From: Sasha Levin Date: Tue, 10 Jun 2025 11:54:37 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.6.94~74 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f06e9bc00d8db21b3e57a28e76acfc8d209ae7a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch b/queue-5.10/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch new file mode 100644 index 0000000000..e645f45e1c --- /dev/null +++ b/queue-5.10/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch @@ -0,0 +1,44 @@ +From 30575c3e126645cd005030c84cd3214705ea8110 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 18:54:54 +0200 +Subject: ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" + +From: Armin Wolf + +[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ] + +As specified in section 5.7.2 of the ACPI specification the feature +group string "3.0 _SCP Extensions" implies that the operating system +evaluates the _SCP control method with additional parameters. + +However the ACPI thermal driver evaluates the _SCP control method +without those additional parameters, conflicting with the above +feature group string advertised to the firmware thru _OSI. + +Stop advertising support for this feature string to avoid confusing +the ACPI firmware. + +Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osi.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c +index 9f68538091384..d93409f2b2a07 100644 +--- a/drivers/acpi/osi.c ++++ b/drivers/acpi/osi.c +@@ -42,7 +42,6 @@ static struct acpi_osi_entry + osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = { + {"Module Device", true}, + {"Processor Device", true}, +- {"3.0 _SCP Extensions", true}, + {"Processor Aggregator Device", true}, + /* + * Linux-Dell-Video is used by BIOS to disable RTD3 for NVidia graphics +-- +2.39.5 + diff --git a/queue-5.10/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch b/queue-5.10/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch new file mode 100644 index 0000000000..10f2cc21c4 --- /dev/null +++ b/queue-5.10/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch @@ -0,0 +1,67 @@ +From 7869608ff607d16fa32666ab4f0f72fcd480a0ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 23:04:46 +0200 +Subject: ARM: dts: at91: at91sam9263: fix NAND chip selects + +From: Wolfram Sang + +[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ] + +NAND did not work on my USB-A9263. I discovered that the offending +commit converted the PIO bank for chip selects wrongly, so all A9263 +boards need to be fixed. + +Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings") +Signed-off-by: Wolfram Sang +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91sam9263ek.dts | 2 +- + arch/arm/boot/dts/tny_a9263.dts | 2 +- + arch/arm/boot/dts/usb_a9263.dts | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/at91sam9263ek.dts b/arch/arm/boot/dts/at91sam9263ek.dts +index 71f60576761a0..df206bdb67883 100644 +--- a/arch/arm/boot/dts/at91sam9263ek.dts ++++ b/arch/arm/boot/dts/at91sam9263ek.dts +@@ -148,7 +148,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +diff --git a/arch/arm/boot/dts/tny_a9263.dts b/arch/arm/boot/dts/tny_a9263.dts +index 62b7d9f9a926c..c8b6318aaa838 100644 +--- a/arch/arm/boot/dts/tny_a9263.dts ++++ b/arch/arm/boot/dts/tny_a9263.dts +@@ -64,7 +64,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts +index d1c07503ff76f..87a5f96014e01 100644 +--- a/arch/arm/boot/dts/usb_a9263.dts ++++ b/arch/arm/boot/dts/usb_a9263.dts +@@ -84,7 +84,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +-- +2.39.5 + diff --git a/queue-5.10/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch b/queue-5.10/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch new file mode 100644 index 0000000000..73c737732c --- /dev/null +++ b/queue-5.10/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch @@ -0,0 +1,39 @@ +From e1fc9a805d8749a07bef714cefcea739809b57c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 13:27:43 +0200 +Subject: ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select + +From: Wolfram Sang + +[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ] + +Dataflash did not work on my board. After checking schematics and using +the proper GPIO, it works now. Also, make it active low to avoid: + +flash@0 enforce active low on GPIO handle + +Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support") +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/usb_a9263.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts +index 8a0cfbfd0c452..d1c07503ff76f 100644 +--- a/arch/arm/boot/dts/usb_a9263.dts ++++ b/arch/arm/boot/dts/usb_a9263.dts +@@ -58,7 +58,7 @@ + }; + + spi0: spi@fffa4000 { +- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>; + status = "okay"; + mtd_dataflash@0 { + compatible = "atmel,at45", "atmel,dataflash"; +-- +2.39.5 + diff --git a/queue-5.10/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch b/queue-5.10/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch new file mode 100644 index 0000000000..b21464c0ef --- /dev/null +++ b/queue-5.10/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch @@ -0,0 +1,58 @@ +From 8d638df22497e35dea243d16a276d1027954a6d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 15:22:00 +0200 +Subject: ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon + device + +From: Dmitry Baryshkov + +[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ] + +Follow up the expected way of describing the SFPB hwspinlock and merge +hwspinlock node into corresponding syscon node, fixing several dt-schema +warnings. + +Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi +index 3f1002c34446c..ba6cc81684c86 100644 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -211,12 +211,6 @@ + }; + }; + +- sfpb_mutex: hwmutex { +- compatible = "qcom,sfpb-mutex"; +- syscon = <&sfpb_wrapper_mutex 0x604 0x4>; +- #hwlock-cells = <1>; +- }; +- + smem { + compatible = "qcom,smem"; + memory-region = <&smem_region>; +@@ -360,9 +354,10 @@ + pinctrl-0 = <&ps_hold>; + }; + +- sfpb_wrapper_mutex: syscon@1200000 { +- compatible = "syscon"; +- reg = <0x01200000 0x8000>; ++ sfpb_mutex: hwmutex@1200600 { ++ compatible = "qcom,sfpb-mutex"; ++ reg = <0x01200600 0x100>; ++ #hwlock-cells = <1>; + }; + + intc: interrupt-controller@2000000 { +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch b/queue-5.10/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch new file mode 100644 index 0000000000..5ab984c94b --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch @@ -0,0 +1,37 @@ +From a8be8935d05dba56730583bc4811d6bd69ae8fcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 20:01:27 -0500 +Subject: arm64: dts: imx8mm-beacon: Fix RTC capacitive load + +From: Adam Ford + +[ Upstream commit 2e98d456666d63f897ba153210bcef9d78ba0f3a ] + +Although not noticeable when used every day, the RTC appears to drift when +left to sit over time. This is due to the capacitive load not being +properly set. Fix RTC drift by correcting the capacitive load setting +from 7000 to 12500, which matches the actual hardware configuration. + +Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit") +Signed-off-by: Adam Ford +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +index b88c3c99b007e..34b2e862b7083 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi +@@ -194,6 +194,7 @@ + rtc@51 { + compatible = "nxp,pcf85263"; + reg = <0x51>; ++ quartz-load-femtofarads = <12500>; + }; + }; + +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch b/queue-5.10/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch new file mode 100644 index 0000000000..68483e6944 --- /dev/null +++ b/queue-5.10/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch @@ -0,0 +1,67 @@ +From 5b9c9c0b71dd7a6dc946b4f344a89cadf0ea0149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 17:18:10 +0200 +Subject: arm64: dts: rockchip: disable unrouted USB controllers and PHY on + RK3399 Puma with Haikou + +From: Quentin Schulz + +[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ] + +The u2phy0_host port is the part of the USB PHY0 (namely the +HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST +controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG +controller (dwc3), which we do use. + +The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply +disable the USB2.0 controllers. + +USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a +while, one of the recurring issues being that only USB2 is detected and +not USB3 in host mode. Reading the justification above and seeing that +we are keeping u2phy0_host in the Haikou carrierboard DTS probably may +have bothered you since it should be changed to u2phy0_otg. The issue is +that if it's switched to that, USB OTG on Haikou is entirely broken. I +have checked the routing in the Gerber file, the lanes are going to the +expected ball pins (that is, NOT HOST0_DP/DM). +u2phy0_host is for sure the wrong part of the PHY to use, but it's the +only one that works at the moment for that board so keep it until we +figure out what exactly is broken. + +No intended functional change. + +[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf + Chapter 2 USB2.0 PHY + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Quentin Schulz +Signed-off-by: Lukasz Czechowski +Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +index 3fc761c8d550a..40be64a37c47d 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +@@ -246,14 +246,6 @@ + status = "okay"; + }; + +-&usb_host0_ehci { +- status = "okay"; +-}; +- +-&usb_host0_ohci { +- status = "okay"; +-}; +- + &vopb { + status = "okay"; + }; +-- +2.39.5 + diff --git a/queue-5.10/backlight-pm8941-add-null-check-in-wled_configure.patch b/queue-5.10/backlight-pm8941-add-null-check-in-wled_configure.patch new file mode 100644 index 0000000000..23fa8471d9 --- /dev/null +++ b/queue-5.10/backlight-pm8941-add-null-check-in-wled_configure.patch @@ -0,0 +1,47 @@ +From 6679d7d3553cab7b158d57be842b40d8c069f46f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 17:16:47 +0800 +Subject: backlight: pm8941: Add NULL check in wled_configure() + +From: Henry Martin + +[ Upstream commit e12d3e1624a02706cdd3628bbf5668827214fa33 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +wled_configure() does not check for this case, which results in a NULL +pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name") +Signed-off-by: Henry Martin +Reviewed-by: Dmitry Baryshkov +Reviewed-by: "Daniel Thompson (RISCstar)" +Link: https://lore.kernel.org/r/20250401091647.22784-1-bsdhenrymartin@gmail.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/qcom-wled.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c +index 486d35da01507..54c4bb66009fc 100644 +--- a/drivers/video/backlight/qcom-wled.c ++++ b/drivers/video/backlight/qcom-wled.c +@@ -1404,9 +1404,11 @@ static int wled_configure(struct wled *wled) + wled->ctrl_addr = be32_to_cpu(*prop_addr); + + rc = of_property_read_string(dev->of_node, "label", &wled->name); +- if (rc) ++ if (rc) { + wled->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFn", dev->of_node); +- ++ if (!wled->name) ++ return -ENOMEM; ++ } + switch (wled->version) { + case 3: + u32_opts = wled3_opts; +-- +2.39.5 + diff --git a/queue-5.10/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch b/queue-5.10/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch new file mode 100644 index 0000000000..4cb2483357 --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch @@ -0,0 +1,40 @@ +From 9ab22c76a96c2e35d1de32f5527f1dd981768545 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 14:53:11 -0400 +Subject: Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION + +From: Luiz Augusto von Dentz + +[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ] + +Depending on the security set the response to L2CAP_LE_CONN_REQ shall be +just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM +is selected since that means security mode 2 which doesn't require +authentication which is something that is covered in the qualification +test L2CAP/LE/CFC/BV-25-C. + +Link: https://github.com/bluez/bluez/issues/1270 +Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index be281a95a0a8b..08d91a3d3460d 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5861,7 +5861,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, + + if (!smp_sufficient_security(conn->hcon, pchan->sec_level, + SMP_ALLOW_STK)) { +- result = L2CAP_CR_LE_AUTHENTICATION; ++ result = pchan->sec_level == BT_SECURITY_MEDIUM ? ++ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION; + chan = NULL; + goto response_unlock; + } +-- +2.39.5 + diff --git a/queue-5.10/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch b/queue-5.10/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch new file mode 100644 index 0000000000..5963a74858 --- /dev/null +++ b/queue-5.10/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch @@ -0,0 +1,86 @@ +From ac85b74905ecafc93ea5dca0c30d51fcfc0ac3f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:27:47 +0800 +Subject: bpf: Fix WARN() in get_bpf_raw_tp_regs + +From: Tao Chen + +[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ] + +syzkaller reported an issue: + +WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 +Modules linked in: +CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 +RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c +RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 +RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 +R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 +R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 +FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline] + bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931 + bpf_prog_ec3b2eefa702d8d3+0x43/0x47 + bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] + __bpf_prog_run include/linux/filter.h:718 [inline] + bpf_prog_run include/linux/filter.h:725 [inline] + __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline] + bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405 + __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47 + __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47 + __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] + trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] + __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35 + __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] + mmap_read_trylock include/linux/mmap_lock.h:204 [inline] + stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157 + __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483 + ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline] + bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496 + ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline] + bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931 + bpf_prog_ec3b2eefa702d8d3+0x43/0x47 + +Tracepoint like trace_mmap_lock_acquire_returned may cause nested call +as the corner case show above, which will be resolved with more general +method in the future. As a result, WARN_ON_ONCE will be triggered. As +Alexei suggested, remove the WARN_ON_ONCE first. + +Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data") +Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com +Suggested-by: Alexei Starovoitov +Signed-off-by: Tao Chen +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev + +Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 6957381b139ce..782e64ff839d5 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1604,7 +1604,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void) + struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs); + int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level); + +- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) { ++ if (nest_level > ARRAY_SIZE(tp_regs->regs)) { + this_cpu_dec(bpf_raw_tp_nest_level); + return ERR_PTR(-EBUSY); + } +-- +2.39.5 + diff --git a/queue-5.10/bus-fsl-mc-fix-double-free-on-mc_dev.patch b/queue-5.10/bus-fsl-mc-fix-double-free-on-mc_dev.patch new file mode 100644 index 0000000000..7da3012919 --- /dev/null +++ b/queue-5.10/bus-fsl-mc-fix-double-free-on-mc_dev.patch @@ -0,0 +1,52 @@ +From b5b7add55ada614c067bf553da8dcb41d65b9228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 13:58:09 +0300 +Subject: bus: fsl-mc: fix double-free on mc_dev + +From: Ioana Ciornei + +[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ] + +The blamed commit tried to simplify how the deallocations are done but, +in the process, introduced a double-free on the mc_dev variable. + +In case the MC device is a DPRC, a new mc_bus is allocated and the +mc_dev variable is just a reference to one of its fields. In this +circumstance, on the error path only the mc_bus should be freed. + +This commit introduces back the following checkpatch warning which is a +false-positive. + +WARNING: kfree(NULL) is safe and this check is probably not required ++ if (mc_bus) ++ kfree(mc_bus); + +Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations") +Signed-off-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com +Signed-off-by: Christophe Leroy +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c +index e329cdd7156c9..9c207f1c19fbd 100644 +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -800,8 +800,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc, + + error_cleanup_dev: + kfree(mc_dev->regions); +- kfree(mc_bus); +- kfree(mc_dev); ++ if (mc_bus) ++ kfree(mc_bus); ++ else ++ kfree(mc_dev); + + return error; + } +-- +2.39.5 + diff --git a/queue-5.10/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch b/queue-5.10/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch new file mode 100644 index 0000000000..8e3b9fc345 --- /dev/null +++ b/queue-5.10/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch @@ -0,0 +1,108 @@ +From 098b06ca280a546de8b04fd655d95a0dfb80d888 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 15:18:56 -0700 +Subject: calipso: Don't call calipso functions for AF_INET sk. + +From: Kuniyuki Iwashima + +[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ] + +syzkaller reported a null-ptr-deref in txopt_get(). [0] + +The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, +so struct ipv6_pinfo was NULL there. + +However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 +is always set in inet6_create(), meaning the socket was not IPv6 one. + +The root cause is missing validation in netlbl_conn_setattr(). + +netlbl_conn_setattr() switches branches based on struct +sockaddr.sa_family, which is passed from userspace. However, +netlbl_conn_setattr() does not check if the address family matches +the socket. + +The syzkaller must have called connect() for an IPv6 address on +an IPv4 socket. + +We have a proper validation in tcp_v[46]_connect(), but +security_socket_connect() is called in the earlier stage. + +Let's copy the validation to netlbl_conn_setattr(). + +[0]: +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] +CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] +RIP: 0010: +Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 +RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 +RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c +RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 +RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e +R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 +R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 +FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 +PKRU: 80000000 +Call Trace: + + calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557 + netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177 + selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569 + selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline] + selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615 + selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931 + security_socket_connect+0x50/0xa0 security/security.c:4598 + __sys_connect_file+0xa4/0x190 net/socket.c:2067 + __sys_connect+0x12c/0x170 net/socket.c:2088 + __do_sys_connect net/socket.c:2098 [inline] + __se_sys_connect net/socket.c:2095 [inline] + __x64_sys_connect+0x73/0xb0 net/socket.c:2095 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f901b61a12d +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d +RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 +RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 + +Modules linked in: + +Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") +Reported-by: syzkaller +Reported-by: John Cheung +Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/ +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_kapi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c +index 96059c99b915e..2e9344b3c657c 100644 +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -1140,6 +1140,9 @@ int netlbl_conn_setattr(struct sock *sk, + break; + #if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: ++ if (sk->sk_family != AF_INET6) ++ return -EAFNOSUPPORT; ++ + addr6 = (struct sockaddr_in6 *)addr; + entry = netlbl_domhsh_getentry_af6(secattr->domain, + &addr6->sin6_addr); +-- +2.39.5 + diff --git a/queue-5.10/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch b/queue-5.10/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch new file mode 100644 index 0000000000..a4c95d81a2 --- /dev/null +++ b/queue-5.10/clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch @@ -0,0 +1,42 @@ +From ddae268f6be588cfe4353a6e17f4a853c62a9317 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 10:05:13 +0800 +Subject: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() + +From: Henry Martin + +[ Upstream commit 73c46d9a93d071ca69858dea3f569111b03e549e ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +raspberrypi_clk_register() does not check for this case, which results +in a NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks") +Signed-off-by: Henry Martin +Reviewed-by: Dave Stevenson +Link: https://lore.kernel.org/r/20250402020513.42628-1-bsdhenrymartin@gmail.com +Reviewed-by: Stefan Wahren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-raspberrypi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c +index 969227e2df215..f6e7ff6e9d7cc 100644 +--- a/drivers/clk/bcm/clk-raspberrypi.c ++++ b/drivers/clk/bcm/clk-raspberrypi.c +@@ -199,6 +199,8 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi, + init.name = devm_kasprintf(rpi->dev, GFP_KERNEL, + "fw-clk-%s", + rpi_firmware_clk_names[id]); ++ if (!init.name) ++ return ERR_PTR(-ENOMEM); + init.ops = &raspberrypi_firmware_clk_ops; + init.flags = CLK_GET_RATE_NOCACHE; + +-- +2.39.5 + diff --git a/queue-5.10/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch b/queue-5.10/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch new file mode 100644 index 0000000000..679d1b4310 --- /dev/null +++ b/queue-5.10/clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch @@ -0,0 +1,49 @@ +From 831e9d3e160206f008902fc7e15a27caa8da8565 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:45:12 +0200 +Subject: clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz + +From: Vincent Knecht + +[ Upstream commit 9e7acf70cf6aa7b22f67d911f50a8cd510e8fb00 ] + +Fix mclk0 & mclk1 parent map to use correct GPLL6 configuration and +freq_tbl to use GPLL6 instead of GPLL0 so that they tick at 24 MHz. + +Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller") +Suggested-by: Stephan Gerhold +Reviewed-by: Konrad Dybcio +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Vincent Knecht +Link: https://lore.kernel.org/r/20250414-gcc-msm8939-fixes-mclk-v2-resend2-v2-1-5ddcf572a6de@mailoo.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-msm8939.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-msm8939.c b/drivers/clk/qcom/gcc-msm8939.c +index 39ebb443ae3d5..a51f5c25782f9 100644 +--- a/drivers/clk/qcom/gcc-msm8939.c ++++ b/drivers/clk/qcom/gcc-msm8939.c +@@ -433,7 +433,7 @@ static const struct parent_map gcc_xo_gpll0_gpll1a_gpll6_sleep_map[] = { + { P_XO, 0 }, + { P_GPLL0, 1 }, + { P_GPLL1_AUX, 2 }, +- { P_GPLL6, 2 }, ++ { P_GPLL6, 3 }, + { P_SLEEP_CLK, 6 }, + }; + +@@ -1075,7 +1075,7 @@ static struct clk_rcg2 jpeg0_clk_src = { + }; + + static const struct freq_tbl ftbl_gcc_camss_mclk0_1_clk[] = { +- F(24000000, P_GPLL0, 1, 1, 45), ++ F(24000000, P_GPLL6, 1, 1, 45), + F(66670000, P_GPLL0, 12, 0, 0), + { } + }; +-- +2.39.5 + diff --git a/queue-5.10/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch b/queue-5.10/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch new file mode 100644 index 0000000000..1934654576 --- /dev/null +++ b/queue-5.10/crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch @@ -0,0 +1,48 @@ +From cb9fb049f924e75c2e5998a6ba25ada7ea1f66b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:28:08 +0800 +Subject: crypto: lrw - Only add ecb if it is not already there + +From: Herbert Xu + +[ Upstream commit 3d73909bddc2ebb3224a8bc2e5ce00e9df70c15d ] + +Only add ecb to the cipher name if it isn't already ecb. + +Also use memcmp instead of strncmp since these strings are all +stored in an array of length CRYPTO_MAX_ALG_NAME. + +Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202505151503.d8a6cf10-lkp@intel.com +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/lrw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/lrw.c b/crypto/lrw.c +index 80d9076e42e0b..7adc105c12f71 100644 +--- a/crypto/lrw.c ++++ b/crypto/lrw.c +@@ -322,7 +322,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb) + + err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst), + cipher_name, 0, mask); +- if (err == -ENOENT) { ++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) { + err = -ENAMETOOLONG; + if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", + cipher_name) >= CRYPTO_MAX_ALG_NAME) +@@ -356,7 +356,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb) + /* Alas we screwed up the naming so we have to mangle the + * cipher name. + */ +- if (!strncmp(cipher_name, "ecb(", 4)) { ++ if (!memcmp(cipher_name, "ecb(", 4)) { + int len; + + len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name)); +-- +2.39.5 + diff --git a/queue-5.10/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch b/queue-5.10/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch new file mode 100644 index 0000000000..ed312ebb89 --- /dev/null +++ b/queue-5.10/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch @@ -0,0 +1,36 @@ +From 8893268c1063f241af0e33b063dcac1e59ef3049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:43:33 +0800 +Subject: crypto: marvell/cesa - Avoid empty transfer descriptor + +From: Herbert Xu + +[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ] + +The user may set req->src even if req->nbytes == 0. If there +is no data to hash from req->src, do not generate an empty TDMA +descriptor. + +Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c +index 8441c3198d460..823a8fb114bbb 100644 +--- a/drivers/crypto/marvell/cesa/hash.c ++++ b/drivers/crypto/marvell/cesa/hash.c +@@ -639,7 +639,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req) + if (ret) + goto err_free_tdma; + +- if (iter.src.sg) { ++ if (iter.base.len > iter.src.op_offset) { + /* + * Add all the new data, inserting an operation block and + * launch command between each full SRAM block-worth of +-- +2.39.5 + diff --git a/queue-5.10/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch b/queue-5.10/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch new file mode 100644 index 0000000000..95a79f32b4 --- /dev/null +++ b/queue-5.10/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch @@ -0,0 +1,36 @@ +From d3f79bc1502f7d44519ec989c4a4b2840b865750 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:41:31 +0800 +Subject: crypto: marvell/cesa - Handle zero-length skcipher requests + +From: Herbert Xu + +[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ] + +Do not access random memory for zero-length skcipher requests. +Just return 0. + +Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cesa/cipher.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c +index 8dc10f9988948..051a661a63eeb 100644 +--- a/drivers/crypto/marvell/cesa/cipher.c ++++ b/drivers/crypto/marvell/cesa/cipher.c +@@ -449,6 +449,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req, + struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req); + struct mv_cesa_engine *engine; + ++ if (!req->cryptlen) ++ return 0; ++ + ret = mv_cesa_skcipher_req_init(req, tmpl); + if (ret) + return ret; +-- +2.39.5 + diff --git a/queue-5.10/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch b/queue-5.10/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch new file mode 100644 index 0000000000..843e04c4de --- /dev/null +++ b/queue-5.10/crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch @@ -0,0 +1,41 @@ +From 287c1bf57ad0457300f2f77ca7eefadb8793fa6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 15:06:56 +0300 +Subject: crypto: sun8i-ce - move fallback ahash_request to the end of the + struct + +From: Ovidiu Panait + +[ Upstream commit c822831b426307a6ca426621504d3c7f99765a39 ] + +'struct ahash_request' has a flexible array at the end, so it must be the +last member in a struct, to avoid overwriting other struct members. + +Therefore, move 'fallback_req' to the end of the 'sun8i_ce_hash_reqctx' +struct. + +Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h +index 558027516aed1..0cacbd51b480d 100644 +--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h ++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h +@@ -295,8 +295,8 @@ struct sun8i_ce_hash_tfm_ctx { + * @flow: the flow to use for this request + */ + struct sun8i_ce_hash_reqctx { +- struct ahash_request fallback_req; + int flow; ++ struct ahash_request fallback_req; // keep at the end + }; + + /* +-- +2.39.5 + diff --git a/queue-5.10/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch b/queue-5.10/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch new file mode 100644 index 0000000000..8febaa9d7f --- /dev/null +++ b/queue-5.10/crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch @@ -0,0 +1,39 @@ +From a32019431655f1ad193fbd85c9bf64ce0e65d594 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 13:12:36 +0200 +Subject: crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions + +From: Corentin Labbe + +[ Upstream commit 2dfc7cd74a5e062a5405560447517e7aab1c7341 ] + +When testing sun8i-ss with multi_v7_defconfig, all CBC algorithm fail crypto +selftests. +This is strange since on sunxi_defconfig, everything was ok. +The problem was in the IV setup loop which never run because sg_dma_len +was 0. + +Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c +index 8a94f812e6d29..f8603b931b9bb 100644 +--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c ++++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c +@@ -117,7 +117,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq) + + /* we need to copy all IVs from source in case DMA is bi-directionnal */ + while (sg && len) { +- if (sg_dma_len(sg) == 0) { ++ if (sg->length == 0) { + sg = sg_next(sg); + continue; + } +-- +2.39.5 + diff --git a/queue-5.10/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch b/queue-5.10/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch new file mode 100644 index 0000000000..e43c3fe15b --- /dev/null +++ b/queue-5.10/crypto-xts-only-add-ecb-if-it-is-not-already-there.patch @@ -0,0 +1,46 @@ +From eed0e2142dbd10f9eabc61b912f06ce10a475050 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:34:04 +0800 +Subject: crypto: xts - Only add ecb if it is not already there + +From: Herbert Xu + +[ Upstream commit 270b6f13454cb7f2f7058c50df64df409c5dcf55 ] + +Only add ecb to the cipher name if it isn't already ecb. + +Also use memcmp instead of strncmp since these strings are all +stored in an array of length CRYPTO_MAX_ALG_NAME. + +Fixes: f1c131b45410 ("crypto: xts - Convert to skcipher") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/xts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/xts.c b/crypto/xts.c +index 74dc199d54867..a4677e1a1611f 100644 +--- a/crypto/xts.c ++++ b/crypto/xts.c +@@ -360,7 +360,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb) + + err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst), + cipher_name, 0, mask); +- if (err == -ENOENT) { ++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) { + err = -ENAMETOOLONG; + if (snprintf(ctx->name, CRYPTO_MAX_ALG_NAME, "ecb(%s)", + cipher_name) >= CRYPTO_MAX_ALG_NAME) +@@ -394,7 +394,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb) + /* Alas we screwed up the naming so we have to mangle the + * cipher name. + */ +- if (!strncmp(cipher_name, "ecb(", 4)) { ++ if (!memcmp(cipher_name, "ecb(", 4)) { + int len; + + len = strscpy(ctx->name, cipher_name + 4, sizeof(ctx->name)); +-- +2.39.5 + diff --git a/queue-5.10/dmaengine-ti-add-null-check-in-udma_probe.patch b/queue-5.10/dmaengine-ti-add-null-check-in-udma_probe.patch new file mode 100644 index 0000000000..e3bcd16343 --- /dev/null +++ b/queue-5.10/dmaengine-ti-add-null-check-in-udma_probe.patch @@ -0,0 +1,43 @@ +From 186aa11d0511cda69819a8eea1cff640574ef1c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 10:39:00 +0800 +Subject: dmaengine: ti: Add NULL check in udma_probe() + +From: Henry Martin + +[ Upstream commit fd447415e74bccd7362f760d4ea727f8e1ebfe91 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +udma_probe() does not check for this case, which results in a NULL +pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA") +Signed-off-by: Henry Martin +Reviewed-by: Nathan Lynch +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20250402023900.43440-1-bsdhenrymartin@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/k3-udma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c +index 1f01bd483c6ba..cade321095d20 100644 +--- a/drivers/dma/ti/k3-udma.c ++++ b/drivers/dma/ti/k3-udma.c +@@ -3672,7 +3672,8 @@ static int udma_probe(struct platform_device *pdev) + uc->config.dir = DMA_MEM_TO_MEM; + uc->name = devm_kasprintf(dev, GFP_KERNEL, "%s chan%d", + dev_name(dev), i); +- ++ if (!uc->name) ++ return -ENOMEM; + vchan_init(&uc->vc, &ud->ddev); + /* Use custom vchan completion handling */ + tasklet_setup(&uc->vc.task, udma_vchan_complete); +-- +2.39.5 + diff --git a/queue-5.10/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch b/queue-5.10/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch new file mode 100644 index 0000000000..69c116e70b --- /dev/null +++ b/queue-5.10/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch @@ -0,0 +1,40 @@ +From caf8f5d773cd1ccafa14111c34f4e770094897d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 12:27:08 -0400 +Subject: do_change_type(): refuse to operate on unmounted/not ours mounts + +From: Al Viro + +[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ] + +Ensure that propagation settings can only be changed for mounts located +in the caller's mount namespace. This change aligns permission checking +with the rest of mount(2). + +Reviewed-by: Christian Brauner +Fixes: 07b20889e305 ("beginning of the shared-subtree proper") +Reported-by: "Orlando, Noah" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 869cc6e06d889..2d5af6653cd11 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2308,6 +2308,10 @@ static int do_change_type(struct path *path, int ms_flags) + return -EINVAL; + + namespace_lock(); ++ if (!check_mnt(mnt)) { ++ err = -EINVAL; ++ goto out_unlock; ++ } + if (type == MS_SHARED) { + err = invent_group_ids(mnt, recurse); + if (err) +-- +2.39.5 + diff --git a/queue-5.10/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch b/queue-5.10/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch new file mode 100644 index 0000000000..477c8de08d --- /dev/null +++ b/queue-5.10/driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch @@ -0,0 +1,53 @@ +From b5d3328a798f450c3d8ab68a25bba3165d4b666e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 15:53:51 +0800 +Subject: driver: net: ethernet: mtk_star_emac: fix suspend/resume issue + +From: Yanqing Wang + +[ Upstream commit ba99c627aac85bc746fb4a6e2d79edb3ad100326 ] + +Identify the cause of the suspend/resume hang: netif_carrier_off() +is called during link state changes and becomes stuck while +executing linkwatch_work(). + +To resolve this issue, call netif_device_detach() during the Ethernet +suspend process to temporarily detach the network device from the +kernel and prevent the suspend/resume hang. + +Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver") +Signed-off-by: Yanqing Wang +Signed-off-by: Macpaul Lin +Signed-off-by: Biao Huang +Link: https://patch.msgid.link/20250528075351.593068-1-macpaul.lin@mediatek.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c +index 96d2891f1675a..9d884699ed9cc 100644 +--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c ++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c +@@ -1409,6 +1409,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev) + if (netif_running(ndev)) + mtk_star_disable(ndev); + ++ netif_device_detach(ndev); ++ + clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); + + return 0; +@@ -1433,6 +1435,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev) + clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks); + } + ++ netif_device_attach(ndev); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.10/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch b/queue-5.10/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch new file mode 100644 index 0000000000..3a6b1a36a9 --- /dev/null +++ b/queue-5.10/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch @@ -0,0 +1,61 @@ +From 833d5ab1a914e68b0eebf1380cca509119689a8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Nov 2023 12:24:24 +0000 +Subject: drm: rcar-du: Fix memory leak in rcar_du_vsps_init() + +From: Biju Das + +[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ] + +The rcar_du_vsps_init() doesn't free the np allocated by +of_parse_phandle_with_fixed_args() for the non-error case. + +Fix memory leak for the non-error case. + +While at it, replace the label 'error'->'done' as it applies to non-error +case as well and update the error check condition for rcar_du_vsp_init() +to avoid breakage in future, if it returns positive value. + +Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP") +Signed-off-by: Biju Das +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +index 7015e22872bbe..41b4a6715dad5 100644 +--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +@@ -626,7 +626,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu) + ret = of_parse_phandle_with_fixed_args(np, vsps_prop_name, + cells, i, &args); + if (ret < 0) +- goto error; ++ goto done; + + /* + * Add the VSP to the list or update the corresponding existing +@@ -664,13 +664,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu) + vsp->dev = rcdu; + + ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask); +- if (ret < 0) +- goto error; ++ if (ret) ++ goto done; + } + +- return 0; +- +-error: ++done: + for (i = 0; i < ARRAY_SIZE(vsps); ++i) + of_node_put(vsps[i].np); + +-- +2.39.5 + diff --git a/queue-5.10/drm-tegra-rgb-fix-the-unbound-reference-count.patch b/queue-5.10/drm-tegra-rgb-fix-the-unbound-reference-count.patch new file mode 100644 index 0000000000..13eacd2e27 --- /dev/null +++ b/queue-5.10/drm-tegra-rgb-fix-the-unbound-reference-count.patch @@ -0,0 +1,57 @@ +From de8506ffd70ddd9f6d4eb8b9ca3c23f1ccf831db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:21:35 +0000 +Subject: drm/tegra: rgb: Fix the unbound reference count + +From: Biju Das + +[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ] + +The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe, +but the driver does not decrement the refcount during unbind. Fix the +unbound reference count using devm_add_action_or_reset() helper. + +Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support") +Signed-off-by: Biju Das +Signed-off-by: Thierry Reding +Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c +index 4142a56ca7644..a3052f645c473 100644 +--- a/drivers/gpu/drm/tegra/rgb.c ++++ b/drivers/gpu/drm/tegra/rgb.c +@@ -170,6 +170,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = { + .atomic_check = tegra_rgb_encoder_atomic_check, + }; + ++static void tegra_dc_of_node_put(void *data) ++{ ++ of_node_put(data); ++} ++ + int tegra_dc_rgb_probe(struct tegra_dc *dc) + { + struct device_node *np; +@@ -177,7 +182,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc) + int err; + + np = of_get_child_by_name(dc->dev->of_node, "rgb"); +- if (!np || !of_device_is_available(np)) ++ if (!np) ++ return -ENODEV; ++ ++ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np); ++ if (err < 0) ++ return err; ++ ++ if (!of_device_is_available(np)) + return -ENODEV; + + rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-5.10/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch b/queue-5.10/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch new file mode 100644 index 0000000000..2b4834757a --- /dev/null +++ b/queue-5.10/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch @@ -0,0 +1,44 @@ +From 67b5a734a1a3f393462a23c3a11645b82ca0e8af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 23:14:32 -0700 +Subject: drm/vkms: Adjust vkms_state->active_planes allocation type + +From: Kees Cook + +[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ] + +In preparation for making the kmalloc family of allocators type aware, +we need to make sure that the returned type from the allocation matches +the type of the variable being assigned. (Before, the allocator would +always return "void *", which can be implicitly cast to any pointer type.) + +The assigned type is "struct vkms_plane_state **", but the returned type +will be "struct drm_plane **". These are the same size (pointer size), but +the types don't match. Adjust the allocation type to match the assignment. + +Signed-off-by: Kees Cook +Reviewed-by: Louis Chauvet +Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking") +Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org +Signed-off-by: Louis Chauvet +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index 1ae5cd47d9546..2225e764e709f 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -194,7 +194,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc, + i++; + } + +- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL); ++ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL); + if (!vkms_state->active_planes) + return -ENOMEM; + vkms_state->num_active_planes = i; +-- +2.39.5 + diff --git a/queue-5.10/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch b/queue-5.10/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch new file mode 100644 index 0000000000..b6c6f497f3 --- /dev/null +++ b/queue-5.10/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch @@ -0,0 +1,89 @@ +From acde6f69c3ec365ae0957f2d6c2e70b0615388c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 14:06:33 -0600 +Subject: drm/vmwgfx: Add seqno waiter for sync_files + +From: Ian Forbes + +[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ] + +Because sync_files are passive waiters they do not participate in +the processing of fences like the traditional vmw_fence_wait IOCTL. +If userspace exclusively uses sync_files for synchronization then +nothing in the kernel actually processes fence updates as interrupts +for fences are masked and ignored if the kernel does not indicate to the +SVGA device that there are active waiters. + +This oversight results in a bug where the entire GUI can freeze waiting +on a sync_file that will never be signalled as we've masked the interrupts +to signal its completion. This bug is incredibly racy as any process which +interacts with the fencing code via the 3D stack can process the stuck +fences on behalf of the stuck process causing it to run again. Even a +simple app like eglinfo is enough to resume the stuck process. Usually +this bug is seen at a login screen like GDM because there are no other +3D apps running. + +By adding a seqno waiter we re-enable interrupt based processing of the +dma_fences associated with the sync_file which is signalled as part of a +dma_fence_callback. + +This has likely been broken since it was initially added to the kernel in +2017 but has gone unnoticed until mutter recently started using sync_files +heavily over the course of 2024 as part of their explicit sync support. + +Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support") +Signed-off-by: Ian Forbes +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 616f6cb622783..987633c6c49f4 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -4027,6 +4027,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv, + return 0; + } + ++/* ++ * DMA fence callback to remove a seqno_waiter ++ */ ++struct seqno_waiter_rm_context { ++ struct dma_fence_cb base; ++ struct vmw_private *dev_priv; ++}; ++ ++static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb) ++{ ++ struct seqno_waiter_rm_context *ctx = ++ container_of(cb, struct seqno_waiter_rm_context, base); ++ ++ vmw_seqno_waiter_remove(ctx->dev_priv); ++ kfree(ctx); ++} ++ + int vmw_execbuf_process(struct drm_file *file_priv, + struct vmw_private *dev_priv, + void __user *user_commands, void *kernel_commands, +@@ -4220,6 +4237,15 @@ int vmw_execbuf_process(struct drm_file *file_priv, + } else { + /* Link the fence with the FD created earlier */ + fd_install(out_fence_fd, sync_file->file); ++ struct seqno_waiter_rm_context *ctx = ++ kmalloc(sizeof(*ctx), GFP_KERNEL); ++ ctx->dev_priv = dev_priv; ++ vmw_seqno_waiter_add(dev_priv); ++ if (dma_fence_add_callback(&fence->base, &ctx->base, ++ seqno_waiter_rm_cb) < 0) { ++ vmw_seqno_waiter_remove(dev_priv); ++ kfree(ctx); ++ } + } + } + +-- +2.39.5 + diff --git a/queue-5.10/edac-skx_common-fix-general-protection-fault.patch b/queue-5.10/edac-skx_common-fix-general-protection-fault.patch new file mode 100644 index 0000000000..b3570ac070 --- /dev/null +++ b/queue-5.10/edac-skx_common-fix-general-protection-fault.patch @@ -0,0 +1,68 @@ +From 23c700de3ebc0458801c5d5d4fdabe712a3ff936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 23:07:18 +0800 +Subject: EDAC/skx_common: Fix general protection fault + +From: Qiuxu Zhuo + +[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ] + +After loading i10nm_edac (which automatically loads skx_edac_common), if +unload only i10nm_edac, then reload it and perform error injection testing, +a general protection fault may occur: + + mce: [Hardware Error]: Machine check events logged + Oops: general protection fault ... + ... + Workqueue: events mce_gen_pool_process + RIP: 0010:string+0x53/0xe0 + ... + Call Trace: + + ? die_addr+0x37/0x90 + ? exc_general_protection+0x1e7/0x3f0 + ? asm_exc_general_protection+0x26/0x30 + ? string+0x53/0xe0 + vsnprintf+0x23e/0x4c0 + snprintf+0x4d/0x70 + skx_adxl_decode+0x16a/0x330 [skx_edac_common] + skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common] + skx_mce_check_error+0x17/0x20 [skx_edac_common] + ... + +The issue arose was because the variable 'adxl_component_count' (inside +skx_edac_common), which counts the ADXL components, was not reset. During +the reloading of i10nm_edac, the count was incremented by the actual number +of ADXL components again, resulting in a count that was double the real +number of ADXL components. This led to an out-of-bounds reference to the +ADXL component array, causing the general protection fault above. + +Fix this issue by resetting the 'adxl_component_count' in adxl_put(), +which is called during the unloading of {skx,i10nm}_edac. + +Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module") +Reported-by: Feng Xu +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Feng Xu +Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/skx_common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c +index b585cbe3eff94..1c408e665f7c9 100644 +--- a/drivers/edac/skx_common.c ++++ b/drivers/edac/skx_common.c +@@ -112,6 +112,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get); + + void skx_adxl_put(void) + { ++ adxl_component_count = 0; + kfree(adxl_values); + kfree(adxl_msg); + } +-- +2.39.5 + diff --git a/queue-5.10/f2fs-clean-up-w-fscrypt_is_bounce_page.patch b/queue-5.10/f2fs-clean-up-w-fscrypt_is_bounce_page.patch new file mode 100644 index 0000000000..9acce2bea3 --- /dev/null +++ b/queue-5.10/f2fs-clean-up-w-fscrypt_is_bounce_page.patch @@ -0,0 +1,34 @@ +From 21a0ddef2eda628763bee05b4370d76eb4d9174c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:52:36 +0800 +Subject: f2fs: clean up w/ fscrypt_is_bounce_page() + +From: Chao Yu + +[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ] + +Just cleanup, no logic changes. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 1b764f70b70ed..9eb20211619d3 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -77,7 +77,7 @@ static bool __is_cp_guaranteed(struct page *page) + struct inode *inode; + struct f2fs_sb_info *sbi; + +- if (!mapping) ++ if (fscrypt_is_bounce_page(page)) + return false; + + if (f2fs_is_compressed_page(page)) +-- +2.39.5 + diff --git a/queue-5.10/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch b/queue-5.10/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch new file mode 100644 index 0000000000..a6d9100a80 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch @@ -0,0 +1,36 @@ +From 134f479bb6374a4428d256669f5e2e11677719e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 16:45:49 +0800 +Subject: f2fs: fix to correct check conditions in f2fs_cross_rename + +From: Zhiguo Niu + +[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ] + +Should be "old_dir" here. + +Fixes: 5c57132eaf52 ("f2fs: support project quota") +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 1e3e525be68bf..a5ebebc15b08e 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -1123,7 +1123,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(new_dir)->i_projid, + F2FS_I(old_inode)->i_projid)) || +- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && ++ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(old_dir)->i_projid, + F2FS_I(new_inode)->i_projid))) + return -EXDEV; +-- +2.39.5 + diff --git a/queue-5.10/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch b/queue-5.10/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch new file mode 100644 index 0000000000..7e636d5839 --- /dev/null +++ b/queue-5.10/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch @@ -0,0 +1,76 @@ +From 6d33fd630420cb3aecd92538c54fd941808f9f09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 20:22:08 +0800 +Subject: f2fs: fix to do sanity check on sbi->total_valid_block_count + +From: Chao Yu + +[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ] + +syzbot reported a f2fs bug as below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/f2fs.h:2521! +RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 +Call Trace: + f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 + truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 + truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 + f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197 + f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810 + f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838 + f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888 + f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112 + notify_change+0xbca/0xe90 fs/attr.c:552 + do_truncate+0x222/0x310 fs/open.c:65 + handle_truncate fs/namei.c:3466 [inline] + do_open fs/namei.c:3849 [inline] + path_openat+0x2e4f/0x35d0 fs/namei.c:4004 + do_filp_open+0x284/0x4e0 fs/namei.c:4031 + do_sys_openat2+0x12b/0x1d0 fs/open.c:1429 + do_sys_open fs/open.c:1444 [inline] + __do_sys_creat fs/open.c:1522 [inline] + __se_sys_creat fs/open.c:1516 [inline] + __x64_sys_creat+0x124/0x170 fs/open.c:1516 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 + +The reason is: in fuzzed image, sbi->total_valid_block_count is +inconsistent w/ mapped blocks indexed by inode, so, we should +not trigger panic for such case, instead, let's print log and +set fsck flag. + +Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure") +Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 10231d5bba159..4e42ca56da86a 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -2076,8 +2076,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi, + blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK; + + spin_lock(&sbi->stat_lock); +- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count); +- sbi->total_valid_block_count -= (block_t)count; ++ if (unlikely(sbi->total_valid_block_count < count)) { ++ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u", ++ sbi->total_valid_block_count, inode->i_ino, count); ++ sbi->total_valid_block_count = 0; ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ } else { ++ sbi->total_valid_block_count -= count; ++ } + if (sbi->reserved_blocks && + sbi->current_reserved_blocks < sbi->reserved_blocks) + sbi->current_reserved_blocks = min(sbi->reserved_blocks, +-- +2.39.5 + diff --git a/queue-5.10/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch b/queue-5.10/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch new file mode 100644 index 0000000000..253eaa28bf --- /dev/null +++ b/queue-5.10/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch @@ -0,0 +1,74 @@ +From 539e83820ac8bf3b34b10d610da4266d21d7143e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 16:45:48 +0800 +Subject: f2fs: use d_inode(dentry) cleanup dentry->d_inode + +From: Zhiguo Niu + +[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ] + +no logic changes. + +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 8 ++++---- + fs/f2fs/super.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 56d23bc254353..1e3e525be68bf 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -396,7 +396,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir, + + if (is_inode_flag_set(dir, FI_PROJ_INHERIT) && + (!projid_eq(F2FS_I(dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid))) ++ F2FS_I(inode)->i_projid))) + return -EXDEV; + + err = dquot_initialize(dir); +@@ -932,7 +932,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry, + + if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + (!projid_eq(F2FS_I(new_dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid))) ++ F2FS_I(old_inode)->i_projid))) + return -EXDEV; + + /* +@@ -1122,10 +1122,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + + if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(new_dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid)) || ++ F2FS_I(old_inode)->i_projid)) || + (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(old_dir)->i_projid, +- F2FS_I(new_dentry->d_inode)->i_projid))) ++ F2FS_I(new_inode)->i_projid))) + return -EXDEV; + + err = dquot_initialize(old_dir); +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index 9afbb51bd6780..d1a5c64963b6f 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1507,9 +1507,9 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf) + buf->f_fsid = u64_to_fsid(id); + + #ifdef CONFIG_QUOTA +- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) && ++ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) && + sb_has_quota_limits_enabled(sb, PRJQUOTA)) { +- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf); ++ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf); + } + #endif + return 0; +-- +2.39.5 + diff --git a/queue-5.10/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch b/queue-5.10/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch new file mode 100644 index 0000000000..1fe09c9b15 --- /dev/null +++ b/queue-5.10/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch @@ -0,0 +1,42 @@ +From 7086b65eed393d56c46b5482c2efb725468baab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 23:35:58 +0300 +Subject: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() + +From: Sergey Shtylyov + +[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ] + +In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, +cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's +then passed to fb_cvt_hperiod(), where it's used as a divider -- division +by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to +avoid such overflow... + +Found by Linux Verification Center (linuxtesting.org) with the Svace static +analysis tool. + +Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcvt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c +index 64843464c6613..cd3821bd82e56 100644 +--- a/drivers/video/fbdev/core/fbcvt.c ++++ b/drivers/video/fbdev/core/fbcvt.c +@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb) + cvt.f_refresh = cvt.refresh; + cvt.interlace = 1; + +- if (!cvt.xres || !cvt.yres || !cvt.refresh) { ++ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) { + printk(KERN_INFO "fbcvt: Invalid input parameters\n"); + return 1; + } +-- +2.39.5 + diff --git a/queue-5.10/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch b/queue-5.10/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch new file mode 100644 index 0000000000..88ef3f31e6 --- /dev/null +++ b/queue-5.10/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch @@ -0,0 +1,42 @@ +From d26c50c21b28cf7136f0ee111d0ac07df17ff5fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 23:17:12 +0800 +Subject: firmware: psci: Fix refcount leak in psci_dt_init + +From: Miaoqian Lin + +[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ] + +Fix a reference counter leak in psci_dt_init() where of_node_put(np) was +missing after of_find_matching_node_and_match() when np is unavailable. + +Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled") +Signed-off-by: Miaoqian Lin +Reviewed-by: Gavin Shan +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/firmware/psci/psci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c +index 00af99b6f97c1..2c435a8d35487 100644 +--- a/drivers/firmware/psci/psci.c ++++ b/drivers/firmware/psci/psci.c +@@ -571,8 +571,10 @@ int __init psci_dt_init(void) + + np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np); + +- if (!np || !of_device_is_available(np)) ++ if (!np || !of_device_is_available(np)) { ++ of_node_put(np); + return -ENODEV; ++ } + + init_fn = (psci_initcall_t)matched_np->data; + ret = init_fn(np); +-- +2.39.5 + diff --git a/queue-5.10/firmware-sdei-allow-sdei-initialization-without-acpi.patch b/queue-5.10/firmware-sdei-allow-sdei-initialization-without-acpi.patch new file mode 100644 index 0000000000..ff3fd257e3 --- /dev/null +++ b/queue-5.10/firmware-sdei-allow-sdei-initialization-without-acpi.patch @@ -0,0 +1,136 @@ +From 7c1cfde511cc315ef02e7775dbed96d4543f43cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 May 2025 12:57:57 +0800 +Subject: firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES + +From: Huang Yiwei + +[ Upstream commit 59529bbe642de4eb2191a541d9b4bae7eb73862e ] + +SDEI usually initialize with the ACPI table, but on platforms where +ACPI is not used, the SDEI feature can still be used to handle +specific firmware calls or other customized purposes. Therefore, it +is not necessary for ARM_SDE_INTERFACE to depend on ACPI_APEI_GHES. + +In commit dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES +in acpi_init()"), to make APEI ready earlier, sdei_init was moved +into acpi_ghes_init instead of being a standalone initcall, adding +ACPI_APEI_GHES dependency to ARM_SDE_INTERFACE. This restricts the +flexibility and usability of SDEI. + +This patch corrects the dependency in Kconfig and splits sdei_init() +into two separate functions: sdei_init() and acpi_sdei_init(). +sdei_init() will be called by arch_initcall and will only initialize +the platform driver, while acpi_sdei_init() will initialize the +device from acpi_ghes_init() when ACPI is ready. This allows the +initialization of SDEI without ACPI_APEI_GHES enabled. + +Fixes: dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES in apci_init()") +Cc: Shuai Xue +Signed-off-by: Huang Yiwei +Reviewed-by: Shuai Xue +Reviewed-by: Gavin Shan +Acked-by: Rafael J. Wysocki +Link: https://lore.kernel.org/r/20250507045757.2658795-1-quic_hyiwei@quicinc.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/Kconfig | 1 + + drivers/acpi/apei/ghes.c | 2 +- + drivers/firmware/Kconfig | 1 - + drivers/firmware/arm_sdei.c | 11 ++++++++--- + include/linux/arm_sdei.h | 4 ++-- + 5 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig +index 6b18f8bc7be35..71e0d64a7792e 100644 +--- a/drivers/acpi/apei/Kconfig ++++ b/drivers/acpi/apei/Kconfig +@@ -23,6 +23,7 @@ config ACPI_APEI_GHES + select ACPI_HED + select IRQ_WORK + select GENERIC_ALLOCATOR ++ select ARM_SDE_INTERFACE if ARM64 + help + Generic Hardware Error Source provides a way to report + platform hardware errors (such as that from chipset). It +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index a6c8514110736..72087e05b5a5f 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -1478,7 +1478,7 @@ void __init ghes_init(void) + { + int rc; + +- sdei_init(); ++ acpi_sdei_init(); + + if (acpi_disabled) + return; +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index a83101310e34f..67023e184bb17 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -72,7 +72,6 @@ config ARM_SCPI_POWER_DOMAIN + config ARM_SDE_INTERFACE + bool "ARM Software Delegated Exception Interface (SDEI)" + depends on ARM64 +- depends on ACPI_APEI_GHES + help + The Software Delegated Exception Interface (SDEI) is an ARM + standard for registering callbacks from the platform firmware +diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c +index b160851c524cf..0fbf12df19d04 100644 +--- a/drivers/firmware/arm_sdei.c ++++ b/drivers/firmware/arm_sdei.c +@@ -1063,13 +1063,12 @@ static bool __init sdei_present_acpi(void) + return true; + } + +-void __init sdei_init(void) ++void __init acpi_sdei_init(void) + { + struct platform_device *pdev; + int ret; + +- ret = platform_driver_register(&sdei_driver); +- if (ret || !sdei_present_acpi()) ++ if (!sdei_present_acpi()) + return; + + pdev = platform_device_register_simple(sdei_driver.driver.name, +@@ -1082,6 +1081,12 @@ void __init sdei_init(void) + } + } + ++static int __init sdei_init(void) ++{ ++ return platform_driver_register(&sdei_driver); ++} ++arch_initcall(sdei_init); ++ + int sdei_event_handler(struct pt_regs *regs, + struct sdei_registered_event *arg) + { +diff --git a/include/linux/arm_sdei.h b/include/linux/arm_sdei.h +index 255701e1251b4..f652a5028b590 100644 +--- a/include/linux/arm_sdei.h ++++ b/include/linux/arm_sdei.h +@@ -46,12 +46,12 @@ int sdei_unregister_ghes(struct ghes *ghes); + /* For use by arch code when CPU hotplug notifiers are not appropriate. */ + int sdei_mask_local_cpu(void); + int sdei_unmask_local_cpu(void); +-void __init sdei_init(void); ++void __init acpi_sdei_init(void); + void sdei_handler_abort(void); + #else + static inline int sdei_mask_local_cpu(void) { return 0; } + static inline int sdei_unmask_local_cpu(void) { return 0; } +-static inline void sdei_init(void) { } ++static inline void acpi_sdei_init(void) { } + static inline void sdei_handler_abort(void) { } + #endif /* CONFIG_ARM_SDE_INTERFACE */ + +-- +2.39.5 + diff --git a/queue-5.10/gfs2-gfs2_create_inode-error-handling-fix.patch b/queue-5.10/gfs2-gfs2_create_inode-error-handling-fix.patch new file mode 100644 index 0000000000..0e88575c65 --- /dev/null +++ b/queue-5.10/gfs2-gfs2_create_inode-error-handling-fix.patch @@ -0,0 +1,35 @@ +From 25c11168ddb490e33ecaf5f07da1893ff32d24e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 16:40:58 +0200 +Subject: gfs2: gfs2_create_inode error handling fix + +From: Andreas Gruenbacher + +[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ] + +When gfs2_create_inode() finds a directory, make sure to return -EISDIR. + +Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c +index 22905a076a6a2..f266dec205175 100644 +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -636,7 +636,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + if (!IS_ERR(inode)) { + if (S_ISDIR(inode->i_mode)) { + iput(inode); +- inode = ERR_PTR(-EISDIR); ++ inode = NULL; ++ error = -EISDIR; + goto fail_gunlock; + } + d_instantiate(dentry, inode); +-- +2.39.5 + diff --git a/queue-5.10/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch b/queue-5.10/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch new file mode 100644 index 0000000000..bb27f3d7c9 --- /dev/null +++ b/queue-5.10/gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch @@ -0,0 +1,39 @@ +From 045bf0907af2285117ad844b849cc7105f656de4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 06:08:16 -0700 +Subject: gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt + +From: Alok Tiwari + +[ Upstream commit f41a94aade120dc60322865f363cee7865f2df01 ] + +Previously, the RX_BUFFERS_POSTED stat incorrectly reported the +fill_cnt from RX queue 0 for all queues, resulting in inaccurate +per-queue statistics. +Fix this by correctly indexing priv->rx[idx].fill_cnt for each RX queue. + +Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.") +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250527130830.1812903-1-alok.a.tiwari@oracle.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index b76d1d019a81d..f458a97dd7910 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1086,7 +1086,7 @@ void gve_handle_report_stats(struct gve_priv *priv) + }; + stats[stats_idx++] = (struct stats) { + .stat_name = cpu_to_be32(RX_BUFFERS_POSTED), +- .value = cpu_to_be64(priv->rx[0].fill_cnt), ++ .value = cpu_to_be64(priv->rx[idx].fill_cnt), + .queue_id = cpu_to_be32(idx), + }; + } +-- +2.39.5 + diff --git a/queue-5.10/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch b/queue-5.10/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch new file mode 100644 index 0000000000..31ab68cba1 --- /dev/null +++ b/queue-5.10/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch @@ -0,0 +1,72 @@ +From 8c35d91892662f8881fe1d4b52ffb7aab3a88001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:55:28 +0200 +Subject: ice: create new Tx scheduler nodes for new queues only + +From: Michal Kubiak + +[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ] + +The current implementation of the Tx scheduler tree attempts +to create nodes for all Tx queues, ignoring the fact that some +queues may already exist in the tree. For example, if the VSI +already has 128 Tx queues and the user requests for 16 new queues, +the Tx scheduler will compute the tree for 272 queues (128 existing +queues + 144 new queues), instead of 144 queues (128 existing queues +and 16 new queues). +Fix that by modifying the node count calculation algorithm to skip +the queues that already exist in the tree. + +Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support") +Reviewed-by: Dawid Osuchowski +Reviewed-by: Przemek Kitszel +Reviewed-by: Jacob Keller +Signed-off-by: Michal Kubiak +Reviewed-by: Simon Horman +Tested-by: Jesse Brandeburg +Tested-by: Saritha Sanigani (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c +index f5bfb662f1df0..504a5913caf07 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sched.c ++++ b/drivers/net/ethernet/intel/ice/ice_sched.c +@@ -1396,16 +1396,16 @@ ice_sched_get_vsi_node(struct ice_hw *hw, struct ice_sched_node *tc_node, + /** + * ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes + * @hw: pointer to the HW struct +- * @num_qs: number of queues ++ * @num_new_qs: number of new queues that will be added to the tree + * @num_nodes: num nodes array + * + * This function calculates the number of VSI child nodes based on the + * number of queues. + */ + static void +-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes) ++ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes) + { +- u16 num = num_qs; ++ u16 num = num_new_qs; + u8 i, qgl, vsil; + + qgl = ice_sched_get_qgrp_layer(hw); +@@ -1646,8 +1646,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle, + if (status) + return status; + +- if (new_numqs) +- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes); ++ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs, ++ new_num_nodes); ++ + /* Keep the max number of queue configuration all the time. Update the + * tree only if number of queues > previous number of queues. This may + * leave some extra nodes in the tree if number of queues < previous +-- +2.39.5 + diff --git a/queue-5.10/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch b/queue-5.10/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch new file mode 100644 index 0000000000..a7d6347c6c --- /dev/null +++ b/queue-5.10/iio-adc-ad7124-fix-3db-filter-frequency-reading.patch @@ -0,0 +1,45 @@ +From 601987c8e1e1a55bcda03a5754434494f3bf6c25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Mar 2025 12:52:47 +0100 +Subject: iio: adc: ad7124: Fix 3dB filter frequency reading +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 8712e4986e7ce42a14c762c4c350f290989986a5 ] + +The sinc4 filter has a factor 0.23 between Output Data Rate and f_{3dB} +and for sinc3 the factor is 0.272 according to the data sheets for +ad7124-4 (Rev. E.) and ad7124-8 (Rev. F). + +Fixes: cef2760954cf ("iio: adc: ad7124: add 3db filter") +Signed-off-by: Uwe Kleine-König +Reviewed-by: Marcelo Schmitt +Link: https://patch.msgid.link/20250317115247.3735016-6-u.kleine-koenig@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7124.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c +index 99d1288e66828..503814fca4dc0 100644 +--- a/drivers/iio/adc/ad7124.c ++++ b/drivers/iio/adc/ad7124.c +@@ -320,9 +320,9 @@ static int ad7124_get_3db_filter_freq(struct ad7124_state *st, + + switch (st->channel_config[channel].filter_type) { + case AD7124_SINC3_FILTER: +- return DIV_ROUND_CLOSEST(fadc * 230, 1000); ++ return DIV_ROUND_CLOSEST(fadc * 272, 1000); + case AD7124_SINC4_FILTER: +- return DIV_ROUND_CLOSEST(fadc * 262, 1000); ++ return DIV_ROUND_CLOSEST(fadc * 230, 1000); + default: + return -EINVAL; + } +-- +2.39.5 + diff --git a/queue-5.10/ktls-sockmap-fix-missing-uncharge-operation.patch b/queue-5.10/ktls-sockmap-fix-missing-uncharge-operation.patch new file mode 100644 index 0000000000..c4da8e4e87 --- /dev/null +++ b/queue-5.10/ktls-sockmap-fix-missing-uncharge-operation.patch @@ -0,0 +1,59 @@ +From 64a32120814f333ebef71dcdb0fc4a46c41dae27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 13:59:57 +0800 +Subject: ktls, sockmap: Fix missing uncharge operation + +From: Jiayuan Chen + +[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ] + +When we specify apply_bytes, we divide the msg into multiple segments, +each with a length of 'send', and every time we send this part of the data +using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the +memory of the specified 'send' size. + +However, if the first segment of data fails to send, for example, the +peer's buffer is full, we need to release all of the msg. When releasing +the msg, we haven't uncharged the memory of the subsequent segments. + +This modification does not make significant logical changes, but only +fills in the missing uncharge places. + +This issue has existed all along, until it was exposed after we added the +apply test in test_sockmap: +commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap") + +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Reported-by: Cong Wang +Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Acked-by: John Fastabend +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index ec57ca01b3c48..0723b3a4f6d91 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -859,6 +859,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + err = tcp_bpf_sendmsg_redir(sk_redir, &msg_redir, send, flags); + lock_sock(sk); + if (err < 0) { ++ /* Regardless of whether the data represented by ++ * msg_redir is sent successfully, we have already ++ * uncharged it via sk_msg_return_zero(). The ++ * msg->sg.size represents the remaining unprocessed ++ * data, which needs to be uncharged here. ++ */ ++ sk_mem_uncharge(sk, msg->sg.size); + *copied -= sk_msg_free_nocharge(sk, &msg_redir); + msg->sg.size = 0; + } +-- +2.39.5 + diff --git a/queue-5.10/libbpf-use-proper-errno-value-in-nlattr.patch b/queue-5.10/libbpf-use-proper-errno-value-in-nlattr.patch new file mode 100644 index 0000000000..b2dc4269dc --- /dev/null +++ b/queue-5.10/libbpf-use-proper-errno-value-in-nlattr.patch @@ -0,0 +1,75 @@ +From db80bb40330f4106254a1ab0dcc52d5a578091ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:20:11 +0000 +Subject: libbpf: Use proper errno value in nlattr + +From: Anton Protopopov + +[ Upstream commit fd5fd538a1f4b34cee6823ba0ddda2f7a55aca96 ] + +Return value of the validate_nla() function can be propagated all the +way up to users of libbpf API. In case of error this libbpf version +of validate_nla returns -1 which will be seen as -EPERM from user's +point of view. Instead, return a more reasonable -EINVAL. + +Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP") +Suggested-by: Andrii Nakryiko +Signed-off-by: Anton Protopopov +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250510182011.2246631-1-a.s.protopopov@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/nlattr.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c +index 1a04299a2a604..35ad5a845a147 100644 +--- a/tools/lib/bpf/nlattr.c ++++ b/tools/lib/bpf/nlattr.c +@@ -63,16 +63,16 @@ static int validate_nla(struct nlattr *nla, int maxtype, + minlen = nla_attr_minlen[pt->type]; + + if (libbpf_nla_len(nla) < minlen) +- return -1; ++ return -EINVAL; + + if (pt->maxlen && libbpf_nla_len(nla) > pt->maxlen) +- return -1; ++ return -EINVAL; + + if (pt->type == LIBBPF_NLA_STRING) { + char *data = libbpf_nla_data(nla); + + if (data[libbpf_nla_len(nla) - 1] != '\0') +- return -1; ++ return -EINVAL; + } + + return 0; +@@ -118,19 +118,18 @@ int libbpf_nla_parse(struct nlattr *tb[], int maxtype, struct nlattr *head, + if (policy) { + err = validate_nla(nla, maxtype, policy); + if (err < 0) +- goto errout; ++ return err; + } + +- if (tb[type]) ++ if (tb[type]) { + pr_warn("Attribute of type %#x found multiple times in message, " + "previous attribute is being ignored.\n", type); ++ } + + tb[type] = nla; + } + +- err = 0; +-errout: +- return err; ++ return 0; + } + + /** +-- +2.39.5 + diff --git a/queue-5.10/m68k-mac-fix-macintosh_config-for-mac-ii.patch b/queue-5.10/m68k-mac-fix-macintosh_config-for-mac-ii.patch new file mode 100644 index 0000000000..65ab1653a9 --- /dev/null +++ b/queue-5.10/m68k-mac-fix-macintosh_config-for-mac-ii.patch @@ -0,0 +1,46 @@ +From 9f81e7b1fa05d85b686011f91bc3e943d8a84cc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 10:07:26 +1000 +Subject: m68k: mac: Fix macintosh_config for Mac II + +From: Finn Thain + +[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ] + +When booted on my Mac II, the kernel prints this: + + Detected Macintosh model: 6 + Apple Macintosh Unknown + +The catch-all entry ("Unknown") is mac_data_table[0] which is only needed +in the unlikely event that the bootinfo model ID can't be matched. +When model ID is 6, the search should begin and end at mac_data_table[1]. +Fix the off-by-one error that causes this problem. + +Cc: Joshua Thompson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c +index 2bea1799b8de7..856042fecd81f 100644 +--- a/arch/m68k/mac/config.c ++++ b/arch/m68k/mac/config.c +@@ -800,7 +800,7 @@ static void __init mac_identify(void) + } + + macintosh_config = mac_data_table; +- for (m = macintosh_config; m->ident != -1; m++) { ++ for (m = &mac_data_table[1]; m->ident != -1; m++) { + if (m->ident == model) { + macintosh_config = m; + break; +-- +2.39.5 + diff --git a/queue-5.10/media-rkvdec-fix-frame-size-enumeration.patch b/queue-5.10/media-rkvdec-fix-frame-size-enumeration.patch new file mode 100644 index 0000000000..ae4a2e8048 --- /dev/null +++ b/queue-5.10/media-rkvdec-fix-frame-size-enumeration.patch @@ -0,0 +1,56 @@ +From 6d0c585e10150196255754ffb955d0d536ffef03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 10:40:33 +0100 +Subject: media: rkvdec: Fix frame size enumeration + +From: Jonas Karlman + +[ Upstream commit f270005b99fa19fee9a6b4006e8dee37c10f1944 ] + +The VIDIOC_ENUM_FRAMESIZES ioctl should return all frame sizes (i.e. +width and height in pixels) that the device supports for the given pixel +format. + +It doesn't make a lot of sense to return the frame-sizes in a stepwise +manner, which is used to enforce hardware alignments requirements for +CAPTURE buffers, for coded formats. + +Instead, applications should receive an indication, about the maximum +supported frame size for that hardware decoder, via a continuous +frame-size enumeration. + +Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver") +Suggested-by: Alex Bee +Signed-off-by: Jonas Karlman +Reviewed-by: Nicolas Dufresne +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/rkvdec/rkvdec.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c +index 86483f1c070b9..a5eca08ff2597 100644 +--- a/drivers/staging/media/rkvdec/rkvdec.c ++++ b/drivers/staging/media/rkvdec/rkvdec.c +@@ -178,8 +178,14 @@ static int rkvdec_enum_framesizes(struct file *file, void *priv, + if (!fmt) + return -EINVAL; + +- fsize->type = V4L2_FRMSIZE_TYPE_STEPWISE; +- fsize->stepwise = fmt->frmsize; ++ fsize->type = V4L2_FRMSIZE_TYPE_CONTINUOUS; ++ fsize->stepwise.min_width = 1; ++ fsize->stepwise.max_width = fmt->frmsize.max_width; ++ fsize->stepwise.step_width = 1; ++ fsize->stepwise.min_height = 1; ++ fsize->stepwise.max_height = fmt->frmsize.max_height; ++ fsize->stepwise.step_height = 1; ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-5.10/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch b/queue-5.10/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch new file mode 100644 index 0000000000..f18fdc02d5 --- /dev/null +++ b/queue-5.10/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch @@ -0,0 +1,38 @@ +From 8cabeafacdd43433ffb763e43f78ccd162de436c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 17:00:34 +0200 +Subject: mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in + exynos_lpass_remove() + +From: Christophe JAILLET + +[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ] + +exynos_lpass_disable() is called twice in the remove function. Remove +one of these calls. + +Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/exynos-lpass.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c +index 99bd0e73c19c3..ffda3445d1c0f 100644 +--- a/drivers/mfd/exynos-lpass.c ++++ b/drivers/mfd/exynos-lpass.c +@@ -144,7 +144,6 @@ static int exynos_lpass_remove(struct platform_device *pdev) + { + struct exynos_lpass *lpass = platform_get_drvdata(pdev); + +- exynos_lpass_disable(lpass); + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) + exynos_lpass_disable(lpass); +-- +2.39.5 + diff --git a/queue-5.10/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch b/queue-5.10/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch new file mode 100644 index 0000000000..e20e12d75b --- /dev/null +++ b/queue-5.10/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch @@ -0,0 +1,40 @@ +From 66095e7697e9df1edafac4b2ad5846f63572cba2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Apr 2025 18:16:32 +0200 +Subject: mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE + +From: Alexey Gladkov + +[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ] + +The name used in the macro does not exist. + +drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id' + 132 | MODULE_DEVICE_TABLE(spi, stmpe_id); + +Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface") +Signed-off-by: Alexey Gladkov +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/stmpe-spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c +index 7351734f75938..07fa56e5337d1 100644 +--- a/drivers/mfd/stmpe-spi.c ++++ b/drivers/mfd/stmpe-spi.c +@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = { + { "stmpe2403", STMPE2403 }, + { } + }; +-MODULE_DEVICE_TABLE(spi, stmpe_id); ++MODULE_DEVICE_TABLE(spi, stmpe_spi_id); + + static struct spi_driver stmpe_spi_driver = { + .driver = { +-- +2.39.5 + diff --git a/queue-5.10/mips-loongson64-add-missing-interrupt-cells-for-loon.patch b/queue-5.10/mips-loongson64-add-missing-interrupt-cells-for-loon.patch new file mode 100644 index 0000000000..e6acc33f3b --- /dev/null +++ b/queue-5.10/mips-loongson64-add-missing-interrupt-cells-for-loon.patch @@ -0,0 +1,43 @@ +From d5fb5c6985e09b22bf578b2afeff185557031562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Apr 2025 11:45:48 +0800 +Subject: MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +[ Upstream commit 6d223b8ffcd1593d032b71875def2daa71c53111 ] + +Similar to commit 98a9e2ac3755 ("MIPS: Loongson64: DTS: Fix msi node for ls7a"). + +Fix follow warnings: + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts:28.31-36.4: Warning (interrupt_provider): /bus@10000000/msi-controller@2ff00000: Missing '#interrupt-cells' in interrupt provider + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider' + +Fixes: 24af105962c8 ("MIPS: Loongson64: DeviceTree for LS7A PCH") +Tested-by: WangYuli +Signed-off-by: WangYuli +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts +index c7ea4f1c0bb21..6c277ab83d4b9 100644 +--- a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts ++++ b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts +@@ -29,6 +29,7 @@ + compatible = "loongson,pch-msi-1.0"; + reg = <0 0x2ff00000 0 0x8>; + interrupt-controller; ++ #interrupt-cells = <1>; + msi-controller; + loongson,msi-base-vec = <64>; + loongson,msi-num-vecs = <64>; +-- +2.39.5 + diff --git a/queue-5.10/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch b/queue-5.10/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch new file mode 100644 index 0000000000..56020493cb --- /dev/null +++ b/queue-5.10/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch @@ -0,0 +1,47 @@ +From 6d8dceca960d9f21ec6612ce933d1d27847bd41c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 11:00:47 +0530 +Subject: net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy + +From: Thangaraj Samynathan + +[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ] + +rename the function to lan743x_hw_reset_phy to better describe it +operation. + +Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Thangaraj Samynathan +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan743x_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index a0f490a907573..26a230c60efb7 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -918,7 +918,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu) + } + + /* PHY */ +-static int lan743x_phy_reset(struct lan743x_adapter *adapter) ++static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter) + { + u32 data; + +@@ -952,7 +952,7 @@ static void lan743x_phy_update_flowcontrol(struct lan743x_adapter *adapter, + + static int lan743x_phy_init(struct lan743x_adapter *adapter) + { +- return lan743x_phy_reset(adapter); ++ return lan743x_hw_reset_phy(adapter); + } + + static void lan743x_phy_link_status_change(struct net_device *netdev) +-- +2.39.5 + diff --git a/queue-5.10/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch b/queue-5.10/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch new file mode 100644 index 0000000000..7780141a3b --- /dev/null +++ b/queue-5.10/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch @@ -0,0 +1,41 @@ +From cfdaee861e7a24260b594323a0ede4980a1a9df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 11:11:09 +0300 +Subject: net/mlx4_en: Prevent potential integer overflow calculating Hz + +From: Dan Carpenter + +[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ] + +The "freq" variable is in terms of MHz and "max_val_cycles" is in terms +of Hz. The fact that "max_val_cycles" is a u64 suggests that support +for high frequency is intended but the "freq_khz * 1000" would overflow +the u32 type if we went above 4GHz. Use unsigned long long type for the +mutliplication to prevent that. + +Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +index 024788549c256..060698b0c65cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +@@ -251,7 +251,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = { + static u32 freq_to_shift(u16 freq) + { + u32 freq_khz = freq * 1000; +- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC; ++ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC; + u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1); + /* calculate max possible multiplier in order to fit in 64bit */ + u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded); +-- +2.39.5 + diff --git a/queue-5.10/net-ncsi-fix-gcps-64-bit-member-variables.patch b/queue-5.10/net-ncsi-fix-gcps-64-bit-member-variables.patch new file mode 100644 index 0000000000..ef294319cc --- /dev/null +++ b/queue-5.10/net-ncsi-fix-gcps-64-bit-member-variables.patch @@ -0,0 +1,161 @@ +From 3b5c700601aac16039539440c528f6af29d6e7ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 18:23:08 -0700 +Subject: net: ncsi: Fix GCPS 64-bit member variables + +From: Hari Kalavakunta + +[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ] + +Correct Get Controller Packet Statistics (GCPS) 64-bit wide member +variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently +collects these stats, but they are yet to be exposed to the user. +Therefore, no user impact. + +Statistics fixes: +Total Bytes Received (byte range 28..35) +Total Bytes Transmitted (byte range 36..43) +Total Unicast Packets Received (byte range 44..51) +Total Multicast Packets Received (byte range 52..59) +Total Broadcast Packets Received (byte range 60..67) +Total Unicast Packets Transmitted (byte range 68..75) +Total Multicast Packets Transmitted (byte range 76..83) +Total Broadcast Packets Transmitted (byte range 84..91) +Valid Bytes Received (byte range 204..11) + +Signed-off-by: Hari Kalavakunta +Reviewed-by: Paul Fertser +Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 21 ++++++++++----------- + net/ncsi/ncsi-pkt.h | 23 +++++++++++------------ + net/ncsi/ncsi-rsp.c | 21 ++++++++++----------- + 3 files changed, 31 insertions(+), 34 deletions(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index dea60e25e8607..c61d2e2e93adc 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -140,16 +140,15 @@ struct ncsi_channel_vlan_filter { + }; + + struct ncsi_channel_stats { +- u32 hnc_cnt_hi; /* Counter cleared */ +- u32 hnc_cnt_lo; /* Counter cleared */ +- u32 hnc_rx_bytes; /* Rx bytes */ +- u32 hnc_tx_bytes; /* Tx bytes */ +- u32 hnc_rx_uc_pkts; /* Rx UC packets */ +- u32 hnc_rx_mc_pkts; /* Rx MC packets */ +- u32 hnc_rx_bc_pkts; /* Rx BC packets */ +- u32 hnc_tx_uc_pkts; /* Tx UC packets */ +- u32 hnc_tx_mc_pkts; /* Tx MC packets */ +- u32 hnc_tx_bc_pkts; /* Tx BC packets */ ++ u64 hnc_cnt; /* Counter cleared */ ++ u64 hnc_rx_bytes; /* Rx bytes */ ++ u64 hnc_tx_bytes; /* Tx bytes */ ++ u64 hnc_rx_uc_pkts; /* Rx UC packets */ ++ u64 hnc_rx_mc_pkts; /* Rx MC packets */ ++ u64 hnc_rx_bc_pkts; /* Rx BC packets */ ++ u64 hnc_tx_uc_pkts; /* Tx UC packets */ ++ u64 hnc_tx_mc_pkts; /* Tx MC packets */ ++ u64 hnc_tx_bc_pkts; /* Tx BC packets */ + u32 hnc_fcs_err; /* FCS errors */ + u32 hnc_align_err; /* Alignment errors */ + u32 hnc_false_carrier; /* False carrier detection */ +@@ -178,7 +177,7 @@ struct ncsi_channel_stats { + u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */ + u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */ + u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */ +- u32 hnc_rx_valid_bytes; /* Rx valid bytes */ ++ u64 hnc_rx_valid_bytes; /* Rx valid bytes */ + u32 hnc_rx_runt_pkts; /* Rx error runt packets */ + u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */ + u32 ncsi_rx_cmds; /* Rx NCSI commands */ +diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h +index 3fbea7e74fb1c..2729581360ec9 100644 +--- a/net/ncsi/ncsi-pkt.h ++++ b/net/ncsi/ncsi-pkt.h +@@ -246,16 +246,15 @@ struct ncsi_rsp_gp_pkt { + /* Get Controller Packet Statistics */ + struct ncsi_rsp_gcps_pkt { + struct ncsi_rsp_pkt_hdr rsp; /* Response header */ +- __be32 cnt_hi; /* Counter cleared */ +- __be32 cnt_lo; /* Counter cleared */ +- __be32 rx_bytes; /* Rx bytes */ +- __be32 tx_bytes; /* Tx bytes */ +- __be32 rx_uc_pkts; /* Rx UC packets */ +- __be32 rx_mc_pkts; /* Rx MC packets */ +- __be32 rx_bc_pkts; /* Rx BC packets */ +- __be32 tx_uc_pkts; /* Tx UC packets */ +- __be32 tx_mc_pkts; /* Tx MC packets */ +- __be32 tx_bc_pkts; /* Tx BC packets */ ++ __be64 cnt; /* Counter cleared */ ++ __be64 rx_bytes; /* Rx bytes */ ++ __be64 tx_bytes; /* Tx bytes */ ++ __be64 rx_uc_pkts; /* Rx UC packets */ ++ __be64 rx_mc_pkts; /* Rx MC packets */ ++ __be64 rx_bc_pkts; /* Rx BC packets */ ++ __be64 tx_uc_pkts; /* Tx UC packets */ ++ __be64 tx_mc_pkts; /* Tx MC packets */ ++ __be64 tx_bc_pkts; /* Tx BC packets */ + __be32 fcs_err; /* FCS errors */ + __be32 align_err; /* Alignment errors */ + __be32 false_carrier; /* False carrier detection */ +@@ -284,11 +283,11 @@ struct ncsi_rsp_gcps_pkt { + __be32 tx_1023_frames; /* Tx 512-1023 bytes frames */ + __be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */ + __be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */ +- __be32 rx_valid_bytes; /* Rx valid bytes */ ++ __be64 rx_valid_bytes; /* Rx valid bytes */ + __be32 rx_runt_pkts; /* Rx error runt packets */ + __be32 rx_jabber_pkts; /* Rx error jabber packets */ + __be32 checksum; /* Checksum */ +-}; ++} __packed __aligned(4); + + /* Get NCSI Statistics */ + struct ncsi_rsp_gns_pkt { +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index 960e2cfc1fd2a..88fb86cf7b208 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -933,16 +933,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr) + + /* Update HNC's statistics */ + ncs = &nc->stats; +- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi); +- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo); +- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes); +- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes); +- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts); +- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts); +- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts); +- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts); +- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts); +- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts); ++ ncs->hnc_cnt = be64_to_cpu(rsp->cnt); ++ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes); ++ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes); ++ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts); ++ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts); ++ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts); ++ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts); ++ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts); ++ ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts); + ncs->hnc_fcs_err = ntohl(rsp->fcs_err); + ncs->hnc_align_err = ntohl(rsp->align_err); + ncs->hnc_false_carrier = ntohl(rsp->false_carrier); +@@ -971,7 +970,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr) + ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames); + ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames); + ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames); +- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes); ++ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes); + ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts); + ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts); + +-- +2.39.5 + diff --git a/queue-5.10/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch b/queue-5.10/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch new file mode 100644 index 0000000000..eb9d03d9f5 --- /dev/null +++ b/queue-5.10/net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch @@ -0,0 +1,75 @@ +From 0c8eabbf3bf1538a3c78ad552837fd9607af66f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 03:41:43 +0000 +Subject: net: openvswitch: Fix the dead loop of MPLS parse + +From: Faicker Mo + +[ Upstream commit 0bdc924bfb319fb10d1113cbf091fc26fb7b1f99 ] + +The unexpected MPLS packet may not end with the bottom label stack. +When there are many stacks, The label count value has wrapped around. +A dead loop occurs, soft lockup/CPU stuck finally. + +stack backtrace: +UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 +index -1 is out of range for type '__be32 [3]' +CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu +Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 +Call Trace: + + show_stack+0x52/0x5c + dump_stack_lvl+0x4a/0x63 + dump_stack+0x10/0x16 + ubsan_epilogue+0x9/0x36 + __ubsan_handle_out_of_bounds.cold+0x44/0x49 + key_extract_l3l4+0x82a/0x840 [openvswitch] + ? kfree_skbmem+0x52/0xa0 + key_extract+0x9c/0x2b0 [openvswitch] + ovs_flow_key_extract+0x124/0x350 [openvswitch] + ovs_vport_receive+0x61/0xd0 [openvswitch] + ? kernel_init_free_pages.part.0+0x4a/0x70 + ? get_page_from_freelist+0x353/0x540 + netdev_port_receive+0xc4/0x180 [openvswitch] + ? netdev_port_receive+0x180/0x180 [openvswitch] + netdev_frame_hook+0x1f/0x40 [openvswitch] + __netif_receive_skb_core.constprop.0+0x23a/0xf00 + __netif_receive_skb_list_core+0xfa/0x240 + netif_receive_skb_list_internal+0x18e/0x2a0 + napi_complete_done+0x7a/0x1c0 + bnxt_poll+0x155/0x1c0 [bnxt_en] + __napi_poll+0x30/0x180 + net_rx_action+0x126/0x280 + ? bnxt_msix+0x67/0x80 [bnxt_en] + handle_softirqs+0xda/0x2d0 + irq_exit_rcu+0x96/0xc0 + common_interrupt+0x8e/0xa0 + + +Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction") +Signed-off-by: Faicker Mo +Acked-by: Ilya Maximets +Reviewed-by: Aaron Conole +Link: https://patch.msgid.link/259D3404-575D-4A6D-B263-1DF59A67CF89@zenlayer.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/openvswitch/flow.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c +index 9bad601c7fe82..94531289ed26a 100644 +--- a/net/openvswitch/flow.c ++++ b/net/openvswitch/flow.c +@@ -638,7 +638,7 @@ static int key_extract_l3l4(struct sk_buff *skb, struct sw_flow_key *key) + memset(&key->ipv4, 0, sizeof(key->ipv4)); + } + } else if (eth_p_mpls(key->eth.type)) { +- u8 label_count = 1; ++ size_t label_count = 1; + + memset(&key->mpls, 0, sizeof(key->mpls)); + skb_set_inner_network_header(skb, skb->mac_len); +-- +2.39.5 + diff --git a/queue-5.10/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch b/queue-5.10/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch new file mode 100644 index 0000000000..389a399971 --- /dev/null +++ b/queue-5.10/net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch @@ -0,0 +1,47 @@ +From 2234fab8dbcffc759ee6795628f661d5062db1b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 May 2025 10:27:16 +0200 +Subject: net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames + +From: Horatiu Vultur + +[ Upstream commit 57a92d14659df3e7e7e0052358c8cc68bbbc3b5e ] + +We have noticed that when PHY timestamping is enabled, L2 frames seems +to be modified by changing two 2 bytes with a value of 0. The place were +these 2 bytes seems to be random(or I couldn't find a pattern). In most +of the cases the userspace can ignore these frames but if for example +those 2 bytes are in the correction field there is nothing to do. This +seems to happen when configuring the HW for IPv4 even that the flow is +not enabled. +These 2 bytes correspond to the UDPv4 checksum and once we don't enable +clearing the checksum when using L2 frames then the frame doesn't seem +to be changed anymore. + +Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support") +Signed-off-by: Horatiu Vultur +Link: https://patch.msgid.link/20250523082716.2935895-1-horatiu.vultur@microchip.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_ptp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c +index b97ee79f3cdfc..85102e895665e 100644 +--- a/drivers/net/phy/mscc/mscc_ptp.c ++++ b/drivers/net/phy/mscc/mscc_ptp.c +@@ -943,7 +943,9 @@ static int vsc85xx_ip1_conf(struct phy_device *phydev, enum ts_blk blk, + /* UDP checksum offset in IPv4 packet + * according to: https://tools.ietf.org/html/rfc768 + */ +- val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26) | IP1_NXT_PROT_UDP_CHKSUM_CLEAR; ++ val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26); ++ if (enable) ++ val |= IP1_NXT_PROT_UDP_CHKSUM_CLEAR; + vsc85xx_ts_write_csr(phydev, blk, MSCC_ANA_IP1_NXT_PROT_UDP_CHKSUM, + val); + +-- +2.39.5 + diff --git a/queue-5.10/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch b/queue-5.10/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch new file mode 100644 index 0000000000..5807d2f828 --- /dev/null +++ b/queue-5.10/net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch @@ -0,0 +1,68 @@ +From 2a82a68216030fe8c32979aa65baec73161eade8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 13:56:23 +0200 +Subject: net: stmmac: platform: guarantee uniqueness of bus_id + +From: Quentin Schulz + +[ Upstream commit eb7fd7aa35bfcc1e1fda4ecc42ccfcb526cdc780 ] + +bus_id is currently derived from the ethernetX alias. If one is missing +for the device, 0 is used. If ethernet0 points to another stmmac device +or if there are 2+ stmmac devices without an ethernet alias, then bus_id +will be 0 for all of those. + +This is an issue because the bus_id is used to generate the mdio bus id +(new_bus->id in drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c +stmmac_mdio_register) and this needs to be unique. + +This allows to avoid needing to define ethernet aliases for devices with +multiple stmmac controllers (such as the Rockchip RK3588) for multiple +stmmac devices to probe properly. + +Obviously, the bus_id isn't guaranteed to be stable across reboots if no +alias is set for the device but that is easily fixed by simply adding an +alias if this is desired. + +Fixes: 25c83b5c2e82 ("dt:net:stmmac: Add support to dwmac version 3.610 and 3.710") +Signed-off-by: Quentin Schulz +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20250527-stmmac-mdio-bus_id-v2-1-a5ca78454e3c@cherry.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +index f02ce09020fbc..7ebbb81375e84 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c +@@ -400,6 +400,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, const char **mac) + struct device_node *np = pdev->dev.of_node; + struct plat_stmmacenet_data *plat; + struct stmmac_dma_cfg *dma_cfg; ++ static int bus_id = -ENODEV; + int phy_mode; + int rc; + +@@ -435,8 +436,14 @@ stmmac_probe_config_dt(struct platform_device *pdev, const char **mac) + of_property_read_u32(np, "max-speed", &plat->max_speed); + + plat->bus_id = of_alias_get_id(np, "ethernet"); +- if (plat->bus_id < 0) +- plat->bus_id = 0; ++ if (plat->bus_id < 0) { ++ if (bus_id < 0) ++ bus_id = of_alias_get_highest_id("ethernet"); ++ /* No ethernet alias found, init at -1 so first bus_id is 0 */ ++ if (bus_id < 0) ++ bus_id = -1; ++ plat->bus_id = ++bus_id; ++ } + + /* Default to phy auto-detection */ + plat->phy_addr = -1; +-- +2.39.5 + diff --git a/queue-5.10/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch b/queue-5.10/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch new file mode 100644 index 0000000000..c615f4cba3 --- /dev/null +++ b/queue-5.10/net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch @@ -0,0 +1,57 @@ +From 2d575b25f30d73d8d58a715eceb85396ba7cb432 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 16:35:44 +0000 +Subject: net: tipc: fix refcount warning in tipc_aead_encrypt + +From: Charalampos Mitrodimas + +[ Upstream commit f29ccaa07cf3d35990f4d25028cc55470d29372b ] + +syzbot reported a refcount warning [1] caused by calling get_net() on +a network namespace that is being destroyed (refcount=0). This happens +when a TIPC discovery timer fires during network namespace cleanup. + +The recently added get_net() call in commit e279024617134 ("net/tipc: +fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to +hold a reference to the network namespace. However, if the namespace +is already being destroyed, its refcount might be zero, leading to the +use-after-free warning. + +Replace get_net() with maybe_get_net(), which safely checks if the +refcount is non-zero before incrementing it. If the namespace is being +destroyed, return -ENODEV early, after releasing the bearer reference. + +[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2 + +Reported-by: syzbot+f0c4a4aba757549ae26c@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2 +Fixes: e27902461713 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") +Signed-off-by: Charalampos Mitrodimas +Reviewed-by: Tung Nguyen +Link: https://patch.msgid.link/20250527-net-tipc-warning-v2-1-df3dc398a047@posteo.net +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tipc/crypto.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 159d891b81c59..3b26c5a6aaaeb 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -822,7 +822,11 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb, + } + + /* Get net to avoid freed tipc_crypto when delete namespace */ +- get_net(aead->crypto->net); ++ if (!maybe_get_net(aead->crypto->net)) { ++ tipc_bearer_put(b); ++ rc = -ENODEV; ++ goto exit; ++ } + + /* Now, do encrypt */ + rc = crypto_aead_encrypt(req); +-- +2.39.5 + diff --git a/queue-5.10/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch b/queue-5.10/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch new file mode 100644 index 0000000000..6a5e86c90e --- /dev/null +++ b/queue-5.10/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch @@ -0,0 +1,106 @@ +From 01b5e443f3d3b050b8554100fad2bfd95b5992ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 14:32:39 +0300 +Subject: net: usb: aqc111: fix error handling of usbnet read calls + +From: Nikita Zhandarovich + +[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ] + +Syzkaller, courtesy of syzbot, identified an error (see report [1]) in +aqc111 driver, caused by incomplete sanitation of usb read calls' +results. This problem is quite similar to the one fixed in commit +920a9fa27e78 ("net: asix: add proper error handling of usb read errors"). + +For instance, usbnet_read_cmd() may read fewer than 'size' bytes, +even if the caller expected the full amount, and aqc111_read_cmd() +will not check its result properly. As [1] shows, this may lead +to MAC address in aqc111_bind() being only partly initialized, +triggering KMSAN warnings. + +Fix the issue by verifying that the number of bytes read is +as expected and not less. + +[1] Partial syzbot report: +BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] +BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 + is_valid_ether_addr include/linux/etherdevice.h:208 [inline] + usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:-1 [inline] + really_probe+0x4d1/0xd90 drivers/base/dd.c:658 + __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 +... + +Uninit was stored to memory at: + dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582 + __dev_addr_set include/linux/netdevice.h:4874 [inline] + eth_hw_addr_set include/linux/etherdevice.h:325 [inline] + aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 +... + +Uninit was stored to memory at: + ether_addr_copy include/linux/etherdevice.h:305 [inline] + aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline] + aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:-1 [inline] +... + +Local variable buf.i created at: + aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline] + aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + +Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b +Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com +Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address") +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index 895d4f5166f99..279fcb9bf3be6 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value, + ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, data, size); + +- if (unlikely(ret < 0)) ++ if (unlikely(ret < size)) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + netdev_warn(dev->net, + "Failed to read(0x%x) reg index 0x%04x: %d\n", + cmd, index, ret); ++ } + + return ret; + } +@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value, + ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, data, size); + +- if (unlikely(ret < 0)) ++ if (unlikely(ret < size)) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + netdev_warn(dev->net, + "Failed to read(0x%x) reg index 0x%04x: %d\n", + cmd, index, ret); ++ } + + return ret; + } +-- +2.39.5 + diff --git a/queue-5.10/netfilter-bridge-move-specific-fragmented-packet-to-.patch b/queue-5.10/netfilter-bridge-move-specific-fragmented-packet-to-.patch new file mode 100644 index 0000000000..acfc260efb --- /dev/null +++ b/queue-5.10/netfilter-bridge-move-specific-fragmented-packet-to-.patch @@ -0,0 +1,96 @@ +From 8260c7aeca3e5fc25fa0f467cdd1a87569c1b8ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 17:29:53 +0800 +Subject: netfilter: bridge: Move specific fragmented packet to slow_path + instead of dropping it + +From: Huajian Yang + +[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ] + +The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for +fragmented packets. + +The original bridge does not know that it is a fragmented packet and +forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function +nf_br_ip_fragment and br_ip6_fragment will check the headroom. + +In original br_forward, insufficient headroom of skb may indeed exist, +but there's still a way to save the skb in the device driver after +dev_queue_xmit.So droping the skb will change the original bridge +forwarding in some cases. + +Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system") +Signed-off-by: Huajian Yang +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------ + net/ipv6/netfilter.c | 12 ++++++------ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c +index d14b2dbbd1dfb..abf0c9460ddf3 100644 +--- a/net/bridge/netfilter/nf_conntrack_bridge.c ++++ b/net/bridge/netfilter/nf_conntrack_bridge.c +@@ -59,19 +59,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk, + struct ip_fraglist_iter iter; + struct sk_buff *frag; + +- if (first_len - hlen > mtu || +- skb_headroom(skb) < ll_rs) ++ if (first_len - hlen > mtu) + goto blackhole; + +- if (skb_cloned(skb)) ++ if (skb_cloned(skb) || ++ skb_headroom(skb) < ll_rs) + goto slow_path; + + skb_walk_frags(skb, frag) { +- if (frag->len > mtu || +- skb_headroom(frag) < hlen + ll_rs) ++ if (frag->len > mtu) + goto blackhole; + +- if (skb_shared(frag)) ++ if (skb_shared(frag) || ++ skb_headroom(frag) < hlen + ll_rs) + goto slow_path; + } + +diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c +index ab9a279dd6d47..93e1af6c2dfb2 100644 +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -155,20 +155,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + struct ip6_fraglist_iter iter; + struct sk_buff *frag2; + +- if (first_len - hlen > mtu || +- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) ++ if (first_len - hlen > mtu) + goto blackhole; + +- if (skb_cloned(skb)) ++ if (skb_cloned(skb) || ++ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) + goto slow_path; + + skb_walk_frags(skb, frag2) { +- if (frag2->len > mtu || +- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr))) ++ if (frag2->len > mtu) + goto blackhole; + + /* Partially cloned skb? */ +- if (skb_shared(frag2)) ++ if (skb_shared(frag2) || ++ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr))) + goto slow_path; + } + +-- +2.39.5 + diff --git a/queue-5.10/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch b/queue-5.10/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch new file mode 100644 index 0000000000..2fd625e4da --- /dev/null +++ b/queue-5.10/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch @@ -0,0 +1,80 @@ +From f763efee16deb48a612a2ef01b99d817e9faeeea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:38:47 +0200 +Subject: netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result + discrepancy + +From: Florian Westphal + +[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ] + +With a VRF, ipv4 and ipv6 FIB expression behave differently. + + fib daddr . iif oif + +Will return the input interface name for ipv4, but the real device +for ipv6. Example: + +If VRF device name is tvrf and real (incoming) device is veth0. +First round is ok, both ipv4 and ipv6 will yield 'veth0'. + +But in the second round (incoming device will be set to "tvrf"), ipv4 +will yield "tvrf" whereas ipv6 returns "veth0" for the second round too. + +This makes ipv6 behave like ipv4. + +A followup patch will add a test case for this, without this change +it will fail with: + get element inet t fibif6iif { tvrf . dead:1::99 . tvrf } + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif + +Alternatively we could either not do anything at all or change +ipv4 to also return the lower/real device, however, nft (userspace) +doc says "iif: if fib lookup provides a route then check its output +interface is identical to the packets input interface." which is what +the nft fib ipv4 behaviour is. + +Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index 1a08b00aa3213..b7e543d4d57be 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -154,6 +154,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + { + const struct nft_fib *priv = nft_expr_priv(expr); + int noff = skb_network_offset(pkt->skb); ++ const struct net_device *found = NULL; + const struct net_device *oif = NULL; + u32 *dest = ®s->data[priv->dreg]; + struct ipv6hdr *iph, _iph; +@@ -198,11 +199,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) + goto put_rt_err; + +- if (oif && oif != rt->rt6i_idev->dev && +- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex) +- goto put_rt_err; ++ if (!oif) { ++ found = rt->rt6i_idev->dev; ++ } else { ++ if (oif == rt->rt6i_idev->dev || ++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex) ++ found = oif; ++ } + +- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev); ++ nft_fib_store_result(dest, priv, found); + put_rt_err: + ip6_rt_put(rt); + } +-- +2.39.5 + diff --git a/queue-5.10/netfilter-nft_tunnel-fix-geneve_opt-dump.patch b/queue-5.10/netfilter-nft_tunnel-fix-geneve_opt-dump.patch new file mode 100644 index 0000000000..c1e5d0c359 --- /dev/null +++ b/queue-5.10/netfilter-nft_tunnel-fix-geneve_opt-dump.patch @@ -0,0 +1,71 @@ +From c5e17866d82c4b2db8ac8a81cdb5b41055462f59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:41:08 +0200 +Subject: netfilter: nft_tunnel: fix geneve_opt dump + +From: Fernando Fernandez Mancera + +[ Upstream commit 22a9613de4c29d7d0770bfb8a5a9d73eb8df7dad ] + +When dumping a nft_tunnel with more than one geneve_opt configured the +netlink attribute hierarchy should be as follow: + + NFTA_TUNNEL_KEY_OPTS + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + | | + | |--NFTA_TUNNEL_KEY_GENEVE_CLASS + | |--NFTA_TUNNEL_KEY_GENEVE_TYPE + | |--NFTA_TUNNEL_KEY_GENEVE_DATA + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + | | + | |--NFTA_TUNNEL_KEY_GENEVE_CLASS + | |--NFTA_TUNNEL_KEY_GENEVE_TYPE + | |--NFTA_TUNNEL_KEY_GENEVE_DATA + | + |--NFTA_TUNNEL_KEY_OPTS_GENEVE + ... + +Otherwise, userspace tools won't be able to fetch the geneve options +configured correctly. + +Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts") +Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_tunnel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c +index cfe6cf1be4217..95f8230322289 100644 +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -588,10 +588,10 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, + struct geneve_opt *opt; + int offset = 0; + +- inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE); +- if (!inner) +- goto failure; + while (opts->len > offset) { ++ inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE); ++ if (!inner) ++ goto failure; + opt = (struct geneve_opt *)(opts->u.data + offset); + if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS, + opt->opt_class) || +@@ -601,8 +601,8 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, + opt->length * 4, opt->opt_data)) + goto inner_failure; + offset += sizeof(*opt) + opt->length * 4; ++ nla_nest_end(skb, inner); + } +- nla_nest_end(skb, inner); + } + nla_nest_end(skb, nest); + return 0; +-- +2.39.5 + diff --git a/queue-5.10/nfs-clear-sb_rdonly-before-getting-superblock.patch b/queue-5.10/nfs-clear-sb_rdonly-before-getting-superblock.patch new file mode 100644 index 0000000000..5f8de2b905 --- /dev/null +++ b/queue-5.10/nfs-clear-sb_rdonly-before-getting-superblock.patch @@ -0,0 +1,68 @@ +From b43b1dbb4fd3a7b42181517a2a1b518da8c997f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 21:05:32 +0800 +Subject: nfs: clear SB_RDONLY before getting superblock + +From: Li Lingfeng + +[ Upstream commit 8cd9b785943c57a136536250da80ba1eb6f8eb18 ] + +As described in the link, commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when +mounting nfs") removed the check for the ro flag when determining whether +to share the superblock, which caused issues when mounting different +subdirectories under the same export directory via NFSv3. However, this +change did not affect NFSv4. + +For NFSv3: +1) A single superblock is created for the initial mount. +2) When mounted read-only, this superblock carries the SB_RDONLY flag. +3) Before commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs"): +Subsequent rw mounts would not share the existing ro superblock due to +flag mismatch, creating a new superblock without SB_RDONLY. +After the commit: + The SB_RDONLY flag is ignored during superblock comparison, and this leads + to sharing the existing superblock even for rw mounts. + Ultimately results in write operations being rejected at the VFS layer. + +For NFSv4: +1) Multiple superblocks are created and the last one will be kept. +2) The actually used superblock for ro mounts doesn't carry SB_RDONLY flag. +Therefore, commit 52cb7f8f1778 doesn't affect NFSv4 mounts. + +Clear SB_RDONLY before getting superblock when NFS_MOUNT_UNSHARED is not +set to fix it. + +Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs") +Closes: https://lore.kernel.org/all/12d7ea53-1202-4e21-a7ef-431c94758ce5@app.fastmail.com/T/ +Signed-off-by: Li Lingfeng +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 2d2238548a6e5..27923c2b36f77 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1248,8 +1248,17 @@ int nfs_get_tree_common(struct fs_context *fc) + if (IS_ERR(server)) + return PTR_ERR(server); + ++ /* ++ * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a ++ * superblock among each filesystem that mounts sub-directories ++ * belonging to a single exported root path. ++ * To prevent interference between different filesystems, the ++ * SB_RDONLY flag should be removed from the superblock. ++ */ + if (server->flags & NFS_MOUNT_UNSHARED) + compare_super = NULL; ++ else ++ fc->sb_flags &= ~SB_RDONLY; + + /* -o noac implies -o sync */ + if (server->flags & NFS_MOUNT_NOAC) +-- +2.39.5 + diff --git a/queue-5.10/nfs-ignore-sb_rdonly-when-remounting-nfs.patch b/queue-5.10/nfs-ignore-sb_rdonly-when-remounting-nfs.patch new file mode 100644 index 0000000000..9f350faa6a --- /dev/null +++ b/queue-5.10/nfs-ignore-sb_rdonly-when-remounting-nfs.patch @@ -0,0 +1,72 @@ +From e374a5b7c0a3ade93a84fe0c9446f9574ee4ebde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Mar 2025 21:05:33 +0800 +Subject: nfs: ignore SB_RDONLY when remounting nfs + +From: Li Lingfeng + +[ Upstream commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a ] + +In some scenarios, when mounting NFS, more than one superblock may be +created. The final superblock used is the last one created, but only the +first superblock carries the ro flag passed from user space. If a ro flag +is added to the superblock via remount, it will trigger the issue +described in Link[1]. + +Link[2] attempted to address this by marking the superblock as ro during +the initial mount. However, this introduced a new problem in scenarios +where multiple mount points share the same superblock: +[root@a ~]# mount /dev/sdb /mnt/sdb +[root@a ~]# echo "/mnt/sdb *(rw,no_root_squash)" > /etc/exports +[root@a ~]# echo "/mnt/sdb/test_dir2 *(ro,no_root_squash)" >> /etc/exports +[root@a ~]# systemctl restart nfs-server +[root@a ~]# mount -t nfs -o rw 127.0.0.1:/mnt/sdb/test_dir1 /mnt/test_mp1 +[root@a ~]# mount | grep nfs4 +127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (rw,relatime,... +[root@a ~]# mount -t nfs -o ro 127.0.0.1:/mnt/sdb/test_dir2 /mnt/test_mp2 +[root@a ~]# mount | grep nfs4 +127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (ro,relatime,... +127.0.0.1:/mnt/sdb/test_dir2 on /mnt/test_mp2 type nfs4 (ro,relatime,... +[root@a ~]# + +When mounting the second NFS, the shared superblock is marked as ro, +causing the previous NFS mount to become read-only. + +To resolve both issues, the ro flag is no longer applied to the superblock +during remount. Instead, the ro flag on the mount is used to control +whether the mount point is read-only. + +Fixes: 281cad46b34d ("NFS: Create a submount rpc_op") +Link[1]: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/ +Link[2]: https://lore.kernel.org/all/20241130035818.1459775-1-lilingfeng3@huawei.com/ +Signed-off-by: Li Lingfeng +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 27923c2b36f77..7c58a1688f7f7 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1000,6 +1000,16 @@ int nfs_reconfigure(struct fs_context *fc) + + sync_filesystem(sb); + ++ /* ++ * The SB_RDONLY flag has been removed from the superblock during ++ * mounts to prevent interference between different filesystems. ++ * Similarly, it is also necessary to ignore the SB_RDONLY flag ++ * during reconfiguration; otherwise, it may also result in the ++ * creation of redundant superblocks when mounting a directory with ++ * different rw and ro flags multiple times. ++ */ ++ fc->sb_flags_mask &= ~SB_RDONLY; ++ + /* + * Userspace mount programs that send binary options generally send + * them populated with default values. We have no way to know which +-- +2.39.5 + diff --git a/queue-5.10/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch b/queue-5.10/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch new file mode 100644 index 0000000000..9d205b9af4 --- /dev/null +++ b/queue-5.10/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch @@ -0,0 +1,56 @@ +From e57180d231591bec9959e0b9f59de168a10f7efd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 02:37:07 +0900 +Subject: nilfs2: add pointer check for nilfs_direct_propagate() + +From: Wentao Liang + +[ Upstream commit f43f02429295486059605997bc43803527d69791 ] + +Patch series "nilfs2: improve sanity checks in dirty state propagation". + +This fixes one missed check for block mapping anomalies and one improper +return of an error code during a preparation step for log writing, thereby +improving checking for filesystem corruption on writeback. + +This patch (of 2): + +In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr() +need to be checked to ensure it is not an invalid pointer. + +If the pointer value obtained by nilfs_direct_get_ptr() is +NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in +the nilfs_inode_info struct) that should point to the data block at the +buffer head of the argument is corrupted and the data block is orphaned, +meaning that the file system has lost consistency. + +Add a value check and return -EINVAL when it is an invalid pointer. + +Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com +Fixes: 36a580eb489f ("nilfs2: direct block mapping") +Signed-off-by: Wentao Liang +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/direct.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c +index 7faf8c285d6c9..a72371cd6b956 100644 +--- a/fs/nilfs2/direct.c ++++ b/fs/nilfs2/direct.c +@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap, + dat = nilfs_bmap_get_dat(bmap); + key = nilfs_bmap_data_get_key(bmap, bh); + ptr = nilfs_direct_get_ptr(bmap, key); ++ if (ptr == NILFS_BMAP_INVALID_PTR) ++ return -EINVAL; ++ + if (!buffer_nilfs_volatile(bh)) { + oldreq.pr_entry_nr = ptr; + newreq.pr_entry_nr = ptr; +-- +2.39.5 + diff --git a/queue-5.10/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch b/queue-5.10/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch new file mode 100644 index 0000000000..30dc0d4496 --- /dev/null +++ b/queue-5.10/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch @@ -0,0 +1,55 @@ +From 913ad7be6ece9a297f7f319a6b5ef782b2c67866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 02:37:08 +0900 +Subject: nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() + +From: Ryusuke Konishi + +[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ] + +In preparation for writing logs, in nilfs_btree_propagate(), which makes +parent and ancestor node blocks dirty starting from a modified data block +or b-tree node block, if the starting block does not belong to the b-tree, +i.e. is isolated, nilfs_btree_do_lookup() called within the function +fails with -ENOENT. + +In this case, even though -ENOENT is an internal code, it is propagated to +the log writer via nilfs_bmap_propagate() and may be erroneously returned +to system calls such as fsync(). + +Fix this issue by changing the error code to -EINVAL in this case, and +having the bmap layer detect metadata corruption and convert the error +code appropriately. + +Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com +Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl") +Signed-off-by: Ryusuke Konishi +Cc: Wentao Liang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index 7c9f4d79bdbc5..4a5e8495fa674 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -2097,11 +2097,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree, + + ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0); + if (ret < 0) { +- if (unlikely(ret == -ENOENT)) ++ if (unlikely(ret == -ENOENT)) { + nilfs_crit(btree->b_inode->i_sb, + "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d", + btree->b_inode->i_ino, + (unsigned long long)key, level); ++ ret = -EINVAL; ++ } + goto out; + } + +-- +2.39.5 + diff --git a/queue-5.10/pci-cadence-fix-runtime-atomic-count-underflow.patch b/queue-5.10/pci-cadence-fix-runtime-atomic-count-underflow.patch new file mode 100644 index 0000000000..aa46fc6991 --- /dev/null +++ b/queue-5.10/pci-cadence-fix-runtime-atomic-count-underflow.patch @@ -0,0 +1,53 @@ +From 48628c215a121dca9fe7e997c3a0c7116590e00f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Apr 2025 21:30:58 +0800 +Subject: PCI: cadence: Fix runtime atomic count underflow + +From: Hans Zhang <18255117159@163.com> + +[ Upstream commit 8805f32a96d3b97cef07999fa6f52112678f7e65 ] + +If the call to pci_host_probe() in cdns_pcie_host_setup() fails, PM +runtime count is decremented in the error path using pm_runtime_put_sync(). +But the runtime count is not incremented by this driver, but only by the +callers (cdns_plat_pcie_probe/j721e_pcie_probe). And the callers also +decrement the runtime PM count in their error path. So this leads to the +below warning from the PM core: + + "runtime PM usage count underflow!" + +So fix it by getting rid of pm_runtime_put_sync() in the error path and +directly return the errno. + +Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'") +Signed-off-by: Hans Zhang <18255117159@163.com> +Signed-off-by: Manivannan Sadhasivam +Link: https://patch.msgid.link/20250419133058.162048-1-18255117159@163.com +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c +index 4d8d15ac51ef4..c29176bdecd19 100644 +--- a/drivers/pci/controller/cadence/pcie-cadence-host.c ++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c +@@ -548,14 +548,5 @@ int cdns_pcie_host_setup(struct cdns_pcie_rc *rc) + if (!bridge->ops) + bridge->ops = &cdns_pcie_host_ops; + +- ret = pci_host_probe(bridge); +- if (ret < 0) +- goto err_init; +- +- return 0; +- +- err_init: +- pm_runtime_put_sync(dev); +- +- return ret; ++ return pci_host_probe(bridge); + } +-- +2.39.5 + diff --git a/queue-5.10/pci-dpc-initialize-aer_err_info-before-using-it.patch b/queue-5.10/pci-dpc-initialize-aer_err_info-before-using-it.patch new file mode 100644 index 0000000000..4a754c55e1 --- /dev/null +++ b/queue-5.10/pci-dpc-initialize-aer_err_info-before-using-it.patch @@ -0,0 +1,46 @@ +From 389f7aa3def4b524d48e9c5849b4f3aacc9f38c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 18:21:07 -0500 +Subject: PCI/DPC: Initialize aer_err_info before using it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjorn Helgaas + +[ Upstream commit a424b598e6a6c1e69a2bb801d6fd16e805ab2c38 ] + +Previously the struct aer_err_info "info" was allocated on the stack +without being initialized, so it contained junk except for the fields we +explicitly set later. + +Initialize "info" at declaration so it starts as all zeros. + +Fixes: 8aefa9b0d910 ("PCI/DPC: Print AER status in DPC event handling") +Signed-off-by: Bjorn Helgaas +Tested-by: Krzysztof Wilczyński +Reviewed-by: Kuppuswamy Sathyanarayanan +Reviewed-by: Ilpo Järvinen +Reviewed-by: Jonathan Cameron +Link: https://patch.msgid.link/20250522232339.1525671-2-helgaas@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/dpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c +index ab83f78f3eb1d..cabbaacdb6e61 100644 +--- a/drivers/pci/pcie/dpc.c ++++ b/drivers/pci/pcie/dpc.c +@@ -263,7 +263,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev, + void dpc_process_error(struct pci_dev *pdev) + { + u16 cap = pdev->dpc_cap, status, source, reason, ext_reason; +- struct aer_err_info info; ++ struct aer_err_info info = {}; + + pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status); + pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source); +-- +2.39.5 + diff --git a/queue-5.10/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch b/queue-5.10/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch new file mode 100644 index 0000000000..48641811e0 --- /dev/null +++ b/queue-5.10/perf-build-warn-when-libdebuginfod-devel-files-are-n.patch @@ -0,0 +1,111 @@ +From 9be047e7e9ce18dc91b52924d7f8bba52afc30d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 11:37:20 -0300 +Subject: perf build: Warn when libdebuginfod devel files are not available + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 4fce4b91fd1aabb326c46e237eb4b19ab72598f8 ] + +While working on 'perf version --build-options' I noticed that: + + $ perf version --build-options + perf version 6.15.rc1.g312a07a00d31 + aio: [ on ] # HAVE_AIO_SUPPORT + bpf: [ on ] # HAVE_LIBBPF_SUPPORT + bpf_skeletons: [ on ] # HAVE_BPF_SKEL + debuginfod: [ OFF ] # HAVE_DEBUGINFOD_SUPPORT + + +And looking at tools/perf/Makefile.config I also noticed that it is not +opt-in, meaning we will attempt to build with it in all normal cases. + +So add the usual warning at build time to let the user know that +something recommended is missing, now we see: + + Makefile.config:563: No elfutils/debuginfod.h found, no debuginfo server support, please install elfutils-debuginfod-client-devel or equivalent + +And after following the recommendation: + + $ perf check feature debuginfod + debuginfod: [ on ] # HAVE_DEBUGINFOD_SUPPORT + $ ldd ~/bin/perf | grep debuginfo + libdebuginfod.so.1 => /lib64/libdebuginfod.so.1 (0x00007fee5cf5f000) + $ + +With this feature on several perf tools will fetch what is needed and +not require all the contents of the debuginfo packages, for instance: + + # rpm -qa | grep kernel-debuginfo + # pahole --running_kernel_vmlinux + pahole: couldn't find a vmlinux that matches the running kernel + HINT: Maybe you're inside a container or missing a debuginfo package? + # + # perf trace -e open* perf probe --vars icmp_rcv + 0.000 ( 0.005 ms): perf/97391 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) = 3 + 0.014 ( 0.004 ms): perf/97391 openat(dfd: CWD, filename: "/lib64/libm.so.6", flags: RDONLY|CLOEXEC) = 3 + + 32130.100 ( 0.008 ms): perf/97391 openat(dfd: CWD, filename: "/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo") = 3 + + Available variables at icmp_rcv + @ + struct sk_buff* skb + + # + # pahole --running_kernel_vmlinux + /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + # file /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa3c82b4a13f9c0e0301bebb20fe958c4db6f362, with debug_info, not stripped + # ls -la /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + -r--------. 1 root root 475401512 Mar 27 21:00 /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo + # + +Then, cached: + + # perf stat --null perf probe --vars icmp_rcv + Available variables at icmp_rcv + @ + struct sk_buff* skb + + Performance counter stats for 'perf probe --vars icmp_rcv': + + 0.671389041 seconds time elapsed + + 0.519176000 seconds user + 0.150860000 seconds sys + +Fixes: c7a14fdcb3fa7736 ("perf build-ids: Fall back to debuginfod query if debuginfo not found") +Tested-by: Ingo Molnar +Cc: Adrian Hunter +Cc: Dmitriy Vyukov +Cc: Howard Chu +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Frank Ch. Eigler +Link: https://lore.kernel.org/r/Z_dkNDj9EPFwPqq1@gmail.com +[ Folded patch from Ingo to have the debian/ubuntu devel package added build warning message ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/Makefile.config | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config +index 89905b4e93091..e9edf29026eda 100644 +--- a/tools/perf/Makefile.config ++++ b/tools/perf/Makefile.config +@@ -521,6 +521,8 @@ ifndef NO_LIBELF + ifeq ($(feature-libdebuginfod), 1) + CFLAGS += -DHAVE_DEBUGINFOD_SUPPORT + EXTLIBS += -ldebuginfod ++ else ++ $(warning No elfutils/debuginfod.h found, no debuginfo server support, please install libdebuginfod-dev/elfutils-debuginfod-client-devel or equivalent) + endif + endif + +-- +2.39.5 + diff --git a/queue-5.10/perf-core-fix-broken-throttling-when-max_samples_per.patch b/queue-5.10/perf-core-fix-broken-throttling-when-max_samples_per.patch new file mode 100644 index 0000000000..68b389764d --- /dev/null +++ b/queue-5.10/perf-core-fix-broken-throttling-when-max_samples_per.patch @@ -0,0 +1,64 @@ +From bfc0b2fd0b81ef2be8af4c8815ed0ce7a8c27ade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Apr 2025 22:16:35 +0800 +Subject: perf/core: Fix broken throttling when max_samples_per_tick=1 + +From: Qing Wang + +[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ] + +According to the throttling mechanism, the pmu interrupts number can not +exceed the max_samples_per_tick in one tick. But this mechanism is +ineffective when max_samples_per_tick=1, because the throttling check is +skipped during the first interrupt and only performed when the second +interrupt arrives. + +Perhaps this bug may cause little influence in one tick, but if in a +larger time scale, the problem can not be underestimated. + +When max_samples_per_tick = 1: +Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH +200 100 100 X86 +500 250 250 ARM64 +... +Obviously, the pmu interrupt number far exceed the user's expect. + +Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling") +Signed-off-by: Qing Wang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 8f19d6ab039ef..21f56dd6c05a3 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9031,14 +9031,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle) + hwc->interrupts = 1; + } else { + hwc->interrupts++; +- if (unlikely(throttle && +- hwc->interrupts > max_samples_per_tick)) { +- __this_cpu_inc(perf_throttled_count); +- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); +- hwc->interrupts = MAX_INTERRUPTS; +- perf_log_throttle(event, 0); +- ret = 1; +- } ++ } ++ ++ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) { ++ __this_cpu_inc(perf_throttled_count); ++ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); ++ hwc->interrupts = MAX_INTERRUPTS; ++ perf_log_throttle(event, 0); ++ ret = 1; + } + + if (event->attr.freq) { +-- +2.39.5 + diff --git a/queue-5.10/perf-record-fix-incorrect-user-regs-comments.patch b/queue-5.10/perf-record-fix-incorrect-user-regs-comments.patch new file mode 100644 index 0000000000..e0ce1c172b --- /dev/null +++ b/queue-5.10/perf-record-fix-incorrect-user-regs-comments.patch @@ -0,0 +1,46 @@ +From 17ed6873c4213e2d3634aee1663d9b508ef887ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 06:08:10 +0000 +Subject: perf record: Fix incorrect --user-regs comments + +From: Dapeng Mi + +[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ] + +The comment of "--user-regs" option is not correct, fix it. + +"on interrupt," -> "in user space," + +Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments") +Reviewed-by: Ian Rogers +Signed-off-by: Dapeng Mi +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-record.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c +index 167cd8d3b7a21..42f6ec953b7cc 100644 +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -2516,7 +2516,7 @@ static struct option __record_options[] = { + "sample selected machine registers on interrupt," + " use '-I?' to list register names", parse_intr_regs), + OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register", +- "sample selected machine registers on interrupt," ++ "sample selected machine registers in user space," + " use '--user-regs=?' to list register names", parse_user_regs), + OPT_BOOLEAN(0, "running-time", &record.opts.running_time, + "Record running/enabled time of read (:S) events"), +-- +2.39.5 + diff --git a/queue-5.10/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch b/queue-5.10/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch new file mode 100644 index 0000000000..d5228aaf36 --- /dev/null +++ b/queue-5.10/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch @@ -0,0 +1,53 @@ +From 528e7a590eaaf85c703a222ec1bf5766362be32a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 12:39:32 +0300 +Subject: perf scripts python: exported-sql-viewer.py: Fix pattern matching + with Python 3 + +From: Adrian Hunter + +[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ] + +The script allows the user to enter patterns to find symbols. + +The pattern matching characters are converted for use in SQL. + +For PostgreSQL the conversion involves using the Python maketrans() +method which is slightly different in Python 3 compared with Python 2. + +Fix to work in Python 3. + +Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py") +Signed-off-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Tony Jones +Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py +index 711d4f9f5645c..4cea374b284c1 100755 +--- a/tools/perf/scripts/python/exported-sql-viewer.py ++++ b/tools/perf/scripts/python/exported-sql-viewer.py +@@ -679,7 +679,10 @@ class CallGraphModelBase(TreeModel): + s = value.replace("%", "\%") + s = s.replace("_", "\_") + # Translate * and ? into SQL LIKE pattern characters % and _ +- trans = string.maketrans("*?", "%_") ++ if sys.version_info[0] == 3: ++ trans = str.maketrans("*?", "%_") ++ else: ++ trans = string.maketrans("*?", "%_") + match = " LIKE '" + str(s).translate(trans) + "'" + else: + match = " GLOB '" + str(value) + "'" +-- +2.39.5 + diff --git a/queue-5.10/perf-tests-switch-tracking-fix-timestamp-comparison.patch b/queue-5.10/perf-tests-switch-tracking-fix-timestamp-comparison.patch new file mode 100644 index 0000000000..18fafa0db6 --- /dev/null +++ b/queue-5.10/perf-tests-switch-tracking-fix-timestamp-comparison.patch @@ -0,0 +1,102 @@ +From 7ae54f176f6ac1cef601b9e6169509751871f4b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 18:27:59 +0100 +Subject: perf tests switch-tracking: Fix timestamp comparison + +From: Leo Yan + +[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ] + +The test might fail on the Arm64 platform with the error: + + # perf test -vvv "Track with sched_switch" + Missing sched_switch events + # + +The issue is caused by incorrect handling of timestamp comparisons. The +comparison result, a signed 64-bit value, was being directly cast to an +int, leading to incorrect sorting for sched events. + +The case does not fail everytime, usually I can trigger the failure +after run 20 ~ 30 times: + + # while true; do perf test "Track with sched_switch"; done + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : FAILED! + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : FAILED! + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + +I used cross compiler to build Perf tool on my host machine and tested on +Debian / Juno board. Generally, I think this issue is not very specific +to GCC versions. As both internal CI and my local env can reproduce the +issue. + +My Host Build compiler: + + # aarch64-linux-gnu-gcc --version + aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0 + +Juno Board: + + # lsb_release -a + No LSB modules are available. + Distributor ID: Debian + Description: Debian GNU/Linux 12 (bookworm) + Release: 12 + Codename: bookworm + +Fix this by explicitly returning 0, 1, or -1 based on whether the result +is zero, positive, or negative. + +Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch") +Reviewed-by: Ian Rogers +Signed-off-by: Leo Yan +Cc: Adrian Hunter +Cc: James Clark +Cc: Kan Liang +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/switch-tracking.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c +index db5e1f70053a8..7b28d468fc6e8 100644 +--- a/tools/perf/tests/switch-tracking.c ++++ b/tools/perf/tests/switch-tracking.c +@@ -255,7 +255,7 @@ static int compar(const void *a, const void *b) + const struct event_node *nodeb = b; + s64 cmp = nodea->event_time - nodeb->event_time; + +- return cmp; ++ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0); + } + + static int process_events(struct evlist *evlist, +-- +2.39.5 + diff --git a/queue-5.10/perf-ui-browser-hists-set-actions-thread-before-call.patch b/queue-5.10/perf-ui-browser-hists-set-actions-thread-before-call.patch new file mode 100644 index 0000000000..ba48321187 --- /dev/null +++ b/queue-5.10/perf-ui-browser-hists-set-actions-thread-before-call.patch @@ -0,0 +1,62 @@ +From cd76f981f0415ea16474844a8d21ac6ab531d4a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 21:58:19 -0300 +Subject: perf ui browser hists: Set actions->thread before calling + do_zoom_thread() + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ] + +In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct +perf_hpp_list") it assumes that act->thread is set prior to calling +do_zoom_thread(). + +This doesn't happen when we use ESC or the Left arrow key to Zoom out of +a specific thread, making this operation not to work and we get stuck +into the thread zoom. + +In 6422184b087ff435 ("perf hists browser: Simplify zooming code using +pstack_peek()") it says no need to set actions->thread, and at that +point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL +check was added before the zoom out of thread could kick in. + +We can zoom out using the alternative 't' thread zoom toggle hotkey to +finally set actions->thread before calling do_zoom_thread() and zoom +out, but lets also fix the ESC/Zoom out of thread case. + +Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list") +Reported-by: Ingo Molnar +Tested-by: Ingo Molnar +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/hists.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c +index f2586e46d53e8..19e79e159996a 100644 +--- a/tools/perf/ui/browsers/hists.c ++++ b/tools/perf/ui/browsers/hists.c +@@ -3241,10 +3241,10 @@ static int perf_evsel__hists_browse(struct evsel *evsel, int nr_events, + /* + * No need to set actions->dso here since + * it's just to remove the current filter. +- * Ditto for thread below. + */ + do_zoom_dso(browser, actions); + } else if (top == &browser->hists->thread_filter) { ++ actions->thread = thread; + do_zoom_thread(browser, actions); + } else if (top == &browser->hists->socket_filter) { + do_zoom_socket(browser, actions); +-- +2.39.5 + diff --git a/queue-5.10/pinctrl-at91-fix-possible-out-of-boundary-access.patch b/queue-5.10/pinctrl-at91-fix-possible-out-of-boundary-access.patch new file mode 100644 index 0000000000..3c6a5efcde --- /dev/null +++ b/queue-5.10/pinctrl-at91-fix-possible-out-of-boundary-access.patch @@ -0,0 +1,50 @@ +From 7ff754303a4df85679bd822b14a910788fd72ed0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 23:08:07 +0300 +Subject: pinctrl: at91: Fix possible out-of-boundary access + +From: Andy Shevchenko + +[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ] + +at91_gpio_probe() doesn't check that given OF alias is not available or +something went wrong when trying to get it. This might have consequences +when accessing gpio_chips array with that value as an index. Note, that +BUG() can be compiled out and hence won't actually perform the required +checks. + +Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support") +Signed-off-by: Andy Shevchenko +Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/ +Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index bb9348f14b1ba..3b299f4e2c930 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -1820,12 +1820,16 @@ static int at91_gpio_probe(struct platform_device *pdev) + struct at91_gpio_chip *at91_chip = NULL; + struct gpio_chip *chip; + struct pinctrl_gpio_range *range; ++ int alias_idx; + int ret = 0; + int irq, i; +- int alias_idx = of_alias_get_id(np, "gpio"); + uint32_t ngpio; + char **names; + ++ alias_idx = of_alias_get_id(np, "gpio"); ++ if (alias_idx < 0) ++ return alias_idx; ++ + BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips)); + if (gpio_chips[alias_idx]) { + ret = -EBUSY; +-- +2.39.5 + diff --git a/queue-5.10/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch b/queue-5.10/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch new file mode 100644 index 0000000000..418cbb864e --- /dev/null +++ b/queue-5.10/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch @@ -0,0 +1,60 @@ +From 4f8f6bb26cda27e0370c9fa98184f78edf43a58b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 18:19:27 +0200 +Subject: PM: sleep: Fix power.is_suspended cleanup for direct-complete devices + +From: Rafael J. Wysocki + +[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ] + +Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete +set on errors") caused power.is_suspended to be set for devices with +power.direct_complete set, but it forgot to ensure the clearing of that +flag for them in device_resume(), so power.is_suspended is still set for +them during the next system suspend-resume cycle. + +If that cycle is aborted in dpm_suspend(), the subsequent invocation of +dpm_resume() will trigger a device_resume() call for every device and +because power.is_suspended is set for the devices in question, they will +not be skipped by device_resume() as expected which causes scary error +messages to be logged (as appropriate). + +To address this issue, move the clearing of power.is_suspended in +device_resume() immediately after the power.is_suspended check so it +will be always cleared for all devices processed by that function. + +Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280 +Reported-and-tested-by: Chris Bainbridge +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mario Limonciello +Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 00a0bdcbb4aa8..5600ceb9212d9 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -903,6 +903,8 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async) + if (!dev->power.is_suspended) + goto Complete; + ++ dev->power.is_suspended = false; ++ + if (dev->power.direct_complete) { + /* Match the pm_runtime_disable() in __device_suspend(). */ + pm_runtime_enable(dev); +@@ -958,7 +960,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async) + + End: + error = dpm_run_callback(callback, dev, state, info); +- dev->power.is_suspended = false; + + device_unlock(dev); + dpm_watchdog_clear(&wd); +-- +2.39.5 + diff --git a/queue-5.10/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch b/queue-5.10/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch new file mode 100644 index 0000000000..6f81bb8558 --- /dev/null +++ b/queue-5.10/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch @@ -0,0 +1,45 @@ +From 4225b8d7763c5060f8e4741fcc332bb619fd89e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 17:26:51 +0800 +Subject: PM: wakeup: Delete space in the end of string shown by + pm_show_wakelocks() + +From: Zijun Hu + +[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ] + +pm_show_wakelocks() is called to generate a string when showing +attributes /sys/power/wake_(lock|unlock), but the string ends +with an unwanted space that was added back by mistake by commit +c9d967b2ce40 ("PM: wakeup: simplify the output logic of +pm_show_wakelocks()"). + +Remove the unwanted space. + +Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()") +Signed-off-by: Zijun Hu +Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/wakelock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c +index 52571dcad768b..4e941999a53ba 100644 +--- a/kernel/power/wakelock.c ++++ b/kernel/power/wakelock.c +@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active) + len += sysfs_emit_at(buf, len, "%s ", wl->name); + } + ++ if (len > 0) ++ --len; ++ + len += sysfs_emit_at(buf, len, "\n"); + + mutex_unlock(&wakelocks_lock); +-- +2.39.5 + diff --git a/queue-5.10/power-reset-at91-reset-optimize-at91_reset.patch b/queue-5.10/power-reset-at91-reset-optimize-at91_reset.patch new file mode 100644 index 0000000000..78a1553118 --- /dev/null +++ b/queue-5.10/power-reset-at91-reset-optimize-at91_reset.patch @@ -0,0 +1,56 @@ +From 1f1ec89acd56ce05e0c9fda2e99ffdc58c6111e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 08:38:09 +0300 +Subject: power: reset: at91-reset: Optimize at91_reset() + +From: Alexander Shiyan + +[ Upstream commit 62d48983f215bf1dd48665913318101fa3414dcf ] + +This patch adds a small optimization to the low-level at91_reset() +function, which includes: +- Removes the extra branch, since the following store operations + already have proper condition checks. +- Removes the definition of the clobber register r4, since it is + no longer used in the code. + +Fixes: fcd0532fac2a ("power: reset: at91-reset: make at91sam9g45_restart() generic") +Signed-off-by: Alexander Shiyan +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20250307053809.20245-1-eagle.alexander923@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/at91-reset.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c +index 3ff9d93a52267..6659001291f41 100644 +--- a/drivers/power/reset/at91-reset.c ++++ b/drivers/power/reset/at91-reset.c +@@ -81,12 +81,11 @@ static int at91_reset(struct notifier_block *this, unsigned long mode, + " str %4, [%0, %6]\n\t" + /* Disable SDRAM1 accesses */ + "1: tst %1, #0\n\t" +- " beq 2f\n\t" + " strne %3, [%1, #" __stringify(AT91_DDRSDRC_RTR) "]\n\t" + /* Power down SDRAM1 */ + " strne %4, [%1, %6]\n\t" + /* Reset CPU */ +- "2: str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t" ++ " str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t" + + " b .\n\t" + : +@@ -97,7 +96,7 @@ static int at91_reset(struct notifier_block *this, unsigned long mode, + "r" cpu_to_le32(AT91_DDRSDRC_LPCB_POWER_DOWN), + "r" (reset->args), + "r" (reset->ramc_lpr) +- : "r4"); ++ ); + + return NOTIFY_DONE; + } +-- +2.39.5 + diff --git a/queue-5.10/randstruct-gcc-plugin-fix-attribute-addition.patch b/queue-5.10/randstruct-gcc-plugin-fix-attribute-addition.patch new file mode 100644 index 0000000000..6106dd3623 --- /dev/null +++ b/queue-5.10/randstruct-gcc-plugin-fix-attribute-addition.patch @@ -0,0 +1,134 @@ +From 2107f3cea2e7ca8efbda0a195561f183f5fdf394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 15:18:28 -0700 +Subject: randstruct: gcc-plugin: Fix attribute addition + +From: Kees Cook + +[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ] + +Based on changes in the 2021 public version of the randstruct +out-of-tree GCC plugin[1], more carefully update the attributes on +resulting decls, to avoid tripping checks in GCC 15's +comptypes_check_enum_int() when it has been configured with +"--enable-checking=misc": + +arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519 + 132 | const struct kexec_file_ops kexec_image_ops = { + | ^~~~~~~~~~~~~~ + internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517 + fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803 + comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519 + ... + +Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1] +Reported-by: Thiago Jung Bauermann +Closes: https://github.com/KSPP/linux/issues/367 +Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/ +Reported-by: Ingo Saitz +Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745 +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Tested-by: Thiago Jung Bauermann +Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++ + scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++------- + 2 files changed, 43 insertions(+), 11 deletions(-) + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index 0c037b8845308..50fe17ce569c9 100644 +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -185,6 +185,38 @@ static inline tree build_const_char_string(int len, const char *str) + return cstr; + } + ++static inline void __add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree oldattr; ++ ++ if (type == NULL_TREE) ++ return; ++ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type)); ++ if (oldattr != NULL_TREE) { ++ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args)); ++ return; ++ } ++ ++ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); ++ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type)); ++} ++ ++static inline void add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree main_variant = TYPE_MAIN_VARIANT(type); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args); ++ __add_type_attr(main_variant, attr, args); ++ ++ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) { ++ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type))) ++ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ } ++} ++ + #define PASS_INFO(NAME, REF, ID, POS) \ + struct register_pass_info NAME##_pass_info = { \ + .pass = make_##NAME##_pass(), \ +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index a5aea51ecca99..472427f169a4a 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -95,6 +95,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f + + if (TYPE_P(*node)) { + type = *node; ++ } else if (TREE_CODE(*node) == FIELD_DECL) { ++ *no_add_attrs = false; ++ return NULL_TREE; + } else { + gcc_assert(TREE_CODE(*node) == TYPE_DECL); + type = TREE_TYPE(*node); +@@ -381,15 +384,14 @@ static int relayout_struct(tree type) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + ++ add_type_attr(type, "randomize_performed", NULL_TREE); ++ add_type_attr(type, "designated_init", NULL_TREE); ++ if (has_flexarray) ++ add_type_attr(type, "has_flexarray", NULL_TREE); ++ + main_variant = TYPE_MAIN_VARIANT(type); +- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { ++ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) + TYPE_FIELDS(variant) = newtree[0]; +- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- if (has_flexarray) +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } + + /* + * force a re-layout of the main variant +@@ -457,10 +459,8 @@ static void randomize_type(tree type) + if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type)) + relayout_struct(type); + +- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } ++ add_type_attr(type, "randomize_considered", NULL_TREE); ++ + #ifdef __DEBUG_PLUGIN + fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type)); + #ifdef __DEBUG_VERBOSE +-- +2.39.5 + diff --git a/queue-5.10/randstruct-gcc-plugin-remove-bogus-void-member.patch b/queue-5.10/randstruct-gcc-plugin-remove-bogus-void-member.patch new file mode 100644 index 0000000000..7e1a0ad3a8 --- /dev/null +++ b/queue-5.10/randstruct-gcc-plugin-remove-bogus-void-member.patch @@ -0,0 +1,119 @@ +From 17c7c8f398bc703607bfe1360e581a5905a903dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Apr 2025 00:37:52 -0700 +Subject: randstruct: gcc-plugin: Remove bogus void member +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ] + +When building the randomized replacement tree of struct members, the +randstruct GCC plugin would insert, as the first member, a 0-sized void +member. This appears as though it was done to catch non-designated +("unnamed") static initializers, which wouldn't be stable since they +depend on the original struct layout order. + +This was accomplished by having the side-effect of the "void member" +tripping an assert in GCC internals (count_type_elements) if the member +list ever needed to be counted (e.g. for figuring out the order of members +during a non-designated initialization), which would catch impossible type +(void) in the struct: + +security/landlock/fs.c: In function ‘hook_file_ioctl_common’: +security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075 + 1745 | .u.op = &(struct lsm_ioctlop_audit) { + | ^ + +static HOST_WIDE_INT +count_type_elements (const_tree type, bool for_ctor_p) +{ + switch (TREE_CODE (type)) +... + case VOID_TYPE: + default: + gcc_unreachable (); + } +} + +However this is a redundant safety measure since randstruct uses the +__designated_initializer attribute both internally and within the +__randomized_layout attribute macro so that this would be enforced +by the compiler directly even when randstruct was not enabled (via +-Wdesignated-init). + +A recent change in Landlock ended up tripping the same member counting +routine when using a full-struct copy initializer as part of an anonymous +initializer. This, however, is a false positive as the initializer is +copying between identical structs (and hence identical layouts). The +"path" member is "struct path", a randomized struct, and is being copied +to from another "struct path", the "f_path" member: + + landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) { + .type = LANDLOCK_REQUEST_FS_ACCESS, + .audit = { + .type = LSM_AUDIT_DATA_IOCTL_OP, + .u.op = &(struct lsm_ioctlop_audit) { + .path = file->f_path, + .cmd = cmd, + }, + }, + ... + +As can be seen with the coming randstruct KUnit test, there appears to +be no behavioral problems with this kind of initialization when the void +member is removed from the randstruct GCC plugin, so remove it. + +Reported-by: "Dr. David Alan Gilbert" +Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/ +Reported-by: Mark Brown +Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/ +Reported-by: WangYuli +Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/ +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/randomize_layout_plugin.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index c7ff92b4189cb..a5aea51ecca99 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -377,29 +377,13 @@ static int relayout_struct(tree type) + + shuffle(type, (tree *)newtree, shuffle_length); + +- /* +- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers +- * as gcc provides no other way to detect such code +- */ +- list = make_node(FIELD_DECL); +- TREE_CHAIN(list) = newtree[0]; +- TREE_TYPE(list) = void_type_node; +- DECL_SIZE(list) = bitsize_zero_node; +- DECL_NONADDRESSABLE_P(list) = 1; +- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node; +- DECL_SIZE_UNIT(list) = size_zero_node; +- DECL_FIELD_OFFSET(list) = size_zero_node; +- DECL_CONTEXT(list) = type; +- // to satisfy the constify plugin +- TREE_READONLY(list) = 1; +- + for (i = 0; i < num_fields - 1; i++) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + + main_variant = TYPE_MAIN_VARIANT(type); + for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_FIELDS(variant) = list; ++ TYPE_FIELDS(variant) = newtree[0]; + TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); + TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); + TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +-- +2.39.5 + diff --git a/queue-5.10/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch b/queue-5.10/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch new file mode 100644 index 0000000000..a4ac72d2db --- /dev/null +++ b/queue-5.10/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch @@ -0,0 +1,80 @@ +From e92ae63f184827a56636c06fb145a04c82e0d162 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 21:27:49 +0800 +Subject: RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h + +From: Junxian Huang + +[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ] + +hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the +inline function hns_roce_write64(), but it doesn't include this +header currently. This leads to that files including +hns_roce_hw_v2.h must also include hnae3.h to avoid compilation +errors, even if they themselves don't really rely on hnae3.h. +This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h +directly. + +Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 - + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + + drivers/infiniband/hw/hns/hns_roce_main.c | 1 - + drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 - + 4 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 13aa8dd42f7d6..bb744ba155e2b 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -42,7 +42,6 @@ + #include + #include + +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_cmd.h" +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index 8948d2b5577d5..80d14261cc4e1 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -34,6 +34,7 @@ + #define _HNS_ROCE_HW_V2_H + + #include ++#include "hnae3.h" + + #define HNS_ROCE_VF_QPC_BT_NUM 256 + #define HNS_ROCE_VF_SCCC_BT_NUM 64 +diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c +index 3c79668c6b3b5..9078855aad184 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_main.c ++++ b/drivers/infiniband/hw/hns/hns_roce_main.c +@@ -37,7 +37,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include +diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c +index 259444c0a6301..8acab99f7ea6a 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c ++++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c +@@ -4,7 +4,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hw_v2.h" +-- +2.39.5 + diff --git a/queue-5.10/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch b/queue-5.10/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch new file mode 100644 index 0000000000..225c924a3a --- /dev/null +++ b/queue-5.10/rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch @@ -0,0 +1,140 @@ +From 7f75feb5d8dffc634b21501329c4dd932496119b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 14:34:07 +0300 +Subject: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction + +From: Patrisious Haddad + +[ Upstream commit 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 ] + +Upon RQ destruction if the firmware command fails which is the +last resource to be destroyed some SW resources were already cleaned +regardless of the failure. + +Now properly rollback the object to its original state upon such failure. + +In order to avoid a use-after free in case someone tries to destroy the +object again, which results in the following kernel trace: +refcount_t: underflow; use-after-free. +WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 +Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) +CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1 +Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : refcount_warn_saturate+0xf4/0x148 +lr : refcount_warn_saturate+0xf4/0x148 +sp : ffff80008b81b7e0 +x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 +x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 +x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 +x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 +x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f +x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78 +x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 +x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff +x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 +x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 +Call trace: + refcount_warn_saturate+0xf4/0x148 + mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib] + mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib] + mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib] + ib_destroy_wq_user+0x30/0xc0 [ib_core] + uverbs_free_wq+0x28/0x58 [ib_uverbs] + destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs] + uverbs_destroy_uobject+0x48/0x240 [ib_uverbs] + __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs] + uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs] + ib_uverbs_close+0x2c/0x100 [ib_uverbs] + __fput+0xd8/0x2f0 + __fput_sync+0x50/0x70 + __arm64_sys_close+0x40/0x90 + invoke_syscall.constprop.0+0x74/0xd0 + do_el0_svc+0x48/0xe8 + el0_svc+0x44/0x1d0 + el0t_64_sync_handler+0x120/0x130 + el0t_64_sync+0x1a4/0x1a8 + +Fixes: e2013b212f9f ("net/mlx5_core: Add RQ and SQ event handling") +Signed-off-by: Patrisious Haddad +Link: https://patch.msgid.link/3181433ccdd695c63560eeeb3f0c990961732101.1745839855.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/qpc.c | 30 ++++++++++++++++++++++++++++-- + include/linux/mlx5/driver.h | 1 + + 2 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c +index 9a306da7f9496..245b7675bb4d9 100644 +--- a/drivers/infiniband/hw/mlx5/qpc.c ++++ b/drivers/infiniband/hw/mlx5/qpc.c +@@ -21,8 +21,10 @@ mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn) + spin_lock_irqsave(&table->lock, flags); + + common = radix_tree_lookup(&table->tree, rsn); +- if (common) ++ if (common && !common->invalid) + refcount_inc(&common->refcount); ++ else ++ common = NULL; + + spin_unlock_irqrestore(&table->lock, flags); + +@@ -172,6 +174,18 @@ static int create_resource_common(struct mlx5_ib_dev *dev, + return 0; + } + ++static void modify_resource_common_state(struct mlx5_ib_dev *dev, ++ struct mlx5_core_qp *qp, ++ bool invalid) ++{ ++ struct mlx5_qp_table *table = &dev->qp_table; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&table->lock, flags); ++ qp->common.invalid = invalid; ++ spin_unlock_irqrestore(&table->lock, flags); ++} ++ + static void destroy_resource_common(struct mlx5_ib_dev *dev, + struct mlx5_core_qp *qp) + { +@@ -578,8 +592,20 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen, + int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev, + struct mlx5_core_qp *rq) + { ++ int ret; ++ ++ /* The rq destruction can be called again in case it fails, hence we ++ * mark the common resource as invalid and only once FW destruction ++ * is completed successfully we actually destroy the resources. ++ */ ++ modify_resource_common_state(dev, rq, true); ++ ret = destroy_rq_tracked(dev, rq->qpn, rq->uid); ++ if (ret) { ++ modify_resource_common_state(dev, rq, false); ++ return ret; ++ } + destroy_resource_common(dev, rq); +- return destroy_rq_tracked(dev, rq->qpn, rq->uid); ++ return 0; + } + + static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid) +diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h +index 56cb2fbc496e6..0737d5fc35c75 100644 +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -390,6 +390,7 @@ struct mlx5_core_rsc_common { + enum mlx5_res_type res; + refcount_t refcount; + struct completion free; ++ bool invalid; + }; + + struct mlx5_uars_page { +-- +2.39.5 + diff --git a/queue-5.10/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch b/queue-5.10/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch new file mode 100644 index 0000000000..5749d6c0ef --- /dev/null +++ b/queue-5.10/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch @@ -0,0 +1,38 @@ +From d6848c99aa7ad1bdb43473206a9cdb3328e73689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 20:22:05 +0300 +Subject: rpmsg: qcom_smd: Fix uninitialized return variable in + __qcom_smd_send() + +From: Dan Carpenter + +[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ] + +The "ret" variable isn't initialized if we don't enter the loop. For +example, if "channel->state" is not SMD_CHANNEL_OPENED. + +Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index b5167ef93abf9..6facf1b31d463 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data, + __le32 hdr[5] = { cpu_to_le32(len), }; + int tlen = sizeof(hdr) + len; + unsigned long flags; +- int ret; ++ int ret = 0; + + /* Word aligned channels only accept word size aligned data */ + if (channel->info_word && len % 4) +-- +2.39.5 + diff --git a/queue-5.10/rtc-fix-offset-calculation-for-.start_secs-0.patch b/queue-5.10/rtc-fix-offset-calculation-for-.start_secs-0.patch new file mode 100644 index 0000000000..33926842aa --- /dev/null +++ b/queue-5.10/rtc-fix-offset-calculation-for-.start_secs-0.patch @@ -0,0 +1,58 @@ +From 64ba5109766447ab79fd9e470e1ff9ebcec0d3bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 12:06:48 +0200 +Subject: rtc: Fix offset calculation for .start_secs < 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandre Mergnat + +[ Upstream commit fe9f5f96cfe8b82d0f24cbfa93718925560f4f8d ] + +The comparison + + rtc->start_secs > rtc->range_max + +has a signed left-hand side and an unsigned right-hand side. +So the comparison might become true for negative start_secs which is +interpreted as a (possibly very large) positive value. + +As a negative value can never be bigger than an unsigned value +the correct representation of the (mathematical) comparison + + rtc->start_secs > rtc->range_max + +in C is: + + rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max + +Use that to fix the offset calculation currently used in the +rtc-mt6397 driver. + +Fixes: 989515647e783 ("rtc: Add one offset seconds to expand RTC range") +Signed-off-by: Alexandre Mergnat +Reviewed-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20250428-enable-rtc-v4-2-2b2f7e3f9349@baylibre.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/class.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c +index 625effe6cb65f..b1ce3bd724b2c 100644 +--- a/drivers/rtc/class.c ++++ b/drivers/rtc/class.c +@@ -314,7 +314,7 @@ static void rtc_device_get_offset(struct rtc_device *rtc) + * + * Otherwise the offset seconds should be 0. + */ +- if (rtc->start_secs > rtc->range_max || ++ if ((rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max) || + rtc->start_secs + range_secs - 1 < rtc->range_min) + rtc->offset_secs = rtc->start_secs - rtc->range_min; + else if (rtc->start_secs > rtc->range_min) +-- +2.39.5 + diff --git a/queue-5.10/rtc-sh-assign-correct-interrupts-with-dt.patch b/queue-5.10/rtc-sh-assign-correct-interrupts-with-dt.patch new file mode 100644 index 0000000000..ac89b46412 --- /dev/null +++ b/queue-5.10/rtc-sh-assign-correct-interrupts-with-dt.patch @@ -0,0 +1,51 @@ +From 92ede53fbea95684128dd50322d70b78e6ccfb83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 14:42:56 +0100 +Subject: rtc: sh: assign correct interrupts with DT + +From: Wolfram Sang + +[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ] + +The DT bindings for this driver define the interrupts in the order as +they are numbered in the interrupt controller. The old platform_data, +however, listed them in a different order. So, for DT based platforms, +they are mixed up. Assign them specifically for DT, so we can keep the +bindings stable. After the fix, 'rtctest' passes again on the Renesas +Genmai board (RZ-A1 / R7S72100). + +Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series") +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-sh.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c +index 9167b48014a15..7d2367104a9bf 100644 +--- a/drivers/rtc/rtc-sh.c ++++ b/drivers/rtc/rtc-sh.c +@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev) + return -ENOENT; + } + +- rtc->periodic_irq = ret; +- rtc->carry_irq = platform_get_irq(pdev, 1); +- rtc->alarm_irq = platform_get_irq(pdev, 2); ++ if (!pdev->dev.of_node) { ++ rtc->periodic_irq = ret; ++ rtc->carry_irq = platform_get_irq(pdev, 1); ++ rtc->alarm_irq = platform_get_irq(pdev, 2); ++ } else { ++ rtc->alarm_irq = ret; ++ rtc->periodic_irq = platform_get_irq(pdev, 1); ++ rtc->carry_irq = platform_get_irq(pdev, 2); ++ } + + res = platform_get_resource(pdev, IORESOURCE_IO, 0); + if (!res) +-- +2.39.5 + diff --git a/queue-5.10/s390-bpf-store-backchain-even-for-leaf-progs.patch b/queue-5.10/s390-bpf-store-backchain-even-for-leaf-progs.patch new file mode 100644 index 0000000000..2fdafb99f6 --- /dev/null +++ b/queue-5.10/s390-bpf-store-backchain-even-for-leaf-progs.patch @@ -0,0 +1,68 @@ +From 05a2dbded0722ed778234a6d11da8e2b50a4ec43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 14:26:15 +0200 +Subject: s390/bpf: Store backchain even for leaf progs + +From: Ilya Leoshkevich + +[ Upstream commit 5f55f2168432298f5a55294831ab6a76a10cb3c3 ] + +Currently a crash in a leaf prog (caused by a bug) produces the +following call trace: + + [<000003ff600ebf00>] bpf_prog_6df0139e1fbf2789_fentry+0x20/0x78 + [<0000000000000000>] 0x0 + +This is because leaf progs do not store backchain. Fix by making all +progs do it. This is what GCC and Clang-generated code does as well. +Now the call trace looks like this: + + [<000003ff600eb0f2>] bpf_prog_6df0139e1fbf2789_fentry+0x2a/0x80 + [<000003ff600ed096>] bpf_trampoline_201863462940+0x96/0xf4 + [<000003ff600e3a40>] bpf_prog_05f379658fdd72f2_classifier_0+0x58/0xc0 + [<000003ffe0aef070>] bpf_test_run+0x210/0x390 + [<000003ffe0af0dc2>] bpf_prog_test_run_skb+0x25a/0x668 + [<000003ffe038a90e>] __sys_bpf+0xa46/0xdb0 + [<000003ffe038ad0c>] __s390x_sys_bpf+0x44/0x50 + [<000003ffe0defea8>] __do_syscall+0x150/0x280 + [<000003ffe0e01d5c>] system_call+0x74/0x98 + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Ilya Leoshkevich +Link: https://lore.kernel.org/r/20250512122717.54878-1-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index cd0cbdafedbd2..03742d7cb61ac 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -543,17 +543,15 @@ static void bpf_jit_prologue(struct bpf_jit *jit, u32 stack_depth) + } + /* Setup stack and backchain */ + if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) { +- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC)) +- /* lgr %w1,%r15 (backchain) */ +- EMIT4(0xb9040000, REG_W1, REG_15); ++ /* lgr %w1,%r15 (backchain) */ ++ EMIT4(0xb9040000, REG_W1, REG_15); + /* la %bfp,STK_160_UNUSED(%r15) (BPF frame pointer) */ + EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15, STK_160_UNUSED); + /* aghi %r15,-STK_OFF */ + EMIT4_IMM(0xa70b0000, REG_15, -(STK_OFF + stack_depth)); +- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC)) +- /* stg %w1,152(%r15) (backchain) */ +- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, +- REG_15, 152); ++ /* stg %w1,152(%r15) (backchain) */ ++ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0, ++ REG_15, 152); + } + } + +-- +2.39.5 + diff --git a/queue-5.10/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch b/queue-5.10/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch new file mode 100644 index 0000000000..0837a29276 --- /dev/null +++ b/queue-5.10/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch @@ -0,0 +1,53 @@ +From 5a9eecacc100af0cc11a09bcf67066e43d30cb7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 09:40:58 +0000 +Subject: selftests/seccomp: fix syscall_restart test for arm compat + +From: Neill Kapron + +[ Upstream commit 797002deed03491215a352ace891749b39741b69 ] + +The inconsistencies in the systcall ABI between arm and arm-compat can +can cause a failure in the syscall_restart test due to the logic +attempting to work around the differences. The 'machine' field for an +ARM64 device running in compat mode can report 'armv8l' or 'armv8b' +which matches with the string 'arm' when only examining the first three +characters of the string. + +This change adds additional validation to the workaround logic to make +sure we only take the arm path when running natively, not in arm-compat. + +Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64") +Signed-off-by: Neill Kapron +Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 413a7b9f3c4d3..7f62635226fd3 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -3081,12 +3081,15 @@ TEST(syscall_restart) + ret = get_syscall(_metadata, child_pid); + #if defined(__arm__) + /* +- * FIXME: + * - native ARM registers do NOT expose true syscall. + * - compat ARM registers on ARM64 DO expose true syscall. ++ * - values of utsbuf.machine include 'armv8l' or 'armb8b' ++ * for ARM64 running in compat mode. + */ + ASSERT_EQ(0, uname(&utsbuf)); +- if (strncmp(utsbuf.machine, "arm", 3) == 0) { ++ if ((strncmp(utsbuf.machine, "arm", 3) == 0) && ++ (strncmp(utsbuf.machine, "armv8l", 6) != 0) && ++ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) { + EXPECT_EQ(__NR_nanosleep, ret); + } else + #endif +-- +2.39.5 + diff --git a/queue-5.10/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch b/queue-5.10/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch new file mode 100644 index 0000000000..8899ebaed2 --- /dev/null +++ b/queue-5.10/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch @@ -0,0 +1,43 @@ +From 14db9bbdd86c27c5d998d801e4b5bbc2e0bb3bff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 15:03:39 +0800 +Subject: serial: Fix potential null-ptr-deref in mlb_usio_probe() + +From: Henry Martin + +[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ] + +devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() +does not check for this case, which could result in a NULL pointer +dereference. + +Add NULL check after devm_ioremap() to prevent this issue. + +Fixes: ba44dc043004 ("serial: Add Milbeaut serial control") +Signed-off-by: Henry Martin +Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/milbeaut_usio.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c +index 8f2cab7f66ad3..d9f094514945b 100644 +--- a/drivers/tty/serial/milbeaut_usio.c ++++ b/drivers/tty/serial/milbeaut_usio.c +@@ -523,7 +523,10 @@ static int mlb_usio_probe(struct platform_device *pdev) + } + port->membase = devm_ioremap(&pdev->dev, res->start, + resource_size(res)); +- ++ if (!port->membase) { ++ ret = -ENOMEM; ++ goto failed; ++ } + ret = platform_get_irq_byname(pdev, "rx"); + mlb_usio_irq[index][RX] = ret; + +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series index 7df308eb22..0171cbdd95 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -7,3 +7,100 @@ usb-storage-ignore-uas-driver-for-sandisk-3.2-gen2-storage-device.patch usb-usbtmc-fix-timeout-value-in-get_stb.patch thunderbolt-do-not-double-dequeue-a-configuration-request.patch netfilter-nft_socket-fix-sk-refcount-leaks.patch +gfs2-gfs2_create_inode-error-handling-fix.patch +perf-core-fix-broken-throttling-when-max_samples_per.patch +crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch +x86-cpu-sanitize-cpuid-0x80000000-output.patch +crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch +crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch +crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch +crypto-xts-only-add-ecb-if-it-is-not-already-there.patch +crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch +edac-skx_common-fix-general-protection-fault.patch +power-reset-at91-reset-optimize-at91_reset.patch +pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch +x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch +acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch +spi-sh-msiof-fix-maximum-dma-transfer-size.patch +drm-vmwgfx-add-seqno-waiter-for-sync_files.patch +media-rkvdec-fix-frame-size-enumeration.patch +m68k-mac-fix-macintosh_config-for-mac-ii.patch +firmware-psci-fix-refcount-leak-in-psci_dt_init.patch +selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch +drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch +drm-vkms-adjust-vkms_state-active_planes-allocation-.patch +drm-tegra-rgb-fix-the-unbound-reference-count.patch +firmware-sdei-allow-sdei-initialization-without-acpi.patch +wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch +f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch +net-ncsi-fix-gcps-64-bit-member-variables.patch +wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch +rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch +f2fs-clean-up-w-fscrypt_is_bounce_page.patch +netfilter-bridge-move-specific-fragmented-packet-to-.patch +rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch +clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch +ktls-sockmap-fix-missing-uncharge-operation.patch +libbpf-use-proper-errno-value-in-nlattr.patch +pinctrl-at91-fix-possible-out-of-boundary-access.patch +bpf-fix-warn-in-get_bpf_raw_tp_regs.patch +clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch +s390-bpf-store-backchain-even-for-leaf-progs.patch +wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch +netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch +vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch +netfilter-nft_tunnel-fix-geneve_opt-dump.patch +net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch +net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch +calipso-don-t-call-calipso-functions-for-af_inet-sk.patch +net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch +net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch +f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch +f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch +arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch +arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch +arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch +squashfs-check-return-result-of-sb_min_blocksize.patch +nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch +nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch +bus-fsl-mc-fix-double-free-on-mc_dev.patch +arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch +arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch +soc-aspeed-lpc-fix-impossible-judgment-condition.patch +soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch +fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch +randstruct-gcc-plugin-remove-bogus-void-member.patch +randstruct-gcc-plugin-fix-attribute-addition.patch +perf-build-warn-when-libdebuginfod-devel-files-are-n.patch +perf-ui-browser-hists-set-actions-thread-before-call.patch +backlight-pm8941-add-null-check-in-wled_configure.patch +perf-scripts-python-exported-sql-viewer.py-fix-patte.patch +rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch +mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch +mfd-stmpe-spi-correct-the-name-used-in-module_device.patch +perf-tests-switch-tracking-fix-timestamp-comparison.patch +perf-record-fix-incorrect-user-regs-comments.patch +nfs-clear-sb_rdonly-before-getting-superblock.patch +nfs-ignore-sb_rdonly-when-remounting-nfs.patch +rtc-sh-assign-correct-interrupts-with-dt.patch +pci-cadence-fix-runtime-atomic-count-underflow.patch +dmaengine-ti-add-null-check-in-udma_probe.patch +pci-dpc-initialize-aer_err_info-before-using-it.patch +rtc-fix-offset-calculation-for-.start_secs-0.patch +usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch +serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch +iio-adc-ad7124-fix-3db-filter-frequency-reading.patch +mips-loongson64-add-missing-interrupt-cells-for-loon.patch +vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch +net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch +gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch +net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch +driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch +net-mlx4_en-prevent-potential-integer-overflow-calcu.patch +spi-bcm63xx-spi-fix-shared-reset.patch +spi-bcm63xx-hsspi-fix-shared-reset.patch +bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch +ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch +vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch +pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch +do_change_type-refuse-to-operate-on-unmounted-not-ou.patch diff --git a/queue-5.10/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch b/queue-5.10/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch new file mode 100644 index 0000000000..f07e4bbb75 --- /dev/null +++ b/queue-5.10/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch @@ -0,0 +1,73 @@ +From f5da38446d0b1b9a395cbe0007445b862d2c20fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:44 +0930 +Subject: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() + +From: Henry Martin + +[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +aspeed_lpc_enable_snoop() does not check for this case, which results in a +NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com +[arj: Fix Fixes: tag to use subject from 3772e5da4454] +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index 8a2a22c40ef53..43e30937fc9da 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -202,11 +202,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR; + lpc_snoop->chan[channel].miscdev.name = + devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel); ++ if (!lpc_snoop->chan[channel].miscdev.name) { ++ rc = -ENOMEM; ++ goto err_free_fifo; ++ } + lpc_snoop->chan[channel].miscdev.fops = &snoop_fops; + lpc_snoop->chan[channel].miscdev.parent = dev; + rc = misc_register(&lpc_snoop->chan[channel].miscdev); + if (rc) +- return rc; ++ goto err_free_fifo; + + /* Enable LPC snoop channel at requested port */ + switch (channel) { +@@ -223,7 +227,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + hicrb_en = HICRB_ENSNP1D; + break; + default: +- return -EINVAL; ++ rc = -EINVAL; ++ goto err_misc_deregister; + } + + regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en); +@@ -233,6 +238,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + regmap_update_bits(lpc_snoop->regmap, HICRB, + hicrb_en, hicrb_en); + ++ return 0; ++ ++err_misc_deregister: ++ misc_deregister(&lpc_snoop->chan[channel].miscdev); ++err_free_fifo: ++ kfifo_free(&lpc_snoop->chan[channel].fifo); + return rc; + } + +-- +2.39.5 + diff --git a/queue-5.10/soc-aspeed-lpc-fix-impossible-judgment-condition.patch b/queue-5.10/soc-aspeed-lpc-fix-impossible-judgment-condition.patch new file mode 100644 index 0000000000..94a40193bb --- /dev/null +++ b/queue-5.10/soc-aspeed-lpc-fix-impossible-judgment-condition.patch @@ -0,0 +1,46 @@ +From 46431cadb461f1c82f511725bc6474c85a2981a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:43 +0930 +Subject: soc: aspeed: lpc: Fix impossible judgment condition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ] + +smatch error: +drivers/soc/aspeed/aspeed-lpc-snoop.c:169 +aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero + +platform_get_irq() return non-zero IRQ number or negative error code, +change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this. + +Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver") +Signed-off-by: Su Hui +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index 538d7aab8db5c..8a2a22c40ef53 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -168,7 +168,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop, + int rc; + + lpc_snoop->irq = platform_get_irq(pdev, 0); +- if (!lpc_snoop->irq) ++ if (lpc_snoop->irq < 0) + return -ENODEV; + + rc = devm_request_irq(dev, lpc_snoop->irq, +-- +2.39.5 + diff --git a/queue-5.10/spi-bcm63xx-hsspi-fix-shared-reset.patch b/queue-5.10/spi-bcm63xx-hsspi-fix-shared-reset.patch new file mode 100644 index 0000000000..5d7a3ace95 --- /dev/null +++ b/queue-5.10/spi-bcm63xx-hsspi-fix-shared-reset.patch @@ -0,0 +1,42 @@ +From 57cd391a80238cd5db45f8390da6739c985c13d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 15:09:15 +0200 +Subject: spi: bcm63xx-hsspi: fix shared reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 3d6d84c8f2f66d3fd6a43a1e2ce8e6b54c573960 ] + +Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI +and HSSPI controllers, so reset shouldn't be exclusive. + +Fixes: 0eeadddbf09a ("spi: bcm63xx-hsspi: add reset support") +Reported-by: Jonas Gorski +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250529130915.2519590-3-noltari@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 02f56fc001b47..7d8e5c66f6d17 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -357,7 +357,7 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev) + if (IS_ERR(clk)) + return PTR_ERR(clk); + +- reset = devm_reset_control_get_optional_exclusive(dev, NULL); ++ reset = devm_reset_control_get_optional_shared(dev, NULL); + if (IS_ERR(reset)) + return PTR_ERR(reset); + +-- +2.39.5 + diff --git a/queue-5.10/spi-bcm63xx-spi-fix-shared-reset.patch b/queue-5.10/spi-bcm63xx-spi-fix-shared-reset.patch new file mode 100644 index 0000000000..5c4b904991 --- /dev/null +++ b/queue-5.10/spi-bcm63xx-spi-fix-shared-reset.patch @@ -0,0 +1,42 @@ +From 20f7f4a1979cb4a1397efa7540ff7e5f47fc2143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 15:09:14 +0200 +Subject: spi: bcm63xx-spi: fix shared reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 5ad20e3d8cfe3b2e42bbddc7e0ebaa74479bb589 ] + +Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI +and HSSPI controllers, so reset shouldn't be exclusive. + +Fixes: 38807adeaf1e ("spi: bcm63xx-spi: add reset support") +Reported-by: Jonas Gorski +Signed-off-by: Álvaro Fernández Rojas +Reviewed-by: Florian Fainelli +Link: https://patch.msgid.link/20250529130915.2519590-2-noltari@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c +index b31b5f4e959e5..da559b86f6b17 100644 +--- a/drivers/spi/spi-bcm63xx.c ++++ b/drivers/spi/spi-bcm63xx.c +@@ -533,7 +533,7 @@ static int bcm63xx_spi_probe(struct platform_device *pdev) + return PTR_ERR(clk); + } + +- reset = devm_reset_control_get_optional_exclusive(dev, NULL); ++ reset = devm_reset_control_get_optional_shared(dev, NULL); + if (IS_ERR(reset)) + return PTR_ERR(reset); + +-- +2.39.5 + diff --git a/queue-5.10/spi-sh-msiof-fix-maximum-dma-transfer-size.patch b/queue-5.10/spi-sh-msiof-fix-maximum-dma-transfer-size.patch new file mode 100644 index 0000000000..ad1eaa9964 --- /dev/null +++ b/queue-5.10/spi-sh-msiof-fix-maximum-dma-transfer-size.patch @@ -0,0 +1,71 @@ +From 0f8738d991e0d8f2537dc998a4c2782ce1bbf86c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 15:32:06 +0200 +Subject: spi: sh-msiof: Fix maximum DMA transfer size + +From: Geert Uytterhoeven + +[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ] + +The maximum amount of data to transfer in a single DMA request is +calculated from the FIFO sizes (which is technically not 100% correct, +but a simplification, as it is limited by the maximum word count values +in the Transmit and Control Data Registers). However, in case there is +both data to transmit and to receive, the transmit limit is overwritten +by the receive limit. + +Fix this by using the minimum applicable FIFO size instead. Move the +calculation outside the loop, so it is not repeated for each individual +DMA transfer. + +As currently tx_fifo_size is always equal to rx_fifo_size, this bug had +no real impact. + +Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word") +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sh-msiof.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c +index 12fd02f92e37b..f1ca8b5356bcf 100644 +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -915,6 +915,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr, + void *rx_buf = t->rx_buf; + unsigned int len = t->len; + unsigned int bits = t->bits_per_word; ++ unsigned int max_wdlen = 256; + unsigned int bytes_per_word; + unsigned int words; + int n; +@@ -928,17 +929,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr, + if (!spi_controller_is_slave(p->ctlr)) + sh_msiof_spi_set_clk_regs(p, clk_get_rate(p->clk), t->speed_hz); + ++ if (tx_buf) ++ max_wdlen = min(max_wdlen, p->tx_fifo_size); ++ if (rx_buf) ++ max_wdlen = min(max_wdlen, p->rx_fifo_size); ++ + while (ctlr->dma_tx && len > 15) { + /* + * DMA supports 32-bit words only, hence pack 8-bit and 16-bit + * words, with byte resp. word swapping. + */ +- unsigned int l = 0; +- +- if (tx_buf) +- l = min(round_down(len, 4), p->tx_fifo_size * 4); +- if (rx_buf) +- l = min(round_down(len, 4), p->rx_fifo_size * 4); ++ unsigned int l = min(round_down(len, 4), max_wdlen * 4); + + if (bits <= 8) { + copy32 = copy_bswap32; +-- +2.39.5 + diff --git a/queue-5.10/squashfs-check-return-result-of-sb_min_blocksize.patch b/queue-5.10/squashfs-check-return-result-of-sb_min_blocksize.patch new file mode 100644 index 0000000000..17f9b64fb5 --- /dev/null +++ b/queue-5.10/squashfs-check-return-result-of-sb_min_blocksize.patch @@ -0,0 +1,66 @@ +From 3997cbe5d481ca33f84803d8ab23994d6d7f803a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 03:47:47 +0100 +Subject: Squashfs: check return result of sb_min_blocksize + +From: Phillip Lougher + +[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ] + +Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. + +Syzkaller forks multiple processes which after mounting the Squashfs +filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). +Now if this ioctl occurs at the same time another process is in the +process of mounting a Squashfs filesystem on /dev/loop0, the failure +occurs. When this happens the following code in squashfs_fill_super() +fails. + +---- +msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); +msblk->devblksize_log2 = ffz(~msblk->devblksize); +---- + +sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0. + +As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 +is set to 64. + +This subsequently causes the + +UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 +shift exponent 64 is too large for 64-bit type 'u64' (aka +'unsigned long long') + +This commit adds a check for a 0 return by sb_min_blocksize(). + +Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk +Fixes: 0aa666190509 ("Squashfs: super block operations") +Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/ +Signed-off-by: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/squashfs/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c +index 88cc94be10765..5a47b5c2fdc00 100644 +--- a/fs/squashfs/super.c ++++ b/fs/squashfs/super.c +@@ -86,6 +86,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc) + msblk = sb->s_fs_info; + + msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); ++ if (!msblk->devblksize) { ++ errorf(fc, "squashfs: unable to set blocksize\n"); ++ return -EINVAL; ++ } ++ + msblk->devblksize_log2 = ffz(~msblk->devblksize); + + mutex_init(&msblk->meta_index_mutex); +-- +2.39.5 + diff --git a/queue-5.10/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch b/queue-5.10/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch new file mode 100644 index 0000000000..9d305b41f2 --- /dev/null +++ b/queue-5.10/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch @@ -0,0 +1,192 @@ +From 07cec5a6567ce4c90a01afbbba1f0a0e61f80df3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 11:50:02 +0100 +Subject: usb: renesas_usbhs: Reorder clock handling and power management in + probe + +From: Lad Prabhakar + +[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ] + +Reorder the initialization sequence in `usbhs_probe()` to enable runtime +PM before accessing registers, preventing potential crashes due to +uninitialized clocks. + +Currently, in the probe path, registers are accessed before enabling the +clocks, leading to a synchronous external abort on the RZ/V2H SoC. +The problematic call flow is as follows: + + usbhs_probe() + usbhs_sys_clock_ctrl() + usbhs_bset() + usbhs_write() + iowrite16() <-- Register access before enabling clocks + +Since `iowrite16()` is performed without ensuring the required clocks are +enabled, this can lead to access errors. To fix this, enable PM runtime +early in the probe function and ensure clocks are acquired before register +access, preventing crashes like the following on RZ/V2H: + +[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP +[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 +[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 +[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) +[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] +[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] +[13.321138] sp : ffff8000827e3850 +[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 +[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 +[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 +[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff +[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce +[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000 +[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 +[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c +[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 +[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 +[13.395574] Call trace: +[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P) +[13.403076] platform_probe+0x68/0xdc +[13.406738] really_probe+0xbc/0x2c0 +[13.410306] __driver_probe_device+0x78/0x120 +[13.414653] driver_probe_device+0x3c/0x154 +[13.418825] __driver_attach+0x90/0x1a0 +[13.422647] bus_for_each_dev+0x7c/0xe0 +[13.426470] driver_attach+0x24/0x30 +[13.430032] bus_add_driver+0xe4/0x208 +[13.433766] driver_register+0x68/0x130 +[13.437587] __platform_driver_register+0x24/0x30 +[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] +[13.448450] do_one_initcall+0x60/0x1d4 +[13.452276] do_init_module+0x54/0x1f8 +[13.456014] load_module+0x1754/0x1c98 +[13.459750] init_module_from_file+0x88/0xcc +[13.464004] __arm64_sys_finit_module+0x1c4/0x328 +[13.468689] invoke_syscall+0x48/0x104 +[13.472426] el0_svc_common.constprop.0+0xc0/0xe0 +[13.477113] do_el0_svc+0x1c/0x28 +[13.480415] el0_svc+0x30/0xcc +[13.483460] el0t_64_sync_handler+0x10c/0x138 +[13.487800] el0t_64_sync+0x198/0x19c +[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) +[13.497522] ---[ end trace 0000000000000000 ]--- + +Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code") +Signed-off-by: Lad Prabhakar +Reviewed-by: Yoshihiro Shimoda +Tested-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++------- + 1 file changed, 38 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c +index df679908b8d21..23d160ef4cd22 100644 +--- a/drivers/usb/renesas_usbhs/common.c ++++ b/drivers/usb/renesas_usbhs/common.c +@@ -678,10 +678,29 @@ static int usbhs_probe(struct platform_device *pdev) + INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug); + spin_lock_init(usbhs_priv_to_lock(priv)); + ++ /* ++ * Acquire clocks and enable power management (PM) early in the ++ * probe process, as the driver accesses registers during ++ * initialization. Ensure the device is active before proceeding. ++ */ ++ pm_runtime_enable(dev); ++ ++ ret = usbhsc_clk_get(dev, priv); ++ if (ret) ++ goto probe_pm_disable; ++ ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret) ++ goto probe_clk_put; ++ ++ ret = usbhsc_clk_prepare_enable(priv); ++ if (ret) ++ goto probe_pm_put; ++ + /* call pipe and module init */ + ret = usbhs_pipe_probe(priv); + if (ret < 0) +- return ret; ++ goto probe_clk_dis_unprepare; + + ret = usbhs_fifo_probe(priv); + if (ret < 0) +@@ -698,10 +717,6 @@ static int usbhs_probe(struct platform_device *pdev) + if (ret) + goto probe_fail_rst; + +- ret = usbhsc_clk_get(dev, priv); +- if (ret) +- goto probe_fail_clks; +- + /* + * deviece reset here because + * USB device might be used in boot loader. +@@ -714,7 +729,7 @@ static int usbhs_probe(struct platform_device *pdev) + if (ret) { + dev_warn(dev, "USB function not selected (GPIO)\n"); + ret = -ENOTSUPP; +- goto probe_end_mod_exit; ++ goto probe_assert_rest; + } + } + +@@ -728,14 +743,19 @@ static int usbhs_probe(struct platform_device *pdev) + ret = usbhs_platform_call(priv, hardware_init, pdev); + if (ret < 0) { + dev_err(dev, "platform init failed.\n"); +- goto probe_end_mod_exit; ++ goto probe_assert_rest; + } + + /* reset phy for connection */ + usbhs_platform_call(priv, phy_reset, pdev); + +- /* power control */ +- pm_runtime_enable(dev); ++ /* ++ * Disable the clocks that were enabled earlier in the probe path, ++ * and let the driver handle the clocks beyond this point. ++ */ ++ usbhsc_clk_disable_unprepare(priv); ++ pm_runtime_put(dev); ++ + if (!usbhs_get_dparam(priv, runtime_pwctrl)) { + usbhsc_power_ctrl(priv, 1); + usbhs_mod_autonomy_mode(priv); +@@ -752,9 +772,7 @@ static int usbhs_probe(struct platform_device *pdev) + + return ret; + +-probe_end_mod_exit: +- usbhsc_clk_put(priv); +-probe_fail_clks: ++probe_assert_rest: + reset_control_assert(priv->rsts); + probe_fail_rst: + usbhs_mod_remove(priv); +@@ -762,6 +780,14 @@ static int usbhs_probe(struct platform_device *pdev) + usbhs_fifo_remove(priv); + probe_end_pipe_exit: + usbhs_pipe_remove(priv); ++probe_clk_dis_unprepare: ++ usbhsc_clk_disable_unprepare(priv); ++probe_pm_put: ++ pm_runtime_put(dev); ++probe_clk_put: ++ usbhsc_clk_put(priv); ++probe_pm_disable: ++ pm_runtime_disable(dev); + + dev_info(dev, "probe failed (%d)\n", ret); + +-- +2.39.5 + diff --git a/queue-5.10/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch b/queue-5.10/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch new file mode 100644 index 0000000000..1a22c8a933 --- /dev/null +++ b/queue-5.10/vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch @@ -0,0 +1,45 @@ +From 72762f6545ac0ee59c01662d512569b3113f8175 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:46:47 +0800 +Subject: vfio/type1: Fix error unwind in migration dirty bitmap allocation + +From: Li RongQing + +[ Upstream commit 4518e5a60c7fbf0cdff393c2681db39d77b4f87e ] + +When setting up dirty page tracking at the vfio IOMMU backend for +device migration, if an error is encountered allocating a tracking +bitmap, the unwind loop fails to free previously allocated tracking +bitmaps. This occurs because the wrong loop index is used to +generate the tracking object. This results in unintended memory +usage for the life of the current DMA mappings where bitmaps were +successfully allocated. + +Use the correct loop index to derive the tracking object for +freeing during unwind. + +Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking") +Signed-off-by: Li RongQing +Link: https://lore.kernel.org/r/20250521034647.2877-1-lirongqing@baidu.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/vfio_iommu_type1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c +index 9b01f88ae4762..b2a543e7cac45 100644 +--- a/drivers/vfio/vfio_iommu_type1.c ++++ b/drivers/vfio/vfio_iommu_type1.c +@@ -269,7 +269,7 @@ static int vfio_dma_bitmap_alloc_all(struct vfio_iommu *iommu, size_t pgsize) + struct rb_node *p; + + for (p = rb_prev(n); p; p = rb_prev(p)) { +- struct vfio_dma *dma = rb_entry(n, ++ struct vfio_dma *dma = rb_entry(p, + struct vfio_dma, node); + + vfio_dma_bitmap_free(dma); +-- +2.39.5 + diff --git a/queue-5.10/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch b/queue-5.10/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch new file mode 100644 index 0000000000..7c380cb362 --- /dev/null +++ b/queue-5.10/vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch @@ -0,0 +1,82 @@ +From bd83a5ec4b0edb1c2bf38d87864ecd0fec86b123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 15:27:00 +0000 +Subject: vmxnet3: correctly report gso type for UDP tunnels + +From: Ronak Doshi + +[ Upstream commit 982d30c30eaa2ec723df42e3bf526c014c1dbb88 ] + +Commit 3d010c8031e3 ("udp: do not accept non-tunnel GSO skbs landing +in a tunnel") added checks in linux stack to not accept non-tunnel +GRO packets landing in a tunnel. This exposed an issue in vmxnet3 +which was not correctly reporting GRO packets for tunnel packets. + +This patch fixes this issue by setting correct GSO type for the +tunnel packets. + +Currently, vmxnet3 does not support reporting inner fields for LRO +tunnel packets. The issue is not seen for egress drivers that do not +use skb inner fields. The workaround is to enable tnl-segmentation +offload on the egress interfaces if the driver supports it. This +problem pre-exists this patch fix and can be addressed as a separate +future patch. + +Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") +Signed-off-by: Ronak Doshi +Acked-by: Guolin Yang +Link: https://patch.msgid.link/20250530152701.70354-1-ronak.doshi@broadcom.com +[pabeni@redhat.com: dropped the changelog] +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c +index 3b889fed98826..50a7a1abb90a0 100644 +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -1355,6 +1355,30 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapter *adapter, struct sk_buff *skb, + return (hlen + (hdr.tcp->doff << 2)); + } + ++static void ++vmxnet3_lro_tunnel(struct sk_buff *skb, __be16 ip_proto) ++{ ++ struct udphdr *uh = NULL; ++ ++ if (ip_proto == htons(ETH_P_IP)) { ++ struct iphdr *iph = (struct iphdr *)skb->data; ++ ++ if (iph->protocol == IPPROTO_UDP) ++ uh = (struct udphdr *)(iph + 1); ++ } else { ++ struct ipv6hdr *iph = (struct ipv6hdr *)skb->data; ++ ++ if (iph->nexthdr == IPPROTO_UDP) ++ uh = (struct udphdr *)(iph + 1); ++ } ++ if (uh) { ++ if (uh->check) ++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM; ++ else ++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL; ++ } ++} ++ + static int + vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + struct vmxnet3_adapter *adapter, int quota) +@@ -1591,6 +1615,8 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq, + if (segCnt != 0 && mss != 0) { + skb_shinfo(skb)->gso_type = rcd->v4 ? + SKB_GSO_TCPV4 : SKB_GSO_TCPV6; ++ if (encap_lro) ++ vmxnet3_lro_tunnel(skb, skb->protocol); + skb_shinfo(skb)->gso_size = mss; + skb_shinfo(skb)->gso_segs = segCnt; + } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) { +-- +2.39.5 + diff --git a/queue-5.10/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch b/queue-5.10/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch new file mode 100644 index 0000000000..2d2aea1f40 --- /dev/null +++ b/queue-5.10/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch @@ -0,0 +1,39 @@ +From 692de04bb7980884efcc3ac700f4488429bb77b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 11:30:52 -0400 +Subject: vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() + +From: Nicolas Pitre + +[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ] + +They are listed amon those cmd values that "treat 'arg' as an integer" +which is wrong. They should instead fall into the default case. Probably +nobody ever relied on that code since 2009 but still. + +Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver") +Signed-off-by: Nicolas Pitre +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt_ioctl.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c +index b10b86e2c17e9..b62ab122fb4af 100644 +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -1104,8 +1104,6 @@ long vt_compat_ioctl(struct tty_struct *tty, + case VT_WAITACTIVE: + case VT_RELDISP: + case VT_DISALLOCATE: +- case VT_RESIZE: +- case VT_RESIZEX: + return vt_ioctl(tty, cmd, arg); + + /* +-- +2.39.5 + diff --git a/queue-5.10/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch b/queue-5.10/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch new file mode 100644 index 0000000000..0c0c74aabf --- /dev/null +++ b/queue-5.10/wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch @@ -0,0 +1,83 @@ +From 3c259cbfa962bb5557e30cf9ea7dfffeb585e509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Mar 2025 13:31:45 +0800 +Subject: wifi: ath11k: fix node corruption in ar->arvifs list + +From: Stone Zhang + +[ Upstream commit 31e98e277ae47f56632e4d663b1d4fd12ba33ea8 ] + +In current WLAN recovery code flow, ath11k_core_halt() only +reinitializes the "arvifs" list head. This will cause the +list node immediately following the list head to become an +invalid list node. Because the prev of that node still points +to the list head "arvifs", but the next of the list head "arvifs" +no longer points to that list node. + +When a WLAN recovery occurs during the execution of a vif +removal, and it happens before the spin_lock_bh(&ar->data_lock) +in ath11k_mac_op_remove_interface(), list_del() will detect the +previously mentioned situation, thereby triggering a kernel panic. + +The fix is to remove and reinitialize all vif list nodes from the +list head "arvifs" during WLAN halt. The reinitialization is to make +the list nodes valid, ensuring that the list_del() in +ath11k_mac_op_remove_interface() can execute normally. + +Call trace: +__list_del_entry_valid_or_report+0xb8/0xd0 +ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] +drv_remove_interface+0x48/0x194 [mac80211] +ieee80211_do_stop+0x6e0/0x844 [mac80211] +ieee80211_stop+0x44/0x17c [mac80211] +__dev_close_many+0xac/0x150 +__dev_change_flags+0x194/0x234 +dev_change_flags+0x24/0x6c +devinet_ioctl+0x3a0/0x670 +inet_ioctl+0x200/0x248 +sock_do_ioctl+0x60/0x118 +sock_ioctl+0x274/0x35c +__arm64_sys_ioctl+0xac/0xf0 +invoke_syscall+0x48/0x114 +... + +Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Stone Zhang +Link: https://patch.msgid.link/20250320053145.3445187-1-quic_stonez@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c +index 473d92240a829..6282ccad79d5e 100644 +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -736,6 +736,7 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) + void ath11k_core_halt(struct ath11k *ar) + { + struct ath11k_base *ab = ar->ab; ++ struct list_head *pos, *n; + + lockdep_assert_held(&ar->conf_mutex); + +@@ -749,7 +750,12 @@ void ath11k_core_halt(struct ath11k *ar) + + rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL); + synchronize_rcu(); +- INIT_LIST_HEAD(&ar->arvifs); ++ ++ spin_lock_bh(&ar->data_lock); ++ list_for_each_safe(pos, n, &ar->arvifs) ++ list_del_init(pos); ++ spin_unlock_bh(&ar->data_lock); ++ + idr_init(&ar->txmgmt_idr); + } + +-- +2.39.5 + diff --git a/queue-5.10/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch b/queue-5.10/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch new file mode 100644 index 0000000000..cfc2898a5b --- /dev/null +++ b/queue-5.10/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch @@ -0,0 +1,48 @@ +From 36df11fde4744ee1f52c4121aabd9246521f204c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 13:22:16 +0200 +Subject: wifi: ath9k_htc: Abort software beacon handling if disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ] + +A malicious USB device can send a WMI_SWBA_EVENTID event from an +ath9k_htc-managed device before beaconing has been enabled. This causes +a device-by-zero error in the driver, leading to either a crash or an +out of bounds read. + +Prevent this by aborting the handling in ath9k_htc_swba() if beacons are +not enabled. + +Reported-by: Robert Morris +Closes: https://lore.kernel.org/r/88967.1743099372@localhost +Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots") +Signed-off-by: Toke Høiland-Jørgensen +Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +index c745897aa3d6c..259a36b4c7cb0 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv, + struct ath_common *common = ath9k_hw_common(priv->ah); + int slot; + ++ if (!priv->cur_beacon_conf.enable_beacon) ++ return; ++ + if (swba->beacon_pending != 0) { + priv->beacon.bmisscnt++; + if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) { +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch b/queue-5.10/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch new file mode 100644 index 0000000000..8b8d8b6149 --- /dev/null +++ b/queue-5.10/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch @@ -0,0 +1,42 @@ +From 9f9c17051e3942a177e68bb7e8e8cc21f4d017db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 12:07:20 +0300 +Subject: wifi: rtw88: do not ignore hardware read error during DPK + +From: Dmitry Antipov + +[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ] + +In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned +by 'check_hw_ready()' but issue a warning to denote possible +DPK issue. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support") +Suggested-by: Ping-Ke Shih +Signed-off-by: Dmitry Antipov +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +index abed17e4c8c7b..a7fc2287521f0 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +@@ -3157,7 +3157,8 @@ static void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev) + rtw_write32(rtwdev, REG_NCTL0, 0x00001148); + rtw_write32(rtwdev, REG_NCTL0, 0x00001149); + +- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55); ++ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55)) ++ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal"); + + rtw_write8(rtwdev, 0x1b10, 0x0); + rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c); +-- +2.39.5 + diff --git a/queue-5.10/x86-cpu-sanitize-cpuid-0x80000000-output.patch b/queue-5.10/x86-cpu-sanitize-cpuid-0x80000000-output.patch new file mode 100644 index 0000000000..daaef6be9f --- /dev/null +++ b/queue-5.10/x86-cpu-sanitize-cpuid-0x80000000-output.patch @@ -0,0 +1,92 @@ +From c2005f326323a91a56949f8ed0d2c85d1725b10f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 07:04:13 +0200 +Subject: x86/cpu: Sanitize CPUID(0x80000000) output + +From: Ahmed S. Darwish + +[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ] + +CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On +x86-32 machines without an extended CPUID range, a CPUID(0x80000000) +query will just repeat the output of the last valid standard CPUID leaf +on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against +this by doing: + + eax = cpuid_eax(0x80000000); + c->extended_cpuid_level = eax; + + if ((eax & 0xffff0000) == 0x80000000) { + // CPU has an extended CPUID range. Check for 0x80000001 + if (eax >= 0x80000001) { + cpuid(0x80000001, ...); + } + } + +This is correct so far. Afterwards though, the same possibly broken EAX +value is used to check the availability of other extended CPUID leaves: + + if (c->extended_cpuid_level >= 0x80000007) + ... + if (c->extended_cpuid_level >= 0x80000008) + ... + if (c->extended_cpuid_level >= 0x8000000a) + ... + if (c->extended_cpuid_level >= 0x8000001f) + ... + +which is invalid. Fix this by immediately setting the CPU's max extended +CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid +CPUID extended range. + +While at it, add a comment, similar to kernel/head_32.S, clarifying the +CPUID(0x80000000) sanity check. + +References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX") +Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit") +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Ingo Molnar +Cc: Andrew Cooper +Cc: H. Peter Anvin +Cc: John Ogness +Cc: x86-cpuid@lists.linux.dev +Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/common.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index 840fdffec850b..db225e325ccfd 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -931,17 +931,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + c->x86_capability[CPUID_D_1_EAX] = eax; + } + +- /* AMD-defined flags: level 0x80000001 */ ++ /* ++ * Check if extended CPUID leaves are implemented: Max extended ++ * CPUID leaf must be in the 0x80000001-0x8000ffff range. ++ */ + eax = cpuid_eax(0x80000000); +- c->extended_cpuid_level = eax; ++ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0; + +- if ((eax & 0xffff0000) == 0x80000000) { +- if (eax >= 0x80000001) { +- cpuid(0x80000001, &eax, &ebx, &ecx, &edx); ++ if (c->extended_cpuid_level >= 0x80000001) { ++ cpuid(0x80000001, &eax, &ebx, &ecx, &edx); + +- c->x86_capability[CPUID_8000_0001_ECX] = ecx; +- c->x86_capability[CPUID_8000_0001_EDX] = edx; +- } ++ c->x86_capability[CPUID_8000_0001_ECX] = ecx; ++ c->x86_capability[CPUID_8000_0001_EDX] = edx; + } + + if (c->extended_cpuid_level >= 0x80000007) { +-- +2.39.5 + diff --git a/queue-5.10/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch b/queue-5.10/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch new file mode 100644 index 0000000000..2b70b36213 --- /dev/null +++ b/queue-5.10/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch @@ -0,0 +1,47 @@ +From 350e822224fe1619d8a1de14b049ac2c4defe3e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 17:06:33 +0000 +Subject: x86/mtrr: Check if fixed-range MTRRs exist in + mtrr_save_fixed_ranges() + +From: Jiaqing Zhao + +[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ] + +When suspending, save_processor_state() calls mtrr_save_fixed_ranges() +to save fixed-range MTRRs. + +On platforms without fixed-range MTRRs like the ACRN hypervisor which +has removed fixed-range MTRR emulation, accessing these MSRs will +trigger an unchecked MSR access error. Make sure fixed-range MTRRs are +supported before access to prevent such error. + +Since mtrr_state.have_fixed is only set when MTRRs are present and +enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is +unnecessary. + +Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending") +Signed-off-by: Jiaqing Zhao +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mtrr/generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c +index a29997e6cf9e6..214c8a8c47936 100644 +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -350,7 +350,7 @@ static void get_fixed_ranges(mtrr_type *frs) + + void mtrr_save_fixed_ranges(void *info) + { +- if (boot_cpu_has(X86_FEATURE_MTRR)) ++ if (mtrr_state.have_fixed) + get_fixed_ranges(mtrr_state.fixed_ranges); + } + +-- +2.39.5 +