From: Greg Kroah-Hartman Date: Sun, 21 Sep 2025 12:46:00 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.1.154~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d827453f3d4bf100c117d8b0a4a33dc064621f29;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch --- diff --git a/queue-5.4/mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch b/queue-5.4/mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch new file mode 100644 index 0000000000..d3706bdb10 --- /dev/null +++ b/queue-5.4/mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch @@ -0,0 +1,33 @@ +From 8ab2f1c35669bff7d7ed1bb16bf5cc989b3e2e17 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Tue, 26 Aug 2025 09:58:08 +0200 +Subject: mmc: mvsdio: Fix dma_unmap_sg() nents value + +From: Thomas Fourier + +commit 8ab2f1c35669bff7d7ed1bb16bf5cc989b3e2e17 upstream. + +The dma_unmap_sg() functions should be called with the same nents as the +dma_map_sg(), not the value the map function returned. + +Fixes: 236caa7cc351 ("mmc: SDIO driver for Marvell SoCs") +Signed-off-by: Thomas Fourier +Reviewed-by: Linus Walleij +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/mvsdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/mvsdio.c ++++ b/drivers/mmc/host/mvsdio.c +@@ -292,7 +292,7 @@ static u32 mvsd_finish_data(struct mvsd_ + host->pio_ptr = NULL; + host->pio_size = 0; + } else { +- dma_unmap_sg(mmc_dev(host->mmc), data->sg, host->sg_frags, ++ dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len, + mmc_get_dma_dir(data)); + } + diff --git a/queue-5.4/nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch b/queue-5.4/nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch new file mode 100644 index 0000000000..ffb0f7f520 --- /dev/null +++ b/queue-5.4/nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch @@ -0,0 +1,95 @@ +From 025e87f8ea2ae3a28bf1fe2b052bfa412c27ed4a Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sat, 6 Sep 2025 23:43:34 +0900 +Subject: nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* + +From: Nathan Chancellor + +commit 025e87f8ea2ae3a28bf1fe2b052bfa412c27ed4a upstream. + +When accessing one of the files under /sys/fs/nilfs2/features when +CONFIG_CFI_CLANG is enabled, there is a CFI violation: + + CFI failure at kobj_attr_show+0x59/0x80 (target: nilfs_feature_revision_show+0x0/0x30; expected type: 0xfc392c4d) + ... + Call Trace: + + sysfs_kf_seq_show+0x2a6/0x390 + ? __cfi_kobj_attr_show+0x10/0x10 + kernfs_seq_show+0x104/0x15b + seq_read_iter+0x580/0xe2b + ... + +When the kobject of the kset for /sys/fs/nilfs2 is initialized, its ktype +is set to kset_ktype, which has a ->sysfs_ops of kobj_sysfs_ops. When +nilfs_feature_attr_group is added to that kobject via +sysfs_create_group(), the kernfs_ops of each files is sysfs_file_kfops_rw, +which will call sysfs_kf_seq_show() when ->seq_show() is called. +sysfs_kf_seq_show() in turn calls kobj_attr_show() through +->sysfs_ops->show(). kobj_attr_show() casts the provided attribute out to +a 'struct kobj_attribute' via container_of() and calls ->show(), resulting +in the CFI violation since neither nilfs_feature_revision_show() nor +nilfs_feature_README_show() match the prototype of ->show() in 'struct +kobj_attribute'. + +Resolve the CFI violation by adjusting the second parameter in +nilfs_feature_{revision,README}_show() from 'struct attribute' to 'struct +kobj_attribute' to match the expected prototype. + +Link: https://lkml.kernel.org/r/20250906144410.22511-1-konishi.ryusuke@gmail.com +Fixes: aebe17f68444 ("nilfs2: add /sys/fs/nilfs2/features group") +Signed-off-by: Nathan Chancellor +Signed-off-by: Ryusuke Konishi +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-lkp/202509021646.bc78d9ef-lkp@intel.com/ +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/sysfs.c | 4 ++-- + fs/nilfs2/sysfs.h | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/fs/nilfs2/sysfs.c ++++ b/fs/nilfs2/sysfs.c +@@ -1081,7 +1081,7 @@ void nilfs_sysfs_delete_device_group(str + ************************************************************************/ + + static ssize_t nilfs_feature_revision_show(struct kobject *kobj, +- struct attribute *attr, char *buf) ++ struct kobj_attribute *attr, char *buf) + { + return sysfs_emit(buf, "%d.%d\n", + NILFS_CURRENT_REV, NILFS_MINOR_REV); +@@ -1093,7 +1093,7 @@ static const char features_readme_str[] + "(1) revision\n\tshow current revision of NILFS file system driver.\n"; + + static ssize_t nilfs_feature_README_show(struct kobject *kobj, +- struct attribute *attr, ++ struct kobj_attribute *attr, + char *buf) + { + return sysfs_emit(buf, features_readme_str); +--- a/fs/nilfs2/sysfs.h ++++ b/fs/nilfs2/sysfs.h +@@ -50,16 +50,16 @@ struct nilfs_sysfs_dev_subgroups { + struct completion sg_segments_kobj_unregister; + }; + +-#define NILFS_COMMON_ATTR_STRUCT(name) \ ++#define NILFS_KOBJ_ATTR_STRUCT(name) \ + struct nilfs_##name##_attr { \ + struct attribute attr; \ +- ssize_t (*show)(struct kobject *, struct attribute *, \ ++ ssize_t (*show)(struct kobject *, struct kobj_attribute *, \ + char *); \ +- ssize_t (*store)(struct kobject *, struct attribute *, \ ++ ssize_t (*store)(struct kobject *, struct kobj_attribute *, \ + const char *, size_t); \ + } + +-NILFS_COMMON_ATTR_STRUCT(feature); ++NILFS_KOBJ_ATTR_STRUCT(feature); + + #define NILFS_DEV_ATTR_STRUCT(name) \ + struct nilfs_##name##_attr { \ diff --git a/queue-5.4/power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch b/queue-5.4/power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch new file mode 100644 index 0000000000..27dd8b0d8a --- /dev/null +++ b/queue-5.4/power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch @@ -0,0 +1,66 @@ +From 2c334d038466ac509468fbe06905a32d202117db Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Sat, 23 Aug 2025 12:34:56 +0200 +Subject: power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery + +From: H. Nikolaus Schaller + +commit 2c334d038466ac509468fbe06905a32d202117db upstream. + +Since commit + + commit f16d9fb6cf03 ("power: supply: bq27xxx: Retrieve again when busy") + +the console log of some devices with hdq enabled but no bq27000 battery +(like e.g. the Pandaboard) is flooded with messages like: + +[ 34.247833] power_supply bq27000-battery: driver failed to report 'status' property: -1 + +as soon as user-space is finding a /sys entry and trying to read the +"status" property. + +It turns out that the offending commit changes the logic to now return the +value of cache.flags if it is <0. This is likely under the assumption that +it is an error number. In normal errors from bq27xxx_read() this is indeed +the case. + +But there is special code to detect if no bq27000 is installed or accessible +through hdq/1wire and wants to report this. In that case, the cache.flags +are set historically by + + commit 3dd843e1c26a ("bq27000: report missing device better.") + +to constant -1 which did make reading properties return -ENODEV. So everything +appeared to be fine before the return value was passed upwards. + +Now the -1 is returned as -EPERM instead of -ENODEV, triggering the error +condition in power_supply_format_property() which then floods the console log. + +So we change the detection of missing bq27000 battery to simply set + + cache.flags = -ENODEV + +instead of -1. + +Fixes: f16d9fb6cf03 ("power: supply: bq27xxx: Retrieve again when busy") +Cc: Jerry Lv +Cc: stable@vger.kernel.org +Signed-off-by: H. Nikolaus Schaller +Link: https://lore.kernel.org/r/692f79eb6fd541adb397038ea6e750d4de2deddf.1755945297.git.hns@goldelico.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1553,7 +1553,7 @@ static void bq27xxx_battery_update_unloc + + cache.flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, has_singe_flag); + if ((cache.flags & 0xff) == 0xff) +- cache.flags = -1; /* read error */ ++ cache.flags = -ENODEV; /* read error */ + if (cache.flags >= 0) { + cache.temperature = bq27xxx_battery_read_temperature(di); + if (has_ci_flag && (cache.flags & BQ27000_FLAG_CI)) { diff --git a/queue-5.4/power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch b/queue-5.4/power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch new file mode 100644 index 0000000000..ebd0c1179a --- /dev/null +++ b/queue-5.4/power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch @@ -0,0 +1,48 @@ +From 1e451977e1703b6db072719b37cd1b8e250b9cc9 Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Sat, 23 Aug 2025 12:34:57 +0200 +Subject: power: supply: bq27xxx: restrict no-battery detection to bq27000 + +From: H. Nikolaus Schaller + +commit 1e451977e1703b6db072719b37cd1b8e250b9cc9 upstream. + +There are fuel gauges in the bq27xxx series (e.g. bq27z561) which may in some +cases report 0xff as the value of BQ27XXX_REG_FLAGS that should not be +interpreted as "no battery" like for a disconnected battery with some built +in bq27000 chip. + +So restrict the no-battery detection originally introduced by + + commit 3dd843e1c26a ("bq27000: report missing device better.") + +to the bq27000. + +There is no need to backport further because this was hidden before + + commit f16d9fb6cf03 ("power: supply: bq27xxx: Retrieve again when busy") + +Fixes: f16d9fb6cf03 ("power: supply: bq27xxx: Retrieve again when busy") +Suggested-by: Jerry Lv +Cc: stable@vger.kernel.org +Signed-off-by: H. Nikolaus Schaller +Link: https://lore.kernel.org/r/dd979fa6855fd051ee5117016c58daaa05966e24.1755945297.git.hns@goldelico.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1552,8 +1552,8 @@ static void bq27xxx_battery_update_unloc + bool has_singe_flag = di->opts & BQ27XXX_O_ZERO; + + cache.flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, has_singe_flag); +- if ((cache.flags & 0xff) == 0xff) +- cache.flags = -ENODEV; /* read error */ ++ if (di->chip == BQ27000 && (cache.flags & 0xff) == 0xff) ++ cache.flags = -ENODEV; /* bq27000 hdq read error */ + if (cache.flags >= 0) { + cache.temperature = bq27xxx_battery_read_temperature(di); + if (has_ci_flag && (cache.flags & BQ27000_FLAG_CI)) { diff --git a/queue-5.4/rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch b/queue-5.4/rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch new file mode 100644 index 0000000000..dbc9e3d729 --- /dev/null +++ b/queue-5.4/rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch @@ -0,0 +1,82 @@ +From 4351ca3fcb3ffecf12631b4996bf085a2dad0db6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?H=C3=A5kon=20Bugge?= +Date: Thu, 11 Sep 2025 15:33:34 +0200 +Subject: rds: ib: Increment i_fastreg_wrs before bailing out +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +commit 4351ca3fcb3ffecf12631b4996bf085a2dad0db6 upstream. + +We need to increment i_fastreg_wrs before we bail out from +rds_ib_post_reg_frmr(). + +We have a fixed budget of how many FRWR operations that can be +outstanding using the dedicated QP used for memory registrations and +de-registrations. This budget is enforced by the atomic_t +i_fastreg_wrs. If we bail out early in rds_ib_post_reg_frmr(), we will +"leak" the possibility of posting an FRWR operation, and if that +accumulates, no FRWR operation can be carried out. + +Fixes: 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode") +Fixes: 3a2886cca703 ("net/rds: Keep track of and wait for FRWR segments in use upon shutdown") +Cc: stable@vger.kernel.org +Signed-off-by: HÃ¥kon Bugge +Reviewed-by: Allison Henderson +Link: https://patch.msgid.link/20250911133336.451212-1-haakon.bugge@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib_frmr.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/net/rds/ib_frmr.c ++++ b/net/rds/ib_frmr.c +@@ -133,12 +133,15 @@ static int rds_ib_post_reg_frmr(struct r + + ret = ib_map_mr_sg_zbva(frmr->mr, ibmr->sg, ibmr->sg_dma_len, + &off, PAGE_SIZE); +- if (unlikely(ret != ibmr->sg_dma_len)) +- return ret < 0 ? ret : -EINVAL; ++ if (unlikely(ret != ibmr->sg_dma_len)) { ++ ret = ret < 0 ? ret : -EINVAL; ++ goto out_inc; ++ } + +- if (cmpxchg(&frmr->fr_state, +- FRMR_IS_FREE, FRMR_IS_INUSE) != FRMR_IS_FREE) +- return -EBUSY; ++ if (cmpxchg(&frmr->fr_state, FRMR_IS_FREE, FRMR_IS_INUSE) != FRMR_IS_FREE) { ++ ret = -EBUSY; ++ goto out_inc; ++ } + + atomic_inc(&ibmr->ic->i_fastreg_inuse_count); + +@@ -166,11 +169,10 @@ static int rds_ib_post_reg_frmr(struct r + /* Failure here can be because of -ENOMEM as well */ + rds_transition_frwr_state(ibmr, FRMR_IS_INUSE, FRMR_IS_STALE); + +- atomic_inc(&ibmr->ic->i_fastreg_wrs); + if (printk_ratelimit()) + pr_warn("RDS/IB: %s returned error(%d)\n", + __func__, ret); +- goto out; ++ goto out_inc; + } + + /* Wait for the registration to complete in order to prevent an invalid +@@ -179,8 +181,10 @@ static int rds_ib_post_reg_frmr(struct r + */ + wait_event(frmr->fr_reg_done, !frmr->fr_reg); + +-out: ++ return ret; + ++out_inc: ++ atomic_inc(&ibmr->ic->i_fastreg_wrs); + return ret; + } + diff --git a/queue-5.4/series b/queue-5.4/series index 14ac92425e..1d1364deb0 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -38,3 +38,8 @@ tcp-clear-tcp_sk-sk-fastopen_rsk-in-tcp_disconnect.patch revert-net-mlx5e-update-and-set-xon-xoff-upon-port-s.patch net-liquidio-fix-overflow-in-octeon_init_instr_queue.patch cnic-fix-use-after-free-bugs-in-cnic_delete_task.patch +nilfs2-fix-cfi-failure-when-accessing-sys-fs-nilfs2-features.patch +power-supply-bq27xxx-fix-error-return-in-case-of-no-bq27000-hdq-battery.patch +power-supply-bq27xxx-restrict-no-battery-detection-to-bq27000.patch +mmc-mvsdio-fix-dma_unmap_sg-nents-value.patch +rds-ib-increment-i_fastreg_wrs-before-bailing-out.patch