From: Greg Kroah-Hartman Date: Mon, 1 Jul 2024 14:32:21 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.19.317~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=40d5aa916811278b054dbb5ebd20e1771843502a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: ata-ahci-clean-up-sysfs-file-on-error.patch ata-libata-core-fix-double-free-on-error.patch batman-adv-don-t-accept-tt-entries-for-out-of-spec-vids.patch csky-hexagon-fix-broken-sys_sync_file_range.patch drm-i915-gt-fix-potential-uaf-by-revoke-of-fence-registers.patch drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch hexagon-fix-fadvise64_64-calling-conventions.patch kbuild-install-dtb-files-as-0644-in-makefile.dtbinst.patch net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch net-can-j1939-initialize-unused-data-in-j1939_send_one.patch net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch sh-rework-sync_file_range-abi.patch tty-mcf-mcf54418-has-10-uarts.patch --- diff --git a/queue-5.10/ata-ahci-clean-up-sysfs-file-on-error.patch b/queue-5.10/ata-ahci-clean-up-sysfs-file-on-error.patch new file mode 100644 index 00000000000..a2797201743 --- /dev/null +++ b/queue-5.10/ata-ahci-clean-up-sysfs-file-on-error.patch @@ -0,0 +1,87 @@ +From eeb25a09c5e0805d92e4ebd12c4b0ad0df1b0295 Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Sat, 29 Jun 2024 14:42:14 +0200 +Subject: ata: ahci: Clean up sysfs file on error + +From: Niklas Cassel + +commit eeb25a09c5e0805d92e4ebd12c4b0ad0df1b0295 upstream. + +.probe() (ahci_init_one()) calls sysfs_add_file_to_group(), however, +if probe() fails after this call, we currently never call +sysfs_remove_file_from_group(). + +(The sysfs_remove_file_from_group() call in .remove() (ahci_remove_one()) +does not help, as .remove() is not called on .probe() error.) + +Thus, if probe() fails after the sysfs_add_file_to_group() call, the next +time we insmod the module we will get: + +sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:04.0/remapped_nvme' +CPU: 11 PID: 954 Comm: modprobe Not tainted 6.10.0-rc5 #43 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 +Call Trace: + + dump_stack_lvl+0x5d/0x80 + sysfs_warn_dup.cold+0x17/0x23 + sysfs_add_file_mode_ns+0x11a/0x130 + sysfs_add_file_to_group+0x7e/0xc0 + ahci_init_one+0x31f/0xd40 [ahci] + +Fixes: 894fba7f434a ("ata: ahci: Add sysfs attribute to show remapped NVMe device count") +Cc: stable@vger.kernel.org +Reviewed-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20240629124210.181537-10-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -1893,8 +1893,10 @@ static int ahci_init_one(struct pci_dev + n_ports = max(ahci_nr_ports(hpriv->cap), fls(hpriv->port_map)); + + host = ata_host_alloc_pinfo(&pdev->dev, ppi, n_ports); +- if (!host) +- return -ENOMEM; ++ if (!host) { ++ rc = -ENOMEM; ++ goto err_rm_sysfs_file; ++ } + host->private_data = hpriv; + + if (ahci_init_msi(pdev, n_ports, hpriv) < 0) { +@@ -1947,11 +1949,11 @@ static int ahci_init_one(struct pci_dev + /* initialize adapter */ + rc = ahci_configure_dma_masks(pdev, hpriv); + if (rc) +- return rc; ++ goto err_rm_sysfs_file; + + rc = ahci_pci_reset_controller(host); + if (rc) +- return rc; ++ goto err_rm_sysfs_file; + + ahci_pci_init_controller(host); + ahci_pci_print_info(host); +@@ -1960,10 +1962,15 @@ static int ahci_init_one(struct pci_dev + + rc = ahci_host_activate(host, &ahci_sht); + if (rc) +- return rc; ++ goto err_rm_sysfs_file; + + pm_runtime_put_noidle(&pdev->dev); + return 0; ++ ++err_rm_sysfs_file: ++ sysfs_remove_file_from_group(&pdev->dev.kobj, ++ &dev_attr_remapped_nvme.attr, NULL); ++ return rc; + } + + static void ahci_shutdown_one(struct pci_dev *pdev) diff --git a/queue-5.10/ata-libata-core-fix-double-free-on-error.patch b/queue-5.10/ata-libata-core-fix-double-free-on-error.patch new file mode 100644 index 00000000000..94aa9635d82 --- /dev/null +++ b/queue-5.10/ata-libata-core-fix-double-free-on-error.patch @@ -0,0 +1,86 @@ +From ab9e0c529eb7cafebdd31fe1644524e80a48b05d Mon Sep 17 00:00:00 2001 +From: Niklas Cassel +Date: Sat, 29 Jun 2024 14:42:13 +0200 +Subject: ata: libata-core: Fix double free on error + +From: Niklas Cassel + +commit ab9e0c529eb7cafebdd31fe1644524e80a48b05d upstream. + +If e.g. the ata_port_alloc() call in ata_host_alloc() fails, we will jump +to the err_out label, which will call devres_release_group(). +devres_release_group() will trigger a call to ata_host_release(). +ata_host_release() calls kfree(host), so executing the kfree(host) in +ata_host_alloc() will lead to a double free: + +kernel BUG at mm/slub.c:553! +Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +CPU: 11 PID: 599 Comm: (udev-worker) Not tainted 6.10.0-rc5 #47 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 +RIP: 0010:kfree+0x2cf/0x2f0 +Code: 5d 41 5e 41 5f 5d e9 80 d6 ff ff 4d 89 f1 41 b8 01 00 00 00 48 89 d9 48 89 da +RSP: 0018:ffffc90000f377f0 EFLAGS: 00010246 +RAX: ffff888112b1f2c0 RBX: ffff888112b1f2c0 RCX: ffff888112b1f320 +RDX: 000000000000400b RSI: ffffffffc02c9de5 RDI: ffff888112b1f2c0 +RBP: ffffc90000f37830 R08: 0000000000000000 R09: 0000000000000000 +R10: ffffc90000f37610 R11: 617461203a736b6e R12: ffffea00044ac780 +R13: ffff888100046400 R14: ffffffffc02c9de5 R15: 0000000000000006 +FS: 00007f2f1cabe980(0000) GS:ffff88813b380000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f2f1c3acf75 CR3: 0000000111724000 CR4: 0000000000750ef0 +PKRU: 55555554 +Call Trace: + + ? __die_body.cold+0x19/0x27 + ? die+0x2e/0x50 + ? do_trap+0xca/0x110 + ? do_error_trap+0x6a/0x90 + ? kfree+0x2cf/0x2f0 + ? exc_invalid_op+0x50/0x70 + ? kfree+0x2cf/0x2f0 + ? asm_exc_invalid_op+0x1a/0x20 + ? ata_host_alloc+0xf5/0x120 [libata] + ? ata_host_alloc+0xf5/0x120 [libata] + ? kfree+0x2cf/0x2f0 + ata_host_alloc+0xf5/0x120 [libata] + ata_host_alloc_pinfo+0x14/0xa0 [libata] + ahci_init_one+0x6c9/0xd20 [ahci] + +Ensure that we will not call kfree(host) twice, by performing the kfree() +only if the devres_open_group() call failed. + +Fixes: dafd6c496381 ("libata: ensure host is free'd on error exit paths") +Cc: stable@vger.kernel.org +Reviewed-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20240629124210.181537-9-cassel@kernel.org +Signed-off-by: Niklas Cassel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -5420,8 +5420,10 @@ struct ata_host *ata_host_alloc(struct d + if (!host) + return NULL; + +- if (!devres_open_group(dev, NULL, GFP_KERNEL)) +- goto err_free; ++ if (!devres_open_group(dev, NULL, GFP_KERNEL)) { ++ kfree(host); ++ return NULL; ++ } + + dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL); + if (!dr) +@@ -5453,8 +5455,6 @@ struct ata_host *ata_host_alloc(struct d + + err_out: + devres_release_group(dev, NULL); +- err_free: +- kfree(host); + return NULL; + } + EXPORT_SYMBOL_GPL(ata_host_alloc); diff --git a/queue-5.10/batman-adv-don-t-accept-tt-entries-for-out-of-spec-vids.patch b/queue-5.10/batman-adv-don-t-accept-tt-entries-for-out-of-spec-vids.patch new file mode 100644 index 00000000000..bb354178f6a --- /dev/null +++ b/queue-5.10/batman-adv-don-t-accept-tt-entries-for-out-of-spec-vids.patch @@ -0,0 +1,92 @@ +From 537a350d14321c8cca5efbf0a33a404fec3a9f9e Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Sat, 4 May 2024 21:57:30 +0200 +Subject: batman-adv: Don't accept TT entries for out-of-spec VIDs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sven Eckelmann + +commit 537a350d14321c8cca5efbf0a33a404fec3a9f9e upstream. + +The internal handling of VLAN IDs in batman-adv is only specified for +following encodings: + +* VLAN is used + - bit 15 is 1 + - bit 11 - bit 0 is the VLAN ID (0-4095) + - remaining bits are 0 +* No VLAN is used + - bit 15 is 0 + - remaining bits are 0 + +batman-adv was only preparing new translation table entries (based on its +soft interface information) using this encoding format. But the receive +path was never checking if entries in the roam or TT TVLVs were also +following this encoding. + +It was therefore possible to create more than the expected maximum of 4096 ++ 1 entries in the originator VLAN list. Simply by setting the "remaining +bits" to "random" values in corresponding TVLV. + +Cc: stable@vger.kernel.org +Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") +Reported-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/originator.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/net/batman-adv/originator.c ++++ b/net/batman-adv/originator.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -133,6 +134,29 @@ batadv_orig_node_vlan_get(struct batadv_ + } + + /** ++ * batadv_vlan_id_valid() - check if vlan id is in valid batman-adv encoding ++ * @vid: the VLAN identifier ++ * ++ * Return: true when either no vlan is set or if VLAN is in correct range, ++ * false otherwise ++ */ ++static bool batadv_vlan_id_valid(unsigned short vid) ++{ ++ unsigned short non_vlan = vid & ~(BATADV_VLAN_HAS_TAG | VLAN_VID_MASK); ++ ++ if (vid == 0) ++ return true; ++ ++ if (!(vid & BATADV_VLAN_HAS_TAG)) ++ return false; ++ ++ if (non_vlan) ++ return false; ++ ++ return true; ++} ++ ++/** + * batadv_orig_node_vlan_new() - search and possibly create an orig_node_vlan + * object + * @orig_node: the originator serving the VLAN +@@ -150,6 +174,9 @@ batadv_orig_node_vlan_new(struct batadv_ + { + struct batadv_orig_node_vlan *vlan; + ++ if (!batadv_vlan_id_valid(vid)) ++ return NULL; ++ + spin_lock_bh(&orig_node->vlan_list_lock); + + /* first look if an object for this vid already exists */ diff --git a/queue-5.10/csky-hexagon-fix-broken-sys_sync_file_range.patch b/queue-5.10/csky-hexagon-fix-broken-sys_sync_file_range.patch new file mode 100644 index 00000000000..3076427f538 --- /dev/null +++ b/queue-5.10/csky-hexagon-fix-broken-sys_sync_file_range.patch @@ -0,0 +1,49 @@ +From 3339b99ef6fe38dac43b534cba3a8a0e29fb2eff Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 14 Jun 2024 09:54:20 +0200 +Subject: csky, hexagon: fix broken sys_sync_file_range + +From: Arnd Bergmann + +commit 3339b99ef6fe38dac43b534cba3a8a0e29fb2eff upstream. + +Both of these architectures require u64 function arguments to be +passed in even/odd pairs of registers or stack slots, which in case of +sync_file_range would result in a seven-argument system call that is +not currently possible. The system call is therefore incompatible with +all existing binaries. + +While it would be possible to implement support for seven arguments +like on mips, it seems better to use a six-argument version, either +with the normal argument order but misaligned as on most architectures +or with the reordered sync_file_range2() calling conventions as on +arm and powerpc. + +Cc: stable@vger.kernel.org +Acked-by: Guo Ren +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/csky/include/uapi/asm/unistd.h | 1 + + arch/hexagon/include/uapi/asm/unistd.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/csky/include/uapi/asm/unistd.h ++++ b/arch/csky/include/uapi/asm/unistd.h +@@ -7,6 +7,7 @@ + #define __ARCH_WANT_SYS_CLONE3 + #define __ARCH_WANT_SET_GET_RLIMIT + #define __ARCH_WANT_TIME32_SYSCALLS ++#define __ARCH_WANT_SYNC_FILE_RANGE2 + #include + + #define __NR_set_thread_area (__NR_arch_specific_syscall + 0) +--- a/arch/hexagon/include/uapi/asm/unistd.h ++++ b/arch/hexagon/include/uapi/asm/unistd.h +@@ -36,5 +36,6 @@ + #define __ARCH_WANT_SYS_VFORK + #define __ARCH_WANT_SYS_FORK + #define __ARCH_WANT_TIME32_SYSCALLS ++#define __ARCH_WANT_SYNC_FILE_RANGE2 + + #include diff --git a/queue-5.10/drm-i915-gt-fix-potential-uaf-by-revoke-of-fence-registers.patch b/queue-5.10/drm-i915-gt-fix-potential-uaf-by-revoke-of-fence-registers.patch new file mode 100644 index 00000000000..0e73bba5df5 --- /dev/null +++ b/queue-5.10/drm-i915-gt-fix-potential-uaf-by-revoke-of-fence-registers.patch @@ -0,0 +1,84 @@ +From 996c3412a06578e9d779a16b9e79ace18125ab50 Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Mon, 3 Jun 2024 21:54:45 +0200 +Subject: drm/i915/gt: Fix potential UAF by revoke of fence registers + +From: Janusz Krzysztofik + +commit 996c3412a06578e9d779a16b9e79ace18125ab50 upstream. + +CI has been sporadically reporting the following issue triggered by +igt@i915_selftest@live@hangcheck on ADL-P and similar machines: + +<6> [414.049203] i915: Running intel_hangcheck_live_selftests/igt_reset_evict_fence +... +<6> [414.068804] i915 0000:00:02.0: [drm] GT0: GUC: submission enabled +<6> [414.068812] i915 0000:00:02.0: [drm] GT0: GUC: SLPC enabled +<3> [414.070354] Unable to pin Y-tiled fence; err:-4 +<3> [414.071282] i915_vma_revoke_fence:301 GEM_BUG_ON(!i915_active_is_idle(&fence->active)) +... +<4>[ 609.603992] ------------[ cut here ]------------ +<2>[ 609.603995] kernel BUG at drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c:301! +<4>[ 609.604003] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI +<4>[ 609.604006] CPU: 0 PID: 268 Comm: kworker/u64:3 Tainted: G U W 6.9.0-CI_DRM_14785-g1ba62f8cea9c+ #1 +<4>[ 609.604008] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 +<4>[ 609.604010] Workqueue: i915 __i915_gem_free_work [i915] +<4>[ 609.604149] RIP: 0010:i915_vma_revoke_fence+0x187/0x1f0 [i915] +... +<4>[ 609.604271] Call Trace: +<4>[ 609.604273] +... +<4>[ 609.604716] __i915_vma_evict+0x2e9/0x550 [i915] +<4>[ 609.604852] __i915_vma_unbind+0x7c/0x160 [i915] +<4>[ 609.604977] force_unbind+0x24/0xa0 [i915] +<4>[ 609.605098] i915_vma_destroy+0x2f/0xa0 [i915] +<4>[ 609.605210] __i915_gem_object_pages_fini+0x51/0x2f0 [i915] +<4>[ 609.605330] __i915_gem_free_objects.isra.0+0x6a/0xc0 [i915] +<4>[ 609.605440] process_scheduled_works+0x351/0x690 +... + +In the past, there were similar failures reported by CI from other IGT +tests, observed on other platforms. + +Before commit 63baf4f3d587 ("drm/i915/gt: Only wait for GPU activity +before unbinding a GGTT fence"), i915_vma_revoke_fence() was waiting for +idleness of vma->active via fence_update(). That commit introduced +vma->fence->active in order for the fence_update() to be able to wait +selectively on that one instead of vma->active since only idleness of +fence registers was needed. But then, another commit 0d86ee35097a +("drm/i915/gt: Make fence revocation unequivocal") replaced the call to +fence_update() in i915_vma_revoke_fence() with only fence_write(), and +also added that GEM_BUG_ON(!i915_active_is_idle(&fence->active)) in front. +No justification was provided on why we might then expect idleness of +vma->fence->active without first waiting on it. + +The issue can be potentially caused by a race among revocation of fence +registers on one side and sequential execution of signal callbacks invoked +on completion of a request that was using them on the other, still +processed in parallel to revocation of those fence registers. Fix it by +waiting for idleness of vma->fence->active in i915_vma_revoke_fence(). + +Fixes: 0d86ee35097a ("drm/i915/gt: Make fence revocation unequivocal") +Closes: https://gitlab.freedesktop.org/drm/intel/issues/10021 +Signed-off-by: Janusz Krzysztofik +Cc: stable@vger.kernel.org # v5.8+ +Reviewed-by: Andi Shyti +Signed-off-by: Andi Shyti +Link: https://patchwork.freedesktop.org/patch/msgid/20240603195446.297690-2-janusz.krzysztofik@linux.intel.com +(cherry picked from commit 24bb052d3dd499c5956abad5f7d8e4fd07da7fb1) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c ++++ b/drivers/gpu/drm/i915/gt/intel_ggtt_fencing.c +@@ -309,6 +309,7 @@ void i915_vma_revoke_fence(struct i915_v + return; + + GEM_BUG_ON(fence->vma != vma); ++ i915_active_wait(&fence->active); + GEM_BUG_ON(!i915_active_is_idle(&fence->active)); + GEM_BUG_ON(atomic_read(&fence->pin_count)); + diff --git a/queue-5.10/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch b/queue-5.10/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch new file mode 100644 index 00000000000..4a9e1e965dc --- /dev/null +++ b/queue-5.10/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch @@ -0,0 +1,43 @@ +From 6d411c8ccc0137a612e0044489030a194ff5c843 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 25 Jun 2024 16:10:29 +0800 +Subject: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes + +From: Ma Ke + +commit 6d411c8ccc0137a612e0044489030a194ff5c843 upstream. + +In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is +assigned to mode, which will lead to a possible NULL pointer dereference +on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode(). +Add a check to avoid null pointer dereference. + +Cc: stable@vger.kernel.org +Signed-off-by: Ma Ke +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20240625081029.2619437-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +@@ -259,6 +259,8 @@ static int nv17_tv_get_hd_modes(struct d + if (modes[i].hdisplay == output_mode->hdisplay && + modes[i].vdisplay == output_mode->vdisplay) { + mode = drm_mode_duplicate(encoder->dev, output_mode); ++ if (!mode) ++ continue; + mode->type |= DRM_MODE_TYPE_PREFERRED; + + } else { +@@ -266,6 +268,8 @@ static int nv17_tv_get_hd_modes(struct d + modes[i].vdisplay, 60, false, + (output_mode->flags & + DRM_MODE_FLAG_INTERLACE), false); ++ if (!mode) ++ continue; + } + + /* CVT modes are sometimes unsuitable... */ diff --git a/queue-5.10/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch b/queue-5.10/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch new file mode 100644 index 00000000000..fe6ba361dd9 --- /dev/null +++ b/queue-5.10/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch @@ -0,0 +1,33 @@ +From 66edf3fb331b6c55439b10f9862987b0916b3726 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 25 Jun 2024 16:18:28 +0800 +Subject: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes + +From: Ma Ke + +commit 66edf3fb331b6c55439b10f9862987b0916b3726 upstream. + +In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is +assigned to mode, which will lead to a possible NULL pointer dereference +on failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Signed-off-by: Ma Ke +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20240625081828.2620794-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +@@ -208,6 +208,8 @@ static int nv17_tv_get_ld_modes(struct d + struct drm_display_mode *mode; + + mode = drm_mode_duplicate(encoder->dev, tv_mode); ++ if (!mode) ++ continue; + + mode->clock = tv_norm->tv_enc_mode.vrefresh * + mode->htotal / 1000 * diff --git a/queue-5.10/hexagon-fix-fadvise64_64-calling-conventions.patch b/queue-5.10/hexagon-fix-fadvise64_64-calling-conventions.patch new file mode 100644 index 00000000000..9388861776c --- /dev/null +++ b/queue-5.10/hexagon-fix-fadvise64_64-calling-conventions.patch @@ -0,0 +1,52 @@ +From 896842284c6ccba25ec9d78b7b6e62cdd507c083 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 20 Jun 2024 15:24:11 +0200 +Subject: hexagon: fix fadvise64_64 calling conventions + +From: Arnd Bergmann + +commit 896842284c6ccba25ec9d78b7b6e62cdd507c083 upstream. + +fadvise64_64() has two 64-bit arguments at the wrong alignment +for hexagon, which turns them into a 7-argument syscall that is +not supported by Linux. + +The downstream musl port for hexagon actually asks for a 6-argument +version the same way we do it on arm, csky, powerpc, so make the +kernel do it the same way to avoid having to change both. + +Link: https://github.com/quic/musl/blob/hexagon/arch/hexagon/syscall_arch.h#L78 +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/include/asm/syscalls.h | 6 ++++++ + arch/hexagon/kernel/syscalltab.c | 7 +++++++ + 2 files changed, 13 insertions(+) + create mode 100644 arch/hexagon/include/asm/syscalls.h + +--- /dev/null ++++ b/arch/hexagon/include/asm/syscalls.h +@@ -0,0 +1,6 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++#include ++ ++asmlinkage long sys_hexagon_fadvise64_64(int fd, int advice, ++ u32 a2, u32 a3, u32 a4, u32 a5); +--- a/arch/hexagon/kernel/syscalltab.c ++++ b/arch/hexagon/kernel/syscalltab.c +@@ -14,6 +14,13 @@ + #undef __SYSCALL + #define __SYSCALL(nr, call) [nr] = (call), + ++SYSCALL_DEFINE6(hexagon_fadvise64_64, int, fd, int, advice, ++ SC_ARG64(offset), SC_ARG64(len)) ++{ ++ return ksys_fadvise64_64(fd, SC_VAL64(loff_t, offset), SC_VAL64(loff_t, len), advice); ++} ++#define sys_fadvise64_64 sys_hexagon_fadvise64_64 ++ + void *sys_call_table[__NR_syscalls] = { + #include + }; diff --git a/queue-5.10/kbuild-install-dtb-files-as-0644-in-makefile.dtbinst.patch b/queue-5.10/kbuild-install-dtb-files-as-0644-in-makefile.dtbinst.patch new file mode 100644 index 00000000000..8909cf1c652 --- /dev/null +++ b/queue-5.10/kbuild-install-dtb-files-as-0644-in-makefile.dtbinst.patch @@ -0,0 +1,45 @@ +From 9cc5f3bf63aa98bd7cc7ce8a8599077fde13283e Mon Sep 17 00:00:00 2001 +From: Dragan Simic +Date: Mon, 10 Jun 2024 07:21:12 +0200 +Subject: kbuild: Install dtb files as 0644 in Makefile.dtbinst + +From: Dragan Simic + +commit 9cc5f3bf63aa98bd7cc7ce8a8599077fde13283e upstream. + +The compiled dtb files aren't executable, so install them with 0644 as their +permission mode, instead of defaulting to 0755 for the permission mode and +installing them with the executable bits set. + +Some Linux distributions, including Debian, [1][2][3] already include fixes +in their kernel package build recipes to change the dtb file permissions to +0644 in their kernel packages. These changes, when additionally propagated +into the long-term kernel versions, will allow such distributions to remove +their downstream fixes. + +[1] https://salsa.debian.org/kernel-team/linux/-/merge_requests/642 +[2] https://salsa.debian.org/kernel-team/linux/-/merge_requests/749 +[3] https://salsa.debian.org/kernel-team/linux/-/blob/debian/6.8.12-1/debian/rules.real#L193 + +Cc: Diederik de Haas +Cc: +Fixes: aefd80307a05 ("kbuild: refactor Makefile.dtbinst more") +Signed-off-by: Dragan Simic +Reviewed-by: Nicolas Schier +Signed-off-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.dtbinst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/Makefile.dtbinst ++++ b/scripts/Makefile.dtbinst +@@ -24,7 +24,7 @@ __dtbs_install: $(dtbs) $(subdirs) + @: + + quiet_cmd_dtb_install = INSTALL $@ +- cmd_dtb_install = install -D $< $@ ++ cmd_dtb_install = install -D -m 0644 $< $@ + + $(dst)/%.dtb: $(obj)/%.dtb + $(call cmd,dtb_install) diff --git a/queue-5.10/net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch b/queue-5.10/net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch new file mode 100644 index 00000000000..ef561aed2df --- /dev/null +++ b/queue-5.10/net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch @@ -0,0 +1,73 @@ +From d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Fri, 17 Nov 2023 13:49:59 +0100 +Subject: net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new + +From: Oleksij Rempel + +commit d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb upstream. + +This patch enhances error handling in scenarios with RTS (Request to +Send) messages arriving closely. It replaces the less informative WARN_ON_ONCE +backtraces with a new error handling method. This provides clearer error +messages and allows for the early termination of problematic sessions. +Previously, sessions were only released at the end of j1939_xtp_rx_rts(). + +Potentially this could be reproduced with something like: +testj1939 -r vcan0:0x80 & +while true; do + # send first RTS + cansend vcan0 18EC8090#1014000303002301; + # send second RTS + cansend vcan0 18EC8090#1014000303002301; + # send abort + cansend vcan0 18EC8090#ff00000000002301; +done + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Reported-by: syzbot+daa36413a5cedf799ae4@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20231117124959.961171-1-o.rempel@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1577,8 +1577,8 @@ j1939_session *j1939_xtp_rx_rts_session_ + struct j1939_sk_buff_cb skcb = *j1939_skb_to_cb(skb); + struct j1939_session *session; + const u8 *dat; ++ int len, ret; + pgn_t pgn; +- int len; + + netdev_dbg(priv->ndev, "%s\n", __func__); + +@@ -1634,7 +1634,22 @@ j1939_session *j1939_xtp_rx_rts_session_ + session->pkt.rx = 0; + session->pkt.tx = 0; + +- WARN_ON_ONCE(j1939_session_activate(session)); ++ ret = j1939_session_activate(session); ++ if (ret) { ++ /* Entering this scope indicates an issue with the J1939 bus. ++ * Possible scenarios include: ++ * - A time lapse occurred, and a new session was initiated ++ * due to another packet being sent correctly. This could ++ * have been caused by too long interrupt, debugger, or being ++ * out-scheduled by another task. ++ * - The bus is receiving numerous erroneous packets, either ++ * from a malfunctioning device or during a test scenario. ++ */ ++ netdev_alert(priv->ndev, "%s: 0x%p: concurrent session with same addr (%02x %02x) is already active.\n", ++ __func__, session, skcb.addr.sa, skcb.addr.da); ++ j1939_session_put(session); ++ return NULL; ++ } + + return session; + } diff --git a/queue-5.10/net-can-j1939-initialize-unused-data-in-j1939_send_one.patch b/queue-5.10/net-can-j1939-initialize-unused-data-in-j1939_send_one.patch new file mode 100644 index 00000000000..83812a6e533 --- /dev/null +++ b/queue-5.10/net-can-j1939-initialize-unused-data-in-j1939_send_one.patch @@ -0,0 +1,112 @@ +From b7cdf1dd5d2a2d8200efd98d1893684db48fe134 Mon Sep 17 00:00:00 2001 +From: Shigeru Yoshida +Date: Fri, 17 May 2024 12:59:53 +0900 +Subject: net: can: j1939: Initialize unused data in j1939_send_one() + +From: Shigeru Yoshida + +commit b7cdf1dd5d2a2d8200efd98d1893684db48fe134 upstream. + +syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one() +creates full frame including unused data, but it doesn't initialize +it. This causes the kernel-infoleak issue. Fix this by initializing +unused data. + +[1] +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] +BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] +BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] +BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + copy_to_user_iter lib/iov_iter.c:24 [inline] + iterate_ubuf include/linux/iov_iter.h:29 [inline] + iterate_and_advance2 include/linux/iov_iter.h:245 [inline] + iterate_and_advance include/linux/iov_iter.h:271 [inline] + _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 + copy_to_iter include/linux/uio.h:196 [inline] + memcpy_to_msg include/linux/skbuff.h:4113 [inline] + raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008 + sock_recvmsg_nosec net/socket.c:1046 [inline] + sock_recvmsg+0x2c4/0x340 net/socket.c:1068 + ____sys_recvmsg+0x18a/0x620 net/socket.c:2803 + ___sys_recvmsg+0x223/0x840 net/socket.c:2845 + do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939 + __sys_recvmmsg net/socket.c:3018 [inline] + __do_sys_recvmmsg net/socket.c:3041 [inline] + __se_sys_recvmmsg net/socket.c:3034 [inline] + __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034 + x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3804 [inline] + slab_alloc_node mm/slub.c:3845 [inline] + kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 + __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 + alloc_skb include/linux/skbuff.h:1313 [inline] + alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 + sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 + sock_alloc_send_skb include/net/sock.h:1842 [inline] + j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline] + j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline] + j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:745 + ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 + x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Bytes 12-15 of 16 are uninitialized +Memory access of size 16 starts at ffff888120969690 +Data copied to user address 00000000200017c0 + +CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Reported-and-tested-by: syzbot+5681e40d297b30f5b513@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5681e40d297b30f5b513 +Acked-by: Oleksij Rempel +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/all/20240517035953.2617090-1-syoshida@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/main.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/net/can/j1939/main.c ++++ b/net/can/j1939/main.c +@@ -30,10 +30,6 @@ MODULE_ALIAS("can-proto-" __stringify(CA + /* CAN_HDR: #bytes before can_frame data part */ + #define J1939_CAN_HDR (offsetof(struct can_frame, data)) + +-/* CAN_FTR: #bytes beyond data part */ +-#define J1939_CAN_FTR (sizeof(struct can_frame) - J1939_CAN_HDR - \ +- sizeof(((struct can_frame *)0)->data)) +- + /* lowest layer */ + static void j1939_can_recv(struct sk_buff *iskb, void *data) + { +@@ -338,7 +334,7 @@ int j1939_send_one(struct j1939_priv *pr + memset(cf, 0, J1939_CAN_HDR); + + /* make it a full can frame again */ +- skb_put(skb, J1939_CAN_FTR + (8 - dlc)); ++ skb_put_zero(skb, 8 - dlc); + + canid = CAN_EFF_FLAG | + (skcb->priority << 26) | diff --git a/queue-5.10/net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch b/queue-5.10/net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch new file mode 100644 index 00000000000..7a6b3c6dd00 --- /dev/null +++ b/queue-5.10/net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch @@ -0,0 +1,41 @@ +From 9ad1da14ab3bf23087ae45fe399d84a109ddb81a Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 28 May 2024 09:06:48 +0200 +Subject: net: can: j1939: recover socket queue on CAN bus error during BAM transmission +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oleksij Rempel + +commit 9ad1da14ab3bf23087ae45fe399d84a109ddb81a upstream. + +Addresses an issue where a CAN bus error during a BAM transmission +could stall the socket queue, preventing further transmissions even +after the bus error is resolved. The fix activates the next queued +session after the error recovery, allowing communication to continue. + +Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol") +Cc: stable@vger.kernel.org +Reported-by: Alexander Hölzl +Tested-by: Alexander Hölzl +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20240528070648.1947203-1-o.rempel@pengutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1662,6 +1662,8 @@ static int j1939_xtp_rx_rts_session_acti + + j1939_session_timers_cancel(session); + j1939_session_cancel(session, J1939_XTP_ABORT_BUSY); ++ if (session->transmission) ++ j1939_session_deactivate_activate_next(session); + + return -EBUSY; + } diff --git a/queue-5.10/series b/queue-5.10/series index 0a5471236e5..a322611c573 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -310,3 +310,17 @@ usb-musb-da8xx-fix-a-resource-leak-in-probe.patch usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch serial-8250_omap-implementation-of-errata-i2310.patch serial-imx-set-receiver-level-before-starting-uart.patch +tty-mcf-mcf54418-has-10-uarts.patch +net-can-j1939-initialize-unused-data-in-j1939_send_one.patch +net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch +net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch +kbuild-install-dtb-files-as-0644-in-makefile.dtbinst.patch +sh-rework-sync_file_range-abi.patch +csky-hexagon-fix-broken-sys_sync_file_range.patch +hexagon-fix-fadvise64_64-calling-conventions.patch +drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch +drm-i915-gt-fix-potential-uaf-by-revoke-of-fence-registers.patch +drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch +batman-adv-don-t-accept-tt-entries-for-out-of-spec-vids.patch +ata-ahci-clean-up-sysfs-file-on-error.patch +ata-libata-core-fix-double-free-on-error.patch diff --git a/queue-5.10/sh-rework-sync_file_range-abi.patch b/queue-5.10/sh-rework-sync_file_range-abi.patch new file mode 100644 index 00000000000..9cfdd48bde0 --- /dev/null +++ b/queue-5.10/sh-rework-sync_file_range-abi.patch @@ -0,0 +1,72 @@ +From 30766f1105d6d2459c3b9fe34a3e52b637a72950 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 11 Jun 2024 22:12:43 +0200 +Subject: sh: rework sync_file_range ABI + +From: Arnd Bergmann + +commit 30766f1105d6d2459c3b9fe34a3e52b637a72950 upstream. + +The unusual function calling conventions on SuperH ended up causing +sync_file_range to have the wrong argument order, with the 'flags' +argument getting sorted before 'nbytes' by the compiler. + +In userspace, I found that musl, glibc, uclibc and strace all expect the +normal calling conventions with 'nbytes' last, so changing the kernel +to match them should make all of those work. + +In order to be able to also fix libc implementations to work with existing +kernels, they need to be able to tell which ABI is used. An easy way +to do this is to add yet another system call using the sync_file_range2 +ABI that works the same on all architectures. + +Old user binaries can now work on new kernels, and new binaries can +try the new sync_file_range2() to work with new kernels or fall back +to the old sync_file_range() version if that doesn't exist. + +Cc: stable@vger.kernel.org +Fixes: 75c92acdd5b1 ("sh: Wire up new syscalls.") +Acked-by: John Paul Adrian Glaubitz +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/sh/kernel/sys_sh32.c | 11 +++++++++++ + arch/sh/kernel/syscalls/syscall.tbl | 3 ++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +--- a/arch/sh/kernel/sys_sh32.c ++++ b/arch/sh/kernel/sys_sh32.c +@@ -59,3 +59,14 @@ asmlinkage int sys_fadvise64_64_wrapper( + (u64)len0 << 32 | len1, advice); + #endif + } ++ ++/* ++ * swap the arguments the way that libc wants them instead of ++ * moving flags ahead of the 64-bit nbytes argument ++ */ ++SYSCALL_DEFINE6(sh_sync_file_range6, int, fd, SC_ARG64(offset), ++ SC_ARG64(nbytes), unsigned int, flags) ++{ ++ return ksys_sync_file_range(fd, SC_VAL64(loff_t, offset), ++ SC_VAL64(loff_t, nbytes), flags); ++} +--- a/arch/sh/kernel/syscalls/syscall.tbl ++++ b/arch/sh/kernel/syscalls/syscall.tbl +@@ -321,7 +321,7 @@ + 311 common set_robust_list sys_set_robust_list + 312 common get_robust_list sys_get_robust_list + 313 common splice sys_splice +-314 common sync_file_range sys_sync_file_range ++314 common sync_file_range sys_sh_sync_file_range6 + 315 common tee sys_tee + 316 common vmsplice sys_vmsplice + 317 common move_pages sys_move_pages +@@ -395,6 +395,7 @@ + 385 common pkey_alloc sys_pkey_alloc + 386 common pkey_free sys_pkey_free + 387 common rseq sys_rseq ++388 common sync_file_range2 sys_sync_file_range2 + # room for arch specific syscalls + 393 common semget sys_semget + 394 common semctl sys_semctl diff --git a/queue-5.10/tty-mcf-mcf54418-has-10-uarts.patch b/queue-5.10/tty-mcf-mcf54418-has-10-uarts.patch new file mode 100644 index 00000000000..03ad384fa79 --- /dev/null +++ b/queue-5.10/tty-mcf-mcf54418-has-10-uarts.patch @@ -0,0 +1,32 @@ +From 7c92a8bd53f24d50c8cf4aba53bb75505b382fed Mon Sep 17 00:00:00 2001 +From: Jean-Michel Hautbois +Date: Thu, 20 Jun 2024 18:29:59 +0200 +Subject: tty: mcf: MCF54418 has 10 UARTS + +From: Jean-Michel Hautbois + +commit 7c92a8bd53f24d50c8cf4aba53bb75505b382fed upstream. + +Most of the colfires have up to 5 UARTs but MCF54418 has up-to 10 ! +Change the maximum value authorized. + +Signed-off-by: Jean-Michel Hautbois +Cc: stable +Fixes: 2545cf6e94b4 ("m68knommu: allow 4 coldfire serial ports") +Link: https://lore.kernel.org/r/20240620-upstream-uart-v1-1-a9d0d95fb19e@yoseli.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mcf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/mcf.c ++++ b/drivers/tty/serial/mcf.c +@@ -479,7 +479,7 @@ static const struct uart_ops mcf_uart_op + .verify_port = mcf_verify_port, + }; + +-static struct mcf_uart mcf_ports[4]; ++static struct mcf_uart mcf_ports[10]; + + #define MCF_MAXPORTS ARRAY_SIZE(mcf_ports) +