From: Sasha Levin Date: Sun, 2 Feb 2025 04:05:22 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v6.6.76~71 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=afb13951b8fcd68f95e01283e49b07562f0c3029;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/acpi-fan-cleanup-resources-in-the-error-path-of-.pro.patch b/queue-5.10/acpi-fan-cleanup-resources-in-the-error-path-of-.pro.patch new file mode 100644 index 0000000000..739a072369 --- /dev/null +++ b/queue-5.10/acpi-fan-cleanup-resources-in-the-error-path-of-.pro.patch @@ -0,0 +1,59 @@ +From a2e94ebe03eeb6456acfac338a867fdf06de1a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 12:28:12 +0900 +Subject: ACPI: fan: cleanup resources in the error path of .probe() + +From: Joe Hattori + +[ Upstream commit c759bc8e9046f9812238f506d70f07d3ea4206d4 ] + +Call thermal_cooling_device_unregister() and sysfs_remove_link() in the +error path of acpi_fan_probe() to fix possible memory leak. + +This bug was found by an experimental static analysis tool that I am +developing. + +Fixes: 05a83d972293 ("ACPI: register ACPI Fan as generic thermal cooling device") +Signed-off-by: Joe Hattori +Link: https://patch.msgid.link/20241211032812.210164-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/fan.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/fan.c b/drivers/acpi/fan.c +index 5cd0ceb50bc8a..936429e81d8c8 100644 +--- a/drivers/acpi/fan.c ++++ b/drivers/acpi/fan.c +@@ -423,19 +423,25 @@ static int acpi_fan_probe(struct platform_device *pdev) + result = sysfs_create_link(&pdev->dev.kobj, + &cdev->device.kobj, + "thermal_cooling"); +- if (result) ++ if (result) { + dev_err(&pdev->dev, "Failed to create sysfs link 'thermal_cooling'\n"); ++ goto err_unregister; ++ } + + result = sysfs_create_link(&cdev->device.kobj, + &pdev->dev.kobj, + "device"); + if (result) { + dev_err(&pdev->dev, "Failed to create sysfs link 'device'\n"); +- goto err_end; ++ goto err_remove_link; + } + + return 0; + ++err_remove_link: ++ sysfs_remove_link(&pdev->dev.kobj, "thermal_cooling"); ++err_unregister: ++ thermal_cooling_device_unregister(cdev); + err_end: + if (fan->acpi4) { + int i; +-- +2.39.5 + diff --git a/queue-5.10/afs-fix-directory-format-encoding-struct.patch b/queue-5.10/afs-fix-directory-format-encoding-struct.patch new file mode 100644 index 0000000000..b8a58d0bf1 --- /dev/null +++ b/queue-5.10/afs-fix-directory-format-encoding-struct.patch @@ -0,0 +1,45 @@ +From 4cee02a61c80084b061f6891b5d8fd63104b210d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2024 20:41:03 +0000 +Subject: afs: Fix directory format encoding struct + +From: David Howells + +[ Upstream commit 07a10767853adcbdbf436dc91393b729b52c4e81 ] + +The AFS directory format structure, union afs_xdr_dir_block::meta, has too +many alloc counter slots declared and so pushes the hash table along and +over the data. This doesn't cause a problem at the moment because I'm +currently ignoring the hash table and only using the correct number of +alloc_ctrs in the code anyway. In future, however, I should start using +the hash table to try and speed up afs_lookup(). + +Fix this by using the correct constant to declare the counter array. + +Fixes: 4ea219a839bf ("afs: Split the directory content defs into a header") +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20241216204124.3752367-14-dhowells@redhat.com +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/xdr_fs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/afs/xdr_fs.h b/fs/afs/xdr_fs.h +index 94f1f398eefad..cccc8e74f49b0 100644 +--- a/fs/afs/xdr_fs.h ++++ b/fs/afs/xdr_fs.h +@@ -82,7 +82,7 @@ union afs_xdr_dir_block { + + struct { + struct afs_xdr_dir_hdr hdr; +- u8 alloc_ctrs[AFS_DIR_MAX_BLOCKS]; ++ u8 alloc_ctrs[AFS_DIR_BLOCKS_WITH_CTR]; + __be16 hashtable[AFS_DIR_HASHTBL_SIZE]; + } meta; + +-- +2.39.5 + diff --git a/queue-5.10/afs-fix-eexist-error-returned-from-afs_rmdir-to-be-e.patch b/queue-5.10/afs-fix-eexist-error-returned-from-afs_rmdir-to-be-e.patch new file mode 100644 index 0000000000..39c5816b4a --- /dev/null +++ b/queue-5.10/afs-fix-eexist-error-returned-from-afs_rmdir-to-be-e.patch @@ -0,0 +1,48 @@ +From ec95583420815d31901158dff847f2f4923cf487 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2024 20:41:02 +0000 +Subject: afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY + +From: David Howells + +[ Upstream commit b49194da2aff2c879dec9c59ef8dec0f2b0809ef ] + +AFS servers pass back a code indicating EEXIST when they're asked to remove +a directory that is not empty rather than ENOTEMPTY because not all the +systems that an AFS server can run on have the latter error available and +AFS preexisted the addition of that error in general. + +Fix afs_rmdir() to translate EEXIST to ENOTEMPTY. + +Fixes: 260a980317da ("[AFS]: Add "directory write" support.") +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/20241216204124.3752367-13-dhowells@redhat.com +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/dir.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/afs/dir.c b/fs/afs/dir.c +index a59d6293a32b2..c3c870416f1b7 100644 +--- a/fs/afs/dir.c ++++ b/fs/afs/dir.c +@@ -1412,7 +1412,12 @@ static int afs_rmdir(struct inode *dir, struct dentry *dentry) + op->file[1].vnode = vnode; + } + +- return afs_do_sync_operation(op); ++ ret = afs_do_sync_operation(op); ++ ++ /* Not all systems that can host afs servers have ENOTEMPTY. */ ++ if (ret == -EEXIST) ++ ret = -ENOTEMPTY; ++ return ret; + + error: + return afs_put_operation(op); +-- +2.39.5 + diff --git a/queue-5.10/afs-fix-the-fallback-handling-for-the-yfs.removefile.patch b/queue-5.10/afs-fix-the-fallback-handling-for-the-yfs.removefile.patch new file mode 100644 index 0000000000..b50039a82d --- /dev/null +++ b/queue-5.10/afs-fix-the-fallback-handling-for-the-yfs.removefile.patch @@ -0,0 +1,48 @@ +From 7bd9e65c36804512fb445509e654e5ca9bd1d8e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2025 14:46:03 +0000 +Subject: afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call + +From: David Howells + +[ Upstream commit e30458d690f35abb01de8b3cbc09285deb725d00 ] + +Fix a pair of bugs in the fallback handling for the YFS.RemoveFile2 RPC +call: + + (1) Fix the abort code check to also look for RXGEN_OPCODE. The lack of + this masks the second bug. + + (2) call->server is now not used for ordinary filesystem RPC calls that + have an operation descriptor. Fix to use call->op->server instead. + +Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept") +Signed-off-by: David Howells +Link: https://lore.kernel.org/r/109541.1736865963@warthog.procyon.org.uk +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/afs/yfsclient.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c +index 5b2ef5ffd716f..171de355a7e58 100644 +--- a/fs/afs/yfsclient.c ++++ b/fs/afs/yfsclient.c +@@ -689,8 +689,9 @@ static int yfs_deliver_fs_remove_file2(struct afs_call *call) + static void yfs_done_fs_remove_file2(struct afs_call *call) + { + if (call->error == -ECONNABORTED && +- call->abort_code == RX_INVALID_OPERATION) { +- set_bit(AFS_SERVER_FL_NO_RM2, &call->server->flags); ++ (call->abort_code == RX_INVALID_OPERATION || ++ call->abort_code == RXGEN_OPCODE)) { ++ set_bit(AFS_SERVER_FL_NO_RM2, &call->op->server->flags); + call->op->flags |= AFS_OPERATION_DOWNGRADE; + } + } +-- +2.39.5 + diff --git a/queue-5.10/arm-dts-mediatek-mt7623-fix-ir-nodename.patch b/queue-5.10/arm-dts-mediatek-mt7623-fix-ir-nodename.patch new file mode 100644 index 0000000000..3c45b90f54 --- /dev/null +++ b/queue-5.10/arm-dts-mediatek-mt7623-fix-ir-nodename.patch @@ -0,0 +1,42 @@ +From e0136a7b13d82861e9b5c1ac6e489c55a17bbf35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jun 2024 11:46:33 +0200 +Subject: ARM: dts: mediatek: mt7623: fix IR nodename +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 90234cf9b37c57201a24b78c217a91a8af774109 ] + +Fix following validation error: +arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: cir@10013000: $nodename:0: 'cir@10013000' does not match '^ir(-receiver)?(@[a-f0-9]+)?$' + from schema $id: http://devicetree.org/schemas/media/mediatek,mt7622-cir.yaml# + +Fixes: 91044f38dae7 ("arm: dts: mt7623: add ir nodes to the mt7623.dtsi file") +Cc: linux-media@vger.kernel.org +Signed-off-by: Rafał Miłecki +Link: https://lore.kernel.org/r/20240617094634.23173-1-zajec5@gmail.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/mt7623.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/mt7623.dtsi b/arch/arm/boot/dts/mt7623.dtsi +index aea6809500d74..c267fc1f83579 100644 +--- a/arch/arm/boot/dts/mt7623.dtsi ++++ b/arch/arm/boot/dts/mt7623.dtsi +@@ -309,7 +309,7 @@ + clock-names = "spi", "wrap"; + }; + +- cir: cir@10013000 { ++ cir: ir-receiver@10013000 { + compatible = "mediatek,mt7623-cir"; + reg = <0 0x10013000 0 0x1000>; + interrupts = ; +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-mediatek-mt8173-elm-drop-regulator-compati.patch b/queue-5.10/arm64-dts-mediatek-mt8173-elm-drop-regulator-compati.patch new file mode 100644 index 0000000000..91bc4b07b2 --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt8173-elm-drop-regulator-compati.patch @@ -0,0 +1,213 @@ +From e409ef2d8bc1754aef29809501a733f853d2cc6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 13:24:21 +0800 +Subject: arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property + +From: Chen-Yu Tsai + +[ Upstream commit 4b907b3ea5fba240808136cc5599d14b52230b39 ] + +The "regulator-compatible" property has been deprecated since 2012 in +commit 13511def87b9 ("regulator: deprecate regulator-compatible DT +property"), which is so old it's not even mentioned in the converted +regulator bindings YAML file. It is also not listed in the MT6397 +regulator bindings. Having them present produces a whole bunch of +validation errors: + + Unevaluated properties are not allowed ('regulator-compatible' was unexpected) + +Drop the "regulator-compatible" property from the board dts. The +property values are the same as the node name, so everything should +continue to work. + +Fixes: 689b937bedde ("arm64: dts: mediatek: add mt8173 elm and hana board") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20241211052427.4178367-4-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 23 -------------------- + 1 file changed, 23 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi +index 44a0346133cde..908b87735819e 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi +@@ -921,7 +921,6 @@ + compatible = "mediatek,mt6397-regulator"; + + mt6397_vpca15_reg: buck_vpca15 { +- regulator-compatible = "buck_vpca15"; + regulator-name = "vpca15"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -931,7 +930,6 @@ + }; + + mt6397_vpca7_reg: buck_vpca7 { +- regulator-compatible = "buck_vpca7"; + regulator-name = "vpca7"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -941,7 +939,6 @@ + }; + + mt6397_vsramca15_reg: buck_vsramca15 { +- regulator-compatible = "buck_vsramca15"; + regulator-name = "vsramca15"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -950,7 +947,6 @@ + }; + + mt6397_vsramca7_reg: buck_vsramca7 { +- regulator-compatible = "buck_vsramca7"; + regulator-name = "vsramca7"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -959,7 +955,6 @@ + }; + + mt6397_vcore_reg: buck_vcore { +- regulator-compatible = "buck_vcore"; + regulator-name = "vcore"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -968,7 +963,6 @@ + }; + + mt6397_vgpu_reg: buck_vgpu { +- regulator-compatible = "buck_vgpu"; + regulator-name = "vgpu"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -977,7 +971,6 @@ + }; + + mt6397_vdrm_reg: buck_vdrm { +- regulator-compatible = "buck_vdrm"; + regulator-name = "vdrm"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1400000>; +@@ -986,7 +979,6 @@ + }; + + mt6397_vio18_reg: buck_vio18 { +- regulator-compatible = "buck_vio18"; + regulator-name = "vio18"; + regulator-min-microvolt = <1620000>; + regulator-max-microvolt = <1980000>; +@@ -995,18 +987,15 @@ + }; + + mt6397_vtcxo_reg: ldo_vtcxo { +- regulator-compatible = "ldo_vtcxo"; + regulator-name = "vtcxo"; + regulator-always-on; + }; + + mt6397_va28_reg: ldo_va28 { +- regulator-compatible = "ldo_va28"; + regulator-name = "va28"; + }; + + mt6397_vcama_reg: ldo_vcama { +- regulator-compatible = "ldo_vcama"; + regulator-name = "vcama"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; +@@ -1014,18 +1003,15 @@ + }; + + mt6397_vio28_reg: ldo_vio28 { +- regulator-compatible = "ldo_vio28"; + regulator-name = "vio28"; + regulator-always-on; + }; + + mt6397_vusb_reg: ldo_vusb { +- regulator-compatible = "ldo_vusb"; + regulator-name = "vusb"; + }; + + mt6397_vmc_reg: ldo_vmc { +- regulator-compatible = "ldo_vmc"; + regulator-name = "vmc"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <3300000>; +@@ -1033,7 +1019,6 @@ + }; + + mt6397_vmch_reg: ldo_vmch { +- regulator-compatible = "ldo_vmch"; + regulator-name = "vmch"; + regulator-min-microvolt = <3000000>; + regulator-max-microvolt = <3300000>; +@@ -1041,7 +1026,6 @@ + }; + + mt6397_vemc_3v3_reg: ldo_vemc3v3 { +- regulator-compatible = "ldo_vemc3v3"; + regulator-name = "vemc_3v3"; + regulator-min-microvolt = <3000000>; + regulator-max-microvolt = <3300000>; +@@ -1049,7 +1033,6 @@ + }; + + mt6397_vgp1_reg: ldo_vgp1 { +- regulator-compatible = "ldo_vgp1"; + regulator-name = "vcamd"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; +@@ -1057,7 +1040,6 @@ + }; + + mt6397_vgp2_reg: ldo_vgp2 { +- regulator-compatible = "ldo_vgp2"; + regulator-name = "vcamio"; + regulator-min-microvolt = <3300000>; + regulator-max-microvolt = <3300000>; +@@ -1065,7 +1047,6 @@ + }; + + mt6397_vgp3_reg: ldo_vgp3 { +- regulator-compatible = "ldo_vgp3"; + regulator-name = "vcamaf"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; +@@ -1073,7 +1054,6 @@ + }; + + mt6397_vgp4_reg: ldo_vgp4 { +- regulator-compatible = "ldo_vgp4"; + regulator-name = "vgp4"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <3300000>; +@@ -1081,7 +1061,6 @@ + }; + + mt6397_vgp5_reg: ldo_vgp5 { +- regulator-compatible = "ldo_vgp5"; + regulator-name = "vgp5"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <3000000>; +@@ -1089,7 +1068,6 @@ + }; + + mt6397_vgp6_reg: ldo_vgp6 { +- regulator-compatible = "ldo_vgp6"; + regulator-name = "vgp6"; + regulator-min-microvolt = <3300000>; + regulator-max-microvolt = <3300000>; +@@ -1098,7 +1076,6 @@ + }; + + mt6397_vibr_reg: ldo_vibr { +- regulator-compatible = "ldo_vibr"; + regulator-name = "vibr"; + regulator-min-microvolt = <1300000>; + regulator-max-microvolt = <3300000>; +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-mediatek-mt8173-elm-fix-mt6397-pmic-sub-no.patch b/queue-5.10/arm64-dts-mediatek-mt8173-elm-fix-mt6397-pmic-sub-no.patch new file mode 100644 index 0000000000..23090991bd --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt8173-elm-fix-mt6397-pmic-sub-no.patch @@ -0,0 +1,58 @@ +From c87f06a9150d3942e508c9651aa1ea70996e4221 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 17:26:12 +0800 +Subject: arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names + +From: Chen-Yu Tsai + +[ Upstream commit beb06b727194f68b0a4b5183e50c88265ce185af ] + +The MT6397 PMIC bindings specify exact names for its sub-nodes. The +names used in the current dts don't match, causing a validation error. + +Fix up the names. Also drop the label for the regulators node, since +any reference should be against the individual regulator sub-nodes. + +Fixes: 689b937bedde ("arm64: dts: mediatek: add mt8173 elm and hana board") +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20241210092614.3951748-1-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi +index 908b87735819e..3eeeb1b8dbad1 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi +@@ -905,7 +905,7 @@ + interrupt-controller; + #interrupt-cells = <2>; + +- clock: mt6397clock { ++ clock: clocks { + compatible = "mediatek,mt6397-clk"; + #clock-cells = <1>; + }; +@@ -917,7 +917,7 @@ + #gpio-cells = <2>; + }; + +- regulator: mt6397regulator { ++ regulators { + compatible = "mediatek,mt6397-regulator"; + + mt6397_vpca15_reg: buck_vpca15 { +@@ -1083,7 +1083,7 @@ + }; + }; + +- rtc: mt6397rtc { ++ rtc: rtc { + compatible = "mediatek,mt6397-rtc"; + }; + +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-mediatek-mt8173-evb-drop-regulator-compati.patch b/queue-5.10/arm64-dts-mediatek-mt8173-evb-drop-regulator-compati.patch new file mode 100644 index 0000000000..691ea99ed6 --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt8173-evb-drop-regulator-compati.patch @@ -0,0 +1,214 @@ +From c7dabe62ef8a452fe1feeb1686286a162eba8af9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 13:24:20 +0800 +Subject: arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property + +From: Chen-Yu Tsai + +[ Upstream commit a6d5983e40f5d5b219337569cdd269727f5a3e2e ] + +The "regulator-compatible" property has been deprecated since 2012 in +commit 13511def87b9 ("regulator: deprecate regulator-compatible DT +property"), which is so old it's not even mentioned in the converted +regulator bindings YAML file. It is also not listed in the MT6397 +regulator bindings. Having them present produces a whole bunch of +validation errors: + + Unevaluated properties are not allowed ('regulator-compatible' was unexpected) + +Drop the "regulator-compatible" property from the board dts. The +property values are the same as the node name, so everything should +continue to work. + +Fixes: 16ea61fc5614 ("arm64: dts: mt8173-evb: Add PMIC support") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20241211052427.4178367-3-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 23 --------------------- + 1 file changed, 23 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts +index 2b66afcf026e1..66f0e5b24fda4 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts ++++ b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts +@@ -307,7 +307,6 @@ + compatible = "mediatek,mt6397-regulator"; + + mt6397_vpca15_reg: buck_vpca15 { +- regulator-compatible = "buck_vpca15"; + regulator-name = "vpca15"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -316,7 +315,6 @@ + }; + + mt6397_vpca7_reg: buck_vpca7 { +- regulator-compatible = "buck_vpca7"; + regulator-name = "vpca7"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -325,7 +323,6 @@ + }; + + mt6397_vsramca15_reg: buck_vsramca15 { +- regulator-compatible = "buck_vsramca15"; + regulator-name = "vsramca15"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -334,7 +331,6 @@ + }; + + mt6397_vsramca7_reg: buck_vsramca7 { +- regulator-compatible = "buck_vsramca7"; + regulator-name = "vsramca7"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -343,7 +339,6 @@ + }; + + mt6397_vcore_reg: buck_vcore { +- regulator-compatible = "buck_vcore"; + regulator-name = "vcore"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -352,7 +347,6 @@ + }; + + mt6397_vgpu_reg: buck_vgpu { +- regulator-compatible = "buck_vgpu"; + regulator-name = "vgpu"; + regulator-min-microvolt = < 700000>; + regulator-max-microvolt = <1350000>; +@@ -361,7 +355,6 @@ + }; + + mt6397_vdrm_reg: buck_vdrm { +- regulator-compatible = "buck_vdrm"; + regulator-name = "vdrm"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1400000>; +@@ -370,7 +363,6 @@ + }; + + mt6397_vio18_reg: buck_vio18 { +- regulator-compatible = "buck_vio18"; + regulator-name = "vio18"; + regulator-min-microvolt = <1620000>; + regulator-max-microvolt = <1980000>; +@@ -379,19 +371,16 @@ + }; + + mt6397_vtcxo_reg: ldo_vtcxo { +- regulator-compatible = "ldo_vtcxo"; + regulator-name = "vtcxo"; + regulator-always-on; + }; + + mt6397_va28_reg: ldo_va28 { +- regulator-compatible = "ldo_va28"; + regulator-name = "va28"; + regulator-always-on; + }; + + mt6397_vcama_reg: ldo_vcama { +- regulator-compatible = "ldo_vcama"; + regulator-name = "vcama"; + regulator-min-microvolt = <1500000>; + regulator-max-microvolt = <2800000>; +@@ -399,18 +388,15 @@ + }; + + mt6397_vio28_reg: ldo_vio28 { +- regulator-compatible = "ldo_vio28"; + regulator-name = "vio28"; + regulator-always-on; + }; + + mt6397_vusb_reg: ldo_vusb { +- regulator-compatible = "ldo_vusb"; + regulator-name = "vusb"; + }; + + mt6397_vmc_reg: ldo_vmc { +- regulator-compatible = "ldo_vmc"; + regulator-name = "vmc"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <3300000>; +@@ -418,7 +404,6 @@ + }; + + mt6397_vmch_reg: ldo_vmch { +- regulator-compatible = "ldo_vmch"; + regulator-name = "vmch"; + regulator-min-microvolt = <3000000>; + regulator-max-microvolt = <3300000>; +@@ -426,7 +411,6 @@ + }; + + mt6397_vemc_3v3_reg: ldo_vemc3v3 { +- regulator-compatible = "ldo_vemc3v3"; + regulator-name = "vemc_3v3"; + regulator-min-microvolt = <3000000>; + regulator-max-microvolt = <3300000>; +@@ -434,7 +418,6 @@ + }; + + mt6397_vgp1_reg: ldo_vgp1 { +- regulator-compatible = "ldo_vgp1"; + regulator-name = "vcamd"; + regulator-min-microvolt = <1220000>; + regulator-max-microvolt = <3300000>; +@@ -442,7 +425,6 @@ + }; + + mt6397_vgp2_reg: ldo_vgp2 { +- regulator-compatible = "ldo_vgp2"; + regulator-name = "vcamio"; + regulator-min-microvolt = <1000000>; + regulator-max-microvolt = <3300000>; +@@ -450,7 +432,6 @@ + }; + + mt6397_vgp3_reg: ldo_vgp3 { +- regulator-compatible = "ldo_vgp3"; + regulator-name = "vcamaf"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <3300000>; +@@ -458,7 +439,6 @@ + }; + + mt6397_vgp4_reg: ldo_vgp4 { +- regulator-compatible = "ldo_vgp4"; + regulator-name = "vgp4"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <3300000>; +@@ -466,7 +446,6 @@ + }; + + mt6397_vgp5_reg: ldo_vgp5 { +- regulator-compatible = "ldo_vgp5"; + regulator-name = "vgp5"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <3000000>; +@@ -474,7 +453,6 @@ + }; + + mt6397_vgp6_reg: ldo_vgp6 { +- regulator-compatible = "ldo_vgp6"; + regulator-name = "vgp6"; + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <3300000>; +@@ -482,7 +460,6 @@ + }; + + mt6397_vibr_reg: ldo_vibr { +- regulator-compatible = "ldo_vibr"; + regulator-name = "vibr"; + regulator-min-microvolt = <1300000>; + regulator-max-microvolt = <3300000>; +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-mediatek-mt8173-evb-fix-mt6397-pmic-sub-no.patch b/queue-5.10/arm64-dts-mediatek-mt8173-evb-fix-mt6397-pmic-sub-no.patch new file mode 100644 index 0000000000..39390f7d80 --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt8173-evb-fix-mt6397-pmic-sub-no.patch @@ -0,0 +1,40 @@ +From 49acb4c2790a647ac80e80f2b680f0de5aabe0fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 17:26:13 +0800 +Subject: arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names + +From: Chen-Yu Tsai + +[ Upstream commit 9545ba142865b9099d43c972b9ebcf463606499a ] + +The MT6397 PMIC bindings specify exact names for its sub-nodes. The +names used in the current dts don't match, causing a validation error. + +Fix up the names. Also drop the label for the regulators node, since +any reference should be against the individual regulator sub-nodes. + +Fixes: 16ea61fc5614 ("arm64: dts: mt8173-evb: Add PMIC support") +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20241210092614.3951748-2-wenst@chromium.org +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts +index 66f0e5b24fda4..1158bee050e13 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts ++++ b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts +@@ -303,7 +303,7 @@ + interrupt-controller; + #interrupt-cells = <2>; + +- mt6397regulator: mt6397regulator { ++ regulators { + compatible = "mediatek,mt6397-regulator"; + + mt6397_vpca15_reg: buck_vpca15 { +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-mediatek-mt8516-add-i2c-clock-div-property.patch b/queue-5.10/arm64-dts-mediatek-mt8516-add-i2c-clock-div-property.patch new file mode 100644 index 0000000000..4b461c02c1 --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt8516-add-i2c-clock-div-property.patch @@ -0,0 +1,74 @@ +From 1efba1caacea0a6e58983403ae43a99b0d03c837 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 16:05:06 -0300 +Subject: arm64: dts: mediatek: mt8516: add i2c clock-div property + +From: Val Packett + +[ Upstream commit eb72341fd92b7af510d236e5a8554d855ed38d3c ] + +Move the clock-div property from the pumpkin board dtsi to the SoC's +since it belongs to the SoC itself and is required on other devices. + +Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516") +Signed-off-by: Val Packett +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20241204190524.21862-4-val@packett.cool +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8516.dtsi | 3 +++ + arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 2 -- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +index 5163dda398d56..383ae46891ec2 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +@@ -308,6 +308,7 @@ + reg = <0 0x11009000 0 0x90>, + <0 0x11000180 0 0x80>; + interrupts = ; ++ clock-div = <2>; + clocks = <&topckgen CLK_TOP_I2C0>, + <&topckgen CLK_TOP_APDMA>; + clock-names = "main", "dma"; +@@ -322,6 +323,7 @@ + reg = <0 0x1100a000 0 0x90>, + <0 0x11000200 0 0x80>; + interrupts = ; ++ clock-div = <2>; + clocks = <&topckgen CLK_TOP_I2C1>, + <&topckgen CLK_TOP_APDMA>; + clock-names = "main", "dma"; +@@ -336,6 +338,7 @@ + reg = <0 0x1100b000 0 0x90>, + <0 0x11000280 0 0x80>; + interrupts = ; ++ clock-div = <2>; + clocks = <&topckgen CLK_TOP_I2C2>, + <&topckgen CLK_TOP_APDMA>; + clock-names = "main", "dma"; +diff --git a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi +index d5059735c5940..e5e3a3969145b 100644 +--- a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi ++++ b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi +@@ -48,7 +48,6 @@ + }; + + &i2c0 { +- clock-div = <2>; + pinctrl-names = "default"; + pinctrl-0 = <&i2c0_pins_a>; + status = "okay"; +@@ -157,7 +156,6 @@ + }; + + &i2c2 { +- clock-div = <2>; + pinctrl-names = "default"; + pinctrl-0 = <&i2c2_pins_a>; + status = "okay"; +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-mediatek-mt8516-fix-gicv2-range.patch b/queue-5.10/arm64-dts-mediatek-mt8516-fix-gicv2-range.patch new file mode 100644 index 0000000000..a5f7d06c68 --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt8516-fix-gicv2-range.patch @@ -0,0 +1,44 @@ +From f364bfb82cb6bedb8d47d14cfb55a501e8b97033 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 16:05:04 -0300 +Subject: arm64: dts: mediatek: mt8516: fix GICv2 range + +From: Val Packett + +[ Upstream commit e3ee31e4409f051c021a30122f3c470f093a7386 ] + +On the MT8167 which is based on the MT8516 DTS, the following error +was appearing on boot, breaking interrupt operation: + +GICv2 detected, but range too small and irqchip.gicv2_force_probe not set + +Similar to what's been proposed for MT7622 which has the same issue, +fix by using the range reported by force_probe. + +Link: https://lore.kernel.org/all/YmhNSLgp%2Fyg8Vr1F@makrotopia.org/ +Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516") +Signed-off-by: Val Packett +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20241204190524.21862-2-val@packett.cool +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8516.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +index 89af661e7f631..6d2804065ca89 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +@@ -262,7 +262,7 @@ + interrupt-parent = <&gic>; + interrupt-controller; + reg = <0 0x10310000 0 0x1000>, +- <0 0x10320000 0 0x1000>, ++ <0 0x1032f000 0 0x2000>, + <0 0x10340000 0 0x2000>, + <0 0x10360000 0 0x2000>; + interrupts = +Date: Wed, 4 Dec 2024 16:05:05 -0300 +Subject: arm64: dts: mediatek: mt8516: fix wdt irq type + +From: Val Packett + +[ Upstream commit 03a80442030e7147391738fb6cbe5fa0b3b91bb1 ] + +The GICv2 does not support EDGE_FALLING interrupts, so the watchdog +would refuse to attach due to a failing check coming from the GIC driver. + +Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516") +Signed-off-by: Val Packett +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20241204190524.21862-3-val@packett.cool +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8516.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +index 6d2804065ca89..247e89ee2f88e 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +@@ -206,7 +206,7 @@ + compatible = "mediatek,mt8516-wdt", + "mediatek,mt6589-wdt"; + reg = <0 0x10007000 0 0x1000>; +- interrupts = ; ++ interrupts = ; + #reset-cells = <1>; + }; + +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-mediatek-mt8516-remove-2-invalid-i2c-clock.patch b/queue-5.10/arm64-dts-mediatek-mt8516-remove-2-invalid-i2c-clock.patch new file mode 100644 index 0000000000..52119b3740 --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt8516-remove-2-invalid-i2c-clock.patch @@ -0,0 +1,80 @@ +From eebfbdd074b12c8f2595765c243780f067cf6692 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 20:35:20 +0100 +Subject: arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks + +From: Fabien Parent + +[ Upstream commit 9cf6a26ae352a6a150662c0c4ddff87664cc6e3c ] + +The two clocks "main-source" and "main-sel" are not present in the +driver and not defined in the binding documentation. Remove them +as they are not used and not described in the documentation. + +Signed-off-by: Fabien Parent +Link: https://lore.kernel.org/r/20211110193520.488-1-fparent@baylibre.com +Signed-off-by: Matthias Brugger +Stable-dep-of: eb72341fd92b ("arm64: dts: mediatek: mt8516: add i2c clock-div property") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8516.dtsi | 27 ++++++------------------ + 1 file changed, 6 insertions(+), 21 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +index 247e89ee2f88e..5163dda398d56 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +@@ -308,14 +308,9 @@ + reg = <0 0x11009000 0 0x90>, + <0 0x11000180 0 0x80>; + interrupts = ; +- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>, +- <&infracfg CLK_IFR_I2C0_SEL>, +- <&topckgen CLK_TOP_I2C0>, ++ clocks = <&topckgen CLK_TOP_I2C0>, + <&topckgen CLK_TOP_APDMA>; +- clock-names = "main-source", +- "main-sel", +- "main", +- "dma"; ++ clock-names = "main", "dma"; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -327,14 +322,9 @@ + reg = <0 0x1100a000 0 0x90>, + <0 0x11000200 0 0x80>; + interrupts = ; +- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>, +- <&infracfg CLK_IFR_I2C1_SEL>, +- <&topckgen CLK_TOP_I2C1>, ++ clocks = <&topckgen CLK_TOP_I2C1>, + <&topckgen CLK_TOP_APDMA>; +- clock-names = "main-source", +- "main-sel", +- "main", +- "dma"; ++ clock-names = "main", "dma"; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +@@ -346,14 +336,9 @@ + reg = <0 0x1100b000 0 0x90>, + <0 0x11000280 0 0x80>; + interrupts = ; +- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>, +- <&infracfg CLK_IFR_I2C2_SEL>, +- <&topckgen CLK_TOP_I2C2>, ++ clocks = <&topckgen CLK_TOP_I2C2>, + <&topckgen CLK_TOP_APDMA>; +- clock-names = "main-source", +- "main-sel", +- "main", +- "dma"; ++ clock-names = "main", "dma"; + #address-cells = <1>; + #size-cells = <0>; + status = "disabled"; +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-mediatek-mt8516-reserve-192-kib-for-tf-a.patch b/queue-5.10/arm64-dts-mediatek-mt8516-reserve-192-kib-for-tf-a.patch new file mode 100644 index 0000000000..b22b1328ea --- /dev/null +++ b/queue-5.10/arm64-dts-mediatek-mt8516-reserve-192-kib-for-tf-a.patch @@ -0,0 +1,43 @@ +From a7a2b4d88eb74a955710980171a3c92fb928c1cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Dec 2024 16:05:07 -0300 +Subject: arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A + +From: Val Packett + +[ Upstream commit 2561c7d5d497b988deccc36fe5eac7fd50b937f8 ] + +The Android DTB for the related MT8167 reserves 0x30000. This is likely +correct for MT8516 Android devices as well, and there's never any harm +in reserving 64KiB more. + +Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516") +Signed-off-by: Val Packett +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20241204190524.21862-5-val@packett.cool +Signed-off-by: AngeloGioacchino Del Regno +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt8516.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +index 383ae46891ec2..afb66d1439511 100644 +--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi +@@ -144,10 +144,10 @@ + #size-cells = <2>; + ranges; + +- /* 128 KiB reserved for ARM Trusted Firmware (BL31) */ ++ /* 192 KiB reserved for ARM Trusted Firmware (BL31) */ + bl31_secmon_reserved: secmon@43000000 { + no-map; +- reg = <0 0x43000000 0 0x20000>; ++ reg = <0 0x43000000 0 0x30000>; + }; + }; + +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-qcom-msm8916-correct-sleep-clock-frequency.patch b/queue-5.10/arm64-dts-qcom-msm8916-correct-sleep-clock-frequency.patch new file mode 100644 index 0000000000..e5ae15f76b --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-msm8916-correct-sleep-clock-frequency.patch @@ -0,0 +1,38 @@ +From b434a83407b03387c35bec944c9f45d228659716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 12:17:00 +0200 +Subject: arm64: dts: qcom: msm8916: correct sleep clock frequency + +From: Dmitry Baryshkov + +[ Upstream commit f088b921890cef28862913e5627bb2e2b5f82125 ] + +The MSM8916 platform uses PM8916 to provide sleep clock. According to the +documentation, that clock has 32.7645 kHz frequency. Correct the sleep +clock definition. + +Fixes: f4fb6aeafaaa ("arm64: dts: qcom: msm8916: Add fixed rate on-board oscillators") +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-1-e9b08fbeadd3@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index c39a299fc636f..4e0441d99eefa 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -104,7 +104,7 @@ + sleep_clk: sleep-clk { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <32768>; ++ clock-frequency = <32764>; + }; + }; + +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-qcom-msm8994-correct-sleep-clock-frequency.patch b/queue-5.10/arm64-dts-qcom-msm8994-correct-sleep-clock-frequency.patch new file mode 100644 index 0000000000..0ff3ab9552 --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-msm8994-correct-sleep-clock-frequency.patch @@ -0,0 +1,38 @@ +From 2322cfe6e847a546ad526071b4247a012135dc65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 12:17:02 +0200 +Subject: arm64: dts: qcom: msm8994: correct sleep clock frequency + +From: Dmitry Baryshkov + +[ Upstream commit a4148d869d47d8c86da0291dd95d411a5ebe90c8 ] + +The MSM8994 platform uses PM8994/6 to provide sleep clock. According to the +documentation, that clock has 32.7645 kHz frequency. Correct the sleep +clock definition. + +Fixes: feeaf56ac78d ("arm64: dts: msm8994 SoC and Huawei Angler (Nexus 6P) support") +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-3-e9b08fbeadd3@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8994.dtsi b/arch/arm64/boot/dts/qcom/msm8994.dtsi +index caaf7102f5798..9a8c365abbda4 100644 +--- a/arch/arm64/boot/dts/qcom/msm8994.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8994.dtsi +@@ -24,7 +24,7 @@ + sleep_clk: sleep-clk { + compatible = "fixed-clock"; + #clock-cells = <0>; +- clock-frequency = <32768>; ++ clock-frequency = <32764>; + clock-output-names = "sleep_clk"; + }; + }; +-- +2.39.5 + diff --git a/queue-5.10/arm64-dts-qcom-sm8250-correct-sleep-clock-frequency.patch b/queue-5.10/arm64-dts-qcom-sm8250-correct-sleep-clock-frequency.patch new file mode 100644 index 0000000000..6c7f0cad8c --- /dev/null +++ b/queue-5.10/arm64-dts-qcom-sm8250-correct-sleep-clock-frequency.patch @@ -0,0 +1,38 @@ +From 7c6321e28db6268f542faa5519a85b68b9836451 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 12:17:12 +0200 +Subject: arm64: dts: qcom: sm8250: correct sleep clock frequency + +From: Dmitry Baryshkov + +[ Upstream commit 75420e437eed69fa95d1d7c339dad86dea35319a ] + +The SM8250 platform uses PM8150 to provide sleep clock. According to the +documentation, that clock has 32.7645 kHz frequency. Correct the sleep +clock definition. + +Fixes: 9ff8b0591fcf ("arm64: dts: qcom: sm8250: use the right clock-freqency for sleep-clk") +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-13-e9b08fbeadd3@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi +index ec356fe07ac8a..025503ce88780 100644 +--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi +@@ -75,7 +75,7 @@ + + sleep_clk: sleep-clk { + compatible = "fixed-clock"; +- clock-frequency = <32768>; ++ clock-frequency = <32764>; + #clock-cells = <0>; + }; + }; +-- +2.39.5 + diff --git a/queue-5.10/asoc-sun4i-spdif-add-clock-multiplier-settings.patch b/queue-5.10/asoc-sun4i-spdif-add-clock-multiplier-settings.patch new file mode 100644 index 0000000000..b8931ae1e2 --- /dev/null +++ b/queue-5.10/asoc-sun4i-spdif-add-clock-multiplier-settings.patch @@ -0,0 +1,86 @@ +From 584fa35f4a134806a26613ef3cd93fcd9c4da2e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Nov 2024 17:55:29 +0100 +Subject: ASoC: sun4i-spdif: Add clock multiplier settings + +From: George Lander + +[ Upstream commit 0a2319308de88b9e819c0b43d0fccd857123eb31 ] + +There have been intermittent issues with the SPDIF output on H3 +and H2+ devices which has been fixed by setting the s_clk to 4 +times the audio pll. +Add a quirk for the clock multiplier as not every supported SoC +requires it. Without the multiplier, the audio at normal sampling +rates was distorted and did not play at higher sampling rates. + +Fixes: 1bd92af877ab ("ASoC: sun4i-spdif: Add support for the H3 SoC") +Signed-off-by: George Lander +Signed-off-by: Marcus Cooper +Link: https://patch.msgid.link/20241111165600.57219-2-codekipper@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sunxi/sun4i-spdif.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/sunxi/sun4i-spdif.c b/sound/soc/sunxi/sun4i-spdif.c +index 6dcad1aa25037..8e255a6d0bd1a 100644 +--- a/sound/soc/sunxi/sun4i-spdif.c ++++ b/sound/soc/sunxi/sun4i-spdif.c +@@ -175,6 +175,7 @@ struct sun4i_spdif_quirks { + unsigned int reg_dac_txdata; + bool has_reset; + unsigned int val_fctl_ftx; ++ unsigned int mclk_multiplier; + }; + + struct sun4i_spdif_dev { +@@ -311,6 +312,7 @@ static int sun4i_spdif_hw_params(struct snd_pcm_substream *substream, + default: + return -EINVAL; + } ++ mclk *= host->quirks->mclk_multiplier; + + ret = clk_set_rate(host->spdif_clk, mclk); + if (ret < 0) { +@@ -345,6 +347,7 @@ static int sun4i_spdif_hw_params(struct snd_pcm_substream *substream, + default: + return -EINVAL; + } ++ mclk_div *= host->quirks->mclk_multiplier; + + reg_val = 0; + reg_val |= SUN4I_SPDIF_TXCFG_ASS; +@@ -427,24 +430,28 @@ static struct snd_soc_dai_driver sun4i_spdif_dai = { + static const struct sun4i_spdif_quirks sun4i_a10_spdif_quirks = { + .reg_dac_txdata = SUN4I_SPDIF_TXFIFO, + .val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX, ++ .mclk_multiplier = 1, + }; + + static const struct sun4i_spdif_quirks sun6i_a31_spdif_quirks = { + .reg_dac_txdata = SUN4I_SPDIF_TXFIFO, + .val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX, + .has_reset = true, ++ .mclk_multiplier = 1, + }; + + static const struct sun4i_spdif_quirks sun8i_h3_spdif_quirks = { + .reg_dac_txdata = SUN8I_SPDIF_TXFIFO, + .val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX, + .has_reset = true, ++ .mclk_multiplier = 4, + }; + + static const struct sun4i_spdif_quirks sun50i_h6_spdif_quirks = { + .reg_dac_txdata = SUN8I_SPDIF_TXFIFO, + .val_fctl_ftx = SUN50I_H6_SPDIF_FCTL_FTX, + .has_reset = true, ++ .mclk_multiplier = 1, + }; + + static const struct of_device_id sun4i_spdif_of_match[] = { +-- +2.39.5 + diff --git a/queue-5.10/bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch b/queue-5.10/bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch new file mode 100644 index 0000000000..1006e031d9 --- /dev/null +++ b/queue-5.10/bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch @@ -0,0 +1,73 @@ +From 9da0d7d4e6b0602f89e861a302f3478c1903a30b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jan 2025 09:51:59 -0800 +Subject: bgmac: reduce max frame size to support just MTU 1500 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 752e5fcc2e77358936d36ef8e522d6439372e201 ] + +bgmac allocates new replacement buffer before handling each received +frame. Allocating & DMA-preparing 9724 B each time consumes a lot of CPU +time. Ideally bgmac should just respect currently set MTU but it isn't +the case right now. For now just revert back to the old limited frame +size. + +This change bumps NAT masquerade speed by ~95%. + +Since commit 8218f62c9c9b ("mm: page_frag: use initial zero offset for +page_frag_alloc_align()"), the bgmac driver fails to open its network +interface successfully and runs out of memory in the following call +stack: + +bgmac_open + -> bgmac_dma_init + -> bgmac_dma_rx_skb_for_slot + -> netdev_alloc_frag + +BGMAC_RX_ALLOC_SIZE = 10048 and PAGE_FRAG_CACHE_MAX_SIZE = 32768. + +Eventually we land into __page_frag_alloc_align() with the following +parameters across multiple successive calls: + +__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=0 +__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=10048 +__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=20096 +__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=30144 + +So in that case we do indeed have offset + fragsz (40192) > size (32768) +and so we would eventually return NULL. Reverting to the older 1500 +bytes MTU allows the network driver to be usable again. + +Fixes: 8c7da63978f1 ("bgmac: configure MTU and add support for frames beyond 8192 byte size") +Signed-off-by: Rafał Miłecki +[florian: expand commit message about recent commits] +Reviewed-by: Simon Horman +Signed-off-by: Florian Fainelli +Link: https://patch.msgid.link/20250127175159.1788246-1-florian.fainelli@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bgmac.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bgmac.h b/drivers/net/ethernet/broadcom/bgmac.h +index d1200b27af1ed..51ff5aceba99e 100644 +--- a/drivers/net/ethernet/broadcom/bgmac.h ++++ b/drivers/net/ethernet/broadcom/bgmac.h +@@ -366,8 +366,7 @@ + #define BGMAC_RX_FRAME_OFFSET 30 /* There are 2 unused bytes between header and real data */ + #define BGMAC_RX_BUF_OFFSET (NET_SKB_PAD + NET_IP_ALIGN - \ + BGMAC_RX_FRAME_OFFSET) +-/* Jumbo frame size with FCS */ +-#define BGMAC_RX_MAX_FRAME_SIZE 9724 ++#define BGMAC_RX_MAX_FRAME_SIZE 1536 + #define BGMAC_RX_BUF_SIZE (BGMAC_RX_FRAME_OFFSET + BGMAC_RX_MAX_FRAME_SIZE) + #define BGMAC_RX_ALLOC_SIZE (SKB_DATA_ALIGN(BGMAC_RX_BUF_SIZE + BGMAC_RX_BUF_OFFSET) + \ + SKB_DATA_ALIGN(sizeof(struct skb_shared_info))) +-- +2.39.5 + diff --git a/queue-5.10/bpf-send-signals-asynchronously-if-preemptible.patch b/queue-5.10/bpf-send-signals-asynchronously-if-preemptible.patch new file mode 100644 index 0000000000..367f42efe1 --- /dev/null +++ b/queue-5.10/bpf-send-signals-asynchronously-if-preemptible.patch @@ -0,0 +1,42 @@ +From 7cdc329584f6a498dc2f880d8433bd73c8c568be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 10:36:47 +0000 +Subject: bpf: Send signals asynchronously if !preemptible + +From: Puranjay Mohan + +[ Upstream commit 87c544108b612512b254c8f79aa5c0a8546e2cc4 ] + +BPF programs can execute in all kinds of contexts and when a program +running in a non-preemptible context uses the bpf_send_signal() kfunc, +it will cause issues because this kfunc can sleep. +Change `irqs_disabled()` to `!preemptible()`. + +Reported-by: syzbot+97da3d7e0112d59971de@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67486b09.050a0220.253251.0084.GAE@google.com/ +Fixes: 1bc7896e9ef4 ("bpf: Fix deadlock with rq_lock in bpf_send_signal()") +Signed-off-by: Puranjay Mohan +Acked-by: Yonghong Song +Link: https://lore.kernel.org/r/20250115103647.38487-1-puranjay@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 71e0c1bc9759e..1656a7d9bb697 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1081,7 +1081,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type) + if (unlikely(is_global_init(current))) + return -EPERM; + +- if (irqs_disabled()) { ++ if (!preemptible()) { + /* Do an early check on signal validity. Otherwise, + * the error is lost in deferred irq_work. + */ +-- +2.39.5 + diff --git a/queue-5.10/clk-analogbits-fix-incorrect-calculation-of-vco-rate.patch b/queue-5.10/clk-analogbits-fix-incorrect-calculation-of-vco-rate.patch new file mode 100644 index 0000000000..5733d4807c --- /dev/null +++ b/queue-5.10/clk-analogbits-fix-incorrect-calculation-of-vco-rate.patch @@ -0,0 +1,41 @@ +From 912c74c08659c936ca6a92e5092cecca3ad01712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Aug 2024 23:16:39 -0700 +Subject: clk: analogbits: Fix incorrect calculation of vco rate delta + +From: Bo Gan + +[ Upstream commit d7f12857f095ef38523399d47e68787b357232f6 ] + +In wrpll_configure_for_rate() we try to determine the best PLL +configuration for a target rate. However, in the loop where we try +values of R, we should compare the derived `vco` with `target_vco_rate`. +However, we were in fact comparing it with `target_rate`, which is +actually after Q shift. This is incorrect, and sometimes can result in +suboptimal clock rates. Fix it. + +Fixes: 7b9487a9a5c4 ("clk: analogbits: add Wide-Range PLL library") +Signed-off-by: Bo Gan +Link: https://lore.kernel.org/r/20240830061639.2316-1-ganboing@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/analogbits/wrpll-cln28hpc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/analogbits/wrpll-cln28hpc.c b/drivers/clk/analogbits/wrpll-cln28hpc.c +index 776ead319ae9c..9df572579afb4 100644 +--- a/drivers/clk/analogbits/wrpll-cln28hpc.c ++++ b/drivers/clk/analogbits/wrpll-cln28hpc.c +@@ -287,7 +287,7 @@ int wrpll_configure_for_rate(struct wrpll_cfg *c, u32 target_rate, + vco = vco_pre * f; + } + +- delta = abs(target_rate - vco); ++ delta = abs(target_vco_rate - vco); + if (delta < best_delta) { + best_delta = delta; + best_r = r; +-- +2.39.5 + diff --git a/queue-5.10/clk-imx8mp-fix-clkout1-2-support.patch b/queue-5.10/clk-imx8mp-fix-clkout1-2-support.patch new file mode 100644 index 0000000000..184fec8c28 --- /dev/null +++ b/queue-5.10/clk-imx8mp-fix-clkout1-2-support.patch @@ -0,0 +1,45 @@ +From 14e150cac27cf4b90ac35d19bbb3dc99732527cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2024 02:36:54 +0100 +Subject: clk: imx8mp: Fix clkout1/2 support + +From: Marek Vasut + +[ Upstream commit a9b7c84d22fb1687d63ca2a386773015cf59436b ] + +The CLKOUTn may be fed from PLL1/2/3, but the PLL1/2/3 has to be enabled +first by setting PLL_CLKE bit 11 in CCM_ANALOG_SYS_PLLn_GEN_CTRL register. +The CCM_ANALOG_SYS_PLLn_GEN_CTRL bit 11 is modeled by plln_out clock. Fix +the clock tree and place the clkout1/2 under plln_sel instead of plain plln +to let the clock subsystem correctly control the bit 11 and enable the PLL +in case the CLKOUTn is supplied by PLL1/2/3. + +Fixes: 43896f56b59e ("clk: imx8mp: add clkout1/2 support") +Signed-off-by: Marek Vasut +Reviewed-by: Peng Fan +Link: https://lore.kernel.org/r/20241112013718.333771-1-marex@denx.de +Signed-off-by: Abel Vesa +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c +index 56d45caa603f8..385653fe39660 100644 +--- a/drivers/clk/imx/clk-imx8mp.c ++++ b/drivers/clk/imx/clk-imx8mp.c +@@ -410,8 +410,9 @@ static const char * const imx8mp_dram_core_sels[] = {"dram_pll_out", "dram_alt_r + + static const char * const imx8mp_clkout_sels[] = {"audio_pll1_out", "audio_pll2_out", "video_pll1_out", + "dummy", "dummy", "gpu_pll_out", "vpu_pll_out", +- "arm_pll_out", "sys_pll1", "sys_pll2", "sys_pll3", +- "dummy", "dummy", "osc_24m", "dummy", "osc_32k"}; ++ "arm_pll_out", "sys_pll1_out", "sys_pll2_out", ++ "sys_pll3_out", "dummy", "dummy", "osc_24m", ++ "dummy", "osc_32k"}; + + static struct clk_hw **hws; + static struct clk_hw_onecell_data *clk_hw_data; +-- +2.39.5 + diff --git a/queue-5.10/cpufreq-acpi-fix-max-frequency-computation.patch b/queue-5.10/cpufreq-acpi-fix-max-frequency-computation.patch new file mode 100644 index 0000000000..098b1ae357 --- /dev/null +++ b/queue-5.10/cpufreq-acpi-fix-max-frequency-computation.patch @@ -0,0 +1,122 @@ +From 239d3d8517fa35d3a4dba28f966bd4fa77d99929 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 10:11:07 +0530 +Subject: cpufreq: ACPI: Fix max-frequency computation + +From: Gautham R. Shenoy + +[ Upstream commit 0834667545962ef1c5e8684ed32b45d9c574acd3 ] + +Commit 3c55e94c0ade ("cpufreq: ACPI: Extend frequency tables to cover +boost frequencies") introduced an assumption in acpi_cpufreq_cpu_init() +that the first entry in the P-state table was the nominal frequency. +This assumption is incorrect. The frequency corresponding to the P0 +P-State need not be the same as the nominal frequency advertised via +CPPC. + +Since the driver is using the CPPC.highest_perf and CPPC.nominal_perf +to compute the boost-ratio, it makes sense to use CPPC.nominal_freq to +compute the max-frequency. CPPC.nominal_freq is advertised on +platforms supporting CPPC revisions 3 or higher. + +Hence, fallback to using the first entry in the P-State table only on +platforms that do not advertise CPPC.nominal_freq. + +Fixes: 3c55e94c0ade ("cpufreq: ACPI: Extend frequency tables to cover boost frequencies") +Tested-by: Dhananjay Ugwekar +Signed-off-by: Gautham R. Shenoy +Reviewed-by: Mario Limonciello +Link: https://patch.msgid.link/20250113044107.566-1-gautham.shenoy@amd.com +[ rjw: Retain reverse X-mas tree ordering of local variable declarations ] +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/acpi-cpufreq.c | 36 +++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c +index d1bbc16fba4b4..4109dda5e36d0 100644 +--- a/drivers/cpufreq/acpi-cpufreq.c ++++ b/drivers/cpufreq/acpi-cpufreq.c +@@ -630,7 +630,14 @@ static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c) + #endif + + #ifdef CONFIG_ACPI_CPPC_LIB +-static u64 get_max_boost_ratio(unsigned int cpu) ++/* ++ * get_max_boost_ratio: Computes the max_boost_ratio as the ratio ++ * between the highest_perf and the nominal_perf. ++ * ++ * Returns the max_boost_ratio for @cpu. Returns the CPPC nominal ++ * frequency via @nominal_freq if it is non-NULL pointer. ++ */ ++static u64 get_max_boost_ratio(unsigned int cpu, u64 *nominal_freq) + { + struct cppc_perf_caps perf_caps; + u64 highest_perf, nominal_perf; +@@ -649,6 +656,9 @@ static u64 get_max_boost_ratio(unsigned int cpu) + highest_perf = perf_caps.highest_perf; + nominal_perf = perf_caps.nominal_perf; + ++ if (nominal_freq) ++ *nominal_freq = perf_caps.nominal_freq; ++ + if (!highest_perf || !nominal_perf) { + pr_debug("CPU%d: highest or nominal performance missing\n", cpu); + return 0; +@@ -661,8 +671,12 @@ static u64 get_max_boost_ratio(unsigned int cpu) + + return div_u64(highest_perf << SCHED_CAPACITY_SHIFT, nominal_perf); + } ++ + #else +-static inline u64 get_max_boost_ratio(unsigned int cpu) { return 0; } ++static inline u64 get_max_boost_ratio(unsigned int cpu, u64 *nominal_freq) ++{ ++ return 0; ++} + #endif + + static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) +@@ -672,9 +686,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) + struct acpi_cpufreq_data *data; + unsigned int cpu = policy->cpu; + struct cpuinfo_x86 *c = &cpu_data(cpu); ++ u64 max_boost_ratio, nominal_freq = 0; + unsigned int valid_states = 0; + unsigned int result = 0; +- u64 max_boost_ratio; + unsigned int i; + #ifdef CONFIG_SMP + static int blacklisted; +@@ -824,16 +838,20 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy) + } + freq_table[valid_states].frequency = CPUFREQ_TABLE_END; + +- max_boost_ratio = get_max_boost_ratio(cpu); ++ max_boost_ratio = get_max_boost_ratio(cpu, &nominal_freq); + if (max_boost_ratio) { +- unsigned int freq = freq_table[0].frequency; ++ unsigned int freq = nominal_freq; + + /* +- * Because the loop above sorts the freq_table entries in the +- * descending order, freq is the maximum frequency in the table. +- * Assume that it corresponds to the CPPC nominal frequency and +- * use it to set cpuinfo.max_freq. ++ * The loop above sorts the freq_table entries in the ++ * descending order. If ACPI CPPC has not advertised ++ * the nominal frequency (this is possible in CPPC ++ * revisions prior to 3), then use the first entry in ++ * the pstate table as a proxy for nominal frequency. + */ ++ if (!freq) ++ freq = freq_table[0].frequency; ++ + policy->cpuinfo.max_freq = freq * max_boost_ratio >> SCHED_CAPACITY_SHIFT; + } else { + /* +-- +2.39.5 + diff --git a/queue-5.10/cpufreq-schedutil-fix-superfluous-updates-caused-by-.patch b/queue-5.10/cpufreq-schedutil-fix-superfluous-updates-caused-by-.patch new file mode 100644 index 0000000000..5d7256a395 --- /dev/null +++ b/queue-5.10/cpufreq-schedutil-fix-superfluous-updates-caused-by-.patch @@ -0,0 +1,64 @@ +From 81bfc721bcc813e9364f09c289c4b4ff4f5c6acc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Dec 2024 17:57:32 -0800 +Subject: cpufreq: schedutil: Fix superfluous updates caused by + need_freq_update + +From: Sultan Alsawaf (unemployed) + +[ Upstream commit 8e461a1cb43d69d2fc8a97e61916dce571e6bb31 ] + +A redundant frequency update is only truly needed when there is a policy +limits change with a driver that specifies CPUFREQ_NEED_UPDATE_LIMITS. + +In spite of that, drivers specifying CPUFREQ_NEED_UPDATE_LIMITS receive a +frequency update _all the time_, not just for a policy limits change, +because need_freq_update is never cleared. + +Furthermore, ignore_dl_rate_limit()'s usage of need_freq_update also leads +to a redundant frequency update, regardless of whether or not the driver +specifies CPUFREQ_NEED_UPDATE_LIMITS, when the next chosen frequency is the +same as the current one. + +Fix the superfluous updates by only honoring CPUFREQ_NEED_UPDATE_LIMITS +when there's a policy limits change, and clearing need_freq_update when a +requisite redundant update occurs. + +This is neatly achieved by moving up the CPUFREQ_NEED_UPDATE_LIMITS test +and instead setting need_freq_update to false in sugov_update_next_freq(). + +Fixes: 600f5badb78c ("cpufreq: schedutil: Don't skip freq update when limits change") +Signed-off-by: Sultan Alsawaf (unemployed) +Reviewed-by: Christian Loehle +Link: https://patch.msgid.link/20241212015734.41241-2-sultan@kerneltoast.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/sched/cpufreq_schedutil.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c +index 04295212ab500..d8b9e1d25200f 100644 +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -90,7 +90,7 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time) + + if (unlikely(sg_policy->limits_changed)) { + sg_policy->limits_changed = false; +- sg_policy->need_freq_update = true; ++ sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS); + return true; + } + +@@ -103,7 +103,7 @@ static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time, + unsigned int next_freq) + { + if (sg_policy->need_freq_update) +- sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS); ++ sg_policy->need_freq_update = false; + else if (sg_policy->next_freq == next_freq) + return false; + +-- +2.39.5 + diff --git a/queue-5.10/cpufreq-schedutil-simplify-sugov_update_next_freq.patch b/queue-5.10/cpufreq-schedutil-simplify-sugov_update_next_freq.patch new file mode 100644 index 0000000000..5bcc634f78 --- /dev/null +++ b/queue-5.10/cpufreq-schedutil-simplify-sugov_update_next_freq.patch @@ -0,0 +1,42 @@ +From 190ca27e24a861374c799e472581898df78200ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Nov 2020 20:26:42 +0100 +Subject: cpufreq: schedutil: Simplify sugov_update_next_freq() + +From: Rafael J. Wysocki + +[ Upstream commit 90ac908a418b836427d6eaf84fbc5062881747fd ] + +Rearrange a conditional to make it more straightforward. + +Signed-off-by: Rafael J. Wysocki +Acked-by: Viresh Kumar +Stable-dep-of: 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused by need_freq_update") +Signed-off-by: Sasha Levin +--- + kernel/sched/cpufreq_schedutil.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c +index 5e39da0ae0868..04295212ab500 100644 +--- a/kernel/sched/cpufreq_schedutil.c ++++ b/kernel/sched/cpufreq_schedutil.c +@@ -102,12 +102,10 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time) + static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time, + unsigned int next_freq) + { +- if (!sg_policy->need_freq_update) { +- if (sg_policy->next_freq == next_freq) +- return false; +- } else { ++ if (sg_policy->need_freq_update) + sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS); +- } ++ else if (sg_policy->next_freq == next_freq) ++ return false; + + sg_policy->next_freq = next_freq; + sg_policy->last_freq_update_time = time; +-- +2.39.5 + diff --git a/queue-5.10/cpupower-fix-tsc-mhz-calculation.patch b/queue-5.10/cpupower-fix-tsc-mhz-calculation.patch new file mode 100644 index 0000000000..950a94a892 --- /dev/null +++ b/queue-5.10/cpupower-fix-tsc-mhz-calculation.patch @@ -0,0 +1,114 @@ +From e981dff073836ce823ec367a437107986b8b20cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 10:14:59 +0800 +Subject: cpupower: fix TSC MHz calculation + +From: He Rongguang + +[ Upstream commit 9d6c0e58514f8b57cd9c2c755e41623d6a966025 ] + +Commit 'cpupower: Make TSC read per CPU for Mperf monitor' (c2adb1877b7) +changes TSC counter reads per cpu, but left time diff global (from start +of all cpus to end of all cpus), thus diff(time) is too large for a +cpu's tsc counting, resulting in far less than acutal TSC_Mhz and thus +`cpupower monitor` showing far less than actual cpu realtime frequency. + +/proc/cpuinfo shows frequency: +cat /proc/cpuinfo | egrep -e 'processor' -e 'MHz' +... +processor : 171 +cpu MHz : 4108.498 +... + +before fix (System 100% busy): + | Mperf || Idle_Stats + CPU| C0 | Cx | Freq || POLL | C1 | C2 + 171| 0.77| 99.23| 2279|| 0.00| 0.00| 0.00 + +after fix (System 100% busy): + | Mperf || Idle_Stats + CPU| C0 | Cx | Freq || POLL | C1 | C2 + 171| 0.46| 99.54| 4095|| 0.00| 0.00| 0.00 + +Fixes: c2adb1877b76 ("cpupower: Make TSC read per CPU for Mperf monitor") +Signed-off-by: He Rongguang +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../cpupower/utils/idle_monitor/mperf_monitor.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index ae6af354a81db..08a399b0be286 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -33,7 +33,7 @@ static int mperf_get_count_percent(unsigned int self_id, double *percent, + unsigned int cpu); + static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + unsigned int cpu); +-static struct timespec time_start, time_end; ++static struct timespec *time_start, *time_end; + + static cstate_t mperf_cstates[MPERF_CSTATE_COUNT] = { + { +@@ -174,7 +174,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent, + dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n", + mperf_cstates[id].name, mperf_diff, tsc_diff); + } else if (max_freq_mode == MAX_FREQ_SYSFS) { +- timediff = max_frequency * timespec_diff_us(time_start, time_end); ++ timediff = max_frequency * timespec_diff_us(time_start[cpu], time_end[cpu]); + *percent = 100.0 * mperf_diff / timediff; + dprint("%s: MAXFREQ - mperf_diff: %llu, time_diff: %llu\n", + mperf_cstates[id].name, mperf_diff, timediff); +@@ -207,7 +207,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count, + if (max_freq_mode == MAX_FREQ_TSC_REF) { + /* Calculate max_freq from TSC count */ + tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]; +- time_diff = timespec_diff_us(time_start, time_end); ++ time_diff = timespec_diff_us(time_start[cpu], time_end[cpu]); + max_frequency = tsc_diff / time_diff; + } + +@@ -226,9 +226,8 @@ static int mperf_start(void) + { + int cpu; + +- clock_gettime(CLOCK_REALTIME, &time_start); +- + for (cpu = 0; cpu < cpu_count; cpu++) { ++ clock_gettime(CLOCK_REALTIME, &time_start[cpu]); + mperf_get_tsc(&tsc_at_measure_start[cpu]); + mperf_init_stats(cpu); + } +@@ -243,9 +242,9 @@ static int mperf_stop(void) + for (cpu = 0; cpu < cpu_count; cpu++) { + mperf_measure_stats(cpu); + mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ clock_gettime(CLOCK_REALTIME, &time_end[cpu]); + } + +- clock_gettime(CLOCK_REALTIME, &time_end); + return 0; + } + +@@ -349,6 +348,8 @@ struct cpuidle_monitor *mperf_register(void) + aperf_current_count = calloc(cpu_count, sizeof(unsigned long long)); + tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long)); + tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long)); ++ time_start = calloc(cpu_count, sizeof(struct timespec)); ++ time_end = calloc(cpu_count, sizeof(struct timespec)); + mperf_monitor.name_len = strlen(mperf_monitor.name); + return &mperf_monitor; + } +@@ -361,6 +362,8 @@ void mperf_unregister(void) + free(aperf_current_count); + free(tsc_at_measure_start); + free(tsc_at_measure_end); ++ free(time_start); ++ free(time_end); + free(is_valid); + } + +-- +2.39.5 + diff --git a/queue-5.10/dmaengine-ti-edma-fix-of-node-reference-leaks-in-edm.patch b/queue-5.10/dmaengine-ti-edma-fix-of-node-reference-leaks-in-edm.patch new file mode 100644 index 0000000000..454b8d3d50 --- /dev/null +++ b/queue-5.10/dmaengine-ti-edma-fix-of-node-reference-leaks-in-edm.patch @@ -0,0 +1,55 @@ +From 02db35c02a9ac15c648fc6bf9a2725f25b8e7808 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Dec 2024 11:05:07 +0900 +Subject: dmaengine: ti: edma: fix OF node reference leaks in edma_driver + +From: Joe Hattori + +[ Upstream commit e883c64778e5a9905fce955681f8ee38c7197e0f ] + +The .probe() of edma_driver calls of_parse_phandle_with_fixed_args() but +does not release the obtained OF nodes. Thus add a of_node_put() call. + +This bug was found by an experimental verification tool that I am +developing. + +Fixes: 1be5336bc7ba ("dmaengine: edma: New device tree binding") +Signed-off-by: Joe Hattori +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/20241219020507.1983124-3-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/edma.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c +index 69292d4a0c441..560fe658b8942 100644 +--- a/drivers/dma/ti/edma.c ++++ b/drivers/dma/ti/edma.c +@@ -217,7 +217,6 @@ struct edma_desc { + struct edma_cc; + + struct edma_tc { +- struct device_node *node; + u16 id; + }; + +@@ -2524,13 +2523,13 @@ static int edma_probe(struct platform_device *pdev) + if (ret || i == ecc->num_tc) + break; + +- ecc->tc_list[i].node = tc_args.np; + ecc->tc_list[i].id = i; + queue_priority_mapping[i][1] = tc_args.args[0]; + if (queue_priority_mapping[i][1] > lowest_priority) { + lowest_priority = queue_priority_mapping[i][1]; + info->default_queue = i; + } ++ of_node_put(tc_args.np); + } + + /* See if we have optional dma-channel-mask array */ +-- +2.39.5 + diff --git a/queue-5.10/driver-core-platform-change-logic-implementing-platf.patch b/queue-5.10/driver-core-platform-change-logic-implementing-platf.patch new file mode 100644 index 0000000000..bc794c1cf6 --- /dev/null +++ b/queue-5.10/driver-core-platform-change-logic-implementing-platf.patch @@ -0,0 +1,83 @@ +From 1eae1d687bfd5e9aa2c573ebc0edaddeaf1c898f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Nov 2020 13:46:10 +0100 +Subject: driver core: platform: change logic implementing + platform_driver_probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 16085668eacdc56c46652d0f3bfef81ecace57de ] + +Instead of overwriting the core driver's probe function handle probing +devices for drivers loaded by platform_driver_probe() in the platform +driver probe function. + +The intended goal is to not have to change the probe function to +simplify converting the platform bus to use bus functions. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20201119124611.2573057-2-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak") +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index fa023cf80dc48..16426eb934632 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -743,12 +743,25 @@ struct platform_device *platform_device_register_full( + } + EXPORT_SYMBOL_GPL(platform_device_register_full); + ++static int platform_probe_fail(struct platform_device *pdev); ++ + static int platform_drv_probe(struct device *_dev) + { + struct platform_driver *drv = to_platform_driver(_dev->driver); + struct platform_device *dev = to_platform_device(_dev); + int ret; + ++ /* ++ * A driver registered using platform_driver_probe() cannot be bound ++ * again later because the probe function usually lives in __init code ++ * and so is gone. For these drivers .probe is set to ++ * platform_probe_fail in __platform_driver_probe(). Don't even ++ * prepare clocks and PM domains for these to match the traditional ++ * behaviour. ++ */ ++ if (unlikely(drv->probe == platform_probe_fail)) ++ return -ENXIO; ++ + ret = of_clk_set_defaults(_dev->of_node, false); + if (ret < 0) + return ret; +@@ -822,7 +835,7 @@ void platform_driver_unregister(struct platform_driver *drv) + } + EXPORT_SYMBOL_GPL(platform_driver_unregister); + +-static int platform_drv_probe_fail(struct device *_dev) ++static int platform_probe_fail(struct platform_device *pdev) + { + return -ENXIO; + } +@@ -887,10 +900,9 @@ int __init_or_module __platform_driver_probe(struct platform_driver *drv, + * new devices fail. + */ + spin_lock(&drv->driver.bus->p->klist_drivers.k_lock); +- drv->probe = NULL; ++ drv->probe = platform_probe_fail; + if (code == 0 && list_empty(&drv->driver.p->klist_devices.k_list)) + retval = -ENODEV; +- drv->driver.probe = platform_drv_probe_fail; + spin_unlock(&drv->driver.bus->p->klist_drivers.k_lock); + + if (code != retval) +-- +2.39.5 + diff --git a/queue-5.10/driver-core-platform-emit-a-warning-if-a-remove-call.patch b/queue-5.10/driver-core-platform-emit-a-warning-if-a-remove-call.patch new file mode 100644 index 0000000000..33606a173a --- /dev/null +++ b/queue-5.10/driver-core-platform-emit-a-warning-if-a-remove-call.patch @@ -0,0 +1,60 @@ +From d3130d676b6942ea14cd06dcbe105f997a956302 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Feb 2021 22:15:37 +0100 +Subject: driver core: platform: Emit a warning if a remove callback returned + non-zero +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit e5e1c209788138f33ca6558bf9f572f6904f486d ] + +The driver core ignores the return value of a bus' remove callback. However +a driver returning an error code is a hint that there is a problem, +probably a driver author who expects that returning e.g. -EBUSY has any +effect. + +The right thing to do would be to make struct platform_driver::remove() +return void. With the immense number of platform drivers this is however a +big quest and I hope to prevent at least a few new drivers that return an +error code here. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20210207211537.19992-1-uwe@kleine-koenig.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak") +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 90166535a5c05..d0b15cbab0ff0 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -1305,13 +1305,16 @@ static int platform_remove(struct device *_dev) + { + struct platform_driver *drv = to_platform_driver(_dev->driver); + struct platform_device *dev = to_platform_device(_dev); +- int ret = 0; + +- if (drv->remove) +- ret = drv->remove(dev); ++ if (drv->remove) { ++ int ret = drv->remove(dev); ++ ++ if (ret) ++ dev_warn(_dev, "remove callback returned a non-zero value. This will be ignored.\n"); ++ } + dev_pm_domain_detach(_dev, true); + +- return ret; ++ return 0; + } + + static void platform_shutdown(struct device *_dev) +-- +2.39.5 + diff --git a/queue-5.10/driver-core-platform-reorder-functions.patch b/queue-5.10/driver-core-platform-reorder-functions.patch new file mode 100644 index 0000000000..7911049774 --- /dev/null +++ b/queue-5.10/driver-core-platform-reorder-functions.patch @@ -0,0 +1,361 @@ +From d850359856e0edc5c80cd3bb1b9f5932091f18f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Nov 2020 13:46:09 +0100 +Subject: driver core: platform: reorder functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit e21d740a3fe5ad2db7b5f5c2331fe2b713b1edba ] + +This way all callbacks and structures used to initialize +platform_bus_type are defined just before platform_bus_type and in the +same order. Also move platform_drv_probe_fail just before it's only +user. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20201119124611.2573057-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak") +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 293 ++++++++++++++++++++-------------------- + 1 file changed, 147 insertions(+), 146 deletions(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 647066229fec3..fa023cf80dc48 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -772,11 +772,6 @@ static int platform_drv_probe(struct device *_dev) + return ret; + } + +-static int platform_drv_probe_fail(struct device *_dev) +-{ +- return -ENXIO; +-} +- + static int platform_drv_remove(struct device *_dev) + { + struct platform_driver *drv = to_platform_driver(_dev->driver); +@@ -827,6 +822,11 @@ void platform_driver_unregister(struct platform_driver *drv) + } + EXPORT_SYMBOL_GPL(platform_driver_unregister); + ++static int platform_drv_probe_fail(struct device *_dev) ++{ ++ return -ENXIO; ++} ++ + /** + * __platform_driver_probe - register driver for non-hotpluggable device + * @drv: platform driver structure +@@ -1017,109 +1017,6 @@ void platform_unregister_drivers(struct platform_driver * const *drivers, + } + EXPORT_SYMBOL_GPL(platform_unregister_drivers); + +-/* modalias support enables more hands-off userspace setup: +- * (a) environment variable lets new-style hotplug events work once system is +- * fully running: "modprobe $MODALIAS" +- * (b) sysfs attribute lets new-style coldplug recover from hotplug events +- * mishandled before system is fully running: "modprobe $(cat modalias)" +- */ +-static ssize_t modalias_show(struct device *dev, +- struct device_attribute *attr, char *buf) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- int len; +- +- len = of_device_modalias(dev, buf, PAGE_SIZE); +- if (len != -ENODEV) +- return len; +- +- len = acpi_device_modalias(dev, buf, PAGE_SIZE - 1); +- if (len != -ENODEV) +- return len; +- +- return sysfs_emit(buf, "platform:%s\n", pdev->name); +-} +-static DEVICE_ATTR_RO(modalias); +- +-static ssize_t driver_override_store(struct device *dev, +- struct device_attribute *attr, +- const char *buf, size_t count) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- int ret; +- +- ret = driver_set_override(dev, &pdev->driver_override, buf, count); +- if (ret) +- return ret; +- +- return count; +-} +- +-static ssize_t driver_override_show(struct device *dev, +- struct device_attribute *attr, char *buf) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- ssize_t len; +- +- device_lock(dev); +- len = sysfs_emit(buf, "%s\n", pdev->driver_override); +- device_unlock(dev); +- +- return len; +-} +-static DEVICE_ATTR_RW(driver_override); +- +-static ssize_t numa_node_show(struct device *dev, +- struct device_attribute *attr, char *buf) +-{ +- return sysfs_emit(buf, "%d\n", dev_to_node(dev)); +-} +-static DEVICE_ATTR_RO(numa_node); +- +-static umode_t platform_dev_attrs_visible(struct kobject *kobj, struct attribute *a, +- int n) +-{ +- struct device *dev = container_of(kobj, typeof(*dev), kobj); +- +- if (a == &dev_attr_numa_node.attr && +- dev_to_node(dev) == NUMA_NO_NODE) +- return 0; +- +- return a->mode; +-} +- +-static struct attribute *platform_dev_attrs[] = { +- &dev_attr_modalias.attr, +- &dev_attr_numa_node.attr, +- &dev_attr_driver_override.attr, +- NULL, +-}; +- +-static struct attribute_group platform_dev_group = { +- .attrs = platform_dev_attrs, +- .is_visible = platform_dev_attrs_visible, +-}; +-__ATTRIBUTE_GROUPS(platform_dev); +- +-static int platform_uevent(struct device *dev, struct kobj_uevent_env *env) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- int rc; +- +- /* Some devices have extra OF data and an OF-style MODALIAS */ +- rc = of_device_uevent_modalias(dev, env); +- if (rc != -ENODEV) +- return rc; +- +- rc = acpi_device_uevent_modalias(dev, env); +- if (rc != -ENODEV) +- return rc; +- +- add_uevent_var(env, "MODALIAS=%s%s", PLATFORM_MODULE_PREFIX, +- pdev->name); +- return 0; +-} +- + static const struct platform_device_id *platform_match_id( + const struct platform_device_id *id, + struct platform_device *pdev) +@@ -1134,44 +1031,6 @@ static const struct platform_device_id *platform_match_id( + return NULL; + } + +-/** +- * platform_match - bind platform device to platform driver. +- * @dev: device. +- * @drv: driver. +- * +- * Platform device IDs are assumed to be encoded like this: +- * "", where is a short description of the type of +- * device, like "pci" or "floppy", and is the enumerated +- * instance of the device, like '0' or '42'. Driver IDs are simply +- * "". So, extract the from the platform_device structure, +- * and compare it against the name of the driver. Return whether they match +- * or not. +- */ +-static int platform_match(struct device *dev, struct device_driver *drv) +-{ +- struct platform_device *pdev = to_platform_device(dev); +- struct platform_driver *pdrv = to_platform_driver(drv); +- +- /* When driver_override is set, only bind to the matching driver */ +- if (pdev->driver_override) +- return !strcmp(pdev->driver_override, drv->name); +- +- /* Attempt an OF style match first */ +- if (of_driver_match_device(dev, drv)) +- return 1; +- +- /* Then try ACPI style match */ +- if (acpi_driver_match_device(dev, drv)) +- return 1; +- +- /* Then try to match against the id table */ +- if (pdrv->id_table) +- return platform_match_id(pdrv->id_table, pdev) != NULL; +- +- /* fall-back to driver name match */ +- return (strcmp(pdev->name, drv->name) == 0); +-} +- + #ifdef CONFIG_PM_SLEEP + + static int platform_legacy_suspend(struct device *dev, pm_message_t mesg) +@@ -1316,6 +1175,148 @@ int platform_pm_restore(struct device *dev) + + #endif /* CONFIG_HIBERNATE_CALLBACKS */ + ++/* modalias support enables more hands-off userspace setup: ++ * (a) environment variable lets new-style hotplug events work once system is ++ * fully running: "modprobe $MODALIAS" ++ * (b) sysfs attribute lets new-style coldplug recover from hotplug events ++ * mishandled before system is fully running: "modprobe $(cat modalias)" ++ */ ++static ssize_t modalias_show(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ int len; ++ ++ len = of_device_modalias(dev, buf, PAGE_SIZE); ++ if (len != -ENODEV) ++ return len; ++ ++ len = acpi_device_modalias(dev, buf, PAGE_SIZE - 1); ++ if (len != -ENODEV) ++ return len; ++ ++ return sysfs_emit(buf, "platform:%s\n", pdev->name); ++} ++static DEVICE_ATTR_RO(modalias); ++ ++static ssize_t numa_node_show(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sysfs_emit(buf, "%d\n", dev_to_node(dev)); ++} ++static DEVICE_ATTR_RO(numa_node); ++ ++static ssize_t driver_override_show(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ ssize_t len; ++ ++ device_lock(dev); ++ len = sysfs_emit(buf, "%s\n", pdev->driver_override); ++ device_unlock(dev); ++ ++ return len; ++} ++ ++static ssize_t driver_override_store(struct device *dev, ++ struct device_attribute *attr, ++ const char *buf, size_t count) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ int ret; ++ ++ ret = driver_set_override(dev, &pdev->driver_override, buf, count); ++ if (ret) ++ return ret; ++ ++ return count; ++} ++static DEVICE_ATTR_RW(driver_override); ++ ++static struct attribute *platform_dev_attrs[] = { ++ &dev_attr_modalias.attr, ++ &dev_attr_numa_node.attr, ++ &dev_attr_driver_override.attr, ++ NULL, ++}; ++ ++static umode_t platform_dev_attrs_visible(struct kobject *kobj, struct attribute *a, ++ int n) ++{ ++ struct device *dev = container_of(kobj, typeof(*dev), kobj); ++ ++ if (a == &dev_attr_numa_node.attr && ++ dev_to_node(dev) == NUMA_NO_NODE) ++ return 0; ++ ++ return a->mode; ++} ++ ++static struct attribute_group platform_dev_group = { ++ .attrs = platform_dev_attrs, ++ .is_visible = platform_dev_attrs_visible, ++}; ++__ATTRIBUTE_GROUPS(platform_dev); ++ ++ ++/** ++ * platform_match - bind platform device to platform driver. ++ * @dev: device. ++ * @drv: driver. ++ * ++ * Platform device IDs are assumed to be encoded like this: ++ * "", where is a short description of the type of ++ * device, like "pci" or "floppy", and is the enumerated ++ * instance of the device, like '0' or '42'. Driver IDs are simply ++ * "". So, extract the from the platform_device structure, ++ * and compare it against the name of the driver. Return whether they match ++ * or not. ++ */ ++static int platform_match(struct device *dev, struct device_driver *drv) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct platform_driver *pdrv = to_platform_driver(drv); ++ ++ /* When driver_override is set, only bind to the matching driver */ ++ if (pdev->driver_override) ++ return !strcmp(pdev->driver_override, drv->name); ++ ++ /* Attempt an OF style match first */ ++ if (of_driver_match_device(dev, drv)) ++ return 1; ++ ++ /* Then try ACPI style match */ ++ if (acpi_driver_match_device(dev, drv)) ++ return 1; ++ ++ /* Then try to match against the id table */ ++ if (pdrv->id_table) ++ return platform_match_id(pdrv->id_table, pdev) != NULL; ++ ++ /* fall-back to driver name match */ ++ return (strcmp(pdev->name, drv->name) == 0); ++} ++ ++static int platform_uevent(struct device *dev, struct kobj_uevent_env *env) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ int rc; ++ ++ /* Some devices have extra OF data and an OF-style MODALIAS */ ++ rc = of_device_uevent_modalias(dev, env); ++ if (rc != -ENODEV) ++ return rc; ++ ++ rc = acpi_device_uevent_modalias(dev, env); ++ if (rc != -ENODEV) ++ return rc; ++ ++ add_uevent_var(env, "MODALIAS=%s%s", PLATFORM_MODULE_PREFIX, ++ pdev->name); ++ return 0; ++} ++ + int platform_dma_configure(struct device *dev) + { + enum dev_dma_attr attr; +-- +2.39.5 + diff --git a/queue-5.10/driver-core-platform-use-bus_type-functions.patch b/queue-5.10/driver-core-platform-use-bus_type-functions.patch new file mode 100644 index 0000000000..1084c88789 --- /dev/null +++ b/queue-5.10/driver-core-platform-use-bus_type-functions.patch @@ -0,0 +1,194 @@ +From 42a21f6047a9a56987a59b5340e718b5e1109e7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Nov 2020 13:46:11 +0100 +Subject: driver core: platform: use bus_type functions +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 9c30921fe7994907e0b3e0637b2c8c0fc4b5171f ] + +This works towards the goal mentioned in 2006 in commit 594c8281f905 +("[PATCH] Add bus_type probe, remove, shutdown methods."). + +The functions are moved to where the other bus_type functions are +defined and renamed to match the already established naming scheme. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20201119124611.2573057-3-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak") +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 132 ++++++++++++++++++++-------------------- + 1 file changed, 65 insertions(+), 67 deletions(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index 16426eb934632..90166535a5c05 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -743,70 +743,6 @@ struct platform_device *platform_device_register_full( + } + EXPORT_SYMBOL_GPL(platform_device_register_full); + +-static int platform_probe_fail(struct platform_device *pdev); +- +-static int platform_drv_probe(struct device *_dev) +-{ +- struct platform_driver *drv = to_platform_driver(_dev->driver); +- struct platform_device *dev = to_platform_device(_dev); +- int ret; +- +- /* +- * A driver registered using platform_driver_probe() cannot be bound +- * again later because the probe function usually lives in __init code +- * and so is gone. For these drivers .probe is set to +- * platform_probe_fail in __platform_driver_probe(). Don't even +- * prepare clocks and PM domains for these to match the traditional +- * behaviour. +- */ +- if (unlikely(drv->probe == platform_probe_fail)) +- return -ENXIO; +- +- ret = of_clk_set_defaults(_dev->of_node, false); +- if (ret < 0) +- return ret; +- +- ret = dev_pm_domain_attach(_dev, true); +- if (ret) +- goto out; +- +- if (drv->probe) { +- ret = drv->probe(dev); +- if (ret) +- dev_pm_domain_detach(_dev, true); +- } +- +-out: +- if (drv->prevent_deferred_probe && ret == -EPROBE_DEFER) { +- dev_warn(_dev, "probe deferral not supported\n"); +- ret = -ENXIO; +- } +- +- return ret; +-} +- +-static int platform_drv_remove(struct device *_dev) +-{ +- struct platform_driver *drv = to_platform_driver(_dev->driver); +- struct platform_device *dev = to_platform_device(_dev); +- int ret = 0; +- +- if (drv->remove) +- ret = drv->remove(dev); +- dev_pm_domain_detach(_dev, true); +- +- return ret; +-} +- +-static void platform_drv_shutdown(struct device *_dev) +-{ +- struct platform_driver *drv = to_platform_driver(_dev->driver); +- struct platform_device *dev = to_platform_device(_dev); +- +- if (drv->shutdown) +- drv->shutdown(dev); +-} +- + /** + * __platform_driver_register - register a driver for platform-level devices + * @drv: platform driver structure +@@ -817,9 +753,6 @@ int __platform_driver_register(struct platform_driver *drv, + { + drv->driver.owner = owner; + drv->driver.bus = &platform_bus_type; +- drv->driver.probe = platform_drv_probe; +- drv->driver.remove = platform_drv_remove; +- drv->driver.shutdown = platform_drv_shutdown; + + return driver_register(&drv->driver); + } +@@ -1329,6 +1262,68 @@ static int platform_uevent(struct device *dev, struct kobj_uevent_env *env) + return 0; + } + ++static int platform_probe(struct device *_dev) ++{ ++ struct platform_driver *drv = to_platform_driver(_dev->driver); ++ struct platform_device *dev = to_platform_device(_dev); ++ int ret; ++ ++ /* ++ * A driver registered using platform_driver_probe() cannot be bound ++ * again later because the probe function usually lives in __init code ++ * and so is gone. For these drivers .probe is set to ++ * platform_probe_fail in __platform_driver_probe(). Don't even prepare ++ * clocks and PM domains for these to match the traditional behaviour. ++ */ ++ if (unlikely(drv->probe == platform_probe_fail)) ++ return -ENXIO; ++ ++ ret = of_clk_set_defaults(_dev->of_node, false); ++ if (ret < 0) ++ return ret; ++ ++ ret = dev_pm_domain_attach(_dev, true); ++ if (ret) ++ goto out; ++ ++ if (drv->probe) { ++ ret = drv->probe(dev); ++ if (ret) ++ dev_pm_domain_detach(_dev, true); ++ } ++ ++out: ++ if (drv->prevent_deferred_probe && ret == -EPROBE_DEFER) { ++ dev_warn(_dev, "probe deferral not supported\n"); ++ ret = -ENXIO; ++ } ++ ++ return ret; ++} ++ ++static int platform_remove(struct device *_dev) ++{ ++ struct platform_driver *drv = to_platform_driver(_dev->driver); ++ struct platform_device *dev = to_platform_device(_dev); ++ int ret = 0; ++ ++ if (drv->remove) ++ ret = drv->remove(dev); ++ dev_pm_domain_detach(_dev, true); ++ ++ return ret; ++} ++ ++static void platform_shutdown(struct device *_dev) ++{ ++ struct platform_driver *drv = to_platform_driver(_dev->driver); ++ struct platform_device *dev = to_platform_device(_dev); ++ ++ if (drv->shutdown) ++ drv->shutdown(dev); ++} ++ ++ + int platform_dma_configure(struct device *dev) + { + enum dev_dma_attr attr; +@@ -1355,6 +1350,9 @@ struct bus_type platform_bus_type = { + .dev_groups = platform_dev_groups, + .match = platform_match, + .uevent = platform_uevent, ++ .probe = platform_probe, ++ .remove = platform_remove, ++ .shutdown = platform_shutdown, + .dma_configure = platform_dma_configure, + .pm = &platform_dev_pm_ops, + }; +-- +2.39.5 + diff --git a/queue-5.10/drm-amdgpu-fix-potential-null-pointer-dereference-in.patch b/queue-5.10/drm-amdgpu-fix-potential-null-pointer-dereference-in.patch new file mode 100644 index 0000000000..dd1237701d --- /dev/null +++ b/queue-5.10/drm-amdgpu-fix-potential-null-pointer-dereference-in.patch @@ -0,0 +1,44 @@ +From 0552f8ac30103417ffa89c88e1bda02f87ce405d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 11:00:43 +0300 +Subject: drm/amdgpu: Fix potential NULL pointer dereference in + atomctrl_get_smc_sclk_range_table + +From: Ivan Stepchenko + +[ Upstream commit 357445e28ff004d7f10967aa93ddb4bffa5c3688 ] + +The function atomctrl_get_smc_sclk_range_table() does not check the return +value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to +retrieve SMU_Info table, it returns NULL which is later dereferenced. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +In practice this should never happen as this code only gets called +on polaris chips and the vbios data table will always be present on +those chips. + +Fixes: a23eefa2f461 ("drm/amd/powerplay: enable dpm for baffin.") +Signed-off-by: Ivan Stepchenko +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c +index 165af862d0542..04dbd9f89a45d 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c +@@ -1370,6 +1370,8 @@ int atomctrl_get_smc_sclk_range_table(struct pp_hwmgr *hwmgr, struct pp_atom_ctr + GetIndexIntoMasterTable(DATA, SMU_Info), + &size, &frev, &crev); + ++ if (!psmu_info) ++ return -EINVAL; + + for (i = 0; i < psmu_info->ucSclkEntryNum; i++) { + table->entry[i].ucVco_setting = psmu_info->asSclkFcwRangeEntry[i].ucVco_setting; +-- +2.39.5 + diff --git a/queue-5.10/drm-etnaviv-fix-page-property-being-used-for-non-wri.patch b/queue-5.10/drm-etnaviv-fix-page-property-being-used-for-non-wri.patch new file mode 100644 index 0000000000..0ca3782e48 --- /dev/null +++ b/queue-5.10/drm-etnaviv-fix-page-property-being-used-for-non-wri.patch @@ -0,0 +1,60 @@ +From 791d9ffe333712fffb952f74ac4c77b6ca20724c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Nov 2024 08:41:56 +0800 +Subject: drm/etnaviv: Fix page property being used for non writecombine + buffers + +From: Sui Jingfeng + +[ Upstream commit 834f304192834d6f0941954f3277ae0ba11a9a86 ] + +In the etnaviv_gem_vmap_impl() function, the driver vmap whatever buffers +with write combine(WC) page property, this is incorrect. Cached buffers +should be mapped with the cached page property and uncached buffers should +be mapped with the uncached page property. + +Fixes: a0a5ab3e99b8 ("drm/etnaviv: call correct function when trying to vmap a DMABUF") +Signed-off-by: Sui Jingfeng +Signed-off-by: Lucas Stach +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/etnaviv/etnaviv_gem.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem.c b/drivers/gpu/drm/etnaviv/etnaviv_gem.c +index aa372982335e9..bdd3564634e79 100644 +--- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c +@@ -351,6 +351,7 @@ void *etnaviv_gem_vmap(struct drm_gem_object *obj) + static void *etnaviv_gem_vmap_impl(struct etnaviv_gem_object *obj) + { + struct page **pages; ++ pgprot_t prot; + + lockdep_assert_held(&obj->lock); + +@@ -358,8 +359,19 @@ static void *etnaviv_gem_vmap_impl(struct etnaviv_gem_object *obj) + if (IS_ERR(pages)) + return NULL; + +- return vmap(pages, obj->base.size >> PAGE_SHIFT, +- VM_MAP, pgprot_writecombine(PAGE_KERNEL)); ++ switch (obj->flags & ETNA_BO_CACHE_MASK) { ++ case ETNA_BO_CACHED: ++ prot = PAGE_KERNEL; ++ break; ++ case ETNA_BO_UNCACHED: ++ prot = pgprot_noncached(PAGE_KERNEL); ++ break; ++ case ETNA_BO_WC: ++ default: ++ prot = pgprot_writecombine(PAGE_KERNEL); ++ } ++ ++ return vmap(pages, obj->base.size >> PAGE_SHIFT, VM_MAP, prot); + } + + static inline enum dma_data_direction etnaviv_op_to_dma_dir(u32 op) +-- +2.39.5 + diff --git a/queue-5.10/dt-bindings-mmc-controller-clarify-the-address-cells.patch b/queue-5.10/dt-bindings-mmc-controller-clarify-the-address-cells.patch new file mode 100644 index 0000000000..f14d049754 --- /dev/null +++ b/queue-5.10/dt-bindings-mmc-controller-clarify-the-address-cells.patch @@ -0,0 +1,39 @@ +From 21bd38f238e2fe68a69e55f9c382d42bde0e4338 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Nov 2024 16:16:41 +0100 +Subject: dt-bindings: mmc: controller: clarify the address-cells description + +From: Neil Armstrong + +[ Upstream commit b2b8e93ec00b8110cb37cbde5400d5abfdaed6a7 ] + +The term "slot ID" has nothing to do with the SDIO function number +which is specified in the reg property of the subnodes, rephrase +the description to be more accurate. + +Fixes: f9b7989859dd ("dt-bindings: mmc: Add YAML schemas for the generic MMC options") +Signed-off-by: Neil Armstrong +Acked-by: Rob Herring (Arm) +Message-ID: <20241128-topic-amlogic-arm32-upstream-bindings-fixes-convert-meson-mx-sdio-v4-1-11d9f9200a59@linaro.org> +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/mmc/mmc-controller.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/mmc/mmc-controller.yaml b/Documentation/devicetree/bindings/mmc/mmc-controller.yaml +index 186f04ba93579..b7976809d8f68 100644 +--- a/Documentation/devicetree/bindings/mmc/mmc-controller.yaml ++++ b/Documentation/devicetree/bindings/mmc/mmc-controller.yaml +@@ -25,7 +25,7 @@ properties: + "#address-cells": + const: 1 + description: | +- The cell is the slot ID if a function subnode is used. ++ The cell is the SDIO function number if a function subnode is used. + + "#size-cells": + const: 0 +-- +2.39.5 + diff --git a/queue-5.10/fbdev-omapfb-fix-an-of-node-leak-in-dss_of_port_get_.patch b/queue-5.10/fbdev-omapfb-fix-an-of-node-leak-in-dss_of_port_get_.patch new file mode 100644 index 0000000000..af92b77922 --- /dev/null +++ b/queue-5.10/fbdev-omapfb-fix-an-of-node-leak-in-dss_of_port_get_.patch @@ -0,0 +1,42 @@ +From eccab193b9fda61f532cca14f0eeec3054420b36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 10:15:37 +0900 +Subject: fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() + +From: Joe Hattori + +[ Upstream commit de124b61e179e690277116e6be512e4f422b5dd8 ] + +dss_of_port_get_parent_device() leaks an OF node reference when i >= 2 +and struct device_node *np is present. Since of_get_next_parent() +obtains a reference of the returned OF node, call of_node_put() before +returning NULL. + +This was found by an experimental verifier that I am developing, and no +runtime test was able to be performed due to that lack of actual +devices. + +Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") +Signed-off-by: Joe Hattori +Reviewed-by: Laurent Pinchart +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/omap2/omapfb/dss/dss-of.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c b/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c +index 0282d4eef139d..3b16c3342cb77 100644 +--- a/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c ++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c +@@ -102,6 +102,7 @@ struct device_node *dss_of_port_get_parent_device(struct device_node *port) + np = of_get_next_parent(np); + } + ++ of_node_put(np); + return NULL; + } + +-- +2.39.5 + diff --git a/queue-5.10/genirq-make-handle_enforce_irqctx-unconditionally-av.patch b/queue-5.10/genirq-make-handle_enforce_irqctx-unconditionally-av.patch new file mode 100644 index 0000000000..e5edeaadcd --- /dev/null +++ b/queue-5.10/genirq-make-handle_enforce_irqctx-unconditionally-av.patch @@ -0,0 +1,60 @@ +From 060c0f9c50fce3108df6e2b769d32808d7b681df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 11:20:43 +0100 +Subject: genirq: Make handle_enforce_irqctx() unconditionally available + +From: Thomas Gleixner + +[ Upstream commit 8d187a77f04c14fb459a5301d69f733a5a1396bc ] + +Commit 1b57d91b969c ("irqchip/gic-v2, v3: Prevent SW resends entirely") +sett the flag which enforces interrupt handling in interrupt context and +prevents software base resends for ARM GIC v2/v3. + +But it missed that the helper function which checks the flag was hidden +behind CONFIG_GENERIC_PENDING_IRQ, which is not set by ARM[64]. + +Make the helper unconditionally available so that the enforcement actually +works. + +Fixes: 1b57d91b969c ("irqchip/gic-v2, v3: Prevent SW resends entirely") +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/all/20241210101811.497716609@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/irq/internals.h | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h +index f1d83a8b44171..da1f282d5a1d1 100644 +--- a/kernel/irq/internals.h ++++ b/kernel/irq/internals.h +@@ -429,10 +429,6 @@ static inline struct cpumask *irq_desc_get_pending_mask(struct irq_desc *desc) + { + return desc->pending_mask; + } +-static inline bool handle_enforce_irqctx(struct irq_data *data) +-{ +- return irqd_is_handle_enforce_irqctx(data); +-} + bool irq_fixup_move_pending(struct irq_desc *desc, bool force_clear); + #else /* CONFIG_GENERIC_PENDING_IRQ */ + static inline bool irq_can_move_pcntxt(struct irq_data *data) +@@ -459,11 +455,12 @@ static inline bool irq_fixup_move_pending(struct irq_desc *desc, bool fclear) + { + return false; + } ++#endif /* !CONFIG_GENERIC_PENDING_IRQ */ ++ + static inline bool handle_enforce_irqctx(struct irq_data *data) + { +- return false; ++ return irqd_is_handle_enforce_irqctx(data); + } +-#endif /* !CONFIG_GENERIC_PENDING_IRQ */ + + #if !defined(CONFIG_IRQ_DOMAIN) || !defined(CONFIG_IRQ_DOMAIN_HIERARCHY) + static inline int irq_domain_activate_irq(struct irq_data *data, bool reserve) +-- +2.39.5 + diff --git a/queue-5.10/ipmi-ipmb-add-check-devm_kasprintf-returned-value.patch b/queue-5.10/ipmi-ipmb-add-check-devm_kasprintf-returned-value.patch new file mode 100644 index 0000000000..8de6fcf2bd --- /dev/null +++ b/queue-5.10/ipmi-ipmb-add-check-devm_kasprintf-returned-value.patch @@ -0,0 +1,38 @@ +From 9c751e59a57a0ed68c47f2d8ccfb668d50271830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Sep 2024 17:44:19 +0800 +Subject: ipmi: ipmb: Add check devm_kasprintf() returned value + +From: Charles Han + +[ Upstream commit 2378bd0b264ad3a1f76bd957caf33ee0c7945351 ] + +devm_kasprintf() can return a NULL pointer on failure but this +returned value is not checked. + +Fixes: 51bd6f291583 ("Add support for IPMB driver") +Signed-off-by: Charles Han +Message-ID: <20240926094419.25900-1-hanchunchao@inspur.com> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmb_dev_int.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c +index 382b28f1cf2f6..8800f2998d590 100644 +--- a/drivers/char/ipmi/ipmb_dev_int.c ++++ b/drivers/char/ipmi/ipmb_dev_int.c +@@ -322,6 +322,9 @@ static int ipmb_probe(struct i2c_client *client, + ipmb_dev->miscdev.name = devm_kasprintf(&client->dev, GFP_KERNEL, + "%s%d", "ipmb-", + client->adapter->nr); ++ if (!ipmb_dev->miscdev.name) ++ return -ENOMEM; ++ + ipmb_dev->miscdev.fops = &ipmb_fops; + ipmb_dev->miscdev.parent = &client->dev; + ret = misc_register(&ipmb_dev->miscdev); +-- +2.39.5 + diff --git a/queue-5.10/ipmr-do-not-call-mr_mfc_uses_dev-for-unres-entries.patch b/queue-5.10/ipmr-do-not-call-mr_mfc_uses_dev-for-unres-entries.patch new file mode 100644 index 0000000000..d61390f3b9 --- /dev/null +++ b/queue-5.10/ipmr-do-not-call-mr_mfc_uses_dev-for-unres-entries.patch @@ -0,0 +1,71 @@ +From 9c258f48b695c7203dc4429f4e9d7c02fbfae3fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jan 2025 18:12:41 +0000 +Subject: ipmr: do not call mr_mfc_uses_dev() for unres entries + +From: Eric Dumazet + +[ Upstream commit 15a901361ec3fb1c393f91880e1cbf24ec0a88bd ] + +syzbot found that calling mr_mfc_uses_dev() for unres entries +would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif +alias to "struct sk_buff_head unresolved", which contain two pointers. + +This code never worked, lets remove it. + +[1] +Unable to handle kernel paging request at virtual address ffff5fff2d536613 +KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] +Modules linked in: +CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] + pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 + lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline] + lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 +Call trace: + mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P) + mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) + mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 + ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 + rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 + rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 + netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 + netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 + sock_recvmsg_nosec net/socket.c:1033 [inline] + sock_recvmsg net/socket.c:1055 [inline] + sock_read_iter+0x2d8/0x40c net/socket.c:1125 + new_sync_read fs/read_write.c:484 [inline] + vfs_read+0x740/0x970 fs/read_write.c:565 + ksys_read+0x15c/0x26c fs/read_write.c:708 + +Fixes: cb167893f41e ("net: Plumb support for filtering ipv4 and ipv6 multicast route dumps") +Reported-by: syzbot+5cfae50c0e5f2c500013@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/678fe2d1.050a0220.15cac.00b3.GAE@google.com/T/#u +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Link: https://patch.msgid.link/20250121181241.841212-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/ipmr_base.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c +index c45cb7cb57590..8b5b6f196cdc4 100644 +--- a/net/ipv4/ipmr_base.c ++++ b/net/ipv4/ipmr_base.c +@@ -321,9 +321,6 @@ int mr_table_dump(struct mr_table *mrt, struct sk_buff *skb, + list_for_each_entry(mfc, &mrt->mfc_unres_queue, list) { + if (e < s_e) + goto next_entry2; +- if (filter->dev && +- !mr_mfc_uses_dev(mrt, mfc, filter->dev)) +- goto next_entry2; + + err = fill(mrt, skb, NETLINK_CB(cb->skb).portid, + cb->nlh->nlmsg_seq, mfc, RTM_NEWROUTE, flags); +-- +2.39.5 + diff --git a/queue-5.10/ktest.pl-remove-unused-declarations-in-run_bisect_te.patch b/queue-5.10/ktest.pl-remove-unused-declarations-in-run_bisect_te.patch new file mode 100644 index 0000000000..35e84532b3 --- /dev/null +++ b/queue-5.10/ktest.pl-remove-unused-declarations-in-run_bisect_te.patch @@ -0,0 +1,37 @@ +From 39a73b24f0572b861febdb1fb082039b1ac2aa5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Sep 2024 21:07:35 +0800 +Subject: ktest.pl: Remove unused declarations in run_bisect_test function + +From: Ba Jing + +[ Upstream commit 776735b954f49f85fd19e1198efa421fae2ad77c ] + +Since $output and $ret are not used in the subsequent code, the declarations +should be removed. + +Fixes: a75fececff3c ("ktest: Added sample.conf, new %default option format") +Link: https://lore.kernel.org/20240902130735.6034-1-bajing@cmss.chinamobile.com +Signed-off-by: Ba Jing +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + tools/testing/ktest/ktest.pl | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl +index f260b455b74d4..72101e172e073 100755 +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -2892,8 +2892,6 @@ sub run_bisect_test { + + my $failed = 0; + my $result; +- my $output; +- my $ret; + + $in_bisect = 1; + +-- +2.39.5 + diff --git a/queue-5.10/leds-netxbig-fix-an-of-node-reference-leak-in-netxbi.patch b/queue-5.10/leds-netxbig-fix-an-of-node-reference-leak-in-netxbi.patch new file mode 100644 index 0000000000..b6fe3646e0 --- /dev/null +++ b/queue-5.10/leds-netxbig-fix-an-of-node-reference-leak-in-netxbi.patch @@ -0,0 +1,41 @@ +From 34edd797b6516ed6b638984266c49853aa6a36a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Dec 2024 16:49:23 +0900 +Subject: leds: netxbig: Fix an OF node reference leak in + netxbig_leds_get_of_pdata() + +From: Joe Hattori + +[ Upstream commit 0508316be63bb735f59bdc8fe4527cadb62210ca ] + +netxbig_leds_get_of_pdata() does not release the OF node obtained by +of_parse_phandle() when of_find_device_by_node() fails. Add an +of_node_put() call to fix the leak. + +This bug was found by an experimental static analysis tool that I am +developing. + +Fixes: 9af512e81964 ("leds: netxbig: Convert to use GPIO descriptors") +Signed-off-by: Joe Hattori +Link: https://lore.kernel.org/r/20241216074923.628509-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-netxbig.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/leds/leds-netxbig.c b/drivers/leds/leds-netxbig.c +index 68fbf0b66fadd..c2cc45e19c4b2 100644 +--- a/drivers/leds/leds-netxbig.c ++++ b/drivers/leds/leds-netxbig.c +@@ -440,6 +440,7 @@ static int netxbig_leds_get_of_pdata(struct device *dev, + } + gpio_ext_pdev = of_find_device_by_node(gpio_ext_np); + if (!gpio_ext_pdev) { ++ of_node_put(gpio_ext_np); + dev_err(dev, "Failed to find platform device for gpio-ext\n"); + return -ENODEV; + } +-- +2.39.5 + diff --git a/queue-5.10/media-camif-core-add-check-for-clk_enable.patch b/queue-5.10/media-camif-core-add-check-for-clk_enable.patch new file mode 100644 index 0000000000..7551c62dac --- /dev/null +++ b/queue-5.10/media-camif-core-add-check-for-clk_enable.patch @@ -0,0 +1,50 @@ +From 5f1b122052f9e68efc560d25686407b34f9d32cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2024 19:18:17 +0000 +Subject: media: camif-core: Add check for clk_enable() + +From: Jiasheng Jiang + +[ Upstream commit 77ed2470ac09c2b0a33cf3f98cc51d18ba9ed976 ] + +Add check for the return value of clk_enable() to gurantee the success. + +Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s3c-camif/camif-core.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/s3c-camif/camif-core.c b/drivers/media/platform/s3c-camif/camif-core.c +index 422fd549e9c87..aa2427cb2e63b 100644 +--- a/drivers/media/platform/s3c-camif/camif-core.c ++++ b/drivers/media/platform/s3c-camif/camif-core.c +@@ -529,10 +529,19 @@ static int s3c_camif_remove(struct platform_device *pdev) + static int s3c_camif_runtime_resume(struct device *dev) + { + struct camif_dev *camif = dev_get_drvdata(dev); ++ int ret; ++ ++ ret = clk_enable(camif->clock[CLK_GATE]); ++ if (ret) ++ return ret; + +- clk_enable(camif->clock[CLK_GATE]); + /* null op on s3c244x */ +- clk_enable(camif->clock[CLK_CAM]); ++ ret = clk_enable(camif->clock[CLK_CAM]); ++ if (ret) { ++ clk_disable(camif->clock[CLK_GATE]); ++ return ret; ++ } ++ + return 0; + } + +-- +2.39.5 + diff --git a/queue-5.10/media-lmedm04-handle-errors-for-lme2510_int_read.patch b/queue-5.10/media-lmedm04-handle-errors-for-lme2510_int_read.patch new file mode 100644 index 0000000000..d53fec621e --- /dev/null +++ b/queue-5.10/media-lmedm04-handle-errors-for-lme2510_int_read.patch @@ -0,0 +1,58 @@ +From 2384bc02b1cdc348b3d82982b5dcc6217cb72736 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 17:10:42 +0800 +Subject: media: lmedm04: Handle errors for lme2510_int_read + +From: Chen Ni + +[ Upstream commit a2836d3fe220220ff8c495ca9722f89cea8a67e7 ] + +Add check for the return value of usb_pipe_endpoint() and +usb_submit_urb() in order to catch the errors. + +Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb") +Signed-off-by: Chen Ni +Link: https://lore.kernel.org/r/20240521091042.1769684-1-nichen@iscas.ac.cn +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c +index 0f5a1eed5ea9f..b54eb5a083561 100644 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -372,6 +372,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) + struct dvb_usb_device *d = adap_to_d(adap); + struct lme2510_state *lme_int = adap_to_priv(adap); + struct usb_host_endpoint *ep; ++ int ret; + + lme_int->lme_urb = usb_alloc_urb(0, GFP_KERNEL); + +@@ -389,11 +390,20 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) + + /* Quirk of pipe reporting PIPE_BULK but behaves as interrupt */ + ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe); ++ if (!ep) { ++ usb_free_urb(lme_int->lme_urb); ++ return -ENODEV; ++ } + + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) + lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa); + +- usb_submit_urb(lme_int->lme_urb, GFP_KERNEL); ++ ret = usb_submit_urb(lme_int->lme_urb, GFP_KERNEL); ++ if (ret) { ++ usb_free_urb(lme_int->lme_urb); ++ return ret; ++ } ++ + info("INT Interrupt Service Started"); + + return 0; +-- +2.39.5 + diff --git a/queue-5.10/media-lmedm04-use-gfp_kernel-for-urb-allocation-subm.patch b/queue-5.10/media-lmedm04-use-gfp_kernel-for-urb-allocation-subm.patch new file mode 100644 index 0000000000..6a4f33d15f --- /dev/null +++ b/queue-5.10/media-lmedm04-use-gfp_kernel-for-urb-allocation-subm.patch @@ -0,0 +1,47 @@ +From ba9cdff976ba1f2c53a3c335ccb017260385d62f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Oct 2020 11:32:43 +0200 +Subject: media: lmedm04: Use GFP_KERNEL for URB allocation/submission. + +From: Malcolm Priestley + +[ Upstream commit add5861769f912af0181f5fbd79dbf19c8211c20 ] + +lme2510_int_read is not atomically called so use GFP_KERNEL for +usb_alloc_urb and usb_submit_urb which is the first in the chain +of interrupt submissions. + +Signed-off-by: Malcolm Priestley +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: a2836d3fe220 ("media: lmedm04: Handle errors for lme2510_int_read") +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c +index 9ddda8d68ee0f..0f5a1eed5ea9f 100644 +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -373,7 +373,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) + struct lme2510_state *lme_int = adap_to_priv(adap); + struct usb_host_endpoint *ep; + +- lme_int->lme_urb = usb_alloc_urb(0, GFP_ATOMIC); ++ lme_int->lme_urb = usb_alloc_urb(0, GFP_KERNEL); + + if (lme_int->lme_urb == NULL) + return -ENOMEM; +@@ -393,7 +393,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap) + if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK) + lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa); + +- usb_submit_urb(lme_int->lme_urb, GFP_ATOMIC); ++ usb_submit_urb(lme_int->lme_urb, GFP_KERNEL); + info("INT Interrupt Service Started"); + + return 0; +-- +2.39.5 + diff --git a/queue-5.10/media-marvell-add-check-for-clk_enable.patch b/queue-5.10/media-marvell-add-check-for-clk_enable.patch new file mode 100644 index 0000000000..bd540fa165 --- /dev/null +++ b/queue-5.10/media-marvell-add-check-for-clk_enable.patch @@ -0,0 +1,42 @@ +From 4a41255bc2ab4917f188fe0535739815912e87f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 21:29:02 +0000 +Subject: media: marvell: Add check for clk_enable() + +From: Jiasheng Jiang + +[ Upstream commit 11f68d2ba2e1521a608af773bf788e8cfa260f68 ] + +Add check for the return value of clk_enable() to guarantee the success. + +Fixes: 81a409bfd551 ("media: marvell-ccic: provide a clock for the sensor") +Signed-off-by: Jiasheng Jiang +[Sakari Ailus: Fix spelling in commit message.] +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/marvell-ccic/mcam-core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c +index e56c5e56e824a..2d7e68fa2b9af 100644 +--- a/drivers/media/platform/marvell-ccic/mcam-core.c ++++ b/drivers/media/platform/marvell-ccic/mcam-core.c +@@ -935,7 +935,12 @@ static int mclk_enable(struct clk_hw *hw) + ret = pm_runtime_resume_and_get(cam->dev); + if (ret < 0) + return ret; +- clk_enable(cam->clk[0]); ++ ret = clk_enable(cam->clk[0]); ++ if (ret) { ++ pm_runtime_put(cam->dev); ++ return ret; ++ } ++ + mcam_reg_write(cam, REG_CLKCTRL, (mclk_src << 29) | mclk_div); + mcam_ctlr_power_up(cam); + +-- +2.39.5 + diff --git a/queue-5.10/media-mipi-csis-add-check-for-clk_enable.patch b/queue-5.10/media-mipi-csis-add-check-for-clk_enable.patch new file mode 100644 index 0000000000..968f90b082 --- /dev/null +++ b/queue-5.10/media-mipi-csis-add-check-for-clk_enable.patch @@ -0,0 +1,50 @@ +From 6231f3bef30fe9158042bd83835b6e58628a0ca4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Nov 2024 19:18:18 +0000 +Subject: media: mipi-csis: Add check for clk_enable() + +From: Jiasheng Jiang + +[ Upstream commit 125ad1aeec77eb55273b420be6894b284a01e4b6 ] + +Add check for the return value of clk_enable() to gurantee the success. + +Fixes: b5f1220d587d ("[media] v4l: Add v4l2 subdev driver for S5P/EXYNOS4 MIPI-CSI receivers") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/mipi-csis.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c +index ebf39c8568943..e6c86ba30fa32 100644 +--- a/drivers/media/platform/exynos4-is/mipi-csis.c ++++ b/drivers/media/platform/exynos4-is/mipi-csis.c +@@ -939,13 +939,19 @@ static int s5pcsis_pm_resume(struct device *dev, bool runtime) + state->supplies); + goto unlock; + } +- clk_enable(state->clock[CSIS_CLK_GATE]); ++ ret = clk_enable(state->clock[CSIS_CLK_GATE]); ++ if (ret) { ++ phy_power_off(state->phy); ++ regulator_bulk_disable(CSIS_NUM_SUPPLIES, ++ state->supplies); ++ goto unlock; ++ } + } + if (state->flags & ST_STREAMING) + s5pcsis_start_stream(state); + + state->flags &= ~ST_SUSPENDED; +- unlock: ++unlock: + mutex_unlock(&state->lock); + return ret ? -EAGAIN : 0; + } +-- +2.39.5 + diff --git a/queue-5.10/media-rc-iguanair-handle-timeouts.patch b/queue-5.10/media-rc-iguanair-handle-timeouts.patch new file mode 100644 index 0000000000..77944aa7dd --- /dev/null +++ b/queue-5.10/media-rc-iguanair-handle-timeouts.patch @@ -0,0 +1,48 @@ +From 9d59eb279cb0c3c95cbd14cb3398cfc0d1be8989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Nov 2024 14:17:22 +0100 +Subject: media: rc: iguanair: handle timeouts + +From: Oliver Neukum + +[ Upstream commit b98d5000c50544f14bacb248c34e5219fbe81287 ] + +In case of a timeout the IO must be cancelled or +the next IO using the URB will fail and/or overwrite +an operational URB. + +The automatic bisection fails because it arrives +at a commit that correctly lets the test case run +without an error. + +Signed-off-by: Oliver Neukum +Fixes: e99a7cfe93fd ("[media] iguanair: reuse existing urb callback for command responses") +Reported-by: syzbot+ffba8e636870dac0e0c0@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/66f5cc9a.050a0220.46d20.0004.GAE@google.com/ +Tested-by: syzbot+ffba8e636870dac0e0c0@syzkaller.appspotmail.com +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/iguanair.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c +index 84949baf9f6b3..c1343df0dbbab 100644 +--- a/drivers/media/rc/iguanair.c ++++ b/drivers/media/rc/iguanair.c +@@ -197,8 +197,10 @@ static int iguanair_send(struct iguanair *ir, unsigned size) + if (rc) + return rc; + +- if (wait_for_completion_timeout(&ir->completion, TIMEOUT) == 0) ++ if (wait_for_completion_timeout(&ir->completion, TIMEOUT) == 0) { ++ usb_kill_urb(ir->urb_out); + return -ETIMEDOUT; ++ } + + return rc; + } +-- +2.39.5 + diff --git a/queue-5.10/media-uvcvideo-propagate-buf-error-to-userspace.patch b/queue-5.10/media-uvcvideo-propagate-buf-error-to-userspace.patch new file mode 100644 index 0000000000..c1f14026fa --- /dev/null +++ b/queue-5.10/media-uvcvideo-propagate-buf-error-to-userspace.patch @@ -0,0 +1,44 @@ +From 47a65e72e88e6064daf3f079afc8a7da87d05fe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 21:39:08 +0000 +Subject: media: uvcvideo: Propagate buf->error to userspace + +From: Ricardo Ribalda + +[ Upstream commit 87ce177654e388451850905a1d376658aebe8699 ] + +Now we return VB2_BUF_STATE_DONE for valid and invalid frames. Propagate +the correct value, so the user can know if the frame is valid or not via +struct v4l2_buffer->flags. + +Reported-by: Hans de Goede +Closes: https://lore.kernel.org/linux-media/84b0f212-cd88-46bb-8e6f-b94ec3eccba6@redhat.com +Fixes: 6998b6fb4b1c ("[media] uvcvideo: Use videobuf2-vmalloc") +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20241218-uvc-deprecate-v2-1-ab814139e983@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_queue.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_queue.c b/drivers/media/usb/uvc/uvc_queue.c +index cd60c6c1749ea..6a9fdd32cfb86 100644 +--- a/drivers/media/usb/uvc/uvc_queue.c ++++ b/drivers/media/usb/uvc/uvc_queue.c +@@ -486,7 +486,8 @@ static void uvc_queue_buffer_complete(struct kref *ref) + + buf->state = buf->error ? UVC_BUF_STATE_ERROR : UVC_BUF_STATE_DONE; + vb2_set_plane_payload(&buf->buf.vb2_buf, 0, buf->bytesused); +- vb2_buffer_done(&buf->buf.vb2_buf, VB2_BUF_STATE_DONE); ++ vb2_buffer_done(&buf->buf.vb2_buf, buf->error ? VB2_BUF_STATE_ERROR : ++ VB2_BUF_STATE_DONE); + } + + /* +-- +2.39.5 + diff --git a/queue-5.10/module-extend-the-preempt-disabled-section-in-derefe.patch b/queue-5.10/module-extend-the-preempt-disabled-section-in-derefe.patch new file mode 100644 index 0000000000..cd206bad93 --- /dev/null +++ b/queue-5.10/module-extend-the-preempt-disabled-section-in-derefe.patch @@ -0,0 +1,59 @@ +From c06c749bd4f8beed37b15014dfa96ad7aefb85a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 10:04:30 +0100 +Subject: module: Extend the preempt disabled section in + dereference_symbol_descriptor(). + +From: Sebastian Andrzej Siewior + +[ Upstream commit a145c848d69f9c6f32008d8319edaa133360dd74 ] + +dereference_symbol_descriptor() needs to obtain the module pointer +belonging to pointer in order to resolve that pointer. +The returned mod pointer is obtained under RCU-sched/ preempt_disable() +guarantees and needs to be used within this section to ensure that the +module is not removed in the meantime. + +Extend the preempt_disable() section to also cover +dereference_module_function_descriptor(). + +Fixes: 04b8eb7a4ccd9 ("symbol lookup: introduce dereference_symbol_descriptor()") +Cc: James E.J. Bottomley +Cc: Christophe Leroy +Cc: Helge Deller +Cc: Madhavan Srinivasan +Cc: Michael Ellerman +Cc: Naveen N Rao +Cc: Nicholas Piggin +Cc: Sergey Senozhatsky +Cc: linux-parisc@vger.kernel.org +Cc: linuxppc-dev@lists.ozlabs.org +Reviewed-by: Sergey Senozhatsky +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Sebastian Andrzej Siewior +Link: https://lore.kernel.org/r/20250108090457.512198-2-bigeasy@linutronix.de +Signed-off-by: Petr Pavlu +Signed-off-by: Sasha Levin +--- + include/linux/kallsyms.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h +index 430f1cefbb9e1..ea2eb5fe83a3c 100644 +--- a/include/linux/kallsyms.h ++++ b/include/linux/kallsyms.h +@@ -63,10 +63,10 @@ static inline void *dereference_symbol_descriptor(void *ptr) + + preempt_disable(); + mod = __module_address((unsigned long)ptr); +- preempt_enable(); + + if (mod) + ptr = dereference_module_function_descriptor(mod, ptr); ++ preempt_enable(); + #endif + return ptr; + } +-- +2.39.5 + diff --git a/queue-5.10/mtd-hyperbus-hbmc-am654-convert-to-platform-remove-c.patch b/queue-5.10/mtd-hyperbus-hbmc-am654-convert-to-platform-remove-c.patch new file mode 100644 index 0000000000..9eaec5c0e5 --- /dev/null +++ b/queue-5.10/mtd-hyperbus-hbmc-am654-convert-to-platform-remove-c.patch @@ -0,0 +1,70 @@ +From dedab413388b592ae804446041bc6f7e77dfaf5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Oct 2023 22:01:32 +0200 +Subject: mtd: hyperbus: hbmc-am654: Convert to platform remove callback + returning void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 59bd56760df17506bc2f828f19b40a2243edd0d0 ] + +The .remove() callback for a platform driver returns an int which makes +many driver authors wrongly assume it's possible to do error handling by +returning an error code. However the value returned is ignored (apart +from emitting a warning) and this typically results in resource leaks. + +To improve here there is a quest to make the remove callback return +void. In the first step of this quest all drivers are converted to +.remove_new(), which already returns void. Eventually after all drivers +are converted, .remove_new() will be renamed to .remove(). + +Trivially convert this driver from always returning zero in the remove +callback to the void returning variant. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Miquel Raynal +Acked-by: Tudor Ambarus +Link: https://lore.kernel.org/linux-mtd/20231008200143.196369-10-u.kleine-koenig@pengutronix.de +Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak") +Signed-off-by: Sasha Levin +--- + drivers/mtd/hyperbus/hbmc-am654.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/mtd/hyperbus/hbmc-am654.c b/drivers/mtd/hyperbus/hbmc-am654.c +index a6161ce340d4e..dbe3eb361cca2 100644 +--- a/drivers/mtd/hyperbus/hbmc-am654.c ++++ b/drivers/mtd/hyperbus/hbmc-am654.c +@@ -229,7 +229,7 @@ static int am654_hbmc_probe(struct platform_device *pdev) + return ret; + } + +-static int am654_hbmc_remove(struct platform_device *pdev) ++static void am654_hbmc_remove(struct platform_device *pdev) + { + struct am654_hbmc_priv *priv = platform_get_drvdata(pdev); + struct am654_hbmc_device_priv *dev_priv = priv->hbdev.priv; +@@ -241,8 +241,6 @@ static int am654_hbmc_remove(struct platform_device *pdev) + + if (dev_priv->rx_chan) + dma_release_channel(dev_priv->rx_chan); +- +- return 0; + } + + static const struct of_device_id am654_hbmc_dt_ids[] = { +@@ -256,7 +254,7 @@ MODULE_DEVICE_TABLE(of, am654_hbmc_dt_ids); + + static struct platform_driver am654_hbmc_platform_driver = { + .probe = am654_hbmc_probe, +- .remove = am654_hbmc_remove, ++ .remove_new = am654_hbmc_remove, + .driver = { + .name = "hbmc-am654", + .of_match_table = am654_hbmc_dt_ids, +-- +2.39.5 + diff --git a/queue-5.10/mtd-hyperbus-hbmc-am654-fix-an-of-node-reference-lea.patch b/queue-5.10/mtd-hyperbus-hbmc-am654-fix-an-of-node-reference-lea.patch new file mode 100644 index 0000000000..4c4c14d588 --- /dev/null +++ b/queue-5.10/mtd-hyperbus-hbmc-am654-fix-an-of-node-reference-lea.patch @@ -0,0 +1,82 @@ +From 1ea3481b5c548f292943bcb58bc9cceebd8838ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 22:38:09 +0900 +Subject: mtd: hyperbus: hbmc-am654: fix an OF node reference leak + +From: Joe Hattori + +[ Upstream commit bf5821909eb9c7f5d07d5c6e852ead2c373c94a0 ] + +In am654_hbmc_platform_driver, .remove() and the error path of .probe() +do not decrement the refcount of an OF node obtained by + of_get_next_child(). Fix this by adding of_node_put() calls. + +Fixes: aca31ce96814 ("mtd: hyperbus: hbmc-am654: Fix direct mapping setup flash access") +Signed-off-by: Joe Hattori +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +--- + drivers/mtd/hyperbus/hbmc-am654.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/mtd/hyperbus/hbmc-am654.c b/drivers/mtd/hyperbus/hbmc-am654.c +index dbe3eb361cca2..4b6cbee23fe89 100644 +--- a/drivers/mtd/hyperbus/hbmc-am654.c ++++ b/drivers/mtd/hyperbus/hbmc-am654.c +@@ -174,26 +174,30 @@ static int am654_hbmc_probe(struct platform_device *pdev) + priv->hbdev.np = of_get_next_child(np, NULL); + ret = of_address_to_resource(priv->hbdev.np, 0, &res); + if (ret) +- return ret; ++ goto put_node; + + if (of_property_read_bool(dev->of_node, "mux-controls")) { + struct mux_control *control = devm_mux_control_get(dev, NULL); + +- if (IS_ERR(control)) +- return PTR_ERR(control); ++ if (IS_ERR(control)) { ++ ret = PTR_ERR(control); ++ goto put_node; ++ } + + ret = mux_control_select(control, 1); + if (ret) { + dev_err(dev, "Failed to select HBMC mux\n"); +- return ret; ++ goto put_node; + } + priv->mux_ctrl = control; + } + + priv->hbdev.map.size = resource_size(&res); + priv->hbdev.map.virt = devm_ioremap_resource(dev, &res); +- if (IS_ERR(priv->hbdev.map.virt)) +- return PTR_ERR(priv->hbdev.map.virt); ++ if (IS_ERR(priv->hbdev.map.virt)) { ++ ret = PTR_ERR(priv->hbdev.map.virt); ++ goto disable_mux; ++ } + + priv->ctlr.dev = dev; + priv->ctlr.ops = &am654_hbmc_ops; +@@ -226,6 +230,8 @@ static int am654_hbmc_probe(struct platform_device *pdev) + disable_mux: + if (priv->mux_ctrl) + mux_control_deselect(priv->mux_ctrl); ++put_node: ++ of_node_put(priv->hbdev.np); + return ret; + } + +@@ -241,6 +247,7 @@ static void am654_hbmc_remove(struct platform_device *pdev) + + if (dev_priv->rx_chan) + dma_release_channel(dev_priv->rx_chan); ++ of_node_put(priv->hbdev.np); + } + + static const struct of_device_id am654_hbmc_dt_ids[] = { +-- +2.39.5 + diff --git a/queue-5.10/mtd-hyperbus-make-hyperbus_unregister_device-return-.patch b/queue-5.10/mtd-hyperbus-make-hyperbus_unregister_device-return-.patch new file mode 100644 index 0000000000..9aa63f196d --- /dev/null +++ b/queue-5.10/mtd-hyperbus-make-hyperbus_unregister_device-return-.patch @@ -0,0 +1,117 @@ +From 9cfe7c4f97f6d4cf6aacc85a5282564415887533 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 23:07:45 +0200 +Subject: mtd: hyperbus: Make hyperbus_unregister_device() return void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 0c90466a7985d39355f743e9cd2139da3e86c4d8 ] + +The only thing that could theoretically fail in that function is +mtd_device_unregister(). However it's not supposed to fail and when +used correctly it doesn't. So wail loudly if it does anyhow. + +This matches how other drivers (e.g. nand/raw/nandsim.c) use +mtd_device_unregister(). + +This is a preparation for making platform remove callbacks return void. + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220603210758.148493-2-u.kleine-koenig@pengutronix.de +Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak") +Signed-off-by: Sasha Levin +--- + drivers/mtd/hyperbus/hbmc-am654.c | 6 +++--- + drivers/mtd/hyperbus/hyperbus-core.c | 8 ++------ + drivers/mtd/hyperbus/rpc-if.c | 5 +++-- + include/linux/mtd/hyperbus.h | 4 +--- + 4 files changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/mtd/hyperbus/hbmc-am654.c b/drivers/mtd/hyperbus/hbmc-am654.c +index a3439b791eeb4..a6161ce340d4e 100644 +--- a/drivers/mtd/hyperbus/hbmc-am654.c ++++ b/drivers/mtd/hyperbus/hbmc-am654.c +@@ -233,16 +233,16 @@ static int am654_hbmc_remove(struct platform_device *pdev) + { + struct am654_hbmc_priv *priv = platform_get_drvdata(pdev); + struct am654_hbmc_device_priv *dev_priv = priv->hbdev.priv; +- int ret; + +- ret = hyperbus_unregister_device(&priv->hbdev); ++ hyperbus_unregister_device(&priv->hbdev); ++ + if (priv->mux_ctrl) + mux_control_deselect(priv->mux_ctrl); + + if (dev_priv->rx_chan) + dma_release_channel(dev_priv->rx_chan); + +- return ret; ++ return 0; + } + + static const struct of_device_id am654_hbmc_dt_ids[] = { +diff --git a/drivers/mtd/hyperbus/hyperbus-core.c b/drivers/mtd/hyperbus/hyperbus-core.c +index 2f9fc4e17d53e..4d8047d43e48e 100644 +--- a/drivers/mtd/hyperbus/hyperbus-core.c ++++ b/drivers/mtd/hyperbus/hyperbus-core.c +@@ -126,16 +126,12 @@ int hyperbus_register_device(struct hyperbus_device *hbdev) + } + EXPORT_SYMBOL_GPL(hyperbus_register_device); + +-int hyperbus_unregister_device(struct hyperbus_device *hbdev) ++void hyperbus_unregister_device(struct hyperbus_device *hbdev) + { +- int ret = 0; +- + if (hbdev && hbdev->mtd) { +- ret = mtd_device_unregister(hbdev->mtd); ++ WARN_ON(mtd_device_unregister(hbdev->mtd)); + map_destroy(hbdev->mtd); + } +- +- return ret; + } + EXPORT_SYMBOL_GPL(hyperbus_unregister_device); + +diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c +index dc164c18f8429..cd0e577684ff0 100644 +--- a/drivers/mtd/hyperbus/rpc-if.c ++++ b/drivers/mtd/hyperbus/rpc-if.c +@@ -151,11 +151,12 @@ static int rpcif_hb_probe(struct platform_device *pdev) + static int rpcif_hb_remove(struct platform_device *pdev) + { + struct rpcif_hyperbus *hyperbus = platform_get_drvdata(pdev); +- int error = hyperbus_unregister_device(&hyperbus->hbdev); ++ ++ hyperbus_unregister_device(&hyperbus->hbdev); + + rpcif_disable_rpm(&hyperbus->rpc); + +- return error; ++ return 0; + } + + static struct platform_driver rpcif_platform_driver = { +diff --git a/include/linux/mtd/hyperbus.h b/include/linux/mtd/hyperbus.h +index 0ce612428aea2..bb6b7121a5427 100644 +--- a/include/linux/mtd/hyperbus.h ++++ b/include/linux/mtd/hyperbus.h +@@ -89,9 +89,7 @@ int hyperbus_register_device(struct hyperbus_device *hbdev); + /** + * hyperbus_unregister_device - deregister HyperBus slave memory device + * @hbdev: hyperbus_device to be unregistered +- * +- * Return: 0 for success, others for failure. + */ +-int hyperbus_unregister_device(struct hyperbus_device *hbdev); ++void hyperbus_unregister_device(struct hyperbus_device *hbdev); + + #endif /* __LINUX_MTD_HYPERBUS_H__ */ +-- +2.39.5 + diff --git a/queue-5.10/nbd-don-t-allow-reconnect-after-disconnect.patch b/queue-5.10/nbd-don-t-allow-reconnect-after-disconnect.patch new file mode 100644 index 0000000000..39469f6ee4 --- /dev/null +++ b/queue-5.10/nbd-don-t-allow-reconnect-after-disconnect.patch @@ -0,0 +1,75 @@ +From 134fd000ebbf5634f68765b6481e1c8f26709844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jan 2025 17:28:59 +0800 +Subject: nbd: don't allow reconnect after disconnect + +From: Yu Kuai + +[ Upstream commit 844b8cdc681612ff24df62cdefddeab5772fadf1 ] + +Following process can cause nbd_config UAF: + +1) grab nbd_config temporarily; + +2) nbd_genl_disconnect() flush all recv_work() and release the +initial reference: + + nbd_genl_disconnect + nbd_disconnect_and_put + nbd_disconnect + flush_workqueue(nbd->recv_workq) + if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...)) + nbd_config_put + -> due to step 1), reference is still not zero + +3) nbd_genl_reconfigure() queue recv_work() again; + + nbd_genl_reconfigure + config = nbd_get_config_unlocked(nbd) + if (!config) + -> succeed + if (!test_bit(NBD_RT_BOUND, ...)) + -> succeed + nbd_reconnect_socket + queue_work(nbd->recv_workq, &args->work) + +4) step 1) release the reference; + +5) Finially, recv_work() will trigger UAF: + + recv_work + nbd_config_put(nbd) + -> nbd_config is freed + atomic_dec(&config->recv_threads) + -> UAF + +Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so +that nbd_genl_reconfigure() will fail. + +Fixes: b7aa3d39385d ("nbd: add a reconfigure netlink command") +Reported-by: syzbot+6b0df248918b92c33e6a@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/675bfb65.050a0220.1a2d0d.0006.GAE@google.com/ +Signed-off-by: Yu Kuai +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250103092859.3574648-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index d6e3edb404748..4776009587190 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -2065,6 +2065,7 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd) + flush_workqueue(nbd->recv_workq); + nbd_clear_que(nbd); + nbd->task_setup = NULL; ++ clear_bit(NBD_RT_BOUND, &nbd->config->runtime_flags); + mutex_unlock(&nbd->config_lock); + + if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, +-- +2.39.5 + diff --git a/queue-5.10/net-davicom-fix-uaf-in-dm9000_drv_remove.patch b/queue-5.10/net-davicom-fix-uaf-in-dm9000_drv_remove.patch new file mode 100644 index 0000000000..f073d2e55b --- /dev/null +++ b/queue-5.10/net-davicom-fix-uaf-in-dm9000_drv_remove.patch @@ -0,0 +1,52 @@ +From 57326cbb3c31d8e6ff53f21924d1e4f44ba08a8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jan 2025 15:42:13 -0600 +Subject: net: davicom: fix UAF in dm9000_drv_remove +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenyuan Yang + +[ Upstream commit 19e65c45a1507a1a2926649d2db3583ed9d55fd9 ] + +dm is netdev private data and it cannot be +used after free_netdev() call. Using dm after free_netdev() +can cause UAF bug. Fix it by moving free_netdev() at the end of the +function. + +This is similar to the issue fixed in commit +ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove"). + +This bug is detected by our static analysis tool. + +Fixes: cf9e60aa69ae ("net: davicom: Fix regulator not turned off on driver removal") +Signed-off-by: Chenyuan Yang +CC: Uwe Kleine-König +Link: https://patch.msgid.link/20250123214213.623518-1-chenyuan0y@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/davicom/dm9000.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c +index afc4a103c5080..79aef6b368836 100644 +--- a/drivers/net/ethernet/davicom/dm9000.c ++++ b/drivers/net/ethernet/davicom/dm9000.c +@@ -1779,10 +1779,11 @@ dm9000_drv_remove(struct platform_device *pdev) + + unregister_netdev(ndev); + dm9000_release_board(pdev, dm); +- free_netdev(ndev); /* free device structure */ + if (dm->power_supply) + regulator_disable(dm->power_supply); + ++ free_netdev(ndev); /* free device structure */ ++ + dev_dbg(&pdev->dev, "released and freed device\n"); + return 0; + } +-- +2.39.5 + diff --git a/queue-5.10/net-ethernet-ti-am65-cpsw-fix-freeing-irq-in-am65_cp.patch b/queue-5.10/net-ethernet-ti-am65-cpsw-fix-freeing-irq-in-am65_cp.patch new file mode 100644 index 0000000000..c6e1ef437b --- /dev/null +++ b/queue-5.10/net-ethernet-ti-am65-cpsw-fix-freeing-irq-in-am65_cp.patch @@ -0,0 +1,61 @@ +From 432cc647e9b5b060ee580f9be57794e9cf96c19c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 15:54:49 +0200 +Subject: net: ethernet: ti: am65-cpsw: fix freeing IRQ in + am65_cpsw_nuss_remove_tx_chns() + +From: Roger Quadros + +[ Upstream commit 4395a44acb15850e492dd1de9ec4b6479d96bc80 ] + +When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns +negative error value on error. So not NULL check is not sufficient +to deteremine if IRQ is valid. Check that IRQ is greater then zero +to ensure it is valid. + +There is no issue at probe time but at runtime user can invoke +.set_channels which results in the following call chain. +am65_cpsw_set_channels() + am65_cpsw_nuss_update_tx_rx_chns() + am65_cpsw_nuss_remove_tx_chns() + am65_cpsw_nuss_init_tx_chns() + +At this point if am65_cpsw_nuss_init_tx_chns() fails due to +k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a +negative value. + +Then, at subsequent .set_channels with higher channel count we +will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns() +leading to a kernel warning. + +The issue is present in the original commit that introduced this driver, +although there, am65_cpsw_nuss_update_tx_rx_chns() existed as +am65_cpsw_nuss_update_tx_chns(). + +Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") +Signed-off-by: Roger Quadros +Reviewed-by: Simon Horman +Reviewed-by: Siddharth Vadapalli +Reviewed-by: Jacob Keller +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +index 94e36deefe88a..07510e068742e 100644 +--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c ++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c +@@ -1425,7 +1425,7 @@ void am65_cpsw_nuss_remove_tx_chns(struct am65_cpsw_common *common) + for (i = 0; i < common->tx_ch_num; i++) { + struct am65_cpsw_tx_chn *tx_chn = &common->tx_chns[i]; + +- if (tx_chn->irq) ++ if (tx_chn->irq > 0) + devm_free_irq(dev, tx_chn->irq, tx_chn); + + netif_napi_del(&tx_chn->napi_tx); +-- +2.39.5 + diff --git a/queue-5.10/net-fec-implement-tso-descriptor-cleanup.patch b/queue-5.10/net-fec-implement-tso-descriptor-cleanup.patch new file mode 100644 index 0000000000..022ac8fd31 --- /dev/null +++ b/queue-5.10/net-fec-implement-tso-descriptor-cleanup.patch @@ -0,0 +1,78 @@ +From 713cf7b041ae5693925ab8720f9ab9446795f001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jan 2025 14:24:30 +0530 +Subject: net: fec: implement TSO descriptor cleanup + +From: Dheeraj Reddy Jonnalagadda + +[ Upstream commit 61dc1fd9205bc9d9918aa933a847b08e80b4dc20 ] + +Implement cleanup of descriptors in the TSO error path of +fec_enet_txq_submit_tso(). The cleanup + +- Unmaps DMA buffers for data descriptors skipping TSO header +- Clears all buffer descriptors +- Handles extended descriptors by clearing cbd_esc when enabled + +Fixes: 79f339125ea3 ("net: fec: Add software TSO support") +Signed-off-by: Dheeraj Reddy Jonnalagadda +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20250120085430.99318-1-dheeraj.linuxdev@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 31 ++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index a591ca0b37787..8e30e999456d4 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -728,6 +728,8 @@ static int fec_enet_txq_submit_tso(struct fec_enet_priv_tx_q *txq, + struct fec_enet_private *fep = netdev_priv(ndev); + int hdr_len, total_len, data_left; + struct bufdesc *bdp = txq->bd.cur; ++ struct bufdesc *tmp_bdp; ++ struct bufdesc_ex *ebdp; + struct tso_t tso; + unsigned int index = 0; + int ret; +@@ -801,7 +803,34 @@ static int fec_enet_txq_submit_tso(struct fec_enet_priv_tx_q *txq, + return 0; + + err_release: +- /* TODO: Release all used data descriptors for TSO */ ++ /* Release all used data descriptors for TSO */ ++ tmp_bdp = txq->bd.cur; ++ ++ while (tmp_bdp != bdp) { ++ /* Unmap data buffers */ ++ if (tmp_bdp->cbd_bufaddr && ++ !IS_TSO_HEADER(txq, fec32_to_cpu(tmp_bdp->cbd_bufaddr))) ++ dma_unmap_single(&fep->pdev->dev, ++ fec32_to_cpu(tmp_bdp->cbd_bufaddr), ++ fec16_to_cpu(tmp_bdp->cbd_datlen), ++ DMA_TO_DEVICE); ++ ++ /* Clear standard buffer descriptor fields */ ++ tmp_bdp->cbd_sc = 0; ++ tmp_bdp->cbd_datlen = 0; ++ tmp_bdp->cbd_bufaddr = 0; ++ ++ /* Handle extended descriptor if enabled */ ++ if (fep->bufdesc_ex) { ++ ebdp = (struct bufdesc_ex *)tmp_bdp; ++ ebdp->cbd_esc = 0; ++ } ++ ++ tmp_bdp = fec_enet_get_nextdesc(tmp_bdp, &txq->bd); ++ } ++ ++ dev_kfree_skb_any(skb); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.10/net-hns3-fix-oops-when-unload-drivers-paralleling.patch b/queue-5.10/net-hns3-fix-oops-when-unload-drivers-paralleling.patch new file mode 100644 index 0000000000..868c6b5983 --- /dev/null +++ b/queue-5.10/net-hns3-fix-oops-when-unload-drivers-paralleling.patch @@ -0,0 +1,121 @@ +From b31256ff89b06aadc1b4d4b086c0ced594f11e10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Jan 2025 17:47:41 +0800 +Subject: net: hns3: fix oops when unload drivers paralleling + +From: Jian Shen + +[ Upstream commit 92e5995773774a3e70257e9c95ea03518268bea5 ] + +When unload hclge driver, it tries to disable sriov first for each +ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at +the time, because it removes all the ae_dev nodes, and it may cause +oops. + +But we can't simply use hnae3_common_lock for this. Because in the +process flow of pci_disable_sriov(), it will trigger the remove flow +of VF, which will also take hnae3_common_lock. + +To fixes it, introduce a new mutex to protect the unload process. + +Fixes: 0dd8a25f355b ("net: hns3: disable sriov before unload hclge layer") +Signed-off-by: Jian Shen +Signed-off-by: Jijie Shao +Link: https://patch.msgid.link/20250118094741.3046663-1-shaojijie@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hnae3.c | 15 +++++++++++++++ + drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 ++ + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 ++ + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 ++ + .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 ++ + 5 files changed, 23 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c +index 9a63fbc694083..b25fb400f4767 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c +@@ -40,6 +40,21 @@ EXPORT_SYMBOL(hnae3_unregister_ae_algo_prepare); + */ + static DEFINE_MUTEX(hnae3_common_lock); + ++/* ensure the drivers being unloaded one by one */ ++static DEFINE_MUTEX(hnae3_unload_lock); ++ ++void hnae3_acquire_unload_lock(void) ++{ ++ mutex_lock(&hnae3_unload_lock); ++} ++EXPORT_SYMBOL(hnae3_acquire_unload_lock); ++ ++void hnae3_release_unload_lock(void) ++{ ++ mutex_unlock(&hnae3_unload_lock); ++} ++EXPORT_SYMBOL(hnae3_release_unload_lock); ++ + static bool hnae3_client_match(enum hnae3_client_type client_type) + { + if (client_type == HNAE3_CLIENT_KNIC || +diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +index 4a9576a449e10..25b6b4f780f1d 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h +@@ -764,4 +764,6 @@ int hnae3_register_client(struct hnae3_client *client); + void hnae3_set_client_init_flag(struct hnae3_client *client, + struct hnae3_ae_dev *ae_dev, + unsigned int inited); ++void hnae3_acquire_unload_lock(void); ++void hnae3_release_unload_lock(void); + #endif +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +index 9ff5179b4d879..110baa9949a0c 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -4751,9 +4751,11 @@ module_init(hns3_init_module); + */ + static void __exit hns3_exit_module(void) + { ++ hnae3_acquire_unload_lock(); + pci_unregister_driver(&hns3_driver); + hnae3_unregister_client(&client); + hns3_dbg_unregister_debugfs(); ++ hnae3_release_unload_lock(); + } + module_exit(hns3_exit_module); + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index 885793707a5f1..ec918f2981ec2 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -11539,9 +11539,11 @@ static int hclge_init(void) + + static void hclge_exit(void) + { ++ hnae3_acquire_unload_lock(); + hnae3_unregister_ae_algo_prepare(&ae_algo); + hnae3_unregister_ae_algo(&ae_algo); + destroy_workqueue(hclge_wq); ++ hnae3_release_unload_lock(); + } + module_init(hclge_init); + module_exit(hclge_exit); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index 755935f9efc81..aa026eb5cf588 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -3726,8 +3726,10 @@ static int hclgevf_init(void) + + static void hclgevf_exit(void) + { ++ hnae3_acquire_unload_lock(); + hnae3_unregister_ae_algo(&ae_algovf); + destroy_workqueue(hclgevf_wq); ++ hnae3_release_unload_lock(); + } + module_init(hclgevf_init); + module_exit(hclgevf_exit); +-- +2.39.5 + diff --git a/queue-5.10/net-hsr-fix-fill_frame_info-regression-vs-vlan-packe.patch b/queue-5.10/net-hsr-fix-fill_frame_info-regression-vs-vlan-packe.patch new file mode 100644 index 0000000000..199399fcab --- /dev/null +++ b/queue-5.10/net-hsr-fix-fill_frame_info-regression-vs-vlan-packe.patch @@ -0,0 +1,79 @@ +From e77a82c3c3dde553462bde07e47703f8fceada8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jan 2025 13:00:07 +0000 +Subject: net: hsr: fix fill_frame_info() regression vs VLAN packets + +From: Eric Dumazet + +[ Upstream commit 0f5697f1a3f99bc2b674b8aa3c5da822c5673c11 ] + +Stephan Wurm reported that my recent patch broke VLAN support. + +Apparently skb->mac_len is not correct for VLAN traffic as +shown by debug traces [1]. + +Use instead pskb_may_pull() to make sure the expected header +is present in skb->head. + +Many thanks to Stephan for his help. + +[1] +kernel: skb len=170 headroom=2 headlen=170 tailroom=20 + mac=(2,14) mac_len=14 net=(16,-1) trans=-1 + shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0)) + csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0) + hash(0x0 sw=0 l4=0) proto=0x0000 pkttype=0 iif=0 + priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0 + encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0) +kernel: dev name=prp0 feat=0x0000000000007000 +kernel: sk family=17 type=3 proto=0 +kernel: skb headroom: 00000000: 74 00 +kernel: skb linear: 00000000: 01 0c cd 01 00 01 00 d0 93 53 9c cb 81 00 80 00 +kernel: skb linear: 00000010: 88 b8 00 01 00 98 00 00 00 00 61 81 8d 80 16 52 +kernel: skb linear: 00000020: 45 47 44 4e 43 54 52 4c 2f 4c 4c 4e 30 24 47 4f +kernel: skb linear: 00000030: 24 47 6f 43 62 81 01 14 82 16 52 45 47 44 4e 43 +kernel: skb linear: 00000040: 54 52 4c 2f 4c 4c 4e 30 24 44 73 47 6f 6f 73 65 +kernel: skb linear: 00000050: 83 07 47 6f 49 64 65 6e 74 84 08 67 8d f5 93 7e +kernel: skb linear: 00000060: 76 c8 00 85 01 01 86 01 00 87 01 00 88 01 01 89 +kernel: skb linear: 00000070: 01 00 8a 01 02 ab 33 a2 15 83 01 00 84 03 03 00 +kernel: skb linear: 00000080: 00 91 08 67 8d f5 92 77 4b c6 1f 83 01 00 a2 1a +kernel: skb linear: 00000090: a2 06 85 01 00 83 01 00 84 03 03 00 00 91 08 67 +kernel: skb linear: 000000a0: 8d f5 92 77 4b c6 1f 83 01 00 +kernel: skb tailroom: 00000000: 80 18 02 00 fe 4e 00 00 01 01 08 0a 4f fd 5e d1 +kernel: skb tailroom: 00000010: 4f fd 5e cd + +Fixes: b9653d19e556 ("net: hsr: avoid potential out-of-bound access in fill_frame_info()") +Reported-by: Stephan Wurm +Tested-by: Stephan Wurm +Closes: https://lore.kernel.org/netdev/Z4o_UC0HweBHJ_cw@PC-LX-SteWu/ +Signed-off-by: Eric Dumazet +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250129130007.644084-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index a58c0be64272b..66df4d7cbfb1e 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -525,9 +525,12 @@ static int fill_frame_info(struct hsr_frame_info *frame, + frame->is_vlan = true; + + if (frame->is_vlan) { +- if (skb->mac_len < offsetofend(struct hsr_vlan_ethhdr, vlanhdr)) ++ /* Note: skb->mac_len might be wrong here. */ ++ if (!pskb_may_pull(skb, ++ skb_mac_offset(skb) + ++ offsetofend(struct hsr_vlan_ethhdr, vlanhdr))) + return -EINVAL; +- vlan_hdr = (struct hsr_vlan_ethhdr *)ethhdr; ++ vlan_hdr = (struct hsr_vlan_ethhdr *)skb_mac_header(skb); + proto = vlan_hdr->vlanhdr.h_vlan_encapsulated_proto; + /* FIXME: */ + netdev_warn_once(skb->dev, "VLAN not yet supported"); +-- +2.39.5 + diff --git a/queue-5.10/net-let-net.core.dev_weight-always-be-non-zero.patch b/queue-5.10/net-let-net.core.dev_weight-always-be-non-zero.patch new file mode 100644 index 0000000000..0621f9df1f --- /dev/null +++ b/queue-5.10/net-let-net.core.dev_weight-always-be-non-zero.patch @@ -0,0 +1,103 @@ +From e1541185e39a6912069eb360194d2cbfb953b1cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 22:30:53 +0800 +Subject: net: let net.core.dev_weight always be non-zero + +From: Liu Jian + +[ Upstream commit d1f9f79fa2af8e3b45cffdeef66e05833480148a ] + +The following problem was encountered during stability test: + +(NULL net_device): NAPI poll function process_backlog+0x0/0x530 \ + returned 1, exceeding its budget of 0. +------------[ cut here ]------------ +list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \ + next=ffff88905f746e40. +WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \ + __list_add_valid_or_report+0xf3/0x130 +CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+ +RIP: 0010:__list_add_valid_or_report+0xf3/0x130 +Call Trace: +? __warn+0xcd/0x250 +? __list_add_valid_or_report+0xf3/0x130 +enqueue_to_backlog+0x923/0x1070 +netif_rx_internal+0x92/0x2b0 +__netif_rx+0x15/0x170 +loopback_xmit+0x2ef/0x450 +dev_hard_start_xmit+0x103/0x490 +__dev_queue_xmit+0xeac/0x1950 +ip_finish_output2+0x6cc/0x1620 +ip_output+0x161/0x270 +ip_push_pending_frames+0x155/0x1a0 +raw_sendmsg+0xe13/0x1550 +__sys_sendto+0x3bf/0x4e0 +__x64_sys_sendto+0xdc/0x1b0 +do_syscall_64+0x5b/0x170 +entry_SYSCALL_64_after_hwframe+0x76/0x7e + +The reproduction command is as follows: + sysctl -w net.core.dev_weight=0 + ping 127.0.0.1 + +This is because when the napi's weight is set to 0, process_backlog() may +return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this +napi to be re-polled in net_rx_action() until __do_softirq() times out. +Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can +be retriggered in enqueue_to_backlog(), causing this issue. + +Making the napi's weight always non-zero solves this problem. + +Triggering this issue requires system-wide admin (setting is +not namespaced). + +Fixes: e38766054509 ("[NET]: Fix sysctl net.core.dev_weight") +Fixes: 3d48b53fb2ae ("net: dev_weight: TX/RX orthogonality") +Signed-off-by: Liu Jian +Link: https://patch.msgid.link/20250116143053.4146855-1-liujian56@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/sysctl_net_core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c +index 0dfe9f255ab3a..3640be19a795e 100644 +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -239,7 +239,7 @@ static int proc_do_dev_weight(struct ctl_table *table, int write, + int ret, weight; + + mutex_lock(&dev_weight_mutex); +- ret = proc_dointvec(table, write, buffer, lenp, ppos); ++ ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); + if (!ret && write) { + weight = READ_ONCE(weight_p); + WRITE_ONCE(dev_rx_weight, weight * dev_weight_rx_bias); +@@ -351,6 +351,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_do_dev_weight, ++ .extra1 = SYSCTL_ONE, + }, + { + .procname = "dev_weight_rx_bias", +@@ -358,6 +359,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_do_dev_weight, ++ .extra1 = SYSCTL_ONE, + }, + { + .procname = "dev_weight_tx_bias", +@@ -365,6 +367,7 @@ static struct ctl_table net_core_table[] = { + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_do_dev_weight, ++ .extra1 = SYSCTL_ONE, + }, + { + .procname = "netdev_max_backlog", +-- +2.39.5 + diff --git a/queue-5.10/net-mlxfw-drop-hard-coded-max-fw-flash-image-size.patch b/queue-5.10/net-mlxfw-drop-hard-coded-max-fw-flash-image-size.patch new file mode 100644 index 0000000000..9b1d3f6db6 --- /dev/null +++ b/queue-5.10/net-mlxfw-drop-hard-coded-max-fw-flash-image-size.patch @@ -0,0 +1,53 @@ +From 980553a0ac6a55dd4b4c22ede5fe53a8993d06ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jan 2025 14:33:16 +0200 +Subject: net/mlxfw: Drop hard coded max FW flash image size + +From: Maher Sanalla + +[ Upstream commit 70d81f25cc92cc4e914516c9935ae752f27d78ad ] + +Currently, mlxfw kernel module limits FW flash image size to be +10MB at most, preventing the ability to burn recent BlueField-3 +FW that exceeds the said size limit. + +Thus, drop the hard coded limit. Instead, rely on FW's +max_component_size threshold that is reported in MCQI register +as the size limit for FW image. + +Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process") +Signed-off-by: Maher Sanalla +Signed-off-by: Moshe Shemesh +Reviewed-by: Ido Schimmel +Tested-by: Ido Schimmel +Reviewed-by: Michal Swiatkowski +Link: https://patch.msgid.link/1737030796-1441634-1-git-send-email-moshe@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c +index bcd166911d444..bbcaac4f99bc6 100644 +--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c ++++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c +@@ -14,7 +14,6 @@ + #define MLXFW_FSM_STATE_WAIT_TIMEOUT_MS 30000 + #define MLXFW_FSM_STATE_WAIT_ROUNDS \ + (MLXFW_FSM_STATE_WAIT_TIMEOUT_MS / MLXFW_FSM_STATE_WAIT_CYCLE_MS) +-#define MLXFW_FSM_MAX_COMPONENT_SIZE (10 * (1 << 20)) + + static const int mlxfw_fsm_state_errno[] = { + [MLXFW_FSM_STATE_ERR_ERROR] = -EIO, +@@ -229,7 +228,6 @@ static int mlxfw_flash_component(struct mlxfw_dev *mlxfw_dev, + return err; + } + +- comp_max_size = min_t(u32, comp_max_size, MLXFW_FSM_MAX_COMPONENT_SIZE); + if (comp->data_size > comp_max_size) { + MLXFW_ERR_MSG(mlxfw_dev, extack, + "Component size is bigger than limit", -EINVAL); +-- +2.39.5 + diff --git a/queue-5.10/net-netdevsim-try-to-close-udp-port-harness-races.patch b/queue-5.10/net-netdevsim-try-to-close-udp-port-harness-races.patch new file mode 100644 index 0000000000..f7a32ee340 --- /dev/null +++ b/queue-5.10/net-netdevsim-try-to-close-udp-port-harness-races.patch @@ -0,0 +1,175 @@ +From 0403aec24c255c9f67224f4cd7a69deb6e512863 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2025 14:45:03 -0800 +Subject: net: netdevsim: try to close UDP port harness races + +From: Jakub Kicinski + +[ Upstream commit 50bf398e1ceacb9a7f85bd3bdca065ebe5cb6159 ] + +syzbot discovered that we remove the debugfs files after we free +the netdev. Try to clean up the relevant dir while the device +is still around. + +Reported-by: syzbot+2e5de9e3ab986b71d2bf@syzkaller.appspotmail.com +Fixes: 424be63ad831 ("netdevsim: add UDP tunnel port offload support") +Reviewed-by: Michal Swiatkowski +Link: https://patch.msgid.link/20250122224503.762705-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/netdevsim/netdevsim.h | 1 + + drivers/net/netdevsim/udp_tunnels.c | 23 +++++++++++-------- + .../drivers/net/netdevsim/udp_tunnel_nic.sh | 16 ++++++------- + 3 files changed, 23 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h +index c4e7ad2a19642..a001db758b13f 100644 +--- a/drivers/net/netdevsim/netdevsim.h ++++ b/drivers/net/netdevsim/netdevsim.h +@@ -87,6 +87,7 @@ struct netdevsim { + u32 sleep; + u32 __ports[2][NSIM_UDP_TUNNEL_N_PORTS]; + u32 (*ports)[NSIM_UDP_TUNNEL_N_PORTS]; ++ struct dentry *ddir; + struct debugfs_u32_array dfs_ports[2]; + } udp_ports; + +diff --git a/drivers/net/netdevsim/udp_tunnels.c b/drivers/net/netdevsim/udp_tunnels.c +index 02dc3123eb6c1..640b4983a9a0d 100644 +--- a/drivers/net/netdevsim/udp_tunnels.c ++++ b/drivers/net/netdevsim/udp_tunnels.c +@@ -112,9 +112,11 @@ nsim_udp_tunnels_info_reset_write(struct file *file, const char __user *data, + struct net_device *dev = file->private_data; + struct netdevsim *ns = netdev_priv(dev); + +- memset(ns->udp_ports.ports, 0, sizeof(ns->udp_ports.__ports)); + rtnl_lock(); +- udp_tunnel_nic_reset_ntf(dev); ++ if (dev->reg_state == NETREG_REGISTERED) { ++ memset(ns->udp_ports.ports, 0, sizeof(ns->udp_ports.__ports)); ++ udp_tunnel_nic_reset_ntf(dev); ++ } + rtnl_unlock(); + + return count; +@@ -144,23 +146,23 @@ int nsim_udp_tunnels_info_create(struct nsim_dev *nsim_dev, + else + ns->udp_ports.ports = nsim_dev->udp_ports.__ports; + +- debugfs_create_u32("udp_ports_inject_error", 0600, +- ns->nsim_dev_port->ddir, ++ ns->udp_ports.ddir = debugfs_create_dir("udp_ports", ++ ns->nsim_dev_port->ddir); ++ ++ debugfs_create_u32("inject_error", 0600, ns->udp_ports.ddir, + &ns->udp_ports.inject_error); + + ns->udp_ports.dfs_ports[0].array = ns->udp_ports.ports[0]; + ns->udp_ports.dfs_ports[0].n_elements = NSIM_UDP_TUNNEL_N_PORTS; +- debugfs_create_u32_array("udp_ports_table0", 0400, +- ns->nsim_dev_port->ddir, ++ debugfs_create_u32_array("table0", 0400, ns->udp_ports.ddir, + &ns->udp_ports.dfs_ports[0]); + + ns->udp_ports.dfs_ports[1].array = ns->udp_ports.ports[1]; + ns->udp_ports.dfs_ports[1].n_elements = NSIM_UDP_TUNNEL_N_PORTS; +- debugfs_create_u32_array("udp_ports_table1", 0400, +- ns->nsim_dev_port->ddir, ++ debugfs_create_u32_array("table1", 0400, ns->udp_ports.ddir, + &ns->udp_ports.dfs_ports[1]); + +- debugfs_create_file("udp_ports_reset", 0200, ns->nsim_dev_port->ddir, ++ debugfs_create_file("reset", 0200, ns->udp_ports.ddir, + dev, &nsim_udp_tunnels_info_reset_fops); + + /* Note: it's not normal to allocate the info struct like this! +@@ -196,6 +198,9 @@ int nsim_udp_tunnels_info_create(struct nsim_dev *nsim_dev, + + void nsim_udp_tunnels_info_destroy(struct net_device *dev) + { ++ struct netdevsim *ns = netdev_priv(dev); ++ ++ debugfs_remove_recursive(ns->udp_ports.ddir); + kfree(dev->udp_tunnel_nic_info); + dev->udp_tunnel_nic_info = NULL; + } +diff --git a/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh b/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh +index 185b02d2d4cd1..7af78990b5bb6 100755 +--- a/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh ++++ b/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh +@@ -142,7 +142,7 @@ function pre_ethtool { + } + + function check_table { +- local path=$NSIM_DEV_DFS/ports/$port/udp_ports_table$1 ++ local path=$NSIM_DEV_DFS/ports/$port/udp_ports/table$1 + local -n expected=$2 + local last=$3 + +@@ -212,7 +212,7 @@ function check_tables { + } + + function print_table { +- local path=$NSIM_DEV_DFS/ports/$port/udp_ports_table$1 ++ local path=$NSIM_DEV_DFS/ports/$port/udp_ports/table$1 + read -a have < $path + + tree $NSIM_DEV_DFS/ +@@ -640,7 +640,7 @@ for port in 0 1; do + NSIM_NETDEV=`get_netdev_name old_netdevs` + ifconfig $NSIM_NETDEV up + +- echo 110 > $NSIM_DEV_DFS/ports/$port/udp_ports_inject_error ++ echo 110 > $NSIM_DEV_DFS/ports/$port/udp_ports/inject_error + + msg="1 - create VxLANs v6" + exp0=( 0 0 0 0 ) +@@ -662,7 +662,7 @@ for port in 0 1; do + new_geneve gnv0 20000 + + msg="2 - destroy GENEVE" +- echo 2 > $NSIM_DEV_DFS/ports/$port/udp_ports_inject_error ++ echo 2 > $NSIM_DEV_DFS/ports/$port/udp_ports/inject_error + exp1=( `mke 20000 2` 0 0 0 ) + del_dev gnv0 + +@@ -763,7 +763,7 @@ for port in 0 1; do + msg="create VxLANs v4" + new_vxlan vxlan0 10000 $NSIM_NETDEV + +- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset ++ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset + check_tables + + msg="NIC device goes down" +@@ -774,7 +774,7 @@ for port in 0 1; do + fi + check_tables + +- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset ++ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset + check_tables + + msg="NIC device goes up again" +@@ -788,7 +788,7 @@ for port in 0 1; do + del_dev vxlan0 + check_tables + +- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset ++ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset + check_tables + + msg="destroy NIC" +@@ -895,7 +895,7 @@ msg="vacate VxLAN in overflow table" + exp0=( `mke 10000 1` `mke 10004 1` 0 `mke 10003 1` ) + del_dev vxlan2 + +-echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset ++echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset + check_tables + + msg="tunnels destroyed 2" +-- +2.39.5 + diff --git a/queue-5.10/net-rose-fix-timer-races-against-user-threads.patch b/queue-5.10/net-rose-fix-timer-races-against-user-threads.patch new file mode 100644 index 0000000000..7c5c7712e9 --- /dev/null +++ b/queue-5.10/net-rose-fix-timer-races-against-user-threads.patch @@ -0,0 +1,116 @@ +From 1c7e8c91364056c1e882d5ab0fc5eefab276e1fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jan 2025 18:02:44 +0000 +Subject: net: rose: fix timer races against user threads + +From: Eric Dumazet + +[ Upstream commit 5de7665e0a0746b5ad7943554b34db8f8614a196 ] + +Rose timers only acquire the socket spinlock, without +checking if the socket is owned by one user thread. + +Add a check and rearm the timers if needed. + +BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 +Read of size 2 at addr ffff88802f09b82a by task swapper/0/0 + +CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x169/0x550 mm/kasan/report.c:489 + kasan_report+0x143/0x180 mm/kasan/report.c:602 + rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 + call_timer_fn+0x187/0x650 kernel/time/timer.c:1793 + expire_timers kernel/time/timer.c:1844 [inline] + __run_timers kernel/time/timer.c:2418 [inline] + __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430 + run_timer_base kernel/time/timer.c:2439 [inline] + run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449 + handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 + __do_softirq kernel/softirq.c:595 [inline] + invoke_softirq kernel/softirq.c:435 [inline] + __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 + irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 + instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] + sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20250122180244.1861468-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rose/rose_timer.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/net/rose/rose_timer.c b/net/rose/rose_timer.c +index f06ddbed3fed6..1525773e94aa1 100644 +--- a/net/rose/rose_timer.c ++++ b/net/rose/rose_timer.c +@@ -122,6 +122,10 @@ static void rose_heartbeat_expiry(struct timer_list *t) + struct rose_sock *rose = rose_sk(sk); + + bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { ++ sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ/20); ++ goto out; ++ } + switch (rose->state) { + case ROSE_STATE_0: + /* Magic here: If we listen() and a new link dies before it +@@ -152,6 +156,7 @@ static void rose_heartbeat_expiry(struct timer_list *t) + } + + rose_start_heartbeat(sk); ++out: + bh_unlock_sock(sk); + sock_put(sk); + } +@@ -162,6 +167,10 @@ static void rose_timer_expiry(struct timer_list *t) + struct sock *sk = &rose->sock; + + bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { ++ sk_reset_timer(sk, &rose->timer, jiffies + HZ/20); ++ goto out; ++ } + switch (rose->state) { + case ROSE_STATE_1: /* T1 */ + case ROSE_STATE_4: /* T2 */ +@@ -182,6 +191,7 @@ static void rose_timer_expiry(struct timer_list *t) + } + break; + } ++out: + bh_unlock_sock(sk); + sock_put(sk); + } +@@ -192,6 +202,10 @@ static void rose_idletimer_expiry(struct timer_list *t) + struct sock *sk = &rose->sock; + + bh_lock_sock(sk); ++ if (sock_owned_by_user(sk)) { ++ sk_reset_timer(sk, &rose->idletimer, jiffies + HZ/20); ++ goto out; ++ } + rose_clear_queues(sk); + + rose_write_internal(sk, ROSE_CLEAR_REQUEST); +@@ -207,6 +221,7 @@ static void rose_idletimer_expiry(struct timer_list *t) + sk->sk_state_change(sk); + sock_set_flag(sk, SOCK_DEAD); + } ++out: + bh_unlock_sock(sk); + sock_put(sk); + } +-- +2.39.5 + diff --git a/queue-5.10/net-rose-prevent-integer-overflows-in-rose_setsockop.patch b/queue-5.10/net-rose-prevent-integer-overflows-in-rose_setsockop.patch new file mode 100644 index 0000000000..9ea536225d --- /dev/null +++ b/queue-5.10/net-rose-prevent-integer-overflows-in-rose_setsockop.patch @@ -0,0 +1,90 @@ +From d65e383fca56a3a8f2c65f44587175a4f6331616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 08:42:20 -0800 +Subject: net/rose: prevent integer overflows in rose_setsockopt() + +From: Nikita Zhandarovich + +[ Upstream commit d640627663bfe7d8963c7615316d7d4ef60f3b0b ] + +In case of possible unpredictably large arguments passed to +rose_setsockopt() and multiplied by extra values on top of that, +integer overflows may occur. + +Do the safest minimum and fix these issues by checking the +contents of 'opt' and returning -EINVAL if they are too large. Also, +switch to unsigned int and remove useless check for negative 'opt' +in ROSE_IDLE case. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20250115164220.19954-1-n.zhandarovich@fintech.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/rose/af_rose.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index 1d95ff34b13c9..65fd5b99f9dea 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -396,15 +396,15 @@ static int rose_setsockopt(struct socket *sock, int level, int optname, + { + struct sock *sk = sock->sk; + struct rose_sock *rose = rose_sk(sk); +- int opt; ++ unsigned int opt; + + if (level != SOL_ROSE) + return -ENOPROTOOPT; + +- if (optlen < sizeof(int)) ++ if (optlen < sizeof(unsigned int)) + return -EINVAL; + +- if (copy_from_sockptr(&opt, optval, sizeof(int))) ++ if (copy_from_sockptr(&opt, optval, sizeof(unsigned int))) + return -EFAULT; + + switch (optname) { +@@ -413,31 +413,31 @@ static int rose_setsockopt(struct socket *sock, int level, int optname, + return 0; + + case ROSE_T1: +- if (opt < 1) ++ if (opt < 1 || opt > UINT_MAX / HZ) + return -EINVAL; + rose->t1 = opt * HZ; + return 0; + + case ROSE_T2: +- if (opt < 1) ++ if (opt < 1 || opt > UINT_MAX / HZ) + return -EINVAL; + rose->t2 = opt * HZ; + return 0; + + case ROSE_T3: +- if (opt < 1) ++ if (opt < 1 || opt > UINT_MAX / HZ) + return -EINVAL; + rose->t3 = opt * HZ; + return 0; + + case ROSE_HOLDBACK: +- if (opt < 1) ++ if (opt < 1 || opt > UINT_MAX / HZ) + return -EINVAL; + rose->hb = opt * HZ; + return 0; + + case ROSE_IDLE: +- if (opt < 0) ++ if (opt > UINT_MAX / (60 * HZ)) + return -EINVAL; + rose->idle = opt * 60 * HZ; + return 0; +-- +2.39.5 + diff --git a/queue-5.10/net-sched-disallow-replacing-of-child-qdisc-from-one.patch b/queue-5.10/net-sched-disallow-replacing-of-child-qdisc-from-one.patch new file mode 100644 index 0000000000..25e71f93f6 --- /dev/null +++ b/queue-5.10/net-sched-disallow-replacing-of-child-qdisc-from-one.patch @@ -0,0 +1,115 @@ +From 5bf8602e8b779723264f8e39af923edc6b1407ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 17:37:13 -0800 +Subject: net: sched: Disallow replacing of child qdisc from one parent to + another + +From: Jamal Hadi Salim + +[ Upstream commit bc50835e83f60f56e9bec2b392fb5544f250fb6f ] + +Lion Ackermann was able to create a UAF which can be abused for privilege +escalation with the following script + +Step 1. create root qdisc +tc qdisc add dev lo root handle 1:0 drr + +step2. a class for packet aggregation do demonstrate uaf +tc class add dev lo classid 1:1 drr + +step3. a class for nesting +tc class add dev lo classid 1:2 drr + +step4. a class to graft qdisc to +tc class add dev lo classid 1:3 drr + +step5. +tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 + +step6. +tc qdisc add dev lo parent 1:2 handle 3:0 drr + +step7. +tc class add dev lo classid 3:1 drr + +step 8. +tc qdisc add dev lo parent 3:1 handle 4:0 pfifo + +step 9. Display the class/qdisc layout + +tc class ls dev lo + class drr 1:1 root leaf 2: quantum 64Kb + class drr 1:2 root leaf 3: quantum 64Kb + class drr 3:1 root leaf 4: quantum 64Kb + +tc qdisc ls + qdisc drr 1: dev lo root refcnt 2 + qdisc plug 2: dev lo parent 1:1 + qdisc pfifo 4: dev lo parent 3:1 limit 1000p + qdisc drr 3: dev lo parent 1:2 + +step10. trigger the bug <=== prevented by this patch +tc qdisc replace dev lo parent 1:3 handle 4:0 + +step 11. Redisplay again the qdiscs/classes + +tc class ls dev lo + class drr 1:1 root leaf 2: quantum 64Kb + class drr 1:2 root leaf 3: quantum 64Kb + class drr 1:3 root leaf 4: quantum 64Kb + class drr 3:1 root leaf 4: quantum 64Kb + +tc qdisc ls + qdisc drr 1: dev lo root refcnt 2 + qdisc plug 2: dev lo parent 1:1 + qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p + qdisc drr 3: dev lo parent 1:2 + +Observe that a) parent for 4:0 does not change despite the replace request. +There can only be one parent. b) refcount has gone up by two for 4:0 and +c) both class 1:3 and 3:1 are pointing to it. + +Step 12. send one packet to plug +echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) +step13. send one packet to the grafted fifo +echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) + +step14. lets trigger the uaf +tc class delete dev lo classid 1:3 +tc class delete dev lo classid 1:1 + +The semantics of "replace" is for a del/add _on the same node_ and not +a delete from one node(3:1) and add to another node (1:3) as in step10. +While we could "fix" with a more complex approach there could be +consequences to expectations so the patch takes the preventive approach of +"disallow such config". + +Joint work with Lion Ackermann +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jamal Hadi Salim +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250116013713.900000-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index b4e405676600f..238ae7b0ca5ba 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1603,6 +1603,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, + q = qdisc_lookup(dev, tcm->tcm_handle); + if (!q) + goto create_n_graft; ++ if (q->parent != tcm->tcm_parent) { ++ NL_SET_ERR_MSG(extack, "Cannot move an existing qdisc to a different parent"); ++ return -EINVAL; ++ } + if (n->nlmsg_flags & NLM_F_EXCL) { + NL_SET_ERR_MSG(extack, "Exclusivity flag on, cannot override"); + return -EEXIST; +-- +2.39.5 + diff --git a/queue-5.10/net-sh_eth-fix-missing-rtnl-lock-in-suspend-resume-p.patch b/queue-5.10/net-sh_eth-fix-missing-rtnl-lock-in-suspend-resume-p.patch new file mode 100644 index 0000000000..e49e8f8add --- /dev/null +++ b/queue-5.10/net-sh_eth-fix-missing-rtnl-lock-in-suspend-resume-p.patch @@ -0,0 +1,60 @@ +From 389a99e207d1941f9414bd1f4726fe1ac8ef165b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jan 2025 10:50:47 +0100 +Subject: net: sh_eth: Fix missing rtnl lock in suspend/resume path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kory Maincent + +[ Upstream commit b95102215a8d0987789715ce11c0d4ec031cbfbe ] + +Fix the suspend/resume path by ensuring the rtnl lock is held where +required. Calls to sh_eth_close, sh_eth_open and wol operations must be +performed under the rtnl lock to prevent conflicts with ongoing ndo +operations. + +Fixes: b71af04676e9 ("sh_eth: add more PM methods") +Tested-by: Niklas Söderlund +Reviewed-by: Sergey Shtylyov +Signed-off-by: Kory Maincent +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/sh_eth.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c +index 8927d59977458..e2019dc3ac563 100644 +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -3446,10 +3446,12 @@ static int sh_eth_suspend(struct device *dev) + + netif_device_detach(ndev); + ++ rtnl_lock(); + if (mdp->wol_enabled) + ret = sh_eth_wol_setup(ndev); + else + ret = sh_eth_close(ndev); ++ rtnl_unlock(); + + return ret; + } +@@ -3463,10 +3465,12 @@ static int sh_eth_resume(struct device *dev) + if (!netif_running(ndev)) + return 0; + ++ rtnl_lock(); + if (mdp->wol_enabled) + ret = sh_eth_wol_restore(ndev); + else + ret = sh_eth_open(ndev); ++ rtnl_unlock(); + + if (ret < 0) + return ret; +-- +2.39.5 + diff --git a/queue-5.10/net-smc-fix-data-error-when-recvmsg-with-msg_peek-fl.patch b/queue-5.10/net-smc-fix-data-error-when-recvmsg-with-msg_peek-fl.patch new file mode 100644 index 0000000000..480d8a5dc5 --- /dev/null +++ b/queue-5.10/net-smc-fix-data-error-when-recvmsg-with-msg_peek-fl.patch @@ -0,0 +1,244 @@ +From 8b3d5df01ea3e16457c48b75af46250f27b40bae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jan 2025 22:32:01 +0800 +Subject: net/smc: fix data error when recvmsg with MSG_PEEK flag + +From: Guangguan Wang + +[ Upstream commit a4b6539038c1aa1ae871aacf6e41b566c3613993 ] + +When recvmsg with MSG_PEEK flag, the data will be copied to +user's buffer without advancing consume cursor and without +reducing the length of rx available data. Once the expected +peek length is larger than the value of bytes_to_rcv, in the +loop of do while in smc_rx_recvmsg, the first loop will copy +bytes_to_rcv bytes of data from the position local_tx_ctrl.cons, +the second loop will copy the min(bytes_to_rcv, read_remaining) +bytes from the position local_tx_ctrl.cons again because of the +lacking of process with advancing consume cursor and reducing +the length of available data. So do the subsequent loops. The +data copied in the second loop and the subsequent loops will +result in data error, as it should not be copied if no more data +arrives and it should be copied from the position advancing +bytes_to_rcv bytes from the local_tx_ctrl.cons if more data arrives. + +This issue can be reproduce by the following python script: +server.py: +import socket +import time +server_ip = '0.0.0.0' +server_port = 12346 +server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +server_socket.bind((server_ip, server_port)) +server_socket.listen(1) +print('Server is running and listening for connections...') +conn, addr = server_socket.accept() +print('Connected by', addr) +while True: + data = conn.recv(1024) + if not data: + break + print('Received request:', data.decode()) + conn.sendall(b'Hello, client!\n') + time.sleep(5) + conn.sendall(b'Hello, again!\n') +conn.close() + +client.py: +import socket +server_ip = '' +server_port = 12346 +resp=b'Hello, client!\nHello, again!\n' +client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +client_socket.connect((server_ip, server_port)) +request = 'Hello, server!' +client_socket.sendall(request.encode()) +peek_data = client_socket.recv(len(resp), + socket.MSG_PEEK | socket.MSG_WAITALL) +print('Peeked data:', peek_data.decode()) +client_socket.close() + +Fixes: 952310ccf2d8 ("smc: receive data from RMBE") +Reported-by: D. Wythe +Signed-off-by: Guangguan Wang +Link: https://patch.msgid.link/20250104143201.35529-1-guangguan.wang@linux.alibaba.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 2 +- + net/smc/smc_rx.c | 37 +++++++++++++++++++++---------------- + net/smc/smc_rx.h | 8 ++++---- + 3 files changed, 26 insertions(+), 21 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 0e0a12f4bb61f..d64cfd651c7a1 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -1968,7 +1968,7 @@ static int smc_accept(struct socket *sock, struct socket *new_sock, + release_sock(clcsk); + } else if (!atomic_read(&smc_sk(nsk)->conn.bytes_to_rcv)) { + lock_sock(nsk); +- smc_rx_wait(smc_sk(nsk), &timeo, smc_rx_data_available); ++ smc_rx_wait(smc_sk(nsk), &timeo, 0, smc_rx_data_available); + release_sock(nsk); + } + } +diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c +index 3757aff6c2f00..5f20538cbf990 100644 +--- a/net/smc/smc_rx.c ++++ b/net/smc/smc_rx.c +@@ -174,22 +174,23 @@ static int smc_rx_splice(struct pipe_inode_info *pipe, char *src, size_t len, + return bytes; + } + +-static int smc_rx_data_available_and_no_splice_pend(struct smc_connection *conn) ++static int smc_rx_data_available_and_no_splice_pend(struct smc_connection *conn, size_t peeked) + { +- return atomic_read(&conn->bytes_to_rcv) && ++ return smc_rx_data_available(conn, peeked) && + !atomic_read(&conn->splice_pending); + } + + /* blocks rcvbuf consumer until >=len bytes available or timeout or interrupted + * @smc smc socket + * @timeo pointer to max seconds to wait, pointer to value 0 for no timeout ++ * @peeked number of bytes already peeked + * @fcrit add'l criterion to evaluate as function pointer + * Returns: + * 1 if at least 1 byte available in rcvbuf or if socket error/shutdown. + * 0 otherwise (nothing in rcvbuf nor timeout, e.g. interrupted). + */ +-int smc_rx_wait(struct smc_sock *smc, long *timeo, +- int (*fcrit)(struct smc_connection *conn)) ++int smc_rx_wait(struct smc_sock *smc, long *timeo, size_t peeked, ++ int (*fcrit)(struct smc_connection *conn, size_t baseline)) + { + DEFINE_WAIT_FUNC(wait, woken_wake_function); + struct smc_connection *conn = &smc->conn; +@@ -198,7 +199,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo, + struct sock *sk = &smc->sk; + int rc; + +- if (fcrit(conn)) ++ if (fcrit(conn, peeked)) + return 1; + sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk); + add_wait_queue(sk_sleep(sk), &wait); +@@ -207,7 +208,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo, + cflags->peer_conn_abort || + READ_ONCE(sk->sk_shutdown) & RCV_SHUTDOWN || + conn->killed || +- fcrit(conn), ++ fcrit(conn, peeked), + &wait); + remove_wait_queue(sk_sleep(sk), &wait); + sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk); +@@ -257,11 +258,11 @@ static int smc_rx_recv_urg(struct smc_sock *smc, struct msghdr *msg, int len, + return -EAGAIN; + } + +-static bool smc_rx_recvmsg_data_available(struct smc_sock *smc) ++static bool smc_rx_recvmsg_data_available(struct smc_sock *smc, size_t peeked) + { + struct smc_connection *conn = &smc->conn; + +- if (smc_rx_data_available(conn)) ++ if (smc_rx_data_available(conn, peeked)) + return true; + else if (conn->urg_state == SMC_URG_VALID) + /* we received a single urgent Byte - skip */ +@@ -279,10 +280,10 @@ static bool smc_rx_recvmsg_data_available(struct smc_sock *smc) + int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, + struct pipe_inode_info *pipe, size_t len, int flags) + { +- size_t copylen, read_done = 0, read_remaining = len; ++ size_t copylen, read_done = 0, read_remaining = len, peeked_bytes = 0; + size_t chunk_len, chunk_off, chunk_len_sum; + struct smc_connection *conn = &smc->conn; +- int (*func)(struct smc_connection *conn); ++ int (*func)(struct smc_connection *conn, size_t baseline); + union smc_host_cursor cons; + int readable, chunk; + char *rcvbuf_base; +@@ -313,14 +314,14 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, + if (conn->killed) + break; + +- if (smc_rx_recvmsg_data_available(smc)) ++ if (smc_rx_recvmsg_data_available(smc, peeked_bytes)) + goto copy; + + if (sk->sk_shutdown & RCV_SHUTDOWN) { + /* smc_cdc_msg_recv_action() could have run after + * above smc_rx_recvmsg_data_available() + */ +- if (smc_rx_recvmsg_data_available(smc)) ++ if (smc_rx_recvmsg_data_available(smc, peeked_bytes)) + goto copy; + break; + } +@@ -354,26 +355,28 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, + } + } + +- if (!smc_rx_data_available(conn)) { +- smc_rx_wait(smc, &timeo, smc_rx_data_available); ++ if (!smc_rx_data_available(conn, peeked_bytes)) { ++ smc_rx_wait(smc, &timeo, peeked_bytes, smc_rx_data_available); + continue; + } + + copy: + /* initialize variables for 1st iteration of subsequent loop */ + /* could be just 1 byte, even after waiting on data above */ +- readable = atomic_read(&conn->bytes_to_rcv); ++ readable = smc_rx_data_available(conn, peeked_bytes); + splbytes = atomic_read(&conn->splice_pending); + if (!readable || (msg && splbytes)) { + if (splbytes) + func = smc_rx_data_available_and_no_splice_pend; + else + func = smc_rx_data_available; +- smc_rx_wait(smc, &timeo, func); ++ smc_rx_wait(smc, &timeo, peeked_bytes, func); + continue; + } + + smc_curs_copy(&cons, &conn->local_tx_ctrl.cons, conn); ++ if ((flags & MSG_PEEK) && peeked_bytes) ++ smc_curs_add(conn->rmb_desc->len, &cons, peeked_bytes); + /* subsequent splice() calls pick up where previous left */ + if (splbytes) + smc_curs_add(conn->rmb_desc->len, &cons, splbytes); +@@ -410,6 +413,8 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, + } + read_remaining -= chunk_len; + read_done += chunk_len; ++ if (flags & MSG_PEEK) ++ peeked_bytes += chunk_len; + + if (chunk_len_sum == copylen) + break; /* either on 1st or 2nd iteration */ +diff --git a/net/smc/smc_rx.h b/net/smc/smc_rx.h +index db823c97d824e..994f5e42d1ba2 100644 +--- a/net/smc/smc_rx.h ++++ b/net/smc/smc_rx.h +@@ -21,11 +21,11 @@ void smc_rx_init(struct smc_sock *smc); + + int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg, + struct pipe_inode_info *pipe, size_t len, int flags); +-int smc_rx_wait(struct smc_sock *smc, long *timeo, +- int (*fcrit)(struct smc_connection *conn)); +-static inline int smc_rx_data_available(struct smc_connection *conn) ++int smc_rx_wait(struct smc_sock *smc, long *timeo, size_t peeked, ++ int (*fcrit)(struct smc_connection *conn, size_t baseline)); ++static inline int smc_rx_data_available(struct smc_connection *conn, size_t peeked) + { +- return atomic_read(&conn->bytes_to_rcv); ++ return atomic_read(&conn->bytes_to_rcv) - peeked; + } + + #endif /* SMC_RX_H */ +-- +2.39.5 + diff --git a/queue-5.10/nfsv4.2-fix-copy_notify-xdr-buf-size-calculation.patch b/queue-5.10/nfsv4.2-fix-copy_notify-xdr-buf-size-calculation.patch new file mode 100644 index 0000000000..662cdd6aec --- /dev/null +++ b/queue-5.10/nfsv4.2-fix-copy_notify-xdr-buf-size-calculation.patch @@ -0,0 +1,38 @@ +From c0e31f774919d810a72c9d82a272d432da6454df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 11:52:00 -0500 +Subject: NFSv4.2: fix COPY_NOTIFY xdr buf size calculation + +From: Olga Kornievskaia + +[ Upstream commit e8380c2d06055665b3df6c03964911375d7f9290 ] + +We need to include sequence size in the compound. + +Fixes: 0491567b51ef ("NFS: add COPY_NOTIFY operation") +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs42xdr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfs/nfs42xdr.c b/fs/nfs/nfs42xdr.c +index df5bee2f505c4..c9987d615ebc5 100644 +--- a/fs/nfs/nfs42xdr.c ++++ b/fs/nfs/nfs42xdr.c +@@ -122,9 +122,11 @@ + decode_putfh_maxsz + \ + decode_offload_cancel_maxsz) + #define NFS4_enc_copy_notify_sz (compound_encode_hdr_maxsz + \ ++ encode_sequence_maxsz + \ + encode_putfh_maxsz + \ + encode_copy_notify_maxsz) + #define NFS4_dec_copy_notify_sz (compound_decode_hdr_maxsz + \ ++ decode_sequence_maxsz + \ + decode_putfh_maxsz + \ + decode_copy_notify_maxsz) + #define NFS4_enc_deallocate_sz (compound_encode_hdr_maxsz + \ +-- +2.39.5 + diff --git a/queue-5.10/nvme-add-error-check-for-xa_store-in-nvme_get_effect.patch b/queue-5.10/nvme-add-error-check-for-xa_store-in-nvme_get_effect.patch new file mode 100644 index 0000000000..6d18aa507c --- /dev/null +++ b/queue-5.10/nvme-add-error-check-for-xa_store-in-nvme_get_effect.patch @@ -0,0 +1,52 @@ +From a24c6dd0e0d07a21b142b4c4557b0545f04ccbaa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 13:00:47 +0100 +Subject: nvme: Add error check for xa_store in nvme_get_effects_log + +From: Keisuke Nishimura + +[ Upstream commit ac32057acc7f3d7a238dafaa9b2aa2bc9750080e ] + +The xa_store() may fail due to memory allocation failure because there +is no guarantee that the index csi is already used. This fix adds an +error check of the return value of xa_store() in nvme_get_effects_log(). + +Fixes: 1cf7a12e09aa ("nvme: use an xarray to lookup the Commands Supported and Effects log") +Signed-off-by: Keisuke Nishimura +Reviewed-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index c739ac1761ba6..f988a5e3f0e15 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3043,7 +3043,7 @@ int nvme_get_log(struct nvme_ctrl *ctrl, u32 nsid, u8 log_page, u8 lsp, u8 csi, + static int nvme_get_effects_log(struct nvme_ctrl *ctrl, u8 csi, + struct nvme_effects_log **log) + { +- struct nvme_effects_log *cel = xa_load(&ctrl->cels, csi); ++ struct nvme_effects_log *old, *cel = xa_load(&ctrl->cels, csi); + int ret; + + if (cel) +@@ -3060,7 +3060,11 @@ static int nvme_get_effects_log(struct nvme_ctrl *ctrl, u8 csi, + return ret; + } + +- xa_store(&ctrl->cels, csi, cel, GFP_KERNEL); ++ old = xa_store(&ctrl->cels, csi, cel, GFP_KERNEL); ++ if (xa_is_err(old)) { ++ kfree(cel); ++ return xa_err(old); ++ } + out: + *log = cel; + return 0; +-- +2.39.5 + diff --git a/queue-5.10/ocfs2-mark-dquot-as-inactive-if-failed-to-start-tran.patch b/queue-5.10/ocfs2-mark-dquot-as-inactive-if-failed-to-start-tran.patch new file mode 100644 index 0000000000..5fe53a557d --- /dev/null +++ b/queue-5.10/ocfs2-mark-dquot-as-inactive-if-failed-to-start-tran.patch @@ -0,0 +1,68 @@ +From 94ff684b9b5de2f828fc9986617adf5ed86eba74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jan 2025 22:06:53 +0800 +Subject: ocfs2: mark dquot as inactive if failed to start trans while + releasing dquot + +From: Su Yue + +[ Upstream commit 276c61385f6bc3223a5ecd307cf4aba2dfbb9a31 ] + +While running fstests generic/329, the kernel workqueue +quota_release_workfn is dead looping in calling ocfs2_release_dquot(). +The ocfs2 state is already readonly but ocfs2_release_dquot wants to +start a transaction but fails and returns. + +===================================================================== +[ 2918.123602 ][ T275 ] On-disk corruption discovered. Please run +fsck.ocfs2 once the filesystem is unmounted. +[ 2918.124034 ][ T275 ] (kworker/u135:1,275,11):ocfs2_release_dquot:765 +ERROR: status = -30 +[ 2918.124452 ][ T275 ] (kworker/u135:1,275,11):ocfs2_release_dquot:795 +ERROR: status = -30 +[ 2918.124883 ][ T275 ] (kworker/u135:1,275,11):ocfs2_start_trans:357 +ERROR: status = -30 +[ 2918.125276 ][ T275 ] OCFS2: abort (device dm-0): ocfs2_start_trans: +Detected aborted journal +[ 2918.125710 ][ T275 ] On-disk corruption discovered. Please run +fsck.ocfs2 once the filesystem is unmounted. +===================================================================== + +ocfs2_release_dquot() is much like dquot_release(), which is called by +ext4 to handle similar situation. So here fix it by marking the dquot as +inactive like what dquot_release() does. + +Link: https://lkml.kernel.org/r/20250106140653.92292-1-glass.su@suse.com +Fixes: 9e33d69f553a ("ocfs2: Implementation of local and global quota file handling") +Signed-off-by: Su Yue +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/quota_global.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c +index 1ce3780e8b499..742bf103d2eb2 100644 +--- a/fs/ocfs2/quota_global.c ++++ b/fs/ocfs2/quota_global.c +@@ -749,6 +749,11 @@ static int ocfs2_release_dquot(struct dquot *dquot) + handle = ocfs2_start_trans(osb, + ocfs2_calc_qdel_credits(dquot->dq_sb, dquot->dq_id.type)); + if (IS_ERR(handle)) { ++ /* ++ * Mark dquot as inactive to avoid endless cycle in ++ * quota_release_workfn(). ++ */ ++ clear_bit(DQ_ACTIVE_B, &dquot->dq_flags); + status = PTR_ERR(handle); + mlog_errno(status); + goto out_ilock; +-- +2.39.5 + diff --git a/queue-5.10/padata-add-pd-get-put-refcnt-helper.patch b/queue-5.10/padata-add-pd-get-put-refcnt-helper.patch new file mode 100644 index 0000000000..c8b94648ec --- /dev/null +++ b/queue-5.10/padata-add-pd-get-put-refcnt-helper.patch @@ -0,0 +1,89 @@ +From d1444a04911d5920736008f3cade522d0602585c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 06:16:37 +0000 +Subject: padata: add pd get/put refcnt helper + +From: Chen Ridong + +[ Upstream commit ae154202cc6a189b035359f3c4e143d5c24d5352 ] + +Add helpers for pd to get/put refcnt to make code consice. + +Signed-off-by: Chen Ridong +Acked-by: Daniel Jordan +Signed-off-by: Herbert Xu +Stable-dep-of: dd7d37ccf6b1 ("padata: avoid UAF for reorder_work") +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/kernel/padata.c b/kernel/padata.c +index e4e0121ef3da2..02bb06a2c797d 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -60,6 +60,22 @@ struct padata_mt_job_state { + static void padata_free_pd(struct parallel_data *pd); + static void __init padata_mt_helper(struct work_struct *work); + ++static inline void padata_get_pd(struct parallel_data *pd) ++{ ++ refcount_inc(&pd->refcnt); ++} ++ ++static inline void padata_put_pd_cnt(struct parallel_data *pd, int cnt) ++{ ++ if (refcount_sub_and_test(cnt, &pd->refcnt)) ++ padata_free_pd(pd); ++} ++ ++static inline void padata_put_pd(struct parallel_data *pd) ++{ ++ padata_put_pd_cnt(pd, 1); ++} ++ + static int padata_index_to_cpu(struct parallel_data *pd, int cpu_index) + { + int cpu, target_cpu; +@@ -211,7 +227,7 @@ int padata_do_parallel(struct padata_shell *ps, + if ((pinst->flags & PADATA_RESET)) + goto out; + +- refcount_inc(&pd->refcnt); ++ padata_get_pd(pd); + padata->pd = pd; + padata->cb_cpu = *cb_cpu; + +@@ -385,8 +401,7 @@ static void padata_serial_worker(struct work_struct *serial_work) + } + local_bh_enable(); + +- if (refcount_sub_and_test(cnt, &pd->refcnt)) +- padata_free_pd(pd); ++ padata_put_pd_cnt(pd, cnt); + } + + /** +@@ -683,8 +698,7 @@ static int padata_replace(struct padata_instance *pinst) + synchronize_rcu(); + + list_for_each_entry_continue_reverse(ps, &pinst->pslist, list) +- if (refcount_dec_and_test(&ps->opd->refcnt)) +- padata_free_pd(ps->opd); ++ padata_put_pd(ps->opd); + + pinst->flags &= ~PADATA_RESET; + +@@ -1132,8 +1146,7 @@ void padata_free_shell(struct padata_shell *ps) + mutex_lock(&ps->pinst->lock); + list_del(&ps->list); + pd = rcu_dereference_protected(ps->pd, 1); +- if (refcount_dec_and_test(&pd->refcnt)) +- padata_free_pd(pd); ++ padata_put_pd(pd); + mutex_unlock(&ps->pinst->lock); + + kfree(ps); +-- +2.39.5 + diff --git a/queue-5.10/padata-avoid-uaf-for-reorder_work.patch b/queue-5.10/padata-avoid-uaf-for-reorder_work.patch new file mode 100644 index 0000000000..75b8c9c231 --- /dev/null +++ b/queue-5.10/padata-avoid-uaf-for-reorder_work.patch @@ -0,0 +1,91 @@ +From 2aee1b9354dccccd72d4b1e2172393719af48433 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 06:16:39 +0000 +Subject: padata: avoid UAF for reorder_work + +From: Chen Ridong + +[ Upstream commit dd7d37ccf6b11f3d95e797ebe4e9e886d0332600 ] + +Although the previous patch can avoid ps and ps UAF for _do_serial, it +can not avoid potential UAF issue for reorder_work. This issue can +happen just as below: + +crypto_request crypto_request crypto_del_alg +padata_do_serial + ... + padata_reorder + // processes all remaining + // requests then breaks + while (1) { + if (!padata) + break; + ... + } + + padata_do_serial + // new request added + list_add + // sees the new request + queue_work(reorder_work) + padata_reorder + queue_work_on(squeue->work) +... + + + padata_serial_worker + // completes new request, + // no more outstanding + // requests + + crypto_del_alg + // free pd + + +invoke_padata_reorder + // UAF of pd + +To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' +into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish. + +Fixes: bbefa1dd6a6d ("crypto: pcrypt - Avoid deadlock by using per-instance padata queues") +Signed-off-by: Chen Ridong +Acked-by: Daniel Jordan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/kernel/padata.c b/kernel/padata.c +index 02bb06a2c797d..c7aa60907fdf8 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -357,8 +357,14 @@ static void padata_reorder(struct parallel_data *pd) + smp_mb(); + + reorder = per_cpu_ptr(pd->reorder_list, pd->cpu); +- if (!list_empty(&reorder->list) && padata_find_next(pd, false)) ++ if (!list_empty(&reorder->list) && padata_find_next(pd, false)) { ++ /* ++ * Other context(eg. the padata_serial_worker) can finish the request. ++ * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish. ++ */ ++ padata_get_pd(pd); + queue_work(pinst->serial_wq, &pd->reorder_work); ++ } + } + + static void invoke_padata_reorder(struct work_struct *work) +@@ -369,6 +375,8 @@ static void invoke_padata_reorder(struct work_struct *work) + pd = container_of(work, struct parallel_data, reorder_work); + padata_reorder(pd); + local_bh_enable(); ++ /* Pairs with putting the reorder_work in the serial_wq */ ++ padata_put_pd(pd); + } + + static void padata_serial_worker(struct work_struct *serial_work) +-- +2.39.5 + diff --git a/queue-5.10/padata-fix-sysfs-store-callback-check.patch b/queue-5.10/padata-fix-sysfs-store-callback-check.patch new file mode 100644 index 0000000000..834cd191ff --- /dev/null +++ b/queue-5.10/padata-fix-sysfs-store-callback-check.patch @@ -0,0 +1,40 @@ +From 66d57654c833ef4d9553e9da8e866e7750e8dcea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Dec 2024 23:32:01 +0100 +Subject: padata: fix sysfs store callback check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit 9ff6e943bce67d125781fe4780a5d6f072dc44c0 ] + +padata_sysfs_store() was copied from padata_sysfs_show() but this check +was not adapted. Today there is no attribute which can fail this +check, but if there is one it may as well be correct. + +Fixes: 5e017dc3f8bc ("padata: Added sysfs primitives to padata subsystem") +Signed-off-by: Thomas Weißschuh +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/padata.c b/kernel/padata.c +index 914a88d9cee14..a2badc5dd922e 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -972,7 +972,7 @@ static ssize_t padata_sysfs_store(struct kobject *kobj, struct attribute *attr, + + pinst = kobj2pinst(kobj); + pentry = attr2pentry(attr); +- if (pentry->show) ++ if (pentry->store) + ret = pentry->store(pinst, attr, buf, count); + + return ret; +-- +2.39.5 + diff --git a/queue-5.10/padata-fix-uaf-in-padata_reorder.patch b/queue-5.10/padata-fix-uaf-in-padata_reorder.patch new file mode 100644 index 0000000000..8fda62fa5b --- /dev/null +++ b/queue-5.10/padata-fix-uaf-in-padata_reorder.patch @@ -0,0 +1,94 @@ +From d32c71e93d8b59a6b19e16753b56da238ac83149 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 06:16:38 +0000 +Subject: padata: fix UAF in padata_reorder + +From: Chen Ridong + +[ Upstream commit e01780ea4661172734118d2a5f41bc9720765668 ] + +A bug was found when run ltp test: + +BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 +Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 + +CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ +Workqueue: pdecrypt_parallel padata_parallel_worker +Call Trace: + +dump_stack_lvl+0x32/0x50 +print_address_description.constprop.0+0x6b/0x3d0 +print_report+0xdd/0x2c0 +kasan_report+0xa5/0xd0 +padata_find_next+0x29/0x1a0 +padata_reorder+0x131/0x220 +padata_parallel_worker+0x3d/0xc0 +process_one_work+0x2ec/0x5a0 + +If 'mdelay(10)' is added before calling 'padata_find_next' in the +'padata_reorder' function, this issue could be reproduced easily with +ltp test (pcrypt_aead01). + +This can be explained as bellow: + +pcrypt_aead_encrypt +... +padata_do_parallel +refcount_inc(&pd->refcnt); // add refcnt +... +padata_do_serial +padata_reorder // pd +while (1) { +padata_find_next(pd, true); // using pd +queue_work_on +... +padata_serial_worker crypto_del_alg +padata_put_pd_cnt // sub refcnt + padata_free_shell + padata_put_pd(ps->pd); + // pd is freed +// loop again, but pd is freed +// call padata_find_next, UAF +} + +In the padata_reorder function, when it loops in 'while', if the alg is +deleted, the refcnt may be decreased to 0 before entering +'padata_find_next', which leads to UAF. + +As mentioned in [1], do_serial is supposed to be called with BHs disabled +and always happen under RCU protection, to address this issue, add +synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls +to finish. + +[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ +[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/ +Fixes: b128a3040935 ("padata: allocate workqueue internally") +Signed-off-by: Chen Ridong +Signed-off-by: Qu Zicheng +Acked-by: Daniel Jordan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + kernel/padata.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/padata.c b/kernel/padata.c +index a2badc5dd922e..e4e0121ef3da2 100644 +--- a/kernel/padata.c ++++ b/kernel/padata.c +@@ -1123,6 +1123,12 @@ void padata_free_shell(struct padata_shell *ps) + if (!ps) + return; + ++ /* ++ * Wait for all _do_serial calls to finish to avoid touching ++ * freed pd's and ps's. ++ */ ++ synchronize_rcu(); ++ + mutex_lock(&ps->pinst->lock); + list_del(&ps->list); + pd = rcu_dereference_protected(ps->pd, 1); +-- +2.39.5 + diff --git a/queue-5.10/partitions-ldm-remove-the-initial-kernel-doc-notatio.patch b/queue-5.10/partitions-ldm-remove-the-initial-kernel-doc-notatio.patch new file mode 100644 index 0000000000..c682f5fd6c --- /dev/null +++ b/queue-5.10/partitions-ldm-remove-the-initial-kernel-doc-notatio.patch @@ -0,0 +1,41 @@ +From dae9fcfc16d42c09dc4fe6ee4f91f99baf5e2ebf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jan 2025 22:27:58 -0800 +Subject: partitions: ldm: remove the initial kernel-doc notation + +From: Randy Dunlap + +[ Upstream commit e494e451611a3de6ae95f99e8339210c157d70fb ] + +Remove the file's first comment describing what the file is. +This comment is not in kernel-doc format so it causes a kernel-doc +warning. + +ldm.h:13: warning: expecting prototype for ldm(). Prototype was for _FS_PT_LDM_H_() instead + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Randy Dunlap +Cc: Richard Russon (FlatCap) +Cc: linux-ntfs-dev@lists.sourceforge.net +Cc: Jens Axboe +Link: https://lore.kernel.org/r/20250111062758.910458-1-rdunlap@infradead.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/partitions/ldm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/partitions/ldm.h b/block/partitions/ldm.h +index 8693704dcf5e9..84a66b51cd2ab 100644 +--- a/block/partitions/ldm.h ++++ b/block/partitions/ldm.h +@@ -1,5 +1,5 @@ + // SPDX-License-Identifier: GPL-2.0-or-later +-/** ++/* + * ldm - Part of the Linux-NTFS project. + * + * Copyright (C) 2001,2002 Richard Russon +-- +2.39.5 + diff --git a/queue-5.10/pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch b/queue-5.10/pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch new file mode 100644 index 0000000000..37c25a52fc --- /dev/null +++ b/queue-5.10/pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch @@ -0,0 +1,43 @@ +From 3c32457592042da6ecd4ffe7d991f87f459ba61b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Dec 2024 22:00:18 +0800 +Subject: PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy() + +From: Zijun Hu + +[ Upstream commit d4929755e4d02bd3de3ae5569dab69cb9502c54f ] + +The devm_pci_epc_destroy() comment says destroys the EPC device, but it +does not actually do that since devres_destroy() does not call +devm_pci_epc_release(), and it also can not fully undo what the API +devm_pci_epc_create() does, so it is faulty. + +Fortunately, the faulty API has not been used by current kernel tree. Use +devres_release() instead of devres_destroy() so the EPC device will be +released. + +Link: https://lore.kernel.org/r/20241210-pci-epc-core_fix-v3-1-4d86dd573e4b@quicinc.com +Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions") +Signed-off-by: Zijun Hu +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/endpoint/pci-epc-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c +index ea7e7465ce7a6..8062bc2432303 100644 +--- a/drivers/pci/endpoint/pci-epc-core.c ++++ b/drivers/pci/endpoint/pci-epc-core.c +@@ -616,7 +616,7 @@ void devm_pci_epc_destroy(struct device *dev, struct pci_epc *epc) + { + int r; + +- r = devres_destroy(dev, devm_pci_epc_release, devm_pci_epc_match, ++ r = devres_release(dev, devm_pci_epc_release, devm_pci_epc_match, + epc); + dev_WARN_ONCE(dev, r, "couldn't find PCI EPC resource\n"); + } +-- +2.39.5 + diff --git a/queue-5.10/pci-rcar-ep-fix-incorrect-variable-used-when-calling.patch b/queue-5.10/pci-rcar-ep-fix-incorrect-variable-used-when-calling.patch new file mode 100644 index 0000000000..8adb8fbcea --- /dev/null +++ b/queue-5.10/pci-rcar-ep-fix-incorrect-variable-used-when-calling.patch @@ -0,0 +1,69 @@ +From cd5d7716e645bc9b38c201508f78187f288a0083 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 08:50:18 +0800 +Subject: PCI: rcar-ep: Fix incorrect variable used when calling + devm_request_mem_region() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: King Dix + +[ Upstream commit 2d2da5a4c1b4509f6f7e5a8db015cd420144beb4 ] + +The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region() +macro to request a needed resource. A string variable that lives on the +stack is then used to store a dynamically computed resource name, which +is then passed on as one of the macro arguments. This can lead to +undefined behavior. + +Depending on the current contents of the memory, the manifestations of +errors may vary. One possible output may be as follows: + + $ cat /proc/iomem + 30000000-37ffffff : + 38000000-3fffffff : + +Sometimes, garbage may appear after the colon. + +In very rare cases, if no NULL-terminator is found in memory, the system +might crash because the string iterator will overrun which can lead to +access of unmapped memory above the stack. + +Thus, fix this by replacing outbound_name with the name of the previously +requested resource. With the changes applied, the output will be as +follows: + + $ cat /proc/iomem + 30000000-37ffffff : memory2 + 38000000-3fffffff : memory3 + +Fixes: 2a6d0d63d999 ("PCI: rcar: Add endpoint mode support") +Link: https://lore.kernel.org/r/tencent_DBDCC19D60F361119E76919ADAB25EC13C06@qq.com +Tested-by: Lad Prabhakar +Signed-off-by: King Dix +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Lad Prabhakar +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pcie-rcar-ep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pcie-rcar-ep.c b/drivers/pci/controller/pcie-rcar-ep.c +index c91d85b151290..fc85263797e91 100644 +--- a/drivers/pci/controller/pcie-rcar-ep.c ++++ b/drivers/pci/controller/pcie-rcar-ep.c +@@ -110,7 +110,7 @@ static int rcar_pcie_parse_outbound_ranges(struct rcar_pcie_endpoint *ep, + } + if (!devm_request_mem_region(&pdev->dev, res->start, + resource_size(res), +- outbound_name)) { ++ res->name)) { + dev_err(pcie->dev, "Cannot request memory region %s.\n", + outbound_name); + return -EIO; +-- +2.39.5 + diff --git a/queue-5.10/perf-bpf-fix-two-memory-leakages-when-calling-perf_e.patch b/queue-5.10/perf-bpf-fix-two-memory-leakages-when-calling-perf_e.patch new file mode 100644 index 0000000000..8cf01a589c --- /dev/null +++ b/queue-5.10/perf-bpf-fix-two-memory-leakages-when-calling-perf_e.patch @@ -0,0 +1,105 @@ +From 60adc37079b1c1e3be4b5a2e8e5ad4183ddf8e57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:45:00 +0800 +Subject: perf bpf: Fix two memory leakages when calling + perf_env__insert_bpf_prog_info() + +From: Zhongqiu Han + +[ Upstream commit 03edb7020bb920f1935c3f30acad0bb27fdb99af ] + +If perf_env__insert_bpf_prog_info() returns false due to a duplicate bpf +prog info node insertion, the temporary info_node and info_linear memory +will leak. Add a check to ensure the memory is freed if the function +returns false. + +Fixes: d56354dc49091e33 ("perf tools: Save bpf_prog_info and BTF of new BPF programs") +Reviewed-by: Namhyung Kim +Signed-off-by: Zhongqiu Han +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Yicong Yang +Link: https://lore.kernel.org/r/20241205084500.823660-4-quic_zhonhan@quicinc.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/bpf-event.c | 10 ++++++++-- + tools/perf/util/env.c | 8 ++++++-- + tools/perf/util/env.h | 2 +- + 3 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c +index c50d2c7a264fe..c4de19eba3880 100644 +--- a/tools/perf/util/bpf-event.c ++++ b/tools/perf/util/bpf-event.c +@@ -280,7 +280,10 @@ static int perf_event__synthesize_one_bpf_prog(struct perf_session *session, + } + + info_node->info_linear = info_linear; +- perf_env__insert_bpf_prog_info(env, info_node); ++ if (!perf_env__insert_bpf_prog_info(env, info_node)) { ++ free(info_linear); ++ free(info_node); ++ } + info_linear = NULL; + + /* +@@ -468,7 +471,10 @@ static void perf_env__add_bpf_info(struct perf_env *env, u32 id) + info_node = malloc(sizeof(struct bpf_prog_info_node)); + if (info_node) { + info_node->info_linear = info_linear; +- perf_env__insert_bpf_prog_info(env, info_node); ++ if (!perf_env__insert_bpf_prog_info(env, info_node)) { ++ free(info_linear); ++ free(info_node); ++ } + } else + free(info_linear); + +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c +index 08d641c4e4580..485ee960debfd 100644 +--- a/tools/perf/util/env.c ++++ b/tools/perf/util/env.c +@@ -17,12 +17,16 @@ struct perf_env perf_env; + #include "bpf-event.h" + #include + +-void perf_env__insert_bpf_prog_info(struct perf_env *env, ++bool perf_env__insert_bpf_prog_info(struct perf_env *env, + struct bpf_prog_info_node *info_node) + { ++ bool ret; ++ + down_write(&env->bpf_progs.lock); +- __perf_env__insert_bpf_prog_info(env, info_node); ++ ret = __perf_env__insert_bpf_prog_info(env, info_node); + up_write(&env->bpf_progs.lock); ++ ++ return ret; + } + + bool __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node) +diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h +index b5ddf2ab0e8c6..76c918544db1b 100644 +--- a/tools/perf/util/env.h ++++ b/tools/perf/util/env.h +@@ -141,7 +141,7 @@ int perf_env__nr_cpus_avail(struct perf_env *env); + void perf_env__init(struct perf_env *env); + bool __perf_env__insert_bpf_prog_info(struct perf_env *env, + struct bpf_prog_info_node *info_node); +-void perf_env__insert_bpf_prog_info(struct perf_env *env, ++bool perf_env__insert_bpf_prog_info(struct perf_env *env, + struct bpf_prog_info_node *info_node); + struct bpf_prog_info_node *perf_env__find_bpf_prog_info(struct perf_env *env, + __u32 prog_id); +-- +2.39.5 + diff --git a/queue-5.10/perf-env-conditionally-compile-bpf-support-code-on-h.patch b/queue-5.10/perf-env-conditionally-compile-bpf-support-code-on-h.patch new file mode 100644 index 0000000000..a390553695 --- /dev/null +++ b/queue-5.10/perf-env-conditionally-compile-bpf-support-code-on-h.patch @@ -0,0 +1,248 @@ +From 9ad8939054828b6fb25425614ec62c877da30e6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Oct 2020 15:57:21 -0300 +Subject: perf env: Conditionally compile BPF support code on having + HAVE_LIBBPF_SUPPORT + +From: Arnaldo Carvalho de Melo + +[ Upstream commit ef0580ecd8b0306acf09b7a7508d72cafc67896d ] + +If libbpf isn't selected, no need for a bunch of related code, that were +not even being used, as code using these perf_env methods was also +enclosed in HAVE_LIBBPF_SUPPORT. + +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Jiri Olsa +Cc: Namhyung Kim +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 03edb7020bb9 ("perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info()") +Signed-off-by: Sasha Levin +--- + tools/perf/util/dso.c | 14 ++++++++++---- + tools/perf/util/env.c | 15 ++++++++++++--- + tools/perf/util/env.h | 4 ++-- + tools/perf/util/header.c | 21 ++++++++------------- + 4 files changed, 32 insertions(+), 22 deletions(-) + +diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c +index 5e9902fa1dc8a..48b5d6ec27b6e 100644 +--- a/tools/perf/util/dso.c ++++ b/tools/perf/util/dso.c +@@ -11,8 +11,10 @@ + #include + #include + #include ++#ifdef HAVE_LIBBPF_SUPPORT + #include + #include "bpf-event.h" ++#endif + #include "compress.h" + #include "env.h" + #include "namespaces.h" +@@ -728,6 +730,7 @@ bool dso__data_status_seen(struct dso *dso, enum dso_data_status_seen by) + return false; + } + ++#ifdef HAVE_LIBBPF_SUPPORT + static ssize_t bpf_read(struct dso *dso, u64 offset, char *data) + { + struct bpf_prog_info_node *node; +@@ -765,6 +768,7 @@ static int bpf_size(struct dso *dso) + dso->data.file_size = node->info_linear->info.jited_prog_len; + return 0; + } ++#endif // HAVE_LIBBPF_SUPPORT + + static void + dso_cache__free(struct dso *dso) +@@ -894,10 +898,12 @@ static struct dso_cache *dso_cache__populate(struct dso *dso, + *ret = -ENOMEM; + return NULL; + } +- ++#ifdef HAVE_LIBBPF_SUPPORT + if (dso->binary_type == DSO_BINARY_TYPE__BPF_PROG_INFO) + *ret = bpf_read(dso, cache_offset, cache->data); +- else if (dso->binary_type == DSO_BINARY_TYPE__OOL) ++ else ++#endif ++ if (dso->binary_type == DSO_BINARY_TYPE__OOL) + *ret = DSO__DATA_CACHE_SIZE; + else + *ret = file_read(dso, machine, cache_offset, cache->data); +@@ -1018,10 +1024,10 @@ int dso__data_file_size(struct dso *dso, struct machine *machine) + + if (dso->data.status == DSO_DATA_STATUS_ERROR) + return -1; +- ++#ifdef HAVE_LIBBPF_SUPPORT + if (dso->binary_type == DSO_BINARY_TYPE__BPF_PROG_INFO) + return bpf_size(dso); +- ++#endif + return file_size(dso, machine); + } + +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c +index abb43643c7857..08d641c4e4580 100644 +--- a/tools/perf/util/env.c ++++ b/tools/perf/util/env.c +@@ -5,16 +5,18 @@ + #include "util/header.h" + #include + #include +-#include "bpf-event.h" + #include "cgroup.h" + #include + #include +-#include + #include + #include + + struct perf_env perf_env; + ++#ifdef HAVE_LIBBPF_SUPPORT ++#include "bpf-event.h" ++#include ++ + void perf_env__insert_bpf_prog_info(struct perf_env *env, + struct bpf_prog_info_node *info_node) + { +@@ -182,6 +184,11 @@ static void perf_env__purge_bpf(struct perf_env *env) + + up_write(&env->bpf_progs.lock); + } ++#else // HAVE_LIBBPF_SUPPORT ++static void perf_env__purge_bpf(struct perf_env *env __maybe_unused) ++{ ++} ++#endif // HAVE_LIBBPF_SUPPORT + + void perf_env__exit(struct perf_env *env) + { +@@ -218,11 +225,13 @@ void perf_env__exit(struct perf_env *env) + zfree(&env->memory_nodes); + } + +-void perf_env__init(struct perf_env *env) ++void perf_env__init(struct perf_env *env __maybe_unused) + { ++#ifdef HAVE_LIBBPF_SUPPORT + env->bpf_progs.infos = RB_ROOT; + env->bpf_progs.btfs = RB_ROOT; + init_rwsem(&env->bpf_progs.lock); ++#endif + } + + int perf_env__set_cmdline(struct perf_env *env, int argc, const char *argv[]) +diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h +index 64b63e989472e..b5ddf2ab0e8c6 100644 +--- a/tools/perf/util/env.h ++++ b/tools/perf/util/env.h +@@ -77,7 +77,7 @@ struct perf_env { + struct numa_node *numa_nodes; + struct memory_node *memory_nodes; + unsigned long long memory_bsize; +- ++#ifdef HAVE_LIBBPF_SUPPORT + /* + * bpf_info_lock protects bpf rbtrees. This is needed because the + * trees are accessed by different threads in perf-top +@@ -89,7 +89,7 @@ struct perf_env { + struct rb_root btfs; + u32 btfs_cnt; + } bpf_progs; +- ++#endif // HAVE_LIBBPF_SUPPORT + /* same reason as above (for perf-top) */ + struct { + struct rw_semaphore lock; +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index 8d4f35e08905c..94b9c96c29d58 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -19,7 +19,9 @@ + #include + #include + #include ++#ifdef HAVE_LIBBPF_SUPPORT + #include ++#endif + #include + + #include "dso.h" +@@ -987,13 +989,6 @@ static int write_bpf_prog_info(struct feat_fd *ff, + up_read(&env->bpf_progs.lock); + return ret; + } +-#else // HAVE_LIBBPF_SUPPORT +-static int write_bpf_prog_info(struct feat_fd *ff __maybe_unused, +- struct evlist *evlist __maybe_unused) +-{ +- return 0; +-} +-#endif // HAVE_LIBBPF_SUPPORT + + static int write_bpf_btf(struct feat_fd *ff, + struct evlist *evlist __maybe_unused) +@@ -1027,6 +1022,7 @@ static int write_bpf_btf(struct feat_fd *ff, + up_read(&env->bpf_progs.lock); + return ret; + } ++#endif // HAVE_LIBBPF_SUPPORT + + static int cpu_cache_level__sort(const void *a, const void *b) + { +@@ -1638,6 +1634,7 @@ static void print_dir_format(struct feat_fd *ff, FILE *fp) + fprintf(fp, "# directory data version : %"PRIu64"\n", data->dir.version); + } + ++#ifdef HAVE_LIBBPF_SUPPORT + static void print_bpf_prog_info(struct feat_fd *ff, FILE *fp) + { + struct perf_env *env = &ff->ph->env; +@@ -1683,6 +1680,7 @@ static void print_bpf_btf(struct feat_fd *ff, FILE *fp) + + up_read(&env->bpf_progs.lock); + } ++#endif // HAVE_LIBBPF_SUPPORT + + static void free_event_desc(struct evsel *events) + { +@@ -2941,12 +2939,6 @@ static int process_bpf_prog_info(struct feat_fd *ff, void *data __maybe_unused) + up_write(&env->bpf_progs.lock); + return err; + } +-#else // HAVE_LIBBPF_SUPPORT +-static int process_bpf_prog_info(struct feat_fd *ff __maybe_unused, void *data __maybe_unused) +-{ +- return 0; +-} +-#endif // HAVE_LIBBPF_SUPPORT + + static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused) + { +@@ -2994,6 +2986,7 @@ static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused) + free(node); + return err; + } ++#endif // HAVE_LIBBPF_SUPPORT + + static int process_compressed(struct feat_fd *ff, + void *data __maybe_unused) +@@ -3124,8 +3117,10 @@ const struct perf_header_feature_ops feat_ops[HEADER_LAST_FEATURE] = { + FEAT_OPR(MEM_TOPOLOGY, mem_topology, true), + FEAT_OPR(CLOCKID, clockid, false), + FEAT_OPN(DIR_FORMAT, dir_format, false), ++#ifdef HAVE_LIBBPF_SUPPORT + FEAT_OPR(BPF_PROG_INFO, bpf_prog_info, false), + FEAT_OPR(BPF_BTF, bpf_btf, false), ++#endif + FEAT_OPR(COMPRESSED, compressed, false), + FEAT_OPR(CPU_PMU_CAPS, cpu_pmu_caps, false), + FEAT_OPR(CLOCK_DATA, clock_data, false), +-- +2.39.5 + diff --git a/queue-5.10/perf-header-fix-one-memory-leakage-in-process_bpf_bt.patch b/queue-5.10/perf-header-fix-one-memory-leakage-in-process_bpf_bt.patch new file mode 100644 index 0000000000..4fa1a7db64 --- /dev/null +++ b/queue-5.10/perf-header-fix-one-memory-leakage-in-process_bpf_bt.patch @@ -0,0 +1,51 @@ +From f4af205ea1fa52239f0cd4ead0f8e09bd4a5eea8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:44:58 +0800 +Subject: perf header: Fix one memory leakage in process_bpf_btf() + +From: Zhongqiu Han + +[ Upstream commit 875d22980a062521beed7b5df71fb13a1af15d83 ] + +If __perf_env__insert_btf() returns false due to a duplicate btf node +insertion, the temporary node will leak. Add a check to ensure the memory +is freed if the function returns false. + +Fixes: a70a1123174ab592 ("perf bpf: Save BTF information as headers to perf.data") +Reviewed-by: Namhyung Kim +Signed-off-by: Zhongqiu Han +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Yicong Yang +Link: https://lore.kernel.org/r/20241205084500.823660-2-quic_zhonhan@quicinc.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index d2812d98968df..a0a83e5de762a 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -2980,7 +2980,8 @@ static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused) + if (__do_read(ff, node->data, data_size)) + goto out; + +- __perf_env__insert_btf(env, node); ++ if (!__perf_env__insert_btf(env, node)) ++ free(node); + node = NULL; + } + +-- +2.39.5 + diff --git a/queue-5.10/perf-header-fix-one-memory-leakage-in-process_bpf_pr.patch b/queue-5.10/perf-header-fix-one-memory-leakage-in-process_bpf_pr.patch new file mode 100644 index 0000000000..943d5da067 --- /dev/null +++ b/queue-5.10/perf-header-fix-one-memory-leakage-in-process_bpf_pr.patch @@ -0,0 +1,99 @@ +From d58126c7966da6e6bd59b71760e36ed51fea8eb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Dec 2024 16:44:59 +0800 +Subject: perf header: Fix one memory leakage in process_bpf_prog_info() + +From: Zhongqiu Han + +[ Upstream commit a7da6c7030e1aec32f0a41c7b4fa70ec96042019 ] + +Function __perf_env__insert_bpf_prog_info() will return without inserting +bpf prog info node into perf env again due to a duplicate bpf prog info +node insertion, causing the temporary info_linear and info_node memory to +leak. Modify the return type of this function to bool and add a check to +ensure the memory is freed if the function returns false. + +Fixes: 606f972b1361f477 ("perf bpf: Save bpf_prog_info information as headers to perf.data") +Reviewed-by: Namhyung Kim +Signed-off-by: Zhongqiu Han +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Yicong Yang +Link: https://lore.kernel.org/r/20241205084500.823660-3-quic_zhonhan@quicinc.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/env.c | 5 +++-- + tools/perf/util/env.h | 2 +- + tools/perf/util/header.c | 5 ++++- + 3 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c +index ed2a42abe1270..abb43643c7857 100644 +--- a/tools/perf/util/env.c ++++ b/tools/perf/util/env.c +@@ -23,7 +23,7 @@ void perf_env__insert_bpf_prog_info(struct perf_env *env, + up_write(&env->bpf_progs.lock); + } + +-void __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node) ++bool __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node) + { + __u32 prog_id = info_node->info_linear->info.id; + struct bpf_prog_info_node *node; +@@ -41,13 +41,14 @@ void __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info + p = &(*p)->rb_right; + } else { + pr_debug("duplicated bpf prog info %u\n", prog_id); +- return; ++ return false; + } + } + + rb_link_node(&info_node->rb_node, parent, p); + rb_insert_color(&info_node->rb_node, &env->bpf_progs.infos); + env->bpf_progs.infos_cnt++; ++ return true; + } + + struct bpf_prog_info_node *perf_env__find_bpf_prog_info(struct perf_env *env, +diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h +index ef0fd544cd672..64b63e989472e 100644 +--- a/tools/perf/util/env.h ++++ b/tools/perf/util/env.h +@@ -139,7 +139,7 @@ const char *perf_env__raw_arch(struct perf_env *env); + int perf_env__nr_cpus_avail(struct perf_env *env); + + void perf_env__init(struct perf_env *env); +-void __perf_env__insert_bpf_prog_info(struct perf_env *env, ++bool __perf_env__insert_bpf_prog_info(struct perf_env *env, + struct bpf_prog_info_node *info_node); + void perf_env__insert_bpf_prog_info(struct perf_env *env, + struct bpf_prog_info_node *info_node); +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index a0a83e5de762a..8d4f35e08905c 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -2927,7 +2927,10 @@ static int process_bpf_prog_info(struct feat_fd *ff, void *data __maybe_unused) + /* after reading from file, translate offset to address */ + bpf_program__bpil_offs_to_addr(info_linear); + info_node->info_linear = info_linear; +- __perf_env__insert_bpf_prog_info(env, info_node); ++ if (!__perf_env__insert_bpf_prog_info(env, info_node)) { ++ free(info_linear); ++ free(info_node); ++ } + } + + up_write(&env->bpf_progs.lock); +-- +2.39.5 + diff --git a/queue-5.10/perf-machine-don-t-ignore-_etext-when-not-a-text-sym.patch b/queue-5.10/perf-machine-don-t-ignore-_etext-when-not-a-text-sym.patch new file mode 100644 index 0000000000..0dbd73e5db --- /dev/null +++ b/queue-5.10/perf-machine-don-t-ignore-_etext-when-not-a-text-sym.patch @@ -0,0 +1,68 @@ +From 8876def9bc05bf6db1aa72b1c1f3115544ce6ae6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 10:15:24 +0100 +Subject: perf machine: Don't ignore _etext when not a text symbol + +From: Christophe Leroy + +[ Upstream commit 7a93786c306296f15e728b1dbd949a319e4e3d19 ] + +Depending on how vmlinux.lds is written, _etext might be the very first +data symbol instead of the very last text symbol. + +Don't require it to be a text symbol, accept any symbol type. + +Comitter notes: + +See the first Link for further discussion, but it all boils down to +this: + + --- + # grep -e _stext -e _etext -e _edata /proc/kallsyms + c0000000 T _stext + c08b8000 D _etext + + So there is no _edata and _etext is not text + + $ ppc-linux-objdump -x vmlinux | grep -e _stext -e _etext -e _edata + c0000000 g .head.text 00000000 _stext + c08b8000 g .rodata 00000000 _etext + c1378000 g .sbss 00000000 _edata + --- + +Fixes: ed9adb2035b5be58 ("perf machine: Read also the end of the kernel") +Signed-off-by: Christophe Leroy +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: linuxppc-dev@lists.ozlabs.org +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Link: https://lore.kernel.org/r/b3ee1994d95257cb7f2de037c5030ba7d1bed404.1736327613.git.christophe.leroy@csgroup.eu +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/machine.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c +index d8d64cd63b1dc..4ae2d28f13ebe 100644 +--- a/tools/perf/util/machine.c ++++ b/tools/perf/util/machine.c +@@ -1039,7 +1039,7 @@ static int machine__get_running_kernel_start(struct machine *machine, + + err = kallsyms__get_symbol_start(filename, "_edata", &addr); + if (err) +- err = kallsyms__get_function_start(filename, "_etext", &addr); ++ err = kallsyms__get_symbol_start(filename, "_etext", &addr); + if (!err) + *end = addr; + +-- +2.39.5 + diff --git a/queue-5.10/perf-machine-include-data-symbols-in-the-kernel-map.patch b/queue-5.10/perf-machine-include-data-symbols-in-the-kernel-map.patch new file mode 100644 index 0000000000..e341797681 --- /dev/null +++ b/queue-5.10/perf-machine-include-data-symbols-in-the-kernel-map.patch @@ -0,0 +1,77 @@ +From 850ab5f1c00d51542a86b35175bdf47a768aea98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jul 2023 17:19:29 -0700 +Subject: perf machine: Include data symbols in the kernel map + +From: Namhyung Kim + +[ Upstream commit 69a87a32f5cd8b262cb2195b045f96c63aede734 ] + +When 'perf record -d' is used, it needs data mmaps to symbolize global +data. But it missed to collect kernel data maps so it cannot symbolize +them. Instead of having a separate map, just increase the kernel map +size to include the data section. + +Probably we can have a separate kernel map for data, but the current +code assumes a single kernel map. So it'd require more changes in other +places and looks error-prone. I decided not to go that way for now. + +Also it seems the kernel module size already includes the data section. + +For example, my system has the following. + + $ grep -e _stext -e _etext -e _edata /proc/kallsyms + ffffffff99800000 T _stext + ffffffff9a601ac8 T _etext + ffffffff9b446a00 D _edata + +Size of the text section is (0x9a601ac8 - 0x99800000 = 0xe01ac8) and +size including data section is (0x9b446a00 - 0x99800000 = 0x1c46a00). + +Before: + $ perf record -d true + + $ perf report -D | grep MMAP | head -1 + 0 0 0x460 [0x60]: PERF_RECORD_MMAP -1/0: [0xffffffff99800000(0xe01ac8) @ 0xffffffff99800000]: x [kernel.kallsyms]_text + ^^^^^^^^ + here +After: + $ perf report -D | grep MMAP | head -1 + 0 0 0x460 [0x60]: PERF_RECORD_MMAP -1/0: [0xffffffff99800000(0x1c46a00) @ 0xffffffff99800000]: x [kernel.kallsyms]_text + ^^^^^^^^^ + +Instead of just replacing it to _edata, try _edata first and then fall +back to _etext just in case. + +Signed-off-by: Namhyung Kim +Acked-by: Adrian Hunter +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20230725001929.368041-2-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Stable-dep-of: 7a93786c3062 ("perf machine: Don't ignore _etext when not a text symbol") +Signed-off-by: Sasha Levin +--- + tools/perf/util/machine.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c +index eec926c313b13..d8d64cd63b1dc 100644 +--- a/tools/perf/util/machine.c ++++ b/tools/perf/util/machine.c +@@ -1037,7 +1037,9 @@ static int machine__get_running_kernel_start(struct machine *machine, + + *start = addr; + +- err = kallsyms__get_function_start(filename, "_etext", &addr); ++ err = kallsyms__get_symbol_start(filename, "_edata", &addr); ++ if (err) ++ err = kallsyms__get_function_start(filename, "_etext", &addr); + if (!err) + *end = addr; + +-- +2.39.5 + diff --git a/queue-5.10/perf-report-fix-misleading-help-message-about-demang.patch b/queue-5.10/perf-report-fix-misleading-help-message-about-demang.patch new file mode 100644 index 0000000000..11f6c28817 --- /dev/null +++ b/queue-5.10/perf-report-fix-misleading-help-message-about-demang.patch @@ -0,0 +1,46 @@ +From 47692cae3eacf88366ac52692203ddce5b6ff977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 23:22:19 +0800 +Subject: perf report: Fix misleading help message about --demangle + +From: Jiachen Zhang + +[ Upstream commit ac0ac75189a4d6a29a2765a7adbb62bc6cc650c7 ] + +The wrong help message may mislead users. This commit fixes it. + +Fixes: 328ccdace8855289 ("perf report: Add --no-demangle option") +Reviewed-by: Namhyung Kim +Signed-off-by: Jiachen Zhang +Cc: Adrian Hunter +Cc: Alexander Shishkin +Cc: Ian Rogers +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: https://lore.kernel.org/r/20250109152220.1869581-1-me@jcix.top +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-report.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c +index b55ee073c2f72..575ad3c4fb373 100644 +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -1276,7 +1276,7 @@ int cmd_report(int argc, const char **argv) + OPT_STRING(0, "objdump", &report.annotation_opts.objdump_path, "path", + "objdump binary to use for disassembly and annotations"), + OPT_BOOLEAN(0, "demangle", &symbol_conf.demangle, +- "Disable symbol demangling"), ++ "Symbol demangling. Enabled by default, use --no-demangle to disable."), + OPT_BOOLEAN(0, "demangle-kernel", &symbol_conf.demangle_kernel, + "Enable kernel symbol demangling"), + OPT_BOOLEAN(0, "mem-mode", &report.mem_mode, "mem access profile"), +-- +2.39.5 + diff --git a/queue-5.10/perf-top-don-t-complain-about-lack-of-vmlinux-when-n.patch b/queue-5.10/perf-top-don-t-complain-about-lack-of-vmlinux-when-n.patch new file mode 100644 index 0000000000..2fd6d59fac --- /dev/null +++ b/queue-5.10/perf-top-don-t-complain-about-lack-of-vmlinux-when-n.patch @@ -0,0 +1,64 @@ +From 0b62cea497c0d1c173405630e71433b90996d231 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jan 2025 16:50:39 -0300 +Subject: perf top: Don't complain about lack of vmlinux when not resolving + some kernel samples + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 058b38ccd2af9e5c95590b018e8425fa148d7aca ] + +Recently we got a case where a kernel sample wasn't being resolved due +to a bug that was not setting the end address on kernel functions +implemented in assembly (see Link: tag), and then those were not being +found by machine__resolve() -> map__find_symbol(). + +So we ended up with: + + # perf top --stdio + PerfTop: 0 irqs/s kernel: 0% exact: 0% lost: 0/0 drop: 0/0 [cycles/P] + ----------------------------------------------------------------------- + + Warning: + A vmlinux file was not found. + Kernel samples will not be resolved. + ^Z + [1]+ Stopped perf top --stdio + # + +But then resolving all other kernel symbols. + +So just fixup the logic to only print that warning when there are no +symbols in the kernel map. + +Fixes: d88205db9caa0e9d ("perf dso: Add dso__has_symbols() method") +Reviewed-by: Namhyung Kim +Cc: Adrian Hunter +Cc: Ian Rogers +Cc: Christophe Leroy +Cc: James Clark +Cc: Jiri Olsa +Cc: Kan Liang +Link: https://lore.kernel.org/lkml/Z3buKhcCsZi3_aGb@x1 +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-top.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c +index ee30372f77133..f14970acc6ba8 100644 +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -809,7 +809,7 @@ static void perf_event__process_sample(struct perf_tool *tool, + * invalid --vmlinux ;-) + */ + if (!machine->kptr_restrict_warned && !top->vmlinux_warned && +- __map__is_kernel(al.map) && map__has_symbols(al.map)) { ++ __map__is_kernel(al.map) && !map__has_symbols(al.map)) { + if (symbol_conf.vmlinux_name) { + char serr[256]; + dso__strerror_load(al.map->dso, serr, sizeof(serr)); +-- +2.39.5 + diff --git a/queue-5.10/perf-trace-fix-runtime-error-of-index-out-of-bounds.patch b/queue-5.10/perf-trace-fix-runtime-error-of-index-out-of-bounds.patch new file mode 100644 index 0000000000..ad81840c94 --- /dev/null +++ b/queue-5.10/perf-trace-fix-runtime-error-of-index-out-of-bounds.patch @@ -0,0 +1,63 @@ +From 19cc43fcc3567709ccdd93d1cb68ea21df1aec3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jan 2025 18:55:19 -0800 +Subject: perf trace: Fix runtime error of index out of bounds + +From: Howard Chu + +[ Upstream commit c7b87ce0dd10b64b68a0b22cb83bbd556e28fe81 ] + +libtraceevent parses and returns an array of argument fields, sometimes +larger than RAW_SYSCALL_ARGS_NUM (6) because it includes "__syscall_nr", +idx will traverse to index 6 (7th element) whereas sc->fmt->arg holds 6 +elements max, creating an out-of-bounds access. This runtime error is +found by UBsan. The error message: + + $ sudo UBSAN_OPTIONS=print_stacktrace=1 ./perf trace -a --max-events=1 + builtin-trace.c:1966:35: runtime error: index 6 out of bounds for type 'syscall_arg_fmt [6]' + #0 0x5c04956be5fe in syscall__alloc_arg_fmts /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:1966 + #1 0x5c04956c0510 in trace__read_syscall_info /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:2110 + #2 0x5c04956c372b in trace__syscall_info /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:2436 + #3 0x5c04956d2f39 in trace__init_syscalls_bpf_prog_array_maps /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:3897 + #4 0x5c04956d6d25 in trace__run /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:4335 + #5 0x5c04956e112e in cmd_trace /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:5502 + #6 0x5c04956eda7d in run_builtin /home/howard/hw/linux-perf/tools/perf/perf.c:351 + #7 0x5c04956ee0a8 in handle_internal_command /home/howard/hw/linux-perf/tools/perf/perf.c:404 + #8 0x5c04956ee37f in run_argv /home/howard/hw/linux-perf/tools/perf/perf.c:448 + #9 0x5c04956ee8e9 in main /home/howard/hw/linux-perf/tools/perf/perf.c:556 + #10 0x79eb3622a3b7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #11 0x79eb3622a47a in __libc_start_main_impl ../csu/libc-start.c:360 + #12 0x5c04955422d4 in _start (/home/howard/hw/linux-perf/tools/perf/perf+0x4e02d4) (BuildId: 5b6cab2d59e96a4341741765ad6914a4d784dbc6) + + 0.000 ( 0.014 ms): Chrome_ChildIO/117244 write(fd: 238, buf: !, count: 1) = 1 + +Fixes: 5e58fcfaf4c6 ("perf trace: Allow allocating sc->arg_fmt even without the syscall tracepoint") +Signed-off-by: Howard Chu +Link: https://lore.kernel.org/r/20250122025519.361873-1-howardchu95@gmail.com +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-trace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c +index 68189e6347205..178cf3a11f089 100644 +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -1803,8 +1803,12 @@ static int trace__read_syscall_info(struct trace *trace, int id) + return PTR_ERR(sc->tp_format); + } + ++ /* ++ * The tracepoint format contains __syscall_nr field, so it's one more ++ * than the actual number of syscall arguments. ++ */ + if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ? +- RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields)) ++ RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields - 1)) + return -ENOMEM; + + sc->args = sc->tp_format->format.fields; +-- +2.39.5 + diff --git a/queue-5.10/platform-provide-a-remove-callback-that-returns-no-v.patch b/queue-5.10/platform-provide-a-remove-callback-that-returns-no-v.patch new file mode 100644 index 0000000000..82a6472269 --- /dev/null +++ b/queue-5.10/platform-provide-a-remove-callback-that-returns-no-v.patch @@ -0,0 +1,86 @@ +From d513c6f29e95ad19a3285bcd0eae0a7bc05a1c51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 16:09:14 +0100 +Subject: platform: Provide a remove callback that returns no value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 5c5a7680e67ba6fbbb5f4d79fa41485450c1985c ] + +struct platform_driver::remove returning an integer made driver authors +expect that returning an error code was proper error handling. However +the driver core ignores the error and continues to remove the device +because there is nothing the core could do anyhow and reentering the +remove callback again is only calling for trouble. + +So this is an source for errors typically yielding resource leaks in the +error path. + +As there are too many platform drivers to neatly convert them all to +return void in a single go, do it in several steps after this patch: + + a) Convert all drivers to implement .remove_new() returning void instead + of .remove() returning int; + b) Change struct platform_driver::remove() to return void and so make + it identical to .remove_new(); + c) Change all drivers back to .remove() now with the better prototype; + d) drop struct platform_driver::remove_new(). + +While this touches all drivers eventually twice, steps a) and c) can be +done one driver after another and so reduces coordination efforts +immensely and simplifies review. + +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20221209150914.3557650-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak") +Signed-off-by: Sasha Levin +--- + drivers/base/platform.c | 4 +++- + include/linux/platform_device.h | 11 +++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/platform.c b/drivers/base/platform.c +index d0b15cbab0ff0..e07043d85c65c 100644 +--- a/drivers/base/platform.c ++++ b/drivers/base/platform.c +@@ -1306,7 +1306,9 @@ static int platform_remove(struct device *_dev) + struct platform_driver *drv = to_platform_driver(_dev->driver); + struct platform_device *dev = to_platform_device(_dev); + +- if (drv->remove) { ++ if (drv->remove_new) { ++ drv->remove_new(dev); ++ } else if (drv->remove) { + int ret = drv->remove(dev); + + if (ret) +diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h +index e7a83b0218077..870a918aa251c 100644 +--- a/include/linux/platform_device.h ++++ b/include/linux/platform_device.h +@@ -203,7 +203,18 @@ extern void platform_device_put(struct platform_device *pdev); + + struct platform_driver { + int (*probe)(struct platform_device *); ++ ++ /* ++ * Traditionally the remove callback returned an int which however is ++ * ignored by the driver core. This led to wrong expectations by driver ++ * authors who thought returning an error code was a valid error ++ * handling strategy. To convert to a callback returning void, new ++ * drivers should implement .remove_new() until the conversion it done ++ * that eventually makes .remove() return void. ++ */ + int (*remove)(struct platform_device *); ++ void (*remove_new)(struct platform_device *); ++ + void (*shutdown)(struct platform_device *); + int (*suspend)(struct platform_device *, pm_message_t state); + int (*resume)(struct platform_device *); +-- +2.39.5 + diff --git a/queue-5.10/pm-hibernate-add-error-handling-for-syscore_suspend.patch b/queue-5.10/pm-hibernate-add-error-handling-for-syscore_suspend.patch new file mode 100644 index 0000000000..00de5e358f --- /dev/null +++ b/queue-5.10/pm-hibernate-add-error-handling-for-syscore_suspend.patch @@ -0,0 +1,58 @@ +From b3457db125d2253d1b2b760f57c0741bf23daba8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jan 2025 22:32:05 +0800 +Subject: PM: hibernate: Add error handling for syscore_suspend() + +From: Wentao Liang + +[ Upstream commit e20a70c572539a486dbd91b225fa6a194a5e2122 ] + +In hibernation_platform_enter(), the code did not check the +return value of syscore_suspend(), potentially leading to a +situation where syscore_resume() would be called even if +syscore_suspend() failed. This could cause unpredictable +behavior or system instability. + +Modify the code sequence in question to properly handle errors returned +by syscore_suspend(). If an error occurs in the suspend path, the code +now jumps to label 'Enable_irqs' skipping the syscore_resume() call and +only enabling interrupts after setting the system state to SYSTEM_RUNNING. + +Fixes: 40dc166cb5dd ("PM / Core: Introduce struct syscore_ops for core subsystems PM") +Signed-off-by: Wentao Liang +Link: https://patch.msgid.link/20250119143205.2103-1-vulab@iscas.ac.cn +[ rjw: Changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/hibernate.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index 59a1b126c369b..f2b2a2dcdb87b 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -590,7 +590,11 @@ int hibernation_platform_enter(void) + + local_irq_disable(); + system_state = SYSTEM_SUSPEND; +- syscore_suspend(); ++ ++ error = syscore_suspend(); ++ if (error) ++ goto Enable_irqs; ++ + if (pm_wakeup_pending()) { + error = -EAGAIN; + goto Power_up; +@@ -602,6 +606,7 @@ int hibernation_platform_enter(void) + + Power_up: + syscore_resume(); ++ Enable_irqs: + system_state = SYSTEM_RUNNING; + local_irq_enable(); + +-- +2.39.5 + diff --git a/queue-5.10/pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch b/queue-5.10/pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch new file mode 100644 index 0000000000..06d78793bb --- /dev/null +++ b/queue-5.10/pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch @@ -0,0 +1,119 @@ +From 1856343e6435d557ab04729f9707bc14b961039a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 20:24:41 +0100 +Subject: PM: sleep: core: Synchronize runtime PM status of parents and + children + +From: Rafael J. Wysocki + +[ Upstream commit 3775fc538f535a7c5adaf11990c7932a0bd1f9eb ] + +Commit 6e176bf8d461 ("PM: sleep: core: Do not skip callbacks in the +resume phase") overlooked the case in which the parent of a device with +DPM_FLAG_SMART_SUSPEND set did not use that flag and could be runtime- +suspended before a transition into a system-wide sleep state. In that +case, if the child is resumed during the subsequent transition from +that state into the working state, its runtime PM status will be set to +RPM_ACTIVE, but the runtime PM status of the parent will not be updated +accordingly, even though the parent will be resumed too, because of the +dev_pm_skip_suspend() check in device_resume_noirq(). + +Address this problem by tracking the need to set the runtime PM status +to RPM_ACTIVE during system-wide resume transitions for devices with +DPM_FLAG_SMART_SUSPEND set and all of the devices depended on by them. + +Fixes: 6e176bf8d461 ("PM: sleep: core: Do not skip callbacks in the resume phase") +Closes: https://lore.kernel.org/linux-pm/Z30p2Etwf3F2AUvD@hovoldconsulting.com/ +Reported-by: Johan Hovold +Tested-by: Manivannan Sadhasivam +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Link: https://patch.msgid.link/12619233.O9o76ZdvQC@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 29 ++++++++++++++++++++--------- + include/linux/pm.h | 1 + + 2 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index 07f561e17b637..39646b27f2fb0 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -618,13 +618,15 @@ static void device_resume_noirq(struct device *dev, pm_message_t state, bool asy + * so change its status accordingly. + * + * Otherwise, the device is going to be resumed, so set its PM-runtime +- * status to "active", but do that only if DPM_FLAG_SMART_SUSPEND is set +- * to avoid confusing drivers that don't use it. ++ * status to "active" unless its power.set_active flag is clear, in ++ * which case it is not necessary to update its PM-runtime status. + */ +- if (skip_resume) ++ if (skip_resume) { + pm_runtime_set_suspended(dev); +- else if (dev_pm_skip_suspend(dev)) ++ } else if (dev->power.set_active) { + pm_runtime_set_active(dev); ++ dev->power.set_active = false; ++ } + + if (dev->pm_domain) { + info = "noirq power domain "; +@@ -1176,18 +1178,24 @@ static pm_message_t resume_event(pm_message_t sleep_state) + return PMSG_ON; + } + +-static void dpm_superior_set_must_resume(struct device *dev) ++static void dpm_superior_set_must_resume(struct device *dev, bool set_active) + { + struct device_link *link; + int idx; + +- if (dev->parent) ++ if (dev->parent) { + dev->parent->power.must_resume = true; ++ if (set_active) ++ dev->parent->power.set_active = true; ++ } + + idx = device_links_read_lock(); + +- list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node) ++ list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node) { + link->supplier->power.must_resume = true; ++ if (set_active) ++ link->supplier->power.set_active = true; ++ } + + device_links_read_unlock(idx); + } +@@ -1263,8 +1271,11 @@ static int __device_suspend_noirq(struct device *dev, pm_message_t state, bool a + dev->power.may_skip_resume)) + dev->power.must_resume = true; + +- if (dev->power.must_resume) +- dpm_superior_set_must_resume(dev); ++ if (dev->power.must_resume) { ++ dev->power.set_active = dev->power.set_active || ++ dev_pm_test_driver_flags(dev, DPM_FLAG_SMART_SUSPEND); ++ dpm_superior_set_must_resume(dev, dev->power.set_active); ++ } + + Complete: + complete_all(&dev->power.completion); +diff --git a/include/linux/pm.h b/include/linux/pm.h +index 04ba61ac1a8d6..9007379d333b3 100644 +--- a/include/linux/pm.h ++++ b/include/linux/pm.h +@@ -585,6 +585,7 @@ struct dev_pm_info { + bool no_pm_callbacks:1; /* Owned by the PM core */ + bool async_in_progress:1; /* Owned by the PM core */ + bool must_resume:1; /* Owned by the PM core */ ++ bool set_active:1; /* Owned by the PM core */ + bool may_skip_resume:1; /* Set by subsystems */ + #else + bool should_wakeup:1; +-- +2.39.5 + diff --git a/queue-5.10/pm-sleep-restore-asynchronous-device-resume-optimiza.patch b/queue-5.10/pm-sleep-restore-asynchronous-device-resume-optimiza.patch new file mode 100644 index 0000000000..a7ae71ac89 --- /dev/null +++ b/queue-5.10/pm-sleep-restore-asynchronous-device-resume-optimiza.patch @@ -0,0 +1,284 @@ +From 46afbb4961503f331dbc45ed832299fd5a613a10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jan 2024 17:59:22 +0100 +Subject: PM: sleep: Restore asynchronous device resume optimization + +From: Rafael J. Wysocki + +[ Upstream commit 3e999770ac1c7c31a70685dd5b88e89473509e9c ] + +Before commit 7839d0078e0d ("PM: sleep: Fix possible deadlocks in core +system-wide PM code"), the resume of devices that were allowed to resume +asynchronously was scheduled before starting the resume of the other +devices, so the former did not have to wait for the latter unless +functional dependencies were present. + +Commit 7839d0078e0d removed that optimization in order to address a +correctness issue, but it can be restored with the help of a new device +power management flag, so do that now. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Stanislaw Gruszka +Stable-dep-of: 3775fc538f53 ("PM: sleep: core: Synchronize runtime PM status of parents and children") +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 117 +++++++++++++++++++++----------------- + include/linux/pm.h | 1 + + 2 files changed, 65 insertions(+), 53 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index fbc57c4fcdd01..07f561e17b637 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -583,7 +583,7 @@ bool dev_pm_skip_resume(struct device *dev) + } + + /** +- * __device_resume_noirq - Execute a "noirq resume" callback for given device. ++ * device_resume_noirq - Execute a "noirq resume" callback for given device. + * @dev: Device to handle. + * @state: PM transition of the system being carried out. + * @async: If true, the device is being resumed asynchronously. +@@ -591,7 +591,7 @@ bool dev_pm_skip_resume(struct device *dev) + * The driver of @dev will not receive interrupts while this function is being + * executed. + */ +-static void __device_resume_noirq(struct device *dev, pm_message_t state, bool async) ++static void device_resume_noirq(struct device *dev, pm_message_t state, bool async) + { + pm_callback_t callback = NULL; + const char *info = NULL; +@@ -678,16 +678,22 @@ static bool dpm_async_fn(struct device *dev, async_func_t func) + { + reinit_completion(&dev->power.completion); + +- if (!is_async(dev)) +- return false; +- +- get_device(dev); ++ if (is_async(dev)) { ++ dev->power.async_in_progress = true; + +- if (async_schedule_dev_nocall(func, dev)) +- return true; ++ get_device(dev); + +- put_device(dev); ++ if (async_schedule_dev_nocall(func, dev)) ++ return true; + ++ put_device(dev); ++ } ++ /* ++ * Because async_schedule_dev_nocall() above has returned false or it ++ * has not been called at all, func() is not running and it is safe to ++ * update the async_in_progress flag without extra synchronization. ++ */ ++ dev->power.async_in_progress = false; + return false; + } + +@@ -695,18 +701,10 @@ static void async_resume_noirq(void *data, async_cookie_t cookie) + { + struct device *dev = data; + +- __device_resume_noirq(dev, pm_transition, true); ++ device_resume_noirq(dev, pm_transition, true); + put_device(dev); + } + +-static void device_resume_noirq(struct device *dev) +-{ +- if (dpm_async_fn(dev, async_resume_noirq)) +- return; +- +- __device_resume_noirq(dev, pm_transition, false); +-} +- + static void dpm_noirq_resume_devices(pm_message_t state) + { + struct device *dev; +@@ -716,18 +714,28 @@ static void dpm_noirq_resume_devices(pm_message_t state) + mutex_lock(&dpm_list_mtx); + pm_transition = state; + ++ /* ++ * Trigger the resume of "async" devices upfront so they don't have to ++ * wait for the "non-async" ones they don't depend on. ++ */ ++ list_for_each_entry(dev, &dpm_noirq_list, power.entry) ++ dpm_async_fn(dev, async_resume_noirq); ++ + while (!list_empty(&dpm_noirq_list)) { + dev = to_device(dpm_noirq_list.next); +- get_device(dev); + list_move_tail(&dev->power.entry, &dpm_late_early_list); + +- mutex_unlock(&dpm_list_mtx); ++ if (!dev->power.async_in_progress) { ++ get_device(dev); + +- device_resume_noirq(dev); ++ mutex_unlock(&dpm_list_mtx); + +- put_device(dev); ++ device_resume_noirq(dev, state, false); + +- mutex_lock(&dpm_list_mtx); ++ put_device(dev); ++ ++ mutex_lock(&dpm_list_mtx); ++ } + } + mutex_unlock(&dpm_list_mtx); + async_synchronize_full(); +@@ -753,14 +761,14 @@ void dpm_resume_noirq(pm_message_t state) + } + + /** +- * __device_resume_early - Execute an "early resume" callback for given device. ++ * device_resume_early - Execute an "early resume" callback for given device. + * @dev: Device to handle. + * @state: PM transition of the system being carried out. + * @async: If true, the device is being resumed asynchronously. + * + * Runtime PM is disabled for @dev while this function is being executed. + */ +-static void __device_resume_early(struct device *dev, pm_message_t state, bool async) ++static void device_resume_early(struct device *dev, pm_message_t state, bool async) + { + pm_callback_t callback = NULL; + const char *info = NULL; +@@ -826,18 +834,10 @@ static void async_resume_early(void *data, async_cookie_t cookie) + { + struct device *dev = data; + +- __device_resume_early(dev, pm_transition, true); ++ device_resume_early(dev, pm_transition, true); + put_device(dev); + } + +-static void device_resume_early(struct device *dev) +-{ +- if (dpm_async_fn(dev, async_resume_early)) +- return; +- +- __device_resume_early(dev, pm_transition, false); +-} +- + /** + * dpm_resume_early - Execute "early resume" callbacks for all devices. + * @state: PM transition of the system being carried out. +@@ -851,18 +851,28 @@ void dpm_resume_early(pm_message_t state) + mutex_lock(&dpm_list_mtx); + pm_transition = state; + ++ /* ++ * Trigger the resume of "async" devices upfront so they don't have to ++ * wait for the "non-async" ones they don't depend on. ++ */ ++ list_for_each_entry(dev, &dpm_late_early_list, power.entry) ++ dpm_async_fn(dev, async_resume_early); ++ + while (!list_empty(&dpm_late_early_list)) { + dev = to_device(dpm_late_early_list.next); +- get_device(dev); + list_move_tail(&dev->power.entry, &dpm_suspended_list); + +- mutex_unlock(&dpm_list_mtx); ++ if (!dev->power.async_in_progress) { ++ get_device(dev); + +- device_resume_early(dev); ++ mutex_unlock(&dpm_list_mtx); + +- put_device(dev); ++ device_resume_early(dev, state, false); + +- mutex_lock(&dpm_list_mtx); ++ put_device(dev); ++ ++ mutex_lock(&dpm_list_mtx); ++ } + } + mutex_unlock(&dpm_list_mtx); + async_synchronize_full(); +@@ -882,12 +892,12 @@ void dpm_resume_start(pm_message_t state) + EXPORT_SYMBOL_GPL(dpm_resume_start); + + /** +- * __device_resume - Execute "resume" callbacks for given device. ++ * device_resume - Execute "resume" callbacks for given device. + * @dev: Device to handle. + * @state: PM transition of the system being carried out. + * @async: If true, the device is being resumed asynchronously. + */ +-static void __device_resume(struct device *dev, pm_message_t state, bool async) ++static void device_resume(struct device *dev, pm_message_t state, bool async) + { + pm_callback_t callback = NULL; + const char *info = NULL; +@@ -981,18 +991,10 @@ static void async_resume(void *data, async_cookie_t cookie) + { + struct device *dev = data; + +- __device_resume(dev, pm_transition, true); ++ device_resume(dev, pm_transition, true); + put_device(dev); + } + +-static void device_resume(struct device *dev) +-{ +- if (dpm_async_fn(dev, async_resume)) +- return; +- +- __device_resume(dev, pm_transition, false); +-} +- + /** + * dpm_resume - Execute "resume" callbacks for non-sysdev devices. + * @state: PM transition of the system being carried out. +@@ -1012,16 +1014,25 @@ void dpm_resume(pm_message_t state) + pm_transition = state; + async_error = 0; + ++ /* ++ * Trigger the resume of "async" devices upfront so they don't have to ++ * wait for the "non-async" ones they don't depend on. ++ */ ++ list_for_each_entry(dev, &dpm_suspended_list, power.entry) ++ dpm_async_fn(dev, async_resume); ++ + while (!list_empty(&dpm_suspended_list)) { + dev = to_device(dpm_suspended_list.next); + + get_device(dev); + +- mutex_unlock(&dpm_list_mtx); ++ if (!dev->power.async_in_progress) { ++ mutex_unlock(&dpm_list_mtx); + +- device_resume(dev); ++ device_resume(dev, state, false); + +- mutex_lock(&dpm_list_mtx); ++ mutex_lock(&dpm_list_mtx); ++ } + + if (!list_empty(&dev->power.entry)) + list_move_tail(&dev->power.entry, &dpm_prepared_list); +diff --git a/include/linux/pm.h b/include/linux/pm.h +index 52d9724db9dc6..c27d1e4ca8ca9 100644 +--- a/include/linux/pm.h ++++ b/include/linux/pm.h +@@ -583,6 +583,7 @@ struct dev_pm_info { + bool wakeup_path:1; + bool syscore:1; + bool no_pm_callbacks:1; /* Owned by the PM core */ ++ bool async_in_progress:1; /* Owned by the PM core */ + unsigned int must_resume:1; /* Owned by the PM core */ + unsigned int may_skip_resume:1; /* Set by subsystems */ + #else +-- +2.39.5 + diff --git a/queue-5.10/pm-sleep-use-bool-for-all-1-bit-fields-in-struct-dev.patch b/queue-5.10/pm-sleep-use-bool-for-all-1-bit-fields-in-struct-dev.patch new file mode 100644 index 0000000000..1724e355e5 --- /dev/null +++ b/queue-5.10/pm-sleep-use-bool-for-all-1-bit-fields-in-struct-dev.patch @@ -0,0 +1,86 @@ +From 6eaa9e0ddeb12a1936d188b0b17c0cd1c1abbb2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 17:11:26 +0100 +Subject: PM: sleep: Use bool for all 1-bit fields in struct dev_pm_info + +From: Rafael J. Wysocki + +[ Upstream commit b017500ab53c06441ff7d3a681484e37039b4f57 ] + +For some 1-bit fields in struct dev_pm_info the data type is bool, while +for some other 1-bit fields in there it is unsigned int, and these +differences are somewhat arbitrary. + +For consistency, change the data type of the latter to bool, so that all +of the 1-bit fields in struct dev_pm_info fields are bool. + +No intentional functional impact. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Greg Kroah-Hartman +Stable-dep-of: 3775fc538f53 ("PM: sleep: core: Synchronize runtime PM status of parents and children") +Signed-off-by: Sasha Levin +--- + include/linux/pm.h | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/include/linux/pm.h b/include/linux/pm.h +index c27d1e4ca8ca9..04ba61ac1a8d6 100644 +--- a/include/linux/pm.h ++++ b/include/linux/pm.h +@@ -564,8 +564,8 @@ struct pm_subsys_data { + + struct dev_pm_info { + pm_message_t power_state; +- unsigned int can_wakeup:1; +- unsigned int async_suspend:1; ++ bool can_wakeup:1; ++ bool async_suspend:1; + bool in_dpm_list:1; /* Owned by the PM core */ + bool is_prepared:1; /* Owned by the PM core */ + bool is_suspended:1; /* Ditto */ +@@ -584,10 +584,10 @@ struct dev_pm_info { + bool syscore:1; + bool no_pm_callbacks:1; /* Owned by the PM core */ + bool async_in_progress:1; /* Owned by the PM core */ +- unsigned int must_resume:1; /* Owned by the PM core */ +- unsigned int may_skip_resume:1; /* Set by subsystems */ ++ bool must_resume:1; /* Owned by the PM core */ ++ bool may_skip_resume:1; /* Set by subsystems */ + #else +- unsigned int should_wakeup:1; ++ bool should_wakeup:1; + #endif + #ifdef CONFIG_PM + struct hrtimer suspend_timer; +@@ -598,17 +598,17 @@ struct dev_pm_info { + atomic_t usage_count; + atomic_t child_count; + unsigned int disable_depth:3; +- unsigned int idle_notification:1; +- unsigned int request_pending:1; +- unsigned int deferred_resume:1; +- unsigned int needs_force_resume:1; +- unsigned int runtime_auto:1; ++ bool idle_notification:1; ++ bool request_pending:1; ++ bool deferred_resume:1; ++ bool needs_force_resume:1; ++ bool runtime_auto:1; + bool ignore_children:1; +- unsigned int no_callbacks:1; +- unsigned int irq_safe:1; +- unsigned int use_autosuspend:1; +- unsigned int timer_autosuspends:1; +- unsigned int memalloc_noio:1; ++ bool no_callbacks:1; ++ bool irq_safe:1; ++ bool use_autosuspend:1; ++ bool timer_autosuspends:1; ++ bool memalloc_noio:1; + unsigned int links_count; + enum rpm_request request; + enum rpm_status runtime_status; +-- +2.39.5 + diff --git a/queue-5.10/pwm-stm32-add-check-for-clk_enable.patch b/queue-5.10/pwm-stm32-add-check-for-clk_enable.patch new file mode 100644 index 0000000000..433b4375b7 --- /dev/null +++ b/queue-5.10/pwm-stm32-add-check-for-clk_enable.patch @@ -0,0 +1,46 @@ +From 455a1be83ff738d4e788ceb5bb15c08619d37dac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Dec 2024 17:47:52 -0500 +Subject: pwm: stm32: Add check for clk_enable() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mingwei Zheng + +[ Upstream commit e8c59791ebb60790c74b2c3ab520f04a8a57219a ] + +Add check for the return value of clk_enable() to catch the potential +error. + +Fixes: 19f1016ea960 ("pwm: stm32: Fix enable count for clk in .probe()") +Signed-off-by: Mingwei Zheng +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20241215224752.220318-1-zmw12306@gmail.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-stm32.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c +index 7146b3f6755bc..2ca2855255be1 100644 +--- a/drivers/pwm/pwm-stm32.c ++++ b/drivers/pwm/pwm-stm32.c +@@ -634,8 +634,11 @@ static int stm32_pwm_probe(struct platform_device *pdev) + priv->chip.npwm = stm32_pwm_detect_channels(priv, &num_enabled); + + /* Initialize clock refcount to number of enabled PWM channels. */ +- for (i = 0; i < num_enabled; i++) +- clk_enable(priv->clk); ++ for (i = 0; i < num_enabled; i++) { ++ ret = clk_enable(priv->clk); ++ if (ret) ++ return ret; ++ } + + ret = pwmchip_add(&priv->chip); + if (ret < 0) +-- +2.39.5 + diff --git a/queue-5.10/pwm-stm32-lp-add-check-for-clk_enable.patch b/queue-5.10/pwm-stm32-lp-add-check-for-clk_enable.patch new file mode 100644 index 0000000000..86189f6a4f --- /dev/null +++ b/queue-5.10/pwm-stm32-lp-add-check-for-clk_enable.patch @@ -0,0 +1,48 @@ +From f90fc366b8a06acbffd51cb01af83bee75f60747 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 16:53:18 -0500 +Subject: pwm: stm32-lp: Add check for clk_enable() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mingwei Zheng + +[ Upstream commit cce16e7f6216227964cda25f5f23634bce2c500f ] + +Add check for the return value of clk_enable() to catch the potential +error. +We used APP-Miner to find it. + +Fixes: e70a540b4e02 ("pwm: Add STM32 LPTimer PWM driver") +Signed-off-by: Mingwei Zheng +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20241206215318.3402860-1-zmw12306@gmail.com +Signed-off-by: Uwe Kleine-König +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-stm32-lp.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/pwm/pwm-stm32-lp.c b/drivers/pwm/pwm-stm32-lp.c +index c8a847fcb775b..6c77499c27211 100644 +--- a/drivers/pwm/pwm-stm32-lp.c ++++ b/drivers/pwm/pwm-stm32-lp.c +@@ -169,8 +169,12 @@ static void stm32_pwm_lp_get_state(struct pwm_chip *chip, + regmap_read(priv->regmap, STM32_LPTIM_CR, &val); + state->enabled = !!FIELD_GET(STM32_LPTIM_ENABLE, val); + /* Keep PWM counter clock refcount in sync with PWM initial state */ +- if (state->enabled) +- clk_enable(priv->clk); ++ if (state->enabled) { ++ int ret = clk_enable(priv->clk); ++ ++ if (ret) ++ return ret; ++ } + + regmap_read(priv->regmap, STM32_LPTIM_CFGR, &val); + presc = FIELD_GET(STM32_LPTIM_PRESC, val); +-- +2.39.5 + diff --git a/queue-5.10/rdma-cxgb4-prevent-potential-integer-overflow-on-32b.patch b/queue-5.10/rdma-cxgb4-prevent-potential-integer-overflow-on-32b.patch new file mode 100644 index 0000000000..43c059d1d3 --- /dev/null +++ b/queue-5.10/rdma-cxgb4-prevent-potential-integer-overflow-on-32b.patch @@ -0,0 +1,43 @@ +From df45899a5e30e7634c34c73d2107cbd00abda35d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Nov 2024 13:01:37 +0300 +Subject: rdma/cxgb4: Prevent potential integer overflow on 32bit + +From: Dan Carpenter + +[ Upstream commit bd96a3935e89486304461a21752f824fc25e0f0b ] + +The "gl->tot_len" variable is controlled by the user. It comes from +process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct +cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an +integer wrapping bug. Use size_add() to prevent this. + +Fixes: 1cab775c3e75 ("RDMA/cxgb4: Fix LE hash collision bug for passive open connection") +Link: https://patch.msgid.link/r/86b404e1-4a75-4a35-a34e-e3054fa554c7@stanley.mountain +Signed-off-by: Dan Carpenter +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/device.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/cxgb4/device.c b/drivers/infiniband/hw/cxgb4/device.c +index 541dbcf22d0eb..13e4b2c40d835 100644 +--- a/drivers/infiniband/hw/cxgb4/device.c ++++ b/drivers/infiniband/hw/cxgb4/device.c +@@ -1114,8 +1114,10 @@ static inline struct sk_buff *copy_gl_to_skb_pkt(const struct pkt_gl *gl, + * The math here assumes sizeof cpl_pass_accept_req >= sizeof + * cpl_rx_pkt. + */ +- skb = alloc_skb(gl->tot_len + sizeof(struct cpl_pass_accept_req) + +- sizeof(struct rss_header) - pktshift, GFP_ATOMIC); ++ skb = alloc_skb(size_add(gl->tot_len, ++ sizeof(struct cpl_pass_accept_req) + ++ sizeof(struct rss_header)) - pktshift, ++ GFP_ATOMIC); + if (unlikely(!skb)) + return NULL; + +-- +2.39.5 + diff --git a/queue-5.10/rdma-mlx4-avoid-false-error-about-access-to-uninitia.patch b/queue-5.10/rdma-mlx4-avoid-false-error-about-access-to-uninitia.patch new file mode 100644 index 0000000000..08ed96b636 --- /dev/null +++ b/queue-5.10/rdma-mlx4-avoid-false-error-about-access-to-uninitia.patch @@ -0,0 +1,45 @@ +From 7702cc153d3acb2002a8c4b541bc04d9c905fea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2024 15:44:25 +0200 +Subject: RDMA/mlx4: Avoid false error about access to uninitialized gids array + +From: Leon Romanovsky + +[ Upstream commit 1f53d88cbb0dcc7df235bf6611ae632b254fccd8 ] + +Smatch generates the following false error report: +drivers/infiniband/hw/mlx4/main.c:393 mlx4_ib_del_gid() error: uninitialized symbol 'gids'. + +Traditionally, we are not changing kernel code and asking people to fix +the tools. However in this case, the fix can be done by simply rearranging +the code to be more clear. + +Fixes: e26be1bfef81 ("IB/mlx4: Implement ib_device callbacks") +Link: https://patch.msgid.link/6a3a1577463da16962463fcf62883a87506e9b62.1733233426.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c +index c62cdd6456962..0c49f3f5e6247 100644 +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -391,10 +391,10 @@ static int mlx4_ib_del_gid(const struct ib_gid_attr *attr, void **context) + } + spin_unlock_bh(&iboe->lock); + +- if (!ret && hw_update) { ++ if (gids) + ret = mlx4_ib_update_gids(gids, ibdev, attr->port_num); +- kfree(gids); +- } ++ ++ kfree(gids); + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.10/regulator-of-implement-the-unwind-path-of-of_regulat.patch b/queue-5.10/regulator-of-implement-the-unwind-path-of-of_regulat.patch new file mode 100644 index 0000000000..ef3aedf01f --- /dev/null +++ b/queue-5.10/regulator-of-implement-the-unwind-path-of-of_regulat.patch @@ -0,0 +1,66 @@ +From e93b7637a341d6e3bba9c2d67658c6571241cbd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jan 2025 17:04:53 +0900 +Subject: regulator: of: Implement the unwind path of of_regulator_match() + +From: Joe Hattori + +[ Upstream commit dddca3b2fc676113c58b04aaefe84bfb958ac83e ] + +of_regulator_match() does not release the OF node reference in the error +path, resulting in an OF node leak. Therefore, call of_node_put() on the +obtained nodes before returning the EINVAL error. + +Since it is possible that some drivers call this function and do not +exit on failure, such as s2mps11_pmic_driver, clear the init_data and +of_node in the error path. + +This was reported by an experimental verification tool that I am +developing. As I do not have access to actual devices nor the QEMU board +configuration to test drivers that call this function, no runtime test +was able to be performed. + +Fixes: 1c8fa58f4750 ("regulator: Add generic DT parsing for regulators") +Signed-off-by: Joe Hattori +Link: https://patch.msgid.link/20250104080453.2153592-1-joe@pf.is.s.u-tokyo.ac.jp +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/of_regulator.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c +index 5d844697c7b68..d1e69470137cf 100644 +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -377,7 +377,7 @@ int of_regulator_match(struct device *dev, struct device_node *node, + "failed to parse DT for regulator %pOFn\n", + child); + of_node_put(child); +- return -EINVAL; ++ goto err_put; + } + match->of_node = of_node_get(child); + count++; +@@ -386,6 +386,18 @@ int of_regulator_match(struct device *dev, struct device_node *node, + } + + return count; ++ ++err_put: ++ for (i = 0; i < num_matches; i++) { ++ struct of_regulator_match *match = &matches[i]; ++ ++ match->init_data = NULL; ++ if (match->of_node) { ++ of_node_put(match->of_node); ++ match->of_node = NULL; ++ } ++ } ++ return -EINVAL; + } + EXPORT_SYMBOL_GPL(of_regulator_match); + +-- +2.39.5 + diff --git a/queue-5.10/rtc-pcf85063-fix-potential-oob-write-in-pcf85063-nvm.patch b/queue-5.10/rtc-pcf85063-fix-potential-oob-write-in-pcf85063-nvm.patch new file mode 100644 index 0000000000..c976b9b409 --- /dev/null +++ b/queue-5.10/rtc-pcf85063-fix-potential-oob-write-in-pcf85063-nvm.patch @@ -0,0 +1,51 @@ +From bde7c944d212055d666c6c52f6684bb7587298f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 20:34:58 +0100 +Subject: rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read + +From: Oleksij Rempel + +[ Upstream commit 3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c ] + +The nvmem interface supports variable buffer sizes, while the regmap +interface operates with fixed-size storage. If an nvmem client uses a +buffer size less than 4 bytes, regmap_read will write out of bounds +as it expects the buffer to point at an unsigned int. + +Fix this by using an intermediary unsigned int to hold the value. + +Fixes: fadfd092ee91 ("rtc: pcf85063: add nvram support") +Signed-off-by: Oleksij Rempel +Signed-off-by: Ahmad Fatoum +Link: https://lore.kernel.org/r/20241218-rtc-pcf85063-stack-corruption-v1-1-12fd0ee0f046@pengutronix.de +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf85063.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c +index 449204d84c61d..dd3336cbb7921 100644 +--- a/drivers/rtc/rtc-pcf85063.c ++++ b/drivers/rtc/rtc-pcf85063.c +@@ -328,7 +328,16 @@ static const struct rtc_class_ops pcf85063_rtc_ops_alarm = { + static int pcf85063_nvmem_read(void *priv, unsigned int offset, + void *val, size_t bytes) + { +- return regmap_read(priv, PCF85063_REG_RAM, val); ++ unsigned int tmp; ++ int ret; ++ ++ ret = regmap_read(priv, PCF85063_REG_RAM, &tmp); ++ if (ret < 0) ++ return ret; ++ ++ *(u8 *)val = tmp; ++ ++ return 0; + } + + static int pcf85063_nvmem_write(void *priv, unsigned int offset, +-- +2.39.5 + diff --git a/queue-5.10/rtlwifi-remove-redundant-assignment-to-variable-err.patch b/queue-5.10/rtlwifi-remove-redundant-assignment-to-variable-err.patch new file mode 100644 index 0000000000..d40933eeac --- /dev/null +++ b/queue-5.10/rtlwifi-remove-redundant-assignment-to-variable-err.patch @@ -0,0 +1,39 @@ +From aa3b4edf2e0f30264fdf14dcba225e615093f59e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Mar 2021 23:00:14 +0000 +Subject: rtlwifi: remove redundant assignment to variable err + +From: Colin Ian King + +[ Upstream commit 87431bc1f0f67aa2d23ca1b9682fe54f68549d42 ] + +Variable err is assigned -ENODEV followed by an error return path +via label error_out that does not access the variable and returns +with the -ENODEV error return code. The assignment to err is +redundant and can be removed. + +Addresses-Coverity: ("Unused value") +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210327230014.25554-1-colin.king@canonical.com +Stable-dep-of: b4b26642b31e ("wifi: rtlwifi: wait for firmware loading before releasing memory") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 7e4655de30237..add6da1ce3602 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1072,7 +1072,6 @@ int rtl_usb_probe(struct usb_interface *intf, + err = ieee80211_register_hw(hw); + if (err) { + pr_err("Can't register mac80211 hw.\n"); +- err = -ENODEV; + goto error_out; + } + rtlpriv->mac80211.mac80211_registered = 1; +-- +2.39.5 + diff --git a/queue-5.10/rtlwifi-replace-usage-of-found-with-dedicated-list-i.patch b/queue-5.10/rtlwifi-replace-usage-of-found-with-dedicated-list-i.patch new file mode 100644 index 0000000000..f9fb3fb74a --- /dev/null +++ b/queue-5.10/rtlwifi-replace-usage-of-found-with-dedicated-list-i.patch @@ -0,0 +1,119 @@ +From 20605d6f26ad64cbae1084b1c1a8e3fea9b9c364 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 08:21:24 +0100 +Subject: rtlwifi: replace usage of found with dedicated list iterator variable + +From: Jakob Koschel + +[ Upstream commit a0ff2a87194a968b9547fd4d824a09092171d1ea ] + +To move the list iterator variable into the list_for_each_entry_*() +macro in the future it should be avoided to use the list iterator +variable after the loop body. + +To *never* use the list iterator variable after the loop it was +concluded to use a separate iterator variable instead of a +found boolean [1]. + +This removes the need to use a found variable and simply checking if +the variable was set, can determine if the break/goto was hit. + +Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ +Signed-off-by: Jakob Koschel +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220324072124.62458-1-jakobkoschel@gmail.com +Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 13 ++++++------- + drivers/net/wireless/realtek/rtlwifi/pci.c | 15 +++++++-------- + 2 files changed, 13 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c +index 1866f6c2acab1..7ec876c6c663e 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -1995,8 +1995,7 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb) + struct rtl_mac *mac = rtl_mac(rtl_priv(hw)); + unsigned long flags; + +- struct rtl_bssid_entry *entry; +- bool entry_found = false; ++ struct rtl_bssid_entry *entry = NULL, *iter; + + /* check if it is scanning */ + if (!mac->act_scanning) +@@ -2009,10 +2008,10 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb) + + spin_lock_irqsave(&rtlpriv->locks.scan_list_lock, flags); + +- list_for_each_entry(entry, &rtlpriv->scan_list.list, list) { +- if (memcmp(entry->bssid, hdr->addr3, ETH_ALEN) == 0) { +- list_del_init(&entry->list); +- entry_found = true; ++ list_for_each_entry(iter, &rtlpriv->scan_list.list, list) { ++ if (memcmp(iter->bssid, hdr->addr3, ETH_ALEN) == 0) { ++ list_del_init(&iter->list); ++ entry = iter; + rtl_dbg(rtlpriv, COMP_SCAN, DBG_LOUD, + "Update BSSID=%pM to scan list (total=%d)\n", + hdr->addr3, rtlpriv->scan_list.num); +@@ -2020,7 +2019,7 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb) + } + } + +- if (!entry_found) { ++ if (!entry) { + entry = kmalloc(sizeof(*entry), GFP_ATOMIC); + + if (!entry) +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 70f1cc906502b..f17a365fba070 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -300,14 +300,13 @@ static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw, + { + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_pci_priv *pcipriv = rtl_pcipriv(hw); +- bool find_buddy_priv = false; +- struct rtl_priv *tpriv; ++ struct rtl_priv *tpriv = NULL, *iter; + struct rtl_pci_priv *tpcipriv = NULL; + + if (!list_empty(&rtlpriv->glb_var->glb_priv_list)) { +- list_for_each_entry(tpriv, &rtlpriv->glb_var->glb_priv_list, ++ list_for_each_entry(iter, &rtlpriv->glb_var->glb_priv_list, + list) { +- tpcipriv = (struct rtl_pci_priv *)tpriv->priv; ++ tpcipriv = (struct rtl_pci_priv *)iter->priv; + rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD, + "pcipriv->ndis_adapter.funcnumber %x\n", + pcipriv->ndis_adapter.funcnumber); +@@ -321,19 +320,19 @@ static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw, + tpcipriv->ndis_adapter.devnumber && + pcipriv->ndis_adapter.funcnumber != + tpcipriv->ndis_adapter.funcnumber) { +- find_buddy_priv = true; ++ tpriv = iter; + break; + } + } + } + + rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD, +- "find_buddy_priv %d\n", find_buddy_priv); ++ "find_buddy_priv %d\n", tpriv != NULL); + +- if (find_buddy_priv) ++ if (tpriv) + *buddy_priv = tpriv; + +- return find_buddy_priv; ++ return tpriv != NULL; + } + + static void rtl_pci_parse_configuration(struct pci_dev *pdev, +-- +2.39.5 + diff --git a/queue-5.10/scsi-mpt3sas-set-ioc-manu_pg11.eedptagmode-directly-.patch b/queue-5.10/scsi-mpt3sas-set-ioc-manu_pg11.eedptagmode-directly-.patch new file mode 100644 index 0000000000..3d8cc679af --- /dev/null +++ b/queue-5.10/scsi-mpt3sas-set-ioc-manu_pg11.eedptagmode-directly-.patch @@ -0,0 +1,46 @@ +From e515841737e9d7cc3cc4013579052803f2804d12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Dec 2024 23:18:12 +0100 +Subject: scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1 + +From: Paul Menzel + +[ Upstream commit ad7c3c0cb8f61d6d5a48b83e62ca4a9fd2f26153 ] + +Currently, the code does: + + if (x == 0) { + x &= ~0x3; + x |= 0x1; + } + +Zeroing bits 0 and 1 of a variable that is 0 is not necessary. So directly +set the variable to 1. + +Cc: Sreekanth Reddy +Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS") +Signed-off-by: Paul Menzel +Link: https://lore.kernel.org/r/20241212221817.78940-2-pmenzel@molgen.mpg.de +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_base.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c +index 768635de93da9..78b178aa46e94 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_base.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c +@@ -4771,8 +4771,7 @@ _base_static_config_pages(struct MPT3SAS_ADAPTER *ioc) + if (!ioc->is_gen35_ioc && ioc->manu_pg11.EEDPTagMode == 0) { + pr_err("%s: overriding NVDATA EEDPTagMode setting\n", + ioc->name); +- ioc->manu_pg11.EEDPTagMode &= ~0x3; +- ioc->manu_pg11.EEDPTagMode |= 0x1; ++ ioc->manu_pg11.EEDPTagMode = 0x1; + mpt3sas_config_set_manufacturing_pg11(ioc, &mpi_reply, + &ioc->manu_pg11); + } +-- +2.39.5 + diff --git a/queue-5.10/scsi-ufs-bsg-delete-bsg_dev-when-setting-up-bsg-fail.patch b/queue-5.10/scsi-ufs-bsg-delete-bsg_dev-when-setting-up-bsg-fail.patch new file mode 100644 index 0000000000..50c891be95 --- /dev/null +++ b/queue-5.10/scsi-ufs-bsg-delete-bsg_dev-when-setting-up-bsg-fail.patch @@ -0,0 +1,37 @@ +From 930a1b5b957318c09f0234f6ac4ecb53244c890a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 09:42:13 +0800 +Subject: scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails + +From: Guixin Liu + +[ Upstream commit fcf247deb3c3e1c6be5774e3fa03bbd018eff1a9 ] + +We should remove the bsg device when bsg_setup_queue() fails to release the +resources. + +Fixes: df032bf27a41 ("scsi: ufs: Add a bsg endpoint that supports UPIUs") +Signed-off-by: Guixin Liu +Link: https://lore.kernel.org/r/20241218014214.64533-2-kanie@linux.alibaba.com +Reviewed-by: Avri Altman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufs_bsg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ufs/ufs_bsg.c b/drivers/scsi/ufs/ufs_bsg.c +index 5b2bc1a6f9226..05c7347eda188 100644 +--- a/drivers/scsi/ufs/ufs_bsg.c ++++ b/drivers/scsi/ufs/ufs_bsg.c +@@ -213,6 +213,7 @@ int ufs_bsg_probe(struct ufs_hba *hba) + q = bsg_setup_queue(bsg_dev, dev_name(bsg_dev), ufs_bsg_request, NULL, 0); + if (IS_ERR(q)) { + ret = PTR_ERR(q); ++ device_del(bsg_dev); + goto out; + } + +-- +2.39.5 + diff --git a/queue-5.10/select-fix-unbalanced-user_access_end.patch b/queue-5.10/select-fix-unbalanced-user_access_end.patch new file mode 100644 index 0000000000..c5c656b573 --- /dev/null +++ b/queue-5.10/select-fix-unbalanced-user_access_end.patch @@ -0,0 +1,56 @@ +From 668db8475eb987b5380ee8b422fb101f9ec0338d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 09:37:24 +0100 +Subject: select: Fix unbalanced user_access_end() + +From: Christophe Leroy + +[ Upstream commit 344af27715ddbf357cf76978d674428b88f8e92d ] + +While working on implementing user access validation on powerpc +I got the following warnings on a pmac32_defconfig build: + + CC fs/select.o + fs/select.o: warning: objtool: sys_pselect6+0x1bc: redundant UACCESS disable + fs/select.o: warning: objtool: sys_pselect6_time32+0x1bc: redundant UACCESS disable + +On powerpc/32s, user_read_access_begin/end() are no-ops, but the +failure path has a user_access_end() instead of user_read_access_end() +which means an access end without any prior access begin. + +Replace that user_access_end() by user_read_access_end(). + +Fixes: 7e71609f64ec ("pselect6() and friends: take handling the combined 6th/7th args into helper") +Signed-off-by: Christophe Leroy +Link: https://lore.kernel.org/r/a7139e28d767a13e667ee3c79599a8047222ef36.1736751221.git.christophe.leroy@csgroup.eu +Signed-off-by: Christian Brauner +Signed-off-by: Sasha Levin +--- + fs/select.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/select.c b/fs/select.c +index 668a5200503ae..7ce67428582e6 100644 +--- a/fs/select.c ++++ b/fs/select.c +@@ -787,7 +787,7 @@ static inline int get_sigset_argpack(struct sigset_argpack *to, + } + return 0; + Efault: +- user_access_end(); ++ user_read_access_end(); + return -EFAULT; + } + +@@ -1360,7 +1360,7 @@ static inline int get_compat_sigset_argpack(struct compat_sigset_argpack *to, + } + return 0; + Efault: +- user_access_end(); ++ user_read_access_end(); + return -EFAULT; + } + +-- +2.39.5 + diff --git a/queue-5.10/selftests-harness-fix-printing-of-mismatch-values-in.patch b/queue-5.10/selftests-harness-fix-printing-of-mismatch-values-in.patch new file mode 100644 index 0000000000..7577baed6c --- /dev/null +++ b/queue-5.10/selftests-harness-fix-printing-of-mismatch-values-in.patch @@ -0,0 +1,83 @@ +From 6b90497f1f071a52a5a5b00a62fd2c38eef46192 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jan 2025 19:07:57 +0200 +Subject: selftests: harness: fix printing of mismatch values in __EXPECT() + +From: Dmitry V. Levin + +[ Upstream commit 02bc220dc6dc7c56edc4859bc5dd2c08b95d5fb5 ] + +intptr_t and uintptr_t are not big enough types on 32-bit architectures +when printing 64-bit values, resulting to the following incorrect +diagnostic output: + + # get_syscall_info.c:209:get_syscall_info:Expected exp_args[2] (3134324433) == info.entry.args[1] (3134324433) + +Replace intptr_t and uintptr_t with intmax_t and uintmax_t, respectively. +With this fix, the same test produces more usable diagnostic output: + + # get_syscall_info.c:209:get_syscall_info:Expected exp_args[2] (3134324433) == info.entry.args[1] (18446744072548908753) + +Link: https://lore.kernel.org/r/20250108170757.GA6723@strace.io +Fixes: b5bb6d3068ea ("selftests/seccomp: fix 32-bit build warnings") +Signed-off-by: Dmitry V. Levin +Reviewed-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kselftest_harness.h | 24 ++++++++++----------- + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h +index 2fadc99d93619..8baf4789d9372 100644 +--- a/tools/testing/selftests/kselftest_harness.h ++++ b/tools/testing/selftests/kselftest_harness.h +@@ -695,33 +695,33 @@ + /* Report with actual signedness to avoid weird output. */ \ + switch (is_signed_type(__exp) * 2 + is_signed_type(__seen)) { \ + case 0: { \ +- unsigned long long __exp_print = (uintptr_t)__exp; \ +- unsigned long long __seen_print = (uintptr_t)__seen; \ +- __TH_LOG("Expected %s (%llu) %s %s (%llu)", \ ++ uintmax_t __exp_print = (uintmax_t)__exp; \ ++ uintmax_t __seen_print = (uintmax_t)__seen; \ ++ __TH_LOG("Expected %s (%ju) %s %s (%ju)", \ + _expected_str, __exp_print, #_t, \ + _seen_str, __seen_print); \ + break; \ + } \ + case 1: { \ +- unsigned long long __exp_print = (uintptr_t)__exp; \ +- long long __seen_print = (intptr_t)__seen; \ +- __TH_LOG("Expected %s (%llu) %s %s (%lld)", \ ++ uintmax_t __exp_print = (uintmax_t)__exp; \ ++ intmax_t __seen_print = (intmax_t)__seen; \ ++ __TH_LOG("Expected %s (%ju) %s %s (%jd)", \ + _expected_str, __exp_print, #_t, \ + _seen_str, __seen_print); \ + break; \ + } \ + case 2: { \ +- long long __exp_print = (intptr_t)__exp; \ +- unsigned long long __seen_print = (uintptr_t)__seen; \ +- __TH_LOG("Expected %s (%lld) %s %s (%llu)", \ ++ intmax_t __exp_print = (intmax_t)__exp; \ ++ uintmax_t __seen_print = (uintmax_t)__seen; \ ++ __TH_LOG("Expected %s (%jd) %s %s (%ju)", \ + _expected_str, __exp_print, #_t, \ + _seen_str, __seen_print); \ + break; \ + } \ + case 3: { \ +- long long __exp_print = (intptr_t)__exp; \ +- long long __seen_print = (intptr_t)__seen; \ +- __TH_LOG("Expected %s (%lld) %s %s (%lld)", \ ++ intmax_t __exp_print = (intmax_t)__exp; \ ++ intmax_t __seen_print = (intmax_t)__seen; \ ++ __TH_LOG("Expected %s (%jd) %s %s (%jd)", \ + _expected_str, __exp_print, #_t, \ + _seen_str, __seen_print); \ + break; \ +-- +2.39.5 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 0000000000..afe9e2a7e2 --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,126 @@ +afs-fix-eexist-error-returned-from-afs_rmdir-to-be-e.patch +afs-fix-directory-format-encoding-struct.patch +nbd-don-t-allow-reconnect-after-disconnect.patch +nvme-add-error-check-for-xa_store-in-nvme_get_effect.patch +partitions-ldm-remove-the-initial-kernel-doc-notatio.patch +select-fix-unbalanced-user_access_end.patch +afs-fix-the-fallback-handling-for-the-yfs.removefile.patch +drm-etnaviv-fix-page-property-being-used-for-non-wri.patch +drm-amdgpu-fix-potential-null-pointer-dereference-in.patch +genirq-make-handle_enforce_irqctx-unconditionally-av.patch +ipmi-ipmb-add-check-devm_kasprintf-returned-value.patch +wifi-rtlwifi-do-not-complete-firmware-loading-needle.patch +wifi-rtlwifi-rtl8192se-rise-completion-of-firmware-l.patch +rtlwifi-remove-redundant-assignment-to-variable-err.patch +wifi-rtlwifi-wait-for-firmware-loading-before-releas.patch +wifi-rtlwifi-fix-init_sw_vars-leak-when-probe-fails.patch +wifi-rtlwifi-usb-fix-workqueue-leak-when-probe-fails.patch +spi-zynq-qspi-add-check-for-clk_enable.patch +dt-bindings-mmc-controller-clarify-the-address-cells.patch +rtlwifi-replace-usage-of-found-with-dedicated-list-i.patch +wifi-rtlwifi-remove-unused-timer-and-related-code.patch +wifi-rtlwifi-remove-unused-dualmac-control-leftovers.patch +wifi-rtlwifi-remove-unused-check_buddy_priv.patch +wifi-rtlwifi-destroy-workqueue-at-rtl_deinit_core.patch +wifi-rtlwifi-fix-memory-leaks-and-invalid-access-at-.patch +wifi-rtlwifi-pci-wait-for-firmware-loading-before-re.patch +acpi-fan-cleanup-resources-in-the-error-path-of-.pro.patch +cpupower-fix-tsc-mhz-calculation.patch +leds-netxbig-fix-an-of-node-reference-leak-in-netxbi.patch +pwm-stm32-lp-add-check-for-clk_enable.patch +cpufreq-schedutil-simplify-sugov_update_next_freq.patch +cpufreq-schedutil-fix-superfluous-updates-caused-by-.patch +udp-deal-with-race-between-udp-socket-address-change.patch +clk-imx8mp-fix-clkout1-2-support.patch +team-prevent-adding-a-device-which-is-already-a-team.patch +regulator-of-implement-the-unwind-path-of-of_regulat.patch +wifi-wlcore-fix-unbalanced-pm_runtime-calls.patch +net-smc-fix-data-error-when-recvmsg-with-msg_peek-fl.patch +wifi-mt76-mt76u_vendor_request-do-not-print-error-me.patch +cpufreq-acpi-fix-max-frequency-computation.patch +selftests-harness-fix-printing-of-mismatch-values-in.patch +wifi-cfg80211-handle-specific-bssid-in-6ghz-scanning.patch +wifi-cfg80211-adjust-allocation-of-colocated-ap-data.patch +clk-analogbits-fix-incorrect-calculation-of-vco-rate.patch +pwm-stm32-add-check-for-clk_enable.patch +net-let-net.core.dev_weight-always-be-non-zero.patch +net-mlxfw-drop-hard-coded-max-fw-flash-image-size.patch +net-sched-disallow-replacing-of-child-qdisc-from-one.patch +net-ethernet-ti-am65-cpsw-fix-freeing-irq-in-am65_cp.patch +net-rose-prevent-integer-overflows-in-rose_setsockop.patch +tools-testing-selftests-bpf-test_tc_tunnel.sh-fix-wa.patch +asoc-sun4i-spdif-add-clock-multiplier-settings.patch +perf-header-fix-one-memory-leakage-in-process_bpf_bt.patch +perf-header-fix-one-memory-leakage-in-process_bpf_pr.patch +perf-env-conditionally-compile-bpf-support-code-on-h.patch +perf-bpf-fix-two-memory-leakages-when-calling-perf_e.patch +ktest.pl-remove-unused-declarations-in-run_bisect_te.patch +padata-fix-sysfs-store-callback-check.patch +perf-top-don-t-complain-about-lack-of-vmlinux-when-n.patch +perf-machine-include-data-symbols-in-the-kernel-map.patch +perf-machine-don-t-ignore-_etext-when-not-a-text-sym.patch +perf-report-fix-misleading-help-message-about-demang.patch +bpf-send-signals-asynchronously-if-preemptible.patch +padata-fix-uaf-in-padata_reorder.patch +padata-add-pd-get-put-refcnt-helper.patch +padata-avoid-uaf-for-reorder_work.patch +soc-atmel-fix-device_node-release-in-atmel_soc_devic.patch +arm64-dts-mediatek-mt8516-fix-gicv2-range.patch +arm64-dts-mediatek-mt8516-fix-wdt-irq-type.patch +arm64-dts-mediatek-mt8516-remove-2-invalid-i2c-clock.patch +arm64-dts-mediatek-mt8516-add-i2c-clock-div-property.patch +arm64-dts-mediatek-mt8516-reserve-192-kib-for-tf-a.patch +rdma-mlx4-avoid-false-error-about-access-to-uninitia.patch +rdma-cxgb4-prevent-potential-integer-overflow-on-32b.patch +arm64-dts-mediatek-mt8173-evb-drop-regulator-compati.patch +arm64-dts-mediatek-mt8173-elm-drop-regulator-compati.patch +arm64-dts-mediatek-mt8173-elm-fix-mt6397-pmic-sub-no.patch +arm64-dts-mediatek-mt8173-evb-fix-mt6397-pmic-sub-no.patch +arm64-dts-qcom-msm8916-correct-sleep-clock-frequency.patch +arm64-dts-qcom-msm8994-correct-sleep-clock-frequency.patch +arm64-dts-qcom-sm8250-correct-sleep-clock-frequency.patch +arm-dts-mediatek-mt7623-fix-ir-nodename.patch +fbdev-omapfb-fix-an-of-node-leak-in-dss_of_port_get_.patch +media-rc-iguanair-handle-timeouts.patch +media-lmedm04-use-gfp_kernel-for-urb-allocation-subm.patch +media-lmedm04-handle-errors-for-lme2510_int_read.patch +pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch +media-marvell-add-check-for-clk_enable.patch +media-mipi-csis-add-check-for-clk_enable.patch +media-camif-core-add-check-for-clk_enable.patch +media-uvcvideo-propagate-buf-error-to-userspace.patch +driver-core-platform-reorder-functions.patch +driver-core-platform-change-logic-implementing-platf.patch +driver-core-platform-use-bus_type-functions.patch +driver-core-platform-emit-a-warning-if-a-remove-call.patch +mtd-hyperbus-make-hyperbus_unregister_device-return-.patch +platform-provide-a-remove-callback-that-returns-no-v.patch +mtd-hyperbus-hbmc-am654-convert-to-platform-remove-c.patch +mtd-hyperbus-hbmc-am654-fix-an-of-node-reference-lea.patch +staging-media-imx-fix-of-node-leak-in-imx_media_add_.patch +pci-rcar-ep-fix-incorrect-variable-used-when-calling.patch +scsi-mpt3sas-set-ioc-manu_pg11.eedptagmode-directly-.patch +scsi-ufs-bsg-delete-bsg_dev-when-setting-up-bsg-fail.patch +ocfs2-mark-dquot-as-inactive-if-failed-to-start-tran.patch +module-extend-the-preempt-disabled-section-in-derefe.patch +nfsv4.2-fix-copy_notify-xdr-buf-size-calculation.patch +tools-bootconfig-fix-the-wrong-format-specifier.patch +xfrm-replay-fix-the-update-of-replay_esn-oseq_hi-for.patch +dmaengine-ti-edma-fix-of-node-reference-leaks-in-edm.patch +rtc-pcf85063-fix-potential-oob-write-in-pcf85063-nvm.patch +ubifs-skip-dumping-tnc-tree-when-zroot-is-null.patch +net-hns3-fix-oops-when-unload-drivers-paralleling.patch +net-fec-implement-tso-descriptor-cleanup.patch +ipmr-do-not-call-mr_mfc_uses_dev-for-unres-entries.patch +pm-hibernate-add-error-handling-for-syscore_suspend.patch +net-rose-fix-timer-races-against-user-threads.patch +net-netdevsim-try-to-close-udp-port-harness-races.patch +net-davicom-fix-uaf-in-dm9000_drv_remove.patch +perf-trace-fix-runtime-error-of-index-out-of-bounds.patch +pm-sleep-restore-asynchronous-device-resume-optimiza.patch +pm-sleep-use-bool-for-all-1-bit-fields-in-struct-dev.patch +pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch +vsock-allow-retrying-on-connect-failure.patch +bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch +net-sh_eth-fix-missing-rtnl-lock-in-suspend-resume-p.patch +net-hsr-fix-fill_frame_info-regression-vs-vlan-packe.patch diff --git a/queue-5.10/soc-atmel-fix-device_node-release-in-atmel_soc_devic.patch b/queue-5.10/soc-atmel-fix-device_node-release-in-atmel_soc_devic.patch new file mode 100644 index 0000000000..2f67468125 --- /dev/null +++ b/queue-5.10/soc-atmel-fix-device_node-release-in-atmel_soc_devic.patch @@ -0,0 +1,43 @@ +From a93bf0191848b931143f60e57abfc7d76b5e3e22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Oct 2024 13:33:36 +0100 +Subject: soc: atmel: fix device_node release in atmel_soc_device_init() + +From: Javier Carrasco + +[ Upstream commit d3455ab798100f40af77123e7c2443ec979c546b ] + +A device_node acquired via of_find_node_by_path() requires explicit +calls to of_node_put() when it is no longer needed to avoid leaking the +resource. + +Instead of adding the missing calls to of_node_put() in all execution +paths, use the cleanup attribute for 'np' by means of the __free() +macro, which automatically calls of_node_put() when the variable goes +out of scope. + +Fixes: 960ddf70cc11 ("drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs") +Signed-off-by: Javier Carrasco +Link: https://lore.kernel.org/r/20241031-soc-atmel-soc-cleanup-v2-1-73f2d235fd98@gmail.com +Signed-off-by: Claudiu Beznea +Signed-off-by: Sasha Levin +--- + drivers/soc/atmel/soc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/atmel/soc.c b/drivers/soc/atmel/soc.c +index 5d06ee70a36b9..7d852f859687b 100644 +--- a/drivers/soc/atmel/soc.c ++++ b/drivers/soc/atmel/soc.c +@@ -275,7 +275,7 @@ static const struct of_device_id at91_soc_allowed_list[] __initconst = { + + static int __init atmel_soc_device_init(void) + { +- struct device_node *np = of_find_node_by_path("/"); ++ struct device_node *np __free(device_node) = of_find_node_by_path("/"); + + if (!of_match_node(at91_soc_allowed_list, np)) + return 0; +-- +2.39.5 + diff --git a/queue-5.10/spi-zynq-qspi-add-check-for-clk_enable.patch b/queue-5.10/spi-zynq-qspi-add-check-for-clk_enable.patch new file mode 100644 index 0000000000..1c9866cbdc --- /dev/null +++ b/queue-5.10/spi-zynq-qspi-add-check-for-clk_enable.patch @@ -0,0 +1,53 @@ +From 2e032b66c06128b18b7712f903b81d4a83428361 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 20:52:06 -0500 +Subject: spi: zynq-qspi: Add check for clk_enable() + +From: Mingwei Zheng + +[ Upstream commit 8332e667099712e05ec87ba2058af394b51ebdc9 ] + +Add check for the return value of clk_enable() to catch the potential +error. + +Fixes: c618a90dcaf3 ("spi: zynq-qspi: Drop GPIO header") +Signed-off-by: Mingwei Zheng +Signed-off-by: Jiasheng Jiang +Link: https://patch.msgid.link/20241207015206.3689364-1-zmw12306@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-zynq-qspi.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c +index 13c0b15fe1764..2be764d5460d3 100644 +--- a/drivers/spi/spi-zynq-qspi.c ++++ b/drivers/spi/spi-zynq-qspi.c +@@ -379,12 +379,21 @@ static int zynq_qspi_setup_op(struct spi_device *spi) + { + struct spi_controller *ctlr = spi->master; + struct zynq_qspi *qspi = spi_controller_get_devdata(ctlr); ++ int ret; + + if (ctlr->busy) + return -EBUSY; + +- clk_enable(qspi->refclk); +- clk_enable(qspi->pclk); ++ ret = clk_enable(qspi->refclk); ++ if (ret) ++ return ret; ++ ++ ret = clk_enable(qspi->pclk); ++ if (ret) { ++ clk_disable(qspi->refclk); ++ return ret; ++ } ++ + zynq_qspi_write(qspi, ZYNQ_QSPI_ENABLE_OFFSET, + ZYNQ_QSPI_ENABLE_ENABLE_MASK); + +-- +2.39.5 + diff --git a/queue-5.10/staging-media-imx-fix-of-node-leak-in-imx_media_add_.patch b/queue-5.10/staging-media-imx-fix-of-node-leak-in-imx_media_add_.patch new file mode 100644 index 0000000000..525d258c19 --- /dev/null +++ b/queue-5.10/staging-media-imx-fix-of-node-leak-in-imx_media_add_.patch @@ -0,0 +1,58 @@ +From 423a1d5431cf508472e6f36708faaf68e3b095e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 12:54:11 +0900 +Subject: staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() + +From: Joe Hattori + +[ Upstream commit 094f5c315f756b19198e6c401aa821ac0e868750 ] + +imx_media_add_of_subdevs() calls of_parse_phandle() and passes the +obtained node to imx_media_of_add_csi(). The passed node is used in +v4l2_async_nf_add_fwnode(), which increments the refcount of the node. +Therefore, while the current implementation only releases the node when +imx_media_of_add_csi() fails, but should always release it. Call +of_node_put() right after imx_media_of_add_csi(). + +Fixes: dee747f88167 ("media: imx: Don't register IPU subdevs/links if CSI port missing") +Signed-off-by: Joe Hattori +Reviewed-by: Vladimir Zapolskiy +Reviewed-by: Philipp Zabel +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/staging/media/imx/imx-media-of.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/drivers/staging/media/imx/imx-media-of.c b/drivers/staging/media/imx/imx-media-of.c +index 82e13e972e233..566e133ad3f42 100644 +--- a/drivers/staging/media/imx/imx-media-of.c ++++ b/drivers/staging/media/imx/imx-media-of.c +@@ -55,22 +55,18 @@ int imx_media_add_of_subdevs(struct imx_media_dev *imxmd, + break; + + ret = imx_media_of_add_csi(imxmd, csi_np); ++ of_node_put(csi_np); + if (ret) { + /* unavailable or already added is not an error */ + if (ret == -ENODEV || ret == -EEXIST) { +- of_node_put(csi_np); + continue; + } + + /* other error, can't continue */ +- goto err_out; ++ return ret; + } + } + + return 0; +- +-err_out: +- of_node_put(csi_np); +- return ret; + } + EXPORT_SYMBOL_GPL(imx_media_add_of_subdevs); +-- +2.39.5 + diff --git a/queue-5.10/team-prevent-adding-a-device-which-is-already-a-team.patch b/queue-5.10/team-prevent-adding-a-device-which-is-already-a-team.patch new file mode 100644 index 0000000000..369166b43b --- /dev/null +++ b/queue-5.10/team-prevent-adding-a-device-which-is-already-a-team.patch @@ -0,0 +1,118 @@ +From 1544cca7bdf6449a4f6a44de7b7d20a59d407363 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 12:56:47 -0800 +Subject: team: prevent adding a device which is already a team device lower + +From: Octavian Purdila + +[ Upstream commit 3fff5da4ca2164bb4d0f1e6cd33f6eb8a0e73e50 ] + +Prevent adding a device which is already a team device lower, +e.g. adding veth0 if vlan1 was already added and veth0 is a lower of +vlan1. + +This is not useful in practice and can lead to recursive locking: + +$ ip link add veth0 type veth peer name veth1 +$ ip link set veth0 up +$ ip link set veth1 up +$ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1 +$ ip link add team0 type team +$ ip link set veth0.1 down +$ ip link set veth0.1 master team0 +team0: Port device veth0.1 added +$ ip link set veth0 down +$ ip link set veth0 master team0 + +============================================ +WARNING: possible recursive locking detected +6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted +-------------------------------------------- +ip/7684 is trying to acquire lock: +ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) + +but task is already holding lock: +ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_add_slave (drivers/net/team/team_core.c:1147 drivers/net/team/team_core.c:1977) + +other info that might help us debug this: +Possible unsafe locking scenario: + +CPU0 +---- +lock(team->team_lock_key); +lock(team->team_lock_key); + +*** DEADLOCK *** + +May be due to missing lock nesting notation + +2 locks held by ip/7684: + +stack backtrace: +CPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +Call Trace: + +dump_stack_lvl (lib/dump_stack.c:122) +print_deadlock_bug.cold (kernel/locking/lockdep.c:3040) +__lock_acquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226) +? netlink_broadcast_filtered (net/netlink/af_netlink.c:1548) +lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851) +? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) +? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 2)) +? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) +? lock_acquire (kernel/locking/lockdep.c:5822) +? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) +__mutex_lock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735) +? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) +? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) +? fib_sync_up (net/ipv4/fib_semantics.c:2167) +? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) +team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973) +notifier_call_chain (kernel/notifier.c:85) +call_netdevice_notifiers_info (net/core/dev.c:1996) +__dev_notify_flags (net/core/dev.c:8993) +? __dev_change_flags (net/core/dev.c:8975) +dev_change_flags (net/core/dev.c:9027) +vlan_device_event (net/8021q/vlan.c:85 net/8021q/vlan.c:470) +? br_device_event (net/bridge/br.c:143) +notifier_call_chain (kernel/notifier.c:85) +call_netdevice_notifiers_info (net/core/dev.c:1996) +dev_open (net/core/dev.c:1519 net/core/dev.c:1505) +team_add_slave (drivers/net/team/team_core.c:1219 drivers/net/team/team_core.c:1977) +? __pfx_team_add_slave (drivers/net/team/team_core.c:1972) +do_set_master (net/core/rtnetlink.c:2917) +do_setlink.isra.0 (net/core/rtnetlink.c:3117) + +Reported-by: syzbot+3c47b5843403a45aef57@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3c47b5843403a45aef57 +Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") +Signed-off-by: Octavian Purdila +Reviewed-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/team/team.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c +index bc52f9e24ff34..699076fbfb4d6 100644 +--- a/drivers/net/team/team.c ++++ b/drivers/net/team/team.c +@@ -1165,6 +1165,13 @@ static int team_port_add(struct team *team, struct net_device *port_dev, + return -EBUSY; + } + ++ if (netdev_has_upper_dev(port_dev, dev)) { ++ NL_SET_ERR_MSG(extack, "Device is already a lower device of the team interface"); ++ netdev_err(dev, "Device %s is already a lower device of the team interface\n", ++ portname); ++ return -EBUSY; ++ } ++ + if (port_dev->features & NETIF_F_VLAN_CHALLENGED && + vlan_uses_dev(dev)) { + NL_SET_ERR_MSG(extack, "Device is VLAN challenged and team device has VLAN set up"); +-- +2.39.5 + diff --git a/queue-5.10/tools-bootconfig-fix-the-wrong-format-specifier.patch b/queue-5.10/tools-bootconfig-fix-the-wrong-format-specifier.patch new file mode 100644 index 0000000000..a6d83ef0d7 --- /dev/null +++ b/queue-5.10/tools-bootconfig-fix-the-wrong-format-specifier.patch @@ -0,0 +1,46 @@ +From 3c93215d2fb90a8eab990c5596f425707d928b48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 23:27:01 +0900 +Subject: tools/bootconfig: Fix the wrong format specifier + +From: Luo Yifan + +[ Upstream commit f6ab7384d554ba80ff4793259d75535874b366f5 ] + +Use '%u' instead of '%d' for unsigned int. + +Link: https://lore.kernel.org/all/20241105011048.201629-1-luoyifan@cmss.chinamobile.com/ + +Fixes: 973780011106 ("tools/bootconfig: Suppress non-error messages") +Signed-off-by: Luo Yifan +Signed-off-by: Masami Hiramatsu (Google) +Signed-off-by: Sasha Levin +--- + tools/bootconfig/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c +index 6cd6080cac04c..365c022fb7cdd 100644 +--- a/tools/bootconfig/main.c ++++ b/tools/bootconfig/main.c +@@ -207,7 +207,7 @@ static int load_xbc_from_initrd(int fd, char **buf) + /* Wrong Checksum */ + rcsum = checksum((unsigned char *)*buf, size); + if (csum != rcsum) { +- pr_err("checksum error: %d != %d\n", csum, rcsum); ++ pr_err("checksum error: %u != %u\n", csum, rcsum); + return -EINVAL; + } + +@@ -375,7 +375,7 @@ static int apply_xbc(const char *path, const char *xbc_path) + printf("Apply %s to %s\n", xbc_path, path); + printf("\tNumber of nodes: %d\n", ret); + printf("\tSize: %u bytes\n", (unsigned int)size); +- printf("\tChecksum: %d\n", (unsigned int)csum); ++ printf("\tChecksum: %u\n", (unsigned int)csum); + + /* TODO: Check the options by schema */ + xbc_destroy_all(); +-- +2.39.5 + diff --git a/queue-5.10/tools-testing-selftests-bpf-test_tc_tunnel.sh-fix-wa.patch b/queue-5.10/tools-testing-selftests-bpf-test_tc_tunnel.sh-fix-wa.patch new file mode 100644 index 0000000000..fce10b4c1c --- /dev/null +++ b/queue-5.10/tools-testing-selftests-bpf-test_tc_tunnel.sh-fix-wa.patch @@ -0,0 +1,43 @@ +From 49f197473a068db6c933306fa253d997603f472b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Dec 2024 12:45:30 -0800 +Subject: tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server + bind + +From: Marco Leogrande + +[ Upstream commit e2f0791124a1b6ca8d570110cbd487969d9d41ef ] + +Commit f803bcf9208a ("selftests/bpf: Prevent client connect before +server bind in test_tc_tunnel.sh") added code that waits for the +netcat server to start before the netcat client attempts to connect to +it. However, not all calls to 'server_listen' were guarded. + +This patch adds the existing 'wait_for_port' guard after the remaining +call to 'server_listen'. + +Fixes: f803bcf9208a ("selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh") +Signed-off-by: Marco Leogrande +Acked-by: Stanislav Fomichev +Link: https://lore.kernel.org/r/20241202204530.1143448-1-leogrande@google.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_tc_tunnel.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/bpf/test_tc_tunnel.sh b/tools/testing/selftests/bpf/test_tc_tunnel.sh +index 21bde60c95230..e42d8959cbf1c 100755 +--- a/tools/testing/selftests/bpf/test_tc_tunnel.sh ++++ b/tools/testing/selftests/bpf/test_tc_tunnel.sh +@@ -286,6 +286,7 @@ else + client_connect + verify_data + server_listen ++ wait_for_port ${port} ${netcat_opt} + fi + + # bpf_skb_net_shrink does not take tunnel flags yet, cannot update L3. +-- +2.39.5 + diff --git a/queue-5.10/ubifs-skip-dumping-tnc-tree-when-zroot-is-null.patch b/queue-5.10/ubifs-skip-dumping-tnc-tree-when-zroot-is-null.patch new file mode 100644 index 0000000000..bf352d4cd6 --- /dev/null +++ b/queue-5.10/ubifs-skip-dumping-tnc-tree-when-zroot-is-null.patch @@ -0,0 +1,60 @@ +From 9debb44ff4f9ebd8f22b754de94e5ae55cf96af7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Dec 2024 16:18:23 +0800 +Subject: ubifs: skip dumping tnc tree when zroot is null + +From: pangliyuan + +[ Upstream commit bdb0ca39e0acccf6771db49c3f94ed787d05f2d7 ] + +Clearing slab cache will free all znode in memory and make +c->zroot.znode = NULL, then dumping tnc tree will access +c->zroot.znode which cause null pointer dereference. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=219624#c0 +Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") +Signed-off-by: pangliyuan +Reviewed-by: Zhihao Cheng +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + fs/ubifs/debug.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/fs/ubifs/debug.c b/fs/ubifs/debug.c +index ebff43f8009c2..9ee58cf4d53f6 100644 +--- a/fs/ubifs/debug.c ++++ b/fs/ubifs/debug.c +@@ -925,16 +925,20 @@ void ubifs_dump_tnc(struct ubifs_info *c) + + pr_err("\n"); + pr_err("(pid %d) start dumping TNC tree\n", current->pid); +- znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, NULL); +- level = znode->level; +- pr_err("== Level %d ==\n", level); +- while (znode) { +- if (level != znode->level) { +- level = znode->level; +- pr_err("== Level %d ==\n", level); ++ if (c->zroot.znode) { ++ znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, NULL); ++ level = znode->level; ++ pr_err("== Level %d ==\n", level); ++ while (znode) { ++ if (level != znode->level) { ++ level = znode->level; ++ pr_err("== Level %d ==\n", level); ++ } ++ ubifs_dump_znode(c, znode); ++ znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, znode); + } +- ubifs_dump_znode(c, znode); +- znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, znode); ++ } else { ++ pr_err("empty TNC tree in memory\n"); + } + pr_err("(pid %d) finish dumping TNC tree\n", current->pid); + } +-- +2.39.5 + diff --git a/queue-5.10/udp-deal-with-race-between-udp-socket-address-change.patch b/queue-5.10/udp-deal-with-race-between-udp-socket-address-change.patch new file mode 100644 index 0000000000..87c6a8c94e --- /dev/null +++ b/queue-5.10/udp-deal-with-race-between-udp-socket-address-change.patch @@ -0,0 +1,301 @@ +From e27cd5cf7f24ac02a5c48b834440c0618e75b6eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Dec 2024 17:21:16 +0100 +Subject: udp: Deal with race between UDP socket address change and rehash + +From: Stefano Brivio + +[ Upstream commit a502ea6fa94b1f7be72a24bcf9e3f5f6b7e6e90c ] + +If a UDP socket changes its local address while it's receiving +datagrams, as a result of connect(), there is a period during which +a lookup operation might fail to find it, after the address is changed +but before the secondary hash (port and address) and the four-tuple +hash (local and remote ports and addresses) are updated. + +Secondary hash chains were introduced by commit 30fff9231fad ("udp: +bind() optimisation") and, as a result, a rehash operation became +needed to make a bound socket reachable again after a connect(). + +This operation was introduced by commit 719f835853a9 ("udp: add +rehash on connect()") which isn't however a complete fix: the +socket will be found once the rehashing completes, but not while +it's pending. + +This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a +client sending datagrams to it. After the server receives the first +datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to +the address of the sender, in order to set up a directed flow. + +Now, if the client, running on a different CPU thread, happens to +send a (subsequent) datagram while the server's socket changes its +address, but is not rehashed yet, this will result in a failed +lookup and a port unreachable error delivered to the client, as +apparent from the following reproducer: + + LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4)) + dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in + + while :; do + taskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc & + sleep 0.1 || sleep 1 + taskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null + wait + done + +where the client will eventually get ECONNREFUSED on a write() +(typically the second or third one of a given iteration): + + 2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused + +This issue was first observed as a seldom failure in Podman's tests +checking UDP functionality while using pasta(1) to connect the +container's network namespace, which leads us to a reproducer with +the lookup error resulting in an ICMP packet on a tap device: + + LOCAL_ADDR="$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == "global").local')" + + while :; do + ./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc & + sleep 0.2 || sleep 1 + socat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null + wait + cmp tmp.in tmp.out + done + +Once this fails: + + tmp.in tmp.out differ: char 8193, line 29 + +we can finally have a look at what's going on: + + $ tshark -r pasta.pcap + 1 0.000000 :: ? ff02::16 ICMPv6 110 Multicast Listener Report Message v2 + 2 0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 + 3 0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 + 4 0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 + 5 0.168827 c6:47:05:8d:dc:04 ? Broadcast ARP 42 Who has 88.198.0.161? Tell 88.198.0.164 + 6 0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55 + 7 0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 + 8 0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable) + 9 0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 + 10 0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192 + 11 0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096 + 12 0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0 + +On the third datagram received, the network namespace of the container +initiates an ARP lookup to deliver the ICMP message. + +In another variant of this reproducer, starting the client with: + + strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc 2>strace.log & + +and connecting to the socat server using a loopback address: + + socat OPEN:tmp.in UDP4:localhost:1337,shut-null + +we can more clearly observe a sendmmsg() call failing after the +first datagram is delivered: + + [pid 278012] connect(173, 0x7fff96c95fc0, 16) = 0 + [...] + [pid 278012] recvmmsg(173, 0x7fff96c96020, 1024, MSG_DONTWAIT, NULL) = -1 EAGAIN (Resource temporarily unavailable) + [pid 278012] sendmmsg(173, 0x561c5ad0a720, 1, MSG_NOSIGNAL) = 1 + [...] + [pid 278012] sendmmsg(173, 0x561c5ad0a720, 1, MSG_NOSIGNAL) = -1 ECONNREFUSED (Connection refused) + +and, somewhat confusingly, after a connect() on the same socket +succeeded. + +Until commit 4cdeeee9252a ("net: udp: prefer listeners bound to an +address"), the race between receive address change and lookup didn't +actually cause visible issues, because, once the lookup based on the +secondary hash chain failed, we would still attempt a lookup based on +the primary hash (destination port only), and find the socket with the +outdated secondary hash. + +That change, however, dropped port-only lookups altogether, as side +effect, making the race visible. + +To fix this, while avoiding the need to make address changes and +rehash atomic against lookups, reintroduce primary hash lookups as +fallback, if lookups based on four-tuple and secondary hashes fail. + +To this end, introduce a simplified lookup implementation, which +doesn't take care of SO_REUSEPORT groups: if we have one, there are +multiple sockets that would match the four-tuple or secondary hash, +meaning that we can't run into this race at all. + +v2: + - instead of synchronising lookup operations against address change + plus rehash, reintroduce a simplified version of the original + primary hash lookup as fallback + +v1: + - fix build with CONFIG_IPV6=n: add ifdef around sk_v6_rcv_saddr + usage (Kuniyuki Iwashima) + - directly use sk_rcv_saddr for IPv4 receive addresses instead of + fetching inet_rcv_saddr (Kuniyuki Iwashima) + - move inet_update_saddr() to inet_hashtables.h and use that + to set IPv4/IPv6 addresses as suitable (Kuniyuki Iwashima) + - rebase onto net-next, update commit message accordingly + +Reported-by: Ed Santiago +Link: https://github.com/containers/podman/issues/24147 +Analysed-by: David Gibson +Fixes: 30fff9231fad ("udp: bind() optimisation") +Signed-off-by: Stefano Brivio +Reviewed-by: Eric Dumazet +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++ + net/ipv6/udp.c | 50 ++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 106 insertions(+) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 6ad25dc9710c1..0f835abe7c9e9 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -412,6 +412,49 @@ u32 udp_ehashfn(const struct net *net, const __be32 laddr, const __u16 lport, + udp_ehash_secret + net_hash_mix(net)); + } + ++/** ++ * udp4_lib_lookup1() - Simplified lookup using primary hash (destination port) ++ * @net: Network namespace ++ * @saddr: Source address, network order ++ * @sport: Source port, network order ++ * @daddr: Destination address, network order ++ * @hnum: Destination port, host order ++ * @dif: Destination interface index ++ * @sdif: Destination bridge port index, if relevant ++ * @udptable: Set of UDP hash tables ++ * ++ * Simplified lookup to be used as fallback if no sockets are found due to a ++ * potential race between (receive) address change, and lookup happening before ++ * the rehash operation. This function ignores SO_REUSEPORT groups while scoring ++ * result sockets, because if we have one, we don't need the fallback at all. ++ * ++ * Called under rcu_read_lock(). ++ * ++ * Return: socket with highest matching score if any, NULL if none ++ */ ++static struct sock *udp4_lib_lookup1(const struct net *net, ++ __be32 saddr, __be16 sport, ++ __be32 daddr, unsigned int hnum, ++ int dif, int sdif, ++ const struct udp_table *udptable) ++{ ++ unsigned int slot = udp_hashfn(net, hnum, udptable->mask); ++ struct udp_hslot *hslot = &udptable->hash[slot]; ++ struct sock *sk, *result = NULL; ++ int score, badness = 0; ++ ++ sk_for_each_rcu(sk, &hslot->head) { ++ score = compute_score(sk, net, ++ saddr, sport, daddr, hnum, dif, sdif); ++ if (score > badness) { ++ result = sk; ++ badness = score; ++ } ++ } ++ ++ return result; ++} ++ + /* called with rcu_read_lock() */ + static struct sock *udp4_lib_lookup2(struct net *net, + __be32 saddr, __be16 sport, +@@ -539,6 +582,19 @@ struct sock *__udp4_lib_lookup(struct net *net, __be32 saddr, + result = udp4_lib_lookup2(net, saddr, sport, + htonl(INADDR_ANY), hnum, dif, sdif, + hslot2, skb); ++ if (!IS_ERR_OR_NULL(result)) ++ goto done; ++ ++ /* Primary hash (destination port) lookup as fallback for this race: ++ * 1. __ip4_datagram_connect() sets sk_rcv_saddr ++ * 2. lookup (this function): new sk_rcv_saddr, hashes not updated yet ++ * 3. rehash operation updating _secondary and four-tuple_ hashes ++ * The primary hash doesn't need an update after 1., so, thanks to this ++ * further step, 1. and 3. don't need to be atomic against the lookup. ++ */ ++ result = udp4_lib_lookup1(net, saddr, sport, daddr, hnum, dif, sdif, ++ udptable); ++ + done: + if (IS_ERR(result)) + return NULL; +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 203a6d64d7e99..9f5aaf90ce905 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -156,6 +156,49 @@ static int compute_score(struct sock *sk, struct net *net, + return score; + } + ++/** ++ * udp6_lib_lookup1() - Simplified lookup using primary hash (destination port) ++ * @net: Network namespace ++ * @saddr: Source address, network order ++ * @sport: Source port, network order ++ * @daddr: Destination address, network order ++ * @hnum: Destination port, host order ++ * @dif: Destination interface index ++ * @sdif: Destination bridge port index, if relevant ++ * @udptable: Set of UDP hash tables ++ * ++ * Simplified lookup to be used as fallback if no sockets are found due to a ++ * potential race between (receive) address change, and lookup happening before ++ * the rehash operation. This function ignores SO_REUSEPORT groups while scoring ++ * result sockets, because if we have one, we don't need the fallback at all. ++ * ++ * Called under rcu_read_lock(). ++ * ++ * Return: socket with highest matching score if any, NULL if none ++ */ ++static struct sock *udp6_lib_lookup1(const struct net *net, ++ const struct in6_addr *saddr, __be16 sport, ++ const struct in6_addr *daddr, ++ unsigned int hnum, int dif, int sdif, ++ const struct udp_table *udptable) ++{ ++ unsigned int slot = udp_hashfn(net, hnum, udptable->mask); ++ struct udp_hslot *hslot = &udptable->hash[slot]; ++ struct sock *sk, *result = NULL; ++ int score, badness = 0; ++ ++ sk_for_each_rcu(sk, &hslot->head) { ++ score = compute_score(sk, net, ++ saddr, sport, daddr, hnum, dif, sdif); ++ if (score > badness) { ++ result = sk; ++ badness = score; ++ } ++ } ++ ++ return result; ++} ++ + /* called with rcu_read_lock() */ + static struct sock *udp6_lib_lookup2(struct net *net, + const struct in6_addr *saddr, __be16 sport, +@@ -284,6 +327,13 @@ struct sock *__udp6_lib_lookup(struct net *net, + result = udp6_lib_lookup2(net, saddr, sport, + &in6addr_any, hnum, dif, sdif, + hslot2, skb); ++ if (!IS_ERR_OR_NULL(result)) ++ goto done; ++ ++ /* Cover address change/lookup/rehash race: see __udp4_lib_lookup() */ ++ result = udp6_lib_lookup1(net, saddr, sport, daddr, hnum, dif, sdif, ++ udptable); ++ + done: + if (IS_ERR(result)) + return NULL; +-- +2.39.5 + diff --git a/queue-5.10/vsock-allow-retrying-on-connect-failure.patch b/queue-5.10/vsock-allow-retrying-on-connect-failure.patch new file mode 100644 index 0000000000..7218290af1 --- /dev/null +++ b/queue-5.10/vsock-allow-retrying-on-connect-failure.patch @@ -0,0 +1,45 @@ +From 5e03a66d55db154f0f27f4d07f518782fe99db15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jan 2025 14:15:28 +0100 +Subject: vsock: Allow retrying on connect() failure + +From: Michal Luczaj + +[ Upstream commit aa388c72113b7458127b709bdd7d3628af26e9b4 ] + +sk_err is set when a (connectible) connect() fails. Effectively, this makes +an otherwise still healthy SS_UNCONNECTED socket impossible to use for any +subsequent connection attempts. + +Clear sk_err upon trying to establish a connection. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Reviewed-by: Stefano Garzarella +Reviewed-by: Luigi Leonardi +Signed-off-by: Michal Luczaj +Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-2-1cf57065b770@rbox.co +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 53a9c0a73489b..473ba765a4356 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1340,6 +1340,11 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, + if (err < 0) + goto out; + ++ /* sk_err might have been set as a result of an earlier ++ * (failed) connect attempt. ++ */ ++ sk->sk_err = 0; ++ + /* Mark sock as connecting and set the error code to in + * progress in case this is a non-blocking connect. + */ +-- +2.39.5 + diff --git a/queue-5.10/wifi-cfg80211-adjust-allocation-of-colocated-ap-data.patch b/queue-5.10/wifi-cfg80211-adjust-allocation-of-colocated-ap-data.patch new file mode 100644 index 0000000000..8cf2de612c --- /dev/null +++ b/queue-5.10/wifi-cfg80211-adjust-allocation-of-colocated-ap-data.patch @@ -0,0 +1,41 @@ +From 2983cfa2eff2016ebeb3bbd466f6cb634fac65db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 18:54:17 +0300 +Subject: wifi: cfg80211: adjust allocation of colocated AP data + +From: Dmitry Antipov + +[ Upstream commit 1a0d24775cdee2b8dc14bfa4f4418c930ab1ac57 ] + +In 'cfg80211_scan_6ghz()', an instances of 'struct cfg80211_colocated_ap' +are allocated as if they would have 'ssid' as trailing VLA member. Since +this is not so, extra IEEE80211_MAX_SSID_LEN bytes are not needed. +Briefly tested with KUnit. + +Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning") +Signed-off-by: Dmitry Antipov +Link: https://patch.msgid.link/20250113155417.552587-1-dmantipov@yandex.ru +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 348b2fce25fc3..670fcdbef95be 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -821,9 +821,7 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev) + if (ret) + continue; + +- entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN, +- GFP_ATOMIC); +- ++ entry = kzalloc(sizeof(*entry), GFP_ATOMIC); + if (!entry) + continue; + +-- +2.39.5 + diff --git a/queue-5.10/wifi-cfg80211-handle-specific-bssid-in-6ghz-scanning.patch b/queue-5.10/wifi-cfg80211-handle-specific-bssid-in-6ghz-scanning.patch new file mode 100644 index 0000000000..b0ba1cfeed --- /dev/null +++ b/queue-5.10/wifi-cfg80211-handle-specific-bssid-in-6ghz-scanning.patch @@ -0,0 +1,84 @@ +From 3ab29ef4dbe3c2a73d5feb2f4d22d5290f70fbda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 17:35:30 +0300 +Subject: wifi: cfg80211: Handle specific BSSID in 6GHz scanning + +From: Ilan Peer + +[ Upstream commit 0fca7784b7a14d4ede64f479662afb98876ec7f8 ] + +When the scan parameters for a 6GHz scan specify a unicast +BSSID address, and the corresponding AP is found in the scan +list, add a corresponding entry in the collocated AP list, +so this AP would be directly probed even if it was not +advertised as a collocated AP. + +This is needed for handling a scan request that is intended +for a ML probe flow, where user space can requests a scan +to retrieve information for other links in the AP MLD. + +Signed-off-by: Ilan Peer +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230928172905.54b954bc02ad.I1c072793d3d77a4c8fbbc64b4db5cce1bbb00382@changeid +Signed-off-by: Johannes Berg +Stable-dep-of: 1a0d24775cde ("wifi: cfg80211: adjust allocation of colocated AP data") +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index f6307061aac49..348b2fce25fc3 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -796,10 +796,47 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev) + list_for_each_entry(intbss, &rdev->bss_list, list) { + struct cfg80211_bss *res = &intbss->pub; + const struct cfg80211_bss_ies *ies; ++ const struct element *ssid_elem; ++ struct cfg80211_colocated_ap *entry; ++ u32 s_ssid_tmp; ++ int ret; + + ies = rcu_access_pointer(res->ies); + count += cfg80211_parse_colocated_ap(ies, + &coloc_ap_list); ++ ++ /* In case the scan request specified a specific BSSID ++ * and the BSS is found and operating on 6GHz band then ++ * add this AP to the collocated APs list. ++ * This is relevant for ML probe requests when the lower ++ * band APs have not been discovered. ++ */ ++ if (is_broadcast_ether_addr(rdev_req->bssid) || ++ !ether_addr_equal(rdev_req->bssid, res->bssid) || ++ res->channel->band != NL80211_BAND_6GHZ) ++ continue; ++ ++ ret = cfg80211_calc_short_ssid(ies, &ssid_elem, ++ &s_ssid_tmp); ++ if (ret) ++ continue; ++ ++ entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN, ++ GFP_ATOMIC); ++ ++ if (!entry) ++ continue; ++ ++ memcpy(entry->bssid, res->bssid, ETH_ALEN); ++ entry->short_ssid = s_ssid_tmp; ++ memcpy(entry->ssid, ssid_elem->data, ++ ssid_elem->datalen); ++ entry->ssid_len = ssid_elem->datalen; ++ entry->short_ssid_valid = true; ++ entry->center_freq = res->channel->center_freq; ++ ++ list_add_tail(&entry->list, &coloc_ap_list); ++ count++; + } + spin_unlock_bh(&rdev->bss_lock); + } +-- +2.39.5 + diff --git a/queue-5.10/wifi-mt76-mt76u_vendor_request-do-not-print-error-me.patch b/queue-5.10/wifi-mt76-mt76u_vendor_request-do-not-print-error-me.patch new file mode 100644 index 0000000000..6209792b60 --- /dev/null +++ b/queue-5.10/wifi-mt76-mt76u_vendor_request-do-not-print-error-me.patch @@ -0,0 +1,72 @@ +From 1f1742e649d32d1e8b048d30a148603728383362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jan 2025 15:02:41 +0800 +Subject: wifi: mt76: mt76u_vendor_request: Do not print error messages when + -EPROTO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: WangYuli + +[ Upstream commit f1b1e133a770fcdbd89551651232b034d2f7a27a ] + +When initializing the network card, unplugging the device will +trigger an -EPROTO error, resulting in a flood of error messages +being printed frantically. + +The exception is printed as follows: + + mt76x2u 2-2.4:1.0: vendor request req:47 off:9018 failed:-71 + mt76x2u 2-2.4:1.0: vendor request req:47 off:9018 failed:-71 + ... + +It will continue to print more than 2000 times for about 5 minutes, +causing the usb device to be unable to be disconnected. During this +period, the usb port cannot recognize the new device because the old +device has not disconnected. + +There may be other operating methods that cause -EPROTO, but -EPROTO is +a low-level hardware error. It is unwise to repeat vendor requests +expecting to read correct data. It is a better choice to treat -EPROTO +and -ENODEV the same way. + +Similar to commit 9b0f100c1970 ("mt76: usb: process URBs with status +EPROTO properly") do no schedule rx_worker for urb marked with status +set -EPROTO. I also reproduced this situation when plugging and +unplugging the device, and this patch is effective. + +Just do not vendor request again for urb marked with status set -EPROTO. + +Link: https://lore.kernel.org/all/531681bd-30f5-4a70-a156-bf8754b8e072@intel.com/ +Link: https://lore.kernel.org/all/D4B9CC1FFC0CBAC3+20250105040607.154706-1-wangyuli@uniontech.com/ +Fixes: b40b15e1521f ("mt76: add usb support to mt76 layer") +Co-developed-by: Xu Rao +Signed-off-by: Xu Rao +Signed-off-by: WangYuli +Link: https://patch.msgid.link/9DD7DE7AAB497CB7+20250113070241.63590-1-wangyuli@uniontech.com +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c +index f1ae9ff835b23..07a563df6d6d3 100644 +--- a/drivers/net/wireless/mediatek/mt76/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/usb.c +@@ -34,9 +34,9 @@ static int __mt76u_vendor_request(struct mt76_dev *dev, u8 req, + + ret = usb_control_msg(udev, pipe, req, req_type, val, + offset, buf, len, MT_VEND_REQ_TOUT_MS); +- if (ret == -ENODEV) ++ if (ret == -ENODEV || ret == -EPROTO) + set_bit(MT76_REMOVED, &dev->phy.state); +- if (ret >= 0 || ret == -ENODEV) ++ if (ret >= 0 || ret == -ENODEV || ret == -EPROTO) + return ret; + usleep_range(5000, 10000); + } +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-destroy-workqueue-at-rtl_deinit_core.patch b/queue-5.10/wifi-rtlwifi-destroy-workqueue-at-rtl_deinit_core.patch new file mode 100644 index 0000000000..4203a4fb2b --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-destroy-workqueue-at-rtl_deinit_core.patch @@ -0,0 +1,88 @@ +From 118a7f0ed18f2cf53f466ecc59129518bbc62069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 14:37:11 -0300 +Subject: wifi: rtlwifi: destroy workqueue at rtl_deinit_core + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit d8ece6fc3694657e4886191b32ca1690af11adda ] + +rtl_wq is allocated at rtl_init_core, so it makes more sense to destroy it +at rtl_deinit_core. In the case of USB, where _rtl_usb_init does not +require anything to be undone, that is fine. But for PCI, rtl_pci_init, +which is called after rtl_init_core, needs to deallocate data, but only if +it has been called. + +That means that destroying the workqueue needs to be done whether +rtl_pci_init has been called or not. And since rtl_pci_deinit was doing it, +it has to be moved out of there. + +It makes more sense to move it to rtl_deinit_core and have it done in both +cases, USB and PCI. + +Since this is a requirement for a followup memory leak fix, mark this as +fixing such memory leak. + +Fixes: 0c8173385e54 ("rtl8192ce: Add new driver") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241206173713.3222187-3-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 6 ++++++ + drivers/net/wireless/realtek/rtlwifi/pci.c | 2 -- + drivers/net/wireless/realtek/rtlwifi/usb.c | 5 ----- + 3 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c +index c14d7cbaa6472..775f0c181fece 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -576,9 +576,15 @@ static void rtl_free_entries_from_ack_queue(struct ieee80211_hw *hw, + + void rtl_deinit_core(struct ieee80211_hw *hw) + { ++ struct rtl_priv *rtlpriv = rtl_priv(hw); ++ + rtl_c2hcmd_launcher(hw, 0); + rtl_free_entries_from_scan_list(hw); + rtl_free_entries_from_ack_queue(hw, false); ++ if (rtlpriv->works.rtl_wq) { ++ destroy_workqueue(rtlpriv->works.rtl_wq); ++ rtlpriv->works.rtl_wq = NULL; ++ } + } + EXPORT_SYMBOL_GPL(rtl_deinit_core); + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index c0a201f1b74e5..84f2669f201ab 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -1657,8 +1657,6 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw) + synchronize_irq(rtlpci->pdev->irq); + tasklet_kill(&rtlpriv->works.irq_tasklet); + cancel_work_sync(&rtlpriv->works.lps_change_work); +- +- destroy_workqueue(rtlpriv->works.rtl_wq); + } + + static int rtl_pci_init(struct ieee80211_hw *hw, struct pci_dev *pdev) +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 08ab2482c00cc..be17498b5515f 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -680,11 +680,6 @@ static void _rtl_usb_cleanup_rx(struct ieee80211_hw *hw) + tasklet_kill(&rtlusb->rx_work_tasklet); + cancel_work_sync(&rtlpriv->works.lps_change_work); + +- if (rtlpriv->works.rtl_wq) { +- destroy_workqueue(rtlpriv->works.rtl_wq); +- rtlpriv->works.rtl_wq = NULL; +- } +- + skb_queue_purge(&rtlusb->rx_queue); + + while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) { +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-do-not-complete-firmware-loading-needle.patch b/queue-5.10/wifi-rtlwifi-do-not-complete-firmware-loading-needle.patch new file mode 100644 index 0000000000..cca1663ce4 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-do-not-complete-firmware-loading-needle.patch @@ -0,0 +1,50 @@ +From 418335fef86482f13bac38c25bafe2a7fca1a138 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 10:33:18 -0300 +Subject: wifi: rtlwifi: do not complete firmware loading needlessly + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit e73e11d303940119e41850a0452a0deda2cc4eb5 ] + +The only code waiting for completion is driver removal, which will not be +called when probe returns a failure. So this completion is unnecessary. + +Fixes: b0302aba812b ("rtlwifi: Convert to asynchronous firmware load") +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241107133322.855112-2-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 1 - + drivers/net/wireless/realtek/rtlwifi/usb.c | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 6d9f2a6233a21..70f1cc906502b 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -2274,7 +2274,6 @@ int rtl_pci_probe(struct pci_dev *pdev, + pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start); + + pci_release_regions(pdev); +- complete(&rtlpriv->firmware_loading_complete); + + fail1: + if (hw) +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index c6e4fda7e431f..7e4655de30237 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1085,7 +1085,6 @@ int rtl_usb_probe(struct usb_interface *intf, + error_out2: + _rtl_usb_io_handler_release(hw); + usb_put_dev(udev); +- complete(&rtlpriv->firmware_loading_complete); + kfree(rtlpriv->usb_data); + ieee80211_free_hw(hw); + return -ENODEV; +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-fix-init_sw_vars-leak-when-probe-fails.patch b/queue-5.10/wifi-rtlwifi-fix-init_sw_vars-leak-when-probe-fails.patch new file mode 100644 index 0000000000..a6393a0461 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-fix-init_sw_vars-leak-when-probe-fails.patch @@ -0,0 +1,37 @@ +From e0192c88ec8421bbdb280f228c6a31c06a9428ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 10:33:21 -0300 +Subject: wifi: rtlwifi: fix init_sw_vars leak when probe fails + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit 00260350aed80c002df270c805ca443ec9a719a6 ] + +If ieee80211_register_hw fails, the memory allocated for the firmware will +not be released. Call deinit_sw_vars as the function that undoes the +allocationes done by init_sw_vars. + +Fixes: cefe3dfdb9f5 ("rtl8192cu: Call ieee80211_register_hw from rtl_usb_probe") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241107133322.855112-5-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 087e398da36d9..66af56a79dbe5 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1081,6 +1081,7 @@ int rtl_usb_probe(struct usb_interface *intf, + + error_init_vars: + wait_for_completion(&rtlpriv->firmware_loading_complete); ++ rtlpriv->cfg->ops->deinit_sw_vars(hw); + error_out: + rtl_deinit_core(hw); + error_out2: +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-fix-memory-leaks-and-invalid-access-at-.patch b/queue-5.10/wifi-rtlwifi-fix-memory-leaks-and-invalid-access-at-.patch new file mode 100644 index 0000000000..f35bb39cec --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-fix-memory-leaks-and-invalid-access-at-.patch @@ -0,0 +1,80 @@ +From 8c08d47fd625a7d33ffaa15c114ab7741d0f95ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 14:37:12 -0300 +Subject: wifi: rtlwifi: fix memory leaks and invalid access at probe error + path + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit e7ceefbfd8d447abc8aca8ab993a942803522c06 ] + +Deinitialize at reverse order when probe fails. + +When init_sw_vars fails, rtl_deinit_core should not be called, specially +now that it destroys the rtl_wq workqueue. + +And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be +leaked. + +Remove pci_set_drvdata call as it will already be cleaned up by the core +driver code and could lead to memory leaks too. cf. commit 8d450935ae7f +("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and +commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory"). + +Fixes: 0c8173385e54 ("rtl8192ce: Add new driver") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241206173713.3222187-4-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 84f2669f201ab..5b0a5a22d06d2 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -2167,7 +2167,7 @@ int rtl_pci_probe(struct pci_dev *pdev, + if (rtlpriv->cfg->ops->init_sw_vars(hw)) { + pr_err("Can't init_sw_vars\n"); + err = -ENODEV; +- goto fail3; ++ goto fail2; + } + rtlpriv->cfg->ops->init_sw_leds(hw); + +@@ -2185,14 +2185,14 @@ int rtl_pci_probe(struct pci_dev *pdev, + err = rtl_pci_init(hw, pdev); + if (err) { + pr_err("Failed to init PCI\n"); +- goto fail3; ++ goto fail4; + } + + err = ieee80211_register_hw(hw); + if (err) { + pr_err("Can't register mac80211 hw.\n"); + err = -ENODEV; +- goto fail3; ++ goto fail5; + } + rtlpriv->mac80211.mac80211_registered = 1; + +@@ -2215,9 +2215,12 @@ int rtl_pci_probe(struct pci_dev *pdev, + set_bit(RTL_STATUS_INTERFACE_START, &rtlpriv->status); + return 0; + +-fail3: +- pci_set_drvdata(pdev, NULL); ++fail5: ++ rtl_pci_deinit(hw); ++fail4: + rtl_deinit_core(hw); ++fail3: ++ rtlpriv->cfg->ops->deinit_sw_vars(hw); + + fail2: + if (rtlpriv->io.pci_mem_start != 0) +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-pci-wait-for-firmware-loading-before-re.patch b/queue-5.10/wifi-rtlwifi-pci-wait-for-firmware-loading-before-re.patch new file mode 100644 index 0000000000..8eacd22750 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-pci-wait-for-firmware-loading-before-re.patch @@ -0,0 +1,38 @@ +From 7c850c6545b697f8068c101ed53990c2527ad5e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 14:37:13 -0300 +Subject: wifi: rtlwifi: pci: wait for firmware loading before releasing memory + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit b59b86c5d08be7d761c04affcbcec8184738c200 ] + +At probe error path, the firmware loading work may have already been +queued. In such a case, it will try to access memory allocated by the probe +function, which is about to be released. In such paths, wait for the +firmware worker to finish before releasing memory. + +Fixes: 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241206173713.3222187-5-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 5b0a5a22d06d2..925e4f807eb9f 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -2220,6 +2220,7 @@ int rtl_pci_probe(struct pci_dev *pdev, + fail4: + rtl_deinit_core(hw); + fail3: ++ wait_for_completion(&rtlpriv->firmware_loading_complete); + rtlpriv->cfg->ops->deinit_sw_vars(hw); + + fail2: +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-remove-unused-check_buddy_priv.patch b/queue-5.10/wifi-rtlwifi-remove-unused-check_buddy_priv.patch new file mode 100644 index 0000000000..fb402514f0 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-remove-unused-check_buddy_priv.patch @@ -0,0 +1,200 @@ +From 7c52028a64469487d0902fa71a5acb46f48d56b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Dec 2024 14:37:10 -0300 +Subject: wifi: rtlwifi: remove unused check_buddy_priv + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit 2fdac64c3c35858aa8ac5caa70b232e03456e120 ] + +Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global +list of private data structures. + +Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match +vendor version 2013.02.07") started adding the private data to that list at +probe time and added a hook, check_buddy_priv to find the private data from +a similar device. + +However, that function was never used. + +Besides, though there is a lock for that list, it is never used. And when +the probe fails, the private data is never removed from the list. This +would cause a second probe to access freed memory. + +Remove the unused hook, structures and members, which will prevent the +potential race condition on the list and its corruption during a second +probe when probe fails. + +Fixes: 26634c4b1868 ("rtlwifi Modify existing bits to match vendor version 2013.02.07") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241206173713.3222187-2-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 7 ---- + drivers/net/wireless/realtek/rtlwifi/base.h | 1 - + drivers/net/wireless/realtek/rtlwifi/pci.c | 44 --------------------- + drivers/net/wireless/realtek/rtlwifi/wifi.h | 12 ------ + 4 files changed, 64 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c +index 3c2bdfb56fb4f..c14d7cbaa6472 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -2720,9 +2720,6 @@ MODULE_AUTHOR("Larry Finger "); + MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Realtek 802.11n PCI wireless core"); + +-struct rtl_global_var rtl_global_var = {}; +-EXPORT_SYMBOL_GPL(rtl_global_var); +- + static int __init rtl_core_module_init(void) + { + BUILD_BUG_ON(TX_PWR_BY_RATE_NUM_RATE < TX_PWR_BY_RATE_NUM_SECTION); +@@ -2736,10 +2733,6 @@ static int __init rtl_core_module_init(void) + /* add debugfs */ + rtl_debugfs_add_topdir(); + +- /* init some global vars */ +- INIT_LIST_HEAD(&rtl_global_var.glb_priv_list); +- spin_lock_init(&rtl_global_var.glb_list_lock); +- + return 0; + } + +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.h b/drivers/net/wireless/realtek/rtlwifi/base.h +index f081a9a90563f..f3a6a43a42eca 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.h ++++ b/drivers/net/wireless/realtek/rtlwifi/base.h +@@ -124,7 +124,6 @@ int rtl_send_smps_action(struct ieee80211_hw *hw, + u8 *rtl_find_ie(u8 *data, unsigned int len, u8 ie); + void rtl_recognize_peer(struct ieee80211_hw *hw, u8 *data, unsigned int len); + u8 rtl_tid_to_ac(u8 tid); +-extern struct rtl_global_var rtl_global_var; + void rtl_phy_scan_operation_backup(struct ieee80211_hw *hw, u8 operation); + + #endif +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 0dcf5350e0885..c0a201f1b74e5 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -295,46 +295,6 @@ static bool rtl_pci_get_amd_l1_patch(struct ieee80211_hw *hw) + return status; + } + +-static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw, +- struct rtl_priv **buddy_priv) +-{ +- struct rtl_priv *rtlpriv = rtl_priv(hw); +- struct rtl_pci_priv *pcipriv = rtl_pcipriv(hw); +- struct rtl_priv *tpriv = NULL, *iter; +- struct rtl_pci_priv *tpcipriv = NULL; +- +- if (!list_empty(&rtlpriv->glb_var->glb_priv_list)) { +- list_for_each_entry(iter, &rtlpriv->glb_var->glb_priv_list, +- list) { +- tpcipriv = (struct rtl_pci_priv *)iter->priv; +- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD, +- "pcipriv->ndis_adapter.funcnumber %x\n", +- pcipriv->ndis_adapter.funcnumber); +- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD, +- "tpcipriv->ndis_adapter.funcnumber %x\n", +- tpcipriv->ndis_adapter.funcnumber); +- +- if (pcipriv->ndis_adapter.busnumber == +- tpcipriv->ndis_adapter.busnumber && +- pcipriv->ndis_adapter.devnumber == +- tpcipriv->ndis_adapter.devnumber && +- pcipriv->ndis_adapter.funcnumber != +- tpcipriv->ndis_adapter.funcnumber) { +- tpriv = iter; +- break; +- } +- } +- } +- +- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD, +- "find_buddy_priv %d\n", tpriv != NULL); +- +- if (tpriv) +- *buddy_priv = tpriv; +- +- return tpriv != NULL; +-} +- + static void rtl_pci_parse_configuration(struct pci_dev *pdev, + struct ieee80211_hw *hw) + { +@@ -2013,7 +1973,6 @@ static bool _rtl_pci_find_adapter(struct pci_dev *pdev, + pcipriv->ndis_adapter.amd_l1_patch); + + rtl_pci_parse_configuration(pdev, hw); +- list_add_tail(&rtlpriv->list, &rtlpriv->glb_var->glb_priv_list); + + return true; + } +@@ -2160,7 +2119,6 @@ int rtl_pci_probe(struct pci_dev *pdev, + rtlpriv->rtlhal.interface = INTF_PCI; + rtlpriv->cfg = (struct rtl_hal_cfg *)(id->driver_data); + rtlpriv->intf_ops = &rtl_pci_ops; +- rtlpriv->glb_var = &rtl_global_var; + rtl_efuse_ops_init(hw); + + /* MEM map */ +@@ -2318,7 +2276,6 @@ void rtl_pci_disconnect(struct pci_dev *pdev) + if (rtlpci->using_msi) + pci_disable_msi(rtlpci->pdev); + +- list_del(&rtlpriv->list); + if (rtlpriv->io.pci_mem_start != 0) { + pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start); + pci_release_regions(pdev); +@@ -2378,7 +2335,6 @@ const struct rtl_intf_ops rtl_pci_ops = { + .read_efuse_byte = read_efuse_byte, + .adapter_start = rtl_pci_start, + .adapter_stop = rtl_pci_stop, +- .check_buddy_priv = rtl_pci_check_buddy_priv, + .adapter_tx = rtl_pci_tx, + .flush = rtl_pci_flush, + .reset_trx_ring = rtl_pci_reset_trx_ring, +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index f22891c73ade1..359ee313a0d2b 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -2335,8 +2335,6 @@ struct rtl_intf_ops { + void (*read_efuse_byte)(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf); + int (*adapter_start)(struct ieee80211_hw *hw); + void (*adapter_stop)(struct ieee80211_hw *hw); +- bool (*check_buddy_priv)(struct ieee80211_hw *hw, +- struct rtl_priv **buddy_priv); + + int (*adapter_tx)(struct ieee80211_hw *hw, + struct ieee80211_sta *sta, +@@ -2580,14 +2578,6 @@ struct dig_t { + u32 rssi_max; + }; + +-struct rtl_global_var { +- /* from this list we can get +- * other adapter's rtl_priv +- */ +- struct list_head glb_priv_list; +- spinlock_t glb_list_lock; +-}; +- + #define IN_4WAY_TIMEOUT_TIME (30 * MSEC_PER_SEC) /* 30 seconds */ + + struct rtl_btc_info { +@@ -2733,9 +2723,7 @@ struct rtl_scan_list { + struct rtl_priv { + struct ieee80211_hw *hw; + struct completion firmware_loading_complete; +- struct list_head list; + struct rtl_priv *buddy_priv; +- struct rtl_global_var *glb_var; + struct rtl_dmsp_ctl dmsp_ctl; + struct rtl_locks locks; + struct rtl_works works; +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-remove-unused-dualmac-control-leftovers.patch b/queue-5.10/wifi-rtlwifi-remove-unused-dualmac-control-leftovers.patch new file mode 100644 index 0000000000..651b7c42c9 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-remove-unused-dualmac-control-leftovers.patch @@ -0,0 +1,69 @@ +From 9fa6477c83c43929d08001745fcb39be77e4f6a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 09:59:40 +0300 +Subject: wifi: rtlwifi: remove unused dualmac control leftovers + +From: Dmitry Antipov + +[ Upstream commit 557123259200b30863e1b6a8f24a8c8060b6fc1d ] + +Remove 'struct rtl_dualmac_easy_concurrent_ctl' of 'struct rtl_priv' +and related code in '_rtl_pci_tx_chk_waitq()'. + +Signed-off-by: Dmitry Antipov +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230602065940.149198-2-dmantipov@yandex.ru +Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 5 ----- + drivers/net/wireless/realtek/rtlwifi/wifi.h | 9 --------- + 2 files changed, 14 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index f17a365fba070..0dcf5350e0885 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -443,11 +443,6 @@ static void _rtl_pci_tx_chk_waitq(struct ieee80211_hw *hw) + if (!rtlpriv->rtlhal.earlymode_enable) + return; + +- if (rtlpriv->dm.supp_phymode_switch && +- (rtlpriv->easy_concurrent_ctl.switch_in_process || +- (rtlpriv->buddy_priv && +- rtlpriv->buddy_priv->easy_concurrent_ctl.switch_in_process))) +- return; + /* we just use em for BE/BK/VI/VO */ + for (tid = 7; tid >= 0; tid--) { + u8 hw_queue = ac_to_hwq[rtl_tid_to_ac(tid)]; +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index d1b36760c8948..f22891c73ade1 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -2496,14 +2496,6 @@ struct rtl_debug { + #define MIMO_PS_DYNAMIC 1 + #define MIMO_PS_NOLIMIT 3 + +-struct rtl_dualmac_easy_concurrent_ctl { +- enum band_type currentbandtype_backfordmdp; +- bool close_bbandrf_for_dmsp; +- bool change_to_dmdp; +- bool change_to_dmsp; +- bool switch_in_process; +-}; +- + struct rtl_dmsp_ctl { + bool activescan_for_slaveofdmsp; + bool scan_for_anothermac_fordmsp; +@@ -2744,7 +2736,6 @@ struct rtl_priv { + struct list_head list; + struct rtl_priv *buddy_priv; + struct rtl_global_var *glb_var; +- struct rtl_dualmac_easy_concurrent_ctl easy_concurrent_ctl; + struct rtl_dmsp_ctl dmsp_ctl; + struct rtl_locks locks; + struct rtl_works works; +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-remove-unused-timer-and-related-code.patch b/queue-5.10/wifi-rtlwifi-remove-unused-timer-and-related-code.patch new file mode 100644 index 0000000000..cc351b32ef --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-remove-unused-timer-and-related-code.patch @@ -0,0 +1,95 @@ +From 300462f725072feaf60e97423cf978ef1b55b2b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jun 2023 09:59:39 +0300 +Subject: wifi: rtlwifi: remove unused timer and related code + +From: Dmitry Antipov + +[ Upstream commit 358b94f0a7cadd2ec7824531d54dadaa8b71de04 ] + +Drop unused 'dualmac_easyconcurrent_retrytimer' of 'struct rtl_works', +corresponding 'rtl_easy_concurrent_retrytimer_callback()' handler, +'dualmac_easy_concurrent' function pointer of 'struct rtl_hal_ops' +and related call to 'timer_setup()' in '_rtl_init_deferred_work()'. + +Signed-off-by: Dmitry Antipov +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230602065940.149198-1-dmantipov@yandex.ru +Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 16 +--------------- + drivers/net/wireless/realtek/rtlwifi/base.h | 1 - + drivers/net/wireless/realtek/rtlwifi/wifi.h | 2 -- + 3 files changed, 1 insertion(+), 18 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c +index 7ec876c6c663e..3c2bdfb56fb4f 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -452,8 +452,7 @@ static int _rtl_init_deferred_work(struct ieee80211_hw *hw) + /* <1> timer */ + timer_setup(&rtlpriv->works.watchdog_timer, + rtl_watch_dog_timer_callback, 0); +- timer_setup(&rtlpriv->works.dualmac_easyconcurrent_retrytimer, +- rtl_easy_concurrent_retrytimer_callback, 0); ++ + /* <2> work queue */ + rtlpriv->works.hw = hw; + rtlpriv->works.rtl_wq = wq; +@@ -2376,19 +2375,6 @@ static void rtl_c2hcmd_wq_callback(struct work_struct *work) + rtl_c2hcmd_launcher(hw, 1); + } + +-void rtl_easy_concurrent_retrytimer_callback(struct timer_list *t) +-{ +- struct rtl_priv *rtlpriv = +- from_timer(rtlpriv, t, works.dualmac_easyconcurrent_retrytimer); +- struct ieee80211_hw *hw = rtlpriv->hw; +- struct rtl_priv *buddy_priv = rtlpriv->buddy_priv; +- +- if (buddy_priv == NULL) +- return; +- +- rtlpriv->cfg->ops->dualmac_easy_concurrent(hw); +-} +- + /********************************************************* + * + * frame process functions +diff --git a/drivers/net/wireless/realtek/rtlwifi/base.h b/drivers/net/wireless/realtek/rtlwifi/base.h +index 0e4f8a8ae3a5f..f081a9a90563f 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/base.h ++++ b/drivers/net/wireless/realtek/rtlwifi/base.h +@@ -124,7 +124,6 @@ int rtl_send_smps_action(struct ieee80211_hw *hw, + u8 *rtl_find_ie(u8 *data, unsigned int len, u8 ie); + void rtl_recognize_peer(struct ieee80211_hw *hw, u8 *data, unsigned int len); + u8 rtl_tid_to_ac(u8 tid); +-void rtl_easy_concurrent_retrytimer_callback(struct timer_list *t); + extern struct rtl_global_var rtl_global_var; + void rtl_phy_scan_operation_backup(struct ieee80211_hw *hw, u8 operation); + +diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h +index c997d8bfda975..d1b36760c8948 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h ++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h +@@ -2300,7 +2300,6 @@ struct rtl_hal_ops { + u32 regaddr, u32 bitmask, u32 data); + void (*linked_set_reg)(struct ieee80211_hw *hw); + void (*chk_switch_dmdp)(struct ieee80211_hw *hw); +- void (*dualmac_easy_concurrent)(struct ieee80211_hw *hw); + void (*dualmac_switch_to_dmdp)(struct ieee80211_hw *hw); + bool (*phy_rf6052_config)(struct ieee80211_hw *hw); + void (*phy_rf6052_set_cck_txpower)(struct ieee80211_hw *hw, +@@ -2466,7 +2465,6 @@ struct rtl_works { + + /*timer */ + struct timer_list watchdog_timer; +- struct timer_list dualmac_easyconcurrent_retrytimer; + struct timer_list fw_clockoff_timer; + struct timer_list fast_antenna_training_timer; + /*task */ +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-rtl8192se-rise-completion-of-firmware-l.patch b/queue-5.10/wifi-rtlwifi-rtl8192se-rise-completion-of-firmware-l.patch new file mode 100644 index 0000000000..30acb84e91 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-rtl8192se-rise-completion-of-firmware-l.patch @@ -0,0 +1,59 @@ +From e92e1e45f3f502f0bcb8a2f0144ebf5b6310baed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 10:33:19 -0300 +Subject: wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last + step + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit 8559a9e0c457729fe3edb3176bbf7c7874f482b0 ] + +Just like in commit 4dfde294b979 ("rtlwifi: rise completion at the last +step of firmware callback"), only signal completion once the function is +finished. Otherwise, the module removal waiting for the completion could +free the memory that the callback will still use before returning. + +Fixes: b0302aba812b ("rtlwifi: Convert to asynchronous firmware load") +Signed-off-by: Thadeu Lima de Souza Cascardo +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241107133322.855112-3-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c +index 6d352a3161b8f..60d97e73ca28e 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c +@@ -67,22 +67,23 @@ static void rtl92se_fw_cb(const struct firmware *firmware, void *context) + + rtl_dbg(rtlpriv, COMP_ERR, DBG_LOUD, + "Firmware callback routine entered!\n"); +- complete(&rtlpriv->firmware_loading_complete); + if (!firmware) { + pr_err("Firmware %s not available\n", fw_name); + rtlpriv->max_fw_size = 0; +- return; ++ goto exit; + } + if (firmware->size > rtlpriv->max_fw_size) { + pr_err("Firmware is too big!\n"); + rtlpriv->max_fw_size = 0; + release_firmware(firmware); +- return; ++ goto exit; + } + pfirmware = (struct rt_firmware *)rtlpriv->rtlhal.pfirmware; + memcpy(pfirmware->sz_fw_tmpbuffer, firmware->data, firmware->size); + pfirmware->sz_fw_tmpbufferlen = firmware->size; + release_firmware(firmware); ++exit: ++ complete(&rtlpriv->firmware_loading_complete); + } + + static int rtl92s_init_sw_vars(struct ieee80211_hw *hw) +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-usb-fix-workqueue-leak-when-probe-fails.patch b/queue-5.10/wifi-rtlwifi-usb-fix-workqueue-leak-when-probe-fails.patch new file mode 100644 index 0000000000..e50438e5c5 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-usb-fix-workqueue-leak-when-probe-fails.patch @@ -0,0 +1,38 @@ +From 21b2f5af6267068406869160976909cafef9c506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 10:33:22 -0300 +Subject: wifi: rtlwifi: usb: fix workqueue leak when probe fails + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit f79bc5c67867c19ce2762e7934c20dbb835ed82c ] + +rtl_init_core creates a workqueue that is then assigned to rtl_wq. +rtl_deinit_core does not destroy it. It is left to rtl_usb_deinit, which +must be called in the probe error path. + +Fixes: 2ca20f79e0d8 ("rtlwifi: Add usb driver") +Fixes: 851639fdaeac ("rtlwifi: Modify some USB de-initialize code.") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241107133322.855112-6-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index 66af56a79dbe5..08ab2482c00cc 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1083,6 +1083,7 @@ int rtl_usb_probe(struct usb_interface *intf, + wait_for_completion(&rtlpriv->firmware_loading_complete); + rtlpriv->cfg->ops->deinit_sw_vars(hw); + error_out: ++ rtl_usb_deinit(hw); + rtl_deinit_core(hw); + error_out2: + _rtl_usb_io_handler_release(hw); +-- +2.39.5 + diff --git a/queue-5.10/wifi-rtlwifi-wait-for-firmware-loading-before-releas.patch b/queue-5.10/wifi-rtlwifi-wait-for-firmware-loading-before-releas.patch new file mode 100644 index 0000000000..ee50d21751 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-wait-for-firmware-loading-before-releas.patch @@ -0,0 +1,47 @@ +From bc829d902168c0d1341f8a966c4acbb607826f0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Nov 2024 10:33:20 -0300 +Subject: wifi: rtlwifi: wait for firmware loading before releasing memory + +From: Thadeu Lima de Souza Cascardo + +[ Upstream commit b4b26642b31ef282df6ff7ea8531985edfdef12a ] + +At probe error path, the firmware loading work may have already been +queued. In such a case, it will try to access memory allocated by the probe +function, which is about to be released. In such paths, wait for the +firmware worker to finish before releasing memory. + +Fixes: a7f7c15e945a ("rtlwifi: rtl8192cu: Free ieee80211_hw if probing fails") +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20241107133322.855112-4-cascardo@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c +index add6da1ce3602..087e398da36d9 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1072,13 +1072,15 @@ int rtl_usb_probe(struct usb_interface *intf, + err = ieee80211_register_hw(hw); + if (err) { + pr_err("Can't register mac80211 hw.\n"); +- goto error_out; ++ goto error_init_vars; + } + rtlpriv->mac80211.mac80211_registered = 1; + + set_bit(RTL_STATUS_INTERFACE_START, &rtlpriv->status); + return 0; + ++error_init_vars: ++ wait_for_completion(&rtlpriv->firmware_loading_complete); + error_out: + rtl_deinit_core(hw); + error_out2: +-- +2.39.5 + diff --git a/queue-5.10/wifi-wlcore-fix-unbalanced-pm_runtime-calls.patch b/queue-5.10/wifi-wlcore-fix-unbalanced-pm_runtime-calls.patch new file mode 100644 index 0000000000..c871560ce5 --- /dev/null +++ b/queue-5.10/wifi-wlcore-fix-unbalanced-pm_runtime-calls.patch @@ -0,0 +1,70 @@ +From 5f5cdb7dd0f4795fd439a93f8bc741f456adf0e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Jan 2025 20:55:07 +0100 +Subject: wifi: wlcore: fix unbalanced pm_runtime calls + +From: Andreas Kemnade + +[ Upstream commit 996c934c8c196144af386c4385f61fcd5349af28 ] + +If firmware boot failes, runtime pm is put too often: +[12092.708099] wlcore: ERROR firmware boot failed despite 3 retries +[12092.708099] wl18xx_driver wl18xx.1.auto: Runtime PM usage count underflow! +Fix that by redirecting all error gotos before runtime_get so that runtime is +not put. + +Fixes: c40aad28a3cf ("wlcore: Make sure firmware is initialized in wl1271_op_add_interface()") +Signed-off-by: Andreas Kemnade +Reviewed-by: Michael Nemanov +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20250104195507.402673-1-akemnade@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/main.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c +index 6e402d62dbe4a..109c51e497926 100644 +--- a/drivers/net/wireless/ti/wlcore/main.c ++++ b/drivers/net/wireless/ti/wlcore/main.c +@@ -2552,24 +2552,24 @@ static int wl1271_op_add_interface(struct ieee80211_hw *hw, + if (test_bit(WL1271_FLAG_RECOVERY_IN_PROGRESS, &wl->flags) || + test_bit(WLVIF_FLAG_INITIALIZED, &wlvif->flags)) { + ret = -EBUSY; +- goto out; ++ goto out_unlock; + } + + + ret = wl12xx_init_vif_data(wl, vif); + if (ret < 0) +- goto out; ++ goto out_unlock; + + wlvif->wl = wl; + role_type = wl12xx_get_role_type(wl, wlvif); + if (role_type == WL12XX_INVALID_ROLE_TYPE) { + ret = -EINVAL; +- goto out; ++ goto out_unlock; + } + + ret = wlcore_allocate_hw_queue_base(wl, wlvif); + if (ret < 0) +- goto out; ++ goto out_unlock; + + /* + * TODO: after the nvs issue will be solved, move this block +@@ -2584,7 +2584,7 @@ static int wl1271_op_add_interface(struct ieee80211_hw *hw, + + ret = wl12xx_init_fw(wl); + if (ret < 0) +- goto out; ++ goto out_unlock; + } + + /* +-- +2.39.5 + diff --git a/queue-5.10/xfrm-replay-fix-the-update-of-replay_esn-oseq_hi-for.patch b/queue-5.10/xfrm-replay-fix-the-update-of-replay_esn-oseq_hi-for.patch new file mode 100644 index 0000000000..c55d6359c9 --- /dev/null +++ b/queue-5.10/xfrm-replay-fix-the-update-of-replay_esn-oseq_hi-for.patch @@ -0,0 +1,61 @@ +From 8d4cf97a8c4900b4fbcc89dccf50151262c92be8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Nov 2024 14:10:31 +0200 +Subject: xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO + +From: Jianbo Liu + +[ Upstream commit c05c5e5aa163f4682ca97a2f0536575fc7dbdecb ] + +When skb needs GSO and wrap around happens, if xo->seq.low (seqno of +the first skb segment) is before the last seq number but oseq (seqno +of the last segment) is after it, xo->seq.low is still bigger than +replay_esn->oseq while oseq is smaller than it, so the update of +replay_esn->oseq_hi is missed for this case wrap around because of +the change in the cited commit. + +For example, if sending a packet with gso_segs=3 while old +replay_esn->oseq=0xfffffffe, we calculate: + xo->seq.low = 0xfffffffe + 1 = 0x0xffffffff + oseq = 0xfffffffe + 3 = 0x1 +(oseq < replay_esn->oseq) is true, but (xo->seq.low < +replay_esn->oseq) is false, so replay_esn->oseq_hi is not incremented. + +To fix this issue, change the outer checking back for the update of +replay_esn->oseq_hi. And add new checking inside for the update of +packet's oseq_hi. + +Fixes: 4b549ccce941 ("xfrm: replay: Fix ESN wrap around for GSO") +Signed-off-by: Jianbo Liu +Reviewed-by: Patrisious Haddad +Signed-off-by: Leon Romanovsky +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_replay.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c +index 65d009e3b6bbe..aedc61ceadb30 100644 +--- a/net/xfrm/xfrm_replay.c ++++ b/net/xfrm/xfrm_replay.c +@@ -657,10 +657,12 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff + oseq += skb_shinfo(skb)->gso_segs; + } + +- if (unlikely(xo->seq.low < replay_esn->oseq)) { +- XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi; +- xo->seq.hi = oseq_hi; +- replay_esn->oseq_hi = oseq_hi; ++ if (unlikely(oseq < replay_esn->oseq)) { ++ replay_esn->oseq_hi = ++oseq_hi; ++ if (xo->seq.low < replay_esn->oseq) { ++ XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi; ++ xo->seq.hi = oseq_hi; ++ } + if (replay_esn->oseq_hi == 0) { + replay_esn->oseq--; + replay_esn->oseq_hi--; +-- +2.39.5 +