+
+Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-ebs-target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-ebs-target.c
++++ b/drivers/md/dm-ebs-target.c
+@@ -101,7 +101,7 @@ static int __ebs_rw_bvec(struct ebs_c *e
+ } else {
+ flush_dcache_page(bv->bv_page);
+ memcpy(ba, pa, cur_len);
+- dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len);
++ dm_bufio_mark_buffer_dirty(b);
+ }
+
+ dm_bufio_release(b);
--- /dev/null
+From e3f44742bbb10537fe53d83d20dea2a7c167674d Mon Sep 17 00:00:00 2001
+From: Rene Rebe <rene@exactco.de>
+Date: Fri, 14 Nov 2025 16:00:42 +0100
+Subject: fbdev: gbefb: fix to use physical address instead of dma address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rene Rebe <rene@exactco.de>
+
+commit e3f44742bbb10537fe53d83d20dea2a7c167674d upstream.
+
+While debuggigng why X would not start on mips64 Sgi/O2 I found the
+phys adress being off. Turns out the gbefb passed the internal
+dma_addr as phys. May be broken pre git history. Fix by converting
+dma_to_phys.
+
+Signed-off-by: René Rebe <rene@exactco.de>
+Cc: <stable@vger.kernel.org> # v4.0+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/gbefb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/gbefb.c
++++ b/drivers/video/fbdev/gbefb.c
+@@ -12,6 +12,7 @@
+ #include <linux/delay.h>
+ #include <linux/platform_device.h>
+ #include <linux/dma-mapping.h>
++#include <linux/dma-direct.h>
+ #include <linux/errno.h>
+ #include <linux/gfp.h>
+ #include <linux/fb.h>
+@@ -65,7 +66,7 @@ struct gbefb_par {
+ static unsigned int gbe_mem_size = CONFIG_FB_GBE_MEM * 1024*1024;
+ static void *gbe_mem;
+ static dma_addr_t gbe_dma_addr;
+-static unsigned long gbe_mem_phys;
++static phys_addr_t gbe_mem_phys;
+
+ static struct {
+ uint16_t *cpu;
+@@ -1189,7 +1190,7 @@ static int gbefb_probe(struct platform_d
+ goto out_release_mem_region;
+ }
+
+- gbe_mem_phys = (unsigned long) gbe_dma_addr;
++ gbe_mem_phys = dma_to_phys(&p_dev->dev, gbe_dma_addr);
+ }
+
+ par = info->par;
--- /dev/null
+From 0155e868cbc111846cc2809c1546ea53810a56ae Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Tue, 2 Dec 2025 19:15:32 +0100
+Subject: fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 0155e868cbc111846cc2809c1546ea53810a56ae upstream.
+
+The variables were never clamped because the return value of clamp_val()
+was not used. Fix this by assigning the clamped values, and use clamp()
+instead of clamp_val().
+
+Cc: stable@vger.kernel.org
+Fixes: 3f16ff608a75 ("[ARM] pxafb: cleanup of the timing checking code")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/pxafb.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/video/fbdev/pxafb.c
++++ b/drivers/video/fbdev/pxafb.c
+@@ -418,12 +418,12 @@ static int pxafb_adjust_timing(struct px
+ var->yres = max_t(int, var->yres, MIN_YRES);
+
+ if (!(fbi->lccr0 & LCCR0_LCDT)) {
+- clamp_val(var->hsync_len, 1, 64);
+- clamp_val(var->vsync_len, 1, 64);
+- clamp_val(var->left_margin, 1, 255);
+- clamp_val(var->right_margin, 1, 255);
+- clamp_val(var->upper_margin, 1, 255);
+- clamp_val(var->lower_margin, 1, 255);
++ var->hsync_len = clamp(var->hsync_len, 1, 64);
++ var->vsync_len = clamp(var->vsync_len, 1, 64);
++ var->left_margin = clamp(var->left_margin, 1, 255);
++ var->right_margin = clamp(var->right_margin, 1, 255);
++ var->upper_margin = clamp(var->upper_margin, 1, 255);
++ var->lower_margin = clamp(var->lower_margin, 1, 255);
+ }
+
+ /* make sure each line is aligned on word boundary */
--- /dev/null
+From 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ren=C3=A9=20Rebe?= <rene@exactco.de>
+Date: Thu, 20 Nov 2025 14:24:00 +0100
+Subject: fbdev: tcx.c fix mem_map to correct smem_start offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: René Rebe <rene@exactco.de>
+
+commit 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e upstream.
+
+403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") changed the
+physbase initializing breaking the user-space mmap, e.g. for Xorg
+entirely.
+
+Fix fbdev mmap table so the sbus mmap helper work correctly, and
+not try to map vastly (physbase) offset memory.
+
+Fixes: 403ae52ac047 ("sparc: fix drivers/video/tcx.c warning")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: René Rebe <rene@exactco.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/tcx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/tcx.c
++++ b/drivers/video/fbdev/tcx.c
+@@ -436,7 +436,7 @@ static int tcx_probe(struct platform_dev
+ j = i;
+ break;
+ }
+- par->mmap_map[i].poff = op->resource[j].start;
++ par->mmap_map[i].poff = op->resource[j].start - info->fix.smem_start;
+ }
+
+ info->flags = FBINFO_DEFAULT;
--- /dev/null
+From 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b Mon Sep 17 00:00:00 2001
+From: Mahesh Rao <mahesh.rao@altera.com>
+Date: Mon, 27 Oct 2025 22:54:40 +0800
+Subject: firmware: stratix10-svc: Add mutex in stratix10 memory management
+
+From: Mahesh Rao <mahesh.rao@altera.com>
+
+commit 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b upstream.
+
+Add mutex lock to stratix10_svc_allocate_memory and
+stratix10_svc_free_memory for thread safety. This prevents race
+conditions and ensures proper synchronization during memory operations.
+This is required for parallel communication with the Stratix10 service
+channel.
+
+Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mahesh Rao <mahesh.rao@altera.com>
+Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/stratix10-svc.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/firmware/stratix10-svc.c
++++ b/drivers/firmware/stratix10-svc.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0
+ /*
+ * Copyright (C) 2017-2018, Intel Corporation
++ * Copyright (C) 2025, Altera Corporation
+ */
+
+ #include <linux/completion.h>
+@@ -168,6 +169,12 @@ static LIST_HEAD(svc_ctrl);
+ static LIST_HEAD(svc_data_mem);
+
+ /**
++ * svc_mem_lock protects access to the svc_data_mem list for
++ * concurrent multi-client operations
++ */
++static DEFINE_MUTEX(svc_mem_lock);
++
++/**
+ * svc_pa_to_va() - translate physical address to virtual address
+ * @addr: to be translated physical address
+ *
+@@ -179,6 +186,7 @@ static void *svc_pa_to_va(unsigned long
+ struct stratix10_svc_data_mem *pmem;
+
+ pr_debug("claim back P-addr=0x%016x\n", (unsigned int)addr);
++ guard(mutex)(&svc_mem_lock);
+ list_for_each_entry(pmem, &svc_data_mem, node)
+ if (pmem->paddr == addr)
+ return pmem->vaddr;
+@@ -844,6 +852,7 @@ int stratix10_svc_send(struct stratix10_
+ p_data->flag = ct->flags;
+ }
+ } else {
++ guard(mutex)(&svc_mem_lock);
+ list_for_each_entry(p_mem, &svc_data_mem, node)
+ if (p_mem->vaddr == p_msg->payload) {
+ p_data->paddr = p_mem->paddr;
+@@ -915,6 +924,7 @@ void *stratix10_svc_allocate_memory(stru
+ if (!pmem)
+ return ERR_PTR(-ENOMEM);
+
++ guard(mutex)(&svc_mem_lock);
+ va = gen_pool_alloc(genpool, s);
+ if (!va)
+ return ERR_PTR(-ENOMEM);
+@@ -943,6 +953,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate
+ void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr)
+ {
+ struct stratix10_svc_data_mem *pmem;
++ guard(mutex)(&svc_mem_lock);
+
+ list_for_each_entry(pmem, &svc_data_mem, node)
+ if (pmem->vaddr == kaddr) {
--- /dev/null
+From 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 Mon Sep 17 00:00:00 2001
+From: Ivan Abramov <i.abramov@mt-integration.ru>
+Date: Wed, 3 Sep 2025 02:23:31 +0300
+Subject: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
+
+From: Ivan Abramov <i.abramov@mt-integration.ru>
+
+commit 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 upstream.
+
+It's possible for cp_read() and hdmi_read() to return -EIO. Those
+values are further used as indexes for accessing arrays.
+
+Fix that by checking return values where it's needed.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/adv7842.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/adv7842.c
++++ b/drivers/media/i2c/adv7842.c
+@@ -2671,6 +2671,7 @@ static int adv7842_cp_log_status(struct
+ /* CP block */
+ struct adv7842_state *state = to_state(sd);
+ struct v4l2_dv_timings timings;
++ int temp;
+ u8 reg_io_0x02 = io_read(sd, 0x02);
+ u8 reg_io_0x21 = io_read(sd, 0x21);
+ u8 reg_rep_0x77 = rep_read(sd, 0x77);
+@@ -2793,8 +2794,9 @@ static int adv7842_cp_log_status(struct
+ (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ?
+ "(16-235)" : "(0-255)",
+ (reg_io_0x02 & 0x08) ? "enabled" : "disabled");
++ temp = cp_read(sd, 0xf4) >> 4;
+ v4l2_info(sd, "Color space conversion: %s\n",
+- csc_coeff_sel_rb[cp_read(sd, 0xf4) >> 4]);
++ temp < 0 ? "" : csc_coeff_sel_rb[temp]);
+
+ if (!is_digital_input(sd))
+ return 0;
+@@ -2824,8 +2826,9 @@ static int adv7842_cp_log_status(struct
+ hdmi_read(sd, 0x5f));
+ v4l2_info(sd, "AV Mute: %s\n",
+ (hdmi_read(sd, 0x04) & 0x40) ? "on" : "off");
++ temp = hdmi_read(sd, 0x0b) >> 6;
+ v4l2_info(sd, "Deep color mode: %s\n",
+- deep_color_mode_txt[hdmi_read(sd, 0x0b) >> 6]);
++ temp < 0 ? "" : deep_color_mode_txt[temp]);
+
+ adv7842_log_infoframes(sd);
+
--- /dev/null
+From c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb Mon Sep 17 00:00:00 2001
+From: Haotian Zhang <vulab@iscas.ac.cn>
+Date: Mon, 29 Sep 2025 19:12:29 +0800
+Subject: media: cec: Fix debugfs leak on bus_register() failure
+
+From: Haotian Zhang <vulab@iscas.ac.cn>
+
+commit c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb upstream.
+
+In cec_devnode_init(), the debugfs directory created with
+debugfs_create_dir() is not removed if bus_register() fails.
+This leaves a stale "cec" entry in debugfs and prevents
+proper module reloading.
+
+Fix this by removing the debugfs directory in the error path.
+
+Fixes: a56960e8b406 ("[media] cec: add HDMI CEC framework (core)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/cec/core/cec-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/cec/core/cec-core.c
++++ b/drivers/media/cec/core/cec-core.c
+@@ -433,6 +433,7 @@ static int __init cec_devnode_init(void)
+
+ ret = bus_register(&cec_bus_type);
+ if (ret < 0) {
++ debugfs_remove_recursive(top_cec_dir);
+ unregister_chrdev_region(cec_dev_t, CEC_NUM_DEVICES);
+ pr_warn("cec: bus_register failed\n");
+ return -EIO;
--- /dev/null
+From 8f34f24355a607b98ecd9924837aab13c676eeca Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Tue, 2 Sep 2025 09:53:37 +0800
+Subject: media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 8f34f24355a607b98ecd9924837aab13c676eeca upstream.
+
+The delayed_work delayed_work_enable_hotplug is initialized with
+INIT_DELAYED_WORK() in adv76xx_probe(), but it is never scheduled
+anywhere in the probe function.
+
+Calling cancel_delayed_work() on a work that has never been
+scheduled is redundant and unnecessary, as there is no pending
+work to cancel.
+
+Remove the redundant cancel_delayed_work() from error handling
+path and adjust the goto label accordingly to simplify the code
+and avoid potential confusion.
+
+Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/adv7604.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -3561,7 +3561,7 @@ static int adv76xx_probe(struct i2c_clie
+ err = media_entity_pads_init(&sd->entity, state->source_pad + 1,
+ state->pads);
+ if (err)
+- goto err_work_queues;
++ goto err_i2c;
+
+ /* Configure regmaps */
+ err = configure_regmaps(state);
+@@ -3602,8 +3602,6 @@ static int adv76xx_probe(struct i2c_clie
+
+ err_entity:
+ media_entity_cleanup(&sd->entity);
+-err_work_queues:
+- cancel_delayed_work(&state->delayed_work_enable_hotplug);
+ err_i2c:
+ adv76xx_unregister_clients(state);
+ err_hdl:
--- /dev/null
+From e66a5cc606c58e72f18f9cdd868a3672e918f9f8 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Tue, 2 Sep 2025 09:10:31 +0800
+Subject: media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit e66a5cc606c58e72f18f9cdd868a3672e918f9f8 upstream.
+
+The delayed_work delayed_work_enable_hotplug is initialized with
+INIT_DELAYED_WORK() in adv7842_probe(), but it is never scheduled
+anywhere in the probe function.
+
+Calling cancel_delayed_work() on a work that has never been
+scheduled is redundant and unnecessary, as there is no pending
+work to cancel.
+
+Remove the redundant cancel_delayed_work() from error handling
+path and adjust the goto label accordingly to simplify the code
+and avoid potential confusion.
+
+Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/adv7842.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/media/i2c/adv7842.c
++++ b/drivers/media/i2c/adv7842.c
+@@ -3552,7 +3552,7 @@ static int adv7842_probe(struct i2c_clie
+ state->pad.flags = MEDIA_PAD_FL_SOURCE;
+ err = media_entity_pads_init(&sd->entity, 1, &state->pad);
+ if (err)
+- goto err_work_queues;
++ goto err_i2c;
+
+ err = adv7842_core_init(sd);
+ if (err)
+@@ -3573,8 +3573,6 @@ static int adv7842_probe(struct i2c_clie
+
+ err_entity:
+ media_entity_cleanup(&sd->entity);
+-err_work_queues:
+- cancel_delayed_work(&state->delayed_work_enable_hotplug);
+ err_i2c:
+ adv7842_unregister_clients(sd);
+ err_hdl:
--- /dev/null
+From d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 Mon Sep 17 00:00:00 2001
+From: Ivan Abramov <i.abramov@mt-integration.ru>
+Date: Wed, 3 Sep 2025 02:28:14 +0300
+Subject: media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
+
+From: Ivan Abramov <i.abramov@mt-integration.ru>
+
+commit d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 upstream.
+
+It's possible for max1 to remain -1 if msp_read() always fail. This
+variable is further used as index for accessing arrays.
+
+Fix that by checking max1 prior to array accesses.
+
+It seems that restart is the preferable action in case of out-of-bounds
+value.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/msp3400-kthreads.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/msp3400-kthreads.c
++++ b/drivers/media/i2c/msp3400-kthreads.c
+@@ -592,6 +592,8 @@ restart:
+ "carrier2 val: %5d / %s\n", val, cd[i].name);
+ }
+
++ if (max1 < 0 || max1 > 3)
++ goto restart;
+ /* program the msp3400 according to the results */
+ state->main = msp3400c_carrier_detect_main[max1].cdo;
+ switch (max1) {
--- /dev/null
+From 29de195ca39fc2ac0af6fd45522994df9f431f80 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Mon, 1 Sep 2025 21:26:17 +0800
+Subject: media: TDA1997x: Remove redundant cancel_delayed_work in probe
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit 29de195ca39fc2ac0af6fd45522994df9f431f80 upstream.
+
+The delayed_work delayed_work_enable_hpd is initialized with
+INIT_DELAYED_WORK(), but it is never scheduled in tda1997x_probe().
+
+Calling cancel_delayed_work() on a work that has never been
+scheduled is redundant and unnecessary, as there is no pending
+work to cancel.
+
+Remove the redundant cancel_delayed_work() from error handling
+path in tda1997x_probe() to avoid potential confusion.
+
+Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/tda1997x.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/i2c/tda1997x.c
++++ b/drivers/media/i2c/tda1997x.c
+@@ -2779,7 +2779,6 @@ err_free_media:
+ err_free_handler:
+ v4l2_ctrl_handler_free(&state->hdl);
+ err_free_mutex:
+- cancel_delayed_work(&state->delayed_work_enable_hpd);
+ mutex_destroy(&state->page_lock);
+ mutex_destroy(&state->lock);
+ err_free_state:
--- /dev/null
+From 5fb1d3ce3e74a4530042795e1e065422295f1371 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Wed, 15 Oct 2025 23:21:41 +0200
+Subject: parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
+
+From: Sven Schnelle <svens@stackframe.org>
+
+commit 5fb1d3ce3e74a4530042795e1e065422295f1371 upstream.
+
+When the kernel leaves to userspace via syscall_restore_rfi(), the
+W bit is not set in the new PSW. This doesn't cause any problems
+because there's no 64 bit userspace for parisc. Simple static binaries
+are usually loaded at addresses way below the 32 bit limit so the W bit
+doesn't matter.
+
+Fix this by setting the W bit when TIF_32BIT is not set.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/asm-offsets.c | 2 ++
+ arch/parisc/kernel/entry.S | 5 ++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/asm-offsets.c
++++ b/arch/parisc/kernel/asm-offsets.c
+@@ -262,6 +262,8 @@ int main(void)
+ BLANK();
+ DEFINE(TIF_BLOCKSTEP_PA_BIT, 31-TIF_BLOCKSTEP);
+ DEFINE(TIF_SINGLESTEP_PA_BIT, 31-TIF_SINGLESTEP);
++ DEFINE(TIF_32BIT_PA_BIT, 31-TIF_32BIT);
++
+ BLANK();
+ DEFINE(ASM_PMD_SHIFT, PMD_SHIFT);
+ DEFINE(ASM_PGDIR_SHIFT, PGDIR_SHIFT);
+--- a/arch/parisc/kernel/entry.S
++++ b/arch/parisc/kernel/entry.S
+@@ -1913,6 +1913,10 @@ syscall_restore_rfi:
+ extru,= %r19,TIF_BLOCKSTEP_PA_BIT,1,%r0
+ depi -1,7,1,%r20 /* T bit */
+
++#ifdef CONFIG_64BIT
++ extru,<> %r19,TIF_32BIT_PA_BIT,1,%r0
++ depi -1,4,1,%r20 /* W bit */
++#endif
+ STREG %r20,TASK_PT_PSW(%r1)
+
+ /* Always store space registers, since sr3 can be changed (e.g. fork) */
+@@ -1926,7 +1930,6 @@ syscall_restore_rfi:
+ STREG %r25,TASK_PT_IASQ0(%r1)
+ STREG %r25,TASK_PT_IASQ1(%r1)
+
+- /* XXX W bit??? */
+ /* Now if old D bit is clear, it means we didn't save all registers
+ * on syscall entry, so do that now. This only happens on TRACEME
+ * calls, or if someone attached to us while we were on a syscall.
--- /dev/null
+From 1aa4524c0c1b54842c4c0a370171d11b12d0709b Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@stackframe.org>
+Date: Thu, 30 Oct 2025 08:56:05 +0100
+Subject: parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
+
+From: Sven Schnelle <svens@stackframe.org>
+
+commit 1aa4524c0c1b54842c4c0a370171d11b12d0709b upstream.
+
+In wide mode, the IASQ contain the upper part of the GVA
+during interruption. This needs to be reversed before
+the space is used - otherwise it contains parts of IAOQ.
+See Page 2-13 "Processing Resources / Interruption Instruction
+Address Queues" in the Parisc 2.0 Architecture Manual page 2-13
+for an explanation.
+
+The IAOQ/IASQ space_adjust was skipped for other interruptions
+than itlb misses. However, the code in handle_interruption()
+checks whether iasq[0] contains a valid space. Due to the not
+masked out bits this match failed and the process was killed.
+
+Also add space_adjust for IAOQ1/IASQ1 so ptregs contains sane values.
+
+Signed-off-by: Sven Schnelle <svens@stackframe.org>
+Cc: stable@vger.kernel.org # v6.0+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/entry.S | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/kernel/entry.S
++++ b/arch/parisc/kernel/entry.S
+@@ -1072,8 +1072,6 @@ ENTRY_CFI(intr_save) /* for os_hpmc */
+ STREG %r17, PT_IOR(%r29)
+
+ #if defined(CONFIG_64BIT)
+- b,n intr_save2
+-
+ skip_save_ior:
+ /* We have a itlb miss, and when executing code above 4 Gb on ILP64, we
+ * need to adjust iasq/iaoq here in the same way we adjusted isr/ior
+@@ -1082,10 +1080,17 @@ skip_save_ior:
+ bb,COND(>=),n %r8,PSW_W_BIT,intr_save2
+ LDREG PT_IASQ0(%r29), %r16
+ LDREG PT_IAOQ0(%r29), %r17
+- /* adjust iasq/iaoq */
++ /* adjust iasq0/iaoq0 */
+ space_adjust %r16,%r17,%r1
+ STREG %r16, PT_IASQ0(%r29)
+ STREG %r17, PT_IAOQ0(%r29)
++
++ LDREG PT_IASQ1(%r29), %r16
++ LDREG PT_IAOQ1(%r29), %r17
++ /* adjust iasq1/iaoq1 */
++ space_adjust %r16,%r17,%r1
++ STREG %r16, PT_IASQ1(%r29)
++ STREG %r17, PT_IAOQ1(%r29)
+ #else
+ skip_save_ior:
+ #endif
mfd-altera-sysmgr-fix-device-leak-on-sysmgr-regmap-lookup.patch
mfd-max77620-fix-potential-irq-chip-conflict-when-probing-two-devices.patch
media-rc-st_rc-fix-reset-control-resource-leak.patch
+parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch
+parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch
+media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch
+firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch
+dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch
+fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch
+fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch
+fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch
+media-cec-fix-debugfs-leak-on-bus_register-failure.patch
+media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch
+media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch
+media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch
+media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
