From: Sasha Levin Date: Sun, 18 May 2025 10:30:32 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.15.184~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=739ff63f0110dfd9abbdeba1e0544ca32f62fc32;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch b/queue-5.10/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch new file mode 100644 index 0000000000..5eb1f17934 --- /dev/null +++ b/queue-5.10/alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch @@ -0,0 +1,46 @@ +From 317f578e06c7e7583668d072bcc25c5a45177e8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 09:31:04 +0200 +Subject: ALSA: sh: SND_AICA should depend on SH_DMA_API + +From: Geert Uytterhoeven + +[ Upstream commit 66e48ef6ef506c89ec1b3851c6f9f5f80b5835ff ] + +If CONFIG_SH_DMA_API=n: + + WARNING: unmet direct dependencies detected for G2_DMA + Depends on [n]: SH_DREAMCAST [=y] && SH_DMA_API [=n] + Selected by [y]: + - SND_AICA [=y] && SOUND [=y] && SND [=y] && SND_SUPERH [=y] && SH_DREAMCAST [=y] + +SND_AICA selects G2_DMA. As the latter depends on SH_DMA_API, the +former should depend on SH_DMA_API, too. + +Fixes: f477a538c14d07f8 ("sh: dma: fix kconfig dependency for G2_DMA") +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202505131320.PzgTtl9H-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/b90625f8a9078d0d304bafe862cbe3a3fab40082.1747121335.git.geert+renesas@glider.be +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/sh/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/sh/Kconfig b/sound/sh/Kconfig +index b75fbb3236a7b..f5fa09d740b4c 100644 +--- a/sound/sh/Kconfig ++++ b/sound/sh/Kconfig +@@ -14,7 +14,7 @@ if SND_SUPERH + + config SND_AICA + tristate "Dreamcast Yamaha AICA sound" +- depends on SH_DREAMCAST ++ depends on SH_DREAMCAST && SH_DMA_API + select SND_PCM + select G2_DMA + help +-- +2.39.5 + diff --git a/queue-5.10/iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch b/queue-5.10/iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch new file mode 100644 index 0000000000..5f1b500b2f --- /dev/null +++ b/queue-5.10/iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch @@ -0,0 +1,44 @@ +From ef74c4807218a84acc388fcfb07ce5abab2623b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Apr 2025 11:34:25 +0100 +Subject: iio: adc: ad7768-1: Fix insufficient alignment of timestamp. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Cameron + +[ Upstream commit ffbc26bc91c1f1eb3dcf5d8776e74cbae21ee13a ] + +On architectures where an s64 is not 64-bit aligned, this may result +insufficient alignment of the timestamp and the structure being too small. +Use aligned_s64 to force the alignment. + +Fixes: a1caeebab07e ("iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp()") # aligned_s64 newer +Reported-by: David Lechner +Reviewed-by: Nuno Sá +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250413103443.2420727-3-jic23@kernel.org +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/ad7768-1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c +index 2445ebc551dd1..9580a7f7f73d2 100644 +--- a/drivers/iio/adc/ad7768-1.c ++++ b/drivers/iio/adc/ad7768-1.c +@@ -168,7 +168,7 @@ struct ad7768_state { + union { + struct { + __be32 chan; +- s64 timestamp; ++ aligned_s64 timestamp; + } scan; + __be32 d32; + u8 d8[2]; +-- +2.39.5 + diff --git a/queue-5.10/iio-chemical-sps30-use-aligned_s64-for-timestamp.patch b/queue-5.10/iio-chemical-sps30-use-aligned_s64-for-timestamp.patch new file mode 100644 index 0000000000..3d2a6003b6 --- /dev/null +++ b/queue-5.10/iio-chemical-sps30-use-aligned_s64-for-timestamp.patch @@ -0,0 +1,43 @@ +From 1c0e1427d5c1aab036a392933d02046ac997eac9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 11:52:37 -0500 +Subject: iio: chemical: sps30: use aligned_s64 for timestamp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Lechner + +[ Upstream commit bb49d940344bcb8e2b19e69d7ac86f567887ea9a ] + +Follow the pattern of other drivers and use aligned_s64 for the +timestamp. This will ensure that the timestamp is correctly aligned on +all architectures. + +Fixes: a5bf6fdd19c3 ("iio:chemical:sps30: Fix timestamp alignment") +Signed-off-by: David Lechner +Reviewed-by: Nuno Sá +Link: https://patch.msgid.link/20250417-iio-more-timestamp-alignment-v1-5-eafac1e22318@baylibre.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/chemical/sps30.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/chemical/sps30.c b/drivers/iio/chemical/sps30.c +index 2ea9a5c4d8462..002628e31b5c9 100644 +--- a/drivers/iio/chemical/sps30.c ++++ b/drivers/iio/chemical/sps30.c +@@ -232,7 +232,7 @@ static irqreturn_t sps30_trigger_handler(int irq, void *p) + int ret; + struct { + s32 data[4]; /* PM1, PM2P5, PM4, PM10 */ +- s64 ts; ++ aligned_s64 ts; + } scan; + + mutex_lock(&state->lock); +-- +2.39.5 + diff --git a/queue-5.10/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch b/queue-5.10/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch new file mode 100644 index 0000000000..343f2e7fc4 --- /dev/null +++ b/queue-5.10/net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch @@ -0,0 +1,64 @@ +From 25195e43885dfc1183cef7432e0ea4eeee3c55be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:19:35 +0200 +Subject: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. + +From: Mathieu Othacehe + +[ Upstream commit c92d6089d8ad7d4d815ebcedee3f3907b539ff1f ] + +There is a situation where after THALT is set high, TGO stays high as +well. Because jiffies are never updated, as we are in a context with +interrupts disabled, we never exit that loop and have a deadlock. + +That deadlock was noticed on a sama5d4 device that stayed locked for days. + +Use retries instead of jiffies so that the timeout really works and we do +not have a deadlock anymore. + +Fixes: e86cd53afc590 ("net/macb: better manage tx errors") +Signed-off-by: Mathieu Othacehe +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250509121935.16282-1-othacehe@gnu.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 0f18837def3c8..74f3cabf8ed64 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -826,22 +826,15 @@ static void macb_update_stats(struct macb *bp) + + static int macb_halt_tx(struct macb *bp) + { +- unsigned long halt_time, timeout; +- u32 status; ++ u32 status; + + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(THALT)); + +- timeout = jiffies + usecs_to_jiffies(MACB_HALT_TIMEOUT); +- do { +- halt_time = jiffies; +- status = macb_readl(bp, TSR); +- if (!(status & MACB_BIT(TGO))) +- return 0; +- +- udelay(250); +- } while (time_before(halt_time, timeout)); +- +- return -ETIMEDOUT; ++ /* Poll TSR until TGO is cleared or timeout. */ ++ return read_poll_timeout_atomic(macb_readl, status, ++ !(status & MACB_BIT(TGO)), ++ 250, MACB_HALT_TIMEOUT, false, ++ bp, TSR); + } + + static void macb_tx_unmap(struct macb *bp, struct macb_tx_skb *tx_skb) +-- +2.39.5 + diff --git a/queue-5.10/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch b/queue-5.10/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch new file mode 100644 index 0000000000..a0b7a450f6 --- /dev/null +++ b/queue-5.10/net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch @@ -0,0 +1,92 @@ +From 69267d537c5a259011224323cb34702f53ed7707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 14:38:16 +0300 +Subject: net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING + +From: Vladimir Oltean + +[ Upstream commit 498625a8ab2c8e1c9ab5105744310e8d6952cc01 ] + +It has been reported that when under a bridge with stp_state=1, the logs +get spammed with this message: + +[ 251.734607] fsl_dpaa2_eth dpni.5 eth0: Couldn't decode source port + +Further debugging shows the following info associated with packets: +source_port=-1, switch_id=-1, vid=-1, vbid=1 + +In other words, they are data plane packets which are supposed to be +decoded by dsa_tag_8021q_find_port_by_vbid(), but the latter (correctly) +refuses to do so, because no switch port is currently in +BR_STATE_LEARNING or BR_STATE_FORWARDING - so the packet is effectively +unexpected. + +The error goes away after the port progresses to BR_STATE_LEARNING in 15 +seconds (the default forward_time of the bridge), because then, +dsa_tag_8021q_find_port_by_vbid() can correctly associate the data plane +packets with a plausible bridge port in a plausible STP state. + +Re-reading IEEE 802.1D-1990, I see the following: + +"4.4.2 Learning: (...) The Forwarding Process shall discard received +frames." + +IEEE 802.1D-2004 further clarifies: + +"DISABLED, BLOCKING, LISTENING, and BROKEN all correspond to the +DISCARDING port state. While those dot1dStpPortStates serve to +distinguish reasons for discarding frames, the operation of the +Forwarding and Learning processes is the same for all of them. (...) +LISTENING represents a port that the spanning tree algorithm has +selected to be part of the active topology (computing a Root Port or +Designated Port role) but is temporarily discarding frames to guard +against loops or incorrect learning." + +Well, this is not what the driver does - instead it sets +mac[port].ingress = true. + +To get rid of the log spam, prevent unexpected data plane packets to +be received by software by discarding them on ingress in the LISTENING +state. + +In terms of blame attribution: the prints only date back to commit +d7f9787a763f ("net: dsa: tag_8021q: add support for imprecise RX based +on the VBID"). However, the settings would permit a LISTENING port to +forward to a FORWARDING port, and the standard suggests that's not OK. + +Fixes: 640f763f98c2 ("net: dsa: sja1105: Add support for Spanning Tree Protocol") +Signed-off-by: Vladimir Oltean +Link: https://patch.msgid.link/20250509113816.2221992-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/sja1105/sja1105_main.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c +index 4362fe0f346d2..5f5e5b8267e0c 100644 +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -1644,6 +1644,7 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port, + switch (state) { + case BR_STATE_DISABLED: + case BR_STATE_BLOCKING: ++ case BR_STATE_LISTENING: + /* From UM10944 description of DRPDTAG (why put this there?): + * "Management traffic flows to the port regardless of the state + * of the INGRESS flag". So BPDUs are still be allowed to pass. +@@ -1653,11 +1654,6 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port, + mac[port].egress = false; + mac[port].dyn_learn = false; + break; +- case BR_STATE_LISTENING: +- mac[port].ingress = true; +- mac[port].egress = false; +- mac[port].dyn_learn = false; +- break; + case BR_STATE_LEARNING: + mac[port].ingress = true; + mac[port].egress = false; +-- +2.39.5 + diff --git a/queue-5.10/net_sched-flush-gso_skb-list-too-during-change.patch b/queue-5.10/net_sched-flush-gso_skb-list-too-during-change.patch new file mode 100644 index 0000000000..9f22163d4e --- /dev/null +++ b/queue-5.10/net_sched-flush-gso_skb-list-too-during-change.patch @@ -0,0 +1,147 @@ +From 0b4601944fa88fa31eae76853f688aca63cb8d4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 21:35:58 -0700 +Subject: net_sched: Flush gso_skb list too during ->change() + +From: Cong Wang + +[ Upstream commit 2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8 ] + +Previously, when reducing a qdisc's limit via the ->change() operation, only +the main skb queue was trimmed, potentially leaving packets in the gso_skb +list. This could result in NULL pointer dereference when we only check +sch->limit against sch->q.qlen. + +This patch introduces a new helper, qdisc_dequeue_internal(), which ensures +both the gso_skb list and the main queue are properly flushed when trimming +excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) +are updated to use this helper in their ->change() routines. + +Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM") +Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM") +Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler") +Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") +Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") +Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme") +Reported-by: Will +Reported-by: Savy +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 15 +++++++++++++++ + net/sched/sch_codel.c | 2 +- + net/sched/sch_fq.c | 2 +- + net/sched/sch_fq_codel.c | 2 +- + net/sched/sch_fq_pie.c | 2 +- + net/sched/sch_hhf.c | 2 +- + net/sched/sch_pie.c | 2 +- + 7 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index 4db11c4695cf6..a4c670ad8c4ac 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -1036,6 +1036,21 @@ static inline struct sk_buff *__qdisc_dequeue_head(struct qdisc_skb_head *qh) + return skb; + } + ++static inline struct sk_buff *qdisc_dequeue_internal(struct Qdisc *sch, bool direct) ++{ ++ struct sk_buff *skb; ++ ++ skb = __skb_dequeue(&sch->gso_skb); ++ if (skb) { ++ sch->q.qlen--; ++ return skb; ++ } ++ if (direct) ++ return __qdisc_dequeue_head(&sch->q); ++ else ++ return sch->dequeue(sch); ++} ++ + static inline struct sk_buff *qdisc_dequeue_head(struct Qdisc *sch) + { + struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); +diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c +index 30169b3adbbb0..d99c7386e24e6 100644 +--- a/net/sched/sch_codel.c ++++ b/net/sched/sch_codel.c +@@ -174,7 +174,7 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt, + + qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + + dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); +diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c +index 5a1274199fe33..65b12b39e2ec5 100644 +--- a/net/sched/sch_fq.c ++++ b/net/sched/sch_fq.c +@@ -904,7 +904,7 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt, + sch_tree_lock(sch); + } + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = fq_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + if (!skb) + break; +diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c +index 01d6eea5b0ce9..60dbc549e9910 100644 +--- a/net/sched/sch_fq_codel.c ++++ b/net/sched/sch_fq_codel.c +@@ -429,7 +429,7 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt, + + while (sch->q.qlen > sch->limit || + q->memory_usage > q->memory_limit) { +- struct sk_buff *skb = fq_codel_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + q->cstats.drop_len += qdisc_pkt_len(skb); + rtnl_kfree_skbs(skb, skb); +diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c +index a5b63158f081c..d4bfa3382e118 100644 +--- a/net/sched/sch_fq_pie.c ++++ b/net/sched/sch_fq_pie.c +@@ -360,7 +360,7 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt, + + /* Drop excess packets if new limit is lower */ + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = fq_pie_qdisc_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + len_dropped += qdisc_pkt_len(skb); + num_dropped += 1; +diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c +index 420ede8753229..433bddcbc0c72 100644 +--- a/net/sched/sch_hhf.c ++++ b/net/sched/sch_hhf.c +@@ -563,7 +563,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt, + qlen = sch->q.qlen; + prev_backlog = sch->qstats.backlog; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = hhf_dequeue(sch); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false); + + rtnl_kfree_skbs(skb, skb); + } +diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c +index c65077f0c0f39..47f5d4adb5a33 100644 +--- a/net/sched/sch_pie.c ++++ b/net/sched/sch_pie.c +@@ -193,7 +193,7 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt, + /* Drop excess packets if new limit is lower */ + qlen = sch->q.qlen; + while (sch->q.qlen > sch->limit) { +- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q); ++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true); + + dropped += qdisc_pkt_len(skb); + qdisc_qstats_backlog_dec(sch, skb); +-- +2.39.5 + diff --git a/queue-5.10/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch b/queue-5.10/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch new file mode 100644 index 0000000000..5d0058800f --- /dev/null +++ b/queue-5.10/nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch @@ -0,0 +1,97 @@ +From df3b42cfacd8da9eddfe7277570842a598785a27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 15:25:08 +0800 +Subject: nfs: handle failure of nfs_get_lock_context in unlock path + +From: Li Lingfeng + +[ Upstream commit c457dc1ec770a22636b473ce5d35614adfe97636 ] + +When memory is insufficient, the allocation of nfs_lock_context in +nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat +an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM) +as valid and proceed to execute rpc_run_task(), this will trigger a NULL +pointer dereference in nfs4_locku_prepare. For example: + +BUG: kernel NULL pointer dereference, address: 000000000000000c +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] SMP PTI +CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 +Workqueue: rpciod rpc_async_schedule +RIP: 0010:nfs4_locku_prepare+0x35/0xc2 +Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3 +RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246 +RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40 +RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38 +R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030 +R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30 +FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0 +Call Trace: + + __rpc_execute+0xbc/0x480 + rpc_async_schedule+0x2f/0x40 + process_one_work+0x232/0x5d0 + worker_thread+0x1da/0x3d0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x10d/0x240 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x50 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + +Modules linked in: +CR2: 000000000000000c +---[ end trace 0000000000000000 ]--- + +Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and +return NULL to terminate subsequent rpc_run_task, preventing NULL pointer +dereference. + +Fixes: f30cb757f680 ("NFS: Always wait for I/O completion before unlock") +Signed-off-by: Li Lingfeng +Reviewed-by: Jeff Layton +Link: https://lore.kernel.org/r/20250417072508.3850532-1-lilingfeng3@huawei.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index ac3fab214df12..1005ecf7c250b 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -6732,10 +6732,18 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, + struct nfs4_unlockdata *p; + struct nfs4_state *state = lsp->ls_state; + struct inode *inode = state->inode; ++ struct nfs_lock_context *l_ctx; + + p = kzalloc(sizeof(*p), GFP_NOFS); + if (p == NULL) + return NULL; ++ l_ctx = nfs_get_lock_context(ctx); ++ if (!IS_ERR(l_ctx)) { ++ p->l_ctx = l_ctx; ++ } else { ++ kfree(p); ++ return NULL; ++ } + p->arg.fh = NFS_FH(inode); + p->arg.fl = &p->fl; + p->arg.seqid = seqid; +@@ -6743,7 +6751,6 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl, + p->lsp = lsp; + /* Ensure we don't close file until we're done freeing locks! */ + p->ctx = get_nfs_open_context(ctx); +- p->l_ctx = nfs_get_lock_context(ctx); + locks_init_lock(&p->fl); + locks_copy_lock(&p->fl, fl); + p->server = NFS_SERVER(inode); +-- +2.39.5 + diff --git a/queue-5.10/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch b/queue-5.10/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch new file mode 100644 index 0000000000..680b1c2af7 --- /dev/null +++ b/queue-5.10/nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch @@ -0,0 +1,50 @@ +From 22f144c7ad731b38636a813ce25657f52ce5faed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 10:50:13 -0400 +Subject: NFSv4/pnfs: Reset the layout state after a layoutreturn + +From: Trond Myklebust + +[ Upstream commit 6d6d7f91cc8c111d40416ac9240a3bb9396c5235 ] + +If there are still layout segments in the layout plh_return_lsegs list +after a layout return, we should be resetting the state to ensure they +eventually get returned as well. + +Fixes: 68f744797edd ("pNFS: Do not free layout segments that are marked for return") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index 39ac4824b97de..1800836306a5d 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -733,6 +733,14 @@ pnfs_mark_matching_lsegs_invalid(struct pnfs_layout_hdr *lo, + return remaining; + } + ++static void pnfs_reset_return_info(struct pnfs_layout_hdr *lo) ++{ ++ struct pnfs_layout_segment *lseg; ++ ++ list_for_each_entry(lseg, &lo->plh_return_segs, pls_list) ++ pnfs_set_plh_return_info(lo, lseg->pls_range.iomode, 0); ++} ++ + static void + pnfs_free_returned_lsegs(struct pnfs_layout_hdr *lo, + struct list_head *free_me, +@@ -1183,6 +1191,7 @@ void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo, + pnfs_mark_matching_lsegs_invalid(lo, &freeme, range, seq); + pnfs_free_returned_lsegs(lo, &freeme, range, seq); + pnfs_set_layout_stateid(lo, stateid, NULL, true); ++ pnfs_reset_return_info(lo); + } else + pnfs_mark_layout_stateid_invalid(lo, &freeme); + out_unlock: +-- +2.39.5 + diff --git a/queue-5.10/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch b/queue-5.10/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch new file mode 100644 index 0000000000..12db742db6 --- /dev/null +++ b/queue-5.10/platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch @@ -0,0 +1,76 @@ +From 3c8bef1aac2cab0ec71277c1ff4858a49a2a6d04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 May 2025 15:17:02 +0200 +Subject: platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit bfcfe6d335a967f8ea0c1980960e6f0205b5de6e ] + +The wlan_ctrl_by_user detection was introduced by commit a50bd128f28c +("asus-wmi: record wlan status while controlled by userapp"). + +Quoting from that commit's commit message: + +""" +When you call WMIMethod(DSTS, 0x00010011) to get WLAN status, it may return + +(1) 0x00050001 (On) +(2) 0x00050000 (Off) +(3) 0x00030001 (On) +(4) 0x00030000 (Off) +(5) 0x00000002 (Unknown) + +(1), (2) means that the model has hardware GPIO for WLAN, you can call +WMIMethod(DEVS, 0x00010011, 1 or 0) to turn WLAN on/off. +(3), (4) means that the model doesn’t have hardware GPIO, you need to use +API or driver library to turn WLAN on/off, and call +WMIMethod(DEVS, 0x00010012, 1 or 0) to set WLAN LED status. +After you set WLAN LED status, you can see the WLAN status is changed with +WMIMethod(DSTS, 0x00010011). Because the status is recorded lastly +(ex: Windows), you can use it for synchronization. +(5) means that the model doesn’t have WLAN device. + +WLAN is the ONLY special case with upper rule. +""" + +The wlan_ctrl_by_user flag should be set on 0x0003000? ((3), (4) above) +return values, but the flag mistakenly also gets set on laptops with +0x0005000? ((1), (2)) return values. This is causing rfkill problems on +laptops where 0x0005000? is returned. + +Fix the check to only set the wlan_ctrl_by_user flag for 0x0003000? +return values. + +Fixes: a50bd128f28c ("asus-wmi: record wlan status while controlled by userapp") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219786 +Signed-off-by: Hans de Goede +Reviewed-by: Armin Wolf +Link: https://lore.kernel.org/r/20250501131702.103360-2-hdegoede@redhat.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-wmi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 9316564947682..265232d1b9a86 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -2739,7 +2739,8 @@ static int asus_wmi_add(struct platform_device *pdev) + goto fail_leds; + + asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_WLAN, &result); +- if (result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) ++ if ((result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) == ++ (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) + asus->driver->wlan_ctrl_by_user = 1; + + if (!(asus->driver->wlan_ctrl_by_user && ashs_present())) { +-- +2.39.5 + diff --git a/queue-5.10/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch b/queue-5.10/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch new file mode 100644 index 0000000000..9daa72c9a9 --- /dev/null +++ b/queue-5.10/qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch @@ -0,0 +1,45 @@ +From 20c21bd87bed039bf2b76c28da7c8ded851ba217 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 10:18:27 +0530 +Subject: qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() + +From: Abdun Nihaal + +[ Upstream commit 9d8a99c5a7c7f4f7eca2c168a4ec254409670035 ] + +In one of the error paths in qlcnic_sriov_channel_cfg_cmd(), the memory +allocated in qlcnic_sriov_alloc_bc_mbx_args() for mailbox arguments is +not freed. Fix that by jumping to the error path that frees them, by +calling qlcnic_free_mbx_args(). This was found using static analysis. + +Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation") +Signed-off-by: Abdun Nihaal +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250512044829.36400-1-abdun.nihaal@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index 256b19f68caed..bf510d3882cf1 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -1485,8 +1485,11 @@ static int qlcnic_sriov_channel_cfg_cmd(struct qlcnic_adapter *adapter, u8 cmd_o + } + + cmd_op = (cmd.rsp.arg[0] & 0xff); +- if (cmd.rsp.arg[0] >> 25 == 2) +- return 2; ++ if (cmd.rsp.arg[0] >> 25 == 2) { ++ ret = 2; ++ goto out; ++ } ++ + if (cmd_op == QLCNIC_BC_CMD_CHANNEL_INIT) + set_bit(QLC_BC_VF_STATE, &vf->state); + else +-- +2.39.5 + diff --git a/queue-5.10/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch b/queue-5.10/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch new file mode 100644 index 0000000000..b7f11610f2 --- /dev/null +++ b/queue-5.10/rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch @@ -0,0 +1,69 @@ +From afaf091a644d1f92145479b0aebbafade72afbc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Apr 2025 09:57:14 +0200 +Subject: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug + +From: Zhu Yanjun + +[ Upstream commit f81b33582f9339d2dc17c69b92040d3650bb4bae ] + +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xcf/0x610 mm/kasan/report.c:489 + kasan_report+0xb5/0xe0 mm/kasan/report.c:602 + rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195 + rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132 + __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232 + rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109 + create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052 + ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095 + ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679 + vfs_write fs/read_write.c:677 [inline] + vfs_write+0x26a/0xcc0 fs/read_write.c:659 + ksys_write+0x1b8/0x200 fs/read_write.c:731 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +In the function rxe_create_cq, when rxe_cq_from_init fails, the function +rxe_cleanup will be called to handle the allocated resources. In fact, +some memory resources have already been freed in the function +rxe_cq_from_init. Thus, this problem will occur. + +The solution is to let rxe_cleanup do all the work. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://paste.ubuntu.com/p/tJgC42wDf6/ +Tested-by: liuyi +Signed-off-by: Zhu Yanjun +Link: https://patch.msgid.link/20250412075714.3257358-1-yanjun.zhu@linux.dev +Reviewed-by: Daisuke Matsuda +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_cq.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_cq.c b/drivers/infiniband/sw/rxe/rxe_cq.c +index 43394c3f29d41..129576a79698c 100644 +--- a/drivers/infiniband/sw/rxe/rxe_cq.c ++++ b/drivers/infiniband/sw/rxe/rxe_cq.c +@@ -69,11 +69,8 @@ int rxe_cq_from_init(struct rxe_dev *rxe, struct rxe_cq *cq, int cqe, + + err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata, + cq->queue->buf, cq->queue->buf_size, &cq->queue->ip); +- if (err) { +- vfree(cq->queue->buf); +- kfree(cq->queue); ++ if (err) + return err; +- } + + if (uresp) + cq->is_user = 1; +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series index c040965091..b51b4a7411 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -80,3 +80,15 @@ mips-fix-max_reg_offset.patch drm-panel-simple-update-timings-for-auo-g101evn010.patch nvme-unblock-ctrl-state-transition-for-firmware-upda.patch do_umount-add-missing-barrier-before-refcount-checks.patch +platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch +iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch +iio-chemical-sps30-use-aligned_s64-for-timestamp.patch +rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch +nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch +spi-loopback-test-do-not-split-1024-byte-hexdumps.patch +net_sched-flush-gso_skb-list-too-during-change.patch +net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch +net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch +alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch +qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch +nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch diff --git a/queue-5.10/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch b/queue-5.10/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch new file mode 100644 index 0000000000..2ef0dd7850 --- /dev/null +++ b/queue-5.10/spi-loopback-test-do-not-split-1024-byte-hexdumps.patch @@ -0,0 +1,43 @@ +From a4b3aefb2bd0bf951c4a2de2219a5a7d641ba1a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 May 2025 13:10:35 +0200 +Subject: spi: loopback-test: Do not split 1024-byte hexdumps + +From: Geert Uytterhoeven + +[ Upstream commit a73fa3690a1f3014d6677e368dce4e70767a6ba2 ] + +spi_test_print_hex_dump() prints buffers holding less than 1024 bytes in +full. Larger buffers are truncated: only the first 512 and the last 512 +bytes are printed, separated by a truncation message. The latter is +confusing in case the buffer holds exactly 1024 bytes, as all data is +printed anyway. + +Fix this by printing buffers holding up to and including 1024 bytes in +full. + +Fixes: 84e0c4e5e2c4ef42 ("spi: add loopback test driver to allow for spi_master regression tests") +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/37ee1bc90c6554c9347040adabf04188c8f704aa.1746184171.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-loopback-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c +index 4d4f77a186a98..89fccb9da1b8e 100644 +--- a/drivers/spi/spi-loopback-test.c ++++ b/drivers/spi/spi-loopback-test.c +@@ -383,7 +383,7 @@ MODULE_LICENSE("GPL"); + static void spi_test_print_hex_dump(char *pre, const void *ptr, size_t len) + { + /* limit the hex_dump */ +- if (len < 1024) { ++ if (len <= 1024) { + print_hex_dump(KERN_INFO, pre, + DUMP_PREFIX_OFFSET, 16, 1, + ptr, len, 0); +-- +2.39.5 +