5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Feb 2025 14:03:44 +0000 (15:03 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 10 Feb 2025 14:03:44 +0000 (15:03 +0100)
added patches:
alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch
hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch
kbuild-move-wenum-enum-conversion-to-w-2.patch
of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch
of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch
of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch
perf-bench-fix-undefined-behavior-in-cmpworker.patch
powerpc-pseries-eeh-fix-get-pe-state-translation.patch
serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch
serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch
soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch
usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch
usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch
usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch
usb-gadget-f_tcm-translate-error-to-sense.patch
wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch

17 files changed:
queue-5.4/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch [new file with mode: 0644]
queue-5.4/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch [new file with mode: 0644]
queue-5.4/kbuild-move-wenum-enum-conversion-to-w-2.patch [new file with mode: 0644]
queue-5.4/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch [new file with mode: 0644]
queue-5.4/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch [new file with mode: 0644]
queue-5.4/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch [new file with mode: 0644]
queue-5.4/perf-bench-fix-undefined-behavior-in-cmpworker.patch [new file with mode: 0644]
queue-5.4/powerpc-pseries-eeh-fix-get-pe-state-translation.patch [new file with mode: 0644]
queue-5.4/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch [new file with mode: 0644]
queue-5.4/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_tcm-translate-error-to-sense.patch [new file with mode: 0644]
queue-5.4/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch [new file with mode: 0644]

diff --git a/queue-5.4/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch b/queue-5.4/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch
new file mode 100644 (file)
index 0000000..6f9763b
--- /dev/null
@@ -0,0 +1,66 @@
+From 3b4309546b48fc167aa615a2d881a09c0a97971f Mon Sep 17 00:00:00 2001
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+Date: Wed, 29 Jan 2025 00:54:15 +0800
+Subject: ALSA: hda: Fix headset detection failure due to unstable sort
+
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+
+commit 3b4309546b48fc167aa615a2d881a09c0a97971f upstream.
+
+The auto_parser assumed sort() was stable, but the kernel's sort() uses
+heapsort, which has never been stable. After commit 0e02ca29a563
+("lib/sort: optimize heapsort with double-pop variation"), the order of
+equal elements changed, causing the headset to fail to work.
+
+Fix the issue by recording the original order of elements before
+sorting and using it as a tiebreaker for equal elements in the
+comparison function.
+
+Fixes: b9030a005d58 ("ALSA: hda - Use standard sort function in hda_auto_parser.c")
+Reported-by: Austrum <austrum.lab@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219158
+Tested-by: Austrum <austrum.lab@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
+Link: https://patch.msgid.link/20250128165415.643223-1-visitorckw@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_auto_parser.c |    8 +++++++-
+ sound/pci/hda/hda_auto_parser.h |    1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_auto_parser.c
++++ b/sound/pci/hda/hda_auto_parser.c
+@@ -80,7 +80,11 @@ static int compare_input_type(const void
+       /* In case one has boost and the other one has not,
+          pick the one with boost first. */
+-      return (int)(b->has_boost_on_pin - a->has_boost_on_pin);
++      if (a->has_boost_on_pin != b->has_boost_on_pin)
++              return (int)(b->has_boost_on_pin - a->has_boost_on_pin);
++
++      /* Keep the original order */
++      return a->order - b->order;
+ }
+ /* Reorder the surround channels
+@@ -404,6 +408,8 @@ int snd_hda_parse_pin_defcfg(struct hda_
+       reorder_outputs(cfg->speaker_outs, cfg->speaker_pins);
+       /* sort inputs in the order of AUTO_PIN_* type */
++      for (i = 0; i < cfg->num_inputs; i++)
++              cfg->inputs[i].order = i;
+       sort(cfg->inputs, cfg->num_inputs, sizeof(cfg->inputs[0]),
+            compare_input_type, NULL);
+--- a/sound/pci/hda/hda_auto_parser.h
++++ b/sound/pci/hda/hda_auto_parser.h
+@@ -35,6 +35,7 @@ struct auto_pin_cfg_item {
+       unsigned int is_headset_mic:1;
+       unsigned int is_headphone_mic:1; /* Mic-only in headphone jack */
+       unsigned int has_boost_on_pin:1;
++      int order;
+ };
+ struct auto_pin_cfg;
diff --git a/queue-5.4/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch b/queue-5.4/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch
new file mode 100644 (file)
index 0000000..87ac31b
--- /dev/null
@@ -0,0 +1,84 @@
+From 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 Mon Sep 17 00:00:00 2001
+From: Heiko Stuebner <heiko@sntech.de>
+Date: Thu, 7 Nov 2024 12:47:04 +0100
+Subject: HID: hid-sensor-hub: don't use stale platform-data on remove
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+commit 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 upstream.
+
+The hid-sensor-hub creates the individual device structs and transfers them
+to the created mfd platform-devices via the platform_data in the mfd_cell.
+
+Before e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads")
+the sensor-hub was managing access centrally, with one "completion" in the
+hub's data structure, which needed to be finished on removal at the latest.
+
+The mentioned commit then moved this central management to each hid sensor
+device, resulting on a completion in each struct hid_sensor_hub_device.
+The remove procedure was adapted to go through all sensor devices and
+finish any pending "completion".
+
+What this didn't take into account was, platform_device_add_data() that is
+used by mfd_add{_hotplug}_devices() does a kmemdup on the submitted
+platform-data. So the data the platform-device gets is a copy of the
+original data, meaning that the device worked on a different completion
+than what sensor_hub_remove() currently wants to access.
+
+To fix that, use device_for_each_child() to go through each child-device
+similar to how mfd_remove_devices() unregisters the devices later and
+with that get the live platform_data to finalize the correct completion.
+
+Fixes: e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Acked-by: Benjamin Tissoires <bentiss@kernel.org>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Acked-by: Jiri Kosina <jkosina@suse.com>
+Link: https://lore.kernel.org/r/20241107114712.538976-2-heiko@sntech.de
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-sensor-hub.c |   21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -730,23 +730,30 @@ err_stop_hw:
+       return ret;
+ }
++static int sensor_hub_finalize_pending_fn(struct device *dev, void *data)
++{
++      struct hid_sensor_hub_device *hsdev = dev->platform_data;
++
++      if (hsdev->pending.status)
++              complete(&hsdev->pending.ready);
++
++      return 0;
++}
++
+ static void sensor_hub_remove(struct hid_device *hdev)
+ {
+       struct sensor_hub_data *data = hid_get_drvdata(hdev);
+       unsigned long flags;
+-      int i;
+       hid_dbg(hdev, " hardware removed\n");
+       hid_hw_close(hdev);
+       hid_hw_stop(hdev);
++
+       spin_lock_irqsave(&data->lock, flags);
+-      for (i = 0; i < data->hid_sensor_client_cnt; ++i) {
+-              struct hid_sensor_hub_device *hsdev =
+-                      data->hid_sensor_hub_client_devs[i].platform_data;
+-              if (hsdev->pending.status)
+-                      complete(&hsdev->pending.ready);
+-      }
++      device_for_each_child(&hdev->dev, NULL,
++                            sensor_hub_finalize_pending_fn);
+       spin_unlock_irqrestore(&data->lock, flags);
++
+       mfd_remove_devices(&hdev->dev);
+       mutex_destroy(&data->mutex);
+ }
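Review bot: sensor_hub_finalize_pending_fn() dereferences `dev->platform_data` for every child of `hdev->dev` without a NULL check, so the remove path relies on every remaining child being one of the MFD sensor devices. Whether any other child can still be registered after hid_hw_stop() is not visible in this hunk; a guard such as `if (hsdev && hsdev->pending.status)` keeps removal safe either way. A short comment above the callback, for example `/* platform_data is the per-child copy made by platform_device_add_data() */`, would also record why the hub's own client array is no longer consulted.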
diff --git a/queue-5.4/kbuild-move-wenum-enum-conversion-to-w-2.patch b/queue-5.4/kbuild-move-wenum-enum-conversion-to-w-2.patch
new file mode 100644 (file)
index 0000000..61c0ad5
--- /dev/null
@@ -0,0 +1,61 @@
+From 8f6629c004b193d23612641c3607e785819e97ab Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Thu, 17 Oct 2024 10:09:22 -0700
+Subject: kbuild: Move -Wenum-enum-conversion to W=2
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 8f6629c004b193d23612641c3607e785819e97ab upstream.
+
+-Wenum-enum-conversion was strengthened in clang-19 to warn for C, which
+caused the kernel to move it to W=1 in commit 75b5ab134bb5 ("kbuild:
+Move -Wenum-{compare-conditional,enum-conversion} into W=1") because
+there were numerous instances that would break builds with -Werror.
+Unfortunately, this is not a full solution, as more and more developers,
+subsystems, and distributors are building with W=1 as well, so they
+continue to see the numerous instances of this warning.
+
+Since the move to W=1, there have not been many new instances that have
+appeared through various build reports and the ones that have appeared
+seem to be following similar existing patterns, suggesting that most
+instances of this warning will not be real issues. The only alternatives
+for silencing this warning are adding casts (which is generally seen as
+an ugly practice) or refactoring the enums to macro defines or a unified
+enum (which may be undesirable because of type safety in other parts of
+the code).
+
+Move the warning to W=2, where warnings that occur frequently but may be
+relevant should reside.
+
+Cc: stable@vger.kernel.org
+Fixes: 75b5ab134bb5 ("kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1")
+Link: https://lore.kernel.org/ZwRA9SOcOjjLJcpi@google.com/
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Makefile.extrawarn |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/scripts/Makefile.extrawarn
++++ b/scripts/Makefile.extrawarn
+@@ -36,6 +36,10 @@ KBUILD_CFLAGS += $(call cc-option, -Wstr
+ KBUILD_CFLAGS += -Wno-missing-field-initializers
+ KBUILD_CFLAGS += -Wno-sign-compare
++ifdef CONFIG_CC_IS_CLANG
++KBUILD_CFLAGS += -Wno-enum-enum-conversion
++endif
++
+ KBUILD_CPPFLAGS += -DKBUILD_EXTRA_WARN1
+ else
+@@ -52,7 +56,6 @@ KBUILD_CFLAGS += $(call cc-disable-warni
+ KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access)
+ KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict)
+ KBUILD_CFLAGS += -Wno-enum-compare-conditional
+-KBUILD_CFLAGS += -Wno-enum-enum-conversion
+ endif
+ endif
diff --git a/queue-5.4/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch b/queue-5.4/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch
new file mode 100644 (file)
index 0000000..59afb60
--- /dev/null
@@ -0,0 +1,50 @@
+From e4c00c9b1f70cd11792ff5b825899a6ee0234a62 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Thu, 9 Jan 2025 21:26:52 +0800
+Subject: of: Correct child specifier used as input of the 2nd nexus node
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit e4c00c9b1f70cd11792ff5b825899a6ee0234a62 upstream.
+
+API of_parse_phandle_with_args_map() will use wrong input for nexus node
+Nexus_2 as shown below:
+
+    Node_1             Nexus_1                              Nexus_2
+&Nexus_1,arg_1 -> arg_1,&Nexus_2,arg_2' -> &Nexus_2,arg_2 -> arg_2,...
+                 map-pass-thru=<...>
+
+Nexus_1's output arg_2 should be used as input of Nexus_2, but the API
+wrongly uses arg_2' instead which != arg_2 due to Nexus_1's map-pass-thru.
+
+Fix by always making @match_array point to @initial_match_array into
+which to store nexus output.
+
+Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-1-db8a72415b8c@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1733,7 +1733,6 @@ int of_parse_phandle_with_args_map(const
+                * specifier into the out_args structure, keeping the
+                * bits specified in <list>-map-pass-thru.
+                */
+-              match_array = map - new_size;
+               for (i = 0; i < new_size; i++) {
+                       __be32 val = *(map - new_size + i);
+@@ -1742,6 +1741,7 @@ int of_parse_phandle_with_args_map(const
+                               val |= cpu_to_be32(out_args->args[i]) & pass[i];
+                       }
++                      initial_match_array[i] = val;
+                       out_args->args[i] = be32_to_cpu(val);
+               }
+               out_args->args_count = list_size = new_size;
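Review bot: The added store `initial_match_array[i] = val;` writes `new_size` entries into a fixed-size array, and `new_size` comes from device-tree data; the check that bounds it is not inside this hunk. For the 5.4 backport, confirm that of_parse_phandle_with_args_map() rejects `new_size > MAX_PHANDLE_ARGS` before this loop is reached. Also confirm that no later code in the function still expects `match_array` to point into `map`, since the assignment `match_array = map - new_size;` is removed. The function body starts and ends outside the hunk.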
diff --git a/queue-5.4/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch b/queue-5.4/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch
new file mode 100644 (file)
index 0000000..6ce40b9
--- /dev/null
@@ -0,0 +1,52 @@
+From b9e58c934c56aa35b0fb436d9afd86ef326bae0e Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Mon, 16 Dec 2024 08:40:40 +0800
+Subject: of: Fix of_find_node_opts_by_path() handling of alias+path+options
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit b9e58c934c56aa35b0fb436d9afd86ef326bae0e upstream.
+
+of_find_node_opts_by_path() fails to find OF device node when its
+@path parameter have pattern below:
+
+"alias-name/node-name-1/.../node-name-N:options".
+
+The reason is that alias name length calculated by the API is wrong, as
+explained by example below:
+
+"testcase-alias/phandle-tests/consumer-a:testaliasoption".
+ ^             ^                        ^
+ 0             14                       39
+
+The right length of alias 'testcase-alias' is 14, but the result worked
+out by the API is 39 which is obvious wrong.
+
+Fix by using index of either '/' or ':' as the length who comes earlier.
+
+Fixes: 75c28c09af99 ("of: add optional options parameter to of_find_node_by_path()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20241216-of_core_fix-v2-1-e69b8f60da63@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -988,10 +988,10 @@ struct device_node *of_find_node_opts_by
+       /* The path could begin with an alias */
+       if (*path != '/') {
+               int len;
+-              const char *p = separator;
++              const char *p = strchrnul(path, '/');
+-              if (!p)
+-                      p = strchrnul(path, '/');
++              if (separator && separator < p)
++                      p = separator;
+               len = p - path;
+               /* of_aliases must not be NULL */
diff --git a/queue-5.4/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch b/queue-5.4/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch
new file mode 100644 (file)
index 0000000..5df58e9
--- /dev/null
@@ -0,0 +1,47 @@
+From 267b21d0bef8e67dbe6c591c9991444e58237ec9 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Thu, 9 Jan 2025 21:27:00 +0800
+Subject: of: reserved-memory: Fix using wrong number of cells to get property 'alignment'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 267b21d0bef8e67dbe6c591c9991444e58237ec9 upstream.
+
+According to DT spec, size of property 'alignment' is based on parent
+node’s #size-cells property.
+
+But __reserved_mem_alloc_size() wrongly uses @dt_root_addr_cells to get
+the property obviously.
+
+Fix by using @dt_root_size_cells instead of @dt_root_addr_cells.
+
+Fixes: 3f0c82066448 ("drivers: of: add initialization code for dynamic reserved memory")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-9-db8a72415b8c@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/of_reserved_mem.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/of/of_reserved_mem.c
++++ b/drivers/of/of_reserved_mem.c
+@@ -96,12 +96,12 @@ static int __init __reserved_mem_alloc_s
+       prop = of_get_flat_dt_prop(node, "alignment", &len);
+       if (prop) {
+-              if (len != dt_root_addr_cells * sizeof(__be32)) {
++              if (len != dt_root_size_cells * sizeof(__be32)) {
+                       pr_err("invalid alignment property in '%s' node.\n",
+                               uname);
+                       return -EINVAL;
+               }
+-              align = dt_mem_next_cell(dt_root_addr_cells, &prop);
++              align = dt_mem_next_cell(dt_root_size_cells, &prop);
+       }
+       /* Need adjust the alignment to satisfy the CMA requirement */
diff --git a/queue-5.4/perf-bench-fix-undefined-behavior-in-cmpworker.patch b/queue-5.4/perf-bench-fix-undefined-behavior-in-cmpworker.patch
new file mode 100644 (file)
index 0000000..7acf86b
--- /dev/null
@@ -0,0 +1,52 @@
+From 62892e77b8a64b9dc0e1da75980aa145347b6820 Mon Sep 17 00:00:00 2001
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+Date: Thu, 16 Jan 2025 19:08:42 +0800
+Subject: perf bench: Fix undefined behavior in cmpworker()
+
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+
+commit 62892e77b8a64b9dc0e1da75980aa145347b6820 upstream.
+
+The comparison function cmpworker() violates the C standard's
+requirements for qsort() comparison functions, which mandate symmetry
+and transitivity:
+
+Symmetry: If x < y, then y > x.
+Transitivity: If x < y and y < z, then x < z.
+
+In its current implementation, cmpworker() incorrectly returns 0 when
+w1->tid < w2->tid, which breaks both symmetry and transitivity. This
+violation causes undefined behavior, potentially leading to issues such
+as memory corruption in glibc [1].
+
+Fix the issue by returning -1 when w1->tid < w2->tid, ensuring
+compliance with the C standard and preventing undefined behavior.
+
+Link: https://www.qualys.com/2024/01/30/qsort.txt [1]
+Fixes: 121dd9ea0116 ("perf bench: Add epoll parallel epoll_wait benchmark")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
+Reviewed-by: James Clark <james.clark@linaro.org>
+Link: https://lore.kernel.org/r/20250116110842.4087530-1-visitorckw@gmail.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/bench/epoll-wait.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/bench/epoll-wait.c
++++ b/tools/perf/bench/epoll-wait.c
+@@ -407,7 +407,12 @@ static int cmpworker(const void *p1, con
+       struct worker *w1 = (struct worker *) p1;
+       struct worker *w2 = (struct worker *) p2;
+-      return w1->tid > w2->tid;
++
++      if (w1->tid > w2->tid)
++              return 1;
++      if (w1->tid < w2->tid)
++              return -1;
++      return 0;
+ }
+ int bench_epoll_wait(int argc, const char **argv)
diff --git a/queue-5.4/powerpc-pseries-eeh-fix-get-pe-state-translation.patch b/queue-5.4/powerpc-pseries-eeh-fix-get-pe-state-translation.patch
new file mode 100644 (file)
index 0000000..d2d31b9
--- /dev/null
@@ -0,0 +1,54 @@
+From 11b93559000c686ad7e5ab0547e76f21cc143844 Mon Sep 17 00:00:00 2001
+From: Narayana Murty N <nnmlinux@linux.ibm.com>
+Date: Thu, 16 Jan 2025 04:39:54 -0600
+Subject: powerpc/pseries/eeh: Fix get PE state translation
+
+From: Narayana Murty N <nnmlinux@linux.ibm.com>
+
+commit 11b93559000c686ad7e5ab0547e76f21cc143844 upstream.
+
+The PE Reset State "0" returned by RTAS calls
+"ibm_read_slot_reset_[state|state2]" indicates that the reset is
+deactivated and the PE is in a state where MMIO and DMA are allowed.
+However, the current implementation of "pseries_eeh_get_state()" does
+not reflect this, causing drivers to incorrectly assume that MMIO and
+DMA operations cannot be resumed.
+
+The userspace drivers as a part of EEH recovery using VFIO ioctls fail
+to detect when the recovery process is complete. The VFIO_EEH_PE_GET_STATE
+ioctl does not report the expected EEH_PE_STATE_NORMAL state, preventing
+userspace drivers from functioning properly on pseries systems.
+
+The patch addresses this issue by updating 'pseries_eeh_get_state()'
+to include "EEH_STATE_MMIO_ENABLED" and "EEH_STATE_DMA_ENABLED" in
+the result mask for PE Reset State "0". This ensures correct state
+reporting to the callers, aligning the behavior with the PAPR specification
+and fixing the bug in EEH recovery for VFIO user workflows.
+
+Fixes: 00ba05a12b3c ("powerpc/pseries: Cleanup on pseries_eeh_get_state()")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Signed-off-by: Narayana Murty N <nnmlinux@linux.ibm.com>
+Link: https://lore.kernel.org/stable/20241212075044.10563-1-nnmlinux%40linux.ibm.com
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250116103954.17324-1-nnmlinux@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/eeh_pseries.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
+@@ -472,8 +472,10 @@ static int pseries_eeh_get_state(struct
+       switch(rets[0]) {
+       case 0:
+-              result = EEH_STATE_MMIO_ACTIVE |
+-                       EEH_STATE_DMA_ACTIVE;
++              result = EEH_STATE_MMIO_ACTIVE  |
++                       EEH_STATE_DMA_ACTIVE   |
++                       EEH_STATE_MMIO_ENABLED |
++                       EEH_STATE_DMA_ENABLED;
+               break;
+       case 1:
+               result = EEH_STATE_RESET_ACTIVE |
diff --git a/queue-5.4/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch b/queue-5.4/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch
new file mode 100644 (file)
index 0000000..86fa2e1
--- /dev/null
@@ -0,0 +1,79 @@
+From 9f7dea875cc7f9c1a56a5c688290634a59cd1420 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Date: Thu, 16 Jan 2025 20:22:47 +0200
+Subject: serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+commit 9f7dea875cc7f9c1a56a5c688290634a59cd1420 upstream.
+
+In the sh-sci driver, sci_ports[0] is used by earlycon. If the earlycon is
+still active when sci_probe() is called and the new serial port is supposed
+to map to sci_ports[0], return -EBUSY to prevent breaking the earlycon.
+
+This situation should occurs in debug scenarios, and users should be
+aware of the potential conflict.
+
+Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Link: https://lore.kernel.org/r/20250116182249.3828577-4-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c |   23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -166,6 +166,7 @@ struct sci_port {
+ static struct sci_port sci_ports[SCI_NPORTS];
+ static unsigned long sci_ports_in_use;
+ static struct uart_driver sci_uart_driver;
++static bool sci_uart_earlycon;
+ static inline struct sci_port *
+ to_sci_port(struct uart_port *uart)
+@@ -3345,6 +3346,7 @@ static int sci_probe_single(struct platf
+ static int sci_probe(struct platform_device *dev)
+ {
+       struct plat_sci_port *p;
++      struct resource *res;
+       struct sci_port *sp;
+       unsigned int dev_id;
+       int ret;
+@@ -3372,6 +3374,26 @@ static int sci_probe(struct platform_dev
+       }
+       sp = &sci_ports[dev_id];
++
++      /*
++       * In case:
++       * - the probed port alias is zero (as the one used by earlycon), and
++       * - the earlycon is still active (e.g., "earlycon keep_bootcon" in
++       *   bootargs)
++       *
++       * defer the probe of this serial. This is a debug scenario and the user
++       * must be aware of it.
++       *
++       * Except when the probed port is the same as the earlycon port.
++       */
++
++      res = platform_get_resource(dev, IORESOURCE_MEM, 0);
++      if (!res)
++              return -ENODEV;
++
++      if (sci_uart_earlycon && sp == &sci_ports[0] && sp->port.mapbase != res->start)
++              return dev_err_probe(&dev->dev, -EBUSY, "sci_port[0] is used by earlycon!\n");
++
+       platform_set_drvdata(dev, sp);
+       ret = sci_probe_single(dev, dev_id, p, sp);
+@@ -3470,6 +3492,7 @@ static int __init early_console_setup(st
+       port_cfg.type = type;
+       sci_ports[0].cfg = &port_cfg;
+       sci_ports[0].params = sci_probe_regmap(&port_cfg);
++      sci_uart_earlycon = true;
+       port_cfg.scscr = sci_serial_in(&sci_ports[0].port, SCSCR);
+       sci_serial_out(&sci_ports[0].port, SCSCR,
+                      SCSCR_RE | SCSCR_TE | port_cfg.scscr);
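Review bot: The comment added in sci_probe() says the probe is deferred, but the code returns `-EBUSY` through dev_err_probe(), which fails the probe outright rather than deferring it; the comment line should read something like `* reject the probe of this serial port with -EBUSY.` In the hunks shown, `sci_uart_earlycon` is set to true in early_console_setup() and never cleared, so a port aliased to slot 0 with a different mapbase appears to stay blocked even after the earlycon has gone away. For this 5.4 queue it is also worth confirming that dev_err_probe() exists in the target tree, since the helper is newer than the 5.4 base release.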
diff --git a/queue-5.4/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch b/queue-5.4/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch
new file mode 100644 (file)
index 0000000..d6156fc
--- /dev/null
@@ -0,0 +1,38 @@
+From eaeee4225dba30bef4d424bdf134a07b7f423e8b Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Date: Thu, 16 Jan 2025 20:22:45 +0200
+Subject: serial: sh-sci: Drop __initdata macro for port_cfg
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+commit eaeee4225dba30bef4d424bdf134a07b7f423e8b upstream.
+
+The port_cfg object is used by serial_console_write(), which serves as
+the write function for the earlycon device. Marking port_cfg as __initdata
+causes it to be freed after kernel initialization, resulting in earlycon
+becoming unavailable thereafter. Remove the __initdata macro from port_cfg
+to resolve this issue.
+
+Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Fixes: 0b0cced19ab15c9e ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
+Link: https://lore.kernel.org/r/20250116182249.3828577-2-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -3455,7 +3455,7 @@ early_platform_init_buffer("earlyprintk"
+                          early_serial_buf, ARRAY_SIZE(early_serial_buf));
+ #endif
+ #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON
+-static struct plat_sci_port port_cfg __initdata;
++static struct plat_sci_port port_cfg;
+ static int __init early_console_setup(struct earlycon_device *device,
+                                     int type)
index b3b5d8873d3b3d6db0df9c9c0b71dc8f6083e7b2..d380caae51b0c8deb0815c35fb700184e8c4fb4f 100644 (file)
@@ -120,3 +120,19 @@ drm-komeda-add-check-for-komeda_get_layer_fourcc_list.patch
 bluetooth-l2cap-handle-null-sock-pointer-in-l2cap_sock_alloc.patch
 clk-qcom-clk-alpha-pll-fix-alpha-mode-configuration.patch
 clk-qcom-clk-rpmh-prevent-integer-overflow-in-recalc_rate.patch
+perf-bench-fix-undefined-behavior-in-cmpworker.patch
+of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch
+of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch
+of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch
+hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch
+wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch
+usb-gadget-f_tcm-translate-error-to-sense.patch
+usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch
+usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch
+usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch
+soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch
+serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch
+serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch
+powerpc-pseries-eeh-fix-get-pe-state-translation.patch
+alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch
+kbuild-move-wenum-enum-conversion-to-w-2.patch
diff --git a/queue-5.4/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch b/queue-5.4/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch
new file mode 100644 (file)
index 0000000..0a82be9
--- /dev/null
@@ -0,0 +1,49 @@
+From 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Mon, 30 Dec 2024 20:59:35 +0100
+Subject: soc: qcom: socinfo: Avoid out of bounds read of serial number
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 upstream.
+
+On MSM8916 devices, the serial number exposed in sysfs is constant and does
+not change across individual devices. It's always:
+
+  db410c:/sys/devices/soc0$ cat serial_number
+  2644893864
+
+The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not
+have support for the serial_num field in the socinfo struct. There is an
+existing check to avoid exposing the serial number in that case, but it's
+not correct: When checking the item_size returned by SMEM, we need to make
+sure the *end* of the serial_num is within bounds, instead of comparing
+with the *start* offset. The serial_number currently exposed on MSM8916
+devices is just an out of bounds read of whatever comes after the socinfo
+struct in SMEM.
+
+Fix this by changing offsetof() to offsetofend(), so that the size of the
+field is also taken into account.
+
+Cc: stable@vger.kernel.org
+Fixes: efb448d0a3fc ("soc: qcom: Add socinfo driver")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241230-qcom-socinfo-serialno-oob-v1-1-9b7a890da3da@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/socinfo.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/socinfo.c
++++ b/drivers/soc/qcom/socinfo.c
+@@ -436,7 +436,7 @@ static int qcom_socinfo_probe(struct pla
+       if (!qs->attr.soc_id || !qs->attr.revision)
+               return -ENOMEM;
+-      if (offsetof(struct socinfo, serial_num) <= item_size) {
++      if (offsetofend(struct socinfo, serial_num) <= item_size) {
+               qs->attr.serial_number = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+                                                       "%u",
+                                                       le32_to_cpu(info->serial_num));
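Review bot: The bounds test on `item_size` in `qcom_socinfo_probe()` should carry a comment saying why the end of the field is compared, because the `offsetof()` form it replaces looked plausible and still allowed a read past a short socinfo item. Something like `/* item_size must cover all of serial_num; older socinfo layouts end before it */` above the `if` would record that. Other version-dependent fields read from `info` elsewhere in the probe function presumably need the same `offsetofend()` comparison. The rest of the function is outside this hunk, so that could not be checked here.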
diff --git a/queue-5.4/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch b/queue-5.4/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch
new file mode 100644 (file)
index 0000000..507e547
--- /dev/null
@@ -0,0 +1,32 @@
+From 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:31:48 +0000
+Subject: usb: gadget: f_tcm: Decrement command ref count on cleanup
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 upstream.
+
+We submitted the command with TARGET_SCF_ACK_KREF, which requires
+acknowledgment of command completion. If the command fails, make sure to
+decrement the ref count.
+
+Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/3c667b4d9c8b0b580346a69ff53616b6a74cfea2.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -971,6 +971,7 @@ static void usbg_data_write_cmpl(struct
+       return;
+ cleanup:
++      target_put_sess_cmd(se_cmd);
+       transport_generic_free_cmd(&cmd->se_cmd, 0);
+ }
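Review bot: The added `target_put_sess_cmd(se_cmd)` in the `cleanup:` path of `usbg_data_write_cmpl()` names the command through the local `se_cmd`, while the next line uses `&cmd->se_cmd`. Using one spelling for both would make it obvious that the put and the free act on the same object. A short comment such as `/* drop the TARGET_SCF_ACK_KREF reference taken at submit */` would also record why two release calls are needed, so a later tidy-up does not remove one as a duplicate. The declaration of `se_cmd` and the jumps to `cleanup` are outside the hunk, so it is worth confirming that every path reaching the label still holds that reference.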
diff --git a/queue-5.4/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch b/queue-5.4/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch
new file mode 100644 (file)
index 0000000..59e1869
--- /dev/null
@@ -0,0 +1,55 @@
+From 94d9bf671ae314cacc2d7bf96bd233b4abc7cede Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:32:07 +0000
+Subject: usb: gadget: f_tcm: Don't prepare BOT write request twice
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 94d9bf671ae314cacc2d7bf96bd233b4abc7cede upstream.
+
+The duplicate kmalloc here is causing memory leak. The request
+preparation in bot_send_write_request is also done in
+usbg_prepare_w_request. Remove the duplicate work.
+
+Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/f4f26c3d586cde0d46f8c3bcb4e8ae32311b650d.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c |   17 -----------------
+ 1 file changed, 17 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -245,7 +245,6 @@ static int bot_send_write_request(struct
+ {
+       struct f_uas *fu = cmd->fu;
+       struct se_cmd *se_cmd = &cmd->se_cmd;
+-      struct usb_gadget *gadget = fuas_to_gadget(fu);
+       int ret;
+       init_completion(&cmd->write_complete);
+@@ -256,22 +255,6 @@ static int bot_send_write_request(struct
+               return -EINVAL;
+       }
+-      if (!gadget->sg_supported) {
+-              cmd->data_buf = kmalloc(se_cmd->data_length, GFP_KERNEL);
+-              if (!cmd->data_buf)
+-                      return -ENOMEM;
+-
+-              fu->bot_req_out->buf = cmd->data_buf;
+-      } else {
+-              fu->bot_req_out->buf = NULL;
+-              fu->bot_req_out->num_sgs = se_cmd->t_data_nents;
+-              fu->bot_req_out->sg = se_cmd->t_data_sg;
+-      }
+-
+-      fu->bot_req_out->complete = usbg_data_write_cmpl;
+-      fu->bot_req_out->length = se_cmd->data_length;
+-      fu->bot_req_out->context = cmd;
+-
+       ret = usbg_prepare_w_request(cmd, fu->bot_req_out);
+       if (ret)
+               goto cleanup;
diff --git a/queue-5.4/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch b/queue-5.4/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch
new file mode 100644 (file)
index 0000000..d93d610
--- /dev/null
@@ -0,0 +1,80 @@
+From 25224c1f07d31c261d04dfbc705a7a0f314a825d Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:32:01 +0000
+Subject: usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 25224c1f07d31c261d04dfbc705a7a0f314a825d upstream.
+
+Match usb endpoint using fullspeed endpoint descriptor to make sure the
+wMaxPacketSize for fullspeed descriptors is automatically configured.
+
+Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/e4507bc824aed6e7c7f5a718392ab6a7c1480a7f.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c |   30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -2016,43 +2016,39 @@ static int tcm_bind(struct usb_configura
+       bot_intf_desc.bInterfaceNumber = iface;
+       uasp_intf_desc.bInterfaceNumber = iface;
+       fu->iface = iface;
+-      ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bi_desc,
+-                      &uasp_bi_ep_comp_desc);
++      ep = usb_ep_autoconfig(gadget, &uasp_fs_bi_desc);
+       if (!ep)
+               goto ep_fail;
+       fu->ep_in = ep;
+-      ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bo_desc,
+-                      &uasp_bo_ep_comp_desc);
++      ep = usb_ep_autoconfig(gadget, &uasp_fs_bo_desc);
+       if (!ep)
+               goto ep_fail;
+       fu->ep_out = ep;
+-      ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_status_desc,
+-                      &uasp_status_in_ep_comp_desc);
++      ep = usb_ep_autoconfig(gadget, &uasp_fs_status_desc);
+       if (!ep)
+               goto ep_fail;
+       fu->ep_status = ep;
+-      ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_cmd_desc,
+-                      &uasp_cmd_comp_desc);
++      ep = usb_ep_autoconfig(gadget, &uasp_fs_cmd_desc);
+       if (!ep)
+               goto ep_fail;
+       fu->ep_cmd = ep;
+       /* Assume endpoint addresses are the same for both speeds */
+-      uasp_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress;
+-      uasp_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress;
++      uasp_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress;
++      uasp_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress;
+       uasp_status_desc.bEndpointAddress =
+-              uasp_ss_status_desc.bEndpointAddress;
+-      uasp_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
++              uasp_fs_status_desc.bEndpointAddress;
++      uasp_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress;
+-      uasp_fs_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress;
+-      uasp_fs_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress;
+-      uasp_fs_status_desc.bEndpointAddress =
+-              uasp_ss_status_desc.bEndpointAddress;
+-      uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
++      uasp_ss_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress;
++      uasp_ss_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress;
++      uasp_ss_status_desc.bEndpointAddress =
++              uasp_fs_status_desc.bEndpointAddress;
++      uasp_ss_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress;
+       ret = usb_assign_descriptors(f, uasp_fs_function_desc,
+                       uasp_hs_function_desc, uasp_ss_function_desc,
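Review bot: Switching the four `usb_ep_autoconfig_ss()` calls in `tcm_bind()` to `usb_ep_autoconfig()` means the SuperSpeed companion descriptors (`uasp_bi_ep_comp_desc`, `uasp_bo_ep_comp_desc`, `uasp_status_in_ep_comp_desc`, `uasp_cmd_comp_desc`) no longer take part in endpoint matching. If the matcher uses the companion descriptor to reject endpoints without enough stream support (worth checking in the gadget core), a controller whose endpoints differ in capability could now be given one that cannot serve UASP streams at SuperSpeed. At minimum the existing comment should state the new assumption, for example `/* Endpoints are matched on the full-speed descriptors; addresses and stream support are assumed to carry over to HS/SS */`. `tcm_bind()` starts before this hunk and the `usb_assign_descriptors()` call runs past its end.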
diff --git a/queue-5.4/usb-gadget-f_tcm-translate-error-to-sense.patch b/queue-5.4/usb-gadget-f_tcm-translate-error-to-sense.patch
new file mode 100644 (file)
index 0000000..48a87a1
--- /dev/null
@@ -0,0 +1,42 @@
+From 98fa00fd3ae43b857b4976984a135483d89d9281 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:31:43 +0000
+Subject: usb: gadget: f_tcm: Translate error to sense
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 98fa00fd3ae43b857b4976984a135483d89d9281 upstream.
+
+When respond with check_condition error status, clear from_transport
+input so the target layer can translate the sense reason reported by
+f_tcm.
+
+Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/b2a5577efe7abd0af0051229622cf7d3be5cdcd0.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -1063,7 +1063,7 @@ static void usbg_cmd_work(struct work_st
+ out:
+       transport_send_check_condition_and_sense(se_cmd,
+-                      TCM_UNSUPPORTED_SCSI_OPCODE, 1);
++                      TCM_UNSUPPORTED_SCSI_OPCODE, 0);
+ }
+ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
+@@ -1192,7 +1192,7 @@ static void bot_cmd_work(struct work_str
+ out:
+       transport_send_check_condition_and_sense(se_cmd,
+-                              TCM_UNSUPPORTED_SCSI_OPCODE, 1);
++                              TCM_UNSUPPORTED_SCSI_OPCODE, 0);
+ }
+ static int bot_submit_command(struct f_uas *fu,
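Review bot: The bare `0` now passed as the last argument of `transport_send_check_condition_and_sense()` in the `out:` paths of `usbg_cmd_work()` and `bot_cmd_work()` is hard to read without the commit message. A comment on each call, such as `/* from_transport = 0: let the target core translate the sense reason */`, would keep a later reader from flipping it back. Both functions begin outside their hunks, so any other call to this helper in f_tcm.c that still passes a literal `1` is not visible here and may need the same look.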
diff --git a/queue-5.4/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch b/queue-5.4/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch
new file mode 100644 (file)
index 0000000..eaec117
--- /dev/null
@@ -0,0 +1,69 @@
+From 68abd0c4ebf24cd499841a488b97a6873d5efabb Mon Sep 17 00:00:00 2001
+From: Marcel Hamer <marcel.hamer@windriver.com>
+Date: Thu, 16 Jan 2025 14:22:40 +0100
+Subject: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
+
+From: Marcel Hamer <marcel.hamer@windriver.com>
+
+commit 68abd0c4ebf24cd499841a488b97a6873d5efabb upstream.
+
+On removal of the device or unloading of the kernel module a potential NULL
+pointer dereference occurs.
+
+The following sequence deletes the interface:
+
+  brcmf_detach()
+    brcmf_remove_interface()
+      brcmf_del_if()
+
+Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to
+BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.
+
+After brcmf_remove_interface() call the brcmf_proto_detach() function is
+called providing the following sequence:
+
+  brcmf_detach()
+    brcmf_proto_detach()
+      brcmf_proto_msgbuf_detach()
+        brcmf_flowring_detach()
+          brcmf_msgbuf_delete_flowring()
+            brcmf_msgbuf_remove_flowring()
+              brcmf_flowring_delete()
+                brcmf_get_ifp()
+                brcmf_txfinalize()
+
+Since brcmf_get_ip() can and actually will return NULL in this case the
+call to brcmf_txfinalize() will result in a NULL pointer dereference inside
+brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.
+
+This will only happen if a flowring still has an skb.
+
+Although the NULL pointer dereference has only been seen when trying to
+update the tx statistic, all other uses of the ifp pointer have been
+guarded as well with an early return if ifp is NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Hamer <marcel.hamer@windriver.com>
+Link: https://lore.kernel.org/all/b519e746-ddfd-421f-d897-7620d229e4b2@gmail.com/
+Acked-by: Arend van Spriel  <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20250116132240.731039-1-marcel.hamer@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -538,6 +538,11 @@ void brcmf_txfinalize(struct brcmf_if *i
+       struct ethhdr *eh;
+       u16 type;
++      if (!ifp) {
++              brcmu_pkt_buf_free_skb(txp);
++              return;
++      }
++
+       eh = (struct ethhdr *)(txp->data);
+       type = ntohs(eh->h_proto);
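Review bot: The new `if (!ifp)` guard in `brcmf_txfinalize()` frees the skb and returns silently, so nothing in the code says when a NULL `ifp` is legitimate rather than a caller bug. A comment above it such as `/* ifp is NULL when the interface was removed before a flowring still holding an skb is deleted */` would record the detach ordering that the commit message describes. The packet is dropped on this path without the `tx_errors` update that the message places inside this function, so consider whether a debug-level log is wanted here. The remainder of the function is outside the hunk.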