From: Sasha Levin Date: Tue, 10 Jun 2025 11:54:37 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.6.94~73 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a9df16acef6b58de557455d77b658d35bb6e36e9;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch b/queue-5.4/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch new file mode 100644 index 0000000000..9496b029a6 --- /dev/null +++ b/queue-5.4/acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch 
@@ -0,0 +1,44 @@ +From 634451716839c16322a404e7b3c9990480c46212 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Apr 2025 18:54:54 +0200 +Subject: ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" + +From: Armin Wolf + +[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ] + +As specified in section 5.7.2 of the ACPI specification the feature +group string "3.0 _SCP Extensions" implies that the operating system +evaluates the _SCP control method with additional parameters. + +However the ACPI thermal driver evaluates the _SCP control method +without those additional parameters, conflicting with the above +feature group string advertised to the firmware thru _OSI. + +Stop advertising support for this feature string to avoid confusing +the ACPI firmware. + +Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file") +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/osi.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c +index bec0bebc7f52b..763d4b8045110 100644 +--- a/drivers/acpi/osi.c ++++ b/drivers/acpi/osi.c +@@ -42,7 +42,6 @@ static struct acpi_osi_entry + osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = { + {"Module Device", true}, + {"Processor Device", true}, +- {"3.0 _SCP Extensions", true}, + {"Processor Aggregator Device", true}, + /* + * Linux-Dell-Video is used by BIOS to disable RTD3 for NVidia graphics +-- +2.39.5 + diff --git a/queue-5.4/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch b/queue-5.4/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch new file mode 100644 index 0000000000..e4bb7b2a9e --- /dev/null +++ b/queue-5.4/arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch 
@@ -0,0 +1,67 @@ +From 1db6cf121a56e4989f6694c42ec7d2b4411be195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 23:04:46 +0200 +Subject: ARM: dts: at91: at91sam9263: fix NAND chip selects + +From: Wolfram Sang + +[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ] + +NAND did not work on my USB-A9263. I discovered that the offending +commit converted the PIO bank for chip selects wrongly, so all A9263 +boards need to be fixed. + +Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings") +Signed-off-by: Wolfram Sang +Reviewed-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91sam9263ek.dts | 2 +- + arch/arm/boot/dts/tny_a9263.dts | 2 +- + arch/arm/boot/dts/usb_a9263.dts | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/at91sam9263ek.dts b/arch/arm/boot/dts/at91sam9263ek.dts +index 62d218542a480..64e4a56b30e07 100644 +--- a/arch/arm/boot/dts/at91sam9263ek.dts ++++ b/arch/arm/boot/dts/at91sam9263ek.dts +@@ -147,7 +147,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +diff --git a/arch/arm/boot/dts/tny_a9263.dts b/arch/arm/boot/dts/tny_a9263.dts +index 2820635952e33..f31bacf641b4a 100644 +--- a/arch/arm/boot/dts/tny_a9263.dts ++++ b/arch/arm/boot/dts/tny_a9263.dts +@@ -64,7 +64,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts +index 937adf3ed3611..a22c7628e2b58 100644 +--- 
a/arch/arm/boot/dts/usb_a9263.dts ++++ b/arch/arm/boot/dts/usb_a9263.dts +@@ -84,7 +84,7 @@ + nand@3 { + reg = <0x3 0x0 0x800000>; + rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>; +- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>; + nand-bus-width = <8>; + nand-ecc-mode = "soft"; + nand-on-flash-bbt; +-- +2.39.5 + diff --git a/queue-5.4/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch b/queue-5.4/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch new file mode 100644 index 0000000000..f9e3bd36a4 --- /dev/null +++ b/queue-5.4/arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch @@ -0,0 +1,39 @@ +From 57dc4f43dae212276a204231984ee36a3ff2a612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Apr 2025 13:27:43 +0200 +Subject: ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select + +From: Wolfram Sang + +[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ] + +Dataflash did not work on my board. After checking schematics and using +the proper GPIO, it works now. Also, make it active low to avoid: + +flash@0 enforce active low on GPIO handle + +Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support") +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/usb_a9263.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts +index e7a705fddda95..937adf3ed3611 100644 +--- a/arch/arm/boot/dts/usb_a9263.dts ++++ b/arch/arm/boot/dts/usb_a9263.dts +@@ -58,7 +58,7 @@ + }; + + spi0: spi@fffa4000 { +- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>; ++ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>; + status = "okay"; + mtd_dataflash@0 { + compatible = "atmel,at45", "atmel,dataflash"; +-- +2.39.5 + 
diff --git a/queue-5.4/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch b/queue-5.4/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch new file mode 100644 index 0000000000..e5df4aaab5 --- /dev/null +++ b/queue-5.4/arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch @@ -0,0 +1,58 @@ +From f6b1dcab565e47c3fe87b3def050b68d6185deea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 15:22:00 +0200 +Subject: ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon + device + +From: Dmitry Baryshkov + +[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ] + +Follow up the expected way of describing the SFPB hwspinlock and merge +hwspinlock node into corresponding syscon node, fixing several dt-schema +warnings. + +Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-apq8064.dtsi | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi +index cd200910ccdf8..f3131dae731ac 100644 +--- a/arch/arm/boot/dts/qcom-apq8064.dtsi ++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi +@@ -211,12 +211,6 @@ + }; + }; + +- sfpb_mutex: hwmutex { +- compatible = "qcom,sfpb-mutex"; +- syscon = <&sfpb_wrapper_mutex 0x604 0x4>; +- #hwlock-cells = <1>; +- }; +- + smem { + compatible = "qcom,smem"; + memory-region = <&smem_region>; +@@ -359,9 +353,10 @@ + pinctrl-0 = <&ps_hold>; + }; + +- sfpb_wrapper_mutex: syscon@1200000 { +- compatible = "syscon"; +- reg = <0x01200000 0x8000>; ++ sfpb_mutex: hwmutex@1200600 { ++ compatible = "qcom,sfpb-mutex"; ++ reg = <0x01200600 0x100>; ++ #hwlock-cells = <1>; + }; + + intc: interrupt-controller@2000000 { +-- +2.39.5 + 
diff --git a/queue-5.4/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch b/queue-5.4/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch new file mode 100644 index 0000000000..9bff3942c7 --- /dev/null +++ b/queue-5.4/arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch 
@@ -0,0 +1,67 @@ +From 090d503b9f079a23f53197e9dd687f1706b4f7e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 17:18:10 +0200 +Subject: arm64: dts: rockchip: disable unrouted USB controllers and PHY on + RK3399 Puma with Haikou + +From: Quentin Schulz + +[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ] + +The u2phy0_host port is the part of the USB PHY0 (namely the +HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST +controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG +controller (dwc3), which we do use. + +The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply +disable the USB2.0 controllers. + +USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a +while, one of the recurring issues being that only USB2 is detected and +not USB3 in host mode. Reading the justification above and seeing that +we are keeping u2phy0_host in the Haikou carrierboard DTS probably may +have bothered you since it should be changed to u2phy0_otg. The issue is +that if it's switched to that, USB OTG on Haikou is entirely broken. I +have checked the routing in the Gerber file, the lanes are going to the +expected ball pins (that is, NOT HOST0_DP/DM). +u2phy0_host is for sure the wrong part of the PHY to use, but it's the +only one that works at the moment for that board so keep it until we +figure out what exactly is broken. + +No intended functional change. 
+ +[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf + Chapter 2 USB2.0 PHY + +Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM") +Signed-off-by: Quentin Schulz +Signed-off-by: Lukasz Czechowski +Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +index d29937e4a606b..ea3fbd8da2cf6 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts +@@ -246,14 +246,6 @@ + status = "okay"; + }; + +-&usb_host0_ehci { +- status = "okay"; +-}; +- +-&usb_host0_ohci { +- status = "okay"; +-}; +- + &vopb { + status = "okay"; + }; +-- +2.39.5 + diff --git a/queue-5.4/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch b/queue-5.4/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch new file mode 100644 index 0000000000..673d01f8f9 --- /dev/null +++ b/queue-5.4/bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch 
@@ -0,0 +1,40 @@ +From 94a44bd1c78ee5f0217d65cdc269efab5102d6bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 14:53:11 -0400 +Subject: Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION + +From: Luiz Augusto von Dentz + +[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ] + +Depending on the security set the response to L2CAP_LE_CONN_REQ shall be +just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM +is selected since that means security mode 2 which doesn't require +authentication which is something that is covered in the qualification +test L2CAP/LE/CFC/BV-25-C. + +Link: https://github.com/bluez/bluez/issues/1270 +Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 874f12d93bfa2..dc9edf8fc336a 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5578,7 +5578,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, + + if (!smp_sufficient_security(conn->hcon, pchan->sec_level, + SMP_ALLOW_STK)) { +- result = L2CAP_CR_LE_AUTHENTICATION; ++ result = pchan->sec_level == BT_SECURITY_MEDIUM ? ++ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION; + chan = NULL; + goto response_unlock; + } +-- +2.39.5 + diff --git a/queue-5.4/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch b/queue-5.4/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch new file mode 100644 index 0000000000..be040699c4 --- /dev/null +++ b/queue-5.4/bpf-fix-warn-in-get_bpf_raw_tp_regs.patch 
@@ -0,0 +1,86 @@ +From 333dd5fb265afd345e4ef0b43fc934969d058dca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:27:47 +0800 +Subject: bpf: Fix WARN() in get_bpf_raw_tp_regs + +From: Tao Chen + +[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ] + +syzkaller reported an issue: + +WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 +Modules linked in: +CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 +RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c +RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 +RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 +R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 +R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 +FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline] + bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931 + bpf_prog_ec3b2eefa702d8d3+0x43/0x47 + bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] + __bpf_prog_run include/linux/filter.h:718 [inline] + bpf_prog_run include/linux/filter.h:725 [inline] + __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline] + bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405 + __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 
include/trace/events/mmap_lock.h:47 + __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47 + __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] + trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] + __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35 + __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] + mmap_read_trylock include/linux/mmap_lock.h:204 [inline] + stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157 + __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483 + ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline] + bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496 + ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline] + bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931 + bpf_prog_ec3b2eefa702d8d3+0x43/0x47 + +Tracepoint like trace_mmap_lock_acquire_returned may cause nested call +as the corner case show above, which will be resolved with more general +method in the future. As a result, WARN_ON_ONCE will be triggered. As +Alexei suggested, remove the WARN_ON_ONCE first. 
+ +Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data") +Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com +Suggested-by: Alexei Starovoitov +Signed-off-by: Tao Chen +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev + +Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 75ea2ab532134..d001602fde590 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -956,7 +956,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void) + struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs); + int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level); + +- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) { ++ if (nest_level > ARRAY_SIZE(tp_regs->regs)) { + this_cpu_dec(bpf_raw_tp_nest_level); + return ERR_PTR(-EBUSY); + } +-- +2.39.5 + diff --git a/queue-5.4/bus-fsl-mc-fix-double-free-on-mc_dev.patch b/queue-5.4/bus-fsl-mc-fix-double-free-on-mc_dev.patch new file mode 100644 index 0000000000..ed1b1f9f02 --- /dev/null +++ b/queue-5.4/bus-fsl-mc-fix-double-free-on-mc_dev.patch 
@@ -0,0 +1,52 @@ +From 8242d922aa2bba8926b67093e3d307b48d7749c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 13:58:09 +0300 +Subject: bus: fsl-mc: fix double-free on mc_dev + +From: Ioana Ciornei + +[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ] + +The blamed commit tried to simplify how the deallocations are done but, +in the process, introduced a double-free on the mc_dev variable. + +In case the MC device is a DPRC, a new mc_bus is allocated and the +mc_dev variable is just a reference to one of its fields. In this +circumstance, on the error path only the mc_bus should be freed. + +This commit introduces back the following checkpatch warning which is a +false-positive. + +WARNING: kfree(NULL) is safe and this check is probably not required ++ if (mc_bus) ++ kfree(mc_bus); + +Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations") +Signed-off-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com +Signed-off-by: Christophe Leroy +Signed-off-by: Sasha Levin +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c +index 5c9bf2e065520..3a2107d1c5394 100644 +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -679,8 +679,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc, + + error_cleanup_dev: + kfree(mc_dev->regions); +- kfree(mc_bus); +- kfree(mc_dev); ++ if (mc_bus) ++ kfree(mc_bus); ++ else ++ kfree(mc_dev); + + return error; + } +-- +2.39.5 + diff --git a/queue-5.4/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch b/queue-5.4/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch new file mode 100644 index 0000000000..cfdc0c4980 --- /dev/null +++ b/queue-5.4/calipso-don-t-call-calipso-functions-for-af_inet-sk.patch 
@@ -0,0 +1,108 @@ +From c366e6a53ef08f945a9076cba6c3e71e8373414e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 15:18:56 -0700 +Subject: calipso: Don't call calipso functions for AF_INET sk. + +From: Kuniyuki Iwashima + +[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ] + +syzkaller reported a null-ptr-deref in txopt_get(). [0] + +The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, +so struct ipv6_pinfo was NULL there. + +However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 +is always set in inet6_create(), meaning the socket was not IPv6 one. + +The root cause is missing validation in netlbl_conn_setattr(). + +netlbl_conn_setattr() switches branches based on struct +sockaddr.sa_family, which is passed from userspace. However, +netlbl_conn_setattr() does not check if the address family matches +the socket. + +The syzkaller must have called connect() for an IPv6 address on +an IPv4 socket. + +We have a proper validation in tcp_v[46]_connect(), but +security_socket_connect() is called in the earlier stage. + +Let's copy the validation to netlbl_conn_setattr(). 
+ +[0]: +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] +CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] +RIP: 0010: +Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 +RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 +RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c +RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 +RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e +R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 +R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 +FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 +PKRU: 80000000 +Call Trace: + + calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557 + netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177 + selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569 + selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline] + selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615 + selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931 + security_socket_connect+0x50/0xa0 security/security.c:4598 + __sys_connect_file+0xa4/0x190 net/socket.c:2067 + __sys_connect+0x12c/0x170 net/socket.c:2088 + __do_sys_connect net/socket.c:2098 [inline] + __se_sys_connect net/socket.c:2095 [inline] + __x64_sys_connect+0x73/0xb0 net/socket.c:2095 + do_syscall_x64 arch/x86/entry/common.c:52 
[inline] + do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f901b61a12d +Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d +RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 +RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 + +Modules linked in: + +Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") +Reported-by: syzkaller +Reported-by: John Cheung +Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/ +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_kapi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c +index 96059c99b915e..2e9344b3c657c 100644 +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -1140,6 +1140,9 @@ int netlbl_conn_setattr(struct sock *sk, + break; + #if IS_ENABLED(CONFIG_IPV6) + case AF_INET6: ++ if (sk->sk_family != AF_INET6) ++ return -EAFNOSUPPORT; ++ + addr6 = (struct sockaddr_in6 *)addr; + entry = netlbl_domhsh_getentry_af6(secattr->domain, + &addr6->sin6_addr); +-- +2.39.5 + diff --git a/queue-5.4/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch b/queue-5.4/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch new file mode 100644 index 0000000000..a59c9e4f5b --- /dev/null 
+++ b/queue-5.4/crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch @@ -0,0 +1,36 @@ +From a184f573714b164712d3498d4eacf9cd1936480b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:43:33 +0800 +Subject: crypto: marvell/cesa - Avoid empty transfer descriptor + +From: Herbert Xu + +[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ] + +The user may set req->src even if req->nbytes == 0. If there +is no data to hash from req->src, do not generate an empty TDMA +descriptor. + +Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/marvell/hash.c b/drivers/crypto/marvell/hash.c +index a2b35fb0fb890..de1599bca3b75 100644 +--- a/drivers/crypto/marvell/hash.c ++++ b/drivers/crypto/marvell/hash.c +@@ -630,7 +630,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req) + if (ret) + goto err_free_tdma; + +- if (iter.src.sg) { ++ if (iter.base.len > iter.src.op_offset) { + /* + * Add all the new data, inserting an operation block and + * launch command between each full SRAM block-worth of +-- +2.39.5 + diff --git a/queue-5.4/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch b/queue-5.4/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch new file mode 100644 index 0000000000..7d57d591ab --- /dev/null +++ b/queue-5.4/crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch 
@@ -0,0 +1,36 @@ +From 35d1d73428b7cbdbf139c55155fff21a48dcceab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 18:41:31 +0800 +Subject: crypto: marvell/cesa - Handle zero-length skcipher requests + +From: Herbert Xu + +[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ] + +Do not access random memory for zero-length skcipher requests. +Just return 0. + +Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/cipher.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/marvell/cipher.c b/drivers/crypto/marvell/cipher.c +index c7d433d1cd99d..f92f86c94bff7 100644 +--- a/drivers/crypto/marvell/cipher.c ++++ b/drivers/crypto/marvell/cipher.c +@@ -447,6 +447,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req, + struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req); + struct mv_cesa_engine *engine; + ++ if (!req->cryptlen) ++ return 0; ++ + ret = mv_cesa_skcipher_req_init(req, tmpl); + if (ret) + return ret; +-- +2.39.5 + diff --git a/queue-5.4/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch b/queue-5.4/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch new file mode 100644 index 0000000000..63908e606a --- /dev/null +++ b/queue-5.4/do_change_type-refuse-to-operate-on-unmounted-not-ou.patch 
@@ -0,0 +1,40 @@ +From baeba9d3daa479f2d188d57778b30bc0b534eb6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 12:27:08 -0400 +Subject: do_change_type(): refuse to operate on unmounted/not ours mounts + +From: Al Viro + +[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ] + +Ensure that propagation settings can only be changed for mounts located +in the caller's mount namespace. This change aligns permission checking +with the rest of mount(2). + +Reviewed-by: Christian Brauner +Fixes: 07b20889e305 ("beginning of the shared-subtree proper") +Reported-by: "Orlando, Noah" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/namespace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index a5cb608778b1e..8a35144897686 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2246,6 +2246,10 @@ static int do_change_type(struct path *path, int ms_flags) + return -EINVAL; + + namespace_lock(); ++ if (!check_mnt(mnt)) { ++ err = -EINVAL; ++ goto out_unlock; ++ } + if (type == MS_SHARED) { + err = invent_group_ids(mnt, recurse); + if (err) +-- +2.39.5 + diff --git a/queue-5.4/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch b/queue-5.4/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch new file mode 100644 index 0000000000..8ce1676d33 --- /dev/null +++ b/queue-5.4/drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch 
@@ -0,0 +1,61 @@ +From 236302592e5b4b4df35b63ac7c10f9616e7d767b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Nov 2023 12:24:24 +0000 +Subject: drm: rcar-du: Fix memory leak in rcar_du_vsps_init() + +From: Biju Das + +[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ] + +The rcar_du_vsps_init() doesn't free the np allocated by +of_parse_phandle_with_fixed_args() for the non-error case. + +Fix memory leak for the non-error case. + +While at it, replace the label 'error'->'done' as it applies to non-error +case as well and update the error check condition for rcar_du_vsp_init() +to avoid breakage in future, if it returns positive value. + +Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP") +Signed-off-by: Biju Das +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +index 2dc9caee87670..97c5b137add80 100644 +--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +@@ -567,7 +567,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu) + ret = of_parse_phandle_with_fixed_args(np, "vsps", cells, i, + &args); + if (ret < 0) +- goto error; ++ goto done; + + /* + * Add the VSP to the list or update the corresponding existing +@@ -601,13 +601,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu) + vsp->dev = rcdu; + + ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask); +- if (ret < 0) +- goto error; ++ if (ret) ++ goto done; + } + +- return 0; +- +-error: ++done: + for (i = 0; i < ARRAY_SIZE(vsps); ++i) + of_node_put(vsps[i].np); + +-- +2.39.5 + 
diff --git a/queue-5.4/drm-tegra-rgb-fix-the-unbound-reference-count.patch b/queue-5.4/drm-tegra-rgb-fix-the-unbound-reference-count.patch new file mode 100644 index 0000000000..bf6dd0e409 --- /dev/null +++ b/queue-5.4/drm-tegra-rgb-fix-the-unbound-reference-count.patch 
@@ -0,0 +1,57 @@ +From d064fc861a756cbe0c230fdcda3217c3ffd305b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Feb 2025 11:21:35 +0000 +Subject: drm/tegra: rgb: Fix the unbound reference count + +From: Biju Das + +[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ] + +The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe, +but the driver does not decrement the refcount during unbind. Fix the +unbound reference count using devm_add_action_or_reset() helper. + +Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support") +Signed-off-by: Biju Das +Signed-off-by: Thierry Reding +Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c +index 4be4dfd4a68a3..a2168866f5520 100644 +--- a/drivers/gpu/drm/tegra/rgb.c ++++ b/drivers/gpu/drm/tegra/rgb.c +@@ -211,6 +211,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = { + .atomic_check = tegra_rgb_encoder_atomic_check, + }; + ++static void tegra_dc_of_node_put(void *data) ++{ ++ of_node_put(data); ++} ++ + int tegra_dc_rgb_probe(struct tegra_dc *dc) + { + struct device_node *np; +@@ -218,7 +223,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc) + int err; + + np = of_get_child_by_name(dc->dev->of_node, "rgb"); +- if (!np || !of_device_is_available(np)) ++ if (!np) ++ return -ENODEV; ++ ++ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np); ++ if (err < 0) ++ return err; ++ ++ if (!of_device_is_available(np)) + return -ENODEV; + + rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL); +-- +2.39.5 + diff --git a/queue-5.4/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch b/queue-5.4/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch new file mode 100644 index 0000000000..d5f4b197a7 --- /dev/null 
+++ b/queue-5.4/drm-vkms-adjust-vkms_state-active_planes-allocation-.patch @@ -0,0 +1,44 @@ +From 3ccd032e8094609edf77790f9f835d2791862b18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 23:14:32 -0700 +Subject: drm/vkms: Adjust vkms_state->active_planes allocation type + +From: Kees Cook + +[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ] + +In preparation for making the kmalloc family of allocators type aware, +we need to make sure that the returned type from the allocation matches +the type of the variable being assigned. (Before, the allocator would +always return "void *", which can be implicitly cast to any pointer type.) + +The assigned type is "struct vkms_plane_state **", but the returned type +will be "struct drm_plane **". These are the same size (pointer size), but +the types don't match. Adjust the allocation type to match the assignment. + +Signed-off-by: Kees Cook +Reviewed-by: Louis Chauvet +Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking") +Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org +Signed-off-by: Louis Chauvet +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vkms/vkms_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c +index 8b01fae65f43b..1b797156cf874 100644 +--- a/drivers/gpu/drm/vkms/vkms_crtc.c ++++ b/drivers/gpu/drm/vkms/vkms_crtc.c +@@ -187,7 +187,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc, + i++; + } + +- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL); ++ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL); + if (!vkms_state->active_planes) + return -ENOMEM; + vkms_state->num_active_planes = i; +-- +2.39.5 + diff --git a/queue-5.4/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch b/queue-5.4/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch new file mode 100644 index 0000000000..1ac245d351 
--- /dev/null +++ b/queue-5.4/drm-vmwgfx-add-seqno-waiter-for-sync_files.patch 
@@ -0,0 +1,89 @@ +From 0e4b904fc0425be1eea9adaa7e5337d3d95c2575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Feb 2025 14:06:33 -0600 +Subject: drm/vmwgfx: Add seqno waiter for sync_files + +From: Ian Forbes + +[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ] + +Because sync_files are passive waiters they do not participate in +the processing of fences like the traditional vmw_fence_wait IOCTL. +If userspace exclusively uses sync_files for synchronization then +nothing in the kernel actually processes fence updates as interrupts +for fences are masked and ignored if the kernel does not indicate to the +SVGA device that there are active waiters. + +This oversight results in a bug where the entire GUI can freeze waiting +on a sync_file that will never be signalled as we've masked the interrupts +to signal its completion. This bug is incredibly racy as any process which +interacts with the fencing code via the 3D stack can process the stuck +fences on behalf of the stuck process causing it to run again. Even a +simple app like eglinfo is enough to resume the stuck process. Usually +this bug is seen at a login screen like GDM because there are no other +3D apps running. + +By adding a seqno waiter we re-enable interrupt based processing of the +dma_fences associated with the sync_file which is signalled as part of a +dma_fence_callback. + +This has likely been broken since it was initially added to the kernel in +2017 but has gone unnoticed until mutter recently started using sync_files +heavily over the course of 2024 as part of their explicit sync support. 
+ +Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support") +Signed-off-by: Ian Forbes +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +index 8db3b3ddbb644..0d29fe6f60358 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +@@ -3621,6 +3621,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv, + return 0; + } + ++/* ++ * DMA fence callback to remove a seqno_waiter ++ */ ++struct seqno_waiter_rm_context { ++ struct dma_fence_cb base; ++ struct vmw_private *dev_priv; ++}; ++ ++static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb) ++{ ++ struct seqno_waiter_rm_context *ctx = ++ container_of(cb, struct seqno_waiter_rm_context, base); ++ ++ vmw_seqno_waiter_remove(ctx->dev_priv); ++ kfree(ctx); ++} ++ + int vmw_execbuf_process(struct drm_file *file_priv, + struct vmw_private *dev_priv, + void __user *user_commands, void *kernel_commands, +@@ -3814,6 +3831,15 @@ int vmw_execbuf_process(struct drm_file *file_priv, + } else { + /* Link the fence with the FD created earlier */ + fd_install(out_fence_fd, sync_file->file); ++ struct seqno_waiter_rm_context *ctx = ++ kmalloc(sizeof(*ctx), GFP_KERNEL); ++ ctx->dev_priv = dev_priv; ++ vmw_seqno_waiter_add(dev_priv); ++ if (dma_fence_add_callback(&fence->base, &ctx->base, ++ seqno_waiter_rm_cb) < 0) { ++ vmw_seqno_waiter_remove(dev_priv); ++ kfree(ctx); ++ } + } + } + +-- +2.39.5 + diff --git a/queue-5.4/edac-skx_common-fix-general-protection-fault.patch b/queue-5.4/edac-skx_common-fix-general-protection-fault.patch new file mode 100644 index 0000000000..ea78bd35ad --- /dev/null 
+++ b/queue-5.4/edac-skx_common-fix-general-protection-fault.patch 
@@ -0,0 +1,68 @@ +From 5bb82fe8b7844ad064802a97fe7d7bdc74e62ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 23:07:18 +0800 +Subject: EDAC/skx_common: Fix general protection fault + +From: Qiuxu Zhuo + +[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ] + +After loading i10nm_edac (which automatically loads skx_edac_common), if +unload only i10nm_edac, then reload it and perform error injection testing, +a general protection fault may occur: + + mce: [Hardware Error]: Machine check events logged + Oops: general protection fault ... + ... + Workqueue: events mce_gen_pool_process + RIP: 0010:string+0x53/0xe0 + ... + Call Trace: + + ? die_addr+0x37/0x90 + ? exc_general_protection+0x1e7/0x3f0 + ? asm_exc_general_protection+0x26/0x30 + ? string+0x53/0xe0 + vsnprintf+0x23e/0x4c0 + snprintf+0x4d/0x70 + skx_adxl_decode+0x16a/0x330 [skx_edac_common] + skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common] + skx_mce_check_error+0x17/0x20 [skx_edac_common] + ... + +The issue arose was because the variable 'adxl_component_count' (inside +skx_edac_common), which counts the ADXL components, was not reset. During +the reloading of i10nm_edac, the count was incremented by the actual number +of ADXL components again, resulting in a count that was double the real +number of ADXL components. This led to an out-of-bounds reference to the +ADXL component array, causing the general protection fault above. + +Fix this issue by resetting the 'adxl_component_count' in adxl_put(), +which is called during the unloading of {skx,i10nm}_edac. 
+ +Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module") +Reported-by: Feng Xu +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Feng Xu +Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/skx_common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c +index b298b189bdf35..37d76d591745c 100644 +--- a/drivers/edac/skx_common.c ++++ b/drivers/edac/skx_common.c +@@ -112,6 +112,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get); + + void skx_adxl_put(void) + { ++ adxl_component_count = 0; + kfree(adxl_values); + kfree(adxl_msg); + } +-- +2.39.5 + diff --git a/queue-5.4/f2fs-clean-up-w-fscrypt_is_bounce_page.patch b/queue-5.4/f2fs-clean-up-w-fscrypt_is_bounce_page.patch new file mode 100644 index 0000000000..12b7e8a0be --- /dev/null +++ b/queue-5.4/f2fs-clean-up-w-fscrypt_is_bounce_page.patch @@ -0,0 +1,34 @@ +From ebebb3e3871c9290bae2aad3c7a30a6b40f7469f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Apr 2025 18:52:36 +0800 +Subject: f2fs: clean up w/ fscrypt_is_bounce_page() + +From: Chao Yu + +[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ] + +Just cleanup, no logic changes. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 8f78050c935d7..e7aa23f098470 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -37,7 +37,7 @@ static bool __is_cp_guaranteed(struct page *page) + struct inode *inode; + struct f2fs_sb_info *sbi; + +- if (!mapping) ++ if (fscrypt_is_bounce_page(page)) + return false; + + inode = mapping->host; +-- +2.39.5 + diff --git a/queue-5.4/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch b/queue-5.4/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch new file mode 100644 index 0000000000..5471c90be6 
--- /dev/null +++ b/queue-5.4/f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch @@ -0,0 +1,36 @@ +From d137d7f4703a857883f834ffce6eeb9aba323103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 16:45:49 +0800 +Subject: f2fs: fix to correct check conditions in f2fs_cross_rename + +From: Zhiguo Niu + +[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ] + +Should be "old_dir" here. + +Fixes: 5c57132eaf52 ("f2fs: support project quota") +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index e74e5d2570ef6..d9b7bfb682a89 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -1067,7 +1067,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(new_dir)->i_projid, + F2FS_I(old_inode)->i_projid)) || +- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && ++ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(old_dir)->i_projid, + F2FS_I(new_inode)->i_projid))) + return -EXDEV; +-- +2.39.5 + diff --git a/queue-5.4/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch b/queue-5.4/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch new file mode 100644 index 0000000000..e0ae356fbb --- /dev/null +++ b/queue-5.4/f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch 
@@ -0,0 +1,76 @@ +From 2369dbc40a3bf703abc13c38a3e19e1273941f6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Apr 2025 20:22:08 +0800 +Subject: f2fs: fix to do sanity check on sbi->total_valid_block_count + +From: Chao Yu + +[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ] + +syzbot reported a f2fs bug as below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/f2fs.h:2521! +RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 +Call Trace: + f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 + truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 + truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 + f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197 + f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810 + f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838 + f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888 + f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112 + notify_change+0xbca/0xe90 fs/attr.c:552 + do_truncate+0x222/0x310 fs/open.c:65 + handle_truncate fs/namei.c:3466 [inline] + do_open fs/namei.c:3849 [inline] + path_openat+0x2e4f/0x35d0 fs/namei.c:4004 + do_filp_open+0x284/0x4e0 fs/namei.c:4031 + do_sys_openat2+0x12b/0x1d0 fs/open.c:1429 + do_sys_open fs/open.c:1444 [inline] + __do_sys_creat fs/open.c:1522 [inline] + __se_sys_creat fs/open.c:1516 [inline] + __x64_sys_creat+0x124/0x170 fs/open.c:1516 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 + +The reason is: in fuzzed image, sbi->total_valid_block_count is +inconsistent w/ mapped blocks indexed by inode, so, we should +not trigger panic for such case, instead, let's print log and +set fsck flag. 
+ +Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure") +Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 44c849bebd2ef..1b8f41daddbaa 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1867,8 +1867,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi, + blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK; + + spin_lock(&sbi->stat_lock); +- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count); +- sbi->total_valid_block_count -= (block_t)count; ++ if (unlikely(sbi->total_valid_block_count < count)) { ++ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u", ++ sbi->total_valid_block_count, inode->i_ino, count); ++ sbi->total_valid_block_count = 0; ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ } else { ++ sbi->total_valid_block_count -= count; ++ } + if (sbi->reserved_blocks && + sbi->current_reserved_blocks < sbi->reserved_blocks) + sbi->current_reserved_blocks = min(sbi->reserved_blocks, +-- +2.39.5 + diff --git a/queue-5.4/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch b/queue-5.4/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch new file mode 100644 index 0000000000..7ff707593c --- /dev/null +++ b/queue-5.4/f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch 
@@ -0,0 +1,74 @@ +From 43c6528f38d56f6b712e0fca1677f87c045fb180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 16:45:48 +0800 +Subject: f2fs: use d_inode(dentry) cleanup dentry->d_inode + +From: Zhiguo Niu + +[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ] + +no logic changes. + +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/namei.c | 8 ++++---- + fs/f2fs/super.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c +index 99a91c746b399..e74e5d2570ef6 100644 +--- a/fs/f2fs/namei.c ++++ b/fs/f2fs/namei.c +@@ -329,7 +329,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir, + + if (is_inode_flag_set(dir, FI_PROJ_INHERIT) && + (!projid_eq(F2FS_I(dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid))) ++ F2FS_I(inode)->i_projid))) + return -EXDEV; + + err = dquot_initialize(dir); +@@ -869,7 +869,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry, + + if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + (!projid_eq(F2FS_I(new_dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid))) ++ F2FS_I(old_inode)->i_projid))) + return -EXDEV; + + if (flags & RENAME_WHITEOUT) { +@@ -1066,10 +1066,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, + + if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(new_dir)->i_projid, +- F2FS_I(old_dentry->d_inode)->i_projid)) || ++ F2FS_I(old_inode)->i_projid)) || + (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && + !projid_eq(F2FS_I(old_dir)->i_projid, +- F2FS_I(new_dentry->d_inode)->i_projid))) ++ F2FS_I(new_inode)->i_projid))) + return -EXDEV; + + err = dquot_initialize(old_dir); +diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c +index da51474596eff..d4ba9ad16a137 100644 +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1342,9 +1342,9 @@ static int f2fs_statfs(struct dentry 
*dentry, struct kstatfs *buf) + buf->f_fsid.val[1] = (u32)(id >> 32); + + #ifdef CONFIG_QUOTA +- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) && ++ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) && + sb_has_quota_limits_enabled(sb, PRJQUOTA)) { +- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf); ++ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf); + } + #endif + return 0; +-- +2.39.5 + diff --git a/queue-5.4/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch b/queue-5.4/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch new file mode 100644 index 0000000000..93fe524cda --- /dev/null +++ b/queue-5.4/fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch 
@@ -0,0 +1,42 @@ +From 8368e8caa2731d2d5cb2699714573ef2dd2a4f98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 May 2025 23:35:58 +0300 +Subject: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() + +From: Sergey Shtylyov + +[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ] + +In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, +cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's +then passed to fb_cvt_hperiod(), where it's used as a divider -- division +by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to +avoid such overflow... + +Found by Linux Verification Center (linuxtesting.org) with the Svace static +analysis tool. + +Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbcvt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c +index 64843464c6613..cd3821bd82e56 100644 +--- a/drivers/video/fbdev/core/fbcvt.c ++++ b/drivers/video/fbdev/core/fbcvt.c +@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb) + cvt.f_refresh = cvt.refresh; + cvt.interlace = 1; + +- if (!cvt.xres || !cvt.yres || !cvt.refresh) { ++ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) { + printk(KERN_INFO "fbcvt: Invalid input parameters\n"); + return 1; + } +-- +2.39.5 + diff --git a/queue-5.4/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch b/queue-5.4/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch new file mode 100644 index 0000000000..94d8f3ffab --- /dev/null +++ b/queue-5.4/firmware-psci-fix-refcount-leak-in-psci_dt_init.patch 
@@ -0,0 +1,42 @@ +From 965356e766e11747649f295c16ed6f89c8340901 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Mar 2025 23:17:12 +0800 +Subject: firmware: psci: Fix refcount leak in psci_dt_init + +From: Miaoqian Lin + +[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ] + +Fix a reference counter leak in psci_dt_init() where of_node_put(np) was +missing after of_find_matching_node_and_match() when np is unavailable. + +Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled") +Signed-off-by: Miaoqian Lin +Reviewed-by: Gavin Shan +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/firmware/psci/psci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c +index eb797081d1596..f1926972b2670 100644 +--- a/drivers/firmware/psci/psci.c ++++ b/drivers/firmware/psci/psci.c +@@ -573,8 +573,10 @@ int __init psci_dt_init(void) + + np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np); + +- if (!np || !of_device_is_available(np)) ++ if (!np || !of_device_is_available(np)) { ++ of_node_put(np); + return -ENODEV; ++ } + + init_fn = (psci_initcall_t)matched_np->data; + ret = init_fn(np); +-- +2.39.5 + diff --git a/queue-5.4/gfs2-gfs2_create_inode-error-handling-fix.patch b/queue-5.4/gfs2-gfs2_create_inode-error-handling-fix.patch new file mode 100644 index 0000000000..a62390ccba --- /dev/null +++ b/queue-5.4/gfs2-gfs2_create_inode-error-handling-fix.patch 
@@ -0,0 +1,35 @@ +From f4145b7bdff4b784441ead9779c5364b34eed6f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Apr 2025 16:40:58 +0200 +Subject: gfs2: gfs2_create_inode error handling fix + +From: Andreas Gruenbacher + +[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ] + +When gfs2_create_inode() finds a directory, make sure to return -EISDIR. + +Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c +index 4e0c933e08002..496449fccc828 100644 +--- a/fs/gfs2/inode.c ++++ b/fs/gfs2/inode.c +@@ -616,7 +616,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, + if (!IS_ERR(inode)) { + if (S_ISDIR(inode->i_mode)) { + iput(inode); +- inode = ERR_PTR(-EISDIR); ++ inode = NULL; ++ error = -EISDIR; + goto fail_gunlock; + } + d_instantiate(dentry, inode); +-- +2.39.5 + diff --git a/queue-5.4/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch b/queue-5.4/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch new file mode 100644 index 0000000000..60676a663d --- /dev/null +++ b/queue-5.4/ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch 
@@ -0,0 +1,72 @@ +From ef3e368ae76816be703bb168ea66fee7307a6556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 May 2025 12:55:28 +0200 +Subject: ice: create new Tx scheduler nodes for new queues only + +From: Michal Kubiak + +[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ] + +The current implementation of the Tx scheduler tree attempts +to create nodes for all Tx queues, ignoring the fact that some +queues may already exist in the tree. For example, if the VSI +already has 128 Tx queues and the user requests for 16 new queues, +the Tx scheduler will compute the tree for 272 queues (128 existing +queues + 144 new queues), instead of 144 queues (128 existing queues +and 16 new queues). +Fix that by modifying the node count calculation algorithm to skip +the queues that already exist in the tree. + +Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support") +Reviewed-by: Dawid Osuchowski +Reviewed-by: Przemek Kitszel +Reviewed-by: Jacob Keller +Signed-off-by: Michal Kubiak +Reviewed-by: Simon Horman +Tested-by: Jesse Brandeburg +Tested-by: Saritha Sanigani (A Contingent Worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c +index d1c0ccee879bc..c6c96d3ee9cce 100644 +--- a/drivers/net/ethernet/intel/ice/ice_sched.c ++++ b/drivers/net/ethernet/intel/ice/ice_sched.c +@@ -1188,16 +1188,16 @@ ice_sched_get_vsi_node(struct ice_hw *hw, struct ice_sched_node *tc_node, + /** + * ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes + * @hw: pointer to the HW struct +- * @num_qs: number of queues ++ * @num_new_qs: number of new queues that will be added to the tree + * @num_nodes: num nodes array + * + * This function calculates the number of VSI child nodes based on the + * 
number of queues. + */ + static void +-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes) ++ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes) + { +- u16 num = num_qs; ++ u16 num = num_new_qs; + u8 i, qgl, vsil; + + qgl = ice_sched_get_qgrp_layer(hw); +@@ -1438,8 +1438,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle, + if (status) + return status; + +- if (new_numqs) +- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes); ++ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs, ++ new_num_nodes); ++ + /* Keep the max number of queue configuration all the time. Update the + * tree only if number of queues > previous number of queues. This may + * leave some extra nodes in the tree if number of queues < previous +-- +2.39.5 + diff --git a/queue-5.4/ktls-sockmap-fix-missing-uncharge-operation.patch b/queue-5.4/ktls-sockmap-fix-missing-uncharge-operation.patch new file mode 100644 index 0000000000..83d823b75a --- /dev/null +++ b/queue-5.4/ktls-sockmap-fix-missing-uncharge-operation.patch 
@@ -0,0 +1,59 @@ +From 141fd22f470846ed28b636a51bb8c405ffb861d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Apr 2025 13:59:57 +0800 +Subject: ktls, sockmap: Fix missing uncharge operation + +From: Jiayuan Chen + +[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ] + +When we specify apply_bytes, we divide the msg into multiple segments, +each with a length of 'send', and every time we send this part of the data +using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the +memory of the specified 'send' size. + +However, if the first segment of data fails to send, for example, the +peer's buffer is full, we need to release all of the msg. When releasing +the msg, we haven't uncharged the memory of the subsequent segments. + +This modification does not make significant logical changes, but only +fills in the missing uncharge places. + +This issue has existed all along, until it was exposed after we added the +apply test in test_sockmap: +commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap") + +Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") +Reported-by: Cong Wang +Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Acked-by: John Fastabend +Reviewed-by: Cong Wang +Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev +Signed-off-by: Sasha Levin +--- + net/tls/tls_sw.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c +index 03f608da594e5..432bce3293923 100644 +--- a/net/tls/tls_sw.c ++++ b/net/tls/tls_sw.c +@@ -856,6 +856,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk, + err = tcp_bpf_sendmsg_redir(sk_redir, &msg_redir, send, flags); + lock_sock(sk); + if (err < 0) { ++ /* Regardless of whether the data represented by ++ * msg_redir is sent successfully, we have already ++ * 
uncharged it via sk_msg_return_zero(). The ++ * msg->sg.size represents the remaining unprocessed ++ * data, which needs to be uncharged here. ++ */ ++ sk_mem_uncharge(sk, msg->sg.size); + *copied -= sk_msg_free_nocharge(sk, &msg_redir); + msg->sg.size = 0; + } +-- +2.39.5 + diff --git a/queue-5.4/m68k-mac-fix-macintosh_config-for-mac-ii.patch b/queue-5.4/m68k-mac-fix-macintosh_config-for-mac-ii.patch new file mode 100644 index 0000000000..03017f0c3d --- /dev/null +++ b/queue-5.4/m68k-mac-fix-macintosh_config-for-mac-ii.patch 
@@ -0,0 +1,46 @@ +From e92da7be6bdb1bf074a4d6d8560f41022dc5c1f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 10:07:26 +1000 +Subject: m68k: mac: Fix macintosh_config for Mac II + +From: Finn Thain + +[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ] + +When booted on my Mac II, the kernel prints this: + + Detected Macintosh model: 6 + Apple Macintosh Unknown + +The catch-all entry ("Unknown") is mac_data_table[0] which is only needed +in the unlikely event that the bootinfo model ID can't be matched. +When model ID is 6, the search should begin and end at mac_data_table[1]. +Fix the off-by-one error that causes this problem. + +Cc: Joshua Thompson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/mac/config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c +index d0126ab01360b..41041c4422331 100644 +--- a/arch/m68k/mac/config.c ++++ b/arch/m68k/mac/config.c +@@ -804,7 +804,7 @@ static void __init mac_identify(void) + } + + macintosh_config = mac_data_table; +- for (m = macintosh_config; m->ident != -1; m++) { ++ for (m = &mac_data_table[1]; m->ident != -1; m++) { + if (m->ident == model) { + macintosh_config = m; + break; +-- +2.39.5 + diff --git a/queue-5.4/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch b/queue-5.4/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch new file mode 100644 index 0000000000..6441be3750 --- /dev/null +++ b/queue-5.4/mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch 
@@ -0,0 +1,38 @@ +From 7926778662e444a73a89fd2dec80707d1658fd00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 17:00:34 +0200 +Subject: mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in + exynos_lpass_remove() + +From: Christophe JAILLET + +[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ] + +exynos_lpass_disable() is called twice in the remove function. Remove +one of these calls. + +Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/exynos-lpass.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c +index 99bd0e73c19c3..ffda3445d1c0f 100644 +--- a/drivers/mfd/exynos-lpass.c ++++ b/drivers/mfd/exynos-lpass.c +@@ -144,7 +144,6 @@ static int exynos_lpass_remove(struct platform_device *pdev) + { + struct exynos_lpass *lpass = platform_get_drvdata(pdev); + +- exynos_lpass_disable(lpass); + pm_runtime_disable(&pdev->dev); + if (!pm_runtime_status_suspended(&pdev->dev)) + exynos_lpass_disable(lpass); +-- +2.39.5 + diff --git a/queue-5.4/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch b/queue-5.4/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch new file mode 100644 index 0000000000..207fb3228e --- /dev/null +++ b/queue-5.4/mfd-stmpe-spi-correct-the-name-used-in-module_device.patch 
@@ -0,0 +1,40 @@ +From b777fb3f1bbcb8d306ea5c14f2da0947ce76be86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Apr 2025 18:16:32 +0200 +Subject: mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE + +From: Alexey Gladkov + +[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ] + +The name used in the macro does not exist. + +drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id' + 132 | MODULE_DEVICE_TABLE(spi, stmpe_id); + +Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface") +Signed-off-by: Alexey Gladkov +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/stmpe-spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c +index 7351734f75938..07fa56e5337d1 100644 +--- a/drivers/mfd/stmpe-spi.c ++++ b/drivers/mfd/stmpe-spi.c +@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = { + { "stmpe2403", STMPE2403 }, + { } + }; +-MODULE_DEVICE_TABLE(spi, stmpe_id); ++MODULE_DEVICE_TABLE(spi, stmpe_spi_id); + + static struct spi_driver stmpe_spi_driver = { + .driver = { +-- +2.39.5 + diff --git a/queue-5.4/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch b/queue-5.4/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch new file mode 100644 index 0000000000..f682fca2ea --- /dev/null +++ b/queue-5.4/net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch 
@@ -0,0 +1,47 @@ +From b143e4489e049e644fddce8e42ed86f3f0563e83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 11:00:47 +0530 +Subject: net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy + +From: Thangaraj Samynathan + +[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ] + +rename the function to lan743x_hw_reset_phy to better describe it +operation. + +Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver") +Signed-off-by: Thangaraj Samynathan +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan743x_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c +index a69a34d93ad62..22e1143c58467 100644 +--- a/drivers/net/ethernet/microchip/lan743x_main.c ++++ b/drivers/net/ethernet/microchip/lan743x_main.c +@@ -912,7 +912,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu) + } + + /* PHY */ +-static int lan743x_phy_reset(struct lan743x_adapter *adapter) ++static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter) + { + u32 data; + +@@ -946,7 +946,7 @@ static void lan743x_phy_update_flowcontrol(struct lan743x_adapter *adapter, + + static int lan743x_phy_init(struct lan743x_adapter *adapter) + { +- return lan743x_phy_reset(adapter); ++ return lan743x_hw_reset_phy(adapter); + } + + static void lan743x_phy_link_status_change(struct net_device *netdev) +-- +2.39.5 + diff --git a/queue-5.4/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch b/queue-5.4/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch new file mode 100644 index 0000000000..9578f11a3d --- /dev/null +++ b/queue-5.4/net-mlx4_en-prevent-potential-integer-overflow-calcu.patch 
@@ -0,0 +1,41 @@ +From 7456a58b67d3e7837ebac367fedba5d76e936f67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 May 2025 11:11:09 +0300 +Subject: net/mlx4_en: Prevent potential integer overflow calculating Hz + +From: Dan Carpenter + +[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ] + +The "freq" variable is in terms of MHz and "max_val_cycles" is in terms +of Hz. The fact that "max_val_cycles" is a u64 suggests that support +for high frequency is intended but the "freq_khz * 1000" would overflow +the u32 type if we went above 4GHz. Use unsigned long long type for the +mutliplication to prevent that. + +Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency") +Signed-off-by: Dan Carpenter +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +index 024788549c256..060698b0c65cc 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c +@@ -251,7 +251,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = { + static u32 freq_to_shift(u16 freq) + { + u32 freq_khz = freq * 1000; +- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC; ++ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC; + u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1); + /* calculate max possible multiplier in order to fit in 64bit */ + u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded); +-- +2.39.5 + diff --git a/queue-5.4/net-ncsi-fix-gcps-64-bit-member-variables.patch b/queue-5.4/net-ncsi-fix-gcps-64-bit-member-variables.patch new file mode 100644 index 0000000000..212a5ae8f1 --- /dev/null 
+++ b/queue-5.4/net-ncsi-fix-gcps-64-bit-member-variables.patch 
@@ -0,0 +1,161 @@ +From ca5477a762682e91f57198ba0cc250e91ed2f279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 18:23:08 -0700 +Subject: net: ncsi: Fix GCPS 64-bit member variables + +From: Hari Kalavakunta + +[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ] + +Correct Get Controller Packet Statistics (GCPS) 64-bit wide member +variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently +collects these stats, but they are yet to be exposed to the user. +Therefore, no user impact. + +Statistics fixes: +Total Bytes Received (byte range 28..35) +Total Bytes Transmitted (byte range 36..43) +Total Unicast Packets Received (byte range 44..51) +Total Multicast Packets Received (byte range 52..59) +Total Broadcast Packets Received (byte range 60..67) +Total Unicast Packets Transmitted (byte range 68..75) +Total Multicast Packets Transmitted (byte range 76..83) +Total Broadcast Packets Transmitted (byte range 84..91) +Valid Bytes Received (byte range 204..11) + +Signed-off-by: Hari Kalavakunta +Reviewed-by: Paul Fertser +Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 21 ++++++++++----------- + net/ncsi/ncsi-pkt.h | 23 +++++++++++------------ + net/ncsi/ncsi-rsp.c | 21 ++++++++++----------- + 3 files changed, 31 insertions(+), 34 deletions(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index 1dde6dc841b88..b723452768d48 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -119,16 +119,15 @@ struct ncsi_channel_vlan_filter { + }; + + struct ncsi_channel_stats { +- u32 hnc_cnt_hi; /* Counter cleared */ +- u32 hnc_cnt_lo; /* Counter cleared */ +- u32 hnc_rx_bytes; /* Rx bytes */ +- u32 hnc_tx_bytes; /* Tx bytes */ +- u32 hnc_rx_uc_pkts; /* Rx UC packets */ +- u32 hnc_rx_mc_pkts; /* Rx MC packets */ +- u32 hnc_rx_bc_pkts; /* Rx BC packets */ +- u32 hnc_tx_uc_pkts; /* Tx UC packets */ 
+- u32 hnc_tx_mc_pkts; /* Tx MC packets */ +- u32 hnc_tx_bc_pkts; /* Tx BC packets */ ++ u64 hnc_cnt; /* Counter cleared */ ++ u64 hnc_rx_bytes; /* Rx bytes */ ++ u64 hnc_tx_bytes; /* Tx bytes */ ++ u64 hnc_rx_uc_pkts; /* Rx UC packets */ ++ u64 hnc_rx_mc_pkts; /* Rx MC packets */ ++ u64 hnc_rx_bc_pkts; /* Rx BC packets */ ++ u64 hnc_tx_uc_pkts; /* Tx UC packets */ ++ u64 hnc_tx_mc_pkts; /* Tx MC packets */ ++ u64 hnc_tx_bc_pkts; /* Tx BC packets */ + u32 hnc_fcs_err; /* FCS errors */ + u32 hnc_align_err; /* Alignment errors */ + u32 hnc_false_carrier; /* False carrier detection */ +@@ -157,7 +156,7 @@ struct ncsi_channel_stats { + u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */ + u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */ + u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */ +- u32 hnc_rx_valid_bytes; /* Rx valid bytes */ ++ u64 hnc_rx_valid_bytes; /* Rx valid bytes */ + u32 hnc_rx_runt_pkts; /* Rx error runt packets */ + u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */ + u32 ncsi_rx_cmds; /* Rx NCSI commands */ +diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h +index 3fbea7e74fb1c..2729581360ec9 100644 +--- a/net/ncsi/ncsi-pkt.h ++++ b/net/ncsi/ncsi-pkt.h +@@ -246,16 +246,15 @@ struct ncsi_rsp_gp_pkt { + /* Get Controller Packet Statistics */ + struct ncsi_rsp_gcps_pkt { + struct ncsi_rsp_pkt_hdr rsp; /* Response header */ +- __be32 cnt_hi; /* Counter cleared */ +- __be32 cnt_lo; /* Counter cleared */ +- __be32 rx_bytes; /* Rx bytes */ +- __be32 tx_bytes; /* Tx bytes */ +- __be32 rx_uc_pkts; /* Rx UC packets */ +- __be32 rx_mc_pkts; /* Rx MC packets */ +- __be32 rx_bc_pkts; /* Rx BC packets */ +- __be32 tx_uc_pkts; /* Tx UC packets */ +- __be32 tx_mc_pkts; /* Tx MC packets */ +- __be32 tx_bc_pkts; /* Tx BC packets */ ++ __be64 cnt; /* Counter cleared */ ++ __be64 rx_bytes; /* Rx bytes */ ++ __be64 tx_bytes; /* Tx bytes */ ++ __be64 rx_uc_pkts; /* Rx UC packets */ ++ __be64 rx_mc_pkts; /* Rx MC packets */ ++ __be64 rx_bc_pkts; /* 
Rx BC packets */ ++ __be64 tx_uc_pkts; /* Tx UC packets */ ++ __be64 tx_mc_pkts; /* Tx MC packets */ ++ __be64 tx_bc_pkts; /* Tx BC packets */ + __be32 fcs_err; /* FCS errors */ + __be32 align_err; /* Alignment errors */ + __be32 false_carrier; /* False carrier detection */ +@@ -284,11 +283,11 @@ struct ncsi_rsp_gcps_pkt { + __be32 tx_1023_frames; /* Tx 512-1023 bytes frames */ + __be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */ + __be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */ +- __be32 rx_valid_bytes; /* Rx valid bytes */ ++ __be64 rx_valid_bytes; /* Rx valid bytes */ + __be32 rx_runt_pkts; /* Rx error runt packets */ + __be32 rx_jabber_pkts; /* Rx error jabber packets */ + __be32 checksum; /* Checksum */ +-}; ++} __packed __aligned(4); + + /* Get NCSI Statistics */ + struct ncsi_rsp_gns_pkt { +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index 876622e9a5b2b..b7d311f979051 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -931,16 +931,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr) + + /* Update HNC's statistics */ + ncs = &nc->stats; +- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi); +- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo); +- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes); +- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes); +- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts); +- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts); +- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts); +- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts); +- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts); +- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts); ++ ncs->hnc_cnt = be64_to_cpu(rsp->cnt); ++ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes); ++ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes); ++ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts); ++ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts); ++ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts); ++ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts); ++ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts); ++ 
ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts); + ncs->hnc_fcs_err = ntohl(rsp->fcs_err); + ncs->hnc_align_err = ntohl(rsp->align_err); + ncs->hnc_false_carrier = ntohl(rsp->false_carrier); +@@ -969,7 +968,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr) + ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames); + ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames); + ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames); +- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes); ++ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes); + ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts); + ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts); + +-- +2.39.5 + diff --git a/queue-5.4/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch b/queue-5.4/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch new file mode 100644 index 0000000000..c3848745a4 --- /dev/null +++ b/queue-5.4/net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch 
@@ -0,0 +1,106 @@ +From e3dfc0666c8601e7a6ad48aecce34c8e3ae87125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 May 2025 14:32:39 +0300 +Subject: net: usb: aqc111: fix error handling of usbnet read calls + +From: Nikita Zhandarovich + +[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ] + +Syzkaller, courtesy of syzbot, identified an error (see report [1]) in +aqc111 driver, caused by incomplete sanitation of usb read calls' +results. This problem is quite similar to the one fixed in commit +920a9fa27e78 ("net: asix: add proper error handling of usb read errors"). + +For instance, usbnet_read_cmd() may read fewer than 'size' bytes, +even if the caller expected the full amount, and aqc111_read_cmd() +will not check its result properly. As [1] shows, this may lead +to MAC address in aqc111_bind() being only partly initialized, +triggering KMSAN warnings. + +Fix the issue by verifying that the number of bytes read is +as expected and not less. + +[1] Partial syzbot report: +BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] +BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 + is_valid_ether_addr include/linux/etherdevice.h:208 [inline] + usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:-1 [inline] + really_probe+0x4d1/0xd90 drivers/base/dd.c:658 + __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 +... + +Uninit was stored to memory at: + dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582 + __dev_addr_set include/linux/netdevice.h:4874 [inline] + eth_hw_addr_set include/linux/etherdevice.h:325 [inline] + aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 +... 
+ +Uninit was stored to memory at: + ether_addr_copy include/linux/etherdevice.h:305 [inline] + aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline] + aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 + call_driver_probe drivers/base/dd.c:-1 [inline] +... + +Local variable buf.i created at: + aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline] + aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713 + usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 + +Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b +Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com +Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address") +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/aqc111.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c +index b958e00058820..44bf74b23c0f3 100644 +--- a/drivers/net/usb/aqc111.c ++++ b/drivers/net/usb/aqc111.c +@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value, + ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, data, size); + +- if (unlikely(ret < 0)) ++ if (unlikely(ret < size)) { ++ ret = ret < 0 ? 
ret : -ENODATA; ++ + netdev_warn(dev->net, + "Failed to read(0x%x) reg index 0x%04x: %d\n", + cmd, index, ret); ++ } + + return ret; + } +@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value, + ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, data, size); + +- if (unlikely(ret < 0)) ++ if (unlikely(ret < size)) { ++ ret = ret < 0 ? ret : -ENODATA; ++ + netdev_warn(dev->net, + "Failed to read(0x%x) reg index 0x%04x: %d\n", + cmd, index, ret); ++ } + + return ret; + } +-- +2.39.5 + diff --git a/queue-5.4/netfilter-bridge-move-specific-fragmented-packet-to-.patch b/queue-5.4/netfilter-bridge-move-specific-fragmented-packet-to-.patch new file mode 100644 index 0000000000..0e422d7f75 --- /dev/null +++ b/queue-5.4/netfilter-bridge-move-specific-fragmented-packet-to-.patch 
@@ -0,0 +1,96 @@ +From 600e8502fb07c2309b78e29cf82c3d9b9b22f259 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Apr 2025 17:29:53 +0800 +Subject: netfilter: bridge: Move specific fragmented packet to slow_path + instead of dropping it + +From: Huajian Yang + +[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ] + +The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for +fragmented packets. + +The original bridge does not know that it is a fragmented packet and +forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function +nf_br_ip_fragment and br_ip6_fragment will check the headroom. + +In original br_forward, insufficient headroom of skb may indeed exist, +but there's still a way to save the skb in the device driver after +dev_queue_xmit.So droping the skb will change the original bridge +forwarding in some cases. + +Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system") +Signed-off-by: Huajian Yang +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------ + net/ipv6/netfilter.c | 12 ++++++------ + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c +index d14b2dbbd1dfb..abf0c9460ddf3 100644 +--- a/net/bridge/netfilter/nf_conntrack_bridge.c ++++ b/net/bridge/netfilter/nf_conntrack_bridge.c +@@ -59,19 +59,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk, + struct ip_fraglist_iter iter; + struct sk_buff *frag; + +- if (first_len - hlen > mtu || +- skb_headroom(skb) < ll_rs) ++ if (first_len - hlen > mtu) + goto blackhole; + +- if (skb_cloned(skb)) ++ if (skb_cloned(skb) || ++ skb_headroom(skb) < ll_rs) + goto slow_path; + + skb_walk_frags(skb, frag) { +- if (frag->len > mtu || +- skb_headroom(frag) < hlen + ll_rs) ++ if (frag->len > mtu) + goto blackhole; + +- if (skb_shared(frag)) ++ if 
(skb_shared(frag) || ++ skb_headroom(frag) < hlen + ll_rs) + goto slow_path; + } + +diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c +index ab9a279dd6d47..93e1af6c2dfb2 100644 +--- a/net/ipv6/netfilter.c ++++ b/net/ipv6/netfilter.c +@@ -155,20 +155,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + struct ip6_fraglist_iter iter; + struct sk_buff *frag2; + +- if (first_len - hlen > mtu || +- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) ++ if (first_len - hlen > mtu) + goto blackhole; + +- if (skb_cloned(skb)) ++ if (skb_cloned(skb) || ++ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr))) + goto slow_path; + + skb_walk_frags(skb, frag2) { +- if (frag2->len > mtu || +- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr))) ++ if (frag2->len > mtu) + goto blackhole; + + /* Partially cloned skb? */ +- if (skb_shared(frag2)) ++ if (skb_shared(frag2) || ++ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr))) + goto slow_path; + } + +-- +2.39.5 + diff --git a/queue-5.4/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch b/queue-5.4/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch new file mode 100644 index 0000000000..c49613352f --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch 
@@ -0,0 +1,80 @@ +From 638fb7d115867600b984974ec1e6acf9b504522c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 May 2025 11:38:47 +0200 +Subject: netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result + discrepancy + +From: Florian Westphal + +[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ] + +With a VRF, ipv4 and ipv6 FIB expression behave differently. + + fib daddr . iif oif + +Will return the input interface name for ipv4, but the real device +for ipv6. Example: + +If VRF device name is tvrf and real (incoming) device is veth0. +First round is ok, both ipv4 and ipv6 will yield 'veth0'. + +But in the second round (incoming device will be set to "tvrf"), ipv4 +will yield "tvrf" whereas ipv6 returns "veth0" for the second round too. + +This makes ipv6 behave like ipv4. + +A followup patch will add a test case for this, without this change +it will fail with: + get element inet t fibif6iif { tvrf . dead:1::99 . tvrf } + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif + +Alternatively we could either not do anything at all or change +ipv4 to also return the lower/real device, however, nft (userspace) +doc says "iif: if fib lookup provides a route then check its output +interface is identical to the packets input interface." which is what +the nft fib ipv4 behaviour is. 
+ +Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index 03dbd16f9ad53..018f01efeca5a 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -143,6 +143,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + { + const struct nft_fib *priv = nft_expr_priv(expr); + int noff = skb_network_offset(pkt->skb); ++ const struct net_device *found = NULL; + const struct net_device *oif = NULL; + u32 *dest = ®s->data[priv->dreg]; + struct ipv6hdr *iph, _iph; +@@ -182,11 +183,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) + goto put_rt_err; + +- if (oif && oif != rt->rt6i_idev->dev && +- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex) +- goto put_rt_err; ++ if (!oif) { ++ found = rt->rt6i_idev->dev; ++ } else { ++ if (oif == rt->rt6i_idev->dev || ++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex) ++ found = oif; ++ } + +- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev); ++ nft_fib_store_result(dest, priv, found); + put_rt_err: + ip6_rt_put(rt); + } +-- +2.39.5 + diff --git a/queue-5.4/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch b/queue-5.4/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch new file mode 100644 index 0000000000..9b5fd3a864 --- /dev/null +++ b/queue-5.4/nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch 
@@ -0,0 +1,56 @@ +From e9e72444efc45d0e4dbcf405232a5d297f287230 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 02:37:07 +0900 +Subject: nilfs2: add pointer check for nilfs_direct_propagate() + +From: Wentao Liang + +[ Upstream commit f43f02429295486059605997bc43803527d69791 ] + +Patch series "nilfs2: improve sanity checks in dirty state propagation". + +This fixes one missed check for block mapping anomalies and one improper +return of an error code during a preparation step for log writing, thereby +improving checking for filesystem corruption on writeback. + +This patch (of 2): + +In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr() +need to be checked to ensure it is not an invalid pointer. + +If the pointer value obtained by nilfs_direct_get_ptr() is +NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in +the nilfs_inode_info struct) that should point to the data block at the +buffer head of the argument is corrupted and the data block is orphaned, +meaning that the file system has lost consistency. + +Add a value check and return -EINVAL when it is an invalid pointer. 
+ +Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com +Fixes: 36a580eb489f ("nilfs2: direct block mapping") +Signed-off-by: Wentao Liang +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/direct.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c +index 7faf8c285d6c9..a72371cd6b956 100644 +--- a/fs/nilfs2/direct.c ++++ b/fs/nilfs2/direct.c +@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap, + dat = nilfs_bmap_get_dat(bmap); + key = nilfs_bmap_data_get_key(bmap, bh); + ptr = nilfs_direct_get_ptr(bmap, key); ++ if (ptr == NILFS_BMAP_INVALID_PTR) ++ return -EINVAL; ++ + if (!buffer_nilfs_volatile(bh)) { + oldreq.pr_entry_nr = ptr; + newreq.pr_entry_nr = ptr; +-- +2.39.5 + diff --git a/queue-5.4/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch b/queue-5.4/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch new file mode 100644 index 0000000000..f4f5aed16f --- /dev/null +++ b/queue-5.4/nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch 
@@ -0,0 +1,55 @@ +From 86bdfa98573a46ee0706d6d257ab21a85c970d87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 02:37:08 +0900 +Subject: nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() + +From: Ryusuke Konishi + +[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ] + +In preparation for writing logs, in nilfs_btree_propagate(), which makes +parent and ancestor node blocks dirty starting from a modified data block +or b-tree node block, if the starting block does not belong to the b-tree, +i.e. is isolated, nilfs_btree_do_lookup() called within the function +fails with -ENOENT. + +In this case, even though -ENOENT is an internal code, it is propagated to +the log writer via nilfs_bmap_propagate() and may be erroneously returned +to system calls such as fsync(). + +Fix this issue by changing the error code to -EINVAL in this case, and +having the bmap layer detect metadata corruption and convert the error +code appropriately. + +Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com +Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl") +Signed-off-by: Ryusuke Konishi +Cc: Wentao Liang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/btree.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c +index 7c9f4d79bdbc5..4a5e8495fa674 100644 +--- a/fs/nilfs2/btree.c ++++ b/fs/nilfs2/btree.c +@@ -2097,11 +2097,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree, + + ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0); + if (ret < 0) { +- if (unlikely(ret == -ENOENT)) ++ if (unlikely(ret == -ENOENT)) { + nilfs_crit(btree->b_inode->i_sb, + "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d", + btree->b_inode->i_ino, + (unsigned long long)key, level); ++ ret = -EINVAL; ++ } + goto out; + } + +-- +2.39.5 + 
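Review bot: in freq_to_shift() (drivers/net/ethernet/mellanox/mlx4/en_clock.c, the mlx4_en patch above), the overflow fix depends on operand order: `freq_khz * 1000ULL` is 64-bit only because the ULL constant takes part in the first multiplication, while freq_khz itself stays u32. Declaring freq_khz as u64 would keep the whole expression 64-bit even if the factors are later reordered or the suffix is dropped. A short comment stating the units of freq and freq_khz would also help, since the commit message describes "freq" as MHz and the next line derives kHz from it.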
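Review bot: in struct ncsi_rsp_gcps_pkt (net/ncsi/ncsi-pkt.h, the ncsi GCPS patch above), the new `__packed __aligned(4)` has no comment explaining why it is needed. The commit message places rx_valid_bytes at byte 204, which is not a multiple of 8, so a one-line comment that the attribute keeps the __be64 members at their wire offsets would stop someone removing it later. The struct also grows by 36 bytes (eight counters widened from 32 to 64 bits, plus rx_valid_bytes), while the ncsi-rsp.c hunks change only the assignments, so confirm that the expected GCPS payload length in the 5.4 tree covers the larger struct before ncsi_rsp_handler_gcps() reads these fields. The "byte range 204..11" entry in the commit message looks like a typo.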
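Review bot: in both aqc111_read_cmd_nopm() and aqc111_read_cmd() (drivers/net/usb/aqc111.c, the aqc111 patch above), `ret` is overwritten with -ENODATA before netdev_warn() runs, so a short read is logged only as -ENODATA and the number of bytes the device actually returned is lost. Logging the original return value together with the expected size would make a misbehaving device much easier to diagnose. The type of `size` is not visible in these hunks: if it were as wide as unsigned int, `ret < size` would convert a negative ret to a large unsigned value and skip the error branch, so confirm it is narrower than int.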
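Review bot: in nft_fib6_eval() (net/ipv6/netfilter/nft_fib_ipv6.c, the nft_fib_ipv6 patch above), when oif is set and matches neither rt->rt6i_idev->dev nor its l3mdev master, `found` stays NULL and execution now falls through to `nft_fib_store_result(dest, priv, found)` instead of taking the old `goto put_rt_err`. Confirm that nft_fib_store_result() in the 5.4 tree accepts a NULL device; otherwise this path needs an explicit `if (!found) goto put_rt_err;` before the store. The nested `else { if (...) }` could also be flattened to `else if`.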
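Review bot: in nilfs_btree_propagate(), the commit message says the bmap layer detects the corruption and converts the error code, but the diffstat shows only fs/nilfs2/btree.c changing, so this hunk relies on nilfs_bmap_propagate() already handling -EINVAL. For the 5.4 queue it is worth confirming that the conversion exists in the target tree; without it, -EINVAL simply replaces -ENOENT as the value that reaches the log writer and callers such as fsync(). A brief comment next to `ret = -EINVAL;` naming the function that performs the conversion would document the dependency.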
diff --git a/queue-5.4/perf-core-fix-broken-throttling-when-max_samples_per.patch b/queue-5.4/perf-core-fix-broken-throttling-when-max_samples_per.patch new file mode 100644 index 0000000000..1a286c0edc --- /dev/null +++ b/queue-5.4/perf-core-fix-broken-throttling-when-max_samples_per.patch 
@@ -0,0 +1,64 @@ +From 78f12e0203b021c0a5cd0a13d6379527ce88ae22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Apr 2025 22:16:35 +0800 +Subject: perf/core: Fix broken throttling when max_samples_per_tick=1 + +From: Qing Wang + +[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ] + +According to the throttling mechanism, the pmu interrupts number can not +exceed the max_samples_per_tick in one tick. But this mechanism is +ineffective when max_samples_per_tick=1, because the throttling check is +skipped during the first interrupt and only performed when the second +interrupt arrives. + +Perhaps this bug may cause little influence in one tick, but if in a +larger time scale, the problem can not be underestimated. + +When max_samples_per_tick = 1: +Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH +200 100 100 X86 +500 250 250 ARM64 +... +Obviously, the pmu interrupt number far exceed the user's expect. + +Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling") +Signed-off-by: Qing Wang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index dd55fd475f121..7b97be4ed9d00 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8266,14 +8266,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle) + hwc->interrupts = 1; + } else { + hwc->interrupts++; +- if (unlikely(throttle && +- hwc->interrupts > max_samples_per_tick)) { +- __this_cpu_inc(perf_throttled_count); +- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); +- hwc->interrupts = MAX_INTERRUPTS; +- perf_log_throttle(event, 0); +- ret = 1; +- } ++ } ++ ++ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) { ++ __this_cpu_inc(perf_throttled_count); ++ 
tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); ++ hwc->interrupts = MAX_INTERRUPTS; ++ perf_log_throttle(event, 0); ++ ret = 1; + } + + if (event->attr.freq) { +-- +2.39.5 + diff --git a/queue-5.4/perf-record-fix-incorrect-user-regs-comments.patch b/queue-5.4/perf-record-fix-incorrect-user-regs-comments.patch new file mode 100644 index 0000000000..c0cb608dc0 --- /dev/null +++ b/queue-5.4/perf-record-fix-incorrect-user-regs-comments.patch 
@@ -0,0 +1,46 @@ +From dc8effafe75b29b62c56c0b84651b3fe605daaaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 06:08:10 +0000 +Subject: perf record: Fix incorrect --user-regs comments + +From: Dapeng Mi + +[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ] + +The comment of "--user-regs" option is not correct, fix it. + +"on interrupt," -> "in user space," + +Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments") +Reviewed-by: Ian Rogers +Signed-off-by: Dapeng Mi +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Ingo Molnar +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-record.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c +index 9c03f67398cb2..8f03f89a6031d 100644 +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -2215,7 +2215,7 @@ static struct option __record_options[] = { + "sample selected machine registers on interrupt," + " use '-I?' to list register names", parse_intr_regs), + OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register", +- "sample selected machine registers on interrupt," ++ "sample selected machine registers in user space," + " use '--user-regs=?' to list register names", parse_user_regs), + OPT_BOOLEAN(0, "running-time", &record.opts.running_time, + "Record running/enabled time of read (:S) events"), +-- +2.39.5 + diff --git a/queue-5.4/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch b/queue-5.4/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch new file mode 100644 index 0000000000..6ec6fb9a5b --- /dev/null +++ b/queue-5.4/perf-scripts-python-exported-sql-viewer.py-fix-patte.patch 
@@ -0,0 +1,53 @@ +From b4112ee6fa662316b52395ed154a657582dc6b23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 May 2025 12:39:32 +0300 +Subject: perf scripts python: exported-sql-viewer.py: Fix pattern matching + with Python 3 + +From: Adrian Hunter + +[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ] + +The script allows the user to enter patterns to find symbols. + +The pattern matching characters are converted for use in SQL. + +For PostgreSQL the conversion involves using the Python maketrans() +method which is slightly different in Python 3 compared with Python 2. + +Fix to work in Python 3. + +Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py") +Signed-off-by: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Cc: Tony Jones +Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py +index 01acf3ea7619d..21473d6df5b9a 100755 +--- a/tools/perf/scripts/python/exported-sql-viewer.py ++++ b/tools/perf/scripts/python/exported-sql-viewer.py +@@ -667,7 +667,10 @@ class CallGraphModelBase(TreeModel): + s = value.replace("%", "\%") + s = s.replace("_", "\_") + # Translate * and ? into SQL LIKE pattern characters % and _ +- trans = string.maketrans("*?", "%_") ++ if sys.version_info[0] == 3: ++ trans = str.maketrans("*?", "%_") ++ else: ++ trans = string.maketrans("*?", "%_") + match = " LIKE '" + str(s).translate(trans) + "'" + else: + match = " GLOB '" + str(value) + "'" +-- +2.39.5 + 
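Review bot: in __perf_event_account_interrupt() (kernel/events/core.c, the perf/core throttling patch above), changing the test from `hwc->interrupts > max_samples_per_tick` to `>=` and moving it out of the else branch shifts the throttle point by one for every value of max_samples_per_tick, not only for 1, yet the commit message discusses only the =1 case. The message should state that this is intended, and a comment above the check saying that the interrupt which reaches the limit is the one that triggers throttling would make the boundary explicit.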
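Review bot: in exported-sql-viewer.py, the new check `sys.version_info[0] == 3` sends every other major version to `string.maketrans`, which is the Python 2 branch; `>= 3` states the intent better. Separately, the context lines build the clause by concatenation (`match = " LIKE '" + str(s).translate(trans) + "'"`) after escaping only % and _, so a single quote in the user-entered pattern reaches the SQL text unescaped; binding the pattern as a query parameter would be a more robust follow-up.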
diff --git a/queue-5.4/perf-tests-switch-tracking-fix-timestamp-comparison.patch b/queue-5.4/perf-tests-switch-tracking-fix-timestamp-comparison.patch new file mode 100644 index 0000000000..1c6966c9bc --- /dev/null +++ b/queue-5.4/perf-tests-switch-tracking-fix-timestamp-comparison.patch 
@@ -0,0 +1,102 @@ +From 16054ead66096c9be1cd6d7a2ecaad96750b3a5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 18:27:59 +0100 +Subject: perf tests switch-tracking: Fix timestamp comparison + +From: Leo Yan + +[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ] + +The test might fail on the Arm64 platform with the error: + + # perf test -vvv "Track with sched_switch" + Missing sched_switch events + # + +The issue is caused by incorrect handling of timestamp comparisons. The +comparison result, a signed 64-bit value, was being directly cast to an +int, leading to incorrect sorting for sched events. + +The case does not fail everytime, usually I can trigger the failure +after run 20 ~ 30 times: + + # while true; do perf test "Track with sched_switch"; done + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : FAILED! + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + 106: Track with sched_switch : FAILED! + 106: Track with sched_switch : Ok + 106: Track with sched_switch : Ok + +I used cross compiler to build Perf tool on my host machine and tested on +Debian / Juno board. Generally, I think this issue is not very specific +to GCC versions. As both internal CI and my local env can reproduce the +issue. 
+ +My Host Build compiler: + + # aarch64-linux-gnu-gcc --version + aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0 + +Juno Board: + + # lsb_release -a + No LSB modules are available. + Distributor ID: Debian + Description: Debian GNU/Linux 12 (bookworm) + Release: 12 + Codename: bookworm + +Fix this by explicitly returning 0, 1, or -1 based on whether the result +is zero, positive, or negative. + +Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch") +Reviewed-by: Ian Rogers +Signed-off-by: Leo Yan +Cc: Adrian Hunter +Cc: James Clark +Cc: Kan Liang +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/tests/switch-tracking.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c +index ffa592e0020ee..ffe3831fb7bf2 100644 +--- a/tools/perf/tests/switch-tracking.c ++++ b/tools/perf/tests/switch-tracking.c +@@ -254,7 +254,7 @@ static int compar(const void *a, const void *b) + const struct event_node *nodeb = b; + s64 cmp = nodea->event_time - nodeb->event_time; + +- return cmp; ++ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0); + } + + static int process_events(struct evlist *evlist, +-- +2.39.5 + diff --git a/queue-5.4/perf-ui-browser-hists-set-actions-thread-before-call.patch b/queue-5.4/perf-ui-browser-hists-set-actions-thread-before-call.patch new file mode 100644 index 0000000000..decd24df6b --- /dev/null +++ b/queue-5.4/perf-ui-browser-hists-set-actions-thread-before-call.patch 
@@ -0,0 +1,62 @@ +From e349299f6ff8b5217c4516cecdc13441a622405b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 21:58:19 -0300 +Subject: perf ui browser hists: Set actions->thread before calling + do_zoom_thread() + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ] + +In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct +perf_hpp_list") it assumes that act->thread is set prior to calling +do_zoom_thread(). + +This doesn't happen when we use ESC or the Left arrow key to Zoom out of +a specific thread, making this operation not to work and we get stuck +into the thread zoom. + +In 6422184b087ff435 ("perf hists browser: Simplify zooming code using +pstack_peek()") it says no need to set actions->thread, and at that +point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL +check was added before the zoom out of thread could kick in. + +We can zoom out using the alternative 't' thread zoom toggle hotkey to +finally set actions->thread before calling do_zoom_thread() and zoom +out, but lets also fix the ESC/Zoom out of thread case. + +Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list") +Reported-by: Ingo Molnar +Tested-by: Ingo Molnar +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Namhyung Kim +Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/ui/browsers/hists.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c +index 3461fa8cf4400..2a38140391c44 100644 +--- a/tools/perf/ui/browsers/hists.c ++++ b/tools/perf/ui/browsers/hists.c +@@ -3065,10 +3065,10 @@ static int perf_evsel__hists_browse(struct evsel *evsel, int nr_events, + /* + * No need to set actions->dso here since + * it's just to remove the current filter. 
+- * Ditto for thread below. + */ + do_zoom_dso(browser, actions); + } else if (top == &browser->hists->thread_filter) { ++ actions->thread = thread; + do_zoom_thread(browser, actions); + } else if (top == &browser->hists->socket_filter) { + do_zoom_socket(browser, actions); +-- +2.39.5 + diff --git a/queue-5.4/pinctrl-at91-fix-possible-out-of-boundary-access.patch b/queue-5.4/pinctrl-at91-fix-possible-out-of-boundary-access.patch new file mode 100644 index 0000000000..1431eb0c9e --- /dev/null +++ b/queue-5.4/pinctrl-at91-fix-possible-out-of-boundary-access.patch 
@@ -0,0 +1,50 @@ +From 0296e084112a6c9b26fed656d7ae978ab02cc9ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 23:08:07 +0300 +Subject: pinctrl: at91: Fix possible out-of-boundary access + +From: Andy Shevchenko + +[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ] + +at91_gpio_probe() doesn't check that given OF alias is not available or +something went wrong when trying to get it. This might have consequences +when accessing gpio_chips array with that value as an index. Note, that +BUG() can be compiled out and hence won't actually perform the required +checks. + +Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support") +Signed-off-by: Andy Shevchenko +Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/ +Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index 4e6e151db11f2..4265a4055a382 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -1819,12 +1819,16 @@ static int at91_gpio_probe(struct platform_device *pdev) + struct at91_gpio_chip *at91_chip = NULL; + struct gpio_chip *chip; + struct pinctrl_gpio_range *range; ++ int alias_idx; + int ret = 0; + int irq, i; +- int alias_idx = of_alias_get_id(np, "gpio"); + uint32_t ngpio; + char **names; + ++ alias_idx = of_alias_get_id(np, "gpio"); ++ if (alias_idx < 0) ++ return alias_idx; ++ + BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips)); + if (gpio_chips[alias_idx]) { + ret = -EBUSY; +-- +2.39.5 + diff --git a/queue-5.4/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch b/queue-5.4/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch new file mode 100644 index 0000000000..699d55f7ce --- /dev/null 
+++ b/queue-5.4/pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch 
@@ -0,0 +1,60 @@ +From 7a64f2d72bf077a34cfe8484bb87a0b9280c70bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jun 2025 18:19:27 +0200 +Subject: PM: sleep: Fix power.is_suspended cleanup for direct-complete devices + +From: Rafael J. Wysocki + +[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ] + +Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete +set on errors") caused power.is_suspended to be set for devices with +power.direct_complete set, but it forgot to ensure the clearing of that +flag for them in device_resume(), so power.is_suspended is still set for +them during the next system suspend-resume cycle. + +If that cycle is aborted in dpm_suspend(), the subsequent invocation of +dpm_resume() will trigger a device_resume() call for every device and +because power.is_suspended is set for the devices in question, they will +not be skipped by device_resume() as expected which causes scary error +messages to be logged (as appropriate). + +To address this issue, move the clearing of power.is_suspended in +device_resume() immediately after the power.is_suspended check so it +will be always cleared for all devices processed by that function. + +Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280 +Reported-and-tested-by: Chris Bainbridge +Signed-off-by: Rafael J. 
Wysocki +Reviewed-by: Mario Limonciello +Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 7375624de5646..6ad29e0793a5f 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -971,6 +971,8 @@ static int device_resume(struct device *dev, pm_message_t state, bool async) + if (!dev->power.is_suspended) + goto Complete; + ++ dev->power.is_suspended = false; ++ + if (dev->power.direct_complete) { + /* Match the pm_runtime_disable() in __device_suspend(). */ + pm_runtime_enable(dev); +@@ -1026,7 +1028,6 @@ static int device_resume(struct device *dev, pm_message_t state, bool async) + + End: + error = dpm_run_callback(callback, dev, state, info); +- dev->power.is_suspended = false; + + device_unlock(dev); + dpm_watchdog_clear(&wd); +-- +2.39.5 + diff --git a/queue-5.4/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch b/queue-5.4/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch new file mode 100644 index 0000000000..b7f6b7bcc4 --- /dev/null +++ b/queue-5.4/pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch 
@@ -0,0 +1,45 @@ +From 7ee7195467eb0ae3eb39668c8e762a6c5ce8e379 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 May 2025 17:26:51 +0800 +Subject: PM: wakeup: Delete space in the end of string shown by + pm_show_wakelocks() + +From: Zijun Hu + +[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ] + +pm_show_wakelocks() is called to generate a string when showing +attributes /sys/power/wake_(lock|unlock), but the string ends +with an unwanted space that was added back by mistake by commit +c9d967b2ce40 ("PM: wakeup: simplify the output logic of +pm_show_wakelocks()"). + +Remove the unwanted space. + +Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()") +Signed-off-by: Zijun Hu +Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/wakelock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c +index 52571dcad768b..4e941999a53ba 100644 +--- a/kernel/power/wakelock.c ++++ b/kernel/power/wakelock.c +@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active) + len += sysfs_emit_at(buf, len, "%s ", wl->name); + } + ++ if (len > 0) ++ --len; ++ + len += sysfs_emit_at(buf, len, "\n"); + + mutex_unlock(&wakelocks_lock); +-- +2.39.5 + diff --git a/queue-5.4/randstruct-gcc-plugin-fix-attribute-addition.patch b/queue-5.4/randstruct-gcc-plugin-fix-attribute-addition.patch new file mode 100644 index 0000000000..8c674cb843 --- /dev/null +++ b/queue-5.4/randstruct-gcc-plugin-fix-attribute-addition.patch 
@@ -0,0 +1,134 @@ +From ee29ee2e45a6dd5a33a2726c3ea338be92fad321 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 15:18:28 -0700 +Subject: randstruct: gcc-plugin: Fix attribute addition + +From: Kees Cook + +[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ] + +Based on changes in the 2021 public version of the randstruct +out-of-tree GCC plugin[1], more carefully update the attributes on +resulting decls, to avoid tripping checks in GCC 15's +comptypes_check_enum_int() when it has been configured with +"--enable-checking=misc": + +arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519 + 132 | const struct kexec_file_ops kexec_image_ops = { + | ^~~~~~~~~~~~~~ + internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517 + fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803 + comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519 + ... 
+ +Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1] +Reported-by: Thiago Jung Bauermann +Closes: https://github.com/KSPP/linux/issues/367 +Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/ +Reported-by: Ingo Saitz +Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745 +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Tested-by: Thiago Jung Bauermann +Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++ + scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++------- + 2 files changed, 43 insertions(+), 11 deletions(-) + +diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h +index 0907ab19202a1..6ec887ae71b64 100644 +--- a/scripts/gcc-plugins/gcc-common.h ++++ b/scripts/gcc-plugins/gcc-common.h +@@ -182,6 +182,38 @@ static inline tree build_const_char_string(int len, const char *str) + return cstr; + } + ++static inline void __add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree oldattr; ++ ++ if (type == NULL_TREE) ++ return; ++ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type)); ++ if (oldattr != NULL_TREE) { ++ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args)); ++ return; ++ } ++ ++ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); ++ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type)); ++} ++ ++static inline void add_type_attr(tree type, const char *attr, tree args) ++{ ++ tree main_variant = TYPE_MAIN_VARIANT(type); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args); ++ __add_type_attr(main_variant, attr, args); ++ ++ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) { ++ if 
(!lookup_attribute(attr, TYPE_ATTRIBUTES(type))) ++ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant); ++ ++ __add_type_attr(TYPE_CANONICAL(type), attr, args); ++ } ++} ++ + #define PASS_INFO(NAME, REF, ID, POS) \ + struct register_pass_info NAME##_pass_info = { \ + .pass = make_##NAME##_pass(), \ +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index a5aea51ecca99..472427f169a4a 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -95,6 +95,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f + + if (TYPE_P(*node)) { + type = *node; ++ } else if (TREE_CODE(*node) == FIELD_DECL) { ++ *no_add_attrs = false; ++ return NULL_TREE; + } else { + gcc_assert(TREE_CODE(*node) == TYPE_DECL); + type = TREE_TYPE(*node); +@@ -381,15 +384,14 @@ static int relayout_struct(tree type) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + ++ add_type_attr(type, "randomize_performed", NULL_TREE); ++ add_type_attr(type, "designated_init", NULL_TREE); ++ if (has_flexarray) ++ add_type_attr(type, "has_flexarray", NULL_TREE); ++ + main_variant = TYPE_MAIN_VARIANT(type); +- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { ++ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) + TYPE_FIELDS(variant) = newtree[0]; +- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +- if (has_flexarray) +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } + + /* + * force a re-layout of the main variant +@@ -457,10 +459,8 @@ static void randomize_type(tree type) 
+ if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type)) + relayout_struct(type); + +- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type)); +- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type)); +- } ++ add_type_attr(type, "randomize_considered", NULL_TREE); ++ + #ifdef __DEBUG_PLUGIN + fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type)); + #ifdef __DEBUG_VERBOSE +-- +2.39.5 + diff --git a/queue-5.4/randstruct-gcc-plugin-remove-bogus-void-member.patch b/queue-5.4/randstruct-gcc-plugin-remove-bogus-void-member.patch new file mode 100644 index 0000000000..a44e572ab2 --- /dev/null +++ b/queue-5.4/randstruct-gcc-plugin-remove-bogus-void-member.patch 
@@ -0,0 +1,119 @@ +From 1277732ff03465d088cd0b647f73c0431dcc772f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Apr 2025 00:37:52 -0700 +Subject: randstruct: gcc-plugin: Remove bogus void member +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ] + +When building the randomized replacement tree of struct members, the +randstruct GCC plugin would insert, as the first member, a 0-sized void +member. This appears as though it was done to catch non-designated +("unnamed") static initializers, which wouldn't be stable since they +depend on the original struct layout order. + +This was accomplished by having the side-effect of the "void member" +tripping an assert in GCC internals (count_type_elements) if the member +list ever needed to be counted (e.g. for figuring out the order of members +during a non-designated initialization), which would catch impossible type +(void) in the struct: + +security/landlock/fs.c: In function ‘hook_file_ioctl_common’: +security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075 + 1745 | .u.op = &(struct lsm_ioctlop_audit) { + | ^ + +static HOST_WIDE_INT +count_type_elements (const_tree type, bool for_ctor_p) +{ + switch (TREE_CODE (type)) +... + case VOID_TYPE: + default: + gcc_unreachable (); + } +} + +However this is a redundant safety measure since randstruct uses the +__designated_initializer attribute both internally and within the +__randomized_layout attribute macro so that this would be enforced +by the compiler directly even when randstruct was not enabled (via +-Wdesignated-init). + +A recent change in Landlock ended up tripping the same member counting +routine when using a full-struct copy initializer as part of an anonymous +initializer. 
This, however, is a false positive as the initializer is +copying between identical structs (and hence identical layouts). The +"path" member is "struct path", a randomized struct, and is being copied +to from another "struct path", the "f_path" member: + + landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) { + .type = LANDLOCK_REQUEST_FS_ACCESS, + .audit = { + .type = LSM_AUDIT_DATA_IOCTL_OP, + .u.op = &(struct lsm_ioctlop_audit) { + .path = file->f_path, + .cmd = cmd, + }, + }, + ... + +As can be seen with the coming randstruct KUnit test, there appears to +be no behavioral problems with this kind of initialization when the void +member is removed from the randstruct GCC plugin, so remove it. + +Reported-by: "Dr. David Alan Gilbert" +Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/ +Reported-by: Mark Brown +Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/ +Reported-by: WangYuli +Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/ +Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin") +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + scripts/gcc-plugins/randomize_layout_plugin.c | 18 +----------------- + 1 file changed, 1 insertion(+), 17 deletions(-) + +diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c +index c7ff92b4189cb..a5aea51ecca99 100644 +--- a/scripts/gcc-plugins/randomize_layout_plugin.c ++++ b/scripts/gcc-plugins/randomize_layout_plugin.c +@@ -377,29 +377,13 @@ static int relayout_struct(tree type) + + shuffle(type, (tree *)newtree, shuffle_length); + +- /* +- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers +- * as gcc provides no other way to detect such code +- */ +- list = make_node(FIELD_DECL); +- TREE_CHAIN(list) = newtree[0]; +- TREE_TYPE(list) = void_type_node; +- DECL_SIZE(list) 
= bitsize_zero_node; +- DECL_NONADDRESSABLE_P(list) = 1; +- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node; +- DECL_SIZE_UNIT(list) = size_zero_node; +- DECL_FIELD_OFFSET(list) = size_zero_node; +- DECL_CONTEXT(list) = type; +- // to satisfy the constify plugin +- TREE_READONLY(list) = 1; +- + for (i = 0; i < num_fields - 1; i++) + TREE_CHAIN(newtree[i]) = newtree[i+1]; + TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE; + + main_variant = TYPE_MAIN_VARIANT(type); + for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) { +- TYPE_FIELDS(variant) = list; ++ TYPE_FIELDS(variant) = newtree[0]; + TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant)); + TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant)); + TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant)); +-- +2.39.5 + diff --git a/queue-5.4/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch b/queue-5.4/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch new file mode 100644 index 0000000000..6ed0ef076d --- /dev/null +++ b/queue-5.4/rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch 
@@ -0,0 +1,67 @@ +From 5c81bf8188378e4874f8383b819dac9869ce67bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Apr 2025 21:27:49 +0800 +Subject: RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h + +From: Junxian Huang + +[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ] + +hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the +inline function hns_roce_write64(), but it doesn't include this +header currently. This leads to that files including +hns_roce_hw_v2.h must also include hnae3.h to avoid compilation +errors, even if they themselves don't really rely on hnae3.h. +This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h +directly. + +Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset") +Signed-off-by: Junxian Huang +Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 - + drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + + drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 - + 3 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 28bbc4708fd48..f494a571c7a54 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -41,7 +41,6 @@ + #include + #include + +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_cmd.h" +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +index b9ab3ca3079c7..45eac5db33145 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h +@@ -34,6 +34,7 @@ + #define _HNS_ROCE_HW_V2_H + + #include ++#include "hnae3.h" + + #define HNS_ROCE_VF_QPC_BT_NUM 256 + #define HNS_ROCE_VF_SCCC_BT_NUM 64 +diff --git 
a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c +index 39c08217e861a..2ac0359a647b1 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c ++++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c +@@ -4,7 +4,6 @@ + #include + #include + #include +-#include "hnae3.h" + #include "hns_roce_common.h" + #include "hns_roce_device.h" + #include "hns_roce_hw_v2.h" +-- +2.39.5 + diff --git a/queue-5.4/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch b/queue-5.4/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch new file mode 100644 index 0000000000..6676778b74 --- /dev/null +++ b/queue-5.4/rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch @@ -0,0 +1,38 @@ +From e15b73d43680a2e597065a3d89ad5db4e0ba5210 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Apr 2025 20:22:05 +0300 +Subject: rpmsg: qcom_smd: Fix uninitialized return variable in + __qcom_smd_send() + +From: Dan Carpenter + +[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ] + +The "ret" variable isn't initialized if we don't enter the loop. For +example, if "channel->state" is not SMD_CHANNEL_OPENED. + +Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_smd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c +index b5167ef93abf9..6facf1b31d463 100644 +--- a/drivers/rpmsg/qcom_smd.c ++++ b/drivers/rpmsg/qcom_smd.c +@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data, + __le32 hdr[5] = { cpu_to_le32(len), }; + int tlen = sizeof(hdr) + len; + unsigned long flags; +- int ret; ++ int ret = 0; + + /* Word aligned channels only accept word size aligned data */ + if (channel->info_word && len % 4) +-- +2.39.5 + 
diff --git a/queue-5.4/rtc-fix-offset-calculation-for-.start_secs-0.patch b/queue-5.4/rtc-fix-offset-calculation-for-.start_secs-0.patch new file mode 100644 index 0000000000..5d7f5fc1f5 --- /dev/null +++ b/queue-5.4/rtc-fix-offset-calculation-for-.start_secs-0.patch 
@@ -0,0 +1,58 @@ +From cca2cc8e855dfc957726e76e4c70c23919487199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Apr 2025 12:06:48 +0200 +Subject: rtc: Fix offset calculation for .start_secs < 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alexandre Mergnat + +[ Upstream commit fe9f5f96cfe8b82d0f24cbfa93718925560f4f8d ] + +The comparison + + rtc->start_secs > rtc->range_max + +has a signed left-hand side and an unsigned right-hand side. +So the comparison might become true for negative start_secs which is +interpreted as a (possibly very large) positive value. + +As a negative value can never be bigger than an unsigned value +the correct representation of the (mathematical) comparison + + rtc->start_secs > rtc->range_max + +in C is: + + rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max + +Use that to fix the offset calculation currently used in the +rtc-mt6397 driver. + +Fixes: 989515647e783 ("rtc: Add one offset seconds to expand RTC range") +Signed-off-by: Alexandre Mergnat +Reviewed-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20250428-enable-rtc-v4-2-2b2f7e3f9349@baylibre.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/class.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/class.c b/drivers/rtc/class.c +index 8b434213bc7ad..87cb34acadde3 100644 +--- a/drivers/rtc/class.c ++++ b/drivers/rtc/class.c +@@ -270,7 +270,7 @@ static void rtc_device_get_offset(struct rtc_device *rtc) + * + * Otherwise the offset seconds should be 0. + */ +- if (rtc->start_secs > rtc->range_max || ++ if ((rtc->start_secs >= 0 && rtc->start_secs > rtc->range_max) || + rtc->start_secs + range_secs - 1 < rtc->range_min) + rtc->offset_secs = rtc->start_secs - rtc->range_min; + else if (rtc->start_secs > rtc->range_min) +-- +2.39.5 + 
diff --git a/queue-5.4/rtc-sh-assign-correct-interrupts-with-dt.patch b/queue-5.4/rtc-sh-assign-correct-interrupts-with-dt.patch new file mode 100644 index 0000000000..715b36d169 --- /dev/null +++ b/queue-5.4/rtc-sh-assign-correct-interrupts-with-dt.patch 
@@ -0,0 +1,51 @@ +From b7ed769bbea9603d2ac88aa798a83df5f472c637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Feb 2025 14:42:56 +0100 +Subject: rtc: sh: assign correct interrupts with DT + +From: Wolfram Sang + +[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ] + +The DT bindings for this driver define the interrupts in the order as +they are numbered in the interrupt controller. The old platform_data, +however, listed them in a different order. So, for DT based platforms, +they are mixed up. Assign them specifically for DT, so we can keep the +bindings stable. After the fix, 'rtctest' passes again on the Renesas +Genmai board (RZ-A1 / R7S72100). + +Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series") +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-sh.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c +index 579b3ff5c644f..8b4a2ef59e609 100644 +--- a/drivers/rtc/rtc-sh.c ++++ b/drivers/rtc/rtc-sh.c +@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev) + return -ENOENT; + } + +- rtc->periodic_irq = ret; +- rtc->carry_irq = platform_get_irq(pdev, 1); +- rtc->alarm_irq = platform_get_irq(pdev, 2); ++ if (!pdev->dev.of_node) { ++ rtc->periodic_irq = ret; ++ rtc->carry_irq = platform_get_irq(pdev, 1); ++ rtc->alarm_irq = platform_get_irq(pdev, 2); ++ } else { ++ rtc->alarm_irq = ret; ++ rtc->periodic_irq = platform_get_irq(pdev, 1); ++ rtc->carry_irq = platform_get_irq(pdev, 2); ++ } + + res = platform_get_resource(pdev, IORESOURCE_IO, 0); + if (!res) +-- +2.39.5 + diff --git a/queue-5.4/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch b/queue-5.4/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch new file mode 100644 index 0000000000..36c10c3d3f --- /dev/null 
+++ b/queue-5.4/selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch 
@@ -0,0 +1,53 @@ +From 79301b60273666e6af790660b7496dacc29f6622 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Apr 2025 09:40:58 +0000 +Subject: selftests/seccomp: fix syscall_restart test for arm compat + +From: Neill Kapron + +[ Upstream commit 797002deed03491215a352ace891749b39741b69 ] + +The inconsistencies in the systcall ABI between arm and arm-compat can +can cause a failure in the syscall_restart test due to the logic +attempting to work around the differences. The 'machine' field for an +ARM64 device running in compat mode can report 'armv8l' or 'armv8b' +which matches with the string 'arm' when only examining the first three +characters of the string. + +This change adds additional validation to the workaround logic to make +sure we only take the arm path when running natively, not in arm-compat. + +Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64") +Signed-off-by: Neill Kapron +Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c +index 19c7351eeb74b..a12eea3aff104 100644 +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -2875,12 +2875,15 @@ TEST(syscall_restart) + ret = get_syscall(_metadata, child_pid); + #if defined(__arm__) + /* +- * FIXME: + * - native ARM registers do NOT expose true syscall. + * - compat ARM registers on ARM64 DO expose true syscall. ++ * - values of utsbuf.machine include 'armv8l' or 'armb8b' ++ * for ARM64 running in compat mode. 
+ */ + ASSERT_EQ(0, uname(&utsbuf)); +- if (strncmp(utsbuf.machine, "arm", 3) == 0) { ++ if ((strncmp(utsbuf.machine, "arm", 3) == 0) && ++ (strncmp(utsbuf.machine, "armv8l", 6) != 0) && ++ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) { + EXPECT_EQ(__NR_nanosleep, ret); + } else + #endif +-- +2.39.5 + diff --git a/queue-5.4/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch b/queue-5.4/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch new file mode 100644 index 0000000000..14b6fc2f85 --- /dev/null +++ b/queue-5.4/serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch @@ -0,0 +1,43 @@ +From 68378d312871b1a09ff4bfad17b2e23a31825b9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Apr 2025 15:03:39 +0800 +Subject: serial: Fix potential null-ptr-deref in mlb_usio_probe() + +From: Henry Martin + +[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ] + +devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() +does not check for this case, which could result in a NULL pointer +dereference. + +Add NULL check after devm_ioremap() to prevent this issue. + +Fixes: ba44dc043004 ("serial: Add Milbeaut serial control") +Signed-off-by: Henry Martin +Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/milbeaut_usio.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c +index 949ab7efc4fcd..e7ad13e2323f3 100644 +--- a/drivers/tty/serial/milbeaut_usio.c ++++ b/drivers/tty/serial/milbeaut_usio.c +@@ -527,7 +527,10 @@ static int mlb_usio_probe(struct platform_device *pdev) + } + port->membase = devm_ioremap(&pdev->dev, res->start, + resource_size(res)); +- ++ if (!port->membase) { ++ ret = -ENOMEM; ++ goto failed; ++ } + ret = platform_get_irq_byname(pdev, "rx"); + mlb_usio_irq[index][RX] = ret; + +-- +2.39.5 + 
diff --git a/queue-5.4/series b/queue-5.4/series index c9c83e3014..195b787345 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -6,3 +6,66 @@ usb-storage-ignore-uas-driver-for-sandisk-3.2-gen2-storage-device.patch usb-usbtmc-fix-timeout-value-in-get_stb.patch thunderbolt-do-not-double-dequeue-a-configuration-request.patch netfilter-nft_socket-fix-sk-refcount-leaks.patch +gfs2-gfs2_create_inode-error-handling-fix.patch +perf-core-fix-broken-throttling-when-max_samples_per.patch +x86-cpu-sanitize-cpuid-0x80000000-output.patch +crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch +crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch +edac-skx_common-fix-general-protection-fault.patch +pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch +x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch +acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch +spi-sh-msiof-fix-maximum-dma-transfer-size.patch +drm-vmwgfx-add-seqno-waiter-for-sync_files.patch +m68k-mac-fix-macintosh_config-for-mac-ii.patch +firmware-psci-fix-refcount-leak-in-psci_dt_init.patch +selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch +drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch +drm-vkms-adjust-vkms_state-active_planes-allocation-.patch +drm-tegra-rgb-fix-the-unbound-reference-count.patch +f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch +net-ncsi-fix-gcps-64-bit-member-variables.patch +wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch +rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch +f2fs-clean-up-w-fscrypt_is_bounce_page.patch +netfilter-bridge-move-specific-fragmented-packet-to-.patch +ktls-sockmap-fix-missing-uncharge-operation.patch +pinctrl-at91-fix-possible-out-of-boundary-access.patch +bpf-fix-warn-in-get_bpf_raw_tp_regs.patch +wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch +netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch +net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch +net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch +calipso-don-t-call-calipso-functions-for-af_inet-sk.patch 
+f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch +f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch +arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch +arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch +squashfs-check-return-result-of-sb_min_blocksize.patch +nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch +nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch +bus-fsl-mc-fix-double-free-on-mc_dev.patch +arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch +arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch +soc-aspeed-lpc-fix-impossible-judgment-condition.patch +soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch +fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch +randstruct-gcc-plugin-remove-bogus-void-member.patch +randstruct-gcc-plugin-fix-attribute-addition.patch +perf-ui-browser-hists-set-actions-thread-before-call.patch +perf-scripts-python-exported-sql-viewer.py-fix-patte.patch +rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch +mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch +mfd-stmpe-spi-correct-the-name-used-in-module_device.patch +perf-tests-switch-tracking-fix-timestamp-comparison.patch +perf-record-fix-incorrect-user-regs-comments.patch +rtc-sh-assign-correct-interrupts-with-dt.patch +rtc-fix-offset-calculation-for-.start_secs-0.patch +usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch +serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch +vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch +net-mlx4_en-prevent-potential-integer-overflow-calcu.patch +bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch +ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch +pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch +do_change_type-refuse-to-operate-on-unmounted-not-ou.patch 
diff --git a/queue-5.4/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch b/queue-5.4/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch new file mode 100644 index 0000000000..e1ee1020b8 --- /dev/null +++ b/queue-5.4/soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch 
@@ -0,0 +1,73 @@ +From 988be02dcfd12f6432f17cd08cc1210e460e22c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:44 +0930 +Subject: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() + +From: Henry Martin + +[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +aspeed_lpc_enable_snoop() does not check for this case, which results in a +NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue. + +Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com +[arj: Fix Fixes: tag to use subject from 3772e5da4454] +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index 8a2a22c40ef53..43e30937fc9da 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -202,11 +202,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR; + lpc_snoop->chan[channel].miscdev.name = + devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel); ++ if (!lpc_snoop->chan[channel].miscdev.name) { ++ rc = -ENOMEM; ++ goto err_free_fifo; ++ } + lpc_snoop->chan[channel].miscdev.fops = &snoop_fops; + lpc_snoop->chan[channel].miscdev.parent = dev; + rc = misc_register(&lpc_snoop->chan[channel].miscdev); + if (rc) +- return rc; ++ goto err_free_fifo; + + /* Enable LPC snoop channel at requested port */ + switch (channel) { +@@ -223,7 +227,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + hicrb_en = HICRB_ENSNP1D; + break; + 
default: +- return -EINVAL; ++ rc = -EINVAL; ++ goto err_misc_deregister; + } + + regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en); +@@ -233,6 +238,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop, + regmap_update_bits(lpc_snoop->regmap, HICRB, + hicrb_en, hicrb_en); + ++ return 0; ++ ++err_misc_deregister: ++ misc_deregister(&lpc_snoop->chan[channel].miscdev); ++err_free_fifo: ++ kfifo_free(&lpc_snoop->chan[channel].fifo); + return rc; + } + +-- +2.39.5 + diff --git a/queue-5.4/soc-aspeed-lpc-fix-impossible-judgment-condition.patch b/queue-5.4/soc-aspeed-lpc-fix-impossible-judgment-condition.patch new file mode 100644 index 0000000000..5f45687624 --- /dev/null +++ b/queue-5.4/soc-aspeed-lpc-fix-impossible-judgment-condition.patch 
@@ -0,0 +1,46 @@ +From 4b92fb1ef2b09e6a3208376f13b945d5efd58d1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 16:00:43 +0930 +Subject: soc: aspeed: lpc: Fix impossible judgment condition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Su Hui + +[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ] + +smatch error: +drivers/soc/aspeed/aspeed-lpc-snoop.c:169 +aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero + +platform_get_irq() return non-zero IRQ number or negative error code, +change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this. + +Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver") +Signed-off-by: Su Hui +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com +Signed-off-by: Andrew Jeffery +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c +index 538d7aab8db5c..8a2a22c40ef53 100644 +--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c ++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c +@@ -168,7 +168,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop, + int rc; + + lpc_snoop->irq = platform_get_irq(pdev, 0); +- if (!lpc_snoop->irq) ++ if (lpc_snoop->irq < 0) + return -ENODEV; + + rc = devm_request_irq(dev, lpc_snoop->irq, +-- +2.39.5 + diff --git a/queue-5.4/spi-sh-msiof-fix-maximum-dma-transfer-size.patch b/queue-5.4/spi-sh-msiof-fix-maximum-dma-transfer-size.patch new file mode 100644 index 0000000000..f84fd4adc1 --- /dev/null +++ b/queue-5.4/spi-sh-msiof-fix-maximum-dma-transfer-size.patch 
@@ -0,0 +1,71 @@ +From 09360d09a67583e5c3cc910832761dea1bf4ea30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 May 2025 15:32:06 +0200 +Subject: spi: sh-msiof: Fix maximum DMA transfer size + +From: Geert Uytterhoeven + +[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ] + +The maximum amount of data to transfer in a single DMA request is +calculated from the FIFO sizes (which is technically not 100% correct, +but a simplification, as it is limited by the maximum word count values +in the Transmit and Control Data Registers). However, in case there is +both data to transmit and to receive, the transmit limit is overwritten +by the receive limit. + +Fix this by using the minimum applicable FIFO size instead. Move the +calculation outside the loop, so it is not repeated for each individual +DMA transfer. + +As currently tx_fifo_size is always equal to rx_fifo_size, this bug had +no real impact. + +Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word") +Signed-off-by: Geert Uytterhoeven +Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sh-msiof.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c +index edb26b0857063..80a39424dc1e2 100644 +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -918,6 +918,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr, + void *rx_buf = t->rx_buf; + unsigned int len = t->len; + unsigned int bits = t->bits_per_word; ++ unsigned int max_wdlen = 256; + unsigned int bytes_per_word; + unsigned int words; + int n; +@@ -931,17 +932,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr, + if (!spi_controller_is_slave(p->ctlr)) + sh_msiof_spi_set_clk_regs(p, clk_get_rate(p->clk), t->speed_hz); + ++ if (tx_buf) ++ max_wdlen 
= min(max_wdlen, p->tx_fifo_size); ++ if (rx_buf) ++ max_wdlen = min(max_wdlen, p->rx_fifo_size); ++ + while (ctlr->dma_tx && len > 15) { + /* + * DMA supports 32-bit words only, hence pack 8-bit and 16-bit + * words, with byte resp. word swapping. + */ +- unsigned int l = 0; +- +- if (tx_buf) +- l = min(round_down(len, 4), p->tx_fifo_size * 4); +- if (rx_buf) +- l = min(round_down(len, 4), p->rx_fifo_size * 4); ++ unsigned int l = min(round_down(len, 4), max_wdlen * 4); + + if (bits <= 8) { + copy32 = copy_bswap32; +-- +2.39.5 + diff --git a/queue-5.4/squashfs-check-return-result-of-sb_min_blocksize.patch b/queue-5.4/squashfs-check-return-result-of-sb_min_blocksize.patch new file mode 100644 index 0000000000..771aa18b50 --- /dev/null +++ b/queue-5.4/squashfs-check-return-result-of-sb_min_blocksize.patch 
@@ -0,0 +1,66 @@ +From c4926dc0b0b6694c79a25cec3441a8f16c7c03cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Apr 2025 03:47:47 +0100 +Subject: Squashfs: check return result of sb_min_blocksize + +From: Phillip Lougher + +[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ] + +Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. + +Syzkaller forks multiple processes which after mounting the Squashfs +filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). +Now if this ioctl occurs at the same time another process is in the +process of mounting a Squashfs filesystem on /dev/loop0, the failure +occurs. When this happens the following code in squashfs_fill_super() +fails. + +---- +msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); +msblk->devblksize_log2 = ffz(~msblk->devblksize); +---- + +sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0. + +As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 +is set to 64. + +This subsequently causes the + +UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 +shift exponent 64 is too large for 64-bit type 'u64' (aka +'unsigned long long') + +This commit adds a check for a 0 return by sb_min_blocksize(). 
+ +Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk +Fixes: 0aa666190509 ("Squashfs: super block operations") +Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/ +Signed-off-by: Phillip Lougher +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/squashfs/super.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c +index 2110323b610b9..545207683ddd7 100644 +--- a/fs/squashfs/super.c ++++ b/fs/squashfs/super.c +@@ -86,6 +86,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc) + msblk = sb->s_fs_info; + + msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); ++ if (!msblk->devblksize) { ++ errorf(fc, "squashfs: unable to set blocksize\n"); ++ return -EINVAL; ++ } ++ + msblk->devblksize_log2 = ffz(~msblk->devblksize); + + mutex_init(&msblk->meta_index_mutex); +-- +2.39.5 + diff --git a/queue-5.4/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch b/queue-5.4/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch new file mode 100644 index 0000000000..296804e765 --- /dev/null +++ b/queue-5.4/usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch 
@@ -0,0 +1,192 @@ +From 61aaed94b46b22b53ed6b1da6f133f68a92db18b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Apr 2025 11:50:02 +0100 +Subject: usb: renesas_usbhs: Reorder clock handling and power management in + probe + +From: Lad Prabhakar + +[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ] + +Reorder the initialization sequence in `usbhs_probe()` to enable runtime +PM before accessing registers, preventing potential crashes due to +uninitialized clocks. + +Currently, in the probe path, registers are accessed before enabling the +clocks, leading to a synchronous external abort on the RZ/V2H SoC. +The problematic call flow is as follows: + + usbhs_probe() + usbhs_sys_clock_ctrl() + usbhs_bset() + usbhs_write() + iowrite16() <-- Register access before enabling clocks + +Since `iowrite16()` is performed without ensuring the required clocks are +enabled, this can lead to access errors. To fix this, enable PM runtime +early in the probe function and ensure clocks are acquired before register +access, preventing crashes like the following on RZ/V2H: + +[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP +[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 +[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 +[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) +[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] +[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] +[13.321138] sp : ffff8000827e3850 +[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 +[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 +[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 +[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff +[13.352895] x17: 
0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce +[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000 +[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 +[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c +[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 +[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 +[13.395574] Call trace: +[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P) +[13.403076] platform_probe+0x68/0xdc +[13.406738] really_probe+0xbc/0x2c0 +[13.410306] __driver_probe_device+0x78/0x120 +[13.414653] driver_probe_device+0x3c/0x154 +[13.418825] __driver_attach+0x90/0x1a0 +[13.422647] bus_for_each_dev+0x7c/0xe0 +[13.426470] driver_attach+0x24/0x30 +[13.430032] bus_add_driver+0xe4/0x208 +[13.433766] driver_register+0x68/0x130 +[13.437587] __platform_driver_register+0x24/0x30 +[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] +[13.448450] do_one_initcall+0x60/0x1d4 +[13.452276] do_init_module+0x54/0x1f8 +[13.456014] load_module+0x1754/0x1c98 +[13.459750] init_module_from_file+0x88/0xcc +[13.464004] __arm64_sys_finit_module+0x1c4/0x328 +[13.468689] invoke_syscall+0x48/0x104 +[13.472426] el0_svc_common.constprop.0+0xc0/0xe0 +[13.477113] do_el0_svc+0x1c/0x28 +[13.480415] el0_svc+0x30/0xcc +[13.483460] el0t_64_sync_handler+0x10c/0x138 +[13.487800] el0t_64_sync+0x198/0x19c +[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) +[13.497522] ---[ end trace 0000000000000000 ]--- + +Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code") +Signed-off-by: Lad Prabhakar +Reviewed-by: Yoshihiro Shimoda +Tested-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++------- + 1 file 
changed, 38 insertions(+), 12 deletions(-) + +diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c +index ab33320028723..c395f5e23f8b5 100644 +--- a/drivers/usb/renesas_usbhs/common.c ++++ b/drivers/usb/renesas_usbhs/common.c +@@ -680,10 +680,29 @@ static int usbhs_probe(struct platform_device *pdev) + INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug); + spin_lock_init(usbhs_priv_to_lock(priv)); + ++ /* ++ * Acquire clocks and enable power management (PM) early in the ++ * probe process, as the driver accesses registers during ++ * initialization. Ensure the device is active before proceeding. ++ */ ++ pm_runtime_enable(dev); ++ ++ ret = usbhsc_clk_get(dev, priv); ++ if (ret) ++ goto probe_pm_disable; ++ ++ ret = pm_runtime_resume_and_get(dev); ++ if (ret) ++ goto probe_clk_put; ++ ++ ret = usbhsc_clk_prepare_enable(priv); ++ if (ret) ++ goto probe_pm_put; ++ + /* call pipe and module init */ + ret = usbhs_pipe_probe(priv); + if (ret < 0) +- return ret; ++ goto probe_clk_dis_unprepare; + + ret = usbhs_fifo_probe(priv); + if (ret < 0) +@@ -700,10 +719,6 @@ static int usbhs_probe(struct platform_device *pdev) + if (ret) + goto probe_fail_rst; + +- ret = usbhsc_clk_get(dev, priv); +- if (ret) +- goto probe_fail_clks; +- + /* + * deviece reset here because + * USB device might be used in boot loader. 
+@@ -719,7 +734,7 @@ static int usbhs_probe(struct platform_device *pdev) + dev_warn(dev, "USB function not selected (GPIO %d)\n", + priv->dparam.enable_gpio); + ret = -ENOTSUPP; +- goto probe_end_mod_exit; ++ goto probe_assert_rest; + } + } + +@@ -733,14 +748,19 @@ static int usbhs_probe(struct platform_device *pdev) + ret = usbhs_platform_call(priv, hardware_init, pdev); + if (ret < 0) { + dev_err(dev, "platform init failed.\n"); +- goto probe_end_mod_exit; ++ goto probe_assert_rest; + } + + /* reset phy for connection */ + usbhs_platform_call(priv, phy_reset, pdev); + +- /* power control */ +- pm_runtime_enable(dev); ++ /* ++ * Disable the clocks that were enabled earlier in the probe path, ++ * and let the driver handle the clocks beyond this point. ++ */ ++ usbhsc_clk_disable_unprepare(priv); ++ pm_runtime_put(dev); ++ + if (!usbhs_get_dparam(priv, runtime_pwctrl)) { + usbhsc_power_ctrl(priv, 1); + usbhs_mod_autonomy_mode(priv); +@@ -757,9 +777,7 @@ static int usbhs_probe(struct platform_device *pdev) + + return ret; + +-probe_end_mod_exit: +- usbhsc_clk_put(priv); +-probe_fail_clks: ++probe_assert_rest: + reset_control_assert(priv->rsts); + probe_fail_rst: + usbhs_mod_remove(priv); +@@ -767,6 +785,14 @@ static int usbhs_probe(struct platform_device *pdev) + usbhs_fifo_remove(priv); + probe_end_pipe_exit: + usbhs_pipe_remove(priv); ++probe_clk_dis_unprepare: ++ usbhsc_clk_disable_unprepare(priv); ++probe_pm_put: ++ pm_runtime_put(dev); ++probe_clk_put: ++ usbhsc_clk_put(priv); ++probe_pm_disable: ++ pm_runtime_disable(dev); + + dev_info(dev, "probe failed (%d)\n", ret); + +-- +2.39.5 + diff --git a/queue-5.4/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch b/queue-5.4/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch new file mode 100644 index 0000000000..5c38317238 --- /dev/null +++ b/queue-5.4/vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch 
@@ -0,0 +1,39 @@ +From 9777d33bbf0d89e85061593cf745e9336920e3de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 May 2025 11:30:52 -0400 +Subject: vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() + +From: Nicolas Pitre + +[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ] + +They are listed amon those cmd values that "treat 'arg' as an integer" +which is wrong. They should instead fall into the default case. Probably +nobody ever relied on that code since 2009 but still. + +Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver") +Signed-off-by: Nicolas Pitre +Reviewed-by: Jiri Slaby +Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt_ioctl.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c +index f623b3859e980..0d51353d1e0d1 100644 +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -1106,8 +1106,6 @@ long vt_compat_ioctl(struct tty_struct *tty, + case VT_WAITACTIVE: + case VT_RELDISP: + case VT_DISALLOCATE: +- case VT_RESIZE: +- case VT_RESIZEX: + return vt_ioctl(tty, cmd, arg); + + /* +-- +2.39.5 + diff --git a/queue-5.4/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch b/queue-5.4/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch new file mode 100644 index 0000000000..d941e0760c --- /dev/null +++ b/queue-5.4/wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch 
@@ -0,0 +1,48 @@ +From ab9e8d6cfd96f6095f07262cf84be9d98d792f04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 13:22:16 +0200 +Subject: wifi: ath9k_htc: Abort software beacon handling if disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ] + +A malicious USB device can send a WMI_SWBA_EVENTID event from an +ath9k_htc-managed device before beaconing has been enabled. This causes +a device-by-zero error in the driver, leading to either a crash or an +out of bounds read. + +Prevent this by aborting the handling in ath9k_htc_swba() if beacons are +not enabled. + +Reported-by: Robert Morris +Closes: https://lore.kernel.org/r/88967.1743099372@localhost +Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots") +Signed-off-by: Toke Høiland-Jørgensen +Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +index f20c839aeda22..6db484ee7ee08 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c +@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv, + struct ath_common *common = ath9k_hw_common(priv->ah); + int slot; + ++ if (!priv->cur_beacon_conf.enable_beacon) ++ return; ++ + if (swba->beacon_pending != 0) { + priv->beacon.bmisscnt++; + if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) { +-- +2.39.5 + diff --git a/queue-5.4/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch b/queue-5.4/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch new file mode 100644 index 0000000000..0567d439ae --- /dev/null 
+++ b/queue-5.4/wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch @@ -0,0 +1,42 @@ +From 608dbbe3b66bc1de61c4f9867acf2b6c6008668a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Apr 2025 12:07:20 +0300 +Subject: wifi: rtw88: do not ignore hardware read error during DPK + +From: Dmitry Antipov + +[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ] + +In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned +by 'check_hw_ready()' but issue a warning to denote possible +DPK issue. Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support") +Suggested-by: Ping-Ke Shih +Signed-off-by: Dmitry Antipov +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +index 72d711a62b07b..0cc8d507165af 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +@@ -2857,7 +2857,8 @@ void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev) + rtw_write32(rtwdev, REG_NCTL0, 0x00001148); + rtw_write32(rtwdev, REG_NCTL0, 0x00001149); + +- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55); ++ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55)) ++ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal"); + + rtw_write8(rtwdev, 0x1b10, 0x0); + rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c); +-- +2.39.5 + diff --git a/queue-5.4/x86-cpu-sanitize-cpuid-0x80000000-output.patch b/queue-5.4/x86-cpu-sanitize-cpuid-0x80000000-output.patch new file mode 100644 index 0000000000..2bf64a7265 --- /dev/null +++ b/queue-5.4/x86-cpu-sanitize-cpuid-0x80000000-output.patch 
@@ -0,0 +1,92 @@ +From 9e29c80db7262468251fbaee81e6f4d898e77c8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 May 2025 07:04:13 +0200 +Subject: x86/cpu: Sanitize CPUID(0x80000000) output + +From: Ahmed S. Darwish + +[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ] + +CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On +x86-32 machines without an extended CPUID range, a CPUID(0x80000000) +query will just repeat the output of the last valid standard CPUID leaf +on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against +this by doing: + + eax = cpuid_eax(0x80000000); + c->extended_cpuid_level = eax; + + if ((eax & 0xffff0000) == 0x80000000) { + // CPU has an extended CPUID range. Check for 0x80000001 + if (eax >= 0x80000001) { + cpuid(0x80000001, ...); + } + } + +This is correct so far. Afterwards though, the same possibly broken EAX +value is used to check the availability of other extended CPUID leaves: + + if (c->extended_cpuid_level >= 0x80000007) + ... + if (c->extended_cpuid_level >= 0x80000008) + ... + if (c->extended_cpuid_level >= 0x8000000a) + ... + if (c->extended_cpuid_level >= 0x8000001f) + ... + +which is invalid. Fix this by immediately setting the CPU's max extended +CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid +CPUID extended range. + +While at it, add a comment, similar to kernel/head_32.S, clarifying the +CPUID(0x80000000) sanity check. + +References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX") +Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit") +Signed-off-by: Ahmed S. Darwish +Signed-off-by: Ingo Molnar +Cc: Andrew Cooper +Cc: H. 
Peter Anvin +Cc: John Ogness +Cc: x86-cpuid@lists.linux.dev +Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/common.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c +index ae9d8aa3ae48e..bd29a436e87e8 100644 +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -934,17 +934,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c) + c->x86_capability[CPUID_D_1_EAX] = eax; + } + +- /* AMD-defined flags: level 0x80000001 */ ++ /* ++ * Check if extended CPUID leaves are implemented: Max extended ++ * CPUID leaf must be in the 0x80000001-0x8000ffff range. ++ */ + eax = cpuid_eax(0x80000000); +- c->extended_cpuid_level = eax; ++ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0; + +- if ((eax & 0xffff0000) == 0x80000000) { +- if (eax >= 0x80000001) { +- cpuid(0x80000001, &eax, &ebx, &ecx, &edx); ++ if (c->extended_cpuid_level >= 0x80000001) { ++ cpuid(0x80000001, &eax, &ebx, &ecx, &edx); + +- c->x86_capability[CPUID_8000_0001_ECX] = ecx; +- c->x86_capability[CPUID_8000_0001_EDX] = edx; +- } ++ c->x86_capability[CPUID_8000_0001_ECX] = ecx; ++ c->x86_capability[CPUID_8000_0001_EDX] = edx; + } + + if (c->extended_cpuid_level >= 0x80000007) { +-- +2.39.5 + diff --git a/queue-5.4/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch b/queue-5.4/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch new file mode 100644 index 0000000000..0ada530820 --- /dev/null +++ b/queue-5.4/x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch 
@@ -0,0 +1,47 @@ +From b6da33b669e70e124dd03e16fc1c290dd080fe1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 May 2025 17:06:33 +0000 +Subject: x86/mtrr: Check if fixed-range MTRRs exist in + mtrr_save_fixed_ranges() + +From: Jiaqing Zhao + +[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ] + +When suspending, save_processor_state() calls mtrr_save_fixed_ranges() +to save fixed-range MTRRs. + +On platforms without fixed-range MTRRs like the ACRN hypervisor which +has removed fixed-range MTRR emulation, accessing these MSRs will +trigger an unchecked MSR access error. Make sure fixed-range MTRRs are +supported before access to prevent such error. + +Since mtrr_state.have_fixed is only set when MTRRs are present and +enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is +unnecessary. + +Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending") +Signed-off-by: Jiaqing Zhao +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mtrr/generic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c +index 4ea906fe1c351..d15152126877b 100644 +--- a/arch/x86/kernel/cpu/mtrr/generic.c ++++ b/arch/x86/kernel/cpu/mtrr/generic.c +@@ -350,7 +350,7 @@ static void get_fixed_ranges(mtrr_type *frs) + + void mtrr_save_fixed_ranges(void *info) + { +- if (boot_cpu_has(X86_FEATURE_MTRR)) ++ if (mtrr_state.have_fixed) + get_fixed_ranges(mtrr_state.fixed_ranges); + } + +-- +2.39.5 +
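Review bot: in the rtw8822c.c hunk for rtw8822c_dpk_cal_coef1(), a failed check_hw_ready() is now logged, but the function still falls through to rtw_write8(rtwdev, 0x1b10, 0x0) and the rtw_write32_mask() on REG_NCTL0 as if calibration had completed. The function returns void, so no caller can react either. Given that the commit message says "Compile tested only", it would help to state in a comment why finishing the sequence is safe when the 0x2d9c poll never reads 0x55, or to leave the routine early on failure. Minor style point: the rtw_warn() format string has no trailing "\n", which kernel log messages conventionally carry.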
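Review bot: in the arch/x86/kernel/cpu/common.c hunk for get_cpu_cap(), the new comment says the max extended leaf must be in the 0x80000001-0x8000ffff range, but the mask test (eax & 0xffff0000) == 0x80000000 also accepts eax == 0x80000000 itself. That value is harmless because every later use compares with >= 0x80000001 or higher, yet the comment and the code differ by one value; either reword the comment to say that the upper 16 bits must equal 0x8000, or note that 0x80000000 alone enables no leaf. Since c->extended_cpuid_level can now be 0 on CPUs without an extended range, it is also worth confirming that consumers outside this hunk treat 0 as "no extended leaves" rather than expecting the raw EAX value.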
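Review bot: in the arch/x86/kernel/cpu/mtrr/generic.c hunk, mtrr_save_fixed_ranges() now depends on an invariant that is stated only in the commit message: mtrr_state.have_fixed is set only when MTRRs are present and enabled, which is why the boot_cpu_has(X86_FEATURE_MTRR) test could be dropped. A one-line comment above "if (mtrr_state.have_fixed)" recording that invariant would keep a later reader from re-adding the feature check or from calling get_fixed_ranges() on a platform without fixed-range MTRRs, the case the message describes as triggering an unchecked MSR access error.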