From: Greg Kroah-Hartman Date: Mon, 21 Jul 2025 11:07:11 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.1.147~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=606f045162a9848656dc905a21f2bdaf44c5e06c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch isofs-verify-inode-mode-when-loading-from-disk.patch memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch mmc-sdhci_am654-workaround-for-errata-i2312.patch phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch --- diff --git a/queue-5.10/af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch b/queue-5.10/af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch new file mode 100644 index 0000000000..3ff22ff638 --- /dev/null +++ b/queue-5.10/af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch @@ -0,0 +1,103 @@ +From 55f0bfc0370539213202f4ce1a07615327ac4713 Mon Sep 17 00:00:00 2001 +From: Yun Lu +Date: Fri, 11 Jul 2025 17:33:00 +0800 +Subject: af_packet: fix soft lockup issue caused by tpacket_snd() + +From: Yun Lu + +commit 55f0bfc0370539213202f4ce1a07615327ac4713 upstream. + +When MSG_DONTWAIT is not set, the tpacket_snd operation will wait for +pending_refcnt to decrement to zero before returning. The pending_refcnt +is decremented by 1 when the skb->destructor function is called, +indicating that the skb has been successfully sent and needs to be +destroyed. + +If an error occurs during this process, the tpacket_snd() function will +exit and return error, but pending_refcnt may not yet have decremented to +zero. Assuming the next send operation is executed immediately, but there +are no available frames to be sent in tx_ring (i.e., packet_current_frame +returns NULL), and skb is also NULL, the function will not execute +wait_for_completion_interruptible_timeout() to yield the CPU. Instead, it +will enter a do-while loop, waiting for pending_refcnt to be zero. Even +if the previous skb has completed transmission, the skb->destructor +function can only be invoked in the ksoftirqd thread (assuming NAPI +threading is enabled). When both the ksoftirqd thread and the tpacket_snd +operation happen to run on the same CPU, and the CPU trapped in the +do-while loop without yielding, the ksoftirqd thread will not get +scheduled to run. As a result, pending_refcnt will never be reduced to +zero, and the do-while loop cannot exit, eventually leading to a CPU soft +lockup issue. + +In fact, skb is true for all but the first iterations of that loop, and +as long as pending_refcnt is not zero, even if incremented by a previous +call, wait_for_completion_interruptible_timeout() should be executed to +yield the CPU, allowing the ksoftirqd thread to be scheduled. Therefore, +the execution condition of this function should be modified to check if +pending_refcnt is not zero, instead of check skb. + +- if (need_wait && skb) { ++ if (need_wait && packet_read_pending(&po->tx_ring)) { + +As a result, the judgment conditions are duplicated with the end code of +the while loop, and packet_read_pending() is a very expensive function. +Actually, this loop can only exit when ph is NULL, so the loop condition +can be changed to while (1), and in the "ph = NULL" branch, if the +subsequent condition of if is not met, the loop can break directly. Now, +the loop logic remains the same as origin but is clearer and more obvious. + +Fixes: 89ed5b519004 ("af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET") +Cc: stable@kernel.org +Suggested-by: LongJun Tang +Signed-off-by: Yun Lu +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2800,15 +2800,21 @@ static int tpacket_snd(struct packet_soc + ph = packet_current_frame(po, &po->tx_ring, + TP_STATUS_SEND_REQUEST); + if (unlikely(ph == NULL)) { +- if (need_wait && skb) { ++ /* Note: packet_read_pending() might be slow if we ++ * have to call it as it's per_cpu variable, but in ++ * fast-path we don't have to call it, only when ph ++ * is NULL, we need to check the pending_refcnt. ++ */ ++ if (need_wait && packet_read_pending(&po->tx_ring)) { + timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo); + if (timeo <= 0) { + err = !timeo ? -ETIMEDOUT : -ERESTARTSYS; + goto out_put; + } +- } +- /* check for additional frames */ +- continue; ++ /* check for additional frames */ ++ continue; ++ } else ++ break; + } + + skb = NULL; +@@ -2898,14 +2904,7 @@ tpacket_error: + } + packet_increment_head(&po->tx_ring); + len_sum += tp_len; +- } while (likely((ph != NULL) || +- /* Note: packet_read_pending() might be slow if we have +- * to call it as it's per_cpu variable, but in fast-path +- * we already short-circuit the loop with the first +- * condition, and luckily don't have to go that path +- * anyway. +- */ +- (need_wait && packet_read_pending(&po->tx_ring)))); ++ } while (1); + + err = len_sum; + goto out_put; diff --git a/queue-5.10/af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch b/queue-5.10/af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch new file mode 100644 index 0000000000..2e6d6a00b4 --- /dev/null +++ b/queue-5.10/af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch @@ -0,0 +1,59 @@ +From c1ba3c0cbdb5e53a8ec5d708e99cd4c497028a13 Mon Sep 17 00:00:00 2001 +From: Yun Lu +Date: Fri, 11 Jul 2025 17:32:59 +0800 +Subject: af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd() + +From: Yun Lu + +commit c1ba3c0cbdb5e53a8ec5d708e99cd4c497028a13 upstream. + +Due to the changes in commit 581073f626e3 ("af_packet: do not call +packet_read_pending() from tpacket_destruct_skb()"), every time +tpacket_destruct_skb() is executed, the skb_completion is marked as +completed. When wait_for_completion_interruptible_timeout() returns +completed, the pending_refcnt has not yet been reduced to zero. +Therefore, when ph is NULL, the wait function may need to be called +multiple times until packet_read_pending() finally returns zero. + +We should call sock_sndtimeo() only once, otherwise the SO_SNDTIMEO +constraint could be way off. + +Fixes: 581073f626e3 ("af_packet: do not call packet_read_pending() from tpacket_destruct_skb()") +Cc: stable@kernel.org +Suggested-by: Eric Dumazet +Signed-off-by: Yun Lu +Reviewed-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2739,7 +2739,7 @@ static int tpacket_snd(struct packet_soc + int len_sum = 0; + int status = TP_STATUS_AVAILABLE; + int hlen, tlen, copylen = 0; +- long timeo = 0; ++ long timeo; + + mutex_lock(&po->pg_vec_lock); + +@@ -2793,6 +2793,7 @@ static int tpacket_snd(struct packet_soc + if ((size_max > dev->mtu + reserve + VLAN_HLEN) && !po->has_vnet_hdr) + size_max = dev->mtu + reserve + VLAN_HLEN; + ++ timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT); + reinit_completion(&po->skb_completion); + + do { +@@ -2800,7 +2801,6 @@ static int tpacket_snd(struct packet_soc + TP_STATUS_SEND_REQUEST); + if (unlikely(ph == NULL)) { + if (need_wait && skb) { +- timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT); + timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo); + if (timeo <= 0) { + err = !timeo ? -ETIMEDOUT : -ERESTARTSYS; diff --git a/queue-5.10/dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch b/queue-5.10/dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch new file mode 100644 index 0000000000..f1d81b43c8 --- /dev/null +++ b/queue-5.10/dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch @@ -0,0 +1,77 @@ +From 188c6ba1dd925849c5d94885c8bbdeb0b3dcf510 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 1 Jul 2025 17:31:40 -0500 +Subject: dmaengine: nbpfaxi: Fix memory corruption in probe() + +From: Dan Carpenter + +commit 188c6ba1dd925849c5d94885c8bbdeb0b3dcf510 upstream. + +The nbpf->chan[] array is allocated earlier in the nbpf_probe() function +and it has "num_channels" elements. These three loops iterate one +element farther than they should and corrupt memory. + +The changes to the second loop are more involved. In this case, we're +copying data from the irqbuf[] array into the nbpf->chan[] array. If +the data in irqbuf[i] is the error IRQ then we skip it, so the iterators +are not in sync. I added a check to ensure that we don't go beyond the +end of the irqbuf[] array. I'm pretty sure this can't happen, but it +seemed harmless to add a check. + +On the other hand, after the loop has ended there is a check to ensure +that the "chan" iterator is where we expect it to be. In the original +code we went one element beyond the end of the array so the iterator +wasn't in the correct place and it would always return -EINVAL. However, +now it will always be in the correct place. I deleted the check since +we know the result. + +Cc: stable@vger.kernel.org +Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/b13c5225-7eff-448c-badc-a2c98e9bcaca@sabinyo.mountain +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/nbpfaxi.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/dma/nbpfaxi.c ++++ b/drivers/dma/nbpfaxi.c +@@ -1356,7 +1356,7 @@ static int nbpf_probe(struct platform_de + if (irqs == 1) { + eirq = irqbuf[0]; + +- for (i = 0; i <= num_channels; i++) ++ for (i = 0; i < num_channels; i++) + nbpf->chan[i].irq = irqbuf[0]; + } else { + eirq = platform_get_irq_byname(pdev, "error"); +@@ -1366,16 +1366,15 @@ static int nbpf_probe(struct platform_de + if (irqs == num_channels + 1) { + struct nbpf_channel *chan; + +- for (i = 0, chan = nbpf->chan; i <= num_channels; ++ for (i = 0, chan = nbpf->chan; i < num_channels; + i++, chan++) { + /* Skip the error IRQ */ + if (irqbuf[i] == eirq) + i++; ++ if (i >= ARRAY_SIZE(irqbuf)) ++ return -EINVAL; + chan->irq = irqbuf[i]; + } +- +- if (chan != nbpf->chan + num_channels) +- return -EINVAL; + } else { + /* 2 IRQs and more than one channel */ + if (irqbuf[0] == eirq) +@@ -1383,7 +1382,7 @@ static int nbpf_probe(struct platform_de + else + irq = irqbuf[0]; + +- for (i = 0; i <= num_channels; i++) ++ for (i = 0; i < num_channels; i++) + nbpf->chan[i].irq = irq; + } + } diff --git a/queue-5.10/isofs-verify-inode-mode-when-loading-from-disk.patch b/queue-5.10/isofs-verify-inode-mode-when-loading-from-disk.patch new file mode 100644 index 0000000000..f96ae1dcc3 --- /dev/null +++ b/queue-5.10/isofs-verify-inode-mode-when-loading-from-disk.patch @@ -0,0 +1,43 @@ +From 0a9e7405131380b57e155f10242b2e25d2e51852 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 9 Jul 2025 11:55:46 +0200 +Subject: isofs: Verify inode mode when loading from disk + +From: Jan Kara + +commit 0a9e7405131380b57e155f10242b2e25d2e51852 upstream. + +Verify that the inode mode is sane when loading it from the disk to +avoid complaints from VFS about setting up invalid inodes. + +Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/20250709095545.31062-2-jack@suse.cz +Acked-by: Christian Brauner +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/inode.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -1492,9 +1492,16 @@ static int isofs_read_inode(struct inode + inode->i_op = &page_symlink_inode_operations; + inode_nohighmem(inode); + inode->i_data.a_ops = &isofs_symlink_aops; +- } else ++ } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || ++ S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { + /* XXX - parse_rock_ridge_inode() had already set i_rdev. */ + init_special_inode(inode, inode->i_mode, inode->i_rdev); ++ } else { ++ printk(KERN_DEBUG "ISOFS: Invalid file type 0%04o for inode %lu.\n", ++ inode->i_mode, inode->i_ino); ++ ret = -EIO; ++ goto fail; ++ } + + ret = 0; + out: diff --git a/queue-5.10/memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch b/queue-5.10/memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch new file mode 100644 index 0000000000..d721fb56a7 --- /dev/null +++ b/queue-5.10/memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch @@ -0,0 +1,47 @@ +From 21b34a3a204ed616373a12ec17dc127ebe51eab3 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 15 Jul 2025 15:56:05 -0700 +Subject: memstick: core: Zero initialize id_reg in h_memstick_read_dev_id() + +From: Nathan Chancellor + +commit 21b34a3a204ed616373a12ec17dc127ebe51eab3 upstream. + +A new warning in clang [1] points out that id_reg is uninitialized then +passed to memstick_init_req() as a const pointer: + + drivers/memstick/core/memstick.c:330:59: error: variable 'id_reg' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] + 330 | memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, + | ^~~~~~ + +Commit de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull +warning") intentionally passed this variable uninitialized to avoid an +-Wnonnull warning from a NULL value that was previously there because +id_reg is never read from the call to memstick_init_req() in +h_memstick_read_dev_id(). Just zero initialize id_reg to avoid the +warning, which is likely happening in the majority of builds using +modern compilers that support '-ftrivial-auto-var-init=zero'. + +Cc: stable@vger.kernel.org +Fixes: de182cc8e882 ("drivers/memstick/core/memstick.c: avoid -Wnonnull warning") +Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1] +Closes: https://github.com/ClangBuiltLinux/linux/issues/2105 +Signed-off-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20250715-memstick-fix-uninit-const-pointer-v1-1-f6753829c27a@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memstick/core/memstick.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/memstick/core/memstick.c ++++ b/drivers/memstick/core/memstick.c +@@ -324,7 +324,7 @@ EXPORT_SYMBOL(memstick_init_req); + static int h_memstick_read_dev_id(struct memstick_dev *card, + struct memstick_request **mrq) + { +- struct ms_id_register id_reg; ++ struct ms_id_register id_reg = {}; + + if (!(*mrq)) { + memstick_init_req(&card->current_mrq, MS_TPC_READ_REG, &id_reg, diff --git a/queue-5.10/mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch b/queue-5.10/mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..11c261c56b --- /dev/null +++ b/queue-5.10/mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,34 @@ +From ff09b71bf9daeca4f21d6e5e449641c9fad75b53 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Mon, 30 Jun 2025 11:35:07 +0200 +Subject: mmc: bcm2835: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +commit ff09b71bf9daeca4f21d6e5e449641c9fad75b53 upstream. + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 2f5da678351f ("mmc: bcm2835: Properly handle dmaengine_prep_slave_sg") +Signed-off-by: Thomas Fourier +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250630093510.82871-2-fourier.thomas@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/bcm2835.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/bcm2835.c ++++ b/drivers/mmc/host/bcm2835.c +@@ -507,7 +507,8 @@ void bcm2835_prepare_dma(struct bcm2835_ + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); + + if (!desc) { +- dma_unmap_sg(dma_chan->device->dev, data->sg, sg_len, dir_data); ++ dma_unmap_sg(dma_chan->device->dev, data->sg, data->sg_len, ++ dir_data); + return; + } + diff --git a/queue-5.10/mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch b/queue-5.10/mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch new file mode 100644 index 0000000000..e74fdf4aa6 --- /dev/null +++ b/queue-5.10/mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch @@ -0,0 +1,38 @@ +From 50c78f398e92fafa1cbba3469c95fe04b2e4206d Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Thu, 26 Jun 2025 08:24:42 -0300 +Subject: mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models + +From: Edson Juliano Drosdeck + +commit 50c78f398e92fafa1cbba3469c95fe04b2e4206d upstream. + +Disable command queuing on Intel GLK-based Positivo models. + +Without this quirk, CQE (Command Queuing Engine) causes instability +or I/O errors during operation. Disabling it ensures stable +operation on affected devices. + +Signed-off-by: Edson Juliano Drosdeck +Fixes: bedf9fc01ff1 ("mmc: sdhci: Workaround broken command queuing on Intel GLK") +Cc: stable@vger.kernel.org +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20250626112442.9791-1-edson.drosdeck@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -969,7 +969,8 @@ static bool glk_broken_cqhci(struct sdhc + { + return slot->chip->pdev->device == PCI_DEVICE_ID_INTEL_GLK_EMMC && + (dmi_match(DMI_BIOS_VENDOR, "LENOVO") || +- dmi_match(DMI_SYS_VENDOR, "IRBIS")); ++ dmi_match(DMI_SYS_VENDOR, "IRBIS") || ++ dmi_match(DMI_SYS_VENDOR, "Positivo Tecnologia SA")); + } + + static bool jsl_broken_hs400es(struct sdhci_pci_slot *slot) diff --git a/queue-5.10/mmc-sdhci_am654-workaround-for-errata-i2312.patch b/queue-5.10/mmc-sdhci_am654-workaround-for-errata-i2312.patch new file mode 100644 index 0000000000..0561fe933d --- /dev/null +++ b/queue-5.10/mmc-sdhci_am654-workaround-for-errata-i2312.patch @@ -0,0 +1,62 @@ +From 6d0b1c01847fedd7c85a5cdf59b8cfc7d14512e6 Mon Sep 17 00:00:00 2001 +From: Judith Mendez +Date: Thu, 26 Jun 2025 18:14:52 -0500 +Subject: mmc: sdhci_am654: Workaround for Errata i2312 + +From: Judith Mendez + +commit 6d0b1c01847fedd7c85a5cdf59b8cfc7d14512e6 upstream. + +Errata i2312 [0] for K3 silicon mentions the maximum obtainable +timeout through MMC host controller is 700ms. And for commands taking +longer than 700ms, hardware timeout should be disabled and software +timeout should be used. + +The workaround for Errata i2312 can be achieved by adding +SDHCI_QUIRK2_DISABLE_HW_TIMEOUT quirk in sdhci_am654. + +[0] https://www.ti.com/lit/pdf/sprz487 + +Signed-off-by: Judith Mendez +Acked-by: Adrian Hunter +Fixes: 41fd4caeb00b ("mmc: sdhci_am654: Add Initial Support for AM654 SDHCI driver") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250626231452.3460987-1-jm@ti.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci_am654.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/host/sdhci_am654.c ++++ b/drivers/mmc/host/sdhci_am654.c +@@ -558,7 +558,8 @@ static struct sdhci_ops sdhci_am654_ops + static const struct sdhci_pltfm_data sdhci_am654_pdata = { + .ops = &sdhci_am654_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_am654_sr1_drvdata = { +@@ -588,7 +589,8 @@ static struct sdhci_ops sdhci_j721e_8bit + static const struct sdhci_pltfm_data sdhci_j721e_8bit_pdata = { + .ops = &sdhci_j721e_8bit_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_j721e_8bit_drvdata = { +@@ -612,7 +614,8 @@ static struct sdhci_ops sdhci_j721e_4bit + static const struct sdhci_pltfm_data sdhci_j721e_4bit_pdata = { + .ops = &sdhci_j721e_4bit_ops, + .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12, +- .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | ++ SDHCI_QUIRK2_DISABLE_HW_TIMEOUT, + }; + + static const struct sdhci_am654_driver_data sdhci_j721e_4bit_drvdata = { diff --git a/queue-5.10/phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch b/queue-5.10/phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch new file mode 100644 index 0000000000..4ea5d736cd --- /dev/null +++ b/queue-5.10/phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch @@ -0,0 +1,50 @@ +From 17ba793f381eb813596d6de1cc6820bcbda5ed8b Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 15 Jul 2025 16:15:40 -0700 +Subject: phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() + +From: Nathan Chancellor + +commit 17ba793f381eb813596d6de1cc6820bcbda5ed8b upstream. + +A new warning in clang [1] points out a place in pep_sock_accept() where +dst is uninitialized then passed as a const pointer to pep_find_pipe(): + + net/phonet/pep.c:829:37: error: variable 'dst' is uninitialized when passed as a const pointer argument here [-Werror,-Wuninitialized-const-pointer] + 829 | newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); + | ^~~: + +Move the call to pn_skb_get_dst_sockaddr(), which initializes dst, to +before the call to pep_find_pipe(), so that dst is consistently used +initialized throughout the function. + +Cc: stable@vger.kernel.org +Fixes: f7ae8d59f661 ("Phonet: allocate sock from accept syscall rather than soft IRQ") +Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1] +Closes: https://github.com/ClangBuiltLinux/linux/issues/2101 +Signed-off-by: Nathan Chancellor +Link: https://patch.msgid.link/20250715-net-phonet-fix-uninit-const-pointer-v1-1-8efd1bd188b3@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/phonet/pep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/phonet/pep.c ++++ b/net/phonet/pep.c +@@ -825,6 +825,7 @@ static struct sock *pep_sock_accept(stru + } + + /* Check for duplicate pipe handle */ ++ pn_skb_get_dst_sockaddr(skb, &dst); + newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle); + if (unlikely(newsk)) { + __sock_put(newsk); +@@ -849,7 +850,6 @@ static struct sock *pep_sock_accept(stru + newsk->sk_destruct = pipe_destruct; + + newpn = pep_sk(newsk); +- pn_skb_get_dst_sockaddr(skb, &dst); + pn_skb_get_src_sockaddr(skb, &src); + newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst); + newpn->pn_sk.dobject = pn_sockaddr_get_object(&src); diff --git a/queue-5.10/series b/queue-5.10/series index 920b603f30..67d4a9009d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -10,3 +10,12 @@ pch_uart-fix-dma_sync_sg_for_device-nents-value.patch hid-core-ensure-the-allocated-report-buffer-can-contain-the-reserved-report-id.patch hid-core-ensure-__hid_request-reserves-the-report-id-as-the-first-byte.patch hid-core-do-not-bypass-hid_hw_raw_request.patch +phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch +af_packet-fix-the-so_sndtimeo-constraint-not-effective-on-tpacked_snd.patch +af_packet-fix-soft-lockup-issue-caused-by-tpacket_snd.patch +dmaengine-nbpfaxi-fix-memory-corruption-in-probe.patch +isofs-verify-inode-mode-when-loading-from-disk.patch +memstick-core-zero-initialize-id_reg-in-h_memstick_read_dev_id.patch +mmc-bcm2835-fix-dma_unmap_sg-nents-value.patch +mmc-sdhci-pci-quirk-for-broken-command-queuing-on-intel-glk-based-positivo-models.patch +mmc-sdhci_am654-workaround-for-errata-i2312.patch