From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 10:59:21 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.12.24~84 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7efdb26934916270b679bf844e570100490f8206;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: accel-ivpu-fix-deadlock-in-ivpu_ms_cleanup.patch accel-ivpu-fix-pm-related-deadlocks-in-ms-ioctls.patch accel-ivpu-fix-warning-in-ivpu_ipc_send_receive_internal.patch alsa-hda-realtek-enable-mute-led-on-hp-omen-16-laptop-xd000xx.patch arm64-cputype-add-midr_cortex_a76ae.patch arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch asoc-codecs-wcd937x-fix-a-potential-memory-leak-in-wcd937x_soc_codec_probe.patch asoc-q6apm-add-q6apm_get_hw_pointer-helper.patch asoc-q6apm-dai-make-use-of-q6apm_get_hw_pointer.patch asoc-q6apm-dai-schedule-all-available-frames-to-avoid-dsp-under-runs.patch asoc-qdsp6-q6apm-dai-fix-capture-pipeline-overruns.patch asoc-qdsp6-q6apm-dai-set-10-ms-period-and-buffer-alignment.patch asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch auxdisplay-hd44780-fix-an-api-misuse-in-hd44780.c.patch bus-mhi-host-fix-race-between-unprepare-and-queue_buf.patch clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch dt-bindings-media-st-stmipid02-correct-lane-polarities-maxitems.patch ext4-fix-off-by-one-error-in-do_split.patch f2fs-fix-to-avoid-atomicity-corruption-of-atomic-file.patch io_uring-kbuf-reject-zero-sized-provided-buffers.patch io_uring-net-fix-accept-multishot-handling.patch io_uring-net-fix-io_req_post_cqe-abuse-by-send-bundle.patch kvm-arm64-tear-down-vgic-on-failed-vcpu-creation.patch media-chips-media-wave5-avoid-race-condition-in-the-interrupt-handler.patch media-chips-media-wave5-fix-a-hang-after-seeking.patch media-chips-media-wave5-fix-gray-color-on-screen.patch media-chips-media-wave5-fix-timeout-while-testing-10bit-hevc-fluster.patch media-hi556-fix-memory-leak-on-error-in-hi556_check_hwcfg.patch media-i2c-adv748x-fix-test-pattern-selection-mask.patch media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-probe.patch media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-remove.patch media-i2c-imx214-rectify-probe-error-handling-related-to-runtime-pm.patch media-i2c-imx219-rectify-runtime-pm-handling-in-probe-and-remove.patch media-i2c-imx319-rectify-runtime-pm-handling-probe-and-remove.patch media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch media-i2c-ov7251-set-enable-gpio-low-in-probe.patch media-imx219-adjust-pll-settings-based-on-the-number-of-mipi-lanes.patch media-intel-ipu6-set-the-dev_parent-of-video-device-to-pdev.patch media-mediatek-vcodec-fix-a-resource-leak-related-to-the-scp-device-in-fw-initialization.patch media-mgb4-fix-cmt-registers-update-logic.patch media-mgb4-fix-switched-cmt-frequency-range-magic-values-sets.patch media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch media-nuvoton-fix-reference-handling-of-ece_node.patch media-nuvoton-fix-reference-handling-of-ece_pdev.patch media-platform-stm32-add-check-for-clk_enable.patch media-rockchip-rga-fix-rga-offset-lookup.patch media-siano-fix-error-handling-in-smsdvb_module_init.patch media-streamzap-prevent-processing-ir-data-on-urb-failure.patch media-uapi-rkisp1-config-fix-typo-in-extensible-params-example.patch media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch media-venus-hfi_parser-refactor-hfi-packet-parsing-logic.patch media-vim2m-print-device-name-after-registering-device.patch media-visl-fix-erange-error-when-setting-enum-controls.patch mptcp-sockopt-fix-getting-freebind-transparent.patch mptcp-sockopt-fix-getting-ipv6_v6only.patch mtd-add-check-for-devm_kcalloc.patch mtd-rawnand-brcmnand-fix-pm-resume-warning.patch mtd-replace-kcalloc-with-devm_kcalloc.patch net-dsa-mv88e6xxx-fix-internal-phys-for-6320-family.patch net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch revert-media-imx214-fix-the-error-handling-in-imx214_probe.patch smb311-client-fix-missing-tcon-check-when-mounting-with-linux-posix-extensions.patch soc-samsung-exynos-chipid-add-null-pointer-check-in-exynos_chipid_probe.patch spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch svcrdma-do-not-unregister-device-for-listeners.patch tpm-do-not-start-chip-while-suspended.patch tpm-tpm_tis-fix-timeout-handling-when-waiting-for-tpm-status.patch udf-fix-inode_getblk-return-value.patch vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch wifi-mt76-add-check-for-devm_kstrdup.patch wifi-mt76-mt7925-ensure-wow-pattern-command-align-fw-format.patch wifi-mt76-mt7925-fix-country-count-limitation-for-clc.patch wifi-mt76-mt7925-fix-the-wrong-link_idx-when-a-p2p_device-is-present.patch wifi-mt76-mt7925-fix-the-wrong-simultaneous-cap-for-mlo.patch xenfs-xensyms-respect-hypervisor-s-next-indication.patch --- diff --git a/queue-6.12/accel-ivpu-fix-deadlock-in-ivpu_ms_cleanup.patch b/queue-6.12/accel-ivpu-fix-deadlock-in-ivpu_ms_cleanup.patch new file mode 100644 index 0000000000..a562f4e933 --- /dev/null +++ b/queue-6.12/accel-ivpu-fix-deadlock-in-ivpu_ms_cleanup.patch @@ -0,0 +1,56 @@ +From 9a6f56762d23a1f3af15e67901493c927caaf882 Mon Sep 17 00:00:00 2001 +From: Jacek Lawrynowicz +Date: Tue, 25 Mar 2025 12:43:05 +0100 +Subject: accel/ivpu: Fix deadlock in ivpu_ms_cleanup() + +From: Jacek Lawrynowicz + +commit 9a6f56762d23a1f3af15e67901493c927caaf882 upstream. + +Fix deadlock in ivpu_ms_cleanup() by preventing runtime resume after +file_priv->ms_lock is acquired. + +During a failure in runtime resume, a cold boot is executed, which +calls ivpu_ms_cleanup_all(). This function calls ivpu_ms_cleanup() +that acquires file_priv->ms_lock and causes the deadlock. + +Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support") +Cc: stable@vger.kernel.org # v6.11+ +Signed-off-by: Maciej Falkowski +Reviewed-by: Lizhi Hou +Signed-off-by: Jacek Lawrynowicz +Link: https://lore.kernel.org/r/20250325114306.3740022-2-maciej.falkowski@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_ms.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/accel/ivpu/ivpu_ms.c ++++ b/drivers/accel/ivpu/ivpu_ms.c +@@ -4,6 +4,7 @@ + */ + + #include ++#include + + #include "ivpu_drv.h" + #include "ivpu_gem.h" +@@ -299,6 +300,9 @@ unlock: + void ivpu_ms_cleanup(struct ivpu_file_priv *file_priv) + { + struct ivpu_ms_instance *ms, *tmp; ++ struct ivpu_device *vdev = file_priv->vdev; ++ ++ pm_runtime_get_sync(vdev->drm.dev); + + mutex_lock(&file_priv->ms_lock); + +@@ -311,6 +315,8 @@ void ivpu_ms_cleanup(struct ivpu_file_pr + free_instance(file_priv, ms); + + mutex_unlock(&file_priv->ms_lock); ++ ++ pm_runtime_put_autosuspend(vdev->drm.dev); + } + + void ivpu_ms_cleanup_all(struct ivpu_device *vdev) diff --git a/queue-6.12/accel-ivpu-fix-pm-related-deadlocks-in-ms-ioctls.patch b/queue-6.12/accel-ivpu-fix-pm-related-deadlocks-in-ms-ioctls.patch new file mode 100644 index 0000000000..e4d6c01f70 --- /dev/null +++ b/queue-6.12/accel-ivpu-fix-pm-related-deadlocks-in-ms-ioctls.patch @@ -0,0 +1,112 @@ +From d893da85e06edf54737bb80648bb58ba8fd56d9f Mon Sep 17 00:00:00 2001 +From: Jacek Lawrynowicz +Date: Tue, 25 Mar 2025 12:43:06 +0100 +Subject: accel/ivpu: Fix PM related deadlocks in MS IOCTLs + +From: Jacek Lawrynowicz + +commit d893da85e06edf54737bb80648bb58ba8fd56d9f upstream. + +Prevent runtime resume/suspend while MS IOCTLs are in progress. +Failed suspend will call ivpu_ms_cleanup() that would try to acquire +file_priv->ms_lock, which is already held by the IOCTLs. + +Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support") +Cc: stable@vger.kernel.org # v6.11+ +Signed-off-by: Maciej Falkowski +Reviewed-by: Lizhi Hou +Signed-off-by: Jacek Lawrynowicz +Link: https://lore.kernel.org/r/20250325114306.3740022-3-maciej.falkowski@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_debugfs.c | 4 ++-- + drivers/accel/ivpu/ivpu_ms.c | 18 ++++++++++++++++++ + 2 files changed, 20 insertions(+), 2 deletions(-) + +--- a/drivers/accel/ivpu/ivpu_debugfs.c ++++ b/drivers/accel/ivpu/ivpu_debugfs.c +@@ -331,7 +331,7 @@ ivpu_force_recovery_fn(struct file *file + return -EINVAL; + + ret = ivpu_rpm_get(vdev); +- if (ret) ++ if (ret < 0) + return ret; + + ivpu_pm_trigger_recovery(vdev, "debugfs"); +@@ -408,7 +408,7 @@ static int dct_active_set(void *data, u6 + return -EINVAL; + + ret = ivpu_rpm_get(vdev); +- if (ret) ++ if (ret < 0) + return ret; + + if (active_percent) +--- a/drivers/accel/ivpu/ivpu_ms.c ++++ b/drivers/accel/ivpu/ivpu_ms.c +@@ -44,6 +44,10 @@ int ivpu_ms_start_ioctl(struct drm_devic + args->sampling_period_ns < MS_MIN_SAMPLE_PERIOD_NS) + return -EINVAL; + ++ ret = ivpu_rpm_get(vdev); ++ if (ret < 0) ++ return ret; ++ + mutex_lock(&file_priv->ms_lock); + + if (get_instance_by_mask(file_priv, args->metric_group_mask)) { +@@ -96,6 +100,8 @@ err_free_ms: + kfree(ms); + unlock: + mutex_unlock(&file_priv->ms_lock); ++ ++ ivpu_rpm_put(vdev); + return ret; + } + +@@ -160,6 +166,10 @@ int ivpu_ms_get_data_ioctl(struct drm_de + if (!args->metric_group_mask) + return -EINVAL; + ++ ret = ivpu_rpm_get(vdev); ++ if (ret < 0) ++ return ret; ++ + mutex_lock(&file_priv->ms_lock); + + ms = get_instance_by_mask(file_priv, args->metric_group_mask); +@@ -187,6 +197,7 @@ int ivpu_ms_get_data_ioctl(struct drm_de + unlock: + mutex_unlock(&file_priv->ms_lock); + ++ ivpu_rpm_put(vdev); + return ret; + } + +@@ -204,11 +215,17 @@ int ivpu_ms_stop_ioctl(struct drm_device + { + struct ivpu_file_priv *file_priv = file->driver_priv; + struct drm_ivpu_metric_streamer_stop *args = data; ++ struct ivpu_device *vdev = file_priv->vdev; + struct ivpu_ms_instance *ms; ++ int ret; + + if (!args->metric_group_mask) + return -EINVAL; + ++ ret = ivpu_rpm_get(vdev); ++ if (ret < 0) ++ return ret; ++ + mutex_lock(&file_priv->ms_lock); + + ms = get_instance_by_mask(file_priv, args->metric_group_mask); +@@ -217,6 +234,7 @@ int ivpu_ms_stop_ioctl(struct drm_device + + mutex_unlock(&file_priv->ms_lock); + ++ ivpu_rpm_put(vdev); + return ms ? 0 : -EINVAL; + } + diff --git a/queue-6.12/accel-ivpu-fix-warning-in-ivpu_ipc_send_receive_internal.patch b/queue-6.12/accel-ivpu-fix-warning-in-ivpu_ipc_send_receive_internal.patch new file mode 100644 index 0000000000..0453920e09 --- /dev/null +++ b/queue-6.12/accel-ivpu-fix-warning-in-ivpu_ipc_send_receive_internal.patch @@ -0,0 +1,36 @@ +From 6b4568b675b14cf890c0c21779773c3e08e80ce5 Mon Sep 17 00:00:00 2001 +From: Jacek Lawrynowicz +Date: Tue, 25 Mar 2025 12:42:19 +0100 +Subject: accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal() + +From: Jacek Lawrynowicz + +commit 6b4568b675b14cf890c0c21779773c3e08e80ce5 upstream. + +Warn if device is suspended only when runtime PM is enabled. +Runtime PM is disabled during reset/recovery and it is not an error +to use ivpu_ipc_send_receive_internal() in such cases. + +Fixes: 5eaa49741119 ("accel/ivpu: Prevent recovery invocation during probe and resume") +Cc: stable@vger.kernel.org # v6.13+ +Signed-off-by: Maciej Falkowski +Reviewed-by: Lizhi Hou +Signed-off-by: Jacek Lawrynowicz +Link: https://lore.kernel.org/r/20250325114219.3739951-1-maciej.falkowski@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_ipc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/accel/ivpu/ivpu_ipc.c ++++ b/drivers/accel/ivpu/ivpu_ipc.c +@@ -299,7 +299,8 @@ ivpu_ipc_send_receive_internal(struct iv + struct ivpu_ipc_consumer cons; + int ret; + +- drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev)); ++ drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev) && ++ pm_runtime_enabled(vdev->drm.dev)); + + ivpu_ipc_consumer_add(vdev, &cons, channel, NULL); + diff --git a/queue-6.12/alsa-hda-realtek-enable-mute-led-on-hp-omen-16-laptop-xd000xx.patch b/queue-6.12/alsa-hda-realtek-enable-mute-led-on-hp-omen-16-laptop-xd000xx.patch new file mode 100644 index 0000000000..73a7ac9471 --- /dev/null +++ b/queue-6.12/alsa-hda-realtek-enable-mute-led-on-hp-omen-16-laptop-xd000xx.patch @@ -0,0 +1,81 @@ +From e5182305a5199246dbcb4053299dcb1c8867b6ff Mon Sep 17 00:00:00 2001 +From: Sharan Kumar M +Date: Sat, 29 Mar 2025 21:11:06 +0530 +Subject: ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx + +From: Sharan Kumar M + +commit e5182305a5199246dbcb4053299dcb1c8867b6ff upstream. + +This patch adds the HP OMEN 16 Laptop xd000xx to enable mute led. +it uses ALC245_FIXUP_HP_MUTE_LED_COEFBIT with a slight modification +setting mute_led_coef.off to 0(it was set to 4 i guess +in that function) which i referred to your previous patch disscusion +https://bugzilla.kernel.org/show_bug.cgi?id=214735 . +i am not sure whether i can modify the current working function so i +added another version calling +ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT. and both works for me. + +Tested on 6.13.4-arch1-1 to 6.14.0-arch1-1 + +Signed-off-by: Sharan Kumar M +Cc: +Link: https://patch.msgid.link/20250329154105.7618-2-sharweshraajan@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4744,6 +4744,22 @@ static void alc245_fixup_hp_mute_led_coe + } + } + ++static void alc245_fixup_hp_mute_led_v1_coefbit(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ struct alc_spec *spec = codec->spec; ++ ++ if (action == HDA_FIXUP_ACT_PRE_PROBE) { ++ spec->mute_led_polarity = 0; ++ spec->mute_led_coef.idx = 0x0b; ++ spec->mute_led_coef.mask = 1 << 3; ++ spec->mute_led_coef.on = 1 << 3; ++ spec->mute_led_coef.off = 0; ++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set); ++ } ++} ++ + /* turn on/off mic-mute LED per capture hook by coef bit */ + static int coef_micmute_led_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +@@ -7851,6 +7867,7 @@ enum { + ALC287_FIXUP_TAS2781_I2C, + ALC287_FIXUP_YOGA7_14ARB7_I2C, + ALC245_FIXUP_HP_MUTE_LED_COEFBIT, ++ ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT, + ALC245_FIXUP_HP_X360_MUTE_LEDS, + ALC287_FIXUP_THINKPAD_I2S_SPK, + ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD, +@@ -10084,6 +10101,10 @@ static const struct hda_fixup alc269_fix + .type = HDA_FIXUP_FUNC, + .v.func = alc245_fixup_hp_mute_led_coefbit, + }, ++ [ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc245_fixup_hp_mute_led_v1_coefbit, ++ }, + [ALC245_FIXUP_HP_X360_MUTE_LEDS] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc245_fixup_hp_mute_led_coefbit, +@@ -10569,6 +10590,7 @@ static const struct hda_quirk alc269_fix + SND_PCI_QUIRK(0x103c, 0x8b97, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), + SND_PCI_QUIRK(0x103c, 0x8bb3, "HP Slim OMEN", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8bb4, "HP Slim OMEN", ALC287_FIXUP_CS35L41_I2C_2), ++ SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT), + SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8bde, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2), + SND_PCI_QUIRK(0x103c, 0x8bdf, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2), diff --git a/queue-6.12/arm64-cputype-add-midr_cortex_a76ae.patch b/queue-6.12/arm64-cputype-add-midr_cortex_a76ae.patch new file mode 100644 index 0000000000..e04b2a9d41 --- /dev/null +++ b/queue-6.12/arm64-cputype-add-midr_cortex_a76ae.patch @@ -0,0 +1,39 @@ +From a9b5bd81b294d30a747edd125e9f6aef2def7c79 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 7 Jan 2025 12:06:01 -0800 +Subject: arm64: cputype: Add MIDR_CORTEX_A76AE + +From: Douglas Anderson + +commit a9b5bd81b294d30a747edd125e9f6aef2def7c79 upstream. + +>From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an +implementor of 0x41 (ARM). Add the values. + +Cc: stable@vger.kernel.org # dependency of the next fix in the series +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20250107120555.v4.4.I151f3b7ee323bcc3082179b8c60c3cd03308aa94@changeid +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/cputype.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -75,6 +75,7 @@ + #define ARM_CPU_PART_CORTEX_A76 0xD0B + #define ARM_CPU_PART_NEOVERSE_N1 0xD0C + #define ARM_CPU_PART_CORTEX_A77 0xD0D ++#define ARM_CPU_PART_CORTEX_A76AE 0xD0E + #define ARM_CPU_PART_NEOVERSE_V1 0xD40 + #define ARM_CPU_PART_CORTEX_A78 0xD41 + #define ARM_CPU_PART_CORTEX_A78AE 0xD42 +@@ -159,6 +160,7 @@ + #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76) + #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1) + #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77) ++#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE) + #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1) + #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78) + #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE) diff --git a/queue-6.12/arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch b/queue-6.12/arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch new file mode 100644 index 0000000000..87758e1199 --- /dev/null +++ b/queue-6.12/arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch @@ -0,0 +1,37 @@ +From 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 7 Jan 2025 12:06:00 -0800 +Subject: arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list + +From: Douglas Anderson + +commit 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 upstream. + +Qualcomm has confirmed that, much like Cortex A53 and A55, KRYO +2XX/3XX/4XX silver cores are unaffected by Spectre BHB. Add them to +the safe list. + +Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels") +Cc: stable@vger.kernel.org +Cc: Scott Bauer +Signed-off-by: Douglas Anderson +Acked-by: Trilok Soni +Link: https://lore.kernel.org/r/20250107120555.v4.3.Iab8dbfb5c9b1e143e7a29f410bce5f9525a0ba32@changeid +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/proton-pack.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -854,6 +854,9 @@ static bool is_spectre_bhb_safe(int scop + MIDR_ALL_VERSIONS(MIDR_CORTEX_A510), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A520), + MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_2XX_SILVER), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER), + {}, + }; + static bool all_safe = true; diff --git a/queue-6.12/arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch b/queue-6.12/arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch new file mode 100644 index 0000000000..236acd412c --- /dev/null +++ b/queue-6.12/arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch @@ -0,0 +1,38 @@ +From ed1ce841245d8febe3badf51c57e81c3619d0a1d Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 7 Jan 2025 12:05:58 -0800 +Subject: arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list + +From: Douglas Anderson + +commit ed1ce841245d8febe3badf51c57e81c3619d0a1d upstream. + +Qualcomm Kryo 400-series Gold cores have a derivative of an ARM Cortex +A76 in them. Since A76 needs Spectre mitigation via looping then the +Kyro 400-series Gold cores also need Spectre mitigation via looping. + +Qualcomm has confirmed that the proper "k" value for Kryo 400-series +Gold cores is 24. + +Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels") +Cc: stable@vger.kernel.org +Cc: Scott Bauer +Signed-off-by: Douglas Anderson +Acked-by: Trilok Soni +Link: https://lore.kernel.org/r/20250107120555.v4.1.Ie4ef54abe02e7eb0eee50f830575719bf23bda48@changeid +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/proton-pack.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -866,6 +866,7 @@ u8 spectre_bhb_loop_affected(int scope) + MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), + MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), + MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD), + {}, + }; + static const struct midr_range spectre_bhb_k11_list[] = { diff --git a/queue-6.12/arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch b/queue-6.12/arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch new file mode 100644 index 0000000000..30307e8b2f --- /dev/null +++ b/queue-6.12/arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch @@ -0,0 +1,334 @@ +From e403e8538359d8580cbee1976ff71813e947101e Mon Sep 17 00:00:00 2001 +From: Douglas Anderson +Date: Tue, 7 Jan 2025 12:05:59 -0800 +Subject: arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB + +From: Douglas Anderson + +commit e403e8538359d8580cbee1976ff71813e947101e upstream. + +The code for detecting CPUs that are vulnerable to Spectre BHB was +based on a hardcoded list of CPU IDs that were known to be affected. +Unfortunately, the list mostly only contained the IDs of standard ARM +cores. The IDs for many cores that are minor variants of the standard +ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the +code to assume that those variants were not affected. + +Flip the code on its head and instead assume that a core is vulnerable +if it doesn't have CSV2_3 but is unrecognized as being safe. This +involves creating a "Spectre BHB safe" list. + +As of right now, the only CPU IDs added to the "Spectre BHB safe" list +are ARM Cortex A35, A53, A55, A510, and A520. This list was created by +looking for cores that weren't listed in ARM's list [1] as per review +feedback on v2 of this patch [2]. Additionally Brahma A53 is added as +per mailing list feedback [3]. + +NOTE: this patch will not actually _mitigate_ anyone, it will simply +cause them to report themselves as vulnerable. If any cores in the +system are reported as vulnerable but not mitigated then the whole +system will be reported as vulnerable though the system will attempt +to mitigate with the information it has about the known cores. + +[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB +[2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck +[3] https://lore.kernel.org/r/18dbd7d1-a46c-4112-a425-320c99f67a8d@broadcom.com + +Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels") +Cc: stable@vger.kernel.org +Reviewed-by: Julius Werner +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20250107120555.v4.2.I2040fa004dafe196243f67ebcc647cbedbb516e6@changeid +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/spectre.h | 1 + arch/arm64/kernel/proton-pack.c | 201 +++++++++++++++++++-------------------- + 2 files changed, 101 insertions(+), 101 deletions(-) + +--- a/arch/arm64/include/asm/spectre.h ++++ b/arch/arm64/include/asm/spectre.h +@@ -97,7 +97,6 @@ enum mitigation_state arm64_get_meltdown + + enum mitigation_state arm64_get_spectre_bhb_state(void); + bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope); +-u8 spectre_bhb_loop_affected(int scope); + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused); + bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr); + +--- a/arch/arm64/kernel/proton-pack.c ++++ b/arch/arm64/kernel/proton-pack.c +@@ -845,53 +845,70 @@ static unsigned long system_bhb_mitigati + * This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any + * SCOPE_SYSTEM call will give the right answer. + */ +-u8 spectre_bhb_loop_affected(int scope) ++static bool is_spectre_bhb_safe(int scope) ++{ ++ static const struct midr_range spectre_bhb_safe_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A35), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A53), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520), ++ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53), ++ {}, ++ }; ++ static bool all_safe = true; ++ ++ if (scope != SCOPE_LOCAL_CPU) ++ return all_safe; ++ ++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list)) ++ return true; ++ ++ all_safe = false; ++ ++ return false; ++} ++ ++static u8 spectre_bhb_loop_affected(void) + { + u8 k = 0; +- static u8 max_bhb_k; + +- if (scope == SCOPE_LOCAL_CPU) { +- static const struct midr_range spectre_bhb_k32_list[] = { +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), +- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), +- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), +- {}, +- }; +- static const struct midr_range spectre_bhb_k24_list[] = { +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), +- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), +- MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD), +- {}, +- }; +- static const struct midr_range spectre_bhb_k11_list[] = { +- MIDR_ALL_VERSIONS(MIDR_AMPERE1), +- {}, +- }; +- static const struct midr_range spectre_bhb_k8_list[] = { +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), +- {}, +- }; +- +- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) +- k = 32; +- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list)) +- k = 24; +- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list)) +- k = 11; +- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list)) +- k = 8; +- +- max_bhb_k = max(max_bhb_k, k); +- } else { +- k = max_bhb_k; +- } ++ static const struct midr_range spectre_bhb_k32_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1), ++ {}, ++ }; ++ static const struct midr_range spectre_bhb_k24_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77), ++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1), ++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD), ++ {}, ++ }; ++ static const struct midr_range spectre_bhb_k11_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_AMPERE1), ++ {}, ++ }; ++ static const struct midr_range spectre_bhb_k8_list[] = { ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72), ++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57), ++ {}, ++ }; ++ ++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list)) ++ k = 32; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list)) ++ k = 24; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list)) ++ k = 11; ++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list)) ++ k = 8; + + return k; + } +@@ -917,29 +934,13 @@ static enum mitigation_state spectre_bhb + } + } + +-static bool is_spectre_bhb_fw_affected(int scope) ++static bool has_spectre_bhb_fw_mitigation(void) + { +- static bool system_affected; + enum mitigation_state fw_state; + bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE; +- static const struct midr_range spectre_bhb_firmware_mitigated_list[] = { +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A73), +- MIDR_ALL_VERSIONS(MIDR_CORTEX_A75), +- {}, +- }; +- bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(), +- spectre_bhb_firmware_mitigated_list); +- +- if (scope != SCOPE_LOCAL_CPU) +- return system_affected; + + fw_state = spectre_bhb_get_cpu_fw_mitigation_state(); +- if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) { +- system_affected = true; +- return true; +- } +- +- return false; ++ return has_smccc && fw_state == SPECTRE_MITIGATED; + } + + static bool supports_ecbhb(int scope) +@@ -955,6 +956,8 @@ static bool supports_ecbhb(int scope) + ID_AA64MMFR1_EL1_ECBHB_SHIFT); + } + ++static u8 max_bhb_k; ++ + bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, + int scope) + { +@@ -963,16 +966,18 @@ bool is_spectre_bhb_affected(const struc + if (supports_csv2p3(scope)) + return false; + +- if (supports_clearbhb(scope)) +- return true; +- +- if (spectre_bhb_loop_affected(scope)) +- return true; ++ if (is_spectre_bhb_safe(scope)) ++ return false; + +- if (is_spectre_bhb_fw_affected(scope)) +- return true; ++ /* ++ * At this point the core isn't known to be "safe" so we're going to ++ * assume it's vulnerable. We still need to update `max_bhb_k` though, ++ * but only if we aren't mitigating with clearbhb though. ++ */ ++ if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU)) ++ max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected()); + +- return false; ++ return true; + } + + static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot) +@@ -1003,7 +1008,7 @@ early_param("nospectre_bhb", parse_spect + void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry) + { + bp_hardening_cb_t cpu_cb; +- enum mitigation_state fw_state, state = SPECTRE_VULNERABLE; ++ enum mitigation_state state = SPECTRE_VULNERABLE; + struct bp_hardening_data *data = this_cpu_ptr(&bp_hardening_data); + + if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU)) +@@ -1029,7 +1034,7 @@ void spectre_bhb_enable_mitigation(const + this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN); + state = SPECTRE_MITIGATED; + set_bit(BHB_INSN, &system_bhb_mitigations); +- } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) { ++ } else if (spectre_bhb_loop_affected()) { + /* + * Ensure KVM uses the indirect vector which will have the + * branchy-loop added. A57/A72-r0 will already have selected +@@ -1042,32 +1047,29 @@ void spectre_bhb_enable_mitigation(const + this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP); + state = SPECTRE_MITIGATED; + set_bit(BHB_LOOP, &system_bhb_mitigations); +- } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) { +- fw_state = spectre_bhb_get_cpu_fw_mitigation_state(); +- if (fw_state == SPECTRE_MITIGATED) { +- /* +- * Ensure KVM uses one of the spectre bp_hardening +- * vectors. The indirect vector doesn't include the EL3 +- * call, so needs upgrading to +- * HYP_VECTOR_SPECTRE_INDIRECT. +- */ +- if (!data->slot || data->slot == HYP_VECTOR_INDIRECT) +- data->slot += 1; +- +- this_cpu_set_vectors(EL1_VECTOR_BHB_FW); +- +- /* +- * The WA3 call in the vectors supersedes the WA1 call +- * made during context-switch. Uninstall any firmware +- * bp_hardening callback. +- */ +- cpu_cb = spectre_v2_get_sw_mitigation_cb(); +- if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb) +- __this_cpu_write(bp_hardening_data.fn, NULL); +- +- state = SPECTRE_MITIGATED; +- set_bit(BHB_FW, &system_bhb_mitigations); +- } ++ } else if (has_spectre_bhb_fw_mitigation()) { ++ /* ++ * Ensure KVM uses one of the spectre bp_hardening ++ * vectors. The indirect vector doesn't include the EL3 ++ * call, so needs upgrading to ++ * HYP_VECTOR_SPECTRE_INDIRECT. ++ */ ++ if (!data->slot || data->slot == HYP_VECTOR_INDIRECT) ++ data->slot += 1; ++ ++ this_cpu_set_vectors(EL1_VECTOR_BHB_FW); ++ ++ /* ++ * The WA3 call in the vectors supersedes the WA1 call ++ * made during context-switch. Uninstall any firmware ++ * bp_hardening callback. ++ */ ++ cpu_cb = spectre_v2_get_sw_mitigation_cb(); ++ if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb) ++ __this_cpu_write(bp_hardening_data.fn, NULL); ++ ++ state = SPECTRE_MITIGATED; ++ set_bit(BHB_FW, &system_bhb_mitigations); + } + + update_mitigation_state(&spectre_bhb_state, state); +@@ -1101,7 +1103,6 @@ void noinstr spectre_bhb_patch_loop_iter + { + u8 rd; + u32 insn; +- u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM); + + BUG_ON(nr_inst != 1); /* MOV -> MOV */ + +@@ -1110,7 +1111,7 @@ void noinstr spectre_bhb_patch_loop_iter + + insn = le32_to_cpu(*origptr); + rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn); +- insn = aarch64_insn_gen_movewide(rd, loop_count, 0, ++ insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0, + AARCH64_INSN_VARIANT_64BIT, + AARCH64_INSN_MOVEWIDE_ZERO); + *updptr++ = cpu_to_le32(insn); diff --git a/queue-6.12/asoc-codecs-wcd937x-fix-a-potential-memory-leak-in-wcd937x_soc_codec_probe.patch b/queue-6.12/asoc-codecs-wcd937x-fix-a-potential-memory-leak-in-wcd937x_soc_codec_probe.patch new file mode 100644 index 0000000000..e1e97c8186 --- /dev/null +++ b/queue-6.12/asoc-codecs-wcd937x-fix-a-potential-memory-leak-in-wcd937x_soc_codec_probe.patch @@ -0,0 +1,42 @@ +From 3e330acf4efd63876d673c046cd073a1d4ed57a8 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Wed, 26 Feb 2025 16:50:50 +0800 +Subject: ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe() + +From: Haoxiang Li + +commit 3e330acf4efd63876d673c046cd073a1d4ed57a8 upstream. + +When snd_soc_dapm_new_controls() or snd_soc_dapm_add_routes() fails, +wcd937x_soc_codec_probe() returns without releasing 'wcd937x->clsh_info', +which is allocated by wcd_clsh_ctrl_alloc. Add wcd_clsh_ctrl_free() +to prevent potential memory leak. + +Fixes: 313e978df7fc ("ASoC: codecs: wcd937x: add audio routing and Kconfig") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Link: https://patch.msgid.link/20250226085050.3584898-1-haoxiang_li2024@163.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd937x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/codecs/wcd937x.c ++++ b/sound/soc/codecs/wcd937x.c +@@ -2564,6 +2564,7 @@ static int wcd937x_soc_codec_probe(struc + ARRAY_SIZE(wcd9375_dapm_widgets)); + if (ret < 0) { + dev_err(component->dev, "Failed to add snd_ctls\n"); ++ wcd_clsh_ctrl_free(wcd937x->clsh_info); + return ret; + } + +@@ -2571,6 +2572,7 @@ static int wcd937x_soc_codec_probe(struc + ARRAY_SIZE(wcd9375_audio_map)); + if (ret < 0) { + dev_err(component->dev, "Failed to add routes\n"); ++ wcd_clsh_ctrl_free(wcd937x->clsh_info); + return ret; + } + } diff --git a/queue-6.12/asoc-q6apm-add-q6apm_get_hw_pointer-helper.patch b/queue-6.12/asoc-q6apm-add-q6apm_get_hw_pointer-helper.patch new file mode 100644 index 0000000000..be90339dd1 --- /dev/null +++ b/queue-6.12/asoc-q6apm-add-q6apm_get_hw_pointer-helper.patch @@ -0,0 +1,94 @@ +From 0badb5432fd525a00db5630c459b635e9d47f445 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 14 Mar 2025 17:47:57 +0000 +Subject: ASoC: q6apm: add q6apm_get_hw_pointer helper + +From: Srinivas Kandagatla + +commit 0badb5432fd525a00db5630c459b635e9d47f445 upstream. + +Implement an helper function in q6apm to be able to read the current +hardware pointer for both read and write buffers. + +This should help q6apm-dai to get the hardware pointer consistently +without it doing manual calculation, which could go wrong in some race +conditions. + +Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support") +Cc: stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Tested-by: Krzysztof Kozlowski +Tested-by: Johan Hovold +Link: https://patch.msgid.link/20250314174800.10142-3-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm.c | 18 +++++++++++++++++- + sound/soc/qcom/qdsp6/q6apm.h | 3 +++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +--- a/sound/soc/qcom/qdsp6/q6apm.c ++++ b/sound/soc/qcom/qdsp6/q6apm.c +@@ -494,6 +494,19 @@ int q6apm_read(struct q6apm_graph *graph + } + EXPORT_SYMBOL_GPL(q6apm_read); + ++int q6apm_get_hw_pointer(struct q6apm_graph *graph, int dir) ++{ ++ struct audioreach_graph_data *data; ++ ++ if (dir == SNDRV_PCM_STREAM_PLAYBACK) ++ data = &graph->rx_data; ++ else ++ data = &graph->tx_data; ++ ++ return (int)atomic_read(&data->hw_ptr); ++} ++EXPORT_SYMBOL_GPL(q6apm_get_hw_pointer); ++ + static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op) + { + struct data_cmd_rsp_rd_sh_mem_ep_data_buffer_done_v2 *rd_done; +@@ -520,7 +533,8 @@ static int graph_callback(struct gpr_res + done = data->payload; + phys = graph->rx_data.buf[token].phys; + mutex_unlock(&graph->lock); +- ++ /* token numbering starts at 0 */ ++ atomic_set(&graph->rx_data.hw_ptr, token + 1); + if (lower_32_bits(phys) == done->buf_addr_lsw && + upper_32_bits(phys) == done->buf_addr_msw) { + graph->result.opcode = hdr->opcode; +@@ -553,6 +567,8 @@ static int graph_callback(struct gpr_res + rd_done = data->payload; + phys = graph->tx_data.buf[hdr->token].phys; + mutex_unlock(&graph->lock); ++ /* token numbering starts at 0 */ ++ atomic_set(&graph->tx_data.hw_ptr, hdr->token + 1); + + if (upper_32_bits(phys) == rd_done->buf_addr_msw && + lower_32_bits(phys) == rd_done->buf_addr_lsw) { +--- a/sound/soc/qcom/qdsp6/q6apm.h ++++ b/sound/soc/qcom/qdsp6/q6apm.h +@@ -2,6 +2,7 @@ + #ifndef __Q6APM_H__ + #define __Q6APM_H__ + #include ++#include + #include + #include + #include +@@ -77,6 +78,7 @@ struct audioreach_graph_data { + uint32_t num_periods; + uint32_t dsp_buf; + uint32_t mem_map_handle; ++ atomic_t hw_ptr; + }; + + struct audioreach_graph { +@@ -150,4 +152,5 @@ int q6apm_enable_compress_module(struct + int q6apm_remove_initial_silence(struct device *dev, struct q6apm_graph *graph, uint32_t samples); + int q6apm_remove_trailing_silence(struct device *dev, struct q6apm_graph *graph, uint32_t samples); + int q6apm_set_real_module_id(struct device *dev, struct q6apm_graph *graph, uint32_t codec_id); ++int q6apm_get_hw_pointer(struct q6apm_graph *graph, int dir); + #endif /* __APM_GRAPH_ */ diff --git a/queue-6.12/asoc-q6apm-dai-make-use-of-q6apm_get_hw_pointer.patch b/queue-6.12/asoc-q6apm-dai-make-use-of-q6apm_get_hw_pointer.patch new file mode 100644 index 0000000000..dc7e2bf3b1 --- /dev/null +++ b/queue-6.12/asoc-q6apm-dai-make-use-of-q6apm_get_hw_pointer.patch @@ -0,0 +1,101 @@ +From a93dad6f4e6a04a5943f6ee5686585f24abf7063 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 14 Mar 2025 17:47:58 +0000 +Subject: ASoC: q6apm-dai: make use of q6apm_get_hw_pointer + +From: Srinivas Kandagatla + +commit a93dad6f4e6a04a5943f6ee5686585f24abf7063 upstream. + +With the existing code, the buffer position is only reset in pointer +callback, which leaves the possiblity of it going over the size of +buffer size and reporting incorrect position to userspace. + +Without this patch, its possible to see errors like: +snd-x1e80100 sound: invalid position: pcmC0D0p:0, pos = 12288, buffer size = 12288, period size = 1536 +snd-x1e80100 sound: invalid position: pcmC0D0p:0, pos = 12288, buffer size = 12288, period size = 1536 + +Fixes: 9b4fe0f1cd791 ("ASoC: qdsp6: audioreach: add q6apm-dai support") +Cc: stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Tested-by: Krzysztof Kozlowski +Tested-by: Johan Hovold +Link: https://patch.msgid.link/20250314174800.10142-4-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm-dai.c | 23 ++++------------------- + 1 file changed, 4 insertions(+), 19 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6apm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c +@@ -64,7 +64,6 @@ struct q6apm_dai_rtd { + phys_addr_t phys; + unsigned int pcm_size; + unsigned int pcm_count; +- unsigned int pos; /* Buffer position */ + unsigned int periods; + unsigned int bytes_sent; + unsigned int bytes_received; +@@ -124,23 +123,16 @@ static void event_handler(uint32_t opcod + { + struct q6apm_dai_rtd *prtd = priv; + struct snd_pcm_substream *substream = prtd->substream; +- unsigned long flags; + + switch (opcode) { + case APM_CLIENT_EVENT_CMD_EOS_DONE: + prtd->state = Q6APM_STREAM_STOPPED; + break; + case APM_CLIENT_EVENT_DATA_WRITE_DONE: +- spin_lock_irqsave(&prtd->lock, flags); +- prtd->pos += prtd->pcm_count; +- spin_unlock_irqrestore(&prtd->lock, flags); + snd_pcm_period_elapsed(substream); + + break; + case APM_CLIENT_EVENT_DATA_READ_DONE: +- spin_lock_irqsave(&prtd->lock, flags); +- prtd->pos += prtd->pcm_count; +- spin_unlock_irqrestore(&prtd->lock, flags); + snd_pcm_period_elapsed(substream); + if (prtd->state == Q6APM_STREAM_RUNNING) + q6apm_read(prtd->graph); +@@ -247,7 +239,6 @@ static int q6apm_dai_prepare(struct snd_ + } + + prtd->pcm_count = snd_pcm_lib_period_bytes(substream); +- prtd->pos = 0; + /* rate and channels are sent to audio driver */ + ret = q6apm_graph_media_format_shmem(prtd->graph, &cfg); + if (ret < 0) { +@@ -445,16 +436,12 @@ static snd_pcm_uframes_t q6apm_dai_point + struct snd_pcm_runtime *runtime = substream->runtime; + struct q6apm_dai_rtd *prtd = runtime->private_data; + snd_pcm_uframes_t ptr; +- unsigned long flags; + +- spin_lock_irqsave(&prtd->lock, flags); +- if (prtd->pos == prtd->pcm_size) +- prtd->pos = 0; +- +- ptr = bytes_to_frames(runtime, prtd->pos); +- spin_unlock_irqrestore(&prtd->lock, flags); ++ ptr = q6apm_get_hw_pointer(prtd->graph, substream->stream) * runtime->period_size; ++ if (ptr) ++ return ptr - 1; + +- return ptr; ++ return 0; + } + + static int q6apm_dai_hw_params(struct snd_soc_component *component, +@@ -669,8 +656,6 @@ static int q6apm_dai_compr_set_params(st + prtd->pcm_size = runtime->fragments * runtime->fragment_size; + prtd->bits_per_sample = 16; + +- prtd->pos = 0; +- + if (prtd->next_track != true) { + memcpy(&prtd->codec, codec, sizeof(*codec)); + diff --git a/queue-6.12/asoc-q6apm-dai-schedule-all-available-frames-to-avoid-dsp-under-runs.patch b/queue-6.12/asoc-q6apm-dai-schedule-all-available-frames-to-avoid-dsp-under-runs.patch new file mode 100644 index 0000000000..9a543c19e4 --- /dev/null +++ b/queue-6.12/asoc-q6apm-dai-schedule-all-available-frames-to-avoid-dsp-under-runs.patch @@ -0,0 +1,95 @@ +From 3d4a4411aa8bbc3653ff22a1ff0432eb93d22ae0 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 14 Mar 2025 17:47:56 +0000 +Subject: ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs + +From: Srinivas Kandagatla + +commit 3d4a4411aa8bbc3653ff22a1ff0432eb93d22ae0 upstream. + +With the existing code, we are only setting up one period at a time, in a +ping-pong buffer style. This triggers lot of underruns in the dsp +leading to jitter noise during audio playback. + +Fix this by scheduling all available periods, this will ensure that the dsp +has enough buffer feed and ultimatley fixing the underruns and audio +distortion. + +Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support") +Cc: stable@vger.kernel.org +Reported-by: Krzysztof Kozlowski +Signed-off-by: Srinivas Kandagatla +Tested-by: Krzysztof Kozlowski +Tested-by: Johan Hovold +Link: https://patch.msgid.link/20250314174800.10142-2-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm-dai.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6apm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c +@@ -70,6 +70,7 @@ struct q6apm_dai_rtd { + unsigned int bytes_received; + unsigned int copied_total; + uint16_t bits_per_sample; ++ snd_pcm_uframes_t queue_ptr; + bool next_track; + enum stream_state state; + struct q6apm_graph *graph; +@@ -134,8 +135,6 @@ static void event_handler(uint32_t opcod + prtd->pos += prtd->pcm_count; + spin_unlock_irqrestore(&prtd->lock, flags); + snd_pcm_period_elapsed(substream); +- if (prtd->state == Q6APM_STREAM_RUNNING) +- q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, 0); + + break; + case APM_CLIENT_EVENT_DATA_READ_DONE: +@@ -294,6 +293,27 @@ static int q6apm_dai_prepare(struct snd_ + return 0; + } + ++static int q6apm_dai_ack(struct snd_soc_component *component, struct snd_pcm_substream *substream) ++{ ++ struct snd_pcm_runtime *runtime = substream->runtime; ++ struct q6apm_dai_rtd *prtd = runtime->private_data; ++ int i, ret = 0, avail_periods; ++ ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { ++ avail_periods = (runtime->control->appl_ptr - prtd->queue_ptr)/runtime->period_size; ++ for (i = 0; i < avail_periods; i++) { ++ ret = q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, NO_TIMESTAMP); ++ if (ret < 0) { ++ dev_err(component->dev, "Error queuing playback buffer %d\n", ret); ++ return ret; ++ } ++ prtd->queue_ptr += runtime->period_size; ++ } ++ } ++ ++ return ret; ++} ++ + static int q6apm_dai_trigger(struct snd_soc_component *component, + struct snd_pcm_substream *substream, int cmd) + { +@@ -305,9 +325,6 @@ static int q6apm_dai_trigger(struct snd_ + case SNDRV_PCM_TRIGGER_START: + case SNDRV_PCM_TRIGGER_RESUME: + case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: +- /* start writing buffers for playback only as we already queued capture buffers */ +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) +- ret = q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, 0); + break; + case SNDRV_PCM_TRIGGER_STOP: + /* TODO support be handled via SoftPause Module */ +@@ -836,6 +853,7 @@ static const struct snd_soc_component_dr + .hw_params = q6apm_dai_hw_params, + .pointer = q6apm_dai_pointer, + .trigger = q6apm_dai_trigger, ++ .ack = q6apm_dai_ack, + .compress_ops = &q6apm_dai_compress_ops, + .use_dai_pcm_id = true, + }; diff --git a/queue-6.12/asoc-qdsp6-q6apm-dai-fix-capture-pipeline-overruns.patch b/queue-6.12/asoc-qdsp6-q6apm-dai-fix-capture-pipeline-overruns.patch new file mode 100644 index 0000000000..36d27b59de --- /dev/null +++ b/queue-6.12/asoc-qdsp6-q6apm-dai-fix-capture-pipeline-overruns.patch @@ -0,0 +1,39 @@ +From 5d01ed9b9939b4c726be74db291a982bc984c584 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 14 Mar 2025 17:48:00 +0000 +Subject: ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns. + +From: Srinivas Kandagatla + +commit 5d01ed9b9939b4c726be74db291a982bc984c584 upstream. + +Period sizes less than 6k for capture path triggers overruns in the +dsp capture pipeline. + +Change the period size and number of periods to value which DSP is happy with. + +Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support") +Cc: stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Tested-by: Krzysztof Kozlowski +Tested-by: Johan Hovold +Link: https://patch.msgid.link/20250314174800.10142-6-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm-dai.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6apm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c +@@ -24,8 +24,8 @@ + #define PLAYBACK_MIN_PERIOD_SIZE 128 + #define CAPTURE_MIN_NUM_PERIODS 2 + #define CAPTURE_MAX_NUM_PERIODS 8 +-#define CAPTURE_MAX_PERIOD_SIZE 4096 +-#define CAPTURE_MIN_PERIOD_SIZE 320 ++#define CAPTURE_MAX_PERIOD_SIZE 65536 ++#define CAPTURE_MIN_PERIOD_SIZE 6144 + #define BUFFER_BYTES_MAX (PLAYBACK_MAX_NUM_PERIODS * PLAYBACK_MAX_PERIOD_SIZE) + #define BUFFER_BYTES_MIN (PLAYBACK_MIN_NUM_PERIODS * PLAYBACK_MIN_PERIOD_SIZE) + #define COMPR_PLAYBACK_MAX_FRAGMENT_SIZE (128 * 1024) diff --git a/queue-6.12/asoc-qdsp6-q6apm-dai-set-10-ms-period-and-buffer-alignment.patch b/queue-6.12/asoc-qdsp6-q6apm-dai-set-10-ms-period-and-buffer-alignment.patch new file mode 100644 index 0000000000..e290da26f3 --- /dev/null +++ b/queue-6.12/asoc-qdsp6-q6apm-dai-set-10-ms-period-and-buffer-alignment.patch @@ -0,0 +1,47 @@ +From 3107019501842c27334554ba9d6583b1f200f61f Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Fri, 14 Mar 2025 17:47:59 +0000 +Subject: ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment. + +From: Srinivas Kandagatla + +commit 3107019501842c27334554ba9d6583b1f200f61f upstream. + +DSP expects the periods to be aligned to fragment sizes, currently +setting up to hw constriants on periods bytes is not going to work +correctly as we can endup with periods sizes aligned to 32 bytes however +not aligned to fragment size. + +Update the constriants to use fragment size, and also set at step of +10ms for period size to accommodate DSP requirements of 10ms latency. + +Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support") +Cc: stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Tested-by: Johan Hovold +Link: https://patch.msgid.link/20250314174800.10142-5-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm-dai.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6apm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c +@@ -385,13 +385,14 @@ static int q6apm_dai_open(struct snd_soc + } + } + +- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32); ++ /* setup 10ms latency to accommodate DSP restrictions */ ++ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480); + if (ret < 0) { + dev_err(dev, "constraint for period bytes step ret = %d\n", ret); + goto err; + } + +- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32); ++ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480); + if (ret < 0) { + dev_err(dev, "constraint for buffer bytes step ret = %d\n", ret); + goto err; diff --git a/queue-6.12/asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch b/queue-6.12/asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch new file mode 100644 index 0000000000..c37fd11af8 --- /dev/null +++ b/queue-6.12/asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch @@ -0,0 +1,110 @@ +From 7eccc86e90f04a0d758d16c08627a620ac59604d Mon Sep 17 00:00:00 2001 +From: Alexey Klimov +Date: Thu, 27 Mar 2025 15:46:50 +0000 +Subject: ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path + +From: Alexey Klimov + +commit 7eccc86e90f04a0d758d16c08627a620ac59604d upstream. + +In case of attempts to compress playback something, for instance, +when audio routing is not set up correctly, the audio DSP is left in +inconsistent state because we are not doing the correct things in +the error path of q6asm_dai_compr_set_params(). + +So, when routing is not set up and compress playback is attempted +the following errors are present (simplified log): + +q6routing routing: Routing not setup for MultiMedia-1 Session +q6asm-dai dais: Stream reg failed ret:-22 +q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params() +on 17300000.remoteproc:glink-edge:apr:service@7:dais + +After setting the correct routing the compress playback will always fail: + +q6asm-dai dais: cmd = 0x10db3 returned error = 0x9 +q6asm-dai dais: DSP returned error[9] +q6asm-dai dais: q6asm_open_write failed +q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params() +on 17300000.remoteproc:glink-edge:apr:service@7:dais + +0x9 here means "Operation is already processed". The CMD_OPEN here was +sent the second time hence DSP responds that it was already done. + +Turns out the CMD_CLOSE should be sent after the q6asm_open_write() +succeeded but something failed after that, for instance, routing +setup. + +Fix this by slightly reworking the error path in +q6asm_dai_compr_set_params(). + +Tested on QRB5165 RB5 and SDM845 RB3 boards. + +Cc: stable@vger.kernel.org +Fixes: 5b39363e54cc ("ASoC: q6asm-dai: prepare set params to accept profile change") +Cc: Srinivas Kandagatla +Cc: Vinod Koul +Cc: Pierre-Louis Bossart +Signed-off-by: Alexey Klimov +Reviewed-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20250327154650.337404-1-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6asm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c +@@ -892,9 +892,7 @@ static int q6asm_dai_compr_set_params(st + + if (ret < 0) { + dev_err(dev, "q6asm_open_write failed\n"); +- q6asm_audio_client_free(prtd->audio_client); +- prtd->audio_client = NULL; +- return ret; ++ goto open_err; + } + } + +@@ -903,7 +901,7 @@ static int q6asm_dai_compr_set_params(st + prtd->session_id, dir); + if (ret) { + dev_err(dev, "Stream reg failed ret:%d\n", ret); +- return ret; ++ goto q6_err; + } + + ret = __q6asm_dai_compr_set_codec_params(component, stream, +@@ -911,7 +909,7 @@ static int q6asm_dai_compr_set_params(st + prtd->stream_id); + if (ret) { + dev_err(dev, "codec param setup failed ret:%d\n", ret); +- return ret; ++ goto q6_err; + } + + ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys, +@@ -920,12 +918,21 @@ static int q6asm_dai_compr_set_params(st + + if (ret < 0) { + dev_err(dev, "Buffer Mapping failed ret:%d\n", ret); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto q6_err; + } + + prtd->state = Q6ASM_STREAM_RUNNING; + + return 0; ++ ++q6_err: ++ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE); ++ ++open_err: ++ q6asm_audio_client_free(prtd->audio_client); ++ prtd->audio_client = NULL; ++ return ret; + } + + static int q6asm_dai_compr_set_metadata(struct snd_soc_component *component, diff --git a/queue-6.12/auxdisplay-hd44780-fix-an-api-misuse-in-hd44780.c.patch b/queue-6.12/auxdisplay-hd44780-fix-an-api-misuse-in-hd44780.c.patch new file mode 100644 index 0000000000..204f0e8102 --- /dev/null +++ b/queue-6.12/auxdisplay-hd44780-fix-an-api-misuse-in-hd44780.c.patch @@ -0,0 +1,43 @@ +From 9b98a7d2e5f4e2beeff88f6571da0cdc5883c7fb Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Mon, 24 Feb 2025 18:15:27 +0800 +Subject: auxdisplay: hd44780: Fix an API misuse in hd44780.c + +From: Haoxiang Li + +commit 9b98a7d2e5f4e2beeff88f6571da0cdc5883c7fb upstream. + +Variable allocated by charlcd_alloc() should be released +by charlcd_free(). The following patch changed kfree() to +charlcd_free() to fix an API misuse. + +Fixes: 718e05ed92ec ("auxdisplay: Introduce hd44780_common.[ch]") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/auxdisplay/hd44780.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/auxdisplay/hd44780.c ++++ b/drivers/auxdisplay/hd44780.c +@@ -313,7 +313,7 @@ static int hd44780_probe(struct platform + fail3: + kfree(hd); + fail2: +- kfree(lcd); ++ charlcd_free(lcd); + fail1: + kfree(hdc); + return ret; +@@ -328,7 +328,7 @@ static void hd44780_remove(struct platfo + kfree(hdc->hd44780); + kfree(lcd->drvdata); + +- kfree(lcd); ++ charlcd_free(lcd); + } + + static const struct of_device_id hd44780_of_match[] = { diff --git a/queue-6.12/bus-mhi-host-fix-race-between-unprepare-and-queue_buf.patch b/queue-6.12/bus-mhi-host-fix-race-between-unprepare-and-queue_buf.patch new file mode 100644 index 0000000000..685456abef --- /dev/null +++ b/queue-6.12/bus-mhi-host-fix-race-between-unprepare-and-queue_buf.patch @@ -0,0 +1,81 @@ +From 0686a818d77a431fc3ba2fab4b46bbb04e8c9380 Mon Sep 17 00:00:00 2001 +From: Jeffrey Hugo +Date: Thu, 6 Mar 2025 10:29:13 -0700 +Subject: bus: mhi: host: Fix race between unprepare and queue_buf + +From: Jeff Hugo + +commit 0686a818d77a431fc3ba2fab4b46bbb04e8c9380 upstream. + +A client driver may use mhi_unprepare_from_transfer() to quiesce +incoming data during the client driver's tear down. The client driver +might also be processing data at the same time, resulting in a call to +mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs +after mhi_unprepare_from_transfer() has torn down the channel, a panic +will occur due to an invalid dereference leading to a page fault. + +This occurs because mhi_gen_tre() does not verify the channel state +after locking it. Fix this by having mhi_gen_tre() confirm the channel +state is valid, or return error to avoid accessing deinitialized data. + +Cc: stable@vger.kernel.org # 6.8 +Fixes: b89b6a863dd5 ("bus: mhi: host: Add spinlock to protect WP access when queueing TREs") +Signed-off-by: Jeffrey Hugo +Signed-off-by: Jeff Hugo +Reviewed-by: Krishna Chaitanya Chundru +Reviewed-by: Youssef Samir +Reviewed-by: Manivannan Sadhasivam +Reviewed-by: Troy Hanson +Link: https://lore.kernel.org/r/20250306172913.856982-1-jeff.hugo@oss.qualcomm.com +[mani: added stable tag] +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/mhi/host/main.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/bus/mhi/host/main.c ++++ b/drivers/bus/mhi/host/main.c +@@ -1207,11 +1207,16 @@ int mhi_gen_tre(struct mhi_controller *m + struct mhi_ring_element *mhi_tre; + struct mhi_buf_info *buf_info; + int eot, eob, chain, bei; +- int ret; ++ int ret = 0; + + /* Protect accesses for reading and incrementing WP */ + write_lock_bh(&mhi_chan->lock); + ++ if (mhi_chan->ch_state != MHI_CH_STATE_ENABLED) { ++ ret = -ENODEV; ++ goto out; ++ } ++ + buf_ring = &mhi_chan->buf_ring; + tre_ring = &mhi_chan->tre_ring; + +@@ -1229,10 +1234,8 @@ int mhi_gen_tre(struct mhi_controller *m + + if (!info->pre_mapped) { + ret = mhi_cntrl->map_single(mhi_cntrl, buf_info); +- if (ret) { +- write_unlock_bh(&mhi_chan->lock); +- return ret; +- } ++ if (ret) ++ goto out; + } + + eob = !!(flags & MHI_EOB); +@@ -1250,9 +1253,10 @@ int mhi_gen_tre(struct mhi_controller *m + mhi_add_ring_element(mhi_cntrl, tre_ring); + mhi_add_ring_element(mhi_cntrl, buf_ring); + ++out: + write_unlock_bh(&mhi_chan->lock); + +- return 0; ++ return ret; + } + + int mhi_queue_buf(struct mhi_device *mhi_dev, enum dma_data_direction dir, diff --git a/queue-6.12/clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch b/queue-6.12/clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch new file mode 100644 index 0000000000..f78e246b82 --- /dev/null +++ b/queue-6.12/clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch @@ -0,0 +1,38 @@ +From 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 Mon Sep 17 00:00:00 2001 +From: Alexandre Torgue +Date: Thu, 6 Mar 2025 11:25:01 +0100 +Subject: clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup + +From: Alexandre Torgue + +commit 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 upstream. + +"wakeup-source" property describes a device which has wakeup capability +but should not force this device as a wakeup source. + +Fixes: 48b41c5e2de6 ("clocksource: Add Low Power STM32 timers driver") +Cc: stable@vger.kernel.org +Signed-off-by: Alexandre Torgue +Signed-off-by: Fabrice Gasnier +Rule: add +Link: https://lore.kernel.org/stable/20250306083407.2374894-1-fabrice.gasnier%40foss.st.com +Link: https://lore.kernel.org/r/20250306102501.2980153-1-fabrice.gasnier@foss.st.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/timer-stm32-lp.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/clocksource/timer-stm32-lp.c ++++ b/drivers/clocksource/timer-stm32-lp.c +@@ -168,9 +168,7 @@ static int stm32_clkevent_lp_probe(struc + } + + if (of_property_read_bool(pdev->dev.parent->of_node, "wakeup-source")) { +- ret = device_init_wakeup(&pdev->dev, true); +- if (ret) +- goto out_clk_disable; ++ device_set_wakeup_capable(&pdev->dev, true); + + ret = dev_pm_set_wake_irq(&pdev->dev, irq); + if (ret) diff --git a/queue-6.12/dt-bindings-media-st-stmipid02-correct-lane-polarities-maxitems.patch b/queue-6.12/dt-bindings-media-st-stmipid02-correct-lane-polarities-maxitems.patch new file mode 100644 index 0000000000..af5d72852a --- /dev/null +++ b/queue-6.12/dt-bindings-media-st-stmipid02-correct-lane-polarities-maxitems.patch @@ -0,0 +1,34 @@ +From 3a544a39e0a4c492e3026dfbed018321d2bd6caa Mon Sep 17 00:00:00 2001 +From: Alain Volmat +Date: Mon, 10 Feb 2025 11:04:31 +0100 +Subject: dt-bindings: media: st,stmipid02: correct lane-polarities maxItems + +From: Alain Volmat + +commit 3a544a39e0a4c492e3026dfbed018321d2bd6caa upstream. + +The MIPID02 can use up to 2 data lanes which leads to having a maximum +item number of 3 for the lane-polarities since this also contains the +clock lane. + +CC: stable@vger.kernel.org +Fixes: c2741cbe7f8a ("dt-bindings: media: st,stmipid02: Convert the text bindings to YAML") +Signed-off-by: Alain Volmat +Acked-by: Conor Dooley +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml ++++ b/Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml +@@ -71,7 +71,7 @@ properties: + description: + Any lane can be inverted or not. + minItems: 1 +- maxItems: 2 ++ maxItems: 3 + + required: + - data-lanes diff --git a/queue-6.12/ext4-fix-off-by-one-error-in-do_split.patch b/queue-6.12/ext4-fix-off-by-one-error-in-do_split.patch new file mode 100644 index 0000000000..654cf01e1d --- /dev/null +++ b/queue-6.12/ext4-fix-off-by-one-error-in-do_split.patch @@ -0,0 +1,82 @@ +From 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d Mon Sep 17 00:00:00 2001 +From: Artem Sadovnikov +Date: Fri, 4 Apr 2025 08:28:05 +0000 +Subject: ext4: fix off-by-one error in do_split + +From: Artem Sadovnikov + +commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream. + +Syzkaller detected a use-after-free issue in ext4_insert_dentry that was +caused by out-of-bounds access due to incorrect splitting in do_split. + +BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 +Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847 + +CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 + __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 + ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 + add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154 + make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351 + ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455 + ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796 + ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431 + vfs_symlink+0x137/0x2e0 fs/namei.c:4615 + do_symlinkat+0x222/0x3a0 fs/namei.c:4641 + __do_sys_symlink fs/namei.c:4662 [inline] + __se_sys_symlink fs/namei.c:4660 [inline] + __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +The following loop is located right above 'if' statement. + +for (i = count-1; i >= 0; i--) { + /* is more than half of this entry in 2nd half of the block? */ + if (size + map[i].size/2 > blocksize/2) + break; + size += map[i].size; + move++; +} + +'i' in this case could go down to -1, in which case sum of active entries +wouldn't exceed half the block size, but previous behaviour would also do +split in half if sum would exceed at the very last block, which in case of +having too many long name files in a single block could lead to +out-of-bounds access and following use-after-free. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Cc: stable@vger.kernel.org +Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()") +Signed-off-by: Artem Sadovnikov +Reviewed-by: Jan Kara +Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -1995,7 +1995,7 @@ static struct ext4_dir_entry_2 *do_split + * split it in half by count; each resulting block will have at least + * half the space free. + */ +- if (i > 0) ++ if (i >= 0) + split = count - move; + else + split = count/2; diff --git a/queue-6.12/f2fs-fix-to-avoid-atomicity-corruption-of-atomic-file.patch b/queue-6.12/f2fs-fix-to-avoid-atomicity-corruption-of-atomic-file.patch new file mode 100644 index 0000000000..80be119d74 --- /dev/null +++ b/queue-6.12/f2fs-fix-to-avoid-atomicity-corruption-of-atomic-file.patch @@ -0,0 +1,68 @@ +From f098aeba04c9328571567dca45159358a250240c Mon Sep 17 00:00:00 2001 +From: Yeongjin Gil +Date: Fri, 14 Mar 2025 21:06:51 +0900 +Subject: f2fs: fix to avoid atomicity corruption of atomic file + +From: Yeongjin Gil + +commit f098aeba04c9328571567dca45159358a250240c upstream. + +In the case of the following call stack for an atomic file, +FI_DIRTY_INODE is set, but FI_ATOMIC_DIRTIED is not subsequently set. + +f2fs_file_write_iter + f2fs_map_blocks + f2fs_reserve_new_blocks + inc_valid_block_count + __mark_inode_dirty(dquot) + f2fs_dirty_inode + +If FI_ATOMIC_DIRTIED is not set, atomic file can encounter corruption +due to a mismatch between old file size and new data. + +To resolve this issue, I changed to set FI_ATOMIC_DIRTIED when +FI_DIRTY_INODE is set. This ensures that FI_DIRTY_INODE, which was +previously cleared by the Writeback thread during the commit atomic, is +set and i_size is updated. + +Cc: +Fixes: fccaa81de87e ("f2fs: prevent atomic file from being dirtied before commit") +Reviewed-by: Sungjong Seo +Reviewed-by: Sunmin Jeong +Signed-off-by: Yeongjin Gil +Reviewed-by: Daeho Jeong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inode.c | 4 +--- + fs/f2fs/super.c | 4 ++++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -34,10 +34,8 @@ void f2fs_mark_inode_dirty_sync(struct i + if (f2fs_inode_dirtied(inode, sync)) + return; + +- if (f2fs_is_atomic_file(inode)) { +- set_inode_flag(inode, FI_ATOMIC_DIRTIED); ++ if (f2fs_is_atomic_file(inode)) + return; +- } + + mark_inode_dirty_sync(inode); + } +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1515,6 +1515,10 @@ int f2fs_inode_dirtied(struct inode *ino + inc_page_count(sbi, F2FS_DIRTY_IMETA); + } + spin_unlock(&sbi->inode_lock[DIRTY_META]); ++ ++ if (!ret && f2fs_is_atomic_file(inode)) ++ set_inode_flag(inode, FI_ATOMIC_DIRTIED); ++ + return ret; + } + diff --git a/queue-6.12/io_uring-kbuf-reject-zero-sized-provided-buffers.patch b/queue-6.12/io_uring-kbuf-reject-zero-sized-provided-buffers.patch new file mode 100644 index 0000000000..616ae8cabb --- /dev/null +++ b/queue-6.12/io_uring-kbuf-reject-zero-sized-provided-buffers.patch @@ -0,0 +1,32 @@ +From cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 7 Apr 2025 07:51:23 -0600 +Subject: io_uring/kbuf: reject zero sized provided buffers + +From: Jens Axboe + +commit cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc upstream. + +This isn't fixing a real issue, but there's also zero point in going +through group and buffer setup, when the buffers are going to be +rejected once attempted to get used. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+58928048fd1416f1457c@syzkaller.appspotmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/kbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/io_uring/kbuf.c ++++ b/io_uring/kbuf.c +@@ -484,6 +484,8 @@ int io_provide_buffers_prep(struct io_ki + p->nbufs = tmp; + p->addr = READ_ONCE(sqe->addr); + p->len = READ_ONCE(sqe->len); ++ if (!p->len) ++ return -EINVAL; + + if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs, + &size)) diff --git a/queue-6.12/io_uring-net-fix-accept-multishot-handling.patch b/queue-6.12/io_uring-net-fix-accept-multishot-handling.patch new file mode 100644 index 0000000000..ad4ba2066b --- /dev/null +++ b/queue-6.12/io_uring-net-fix-accept-multishot-handling.patch @@ -0,0 +1,36 @@ +From f6a89bf5278d6e15016a736db67043560d1b50d5 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Sun, 23 Feb 2025 17:22:29 +0000 +Subject: io_uring/net: fix accept multishot handling + +From: Pavel Begunkov + +commit f6a89bf5278d6e15016a736db67043560d1b50d5 upstream. + +REQ_F_APOLL_MULTISHOT doesn't guarantee it's executed from the multishot +context, so a multishot accept may get executed inline, fail +io_req_post_cqe(), and ask the core code to kill the request with +-ECANCELED by returning IOU_STOP_MULTISHOT even when a socket has been +accepted and installed. + +Cc: stable@vger.kernel.org +Fixes: 390ed29b5e425 ("io_uring: add IORING_ACCEPT_MULTISHOT for accept") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/51c6deb01feaa78b08565ca8f24843c017f5bc80.1740331076.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -1616,6 +1616,8 @@ retry: + } + + io_req_set_res(req, ret, cflags); ++ if (!(issue_flags & IO_URING_F_MULTISHOT)) ++ return IOU_OK; + return IOU_STOP_MULTISHOT; + } + diff --git a/queue-6.12/io_uring-net-fix-io_req_post_cqe-abuse-by-send-bundle.patch b/queue-6.12/io_uring-net-fix-io_req_post_cqe-abuse-by-send-bundle.patch new file mode 100644 index 0000000000..b33150e5a9 --- /dev/null +++ b/queue-6.12/io_uring-net-fix-io_req_post_cqe-abuse-by-send-bundle.patch @@ -0,0 +1,86 @@ +From 6889ae1b4df1579bcdffef023e2ea9a982565dff Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Thu, 27 Mar 2025 09:57:27 +0000 +Subject: io_uring/net: fix io_req_post_cqe abuse by send bundle + +From: Pavel Begunkov + +commit 6889ae1b4df1579bcdffef023e2ea9a982565dff upstream. + +[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0 +[ 114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0 +[ 115.001880][ T5313] Call Trace: +[ 115.002222][ T5313] +[ 115.007813][ T5313] io_send+0x4fe/0x10f0 +[ 115.009317][ T5313] io_issue_sqe+0x1a6/0x1740 +[ 115.012094][ T5313] io_wq_submit_work+0x38b/0xed0 +[ 115.013223][ T5313] io_worker_handle_work+0x62a/0x1600 +[ 115.013876][ T5313] io_wq_worker+0x34f/0xdf0 + +As the comment states, io_req_post_cqe() should only be used by +multishot requests, i.e. REQ_F_APOLL_MULTISHOT, which bundled sends are +not. Add a flag signifying whether a request wants to post multiple +CQEs. Eventually REQ_F_APOLL_MULTISHOT should imply the new flag, but +that's left out for simplicity. + +Cc: stable@vger.kernel.org +Fixes: a05d1f625c7aa ("io_uring/net: support bundles for send") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/8b611dbb54d1cd47a88681f5d38c84d0c02bc563.1743067183.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/io_uring_types.h | 3 +++ + io_uring/io_uring.c | 4 ++-- + io_uring/net.c | 1 + + 3 files changed, 6 insertions(+), 2 deletions(-) + +--- a/include/linux/io_uring_types.h ++++ b/include/linux/io_uring_types.h +@@ -457,6 +457,7 @@ enum { + REQ_F_SKIP_LINK_CQES_BIT, + REQ_F_SINGLE_POLL_BIT, + REQ_F_DOUBLE_POLL_BIT, ++ REQ_F_MULTISHOT_BIT, + REQ_F_APOLL_MULTISHOT_BIT, + REQ_F_CLEAR_POLLIN_BIT, + REQ_F_HASH_LOCKED_BIT, +@@ -530,6 +531,8 @@ enum { + REQ_F_SINGLE_POLL = IO_REQ_FLAG(REQ_F_SINGLE_POLL_BIT), + /* double poll may active */ + REQ_F_DOUBLE_POLL = IO_REQ_FLAG(REQ_F_DOUBLE_POLL_BIT), ++ /* request posts multiple completions, should be set at prep time */ ++ REQ_F_MULTISHOT = IO_REQ_FLAG(REQ_F_MULTISHOT_BIT), + /* fast poll multishot mode */ + REQ_F_APOLL_MULTISHOT = IO_REQ_FLAG(REQ_F_APOLL_MULTISHOT_BIT), + /* recvmsg special flag, clear EPOLLIN */ +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1821,7 +1821,7 @@ fail: + * Don't allow any multishot execution from io-wq. It's more restrictive + * than necessary and also cleaner. + */ +- if (req->flags & REQ_F_APOLL_MULTISHOT) { ++ if (req->flags & (REQ_F_MULTISHOT|REQ_F_APOLL_MULTISHOT)) { + err = -EBADFD; + if (!io_file_can_poll(req)) + goto fail; +@@ -1832,7 +1832,7 @@ fail: + goto fail; + return; + } else { +- req->flags &= ~REQ_F_APOLL_MULTISHOT; ++ req->flags &= ~(REQ_F_APOLL_MULTISHOT|REQ_F_MULTISHOT); + } + } + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -435,6 +435,7 @@ int io_sendmsg_prep(struct io_kiocb *req + sr->msg_flags |= MSG_WAITALL; + sr->buf_group = req->buf_index; + req->buf_list = NULL; ++ req->flags |= REQ_F_MULTISHOT; + } + + #ifdef CONFIG_COMPAT diff --git a/queue-6.12/kvm-arm64-tear-down-vgic-on-failed-vcpu-creation.patch b/queue-6.12/kvm-arm64-tear-down-vgic-on-failed-vcpu-creation.patch new file mode 100644 index 0000000000..ea959749a3 --- /dev/null +++ b/queue-6.12/kvm-arm64-tear-down-vgic-on-failed-vcpu-creation.patch @@ -0,0 +1,46 @@ +From 250f25367b58d8c65a1b060a2dda037eea09a672 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 14 Mar 2025 13:34:09 +0000 +Subject: KVM: arm64: Tear down vGIC on failed vCPU creation + +From: Will Deacon + +commit 250f25367b58d8c65a1b060a2dda037eea09a672 upstream. + +If kvm_arch_vcpu_create() fails to share the vCPU page with the +hypervisor, we propagate the error back to the ioctl but leave the +vGIC vCPU data initialised. Note only does this leak the corresponding +memory when the vCPU is destroyed but it can also lead to use-after-free +if the redistributor device handling tries to walk into the vCPU. + +Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the +vGIC vCPU structures are destroyed on error. + +Cc: +Cc: Marc Zyngier +Cc: Oliver Upton +Cc: Quentin Perret +Signed-off-by: Will Deacon +Reviewed-by: Marc Zyngier +Link: https://lore.kernel.org/r/20250314133409.9123-1-will@kernel.org +Signed-off-by: Oliver Upton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/arm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -493,7 +493,11 @@ int kvm_arch_vcpu_create(struct kvm_vcpu + if (err) + return err; + +- return kvm_share_hyp(vcpu, vcpu + 1); ++ err = kvm_share_hyp(vcpu, vcpu + 1); ++ if (err) ++ kvm_vgic_vcpu_destroy(vcpu); ++ ++ return err; + } + + void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu) diff --git a/queue-6.12/media-chips-media-wave5-avoid-race-condition-in-the-interrupt-handler.patch b/queue-6.12/media-chips-media-wave5-avoid-race-condition-in-the-interrupt-handler.patch new file mode 100644 index 0000000000..b31a62a99f --- /dev/null +++ b/queue-6.12/media-chips-media-wave5-avoid-race-condition-in-the-interrupt-handler.patch @@ -0,0 +1,46 @@ +From ac35f768986610480a1c01323d9cf9f5eaf3ee9b Mon Sep 17 00:00:00 2001 +From: "Jackson.lee" +Date: Tue, 17 Dec 2024 13:51:23 +0900 +Subject: media: chips-media: wave5: Avoid race condition in the interrupt handler + +From: Jackson.lee + +commit ac35f768986610480a1c01323d9cf9f5eaf3ee9b upstream. + +In case of multiple active instances, new interrupts can occur as soon +as the current interrupt is cleared. If the driver reads the +instance_info after clearing the interrupt, then there is no guarantee, +that the instance_info is still valid for the current interrupt. + +Read the instance_info register for each interrupt before clearing the +interrupt. + +Fixes: ed7276ed2fd0 ("media: chips-media: wave5: Add hrtimer based polling support") +Cc: stable@vger.kernel.org +Signed-off-by: Jackson.lee +Signed-off-by: Nas Chung +Reviewed-by: Nicolas Dufresne +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/chips-media/wave5/wave5-vpu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c ++++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c +@@ -54,12 +54,12 @@ static void wave5_vpu_handle_irq(void *d + struct vpu_device *dev = dev_id; + + irq_reason = wave5_vdi_read_register(dev, W5_VPU_VINT_REASON); ++ seq_done = wave5_vdi_read_register(dev, W5_RET_SEQ_DONE_INSTANCE_INFO); ++ cmd_done = wave5_vdi_read_register(dev, W5_RET_QUEUE_CMD_DONE_INST); + wave5_vdi_write_register(dev, W5_VPU_VINT_REASON_CLR, irq_reason); + wave5_vdi_write_register(dev, W5_VPU_VINT_CLEAR, 0x1); + + list_for_each_entry(inst, &dev->instances, list) { +- seq_done = wave5_vdi_read_register(dev, W5_RET_SEQ_DONE_INSTANCE_INFO); +- cmd_done = wave5_vdi_read_register(dev, W5_RET_QUEUE_CMD_DONE_INST); + + if (irq_reason & BIT(INT_WAVE5_INIT_SEQ) || + irq_reason & BIT(INT_WAVE5_ENC_SET_PARAM)) { diff --git a/queue-6.12/media-chips-media-wave5-fix-a-hang-after-seeking.patch b/queue-6.12/media-chips-media-wave5-fix-a-hang-after-seeking.patch new file mode 100644 index 0000000000..d670eb5570 --- /dev/null +++ b/queue-6.12/media-chips-media-wave5-fix-a-hang-after-seeking.patch @@ -0,0 +1,86 @@ +From a2c75e964e51b096e9fe6adfa3eaed53594a668b Mon Sep 17 00:00:00 2001 +From: "Jackson.lee" +Date: Tue, 17 Dec 2024 13:51:24 +0900 +Subject: media: chips-media: wave5: Fix a hang after seeking + +From: Jackson.lee + +commit a2c75e964e51b096e9fe6adfa3eaed53594a668b upstream. + +While seeking, the driver calls the flush command. Before the flush +command is sent to the VPU, the driver should handle the display buffer +flags and should get all decoded information from the VPU if the VCORE +is running. + +Fixes: 9707a6254a8a ("media: chips-media: wave5: Add the v4l2 layer") +Cc: stable@vger.kernel.org +Signed-off-by: Jackson.lee +Signed-off-by: Nas Chung +Reviewed-by: Nicolas Dufresne +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c | 17 ++++++++++++++- + drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 10 ++++++++ + 2 files changed, 26 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c ++++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +@@ -1446,6 +1446,16 @@ static int streamoff_output(struct vb2_q + struct vb2_v4l2_buffer *buf; + int ret; + dma_addr_t new_rd_ptr; ++ struct dec_output_info dec_info; ++ unsigned int i; ++ ++ for (i = 0; i < v4l2_m2m_num_dst_bufs_ready(m2m_ctx); i++) { ++ ret = wave5_vpu_dec_set_disp_flag(inst, i); ++ if (ret) ++ dev_dbg(inst->dev->dev, ++ "%s: Setting display flag of buf index: %u, fail: %d\n", ++ __func__, i, ret); ++ } + + while ((buf = v4l2_m2m_src_buf_remove(m2m_ctx))) { + dev_dbg(inst->dev->dev, "%s: (Multiplanar) buf type %4u | index %4u\n", +@@ -1453,6 +1463,11 @@ static int streamoff_output(struct vb2_q + v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR); + } + ++ while (wave5_vpu_dec_get_output_info(inst, &dec_info) == 0) { ++ if (dec_info.index_frame_display >= 0) ++ wave5_vpu_dec_set_disp_flag(inst, dec_info.index_frame_display); ++ } ++ + ret = wave5_vpu_flush_instance(inst); + if (ret) + return ret; +@@ -1535,7 +1550,7 @@ static void wave5_vpu_dec_stop_streaming + break; + + if (wave5_vpu_dec_get_output_info(inst, &dec_output_info)) +- dev_dbg(inst->dev->dev, "Getting decoding results from fw, fail\n"); ++ dev_dbg(inst->dev->dev, "there is no output info\n"); + } + + v4l2_m2m_update_stop_streaming_state(m2m_ctx, q); +--- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c ++++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c +@@ -73,6 +73,16 @@ int wave5_vpu_flush_instance(struct vpu_ + inst->type == VPU_INST_TYPE_DEC ? "DECODER" : "ENCODER", inst->id); + mutex_unlock(&inst->dev->hw_lock); + return -ETIMEDOUT; ++ } else if (ret == -EBUSY) { ++ struct dec_output_info dec_info; ++ ++ mutex_unlock(&inst->dev->hw_lock); ++ wave5_vpu_dec_get_output_info(inst, &dec_info); ++ ret = mutex_lock_interruptible(&inst->dev->hw_lock); ++ if (ret) ++ return ret; ++ if (dec_info.index_frame_display > 0) ++ wave5_vpu_dec_set_disp_flag(inst, dec_info.index_frame_display); + } + } while (ret != 0); + mutex_unlock(&inst->dev->hw_lock); diff --git a/queue-6.12/media-chips-media-wave5-fix-gray-color-on-screen.patch b/queue-6.12/media-chips-media-wave5-fix-gray-color-on-screen.patch new file mode 100644 index 0000000000..6dd4fcc0a8 --- /dev/null +++ b/queue-6.12/media-chips-media-wave5-fix-gray-color-on-screen.patch @@ -0,0 +1,36 @@ +From 6bae4d5053da634eecb611118e7cd91a677a4bbf Mon Sep 17 00:00:00 2001 +From: "Jackson.lee" +Date: Tue, 17 Dec 2024 13:51:22 +0900 +Subject: media: chips-media: wave5: Fix gray color on screen + +From: Jackson.lee + +commit 6bae4d5053da634eecb611118e7cd91a677a4bbf upstream. + +When a decoder instance is created, the W5_CMD_ERR_CONCEAL register +should be initialized to 0. Otherwise, gray color is occasionally +displayed on the screen while decoding. + +Fixes: 45d1a2b93277 ("media: chips-media: wave5: Add vpuapi layer") +Cc: stable@vger.kernel.org +Signed-off-by: Jackson.lee +Signed-off-by: Nas Chung +Reviewed-by: Nicolas Dufresne +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/chips-media/wave5/wave5-hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/chips-media/wave5/wave5-hw.c ++++ b/drivers/media/platform/chips-media/wave5/wave5-hw.c +@@ -576,7 +576,7 @@ int wave5_vpu_build_up_dec_param(struct + vpu_write_reg(inst->dev, W5_CMD_NUM_CQ_DEPTH_M1, + WAVE521_COMMAND_QUEUE_DEPTH - 1); + } +- ++ vpu_write_reg(inst->dev, W5_CMD_ERR_CONCEAL, 0); + ret = send_firmware_command(inst, W5_CREATE_INSTANCE, true, NULL, NULL); + if (ret) { + wave5_vdi_free_dma_memory(vpu_dev, &p_dec_info->vb_work); diff --git a/queue-6.12/media-chips-media-wave5-fix-timeout-while-testing-10bit-hevc-fluster.patch b/queue-6.12/media-chips-media-wave5-fix-timeout-while-testing-10bit-hevc-fluster.patch new file mode 100644 index 0000000000..10d55e0199 --- /dev/null +++ b/queue-6.12/media-chips-media-wave5-fix-timeout-while-testing-10bit-hevc-fluster.patch @@ -0,0 +1,53 @@ +From 035371c9e5098018b8512efc6a8812912469480c Mon Sep 17 00:00:00 2001 +From: "Jackson.lee" +Date: Tue, 17 Dec 2024 13:51:25 +0900 +Subject: media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster + +From: Jackson.lee + +commit 035371c9e5098018b8512efc6a8812912469480c upstream. + +The Wave5 521C variant does not support 10 bit decoding. When 10 bit +decoding support was added for the 515 variant, a section of the code +was removed which returned an error. This removal causes a timeout for +the 521 variant, which was discovered during HEVC 10-bit decoding tests. + +Fixes: 143e7ab4d9a0 ("media: chips-media: wave5: support decoding HEVC Main10 profile") +Cc: stable@vger.kernel.org +Signed-off-by: Jackson.lee +Signed-off-by: Nas Chung +Reviewed-by: Nicolas Dufresne +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c ++++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +@@ -1424,10 +1424,24 @@ static int wave5_vpu_dec_start_streaming + if (ret) + goto free_bitstream_vbuf; + } else if (q->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { ++ struct dec_initial_info *initial_info = ++ &inst->codec_info->dec_info.initial_info; ++ + if (inst->state == VPU_INST_STATE_STOP) + ret = switch_state(inst, VPU_INST_STATE_INIT_SEQ); + if (ret) + goto return_buffers; ++ ++ if (inst->state == VPU_INST_STATE_INIT_SEQ && ++ inst->dev->product_code == WAVE521C_CODE) { ++ if (initial_info->luma_bitdepth != 8) { ++ dev_info(inst->dev->dev, "%s: no support for %d bit depth", ++ __func__, initial_info->luma_bitdepth); ++ ret = -EINVAL; ++ goto return_buffers; ++ } ++ } ++ + } + + return ret; diff --git a/queue-6.12/media-hi556-fix-memory-leak-on-error-in-hi556_check_hwcfg.patch b/queue-6.12/media-hi556-fix-memory-leak-on-error-in-hi556_check_hwcfg.patch new file mode 100644 index 0000000000..5d6c4e07f6 --- /dev/null +++ b/queue-6.12/media-hi556-fix-memory-leak-on-error-in-hi556_check_hwcfg.patch @@ -0,0 +1,46 @@ +From ed554da65abd0c561e40d35272d1a61d030fe977 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 19 Dec 2024 20:27:30 +0100 +Subject: media: hi556: Fix memory leak (on error) in hi556_check_hwcfg() + +From: Hans de Goede + +commit ed554da65abd0c561e40d35272d1a61d030fe977 upstream. + +Commit 7d968b5badfc ("media: hi556: Return -EPROBE_DEFER if no endpoint is +found") moved the v4l2_fwnode_endpoint_alloc_parse() call in +hi556_check_hwcfg() up, but it did not make the error-exit paths between +the old and new call-site use "goto check_hwcfg_error;" to free the bus_cfg +on errors. + +Add the missing "goto check_hwcfg_error;" statements to fix a memleak on +early error-exits from hi556_check_hwcfg(). + +Fixes: 7d968b5badfc ("media: hi556: Return -EPROBE_DEFER if no endpoint is found") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/hi556.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/hi556.c ++++ b/drivers/media/i2c/hi556.c +@@ -1230,12 +1230,13 @@ static int hi556_check_hwcfg(struct devi + ret = fwnode_property_read_u32(fwnode, "clock-frequency", &mclk); + if (ret) { + dev_err(dev, "can't get clock frequency"); +- return ret; ++ goto check_hwcfg_error; + } + + if (mclk != HI556_MCLK) { + dev_err(dev, "external clock %d is not supported", mclk); +- return -EINVAL; ++ ret = -EINVAL; ++ goto check_hwcfg_error; + } + + if (bus_cfg.bus.mipi_csi2.num_data_lanes != 2) { diff --git a/queue-6.12/media-i2c-adv748x-fix-test-pattern-selection-mask.patch b/queue-6.12/media-i2c-adv748x-fix-test-pattern-selection-mask.patch new file mode 100644 index 0000000000..b6c179e406 --- /dev/null +++ b/queue-6.12/media-i2c-adv748x-fix-test-pattern-selection-mask.patch @@ -0,0 +1,44 @@ +From 9e38acacb9d809b97a0bdc5c76e725355a47158a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niklas=20S=C3=B6derlund?= + +Date: Tue, 21 Jan 2025 21:44:00 +0100 +Subject: media: i2c: adv748x: Fix test pattern selection mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +commit 9e38acacb9d809b97a0bdc5c76e725355a47158a upstream. + +The mask to select the test-pattern in register ADV748X_SDP_FRP is +incorrect, it's the lower 3 bits which controls the pattern. The +GENMASK() macro is used incorrectly and the generated mask is 0x0e +instead of 0x07. + +The result is that not all test patterns are selectable, and that in +some cases the wrong test pattern is activated. Fix this by correcting +the GENMASK(). + +Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver") +Cc: stable@vger.kernel.org +Signed-off-by: Niklas Söderlund +Reviewed-by: Kieran Bingham +Signed-off-by: Hans Verkuil +[hverkuil: fixed tiny typo in commit log: my -> by] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv748x/adv748x.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/adv748x/adv748x.h ++++ b/drivers/media/i2c/adv748x/adv748x.h +@@ -320,7 +320,7 @@ struct adv748x_state { + + /* Free run pattern select */ + #define ADV748X_SDP_FRP 0x14 +-#define ADV748X_SDP_FRP_MASK GENMASK(3, 1) ++#define ADV748X_SDP_FRP_MASK GENMASK(2, 0) + + /* Saturation */ + #define ADV748X_SDP_SD_SAT_U 0xe3 /* user_map_rw_reg_e3 */ diff --git a/queue-6.12/media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-probe.patch b/queue-6.12/media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-probe.patch new file mode 100644 index 0000000000..2ea533667d --- /dev/null +++ b/queue-6.12/media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-probe.patch @@ -0,0 +1,31 @@ +From 80704d14f1bd3628f578510e0a88b66824990ef6 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 10 Jan 2025 15:54:22 +0200 +Subject: media: i2c: ccs: Set the device's runtime PM status correctly in probe + +From: Sakari Ailus + +commit 80704d14f1bd3628f578510e0a88b66824990ef6 upstream. + +Set the device's runtime PM status to suspended in probe error paths where +it was previously set to active. + +Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM") +Cc: stable@vger.kernel.org # for >= v5.15 +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs/ccs-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/i2c/ccs/ccs-core.c ++++ b/drivers/media/i2c/ccs/ccs-core.c +@@ -3562,6 +3562,7 @@ static int ccs_probe(struct i2c_client * + out_disable_runtime_pm: + pm_runtime_put_noidle(&client->dev); + pm_runtime_disable(&client->dev); ++ pm_runtime_set_suspended(&client->dev); + + out_cleanup: + ccs_cleanup(sensor); diff --git a/queue-6.12/media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-remove.patch b/queue-6.12/media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-remove.patch new file mode 100644 index 0000000000..2ab00feadd --- /dev/null +++ b/queue-6.12/media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-remove.patch @@ -0,0 +1,36 @@ +From e04604583095faf455b3490b004254a225fd60d4 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 10 Jan 2025 14:50:27 +0200 +Subject: media: i2c: ccs: Set the device's runtime PM status correctly in remove + +From: Sakari Ailus + +commit e04604583095faf455b3490b004254a225fd60d4 upstream. + +Set the device's runtime PM status to suspended in device removal only if +it wasn't suspended already. + +Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM") +Cc: stable@vger.kernel.org # for >= v5.15 +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ccs/ccs-core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/ccs/ccs-core.c ++++ b/drivers/media/i2c/ccs/ccs-core.c +@@ -3591,9 +3591,10 @@ static void ccs_remove(struct i2c_client + v4l2_async_unregister_subdev(subdev); + + pm_runtime_disable(&client->dev); +- if (!pm_runtime_status_suspended(&client->dev)) ++ if (!pm_runtime_status_suspended(&client->dev)) { + ccs_power_off(&client->dev); +- pm_runtime_set_suspended(&client->dev); ++ pm_runtime_set_suspended(&client->dev); ++ } + + for (i = 0; i < sensor->ssds_used; i++) + v4l2_device_unregister_subdev(&sensor->ssds[i].sd); diff --git a/queue-6.12/media-i2c-imx214-rectify-probe-error-handling-related-to-runtime-pm.patch b/queue-6.12/media-i2c-imx214-rectify-probe-error-handling-related-to-runtime-pm.patch new file mode 100644 index 0000000000..cc0ab227b0 --- /dev/null +++ b/queue-6.12/media-i2c-imx214-rectify-probe-error-handling-related-to-runtime-pm.patch @@ -0,0 +1,100 @@ +From ccc888d1698b6f42d52ddf5cecfe50fe925c95e5 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 10 Jan 2025 14:36:01 +0200 +Subject: media: i2c: imx214: Rectify probe error handling related to runtime PM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sakari Ailus + +commit ccc888d1698b6f42d52ddf5cecfe50fe925c95e5 upstream. + +There were multiple issues in the driver's probe function related to +error handling: + +- Device's PM runtime status wasn't reverted to suspended on some errors + in probe. + +- Runtime PM was left enabled for the device on some probe errors. + +- Device was left powered on if a probe failure happened or when it + was removed when it was powered on. + +- An extra pm_runtime_set_suspended() was issued in driver's remove + function when the device was suspended. + +Fix these bugs. + +Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver") +Cc: stable@vger.kernel.org # for >= v6.12 +Signed-off-by: Sakari Ailus +Acked-by: André Apitzsch +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx214.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/drivers/media/i2c/imx214.c ++++ b/drivers/media/i2c/imx214.c +@@ -1075,10 +1075,6 @@ static int imx214_probe(struct i2c_clien + */ + imx214_power_on(imx214->dev); + +- pm_runtime_set_active(imx214->dev); +- pm_runtime_enable(imx214->dev); +- pm_runtime_idle(imx214->dev); +- + ret = imx214_ctrls_init(imx214); + if (ret < 0) + goto error_power_off; +@@ -1099,21 +1095,30 @@ static int imx214_probe(struct i2c_clien + + imx214_entity_init_state(&imx214->sd, NULL); + ++ pm_runtime_set_active(imx214->dev); ++ pm_runtime_enable(imx214->dev); ++ + ret = v4l2_async_register_subdev_sensor(&imx214->sd); + if (ret < 0) { + dev_err(dev, "could not register v4l2 device\n"); + goto free_entity; + } + ++ pm_runtime_idle(imx214->dev); ++ + return 0; + + free_entity: ++ pm_runtime_disable(imx214->dev); ++ pm_runtime_set_suspended(&client->dev); + media_entity_cleanup(&imx214->sd.entity); ++ + free_ctrl: + mutex_destroy(&imx214->mutex); + v4l2_ctrl_handler_free(&imx214->ctrls); ++ + error_power_off: +- pm_runtime_disable(imx214->dev); ++ imx214_power_off(imx214->dev); + + return ret; + } +@@ -1126,11 +1131,12 @@ static void imx214_remove(struct i2c_cli + v4l2_async_unregister_subdev(&imx214->sd); + media_entity_cleanup(&imx214->sd.entity); + v4l2_ctrl_handler_free(&imx214->ctrls); +- +- pm_runtime_disable(&client->dev); +- pm_runtime_set_suspended(&client->dev); +- + mutex_destroy(&imx214->mutex); ++ pm_runtime_disable(&client->dev); ++ if (!pm_runtime_status_suspended(&client->dev)) { ++ imx214_power_off(imx214->dev); ++ pm_runtime_set_suspended(&client->dev); ++ } + } + + static const struct of_device_id imx214_of_match[] = { diff --git a/queue-6.12/media-i2c-imx219-rectify-runtime-pm-handling-in-probe-and-remove.patch b/queue-6.12/media-i2c-imx219-rectify-runtime-pm-handling-in-probe-and-remove.patch new file mode 100644 index 0000000000..06d4dbc4c3 --- /dev/null +++ b/queue-6.12/media-i2c-imx219-rectify-runtime-pm-handling-in-probe-and-remove.patch @@ -0,0 +1,70 @@ +From 42eceae9793566d0df53d509be3e416465c347f5 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 10 Jan 2025 14:53:20 +0200 +Subject: media: i2c: imx219: Rectify runtime PM handling in probe and remove + +From: Sakari Ailus + +commit 42eceae9793566d0df53d509be3e416465c347f5 upstream. + +Set the device's runtime PM status and enable runtime PM before +registering the async sub-device. This is needed to avoid the case where +the device is runtime PM resumed while runtime PM has not been enabled +yet. + +Also set the device's runtime PM status to suspended in remove only if it +wasn't so already. + +Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor") +Cc: stable@vger.kernel.org # for >= v6.6 +Reviewed-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx219.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/media/i2c/imx219.c ++++ b/drivers/media/i2c/imx219.c +@@ -1231,6 +1231,9 @@ static int imx219_probe(struct i2c_clien + goto error_media_entity; + } + ++ pm_runtime_set_active(dev); ++ pm_runtime_enable(dev); ++ + ret = v4l2_async_register_subdev_sensor(&imx219->sd); + if (ret < 0) { + dev_err_probe(dev, ret, +@@ -1238,15 +1241,14 @@ static int imx219_probe(struct i2c_clien + goto error_subdev_cleanup; + } + +- /* Enable runtime PM and turn off the device */ +- pm_runtime_set_active(dev); +- pm_runtime_enable(dev); + pm_runtime_idle(dev); + + return 0; + + error_subdev_cleanup: + v4l2_subdev_cleanup(&imx219->sd); ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); + + error_media_entity: + media_entity_cleanup(&imx219->sd.entity); +@@ -1271,9 +1273,10 @@ static void imx219_remove(struct i2c_cli + imx219_free_controls(imx219); + + pm_runtime_disable(&client->dev); +- if (!pm_runtime_status_suspended(&client->dev)) ++ if (!pm_runtime_status_suspended(&client->dev)) { + imx219_power_off(&client->dev); +- pm_runtime_set_suspended(&client->dev); ++ pm_runtime_set_suspended(&client->dev); ++ } + } + + static const struct of_device_id imx219_dt_ids[] = { diff --git a/queue-6.12/media-i2c-imx319-rectify-runtime-pm-handling-probe-and-remove.patch b/queue-6.12/media-i2c-imx319-rectify-runtime-pm-handling-probe-and-remove.patch new file mode 100644 index 0000000000..59529be0df --- /dev/null +++ b/queue-6.12/media-i2c-imx319-rectify-runtime-pm-handling-probe-and-remove.patch @@ -0,0 +1,59 @@ +From 5f5ffd3bc62b2e6c478061918b10473d8b90ac2d Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 10 Jan 2025 14:55:59 +0200 +Subject: media: i2c: imx319: Rectify runtime PM handling probe and remove + +From: Sakari Ailus + +commit 5f5ffd3bc62b2e6c478061918b10473d8b90ac2d upstream. + +Idle the device only after the async sub-device has been successfully +registered. In error handling, set the device's runtime PM status to +suspended only if it has been set to active previously in probe. + +Also set the device's runtime PM status to suspended in remove only if it +wasn't so already. + +Fixes: 8a89dc62f28c ("media: add imx319 camera sensor driver") +Cc: stable@vger.kernel.org # for >= v6.12 +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx319.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/media/i2c/imx319.c ++++ b/drivers/media/i2c/imx319.c +@@ -2442,17 +2442,19 @@ static int imx319_probe(struct i2c_clien + if (full_power) + pm_runtime_set_active(&client->dev); + pm_runtime_enable(&client->dev); +- pm_runtime_idle(&client->dev); + + ret = v4l2_async_register_subdev_sensor(&imx319->sd); + if (ret < 0) + goto error_media_entity_pm; + ++ pm_runtime_idle(&client->dev); ++ + return 0; + + error_media_entity_pm: + pm_runtime_disable(&client->dev); +- pm_runtime_set_suspended(&client->dev); ++ if (full_power) ++ pm_runtime_set_suspended(&client->dev); + media_entity_cleanup(&imx319->sd.entity); + + error_handler_free: +@@ -2474,7 +2476,8 @@ static void imx319_remove(struct i2c_cli + v4l2_ctrl_handler_free(sd->ctrl_handler); + + pm_runtime_disable(&client->dev); +- pm_runtime_set_suspended(&client->dev); ++ if (!pm_runtime_status_suspended(&client->dev)) ++ pm_runtime_set_suspended(&client->dev); + + mutex_destroy(&imx319->mutex); + } diff --git a/queue-6.12/media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch b/queue-6.12/media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch new file mode 100644 index 0000000000..a7f62fc1ea --- /dev/null +++ b/queue-6.12/media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch @@ -0,0 +1,33 @@ +From 3d391292cdd53984ec1b9a1f6182a62a62751e03 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 17 Jan 2025 16:04:02 +0200 +Subject: media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO + +From: Sakari Ailus + +commit 3d391292cdd53984ec1b9a1f6182a62a62751e03 upstream. + +Lift the xshutdown (enable) GPIO 1 ms after enabling the regulators, as +required by the sensor's power-up sequence. + +Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov7251.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/ov7251.c ++++ b/drivers/media/i2c/ov7251.c +@@ -922,6 +922,8 @@ static int ov7251_set_power_on(struct de + return ret; + } + ++ usleep_range(1000, 1100); ++ + gpiod_set_value_cansleep(ov7251->enable_gpio, 1); + + /* wait at least 65536 external clock cycles */ diff --git a/queue-6.12/media-i2c-ov7251-set-enable-gpio-low-in-probe.patch b/queue-6.12/media-i2c-ov7251-set-enable-gpio-low-in-probe.patch new file mode 100644 index 0000000000..572df06b6f --- /dev/null +++ b/queue-6.12/media-i2c-ov7251-set-enable-gpio-low-in-probe.patch @@ -0,0 +1,32 @@ +From a1963698d59cec83df640ded343af08b76c8e9c5 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 17 Jan 2025 15:38:13 +0200 +Subject: media: i2c: ov7251: Set enable GPIO low in probe + +From: Sakari Ailus + +commit a1963698d59cec83df640ded343af08b76c8e9c5 upstream. + +Set the enable GPIO low when acquiring it. + +Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov7251.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/ov7251.c ++++ b/drivers/media/i2c/ov7251.c +@@ -1696,7 +1696,7 @@ static int ov7251_probe(struct i2c_clien + return PTR_ERR(ov7251->analog_regulator); + } + +- ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_HIGH); ++ ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW); + if (IS_ERR(ov7251->enable_gpio)) { + dev_err(dev, "cannot get enable gpio\n"); + return PTR_ERR(ov7251->enable_gpio); diff --git a/queue-6.12/media-imx219-adjust-pll-settings-based-on-the-number-of-mipi-lanes.patch b/queue-6.12/media-imx219-adjust-pll-settings-based-on-the-number-of-mipi-lanes.patch new file mode 100644 index 0000000000..d8fdcdf795 --- /dev/null +++ b/queue-6.12/media-imx219-adjust-pll-settings-based-on-the-number-of-mipi-lanes.patch @@ -0,0 +1,195 @@ +From 591a07588c03437dbcc3addfff07675de95a461e Mon Sep 17 00:00:00 2001 +From: Dave Stevenson +Date: Thu, 23 Jan 2025 15:37:49 +0000 +Subject: media: imx219: Adjust PLL settings based on the number of MIPI lanes + +From: Dave Stevenson + +commit 591a07588c03437dbcc3addfff07675de95a461e upstream. + +Commit ceddfd4493b3 ("media: i2c: imx219: Support four-lane operation") +added support for device tree to allow configuration of the sensor to +use 4 lanes with a link frequency of 363MHz, and amended the advertised +pixel rate to 280.8MPix/s. + +However it didn't change any of the PLL settings, so actually it would +have been running overclocked in the MIPI block, and with the frame +rate and exposure calculations being wrong as the pixel rate was +unchanged. + +The pixel rate and link frequency advertised were taken from the "Clock +Setting Example" section of the datasheet. However those are based on an +external clock of 12MHz, and are unachievable with a clock of 24MHz - it +seems PREPLLCLK_VT_DIV and PREPLLCK_OP_DIV can ONLY be set via the +automatic configuration documented in "9-1-2 EXCK_FREQ setting depend on +INCK frequency", not by writing the registers. +The closest we can get with a 24MHz clock is 281.6MPix/s and 364MHz. + +Dropping all support for the 363MHz link frequency would cause problems +for existing users, so allow it, but log a warning that the requested +value is being changed to the supported one. + +Fixes: ceddfd4493b3 ("media: i2c: imx219: Support four-lane operation") +Cc: stable@vger.kernel.org +Co-developed-by: Peyton Howe +Signed-off-by: Peyton Howe +Signed-off-by: Dave Stevenson +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx219.c | 93 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 69 insertions(+), 24 deletions(-) + +--- a/drivers/media/i2c/imx219.c ++++ b/drivers/media/i2c/imx219.c +@@ -134,10 +134,11 @@ + + /* Pixel rate is fixed for all the modes */ + #define IMX219_PIXEL_RATE 182400000 +-#define IMX219_PIXEL_RATE_4LANE 280800000 ++#define IMX219_PIXEL_RATE_4LANE 281600000 + + #define IMX219_DEFAULT_LINK_FREQ 456000000 +-#define IMX219_DEFAULT_LINK_FREQ_4LANE 363000000 ++#define IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED 363000000 ++#define IMX219_DEFAULT_LINK_FREQ_4LANE 364000000 + + /* IMX219 native and active pixel array size. */ + #define IMX219_NATIVE_WIDTH 3296U +@@ -169,15 +170,6 @@ static const struct cci_reg_sequence imx + { CCI_REG8(0x30eb), 0x05 }, + { CCI_REG8(0x30eb), 0x09 }, + +- /* PLL Clock Table */ +- { IMX219_REG_VTPXCK_DIV, 5 }, +- { IMX219_REG_VTSYCK_DIV, 1 }, +- { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */ +- { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */ +- { IMX219_REG_PLL_VT_MPY, 57 }, +- { IMX219_REG_OPSYCK_DIV, 1 }, +- { IMX219_REG_PLL_OP_MPY, 114 }, +- + /* Undocumented registers */ + { CCI_REG8(0x455e), 0x00 }, + { CCI_REG8(0x471e), 0x4b }, +@@ -202,12 +194,45 @@ static const struct cci_reg_sequence imx + { IMX219_REG_EXCK_FREQ, IMX219_EXCK_FREQ(IMX219_XCLK_FREQ / 1000000) }, + }; + ++static const struct cci_reg_sequence imx219_2lane_regs[] = { ++ /* PLL Clock Table */ ++ { IMX219_REG_VTPXCK_DIV, 5 }, ++ { IMX219_REG_VTSYCK_DIV, 1 }, ++ { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */ ++ { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */ ++ { IMX219_REG_PLL_VT_MPY, 57 }, ++ { IMX219_REG_OPSYCK_DIV, 1 }, ++ { IMX219_REG_PLL_OP_MPY, 114 }, ++ ++ /* 2-Lane CSI Mode */ ++ { IMX219_REG_CSI_LANE_MODE, IMX219_CSI_2_LANE_MODE }, ++}; ++ ++static const struct cci_reg_sequence imx219_4lane_regs[] = { ++ /* PLL Clock Table */ ++ { IMX219_REG_VTPXCK_DIV, 5 }, ++ { IMX219_REG_VTSYCK_DIV, 1 }, ++ { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */ ++ { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */ ++ { IMX219_REG_PLL_VT_MPY, 88 }, ++ { IMX219_REG_OPSYCK_DIV, 1 }, ++ { IMX219_REG_PLL_OP_MPY, 91 }, ++ ++ /* 4-Lane CSI Mode */ ++ { IMX219_REG_CSI_LANE_MODE, IMX219_CSI_4_LANE_MODE }, ++}; ++ + static const s64 imx219_link_freq_menu[] = { + IMX219_DEFAULT_LINK_FREQ, + }; + + static const s64 imx219_link_freq_4lane_menu[] = { + IMX219_DEFAULT_LINK_FREQ_4LANE, ++ /* ++ * This will never be advertised to userspace, but will be used for ++ * v4l2_link_freq_to_bitmap ++ */ ++ IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED, + }; + + static const char * const imx219_test_pattern_menu[] = { +@@ -663,9 +688,11 @@ static int imx219_set_framefmt(struct im + + static int imx219_configure_lanes(struct imx219 *imx219) + { +- return cci_write(imx219->regmap, IMX219_REG_CSI_LANE_MODE, +- imx219->lanes == 2 ? IMX219_CSI_2_LANE_MODE : +- IMX219_CSI_4_LANE_MODE, NULL); ++ /* Write the appropriate PLL settings for the number of MIPI lanes */ ++ return cci_multi_reg_write(imx219->regmap, ++ imx219->lanes == 2 ? imx219_2lane_regs : imx219_4lane_regs, ++ imx219->lanes == 2 ? ARRAY_SIZE(imx219_2lane_regs) : ++ ARRAY_SIZE(imx219_4lane_regs), NULL); + }; + + static int imx219_start_streaming(struct imx219 *imx219, +@@ -1042,6 +1069,7 @@ static int imx219_check_hwcfg(struct dev + struct v4l2_fwnode_endpoint ep_cfg = { + .bus_type = V4L2_MBUS_CSI2_DPHY + }; ++ unsigned long link_freq_bitmap; + int ret = -EINVAL; + + endpoint = fwnode_graph_get_next_endpoint(dev_fwnode(dev), NULL); +@@ -1063,23 +1091,40 @@ static int imx219_check_hwcfg(struct dev + imx219->lanes = ep_cfg.bus.mipi_csi2.num_data_lanes; + + /* Check the link frequency set in device tree */ +- if (!ep_cfg.nr_of_link_frequencies) { +- dev_err_probe(dev, -EINVAL, +- "link-frequency property not found in DT\n"); +- goto error_out; ++ switch (imx219->lanes) { ++ case 2: ++ ret = v4l2_link_freq_to_bitmap(dev, ++ ep_cfg.link_frequencies, ++ ep_cfg.nr_of_link_frequencies, ++ imx219_link_freq_menu, ++ ARRAY_SIZE(imx219_link_freq_menu), ++ &link_freq_bitmap); ++ break; ++ case 4: ++ ret = v4l2_link_freq_to_bitmap(dev, ++ ep_cfg.link_frequencies, ++ ep_cfg.nr_of_link_frequencies, ++ imx219_link_freq_4lane_menu, ++ ARRAY_SIZE(imx219_link_freq_4lane_menu), ++ &link_freq_bitmap); ++ ++ if (!ret && (link_freq_bitmap & BIT(1))) { ++ dev_warn(dev, "Link frequency of %d not supported, but has been incorrectly advertised previously\n", ++ IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED); ++ dev_warn(dev, "Using link frequency of %d\n", ++ IMX219_DEFAULT_LINK_FREQ_4LANE); ++ link_freq_bitmap |= BIT(0); ++ } ++ break; + } + +- if (ep_cfg.nr_of_link_frequencies != 1 || +- (ep_cfg.link_frequencies[0] != ((imx219->lanes == 2) ? +- IMX219_DEFAULT_LINK_FREQ : IMX219_DEFAULT_LINK_FREQ_4LANE))) { ++ if (ret || !(link_freq_bitmap & BIT(0))) { ++ ret = -EINVAL; + dev_err_probe(dev, -EINVAL, + "Link frequency not supported: %lld\n", + ep_cfg.link_frequencies[0]); +- goto error_out; + } + +- ret = 0; +- + error_out: + v4l2_fwnode_endpoint_free(&ep_cfg); + fwnode_handle_put(endpoint); diff --git a/queue-6.12/media-intel-ipu6-set-the-dev_parent-of-video-device-to-pdev.patch b/queue-6.12/media-intel-ipu6-set-the-dev_parent-of-video-device-to-pdev.patch new file mode 100644 index 0000000000..ab1b2c1031 --- /dev/null +++ b/queue-6.12/media-intel-ipu6-set-the-dev_parent-of-video-device-to-pdev.patch @@ -0,0 +1,39 @@ +From 6f0ab5d3671f7cbb326c8cab6fb69cb7ab9901cc Mon Sep 17 00:00:00 2001 +From: Bingbu Cao +Date: Fri, 14 Feb 2025 18:52:38 +0800 +Subject: media: intel/ipu6: set the dev_parent of video device to pdev + +From: Bingbu Cao + +commit 6f0ab5d3671f7cbb326c8cab6fb69cb7ab9901cc upstream. + +The bus_info in v4l2_capability of IPU6 isys v4l2_dev is missing. +The driver didn't set the dev_parent of v4l2_dev, its parent is set +to its parent auxdev which is neither platform nor PCI device, thus +media_set_bus_info() will not set the bus_info of v4l2_capability, then +`v4l2-ctl --all` cannot show the bus_info. + +This patch fixes it by setting the dev_parent of video_device and v4l2 +framework can detect the device type and set the bus_info instead. + +Fixes: 3c1dfb5a69cf ("media: intel/ipu6: input system video nodes and buffer queues") +Cc: stable@vger.kernel.org +Signed-off-by: Hidenori Kobayashi +Signed-off-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/pci/intel/ipu6/ipu6-isys-video.c ++++ b/drivers/media/pci/intel/ipu6/ipu6-isys-video.c +@@ -1296,6 +1296,7 @@ int ipu6_isys_video_init(struct ipu6_isy + av->vdev.release = video_device_release_empty; + av->vdev.fops = &isys_fops; + av->vdev.v4l2_dev = &av->isys->v4l2_dev; ++ av->vdev.dev_parent = &av->isys->adev->isp->pdev->dev; + if (!av->vdev.ioctl_ops) + av->vdev.ioctl_ops = &ipu6_v4l2_ioctl_ops; + av->vdev.queue = &av->aq.vbq; diff --git a/queue-6.12/media-mediatek-vcodec-fix-a-resource-leak-related-to-the-scp-device-in-fw-initialization.patch b/queue-6.12/media-mediatek-vcodec-fix-a-resource-leak-related-to-the-scp-device-in-fw-initialization.patch new file mode 100644 index 0000000000..4ccee86407 --- /dev/null +++ b/queue-6.12/media-mediatek-vcodec-fix-a-resource-leak-related-to-the-scp-device-in-fw-initialization.patch @@ -0,0 +1,38 @@ +From 4936cd5817af35d23e4d283f48fa59a18ef481e4 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Tue, 18 Feb 2025 18:58:09 +0000 +Subject: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization + +From: Jiasheng Jiang + +commit 4936cd5817af35d23e4d283f48fa59a18ef481e4 upstream. + +On Mediatek devices with a system companion processor (SCP) the mtk_scp +structure has to be removed explicitly to avoid a resource leak. +Free the structure in case the allocation of the firmware structure fails +during the firmware initialization. + +Fixes: 53dbe0850444 ("media: mtk-vcodec: potential null pointer deference in SCP") +Cc: stable@vger.kernel.org +Signed-off-by: Jiasheng Jiang +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c ++++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c +@@ -79,8 +79,11 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_scp_ + } + + fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL); +- if (!fw) ++ if (!fw) { ++ scp_put(scp); + return ERR_PTR(-ENOMEM); ++ } ++ + fw->type = SCP; + fw->ops = &mtk_vcodec_rproc_msg; + fw->scp = scp; diff --git a/queue-6.12/media-mgb4-fix-cmt-registers-update-logic.patch b/queue-6.12/media-mgb4-fix-cmt-registers-update-logic.patch new file mode 100644 index 0000000000..9619df4066 --- /dev/null +++ b/queue-6.12/media-mgb4-fix-cmt-registers-update-logic.patch @@ -0,0 +1,52 @@ +From dd05443189f9ae175dd806594b67bf55ddb6539e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20T=C5=AFma?= +Date: Fri, 21 Feb 2025 13:07:42 +0100 +Subject: media: mgb4: Fix CMT registers update logic +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Tůma + +commit dd05443189f9ae175dd806594b67bf55ddb6539e upstream. + +The CMT "magic values" registers must be updated while the CMT reset +registers are active. + +Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Tůma +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/mgb4/mgb4_cmt.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/media/pci/mgb4/mgb4_cmt.c ++++ b/drivers/media/pci/mgb4/mgb4_cmt.c +@@ -206,10 +206,11 @@ u32 mgb4_cmt_set_vout_freq(struct mgb4_v + + mgb4_write_reg(video, regs->config, 0x1 | (config & ~0x3)); + ++ mgb4_mask_reg(video, regs->config, 0x100, 0x100); ++ + for (i = 0; i < ARRAY_SIZE(cmt_addrs_out[0]); i++) + mgb4_write_reg(&voutdev->mgbdev->cmt, addr[i], reg_set[i]); + +- mgb4_mask_reg(video, regs->config, 0x100, 0x100); + mgb4_mask_reg(video, regs->config, 0x100, 0x0); + + mgb4_write_reg(video, regs->config, config & ~0x1); +@@ -236,10 +237,11 @@ void mgb4_cmt_set_vin_freq_range(struct + + mgb4_write_reg(video, regs->config, 0x1 | (config & ~0x3)); + ++ mgb4_mask_reg(video, regs->config, 0x1000, 0x1000); ++ + for (i = 0; i < ARRAY_SIZE(cmt_addrs_in[0]); i++) + mgb4_write_reg(&vindev->mgbdev->cmt, addr[i], reg_set[i]); + +- mgb4_mask_reg(video, regs->config, 0x1000, 0x1000); + mgb4_mask_reg(video, regs->config, 0x1000, 0x0); + + mgb4_write_reg(video, regs->config, config & ~0x1); diff --git a/queue-6.12/media-mgb4-fix-switched-cmt-frequency-range-magic-values-sets.patch b/queue-6.12/media-mgb4-fix-switched-cmt-frequency-range-magic-values-sets.patch new file mode 100644 index 0000000000..5fa9d916fb --- /dev/null +++ b/queue-6.12/media-mgb4-fix-switched-cmt-frequency-range-magic-values-sets.patch @@ -0,0 +1,36 @@ +From 450acf0840232eaf6eb7a80da11cf492e57498e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Martin=20T=C5=AFma?= +Date: Fri, 21 Feb 2025 13:07:43 +0100 +Subject: media: mgb4: Fix switched CMT frequency range "magic values" sets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin Tůma + +commit 450acf0840232eaf6eb7a80da11cf492e57498e8 upstream. + +The reason why this passed unnoticed is that most infotainment systems +use frequencies near enough the middle (50MHz) where both sets work. + +Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Tůma +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/mgb4/mgb4_cmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/pci/mgb4/mgb4_cmt.c ++++ b/drivers/media/pci/mgb4/mgb4_cmt.c +@@ -135,8 +135,8 @@ static const u16 cmt_vals_out[][15] = { + }; + + static const u16 cmt_vals_in[][13] = { +- {0x1082, 0x0000, 0x5104, 0x0000, 0x11C7, 0x0000, 0x1041, 0x02BC, 0x7C01, 0xFFE9, 0x9900, 0x9908, 0x8100}, + {0x1104, 0x0000, 0x9208, 0x0000, 0x138E, 0x0000, 0x1041, 0x015E, 0x7C01, 0xFFE9, 0x0100, 0x0908, 0x1000}, ++ {0x1082, 0x0000, 0x5104, 0x0000, 0x11C7, 0x0000, 0x1041, 0x02BC, 0x7C01, 0xFFE9, 0x9900, 0x9908, 0x8100}, + }; + + static const u32 cmt_addrs_out[][15] = { diff --git a/queue-6.12/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch b/queue-6.12/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch new file mode 100644 index 0000000000..543977805d --- /dev/null +++ b/queue-6.12/media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch @@ -0,0 +1,44 @@ +From 07df4f23ef3ffe6fee697cd2e03623ad27108843 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 18 Oct 2024 15:21:10 +0000 +Subject: media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning + +From: Arnd Bergmann + +commit 07df4f23ef3ffe6fee697cd2e03623ad27108843 upstream. + +This is one of three clang warnings about incompatible enum types +in a conditional expression: + +drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional] + 597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; + | ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~ + +The code is correct, so just rework it to avoid the warning. + +Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware") +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Reviewed-by: Alexandre Courbot +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c ++++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c +@@ -594,7 +594,11 @@ static int h264_enc_init(struct mtk_vcod + + inst->ctx = ctx; + inst->vpu_inst.ctx = ctx; +- inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264; ++ if (is_ext) ++ inst->vpu_inst.id = SCP_IPI_VENC_H264; ++ else ++ inst->vpu_inst.id = IPI_VENC_H264; ++ + inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx->dev->reg_base, VENC_SYS); + + ret = vpu_enc_init(&inst->vpu_inst); diff --git a/queue-6.12/media-nuvoton-fix-reference-handling-of-ece_node.patch b/queue-6.12/media-nuvoton-fix-reference-handling-of-ece_node.patch new file mode 100644 index 0000000000..f0022753cb --- /dev/null +++ b/queue-6.12/media-nuvoton-fix-reference-handling-of-ece_node.patch @@ -0,0 +1,42 @@ +From 8ba4ef40ad6ca62368292a69855324213181abfb Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 24 Feb 2025 07:03:54 +0000 +Subject: media: nuvoton: Fix reference handling of ece_node + +From: Ricardo Ribalda + +commit 8ba4ef40ad6ca62368292a69855324213181abfb upstream. + +Make sure all the code paths call of_node_put(). + +Instead of manually calling of_node_put, use the __free macros/helpers. + +Cc: stable@vger.kernel.org +Fixes: 46c15a4ff1f4 ("media: nuvoton: Add driver for NPCM video capture and encoding engine") +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nuvoton/npcm-video.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/platform/nuvoton/npcm-video.c ++++ b/drivers/media/platform/nuvoton/npcm-video.c +@@ -1650,8 +1650,8 @@ rel_ctrl_handler: + + static int npcm_video_ece_init(struct npcm_video *video) + { ++ struct device_node *ece_node __free(device_node) = NULL; + struct device *dev = video->dev; +- struct device_node *ece_node; + struct platform_device *ece_pdev; + void __iomem *regs; + +@@ -1671,7 +1671,6 @@ static int npcm_video_ece_init(struct np + dev_err(dev, "Failed to find ECE device\n"); + return -ENODEV; + } +- of_node_put(ece_node); + + regs = devm_platform_ioremap_resource(ece_pdev, 0); + if (IS_ERR(regs)) { diff --git a/queue-6.12/media-nuvoton-fix-reference-handling-of-ece_pdev.patch b/queue-6.12/media-nuvoton-fix-reference-handling-of-ece_pdev.patch new file mode 100644 index 0000000000..8472fb95e9 --- /dev/null +++ b/queue-6.12/media-nuvoton-fix-reference-handling-of-ece_pdev.patch @@ -0,0 +1,48 @@ +From 453d5cadab1bde8e6fdd5bd05f4200338cb21e72 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 24 Feb 2025 07:03:55 +0000 +Subject: media: nuvoton: Fix reference handling of ece_pdev + +From: Ricardo Ribalda + +commit 453d5cadab1bde8e6fdd5bd05f4200338cb21e72 upstream. + +When we obtain a reference to of a platform_device, we need to release +it via put_device. + +Found by cocci: +./platform/nuvoton/npcm-video.c:1677:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function. +./platform/nuvoton/npcm-video.c:1684:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function. +./platform/nuvoton/npcm-video.c:1690:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function. +./platform/nuvoton/npcm-video.c:1694:1-7: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function. + +Instead of manually calling put_device, use the __free macros. + +Cc: stable@vger.kernel.org +Fixes: 46c15a4ff1f4 ("media: nuvoton: Add driver for NPCM video capture and encoding engine") +Signed-off-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/nuvoton/npcm-video.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/nuvoton/npcm-video.c ++++ b/drivers/media/platform/nuvoton/npcm-video.c +@@ -1671,6 +1671,7 @@ static int npcm_video_ece_init(struct np + dev_err(dev, "Failed to find ECE device\n"); + return -ENODEV; + } ++ struct device *ece_dev __free(put_device) = &ece_pdev->dev; + + regs = devm_platform_ioremap_resource(ece_pdev, 0); + if (IS_ERR(regs)) { +@@ -1685,7 +1686,7 @@ static int npcm_video_ece_init(struct np + return PTR_ERR(video->ece.regmap); + } + +- video->ece.reset = devm_reset_control_get(&ece_pdev->dev, NULL); ++ video->ece.reset = devm_reset_control_get(ece_dev, NULL); + if (IS_ERR(video->ece.reset)) { + dev_err(dev, "Failed to get ECE reset control in DTS\n"); + return PTR_ERR(video->ece.reset); diff --git a/queue-6.12/media-platform-stm32-add-check-for-clk_enable.patch b/queue-6.12/media-platform-stm32-add-check-for-clk_enable.patch new file mode 100644 index 0000000000..03ab813815 --- /dev/null +++ b/queue-6.12/media-platform-stm32-add-check-for-clk_enable.patch @@ -0,0 +1,32 @@ +From f883f34b6a46b1a09d44d7f94c3cd72fe0e8f93b Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Fri, 22 Nov 2024 20:46:03 +0000 +Subject: media: platform: stm32: Add check for clk_enable() + +From: Jiasheng Jiang + +commit f883f34b6a46b1a09d44d7f94c3cd72fe0e8f93b upstream. + +Add check for the return value of clk_enable() to gurantee the success. + +Fixes: 002e8f0d5927 ("media: stm32-dma2d: STM32 DMA2D driver") +Cc: stable@vger.kernel.org +Signed-off-by: Jiasheng Jiang +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/st/stm32/dma2d/dma2d.c ++++ b/drivers/media/platform/st/stm32/dma2d/dma2d.c +@@ -492,7 +492,8 @@ static void device_run(void *prv) + dst->sequence = frm_cap->sequence++; + v4l2_m2m_buf_copy_metadata(src, dst, true); + +- clk_enable(dev->gate); ++ if (clk_enable(dev->gate)) ++ goto end; + + dma2d_config_fg(dev, frm_out, + vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0)); diff --git a/queue-6.12/media-rockchip-rga-fix-rga-offset-lookup.patch b/queue-6.12/media-rockchip-rga-fix-rga-offset-lookup.patch new file mode 100644 index 0000000000..ccb5aa4551 --- /dev/null +++ b/queue-6.12/media-rockchip-rga-fix-rga-offset-lookup.patch @@ -0,0 +1,33 @@ +From 11de3582675cc0b7136e12f3971f1da3e5a05382 Mon Sep 17 00:00:00 2001 +From: John Keeping +Date: Sat, 10 Aug 2024 14:02:54 +0100 +Subject: media: rockchip: rga: fix rga offset lookup + +From: John Keeping + +commit 11de3582675cc0b7136e12f3971f1da3e5a05382 upstream. + +The arguments to rga_lookup_draw_pos() are passed in the wrong order, +rotate mode should be before mirror mode. + +Fixes: 558c248f930e6 ("media: rockchip: rga: split src and dst buffer setup") +Cc: stable@vger.kernel.org +Signed-off-by: John Keeping +Reviewed-by: Michael Tretter +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/rockchip/rga/rga-hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/rockchip/rga/rga-hw.c ++++ b/drivers/media/platform/rockchip/rga/rga-hw.c +@@ -376,7 +376,7 @@ static void rga_cmd_set_dst_info(struct + * Configure the dest framebuffer base address with pixel offset. + */ + offsets = rga_get_addr_offset(&ctx->out, offset, dst_x, dst_y, dst_w, dst_h); +- dst_offset = rga_lookup_draw_pos(&offsets, mir_mode, rot_mode); ++ dst_offset = rga_lookup_draw_pos(&offsets, rot_mode, mir_mode); + + dest[(RGA_DST_Y_RGB_BASE_ADDR - RGA_MODE_BASE_REG) >> 2] = + dst_offset->y_off; diff --git a/queue-6.12/media-siano-fix-error-handling-in-smsdvb_module_init.patch b/queue-6.12/media-siano-fix-error-handling-in-smsdvb_module_init.patch new file mode 100644 index 0000000000..56643b11f9 --- /dev/null +++ b/queue-6.12/media-siano-fix-error-handling-in-smsdvb_module_init.patch @@ -0,0 +1,35 @@ +From 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d Mon Sep 17 00:00:00 2001 +From: Yuan Can +Date: Tue, 22 Oct 2024 14:50:37 +0800 +Subject: media: siano: Fix error handling in smsdvb_module_init() + +From: Yuan Can + +commit 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d upstream. + +The smsdvb_module_init() returns without checking the retval from +smscore_register_hotplug(). +If the smscore_register_hotplug() failed, the module failed to install, +leaving the smsdvb_debugfs not unregistered. + +Fixes: 3f6b87cff66b ("[media] siano: allow showing the complete statistics via debugfs") +Cc: stable@vger.kernel.org +Signed-off-by: Yuan Can +Acked-by: Ricardo Ribalda +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/siano/smsdvb-main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/common/siano/smsdvb-main.c ++++ b/drivers/media/common/siano/smsdvb-main.c +@@ -1243,6 +1243,8 @@ static int __init smsdvb_module_init(voi + smsdvb_debugfs_register(); + + rc = smscore_register_hotplug(smsdvb_hotplug); ++ if (rc) ++ smsdvb_debugfs_unregister(); + + pr_debug("\n"); + diff --git a/queue-6.12/media-streamzap-prevent-processing-ir-data-on-urb-failure.patch b/queue-6.12/media-streamzap-prevent-processing-ir-data-on-urb-failure.patch new file mode 100644 index 0000000000..8ea761de11 --- /dev/null +++ b/queue-6.12/media-streamzap-prevent-processing-ir-data-on-urb-failure.patch @@ -0,0 +1,116 @@ +From 549f6d348167fb2f7800ed7c8d4bce9630c74498 Mon Sep 17 00:00:00 2001 +From: Murad Masimov +Date: Mon, 13 Jan 2025 13:51:31 +0300 +Subject: media: streamzap: prevent processing IR data on URB failure + +From: Murad Masimov + +commit 549f6d348167fb2f7800ed7c8d4bce9630c74498 upstream. + +If streamzap_callback() receives an urb with any non-critical error +status, i.e. any error code other than -ECONNRESET, -ENOENT or -ESHUTDOWN, +it will try to process IR data, ignoring a possible transfer failure. + +Make streamzap_callback() process IR data only when urb->status is 0. +Move processing logic to a separate function to make code cleaner and +more similar to the URB completion handlers in other RC drivers. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 19770693c354 ("V4L/DVB: staging/lirc: add lirc_streamzap driver") +Cc: stable@vger.kernel.org +Signed-off-by: Murad Masimov +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/streamzap.c | 68 ++++++++++++++++++++++++------------------- + 1 file changed, 38 insertions(+), 30 deletions(-) + +--- a/drivers/media/rc/streamzap.c ++++ b/drivers/media/rc/streamzap.c +@@ -138,39 +138,10 @@ static void sz_push_half_space(struct st + sz_push_full_space(sz, value & SZ_SPACE_MASK); + } + +-/* +- * streamzap_callback - usb IRQ handler callback +- * +- * This procedure is invoked on reception of data from +- * the usb remote. +- */ +-static void streamzap_callback(struct urb *urb) ++static void sz_process_ir_data(struct streamzap_ir *sz, int len) + { +- struct streamzap_ir *sz; + unsigned int i; +- int len; +- +- if (!urb) +- return; +- +- sz = urb->context; +- len = urb->actual_length; +- +- switch (urb->status) { +- case -ECONNRESET: +- case -ENOENT: +- case -ESHUTDOWN: +- /* +- * this urb is terminated, clean up. +- * sz might already be invalid at this point +- */ +- dev_err(sz->dev, "urb terminated, status: %d\n", urb->status); +- return; +- default: +- break; +- } + +- dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len); + for (i = 0; i < len; i++) { + dev_dbg(sz->dev, "sz->buf_in[%d]: %x\n", + i, (unsigned char)sz->buf_in[i]); +@@ -219,6 +190,43 @@ static void streamzap_callback(struct ur + } + + ir_raw_event_handle(sz->rdev); ++} ++ ++/* ++ * streamzap_callback - usb IRQ handler callback ++ * ++ * This procedure is invoked on reception of data from ++ * the usb remote. ++ */ ++static void streamzap_callback(struct urb *urb) ++{ ++ struct streamzap_ir *sz; ++ int len; ++ ++ if (!urb) ++ return; ++ ++ sz = urb->context; ++ len = urb->actual_length; ++ ++ switch (urb->status) { ++ case 0: ++ dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len); ++ sz_process_ir_data(sz, len); ++ break; ++ case -ECONNRESET: ++ case -ENOENT: ++ case -ESHUTDOWN: ++ /* ++ * this urb is terminated, clean up. ++ * sz might already be invalid at this point ++ */ ++ dev_err(sz->dev, "urb terminated, status: %d\n", urb->status); ++ return; ++ default: ++ break; ++ } ++ + usb_submit_urb(urb, GFP_ATOMIC); + } + diff --git a/queue-6.12/media-uapi-rkisp1-config-fix-typo-in-extensible-params-example.patch b/queue-6.12/media-uapi-rkisp1-config-fix-typo-in-extensible-params-example.patch new file mode 100644 index 0000000000..d54264e582 --- /dev/null +++ b/queue-6.12/media-uapi-rkisp1-config-fix-typo-in-extensible-params-example.patch @@ -0,0 +1,43 @@ +From 7b0ee2de7c76e5518e2235a927fd211bc785d320 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Niklas=20S=C3=B6derlund?= + +Date: Wed, 12 Feb 2025 17:50:53 +0100 +Subject: media: uapi: rkisp1-config: Fix typo in extensible params example +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +commit 7b0ee2de7c76e5518e2235a927fd211bc785d320 upstream. + +The define used for the version in the example diagram does not match what +is defined in enum rksip1_ext_param_buffer_version, nor the description +above it. Correct the typo to make it clear which define to use. + +Fixes: e9d05e9d5db1 ("media: uapi: rkisp1-config: Add extensible params format") +Cc: stable@vger.kernel.org +Signed-off-by: Niklas Söderlund +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/rkisp1-config.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/rkisp1-config.h b/include/uapi/linux/rkisp1-config.h +index 430daceafac7..2d995f3c1ca3 100644 +--- a/include/uapi/linux/rkisp1-config.h ++++ b/include/uapi/linux/rkisp1-config.h +@@ -1528,7 +1528,7 @@ enum rksip1_ext_param_buffer_version { + * The expected memory layout of the parameters buffer is:: + * + * +-------------------- struct rkisp1_ext_params_cfg -------------------+ +- * | version = RKISP_EXT_PARAMS_BUFFER_V1; | ++ * | version = RKISP1_EXT_PARAM_BUFFER_V1; | + * | data_size = sizeof(struct rkisp1_ext_params_bls_config) | + * | + sizeof(struct rkisp1_ext_params_dpcc_config); | + * | +------------------------- data ---------------------------------+ | +-- +2.49.0 + diff --git a/queue-6.12/media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch b/queue-6.12/media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch new file mode 100644 index 0000000000..799aa7bec6 --- /dev/null +++ b/queue-6.12/media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch @@ -0,0 +1,48 @@ +From 3edd1fc48d2c045e8259561797c89fe78f01717e Mon Sep 17 00:00:00 2001 +From: Karina Yankevich +Date: Wed, 21 Aug 2024 14:31:34 +0300 +Subject: media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() + +From: Karina Yankevich + +commit 3edd1fc48d2c045e8259561797c89fe78f01717e upstream. + +In v4l2_detect_gtf(), it seems safer to cast the 32-bit image_width +variable to the 64-bit type u64 before multiplying to avoid +a possible overflow. The resulting object code even seems to +look better, at least on x86_64. + +Found by Linux Verification Center (linuxtesting.org) with Svace. + +[Sergey: rewrote the patch subject/descripition] + +Fixes: c9bc9f50753d ("[media] v4l2-dv-timings: fix overflow in gtf timings calculation") +Cc: stable@vger.kernel.org +Signed-off-by: Karina Yankevich +Signed-off-by: Sergey Shtylyov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-dv-timings.c ++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c +@@ -764,7 +764,7 @@ bool v4l2_detect_gtf(unsigned int frame_ + u64 num; + u32 den; + +- num = ((image_width * GTF_D_C_PRIME * (u64)hfreq) - ++ num = (((u64)image_width * GTF_D_C_PRIME * hfreq) - + ((u64)image_width * GTF_D_M_PRIME * 1000)); + den = (hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) * + (2 * GTF_CELL_GRAN); +@@ -774,7 +774,7 @@ bool v4l2_detect_gtf(unsigned int frame_ + u64 num; + u32 den; + +- num = ((image_width * GTF_S_C_PRIME * (u64)hfreq) - ++ num = (((u64)image_width * GTF_S_C_PRIME * hfreq) - + ((u64)image_width * GTF_S_M_PRIME * 1000)); + den = (hfreq * (100 - GTF_S_C_PRIME) + GTF_S_M_PRIME * 1000) * + (2 * GTF_CELL_GRAN); diff --git a/queue-6.12/media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch b/queue-6.12/media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch new file mode 100644 index 0000000000..72fefb737f --- /dev/null +++ b/queue-6.12/media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch @@ -0,0 +1,54 @@ +From f4b211714bcc70effa60c34d9fa613d182e3ef1e Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 20 Feb 2025 22:50:11 +0530 +Subject: media: venus: hfi: add a check to handle OOB in sfr region + +From: Vikash Garodia + +commit f4b211714bcc70effa60c34d9fa613d182e3ef1e upstream. + +sfr->buf_size is in shared memory and can be modified by malicious user. +OOB write is possible when the size is made higher than actual sfr data +buffer. Cap the size to allocated size for such cases. + +Cc: stable@vger.kernel.org +Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Vikash Garodia +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/qcom/venus/hfi_venus.c ++++ b/drivers/media/platform/qcom/venus/hfi_venus.c +@@ -1035,18 +1035,26 @@ static void venus_sfr_print(struct venus + { + struct device *dev = hdev->core->dev; + struct hfi_sfr *sfr = hdev->sfr.kva; ++ u32 size; + void *p; + + if (!sfr) + return; + +- p = memchr(sfr->data, '\0', sfr->buf_size); ++ size = sfr->buf_size; ++ if (!size) ++ return; ++ ++ if (size > ALIGNED_SFR_SIZE) ++ size = ALIGNED_SFR_SIZE; ++ ++ p = memchr(sfr->data, '\0', size); + /* + * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates + * that Venus is in the process of crashing. + */ + if (!p) +- sfr->data[sfr->buf_size - 1] = '\0'; ++ sfr->data[size - 1] = '\0'; + + dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data); + } diff --git a/queue-6.12/media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch b/queue-6.12/media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch new file mode 100644 index 0000000000..90552f8f50 --- /dev/null +++ b/queue-6.12/media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch @@ -0,0 +1,58 @@ +From 69baf245b23e20efda0079238b27fc63ecf13de1 Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 20 Feb 2025 22:50:10 +0530 +Subject: media: venus: hfi: add check to handle incorrect queue size + +From: Vikash Garodia + +commit 69baf245b23e20efda0079238b27fc63ecf13de1 upstream. + +qsize represents size of shared queued between driver and video +firmware. Firmware can modify this value to an invalid large value. In +such situation, empty_space will be bigger than the space actually +available. Since new_wr_idx is not checked, so the following code will +result in an OOB write. +... +qsize = qhdr->q_size + +if (wr_idx >= rd_idx) + empty_space = qsize - (wr_idx - rd_idx) +.... +if (new_wr_idx < qsize) { + memcpy(wr_ptr, packet, dwords << 2) --> OOB write + +Add check to ensure qsize is within the allocated size while +reading and writing packets into the queue. + +Cc: stable@vger.kernel.org +Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Vikash Garodia +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_venus.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/media/platform/qcom/venus/hfi_venus.c ++++ b/drivers/media/platform/qcom/venus/hfi_venus.c +@@ -187,6 +187,9 @@ static int venus_write_queue(struct venu + /* ensure rd/wr indices's are read from memory */ + rmb(); + ++ if (qsize > IFACEQ_QUEUE_SIZE / 4) ++ return -EINVAL; ++ + if (wr_idx >= rd_idx) + empty_space = qsize - (wr_idx - rd_idx); + else +@@ -255,6 +258,9 @@ static int venus_read_queue(struct venus + wr_idx = qhdr->write_idx; + qsize = qhdr->q_size; + ++ if (qsize > IFACEQ_QUEUE_SIZE / 4) ++ return -EINVAL; ++ + /* make sure data is valid before using it */ + rmb(); + diff --git a/queue-6.12/media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch b/queue-6.12/media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch new file mode 100644 index 0000000000..933c5e562a --- /dev/null +++ b/queue-6.12/media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch @@ -0,0 +1,35 @@ +From 172bf5a9ef70a399bb227809db78442dc01d9e48 Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 20 Feb 2025 22:50:08 +0530 +Subject: media: venus: hfi_parser: add check to avoid out of bound access + +From: Vikash Garodia + +commit 172bf5a9ef70a399bb227809db78442dc01d9e48 upstream. + +There is a possibility that init_codecs is invoked multiple times during +manipulated payload from video firmware. In such case, if codecs_count +can get incremented to value more than MAX_CODEC_NUM, there can be OOB +access. Reset the count so that it always starts from beginning. + +Cc: stable@vger.kernel.org +Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Vikash Garodia +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/qcom/venus/hfi_parser.c ++++ b/drivers/media/platform/qcom/venus/hfi_parser.c +@@ -19,6 +19,8 @@ static void init_codecs(struct venus_cor + struct hfi_plat_caps *caps = core->caps, *cap; + unsigned long bit; + ++ core->codecs_count = 0; ++ + if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM) + return; + diff --git a/queue-6.12/media-venus-hfi_parser-refactor-hfi-packet-parsing-logic.patch b/queue-6.12/media-venus-hfi_parser-refactor-hfi-packet-parsing-logic.patch new file mode 100644 index 0000000000..f4eebd80a7 --- /dev/null +++ b/queue-6.12/media-venus-hfi_parser-refactor-hfi-packet-parsing-logic.patch @@ -0,0 +1,270 @@ +From 9edaaa8e3e15aab1ca413ab50556de1975bcb329 Mon Sep 17 00:00:00 2001 +From: Vikash Garodia +Date: Thu, 20 Feb 2025 22:50:09 +0530 +Subject: media: venus: hfi_parser: refactor hfi packet parsing logic + +From: Vikash Garodia + +commit 9edaaa8e3e15aab1ca413ab50556de1975bcb329 upstream. + +words_count denotes the number of words in total payload, while data +points to payload of various property within it. When words_count +reaches last word, data can access memory beyond the total payload. This +can lead to OOB access. With this patch, the utility api for handling +individual properties now returns the size of data consumed. Accordingly +remaining bytes are calculated before parsing the payload, thereby +eliminates the OOB access possibilities. + +Cc: stable@vger.kernel.org +Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") +Signed-off-by: Vikash Garodia +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_parser.c | 98 ++++++++++++++++++------- + 1 file changed, 72 insertions(+), 26 deletions(-) + +--- a/drivers/media/platform/qcom/venus/hfi_parser.c ++++ b/drivers/media/platform/qcom/venus/hfi_parser.c +@@ -64,7 +64,7 @@ fill_buf_mode(struct hfi_plat_caps *cap, + cap->cap_bufs_mode_dynamic = true; + } + +-static void ++static int + parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data) + { + struct hfi_buffer_alloc_mode_supported *mode = data; +@@ -72,7 +72,7 @@ parse_alloc_mode(struct venus_core *core + u32 *type; + + if (num_entries > MAX_ALLOC_MODE_ENTRIES) +- return; ++ return -EINVAL; + + type = mode->data; + +@@ -84,6 +84,8 @@ parse_alloc_mode(struct venus_core *core + + type++; + } ++ ++ return sizeof(*mode); + } + + static void fill_profile_level(struct hfi_plat_caps *cap, const void *data, +@@ -98,7 +100,7 @@ static void fill_profile_level(struct hf + cap->num_pl += num; + } + +-static void ++static int + parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data) + { + struct hfi_profile_level_supported *pl = data; +@@ -106,12 +108,14 @@ parse_profile_level(struct venus_core *c + struct hfi_profile_level pl_arr[HFI_MAX_PROFILE_COUNT] = {}; + + if (pl->profile_count > HFI_MAX_PROFILE_COUNT) +- return; ++ return -EINVAL; + + memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel)); + + for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain, + fill_profile_level, pl_arr, pl->profile_count); ++ ++ return pl->profile_count * sizeof(*proflevel) + sizeof(u32); + } + + static void +@@ -126,7 +130,7 @@ fill_caps(struct hfi_plat_caps *cap, con + cap->num_caps += num; + } + +-static void ++static int + parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data) + { + struct hfi_capabilities *caps = data; +@@ -135,12 +139,14 @@ parse_caps(struct venus_core *core, u32 + struct hfi_capability caps_arr[MAX_CAP_ENTRIES] = {}; + + if (num_caps > MAX_CAP_ENTRIES) +- return; ++ return -EINVAL; + + memcpy(caps_arr, cap, num_caps * sizeof(*cap)); + + for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain, + fill_caps, caps_arr, num_caps); ++ ++ return sizeof(*caps); + } + + static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts, +@@ -155,7 +161,7 @@ static void fill_raw_fmts(struct hfi_pla + cap->num_fmts += num_fmts; + } + +-static void ++static int + parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data) + { + struct hfi_uncompressed_format_supported *fmt = data; +@@ -164,7 +170,8 @@ parse_raw_formats(struct venus_core *cor + struct raw_formats rawfmts[MAX_FMT_ENTRIES] = {}; + u32 entries = fmt->format_entries; + unsigned int i = 0; +- u32 num_planes; ++ u32 num_planes = 0; ++ u32 size; + + while (entries) { + num_planes = pinfo->num_planes; +@@ -174,7 +181,7 @@ parse_raw_formats(struct venus_core *cor + i++; + + if (i >= MAX_FMT_ENTRIES) +- return; ++ return -EINVAL; + + if (pinfo->num_planes > MAX_PLANES) + break; +@@ -186,9 +193,13 @@ parse_raw_formats(struct venus_core *cor + + for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain, + fill_raw_fmts, rawfmts, i); ++ size = fmt->format_entries * (sizeof(*constr) * num_planes + 2 * sizeof(u32)) ++ + 2 * sizeof(u32); ++ ++ return size; + } + +-static void parse_codecs(struct venus_core *core, void *data) ++static int parse_codecs(struct venus_core *core, void *data) + { + struct hfi_codec_supported *codecs = data; + +@@ -200,21 +211,27 @@ static void parse_codecs(struct venus_co + core->dec_codecs &= ~HFI_VIDEO_CODEC_SPARK; + core->enc_codecs &= ~HFI_VIDEO_CODEC_HEVC; + } ++ ++ return sizeof(*codecs); + } + +-static void parse_max_sessions(struct venus_core *core, const void *data) ++static int parse_max_sessions(struct venus_core *core, const void *data) + { + const struct hfi_max_sessions_supported *sessions = data; + + core->max_sessions_supported = sessions->max_sessions; ++ ++ return sizeof(*sessions); + } + +-static void parse_codecs_mask(u32 *codecs, u32 *domain, void *data) ++static int parse_codecs_mask(u32 *codecs, u32 *domain, void *data) + { + struct hfi_codec_mask_supported *mask = data; + + *codecs = mask->codecs; + *domain = mask->video_domains; ++ ++ return sizeof(*mask); + } + + static void parser_init(struct venus_inst *inst, u32 *codecs, u32 *domain) +@@ -283,8 +300,9 @@ static int hfi_platform_parser(struct ve + u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf, + u32 size) + { +- unsigned int words_count = size >> 2; +- u32 *word = buf, *data, codecs = 0, domain = 0; ++ u32 *words = buf, *payload, codecs = 0, domain = 0; ++ u32 *frame_size = buf + size; ++ u32 rem_bytes = size; + int ret; + + ret = hfi_platform_parser(core, inst); +@@ -301,38 +319,66 @@ u32 hfi_parser(struct venus_core *core, + memset(core->caps, 0, sizeof(core->caps)); + } + +- while (words_count) { +- data = word + 1; ++ while (words < frame_size) { ++ payload = words + 1; + +- switch (*word) { ++ switch (*words) { + case HFI_PROPERTY_PARAM_CODEC_SUPPORTED: +- parse_codecs(core, data); ++ if (rem_bytes <= sizeof(struct hfi_codec_supported)) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ ++ ret = parse_codecs(core, payload); ++ if (ret < 0) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ + init_codecs(core); + break; + case HFI_PROPERTY_PARAM_MAX_SESSIONS_SUPPORTED: +- parse_max_sessions(core, data); ++ if (rem_bytes <= sizeof(struct hfi_max_sessions_supported)) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ ++ ret = parse_max_sessions(core, payload); + break; + case HFI_PROPERTY_PARAM_CODEC_MASK_SUPPORTED: +- parse_codecs_mask(&codecs, &domain, data); ++ if (rem_bytes <= sizeof(struct hfi_codec_mask_supported)) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ ++ ret = parse_codecs_mask(&codecs, &domain, payload); + break; + case HFI_PROPERTY_PARAM_UNCOMPRESSED_FORMAT_SUPPORTED: +- parse_raw_formats(core, codecs, domain, data); ++ if (rem_bytes <= sizeof(struct hfi_uncompressed_format_supported)) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ ++ ret = parse_raw_formats(core, codecs, domain, payload); + break; + case HFI_PROPERTY_PARAM_CAPABILITY_SUPPORTED: +- parse_caps(core, codecs, domain, data); ++ if (rem_bytes <= sizeof(struct hfi_capabilities)) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ ++ ret = parse_caps(core, codecs, domain, payload); + break; + case HFI_PROPERTY_PARAM_PROFILE_LEVEL_SUPPORTED: +- parse_profile_level(core, codecs, domain, data); ++ if (rem_bytes <= sizeof(struct hfi_profile_level_supported)) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ ++ ret = parse_profile_level(core, codecs, domain, payload); + break; + case HFI_PROPERTY_PARAM_BUFFER_ALLOC_MODE_SUPPORTED: +- parse_alloc_mode(core, codecs, domain, data); ++ if (rem_bytes <= sizeof(struct hfi_buffer_alloc_mode_supported)) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ ++ ret = parse_alloc_mode(core, codecs, domain, payload); + break; + default: ++ ret = sizeof(u32); + break; + } + +- word++; +- words_count--; ++ if (ret < 0) ++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES; ++ ++ words += ret / sizeof(u32); ++ rem_bytes -= ret; + } + + if (!core->max_sessions_supported) diff --git a/queue-6.12/media-vim2m-print-device-name-after-registering-device.patch b/queue-6.12/media-vim2m-print-device-name-after-registering-device.patch new file mode 100644 index 0000000000..c03713ab10 --- /dev/null +++ b/queue-6.12/media-vim2m-print-device-name-after-registering-device.patch @@ -0,0 +1,46 @@ +From 143d75583f2427f3a97dba62413c4f0604867ebf Mon Sep 17 00:00:00 2001 +From: Matthew Majewski +Date: Wed, 19 Feb 2025 14:05:01 -0500 +Subject: media: vim2m: print device name after registering device + +From: Matthew Majewski + +commit 143d75583f2427f3a97dba62413c4f0604867ebf upstream. + +Move the v4l2_info() call displaying the video device name after the +device is actually registered. + +This fixes a bug where the driver was always displaying "/dev/video0" +since it was reading from the vfd before it was registered. + +Fixes: cf7f34777a5b ("media: vim2m: Register video device after setting up internals") +Cc: stable@vger.kernel.org +Signed-off-by: Matthew Majewski +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/vim2m.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/test-drivers/vim2m.c ++++ b/drivers/media/test-drivers/vim2m.c +@@ -1316,9 +1316,6 @@ static int vim2m_probe(struct platform_d + vfd->v4l2_dev = &dev->v4l2_dev; + + video_set_drvdata(vfd, dev); +- v4l2_info(&dev->v4l2_dev, +- "Device registered as /dev/video%d\n", vfd->num); +- + platform_set_drvdata(pdev, dev); + + dev->m2m_dev = v4l2_m2m_init(&m2m_ops); +@@ -1345,6 +1342,9 @@ static int vim2m_probe(struct platform_d + goto error_m2m; + } + ++ v4l2_info(&dev->v4l2_dev, ++ "Device registered as /dev/video%d\n", vfd->num); ++ + #ifdef CONFIG_MEDIA_CONTROLLER + ret = v4l2_m2m_register_media_controller(dev->m2m_dev, vfd, + MEDIA_ENT_F_PROC_VIDEO_SCALER); diff --git a/queue-6.12/media-visl-fix-erange-error-when-setting-enum-controls.patch b/queue-6.12/media-visl-fix-erange-error-when-setting-enum-controls.patch new file mode 100644 index 0000000000..8464838bb2 --- /dev/null +++ b/queue-6.12/media-visl-fix-erange-error-when-setting-enum-controls.patch @@ -0,0 +1,59 @@ +From d98e9213a768a3cc3a99f5e1abe09ad3baff2104 Mon Sep 17 00:00:00 2001 +From: Nicolas Dufresne +Date: Tue, 10 Dec 2024 16:02:53 -0500 +Subject: media: visl: Fix ERANGE error when setting enum controls + +From: Nicolas Dufresne + +commit d98e9213a768a3cc3a99f5e1abe09ad3baff2104 upstream. + +The visl driver supports both frame and slice mode, with and without a +start-code. But, the range and default for these enum controls was not +set, which currently limits the decoder to enums with a value of 0. Fix +this by setting the decoder mode and start code controls for both the +H.264 and HEVC codecs. + +Fixes: 0c078e310b6d ("media: visl: add virtual stateless decoder driver") +Cc: stable@vger.kernel.org +Signed-off-by: Nicolas Dufresne +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/visl/visl-core.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/media/test-drivers/visl/visl-core.c ++++ b/drivers/media/test-drivers/visl/visl-core.c +@@ -161,9 +161,15 @@ static const struct visl_ctrl_desc visl_ + }, + { + .cfg.id = V4L2_CID_STATELESS_H264_DECODE_MODE, ++ .cfg.min = V4L2_STATELESS_H264_DECODE_MODE_SLICE_BASED, ++ .cfg.max = V4L2_STATELESS_H264_DECODE_MODE_FRAME_BASED, ++ .cfg.def = V4L2_STATELESS_H264_DECODE_MODE_SLICE_BASED, + }, + { + .cfg.id = V4L2_CID_STATELESS_H264_START_CODE, ++ .cfg.min = V4L2_STATELESS_H264_START_CODE_NONE, ++ .cfg.max = V4L2_STATELESS_H264_START_CODE_ANNEX_B, ++ .cfg.def = V4L2_STATELESS_H264_START_CODE_NONE, + }, + { + .cfg.id = V4L2_CID_STATELESS_H264_SLICE_PARAMS, +@@ -198,9 +204,15 @@ static const struct visl_ctrl_desc visl_ + }, + { + .cfg.id = V4L2_CID_STATELESS_HEVC_DECODE_MODE, ++ .cfg.min = V4L2_STATELESS_HEVC_DECODE_MODE_SLICE_BASED, ++ .cfg.max = V4L2_STATELESS_HEVC_DECODE_MODE_FRAME_BASED, ++ .cfg.def = V4L2_STATELESS_HEVC_DECODE_MODE_SLICE_BASED, + }, + { + .cfg.id = V4L2_CID_STATELESS_HEVC_START_CODE, ++ .cfg.min = V4L2_STATELESS_HEVC_START_CODE_NONE, ++ .cfg.max = V4L2_STATELESS_HEVC_START_CODE_ANNEX_B, ++ .cfg.def = V4L2_STATELESS_HEVC_START_CODE_NONE, + }, + { + .cfg.id = V4L2_CID_STATELESS_HEVC_ENTRY_POINT_OFFSETS, diff --git a/queue-6.12/mptcp-sockopt-fix-getting-freebind-transparent.patch b/queue-6.12/mptcp-sockopt-fix-getting-freebind-transparent.patch new file mode 100644 index 0000000000..e6502b2735 --- /dev/null +++ b/queue-6.12/mptcp-sockopt-fix-getting-freebind-transparent.patch @@ -0,0 +1,62 @@ +From e2f4ac7bab2205d3c4dd9464e6ffd82502177c51 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Fri, 14 Mar 2025 21:11:33 +0100 +Subject: mptcp: sockopt: fix getting freebind & transparent + +From: Matthieu Baerts (NGI0) + +commit e2f4ac7bab2205d3c4dd9464e6ffd82502177c51 upstream. + +When adding a socket option support in MPTCP, both the get and set parts +are supposed to be implemented. + +IP(V6)_FREEBIND and IP(V6)_TRANSPARENT support for the setsockopt part +has been added a while ago, but it looks like the get part got +forgotten. It should have been present as a way to verify a setting has +been set as expected, and not to act differently from TCP or any other +socket types. + +Everything was in place to expose it, just the last step was missing. +Only new code is added to cover these specific getsockopt(), that seems +safe. + +Fixes: c9406a23c116 ("mptcp: sockopt: add SOL_IP freebind & transparent options") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-3-122dbb249db3@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/sockopt.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -1419,6 +1419,12 @@ static int mptcp_getsockopt_v4(struct mp + switch (optname) { + case IP_TOS: + return mptcp_put_int_option(msk, optval, optlen, READ_ONCE(inet_sk(sk)->tos)); ++ case IP_FREEBIND: ++ return mptcp_put_int_option(msk, optval, optlen, ++ inet_test_bit(FREEBIND, sk)); ++ case IP_TRANSPARENT: ++ return mptcp_put_int_option(msk, optval, optlen, ++ inet_test_bit(TRANSPARENT, sk)); + case IP_BIND_ADDRESS_NO_PORT: + return mptcp_put_int_option(msk, optval, optlen, + inet_test_bit(BIND_ADDRESS_NO_PORT, sk)); +@@ -1439,6 +1445,12 @@ static int mptcp_getsockopt_v6(struct mp + case IPV6_V6ONLY: + return mptcp_put_int_option(msk, optval, optlen, + sk->sk_ipv6only); ++ case IPV6_TRANSPARENT: ++ return mptcp_put_int_option(msk, optval, optlen, ++ inet_test_bit(TRANSPARENT, sk)); ++ case IPV6_FREEBIND: ++ return mptcp_put_int_option(msk, optval, optlen, ++ inet_test_bit(FREEBIND, sk)); + } + + return -EOPNOTSUPP; diff --git a/queue-6.12/mptcp-sockopt-fix-getting-ipv6_v6only.patch b/queue-6.12/mptcp-sockopt-fix-getting-ipv6_v6only.patch new file mode 100644 index 0000000000..3dce8e56a6 --- /dev/null +++ b/queue-6.12/mptcp-sockopt-fix-getting-ipv6_v6only.patch @@ -0,0 +1,72 @@ +From 8c39633759885b6ff85f6d96cf445560e74df5e8 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Fri, 14 Mar 2025 21:11:32 +0100 +Subject: mptcp: sockopt: fix getting IPV6_V6ONLY + +From: Matthieu Baerts (NGI0) + +commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream. + +When adding a socket option support in MPTCP, both the get and set parts +are supposed to be implemented. + +IPV6_V6ONLY support for the setsockopt part has been added a while ago, +but it looks like the get part got forgotten. It should have been +present as a way to verify a setting has been set as expected, and not +to act differently from TCP or any other socket types. + +Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want +to check the default value, before doing extra actions. On Linux, the +default value is 0, but this can be changed with the net.ipv6.bindv6only +sysctl knob. On Windows, it is set to 1 by default. So supporting the +get part, like for all other socket options, is important. + +Everything was in place to expose it, just the last step was missing. +Only new code is added to cover this specific getsockopt(), that seems +safe. + +Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt") +Cc: stable@vger.kernel.org +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550 +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/sockopt.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -1430,6 +1430,20 @@ static int mptcp_getsockopt_v4(struct mp + return -EOPNOTSUPP; + } + ++static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname, ++ char __user *optval, int __user *optlen) ++{ ++ struct sock *sk = (void *)msk; ++ ++ switch (optname) { ++ case IPV6_V6ONLY: ++ return mptcp_put_int_option(msk, optval, optlen, ++ sk->sk_ipv6only); ++ } ++ ++ return -EOPNOTSUPP; ++} ++ + static int mptcp_getsockopt_sol_mptcp(struct mptcp_sock *msk, int optname, + char __user *optval, int __user *optlen) + { +@@ -1469,6 +1483,8 @@ int mptcp_getsockopt(struct sock *sk, in + + if (level == SOL_IP) + return mptcp_getsockopt_v4(msk, optname, optval, option); ++ if (level == SOL_IPV6) ++ return mptcp_getsockopt_v6(msk, optname, optval, option); + if (level == SOL_TCP) + return mptcp_getsockopt_sol_tcp(msk, optname, optval, option); + if (level == SOL_MPTCP) diff --git a/queue-6.12/mtd-add-check-for-devm_kcalloc.patch b/queue-6.12/mtd-add-check-for-devm_kcalloc.patch new file mode 100644 index 0000000000..5ac0804e95 --- /dev/null +++ b/queue-6.12/mtd-add-check-for-devm_kcalloc.patch @@ -0,0 +1,32 @@ +From 2aee30bb10d7bad0a60255059c9ce1b84cf0130e Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 5 Feb 2025 02:31:41 +0000 +Subject: mtd: Add check for devm_kcalloc() + +From: Jiasheng Jiang + +commit 2aee30bb10d7bad0a60255059c9ce1b84cf0130e upstream. + +Add a check for devm_kcalloc() to ensure successful allocation. + +Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk") +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Jiasheng Jiang +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/mtdpstore.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mtd/mtdpstore.c ++++ b/drivers/mtd/mtdpstore.c +@@ -423,6 +423,9 @@ static void mtdpstore_notify_add(struct + longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize)); + cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL); + ++ if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap) ++ return; ++ + /* just support dmesg right now */ + cxt->dev.flags = PSTORE_FLAGS_DMESG; + cxt->dev.zone.read = mtdpstore_read; diff --git a/queue-6.12/mtd-rawnand-brcmnand-fix-pm-resume-warning.patch b/queue-6.12/mtd-rawnand-brcmnand-fix-pm-resume-warning.patch new file mode 100644 index 0000000000..8d2733099e --- /dev/null +++ b/queue-6.12/mtd-rawnand-brcmnand-fix-pm-resume-warning.patch @@ -0,0 +1,98 @@ +From ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Thu, 27 Feb 2025 12:46:08 -0500 +Subject: mtd: rawnand: brcmnand: fix PM resume warning + +From: Kamal Dasu + +commit ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 upstream. + +Fixed warning on PM resume as shown below caused due to uninitialized +struct nand_operation that checks chip select field : +WARN_ON(op->cs >= nanddev_ntargets(&chip->base) + +[ 14.588522] ------------[ cut here ]------------ +[ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8 +[ 14.588553] Modules linked in: bdc udc_core +[ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16 +[ 14.588590] Tainted: [W]=WARN +[ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree) +[ 14.588598] Call trace: +[ 14.588604] dump_backtrace from show_stack+0x18/0x1c +[ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c +[ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c +[ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c +[ 14.588653] r5:c08d40b0 r4:c1003cb0 +[ 14.588656] dump_stack from __warn+0x84/0xe4 +[ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194 +[ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000 +[ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8 +[ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048 +[ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150 +[ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040 +[ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54 +[ 14.588735] r5:00000010 r4:c0840a50 +[ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c +[ 14.588757] dpm_run_callback from device_resume+0xc0/0x324 +[ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010 +[ 14.588779] device_resume from dpm_resume+0x130/0x160 +[ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0 +[ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20 +[ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414 +[ 14.588826] r4:00000010 +[ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8 +[ 14.588848] r5:c228a414 r4:00000000 +[ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc +[ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000 +[ 14.588871] r4:00000003 +[ 14.588874] pm_suspend from state_store+0x74/0xd0 +[ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003 +[ 14.588892] state_store from kobj_attr_store+0x1c/0x28 +[ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250 +[ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c +[ 14.588936] r5:c3502900 r4:c0d92a48 +[ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0 +[ 14.588956] r5:c3502900 r4:c3501f40 +[ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420 +[ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00 +[ 14.588983] r4:c042a88c +[ 14.588987] vfs_write from ksys_write+0x74/0xe4 +[ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00 +[ 14.589008] r4:c34f7f00 +[ 14.589011] ksys_write from sys_write+0x10/0x14 +[ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004 +[ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c +[ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0) +[ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001 +[ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78 +[ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8 +[ 14.589065] ---[ end trace 0000000000000000 ]--- + +The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when +doing PM resume operation in compliance with the controller support for single +die nand chip. Switching from nand_reset_op() to nand_reset() implies more +than just setting the cs field op->cs, it also reconfigures the data interface +(ie. the timings). Tested and confirmed the NAND chip is in sync timing wise +with host after the fix. + +Fixes: 97d90da8a886 ("mtd: nand: provide several helpers to do common NAND operations") +Cc: stable@vger.kernel.org +Signed-off-by: Kamal Dasu +Reviewed-by: Florian Fainelli +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -3008,7 +3008,7 @@ static int brcmnand_resume(struct device + brcmnand_save_restore_cs_config(host, 1); + + /* Reset the chip, required by some chips after power-up */ +- nand_reset_op(chip); ++ nand_reset(chip, 0); + } + + return 0; diff --git a/queue-6.12/mtd-replace-kcalloc-with-devm_kcalloc.patch b/queue-6.12/mtd-replace-kcalloc-with-devm_kcalloc.patch new file mode 100644 index 0000000000..83c40c2f4f --- /dev/null +++ b/queue-6.12/mtd-replace-kcalloc-with-devm_kcalloc.patch @@ -0,0 +1,48 @@ +From 1b61a59876f0eafc19b23007c522ee407f55dbec Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 5 Feb 2025 02:31:40 +0000 +Subject: mtd: Replace kcalloc() with devm_kcalloc() + +From: Jiasheng Jiang + +commit 1b61a59876f0eafc19b23007c522ee407f55dbec upstream. + +Replace kcalloc() with devm_kcalloc() to prevent memory leaks in case of +errors. + +Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk") +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Jiasheng Jiang +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/mtdpstore.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/mtd/mtdpstore.c ++++ b/drivers/mtd/mtdpstore.c +@@ -417,11 +417,11 @@ static void mtdpstore_notify_add(struct + } + + longcnt = BITS_TO_LONGS(div_u64(mtd->size, info->kmsg_size)); +- cxt->rmmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL); +- cxt->usedmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL); ++ cxt->rmmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL); ++ cxt->usedmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL); + + longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize)); +- cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL); ++ cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL); + + if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap) + return; +@@ -530,9 +530,6 @@ static void mtdpstore_notify_remove(stru + mtdpstore_flush_removed(cxt); + + unregister_pstore_device(&cxt->dev); +- kfree(cxt->badmap); +- kfree(cxt->usedmap); +- kfree(cxt->rmmap); + cxt->mtd = NULL; + cxt->index = -1; + } diff --git a/queue-6.12/net-dsa-mv88e6xxx-fix-internal-phys-for-6320-family.patch b/queue-6.12/net-dsa-mv88e6xxx-fix-internal-phys-for-6320-family.patch new file mode 100644 index 0000000000..4136d26199 --- /dev/null +++ b/queue-6.12/net-dsa-mv88e6xxx-fix-internal-phys-for-6320-family.patch @@ -0,0 +1,48 @@ +From 52fdc41c3278c981066a461d03d5477ebfcf270c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Mon, 17 Mar 2025 18:32:49 +0100 +Subject: net: dsa: mv88e6xxx: fix internal PHYs for 6320 family +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 52fdc41c3278c981066a461d03d5477ebfcf270c upstream. + +Fix internal PHYs definition for the 6320 family, which has only 2 +internal PHYs (on ports 3 and 4). + +Fixes: bc3931557d1d ("net: dsa: mv88e6xxx: Add number of internal PHYs") +Signed-off-by: Marek Behún +Cc: # 6.6.x +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250317173250.28780-7-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -6171,7 +6171,8 @@ static const struct mv88e6xxx_info mv88e + .num_databases = 4096, + .num_macs = 8192, + .num_ports = 7, +- .num_internal_phys = 5, ++ .num_internal_phys = 2, ++ .internal_phys_offset = 3, + .num_gpio = 15, + .max_vid = 4095, + .max_sid = 63, +@@ -6365,7 +6366,8 @@ static const struct mv88e6xxx_info mv88e + .num_databases = 4096, + .num_macs = 8192, + .num_ports = 7, +- .num_internal_phys = 5, ++ .num_internal_phys = 2, ++ .internal_phys_offset = 3, + .num_gpio = 15, + .max_vid = 4095, + .max_sid = 63, diff --git a/queue-6.12/net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch b/queue-6.12/net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch new file mode 100644 index 0000000000..019573107d --- /dev/null +++ b/queue-6.12/net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch @@ -0,0 +1,70 @@ +From 1ebc8e1ef906db9c08e9abe9776d85ddec837725 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Mon, 17 Mar 2025 18:32:50 +0100 +Subject: net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 1ebc8e1ef906db9c08e9abe9776d85ddec837725 upstream. + +Implement the workaround for erratum + 3.3 RGMII timing may be out of spec when transmit delay is enabled +for the 6320 family, which says: + + When transmit delay is enabled via Port register 1 bit 14 = 1, duty + cycle may be out of spec. Under very rare conditions this may cause + the attached device receive CRC errors. + +Signed-off-by: Marek Behún +Cc: # 5.4.x +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250317173250.28780-8-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3691,6 +3691,21 @@ static int mv88e6xxx_stats_setup(struct + return mv88e6xxx_g1_stats_clear(chip); + } + ++static int mv88e6320_setup_errata(struct mv88e6xxx_chip *chip) ++{ ++ u16 dummy; ++ int err; ++ ++ /* Workaround for erratum ++ * 3.3 RGMII timing may be out of spec when transmit delay is enabled ++ */ ++ err = mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000); ++ if (err) ++ return err; ++ ++ return mv88e6xxx_port_hidden_read(chip, 0, 0xf, 0x7, &dummy); ++} ++ + /* Check if the errata has already been applied. */ + static bool mv88e6390_setup_errata_applied(struct mv88e6xxx_chip *chip) + { +@@ -5144,6 +5159,7 @@ static const struct mv88e6xxx_ops mv88e6 + + static const struct mv88e6xxx_ops mv88e6320_ops = { + /* MV88E6XXX_FAMILY_6320 */ ++ .setup_errata = mv88e6320_setup_errata, + .ieee_pri_map = mv88e6085_g1_ieee_pri_map, + .ip_pri_map = mv88e6085_g1_ip_pri_map, + .irl_init_all = mv88e6352_g2_irl_init_all, +@@ -5193,6 +5209,7 @@ static const struct mv88e6xxx_ops mv88e6 + + static const struct mv88e6xxx_ops mv88e6321_ops = { + /* MV88E6XXX_FAMILY_6320 */ ++ .setup_errata = mv88e6320_setup_errata, + .ieee_pri_map = mv88e6085_g1_ieee_pri_map, + .ip_pri_map = mv88e6085_g1_ip_pri_map, + .irl_init_all = mv88e6352_g2_irl_init_all, diff --git a/queue-6.12/revert-media-imx214-fix-the-error-handling-in-imx214_probe.patch b/queue-6.12/revert-media-imx214-fix-the-error-handling-in-imx214_probe.patch new file mode 100644 index 0000000000..0c99bacedb --- /dev/null +++ b/queue-6.12/revert-media-imx214-fix-the-error-handling-in-imx214_probe.patch @@ -0,0 +1,33 @@ +From abd88757252c2a2cea7909f3922de1f0e9e04002 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Fri, 10 Jan 2025 10:11:51 +0200 +Subject: Revert "media: imx214: Fix the error handling in imx214_probe()" + +From: Sakari Ailus + +commit abd88757252c2a2cea7909f3922de1f0e9e04002 upstream. + +This reverts commit 9bc92332cc3f06fda3c6e2423995ca2da0a7ec9a. + +Revert this "fix" as it's not really helpful but makes backporting a +proper fix harder. + +Fixes: 9bc92332cc3f ("media: imx214: Fix the error handling in imx214_probe()") +Cc: stable@vger.kernel.org # for >= v6.12 +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/imx214.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/i2c/imx214.c ++++ b/drivers/media/i2c/imx214.c +@@ -1114,7 +1114,6 @@ free_ctrl: + v4l2_ctrl_handler_free(&imx214->ctrls); + error_power_off: + pm_runtime_disable(imx214->dev); +- regulator_bulk_disable(IMX214_NUM_SUPPLIES, imx214->supplies); + + return ret; + } diff --git a/queue-6.12/series b/queue-6.12/series index bc1378c1e9..985321c820 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -184,3 +184,84 @@ hid-pidff-clamp-effect-playback-loop_count-value.patch hid-pidff-compute-infinite-value-instead-of-using-ha.patch hid-pidff-fix-90-degrees-direction-name-north-east.patch hid-pidff-fix-set_device_control.patch +auxdisplay-hd44780-fix-an-api-misuse-in-hd44780.c.patch +dt-bindings-media-st-stmipid02-correct-lane-polarities-maxitems.patch +media-mediatek-vcodec-fix-a-resource-leak-related-to-the-scp-device-in-fw-initialization.patch +media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch +media-uapi-rkisp1-config-fix-typo-in-extensible-params-example.patch +media-mgb4-fix-cmt-registers-update-logic.patch +media-i2c-adv748x-fix-test-pattern-selection-mask.patch +media-mgb4-fix-switched-cmt-frequency-range-magic-values-sets.patch +media-intel-ipu6-set-the-dev_parent-of-video-device-to-pdev.patch +media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch +media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch +media-vim2m-print-device-name-after-registering-device.patch +media-siano-fix-error-handling-in-smsdvb_module_init.patch +media-rockchip-rga-fix-rga-offset-lookup.patch +xenfs-xensyms-respect-hypervisor-s-next-indication.patch +arm64-cputype-add-midr_cortex_a76ae.patch +arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch +arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch +arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch +kvm-arm64-tear-down-vgic-on-failed-vcpu-creation.patch +spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch +mtd-rawnand-brcmnand-fix-pm-resume-warning.patch +tpm-tpm_tis-fix-timeout-handling-when-waiting-for-tpm-status.patch +accel-ivpu-fix-pm-related-deadlocks-in-ms-ioctls.patch +media-streamzap-prevent-processing-ir-data-on-urb-failure.patch +media-hi556-fix-memory-leak-on-error-in-hi556_check_hwcfg.patch +media-visl-fix-erange-error-when-setting-enum-controls.patch +media-platform-stm32-add-check-for-clk_enable.patch +media-imx219-adjust-pll-settings-based-on-the-number-of-mipi-lanes.patch +media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch +revert-media-imx214-fix-the-error-handling-in-imx214_probe.patch +media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-remove.patch +media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-probe.patch +media-i2c-ov7251-set-enable-gpio-low-in-probe.patch +media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch +media-nuvoton-fix-reference-handling-of-ece_node.patch +media-nuvoton-fix-reference-handling-of-ece_pdev.patch +media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch +media-venus-hfi_parser-refactor-hfi-packet-parsing-logic.patch +media-i2c-imx319-rectify-runtime-pm-handling-probe-and-remove.patch +media-i2c-imx219-rectify-runtime-pm-handling-in-probe-and-remove.patch +media-i2c-imx214-rectify-probe-error-handling-related-to-runtime-pm.patch +media-chips-media-wave5-fix-gray-color-on-screen.patch +media-chips-media-wave5-avoid-race-condition-in-the-interrupt-handler.patch +media-chips-media-wave5-fix-a-hang-after-seeking.patch +media-chips-media-wave5-fix-timeout-while-testing-10bit-hevc-fluster.patch +mptcp-sockopt-fix-getting-ipv6_v6only.patch +mptcp-sockopt-fix-getting-freebind-transparent.patch +mtd-add-check-for-devm_kcalloc.patch +net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch +net-dsa-mv88e6xxx-fix-internal-phys-for-6320-family.patch +mtd-replace-kcalloc-with-devm_kcalloc.patch +clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch +wifi-mt76-add-check-for-devm_kstrdup.patch +wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch +wifi-mt76-mt7925-ensure-wow-pattern-command-align-fw-format.patch +wifi-mt76-mt7925-fix-country-count-limitation-for-clc.patch +wifi-mt76-mt7925-fix-the-wrong-link_idx-when-a-p2p_device-is-present.patch +wifi-mt76-mt7925-fix-the-wrong-simultaneous-cap-for-mlo.patch +io_uring-net-fix-accept-multishot-handling.patch +io_uring-net-fix-io_req_post_cqe-abuse-by-send-bundle.patch +io_uring-kbuf-reject-zero-sized-provided-buffers.patch +asoc-codecs-wcd937x-fix-a-potential-memory-leak-in-wcd937x_soc_codec_probe.patch +asoc-q6apm-add-q6apm_get_hw_pointer-helper.patch +asoc-q6apm-dai-schedule-all-available-frames-to-avoid-dsp-under-runs.patch +asoc-q6apm-dai-make-use-of-q6apm_get_hw_pointer.patch +asoc-qdsp6-q6apm-dai-set-10-ms-period-and-buffer-alignment.patch +asoc-qdsp6-q6apm-dai-fix-capture-pipeline-overruns.patch +asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch +alsa-hda-realtek-enable-mute-led-on-hp-omen-16-laptop-xd000xx.patch +accel-ivpu-fix-warning-in-ivpu_ipc_send_receive_internal.patch +accel-ivpu-fix-deadlock-in-ivpu_ms_cleanup.patch +bus-mhi-host-fix-race-between-unprepare-and-queue_buf.patch +ext4-fix-off-by-one-error-in-do_split.patch +f2fs-fix-to-avoid-atomicity-corruption-of-atomic-file.patch +vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch +udf-fix-inode_getblk-return-value.patch +tpm-do-not-start-chip-while-suspended.patch +svcrdma-do-not-unregister-device-for-listeners.patch +soc-samsung-exynos-chipid-add-null-pointer-check-in-exynos_chipid_probe.patch +smb311-client-fix-missing-tcon-check-when-mounting-with-linux-posix-extensions.patch diff --git a/queue-6.12/smb311-client-fix-missing-tcon-check-when-mounting-with-linux-posix-extensions.patch b/queue-6.12/smb311-client-fix-missing-tcon-check-when-mounting-with-linux-posix-extensions.patch new file mode 100644 index 0000000000..b7b1abcb96 --- /dev/null +++ b/queue-6.12/smb311-client-fix-missing-tcon-check-when-mounting-with-linux-posix-extensions.patch @@ -0,0 +1,35 @@ +From b365b9d404b7376c60c91cd079218bfef11b7822 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Sun, 6 Apr 2025 14:09:19 -0500 +Subject: smb311 client: fix missing tcon check when mounting with linux/posix extensions + +From: Steve French + +commit b365b9d404b7376c60c91cd079218bfef11b7822 upstream. + +When mounting the same share twice, once with the "linux" mount parameter +(or equivalently "posix") and then once without (or e.g. with "nolinux"), +we were incorrectly reusing the same tree connection for both mounts. +This meant that the first mount of the share on the client, would +cause subsequent mounts of that same share on the same client to +ignore that mount parm ("linux" vs. "nolinux") and incorrectly reuse +the same tcon. + +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -2474,6 +2474,8 @@ static int match_tcon(struct cifs_tcon * + return 0; + if (tcon->nodelete != ctx->nodelete) + return 0; ++ if (tcon->posix_extensions != ctx->linux_ext) ++ return 0; + return 1; + } + diff --git a/queue-6.12/soc-samsung-exynos-chipid-add-null-pointer-check-in-exynos_chipid_probe.patch b/queue-6.12/soc-samsung-exynos-chipid-add-null-pointer-check-in-exynos_chipid_probe.patch new file mode 100644 index 0000000000..87aeeda72f --- /dev/null +++ b/queue-6.12/soc-samsung-exynos-chipid-add-null-pointer-check-in-exynos_chipid_probe.patch @@ -0,0 +1,37 @@ +From c8222ef6cf29dd7cad21643228f96535cc02b327 Mon Sep 17 00:00:00 2001 +From: Chenyuan Yang +Date: Wed, 12 Feb 2025 15:35:18 -0600 +Subject: soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() + +From: Chenyuan Yang + +commit c8222ef6cf29dd7cad21643228f96535cc02b327 upstream. + +soc_dev_attr->revision could be NULL, thus, +a pointer check is added to prevent potential NULL pointer dereference. +This is similar to the fix in commit 3027e7b15b02 +("ice: Fix some null pointer dereference issues in ice_ptp.c"). + +This issue is found by our static analysis tool. + +Signed-off-by: Chenyuan Yang +Link: https://lore.kernel.org/r/20250212213518.69432-1-chenyuan0y@gmail.com +Fixes: 3253b7b7cd44 ("soc: samsung: Add exynos chipid driver support") +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/samsung/exynos-chipid.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/soc/samsung/exynos-chipid.c ++++ b/drivers/soc/samsung/exynos-chipid.c +@@ -131,6 +131,8 @@ static int exynos_chipid_probe(struct pl + + soc_dev_attr->revision = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "%x", soc_info.revision); ++ if (!soc_dev_attr->revision) ++ return -ENOMEM; + soc_dev_attr->soc_id = product_id_to_soc_id(soc_info.product_id); + if (!soc_dev_attr->soc_id) { + pr_err("Unknown SoC\n"); diff --git a/queue-6.12/spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch b/queue-6.12/spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch new file mode 100644 index 0000000000..3176d31009 --- /dev/null +++ b/queue-6.12/spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch @@ -0,0 +1,62 @@ +From b8665a1b49f5498edb7b21d730030c06b7348a3c Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Wed, 5 Mar 2025 21:09:32 +0100 +Subject: spi: cadence-qspi: Fix probe on AM62A LP SK + +From: Miquel Raynal + +commit b8665a1b49f5498edb7b21d730030c06b7348a3c upstream. + +In 2020, there's been an unnoticed change which rightfully attempted to +report probe deferrals upon DMA absence by checking the return value of +dma_request_chan_by_mask(). By doing so, it also reported errors which +were simply ignored otherwise, likely on purpose. + +This change actually turned a void return into an error code. Hence, not +only the -EPROBE_DEFER error codes but all error codes got reported to +the callers, now failing to probe in the absence of Rx DMA channel, +despite the fact that DMA seems to not be supported natively by many +implementations. + +Looking at the history, this change probably led to: +ad2775dc3fc5 ("spi: cadence-quadspi: Disable the DAC for Intel LGM SoC") +f724c296f2f2 ("spi: cadence-quadspi: fix Direct Access Mode disable for SoCFPGA") + +In my case, the AM62A LP SK core octo-SPI node from TI does not +advertise any DMA channel, hinting that there is likely no support for +it, but yet when the support for the am654 compatible was added, DMA +seemed to be used, so just discarding its use with the +CQSPI_DISABLE_DAC_MODE quirk for this compatible does not seem the +correct approach. + +Let's get change the return condition back to: +- return a probe deferral error if we get one +- ignore the return value otherwise +The "error" log level was however likely too high for something that is +expected to fail, so let's lower it arbitrarily to the info level. + +Fixes: 935da5e5100f ("mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel") +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://patch.msgid.link/20250305200933.2512925-2-miquel.raynal@bootlin.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence-quadspi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -1634,6 +1634,12 @@ static int cqspi_request_mmap_dma(struct + int ret = PTR_ERR(cqspi->rx_chan); + + cqspi->rx_chan = NULL; ++ if (ret == -ENODEV) { ++ /* DMA support is not mandatory */ ++ dev_info(&cqspi->pdev->dev, "No Rx DMA available\n"); ++ return 0; ++ } ++ + return dev_err_probe(&cqspi->pdev->dev, ret, "No Rx DMA available\n"); + } + init_completion(&cqspi->rx_dma_complete); diff --git a/queue-6.12/svcrdma-do-not-unregister-device-for-listeners.patch b/queue-6.12/svcrdma-do-not-unregister-device-for-listeners.patch new file mode 100644 index 0000000000..adf7e283ee --- /dev/null +++ b/queue-6.12/svcrdma-do-not-unregister-device-for-listeners.patch @@ -0,0 +1,43 @@ +From 750037aa0a9f28d84df3dcf319a28423d69092fd Mon Sep 17 00:00:00 2001 +From: Olga Kornievskaia +Date: Thu, 6 Feb 2025 13:15:34 -0500 +Subject: svcrdma: do not unregister device for listeners + +From: Olga Kornievskaia + +commit 750037aa0a9f28d84df3dcf319a28423d69092fd upstream. + +On an rdma-capable machine, a start/stop/start and then on a stop of +a knfsd server would lead kref underflow warning because svc_rdma_free +would indiscriminately unregister the rdma device but a listening +transport never calls the rdma_rn_register() thus leading to kref +going down to 0 on the 1st stop of the server and on the 2nd stop +it leads to a problem. + +Suggested-by: Chuck Lever +Fixes: c4de97f7c454 ("svcrdma: Handle device removal outside of the CM event handler") +Signed-off-by: Olga Kornievskaia +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtrdma/svc_rdma_transport.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c +index c3fbf0779d4a..aca8bdf65d72 100644 +--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c +@@ -621,7 +621,8 @@ static void __svc_rdma_free(struct work_struct *work) + /* Destroy the CM ID */ + rdma_destroy_id(rdma->sc_cm_id); + +- rpcrdma_rn_unregister(device, &rdma->sc_rn); ++ if (!test_bit(XPT_LISTENER, &rdma->sc_xprt.xpt_flags)) ++ rpcrdma_rn_unregister(device, &rdma->sc_rn); + kfree(rdma); + } + +-- +2.49.0 + diff --git a/queue-6.12/tpm-do-not-start-chip-while-suspended.patch b/queue-6.12/tpm-do-not-start-chip-while-suspended.patch new file mode 100644 index 0000000000..0cbecfabae --- /dev/null +++ b/queue-6.12/tpm-do-not-start-chip-while-suspended.patch @@ -0,0 +1,100 @@ +From 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Fri, 7 Feb 2025 15:07:46 -0300 +Subject: tpm: do not start chip while suspended + +From: Thadeu Lima de Souza Cascardo + +commit 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd upstream. + +Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can +lead to a spurious tpm_chip_start() call: + +[35985.503771] i2c i2c-1: Transfer while suspended +[35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810 +[35985.503802] Modules linked in: +[35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f +[35985.503814] Tainted: [W]=WARN +[35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023 +[35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810 +[35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5 +[35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246 +[35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000 +[35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001 +[35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 +[35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820 +[35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120 +[35985.503846] FS: 0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000 +[35985.503849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0 +[35985.503855] Call Trace: +[35985.503859] +[35985.503863] ? __warn+0xd4/0x260 +[35985.503868] ? __i2c_transfer+0xbe/0x810 +[35985.503874] ? report_bug+0xf3/0x210 +[35985.503882] ? handle_bug+0x63/0xb0 +[35985.503887] ? exc_invalid_op+0x16/0x50 +[35985.503892] ? asm_exc_invalid_op+0x16/0x20 +[35985.503904] ? __i2c_transfer+0xbe/0x810 +[35985.503913] tpm_cr50_i2c_transfer_message+0x24/0xf0 +[35985.503920] tpm_cr50_i2c_read+0x8e/0x120 +[35985.503928] tpm_cr50_request_locality+0x75/0x170 +[35985.503935] tpm_chip_start+0x116/0x160 +[35985.503942] tpm_try_get_ops+0x57/0x90 +[35985.503948] tpm_find_get_ops+0x26/0xd0 +[35985.503955] tpm_get_random+0x2d/0x80 + +Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless +TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in +such a failure case. + +Fixes: 9265fed6db60 ("tpm: Lock TPM chip in tpm_pm_suspend() first") +Signed-off-by: Thadeu Lima de Souza Cascardo +Cc: stable@vger.kernel.org +Cc: Jerry Snitselaar +Cc: Mike Seo +Cc: Jarkko Sakkinen +Reviewed-by: Jerry Snitselaar +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm-chip.c | 5 +++++ + drivers/char/tpm/tpm-interface.c | 7 ------- + 2 files changed, 5 insertions(+), 7 deletions(-) + +--- a/drivers/char/tpm/tpm-chip.c ++++ b/drivers/char/tpm/tpm-chip.c +@@ -168,6 +168,11 @@ int tpm_try_get_ops(struct tpm_chip *chi + goto out_ops; + + mutex_lock(&chip->tpm_mutex); ++ ++ /* tmp_chip_start may issue IO that is denied while suspended */ ++ if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) ++ goto out_lock; ++ + rc = tpm_chip_start(chip); + if (rc) + goto out_lock; +--- a/drivers/char/tpm/tpm-interface.c ++++ b/drivers/char/tpm/tpm-interface.c +@@ -445,18 +445,11 @@ int tpm_get_random(struct tpm_chip *chip + if (!chip) + return -ENODEV; + +- /* Give back zero bytes, as TPM chip has not yet fully resumed: */ +- if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) { +- rc = 0; +- goto out; +- } +- + if (chip->flags & TPM_CHIP_FLAG_TPM2) + rc = tpm2_get_random(chip, out, max); + else + rc = tpm1_get_random(chip, out, max); + +-out: + tpm_put_ops(chip); + return rc; + } diff --git a/queue-6.12/tpm-tpm_tis-fix-timeout-handling-when-waiting-for-tpm-status.patch b/queue-6.12/tpm-tpm_tis-fix-timeout-handling-when-waiting-for-tpm-status.patch new file mode 100644 index 0000000000..4f37497038 --- /dev/null +++ b/queue-6.12/tpm-tpm_tis-fix-timeout-handling-when-waiting-for-tpm-status.patch @@ -0,0 +1,49 @@ +From 7146dffa875cd00e7a7f918e1fce79c7593ac1fa Mon Sep 17 00:00:00 2001 +From: Jonathan McDowell +Date: Wed, 12 Mar 2025 07:31:57 +0200 +Subject: tpm, tpm_tis: Fix timeout handling when waiting for TPM status +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan McDowell + +commit 7146dffa875cd00e7a7f918e1fce79c7593ac1fa upstream. + +The change to only use interrupts to handle supported status changes +introduced an issue when it is necessary to poll for the status. Rather +than checking for the status after sleeping the code now sleeps after +the check. This means a correct, but slower, status change on the part +of the TPM can be missed, resulting in a spurious timeout error, +especially on a more loaded system. Switch back to sleeping *then* +checking. An up front check of the status has been done at the start of +the function, so this does not cause an additional delay when the status +is already what we're looking for. + +Cc: stable@vger.kernel.org # v6.4+ +Fixes: e87fcf0dc2b4 ("tpm, tpm_tis: Only handle supported interrupts") +Signed-off-by: Jonathan McDowell +Reviewed-by: Michal Suchánek +Reviewed-by: Lino Sanfilippo +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_tis_core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -114,11 +114,10 @@ again: + return 0; + /* process status changes without irq support */ + do { ++ usleep_range(priv->timeout_min, priv->timeout_max); + status = chip->ops->status(chip); + if ((status & mask) == mask) + return 0; +- usleep_range(priv->timeout_min, +- priv->timeout_max); + } while (time_before(jiffies, stop)); + return -ETIME; + } diff --git a/queue-6.12/udf-fix-inode_getblk-return-value.patch b/queue-6.12/udf-fix-inode_getblk-return-value.patch new file mode 100644 index 0000000000..0cd61b9250 --- /dev/null +++ b/queue-6.12/udf-fix-inode_getblk-return-value.patch @@ -0,0 +1,37 @@ +From 6afdc60ec30b0a9390d11b7cebed79c857ce82aa Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 12 Mar 2025 16:18:39 +0100 +Subject: udf: Fix inode_getblk() return value + +From: Jan Kara + +commit 6afdc60ec30b0a9390d11b7cebed79c857ce82aa upstream. + +Smatch noticed that inode_getblk() can return 1 on successful mapping of +a block instead of expected 0 after commit b405c1e58b73 ("udf: refactor +udf_next_aext() to handle error"). This could confuse some of the +callers and lead to strange failures (although the one reported by +Smatch in udf_mkdir() is impossible to trigger in practice). Fix the +return value of inode_getblk(). + +Link: https://lore.kernel.org/all/cb514af7-bbe0-435b-934f-dd1d7a16d2cd@stanley.mountain +Reported-by: Dan Carpenter +Reviewed-by: Carlos Maiolino +Fixes: b405c1e58b73 ("udf: refactor udf_next_aext() to handle error") +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -810,6 +810,7 @@ static int inode_getblk(struct inode *in + } + map->oflags = UDF_BLK_MAPPED; + map->pblk = udf_get_lb_pblock(inode->i_sb, &eloc, offset); ++ ret = 0; + goto out_free; + } + diff --git a/queue-6.12/vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch b/queue-6.12/vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch new file mode 100644 index 0000000000..daa19662a1 --- /dev/null +++ b/queue-6.12/vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch @@ -0,0 +1,49 @@ +From a6097e0a54a5c24f8d577ffecbc35289ae281c2e Mon Sep 17 00:00:00 2001 +From: Si-Wei Liu +Date: Thu, 20 Feb 2025 21:37:33 +0200 +Subject: vdpa/mlx5: Fix oversized null mkey longer than 32bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Si-Wei Liu + +commit a6097e0a54a5c24f8d577ffecbc35289ae281c2e upstream. + +create_user_mr() has correct code to count the number of null keys +used to fill in a hole for the memory map. However, fill_indir() +does not follow the same to cap the range up to the 1GB limit +correspondingly. Fill in more null keys for the gaps in between, +so that null keys are correctly populated. + +Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code") +Cc: stable@vger.kernel.org +Reported-by: Cong Meng +Signed-off-by: Si-Wei Liu +Signed-off-by: Dragos Tatulea +Acked-by: Eugenio Pérez +Message-Id: <20250220193732.521462-2-dtatulea@nvidia.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vdpa/mlx5/core/mr.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/vdpa/mlx5/core/mr.c ++++ b/drivers/vdpa/mlx5/core/mr.c +@@ -190,9 +190,12 @@ again: + klm->bcount = cpu_to_be32(klm_bcount(dmr->end - dmr->start)); + preve = dmr->end; + } else { ++ u64 bcount = min_t(u64, dmr->start - preve, MAX_KLM_SIZE); ++ + klm->key = cpu_to_be32(mvdev->res.null_mkey); +- klm->bcount = cpu_to_be32(klm_bcount(dmr->start - preve)); +- preve = dmr->start; ++ klm->bcount = cpu_to_be32(klm_bcount(bcount)); ++ preve += bcount; ++ + goto again; + } + } diff --git a/queue-6.12/wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch b/queue-6.12/wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch new file mode 100644 index 0000000000..fa1124349d --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch @@ -0,0 +1,63 @@ +From d00c0c4105e5ab8a6a13ed23d701cceb285761fa Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Wed, 12 Feb 2025 08:21:25 +0000 +Subject: wifi: mac80211: fix integer overflow in hwmp_route_info_get() + +From: Gavrilov Ilia + +commit d00c0c4105e5ab8a6a13ed23d701cceb285761fa upstream. + +Since the new_metric and last_hop_metric variables can reach +the MAX_METRIC(0xffffffff) value, an integer overflow may occur +when multiplying them by 10/9. It can lead to incorrect behavior. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Link: https://patch.msgid.link/20250212082124.4078236-1-Ilia.Gavrilov@infotecs.ru +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh_hwmp.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -367,6 +367,12 @@ u32 airtime_link_metric_get(struct ieee8 + return (u32)result; + } + ++/* Check that the first metric is at least 10% better than the second one */ ++static bool is_metric_better(u32 x, u32 y) ++{ ++ return (x < y) && (x < (y - x / 10)); ++} ++ + /** + * hwmp_route_info_get - Update routing info to originator and transmitter + * +@@ -458,8 +464,8 @@ static u32 hwmp_route_info_get(struct ie + (mpath->sn == orig_sn && + (rcu_access_pointer(mpath->next_hop) != + sta ? +- mult_frac(new_metric, 10, 9) : +- new_metric) >= mpath->metric)) { ++ !is_metric_better(new_metric, mpath->metric) : ++ new_metric >= mpath->metric))) { + process = false; + fresh_info = false; + } +@@ -533,8 +539,8 @@ static u32 hwmp_route_info_get(struct ie + if ((mpath->flags & MESH_PATH_FIXED) || + ((mpath->flags & MESH_PATH_ACTIVE) && + ((rcu_access_pointer(mpath->next_hop) != sta ? +- mult_frac(last_hop_metric, 10, 9) : +- last_hop_metric) > mpath->metric))) ++ !is_metric_better(last_hop_metric, mpath->metric) : ++ last_hop_metric > mpath->metric)))) + fresh_info = false; + } else { + mpath = mesh_path_add(sdata, ta); diff --git a/queue-6.12/wifi-mt76-add-check-for-devm_kstrdup.patch b/queue-6.12/wifi-mt76-add-check-for-devm_kstrdup.patch new file mode 100644 index 0000000000..b5e6d64487 --- /dev/null +++ b/queue-6.12/wifi-mt76-add-check-for-devm_kstrdup.patch @@ -0,0 +1,35 @@ +From 4bc1da524b502999da28d287de4286c986a1af57 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Wed, 19 Feb 2025 11:36:45 +0800 +Subject: wifi: mt76: Add check for devm_kstrdup() + +From: Haoxiang Li + +commit 4bc1da524b502999da28d287de4286c986a1af57 upstream. + +Add check for the return value of devm_kstrdup() in +mt76_get_of_data_from_mtd() to catch potential exception. + +Fixes: e7a6a044f9b9 ("mt76: testmode: move mtd part to mt76_dev") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Link: https://patch.msgid.link/20250219033645.2594753-1-haoxiang_li2024@163.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/eeprom.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/mediatek/mt76/eeprom.c ++++ b/drivers/net/wireless/mediatek/mt76/eeprom.c +@@ -95,6 +95,10 @@ int mt76_get_of_data_from_mtd(struct mt7 + + #ifdef CONFIG_NL80211_TESTMODE + dev->test_mtd.name = devm_kstrdup(dev->dev, part, GFP_KERNEL); ++ if (!dev->test_mtd.name) { ++ ret = -ENOMEM; ++ goto out_put_node; ++ } + dev->test_mtd.offset = offset; + #endif + diff --git a/queue-6.12/wifi-mt76-mt7925-ensure-wow-pattern-command-align-fw-format.patch b/queue-6.12/wifi-mt76-mt7925-ensure-wow-pattern-command-align-fw-format.patch new file mode 100644 index 0000000000..7d5f94557a --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7925-ensure-wow-pattern-command-align-fw-format.patch @@ -0,0 +1,35 @@ +From 8ae45b1f699bbc27ea8647093f794f671e77410b Mon Sep 17 00:00:00 2001 +From: Ming Yen Hsieh +Date: Thu, 16 Jan 2025 13:59:25 +0800 +Subject: wifi: mt76: mt7925: ensure wow pattern command align fw format + +From: Ming Yen Hsieh + +commit 8ae45b1f699bbc27ea8647093f794f671e77410b upstream. + +Align the format of "struct mt7925_wow_pattern_tlv" with +firmware to ensure proper functionality. + +Cc: stable@vger.kernel.org +Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250116055925.3856856-1-mingyen.hsieh@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h +@@ -566,8 +566,8 @@ struct mt7925_wow_pattern_tlv { + u8 offset; + u8 mask[MT76_CONNAC_WOW_MASK_MAX_LEN]; + u8 pattern[MT76_CONNAC_WOW_PATTEN_MAX_LEN]; +- u8 rsv[7]; +-} __packed; ++ u8 rsv[4]; ++}; + + struct roc_acquire_tlv { + __le16 tag; diff --git a/queue-6.12/wifi-mt76-mt7925-fix-country-count-limitation-for-clc.patch b/queue-6.12/wifi-mt76-mt7925-fix-country-count-limitation-for-clc.patch new file mode 100644 index 0000000000..11b4aed532 --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7925-fix-country-count-limitation-for-clc.patch @@ -0,0 +1,43 @@ +From 6458d760a0c0afd2fda11e83ed3e1125a252432f Mon Sep 17 00:00:00 2001 +From: Ming Yen Hsieh +Date: Thu, 16 Jan 2025 14:21:31 +0800 +Subject: wifi: mt76: mt7925: fix country count limitation for CLC + +From: Ming Yen Hsieh + +commit 6458d760a0c0afd2fda11e83ed3e1125a252432f upstream. + +Due to the increase in the number of power tables for 6Ghz on CLC, +the variable nr_country is no longer sufficient to represent the +total quantity. Therefore, we have switched to calculating the +length of clc buf to obtain the correct power table. + +Cc: stable@vger.kernel.org +Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250116062131.3860198-1-mingyen.hsieh@mediatek.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c +@@ -3119,13 +3119,14 @@ __mt7925_mcu_set_clc(struct mt792x_dev * + .env = env_cap, + }; + int ret, valid_cnt = 0; +- u8 i, *pos; ++ u8 *pos, *last_pos; + + if (!clc) + return 0; + + pos = clc->data + sizeof(*seg) * clc->nr_seg; +- for (i = 0; i < clc->nr_country; i++) { ++ last_pos = clc->data + le32_to_cpu(*(__le32 *)(clc->data + 4)); ++ while (pos < last_pos) { + struct mt7925_clc_rule *rule = (struct mt7925_clc_rule *)pos; + + pos += sizeof(*rule); diff --git a/queue-6.12/wifi-mt76-mt7925-fix-the-wrong-link_idx-when-a-p2p_device-is-present.patch b/queue-6.12/wifi-mt76-mt7925-fix-the-wrong-link_idx-when-a-p2p_device-is-present.patch new file mode 100644 index 0000000000..58f38bbdf7 --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7925-fix-the-wrong-link_idx-when-a-p2p_device-is-present.patch @@ -0,0 +1,87 @@ +From 4bada9b0a29c185d45cc9512509edd6069fbfa79 Mon Sep 17 00:00:00 2001 +From: Ming Yen Hsieh +Date: Tue, 4 Mar 2025 16:08:47 -0800 +Subject: wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present + +From: Ming Yen Hsieh + +commit 4bada9b0a29c185d45cc9512509edd6069fbfa79 upstream. + +When the p2p device and MLO station are running concurrently, the p2p device +will occupy the wrong link_idx when the MLO secondary link is added. + +Fixes: 9e4c3a007f01 ("wifi: mt76: connac: Extend mt76_connac_mcu_uni_add_dev for MLO") +Cc: stable@vger.kernel.org +Co-developed-by: Sean Wang +Signed-off-by: Sean Wang +Tested-by: Caleb Jorden +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250305000851.493671-2-sean.wang@kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt76.h | 1 + + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++-- + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 14 ++++++++++---- + 3 files changed, 13 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt76.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76.h +@@ -755,6 +755,7 @@ struct mt76_testmode_data { + + struct mt76_vif { + u8 idx; ++ u8 link_idx; + u8 omac_idx; + u8 band_idx; + u8 wmm_idx; +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -1164,7 +1164,7 @@ int mt76_connac_mcu_uni_add_dev(struct m + .tag = cpu_to_le16(DEV_INFO_ACTIVE), + .len = cpu_to_le16(sizeof(struct req_tlv)), + .active = enable, +- .link_idx = mvif->idx, ++ .link_idx = mvif->link_idx, + }, + }; + struct { +@@ -1187,7 +1187,7 @@ int mt76_connac_mcu_uni_add_dev(struct m + .bmc_tx_wlan_idx = cpu_to_le16(wcid->idx), + .sta_idx = cpu_to_le16(wcid->idx), + .conn_state = 1, +- .link_idx = mvif->idx, ++ .link_idx = mvif->link_idx, + }, + }; + int err, idx, cmd, len; +--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c +@@ -356,10 +356,15 @@ static int mt7925_mac_link_bss_add(struc + struct mt76_txq *mtxq; + int idx, ret = 0; + +- mconf->mt76.idx = __ffs64(~dev->mt76.vif_mask); +- if (mconf->mt76.idx >= MT792x_MAX_INTERFACES) { +- ret = -ENOSPC; +- goto out; ++ if (vif->type == NL80211_IFTYPE_P2P_DEVICE) { ++ mconf->mt76.idx = MT792x_MAX_INTERFACES; ++ } else { ++ mconf->mt76.idx = __ffs64(~dev->mt76.vif_mask); ++ ++ if (mconf->mt76.idx >= MT792x_MAX_INTERFACES) { ++ ret = -ENOSPC; ++ goto out; ++ } + } + + mconf->mt76.omac_idx = ieee80211_vif_is_mld(vif) ? +@@ -367,6 +372,7 @@ static int mt7925_mac_link_bss_add(struc + mconf->mt76.band_idx = 0xff; + mconf->mt76.wmm_idx = ieee80211_vif_is_mld(vif) ? + 0 : mconf->mt76.idx % MT76_CONNAC_MAX_WMM_SETS; ++ mconf->mt76.link_idx = hweight16(mvif->valid_links); + + if (mvif->phy->mt76->chandef.chan->band != NL80211_BAND_2GHZ) + mconf->mt76.basic_rates_idx = MT792x_BASIC_RATES_TBL + 4; diff --git a/queue-6.12/wifi-mt76-mt7925-fix-the-wrong-simultaneous-cap-for-mlo.patch b/queue-6.12/wifi-mt76-mt7925-fix-the-wrong-simultaneous-cap-for-mlo.patch new file mode 100644 index 0000000000..181e60749d --- /dev/null +++ b/queue-6.12/wifi-mt76-mt7925-fix-the-wrong-simultaneous-cap-for-mlo.patch @@ -0,0 +1,41 @@ +From 7dcea6fe33ee3d7cbb65baee0dd7adc76d1c9ddc Mon Sep 17 00:00:00 2001 +From: Ming Yen Hsieh +Date: Tue, 4 Mar 2025 16:08:48 -0800 +Subject: wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO + +From: Ming Yen Hsieh + +commit 7dcea6fe33ee3d7cbb65baee0dd7adc76d1c9ddc upstream. + +The mt7925 chip is only support a single radio, so the maximum +number of simultaneous should be 0. + +Fixes: 86c051f2c418 ("wifi: mt76: mt7925: enabling MLO when the firmware supports it") +Cc: stable@vger.kernel.org +Co-developed-by: Sean Wang +Signed-off-by: Sean Wang +Tested-by: Caleb Jorden +Signed-off-by: Ming Yen Hsieh +Link: https://patch.msgid.link/20250305000851.493671-3-sean.wang@kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7925/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c +index 676882f3928e..dd886b39f550 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c +@@ -256,7 +256,7 @@ int mt7925_init_mlo_caps(struct mt792x_phy *phy) + + ext_capab[0].eml_capabilities = phy->eml_cap; + ext_capab[0].mld_capa_and_ops = +- u16_encode_bits(1, IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS); ++ u16_encode_bits(0, IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS); + + wiphy->flags |= WIPHY_FLAG_SUPPORTS_MLO; + wiphy->iftype_ext_capab = ext_capab; +-- +2.49.0 + diff --git a/queue-6.12/xenfs-xensyms-respect-hypervisor-s-next-indication.patch b/queue-6.12/xenfs-xensyms-respect-hypervisor-s-next-indication.patch new file mode 100644 index 0000000000..2359a9d688 --- /dev/null +++ b/queue-6.12/xenfs-xensyms-respect-hypervisor-s-next-indication.patch @@ -0,0 +1,48 @@ +From 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Wed, 12 Mar 2025 16:32:45 +0100 +Subject: xenfs/xensyms: respect hypervisor's "next" indication + +From: Jan Beulich + +commit 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 upstream. + +The interface specifies the symnum field as an input and output; the +hypervisor sets it to the next sequential symbol's index. xensyms_next() +incrementing the position explicitly (and xensyms_next_sym() +decrementing it to "rewind") is only correct as long as the sequence of +symbol indexes is non-sparse. Use the hypervisor-supplied value instead +to update the position in xensyms_next(), and use the saved incoming +index in xensyms_next_sym(). + +Cc: stable@kernel.org +Fixes: a11f4f0a4e18 ("xen: xensyms support") +Signed-off-by: Jan Beulich +Reviewed-by: Juergen Gross +Message-ID: <15d5e7fa-ec5d-422f-9319-d28bed916349@suse.com> +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xenfs/xensyms.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/xen/xenfs/xensyms.c ++++ b/drivers/xen/xenfs/xensyms.c +@@ -48,7 +48,7 @@ static int xensyms_next_sym(struct xensy + return -ENOMEM; + + set_xen_guest_handle(symdata->name, xs->name); +- symdata->symnum--; /* Rewind */ ++ symdata->symnum = symnum; /* Rewind */ + + ret = HYPERVISOR_platform_op(&xs->op); + if (ret < 0) +@@ -78,7 +78,7 @@ static void *xensyms_next(struct seq_fil + { + struct xensyms *xs = m->private; + +- xs->op.u.symdata.symnum = ++(*pos); ++ *pos = xs->op.u.symdata.symnum; + + if (xensyms_next_sym(xs)) + return NULL;