Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sat, 14 Jun 2025 13:34:11 +0000 (09:34 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 14 Jun 2025 13:34:11 +0000 (09:34 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-5.4/input-synaptics-rmi-fix-crash-with-unsupported-versi.patch [new file with mode: 0644]
queue-5.4/input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch [new file with mode: 0644]
queue-5.4/nfsd-fix-ia_size-underflow.patch [new file with mode: 0644]
queue-5.4/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch [new file with mode: 0644]
queue-5.4/pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/input-synaptics-rmi-fix-crash-with-unsupported-versi.patch b/queue-5.4/input-synaptics-rmi-fix-crash-with-unsupported-versi.patch
new file mode 100644 (file)
index 0000000..5eee3b2
--- /dev/null
@@ -0,0 +1,262 @@
+From 2e363dac724846174b4c3318c2409f1f040f55f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 15:49:59 -0700
+Subject: Input: synaptics-rmi - fix crash with unsupported versions of F34
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit ca39500f6af9cfe6823dc5aa8fbaed788d6e35b2 ]
+
+Sysfs interface for updating firmware for RMI devices is available even
+when F34 probe fails. The code checks for presence of F34 "container"
+pointer and then tries to use the function data attached to the
+sub-device. F34 assigns the function data early, before it knows if
+probe will succeed, leaving behind a stale pointer.
+
+Fix this by expanding checks to not only test for presence of F34
+"container" but also check if there is driver data assigned to the
+sub-device, and call dev_set_drvdata() only after we are certain that
+probe is successful.
+
+This is not a complete fix, since F34 will be freed during firmware
+update, so there is still a race when fetching and accessing this
+pointer. This race will be addressed in follow-up changes.
+
+Reported-by: Hanno Böck <hanno@hboeck.de>
+Fixes: 29fd0ec2bdbe ("Input: synaptics-rmi4 - add support for F34 device reflash")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/aBlAl6sGulam-Qcx@google.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/rmi4/rmi_f34.c | 135 ++++++++++++++++++++---------------
+ 1 file changed, 76 insertions(+), 59 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c
+index c26808f10827a..c93a8ccd87c73 100644
+--- a/drivers/input/rmi4/rmi_f34.c
++++ b/drivers/input/rmi4/rmi_f34.c
+@@ -4,6 +4,7 @@
+  * Copyright (C) 2016 Zodiac Inflight Innovations
+  */
++#include "linux/device.h"
+ #include <linux/kernel.h>
+ #include <linux/rmi.h>
+ #include <linux/firmware.h>
+@@ -298,39 +299,30 @@ static int rmi_f34_update_firmware(struct f34_data *f34,
+       return ret;
+ }
+-static int rmi_f34_status(struct rmi_function *fn)
+-{
+-      struct f34_data *f34 = dev_get_drvdata(&fn->dev);
+-
+-      /*
+-       * The status is the percentage complete, or once complete,
+-       * zero for success or a negative return code.
+-       */
+-      return f34->update_status;
+-}
+-
+ static ssize_t rmi_driver_bootloader_id_show(struct device *dev,
+                                            struct device_attribute *dattr,
+                                            char *buf)
+ {
+       struct rmi_driver_data *data = dev_get_drvdata(dev);
+-      struct rmi_function *fn = data->f34_container;
++      struct rmi_function *fn;
+       struct f34_data *f34;
+-      if (fn) {
+-              f34 = dev_get_drvdata(&fn->dev);
+-
+-              if (f34->bl_version == 5)
+-                      return sysfs_emit(buf, "%c%c\n",
+-                                        f34->bootloader_id[0],
+-                                        f34->bootloader_id[1]);
+-              else
+-                      return sysfs_emit(buf, "V%d.%d\n",
+-                                        f34->bootloader_id[1],
+-                                        f34->bootloader_id[0]);
+-      }
++      fn = data->f34_container;
++      if (!fn)
++              return -ENODEV;
+-      return 0;
++      f34 = dev_get_drvdata(&fn->dev);
++      if (!f34)
++              return -ENODEV;
++
++      if (f34->bl_version == 5)
++              return sysfs_emit(buf, "%c%c\n",
++                                f34->bootloader_id[0],
++                                f34->bootloader_id[1]);
++      else
++              return sysfs_emit(buf, "V%d.%d\n",
++                                f34->bootloader_id[1],
++                                f34->bootloader_id[0]);
+ }
+ static DEVICE_ATTR(bootloader_id, 0444, rmi_driver_bootloader_id_show, NULL);
+@@ -343,13 +335,16 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev,
+       struct rmi_function *fn = data->f34_container;
+       struct f34_data *f34;
+-      if (fn) {
+-              f34 = dev_get_drvdata(&fn->dev);
++      fn = data->f34_container;
++      if (!fn)
++              return -ENODEV;
+-              return sysfs_emit(buf, "%s\n", f34->configuration_id);
+-      }
++      f34 = dev_get_drvdata(&fn->dev);
++      if (!f34)
++              return -ENODEV;
+-      return 0;
++
++      return sysfs_emit(buf, "%s\n", f34->configuration_id);
+ }
+ static DEVICE_ATTR(configuration_id, 0444,
+@@ -365,10 +360,14 @@ static int rmi_firmware_update(struct rmi_driver_data *data,
+       if (!data->f34_container) {
+               dev_warn(dev, "%s: No F34 present!\n", __func__);
+-              return -EINVAL;
++              return -ENODEV;
+       }
+       f34 = dev_get_drvdata(&data->f34_container->dev);
++      if (!f34) {
++              dev_warn(dev, "%s: No valid F34 present!\n", __func__);
++              return -ENODEV;
++      }
+       if (f34->bl_version == 7) {
+               if (data->pdt_props & HAS_BSR) {
+@@ -494,10 +493,18 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev,
+                                               char *buf)
+ {
+       struct rmi_driver_data *data = dev_get_drvdata(dev);
+-      int update_status = 0;
++      struct f34_data *f34;
++      int update_status = -ENODEV;
+-      if (data->f34_container)
+-              update_status = rmi_f34_status(data->f34_container);
++      /*
++       * The status is the percentage complete, or once complete,
++       * zero for success or a negative return code.
++       */
++      if (data->f34_container) {
++              f34 = dev_get_drvdata(&data->f34_container->dev);
++              if (f34)
++                      update_status = f34->update_status;
++      }
+       return sysfs_emit(buf, "%d\n", update_status);
+ }
+@@ -517,33 +524,21 @@ static const struct attribute_group rmi_firmware_attr_group = {
+       .attrs = rmi_firmware_attrs,
+ };
+-static int rmi_f34_probe(struct rmi_function *fn)
++static int rmi_f34v5_probe(struct f34_data *f34)
+ {
+-      struct f34_data *f34;
+-      unsigned char f34_queries[9];
++      struct rmi_function *fn = f34->fn;
++      u8 f34_queries[9];
+       bool has_config_id;
+-      u8 version = fn->fd.function_version;
+-      int ret;
+-
+-      f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
+-      if (!f34)
+-              return -ENOMEM;
+-
+-      f34->fn = fn;
+-      dev_set_drvdata(&fn->dev, f34);
+-
+-      /* v5 code only supported version 0, try V7 probe */
+-      if (version > 0)
+-              return rmi_f34v7_probe(f34);
++      int error;
+       f34->bl_version = 5;
+-      ret = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr,
+-                           f34_queries, sizeof(f34_queries));
+-      if (ret) {
++      error = rmi_read_block(fn->rmi_dev, fn->fd.query_base_addr,
++                             f34_queries, sizeof(f34_queries));
++      if (error) {
+               dev_err(&fn->dev, "%s: Failed to query properties\n",
+                       __func__);
+-              return ret;
++              return error;
+       }
+       snprintf(f34->bootloader_id, sizeof(f34->bootloader_id),
+@@ -569,11 +564,11 @@ static int rmi_f34_probe(struct rmi_function *fn)
+               f34->v5.config_blocks);
+       if (has_config_id) {
+-              ret = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr,
+-                                   f34_queries, sizeof(f34_queries));
+-              if (ret) {
++              error = rmi_read_block(fn->rmi_dev, fn->fd.control_base_addr,
++                                     f34_queries, sizeof(f34_queries));
++              if (error) {
+                       dev_err(&fn->dev, "Failed to read F34 config ID\n");
+-                      return ret;
++                      return error;
+               }
+               snprintf(f34->configuration_id, sizeof(f34->configuration_id),
+@@ -582,12 +577,34 @@ static int rmi_f34_probe(struct rmi_function *fn)
+                        f34_queries[2], f34_queries[3]);
+               rmi_dbg(RMI_DEBUG_FN, &fn->dev, "Configuration ID: %s\n",
+-                       f34->configuration_id);
++                      f34->configuration_id);
+       }
+       return 0;
+ }
++static int rmi_f34_probe(struct rmi_function *fn)
++{
++      struct f34_data *f34;
++      u8 version = fn->fd.function_version;
++      int error;
++
++      f34 = devm_kzalloc(&fn->dev, sizeof(struct f34_data), GFP_KERNEL);
++      if (!f34)
++              return -ENOMEM;
++
++      f34->fn = fn;
++
++      /* v5 code only supported version 0 */
++      error = version == 0 ? rmi_f34v5_probe(f34) : rmi_f34v7_probe(f34);
++      if (error)
++              return error;
++
++      dev_set_drvdata(&fn->dev, f34);
++
++      return 0;
++}
++
+ int rmi_f34_create_sysfs(struct rmi_device *rmi_dev)
+ {
+       return sysfs_create_group(&rmi_dev->dev.kobj, &rmi_firmware_attr_group);
+-- 
+2.39.5
+
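Review bot: In rmi_driver_configuration_id_show() the patch keeps the context line `struct rmi_function *fn = data->f34_container;` and then adds `fn = data->f34_container;`, so the same value is assigned twice. rmi_driver_bootloader_id_show() dropped the initializer, and the declaration here should likewise become `struct rmi_function *fn;`. The new include is spelled `#include "linux/device.h"`, where kernel headers are normally included as `#include <linux/device.h>`. The show handlers now return -ENODEV where they used to return 0, and update_fw_status emits the -ENODEV value instead of `0` when no usable F34 is bound. A short comment next to `int update_status = -ENODEV;` would record that user-visible change for anyone parsing the attribute.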
diff --git a/queue-5.4/input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch b/queue-5.4/input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch
new file mode 100644 (file)
index 0000000..24be088
--- /dev/null
@@ -0,0 +1,68 @@
+From 14ba226b0fcce2932564692fe8a14ed53a42e6ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 08:56:06 -0700
+Subject: Input: synaptics-rmi4 - convert to use sysfs_emit() APIs
+
+From: zhang songyi <zhang.songyi@zte.com.cn>
+
+[ Upstream commit 9dedc915937c33302df7fcab01c45e7936d6195a ]
+
+Follow the advice of the Documentation/filesystems/sysfs.rst and show()
+should only use sysfs_emit() or sysfs_emit_at() when formatting the value
+to be returned to user space.
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: zhang songyi <zhang.songyi@zte.com.cn>
+Link: https://lore.kernel.org/r/20220927070936.258300-1-zhang.songyi@zte.com.cn
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Stable-dep-of: ca39500f6af9 ("Input: synaptics-rmi - fix crash with unsupported versions of F34")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/rmi4/rmi_f34.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/input/rmi4/rmi_f34.c b/drivers/input/rmi4/rmi_f34.c
+index e5dca9868f87f..c26808f10827a 100644
+--- a/drivers/input/rmi4/rmi_f34.c
++++ b/drivers/input/rmi4/rmi_f34.c
+@@ -321,13 +321,13 @@ static ssize_t rmi_driver_bootloader_id_show(struct device *dev,
+               f34 = dev_get_drvdata(&fn->dev);
+               if (f34->bl_version == 5)
+-                      return scnprintf(buf, PAGE_SIZE, "%c%c\n",
+-                                       f34->bootloader_id[0],
+-                                       f34->bootloader_id[1]);
++                      return sysfs_emit(buf, "%c%c\n",
++                                        f34->bootloader_id[0],
++                                        f34->bootloader_id[1]);
+               else
+-                      return scnprintf(buf, PAGE_SIZE, "V%d.%d\n",
+-                                       f34->bootloader_id[1],
+-                                       f34->bootloader_id[0]);
++                      return sysfs_emit(buf, "V%d.%d\n",
++                                        f34->bootloader_id[1],
++                                        f34->bootloader_id[0]);
+       }
+       return 0;
+@@ -346,7 +346,7 @@ static ssize_t rmi_driver_configuration_id_show(struct device *dev,
+       if (fn) {
+               f34 = dev_get_drvdata(&fn->dev);
+-              return scnprintf(buf, PAGE_SIZE, "%s\n", f34->configuration_id);
++              return sysfs_emit(buf, "%s\n", f34->configuration_id);
+       }
+       return 0;
+@@ -499,7 +499,7 @@ static ssize_t rmi_driver_update_fw_status_show(struct device *dev,
+       if (data->f34_container)
+               update_status = rmi_f34_status(data->f34_container);
+-      return scnprintf(buf, PAGE_SIZE, "%d\n", update_status);
++      return sysfs_emit(buf, "%d\n", update_status);
+ }
+ static DEVICE_ATTR(update_fw_status, 0444,
+-- 
+2.39.5
+
diff --git a/queue-5.4/nfsd-fix-ia_size-underflow.patch b/queue-5.4/nfsd-fix-ia_size-underflow.patch
new file mode 100644 (file)
index 0000000..947b86e
--- /dev/null
@@ -0,0 +1,48 @@
+From ab39defc89221644125fbcadf37c375d5b379263 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 16:53:21 -0700
+Subject: NFSD: Fix ia_size underflow
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit e6faac3f58c7c4176b66f63def17a34232a17b0e ]
+
+iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and
+NFSv4 both define file size as an unsigned 64-bit type. Thus there
+is a range of valid file size values an NFS client can send that is
+already larger than Linux can handle.
+
+Currently decode_fattr4() dumps a full u64 value into ia_size. If
+that value happens to be larger than S64_MAX, then ia_size
+underflows. I'm about to fix up the NFSv3 behavior as well, so let's
+catch the underflow in the common code path: nfsd_setattr().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+(cherry picked from commit e6faac3f58c7c4176b66f63def17a34232a17b0e)
+[Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 2f221d6f7b88
+attr: handle idmapped mounts]
+Signed-off-by: Larry Bassel <larry.bassel@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/vfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index 6aa968bee0ce1..bee4fdf6e239a 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -448,6 +448,10 @@ nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
+                       .ia_size        = iap->ia_size,
+               };
++              host_err = -EFBIG;
++              if (iap->ia_size < 0)
++                      goto out_unlock;
++
+               host_err = notify_change(dentry, &size_attr, NULL);
+               if (host_err)
+                       goto out_unlock;
+-- 
+2.39.5
+
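Review bot: The new guard `if (iap->ia_size < 0)` in nfsd_setattr() has no comment explaining why a negative size maps to -EFBIG; something like `/* ia_size is a signed loff_t: a client size above S64_MAX arrives here negative */` above `host_err = -EFBIG;` would make the intent clear. The check sits inside this block, after `size_attr` has already been initialised from `iap->ia_size`. Any earlier use of `iap->ia_size` in nfsd_setattr() therefore still sees the unvalidated value. That code is outside the hunk, so it is worth confirming on the 5.4 tree, given that the backport note mentions a resolved conflict. The function begins and ends outside the hunk.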
diff --git a/queue-5.4/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch b/queue-5.4/nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch
new file mode 100644 (file)
index 0000000..38c3779
--- /dev/null
@@ -0,0 +1,48 @@
+From 98213e3630a0b2800c084be9bf7c7c07fffa7280 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 16:55:04 -0700
+Subject: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit a648fdeb7c0e17177a2280344d015dba3fbe3314 ]
+
+iattr::ia_size is a loff_t, so these NFSv3 procedures must be
+careful to deal with incoming client size values that are larger
+than s64_max without corrupting the value.
+
+Silently capping the value results in storing a different value
+than the client passed in which is unexpected behavior, so remove
+the min_t() check in decode_sattr3().
+
+Note that RFC 1813 permits only the WRITE procedure to return
+NFS3ERR_FBIG. We believe that NFSv3 reference implementations
+also return NFS3ERR_FBIG when ia_size is too large.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+(cherry picked from commit a648fdeb7c0e17177a2280344d015dba3fbe3314)
+[Larry: backport to 5.4.y. Minor conflict resolved due to missing commit 9cde9360d18d
+NFSD: Update the SETATTR3args decoder to use struct xdr_stream]
+Signed-off-by: Larry Bassel <larry.bassel@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs3xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
+index 03e8c45a52f3c..25b6b4db0af24 100644
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -122,7 +122,7 @@ decode_sattr3(__be32 *p, struct iattr *iap, struct user_namespace *userns)
+               iap->ia_valid |= ATTR_SIZE;
+               p = xdr_decode_hyper(p, &newsize);
+-              iap->ia_size = min_t(u64, newsize, NFS_OFFSET_MAX);
++              iap->ia_size = newsize;
+       }
+       if ((tmp = ntohl(*p++)) == 1) { /* set to server time */
+               iap->ia_valid |= ATTR_ATIME;
+-- 
+2.39.5
+
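Review bot: decode_sattr3() no longer bounds the client-supplied size: `iap->ia_size = newsize;` stores a u64 into the signed loff_t, so a value above S64_MAX becomes negative at this assignment. That is safe only if every consumer of this iattr rejects a negative size. The series file lists nfsd-fix-ia_size-underflow.patch ahead of this patch, which covers nfsd_setattr(), but other consumers cannot be checked from this hunk. A comment at the assignment would record the dependency, for example `/* may exceed S64_MAX; the negative ia_size is rejected with -EFBIG in nfsd_setattr() */`. decode_sattr3() starts and ends outside the hunk.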
diff --git a/queue-5.4/pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch b/queue-5.4/pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch
new file mode 100644 (file)
index 0000000..3fd1aba
--- /dev/null
@@ -0,0 +1,43 @@
+From d1f580308371e239f69325b0e22bb083c1731f93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 09:29:23 +0300
+Subject: pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 0f5757667ec0aaf2456c3b76fcf0c6c3ea3591fe ]
+
+The error checking for of_count_phandle_with_args() does not handle
+negative error codes correctly.  The problem is that "index" is a u32 so
+in the condition "if (index >= num_domains)" negative error codes stored
+in "num_domains" are type promoted to very high positive values and
+"index" is always going to be valid.
+
+Test for negative error codes first and then test if "index" is valid.
+
+Fixes: 3ccf3f0cd197 ("PM / Domains: Enable genpd_dev_pm_attach_by_id|name() for single PM domain")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/aBxPQ8AI8N5v-7rL@stanley.mountain
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/domain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
+index eed4c865a4bf8..2ccd0c8003e24 100644
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -2509,7 +2509,7 @@ struct device *genpd_dev_pm_attach_by_id(struct device *dev,
+       /* Verify that the index is within a valid range. */
+       num_domains = of_count_phandle_with_args(dev->of_node, "power-domains",
+                                                "#power-domain-cells");
+-      if (index >= num_domains)
++      if (num_domains < 0 || index >= num_domains)
+               return NULL;
+       /* Allocate and register device on the genpd bus. */
+-- 
+2.39.5
+
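Review bot: The comment above the check, `/* Verify that the index is within a valid range. */`, no longer describes the first half of `if (num_domains < 0 || index >= num_domains)`. Something like `/* Bail out on a lookup error, then verify that the index is within range. */` would match the new condition. The negative error code from of_count_phandle_with_args() is also dropped by `return NULL;`, so the caller cannot tell a failed lookup from an out-of-range index. If that is intended, the comment should say so. genpd_dev_pm_attach_by_id() continues outside the hunk.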
index 195b787345f396b48c5f282a1b4ddc87105a96a8..c01e5cc285b2dc84ab8e2bbea19f95408d7b614c 100644 (file)
@@ -69,3 +69,8 @@ bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch
 ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch
 pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch
 do_change_type-refuse-to-operate-on-unmounted-not-ou.patch
+pmdomain-core-fix-error-checking-in-genpd_dev_pm_att.patch
+input-synaptics-rmi4-convert-to-use-sysfs_emit-apis.patch
+input-synaptics-rmi-fix-crash-with-unsupported-versi.patch
+nfsd-fix-ia_size-underflow.patch
+nfsd-fix-nfsv3-setattr-create-s-handling-of-large-fi.patch