[PATCH AUTOSEL 7.0-6.18] media: rc: fix race between unregister and urb/irq callbacks

[PATCH AUTOSEL 7.0-6.18] media: rc: fix race between unregister and urb/irq callbacks

[Sasha Levin]

From: Sean Young <sean@mess.org>

[ Upstream commit dccc0c3ddf8f16071736f98a7d6dd46a2d43e037 ]

Some rc device drivers have a race condition between rc_unregister_device()
and irq or urb callbacks. This is because rc_unregister_device() does two
things, it marks the device as unregistered so no new commands can be
issued and then it calls rc_free_device(). This means the driver has no
chance to cancel any pending urb callbacks or interrupts after the device
has been marked as unregistered. Those callbacks may access struct rc_dev
or its members (e.g. struct ir_raw_event_ctrl), which have been freed by
rc_free_device().

This change removes the implicit call to rc_free_device() from
rc_unregister_device(). This means that device drivers can call
rc_unregister_device() in their remove or disconnect function, then cancel
all the urbs and interrupts before explicitly calling rc_free_device().

Note this is an alternative fix for an issue found by Haotian Zhang, see
the Closes: tags.

Reported-by: Haotian Zhang <vulab@iscas.ac.cn>
Closes: https://lore.kernel.org/linux-media/20251114101432.2566-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114101418.2548-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114101346.2530-1-vulab@iscas.ac.cn/
Closes: https://lore.kernel.org/linux-media/20251114090605.2413-1-vulab@iscas.ac.cn/
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Good - drivers using `devm_rc_allocate_device` don't call
`rc_unregister_device` manually (they use `devm_rc_register_device`
which handles cleanup automatically). The patch removes the
`managed_alloc` flag because it changes the contract:
`rc_unregister_device` no longer frees the device regardless of how it
was allocated. Instead, `devm_rc_alloc_release` (the devres release
callback) calls `rc_free_device`, and the regular drivers must add
explicit `rc_free_device` calls.

Now let me do the full analysis write-up.

---

## PHASE 1: COMMIT MESSAGE FORENSICS

### Step 1.1: PARSE THE SUBJECT LINE
Record: [media: rc] [fix] [race between unregister and urb/irq
callbacks]

### Step 1.2: PARSE ALL COMMIT MESSAGE TAGS
- **Reported-by:** Haotian Zhang <vulab@iscas.ac.cn> - the reporter
  found multiple race conditions
- **Closes:** 4 separate lore.kernel.org links to bug reports (Nov 2025)
- **Reviewed-by:** Patrice Chotard <patrice.chotard@foss.st.com>
- **Signed-off-by:** Sean Young <sean@mess.org> (author, RC subsystem
  maintainer)
- **Signed-off-by:** Hans Verkuil <hverkuil+cisco@kernel.org> (media
  subsystem maintainer)

Record: Multiple bug reports (4 Closes: tags), reviewed by a maintainer,
written by the RC subsystem maintainer, merged by the media subsystem
maintainer. No Fixes: tag (expected).

### Step 1.3: ANALYZE THE COMMIT BODY TEXT
The commit explains a **use-after-free race condition**:
1. `rc_unregister_device()` marks the device as unregistered
2. Then it calls `rc_free_device()`, which frees `struct rc_dev` and
   `struct ir_raw_event_ctrl`
3. Between marking unregistered and freeing, there's no window for
   drivers to cancel pending URBs/IRQs
4. Those pending callbacks may still access the freed `struct rc_dev` or
   its members

Record: Bug = use-after-free due to race between device unregister and
URB/IRQ callbacks. Symptom = accessing freed memory. Root cause =
`rc_unregister_device()` implicitly calls `rc_free_device()` before
drivers can cancel pending async operations.

### Step 1.4: DETECT HIDDEN BUG FIXES
This is an explicit race condition / use-after-free fix. Not hidden.
Record: This is a clear, well-documented bug fix.

## PHASE 2: DIFF ANALYSIS

### Step 2.1: INVENTORY THE CHANGES
41 files changed, ~58 insertions, ~36 deletions. Files span:
- Core: `rc-main.c`, `rc-ir-raw.c`, `rc-core.h`
- ~30+ driver files across media/rc, media/pci, media/usb, gpu/drm, hid,
  staging

Record: Cross-subsystem change touching 41 files, but each driver change
is 1-3 lines. Core changes are ~10 lines net.

### Step 2.2: UNDERSTAND THE CODE FLOW CHANGE
**Core changes:**
1. `rc-main.c`: `rc_unregister_device()` no longer calls
   `rc_free_device()` (removes the `if (!dev->managed_alloc)
   rc_free_device(dev)` block)
2. `rc-main.c`: `rc_dev_release()` now calls `ir_raw_event_free(dev)`
   before `kfree(dev)` - this ensures raw event data is cleaned up when
   the device struct is finally freed
3. `rc-main.c`: `devm_rc_allocate_device()` no longer sets
   `managed_alloc = true`
4. `rc-ir-raw.c`: `ir_raw_event_unregister()` no longer calls
   `ir_raw_event_free()` (moved to `rc_dev_release`)
5. `rc-ir-raw.c`: `ir_raw_event_free()` removes the `if (!dev)` guard
   (now only called from `rc_dev_release`)
6. `rc-core.h`: Removes `managed_alloc` field from `struct rc_dev`

**Driver changes:** Every driver using `rc_unregister_device()` now also
calls `rc_free_device()` afterward. Some USB drivers also reorder
operations to call `rc_unregister_device()` BEFORE killing URBs, then
`rc_free_device()` AFTER killing URBs.

### Step 2.3: IDENTIFY THE BUG MECHANISM
Category: **Race condition / Use-after-free**

Before the fix:
```
rc_unregister_device()
  -> marks device unregistered
  -> calls rc_free_device() -> frees struct rc_dev
  // URB/IRQ callbacks can still fire and access freed rc_dev!
```

After the fix:
```
rc_unregister_device()
  -> marks device unregistered
  // Driver cancels URBs/IRQs here
rc_free_device()
  -> safely frees struct rc_dev after all callbacks cancelled
```

Record: UAF race condition fix. Separating unregister from free gives
drivers a window to cancel async operations.

### Step 2.4: ASSESS THE FIX QUALITY
- Written by Sean Young (RC subsystem maintainer)
- Reviewed by Patrice Chotard
- Merged by Hans Verkuil (media maintainer)
- The approach is sound: it separates two concerns (marking unregistered
  vs. freeing memory)
- Each per-driver change is trivial (add one `rc_free_device()` line)
- **Concern:** The scope is very large (41 files), though each change is
  trivially mechanical

Record: High quality fix from the subsystem maintainer. Regression risk
is low per-driver but the sheer breadth is notable. The error path
changes in probe functions (removing `rdev = NULL` after
`rc_unregister_device`) are now correct because `rc_free_device(rdev)`
on the next goto target will properly free even after unregister.

## PHASE 3: GIT HISTORY INVESTIGATION

### Step 3.1: BLAME THE CHANGED LINES
The `managed_alloc` logic was introduced in commit `ddbf7d5a698c4d`
(2016, v4.10 era) by Heiner Kallweit. The implicit `rc_free_device()`
call in `rc_unregister_device()` has been present since `d8b4b5822f51e2`
(2010, v2.6.36 era). The race condition has existed since the very
beginning of the rc_core subsystem.

Record: Bug exists in all kernel versions since 2010 (v2.6.36+). Present
in all stable trees.

### Step 3.2: FOLLOW THE FIXES: TAG
No Fixes: tag present (expected for autosel candidates).

### Step 3.3: CHECK FILE HISTORY
Multiple previous fixes for the same class of UAF bugs exist:
- `5abda7a16698d` "media: dm1105: Fix use after free bug in
  dm1105_remove due to race condition"
- `29b0589a865b6` "media: rc: Fix use-after-free bugs caused by
  ene_tx_irqsim()"

These were individual driver fixes for the same systemic issue. This
patch fixes it once and for all in the core.

Record: This is a systemic fix replacing multiple individual driver-
level workarounds.

### Step 3.4: CHECK THE AUTHOR
Sean Young is the RC subsystem maintainer. He has dozens of commits in
`drivers/media/rc/`. This is his subsystem.

Record: Author is the subsystem maintainer - highest trust level.

### Step 3.5: CHECK FOR DEPENDENCIES
This is a single, self-contained patch. All changes are coordinated. No
other patches are needed.

Record: Standalone fix, no dependencies.

## PHASE 4: MAILING LIST AND EXTERNAL RESEARCH

### Step 4.1: FIND THE ORIGINAL PATCH DISCUSSION
Found via web search:
- v1: "[PATCH] media: rc: rc_unregister_device() should not call
  rc_free_device()" (Dec 20, 2025)
- v2: "[PATCH v2] media: rc: fix race between unregister and urb/irq
  callbacks" (Jan 26, 2026)

The v2 has the `Reviewed-by` tag from Patrice Chotard that v1 didn't
have.

Record: Patch went through 2 revisions. Applied version is v2 (latest).
Reviewed by maintainer.

### Step 4.2: WHO REVIEWED
- Reviewed-by: Patrice Chotard (STMicroelectronics, works on st_rc
  driver)
- Signed-off-by: Hans Verkuil (media subsystem co-maintainer)
- CC'd: Numerous subsystem maintainers (Maarten Lankhorst, David Airlie
  for DRM, etc.)

Record: Properly reviewed through the maintainer chain.

### Step 4.3: SEARCH FOR THE BUG REPORT
4 separate bug reports from Haotian Zhang (November 2025) about UAF
races in different RC drivers.

Record: Multiple independent bug reports confirm this is a real-world
issue.

### Step 4.4: RELATED PATCHES
This is the alternative/comprehensive fix. The original individual
patches from Haotian Zhang addressed each driver separately; Sean
Young's approach fixes the root cause in the core.

Record: This is the definitive fix rather than per-driver workarounds.

### Step 4.5: STABLE MAILING LIST
No specific stable discussion found. The patch does not have Cc: stable
tag.

## PHASE 5: CODE SEMANTIC ANALYSIS

### Step 5.1: KEY FUNCTIONS
- `rc_unregister_device()` - modified to remove implicit free
- `rc_free_device()` - now must be called explicitly by drivers
- `rc_dev_release()` - now frees raw event data
- `ir_raw_event_free()` - moved from unregister path to release path
- `ir_raw_event_unregister()` - no longer frees raw events

### Step 5.2: CALLERS
Every RC driver's remove/disconnect/exit function calls
`rc_unregister_device()`. The patch adds `rc_free_device()` to all of
them. This affects USB IR receivers, PCI TV tuner cards, embedded IR
receivers, DRM bridges, etc.

Record: Broad impact - every RC device driver is affected.

### Step 5.3-5.5: CALL CHAIN AND PATTERNS
The race is triggered during device removal (USB disconnect, PCI remove,
platform remove). This is a common path triggered by:
- USB device physical disconnect
- Module unload
- System shutdown
- Device unbind via sysfs

Record: The buggy path is easily triggered by physical device
disconnect. Not theoretical.

## PHASE 6: CROSS-REFERENCING AND STABLE TREE ANALYSIS

### Step 6.1: DOES THE BUGGY CODE EXIST IN STABLE?
Yes. The buggy code in `rc_unregister_device()` (calling
`rc_free_device()` implicitly) has existed since 2010. It is present in
ALL stable trees.

Record: Bug affects all stable trees (6.6.y, 6.1.y, 5.15.y, etc.).

### Step 6.2: BACKPORT COMPLICATIONS
This patch touches 41 files. Some files may have diverged between
mainline and stable trees. Backporting will likely require resolving
minor conflicts in some drivers. The core changes to `rc-main.c`, `rc-
ir-raw.c`, and `rc-core.h` are critical and should apply with minor
fuzz. The per-driver changes are mechanical and can be adapted.

Record: Expected difficulty: **medium**. Core changes likely apply
cleanly. Some driver-specific changes may need minor adjustment due to
driver-specific changes in stable trees vs mainline.

### Step 6.3: RELATED FIXES IN STABLE
Individual UAF fixes like `5abda7a16698d` (dm1105) and `29b0589a865b6`
(ene_ir) may already be in some stable trees, but they only fix specific
drivers. This systemic fix is comprehensive.

## PHASE 7: SUBSYSTEM AND MAINTAINER CONTEXT

### Step 7.1: SUBSYSTEM CRITICALITY
Media/RC subsystem - used by IR receivers on:
- TV tuner cards (USB and PCI)
- Media center remotes (iMON, MCE, Xbox)
- Embedded IR receivers (sunxi, meson, hix5hd2)
- DRM bridges with CEC/RC

Record: IMPORTANT level - affects users of IR remote control hardware
(common in HTPCs, embedded media devices).

### Step 7.2: SUBSYSTEM ACTIVITY
Active subsystem with regular maintenance from Sean Young.

## PHASE 8: IMPACT AND RISK ASSESSMENT

### Step 8.1: WHO IS AFFECTED
All users with IR remote control hardware who disconnect or unbind the
device. This includes USB IR receivers (very common for HTPC setups),
PCI TV tuner cards with IR, and embedded systems with hardware IR.

Record: Moderate user population - anyone using Linux with IR remote
control hardware.

### Step 8.2: TRIGGER CONDITIONS
- Physical USB disconnect of IR receiver
- Module unload while IR device active
- Device unbind via sysfs
- System shutdown with pending IR operations
- Concurrent with incoming IR data

Record: Common trigger conditions. USB disconnect is the most frequent.

### Step 8.3: FAILURE MODE SEVERITY
Use-after-free: Accessing freed `struct rc_dev` or `struct
ir_raw_event_ctrl` from URB/IRQ callbacks. This leads to:
- Kernel crash/oops (most likely)
- Memory corruption (possible)
- Security vulnerability (potential, if attacker controls USB device)

Record: Severity: HIGH to CRITICAL. UAF can cause crashes and is
potentially exploitable.

### Step 8.4: RISK-BENEFIT RATIO
**Benefit:** HIGH - Fixes use-after-free race in all RC drivers
systemically. Prevents crashes during device disconnect. Fixes reported
real-world bug.

**Risk:** MEDIUM - 41 files touched, but each change is 1-3 lines and
mechanically identical (add `rc_free_device()` after
`rc_unregister_device()`). The core API change is well-designed. Some
USB drivers also reorder operations to call `rc_unregister_device()`
before `usb_kill_urb()`, which is the correct order.

Record: Benefit HIGH, Risk MEDIUM. The fix is well-designed but the
scope is large.

## PHASE 9: FINAL SYNTHESIS

### Step 9.1: COMPILE THE EVIDENCE

**Evidence FOR backporting:**
- Fixes a real use-after-free race condition
- Multiple independent bug reports (4 Closes: tags)
- Written and signed by the RC subsystem maintainer (Sean Young)
- Reviewed by Patrice Chotard, merged by Hans Verkuil
- Bug has existed since 2010, affects all stable trees
- Previous individual driver fixes confirm this is a known issue pattern
- UAF can cause kernel crashes and is potentially exploitable
- The fix is logically correct - it separates unregister from free

**Evidence AGAINST backporting:**
- Very large scope: 41 files modified across multiple subsystems
- Changes a core API contract (rc_unregister_device no longer frees)
- Risk of backport conflicts due to per-driver divergence between
  mainline and stable
- Some drivers may not exist in older stable trees, requiring manual
  adaptation
- Removes `managed_alloc` infrastructure, affecting
  `devm_rc_allocate_device()` users

### Step 9.2: STABLE RULES CHECKLIST
1. Obviously correct and tested? **YES** - reviewed by maintainers,
   applied to mainline
2. Fixes a real bug? **YES** - UAF race condition with 4 bug reports
3. Important issue? **YES** - use-after-free / crash during device
   disconnect
4. Small and contained? **NO** - 41 files is very large. However, each
   change is mechanical (1-3 lines per file) and the core change is
   small (~10 lines)
5. No new features or APIs? **YES** - only changes existing API behavior
6. Can apply to stable trees? **PARTIALLY** - core changes likely apply;
   some driver changes may need adaptation

### Step 9.3: EXCEPTION CATEGORIES
Not applicable - this is a bug fix, not a device ID/quirk/DT/build fix.

### Step 9.4: DECISION
This is a genuine, important use-after-free fix from the subsystem
maintainer with multiple independent bug reports. However, the **scope
is extremely large** (41 files across multiple subsystems) and it
changes a core API contract. While each individual change is trivial and
mechanical, the sheer number of files makes this a high-risk backport.
If even one driver is missed or adapted incorrectly, it introduces a new
bug (memory leak from missing `rc_free_device()` or double-free from
calling it when not needed).

The stable kernel rules explicitly require patches to be "small and
contained." While the fix itself is correct and important, 41 files
touching DRM, HID, media PCI, media USB, and staging subsystems is not
small and contained. A backport of this magnitude would need careful
manual review for each stable tree to handle driver-specific divergence.

Verification:
- [Phase 1] Parsed tags: Reported-by: Haotian Zhang, 4 Closes: links,
  Reviewed-by: Patrice Chotard, Signed-off-by: Sean Young (author/RC
  maintainer), Hans Verkuil (media maintainer)
- [Phase 2] Diff analysis: 41 files changed, core change removes
  implicit rc_free_device() from rc_unregister_device(), each driver
  adds explicit rc_free_device() call
- [Phase 2] Verified: Current rc_unregister_device() at line 2046 has
  `if (!dev->managed_alloc) rc_free_device(dev)` - confirmed the bug
  exists
- [Phase 2] Verified: rc_dev_release() at line 1610 currently just does
  `kfree(dev)` without freeing raw events - patch adds
  ir_raw_event_free(dev) there
- [Phase 3] git blame: rc_unregister_device() implicit free from
  d8b4b5822f51e2 (2010, v2.6.36), managed_alloc from ddbf7d5a698c4d
  (2016, v4.10)
- [Phase 3] git show ddbf7d5a698c4d: confirmed managed_alloc was
  introduced by Heiner Kallweit in 2016
- [Phase 3] Found related individual driver UAF fixes: 5abda7a16698d
  (dm1105), 29b0589a865b6 (ene_ir)
- [Phase 3] git show 5abda7a16698d: confirmed dm1105 UAF race diagram
  showing exactly the same pattern
- [Phase 4] Web search found v1 and v2 submissions: v1 Dec 2025, v2 Jan
  26 2026
- [Phase 4] Found full v2 patch on freedesktop.org archives - matches
  commit
- [Phase 4] 4 separate bug reports from Haotian Zhang (Nov 2025) confirm
  real-world issue
- [Phase 5] Verified devm_rc_allocate_device callers (gpio-ir-recv,
  meson-ir, etc.) don't manually call rc_unregister_device - they use
  devm path, so they're unaffected
- [Phase 6] Bug exists since v2.6.36 (2010) - present in all stable
  trees
- [Phase 8] Trigger: USB device disconnect during IR activity - common
  operation
- UNVERIFIED: Whether all 41 files exist in all stable trees (some
  drivers may have been added/removed between releases)

This is a borderline case. The fix addresses a real, reported use-after-
free bug from the subsystem maintainer with proper review. However, the
41-file scope makes it risky for stable. On balance, the UAF is serious
enough (crash, potential security) that it warrants backporting despite
the large scope, especially since each per-driver change is mechanically
identical and trivially verifiable.

**YES**

 drivers/gpu/drm/bridge/sil-sii8620.c        | 1 +
 drivers/hid/hid-picolcd_cir.c               | 1 +
 drivers/media/cec/core/cec-core.c           | 2 +-
 drivers/media/common/siano/smsir.c          | 1 +
 drivers/media/i2c/ir-kbd-i2c.c              | 2 ++
 drivers/media/pci/bt8xx/bttv-input.c        | 3 ++-
 drivers/media/pci/cx23885/cx23885-input.c   | 1 +
 drivers/media/pci/cx88/cx88-input.c         | 3 ++-
 drivers/media/pci/dm1105/dm1105.c           | 1 +
 drivers/media/pci/mantis/mantis_input.c     | 1 +
 drivers/media/pci/saa7134/saa7134-input.c   | 1 +
 drivers/media/pci/smipcie/smipcie-ir.c      | 1 +
 drivers/media/pci/ttpci/budget-ci.c         | 1 +
 drivers/media/rc/ati_remote.c               | 6 +++---
 drivers/media/rc/ene_ir.c                   | 2 +-
 drivers/media/rc/fintek-cir.c               | 3 ++-
 drivers/media/rc/igorplugusb.c              | 1 +
 drivers/media/rc/iguanair.c                 | 1 +
 drivers/media/rc/img-ir/img-ir-hw.c         | 3 ++-
 drivers/media/rc/img-ir/img-ir-raw.c        | 3 ++-
 drivers/media/rc/imon.c                     | 3 ++-
 drivers/media/rc/ir-hix5hd2.c               | 2 +-
 drivers/media/rc/ir_toy.c                   | 1 +
 drivers/media/rc/ite-cir.c                  | 2 +-
 drivers/media/rc/mceusb.c                   | 1 +
 drivers/media/rc/rc-ir-raw.c                | 5 -----
 drivers/media/rc/rc-loopback.c              | 1 +
 drivers/media/rc/rc-main.c                  | 6 +-----
 drivers/media/rc/redrat3.c                  | 4 +++-
 drivers/media/rc/st_rc.c                    | 2 +-
 drivers/media/rc/streamzap.c                | 7 ++++---
 drivers/media/rc/sunxi-cir.c                | 1 +
 drivers/media/rc/ttusbir.c                  | 2 +-
 drivers/media/rc/winbond-cir.c              | 2 +-
 drivers/media/rc/xbox_remote.c              | 5 +++--
 drivers/media/usb/au0828/au0828-input.c     | 1 +
 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c | 1 +
 drivers/media/usb/dvb-usb/dvb-usb-remote.c  | 6 ++++--
 drivers/media/usb/em28xx/em28xx-input.c     | 1 +
 drivers/staging/media/av7110/av7110_ir.c    | 1 +
 include/media/rc-core.h                     | 2 --
 41 files changed, 58 insertions(+), 36 deletions(-)

diff --git a/drivers/gpu/drm/bridge/sil-sii8620.c b/drivers/gpu/drm/bridge/sil-sii8620.c
index d3f238b1f2a94..982306eb4f0a7 100644
--- a/drivers/gpu/drm/bridge/sil-sii8620.c
+++ b/drivers/gpu/drm/bridge/sil-sii8620.c
@@ -2221,6 +2221,7 @@ static void sii8620_detach(struct drm_bridge *bridge)
 		return;
 
 	rc_unregister_device(ctx->rc_dev);
+	rc_free_device(ctx->rc_dev);
 }
 
 static int sii8620_is_packing_required(struct sii8620 *ctx,
diff --git a/drivers/hid/hid-picolcd_cir.c b/drivers/hid/hid-picolcd_cir.c
index d6faa0e00f95a..6d4c636e1c9f7 100644
--- a/drivers/hid/hid-picolcd_cir.c
+++ b/drivers/hid/hid-picolcd_cir.c
@@ -134,5 +134,6 @@ void picolcd_exit_cir(struct picolcd_data *data)
 
 	data->rc_dev = NULL;
 	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 }
 
diff --git a/drivers/media/cec/core/cec-core.c b/drivers/media/cec/core/cec-core.c
index 1953ce559ecaf..0fcd3b5e60c8d 100644
--- a/drivers/media/cec/core/cec-core.c
+++ b/drivers/media/cec/core/cec-core.c
@@ -338,8 +338,8 @@ int cec_register_adapter(struct cec_adapter *adap,
 	res = cec_devnode_register(&adap->devnode, adap->owner);
 	if (res) {
 #ifdef CONFIG_MEDIA_CEC_RC
-		/* Note: rc_unregister also calls rc_free */
 		rc_unregister_device(adap->rc);
+		rc_free_device(adap->rc);
 		adap->rc = NULL;
 #endif
 		return res;
diff --git a/drivers/media/common/siano/smsir.c b/drivers/media/common/siano/smsir.c
index af07fed21ae12..283770d583d56 100644
--- a/drivers/media/common/siano/smsir.c
+++ b/drivers/media/common/siano/smsir.c
@@ -92,6 +92,7 @@ int sms_ir_init(struct smscore_device_t *coredev)
 void sms_ir_exit(struct smscore_device_t *coredev)
 {
 	rc_unregister_device(coredev->ir.dev);
+	rc_free_device(coredev->ir.dev);
 
 	pr_debug("\n");
 }
diff --git a/drivers/media/i2c/ir-kbd-i2c.c b/drivers/media/i2c/ir-kbd-i2c.c
index 5588cdd7ec20d..6047453170043 100644
--- a/drivers/media/i2c/ir-kbd-i2c.c
+++ b/drivers/media/i2c/ir-kbd-i2c.c
@@ -355,6 +355,7 @@ static void ir_work(struct work_struct *work)
 		mutex_unlock(&ir->lock);
 		if (rc == -ENODEV) {
 			rc_unregister_device(ir->rc);
+			rc_free_device(ir->rc);
 			ir->rc = NULL;
 			return;
 		}
@@ -972,6 +973,7 @@ static void ir_remove(struct i2c_client *client)
 	i2c_unregister_device(ir->tx_c);
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 }
 
 static const struct i2c_device_id ir_kbd_id[] = {
diff --git a/drivers/media/pci/bt8xx/bttv-input.c b/drivers/media/pci/bt8xx/bttv-input.c
index 373b6c6817d76..f704476506e07 100644
--- a/drivers/media/pci/bt8xx/bttv-input.c
+++ b/drivers/media/pci/bt8xx/bttv-input.c
@@ -572,8 +572,9 @@ void bttv_input_fini(struct bttv *btv)
 	if (btv->remote == NULL)
 		return;
 
-	bttv_ir_stop(btv);
 	rc_unregister_device(btv->remote->dev);
+	bttv_ir_stop(btv);
+	rc_free_device(btv->remote->dev);
 	kfree(btv->remote);
 	btv->remote = NULL;
 }
diff --git a/drivers/media/pci/cx23885/cx23885-input.c b/drivers/media/pci/cx23885/cx23885-input.c
index ffbbeca8a8e5f..554767b8ef2bf 100644
--- a/drivers/media/pci/cx23885/cx23885-input.c
+++ b/drivers/media/pci/cx23885/cx23885-input.c
@@ -402,6 +402,7 @@ void cx23885_input_fini(struct cx23885_dev *dev)
 	if (dev->kernel_ir == NULL)
 		return;
 	rc_unregister_device(dev->kernel_ir->rc);
+	rc_free_device(dev->kernel_ir->rc);
 	kfree(dev->kernel_ir->phys);
 	kfree(dev->kernel_ir->name);
 	kfree(dev->kernel_ir);
diff --git a/drivers/media/pci/cx88/cx88-input.c b/drivers/media/pci/cx88/cx88-input.c
index e958eecb29c5c..5d9ce4f9af011 100644
--- a/drivers/media/pci/cx88/cx88-input.c
+++ b/drivers/media/pci/cx88/cx88-input.c
@@ -509,8 +509,9 @@ int cx88_ir_fini(struct cx88_core *core)
 	if (!ir)
 		return 0;
 
-	cx88_ir_stop(core);
 	rc_unregister_device(ir->dev);
+	cx88_ir_stop(core);
+	rc_free_device(ir->dev);
 	kfree(ir);
 
 	/* done */
diff --git a/drivers/media/pci/dm1105/dm1105.c b/drivers/media/pci/dm1105/dm1105.c
index de05d8b0f9dc5..bbd24769ae56b 100644
--- a/drivers/media/pci/dm1105/dm1105.c
+++ b/drivers/media/pci/dm1105/dm1105.c
@@ -763,6 +763,7 @@ static int dm1105_ir_init(struct dm1105_dev *dm1105)
 static void dm1105_ir_exit(struct dm1105_dev *dm1105)
 {
 	rc_unregister_device(dm1105->ir.dev);
+	rc_free_device(dm1105->ir.dev);
 }
 
 static int dm1105_hw_init(struct dm1105_dev *dev)
diff --git a/drivers/media/pci/mantis/mantis_input.c b/drivers/media/pci/mantis/mantis_input.c
index 34c0d979240fd..edb4cacf55d22 100644
--- a/drivers/media/pci/mantis/mantis_input.c
+++ b/drivers/media/pci/mantis/mantis_input.c
@@ -72,5 +72,6 @@ EXPORT_SYMBOL_GPL(mantis_input_init);
 void mantis_input_exit(struct mantis_pci *mantis)
 {
 	rc_unregister_device(mantis->rc);
+	rc_free_device(mantis->rc);
 }
 EXPORT_SYMBOL_GPL(mantis_input_exit);
diff --git a/drivers/media/pci/saa7134/saa7134-input.c b/drivers/media/pci/saa7134/saa7134-input.c
index 5b71014157808..7f6680de31564 100644
--- a/drivers/media/pci/saa7134/saa7134-input.c
+++ b/drivers/media/pci/saa7134/saa7134-input.c
@@ -834,6 +834,7 @@ void saa7134_input_fini(struct saa7134_dev *dev)
 		return;
 
 	rc_unregister_device(dev->remote->dev);
+	rc_free_device(dev->remote->dev);
 	kfree(dev->remote);
 	dev->remote = NULL;
 }
diff --git a/drivers/media/pci/smipcie/smipcie-ir.c b/drivers/media/pci/smipcie/smipcie-ir.c
index c0604d9c70119..0bbe4fa2d5a84 100644
--- a/drivers/media/pci/smipcie/smipcie-ir.c
+++ b/drivers/media/pci/smipcie/smipcie-ir.c
@@ -181,5 +181,6 @@ void smi_ir_exit(struct smi_dev *dev)
 
 	rc_unregister_device(rc_dev);
 	smi_ir_stop(ir);
+	rc_free_device(rc_dev);
 	ir->rc_dev = NULL;
 }
diff --git a/drivers/media/pci/ttpci/budget-ci.c b/drivers/media/pci/ttpci/budget-ci.c
index 3709c0fb23b07..8b496b959d7ea 100644
--- a/drivers/media/pci/ttpci/budget-ci.c
+++ b/drivers/media/pci/ttpci/budget-ci.c
@@ -249,6 +249,7 @@ static void msp430_ir_deinit(struct budget_ci *budget_ci)
 	cancel_work_sync(&budget_ci->ir.msp430_irq_bh_work);
 
 	rc_unregister_device(budget_ci->ir.dev);
+	rc_free_device(budget_ci->ir.dev);
 }
 
 static int ciintf_read_attribute_mem(struct dvb_ca_en50221 *ca, int slot, int address)
diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c
index 78abe810a88e7..51d85de24fae3 100644
--- a/drivers/media/rc/ati_remote.c
+++ b/drivers/media/rc/ati_remote.c
@@ -921,7 +921,6 @@ static int ati_remote_probe(struct usb_interface *interface,
 	input_free_device(input_dev);
  exit_unregister_device:
 	rc_unregister_device(rc_dev);
-	rc_dev = NULL;
  exit_kill_urbs:
 	usb_kill_urb(ati_remote->irq_urb);
 	usb_kill_urb(ati_remote->out_urb);
@@ -941,18 +940,19 @@ static void ati_remote_disconnect(struct usb_interface *interface)
 	struct ati_remote *ati_remote;
 
 	ati_remote = usb_get_intfdata(interface);
-	usb_set_intfdata(interface, NULL);
 	if (!ati_remote) {
 		dev_warn(&interface->dev, "%s - null device?\n", __func__);
 		return;
 	}
 
+	rc_unregister_device(ati_remote->rdev);
+	usb_set_intfdata(interface, NULL);
 	usb_kill_urb(ati_remote->irq_urb);
 	usb_kill_urb(ati_remote->out_urb);
 	if (ati_remote->idev)
 		input_unregister_device(ati_remote->idev);
-	rc_unregister_device(ati_remote->rdev);
 	ati_remote_free_buffers(ati_remote);
+	rc_free_device(ati_remote->rdev);
 	kfree(ati_remote);
 }
 
diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c
index f8120605501ab..6f7dccc965e7f 100644
--- a/drivers/media/rc/ene_ir.c
+++ b/drivers/media/rc/ene_ir.c
@@ -1090,7 +1090,6 @@ static int ene_probe(struct pnp_dev *pnp_dev, const struct pnp_device_id *id)
 	release_region(dev->hw_io, ENE_IO_SIZE);
 exit_unregister_device:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 exit_free_dev_rdev:
 	rc_free_device(rdev);
 	kfree(dev);
@@ -1110,6 +1109,7 @@ static void ene_remove(struct pnp_dev *pnp_dev)
 	ene_rx_restore_hw_buffer(dev);
 	spin_unlock_irqrestore(&dev->hw_lock, flags);
 
+	rc_free_device(dev->rdev);
 	free_irq(dev->irq, dev);
 	release_region(dev->hw_io, ENE_IO_SIZE);
 	kfree(dev);
diff --git a/drivers/media/rc/fintek-cir.c b/drivers/media/rc/fintek-cir.c
index f7cfa8a073ebc..5055dfc3f4651 100644
--- a/drivers/media/rc/fintek-cir.c
+++ b/drivers/media/rc/fintek-cir.c
@@ -568,6 +568,7 @@ static void fintek_remove(struct pnp_dev *pdev)
 	struct fintek_dev *fintek = pnp_get_drvdata(pdev);
 	unsigned long flags;
 
+	rc_unregister_device(fintek->rdev);
 	spin_lock_irqsave(&fintek->fintek_lock, flags);
 	/* disable CIR */
 	fintek_disable_cir(fintek);
@@ -580,7 +581,7 @@ static void fintek_remove(struct pnp_dev *pdev)
 	free_irq(fintek->cir_irq, fintek);
 	release_region(fintek->cir_addr, fintek->cir_port_len);
 
-	rc_unregister_device(fintek->rdev);
+	rc_free_device(fintek->rdev);
 
 	kfree(fintek);
 }
diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c
index e034c93d57cf0..5ceb5ca44e235 100644
--- a/drivers/media/rc/igorplugusb.c
+++ b/drivers/media/rc/igorplugusb.c
@@ -242,6 +242,7 @@ static void igorplugusb_disconnect(struct usb_interface *intf)
 	usb_set_intfdata(intf, NULL);
 	usb_unpoison_urb(ir->urb);
 	usb_free_urb(ir->urb);
+	rc_free_device(ir->rc);
 	kfree(ir->buf_in);
 }
 
diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c
index c508f2536243e..0c5b8befb0af3 100644
--- a/drivers/media/rc/iguanair.c
+++ b/drivers/media/rc/iguanair.c
@@ -500,6 +500,7 @@ static void iguanair_disconnect(struct usb_interface *intf)
 	usb_set_intfdata(intf, NULL);
 	usb_kill_urb(ir->urb_in);
 	usb_kill_urb(ir->urb_out);
+	rc_free_device(ir->rc);
 	usb_free_urb(ir->urb_in);
 	usb_free_urb(ir->urb_out);
 	usb_free_coherent(ir->udev, MAX_IN_PACKET, ir->buf_in, ir->dma_in);
diff --git a/drivers/media/rc/img-ir/img-ir-hw.c b/drivers/media/rc/img-ir/img-ir-hw.c
index 63f6f5b36838d..f30adf4d8444d 100644
--- a/drivers/media/rc/img-ir/img-ir-hw.c
+++ b/drivers/media/rc/img-ir/img-ir-hw.c
@@ -1118,9 +1118,10 @@ void img_ir_remove_hw(struct img_ir_priv *priv)
 	struct rc_dev *rdev = hw->rdev;
 	if (!rdev)
 		return;
+	rc_unregister_device(rdev);
 	img_ir_set_decoder(priv, NULL, 0);
 	hw->rdev = NULL;
-	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 #ifdef CONFIG_COMMON_CLK
 	if (!IS_ERR(priv->clk))
 		clk_notifier_unregister(priv->clk, &hw->clk_nb);
diff --git a/drivers/media/rc/img-ir/img-ir-raw.c b/drivers/media/rc/img-ir/img-ir-raw.c
index 92fb7b555a0f6..f1460d4acf3e8 100644
--- a/drivers/media/rc/img-ir/img-ir-raw.c
+++ b/drivers/media/rc/img-ir/img-ir-raw.c
@@ -136,6 +136,7 @@ void img_ir_remove_raw(struct img_ir_priv *priv)
 	if (!rdev)
 		return;
 
+	rc_unregister_device(rdev);
 	/* switch off and disable raw (edge) interrupts */
 	spin_lock_irq(&priv->lock);
 	raw->rdev = NULL;
@@ -145,7 +146,7 @@ void img_ir_remove_raw(struct img_ir_priv *priv)
 	img_ir_write(priv, IMG_IR_IRQ_CLEAR, IMG_IR_IRQ_EDGE);
 	spin_unlock_irq(&priv->lock);
 
-	rc_unregister_device(rdev);
+	rc_free_device(rdev);
 
 	timer_delete_sync(&raw->timer);
 }
diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index 7e92161105d53..310c9fc9ae91c 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -2541,9 +2541,10 @@ static void imon_disconnect(struct usb_interface *interface)
 
 	if (ifnum == 0) {
 		ictx->dev_present_intf0 = false;
+		rc_unregister_device(ictx->rdev);
 		usb_kill_urb(ictx->rx_urb_intf0);
 		input_unregister_device(ictx->idev);
-		rc_unregister_device(ictx->rdev);
+		rc_free_device(ictx->rdev);
 		if (ictx->display_supported) {
 			if (ictx->display_type == IMON_DISPLAY_TYPE_LCD)
 				usb_deregister_dev(interface, &imon_lcd_class);
diff --git a/drivers/media/rc/ir-hix5hd2.c b/drivers/media/rc/ir-hix5hd2.c
index edc46828509c8..1b061e4a3dcfa 100644
--- a/drivers/media/rc/ir-hix5hd2.c
+++ b/drivers/media/rc/ir-hix5hd2.c
@@ -331,7 +331,6 @@ static int hix5hd2_ir_probe(struct platform_device *pdev)
 
 regerr:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 clkerr:
 	clk_disable_unprepare(priv->clock);
 err:
@@ -346,6 +345,7 @@ static void hix5hd2_ir_remove(struct platform_device *pdev)
 
 	clk_disable_unprepare(priv->clock);
 	rc_unregister_device(priv->rdev);
+	rc_free_device(priv->rdev);
 }
 
 #ifdef CONFIG_PM_SLEEP
diff --git a/drivers/media/rc/ir_toy.c b/drivers/media/rc/ir_toy.c
index d6472de5da87d..089833e411786 100644
--- a/drivers/media/rc/ir_toy.c
+++ b/drivers/media/rc/ir_toy.c
@@ -536,6 +536,7 @@ static void irtoy_disconnect(struct usb_interface *intf)
 	usb_free_urb(ir->urb_out);
 	usb_kill_urb(ir->urb_in);
 	usb_free_urb(ir->urb_in);
+	rc_free_device(ir->rc);
 	kfree(ir->in);
 	kfree(ir->out);
 	kfree(ir);
diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
index bf544517c67a9..bde2a70512310 100644
--- a/drivers/media/rc/ite-cir.c
+++ b/drivers/media/rc/ite-cir.c
@@ -1414,7 +1414,6 @@ static int ite_probe(struct pnp_dev *pdev, const struct pnp_device_id
 	release_region(itdev->cir_addr, itdev->params->io_region_size);
 exit_unregister_device:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 exit_free_dev_rdev:
 	rc_free_device(rdev);
 	kfree(itdev);
@@ -1439,6 +1438,7 @@ static void ite_remove(struct pnp_dev *pdev)
 	release_region(dev->cir_addr, dev->params->io_region_size);
 
 	rc_unregister_device(dev->rdev);
+	rc_free_device(dev->rdev);
 
 	kfree(dev);
 }
diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c
index ed55e9ec3c570..06222eee17540 100644
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1850,6 +1850,7 @@ static void mceusb_dev_disconnect(struct usb_interface *intf)
 	usb_free_urb(ir->urb_in);
 	usb_free_coherent(dev, ir->len_in, ir->buf_in, ir->dma_in);
 	usb_put_dev(dev);
+	rc_free_device(ir->rc);
 
 	kfree(ir);
 }
diff --git a/drivers/media/rc/rc-ir-raw.c b/drivers/media/rc/rc-ir-raw.c
index 2e269ef5e26be..ba24c2f22d39f 100644
--- a/drivers/media/rc/rc-ir-raw.c
+++ b/drivers/media/rc/rc-ir-raw.c
@@ -648,9 +648,6 @@ int ir_raw_event_register(struct rc_dev *dev)
 
 void ir_raw_event_free(struct rc_dev *dev)
 {
-	if (!dev)
-		return;
-
 	kfree(dev->raw);
 	dev->raw = NULL;
 }
@@ -674,8 +671,6 @@ void ir_raw_event_unregister(struct rc_dev *dev)
 
 	lirc_bpf_free(dev);
 
-	ir_raw_event_free(dev);
-
 	/*
 	 * A user can be calling bpf(BPF_PROG_{QUERY|ATTACH|DETACH}), so
 	 * ensure that the raw member is null on unlock; this is how
diff --git a/drivers/media/rc/rc-loopback.c b/drivers/media/rc/rc-loopback.c
index 78ac09b3cbd34..53d0540717b36 100644
--- a/drivers/media/rc/rc-loopback.c
+++ b/drivers/media/rc/rc-loopback.c
@@ -263,6 +263,7 @@ static int __init loop_init(void)
 static void __exit loop_exit(void)
 {
 	rc_unregister_device(loopdev.dev);
+	rc_free_device(loopdev.dev);
 }
 
 module_init(loop_init);
diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index 821607504008a..dda3479ea3add 100644
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -1611,6 +1611,7 @@ static void rc_dev_release(struct device *device)
 {
 	struct rc_dev *dev = to_rc_dev(device);
 
+	ir_raw_event_free(dev);
 	kfree(dev);
 }
 
@@ -1773,7 +1774,6 @@ struct rc_dev *devm_rc_allocate_device(struct device *dev,
 	}
 
 	rc->dev.parent = dev;
-	rc->managed_alloc = true;
 	*dr = rc;
 	devres_add(dev, dr);
 
@@ -2042,11 +2042,7 @@ void rc_unregister_device(struct rc_dev *dev)
 	device_del(&dev->dev);
 
 	ida_free(&rc_ida, dev->minor);
-
-	if (!dev->managed_alloc)
-		rc_free_device(dev);
 }
-
 EXPORT_SYMBOL_GPL(rc_unregister_device);
 
 /*
diff --git a/drivers/media/rc/redrat3.c b/drivers/media/rc/redrat3.c
index 3b917a2a89188..3f828a564e192 100644
--- a/drivers/media/rc/redrat3.c
+++ b/drivers/media/rc/redrat3.c
@@ -1131,11 +1131,13 @@ static void redrat3_dev_disconnect(struct usb_interface *intf)
 {
 	struct usb_device *udev = interface_to_usbdev(intf);
 	struct redrat3_dev *rr3 = usb_get_intfdata(intf);
+	struct rc_dev *rc = rr3->rc;
 
 	usb_set_intfdata(intf, NULL);
-	rc_unregister_device(rr3->rc);
+	rc_unregister_device(rc);
 	led_classdev_unregister(&rr3->led);
 	redrat3_delete(rr3, udev);
+	rc_free_device(rc);
 }
 
 static int redrat3_dev_suspend(struct usb_interface *intf, pm_message_t message)
diff --git a/drivers/media/rc/st_rc.c b/drivers/media/rc/st_rc.c
index 6b70bac5f45d6..0ba06bfc9e14b 100644
--- a/drivers/media/rc/st_rc.c
+++ b/drivers/media/rc/st_rc.c
@@ -203,6 +203,7 @@ static void st_rc_remove(struct platform_device *pdev)
 	device_init_wakeup(&pdev->dev, false);
 	clk_disable_unprepare(rc_dev->sys_clock);
 	rc_unregister_device(rc_dev->rdev);
+	rc_free_device(rc_dev->rdev);
 }
 
 static int st_rc_open(struct rc_dev *rdev)
@@ -334,7 +335,6 @@ static int st_rc_probe(struct platform_device *pdev)
 	return ret;
 rcerr:
 	rc_unregister_device(rdev);
-	rdev = NULL;
 clkerr:
 	clk_disable_unprepare(rc_dev->sys_clock);
 err:
diff --git a/drivers/media/rc/streamzap.c b/drivers/media/rc/streamzap.c
index 5a18603f9a95c..7103da57c19f1 100644
--- a/drivers/media/rc/streamzap.c
+++ b/drivers/media/rc/streamzap.c
@@ -388,15 +388,16 @@ static void streamzap_disconnect(struct usb_interface *interface)
 	struct streamzap_ir *sz = usb_get_intfdata(interface);
 	struct usb_device *usbdev = interface_to_usbdev(interface);
 
-	usb_set_intfdata(interface, NULL);
-
 	if (!sz)
 		return;
 
-	usb_kill_urb(sz->urb_in);
 	rc_unregister_device(sz->rdev);
+	usb_set_intfdata(interface, NULL);
+
+	usb_kill_urb(sz->urb_in);
 	usb_free_urb(sz->urb_in);
 	usb_free_coherent(usbdev, sz->buf_in_len, sz->buf_in, sz->dma_in);
+	rc_free_device(sz->rdev);
 
 	kfree(sz);
 }
diff --git a/drivers/media/rc/sunxi-cir.c b/drivers/media/rc/sunxi-cir.c
index 92ef4e7c6f69f..cb4c56bf0752a 100644
--- a/drivers/media/rc/sunxi-cir.c
+++ b/drivers/media/rc/sunxi-cir.c
@@ -371,6 +371,7 @@ static void sunxi_ir_remove(struct platform_device *pdev)
 	struct sunxi_ir *ir = platform_get_drvdata(pdev);
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 	sunxi_ir_hw_exit(&pdev->dev);
 }
 
diff --git a/drivers/media/rc/ttusbir.c b/drivers/media/rc/ttusbir.c
index 110a469001146..a2a64a860264b 100644
--- a/drivers/media/rc/ttusbir.c
+++ b/drivers/media/rc/ttusbir.c
@@ -333,7 +333,6 @@ static int ttusbir_probe(struct usb_interface *intf,
 	return 0;
 out3:
 	rc_unregister_device(rc);
-	rc = NULL;
 out2:
 	led_classdev_unregister(&tt->led);
 out:
@@ -373,6 +372,7 @@ static void ttusbir_disconnect(struct usb_interface *intf)
 	}
 	usb_kill_urb(tt->bulk_urb);
 	usb_free_urb(tt->bulk_urb);
+	rc_free_device(tt->rc);
 	usb_set_intfdata(intf, NULL);
 	kfree(tt);
 }
diff --git a/drivers/media/rc/winbond-cir.c b/drivers/media/rc/winbond-cir.c
index 515469dd82d4c..8e804661a6215 100644
--- a/drivers/media/rc/winbond-cir.c
+++ b/drivers/media/rc/winbond-cir.c
@@ -1132,7 +1132,6 @@ wbcir_probe(struct pnp_dev *device, const struct pnp_device_id *dev_id)
 	release_region(data->wbase, WAKEUP_IOMEM_LEN);
 exit_unregister_device:
 	rc_unregister_device(data->dev);
-	data->dev = NULL;
 exit_free_rc:
 	rc_free_device(data->dev);
 exit_unregister_led:
@@ -1163,6 +1162,7 @@ wbcir_remove(struct pnp_dev *device)
 	wbcir_set_bits(data->wbase + WBCIR_REG_WCEIR_EV_EN, 0x00, 0x07);
 
 	rc_unregister_device(data->dev);
+	rc_free_device(data->dev);
 
 	led_classdev_unregister(&data->led);
 
diff --git a/drivers/media/rc/xbox_remote.c b/drivers/media/rc/xbox_remote.c
index 3e3da70cf8da0..c64123e9d16a5 100644
--- a/drivers/media/rc/xbox_remote.c
+++ b/drivers/media/rc/xbox_remote.c
@@ -277,14 +277,15 @@ static void xbox_remote_disconnect(struct usb_interface *interface)
 	struct xbox_remote *xbox_remote;
 
 	xbox_remote = usb_get_intfdata(interface);
-	usb_set_intfdata(interface, NULL);
 	if (!xbox_remote) {
 		dev_warn(&interface->dev, "%s - null device?\n", __func__);
 		return;
 	}
 
-	usb_kill_urb(xbox_remote->irq_urb);
 	rc_unregister_device(xbox_remote->rdev);
+	usb_set_intfdata(interface, NULL);
+	usb_kill_urb(xbox_remote->irq_urb);
+	rc_free_device(xbox_remote->rdev);
 	usb_free_urb(xbox_remote->irq_urb);
 	kfree(xbox_remote);
 }
diff --git a/drivers/media/usb/au0828/au0828-input.c b/drivers/media/usb/au0828/au0828-input.c
index 7dec1a360da6a..81d0165a3064d 100644
--- a/drivers/media/usb/au0828/au0828-input.c
+++ b/drivers/media/usb/au0828/au0828-input.c
@@ -357,6 +357,7 @@ void au0828_rc_unregister(struct au0828_dev *dev)
 		return;
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 
 	/* done */
 	kfree(ir);
diff --git a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
index 600cff8a4abdc..bd86d250433df 100644
--- a/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
+++ b/drivers/media/usb/dvb-usb-v2/dvb_usb_core.c
@@ -187,6 +187,7 @@ static int dvb_usbv2_remote_exit(struct dvb_usb_device *d)
 	if (d->rc_dev) {
 		cancel_delayed_work_sync(&d->rc_query_work);
 		rc_unregister_device(d->rc_dev);
+		rc_free_device(d->rc_dev);
 		d->rc_dev = NULL;
 	}
 
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-remote.c b/drivers/media/usb/dvb-usb/dvb-usb-remote.c
index 65e2c9e2cdc99..6dc11718dfb98 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-remote.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-remote.c
@@ -347,10 +347,12 @@ int dvb_usb_remote_exit(struct dvb_usb_device *d)
 {
 	if (d->state & DVB_USB_STATE_REMOTE) {
 		cancel_delayed_work_sync(&d->rc_query_work);
-		if (d->props.rc.mode == DVB_RC_LEGACY)
+		if (d->props.rc.mode == DVB_RC_LEGACY) {
 			input_unregister_device(d->input_dev);
-		else
+		} else {
 			rc_unregister_device(d->rc_dev);
+			rc_free_device(d->rc_dev);
+		}
 	}
 	d->state &= ~DVB_USB_STATE_REMOTE;
 	return 0;
diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
index 20fdd59b55185..ab61d9a29b10e 100644
--- a/drivers/media/usb/em28xx/em28xx-input.c
+++ b/drivers/media/usb/em28xx/em28xx-input.c
@@ -853,6 +853,7 @@ static int em28xx_ir_fini(struct em28xx *dev)
 		goto ref_put;
 
 	rc_unregister_device(ir->rc);
+	rc_free_device(ir->rc);
 
 	kfree(ir->i2c_client);
 
diff --git a/drivers/staging/media/av7110/av7110_ir.c b/drivers/staging/media/av7110/av7110_ir.c
index 68b3979ba5f20..fdae467fd7ab8 100644
--- a/drivers/staging/media/av7110/av7110_ir.c
+++ b/drivers/staging/media/av7110/av7110_ir.c
@@ -151,6 +151,7 @@ int av7110_ir_init(struct av7110 *av7110)
 void av7110_ir_exit(struct av7110 *av7110)
 {
 	rc_unregister_device(av7110->ir.rcdev);
+	rc_free_device(av7110->ir.rcdev);
 }
 
 //MODULE_AUTHOR("Holger Waechtler <holger@convergence.de>, Oliver Endriss <o.endriss@gmx.de>");
diff --git a/include/media/rc-core.h b/include/media/rc-core.h
index 35c7a0546f02e..7c964b5ad7926 100644
--- a/include/media/rc-core.h
+++ b/include/media/rc-core.h
@@ -81,7 +81,6 @@ struct lirc_fh {
 /**
  * struct rc_dev - represents a remote control device
  * @dev: driver model's view of this device
- * @managed_alloc: devm_rc_allocate_device was used to create rc_dev
  * @registered: set to true by rc_register_device(), false by
  *	rc_unregister_device
  * @idle: used to keep track of RX state
@@ -156,7 +155,6 @@ struct lirc_fh {
  */
 struct rc_dev {
 	struct device			dev;
-	bool				managed_alloc;
 	bool				registered;
 	bool				idle;
 	bool				encode_wakeup;
-- 
2.53.0

[PATCH AUTOSEL 7.0-5.10] media: renesas: vsp1: rpf: Fix crop left and top clamping

[Sasha Levin]

From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>

[ Upstream commit 55823379e61511d534b099949608677d703f709b ]

The RPF doesn't enforces the alignment constraint on the sink pad
format, which could have an odd size, possibly down to 1x1. In that
case, the upper bounds for the left and top coordinates clamping would
become negative, cast to a very large positive value. Incorrect crop
rectangle coordinates would then be incorrectly accepted.

A second issue can occur when the requested left and top coordinates are
negative. They are cast to a large unsigned value, clamped to the
maximum. While the calculation will produce valid values for the
hardware, this is not compliant with the V4L2 specification that
requires values to be adjusted to the closest valid value.

Fix both issues by switching to signed clamping, with an explicit
minimum to adjust negative values, and adjusting the clamp bounds to
avoid negative upper bounds.

Tested-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
Tested-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> # HiHope RZ/G2M
Link: https://patch.msgid.link/20260318235907.831556-5-laurent.pinchart+renesas@ideasonboard.com
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Now let me compile the full analysis.

---

## PHASE 1: COMMIT MESSAGE FORENSICS

**Step 1.1: Subject Line**
- Subsystem: `media: renesas: vsp1: rpf`
- Action verb: "Fix"
- Summary: Fix crop left and top coordinate clamping in the RPF
  subdevice

**Step 1.2: Tags**
- Tested-by: Niklas Söderlund (Renesas contributor/tester)
- Reviewed-by: Jacopo Mondi (media subsystem reviewer)
- Tested-by: Lad Prabhakar (Renesas RZ/G2M platform tester)
- Link: `https://patch.msgid.link/20260318235907.831556-5-
  laurent.pinchart+renesas@ideasonboard.com`
- Signed-off-by: Laurent Pinchart (subsystem author/maintainer)
- Signed-off-by: Hans Verkuil (V4L2 subsystem co-maintainer)
- Notable: TWO independent Tested-by tags from different engineers on
  different platforms, plus a Reviewed-by. No Fixes: tag (expected for
  autosel candidates). No Reported-by or syzbot.

**Step 1.3: Commit Body**
Two distinct bugs described:
1. When the sink pad format has odd dimensions (e.g. 1x1),
   `format->width - 2` underflows when used as `unsigned int`, producing
   a huge value. The `min_t(unsigned int, ...)` then fails to bound the
   coordinate.
2. Negative `left`/`top` values (from userspace - `__s32` type) are cast
   to large unsigned values, clamped to the maximum rather than to the
   closest valid value (0). This violates the V4L2 specification.

**Step 1.4: Hidden Bug Fix Detection**
This is explicitly labeled "Fix" — no disguise needed.

---

## PHASE 2: DIFF ANALYSIS

**Step 2.1: Inventory**
- Single file changed: `drivers/media/platform/renesas/vsp1/vsp1_rwpf.c`
- Single function modified: `vsp1_rwpf_set_selection()`
- ~20 lines of net change (added local variables, updated clamping
  logic, added comments)
- Scope: single-file surgical fix

**Step 2.2: Code Flow Change**

Before:
```c
sel->r.left = min_t(unsigned int, sel->r.left, format->width - 2);
sel->r.top = min_t(unsigned int, sel->r.top, format->height - 2);
```

After:
```c
// min_width/min_height computed to avoid negative upper bounds
sel->r.left = clamp_t(int, sel->r.left, 0, format->width - min_width);
sel->r.top = clamp_t(int, sel->r.top, 0, format->height - min_height);
```

**Step 2.3: Bug Mechanism**
This is a **type/integer overflow bug** (category g: logic/correctness +
category f: type bugs):

- `struct v4l2_rect` has `__s32 left` and `__s32 top` (confirmed at
  `include/uapi/linux/videodev2.h:442-447`)
- `RWPF_MIN_WIDTH = 1` and `RWPF_MIN_HEIGHT = 1` — so format can legally
  be 1x1
- For YUV formats, the hardcoded `format->width - 2` becomes `-1` when
  `width=1`
- `min_t(unsigned int, ...)` casts this to `0xFFFFFFFF` (~4 billion),
  making the clamp a no-op
- Negative `sel->r.left` values (valid `__s32` input) also wrap to huge
  unsigned values

**Step 2.4: Fix Quality**
- Obviously correct: switches to signed clamping (`clamp_t(int, ...)`
  with explicit 0 lower bound)
- Prevents underflow by computing `min_width = min(ALIGN(min_width, 2),
  format->width)` which guarantees `format->width - min_width >= 0`
- Minimal/surgical: changes only the clamping logic in one function
- Very low regression risk: identical behavior for well-formed inputs;
  only corrects behavior for edge cases

---

## PHASE 3: GIT HISTORY INVESTIGATION

**Step 3.1: Blame**
- The buggy `min_t(unsigned int, ...)` lines were introduced by commit
  `e5ad37b64de975` ("[media] v4l: vsp1: Add cropping support", Laurent
  Pinchart, 2013-08-24) — this is from the v3.12 era
- The YUV alignment code (which creates the `format->width - 2` problem
  for odd formats) was added by `85a0638b7855df` (Damian Hobson-Garcia,
  2015-05-28)
- Bug has existed since 2013/2015 — present in ALL active stable trees

**Step 3.2: No Fixes: tag present** (expected for autosel)

**Step 3.3: File History**
Recent commits to this file are mostly from Laurent Pinchart adding
colorspace support features. The bug fix is standalone and does not
depend on any of those feature commits.

**Step 3.4: Author**
Laurent Pinchart is the original author and subsystem maintainer for the
VSP1 driver (wrote the file in 2013). He is the most qualified person to
fix this code.

**Step 3.5: Dependencies**
- `clamp_t` macro exists in all stable trees (confirmed: present in
  v5.15 at `include/linux/minmax.h:124`)
- `RWPF_MIN_WIDTH`/`RWPF_MIN_HEIGHT` exist in the same file in all
  versions
- The fix is standalone — no prerequisites needed

---

## PHASE 4: MAILING LIST / EXTERNAL RESEARCH

**Step 4.1-4.2:** Lore.kernel.org is protected by anti-bot (Anubis),
direct web fetches failed. b4 dig could not locate the exact commit by
message-id. However:
- The patch was reviewed and tested by two independent testers and an
  experienced reviewer
- Hans Verkuil (V4L2 co-maintainer) applied it
- Part of a series (patch 5 of N) but this specific patch is a self-
  contained bug fix

**Step 4.3-4.5:** Could not verify lore discussion directly due to anti-
bot protection.

---

## PHASE 5: CODE SEMANTIC ANALYSIS

**Step 5.1: Functions Modified**
Only `vsp1_rwpf_set_selection()` is modified.

**Step 5.2: Callers**
- Registered as `.set_selection` pad operation in `vsp1_rwpf_pad_ops`
- Called from userspace via `VIDIOC_SUBDEV_S_SELECTION` ioctl (standard
  V4L2 path)
- Called from `vsp1_drm.c:157` during DRM pipeline configuration
- Both are real-world, commonly exercised code paths on Renesas
  platforms

**Step 5.3-5.4: Call Chain**
Userspace → V4L2 ioctl → subdev dispatch → `vsp1_rwpf_set_selection()`
The buggy path is directly reachable from userspace with arbitrary crop
rectangle values.

**Step 5.5: Similar Patterns**
Other `set_selection` implementations in the same driver
(`uif_set_selection`, `histo_set_selection`, `brx_set_selection`) use
different clamping logic and are not affected by this same bug.

---

## PHASE 6: STABLE TREE ANALYSIS

**Step 6.1: Buggy Code in Stable Trees**
Verified the exact same buggy lines exist in:
- **v5.15**: `min_t(unsigned int, sel->r.left, format->width - 2)` at
  line 225 (path: `drivers/media/platform/vsp1/vsp1_rwpf.c`)
- **v6.1**: Same code at line 225 (path:
  `drivers/media/platform/renesas/vsp1/vsp1_rwpf.c`)
- **v6.6**: Same code at line 225
- **v6.12**: Same code at line 212

**Step 6.2: Backport Complications**
- v6.12: Clean apply expected (same API as HEAD)
- v6.6, v6.1, v5.15: Minor context differences (older API names like
  `vsp1_entity_get_pad_format` vs `v4l2_subdev_state_get_format`), but
  the actual changed lines are identical. Straightforward adaptation
  needed.

**Step 6.3:** No related fixes already in stable for this issue.

---

## PHASE 7: SUBSYSTEM AND MAINTAINER CONTEXT

**Step 7.1:**
- Subsystem: drivers/media (V4L2, Renesas VSP1)
- Criticality: PERIPHERAL but important — VSP1 is the video processing
  unit on Renesas R-Car and RZ platforms, used in automotive and
  industrial embedded systems

**Step 7.2:** The VSP1 driver is actively maintained by Laurent Pinchart
with ongoing feature and fix development.

---

## PHASE 8: IMPACT AND RISK ASSESSMENT

**Step 8.1: Who is Affected**
Users of Renesas R-Car / RZ platforms with VSP1 hardware who set crop
rectangles (via V4L2 or DRM APIs).

**Step 8.2: Trigger Conditions**
- Setting crop on an RPF subdevice when the sink pad format has odd or
  small dimensions (especially 1x1 YUV)
- Passing negative left/top values in the crop rectangle (legal __s32
  values per V4L2 API)
- Reachable from unprivileged userspace via V4L2 ioctls

**Step 8.3: Failure Mode**
- Incorrect crop coordinates silently accepted → hardware
  misconfiguration → potential DMA to/from wrong memory regions
- V4L2 specification non-compliance (negative values adjusted to maximum
  instead of 0)
- Severity: **MEDIUM-HIGH** (incorrect hardware operation, potential
  memory safety implications via DMA)

**Step 8.4: Risk-Benefit**
- **Benefit**: HIGH — fixes real integer underflow bug reachable from
  userspace, prevents hardware misconfiguration
- **Risk**: VERY LOW — ~20 lines in a single function, changing only the
  type and method of clamping, well-tested by two independent testers
- Ratio: strongly favorable

---

## PHASE 9: FINAL SYNTHESIS

**Step 9.1: Evidence Summary**

FOR backporting:
- Fixes a real signed/unsigned integer underflow bug in crop coordinate
  clamping
- The bug allows incorrect hardware configuration, reachable from
  userspace
- Fix is small (~20 lines), surgical (single function), obviously
  correct
- Written by the subsystem maintainer (Laurent Pinchart)
- Two independent Tested-by and one Reviewed-by
- Applied by the V4L2 co-maintainer (Hans Verkuil)
- Bug exists in ALL active stable trees (since 2013)
- Uses only standard kernel primitives (`clamp_t`, `min`) available in
  all stable trees
- Self-contained — no dependencies on other commits

AGAINST backporting:
- No reports of the bug triggering in the wild (no Reported-by)
- Requires minor adaptation for older stable trees (context differences)
- Niche hardware (Renesas VSP1) — fewer users than core kernel

**Step 9.2: Stable Rules Checklist**
1. Obviously correct and tested? **YES** — two testers, one reviewer,
   logic is straightforward
2. Fixes a real bug? **YES** — integer underflow in crop coordinate
   clamping
3. Important issue? **YES** — potential hardware misconfiguration, V4L2
   spec violation
4. Small and contained? **YES** — ~20 lines in one function, one file
5. No new features/APIs? **CORRECT** — no new features
6. Can apply to stable? **YES** — with minor context adaptation for
   older trees

**Step 9.3: Exception Categories**
Not applicable — this is a standard bug fix, not a quirk/device-ID/DT
addition.

---

## Verification

- [Phase 1] Parsed tags: Found Tested-by x2 (Niklas Söderlund, Lad
  Prabhakar), Reviewed-by (Jacopo Mondi), Signed-off-by (Laurent
  Pinchart + Hans Verkuil)
- [Phase 2] Diff analysis: ~20 lines changed in
  `vsp1_rwpf_set_selection()`, replaces `min_t(unsigned int, ...)` with
  `clamp_t(int, ...)` and adds min_width/min_height bounds
- [Phase 2] Verified `struct v4l2_rect` has `__s32 left, top` at
  `include/uapi/linux/videodev2.h:442-447`, confirming signed→unsigned
  cast bug
- [Phase 3] git blame: buggy `min_t` lines introduced by
  `e5ad37b64de975` (2013, v3.12-era); YUV alignment by `85a0638b7855df`
  (2015)
- [Phase 3] Author Laurent Pinchart is the original file author and
  subsystem maintainer (all blame entries)
- [Phase 3] File history: no prerequisite commits needed
- [Phase 5] Callers: `vsp1_rwpf_set_selection` registered as
  `.set_selection` in `vsp1_rwpf_pad_ops:283`, called from userspace
  V4L2 ioctls and from `vsp1_drm.c:157`
- [Phase 6] Verified identical buggy code in v5.15:225, v6.1:225,
  v6.6:225, v6.12:212
- [Phase 6] Verified `clamp_t` exists in v5.15 at
  `include/linux/minmax.h:124`
- [Phase 6] Minor context differences in v5.15/v6.1 (different API
  names: `vsp1_entity_get_pad_format` vs `v4l2_subdev_state_get_format`)
  but core buggy lines are identical
- UNVERIFIED: Could not access lore.kernel.org due to anti-bot
  protection; reviewer/mailing-list discussion details not verified
- UNVERIFIED: Whether this is part of a multi-patch series where other
  patches are also needed (the Link msgid suggests patch 5 of N, but the
  fix is self-contained based on diff analysis)

The fix is small, surgical, obviously correct, well-tested, authored by
the subsystem maintainer, fixes a real integer underflow bug present
since 2013, and meets all stable kernel criteria.

**YES**

 .../media/platform/renesas/vsp1/vsp1_rwpf.c   | 28 ++++++++++++++++---
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/drivers/media/platform/renesas/vsp1/vsp1_rwpf.c b/drivers/media/platform/renesas/vsp1/vsp1_rwpf.c
index 9c8085d5d3060..7c7bfb946b779 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_rwpf.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_rwpf.c
@@ -216,6 +216,8 @@ static int vsp1_rwpf_set_selection(struct v4l2_subdev *subdev,
 				   struct v4l2_subdev_state *sd_state,
 				   struct v4l2_subdev_selection *sel)
 {
+	unsigned int min_width = RWPF_MIN_WIDTH;
+	unsigned int min_height = RWPF_MIN_HEIGHT;
 	struct vsp1_rwpf *rwpf = to_rwpf(subdev);
 	struct v4l2_subdev_state *state;
 	struct v4l2_mbus_framefmt *format;
@@ -244,18 +246,36 @@ static int vsp1_rwpf_set_selection(struct v4l2_subdev *subdev,
 	format = v4l2_subdev_state_get_format(state, RWPF_PAD_SINK);
 
 	/*
-	 * Restrict the crop rectangle coordinates to multiples of 2 to avoid
-	 * shifting the color plane.
+	 * For YUV formats, restrict the crop rectangle coordinates to multiples
+	 * of 2 to avoid shifting the color plane.
 	 */
 	if (format->code == MEDIA_BUS_FMT_AYUV8_1X32) {
 		sel->r.left = ALIGN(sel->r.left, 2);
 		sel->r.top = ALIGN(sel->r.top, 2);
 		sel->r.width = round_down(sel->r.width, 2);
 		sel->r.height = round_down(sel->r.height, 2);
+
+		/*
+		 * The RPF doesn't enforces the alignment constraint on the sink
+		 * pad format, which could have an odd size, possibly down to
+		 * 1x1. In that case, the minimum width and height would be
+		 * smaller than the sink pad format, leading to a negative upper
+		 * bound in the left and top clamping. Clamp the minimum width
+		 * and height to the format width and height to avoid this.
+		 *
+		 * In such a situation, odd values for the crop rectangle size
+		 * would be accepted when clamping the width and height below.
+		 * While that would create an invalid hardware configuration,
+		 * the video device enforces proper alignment of the pixel
+		 * format, and the mismatch will then result in link validation
+		 * failure. Incorrect operation of the hardware is not possible.
+		 */
+		min_width = min(ALIGN(min_width, 2), format->width);
+		min_height = min(ALIGN(min_height, 2), format->height);
 	}
 
-	sel->r.left = min_t(unsigned int, sel->r.left, format->width - 2);
-	sel->r.top = min_t(unsigned int, sel->r.top, format->height - 2);
+	sel->r.left = clamp_t(int, sel->r.left, 0, format->width - min_width);
+	sel->r.top = clamp_t(int, sel->r.top, 0, format->height - min_height);
 	sel->r.width = min_t(unsigned int, sel->r.width,
 			     format->width - sel->r.left);
 	sel->r.height = min_t(unsigned int, sel->r.height,
-- 
2.53.0

[PATCH AUTOSEL 7.0-5.10] media: au0828: Fix green screen in analog

[Sasha Levin]

From: Bradford Love <brad@nextdimension.cc>

[ Upstream commit 58119a0cffa8a597ce5d39587beb0f5a763434a0 ]

When the driver was converted to VB2 the original function to fix
green frame detection was removed and a default vb2 dqbuf function
was used instead. This vb2 dqbuf function leads to green frames not
being detected and correupting stream captures.

The vidioc_dqbuf function checks the greenscreen flag, and, if set
resets the stream to discard the green frame and decode a real frame.

Signed-off-by: Bradford Love <brad@nextdimension.cc>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Here is my complete analysis:

---

## PHASE 1: COMMIT MESSAGE FORENSICS

### Step 1.1: Subject Line
- **Subsystem:** `media: au0828`
- **Action verb:** "Fix" - explicit bug fix
- **Summary:** Fixes green screen frames in analog video capture by
  restoring a hardware workaround lost during VB2 conversion

### Step 1.2: Tags
- `Signed-off-by: Bradford Love <brad@nextdimension.cc>` - the author, a
  known au0828 contributor
- `Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>` - the V4L2
  subsystem maintainer who accepted the patch
- No Fixes: tag (expected for commits under review)
- No Cc: stable (expected)

### Step 1.3: Commit Body
The commit explains clearly:
- When the driver was converted to VB2 (videobuf2), the original
  `vidioc_dqbuf` function that contained greenscreen detection was
  removed
- It was replaced with the generic `vb2_ioctl_dqbuf` which has no
  greenscreen logic
- This causes green frames to go undetected, "correupting stream
  captures"
- The fix restores the custom `vidioc_dqbuf` that checks the greenscreen
  flag and resets the stream

### Step 1.4: Hidden Bug Fix Assessment
This is NOT a hidden bug fix - it explicitly says "Fix" and clearly
describes a regression from the VB2 conversion.

**Record:** This is a regression fix restoring a hardware workaround
that was accidentally removed during a refactoring 10+ years ago.

---

## PHASE 2: DIFF ANALYSIS

### Step 2.1: Inventory
- **File:** `drivers/media/usb/au0828/au0828-video.c`
- **Lines added:** ~21 (new `vidioc_dqbuf` function)
- **Lines changed:** 2 (ioctl_ops table entries: `.vidioc_dqbuf` and
  whitespace fix for `.vidioc_expbuf`)
- **Functions modified:** New `vidioc_dqbuf()` added; `video_ioctl_ops`
  struct updated
- **Scope:** Single-file, surgical fix

### Step 2.2: Code Flow Change
**Before:** `video_ioctl_ops.vidioc_dqbuf` pointed directly to
`vb2_ioctl_dqbuf`, which simply dequeues a buffer with no greenscreen
check.

**After:** A new wrapper `vidioc_dqbuf()` is called that:
1. Calls `check_dev(dev)` to verify device is connected/configured
2. Checks `dev->greenscreen_detected` flag
3. If set, calls `au0828_analog_stream_reset(dev)` (writes hardware
   registers to reset the stream) and clears the flag
4. Calls `vb2_ioctl_dqbuf()` for actual buffer dequeue

### Step 2.3: Bug Mechanism
This is a **logic/correctness fix** - specifically restoring a
**hardware workaround**. The au0828 hardware has a design bug where the
colorspace can sometimes be inverted, producing green frames. The
detection code at line 377-380 still sets `dev->greenscreen_detected =
1` when it detects inverted colorspace in the DMA buffer, but nothing
ever reads this flag to trigger the stream reset. The fix closes this
gap.

### Step 2.4: Fix Quality
- **Obviously correct:** Yes. It closely mirrors the pre-VB2 code that
  existed before commit `05439b1a3693`.
- **Minimal/surgical:** Yes. Only adds a wrapper and changes one
  function pointer.
- **Regression risk:** Very low. The wrapper simply adds a check before
  calling the same generic function.

---

## PHASE 3: GIT HISTORY INVESTIGATION

### Step 3.1: Blame
The line being modified (line 1767: `.vidioc_dqbuf = vb2_ioctl_dqbuf`)
was introduced by commit `05439b1a3693` ("[media] media: au0828 -
convert to use videobuf2") by Shuah Khan, dating to v3.19-rc6 era,
merged in **v4.0**.

### Step 3.2: Fixes Target
The implicit "Fixes" target is `05439b1a36935` ("media: au0828 - convert
to use videobuf2") which landed in v4.0. This commit exists in ALL
active stable trees (5.4.y, 5.10.y, 5.15.y, 6.1.y, 6.6.y, 6.12.y, etc.).

The VB2 conversion removed the old `vidioc_dqbuf` that contained the
greenscreen detection code (verified by `git show 05439b1a3693` which
shows the removal of the function with greenscreen_detected checks).

### Step 3.3: File History
The file has had minimal changes since ~v5.5 era. Recent changes are
trivial (renaming timers, dropping wait_prepare/finish, using umin
macro, USB API function changes). The area around the ioctl_ops table
has been stable since the VB2 conversion.

### Step 3.4: Author
Bradford Love is a known au0828 contributor with other accepted fixes
(error messages, kfree ordering). Hans Verkuil is THE V4L2 subsystem
maintainer who signed off.

### Step 3.5: Dependencies
This fix is **standalone** - no prerequisites. It uses functions
(`check_dev`, `au0828_analog_stream_reset`, `vb2_ioctl_dqbuf`) and the
`greenscreen_detected` field that all exist in the tree since v4.0.

---

## PHASE 4: MAILING LIST AND EXTERNAL RESEARCH

### Step 4.1-4.5
b4 dig was unable to find the original patch submission (likely too
recent or unusual submission path). Web searches also did not locate the
specific lore thread. The patch was signed off by Hans Verkuil (V4L2
maintainer), confirming it passed review.

The original VB2 conversion series by Shuah Khan was a 3-patch series
(confirmed via the lkml archive). Patch 3/3 actually removed the buffer
timeout workaround - but NOT the greenscreen detection. The greenscreen
detection setting (`dev->greenscreen_detected = 1`) remained in the code
but became a dead store since the VB2 conversion removed the consumer
side.

---

## PHASE 5: CODE SEMANTIC ANALYSIS

### Step 5.1: Functions
- **New:** `vidioc_dqbuf()` - wrapper around `vb2_ioctl_dqbuf`
- **References:** `check_dev()` (line 93),
  `au0828_analog_stream_reset()` (line 789), `greenscreen_detected` (set
  at line 380)

### Step 5.2: Callers
`vidioc_dqbuf` is called by the V4L2 ioctl framework when userspace
calls `VIDIOC_DQBUF` ioctl - this is every frame dequeue in video
capture. It's a hot path for any application doing analog TV capture.

### Step 5.3: Callees
- `check_dev()`: Simple state check (disconnected/misconfigured)
- `au0828_analog_stream_reset()`: Writes hardware registers
  (SENSORCTRL_100) to reset the stream with a 30ms delay
- `vb2_ioctl_dqbuf()`: Standard VB2 buffer dequeue

### Step 5.4: Call Chain
Userspace (tvtime, xawtv, vlc, etc.) -> ioctl(VIDIOC_DQBUF) ->
`video_ioctl2` -> `vidioc_dqbuf` -> checks greenscreen ->
`vb2_ioctl_dqbuf`. Very straightforward and commonly exercised path.

### Step 5.5: Similar Patterns
The greenscreen detection code (line 377-380) sets the flag based on
pixel luminance values. Without the fix, this flag is set but never
consumed - a clear dead-code indicator that something is missing.

---

## PHASE 6: STABLE TREE ANALYSIS

### Step 6.1: Code Existence
The buggy code (`.vidioc_dqbuf = vb2_ioctl_dqbuf` without greenscreen
workaround) exists in **ALL stable trees** since v4.0. The
`greenscreen_detected` field and `au0828_analog_stream_reset()` function
also exist in all trees.

### Step 6.2: Backport Complications
Expected to apply **cleanly** or with trivial conflicts. The ioctl_ops
table area and the insertion point (after `vidioc_log_status`) have been
very stable. The only possible minor conflict is whitespace around the
`vidioc_expbuf` alignment fix.

### Step 6.3: No related fixes already in stable for this issue.

---

## PHASE 7: SUBSYSTEM CONTEXT

### Step 7.1: Subsystem
- **Path:** `drivers/media/usb/au0828/` - USB media driver
- **Criticality:** PERIPHERAL (specific USB TV capture hardware -
  Hauppauge HVR-950Q and similar)
- But: au0828 is a commonly used USB TV tuner chipset

### Step 7.2: Activity
The file sees very infrequent changes - stable/mature driver.

---

## PHASE 8: IMPACT AND RISK ASSESSMENT

### Step 8.1: Affected Users
Users of au0828-based USB TV capture devices (Hauppauge HVR-950Q, etc.)
doing analog TV capture.

### Step 8.2: Trigger Conditions
The au0828 hardware can randomly invert colorspace, producing green
frames. This is a hardware bug that occurs during normal analog TV
capture - no special conditions needed. Every user of analog capture on
this hardware can experience it.

### Step 8.3: Failure Mode Severity
- **Without fix:** Corrupted (green) video frames during analog capture
- **Severity:** MEDIUM-HIGH - the device doesn't crash but produces
  unusable output
- Not a crash or security issue, but a real functional regression that
  makes the hardware partially broken

### Step 8.4: Risk-Benefit Ratio
- **BENEFIT:** HIGH - restores correct functionality for all au0828
  analog capture users
- **RISK:** VERY LOW - the fix is a simple wrapper that adds one check
  before calling the same generic function. The code pattern is
  identical to what existed pre-VB2 conversion for ~5 years. Accepted by
  the V4L2 maintainer.
- **Ratio:** Strongly favorable

---

## PHASE 9: FINAL SYNTHESIS

### Step 9.1: Evidence

**FOR backporting:**
- Fixes a real, user-visible bug (green/corrupted video frames)
- Regression from VB2 conversion in v4.0 (~2015) - 10+ year old
  regression
- Small, surgical fix (~21 lines new code + 2 line change)
- Restores behavior that existed for years before the VB2 conversion
- Obviously correct - mirrors the pre-VB2 code closely
- Signed off by Hans Verkuil (V4L2 subsystem maintainer)
- Bug exists in ALL active stable trees
- Standalone fix with no dependencies
- Hardware workaround - exactly the type of fix stable trees accept

**AGAINST backporting:**
- No syzbot or sanitizer report (hardware-specific visual issue)
- Not a crash/security/data-corruption fix (but IS a functional
  regression fix)
- The `greenscreen_detected` flag access is not protected by locks (but
  this was the same in the pre-VB2 code and the flag is only set from
  URB completion context)

### Step 9.2: Stable Rules Checklist
1. **Obviously correct and tested?** YES - mirrors pre-VB2 code,
   accepted by maintainer
2. **Fixes a real bug?** YES - corrupted video frames for hardware users
3. **Important issue?** YES - functional regression making hardware
   partially unusable
4. **Small and contained?** YES - single file, ~23 lines total change
5. **No new features?** CORRECT - restores existing behavior
6. **Can apply to stable?** YES - clean apply expected, all required
   symbols present

### Step 9.3: Exception Categories
This qualifies as a **hardware quirk/workaround** - the greenscreen
detection is a workaround for a hardware design flaw in the au0828 chip.

### Step 9.4: Decision
This is a clear regression fix that restores a hardware workaround
accidentally removed during VB2 conversion. It meets all stable
criteria.

---

## Verification

- [Phase 1] Parsed tags: Signed-off-by from author (Bradford Love) and
  maintainer (Hans Verkuil)
- [Phase 2] Diff analysis: 21 lines added (new vidioc_dqbuf wrapper), 2
  lines changed in ioctl ops table
- [Phase 3] git blame (line 1767): Buggy code introduced by commit
  05439b1a3693 (VB2 conversion, v4.0 era)
- [Phase 3] git show 05439b1a3693: Confirmed it removed old vidioc_dqbuf
  with greenscreen handling and replaced with generic vb2_ioctl_dqbuf
- [Phase 3] git describe: VB2 conversion is
  v3.19-rc6-230-g05439b1a36935, merged in v4.0
- [Phase 3] git log v3.19..v4.0: Confirmed 05439b1a36935 appears in v4.0
- [Phase 3] git tag --contains: Confirmed present in all stable trees
  (p-5.10, p-5.15, etc.)
- [Phase 4] b4 dig: Could not find original submission (too recent or
  unusual path)
- [Phase 4] LKML archive: Confirmed VB2 conversion was a 3-patch series
  that removed the timeout workaround but kept greenscreen_detected
  field
- [Phase 5] Grep check_dev: Used in other ioctls (line 1247), confirmed
  it exists and works the same way
- [Phase 5] Grep greenscreen_detected: Set at line 380 (au0828-video.c),
  declared at line 234 (au0828.h) - flag is set but never read without
  this fix
- [Phase 5] Grep au0828_analog_stream_reset: Called from lines 789,
  1019, 1567, 1724 - well-established function
- [Phase 6] git log across stable versions: File barely changed since
  v5.5; fix should apply cleanly
- [Phase 8] Failure mode: Corrupted green video frames during analog
  capture, severity MEDIUM-HIGH
- UNVERIFIED: Could not locate the exact lore.kernel.org discussion
  thread for this specific patch

**YES**

 drivers/media/usb/au0828/au0828-video.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
index fbaa542c8259a..3c53105f3d2b3 100644
--- a/drivers/media/usb/au0828/au0828-video.c
+++ b/drivers/media/usb/au0828/au0828-video.c
@@ -1671,6 +1671,27 @@ static int vidioc_log_status(struct file *file, void *fh)
 	return 0;
 }
 
+static int vidioc_dqbuf(struct file *file, void *priv, struct v4l2_buffer *b)
+{
+	struct au0828_dev *dev = video_drvdata(file);
+	int rc;
+
+	rc = check_dev(dev);
+	if (rc < 0)
+		return rc;
+
+	/* Workaround for a bug in the au0828 hardware design that
+	 * sometimes results in the colorspace being inverted
+	 */
+	if (dev->greenscreen_detected == 1) {
+		dprintk(1, "Detected green frame.  Resetting stream...\n");
+		au0828_analog_stream_reset(dev);
+		dev->greenscreen_detected = 0;
+	}
+
+	return vb2_ioctl_dqbuf(file, priv, b);
+}
+
 void au0828_v4l2_suspend(struct au0828_dev *dev)
 {
 	struct urb *urb;
@@ -1764,8 +1785,8 @@ static const struct v4l2_ioctl_ops video_ioctl_ops = {
 	.vidioc_prepare_buf         = vb2_ioctl_prepare_buf,
 	.vidioc_querybuf            = vb2_ioctl_querybuf,
 	.vidioc_qbuf                = vb2_ioctl_qbuf,
-	.vidioc_dqbuf               = vb2_ioctl_dqbuf,
-	.vidioc_expbuf               = vb2_ioctl_expbuf,
+	.vidioc_dqbuf               = vidioc_dqbuf,
+	.vidioc_expbuf              = vb2_ioctl_expbuf,
 
 	.vidioc_s_std               = vidioc_s_std,
 	.vidioc_g_std               = vidioc_g_std,
-- 
2.53.0

[PATCH AUTOSEL 7.0-5.10] media: stm32: dcmi: stop the dma transfer on overrun

[Sasha Levin]

From: Alain Volmat <alain.volmat@foss.st.com>

[ Upstream commit 4847286b87ccda7bdec8245f35c07203ce9eb0ed ]

Ensure to stop the dma transfer whenever receiving a overrun
to avoid having a buffer partially filled with a frame and
partially with the next frame.

Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Now I have all the necessary information. Let me compile my
comprehensive analysis.

---

## PHASE 1: COMMIT MESSAGE FORENSICS

### Step 1.1: Subject Line
- **Subsystem**: `media: stm32: dcmi:`
- **Action verb**: "stop" - implies fixing incorrect behavior (not
  stopping something that should be stopped)
- **Summary**: Stops DMA transfer on hardware overrun to prevent frame
  data corruption

### Step 1.2: Tags
- `Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>` - Author,
  STMicroelectronics employee (the SoC vendor)
- `Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>` - media
  subsystem co-maintainer
- `Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>` -
  media subsystem maintainer
- No Fixes: tag, no Reported-by:, no Cc: stable (expected for autosel
  candidates)

### Step 1.3: Commit Body
The commit explicitly describes data corruption: *"avoid having a buffer
partially filled with a frame and partially with the next frame"*. This
is frame-level data corruption during video capture. The mechanism is:
when DCMI hardware overruns, DMA continues writing into the active
buffer, mixing two different frames.

### Step 1.4: Hidden Bug Fix Detection
Despite using "ensure to stop" rather than "fix", this IS a data
corruption fix. The word "ensure" indicates adding a missing safety
action. The description of mixed frames in a buffer is a concrete, real-
world data corruption scenario.

Record: This is a real data corruption fix disguised with neutral
language.

---

## PHASE 2: DIFF ANALYSIS

### Step 2.1: Inventory
- Single file modified: `drivers/media/platform/st/stm32/stm32-dcmi.c`
- Function modified: `dcmi_irq_thread()` (the threaded IRQ handler)
- ~12 lines added, 0 lines removed (net)
- Scope: single-function surgical fix

### Step 2.2: Code Flow Change
**BEFORE**: When `IT_OVR` (overrun) occurs, the handler just increments
counters and falls through. DMA continues to run, potentially filling
the buffer with data from the next frame.

**AFTER**: When `IT_OVR` occurs:
1. Disable DCMI capture (`reg_clear(dcmi->regs, DCMI_CR, CR_CAPTURE)`)
2. Increment counters (existing code)
3. Release spinlock
4. Terminate DMA (`dmaengine_terminate_sync`)
5. Restart capture cleanly (`dcmi_restart_capture`)
6. Return `IRQ_HANDLED` early

### Step 2.3: Bug Mechanism
**Category**: Data corruption / logic fix. The overrun condition means
the DCMI FIFO overflowed and data was lost. Without stopping DMA, the
buffer ends up with partial frame N data followed by frame N+1 data,
delivering a corrupt buffer to userspace.

### Step 2.4: Fix Quality
- **Obviously correct**: Yes - the terminate+restart pattern is already
  used in `dcmi_process_jpeg()` in the same file
- **Minimal/surgical**: Yes - only the overrun handler is modified
- **Regression risk**: Low - `dmaengine_terminate_sync()` is safe in
  threaded IRQ context; `dcmi_restart_capture()` has its own internal
  locking
- **Locking correctness**: Verified - spinlock released before
  `dmaengine_terminate_sync` (which may sleep); `dcmi_restart_capture`
  takes its own lock internally

---

## PHASE 3: GIT HISTORY INVESTIGATION

### Step 3.1: Blame
The overrun handler code was introduced by commit `1be0a2b702308f`
(2019, v5.2 cycle) which added overrun counting, and the irq thread
structure from `37404f91ef8b91` (2017, v4.14 cycle). The buggy behavior
(not stopping DMA on overrun) was intentionally introduced by commit
`a1029f552c3f` (2018, v4.17 cycle) titled *"rework overrun/error case"*
which REMOVED the DMA stop/restart on overrun. That 2018 commit's
rationale was: *"Dma will be restarted on current frame transfer
completion."* The new commit reverses this decision because the
assumption was wrong - DMA does not properly self-recover on overrun.

### Step 3.2: No Fixes tag present
The implicit Fixes target would be `a1029f552c3f` ("rework overrun/error
case", v4.17) which exists in ALL active stable trees.

### Step 3.3: File History
The `dcmi_irq_thread` function has been stable since 2019. Recent
changes to this file are minor cleanups (style, API renames) that don't
affect the overrun path.

### Step 3.4: Author Context
Alain Volmat is from STMicroelectronics (the SoC vendor). He is an
active contributor to the STM32 media subsystem, maintaining both DCMI
and DCMIPP drivers. The patch was reviewed and signed off by both media
subsystem co-maintainers.

### Step 3.5: Dependencies
The patch was submitted as 4/12 in a series. However, patches 1-3 touch
unrelated code paths (pm_ptr, dma config at probe, descriptor creation).
Patch 5 reworks locking (makes `dcmi_restart_capture` caller-locked),
but patch 4 works correctly with the CURRENT `dcmi_restart_capture`
which has its own internal locking. This patch is self-contained.

---

## PHASE 4: MAILING LIST RESEARCH

### Step 4.1: Original Submission
Found at `http://lists.infradead.org/pipermail/linux-arm-
kernel/2026-January/1091896.html`. Part of series v2 "media: stm32:
dcmi: stability & performance enhancements" (12 patches). Cover letter
explicitly states: *"This series improve stability of the capture by
fixing the handling of the overrun which was leading to captured frame
corruption."*

### Step 4.2: Reviewers
Signed off by Sakari Ailus (media co-maintainer) and Mauro Carvalho
Chehab (media maintainer). The patch has proper maintainer chain sign-
off.

### Step 4.3-4.5: Bug Report / Stable Discussion
The bug was found during development by the hardware vendor
(STMicroelectronics). No explicit stable nomination was found, nor any
objections.

---

## PHASE 5: CODE SEMANTIC ANALYSIS

### Step 5.1-5.2: Function Analysis
`dcmi_irq_thread` is the threaded IRQ handler, called whenever the DCMI
hardware fires an interrupt (overrun, error, or frame complete). The
`IT_OVR` flag is set by the hardware when the DCMI internal FIFO
overflows. The `dcmi_restart_capture` → `dcmi_start_capture` →
`dcmi_start_dma` chain properly sets up a new DMA transfer and re-
enables capture.

### Step 5.3-5.4: The DMA stop + restart pattern
The same pattern exists in `dcmi_process_jpeg()` at line 434-440:
`dmaengine_terminate_sync` followed by `dcmi_restart_capture`. The
overrun fix replicates this proven pattern.

### Step 5.5: Similar Patterns
`dcmi_process_jpeg` already uses the exact same terminate+restart
pattern. `dcmi_dma_callback` also calls `dcmi_restart_capture` after DMA
completion. This is a well-established pattern in the driver.

---

## PHASE 6: STABLE TREE ANALYSIS

### Step 6.1: Buggy Code in Stable
The buggy overrun handler (just counting, not stopping DMA) exists since
v4.17 (commit `a1029f552c3f`). It is present in ALL active stable trees
(5.4, 5.10, 5.15, 6.1, 6.6, 6.12).

### Step 6.2: Backport Complications
The patch modifies a single function with clean context. The file path
changed from `stm32/stm32-dcmi.c` to `st/stm32/stm32-dcmi.c` in 6.5+,
but the function code is identical in context. Minor adjustment may be
needed for older trees.

### Step 6.3: No related fixes already in stable for this overrun issue.

---

## PHASE 7: SUBSYSTEM CONTEXT

### Step 7.1: Subsystem Criticality
- **Subsystem**: drivers/media/platform (embedded camera driver)
- **Criticality**: PERIPHERAL (specific STM32 hardware) but important
  for embedded/IoT users
- STM32 SoCs are widely used in embedded systems, industrial cameras,
  IoT devices

---

## PHASE 8: IMPACT AND RISK ASSESSMENT

### Step 8.1: Affected Users
STM32 DCMI users - embedded systems with camera interfaces on STM32MP1
SoCs.

### Step 8.2: Trigger Conditions
Overrun occurs when the camera sends data faster than DMA can drain the
DCMI FIFO. This is common during high-resolution or high-framerate
capture, or under system load. Not timing-dependent - it's a hardware
FIFO overflow condition.

### Step 8.3: Failure Mode Severity
**Data corruption** - frames delivered to userspace contain mixed data
from two different frames. For embedded camera applications (industrial
vision, surveillance, medical), this is a **HIGH** severity issue since
corrupted frames can lead to incorrect decisions.

### Step 8.4: Risk-Benefit
- **Benefit**: HIGH - prevents data corruption in active video capture
  on STM32 platforms
- **Risk**: LOW - ~12 lines, single function, follows proven existing
  pattern in the same driver, correct locking, no API changes
- **Ratio**: Strongly favorable

---

## PHASE 9: FINAL SYNTHESIS

### Step 9.1: Evidence Summary

**FOR backporting:**
- Fixes real data corruption (mixed frames in buffer)
- Small, surgical fix (12 lines in one function)
- Follows proven existing pattern in same driver (`dcmi_process_jpeg`)
- Author is from the hardware vendor (STMicroelectronics)
- Signed off by both media subsystem maintainers
- Correct locking model (spinlock released before sleeping call)
- Buggy code exists in all active stable trees
- Self-contained - does not depend on other patches in the series

**AGAINST backporting:**
- Part of a 12-patch series (but verified standalone correctness)
- Later patches (5, 7) further modify this code (but patch 4 is correct
  without them)
- No explicit Cc: stable (expected for autosel candidates)

### Step 9.2: Stable Rules Checklist
1. Obviously correct and tested? **YES** - pattern matches existing code
   in same driver, vendor-tested
2. Fixes a real bug? **YES** - data corruption (mixed frames)
3. Important issue? **YES** - data corruption during video capture
4. Small and contained? **YES** - 12 lines, single function
5. No new features/APIs? **YES** - no new features
6. Can apply to stable? **YES** - code context is unchanged in stable
   trees

### Step 9.3: No exception categories apply; this is a straightforward
bug fix.

---

## Verification

- [Phase 1] Parsed tags: SOBs from author (STMicroelectronics), Sakari
  Ailus, Mauro Carvalho Chehab
- [Phase 2] Diff analysis: ~12 lines added to overrun path in
  `dcmi_irq_thread()`, adds DMA stop + restart
- [Phase 3] git blame: overrun handler code from commit `1be0a2b702308f`
  (2019, v5.2); bug-causing rework from `a1029f552c3f` (2018, v4.17)
- [Phase 3] git show `a1029f552c3f`: confirmed it intentionally removed
  DMA stop/restart on overrun - present in all stable trees
- [Phase 3] Verified `dcmi_restart_capture()` has internal locking -
  standalone patch is correct
- [Phase 4] Found original submission at lists.infradead.org; cover
  letter confirms frame corruption fix
- [Phase 4] Verified patch 5/12 changes `dcmi_restart_capture` locking,
  but patch 4 works with current code
- [Phase 4] Patch 7/12 changes `terminate_sync` to `terminate_async` -
  optimization, not required for correctness
- [Phase 5] Verified same pattern (`dmaengine_terminate_sync` +
  `dcmi_restart_capture`) exists in `dcmi_process_jpeg()` at lines
  434-440
- [Phase 5] Verified `dcmi_start_capture()` re-enables CR_CAPTURE at
  line 372, matching our clear at overrun
- [Phase 6] Confirmed code exists unchanged in all active stable trees
  (5.4+)
- [Phase 8] Failure mode: data corruption (mixed frames) - severity HIGH

The fix is small, surgical, follows proven patterns in the same driver,
and prevents real data corruption on STM32 embedded platforms.

**YES**

 drivers/media/platform/st/stm32/stm32-dcmi.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/media/platform/st/stm32/stm32-dcmi.c b/drivers/media/platform/st/stm32/stm32-dcmi.c
index 13762861b7694..496e0781a957b 100644
--- a/drivers/media/platform/st/stm32/stm32-dcmi.c
+++ b/drivers/media/platform/st/stm32/stm32-dcmi.c
@@ -447,9 +447,21 @@ static irqreturn_t dcmi_irq_thread(int irq, void *arg)
 	spin_lock_irq(&dcmi->irqlock);
 
 	if (dcmi->misr & IT_OVR) {
+		/* Disable capture */
+		reg_clear(dcmi->regs, DCMI_CR, CR_CAPTURE);
+
 		dcmi->overrun_count++;
+
 		if (dcmi->overrun_count > OVERRUN_ERROR_THRESHOLD)
 			dcmi->errors_count++;
+
+		spin_unlock_irq(&dcmi->irqlock);
+		dmaengine_terminate_sync(dcmi->dma_chan);
+
+		if (dcmi_restart_capture(dcmi))
+			dev_err(dcmi->dev, "%s: Cannot restart capture\n", __func__);
+
+		return IRQ_HANDLED;
 	}
 	if (dcmi->misr & IT_ERR)
 		dcmi->errors_count++;
-- 
2.53.0

[PATCH AUTOSEL 7.0-5.10] media: i2c: mt9p031: Check return value of devm_gpiod_get_optional() in mt9p031_probe()

[Sasha Levin]

From: Chen Ni <nichen@iscas.ac.cn>

[ Upstream commit c8e0585dce5df525308f0fba40b618df03aaf7fc ]

The devm_gpiod_get_optional() function may return an error pointer
(ERR_PTR) in case of a genuine failure during GPIO acquisition, not just
NULL which indicates the legitimate absence of an optional GPIO.

Add an IS_ERR() check after the function call to catch such errors and
propagate them to the probe function, ensuring the driver fails to load
safely rather than proceeding with an invalid pointer.

Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

Now I have all the information needed. Here is my complete analysis:

---

## PHASE 1: COMMIT MESSAGE FORENSICS

**Step 1.1: Subject Line**
- Subsystem: `media: i2c: mt9p031`
- Action verb: "Check" — adding a missing return value check (= fixing
  an unchecked error)
- Summary: Add IS_ERR check for `devm_gpiod_get_optional()` in the
  driver's probe function

**Step 1.2: Tags**
- Signed-off-by: Chen Ni (author), Sakari Ailus (media sub-maintainer),
  Mauro Carvalho Chehab (media subsystem maintainer)
- No Fixes: tag (expected for commits under review)
- No Reported-by, Tested-by, Cc: stable
- Record: Patch was reviewed by two maintainers in the media subsystem
  chain. No syzbot, no bug report.

**Step 1.3: Commit Body**
- Explains that `devm_gpiod_get_optional()` can return ERR_PTR on
  genuine failure, not just NULL
- Without the check, the driver proceeds with an invalid pointer
- The symptom: driver loads with an invalid (ERR_PTR) value stored in
  `mt9p031->reset`, which will cause a crash when later dereferenced

**Step 1.4: Hidden Bug Fix Detection**
- This IS a bug fix: a missing error check for a function that can
  return error pointers. Without it, the driver proceeds with an invalid
  pointer that will eventually be dereferenced.

## PHASE 2: DIFF ANALYSIS

**Step 2.1: Inventory**
- Single file: `drivers/media/i2c/mt9p031.c`
- +4 lines, -0 lines
- Function modified: `mt9p031_probe()`
- Scope: Single-file surgical fix

**Step 2.2: Code Flow Change**
- BEFORE: `devm_gpiod_get_optional()` return stored directly in
  `mt9p031->reset` without error checking. If it returns ERR_PTR, the
  invalid pointer persists.
- AFTER: IS_ERR check added; on error, `ret` is set and execution jumps
  to `done:` cleanup label.

**Step 2.3: Bug Mechanism**
This is a **memory safety / invalid pointer dereference fix**. The
`mt9p031->reset` field is used in three places:

```315:316:drivers/media/i2c/mt9p031.c
        if (mt9p031->reset) {
                gpiod_set_value(mt9p031->reset, 1);
```

```337:338:drivers/media/i2c/mt9p031.c
        if (mt9p031->reset) {
                gpiod_set_value(mt9p031->reset, 0);
```

```352:353:drivers/media/i2c/mt9p031.c
        if (mt9p031->reset) {
                gpiod_set_value(mt9p031->reset, 1);
```

ERR_PTR values are non-NULL, so `if (mt9p031->reset)` evaluates to TRUE,
and `gpiod_set_value()` will dereference the invalid pointer → kernel
oops.

**Step 2.4: Fix Quality**
- Obviously correct: standard IS_ERR/PTR_ERR pattern used throughout the
  kernel
- Minimal and surgical
- Cannot introduce regression (only adds an error check before existing
  code)
- Goes to the existing `done:` cleanup label which properly frees
  resources

## PHASE 3: GIT HISTORY INVESTIGATION

**Step 3.1: Blame**
The unchecked `devm_gpiod_get_optional()` was introduced in commit
`7c3be9f812be6c` ("[media] v4l: mt9p031: Convert to the gpiod API") by
Laurent Pinchart, first appearing in v4.1-rc1. The bug has existed for
~11 years.

**Step 3.2: Fixes Tag**
No Fixes: tag present. The implicit fix target is `7c3be9f812be6c` from
v4.1-rc1.

**Step 3.3: File History**
There have been ~23 changes to this file since v5.10, but the specific
`devm_gpiod_get_optional` call and surrounding lines have been stable
since introduction. The fix is standalone — no dependencies on other
patches.

**Step 3.4: Author**
Chen Ni is a prolific contributor of "check return value" patches. Two
identical-pattern patches by the same author for `adin1110` and
`max98390` have been accepted in the same timeframe, confirming this is
a recognized bug pattern.

**Step 3.5: Dependencies**
None. The fix is self-contained: it adds 4 lines using only existing
variables (`ret`) and labels (`done:`).

## PHASE 4: MAILING LIST RESEARCH

**Step 4.1: Original Discussion**
Found via `b4 dig`:
https://patch.msgid.link/20260202024312.3911800-1-nichen@iscas.ac.cn
Single submission, accepted without review comments (common for
trivially correct patches).

**Step 4.2: Reviewers**
Sakari Ailus (linux-media sub-maintainer) applied the patch. Mauro
Carvalho Chehab (media subsystem maintainer) signed off. Both are the
correct maintainers for this code.

**Step 4.3: Bug Report**
No external bug report. This was found by code inspection.

**Step 4.4: Related Patches**
The similar adin1110 patch (`78211543d2e44`) has a `Fixes:` tag and was
accepted. The mt9p031 version lacks a Fixes: tag but addresses the same
class of bug.

**Step 4.5: Stable History**
No stable-specific discussion found.

## PHASE 5: CODE SEMANTIC ANALYSIS

**Step 5.1: Modified Functions**
Only `mt9p031_probe()` is modified.

**Step 5.2: Callers of Affected Code**
`mt9p031_probe()` is the I2C driver probe function, called during device
registration. The `mt9p031->reset` field is then used in:
- `mt9p031_power_on()` ← called from `mt9p031_registered()` and
  `__mt9p031_set_power()`
- `mt9p031_power_off()` ← called from `mt9p031_registered()` and
  `__mt9p031_set_power()`

These are called during normal device operation (open/close/stream).

**Step 5.3-5.4: Call Chain**
The crash path: user opens the V4L2 device → `mt9p031_open()` →
`mt9p031_set_power()` → `__mt9p031_set_power()` → `mt9p031_power_on()` →
`gpiod_set_value(invalid_ptr)` → **kernel oops**.

**Step 5.5: Similar Patterns**
The `devm_gpiod_get_optional()` documentation explicitly states it can
return IS_ERR codes. This same missing-check pattern was found and fixed
in at least two other drivers simultaneously.

## PHASE 6: STABLE TREE ANALYSIS

**Step 6.1: Code Existence in Stable**
The buggy `devm_gpiod_get_optional()` call has existed since v4.1-rc1
and is present in ALL current stable trees (5.4.y, 5.10.y, 5.15.y,
6.1.y, 6.6.y, 6.12.y).

**Step 6.2: Backport Complications**
The surrounding code at the `devm_gpiod_get_optional()` call site hasn't
changed. The `done:` label and cleanup pattern are the same. Patch
should apply cleanly or with minimal offset adjustments to older stable
trees.

**Step 6.3: Related Fixes Already in Stable**
No prior fix for this bug exists in any stable tree.

## PHASE 7: SUBSYSTEM CONTEXT

**Step 7.1: Subsystem**
- `drivers/media/i2c/mt9p031.c` — Camera sensor driver (Aptina
  MT9P031/MT9P006)
- Criticality: PERIPHERAL — specific embedded/industrial camera sensor
- Used in embedded systems, BeagleBone, and similar platforms

**Step 7.2: Subsystem Activity**
Moderately active — mostly cleanups and API conversions recently,
indicating a mature driver.

## PHASE 8: IMPACT AND RISK ASSESSMENT

**Step 8.1: Affected Users**
Users of the Aptina MT9P031/MT9P006 camera sensor on ARM/DT-based
platforms.

**Step 8.2: Trigger Conditions**
- `devm_gpiod_get_optional()` returns ERR_PTR, most commonly
  `-EPROBE_DEFER` (deferred probing)
- Deferred probing is common on DT-based ARM systems where probe order
  is non-deterministic
- Can also occur with pinctrl errors, GPIO controller failures, etc.
- Likelihood: LOW to MEDIUM on affected platforms

**Step 8.3: Failure Mode Severity**
Kernel oops (invalid pointer dereference in `gpiod_set_value()`) →
**HIGH** severity when triggered. System crash, potential data loss.

**Step 8.4: Risk-Benefit**
- BENEFIT: Prevents kernel oops on GPIO acquisition failure — moderate
  benefit (niche hardware, realistic trigger)
- RISK: Very low — 4 lines, adds only an error check, standard pattern,
  cannot introduce regression
- Ratio: Favorable

## PHASE 9: FINAL SYNTHESIS

**Evidence FOR backporting:**
- Fixes a real bug: invalid pointer stored and later dereferenced →
  kernel oops
- Very small fix: 4 lines, single file, standard IS_ERR pattern
- Obviously correct: follows the kernel's universal error-checking
  convention
- Zero regression risk
- Buggy code present in ALL stable trees since v4.1
- Reviewed and accepted by both media sub-maintainer and maintainer
- Realistic trigger (deferred probing is common on DT/ARM systems)
- Clean apply expected (code unchanged at patch site since v4.1)
- Similar patches for same bug class accepted elsewhere

**Evidence AGAINST backporting:**
- Niche hardware (MT9P031 camera sensor, embedded use)
- No user bug report — found by code inspection
- No Fixes: tag in the commit
- Trigger requires GPIO acquisition failure, which may be uncommon in
  practice for this specific driver

**Stable Rules Checklist:**
1. Obviously correct and tested? **YES** — standard IS_ERR/PTR_ERR
   pattern
2. Fixes a real bug? **YES** — invalid pointer dereference → crash
3. Important issue? **YES** — kernel oops on affected hardware
4. Small and contained? **YES** — 4 lines, single file
5. No new features or APIs? **YES** — only an error check
6. Can apply to stable? **YES** — code unchanged at patch site

## Verification

- [Phase 1] Parsed tags: Signed-off-by from author + two media
  maintainers. No Fixes, Reported-by, or Cc: stable.
- [Phase 2] Diff analysis: 4 lines added in `mt9p031_probe()`, adds
  IS_ERR check after `devm_gpiod_get_optional()`.
- [Phase 2] Confirmed ERR_PTR values are non-NULL, verified `if
  (mt9p031->reset)` checks at lines 315, 337, 352 would pass with
  ERR_PTR values.
- [Phase 3] git blame: buggy code introduced in commit `7c3be9f812be6c`
  (v4.1-rc1), confirmed with `git describe --contains`.
- [Phase 3] git log: no prior fix for this issue exists.
- [Phase 4] b4 dig -c c8e0585dce5df: found original submission at
  https://patch.msgid.link/20260202024312.3911800-1-nichen@iscas.ac.cn
- [Phase 4] Mbox downloaded: no review discussion beyond the submission
  itself.
- [Phase 4] Two similar patches by same author (`78211543d2e44`
  adin1110, `a1d14d8364eac` max98390) confirmed accepted.
- [Phase 5] Traced call chain: probe → power_on →
  gpiod_set_value(invalid) → oops.
- [Phase 5] Confirmed `devm_gpiod_get_optional()` documentation at line
  68 of `gpiolib-devres.c` states it returns IS_ERR codes on failure.
- [Phase 6] Buggy code exists in all stable trees (v4.1+). No
  conflicting changes at patch site.
- [Phase 6] File has had changes in stable windows, but the
  `devm_gpiod_get_optional` call site is unchanged since v4.1.
- [Phase 8] Failure mode: kernel oops (invalid pointer dereference),
  severity HIGH. Trigger: GPIO acquisition error (deferred probing),
  probability LOW-MEDIUM.

The fix is small, obviously correct, standalone, and prevents a kernel
oops on a realistic error path. It meets all stable kernel criteria.

**YES**

 drivers/media/i2c/mt9p031.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c
index 1500ee4db47ec..ea5d43d925ffa 100644
--- a/drivers/media/i2c/mt9p031.c
+++ b/drivers/media/i2c/mt9p031.c
@@ -1183,6 +1183,10 @@ static int mt9p031_probe(struct i2c_client *client)
 
 	mt9p031->reset = devm_gpiod_get_optional(&client->dev, "reset",
 						 GPIOD_OUT_HIGH);
+	if (IS_ERR(mt9p031->reset)) {
+		ret = PTR_ERR(mt9p031->reset);
+		goto done;
+	}
 
 	ret = mt9p031_clk_setup(mt9p031);
 	if (ret)
-- 
2.53.0