From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 08:49:17 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.297~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=696415f937357092642b157e2a87749b76046b10;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch btrfs-populate-otime-when-logging-an-inode-item.patch cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch media-v4l2-ctrls-always-copy-the-controls-on-completion.patch media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch media-venus-hfi-explicitly-release-irq-during-teardown.patch media-venus-protect-against-spurious-interrupts-during-probe.patch media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch mm-kmemleak-turn-kmemleak_lock-and-object-lock-to-raw_spinlock_t.patch mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch net-usbnet-fix-the-wrong-netif_carrier_on-call.patch nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch nfs-fix-up-handling-of-outstanding-layoutcommit-in-nfs_update_inode.patch nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch nfsv4-fix-nfs4_bitmap_copy_adjust.patch pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch pwm-mediatek-fix-duty-and-period-setting.patch pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch pwm-mediatek-implement-.apply-callback.patch rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds1341.patch soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch usb-musb-omap2430-fix-device-leak-at-unbind.patch usb-typec-fusb302-cache-pd-rx-state.patch x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch --- diff --git a/queue-5.4/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch b/queue-5.4/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch new file mode 100644 index 0000000000..8e83eb166c --- /dev/null +++ b/queue-5.4/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch @@ -0,0 +1,76 @@ +From stable+bounces-169408-greg=kroah.com@vger.kernel.org Wed Aug 13 16:49:18 2025 +From: Sasha Levin +Date: Wed, 13 Aug 2025 10:44:47 -0400 +Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() +To: stable@vger.kernel.org +Cc: "Geoffrey D. Bennett" , Takashi Iwai , Sasha Levin +Message-ID: <20250813144447.2048274-1-sashal@kernel.org> + +From: "Geoffrey D. Bennett" + +[ Upstream commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 ] + +During communication with Focusrite Scarlett Gen 2/3/4 USB audio +interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(), +snd_usb_ctl_msg() which can cause initialisation and control +operations to fail intermittently. + +This patch adds up to 5 retries in scarlett2_usb(), with a delay +starting at 5ms and doubling each time. This follows the same approach +as the fix for usb_set_interface() in endpoint.c (commit f406005e162b +("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")), +which resolved similar -EPROTO issues during device initialisation, +and is the same approach as in fcp.c:fcp_usb(). + +Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") +Closes: https://github.com/geoffreybennett/linux-fcp/issues/41 +Cc: stable@vger.kernel.org +Signed-off-by: Geoffrey D. Bennett +Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu +Signed-off-by: Takashi Iwai +[ Applied retry logic around snd_usb_ctl_msg() instead of scarlett2_usb_tx() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_scarlett_gen2.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/sound/usb/mixer_scarlett_gen2.c ++++ b/sound/usb/mixer_scarlett_gen2.c +@@ -118,6 +118,8 @@ + #define SCARLETT2_MIXER_MAX_VALUE \ + ((SCARLETT2_MIXER_MAX_DB - SCARLETT2_MIXER_MIN_DB) * 2) + ++#include ++ + /* map from (dB + 80) * 2 to mixer value + * for dB in 0 .. 172: int(8192 * pow(10, ((dB - 160) / 2 / 20))) + */ +@@ -591,6 +593,8 @@ static int scarlett2_usb( + u16 req_buf_size = sizeof(struct scarlett2_usb_packet) + req_size; + u16 resp_buf_size = sizeof(struct scarlett2_usb_packet) + resp_size; + struct scarlett2_usb_packet *req = NULL, *resp = NULL; ++ int retries = 0; ++ const int max_retries = 5; + int err = 0; + + req = kmalloc(req_buf_size, GFP_KERNEL); +@@ -614,6 +618,7 @@ static int scarlett2_usb( + if (req_size) + memcpy(req->data, req_data, req_size); + ++retry: + err = snd_usb_ctl_msg(mixer->chip->dev, + usb_sndctrlpipe(mixer->chip->dev, 0), + SCARLETT2_USB_VENDOR_SPECIFIC_CMD_REQ, +@@ -624,6 +629,10 @@ static int scarlett2_usb( + req_buf_size); + + if (err != req_buf_size) { ++ if (err == -EPROTO && ++retries <= max_retries) { ++ msleep(5 * (1 << (retries - 1))); ++ goto retry; ++ } + usb_audio_err( + mixer->chip, + "Scarlett Gen 2 USB request result cmd %x was %d\n", diff --git a/queue-5.4/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch b/queue-5.4/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch new file mode 100644 index 0000000000..8ed549f8fe --- /dev/null +++ b/queue-5.4/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch @@ -0,0 +1,78 @@ +From stable+bounces-172214-greg=kroah.com@vger.kernel.org Thu Aug 21 20:27:59 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 14:26:54 -0400 +Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig +To: stable@vger.kernel.org +Cc: Damien Le Moal , Hannes Reinecke , Niklas Cassel , Sasha Levin +Message-ID: <20250821182654.891907-1-sashal@kernel.org> + +From: Damien Le Moal + +[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ] + +Improve the description of the possible default SATA link power +management policies and add the missing description for policy 5. +No functional changes. + +Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Reviewed-by: Niklas Cassel +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/Kconfig | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +--- a/drivers/ata/Kconfig ++++ b/drivers/ata/Kconfig +@@ -92,22 +92,39 @@ config SATA_AHCI + + config SATA_MOBILE_LPM_POLICY + int "Default SATA Link Power Management policy for mobile chipsets" +- range 0 4 ++ range 0 5 + default 0 + depends on SATA_AHCI + help + Select the Default SATA Link Power Management (LPM) policy to use + for mobile / laptop variants of chipsets / "South Bridges". + +- The value set has the following meanings: ++ Each policy combines power saving states and features: ++ - Partial: The Phy logic is powered but is in a reduced power ++ state. The exit latency from this state is no longer than ++ 10us). ++ - Slumber: The Phy logic is powered but is in an even lower power ++ state. The exit latency from this state is potentially ++ longer, but no longer than 10ms. ++ - DevSleep: The Phy logic may be powered down. The exit latency from ++ this state is no longer than 20 ms, unless otherwise ++ specified by DETO in the device Identify Device Data log. ++ - HIPM: Host Initiated Power Management (host automatically ++ transitions to partial and slumber). ++ - DIPM: Device Initiated Power Management (device automatically ++ transitions to partial and slumber). ++ ++ The possible values for the default SATA link power management ++ policies are: + 0 => Keep firmware settings +- 1 => Maximum performance +- 2 => Medium power +- 3 => Medium power with Device Initiated PM enabled +- 4 => Minimum power ++ 1 => No power savings (maximum performance) ++ 2 => HIPM (Partial) ++ 3 => HIPM (Partial) and DIPM (Partial and Slumber) ++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber) ++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber) + +- Note "Minimum power" is known to cause issues, including disk +- corruption, with some disks and should not be used. ++ Excluding the value 0, higher values represent policies with higher ++ power savings. + + config SATA_AHCI_PLATFORM + tristate "Platform AHCI SATA support" diff --git a/queue-5.4/btrfs-populate-otime-when-logging-an-inode-item.patch b/queue-5.4/btrfs-populate-otime-when-logging-an-inode-item.patch new file mode 100644 index 0000000000..cf36c53810 --- /dev/null +++ b/queue-5.4/btrfs-populate-otime-when-logging-an-inode-item.patch @@ -0,0 +1,116 @@ +From stable+bounces-171808-greg=kroah.com@vger.kernel.org Tue Aug 19 17:04:22 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 10:57:54 -0400 +Subject: btrfs: populate otime when logging an inode item +To: stable@vger.kernel.org +Cc: Qu Wenruo , Filipe Manana , David Sterba , Sasha Levin +Message-ID: <20250819145754.527446-1-sashal@kernel.org> + +From: Qu Wenruo + +[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ] + +[TEST FAILURE WITH EXPERIMENTAL FEATURES] +When running test case generic/508, the test case will fail with the new +btrfs shutdown support: + +generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad) +# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930 +# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930 +# @@ -1,2 +1,6 @@ +# QA output created by 508 +# Silence is golden +# +Before: +# +After : stat.btime = Thu Jan 1 09:30:00 1970 +# +Before: +# +After : stat.btime = Wed Jul 2 14:53:22 2025 +# ... +# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff) +Ran: generic/508 +Failures: generic/508 +Failed 1 of 1 tests + +Please note that the test case requires shutdown support, thus the test +case will be skipped using the current upstream kernel, as it doesn't +have shutdown ioctl support. + +[CAUSE] +The direct cause the 0 time stamp in the log tree: + +leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG +leaf 30507008 flags 0x1(WRITTEN) backref revision 1 +checksum stored e522548d +checksum calced e522548d +fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 +chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 + item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 9 transid 9 size 0 nbytes 0 + block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0 + sequence 1 flags 0x0(none) + atime 1751432947.492000000 (2025-07-02 14:39:07) + ctime 1751432947.492000000 (2025-07-02 14:39:07) + mtime 1751432947.492000000 (2025-07-02 14:39:07) + otime 0.0 (1970-01-01 09:30:00) <<< + +But the old fs tree has all the correct time stamp: + +btrfs-progs v6.12 +fs tree key (FS_TREE ROOT_ITEM 0) +leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE +leaf 30425088 flags 0x1(WRITTEN) backref revision 1 +checksum stored 48f6c57e +checksum calced 48f6c57e +fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0 +chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398 + item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 + generation 3 transid 0 size 0 nbytes 16384 + block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0 + sequence 0 flags 0x0(none) + atime 1751432947.0 (2025-07-02 14:39:07) + ctime 1751432947.0 (2025-07-02 14:39:07) + mtime 1751432947.0 (2025-07-02 14:39:07) + otime 1751432947.0 (2025-07-02 14:39:07) <<< + +The root cause is that fill_inode_item() in tree-log.c is only +populating a/c/m time, not the otime (or btime in statx output). + +Part of the reason is that, the vfs inode only has a/c/m time, no native +btime support yet. + +[FIX] +Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and +btrfs_inode::i_otime_nsec. + +So what we really need is just fill the otime time stamp in +fill_inode_item() of tree-log.c + +There is another fill_inode_item() in inode.c, which is doing the proper +otime population. + +Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing") +CC: stable@vger.kernel.org +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ adapted token-based API and timespec64 field structure ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3953,6 +3953,11 @@ static void fill_inode_item(struct btrfs + btrfs_set_token_timespec_nsec(leaf, &item->ctime, + inode->i_ctime.tv_nsec, &token); + ++ btrfs_set_token_timespec_sec(leaf, &item->otime, ++ BTRFS_I(inode)->i_otime.tv_sec, &token); ++ btrfs_set_token_timespec_nsec(leaf, &item->otime, ++ BTRFS_I(inode)->i_otime.tv_nsec, &token); ++ + btrfs_set_token_inode_nbytes(leaf, item, inode_get_bytes(inode), + &token); + diff --git a/queue-5.4/cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch b/queue-5.4/cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch new file mode 100644 index 0000000000..7430ffa16d --- /dev/null +++ b/queue-5.4/cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch @@ -0,0 +1,55 @@ +From stable+bounces-171675-greg=kroah.com@vger.kernel.org Tue Aug 19 01:14:07 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 19:13:58 -0400 +Subject: cdc-acm: fix race between initial clearing halt and open +To: stable@vger.kernel.org +Cc: Oliver Neukum , stable , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250818231358.138342-2-sashal@kernel.org> + +From: Oliver Neukum + +[ Upstream commit 64690a90cd7c6db16d3af8616be1f4bf8d492850 ] + +On the devices that need their endpoints to get an +initial clear_halt, this needs to be done before +the devices can be opened. That means it needs to be +before the devices are registered. + +Fixes: 15bf722e6f6c0 ("cdc-acm: Add support of ATOL FPrint fiscal printers") +Cc: stable +Signed-off-by: Oliver Neukum +Link: https://lore.kernel.org/r/20250717141259.2345605-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1527,6 +1527,12 @@ skip_countries: + usb_driver_claim_interface(&acm_driver, data_interface, acm); + usb_set_intfdata(data_interface, acm); + ++ if (quirks & CLEAR_HALT_CONDITIONS) { ++ /* errors intentionally ignored */ ++ usb_clear_halt(usb_dev, acm->in); ++ usb_clear_halt(usb_dev, acm->out); ++ } ++ + tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor, + &control_interface->dev); + if (IS_ERR(tty_dev)) { +@@ -1534,11 +1540,6 @@ skip_countries: + goto alloc_fail6; + } + +- if (quirks & CLEAR_HALT_CONDITIONS) { +- usb_clear_halt(usb_dev, acm->in); +- usb_clear_halt(usb_dev, acm->out); +- } +- + dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); + + return 0; diff --git a/queue-5.4/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch b/queue-5.4/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch new file mode 100644 index 0000000000..7f0680472a --- /dev/null +++ b/queue-5.4/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch @@ -0,0 +1,50 @@ +From stable+bounces-172609-greg=kroah.com@vger.kernel.org Sat Aug 23 16:46:09 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 10:44:36 -0400 +Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS +To: stable@vger.kernel.org +Cc: "Imre Deak" , "Ville Syrjälä" , "Jani Nikula" , "Jani Nikula" , "Sasha Levin" +Message-ID: <20250823144436.2255063-1-sashal@kernel.org> + +From: Imre Deak + +[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ] + +Reading DPCD registers has side-effects in general. In particular +accessing registers outside of the link training register range +(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly +forbidden by the DP v2.1 Standard, see + +3.6.5.1 DPTX AUX Transaction Handling Mandates +3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates + +Based on my tests, accessing the DPCD_REV register during the link +training of an UHBR TBT DP tunnel sink leads to link training failures. + +Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the +DPCD register access quirk. + +Cc: +Cc: Ville Syrjälä +Cc: Jani Nikula +Acked-by: Jani Nikula +Signed-off-by: Imre Deak +Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com +[ Call to drm_dp_dpcd_access() instead of drm_dp_dpcd_probe() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_dp_helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_dp_helper.c ++++ b/drivers/gpu/drm/drm_dp_helper.c +@@ -280,7 +280,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a + * We just have to do it before any DPCD access and hope that the + * monitor doesn't power down exactly after the throw away read. + */ +- ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_DPCD_REV, buffer, ++ ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_LANE0_1_STATUS, buffer, + 1); + if (ret != 1) + goto out; diff --git a/queue-5.4/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch b/queue-5.4/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch new file mode 100644 index 0000000000..6faad6a4f6 --- /dev/null +++ b/queue-5.4/drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch @@ -0,0 +1,85 @@ +From stable+bounces-165106-greg=kroah.com@vger.kernel.org Tue Jul 29 19:15:19 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 13:14:55 -0400 +Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs +To: stable@vger.kernel.org +Cc: "Lin.Cao" , "Christian König" , "Philipp Stanner" , "Sasha Levin" +Message-ID: <20250729171455.2825719-1-sashal@kernel.org> + +From: "Lin.Cao" + +[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ] + +When application A submits jobs and application B submits a job with a +dependency on A's fence, the normal flow wakes up the scheduler after +processing each job. However, the optimization in +drm_sched_entity_add_dependency_cb() uses a callback that only clears +dependencies without waking up the scheduler. + +When application A is killed before its jobs can run, the callback gets +triggered but only clears the dependency without waking up the scheduler, +causing the scheduler to enter sleep state and application B to hang. + +Remove the optimization by deleting drm_sched_entity_clear_dep() and its +usage, ensuring the scheduler is always woken up when dependencies are +cleared. + +Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler") +Cc: stable@vger.kernel.org # v4.6+ +Signed-off-by: Lin.Cao +Reviewed-by: Christian König +Signed-off-by: Philipp Stanner +Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com +[ adjusted context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 23 ++--------------------- + 1 file changed, 2 insertions(+), 21 deletions(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -328,19 +328,6 @@ void drm_sched_entity_destroy(struct drm + EXPORT_SYMBOL(drm_sched_entity_destroy); + + /** +- * drm_sched_entity_clear_dep - callback to clear the entities dependency +- */ +-static void drm_sched_entity_clear_dep(struct dma_fence *f, +- struct dma_fence_cb *cb) +-{ +- struct drm_sched_entity *entity = +- container_of(cb, struct drm_sched_entity, cb); +- +- entity->dependency = NULL; +- dma_fence_put(f); +-} +- +-/** + * drm_sched_entity_clear_dep - callback to clear the entities dependency and + * wake up scheduler + */ +@@ -350,7 +337,8 @@ static void drm_sched_entity_wakeup(stru + struct drm_sched_entity *entity = + container_of(cb, struct drm_sched_entity, cb); + +- drm_sched_entity_clear_dep(f, cb); ++ entity->dependency = NULL; ++ dma_fence_put(f); + drm_sched_wakeup(entity->rq->sched); + } + +@@ -426,13 +414,6 @@ static bool drm_sched_entity_add_depende + fence = dma_fence_get(&s_fence->scheduled); + dma_fence_put(entity->dependency); + entity->dependency = fence; +- if (!dma_fence_add_callback(fence, &entity->cb, +- drm_sched_entity_clear_dep)) +- return true; +- +- /* Ignore it when it is already scheduled */ +- dma_fence_put(fence); +- return false; + } + + if (!dma_fence_add_callback(entity->dependency, &entity->cb, diff --git a/queue-5.4/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch b/queue-5.4/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch new file mode 100644 index 0000000000..f2dd0f5e3a --- /dev/null +++ b/queue-5.4/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch @@ -0,0 +1,76 @@ +From stable+bounces-172554-greg=kroah.com@vger.kernel.org Sat Aug 23 06:23:21 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 00:23:11 -0400 +Subject: f2fs: fix to avoid out-of-boundary access in dnode page +To: stable@vger.kernel.org +Cc: Chao Yu , stable@kernel.org, Jiaming Zhang , Jaegeuk Kim , Sasha Levin +Message-ID: <20250823042311.1849185-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ] + +As Jiaming Zhang reported: + + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x17e/0x800 mm/kasan/report.c:480 + kasan_report+0x147/0x180 mm/kasan/report.c:593 + data_blkaddr fs/f2fs/f2fs.h:3053 [inline] + f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline] + f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855 + f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195 + prepare_write_begin fs/f2fs/data.c:3395 [inline] + f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594 + generic_perform_write+0x2c7/0x910 mm/filemap.c:4112 + f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline] + f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x546/0xa90 fs/read_write.c:686 + ksys_write+0x149/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The root cause is in the corrupted image, there is a dnode has the same +node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to +access block address in dnode at offset 934, however it parses the dnode +as inode node, so that get_dnode_addr() returns 360, then it tries to +access page address from 360 + 934 * 4 = 4096 w/ 4 bytes. + +To fix this issue, let's add sanity check for node id of all direct nodes +during f2fs_get_dnode_of_data(). + +Cc: stable@kernel.org +Reported-by: Jiaming Zhang +Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ replaced f2fs_err_ratelimited() with f2fs_err() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -764,6 +764,16 @@ int f2fs_get_dnode_of_data(struct dnode_ + for (i = 1; i <= level; i++) { + bool done = false; + ++ if (nids[i] && nids[i] == dn->inode->i_ino) { ++ err = -EFSCORRUPTED; ++ f2fs_err(sbi, ++ "inode mapping table is corrupted, run fsck to fix it, " ++ "ino:%lu, nid:%u, level:%d, offset:%d", ++ dn->inode->i_ino, nids[i], level, offset[level]); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ goto release_pages; ++ } ++ + if (!nids[i] && mode == ALLOC_NODE) { + /* alloc new node */ + if (!f2fs_alloc_nid(sbi, &(nids[i]))) { diff --git a/queue-5.4/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch b/queue-5.4/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch new file mode 100644 index 0000000000..a8aec29b0b --- /dev/null +++ b/queue-5.4/f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch @@ -0,0 +1,106 @@ +From stable+bounces-164653-greg=kroah.com@vger.kernel.org Thu Jul 24 19:51:02 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 13:50:53 -0400 +Subject: f2fs: fix to do sanity check on ino and xnid +To: stable@vger.kernel.org +Cc: Chao Yu , syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com, Jaegeuk Kim , Sasha Levin +Message-ID: <20250724175053.1410867-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ] + +syzbot reported a f2fs bug as below: + +INFO: task syz-executor140:5308 blocked for more than 143 seconds. + Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 +Call Trace: + + context_switch kernel/sched/core.c:5378 [inline] + __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 + __schedule_loop kernel/sched/core.c:6842 [inline] + schedule+0x14b/0x320 kernel/sched/core.c:6857 + io_schedule+0x8d/0x110 kernel/sched/core.c:7690 + folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 + __folio_lock mm/filemap.c:1664 [inline] + folio_lock include/linux/pagemap.h:1163 [inline] + __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 + pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 + find_get_page_flags include/linux/pagemap.h:842 [inline] + f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 + __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 + read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 + lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] + f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 + __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 + f2fs_acl_create fs/f2fs/acl.c:375 [inline] + f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 + f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 + f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 + f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 + f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 + f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] + f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 + vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 + unix_bind_bsd net/unix/af_unix.c:1286 [inline] + unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 + __sys_bind_socket net/socket.c:1817 [inline] + __sys_bind+0x1e4/0x290 net/socket.c:1848 + __do_sys_bind net/socket.c:1853 [inline] + __se_sys_bind net/socket.c:1851 [inline] + __x64_sys_bind+0x7a/0x90 net/socket.c:1851 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Let's dump and check metadata of corrupted inode, it shows its xattr_nid +is the same to its i_ino. + +dump.f2fs -i 3 chaseyu.img.raw +i_xattr_nid [0x 3 : 3] + +So that, during mknod in the corrupted directory, it tries to get and +lock inode page twice, result in deadlock. + +- f2fs_mknod + - f2fs_add_inline_entry + - f2fs_get_inode_page --- lock dir's inode page + - f2fs_init_acl + - f2fs_acl_create(dir,..) + - __f2fs_get_acl + - f2fs_getxattr + - lookup_all_xattrs + - __get_node_page --- try to lock dir's inode page + +In order to fix this, let's add sanity check on ino and xnid. + +Cc: stable@vger.kernel.org +Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -221,6 +221,13 @@ static bool sanity_check_inode(struct in + return false; + } + ++ if (ino_of_node(node_page) == fi->i_xattr_nid) { ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.", ++ __func__, inode->i_ino, fi->i_xattr_nid); ++ return false; ++ } ++ + if (f2fs_sb_has_flexible_inline_xattr(sbi) + && !f2fs_has_extra_attr(inode)) { + set_sbi_flag(sbi, SBI_NEED_FSCK); diff --git a/queue-5.4/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch b/queue-5.4/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch new file mode 100644 index 0000000000..d8a3e85c38 --- /dev/null +++ b/queue-5.4/ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch @@ -0,0 +1,41 @@ +From stable+bounces-165123-greg=kroah.com@vger.kernel.org Tue Jul 29 21:31:32 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 15:31:23 -0400 +Subject: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() +To: stable@vger.kernel.org +Cc: Haoxiang Li , Michal Swiatkowski , Aleksandr Loktionov , Simon Horman , Rinitha S , Tony Nguyen , Sasha Levin +Message-ID: <20250729193123.2873807-1-sashal@kernel.org> + +From: Haoxiang Li + +[ Upstream commit 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 ] + +Add check for the return value of devm_kmemdup() +to prevent potential null pointer dereference. + +Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: Michal Swiatkowski +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Tested-by: Rinitha S (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +[ applied the patch to ice_flex_pipe.c instead of ice_ddp.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c ++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c +@@ -753,6 +753,8 @@ enum ice_status ice_copy_and_init_pkg(st + return ICE_ERR_PARAM; + + buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL); ++ if (!buf_copy) ++ return ICE_ERR_NO_MEMORY; + + status = ice_init_pkg(hw, buf_copy, len); + if (status) { diff --git a/queue-5.4/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch b/queue-5.4/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch new file mode 100644 index 0000000000..5cc5eabb3a --- /dev/null +++ b/queue-5.4/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch @@ -0,0 +1,42 @@ +From stable+bounces-164643-greg=kroah.com@vger.kernel.org Thu Jul 24 18:36:16 2025 +From: Sasha Levin +Date: Thu, 24 Jul 2025 12:33:27 -0400 +Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation +To: stable@vger.kernel.org +Cc: Zhang Lixu , Srinivas Pandruvada , Jonathan Cameron , Sasha Levin +Message-ID: <20250724163327.1369882-1-sashal@kernel.org> + +From: Zhang Lixu + +[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ] + +The OFFSET calculation in the prox_read_raw() was incorrectly using the +unit exponent, which is intended for SCALE calculations. + +Remove the incorrect OFFSET calculation and set it to a fixed value of 0. + +Cc: stable@vger.kernel.org +Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") +Signed-off-by: Zhang Lixu +Acked-by: Srinivas Pandruvada +Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com +Signed-off-by: Jonathan Cameron +[ adapted prox_attr array access to single structure member access ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/hid-sensor-prox.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/light/hid-sensor-prox.c ++++ b/drivers/iio/light/hid-sensor-prox.c +@@ -103,8 +103,7 @@ static int prox_read_raw(struct iio_dev + ret_type = prox_state->scale_precision; + break; + case IIO_CHAN_INFO_OFFSET: +- *val = hid_sensor_convert_exponent( +- prox_state->prox_attr.unit_expo); ++ *val = 0; + ret_type = IIO_VAL_INT; + break; + case IIO_CHAN_INFO_SAMP_FREQ: diff --git a/queue-5.4/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch b/queue-5.4/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch new file mode 100644 index 0000000000..baa6470002 --- /dev/null +++ b/queue-5.4/media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch @@ -0,0 +1,51 @@ +From stable+bounces-172557-greg=kroah.com@vger.kernel.org Sat Aug 23 06:50:25 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 00:50:18 -0400 +Subject: media: qcom: camss: cleanup media device allocated resource on error path +To: stable@vger.kernel.org +Cc: Vladimir Zapolskiy , Bryan O'Donoghue , Bryan O'Donoghue , Hans Verkuil , Sasha Levin +Message-ID: <20250823045018.1878034-1-sashal@kernel.org> + +From: Vladimir Zapolskiy + +[ Upstream commit 69080ec3d0daba8a894025476c98ab16b5a505a4 ] + +A call to media_device_init() requires media_device_cleanup() counterpart +to complete cleanup and release any allocated resources. + +This has been done in the driver .remove() right from the beginning, but +error paths on .probe() shall also be fixed. + +Fixes: a1d7c116fcf7 ("media: camms: Add core files") +Cc: stable@vger.kernel.org +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +[ err_genpd_cleanup => err_cleanup ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/camss/camss.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/qcom/camss/camss.c ++++ b/drivers/media/platform/qcom/camss/camss.c +@@ -888,7 +888,7 @@ static int camss_probe(struct platform_d + ret = v4l2_device_register(camss->dev, &camss->v4l2_dev); + if (ret < 0) { + dev_err(dev, "Failed to register V4L2 device: %d\n", ret); +- goto err_cleanup; ++ goto err_media_device_cleanup; + } + + ret = camss_register_entities(camss); +@@ -945,6 +945,8 @@ err_register_subdevs: + camss_unregister_entities(camss); + err_register_entities: + v4l2_device_unregister(&camss->v4l2_dev); ++err_media_device_cleanup: ++ media_device_cleanup(&camss->media_dev); + err_cleanup: + v4l2_async_notifier_cleanup(&camss->notifier); + err_free: diff --git a/queue-5.4/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch b/queue-5.4/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch new file mode 100644 index 0000000000..754aebbb6d --- /dev/null +++ b/queue-5.4/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch @@ -0,0 +1,59 @@ +From stable+bounces-172533-greg=kroah.com@vger.kernel.org Sat Aug 23 03:45:26 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 21:45:18 -0400 +Subject: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() +To: stable@vger.kernel.org +Cc: Gui-Dong Han , Hans Verkuil , Sasha Levin +Message-ID: <20250823014519.1670171-1-sashal@kernel.org> + +From: Gui-Dong Han + +[ Upstream commit 7af160aea26c7dc9e6734d19306128cce156ec40 ] + +In the interrupt handler rain_interrupt(), the buffer full check on +rain->buf_len is performed before acquiring rain->buf_lock. This +creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as +rain->buf_len is concurrently accessed and modified in the work +handler rain_irq_work_handler() under the same lock. + +Multiple interrupt invocations can race, with each reading buf_len +before it becomes full and then proceeding. This can lead to both +interrupts attempting to write to the buffer, incrementing buf_len +beyond its capacity (DATA_SIZE) and causing a buffer overflow. + +Fix this bug by moving the spin_lock() to before the buffer full +check. This ensures that the check and the subsequent buffer modification +are performed atomically, preventing the race condition. An corresponding +spin_unlock() is added to the overflow path to correctly release the +lock. + +This possible bug was found by an experimental static analysis tool +developed by our team. + +Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Signed-off-by: Hans Verkuil +[ drivers/media/cec/usb/rainshadow/ => drivers/media/usb/rainshadow-cec/ ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/rainshadow-cec/rainshadow-cec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/rainshadow-cec/rainshadow-cec.c ++++ b/drivers/media/usb/rainshadow-cec/rainshadow-cec.c +@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct + { + struct rain *rain = serio_get_drvdata(serio); + ++ spin_lock(&rain->buf_lock); + if (rain->buf_len == DATA_SIZE) { ++ spin_unlock(&rain->buf_lock); + dev_warn_once(rain->dev, "buffer overflow\n"); + return IRQ_HANDLED; + } +- spin_lock(&rain->buf_lock); + rain->buf_len++; + rain->buf[rain->buf_wr_idx] = data; + rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff; diff --git a/queue-5.4/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch b/queue-5.4/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch new file mode 100644 index 0000000000..ec06f83426 --- /dev/null +++ b/queue-5.4/media-v4l2-ctrls-always-copy-the-controls-on-completion.patch @@ -0,0 +1,94 @@ +From stable+bounces-172536-greg=kroah.com@vger.kernel.org Sat Aug 23 03:59:20 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 21:59:11 -0400 +Subject: media: v4l2-ctrls: always copy the controls on completion +To: stable@vger.kernel.org +Cc: Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin +Message-ID: <20250823015912.1675214-1-sashal@kernel.org> + +From: Hans Verkuil + +[ Upstream commit c3bf5129f33923c92bf3bddaf4359b7b25ecb4ba ] + +When v4l2_ctrl_request_complete() is called and there is no control +handler object found in the request, then create such an object so +that all controls at completion state can be stored and are available +to userspace. + +Otherwise any attempt by userspace to read the completed request data +will fail. + +If allocating the control handler object failed, then indicate that +by returning ENOMEM when attempting to get the controls from the +completed request instead of returning ENOENT. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 5a0400aca5fa ("media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 36 +++++++++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -3529,8 +3529,19 @@ v4l2_ctrls_find_req_obj(struct v4l2_ctrl + obj = media_request_object_find(req, &req_ops, hdl); + if (obj) + return obj; ++ /* ++ * If there are no controls in this completed request, ++ * then that can only happen if: ++ * ++ * 1) no controls were present in the queued request, and ++ * 2) v4l2_ctrl_request_complete() could not allocate a ++ * control handler object to store the completed state in. ++ * ++ * So return ENOMEM to indicate that there was an out-of-memory ++ * error. ++ */ + if (!set) +- return ERR_PTR(-ENOENT); ++ return ERR_PTR(-ENOMEM); + + new_hdl = kzalloc(sizeof(*new_hdl), GFP_KERNEL); + if (!new_hdl) +@@ -3541,8 +3552,8 @@ v4l2_ctrls_find_req_obj(struct v4l2_ctrl + if (!ret) + ret = v4l2_ctrl_request_bind(req, new_hdl, hdl); + if (ret) { ++ v4l2_ctrl_handler_free(new_hdl); + kfree(new_hdl); +- + return ERR_PTR(ret); + } + +@@ -4113,8 +4124,25 @@ void v4l2_ctrl_request_complete(struct m + * wants to leave the controls unchanged. + */ + obj = media_request_object_find(req, &req_ops, main_hdl); +- if (!obj) +- return; ++ if (!obj) { ++ int ret; ++ ++ /* Create a new request so the driver can return controls */ ++ hdl = kzalloc(sizeof(*hdl), GFP_KERNEL); ++ if (!hdl) ++ return; ++ ++ ret = v4l2_ctrl_handler_init(hdl, (main_hdl->nr_of_buckets - 1) * 8); ++ if (!ret) ++ ret = v4l2_ctrl_request_bind(req, hdl, main_hdl); ++ if (ret) { ++ v4l2_ctrl_handler_free(hdl); ++ kfree(hdl); ++ return; ++ } ++ hdl->request_is_queued = true; ++ obj = media_request_object_find(req, &req_ops, main_hdl); ++ } + hdl = container_of(obj, struct v4l2_ctrl_handler, req_obj); + + list_for_each_entry(ref, &hdl->ctrl_refs, node) { diff --git a/queue-5.4/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch b/queue-5.4/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch new file mode 100644 index 0000000000..10e3df9e84 --- /dev/null +++ b/queue-5.4/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch @@ -0,0 +1,49 @@ +From stable+bounces-172537-greg=kroah.com@vger.kernel.org Sat Aug 23 03:59:21 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 21:59:12 -0400 +Subject: media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() +To: stable@vger.kernel.org +Cc: Sakari Ailus , Hans Verkuil , Laurent Pinchart , Sasha Levin +Message-ID: <20250823015912.1675214-2-sashal@kernel.org> + +From: Sakari Ailus + +[ Upstream commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 ] + +It's a common pattern in drivers to free the control handler's resources +and then return the handler's error code on drivers' error handling paths. +Alas, the v4l2_ctrl_handler_free() function also zeroes the error field, +effectively indicating successful return to the caller. + +There's no apparent need to touch the error field while releasing the +control handler's resources and cleaning up stale pointers. Not touching +the handler's error field is a more certain way to address this problem +than changing all the users, in which case the pattern would be likely to +re-emerge in new drivers. + +Do just that, don't touch the control handler's error field in +v4l2_ctrl_handler_free(). + +Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Hans Verkuil +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +[ v4l2-ctrls.c => v4l2-ctrls-core.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls.c +@@ -2187,7 +2187,6 @@ void v4l2_ctrl_handler_free(struct v4l2_ + kvfree(hdl->buckets); + hdl->buckets = NULL; + hdl->cached = NULL; +- hdl->error = 0; + mutex_unlock(hdl->lock); + mutex_destroy(&hdl->_lock); + } diff --git a/queue-5.4/media-venus-hfi-explicitly-release-irq-during-teardown.patch b/queue-5.4/media-venus-hfi-explicitly-release-irq-during-teardown.patch new file mode 100644 index 0000000000..eaac63bd71 --- /dev/null +++ b/queue-5.4/media-venus-hfi-explicitly-release-irq-during-teardown.patch @@ -0,0 +1,43 @@ +From stable+bounces-172548-greg=kroah.com@vger.kernel.org Sat Aug 23 05:41:59 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 23:41:51 -0400 +Subject: media: venus: hfi: explicitly release IRQ during teardown +To: stable@vger.kernel.org +Cc: Jorge Ramirez-Ortiz , Dikshita Agarwal , Bryan O'Donoghue , Bryan O'Donoghue , Hans Verkuil , Sasha Levin +Message-ID: <20250823034151.1807520-1-sashal@kernel.org> + +From: Jorge Ramirez-Ortiz + +[ Upstream commit 640803003cd903cea73dc6a86bf6963e238e2b3f ] + +Ensure the IRQ is disabled - and all pending handlers completed - before +dismantling the interrupt routing and clearing related pointers. + +This prevents any possibility of the interrupt triggering after the +handler context has been invalidated. + +Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz +Reviewed-by: Dikshita Agarwal +Tested-by: Dikshita Agarwal # RB5 +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/hfi_venus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/qcom/venus/hfi_venus.c ++++ b/drivers/media/platform/qcom/venus/hfi_venus.c +@@ -1608,6 +1608,7 @@ void venus_hfi_destroy(struct venus_core + mutex_destroy(&hdev->lock); + kfree(hdev); + core->priv = NULL; ++ disable_irq(core->irq); + core->ops = NULL; + } + diff --git a/queue-5.4/media-venus-protect-against-spurious-interrupts-during-probe.patch b/queue-5.4/media-venus-protect-against-spurious-interrupts-during-probe.patch new file mode 100644 index 0000000000..3534ac50a8 --- /dev/null +++ b/queue-5.4/media-venus-protect-against-spurious-interrupts-during-probe.patch @@ -0,0 +1,57 @@ +From stable+bounces-172556-greg=kroah.com@vger.kernel.org Sat Aug 23 06:50:22 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 00:50:14 -0400 +Subject: media: venus: protect against spurious interrupts during probe +To: stable@vger.kernel.org +Cc: Jorge Ramirez-Ortiz , Bryan O'Donoghue , Vikash Garodia , Dikshita Agarwal , Bryan O'Donoghue , Hans Verkuil , Sasha Levin +Message-ID: <20250823045015.1877984-1-sashal@kernel.org> + +From: Jorge Ramirez-Ortiz + +[ Upstream commit 3200144a2fa4209dc084a19941b9b203b43580f0 ] + +Make sure the interrupt handler is initialized before the interrupt is +registered. + +If the IRQ is registered before hfi_create(), it's possible that an +interrupt fires before the handler setup is complete, leading to a NULL +dereference. + +This error condition has been observed during system boot on Rb3Gen2. + +Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") +Cc: stable@vger.kernel.org +Signed-off-by: Jorge Ramirez-Ortiz +Reviewed-by: Bryan O'Donoghue +Reviewed-by: Vikash Garodia +Reviewed-by: Dikshita Agarwal +Tested-by: Dikshita Agarwal # RB5 +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +[ kept hfi_isr_thread instead of venus_isr_thread ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/media/platform/qcom/venus/core.c ++++ b/drivers/media/platform/qcom/venus/core.c +@@ -267,13 +267,13 @@ static int venus_probe(struct platform_d + mutex_init(&core->lock); + INIT_DELAYED_WORK(&core->work, venus_sys_error_handler); + +- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread, +- IRQF_TRIGGER_HIGH | IRQF_ONESHOT, +- "venus", core); ++ ret = hfi_create(core, &venus_core_ops); + if (ret) + return ret; + +- ret = hfi_create(core, &venus_core_ops); ++ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread, ++ IRQF_TRIGGER_HIGH | IRQF_ONESHOT, ++ "venus", core); + if (ret) + return ret; + diff --git a/queue-5.4/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch b/queue-5.4/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch new file mode 100644 index 0000000000..a725701618 --- /dev/null +++ b/queue-5.4/media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch @@ -0,0 +1,64 @@ +From stable+bounces-172584-greg=kroah.com@vger.kernel.org Sat Aug 23 14:55:02 2025 +From: Sasha Levin +Date: Sat, 23 Aug 2025 08:54:54 -0400 +Subject: media: venus: vdec: Clamp param smaller than 1fps and bigger than 240. +To: stable@vger.kernel.org +Cc: Ricardo Ribalda , Hans Verkuil , Bryan O'Donoghue , Bryan O'Donoghue , Sasha Levin +Message-ID: <20250823125454.2100689-1-sashal@kernel.org> + +From: Ricardo Ribalda + +[ Upstream commit 377dc500d253f0b26732b2cb062e89668aef890a ] + +The driver uses "whole" fps in all its calculations (e.g. in +load_per_instance()). Those calculation expect an fps bigger than 1, and +not big enough to overflow. + +Clamp the value if the user provides a param that will result in an invalid +fps. + +Reported-by: Hans Verkuil +Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0 +Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files") +Cc: stable@vger.kernel.org +Tested-by: Bryan O'Donoghue # qrb5615-rb5 +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Ricardo Ribalda +[bod: Change "parm" to "param"] +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Hans Verkuil +[ Adjust context in header ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/qcom/venus/core.h | 2 ++ + drivers/media/platform/qcom/venus/vdec.c | 5 ++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/qcom/venus/core.h ++++ b/drivers/media/platform/qcom/venus/core.h +@@ -16,6 +16,8 @@ + + #define VIDC_CLKS_NUM_MAX 4 + ++#define VENUS_MAX_FPS 240 ++ + struct freq_tbl { + unsigned int load; + unsigned long freq; +--- a/drivers/media/platform/qcom/venus/vdec.c ++++ b/drivers/media/platform/qcom/venus/vdec.c +@@ -418,11 +418,10 @@ static int vdec_s_parm(struct file *file + us_per_frame = timeperframe->numerator * (u64)USEC_PER_SEC; + do_div(us_per_frame, timeperframe->denominator); + +- if (!us_per_frame) +- return -EINVAL; +- ++ us_per_frame = clamp(us_per_frame, 1, USEC_PER_SEC); + fps = (u64)USEC_PER_SEC; + do_div(fps, us_per_frame); ++ fps = min(VENUS_MAX_FPS, fps); + + inst->fps = fps; + inst->timeperframe = *timeperframe; diff --git a/queue-5.4/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch b/queue-5.4/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch new file mode 100644 index 0000000000..43dcdc1a93 --- /dev/null +++ b/queue-5.4/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch @@ -0,0 +1,61 @@ +From stable+bounces-169604-greg=kroah.com@vger.kernel.org Thu Aug 14 18:57:50 2025 +From: Sasha Levin +Date: Thu, 14 Aug 2025 12:53:56 -0400 +Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery +To: stable@vger.kernel.org +Cc: Andy Shevchenko , Leon Romanovsky , Alistair Popple , Bill Wendling , Jerome Glisse , Justin Stitt , Nathan Chancellor , Andrew Morton , Sasha Levin +Message-ID: <20250814165356.2131524-1-sashal@kernel.org> + +From: Andy Shevchenko + +[ Upstream commit 188cb385bbf04d486df3e52f28c47b3961f5f0c0 ] + +When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with +clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n: + + mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function] + +Fix this by moving the function to the respective existing ifdeffery +for its the only user. + +See also: + + 6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build") + +Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.intel.com +Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem") +Signed-off-by: Andy Shevchenko +Reviewed-by: Leon Romanovsky +Reviewed-by: Alistair Popple +Cc: Andriy Shevchenko +Cc: Bill Wendling +Cc: Jerome Glisse +Cc: Justin Stitt +Cc: Nathan Chancellor +Cc: +Signed-off-by: Andrew Morton +[ Minor context adjustment ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/hmm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/hmm.c ++++ b/mm/hmm.c +@@ -392,6 +392,7 @@ static int hmm_vma_walk_hole(unsigned lo + return hmm_vma_walk_hole_(addr, end, fault, write_fault, walk); + } + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE + static inline uint64_t pmd_to_hmm_pfn_flags(struct hmm_range *range, pmd_t pmd) + { + if (pmd_protnone(pmd)) +@@ -401,7 +402,6 @@ static inline uint64_t pmd_to_hmm_pfn_fl + range->flags[HMM_PFN_VALID]; + } + +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE + static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr, + unsigned long end, uint64_t *pfns, pmd_t pmd) + { diff --git a/queue-5.4/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch b/queue-5.4/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch new file mode 100644 index 0000000000..c74a2a8ba2 --- /dev/null +++ b/queue-5.4/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch @@ -0,0 +1,68 @@ +From stable+bounces-171815-greg=kroah.com@vger.kernel.org Tue Aug 19 17:26:24 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 11:26:13 -0400 +Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock +To: stable@vger.kernel.org +Cc: Breno Leitao , Jakub Kicinski , Catalin Marinas , Andrew Morton , Sasha Levin +Message-ID: <20250819152613.541716-2-sashal@kernel.org> + +From: Breno Leitao + +[ Upstream commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 ] + +When netpoll is enabled, calling pr_warn_once() while holding +kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock +inversion with the netconsole subsystem. This occurs because +pr_warn_once() may trigger netpoll, which eventually leads to +__alloc_skb() and back into kmemleak code, attempting to reacquire +kmemleak_lock. + +This is the path for the deadlock. + +mem_pool_alloc() + -> raw_spin_lock_irqsave(&kmemleak_lock, flags); + -> pr_warn_once() + -> netconsole subsystem + -> netpoll + -> __alloc_skb + -> __create_object + -> raw_spin_lock_irqsave(&kmemleak_lock, flags); + +Fix this by setting a flag and issuing the pr_warn_once() after +kmemleak_lock is released. + +Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org +Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations") +Signed-off-by: Breno Leitao +Reported-by: Jakub Kicinski +Acked-by: Catalin Marinas +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -417,6 +417,7 @@ static struct kmemleak_object *mem_pool_ + { + unsigned long flags; + struct kmemleak_object *object; ++ bool warn = false; + + /* try the slab allocator first */ + if (object_cache) { +@@ -434,8 +435,10 @@ static struct kmemleak_object *mem_pool_ + else if (mem_pool_free_count) + object = &mem_pool[--mem_pool_free_count]; + else +- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); ++ warn = true; + raw_spin_unlock_irqrestore(&kmemleak_lock, flags); ++ if (warn) ++ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); + + return object; + } diff --git a/queue-5.4/mm-kmemleak-turn-kmemleak_lock-and-object-lock-to-raw_spinlock_t.patch b/queue-5.4/mm-kmemleak-turn-kmemleak_lock-and-object-lock-to-raw_spinlock_t.patch new file mode 100644 index 0000000000..73b8be7840 --- /dev/null +++ b/queue-5.4/mm-kmemleak-turn-kmemleak_lock-and-object-lock-to-raw_spinlock_t.patch @@ -0,0 +1,423 @@ +From stable+bounces-171814-greg=kroah.com@vger.kernel.org Tue Aug 19 17:26:21 2025 +From: Sasha Levin +Date: Tue, 19 Aug 2025 11:26:12 -0400 +Subject: mm/kmemleak: turn kmemleak_lock and object->lock to raw_spinlock_t +To: stable@vger.kernel.org +Cc: He Zhe , Liu Haitao , Yongxin Liu , Sebastian Andrzej Siewior , Catalin Marinas , Andrew Morton , Linus Torvalds , Sasha Levin +Message-ID: <20250819152613.541716-1-sashal@kernel.org> + +From: He Zhe + +[ Upstream commit 8c96f1bc6fc49c724c4cdd22d3e99260263b7384 ] + +kmemleak_lock as a rwlock on RT can possibly be acquired in atomic +context which does work. + +Since the kmemleak operation is performed in atomic context make it a +raw_spinlock_t so it can also be acquired on RT. This is used for +debugging and is not enabled by default in a production like environment +(where performance/latency matters) so it makes sense to make it a +raw_spinlock_t instead trying to get rid of the atomic context. Turn +also the kmemleak_object->lock into raw_spinlock_t which is acquired +(nested) while the kmemleak_lock is held. + +The time spent in "echo scan > kmemleak" slightly improved on 64core box +with this patch applied after boot. + +[bigeasy@linutronix.de: redo the description, update comments. Merge the individual bits: He Zhe did the kmemleak_lock, Liu Haitao the ->lock and Yongxin Liu forwarded Liu's patch.] +Link: http://lkml.kernel.org/r/20191219170834.4tah3prf2gdothz4@linutronix.de +Link: https://lkml.kernel.org/r/20181218150744.GB20197@arrakis.emea.arm.com +Link: https://lkml.kernel.org/r/1542877459-144382-1-git-send-email-zhe.he@windriver.com +Link: https://lkml.kernel.org/r/20190927082230.34152-1-yongxin.liu@windriver.com +Signed-off-by: He Zhe +Signed-off-by: Liu Haitao +Signed-off-by: Yongxin Liu +Signed-off-by: Sebastian Andrzej Siewior +Acked-by: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 47b0f6d8f0d2 ("mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 112 +++++++++++++++++++++++++++++----------------------------- + 1 file changed, 56 insertions(+), 56 deletions(-) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -13,7 +13,7 @@ + * + * The following locks and mutexes are used by kmemleak: + * +- * - kmemleak_lock (rwlock): protects the object_list modifications and ++ * - kmemleak_lock (raw_spinlock_t): protects the object_list modifications and + * accesses to the object_tree_root. The object_list is the main list + * holding the metadata (struct kmemleak_object) for the allocated memory + * blocks. The object_tree_root is a red black tree used to look-up +@@ -22,13 +22,13 @@ + * object_tree_root in the create_object() function called from the + * kmemleak_alloc() callback and removed in delete_object() called from the + * kmemleak_free() callback +- * - kmemleak_object.lock (spinlock): protects a kmemleak_object. Accesses to +- * the metadata (e.g. count) are protected by this lock. Note that some +- * members of this structure may be protected by other means (atomic or +- * kmemleak_lock). This lock is also held when scanning the corresponding +- * memory block to avoid the kernel freeing it via the kmemleak_free() +- * callback. This is less heavyweight than holding a global lock like +- * kmemleak_lock during scanning ++ * - kmemleak_object.lock (raw_spinlock_t): protects a kmemleak_object. ++ * Accesses to the metadata (e.g. count) are protected by this lock. Note ++ * that some members of this structure may be protected by other means ++ * (atomic or kmemleak_lock). This lock is also held when scanning the ++ * corresponding memory block to avoid the kernel freeing it via the ++ * kmemleak_free() callback. This is less heavyweight than holding a global ++ * lock like kmemleak_lock during scanning. + * - scan_mutex (mutex): ensures that only one thread may scan the memory for + * unreferenced objects at a time. The gray_list contains the objects which + * are already referenced or marked as false positives and need to be +@@ -135,7 +135,7 @@ struct kmemleak_scan_area { + * (use_count) and freed using the RCU mechanism. + */ + struct kmemleak_object { +- spinlock_t lock; ++ raw_spinlock_t lock; + unsigned int flags; /* object status flags */ + struct list_head object_list; + struct list_head gray_list; +@@ -191,8 +191,8 @@ static int mem_pool_free_count = ARRAY_S + static LIST_HEAD(mem_pool_free_list); + /* search tree for object boundaries */ + static struct rb_root object_tree_root = RB_ROOT; +-/* rw_lock protecting the access to object_list and object_tree_root */ +-static DEFINE_RWLOCK(kmemleak_lock); ++/* protecting the access to object_list and object_tree_root */ ++static DEFINE_RAW_SPINLOCK(kmemleak_lock); + + /* allocation caches for kmemleak internal data */ + static struct kmem_cache *object_cache; +@@ -426,7 +426,7 @@ static struct kmemleak_object *mem_pool_ + } + + /* slab allocation failed, try the memory pool */ +- write_lock_irqsave(&kmemleak_lock, flags); ++ raw_spin_lock_irqsave(&kmemleak_lock, flags); + object = list_first_entry_or_null(&mem_pool_free_list, + typeof(*object), object_list); + if (object) +@@ -435,7 +435,7 @@ static struct kmemleak_object *mem_pool_ + object = &mem_pool[--mem_pool_free_count]; + else + pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n"); +- write_unlock_irqrestore(&kmemleak_lock, flags); ++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + + return object; + } +@@ -453,9 +453,9 @@ static void mem_pool_free(struct kmemlea + } + + /* add the object to the memory pool free list */ +- write_lock_irqsave(&kmemleak_lock, flags); ++ raw_spin_lock_irqsave(&kmemleak_lock, flags); + list_add(&object->object_list, &mem_pool_free_list); +- write_unlock_irqrestore(&kmemleak_lock, flags); ++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + } + + /* +@@ -514,9 +514,9 @@ static struct kmemleak_object *find_and_ + struct kmemleak_object *object; + + rcu_read_lock(); +- read_lock_irqsave(&kmemleak_lock, flags); ++ raw_spin_lock_irqsave(&kmemleak_lock, flags); + object = lookup_object(ptr, alias); +- read_unlock_irqrestore(&kmemleak_lock, flags); ++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + + /* check whether the object is still available */ + if (object && !get_object(object)) +@@ -546,11 +546,11 @@ static struct kmemleak_object *find_and_ + unsigned long flags; + struct kmemleak_object *object; + +- write_lock_irqsave(&kmemleak_lock, flags); ++ raw_spin_lock_irqsave(&kmemleak_lock, flags); + object = lookup_object(ptr, alias); + if (object) + __remove_object(object); +- write_unlock_irqrestore(&kmemleak_lock, flags); ++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + + return object; + } +@@ -585,7 +585,7 @@ static struct kmemleak_object *create_ob + INIT_LIST_HEAD(&object->object_list); + INIT_LIST_HEAD(&object->gray_list); + INIT_HLIST_HEAD(&object->area_list); +- spin_lock_init(&object->lock); ++ raw_spin_lock_init(&object->lock); + atomic_set(&object->use_count, 1); + object->flags = OBJECT_ALLOCATED; + object->pointer = ptr; +@@ -617,7 +617,7 @@ static struct kmemleak_object *create_ob + /* kernel backtrace */ + object->trace_len = __save_stack_trace(object->trace); + +- write_lock_irqsave(&kmemleak_lock, flags); ++ raw_spin_lock_irqsave(&kmemleak_lock, flags); + + untagged_ptr = (unsigned long)kasan_reset_tag((void *)ptr); + min_addr = min(min_addr, untagged_ptr); +@@ -649,7 +649,7 @@ static struct kmemleak_object *create_ob + + list_add_tail_rcu(&object->object_list, &object_list); + out: +- write_unlock_irqrestore(&kmemleak_lock, flags); ++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + return object; + } + +@@ -667,9 +667,9 @@ static void __delete_object(struct kmeml + * Locking here also ensures that the corresponding memory block + * cannot be freed when it is being scanned. + */ +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + object->flags &= ~OBJECT_ALLOCATED; +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + put_object(object); + } + +@@ -739,9 +739,9 @@ static void paint_it(struct kmemleak_obj + { + unsigned long flags; + +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + __paint_it(object, color); +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + } + + static void paint_ptr(unsigned long ptr, int color) +@@ -803,7 +803,7 @@ static void add_scan_area(unsigned long + if (scan_area_cache) + area = kmem_cache_alloc(scan_area_cache, gfp_kmemleak_mask(gfp)); + +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + if (!area) { + pr_warn_once("Cannot allocate a scan area, scanning the full object\n"); + /* mark the object for full scan to avoid false positives */ +@@ -825,7 +825,7 @@ static void add_scan_area(unsigned long + + hlist_add_head(&area->node, &object->area_list); + out_unlock: +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + put_object(object); + } + +@@ -847,9 +847,9 @@ static void object_set_excess_ref(unsign + return; + } + +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + object->excess_ref = excess_ref; +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + put_object(object); + } + +@@ -869,9 +869,9 @@ static void object_no_scan(unsigned long + return; + } + +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + object->flags |= OBJECT_NO_SCAN; +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + put_object(object); + } + +@@ -1031,9 +1031,9 @@ void __ref kmemleak_update_trace(const v + return; + } + +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + object->trace_len = __save_stack_trace(object->trace); +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + + put_object(object); + } +@@ -1238,7 +1238,7 @@ static void scan_block(void *_start, voi + unsigned long flags; + unsigned long untagged_ptr; + +- read_lock_irqsave(&kmemleak_lock, flags); ++ raw_spin_lock_irqsave(&kmemleak_lock, flags); + for (ptr = start; ptr < end; ptr++) { + struct kmemleak_object *object; + unsigned long pointer; +@@ -1273,7 +1273,7 @@ static void scan_block(void *_start, voi + * previously acquired in scan_object(). These locks are + * enclosed by scan_mutex. + */ +- spin_lock_nested(&object->lock, SINGLE_DEPTH_NESTING); ++ raw_spin_lock_nested(&object->lock, SINGLE_DEPTH_NESTING); + /* only pass surplus references (object already gray) */ + if (color_gray(object)) { + excess_ref = object->excess_ref; +@@ -1282,7 +1282,7 @@ static void scan_block(void *_start, voi + excess_ref = 0; + update_refs(object); + } +- spin_unlock(&object->lock); ++ raw_spin_unlock(&object->lock); + + if (excess_ref) { + object = lookup_object(excess_ref, 0); +@@ -1291,12 +1291,12 @@ static void scan_block(void *_start, voi + if (object == scanned) + /* circular reference, ignore */ + continue; +- spin_lock_nested(&object->lock, SINGLE_DEPTH_NESTING); ++ raw_spin_lock_nested(&object->lock, SINGLE_DEPTH_NESTING); + update_refs(object); +- spin_unlock(&object->lock); ++ raw_spin_unlock(&object->lock); + } + } +- read_unlock_irqrestore(&kmemleak_lock, flags); ++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + } + + /* +@@ -1329,7 +1329,7 @@ static void scan_object(struct kmemleak_ + * Once the object->lock is acquired, the corresponding memory block + * cannot be freed (the same lock is acquired in delete_object). + */ +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + if (object->flags & OBJECT_NO_SCAN) + goto out; + if (!(object->flags & OBJECT_ALLOCATED)) +@@ -1349,9 +1349,9 @@ static void scan_object(struct kmemleak_ + if (start >= end) + break; + +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + cond_resched(); +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + } while (object->flags & OBJECT_ALLOCATED); + } else + hlist_for_each_entry(area, &object->area_list, node) +@@ -1359,7 +1359,7 @@ static void scan_object(struct kmemleak_ + (void *)(area->start + area->size), + object); + out: +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + } + + /* +@@ -1413,7 +1413,7 @@ static void kmemleak_scan(void) + /* prepare the kmemleak_object's */ + rcu_read_lock(); + list_for_each_entry_rcu(object, &object_list, object_list) { +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + #ifdef DEBUG + /* + * With a few exceptions there should be a maximum of +@@ -1430,7 +1430,7 @@ static void kmemleak_scan(void) + if (color_gray(object) && get_object(object)) + list_add_tail(&object->gray_list, &gray_list); + +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + } + rcu_read_unlock(); + +@@ -1498,14 +1498,14 @@ static void kmemleak_scan(void) + */ + rcu_read_lock(); + list_for_each_entry_rcu(object, &object_list, object_list) { +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + if (color_white(object) && (object->flags & OBJECT_ALLOCATED) + && update_checksum(object) && get_object(object)) { + /* color it gray temporarily */ + object->count = object->min_count; + list_add_tail(&object->gray_list, &gray_list); + } +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + } + rcu_read_unlock(); + +@@ -1525,7 +1525,7 @@ static void kmemleak_scan(void) + */ + rcu_read_lock(); + list_for_each_entry_rcu(object, &object_list, object_list) { +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + if (unreferenced_object(object) && + !(object->flags & OBJECT_REPORTED)) { + object->flags |= OBJECT_REPORTED; +@@ -1535,7 +1535,7 @@ static void kmemleak_scan(void) + + new_leaks++; + } +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + } + rcu_read_unlock(); + +@@ -1687,10 +1687,10 @@ static int kmemleak_seq_show(struct seq_ + struct kmemleak_object *object = v; + unsigned long flags; + +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + if ((object->flags & OBJECT_REPORTED) && unreferenced_object(object)) + print_unreferenced(seq, object); +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + return 0; + } + +@@ -1720,9 +1720,9 @@ static int dump_str_object_info(const ch + return -EINVAL; + } + +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + dump_object_info(object); +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + + put_object(object); + return 0; +@@ -1741,11 +1741,11 @@ static void kmemleak_clear(void) + + rcu_read_lock(); + list_for_each_entry_rcu(object, &object_list, object_list) { +- spin_lock_irqsave(&object->lock, flags); ++ raw_spin_lock_irqsave(&object->lock, flags); + if ((object->flags & OBJECT_REPORTED) && + unreferenced_object(object)) + __paint_it(object, KMEMLEAK_GREY); +- spin_unlock_irqrestore(&object->lock, flags); ++ raw_spin_unlock_irqrestore(&object->lock, flags); + } + rcu_read_unlock(); + diff --git a/queue-5.4/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch b/queue-5.4/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch new file mode 100644 index 0000000000..9e5706036e --- /dev/null +++ b/queue-5.4/mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch @@ -0,0 +1,58 @@ +From stable+bounces-165090-greg=kroah.com@vger.kernel.org Tue Jul 29 17:13:39 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 11:13:26 -0400 +Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n +To: stable@vger.kernel.org +Cc: Harry Yoo , David Hildenbrand , Sergey Senozhatsky , Minchan Kim , Andrew Morton , Sasha Levin +Message-ID: <20250729151326.2730116-2-sashal@kernel.org> + +From: Harry Yoo + +[ Upstream commit 694d6b99923eb05a8fd188be44e26077d19f0e21 ] + +Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for +migrating zsmalloc pages using the movable_operations migration framework. +However, the commit did not take into account that zsmalloc supports +migration only when CONFIG_COMPACTION is enabled. Tracing shows that +zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is +not supported. + +This can result in unmovable pages being allocated from movable page +blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area. + +Possible user visible effects: +- Some ZONE_MOVABLE memory can be not actually movable +- CMA allocation can fail because of this +- Increased memory fragmentation due to ignoring the page mobility + grouping feature +I'm not really sure who uses kernels without compaction support, though :( + +To fix this, clear the __GFP_MOVABLE flag when +!IS_ENABLED(CONFIG_COMPACTION). + +Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com +Fixes: 48b4800a1c6a ("zsmalloc: page migration support") +Signed-off-by: Harry Yoo +Acked-by: David Hildenbrand +Reviewed-by: Sergey Senozhatsky +Cc: Minchan Kim +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/zsmalloc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/zsmalloc.c ++++ b/mm/zsmalloc.c +@@ -1067,6 +1067,9 @@ static struct zspage *alloc_zspage(struc + if (!zspage) + return NULL; + ++ if (!IS_ENABLED(CONFIG_COMPACTION)) ++ gfp &= ~__GFP_MOVABLE; ++ + zspage->magic = ZSPAGE_MAGIC; + migrate_lock_init(zspage); + diff --git a/queue-5.4/mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch b/queue-5.4/mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch new file mode 100644 index 0000000000..1f8d371bef --- /dev/null +++ b/queue-5.4/mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch @@ -0,0 +1,48 @@ +From stable+bounces-165089-greg=kroah.com@vger.kernel.org Tue Jul 29 17:13:38 2025 +From: Sasha Levin +Date: Tue, 29 Jul 2025 11:13:25 -0400 +Subject: mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage() +To: stable@vger.kernel.org +Cc: Miaohe Lin , Sergey Senozhatsky , Minchan Kim , Andrew Morton , Linus Torvalds , Sasha Levin +Message-ID: <20250729151326.2730116-1-sashal@kernel.org> + +From: Miaohe Lin + +[ Upstream commit f0231305acd53375c6cf736971bf5711105dd6bb ] + +We always memset the zspage allocated via cache_alloc_zspage. So it's +more convenient to use kmem_cache_zalloc in cache_alloc_zspage than caller +do it manually. + +Link: https://lkml.kernel.org/r/20210114120032.25885-1-linmiaohe@huawei.com +Signed-off-by: Miaohe Lin +Reviewed-by: Sergey Senozhatsky +Cc: Minchan Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: 694d6b99923e ("mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/zsmalloc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/mm/zsmalloc.c ++++ b/mm/zsmalloc.c +@@ -357,7 +357,7 @@ static void cache_free_handle(struct zs_ + + static struct zspage *cache_alloc_zspage(struct zs_pool *pool, gfp_t flags) + { +- return kmem_cache_alloc(pool->zspage_cachep, ++ return kmem_cache_zalloc(pool->zspage_cachep, + flags & ~(__GFP_HIGHMEM|__GFP_MOVABLE)); + } + +@@ -1067,7 +1067,6 @@ static struct zspage *alloc_zspage(struc + if (!zspage) + return NULL; + +- memset(zspage, 0, sizeof(struct zspage)); + zspage->magic = ZSPAGE_MAGIC; + migrate_lock_init(zspage); + diff --git a/queue-5.4/net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch b/queue-5.4/net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch new file mode 100644 index 0000000000..8deb01666a --- /dev/null +++ b/queue-5.4/net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch @@ -0,0 +1,122 @@ +From 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f Mon Sep 17 00:00:00 2001 +From: John Ernberg +Date: Wed, 23 Jul 2025 10:25:35 +0000 +Subject: net: usbnet: Avoid potential RCU stall on LINK_CHANGE event + +From: John Ernberg + +commit 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f upstream. + +The Gemalto Cinterion PLS83-W modem (cdc_ether) is emitting confusing link +up and down events when the WWAN interface is activated on the modem-side. + +Interrupt URBs will in consecutive polls grab: +* Link Connected +* Link Disconnected +* Link Connected + +Where the last Connected is then a stable link state. + +When the system is under load this may cause the unlink_urbs() work in +__handle_link_change() to not complete before the next usbnet_link_change() +call turns the carrier on again, allowing rx_submit() to queue new SKBs. + +In that event the URB queue is filled faster than it can drain, ending up +in a RCU stall: + + rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 0-.... } 33108 jiffies s: 201 root: 0x1/. + rcu: blocking rcu_node structures (internal RCU debug): + Sending NMI from CPU 1 to CPUs 0: + NMI backtrace for cpu 0 + + Call trace: + arch_local_irq_enable+0x4/0x8 + local_bh_enable+0x18/0x20 + __netdev_alloc_skb+0x18c/0x1cc + rx_submit+0x68/0x1f8 [usbnet] + rx_alloc_submit+0x4c/0x74 [usbnet] + usbnet_bh+0x1d8/0x218 [usbnet] + usbnet_bh_tasklet+0x10/0x18 [usbnet] + tasklet_action_common+0xa8/0x110 + tasklet_action+0x2c/0x34 + handle_softirqs+0x2cc/0x3a0 + __do_softirq+0x10/0x18 + ____do_softirq+0xc/0x14 + call_on_irq_stack+0x24/0x34 + do_softirq_own_stack+0x18/0x20 + __irq_exit_rcu+0xa8/0xb8 + irq_exit_rcu+0xc/0x30 + el1_interrupt+0x34/0x48 + el1h_64_irq_handler+0x14/0x1c + el1h_64_irq+0x68/0x6c + _raw_spin_unlock_irqrestore+0x38/0x48 + xhci_urb_dequeue+0x1ac/0x45c [xhci_hcd] + unlink1+0xd4/0xdc [usbcore] + usb_hcd_unlink_urb+0x70/0xb0 [usbcore] + usb_unlink_urb+0x24/0x44 [usbcore] + unlink_urbs.constprop.0.isra.0+0x64/0xa8 [usbnet] + __handle_link_change+0x34/0x70 [usbnet] + usbnet_deferred_kevent+0x1c0/0x320 [usbnet] + process_scheduled_works+0x2d0/0x48c + worker_thread+0x150/0x1dc + kthread+0xd8/0xe8 + ret_from_fork+0x10/0x20 + +Get around the problem by delaying the carrier on to the scheduled work. + +This needs a new flag to keep track of the necessary action. + +The carrier ok check cannot be removed as it remains required for the +LINK_RESET event flow. + +Fixes: 4b49f58fff00 ("usbnet: handle link change") +Cc: stable@vger.kernel.org +Signed-off-by: John Ernberg +Link: https://patch.msgid.link/20250723102526.1305339-1-john.ernberg@actia.se +Signed-off-by: Jakub Kicinski +[ adjust context in header ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 11 ++++++++--- + include/linux/usb/usbnet.h | 1 + + 2 files changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1106,6 +1106,9 @@ static void __handle_link_change(struct + * tx queue is stopped by netcore after link becomes off + */ + } else { ++ if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags)) ++ netif_carrier_on(dev->net); ++ + /* submitting URBs for reading packets */ + tasklet_schedule(&dev->bh); + } +@@ -1978,10 +1981,12 @@ EXPORT_SYMBOL(usbnet_manage_power); + void usbnet_link_change(struct usbnet *dev, bool link, bool need_reset) + { + /* update link after link is reseted */ +- if (link && !need_reset) +- netif_carrier_on(dev->net); +- else ++ if (link && !need_reset) { ++ set_bit(EVENT_LINK_CARRIER_ON, &dev->flags); ++ } else { ++ clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags); + netif_carrier_off(dev->net); ++ } + + if (need_reset && link) + usbnet_defer_kevent(dev, EVENT_LINK_RESET); +--- a/include/linux/usb/usbnet.h ++++ b/include/linux/usb/usbnet.h +@@ -83,6 +83,7 @@ struct usbnet { + # define EVENT_LINK_CHANGE 11 + # define EVENT_SET_RX_MODE 12 + # define EVENT_NO_IP_ALIGN 13 ++# define EVENT_LINK_CARRIER_ON 14 + u32 rx_speed; /* in bps - NOT Mbps */ + u32 tx_speed; /* in bps - NOT Mbps */ + }; diff --git a/queue-5.4/net-usbnet-fix-the-wrong-netif_carrier_on-call.patch b/queue-5.4/net-usbnet-fix-the-wrong-netif_carrier_on-call.patch new file mode 100644 index 0000000000..85a3c6e137 --- /dev/null +++ b/queue-5.4/net-usbnet-fix-the-wrong-netif_carrier_on-call.patch @@ -0,0 +1,57 @@ +From 8466d393700f9ccef68134d3349f4e0a087679b9 Mon Sep 17 00:00:00 2001 +From: Ammar Faizi +Date: Wed, 6 Aug 2025 07:31:05 +0700 +Subject: net: usbnet: Fix the wrong netif_carrier_on() call + +From: Ammar Faizi + +commit 8466d393700f9ccef68134d3349f4e0a087679b9 upstream. + +The commit referenced in the Fixes tag causes usbnet to malfunction +(identified via git bisect). Post-commit, my external RJ45 LAN cable +fails to connect. Linus also reported the same issue after pulling that +commit. + +The code has a logic error: netif_carrier_on() is only called when the +link is already on. Fix this by moving the netif_carrier_on() call +outside the if-statement entirely. This ensures it is always called +when EVENT_LINK_CARRIER_ON is set and properly clears it regardless +of the link state. + +Cc: stable@vger.kernel.org +Cc: Armando Budianto +Reviewed-by: Simon Horman +Suggested-by: Linus Torvalds +Link: https://lore.kernel.org/all/CAHk-=wjqL4uF0MG_c8+xHX1Vv8==sPYQrtzbdA3kzi96284nuQ@mail.gmail.com +Closes: https://lore.kernel.org/netdev/CAHk-=wjKh8X4PT_mU1kD4GQrbjivMfPn-_hXa6han_BTDcXddw@mail.gmail.com +Closes: https://lore.kernel.org/netdev/0752dee6-43d6-4e1f-81d2-4248142cccd2@gnuweeb.org +Fixes: 0d9cfc9b8cb1 ("net: usbnet: Avoid potential RCU stall on LINK_CHANGE event") +Signed-off-by: Ammar Faizi +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1097,6 +1097,9 @@ static void __handle_link_change(struct + if (!test_bit(EVENT_DEV_OPEN, &dev->flags)) + return; + ++ if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags)) ++ netif_carrier_on(dev->net); ++ + if (!netif_carrier_ok(dev->net)) { + /* kill URBs for reading packets to save bus bandwidth */ + unlink_urbs(dev, &dev->rxq); +@@ -1106,9 +1109,6 @@ static void __handle_link_change(struct + * tx queue is stopped by netcore after link becomes off + */ + } else { +- if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags)) +- netif_carrier_on(dev->net); +- + /* submitting URBs for reading packets */ + tasklet_schedule(&dev->bh); + } diff --git a/queue-5.4/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch b/queue-5.4/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch new file mode 100644 index 0000000000..eb14b76174 --- /dev/null +++ b/queue-5.4/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch @@ -0,0 +1,154 @@ +From stable+bounces-169876-greg=kroah.com@vger.kernel.org Sun Aug 17 04:28:43 2025 +From: Sasha Levin +Date: Sat, 16 Aug 2025 22:28:12 -0400 +Subject: NFS: Fix the setting of capabilities when automounting a new filesystem +To: stable@vger.kernel.org +Cc: Trond Myklebust , Benjamin Coddington , Sasha Levin +Message-ID: <20250817022812.1338100-3-sashal@kernel.org> + +From: Trond Myklebust + +[ Upstream commit b01f21cacde9f2878492cf318fee61bf4ccad323 ] + +Capabilities cannot be inherited when we cross into a new filesystem. +They need to be reset to the minimal defaults, and then probed for +again. + +Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID") +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +[ adapted to older fs_context-less API structures ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/client.c | 44 ++++++++++++++++++++++++++++++++++++++++---- + fs/nfs/internal.h | 1 + + fs/nfs/nfs4client.c | 13 +------------ + fs/nfs/nfs4proc.c | 2 ++ + 4 files changed, 44 insertions(+), 16 deletions(-) + +--- a/fs/nfs/client.c ++++ b/fs/nfs/client.c +@@ -646,6 +646,42 @@ struct nfs_client *nfs_init_client(struc + } + EXPORT_SYMBOL_GPL(nfs_init_client); + ++static void nfs4_server_set_init_caps(struct nfs_server *server) ++{ ++#if IS_ENABLED(CONFIG_NFS_V4) ++ /* Set the basic capabilities */ ++ server->caps = server->nfs_client->cl_mvops->init_caps; ++ if (server->flags & NFS_MOUNT_NORDIRPLUS) ++ server->caps &= ~NFS_CAP_READDIRPLUS; ++ ++ /* ++ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower ++ * authentication. ++ */ ++ if (nfs4_disable_idmapping && ++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) ++ server->caps |= NFS_CAP_UIDGID_NOMAP; ++#endif ++} ++ ++void nfs_server_set_init_caps(struct nfs_server *server) ++{ ++ switch (server->nfs_client->rpc_ops->version) { ++ case 2: ++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; ++ break; ++ case 3: ++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS; ++ if (!(server->flags & NFS_MOUNT_NORDIRPLUS)) ++ server->caps |= NFS_CAP_READDIRPLUS; ++ break; ++ default: ++ nfs4_server_set_init_caps(server); ++ break; ++ } ++} ++EXPORT_SYMBOL_GPL(nfs_server_set_init_caps); ++ + /* + * Create a version 2 or 3 client + */ +@@ -683,9 +719,6 @@ static int nfs_init_server(struct nfs_se + /* Initialise the client representation from the mount data */ + server->flags = data->flags; + server->options = data->options; +- server->caps |= NFS_CAP_HARDLINKS|NFS_CAP_SYMLINKS|NFS_CAP_FILEID| +- NFS_CAP_MODE|NFS_CAP_NLINK|NFS_CAP_OWNER|NFS_CAP_OWNER_GROUP| +- NFS_CAP_ATIME|NFS_CAP_CTIME|NFS_CAP_MTIME; + + if (data->rsize) + server->rsize = nfs_block_size(data->rsize, NULL); +@@ -710,6 +743,8 @@ static int nfs_init_server(struct nfs_se + if (error < 0) + goto error; + ++ nfs_server_set_init_caps(server); ++ + /* Preserve the values of mount_server-related mount options */ + if (data->mount_server.addrlen) { + memcpy(&server->mountd_address, &data->mount_server.address, +@@ -834,7 +869,6 @@ void nfs_server_copy_userdata(struct nfs + target->acregmax = source->acregmax; + target->acdirmin = source->acdirmin; + target->acdirmax = source->acdirmax; +- target->caps = source->caps; + target->options = source->options; + target->auth_info = source->auth_info; + target->port = source->port; +@@ -1042,6 +1076,8 @@ struct nfs_server *nfs_clone_server(stru + if (error < 0) + goto out_free_server; + ++ nfs_server_set_init_caps(server); ++ + /* probe the filesystem info for this server filesystem */ + error = nfs_probe_fsinfo(server, fh, fattr_fsinfo); + if (error < 0) +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -172,6 +172,7 @@ nfs4_find_client_sessionid(struct net *, + struct nfs4_sessionid *, u32); + extern struct nfs_server *nfs_create_server(struct nfs_mount_info *, + struct nfs_subversion *); ++extern void nfs_server_set_init_caps(struct nfs_server *); + extern struct nfs_server *nfs4_create_server( + struct nfs_mount_info *, + struct nfs_subversion *); +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -1011,18 +1011,7 @@ static int nfs4_server_common_setup(stru + if (error < 0) + goto out; + +- /* Set the basic capabilities */ +- server->caps |= server->nfs_client->cl_mvops->init_caps; +- if (server->flags & NFS_MOUNT_NORDIRPLUS) +- server->caps &= ~NFS_CAP_READDIRPLUS; +- /* +- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower +- * authentication. +- */ +- if (nfs4_disable_idmapping && +- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX) +- server->caps |= NFS_CAP_UIDGID_NOMAP; +- ++ nfs_server_set_init_caps(server); + + /* Probe the root fh to retrieve its FSID and filehandle */ + error = nfs4_get_rootfh(server, mntfh, auth_probe); +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3884,6 +3884,8 @@ int nfs4_server_capabilities(struct nfs_ + .interruptible = true, + }; + int err; ++ ++ nfs_server_set_init_caps(server); + do { + err = nfs4_handle_exception(server, + _nfs4_server_capabilities(server, fhandle), diff --git a/queue-5.4/nfs-fix-up-handling-of-outstanding-layoutcommit-in-nfs_update_inode.patch b/queue-5.4/nfs-fix-up-handling-of-outstanding-layoutcommit-in-nfs_update_inode.patch new file mode 100644 index 0000000000..b26f9a6234 --- /dev/null +++ b/queue-5.4/nfs-fix-up-handling-of-outstanding-layoutcommit-in-nfs_update_inode.patch @@ -0,0 +1,39 @@ +From stable+bounces-169875-greg=kroah.com@vger.kernel.org Sun Aug 17 04:28:21 2025 +From: Sasha Levin +Date: Sat, 16 Aug 2025 22:28:11 -0400 +Subject: NFS: Fix up handling of outstanding layoutcommit in nfs_update_inode() +To: stable@vger.kernel.org +Cc: Trond Myklebust , Sasha Levin +Message-ID: <20250817022812.1338100-2-sashal@kernel.org> + +From: Trond Myklebust + +[ Upstream commit 709fa5769914b377af87962bbe4ff81ffb019b2d ] + +If there is an outstanding layoutcommit, then the list of attributes +whose values are expected to change is not the full set. So let's +be explicit about the full list. + +Signed-off-by: Trond Myklebust +Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/inode.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1869,7 +1869,11 @@ static int nfs_update_inode(struct inode + nfs_wcc_update_inode(inode, fattr); + + if (pnfs_layoutcommit_outstanding(inode)) { +- nfsi->cache_validity |= save_cache_validity & NFS_INO_INVALID_ATTR; ++ nfsi->cache_validity |= ++ save_cache_validity & ++ (NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME | ++ NFS_INO_INVALID_MTIME | NFS_INO_INVALID_SIZE | ++ NFS_INO_REVAL_FORCED); + cache_revalidated = false; + } + diff --git a/queue-5.4/nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch b/queue-5.4/nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch new file mode 100644 index 0000000000..e72604f5bd --- /dev/null +++ b/queue-5.4/nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch @@ -0,0 +1,76 @@ +From stable+bounces-169820-greg=kroah.com@vger.kernel.org Fri Aug 15 22:27:54 2025 +From: Sasha Levin +Date: Fri, 15 Aug 2025 16:27:45 -0400 +Subject: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() +To: stable@vger.kernel.org +Cc: Jeff Layton , lei lu , Chuck Lever , Sasha Levin +Message-ID: <20250815202745.212176-1-sashal@kernel.org> + +From: Jeff Layton + +[ Upstream commit 908e4ead7f757504d8b345452730636e298cbf68 ] + +Lei Lu recently reported that nfsd4_setclientid_confirm() did not check +the return value from get_client_locked(). a SETCLIENTID_CONFIRM could +race with a confirmed client expiring and fail to get a reference. That +could later lead to a UAF. + +Fix this by getting a reference early in the case where there is an +extant confirmed client. If that fails then treat it as if there were no +confirmed client found at all. + +In the case where the unconfirmed client is expiring, just fail and +return the result from get_client_locked(). + +Reported-by: lei lu +Closes: https://lore.kernel.org/linux-nfs/CAEBF3_b=UvqzNKdnfD_52L05Mqrqui9vZ2eFamgAbV0WG+FNWQ@mail.gmail.com/ +Fixes: d20c11d86d8f ("nfsd: Protect session creation and client confirm using client_lock") +Cc: stable@vger.kernel.org +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -3956,10 +3956,16 @@ nfsd4_setclientid_confirm(struct svc_rqs + } + status = nfs_ok; + if (conf) { /* case 1: callback update */ +- old = unconf; +- unhash_client_locked(old); +- nfsd4_change_callback(conf, &unconf->cl_cb_conn); +- } else { /* case 3: normal case; new or rebooted client */ ++ if (get_client_locked(conf) == nfs_ok) { ++ old = unconf; ++ unhash_client_locked(old); ++ nfsd4_change_callback(conf, &unconf->cl_cb_conn); ++ } else { ++ conf = NULL; ++ } ++ } ++ ++ if (!conf) { /* case 3: normal case; new or rebooted client */ + old = find_confirmed_client_by_name(&unconf->cl_name, nn); + if (old) { + status = nfserr_clid_inuse; +@@ -3975,10 +3981,14 @@ nfsd4_setclientid_confirm(struct svc_rqs + goto out; + } + } ++ status = get_client_locked(unconf); ++ if (status != nfs_ok) { ++ old = NULL; ++ goto out; ++ } + move_to_confirmed(unconf); + conf = unconf; + } +- get_client_locked(conf); + spin_unlock(&nn->client_lock); + nfsd4_probe_callback(conf); + spin_lock(&nn->client_lock); diff --git a/queue-5.4/nfsv4-fix-nfs4_bitmap_copy_adjust.patch b/queue-5.4/nfsv4-fix-nfs4_bitmap_copy_adjust.patch new file mode 100644 index 0000000000..cb0af20d86 --- /dev/null +++ b/queue-5.4/nfsv4-fix-nfs4_bitmap_copy_adjust.patch @@ -0,0 +1,104 @@ +From stable+bounces-169874-greg=kroah.com@vger.kernel.org Sun Aug 17 04:28:27 2025 +From: Sasha Levin +Date: Sat, 16 Aug 2025 22:28:10 -0400 +Subject: NFSv4: Fix nfs4_bitmap_copy_adjust() +To: stable@vger.kernel.org +Cc: Trond Myklebust , Sasha Levin +Message-ID: <20250817022812.1338100-1-sashal@kernel.org> + +From: Trond Myklebust + +[ Upstream commit a71029b86752e8d40301af235a6bbf4896cc1402 ] + +Don't remove flags from the set retrieved from the cache_validity. +We do want to retrieve all attributes that are listed as being +invalid, whether or not there is a delegation set. + +Signed-off-by: Trond Myklebust +Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 33 ++++++++++++++++----------------- + 1 file changed, 16 insertions(+), 17 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -282,7 +282,7 @@ const u32 nfs4_fs_locations_bitmap[3] = + }; + + static void nfs4_bitmap_copy_adjust(__u32 *dst, const __u32 *src, +- struct inode *inode) ++ struct inode *inode, unsigned long flags) + { + unsigned long cache_validity; + +@@ -290,22 +290,19 @@ static void nfs4_bitmap_copy_adjust(__u3 + if (!inode || !nfs4_have_delegation(inode, FMODE_READ)) + return; + +- cache_validity = READ_ONCE(NFS_I(inode)->cache_validity); +- if (!(cache_validity & NFS_INO_REVAL_FORCED)) +- cache_validity &= ~(NFS_INO_INVALID_CHANGE +- | NFS_INO_INVALID_SIZE); ++ cache_validity = READ_ONCE(NFS_I(inode)->cache_validity) | flags; + ++ /* Remove the attributes over which we have full control */ ++ dst[1] &= ~FATTR4_WORD1_RAWDEV; + if (!(cache_validity & NFS_INO_INVALID_SIZE)) + dst[0] &= ~FATTR4_WORD0_SIZE; + + if (!(cache_validity & NFS_INO_INVALID_CHANGE)) + dst[0] &= ~FATTR4_WORD0_CHANGE; +-} + +-static void nfs4_bitmap_copy_adjust_setattr(__u32 *dst, +- const __u32 *src, struct inode *inode) +-{ +- nfs4_bitmap_copy_adjust(dst, src, inode); ++ if (!(cache_validity & NFS_INO_INVALID_OTHER)) ++ dst[1] &= ~(FATTR4_WORD1_MODE | FATTR4_WORD1_OWNER | ++ FATTR4_WORD1_OWNER_GROUP); + } + + static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dentry, +@@ -3333,12 +3330,15 @@ static int nfs4_do_setattr(struct inode + .inode = inode, + .stateid = &arg.stateid, + }; ++ unsigned long adjust_flags = NFS_INO_INVALID_CHANGE; + int err; + ++ if (sattr->ia_valid & (ATTR_MODE|ATTR_UID|ATTR_GID)) ++ adjust_flags |= NFS_INO_INVALID_OTHER; ++ + do { +- nfs4_bitmap_copy_adjust_setattr(bitmask, +- nfs4_bitmask(server, olabel), +- inode); ++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, olabel), ++ inode, adjust_flags); + + err = _nfs4_do_setattr(inode, &arg, &res, cred, ctx); + switch (err) { +@@ -4143,8 +4143,7 @@ static int _nfs4_proc_getattr(struct nfs + .rpc_resp = &res, + }; + +- nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode); +- ++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode, 0); + nfs_fattr_init(fattr); + return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0); + } +@@ -4732,8 +4731,8 @@ static int _nfs4_proc_link(struct inode + } + + nfs4_inode_make_writeable(inode); +- nfs4_bitmap_copy_adjust_setattr(bitmask, nfs4_bitmask(server, res.label), inode); +- ++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, res.label), inode, ++ NFS_INO_INVALID_CHANGE); + status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1); + if (!status) { + update_changeattr(dir, &res.cinfo, res.fattr->time_start, 0); diff --git a/queue-5.4/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch b/queue-5.4/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch new file mode 100644 index 0000000000..32264e36fc --- /dev/null +++ b/queue-5.4/pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch @@ -0,0 +1,114 @@ +From stable+bounces-163758-greg=kroah.com@vger.kernel.org Tue Jul 22 15:48:43 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 09:48:27 -0400 +Subject: pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov +To: stable@vger.kernel.org +Cc: Maulik Shah , Ulf Hansson , Sasha Levin +Message-ID: <20250722134827.947709-1-sashal@kernel.org> + +From: Maulik Shah + +[ Upstream commit 500ba33284416255b9a5b50ace24470b6fe77ea5 ] + +pm_domain_cpu_gov is selecting a cluster idle state but does not consider +latency tolerance of child CPUs. This results in deeper cluster idle state +whose latency does not meet latency tolerance requirement. + +Select deeper idle state only if global and device latency tolerance of all +child CPUs meet. + +Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than +domain idle state entry (2150) + exit (1983) usec latency mentioned in +devicetree, demonstrate the issue. + + # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us + +Before: (Usage is incrementing) +====== + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 29817 537 8 270 0 + + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 30348 542 8 271 0 + +After: (Usage is not incrementing due to latency tolerance) +====== + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 39319 626 14 307 0 + + # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states + State Time Spent(ms) Usage Rejected Above Below + S0 39319 626 14 307 0 + +Signed-off-by: Maulik Shah +Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualcomm.com +Signed-off-by: Ulf Hansson +[ replaced cpu_latency_qos_limit() with pm_qos_request(PM_QOS_CPU_DMA_LATENCY) ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/domain_governor.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/drivers/base/power/domain_governor.c ++++ b/drivers/base/power/domain_governor.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -254,6 +255,8 @@ static bool cpu_power_down_ok(struct dev + struct generic_pm_domain *genpd = pd_to_genpd(pd); + struct cpuidle_device *dev; + ktime_t domain_wakeup, next_hrtimer; ++ struct device *cpu_dev; ++ s64 cpu_constraint, global_constraint; + s64 idle_duration_ns; + int cpu, i; + +@@ -264,6 +267,7 @@ static bool cpu_power_down_ok(struct dev + if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) + return true; + ++ global_constraint = pm_qos_request(PM_QOS_CPU_DMA_LATENCY); + /* + * Find the next wakeup for any of the online CPUs within the PM domain + * and its subdomains. Note, we only need the genpd->cpus, as it already +@@ -277,8 +281,16 @@ static bool cpu_power_down_ok(struct dev + if (ktime_before(next_hrtimer, domain_wakeup)) + domain_wakeup = next_hrtimer; + } ++ ++ cpu_dev = get_cpu_device(cpu); ++ if (cpu_dev) { ++ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); ++ if (cpu_constraint < global_constraint) ++ global_constraint = cpu_constraint; ++ } + } + ++ global_constraint *= NSEC_PER_USEC; + /* The minimum idle duration is from now - until the next wakeup. */ + idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, ktime_get())); + if (idle_duration_ns <= 0) +@@ -291,8 +303,10 @@ static bool cpu_power_down_ok(struct dev + */ + i = genpd->state_idx; + do { +- if (idle_duration_ns >= (genpd->states[i].residency_ns + +- genpd->states[i].power_off_latency_ns)) { ++ if ((idle_duration_ns >= (genpd->states[i].residency_ns + ++ genpd->states[i].power_off_latency_ns)) && ++ (global_constraint >= (genpd->states[i].power_on_latency_ns + ++ genpd->states[i].power_off_latency_ns))) { + genpd->state_idx = i; + return true; + } diff --git a/queue-5.4/pwm-mediatek-fix-duty-and-period-setting.patch b/queue-5.4/pwm-mediatek-fix-duty-and-period-setting.patch new file mode 100644 index 0000000000..2afa9bf219 --- /dev/null +++ b/queue-5.4/pwm-mediatek-fix-duty-and-period-setting.patch @@ -0,0 +1,82 @@ +From stable+bounces-172501-greg=kroah.com@vger.kernel.org Fri Aug 22 21:05:59 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:05:27 -0400 +Subject: pwm: mediatek: Fix duty and period setting +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Uwe Kleine-König" , "Sasha Levin" +Message-ID: <20250822190527.1408882-3-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit f21d136caf8171f94159d975ea4620c164431bd9 ] + +The period generated by the hardware is + + (PWMDWIDTH + 1) << CLKDIV) / freq + +according to my tests with a signal analyser and also the documentation. + +The current algorithm doesn't consider the `+ 1` part and so configures +slightly too high periods. The same issue exists for the duty cycle +setting. So subtract 1 from both the register values for period and +duty cycle. If period is 0, bail out, if duty_cycle is 0, just disable +the PWM which results in a constant low output. + +Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support") +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/6d1fa87a76f8020bfe3171529b8e19baffceab10.1753717973.git.u.kleine-koenig@baylibre.com +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -168,7 +168,10 @@ static int pwm_mediatek_config(struct pw + do_div(resolution, clk_rate); + + cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution); +- while (cnt_period > 8191) { ++ if (!cnt_period) ++ return -EINVAL; ++ ++ while (cnt_period > 8192) { + resolution *= 2; + clkdiv++; + cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, +@@ -191,9 +194,16 @@ static int pwm_mediatek_config(struct pw + } + + cnt_duty = DIV_ROUND_CLOSEST_ULL((u64)duty_ns * 1000, resolution); ++ + pwm_mediatek_writel(pc, pwm->hwpwm, PWMCON, BIT(15) | clkdiv); +- pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period); +- pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty); ++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period - 1); ++ ++ if (cnt_duty) { ++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty - 1); ++ pwm_mediatek_enable(chip, pwm); ++ } else { ++ pwm_mediatek_disable(chip, pwm); ++ } + + out: + pwm_mediatek_clk_disable(chip, pwm); +@@ -222,11 +232,8 @@ static int pwm_mediatek_apply(struct pwm + if (err) + return err; + +- if (!pwm->state.enabled) { ++ if (!pwm->state.enabled) + err = pwm_mediatek_clk_enable(chip, pwm); +- if (!err) +- pwm_mediatek_enable(chip, pwm); +- } + + return err; + } diff --git a/queue-5.4/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch b/queue-5.4/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch new file mode 100644 index 0000000000..b619740c84 --- /dev/null +++ b/queue-5.4/pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch @@ -0,0 +1,123 @@ +From stable+bounces-172500-greg=kroah.com@vger.kernel.org Fri Aug 22 21:05:36 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:05:26 -0400 +Subject: pwm: mediatek: Handle hardware enable and clock enable separately +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Uwe Kleine-König" , "Sasha Levin" +Message-ID: <20250822190527.1408882-2-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit 704d918341c378c5f9505dfdf32d315e256d3846 ] + +Stop handling the clocks in pwm_mediatek_enable() and +pwm_mediatek_disable(). This is a preparing change for the next commit +that requires that clocks and the enable bit are handled separately. + +Also move these two functions a bit further up in the source file to +make them usable in pwm_mediatek_config(), which is needed in the next +commit, too. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/55c94fe2917ece152ee1e998f4675642a7716f13.1753717973.git.u.kleine-koenig@baylibre.com +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 60 +++++++++++++++++++++------------------------ + 1 file changed, 28 insertions(+), 32 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -119,6 +119,26 @@ static inline void pwm_mediatek_writel(s + writel(value, chip->regs + pwm_mediatek_reg_offset[num] + offset); + } + ++static void pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm) ++{ ++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); ++ u32 value; ++ ++ value = readl(pc->regs); ++ value |= BIT(pwm->hwpwm); ++ writel(value, pc->regs); ++} ++ ++static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm) ++{ ++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); ++ u32 value; ++ ++ value = readl(pc->regs); ++ value &= ~BIT(pwm->hwpwm); ++ writel(value, pc->regs); ++} ++ + static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm, + int duty_ns, int period_ns) + { +@@ -181,35 +201,6 @@ out: + return ret; + } + +-static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm) +-{ +- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); +- u32 value; +- int ret; +- +- ret = pwm_mediatek_clk_enable(chip, pwm); +- if (ret < 0) +- return ret; +- +- value = readl(pc->regs); +- value |= BIT(pwm->hwpwm); +- writel(value, pc->regs); +- +- return 0; +-} +- +-static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm) +-{ +- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip); +- u32 value; +- +- value = readl(pc->regs); +- value &= ~BIT(pwm->hwpwm); +- writel(value, pc->regs); +- +- pwm_mediatek_clk_disable(chip, pwm); +-} +- + static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm, + const struct pwm_state *state) + { +@@ -219,8 +210,10 @@ static int pwm_mediatek_apply(struct pwm + return -EINVAL; + + if (!state->enabled) { +- if (pwm->state.enabled) ++ if (pwm->state.enabled) { + pwm_mediatek_disable(chip, pwm); ++ pwm_mediatek_clk_disable(chip, pwm); ++ } + + return 0; + } +@@ -229,8 +222,11 @@ static int pwm_mediatek_apply(struct pwm + if (err) + return err; + +- if (!pwm->state.enabled) +- err = pwm_mediatek_enable(chip, pwm); ++ if (!pwm->state.enabled) { ++ err = pwm_mediatek_clk_enable(chip, pwm); ++ if (!err) ++ pwm_mediatek_enable(chip, pwm); ++ } + + return err; + } diff --git a/queue-5.4/pwm-mediatek-implement-.apply-callback.patch b/queue-5.4/pwm-mediatek-implement-.apply-callback.patch new file mode 100644 index 0000000000..83a2c097bd --- /dev/null +++ b/queue-5.4/pwm-mediatek-implement-.apply-callback.patch @@ -0,0 +1,67 @@ +From stable+bounces-172499-greg=kroah.com@vger.kernel.org Fri Aug 22 21:06:18 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 15:05:25 -0400 +Subject: pwm: mediatek: Implement .apply() callback +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "AngeloGioacchino Del Regno" , "Thierry Reding" , "Sasha Levin" +Message-ID: <20250822190527.1408882-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit 758de66f4bd2cac2b1d71db917c65c3d611d4e74 ] + +To eventually get rid of all legacy drivers convert this driver to the +modern world implementing .apply(). +This just pushed a variant of pwm_apply_legacy() into the driver that was +slightly simplified because the driver doesn't provide a .set_polarity() +callback. + +Signed-off-by: Uwe Kleine-König +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Thierry Reding +Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mediatek.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/drivers/pwm/pwm-mediatek.c ++++ b/drivers/pwm/pwm-mediatek.c +@@ -210,10 +210,33 @@ static void pwm_mediatek_disable(struct + pwm_mediatek_clk_disable(chip, pwm); + } + ++static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm, ++ const struct pwm_state *state) ++{ ++ int err; ++ ++ if (state->polarity != PWM_POLARITY_NORMAL) ++ return -EINVAL; ++ ++ if (!state->enabled) { ++ if (pwm->state.enabled) ++ pwm_mediatek_disable(chip, pwm); ++ ++ return 0; ++ } ++ ++ err = pwm_mediatek_config(pwm->chip, pwm, state->duty_cycle, state->period); ++ if (err) ++ return err; ++ ++ if (!pwm->state.enabled) ++ err = pwm_mediatek_enable(chip, pwm); ++ ++ return err; ++} ++ + static const struct pwm_ops pwm_mediatek_ops = { +- .config = pwm_mediatek_config, +- .enable = pwm_mediatek_enable, +- .disable = pwm_mediatek_disable, ++ .apply = pwm_mediatek_apply, + .owner = THIS_MODULE, + }; + diff --git a/queue-5.4/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds1341.patch b/queue-5.4/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds1341.patch new file mode 100644 index 0000000000..ed403b88eb --- /dev/null +++ b/queue-5.4/rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds1341.patch @@ -0,0 +1,69 @@ +From stable-commits+bounces-96325-greg=kroah.com@vger.kernel.org Thu Aug 21 01:07:02 2025 +From: Meagan Lloyd +Date: Wed, 20 Aug 2025 16:06:04 -0700 +Subject: rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 +To: sashal@kernel.org +Cc: alexandre.belloni@bootlin.com, meaganlloyd@linux.microsoft.com, stable-commits@vger.kernel.org, stable@vger.kernel.org +Message-ID: <1755731164-17255-1-git-send-email-meaganlloyd@linux.microsoft.com> + +From: Meagan Lloyd + +[ Upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e ] + +In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the +kernel time as long as rtc_read_time() succeeds. In some power loss +situations, our supercapacitor-backed DS1342 RTC comes up with either an +unpredictable future time or the default 01/01/00 from the datasheet. +The oscillator stop flag (OSF) is set in these scenarios due to the +power loss and can be used to determine the validity of the RTC data. + +This change expands the oscillator stop flag (OSF) handling that has +already been implemented for some chips to the ds1341 chip (DS1341 and +DS1342 share a datasheet). This handling manages the validity of the RTC +data in .read_time and .set_time based on the OSF. + +Signed-off-by: Meagan Lloyd +Reviewed-by: Tyler Hicks +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/1749665656-30108-3-git-send-email-meaganlloyd@linux.microsoft.com +Signed-off-by: Alexandre Belloni + +[ Git was trying to insert the code above the ds_1388 case statement block (in +each respective function) which don't exist in the v5.4.296 rtc-ds1307 driver, +thus a manual fixup was required. ] +Signed-off-by: Meagan Lloyd +Signed-off-by: Greg Kroah-Hartman +--- +Here's the backport of patch 2/2 of the series for v5.4. +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-ds1307.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -252,6 +252,13 @@ static int ds1307_get_time(struct device + if (tmp & DS1340_BIT_OSF) + return -EINVAL; + break; ++ case ds_1341: ++ ret = regmap_read(ds1307->regmap, DS1337_REG_STATUS, &tmp); ++ if (ret) ++ return ret; ++ if (tmp & DS1337_BIT_OSF) ++ return -EINVAL; ++ break; + case mcp794xx: + if (!(tmp & MCP794XX_BIT_ST)) + return -EINVAL; +@@ -343,6 +350,10 @@ static int ds1307_set_time(struct device + regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG, + DS1340_BIT_OSF, 0); + break; ++ case ds_1341: ++ regmap_update_bits(ds1307->regmap, DS1337_REG_STATUS, ++ DS1337_BIT_OSF, 0); ++ break; + case mcp794xx: + /* + * these bits were cleared when preparing the date/time diff --git a/queue-5.4/series b/queue-5.4/series index de9674c76d..06d47a6cc9 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -330,3 +330,46 @@ comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch +net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch +net-usbnet-fix-the-wrong-netif_carrier_on-call.patch +ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch +drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch +mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch +mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch +f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch +iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch +x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch +usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch +usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch +tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch +pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch +nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch +mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch +x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch +alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch +mm-kmemleak-turn-kmemleak_lock-and-object-lock-to-raw_spinlock_t.patch +mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch +usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch +cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch +usb-typec-fusb302-cache-pd-rx-state.patch +nfsv4-fix-nfs4_bitmap_copy_adjust.patch +nfs-fix-up-handling-of-outstanding-layoutcommit-in-nfs_update_inode.patch +nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch +usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch +usb-musb-omap2430-fix-device-leak-at-unbind.patch +rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds1341.patch +soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch +ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch +media-v4l2-ctrls-always-copy-the-controls-on-completion.patch +media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch +media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch +pwm-mediatek-implement-.apply-callback.patch +pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch +pwm-mediatek-fix-duty-and-period-setting.patch +drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch +media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch +media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch +media-venus-protect-against-spurious-interrupts-during-probe.patch +f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch +media-venus-hfi-explicitly-release-irq-during-teardown.patch +btrfs-populate-otime-when-logging-an-inode-item.patch diff --git a/queue-5.4/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch b/queue-5.4/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch new file mode 100644 index 0000000000..3d7714a875 --- /dev/null +++ b/queue-5.4/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch @@ -0,0 +1,109 @@ +From stable+bounces-172492-greg=kroah.com@vger.kernel.org Fri Aug 22 20:49:48 2025 +From: Sasha Levin +Date: Fri, 22 Aug 2025 14:49:39 -0400 +Subject: soc: qcom: mdt_loader: Ensure we don't read past the ELF header +To: stable@vger.kernel.org +Cc: Bjorn Andersson , Doug Anderson , Dmitry Baryshkov , Bjorn Andersson , Sasha Levin +Message-ID: <20250822184939.1400692-1-sashal@kernel.org> + +From: Bjorn Andersson + +[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ] + +When the MDT loader is used in remoteproc, the ELF header is sanitized +beforehand, but that's not necessary the case for other clients. + +Validate the size of the firmware buffer to ensure that we don't read +past the end as we iterate over the header. e_phentsize and e_shentsize +are validated as well, to ensure that the assumptions about step size in +the traversal are valid. + +Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom") +Cc: stable@vger.kernel.org +Reported-by: Doug Anderson +Signed-off-by: Bjorn Andersson +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/mdt_loader.c | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +--- a/drivers/soc/qcom/mdt_loader.c ++++ b/drivers/soc/qcom/mdt_loader.c +@@ -12,11 +12,43 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + ++static bool mdt_header_valid(const struct firmware *fw) ++{ ++ const struct elf32_hdr *ehdr; ++ size_t phend; ++ size_t shend; ++ ++ if (fw->size < sizeof(*ehdr)) ++ return false; ++ ++ ehdr = (struct elf32_hdr *)fw->data; ++ ++ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG)) ++ return false; ++ ++ if (ehdr->e_phentsize != sizeof(struct elf32_phdr)) ++ return false; ++ ++ phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff); ++ if (phend > fw->size) ++ return false; ++ ++ if (ehdr->e_shentsize != sizeof(struct elf32_shdr)) ++ return false; ++ ++ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff); ++ if (shend > fw->size) ++ return false; ++ ++ return true; ++} ++ + static bool mdt_phdr_valid(const struct elf32_phdr *phdr) + { + if (phdr->p_type != PT_LOAD) +@@ -46,6 +78,9 @@ ssize_t qcom_mdt_get_size(const struct f + phys_addr_t max_addr = 0; + int i; + ++ if (!mdt_header_valid(fw)) ++ return -EINVAL; ++ + ehdr = (struct elf32_hdr *)fw->data; + phdrs = (struct elf32_phdr *)(ehdr + 1); + +@@ -92,6 +127,9 @@ void *qcom_mdt_read_metadata(const struc + size_t ehdr_size; + void *data; + ++ if (!mdt_header_valid(fw)) ++ return ERR_PTR(-EINVAL); ++ + ehdr = (struct elf32_hdr *)fw->data; + phdrs = (struct elf32_phdr *)(ehdr + 1); + +@@ -151,6 +189,9 @@ static int __qcom_mdt_load(struct device + if (!fw || !mem_region || !mem_phys || !mem_size) + return -EINVAL; + ++ if (!mdt_header_valid(fw)) ++ return -EINVAL; ++ + ehdr = (struct elf32_hdr *)fw->data; + phdrs = (struct elf32_phdr *)(ehdr + 1); + diff --git a/queue-5.4/tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch b/queue-5.4/tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch new file mode 100644 index 0000000000..4a94fbdbdc --- /dev/null +++ b/queue-5.4/tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch @@ -0,0 +1,62 @@ +From stable+bounces-164210-greg=kroah.com@vger.kernel.org Tue Jul 22 16:25:44 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 10:13:20 -0400 +Subject: tracing: Add down_write(trace_event_sem) when adding trace event +To: stable@vger.kernel.org +Cc: Steven Rostedt , Mathieu Desnoyers , Masami Hiramatsu , Fusheng Huang , Sasha Levin +Message-ID: <20250722141320.952515-1-sashal@kernel.org> + +From: Steven Rostedt + +[ Upstream commit b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df ] + +When a module is loaded, it adds trace events defined by the module. It +may also need to modify the modules trace printk formats to replace enum +names with their values. + +If two modules are loaded at the same time, the adding of the event to the +ftrace_events list can corrupt the walking of the list in the code that is +modifying the printk format strings and crash the kernel. + +The addition of the event should take the trace_event_sem for write while +it adds the new event. + +Also add a lockdep_assert_held() on that semaphore in +__trace_add_event_dirs() as it iterates the list. + +Cc: stable@vger.kernel.org +Cc: Mathieu Desnoyers +Acked-by: Masami Hiramatsu (Google) +Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home +Reported-by: Fusheng Huang(黄富生) +Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ +Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_events.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -2109,7 +2109,10 @@ __register_event(struct trace_event_call + if (ret < 0) + return ret; + ++ down_write(&trace_event_sem); + list_add(&call->list, &ftrace_events); ++ up_write(&trace_event_sem); ++ + call->mod = mod; + + return 0; +@@ -2489,6 +2492,8 @@ __trace_add_event_dirs(struct trace_arra + struct trace_event_call *call; + int ret; + ++ lockdep_assert_held(&trace_event_sem); ++ + list_for_each_entry(call, &ftrace_events, list) { + ret = __trace_add_new_event(call, tr); + if (ret < 0) diff --git a/queue-5.4/usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch b/queue-5.4/usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch new file mode 100644 index 0000000000..1dd3ec9509 --- /dev/null +++ b/queue-5.4/usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch @@ -0,0 +1,45 @@ +From stable+bounces-171674-greg=kroah.com@vger.kernel.org Tue Aug 19 01:14:05 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 19:13:57 -0400 +Subject: USB: cdc-acm: do not log successful probe on later errors +To: stable@vger.kernel.org +Cc: Johan Hovold , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250818231358.138342-1-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 79579411826647fd573dbe301c4d933bc90e4be7 ] + +Do not log the successful-probe message until the tty device has been +registered. + +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210322155318.9837-9-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 64690a90cd7c ("cdc-acm: fix race between initial clearing halt and open") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1520,8 +1520,6 @@ skip_countries: + acm->nb_index = 0; + acm->nb_size = 0; + +- dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); +- + acm->line.dwDTERate = cpu_to_le32(9600); + acm->line.bDataBits = 8; + acm_set_line(acm, &acm->line); +@@ -1541,6 +1539,8 @@ skip_countries: + usb_clear_halt(usb_dev, acm->out); + } + ++ dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor); ++ + return 0; + alloc_fail6: + if (!acm->combined_interfaces) { diff --git a/queue-5.4/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch b/queue-5.4/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch new file mode 100644 index 0000000000..9c3bbb4384 --- /dev/null +++ b/queue-5.4/usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch @@ -0,0 +1,102 @@ +From stable+bounces-164314-greg=kroah.com@vger.kernel.org Wed Jul 23 00:58:53 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 18:58:38 -0400 +Subject: usb: hub: avoid warm port reset during USB3 disconnect +To: stable@vger.kernel.org +Cc: Mathias Nyman , Mark Pearson , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250722225839.999383-1-sashal@kernel.org> + +From: Mathias Nyman + +[ Upstream commit f59f93cd1d720809466c7fd5aa16a236156c672b ] + +During disconnect USB-3 ports often go via SS.Inactive link error state +before the missing terminations are noticed, and link finally goes to +RxDetect state + +Avoid immediately warm-resetting ports in SS.Inactive state. +Let ports settle for a while and re-read the link status a few times 20ms +apart to see if the ports transitions out of SS.Inactive. + +According to USB 3.x spec 7.5.2, a port in SS.Inactive should +automatically check for missing far-end receiver termination every +12 ms (SSInactiveQuietTimeout) + +The futile multiple warm reset retries of a disconnected device takes +a lot of time, also the resetting of a removed devices has caused cases +where the reset bit got stuck for a long time on xHCI roothub. +This lead to issues in detecting new devices connected to the same port +shortly after. + +Tested-by: Mark Pearson +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211210111653.1378381-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 2521106fc732 ("usb: hub: Don't try to recover devices lost during warm reset.") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2788,6 +2788,8 @@ static unsigned hub_is_wusb(struct usb_h + #define SET_CONFIG_TRIES (2 * (use_both_schemes + 1)) + #define USE_NEW_SCHEME(i, scheme) ((i) / 2 == (int)(scheme)) + ++#define DETECT_DISCONNECT_TRIES 5 ++ + #define HUB_ROOT_RESET_TIME 60 /* times are in msec */ + #define HUB_SHORT_RESET_TIME 10 + #define HUB_BH_RESET_TIME 50 +@@ -5422,6 +5424,7 @@ static void port_event(struct usb_hub *h + struct usb_device *udev = port_dev->child; + struct usb_device *hdev = hub->hdev; + u16 portstatus, portchange; ++ int i = 0; + + connect_change = test_bit(port1, hub->change_bits); + clear_bit(port1, hub->event_bits); +@@ -5498,17 +5501,27 @@ static void port_event(struct usb_hub *h + connect_change = 1; + + /* +- * Warm reset a USB3 protocol port if it's in +- * SS.Inactive state. +- */ +- if (hub_port_warm_reset_required(hub, port1, portstatus)) { +- dev_dbg(&port_dev->dev, "do warm reset\n"); +- if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) ++ * Avoid trying to recover a USB3 SS.Inactive port with a warm reset if ++ * the device was disconnected. A 12ms disconnect detect timer in ++ * SS.Inactive state transitions the port to RxDetect automatically. ++ * SS.Inactive link error state is common during device disconnect. ++ */ ++ while (hub_port_warm_reset_required(hub, port1, portstatus)) { ++ if ((i++ < DETECT_DISCONNECT_TRIES) && udev) { ++ u16 unused; ++ ++ msleep(20); ++ hub_port_status(hub, port1, &portstatus, &unused); ++ dev_dbg(&port_dev->dev, "Wait for inactive link disconnect detect\n"); ++ continue; ++ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) + || udev->state == USB_STATE_NOTATTACHED) { ++ dev_dbg(&port_dev->dev, "do warm reset, port only\n"); + if (hub_port_reset(hub, port1, NULL, + HUB_BH_RESET_TIME, true) < 0) + hub_port_disable(hub, port1, 1); + } else { ++ dev_dbg(&port_dev->dev, "do warm reset, full device\n"); + usb_unlock_port(port_dev); + usb_lock_device(udev); + usb_reset_device(udev); +@@ -5516,6 +5529,7 @@ static void port_event(struct usb_hub *h + usb_lock_port(port_dev); + connect_change = 0; + } ++ break; + } + + if (connect_change) diff --git a/queue-5.4/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch b/queue-5.4/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch new file mode 100644 index 0000000000..4448920e6a --- /dev/null +++ b/queue-5.4/usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch @@ -0,0 +1,91 @@ +From stable+bounces-164315-greg=kroah.com@vger.kernel.org Wed Jul 23 00:58:54 2025 +From: Sasha Levin +Date: Tue, 22 Jul 2025 18:58:39 -0400 +Subject: usb: hub: Don't try to recover devices lost during warm reset. +To: stable@vger.kernel.org +Cc: "Mathias Nyman" , "Łukasz Bartosik" , "Alan Stern" , "Greg Kroah-Hartman" , "Sasha Levin" +Message-ID: <20250722225839.999383-2-sashal@kernel.org> + +From: Mathias Nyman + +[ Upstream commit 2521106fc732b0b75fd3555c689b1ed1d29d273c ] + +Hub driver warm-resets ports in SS.Inactive or Compliance mode to +recover a possible connected device. The port reset code correctly +detects if a connection is lost during reset, but hub driver +port_event() fails to take this into account in some cases. +port_event() ends up using stale values and assumes there is a +connected device, and will try all means to recover it, including +power-cycling the port. + +Details: +This case was triggered when xHC host was suspended with DbC (Debug +Capability) enabled and connected. DbC turns one xHC port into a simple +usb debug device, allowing debugging a system with an A-to-A USB debug +cable. + +xhci DbC code disables DbC when xHC is system suspended to D3, and +enables it back during resume. +We essentially end up with two hosts connected to each other during +suspend, and, for a short while during resume, until DbC is enabled back. +The suspended xHC host notices some activity on the roothub port, but +can't train the link due to being suspended, so xHC hardware sets a CAS +(Cold Attach Status) flag for this port to inform xhci host driver that +the port needs to be warm reset once xHC resumes. + +CAS is xHCI specific, and not part of USB specification, so xhci driver +tells usb core that the port has a connection and link is in compliance +mode. Recovery from complinace mode is similar to CAS recovery. + +xhci CAS driver support that fakes a compliance mode connection was added +in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS") + +Once xHCI resumes and DbC is enabled back, all activity on the xHC +roothub host side port disappears. The hub driver will anyway think +port has a connection and link is in compliance mode, and hub driver +will try to recover it. + +The port power-cycle during recovery seems to cause issues to the active +DbC connection. + +Fix this by clearing connect_change flag if hub_port_reset() returns +-ENOTCONN, thus avoiding the whole unnecessary port recovery and +initialization attempt. + +Cc: stable@vger.kernel.org +Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS") +Tested-by: Łukasz Bartosik +Signed-off-by: Mathias Nyman +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -5425,6 +5425,7 @@ static void port_event(struct usb_hub *h + struct usb_device *hdev = hub->hdev; + u16 portstatus, portchange; + int i = 0; ++ int err; + + connect_change = test_bit(port1, hub->change_bits); + clear_bit(port1, hub->event_bits); +@@ -5517,8 +5518,11 @@ static void port_event(struct usb_hub *h + } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION) + || udev->state == USB_STATE_NOTATTACHED) { + dev_dbg(&port_dev->dev, "do warm reset, port only\n"); +- if (hub_port_reset(hub, port1, NULL, +- HUB_BH_RESET_TIME, true) < 0) ++ err = hub_port_reset(hub, port1, NULL, ++ HUB_BH_RESET_TIME, true); ++ if (!udev && err == -ENOTCONN) ++ connect_change = 0; ++ else if (err < 0) + hub_port_disable(hub, port1, 1); + } else { + dev_dbg(&port_dev->dev, "do warm reset, full device\n"); diff --git a/queue-5.4/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch b/queue-5.4/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch new file mode 100644 index 0000000000..b6432cefbf --- /dev/null +++ b/queue-5.4/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch @@ -0,0 +1,60 @@ +From sashal@kernel.org Thu Aug 21 18:20:28 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:20:24 -0400 +Subject: usb: musb: omap2430: Convert to platform remove callback returning void +To: stable@vger.kernel.org +Cc: "Uwe Kleine-König" , "Greg Kroah-Hartman" , "Sasha Levin" +Message-ID: <20250821162025.780036-1-sashal@kernel.org> + +From: Uwe Kleine-König + +[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is (mostly) ignored +and this typically results in resource leaks. To improve here there is a +quest to make the remove callback return void. In the first step of this +quest all drivers are converted to .remove_new() which already returns +void. + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/omap2430.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -505,14 +505,12 @@ err0: + return ret; + } + +-static int omap2430_remove(struct platform_device *pdev) ++static void omap2430_remove(struct platform_device *pdev) + { + struct omap2430_glue *glue = platform_get_drvdata(pdev); + + platform_device_unregister(glue->musb); + pm_runtime_disable(glue->dev); +- +- return 0; + } + + #ifdef CONFIG_PM +@@ -579,7 +577,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl + + static struct platform_driver omap2430_driver = { + .probe = omap2430_probe, +- .remove = omap2430_remove, ++ .remove_new = omap2430_remove, + .driver = { + .name = "musb-omap2430", + .pm = DEV_PM_OPS, diff --git a/queue-5.4/usb-musb-omap2430-fix-device-leak-at-unbind.patch b/queue-5.4/usb-musb-omap2430-fix-device-leak-at-unbind.patch new file mode 100644 index 0000000000..7e24271444 --- /dev/null +++ b/queue-5.4/usb-musb-omap2430-fix-device-leak-at-unbind.patch @@ -0,0 +1,66 @@ +From sashal@kernel.org Thu Aug 21 18:20:28 2025 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:20:25 -0400 +Subject: usb: musb: omap2430: fix device leak at unbind +To: stable@vger.kernel.org +Cc: Johan Hovold , Roger Quadros , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250821162025.780036-2-sashal@kernel.org> + +From: Johan Hovold + +[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ] + +Make sure to drop the reference to the control device taken by +of_find_device_by_node() during probe when the driver is unbound. + +Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()") +Cc: stable@vger.kernel.org # 3.13 +Cc: Roger Quadros +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +[ Removed populate_irqs-related goto changes ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/omap2430.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/usb/musb/omap2430.c ++++ b/drivers/usb/musb/omap2430.c +@@ -476,13 +476,13 @@ static int omap2430_probe(struct platfor + ARRAY_SIZE(musb_resources)); + if (ret) { + dev_err(&pdev->dev, "failed to add resources\n"); +- goto err2; ++ goto err_put_control_otghs; + } + + ret = platform_device_add_data(musb, pdata, sizeof(*pdata)); + if (ret) { + dev_err(&pdev->dev, "failed to add platform_data\n"); +- goto err2; ++ goto err_put_control_otghs; + } + + pm_runtime_enable(glue->dev); +@@ -497,7 +497,9 @@ static int omap2430_probe(struct platfor + + err3: + pm_runtime_disable(glue->dev); +- ++err_put_control_otghs: ++ if (!IS_ERR(glue->control_otghs)) ++ put_device(glue->control_otghs); + err2: + platform_device_put(musb); + +@@ -511,6 +513,8 @@ static void omap2430_remove(struct platf + + platform_device_unregister(glue->musb); + pm_runtime_disable(glue->dev); ++ if (!IS_ERR(glue->control_otghs)) ++ put_device(glue->control_otghs); + } + + #ifdef CONFIG_PM diff --git a/queue-5.4/usb-typec-fusb302-cache-pd-rx-state.patch b/queue-5.4/usb-typec-fusb302-cache-pd-rx-state.patch new file mode 100644 index 0000000000..28165ba20f --- /dev/null +++ b/queue-5.4/usb-typec-fusb302-cache-pd-rx-state.patch @@ -0,0 +1,98 @@ +From stable+bounces-171672-greg=kroah.com@vger.kernel.org Tue Aug 19 01:08:51 2025 +From: Sasha Levin +Date: Mon, 18 Aug 2025 19:08:42 -0400 +Subject: usb: typec: fusb302: cache PD RX state +To: stable@vger.kernel.org +Cc: Sebastian Reichel , stable , Heikki Krogerus , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20250818230842.135812-1-sashal@kernel.org> + +From: Sebastian Reichel + +[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ] + +This patch fixes a race condition communication error, which ends up in +PD hard resets when losing the race. Some systems, like the Radxa ROCK +5B are powered through USB-C without any backup power source and use a +FUSB302 chip to do the PD negotiation. This means it is quite important +to avoid hard resets, since that effectively kills the system's +power-supply. + +I've found the following race condition while debugging unplanned power +loss during booting the board every now and then: + +1. lots of TCPM/FUSB302/PD initialization stuff +2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here) +3. the remote PD source does not send anything, so TCPM does a SOFT RESET +4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time + (tcpm_set_pd_rx is enabled again, even though it is still on) + +At this point I've seen broken CRC good messages being send by the +FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like +messages are being lost and things generally going haywire with one of +the two sides doing a hard reset once a broken CRC good message was send +to the bus. + +I think the system is running into a race condition, that the FIFOs are +being cleared and/or the automatic good CRC message generation flag is +being updated while a message is already arriving. + +Let's avoid this by caching the PD RX enabled state, as we have already +processed anything in the FIFOs and are in a good state. As a side +effect that this also optimizes I2C bus usage :) + +As far as I can tell the problem theoretically also exists when TCPM +enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less +critical for the following reason: + +On devices like the ROCK 5B, which are powered through a TCPM backed +USB-C port, the bootloader must have done some prior PD communication +(initial communication must happen within 5 seconds after plugging the +USB-C plug). This means the first time the kernel TCPM state machine +reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages +actively. On other devices a hard reset simply adds some extra delay and +things should be good afterwards. + +Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver") +Cc: stable +Signed-off-by: Sebastian Reichel +Reviewed-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org +Signed-off-by: Greg Kroah-Hartman +[ replaced str_on_off(on) with ternary operator ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/typec/tcpm/fusb302.c ++++ b/drivers/usb/typec/tcpm/fusb302.c +@@ -104,6 +104,7 @@ struct fusb302_chip { + bool vconn_on; + bool vbus_on; + bool charge_on; ++ bool pd_rx_on; + bool vbus_present; + enum typec_cc_polarity cc_polarity; + enum typec_cc_status cc1; +@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de + int ret = 0; + + mutex_lock(&chip->lock); ++ if (chip->pd_rx_on == on) { ++ fusb302_log(chip, "pd is already %s", on ? "on" : "off"); ++ goto done; ++ } ++ + ret = fusb302_pd_rx_flush(chip); + if (ret < 0) { + fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret); +@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de + on ? "on" : "off", ret); + goto done; + } ++ ++ chip->pd_rx_on = on; + fusb302_log(chip, "pd := %s", on ? "on" : "off"); + done: + mutex_unlock(&chip->lock); diff --git a/queue-5.4/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch b/queue-5.4/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch new file mode 100644 index 0000000000..c9e62e12d7 --- /dev/null +++ b/queue-5.4/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch @@ -0,0 +1,62 @@ +From stable+bounces-169440-greg=kroah.com@vger.kernel.org Wed Aug 13 18:47:21 2025 +From: Sasha Levin +Date: Wed, 13 Aug 2025 12:42:19 -0400 +Subject: x86/fpu: Delay instruction pointer fixup until after warning +To: stable@vger.kernel.org +Cc: Dave Hansen , Chao Gao , Alison Schofield , Peter Zijlstra , Sasha Levin +Message-ID: <20250813164219.2063341-1-sashal@kernel.org> + +From: Dave Hansen + +[ Upstream commit 1cec9ac2d071cfd2da562241aab0ef701355762a ] + +Right now, if XRSTOR fails a console message like this is be printed: + + Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers. + +However, the text location (...+0x9a in this case) is the instruction +*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump +also points one instruction late. + +The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and +keep on running after returning from the #GP handler. But it does this +fixup before warning. + +The resulting warning output is nonsensical because it looks like the +non-FPU-related instruction is #GP'ing. + +Do not fix up RIP until after printing the warning. Do this by using +the more generic and standard ex_handler_default(). + +Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails") +Signed-off-by: Dave Hansen +Reviewed-by: Chao Gao +Acked-by: Alison Schofield +Acked-by: Peter Zijlstra (Intel) +Cc:stable@vger.kernel.org +Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com +[ adapted ex_handler_default() call ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/extable.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/extable.c ++++ b/arch/x86/mm/extable.c +@@ -59,13 +59,12 @@ __visible bool ex_handler_fprestore(cons + unsigned long error_code, + unsigned long fault_addr) + { +- regs->ip = ex_fixup_addr(fixup); +- + WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.", + (void *)instruction_pointer(regs)); + + __copy_kernel_to_fpregs(&init_fpstate, -1); +- return true; ++ ++ return ex_handler_default(fixup, regs, trapnr, error_code, fault_addr); + } + EXPORT_SYMBOL_GPL(ex_handler_fprestore); + diff --git a/queue-5.4/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch b/queue-5.4/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch new file mode 100644 index 0000000000..2c8259e87b --- /dev/null +++ b/queue-5.4/x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch @@ -0,0 +1,62 @@ +From stable+bounces-164366-greg=kroah.com@vger.kernel.org Wed Jul 23 06:25:01 2025 +From: Sasha Levin +Date: Wed, 23 Jul 2025 00:24:51 -0400 +Subject: x86/mce/amd: Add default names for MCA banks and blocks +To: stable@vger.kernel.org +Cc: Yazen Ghannam , Borislav Petkov , Sasha Levin +Message-ID: <20250723042451.1048106-1-sashal@kernel.org> + +From: Yazen Ghannam + +[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ] + +Ensure that sysfs init doesn't fail for new/unrecognized bank types or if +a bank has additional blocks available. + +Most MCA banks have a single thresholding block, so the block takes the same +name as the bank. + +Unified Memory Controllers (UMCs) are a special case where there are two +blocks and each has a unique name. + +However, the microarchitecture allows for five blocks. Any new MCA bank types +with more than one block will be missing names for the extra blocks. The MCE +sysfs will fail to initialize in this case. + +Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems") +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/cpu/mce/amd.c ++++ b/arch/x86/kernel/cpu/mce/amd.c +@@ -1180,13 +1180,20 @@ static const char *get_name(unsigned int + } + + bank_type = smca_get_bank_type(bank); +- if (bank_type >= N_SMCA_BANK_TYPES) +- return NULL; + + if (b && bank_type == SMCA_UMC) { + if (b->block < ARRAY_SIZE(smca_umc_block_names)) + return smca_umc_block_names[b->block]; +- return NULL; ++ } ++ ++ if (b && b->block) { ++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block); ++ return buf_mcatype; ++ } ++ ++ if (bank_type >= N_SMCA_BANK_TYPES) { ++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank); ++ return buf_mcatype; + } + + if (smca_banks[bank].hwid->count == 1)