From: Sasha Levin Date: Sun, 17 Aug 2025 13:27:14 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v6.12.43~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=20921eb1f4cc01769da38a718432786e640e1bf7;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch b/queue-5.10/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch new file mode 100644 index 0000000000..62e178adf4 --- /dev/null +++ b/queue-5.10/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch @@ -0,0 +1,43 @@ +From fde8013c370d78b81f3b96020b9cb8e7a96816ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 08:39:51 -0700 +Subject: ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path + +From: Breno Leitao + +[ Upstream commit 4734c8b46b901cff2feda8b82abc710b65dc31c1 ] + +When a GHES (Generic Hardware Error Source) triggers a panic, add the +TAINT_MACHINE_CHECK taint flag to the kernel. This explicitly marks the +kernel as tainted due to a machine check event, improving diagnostics +and post-mortem analysis. The taint is set with LOCKDEP_STILL_OK to +indicate lockdep remains valid. + +At large scale deployment, this helps to quickly determine panics that +are coming due to hardware failures. + +Signed-off-by: Breno Leitao +Reviewed-by: Tony Luck +Link: https://patch.msgid.link/20250702-add_tain-v1-1-9187b10914b9@debian.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 72087e05b5a5..250ea9ec5f0c 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -860,6 +860,8 @@ static void __ghes_panic(struct ghes *ghes, + + __ghes_print_estatus(KERN_EMERG, ghes->generic, estatus); + ++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK); ++ + ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx); + + if (!panic_timeout) +-- +2.39.5 + diff --git a/queue-5.10/acpi-processor-fix-acpi_object-initialization.patch b/queue-5.10/acpi-processor-fix-acpi_object-initialization.patch new file mode 100644 index 0000000000..6198157d63 --- /dev/null +++ b/queue-5.10/acpi-processor-fix-acpi_object-initialization.patch @@ -0,0 +1,41 @@ +From 0e6210e1536bc34928e8ba0df178bdfbb9ec0a60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:42:15 +0200 +Subject: ACPI: processor: fix acpi_object initialization + +From: Sebastian Ott + +[ Upstream commit 13edf7539211d8f7d0068ce3ed143005f1da3547 ] + +Initialization of the local acpi_object in acpi_processor_get_info() +only sets the first 4 bytes to zero and is thus incomplete. This is +indicated by messages like: + acpi ACPI0007:be: Invalid PBLK length [166288104] + +Fix this by initializing all 16 bytes of the processor member of that +union. + +Signed-off-by: Sebastian Ott +Link: https://patch.msgid.link/20250703124215.12522-1-sebott@redhat.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index 707b2c37e5ee..74e949d340a1 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -228,7 +228,7 @@ static inline int acpi_processor_hotadd_init(struct acpi_processor *pr) + + static int acpi_processor_get_info(struct acpi_device *device) + { +- union acpi_object object = { 0 }; ++ union acpi_object object = { .processor = { 0 } }; + struct acpi_buffer buffer = { sizeof(union acpi_object), &object }; + struct acpi_processor *pr = acpi_driver_data(device); + int device_declaration = 0; +-- +2.39.5 + diff --git a/queue-5.10/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch b/queue-5.10/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch new file mode 100644 index 0000000000..b8aad17e38 --- /dev/null +++ b/queue-5.10/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch @@ -0,0 +1,41 @@ +From 52fe86031d460e6773cc49ec4e67f70d39a13c21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 19:50:12 +0200 +Subject: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control + +From: Lucy Thrun + +[ Upstream commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 ] + +The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte +buffer if either string argument is too long. This triggers a compiler +warning. +Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent +overflow. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/ +Signed-off-by: Lucy Thrun +Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index b9d88b156f40..3acb4066b5ea 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4279,7 +4279,7 @@ static int add_tuning_control(struct hda_codec *codec, + } + knew.private_value = + HDA_COMPOSE_AMP_VAL(nid, 1, 0, type); +- sprintf(namestr, "%s %s Volume", name, dirstr[dir]); ++ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]); + return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec)); + } + +-- +2.39.5 + diff --git a/queue-5.10/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch b/queue-5.10/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch new file mode 100644 index 0000000000..10aa29c788 --- /dev/null +++ b/queue-5.10/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch @@ -0,0 +1,37 @@ +From f45daeeddccdc6922493503e6f38cd465cd2c14d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jun 2025 11:52:24 -0700 +Subject: ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 + +From: Alok Tiwari + +[ Upstream commit 87aafc8580acf87fcaf1a7e30ed858d8c8d37d81 ] + +code mistakenly used a hardcoded index (codec[1]) instead of +iterating, over the codec array using the loop variable i. +Use codec[i] instead of codec[1] to match the loop iteration. + +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250621185233.4081094-1-alok.a.tiwari@oracle.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/intel8x0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c +index 3707dc27324d..324d9df7f111 100644 +--- a/sound/pci/intel8x0.c ++++ b/sound/pci/intel8x0.c +@@ -2270,7 +2270,7 @@ static int snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock, + tmp |= chip->ac97_sdin[0] << ICH_DI1L_SHIFT; + for (i = 1; i < 4; i++) { + if (pcm->r[0].codec[i]) { +- tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT; ++ tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT; + break; + } + } +-- +2.39.5 + diff --git a/queue-5.10/alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch b/queue-5.10/alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch new file mode 100644 index 0000000000..ce5607ad6a --- /dev/null +++ b/queue-5.10/alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch @@ -0,0 +1,96 @@ +From 220c0b72dbc6fd0f797762773c357a5d37274b7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 11:44:02 +0200 +Subject: ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop + +From: Christophe Leroy + +[ Upstream commit 92f59aeb13252265c20e7aef1379a8080c57e0a2 ] + +At the time being recalculate_boundary() is implemented with a +loop which shows up as costly in a perf profile, as depicted by +the annotate below: + + 0.00 : c057e934: 3d 40 7f ff lis r10,32767 + 0.03 : c057e938: 61 4a ff ff ori r10,r10,65535 + 0.21 : c057e93c: 7d 49 50 50 subf r10,r9,r10 + 5.39 : c057e940: 7d 3c 4b 78 mr r28,r9 + 2.11 : c057e944: 55 29 08 3c slwi r9,r9,1 + 3.04 : c057e948: 7c 09 50 40 cmplw r9,r10 + 2.47 : c057e94c: 40 81 ff f4 ble c057e940 + +Total: 13.2% on that simple loop. + +But what the loop does is to multiply the boundary by 2 until it is +over the wanted border. This can be avoided by using fls() to get the +boundary value order and shift it by the appropriate number of bits at +once. + +This change provides the following profile: + + 0.04 : c057f6e8: 3d 20 7f ff lis r9,32767 + 0.02 : c057f6ec: 61 29 ff ff ori r9,r9,65535 + 0.34 : c057f6f0: 7d 5a 48 50 subf r10,r26,r9 + 0.23 : c057f6f4: 7c 1a 50 40 cmplw r26,r10 + 0.02 : c057f6f8: 41 81 00 20 bgt c057f718 + 0.26 : c057f6fc: 7f 47 00 34 cntlzw r7,r26 + 0.09 : c057f700: 7d 48 00 34 cntlzw r8,r10 + 0.22 : c057f704: 7d 08 38 50 subf r8,r8,r7 + 0.04 : c057f708: 7f 5a 40 30 slw r26,r26,r8 + 0.35 : c057f70c: 7c 0a d0 40 cmplw r10,r26 + 0.13 : c057f710: 40 80 05 f8 bge c057fd08 + 0.00 : c057f714: 57 5a f8 7e srwi r26,r26,1 + +Total: 1.7% with that loopless alternative. + +Signed-off-by: Christophe Leroy +Link: https://patch.msgid.link/4836e2cde653eebaf2709ebe30eec736bb8c67fd.1749202237.git.christophe.leroy@csgroup.eu +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_native.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c +index 98bd6fe850d3..145e5157515f 100644 +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include "pcm_local.h" + +@@ -3094,13 +3095,23 @@ struct snd_pcm_sync_ptr32 { + static snd_pcm_uframes_t recalculate_boundary(struct snd_pcm_runtime *runtime) + { + snd_pcm_uframes_t boundary; ++ snd_pcm_uframes_t border; ++ int order; + + if (! runtime->buffer_size) + return 0; +- boundary = runtime->buffer_size; +- while (boundary * 2 <= 0x7fffffffUL - runtime->buffer_size) +- boundary *= 2; +- return boundary; ++ ++ border = 0x7fffffffUL - runtime->buffer_size; ++ if (runtime->buffer_size > border) ++ return runtime->buffer_size; ++ ++ order = __fls(border) - __fls(runtime->buffer_size); ++ boundary = runtime->buffer_size << order; ++ ++ if (boundary <= border) ++ return boundary; ++ else ++ return boundary / 2; + } + + static int snd_pcm_ioctl_sync_ptr_compat(struct snd_pcm_substream *substream, +-- +2.39.5 + diff --git a/queue-5.10/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch b/queue-5.10/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch new file mode 100644 index 0000000000..043c4a620e --- /dev/null +++ b/queue-5.10/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch @@ -0,0 +1,61 @@ +From f039543d788105c0a0ef714a6b7d73ad071e1996 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 17:07:42 +0300 +Subject: ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros + +From: Cristian Ciocaltea + +[ Upstream commit fd3ab72e42e9871a9902b945a2bf8bb87b49c718 ] + +Fix all macro related issues identified by checkpatch.pl: + + CHECK: Macro argument 'x' may be better as '(x)' to avoid precedence issues + +Signed-off-by: Cristian Ciocaltea +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250526-dualsense-alsa-jack-v1-3-1a821463b632@collabora.com +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_quirks.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index eee5a3ce9471..c0948922562b 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1991,15 +1991,15 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer) + #define SND_RME_CLK_FREQMUL_SHIFT 18 + #define SND_RME_CLK_FREQMUL_MASK 0x7 + #define SND_RME_CLK_SYSTEM(x) \ +- ((x >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK) ++ (((x) >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK) + #define SND_RME_CLK_AES(x) \ +- ((x >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) ++ (((x) >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) + #define SND_RME_CLK_SPDIF(x) \ +- ((x >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) ++ (((x) >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) + #define SND_RME_CLK_SYNC(x) \ +- ((x >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK) ++ (((x) >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK) + #define SND_RME_CLK_FREQMUL(x) \ +- ((x >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK) ++ (((x) >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK) + #define SND_RME_CLK_AES_LOCK 0x1 + #define SND_RME_CLK_AES_SYNC 0x4 + #define SND_RME_CLK_SPDIF_LOCK 0x2 +@@ -2008,9 +2008,9 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer) + #define SND_RME_SPDIF_FORMAT_SHIFT 5 + #define SND_RME_BINARY_MASK 0x1 + #define SND_RME_SPDIF_IF(x) \ +- ((x >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK) ++ (((x) >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK) + #define SND_RME_SPDIF_FORMAT(x) \ +- ((x >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK) ++ (((x) >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK) + + static const u32 snd_rme_rate_table[] = { + 32000, 44100, 48000, 50000, +-- +2.39.5 + diff --git a/queue-5.10/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch b/queue-5.10/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch new file mode 100644 index 0000000000..cda0746b3e --- /dev/null +++ b/queue-5.10/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch @@ -0,0 +1,70 @@ +From b61976517524dcbdd83178b974e07cfe12e96424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 17:04:53 +0300 +Subject: ARM: rockchip: fix kernel hang during smp initialization + +From: Alexander Kochetkov + +[ Upstream commit 7cdb433bb44cdc87dc5260cdf15bf03cc1cd1814 ] + +In order to bring up secondary CPUs main CPU write trampoline +code to SRAM. The trampoline code is written while secondary +CPUs are powered on (at least that true for RK3188 CPU). +Sometimes that leads to kernel hang. Probably because secondary +CPU execute trampoline code while kernel doesn't expect. + +The patch moves SRAM initialization step to the point where all +secondary CPUs are powered down. + +That fixes rarely hangs on RK3188: +[ 0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000 +[ 0.091996] rockchip_smp_prepare_cpus: ncores 4 + +Signed-off-by: Alexander Kochetkov +Link: https://lore.kernel.org/r/20250703140453.1273027-1-al.kochet@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/mach-rockchip/platsmp.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/mach-rockchip/platsmp.c b/arch/arm/mach-rockchip/platsmp.c +index d60856898d97..17aee4701e81 100644 +--- a/arch/arm/mach-rockchip/platsmp.c ++++ b/arch/arm/mach-rockchip/platsmp.c +@@ -279,11 +279,6 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus) + } + + if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) { +- if (rockchip_smp_prepare_sram(node)) { +- of_node_put(node); +- return; +- } +- + /* enable the SCU power domain */ + pmu_set_power_domain(PMU_PWRDN_SCU, true); + +@@ -316,11 +311,19 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus) + asm ("mrc p15, 1, %0, c9, c0, 2\n" : "=r" (l2ctlr)); + ncores = ((l2ctlr >> 24) & 0x3) + 1; + } +- of_node_put(node); + + /* Make sure that all cores except the first are really off */ + for (i = 1; i < ncores; i++) + pmu_set_power_domain(0 + i, false); ++ ++ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) { ++ if (rockchip_smp_prepare_sram(node)) { ++ of_node_put(node); ++ return; ++ } ++ } ++ ++ of_node_put(node); + } + + static void __init rk3036_smp_prepare_cpus(unsigned int max_cpus) +-- +2.39.5 + diff --git a/queue-5.10/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch b/queue-5.10/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch new file mode 100644 index 0000000000..d39c6e6156 --- /dev/null +++ b/queue-5.10/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch @@ -0,0 +1,36 @@ +From 29928e0fcacf3299e6d031b19ba464611624650c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 11:11:24 -0500 +Subject: ARM: tegra: Use I/O memcpy to write to IRAM + +From: Aaron Kling + +[ Upstream commit 398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1 ] + +Kasan crashes the kernel trying to check boundaries when using the +normal memcpy. + +Signed-off-by: Aaron Kling +Link: https://lore.kernel.org/r/20250522-mach-tegra-kasan-v1-1-419041b8addb@gmail.com +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm/mach-tegra/reset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-tegra/reset.c b/arch/arm/mach-tegra/reset.c +index d5c805adf7a8..ea706fac6358 100644 +--- a/arch/arm/mach-tegra/reset.c ++++ b/arch/arm/mach-tegra/reset.c +@@ -63,7 +63,7 @@ static void __init tegra_cpu_reset_handler_enable(void) + BUG_ON(is_enabled); + BUG_ON(tegra_cpu_reset_handler_size > TEGRA_IRAM_RESET_HANDLER_SIZE); + +- memcpy(iram_base, (void *)__tegra_cpu_reset_handler_start, ++ memcpy_toio(iram_base, (void *)__tegra_cpu_reset_handler_start, + tegra_cpu_reset_handler_size); + + err = call_firmware_op(set_cpu_boot_addr, 0, reset_address); +-- +2.39.5 + diff --git a/queue-5.10/arm64-handle-kcov-__init-vs-inline-mismatches.patch b/queue-5.10/arm64-handle-kcov-__init-vs-inline-mismatches.patch new file mode 100644 index 0000000000..1e794ec092 --- /dev/null +++ b/queue-5.10/arm64-handle-kcov-__init-vs-inline-mismatches.patch @@ -0,0 +1,51 @@ +From d97dc01dc788c40eedb55ed4fb2e92e77e80b333 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 22:50:25 -0700 +Subject: arm64: Handle KCOV __init vs inline mismatches + +From: Kees Cook + +[ Upstream commit 65c430906efffee9bd7551d474f01a6b1197df90 ] + +GCC appears to have kind of fragile inlining heuristics, in the +sense that it can change whether or not it inlines something based on +optimizations. It looks like the kcov instrumentation being added (or in +this case, removed) from a function changes the optimization results, +and some functions marked "inline" are _not_ inlined. In that case, +we end up with __init code calling a function not marked __init, and we +get the build warnings I'm trying to eliminate in the coming patch that +adds __no_sanitize_coverage to __init functions: + +WARNING: modpost: vmlinux: section mismatch in reference: acpi_get_enable_method+0x1c (section: .text.unlikely) -> acpi_psci_present (section: .init.text) + +This problem is somewhat fragile (though using either __always_inline +or __init will deterministically solve it), but we've tripped over +this before with GCC and the solution has usually been to just use +__always_inline and move on. + +For arm64 this requires forcing one ACPI function to be inlined with +__always_inline. + +Link: https://lore.kernel.org/r/20250724055029.3623499-1-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/acpi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/acpi.h b/arch/arm64/include/asm/acpi.h +index 702587fda70c..8cbbd08cc8c5 100644 +--- a/arch/arm64/include/asm/acpi.h ++++ b/arch/arm64/include/asm/acpi.h +@@ -128,7 +128,7 @@ acpi_set_mailbox_entry(int cpu, struct acpi_madt_generic_interrupt *processor) + {} + #endif + +-static inline const char *acpi_get_enable_method(int cpu) ++static __always_inline const char *acpi_get_enable_method(int cpu) + { + if (acpi_psci_present()) + return "psci"; +-- +2.39.5 + diff --git a/queue-5.10/asoc-codecs-rt5640-retry-device_id-verification.patch b/queue-5.10/asoc-codecs-rt5640-retry-device_id-verification.patch new file mode 100644 index 0000000000..a46b883693 --- /dev/null +++ b/queue-5.10/asoc-codecs-rt5640-retry-device_id-verification.patch @@ -0,0 +1,48 @@ +From 6a985b555cd92d6942df23b435bf5cf6bce8e0e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 16:21:19 +0200 +Subject: ASoC: codecs: rt5640: Retry DEVICE_ID verification +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xinxin Wan + +[ Upstream commit 19f971057b2d7b99c80530ec1052b45de236a8da ] + +To be more resilient to codec-detection failures when the hardware +powers on slowly, add retry mechanism to the device verification check. +Similar pattern is found throughout a number of Realtek codecs. Our +tests show that 60ms delay is sufficient to address readiness issues on +rt5640 chip. + +Reviewed-by: Amadeusz Sławiński +Reviewed-by: Cezary Rojewski +Signed-off-by: Xinxin Wan +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250530142120.2944095-3-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5640.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c +index a5674c227b3a..c12966025cfa 100644 +--- a/sound/soc/codecs/rt5640.c ++++ b/sound/soc/codecs/rt5640.c +@@ -2810,6 +2810,11 @@ static int rt5640_i2c_probe(struct i2c_client *i2c, + } + + regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val); ++ if (val != RT5640_DEVICE_ID) { ++ usleep_range(60000, 100000); ++ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val); ++ } ++ + if (val != RT5640_DEVICE_ID) { + dev_err(&i2c->dev, + "Device with ID register %#x is not rt5640/39\n", val); +-- +2.39.5 + diff --git a/queue-5.10/asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch b/queue-5.10/asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch new file mode 100644 index 0000000000..d9c0046bad --- /dev/null +++ b/queue-5.10/asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch @@ -0,0 +1,46 @@ +From ddbcf74d5c584b67f372b8a59601b13f76cf5796 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 11:42:20 +0300 +Subject: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() + +From: Peter Ujfalusi + +[ Upstream commit 2d91cb261cac6d885954b8f5da28b5c176c18131 ] + +snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will +leads to null pointer dereference. +This was reproduced with topology loading and marking a link as ignore +due to missing hardware component on the system. +On module removal the soc_tplg_remove_link() would call +snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored, +no runtime was created. + +Signed-off-by: Peter Ujfalusi +Reviewed-by: Bard Liao +Reviewed-by: Ranjani Sridharan +Reviewed-by: Liam Girdwood +Reviewed-by: Kai Vehmanen +Link: https://patch.msgid.link/20250619084222.559-3-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c +index e9da95ebccc8..1120d669fe2e 100644 +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -958,6 +958,9 @@ static int soc_dai_link_sanity_check(struct snd_soc_card *card, + void snd_soc_remove_pcm_runtime(struct snd_soc_card *card, + struct snd_soc_pcm_runtime *rtd) + { ++ if (!rtd) ++ return; ++ + lockdep_assert_held(&client_mutex); + + /* release machine specific resources */ +-- +2.39.5 + diff --git a/queue-5.10/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch b/queue-5.10/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch new file mode 100644 index 0000000000..25bb3aa593 --- /dev/null +++ b/queue-5.10/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch @@ -0,0 +1,68 @@ +From 9212f26ff58584b3caa062754173ba3168f8b040 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 17:41:04 +0100 +Subject: ASoC: hdac_hdmi: Rate limit logging on connection and disconnection + +From: Mark Brown + +[ Upstream commit c4ca928a6db1593802cd945f075a7e21dd0430c1 ] + +We currently log parse failures for ELD data and some disconnection events +as errors without rate limiting. These log messages can be triggered very +frequently in some situations, especially ELD parsing when there is nothing +connected to a HDMI port which will generate: + +hdmi-audio-codec hdmi-audio-codec.1.auto: HDMI: Unknown ELD version 0 + +While there's doubtless work that could be done on reducing the number of +connection notification callbacks it's possible these may be legitimately +generated by poor quality physical connections so let's use rate limiting +to mitigate the log spam for the parse errors and lower the severity for +disconnect logging to debug level. + +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20250613-asoc-hdmi-eld-logging-v1-1-76d64154d969@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/hdac_hdmi.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c +index 6de3e47b92d8..76e06c88f279 100644 +--- a/sound/soc/codecs/hdac_hdmi.c ++++ b/sound/soc/codecs/hdac_hdmi.c +@@ -1230,7 +1230,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev, + >> DRM_ELD_VER_SHIFT; + + if (ver != ELD_VER_CEA_861D && ver != ELD_VER_PARTIAL) { +- dev_err(&hdev->dev, "HDMI: Unknown ELD version %d\n", ver); ++ dev_err_ratelimited(&hdev->dev, ++ "HDMI: Unknown ELD version %d\n", ver); + return -EINVAL; + } + +@@ -1238,7 +1239,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev, + DRM_ELD_MNL_MASK) >> DRM_ELD_MNL_SHIFT; + + if (mnl > ELD_MAX_MNL) { +- dev_err(&hdev->dev, "HDMI: MNL Invalid %d\n", mnl); ++ dev_err_ratelimited(&hdev->dev, ++ "HDMI: MNL Invalid %d\n", mnl); + return -EINVAL; + } + +@@ -1297,8 +1299,8 @@ static void hdac_hdmi_present_sense(struct hdac_hdmi_pin *pin, + + if (!port->eld.monitor_present || !port->eld.eld_valid) { + +- dev_err(&hdev->dev, "%s: disconnect for pin:port %d:%d\n", +- __func__, pin->nid, port->id); ++ dev_dbg(&hdev->dev, "%s: disconnect for pin:port %d:%d\n", ++ __func__, pin->nid, port->id); + + /* + * PCMs are not registered during device probe, so don't +-- +2.39.5 + diff --git a/queue-5.10/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch b/queue-5.10/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch new file mode 100644 index 0000000000..b51d13c0b1 --- /dev/null +++ b/queue-5.10/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch @@ -0,0 +1,73 @@ +From dbe4d899d722c8d9096b4620be389c8f49e23d10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 02:26:39 +0000 +Subject: ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was + successed + +From: Kuninori Morimoto + +[ Upstream commit f40ecc2743652c0b0f19935f81baf57c601eb7f0 ] + +ASoC has 2 functions to set bias level. + (A) snd_soc_dapm_force_bias_level() + (B) snd_soc_dapm_set_bias_level() + +snd_soc_dapm_force_bias_level() (A) will set dapm->bias_level (a) if +successed. + +(A) int snd_soc_dapm_force_bias_level(...) + { + ... + if (ret == 0) +(a) dapm->bias_level = level; + ... + } + +snd_soc_dapm_set_bias_level() (B) is also a function that sets bias_level. +It will call snd_soc_dapm_force_bias_level() (A) inside, but doesn't +set dapm->bias_level by itself. One note is that (A) might not be called. + +(B) static int snd_soc_dapm_set_bias_level(...) + { + ... + ret = snd_soc_card_set_bias_level(...); + ... + if (dapm != &card->dapm) +(A) ret = snd_soc_dapm_force_bias_level(...); + ... + ret = snd_soc_card_set_bias_level_post(...); + ... + } + +dapm->bias_level will be set if (A) was called, but might not be set +if (B) was called, even though it calles set_bias_level() function. + +We should set dapm->bias_level if we calls +snd_soc_dapm_set_bias_level() (B), too. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87qzyn4g4h.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index acb46e1f9c0a..175c8c264b62 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -743,6 +743,10 @@ static int snd_soc_dapm_set_bias_level(struct snd_soc_dapm_context *dapm, + out: + trace_snd_soc_bias_level_done(card, level); + ++ /* success */ ++ if (ret == 0) ++ snd_soc_dapm_init_bias_level(dapm, level); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.10/ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch b/queue-5.10/ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch new file mode 100644 index 0000000000..1072500905 --- /dev/null +++ b/queue-5.10/ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch @@ -0,0 +1,42 @@ +From ef472c99d03f3daff6aa5a2e16ed12bdd284e241 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 21:53:16 +0900 +Subject: ata: libata-sata: Disallow changing LPM state if not supported + +From: Damien Le Moal + +[ Upstream commit 413e800cadbf67550d76c77c230b2ecd96bce83a ] + +Modify ata_scsi_lpm_store() to return an error if a user attempts to set +a link power management policy for a port that does not support LPM, +that is, ports flagged with ATA_FLAG_NO_LPM. + +Signed-off-by: Damien Le Moal +Reviewed-by: Niklas Cassel +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20250701125321.69496-6-dlemoal@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sata.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c +index 45656067c547..d5c97dba2dd4 100644 +--- a/drivers/ata/libata-sata.c ++++ b/drivers/ata/libata-sata.c +@@ -815,6 +815,11 @@ static ssize_t ata_scsi_lpm_store(struct device *device, + + spin_lock_irqsave(ap->lock, flags); + ++ if (ap->flags & ATA_FLAG_NO_LPM) { ++ count = -EOPNOTSUPP; ++ goto out_unlock; ++ } ++ + ata_for_each_link(link, ap, EDGE) { + ata_for_each_dev(dev, &ap->link, ENABLED) { + if (dev->horkage & ATA_HORKAGE_NOLPM) { +-- +2.39.5 + diff --git a/queue-5.10/be2net-use-correct-byte-order-and-format-string-for-.patch b/queue-5.10/be2net-use-correct-byte-order-and-format-string-for-.patch new file mode 100644 index 0000000000..0f44047b37 --- /dev/null +++ b/queue-5.10/be2net-use-correct-byte-order-and-format-string-for-.patch @@ -0,0 +1,53 @@ +From 67f9250fa7823f3c81f71977bb592b795d1863ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 12:35:47 -0700 +Subject: be2net: Use correct byte order and format string for TCP seq and + ack_seq + +From: Alok Tiwari + +[ Upstream commit 4701ee5044fb3992f1c910630a9673c2dc600ce5 ] + +The TCP header fields seq and ack_seq are 32-bit values in network +byte order as (__be32). these fields were earlier printed using +ntohs(), which converts only 16-bit values and produces incorrect +results for 32-bit fields. This patch is changeing the conversion +to ntohl(), ensuring correct interpretation of these sequence numbers. + +Notably, the format specifier is updated from %d to %u to reflect the +unsigned nature of these fields. + +improves the accuracy of debug log messages for TCP sequence and +acknowledgment numbers during TX timeouts. + +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250717193552.3648791-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index ff3ea24d2e3f..97cbe7737eb4 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1466,10 +1466,10 @@ static void be_tx_timeout(struct net_device *netdev, unsigned int txqueue) + ntohs(tcphdr->source)); + dev_info(dev, "TCP dest port %d\n", + ntohs(tcphdr->dest)); +- dev_info(dev, "TCP sequence num %d\n", +- ntohs(tcphdr->seq)); +- dev_info(dev, "TCP ack_seq %d\n", +- ntohs(tcphdr->ack_seq)); ++ dev_info(dev, "TCP sequence num %u\n", ++ ntohl(tcphdr->seq)); ++ dev_info(dev, "TCP ack_seq %u\n", ++ ntohl(tcphdr->ack_seq)); + } else if (ip_hdr(skb)->protocol == + IPPROTO_UDP) { + udphdr = udp_hdr(skb); +-- +2.39.5 + diff --git a/queue-5.10/better-lockdep-annotations-for-simple_recursive_remo.patch b/queue-5.10/better-lockdep-annotations-for-simple_recursive_remo.patch new file mode 100644 index 0000000000..e2d044b0fa --- /dev/null +++ b/queue-5.10/better-lockdep-annotations-for-simple_recursive_remo.patch @@ -0,0 +1,57 @@ +From a40000ca751c5c403017343c5b143a79a19b8099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 22:30:32 -0400 +Subject: better lockdep annotations for simple_recursive_removal() + +From: Al Viro + +[ Upstream commit 2a8061ee5e41034eb14170ec4517b5583dbeff9f ] + +We want a class that nests outside of I_MUTEX_NORMAL (for the sake of +callbacks that might want to lock the victim) and inside I_MUTEX_PARENT +(so that a variant of that could be used with parent of the victim +held locked by the caller). + +In reality, simple_recursive_removal() + * never holds two locks at once + * holds the lock on parent of dentry passed to callback + * is used only on the trees with fixed topology, so the depths +are not changing. + +So the locking order is actually fine. + +AFAICS, the best solution is to assign I_MUTEX_CHILD to the locks +grabbed by that thing. + +Reported-by: syzbot+169de184e9defe7fe709@syzkaller.appspotmail.com +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/libfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/libfs.c b/fs/libfs.c +index aa0fbd720409..c6ed6c58dee6 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -272,7 +272,7 @@ void simple_recursive_removal(struct dentry *dentry, + struct dentry *victim = NULL, *child; + struct inode *inode = this->d_inode; + +- inode_lock(inode); ++ inode_lock_nested(inode, I_MUTEX_CHILD); + if (d_is_dir(this)) + inode->i_flags |= S_DEAD; + while ((child = find_next_child(this, victim)) == NULL) { +@@ -284,7 +284,7 @@ void simple_recursive_removal(struct dentry *dentry, + victim = this; + this = this->d_parent; + inode = this->d_inode; +- inode_lock(inode); ++ inode_lock_nested(inode, I_MUTEX_CHILD); + if (simple_positive(victim)) { + d_invalidate(victim); // avoid lost mounts + if (d_is_dir(victim)) +-- +2.39.5 + diff --git a/queue-5.10/block-avoid-possible-overflow-for-chunk_sectors-chec.patch b/queue-5.10/block-avoid-possible-overflow-for-chunk_sectors-chec.patch new file mode 100644 index 0000000000..32e7083285 --- /dev/null +++ b/queue-5.10/block-avoid-possible-overflow-for-chunk_sectors-chec.patch @@ -0,0 +1,44 @@ +From c4d47511dd0eb363e740236d84086d63aa285165 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jul 2025 09:14:47 +0000 +Subject: block: avoid possible overflow for chunk_sectors check in + blk_stack_limits() + +From: John Garry + +[ Upstream commit 448dfecc7ff807822ecd47a5c052acedca7d09e8 ] + +In blk_stack_limits(), we check that the t->chunk_sectors value is a +multiple of the t->physical_block_size value. + +However, by finding the chunk_sectors value in bytes, we may overflow +the unsigned int which holds chunk_sectors, so change the check to be +based on sectors. + +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. Petersen +Signed-off-by: John Garry +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250729091448.1691334-2-john.g.garry@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-settings.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/blk-settings.c b/block/blk-settings.c +index ebd373469c80..18855d4bfda2 100644 +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -605,7 +605,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b, + } + + /* chunk_sectors a multiple of the physical block size? */ +- if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) { ++ if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) { + t->chunk_sectors = 0; + t->misaligned = 1; + ret = -1; +-- +2.39.5 + diff --git a/queue-5.10/can-ti_hecc-fix-woverflow-compiler-warning.patch b/queue-5.10/can-ti_hecc-fix-woverflow-compiler-warning.patch new file mode 100644 index 0000000000..3d31f69e75 --- /dev/null +++ b/queue-5.10/can-ti_hecc-fix-woverflow-compiler-warning.patch @@ -0,0 +1,40 @@ +From bdbf3e2b3c973d57ce423b6343388044f9670e0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 20:28:11 +0900 +Subject: can: ti_hecc: fix -Woverflow compiler warning + +From: Vincent Mailhol + +[ Upstream commit 7cae4d04717b002cffe41169da3f239c845a0723 ] + +Fix below default (W=0) warning: + + drivers/net/can/ti_hecc.c: In function 'ti_hecc_start': + drivers/net/can/ti_hecc.c:386:20: warning: conversion from 'long unsigned int' to 'u32' {aka 'unsigned int'} changes value from '18446744073709551599' to '4294967279' [-Woverflow] + 386 | mbx_mask = ~BIT(HECC_RX_LAST_MBOX); + | ^ + +Signed-off-by: Vincent Mailhol +Link: https://patch.msgid.link/20250715-can-compile-test-v2-1-f7fd566db86f@wanadoo.fr +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/ti_hecc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c +index 2c22f40e12bd..7662c4b9e318 100644 +--- a/drivers/net/can/ti_hecc.c ++++ b/drivers/net/can/ti_hecc.c +@@ -393,7 +393,7 @@ static void ti_hecc_start(struct net_device *ndev) + * overflows instead of the hardware silently dropping the + * messages. + */ +- mbx_mask = ~BIT(HECC_RX_LAST_MBOX); ++ mbx_mask = ~BIT_U32(HECC_RX_LAST_MBOX); + hecc_write(priv, HECC_CANOPC, mbx_mask); + + /* Enable interrupts */ +-- +2.39.5 + diff --git a/queue-5.10/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch b/queue-5.10/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch new file mode 100644 index 0000000000..3bcb1957d1 --- /dev/null +++ b/queue-5.10/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch @@ -0,0 +1,60 @@ +From a1a084d393fe454a835756a02e5bc35def8aa1a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 20:54:11 +0100 +Subject: cifs: Fix calling CIFSFindFirst() for root path without msearch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit b460249b9a1dab7a9f58483e5349d045ad6d585c ] + +To query root path (without msearch wildcard) it is needed to +send pattern '\' instead of '' (empty string). + +This allows to use CIFSFindFirst() to query information about root path +which is being used in followup changes. + +This change fixes the stat() syscall called on the root path on the mount. +It is because stat() syscall uses the cifs_query_path_info() function and +it can fallback to the CIFSFindFirst() usage with msearch=false. + +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifssmb.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index 95992c93bbe3..a19e5e7c7d0f 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -4470,6 +4470,12 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon, + pSMB->FileName[name_len] = 0; + pSMB->FileName[name_len+1] = 0; + name_len += 2; ++ } else if (!searchName[0]) { ++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb); ++ pSMB->FileName[1] = 0; ++ pSMB->FileName[2] = 0; ++ pSMB->FileName[3] = 0; ++ name_len = 4; + } + } else { + name_len = copy_path_name(pSMB->FileName, searchName); +@@ -4481,6 +4487,10 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon, + pSMB->FileName[name_len] = '*'; + pSMB->FileName[name_len+1] = 0; + name_len += 2; ++ } else if (!searchName[0]) { ++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb); ++ pSMB->FileName[1] = 0; ++ name_len = 2; + } + } + +-- +2.39.5 + diff --git a/queue-5.10/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch b/queue-5.10/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch new file mode 100644 index 0000000000..940dd898eb --- /dev/null +++ b/queue-5.10/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch @@ -0,0 +1,51 @@ +From cdecdb7aea08a632d2311092ce3c552c6adbe41c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 05:55:40 +0000 +Subject: cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag + +From: Prashant Malani + +[ Upstream commit 0a1416a49e63c320f6e6c1c8d07e1b58c0d4a3f3 ] + +AMU counters on certain CPPC-based platforms tend to yield inaccurate +delivered performance measurements on systems that are idle/mostly idle. +This results in an inaccurate frequency being stored by cpufreq in its +policy structure when the CPU is brought online. [1] + +Consequently, if the userspace governor tries to set the frequency to a +new value, there is a possibility that it would be the erroneous value +stored earlier. In such a scenario, cpufreq would assume that the +requested frequency has already been set and return early, resulting in +the correct/new frequency request never making it to the hardware. + +Since the operating frequency is liable to this sort of inconsistency, +mark the CPPC driver with CPUFREQ_NEED_UPDATE_LIMITS so that it is always +invoked when a target frequency update is requested. + +Link: https://lore.kernel.org/linux-pm/20250619000925.415528-3-pmalani@google.com/ [1] +Suggested-by: Rafael J. Wysocki +Signed-off-by: Prashant Malani +Acked-by: Viresh Kumar +Link: https://patch.msgid.link/20250722055611.130574-2-pmalani@google.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cppc_cpufreq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c +index f29e8d0553a8..17e712651090 100644 +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -396,7 +396,7 @@ static int cppc_cpufreq_set_boost(struct cpufreq_policy *policy, int state) + } + + static struct cpufreq_driver cppc_cpufreq_driver = { +- .flags = CPUFREQ_CONST_LOOPS, ++ .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS, + .verify = cppc_verify_policy, + .target = cppc_cpufreq_set_target, + .get = cppc_cpufreq_get_rate, +-- +2.39.5 + diff --git a/queue-5.10/cpufreq-exit-governor-when-failed-to-start-old-gover.patch b/queue-5.10/cpufreq-exit-governor-when-failed-to-start-old-gover.patch new file mode 100644 index 0000000000..580a5b1f91 --- /dev/null +++ b/queue-5.10/cpufreq-exit-governor-when-failed-to-start-old-gover.patch @@ -0,0 +1,43 @@ +From 46312ddf39f13387f816caa7dd898b446c00040a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:41:45 +0800 +Subject: cpufreq: Exit governor when failed to start old governor + +From: Lifeng Zheng + +[ Upstream commit 0ae204405095abfbc2d694ee0fbb49bcbbe55c57 ] + +Detect the result of starting old governor in cpufreq_set_policy(). If it +fails, exit the governor and clear policy->governor. + +Signed-off-by: Lifeng Zheng +Link: https://patch.msgid.link/20250709104145.2348017-5-zhenglifeng1@huawei.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index d1277f98d1fd..149ba2e39a96 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2545,10 +2545,12 @@ static int cpufreq_set_policy(struct cpufreq_policy *policy, + pr_debug("starting governor %s failed\n", policy->governor->name); + if (old_gov) { + policy->governor = old_gov; +- if (cpufreq_init_governor(policy)) ++ if (cpufreq_init_governor(policy)) { + policy->governor = NULL; +- else +- cpufreq_start_governor(policy); ++ } else if (cpufreq_start_governor(policy)) { ++ cpufreq_exit_governor(policy); ++ policy->governor = NULL; ++ } + } + + return ret; +-- +2.39.5 + diff --git a/queue-5.10/dm-mpath-don-t-print-the-loaded-message-if-registeri.patch b/queue-5.10/dm-mpath-don-t-print-the-loaded-message-if-registeri.patch new file mode 100644 index 0000000000..6c1bb70e97 --- /dev/null +++ b/queue-5.10/dm-mpath-don-t-print-the-loaded-message-if-registeri.patch @@ -0,0 +1,87 @@ +From 4469fa9d1123687f474da2b4b102f710ea1514f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 15:24:22 +0200 +Subject: dm-mpath: don't print the "loaded" message if registering fails + +From: Mikulas Patocka + +[ Upstream commit 6e11952a6abc4641dc8ae63f01b318b31b44e8db ] + +If dm_register_path_selector, don't print the "version X loaded" message. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-historical-service-time.c | 4 +++- + drivers/md/dm-queue-length.c | 4 +++- + drivers/md/dm-round-robin.c | 4 +++- + drivers/md/dm-service-time.c | 4 +++- + 4 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/md/dm-historical-service-time.c b/drivers/md/dm-historical-service-time.c +index 06fe43c13ba3..2d23de6742fb 100644 +--- a/drivers/md/dm-historical-service-time.c ++++ b/drivers/md/dm-historical-service-time.c +@@ -537,8 +537,10 @@ static int __init dm_hst_init(void) + { + int r = dm_register_path_selector(&hst_ps); + +- if (r < 0) ++ if (r < 0) { + DMERR("register failed %d", r); ++ return r; ++ } + + DMINFO("version " HST_VERSION " loaded"); + +diff --git a/drivers/md/dm-queue-length.c b/drivers/md/dm-queue-length.c +index 5fd018d18418..cbb72039005a 100644 +--- a/drivers/md/dm-queue-length.c ++++ b/drivers/md/dm-queue-length.c +@@ -256,8 +256,10 @@ static int __init dm_ql_init(void) + { + int r = dm_register_path_selector(&ql_ps); + +- if (r < 0) ++ if (r < 0) { + DMERR("register failed %d", r); ++ return r; ++ } + + DMINFO("version " QL_VERSION " loaded"); + +diff --git a/drivers/md/dm-round-robin.c b/drivers/md/dm-round-robin.c +index bdbb7e6e8212..fa7205f8f0b4 100644 +--- a/drivers/md/dm-round-robin.c ++++ b/drivers/md/dm-round-robin.c +@@ -212,8 +212,10 @@ static int __init dm_rr_init(void) + { + int r = dm_register_path_selector(&rr_ps); + +- if (r < 0) ++ if (r < 0) { + DMERR("register failed %d", r); ++ return r; ++ } + + DMINFO("version " RR_VERSION " loaded"); + +diff --git a/drivers/md/dm-service-time.c b/drivers/md/dm-service-time.c +index 9cfda665e9eb..563bd9e4d16f 100644 +--- a/drivers/md/dm-service-time.c ++++ b/drivers/md/dm-service-time.c +@@ -338,8 +338,10 @@ static int __init dm_st_init(void) + { + int r = dm_register_path_selector(&st_ps); + +- if (r < 0) ++ if (r < 0) { + DMERR("register failed %d", r); ++ return r; ++ } + + DMINFO("version " ST_VERSION " loaded"); + +-- +2.39.5 + diff --git a/queue-5.10/drbd-add-missing-kref_get-in-handle_write_conflicts.patch b/queue-5.10/drbd-add-missing-kref_get-in-handle_write_conflicts.patch new file mode 100644 index 0000000000..7c931b036b --- /dev/null +++ b/queue-5.10/drbd-add-missing-kref_get-in-handle_write_conflicts.patch @@ -0,0 +1,65 @@ +From cafd72849b894de962c378c1ae8b281491449150 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 11:57:28 +0200 +Subject: drbd: add missing kref_get in handle_write_conflicts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sarah Newman + +[ Upstream commit 00c9c9628b49e368d140cfa61d7df9b8922ec2a8 ] + +With `two-primaries` enabled, DRBD tries to detect "concurrent" writes +and handle write conflicts, so that even if you write to the same sector +simultaneously on both nodes, they end up with the identical data once +the writes are completed. + +In handling "superseeded" writes, we forgot a kref_get, +resulting in a premature drbd_destroy_device and use after free, +and further to kernel crashes with symptoms. + +Relevance: No one should use DRBD as a random data generator, and apparently +all users of "two-primaries" handle concurrent writes correctly on layer up. +That is cluster file systems use some distributed lock manager, +and live migration in virtualization environments stops writes on one node +before starting writes on the other node. + +Which means that other than for "test cases", +this code path is never taken in real life. + +FYI, in DRBD 9, things are handled differently nowadays. We still detect +"write conflicts", but no longer try to be smart about them. +We decided to disconnect hard instead: upper layers must not submit concurrent +writes. If they do, that's their fault. + +Signed-off-by: Sarah Newman +Signed-off-by: Lars Ellenberg +Signed-off-by: Christoph Böhmwalder +Link: https://lore.kernel.org/r/20250627095728.800688-1-christoph.boehmwalder@linbit.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 405e09575f08..b4d4e4a41b08 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -2532,7 +2532,11 @@ static int handle_write_conflicts(struct drbd_device *device, + peer_req->w.cb = superseded ? e_send_superseded : + e_send_retry_write; + list_add_tail(&peer_req->w.list, &device->done_ee); +- queue_work(connection->ack_sender, &peer_req->peer_device->send_acks_work); ++ /* put is in drbd_send_acks_wf() */ ++ kref_get(&device->kref); ++ if (!queue_work(connection->ack_sender, ++ &peer_req->peer_device->send_acks_work)) ++ kref_put(&device->kref, drbd_destroy_device); + + err = -ENOENT; + goto out; +-- +2.39.5 + diff --git a/queue-5.10/drm-amd-display-fix-failed-to-blank-crtc.patch b/queue-5.10/drm-amd-display-fix-failed-to-blank-crtc.patch new file mode 100644 index 0000000000..e169caf266 --- /dev/null +++ b/queue-5.10/drm-amd-display-fix-failed-to-blank-crtc.patch @@ -0,0 +1,48 @@ +From 251348757a725c1e1dddaa2e100b4a0c895791f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jun 2025 16:37:08 -0400 +Subject: drm/amd/display: Fix 'failed to blank crtc!' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wen Chen + +[ Upstream commit 01f60348d8fb6b3fbcdfc7bdde5d669f95b009a4 ] + +[why] +DCN35 is having “DC: failed to blank crtc!” when running HPO +test cases. It's caused by not having sufficient udelay time. + +[how] +Replace the old wait_for_blank_complete function with fsleep function to +sleep just until the next frame should come up. This way it doesn't poll +in case the pixel clock or other clock was bugged or until vactive and +the vblank are hit again. + +Reviewed-by: Nicholas Kazlauskas +Signed-off-by: Wen Chen +Signed-off-by: Fangzhi Zuo +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +index b6dc99317d7f..402d65759e73 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +@@ -735,7 +735,7 @@ enum dc_status dcn20_enable_stream_timing( + return DC_ERROR_UNEXPECTED; + } + +- hws->funcs.wait_for_blank_complete(pipe_ctx->stream_res.opp); ++ fsleep(stream->timing.v_total * (stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz)); + + params.vertical_total_min = stream->adjust.v_total_min; + params.vertical_total_max = stream->adjust.v_total_max; +-- +2.39.5 + diff --git a/queue-5.10/drm-amd-display-separate-set_gsl-from-set_gsl_source.patch b/queue-5.10/drm-amd-display-separate-set_gsl-from-set_gsl_source.patch new file mode 100644 index 0000000000..14950be130 --- /dev/null +++ b/queue-5.10/drm-amd-display-separate-set_gsl-from-set_gsl_source.patch @@ -0,0 +1,49 @@ +From 25b84f45dcdf26aa1ee6375e28b5a0a073670d25 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 13:07:14 -0400 +Subject: drm/amd/display: Separate set_gsl from set_gsl_source_select + +From: Ilya Bakoulin + +[ Upstream commit 660a467a5e7366cd6642de61f1aaeaf0d253ee68 ] + +[Why/How] +Separate the checks for set_gsl and set_gsl_source_select, since +source_select may not be implemented/necessary. + +Reviewed-by: Nevenko Stupar +Signed-off-by: Ilya Bakoulin +Signed-off-by: Ray Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +index c6c4888c6665..b6dc99317d7f 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +@@ -159,14 +159,13 @@ static void dcn20_setup_gsl_group_as_lock( + } + + /* at this point we want to program whether it's to enable or disable */ +- if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL && +- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL) { ++ if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL) { + pipe_ctx->stream_res.tg->funcs->set_gsl( + pipe_ctx->stream_res.tg, + &gsl); +- +- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select( +- pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0); ++ if (pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL) ++ pipe_ctx->stream_res.tg->funcs->set_gsl_source_select( ++ pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0); + } else + BREAK_TO_DEBUGGER(); + } +-- +2.39.5 + diff --git a/queue-5.10/drm-ttm-should-to-return-the-evict-error.patch b/queue-5.10/drm-ttm-should-to-return-the-evict-error.patch new file mode 100644 index 0000000000..2a8057f0b7 --- /dev/null +++ b/queue-5.10/drm-ttm-should-to-return-the-evict-error.patch @@ -0,0 +1,45 @@ +From b1b0ec8ed453fd1f2d7592e97269d046f9f485bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 17:11:54 +0800 +Subject: drm/ttm: Should to return the evict error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Emily Deng + +[ Upstream commit 4e16a9a00239db5d819197b9a00f70665951bf50 ] + +For the evict fail case, the evict error should be returned. + +v2: Consider ENOENT case. + +v3: Abort directly when the eviction failed for some reason (except for -ENOENT) + and not wait for the move to finish + +Signed-off-by: Emily Deng +Reviewed-by: Christian König +Signed-off-by: Christian König +Link: https://lore.kernel.org/r/20250603091154.3472646-1-Emily.Deng@amd.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ttm/ttm_resource.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/ttm/ttm_resource.c b/drivers/gpu/drm/ttm/ttm_resource.c +index b325b9264203..e6db512ff581 100644 +--- a/drivers/gpu/drm/ttm/ttm_resource.c ++++ b/drivers/gpu/drm/ttm/ttm_resource.c +@@ -113,6 +113,9 @@ int ttm_resource_manager_force_list_clean(struct ttm_bo_device *bdev, + } + spin_unlock(&glob->lru_lock); + ++ if (ret && ret != -ENOENT) ++ return ret; ++ + spin_lock(&man->move_lock); + fence = dma_fence_get(man->move); + spin_unlock(&man->move_lock); +-- +2.39.5 + diff --git a/queue-5.10/et131x-add-missing-check-after-dma-map.patch b/queue-5.10/et131x-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..d697c01f3d --- /dev/null +++ b/queue-5.10/et131x-add-missing-check-after-dma-map.patch @@ -0,0 +1,100 @@ +From fe8808607fbff92439a5c5e11ea9ac0e33ea0e08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:47:30 +0200 +Subject: et131x: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit d61f6cb6f6ef3c70d2ccc0d9c85c508cb8017da9 ] + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, unmap and return an error. + +Signed-off-by: Thomas Fourier +Acked-by: Mark Einon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250716094733.28734-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/agere/et131x.c | 36 +++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/drivers/net/ethernet/agere/et131x.c b/drivers/net/ethernet/agere/et131x.c +index 41f8821f792d..fa04e37de089 100644 +--- a/drivers/net/ethernet/agere/et131x.c ++++ b/drivers/net/ethernet/agere/et131x.c +@@ -2460,6 +2460,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb->data, + skb_headlen(skb), + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ return -ENOMEM; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2469,6 +2473,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb->data, + skb_headlen(skb) / 2, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ return -ENOMEM; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2479,6 +2487,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb_headlen(skb) / 2, + skb_headlen(skb) / 2, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ goto unmap_first_out; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2490,6 +2502,9 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + 0, + desc[frag].len_vlan, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, dma_addr)) ++ goto unmap_out; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2579,6 +2594,27 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + &adapter->regs->global.watchdog_timer); + } + return 0; ++ ++unmap_out: ++ // Unmap the body of the packet with map_page ++ while (--i) { ++ frag--; ++ dma_addr = desc[frag].addr_lo; ++ dma_addr |= (u64)desc[frag].addr_hi << 32; ++ dma_unmap_page(&adapter->pdev->dev, dma_addr, ++ desc[frag].len_vlan, DMA_TO_DEVICE); ++ } ++ ++unmap_first_out: ++ // Unmap the header with map_single ++ while (frag--) { ++ dma_addr = desc[frag].addr_lo; ++ dma_addr |= (u64)desc[frag].addr_hi << 32; ++ dma_unmap_single(&adapter->pdev->dev, dma_addr, ++ desc[frag].len_vlan, DMA_TO_DEVICE); ++ } ++ ++ return -ENOMEM; + } + + static int send_packet(struct sk_buff *skb, struct et131x_adapter *adapter) +-- +2.39.5 + diff --git a/queue-5.10/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch b/queue-5.10/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch new file mode 100644 index 0000000000..af61b913b1 --- /dev/null +++ b/queue-5.10/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch @@ -0,0 +1,73 @@ +From eee52e9bd1a68c5fb0a74aefd72fe7462739a6df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:54:34 -0400 +Subject: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr + +From: Theodore Ts'o + +[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ] + +A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() +when an inode had the INLINE_DATA_FL flag set but was missing the +system.data extended attribute. + +Since this can happen due to a maiciouly fuzzed file system, we +shouldn't BUG, but rather, report it as a corrupted file system. + +Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii +ext4_create_inline_data() and ext4_inline_data_truncate(). + +Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 8ccbb3703954..f02fcaa62804 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -296,7 +296,11 @@ static int ext4_create_inline_data(handle_t *handle, + if (error) + goto out; + +- BUG_ON(!is.s.not_found); ++ if (!is.s.not_found) { ++ EXT4_ERROR_INODE(inode, "unexpected inline data xattr"); ++ error = -EFSCORRUPTED; ++ goto out; ++ } + + error = ext4_xattr_ibody_set(handle, inode, &i, &is); + if (error) { +@@ -347,7 +351,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode, + if (error) + goto out; + +- BUG_ON(is.s.not_found); ++ if (is.s.not_found) { ++ EXT4_ERROR_INODE(inode, "missing inline data xattr"); ++ error = -EFSCORRUPTED; ++ goto out; ++ } + + len -= EXT4_MIN_INLINE_DATA_SIZE; + value = kzalloc(len, GFP_NOFS); +@@ -1939,7 +1947,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline) + if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0) + goto out_error; + +- BUG_ON(is.s.not_found); ++ if (is.s.not_found) { ++ EXT4_ERROR_INODE(inode, ++ "missing inline data xattr"); ++ err = -EFSCORRUPTED; ++ goto out_error; ++ } + + value_len = le32_to_cpu(is.s.here->e_value_size); + value = kmalloc(value_len, GFP_NOFS); +-- +2.39.5 + diff --git a/queue-5.10/fs-orangefs-use-snprintf-instead-of-sprintf.patch b/queue-5.10/fs-orangefs-use-snprintf-instead-of-sprintf.patch new file mode 100644 index 0000000000..b7c7fc9ef2 --- /dev/null +++ b/queue-5.10/fs-orangefs-use-snprintf-instead-of-sprintf.patch @@ -0,0 +1,47 @@ +From d29c6b2c8aec5973f7980d26d4782e79fb3a5c5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jun 2025 20:05:59 +0330 +Subject: fs/orangefs: use snprintf() instead of sprintf() + +From: Amir Mohammad Jahangirzad + +[ Upstream commit cdfa1304657d6f23be8fd2bb0516380a3c89034e ] + +sprintf() is discouraged for use with bounded destination buffers +as it does not prevent buffer overflows when the formatted output +exceeds the destination buffer size. snprintf() is a safer +alternative as it limits the number of bytes written and ensures +NUL-termination. + +Replace sprintf() with snprintf() for copying the debug string +into a temporary buffer, using ORANGEFS_MAX_DEBUG_STRING_LEN as +the maximum size to ensure safe formatting and prevent memory +corruption in edge cases. + +EDIT: After this patch sat on linux-next for a few days, Dan +Carpenter saw it and suggested that I use scnprintf instead of +snprintf. I made the change and retested. + +Signed-off-by: Amir Mohammad Jahangirzad +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index b57140ebfad0..cd4bfd92ebd6 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -354,7 +354,7 @@ static ssize_t orangefs_debug_read(struct file *file, + goto out; + + mutex_lock(&orangefs_debug_lock); +- sprintf_ret = sprintf(buf, "%s", (char *)file->private_data); ++ sprintf_ret = scnprintf(buf, ORANGEFS_MAX_DEBUG_STRING_LEN, "%s", (char *)file->private_data); + mutex_unlock(&orangefs_debug_lock); + + read_ret = simple_read_from_buffer(ubuf, count, ppos, buf, sprintf_ret); +-- +2.39.5 + diff --git a/queue-5.10/gpio-tps65912-check-the-return-value-of-regmap_updat.patch b/queue-5.10/gpio-tps65912-check-the-return-value-of-regmap_updat.patch new file mode 100644 index 0000000000..151e5df8a5 --- /dev/null +++ b/queue-5.10/gpio-tps65912-check-the-return-value-of-regmap_updat.patch @@ -0,0 +1,42 @@ +From d2c6aaa1114a3a0af6a9e4ce14552f93eb1f5070 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:50:15 +0200 +Subject: gpio: tps65912: check the return value of regmap_update_bits() + +From: Bartosz Golaszewski + +[ Upstream commit a0b2a6bbff8c26aafdecd320f38f52c341d5cafa ] + +regmap_update_bits() can fail, check its return value like we do +elsewhere in the driver. + +Link: https://lore.kernel.org/r/20250707-gpiochip-set-rv-gpio-round4-v1-2-35668aaaf6d2@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tps65912.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c +index 510d9ed9fd2a..a8a2ad13e09e 100644 +--- a/drivers/gpio/gpio-tps65912.c ++++ b/drivers/gpio/gpio-tps65912.c +@@ -49,10 +49,13 @@ static int tps65912_gpio_direction_output(struct gpio_chip *gc, + unsigned offset, int value) + { + struct tps65912_gpio *gpio = gpiochip_get_data(gc); ++ int ret; + + /* Set the initial value */ +- regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, +- GPIO_SET_MASK, value ? GPIO_SET_MASK : 0); ++ ret = regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, ++ GPIO_SET_MASK, value ? GPIO_SET_MASK : 0); ++ if (ret) ++ return ret; + + return regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, + GPIO_CFG_MASK, GPIO_CFG_MASK); +-- +2.39.5 + diff --git a/queue-5.10/gpio-wcd934x-check-the-return-value-of-regmap_update.patch b/queue-5.10/gpio-wcd934x-check-the-return-value-of-regmap_update.patch new file mode 100644 index 0000000000..3db366ea73 --- /dev/null +++ b/queue-5.10/gpio-wcd934x-check-the-return-value-of-regmap_update.patch @@ -0,0 +1,42 @@ +From b2d4bac922bd110887905bc339bc80a66acc4b63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 08:41:39 +0200 +Subject: gpio: wcd934x: check the return value of regmap_update_bits() + +From: Bartosz Golaszewski + +[ Upstream commit ff0f0d7c6587e38c308be9905e36f86e98fb9c1f ] + +regmap_update_bits() can fail so check its return value in +wcd_gpio_direction_output() for consistency with the rest of the code +and propagate any errors. + +Link: https://lore.kernel.org/r/20250709-gpiochip-set-rv-gpio-remaining-v1-2-b8950f69618d@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-wcd934x.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-wcd934x.c b/drivers/gpio/gpio-wcd934x.c +index 97e6caedf1f3..c00968ce7a56 100644 +--- a/drivers/gpio/gpio-wcd934x.c ++++ b/drivers/gpio/gpio-wcd934x.c +@@ -45,9 +45,12 @@ static int wcd_gpio_direction_output(struct gpio_chip *chip, unsigned int pin, + int val) + { + struct wcd_gpio_data *data = gpiochip_get_data(chip); ++ int ret; + +- regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET, +- WCD_PIN_MASK(pin), WCD_PIN_MASK(pin)); ++ ret = regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET, ++ WCD_PIN_MASK(pin), WCD_PIN_MASK(pin)); ++ if (ret) ++ return ret; + + return regmap_update_bits(data->map, WCD_REG_VAL_CTL_OFFSET, + WCD_PIN_MASK(pin), +-- +2.39.5 + diff --git a/queue-5.10/gve-return-error-for-unknown-admin-queue-command.patch b/queue-5.10/gve-return-error-for-unknown-admin-queue-command.patch new file mode 100644 index 0000000000..0cfc90ec9f --- /dev/null +++ b/queue-5.10/gve-return-error-for-unknown-admin-queue-command.patch @@ -0,0 +1,41 @@ +From 53fe08c7987d01dae6685ff1a26c31333df174f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 22:45:01 -0700 +Subject: gve: Return error for unknown admin queue command + +From: Alok Tiwari + +[ Upstream commit b11344f63fdd9e8c5121148a6965b41079071dd2 ] + +In gve_adminq_issue_cmd(), return -EINVAL instead of 0 when an unknown +admin queue command opcode is encountered. + +This prevents the function from silently succeeding on invalid input +and prevents undefined behavior by ensuring the function fails gracefully +when an unrecognized opcode is provided. + +These changes improve error handling. + +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250616054504.1644770-2-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_adminq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c +index 67f2b9a61463..f02b3f01a557 100644 +--- a/drivers/net/ethernet/google/gve/gve_adminq.c ++++ b/drivers/net/ethernet/google/gve/gve_adminq.c +@@ -246,6 +246,7 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv, + break; + default: + dev_err(&priv->pdev->dev, "unknown AQ command opcode %d\n", opcode); ++ return -EINVAL; + } + + return 0; +-- +2.39.5 + diff --git a/queue-5.10/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch b/queue-5.10/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch new file mode 100644 index 0000000000..4b55baf5cb --- /dev/null +++ b/queue-5.10/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch @@ -0,0 +1,105 @@ +From 2cd3d0652bf0e62d6dbccd7fc5d7ae32369683e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 17:12:11 -0700 +Subject: hfs: fix not erasing deleted b-tree node issue + +From: Viacheslav Dubeyko + +[ Upstream commit d3ed6d6981f4756f145766753c872482bc3b28d3 ] + +The generic/001 test of xfstests suite fails and corrupts +the HFS volume: + +sudo ./check generic/001 +FSTYP -- hfs +PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2> +MKFS_OPTIONS -- /dev/loop51 +MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch + +generic/001 32s ... _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent +(see /home/slavad/XFSTESTS-2/xfstests-dev/results//generic/001.full for details) + +Ran: generic/001 +Failures: generic/001 +Failed 1 of 1 tests + +fsck.hfs -d -n ./test-image.bin +** ./test-image.bin (NO WRITE) + Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K. + Executing fsck_hfs (version 540.1-Linux). +** Checking HFS volume. + The volume name is untitled +** Checking extents overflow file. +** Checking catalog file. + Unused node is not erased (node = 2) + Unused node is not erased (node = 4) + + Unused node is not erased (node = 253) + Unused node is not erased (node = 254) + Unused node is not erased (node = 255) + Unused node is not erased (node = 256) +** Checking catalog hierarchy. +** Checking volume bitmap. +** Checking volume information. + Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000 + CBTStat = 0x0004 CatStat = 0x00000000 +** The volume untitled was found corrupt and needs to be repaired. + volume type is HFS + primary MDB is at block 2 0x02 + alternate MDB is at block 20971518 0x13ffffe + primary VHB is at block 0 0x00 + alternate VHB is at block 0 0x00 + sector size = 512 0x200 + VolumeObject flags = 0x19 + total sectors for volume = 20971520 0x1400000 + total sectors for embedded volume = 0 0x00 + +This patch adds logic of clearing the deleted b-tree node. + +sudo ./check generic/001 +FSTYP -- hfs +PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2025 +MKFS_OPTIONS -- /dev/loop51 +MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch + +generic/001 9s ... 32s +Ran: generic/001 +Passed all 1 tests + +fsck.hfs -d -n ./test-image.bin +** ./test-image.bin (NO WRITE) + Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K. + Executing fsck_hfs (version 540.1-Linux). +** Checking HFS volume. + The volume name is untitled +** Checking extents overflow file. +** Checking catalog file. +** Checking catalog hierarchy. +** Checking volume bitmap. +** Checking volume information. +** The volume untitled appears to be OK. + +Signed-off-by: Viacheslav Dubeyko +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20250430001211.1912533-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bnode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c +index 2039cb6d5f66..219e3b8fd6a8 100644 +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -586,6 +586,7 @@ void hfs_bnode_put(struct hfs_bnode *node) + if (test_bit(HFS_BNODE_DELETED, &node->flags)) { + hfs_bnode_unhash(node); + spin_unlock(&tree->hash_lock); ++ hfs_bnode_clear(node, 0, tree->node_size); + hfs_bmap_free(node); + hfs_bnode_free(node); + return; +-- +2.39.5 + diff --git a/queue-5.10/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch b/queue-5.10/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch new file mode 100644 index 0000000000..d3b4724299 --- /dev/null +++ b/queue-5.10/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch @@ -0,0 +1,166 @@ +From 9ec37120905410cab0fdf7c734b2db869059b7bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:49:12 -0700 +Subject: hfs: fix slab-out-of-bounds in hfs_bnode_read() + +From: Viacheslav Dubeyko + +[ Upstream commit a431930c9bac518bf99d6b1da526a7f37ddee8d8 ] + +This patch introduces is_bnode_offset_valid() method that checks +the requested offset value. Also, it introduces +check_and_correct_requested_length() method that checks and +correct the requested length (if it is necessary). These methods +are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), +hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent +the access out of allocated memory and triggering the crash. + +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250703214912.244138-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c +index 2251286cd83f..2039cb6d5f66 100644 +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -15,6 +15,48 @@ + + #include "btree.h" + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page *page; +@@ -23,6 +65,20 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + int bytes_to_read; + void *vaddr; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagenum = off >> PAGE_SHIFT; + off &= ~PAGE_MASK; /* compute page offset for the first page */ +@@ -83,6 +139,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page *page; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + page = node->page[0]; + +@@ -108,6 +178,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len) + { + struct page *page; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + page = node->page[0]; + +@@ -124,6 +208,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst, + hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(src_node, src, len); ++ len = check_and_correct_requested_length(dst_node, dst, len); ++ + src += src_node->page_offset; + dst += dst_node->page_offset; + src_page = src_node->page[0]; +@@ -143,6 +231,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len) + hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(node, src, len); ++ len = check_and_correct_requested_length(node, dst, len); ++ + src += node->page_offset; + dst += node->page_offset; + page = node->page[0]; +-- +2.39.5 + diff --git a/queue-5.10/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch b/queue-5.10/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch new file mode 100644 index 0000000000..d2b4ad811a --- /dev/null +++ b/queue-5.10/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch @@ -0,0 +1,46 @@ +From 8d67e71fee78d84d395a107ed2b2258341554b89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 14:17:56 +0900 +Subject: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() + +From: Tetsuo Handa + +[ Upstream commit c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 ] + +When the volume header contains erroneous values that do not reflect +the actual state of the filesystem, hfsplus_fill_super() assumes that +the attributes file is not yet created, which later results in hitting +BUG_ON() when hfsplus_create_attributes_file() is called. Replace this +BUG_ON() with -EIO error with a message to suggest running fsck tool. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=1107451c16b9eb9d29e6 +Signed-off-by: Tetsuo Handa +Reviewed-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/7b587d24-c8a1-4413-9b9a-00a33fbd849f@I-love.SAKURA.ne.jp +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/xattr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c +index d91f76ef18d9..2438cd759620 100644 +--- a/fs/hfsplus/xattr.c ++++ b/fs/hfsplus/xattr.c +@@ -172,7 +172,11 @@ static int hfsplus_create_attributes_file(struct super_block *sb) + return PTR_ERR(attr_file); + } + +- BUG_ON(i_size_read(attr_file) != 0); ++ if (i_size_read(attr_file) != 0) { ++ err = -EIO; ++ pr_err("detected inconsistent attributes file, running fsck.hfsplus is recommended.\n"); ++ goto end_attr_file_creation; ++ } + + hip = HFSPLUS_I(attr_file); + +-- +2.39.5 + diff --git a/queue-5.10/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch b/queue-5.10/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch new file mode 100644 index 0000000000..500ac82c60 --- /dev/null +++ b/queue-5.10/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch @@ -0,0 +1,296 @@ +From 243fb5606b46cbd4318c2de997be255767c0ab55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:48:04 -0700 +Subject: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() + +From: Viacheslav Dubeyko + +[ Upstream commit c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2 ] + +The hfsplus_bnode_read() method can trigger the issue: + +[ 174.852007][ T9784] ================================================================== +[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360 +[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784 +[ 174.854059][ T9784] +[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full) +[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 174.854286][ T9784] Call Trace: +[ 174.854289][ T9784] +[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0 +[ 174.854305][ T9784] print_report+0xd0/0x660 +[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610 +[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180 +[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360 +[ 174.854337][ T9784] kasan_report+0xc6/0x100 +[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360 +[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360 +[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380 +[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10 +[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0 +[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310 +[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40 +[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0 +[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0 +[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10 +[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10 +[ 174.854436][ T9784] ? __asan_memset+0x23/0x50 +[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320 +[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10 +[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0 +[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40 +[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0 +[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10 +[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0 +[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10 +[ 174.854525][ T9784] ? down_write+0x148/0x200 +[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10 +[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0 +[ 174.854549][ T9784] do_unlinkat+0x490/0x670 +[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10 +[ 174.854565][ T9784] ? __might_fault+0xbc/0x130 +[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550 +[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110 +[ 174.854592][ T9784] do_syscall_64+0xc9/0x480 +[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167 +[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08 +[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 +[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167 +[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50 +[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40 +[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0 +[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 174.854658][ T9784] +[ 174.854661][ T9784] +[ 174.879281][ T9784] Allocated by task 9784: +[ 174.879664][ T9784] kasan_save_stack+0x20/0x40 +[ 174.880082][ T9784] kasan_save_track+0x14/0x30 +[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0 +[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550 +[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890 +[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10 +[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520 +[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x320 +[ 174.883144][ T9784] hfsplus_delete_cat+0x845/0xde0 +[ 174.883595][ T9784] hfsplus_rmdir+0x106/0x1b0 +[ 174.884004][ T9784] vfs_rmdir+0x206/0x690 +[ 174.884379][ T9784] do_rmdir+0x2b7/0x390 +[ 174.884751][ T9784] __x64_sys_rmdir+0xc5/0x110 +[ 174.885167][ T9784] do_syscall_64+0xc9/0x480 +[ 174.885568][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 174.886083][ T9784] +[ 174.886293][ T9784] The buggy address belongs to the object at ffff88810b5fc600 +[ 174.886293][ T9784] which belongs to the cache kmalloc-192 of size 192 +[ 174.887507][ T9784] The buggy address is located 40 bytes to the right of +[ 174.887507][ T9784] allocated 152-byte region [ffff88810b5fc600, ffff88810b5fc698) +[ 174.888766][ T9784] +[ 174.888976][ T9784] The buggy address belongs to the physical page: +[ 174.889533][ T9784] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b5fc +[ 174.890295][ T9784] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) +[ 174.890927][ T9784] page_type: f5(slab) +[ 174.891284][ T9784] raw: 057ff00000000000 ffff88801b4423c0 ffffea000426dc80 dead000000000002 +[ 174.892032][ T9784] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 +[ 174.892774][ T9784] page dumped because: kasan: bad access detected +[ 174.893327][ T9784] page_owner tracks the page as allocated +[ 174.893825][ T9784] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NO1 +[ 174.895373][ T9784] post_alloc_hook+0x1c0/0x230 +[ 174.895801][ T9784] get_page_from_freelist+0xdeb/0x3b30 +[ 174.896284][ T9784] __alloc_frozen_pages_noprof+0x25c/0x2460 +[ 174.896810][ T9784] alloc_pages_mpol+0x1fb/0x550 +[ 174.897242][ T9784] new_slab+0x23b/0x340 +[ 174.897614][ T9784] ___slab_alloc+0xd81/0x1960 +[ 174.898028][ T9784] __slab_alloc.isra.0+0x56/0xb0 +[ 174.898468][ T9784] __kmalloc_noprof+0x2b0/0x550 +[ 174.898896][ T9784] usb_alloc_urb+0x73/0xa0 +[ 174.899289][ T9784] usb_control_msg+0x1cb/0x4a0 +[ 174.899718][ T9784] usb_get_string+0xab/0x1a0 +[ 174.900133][ T9784] usb_string_sub+0x107/0x3c0 +[ 174.900549][ T9784] usb_string+0x307/0x670 +[ 174.900933][ T9784] usb_cache_string+0x80/0x150 +[ 174.901355][ T9784] usb_new_device+0x1d0/0x19d0 +[ 174.901786][ T9784] register_root_hub+0x299/0x730 +[ 174.902231][ T9784] page last free pid 10 tgid 10 stack trace: +[ 174.902757][ T9784] __free_frozen_pages+0x80c/0x1250 +[ 174.903217][ T9784] vfree.part.0+0x12b/0xab0 +[ 174.903645][ T9784] delayed_vfree_work+0x93/0xd0 +[ 174.904073][ T9784] process_one_work+0x9b5/0x1b80 +[ 174.904519][ T9784] worker_thread+0x630/0xe60 +[ 174.904927][ T9784] kthread+0x3a8/0x770 +[ 174.905291][ T9784] ret_from_fork+0x517/0x6e0 +[ 174.905709][ T9784] ret_from_fork_asm+0x1a/0x30 +[ 174.906128][ T9784] +[ 174.906338][ T9784] Memory state around the buggy address: +[ 174.906828][ T9784] ffff88810b5fc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 174.907528][ T9784] ffff88810b5fc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 174.908222][ T9784] >ffff88810b5fc680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 174.908917][ T9784] ^ +[ 174.909481][ T9784] ffff88810b5fc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 174.910432][ T9784] ffff88810b5fc780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 174.911401][ T9784] ================================================================== + +The reason of the issue that code doesn't check the correctness +of the requested offset and length. As a result, incorrect value +of offset or/and length could result in access out of allocated +memory. + +This patch introduces is_bnode_offset_valid() method that checks +the requested offset value. Also, it introduces +check_and_correct_requested_length() method that checks and +correct the requested length (if it is necessary). These methods +are used in hfsplus_bnode_read(), hfsplus_bnode_write(), +hfsplus_bnode_clear(), hfsplus_bnode_copy(), and hfsplus_bnode_move() +with the goal to prevent the access out of allocated memory +and triggering the crash. + +Reported-by: Kun Hu +Reported-by: Jiaji Qin +Reported-by: Shuoran Bai +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250703214804.244077-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index cf6e5de7b9da..c9c38fddf505 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,12 +18,68 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -83,6 +139,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len) + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -113,6 +183,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len) + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -139,6 +223,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst, + hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(src_node, src, len); ++ len = check_and_correct_requested_length(dst_node, dst, len); ++ + src += src_node->page_offset; + dst += dst_node->page_offset; + src_page = src_node->page + (src >> PAGE_SHIFT); +@@ -196,6 +284,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len) + hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(node, src, len); ++ len = check_and_correct_requested_length(node, dst, len); ++ + src += node->page_offset; + dst += node->page_offset; + if (dst > src) { +-- +2.39.5 + diff --git a/queue-5.10/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch b/queue-5.10/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch new file mode 100644 index 0000000000..d9ebe546dd --- /dev/null +++ b/queue-5.10/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch @@ -0,0 +1,177 @@ +From f2b55df8e6a45f4b53b322a5b03fb0f2d0708c1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:08:30 -0700 +Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() + +From: Viacheslav Dubeyko + +[ Upstream commit 94458781aee6045bd3d0ad4b80b02886b9e2219b ] + +The hfsplus_readdir() method is capable to crash by calling +hfsplus_uni2asc(): + +[ 667.121659][ T9805] ================================================================== +[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10 +[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805 +[ 667.124578][ T9805] +[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full) +[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 667.124890][ T9805] Call Trace: +[ 667.124893][ T9805] +[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0 +[ 667.124911][ T9805] print_report+0xd0/0x660 +[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610 +[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180 +[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10 +[ 667.124942][ T9805] kasan_report+0xc6/0x100 +[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10 +[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10 +[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360 +[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0 +[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10 +[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0 +[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20 +[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0 +[ 667.125022][ T9805] ? lock_acquire+0x30/0x80 +[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20 +[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0 +[ 667.125044][ T9805] ? putname+0x154/0x1a0 +[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10 +[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0 +[ 667.125069][ T9805] iterate_dir+0x296/0xb20 +[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0 +[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10 +[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200 +[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10 +[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0 +[ 667.125143][ T9805] do_syscall_64+0xc9/0x480 +[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9 +[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9 +[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9 +[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004 +[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110 +[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260 +[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 667.125207][ T9805] +[ 667.125210][ T9805] +[ 667.145632][ T9805] Allocated by task 9805: +[ 667.145991][ T9805] kasan_save_stack+0x20/0x40 +[ 667.146352][ T9805] kasan_save_track+0x14/0x30 +[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0 +[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550 +[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0 +[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0 +[ 667.148174][ T9805] iterate_dir+0x296/0xb20 +[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0 +[ 667.148937][ T9805] do_syscall_64+0xc9/0x480 +[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.149809][ T9805] +[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000 +[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048 +[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of +[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c) +[ 667.152580][ T9805] +[ 667.152798][ T9805] The buggy address belongs to the physical page: +[ 667.153373][ T9805] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25928 +[ 667.154157][ T9805] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 667.154916][ T9805] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) +[ 667.155631][ T9805] page_type: f5(slab) +[ 667.155997][ T9805] raw: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001 +[ 667.156770][ T9805] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 +[ 667.157536][ T9805] head: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001 +[ 667.158317][ T9805] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 +[ 667.159088][ T9805] head: 00fff00000000003 ffffea0000964a01 00000000ffffffff 00000000ffffffff +[ 667.159865][ T9805] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +[ 667.160643][ T9805] page dumped because: kasan: bad access detected +[ 667.161216][ T9805] page_owner tracks the page as allocated +[ 667.161732][ T9805] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN9 +[ 667.163566][ T9805] post_alloc_hook+0x1c0/0x230 +[ 667.164003][ T9805] get_page_from_freelist+0xdeb/0x3b30 +[ 667.164503][ T9805] __alloc_frozen_pages_noprof+0x25c/0x2460 +[ 667.165040][ T9805] alloc_pages_mpol+0x1fb/0x550 +[ 667.165489][ T9805] new_slab+0x23b/0x340 +[ 667.165872][ T9805] ___slab_alloc+0xd81/0x1960 +[ 667.166313][ T9805] __slab_alloc.isra.0+0x56/0xb0 +[ 667.166767][ T9805] __kmalloc_cache_noprof+0x255/0x3e0 +[ 667.167255][ T9805] psi_cgroup_alloc+0x52/0x2d0 +[ 667.167693][ T9805] cgroup_mkdir+0x694/0x1210 +[ 667.168118][ T9805] kernfs_iop_mkdir+0x111/0x190 +[ 667.168568][ T9805] vfs_mkdir+0x59b/0x8d0 +[ 667.168956][ T9805] do_mkdirat+0x2ed/0x3d0 +[ 667.169353][ T9805] __x64_sys_mkdir+0xef/0x140 +[ 667.169784][ T9805] do_syscall_64+0xc9/0x480 +[ 667.170195][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.170730][ T9805] page last free pid 1257 tgid 1257 stack trace: +[ 667.171304][ T9805] __free_frozen_pages+0x80c/0x1250 +[ 667.171770][ T9805] vfree.part.0+0x12b/0xab0 +[ 667.172182][ T9805] delayed_vfree_work+0x93/0xd0 +[ 667.172612][ T9805] process_one_work+0x9b5/0x1b80 +[ 667.173067][ T9805] worker_thread+0x630/0xe60 +[ 667.173486][ T9805] kthread+0x3a8/0x770 +[ 667.173857][ T9805] ret_from_fork+0x517/0x6e0 +[ 667.174278][ T9805] ret_from_fork_asm+0x1a/0x30 +[ 667.174703][ T9805] +[ 667.174917][ T9805] Memory state around the buggy address: +[ 667.175411][ T9805] ffff88802592f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 667.176114][ T9805] ffff88802592f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 667.176830][ T9805] >ffff88802592f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.177547][ T9805] ^ +[ 667.177933][ T9805] ffff88802592f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.178640][ T9805] ffff88802592f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.179350][ T9805] ================================================================== + +The hfsplus_uni2asc() method operates by struct hfsplus_unistr: + +struct hfsplus_unistr { + __be16 length; + hfsplus_unichr unicode[HFSPLUS_MAX_STRLEN]; +} __packed; + +where HFSPLUS_MAX_STRLEN is 255 bytes. The issue happens if length +of the structure instance has value bigger than 255 (for example, +65283). In such case, pointer on unicode buffer is going beyond of +the allocated memory. + +The patch fixes the issue by checking the length value of +hfsplus_unistr instance and using 255 value in the case if length +value is bigger than HFSPLUS_MAX_STRLEN. Potential reason of such +situation could be a corruption of Catalog File b-tree's node. + +Reported-by: Wenzhi Wang +Signed-off-by: Liu Shixin +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Reviewed-by: Yangtao Li +Link: https://lore.kernel.org/r/20250710230830.110500-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/unicode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c +index 73342c925a4b..36b6cf2a3abb 100644 +--- a/fs/hfsplus/unicode.c ++++ b/fs/hfsplus/unicode.c +@@ -132,7 +132,14 @@ int hfsplus_uni2asc(struct super_block *sb, + + op = astr; + ip = ustr->unicode; ++ + ustrlen = be16_to_cpu(ustr->length); ++ if (ustrlen > HFSPLUS_MAX_STRLEN) { ++ ustrlen = HFSPLUS_MAX_STRLEN; ++ pr_err("invalid length %u has been corrected to %d\n", ++ be16_to_cpu(ustr->length), ustrlen); ++ } ++ + len = *len_p; + ce1 = NULL; + compose = !test_bit(HFSPLUS_SB_NODECOMPOSE, &HFSPLUS_SB(sb)->flags); +-- +2.39.5 + diff --git a/queue-5.10/i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch b/queue-5.10/i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch new file mode 100644 index 0000000000..f5f6fd038a --- /dev/null +++ b/queue-5.10/i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch @@ -0,0 +1,39 @@ +From b1c4208c6dcea49c130793cadd2e366daefed2e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Aug 2025 07:15:54 +0800 +Subject: i2c: Force DLL0945 touchpad i2c freq to 100khz + +From: fangzhong.zhou + +[ Upstream commit 0b7c9528facdb5a73ad78fea86d2e95a6c48dbc4 ] + +This patch fixes an issue where the touchpad cursor movement becomes +slow on the Dell Precision 5560. Force the touchpad freq to 100khz +as a workaround. + +Tested on Dell Precision 5560 with 6.14 to 6.14.6. Cursor movement +is now smooth and responsive. + +Signed-off-by: fangzhong.zhou +[wsa: kept sorting and removed unnecessary parts from commit msg] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-acpi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c +index e7aed9442d56..197b89f0b3e0 100644 +--- a/drivers/i2c/i2c-core-acpi.c ++++ b/drivers/i2c/i2c-core-acpi.c +@@ -314,6 +314,7 @@ static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = { + * the device works without issues on Windows at what is expected to be + * a 400KHz frequency. The root cause of the issue is not known. + */ ++ { "DLL0945", 0 }, + { "ELAN06FA", 0 }, + {} + }; +-- +2.39.5 + diff --git a/queue-5.10/i3c-add-missing-include-to-internal-header.patch b/queue-5.10/i3c-add-missing-include-to-internal-header.patch new file mode 100644 index 0000000000..ad76668c84 --- /dev/null +++ b/queue-5.10/i3c-add-missing-include-to-internal-header.patch @@ -0,0 +1,44 @@ +From 662f5f41a84459bcc75ed686968d04fe89d65642 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 14:00:47 +0200 +Subject: i3c: add missing include to internal header + +From: Wolfram Sang + +[ Upstream commit 3b661ca549b9e5bb11d0bc97ada6110aac3282d2 ] + +LKP found a random config which failed to build because IO accessors +were not defined: + + In file included from drivers/i3c/master.c:21: + drivers/i3c/internals.h: In function 'i3c_writel_fifo': +>> drivers/i3c/internals.h:35:9: error: implicit declaration of function 'writesl' [-Werror=implicit-function-declaration] + +Add the proper header to where the IO accessors are used. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202507150208.BZDzzJ5E-lkp@intel.com/ +Signed-off-by: Wolfram Sang +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250717120046.9022-2-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/internals.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i3c/internals.h b/drivers/i3c/internals.h +index 86b7b44cfca2..1906c711f38a 100644 +--- a/drivers/i3c/internals.h ++++ b/drivers/i3c/internals.h +@@ -9,6 +9,7 @@ + #define I3C_INTERNALS_H + + #include ++#include + + extern struct bus_type i3c_bus_type; + +-- +2.39.5 + diff --git a/queue-5.10/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch b/queue-5.10/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch new file mode 100644 index 0000000000..f7ad0fceac --- /dev/null +++ b/queue-5.10/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch @@ -0,0 +1,43 @@ +From 8968615d45fd227d06c6285f0ed203845776b6c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 22:44:32 +0200 +Subject: i3c: don't fail if GETHDRCAP is unsupported + +From: Wolfram Sang + +[ Upstream commit 447270cdb41b1c8c3621bb14b93a6749f942556e ] + +'I3C_BCR_HDR_CAP' is still spec v1.0 and has been renamed to 'advanced +capabilities' in v1.1 onwards. The ST pressure sensor LPS22DF does not +have HDR, but has the 'advanced cap' bit set. The core still wants to +get additional information using the CCC 'GETHDRCAP' (or GETCAPS in v1.1 +onwards). Not all controllers support this CCC and will notify the upper +layers about it. For instantiating the device, we can ignore this +unsupported CCC as standard communication will work. Without this patch, +the device will not be instantiated at all. + +Signed-off-by: Wolfram Sang +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250704204524.6124-1-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 6d56d23d6429..203b7497b52d 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -1308,7 +1308,7 @@ static int i3c_master_retrieve_dev_info(struct i3c_dev_desc *dev) + + if (dev->info.bcr & I3C_BCR_HDR_CAP) { + ret = i3c_master_gethdrcap_locked(master, &dev->info); +- if (ret) ++ if (ret && ret != -ENOTSUPP) + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.10/iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch b/queue-5.10/iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch new file mode 100644 index 0000000000..f2735edd92 --- /dev/null +++ b/queue-5.10/iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch @@ -0,0 +1,70 @@ +From 35b4690fdd19c66e77d49b95ae00eabb4ef7dd0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 16:35:21 -0300 +Subject: iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Santos + +[ Upstream commit 7e54d932873d91a55d1b89b7389876d78aeeab32 ] + +The SYNC_IN pulse width must be at least 1.5 x Tmclk, corresponding to +~2.5 µs at the lowest supported MCLK frequency. Add a 3 µs delay to +ensure reliable synchronization timing even for the worst-case scenario. + +Signed-off-by: Jonathan Santos +Reviewed-by: David Lechner +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/d3ee92a533cd1207cf5c5cc4d7bdbb5c6c267f68.1749063024.git.Jonathan.Santos@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7768-1.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c +index 9580a7f7f73d..883399ad80e0 100644 +--- a/drivers/iio/adc/ad7768-1.c ++++ b/drivers/iio/adc/ad7768-1.c +@@ -202,6 +202,24 @@ static int ad7768_spi_reg_write(struct ad7768_state *st, + return spi_write(st->spi, st->data.d8, 2); + } + ++static int ad7768_send_sync_pulse(struct ad7768_state *st) ++{ ++ /* ++ * The datasheet specifies a minimum SYNC_IN pulse width of 1.5 × Tmclk, ++ * where Tmclk is the MCLK period. The supported MCLK frequencies range ++ * from 0.6 MHz to 17 MHz, which corresponds to a minimum SYNC_IN pulse ++ * width of approximately 2.5 µs in the worst-case scenario (0.6 MHz). ++ * ++ * Add a delay to ensure the pulse width is always sufficient to ++ * trigger synchronization. ++ */ ++ gpiod_set_value_cansleep(st->gpio_sync_in, 1); ++ fsleep(3); ++ gpiod_set_value_cansleep(st->gpio_sync_in, 0); ++ ++ return 0; ++} ++ + static int ad7768_set_mode(struct ad7768_state *st, + enum ad7768_conv_mode mode) + { +@@ -287,10 +305,7 @@ static int ad7768_set_dig_fil(struct ad7768_state *st, + return ret; + + /* A sync-in pulse is required every time the filter dec rate changes */ +- gpiod_set_value(st->gpio_sync_in, 1); +- gpiod_set_value(st->gpio_sync_in, 0); +- +- return 0; ++ return ad7768_send_sync_pulse(st); + } + + static int ad7768_set_freq(struct ad7768_state *st, +-- +2.39.5 + diff --git a/queue-5.10/ipmi-fix-strcpy-source-and-destination-the-same.patch b/queue-5.10/ipmi-fix-strcpy-source-and-destination-the-same.patch new file mode 100644 index 0000000000..776d5b20e9 --- /dev/null +++ b/queue-5.10/ipmi-fix-strcpy-source-and-destination-the-same.patch @@ -0,0 +1,150 @@ +From 4c2228e2dd6fc36b85bd975eb20204ba0c63277f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 19:06:26 -0500 +Subject: ipmi: Fix strcpy source and destination the same + +From: Corey Minyard + +[ Upstream commit 8ffcb7560b4a15faf821df95e3ab532b2b020f8c ] + +The source and destination of some strcpy operations was the same. +Split out the part of the operations that needed to be done for those +particular calls so the unnecessary copy wasn't done. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506140756.EFXXvIP4-lkp@intel.com/ +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_watchdog.c | 59 ++++++++++++++++++++++--------- + 1 file changed, 42 insertions(+), 17 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c +index 883b4a341012..56be20f7485b 100644 +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -1198,14 +1198,8 @@ static struct ipmi_smi_watcher smi_watcher = { + .smi_gone = ipmi_smi_gone + }; + +-static int action_op(const char *inval, char *outval) ++static int action_op_set_val(const char *inval) + { +- if (outval) +- strcpy(outval, action); +- +- if (!inval) +- return 0; +- + if (strcmp(inval, "reset") == 0) + action_val = WDOG_TIMEOUT_RESET; + else if (strcmp(inval, "none") == 0) +@@ -1216,18 +1210,26 @@ static int action_op(const char *inval, char *outval) + action_val = WDOG_TIMEOUT_POWER_DOWN; + else + return -EINVAL; +- strcpy(action, inval); + return 0; + } + +-static int preaction_op(const char *inval, char *outval) ++static int action_op(const char *inval, char *outval) + { ++ int rv; ++ + if (outval) +- strcpy(outval, preaction); ++ strcpy(outval, action); + + if (!inval) + return 0; ++ rv = action_op_set_val(inval); ++ if (!rv) ++ strcpy(action, inval); ++ return rv; ++} + ++static int preaction_op_set_val(const char *inval) ++{ + if (strcmp(inval, "pre_none") == 0) + preaction_val = WDOG_PRETIMEOUT_NONE; + else if (strcmp(inval, "pre_smi") == 0) +@@ -1240,18 +1242,26 @@ static int preaction_op(const char *inval, char *outval) + preaction_val = WDOG_PRETIMEOUT_MSG_INT; + else + return -EINVAL; +- strcpy(preaction, inval); + return 0; + } + +-static int preop_op(const char *inval, char *outval) ++static int preaction_op(const char *inval, char *outval) + { ++ int rv; ++ + if (outval) +- strcpy(outval, preop); ++ strcpy(outval, preaction); + + if (!inval) + return 0; ++ rv = preaction_op_set_val(inval); ++ if (!rv) ++ strcpy(preaction, inval); ++ return 0; ++} + ++static int preop_op_set_val(const char *inval) ++{ + if (strcmp(inval, "preop_none") == 0) + preop_val = WDOG_PREOP_NONE; + else if (strcmp(inval, "preop_panic") == 0) +@@ -1260,7 +1270,22 @@ static int preop_op(const char *inval, char *outval) + preop_val = WDOG_PREOP_GIVE_DATA; + else + return -EINVAL; +- strcpy(preop, inval); ++ return 0; ++} ++ ++static int preop_op(const char *inval, char *outval) ++{ ++ int rv; ++ ++ if (outval) ++ strcpy(outval, preop); ++ ++ if (!inval) ++ return 0; ++ ++ rv = preop_op_set_val(inval); ++ if (!rv) ++ strcpy(preop, inval); + return 0; + } + +@@ -1297,18 +1322,18 @@ static int __init ipmi_wdog_init(void) + { + int rv; + +- if (action_op(action, NULL)) { ++ if (action_op_set_val(action)) { + action_op("reset", NULL); + pr_info("Unknown action '%s', defaulting to reset\n", action); + } + +- if (preaction_op(preaction, NULL)) { ++ if (preaction_op_set_val(preaction)) { + preaction_op("pre_none", NULL); + pr_info("Unknown preaction '%s', defaulting to none\n", + preaction); + } + +- if (preop_op(preop, NULL)) { ++ if (preop_op_set_val(preop)) { + preop_op("preop_none", NULL); + pr_info("Unknown preop '%s', defaulting to none\n", preop); + } +-- +2.39.5 + diff --git a/queue-5.10/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch b/queue-5.10/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch new file mode 100644 index 0000000000..8b6ca65af2 --- /dev/null +++ b/queue-5.10/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch @@ -0,0 +1,47 @@ +From 34cd503387fa00ba51910ec5c9f40dcd89ed8bf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 05:57:26 -0700 +Subject: ipmi: Use dev_warn_ratelimited() for incorrect message warnings + +From: Breno Leitao + +[ Upstream commit ec50ec378e3fd83bde9b3d622ceac3509a60b6b5 ] + +During BMC firmware upgrades on live systems, the ipmi_msghandler +generates excessive "BMC returned incorrect response" warnings +while the BMC is temporarily offline. This can flood system logs +in large deployments. + +Replace dev_warn() with dev_warn_ratelimited() to throttle these +warnings and prevent log spam during BMC maintenance operations. + +Signed-off-by: Breno Leitao +Message-ID: <20250710-ipmi_ratelimit-v1-1-6d417015ebe9@debian.org> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index b89f300751b1..5b01985aed22 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -4307,10 +4307,10 @@ static int handle_one_recv_msg(struct ipmi_smi *intf, + * The NetFN and Command in the response is not even + * marginally correct. + */ +- dev_warn(intf->si_dev, +- "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n", +- (msg->data[0] >> 2) | 1, msg->data[1], +- msg->rsp[0] >> 2, msg->rsp[1]); ++ dev_warn_ratelimited(intf->si_dev, ++ "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n", ++ (msg->data[0] >> 2) | 1, msg->data[1], ++ msg->rsp[0] >> 2, msg->rsp[1]); + + /* Generate an error response for the message. */ + msg->rsp[0] = msg->data[0] | (1 << 2); +-- +2.39.5 + diff --git a/queue-5.10/jfs-regular-file-corruption-check.patch b/queue-5.10/jfs-regular-file-corruption-check.patch new file mode 100644 index 0000000000..2cbda8f6c4 --- /dev/null +++ b/queue-5.10/jfs-regular-file-corruption-check.patch @@ -0,0 +1,39 @@ +From 31f64ed27fd91b252c4b9979b1611579468ce098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 14:48:43 +0800 +Subject: jfs: Regular file corruption check + +From: Edward Adam Davis + +[ Upstream commit 2d04df8116426b6c7b9f8b9b371250f666a2a2fb ] + +The reproducer builds a corrupted file on disk with a negative i_size value. +Add a check when opening this file to avoid subsequent operation failures. + +Reported-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=630f6d40b3ccabc8e96e +Tested-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/file.c b/fs/jfs/file.c +index 930d2701f206..44872daeca01 100644 +--- a/fs/jfs/file.c ++++ b/fs/jfs/file.c +@@ -44,6 +44,9 @@ static int jfs_open(struct inode *inode, struct file *file) + { + int rc; + ++ if (S_ISREG(inode->i_mode) && inode->i_size < 0) ++ return -EIO; ++ + if ((rc = dquot_file_open(inode, file))) + return rc; + +-- +2.39.5 + diff --git a/queue-5.10/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch b/queue-5.10/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch new file mode 100644 index 0000000000..d2330ce132 --- /dev/null +++ b/queue-5.10/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch @@ -0,0 +1,41 @@ +From 90c781e7fd0232865072e40dc62f5396bb68fb96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 11:05:34 +0800 +Subject: jfs: truncate good inode pages when hard link is 0 + +From: Lizhi Xu + +[ Upstream commit 2d91b3765cd05016335cd5df5e5c6a29708ec058 ] + +The fileset value of the inode copy from the disk by the reproducer is +AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its +inode pages are not truncated. This causes the bugon to be triggered when +executing clear_inode() because nrpages is greater than 0. + +Reported-by: syzbot+6e516bb515d93230bc7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6e516bb515d93230bc7b +Signed-off-by: Lizhi Xu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c +index 980aa3300f10..2472b33e3a2d 100644 +--- a/fs/jfs/inode.c ++++ b/fs/jfs/inode.c +@@ -145,9 +145,9 @@ void jfs_evict_inode(struct inode *inode) + if (!inode->i_nlink && !is_bad_inode(inode)) { + dquot_initialize(inode); + ++ truncate_inode_pages_final(&inode->i_data); + if (JFS_IP(inode)->fileset == FILESYSTEM_I) { + struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap; +- truncate_inode_pages_final(&inode->i_data); + + if (test_cflag(COMMIT_Freewmap, inode)) + jfs_free_zero_link(inode); +-- +2.39.5 + diff --git a/queue-5.10/jfs-upper-bound-check-of-tree-index-in-dballocag.patch b/queue-5.10/jfs-upper-bound-check-of-tree-index-in-dballocag.patch new file mode 100644 index 0000000000..1148bb459b --- /dev/null +++ b/queue-5.10/jfs-upper-bound-check-of-tree-index-in-dballocag.patch @@ -0,0 +1,44 @@ +From 62b15b66d1810c8b9b3d370aef3abadd7dde5e6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 00:13:51 +0200 +Subject: jfs: upper bound check of tree index in dbAllocAG + +From: Arnaud Lecomte + +[ Upstream commit c214006856ff52a8ff17ed8da52d50601d54f9ce ] + +When computing the tree index in dbAllocAG, we never check if we are +out of bounds realative to the size of the stree. +This could happen in a scenario where the filesystem metadata are +corrupted. + +Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e +Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com +Signed-off-by: Arnaud Lecomte +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 234b7cc4acfa..f34025cc9b05 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1457,6 +1457,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results) + (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth; + ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1)); + ++ if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) { ++ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n"); ++ release_metapage(mp); ++ return -EIO; ++ } ++ + /* dmap control page trees fan-out by 4 and a single allocation + * group may be described by 1 or 2 subtrees within the ag level + * dmap control page, depending upon the ag size. examine the ag's +-- +2.39.5 + diff --git a/queue-5.10/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch b/queue-5.10/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch new file mode 100644 index 0000000000..d4b46e2dac --- /dev/null +++ b/queue-5.10/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch @@ -0,0 +1,45 @@ +From c5655bedfeeed96924b743a770afd22bd390d2dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 00:05:20 +0900 +Subject: kconfig: gconf: avoid hardcoding model2 in + on_treeview2_cursor_changed() + +From: Masahiro Yamada + +[ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ] + +The on_treeview2_cursor_changed() handler is connected to both the left +and right tree views, but it hardcodes model2 (the GtkTreeModel of the +right tree view). This is incorrect. Get the associated model from the +view. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/gconf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c +index 409799912731..50c1340cf636 100644 +--- a/scripts/kconfig/gconf.c ++++ b/scripts/kconfig/gconf.c +@@ -981,13 +981,14 @@ on_treeview2_key_press_event(GtkWidget * widget, + void + on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data) + { ++ GtkTreeModel *model = gtk_tree_view_get_model(treeview); + GtkTreeSelection *selection; + GtkTreeIter iter; + struct menu *menu; + + selection = gtk_tree_view_get_selection(treeview); +- if (gtk_tree_selection_get_selected(selection, &model2, &iter)) { +- gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1); ++ if (gtk_tree_selection_get_selected(selection, &model, &iter)) { ++ gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1); + text_insert_help(menu); + } + } +-- +2.39.5 + diff --git a/queue-5.10/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch b/queue-5.10/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch new file mode 100644 index 0000000000..56981fa9e6 --- /dev/null +++ b/queue-5.10/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch @@ -0,0 +1,42 @@ +From a06206700a6dbafb5e643b90c51a3fe41a18a431 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 00:04:55 +0900 +Subject: kconfig: gconf: fix potential memory leak in renderer_edited() + +From: Masahiro Yamada + +[ Upstream commit f72ed4c6a375e52a3f4b75615e4a89d29d8acea7 ] + +If gtk_tree_model_get_iter() fails, gtk_tree_path_free() is not called. + +Signed-off-by: Masahiro Yamada +Acked-by: Randy Dunlap +Signed-off-by: Sasha Levin +--- + scripts/kconfig/gconf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c +index 50c1340cf636..e092bb686f45 100644 +--- a/scripts/kconfig/gconf.c ++++ b/scripts/kconfig/gconf.c +@@ -787,7 +787,7 @@ static void renderer_edited(GtkCellRendererText * cell, + struct symbol *sym; + + if (!gtk_tree_model_get_iter(model2, &iter, path)) +- return; ++ goto free; + + gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1); + sym = menu->sym; +@@ -799,6 +799,7 @@ static void renderer_edited(GtkCellRendererText * cell, + + update_tree(&rootmenu, NULL); + ++free: + gtk_tree_path_free(path); + } + +-- +2.39.5 + diff --git a/queue-5.10/kconfig-lxdialog-fix-space-to-de-select-options.patch b/queue-5.10/kconfig-lxdialog-fix-space-to-de-select-options.patch new file mode 100644 index 0000000000..9f8975811b --- /dev/null +++ b/queue-5.10/kconfig-lxdialog-fix-space-to-de-select-options.patch @@ -0,0 +1,49 @@ +From 47f97196bf0737c0ba795886be603902af464c01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2013 00:53:32 +0100 +Subject: kconfig: lxdialog: fix 'space' to (de)select options + +From: Yann E. MORIN + +[ Upstream commit 694174f94ebeeb5ec5cc0e9de9b40c82057e1d95 ] + +In case a menu has comment without letters/numbers (eg. characters +matching the regexp '^[^[:alpha:][:digit:]]+$', for example - or *), +hitting space will cycle through those comments, rather than +selecting/deselecting the currently-highlighted option. + +This is the behaviour of hitting any letter/digit: jump to the next +option which prompt starts with that letter. The only letters that +do not behave as such are 'y' 'm' and 'n'. Prompts that start with +one of those three letters are instead matched on the first letter +that is not 'y', 'm' or 'n'. + +Fix that by treating 'space' as we treat y/m/n, ie. as an action key, +not as shortcut to jump to prompt. + +Signed-off-by: Yann E. MORIN +Signed-off-by: Peter Korsgaard +Signed-off-by: Cherniaev Andrei +[masahiro: took from Buildroot, adjusted the commit subject] +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/lxdialog/menubox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/lxdialog/menubox.c b/scripts/kconfig/lxdialog/menubox.c +index 58c2f8afe59b..7e10e919fbdc 100644 +--- a/scripts/kconfig/lxdialog/menubox.c ++++ b/scripts/kconfig/lxdialog/menubox.c +@@ -272,7 +272,7 @@ int dialog_menu(const char *title, const char *prompt, + if (key < 256 && isalpha(key)) + key = tolower(key); + +- if (strchr("ynmh", key)) ++ if (strchr("ynmh ", key)) + i = max_choice; + else { + for (i = choice + 1; i < max_choice; i++) { +-- +2.39.5 + diff --git a/queue-5.10/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch b/queue-5.10/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch new file mode 100644 index 0000000000..f60b41e404 --- /dev/null +++ b/queue-5.10/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch @@ -0,0 +1,41 @@ +From a8eb9289ce999ef1a4af4b1fbf22a231a95890c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jul 2025 22:14:33 +0530 +Subject: kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c + +From: Suchit Karunakaran + +[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ] + +strcpy() performs no bounds checking and can lead to buffer overflows if +the input string exceeds the destination buffer size. This patch replaces +it with strncpy(), and null terminates the input string. + +Signed-off-by: Suchit Karunakaran +Reviewed-by: Nicolas Schier +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/lxdialog/inputbox.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c +index 1dcfb288ee63..327b60cdb8da 100644 +--- a/scripts/kconfig/lxdialog/inputbox.c ++++ b/scripts/kconfig/lxdialog/inputbox.c +@@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width + + if (!init) + instr[0] = '\0'; +- else +- strcpy(instr, init); ++ else { ++ strncpy(instr, init, sizeof(dialog_input_result) - 1); ++ instr[sizeof(dialog_input_result) - 1] = '\0'; ++ } + + do_resize: + if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGTH_MIN)) +-- +2.39.5 + diff --git a/queue-5.10/kconfig-nconf-ensure-null-termination-where-strncpy-.patch b/queue-5.10/kconfig-nconf-ensure-null-termination-where-strncpy-.patch new file mode 100644 index 0000000000..71d9ffab8d --- /dev/null +++ b/queue-5.10/kconfig-nconf-ensure-null-termination-where-strncpy-.patch @@ -0,0 +1,55 @@ +From dce17128af8adcb82c214b49497bc4ba5803f7f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 00:36:54 +0530 +Subject: kconfig: nconf: Ensure null termination where strncpy is used + +From: Shankari Anand + +[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ] + +strncpy() does not guarantee null-termination if the source string is +longer than the destination buffer. + +Ensure the buffer is explicitly null-terminated to prevent potential +string overflows or undefined behavior. + +Signed-off-by: Shankari Anand +Signed-off-by: Masahiro Yamada +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Tested-by: Nicolas Schier +Acked-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 2 ++ + scripts/kconfig/nconf.gui.c | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index af814b39b876..cdbd60a3ae16 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -581,6 +581,8 @@ static void item_add_str(const char *fmt, ...) + tmp_str, + sizeof(k_menu_items[index].str)); + ++ k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0'; ++ + free_item(curses_menu_items[index]); + curses_menu_items[index] = new_item( + k_menu_items[index].str, +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c +index 77f525a8617c..8b3e9bc893a7 100644 +--- a/scripts/kconfig/nconf.gui.c ++++ b/scripts/kconfig/nconf.gui.c +@@ -398,6 +398,7 @@ int dialog_inputbox(WINDOW *main_window, + x = (columns-win_cols)/2; + + strncpy(result, init, *result_len); ++ result[*result_len - 1] = '\0'; + + /* create the windows */ + win = newwin(win_lines, win_cols, y, x); +-- +2.39.5 + diff --git a/queue-5.10/ktest.pl-prevent-recursion-of-default-variable-optio.patch b/queue-5.10/ktest.pl-prevent-recursion-of-default-variable-optio.patch new file mode 100644 index 0000000000..f8a26a5dff --- /dev/null +++ b/queue-5.10/ktest.pl-prevent-recursion-of-default-variable-optio.patch @@ -0,0 +1,62 @@ +From 07044a22f2a0b338ed7b25342616e97dc85902b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 16:18:44 -0400 +Subject: ktest.pl: Prevent recursion of default variable options + +From: Steven Rostedt + +[ Upstream commit 61f7e318e99d3b398670518dd3f4f8510d1800fc ] + +If a default variable contains itself, do not recurse on it. + +For example: + + ADD_CONFIG := ${CONFIG_DIR}/temp_config + DEFAULTS + ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG} + +The above works because the temp variable ADD_CONFIG (is a temp because it +is created with ":=") is already defined, it will be substituted in the +variable option. But if it gets commented out: + + # ADD_CONFIG := ${CONFIG_DIR}/temp_config + DEFAULTS + ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG} + +Then the above will go into a recursive loop where ${ADD_CONFIG} will +get replaced with the current definition of ADD_CONFIG which contains the +${ADD_CONFIG} and that will also try to get converted. ktest.pl will error +after 100 attempts of recursion and fail. + +When replacing a variable with the default variable, if the default +variable contains itself, do not replace it. + +Cc: "John Warthog9 Hawley" +Cc: Dhaval Giani +Cc: Greg KH +Link: https://lore.kernel.org/20250718202053.732189428@kernel.org +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + tools/testing/ktest/ktest.pl | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl +index 8ac30e2ac3ac..512a3cc586fd 100755 +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -1291,7 +1291,10 @@ sub __eval_option { + # If a variable contains itself, use the default var + if (($var eq $name) && defined($opt{$var})) { + $o = $opt{$var}; +- $retval = "$retval$o"; ++ # Only append if the default doesn't contain itself ++ if ($o !~ m/\$\{$var\}/) { ++ $retval = "$retval$o"; ++ } + } elsif (defined($opt{$o})) { + $o = $opt{$o}; + $retval = "$retval$o"; +-- +2.39.5 + diff --git a/queue-5.10/leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch b/queue-5.10/leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch new file mode 100644 index 0000000000..7642d5e40e --- /dev/null +++ b/queue-5.10/leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch @@ -0,0 +1,68 @@ +From 33733167ab149af4c575061c597192f71d49b827 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 12:23:54 +0200 +Subject: leds: leds-lp50xx: Handle reg to get correct multi_index + +From: Johan Adolfsson + +[ Upstream commit 2e84a5e5374232e6f356ce5c079a5658d7e4af2c ] + +mc_subled used for multi_index needs well defined array indexes, +to guarantee the desired result, use reg for that. + +If devicetree child nodes is processed in random or reverse order +you may end up with multi_index "blue green red" instead of the expected +"red green blue". +If user space apps uses multi_index to deduce how to control the leds +they would most likely be broken without this patch if devicetree +processing is reversed (which it appears to be). + +arch/arm/boot/dts/aspeed/aspeed-bmc-facebook-fuji.dts has reg set +but I don't see how it can have worked without this change. + +If reg is not set, an error is returned, +If reg is out of range, an error is returned. +reg within led child nodes starts with 0, to map to the iout in each bank. + +Signed-off-by: Johan Adolfsson +Reviewed-by: Jacek Anaszewski +Link: https://lore.kernel.org/r/20250617-led-fix-v7-1-cdbe8efc88fa@axis.com +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lp50xx.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c +index d4529082935b..279f3958e0ab 100644 +--- a/drivers/leds/leds-lp50xx.c ++++ b/drivers/leds/leds-lp50xx.c +@@ -493,6 +493,7 @@ static int lp50xx_probe_dt(struct lp50xx *priv) + } + + fwnode_for_each_child_node(child, led_node) { ++ int multi_index; + ret = fwnode_property_read_u32(led_node, "color", + &color_id); + if (ret) { +@@ -500,8 +501,16 @@ static int lp50xx_probe_dt(struct lp50xx *priv) + dev_err(priv->dev, "Cannot read color\n"); + goto child_out; + } ++ ret = fwnode_property_read_u32(led_node, "reg", &multi_index); ++ if (ret != 0) { ++ dev_err(priv->dev, "reg must be set\n"); ++ return -EINVAL; ++ } else if (multi_index >= LP50XX_LEDS_PER_MODULE) { ++ dev_err(priv->dev, "reg %i out of range\n", multi_index); ++ return -EINVAL; ++ } + +- mc_led_info[num_colors].color_index = color_id; ++ mc_led_info[multi_index].color_index = color_id; + num_colors++; + } + +-- +2.39.5 + diff --git a/queue-5.10/md-dm-zoned-target-initialize-return-variable-r-to-a.patch b/queue-5.10/md-dm-zoned-target-initialize-return-variable-r-to-a.patch new file mode 100644 index 0000000000..711aa1817a --- /dev/null +++ b/queue-5.10/md-dm-zoned-target-initialize-return-variable-r-to-a.patch @@ -0,0 +1,45 @@ +From 349c3b08faa0978e4998408ff50e287c6133a9ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 13:11:57 +0530 +Subject: md: dm-zoned-target: Initialize return variable r to avoid + uninitialized use + +From: Purva Yeshi + +[ Upstream commit 487767bff572d46f7c37ad846c4078f6d6c9cc55 ] + +Fix Smatch-detected error: +drivers/md/dm-zoned-target.c:1073 dmz_iterate_devices() +error: uninitialized symbol 'r'. + +Smatch detects a possible use of the uninitialized variable 'r' in +dmz_iterate_devices() because if dmz->nr_ddevs is zero, the loop is +skipped and 'r' is returned without being set, leading to undefined +behavior. + +Initialize 'r' to 0 before the loop. This ensures that if there are no +devices to iterate over, the function still returns a defined value. + +Signed-off-by: Purva Yeshi +Signed-off-by: Mikulas Patocka +Signed-off-by: Sasha Levin +--- + drivers/md/dm-zoned-target.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c +index 48fc723f1ac8..e5f61a9080e4 100644 +--- a/drivers/md/dm-zoned-target.c ++++ b/drivers/md/dm-zoned-target.c +@@ -1066,7 +1066,7 @@ static int dmz_iterate_devices(struct dm_target *ti, + struct dmz_target *dmz = ti->private; + unsigned int zone_nr_sectors = dmz_zone_nr_sectors(dmz->metadata); + sector_t capacity; +- int i, r; ++ int i, r = 0; + + for (i = 0; i < dmz->nr_ddevs; i++) { + capacity = dmz->dev[i].capacity & ~(zone_nr_sectors - 1); +-- +2.39.5 + diff --git a/queue-5.10/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch b/queue-5.10/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch new file mode 100644 index 0000000000..69b4858402 --- /dev/null +++ b/queue-5.10/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch @@ -0,0 +1,46 @@ +From c9b24070be7887ec1f87c9c83b8f8681724d3668 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 21:32:31 -0400 +Subject: media: dvb-frontends: dib7090p: fix null-ptr-deref in + dib7090p_rw_on_apb() + +From: Alex Guo + +[ Upstream commit ce5cac69b2edac3e3246fee03e8f4c2a1075238b ] + +In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and +msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing +msg[0].buf[2] without sanity check, null pointer deref would happen. We add +check on msg[0].len to prevent crash. Similar issue occurs when access +msg[1].buf[0] and msg[1].buf[1]. + +Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Alex Guo +Link: https://lore.kernel.org/r/20250616013231.730221-1-alexguo1023@gmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib7000p.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c +index 8c426baf76ee..a4d060fb1bab 100644 +--- a/drivers/media/dvb-frontends/dib7000p.c ++++ b/drivers/media/dvb-frontends/dib7000p.c +@@ -2261,8 +2261,12 @@ static int dib7090p_rw_on_apb(struct i2c_adapter *i2c_adap, + u16 word; + + if (num == 1) { /* write */ ++ if (msg[0].len < 3) ++ return -EOPNOTSUPP; + dib7000p_write_word(state, apb_address, ((msg[0].buf[1] << 8) | (msg[0].buf[2]))); + } else { ++ if (msg[1].len < 2) ++ return -EOPNOTSUPP; + word = dib7000p_read_word(state, apb_address); + msg[1].buf[0] = (word >> 8) & 0xff; + msg[1].buf[1] = (word) & 0xff; +-- +2.39.5 + diff --git a/queue-5.10/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch b/queue-5.10/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch new file mode 100644 index 0000000000..3f9b21e42d --- /dev/null +++ b/queue-5.10/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch @@ -0,0 +1,48 @@ +From fd7106814f1c4fb80801374449734c6006bffed6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 21:33:53 -0400 +Subject: media: dvb-frontends: w7090p: fix null-ptr-deref in + w7090p_tuner_write_serpar and w7090p_tuner_read_serpar + +From: Alex Guo + +[ Upstream commit ed0234c8458b3149f15e496b48a1c9874dd24a1b ] + +In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add +check on msg[0].len to prevent crash. + +Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Alex Guo +Link: https://lore.kernel.org/r/20250616013353.738790-1-alexguo1023@gmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib7000p.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c +index a4d060fb1bab..08b3ac8ff108 100644 +--- a/drivers/media/dvb-frontends/dib7000p.c ++++ b/drivers/media/dvb-frontends/dib7000p.c +@@ -2198,6 +2198,8 @@ static int w7090p_tuner_write_serpar(struct i2c_adapter *i2c_adap, struct i2c_ms + struct dib7000p_state *state = i2c_get_adapdata(i2c_adap); + u8 n_overflow = 1; + u16 i = 1000; ++ if (msg[0].len < 3) ++ return -EOPNOTSUPP; + u16 serpar_num = msg[0].buf[0]; + + while (n_overflow == 1 && i) { +@@ -2217,6 +2219,8 @@ static int w7090p_tuner_read_serpar(struct i2c_adapter *i2c_adap, struct i2c_msg + struct dib7000p_state *state = i2c_get_adapdata(i2c_adap); + u8 n_overflow = 1, n_empty = 1; + u16 i = 1000; ++ if (msg[0].len < 1 || msg[1].len < 2) ++ return -EOPNOTSUPP; + u16 serpar_num = msg[0].buf[0]; + u16 read_word; + +-- +2.39.5 + diff --git a/queue-5.10/media-tc358743-check-i2c-succeeded-during-probe.patch b/queue-5.10/media-tc358743-check-i2c-succeeded-during-probe.patch new file mode 100644 index 0000000000..2af9ba9592 --- /dev/null +++ b/queue-5.10/media-tc358743-check-i2c-succeeded-during-probe.patch @@ -0,0 +1,109 @@ +From 8cd4bde8a3f889b99b21e3c6f69ab598644488a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:15 +0100 +Subject: media: tc358743: Check I2C succeeded during probe + +From: Dave Stevenson + +[ Upstream commit 303d81635e1d9c949b370215cc94526ed81f2e3d ] + +The probe for the TC358743 reads the CHIPID register from +the device and compares it to the expected value of 0. +If the I2C request fails then that also returns 0, so +the driver loads thinking that the device is there. + +Generally I2C communications are reliable so there is +limited need to check the return value on every transfer, +therefore only amend the one read during probe to check +for I2C errors. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 1b3441510b6f..ab180ae4837a 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -110,7 +110,7 @@ static inline struct tc358743_state *to_state(struct v4l2_subdev *sd) + + /* --------------- I2C --------------- */ + +-static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) ++static int i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + { + struct tc358743_state *state = to_state(sd); + struct i2c_client *client = state->i2c_client; +@@ -136,6 +136,7 @@ static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + v4l2_err(sd, "%s: reading register 0x%x from 0x%x failed\n", + __func__, reg, client->addr); + } ++ return err != ARRAY_SIZE(msgs); + } + + static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) +@@ -192,15 +193,24 @@ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + } + } + +-static noinline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n) ++static noinline u32 i2c_rdreg_err(struct v4l2_subdev *sd, u16 reg, u32 n, ++ int *err) + { ++ int error; + __le32 val = 0; + +- i2c_rd(sd, reg, (u8 __force *)&val, n); ++ error = i2c_rd(sd, reg, (u8 __force *)&val, n); ++ if (err) ++ *err = error; + + return le32_to_cpu(val); + } + ++static inline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n) ++{ ++ return i2c_rdreg_err(sd, reg, n, NULL); ++} ++ + static noinline void i2c_wrreg(struct v4l2_subdev *sd, u16 reg, u32 val, u32 n) + { + __le32 raw = cpu_to_le32(val); +@@ -229,6 +239,13 @@ static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg) + return i2c_rdreg(sd, reg, 2); + } + ++static int i2c_rd16_err(struct v4l2_subdev *sd, u16 reg, u16 *value) ++{ ++ int err; ++ *value = i2c_rdreg_err(sd, reg, 2, &err); ++ return err; ++} ++ + static void i2c_wr16(struct v4l2_subdev *sd, u16 reg, u16 val) + { + i2c_wrreg(sd, reg, val, 2); +@@ -2042,6 +2059,7 @@ static int tc358743_probe(struct i2c_client *client) + struct tc358743_platform_data *pdata = client->dev.platform_data; + struct v4l2_subdev *sd; + u16 irq_mask = MASK_HDMI_MSK | MASK_CSI_MSK; ++ u16 chipid; + int err; + + if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_BYTE_DATA)) +@@ -2073,7 +2091,8 @@ static int tc358743_probe(struct i2c_client *client) + sd->flags |= V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS; + + /* i2c access */ +- if ((i2c_rd16(sd, CHIPID) & MASK_CHIPID) != 0) { ++ if (i2c_rd16_err(sd, CHIPID, &chipid) || ++ (chipid & MASK_CHIPID) != 0) { + v4l2_info(sd, "not a TC358743 on address 0x%x\n", + client->addr << 1); + return -ENODEV; +-- +2.39.5 + diff --git a/queue-5.10/media-tc358743-increase-fifo-trigger-level-to-374.patch b/queue-5.10/media-tc358743-increase-fifo-trigger-level-to-374.patch new file mode 100644 index 0000000000..40868ed5b1 --- /dev/null +++ b/queue-5.10/media-tc358743-increase-fifo-trigger-level-to-374.patch @@ -0,0 +1,58 @@ +From 6de2d46f0155e2475a117552d1cefd3519839bee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:14 +0100 +Subject: media: tc358743: Increase FIFO trigger level to 374 + +From: Dave Stevenson + +[ Upstream commit 86addd25314a1e77dbdcfddfeed0bab2f27da0e2 ] + +The existing fixed value of 16 worked for UYVY 720P60 over +2 lanes at 594MHz, or UYVY 1080P60 over 4 lanes. (RGB888 +1080P60 needs 6 lanes at 594MHz). +It doesn't allow for lower resolutions to work as the FIFO +underflows. + +374 is required for 1080P24 or 1080P30 UYVY over 2 lanes @ +972Mbit/s, but >374 means that the FIFO underflows on 1080P50 +UYVY over 2 lanes @ 972Mbit/s. + +Whilst it would be nice to compute it, the required information +isn't published by Toshiba. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 3649c02d611e..9cc52beb3b5e 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1960,8 +1960,19 @@ static int tc358743_probe_of(struct tc358743_state *state) + state->pdata.refclk_hz = clk_get_rate(refclk); + state->pdata.ddc5v_delay = DDC5V_DELAY_100_MS; + state->pdata.enable_hdcp = false; +- /* A FIFO level of 16 should be enough for 2-lane 720p60 at 594 MHz. */ +- state->pdata.fifo_level = 16; ++ /* ++ * Ideally the FIFO trigger level should be set based on the input and ++ * output data rates, but the calculations required are buried in ++ * Toshiba's register settings spreadsheet. ++ * A value of 16 works with a 594Mbps data rate for 720p60 (using 2 ++ * lanes) and 1080p60 (using 4 lanes), but fails when the data rate ++ * is increased, or a lower pixel clock is used that result in CSI ++ * reading out faster than the data is arriving. ++ * ++ * A value of 374 works with both those modes at 594Mbps, and with most ++ * modes on 972Mbps. ++ */ ++ state->pdata.fifo_level = 374; + /* + * The PLL input clock is obtained by dividing refclk by pll_prd. + * It must be between 6 MHz and 40 MHz, lower frequency is better. +-- +2.39.5 + diff --git a/queue-5.10/media-tc358743-return-an-appropriate-colorspace-from.patch b/queue-5.10/media-tc358743-return-an-appropriate-colorspace-from.patch new file mode 100644 index 0000000000..c2e52b0786 --- /dev/null +++ b/queue-5.10/media-tc358743-return-an-appropriate-colorspace-from.patch @@ -0,0 +1,113 @@ +From 4580f32fda14efa374096da6dc61daa9a8b3edb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:16 +0100 +Subject: media: tc358743: Return an appropriate colorspace from + tc358743_set_fmt + +From: Dave Stevenson + +[ Upstream commit 377cc006a364dfdab2f3f221cfad63a9265200b8 ] + +When calling tc358743_set_fmt, the code was calling tc358743_get_fmt +to choose a valid format. However that sets the colorspace +based on information read back from the chip, not the colour +format requested. + +The result was that if you called try or set format for UYVY +when the current format was RGB3 then you would get told SRGB, +and try RGB3 when current was UYVY and you would get told +SMPTE170M. + +The value programmed in the VI_REP register for the colorspace +is always set by this driver, therefore there is no need to read +back the value, and never set to REC709. +Return the colorspace based on the format set/tried instead. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 44 ++++++++++++++---------------------- + 1 file changed, 17 insertions(+), 27 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index ab180ae4837a..3649c02d611e 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1686,12 +1686,23 @@ static int tc358743_enum_mbus_code(struct v4l2_subdev *sd, + return 0; + } + ++static u32 tc358743_g_colorspace(u32 code) ++{ ++ switch (code) { ++ case MEDIA_BUS_FMT_RGB888_1X24: ++ return V4L2_COLORSPACE_SRGB; ++ case MEDIA_BUS_FMT_UYVY8_1X16: ++ return V4L2_COLORSPACE_SMPTE170M; ++ default: ++ return 0; ++ } ++} ++ + static int tc358743_get_fmt(struct v4l2_subdev *sd, + struct v4l2_subdev_pad_config *cfg, + struct v4l2_subdev_format *format) + { + struct tc358743_state *state = to_state(sd); +- u8 vi_rep = i2c_rd8(sd, VI_REP); + + if (format->pad != 0) + return -EINVAL; +@@ -1701,23 +1712,7 @@ static int tc358743_get_fmt(struct v4l2_subdev *sd, + format->format.height = state->timings.bt.height; + format->format.field = V4L2_FIELD_NONE; + +- switch (vi_rep & MASK_VOUT_COLOR_SEL) { +- case MASK_VOUT_COLOR_RGB_FULL: +- case MASK_VOUT_COLOR_RGB_LIMITED: +- format->format.colorspace = V4L2_COLORSPACE_SRGB; +- break; +- case MASK_VOUT_COLOR_601_YCBCR_LIMITED: +- case MASK_VOUT_COLOR_601_YCBCR_FULL: +- format->format.colorspace = V4L2_COLORSPACE_SMPTE170M; +- break; +- case MASK_VOUT_COLOR_709_YCBCR_FULL: +- case MASK_VOUT_COLOR_709_YCBCR_LIMITED: +- format->format.colorspace = V4L2_COLORSPACE_REC709; +- break; +- default: +- format->format.colorspace = 0; +- break; +- } ++ format->format.colorspace = tc358743_g_colorspace(format->format.code); + + return 0; + } +@@ -1731,19 +1726,14 @@ static int tc358743_set_fmt(struct v4l2_subdev *sd, + u32 code = format->format.code; /* is overwritten by get_fmt */ + int ret = tc358743_get_fmt(sd, cfg, format); + +- format->format.code = code; ++ if (code == MEDIA_BUS_FMT_RGB888_1X24 || ++ code == MEDIA_BUS_FMT_UYVY8_1X16) ++ format->format.code = code; ++ format->format.colorspace = tc358743_g_colorspace(format->format.code); + + if (ret) + return ret; + +- switch (code) { +- case MEDIA_BUS_FMT_RGB888_1X24: +- case MEDIA_BUS_FMT_UYVY8_1X16: +- break; +- default: +- return -EINVAL; +- } +- + if (format->which == V4L2_SUBDEV_FORMAT_TRY) + return 0; + +-- +2.39.5 + diff --git a/queue-5.10/media-usb-hdpvr-disable-zero-length-read-messages.patch b/queue-5.10/media-usb-hdpvr-disable-zero-length-read-messages.patch new file mode 100644 index 0000000000..cf7381b07b --- /dev/null +++ b/queue-5.10/media-usb-hdpvr-disable-zero-length-read-messages.patch @@ -0,0 +1,46 @@ +From bfa83278afda1cb2b7ca43deff9955ffae81555d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 10:09:54 +0200 +Subject: media: usb: hdpvr: disable zero-length read messages + +From: Wolfram Sang + +[ Upstream commit b5ae5a79825ba8037b0be3ef677a24de8c063abf ] + +This driver passes the length of an i2c_msg directly to +usb_control_msg(). If the message is now a read and of length 0, it +violates the USB protocol and a warning will be printed. Enable the +I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length +read messages altogether. + +Signed-off-by: Wolfram Sang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/usb/hdpvr/hdpvr-i2c.c b/drivers/media/usb/hdpvr/hdpvr-i2c.c +index 070559b01b01..54956a8ff15e 100644 +--- a/drivers/media/usb/hdpvr/hdpvr-i2c.c ++++ b/drivers/media/usb/hdpvr/hdpvr-i2c.c +@@ -165,10 +165,16 @@ static const struct i2c_algorithm hdpvr_algo = { + .functionality = hdpvr_functionality, + }; + ++/* prevent invalid 0-length usb_control_msg */ ++static const struct i2c_adapter_quirks hdpvr_quirks = { ++ .flags = I2C_AQ_NO_ZERO_LEN_READ, ++}; ++ + static const struct i2c_adapter hdpvr_i2c_adapter_template = { + .name = "Hauppauge HD PVR I2C", + .owner = THIS_MODULE, + .algo = &hdpvr_algo, ++ .quirks = &hdpvr_quirks, + }; + + static int hdpvr_activate_ir(struct hdpvr_device *dev) +-- +2.39.5 + diff --git a/queue-5.10/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch b/queue-5.10/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch new file mode 100644 index 0000000000..43c2b67468 --- /dev/null +++ b/queue-5.10/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch @@ -0,0 +1,52 @@ +From 2148cf0ce18b56b11ccc0ca6e52df8d5ef411a3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 14:18:03 +0800 +Subject: media: uvcvideo: Fix bandwidth issue for Alcor camera + +From: chenchangcheng + +[ Upstream commit 9764401bf6f8a20eb11c2e78470f20fee91a9ea7 ] + +Some broken device return wrong dwMaxPayloadTransferSize fields as +follows: + +[ 218.632537] uvcvideo: Device requested 2752512 B/frame bandwidth. +[ 218.632598] uvcvideo: No fast enough alt setting for requested bandwidth. + +When dwMaxPayloadTransferSize is greater than maxpsize, it will prevent +the camera from starting. So use the bandwidth of maxpsize. + +Signed-off-by: chenchangcheng +Reviewed-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20250510061803.811433-1-ccc194101@163.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_video.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index f6e97ff7a8e4..7385c6023f89 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -228,6 +228,15 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream, + + ctrl->dwMaxPayloadTransferSize = bandwidth; + } ++ ++ if (stream->intf->num_altsetting > 1 && ++ ctrl->dwMaxPayloadTransferSize > stream->maxpsize) { ++ dev_warn_ratelimited(&stream->intf->dev, ++ "UVC non compliance: the max payload transmission size (%u) exceeds the size of the ep max packet (%u). Using the max size.\n", ++ ctrl->dwMaxPayloadTransferSize, ++ stream->maxpsize); ++ ctrl->dwMaxPayloadTransferSize = stream->maxpsize; ++ } + } + + static size_t uvc_video_ctrl_size(struct uvc_streaming *stream) +-- +2.39.5 + diff --git a/queue-5.10/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch b/queue-5.10/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch new file mode 100644 index 0000000000..50be1494c9 --- /dev/null +++ b/queue-5.10/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch @@ -0,0 +1,79 @@ +From 95f024594b79d62eb9051efb9457fff84db671f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 13:28:26 +0200 +Subject: MIPS: Don't crash in stack_top() for tasks without ABI or vDSO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit e9f4a6b3421e936c3ee9d74710243897d74dbaa2 ] + +Not all tasks have an ABI associated or vDSO mapped, +for example kthreads never do. +If such a task ever ends up calling stack_top(), it will derefence the +NULL ABI pointer and crash. + +This can for example happen when using kunit: + + mips_stack_top+0x28/0xc0 + arch_pick_mmap_layout+0x190/0x220 + kunit_vm_mmap_init+0xf8/0x138 + __kunit_add_resource+0x40/0xa8 + kunit_vm_mmap+0x88/0xd8 + usercopy_test_init+0xb8/0x240 + kunit_try_run_case+0x5c/0x1a8 + kunit_generic_run_threadfn_adapter+0x28/0x50 + kthread+0x118/0x240 + ret_from_kernel_thread+0x14/0x1c + +Only dereference the ABI point if it is set. + +The GIC page is also included as it is specific to the vDSO. +Also move the randomization adjustment into the same conditional. + +Signed-off-by: Thomas Weißschuh +Reviewed-by: David Gow +Reviewed-by: Huacai Chen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/process.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 98ecaf6f3edb..0a5710a4d696 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -675,18 +675,20 @@ unsigned long mips_stack_top(void) + } + + /* Space for the VDSO, data page & GIC user page */ +- top -= PAGE_ALIGN(current->thread.abi->vdso->size); +- top -= PAGE_SIZE; +- top -= mips_gic_present() ? PAGE_SIZE : 0; ++ if (current->thread.abi) { ++ top -= PAGE_ALIGN(current->thread.abi->vdso->size); ++ top -= PAGE_SIZE; ++ top -= mips_gic_present() ? PAGE_SIZE : 0; ++ ++ /* Space to randomize the VDSO base */ ++ if (current->flags & PF_RANDOMIZE) ++ top -= VDSO_RANDOMIZE_SIZE; ++ } + + /* Space for cache colour alignment */ + if (cpu_has_dc_aliases) + top -= shm_align_mask + 1; + +- /* Space to randomize the VDSO base */ +- if (current->flags & PF_RANDOMIZE) +- top -= VDSO_RANDOMIZE_SIZE; +- + return top; + } + +-- +2.39.5 + diff --git a/queue-5.10/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch b/queue-5.10/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch new file mode 100644 index 0000000000..562f0bfc53 --- /dev/null +++ b/queue-5.10/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch @@ -0,0 +1,53 @@ +From d97b62375d4604294245e75c8eb68131afd6e6c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 21:06:32 +0800 +Subject: MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} + +From: Shiji Yang + +[ Upstream commit 844615dd0f2d95c018ec66b943e08af22b62aff3 ] + +These functions are exported but their prototypes are not defined. +This patch adds the missing function prototypes to fix the following +compilation warnings: + +arch/mips/kernel/vpe-mt.c:180:7: error: no previous prototype for 'vpe_alloc' [-Werror=missing-prototypes] + 180 | void *vpe_alloc(void) + | ^~~~~~~~~ +arch/mips/kernel/vpe-mt.c:198:5: error: no previous prototype for 'vpe_start' [-Werror=missing-prototypes] + 198 | int vpe_start(void *vpe, unsigned long start) + | ^~~~~~~~~ +arch/mips/kernel/vpe-mt.c:208:5: error: no previous prototype for 'vpe_stop' [-Werror=missing-prototypes] + 208 | int vpe_stop(void *vpe) + | ^~~~~~~~ +arch/mips/kernel/vpe-mt.c:229:5: error: no previous prototype for 'vpe_free' [-Werror=missing-prototypes] + 229 | int vpe_free(void *vpe) + | ^~~~~~~~ + +Signed-off-by: Shiji Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/vpe.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h +index 012731546cf6..3de6b0ff1627 100644 +--- a/arch/mips/include/asm/vpe.h ++++ b/arch/mips/include/asm/vpe.h +@@ -126,4 +126,12 @@ void cleanup_tc(struct tc *tc); + + int __init vpe_module_init(void); + void __exit vpe_module_exit(void); ++ ++#ifdef CONFIG_MIPS_VPE_LOADER_MT ++void *vpe_alloc(void); ++int vpe_start(void *vpe, unsigned long start); ++int vpe_stop(void *vpe); ++int vpe_free(void *vpe); ++#endif /* CONFIG_MIPS_VPE_LOADER_MT */ ++ + #endif /* _ASM_VPE_H */ +-- +2.39.5 + diff --git a/queue-5.10/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch b/queue-5.10/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch new file mode 100644 index 0000000000..88eaeb6103 --- /dev/null +++ b/queue-5.10/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch @@ -0,0 +1,40 @@ +From 57519c86fc0aa85986cd7d97a55386172a2771b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 13:16:23 +0200 +Subject: mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() + +From: Ulf Hansson + +[ Upstream commit 47a255f7d2eabee06cfbf5b1c2379749442fd01d ] + +In the error path of sd_set_power_mode() we don't update host->power_mode, +which could lead to an imbalance of the runtime PM usage count. Fix this by +always updating host->power_mode. + +Reviewed-by: Avri Altman +Signed-off-by: Ulf Hansson +Acked-by: Ricky Wu +Link: https://lore.kernel.org/r/20250610111633.504366-2-ulf.hansson@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c +index 1be3a355f10d..ab7023d956eb 100644 +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1032,9 +1032,7 @@ static int sd_set_power_mode(struct rtsx_usb_sdmmc *host, + err = sd_power_on(host); + } + +- if (!err) +- host->power_mode = power_mode; +- ++ host->power_mode = power_mode; + return err; + } + +-- +2.39.5 + diff --git a/queue-5.10/mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch b/queue-5.10/mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch new file mode 100644 index 0000000000..646cfb83a1 --- /dev/null +++ b/queue-5.10/mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch @@ -0,0 +1,71 @@ +From 8cb0f448968ab8ec102f1c12064cff025565d487 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 15:36:59 +0530 +Subject: mmc: sdhci-msm: Ensure SD card power isn't ON when card removed + +From: Sarthak Garg + +[ Upstream commit db58532188ebf51d52b1d7693d9e94c76b926e9f ] + +Many mobile phones feature multi-card tray designs, where the same +tray is used for both SD and SIM cards. If the SD card is placed +at the outermost location in the tray, the SIM card may come in +contact with SD card power-supply while removing the tray, possibly +resulting in SIM damage. + +To prevent that, make sure the SD card is really inserted by reading +the Card Detect pin state. If it's not, turn off the power in +sdhci_msm_check_power_status() and also set the BUS_FAIL power state +on the controller as part of pwr_irq handling for BUS_ON request. + +Signed-off-by: Sarthak Garg +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20250701100659.3310386-1-quic_sartgarg@quicinc.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-msm.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c +index c9298a986ef0..183617d56b44 100644 +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -1544,6 +1544,7 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); ++ struct mmc_host *mmc = host->mmc; + bool done = false; + u32 val = SWITCHABLE_SIGNALING_VOLTAGE; + const struct sdhci_msm_offset *msm_offset = +@@ -1601,6 +1602,12 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type) + "%s: pwr_irq for req: (%d) timed out\n", + mmc_hostname(host->mmc), req_type); + } ++ ++ if ((req_type & REQ_BUS_ON) && mmc->card && !mmc->ops->get_cd(mmc)) { ++ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL); ++ host->pwr = 0; ++ } ++ + pr_debug("%s: %s: request %d done\n", mmc_hostname(host->mmc), + __func__, req_type); + } +@@ -1659,6 +1666,13 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq) + udelay(10); + } + ++ if ((irq_status & CORE_PWRCTL_BUS_ON) && mmc->card && ++ !mmc->ops->get_cd(mmc)) { ++ msm_host_writel(msm_host, CORE_PWRCTL_BUS_FAIL, host, ++ msm_offset->core_pwrctl_ctl); ++ return; ++ } ++ + /* Handle BUS ON/OFF*/ + if (irq_status & CORE_PWRCTL_BUS_ON) { + pwr_state = REQ_BUS_ON; +-- +2.39.5 + diff --git a/queue-5.10/net-ag71xx-add-missing-check-after-dma-map.patch b/queue-5.10/net-ag71xx-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..bd6b093fdf --- /dev/null +++ b/queue-5.10/net-ag71xx-add-missing-check-after-dma-map.patch @@ -0,0 +1,50 @@ +From fe51b91f81b106461e6ead92df738c3975151b1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:57:25 +0200 +Subject: net: ag71xx: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit 96a1e15e60216b52da0e6da5336b6d7f5b0188b0 ] + +The DMA map functions can fail and should be tested for errors. + +Signed-off-by: Thomas Fourier +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250716095733.37452-3-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/ag71xx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c +index fe3ca3af431a..67409a53d510 100644 +--- a/drivers/net/ethernet/atheros/ag71xx.c ++++ b/drivers/net/ethernet/atheros/ag71xx.c +@@ -1275,6 +1275,11 @@ static bool ag71xx_fill_rx_buf(struct ag71xx *ag, struct ag71xx_buf *buf, + buf->rx.rx_buf = data; + buf->rx.dma_addr = dma_map_single(&ag->pdev->dev, data, ag->rx_buf_size, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(&ag->pdev->dev, buf->rx.dma_addr)) { ++ skb_free_frag(data); ++ buf->rx.rx_buf = NULL; ++ return false; ++ } + desc->data = (u32)buf->rx.dma_addr + offset; + return true; + } +@@ -1573,6 +1578,10 @@ static netdev_tx_t ag71xx_hard_start_xmit(struct sk_buff *skb, + + dma_addr = dma_map_single(&ag->pdev->dev, skb->data, skb->len, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&ag->pdev->dev, dma_addr)) { ++ netif_dbg(ag, tx_err, ndev, "DMA mapping error\n"); ++ goto err_drop; ++ } + + i = ring->curr & ring_mask; + desc = ag71xx_ring_desc(ring, i); +-- +2.39.5 + diff --git a/queue-5.10/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch b/queue-5.10/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch new file mode 100644 index 0000000000..532b03efb1 --- /dev/null +++ b/queue-5.10/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch @@ -0,0 +1,42 @@ +From 96eefeba3dfe767e53d4f89ba5e61e41a8abe1fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:59 +0200 +Subject: net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit c00df1018791185ea398f78af415a2a0aaa0c79c ] + +CPU port should be B53_CPU_PORT instead of B53_CPU_PORT_25 for +B53_PVLAN_PORT_MASK register. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-14-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 39a56cedbc1f..971c134cd71a 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -504,6 +504,10 @@ void b53_imp_vlan_setup(struct dsa_switch *ds, int cpu_port) + unsigned int i; + u16 pvlan; + ++ /* BCM5325 CPU port is at 8 */ ++ if ((is5325(dev) || is5365(dev)) && cpu_port == B53_CPU_PORT_25) ++ cpu_port = B53_CPU_PORT; ++ + /* Enable the IMP port to be in the same VLAN as the other ports + * on a per-port basis such that we only have Port i and IMP in + * the same VLAN. +-- +2.39.5 + diff --git a/queue-5.10/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch b/queue-5.10/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch new file mode 100644 index 0000000000..edd2c88aa4 --- /dev/null +++ b/queue-5.10/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch @@ -0,0 +1,69 @@ +From 9fd73bb59f53f7273e0719fec52704b4f44afc55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:54 +0200 +Subject: net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 044d5ce2788b165798bfd173548e61bf7b6baf4d ] + +BCM5325 doesn't implement B53_UC_FWD_EN, B53_MC_FWD_EN or B53_IPMC_FWD_EN. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-9-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 18 +++++++++++------- + drivers/net/dsa/b53/b53_regs.h | 1 + + 2 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index cb341a4d7540..361f9be65386 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -344,14 +344,18 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); + mgmt |= B53_MII_DUMB_FWDG_EN; + b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); +- } + +- /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether +- * frames should be flooded or not. +- */ +- b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; +- b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether ++ * frames should be flooded or not. ++ */ ++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ } else { ++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); ++ mgmt |= B53_IP_MCAST_25; ++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ } + } + + static void b53_enable_vlan(struct b53_device *dev, bool enable, +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index e5776545a8a0..77fb7ae660b8 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -104,6 +104,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 ++#define B53_IP_MCAST_25 BIT(0) + #define B53_IPMC_FWD_EN BIT(1) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) +-- +2.39.5 + diff --git a/queue-5.10/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch b/queue-5.10/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch new file mode 100644 index 0000000000..50a4d0a751 --- /dev/null +++ b/queue-5.10/net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch @@ -0,0 +1,88 @@ +From 54ee6297261186f948601df1b790d31554cd63a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:57 +0200 +Subject: net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 37883bbc45a8555d6eca88d3a9730504d2dac86c ] + +BCM5325 doesn't implement GMII_PORT_OVERRIDE_CTRL register so we should +avoid reading or writing it. +PORT_OVERRIDE_RX_FLOW and PORT_OVERRIDE_TX_FLOW aren't defined on BCM5325 +and we should use PORT_OVERRIDE_LP_FLOW_25 instead. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-12-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 21 +++++++++++++++++---- + drivers/net/dsa/b53/b53_regs.h | 1 + + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 971c134cd71a..5840001ea3e7 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -1106,6 +1106,8 @@ static void b53_force_link(struct b53_device *dev, int port, int link) + if (port == dev->imp_port) { + off = B53_PORT_OVERRIDE_CTRL; + val = PORT_OVERRIDE_EN; ++ } else if (is5325(dev)) { ++ return; + } else { + off = B53_GMII_PORT_OVERRIDE_CTRL(port); + val = GMII_PO_EN; +@@ -1130,6 +1132,8 @@ static void b53_force_port_config(struct b53_device *dev, int port, + if (port == dev->imp_port) { + off = B53_PORT_OVERRIDE_CTRL; + val = PORT_OVERRIDE_EN; ++ } else if (is5325(dev)) { ++ return; + } else { + off = B53_GMII_PORT_OVERRIDE_CTRL(port); + val = GMII_PO_EN; +@@ -1160,10 +1164,19 @@ static void b53_force_port_config(struct b53_device *dev, int port, + return; + } + +- if (rx_pause) +- reg |= PORT_OVERRIDE_RX_FLOW; +- if (tx_pause) +- reg |= PORT_OVERRIDE_TX_FLOW; ++ if (rx_pause) { ++ if (is5325(dev)) ++ reg |= PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg |= PORT_OVERRIDE_RX_FLOW; ++ } ++ ++ if (tx_pause) { ++ if (is5325(dev)) ++ reg |= PORT_OVERRIDE_LP_FLOW_25; ++ else ++ reg |= PORT_OVERRIDE_TX_FLOW; ++ } + + b53_write8(dev, B53_CTRL_PAGE, off, reg); + } +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index b2c539a42154..e5776545a8a0 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -92,6 +92,7 @@ + #define PORT_OVERRIDE_SPEED_10M (0 << PORT_OVERRIDE_SPEED_S) + #define PORT_OVERRIDE_SPEED_100M (1 << PORT_OVERRIDE_SPEED_S) + #define PORT_OVERRIDE_SPEED_1000M (2 << PORT_OVERRIDE_SPEED_S) ++#define PORT_OVERRIDE_LP_FLOW_25 BIT(3) /* BCM5325 only */ + #define PORT_OVERRIDE_RV_MII_25 BIT(4) /* BCM5325 only */ + #define PORT_OVERRIDE_RX_FLOW BIT(4) + #define PORT_OVERRIDE_TX_FLOW BIT(5) +-- +2.39.5 + diff --git a/queue-5.10/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch b/queue-5.10/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch new file mode 100644 index 0000000000..6db2520b0e --- /dev/null +++ b/queue-5.10/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch @@ -0,0 +1,49 @@ +From 041f81febed281b36d503db15a907100d14d504f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:53 +0200 +Subject: net: dsa: b53: prevent SWITCH_CTRL access on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 22ccaaca43440e90a3b68d2183045b42247dc4be ] + +BCM5325 doesn't implement SWITCH_CTRL register so we should avoid reading +or writing it. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-8-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 5840001ea3e7..cb341a4d7540 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -339,11 +339,12 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + + b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_MODE, mgmt); + +- /* Include IMP port in dumb forwarding mode +- */ +- b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); +- mgmt |= B53_MII_DUMB_FWDG_EN; +- b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); ++ if (!is5325(dev)) { ++ /* Include IMP port in dumb forwarding mode */ ++ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); ++ mgmt |= B53_MII_DUMB_FWDG_EN; ++ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); ++ } + + /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether + * frames should be flooded or not. +-- +2.39.5 + diff --git a/queue-5.10/net-fec-allow-disable-coalescing.patch b/queue-5.10/net-fec-allow-disable-coalescing.patch new file mode 100644 index 0000000000..656efcf8aa --- /dev/null +++ b/queue-5.10/net-fec-allow-disable-coalescing.patch @@ -0,0 +1,80 @@ +From ca68e5164bbc1aaa10f8a5f54d7a2979da5d70f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 15:44:02 +0200 +Subject: net: fec: allow disable coalescing + +From: Jonas Rebmann + +[ Upstream commit b7ad21258f9e9a7f58b19595d5ceed2cde3bed68 ] + +In the current implementation, IP coalescing is always enabled and +cannot be disabled. + +As setting maximum frames to 0 or 1, or setting delay to zero implies +immediate delivery of single packets/IRQs, disable coalescing in +hardware in these cases. + +This also guarantees that coalescing is never enabled with ICFT or ICTT +set to zero, a configuration that could lead to unpredictable behaviour +according to i.MX8MP reference manual. + +Signed-off-by: Jonas Rebmann +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20250626-fec_deactivate_coalescing-v2-1-0b217f2e80da@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 34 +++++++++++------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index 805434ba3035..adf70a1650f4 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -2630,27 +2630,25 @@ static int fec_enet_us_to_itr_clock(struct net_device *ndev, int us) + static void fec_enet_itr_coal_set(struct net_device *ndev) + { + struct fec_enet_private *fep = netdev_priv(ndev); +- int rx_itr, tx_itr; ++ u32 rx_itr = 0, tx_itr = 0; ++ int rx_ictt, tx_ictt; + +- /* Must be greater than zero to avoid unpredictable behavior */ +- if (!fep->rx_time_itr || !fep->rx_pkts_itr || +- !fep->tx_time_itr || !fep->tx_pkts_itr) +- return; +- +- /* Select enet system clock as Interrupt Coalescing +- * timer Clock Source +- */ +- rx_itr = FEC_ITR_CLK_SEL; +- tx_itr = FEC_ITR_CLK_SEL; ++ rx_ictt = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr); ++ tx_ictt = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr); + +- /* set ICFT and ICTT */ +- rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr); +- rx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr)); +- tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr); +- tx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr)); ++ if (rx_ictt > 0 && fep->rx_pkts_itr > 1) { ++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */ ++ rx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL; ++ rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr); ++ rx_itr |= FEC_ITR_ICTT(rx_ictt); ++ } + +- rx_itr |= FEC_ITR_EN; +- tx_itr |= FEC_ITR_EN; ++ if (tx_ictt > 0 && fep->tx_pkts_itr > 1) { ++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */ ++ tx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL; ++ tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr); ++ tx_itr |= FEC_ITR_ICTT(tx_ictt); ++ } + + writel(tx_itr, fep->hwp + FEC_TXIC0); + writel(rx_itr, fep->hwp + FEC_RXIC0); +-- +2.39.5 + diff --git a/queue-5.10/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch b/queue-5.10/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch new file mode 100644 index 0000000000..b559ab3b91 --- /dev/null +++ b/queue-5.10/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch @@ -0,0 +1,51 @@ +From 20392d4c2f6b02cb6aa69f847560fa4f4b24cd2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:27:13 +0200 +Subject: net: ipv4: fix incorrect MTU in broadcast routes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oscar Maes + +[ Upstream commit 9e30ecf23b1b8f091f7d08b27968dea83aae7908 ] + +Currently, __mkroute_output overrules the MTU value configured for +broadcast routes. + +This buggy behaviour can be reproduced with: + +ip link set dev eth1 mtu 9000 +ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 +ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500 + +The maximum packet size should be 1500, but it is actually 8000: + +ping -b 192.168.0.255 -s 8000 + +Fix __mkroute_output to allow MTU values to be configured for +for broadcast routes (to support a mixed-MTU local-area-network). + +Signed-off-by: Oscar Maes +Link: https://patch.msgid.link/20250710142714.12986-1-oscmaes92@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 815b6b0089c2..7c4479adbf32 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2465,7 +2465,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res, + do_cache = true; + if (type == RTN_BROADCAST) { + flags |= RTCF_BROADCAST | RTCF_LOCAL; +- fi = NULL; + } else if (type == RTN_MULTICAST) { + flags |= RTCF_MULTICAST | RTCF_LOCAL; + if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr, +-- +2.39.5 + diff --git a/queue-5.10/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch b/queue-5.10/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch new file mode 100644 index 0000000000..5629ae8179 --- /dev/null +++ b/queue-5.10/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch @@ -0,0 +1,52 @@ +From c226e82c10c751d05c21d8eb1b6549e2fd97edbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 12:33:38 -0700 +Subject: net: ncsi: Fix buffer overflow in fetching version id + +From: Hari Kalavakunta + +[ Upstream commit 8e16170ae972c7fed132bc928914a2ffb94690fc ] + +In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't +need to be null terminated while its size occupies the full size +of the field. Fix the buffer overflow issue by adding one +additional byte for null terminator. + +Signed-off-by: Hari Kalavakunta +Reviewed-by: Paul Fertser +Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 2 +- + net/ncsi/ncsi-rsp.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index c61d2e2e93ad..6ebf9e55c046 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -107,7 +107,7 @@ struct ncsi_channel_version { + u8 update; /* NCSI version update */ + char alpha1; /* NCSI version alpha1 */ + char alpha2; /* NCSI version alpha2 */ +- u8 fw_name[12]; /* Firmware name string */ ++ u8 fw_name[12 + 1]; /* Firmware name string */ + u32 fw_version; /* Firmware version */ + u16 pci_ids[4]; /* PCI identification */ + u32 mf_id; /* Manufacture ID */ +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index 88fb86cf7b20..c1d42bbfdc7e 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -782,6 +782,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr) + ncv->alpha1 = rsp->alpha1; + ncv->alpha2 = rsp->alpha2; + memcpy(ncv->fw_name, rsp->fw_name, 12); ++ ncv->fw_name[12] = '\0'; + ncv->fw_version = ntohl(rsp->fw_version); + for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++) + ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]); +-- +2.39.5 + diff --git a/queue-5.10/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch b/queue-5.10/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch new file mode 100644 index 0000000000..20c5e88c19 --- /dev/null +++ b/queue-5.10/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch @@ -0,0 +1,41 @@ +From 8c09a7d422fea24999854742a543e4658f7e46da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 17:29:16 +0200 +Subject: net: phy: smsc: add proper reset flags for LAN8710A +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Buday Csaba + +[ Upstream commit 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d ] + +According to the LAN8710A datasheet (Rev. B, section 3.8.5.1), a hardware +reset is required after power-on, and the reference clock (REF_CLK) must be +established before asserting reset. + +Signed-off-by: Buday Csaba +Cc: Csókás Bence +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250728152916.46249-2-csokas.bence@prolan.hu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index d860a2626b13..c799c6505767 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -427,6 +427,7 @@ static struct phy_driver smsc_phy_driver[] = { + + /* PHY_BASIC_FEATURES */ + ++ .flags = PHY_RST_AFTER_CLK_EN, + .probe = smsc_phy_probe, + .remove = smsc_phy_remove, + +-- +2.39.5 + diff --git a/queue-5.10/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch b/queue-5.10/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch new file mode 100644 index 0000000000..642b527408 --- /dev/null +++ b/queue-5.10/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch @@ -0,0 +1,66 @@ +From 3fbd6a8478e41ba3aabe08a242098fa9e0884b91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 07:05:30 -0700 +Subject: net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alok Tiwari + +[ Upstream commit 53d20606c40678d425cc03f0978c614dca51f25e ] + +The buffer bgx_sel used in snprintf() was too small to safely hold +the formatted string "BGX%d" for all valid bgx_id values. This caused +a -Wformat-truncation warning with `Werror` enabled during build. + +Increase the buffer size from 5 to 7 and use `sizeof(bgx_sel)` in +snprintf() to ensure safety and suppress the warning. + +Build warning: + CC drivers/net/ethernet/cavium/thunder/thunder_bgx.o + drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function +‘bgx_acpi_match_id’: + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:27: error: ‘%d’ +directive output may be truncated writing between 1 and 3 bytes into a +region of size 2 [-Werror=format-truncation=] + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + ^~ + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:23: note: +directive argument in the range [0, 255] + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + ^~~~~~~ + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:2: note: +‘snprintf’ output between 5 and 7 bytes into a destination of size 5 + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + +compiler warning due to insufficient snprintf buffer size. + +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250711140532.2463602-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index f0e48b9373d6..0a71909bb2ee 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1430,9 +1430,9 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl, + { + struct acpi_buffer string = { ACPI_ALLOCATE_BUFFER, NULL }; + struct bgx *bgx = context; +- char bgx_sel[5]; ++ char bgx_sel[7]; + +- snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); ++ snprintf(bgx_sel, sizeof(bgx_sel), "BGX%d", bgx->bgx_id); + if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &string))) { + pr_warn("Invalid link device\n"); + return AE_OK; +-- +2.39.5 + diff --git a/queue-5.10/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch b/queue-5.10/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch new file mode 100644 index 0000000000..76dbca27e5 --- /dev/null +++ b/queue-5.10/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch @@ -0,0 +1,56 @@ +From e0d3898d4ce216bdf22dea1406741da880f4c9a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 16:26:25 +0300 +Subject: net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs + +From: Gal Pressman + +[ Upstream commit 60a8b1a5d0824afda869f18dc0ecfe72f8dfda42 ] + +When CONFIG_VLAN_8021Q=n, a set of stub helpers are used, three of these +helpers use BUG() unconditionally. + +This code should not be reached, as callers of these functions should +always check for is_vlan_dev() first, but the usage of BUG() is not +recommended, replace it with WARN_ON() instead. + +Reviewed-by: Alex Lazar +Reviewed-by: Dragos Tatulea +Signed-off-by: Gal Pressman +Link: https://patch.msgid.link/20250616132626.1749331-3-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/if_vlan.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 64cfe7cd292c..3728e3978f83 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -248,19 +248,19 @@ vlan_for_each(struct net_device *dev, + + static inline struct net_device *vlan_dev_real_dev(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return NULL; + } + + static inline u16 vlan_dev_vlan_id(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return 0; + } + + static inline __be16 vlan_dev_vlan_proto(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return 0; + } + +-- +2.39.5 + diff --git a/queue-5.10/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch b/queue-5.10/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch new file mode 100644 index 0000000000..2100e43420 --- /dev/null +++ b/queue-5.10/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch @@ -0,0 +1,45 @@ +From 0001741819c8ddbeb380378b5e6c55af130ebb86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 17:52:38 +0000 +Subject: netmem: fix skb_frag_address_safe with unreadable skbs + +From: Mina Almasry + +[ Upstream commit 4672aec56d2e8edabcb74c3e2320301d106a377e ] + +skb_frag_address_safe() needs a check that the +skb_frag_page exists check similar to skb_frag_address(). + +Cc: ap420073@gmail.com + +Signed-off-by: Mina Almasry +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20250619175239.3039329-1-almasrymina@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index ca7f2a2c3e3f..4b5731245bf1 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3104,7 +3104,13 @@ static inline void *skb_frag_address(const skb_frag_t *frag) + */ + static inline void *skb_frag_address_safe(const skb_frag_t *frag) + { +- void *ptr = page_address(skb_frag_page(frag)); ++ struct page *page = skb_frag_page(frag); ++ void *ptr; ++ ++ if (!page) ++ return NULL; ++ ++ ptr = page_address(page); + if (unlikely(!ptr)) + return NULL; + +-- +2.39.5 + diff --git a/queue-5.10/pinctrl-stm32-manage-irq-affinity-settings.patch b/queue-5.10/pinctrl-stm32-manage-irq-affinity-settings.patch new file mode 100644 index 0000000000..1f1c960a9d --- /dev/null +++ b/queue-5.10/pinctrl-stm32-manage-irq-affinity-settings.patch @@ -0,0 +1,39 @@ +From 59dec007747b17dcb47dfca1c06471f49b7b5802 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 16:30:39 +0200 +Subject: pinctrl: stm32: Manage irq affinity settings + +From: Cheick Traore + +[ Upstream commit 4c5cc2f65386e22166ce006efe515c667aa075e4 ] + +Trying to set the affinity of the interrupts associated to stm32 +pinctrl results in a write error. + +Fill struct irq_chip::irq_set_affinity to use the default helper +function. + +Signed-off-by: Cheick Traore +Signed-off-by: Antonio Borneo +Link: https://lore.kernel.org/20250610143042.295376-3-antonio.borneo@foss.st.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/stm32/pinctrl-stm32.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c +index 2d852f15cc50..6b6fdb711659 100644 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -412,6 +412,7 @@ static struct irq_chip stm32_gpio_irq_chip = { + .irq_set_wake = irq_chip_set_wake_parent, + .irq_request_resources = stm32_gpio_irq_request_resources, + .irq_release_resources = stm32_gpio_irq_release_resources, ++ .irq_set_affinity = IS_ENABLED(CONFIG_SMP) ? irq_chip_set_affinity_parent : NULL, + }; + + static int stm32_gpio_domain_translate(struct irq_domain *d, +-- +2.39.5 + diff --git a/queue-5.10/platform-chrome-cros_ec_typec-defer-probe-on-missing.patch b/queue-5.10/platform-chrome-cros_ec_typec-defer-probe-on-missing.patch new file mode 100644 index 0000000000..2679f10dbf --- /dev/null +++ b/queue-5.10/platform-chrome-cros_ec_typec-defer-probe-on-missing.patch @@ -0,0 +1,44 @@ +From 8b785df0ea9a1276b19da419bf1f7365a79dad62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 17:37:47 +0200 +Subject: platform/chrome: cros_ec_typec: Defer probe on missing EC parent + +From: Tomasz Michalec + +[ Upstream commit 8866f4e557eba43e991f99711515217a95f62d2e ] + +If cros_typec_probe is called before EC device is registered, +cros_typec_probe will fail. It may happen when cros-ec-typec.ko is +loaded before EC bus layer module (e.g. cros_ec_lpcs.ko, +cros_ec_spi.ko). + +Return -EPROBE_DEFER when cros_typec_probe doesn't get EC device, so +the probe function can be called again after EC device is registered. + +Signed-off-by: Tomasz Michalec +Reviewed-by: Abhishek Pandit-Subedi +Link: https://lore.kernel.org/r/20250610153748.1858519-1-tmichalec@google.com +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_typec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c +index 983daa220ee3..137f99c1848e 100644 +--- a/drivers/platform/chrome/cros_ec_typec.c ++++ b/drivers/platform/chrome/cros_ec_typec.c +@@ -716,8 +716,8 @@ static int cros_typec_probe(struct platform_device *pdev) + + typec->ec = dev_get_drvdata(pdev->dev.parent); + if (!typec->ec) { +- dev_err(dev, "couldn't find parent EC device\n"); +- return -ENODEV; ++ dev_warn(dev, "couldn't find parent EC device\n"); ++ return -EPROBE_DEFER; + } + + platform_set_drvdata(pdev, typec); +-- +2.39.5 + diff --git a/queue-5.10/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch b/queue-5.10/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch new file mode 100644 index 0000000000..7808255dbd --- /dev/null +++ b/queue-5.10/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch @@ -0,0 +1,50 @@ +From 5a32ebe4d0ba4347a09e30d0353c82a3d97deddd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 11:18:37 -0700 +Subject: platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 6418a8504187dc7f5b6f9d0649c03e362cb0664b ] + +When KCOV is enabled all functions get instrumented, unless the +__no_sanitize_coverage attribute is used. To prepare for +__no_sanitize_coverage being applied to __init functions[1], we have +to handle differences in how GCC's inline optimizations get resolved. +For thinkpad_acpi routines, this means forcing two functions to be +inline with __always_inline. + +Link: https://lore.kernel.org/lkml/20250523043935.2009972-11-kees@kernel.org/ [1] +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20250529181831.work.439-kees@kernel.org +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 5a8434da60e7..d18b6ddba982 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -515,12 +515,12 @@ static unsigned long __init tpacpi_check_quirks( + return 0; + } + +-static inline bool __pure __init tpacpi_is_lenovo(void) ++static __always_inline bool __pure __init tpacpi_is_lenovo(void) + { + return thinkpad_id.vendor == PCI_VENDOR_ID_LENOVO; + } + +-static inline bool __pure __init tpacpi_is_ibm(void) ++static __always_inline bool __pure __init tpacpi_is_ibm(void) + { + return thinkpad_id.vendor == PCI_VENDOR_ID_IBM; + } +-- +2.39.5 + diff --git a/queue-5.10/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch b/queue-5.10/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch new file mode 100644 index 0000000000..8fbcba0e39 --- /dev/null +++ b/queue-5.10/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch @@ -0,0 +1,46 @@ +From f8b4906d06fa59b02b50d4921bf005bda46b4be5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 17:53:54 +0530 +Subject: pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in + mperf_stop() + +From: Gautham R. Shenoy + +[ Upstream commit cda7ac8ce7de84cf32a3871ba5f318aa3b79381e ] + +In the function mperf_start(), mperf_monitor snapshots the time, tsc +and finally the aperf,mperf MSRs. However, this order of snapshotting +in is reversed in mperf_stop(). As a result, the C0 residency (which +is computed as delta_mperf * 100 / delta_tsc) is under-reported on +CPUs that is 100% busy. + +Fix this by snapshotting time, tsc and then aperf,mperf in +mperf_stop() in the same order as in mperf_start(). + +Link: https://lore.kernel.org/r/20250612122355.19629-2-gautham.shenoy@amd.com +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index 08a399b0be28..6ab9139f16af 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -240,9 +240,9 @@ static int mperf_stop(void) + int cpu; + + for (cpu = 0; cpu < cpu_count; cpu++) { +- mperf_measure_stats(cpu); +- mperf_get_tsc(&tsc_at_measure_end[cpu]); + clock_gettime(CLOCK_REALTIME, &time_end[cpu]); ++ mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ mperf_measure_stats(cpu); + } + + return 0; +-- +2.39.5 + diff --git a/queue-5.10/pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch b/queue-5.10/pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch new file mode 100644 index 0000000000..519315d4ae --- /dev/null +++ b/queue-5.10/pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch @@ -0,0 +1,51 @@ +From f6258833902515d019bb8ef722b29431709201a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 11:00:17 +0800 +Subject: PM / devfreq: governor: Replace sscanf() with kstrtoul() in + set_freq_store() + +From: Lifeng Zheng + +[ Upstream commit 914cc799b28f17d369d5b4db3b941957d18157e8 ] + +Replace sscanf() with kstrtoul() in set_freq_store() and check the result +to avoid invalid input. + +Signed-off-by: Lifeng Zheng +Link: https://lore.kernel.org/lkml/20250421030020.3108405-2-zhenglifeng1@huawei.com/ +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/governor_userspace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c +index 8a9cf8220808..82c60dedcffd 100644 +--- a/drivers/devfreq/governor_userspace.c ++++ b/drivers/devfreq/governor_userspace.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -39,10 +40,13 @@ static ssize_t store_freq(struct device *dev, struct device_attribute *attr, + unsigned long wanted; + int err = 0; + ++ err = kstrtoul(buf, 0, &wanted); ++ if (err) ++ return err; ++ + mutex_lock(&devfreq->lock); + data = devfreq->governor_data; + +- sscanf(buf, "%lu", &wanted); + data->user_frequency = wanted; + data->valid = true; + err = update_devfreq(devfreq); +-- +2.39.5 + diff --git a/queue-5.10/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch b/queue-5.10/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch new file mode 100644 index 0000000000..838ee59dc3 --- /dev/null +++ b/queue-5.10/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch @@ -0,0 +1,41 @@ +From fb4a4bde516bb2ef2fee36332c3b612b8f893f28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 21:16:05 +0200 +Subject: PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() + +From: Rafael J. Wysocki + +[ Upstream commit 89d9cec3b1e9c49bae9375a2db6dc49bc7468af0 ] + +Clear power.needs_force_resume in pm_runtime_reinit() in case it has +been set by pm_runtime_force_suspend() invoked from a driver remove +callback. + +Suggested-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Ulf Hansson +Link: https://patch.msgid.link/9495163.CDJkKcVGEf@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 58d376b1cd68..7e912d2ed427 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1716,6 +1716,11 @@ void pm_runtime_reinit(struct device *dev) + pm_runtime_put(dev->parent); + } + } ++ /* ++ * Clear power.needs_force_resume in case it has been set by ++ * pm_runtime_force_suspend() invoked from a driver remove callback. ++ */ ++ dev->power.needs_force_resume = false; + } + + /** +-- +2.39.5 + diff --git a/queue-5.10/pm-sleep-console-fix-the-black-screen-issue.patch b/queue-5.10/pm-sleep-console-fix-the-black-screen-issue.patch new file mode 100644 index 0000000000..02a5a2ba97 --- /dev/null +++ b/queue-5.10/pm-sleep-console-fix-the-black-screen-issue.patch @@ -0,0 +1,77 @@ +From b549eb4b03481221bf082ffa8adc06f11de17c61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:23:45 +0800 +Subject: PM: sleep: console: Fix the black screen issue + +From: tuhaowen + +[ Upstream commit 4266e8fa56d3d982bf451d382a410b9db432015c ] + +When the computer enters sleep status without a monitor +connected, the system switches the console to the virtual +terminal tty63(SUSPEND_CONSOLE). + +If a monitor is subsequently connected before waking up, +the system skips the required VT restoration process +during wake-up, leaving the console on tty63 instead of +switching back to tty1. + +To fix this issue, a global flag vt_switch_done is introduced +to record whether the system has successfully switched to +the suspend console via vt_move_to_console() during suspend. + +If the switch was completed, vt_switch_done is set to 1. +Later during resume, this flag is checked to ensure that +the original console is restored properly by calling +vt_move_to_console(orig_fgconsole, 0). + +This prevents scenarios where the resume logic skips console +restoration due to incorrect detection of the console state, +especially when a monitor is reconnected before waking up. + +Signed-off-by: tuhaowen +Link: https://patch.msgid.link/20250611032345.29962-1-tuhaowen@uniontech.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/console.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/console.c b/kernel/power/console.c +index fcdf0e14a47d..19c48aa5355d 100644 +--- a/kernel/power/console.c ++++ b/kernel/power/console.c +@@ -16,6 +16,7 @@ + #define SUSPEND_CONSOLE (MAX_NR_CONSOLES-1) + + static int orig_fgconsole, orig_kmsg; ++static bool vt_switch_done; + + static DEFINE_MUTEX(vt_switch_mutex); + +@@ -136,17 +137,21 @@ void pm_prepare_console(void) + if (orig_fgconsole < 0) + return; + ++ vt_switch_done = true; ++ + orig_kmsg = vt_kmsg_redirect(SUSPEND_CONSOLE); + return; + } + + void pm_restore_console(void) + { +- if (!pm_vt_switch()) ++ if (!pm_vt_switch() && !vt_switch_done) + return; + + if (orig_fgconsole >= 0) { + vt_move_to_console(orig_fgconsole, 0); + vt_kmsg_redirect(orig_kmsg); + } ++ ++ vt_switch_done = false; + } +-- +2.39.5 + diff --git a/queue-5.10/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch b/queue-5.10/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch new file mode 100644 index 0000000000..38b3241d31 --- /dev/null +++ b/queue-5.10/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch @@ -0,0 +1,41 @@ +From 33aab1c9067f282364d7eb2e430e478eeaca7383 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 16:32:21 +0300 +Subject: pNFS: Fix disk addr range check in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 7db6e66663681abda54f81d5916db3a3b8b1a13d ] + +At the end of the isect translation, disc_addr represents the physical +disk offset. Thus, end calculated from disk_addr is also a physical disk +offset. Therefore, range checking should be done using map->disk_offset, +not map->start. + +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250702133226.212537-1-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/blocklayout.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c +index a9e563145e0c..a853711bcad2 100644 +--- a/fs/nfs/blocklayout/blocklayout.c ++++ b/fs/nfs/blocklayout/blocklayout.c +@@ -171,8 +171,8 @@ do_add_page_to_bio(struct bio *bio, int npg, int rw, sector_t isect, + + /* limit length to what the device mapping allows */ + end = disk_addr + *len; +- if (end >= map->start + map->len) +- *len = map->start + map->len - disk_addr; ++ if (end >= map->disk_offset + map->len) ++ *len = map->disk_offset + map->len - disk_addr; + + retry: + if (!bio) { +-- +2.39.5 + diff --git a/queue-5.10/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch b/queue-5.10/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch new file mode 100644 index 0000000000..b5600c23c3 --- /dev/null +++ b/queue-5.10/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch @@ -0,0 +1,57 @@ +From 05db9ac6e4788740b8b53e0972b35f79730da138 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 15:21:48 +0300 +Subject: pNFS: Fix stripe mapping in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 81438498a285759f31e843ac4800f82a5ce6521f ] + +Because of integer division, we need to carefully calculate the +disk offset. Consider the example below for a stripe of 6 volumes, +a chunk size of 4096, and an offset of 70000. + +chunk = div_u64(offset, dev->chunk_size) = 70000 / 4096 = 17 +offset = chunk * dev->chunk_size = 17 * 4096 = 69632 +disk_offset_wrong = div_u64(offset, dev->nr_children) = 69632 / 6 = 11605 +disk_chunk = div_u64(chunk, dev->nr_children) = 17 / 6 = 2 +disk_offset = disk_chunk * dev->chunk_size = 2 * 4096 = 8192 + +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250701122341.199112-1-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/dev.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c +index 16412d6636e8..4e176d7d704d 100644 +--- a/fs/nfs/blocklayout/dev.c ++++ b/fs/nfs/blocklayout/dev.c +@@ -199,10 +199,11 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset, + struct pnfs_block_dev *child; + u64 chunk; + u32 chunk_idx; ++ u64 disk_chunk; + u64 disk_offset; + + chunk = div_u64(offset, dev->chunk_size); +- div_u64_rem(chunk, dev->nr_children, &chunk_idx); ++ disk_chunk = div_u64_rem(chunk, dev->nr_children, &chunk_idx); + + if (chunk_idx >= dev->nr_children) { + dprintk("%s: invalid chunk idx %d (%lld/%lld)\n", +@@ -215,7 +216,7 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset, + offset = chunk * dev->chunk_size; + + /* disk offset of the stripe */ +- disk_offset = div_u64(offset, dev->nr_children); ++ disk_offset = disk_chunk * dev->chunk_size; + + child = &dev->children[chunk_idx]; + child->map(child, disk_offset, map); +-- +2.39.5 + diff --git a/queue-5.10/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch b/queue-5.10/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch new file mode 100644 index 0000000000..c89fce0953 --- /dev/null +++ b/queue-5.10/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch @@ -0,0 +1,99 @@ +From ea7dfe65892bf2be792c4bcc920b5b4542210fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 21:35:26 +0300 +Subject: pNFS: Fix uninited ptr deref in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 9768797c219326699778fba9cd3b607b2f1e7950 ] + +The error occurs on the third attempt to encode extents. When function +ext_tree_prepare_commit() reallocates a larger buffer to retry encoding +extents, the "layoutupdate_pages" page array is initialized only after the +retry loop. But ext_tree_free_commitdata() is called on every iteration +and tries to put pages in the array, thus dereferencing uninitialized +pointers. + +An additional problem is that there is no limit on the maximum possible +buffer_size. When there are too many extents, the client may create a +layoutcommit that is larger than the maximum possible RPC size accepted +by the server. + +During testing, we observed two typical scenarios. First, one memory page +for extents is enough when we work with small files, append data to the +end of the file, or preallocate extents before writing. But when we fill +a new large file without preallocating, the number of extents can be huge, +and counting the number of written extents in ext_tree_encode_commit() +does not help much. Since this number increases even more between +unlocking and locking of ext_tree, the reallocated buffer may not be +large enough again and again. + +Co-developed-by: Konstantin Evtushenko +Signed-off-by: Konstantin Evtushenko +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250630183537.196479-2-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/extent_tree.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/blocklayout/extent_tree.c b/fs/nfs/blocklayout/extent_tree.c +index 8f7cff7a4293..0add0f329816 100644 +--- a/fs/nfs/blocklayout/extent_tree.c ++++ b/fs/nfs/blocklayout/extent_tree.c +@@ -552,6 +552,15 @@ static int ext_tree_encode_commit(struct pnfs_block_layout *bl, __be32 *p, + return ret; + } + ++/** ++ * ext_tree_prepare_commit - encode extents that need to be committed ++ * @arg: layout commit data ++ * ++ * Return values: ++ * %0: Success, all required extents are encoded ++ * %-ENOSPC: Some extents are encoded, but not all, due to RPC size limit ++ * %-ENOMEM: Out of memory, extents not encoded ++ */ + int + ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + { +@@ -568,12 +577,12 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + start_p = page_address(arg->layoutupdate_page); + arg->layoutupdate_pages = &arg->layoutupdate_page; + +-retry: +- ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, &count, &arg->lastbytewritten); ++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, ++ &count, &arg->lastbytewritten); + if (unlikely(ret)) { + ext_tree_free_commitdata(arg, buffer_size); + +- buffer_size = ext_tree_layoutupdate_size(bl, count); ++ buffer_size = NFS_SERVER(arg->inode)->wsize; + count = 0; + + arg->layoutupdate_pages = +@@ -588,7 +597,8 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + return -ENOMEM; + } + +- goto retry; ++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, ++ &count, &arg->lastbytewritten); + } + + *start_p = cpu_to_be32(count); +@@ -608,7 +618,7 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + } + + dprintk("%s found %zu ranges\n", __func__, count); +- return 0; ++ return ret; + } + + void +-- +2.39.5 + diff --git a/queue-5.10/pnfs-handle-rpc-size-limit-for-layoutcommits.patch b/queue-5.10/pnfs-handle-rpc-size-limit-for-layoutcommits.patch new file mode 100644 index 0000000000..1703538452 --- /dev/null +++ b/queue-5.10/pnfs-handle-rpc-size-limit-for-layoutcommits.patch @@ -0,0 +1,67 @@ +From 0f9ecd227ef6b9595dfdc8d9b3fa02af7eedb639 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 21:35:29 +0300 +Subject: pNFS: Handle RPC size limit for layoutcommits + +From: Sergey Bashirov + +[ Upstream commit d897d81671bc4615c80f4f3bd5e6b218f59df50c ] + +When there are too many block extents for a layoutcommit, they may not +all fit into the maximum-sized RPC. This patch allows the generic pnfs +code to properly handle -ENOSPC returned by the block/scsi layout driver +and trigger additional layoutcommits if necessary. + +Co-developed-by: Konstantin Evtushenko +Signed-off-by: Konstantin Evtushenko +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250630183537.196479-5-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 758689877d85..e14cf7140bab 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -3219,6 +3219,7 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync) + struct nfs_inode *nfsi = NFS_I(inode); + loff_t end_pos; + int status; ++ bool mark_as_dirty = false; + + if (!pnfs_layoutcommit_outstanding(inode)) + return 0; +@@ -3270,19 +3271,23 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync) + if (ld->prepare_layoutcommit) { + status = ld->prepare_layoutcommit(&data->args); + if (status) { +- put_cred(data->cred); ++ if (status != -ENOSPC) ++ put_cred(data->cred); + spin_lock(&inode->i_lock); + set_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags); + if (end_pos > nfsi->layout->plh_lwb) + nfsi->layout->plh_lwb = end_pos; +- goto out_unlock; ++ if (status != -ENOSPC) ++ goto out_unlock; ++ spin_unlock(&inode->i_lock); ++ mark_as_dirty = true; + } + } + + + status = nfs4_proc_layoutcommit(data, sync); + out: +- if (status) ++ if (status || mark_as_dirty) + mark_inode_dirty_sync(inode); + dprintk("<-- %s status %d\n", __func__, status); + return status; +-- +2.39.5 + diff --git a/queue-5.10/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch b/queue-5.10/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch new file mode 100644 index 0000000000..a10a2d5350 --- /dev/null +++ b/queue-5.10/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch @@ -0,0 +1,43 @@ +From df8c43cfdafc7c3e7aaf7507c8641c7e16900a32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 16:29:11 +0200 +Subject: (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized + pointer + +From: Thomas Fourier + +[ Upstream commit 760b9b4f6de9a33ca56a05f950cabe82138d25bd ] + +If the device configuration fails (if `dma_dev->device_config()`), +`sg_dma_address(&sg)` is not initialized and the jump to `err_dma_prep` +leads to calling `dma_unmap_single()` on `sg_dma_address(&sg)`. + +Signed-off-by: Thomas Fourier +Reviewed-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250610142918.169540-2-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c +index 04bf6ecf7d55..85e0fa7d902b 100644 +--- a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c ++++ b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c +@@ -240,10 +240,8 @@ static int mpc512x_lpbfifo_kick(void) + dma_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + + /* Make DMA channel work with LPB FIFO data register */ +- if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) { +- ret = -EINVAL; +- goto err_dma_prep; +- } ++ if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) ++ return -EINVAL; + + sg_init_table(&sg, 1); + +-- +2.39.5 + diff --git a/queue-5.10/rcu-protect-defer_qs_iw_pending-from-data-race.patch b/queue-5.10/rcu-protect-defer_qs_iw_pending-from-data-race.patch new file mode 100644 index 0000000000..b6cbc944b6 --- /dev/null +++ b/queue-5.10/rcu-protect-defer_qs_iw_pending-from-data-race.patch @@ -0,0 +1,97 @@ +From b971e431c8cb90ef1a079dec16dc7d176e07309d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 16:49:53 -0700 +Subject: rcu: Protect ->defer_qs_iw_pending from data race + +From: Paul E. McKenney + +[ Upstream commit 90c09d57caeca94e6f3f87c49e96a91edd40cbfd ] + +On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is +invoked within an interrupts-disabled region of code [1], it will invoke +rcu_read_unlock_special(), which uses an irq-work handler to force the +system to notice when the RCU read-side critical section actually ends. +That end won't happen until interrupts are enabled at the soonest. + +In some kernels, such as those booted with rcutree.use_softirq=y, the +irq-work handler is used unconditionally. + +The per-CPU rcu_data structure's ->defer_qs_iw_pending field is +updated by the irq-work handler and is both read and updated by +rcu_read_unlock_special(). This resulted in the following KCSAN splat: + +------------------------------------------------------------------------ + +BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special + +read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8: + rcu_read_unlock_special+0x175/0x260 + __rcu_read_unlock+0x92/0xa0 + rt_spin_unlock+0x9b/0xc0 + __local_bh_enable+0x10d/0x170 + __local_bh_enable_ip+0xfb/0x150 + rcu_do_batch+0x595/0xc40 + rcu_cpu_kthread+0x4e9/0x830 + smpboot_thread_fn+0x24d/0x3b0 + kthread+0x3bd/0x410 + ret_from_fork+0x35/0x40 + ret_from_fork_asm+0x1a/0x30 + +write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8: + rcu_preempt_deferred_qs_handler+0x1e/0x30 + irq_work_single+0xaf/0x160 + run_irq_workd+0x91/0xc0 + smpboot_thread_fn+0x24d/0x3b0 + kthread+0x3bd/0x410 + ret_from_fork+0x35/0x40 + ret_from_fork_asm+0x1a/0x30 + +no locks held by irq_work/8/88. +irq event stamp: 200272 +hardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320 +hardirqs last disabled at (200271): [] __schedule+0x129/0xd70 +softirqs last enabled at (0): [] copy_process+0x4df/0x1cc0 +softirqs last disabled at (0): [<0000000000000000>] 0x0 + +------------------------------------------------------------------------ + +The problem is that irq-work handlers run with interrupts enabled, which +means that rcu_preempt_deferred_qs_handler() could be interrupted, +and that interrupt handler might contain an RCU read-side critical +section, which might invoke rcu_read_unlock_special(). In the strict +KCSAN mode of operation used by RCU, this constitutes a data race on +the ->defer_qs_iw_pending field. + +This commit therefore disables interrupts across the portion of the +rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending +field. This suffices because this handler is not a fast path. + +Signed-off-by: Paul E. McKenney +Reviewed-by: Frederic Weisbecker +Signed-off-by: Neeraj Upadhyay (AMD) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_plugin.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index c07a84197173..ed17deba8b18 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -585,10 +585,13 @@ static void rcu_preempt_deferred_qs(struct task_struct *t) + */ + static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp) + { ++ unsigned long flags; + struct rcu_data *rdp; + + rdp = container_of(iwp, struct rcu_data, defer_qs_iw); ++ local_irq_save(flags); + rdp->defer_qs_iw_pending = false; ++ local_irq_restore(flags); + } + + /* +-- +2.39.5 + diff --git a/queue-5.10/rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch b/queue-5.10/rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch new file mode 100644 index 0000000000..4fa1eefb4f --- /dev/null +++ b/queue-5.10/rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch @@ -0,0 +1,77 @@ +From c4a51e283226c2d159afd7be3b607d64caf8dbf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 13:33:26 +0200 +Subject: RDMA/core: reduce stack using in nldev_stat_get_doit() + +From: Arnd Bergmann + +[ Upstream commit 43163f4c30f94d2103c948a247cdf2cda5068ca7 ] + +In the s390 defconfig, gcc-10 and earlier end up inlining three functions +into nldev_stat_get_doit(), and each of them uses some 600 bytes of stack. + +The result is a function with an overly large stack frame and a warning: + +drivers/infiniband/core/nldev.c:2466:1: error: the frame size of 1720 bytes is larger than 1280 bytes [-Werror=frame-larger-than=] + +Mark the three functions noinline_for_stack to prevent this, ensuring +that only one copy of the nlattr array is on the stack of each function. + +Signed-off-by: Arnd Bergmann +Link: https://patch.msgid.link/20250620113335.3776965-1-arnd@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/nldev.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c +index f8dfec7ad7cc..1475069aa428 100644 +--- a/drivers/infiniband/core/nldev.c ++++ b/drivers/infiniband/core/nldev.c +@@ -1240,10 +1240,11 @@ static const struct nldev_fill_res_entry fill_entries[RDMA_RESTRACK_MAX] = { + }, + }; + +-static int res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh, +- struct netlink_ext_ack *extack, +- enum rdma_restrack_type res_type, +- res_fill_func_t fill_func) ++static noinline_for_stack int ++res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh, ++ struct netlink_ext_ack *extack, ++ enum rdma_restrack_type res_type, ++ res_fill_func_t fill_func) + { + const struct nldev_fill_res_entry *fe = &fill_entries[res_type]; + struct nlattr *tb[RDMA_NLDEV_ATTR_MAX]; +@@ -1877,10 +1878,10 @@ static int nldev_stat_del_doit(struct sk_buff *skb, struct nlmsghdr *nlh, + return ret; + } + +-static int stat_get_doit_default_counter(struct sk_buff *skb, +- struct nlmsghdr *nlh, +- struct netlink_ext_ack *extack, +- struct nlattr *tb[]) ++static noinline_for_stack int ++stat_get_doit_default_counter(struct sk_buff *skb, struct nlmsghdr *nlh, ++ struct netlink_ext_ack *extack, ++ struct nlattr *tb[]) + { + struct rdma_hw_stats *stats; + struct nlattr *table_attr; +@@ -1970,8 +1971,9 @@ static int stat_get_doit_default_counter(struct sk_buff *skb, + return ret; + } + +-static int stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh, +- struct netlink_ext_ack *extack, struct nlattr *tb[]) ++static noinline_for_stack int ++stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh, ++ struct netlink_ext_ack *extack, struct nlattr *tb[]) + + { + static enum rdma_nl_counter_mode mode; +-- +2.39.5 + diff --git a/queue-5.10/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch b/queue-5.10/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch new file mode 100644 index 0000000000..e1c7da3279 --- /dev/null +++ b/queue-5.10/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch @@ -0,0 +1,85 @@ +From 985786cfd9501abc288883f3d91918b4f340ee74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 15:39:38 -0400 +Subject: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() + +From: Yury Norov [NVIDIA] + +[ Upstream commit 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a ] + +The function divides number of online CPUs by num_core_siblings, and +later checks the divider by zero. This implies a possibility to get +and divide-by-zero runtime error. Fix it by moving the check prior to +division. This also helps to save one indentation level. + +Signed-off-by: Yury Norov [NVIDIA] +Link: https://patch.msgid.link/20250604193947.11834-3-yury.norov@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/affinity.c | 44 +++++++++++++++------------ + 1 file changed, 24 insertions(+), 20 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c +index d5a8d0173709..5eaf61784788 100644 +--- a/drivers/infiniband/hw/hfi1/affinity.c ++++ b/drivers/infiniband/hw/hfi1/affinity.c +@@ -1008,31 +1008,35 @@ static void find_hw_thread_mask(uint hw_thread_no, cpumask_var_t hw_thread_mask, + struct hfi1_affinity_node_list *affinity) + { + int possible, curr_cpu, i; +- uint num_cores_per_socket = node_affinity.num_online_cpus / ++ uint num_cores_per_socket; ++ ++ cpumask_copy(hw_thread_mask, &affinity->proc.mask); ++ ++ if (affinity->num_core_siblings == 0) ++ return; ++ ++ num_cores_per_socket = node_affinity.num_online_cpus / + affinity->num_core_siblings / + node_affinity.num_online_nodes; + +- cpumask_copy(hw_thread_mask, &affinity->proc.mask); +- if (affinity->num_core_siblings > 0) { +- /* Removing other siblings not needed for now */ +- possible = cpumask_weight(hw_thread_mask); +- curr_cpu = cpumask_first(hw_thread_mask); +- for (i = 0; +- i < num_cores_per_socket * node_affinity.num_online_nodes; +- i++) +- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); +- +- for (; i < possible; i++) { +- cpumask_clear_cpu(curr_cpu, hw_thread_mask); +- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); +- } ++ /* Removing other siblings not needed for now */ ++ possible = cpumask_weight(hw_thread_mask); ++ curr_cpu = cpumask_first(hw_thread_mask); ++ for (i = 0; ++ i < num_cores_per_socket * node_affinity.num_online_nodes; ++ i++) ++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); + +- /* Identifying correct HW threads within physical cores */ +- cpumask_shift_left(hw_thread_mask, hw_thread_mask, +- num_cores_per_socket * +- node_affinity.num_online_nodes * +- hw_thread_no); ++ for (; i < possible; i++) { ++ cpumask_clear_cpu(curr_cpu, hw_thread_mask); ++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); + } ++ ++ /* Identifying correct HW threads within physical cores */ ++ cpumask_shift_left(hw_thread_mask, hw_thread_mask, ++ num_cores_per_socket * ++ node_affinity.num_online_nodes * ++ hw_thread_no); + } + + int hfi1_get_proc_affinity(int node) +-- +2.39.5 + diff --git a/queue-5.10/reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch b/queue-5.10/reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch new file mode 100644 index 0000000000..09a9965e6f --- /dev/null +++ b/queue-5.10/reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch @@ -0,0 +1,59 @@ +From 3d00052c041444e5def2dffdb3185c33791b2ba3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 18:52:58 +0100 +Subject: reset: brcmstb: Enable reset drivers for ARCH_BCM2835 + +From: Peter Robinson + +[ Upstream commit 1d99f92f71b6b4b2eee776562c991428490f71ef ] + +The BRCMSTB and BRCMSTB_RESCAL reset drivers are also +used in the BCM2712, AKA the RPi5. The RPi platforms +have typically used the ARCH_BCM2835, and the PCIe +support for this SoC can use this config which depends +on these drivers so enable building them when just that +arch option is enabled to ensure the platform works as +expected. + +Signed-off-by: Peter Robinson +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20250630175301.846082-1-pbrobinson@gmail.com +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/Kconfig | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/reset/Kconfig b/drivers/reset/Kconfig +index 147543ad303f..315324dcdac4 100644 +--- a/drivers/reset/Kconfig ++++ b/drivers/reset/Kconfig +@@ -43,8 +43,8 @@ config RESET_BERLIN + + config RESET_BRCMSTB + tristate "Broadcom STB reset controller" +- depends on ARCH_BRCMSTB || COMPILE_TEST +- default ARCH_BRCMSTB ++ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST ++ default ARCH_BRCMSTB || ARCH_BCM2835 + help + This enables the reset controller driver for Broadcom STB SoCs using + a SUN_TOP_CTRL_SW_INIT style controller. +@@ -52,11 +52,11 @@ config RESET_BRCMSTB + config RESET_BRCMSTB_RESCAL + bool "Broadcom STB RESCAL reset controller" + depends on HAS_IOMEM +- depends on ARCH_BRCMSTB || COMPILE_TEST +- default ARCH_BRCMSTB ++ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST ++ default ARCH_BRCMSTB || ARCH_BCM2835 + help + This enables the RESCAL reset controller for SATA, PCIe0, or PCIe1 on +- BCM7216. ++ BCM7216 or the BCM2712. + + config RESET_HSDK + bool "Synopsys HSDK Reset Driver" +-- +2.39.5 + diff --git a/queue-5.10/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch b/queue-5.10/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch new file mode 100644 index 0000000000..8141d717f5 --- /dev/null +++ b/queue-5.10/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch @@ -0,0 +1,63 @@ +From 78b0d1929e460f18a4c53bf3f681bc174e9922a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:14:16 -0700 +Subject: rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 + +From: Meagan Lloyd + +[ Upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e ] + +In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the +kernel time as long as rtc_read_time() succeeds. In some power loss +situations, our supercapacitor-backed DS1342 RTC comes up with either an +unpredictable future time or the default 01/01/00 from the datasheet. +The oscillator stop flag (OSF) is set in these scenarios due to the +power loss and can be used to determine the validity of the RTC data. + +This change expands the oscillator stop flag (OSF) handling that has +already been implemented for some chips to the ds1341 chip (DS1341 and +DS1342 share a datasheet). This handling manages the validity of the RTC +data in .read_time and .set_time based on the OSF. + +Signed-off-by: Meagan Lloyd +Reviewed-by: Tyler Hicks +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/1749665656-30108-3-git-send-email-meaganlloyd@linux.microsoft.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index ba420201505c..a60362c69d87 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -275,6 +275,13 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t) + if (tmp & DS1340_BIT_OSF) + return -EINVAL; + break; ++ case ds_1341: ++ ret = regmap_read(ds1307->regmap, DS1337_REG_STATUS, &tmp); ++ if (ret) ++ return ret; ++ if (tmp & DS1337_BIT_OSF) ++ return -EINVAL; ++ break; + case ds_1388: + ret = regmap_read(ds1307->regmap, DS1388_REG_FLAG, &tmp); + if (ret) +@@ -373,6 +380,10 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t) + regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG, + DS1340_BIT_OSF, 0); + break; ++ case ds_1341: ++ regmap_update_bits(ds1307->regmap, DS1337_REG_STATUS, ++ DS1337_BIT_OSF, 0); ++ break; + case ds_1388: + regmap_update_bits(ds1307->regmap, DS1388_REG_FLAG, + DS1388_BIT_OSF, 0); +-- +2.39.5 + diff --git a/queue-5.10/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch b/queue-5.10/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch new file mode 100644 index 0000000000..ce91bf31b9 --- /dev/null +++ b/queue-5.10/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch @@ -0,0 +1,52 @@ +From e10c5a0eb6fde6f060b3a7cc064afbd5f3fe433b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:14:15 -0700 +Subject: rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe + +From: Meagan Lloyd + +[ Upstream commit 48458654659c9c2e149c211d86637f1592470da5 ] + +In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the +kernel time as long as rtc_read_time() succeeds. In some power loss +situations, our supercapacitor-backed DS1342 RTC comes up with either an +unpredictable future time or the default 01/01/00 from the datasheet. +The oscillator stop flag (OSF) is set in these scenarios due to the +power loss and can be used to determine the validity of the RTC data. + +Some chip types in the ds1307 driver already have OSF handling to +determine whether .read_time provides valid RTC data or returns -EINVAL. + +This change removes the clear of the OSF in .probe as the OSF needs to +be preserved to expand the OSF handling to the ds1341 chip type (note +that DS1341 and DS1342 share a datasheet). + +Signed-off-by: Meagan Lloyd +Reviewed-by: Tyler Hicks +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/1749665656-30108-2-git-send-email-meaganlloyd@linux.microsoft.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index a60362c69d87..ecfd6c27ba54 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -1881,10 +1881,8 @@ static int ds1307_probe(struct i2c_client *client, + regmap_write(ds1307->regmap, DS1337_REG_CONTROL, + regs[0]); + +- /* oscillator fault? clear flag, and warn */ ++ /* oscillator fault? warn */ + if (regs[1] & DS1337_BIT_OSF) { +- regmap_write(ds1307->regmap, DS1337_REG_STATUS, +- regs[1] & ~DS1337_BIT_OSF); + dev_warn(ds1307->dev, "SET TIME!\n"); + } + break; +-- +2.39.5 + diff --git a/queue-5.10/s390-stp-remove-udelay-from-stp_sync_clock.patch b/queue-5.10/s390-stp-remove-udelay-from-stp_sync_clock.patch new file mode 100644 index 0000000000..208c7e7d0f --- /dev/null +++ b/queue-5.10/s390-stp-remove-udelay-from-stp_sync_clock.patch @@ -0,0 +1,44 @@ +From 8e35313f5fb5657b8fec444911311075cb1f7bc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:50:27 +0200 +Subject: s390/stp: Remove udelay from stp_sync_clock() + +From: Sven Schnelle + +[ Upstream commit b367017cdac21781a74eff4e208d3d38e1f38d3f ] + +When an stp sync check is handled on a system with multiple +cpus each cpu gets a machine check but only the first one +actually handles the sync operation. All other CPUs spin +waiting for the first one to finish with a short udelay(). +But udelay can't be used here as the first CPU modifies tod_clock_base +before performing the sync op. During this timeframe +get_tod_clock_monotonic() might return a non-monotonic time. + +The time spent waiting should be very short and udelay is a busy loop +anyways, therefore simply remove the udelay. + +Reviewed-by: Heiko Carstens +Signed-off-by: Sven Schnelle +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c +index b6517453fa23..cd79e9cd785f 100644 +--- a/arch/s390/kernel/time.c ++++ b/arch/s390/kernel/time.c +@@ -587,7 +587,7 @@ static int stp_sync_clock(void *data) + atomic_dec(&sync->cpus); + /* Wait for in_sync to be set. */ + while (READ_ONCE(sync->in_sync) == 0) +- __udelay(1); ++ ; + } + if (sync->in_sync != 1) + /* Didn't work. Clear per-cpu in sync bit again. */ +-- +2.39.5 + diff --git a/queue-5.10/s390-time-use-monotonic-clock-in-get_cycles.patch b/queue-5.10/s390-time-use-monotonic-clock-in-get_cycles.patch new file mode 100644 index 0000000000..5b85755d24 --- /dev/null +++ b/queue-5.10/s390-time-use-monotonic-clock-in-get_cycles.patch @@ -0,0 +1,54 @@ +From 1e6f62f4e89098012077b2c00b6dbc9affa57ca1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 09:42:29 +0200 +Subject: s390/time: Use monotonic clock in get_cycles() + +From: Sven Schnelle + +[ Upstream commit 09e7e29d2b49ba84bcefb3dc1657726d2de5bb24 ] + +Otherwise the code might not work correctly when the clock +is changed. + +Signed-off-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/timex.h | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h +index 588aa0f2c842..d0260a1ec298 100644 +--- a/arch/s390/include/asm/timex.h ++++ b/arch/s390/include/asm/timex.h +@@ -167,13 +167,6 @@ static inline unsigned long long get_tod_clock_fast(void) + return get_tod_clock(); + #endif + } +- +-static inline cycles_t get_cycles(void) +-{ +- return (cycles_t) get_tod_clock() >> 2; +-} +-#define get_cycles get_cycles +- + int get_phys_clock(unsigned long *clock); + void init_cpu_timer(void); + +@@ -196,6 +189,12 @@ static inline unsigned long long get_tod_clock_monotonic(void) + return tod; + } + ++static inline cycles_t get_cycles(void) ++{ ++ return (cycles_t)get_tod_clock_monotonic() >> 2; ++} ++#define get_cycles get_cycles ++ + /** + * tod_to_ns - convert a TOD format value to nanoseconds + * @todval: to be converted TOD format value +-- +2.39.5 + diff --git a/queue-5.10/scsi-aacraid-stop-using-pci_irq_affinity.patch b/queue-5.10/scsi-aacraid-stop-using-pci_irq_affinity.patch new file mode 100644 index 0000000000..f952da9cbb --- /dev/null +++ b/queue-5.10/scsi-aacraid-stop-using-pci_irq_affinity.patch @@ -0,0 +1,69 @@ +From b67455d3550fa8bfabe5238f01490ce158a3e13d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 11:15:35 +0000 +Subject: scsi: aacraid: Stop using PCI_IRQ_AFFINITY + +From: John Garry + +[ Upstream commit dafeaf2c03e71255438ffe5a341d94d180e6c88e ] + +When PCI_IRQ_AFFINITY is set for calling pci_alloc_irq_vectors(), it +means interrupts are spread around the available CPUs. It also means that +the interrupts become managed, which means that an interrupt is shutdown +when all the CPUs in the interrupt affinity mask go offline. + +Using managed interrupts in this way means that we should ensure that +completions should not occur on HW queues where the associated interrupt +is shutdown. This is typically achieved by ensuring only CPUs which are +online can generate IO completion traffic to the HW queue which they are +mapped to (so that they can also serve completion interrupts for that HW +queue). + +The problem in the driver is that a CPU can generate completions to a HW +queue whose interrupt may be shutdown, as the CPUs in the HW queue +interrupt affinity mask may be offline. This can cause IOs to never +complete and hang the system. The driver maintains its own CPU <-> HW +queue mapping for submissions, see aac_fib_vector_assign(), but this does +not reflect the CPU <-> HW queue interrupt affinity mapping. + +Commit 9dc704dcc09e ("scsi: aacraid: Reply queue mapping to CPUs based on +IRQ affinity") tried to remedy this issue may mapping CPUs properly to HW +queue interrupts. However this was later reverted in commit c5becf57dd56 +("Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ +affinity") - it seems that there were other reports of hangs. I guess +that this was due to some implementation issue in the original commit or +maybe a HW issue. + +Fix the very original hang by just not using managed interrupts by not +setting PCI_IRQ_AFFINITY. In this way, all CPUs will be in each HW queue +affinity mask, so should not create completion problems if any CPUs go +offline. + +Signed-off-by: John Garry +Link: https://lore.kernel.org/r/20250715111535.499853-1-john.g.garry@oracle.com +Closes: https://lore.kernel.org/linux-scsi/20250618192427.3845724-1-jmeneghi@redhat.com/ +Reviewed-by: John Meneghini +Tested-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/comminit.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c +index 34e45c87cae0..7b520e824c29 100644 +--- a/drivers/scsi/aacraid/comminit.c ++++ b/drivers/scsi/aacraid/comminit.c +@@ -481,8 +481,7 @@ void aac_define_int_mode(struct aac_dev *dev) + pci_find_capability(dev->pdev, PCI_CAP_ID_MSIX)) { + min_msix = 2; + i = pci_alloc_irq_vectors(dev->pdev, +- min_msix, msi_count, +- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY); ++ min_msix, msi_count, PCI_IRQ_MSIX); + if (i > 0) { + dev->msi_enabled = 1; + msi_count = i; +-- +2.39.5 + diff --git a/queue-5.10/scsi-bfa-double-free-fix.patch b/queue-5.10/scsi-bfa-double-free-fix.patch new file mode 100644 index 0000000000..f18abd625a --- /dev/null +++ b/queue-5.10/scsi-bfa-double-free-fix.patch @@ -0,0 +1,42 @@ +From 6c6478b88ac24014ae4c209209c53228fa682105 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 19:58:24 +0800 +Subject: scsi: bfa: Double-free fix + +From: jackysliu <1972843537@qq.com> + +[ Upstream commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9 ] + +When the bfad_im_probe() function fails during initialization, the memory +pointed to by bfad->im is freed without setting bfad->im to NULL. + +Subsequently, during driver uninstallation, when the state machine enters +the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, +it attempts to free the memory pointed to by bfad->im again, thereby +triggering a double-free vulnerability. + +Set bfad->im to NULL if probing fails. + +Signed-off-by: jackysliu <1972843537@qq.com> +Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad_im.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c +index 22f06be2606f..6dcf1094e01b 100644 +--- a/drivers/scsi/bfa/bfad_im.c ++++ b/drivers/scsi/bfa/bfad_im.c +@@ -707,6 +707,7 @@ bfad_im_probe(struct bfad_s *bfad) + + if (bfad_thread_workq(bfad) != BFA_STATUS_OK) { + kfree(im); ++ bfad->im = NULL; + return BFA_STATUS_FAILED; + } + +-- +2.39.5 + diff --git a/queue-5.10/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch b/queue-5.10/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch new file mode 100644 index 0000000000..fe6ada92e2 --- /dev/null +++ b/queue-5.10/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch @@ -0,0 +1,136 @@ +From 5b74348ec11c62dd2f6761b3f22e098f9dffc064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 11:46:49 +0530 +Subject: scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans + +From: Ranjan Kumar + +[ Upstream commit 37c4e72b0651e7697eb338cd1fb09feef472cc1a ] + +sas_user_scan() did not fully process wildcard channel scans +(SCAN_WILD_CARD) when a transport-specific user_scan() callback was +present. Only channel 0 would be scanned via user_scan(), while the +remaining channels were skipped, potentially missing devices. + +user_scan() invokes updated sas_user_scan() for channel 0, and if +successful, iteratively scans remaining channels (1 to +shost->max_channel) via scsi_scan_host_selected(). This ensures complete +wildcard scanning without affecting transport-specific scanning behavior. + +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20250624061649.17990-1-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 2 +- + drivers/scsi/scsi_transport_sas.c | 60 ++++++++++++++++++++++++------- + 2 files changed, 49 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index e8703b043805..1dea44c1c568 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -1686,7 +1686,7 @@ int scsi_scan_host_selected(struct Scsi_Host *shost, unsigned int channel, + + return 0; + } +- ++EXPORT_SYMBOL(scsi_scan_host_selected); + static void scsi_sysfs_add_devices(struct Scsi_Host *shost) + { + struct scsi_device *sdev; +diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c +index c6256fdc24b1..1eb58f8765e2 100644 +--- a/drivers/scsi/scsi_transport_sas.c ++++ b/drivers/scsi/scsi_transport_sas.c +@@ -41,6 +41,8 @@ + #include + + #include "scsi_sas_internal.h" ++#include "scsi_priv.h" ++ + struct sas_host_attrs { + struct list_head rphy_list; + struct mutex lock; +@@ -1652,32 +1654,66 @@ int scsi_is_sas_rphy(const struct device *dev) + } + EXPORT_SYMBOL(scsi_is_sas_rphy); + +- +-/* +- * SCSI scan helper +- */ +- +-static int sas_user_scan(struct Scsi_Host *shost, uint channel, +- uint id, u64 lun) ++static void scan_channel_zero(struct Scsi_Host *shost, uint id, u64 lun) + { + struct sas_host_attrs *sas_host = to_sas_host_attrs(shost); + struct sas_rphy *rphy; + +- mutex_lock(&sas_host->lock); + list_for_each_entry(rphy, &sas_host->rphy_list, list) { + if (rphy->identify.device_type != SAS_END_DEVICE || + rphy->scsi_target_id == -1) + continue; + +- if ((channel == SCAN_WILD_CARD || channel == 0) && +- (id == SCAN_WILD_CARD || id == rphy->scsi_target_id)) { ++ if (id == SCAN_WILD_CARD || id == rphy->scsi_target_id) { + scsi_scan_target(&rphy->dev, 0, rphy->scsi_target_id, + lun, SCSI_SCAN_MANUAL); + } + } +- mutex_unlock(&sas_host->lock); ++} + +- return 0; ++/* ++ * SCSI scan helper ++ */ ++ ++static int sas_user_scan(struct Scsi_Host *shost, uint channel, ++ uint id, u64 lun) ++{ ++ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost); ++ int res = 0; ++ int i; ++ ++ switch (channel) { ++ case 0: ++ mutex_lock(&sas_host->lock); ++ scan_channel_zero(shost, id, lun); ++ mutex_unlock(&sas_host->lock); ++ break; ++ ++ case SCAN_WILD_CARD: ++ mutex_lock(&sas_host->lock); ++ scan_channel_zero(shost, id, lun); ++ mutex_unlock(&sas_host->lock); ++ ++ for (i = 1; i <= shost->max_channel; i++) { ++ res = scsi_scan_host_selected(shost, i, id, lun, ++ SCSI_SCAN_MANUAL); ++ if (res) ++ goto exit_scan; ++ } ++ break; ++ ++ default: ++ if (channel < shost->max_channel) { ++ res = scsi_scan_host_selected(shost, channel, id, lun, ++ SCSI_SCAN_MANUAL); ++ } else { ++ res = -EINVAL; ++ } ++ break; ++ } ++ ++exit_scan: ++ return res; + } + + +-- +2.39.5 + diff --git a/queue-5.10/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch b/queue-5.10/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch new file mode 100644 index 0000000000..20a308d636 --- /dev/null +++ b/queue-5.10/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch @@ -0,0 +1,63 @@ +From 9890ddea2c86de7ce52ccb0d3db3497a2de1d7df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 16:53:29 +0530 +Subject: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is + allocated + +From: Showrya M N + +[ Upstream commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 ] + +In case of an ib_fast_reg_mr allocation failure during iSER setup, the +machine hits a panic because iscsi_conn->dd_data is initialized +unconditionally, even when no memory is allocated (dd_size == 0). This +leads invalid pointer dereference during connection teardown. + +Fix by setting iscsi_conn->dd_data only if memory is actually allocated. + +Panic trace: +------------ + iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 + iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers + BUG: unable to handle page fault for address: fffffffffffffff8 + RIP: 0010:swake_up_locked.part.5+0xa/0x40 + Call Trace: + complete+0x31/0x40 + iscsi_iser_conn_stop+0x88/0xb0 [ib_iser] + iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi] + iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi] + iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi] + ? netlink_lookup+0x12f/0x1b0 + ? netlink_deliver_tap+0x2c/0x200 + netlink_unicast+0x1ab/0x280 + netlink_sendmsg+0x257/0x4f0 + ? _copy_from_user+0x29/0x60 + sock_sendmsg+0x5f/0x70 + +Signed-off-by: Showrya M N +Signed-off-by: Potnuri Bharat Teja +Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 05799b41974d..bad5730bf7ab 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -2949,7 +2949,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size, + conn = cls_conn->dd_data; + memset(conn, 0, sizeof(*conn) + dd_size); + +- conn->dd_data = cls_conn->dd_data + sizeof(*conn); ++ if (dd_size) ++ conn->dd_data = cls_conn->dd_data + sizeof(*conn); + conn->session = session; + conn->cls_conn = cls_conn; + conn->c_stage = ISCSI_CONN_INITIAL_STAGE; +-- +2.39.5 + diff --git a/queue-5.10/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch b/queue-5.10/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch new file mode 100644 index 0000000000..a07ab4d6a2 --- /dev/null +++ b/queue-5.10/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch @@ -0,0 +1,44 @@ +From a3822ed6e28f15e06db9e55262bee5524268f6c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 12:21:28 -0700 +Subject: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport + structure + +From: Justin Tee + +[ Upstream commit 6698796282e828733cde3329c887b4ae9e5545e9 ] + +If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the +resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may +occur before sli4_hba.hdwqs are allocated. This may result in a null +pointer dereference when attempting to take the abts_io_buf_list_lock for +the first hardware queue. Fix by adding a null ptr check on +phba->sli4_hba.hdwq and early return because this situation means there +must have been an error during port initialization. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20250618192138.124116-4-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_scsi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index 212153483874..a35426409a6f 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -469,6 +469,10 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport) + if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP)) + return; + ++ /* may be called before queues established if hba_setup fails */ ++ if (!phba->sli4_hba.hdwq) ++ return; ++ + spin_lock_irqsave(&phba->hbalock, iflag); + for (idx = 0; idx < phba->cfg_hdw_queue; idx++) { + qp = &phba->sli4_hba.hdwq[idx]; +-- +2.39.5 + diff --git a/queue-5.10/scsi-mpt3sas-correctly-handle-ata-device-errors.patch b/queue-5.10/scsi-mpt3sas-correctly-handle-ata-device-errors.patch new file mode 100644 index 0000000000..176f8523a1 --- /dev/null +++ b/queue-5.10/scsi-mpt3sas-correctly-handle-ata-device-errors.patch @@ -0,0 +1,85 @@ +From 646682924fcd95c51f777fd2371fcce620f7714b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 14:27:47 +0900 +Subject: scsi: mpt3sas: Correctly handle ATA device errors + +From: Damien Le Moal + +[ Upstream commit 15592a11d5a5c8411ac8494ec49736b658f6fbff ] + +With the ATA error model, an NCQ command failure always triggers an abort +(termination) of all NCQ commands queued on the device. In such case, the +SAT or the host must handle the failed command according to the command +sense data and immediately retry all other NCQ commands that were aborted +due to the failed NCQ command. + +For SAS HBAs controlled by the mpt3sas driver, NCQ command aborts are not +handled by the HBA SAT and sent back to the host, with an ioc log +information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code +PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function +_scsih_io_done() always forces a retry of commands terminated with the +status MPI2_IOCSTATUS_SCSI_IOC_TERMINATED using the SCSI result +DID_SOFT_ERROR, regardless of the log_info for the command. This +correctly forces the retry of collateral NCQ abort commands, but with the +retry counter for the command being incremented. If a command to an ATA +device is subject to too many retries due to other NCQ commands failing +(e.g. read commands trying to access unreadable sectors), the collateral +NCQ abort commands may be terminated with an error as they run out of +retries. This violates the SAT specification and causes hard-to-debug +command errors. + +Solve this issue by modifying the handling of the +MPI2_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an +ATA device and if the command loginfo indicates an NCQ collateral +abort. If that is the case, force the command retry using the SCSI result +DID_IMM_RETRY to avoid incrementing the command retry count. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250606052747.742998-3-dlemoal@kernel.org +Tested-by: Yafang Shao +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index e797f6e3982c..4f4c2a20f47a 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -181,6 +181,14 @@ struct sense_info { + #define MPT3SAS_PORT_ENABLE_COMPLETE (0xFFFD) + #define MPT3SAS_ABRT_TASK_SET (0xFFFE) + #define MPT3SAS_REMOVE_UNRESPONDING_DEVICES (0xFFFF) ++ ++/* ++ * SAS Log info code for a NCQ collateral abort after an NCQ error: ++ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR ++ * See: drivers/message/fusion/lsi/mpi_log_sas.h ++ */ ++#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000 ++ + /** + * struct fw_event_work - firmware event struct + * @list: link list framework +@@ -5628,6 +5636,17 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply) + scmd->result = DID_TRANSPORT_DISRUPTED << 16; + goto out; + } ++ if (log_info == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) { ++ /* ++ * This is a ATA NCQ command aborted due to another NCQ ++ * command failure. We must retry this command ++ * immediately but without incrementing its retry ++ * counter. ++ */ ++ WARN_ON_ONCE(xfer_cnt != 0); ++ scmd->result = DID_IMM_RETRY << 16; ++ break; ++ } + if (log_info == 0x31110630) { + if (scmd->retries > 2) { + scmd->result = DID_NO_CONNECT << 16; +-- +2.39.5 + diff --git a/queue-5.10/securityfs-don-t-pin-dentries-twice-once-is-enough.patch b/queue-5.10/securityfs-don-t-pin-dentries-twice-once-is-enough.patch new file mode 100644 index 0000000000..5099d4a979 --- /dev/null +++ b/queue-5.10/securityfs-don-t-pin-dentries-twice-once-is-enough.patch @@ -0,0 +1,44 @@ +From 756b2c0f2c084f0e818c7c448b55e6152db0a76d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 23:38:01 -0400 +Subject: securityfs: don't pin dentries twice, once is enough... + +From: Al Viro + +[ Upstream commit 27cd1bf1240d482e4f02ca4f9812e748f3106e4f ] + +incidentally, securityfs_recursive_remove() is broken without that - +it leaks dentries, since simple_recursive_removal() does not expect +anything of that sort. It could be worked around by dput() in +remove_one() callback, but it's easier to just drop that double-get +stuff. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + security/inode.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/security/inode.c b/security/inode.c +index 6c326939750d..e6e07787eec9 100644 +--- a/security/inode.c ++++ b/security/inode.c +@@ -159,7 +159,6 @@ static struct dentry *securityfs_create_dentry(const char *name, umode_t mode, + inode->i_fop = fops; + } + d_instantiate(dentry, inode); +- dget(dentry); + inode_unlock(dir); + return dentry; + +@@ -306,7 +305,6 @@ void securityfs_remove(struct dentry *dentry) + simple_rmdir(dir, dentry); + else + simple_unlink(dir, dentry); +- dput(dentry); + } + inode_unlock(dir); + simple_release_fs(&mount, &mount_count); +-- +2.39.5 + diff --git a/queue-5.10/selftests-futex-define-sys_futex-on-32-bit-architect.patch b/queue-5.10/selftests-futex-define-sys_futex-on-32-bit-architect.patch new file mode 100644 index 0000000000..6aef25e733 --- /dev/null +++ b/queue-5.10/selftests-futex-define-sys_futex-on-32-bit-architect.patch @@ -0,0 +1,52 @@ +From c86bf655a0cce65deaf6b7b87d1f35838207442c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 18:36:30 +0800 +Subject: selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit + time_t + +From: Cynthia Huang + +[ Upstream commit 04850819c65c8242072818655d4341e70ae998b5 ] + +The kernel does not provide sys_futex() on 32-bit architectures that do not +support 32-bit time representations, such as riscv32. + +As a result, glibc cannot define SYS_futex, causing compilation failures in +tests that rely on this syscall. Define SYS_futex as SYS_futex_time64 in +such cases to ensure successful compilation and compatibility. + +Signed-off-by: Cynthia Huang +Signed-off-by: Ben Zong-You Xie +Signed-off-by: Thomas Gleixner +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/all/20250710103630.3156130-1-ben717@andestech.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/futex/include/futextest.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/testing/selftests/futex/include/futextest.h b/tools/testing/selftests/futex/include/futextest.h +index ddbcfc9b7bac..7a5fd1d5355e 100644 +--- a/tools/testing/selftests/futex/include/futextest.h ++++ b/tools/testing/selftests/futex/include/futextest.h +@@ -47,6 +47,17 @@ typedef volatile u_int32_t futex_t; + FUTEX_PRIVATE_FLAG) + #endif + ++/* ++ * SYS_futex is expected from system C library, in glibc some 32-bit ++ * architectures (e.g. RV32) are using 64-bit time_t, therefore it doesn't have ++ * SYS_futex defined but just SYS_futex_time64. Define SYS_futex as ++ * SYS_futex_time64 in this situation to ensure the compilation and the ++ * compatibility. ++ */ ++#if !defined(SYS_futex) && defined(SYS_futex_time64) ++#define SYS_futex SYS_futex_time64 ++#endif ++ + /** + * futex() - SYS_futex syscall wrapper + * @uaddr: address of first futex +-- +2.39.5 + diff --git a/queue-5.10/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch b/queue-5.10/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch new file mode 100644 index 0000000000..2f464e1203 --- /dev/null +++ b/queue-5.10/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch @@ -0,0 +1,41 @@ +From ba34fc4075b5898df7f48337284f1286621e925e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:26:43 +0900 +Subject: selftests: tracing: Use mutex_unlock for testing glob filter + +From: Masami Hiramatsu (Google) + +[ Upstream commit a089bb2822a49b0c5777a8936f82c1f8629231fb ] + +Since commit c5b6ababd21a ("locking/mutex: implement +mutex_trylock_nested") makes mutex_trylock() as an inlined +function if CONFIG_DEBUG_LOCK_ALLOC=y, we can not use +mutex_trylock() for testing the glob filter of ftrace. + +Use mutex_unlock instead. + +Link: https://lore.kernel.org/r/175151680309.2149615.9795104805153538717.stgit@mhiramat.tok.corp.google.com +Signed-off-by: Masami Hiramatsu (Google) +Acked-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +index 4b994b6df5ac..ed81eaf2afd6 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +@@ -29,7 +29,7 @@ ftrace_filter_check 'schedule*' '^schedule.*$' + ftrace_filter_check '*pin*lock' '.*pin.*lock$' + + # filter by start*mid* +-ftrace_filter_check 'mutex*try*' '^mutex.*try.*' ++ftrace_filter_check 'mutex*unl*' '^mutex.*unl.*' + + # Advanced full-glob matching feature is recently supported. + # Skip the tests if we are sure the kernel does not support it. +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series index c167be5b1b..5f3c0dab6b 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -208,3 +208,131 @@ netfilter-ctnetlink-fix-refcount-leak-on-table-dump.patch sctp-linearize-cloned-gso-packets-in-sctp_rcv.patch intel_idle-allow-loading-acpi-tables-for-any-family.patch cpuidle-governors-menu-avoid-using-invalid-recent-in.patch +hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch +hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch +hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch +hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch +arm64-handle-kcov-__init-vs-inline-mismatches.patch +udf-verify-partition-map-count.patch +drbd-add-missing-kref_get-in-handle_write_conflicts.patch +hfs-fix-not-erasing-deleted-b-tree-node-issue.patch +better-lockdep-annotations-for-simple_recursive_remo.patch +ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch +securityfs-don-t-pin-dentries-twice-once-is-enough.patch +usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch +cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch +selftests-futex-define-sys_futex-on-32-bit-architect.patch +usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch +usb-xhci-avoid-showing-warnings-for-dying-controller.patch +usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch +usb-xhci-avoid-showing-errors-during-surprise-remova.patch +gpio-wcd934x-check-the-return-value-of-regmap_update.patch +cpufreq-exit-governor-when-failed-to-start-old-gover.patch +arm-rockchip-fix-kernel-hang-during-smp-initializati.patch +pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch +asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch +gpio-tps65912-check-the-return-value-of-regmap_updat.patch +arm-tegra-use-i-o-memcpy-to-write-to-iram.patch +selftests-tracing-use-mutex_unlock-for-testing-glob-.patch +pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch +thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch +pm-sleep-console-fix-the-black-screen-issue.patch +acpi-processor-fix-acpi_object-initialization.patch +mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch +acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch +reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch +mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch +x86-bugs-avoid-warning-when-overriding-return-thunk.patch +asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch +alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch +asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch +usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch +usb-core-usb_submit_urb-downgrade-type-check.patch +pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch +platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch +platform-chrome-cros_ec_typec-defer-probe-on-missing.patch +alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch +alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch +alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch +iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch +asoc-codecs-rt5640-retry-device_id-verification.patch +xen-netfront-fix-tx-response-spurious-interrupts.patch +ktest.pl-prevent-recursion-of-default-variable-optio.patch +wifi-cfg80211-reject-htc-bit-for-management-frames.patch +s390-time-use-monotonic-clock-in-get_cycles.patch +be2net-use-correct-byte-order-and-format-string-for-.patch +et131x-add-missing-check-after-dma-map.patch +net-ag71xx-add-missing-check-after-dma-map.patch +rcu-protect-defer_qs_iw_pending-from-data-race.patch +can-ti_hecc-fix-woverflow-compiler-warning.patch +wifi-cfg80211-fix-interface-type-validation.patch +net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch +net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch +wifi-iwlwifi-mvm-fix-scan-request-validation.patch +s390-stp-remove-udelay-from-stp_sync_clock.patch +powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch +net-fec-allow-disable-coalescing.patch +drm-amd-display-separate-set_gsl-from-set_gsl_source.patch +wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch +wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch +drm-amd-display-fix-failed-to-blank-crtc.patch +wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch +netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch +wifi-iwlegacy-check-rate_idx-range-after-addition.patch +net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch +gve-return-error-for-unknown-admin-queue-command.patch +net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch +net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch +net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch +wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-1059 +net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch +drm-ttm-should-to-return-the-evict-error.patch +uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch +net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch +vhost-fail-early-when-__vhost_add_used-fails.patch +cifs-fix-calling-cifsfindfirst-for-root-path-without.patch +ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch +scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch +fs-orangefs-use-snprintf-instead-of-sprintf.patch +watchdog-dw_wdt-fix-default-timeout.patch +mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch +scsi-bfa-double-free-fix.patch +jfs-truncate-good-inode-pages-when-hard-link-is-0.patch +jfs-regular-file-corruption-check.patch +jfs-upper-bound-check-of-tree-index-in-dballocag.patch +mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch +leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch +rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch +rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch +scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch +scsi-mpt3sas-correctly-handle-ata-device-errors.patch +pinctrl-stm32-manage-irq-affinity-settings.patch +media-tc358743-check-i2c-succeeded-during-probe.patch +media-tc358743-return-an-appropriate-colorspace-from.patch +media-tc358743-increase-fifo-trigger-level-to-374.patch +media-usb-hdpvr-disable-zero-length-read-messages.patch +media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch +media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch +media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch +md-dm-zoned-target-initialize-return-variable-r-to-a.patch +i3c-add-missing-include-to-internal-header.patch +rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch +i3c-don-t-fail-if-gethdrcap-is-unsupported.patch +dm-mpath-don-t-print-the-loaded-message-if-registeri.patch +i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch +kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch +kconfig-nconf-ensure-null-termination-where-strncpy-.patch +scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch +scsi-aacraid-stop-using-pci_irq_affinity.patch +ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch +kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch +kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch +kconfig-lxdialog-fix-space-to-de-select-options.patch +ipmi-fix-strcpy-source-and-destination-the-same.patch +net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch +block-avoid-possible-overflow-for-chunk_sectors-chec.patch +pnfs-fix-stripe-mapping-in-block-scsi-layout.patch +pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch +pnfs-handle-rpc-size-limit-for-layoutcommits.patch +pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch +rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch diff --git a/queue-5.10/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch b/queue-5.10/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch new file mode 100644 index 0000000000..17d8d28668 --- /dev/null +++ b/queue-5.10/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch @@ -0,0 +1,53 @@ +From 230253b99159501cc52053a27e655ea210a1cf04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 10:41:43 +0000 +Subject: thermal: sysfs: Return ENODATA instead of EAGAIN for reads + +From: Hsin-Te Yuan + +[ Upstream commit 1a4aabc27e95674837f2e25f4ef340c0469e6203 ] + +According to POSIX spec, EAGAIN returned by read with O_NONBLOCK set +means the read would block. Hence, the common implementation in +nonblocking model will poll the file when the nonblocking read returns +EAGAIN. However, when the target file is thermal zone, this mechanism +will totally malfunction because thermal zone doesn't implement sysfs +notification and thus the poll will never return. + +For example, the read in Golang implemnts such method and sometimes +hangs at reading some thermal zones via sysfs. + +Change to return -ENODATA instead of -EAGAIN to userspace. + +Signed-off-by: Hsin-Te Yuan +Link: https://patch.msgid.link/20250620-temp-v3-1-6becc6aeb66c@chromium.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_sysfs.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c +index 05e9a3de80b5..d64af62abcc6 100644 +--- a/drivers/thermal/thermal_sysfs.c ++++ b/drivers/thermal/thermal_sysfs.c +@@ -39,10 +39,13 @@ temp_show(struct device *dev, struct device_attribute *attr, char *buf) + + ret = thermal_zone_get_temp(tz, &temperature); + +- if (ret) +- return ret; ++ if (!ret) ++ return sprintf(buf, "%d\n", temperature); + +- return sprintf(buf, "%d\n", temperature); ++ if (ret == -EAGAIN) ++ return -ENODATA; ++ ++ return ret; + } + + static ssize_t +-- +2.39.5 + diff --git a/queue-5.10/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch b/queue-5.10/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch new file mode 100644 index 0000000000..ad86e33f34 --- /dev/null +++ b/queue-5.10/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch @@ -0,0 +1,102 @@ +From 60dcd79cbd231e2b71d190c486abb73fac7bb703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 07:39:33 -0700 +Subject: uapi: in6: restore visibility of most IPv6 socket options +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Kicinski + +[ Upstream commit 31557b3487b349464daf42bc4366153743c1e727 ] + +A decade ago commit 6d08acd2d32e ("in6: fix conflict with glibc") +hid the definitions of IPV6 options, because GCC was complaining +about duplicates. The commit did not list the warnings seen, but +trying to recreate them now I think they are (building iproute2): + +In file included from ./include/uapi/rdma/rdma_user_cm.h:39, + from rdma.h:16, + from res.h:9, + from res-ctx.c:7: +../include/uapi/linux/in6.h:171:9: warning: ‘IPV6_ADD_MEMBERSHIP’ redefined + 171 | #define IPV6_ADD_MEMBERSHIP 20 + | ^~~~~~~~~~~~~~~~~~~ +In file included from /usr/include/netinet/in.h:37, + from rdma.h:13: +/usr/include/bits/in.h:233:10: note: this is the location of the previous definition + 233 | # define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP + | ^~~~~~~~~~~~~~~~~~~ +../include/uapi/linux/in6.h:172:9: warning: ‘IPV6_DROP_MEMBERSHIP’ redefined + 172 | #define IPV6_DROP_MEMBERSHIP 21 + | ^~~~~~~~~~~~~~~~~~~~ +/usr/include/bits/in.h:234:10: note: this is the location of the previous definition + 234 | # define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP + | ^~~~~~~~~~~~~~~~~~~~ + +Compilers don't complain about redefinition if the defines +are identical, but here we have the kernel using the literal +value, and glibc using an indirection (defining to a name +of another define, with the same numerical value). + +Problem is, the commit in question hid all the IPV6 socket +options, and glibc has a pretty sparse list. For instance +it lacks Flow Label related options. Willem called this out +in commit 3fb321fde22d ("selftests/net: ipv6 flowlabel"): + + /* uapi/glibc weirdness may leave this undefined */ + #ifndef IPV6_FLOWINFO + #define IPV6_FLOWINFO 11 + #endif + +More interestingly some applications (socat) use +a #ifdef IPV6_FLOWINFO to gate compilation of thier +rudimentary flow label support. (For added confusion +socat misspells it as IPV4_FLOWINFO in some places.) + +Hide only the two defines we know glibc has a problem +with. If we discover more warnings we can hide more +but we should avoid covering the entire block of +defines for "IPV6 socket options". + +Link: https://patch.msgid.link/20250609143933.1654417-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/uapi/linux/in6.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h +index 5ad396a57eb3..327fd76c0962 100644 +--- a/include/uapi/linux/in6.h ++++ b/include/uapi/linux/in6.h +@@ -151,7 +151,6 @@ struct in6_flowlabel_req { + /* + * IPV6 socket options + */ +-#if __UAPI_DEF_IPV6_OPTIONS + #define IPV6_ADDRFORM 1 + #define IPV6_2292PKTINFO 2 + #define IPV6_2292HOPOPTS 3 +@@ -168,8 +167,10 @@ struct in6_flowlabel_req { + #define IPV6_MULTICAST_IF 17 + #define IPV6_MULTICAST_HOPS 18 + #define IPV6_MULTICAST_LOOP 19 ++#if __UAPI_DEF_IPV6_OPTIONS + #define IPV6_ADD_MEMBERSHIP 20 + #define IPV6_DROP_MEMBERSHIP 21 ++#endif + #define IPV6_ROUTER_ALERT 22 + #define IPV6_MTU_DISCOVER 23 + #define IPV6_MTU 24 +@@ -202,7 +203,6 @@ struct in6_flowlabel_req { + #define IPV6_IPSEC_POLICY 34 + #define IPV6_XFRM_POLICY 35 + #define IPV6_HDRINCL 36 +-#endif + + /* + * Multicast: +-- +2.39.5 + diff --git a/queue-5.10/udf-verify-partition-map-count.patch b/queue-5.10/udf-verify-partition-map-count.patch new file mode 100644 index 0000000000..2eb632bd8c --- /dev/null +++ b/queue-5.10/udf-verify-partition-map-count.patch @@ -0,0 +1,54 @@ +From 07c0781320c40c2a1319ebc385f32c86c668c312 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 19:01:20 +0200 +Subject: udf: Verify partition map count + +From: Jan Kara + +[ Upstream commit 1a11201668e8635602577dcf06f2e96c591d8819 ] + +Verify that number of partition maps isn't insanely high which can lead +to large allocation in udf_sb_alloc_partition_maps(). All partition maps +have to fit in the LVD which is in a single block. + +Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 8dae5e73a00b..723184b1201f 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1410,7 +1410,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, + struct genericPartitionMap *gpm; + uint16_t ident; + struct buffer_head *bh; +- unsigned int table_len; ++ unsigned int table_len, part_map_count; + int ret; + + bh = udf_read_tagged(sb, block, block, &ident); +@@ -1431,7 +1431,16 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, + "logical volume"); + if (ret) + goto out_bh; +- ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); ++ ++ part_map_count = le32_to_cpu(lvd->numPartitionMaps); ++ if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too many partition maps (%u > %u)\n", part_map_count, ++ table_len / (unsigned)sizeof(struct genericPartitionMap1)); ++ ret = -EIO; ++ goto out_bh; ++ } ++ ret = udf_sb_alloc_partition_maps(sb, part_map_count); + if (ret) + goto out_bh; + +-- +2.39.5 + diff --git a/queue-5.10/usb-core-usb_submit_urb-downgrade-type-check.patch b/queue-5.10/usb-core-usb_submit_urb-downgrade-type-check.patch new file mode 100644 index 0000000000..f09530b56f --- /dev/null +++ b/queue-5.10/usb-core-usb_submit_urb-downgrade-type-check.patch @@ -0,0 +1,40 @@ +From 541b3b0d2b30711ccfea16b13dc5f1920b3fdfd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 14:20:25 +0200 +Subject: usb: core: usb_submit_urb: downgrade type check + +From: Oliver Neukum + +[ Upstream commit 503bbde34cc3dd2acd231f277ba70c3f9ed22e59 ] + +Checking for the endpoint type is no reason for a WARN, as that can +cause a reboot. A driver not checking the endpoint type must not cause a +reboot, as there is just no point in this. We cannot prevent a device +from doing something incorrect as a reaction to a transfer. Hence +warning for a mere assumption being wrong is not sensible. + +Signed-off-by: Oliver Neukum +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250612122149.2559724-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/urb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index 9c285026f827..c41b25bc585c 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -490,7 +490,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags) + + /* Check that the pipe's type matches the endpoint's type */ + if (usb_pipe_type_check(urb->dev, urb->pipe)) +- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", ++ dev_warn_once(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", + usb_pipetype(urb->pipe), pipetypes[xfertype]); + + /* Check against a simple/standard policy */ +-- +2.39.5 + diff --git a/queue-5.10/usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch b/queue-5.10/usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch new file mode 100644 index 0000000000..f628726e1b --- /dev/null +++ b/queue-5.10/usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch @@ -0,0 +1,40 @@ +From 1ff9a4f0b378a0a070c1121140b95118946344c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 17:40:58 +0200 +Subject: usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present + +From: Tomasz Michalec + +[ Upstream commit df9a825f330e76c72d1985bc9bdc4b8981e3d15f ] + +If pmc_usb_probe is called before SCU IPC is registered, pmc_usb_probe +will fail. + +Return -EPROBE_DEFER when pmc_usb_probe doesn't get SCU IPC device, so +the probe function can be called again after SCU IPC is initialized. + +Signed-off-by: Tomasz Michalec +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250610154058.1859812-1-tmichalec@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/mux/intel_pmc_mux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/mux/intel_pmc_mux.c b/drivers/usb/typec/mux/intel_pmc_mux.c +index 1276112edeff..9b4963450fe8 100644 +--- a/drivers/usb/typec/mux/intel_pmc_mux.c ++++ b/drivers/usb/typec/mux/intel_pmc_mux.c +@@ -644,7 +644,7 @@ static int pmc_usb_probe(struct platform_device *pdev) + + pmc->ipc = devm_intel_scu_ipc_dev_get(&pdev->dev); + if (!pmc->ipc) +- return -ENODEV; ++ return -EPROBE_DEFER; + + pmc->dev = &pdev->dev; + +-- +2.39.5 + diff --git a/queue-5.10/usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch b/queue-5.10/usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch new file mode 100644 index 0000000000..7dcad8aae5 --- /dev/null +++ b/queue-5.10/usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch @@ -0,0 +1,68 @@ +From 7862cbca10f73fdeb6ac71982c1785892c7ceb45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 20:08:05 +0000 +Subject: usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and + Default + +From: Benson Leung + +[ Upstream commit af833e7f7db3cf4c82f063668e1b52297a30ec18 ] + +ucsi_psy_get_current_max would return 0mA as the maximum current if +UCSI detected a BC or a Default USB Power sporce. + +The comment in this function is true that we can't tell the difference +between DCP/CDP or SDP chargers, but we can guarantee that at least 1-unit +of USB 1.1/2.0 power is available, which is 100mA, which is a better +fallback value than 0, which causes some userspaces, including the ChromeOS +power manager, to regard this as a power source that is not providing +any power. + +In reality, 100mA is guaranteed from all sources in these classes. + +Signed-off-by: Benson Leung +Reviewed-by: Jameson Thies +Reviewed-by: Heikki Krogerus +Reviewed-by: Sebastian Reichel +Link: https://lore.kernel.org/r/20250717200805.3710473-1-bleung@chromium.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/ucsi/psy.c | 2 +- + drivers/usb/typec/ucsi/ucsi.h | 7 ++++--- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/typec/ucsi/psy.c b/drivers/usb/typec/ucsi/psy.c +index 571a51e16234..ba5f797156dc 100644 +--- a/drivers/usb/typec/ucsi/psy.c ++++ b/drivers/usb/typec/ucsi/psy.c +@@ -142,7 +142,7 @@ static int ucsi_psy_get_current_max(struct ucsi_connector *con, + case UCSI_CONSTAT_PWR_OPMODE_DEFAULT: + /* UCSI can't tell b/w DCP/CDP or USB2/3x1/3x2 SDP chargers */ + default: +- val->intval = 0; ++ val->intval = UCSI_TYPEC_DEFAULT_CURRENT * 1000; + break; + } + return 0; +diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h +index f75b1e2c05fe..ed8fcd7ecf21 100644 +--- a/drivers/usb/typec/ucsi/ucsi.h ++++ b/drivers/usb/typec/ucsi/ucsi.h +@@ -305,9 +305,10 @@ struct ucsi { + #define UCSI_MAX_SVID 5 + #define UCSI_MAX_ALTMODES (UCSI_MAX_SVID * 6) + +-#define UCSI_TYPEC_VSAFE5V 5000 +-#define UCSI_TYPEC_1_5_CURRENT 1500 +-#define UCSI_TYPEC_3_0_CURRENT 3000 ++#define UCSI_TYPEC_VSAFE5V 5000 ++#define UCSI_TYPEC_DEFAULT_CURRENT 100 ++#define UCSI_TYPEC_1_5_CURRENT 1500 ++#define UCSI_TYPEC_3_0_CURRENT 3000 + + struct ucsi_connector { + int num; +-- +2.39.5 + diff --git a/queue-5.10/usb-xhci-avoid-showing-errors-during-surprise-remova.patch b/queue-5.10/usb-xhci-avoid-showing-errors-during-surprise-remova.patch new file mode 100644 index 0000000000..c7b427db3f --- /dev/null +++ b/queue-5.10/usb-xhci-avoid-showing-errors-during-surprise-remova.patch @@ -0,0 +1,60 @@ +From 9972933b146b1c73bedd7f346b8852223727097d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:05 +0300 +Subject: usb: xhci: Avoid showing errors during surprise removal + +From: Mario Limonciello + +[ Upstream commit 4b9c60e440525b729ac5f071e00bcee12e0a7e84 ] + +When a USB4 dock is unplugged from a system it won't respond to ring +events. The PCI core handles the surprise removal event and notifies +all PCI drivers. The XHCI PCI driver sets a flag that the device is +being removed as well. + +When that flag is set don't show messages in the cleanup path for +marking the controller dead. + +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Acked-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index c026e7cc0af1..a65ad8e760d0 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -1094,12 +1094,15 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci, + */ + void xhci_hc_died(struct xhci_hcd *xhci) + { ++ bool notify; + int i, j; + + if (xhci->xhc_state & XHCI_STATE_DYING) + return; + +- xhci_err(xhci, "xHCI host controller not responding, assume dead\n"); ++ notify = !(xhci->xhc_state & XHCI_STATE_REMOVING); ++ if (notify) ++ xhci_err(xhci, "xHCI host controller not responding, assume dead\n"); + xhci->xhc_state |= XHCI_STATE_DYING; + + xhci_cleanup_command_queue(xhci); +@@ -1113,7 +1116,7 @@ void xhci_hc_died(struct xhci_hcd *xhci) + } + + /* inform usb core hc died if PCI remove isn't already handling it */ +- if (!(xhci->xhc_state & XHCI_STATE_REMOVING)) ++ if (notify) + usb_hc_died(xhci_to_hcd(xhci)); + } + +-- +2.39.5 + diff --git a/queue-5.10/usb-xhci-avoid-showing-warnings-for-dying-controller.patch b/queue-5.10/usb-xhci-avoid-showing-warnings-for-dying-controller.patch new file mode 100644 index 0000000000..263ff838c9 --- /dev/null +++ b/queue-5.10/usb-xhci-avoid-showing-warnings-for-dying-controller.patch @@ -0,0 +1,55 @@ +From f023ecfe02fd49c7d821d0c70d54f80e98fa7d7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:06 +0300 +Subject: usb: xhci: Avoid showing warnings for dying controller + +From: Mario Limonciello + +[ Upstream commit 65fc0fc137b5da3ee1f4ca4f61050fcb203d7582 ] + +When a USB4 dock is unplugged from a system it won't respond to ring +events. The PCI core handles the surprise removal event and notifies +all PCI drivers. The XHCI PCI driver sets a flag that the device is +being removed, and when the device stops responding a flag is also +added to indicate it's dying. + +When that flag is set don't bother to show warnings about a missing +controller. + +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Acked-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 908445cff24f..235824d1822a 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -118,7 +118,8 @@ int xhci_halt(struct xhci_hcd *xhci) + ret = xhci_handshake(&xhci->op_regs->status, + STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC); + if (ret) { +- xhci_warn(xhci, "Host halt failed, %d\n", ret); ++ if (!(xhci->xhc_state & XHCI_STATE_DYING)) ++ xhci_warn(xhci, "Host halt failed, %d\n", ret); + return ret; + } + xhci->xhc_state |= XHCI_STATE_HALTED; +@@ -175,7 +176,8 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) + state = readl(&xhci->op_regs->status); + + if (state == ~(u32)0) { +- xhci_warn(xhci, "Host not accessible, reset failed.\n"); ++ if (!(xhci->xhc_state & XHCI_STATE_DYING)) ++ xhci_warn(xhci, "Host not accessible, reset failed.\n"); + return -ENODEV; + } + +-- +2.39.5 + diff --git a/queue-5.10/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch b/queue-5.10/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch new file mode 100644 index 0000000000..b7ed0fb264 --- /dev/null +++ b/queue-5.10/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch @@ -0,0 +1,42 @@ +From f8e23ae913732dae3205e9625df2c9a4c3ac8804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:01:18 +0800 +Subject: usb: xhci: print xhci->xhc_state when queue_command failed + +From: Su Hui + +[ Upstream commit 7919407eca2ef562fa6c98c41cfdf6f6cdd69d92 ] + +When encounters some errors like these: +xhci_hcd 0000:4a:00.2: xHCI dying or halted, can't queue_command +xhci_hcd 0000:4a:00.2: FIXME: allocate a command ring segment +usb usb5-port6: couldn't allocate usb_device + +It's hard to know whether xhc_state is dying or halted. So it's better +to print xhc_state's value which can help locate the resaon of the bug. + +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20250725060117.1773770-1-suhui@nfschina.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 954cd962e113..c026e7cc0af1 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -4183,7 +4183,8 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, + + if ((xhci->xhc_state & XHCI_STATE_DYING) || + (xhci->xhc_state & XHCI_STATE_HALTED)) { +- xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n"); ++ xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n", ++ xhci->xhc_state); + return -ESHUTDOWN; + } + +-- +2.39.5 + diff --git a/queue-5.10/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch b/queue-5.10/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch new file mode 100644 index 0000000000..2a6ab5b083 --- /dev/null +++ b/queue-5.10/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch @@ -0,0 +1,61 @@ +From 50e6906cfa3fc29324d412fc8becce3d1cea6871 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:07 +0300 +Subject: usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command + +From: Jay Chen + +[ Upstream commit f72b9aa821a2bfe4b6dfec4be19f264d0673b008 ] + +There is a subtle contradiction between sections of the xHCI 1.2 spec +regarding the initialization of Input Endpoint Context fields. Section +4.8.2 ("Endpoint Context Initialization") states that all fields should +be initialized to 0. However, Section 6.2.3 ("Endpoint Context", p.453) +specifies that the Average TRB Length (avg_trb_len) field shall be +greater than 0, and explicitly notes (p.454): "Software shall set +Average TRB Length to '8' for control endpoints." + +Strictly setting all fields to 0 during initialization conflicts with +the specific recommendation for control endpoints. In practice, setting +avg_trb_len = 0 is not meaningful for the hardware/firmware, as the +value is used for bandwidth calculation. + +Motivation: Our company is developing a custom Virtual xHC hardware +platform that strictly follows the xHCI spec and its recommendations. +During validation, we observed that enumeration fails and a parameter +error (TRB Completion Code = 5) is reported if avg_trb_len for EP0 is +not set to 8 as recommended by Section 6.2.3. This demonstrates the +importance of assigning a meaningful, non-zero value to avg_trb_len, +even in virtualized or emulated environments. + +This patch explicitly sets avg_trb_len to 8 for EP0 in +xhci_setup_addressable_virt_dev(), as recommended in Section 6.2.3, to +prevent potential issues with xHCI host controllers that enforce the +spec strictly. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220033 +Signed-off-by: Jay Chen +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 5b0e00978322..1874a81d9766 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1227,6 +1227,8 @@ int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *ud + ep0_ctx->deq = cpu_to_le64(dev->eps[0].ring->first_seg->dma | + dev->eps[0].ring->cycle_state); + ++ ep0_ctx->tx_info = cpu_to_le32(EP_AVG_TRB_LENGTH(8)); ++ + trace_xhci_setup_addressable_virt_device(dev); + + /* Steps 7 and 8 were done in xhci_alloc_virt_device() */ +-- +2.39.5 + diff --git a/queue-5.10/vhost-fail-early-when-__vhost_add_used-fails.patch b/queue-5.10/vhost-fail-early-when-__vhost_add_used-fails.patch new file mode 100644 index 0000000000..f56a0c8db9 --- /dev/null +++ b/queue-5.10/vhost-fail-early-when-__vhost_add_used-fails.patch @@ -0,0 +1,43 @@ +From 5f61059358e2295becfd27e20ebec4035ed50b6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 16:47:53 +0800 +Subject: vhost: fail early when __vhost_add_used() fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Wang + +[ Upstream commit b4ba1207d45adaafa2982c035898b36af2d3e518 ] + +This patch fails vhost_add_used_n() early when __vhost_add_used() +fails to make sure used idx is not updated with stale used ring +information. + +Reported-by: Eugenio Pérez +Signed-off-by: Jason Wang +Message-Id: <20250714084755.11921-2-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Tested-by: Lei Yang +Signed-off-by: Sasha Levin +--- + drivers/vhost/vhost.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 8ed9c9b63eb1..97e00c481870 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2416,6 +2416,9 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads, + } + r = __vhost_add_used_n(vq, heads, count); + ++ if (r < 0) ++ return r; ++ + /* Make sure buffer is written before we update index. */ + smp_wmb(); + if (vhost_put_used_idx(vq)) { +-- +2.39.5 + diff --git a/queue-5.10/watchdog-dw_wdt-fix-default-timeout.patch b/queue-5.10/watchdog-dw_wdt-fix-default-timeout.patch new file mode 100644 index 0000000000..1c555a30fe --- /dev/null +++ b/queue-5.10/watchdog-dw_wdt-fix-default-timeout.patch @@ -0,0 +1,43 @@ +From d91260dadc9dc584ad48c1a3c89a11f9f0facc72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 18:55:02 +0200 +Subject: watchdog: dw_wdt: Fix default timeout + +From: Sebastian Reichel + +[ Upstream commit ac3dbb91e0167d017f44701dd51c1efe30d0c256 ] + +The Synopsys Watchdog driver sets the default timeout to 30 seconds, +but on some devices this is not a valid timeout. E.g. on RK3588 the +actual timeout being used is 44 seconds instead. + +Once the watchdog is started the value is updated accordingly, but +it would be better to expose a sensible timeout to userspace without +the need to first start the watchdog. + +Signed-off-by: Sebastian Reichel +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250717-dw-wdt-fix-initial-timeout-v1-1-86dc864d48dd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/dw_wdt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/watchdog/dw_wdt.c b/drivers/watchdog/dw_wdt.c +index 3cd118281980..d18530bafc4e 100644 +--- a/drivers/watchdog/dw_wdt.c ++++ b/drivers/watchdog/dw_wdt.c +@@ -661,6 +661,8 @@ static int dw_wdt_drv_probe(struct platform_device *pdev) + } else { + wdd->timeout = DW_WDT_DEFAULT_SECONDS; + watchdog_init_timeout(wdd, 0, dev); ++ /* Limit timeout value to hardware constraints. */ ++ dw_wdt_set_timeout(wdd, wdd->timeout); + } + + platform_set_drvdata(pdev, dw_wdt); +-- +2.39.5 + diff --git a/queue-5.10/wifi-cfg80211-fix-interface-type-validation.patch b/queue-5.10/wifi-cfg80211-fix-interface-type-validation.patch new file mode 100644 index 0000000000..4288b0ed37 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-fix-interface-type-validation.patch @@ -0,0 +1,36 @@ +From 36cdc8be16acb18a522538845e23eb900929b244 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 23:37:55 +0300 +Subject: wifi: cfg80211: Fix interface type validation + +From: Ilan Peer + +[ Upstream commit 14450be2332a49445106403492a367412b8c23f4 ] + +Fix a condition that verified valid values of interface types. + +Signed-off-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250709233537.7ad199ca5939.I0ac1ff74798bf59a87a57f2e18f2153c308b119b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index 4536a122c4bc..5595c2a94939 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -510,7 +510,7 @@ ieee80211_get_sband_iftype_data(const struct ieee80211_supported_band *sband, + { + int i; + +- if (WARN_ON(iftype >= NL80211_IFTYPE_MAX)) ++ if (WARN_ON(iftype >= NUM_NL80211_IFTYPES)) + return NULL; + + if (iftype == NL80211_IFTYPE_AP_VLAN) +-- +2.39.5 + diff --git a/queue-5.10/wifi-cfg80211-reject-htc-bit-for-management-frames.patch b/queue-5.10/wifi-cfg80211-reject-htc-bit-for-management-frames.patch new file mode 100644 index 0000000000..0cdda40a48 --- /dev/null +++ b/queue-5.10/wifi-cfg80211-reject-htc-bit-for-management-frames.patch @@ -0,0 +1,38 @@ +From 3e404dafc1d20ab0e1dcce726ef2d3d6b604c727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 20:23:06 +0200 +Subject: wifi: cfg80211: reject HTC bit for management frames + +From: Johannes Berg + +[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ] + +Management frames sent by userspace should never have the +order/HTC bit set, reject that. It could also cause some +confusion with the length of the buffer and the header so +the validation might end up wrong. + +Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/mlme.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c +index 6dcfc5a34874..8fce621a3f01 100644 +--- a/net/wireless/mlme.c ++++ b/net/wireless/mlme.c +@@ -657,7 +657,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev, + + mgmt = (const struct ieee80211_mgmt *)params->buf; + +- if (!ieee80211_is_mgmt(mgmt->frame_control)) ++ if (!ieee80211_is_mgmt(mgmt->frame_control) || ++ ieee80211_has_order(mgmt->frame_control)) + return -EINVAL; + + stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; +-- +2.39.5 + diff --git a/queue-5.10/wifi-iwlegacy-check-rate_idx-range-after-addition.patch b/queue-5.10/wifi-iwlegacy-check-rate_idx-range-after-addition.patch new file mode 100644 index 0000000000..51fa42595f --- /dev/null +++ b/queue-5.10/wifi-iwlegacy-check-rate_idx-range-after-addition.patch @@ -0,0 +1,43 @@ +From 20a765b8d21d11861fc0ece1333883fc34c92ff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 May 2025 16:45:24 +0200 +Subject: wifi: iwlegacy: Check rate_idx range after addition + +From: Stanislaw Gruszka + +[ Upstream commit 0de19d5ae0b2c5b18b88c5c7f0442f707a207409 ] + +Limit rate_idx to IL_LAST_OFDM_RATE for 5GHz band for thinkable case +the index is incorrect. + +Reported-by: Fedor Pchelkin +Reported-by: Alexei Safin +Signed-off-by: Stanislaw Gruszka +Reviewed-by: Fedor Pchelkin +Link: https://patch.msgid.link/20250525144524.GA172583@wp.pl +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +index 2549902552e1..6e5decf79a06 100644 +--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +@@ -1574,8 +1574,11 @@ il4965_tx_cmd_build_rate(struct il_priv *il, + || rate_idx > RATE_COUNT_LEGACY) + rate_idx = rate_lowest_index(&il->bands[info->band], sta); + /* For 5 GHZ band, remap mac80211 rate indices into driver indices */ +- if (info->band == NL80211_BAND_5GHZ) ++ if (info->band == NL80211_BAND_5GHZ) { + rate_idx += IL_FIRST_OFDM_RATE; ++ if (rate_idx > IL_LAST_OFDM_RATE) ++ rate_idx = IL_LAST_OFDM_RATE; ++ } + /* Get PLCP rate for tx_cmd->rate_n_flags */ + rate_plcp = il_rates[rate_idx].plcp; + /* Zero out flags for this packet */ +-- +2.39.5 + diff --git a/queue-5.10/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch b/queue-5.10/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch new file mode 100644 index 0000000000..d9cffa966e --- /dev/null +++ b/queue-5.10/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch @@ -0,0 +1,44 @@ +From 8421a0e090760e14535450b98296fcada67bc944 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:17:55 +0300 +Subject: wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() + +From: Rand Deeb + +[ Upstream commit e3ad987e9dc7d1e12e3f2f1e623f0e174cd0ca78 ] + +The 'index' variable in the rs_fill_link_cmd() function can reach +LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This +variable is used as an index for the lq_cmd->rs_table array, which has a +size of LINK_QUAL_MAX_RETRY_NUM, without proper validation. + +Modify the condition of the inner loop to ensure that the 'index' variable +does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any +potential overflow issues. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Rand Deeb +Link: https://patch.msgid.link/20240313101755.269209-1-rand.sec96@gmail.com +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +index 958bfc38d390..f44448a13172 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +@@ -2926,7 +2926,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv, + /* Repeat initial/next rate. + * For legacy IWL_NUMBER_TRY == 1, this loop will not execute. + * For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */ +- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) { ++ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) { + if (is_legacy(tbl_type.lq_type)) { + if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) + ant_toggle_cnt++; +-- +2.39.5 + diff --git a/queue-5.10/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch b/queue-5.10/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch new file mode 100644 index 0000000000..fc78106d6f --- /dev/null +++ b/queue-5.10/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch @@ -0,0 +1,47 @@ +From 85a800b4176d4be8a6be0b68cb755e1cdf235dd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 22:26:23 +0300 +Subject: wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect + +From: Pagadala Yesu Anjaneyulu + +[ Upstream commit cc8d9cbf269dab363c768bfa9312265bc807fca5 ] + +Ensure descriptor is freed on error to avoid memory leak. + +Signed-off-by: Pagadala Yesu Anjaneyulu +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250611222325.8158d15ec866.Ifa3e422c302397111f20a16da7509e6574bc19e3@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index 558caf78a56d..37c1158b9225 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -2507,6 +2507,7 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt, + struct iwl_fw_dump_desc *desc; + unsigned int delay = 0; + bool monitor_only = false; ++ int ret; + + if (trigger) { + u16 occurrences = le16_to_cpu(trigger->occurrences) - 1; +@@ -2537,7 +2538,11 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt, + desc->trig_desc.type = cpu_to_le32(trig); + memcpy(desc->trig_desc.data, str, len); + +- return iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay); ++ ret = iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay); ++ if (ret) ++ kfree(desc); ++ ++ return ret; + } + IWL_EXPORT_SYMBOL(iwl_fw_dbg_collect); + +-- +2.39.5 + diff --git a/queue-5.10/wifi-iwlwifi-mvm-fix-scan-request-validation.patch b/queue-5.10/wifi-iwlwifi-mvm-fix-scan-request-validation.patch new file mode 100644 index 0000000000..4d8350581b --- /dev/null +++ b/queue-5.10/wifi-iwlwifi-mvm-fix-scan-request-validation.patch @@ -0,0 +1,37 @@ +From f7a852111bc3556d7a5177f6a91721d3f9def41f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 23:05:43 +0300 +Subject: wifi: iwlwifi: mvm: fix scan request validation + +From: Avraham Stern + +[ Upstream commit 7c2f3ec7707188d8d5269ae2dce97d7be3e9f261 ] + +The scan request validation function uses bitwise and instead +of logical and. Fix it. + +Signed-off-by: Avraham Stern +Reviewed-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250709230308.3fbc1f27871b.I7a8ee91f463c1a2d9d8561c8232e196885d02c43@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +index a52af491eed5..6e6325717c0a 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -876,7 +876,7 @@ static inline bool iwl_mvm_scan_fits(struct iwl_mvm *mvm, int n_ssids, + int n_channels) + { + return ((n_ssids <= PROBE_OPTION_MAX) && +- (n_channels <= mvm->fw->ucode_capa.n_scan_channels) & ++ (n_channels <= mvm->fw->ucode_capa.n_scan_channels) && + (ies->common_ie_len + + ies->len[NL80211_BAND_2GHZ] + + ies->len[NL80211_BAND_5GHZ] <= +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch b/queue-5.10/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch new file mode 100644 index 0000000000..e5eebb0bec --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch @@ -0,0 +1,58 @@ +From 58127f11d56bb9b7859c61ff5c9c66453207756c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 12:56:30 +0200 +Subject: wifi: rtlwifi: fix possible skb memory leak in + `_rtl_pci_rx_interrupt()`. + +From: Thomas Fourier + +[ Upstream commit 44c0e191004f0e3aa1bdee3be248be14dbe5b020 ] + +The function `_rtl_pci_init_one_rxdesc()` can fail even when the new +`skb` is passed because of a DMA mapping error. If it fails, the `skb` +is not saved in the rx ringbuffer and thus lost. + +Compile tested only + +Signed-off-by: Thomas Fourier +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250616105631.444309-4-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index f024533d34a9..bccb959d8210 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -803,13 +803,19 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) + skb = new_skb; + no_new: + if (rtlpriv->use_new_trx_flow) { +- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc, +- rxring_idx, +- rtlpci->rx_ring[rxring_idx].idx); ++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc, ++ rxring_idx, ++ rtlpci->rx_ring[rxring_idx].idx)) { ++ if (new_skb) ++ dev_kfree_skb_any(skb); ++ } + } else { +- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc, +- rxring_idx, +- rtlpci->rx_ring[rxring_idx].idx); ++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc, ++ rxring_idx, ++ rtlpci->rx_ring[rxring_idx].idx)) { ++ if (new_skb) ++ dev_kfree_skb_any(skb); ++ } + if (rtlpci->rx_ring[rxring_idx].idx == + rtlpci->rxringcount - 1) + rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc, +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-1059 b/queue-5.10/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-1059 new file mode 100644 index 0000000000..1e9e68070b --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-1059 @@ -0,0 +1,43 @@ +From 8755674e0eb13baf443bf32d770da9df2bb87a7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 09:38:36 +0200 +Subject: wifi: rtlwifi: fix possible skb memory leak in + _rtl_pci_init_one_rxdesc() + +From: Thomas Fourier + +[ Upstream commit 76b3e5078d76f0eeadb7aacf9845399f8473da0d ] + +When `dma_mapping_error()` is true, if a new `skb` has been allocated, +then it must be de-allocated. + +Compile tested only + +Signed-off-by: Thomas Fourier +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250613074014.69856-2-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index bccb959d8210..02821588673e 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -573,8 +573,11 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw, + dma_map_single(&rtlpci->pdev->dev, skb_tail_pointer(skb), + rtlpci->rxbuffersize, DMA_FROM_DEVICE); + bufferaddress = *((dma_addr_t *)skb->cb); +- if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress)) ++ if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress)) { ++ if (!new_skb) ++ kfree_skb(skb); + return 0; ++ } + rtlpci->rx_ring[rxring_idx].rx_buf[desc_idx] = skb; + if (rtlpriv->use_new_trx_flow) { + /* skb->cb may be 64 bit address */ +-- +2.39.5 + diff --git a/queue-5.10/x86-bugs-avoid-warning-when-overriding-return-thunk.patch b/queue-5.10/x86-bugs-avoid-warning-when-overriding-return-thunk.patch new file mode 100644 index 0000000000..f990a536ea --- /dev/null +++ b/queue-5.10/x86-bugs-avoid-warning-when-overriding-return-thunk.patch @@ -0,0 +1,46 @@ +From 338481c70406f77c2f3988f334eb6dd3549abdec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 10:29:31 -0700 +Subject: x86/bugs: Avoid warning when overriding return thunk + +From: Pawan Gupta + +[ Upstream commit 9f85fdb9fc5a1bd308a10a0a7d7e34f2712ba58b ] + +The purpose of the warning is to prevent an unexpected change to the return +thunk mitigation. However, there are legitimate cases where the return +thunk is intentionally set more than once. For example, ITS and SRSO both +can set the return thunk after retbleed has set it. In both the cases +retbleed is still mitigated. + +Replace the warning with an info about the active return thunk. + +Suggested-by: Borislav Petkov +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/20250611-eibrs-fix-v4-3-5ff86cac6c61@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/bugs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 7c269dcb7cec..6ff9fd836d87 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -67,10 +67,9 @@ void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk; + + static void __init set_return_thunk(void *thunk) + { +- if (x86_return_thunk != __x86_return_thunk) +- pr_warn("x86/bugs: return thunk changed\n"); +- + x86_return_thunk = thunk; ++ ++ pr_info("active return thunk: %ps\n", thunk); + } + + /* Update SPEC_CTRL MSR and its cached copy unconditionally */ +-- +2.39.5 + diff --git a/queue-5.10/xen-netfront-fix-tx-response-spurious-interrupts.patch b/queue-5.10/xen-netfront-fix-tx-response-spurious-interrupts.patch new file mode 100644 index 0000000000..42b120d5a6 --- /dev/null +++ b/queue-5.10/xen-netfront-fix-tx-response-spurious-interrupts.patch @@ -0,0 +1,108 @@ +From 57a81380b1bc372465a93f22c51290932d7714f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jul 2025 09:34:54 +0000 +Subject: xen/netfront: Fix TX response spurious interrupts + +From: Anthoine Bourgeois + +[ Upstream commit 114a2de6fa86d99ed9546cc9113a3cad58beef79 ] + +We found at Vates that there are lot of spurious interrupts when +benchmarking the xen-net PV driver frontend. This issue appeared with a +patch that addresses security issue XSA-391 (b27d47950e48 "xen/netfront: +harden netfront against event channel storms"). On an iperf benchmark, +spurious interrupts can represent up to 50% of the interrupts. + +Spurious interrupts are interrupts that are rised for nothing, there is +no work to do. This appends because the function that handles the +interrupts ("xennet_tx_buf_gc") is also called at the end of the request +path to garbage collect the responses received during the transmission +load. + +The request path is doing the work that the interrupt handler should +have done otherwise. This is particurary true when there is more than +one vcpu and get worse linearly with the number of vcpu/queue. + +Moreover, this problem is amplifyed by the penalty imposed by a spurious +interrupt. When an interrupt is found spurious the interrupt chip will +delay the EOI to slowdown the backend. This delay will allow more +responses to be handled by the request path and then there will be more +chance the next interrupt will not find any work to do, creating a new +spurious interrupt. + +This causes performance issue. The solution here is to remove the calls +from the request path and let the interrupt handler do the processing of +the responses. This approch removes most of the spurious interrupts +(<0.05%) and also has the benefit of freeing up cycles in the request +path, allowing it to process more work, which improves performance +compared to masking the spurious interrupt one way or another. + +This optimization changes a part of the code that is present since the +net frontend driver was upstreamed. There is no similar pattern in the +other xen PV drivers. Since the first commit of xen-netfront is a blob +that doesn't explain all the design choices I can only guess why this +specific mecanism was here. This could have been introduce to compensate +a slow backend at the time (maybe the backend was fixed or optimize +later) or a small queue. In 18 years, both frontend and backend gain lot +of features and optimizations that could have obsolete the feature of +reaping completions from the TX path. + +Some vif throughput performance figures from a 8 vCPUs, 4GB of RAM HVM +guest(s): + +Without this patch on the : +vm -> dom0: 4.5Gb/s +vm -> vm: 7.0Gb/s + +Without XSA-391 patch (revert of b27d47950e48): +vm -> dom0: 8.3Gb/s +vm -> vm: 8.7Gb/s + +With XSA-391 and this patch: +vm -> dom0: 11.5Gb/s +vm -> vm: 12.6Gb/s + +v2: +- add revewed and tested by tags +- resend with the maintainers in the recipients list + +v3: +- remove Fixes tag but keep the commit ref in the explanation +- add a paragraph on why this code was here + +Signed-off-by: Anthoine Bourgeois +Reviewed-by: Juergen Gross +Tested-by: Elliott Mitchell +Signed-off-by: Juergen Gross +Message-ID: <20250721093316.23560-1-anthoine.bourgeois@vates.tech> +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netfront.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c +index bad9e549d533..34c4770bf555 100644 +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -638,8 +638,6 @@ static int xennet_xdp_xmit_one(struct net_device *dev, + tx_stats->packets++; + u64_stats_update_end(&tx_stats->syncp); + +- xennet_tx_buf_gc(queue); +- + return 0; + } + +@@ -851,9 +849,6 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev + tx_stats->packets++; + u64_stats_update_end(&tx_stats->syncp); + +- /* Note: It is not safe to access skb after xennet_tx_buf_gc()! */ +- xennet_tx_buf_gc(queue); +- + if (!netfront_tx_slot_available(queue)) + netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id)); + +-- +2.39.5 +