From: Greg Kroah-Hartman
Date: Mon, 24 Nov 2025 13:29:58 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ae25fc3087bb1a1e697f71d718729ec632fdf88b;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches added patches: be2net-pass-wrb_params-in-case-of-os2bmc.patch exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
---
diff --git a/queue-5.10/be2net-pass-wrb_params-in-case-of-os2bmc.patch b/queue-5.10/be2net-pass-wrb_params-in-case-of-os2bmc.patch
new file mode 100644
index 0000000000..3f414420bd
--- /dev/null
+++ b/queue-5.10/be2net-pass-wrb_params-in-case-of-os2bmc.patch
@@ -0,0 +1,60 @@
+From 7d277a7a58578dd62fd546ddaef459ec24ccae36 Mon Sep 17 00:00:00 2001
+From: Andrey Vatoropin
+Date: Wed, 19 Nov 2025 10:51:12 +0000
+Subject: be2net: pass wrb_params in case of OS2BMC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Vatoropin
+
+commit 7d277a7a58578dd62fd546ddaef459ec24ccae36 upstream.
+
+be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL
+at be_send_pkt_to_bmc() call site.  This may lead to dereferencing a NULL
+pointer when processing a workaround for specific packet, as commit
+bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6
+packet") states.
+
+The correct way would be to pass the wrb_params from be_xmit().
+
+Fixes: 760c295e0e8d ("be2net: Support for OS2BMC.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrey Vatoropin
+Link: https://patch.msgid.link/20251119105015.194501-1-a.vatoropin@crpt.ru
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1297,7 +1297,8 @@ static void be_xmit_flush(struct be_adap
+ (adapter->bmc_filt_mask & BMC_FILT_MULTICAST)
+
+ static bool be_send_pkt_to_bmc(struct be_adapter *adapter,
+- struct sk_buff **skb)
++ struct sk_buff **skb,
++ struct be_wrb_params *wrb_params)
+ {
+ struct ethhdr *eh = (struct ethhdr *)(*skb)->data;
+ bool os2bmc = false;
+@@ -1361,7 +1362,7 @@ done:
+ * to BMC, asic expects the vlan to be inline in the packet.
+ */
+ if (os2bmc)
+- *skb = be_insert_vlan_in_pkt(adapter, *skb, NULL);
++ *skb = be_insert_vlan_in_pkt(adapter, *skb, wrb_params);
+
+ return os2bmc;
+ }
+@@ -1388,7 +1389,7 @@ static netdev_tx_t be_xmit(struct sk_buf
+ /* if os2bmc is enabled and if the pkt is destined to bmc,
+ * enqueue the pkt a 2nd time with mgmt bit set.
+ */
+- if (be_send_pkt_to_bmc(adapter, &skb)) {
++ if (be_send_pkt_to_bmc(adapter, &skb, &wrb_params)) {
+ BE_WRB_F_SET(wrb_params.features, OS2BMC, 1);
+ wrb_cnt = be_xmit_enqueue(adapter, txo, skb, &wrb_params);
+ if (unlikely(!wrb_cnt))
diff --git a/queue-5.10/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch b/queue-5.10/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
new file mode 100644
index 0000000000..c4ca3ca1b3
--- /dev/null
+++ b/queue-5.10/exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
@@ -0,0 +1,37 @@
+From f2c1f631630e01821fe4c3fdf6077bc7a8284f82 Mon Sep 17 00:00:00 2001
+From: Yongpeng Yang
+Date: Tue, 4 Nov 2025 20:50:07 +0800
+Subject: exfat: check return value of sb_min_blocksize in exfat_read_boot_sector
+
+From: Yongpeng Yang
+
+commit f2c1f631630e01821fe4c3fdf6077bc7a8284f82 upstream.
+
+sb_min_blocksize() may return 0. Check its return value to avoid
+accessing the filesystem super block when sb->s_blocksize is 0.
+
+Cc: stable@vger.kernel.org # v6.15
+Fixes: 719c1e1829166d ("exfat: add super block operations")
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Yongpeng Yang
+Link: https://patch.msgid.link/20251104125009.2111925-3-yangyongpeng.storage@gmail.com
+Signed-off-by: Christian Brauner
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exfat/super.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/exfat/super.c
++++ b/fs/exfat/super.c
+@@ -416,7 +416,10 @@ static int exfat_read_boot_sector(struct
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+
+ /* set block size to read super block */
+- sb_min_blocksize(sb, 512);
++ if (!sb_min_blocksize(sb, 512)) {
++ exfat_err(sb, "unable to set blocksize");
++ return -EINVAL;
++ }
+
+ /* read boot sector */
+ sbi->boot_bh = sb_bread(sb, 0);
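Review bot: In the be2net patch, `*skb = be_insert_vlan_in_pkt(adapter, *skb, wrb_params);` stores the helper's result unchecked, and `be_send_pkt_to_bmc()` then returns `os2bmc`, so `be_xmit()` hands `skb` straight to the second `be_xmit_enqueue()` call. The helper's body is not in these hunks; if it can return NULL (for example when a copy of the skb cannot be allocated), the NULL dereference this patch removes for `wrb_params` is still reachable through `skb`. Worth confirming against the helper, and if so testing the pointer in `be_xmit()` before the second enqueue, e.g. `if (unlikely(!skb))` followed by the function's existing drop handling. Both functions start and end outside the hunks shown.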
diff --git a/queue-5.10/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch b/queue-5.10/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
new file mode 100644
index 0000000000..b49ca3bf34
--- /dev/null
+++ b/queue-5.10/hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
@@ -0,0 +1,70 @@
+From beab067dbcff642243291fd528355d64c41dc3b2 Mon Sep 17 00:00:00 2001
+From: Zhang Heng
+Date: Fri, 12 Sep 2025 20:38:18 +0800
+Subject: HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155
+
+From: Zhang Heng
+
+commit beab067dbcff642243291fd528355d64c41dc3b2 upstream.
+
+Based on available evidence, the USB ID 4c4a:4155 used by multiple
+devices has been attributed to Jieli. The commit 1a8953f4f774
+("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY") affected touchscreen
+functionality. Added checks for manufacturer and serial number to
+maintain microphone compatibility, enabling both devices to function
+properly.
+
+[jkosina@suse.com: edit shortlog]
+Fixes: 1a8953f4f774 ("HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY")
+Cc: stable@vger.kernel.org
+Tested-by: staffan.melin@oscillator.se
+Reviewed-by: Terry Junge
+Signed-off-by: Zhang Heng
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-ids.h | 4 ++--
+ drivers/hid/hid-quirks.c | 13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1365,7 +1365,7 @@
+ #define USB_VENDOR_ID_SIGNOTEC 0x2133
+ #define USB_DEVICE_ID_SIGNOTEC_VIEWSONIC_PD1011 0x0018
+
+-#define USB_VENDOR_ID_SMARTLINKTECHNOLOGY 0x4c4a
+-#define USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155 0x4155
++#define USB_VENDOR_ID_JIELI_SDK_DEFAULT 0x4c4a
++#define USB_DEVICE_ID_JIELI_SDK_4155 0x4155
+
+ #endif
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -876,7 +876,6 @@ static const struct hid_device_id hid_ig
+ #endif
+ { HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) },
+- { HID_USB_DEVICE(USB_VENDOR_ID_SMARTLINKTECHNOLOGY, USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155) },
+ { }
+ };
+
+@@ -1025,6 +1024,18 @@ bool hid_ignore(struct hid_device *hdev)
+ strlen(elan_acpi_id[i].id)))
+ return true;
+ break;
++ case USB_VENDOR_ID_JIELI_SDK_DEFAULT:
++ /*
++ * Multiple USB devices with identical IDs (mic & touchscreen).
++ * The touch screen requires hid core processing, but the
++ * microphone does not. They can be distinguished by manufacturer
++ * and serial number.
++ */
++ if (hdev->product == USB_DEVICE_ID_JIELI_SDK_4155 &&
++ strncmp(hdev->name, "SmartlinkTechnology", 19) == 0 &&
++ strncmp(hdev->uniq, "20201111000001", 14) == 0)
++ return true;
++ break;
+ }
+
+ if (hdev->type == HID_TYPE_USBMOUSE &&
diff --git a/queue-5.10/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch b/queue-5.10/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
new file mode 100644
index 0000000000..34190af67e
--- /dev/null
+++ b/queue-5.10/mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
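Review bot: In the `hid_ignore()` hunk of the hid-quirks patch, the lengths `19` and `14` are hand-counted copies of the two string literals, so a later edit to either string silently changes what gets matched. Because `strncmp()` with the literal's own length is a prefix test, the case also ignores any 4c4a:4155 device whose name merely begins with "SmartlinkTechnology" and whose serial begins with "20201111000001", and both strings are reported by the device itself. If a prefix match on `hdev->name` is intended (the comment speaks of the manufacturer), the comment should say so and the length should be derived, e.g. `strncmp(hdev->name, "SmartlinkTechnology", sizeof("SmartlinkTechnology") - 1) == 0`; for the serial an exact `strcmp(hdev->uniq, "20201111000001") == 0` looks closer to the stated intent. The enclosing switch starts outside the hunk.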
@@ -0,0 +1,174 @@
+From 9f048fa487409e364cf866c957cf0b0d782ca5a3 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki"
+Date: Thu, 13 Nov 2025 05:21:10 +0000
+Subject: MIPS: mm: Prevent a TLB shutdown on initial uniquification
+
+From: Maciej W. Rozycki
+
+commit 9f048fa487409e364cf866c957cf0b0d782ca5a3 upstream.
+
+Depending on the particular CPU implementation a TLB shutdown may occur
+if multiple matching entries are detected upon the execution of a TLBP
+or the TLBWI/TLBWR instructions. Given that we don't know what entries
+we have been handed we need to be very careful with the initial TLB
+setup and avoid all these instructions.
+
+Therefore read all the TLB entries one by one with the TLBR instruction,
+bypassing the content addressing logic, and truncate any large pages in
+place so as to avoid a case in the second step where an incoming entry
+for a large page at a lower address overlaps with a replacement entry
+chosen at another index. Then preinitialize the TLB using addresses
+outside our usual unique range and avoiding clashes with any entries
+received, before making the usual call to local_flush_tlb_all().
+
+This fixes (at least) R4x00 cores if TLBP hits multiple matching TLB
+entries (SGI IP22 PROM for examples sets up all TLBs to the same virtual
+address).
+
+Signed-off-by: Maciej W. Rozycki
+Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jiaxun Yang
+Tested-by: Jiaxun Yang # Boston I6400, M5150 sim
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/mips/mm/tlb-r4k.c | 102 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 64 insertions(+), 38 deletions(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -498,55 +499,79 @@ static int __init set_ntlb(char *str)
+
+ __setup("ntlb=", set_ntlb);
+
+-/* Initialise all TLB entries with unique values */
++
++/* Comparison function for EntryHi VPN fields. */
++static int r4k_vpn_cmp(const void *a, const void *b)
++{
++ long v = *(unsigned long *)a - *(unsigned long *)b;
++ int s = sizeof(long) > sizeof(int) ? sizeof(long) * 8 - 1: 0;
++ return s ? (v != 0) | v >> s : v;
++}
++
++/*
++ * Initialise all TLB entries with unique values that do not clash with
++ * what we have been handed over and what we'll be using ourselves.
++ */
+ static void r4k_tlb_uniquify(void)
+ {
+- int entry = num_wired_entries();
++ unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE];
++ int tlbsize = current_cpu_data.tlbsize;
++ int start = num_wired_entries();
++ unsigned long vpn_mask;
++ int cnt, ent, idx, i;
++
++ vpn_mask = GENMASK(cpu_vmbits - 1, 13);
++ vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31;
+
+ htw_stop();
+- write_c0_entrylo0(0);
+- write_c0_entrylo1(0);
+
+- while (entry < current_cpu_data.tlbsize) {
+- unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data);
+- unsigned long asid = 0;
+- int idx;
++ for (i = start, cnt = 0; i < tlbsize; i++, cnt++) {
++ unsigned long vpn;
+
+- /* Skip wired MMID to make ginvt_mmid work */
+- if (cpu_has_mmid)
+- asid = MMID_KERNEL_WIRED + 1;
++ write_c0_index(i);
++ mtc0_tlbr_hazard();
++ tlb_read();
++ tlb_read_hazard();
++ vpn = read_c0_entryhi();
++ vpn &= vpn_mask & PAGE_MASK;
++ tlb_vpns[cnt] = vpn;
+
+- /* Check for match before using UNIQUE_ENTRYHI */
+- do {
+- if (cpu_has_mmid) {
+- write_c0_memorymapid(asid);
+- write_c0_entryhi(UNIQUE_ENTRYHI(entry));
+- } else {
+- write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid);
+- }
+- mtc0_tlbw_hazard();
+- tlb_probe();
+- tlb_probe_hazard();
+- idx = read_c0_index();
+- /* No match or match is on current entry */
+- if (idx < 0 || idx == entry)
+- break;
+- /*
+- * If we hit a match, we need to try again with
+- * a different ASID.
+- */
+- asid++;
+- } while (asid < asid_mask);
+-
+- if (idx >= 0 && idx != entry)
+- panic("Unable to uniquify TLB entry %d", idx);
+-
+- write_c0_index(entry);
++ /* Prevent any large pages from overlapping regular ones. */
++ write_c0_pagemask(read_c0_pagemask() & PM_DEFAULT_MASK);
+ mtc0_tlbw_hazard();
+ tlb_write_indexed();
+- entry++;
++ tlbw_use_hazard();
+ }
+
++ sort(tlb_vpns, cnt, sizeof(tlb_vpns[0]), r4k_vpn_cmp, NULL);
++
++ write_c0_pagemask(PM_DEFAULT_MASK);
++ write_c0_entrylo0(0);
++ write_c0_entrylo1(0);
++
++ idx = 0;
++ ent = tlbsize;
++ for (i = start; i < tlbsize; i++)
++ while (1) {
++ unsigned long entryhi, vpn;
++
++ entryhi = UNIQUE_ENTRYHI(ent);
++ vpn = entryhi & vpn_mask & PAGE_MASK;
++
++ if (idx >= cnt || vpn < tlb_vpns[idx]) {
++ write_c0_entryhi(entryhi);
++ write_c0_index(i);
++ mtc0_tlbw_hazard();
++ tlb_write_indexed();
++ ent++;
++ break;
++ } else if (vpn == tlb_vpns[idx]) {
++ ent++;
++ } else {
++ idx++;
++ }
++ }
++
+ tlbw_use_hazard();
+ htw_start();
+ flush_micro_tlb();
+@@ -592,6 +617,7 @@ static void r4k_tlb_configure(void)
+
+ /* From this point on the ARC firmware is dead. */
+ r4k_tlb_uniquify();
++ local_flush_tlb_all();
+
+ /* Did I tell you that ARC SUCKS? */
+ }
diff --git a/queue-5.10/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch b/queue-5.10/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
new file mode 100644
index 0000000000..3177683acf
--- /dev/null
+++ b/queue-5.10/mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
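Review bot: In `r4k_tlb_uniquify()` the stack array `tlb_vpns` has `1 << MIPS_CONF1_TLBS_SIZE` entries, but the first loop stores `tlb_vpns[cnt]` for every index from `start` up to `current_cpu_data.tlbsize` with no check against the array length. Nothing in the hunk shows that `tlbsize - start` is bounded by that constant, so if a CPU reports a larger TLB the loop writes past the array on the early boot stack. The buffer should be sized from `tlbsize` rather than the constant, or the function should fail loudly before `htw_stop()`, e.g. `BUG_ON(tlbsize - start > ARRAY_SIZE(tlb_vpns));`. Separately, `r4k_vpn_cmp()` orders by the sign of an unsigned difference held in a `long`, which is not a consistent order once two VPNs differ by more than LONG_MAX, while the merge loop compares with an unsigned `vpn < tlb_vpns[idx]`; reading both values as `const unsigned long` and returning `(x > y) - (x < y)` keeps the two in agreement and avoids casting away `const`.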
@@ -0,0 +1,43 @@
+From 5c56bf214af85ca042bf97f8584aab2151035840 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara
+Date: Thu, 23 Oct 2025 11:32:01 +0800
+Subject: mtd: rawnand: cadence: fix DMA device NULL pointer dereference
+
+From: Niravkumar L Rabara
+
+commit 5c56bf214af85ca042bf97f8584aab2151035840 upstream.
+
+The DMA device pointer `dma_dev` was being dereferenced before ensuring
+that `cdns_ctrl->dmac` is properly initialized.
+
+Move the assignment of `dma_dev` after successfully acquiring the DMA
+channel to ensure the pointer is valid before use.
+
+Fixes: d76d22b5096c ("mtd: rawnand: cadence: use dma_map_resource for sdma address")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara
+Signed-off-by: Miquel Raynal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -2833,7 +2833,7 @@ cadence_nand_irq_cleanup(int irqnum, str
+ static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl)
+ {
+ dma_cap_mask_t mask;
+- struct dma_device *dma_dev = cdns_ctrl->dmac->device;
++ struct dma_device *dma_dev;
+ int ret;
+
+ cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev,
+@@ -2877,6 +2877,7 @@ static int cadence_nand_init(struct cdns
+ }
+ }
+
++ dma_dev = cdns_ctrl->dmac->device;
+ cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
+ cdns_ctrl->io.size,
+ DMA_BIDIRECTIONAL, 0);
diff --git a/queue-5.10/series b/queue-5.10/series
index 1d23a66c05..3c50a682b2 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
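Review bot: In the second `cadence_nand_init()` hunk of the cadence patch, the new `dma_dev = cdns_ctrl->dmac->device;` follows two closing braces, which suggests the DMA channel request above it sits inside a conditional block that the hunk does not show. If that block can be skipped, `cdns_ctrl->dmac` may still be NULL at this line and the dereference the patch sets out to remove stays reachable on that path. Worth confirming against the full function; if so, the assignment needs a guard such as `if (cdns_ctrl->dmac)` together with a decision on which device `dma_map_resource()` should use when no channel was requested. The function starts and ends outside both hunks.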
@@ -212,3 +212,8 @@ spi-try-to-get-acpi-gpio-irq-earlier.patch
 edac-altera-handle-ocram-ecc-enable-after-warm-reset.patch
 edac-altera-use-inttest-register-for-ethernet-and-usb-sbe-injection.patch
 isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
+hid-quirks-work-around-vid-pid-conflict-for-0x4c4a-0x4155.patch
+mtd-rawnand-cadence-fix-dma-device-null-pointer-dereference.patch
+exfat-check-return-value-of-sb_min_blocksize-in-exfat_read_boot_sector.patch
+mips-mm-prevent-a-tlb-shutdown-on-initial-uniquification.patch
+be2net-pass-wrb_params-in-case-of-os2bmc.patch