From: Greg Kroah-Hartman Date: Mon, 10 Feb 2025 14:04:04 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.6.77~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c066fdc767294ea2e969b1f2b852ba452399ea26;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch dm-crypt-track-tag_offset-in-convert_context.patch efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch kbuild-move-wenum-enum-conversion-to-w-2.patch of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch perf-bench-fix-undefined-behavior-in-cmpworker.patch powerpc-pseries-eeh-fix-get-pe-state-translation.patch scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch usb-gadget-f_tcm-translate-error-to-sense.patch wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch --- diff --git a/queue-5.10/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch b/queue-5.10/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch new file mode 100644 index 0000000000..6f9763b238 --- /dev/null +++ b/queue-5.10/alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch @@ -0,0 +1,66 @@ +From 3b4309546b48fc167aa615a2d881a09c0a97971f Mon Sep 17 00:00:00 2001 +From: Kuan-Wei Chiu +Date: Wed, 29 Jan 2025 00:54:15 +0800 +Subject: ALSA: hda: Fix headset detection failure due to unstable sort + +From: Kuan-Wei Chiu + +commit 3b4309546b48fc167aa615a2d881a09c0a97971f upstream. + +The auto_parser assumed sort() was stable, but the kernel's sort() uses +heapsort, which has never been stable. After commit 0e02ca29a563 +("lib/sort: optimize heapsort with double-pop variation"), the order of +equal elements changed, causing the headset to fail to work. + +Fix the issue by recording the original order of elements before +sorting and using it as a tiebreaker for equal elements in the +comparison function. + +Fixes: b9030a005d58 ("ALSA: hda - Use standard sort function in hda_auto_parser.c") +Reported-by: Austrum +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219158 +Tested-by: Austrum +Cc: stable@vger.kernel.org +Signed-off-by: Kuan-Wei Chiu +Link: https://patch.msgid.link/20250128165415.643223-1-visitorckw@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_auto_parser.c | 8 +++++++- + sound/pci/hda/hda_auto_parser.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_auto_parser.c ++++ b/sound/pci/hda/hda_auto_parser.c +@@ -80,7 +80,11 @@ static int compare_input_type(const void + + /* In case one has boost and the other one has not, + pick the one with boost first. */ +- return (int)(b->has_boost_on_pin - a->has_boost_on_pin); ++ if (a->has_boost_on_pin != b->has_boost_on_pin) ++ return (int)(b->has_boost_on_pin - a->has_boost_on_pin); ++ ++ /* Keep the original order */ ++ return a->order - b->order; + } + + /* Reorder the surround channels +@@ -404,6 +408,8 @@ int snd_hda_parse_pin_defcfg(struct hda_ + reorder_outputs(cfg->speaker_outs, cfg->speaker_pins); + + /* sort inputs in the order of AUTO_PIN_* type */ ++ for (i = 0; i < cfg->num_inputs; i++) ++ cfg->inputs[i].order = i; + sort(cfg->inputs, cfg->num_inputs, sizeof(cfg->inputs[0]), + compare_input_type, NULL); + +--- a/sound/pci/hda/hda_auto_parser.h ++++ b/sound/pci/hda/hda_auto_parser.h +@@ -35,6 +35,7 @@ struct auto_pin_cfg_item { + unsigned int is_headset_mic:1; + unsigned int is_headphone_mic:1; /* Mic-only in headphone jack */ + unsigned int has_boost_on_pin:1; ++ int order; + }; + + struct auto_pin_cfg; diff --git a/queue-5.10/alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch b/queue-5.10/alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch new file mode 100644 index 0000000000..b21dc04d9b --- /dev/null +++ b/queue-5.10/alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch @@ -0,0 +1,32 @@ +From 1aec3ed2e3e1512aba15e7e790196a44efd5f0a7 Mon Sep 17 00:00:00 2001 +From: Edson Juliano Drosdeck +Date: Tue, 14 Jan 2025 14:06:19 -0300 +Subject: ALSA: hda/realtek: Enable headset mic on Positivo C6400 + +From: Edson Juliano Drosdeck + +commit 1aec3ed2e3e1512aba15e7e790196a44efd5f0a7 upstream. + +Positivo C6400 is equipped with ALC269VB, and it needs +ALC269VB_FIXUP_ASUS_ZENBOOK quirk to make its headset mic work. +Also must to limits the microphone boost. + +Signed-off-by: Edson Juliano Drosdeck +Cc: +Link: https://patch.msgid.link/20250114170619.11510-1-edson.drosdeck@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -9435,6 +9435,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), + SND_PCI_QUIRK(0x17aa, 0x9e56, "Lenovo ZhaoYang CF4620Z", ALC286_FIXUP_SONY_MIC_NO_PRESENCE), ++ SND_PCI_QUIRK(0x1849, 0x0269, "Positivo Master C6400", ALC269VB_FIXUP_ASUS_ZENBOOK), + SND_PCI_QUIRK(0x1849, 0x1233, "ASRock NUC Box 1100", ALC233_FIXUP_NO_AUDIO_JACK), + SND_PCI_QUIRK(0x1849, 0xa233, "Positivo Master C6300", ALC269_FIXUP_HEADSET_MIC), + SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS), diff --git a/queue-5.10/blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch b/queue-5.10/blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch new file mode 100644 index 0000000000..3028d45bf3 --- /dev/null +++ b/queue-5.10/blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch @@ -0,0 +1,41 @@ +From d1248436cbef1f924c04255367ff4845ccd9025e Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 5 Jan 2025 16:34:03 +0800 +Subject: blk-cgroup: Fix class @block_class's subsystem refcount leakage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zijun Hu + +commit d1248436cbef1f924c04255367ff4845ccd9025e upstream. + +blkcg_fill_root_iostats() iterates over @block_class's devices by +class_dev_iter_(init|next)(), but does not end iterating with +class_dev_iter_exit(), so causes the class's subsystem refcount leakage. + +Fix by ending the iterating with class_dev_iter_exit(). + +Fixes: ef45fe470e1e ("blk-cgroup: show global disk stats in root cgroup io.stat") +Reviewed-by: Michal Koutný +Cc: Greg Kroah-Hartman +Cc: stable@vger.kernel.org +Acked-by: Tejun Heo +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250105-class_fix-v6-2-3a2f1768d4d4@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-cgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -851,6 +851,7 @@ static void blkcg_fill_root_iostats(void + } + disk_put_part(part); + } ++ class_dev_iter_exit(&iter); + } + + static int blkcg_print_stat(struct seq_file *sf, void *v) diff --git a/queue-5.10/dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch b/queue-5.10/dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch new file mode 100644 index 0000000000..bb2cf1390f --- /dev/null +++ b/queue-5.10/dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch @@ -0,0 +1,91 @@ +From 9fdbbdbbc92b1474a87b89f8b964892a63734492 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Mon, 20 Jan 2025 16:29:49 +0800 +Subject: dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit() + +From: Hou Tao + +commit 9fdbbdbbc92b1474a87b89f8b964892a63734492 upstream. + +The updates of io->sector are the leftovers when dm-crypt allocated +pages for partial write request. However, since commit cf2f1abfbd0db +("dm crypt: don't allocate pages for a partial request"), there is no +partial request anymore. + +After the introduction of write request rb-tree, the updates of +io->sectors may interfere the insertion procedure, because ->sectors of +these write requests which have already been added in the rb-tree may be +changed during the insertion of new write request. + +Fix it by removing these buggy updates of io->sectors. Considering these +updates only effect the write request rb-tree, the commit which +introduces the write request rb-tree is used as the fix tag. + +Fixes: b3c5fd305249 ("dm crypt: sort writes") +Cc: stable@vger.kernel.org +Signed-off-by: Hou Tao +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-crypt.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -2015,7 +2015,6 @@ static void kcryptd_crypt_write_continue + struct crypt_config *cc = io->cc; + struct convert_context *ctx = &io->ctx; + int crypt_finished; +- sector_t sector = io->sector; + blk_status_t r; + + wait_for_completion(&ctx->restart); +@@ -2032,10 +2031,8 @@ static void kcryptd_crypt_write_continue + } + + /* Encryption was already finished, submit io now */ +- if (crypt_finished) { ++ if (crypt_finished) + kcryptd_crypt_write_io_submit(io, 0); +- io->sector = sector; +- } + + crypt_dec_pending(io); + } +@@ -2046,14 +2043,13 @@ static void kcryptd_crypt_write_convert( + struct convert_context *ctx = &io->ctx; + struct bio *clone; + int crypt_finished; +- sector_t sector = io->sector; + blk_status_t r; + + /* + * Prevent io from disappearing until this function completes. + */ + crypt_inc_pending(io); +- crypt_convert_init(cc, ctx, NULL, io->base_bio, sector); ++ crypt_convert_init(cc, ctx, NULL, io->base_bio, io->sector); + + clone = crypt_alloc_buffer(io, io->base_bio->bi_iter.bi_size); + if (unlikely(!clone)) { +@@ -2070,8 +2066,6 @@ static void kcryptd_crypt_write_convert( + io->ctx.iter_in = clone->bi_iter; + } + +- sector += bio_sectors(clone); +- + crypt_inc_pending(io); + r = crypt_convert(cc, ctx, + test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags), true); +@@ -2095,10 +2089,8 @@ static void kcryptd_crypt_write_convert( + } + + /* Encryption was already finished, submit io now */ +- if (crypt_finished) { ++ if (crypt_finished) + kcryptd_crypt_write_io_submit(io, 0); +- io->sector = sector; +- } + + dec: + crypt_dec_pending(io); diff --git a/queue-5.10/dm-crypt-track-tag_offset-in-convert_context.patch b/queue-5.10/dm-crypt-track-tag_offset-in-convert_context.patch new file mode 100644 index 0000000000..2b7ee5e564 --- /dev/null +++ b/queue-5.10/dm-crypt-track-tag_offset-in-convert_context.patch @@ -0,0 +1,96 @@ +From 8b8f8037765757861f899ed3a2bfb34525b5c065 Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Mon, 20 Jan 2025 16:29:51 +0800 +Subject: dm-crypt: track tag_offset in convert_context + +From: Hou Tao + +commit 8b8f8037765757861f899ed3a2bfb34525b5c065 upstream. + +dm-crypt uses tag_offset to index the integrity metadata for each crypt +sector. When the initial crypt_convert() returns BLK_STS_DEV_RESOURCE, +dm-crypt will try to continue the crypt/decrypt procedure in a kworker. +However, it resets tag_offset as zero instead of using the tag_offset +related with current sector. It may return unexpected data when using +random IV or return unexpected integrity related error. + +Fix the problem by tracking tag_offset in per-IO convert_context. +Therefore, when the crypt/decrypt procedure continues in a kworker, it +could use the next tag_offset saved in convert_context. + +Fixes: 8abec36d1274 ("dm crypt: do not wait for backlogged crypto request completion in softirq") +Cc: stable@vger.kernel.org +Signed-off-by: Hou Tao +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-crypt.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/md/dm-crypt.c ++++ b/drivers/md/dm-crypt.c +@@ -52,6 +52,7 @@ struct convert_context { + struct bio *bio_out; + struct bvec_iter iter_out; + atomic_t cc_pending; ++ unsigned int tag_offset; + u64 cc_sector; + union { + struct skcipher_request *req; +@@ -1218,6 +1219,7 @@ static void crypt_convert_init(struct cr + if (bio_out) + ctx->iter_out = bio_out->bi_iter; + ctx->cc_sector = sector + cc->iv_offset; ++ ctx->tag_offset = 0; + init_completion(&ctx->restart); + } + +@@ -1543,7 +1545,6 @@ static void crypt_free_req(struct crypt_ + static blk_status_t crypt_convert(struct crypt_config *cc, + struct convert_context *ctx, bool atomic, bool reset_pending) + { +- unsigned int tag_offset = 0; + unsigned int sector_step = cc->sector_size >> SECTOR_SHIFT; + int r; + +@@ -1566,9 +1567,9 @@ static blk_status_t crypt_convert(struct + atomic_inc(&ctx->cc_pending); + + if (crypt_integrity_aead(cc)) +- r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, tag_offset); ++ r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, ctx->tag_offset); + else +- r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, tag_offset); ++ r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, ctx->tag_offset); + + switch (r) { + /* +@@ -1588,8 +1589,8 @@ static blk_status_t crypt_convert(struct + * exit and continue processing in a workqueue + */ + ctx->r.req = NULL; ++ ctx->tag_offset++; + ctx->cc_sector += sector_step; +- tag_offset++; + return BLK_STS_DEV_RESOURCE; + } + } else { +@@ -1603,8 +1604,8 @@ static blk_status_t crypt_convert(struct + */ + case -EINPROGRESS: + ctx->r.req = NULL; ++ ctx->tag_offset++; + ctx->cc_sector += sector_step; +- tag_offset++; + continue; + /* + * The request was already processed (synchronously). +@@ -1612,7 +1613,7 @@ static blk_status_t crypt_convert(struct + case 0: + atomic_dec(&ctx->cc_pending); + ctx->cc_sector += sector_step; +- tag_offset++; ++ ctx->tag_offset++; + if (!atomic) + cond_resched(); + continue; diff --git a/queue-5.10/efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch b/queue-5.10/efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch new file mode 100644 index 0000000000..8b76c9fbe4 --- /dev/null +++ b/queue-5.10/efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch @@ -0,0 +1,52 @@ +From 8ba14d9f490aef9fd535c04e9e62e1169eb7a055 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Tue, 21 Jan 2025 18:11:34 -0700 +Subject: efi: libstub: Use '-std=gnu11' to fix build with GCC 15 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nathan Chancellor + +commit 8ba14d9f490aef9fd535c04e9e62e1169eb7a055 upstream. + +GCC 15 changed the default C standard version to C23, which should not +have impacted the kernel because it requests the gnu11 standard via +'-std=' in the main Makefile. However, the EFI libstub Makefile uses its +own set of KBUILD_CFLAGS for x86 without a '-std=' value (i.e., using +the default), resulting in errors from the kernel's definitions of bool, +true, and false in stddef.h, which are reserved keywords under C23. + + ./include/linux/stddef.h:11:9: error: expected identifier before ‘false’ + 11 | false = 0, + ./include/linux/types.h:35:33: error: two or more data types in declaration specifiers + 35 | typedef _Bool bool; + +Set '-std=gnu11' in the x86 cflags to resolve the error and consistently +use the same C standard version for the entire kernel. All other +architectures reuse KBUILD_CFLAGS from the rest of the kernel, so this +issue is not visible for them. + +Cc: stable@vger.kernel.org +Reported-by: Kostadin Shishmanov +Closes: https://lore.kernel.org/4OAhbllK7x4QJGpZjkYjtBYNLd_2whHx9oFiuZcGwtVR4hIzvduultkgfAIRZI3vQpZylu7Gl929HaYFRGeMEalWCpeMzCIIhLxxRhq4U-Y=@protonmail.com/ +Reported-by: Jakub Jelinek +Closes: https://lore.kernel.org/Z4467umXR2PZ0M1H@tucnak/ +Signed-off-by: Nathan Chancellor +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/libstub/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -7,7 +7,7 @@ + # + cflags-$(CONFIG_X86_32) := -march=i386 + cflags-$(CONFIG_X86_64) := -mcmodel=small +-cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ \ ++cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ -std=gnu11 \ + -fPIC -fno-strict-aliasing -mno-red-zone \ + -mno-mmx -mno-sse -fshort-wchar \ + -Wno-pointer-sign \ diff --git a/queue-5.10/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch b/queue-5.10/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch new file mode 100644 index 0000000000..87ac31bdbe --- /dev/null +++ b/queue-5.10/hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch @@ -0,0 +1,84 @@ +From 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 Mon Sep 17 00:00:00 2001 +From: Heiko Stuebner +Date: Thu, 7 Nov 2024 12:47:04 +0100 +Subject: HID: hid-sensor-hub: don't use stale platform-data on remove + +From: Heiko Stuebner + +commit 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 upstream. + +The hid-sensor-hub creates the individual device structs and transfers them +to the created mfd platform-devices via the platform_data in the mfd_cell. + +Before e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads") +the sensor-hub was managing access centrally, with one "completion" in the +hub's data structure, which needed to be finished on removal at the latest. + +The mentioned commit then moved this central management to each hid sensor +device, resulting on a completion in each struct hid_sensor_hub_device. +The remove procedure was adapted to go through all sensor devices and +finish any pending "completion". + +What this didn't take into account was, platform_device_add_data() that is +used by mfd_add{_hotplug}_devices() does a kmemdup on the submitted +platform-data. So the data the platform-device gets is a copy of the +original data, meaning that the device worked on a different completion +than what sensor_hub_remove() currently wants to access. + +To fix that, use device_for_each_child() to go through each child-device +similar to how mfd_remove_devices() unregisters the devices later and +with that get the live platform_data to finalize the correct completion. + +Fixes: e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Stuebner +Acked-by: Benjamin Tissoires +Acked-by: Srinivas Pandruvada +Acked-by: Jiri Kosina +Link: https://lore.kernel.org/r/20241107114712.538976-2-heiko@sntech.de +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-sensor-hub.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -730,23 +730,30 @@ err_stop_hw: + return ret; + } + ++static int sensor_hub_finalize_pending_fn(struct device *dev, void *data) ++{ ++ struct hid_sensor_hub_device *hsdev = dev->platform_data; ++ ++ if (hsdev->pending.status) ++ complete(&hsdev->pending.ready); ++ ++ return 0; ++} ++ + static void sensor_hub_remove(struct hid_device *hdev) + { + struct sensor_hub_data *data = hid_get_drvdata(hdev); + unsigned long flags; +- int i; + + hid_dbg(hdev, " hardware removed\n"); + hid_hw_close(hdev); + hid_hw_stop(hdev); ++ + spin_lock_irqsave(&data->lock, flags); +- for (i = 0; i < data->hid_sensor_client_cnt; ++i) { +- struct hid_sensor_hub_device *hsdev = +- data->hid_sensor_hub_client_devs[i].platform_data; +- if (hsdev->pending.status) +- complete(&hsdev->pending.ready); +- } ++ device_for_each_child(&hdev->dev, NULL, ++ sensor_hub_finalize_pending_fn); + spin_unlock_irqrestore(&data->lock, flags); ++ + mfd_remove_devices(&hdev->dev); + mutex_destroy(&data->mutex); + } diff --git a/queue-5.10/kbuild-move-wenum-enum-conversion-to-w-2.patch b/queue-5.10/kbuild-move-wenum-enum-conversion-to-w-2.patch new file mode 100644 index 0000000000..897982bce1 --- /dev/null +++ b/queue-5.10/kbuild-move-wenum-enum-conversion-to-w-2.patch @@ -0,0 +1,61 @@ +From 8f6629c004b193d23612641c3607e785819e97ab Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 17 Oct 2024 10:09:22 -0700 +Subject: kbuild: Move -Wenum-enum-conversion to W=2 + +From: Nathan Chancellor + +commit 8f6629c004b193d23612641c3607e785819e97ab upstream. + +-Wenum-enum-conversion was strengthened in clang-19 to warn for C, which +caused the kernel to move it to W=1 in commit 75b5ab134bb5 ("kbuild: +Move -Wenum-{compare-conditional,enum-conversion} into W=1") because +there were numerous instances that would break builds with -Werror. +Unfortunately, this is not a full solution, as more and more developers, +subsystems, and distributors are building with W=1 as well, so they +continue to see the numerous instances of this warning. + +Since the move to W=1, there have not been many new instances that have +appeared through various build reports and the ones that have appeared +seem to be following similar existing patterns, suggesting that most +instances of this warning will not be real issues. The only alternatives +for silencing this warning are adding casts (which is generally seen as +an ugly practice) or refactoring the enums to macro defines or a unified +enum (which may be undesirable because of type safety in other parts of +the code). + +Move the warning to W=2, where warnings that occur frequently but may be +relevant should reside. + +Cc: stable@vger.kernel.org +Fixes: 75b5ab134bb5 ("kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1") +Link: https://lore.kernel.org/ZwRA9SOcOjjLJcpi@google.com/ +Signed-off-by: Nathan Chancellor +Acked-by: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + scripts/Makefile.extrawarn | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/scripts/Makefile.extrawarn ++++ b/scripts/Makefile.extrawarn +@@ -37,6 +37,10 @@ KBUILD_CFLAGS += -Wno-missing-field-init + KBUILD_CFLAGS += -Wno-sign-compare + KBUILD_CFLAGS += -Wno-type-limits + ++ifdef CONFIG_CC_IS_CLANG ++KBUILD_CFLAGS += -Wno-enum-enum-conversion ++endif ++ + KBUILD_CPPFLAGS += -DKBUILD_EXTRA_WARN1 + + else +@@ -54,7 +58,6 @@ KBUILD_CFLAGS += -Wno-tautological-const + KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access) + KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict) + KBUILD_CFLAGS += -Wno-enum-compare-conditional +-KBUILD_CFLAGS += -Wno-enum-enum-conversion + endif + + endif diff --git a/queue-5.10/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch b/queue-5.10/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch new file mode 100644 index 0000000000..947bf00770 --- /dev/null +++ b/queue-5.10/of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch @@ -0,0 +1,50 @@ +From e4c00c9b1f70cd11792ff5b825899a6ee0234a62 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Thu, 9 Jan 2025 21:26:52 +0800 +Subject: of: Correct child specifier used as input of the 2nd nexus node + +From: Zijun Hu + +commit e4c00c9b1f70cd11792ff5b825899a6ee0234a62 upstream. + +API of_parse_phandle_with_args_map() will use wrong input for nexus node +Nexus_2 as shown below: + + Node_1 Nexus_1 Nexus_2 +&Nexus_1,arg_1 -> arg_1,&Nexus_2,arg_2' -> &Nexus_2,arg_2 -> arg_2,... + map-pass-thru=<...> + +Nexus_1's output arg_2 should be used as input of Nexus_2, but the API +wrongly uses arg_2' instead which != arg_2 due to Nexus_1's map-pass-thru. + +Fix by always making @match_array point to @initial_match_array into +which to store nexus output. + +Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-1-db8a72415b8c@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -1659,7 +1659,6 @@ int of_parse_phandle_with_args_map(const + * specifier into the out_args structure, keeping the + * bits specified in -map-pass-thru. + */ +- match_array = map - new_size; + for (i = 0; i < new_size; i++) { + __be32 val = *(map - new_size + i); + +@@ -1668,6 +1667,7 @@ int of_parse_phandle_with_args_map(const + val |= cpu_to_be32(out_args->args[i]) & pass[i]; + } + ++ initial_match_array[i] = val; + out_args->args[i] = be32_to_cpu(val); + } + out_args->args_count = list_size = new_size; diff --git a/queue-5.10/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch b/queue-5.10/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch new file mode 100644 index 0000000000..afd9b17f70 --- /dev/null +++ b/queue-5.10/of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch @@ -0,0 +1,52 @@ +From b9e58c934c56aa35b0fb436d9afd86ef326bae0e Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Mon, 16 Dec 2024 08:40:40 +0800 +Subject: of: Fix of_find_node_opts_by_path() handling of alias+path+options + +From: Zijun Hu + +commit b9e58c934c56aa35b0fb436d9afd86ef326bae0e upstream. + +of_find_node_opts_by_path() fails to find OF device node when its +@path parameter have pattern below: + +"alias-name/node-name-1/.../node-name-N:options". + +The reason is that alias name length calculated by the API is wrong, as +explained by example below: + +"testcase-alias/phandle-tests/consumer-a:testaliasoption". + ^ ^ ^ + 0 14 39 + +The right length of alias 'testcase-alias' is 14, but the result worked +out by the API is 39 which is obvious wrong. + +Fix by using index of either '/' or ':' as the length who comes earlier. + +Fixes: 75c28c09af99 ("of: add optional options parameter to of_find_node_by_path()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20241216-of_core_fix-v2-1-e69b8f60da63@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/base.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -926,10 +926,10 @@ struct device_node *of_find_node_opts_by + /* The path could begin with an alias */ + if (*path != '/') { + int len; +- const char *p = separator; ++ const char *p = strchrnul(path, '/'); + +- if (!p) +- p = strchrnul(path, '/'); ++ if (separator && separator < p) ++ p = separator; + len = p - path; + + /* of_aliases must not be NULL */ diff --git a/queue-5.10/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch b/queue-5.10/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch new file mode 100644 index 0000000000..db182ff5cf --- /dev/null +++ b/queue-5.10/of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch @@ -0,0 +1,47 @@ +From 267b21d0bef8e67dbe6c591c9991444e58237ec9 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Thu, 9 Jan 2025 21:27:00 +0800 +Subject: of: reserved-memory: Fix using wrong number of cells to get property 'alignment' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zijun Hu + +commit 267b21d0bef8e67dbe6c591c9991444e58237ec9 upstream. + +According to DT spec, size of property 'alignment' is based on parent +node’s #size-cells property. + +But __reserved_mem_alloc_size() wrongly uses @dt_root_addr_cells to get +the property obviously. + +Fix by using @dt_root_size_cells instead of @dt_root_addr_cells. + +Fixes: 3f0c82066448 ("drivers: of: add initialization code for dynamic reserved memory") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-9-db8a72415b8c@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/of_reserved_mem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/of/of_reserved_mem.c ++++ b/drivers/of/of_reserved_mem.c +@@ -94,12 +94,12 @@ static int __init __reserved_mem_alloc_s + + prop = of_get_flat_dt_prop(node, "alignment", &len); + if (prop) { +- if (len != dt_root_addr_cells * sizeof(__be32)) { ++ if (len != dt_root_size_cells * sizeof(__be32)) { + pr_err("invalid alignment property in '%s' node.\n", + uname); + return -EINVAL; + } +- align = dt_mem_next_cell(dt_root_addr_cells, &prop); ++ align = dt_mem_next_cell(dt_root_size_cells, &prop); + } + + nomap = of_get_flat_dt_prop(node, "no-map", NULL) != NULL; diff --git a/queue-5.10/perf-bench-fix-undefined-behavior-in-cmpworker.patch b/queue-5.10/perf-bench-fix-undefined-behavior-in-cmpworker.patch new file mode 100644 index 0000000000..7acf86becd --- /dev/null +++ b/queue-5.10/perf-bench-fix-undefined-behavior-in-cmpworker.patch @@ -0,0 +1,52 @@ +From 62892e77b8a64b9dc0e1da75980aa145347b6820 Mon Sep 17 00:00:00 2001 +From: Kuan-Wei Chiu +Date: Thu, 16 Jan 2025 19:08:42 +0800 +Subject: perf bench: Fix undefined behavior in cmpworker() + +From: Kuan-Wei Chiu + +commit 62892e77b8a64b9dc0e1da75980aa145347b6820 upstream. + +The comparison function cmpworker() violates the C standard's +requirements for qsort() comparison functions, which mandate symmetry +and transitivity: + +Symmetry: If x < y, then y > x. +Transitivity: If x < y and y < z, then x < z. + +In its current implementation, cmpworker() incorrectly returns 0 when +w1->tid < w2->tid, which breaks both symmetry and transitivity. This +violation causes undefined behavior, potentially leading to issues such +as memory corruption in glibc [1]. + +Fix the issue by returning -1 when w1->tid < w2->tid, ensuring +compliance with the C standard and preventing undefined behavior. + +Link: https://www.qualys.com/2024/01/30/qsort.txt [1] +Fixes: 121dd9ea0116 ("perf bench: Add epoll parallel epoll_wait benchmark") +Cc: stable@vger.kernel.org +Signed-off-by: Kuan-Wei Chiu +Reviewed-by: James Clark +Link: https://lore.kernel.org/r/20250116110842.4087530-1-visitorckw@gmail.com +Signed-off-by: Namhyung Kim +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/bench/epoll-wait.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/tools/perf/bench/epoll-wait.c ++++ b/tools/perf/bench/epoll-wait.c +@@ -407,7 +407,12 @@ static int cmpworker(const void *p1, con + + struct worker *w1 = (struct worker *) p1; + struct worker *w2 = (struct worker *) p2; +- return w1->tid > w2->tid; ++ ++ if (w1->tid > w2->tid) ++ return 1; ++ if (w1->tid < w2->tid) ++ return -1; ++ return 0; + } + + int bench_epoll_wait(int argc, const char **argv) diff --git a/queue-5.10/powerpc-pseries-eeh-fix-get-pe-state-translation.patch b/queue-5.10/powerpc-pseries-eeh-fix-get-pe-state-translation.patch new file mode 100644 index 0000000000..d8949700dc --- /dev/null +++ b/queue-5.10/powerpc-pseries-eeh-fix-get-pe-state-translation.patch @@ -0,0 +1,54 @@ +From 11b93559000c686ad7e5ab0547e76f21cc143844 Mon Sep 17 00:00:00 2001 +From: Narayana Murty N +Date: Thu, 16 Jan 2025 04:39:54 -0600 +Subject: powerpc/pseries/eeh: Fix get PE state translation + +From: Narayana Murty N + +commit 11b93559000c686ad7e5ab0547e76f21cc143844 upstream. + +The PE Reset State "0" returned by RTAS calls +"ibm_read_slot_reset_[state|state2]" indicates that the reset is +deactivated and the PE is in a state where MMIO and DMA are allowed. +However, the current implementation of "pseries_eeh_get_state()" does +not reflect this, causing drivers to incorrectly assume that MMIO and +DMA operations cannot be resumed. + +The userspace drivers as a part of EEH recovery using VFIO ioctls fail +to detect when the recovery process is complete. The VFIO_EEH_PE_GET_STATE +ioctl does not report the expected EEH_PE_STATE_NORMAL state, preventing +userspace drivers from functioning properly on pseries systems. + +The patch addresses this issue by updating 'pseries_eeh_get_state()' +to include "EEH_STATE_MMIO_ENABLED" and "EEH_STATE_DMA_ENABLED" in +the result mask for PE Reset State "0". This ensures correct state +reporting to the callers, aligning the behavior with the PAPR specification +and fixing the bug in EEH recovery for VFIO user workflows. + +Fixes: 00ba05a12b3c ("powerpc/pseries: Cleanup on pseries_eeh_get_state()") +Cc: stable@vger.kernel.org +Reviewed-by: Ritesh Harjani (IBM) +Signed-off-by: Narayana Murty N +Link: https://lore.kernel.org/stable/20241212075044.10563-1-nnmlinux%40linux.ibm.com +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250116103954.17324-1-nnmlinux@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/pseries/eeh_pseries.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/pseries/eeh_pseries.c ++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c +@@ -578,8 +578,10 @@ static int pseries_eeh_get_state(struct + + switch(rets[0]) { + case 0: +- result = EEH_STATE_MMIO_ACTIVE | +- EEH_STATE_DMA_ACTIVE; ++ result = EEH_STATE_MMIO_ACTIVE | ++ EEH_STATE_DMA_ACTIVE | ++ EEH_STATE_MMIO_ENABLED | ++ EEH_STATE_DMA_ENABLED; + break; + case 1: + result = EEH_STATE_RESET_ACTIVE | diff --git a/queue-5.10/scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch b/queue-5.10/scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch new file mode 100644 index 0000000000..ecbc71f6ec --- /dev/null +++ b/queue-5.10/scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch @@ -0,0 +1,297 @@ +From 841df27d619ee1f5ca6473e15227b39d6136562d Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Fri, 15 Nov 2024 18:33:09 +0530 +Subject: scsi: qla2xxx: Move FCE Trace buffer allocation to user control + +From: Quinn Tran + +commit 841df27d619ee1f5ca6473e15227b39d6136562d upstream. + +Currently FCE Tracing is enabled to log additional ELS events. Instead, +user will enable or disable this feature through debugfs. + +Modify existing DFS knob to allow user to enable or disable this +feature. + +echo [1 | 0] > /sys/kernel/debug/qla2xxx/qla2xxx_??/fce +cat /sys/kernel/debug/qla2xxx/qla2xxx_??/fce + +Cc: stable@vger.kernel.org +Fixes: df613b96077c ("[SCSI] qla2xxx: Add Fibre Channel Event (FCE) tracing support.") +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Link: https://lore.kernel.org/r/20241115130313.46826-4-njavali@marvell.com +Reviewed-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_def.h | 2 + drivers/scsi/qla2xxx/qla_dfs.c | 124 ++++++++++++++++++++++++++++++++-------- + drivers/scsi/qla2xxx/qla_gbl.h | 3 + drivers/scsi/qla2xxx/qla_init.c | 28 ++++++--- + 4 files changed, 126 insertions(+), 31 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -3883,6 +3883,8 @@ struct qla_hw_data { + uint32_t npiv_supported :1; + uint32_t pci_channel_io_perm_failure :1; + uint32_t fce_enabled :1; ++ uint32_t user_enabled_fce :1; ++ uint32_t fce_dump_buf_alloced :1; + uint32_t fac_supported :1; + + uint32_t chip_reset_done :1; +--- a/drivers/scsi/qla2xxx/qla_dfs.c ++++ b/drivers/scsi/qla2xxx/qla_dfs.c +@@ -365,27 +365,32 @@ qla2x00_dfs_fce_show(struct seq_file *s, + + mutex_lock(&ha->fce_mutex); + +- seq_puts(s, "FCE Trace Buffer\n"); +- seq_printf(s, "In Pointer = %llx\n\n", (unsigned long long)ha->fce_wr); +- seq_printf(s, "Base = %llx\n\n", (unsigned long long) ha->fce_dma); +- seq_puts(s, "FCE Enable Registers\n"); +- seq_printf(s, "%08x %08x %08x %08x %08x %08x\n", +- ha->fce_mb[0], ha->fce_mb[2], ha->fce_mb[3], ha->fce_mb[4], +- ha->fce_mb[5], ha->fce_mb[6]); +- +- fce = (uint32_t *) ha->fce; +- fce_start = (unsigned long long) ha->fce_dma; +- for (cnt = 0; cnt < fce_calc_size(ha->fce_bufs) / 4; cnt++) { +- if (cnt % 8 == 0) +- seq_printf(s, "\n%llx: ", +- (unsigned long long)((cnt * 4) + fce_start)); +- else +- seq_putc(s, ' '); +- seq_printf(s, "%08x", *fce++); ++ if (ha->flags.user_enabled_fce) { ++ seq_puts(s, "FCE Trace Buffer\n"); ++ seq_printf(s, "In Pointer = %llx\n\n", (unsigned long long)ha->fce_wr); ++ seq_printf(s, "Base = %llx\n\n", (unsigned long long)ha->fce_dma); ++ seq_puts(s, "FCE Enable Registers\n"); ++ seq_printf(s, "%08x %08x %08x %08x %08x %08x\n", ++ ha->fce_mb[0], ha->fce_mb[2], ha->fce_mb[3], ha->fce_mb[4], ++ ha->fce_mb[5], ha->fce_mb[6]); ++ ++ fce = (uint32_t *)ha->fce; ++ fce_start = (unsigned long long)ha->fce_dma; ++ for (cnt = 0; cnt < fce_calc_size(ha->fce_bufs) / 4; cnt++) { ++ if (cnt % 8 == 0) ++ seq_printf(s, "\n%llx: ", ++ (unsigned long long)((cnt * 4) + fce_start)); ++ else ++ seq_putc(s, ' '); ++ seq_printf(s, "%08x", *fce++); ++ } ++ ++ seq_puts(s, "\nEnd\n"); ++ } else { ++ seq_puts(s, "FCE Trace is currently not enabled\n"); ++ seq_puts(s, "\techo [ 1 | 0 ] > fce\n"); + } + +- seq_puts(s, "\nEnd\n"); +- + mutex_unlock(&ha->fce_mutex); + + return 0; +@@ -423,7 +428,7 @@ qla2x00_dfs_fce_release(struct inode *in + struct qla_hw_data *ha = vha->hw; + int rval; + +- if (ha->flags.fce_enabled) ++ if (ha->flags.fce_enabled || !ha->fce) + goto out; + + mutex_lock(&ha->fce_mutex); +@@ -444,11 +449,88 @@ out: + return single_release(inode, file); + } + ++static ssize_t ++qla2x00_dfs_fce_write(struct file *file, const char __user *buffer, ++ size_t count, loff_t *pos) ++{ ++ struct seq_file *s = file->private_data; ++ struct scsi_qla_host *vha = s->private; ++ struct qla_hw_data *ha = vha->hw; ++ char *buf; ++ int rc = 0; ++ unsigned long enable; ++ ++ if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) && ++ !IS_QLA27XX(ha) && !IS_QLA28XX(ha)) { ++ ql_dbg(ql_dbg_user, vha, 0xd034, ++ "this adapter does not support FCE."); ++ return -EINVAL; ++ } ++ ++ buf = memdup_user_nul(buffer, count); ++ if (IS_ERR(buf)) { ++ ql_dbg(ql_dbg_user, vha, 0xd037, ++ "fail to copy user buffer."); ++ return PTR_ERR(buf); ++ } ++ ++ enable = kstrtoul(buf, 0, 0); ++ rc = count; ++ ++ mutex_lock(&ha->fce_mutex); ++ ++ if (enable) { ++ if (ha->flags.user_enabled_fce) { ++ mutex_unlock(&ha->fce_mutex); ++ goto out_free; ++ } ++ ha->flags.user_enabled_fce = 1; ++ if (!ha->fce) { ++ rc = qla2x00_alloc_fce_trace(vha); ++ if (rc) { ++ ha->flags.user_enabled_fce = 0; ++ mutex_unlock(&ha->fce_mutex); ++ goto out_free; ++ } ++ ++ /* adjust fw dump buffer to take into account of this feature */ ++ if (!ha->flags.fce_dump_buf_alloced) ++ qla2x00_alloc_fw_dump(vha); ++ } ++ ++ if (!ha->flags.fce_enabled) ++ qla_enable_fce_trace(vha); ++ ++ ql_dbg(ql_dbg_user, vha, 0xd045, "User enabled FCE .\n"); ++ } else { ++ if (!ha->flags.user_enabled_fce) { ++ mutex_unlock(&ha->fce_mutex); ++ goto out_free; ++ } ++ ha->flags.user_enabled_fce = 0; ++ if (ha->flags.fce_enabled) { ++ qla2x00_disable_fce_trace(vha, NULL, NULL); ++ ha->flags.fce_enabled = 0; ++ } ++ ++ qla2x00_free_fce_trace(ha); ++ /* no need to re-adjust fw dump buffer */ ++ ++ ql_dbg(ql_dbg_user, vha, 0xd04f, "User disabled FCE .\n"); ++ } ++ ++ mutex_unlock(&ha->fce_mutex); ++out_free: ++ kfree(buf); ++ return rc; ++} ++ + static const struct file_operations dfs_fce_ops = { + .open = qla2x00_dfs_fce_open, + .read = seq_read, + .llseek = seq_lseek, + .release = qla2x00_dfs_fce_release, ++ .write = qla2x00_dfs_fce_write, + }; + + static int +@@ -534,8 +616,6 @@ qla2x00_dfs_setup(scsi_qla_host_t *vha) + if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) && + !IS_QLA27XX(ha) && !IS_QLA28XX(ha)) + goto out; +- if (!ha->fce) +- goto out; + + if (qla2x00_dfs_root) + goto create_dir; +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -11,6 +11,9 @@ + /* + * Global Function Prototypes in qla_init.c source file. + */ ++int qla2x00_alloc_fce_trace(scsi_qla_host_t *); ++void qla2x00_free_fce_trace(struct qla_hw_data *ha); ++void qla_enable_fce_trace(scsi_qla_host_t *); + extern int qla2x00_initialize_adapter(scsi_qla_host_t *); + + extern int qla2100_pci_config(struct scsi_qla_host *); +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -2280,7 +2280,7 @@ exit: + return rval; + } + +-static void qla_enable_fce_trace(scsi_qla_host_t *vha) ++void qla_enable_fce_trace(scsi_qla_host_t *vha) + { + int rval; + struct qla_hw_data *ha = vha->hw; +@@ -3263,25 +3263,24 @@ qla24xx_chip_diag(scsi_qla_host_t *vha) + return rval; + } + +-static void +-qla2x00_alloc_fce_trace(scsi_qla_host_t *vha) ++int qla2x00_alloc_fce_trace(scsi_qla_host_t *vha) + { + dma_addr_t tc_dma; + void *tc; + struct qla_hw_data *ha = vha->hw; + + if (!IS_FWI2_CAPABLE(ha)) +- return; ++ return -EINVAL; + + if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) && + !IS_QLA27XX(ha) && !IS_QLA28XX(ha)) +- return; ++ return -EINVAL; + + if (ha->fce) { + ql_dbg(ql_dbg_init, vha, 0x00bd, + "%s: FCE Mem is already allocated.\n", + __func__); +- return; ++ return -EIO; + } + + /* Allocate memory for Fibre Channel Event Buffer. */ +@@ -3291,7 +3290,7 @@ qla2x00_alloc_fce_trace(scsi_qla_host_t + ql_log(ql_log_warn, vha, 0x00be, + "Unable to allocate (%d KB) for FCE.\n", + FCE_SIZE / 1024); +- return; ++ return -ENOMEM; + } + + ql_dbg(ql_dbg_init, vha, 0x00c0, +@@ -3300,6 +3299,16 @@ qla2x00_alloc_fce_trace(scsi_qla_host_t + ha->fce_dma = tc_dma; + ha->fce = tc; + ha->fce_bufs = FCE_NUM_BUFFERS; ++ return 0; ++} ++ ++void qla2x00_free_fce_trace(struct qla_hw_data *ha) ++{ ++ if (!ha->fce) ++ return; ++ dma_free_coherent(&ha->pdev->dev, FCE_SIZE, ha->fce, ha->fce_dma); ++ ha->fce = NULL; ++ ha->fce_dma = 0; + } + + static void +@@ -3390,9 +3399,10 @@ qla2x00_alloc_fw_dump(scsi_qla_host_t *v + if (ha->tgt.atio_ring) + mq_size += ha->tgt.atio_q_length * sizeof(request_t); + +- qla2x00_alloc_fce_trace(vha); +- if (ha->fce) ++ if (ha->fce) { + fce_size = sizeof(struct qla2xxx_fce_chain) + FCE_SIZE; ++ ha->flags.fce_dump_buf_alloced = 1; ++ } + qla2x00_alloc_eft_trace(vha); + if (ha->eft) + eft_size = EFT_SIZE; diff --git a/queue-5.10/scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch b/queue-5.10/scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch new file mode 100644 index 0000000000..685381abda --- /dev/null +++ b/queue-5.10/scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch @@ -0,0 +1,45 @@ +From 87c4b5e8a6b65189abd9ea5010ab308941f964a4 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Wed, 22 Jan 2025 19:07:22 -0800 +Subject: scsi: storvsc: Set correct data length for sending SCSI command without payload + +From: Long Li + +commit 87c4b5e8a6b65189abd9ea5010ab308941f964a4 upstream. + +In StorVSC, payload->range.len is used to indicate if this SCSI command +carries payload. This data is allocated as part of the private driver data +by the upper layer and may get passed to lower driver uninitialized. + +For example, the SCSI error handling mid layer may send TEST_UNIT_READY or +REQUEST_SENSE while reusing the buffer from a failed command. The private +data section may have stale data from the previous command. + +If the SCSI command doesn't carry payload, the driver may use this value as +is for communicating with host, resulting in possible corruption. + +Fix this by always initializing this value. + +Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information given by the host") +Cc: stable@kernel.org +Tested-by: Roman Kisel +Reviewed-by: Roman Kisel +Reviewed-by: Michael Kelley +Signed-off-by: Long Li +Link: https://lore.kernel.org/r/1737601642-7759-1-git-send-email-longli@linuxonhyperv.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/storvsc_drv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1759,6 +1759,7 @@ static int storvsc_queuecommand(struct S + + length = scsi_bufflen(scmnd); + payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb; ++ payload->range.len = 0; + payload_sz = 0; + + if (sg_count) { diff --git a/queue-5.10/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch b/queue-5.10/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch new file mode 100644 index 0000000000..7bb9ec4443 --- /dev/null +++ b/queue-5.10/serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch @@ -0,0 +1,79 @@ +From 9f7dea875cc7f9c1a56a5c688290634a59cd1420 Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Thu, 16 Jan 2025 20:22:47 +0200 +Subject: serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use + +From: Claudiu Beznea + +commit 9f7dea875cc7f9c1a56a5c688290634a59cd1420 upstream. + +In the sh-sci driver, sci_ports[0] is used by earlycon. If the earlycon is +still active when sci_probe() is called and the new serial port is supposed +to map to sci_ports[0], return -EBUSY to prevent breaking the earlycon. + +This situation should occurs in debug scenarios, and users should be +aware of the potential conflict. + +Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support") +Cc: stable@vger.kernel.org +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20250116182249.3828577-4-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -164,6 +164,7 @@ struct sci_port { + static struct sci_port sci_ports[SCI_NPORTS]; + static unsigned long sci_ports_in_use; + static struct uart_driver sci_uart_driver; ++static bool sci_uart_earlycon; + + static inline struct sci_port * + to_sci_port(struct uart_port *uart) +@@ -3343,6 +3344,7 @@ static int sci_probe_single(struct platf + static int sci_probe(struct platform_device *dev) + { + struct plat_sci_port *p; ++ struct resource *res; + struct sci_port *sp; + unsigned int dev_id; + int ret; +@@ -3372,6 +3374,26 @@ static int sci_probe(struct platform_dev + } + + sp = &sci_ports[dev_id]; ++ ++ /* ++ * In case: ++ * - the probed port alias is zero (as the one used by earlycon), and ++ * - the earlycon is still active (e.g., "earlycon keep_bootcon" in ++ * bootargs) ++ * ++ * defer the probe of this serial. This is a debug scenario and the user ++ * must be aware of it. ++ * ++ * Except when the probed port is the same as the earlycon port. ++ */ ++ ++ res = platform_get_resource(dev, IORESOURCE_MEM, 0); ++ if (!res) ++ return -ENODEV; ++ ++ if (sci_uart_earlycon && sp == &sci_ports[0] && sp->port.mapbase != res->start) ++ return dev_err_probe(&dev->dev, -EBUSY, "sci_port[0] is used by earlycon!\n"); ++ + platform_set_drvdata(dev, sp); + + ret = sci_probe_single(dev, dev_id, p, sp); +@@ -3470,6 +3492,7 @@ static int __init early_console_setup(st + port_cfg.type = type; + sci_ports[0].cfg = &port_cfg; + sci_ports[0].params = sci_probe_regmap(&port_cfg); ++ sci_uart_earlycon = true; + port_cfg.scscr = sci_serial_in(&sci_ports[0].port, SCSCR); + sci_serial_out(&sci_ports[0].port, SCSCR, + SCSCR_RE | SCSCR_TE | port_cfg.scscr); diff --git a/queue-5.10/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch b/queue-5.10/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch new file mode 100644 index 0000000000..5d725b17ff --- /dev/null +++ b/queue-5.10/serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch @@ -0,0 +1,38 @@ +From eaeee4225dba30bef4d424bdf134a07b7f423e8b Mon Sep 17 00:00:00 2001 +From: Claudiu Beznea +Date: Thu, 16 Jan 2025 20:22:45 +0200 +Subject: serial: sh-sci: Drop __initdata macro for port_cfg + +From: Claudiu Beznea + +commit eaeee4225dba30bef4d424bdf134a07b7f423e8b upstream. + +The port_cfg object is used by serial_console_write(), which serves as +the write function for the earlycon device. Marking port_cfg as __initdata +causes it to be freed after kernel initialization, resulting in earlycon +becoming unavailable thereafter. Remove the __initdata macro from port_cfg +to resolve this issue. + +Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support") +Cc: stable@vger.kernel.org +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Claudiu Beznea +Fixes: 0b0cced19ab15c9e ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support") +Link: https://lore.kernel.org/r/20250116182249.3828577-2-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -3455,7 +3455,7 @@ sh_early_platform_init_buffer("earlyprin + early_serial_buf, ARRAY_SIZE(early_serial_buf)); + #endif + #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON +-static struct plat_sci_port port_cfg __initdata; ++static struct plat_sci_port port_cfg; + + static int __init early_console_setup(struct earlycon_device *device, + int type) diff --git a/queue-5.10/series b/queue-5.10/series index 4605a14f2a..ff68ddc7c4 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -191,3 +191,27 @@ bluetooth-l2cap-accept-zero-as-a-special-value-for-mtu-auto-selection.patch clk-sunxi-ng-a100-enable-mmc-clock-reparenting.patch clk-qcom-clk-alpha-pll-fix-alpha-mode-configuration.patch clk-qcom-clk-rpmh-prevent-integer-overflow-in-recalc_rate.patch +blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch +efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch +perf-bench-fix-undefined-behavior-in-cmpworker.patch +of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch +of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch +of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch +hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch +wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch +wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch +usb-gadget-f_tcm-translate-error-to-sense.patch +usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch +usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch +usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch +soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch +serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch +serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch +powerpc-pseries-eeh-fix-get-pe-state-translation.patch +dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch +dm-crypt-track-tag_offset-in-convert_context.patch +alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch +alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch +scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch +scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch +kbuild-move-wenum-enum-conversion-to-w-2.patch diff --git a/queue-5.10/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch b/queue-5.10/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch new file mode 100644 index 0000000000..a1c39a12aa --- /dev/null +++ b/queue-5.10/soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch @@ -0,0 +1,49 @@ +From 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 Mon Sep 17 00:00:00 2001 +From: Stephan Gerhold +Date: Mon, 30 Dec 2024 20:59:35 +0100 +Subject: soc: qcom: socinfo: Avoid out of bounds read of serial number + +From: Stephan Gerhold + +commit 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 upstream. + +On MSM8916 devices, the serial number exposed in sysfs is constant and does +not change across individual devices. It's always: + + db410c:/sys/devices/soc0$ cat serial_number + 2644893864 + +The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not +have support for the serial_num field in the socinfo struct. There is an +existing check to avoid exposing the serial number in that case, but it's +not correct: When checking the item_size returned by SMEM, we need to make +sure the *end* of the serial_num is within bounds, instead of comparing +with the *start* offset. The serial_number currently exposed on MSM8916 +devices is just an out of bounds read of whatever comes after the socinfo +struct in SMEM. + +Fix this by changing offsetof() to offsetofend(), so that the size of the +field is also taken into account. + +Cc: stable@vger.kernel.org +Fixes: efb448d0a3fc ("soc: qcom: Add socinfo driver") +Signed-off-by: Stephan Gerhold +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241230-qcom-socinfo-serialno-oob-v1-1-9b7a890da3da@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/socinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/socinfo.c ++++ b/drivers/soc/qcom/socinfo.c +@@ -510,7 +510,7 @@ static int qcom_socinfo_probe(struct pla + if (!qs->attr.soc_id || !qs->attr.revision) + return -ENOMEM; + +- if (offsetof(struct socinfo, serial_num) <= item_size) { ++ if (offsetofend(struct socinfo, serial_num) <= item_size) { + qs->attr.serial_number = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "%u", + le32_to_cpu(info->serial_num)); diff --git a/queue-5.10/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch b/queue-5.10/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch new file mode 100644 index 0000000000..7eef1f6654 --- /dev/null +++ b/queue-5.10/usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch @@ -0,0 +1,32 @@ +From 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:31:48 +0000 +Subject: usb: gadget: f_tcm: Decrement command ref count on cleanup + +From: Thinh Nguyen + +commit 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 upstream. + +We submitted the command with TARGET_SCF_ACK_KREF, which requires +acknowledgment of command completion. If the command fails, make sure to +decrement the ref count. + +Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/3c667b4d9c8b0b580346a69ff53616b6a74cfea2.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -973,6 +973,7 @@ static void usbg_data_write_cmpl(struct + return; + + cleanup: ++ target_put_sess_cmd(se_cmd); + transport_generic_free_cmd(&cmd->se_cmd, 0); + } + diff --git a/queue-5.10/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch b/queue-5.10/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch new file mode 100644 index 0000000000..59e1869893 --- /dev/null +++ b/queue-5.10/usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch @@ -0,0 +1,55 @@ +From 94d9bf671ae314cacc2d7bf96bd233b4abc7cede Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:32:07 +0000 +Subject: usb: gadget: f_tcm: Don't prepare BOT write request twice + +From: Thinh Nguyen + +commit 94d9bf671ae314cacc2d7bf96bd233b4abc7cede upstream. + +The duplicate kmalloc here is causing memory leak. The request +preparation in bot_send_write_request is also done in +usbg_prepare_w_request. Remove the duplicate work. + +Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/f4f26c3d586cde0d46f8c3bcb4e8ae32311b650d.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 17 ----------------- + 1 file changed, 17 deletions(-) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -245,7 +245,6 @@ static int bot_send_write_request(struct + { + struct f_uas *fu = cmd->fu; + struct se_cmd *se_cmd = &cmd->se_cmd; +- struct usb_gadget *gadget = fuas_to_gadget(fu); + int ret; + + init_completion(&cmd->write_complete); +@@ -256,22 +255,6 @@ static int bot_send_write_request(struct + return -EINVAL; + } + +- if (!gadget->sg_supported) { +- cmd->data_buf = kmalloc(se_cmd->data_length, GFP_KERNEL); +- if (!cmd->data_buf) +- return -ENOMEM; +- +- fu->bot_req_out->buf = cmd->data_buf; +- } else { +- fu->bot_req_out->buf = NULL; +- fu->bot_req_out->num_sgs = se_cmd->t_data_nents; +- fu->bot_req_out->sg = se_cmd->t_data_sg; +- } +- +- fu->bot_req_out->complete = usbg_data_write_cmpl; +- fu->bot_req_out->length = se_cmd->data_length; +- fu->bot_req_out->context = cmd; +- + ret = usbg_prepare_w_request(cmd, fu->bot_req_out); + if (ret) + goto cleanup; diff --git a/queue-5.10/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch b/queue-5.10/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch new file mode 100644 index 0000000000..53634d66d6 --- /dev/null +++ b/queue-5.10/usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch @@ -0,0 +1,80 @@ +From 25224c1f07d31c261d04dfbc705a7a0f314a825d Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:32:01 +0000 +Subject: usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint + +From: Thinh Nguyen + +commit 25224c1f07d31c261d04dfbc705a7a0f314a825d upstream. + +Match usb endpoint using fullspeed endpoint descriptor to make sure the +wMaxPacketSize for fullspeed descriptors is automatically configured. + +Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/e4507bc824aed6e7c7f5a718392ab6a7c1480a7f.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -2021,43 +2021,39 @@ static int tcm_bind(struct usb_configura + bot_intf_desc.bInterfaceNumber = iface; + uasp_intf_desc.bInterfaceNumber = iface; + fu->iface = iface; +- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bi_desc, +- &uasp_bi_ep_comp_desc); ++ ep = usb_ep_autoconfig(gadget, &uasp_fs_bi_desc); + if (!ep) + goto ep_fail; + + fu->ep_in = ep; + +- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bo_desc, +- &uasp_bo_ep_comp_desc); ++ ep = usb_ep_autoconfig(gadget, &uasp_fs_bo_desc); + if (!ep) + goto ep_fail; + fu->ep_out = ep; + +- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_status_desc, +- &uasp_status_in_ep_comp_desc); ++ ep = usb_ep_autoconfig(gadget, &uasp_fs_status_desc); + if (!ep) + goto ep_fail; + fu->ep_status = ep; + +- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_cmd_desc, +- &uasp_cmd_comp_desc); ++ ep = usb_ep_autoconfig(gadget, &uasp_fs_cmd_desc); + if (!ep) + goto ep_fail; + fu->ep_cmd = ep; + + /* Assume endpoint addresses are the same for both speeds */ +- uasp_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress; +- uasp_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress; ++ uasp_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress; ++ uasp_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress; + uasp_status_desc.bEndpointAddress = +- uasp_ss_status_desc.bEndpointAddress; +- uasp_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress; ++ uasp_fs_status_desc.bEndpointAddress; ++ uasp_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress; + +- uasp_fs_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress; +- uasp_fs_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress; +- uasp_fs_status_desc.bEndpointAddress = +- uasp_ss_status_desc.bEndpointAddress; +- uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress; ++ uasp_ss_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress; ++ uasp_ss_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress; ++ uasp_ss_status_desc.bEndpointAddress = ++ uasp_fs_status_desc.bEndpointAddress; ++ uasp_ss_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress; + + ret = usb_assign_descriptors(f, uasp_fs_function_desc, + uasp_hs_function_desc, uasp_ss_function_desc, diff --git a/queue-5.10/usb-gadget-f_tcm-translate-error-to-sense.patch b/queue-5.10/usb-gadget-f_tcm-translate-error-to-sense.patch new file mode 100644 index 0000000000..167e95fb6e --- /dev/null +++ b/queue-5.10/usb-gadget-f_tcm-translate-error-to-sense.patch @@ -0,0 +1,42 @@ +From 98fa00fd3ae43b857b4976984a135483d89d9281 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:31:43 +0000 +Subject: usb: gadget: f_tcm: Translate error to sense + +From: Thinh Nguyen + +commit 98fa00fd3ae43b857b4976984a135483d89d9281 upstream. + +When respond with check_condition error status, clear from_transport +input so the target layer can translate the sense reason reported by +f_tcm. + +Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/b2a5577efe7abd0af0051229622cf7d3be5cdcd0.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -1067,7 +1067,7 @@ static void usbg_cmd_work(struct work_st + + out: + transport_send_check_condition_and_sense(se_cmd, +- TCM_UNSUPPORTED_SCSI_OPCODE, 1); ++ TCM_UNSUPPORTED_SCSI_OPCODE, 0); + } + + static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu, +@@ -1197,7 +1197,7 @@ static void bot_cmd_work(struct work_str + + out: + transport_send_check_condition_and_sense(se_cmd, +- TCM_UNSUPPORTED_SCSI_OPCODE, 1); ++ TCM_UNSUPPORTED_SCSI_OPCODE, 0); + } + + static int bot_submit_command(struct f_uas *fu, diff --git a/queue-5.10/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch b/queue-5.10/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch new file mode 100644 index 0000000000..2d7e13ce77 --- /dev/null +++ b/queue-5.10/wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch @@ -0,0 +1,69 @@ +From 68abd0c4ebf24cd499841a488b97a6873d5efabb Mon Sep 17 00:00:00 2001 +From: Marcel Hamer +Date: Thu, 16 Jan 2025 14:22:40 +0100 +Subject: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() + +From: Marcel Hamer + +commit 68abd0c4ebf24cd499841a488b97a6873d5efabb upstream. + +On removal of the device or unloading of the kernel module a potential NULL +pointer dereference occurs. + +The following sequence deletes the interface: + + brcmf_detach() + brcmf_remove_interface() + brcmf_del_if() + +Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to +BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches. + +After brcmf_remove_interface() call the brcmf_proto_detach() function is +called providing the following sequence: + + brcmf_detach() + brcmf_proto_detach() + brcmf_proto_msgbuf_detach() + brcmf_flowring_detach() + brcmf_msgbuf_delete_flowring() + brcmf_msgbuf_remove_flowring() + brcmf_flowring_delete() + brcmf_get_ifp() + brcmf_txfinalize() + +Since brcmf_get_ip() can and actually will return NULL in this case the +call to brcmf_txfinalize() will result in a NULL pointer dereference inside +brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors. + +This will only happen if a flowring still has an skb. + +Although the NULL pointer dereference has only been seen when trying to +update the tx statistic, all other uses of the ifp pointer have been +guarded as well with an early return if ifp is NULL. + +Cc: stable@vger.kernel.org +Signed-off-by: Marcel Hamer +Link: https://lore.kernel.org/all/b519e746-ddfd-421f-d897-7620d229e4b2@gmail.com/ +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://patch.msgid.link/20250116132240.731039-1-marcel.hamer@windriver.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -545,6 +545,11 @@ void brcmf_txfinalize(struct brcmf_if *i + struct ethhdr *eh; + u16 type; + ++ if (!ifp) { ++ brcmu_pkt_buf_free_skb(txp); ++ return; ++ } ++ + eh = (struct ethhdr *)(txp->data); + type = ntohs(eh->h_proto); + diff --git a/queue-5.10/wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch b/queue-5.10/wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch new file mode 100644 index 0000000000..3743708082 --- /dev/null +++ b/queue-5.10/wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch @@ -0,0 +1,59 @@ +From 66ef0289ac99e155d206ddaa0fdfad09ae3cd007 Mon Sep 17 00:00:00 2001 +From: Bitterblue Smith +Date: Wed, 18 Dec 2024 00:53:11 +0200 +Subject: wifi: rtlwifi: rtl8821ae: Fix media status report + +From: Bitterblue Smith + +commit 66ef0289ac99e155d206ddaa0fdfad09ae3cd007 upstream. + +RTL8821AE is stuck transmitting at the lowest rate allowed by the rate +mask. This is because the firmware doesn't know the device is connected +to a network. + +Fix the macros SET_H2CCMD_MSRRPT_PARM_OPMODE and +SET_H2CCMD_MSRRPT_PARM_MACID_IND to work on the first byte of __cmd, +not the second. Now the firmware is correctly notified when the device +is connected to a network and it activates the rate control. + +Before (MCS3): + +[ 5] 0.00-1.00 sec 12.5 MBytes 105 Mbits/sec 0 339 KBytes +[ 5] 1.00-2.00 sec 10.6 MBytes 89.1 Mbits/sec 0 339 KBytes +[ 5] 2.00-3.00 sec 10.6 MBytes 89.1 Mbits/sec 0 386 KBytes +[ 5] 3.00-4.00 sec 10.6 MBytes 89.1 Mbits/sec 0 386 KBytes +[ 5] 4.00-5.00 sec 10.2 MBytes 86.0 Mbits/sec 0 427 KBytes + +After (MCS9): + +[ 5] 0.00-1.00 sec 33.9 MBytes 284 Mbits/sec 0 771 KBytes +[ 5] 1.00-2.00 sec 31.6 MBytes 265 Mbits/sec 0 865 KBytes +[ 5] 2.00-3.00 sec 29.9 MBytes 251 Mbits/sec 0 963 KBytes +[ 5] 3.00-4.00 sec 28.2 MBytes 237 Mbits/sec 0 963 KBytes +[ 5] 4.00-5.00 sec 26.8 MBytes 224 Mbits/sec 0 963 KBytes + +Fixes: 39f40710d0b5 ("rtlwifi: rtl88821ae: Remove usage of private bit manipulation macros") +Cc: stable@vger.kernel.org +Signed-off-by: Bitterblue Smith +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/754785b3-8a78-4554-b80d-de5f603b410b@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h +@@ -197,9 +197,9 @@ enum rtl8821a_h2c_cmd { + + /* _MEDIA_STATUS_RPT_PARM_CMD1 */ + #define SET_H2CCMD_MSRRPT_PARM_OPMODE(__cmd, __value) \ +- u8p_replace_bits(__cmd + 1, __value, BIT(0)) ++ u8p_replace_bits(__cmd, __value, BIT(0)) + #define SET_H2CCMD_MSRRPT_PARM_MACID_IND(__cmd, __value) \ +- u8p_replace_bits(__cmd + 1, __value, BIT(1)) ++ u8p_replace_bits(__cmd, __value, BIT(1)) + + /* AP_OFFLOAD */ + #define SET_H2CCMD_AP_OFFLOAD_ON(__cmd, __value) \