From: Greg Kroah-Hartman Date: Mon, 5 Jan 2026 11:12:22 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v6.12.64~34 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c054589b9c5557b65ab1c646dcc3ff6b97138f3c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch media-cec-fix-debugfs-leak-on-bus_register-failure.patch media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch --- diff --git a/queue-5.15/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch b/queue-5.15/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch new file mode 100644 index 0000000000..7bd9af547b --- /dev/null +++ b/queue-5.15/dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch 
@@ -0,0 +1,118 @@ +From 7fa3e7d114abc9cc71cc35d768e116641074ddb4 Mon Sep 17 00:00:00 2001 +From: "Uladzislau Rezki (Sony)" +Date: Mon, 17 Nov 2025 11:59:45 +0100 +Subject: dm-ebs: Mark full buffer dirty even on partial write + +From: Uladzislau Rezki (Sony) + +commit 7fa3e7d114abc9cc71cc35d768e116641074ddb4 upstream. + +When performing a read-modify-write(RMW) operation, any modification +to a buffered block must cause the entire buffer to be marked dirty. + +Marking only a subrange as dirty is incorrect because the underlying +device block size(ubs) defines the minimum read/write granularity. A +lower device can perform I/O only on regions which are fully aligned +and sized to ubs. + +This change ensures that write-back operations always occur in full +ubs-sized chunks, matching the intended emulation semantics of the +EBS target. + +As for user space visible impact, submitting sub-ubs and misaligned +I/O for devices which are tuned to ubs sizes only, will reject such +requests, therefore it can lead to losing data. Example: + +1) Create a 8K nvme device in qemu by adding + +-device nvme,drive=drv0,serial=foo,logical_block_size=8192,physical_block_size=8192 + +2) Setup dm-ebs to emulate 512B to 8K mapping + +urezki@pc638:~/bin$ cat dmsetup.sh + +lower=/dev/nvme0n1 +len=$(blockdev --getsz "$lower") + +echo "0 $len ebs $lower 0 1 16" | dmsetup create nvme-8k +urezki@pc638:~/bin$ + +offset 0, ebs=1 and ubs=16(in sectors). 
+ +3) Create an ext4 filesystem(default 4K block size) + +urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0 +mke2fs 1.47.0 (5-Feb-2023) +Discarding device blocks: done +Creating filesystem with 2072576 4k blocks and 518144 inodes +Filesystem UUID: bd0b6ca6-0506-4e31-86da-8d22c9d50b63 +Superblock backups stored on blocks: + 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632 + +Allocating group tables: done +Writing inode tables: done +Creating journal (16384 blocks): done +Writing superblocks and filesystem accounting information: mkfs.ext4: Input/output error while writing out and closing file system +urezki@pc638:~/bin$ dmesg + + +[ 1618.875449] buffer_io_error: 1028 callbacks suppressed +[ 1618.875456] Buffer I/O error on dev dm-0, logical block 0, lost async page write +[ 1618.875527] Buffer I/O error on dev dm-0, logical block 1, lost async page write +[ 1618.875602] Buffer I/O error on dev dm-0, logical block 2, lost async page write +[ 1618.875620] Buffer I/O error on dev dm-0, logical block 3, lost async page write +[ 1618.875639] Buffer I/O error on dev dm-0, logical block 4, lost async page write +[ 1618.894316] Buffer I/O error on dev dm-0, logical block 5, lost async page write +[ 1618.894358] Buffer I/O error on dev dm-0, logical block 6, lost async page write +[ 1618.894380] Buffer I/O error on dev dm-0, logical block 7, lost async page write +[ 1618.894405] Buffer I/O error on dev dm-0, logical block 8, lost async page write +[ 1618.894427] Buffer I/O error on dev dm-0, logical block 9, lost async page write + + +Many I/O errors because the lower 8K device rejects sub-ubs/misaligned +requests. 
+ +with a patch: + +urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0 +mke2fs 1.47.0 (5-Feb-2023) +Discarding device blocks: done +Creating filesystem with 2072576 4k blocks and 518144 inodes +Filesystem UUID: 9b54f44f-ef55-4bd4-9e40-c8b775a616ac +Superblock backups stored on blocks: + 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632 + +Allocating group tables: done +Writing inode tables: done +Creating journal (16384 blocks): done +Writing superblocks and filesystem accounting information: done + +urezki@pc638:~/bin$ sudo mount /dev/dm-0 /mnt/ +urezki@pc638:~/bin$ ls -al /mnt/ +total 24 +drwxr-xr-x 3 root root 4096 Oct 17 15:13 . +drwxr-xr-x 19 root root 4096 Jul 10 19:42 .. +drwx------ 2 root root 16384 Oct 17 15:13 lost+found +urezki@pc638:~/bin$ + +After this change: mkfs completes; mount succeeds. + +Signed-off-by: Uladzislau Rezki (Sony) +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ebs-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ebs-target.c ++++ b/drivers/md/dm-ebs-target.c +@@ -101,7 +101,7 @@ static int __ebs_rw_bvec(struct ebs_c *e + } else { + flush_dcache_page(bv->bv_page); + memcpy(ba, pa, cur_len); +- dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len); ++ dm_bufio_mark_buffer_dirty(b); + } + + dm_bufio_release(b); diff --git a/queue-5.15/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch b/queue-5.15/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch new file mode 100644 index 0000000000..9bed1d5fde --- /dev/null +++ b/queue-5.15/fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch 
@@ -0,0 +1,53 @@ +From e3f44742bbb10537fe53d83d20dea2a7c167674d Mon Sep 17 00:00:00 2001 +From: Rene Rebe +Date: Fri, 14 Nov 2025 16:00:42 +0100 +Subject: fbdev: gbefb: fix to use physical address instead of dma address +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rene Rebe + +commit e3f44742bbb10537fe53d83d20dea2a7c167674d upstream. + +While debuggigng why X would not start on mips64 Sgi/O2 I found the +phys adress being off. Turns out the gbefb passed the internal +dma_addr as phys. May be broken pre git history. Fix by converting +dma_to_phys. + +Signed-off-by: René Rebe +Cc: # v4.0+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/gbefb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/gbefb.c ++++ b/drivers/video/fbdev/gbefb.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -65,7 +66,7 @@ struct gbefb_par { + static unsigned int gbe_mem_size = CONFIG_FB_GBE_MEM * 1024*1024; + static void *gbe_mem; + static dma_addr_t gbe_dma_addr; +-static unsigned long gbe_mem_phys; ++static phys_addr_t gbe_mem_phys; + + static struct { + uint16_t *cpu; +@@ -1187,7 +1188,7 @@ static int gbefb_probe(struct platform_d + goto out_release_mem_region; + } + +- gbe_mem_phys = (unsigned long) gbe_dma_addr; ++ gbe_mem_phys = dma_to_phys(&p_dev->dev, gbe_dma_addr); + } + + par = info->par; diff --git a/queue-5.15/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch b/queue-5.15/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch new file mode 100644 index 0000000000..b24a2637e4 --- /dev/null +++ b/queue-5.15/fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch 
@@ -0,0 +1,43 @@ +From 0155e868cbc111846cc2809c1546ea53810a56ae Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Tue, 2 Dec 2025 19:15:32 +0100 +Subject: fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing + +From: Thorsten Blum + +commit 0155e868cbc111846cc2809c1546ea53810a56ae upstream. + +The variables were never clamped because the return value of clamp_val() +was not used. Fix this by assigning the clamped values, and use clamp() +instead of clamp_val(). + +Cc: stable@vger.kernel.org +Fixes: 3f16ff608a75 ("[ARM] pxafb: cleanup of the timing checking code") +Signed-off-by: Thorsten Blum +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/pxafb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/video/fbdev/pxafb.c ++++ b/drivers/video/fbdev/pxafb.c +@@ -418,12 +418,12 @@ static int pxafb_adjust_timing(struct px + var->yres = max_t(int, var->yres, MIN_YRES); + + if (!(fbi->lccr0 & LCCR0_LCDT)) { +- clamp_val(var->hsync_len, 1, 64); +- clamp_val(var->vsync_len, 1, 64); +- clamp_val(var->left_margin, 1, 255); +- clamp_val(var->right_margin, 1, 255); +- clamp_val(var->upper_margin, 1, 255); +- clamp_val(var->lower_margin, 1, 255); ++ var->hsync_len = clamp(var->hsync_len, 1, 64); ++ var->vsync_len = clamp(var->vsync_len, 1, 64); ++ var->left_margin = clamp(var->left_margin, 1, 255); ++ var->right_margin = clamp(var->right_margin, 1, 255); ++ var->upper_margin = clamp(var->upper_margin, 1, 255); ++ var->lower_margin = clamp(var->lower_margin, 1, 255); + } + + /* make sure each line is aligned on word boundary */ diff --git a/queue-5.15/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch b/queue-5.15/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch new file mode 100644 index 0000000000..26186bcca4 --- /dev/null +++ b/queue-5.15/fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch 
@@ -0,0 +1,39 @@ +From 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ren=C3=A9=20Rebe?= +Date: Thu, 20 Nov 2025 14:24:00 +0100 +Subject: fbdev: tcx.c fix mem_map to correct smem_start offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: René Rebe + +commit 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e upstream. + +403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") changed the +physbase initializing breaking the user-space mmap, e.g. for Xorg +entirely. + +Fix fbdev mmap table so the sbus mmap helper work correctly, and +not try to map vastly (physbase) offset memory. + +Fixes: 403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") +Cc: +Signed-off-by: René Rebe +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/tcx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/tcx.c ++++ b/drivers/video/fbdev/tcx.c +@@ -436,7 +436,7 @@ static int tcx_probe(struct platform_dev + j = i; + break; + } +- par->mmap_map[i].poff = op->resource[j].start; ++ par->mmap_map[i].poff = op->resource[j].start - info->fix.smem_start; + } + + info->flags = FBINFO_DEFAULT; diff --git a/queue-5.15/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch b/queue-5.15/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch new file mode 100644 index 0000000000..a5da8babbe --- /dev/null +++ b/queue-5.15/firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch 
@@ -0,0 +1,80 @@ +From 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b Mon Sep 17 00:00:00 2001 +From: Mahesh Rao +Date: Mon, 27 Oct 2025 22:54:40 +0800 +Subject: firmware: stratix10-svc: Add mutex in stratix10 memory management + +From: Mahesh Rao + +commit 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b upstream. + +Add mutex lock to stratix10_svc_allocate_memory and +stratix10_svc_free_memory for thread safety. This prevents race +conditions and ensures proper synchronization during memory operations. +This is required for parallel communication with the Stratix10 service +channel. + +Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver") +Cc: stable@vger.kernel.org +Signed-off-by: Mahesh Rao +Reviewed-by: Matthew Gerlach +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + /* + * Copyright (C) 2017-2018, Intel Corporation ++ * Copyright (C) 2025, Altera Corporation + */ + + #include +@@ -168,6 +169,12 @@ static LIST_HEAD(svc_ctrl); + static LIST_HEAD(svc_data_mem); + + /** ++ * svc_mem_lock protects access to the svc_data_mem list for ++ * concurrent multi-client operations ++ */ ++static DEFINE_MUTEX(svc_mem_lock); ++ ++/** + * svc_pa_to_va() - translate physical address to virtual address + * @addr: to be translated physical address + * +@@ -179,6 +186,7 @@ static void *svc_pa_to_va(unsigned long + struct stratix10_svc_data_mem *pmem; + + pr_debug("claim back P-addr=0x%016x\n", (unsigned int)addr); ++ guard(mutex)(&svc_mem_lock); + list_for_each_entry(pmem, &svc_data_mem, node) + if (pmem->paddr == addr) + return pmem->vaddr; +@@ -844,6 +852,7 @@ int stratix10_svc_send(struct stratix10_ + p_data->flag = ct->flags; + } + } else { ++ guard(mutex)(&svc_mem_lock); + list_for_each_entry(p_mem, &svc_data_mem, node) + if 
(p_mem->vaddr == p_msg->payload) { + p_data->paddr = p_mem->paddr; +@@ -915,6 +924,7 @@ void *stratix10_svc_allocate_memory(stru + if (!pmem) + return ERR_PTR(-ENOMEM); + ++ guard(mutex)(&svc_mem_lock); + va = gen_pool_alloc(genpool, s); + if (!va) + return ERR_PTR(-ENOMEM); +@@ -943,6 +953,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate + void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr) + { + struct stratix10_svc_data_mem *pmem; ++ guard(mutex)(&svc_mem_lock); + + list_for_each_entry(pmem, &svc_data_mem, node) + if (pmem->vaddr == kaddr) { diff --git a/queue-5.15/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch b/queue-5.15/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch new file mode 100644 index 0000000000..66f9335009 --- /dev/null +++ b/queue-5.15/media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch 
@@ -0,0 +1,57 @@ +From 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 Mon Sep 17 00:00:00 2001 +From: Ivan Abramov +Date: Wed, 3 Sep 2025 02:23:31 +0300 +Subject: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() + +From: Ivan Abramov + +commit 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 upstream. + +It's possible for cp_read() and hdmi_read() to return -EIO. Those +values are further used as indexes for accessing arrays. + +Fix that by checking return values where it's needed. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver") +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Abramov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7842.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -2690,6 +2690,7 @@ static int adv7842_cp_log_status(struct + /* CP block */ + struct adv7842_state *state = to_state(sd); + struct v4l2_dv_timings timings; ++ int temp; + u8 reg_io_0x02 = io_read(sd, 0x02); + u8 reg_io_0x21 = io_read(sd, 0x21); + u8 reg_rep_0x77 = rep_read(sd, 0x77); +@@ -2812,8 +2813,9 @@ static int adv7842_cp_log_status(struct + (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ? + "(16-235)" : "(0-255)", + (reg_io_0x02 & 0x08) ? "enabled" : "disabled"); ++ temp = cp_read(sd, 0xf4) >> 4; + v4l2_info(sd, "Color space conversion: %s\n", +- csc_coeff_sel_rb[cp_read(sd, 0xf4) >> 4]); ++ temp < 0 ? "" : csc_coeff_sel_rb[temp]); + + if (!is_digital_input(sd)) + return 0; +@@ -2843,8 +2845,9 @@ static int adv7842_cp_log_status(struct + hdmi_read(sd, 0x5f)); + v4l2_info(sd, "AV Mute: %s\n", + (hdmi_read(sd, 0x04) & 0x40) ? "on" : "off"); ++ temp = hdmi_read(sd, 0x0b) >> 6; + v4l2_info(sd, "Deep color mode: %s\n", +- deep_color_mode_txt[hdmi_read(sd, 0x0b) >> 6]); ++ temp < 0 ? 
"" : deep_color_mode_txt[temp]); + + adv7842_log_infoframes(sd); + diff --git a/queue-5.15/media-cec-fix-debugfs-leak-on-bus_register-failure.patch b/queue-5.15/media-cec-fix-debugfs-leak-on-bus_register-failure.patch new file mode 100644 index 0000000000..523e751e71 --- /dev/null +++ b/queue-5.15/media-cec-fix-debugfs-leak-on-bus_register-failure.patch @@ -0,0 +1,35 @@ +From c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb Mon Sep 17 00:00:00 2001 +From: Haotian Zhang +Date: Mon, 29 Sep 2025 19:12:29 +0800 +Subject: media: cec: Fix debugfs leak on bus_register() failure + +From: Haotian Zhang + +commit c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb upstream. + +In cec_devnode_init(), the debugfs directory created with +debugfs_create_dir() is not removed if bus_register() fails. +This leaves a stale "cec" entry in debugfs and prevents +proper module reloading. + +Fix this by removing the debugfs directory in the error path. + +Fixes: a56960e8b406 ("[media] cec: add HDMI CEC framework (core)") +Cc: stable@vger.kernel.org +Signed-off-by: Haotian Zhang +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/core/cec-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/cec/core/cec-core.c ++++ b/drivers/media/cec/core/cec-core.c +@@ -433,6 +433,7 @@ static int __init cec_devnode_init(void) + + ret = bus_register(&cec_bus_type); + if (ret < 0) { ++ debugfs_remove_recursive(top_cec_dir); + unregister_chrdev_region(cec_dev_t, CEC_NUM_DEVICES); + pr_warn("cec: bus_register failed\n"); + return -EIO; diff --git a/queue-5.15/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-5.15/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..2d6a71f2f9 --- /dev/null +++ b/queue-5.15/media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch 
@@ -0,0 +1,50 @@ +From 8f34f24355a607b98ecd9924837aab13c676eeca Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 2 Sep 2025 09:53:37 +0800 +Subject: media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit 8f34f24355a607b98ecd9924837aab13c676eeca upstream. + +The delayed_work delayed_work_enable_hotplug is initialized with +INIT_DELAYED_WORK() in adv76xx_probe(), but it is never scheduled +anywhere in the probe function. + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path and adjust the goto label accordingly to simplify the code +and avoid potential confusion. + +Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7604.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -3615,7 +3615,7 @@ static int adv76xx_probe(struct i2c_clie + err = media_entity_pads_init(&sd->entity, state->source_pad + 1, + state->pads); + if (err) +- goto err_work_queues; ++ goto err_i2c; + + /* Configure regmaps */ + err = configure_regmaps(state); +@@ -3656,8 +3656,6 @@ static int adv76xx_probe(struct i2c_clie + + err_entity: + media_entity_cleanup(&sd->entity); +-err_work_queues: +- cancel_delayed_work(&state->delayed_work_enable_hotplug); + err_i2c: + adv76xx_unregister_clients(state); + err_hdl: diff --git a/queue-5.15/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-5.15/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..87625d522c --- /dev/null 
+++ b/queue-5.15/media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch @@ -0,0 +1,50 @@ +From e66a5cc606c58e72f18f9cdd868a3672e918f9f8 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Tue, 2 Sep 2025 09:10:31 +0800 +Subject: media: i2c: adv7842: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit e66a5cc606c58e72f18f9cdd868a3672e918f9f8 upstream. + +The delayed_work delayed_work_enable_hotplug is initialized with +INIT_DELAYED_WORK() in adv7842_probe(), but it is never scheduled +anywhere in the probe function. + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path and adjust the goto label accordingly to simplify the code +and avoid potential confusion. + +Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/adv7842.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -3575,7 +3575,7 @@ static int adv7842_probe(struct i2c_clie + err = media_entity_pads_init(&sd->entity, ADV7842_PAD_SOURCE + 1, + state->pads); + if (err) +- goto err_work_queues; ++ goto err_i2c; + + err = adv7842_core_init(sd); + if (err) +@@ -3596,8 +3596,6 @@ static int adv7842_probe(struct i2c_clie + + err_entity: + media_entity_cleanup(&sd->entity); +-err_work_queues: +- cancel_delayed_work(&state->delayed_work_enable_hotplug); + err_i2c: + adv7842_unregister_clients(sd); + err_hdl: diff --git a/queue-5.15/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch b/queue-5.15/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch new file mode 100644 index 0000000000..77c68610d6 --- /dev/null 
+++ b/queue-5.15/media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch @@ -0,0 +1,39 @@ +From d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 Mon Sep 17 00:00:00 2001 +From: Ivan Abramov +Date: Wed, 3 Sep 2025 02:28:14 +0300 +Subject: media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() + +From: Ivan Abramov + +commit d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 upstream. + +It's possible for max1 to remain -1 if msp_read() always fail. This +variable is further used as index for accessing arrays. + +Fix that by checking max1 prior to array accesses. + +It seems that restart is the preferable action in case of out-of-bounds +value. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)") +Cc: stable@vger.kernel.org +Signed-off-by: Ivan Abramov +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/msp3400-kthreads.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/msp3400-kthreads.c ++++ b/drivers/media/i2c/msp3400-kthreads.c +@@ -596,6 +596,8 @@ restart: + "carrier2 val: %5d / %s\n", val, cd[i].name); + } + ++ if (max1 < 0 || max1 > 3) ++ goto restart; + /* program the msp3400 according to the results */ + state->main = msp3400c_carrier_detect_main[max1].cdo; + switch (max1) { diff --git a/queue-5.15/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch b/queue-5.15/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch new file mode 100644 index 0000000000..9b0bfb5a7d --- /dev/null +++ b/queue-5.15/media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch 
@@ -0,0 +1,38 @@ +From 29de195ca39fc2ac0af6fd45522994df9f431f80 Mon Sep 17 00:00:00 2001 +From: Duoming Zhou +Date: Mon, 1 Sep 2025 21:26:17 +0800 +Subject: media: TDA1997x: Remove redundant cancel_delayed_work in probe + +From: Duoming Zhou + +commit 29de195ca39fc2ac0af6fd45522994df9f431f80 upstream. + +The delayed_work delayed_work_enable_hpd is initialized with +INIT_DELAYED_WORK(), but it is never scheduled in tda1997x_probe(). + +Calling cancel_delayed_work() on a work that has never been +scheduled is redundant and unnecessary, as there is no pending +work to cancel. + +Remove the redundant cancel_delayed_work() from error handling +path in tda1997x_probe() to avoid potential confusion. + +Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver") +Cc: stable@vger.kernel.org +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/tda1997x.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/i2c/tda1997x.c ++++ b/drivers/media/i2c/tda1997x.c +@@ -2780,7 +2780,6 @@ err_free_media: + err_free_handler: + v4l2_ctrl_handler_free(&state->hdl); + err_free_mutex: +- cancel_delayed_work(&state->delayed_work_enable_hpd); + mutex_destroy(&state->page_lock); + mutex_destroy(&state->lock); + err_free_state: diff --git a/queue-5.15/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch b/queue-5.15/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch new file mode 100644 index 0000000000..c7d34ab8cb --- /dev/null +++ b/queue-5.15/parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch 
@@ -0,0 +1,58 @@ +From 5fb1d3ce3e74a4530042795e1e065422295f1371 Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Wed, 15 Oct 2025 23:21:41 +0200 +Subject: parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() + +From: Sven Schnelle + +commit 5fb1d3ce3e74a4530042795e1e065422295f1371 upstream. + +When the kernel leaves to userspace via syscall_restore_rfi(), the +W bit is not set in the new PSW. This doesn't cause any problems +because there's no 64 bit userspace for parisc. Simple static binaries +are usually loaded at addresses way below the 32 bit limit so the W bit +doesn't matter. + +Fix this by setting the W bit when TIF_32BIT is not set. + +Signed-off-by: Sven Schnelle +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/asm-offsets.c | 2 ++ + arch/parisc/kernel/entry.S | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/asm-offsets.c ++++ b/arch/parisc/kernel/asm-offsets.c +@@ -260,6 +260,8 @@ int main(void) + BLANK(); + DEFINE(TIF_BLOCKSTEP_PA_BIT, 31-TIF_BLOCKSTEP); + DEFINE(TIF_SINGLESTEP_PA_BIT, 31-TIF_SINGLESTEP); ++ DEFINE(TIF_32BIT_PA_BIT, 31-TIF_32BIT); ++ + BLANK(); + DEFINE(ASM_PMD_SHIFT, PMD_SHIFT); + DEFINE(ASM_PGDIR_SHIFT, PGDIR_SHIFT); +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1913,6 +1913,10 @@ syscall_restore_rfi: + extru,= %r19,TIF_BLOCKSTEP_PA_BIT,1,%r0 + depi -1,7,1,%r20 /* T bit */ + ++#ifdef CONFIG_64BIT ++ extru,<> %r19,TIF_32BIT_PA_BIT,1,%r0 ++ depi -1,4,1,%r20 /* W bit */ ++#endif + STREG %r20,TASK_PT_PSW(%r1) + + /* Always store space registers, since sr3 can be changed (e.g. fork) */ +@@ -1926,7 +1930,6 @@ syscall_restore_rfi: + STREG %r25,TASK_PT_IASQ0(%r1) + STREG %r25,TASK_PT_IASQ1(%r1) + +- /* XXX W bit??? */ + /* Now if old D bit is clear, it means we didn't save all registers + * on syscall entry, so do that now. 
This only happens on TRACEME + * calls, or if someone attached to us while we were on a syscall. diff --git a/queue-5.15/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch b/queue-5.15/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch new file mode 100644 index 0000000000..298e44d3d4 --- /dev/null +++ b/queue-5.15/parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch 
@@ -0,0 +1,61 @@ +From 1aa4524c0c1b54842c4c0a370171d11b12d0709b Mon Sep 17 00:00:00 2001 +From: Sven Schnelle +Date: Thu, 30 Oct 2025 08:56:05 +0100 +Subject: parisc: entry.S: fix space adjustment on interruption for 64-bit userspace + +From: Sven Schnelle + +commit 1aa4524c0c1b54842c4c0a370171d11b12d0709b upstream. + +In wide mode, the IASQ contain the upper part of the GVA +during interruption. This needs to be reversed before +the space is used - otherwise it contains parts of IAOQ. +See Page 2-13 "Processing Resources / Interruption Instruction +Address Queues" in the Parisc 2.0 Architecture Manual page 2-13 +for an explanation. + +The IAOQ/IASQ space_adjust was skipped for other interruptions +than itlb misses. However, the code in handle_interruption() +checks whether iasq[0] contains a valid space. Due to the not +masked out bits this match failed and the process was killed. + +Also add space_adjust for IAOQ1/IASQ1 so ptregs contains sane values. + +Signed-off-by: Sven Schnelle +Cc: stable@vger.kernel.org # v6.0+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1072,8 +1072,6 @@ ENTRY_CFI(intr_save) /* for os_hpmc */ + STREG %r17, PT_IOR(%r29) + + #if defined(CONFIG_64BIT) +- b,n intr_save2 +- + skip_save_ior: + /* We have a itlb miss, and when executing code above 4 Gb on ILP64, we + * need to adjust iasq/iaoq here in the same way we adjusted isr/ior +@@ -1082,10 +1080,17 @@ skip_save_ior: + bb,COND(>=),n %r8,PSW_W_BIT,intr_save2 + LDREG PT_IASQ0(%r29), %r16 + LDREG PT_IAOQ0(%r29), %r17 +- /* adjust iasq/iaoq */ ++ /* adjust iasq0/iaoq0 */ + space_adjust %r16,%r17,%r1 + STREG %r16, PT_IASQ0(%r29) + STREG %r17, PT_IAOQ0(%r29) ++ ++ LDREG PT_IASQ1(%r29), %r16 ++ LDREG PT_IAOQ1(%r29), %r17 ++ /* adjust iasq1/iaoq1 */ ++ space_adjust %r16,%r17,%r1 ++ STREG %r16, 
PT_IASQ1(%r29) ++ STREG %r17, PT_IAOQ1(%r29) + #else + skip_save_ior: + #endif diff --git a/queue-5.15/series b/queue-5.15/series index 0e42ef96ac..d462be3239 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -385,3 +385,16 @@ leds-leds-lp50xx-lp5009-supports-3-modules-for-a-total-of-9-leds.patch mfd-altera-sysmgr-fix-device-leak-on-sysmgr-regmap-lookup.patch mfd-max77620-fix-potential-irq-chip-conflict-when-probing-two-devices.patch media-rc-st_rc-fix-reset-control-resource-leak.patch +parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch +parisc-entry-set-w-bit-for-compat-tasks-in-syscall_restore_rfi.patch +media-adv7842-avoid-possible-out-of-bounds-array-accesses-in-adv7842_cp_log_status.patch +firmware-stratix10-svc-add-mutex-in-stratix10-memory-management.patch +dm-ebs-mark-full-buffer-dirty-even-on-partial-write.patch +fbdev-gbefb-fix-to-use-physical-address-instead-of-dma-address.patch +fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch +fbdev-tcx.c-fix-mem_map-to-correct-smem_start-offset.patch +media-cec-fix-debugfs-leak-on-bus_register-failure.patch +media-msp3400-avoid-possible-out-of-bounds-array-accesses-in-msp3400c_thread.patch +media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch +media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch +media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch
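Review bot: in the pxafb.c hunk of fbdev-pxafb-fix-multiple-clamped-values-in-pxafb_adjust_timing.patch, the six new assignments switch from clamp_val() to clamp() with bare int constants, and this needs a build test on 5.15 before it is queued. The adjacent context line, var->yres = max_t(int, var->yres, MIN_YRES);, shows the existing code needed an explicit type to compare these fields against int limits. clamp() type-checks its arguments where clamp_val() casts the limits to the type of the value, so whether clamp(var->hsync_len, 1, 64) compiles without a type-mismatch warning depends on this tree's minmax.h. If it does not, keeping clamp_val() (or clamp_t()) and only adding the missing assignment fixes the bug with less risk.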
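Review bot: in the drivers/firmware/stratix10-svc.c hunks, all four locking sites use guard(mutex)(&svc_mem_lock), but this patch is queued for 5.15 and the diff adds no include that would provide guard(). The scope-based guard() helper comes from linux/cleanup.h, which first appeared in v6.5, so a 5.15 tree needs either that infrastructure backported first or explicit mutex_lock()/mutex_unlock() pairs. With explicit locking, every early exit inside the locked region needs its own unlock: the return pmem->vaddr; inside the list walk in svc_pa_to_va(), and the return ERR_PTR(-ENOMEM); that follows gen_pool_alloc() in stratix10_svc_allocate_memory(). A smaller point: the comment above DEFINE_MUTEX(svc_mem_lock) opens with /** although it is not a kernel-doc block, so it should start with a plain /*.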
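Review bot: in adv7842_cp_log_status(), both new assignments shift the read result before testing it (temp = cp_read(sd, 0xf4) >> 4; and temp = hdmi_read(sd, 0x0b) >> 6;), so the temp < 0 check relies on a right shift of a negative errno staying negative, which C leaves implementation-defined. Store the raw return value, test it for < 0, and shift only on success; that would also allow a more descriptive name than temp. Printing "" on failure gives the log reader no hint that the read failed, so a short marker string would be more useful. The context lines in the same hunk still use unchecked reads: (hdmi_read(sd, 0x04) & 0x40) ? "on" : "off" reports "on" when the read returns -EIO, since that bit is set in the negative value.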
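Review bot: in the msp3400-kthreads.c hunk, the new check if (max1 < 0 || max1 > 3) hard-codes the upper bound; ARRAY_SIZE(msp3400c_carrier_detect_main) would tie it to the table indexed on the following line and keep the two from drifting apart. The commit message's failure case is msp_read() failing every time, and goto restart then repeats the scan. What the restart path does before retrying is outside this hunk, so confirm that it sleeps or can exit; otherwise a device that never answers keeps the thread looping. A blank line between the goto and the "program the msp3400" comment would match the surrounding layout.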
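Review bot: parisc-entry.s-fix-space-adjustment-on-interruption-for-64-bit-userspace.patch carries "Cc: stable@vger.kernel.org # v6.0+" but is added under queue-5.15 and appended to queue-5.15/series. The tag limits the request to 6.0 and later, so either drop it from this queue or record why 5.15 needs it. In the entry.S hunk itself, removing b,n intr_save2 makes every interruption on CONFIG_64BIT fall through into skip_save_ior, yet the retained comment still begins "We have a itlb miss", which no longer describes when this code runs. The comment should be updated together with the new iasq1/iaoq1 block.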