From: Sasha Levin Date: Fri, 20 Jun 2025 13:15:08 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.4.295~128 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=02279d7cda7d1ba869aaeac8155311930f203876;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpi-battery-negate-current-when-discharging.patch b/queue-5.4/acpi-battery-negate-current-when-discharging.patch new file mode 100644 index 0000000000..652323ce7d --- /dev/null +++ b/queue-5.4/acpi-battery-negate-current-when-discharging.patch @@ -0,0 +1,63 @@ +From 4f1e6bffd73119f23ab56bce8fc148aa9d0b4c71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 12:41:45 +1000 +Subject: ACPI: battery: negate current when discharging + +From: Peter Marheine + +[ Upstream commit 234f71555019d308c6bc6f98c78c5551cb8cd56a ] + +The ACPI specification requires that battery rate is always positive, +but the kernel ABI for POWER_SUPPLY_PROP_CURRENT_NOW +(Documentation/ABI/testing/sysfs-class-power) specifies that it should +be negative when a battery is discharging. When reporting CURRENT_NOW, +massage the value to match the documented ABI. + +This only changes the sign of `current_now` and not `power_now` because +documentation doesn't describe any particular meaning for `power_now` so +leaving `power_now` unchanged is less likely to confuse userspace +unnecessarily, whereas becoming consistent with the documented ABI is +worth potentially confusing clients that read `current_now`. + +Signed-off-by: Peter Marheine +Link: https://patch.msgid.link/20250508024146.1436129-1-pmarheine@chromium.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index cf853e985d6d9..a5e120eca7f33 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -266,10 +266,23 @@ static int acpi_battery_get_property(struct power_supply *psy, + break; + case POWER_SUPPLY_PROP_CURRENT_NOW: + case POWER_SUPPLY_PROP_POWER_NOW: +- if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) ++ if (battery->rate_now == ACPI_BATTERY_VALUE_UNKNOWN) { + ret = -ENODEV; +- else +- val->intval = battery->rate_now * 1000; ++ break; ++ } ++ ++ val->intval = battery->rate_now * 1000; ++ /* ++ * When discharging, the current should be reported as a ++ * negative number as per the power supply class interface ++ * definition. ++ */ ++ if (psp == POWER_SUPPLY_PROP_CURRENT_NOW && ++ (battery->state & ACPI_BATTERY_STATE_DISCHARGING) && ++ acpi_battery_handle_discharging(battery) ++ == POWER_SUPPLY_STATUS_DISCHARGING) ++ val->intval = -val->intval; ++ + break; + case POWER_SUPPLY_PROP_CHARGE_FULL_DESIGN: + case POWER_SUPPLY_PROP_ENERGY_FULL_DESIGN: +-- +2.39.5 + diff --git a/queue-5.4/acpica-avoid-sequence-overread-in-call-to-strncmp.patch b/queue-5.4/acpica-avoid-sequence-overread-in-call-to-strncmp.patch new file mode 100644 index 0000000000..2fceee9ec2 --- /dev/null +++ b/queue-5.4/acpica-avoid-sequence-overread-in-call-to-strncmp.patch @@ -0,0 +1,57 @@ +From 1eb58f616b4dbd2bbeffe75daad37a9d45e78401 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 21:30:27 +0200 +Subject: ACPICA: Avoid sequence overread in call to strncmp() + +From: Ahmed Salem + +[ Upstream commit 64b9dfd0776e9c38d733094859a09f13282ce6f8 ] + +ACPICA commit 8b83a8d88dfec59ea147fad35fc6deea8859c58c + +ap_get_table_length() checks if tables are valid by +calling ap_is_valid_header(). The latter then calls +ACPI_VALIDATE_RSDP_SIG(Table->Signature). + +ap_is_valid_header() accepts struct acpi_table_header as an argument, so +the signature size is always fixed to 4 bytes. + +The problem is when the string comparison is between ACPI-defined table +signature and ACPI_SIG_RSDP. Common ACPI table header specifies the +Signature field to be 4 bytes long[1], with the exception of the RSDP +structure whose signature is 8 bytes long "RSD PTR " (including the +trailing blank character)[2]. Calling strncmp(sig, rsdp_sig, 8) would +then result in a sequence overread[3] as sig would be smaller (4 bytes) +than the specified bound (8 bytes). + +As a workaround, pass the bound conditionally based on the size of the +signature being passed. + +Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#system-description-table-header [1] +Link: https://uefi.org/specs/ACPI/6.5_A/05_ACPI_Software_Programming_Model.html#root-system-description-pointer-rsdp-structure [2] +Link: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wstringop-overread [3] +Link: https://github.com/acpica/acpica/commit/8b83a8d8 +Signed-off-by: Ahmed Salem +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/2248233.Mh6RI2rZIc@rjwysocki.net +Signed-off-by: Sasha Levin +--- + include/acpi/actypes.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/acpi/actypes.h b/include/acpi/actypes.h +index ff5fecff51167..f931312cf51a1 100644 +--- a/include/acpi/actypes.h ++++ b/include/acpi/actypes.h +@@ -524,7 +524,7 @@ typedef u64 acpi_integer; + + /* Support for the special RSDP signature (8 characters) */ + +-#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, 8)) ++#define ACPI_VALIDATE_RSDP_SIG(a) (!strncmp (ACPI_CAST_PTR (char, (a)), ACPI_SIG_RSDP, (sizeof(a) < 8) ? ACPI_NAMESEG_SIZE : 8)) + #define ACPI_MAKE_RSDP_SIG(dest) (memcpy (ACPI_CAST_PTR (char, (dest)), ACPI_SIG_RSDP, 8)) + + /* Support for OEMx signature (x can be any character) */ +-- +2.39.5 + diff --git a/queue-5.4/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch b/queue-5.4/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch new file mode 100644 index 0000000000..13df238ffc --- /dev/null +++ b/queue-5.4/acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch @@ -0,0 +1,110 @@ +From b5e478764e2a039940476f16fe4924ca284505c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 21:05:24 +0100 +Subject: ACPICA: fix acpi operand cache leak in dswstate.c + +From: Seunghun Han + +[ Upstream commit 156fd20a41e776bbf334bd5e45c4f78dfc90ce1c ] + +ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 + +I found an ACPI cache leak in ACPI early termination and boot continuing case. + +When early termination occurs due to malicious ACPI table, Linux kernel +terminates ACPI function and continues to boot process. While kernel terminates +ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. + +Boot log of ACPI operand cache leak is as follows: +>[ 0.585957] ACPI: Added _OSI(Module Device) +>[ 0.587218] ACPI: Added _OSI(Processor Device) +>[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) +>[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) +>[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) +>[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) +>[ 0.597858] ACPI: Unable to start the ACPI Interpreter +>[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +>[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects +>[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 +>[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 +>[ 0.609177] Call Trace: +>[ 0.610063] ? dump_stack+0x5c/0x81 +>[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 +>[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 +>[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b +>[ 0.619293] ? acpi_terminate+0xa/0x14 +>[ 0.620394] ? acpi_init+0x2af/0x34f +>[ 0.621616] ? __class_create+0x4c/0x80 +>[ 0.623412] ? video_setup+0x7f/0x7f +>[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.625861] ? do_one_initcall+0x4e/0x1a0 +>[ 0.627513] ? kernel_init_freeable+0x19e/0x21f +>[ 0.628972] ? rest_init+0x80/0x80 +>[ 0.630043] ? kernel_init+0xa/0x100 +>[ 0.631084] ? ret_from_fork+0x25/0x30 +>[ 0.633343] vgaarb: loaded +>[ 0.635036] EDAC MC: Ver: 3.0.0 +>[ 0.638601] PCI: Probing PCI hardware +>[ 0.639833] PCI host bridge to bus 0000:00 +>[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] +> ... Continue to boot and log is omitted ... + +I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ +delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() +function uses walk_state->operand_index for start position of the top, but +acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. +Therefore, this causes acpi operand memory leak. + +This cache leak causes a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +I made a patch to fix ACPI operand cache leak. + +Link: https://github.com/acpica/acpica/commit/987a3b5c +Signed-off-by: Seunghun Han +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/4999480.31r3eYUQgx@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsutils.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/dsutils.c b/drivers/acpi/acpica/dsutils.c +index fb9ed5e1da89d..2bdae8a25e084 100644 +--- a/drivers/acpi/acpica/dsutils.c ++++ b/drivers/acpi/acpica/dsutils.c +@@ -668,6 +668,8 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + union acpi_parse_object *arguments[ACPI_OBJ_NUM_OPERANDS]; + u32 arg_count = 0; + u32 index = walk_state->num_operands; ++ u32 prev_num_operands = walk_state->num_operands; ++ u32 new_num_operands; + u32 i; + + ACPI_FUNCTION_TRACE_PTR(ds_create_operands, first_arg); +@@ -696,6 +698,7 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + + /* Create the interpreter arguments, in reverse order */ + ++ new_num_operands = index; + index--; + for (i = 0; i < arg_count; i++) { + arg = arguments[index]; +@@ -720,7 +723,11 @@ acpi_ds_create_operands(struct acpi_walk_state *walk_state, + * pop everything off of the operand stack and delete those + * objects + */ +- acpi_ds_obj_stack_pop_and_delete(arg_count, walk_state); ++ walk_state->num_operands = i; ++ acpi_ds_obj_stack_pop_and_delete(new_num_operands, walk_state); ++ ++ /* Restore operand count */ ++ walk_state->num_operands = prev_num_operands; + + ACPI_EXCEPTION((AE_INFO, status, "While creating Arg %u", index)); + return_ACPI_STATUS(status); +-- +2.39.5 + diff --git a/queue-5.4/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch b/queue-5.4/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch new file mode 100644 index 0000000000..343f39d2c9 --- /dev/null +++ b/queue-5.4/acpica-fix-acpi-parse-and-parseext-cache-leaks.patch @@ -0,0 +1,236 @@ +From 583c858d3f9ecbdd26248589c334e1b0b2f39604 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 21:06:21 +0100 +Subject: ACPICA: fix acpi parse and parseext cache leaks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Seunghun Han + +[ Upstream commit bed18f0bdcd6737a938264a59d67923688696fc4 ] + +ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 + +I'm Seunghun Han, and I work for National Security Research Institute of +South Korea. + +I have been doing a research on ACPI and found an ACPI cache leak in ACPI +early abort cases. + +Boot log of ACPI cache leak is as follows: +[ 0.352414] ACPI: Added _OSI(Module Device) +[ 0.353182] ACPI: Added _OSI(Processor Device) +[ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions) +[ 0.353182] ACPI: Added _OSI(Processor Aggregator Device) +[ 0.356028] ACPI: Unable to start the ACPI Interpreter +[ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +[ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects +[ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #10 +[ 0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.361873] Call Trace: +[ 0.362243] ? dump_stack+0x5c/0x81 +[ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.362944] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.363296] ? acpi_os_delete_cache+0xa/0x10 +[ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b +[ 0.364000] ? acpi_terminate+0xa/0x14 +[ 0.364000] ? acpi_init+0x2af/0x34f +[ 0.364000] ? __class_create+0x4c/0x80 +[ 0.364000] ? video_setup+0x7f/0x7f +[ 0.364000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.364000] ? do_one_initcall+0x4e/0x1a0 +[ 0.364000] ? kernel_init_freeable+0x189/0x20a +[ 0.364000] ? rest_init+0xc0/0xc0 +[ 0.364000] ? kernel_init+0xa/0x100 +[ 0.364000] ? ret_from_fork+0x25/0x30 + +I analyzed this memory leak in detail. I found that “Acpi-State” cache and +“Acpi-Parse” cache were merged because the size of cache objects was same +slab cache size. + +I finally found “Acpi-Parse” cache and “Acpi-parse_ext” cache were leaked +using SLAB_NEVER_MERGE flag in kmem_cache_create() function. + +Real ACPI cache leak point is as follows: +[ 0.360101] ACPI: Added _OSI(Module Device) +[ 0.360101] ACPI: Added _OSI(Processor Device) +[ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions) +[ 0.361043] ACPI: Added _OSI(Processor Aggregator Device) +[ 0.364016] ACPI: Unable to start the ACPI Interpreter +[ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) +[ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects +[ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #8 +[ 0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.372000] Call Trace: +[ 0.372000] ? dump_stack+0x5c/0x81 +[ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.372000] ? acpi_os_delete_cache+0xa/0x10 +[ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b +[ 0.372000] ? acpi_terminate+0xa/0x14 +[ 0.372000] ? acpi_init+0x2af/0x34f +[ 0.372000] ? __class_create+0x4c/0x80 +[ 0.372000] ? video_setup+0x7f/0x7f +[ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.372000] ? do_one_initcall+0x4e/0x1a0 +[ 0.372000] ? kernel_init_freeable+0x189/0x20a +[ 0.372000] ? rest_init+0xc0/0xc0 +[ 0.372000] ? kernel_init+0xa/0x100 +[ 0.372000] ? ret_from_fork+0x25/0x30 +[ 0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects +[ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W +4.12.0-rc4-next-20170608+ #8 +[ 0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS +virtual_box 12/01/2006 +[ 0.392000] Call Trace: +[ 0.392000] ? dump_stack+0x5c/0x81 +[ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0 +[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.392000] ? acpi_os_delete_cache+0xa/0x10 +[ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b +[ 0.392000] ? acpi_terminate+0xa/0x14 +[ 0.392000] ? acpi_init+0x2af/0x34f +[ 0.392000] ? __class_create+0x4c/0x80 +[ 0.392000] ? video_setup+0x7f/0x7f +[ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 +[ 0.392000] ? do_one_initcall+0x4e/0x1a0 +[ 0.392000] ? kernel_init_freeable+0x189/0x20a +[ 0.392000] ? rest_init+0xc0/0xc0 +[ 0.392000] ? kernel_init+0xa/0x100 +[ 0.392000] ? ret_from_fork+0x25/0x30 + +When early abort is occurred due to invalid ACPI information, Linux kernel +terminates ACPI by calling acpi_terminate() function. The function calls +acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_ +cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache). + +But the deletion codes in acpi_ut_delete_caches() function only delete +slab caches using kmem_cache_destroy() function, therefore the cache +objects should be flushed before acpi_ut_delete_caches() function. + +"Acpi-Parse" cache and "Acpi-ParseExt" cache are used in an AML parse +function, acpi_ps_parse_loop(). The function should complete all ops +using acpi_ps_complete_final_op() when an error occurs due to invalid +AML codes. +However, the current implementation of acpi_ps_complete_final_op() does not +complete all ops when it meets some errors and this cause cache leak. + +This cache leak has a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +To fix ACPI cache leak for enhancing security, I made a patch to complete all +ops unconditionally for acpi_ps_complete_final_op() function. + +I hope that this patch improves the security of Linux kernel. + +Thank you. + +Link: https://github.com/acpica/acpica/commit/8829e70e +Signed-off-by: Seunghun Han +Signed-off-by: Rafael J. Wysocki +Link: https://patch.msgid.link/2363774.ElGaqSPkdT@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/psobject.c | 52 ++++++++++------------------------ + 1 file changed, 15 insertions(+), 37 deletions(-) + +diff --git a/drivers/acpi/acpica/psobject.c b/drivers/acpi/acpica/psobject.c +index 98e5c7400e547..3ea26bbd534df 100644 +--- a/drivers/acpi/acpica/psobject.c ++++ b/drivers/acpi/acpica/psobject.c +@@ -639,7 +639,8 @@ acpi_status + acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + union acpi_parse_object *op, acpi_status status) + { +- acpi_status status2; ++ acpi_status return_status = status; ++ u8 ascending = TRUE; + + ACPI_FUNCTION_TRACE_PTR(ps_complete_final_op, walk_state); + +@@ -653,7 +654,7 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + op)); + do { + if (op) { +- if (walk_state->ascending_callback != NULL) { ++ if (ascending && walk_state->ascending_callback != NULL) { + walk_state->op = op; + walk_state->op_info = + acpi_ps_get_opcode_info(op->common. +@@ -675,49 +676,26 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + } + + if (status == AE_CTRL_TERMINATE) { +- status = AE_OK; +- +- /* Clean up */ +- do { +- if (op) { +- status2 = +- acpi_ps_complete_this_op +- (walk_state, op); +- if (ACPI_FAILURE +- (status2)) { +- return_ACPI_STATUS +- (status2); +- } +- } +- +- acpi_ps_pop_scope(& +- (walk_state-> +- parser_state), +- &op, +- &walk_state-> +- arg_types, +- &walk_state-> +- arg_count); +- +- } while (op); +- +- return_ACPI_STATUS(status); ++ ascending = FALSE; ++ return_status = AE_CTRL_TERMINATE; + } + + else if (ACPI_FAILURE(status)) { + + /* First error is most important */ + +- (void) +- acpi_ps_complete_this_op(walk_state, +- op); +- return_ACPI_STATUS(status); ++ ascending = FALSE; ++ return_status = status; + } + } + +- status2 = acpi_ps_complete_this_op(walk_state, op); +- if (ACPI_FAILURE(status2)) { +- return_ACPI_STATUS(status2); ++ status = acpi_ps_complete_this_op(walk_state, op); ++ if (ACPI_FAILURE(status)) { ++ ascending = FALSE; ++ if (ACPI_SUCCESS(return_status) || ++ return_status == AE_CTRL_TERMINATE) { ++ return_status = status; ++ } + } + } + +@@ -727,5 +705,5 @@ acpi_ps_complete_final_op(struct acpi_walk_state *walk_state, + + } while (op); + +- return_ACPI_STATUS(status); ++ return_ACPI_STATUS(return_status); + } +-- +2.39.5 + diff --git a/queue-5.4/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch b/queue-5.4/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch new file mode 100644 index 0000000000..8be4a6e80e --- /dev/null +++ b/queue-5.4/arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch @@ -0,0 +1,87 @@ +From 0e753780db62ad40197eaed32c43331cbfc4ec80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 16:00:39 -0700 +Subject: ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY + +From: Sukrut Bellary + +[ Upstream commit 47fe74098f3dadba2f9cc1e507d813a4aa93f5f3 ] + +Don't put the l4ls clk domain to sleep in case of standby. +Since CM3 PM FW[1](ti-v4.1.y) doesn't wake-up/enable the l4ls clk domain +upon wake-up, CM3 PM FW fails to wake-up the MPU. + +[1] https://git.ti.com/cgit/processor-firmware/ti-amx3-cm3-pm-firmware/ + +Signed-off-by: Sukrut Bellary +Tested-by: Judith Mendez +Link: https://lore.kernel.org/r/20250318230042.3138542-2-sbellary@baylibre.com +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/clockdomain.h | 1 + + arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +- + arch/arm/mach-omap2/cm33xx.c | 14 +++++++++++++- + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mach-omap2/clockdomain.h b/arch/arm/mach-omap2/clockdomain.h +index 68550b23c938d..eb6ca2ea80679 100644 +--- a/arch/arm/mach-omap2/clockdomain.h ++++ b/arch/arm/mach-omap2/clockdomain.h +@@ -48,6 +48,7 @@ + #define CLKDM_NO_AUTODEPS (1 << 4) + #define CLKDM_ACTIVE_WITH_MPU (1 << 5) + #define CLKDM_MISSING_IDLE_REPORTING (1 << 6) ++#define CLKDM_STANDBY_FORCE_WAKEUP BIT(7) + + #define CLKDM_CAN_HWSUP (CLKDM_CAN_ENABLE_AUTO | CLKDM_CAN_DISABLE_AUTO) + #define CLKDM_CAN_SWSUP (CLKDM_CAN_FORCE_SLEEP | CLKDM_CAN_FORCE_WAKEUP) +diff --git a/arch/arm/mach-omap2/clockdomains33xx_data.c b/arch/arm/mach-omap2/clockdomains33xx_data.c +index 32c90fd9eba26..3303c41dcefe8 100644 +--- a/arch/arm/mach-omap2/clockdomains33xx_data.c ++++ b/arch/arm/mach-omap2/clockdomains33xx_data.c +@@ -27,7 +27,7 @@ static struct clockdomain l4ls_am33xx_clkdm = { + .pwrdm = { .name = "per_pwrdm" }, + .cm_inst = AM33XX_CM_PER_MOD, + .clkdm_offs = AM33XX_CM_PER_L4LS_CLKSTCTRL_OFFSET, +- .flags = CLKDM_CAN_SWSUP, ++ .flags = CLKDM_CAN_SWSUP | CLKDM_STANDBY_FORCE_WAKEUP, + }; + + static struct clockdomain l3s_am33xx_clkdm = { +diff --git a/arch/arm/mach-omap2/cm33xx.c b/arch/arm/mach-omap2/cm33xx.c +index 084d454f60748..430a9de563a4e 100644 +--- a/arch/arm/mach-omap2/cm33xx.c ++++ b/arch/arm/mach-omap2/cm33xx.c +@@ -28,6 +28,9 @@ + #include "cm-regbits-34xx.h" + #include "cm-regbits-33xx.h" + #include "prm33xx.h" ++#if IS_ENABLED(CONFIG_SUSPEND) ++#include ++#endif + + /* + * CLKCTRL_IDLEST_*: possible values for the CM_*_CLKCTRL.IDLEST bitfield: +@@ -336,8 +339,17 @@ static int am33xx_clkdm_clk_disable(struct clockdomain *clkdm) + { + bool hwsup = false; + ++#if IS_ENABLED(CONFIG_SUSPEND) ++ /* ++ * In case of standby, Don't put the l4ls clk domain to sleep. ++ * Since CM3 PM FW doesn't wake-up/enable the l4ls clk domain ++ * upon wake-up, CM3 PM FW fails to wake-up th MPU. ++ */ ++ if (pm_suspend_target_state == PM_SUSPEND_STANDBY && ++ (clkdm->flags & CLKDM_STANDBY_FORCE_WAKEUP)) ++ return 0; ++#endif + hwsup = am33xx_cm_is_clkdm_in_hwsup(clkdm->cm_inst, clkdm->clkdm_offs); +- + if (!hwsup && (clkdm->flags & CLKDM_CAN_FORCE_SLEEP)) + am33xx_clkdm_sleep(clkdm); + +-- +2.39.5 + diff --git a/queue-5.4/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch b/queue-5.4/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch new file mode 100644 index 0000000000..6d260a16fe --- /dev/null +++ b/queue-5.4/bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch @@ -0,0 +1,40 @@ +From 72a2fd600cf76bea91612827dfc8db26841beeae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 13:58:14 +0300 +Subject: bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value + +From: Laurentiu Tudor + +[ Upstream commit 23d060136841c58c2f9ee8c08ad945d1879ead4b ] + +In case the MC firmware runs in debug mode with extensive prints pushed +to the console, the current timeout of 500ms is not enough. +Increase the timeout value so that we don't have any chance of wrongly +assuming that the firmware is not responding when it's just taking more +time. + +Signed-off-by: Laurentiu Tudor +Signed-off-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20250408105814.2837951-7-ioana.ciornei@nxp.com +Signed-off-by: Christophe Leroy +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/mc-sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bus/fsl-mc/mc-sys.c b/drivers/bus/fsl-mc/mc-sys.c +index 3221a7fbaf0ad..24307ed59d777 100644 +--- a/drivers/bus/fsl-mc/mc-sys.c ++++ b/drivers/bus/fsl-mc/mc-sys.c +@@ -19,7 +19,7 @@ + /** + * Timeout in milliseconds to wait for the completion of an MC command + */ +-#define MC_CMD_COMPLETION_TIMEOUT_MS 500 ++#define MC_CMD_COMPLETION_TIMEOUT_MS 15000 + + /* + * usleep_range() min and max values used to throttle down polling +-- +2.39.5 + diff --git a/queue-5.4/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch b/queue-5.4/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch new file mode 100644 index 0000000000..bfe8e7f308 --- /dev/null +++ b/queue-5.4/clk-rockchip-rk3036-mark-ddrphy-as-critical.patch @@ -0,0 +1,37 @@ +From ba52643e5d6d72532dd34599e86f037d5c9c0d4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 May 2025 22:25:31 +0200 +Subject: clk: rockchip: rk3036: mark ddrphy as critical + +From: Heiko Stuebner + +[ Upstream commit 596a977b34a722c00245801a5774aa79cec4e81d ] + +The ddrphy is supplied by the dpll, but due to the limited number of PLLs +on the rk3036, the dpll also is used for other periperhals, like the GPU. + +So it happened, when the Lima driver turned off the gpu clock, this in +turn also disabled the dpll and thus the ram. + +Signed-off-by: Heiko Stuebner +Link: https://lore.kernel.org/r/20250503202532.992033-4-heiko@sntech.de +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3036.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/rockchip/clk-rk3036.c b/drivers/clk/rockchip/clk-rk3036.c +index 6a46f85ad8372..4a8c72d995735 100644 +--- a/drivers/clk/rockchip/clk-rk3036.c ++++ b/drivers/clk/rockchip/clk-rk3036.c +@@ -429,6 +429,7 @@ static const char *const rk3036_critical_clocks[] __initconst = { + "hclk_peri", + "pclk_peri", + "pclk_ddrupctl", ++ "ddrphy", + }; + + static void __init rk3036_clk_init(struct device_node *np) +-- +2.39.5 + diff --git a/queue-5.4/cpufreq-force-sync-policy-boost-with-global-boost-on.patch b/queue-5.4/cpufreq-force-sync-policy-boost-with-global-boost-on.patch new file mode 100644 index 0000000000..0f3317698e --- /dev/null +++ b/queue-5.4/cpufreq-force-sync-policy-boost-with-global-boost-on.patch @@ -0,0 +1,45 @@ +From 89035a3253b77c19a1af2e39c8751639a7c2c73f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 21:50:18 +0530 +Subject: cpufreq: Force sync policy boost with global boost on sysfs update + +From: Viresh Kumar + +[ Upstream commit 121baab7b88ed865532dadb7ef1aee6e2bea86f5 ] + +If the global boost flag is enabled and policy boost flag is disabled, a +call to `cpufreq_boost_trigger_state(true)` must enable the policy's +boost state. + +The current code misses that because of an optimization. Fix it. + +Suggested-by: Lifeng Zheng +Reviewed-by: Lifeng Zheng +Signed-off-by: Viresh Kumar +Link: https://patch.msgid.link/852ff11c589e6300730d207baac195b2d9d8b95f.1745511526.git.viresh.kumar@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 09510ff16ee2f..2a2fea6743aa6 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2580,8 +2580,10 @@ int cpufreq_boost_trigger_state(int state) + unsigned long flags; + int ret = 0; + +- if (cpufreq_driver->boost_enabled == state) +- return 0; ++ /* ++ * Don't compare 'cpufreq_driver->boost_enabled' with 'state' here to ++ * make sure all policies are in sync with global boost flag. ++ */ + + write_lock_irqsave(&cpufreq_driver_lock, flags); + cpufreq_driver->boost_enabled = state; +-- +2.39.5 + diff --git a/queue-5.4/drm-amd-display-add-null-pointer-checks-in-dm_force_.patch b/queue-5.4/drm-amd-display-add-null-pointer-checks-in-dm_force_.patch new file mode 100644 index 0000000000..b47e9bb4d9 --- /dev/null +++ b/queue-5.4/drm-amd-display-add-null-pointer-checks-in-dm_force_.patch @@ -0,0 +1,82 @@ +From 8f6f0c5f78a0105512276d0b8c605ed1d91d8c53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 00:57:19 +0530 +Subject: drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() + +From: Srinivasan Shanmugam + +[ Upstream commit 3f397cd203f247879c2f1a061e90d4c8d23655de ] + +This commit updates the dm_force_atomic_commit function to replace the +usage of PTR_ERR_OR_ZERO with IS_ERR for checking error states after +retrieving the Connector (drm_atomic_get_connector_state), CRTC +(drm_atomic_get_crtc_state), and Plane (drm_atomic_get_plane_state) +states. + +The function utilized PTR_ERR_OR_ZERO for error checking. However, this +approach is inappropriate in this context because the respective +functions do not return NULL; they return pointers that encode errors. + +This change ensures that error pointers are properly checked using +IS_ERR before attempting to dereference. + +Cc: Harry Wentland +Cc: Nicholas Kazlauskas +Cc: Tom Chung +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Aurabindo Pillai +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 869b38908b28d..e6aa17052aa1d 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -6505,16 +6505,20 @@ static int dm_force_atomic_commit(struct drm_connector *connector) + */ + conn_state = drm_atomic_get_connector_state(state, connector); + +- ret = PTR_ERR_OR_ZERO(conn_state); +- if (ret) ++ /* Check for error in getting connector state */ ++ if (IS_ERR(conn_state)) { ++ ret = PTR_ERR(conn_state); + goto out; ++ } + + /* Attach crtc to drm_atomic_state*/ + crtc_state = drm_atomic_get_crtc_state(state, &disconnected_acrtc->base); + +- ret = PTR_ERR_OR_ZERO(crtc_state); +- if (ret) ++ /* Check for error in getting crtc state */ ++ if (IS_ERR(crtc_state)) { ++ ret = PTR_ERR(crtc_state); + goto out; ++ } + + /* force a restore */ + crtc_state->mode_changed = true; +@@ -6522,9 +6526,11 @@ static int dm_force_atomic_commit(struct drm_connector *connector) + /* Attach plane to drm_atomic_state */ + plane_state = drm_atomic_get_plane_state(state, plane); + +- ret = PTR_ERR_OR_ZERO(plane_state); +- if (ret) ++ /* Check for error in getting plane state */ ++ if (IS_ERR(plane_state)) { ++ ret = PTR_ERR(plane_state); + goto out; ++ } + + /* Call commit internally with the state we just constructed */ + ret = drm_atomic_commit(state); +-- +2.39.5 + diff --git a/queue-5.4/drm-amdgpu-gfx10-fix-csib-handling.patch b/queue-5.4/drm-amdgpu-gfx10-fix-csib-handling.patch new file mode 100644 index 0000000000..79d42b0d92 --- /dev/null +++ b/queue-5.4/drm-amdgpu-gfx10-fix-csib-handling.patch @@ -0,0 +1,35 @@ +From 3d38fdca19c54a923525d6a31edd2c0f38eba4f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 11:58:03 -0400 +Subject: drm/amdgpu/gfx10: fix CSIB handling + +From: Alex Deucher + +[ Upstream commit 683308af030cd9b8d3f1de5cbc1ee51788878feb ] + +We shouldn't return after the last section. +We need to update the rest of the CSIB. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +index a84deb3c79a30..44380923b01c8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c +@@ -944,8 +944,6 @@ static void gfx_v10_0_get_csb_buffer(struct amdgpu_device *adev, + PACKET3_SET_CONTEXT_REG_START); + for (i = 0; i < ext->reg_count; i++) + buffer[count++] = cpu_to_le32(ext->extent[i]); +- } else { +- return; + } + } + } +-- +2.39.5 + diff --git a/queue-5.4/drm-amdgpu-gfx6-fix-csib-handling.patch b/queue-5.4/drm-amdgpu-gfx6-fix-csib-handling.patch new file mode 100644 index 0000000000..34a3c7ce23 --- /dev/null +++ b/queue-5.4/drm-amdgpu-gfx6-fix-csib-handling.patch @@ -0,0 +1,35 @@ +From 763ab936e903d329a3cadeb935beeede868920e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 11:56:02 -0400 +Subject: drm/amdgpu/gfx6: fix CSIB handling + +From: Alex Deucher + +[ Upstream commit 8307ebc15c1ea98a8a0b7837af1faa6c01514577 ] + +We shouldn't return after the last section. +We need to update the rest of the CSIB. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c +index 7f0a63628c43a..eac329fe27902 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c +@@ -2901,8 +2901,6 @@ static void gfx_v6_0_get_csb_buffer(struct amdgpu_device *adev, + buffer[count++] = cpu_to_le32(ext->reg_index - 0xa000); + for (i = 0; i < ext->reg_count; i++) + buffer[count++] = cpu_to_le32(ext->extent[i]); +- } else { +- return; + } + } + } +-- +2.39.5 + diff --git a/queue-5.4/drm-amdgpu-gfx7-fix-csib-handling.patch b/queue-5.4/drm-amdgpu-gfx7-fix-csib-handling.patch new file mode 100644 index 0000000000..43da6217c6 --- /dev/null +++ b/queue-5.4/drm-amdgpu-gfx7-fix-csib-handling.patch @@ -0,0 +1,35 @@ +From 1b388e22eb48fac1eb37e9975ce9e9e5d3bbbcd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 11:57:19 -0400 +Subject: drm/amdgpu/gfx7: fix CSIB handling + +From: Alex Deucher + +[ Upstream commit be7652c23d833d1ab2c67b16e173b1a4e69d1ae6 ] + +We shouldn't return after the last section. +We need to update the rest of the CSIB. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c +index d92e92e5d50b7..c1c3fb4d283d7 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c +@@ -3992,8 +3992,6 @@ static void gfx_v7_0_get_csb_buffer(struct amdgpu_device *adev, + buffer[count++] = cpu_to_le32(ext->reg_index - PACKET3_SET_CONTEXT_REG_START); + for (i = 0; i < ext->reg_count; i++) + buffer[count++] = cpu_to_le32(ext->extent[i]); +- } else { +- return; + } + } + } +-- +2.39.5 + diff --git a/queue-5.4/drm-amdgpu-gfx8-fix-csib-handling.patch b/queue-5.4/drm-amdgpu-gfx8-fix-csib-handling.patch new file mode 100644 index 0000000000..9a49f28494 --- /dev/null +++ b/queue-5.4/drm-amdgpu-gfx8-fix-csib-handling.patch @@ -0,0 +1,35 @@ +From 240084e0f9e34ef2e0e621459936b33f90445e6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 11:57:34 -0400 +Subject: drm/amdgpu/gfx8: fix CSIB handling + +From: Alex Deucher + +[ Upstream commit c8b8d7a4f1c5cdfbd61d75302fb3e3cdefb1a7ab ] + +We shouldn't return after the last section. +We need to update the rest of the CSIB. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +index 467ed7fca884d..79347df0620d0 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +@@ -1267,8 +1267,6 @@ static void gfx_v8_0_get_csb_buffer(struct amdgpu_device *adev, + PACKET3_SET_CONTEXT_REG_START); + for (i = 0; i < ext->reg_count; i++) + buffer[count++] = cpu_to_le32(ext->extent[i]); +- } else { +- return; + } + } + } +-- +2.39.5 + diff --git a/queue-5.4/drm-amdgpu-gfx9-fix-csib-handling.patch b/queue-5.4/drm-amdgpu-gfx9-fix-csib-handling.patch new file mode 100644 index 0000000000..0aa77cf2ca --- /dev/null +++ b/queue-5.4/drm-amdgpu-gfx9-fix-csib-handling.patch @@ -0,0 +1,35 @@ +From a2996e0eed370c0211833b2d9e98ae1a253c201f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 11:57:49 -0400 +Subject: drm/amdgpu/gfx9: fix CSIB handling + +From: Alex Deucher + +[ Upstream commit a4a4c0ae6742ec7d6bf1548d2c6828de440814a0 ] + +We shouldn't return after the last section. +We need to update the rest of the CSIB. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +index 4eba6b2d9cdec..3e2fe8f2ccae3 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -1472,8 +1472,6 @@ static void gfx_v9_0_get_csb_buffer(struct amdgpu_device *adev, + PACKET3_SET_CONTEXT_REG_START); + for (i = 0; i < ext->reg_count; i++) + buffer[count++] = cpu_to_le32(ext->extent[i]); +- } else { +- return; + } + } + } +-- +2.39.5 + diff --git a/queue-5.4/drm-amdkfd-set-sdma_rlcx_ib_cntl-switch_inside_ib.patch b/queue-5.4/drm-amdkfd-set-sdma_rlcx_ib_cntl-switch_inside_ib.patch new file mode 100644 index 0000000000..5e0759edd5 --- /dev/null +++ b/queue-5.4/drm-amdkfd-set-sdma_rlcx_ib_cntl-switch_inside_ib.patch @@ -0,0 +1,39 @@ +From ab08a32d1fbe78d8e0fb2e40116a81a3c4723f44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Apr 2025 15:54:19 -0400 +Subject: drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB + +From: Amber Lin + +[ Upstream commit ab9fcc6362e0699fc1150aa1d8503c40fce2c1e1 ] + +When submitting MQD to CP, set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB bit so +it'll allow SDMA preemption if there is a massive command buffer of +long-running SDMA commands. + +Signed-off-by: Amber Lin +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +index d978fcac26651..4110cdc71f045 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c +@@ -387,6 +387,10 @@ static void update_mqd_sdma(struct mqd_manager *mm, void *mqd, + m->sdma_engine_id = q->sdma_engine_id; + m->sdma_queue_id = q->sdma_queue_id; + m->sdmax_rlcx_dummy_reg = SDMA_RLC_DUMMY_DEFAULT; ++ /* Allow context switch so we don't cross-process starve with a massive ++ * command buffer of long-running SDMA commands ++ */ ++ m->sdmax_rlcx_ib_cntl |= SDMA0_GFX_IB_CNTL__SWITCH_INSIDE_IB_MASK; + + q->is_active = QUEUE_IS_ACTIVE(*q); + } +-- +2.39.5 + diff --git a/queue-5.4/drm-bridge-analogix_dp-add-irq-flag-irqf_no_autoen-i.patch b/queue-5.4/drm-bridge-analogix_dp-add-irq-flag-irqf_no_autoen-i.patch new file mode 100644 index 0000000000..a05b797433 --- /dev/null +++ b/queue-5.4/drm-bridge-analogix_dp-add-irq-flag-irqf_no_autoen-i.patch @@ -0,0 +1,54 @@ +From 54ec61b21d302db79bb70d15150ebff299c13a9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 18:41:02 +0800 +Subject: drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of + calling disable_irq() + +From: Damon Ding + +[ Upstream commit efab13e7d13a641a22c7508cde6e1a5285161944 ] + +The IRQF_NO_AUTOEN can be used for the drivers that don't want +interrupts to be enabled automatically via devm_request_threaded_irq(). +Using this flag can provide be more robust compared to the way of +calling disable_irq() after devm_request_threaded_irq() without the +IRQF_NO_AUTOEN flag. + +Suggested-by: Douglas Anderson +Reviewed-by: Douglas Anderson +Signed-off-by: Damon Ding +Link: https://lore.kernel.org/r/20250310104114.2608063-2-damon.ding@rock-chips.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c +index df606a5675663..234c0bd38e851 100644 +--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c ++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c +@@ -1735,10 +1735,10 @@ analogix_dp_probe(struct device *dev, struct analogix_dp_plat_data *plat_data) + * that we can get the current state of the GPIO. + */ + dp->irq = gpiod_to_irq(dp->hpd_gpiod); +- irq_flags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; ++ irq_flags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_NO_AUTOEN; + } else { + dp->irq = platform_get_irq(pdev, 0); +- irq_flags = 0; ++ irq_flags = IRQF_NO_AUTOEN; + } + + if (dp->irq == -ENXIO) { +@@ -1755,7 +1755,6 @@ analogix_dp_probe(struct device *dev, struct analogix_dp_plat_data *plat_data) + dev_err(&pdev->dev, "failed to request irq\n"); + goto err_disable_clk; + } +- disable_irq(dp->irq); + + return dp; + +-- +2.39.5 + diff --git a/queue-5.4/drm-msm-a6xx-increase-hfi-response-timeout.patch b/queue-5.4/drm-msm-a6xx-increase-hfi-response-timeout.patch new file mode 100644 index 0000000000..96457a334f --- /dev/null +++ b/queue-5.4/drm-msm-a6xx-increase-hfi-response-timeout.patch @@ -0,0 +1,39 @@ +From 1a4c8fc298dc7b62e66008f9b8869e4526b25f7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Apr 2025 20:21:31 +0530 +Subject: drm/msm/a6xx: Increase HFI response timeout + +From: Akhil P Oommen + +[ Upstream commit 5f02f5e78ec9688e29b6857813185b1181796abe ] + +When ACD feature is enabled, it triggers some internal calibrations +which result in a pretty long delay during the first HFI perf vote. +So, increase the HFI response timeout to match the downstream driver. + +Signed-off-by: Akhil P Oommen +Tested-by: Maya Matuszczyk +Tested-by: Anthony Ruhier +Patchwork: https://patchwork.freedesktop.org/patch/649344/ +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_hfi.c b/drivers/gpu/drm/msm/adreno/a6xx_hfi.c +index eda11abc5f011..d437196225457 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_hfi.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_hfi.c +@@ -88,7 +88,7 @@ static int a6xx_hfi_wait_for_ack(struct a6xx_gmu *gmu, u32 id, u32 seqnum, + + /* Wait for a response */ + ret = gmu_poll_timeout(gmu, REG_A6XX_GMU_GMU2HOST_INTR_INFO, val, +- val & A6XX_GMU_GMU2HOST_INTR_INFO_MSGQ, 100, 5000); ++ val & A6XX_GMU_GMU2HOST_INTR_INFO_MSGQ, 100, 1000000); + + if (ret) { + DRM_DEV_ERROR(gmu->dev, +-- +2.39.5 + diff --git a/queue-5.4/drm-msm-hdmi-add-runtime-pm-calls-to-ddc-transfer-fu.patch b/queue-5.4/drm-msm-hdmi-add-runtime-pm-calls-to-ddc-transfer-fu.patch new file mode 100644 index 0000000000..fb5c62cc90 --- /dev/null +++ b/queue-5.4/drm-msm-hdmi-add-runtime-pm-calls-to-ddc-transfer-fu.patch @@ -0,0 +1,70 @@ +From a164188a8d3d60ff4066ccc0e810e1c977893b88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 03:14:52 +0300 +Subject: drm/msm/hdmi: add runtime PM calls to DDC transfer function + +From: Dmitry Baryshkov + +[ Upstream commit 531b4e2c206e5f7dead04d9da84dfa693ac57481 ] + +We must be sure that the HDMI controller is powered on, while performing +the DDC transfer. Add corresponding runtime PM calls to +msm_hdmi_i2c_xfer(). + +Reviewed-by: Jessica Zhang +Signed-off-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/651727/ +Link: https://lore.kernel.org/r/20250505-fd-hdmi-hpd-v5-8-48541f76318c@oss.qualcomm.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/hdmi/hdmi_i2c.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/hdmi/hdmi_i2c.c b/drivers/gpu/drm/msm/hdmi/hdmi_i2c.c +index de182c0048434..9c78c6c528bea 100644 +--- a/drivers/gpu/drm/msm/hdmi/hdmi_i2c.c ++++ b/drivers/gpu/drm/msm/hdmi/hdmi_i2c.c +@@ -107,11 +107,15 @@ static int msm_hdmi_i2c_xfer(struct i2c_adapter *i2c, + if (num == 0) + return num; + ++ ret = pm_runtime_resume_and_get(&hdmi->pdev->dev); ++ if (ret) ++ return ret; ++ + init_ddc(hdmi_i2c); + + ret = ddc_clear_irq(hdmi_i2c); + if (ret) +- return ret; ++ goto fail; + + for (i = 0; i < num; i++) { + struct i2c_msg *p = &msgs[i]; +@@ -169,7 +173,7 @@ static int msm_hdmi_i2c_xfer(struct i2c_adapter *i2c, + hdmi_read(hdmi, REG_HDMI_DDC_SW_STATUS), + hdmi_read(hdmi, REG_HDMI_DDC_HW_STATUS), + hdmi_read(hdmi, REG_HDMI_DDC_INT_CTRL)); +- return ret; ++ goto fail; + } + + ddc_status = hdmi_read(hdmi, REG_HDMI_DDC_SW_STATUS); +@@ -202,7 +206,13 @@ static int msm_hdmi_i2c_xfer(struct i2c_adapter *i2c, + } + } + ++ pm_runtime_put(&hdmi->pdev->dev); ++ + return i; ++ ++fail: ++ pm_runtime_put(&hdmi->pdev->dev); ++ return ret; + } + + static u32 msm_hdmi_i2c_func(struct i2c_adapter *adapter) +-- +2.39.5 + diff --git a/queue-5.4/emulex-benet-correct-command-version-selection-in-be.patch b/queue-5.4/emulex-benet-correct-command-version-selection-in-be.patch new file mode 100644 index 0000000000..86d1a529e3 --- /dev/null +++ b/queue-5.4/emulex-benet-correct-command-version-selection-in-be.patch @@ -0,0 +1,39 @@ +From a572e08a4554c38cc56a1d64cb73b3cb4f7e04a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 May 2025 07:17:19 -0700 +Subject: emulex/benet: correct command version selection in be_cmd_get_stats() + +From: Alok Tiwari + +[ Upstream commit edb888d29748cee674006a52e544925dacc7728e ] + +Logic here always sets hdr->version to 2 if it is not a BE3 or Lancer chip, +even if it is BE2. Use 'else if' to prevent multiple assignments, setting +version 0 for BE2, version 1 for BE3 and Lancer, and version 2 for others. +Fixes potential incorrect version setting when BE2_chip and +BE3_chip/lancer_chip checks could both be true. + +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250519141731.691136-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index 9812a9a5d033b..d9bceb26f4e5b 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -1608,7 +1608,7 @@ int be_cmd_get_stats(struct be_adapter *adapter, struct be_dma_mem *nonemb_cmd) + /* version 1 of the cmd is not supported only by BE2 */ + if (BE2_chip(adapter)) + hdr->version = 0; +- if (BE3_chip(adapter) || lancer_chip(adapter)) ++ else if (BE3_chip(adapter) || lancer_chip(adapter)) + hdr->version = 1; + else + hdr->version = 2; +-- +2.39.5 + diff --git a/queue-5.4/gpio-pxa-make-irq_chip-immutable.patch b/queue-5.4/gpio-pxa-make-irq_chip-immutable.patch new file mode 100644 index 0000000000..7aee16c8a4 --- /dev/null +++ b/queue-5.4/gpio-pxa-make-irq_chip-immutable.patch @@ -0,0 +1,63 @@ +From a0b11abb5459e6c6b29904f91daf63f6754a4b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 12:45:40 +0800 +Subject: gpio: pxa: Make irq_chip immutable + +From: Peng Fan + +[ Upstream commit 20117cf426b677e7aced4e7a1b2b37f6080a46dc ] + +Kernel warns about mutable irq_chips: +"not an immutable chip, please consider fixing!" + +Constify pxa_muxed_gpio_chip, flag the irq_chip as IRQCHIP_IMMUTABLE, +add the new helper functions, and call the appropriate gpiolib functions. + +Signed-off-by: Peng Fan +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20250509-gpio-v1-9-639377c98288@nxp.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-pxa.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-pxa.c b/drivers/gpio/gpio-pxa.c +index 5c770b7891f71..177529aecc697 100644 +--- a/drivers/gpio/gpio-pxa.c ++++ b/drivers/gpio/gpio-pxa.c +@@ -508,6 +508,8 @@ static void pxa_mask_muxed_gpio(struct irq_data *d) + gfer = readl_relaxed(base + GFER_OFFSET) & ~GPIO_bit(gpio); + writel_relaxed(grer, base + GRER_OFFSET); + writel_relaxed(gfer, base + GFER_OFFSET); ++ ++ gpiochip_disable_irq(&pchip->chip, gpio); + } + + static int pxa_gpio_set_wake(struct irq_data *d, unsigned int on) +@@ -527,17 +529,21 @@ static void pxa_unmask_muxed_gpio(struct irq_data *d) + unsigned int gpio = irqd_to_hwirq(d); + struct pxa_gpio_bank *c = gpio_to_pxabank(&pchip->chip, gpio); + ++ gpiochip_enable_irq(&pchip->chip, gpio); ++ + c->irq_mask |= GPIO_bit(gpio); + update_edge_detect(c); + } + +-static struct irq_chip pxa_muxed_gpio_chip = { ++static const struct irq_chip pxa_muxed_gpio_chip = { + .name = "GPIO", + .irq_ack = pxa_ack_muxed_gpio, + .irq_mask = pxa_mask_muxed_gpio, + .irq_unmask = pxa_unmask_muxed_gpio, + .irq_set_type = pxa_gpio_irq_type, + .irq_set_wake = pxa_gpio_set_wake, ++ .flags = IRQCHIP_IMMUTABLE, ++ GPIOCHIP_IRQ_RESOURCE_HELPERS, + }; + + static int pxa_gpio_nums(struct platform_device *pdev) +-- +2.39.5 + diff --git a/queue-5.4/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch b/queue-5.4/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch new file mode 100644 index 0000000000..42d6aaf597 --- /dev/null +++ b/queue-5.4/i2c-designware-invoke-runtime-suspend-on-quick-slave.patch @@ -0,0 +1,79 @@ +From d3c817e7e7add303c129607b7560baf2c2b9dfb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Apr 2025 10:33:03 +0800 +Subject: i2c: designware: Invoke runtime suspend on quick slave + re-registration + +From: Tan En De + +[ Upstream commit 2fe2b969d911a09abcd6a47401a3c66c38a310e6 ] + +Replaced pm_runtime_put() with pm_runtime_put_sync_suspend() to ensure +the runtime suspend is invoked immediately when unregistering a slave. +This prevents a race condition where suspend was skipped when +unregistering and registering slave in quick succession. + +For example, consider the rapid sequence of +`delete_device -> new_device -> delete_device -> new_device`. +In this sequence, it is observed that the dw_i2c_plat_runtime_suspend() +might not be invoked after `delete_device` operation. + +This is because after `delete_device` operation, when the +pm_runtime_put() is about to trigger suspend, the following `new_device` +operation might race and cancel the suspend. + +If that happens, during the `new_device` operation, +dw_i2c_plat_runtime_resume() is skipped (since there was no suspend), which +means `i_dev->init()`, i.e. i2c_dw_init_slave(), is skipped. +Since i2c_dw_init_slave() is skipped, i2c_dw_configure_fifo_slave() is +skipped too, which leaves `DW_IC_INTR_MASK` unconfigured. If we inspect +the interrupt mask register using devmem, it will show as zero. + +Example shell script to reproduce the issue: +``` + #!/bin/sh + + SLAVE_LADDR=0x1010 + SLAVE_BUS=13 + NEW_DEVICE=/sys/bus/i2c/devices/i2c-$SLAVE_BUS/new_device + DELETE_DEVICE=/sys/bus/i2c/devices/i2c-$SLAVE_BUS/delete_device + + # Create initial device + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + sleep 2 + + # Rapid sequence of + # delete_device -> new_device -> delete_device -> new_device + echo $SLAVE_LADDR > $DELETE_DEVICE + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + echo $SLAVE_LADDR > $DELETE_DEVICE + echo slave-24c02 $SLAVE_LADDR > $NEW_DEVICE + + # Using devmem to inspect IC_INTR_MASK will show as zero +``` + +Signed-off-by: Tan En De +Acked-by: Jarkko Nikula +Link: https://lore.kernel.org/r/20250412023303.378600-1-ende.tan@starfivetech.com +Signed-off-by: Andi Shyti +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-slave.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c +index f5f001738df5e..57e67962a602f 100644 +--- a/drivers/i2c/busses/i2c-designware-slave.c ++++ b/drivers/i2c/busses/i2c-designware-slave.c +@@ -96,7 +96,7 @@ static int i2c_dw_unreg_slave(struct i2c_client *slave) + dev->disable(dev); + synchronize_irq(dev->irq); + dev->slave = NULL; +- pm_runtime_put(dev->dev); ++ pm_runtime_put_sync_suspend(dev->dev); + + return 0; + } +-- +2.39.5 + diff --git a/queue-5.4/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch b/queue-5.4/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch new file mode 100644 index 0000000000..032acdce49 --- /dev/null +++ b/queue-5.4/i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch @@ -0,0 +1,48 @@ +From 93c9d887d4b99b0f4a5af681e3a664f83a6b8860 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Mar 2025 14:16:02 +0900 +Subject: i40e: fix MMIO write access to an invalid page in i40e_clear_hw + +From: Kyungwook Boo + +[ Upstream commit 015bac5daca978448f2671478c553ce1f300c21e ] + +When the device sends a specific input, an integer underflow can occur, leading +to MMIO write access to an invalid page. + +Prevent the integer underflow by changing the type of related variables. + +Signed-off-by: Kyungwook Boo +Link: https://lore.kernel.org/lkml/ffc91764-1142-4ba2-91b6-8c773f6f7095@gmail.com/T/ +Reviewed-by: Przemek Kitszel +Reviewed-by: Simon Horman +Reviewed-by: Aleksandr Loktionov +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_common.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c +index a3709c4fc65d0..e4aa2a2d50e5d 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_common.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c +@@ -1322,10 +1322,11 @@ i40e_status i40e_pf_reset(struct i40e_hw *hw) + void i40e_clear_hw(struct i40e_hw *hw) + { + u32 num_queues, base_queue; +- u32 num_pf_int; +- u32 num_vf_int; ++ s32 num_pf_int; ++ s32 num_vf_int; + u32 num_vfs; +- u32 i, j; ++ s32 i; ++ u32 j; + u32 val; + u32 eol = 0x7ff; + +-- +2.39.5 + diff --git a/queue-5.4/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch b/queue-5.4/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch new file mode 100644 index 0000000000..4992128fd6 --- /dev/null +++ b/queue-5.4/ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch @@ -0,0 +1,44 @@ +From 57e7a4b04a9312dadbdc707d5d1e60c236489838 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 11:27:24 +0200 +Subject: ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT + +From: Sebastian Andrzej Siewior + +[ Upstream commit 1c0829788a6e6e165846b9bedd0b908ef16260b6 ] + +The statistics are incremented with raw_cpu_inc() assuming it always +happens with bottom half disabled. Without per-CPU locking in +local_bh_disable() on PREEMPT_RT this is no longer true. + +Use this_cpu_inc() on PREEMPT_RT for the increment to not worry about +preemption. + +Cc: David Ahern +Signed-off-by: Sebastian Andrzej Siewior +Link: https://patch.msgid.link/20250512092736.229935-4-bigeasy@linutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index da280a2df4e66..d173234503f94 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -197,7 +197,11 @@ const __u8 ip_tos2prio[16] = { + EXPORT_SYMBOL(ip_tos2prio); + + static DEFINE_PER_CPU(struct rt_cache_stat, rt_cache_stat); ++#ifndef CONFIG_PREEMPT_RT + #define RT_CACHE_STAT_INC(field) raw_cpu_inc(rt_cache_stat.field) ++#else ++#define RT_CACHE_STAT_INC(field) this_cpu_inc(rt_cache_stat.field) ++#endif + + #ifdef CONFIG_PROC_FS + static void *rt_cache_seq_start(struct seq_file *seq, loff_t *pos) +-- +2.39.5 + diff --git a/queue-5.4/jfs-fix-array-index-out-of-bounds-read-in-add_missin.patch b/queue-5.4/jfs-fix-array-index-out-of-bounds-read-in-add_missin.patch new file mode 100644 index 0000000000..b78229ca7f --- /dev/null +++ b/queue-5.4/jfs-fix-array-index-out-of-bounds-read-in-add_missin.patch @@ -0,0 +1,85 @@ +From 8e97f46f86dd38bd9f1d580dc775ad546c6619e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 20:59:16 +0530 +Subject: jfs: fix array-index-out-of-bounds read in add_missing_indices + +From: Aditya Dutt + +[ Upstream commit 5dff41a86377563f7a2b968aae00d25b4ceb37c9 ] + +stbl is s8 but it must contain offsets into slot which can go from 0 to +127. + +Added a bound check for that error and return -EIO if the check fails. +Also make jfs_readdir return with error if add_missing_indices returns +with an error. + +Reported-by: syzbot+b974bd41515f770c608b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com./bug?extid=b974bd41515f770c608b +Signed-off-by: Aditya Dutt +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dtree.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c +index 4666aee2e1f4b..93df5f3bb3bbb 100644 +--- a/fs/jfs/jfs_dtree.c ++++ b/fs/jfs/jfs_dtree.c +@@ -2909,7 +2909,7 @@ void dtInitRoot(tid_t tid, struct inode *ip, u32 idotdot) + * fsck.jfs should really fix this, but it currently does not. + * Called from jfs_readdir when bad index is detected. + */ +-static void add_missing_indices(struct inode *inode, s64 bn) ++static int add_missing_indices(struct inode *inode, s64 bn) + { + struct ldtentry *d; + struct dt_lock *dtlck; +@@ -2918,7 +2918,7 @@ static void add_missing_indices(struct inode *inode, s64 bn) + struct lv *lv; + struct metapage *mp; + dtpage_t *p; +- int rc; ++ int rc = 0; + s8 *stbl; + tid_t tid; + struct tlock *tlck; +@@ -2943,6 +2943,16 @@ static void add_missing_indices(struct inode *inode, s64 bn) + + stbl = DT_GETSTBL(p); + for (i = 0; i < p->header.nextindex; i++) { ++ if (stbl[i] < 0) { ++ jfs_err("jfs: add_missing_indices: Invalid stbl[%d] = %d for inode %ld, block = %lld", ++ i, stbl[i], (long)inode->i_ino, (long long)bn); ++ rc = -EIO; ++ ++ DT_PUTPAGE(mp); ++ txAbort(tid, 0); ++ goto end; ++ } ++ + d = (struct ldtentry *) &p->slot[stbl[i]]; + index = le32_to_cpu(d->index); + if ((index < 2) || (index >= JFS_IP(inode)->next_index)) { +@@ -2960,6 +2970,7 @@ static void add_missing_indices(struct inode *inode, s64 bn) + (void) txCommit(tid, 1, &inode, 0); + end: + txEnd(tid); ++ return rc; + } + + /* +@@ -3313,7 +3324,8 @@ int jfs_readdir(struct file *file, struct dir_context *ctx) + } + + if (fix_page) { +- add_missing_indices(ip, bn); ++ if ((rc = add_missing_indices(ip, bn))) ++ goto out; + page_fixed = 1; + } + +-- +2.39.5 + diff --git a/queue-5.4/jfs-fix-null-ptr-deref-in-jfs_ioc_trim.patch b/queue-5.4/jfs-fix-null-ptr-deref-in-jfs_ioc_trim.patch new file mode 100644 index 0000000000..de322fc1d3 --- /dev/null +++ b/queue-5.4/jfs-fix-null-ptr-deref-in-jfs_ioc_trim.patch @@ -0,0 +1,119 @@ +From e99aa51f6eb994ffe1e38bedcce2dd163b38cecc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 16:02:00 +0800 +Subject: jfs: Fix null-ptr-deref in jfs_ioc_trim + +From: Dylan Wolff + +[ Upstream commit a4685408ff6c3e2af366ad9a7274f45ff3f394ee ] + +[ Syzkaller Report ] + +Oops: general protection fault, probably for non-canonical address +0xdffffc0000000087: 0000 [#1 +KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] +CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted +6.13.0-rc6-gfbfd64d25c7a-dirty #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Sched_ext: serialise (enabled+all), task: runnable_at=-30ms +RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 +Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 +90 82 fe ff 4c 89 ff 31 f6 +RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 +RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a +RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 +RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 +R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 +FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + +? __die_body+0x61/0xb0 +? die_addr+0xb1/0xe0 +? exc_general_protection+0x333/0x510 +? asm_exc_general_protection+0x26/0x30 +? jfs_ioc_trim+0x34b/0x8f0 +jfs_ioctl+0x3c8/0x4f0 +? __pfx_jfs_ioctl+0x10/0x10 +? __pfx_jfs_ioctl+0x10/0x10 +__se_sys_ioctl+0x269/0x350 +? __pfx___se_sys_ioctl+0x10/0x10 +? do_syscall_64+0xfb/0x210 +do_syscall_64+0xee/0x210 +? syscall_exit_to_user_mode+0x1e0/0x330 +entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fe51f4903ad +Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d +RSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad +RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640 +R13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000 + +Modules linked in: +---[ end trace 0000000000000000 ]--- +RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 +Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 +90 82 fe ff 4c 89 ff 31 f6 +RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 +RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a +RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 +RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 +R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 +FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Kernel panic - not syncing: Fatal exception + +[ Analysis ] + +We believe that we have found a concurrency bug in the `fs/jfs` module +that results in a null pointer dereference. There is a closely related +issue which has been fixed: + +https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 + +... but, unfortunately, the accepted patch appears to still be +susceptible to a null pointer dereference under some interleavings. + +To trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set +to NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This +bug manifests quite rarely under normal circumstances, but is +triggereable from a syz-program. + +Reported-and-tested-by: Dylan J. Wolff +Reported-and-tested-by: Jiacheng Xu +Signed-off-by: Dylan J. Wolff +Signed-off-by: Jiacheng Xu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_discard.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_discard.c b/fs/jfs/jfs_discard.c +index 5f4b305030ad5..4b660296caf39 100644 +--- a/fs/jfs/jfs_discard.c ++++ b/fs/jfs/jfs_discard.c +@@ -86,7 +86,8 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range) + down_read(&sb->s_umount); + bmp = JFS_SBI(ip->i_sb)->bmap; + +- if (minlen > bmp->db_agsize || ++ if (bmp == NULL || ++ minlen > bmp->db_agsize || + start >= bmp->db_mapsize || + range->len < sb->s_blocksize) { + up_read(&sb->s_umount); +-- +2.39.5 + diff --git a/queue-5.4/media-platform-exynos4-is-add-hardware-sync-wait-to-.patch b/queue-5.4/media-platform-exynos4-is-add-hardware-sync-wait-to-.patch new file mode 100644 index 0000000000..f421065486 --- /dev/null +++ b/queue-5.4/media-platform-exynos4-is-add-hardware-sync-wait-to-.patch @@ -0,0 +1,39 @@ +From 6f0442cfb5b00b9036e40a1aa53e5b3f8ca3b5f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Apr 2025 10:13:45 +0800 +Subject: media: platform: exynos4-is: Add hardware sync wait to + fimc_is_hw_change_mode() + +From: Wentao Liang + +[ Upstream commit bd9f6ce7d512fa21249415c16af801a4ed5d97b6 ] + +In fimc_is_hw_change_mode(), the function changes camera modes without +waiting for hardware completion, risking corrupted data or system hangs +if subsequent operations proceed before the hardware is ready. + +Add fimc_is_hw_wait_intmsr0_intmsd0() after mode configuration, ensuring +hardware state synchronization and stable interrupt handling. + +Signed-off-by: Wentao Liang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-is-regs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/exynos4-is/fimc-is-regs.c b/drivers/media/platform/exynos4-is/fimc-is-regs.c +index 366e6393817d2..5f9c44e825a5f 100644 +--- a/drivers/media/platform/exynos4-is/fimc-is-regs.c ++++ b/drivers/media/platform/exynos4-is/fimc-is-regs.c +@@ -164,6 +164,7 @@ int fimc_is_hw_change_mode(struct fimc_is *is) + if (WARN_ON(is->config_index >= ARRAY_SIZE(cmd))) + return -EINVAL; + ++ fimc_is_hw_wait_intmsr0_intmsd0(is); + mcuctl_write(cmd[is->config_index], is, MCUCTL_REG_ISSR(0)); + mcuctl_write(is->sensor_index, is, MCUCTL_REG_ISSR(1)); + mcuctl_write(is->setfile.sub_index, is, MCUCTL_REG_ISSR(2)); +-- +2.39.5 + diff --git a/queue-5.4/media-tc358743-ignore-video-while-hpd-is-low.patch b/queue-5.4/media-tc358743-ignore-video-while-hpd-is-low.patch new file mode 100644 index 0000000000..ede1c5099d --- /dev/null +++ b/queue-5.4/media-tc358743-ignore-video-while-hpd-is-low.patch @@ -0,0 +1,43 @@ +From ff5f5f09dffda6b38ea3ddba564534b6dcc273d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:54:17 +0200 +Subject: media: tc358743: ignore video while HPD is low + +From: Hans Verkuil + +[ Upstream commit 6829c5b5d26b1be31880d74ec24cb32d2d75f1ae ] + +If the HPD is low (happens if there is no EDID or the +EDID is being updated), then return -ENOLINK in +tc358743_get_detected_timings() instead of detecting video. + +This avoids userspace thinking that it can start streaming when +the HPD is low. + +Signed-off-by: Hans Verkuil +Tested-by: Maxime Ripard +Link: https://lore.kernel.org/linux-media/20240628-stoic-bettong-of-fortitude-e25611@houat/ +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index f042570bc5cae..f4ebe93a495c4 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -309,6 +309,10 @@ static int tc358743_get_detected_timings(struct v4l2_subdev *sd, + + memset(timings, 0, sizeof(struct v4l2_dv_timings)); + ++ /* if HPD is low, ignore any video */ ++ if (!(i2c_rd8(sd, HPD_CTL) & MASK_HPD_OUT0)) ++ return -ENOLINK; ++ + if (no_signal(sd)) { + v4l2_dbg(1, debug, sd, "%s: no valid signal\n", __func__); + return -ENOLINK; +-- +2.39.5 + diff --git a/queue-5.4/media-uapi-v4l-fix-v4l2_type_is_output-condition.patch b/queue-5.4/media-uapi-v4l-fix-v4l2_type_is_output-condition.patch new file mode 100644 index 0000000000..5dfc0a2852 --- /dev/null +++ b/queue-5.4/media-uapi-v4l-fix-v4l2_type_is_output-condition.patch @@ -0,0 +1,35 @@ +From a506cbad0f8f93390b0d7db8c045e8b1ddc8dcd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jul 2024 15:10:34 +0900 +Subject: media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition + +From: Nas Chung + +[ Upstream commit f81f69a0e3da141bdd73a16b8676f4e542533d87 ] + +V4L2_TYPE_IS_OUTPUT() returns true for V4L2_BUF_TYPE_VIDEO_OVERLAY +which definitely belongs to CAPTURE. + +Signed-off-by: Nas Chung +Signed-off-by: Sebastian Fricke +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + include/uapi/linux/videodev2.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h +index 895c5ba8b6ac2..5384c9d61d510 100644 +--- a/include/uapi/linux/videodev2.h ++++ b/include/uapi/linux/videodev2.h +@@ -164,7 +164,6 @@ enum v4l2_buf_type { + #define V4L2_TYPE_IS_OUTPUT(type) \ + ((type) == V4L2_BUF_TYPE_VIDEO_OUTPUT \ + || (type) == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE \ +- || (type) == V4L2_BUF_TYPE_VIDEO_OVERLAY \ + || (type) == V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY \ + || (type) == V4L2_BUF_TYPE_VBI_OUTPUT \ + || (type) == V4L2_BUF_TYPE_SLICED_VBI_OUTPUT \ +-- +2.39.5 + diff --git a/queue-5.4/net-dlink-add-synchronization-for-stats-update.patch b/queue-5.4/net-dlink-add-synchronization-for-stats-update.patch new file mode 100644 index 0000000000..0936435115 --- /dev/null +++ b/queue-5.4/net-dlink-add-synchronization-for-stats-update.patch @@ -0,0 +1,102 @@ +From a974d225fb46b62ac53ed85ae6149f818860bf15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:53:31 +0900 +Subject: net: dlink: add synchronization for stats update + +From: Moon Yeounsu + +[ Upstream commit 12889ce926e9a9baf6b83d809ba316af539b89e2 ] + +This patch synchronizes code that accesses from both user-space +and IRQ contexts. The `get_stats()` function can be called from both +context. + +`dev->stats.tx_errors` and `dev->stats.collisions` are also updated +in the `tx_errors()` function. Therefore, these fields must also be +protected by synchronized. + +There is no code that accessses `dev->stats.tx_errors` between the +previous and updated lines, so the updating point can be moved. + +Signed-off-by: Moon Yeounsu +Link: https://patch.msgid.link/20250515075333.48290-1-yyyynoom@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dlink/dl2k.c | 14 +++++++++++++- + drivers/net/ethernet/dlink/dl2k.h | 2 ++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dlink/dl2k.c b/drivers/net/ethernet/dlink/dl2k.c +index eb23157641343..8d57fb5072054 100644 +--- a/drivers/net/ethernet/dlink/dl2k.c ++++ b/drivers/net/ethernet/dlink/dl2k.c +@@ -155,6 +155,8 @@ rio_probe1 (struct pci_dev *pdev, const struct pci_device_id *ent) + np->ioaddr = ioaddr; + np->chip_id = chip_idx; + np->pdev = pdev; ++ ++ spin_lock_init(&np->stats_lock); + spin_lock_init (&np->tx_lock); + spin_lock_init (&np->rx_lock); + +@@ -875,7 +877,6 @@ tx_error (struct net_device *dev, int tx_status) + frame_id = (tx_status & 0xffff0000); + printk (KERN_ERR "%s: Transmit error, TxStatus %4.4x, FrameId %d.\n", + dev->name, tx_status, frame_id); +- dev->stats.tx_errors++; + /* Ttransmit Underrun */ + if (tx_status & 0x10) { + dev->stats.tx_fifo_errors++; +@@ -912,9 +913,15 @@ tx_error (struct net_device *dev, int tx_status) + rio_set_led_mode(dev); + /* Let TxStartThresh stay default value */ + } ++ ++ spin_lock(&np->stats_lock); + /* Maximum Collisions */ + if (tx_status & 0x08) + dev->stats.collisions++; ++ ++ dev->stats.tx_errors++; ++ spin_unlock(&np->stats_lock); ++ + /* Restart the Tx */ + dw32(MACCtrl, dr16(MACCtrl) | TxEnable); + } +@@ -1084,7 +1091,9 @@ get_stats (struct net_device *dev) + int i; + #endif + unsigned int stat_reg; ++ unsigned long flags; + ++ spin_lock_irqsave(&np->stats_lock, flags); + /* All statistics registers need to be acknowledged, + else statistic overflow could cause problems */ + +@@ -1134,6 +1143,9 @@ get_stats (struct net_device *dev) + dr16(TCPCheckSumErrors); + dr16(UDPCheckSumErrors); + dr16(IPCheckSumErrors); ++ ++ spin_unlock_irqrestore(&np->stats_lock, flags); ++ + return &dev->stats; + } + +diff --git a/drivers/net/ethernet/dlink/dl2k.h b/drivers/net/ethernet/dlink/dl2k.h +index 0e33e2eaae960..56aff2f0bdbfa 100644 +--- a/drivers/net/ethernet/dlink/dl2k.h ++++ b/drivers/net/ethernet/dlink/dl2k.h +@@ -372,6 +372,8 @@ struct netdev_private { + struct pci_dev *pdev; + void __iomem *ioaddr; + void __iomem *eeprom_addr; ++ // To ensure synchronization when stats are updated. ++ spinlock_t stats_lock; + spinlock_t tx_lock; + spinlock_t rx_lock; + unsigned int rx_buf_sz; /* Based on MTU+slack. */ +-- +2.39.5 + diff --git a/queue-5.4/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch b/queue-5.4/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch new file mode 100644 index 0000000000..2f20c2ba62 --- /dev/null +++ b/queue-5.4/net-macb-check-return-value-of-dma_set_mask_and_cohe.patch @@ -0,0 +1,42 @@ +From 913f862cbe41857e807bb447495a8ebab7440060 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 May 2025 21:20:31 -0600 +Subject: net: macb: Check return value of dma_set_mask_and_coherent() + +From: Sergio Perez Gonzalez + +[ Upstream commit 3920a758800762917177a6b5ab39707d8e376fe6 ] + +Issue flagged by coverity. Add a safety check for the return value +of dma_set_mask_and_coherent, go to a safe exit if it returns error. + +Link: https://scan7.scan.coverity.com/#/project-view/53936/11354?selectedIssue=1643754 +Signed-off-by: Sergio Perez Gonzalez +Reviewed-by: Claudiu Beznea +Link: https://patch.msgid.link/20250526032034.84900-1-sperezglz@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index a750c752846cf..a635c9af26c3e 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -4320,7 +4320,11 @@ static int macb_probe(struct platform_device *pdev) + + #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT + if (GEM_BFEXT(DAW64, gem_readl(bp, DCFG6))) { +- dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); ++ err = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(44)); ++ if (err) { ++ dev_err(&pdev->dev, "failed to set DMA mask\n"); ++ goto err_out_free_netdev; ++ } + bp->hw_dma_cap |= HW_DMA_CAP_64B; + } + #endif +-- +2.39.5 + diff --git a/queue-5.4/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch b/queue-5.4/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch new file mode 100644 index 0000000000..a595fabe3d --- /dev/null +++ b/queue-5.4/net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch @@ -0,0 +1,37 @@ +From 430af7e90b08d06b66af7aa10dadf415a3374ba8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 17:34:42 +0800 +Subject: net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info + +From: Jason Xing + +[ Upstream commit b86bcfee30576b752302c55693fff97242b35dfd ] + +As mlx4 has implemented skb_tx_timestamp() in mlx4_en_xmit(), the +SOFTWARE flag is surely needed when users are trying to get timestamp +information. + +Signed-off-by: Jason Xing +Reviewed-by: Tariq Toukan +Link: https://patch.msgid.link/20250510093442.79711-1-kerneljasonxing@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +index b711148a9d503..9dbdd6266f731 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1889,6 +1889,7 @@ static int mlx4_en_get_ts_info(struct net_device *dev, + if (mdev->dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_TS) { + info->so_timestamping |= + SOF_TIMESTAMPING_TX_HARDWARE | ++ SOF_TIMESTAMPING_TX_SOFTWARE | + SOF_TIMESTAMPING_RX_HARDWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; + +-- +2.39.5 + diff --git a/queue-5.4/nios2-force-update_mmu_cache-on-spurious-tlb-permiss.patch b/queue-5.4/nios2-force-update_mmu_cache-on-spurious-tlb-permiss.patch new file mode 100644 index 0000000000..401e8fd593 --- /dev/null +++ b/queue-5.4/nios2-force-update_mmu_cache-on-spurious-tlb-permiss.patch @@ -0,0 +1,85 @@ +From ee06300d329f570b9e862c864cea3ef28cdbee9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 14:54:22 +0100 +Subject: nios2: force update_mmu_cache on spurious tlb-permission--related + pagefaults + +From: Simon Schuster + +[ Upstream commit 2d8a3179ea035f9341b6a73e5ba4029fc67e983d ] + +NIOS2 uses a software-managed TLB for virtual address translation. To +flush a cache line, the original mapping is replaced by one to physical +address 0x0 with no permissions (rwx mapped to 0) set. This can lead to +TLB-permission--related traps when such a nominally flushed entry is +encountered as a mapping for an otherwise valid virtual address within a +process (e.g. due to an MMU-PID-namespace rollover that previously +flushed the complete TLB including entries of existing, running +processes). + +The default ptep_set_access_flags implementation from mm/pgtable-generic.c +only forces a TLB-update when the page-table entry has changed within the +page table: + + /* + * [...] We return whether the PTE actually changed, which in turn + * instructs the caller to do things like update__mmu_cache. [...] + */ + int ptep_set_access_flags(struct vm_area_struct *vma, + unsigned long address, pte_t *ptep, + pte_t entry, int dirty) + { + int changed = !pte_same(*ptep, entry); + if (changed) { + set_pte_at(vma->vm_mm, address, ptep, entry); + flush_tlb_fix_spurious_fault(vma, address); + } + return changed; + } + +However, no cross-referencing with the TLB-state occurs, so the +flushing-induced pseudo entries that are responsible for the pagefault +in the first place are never pre-empted from TLB on this code path. + +This commit fixes this behaviour by always requesting a TLB-update in +this part of the pagefault handling, fixing spurious page-faults on the +way. The handling is a straightforward port of the logic from the MIPS +architecture via an arch-specific ptep_set_access_flags function ported +from arch/mips/include/asm/pgtable.h. + +Signed-off-by: Simon Schuster +Signed-off-by: Andreas Oetken +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +--- + arch/nios2/include/asm/pgtable.h | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/arch/nios2/include/asm/pgtable.h b/arch/nios2/include/asm/pgtable.h +index 99985d8b71664..506bbc7730879 100644 +--- a/arch/nios2/include/asm/pgtable.h ++++ b/arch/nios2/include/asm/pgtable.h +@@ -297,4 +297,20 @@ extern void __init mmu_init(void); + extern void update_mmu_cache(struct vm_area_struct *vma, + unsigned long address, pte_t *pte); + ++static inline int pte_same(pte_t pte_a, pte_t pte_b); ++ ++#define __HAVE_ARCH_PTEP_SET_ACCESS_FLAGS ++static inline int ptep_set_access_flags(struct vm_area_struct *vma, ++ unsigned long address, pte_t *ptep, ++ pte_t entry, int dirty) ++{ ++ if (!pte_same(*ptep, entry)) ++ set_ptes(vma->vm_mm, address, ptep, entry, 1); ++ /* ++ * update_mmu_cache will unconditionally execute, handling both ++ * the case that the PTE changed and the spurious fault case. ++ */ ++ return true; ++} ++ + #endif /* _ASM_NIOS2_PGTABLE_H */ +-- +2.39.5 + diff --git a/queue-5.4/openvswitch-stricter-validation-for-the-userspace-ac.patch b/queue-5.4/openvswitch-stricter-validation-for-the-userspace-ac.patch new file mode 100644 index 0000000000..3e8cf31ea7 --- /dev/null +++ b/queue-5.4/openvswitch-stricter-validation-for-the-userspace-ac.patch @@ -0,0 +1,45 @@ +From 4637c2c3b176a11f10a210aa423111bc3e360bdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 10:08:24 +0200 +Subject: openvswitch: Stricter validation for the userspace action + +From: Eelco Chaudron + +[ Upstream commit 88906f55954131ed2d3974e044b7fb48129b86ae ] + +This change enhances the robustness of validate_userspace() by ensuring +that all Netlink attributes are fully contained within the parent +attribute. The previous use of nla_parse_nested_deprecated() could +silently skip trailing or malformed attributes, as it stops parsing at +the first invalid entry. + +By switching to nla_parse_deprecated_strict(), we make sure only fully +validated attributes are copied for later use. + +Signed-off-by: Eelco Chaudron +Reviewed-by: Simon Horman +Acked-by: Ilya Maximets +Link: https://patch.msgid.link/67eb414e2d250e8408bb8afeb982deca2ff2b10b.1747037304.git.echaudro@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow_netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c +index 4ad4c89886ee3..f1f7a0e34c7a9 100644 +--- a/net/openvswitch/flow_netlink.c ++++ b/net/openvswitch/flow_netlink.c +@@ -2912,7 +2912,8 @@ static int validate_userspace(const struct nlattr *attr) + struct nlattr *a[OVS_USERSPACE_ATTR_MAX + 1]; + int error; + +- error = nla_parse_nested_deprecated(a, OVS_USERSPACE_ATTR_MAX, attr, ++ error = nla_parse_deprecated_strict(a, OVS_USERSPACE_ATTR_MAX, ++ nla_data(attr), nla_len(attr), + userspace_policy, NULL); + if (error) + return error; +-- +2.39.5 + diff --git a/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch b/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch new file mode 100644 index 0000000000..ca878246ae --- /dev/null +++ b/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch @@ -0,0 +1,41 @@ +From 6e1686eb89fe5b4a2467b20f9d584593ab19bcea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:38 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_pmx_set_by_name() + +From: Gabor Juhos + +[ Upstream commit 4229c28323db141eda69cb99427be75d3edba071 ] + +The regmap_update_bits() function can fail, so propagate its error +up to the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-7-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index bee20c97aed41..5e0b04e593dc2 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -353,9 +353,7 @@ static int armada_37xx_pmx_set_by_name(struct pinctrl_dev *pctldev, + + val = grp->val[func]; + +- regmap_update_bits(info->regmap, reg, mask, val); +- +- return 0; ++ return regmap_update_bits(info->regmap, reg, mask, val); + } + + static int armada_37xx_pmx_set(struct pinctrl_dev *pctldev, +-- +2.39.5 + diff --git a/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-23419 b/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-23419 new file mode 100644 index 0000000000..2487971b4c --- /dev/null +++ b/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-23419 @@ -0,0 +1,52 @@ +From 52fb0f506ce3c28d24cd70d5e0fc63c9ea93c304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:36 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_pmx_gpio_set_direction() + +From: Gabor Juhos + +[ Upstream commit bfa0ff804ffa8b1246ade8be08de98c9eb19d16f ] + +The armada_37xx_gpio_direction_{in,out}put() functions can fail, so +propagate their error values back to the stack instead of silently +ignoring those. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-5-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index d3d156b25e96d..4df9dbad0e977 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -464,16 +464,17 @@ static int armada_37xx_pmx_gpio_set_direction(struct pinctrl_dev *pctldev, + { + struct armada_37xx_pinctrl *info = pinctrl_dev_get_drvdata(pctldev); + struct gpio_chip *chip = range->gc; ++ int ret; + + dev_dbg(info->dev, "gpio_direction for pin %u as %s-%d to %s\n", + offset, range->name, offset, input ? "input" : "output"); + + if (input) +- armada_37xx_gpio_direction_input(chip, offset); ++ ret = armada_37xx_gpio_direction_input(chip, offset); + else +- armada_37xx_gpio_direction_output(chip, offset, 0); ++ ret = armada_37xx_gpio_direction_output(chip, offset, 0); + +- return 0; ++ return ret; + } + + static int armada_37xx_gpio_request_enable(struct pinctrl_dev *pctldev, +-- +2.39.5 + diff --git a/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-31110 b/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-31110 new file mode 100644 index 0000000000..5c6b5f8fce --- /dev/null +++ b/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-31110 @@ -0,0 +1,45 @@ +From 4fc816f69160f6c0bb607cf8ef6db712e371eb94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:35 +0200 +Subject: pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() + +From: Gabor Juhos + +[ Upstream commit 57273ff8bb16f3842c2597b5bbcd49e7fa12edf7 ] + +The regmap_read() function can fail, so propagate its error up to +the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-4-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index 4df9dbad0e977..46e7e78d37632 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -435,11 +435,14 @@ static int armada_37xx_gpio_get(struct gpio_chip *chip, unsigned int offset) + struct armada_37xx_pinctrl *info = gpiochip_get_data(chip); + unsigned int reg = INPUT_VAL; + unsigned int val, mask; ++ int ret; + + armada_37xx_update_reg(®, &offset); + mask = BIT(offset); + +- regmap_read(info->regmap, reg, &val); ++ ret = regmap_read(info->regmap, reg, &val); ++ if (ret) ++ return ret; + + return (val & mask) != 0; + } +-- +2.39.5 + diff --git a/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-32495 b/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-32495 new file mode 100644 index 0000000000..e03726c4f6 --- /dev/null +++ b/queue-5.4/pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-32495 @@ -0,0 +1,45 @@ +From 0240d7818310994826229cd7901acd11921ba39c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 21:18:37 +0200 +Subject: pinctrl: armada-37xx: propagate error from + armada_37xx_gpio_get_direction() + +From: Gabor Juhos + +[ Upstream commit 6481c0a83367b0672951ccc876fbae7ee37b594b ] + +The regmap_read() function can fail, so propagate its error up to +the stack instead of silently ignoring that. + +Signed-off-by: Imre Kaloz +Reviewed-by: Andrew Lunn +Signed-off-by: Gabor Juhos +Link: https://lore.kernel.org/20250514-pinctrl-a37xx-fixes-v2-6-07e9ac1ab737@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +index 5e0b04e593dc2..d3d156b25e96d 100644 +--- a/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c ++++ b/drivers/pinctrl/mvebu/pinctrl-armada-37xx.c +@@ -395,10 +395,13 @@ static int armada_37xx_gpio_get_direction(struct gpio_chip *chip, + struct armada_37xx_pinctrl *info = gpiochip_get_data(chip); + unsigned int reg = OUTPUT_EN; + unsigned int val, mask; ++ int ret; + + armada_37xx_update_reg(®, &offset); + mask = BIT(offset); +- regmap_read(info->regmap, reg, &val); ++ ret = regmap_read(info->regmap, reg, &val); ++ if (ret) ++ return ret; + + return !(val & mask); + } +-- +2.39.5 + diff --git a/queue-5.4/platform-add-surface-platform-directory.patch b/queue-5.4/platform-add-surface-platform-directory.patch new file mode 100644 index 0000000000..84f81c48b0 --- /dev/null +++ b/queue-5.4/platform-add-surface-platform-directory.patch @@ -0,0 +1,116 @@ +From 83733ee8ac7f978f4b5bc4e9c8481bb75030f33e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Oct 2020 16:11:24 +0200 +Subject: platform: Add Surface platform directory + +From: Maximilian Luz + +[ Upstream commit 1e3a2bc89de44ec34153ab1c1056346b51def250 ] + +It may make sense to split the Microsoft Surface hardware platform +drivers out to a separate subdirectory, since some of it may be shared +between ARM and x86 in the future (regarding devices like the Surface +Pro X). + +Further, newer Surface devices will require additional platform drivers +for fundamental support (mostly regarding their embedded controller), +which may also warrant this split from a size perspective. + +This commit introduces a new platform/surface subdirectory for the +Surface device family, with subsequent commits moving existing Surface +drivers over from platform/x86. + +A new MAINTAINERS entry is added for this directory. Patches to files in +this directory will be taken up by the platform-drivers-x86 team (i.e. +Hans de Goede and Mark Gross) after they have been reviewed by +Maximilian Luz. + +Signed-off-by: Maximilian Luz +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20201009141128.683254-2-luzmaximilian@gmail.com +Signed-off-by: Hans de Goede +Stable-dep-of: f4b0fa38d5fe ("platform/x86: dell_rbu: Stop overwriting data buffer") +Signed-off-by: Sasha Levin +--- + MAINTAINERS | 9 +++++++++ + drivers/platform/Kconfig | 2 ++ + drivers/platform/Makefile | 1 + + drivers/platform/surface/Kconfig | 14 ++++++++++++++ + drivers/platform/surface/Makefile | 5 +++++ + 5 files changed, 31 insertions(+) + create mode 100644 drivers/platform/surface/Kconfig + create mode 100644 drivers/platform/surface/Makefile + +diff --git a/MAINTAINERS b/MAINTAINERS +index 2040c2f76dcf7..474daf91a054b 100644 +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -10819,6 +10819,15 @@ L: netdev@vger.kernel.org + S: Supported + F: drivers/net/ethernet/mscc/ + ++MICROSOFT SURFACE HARDWARE PLATFORM SUPPORT ++M: Hans de Goede ++M: Mark Gross ++M: Maximilian Luz ++L: platform-driver-x86@vger.kernel.org ++S: Maintained ++T: git git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86.git ++F: drivers/platform/surface/ ++ + MICROSOFT SURFACE PRO 3 BUTTON DRIVER + M: Chen Yu + L: platform-driver-x86@vger.kernel.org +diff --git a/drivers/platform/Kconfig b/drivers/platform/Kconfig +index 971426bb4302c..18fc6a08569eb 100644 +--- a/drivers/platform/Kconfig ++++ b/drivers/platform/Kconfig +@@ -13,3 +13,5 @@ source "drivers/platform/chrome/Kconfig" + source "drivers/platform/mellanox/Kconfig" + + source "drivers/platform/olpc/Kconfig" ++ ++source "drivers/platform/surface/Kconfig" +diff --git a/drivers/platform/Makefile b/drivers/platform/Makefile +index 6fda58c021ca4..4de08ef4ec9d0 100644 +--- a/drivers/platform/Makefile ++++ b/drivers/platform/Makefile +@@ -9,3 +9,4 @@ obj-$(CONFIG_MIPS) += mips/ + obj-$(CONFIG_OLPC_EC) += olpc/ + obj-$(CONFIG_GOLDFISH) += goldfish/ + obj-$(CONFIG_CHROME_PLATFORMS) += chrome/ ++obj-$(CONFIG_SURFACE_PLATFORMS) += surface/ +diff --git a/drivers/platform/surface/Kconfig b/drivers/platform/surface/Kconfig +new file mode 100644 +index 0000000000000..b67926ece95fb +--- /dev/null ++++ b/drivers/platform/surface/Kconfig +@@ -0,0 +1,14 @@ ++# SPDX-License-Identifier: GPL-2.0-only ++# ++# Microsoft Surface Platform-Specific Drivers ++# ++ ++menuconfig SURFACE_PLATFORMS ++ bool "Microsoft Surface Platform-Specific Device Drivers" ++ default y ++ help ++ Say Y here to get to see options for platform-specific device drivers ++ for Microsoft Surface devices. This option alone does not add any ++ kernel code. ++ ++ If you say N, all options in this submenu will be skipped and disabled. +diff --git a/drivers/platform/surface/Makefile b/drivers/platform/surface/Makefile +new file mode 100644 +index 0000000000000..3700f9e84299e +--- /dev/null ++++ b/drivers/platform/surface/Makefile +@@ -0,0 +1,5 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# ++# Makefile for linux/drivers/platform/surface ++# Microsoft Surface Platform-Specific Drivers ++# +-- +2.39.5 + diff --git a/queue-5.4/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch b/queue-5.4/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch new file mode 100644 index 0000000000..e3ec0b5797 --- /dev/null +++ b/queue-5.4/platform-x86-dell_rbu-stop-overwriting-data-buffer.patch @@ -0,0 +1,55 @@ +From d8afc314449bd6567bfb7a22cf83631432cb790c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 13:46:58 -0500 +Subject: platform/x86: dell_rbu: Stop overwriting data buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stuart Hayes + +[ Upstream commit f4b0fa38d5fefe9aed6ed831f3bd3538c168ee19 ] + +The dell_rbu driver will use memset() to clear the data held by each +packet when it is no longer needed (when the driver is unloaded, the +packet size is changed, etc). + +The amount of memory that is cleared (before this patch) is the normal +packet size. However, the last packet in the list may be smaller. + +Fix this to only clear the memory actually used by each packet, to prevent +it from writing past the end of data buffer. + +Because the packet data buffers are allocated with __get_free_pages() (in +page-sized increments), this bug could only result in a buffer being +overwritten when a packet size larger than one page is used. The only user +of the dell_rbu module should be the Dell BIOS update program, which uses +a packet size of 4096, so no issues should be seen without the patch, it +just blocks the possiblity. + +Fixes: 6c54c28e69f2 ("[PATCH] dell_rbu: new Dell BIOS update driver") +Signed-off-by: Stuart Hayes +Link: https://lore.kernel.org/r/20250609184659.7210-5-stuart.w.hayes@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/dell_rbu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell_rbu.c b/drivers/platform/x86/dell_rbu.c +index 3691391fea6b1..16e4614ad3e47 100644 +--- a/drivers/platform/x86/dell_rbu.c ++++ b/drivers/platform/x86/dell_rbu.c +@@ -344,7 +344,7 @@ static void packet_empty_list(void) + * zero out the RBU packet memory before freeing + * to make sure there are no stale RBU packets left in memory + */ +- memset(newpacket->data, 0, rbu_data.packetsize); ++ memset(newpacket->data, 0, newpacket->length); + set_memory_wb((unsigned long)newpacket->data, + 1 << newpacket->ordernum); + free_pages((unsigned long) newpacket->data, +-- +2.39.5 + diff --git a/queue-5.4/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch b/queue-5.4/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch new file mode 100644 index 0000000000..60617c3b86 --- /dev/null +++ b/queue-5.4/pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch @@ -0,0 +1,61 @@ +From 9b4a2ed9932da6aa0556a4a7a9a6b755cbe8883c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 12:11:25 +0530 +Subject: PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() + +From: Charan Teja Kalla + +[ Upstream commit 40d3b40dce375d6f1c1dbf08d79eed3aed6c691d ] + +pm_runtime_put_autosuspend() schedules a hrtimer to expire +at "dev->power.timer_expires". If the hrtimer's callback, +pm_suspend_timer_fn(), observes that the current time equals +"dev->power.timer_expires", it unexpectedly bails out instead of +proceeding with runtime suspend. + +pm_suspend_timer_fn(): + + if (expires > 0 && expires < ktime_get_mono_fast_ns()) { + dev->power.timer_expires = 0; + rpm_suspend(..) + } + +Additionally, as ->timer_expires is not cleared, all the future auto +suspend requests will not schedule hrtimer to perform auto suspend. + +rpm_suspend(): + + if ((rpmflags & RPM_AUTO) &&...) { + if (!(dev->power.timer_expires && ...) { <-- this will fail. + hrtimer_start_range_ns(&dev->power.suspend_timer,...); + } + } + +Fix this by as well checking if current time reaches the set expiration. + +Co-developed-by: Patrick Daly +Signed-off-by: Patrick Daly +Signed-off-by: Charan Teja Kalla +Link: https://patch.msgid.link/20250515064125.1211561-1-quic_charante@quicinc.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index d301a6de762df..7fa231076ad5f 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -982,7 +982,7 @@ static enum hrtimer_restart pm_suspend_timer_fn(struct hrtimer *timer) + * If 'expires' is after the current time, we've been called + * too early. + */ +- if (expires > 0 && expires < ktime_get_mono_fast_ns()) { ++ if (expires > 0 && expires <= ktime_get_mono_fast_ns()) { + dev->power.timer_expires = 0; + rpm_suspend(dev, dev->power.timer_autosuspends ? + (RPM_ASYNC | RPM_AUTO) : RPM_ASYNC); +-- +2.39.5 + diff --git a/queue-5.4/power-supply-bq27xxx-retrieve-again-when-busy.patch b/queue-5.4/power-supply-bq27xxx-retrieve-again-when-busy.patch new file mode 100644 index 0000000000..d2fe1fbd78 --- /dev/null +++ b/queue-5.4/power-supply-bq27xxx-retrieve-again-when-busy.patch @@ -0,0 +1,90 @@ +From 750474d1774d21c767fd6800b292a039391f6afa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 11:40:47 +0800 +Subject: power: supply: bq27xxx: Retrieve again when busy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jerry Lv + +[ Upstream commit f16d9fb6cf03fdbdefa41a8b32ba1e57afb7ae3d ] + +Multiple applications may access the battery gauge at the same time, so +the gauge may be busy and EBUSY will be returned. The driver will set a +flag to record the EBUSY state, and this flag will be kept until the next +periodic update. When this flag is set, bq27xxx_battery_get_property() +will just return ENODEV until the flag is updated. + +Even if the gauge was busy during the last accessing attempt, returning +ENODEV is not ideal, and can cause confusion in the applications layer. + +Instead, retry accessing the I2C to update the flag is as expected, for +the gauge typically recovers from busy state within a few milliseconds. +If still failed to access the gauge, the real error code would be returned +instead of ENODEV (as suggested by Pali Rohár). + +Reviewed-by: Pali Rohár +Signed-off-by: Jerry Lv +Link: https://lore.kernel.org/r/20250415-foo-fix-v2-1-5b45a395e4cc@axis.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery.c | 2 +- + drivers/power/supply/bq27xxx_battery_i2c.c | 13 ++++++++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c +index e6c4dfdc58c47..1cfec675f82f3 100644 +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1780,7 +1780,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy, + mutex_unlock(&di->lock); + + if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0) +- return -ENODEV; ++ return di->cache.flags; + + switch (psp) { + case POWER_SUPPLY_PROP_STATUS: +diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c +index 08c7e2b4155ad..bf235d0a96033 100644 +--- a/drivers/power/supply/bq27xxx_battery_i2c.c ++++ b/drivers/power/supply/bq27xxx_battery_i2c.c +@@ -14,6 +14,7 @@ + * GNU General Public License for more details. + */ + ++#include + #include + #include + #include +@@ -40,6 +41,7 @@ static int bq27xxx_battery_i2c_read(struct bq27xxx_device_info *di, u8 reg, + struct i2c_msg msg[2]; + u8 data[2]; + int ret; ++ int retry = 0; + + if (!client->adapter) + return -ENODEV; +@@ -56,7 +58,16 @@ static int bq27xxx_battery_i2c_read(struct bq27xxx_device_info *di, u8 reg, + else + msg[1].len = 2; + +- ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg)); ++ do { ++ ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg)); ++ if (ret == -EBUSY && ++retry < 3) { ++ /* sleep 10 milliseconds when busy */ ++ usleep_range(10000, 11000); ++ continue; ++ } ++ break; ++ } while (1); ++ + if (ret < 0) + return ret; + +-- +2.39.5 + diff --git a/queue-5.4/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch b/queue-5.4/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch new file mode 100644 index 0000000000..2ec984889e --- /dev/null +++ b/queue-5.4/powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch @@ -0,0 +1,67 @@ +From 93407fd2858ff43dcf6fbd946f0e6fbe284300b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 02:29:28 -0400 +Subject: powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH + recovery + +From: Narayana Murty N + +[ Upstream commit 33bc69cf6655cf60829a803a45275f11a74899e5 ] + +VFIO EEH recovery for PCI passthrough devices fails on PowerNV and pseries +platforms due to missing host-side PE bridge reconfiguration. In the +current implementation, eeh_pe_configure() only performs RTAS or OPAL-based +bridge reconfiguration for native host devices, but skips it entirely for +PEs managed through VFIO in guest passthrough scenarios. + +This leads to incomplete EEH recovery when a PCI error affects a +passthrough device assigned to a QEMU/KVM guest. Although VFIO triggers the +EEH recovery flow through VFIO_EEH_PE_ENABLE ioctl, the platform-specific +bridge reconfiguration step is silently bypassed. As a result, the PE's +config space is not fully restored, causing subsequent config space access +failures or EEH freeze-on-access errors inside the guest. + +This patch fixes the issue by ensuring that eeh_pe_configure() always +invokes the platform's configure_bridge() callback (e.g., +pseries_eeh_phb_configure_bridge) even for VFIO-managed PEs. This ensures +that RTAS or OPAL calls to reconfigure the PE bridge are correctly issued +on the host side, restoring the PE's configuration space after an EEH +event. + +This fix is essential for reliable EEH recovery in QEMU/KVM guests using +VFIO PCI passthrough on PowerNV and pseries systems. + +Tested with: +- QEMU/KVM guest using VFIO passthrough (IBM Power9,(lpar)Power11 host) +- Injected EEH errors with pseries EEH errinjct tool on host, recovery + verified on qemu guest. +- Verified successful config space access and CAP_EXP DevCtl restoration + after recovery + +Fixes: 212d16cdca2d ("powerpc/eeh: EEH support for VFIO PCI device") +Signed-off-by: Narayana Murty N +Reviewed-by: Vaibhav Jain +Reviewed-by: Ganesh Goudar +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250508062928.146043-1-nnmlinux@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c +index 8b0e523b2abbe..301654971b32c 100644 +--- a/arch/powerpc/kernel/eeh.c ++++ b/arch/powerpc/kernel/eeh.c +@@ -1723,6 +1723,8 @@ int eeh_pe_configure(struct eeh_pe *pe) + /* Invalid PE ? */ + if (!pe) + return -ENODEV; ++ else ++ ret = eeh_ops->configure_bridge(pe); + + return ret; + } +-- +2.39.5 + diff --git a/queue-5.4/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch b/queue-5.4/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch new file mode 100644 index 0000000000..794a7f9ea3 --- /dev/null +++ b/queue-5.4/revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch @@ -0,0 +1,112 @@ +From 54f97701826024d5a5ce28f4eccedd29f5a623ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 11:06:34 +0200 +Subject: Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect + devices first" + +From: Alexander Sverdlin + +[ Upstream commit 36305857b1ead8f6ca033a913162ebc09bee0b43 ] + +This reverts commit 4700a00755fb5a4bb5109128297d6fd2d1272ee6. + +It breaks target-module@2b300050 ("ti,sysc-omap2") probe on AM62x in a case +when minimally-configured system tries to network-boot: + +[ 6.888776] probe of 2b300050.target-module returned 517 after 258 usecs +[ 17.129637] probe of 2b300050.target-module returned 517 after 708 usecs +[ 17.137397] platform 2b300050.target-module: deferred probe pending: (reason unknown) +[ 26.878471] Waiting up to 100 more seconds for network. + +There are minimal configurations possible when the deferred device is not +being probed any more (because everything else has been successfully +probed) and deferral lists are not processed any more. + +Stable mmc enumeration can be achieved by filling /aliases node properly +(4700a00755fb commit's rationale). + +After revert: + +[ 9.006816] IP-Config: Complete: +[ 9.010058] device=lan0, ... + +Tested-by: Andreas Kemnade # GTA04, Panda, BT200 +Reviewed-by: Tony Lindgren +Signed-off-by: Alexander Sverdlin +Link: https://lore.kernel.org/r/20250401090643.2776793-1-alexander.sverdlin@siemens.com +Signed-off-by: Kevin Hilman +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 49 ------------------------------------------- + 1 file changed, 49 deletions(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 70339f73181ea..5d27c43222fa4 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -602,51 +602,6 @@ static int sysc_parse_and_check_child_range(struct sysc *ddata) + return 0; + } + +-/* Interconnect instances to probe before l4_per instances */ +-static struct resource early_bus_ranges[] = { +- /* am3/4 l4_wkup */ +- { .start = 0x44c00000, .end = 0x44c00000 + 0x300000, }, +- /* omap4/5 and dra7 l4_cfg */ +- { .start = 0x4a000000, .end = 0x4a000000 + 0x300000, }, +- /* omap4 l4_wkup */ +- { .start = 0x4a300000, .end = 0x4a300000 + 0x30000, }, +- /* omap5 and dra7 l4_wkup without dra7 dcan segment */ +- { .start = 0x4ae00000, .end = 0x4ae00000 + 0x30000, }, +-}; +- +-static atomic_t sysc_defer = ATOMIC_INIT(10); +- +-/** +- * sysc_defer_non_critical - defer non_critical interconnect probing +- * @ddata: device driver data +- * +- * We want to probe l4_cfg and l4_wkup interconnect instances before any +- * l4_per instances as l4_per instances depend on resources on l4_cfg and +- * l4_wkup interconnects. +- */ +-static int sysc_defer_non_critical(struct sysc *ddata) +-{ +- struct resource *res; +- int i; +- +- if (!atomic_read(&sysc_defer)) +- return 0; +- +- for (i = 0; i < ARRAY_SIZE(early_bus_ranges); i++) { +- res = &early_bus_ranges[i]; +- if (ddata->module_pa >= res->start && +- ddata->module_pa <= res->end) { +- atomic_set(&sysc_defer, 0); +- +- return 0; +- } +- } +- +- atomic_dec_if_positive(&sysc_defer); +- +- return -EPROBE_DEFER; +-} +- + static struct device_node *stdout_path; + + static void sysc_init_stdout_path(struct sysc *ddata) +@@ -871,10 +826,6 @@ static int sysc_map_and_check_registers(struct sysc *ddata) + if (error) + return error; + +- error = sysc_defer_non_critical(ddata); +- if (error) +- return error; +- + sysc_check_children(ddata); + + error = sysc_parse_registers(ddata); +-- +2.39.5 + diff --git a/queue-5.4/scsi-lpfc-use-memcpy-for-bios-version.patch b/queue-5.4/scsi-lpfc-use-memcpy-for-bios-version.patch new file mode 100644 index 0000000000..22f5318608 --- /dev/null +++ b/queue-5.4/scsi-lpfc-use-memcpy-for-bios-version.patch @@ -0,0 +1,47 @@ +From ca29c4a1fc0436057ad33b1ca57ac233b54b1ef3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 13:34:22 +0200 +Subject: scsi: lpfc: Use memcpy() for BIOS version + +From: Daniel Wagner + +[ Upstream commit ae82eaf4aeea060bb736c3e20c0568b67c701d7d ] + +The strlcat() with FORTIFY support is triggering a panic because it +thinks the target buffer will overflow although the correct target +buffer size is passed in. + +Anyway, instead of memset() with 0 followed by a strlcat(), just use +memcpy() and ensure that the resulting buffer is NULL terminated. + +BIOSVersion is only used for the lpfc_printf_log() which expects a +properly terminated string. + +Signed-off-by: Daniel Wagner +Link: https://lore.kernel.org/r/20250409-fix-lpfc-bios-str-v1-1-05dac9e51e13@kernel.org +Reviewed-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_sli.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 04b9a94f2f5e5..e1ef28d9a89e9 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -5407,9 +5407,9 @@ lpfc_sli4_get_ctl_attr(struct lpfc_hba *phba) + phba->sli4_hba.lnk_info.lnk_no = + bf_get(lpfc_cntl_attr_lnk_numb, cntl_attr); + +- memset(phba->BIOSVersion, 0, sizeof(phba->BIOSVersion)); +- strlcat(phba->BIOSVersion, (char *)cntl_attr->bios_ver_str, ++ memcpy(phba->BIOSVersion, cntl_attr->bios_ver_str, + sizeof(phba->BIOSVersion)); ++ phba->BIOSVersion[sizeof(phba->BIOSVersion) - 1] = '\0'; + + lpfc_printf_log(phba, KERN_INFO, LOG_SLI, + "3086 lnk_type:%d, lnk_numb:%d, bios_ver:%s\n", +-- +2.39.5 + diff --git a/queue-5.4/sctp-do-not-wake-readers-in-__sctp_write_space.patch b/queue-5.4/sctp-do-not-wake-readers-in-__sctp_write_space.patch new file mode 100644 index 0000000000..54e3b45ce4 --- /dev/null +++ b/queue-5.4/sctp-do-not-wake-readers-in-__sctp_write_space.patch @@ -0,0 +1,42 @@ +From 28b08981354b9d3169d43ecd444463ae93bfdedd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 10:17:28 +0200 +Subject: sctp: Do not wake readers in __sctp_write_space() + +From: Petr Malat + +[ Upstream commit af295892a7abbf05a3c2ba7abc4d81bb448623d6 ] + +Function __sctp_write_space() doesn't set poll key, which leads to +ep_poll_callback() waking up all waiters, not only these waiting +for the socket being writable. Set the key properly using +wake_up_interruptible_poll(), which is preferred over the sync +variant, as writers are not woken up before at least half of the +queue is available. Also, TCP does the same. + +Signed-off-by: Petr Malat +Acked-by: Xin Long +Link: https://patch.msgid.link/20250516081727.1361451-1-oss@malat.biz +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index d7257eec66b1c..1ac05147dc304 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -8946,7 +8946,8 @@ static void __sctp_write_space(struct sctp_association *asoc) + wq = rcu_dereference(sk->sk_wq); + if (wq) { + if (waitqueue_active(&wq->wait)) +- wake_up_interruptible(&wq->wait); ++ wake_up_interruptible_poll(&wq->wait, EPOLLOUT | ++ EPOLLWRNORM | EPOLLWRBAND); + + /* Note that we try to include the Async I/O support + * here by modeling from the current TCP/UDP code. +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index dc09eb1b11..474d04d020 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -132,3 +132,56 @@ uio_hv_generic-use-correct-size-for-interrupt-and-monitor-pages.patch pci-add-acs-quirk-for-loongson-pcie.patch pci-fix-lock-symmetry-in-pci_slot_unlock.patch iio-adc-ad7606_spi-fix-reg-write-value-mask.patch +acpica-fix-acpi-operand-cache-leak-in-dswstate.c.patch +acpica-avoid-sequence-overread-in-call-to-strncmp.patch +acpica-fix-acpi-parse-and-parseext-cache-leaks.patch +power-supply-bq27xxx-retrieve-again-when-busy.patch +pm-runtime-fix-denying-of-auto-suspend-in-pm_suspend.patch +acpi-battery-negate-current-when-discharging.patch +drm-amdgpu-gfx6-fix-csib-handling.patch +sunrpc-update-nextcheck-time-when-adding-new-cache-e.patch +drm-bridge-analogix_dp-add-irq-flag-irqf_no_autoen-i.patch +drm-msm-hdmi-add-runtime-pm-calls-to-ddc-transfer-fu.patch +media-uapi-v4l-fix-v4l2_type_is_output-condition.patch +drm-amd-display-add-null-pointer-checks-in-dm_force_.patch +drm-msm-a6xx-increase-hfi-response-timeout.patch +drm-amdgpu-gfx10-fix-csib-handling.patch +drm-amdgpu-gfx7-fix-csib-handling.patch +jfs-fix-array-index-out-of-bounds-read-in-add_missin.patch +drm-amdgpu-gfx8-fix-csib-handling.patch +drm-amdgpu-gfx9-fix-csib-handling.patch +jfs-fix-null-ptr-deref-in-jfs_ioc_trim.patch +drm-amdkfd-set-sdma_rlcx_ib_cntl-switch_inside_ib.patch +media-tc358743-ignore-video-while-hpd-is-low.patch +media-platform-exynos4-is-add-hardware-sync-wait-to-.patch +nios2-force-update_mmu_cache-on-spurious-tlb-permiss.patch +gpio-pxa-make-irq_chip-immutable.patch +cpufreq-force-sync-policy-boost-with-global-boost-on.patch +net-macb-check-return-value-of-dma_set_mask_and_cohe.patch +i2c-designware-invoke-runtime-suspend-on-quick-slave.patch +emulex-benet-correct-command-version-selection-in-be.patch +sctp-do-not-wake-readers-in-__sctp_write_space.patch +net-dlink-add-synchronization-for-stats-update.patch +tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch +tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch +ipv4-route-use-this_cpu_inc-for-stats-on-preempt_rt.patch +openvswitch-stricter-validation-for-the-userspace-ac.patch +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-32495 +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-23419 +pinctrl-armada-37xx-propagate-error-from-armada_37xx.patch-31110 +net-mlx4-add-sof_timestamping_tx_software-flag-when-.patch +wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch +clk-rockchip-rk3036-mark-ddrphy-as-critical.patch +vxlan-do-not-treat-dst-cache-initialization-errors-a.patch +scsi-lpfc-use-memcpy-for-bios-version.patch +sock-correct-error-checking-condition-for-assign-rel.patch +i40e-fix-mmio-write-access-to-an-invalid-page-in-i40.patch +watchdog-da9052_wdt-respect-twdmin.patch +bus-fsl-mc-increase-mc_cmd_completion_timeout_ms-val.patch +arm-omap2-fix-l4ls-clk-domain-handling-in-standby.patch +tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch +revert-bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-inte.patch +platform-add-surface-platform-directory.patch +platform-x86-dell_rbu-stop-overwriting-data-buffer.patch +powerpc-eeh-fix-missing-pe-bridge-reconfiguration-du.patch diff --git a/queue-5.4/sock-correct-error-checking-condition-for-assign-rel.patch b/queue-5.4/sock-correct-error-checking-condition-for-assign-rel.patch new file mode 100644 index 0000000000..4b1c017e36 --- /dev/null +++ b/queue-5.4/sock-correct-error-checking-condition-for-assign-rel.patch @@ -0,0 +1,49 @@ +From 3105838b6e2ebb2d82a17769b64895ace8b9ec9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 09:01:27 +0800 +Subject: sock: Correct error checking condition for + (assign|release)_proto_idx() + +From: Zijun Hu + +[ Upstream commit faeefc173be40512341b102cf1568aa0b6571acd ] + +(assign|release)_proto_idx() wrongly check find_first_zero_bit() failure +by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously. + +Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)' + +Signed-off-by: Zijun Hu +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20250410-fix_net-v2-1-d69e7c5739a4@quicinc.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index a8359770fd93a..418d0857d2aaa 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -3370,7 +3370,7 @@ static int assign_proto_idx(struct proto *prot) + { + prot->inuse_idx = find_first_zero_bit(proto_inuse_idx, PROTO_INUSE_NR); + +- if (unlikely(prot->inuse_idx == PROTO_INUSE_NR - 1)) { ++ if (unlikely(prot->inuse_idx == PROTO_INUSE_NR)) { + pr_err("PROTO_INUSE_NR exhausted\n"); + return -ENOSPC; + } +@@ -3381,7 +3381,7 @@ static int assign_proto_idx(struct proto *prot) + + static void release_proto_idx(struct proto *prot) + { +- if (prot->inuse_idx != PROTO_INUSE_NR - 1) ++ if (prot->inuse_idx != PROTO_INUSE_NR) + clear_bit(prot->inuse_idx, proto_inuse_idx); + } + #else +-- +2.39.5 + diff --git a/queue-5.4/sunrpc-update-nextcheck-time-when-adding-new-cache-e.patch b/queue-5.4/sunrpc-update-nextcheck-time-when-adding-new-cache-e.patch new file mode 100644 index 0000000000..86af0861ad --- /dev/null +++ b/queue-5.4/sunrpc-update-nextcheck-time-when-adding-new-cache-e.patch @@ -0,0 +1,52 @@ +From c0856b07f9c52bd9e723de65a5a305ac0e192bb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Mar 2025 14:48:35 +0800 +Subject: sunrpc: update nextcheck time when adding new cache entries + +From: Long Li + +[ Upstream commit 5ca00634c8bbb2979c73465588f486b9632f5ed5 ] + +The cache_detail structure uses a "nextcheck" field to control hash table +scanning intervals. When a table scan begins, nextcheck is set to current +time plus 1800 seconds. During scanning, if cache_detail is not empty and +a cache entry's expiry time is earlier than the current nextcheck, the +nextcheck is updated to that expiry time. + +This mechanism ensures that: +1) Empty cache_details are scanned every 1800 seconds to avoid unnecessary + scans +2) Non-empty cache_details are scanned based on the earliest expiry time + found + +However, when adding a new cache entry to an empty cache_detail, the +nextcheck time was not being updated, remaining at 1800 seconds. This +could delay cache cleanup for up to 1800 seconds, potentially blocking +threads(such as nfsd) that are waiting for cache cleanup. + +Fix this by updating the nextcheck time whenever a new cache entry is +added. + +Signed-off-by: Long Li +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + net/sunrpc/cache.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c +index 2215314dc4c5d..47623d49fa3a6 100644 +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -114,6 +114,8 @@ static struct cache_head *sunrpc_cache_add_entry(struct cache_detail *detail, + + hlist_add_head_rcu(&new->cache_list, head); + detail->entries++; ++ if (detail->nextcheck > new->expiry_time) ++ detail->nextcheck = new->expiry_time + 1; + cache_get(new); + spin_unlock(&detail->hash_lock); + +-- +2.39.5 + diff --git a/queue-5.4/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch b/queue-5.4/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch new file mode 100644 index 0000000000..d7ddde9456 --- /dev/null +++ b/queue-5.4/tcp-always-seek-for-minimal-rtt-in-tcp_rcv_rtt_updat.patch @@ -0,0 +1,71 @@ +From 33ce62dd3a0afd9debcef2ee9800243c83e5e799 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 19:39:15 +0000 +Subject: tcp: always seek for minimal rtt in tcp_rcv_rtt_update() + +From: Eric Dumazet + +[ Upstream commit b879dcb1aeeca278eacaac0b1e2425b1c7599f9f ] + +tcp_rcv_rtt_update() goal is to maintain an estimation of the RTT +in tp->rcv_rtt_est.rtt_us, used by tcp_rcv_space_adjust() + +When TCP TS are enabled, tcp_rcv_rtt_update() is using +EWMA to smooth the samples. + +Change this to immediately latch the incoming value if it +is lower than tp->rcv_rtt_est.rtt_us, so that tcp_rcv_space_adjust() +does not overshoot tp->rcvq_space.space and sk->sk_rcvbuf. + +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250513193919.1089692-8-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 22 ++++++++-------------- + 1 file changed, 8 insertions(+), 14 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 5923261312912..d07aa23943c13 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -539,10 +539,12 @@ EXPORT_SYMBOL(tcp_initialize_rcv_mss); + */ + static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep) + { +- u32 new_sample = tp->rcv_rtt_est.rtt_us; +- long m = sample; ++ u32 new_sample, old_sample = tp->rcv_rtt_est.rtt_us; ++ long m = sample << 3; + +- if (new_sample != 0) { ++ if (old_sample == 0 || m < old_sample) { ++ new_sample = m; ++ } else { + /* If we sample in larger samples in the non-timestamp + * case, we could grossly overestimate the RTT especially + * with chatty applications or bulk transfer apps which +@@ -553,17 +555,9 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep) + * else with timestamps disabled convergence takes too + * long. + */ +- if (!win_dep) { +- m -= (new_sample >> 3); +- new_sample += m; +- } else { +- m <<= 3; +- if (m < new_sample) +- new_sample = m; +- } +- } else { +- /* No previous measure. */ +- new_sample = m << 3; ++ if (win_dep) ++ return; ++ new_sample = old_sample - (old_sample >> 3) + sample; + } + + tp->rcv_rtt_est.rtt_us = new_sample; +-- +2.39.5 + diff --git a/queue-5.4/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch b/queue-5.4/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch new file mode 100644 index 0000000000..e808f8dda1 --- /dev/null +++ b/queue-5.4/tcp-fix-initial-tp-rcvq_space.space-value-for-passiv.patch @@ -0,0 +1,52 @@ +From 5c8713edc09fc9a1565710f32f271368e3972693 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 19:39:14 +0000 +Subject: tcp: fix initial tp->rcvq_space.space value for passive TS enabled + flows + +From: Eric Dumazet + +[ Upstream commit cd171461b90a2d2cf230943df60d580174633718 ] + +tcp_rcv_state_process() must tweak tp->advmss for TS enabled flows +before the call to tcp_init_transfer() / tcp_init_buffer_space(). + +Otherwise tp->rcvq_space.space is off by 120 bytes +(TCP_INIT_CWND * TCPOLEN_TSTAMP_ALIGNED). + +Signed-off-by: Eric Dumazet +Reviewed-by: Wei Wang +Link: https://patch.msgid.link/20250513193919.1089692-7-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_input.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index d07aa23943c13..2378d561d171d 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -6333,6 +6333,9 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + if (!tp->srtt_us) + tcp_synack_rtt_meas(sk, req); + ++ if (tp->rx_opt.tstamp_ok) ++ tp->advmss -= TCPOLEN_TSTAMP_ALIGNED; ++ + if (req) { + tcp_rcv_synrecv_state_fastopen(sk); + } else { +@@ -6356,9 +6359,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb) + tp->snd_wnd = ntohs(th->window) << tp->rx_opt.snd_wscale; + tcp_init_wl(tp, TCP_SKB_CB(skb)->seq); + +- if (tp->rx_opt.tstamp_ok) +- tp->advmss -= TCPOLEN_TSTAMP_ALIGNED; +- + if (!inet_csk(sk)->icsk_ca_ops->cong_control) + tcp_update_pacing_rate(sk); + +-- +2.39.5 + diff --git a/queue-5.4/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch b/queue-5.4/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch new file mode 100644 index 0000000000..ad56c62932 --- /dev/null +++ b/queue-5.4/tee-prevent-size-calculation-wraparound-on-32-bit-ke.patch @@ -0,0 +1,87 @@ +From 803551f605695816d65ef26577b11447bbdafa7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 15:06:43 +0200 +Subject: tee: Prevent size calculation wraparound on 32-bit kernels + +From: Jann Horn + +[ Upstream commit 39bb67edcc582b3b386a9ec983da67fa8a10ec03 ] + +The current code around TEE_IOCTL_PARAM_SIZE() is a bit wrong on +32-bit kernels: Multiplying a user-provided 32-bit value with the +size of a structure can wrap around on such platforms. + +Fix it by using saturating arithmetic for the size calculation. + +This has no security consequences because, in all users of +TEE_IOCTL_PARAM_SIZE(), the subsequent kcalloc() implicitly checks +for wrapping. + +Signed-off-by: Jann Horn +Signed-off-by: Jens Wiklander +Tested-by: Rouven Czerwinski +Signed-off-by: Sasha Levin +--- + drivers/tee/tee_core.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/tee/tee_core.c b/drivers/tee/tee_core.c +index 2db144d2d26f3..357944bc73b19 100644 +--- a/drivers/tee/tee_core.c ++++ b/drivers/tee/tee_core.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -16,7 +17,7 @@ + + #define TEE_NUM_DEVICES 32 + +-#define TEE_IOCTL_PARAM_SIZE(x) (sizeof(struct tee_param) * (x)) ++#define TEE_IOCTL_PARAM_SIZE(x) (size_mul(sizeof(struct tee_param), (x))) + + /* + * Unprivileged devices in the lower half range and privileged devices in +@@ -327,7 +328,7 @@ static int tee_ioctl_open_session(struct tee_context *ctx, + if (copy_from_user(&arg, uarg, sizeof(arg))) + return -EFAULT; + +- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) ++ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) + return -EINVAL; + + if (arg.num_params) { +@@ -398,7 +399,7 @@ static int tee_ioctl_invoke(struct tee_context *ctx, + if (copy_from_user(&arg, uarg, sizeof(arg))) + return -EFAULT; + +- if (sizeof(arg) + TEE_IOCTL_PARAM_SIZE(arg.num_params) != buf.buf_len) ++ if (size_add(sizeof(arg), TEE_IOCTL_PARAM_SIZE(arg.num_params)) != buf.buf_len) + return -EINVAL; + + if (arg.num_params) { +@@ -532,7 +533,7 @@ static int tee_ioctl_supp_recv(struct tee_context *ctx, + if (get_user(num_params, &uarg->num_params)) + return -EFAULT; + +- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) != buf.buf_len) ++ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) != buf.buf_len) + return -EINVAL; + + params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); +@@ -631,7 +632,7 @@ static int tee_ioctl_supp_send(struct tee_context *ctx, + get_user(num_params, &uarg->num_params)) + return -EFAULT; + +- if (sizeof(*uarg) + TEE_IOCTL_PARAM_SIZE(num_params) > buf.buf_len) ++ if (size_add(sizeof(*uarg), TEE_IOCTL_PARAM_SIZE(num_params)) > buf.buf_len) + return -EINVAL; + + params = kcalloc(num_params, sizeof(struct tee_param), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-5.4/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch b/queue-5.4/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch new file mode 100644 index 0000000000..c4cf7a808f --- /dev/null +++ b/queue-5.4/vxlan-do-not-treat-dst-cache-initialization-errors-a.patch @@ -0,0 +1,75 @@ +From 2b9c6753c9b35c06952583aae7a404942dfaa506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 15:11:41 +0300 +Subject: vxlan: Do not treat dst cache initialization errors as fatal + +From: Ido Schimmel + +[ Upstream commit 20c76dadc783759fd3819d289c72be590660cc8b ] + +FDB entries are allocated in an atomic context as they can be added from +the data path when learning is enabled. + +After converting the FDB hash table to rhashtable, the insertion rate +will be much higher (*) which will entail a much higher rate of per-CPU +allocations via dst_cache_init(). + +When adding a large number of entries (e.g., 256k) in a batch, a small +percentage (< 0.02%) of these per-CPU allocations will fail [1]. This +does not happen with the current code since the insertion rate is low +enough to give the per-CPU allocator a chance to asynchronously create +new chunks of per-CPU memory. + +Given that: + +a. Only a small percentage of these per-CPU allocations fail. + +b. The scenario where this happens might not be the most realistic one. + +c. The driver can work correctly without dst caches. The dst_cache_*() +APIs first check that the dst cache was properly initialized. + +d. The dst caches are not always used (e.g., 'tos inherit'). + +It seems reasonable to not treat these allocation failures as fatal. + +Therefore, do not bail when dst_cache_init() fails and suppress warnings +by specifying '__GFP_NOWARN'. + +[1] percpu: allocation failed, size=40 align=8 atomic=1, atomic alloc failed, no space left + +(*) 97% reduction in average latency of vxlan_fdb_update() when adding +256k entries in a batch. + +Reviewed-by: Petr Machata +Signed-off-by: Ido Schimmel +Link: https://patch.msgid.link/20250415121143.345227-14-idosch@nvidia.com +Reviewed-by: Nikolay Aleksandrov +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 7105ac37f341e..18844bac9375e 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -681,10 +681,10 @@ static int vxlan_fdb_append(struct vxlan_fdb *f, + if (rd == NULL) + return -ENOMEM; + +- if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) { +- kfree(rd); +- return -ENOMEM; +- } ++ /* The driver can work correctly without a dst cache, so do not treat ++ * dst cache initialization errors as fatal. ++ */ ++ dst_cache_init(&rd->dst_cache, GFP_ATOMIC | __GFP_NOWARN); + + rd->remote_ip = *ip; + rd->remote_port = port; +-- +2.39.5 + diff --git a/queue-5.4/watchdog-da9052_wdt-respect-twdmin.patch b/queue-5.4/watchdog-da9052_wdt-respect-twdmin.patch new file mode 100644 index 0000000000..45e7563d96 --- /dev/null +++ b/queue-5.4/watchdog-da9052_wdt-respect-twdmin.patch @@ -0,0 +1,39 @@ +From d9b3e801c940e215812477aac29768e8282f1000 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Mar 2025 09:29:51 +0100 +Subject: watchdog: da9052_wdt: respect TWDMIN + +From: Marcus Folkesson + +[ Upstream commit 325f510fcd9cda5a44bcb662b74ba4e3dabaca10 ] + +We have to wait at least the minimium time for the watchdog window +(TWDMIN) before writings to the wdt register after the +watchdog is activated. +Otherwise the chip will assert TWD_ERROR and power down to reset mode. + +Signed-off-by: Marcus Folkesson +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250326-da9052-fixes-v3-4-a38a560fef0e@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/da9052_wdt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/watchdog/da9052_wdt.c b/drivers/watchdog/da9052_wdt.c +index d708c091bf1b1..180526220d8c4 100644 +--- a/drivers/watchdog/da9052_wdt.c ++++ b/drivers/watchdog/da9052_wdt.c +@@ -164,6 +164,7 @@ static int da9052_wdt_probe(struct platform_device *pdev) + da9052_wdt = &driver_data->wdt; + + da9052_wdt->timeout = DA9052_DEF_TIMEOUT; ++ da9052_wdt->min_hw_heartbeat_ms = DA9052_TWDMIN; + da9052_wdt->info = &da9052_wdt_info; + da9052_wdt->ops = &da9052_wdt_ops; + da9052_wdt->parent = dev; +-- +2.39.5 + diff --git a/queue-5.4/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch b/queue-5.4/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch new file mode 100644 index 0000000000..93cc11d778 --- /dev/null +++ b/queue-5.4/wifi-mac80211-do-not-offer-a-mesh-path-if-forwarding.patch @@ -0,0 +1,67 @@ +From a2379a5a873b1ada2a44a64fdad91e0900ca9286 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Apr 2025 21:10:42 +0200 +Subject: wifi: mac80211: do not offer a mesh path if forwarding is disabled + +From: Benjamin Berg + +[ Upstream commit cf1b684a06170d253b47d6a5287821de976435bd ] + +When processing a PREQ the code would always check whether we have a +mesh path locally and reply accordingly. However, when forwarding is +disabled then we should not reply with this information as we will not +forward data packets down that path. + +Move the check for dot11MeshForwarding up in the function and skip the +mesh path lookup in that case. In the else block, set forward to false +so that the rest of the function becomes a no-op and the +dot11MeshForwarding check does not need to be duplicated. + +This explains an effect observed in the Freifunk community where mesh +forwarding is disabled. In that case a mesh with three STAs and only bad +links in between them, individual STAs would occionally have indirect +mpath entries. This should not have happened. + +Signed-off-by: Benjamin Berg +Reviewed-by: Rouven Czerwinski +Link: https://patch.msgid.link/20250430191042.3287004-1-benjamin@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mesh_hwmp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c +index 295f98b4502e0..ae1c700dc82e8 100644 +--- a/net/mac80211/mesh_hwmp.c ++++ b/net/mac80211/mesh_hwmp.c +@@ -620,7 +620,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + mesh_path_add_gate(mpath); + } + rcu_read_unlock(); +- } else { ++ } else if (ifmsh->mshcfg.dot11MeshForwarding) { + rcu_read_lock(); + mpath = mesh_path_lookup(sdata, target_addr); + if (mpath) { +@@ -638,6 +638,8 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + } + } + rcu_read_unlock(); ++ } else { ++ forward = false; + } + + if (reply) { +@@ -655,7 +657,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata, + } + } + +- if (forward && ifmsh->mshcfg.dot11MeshForwarding) { ++ if (forward) { + u32 preq_id; + u8 hopcount; + +-- +2.39.5 +