From 159eeb7d0c082879da280717e5f41e378e350df7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 5 May 2025 10:00:43 +0200 Subject: [PATCH] 5.4-stable patches added patches: amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch dm-always-update-the-array-size-in-realloc_argv-on-success.patch dm-integrity-fix-a-warning-on-invalid-table-line.patch edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch edac-altera-test-the-correct-error-reg-offset.patch i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch parisc-fix-double-sigfpe-crash.patch wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch --- ...are-toggled-with-rx-checksum-offload.patch | 135 ++++++++++++++++++ ...rray-size-in-realloc_argv-on-success.patch | 43 ++++++ ...-fix-a-warning-on-invalid-table-line.patch | 31 ++++ ...c-interrupt-mask-before-registration.patch | 59 ++++++++ ...ra-test-the-correct-error-reg-offset.patch | 36 +++++ ...2c-fix-clock-count-when-probe-defers.patch | 38 +++++ .../parisc-fix-double-sigfpe-crash.patch | 90 ++++++++++++ queue-5.4/series | 8 ++ ...handling-for-brcmf_usb_dl_writeimage.patch | 54 +++++++ 9 files changed, 494 insertions(+) create mode 100644 queue-5.4/amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch create mode 100644 queue-5.4/dm-always-update-the-array-size-in-realloc_argv-on-success.patch create mode 100644 queue-5.4/dm-integrity-fix-a-warning-on-invalid-table-line.patch create mode 100644 queue-5.4/edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch create mode 100644 queue-5.4/edac-altera-test-the-correct-error-reg-offset.patch create mode 100644 queue-5.4/i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch create mode 100644 queue-5.4/parisc-fix-double-sigfpe-crash.patch create mode 100644 queue-5.4/wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch diff --git a/queue-5.4/amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch b/queue-5.4/amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch new file mode 100644 index 00000000000..b73f38cced8 --- /dev/null +++ b/queue-5.4/amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch @@ -0,0 +1,135 @@ +From f04dd30f1bef1ed2e74a4050af6e5e5e3869bac3 Mon Sep 17 00:00:00 2001 +From: Vishal Badole +Date: Thu, 24 Apr 2025 18:32:48 +0530 +Subject: amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload + +From: Vishal Badole + +commit f04dd30f1bef1ed2e74a4050af6e5e5e3869bac3 upstream. + +According to the XGMAC specification, enabling features such as Layer 3 +and Layer 4 Packet Filtering, Split Header and Virtualized Network support +automatically selects the IPC Full Checksum Offload Engine on the receive +side. + +When RX checksum offload is disabled, these dependent features must also +be disabled to prevent abnormal behavior caused by mismatched feature +dependencies. + +Ensure that toggling RX checksum offload (disabling or enabling) properly +disables or enables all dependent features, maintaining consistent and +expected behavior in the network device. + +Cc: stable@vger.kernel.org +Fixes: 1a510ccf5869 ("amd-xgbe: Add support for VXLAN offload capabilities") +Signed-off-by: Vishal Badole +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250424130248.428865-1-Vishal.Badole@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 9 +++++++-- + drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 24 ++++++++++++++++++++++-- + drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 11 +++++++++-- + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++++ + 4 files changed, 42 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c +@@ -373,8 +373,13 @@ static int xgbe_map_rx_buffer(struct xgb + } + + /* Set up the header page info */ +- xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa, +- XGBE_SKB_ALLOC_SIZE); ++ if (pdata->netdev->features & NETIF_F_RXCSUM) { ++ xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa, ++ XGBE_SKB_ALLOC_SIZE); ++ } else { ++ xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa, ++ pdata->rx_buf_size); ++ } + + /* Set up the buffer page info */ + xgbe_set_buffer_data(&rdata->rx.buf, &ring->rx_buf_pa, +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -320,6 +320,18 @@ static void xgbe_config_sph_mode(struct + XGMAC_IOWRITE_BITS(pdata, MAC_RCR, HDSMS, XGBE_SPH_HDSMS_SIZE); + } + ++static void xgbe_disable_sph_mode(struct xgbe_prv_data *pdata) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < pdata->channel_count; i++) { ++ if (!pdata->channel[i]->rx_ring) ++ break; ++ ++ XGMAC_DMA_IOWRITE_BITS(pdata->channel[i], DMA_CH_CR, SPH, 0); ++ } ++} ++ + static int xgbe_write_rss_reg(struct xgbe_prv_data *pdata, unsigned int type, + unsigned int index, unsigned int val) + { +@@ -3495,8 +3507,12 @@ static int xgbe_init(struct xgbe_prv_dat + xgbe_config_tx_coalesce(pdata); + xgbe_config_rx_buffer_size(pdata); + xgbe_config_tso_mode(pdata); +- xgbe_config_sph_mode(pdata); +- xgbe_config_rss(pdata); ++ ++ if (pdata->netdev->features & NETIF_F_RXCSUM) { ++ xgbe_config_sph_mode(pdata); ++ xgbe_config_rss(pdata); ++ } ++ + desc_if->wrapper_tx_desc_init(pdata); + desc_if->wrapper_rx_desc_init(pdata); + xgbe_enable_dma_interrupts(pdata); +@@ -3650,5 +3666,9 @@ void xgbe_init_function_ptrs_dev(struct + hw_if->disable_vxlan = xgbe_disable_vxlan; + hw_if->set_vxlan_id = xgbe_set_vxlan_id; + ++ /* For Split Header*/ ++ hw_if->enable_sph = xgbe_config_sph_mode; ++ hw_if->disable_sph = xgbe_disable_sph_mode; ++ + DBGPR("<--xgbe_init_function_ptrs\n"); + } +--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c +@@ -2372,10 +2372,17 @@ static int xgbe_set_features(struct net_ + if (ret) + return ret; + +- if ((features & NETIF_F_RXCSUM) && !rxcsum) ++ if ((features & NETIF_F_RXCSUM) && !rxcsum) { ++ hw_if->enable_sph(pdata); ++ hw_if->enable_vxlan(pdata); + hw_if->enable_rx_csum(pdata); +- else if (!(features & NETIF_F_RXCSUM) && rxcsum) ++ schedule_work(&pdata->restart_work); ++ } else if (!(features & NETIF_F_RXCSUM) && rxcsum) { ++ hw_if->disable_sph(pdata); ++ hw_if->disable_vxlan(pdata); + hw_if->disable_rx_csum(pdata); ++ schedule_work(&pdata->restart_work); ++ } + + if ((features & NETIF_F_HW_VLAN_CTAG_RX) && !rxvlan) + hw_if->enable_rx_vlan_stripping(pdata); +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -834,6 +834,10 @@ struct xgbe_hw_if { + void (*enable_vxlan)(struct xgbe_prv_data *); + void (*disable_vxlan)(struct xgbe_prv_data *); + void (*set_vxlan_id)(struct xgbe_prv_data *); ++ ++ /* For Split Header */ ++ void (*enable_sph)(struct xgbe_prv_data *pdata); ++ void (*disable_sph)(struct xgbe_prv_data *pdata); + }; + + /* This structure represents implementation specific routines for an diff --git a/queue-5.4/dm-always-update-the-array-size-in-realloc_argv-on-success.patch b/queue-5.4/dm-always-update-the-array-size-in-realloc_argv-on-success.patch new file mode 100644 index 00000000000..ba0e187ccc6 --- /dev/null +++ b/queue-5.4/dm-always-update-the-array-size-in-realloc_argv-on-success.patch @@ -0,0 +1,43 @@ +From 5a2a6c428190f945c5cbf5791f72dbea83e97f66 Mon Sep 17 00:00:00 2001 +From: Benjamin Marzinski +Date: Tue, 15 Apr 2025 00:17:16 -0400 +Subject: dm: always update the array size in realloc_argv on success + +From: Benjamin Marzinski + +commit 5a2a6c428190f945c5cbf5791f72dbea83e97f66 upstream. + +realloc_argv() was only updating the array size if it was called with +old_argv already allocated. The first time it was called to create an +argv array, it would allocate the array but return the array size as +zero. dm_split_args() would think that it couldn't store any arguments +in the array and would call realloc_argv() again, causing it to +reallocate the initial slots (this time using GPF_KERNEL) and finally +return a size. Aside from being wasteful, this could cause deadlocks on +targets that need to process messages without starting new IO. Instead, +realloc_argv should always update the allocated array size on success. + +Fixes: a0651926553c ("dm table: don't copy from a NULL pointer in realloc_argv()") +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Marzinski +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-table.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -573,9 +573,10 @@ static char **realloc_argv(unsigned *siz + gfp = GFP_NOIO; + } + argv = kmalloc_array(new_size, sizeof(*argv), gfp); +- if (argv && old_argv) { +- memcpy(argv, old_argv, *size * sizeof(*argv)); ++ if (argv) { + *size = new_size; ++ if (old_argv) ++ memcpy(argv, old_argv, *size * sizeof(*argv)); + } + + kfree(old_argv); diff --git a/queue-5.4/dm-integrity-fix-a-warning-on-invalid-table-line.patch b/queue-5.4/dm-integrity-fix-a-warning-on-invalid-table-line.patch new file mode 100644 index 00000000000..d2f332cd331 --- /dev/null +++ b/queue-5.4/dm-integrity-fix-a-warning-on-invalid-table-line.patch @@ -0,0 +1,31 @@ +From 0a533c3e4246c29d502a7e0fba0e86d80a906b04 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 22 Apr 2025 21:18:33 +0200 +Subject: dm-integrity: fix a warning on invalid table line + +From: Mikulas Patocka + +commit 0a533c3e4246c29d502a7e0fba0e86d80a906b04 upstream. + +If we use the 'B' mode and we have an invalit table line, +cancel_delayed_work_sync would trigger a warning. This commit avoids the +warning. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-integrity.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-integrity.c ++++ b/drivers/md/dm-integrity.c +@@ -4199,7 +4199,7 @@ static void dm_integrity_dtr(struct dm_t + BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress)); + BUG_ON(!list_empty(&ic->wait_list)); + +- if (ic->mode == 'B') ++ if (ic->mode == 'B' && ic->bitmap_flush_work.work.func) + cancel_delayed_work_sync(&ic->bitmap_flush_work); + if (ic->metadata_wq) + destroy_workqueue(ic->metadata_wq); diff --git a/queue-5.4/edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch b/queue-5.4/edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch new file mode 100644 index 00000000000..f9d939d4371 --- /dev/null +++ b/queue-5.4/edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch @@ -0,0 +1,59 @@ +From 6dbe3c5418c4368e824bff6ae4889257dd544892 Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Fri, 25 Apr 2025 07:26:40 -0700 +Subject: EDAC/altera: Set DDR and SDMMC interrupt mask before registration + +From: Niravkumar L Rabara + +commit 6dbe3c5418c4368e824bff6ae4889257dd544892 upstream. + +Mask DDR and SDMMC in probe function to avoid spurious interrupts before +registration. Removed invalid register write to system manager. + +Fixes: 1166fde93d5b ("EDAC, altera: Add Arria10 ECC memory init functions") +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Matthew Gerlach +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Dinh Nguyen +Cc: stable@kernel.org +Link: https://lore.kernel.org/20250425142640.33125-3-matthew.gerlach@altera.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/altera_edac.c | 7 ++++--- + drivers/edac/altera_edac.h | 2 ++ + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/edac/altera_edac.c ++++ b/drivers/edac/altera_edac.c +@@ -1103,9 +1103,6 @@ altr_init_a10_ecc_block(struct device_no + } + } + +- /* Interrupt mode set to every SBERR */ +- regmap_write(ecc_mgr_map, ALTR_A10_ECC_INTMODE_OFST, +- ALTR_A10_ECC_INTMODE); + /* Enable ECC */ + ecc_set_bits(ecc_ctrl_en_mask, (ecc_block_base + + ALTR_A10_ECC_CTRL_OFST)); +@@ -2213,6 +2210,10 @@ static int altr_edac_a10_probe(struct pl + return PTR_ERR(edac->ecc_mgr_map); + } + ++ /* Set irq mask for DDR SBE to avoid any pending irq before registration */ ++ regmap_write(edac->ecc_mgr_map, A10_SYSMGR_ECC_INTMASK_SET_OFST, ++ (A10_SYSMGR_ECC_INTMASK_SDMMCB | A10_SYSMGR_ECC_INTMASK_DDR0)); ++ + edac->irq_chip.name = pdev->dev.of_node->name; + edac->irq_chip.irq_mask = a10_eccmgr_irq_mask; + edac->irq_chip.irq_unmask = a10_eccmgr_irq_unmask; +--- a/drivers/edac/altera_edac.h ++++ b/drivers/edac/altera_edac.h +@@ -249,6 +249,8 @@ struct altr_sdram_mc_data { + #define A10_SYSMGR_ECC_INTMASK_SET_OFST 0x94 + #define A10_SYSMGR_ECC_INTMASK_CLR_OFST 0x98 + #define A10_SYSMGR_ECC_INTMASK_OCRAM BIT(1) ++#define A10_SYSMGR_ECC_INTMASK_SDMMCB BIT(16) ++#define A10_SYSMGR_ECC_INTMASK_DDR0 BIT(17) + + #define A10_SYSMGR_ECC_INTSTAT_SERR_OFST 0x9C + #define A10_SYSMGR_ECC_INTSTAT_DERR_OFST 0xA0 diff --git a/queue-5.4/edac-altera-test-the-correct-error-reg-offset.patch b/queue-5.4/edac-altera-test-the-correct-error-reg-offset.patch new file mode 100644 index 00000000000..f8b3d8dedba --- /dev/null +++ b/queue-5.4/edac-altera-test-the-correct-error-reg-offset.patch @@ -0,0 +1,36 @@ +From 4fb7b8fceb0beebbe00712c3daf49ade0386076a Mon Sep 17 00:00:00 2001 +From: Niravkumar L Rabara +Date: Fri, 25 Apr 2025 07:26:39 -0700 +Subject: EDAC/altera: Test the correct error reg offset + +From: Niravkumar L Rabara + +commit 4fb7b8fceb0beebbe00712c3daf49ade0386076a upstream. + +Test correct structure member, ecc_cecnt_offset, before using it. + + [ bp: Massage commit message. ] + +Fixes: 73bcc942f427 ("EDAC, altera: Add Arria10 EDAC support") +Signed-off-by: Niravkumar L Rabara +Signed-off-by: Matthew Gerlach +Signed-off-by: Borislav Petkov (AMD) +Acked-by: Dinh Nguyen +Cc: stable@kernel.org +Link: https://lore.kernel.org/20250425142640.33125-2-matthew.gerlach@altera.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/altera_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/altera_edac.c ++++ b/drivers/edac/altera_edac.c +@@ -96,7 +96,7 @@ static irqreturn_t altr_sdram_mc_err_han + if (status & priv->ecc_stat_ce_mask) { + regmap_read(drvdata->mc_vbase, priv->ecc_saddr_offset, + &err_addr); +- if (priv->ecc_uecnt_offset) ++ if (priv->ecc_cecnt_offset) + regmap_read(drvdata->mc_vbase, priv->ecc_cecnt_offset, + &err_count); + edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, err_count, diff --git a/queue-5.4/i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch b/queue-5.4/i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch new file mode 100644 index 00000000000..2b3a03bf444 --- /dev/null +++ b/queue-5.4/i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch @@ -0,0 +1,38 @@ +From b1852c5de2f2a37dd4462f7837c9e3e678f9e546 Mon Sep 17 00:00:00 2001 +From: Clark Wang +Date: Mon, 21 Apr 2025 14:23:41 +0800 +Subject: i2c: imx-lpi2c: Fix clock count when probe defers + +From: Clark Wang + +commit b1852c5de2f2a37dd4462f7837c9e3e678f9e546 upstream. + +Deferred probe with pm_runtime_put() may delay clock disable, causing +incorrect clock usage count. Use pm_runtime_put_sync() to ensure the +clock is disabled immediately. + +Fixes: 13d6eb20fc79 ("i2c: imx-lpi2c: add runtime pm support") +Signed-off-by: Clark Wang +Signed-off-by: Carlos Song +Cc: # v4.16+ +Link: https://lore.kernel.org/r/20250421062341.2471922-1-carlos.song@nxp.com +Signed-off-by: Andi Shyti +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-imx-lpi2c.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-imx-lpi2c.c ++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c +@@ -624,9 +624,9 @@ static int lpi2c_imx_probe(struct platfo + return 0; + + rpm_disable: +- pm_runtime_put(&pdev->dev); +- pm_runtime_disable(&pdev->dev); + pm_runtime_dont_use_autosuspend(&pdev->dev); ++ pm_runtime_put_sync(&pdev->dev); ++ pm_runtime_disable(&pdev->dev); + + return ret; + } diff --git a/queue-5.4/parisc-fix-double-sigfpe-crash.patch b/queue-5.4/parisc-fix-double-sigfpe-crash.patch new file mode 100644 index 00000000000..811f2d7272f --- /dev/null +++ b/queue-5.4/parisc-fix-double-sigfpe-crash.patch @@ -0,0 +1,90 @@ +From de3629baf5a33af1919dec7136d643b0662e85ef Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 3 May 2025 18:24:01 +0200 +Subject: parisc: Fix double SIGFPE crash + +From: Helge Deller + +commit de3629baf5a33af1919dec7136d643b0662e85ef upstream. + +Camm noticed that on parisc a SIGFPE exception will crash an application with +a second SIGFPE in the signal handler. Dave analyzed it, and it happens +because glibc uses a double-word floating-point store to atomically update +function descriptors. As a result of lazy binding, we hit a floating-point +store in fpe_func almost immediately. + +When the T bit is set, an assist exception trap occurs when when the +co-processor encounters *any* floating-point instruction except for a double +store of register %fr0. The latter cancels all pending traps. Let's fix this +by clearing the Trap (T) bit in the FP status register before returning to the +signal handler in userspace. + +The issue can be reproduced with this test program: + +root@parisc:~# cat fpe.c + +static void fpe_func(int sig, siginfo_t *i, void *v) { + sigset_t set; + sigemptyset(&set); + sigaddset(&set, SIGFPE); + sigprocmask(SIG_UNBLOCK, &set, NULL); + printf("GOT signal %d with si_code %ld\n", sig, i->si_code); +} + +int main() { + struct sigaction action = { + .sa_sigaction = fpe_func, + .sa_flags = SA_RESTART|SA_SIGINFO }; + sigaction(SIGFPE, &action, 0); + feenableexcept(FE_OVERFLOW); + return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308); +} + +root@parisc:~# gcc fpe.c -lm +root@parisc:~# ./a.out + Floating point exception + +root@parisc:~# strace -f ./a.out + execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0 + getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0 + ... + rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0 + --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} --- + --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} --- + +++ killed by SIGFPE +++ + Floating point exception + +Signed-off-by: Helge Deller +Suggested-by: John David Anglin +Reported-by: Camm Maguire +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/math-emu/driver.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/arch/parisc/math-emu/driver.c ++++ b/arch/parisc/math-emu/driver.c +@@ -103,9 +103,19 @@ handle_fpe(struct pt_regs *regs) + + memcpy(regs->fr, frcopy, sizeof regs->fr); + if (signalcode != 0) { +- force_sig_fault(signalcode >> 24, signalcode & 0xffffff, +- (void __user *) regs->iaoq[0]); +- return -1; ++ int sig = signalcode >> 24; ++ ++ if (sig == SIGFPE) { ++ /* ++ * Clear floating point trap bit to avoid trapping ++ * again on the first floating-point instruction in ++ * the userspace signal handler. ++ */ ++ regs->fr[0] &= ~(1ULL << 38); ++ } ++ force_sig_fault(sig, signalcode & 0xffffff, ++ (void __user *) regs->iaoq[0]); ++ return -1; + } + + return signalcode ? -1 : 0; diff --git a/queue-5.4/series b/queue-5.4/series index e69de29bb2d..968b65cdbb5 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -0,0 +1,8 @@ +edac-altera-test-the-correct-error-reg-offset.patch +edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch +i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch +parisc-fix-double-sigfpe-crash.patch +amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch +wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch +dm-integrity-fix-a-warning-on-invalid-table-line.patch +dm-always-update-the-array-size-in-realloc_argv-on-success.patch diff --git a/queue-5.4/wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch b/queue-5.4/wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch new file mode 100644 index 00000000000..4646fe10dea --- /dev/null +++ b/queue-5.4/wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch @@ -0,0 +1,54 @@ +From 8e089e7b585d95122c8122d732d1d5ef8f879396 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Tue, 22 Apr 2025 12:22:02 +0800 +Subject: wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() + +From: Wentao Liang + +commit 8e089e7b585d95122c8122d732d1d5ef8f879396 upstream. + +The function brcmf_usb_dl_writeimage() calls the function +brcmf_usb_dl_cmd() but dose not check its return value. The +'state.state' and the 'state.bytes' are uninitialized if the +function brcmf_usb_dl_cmd() fails. It is dangerous to use +uninitialized variables in the conditions. + +Add error handling for brcmf_usb_dl_cmd() to jump to error +handling path if the brcmf_usb_dl_cmd() fails and the +'state.state' and the 'state.bytes' are uninitialized. + +Improve the error message to report more detailed error +information. + +Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") +Cc: stable@vger.kernel.org # v3.4+ +Signed-off-by: Wentao Liang +Acked-by: Arend van Spriel +Link: https://patch.msgid.link/20250422042203.2259-1-vulab@iscas.ac.cn +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -866,14 +866,16 @@ brcmf_usb_dl_writeimage(struct brcmf_usb + } + + /* 1) Prepare USB boot loader for runtime image */ +- brcmf_usb_dl_cmd(devinfo, DL_START, &state, sizeof(state)); ++ err = brcmf_usb_dl_cmd(devinfo, DL_START, &state, sizeof(state)); ++ if (err) ++ goto fail; + + rdlstate = le32_to_cpu(state.state); + rdlbytes = le32_to_cpu(state.bytes); + + /* 2) Check we are in the Waiting state */ + if (rdlstate != DL_WAITING) { +- brcmf_err("Failed to DL_START\n"); ++ brcmf_err("Invalid DL state: %u\n", rdlstate); + err = -EINVAL; + goto fail; + } -- 2.47.3