From: Greg Kroah-Hartman
Date: Thu, 17 Apr 2025 10:58:59 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v6.12.24~88
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a0c67e6aa7bb48d01cbdfb4267e2d0e15baad110;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
arm64-cputype-add-midr_cortex_a76ae.patch
arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch
asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch
clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch
ext4-fix-off-by-one-error-in-do_split.patch
media-i2c-adv748x-fix-test-pattern-selection-mask.patch
media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch
media-i2c-ov7251-set-enable-gpio-low-in-probe.patch
media-siano-fix-error-handling-in-smsdvb_module_init.patch
media-streamzap-prevent-processing-ir-data-on-urb-failure.patch
media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch
media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch
media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch
media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch
media-vim2m-print-device-name-after-registering-device.patch
mtd-rawnand-brcmnand-fix-pm-resume-warning.patch
mtd-replace-kcalloc-with-devm_kcalloc.patch
net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch
spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch
vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch
wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch
xenfs-xensyms-respect-hypervisor-s-next-indication.patch
---
diff --git a/queue-5.10/arm64-cputype-add-midr_cortex_a76ae.patch b/queue-5.10/arm64-cputype-add-midr_cortex_a76ae.patch
new file mode 100644
index 0000000000..d8e65ad68b
--- /dev/null
+++ b/queue-5.10/arm64-cputype-add-midr_cortex_a76ae.patch
@@ -0,0 +1,39 @@
+From a9b5bd81b294d30a747edd125e9f6aef2def7c79 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Tue, 7 Jan 2025 12:06:01 -0800
+Subject: arm64: cputype: Add MIDR_CORTEX_A76AE
+
+From: Douglas Anderson
+
+commit a9b5bd81b294d30a747edd125e9f6aef2def7c79 upstream.
+
+>From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an
+implementor of 0x41 (ARM). Add the values.
+
+Cc: stable@vger.kernel.org # dependency of the next fix in the series
+Signed-off-by: Douglas Anderson
+Link: https://lore.kernel.org/r/20250107120555.v4.4.I151f3b7ee323bcc3082179b8c60c3cd03308aa94@changeid
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -74,6 +74,7 @@
+ #define ARM_CPU_PART_CORTEX_A76 0xD0B
+ #define ARM_CPU_PART_NEOVERSE_N1 0xD0C
+ #define ARM_CPU_PART_CORTEX_A77 0xD0D
++#define ARM_CPU_PART_CORTEX_A76AE 0xD0E
+ #define ARM_CPU_PART_NEOVERSE_V1 0xD40
+ #define ARM_CPU_PART_CORTEX_A78 0xD41
+ #define ARM_CPU_PART_CORTEX_A78AE 0xD42
+@@ -137,6 +138,7 @@
+ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76)
+ #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1)
+ #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77)
++#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE)
+ #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1)
+ #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78)
+ #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
diff --git a/queue-5.10/arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch b/queue-5.10/arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch
new file mode 100644
index 0000000000..8995cc4083
--- /dev/null
+++ b/queue-5.10/arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch
@@ -0,0 +1,38 @@
+From ed1ce841245d8febe3badf51c57e81c3619d0a1d Mon Sep 17 00:00:00 2001
+From: Douglas Anderson
+Date: Tue, 7 Jan 2025 12:05:58 -0800
+Subject: arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
+
+From: Douglas Anderson
+
+commit ed1ce841245d8febe3badf51c57e81c3619d0a1d upstream.
+
+Qualcomm Kryo 400-series Gold cores have a derivative of an ARM Cortex
+A76 in them. Since A76 needs Spectre mitigation via looping then the
+Kyro 400-series Gold cores also need Spectre mitigation via looping.
+
+Qualcomm has confirmed that the proper "k" value for Kryo 400-series
+Gold cores is 24.
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Cc: Scott Bauer
+Signed-off-by: Douglas Anderson
+Acked-by: Trilok Soni
+Link: https://lore.kernel.org/r/20250107120555.v4.1.Ie4ef54abe02e7eb0eee50f830575719bf23bda48@changeid
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/proton-pack.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -874,6 +874,7 @@ u8 spectre_bhb_loop_affected(int scope)
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k11_list[] = {
diff --git a/queue-5.10/asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch b/queue-5.10/asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch
new file mode 100644
index 0000000000..6891d40d28
--- /dev/null
+++ b/queue-5.10/asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch
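Review bot: The new `MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD)` entry in `spectre_bhb_k24_list` (arch/arm64/kernel/proton-pack.c) is the only non-ARM part in the visible list, and nothing at the entry records where its loop count comes from. A trailing comment such as `/* Cortex-A76 derivative; k = 24 confirmed by Qualcomm */` would keep that provenance next to the mitigation table instead of only in the commit log. The table matches by MIDR, so a Kryo variant that is not listed gets whatever the rest of spectre_bhb_loop_affected() decides; that body starts and ends outside the hunk.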
@@ -0,0 +1,110 @@
+From 7eccc86e90f04a0d758d16c08627a620ac59604d Mon Sep 17 00:00:00 2001
+From: Alexey Klimov
+Date: Thu, 27 Mar 2025 15:46:50 +0000
+Subject: ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
+
+From: Alexey Klimov
+
+commit 7eccc86e90f04a0d758d16c08627a620ac59604d upstream.
+
+In case of attempts to compress playback something, for instance,
+when audio routing is not set up correctly, the audio DSP is left in
+inconsistent state because we are not doing the correct things in
+the error path of q6asm_dai_compr_set_params().
+
+So, when routing is not set up and compress playback is attempted
+the following errors are present (simplified log):
+
+q6routing routing: Routing not setup for MultiMedia-1 Session
+q6asm-dai dais: Stream reg failed ret:-22
+q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
+on 17300000.remoteproc:glink-edge:apr:service@7:dais
+
+After setting the correct routing the compress playback will always fail:
+
+q6asm-dai dais: cmd = 0x10db3 returned error = 0x9
+q6asm-dai dais: DSP returned error[9]
+q6asm-dai dais: q6asm_open_write failed
+q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
+on 17300000.remoteproc:glink-edge:apr:service@7:dais
+
+0x9 here means "Operation is already processed". The CMD_OPEN here was
+sent the second time hence DSP responds that it was already done.
+
+Turns out the CMD_CLOSE should be sent after the q6asm_open_write()
+succeeded but something failed after that, for instance, routing
+setup.
+
+Fix this by slightly reworking the error path in
+q6asm_dai_compr_set_params().
+
+Tested on QRB5165 RB5 and SDM845 RB3 boards.
+
+Cc: stable@vger.kernel.org
+Fixes: 5b39363e54cc ("ASoC: q6asm-dai: prepare set params to accept profile change")
+Cc: Srinivas Kandagatla
+Cc: Vinod Koul
+Cc: Pierre-Louis Bossart
+Signed-off-by: Alexey Klimov
+Reviewed-by: Srinivas Kandagatla
+Link: https://patch.msgid.link/20250327154650.337404-1-alexey.klimov@linaro.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
+@@ -916,9 +916,7 @@ static int q6asm_dai_compr_set_params(st
+
+ if (ret < 0) {
+ dev_err(dev, "q6asm_open_write failed\n");
+- q6asm_audio_client_free(prtd->audio_client);
+- prtd->audio_client = NULL;
+- return ret;
++ goto open_err;
+ }
+ }
+
+@@ -927,7 +925,7 @@ static int q6asm_dai_compr_set_params(st
+ prtd->session_id, dir);
+ if (ret) {
+ dev_err(dev, "Stream reg failed ret:%d\n", ret);
+- return ret;
++ goto q6_err;
+ }
+
+ ret = __q6asm_dai_compr_set_codec_params(component, stream,
+@@ -935,7 +933,7 @@ static int q6asm_dai_compr_set_params(st
+ prtd->stream_id);
+ if (ret) {
+ dev_err(dev, "codec param setup failed ret:%d\n", ret);
+- return ret;
++ goto q6_err;
+ }
+
+ ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
+@@ -944,12 +942,21 @@ static int q6asm_dai_compr_set_params(st
+
+ if (ret < 0) {
+ dev_err(dev, "Buffer Mapping failed ret:%d\n", ret);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto q6_err;
+ }
+
+ prtd->state = Q6ASM_STREAM_RUNNING;
+
+ return 0;
++
++q6_err:
++ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
++
++open_err:
++ q6asm_audio_client_free(prtd->audio_client);
++ prtd->audio_client = NULL;
++ return ret;
+ }
+
+ static int q6asm_dai_compr_set_metadata(struct snd_soc_component *component,
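Review bot: In q6asm_dai_compr_set_params() the new `q6_err:` label discards the result of `q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE)`, so if the close itself fails the DSP stays in the inconsistent state the commit message describes and nothing is logged. At minimum report it: `if (q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE) < 0) dev_err(dev, "CMD_CLOSE failed\n");`. The q6asm_open_write() call sits inside a conditional block whose condition is outside the hunk, so `q6_err` presumably can also run for a stream this call did not open. It is worth confirming that closing and freeing `prtd->audio_client` is intended on that path too, and that later callbacks tolerate `prtd->audio_client == NULL`.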
diff --git a/queue-5.10/clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch b/queue-5.10/clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch
new file mode 100644
index 0000000000..f78e246b82
--- /dev/null
+++ b/queue-5.10/clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch
@@ -0,0 +1,38 @@
+From 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 Mon Sep 17 00:00:00 2001
+From: Alexandre Torgue
+Date: Thu, 6 Mar 2025 11:25:01 +0100
+Subject: clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
+
+From: Alexandre Torgue
+
+commit 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 upstream.
+
+"wakeup-source" property describes a device which has wakeup capability
+but should not force this device as a wakeup source.
+
+Fixes: 48b41c5e2de6 ("clocksource: Add Low Power STM32 timers driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandre Torgue
+Signed-off-by: Fabrice Gasnier
+Rule: add
+Link: https://lore.kernel.org/stable/20250306083407.2374894-1-fabrice.gasnier%40foss.st.com
+Link: https://lore.kernel.org/r/20250306102501.2980153-1-fabrice.gasnier@foss.st.com
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clocksource/timer-stm32-lp.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/clocksource/timer-stm32-lp.c
++++ b/drivers/clocksource/timer-stm32-lp.c
+@@ -168,9 +168,7 @@ static int stm32_clkevent_lp_probe(struc
+ }
+
+ if (of_property_read_bool(pdev->dev.parent->of_node, "wakeup-source")) {
+- ret = device_init_wakeup(&pdev->dev, true);
+- if (ret)
+- goto out_clk_disable;
++ device_set_wakeup_capable(&pdev->dev, true);
+
+ ret = dev_pm_set_wake_irq(&pdev->dev, irq);
+ if (ret)
diff --git a/queue-5.10/ext4-fix-off-by-one-error-in-do_split.patch b/queue-5.10/ext4-fix-off-by-one-error-in-do_split.patch
new file mode 100644
index 0000000000..53624308fd
--- /dev/null
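Review bot: The call site in stm32_clkevent_lp_probe() gives no reason for using `device_set_wakeup_capable()` rather than the more common `device_init_wakeup()`, so the next cleanup could easily switch it back. A one-line comment above the call, e.g. `/* "wakeup-source" means wakeup-capable; do not force-enable the device as a wakeup source */`, would record the intent stated in the commit message. The probe function's error labels are outside the hunk.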
+++ b/queue-5.10/ext4-fix-off-by-one-error-in-do_split.patch 
@@ -0,0 +1,82 @@
+From 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d Mon Sep 17 00:00:00 2001
+From: Artem Sadovnikov
+Date: Fri, 4 Apr 2025 08:28:05 +0000
+Subject: ext4: fix off-by-one error in do_split
+
+From: Artem Sadovnikov
+
+commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.
+
+Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
+caused by out-of-bounds access due to incorrect splitting in do_split.
+
+BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
+Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
+
+CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
+ add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
+ make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
+ ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
+ ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
+ ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
+ vfs_symlink+0x137/0x2e0 fs/namei.c:4615
+ do_symlinkat+0x222/0x3a0 fs/namei.c:4641
+ __do_sys_symlink fs/namei.c:4662 [inline]
+ __se_sys_symlink fs/namei.c:4660 [inline]
+ __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+
+The following loop is located right above 'if' statement.
+
+for (i = count-1; i >= 0; i--) {
+ /* is more than half of this entry in 2nd half of the block? */
+ if (size + map[i].size/2 > blocksize/2)
+ break;
+ size += map[i].size;
+ move++;
+}
+
+'i' in this case could go down to -1, in which case sum of active entries
+wouldn't exceed half the block size, but previous behaviour would also do
+split in half if sum would exceed at the very last block, which in case of
+having too many long name files in a single block could lead to
+out-of-bounds access and following use-after-free.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Cc: stable@vger.kernel.org
+Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
+Signed-off-by: Artem Sadovnikov
+Reviewed-by: Jan Kara
+Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1930,7 +1930,7 @@ static struct ext4_dir_entry_2 *do_split
+ * split it in half by count; each resulting block will have at least
+ * half the space free.
+ */
+- if (i > 0)
++ if (i >= 0)
+ split = count - move;
+ else
+ split = count/2;
diff --git a/queue-5.10/media-i2c-adv748x-fix-test-pattern-selection-mask.patch b/queue-5.10/media-i2c-adv748x-fix-test-pattern-selection-mask.patch
new file mode 100644
index 0000000000..d23f2d10b7
--- /dev/null
+++ b/queue-5.10/media-i2c-adv748x-fix-test-pattern-selection-mask.patch
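Review bot: The corrected test `if (i >= 0)` in do_split() (fs/ext4/namei.c) depends on the exit value of a loop that is not part of the hunk, and the comment above it only explains the split-by-count fallback. A line at the test such as `/* i == -1: the loop ran off the front, every entry fits in half a block */` would make the boundary explicit. That matters because the commit message ties the earlier `i > 0` form to the KASAN out-of-bounds write. do_split()'s body starts and ends outside the hunk, so whether `split` is range-checked against `count` before it is used cannot be seen here.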
@@ -0,0 +1,44 @@
+From 9e38acacb9d809b97a0bdc5c76e725355a47158a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niklas=20S=C3=B6derlund?=
+
+Date: Tue, 21 Jan 2025 21:44:00 +0100
+Subject: media: i2c: adv748x: Fix test pattern selection mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund
+
+commit 9e38acacb9d809b97a0bdc5c76e725355a47158a upstream.
+
+The mask to select the test-pattern in register ADV748X_SDP_FRP is
+incorrect, it's the lower 3 bits which controls the pattern. The
+GENMASK() macro is used incorrectly and the generated mask is 0x0e
+instead of 0x07.
+
+The result is that not all test patterns are selectable, and that in
+some cases the wrong test pattern is activated. Fix this by correcting
+the GENMASK().
+
+Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niklas Söderlund
+Reviewed-by: Kieran Bingham
+Signed-off-by: Hans Verkuil
+[hverkuil: fixed tiny typo in commit log: my -> by]
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/adv748x/adv748x.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/adv748x/adv748x.h
++++ b/drivers/media/i2c/adv748x/adv748x.h
+@@ -322,7 +322,7 @@ struct adv748x_state {
+
+ /* Free run pattern select */
+ #define ADV748X_SDP_FRP 0x14
+-#define ADV748X_SDP_FRP_MASK GENMASK(3, 1)
++#define ADV748X_SDP_FRP_MASK GENMASK(2, 0)
+
+ /* Saturation */
+ #define ADV748X_SDP_SD_SAT_U 0xe3 /* user_map_rw_reg_e3 */
diff --git a/queue-5.10/media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch b/queue-5.10/media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch
new file mode 100644
index 0000000000..7f0018110d
--- /dev/null
+++ b/queue-5.10/media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch
@@ -0,0 +1,33 @@
+From 3d391292cdd53984ec1b9a1f6182a62a62751e03 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Fri, 17 Jan 2025 16:04:02 +0200
+Subject: media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
+
+From: Sakari Ailus
+
+commit 3d391292cdd53984ec1b9a1f6182a62a62751e03 upstream.
+
+Lift the xshutdown (enable) GPIO 1 ms after enabling the regulators, as
+required by the sensor's power-up sequence.
+
+Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus
+Reviewed-by: Dave Stevenson
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/ov7251.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/ov7251.c
++++ b/drivers/media/i2c/ov7251.c
+@@ -748,6 +748,8 @@ static int ov7251_set_power_on(struct ov
+ return ret;
+ }
+
++ usleep_range(1000, 1100);
++
+ gpiod_set_value_cansleep(ov7251->enable_gpio, 1);
+
+ /* wait at least 65536 external clock cycles */
diff --git a/queue-5.10/media-i2c-ov7251-set-enable-gpio-low-in-probe.patch b/queue-5.10/media-i2c-ov7251-set-enable-gpio-low-in-probe.patch
new file mode 100644
index 0000000000..6078638600
--- /dev/null
+++ b/queue-5.10/media-i2c-ov7251-set-enable-gpio-low-in-probe.patch
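Review bot: The added `usleep_range(1000, 1100);` in ov7251_set_power_on() is a bare magic delay, while the wait that follows it in the same hunk is commented (`/* wait at least 65536 external clock cycles */`). Give the new one the same treatment, e.g. `/* power-up sequence: hold xshutdown low for 1 ms after the regulators are enabled */`, so the timing requirement is not mistaken for a leftover debug sleep. The function starts and ends outside the hunk.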
@@ -0,0 +1,32 @@
+From a1963698d59cec83df640ded343af08b76c8e9c5 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Fri, 17 Jan 2025 15:38:13 +0200
+Subject: media: i2c: ov7251: Set enable GPIO low in probe
+
+From: Sakari Ailus
+
+commit a1963698d59cec83df640ded343af08b76c8e9c5 upstream.
+
+Set the enable GPIO low when acquiring it.
+
+Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus
+Reviewed-by: Dave Stevenson
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/ov7251.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ov7251.c
++++ b/drivers/media/i2c/ov7251.c
+@@ -1330,7 +1330,7 @@ static int ov7251_probe(struct i2c_clien
+ return PTR_ERR(ov7251->analog_regulator);
+ }
+
+- ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_HIGH);
++ ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW);
+ if (IS_ERR(ov7251->enable_gpio)) {
+ dev_err(dev, "cannot get enable gpio\n");
+ return PTR_ERR(ov7251->enable_gpio);
diff --git a/queue-5.10/media-siano-fix-error-handling-in-smsdvb_module_init.patch b/queue-5.10/media-siano-fix-error-handling-in-smsdvb_module_init.patch
new file mode 100644
index 0000000000..63cf8f40c0
--- /dev/null
+++ b/queue-5.10/media-siano-fix-error-handling-in-smsdvb_module_init.patch
@@ -0,0 +1,35 @@
+From 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d Mon Sep 17 00:00:00 2001
+From: Yuan Can
+Date: Tue, 22 Oct 2024 14:50:37 +0800
+Subject: media: siano: Fix error handling in smsdvb_module_init()
+
+From: Yuan Can
+
+commit 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d upstream.
+
+The smsdvb_module_init() returns without checking the retval from
+smscore_register_hotplug().
+If the smscore_register_hotplug() failed, the module failed to install,
+leaving the smsdvb_debugfs not unregistered.
+
+Fixes: 3f6b87cff66b ("[media] siano: allow showing the complete statistics via debugfs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuan Can
+Acked-by: Ricardo Ribalda
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/common/siano/smsdvb-main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/common/siano/smsdvb-main.c
++++ b/drivers/media/common/siano/smsdvb-main.c
+@@ -1210,6 +1210,8 @@ static int __init smsdvb_module_init(voi
+ smsdvb_debugfs_register();
+
+ rc = smscore_register_hotplug(smsdvb_hotplug);
++ if (rc)
++ smsdvb_debugfs_unregister();
+
+ pr_debug("\n");
+
+
diff --git a/queue-5.10/media-streamzap-prevent-processing-ir-data-on-urb-failure.patch b/queue-5.10/media-streamzap-prevent-processing-ir-data-on-urb-failure.patch
new file mode 100644
index 0000000000..5f6c17cf74
--- /dev/null
+++ b/queue-5.10/media-streamzap-prevent-processing-ir-data-on-urb-failure.patch
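Review bot: In smsdvb_module_init() a failing `smscore_register_hotplug()` now unwinds debugfs but still leaves no trace in the log; the only message after it is the empty `pr_debug("\n")`. Add `pr_err("smscore_register_hotplug failed: %d\n", rc);` inside the new `if (rc)` branch (which then needs braces) so a failed module load can be diagnosed. The function's return statement is outside the hunk, so it is assumed that `rc` is what gets returned.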
@@ -0,0 +1,116 @@
+From 549f6d348167fb2f7800ed7c8d4bce9630c74498 Mon Sep 17 00:00:00 2001
+From: Murad Masimov
+Date: Mon, 13 Jan 2025 13:51:31 +0300
+Subject: media: streamzap: prevent processing IR data on URB failure
+
+From: Murad Masimov
+
+commit 549f6d348167fb2f7800ed7c8d4bce9630c74498 upstream.
+
+If streamzap_callback() receives an urb with any non-critical error
+status, i.e. any error code other than -ECONNRESET, -ENOENT or -ESHUTDOWN,
+it will try to process IR data, ignoring a possible transfer failure.
+
+Make streamzap_callback() process IR data only when urb->status is 0.
+Move processing logic to a separate function to make code cleaner and
+more similar to the URB completion handlers in other RC drivers.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 19770693c354 ("V4L/DVB: staging/lirc: add lirc_streamzap driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Murad Masimov
+Signed-off-by: Sean Young
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/rc/streamzap.c | 68 ++++++++++++++++++++++++-------------------
+ 1 file changed, 38 insertions(+), 30 deletions(-)
+
+--- a/drivers/media/rc/streamzap.c
++++ b/drivers/media/rc/streamzap.c
+@@ -179,39 +179,10 @@ static void sz_push_half_space(struct st
+ sz_push_full_space(sz, value & SZ_SPACE_MASK);
+ }
+
+-/*
+- * streamzap_callback - usb IRQ handler callback
+- *
+- * This procedure is invoked on reception of data from
+- * the usb remote.
+- */
+-static void streamzap_callback(struct urb *urb)
++static void sz_process_ir_data(struct streamzap_ir *sz, int len)
+ {
+- struct streamzap_ir *sz;
+ unsigned int i;
+- int len;
+-
+- if (!urb)
+- return;
+-
+- sz = urb->context;
+- len = urb->actual_length;
+-
+- switch (urb->status) {
+- case -ECONNRESET:
+- case -ENOENT:
+- case -ESHUTDOWN:
+- /*
+- * this urb is terminated, clean up.
+- * sz might already be invalid at this point
+- */
+- dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
+- return;
+- default:
+- break;
+- }
+
+- dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
+ for (i = 0; i < len; i++) {
+ dev_dbg(sz->dev, "sz->buf_in[%d]: %x\n",
+ i, (unsigned char)sz->buf_in[i]);
+@@ -264,6 +235,43 @@ static void streamzap_callback(struct ur
+ }
+
+ ir_raw_event_handle(sz->rdev);
++}
++
++/*
++ * streamzap_callback - usb IRQ handler callback
++ *
++ * This procedure is invoked on reception of data from
++ * the usb remote.
++ */
++static void streamzap_callback(struct urb *urb)
++{
++ struct streamzap_ir *sz;
++ int len;
++
++ if (!urb)
++ return;
++
++ sz = urb->context;
++ len = urb->actual_length;
++
++ switch (urb->status) {
++ case 0:
++ dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
++ sz_process_ir_data(sz, len);
++ break;
++ case -ECONNRESET:
++ case -ENOENT:
++ case -ESHUTDOWN:
++ /*
++ * this urb is terminated, clean up.
++ * sz might already be invalid at this point
++ */
++ dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
++ return;
++ default:
++ break;
++ }
++
+ usb_submit_urb(urb, GFP_ATOMIC);
+
+ return;
diff --git a/queue-5.10/media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch b/queue-5.10/media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch
new file mode 100644
index 0000000000..799aa7bec6
--- /dev/null
+++ b/queue-5.10/media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch
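Review bot: In the rewritten streamzap_callback() the `-ECONNRESET`/`-ENOENT`/`-ESHUTDOWN` branch still calls `dev_err(sz->dev, ...)` directly under a comment that says `sz might already be invalid at this point`; if the comment is accurate, that is a read through a stale pointer during teardown. Either drop the comment (if `sz` is guaranteed to outlive the URB) or log through the URB's own device, `dev_err(&urb->dev->dev, "urb terminated, status: %d\n", urb->status);`. The `default:` branch also resubmits after every other error status with the result of `usb_submit_urb(urb, GFP_ATOMIC)` ignored, so a persistently failing endpoint is retried silently. A rate-limited log of the status and of a failed resubmit would make that visible.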
@@ -0,0 +1,48 @@
+From 3edd1fc48d2c045e8259561797c89fe78f01717e Mon Sep 17 00:00:00 2001
+From: Karina Yankevich
+Date: Wed, 21 Aug 2024 14:31:34 +0300
+Subject: media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
+
+From: Karina Yankevich
+
+commit 3edd1fc48d2c045e8259561797c89fe78f01717e upstream.
+
+In v4l2_detect_gtf(), it seems safer to cast the 32-bit image_width
+variable to the 64-bit type u64 before multiplying to avoid
+a possible overflow. The resulting object code even seems to
+look better, at least on x86_64.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+[Sergey: rewrote the patch subject/descripition]
+
+Fixes: c9bc9f50753d ("[media] v4l2-dv-timings: fix overflow in gtf timings calculation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Karina Yankevich
+Signed-off-by: Sergey Shtylyov
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -764,7 +764,7 @@ bool v4l2_detect_gtf(unsigned int frame_
+ u64 num;
+ u32 den;
+
+- num = ((image_width * GTF_D_C_PRIME * (u64)hfreq) -
++ num = (((u64)image_width * GTF_D_C_PRIME * hfreq) -
+ ((u64)image_width * GTF_D_M_PRIME * 1000));
+ den = (hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) *
+ (2 * GTF_CELL_GRAN);
+@@ -774,7 +774,7 @@ bool v4l2_detect_gtf(unsigned int frame_
+ u64 num;
+ u32 den;
+
+- num = ((image_width * GTF_S_C_PRIME * (u64)hfreq) -
++ num = (((u64)image_width * GTF_S_C_PRIME * hfreq) -
+ ((u64)image_width * GTF_S_M_PRIME * 1000));
+ den = (hfreq * (100 - GTF_S_C_PRIME) + GTF_S_M_PRIME * 1000) *
+ (2 * GTF_CELL_GRAN);
diff --git a/queue-5.10/media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch b/queue-5.10/media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch
new file mode 100644
index 0000000000..61b03900f5
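Review bot: Only `num` is widened in v4l2_detect_gtf(); the divisor two lines below, `den = (hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) * (2 * GTF_CELL_GRAN);`, is still computed and stored as `u32` in both hunks (the `GTF_S_*` one as well), so a large `hfreq` would wrap the denominator instead of the numerator. `num` is also an unsigned difference and wraps if the `*_M_PRIME * 1000` product exceeds the `*_C_PRIME * hfreq` product, which a very small `hfreq` would cause. If `hfreq` is not range-checked earlier in the function (outside these hunks), reject out-of-range values before this block rather than relying on the cast alone.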
--- /dev/null
+++ b/queue-5.10/media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch
@@ -0,0 +1,54 @@
+From f4b211714bcc70effa60c34d9fa613d182e3ef1e Mon Sep 17 00:00:00 2001
+From: Vikash Garodia
+Date: Thu, 20 Feb 2025 22:50:11 +0530
+Subject: media: venus: hfi: add a check to handle OOB in sfr region
+
+From: Vikash Garodia
+
+commit f4b211714bcc70effa60c34d9fa613d182e3ef1e upstream.
+
+sfr->buf_size is in shared memory and can be modified by malicious user.
+OOB write is possible when the size is made higher than actual sfr data
+buffer. Cap the size to allocated size for such cases.
+
+Cc: stable@vger.kernel.org
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Reviewed-by: Bryan O'Donoghue
+Signed-off-by: Vikash Garodia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -978,18 +978,26 @@ static void venus_sfr_print(struct venus
+ {
+ struct device *dev = hdev->core->dev;
+ struct hfi_sfr *sfr = hdev->sfr.kva;
++ u32 size;
+ void *p;
+
+ if (!sfr)
+ return;
+
+- p = memchr(sfr->data, '\0', sfr->buf_size);
++ size = sfr->buf_size;
++ if (!size)
++ return;
++
++ if (size > ALIGNED_SFR_SIZE)
++ size = ALIGNED_SFR_SIZE;
++
++ p = memchr(sfr->data, '\0', size);
+ /*
+ * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
+ * that Venus is in the process of crashing.
+ */
+ if (!p)
+- sfr->data[sfr->buf_size - 1] = '\0';
++ sfr->data[size - 1] = '\0';
+
+ dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);
+ }
diff --git a/queue-5.10/media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch b/queue-5.10/media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch
new file mode 100644
index 0000000000..27229d11ba
--- /dev/null
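Review bot: In venus_sfr_print() the clamp bounds `size` by `ALIGNED_SFR_SIZE`, but `sfr->data` is a member of the same mapping as `sfr->buf_size` (`hdev->sfr.kva`) and presumably starts after it. If `ALIGNED_SFR_SIZE` is the size of the whole SFR allocation (not visible in this hunk), `memchr()` and `sfr->data[size - 1] = '\0'` can still reach a few bytes past the region. Clamping to `ALIGNED_SFR_SIZE - offsetof(struct hfi_sfr, data)` would close that gap. Separately, the final print re-reads firmware-writable memory with an unbounded `%s` after the terminator check. Bounding it removes the dependence on the terminator still being there: `dev_err_ratelimited(dev, "SFR message from FW: %.*s\n", (int)size, sfr->data);`.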
+++ b/queue-5.10/media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch
@@ -0,0 +1,58 @@
+From 69baf245b23e20efda0079238b27fc63ecf13de1 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia
+Date: Thu, 20 Feb 2025 22:50:10 +0530
+Subject: media: venus: hfi: add check to handle incorrect queue size
+
+From: Vikash Garodia
+
+commit 69baf245b23e20efda0079238b27fc63ecf13de1 upstream.
+
+qsize represents size of shared queued between driver and video
+firmware. Firmware can modify this value to an invalid large value. In
+such situation, empty_space will be bigger than the space actually
+available. Since new_wr_idx is not checked, so the following code will
+result in an OOB write.
+...
+qsize = qhdr->q_size
+
+if (wr_idx >= rd_idx)
+ empty_space = qsize - (wr_idx - rd_idx)
+....
+if (new_wr_idx < qsize) {
+ memcpy(wr_ptr, packet, dwords << 2) --> OOB write
+
+Add check to ensure qsize is within the allocated size while
+reading and writing packets into the queue.
+
+Cc: stable@vger.kernel.org
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Reviewed-by: Bryan O'Donoghue
+Signed-off-by: Vikash Garodia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -188,6 +188,9 @@ static int venus_write_queue(struct venu
+ /* ensure rd/wr indices's are read from memory */
+ rmb();
+
++ if (qsize > IFACEQ_QUEUE_SIZE / 4)
++ return -EINVAL;
++
+ if (wr_idx >= rd_idx)
+ empty_space = qsize - (wr_idx - rd_idx);
+ else
+@@ -256,6 +259,9 @@ static int venus_read_queue(struct venus
+ wr_idx = qhdr->write_idx;
+ qsize = qhdr->q_size;
+
++ if (qsize > IFACEQ_QUEUE_SIZE / 4)
++ return -EINVAL;
++
+ /* make sure data is valid before using it */
+ rmb();
+
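Review bot: The new `qsize > IFACEQ_QUEUE_SIZE / 4` test bounds only the queue size, while `wr_idx` and `rd_idx` come from the same firmware-writable header and are not compared with `qsize` in the lines visible here. `empty_space = qsize - (wr_idx - rd_idx)` in venus_write_queue() can therefore still wrap when an index lies beyond the queue. Rejecting those in the same test would cover it in both functions, and would also reject a zero `qsize`: `if (qsize > IFACEQ_QUEUE_SIZE / 4 || wr_idx >= qsize || rd_idx >= qsize) return -EINVAL;`. The two placements also differ, since in venus_read_queue() the check comes before the `rmb()` that in venus_write_queue() precedes it. Both function bodies continue outside the hunks, so index checks may already exist there.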
diff --git a/queue-5.10/media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch b/queue-5.10/media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch
new file mode 100644
index 0000000000..2975b7a631
--- /dev/null
+++ b/queue-5.10/media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch
@@ -0,0 +1,35 @@
+From 172bf5a9ef70a399bb227809db78442dc01d9e48 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia
+Date: Thu, 20 Feb 2025 22:50:08 +0530
+Subject: media: venus: hfi_parser: add check to avoid out of bound access
+
+From: Vikash Garodia
+
+commit 172bf5a9ef70a399bb227809db78442dc01d9e48 upstream.
+
+There is a possibility that init_codecs is invoked multiple times during
+manipulated payload from video firmware. In such case, if codecs_count
+can get incremented to value more than MAX_CODEC_NUM, there can be OOB
+access. Reset the count so that it always starts from beginning.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Reviewed-by: Bryan O'Donoghue
+Signed-off-by: Vikash Garodia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -19,6 +19,8 @@ static void init_codecs(struct venus_cor
+ struct venus_caps *caps = core->caps, *cap;
+ unsigned long bit;
+
++ core->codecs_count = 0;
++
+ if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
+ return;
+
diff --git a/queue-5.10/media-vim2m-print-device-name-after-registering-device.patch b/queue-5.10/media-vim2m-print-device-name-after-registering-device.patch
new file mode 100644
index 0000000000..54bcc3afe3
--- /dev/null
+++ b/queue-5.10/media-vim2m-print-device-name-after-registering-device.patch
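Review bot: `core->codecs_count = 0;` at the top of init_codecs() reads like redundant initialisation unless the reader knows the firmware payload can make the parser enter this function more than once. Say so at the assignment, e.g. `/* may be re-entered on a repeated firmware payload: restart so caps[] is never indexed past MAX_CODEC_NUM */`. The reset also runs before the `> MAX_CODEC_NUM` early return, so on that path the count is left at 0 while entries from an earlier pass presumably remain in `core->caps`. It is worth confirming that no caller treats that combination as valid. The rest of the function is outside the hunk.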
@@ -0,0 +1,46 @@
+From 143d75583f2427f3a97dba62413c4f0604867ebf Mon Sep 17 00:00:00 2001
+From: Matthew Majewski
+Date: Wed, 19 Feb 2025 14:05:01 -0500
+Subject: media: vim2m: print device name after registering device
+
+From: Matthew Majewski
+
+commit 143d75583f2427f3a97dba62413c4f0604867ebf upstream.
+
+Move the v4l2_info() call displaying the video device name after the
+device is actually registered.
+
+This fixes a bug where the driver was always displaying "/dev/video0"
+since it was reading from the vfd before it was registered.
+
+Fixes: cf7f34777a5b ("media: vim2m: Register video device after setting up internals")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthew Majewski
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/test-drivers/vim2m.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/test-drivers/vim2m.c
++++ b/drivers/media/test-drivers/vim2m.c
+@@ -1326,9 +1326,6 @@ static int vim2m_probe(struct platform_d
+ vfd->v4l2_dev = &dev->v4l2_dev;
+
+ video_set_drvdata(vfd, dev);
+- v4l2_info(&dev->v4l2_dev,
+- "Device registered as /dev/video%d\n", vfd->num);
+-
+ platform_set_drvdata(pdev, dev);
+
+ dev->m2m_dev = v4l2_m2m_init(&m2m_ops);
+@@ -1355,6 +1352,9 @@ static int vim2m_probe(struct platform_d
+ goto error_m2m;
+ }
+
++ v4l2_info(&dev->v4l2_dev,
++ "Device registered as /dev/video%d\n", vfd->num);
++
+ #ifdef CONFIG_MEDIA_CONTROLLER
+ ret = v4l2_m2m_register_media_controller(dev->m2m_dev, vfd,
+ MEDIA_ENT_F_PROC_VIDEO_SCALER);
diff --git a/queue-5.10/mtd-rawnand-brcmnand-fix-pm-resume-warning.patch b/queue-5.10/mtd-rawnand-brcmnand-fix-pm-resume-warning.patch
new file mode 100644
index 0000000000..05a3e9053b
--- /dev/null
+++ b/queue-5.10/mtd-rawnand-brcmnand-fix-pm-resume-warning.patch
@@ -0,0 +1,98 @@ +From ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Thu, 27 Feb 2025 12:46:08 -0500 +Subject: mtd: rawnand: brcmnand: fix PM resume warning + +From: Kamal Dasu + +commit ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 upstream. + +Fixed warning on PM resume as shown below caused due to uninitialized +struct nand_operation that checks chip select field : +WARN_ON(op->cs >= nanddev_ntargets(&chip->base) + +[ 14.588522] ------------[ cut here ]------------ +[ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8 +[ 14.588553] Modules linked in: bdc udc_core +[ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16 +[ 14.588590] Tainted: [W]=WARN +[ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree) +[ 14.588598] Call trace: +[ 14.588604] dump_backtrace from show_stack+0x18/0x1c +[ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c +[ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c +[ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c +[ 14.588653] r5:c08d40b0 r4:c1003cb0 +[ 14.588656] dump_stack from __warn+0x84/0xe4 +[ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194 +[ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000 +[ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8 +[ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048 +[ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150 +[ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040 +[ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54 +[ 14.588735] r5:00000010 r4:c0840a50 +[ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c +[ 14.588757] dpm_run_callback from device_resume+0xc0/0x324 +[ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010 +[ 14.588779] device_resume from dpm_resume+0x130/0x160 +[ 14.588799] r9:c22539e4 
r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0 +[ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20 +[ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414 +[ 14.588826] r4:00000010 +[ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8 +[ 14.588848] r5:c228a414 r4:00000000 +[ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc +[ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000 +[ 14.588871] r4:00000003 +[ 14.588874] pm_suspend from state_store+0x74/0xd0 +[ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003 +[ 14.588892] state_store from kobj_attr_store+0x1c/0x28 +[ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250 +[ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c +[ 14.588936] r5:c3502900 r4:c0d92a48 +[ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0 +[ 14.588956] r5:c3502900 r4:c3501f40 +[ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420 +[ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00 +[ 14.588983] r4:c042a88c +[ 14.588987] vfs_write from ksys_write+0x74/0xe4 +[ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00 +[ 14.589008] r4:c34f7f00 +[ 14.589011] ksys_write from sys_write+0x10/0x14 +[ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004 +[ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c +[ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0) +[ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001 +[ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78 +[ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8 +[ 14.589065] ---[ end trace 0000000000000000 ]--- + +The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when +doing PM resume operation in compliance with the controller support for single +die nand chip. 
Switching from nand_reset_op() to nand_reset() implies more +than just setting the cs field op->cs, it also reconfigures the data interface +(ie. the timings). Tested and confirmed the NAND chip is in sync timing wise +with host after the fix. + +Fixes: 97d90da8a886 ("mtd: nand: provide several helpers to do common NAND operations") +Cc: stable@vger.kernel.org +Signed-off-by: Kamal Dasu +Reviewed-by: Florian Fainelli +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c ++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c +@@ -2914,7 +2914,7 @@ static int brcmnand_resume(struct device + brcmnand_save_restore_cs_config(host, 1); + + /* Reset the chip, required by some chips after power-up */ +- nand_reset_op(chip); ++ nand_reset(chip, 0); + } + + return 0; diff --git a/queue-5.10/mtd-replace-kcalloc-with-devm_kcalloc.patch b/queue-5.10/mtd-replace-kcalloc-with-devm_kcalloc.patch new file mode 100644 index 0000000000..f1468933a1 --- /dev/null +++ b/queue-5.10/mtd-replace-kcalloc-with-devm_kcalloc.patch 
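Review bot: The return value of `nand_reset(chip, 0)` in `brcmnand_resume` is dropped, so a failed reset or timing reconfiguration on resume goes unreported and the function still reaches `return 0`. The commit message notes that `nand_reset()` also reconfigures the data interface, so a failure here can leave chip and host out of step; at minimum log it, e.g. `ret = nand_reset(chip, 0);` followed by `if (ret) dev_warn(dev, "NAND reset failed on resume: %d\n", ret);`. `ret` and `dev` are assumed names, since the function's declarations are outside the hunk.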
@@ -0,0 +1,48 @@
+From 1b61a59876f0eafc19b23007c522ee407f55dbec Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang
+Date: Wed, 5 Feb 2025 02:31:40 +0000
+Subject: mtd: Replace kcalloc() with devm_kcalloc()
+
+From: Jiasheng Jiang
+
+commit 1b61a59876f0eafc19b23007c522ee407f55dbec upstream.
+
+Replace kcalloc() with devm_kcalloc() to prevent memory leaks in case of
+errors.
+
+Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/mtdpstore.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/mtd/mtdpstore.c
++++ b/drivers/mtd/mtdpstore.c
+@@ -417,11 +417,11 @@ static void mtdpstore_notify_add(struct
+ }
+
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, info->kmsg_size));
+- cxt->rmmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+- cxt->usedmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
++ cxt->rmmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
++ cxt->usedmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
+- cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
++ cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+
+ cxt->dev.total_size = mtd->size;
+ /* just support dmesg right now */
+@@ -527,9 +527,6 @@ static void mtdpstore_notify_remove(stru
+ mtdpstore_flush_removed(cxt);
+
+ unregister_pstore_device(&cxt->dev);
+- kfree(cxt->badmap);
+- kfree(cxt->usedmap);
+- kfree(cxt->rmmap);
+ cxt->mtd = NULL;
+ cxt->index = -1;
+ }
diff --git a/queue-5.10/net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch b/queue-5.10/net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch
new file mode 100644
index 0000000000..1bfe7f9ca5
--- /dev/null
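Review bot: None of the three `devm_kcalloc()` results in `mtdpstore_notify_add` is checked for NULL in this hunk, so an allocation failure leaves `cxt->rmmap`, `cxt->usedmap` or `cxt->badmap` NULL while setup continues with `cxt->dev.total_size = mtd->size`. A check after the third allocation, `if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap) return;`, would stop registration before the bitmaps are used; the function is `void` per the hunk header and the rest of its body is outside the hunk. The buffers are now released with `&mtd->dev` rather than in `mtdpstore_notify_remove`, so their lifetime depends on when that device is torn down relative to the notifier, which is worth a one-line comment at the allocation site.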
+++ b/queue-5.10/net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch 
@@ -0,0 +1,70 @@ +From 1ebc8e1ef906db9c08e9abe9776d85ddec837725 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Mon, 17 Mar 2025 18:32:50 +0100 +Subject: net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 1ebc8e1ef906db9c08e9abe9776d85ddec837725 upstream. + +Implement the workaround for erratum + 3.3 RGMII timing may be out of spec when transmit delay is enabled +for the 6320 family, which says: + + When transmit delay is enabled via Port register 1 bit 14 = 1, duty + cycle may be out of spec. Under very rare conditions this may cause + the attached device receive CRC errors. + +Signed-off-by: Marek Behún +Cc: # 5.4.x +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250317173250.28780-8-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -2832,6 +2832,21 @@ static int mv88e6xxx_stats_setup(struct + return mv88e6xxx_g1_stats_clear(chip); + } + ++static int mv88e6320_setup_errata(struct mv88e6xxx_chip *chip) ++{ ++ u16 dummy; ++ int err; ++ ++ /* Workaround for erratum ++ * 3.3 RGMII timing may be out of spec when transmit delay is enabled ++ */ ++ err = mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000); ++ if (err) ++ return err; ++ ++ return mv88e6xxx_port_hidden_read(chip, 0, 0xf, 0x7, &dummy); ++} ++ + /* Check if the errata has already been applied. 
*/ + static bool mv88e6390_setup_errata_applied(struct mv88e6xxx_chip *chip) + { +@@ -4122,6 +4137,7 @@ static const struct mv88e6xxx_ops mv88e6 + + static const struct mv88e6xxx_ops mv88e6320_ops = { + /* MV88E6XXX_FAMILY_6320 */ ++ .setup_errata = mv88e6320_setup_errata, + .ieee_pri_map = mv88e6085_g1_ieee_pri_map, + .ip_pri_map = mv88e6085_g1_ip_pri_map, + .irl_init_all = mv88e6352_g2_irl_init_all, +@@ -4164,6 +4180,7 @@ static const struct mv88e6xxx_ops mv88e6 + + static const struct mv88e6xxx_ops mv88e6321_ops = { + /* MV88E6XXX_FAMILY_6320 */ ++ .setup_errata = mv88e6320_setup_errata, + .ieee_pri_map = mv88e6085_g1_ieee_pri_map, + .ip_pri_map = mv88e6085_g1_ip_pri_map, + .irl_init_all = mv88e6352_g2_irl_init_all, diff --git a/queue-5.10/series b/queue-5.10/series index ca8986cf37..b80e17863c 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
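Review bot: `mv88e6320_setup_errata` passes bare literals (`0, 0xf, 0x7, 0xe000`) to `mv88e6xxx_port_hidden_write()` and then reads the same location back into `dummy` without saying why. A reader cannot tell from the code which port, block, register and value are addressed, or whether the read-back is required by the erratum; the comment above the write should name the four arguments from the erratum text, and the read should carry something like `/* read back; value unused */`. That also makes the two `.setup_errata` hookups in `mv88e6320_ops` and `mv88e6321_ops` auditable against the datasheet.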
@@ -50,3 +50,25 @@ bpf-add-endian-modifiers-to-fix-endian-warnings.patch bpf-support-skf_net_off-and-skf_ll_off-on-skb-frags.patch ext4-reject-casefold-inode-flag-without-casefold-fea.patch ext4-don-t-treat-fhandle-lookup-of-ea_inode-as-fs-co.patch +media-i2c-adv748x-fix-test-pattern-selection-mask.patch +media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch +media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch +media-vim2m-print-device-name-after-registering-device.patch +media-siano-fix-error-handling-in-smsdvb_module_init.patch +xenfs-xensyms-respect-hypervisor-s-next-indication.patch +arm64-cputype-add-midr_cortex_a76ae.patch +arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch +spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch +mtd-rawnand-brcmnand-fix-pm-resume-warning.patch +media-streamzap-prevent-processing-ir-data-on-urb-failure.patch +media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch +media-i2c-ov7251-set-enable-gpio-low-in-probe.patch +media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch +media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch +net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch +mtd-replace-kcalloc-with-devm_kcalloc.patch +clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch +wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch +asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch +ext4-fix-off-by-one-error-in-do_split.patch +vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch diff --git a/queue-5.10/spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch b/queue-5.10/spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch new file mode 100644 index 0000000000..7dd70be6c4 --- /dev/null +++ b/queue-5.10/spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch 
@@ -0,0 +1,62 @@
+From b8665a1b49f5498edb7b21d730030c06b7348a3c Mon Sep 17 00:00:00 2001
+From: Miquel Raynal
+Date: Wed, 5 Mar 2025 21:09:32 +0100
+Subject: spi: cadence-qspi: Fix probe on AM62A LP SK
+
+From: Miquel Raynal
+
+commit b8665a1b49f5498edb7b21d730030c06b7348a3c upstream.
+
+In 2020, there's been an unnoticed change which rightfully attempted to
+report probe deferrals upon DMA absence by checking the return value of
+dma_request_chan_by_mask(). By doing so, it also reported errors which
+were simply ignored otherwise, likely on purpose.
+
+This change actually turned a void return into an error code. Hence, not
+only the -EPROBE_DEFER error codes but all error codes got reported to
+the callers, now failing to probe in the absence of Rx DMA channel,
+despite the fact that DMA seems to not be supported natively by many
+implementations.
+
+Looking at the history, this change probably led to:
+ad2775dc3fc5 ("spi: cadence-quadspi: Disable the DAC for Intel LGM SoC")
+f724c296f2f2 ("spi: cadence-quadspi: fix Direct Access Mode disable for SoCFPGA")
+
+In my case, the AM62A LP SK core octo-SPI node from TI does not
+advertise any DMA channel, hinting that there is likely no support for
+it, but yet when the support for the am654 compatible was added, DMA
+seemed to be used, so just discarding its use with the
+CQSPI_DISABLE_DAC_MODE quirk for this compatible does not seem the
+correct approach.
+
+Let's get change the return condition back to:
+- return a probe deferral error if we get one
+- ignore the return value otherwise
+The "error" log level was however likely too high for something that is
+expected to fail, so let's lower it arbitrarily to the info level.
+
+Fixes: 935da5e5100f ("mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal
+Link: https://patch.msgid.link/20250305200933.2512925-2-miquel.raynal@bootlin.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-cadence-quadspi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1120,6 +1120,12 @@ static int cqspi_request_mmap_dma(struct
+ if (IS_ERR(cqspi->rx_chan)) {
+ int ret = PTR_ERR(cqspi->rx_chan);
+ cqspi->rx_chan = NULL;
++ if (ret == -ENODEV) {
++ /* DMA support is not mandatory */
++ dev_info(&cqspi->pdev->dev, "No Rx DMA available\n");
++ return 0;
++ }
++
+ return dev_err_probe(&cqspi->pdev->dev, ret, "No Rx DMA available\n");
+ }
+ init_completion(&cqspi->rx_dma_complete);
diff --git a/queue-5.10/vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch b/queue-5.10/vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch
new file mode 100644
index 0000000000..5dc4c9c5ed
--- /dev/null
+++ b/queue-5.10/vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch
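Review bot: The new branch in `cqspi_request_mmap_dma` tolerates only `-ENODEV`, whereas the commit message describes ignoring every return value except a probe deferral; any other error from the channel request still goes through `dev_err_probe()` and fails probe. If the narrower behaviour is the intended one, say so in the comment, e.g. `/* DMA is optional: only a missing channel (-ENODEV) is tolerated, other errors still fail probe */`. The function starts and ends outside the hunk.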
@@ -0,0 +1,49 @@
+From a6097e0a54a5c24f8d577ffecbc35289ae281c2e Mon Sep 17 00:00:00 2001
+From: Si-Wei Liu
+Date: Thu, 20 Feb 2025 21:37:33 +0200
+Subject: vdpa/mlx5: Fix oversized null mkey longer than 32bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Si-Wei Liu
+
+commit a6097e0a54a5c24f8d577ffecbc35289ae281c2e upstream.
+
+create_user_mr() has correct code to count the number of null keys
+used to fill in a hole for the memory map. However, fill_indir()
+does not follow the same to cap the range up to the 1GB limit
+correspondingly. Fill in more null keys for the gaps in between,
+so that null keys are correctly populated.
+
+Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code")
+Cc: stable@vger.kernel.org
+Reported-by: Cong Meng
+Signed-off-by: Si-Wei Liu
+Signed-off-by: Dragos Tatulea
+Acked-by: Eugenio Pérez
+Message-Id: <20250220193732.521462-2-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Jason Wang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vdpa/mlx5/core/mr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/vdpa/mlx5/core/mr.c
++++ b/drivers/vdpa/mlx5/core/mr.c
+@@ -165,9 +165,12 @@ again:
+ klm->bcount = cpu_to_be32(klm_bcount(dmr->end - dmr->start));
+ preve = dmr->end;
+ } else {
++ u64 bcount = min_t(u64, dmr->start - preve, MAX_KLM_SIZE);
++
+ klm->key = cpu_to_be32(mvdev->res.null_mkey);
+- klm->bcount = cpu_to_be32(klm_bcount(dmr->start - preve));
+- preve = dmr->start;
++ klm->bcount = cpu_to_be32(klm_bcount(bcount));
++ preve += bcount;
++
+ goto again;
+ }
+ }
diff --git a/queue-5.10/wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch b/queue-5.10/wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch
new file mode 100644
index 0000000000..7f8c8613f7
--- /dev/null
+++ b/queue-5.10/wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch
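Review bot: The null-key branch now emits one KLM entry per `MAX_KLM_SIZE` slice and loops through `goto again`, so the number of entries written depends on the gap `dmr->start - preve`, yet nothing in this hunk bounds the write position against the size of the KLM array. The commit message says the count is computed in `create_user_mr()`; the two calculations have to stay in step, so a comment tying them together would help, e.g. `/* must emit as many null KLMs as create_user_mr() counted for this hole */`. The subtraction is unsigned and therefore relies on `dmr->start >= preve` being established by the condition outside the hunk.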
@@ -0,0 +1,63 @@
+From d00c0c4105e5ab8a6a13ed23d701cceb285761fa Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia
+Date: Wed, 12 Feb 2025 08:21:25 +0000
+Subject: wifi: mac80211: fix integer overflow in hwmp_route_info_get()
+
+From: Gavrilov Ilia
+
+commit d00c0c4105e5ab8a6a13ed23d701cceb285761fa upstream.
+
+Since the new_metric and last_hop_metric variables can reach
+the MAX_METRIC(0xffffffff) value, an integer overflow may occur
+when multiplying them by 10/9. It can lead to incorrect behavior.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov
+Link: https://patch.msgid.link/20250212082124.4078236-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/mesh_hwmp.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -360,6 +360,12 @@ u32 airtime_link_metric_get(struct ieee8
+ return (u32)result;
+ }
+
++/* Check that the first metric is at least 10% better than the second one */
++static bool is_metric_better(u32 x, u32 y)
++{
++ return (x < y) && (x < (y - x / 10));
++}
++
+ /**
+ * hwmp_route_info_get - Update routing info to originator and transmitter
+ *
+@@ -450,8 +456,8 @@ static u32 hwmp_route_info_get(struct ie
+ (mpath->sn == orig_sn &&
+ (rcu_access_pointer(mpath->next_hop) !=
+ sta ?
+- mult_frac(new_metric, 10, 9) :
+- new_metric) >= mpath->metric)) {
++ !is_metric_better(new_metric, mpath->metric) :
++ new_metric >= mpath->metric))) {
+ process = false;
+ fresh_info = false;
+ }
+@@ -521,8 +527,8 @@ static u32 hwmp_route_info_get(struct ie
+ if ((mpath->flags & MESH_PATH_FIXED) ||
+ ((mpath->flags & MESH_PATH_ACTIVE) &&
+ ((rcu_access_pointer(mpath->next_hop) != sta ?
+- mult_frac(last_hop_metric, 10, 9) :
+- last_hop_metric) > mpath->metric)))
++ !is_metric_better(last_hop_metric, mpath->metric) :
++ last_hop_metric > mpath->metric))))
+ fresh_info = false;
+ } else {
+ mpath = mesh_path_add(sdata, ta);
diff --git a/queue-5.10/xenfs-xensyms-respect-hypervisor-s-next-indication.patch b/queue-5.10/xenfs-xensyms-respect-hypervisor-s-next-indication.patch
new file mode 100644
index 0000000000..41fb073064
--- /dev/null
+++ b/queue-5.10/xenfs-xensyms-respect-hypervisor-s-next-indication.patch
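Review bot: `is_metric_better()` does not apply the same threshold as the `mult_frac(metric, 10, 9)` comparisons it replaces: the old test treated a path as better when `new * 10 / 9 < old`, while the helper accepts it when `x + x / 10 < y` (written as `x < y - x / 10`), which is a slightly looser bound. The subtraction cannot wrap because `x < y` is evaluated first, and that ordering is worth stating next to it. If the threshold change is intended, the helper comment could spell both out, e.g. `/* true if x + x/10 < y; x < y is tested first so y - x/10 cannot wrap */`.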
@@ -0,0 +1,48 @@
+From 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 Mon Sep 17 00:00:00 2001
+From: Jan Beulich
+Date: Wed, 12 Mar 2025 16:32:45 +0100
+Subject: xenfs/xensyms: respect hypervisor's "next" indication
+
+From: Jan Beulich
+
+commit 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 upstream.
+
+The interface specifies the symnum field as an input and output; the
+hypervisor sets it to the next sequential symbol's index. xensyms_next()
+incrementing the position explicitly (and xensyms_next_sym()
+decrementing it to "rewind") is only correct as long as the sequence of
+symbol indexes is non-sparse. Use the hypervisor-supplied value instead
+to update the position in xensyms_next(), and use the saved incoming
+index in xensyms_next_sym().
+
+Cc: stable@kernel.org
+Fixes: a11f4f0a4e18 ("xen: xensyms support")
+Signed-off-by: Jan Beulich
+Reviewed-by: Juergen Gross
+Message-ID: <15d5e7fa-ec5d-422f-9319-d28bed916349@suse.com>
+Signed-off-by: Juergen Gross
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenfs/xensyms.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/xenfs/xensyms.c
++++ b/drivers/xen/xenfs/xensyms.c
+@@ -48,7 +48,7 @@ static int xensyms_next_sym(struct xensy
+ return -ENOMEM;
+
+ set_xen_guest_handle(symdata->name, xs->name);
+- symdata->symnum--; /* Rewind */
++ symdata->symnum = symnum; /* Rewind */
+
+ ret = HYPERVISOR_platform_op(&xs->op);
+ if (ret < 0)
+@@ -78,7 +78,7 @@ static void *xensyms_next(struct seq_fil
+ {
+ struct xensyms *xs = (struct xensyms *)m->private;
+
+- xs->op.u.symdata.symnum = ++(*pos);
++ *pos = xs->op.u.symdata.symnum;
+
+ if (xensyms_next_sym(xs))
+ return NULL;
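Review bot: `xensyms_next` now stores the hypervisor-returned `symnum` into `*pos` without checking that it moved forward, so the seq_file position advances only if the hypervisor always hands back a larger index. If the returned value equals or is below the previous position the iterator would revisit entries or stall; comparing the new value with the old `*pos` before storing it, and ending the iteration otherwise, would make the walk robust. The `/* Rewind */` comment in `xensyms_next_sym` also no longer describes a decrement, and something like `/* retry with the saved incoming index */` matches the new assignment better. Both functions continue outside the hunks.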