From 2030a26c0bf2ca42669b2893e75cecd0465498de Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 17 Aug 2025 09:27:15 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...dd-taint_machine_check-on-ghes-panic.patch | 43 +++ ...essor-fix-acpi_object-initialization.patch | 41 +++ ...fix-buffer-overflow-in-add_tuning_co.patch | 41 +++ ...x-incorrect-codec-index-usage-in-mix.patch | 37 +++ ...void-precedence-issues-in-mixer_quir.patch | 61 ++++ ...-kernel-hang-during-smp-initializati.patch | 70 +++++ ...egra-use-i-o-memcpy-to-write-to-iram.patch | 36 +++ ...dle-kcov-__init-vs-inline-mismatches.patch | 51 +++ ...-rt5640-retry-device_id-verification.patch | 48 +++ ...ate-limit-logging-on-connection-and-.patch | 68 ++++ ...t-bias_level-if-snd_soc_dapm_set_bia.patch | 73 +++++ ...ct-byte-order-and-format-string-for-.patch | 53 ++++ ..._hecc-fix-woverflow-compiler-warning.patch | 40 +++ ...-cifsfindfirst-for-root-path-without.patch | 60 ++++ ...k-driver-with-need_update_limits-fla.patch | 51 +++ ...ernor-when-failed-to-start-old-gover.patch | 43 +++ ...g-kref_get-in-handle_write_conflicts.patch | 65 ++++ ...131x-add-missing-check-after-dma-map.patch | 100 ++++++ ...when-inline_data_fl-lacks-system.dat.patch | 73 +++++ ...gefs-use-snprintf-instead-of-sprintf.patch | 47 +++ ...eck-the-return-value-of-regmap_updat.patch | 42 +++ ...ot-erasing-deleted-b-tree-node-issue.patch | 105 +++++++ ...slab-out-of-bounds-in-hfs_bnode_read.patch | 166 ++++++++++ ...e-bug_on-in-hfsplus_create_attribute.patch | 46 +++ ...-out-of-bounds-in-hfsplus_bnode_read.patch | 296 ++++++++++++++++++ ...-out-of-bounds-read-in-hfsplus_uni2a.patch | 177 +++++++++++ ...d-missing-include-to-internal-header.patch | 44 +++ ...n-t-fail-if-gethdrcap-is-unsupported.patch | 43 +++ ...rcpy-source-and-destination-the-same.patch | 150 +++++++++ ...n_ratelimited-for-incorrect-message-.patch | 47 +++ .../jfs-regular-file-corruption-check.patch | 39 +++ ...good-inode-pages-when-hard-link-is-0.patch | 41 +++ ...und-check-of-tree-index-in-dballocag.patch | 44 +++ ...oid-hardcoding-model2-in-on_treeview.patch | 45 +++ ...x-potential-memory-leak-in-renderer_.patch | 42 +++ ...ialog-fix-space-to-de-select-options.patch | 49 +++ ...-replace-strcpy-with-strncpy-in-inpu.patch | 41 +++ ...sure-null-termination-where-strncpy-.patch | 55 ++++ ...-recursion-of-default-variable-optio.patch | 62 ++++ ...nds-dib7090p-fix-null-ptr-deref-in-d.patch | 46 +++ ...nds-w7090p-fix-null-ptr-deref-in-w70.patch | 48 +++ ...743-check-i2c-succeeded-during-probe.patch | 109 +++++++ ...3-increase-fifo-trigger-level-to-374.patch | 58 ++++ ...eturn-an-appropriate-colorspace-from.patch | 113 +++++++ ...vr-disable-zero-length-read-messages.patch | 46 +++ ...fix-bandwidth-issue-for-alcor-camera.patch | 52 +++ ...-in-stack_top-for-tasks-without-abi-.patch | 79 +++++ ...missing-prototypes-for-vpe_-alloc-st.patch | 53 ++++ ...mc-fix-error-path-in-sd_set_power_mo.patch | 40 +++ ...71xx-add-missing-check-after-dma-map.patch | 50 +++ ...3-fix-b53_imp_vlan_setup-for-bcm5325.patch | 42 +++ ...b53-fix-ip_multicast_ctrl-on-bcm5325.patch | 69 ++++ ...revent-switch_ctrl-access-on-bcm5325.patch | 49 +++ .../net-fec-allow-disable-coalescing.patch | 80 +++++ ...ix-incorrect-mtu-in-broadcast-routes.patch | 51 +++ ...ffer-overflow-in-fetching-version-id.patch | 52 +++ ...-add-proper-reset-flags-for-lan8710a.patch | 41 +++ ...-format-truncation-warning-in-bgx_ac.patch | 66 ++++ ...-bug-with-warn_on_once-in-vlan_dev_-.patch | 56 ++++ ...rag_address_safe-with-unreadable-skb.patch | 45 +++ ...-around-switches-with-broken-presenc.patch | 77 +++++ ...l-stm32-manage-irq-affinity-settings.patch | 39 +++ ...nkpad_acpi-handle-kcov-__init-vs-inl.patch | 50 +++ ...the-snapshot-order-of-tsc-mperf-cloc.patch | 46 +++ ...-power.needs_force_resume-in-pm_runt.patch | 41 +++ ...p-console-fix-the-black-screen-issue.patch | 77 +++++ ...ddr-range-check-in-block-scsi-layout.patch | 41 +++ ...-stripe-mapping-in-block-scsi-layout.patch | 57 ++++ ...nited-ptr-deref-in-block-scsi-layout.patch | 99 ++++++ ...dle-rpc-size-limit-for-layoutcommits.patch | 67 ++++ ...possible-dma_unmap_single-on-uniniti.patch | 43 +++ ...t-defer_qs_iw_pending-from-data-race.patch | 97 ++++++ ...ssible-divide-by-zero-in-find_hw_thr.patch | 85 +++++ ...e-clear-of-oscillator-stop-flag-osf-.patch | 52 +++ ...tp-remove-udelay-from-stp_sync_clock.patch | 44 +++ ...me-use-monotonic-clock-in-get_cycles.patch | 54 ++++ ...-aacraid-stop-using-pci_irq_affinity.patch | 69 ++++ queue-5.4/scsi-bfa-double-free-fix.patch | 42 +++ ...r_scan-to-handle-wildcard-and-multi-.patch | 136 ++++++++ ...itialize-iscsi_conn-dd_data-only-if-.patch | 63 ++++ ...for-hdwq-null-ptr-when-cleaning-up-l.patch | 44 +++ ...s-correctly-handle-ata-device-errors.patch | 85 +++++ ...-t-pin-dentries-twice-once-is-enough.patch | 44 +++ ...define-sys_futex-on-32-bit-architect.patch | 52 +++ ...g-use-mutex_unlock-for-testing-glob-.patch | 41 +++ queue-5.4/series | 102 ++++++ ...turn-enodata-instead-of-eagain-for-r.patch | 53 ++++ ...-visibility-of-most-ipv6-socket-opti.patch | 102 ++++++ .../udf-verify-partition-map-count.patch | 54 ++++ ...-usb_submit_urb-downgrade-type-check.patch | 40 +++ ...howing-errors-during-surprise-remova.patch | 60 ++++ ...howing-warnings-for-dying-controller.patch | 55 ++++ ...hci-xhc_state-when-queue_command-fai.patch | 42 +++ ..._trb_len-8-for-ep0-during-address-de.patch | 61 ++++ ...il-early-when-__vhost_add_used-fails.patch | 43 +++ .../watchdog-dw_wdt-fix-default-timeout.patch | 43 +++ ...g80211-fix-interface-type-validation.patch | 36 +++ ...reject-htc-bit-for-management-frames.patch | 38 +++ ...-check-rate_idx-range-after-addition.patch | 43 +++ ...-fix-potential-overflow-in-rs_fill_l.patch | 44 +++ ...fix-possible-memory-leak-in-iwl_fw_d.patch | 47 +++ ...wifi-mvm-fix-scan-request-validation.patch | 37 +++ ...-possible-skb-memory-leak-in-_rtl_pc.patch | 58 ++++ 103 files changed, 6383 insertions(+) create mode 100644 queue-5.4/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch create mode 100644 queue-5.4/acpi-processor-fix-acpi_object-initialization.patch create mode 100644 queue-5.4/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch create mode 100644 queue-5.4/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch create mode 100644 queue-5.4/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch create mode 100644 queue-5.4/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch create mode 100644 queue-5.4/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch create mode 100644 queue-5.4/arm64-handle-kcov-__init-vs-inline-mismatches.patch create mode 100644 queue-5.4/asoc-codecs-rt5640-retry-device_id-verification.patch create mode 100644 queue-5.4/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch create mode 100644 queue-5.4/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch create mode 100644 queue-5.4/be2net-use-correct-byte-order-and-format-string-for-.patch create mode 100644 queue-5.4/can-ti_hecc-fix-woverflow-compiler-warning.patch create mode 100644 queue-5.4/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch create mode 100644 queue-5.4/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch create mode 100644 queue-5.4/cpufreq-exit-governor-when-failed-to-start-old-gover.patch create mode 100644 queue-5.4/drbd-add-missing-kref_get-in-handle_write_conflicts.patch create mode 100644 queue-5.4/et131x-add-missing-check-after-dma-map.patch create mode 100644 queue-5.4/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch create mode 100644 queue-5.4/fs-orangefs-use-snprintf-instead-of-sprintf.patch create mode 100644 queue-5.4/gpio-tps65912-check-the-return-value-of-regmap_updat.patch create mode 100644 queue-5.4/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch create mode 100644 queue-5.4/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch create mode 100644 queue-5.4/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch create mode 100644 queue-5.4/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch create mode 100644 queue-5.4/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch create mode 100644 queue-5.4/i3c-add-missing-include-to-internal-header.patch create mode 100644 queue-5.4/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch create mode 100644 queue-5.4/ipmi-fix-strcpy-source-and-destination-the-same.patch create mode 100644 queue-5.4/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch create mode 100644 queue-5.4/jfs-regular-file-corruption-check.patch create mode 100644 queue-5.4/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch create mode 100644 queue-5.4/jfs-upper-bound-check-of-tree-index-in-dballocag.patch create mode 100644 queue-5.4/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch create mode 100644 queue-5.4/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch create mode 100644 queue-5.4/kconfig-lxdialog-fix-space-to-de-select-options.patch create mode 100644 queue-5.4/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch create mode 100644 queue-5.4/kconfig-nconf-ensure-null-termination-where-strncpy-.patch create mode 100644 queue-5.4/ktest.pl-prevent-recursion-of-default-variable-optio.patch create mode 100644 queue-5.4/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch create mode 100644 queue-5.4/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch create mode 100644 queue-5.4/media-tc358743-check-i2c-succeeded-during-probe.patch create mode 100644 queue-5.4/media-tc358743-increase-fifo-trigger-level-to-374.patch create mode 100644 queue-5.4/media-tc358743-return-an-appropriate-colorspace-from.patch create mode 100644 queue-5.4/media-usb-hdpvr-disable-zero-length-read-messages.patch create mode 100644 queue-5.4/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch create mode 100644 queue-5.4/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch create mode 100644 queue-5.4/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch create mode 100644 queue-5.4/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch create mode 100644 queue-5.4/net-ag71xx-add-missing-check-after-dma-map.patch create mode 100644 queue-5.4/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch create mode 100644 queue-5.4/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch create mode 100644 queue-5.4/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch create mode 100644 queue-5.4/net-fec-allow-disable-coalescing.patch create mode 100644 queue-5.4/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch create mode 100644 queue-5.4/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch create mode 100644 queue-5.4/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch create mode 100644 queue-5.4/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch create mode 100644 queue-5.4/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch create mode 100644 queue-5.4/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch create mode 100644 queue-5.4/pci-pnv_php-work-around-switches-with-broken-presenc.patch create mode 100644 queue-5.4/pinctrl-stm32-manage-irq-affinity-settings.patch create mode 100644 queue-5.4/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch create mode 100644 queue-5.4/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch create mode 100644 queue-5.4/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch create mode 100644 queue-5.4/pm-sleep-console-fix-the-black-screen-issue.patch create mode 100644 queue-5.4/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch create mode 100644 queue-5.4/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch create mode 100644 queue-5.4/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch create mode 100644 queue-5.4/pnfs-handle-rpc-size-limit-for-layoutcommits.patch create mode 100644 queue-5.4/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch create mode 100644 queue-5.4/rcu-protect-defer_qs_iw_pending-from-data-race.patch create mode 100644 queue-5.4/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch create mode 100644 queue-5.4/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch create mode 100644 queue-5.4/s390-stp-remove-udelay-from-stp_sync_clock.patch create mode 100644 queue-5.4/s390-time-use-monotonic-clock-in-get_cycles.patch create mode 100644 queue-5.4/scsi-aacraid-stop-using-pci_irq_affinity.patch create mode 100644 queue-5.4/scsi-bfa-double-free-fix.patch create mode 100644 queue-5.4/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch create mode 100644 queue-5.4/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch create mode 100644 queue-5.4/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch create mode 100644 queue-5.4/scsi-mpt3sas-correctly-handle-ata-device-errors.patch create mode 100644 queue-5.4/securityfs-don-t-pin-dentries-twice-once-is-enough.patch create mode 100644 queue-5.4/selftests-futex-define-sys_futex-on-32-bit-architect.patch create mode 100644 queue-5.4/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch create mode 100644 queue-5.4/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch create mode 100644 queue-5.4/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch create mode 100644 queue-5.4/udf-verify-partition-map-count.patch create mode 100644 queue-5.4/usb-core-usb_submit_urb-downgrade-type-check.patch create mode 100644 queue-5.4/usb-xhci-avoid-showing-errors-during-surprise-remova.patch create mode 100644 queue-5.4/usb-xhci-avoid-showing-warnings-for-dying-controller.patch create mode 100644 queue-5.4/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch create mode 100644 queue-5.4/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch create mode 100644 queue-5.4/vhost-fail-early-when-__vhost_add_used-fails.patch create mode 100644 queue-5.4/watchdog-dw_wdt-fix-default-timeout.patch create mode 100644 queue-5.4/wifi-cfg80211-fix-interface-type-validation.patch create mode 100644 queue-5.4/wifi-cfg80211-reject-htc-bit-for-management-frames.patch create mode 100644 queue-5.4/wifi-iwlegacy-check-rate_idx-range-after-addition.patch create mode 100644 queue-5.4/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch create mode 100644 queue-5.4/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch create mode 100644 queue-5.4/wifi-iwlwifi-mvm-fix-scan-request-validation.patch create mode 100644 queue-5.4/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch diff --git a/queue-5.4/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch b/queue-5.4/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch new file mode 100644 index 0000000000..0673b010bf --- /dev/null +++ b/queue-5.4/acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch @@ -0,0 +1,43 @@ +From ccf2c3dd2a9f6ebc30a893f4f81280214ad39ed1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 08:39:51 -0700 +Subject: ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path + +From: Breno Leitao + +[ Upstream commit 4734c8b46b901cff2feda8b82abc710b65dc31c1 ] + +When a GHES (Generic Hardware Error Source) triggers a panic, add the +TAINT_MACHINE_CHECK taint flag to the kernel. This explicitly marks the +kernel as tainted due to a machine check event, improving diagnostics +and post-mortem analysis. The taint is set with LOCKDEP_STILL_OK to +indicate lockdep remains valid. + +At large scale deployment, this helps to quickly determine panics that +are coming due to hardware failures. + +Signed-off-by: Breno Leitao +Reviewed-by: Tony Luck +Link: https://patch.msgid.link/20250702-add_tain-v1-1-9187b10914b9@debian.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index 50bed5a70812..d02d7cbab387 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -709,6 +709,8 @@ static void __ghes_panic(struct ghes *ghes, + + __ghes_print_estatus(KERN_EMERG, ghes->generic, estatus); + ++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK); ++ + ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx); + + if (!panic_timeout) +-- +2.39.5 + diff --git a/queue-5.4/acpi-processor-fix-acpi_object-initialization.patch b/queue-5.4/acpi-processor-fix-acpi_object-initialization.patch new file mode 100644 index 0000000000..b6defa4600 --- /dev/null +++ b/queue-5.4/acpi-processor-fix-acpi_object-initialization.patch @@ -0,0 +1,41 @@ +From 93f0b6c2f0e81f73d80874cdb85e1a16aeefc959 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:42:15 +0200 +Subject: ACPI: processor: fix acpi_object initialization + +From: Sebastian Ott + +[ Upstream commit 13edf7539211d8f7d0068ce3ed143005f1da3547 ] + +Initialization of the local acpi_object in acpi_processor_get_info() +only sets the first 4 bytes to zero and is thus incomplete. This is +indicated by messages like: + acpi ACPI0007:be: Invalid PBLK length [166288104] + +Fix this by initializing all 16 bytes of the processor member of that +union. + +Signed-off-by: Sebastian Ott +Link: https://patch.msgid.link/20250703124215.12522-1-sebott@redhat.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_processor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c +index c8338d627857..9cbf0593da05 100644 +--- a/drivers/acpi/acpi_processor.c ++++ b/drivers/acpi/acpi_processor.c +@@ -228,7 +228,7 @@ static inline int acpi_processor_hotadd_init(struct acpi_processor *pr) + + static int acpi_processor_get_info(struct acpi_device *device) + { +- union acpi_object object = { 0 }; ++ union acpi_object object = { .processor = { 0 } }; + struct acpi_buffer buffer = { sizeof(union acpi_object), &object }; + struct acpi_processor *pr = acpi_driver_data(device); + int device_declaration = 0; +-- +2.39.5 + diff --git a/queue-5.4/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch b/queue-5.4/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch new file mode 100644 index 0000000000..4db16b390a --- /dev/null +++ b/queue-5.4/alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch @@ -0,0 +1,41 @@ +From 80fd41366ff6e6f9dae0f00c5a591769eef9aa63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 19:50:12 +0200 +Subject: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control + +From: Lucy Thrun + +[ Upstream commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 ] + +The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte +buffer if either string argument is too long. This triggers a compiler +warning. +Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent +overflow. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/ +Signed-off-by: Lucy Thrun +Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 40f50571ad63..dee38dd872b5 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -4014,7 +4014,7 @@ static int add_tuning_control(struct hda_codec *codec, + } + knew.private_value = + HDA_COMPOSE_AMP_VAL(nid, 1, 0, type); +- sprintf(namestr, "%s %s Volume", name, dirstr[dir]); ++ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]); + return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec)); + } + +-- +2.39.5 + diff --git a/queue-5.4/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch b/queue-5.4/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch new file mode 100644 index 0000000000..1dfad12ed9 --- /dev/null +++ b/queue-5.4/alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch @@ -0,0 +1,37 @@ +From 92cbbb99deb05998bb9243fc5589ba9950bc5e21 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jun 2025 11:52:24 -0700 +Subject: ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 + +From: Alok Tiwari + +[ Upstream commit 87aafc8580acf87fcaf1a7e30ed858d8c8d37d81 ] + +code mistakenly used a hardcoded index (codec[1]) instead of +iterating, over the codec array using the loop variable i. +Use codec[i] instead of codec[1] to match the loop iteration. + +Signed-off-by: Alok Tiwari +Link: https://patch.msgid.link/20250621185233.4081094-1-alok.a.tiwari@oracle.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/intel8x0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c +index 5150e8d38975..87a23a4660e8 100644 +--- a/sound/pci/intel8x0.c ++++ b/sound/pci/intel8x0.c +@@ -2285,7 +2285,7 @@ static int snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock, + tmp |= chip->ac97_sdin[0] << ICH_DI1L_SHIFT; + for (i = 1; i < 4; i++) { + if (pcm->r[0].codec[i]) { +- tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT; ++ tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT; + break; + } + } +-- +2.39.5 + diff --git a/queue-5.4/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch b/queue-5.4/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch new file mode 100644 index 0000000000..ee308c8cb6 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch @@ -0,0 +1,61 @@ +From e2e8dcfb9a58bcb703fc36282fdd7a690c0a27ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 May 2025 17:07:42 +0300 +Subject: ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros + +From: Cristian Ciocaltea + +[ Upstream commit fd3ab72e42e9871a9902b945a2bf8bb87b49c718 ] + +Fix all macro related issues identified by checkpatch.pl: + + CHECK: Macro argument 'x' may be better as '(x)' to avoid precedence issues + +Signed-off-by: Cristian Ciocaltea +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20250526-dualsense-alsa-jack-v1-3-1a821463b632@collabora.com +Signed-off-by: Sasha Levin +--- + sound/usb/mixer_quirks.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c +index e752b6bb03ec..04267d4e3ecf 100644 +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1990,15 +1990,15 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer) + #define SND_RME_CLK_FREQMUL_SHIFT 18 + #define SND_RME_CLK_FREQMUL_MASK 0x7 + #define SND_RME_CLK_SYSTEM(x) \ +- ((x >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK) ++ (((x) >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK) + #define SND_RME_CLK_AES(x) \ +- ((x >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) ++ (((x) >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) + #define SND_RME_CLK_SPDIF(x) \ +- ((x >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) ++ (((x) >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK) + #define SND_RME_CLK_SYNC(x) \ +- ((x >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK) ++ (((x) >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK) + #define SND_RME_CLK_FREQMUL(x) \ +- ((x >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK) ++ (((x) >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK) + #define SND_RME_CLK_AES_LOCK 0x1 + #define SND_RME_CLK_AES_SYNC 0x4 + #define SND_RME_CLK_SPDIF_LOCK 0x2 +@@ -2007,9 +2007,9 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer) + #define SND_RME_SPDIF_FORMAT_SHIFT 5 + #define SND_RME_BINARY_MASK 0x1 + #define SND_RME_SPDIF_IF(x) \ +- ((x >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK) ++ (((x) >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK) + #define SND_RME_SPDIF_FORMAT(x) \ +- ((x >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK) ++ (((x) >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK) + + static const u32 snd_rme_rate_table[] = { + 32000, 44100, 48000, 50000, +-- +2.39.5 + diff --git a/queue-5.4/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch b/queue-5.4/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch new file mode 100644 index 0000000000..54eed78194 --- /dev/null +++ b/queue-5.4/arm-rockchip-fix-kernel-hang-during-smp-initializati.patch @@ -0,0 +1,70 @@ +From f8dc79dbf8846424d5321f7d2dfee4ae694e5b2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 17:04:53 +0300 +Subject: ARM: rockchip: fix kernel hang during smp initialization + +From: Alexander Kochetkov + +[ Upstream commit 7cdb433bb44cdc87dc5260cdf15bf03cc1cd1814 ] + +In order to bring up secondary CPUs main CPU write trampoline +code to SRAM. The trampoline code is written while secondary +CPUs are powered on (at least that true for RK3188 CPU). +Sometimes that leads to kernel hang. Probably because secondary +CPU execute trampoline code while kernel doesn't expect. + +The patch moves SRAM initialization step to the point where all +secondary CPUs are powered down. + +That fixes rarely hangs on RK3188: +[ 0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000 +[ 0.091996] rockchip_smp_prepare_cpus: ncores 4 + +Signed-off-by: Alexander Kochetkov +Link: https://lore.kernel.org/r/20250703140453.1273027-1-al.kochet@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm/mach-rockchip/platsmp.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/mach-rockchip/platsmp.c b/arch/arm/mach-rockchip/platsmp.c +index 649e0a54784c..246a525d1d26 100644 +--- a/arch/arm/mach-rockchip/platsmp.c ++++ b/arch/arm/mach-rockchip/platsmp.c +@@ -279,11 +279,6 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus) + } + + if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) { +- if (rockchip_smp_prepare_sram(node)) { +- of_node_put(node); +- return; +- } +- + /* enable the SCU power domain */ + pmu_set_power_domain(PMU_PWRDN_SCU, true); + +@@ -316,11 +311,19 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus) + asm ("mrc p15, 1, %0, c9, c0, 2\n" : "=r" (l2ctlr)); + ncores = ((l2ctlr >> 24) & 0x3) + 1; + } +- of_node_put(node); + + /* Make sure that all cores except the first are really off */ + for (i = 1; i < ncores; i++) + pmu_set_power_domain(0 + i, false); ++ ++ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) { ++ if (rockchip_smp_prepare_sram(node)) { ++ of_node_put(node); ++ return; ++ } ++ } ++ ++ of_node_put(node); + } + + static void __init rk3036_smp_prepare_cpus(unsigned int max_cpus) +-- +2.39.5 + diff --git a/queue-5.4/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch b/queue-5.4/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch new file mode 100644 index 0000000000..34d8172b20 --- /dev/null +++ b/queue-5.4/arm-tegra-use-i-o-memcpy-to-write-to-iram.patch @@ -0,0 +1,36 @@ +From 1c489158cce9e5b27ec9fd3ade6ad2863870c3cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 11:11:24 -0500 +Subject: ARM: tegra: Use I/O memcpy to write to IRAM + +From: Aaron Kling + +[ Upstream commit 398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1 ] + +Kasan crashes the kernel trying to check boundaries when using the +normal memcpy. + +Signed-off-by: Aaron Kling +Link: https://lore.kernel.org/r/20250522-mach-tegra-kasan-v1-1-419041b8addb@gmail.com +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + arch/arm/mach-tegra/reset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-tegra/reset.c b/arch/arm/mach-tegra/reset.c +index 76a65df42d10..dce0cb1fdd6f 100644 +--- a/arch/arm/mach-tegra/reset.c ++++ b/arch/arm/mach-tegra/reset.c +@@ -63,7 +63,7 @@ static void __init tegra_cpu_reset_handler_enable(void) + BUG_ON(is_enabled); + BUG_ON(tegra_cpu_reset_handler_size > TEGRA_IRAM_RESET_HANDLER_SIZE); + +- memcpy(iram_base, (void *)__tegra_cpu_reset_handler_start, ++ memcpy_toio(iram_base, (void *)__tegra_cpu_reset_handler_start, + tegra_cpu_reset_handler_size); + + err = call_firmware_op(set_cpu_boot_addr, 0, reset_address); +-- +2.39.5 + diff --git a/queue-5.4/arm64-handle-kcov-__init-vs-inline-mismatches.patch b/queue-5.4/arm64-handle-kcov-__init-vs-inline-mismatches.patch new file mode 100644 index 0000000000..239c106946 --- /dev/null +++ b/queue-5.4/arm64-handle-kcov-__init-vs-inline-mismatches.patch @@ -0,0 +1,51 @@ +From eae588e0989350f822d9d45f9531555ef240f0bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 22:50:25 -0700 +Subject: arm64: Handle KCOV __init vs inline mismatches + +From: Kees Cook + +[ Upstream commit 65c430906efffee9bd7551d474f01a6b1197df90 ] + +GCC appears to have kind of fragile inlining heuristics, in the +sense that it can change whether or not it inlines something based on +optimizations. It looks like the kcov instrumentation being added (or in +this case, removed) from a function changes the optimization results, +and some functions marked "inline" are _not_ inlined. In that case, +we end up with __init code calling a function not marked __init, and we +get the build warnings I'm trying to eliminate in the coming patch that +adds __no_sanitize_coverage to __init functions: + +WARNING: modpost: vmlinux: section mismatch in reference: acpi_get_enable_method+0x1c (section: .text.unlikely) -> acpi_psci_present (section: .init.text) + +This problem is somewhat fragile (though using either __always_inline +or __init will deterministically solve it), but we've tripped over +this before with GCC and the solution has usually been to just use +__always_inline and move on. + +For arm64 this requires forcing one ACPI function to be inlined with +__always_inline. + +Link: https://lore.kernel.org/r/20250724055029.3623499-1-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/acpi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/include/asm/acpi.h b/arch/arm64/include/asm/acpi.h +index cbf97e648d19..d1ddf5575973 100644 +--- a/arch/arm64/include/asm/acpi.h ++++ b/arch/arm64/include/asm/acpi.h +@@ -141,7 +141,7 @@ acpi_set_mailbox_entry(int cpu, struct acpi_madt_generic_interrupt *processor) + {} + #endif + +-static inline const char *acpi_get_enable_method(int cpu) ++static __always_inline const char *acpi_get_enable_method(int cpu) + { + if (acpi_psci_present()) + return "psci"; +-- +2.39.5 + diff --git a/queue-5.4/asoc-codecs-rt5640-retry-device_id-verification.patch b/queue-5.4/asoc-codecs-rt5640-retry-device_id-verification.patch new file mode 100644 index 0000000000..8aebde0c5f --- /dev/null +++ b/queue-5.4/asoc-codecs-rt5640-retry-device_id-verification.patch @@ -0,0 +1,48 @@ +From fcd2b022378276d364fa5f488a4e2bfed9c69a87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 May 2025 16:21:19 +0200 +Subject: ASoC: codecs: rt5640: Retry DEVICE_ID verification +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xinxin Wan + +[ Upstream commit 19f971057b2d7b99c80530ec1052b45de236a8da ] + +To be more resilient to codec-detection failures when the hardware +powers on slowly, add retry mechanism to the device verification check. +Similar pattern is found throughout a number of Realtek codecs. Our +tests show that 60ms delay is sufficient to address readiness issues on +rt5640 chip. + +Reviewed-by: Amadeusz Sławiński +Reviewed-by: Cezary Rojewski +Signed-off-by: Xinxin Wan +Signed-off-by: Cezary Rojewski +Link: https://patch.msgid.link/20250530142120.2944095-3-cezary.rojewski@intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt5640.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c +index 3bc63fbcb188..e290a83c20af 100644 +--- a/sound/soc/codecs/rt5640.c ++++ b/sound/soc/codecs/rt5640.c +@@ -2810,6 +2810,11 @@ static int rt5640_i2c_probe(struct i2c_client *i2c, + } + + regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val); ++ if (val != RT5640_DEVICE_ID) { ++ usleep_range(60000, 100000); ++ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val); ++ } ++ + if (val != RT5640_DEVICE_ID) { + dev_err(&i2c->dev, + "Device with ID register %#x is not rt5640/39\n", val); +-- +2.39.5 + diff --git a/queue-5.4/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch b/queue-5.4/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch new file mode 100644 index 0000000000..36fa84c776 --- /dev/null +++ b/queue-5.4/asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch @@ -0,0 +1,68 @@ +From 52bc50c8f4fa122a830df39515063a1a2b477187 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 17:41:04 +0100 +Subject: ASoC: hdac_hdmi: Rate limit logging on connection and disconnection + +From: Mark Brown + +[ Upstream commit c4ca928a6db1593802cd945f075a7e21dd0430c1 ] + +We currently log parse failures for ELD data and some disconnection events +as errors without rate limiting. These log messages can be triggered very +frequently in some situations, especially ELD parsing when there is nothing +connected to a HDMI port which will generate: + +hdmi-audio-codec hdmi-audio-codec.1.auto: HDMI: Unknown ELD version 0 + +While there's doubtless work that could be done on reducing the number of +connection notification callbacks it's possible these may be legitimately +generated by poor quality physical connections so let's use rate limiting +to mitigate the log spam for the parse errors and lower the severity for +disconnect logging to debug level. + +Signed-off-by: Mark Brown +Link: https://patch.msgid.link/20250613-asoc-hdmi-eld-logging-v1-1-76d64154d969@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/hdac_hdmi.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c +index 78d5b4d31bb6..71d13b413418 100644 +--- a/sound/soc/codecs/hdac_hdmi.c ++++ b/sound/soc/codecs/hdac_hdmi.c +@@ -1231,7 +1231,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev, + >> DRM_ELD_VER_SHIFT; + + if (ver != ELD_VER_CEA_861D && ver != ELD_VER_PARTIAL) { +- dev_err(&hdev->dev, "HDMI: Unknown ELD version %d\n", ver); ++ dev_err_ratelimited(&hdev->dev, ++ "HDMI: Unknown ELD version %d\n", ver); + return -EINVAL; + } + +@@ -1239,7 +1240,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev, + DRM_ELD_MNL_MASK) >> DRM_ELD_MNL_SHIFT; + + if (mnl > ELD_MAX_MNL) { +- dev_err(&hdev->dev, "HDMI: MNL Invalid %d\n", mnl); ++ dev_err_ratelimited(&hdev->dev, ++ "HDMI: MNL Invalid %d\n", mnl); + return -EINVAL; + } + +@@ -1293,8 +1295,8 @@ static void hdac_hdmi_present_sense(struct hdac_hdmi_pin *pin, + + if (!port->eld.monitor_present || !port->eld.eld_valid) { + +- dev_err(&hdev->dev, "%s: disconnect for pin:port %d:%d\n", +- __func__, pin->nid, port->id); ++ dev_dbg(&hdev->dev, "%s: disconnect for pin:port %d:%d\n", ++ __func__, pin->nid, port->id); + + /* + * PCMs are not registered during device probe, so don't +-- +2.39.5 + diff --git a/queue-5.4/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch b/queue-5.4/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch new file mode 100644 index 0000000000..b5f994f6fa --- /dev/null +++ b/queue-5.4/asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch @@ -0,0 +1,73 @@ +From 1221704663aede5e5c009054abb1c35a2810c673 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 02:26:39 +0000 +Subject: ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was + successed + +From: Kuninori Morimoto + +[ Upstream commit f40ecc2743652c0b0f19935f81baf57c601eb7f0 ] + +ASoC has 2 functions to set bias level. + (A) snd_soc_dapm_force_bias_level() + (B) snd_soc_dapm_set_bias_level() + +snd_soc_dapm_force_bias_level() (A) will set dapm->bias_level (a) if +successed. + +(A) int snd_soc_dapm_force_bias_level(...) + { + ... + if (ret == 0) +(a) dapm->bias_level = level; + ... + } + +snd_soc_dapm_set_bias_level() (B) is also a function that sets bias_level. +It will call snd_soc_dapm_force_bias_level() (A) inside, but doesn't +set dapm->bias_level by itself. One note is that (A) might not be called. + +(B) static int snd_soc_dapm_set_bias_level(...) + { + ... + ret = snd_soc_card_set_bias_level(...); + ... + if (dapm != &card->dapm) +(A) ret = snd_soc_dapm_force_bias_level(...); + ... + ret = snd_soc_card_set_bias_level_post(...); + ... + } + +dapm->bias_level will be set if (A) was called, but might not be set +if (B) was called, even though it calles set_bias_level() function. + +We should set dapm->bias_level if we calls +snd_soc_dapm_set_bias_level() (B), too. + +Signed-off-by: Kuninori Morimoto +Link: https://patch.msgid.link/87qzyn4g4h.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 9f764d92469e..6142ce468c3b 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -741,6 +741,10 @@ static int snd_soc_dapm_set_bias_level(struct snd_soc_dapm_context *dapm, + out: + trace_snd_soc_bias_level_done(card, level); + ++ /* success */ ++ if (ret == 0) ++ snd_soc_dapm_init_bias_level(dapm, level); ++ + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.4/be2net-use-correct-byte-order-and-format-string-for-.patch b/queue-5.4/be2net-use-correct-byte-order-and-format-string-for-.patch new file mode 100644 index 0000000000..f04c3d822e --- /dev/null +++ b/queue-5.4/be2net-use-correct-byte-order-and-format-string-for-.patch @@ -0,0 +1,53 @@ +From ecb5c5248af73958143e48fa441775b96ba54455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 12:35:47 -0700 +Subject: be2net: Use correct byte order and format string for TCP seq and + ack_seq + +From: Alok Tiwari + +[ Upstream commit 4701ee5044fb3992f1c910630a9673c2dc600ce5 ] + +The TCP header fields seq and ack_seq are 32-bit values in network +byte order as (__be32). these fields were earlier printed using +ntohs(), which converts only 16-bit values and produces incorrect +results for 32-bit fields. This patch is changeing the conversion +to ntohl(), ensuring correct interpretation of these sequence numbers. + +Notably, the format specifier is updated from %d to %u to reflect the +unsigned nature of these fields. + +improves the accuracy of debug log messages for TCP sequence and +acknowledgment numbers during TX timeouts. + +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250717193552.3648791-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 4b9380003c85..ce235def334f 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -1467,10 +1467,10 @@ static void be_tx_timeout(struct net_device *netdev) + ntohs(tcphdr->source)); + dev_info(dev, "TCP dest port %d\n", + ntohs(tcphdr->dest)); +- dev_info(dev, "TCP sequence num %d\n", +- ntohs(tcphdr->seq)); +- dev_info(dev, "TCP ack_seq %d\n", +- ntohs(tcphdr->ack_seq)); ++ dev_info(dev, "TCP sequence num %u\n", ++ ntohl(tcphdr->seq)); ++ dev_info(dev, "TCP ack_seq %u\n", ++ ntohl(tcphdr->ack_seq)); + } else if (ip_hdr(skb)->protocol == + IPPROTO_UDP) { + udphdr = udp_hdr(skb); +-- +2.39.5 + diff --git a/queue-5.4/can-ti_hecc-fix-woverflow-compiler-warning.patch b/queue-5.4/can-ti_hecc-fix-woverflow-compiler-warning.patch new file mode 100644 index 0000000000..afc707a55a --- /dev/null +++ b/queue-5.4/can-ti_hecc-fix-woverflow-compiler-warning.patch @@ -0,0 +1,40 @@ +From 061439123b8958a480b2e95d738e9b8fc707039e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 20:28:11 +0900 +Subject: can: ti_hecc: fix -Woverflow compiler warning + +From: Vincent Mailhol + +[ Upstream commit 7cae4d04717b002cffe41169da3f239c845a0723 ] + +Fix below default (W=0) warning: + + drivers/net/can/ti_hecc.c: In function 'ti_hecc_start': + drivers/net/can/ti_hecc.c:386:20: warning: conversion from 'long unsigned int' to 'u32' {aka 'unsigned int'} changes value from '18446744073709551599' to '4294967279' [-Woverflow] + 386 | mbx_mask = ~BIT(HECC_RX_LAST_MBOX); + | ^ + +Signed-off-by: Vincent Mailhol +Link: https://patch.msgid.link/20250715-can-compile-test-v2-1-f7fd566db86f@wanadoo.fr +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/ti_hecc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c +index d0a05fc5cc32..905fc3690e61 100644 +--- a/drivers/net/can/ti_hecc.c ++++ b/drivers/net/can/ti_hecc.c +@@ -393,7 +393,7 @@ static void ti_hecc_start(struct net_device *ndev) + * overflows instead of the hardware silently dropping the + * messages. + */ +- mbx_mask = ~BIT(HECC_RX_LAST_MBOX); ++ mbx_mask = ~BIT_U32(HECC_RX_LAST_MBOX); + hecc_write(priv, HECC_CANOPC, mbx_mask); + + /* Enable interrupts */ +-- +2.39.5 + diff --git a/queue-5.4/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch b/queue-5.4/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch new file mode 100644 index 0000000000..db93cf4469 --- /dev/null +++ b/queue-5.4/cifs-fix-calling-cifsfindfirst-for-root-path-without.patch @@ -0,0 +1,60 @@ +From d11b4b8da895342f2327dd3d2a5f5142ffdac82b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Dec 2024 20:54:11 +0100 +Subject: cifs: Fix calling CIFSFindFirst() for root path without msearch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit b460249b9a1dab7a9f58483e5349d045ad6d585c ] + +To query root path (without msearch wildcard) it is needed to +send pattern '\' instead of '' (empty string). + +This allows to use CIFSFindFirst() to query information about root path +which is being used in followup changes. + +This change fixes the stat() syscall called on the root path on the mount. +It is because stat() syscall uses the cifs_query_path_info() function and +it can fallback to the CIFSFindFirst() usage with msearch=false. + +Signed-off-by: Pali Rohár +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifssmb.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c +index f924f05b1829..ea444c8d0c40 100644 +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -4544,6 +4544,12 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon, + pSMB->FileName[name_len] = 0; + pSMB->FileName[name_len+1] = 0; + name_len += 2; ++ } else if (!searchName[0]) { ++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb); ++ pSMB->FileName[1] = 0; ++ pSMB->FileName[2] = 0; ++ pSMB->FileName[3] = 0; ++ name_len = 4; + } + } else { + name_len = copy_path_name(pSMB->FileName, searchName); +@@ -4555,6 +4561,10 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon, + pSMB->FileName[name_len] = '*'; + pSMB->FileName[name_len+1] = 0; + name_len += 2; ++ } else if (!searchName[0]) { ++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb); ++ pSMB->FileName[1] = 0; ++ name_len = 2; + } + } + +-- +2.39.5 + diff --git a/queue-5.4/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch b/queue-5.4/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch new file mode 100644 index 0000000000..f441eb310e --- /dev/null +++ b/queue-5.4/cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch @@ -0,0 +1,51 @@ +From d3edd23ecdf60b304927941961e01d26a007e123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 05:55:40 +0000 +Subject: cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag + +From: Prashant Malani + +[ Upstream commit 0a1416a49e63c320f6e6c1c8d07e1b58c0d4a3f3 ] + +AMU counters on certain CPPC-based platforms tend to yield inaccurate +delivered performance measurements on systems that are idle/mostly idle. +This results in an inaccurate frequency being stored by cpufreq in its +policy structure when the CPU is brought online. [1] + +Consequently, if the userspace governor tries to set the frequency to a +new value, there is a possibility that it would be the erroneous value +stored earlier. In such a scenario, cpufreq would assume that the +requested frequency has already been set and return early, resulting in +the correct/new frequency request never making it to the hardware. + +Since the operating frequency is liable to this sort of inconsistency, +mark the CPPC driver with CPUFREQ_NEED_UPDATE_LIMITS so that it is always +invoked when a target frequency update is requested. + +Link: https://lore.kernel.org/linux-pm/20250619000925.415528-3-pmalani@google.com/ [1] +Suggested-by: Rafael J. Wysocki +Signed-off-by: Prashant Malani +Acked-by: Viresh Kumar +Link: https://patch.msgid.link/20250722055611.130574-2-pmalani@google.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cppc_cpufreq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c +index 8910fd1ae3c6..c85b01aa801d 100644 +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -407,7 +407,7 @@ static unsigned int cppc_cpufreq_get_rate(unsigned int cpunum) + } + + static struct cpufreq_driver cppc_cpufreq_driver = { +- .flags = CPUFREQ_CONST_LOOPS, ++ .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS, + .verify = cppc_verify_policy, + .target = cppc_cpufreq_set_target, + .get = cppc_cpufreq_get_rate, +-- +2.39.5 + diff --git a/queue-5.4/cpufreq-exit-governor-when-failed-to-start-old-gover.patch b/queue-5.4/cpufreq-exit-governor-when-failed-to-start-old-gover.patch new file mode 100644 index 0000000000..f507315625 --- /dev/null +++ b/queue-5.4/cpufreq-exit-governor-when-failed-to-start-old-gover.patch @@ -0,0 +1,43 @@ +From 3f0d9826c72f92868882258a800eebb6c5ad6246 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 18:41:45 +0800 +Subject: cpufreq: Exit governor when failed to start old governor + +From: Lifeng Zheng + +[ Upstream commit 0ae204405095abfbc2d694ee0fbb49bcbbe55c57 ] + +Detect the result of starting old governor in cpufreq_set_policy(). If it +fails, exit the governor and clear policy->governor. + +Signed-off-by: Lifeng Zheng +Link: https://patch.msgid.link/20250709104145.2348017-5-zhenglifeng1@huawei.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 00f12d23077c..0f8777343e21 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2483,10 +2483,12 @@ static int cpufreq_set_policy(struct cpufreq_policy *policy, + pr_debug("starting governor %s failed\n", policy->governor->name); + if (old_gov) { + policy->governor = old_gov; +- if (cpufreq_init_governor(policy)) ++ if (cpufreq_init_governor(policy)) { + policy->governor = NULL; +- else +- cpufreq_start_governor(policy); ++ } else if (cpufreq_start_governor(policy)) { ++ cpufreq_exit_governor(policy); ++ policy->governor = NULL; ++ } + } + + return ret; +-- +2.39.5 + diff --git a/queue-5.4/drbd-add-missing-kref_get-in-handle_write_conflicts.patch b/queue-5.4/drbd-add-missing-kref_get-in-handle_write_conflicts.patch new file mode 100644 index 0000000000..b1997255da --- /dev/null +++ b/queue-5.4/drbd-add-missing-kref_get-in-handle_write_conflicts.patch @@ -0,0 +1,65 @@ +From e6675eb604841e460de8af0e9f7eb90f8404d4a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 11:57:28 +0200 +Subject: drbd: add missing kref_get in handle_write_conflicts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sarah Newman + +[ Upstream commit 00c9c9628b49e368d140cfa61d7df9b8922ec2a8 ] + +With `two-primaries` enabled, DRBD tries to detect "concurrent" writes +and handle write conflicts, so that even if you write to the same sector +simultaneously on both nodes, they end up with the identical data once +the writes are completed. + +In handling "superseeded" writes, we forgot a kref_get, +resulting in a premature drbd_destroy_device and use after free, +and further to kernel crashes with symptoms. + +Relevance: No one should use DRBD as a random data generator, and apparently +all users of "two-primaries" handle concurrent writes correctly on layer up. +That is cluster file systems use some distributed lock manager, +and live migration in virtualization environments stops writes on one node +before starting writes on the other node. + +Which means that other than for "test cases", +this code path is never taken in real life. + +FYI, in DRBD 9, things are handled differently nowadays. We still detect +"write conflicts", but no longer try to be smart about them. +We decided to disconnect hard instead: upper layers must not submit concurrent +writes. If they do, that's their fault. + +Signed-off-by: Sarah Newman +Signed-off-by: Lars Ellenberg +Signed-off-by: Christoph Böhmwalder +Link: https://lore.kernel.org/r/20250627095728.800688-1-christoph.boehmwalder@linbit.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index d94f41a0abbe..d75050b0d1b3 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -2531,7 +2531,11 @@ static int handle_write_conflicts(struct drbd_device *device, + peer_req->w.cb = superseded ? e_send_superseded : + e_send_retry_write; + list_add_tail(&peer_req->w.list, &device->done_ee); +- queue_work(connection->ack_sender, &peer_req->peer_device->send_acks_work); ++ /* put is in drbd_send_acks_wf() */ ++ kref_get(&device->kref); ++ if (!queue_work(connection->ack_sender, ++ &peer_req->peer_device->send_acks_work)) ++ kref_put(&device->kref, drbd_destroy_device); + + err = -ENOENT; + goto out; +-- +2.39.5 + diff --git a/queue-5.4/et131x-add-missing-check-after-dma-map.patch b/queue-5.4/et131x-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..e44be4e77e --- /dev/null +++ b/queue-5.4/et131x-add-missing-check-after-dma-map.patch @@ -0,0 +1,100 @@ +From 827ffaf2cc6b14bff005c61249015c4f2fa1e35e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:47:30 +0200 +Subject: et131x: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit d61f6cb6f6ef3c70d2ccc0d9c85c508cb8017da9 ] + +The DMA map functions can fail and should be tested for errors. +If the mapping fails, unmap and return an error. + +Signed-off-by: Thomas Fourier +Acked-by: Mark Einon +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250716094733.28734-2-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/agere/et131x.c | 36 +++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/drivers/net/ethernet/agere/et131x.c b/drivers/net/ethernet/agere/et131x.c +index 174344c450af..f6232e8178b8 100644 +--- a/drivers/net/ethernet/agere/et131x.c ++++ b/drivers/net/ethernet/agere/et131x.c +@@ -2464,6 +2464,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb->data, + skb_headlen(skb), + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ return -ENOMEM; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2473,6 +2477,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb->data, + skb_headlen(skb) / 2, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ return -ENOMEM; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2483,6 +2491,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + skb_headlen(skb) / 2, + skb_headlen(skb) / 2, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, ++ dma_addr)) ++ goto unmap_first_out; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2494,6 +2506,9 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + 0, + desc[frag].len_vlan, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, dma_addr)) ++ goto unmap_out; ++ + desc[frag].addr_lo = lower_32_bits(dma_addr); + desc[frag].addr_hi = upper_32_bits(dma_addr); + frag++; +@@ -2583,6 +2598,27 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb) + &adapter->regs->global.watchdog_timer); + } + return 0; ++ ++unmap_out: ++ // Unmap the body of the packet with map_page ++ while (--i) { ++ frag--; ++ dma_addr = desc[frag].addr_lo; ++ dma_addr |= (u64)desc[frag].addr_hi << 32; ++ dma_unmap_page(&adapter->pdev->dev, dma_addr, ++ desc[frag].len_vlan, DMA_TO_DEVICE); ++ } ++ ++unmap_first_out: ++ // Unmap the header with map_single ++ while (frag--) { ++ dma_addr = desc[frag].addr_lo; ++ dma_addr |= (u64)desc[frag].addr_hi << 32; ++ dma_unmap_single(&adapter->pdev->dev, dma_addr, ++ desc[frag].len_vlan, DMA_TO_DEVICE); ++ } ++ ++ return -ENOMEM; + } + + static int send_packet(struct sk_buff *skb, struct et131x_adapter *adapter) +-- +2.39.5 + diff --git a/queue-5.4/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch b/queue-5.4/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch new file mode 100644 index 0000000000..0b6c4e72b4 --- /dev/null +++ b/queue-5.4/ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch @@ -0,0 +1,73 @@ +From b71becfa66c1f9024ced2e6be8beaf8b76fdeb8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:54:34 -0400 +Subject: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr + +From: Theodore Ts'o + +[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ] + +A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() +when an inode had the INLINE_DATA_FL flag set but was missing the +system.data extended attribute. + +Since this can happen due to a maiciouly fuzzed file system, we +shouldn't BUG, but rather, report it as a corrupted file system. + +Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii +ext4_create_inline_data() and ext4_inline_data_truncate(). + +Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/inline.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index 7e8892dad2d7..626be0ec3c7a 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -296,7 +296,11 @@ static int ext4_create_inline_data(handle_t *handle, + if (error) + goto out; + +- BUG_ON(!is.s.not_found); ++ if (!is.s.not_found) { ++ EXT4_ERROR_INODE(inode, "unexpected inline data xattr"); ++ error = -EFSCORRUPTED; ++ goto out; ++ } + + error = ext4_xattr_ibody_set(handle, inode, &i, &is); + if (error) { +@@ -347,7 +351,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode, + if (error) + goto out; + +- BUG_ON(is.s.not_found); ++ if (is.s.not_found) { ++ EXT4_ERROR_INODE(inode, "missing inline data xattr"); ++ error = -EFSCORRUPTED; ++ goto out; ++ } + + len -= EXT4_MIN_INLINE_DATA_SIZE; + value = kzalloc(len, GFP_NOFS); +@@ -1978,7 +1986,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline) + if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0) + goto out_error; + +- BUG_ON(is.s.not_found); ++ if (is.s.not_found) { ++ EXT4_ERROR_INODE(inode, ++ "missing inline data xattr"); ++ err = -EFSCORRUPTED; ++ goto out_error; ++ } + + value_len = le32_to_cpu(is.s.here->e_value_size); + value = kmalloc(value_len, GFP_NOFS); +-- +2.39.5 + diff --git a/queue-5.4/fs-orangefs-use-snprintf-instead-of-sprintf.patch b/queue-5.4/fs-orangefs-use-snprintf-instead-of-sprintf.patch new file mode 100644 index 0000000000..736f1dd7bd --- /dev/null +++ b/queue-5.4/fs-orangefs-use-snprintf-instead-of-sprintf.patch @@ -0,0 +1,47 @@ +From 0f49e8d5c4229245fb140466d9447b8ffbfd28d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Jun 2025 20:05:59 +0330 +Subject: fs/orangefs: use snprintf() instead of sprintf() + +From: Amir Mohammad Jahangirzad + +[ Upstream commit cdfa1304657d6f23be8fd2bb0516380a3c89034e ] + +sprintf() is discouraged for use with bounded destination buffers +as it does not prevent buffer overflows when the formatted output +exceeds the destination buffer size. snprintf() is a safer +alternative as it limits the number of bytes written and ensures +NUL-termination. + +Replace sprintf() with snprintf() for copying the debug string +into a temporary buffer, using ORANGEFS_MAX_DEBUG_STRING_LEN as +the maximum size to ensure safe formatting and prevent memory +corruption in edge cases. + +EDIT: After this patch sat on linux-next for a few days, Dan +Carpenter saw it and suggested that I use scnprintf instead of +snprintf. I made the change and retested. + +Signed-off-by: Amir Mohammad Jahangirzad +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index b57140ebfad0..cd4bfd92ebd6 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -354,7 +354,7 @@ static ssize_t orangefs_debug_read(struct file *file, + goto out; + + mutex_lock(&orangefs_debug_lock); +- sprintf_ret = sprintf(buf, "%s", (char *)file->private_data); ++ sprintf_ret = scnprintf(buf, ORANGEFS_MAX_DEBUG_STRING_LEN, "%s", (char *)file->private_data); + mutex_unlock(&orangefs_debug_lock); + + read_ret = simple_read_from_buffer(ubuf, count, ppos, buf, sprintf_ret); +-- +2.39.5 + diff --git a/queue-5.4/gpio-tps65912-check-the-return-value-of-regmap_updat.patch b/queue-5.4/gpio-tps65912-check-the-return-value-of-regmap_updat.patch new file mode 100644 index 0000000000..c66f7fac61 --- /dev/null +++ b/queue-5.4/gpio-tps65912-check-the-return-value-of-regmap_updat.patch @@ -0,0 +1,42 @@ +From dd7d733dedf5655b090f4167b33810fc77a9eab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Jul 2025 09:50:15 +0200 +Subject: gpio: tps65912: check the return value of regmap_update_bits() + +From: Bartosz Golaszewski + +[ Upstream commit a0b2a6bbff8c26aafdecd320f38f52c341d5cafa ] + +regmap_update_bits() can fail, check its return value like we do +elsewhere in the driver. + +Link: https://lore.kernel.org/r/20250707-gpiochip-set-rv-gpio-round4-v1-2-35668aaaf6d2@linaro.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-tps65912.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c +index 3ad68bd78282..736af805e54a 100644 +--- a/drivers/gpio/gpio-tps65912.c ++++ b/drivers/gpio/gpio-tps65912.c +@@ -49,10 +49,13 @@ static int tps65912_gpio_direction_output(struct gpio_chip *gc, + unsigned offset, int value) + { + struct tps65912_gpio *gpio = gpiochip_get_data(gc); ++ int ret; + + /* Set the initial value */ +- regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, +- GPIO_SET_MASK, value ? GPIO_SET_MASK : 0); ++ ret = regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, ++ GPIO_SET_MASK, value ? GPIO_SET_MASK : 0); ++ if (ret) ++ return ret; + + return regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset, + GPIO_CFG_MASK, GPIO_CFG_MASK); +-- +2.39.5 + diff --git a/queue-5.4/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch b/queue-5.4/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch new file mode 100644 index 0000000000..90166066ac --- /dev/null +++ b/queue-5.4/hfs-fix-not-erasing-deleted-b-tree-node-issue.patch @@ -0,0 +1,105 @@ +From 7bacecb4042b47cab9e23c823c0a07991dc2b0d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Apr 2025 17:12:11 -0700 +Subject: hfs: fix not erasing deleted b-tree node issue + +From: Viacheslav Dubeyko + +[ Upstream commit d3ed6d6981f4756f145766753c872482bc3b28d3 ] + +The generic/001 test of xfstests suite fails and corrupts +the HFS volume: + +sudo ./check generic/001 +FSTYP -- hfs +PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2> +MKFS_OPTIONS -- /dev/loop51 +MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch + +generic/001 32s ... _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent +(see /home/slavad/XFSTESTS-2/xfstests-dev/results//generic/001.full for details) + +Ran: generic/001 +Failures: generic/001 +Failed 1 of 1 tests + +fsck.hfs -d -n ./test-image.bin +** ./test-image.bin (NO WRITE) + Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K. + Executing fsck_hfs (version 540.1-Linux). +** Checking HFS volume. + The volume name is untitled +** Checking extents overflow file. +** Checking catalog file. + Unused node is not erased (node = 2) + Unused node is not erased (node = 4) + + Unused node is not erased (node = 253) + Unused node is not erased (node = 254) + Unused node is not erased (node = 255) + Unused node is not erased (node = 256) +** Checking catalog hierarchy. +** Checking volume bitmap. +** Checking volume information. + Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000 + CBTStat = 0x0004 CatStat = 0x00000000 +** The volume untitled was found corrupt and needs to be repaired. + volume type is HFS + primary MDB is at block 2 0x02 + alternate MDB is at block 20971518 0x13ffffe + primary VHB is at block 0 0x00 + alternate VHB is at block 0 0x00 + sector size = 512 0x200 + VolumeObject flags = 0x19 + total sectors for volume = 20971520 0x1400000 + total sectors for embedded volume = 0 0x00 + +This patch adds logic of clearing the deleted b-tree node. + +sudo ./check generic/001 +FSTYP -- hfs +PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2025 +MKFS_OPTIONS -- /dev/loop51 +MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch + +generic/001 9s ... 32s +Ran: generic/001 +Passed all 1 tests + +fsck.hfs -d -n ./test-image.bin +** ./test-image.bin (NO WRITE) + Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K. + Executing fsck_hfs (version 540.1-Linux). +** Checking HFS volume. + The volume name is untitled +** Checking extents overflow file. +** Checking catalog file. +** Checking catalog hierarchy. +** Checking volume bitmap. +** Checking volume information. +** The volume untitled appears to be OK. + +Signed-off-by: Viacheslav Dubeyko +Reviewed-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20250430001211.1912533-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bnode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c +index 2039cb6d5f66..219e3b8fd6a8 100644 +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -586,6 +586,7 @@ void hfs_bnode_put(struct hfs_bnode *node) + if (test_bit(HFS_BNODE_DELETED, &node->flags)) { + hfs_bnode_unhash(node); + spin_unlock(&tree->hash_lock); ++ hfs_bnode_clear(node, 0, tree->node_size); + hfs_bmap_free(node); + hfs_bnode_free(node); + return; +-- +2.39.5 + diff --git a/queue-5.4/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch b/queue-5.4/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch new file mode 100644 index 0000000000..4ab536dfb9 --- /dev/null +++ b/queue-5.4/hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch @@ -0,0 +1,166 @@ +From 1803e13641c8f6fdffd775a0c958001cd5478ec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:49:12 -0700 +Subject: hfs: fix slab-out-of-bounds in hfs_bnode_read() + +From: Viacheslav Dubeyko + +[ Upstream commit a431930c9bac518bf99d6b1da526a7f37ddee8d8 ] + +This patch introduces is_bnode_offset_valid() method that checks +the requested offset value. Also, it introduces +check_and_correct_requested_length() method that checks and +correct the requested length (if it is necessary). These methods +are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), +hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent +the access out of allocated memory and triggering the crash. + +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250703214912.244138-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c +index 2251286cd83f..2039cb6d5f66 100644 +--- a/fs/hfs/bnode.c ++++ b/fs/hfs/bnode.c +@@ -15,6 +15,48 @@ + + #include "btree.h" + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page *page; +@@ -23,6 +65,20 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + int bytes_to_read; + void *vaddr; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagenum = off >> PAGE_SHIFT; + off &= ~PAGE_MASK; /* compute page offset for the first page */ +@@ -83,6 +139,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page *page; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + page = node->page[0]; + +@@ -108,6 +178,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len) + { + struct page *page; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + page = node->page[0]; + +@@ -124,6 +208,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst, + hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(src_node, src, len); ++ len = check_and_correct_requested_length(dst_node, dst, len); ++ + src += src_node->page_offset; + dst += dst_node->page_offset; + src_page = src_node->page[0]; +@@ -143,6 +231,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len) + hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(node, src, len); ++ len = check_and_correct_requested_length(node, dst, len); ++ + src += node->page_offset; + dst += node->page_offset; + page = node->page[0]; +-- +2.39.5 + diff --git a/queue-5.4/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch b/queue-5.4/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch new file mode 100644 index 0000000000..0a21be2152 --- /dev/null +++ b/queue-5.4/hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch @@ -0,0 +1,46 @@ +From f3eabb074436f596c1885615fe6dc385923fe869 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 14:17:56 +0900 +Subject: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() + +From: Tetsuo Handa + +[ Upstream commit c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 ] + +When the volume header contains erroneous values that do not reflect +the actual state of the filesystem, hfsplus_fill_super() assumes that +the attributes file is not yet created, which later results in hitting +BUG_ON() when hfsplus_create_attributes_file() is called. Replace this +BUG_ON() with -EIO error with a message to suggest running fsck tool. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=1107451c16b9eb9d29e6 +Signed-off-by: Tetsuo Handa +Reviewed-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/7b587d24-c8a1-4413-9b9a-00a33fbd849f@I-love.SAKURA.ne.jp +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/xattr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c +index d91f76ef18d9..2438cd759620 100644 +--- a/fs/hfsplus/xattr.c ++++ b/fs/hfsplus/xattr.c +@@ -172,7 +172,11 @@ static int hfsplus_create_attributes_file(struct super_block *sb) + return PTR_ERR(attr_file); + } + +- BUG_ON(i_size_read(attr_file) != 0); ++ if (i_size_read(attr_file) != 0) { ++ err = -EIO; ++ pr_err("detected inconsistent attributes file, running fsck.hfsplus is recommended.\n"); ++ goto end_attr_file_creation; ++ } + + hip = HFSPLUS_I(attr_file); + +-- +2.39.5 + diff --git a/queue-5.4/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch b/queue-5.4/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch new file mode 100644 index 0000000000..193e4bea51 --- /dev/null +++ b/queue-5.4/hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch @@ -0,0 +1,296 @@ +From ac3e95419d76f6f0f83f0ef08fd0321296efd100 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 14:48:04 -0700 +Subject: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() + +From: Viacheslav Dubeyko + +[ Upstream commit c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2 ] + +The hfsplus_bnode_read() method can trigger the issue: + +[ 174.852007][ T9784] ================================================================== +[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360 +[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784 +[ 174.854059][ T9784] +[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full) +[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 174.854286][ T9784] Call Trace: +[ 174.854289][ T9784] +[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0 +[ 174.854305][ T9784] print_report+0xd0/0x660 +[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610 +[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180 +[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360 +[ 174.854337][ T9784] kasan_report+0xc6/0x100 +[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360 +[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360 +[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380 +[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10 +[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0 +[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310 +[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40 +[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0 +[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0 +[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10 +[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10 +[ 174.854436][ T9784] ? __asan_memset+0x23/0x50 +[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320 +[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10 +[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0 +[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40 +[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0 +[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10 +[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0 +[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10 +[ 174.854525][ T9784] ? down_write+0x148/0x200 +[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10 +[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0 +[ 174.854549][ T9784] do_unlinkat+0x490/0x670 +[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10 +[ 174.854565][ T9784] ? __might_fault+0xbc/0x130 +[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550 +[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110 +[ 174.854592][ T9784] do_syscall_64+0xc9/0x480 +[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167 +[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08 +[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 +[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167 +[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50 +[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40 +[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0 +[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 174.854658][ T9784] +[ 174.854661][ T9784] +[ 174.879281][ T9784] Allocated by task 9784: +[ 174.879664][ T9784] kasan_save_stack+0x20/0x40 +[ 174.880082][ T9784] kasan_save_track+0x14/0x30 +[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0 +[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550 +[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890 +[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10 +[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520 +[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x320 +[ 174.883144][ T9784] hfsplus_delete_cat+0x845/0xde0 +[ 174.883595][ T9784] hfsplus_rmdir+0x106/0x1b0 +[ 174.884004][ T9784] vfs_rmdir+0x206/0x690 +[ 174.884379][ T9784] do_rmdir+0x2b7/0x390 +[ 174.884751][ T9784] __x64_sys_rmdir+0xc5/0x110 +[ 174.885167][ T9784] do_syscall_64+0xc9/0x480 +[ 174.885568][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 174.886083][ T9784] +[ 174.886293][ T9784] The buggy address belongs to the object at ffff88810b5fc600 +[ 174.886293][ T9784] which belongs to the cache kmalloc-192 of size 192 +[ 174.887507][ T9784] The buggy address is located 40 bytes to the right of +[ 174.887507][ T9784] allocated 152-byte region [ffff88810b5fc600, ffff88810b5fc698) +[ 174.888766][ T9784] +[ 174.888976][ T9784] The buggy address belongs to the physical page: +[ 174.889533][ T9784] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b5fc +[ 174.890295][ T9784] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff) +[ 174.890927][ T9784] page_type: f5(slab) +[ 174.891284][ T9784] raw: 057ff00000000000 ffff88801b4423c0 ffffea000426dc80 dead000000000002 +[ 174.892032][ T9784] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 +[ 174.892774][ T9784] page dumped because: kasan: bad access detected +[ 174.893327][ T9784] page_owner tracks the page as allocated +[ 174.893825][ T9784] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NO1 +[ 174.895373][ T9784] post_alloc_hook+0x1c0/0x230 +[ 174.895801][ T9784] get_page_from_freelist+0xdeb/0x3b30 +[ 174.896284][ T9784] __alloc_frozen_pages_noprof+0x25c/0x2460 +[ 174.896810][ T9784] alloc_pages_mpol+0x1fb/0x550 +[ 174.897242][ T9784] new_slab+0x23b/0x340 +[ 174.897614][ T9784] ___slab_alloc+0xd81/0x1960 +[ 174.898028][ T9784] __slab_alloc.isra.0+0x56/0xb0 +[ 174.898468][ T9784] __kmalloc_noprof+0x2b0/0x550 +[ 174.898896][ T9784] usb_alloc_urb+0x73/0xa0 +[ 174.899289][ T9784] usb_control_msg+0x1cb/0x4a0 +[ 174.899718][ T9784] usb_get_string+0xab/0x1a0 +[ 174.900133][ T9784] usb_string_sub+0x107/0x3c0 +[ 174.900549][ T9784] usb_string+0x307/0x670 +[ 174.900933][ T9784] usb_cache_string+0x80/0x150 +[ 174.901355][ T9784] usb_new_device+0x1d0/0x19d0 +[ 174.901786][ T9784] register_root_hub+0x299/0x730 +[ 174.902231][ T9784] page last free pid 10 tgid 10 stack trace: +[ 174.902757][ T9784] __free_frozen_pages+0x80c/0x1250 +[ 174.903217][ T9784] vfree.part.0+0x12b/0xab0 +[ 174.903645][ T9784] delayed_vfree_work+0x93/0xd0 +[ 174.904073][ T9784] process_one_work+0x9b5/0x1b80 +[ 174.904519][ T9784] worker_thread+0x630/0xe60 +[ 174.904927][ T9784] kthread+0x3a8/0x770 +[ 174.905291][ T9784] ret_from_fork+0x517/0x6e0 +[ 174.905709][ T9784] ret_from_fork_asm+0x1a/0x30 +[ 174.906128][ T9784] +[ 174.906338][ T9784] Memory state around the buggy address: +[ 174.906828][ T9784] ffff88810b5fc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 174.907528][ T9784] ffff88810b5fc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 174.908222][ T9784] >ffff88810b5fc680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 174.908917][ T9784] ^ +[ 174.909481][ T9784] ffff88810b5fc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 174.910432][ T9784] ffff88810b5fc780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ 174.911401][ T9784] ================================================================== + +The reason of the issue that code doesn't check the correctness +of the requested offset and length. As a result, incorrect value +of offset or/and length could result in access out of allocated +memory. + +This patch introduces is_bnode_offset_valid() method that checks +the requested offset value. Also, it introduces +check_and_correct_requested_length() method that checks and +correct the requested length (if it is necessary). These methods +are used in hfsplus_bnode_read(), hfsplus_bnode_write(), +hfsplus_bnode_clear(), hfsplus_bnode_copy(), and hfsplus_bnode_move() +with the goal to prevent the access out of allocated memory +and triggering the crash. + +Reported-by: Kun Hu +Reported-by: Jiaji Qin +Reported-by: Shuoran Bai +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250703214804.244077-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 92 insertions(+) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index cf6e5de7b9da..c9c38fddf505 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,12 +18,68 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) + { + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -83,6 +139,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len) + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -113,6 +183,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len) + struct page **pagep; + int l; + ++ if (!is_bnode_offset_valid(node, off)) ++ return; ++ ++ if (len == 0) { ++ pr_err("requested zero length: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len); ++ return; ++ } ++ ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + off &= ~PAGE_MASK; +@@ -139,6 +223,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst, + hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(src_node, src, len); ++ len = check_and_correct_requested_length(dst_node, dst, len); ++ + src += src_node->page_offset; + dst += dst_node->page_offset; + src_page = src_node->page + (src >> PAGE_SHIFT); +@@ -196,6 +284,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len) + hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len); + if (!len) + return; ++ ++ len = check_and_correct_requested_length(node, src, len); ++ len = check_and_correct_requested_length(node, dst, len); ++ + src += node->page_offset; + dst += node->page_offset; + if (dst > src) { +-- +2.39.5 + diff --git a/queue-5.4/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch b/queue-5.4/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch new file mode 100644 index 0000000000..52ba7e7f21 --- /dev/null +++ b/queue-5.4/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch @@ -0,0 +1,177 @@ +From 196eb3421c74d9edafa408a3a3211857b154f3ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:08:30 -0700 +Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() + +From: Viacheslav Dubeyko + +[ Upstream commit 94458781aee6045bd3d0ad4b80b02886b9e2219b ] + +The hfsplus_readdir() method is capable to crash by calling +hfsplus_uni2asc(): + +[ 667.121659][ T9805] ================================================================== +[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10 +[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805 +[ 667.124578][ T9805] +[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full) +[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 667.124890][ T9805] Call Trace: +[ 667.124893][ T9805] +[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0 +[ 667.124911][ T9805] print_report+0xd0/0x660 +[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610 +[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180 +[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10 +[ 667.124942][ T9805] kasan_report+0xc6/0x100 +[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10 +[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10 +[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360 +[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0 +[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10 +[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0 +[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20 +[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0 +[ 667.125022][ T9805] ? lock_acquire+0x30/0x80 +[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20 +[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0 +[ 667.125044][ T9805] ? putname+0x154/0x1a0 +[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10 +[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0 +[ 667.125069][ T9805] iterate_dir+0x296/0xb20 +[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0 +[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10 +[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200 +[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10 +[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0 +[ 667.125143][ T9805] do_syscall_64+0xc9/0x480 +[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9 +[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9 +[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9 +[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004 +[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110 +[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260 +[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 667.125207][ T9805] +[ 667.125210][ T9805] +[ 667.145632][ T9805] Allocated by task 9805: +[ 667.145991][ T9805] kasan_save_stack+0x20/0x40 +[ 667.146352][ T9805] kasan_save_track+0x14/0x30 +[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0 +[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550 +[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0 +[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0 +[ 667.148174][ T9805] iterate_dir+0x296/0xb20 +[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0 +[ 667.148937][ T9805] do_syscall_64+0xc9/0x480 +[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.149809][ T9805] +[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000 +[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048 +[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of +[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c) +[ 667.152580][ T9805] +[ 667.152798][ T9805] The buggy address belongs to the physical page: +[ 667.153373][ T9805] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25928 +[ 667.154157][ T9805] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 667.154916][ T9805] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) +[ 667.155631][ T9805] page_type: f5(slab) +[ 667.155997][ T9805] raw: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001 +[ 667.156770][ T9805] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 +[ 667.157536][ T9805] head: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001 +[ 667.158317][ T9805] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 +[ 667.159088][ T9805] head: 00fff00000000003 ffffea0000964a01 00000000ffffffff 00000000ffffffff +[ 667.159865][ T9805] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +[ 667.160643][ T9805] page dumped because: kasan: bad access detected +[ 667.161216][ T9805] page_owner tracks the page as allocated +[ 667.161732][ T9805] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN9 +[ 667.163566][ T9805] post_alloc_hook+0x1c0/0x230 +[ 667.164003][ T9805] get_page_from_freelist+0xdeb/0x3b30 +[ 667.164503][ T9805] __alloc_frozen_pages_noprof+0x25c/0x2460 +[ 667.165040][ T9805] alloc_pages_mpol+0x1fb/0x550 +[ 667.165489][ T9805] new_slab+0x23b/0x340 +[ 667.165872][ T9805] ___slab_alloc+0xd81/0x1960 +[ 667.166313][ T9805] __slab_alloc.isra.0+0x56/0xb0 +[ 667.166767][ T9805] __kmalloc_cache_noprof+0x255/0x3e0 +[ 667.167255][ T9805] psi_cgroup_alloc+0x52/0x2d0 +[ 667.167693][ T9805] cgroup_mkdir+0x694/0x1210 +[ 667.168118][ T9805] kernfs_iop_mkdir+0x111/0x190 +[ 667.168568][ T9805] vfs_mkdir+0x59b/0x8d0 +[ 667.168956][ T9805] do_mkdirat+0x2ed/0x3d0 +[ 667.169353][ T9805] __x64_sys_mkdir+0xef/0x140 +[ 667.169784][ T9805] do_syscall_64+0xc9/0x480 +[ 667.170195][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 667.170730][ T9805] page last free pid 1257 tgid 1257 stack trace: +[ 667.171304][ T9805] __free_frozen_pages+0x80c/0x1250 +[ 667.171770][ T9805] vfree.part.0+0x12b/0xab0 +[ 667.172182][ T9805] delayed_vfree_work+0x93/0xd0 +[ 667.172612][ T9805] process_one_work+0x9b5/0x1b80 +[ 667.173067][ T9805] worker_thread+0x630/0xe60 +[ 667.173486][ T9805] kthread+0x3a8/0x770 +[ 667.173857][ T9805] ret_from_fork+0x517/0x6e0 +[ 667.174278][ T9805] ret_from_fork_asm+0x1a/0x30 +[ 667.174703][ T9805] +[ 667.174917][ T9805] Memory state around the buggy address: +[ 667.175411][ T9805] ffff88802592f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 667.176114][ T9805] ffff88802592f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 667.176830][ T9805] >ffff88802592f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.177547][ T9805] ^ +[ 667.177933][ T9805] ffff88802592f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.178640][ T9805] ffff88802592f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 667.179350][ T9805] ================================================================== + +The hfsplus_uni2asc() method operates by struct hfsplus_unistr: + +struct hfsplus_unistr { + __be16 length; + hfsplus_unichr unicode[HFSPLUS_MAX_STRLEN]; +} __packed; + +where HFSPLUS_MAX_STRLEN is 255 bytes. The issue happens if length +of the structure instance has value bigger than 255 (for example, +65283). In such case, pointer on unicode buffer is going beyond of +the allocated memory. + +The patch fixes the issue by checking the length value of +hfsplus_unistr instance and using 255 value in the case if length +value is bigger than HFSPLUS_MAX_STRLEN. Potential reason of such +situation could be a corruption of Catalog File b-tree's node. + +Reported-by: Wenzhi Wang +Signed-off-by: Liu Shixin +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Reviewed-by: Yangtao Li +Link: https://lore.kernel.org/r/20250710230830.110500-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/unicode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c +index 73342c925a4b..36b6cf2a3abb 100644 +--- a/fs/hfsplus/unicode.c ++++ b/fs/hfsplus/unicode.c +@@ -132,7 +132,14 @@ int hfsplus_uni2asc(struct super_block *sb, + + op = astr; + ip = ustr->unicode; ++ + ustrlen = be16_to_cpu(ustr->length); ++ if (ustrlen > HFSPLUS_MAX_STRLEN) { ++ ustrlen = HFSPLUS_MAX_STRLEN; ++ pr_err("invalid length %u has been corrected to %d\n", ++ be16_to_cpu(ustr->length), ustrlen); ++ } ++ + len = *len_p; + ce1 = NULL; + compose = !test_bit(HFSPLUS_SB_NODECOMPOSE, &HFSPLUS_SB(sb)->flags); +-- +2.39.5 + diff --git a/queue-5.4/i3c-add-missing-include-to-internal-header.patch b/queue-5.4/i3c-add-missing-include-to-internal-header.patch new file mode 100644 index 0000000000..594cd6a273 --- /dev/null +++ b/queue-5.4/i3c-add-missing-include-to-internal-header.patch @@ -0,0 +1,44 @@ +From 667e5d6db45ef94641e107ba378a25f3a18a02ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 14:00:47 +0200 +Subject: i3c: add missing include to internal header + +From: Wolfram Sang + +[ Upstream commit 3b661ca549b9e5bb11d0bc97ada6110aac3282d2 ] + +LKP found a random config which failed to build because IO accessors +were not defined: + + In file included from drivers/i3c/master.c:21: + drivers/i3c/internals.h: In function 'i3c_writel_fifo': +>> drivers/i3c/internals.h:35:9: error: implicit declaration of function 'writesl' [-Werror=implicit-function-declaration] + +Add the proper header to where the IO accessors are used. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202507150208.BZDzzJ5E-lkp@intel.com/ +Signed-off-by: Wolfram Sang +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250717120046.9022-2-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/internals.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/i3c/internals.h b/drivers/i3c/internals.h +index 86b7b44cfca2..1906c711f38a 100644 +--- a/drivers/i3c/internals.h ++++ b/drivers/i3c/internals.h +@@ -9,6 +9,7 @@ + #define I3C_INTERNALS_H + + #include ++#include + + extern struct bus_type i3c_bus_type; + +-- +2.39.5 + diff --git a/queue-5.4/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch b/queue-5.4/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch new file mode 100644 index 0000000000..10e580316f --- /dev/null +++ b/queue-5.4/i3c-don-t-fail-if-gethdrcap-is-unsupported.patch @@ -0,0 +1,43 @@ +From 3ae7c79a0c490dcdb0f0ae11ca2e523e803c0fd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Jul 2025 22:44:32 +0200 +Subject: i3c: don't fail if GETHDRCAP is unsupported + +From: Wolfram Sang + +[ Upstream commit 447270cdb41b1c8c3621bb14b93a6749f942556e ] + +'I3C_BCR_HDR_CAP' is still spec v1.0 and has been renamed to 'advanced +capabilities' in v1.1 onwards. The ST pressure sensor LPS22DF does not +have HDR, but has the 'advanced cap' bit set. The core still wants to +get additional information using the CCC 'GETHDRCAP' (or GETCAPS in v1.1 +onwards). Not all controllers support this CCC and will notify the upper +layers about it. For instantiating the device, we can ignore this +unsupported CCC as standard communication will work. Without this patch, +the device will not be instantiated at all. + +Signed-off-by: Wolfram Sang +Reviewed-by: Frank Li +Link: https://lore.kernel.org/r/20250704204524.6124-1-wsa+renesas@sang-engineering.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/i3c/master.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c +index 8604c9e7b6ac..07478ddff622 100644 +--- a/drivers/i3c/master.c ++++ b/drivers/i3c/master.c +@@ -1243,7 +1243,7 @@ static int i3c_master_retrieve_dev_info(struct i3c_dev_desc *dev) + + if (dev->info.bcr & I3C_BCR_HDR_CAP) { + ret = i3c_master_gethdrcap_locked(master, &dev->info); +- if (ret) ++ if (ret && ret != -ENOTSUPP) + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.4/ipmi-fix-strcpy-source-and-destination-the-same.patch b/queue-5.4/ipmi-fix-strcpy-source-and-destination-the-same.patch new file mode 100644 index 0000000000..3db9bda49c --- /dev/null +++ b/queue-5.4/ipmi-fix-strcpy-source-and-destination-the-same.patch @@ -0,0 +1,150 @@ +From 8970cdf1104156042241b7eccdae0bfa759eefc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 19:06:26 -0500 +Subject: ipmi: Fix strcpy source and destination the same + +From: Corey Minyard + +[ Upstream commit 8ffcb7560b4a15faf821df95e3ab532b2b020f8c ] + +The source and destination of some strcpy operations was the same. +Split out the part of the operations that needed to be done for those +particular calls so the unnecessary copy wasn't done. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506140756.EFXXvIP4-lkp@intel.com/ +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_watchdog.c | 59 ++++++++++++++++++++++--------- + 1 file changed, 42 insertions(+), 17 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c +index ccb62c480bdd..ac2099f3f41a 100644 +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -1192,14 +1192,8 @@ static struct ipmi_smi_watcher smi_watcher = { + .smi_gone = ipmi_smi_gone + }; + +-static int action_op(const char *inval, char *outval) ++static int action_op_set_val(const char *inval) + { +- if (outval) +- strcpy(outval, action); +- +- if (!inval) +- return 0; +- + if (strcmp(inval, "reset") == 0) + action_val = WDOG_TIMEOUT_RESET; + else if (strcmp(inval, "none") == 0) +@@ -1210,18 +1204,26 @@ static int action_op(const char *inval, char *outval) + action_val = WDOG_TIMEOUT_POWER_DOWN; + else + return -EINVAL; +- strcpy(action, inval); + return 0; + } + +-static int preaction_op(const char *inval, char *outval) ++static int action_op(const char *inval, char *outval) + { ++ int rv; ++ + if (outval) +- strcpy(outval, preaction); ++ strcpy(outval, action); + + if (!inval) + return 0; ++ rv = action_op_set_val(inval); ++ if (!rv) ++ strcpy(action, inval); ++ return rv; ++} + ++static int preaction_op_set_val(const char *inval) ++{ + if (strcmp(inval, "pre_none") == 0) + preaction_val = WDOG_PRETIMEOUT_NONE; + else if (strcmp(inval, "pre_smi") == 0) +@@ -1234,18 +1236,26 @@ static int preaction_op(const char *inval, char *outval) + preaction_val = WDOG_PRETIMEOUT_MSG_INT; + else + return -EINVAL; +- strcpy(preaction, inval); + return 0; + } + +-static int preop_op(const char *inval, char *outval) ++static int preaction_op(const char *inval, char *outval) + { ++ int rv; ++ + if (outval) +- strcpy(outval, preop); ++ strcpy(outval, preaction); + + if (!inval) + return 0; ++ rv = preaction_op_set_val(inval); ++ if (!rv) ++ strcpy(preaction, inval); ++ return 0; ++} + ++static int preop_op_set_val(const char *inval) ++{ + if (strcmp(inval, "preop_none") == 0) + preop_val = WDOG_PREOP_NONE; + else if (strcmp(inval, "preop_panic") == 0) +@@ -1254,7 +1264,22 @@ static int preop_op(const char *inval, char *outval) + preop_val = WDOG_PREOP_GIVE_DATA; + else + return -EINVAL; +- strcpy(preop, inval); ++ return 0; ++} ++ ++static int preop_op(const char *inval, char *outval) ++{ ++ int rv; ++ ++ if (outval) ++ strcpy(outval, preop); ++ ++ if (!inval) ++ return 0; ++ ++ rv = preop_op_set_val(inval); ++ if (!rv) ++ strcpy(preop, inval); + return 0; + } + +@@ -1291,18 +1316,18 @@ static int __init ipmi_wdog_init(void) + { + int rv; + +- if (action_op(action, NULL)) { ++ if (action_op_set_val(action)) { + action_op("reset", NULL); + pr_info("Unknown action '%s', defaulting to reset\n", action); + } + +- if (preaction_op(preaction, NULL)) { ++ if (preaction_op_set_val(preaction)) { + preaction_op("pre_none", NULL); + pr_info("Unknown preaction '%s', defaulting to none\n", + preaction); + } + +- if (preop_op(preop, NULL)) { ++ if (preop_op_set_val(preop)) { + preop_op("preop_none", NULL); + pr_info("Unknown preop '%s', defaulting to none\n", preop); + } +-- +2.39.5 + diff --git a/queue-5.4/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch b/queue-5.4/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch new file mode 100644 index 0000000000..29591bf700 --- /dev/null +++ b/queue-5.4/ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch @@ -0,0 +1,47 @@ +From 1c37dd3e907364b60111c4f7c5ca298aed391697 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 05:57:26 -0700 +Subject: ipmi: Use dev_warn_ratelimited() for incorrect message warnings + +From: Breno Leitao + +[ Upstream commit ec50ec378e3fd83bde9b3d622ceac3509a60b6b5 ] + +During BMC firmware upgrades on live systems, the ipmi_msghandler +generates excessive "BMC returned incorrect response" warnings +while the BMC is temporarily offline. This can flood system logs +in large deployments. + +Replace dev_warn() with dev_warn_ratelimited() to throttle these +warnings and prevent log spam during BMC maintenance operations. + +Signed-off-by: Breno Leitao +Message-ID: <20250710-ipmi_ratelimit-v1-1-6d417015ebe9@debian.org> +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 0833a2ac2f69..b8a13edee817 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -4302,10 +4302,10 @@ static int handle_one_recv_msg(struct ipmi_smi *intf, + * The NetFN and Command in the response is not even + * marginally correct. + */ +- dev_warn(intf->si_dev, +- "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n", +- (msg->data[0] >> 2) | 1, msg->data[1], +- msg->rsp[0] >> 2, msg->rsp[1]); ++ dev_warn_ratelimited(intf->si_dev, ++ "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n", ++ (msg->data[0] >> 2) | 1, msg->data[1], ++ msg->rsp[0] >> 2, msg->rsp[1]); + + /* Generate an error response for the message. */ + msg->rsp[0] = msg->data[0] | (1 << 2); +-- +2.39.5 + diff --git a/queue-5.4/jfs-regular-file-corruption-check.patch b/queue-5.4/jfs-regular-file-corruption-check.patch new file mode 100644 index 0000000000..61d6ee45e5 --- /dev/null +++ b/queue-5.4/jfs-regular-file-corruption-check.patch @@ -0,0 +1,39 @@ +From 831e9aaac3de662d8d941fd8ba2cd12a4213edf2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 14:48:43 +0800 +Subject: jfs: Regular file corruption check + +From: Edward Adam Davis + +[ Upstream commit 2d04df8116426b6c7b9f8b9b371250f666a2a2fb ] + +The reproducer builds a corrupted file on disk with a negative i_size value. +Add a check when opening this file to avoid subsequent operation failures. + +Reported-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=630f6d40b3ccabc8e96e +Tested-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/jfs/file.c b/fs/jfs/file.c +index 930d2701f206..44872daeca01 100644 +--- a/fs/jfs/file.c ++++ b/fs/jfs/file.c +@@ -44,6 +44,9 @@ static int jfs_open(struct inode *inode, struct file *file) + { + int rc; + ++ if (S_ISREG(inode->i_mode) && inode->i_size < 0) ++ return -EIO; ++ + if ((rc = dquot_file_open(inode, file))) + return rc; + +-- +2.39.5 + diff --git a/queue-5.4/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch b/queue-5.4/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch new file mode 100644 index 0000000000..5311cdb39c --- /dev/null +++ b/queue-5.4/jfs-truncate-good-inode-pages-when-hard-link-is-0.patch @@ -0,0 +1,41 @@ +From 104ad5eddd7c89a60d5561fbb3375946c3c92063 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 11:05:34 +0800 +Subject: jfs: truncate good inode pages when hard link is 0 + +From: Lizhi Xu + +[ Upstream commit 2d91b3765cd05016335cd5df5e5c6a29708ec058 ] + +The fileset value of the inode copy from the disk by the reproducer is +AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its +inode pages are not truncated. This causes the bugon to be triggered when +executing clear_inode() because nrpages is greater than 0. + +Reported-by: syzbot+6e516bb515d93230bc7b@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6e516bb515d93230bc7b +Signed-off-by: Lizhi Xu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c +index 62c4a5450cda..6d353fbe67c0 100644 +--- a/fs/jfs/inode.c ++++ b/fs/jfs/inode.c +@@ -145,9 +145,9 @@ void jfs_evict_inode(struct inode *inode) + if (!inode->i_nlink && !is_bad_inode(inode)) { + dquot_initialize(inode); + ++ truncate_inode_pages_final(&inode->i_data); + if (JFS_IP(inode)->fileset == FILESYSTEM_I) { + struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap; +- truncate_inode_pages_final(&inode->i_data); + + if (test_cflag(COMMIT_Freewmap, inode)) + jfs_free_zero_link(inode); +-- +2.39.5 + diff --git a/queue-5.4/jfs-upper-bound-check-of-tree-index-in-dballocag.patch b/queue-5.4/jfs-upper-bound-check-of-tree-index-in-dballocag.patch new file mode 100644 index 0000000000..dd11164c31 --- /dev/null +++ b/queue-5.4/jfs-upper-bound-check-of-tree-index-in-dballocag.patch @@ -0,0 +1,44 @@ +From 4d61cc4cc189d9c9393ef93594676b0ec7464e23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 00:13:51 +0200 +Subject: jfs: upper bound check of tree index in dbAllocAG + +From: Arnaud Lecomte + +[ Upstream commit c214006856ff52a8ff17ed8da52d50601d54f9ce ] + +When computing the tree index in dbAllocAG, we never check if we are +out of bounds realative to the size of the stree. +This could happen in a scenario where the filesystem metadata are +corrupted. + +Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e +Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com +Signed-off-by: Arnaud Lecomte +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 15f885d2fa3d..17c4e7bdf283 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -1457,6 +1457,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results) + (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth; + ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1)); + ++ if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) { ++ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n"); ++ release_metapage(mp); ++ return -EIO; ++ } ++ + /* dmap control page trees fan-out by 4 and a single allocation + * group may be described by 1 or 2 subtrees within the ag level + * dmap control page, depending upon the ag size. examine the ag's +-- +2.39.5 + diff --git a/queue-5.4/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch b/queue-5.4/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch new file mode 100644 index 0000000000..a38f5577ea --- /dev/null +++ b/queue-5.4/kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch @@ -0,0 +1,45 @@ +From 54c7936c3d36300ebe3661c740a57b25c1b48f92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 00:05:20 +0900 +Subject: kconfig: gconf: avoid hardcoding model2 in + on_treeview2_cursor_changed() + +From: Masahiro Yamada + +[ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ] + +The on_treeview2_cursor_changed() handler is connected to both the left +and right tree views, but it hardcodes model2 (the GtkTreeModel of the +right tree view). This is incorrect. Get the associated model from the +view. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/gconf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c +index 9b10f1248da1..bd1fdbd949cc 100644 +--- a/scripts/kconfig/gconf.c ++++ b/scripts/kconfig/gconf.c +@@ -980,13 +980,14 @@ on_treeview2_key_press_event(GtkWidget * widget, + void + on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data) + { ++ GtkTreeModel *model = gtk_tree_view_get_model(treeview); + GtkTreeSelection *selection; + GtkTreeIter iter; + struct menu *menu; + + selection = gtk_tree_view_get_selection(treeview); +- if (gtk_tree_selection_get_selected(selection, &model2, &iter)) { +- gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1); ++ if (gtk_tree_selection_get_selected(selection, &model, &iter)) { ++ gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1); + text_insert_help(menu); + } + } +-- +2.39.5 + diff --git a/queue-5.4/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch b/queue-5.4/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch new file mode 100644 index 0000000000..d95922b475 --- /dev/null +++ b/queue-5.4/kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch @@ -0,0 +1,42 @@ +From de4c62da4596e35f4739f491a47c3b27e9d6a0de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Jun 2025 00:04:55 +0900 +Subject: kconfig: gconf: fix potential memory leak in renderer_edited() + +From: Masahiro Yamada + +[ Upstream commit f72ed4c6a375e52a3f4b75615e4a89d29d8acea7 ] + +If gtk_tree_model_get_iter() fails, gtk_tree_path_free() is not called. + +Signed-off-by: Masahiro Yamada +Acked-by: Randy Dunlap +Signed-off-by: Sasha Levin +--- + scripts/kconfig/gconf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c +index bd1fdbd949cc..6eb71c75b765 100644 +--- a/scripts/kconfig/gconf.c ++++ b/scripts/kconfig/gconf.c +@@ -786,7 +786,7 @@ static void renderer_edited(GtkCellRendererText * cell, + struct symbol *sym; + + if (!gtk_tree_model_get_iter(model2, &iter, path)) +- return; ++ goto free; + + gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1); + sym = menu->sym; +@@ -798,6 +798,7 @@ static void renderer_edited(GtkCellRendererText * cell, + + update_tree(&rootmenu, NULL); + ++free: + gtk_tree_path_free(path); + } + +-- +2.39.5 + diff --git a/queue-5.4/kconfig-lxdialog-fix-space-to-de-select-options.patch b/queue-5.4/kconfig-lxdialog-fix-space-to-de-select-options.patch new file mode 100644 index 0000000000..caf4c4487c --- /dev/null +++ b/queue-5.4/kconfig-lxdialog-fix-space-to-de-select-options.patch @@ -0,0 +1,49 @@ +From 8e526ce247c335139fdcfe3a17ce514f4efb2191 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Nov 2013 00:53:32 +0100 +Subject: kconfig: lxdialog: fix 'space' to (de)select options + +From: Yann E. MORIN + +[ Upstream commit 694174f94ebeeb5ec5cc0e9de9b40c82057e1d95 ] + +In case a menu has comment without letters/numbers (eg. characters +matching the regexp '^[^[:alpha:][:digit:]]+$', for example - or *), +hitting space will cycle through those comments, rather than +selecting/deselecting the currently-highlighted option. + +This is the behaviour of hitting any letter/digit: jump to the next +option which prompt starts with that letter. The only letters that +do not behave as such are 'y' 'm' and 'n'. Prompts that start with +one of those three letters are instead matched on the first letter +that is not 'y', 'm' or 'n'. + +Fix that by treating 'space' as we treat y/m/n, ie. as an action key, +not as shortcut to jump to prompt. + +Signed-off-by: Yann E. MORIN +Signed-off-by: Peter Korsgaard +Signed-off-by: Cherniaev Andrei +[masahiro: took from Buildroot, adjusted the commit subject] +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/lxdialog/menubox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/kconfig/lxdialog/menubox.c b/scripts/kconfig/lxdialog/menubox.c +index 58c2f8afe59b..7e10e919fbdc 100644 +--- a/scripts/kconfig/lxdialog/menubox.c ++++ b/scripts/kconfig/lxdialog/menubox.c +@@ -272,7 +272,7 @@ int dialog_menu(const char *title, const char *prompt, + if (key < 256 && isalpha(key)) + key = tolower(key); + +- if (strchr("ynmh", key)) ++ if (strchr("ynmh ", key)) + i = max_choice; + else { + for (i = choice + 1; i < max_choice; i++) { +-- +2.39.5 + diff --git a/queue-5.4/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch b/queue-5.4/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch new file mode 100644 index 0000000000..be2596a873 --- /dev/null +++ b/queue-5.4/kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch @@ -0,0 +1,41 @@ +From c0f458fb9a7e446919be2eedc07c8bf68999aecf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jul 2025 22:14:33 +0530 +Subject: kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c + +From: Suchit Karunakaran + +[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ] + +strcpy() performs no bounds checking and can lead to buffer overflows if +the input string exceeds the destination buffer size. This patch replaces +it with strncpy(), and null terminates the input string. + +Signed-off-by: Suchit Karunakaran +Reviewed-by: Nicolas Schier +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/lxdialog/inputbox.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c +index 1dcfb288ee63..327b60cdb8da 100644 +--- a/scripts/kconfig/lxdialog/inputbox.c ++++ b/scripts/kconfig/lxdialog/inputbox.c +@@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width + + if (!init) + instr[0] = '\0'; +- else +- strcpy(instr, init); ++ else { ++ strncpy(instr, init, sizeof(dialog_input_result) - 1); ++ instr[sizeof(dialog_input_result) - 1] = '\0'; ++ } + + do_resize: + if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGTH_MIN)) +-- +2.39.5 + diff --git a/queue-5.4/kconfig-nconf-ensure-null-termination-where-strncpy-.patch b/queue-5.4/kconfig-nconf-ensure-null-termination-where-strncpy-.patch new file mode 100644 index 0000000000..b361aa04f5 --- /dev/null +++ b/queue-5.4/kconfig-nconf-ensure-null-termination-where-strncpy-.patch @@ -0,0 +1,55 @@ +From aa0accd0b8c64efcba6c5de7467eb332b2947266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 00:36:54 +0530 +Subject: kconfig: nconf: Ensure null termination where strncpy is used + +From: Shankari Anand + +[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ] + +strncpy() does not guarantee null-termination if the source string is +longer than the destination buffer. + +Ensure the buffer is explicitly null-terminated to prevent potential +string overflows or undefined behavior. + +Signed-off-by: Shankari Anand +Signed-off-by: Masahiro Yamada +Acked-by: Randy Dunlap +Tested-by: Randy Dunlap +Tested-by: Nicolas Schier +Acked-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/kconfig/nconf.c | 2 ++ + scripts/kconfig/nconf.gui.c | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c +index 331b2cc917ec..af56d27693d0 100644 +--- a/scripts/kconfig/nconf.c ++++ b/scripts/kconfig/nconf.c +@@ -580,6 +580,8 @@ static void item_add_str(const char *fmt, ...) + tmp_str, + sizeof(k_menu_items[index].str)); + ++ k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0'; ++ + free_item(curses_menu_items[index]); + curses_menu_items[index] = new_item( + k_menu_items[index].str, +diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c +index 77f525a8617c..8b3e9bc893a7 100644 +--- a/scripts/kconfig/nconf.gui.c ++++ b/scripts/kconfig/nconf.gui.c +@@ -398,6 +398,7 @@ int dialog_inputbox(WINDOW *main_window, + x = (columns-win_cols)/2; + + strncpy(result, init, *result_len); ++ result[*result_len - 1] = '\0'; + + /* create the windows */ + win = newwin(win_lines, win_cols, y, x); +-- +2.39.5 + diff --git a/queue-5.4/ktest.pl-prevent-recursion-of-default-variable-optio.patch b/queue-5.4/ktest.pl-prevent-recursion-of-default-variable-optio.patch new file mode 100644 index 0000000000..bbfda9d28d --- /dev/null +++ b/queue-5.4/ktest.pl-prevent-recursion-of-default-variable-optio.patch @@ -0,0 +1,62 @@ +From be0c135d14853ffe1b6c72612465c82e39c4184f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 16:18:44 -0400 +Subject: ktest.pl: Prevent recursion of default variable options + +From: Steven Rostedt + +[ Upstream commit 61f7e318e99d3b398670518dd3f4f8510d1800fc ] + +If a default variable contains itself, do not recurse on it. + +For example: + + ADD_CONFIG := ${CONFIG_DIR}/temp_config + DEFAULTS + ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG} + +The above works because the temp variable ADD_CONFIG (is a temp because it +is created with ":=") is already defined, it will be substituted in the +variable option. But if it gets commented out: + + # ADD_CONFIG := ${CONFIG_DIR}/temp_config + DEFAULTS + ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG} + +Then the above will go into a recursive loop where ${ADD_CONFIG} will +get replaced with the current definition of ADD_CONFIG which contains the +${ADD_CONFIG} and that will also try to get converted. ktest.pl will error +after 100 attempts of recursion and fail. + +When replacing a variable with the default variable, if the default +variable contains itself, do not replace it. + +Cc: "John Warthog9 Hawley" +Cc: Dhaval Giani +Cc: Greg KH +Link: https://lore.kernel.org/20250718202053.732189428@kernel.org +Signed-off-by: Steven Rostedt +Signed-off-by: Sasha Levin +--- + tools/testing/ktest/ktest.pl | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl +index 10b3c5b25b69..964a531e1a65 100755 +--- a/tools/testing/ktest/ktest.pl ++++ b/tools/testing/ktest/ktest.pl +@@ -1280,7 +1280,10 @@ sub __eval_option { + # If a variable contains itself, use the default var + if (($var eq $name) && defined($opt{$var})) { + $o = $opt{$var}; +- $retval = "$retval$o"; ++ # Only append if the default doesn't contain itself ++ if ($o !~ m/\$\{$var\}/) { ++ $retval = "$retval$o"; ++ } + } elsif (defined($opt{$o})) { + $o = $opt{$o}; + $retval = "$retval$o"; +-- +2.39.5 + diff --git a/queue-5.4/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch b/queue-5.4/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch new file mode 100644 index 0000000000..57cbcf84a5 --- /dev/null +++ b/queue-5.4/media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch @@ -0,0 +1,46 @@ +From 8081342a563292e442d523d348a3b1070c8c6b23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 21:32:31 -0400 +Subject: media: dvb-frontends: dib7090p: fix null-ptr-deref in + dib7090p_rw_on_apb() + +From: Alex Guo + +[ Upstream commit ce5cac69b2edac3e3246fee03e8f4c2a1075238b ] + +In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and +msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing +msg[0].buf[2] without sanity check, null pointer deref would happen. We add +check on msg[0].len to prevent crash. Similar issue occurs when access +msg[1].buf[0] and msg[1].buf[1]. + +Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Alex Guo +Link: https://lore.kernel.org/r/20250616013231.730221-1-alexguo1023@gmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib7000p.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c +index fd08a851a452..d31ce5c7104d 100644 +--- a/drivers/media/dvb-frontends/dib7000p.c ++++ b/drivers/media/dvb-frontends/dib7000p.c +@@ -2261,8 +2261,12 @@ static int dib7090p_rw_on_apb(struct i2c_adapter *i2c_adap, + u16 word; + + if (num == 1) { /* write */ ++ if (msg[0].len < 3) ++ return -EOPNOTSUPP; + dib7000p_write_word(state, apb_address, ((msg[0].buf[1] << 8) | (msg[0].buf[2]))); + } else { ++ if (msg[1].len < 2) ++ return -EOPNOTSUPP; + word = dib7000p_read_word(state, apb_address); + msg[1].buf[0] = (word >> 8) & 0xff; + msg[1].buf[1] = (word) & 0xff; +-- +2.39.5 + diff --git a/queue-5.4/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch b/queue-5.4/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch new file mode 100644 index 0000000000..0662b4e591 --- /dev/null +++ b/queue-5.4/media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch @@ -0,0 +1,48 @@ +From c66a40d7fefe77f46486990d119d27d8a790cedd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jun 2025 21:33:53 -0400 +Subject: media: dvb-frontends: w7090p: fix null-ptr-deref in + w7090p_tuner_write_serpar and w7090p_tuner_read_serpar + +From: Alex Guo + +[ Upstream commit ed0234c8458b3149f15e496b48a1c9874dd24a1b ] + +In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add +check on msg[0].len to prevent crash. + +Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") + +Signed-off-by: Alex Guo +Link: https://lore.kernel.org/r/20250616013353.738790-1-alexguo1023@gmail.com +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib7000p.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c +index d31ce5c7104d..41dcbabdc193 100644 +--- a/drivers/media/dvb-frontends/dib7000p.c ++++ b/drivers/media/dvb-frontends/dib7000p.c +@@ -2198,6 +2198,8 @@ static int w7090p_tuner_write_serpar(struct i2c_adapter *i2c_adap, struct i2c_ms + struct dib7000p_state *state = i2c_get_adapdata(i2c_adap); + u8 n_overflow = 1; + u16 i = 1000; ++ if (msg[0].len < 3) ++ return -EOPNOTSUPP; + u16 serpar_num = msg[0].buf[0]; + + while (n_overflow == 1 && i) { +@@ -2217,6 +2219,8 @@ static int w7090p_tuner_read_serpar(struct i2c_adapter *i2c_adap, struct i2c_msg + struct dib7000p_state *state = i2c_get_adapdata(i2c_adap); + u8 n_overflow = 1, n_empty = 1; + u16 i = 1000; ++ if (msg[0].len < 1 || msg[1].len < 2) ++ return -EOPNOTSUPP; + u16 serpar_num = msg[0].buf[0]; + u16 read_word; + +-- +2.39.5 + diff --git a/queue-5.4/media-tc358743-check-i2c-succeeded-during-probe.patch b/queue-5.4/media-tc358743-check-i2c-succeeded-during-probe.patch new file mode 100644 index 0000000000..93706d7c57 --- /dev/null +++ b/queue-5.4/media-tc358743-check-i2c-succeeded-during-probe.patch @@ -0,0 +1,109 @@ +From 4c6e832427cb325d3e4dbc86fd39f2ca7348d83c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:15 +0100 +Subject: media: tc358743: Check I2C succeeded during probe + +From: Dave Stevenson + +[ Upstream commit 303d81635e1d9c949b370215cc94526ed81f2e3d ] + +The probe for the TC358743 reads the CHIPID register from +the device and compares it to the expected value of 0. +If the I2C request fails then that also returns 0, so +the driver loads thinking that the device is there. + +Generally I2C communications are reliable so there is +limited need to check the return value on every transfer, +therefore only amend the one read during probe to check +for I2C errors. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index f4ebe93a495c..ce54d963457d 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -110,7 +110,7 @@ static inline struct tc358743_state *to_state(struct v4l2_subdev *sd) + + /* --------------- I2C --------------- */ + +-static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) ++static int i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + { + struct tc358743_state *state = to_state(sd); + struct i2c_client *client = state->i2c_client; +@@ -136,6 +136,7 @@ static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + v4l2_err(sd, "%s: reading register 0x%x from 0x%x failed\n", + __func__, reg, client->addr); + } ++ return err != ARRAY_SIZE(msgs); + } + + static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) +@@ -192,15 +193,24 @@ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n) + } + } + +-static noinline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n) ++static noinline u32 i2c_rdreg_err(struct v4l2_subdev *sd, u16 reg, u32 n, ++ int *err) + { ++ int error; + __le32 val = 0; + +- i2c_rd(sd, reg, (u8 __force *)&val, n); ++ error = i2c_rd(sd, reg, (u8 __force *)&val, n); ++ if (err) ++ *err = error; + + return le32_to_cpu(val); + } + ++static inline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n) ++{ ++ return i2c_rdreg_err(sd, reg, n, NULL); ++} ++ + static noinline void i2c_wrreg(struct v4l2_subdev *sd, u16 reg, u32 val, u32 n) + { + __le32 raw = cpu_to_le32(val); +@@ -229,6 +239,13 @@ static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg) + return i2c_rdreg(sd, reg, 2); + } + ++static int i2c_rd16_err(struct v4l2_subdev *sd, u16 reg, u16 *value) ++{ ++ int err; ++ *value = i2c_rdreg_err(sd, reg, 2, &err); ++ return err; ++} ++ + static void i2c_wr16(struct v4l2_subdev *sd, u16 reg, u16 val) + { + i2c_wrreg(sd, reg, val, 2); +@@ -2041,6 +2058,7 @@ static int tc358743_probe(struct i2c_client *client) + struct tc358743_platform_data *pdata = client->dev.platform_data; + struct v4l2_subdev *sd; + u16 irq_mask = MASK_HDMI_MSK | MASK_CSI_MSK; ++ u16 chipid; + int err; + + if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_BYTE_DATA)) +@@ -2072,7 +2090,8 @@ static int tc358743_probe(struct i2c_client *client) + sd->flags |= V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS; + + /* i2c access */ +- if ((i2c_rd16(sd, CHIPID) & MASK_CHIPID) != 0) { ++ if (i2c_rd16_err(sd, CHIPID, &chipid) || ++ (chipid & MASK_CHIPID) != 0) { + v4l2_info(sd, "not a TC358743 on address 0x%x\n", + client->addr << 1); + return -ENODEV; +-- +2.39.5 + diff --git a/queue-5.4/media-tc358743-increase-fifo-trigger-level-to-374.patch b/queue-5.4/media-tc358743-increase-fifo-trigger-level-to-374.patch new file mode 100644 index 0000000000..28d7a812eb --- /dev/null +++ b/queue-5.4/media-tc358743-increase-fifo-trigger-level-to-374.patch @@ -0,0 +1,58 @@ +From 6b9a73b9f5170c80c7ec553ae5a05667c2ac7a7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:14 +0100 +Subject: media: tc358743: Increase FIFO trigger level to 374 + +From: Dave Stevenson + +[ Upstream commit 86addd25314a1e77dbdcfddfeed0bab2f27da0e2 ] + +The existing fixed value of 16 worked for UYVY 720P60 over +2 lanes at 594MHz, or UYVY 1080P60 over 4 lanes. (RGB888 +1080P60 needs 6 lanes at 594MHz). +It doesn't allow for lower resolutions to work as the FIFO +underflows. + +374 is required for 1080P24 or 1080P30 UYVY over 2 lanes @ +972Mbit/s, but >374 means that the FIFO underflows on 1080P50 +UYVY over 2 lanes @ 972Mbit/s. + +Whilst it would be nice to compute it, the required information +isn't published by Toshiba. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 26e9e95dd6ae..2dad35568586 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1959,8 +1959,19 @@ static int tc358743_probe_of(struct tc358743_state *state) + state->pdata.refclk_hz = clk_get_rate(refclk); + state->pdata.ddc5v_delay = DDC5V_DELAY_100_MS; + state->pdata.enable_hdcp = false; +- /* A FIFO level of 16 should be enough for 2-lane 720p60 at 594 MHz. */ +- state->pdata.fifo_level = 16; ++ /* ++ * Ideally the FIFO trigger level should be set based on the input and ++ * output data rates, but the calculations required are buried in ++ * Toshiba's register settings spreadsheet. ++ * A value of 16 works with a 594Mbps data rate for 720p60 (using 2 ++ * lanes) and 1080p60 (using 4 lanes), but fails when the data rate ++ * is increased, or a lower pixel clock is used that result in CSI ++ * reading out faster than the data is arriving. ++ * ++ * A value of 374 works with both those modes at 594Mbps, and with most ++ * modes on 972Mbps. ++ */ ++ state->pdata.fifo_level = 374; + /* + * The PLL input clock is obtained by dividing refclk by pll_prd. + * It must be between 6 MHz and 40 MHz, lower frequency is better. +-- +2.39.5 + diff --git a/queue-5.4/media-tc358743-return-an-appropriate-colorspace-from.patch b/queue-5.4/media-tc358743-return-an-appropriate-colorspace-from.patch new file mode 100644 index 0000000000..88f528cd92 --- /dev/null +++ b/queue-5.4/media-tc358743-return-an-appropriate-colorspace-from.patch @@ -0,0 +1,113 @@ +From 3810b897cb109c2f777ab3ea0d386b89f13eb17d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 19:37:16 +0100 +Subject: media: tc358743: Return an appropriate colorspace from + tc358743_set_fmt + +From: Dave Stevenson + +[ Upstream commit 377cc006a364dfdab2f3f221cfad63a9265200b8 ] + +When calling tc358743_set_fmt, the code was calling tc358743_get_fmt +to choose a valid format. However that sets the colorspace +based on information read back from the chip, not the colour +format requested. + +The result was that if you called try or set format for UYVY +when the current format was RGB3 then you would get told SRGB, +and try RGB3 when current was UYVY and you would get told +SMPTE170M. + +The value programmed in the VI_REP register for the colorspace +is always set by this driver, therefore there is no need to read +back the value, and never set to REC709. +Return the colorspace based on the format set/tried instead. + +Signed-off-by: Dave Stevenson +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 44 ++++++++++++++---------------------- + 1 file changed, 17 insertions(+), 27 deletions(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index ce54d963457d..26e9e95dd6ae 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1685,12 +1685,23 @@ static int tc358743_enum_mbus_code(struct v4l2_subdev *sd, + return 0; + } + ++static u32 tc358743_g_colorspace(u32 code) ++{ ++ switch (code) { ++ case MEDIA_BUS_FMT_RGB888_1X24: ++ return V4L2_COLORSPACE_SRGB; ++ case MEDIA_BUS_FMT_UYVY8_1X16: ++ return V4L2_COLORSPACE_SMPTE170M; ++ default: ++ return 0; ++ } ++} ++ + static int tc358743_get_fmt(struct v4l2_subdev *sd, + struct v4l2_subdev_pad_config *cfg, + struct v4l2_subdev_format *format) + { + struct tc358743_state *state = to_state(sd); +- u8 vi_rep = i2c_rd8(sd, VI_REP); + + if (format->pad != 0) + return -EINVAL; +@@ -1700,23 +1711,7 @@ static int tc358743_get_fmt(struct v4l2_subdev *sd, + format->format.height = state->timings.bt.height; + format->format.field = V4L2_FIELD_NONE; + +- switch (vi_rep & MASK_VOUT_COLOR_SEL) { +- case MASK_VOUT_COLOR_RGB_FULL: +- case MASK_VOUT_COLOR_RGB_LIMITED: +- format->format.colorspace = V4L2_COLORSPACE_SRGB; +- break; +- case MASK_VOUT_COLOR_601_YCBCR_LIMITED: +- case MASK_VOUT_COLOR_601_YCBCR_FULL: +- format->format.colorspace = V4L2_COLORSPACE_SMPTE170M; +- break; +- case MASK_VOUT_COLOR_709_YCBCR_FULL: +- case MASK_VOUT_COLOR_709_YCBCR_LIMITED: +- format->format.colorspace = V4L2_COLORSPACE_REC709; +- break; +- default: +- format->format.colorspace = 0; +- break; +- } ++ format->format.colorspace = tc358743_g_colorspace(format->format.code); + + return 0; + } +@@ -1730,19 +1725,14 @@ static int tc358743_set_fmt(struct v4l2_subdev *sd, + u32 code = format->format.code; /* is overwritten by get_fmt */ + int ret = tc358743_get_fmt(sd, cfg, format); + +- format->format.code = code; ++ if (code == MEDIA_BUS_FMT_RGB888_1X24 || ++ code == MEDIA_BUS_FMT_UYVY8_1X16) ++ format->format.code = code; ++ format->format.colorspace = tc358743_g_colorspace(format->format.code); + + if (ret) + return ret; + +- switch (code) { +- case MEDIA_BUS_FMT_RGB888_1X24: +- case MEDIA_BUS_FMT_UYVY8_1X16: +- break; +- default: +- return -EINVAL; +- } +- + if (format->which == V4L2_SUBDEV_FORMAT_TRY) + return 0; + +-- +2.39.5 + diff --git a/queue-5.4/media-usb-hdpvr-disable-zero-length-read-messages.patch b/queue-5.4/media-usb-hdpvr-disable-zero-length-read-messages.patch new file mode 100644 index 0000000000..6ec9396cba --- /dev/null +++ b/queue-5.4/media-usb-hdpvr-disable-zero-length-read-messages.patch @@ -0,0 +1,46 @@ +From ef6655a1edd6b94c1dc37da916548d041267cbdd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 May 2025 10:09:54 +0200 +Subject: media: usb: hdpvr: disable zero-length read messages + +From: Wolfram Sang + +[ Upstream commit b5ae5a79825ba8037b0be3ef677a24de8c063abf ] + +This driver passes the length of an i2c_msg directly to +usb_control_msg(). If the message is now a read and of length 0, it +violates the USB protocol and a warning will be printed. Enable the +I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length +read messages altogether. + +Signed-off-by: Wolfram Sang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/usb/hdpvr/hdpvr-i2c.c b/drivers/media/usb/hdpvr/hdpvr-i2c.c +index 785c8508a46e..e6a190fe0e87 100644 +--- a/drivers/media/usb/hdpvr/hdpvr-i2c.c ++++ b/drivers/media/usb/hdpvr/hdpvr-i2c.c +@@ -165,10 +165,16 @@ static const struct i2c_algorithm hdpvr_algo = { + .functionality = hdpvr_functionality, + }; + ++/* prevent invalid 0-length usb_control_msg */ ++static const struct i2c_adapter_quirks hdpvr_quirks = { ++ .flags = I2C_AQ_NO_ZERO_LEN_READ, ++}; ++ + static const struct i2c_adapter hdpvr_i2c_adapter_template = { + .name = "Hauppauge HD PVR I2C", + .owner = THIS_MODULE, + .algo = &hdpvr_algo, ++ .quirks = &hdpvr_quirks, + }; + + static int hdpvr_activate_ir(struct hdpvr_device *dev) +-- +2.39.5 + diff --git a/queue-5.4/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch b/queue-5.4/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch new file mode 100644 index 0000000000..660e45ac34 --- /dev/null +++ b/queue-5.4/media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch @@ -0,0 +1,52 @@ +From a592a92b8a65dc80efe1b6f958eac2e1b3759be6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 May 2025 14:18:03 +0800 +Subject: media: uvcvideo: Fix bandwidth issue for Alcor camera + +From: chenchangcheng + +[ Upstream commit 9764401bf6f8a20eb11c2e78470f20fee91a9ea7 ] + +Some broken device return wrong dwMaxPayloadTransferSize fields as +follows: + +[ 218.632537] uvcvideo: Device requested 2752512 B/frame bandwidth. +[ 218.632598] uvcvideo: No fast enough alt setting for requested bandwidth. + +When dwMaxPayloadTransferSize is greater than maxpsize, it will prevent +the camera from starting. So use the bandwidth of maxpsize. + +Signed-off-by: chenchangcheng +Reviewed-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20250510061803.811433-1-ccc194101@163.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_video.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index e62afdee20db..d1510c1230d9 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -228,6 +228,15 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream, + + ctrl->dwMaxPayloadTransferSize = bandwidth; + } ++ ++ if (stream->intf->num_altsetting > 1 && ++ ctrl->dwMaxPayloadTransferSize > stream->maxpsize) { ++ dev_warn_ratelimited(&stream->intf->dev, ++ "UVC non compliance: the max payload transmission size (%u) exceeds the size of the ep max packet (%u). Using the max size.\n", ++ ctrl->dwMaxPayloadTransferSize, ++ stream->maxpsize); ++ ctrl->dwMaxPayloadTransferSize = stream->maxpsize; ++ } + } + + static size_t uvc_video_ctrl_size(struct uvc_streaming *stream) +-- +2.39.5 + diff --git a/queue-5.4/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch b/queue-5.4/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch new file mode 100644 index 0000000000..8b51b2566b --- /dev/null +++ b/queue-5.4/mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch @@ -0,0 +1,79 @@ +From 267a2c96d7ee6cc208c90e130652a3bd88a1ee6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 13:28:26 +0200 +Subject: MIPS: Don't crash in stack_top() for tasks without ABI or vDSO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Weißschuh + +[ Upstream commit e9f4a6b3421e936c3ee9d74710243897d74dbaa2 ] + +Not all tasks have an ABI associated or vDSO mapped, +for example kthreads never do. +If such a task ever ends up calling stack_top(), it will derefence the +NULL ABI pointer and crash. + +This can for example happen when using kunit: + + mips_stack_top+0x28/0xc0 + arch_pick_mmap_layout+0x190/0x220 + kunit_vm_mmap_init+0xf8/0x138 + __kunit_add_resource+0x40/0xa8 + kunit_vm_mmap+0x88/0xd8 + usercopy_test_init+0xb8/0x240 + kunit_try_run_case+0x5c/0x1a8 + kunit_generic_run_threadfn_adapter+0x28/0x50 + kthread+0x118/0x240 + ret_from_kernel_thread+0x14/0x1c + +Only dereference the ABI point if it is set. + +The GIC page is also included as it is specific to the vDSO. +Also move the randomization adjustment into the same conditional. + +Signed-off-by: Thomas Weißschuh +Reviewed-by: David Gow +Reviewed-by: Huacai Chen +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/process.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 339870ed92f7..42e95e6edd1d 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -654,18 +654,20 @@ unsigned long mips_stack_top(void) + top -= PAGE_SIZE; + + /* Space for the VDSO, data page & GIC user page */ +- top -= PAGE_ALIGN(current->thread.abi->vdso->size); +- top -= PAGE_SIZE; +- top -= mips_gic_present() ? PAGE_SIZE : 0; ++ if (current->thread.abi) { ++ top -= PAGE_ALIGN(current->thread.abi->vdso->size); ++ top -= PAGE_SIZE; ++ top -= mips_gic_present() ? PAGE_SIZE : 0; ++ ++ /* Space to randomize the VDSO base */ ++ if (current->flags & PF_RANDOMIZE) ++ top -= VDSO_RANDOMIZE_SIZE; ++ } + + /* Space for cache colour alignment */ + if (cpu_has_dc_aliases) + top -= shm_align_mask + 1; + +- /* Space to randomize the VDSO base */ +- if (current->flags & PF_RANDOMIZE) +- top -= VDSO_RANDOMIZE_SIZE; +- + return top; + } + +-- +2.39.5 + diff --git a/queue-5.4/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch b/queue-5.4/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch new file mode 100644 index 0000000000..788ab27a2f --- /dev/null +++ b/queue-5.4/mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch @@ -0,0 +1,53 @@ +From f60396730e3969d10899c630032fab8f889dd064 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 21:06:32 +0800 +Subject: MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} + +From: Shiji Yang + +[ Upstream commit 844615dd0f2d95c018ec66b943e08af22b62aff3 ] + +These functions are exported but their prototypes are not defined. +This patch adds the missing function prototypes to fix the following +compilation warnings: + +arch/mips/kernel/vpe-mt.c:180:7: error: no previous prototype for 'vpe_alloc' [-Werror=missing-prototypes] + 180 | void *vpe_alloc(void) + | ^~~~~~~~~ +arch/mips/kernel/vpe-mt.c:198:5: error: no previous prototype for 'vpe_start' [-Werror=missing-prototypes] + 198 | int vpe_start(void *vpe, unsigned long start) + | ^~~~~~~~~ +arch/mips/kernel/vpe-mt.c:208:5: error: no previous prototype for 'vpe_stop' [-Werror=missing-prototypes] + 208 | int vpe_stop(void *vpe) + | ^~~~~~~~ +arch/mips/kernel/vpe-mt.c:229:5: error: no previous prototype for 'vpe_free' [-Werror=missing-prototypes] + 229 | int vpe_free(void *vpe) + | ^~~~~~~~ + +Signed-off-by: Shiji Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/vpe.h | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h +index 012731546cf6..3de6b0ff1627 100644 +--- a/arch/mips/include/asm/vpe.h ++++ b/arch/mips/include/asm/vpe.h +@@ -126,4 +126,12 @@ void cleanup_tc(struct tc *tc); + + int __init vpe_module_init(void); + void __exit vpe_module_exit(void); ++ ++#ifdef CONFIG_MIPS_VPE_LOADER_MT ++void *vpe_alloc(void); ++int vpe_start(void *vpe, unsigned long start); ++int vpe_stop(void *vpe); ++int vpe_free(void *vpe); ++#endif /* CONFIG_MIPS_VPE_LOADER_MT */ ++ + #endif /* _ASM_VPE_H */ +-- +2.39.5 + diff --git a/queue-5.4/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch b/queue-5.4/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch new file mode 100644 index 0000000000..12bfeffcff --- /dev/null +++ b/queue-5.4/mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch @@ -0,0 +1,40 @@ +From 5449a0eebb515d6c485c075a2973ecc3a8942d33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 13:16:23 +0200 +Subject: mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() + +From: Ulf Hansson + +[ Upstream commit 47a255f7d2eabee06cfbf5b1c2379749442fd01d ] + +In the error path of sd_set_power_mode() we don't update host->power_mode, +which could lead to an imbalance of the runtime PM usage count. Fix this by +always updating host->power_mode. + +Reviewed-by: Avri Altman +Signed-off-by: Ulf Hansson +Acked-by: Ricky Wu +Link: https://lore.kernel.org/r/20250610111633.504366-2-ulf.hansson@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c +index 3261560bede4..581bec5c4caf 100644 +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1038,9 +1038,7 @@ static int sd_set_power_mode(struct rtsx_usb_sdmmc *host, + err = sd_power_on(host); + } + +- if (!err) +- host->power_mode = power_mode; +- ++ host->power_mode = power_mode; + return err; + } + +-- +2.39.5 + diff --git a/queue-5.4/net-ag71xx-add-missing-check-after-dma-map.patch b/queue-5.4/net-ag71xx-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..8ad7d29f2f --- /dev/null +++ b/queue-5.4/net-ag71xx-add-missing-check-after-dma-map.patch @@ -0,0 +1,50 @@ +From 080a8fbd92e54a74393f743130f0bd55d61e17b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jul 2025 11:57:25 +0200 +Subject: net: ag71xx: Add missing check after DMA map + +From: Thomas Fourier + +[ Upstream commit 96a1e15e60216b52da0e6da5336b6d7f5b0188b0 ] + +The DMA map functions can fail and should be tested for errors. + +Signed-off-by: Thomas Fourier +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250716095733.37452-3-fourier.thomas@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/ag71xx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c +index 58a002dd758c..ba07817d0a22 100644 +--- a/drivers/net/ethernet/atheros/ag71xx.c ++++ b/drivers/net/ethernet/atheros/ag71xx.c +@@ -1049,6 +1049,11 @@ static bool ag71xx_fill_rx_buf(struct ag71xx *ag, struct ag71xx_buf *buf, + buf->rx.rx_buf = data; + buf->rx.dma_addr = dma_map_single(&ag->pdev->dev, data, ag->rx_buf_size, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(&ag->pdev->dev, buf->rx.dma_addr)) { ++ skb_free_frag(data); ++ buf->rx.rx_buf = NULL; ++ return false; ++ } + desc->data = (u32)buf->rx.dma_addr + offset; + return true; + } +@@ -1343,6 +1348,10 @@ static netdev_tx_t ag71xx_hard_start_xmit(struct sk_buff *skb, + + dma_addr = dma_map_single(&ag->pdev->dev, skb->data, skb->len, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&ag->pdev->dev, dma_addr)) { ++ netif_dbg(ag, tx_err, ndev, "DMA mapping error\n"); ++ goto err_drop; ++ } + + i = ring->curr & ring_mask; + desc = ag71xx_ring_desc(ring, i); +-- +2.39.5 + diff --git a/queue-5.4/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch b/queue-5.4/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch new file mode 100644 index 0000000000..fd448f5ccd --- /dev/null +++ b/queue-5.4/net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch @@ -0,0 +1,42 @@ +From 3c9d32b7f7e22b763de96e50c33ac661060fd9cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:59 +0200 +Subject: net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit c00df1018791185ea398f78af415a2a0aaa0c79c ] + +CPU port should be B53_CPU_PORT instead of B53_CPU_PORT_25 for +B53_PVLAN_PORT_MASK register. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-14-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index d41c9006a028..1816a5b56d51 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -502,6 +502,10 @@ void b53_imp_vlan_setup(struct dsa_switch *ds, int cpu_port) + unsigned int i; + u16 pvlan; + ++ /* BCM5325 CPU port is at 8 */ ++ if ((is5325(dev) || is5365(dev)) && cpu_port == B53_CPU_PORT_25) ++ cpu_port = B53_CPU_PORT; ++ + /* Enable the IMP port to be in the same VLAN as the other ports + * on a per-port basis such that we only have Port i and IMP in + * the same VLAN. +-- +2.39.5 + diff --git a/queue-5.4/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch b/queue-5.4/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch new file mode 100644 index 0000000000..41db251362 --- /dev/null +++ b/queue-5.4/net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch @@ -0,0 +1,69 @@ +From 280ee95955a8659cff39ef182004e89ed02323a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:54 +0200 +Subject: net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 044d5ce2788b165798bfd173548e61bf7b6baf4d ] + +BCM5325 doesn't implement B53_UC_FWD_EN, B53_MC_FWD_EN or B53_IPMC_FWD_EN. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-9-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 18 +++++++++++------- + drivers/net/dsa/b53/b53_regs.h | 1 + + 2 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 43726157dfe2..fea28b24a1a0 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -342,14 +342,18 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); + mgmt |= B53_MII_DUMB_FWDG_EN; + b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); +- } + +- /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether +- * frames should be flooded or not. +- */ +- b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); +- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; +- b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether ++ * frames should be flooded or not. ++ */ ++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); ++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN; ++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ } else { ++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt); ++ mgmt |= B53_IP_MCAST_25; ++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt); ++ } + } + + static void b53_enable_vlan(struct b53_device *dev, bool enable, +diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h +index b2c539a42154..ea6897c3f6f7 100644 +--- a/drivers/net/dsa/b53/b53_regs.h ++++ b/drivers/net/dsa/b53/b53_regs.h +@@ -103,6 +103,7 @@ + + /* IP Multicast control (8 bit) */ + #define B53_IP_MULTICAST_CTRL 0x21 ++#define B53_IP_MCAST_25 BIT(0) + #define B53_IPMC_FWD_EN BIT(1) + #define B53_UC_FWD_EN BIT(6) + #define B53_MC_FWD_EN BIT(7) +-- +2.39.5 + diff --git a/queue-5.4/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch b/queue-5.4/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch new file mode 100644 index 0000000000..4d369c5332 --- /dev/null +++ b/queue-5.4/net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch @@ -0,0 +1,49 @@ +From ffed2af6dbe42a4b9f9f67d6d8150a268b04a5d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jun 2025 09:59:53 +0200 +Subject: net: dsa: b53: prevent SWITCH_CTRL access on BCM5325 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 22ccaaca43440e90a3b68d2183045b42247dc4be ] + +BCM5325 doesn't implement SWITCH_CTRL register so we should avoid reading +or writing it. + +Reviewed-by: Florian Fainelli +Signed-off-by: Álvaro Fernández Rojas +Link: https://patch.msgid.link/20250614080000.1884236-8-noltari@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/b53/b53_common.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c +index 1816a5b56d51..43726157dfe2 100644 +--- a/drivers/net/dsa/b53/b53_common.c ++++ b/drivers/net/dsa/b53/b53_common.c +@@ -337,11 +337,12 @@ static void b53_set_forwarding(struct b53_device *dev, int enable) + + b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_MODE, mgmt); + +- /* Include IMP port in dumb forwarding mode +- */ +- b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); +- mgmt |= B53_MII_DUMB_FWDG_EN; +- b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); ++ if (!is5325(dev)) { ++ /* Include IMP port in dumb forwarding mode */ ++ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt); ++ mgmt |= B53_MII_DUMB_FWDG_EN; ++ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt); ++ } + + /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether + * frames should be flooded or not. +-- +2.39.5 + diff --git a/queue-5.4/net-fec-allow-disable-coalescing.patch b/queue-5.4/net-fec-allow-disable-coalescing.patch new file mode 100644 index 0000000000..48cba4809d --- /dev/null +++ b/queue-5.4/net-fec-allow-disable-coalescing.patch @@ -0,0 +1,80 @@ +From ad93f7c502226c3a922992abef70bde7ea46aa53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jun 2025 15:44:02 +0200 +Subject: net: fec: allow disable coalescing + +From: Jonas Rebmann + +[ Upstream commit b7ad21258f9e9a7f58b19595d5ceed2cde3bed68 ] + +In the current implementation, IP coalescing is always enabled and +cannot be disabled. + +As setting maximum frames to 0 or 1, or setting delay to zero implies +immediate delivery of single packets/IRQs, disable coalescing in +hardware in these cases. + +This also guarantees that coalescing is never enabled with ICFT or ICTT +set to zero, a configuration that could lead to unpredictable behaviour +according to i.MX8MP reference manual. + +Signed-off-by: Jonas Rebmann +Reviewed-by: Wei Fang +Link: https://patch.msgid.link/20250626-fec_deactivate_coalescing-v2-1-0b217f2e80da@pengutronix.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fec_main.c | 34 +++++++++++------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c +index fd7c504b44f2..f8a096633280 100644 +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -2590,27 +2590,25 @@ static int fec_enet_us_to_itr_clock(struct net_device *ndev, int us) + static void fec_enet_itr_coal_set(struct net_device *ndev) + { + struct fec_enet_private *fep = netdev_priv(ndev); +- int rx_itr, tx_itr; ++ u32 rx_itr = 0, tx_itr = 0; ++ int rx_ictt, tx_ictt; + +- /* Must be greater than zero to avoid unpredictable behavior */ +- if (!fep->rx_time_itr || !fep->rx_pkts_itr || +- !fep->tx_time_itr || !fep->tx_pkts_itr) +- return; +- +- /* Select enet system clock as Interrupt Coalescing +- * timer Clock Source +- */ +- rx_itr = FEC_ITR_CLK_SEL; +- tx_itr = FEC_ITR_CLK_SEL; ++ rx_ictt = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr); ++ tx_ictt = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr); + +- /* set ICFT and ICTT */ +- rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr); +- rx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr)); +- tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr); +- tx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr)); ++ if (rx_ictt > 0 && fep->rx_pkts_itr > 1) { ++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */ ++ rx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL; ++ rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr); ++ rx_itr |= FEC_ITR_ICTT(rx_ictt); ++ } + +- rx_itr |= FEC_ITR_EN; +- tx_itr |= FEC_ITR_EN; ++ if (tx_ictt > 0 && fep->tx_pkts_itr > 1) { ++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */ ++ tx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL; ++ tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr); ++ tx_itr |= FEC_ITR_ICTT(tx_ictt); ++ } + + writel(tx_itr, fep->hwp + FEC_TXIC0); + writel(rx_itr, fep->hwp + FEC_RXIC0); +-- +2.39.5 + diff --git a/queue-5.4/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch b/queue-5.4/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch new file mode 100644 index 0000000000..f6f541cbe2 --- /dev/null +++ b/queue-5.4/net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch @@ -0,0 +1,51 @@ +From 227dbf32303f868271c62b775542ee25b93b4667 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 16:27:13 +0200 +Subject: net: ipv4: fix incorrect MTU in broadcast routes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oscar Maes + +[ Upstream commit 9e30ecf23b1b8f091f7d08b27968dea83aae7908 ] + +Currently, __mkroute_output overrules the MTU value configured for +broadcast routes. + +This buggy behaviour can be reproduced with: + +ip link set dev eth1 mtu 9000 +ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 +ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500 + +The maximum packet size should be 1500, but it is actually 8000: + +ping -b 192.168.0.255 -s 8000 + +Fix __mkroute_output to allow MTU values to be configured for +for broadcast routes (to support a mixed-MTU local-area-network). + +Signed-off-by: Oscar Maes +Link: https://patch.msgid.link/20250710142714.12986-1-oscmaes92@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index d173234503f9..80612f73ff53 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2378,7 +2378,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res, + do_cache = true; + if (type == RTN_BROADCAST) { + flags |= RTCF_BROADCAST | RTCF_LOCAL; +- fi = NULL; + } else if (type == RTN_MULTICAST) { + flags |= RTCF_MULTICAST | RTCF_LOCAL; + if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr, +-- +2.39.5 + diff --git a/queue-5.4/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch b/queue-5.4/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch new file mode 100644 index 0000000000..4cdabb213d --- /dev/null +++ b/queue-5.4/net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch @@ -0,0 +1,52 @@ +From 654e54627376d3017049f3ac9c4e439fb087efab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 12:33:38 -0700 +Subject: net: ncsi: Fix buffer overflow in fetching version id + +From: Hari Kalavakunta + +[ Upstream commit 8e16170ae972c7fed132bc928914a2ffb94690fc ] + +In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't +need to be null terminated while its size occupies the full size +of the field. Fix the buffer overflow issue by adding one +additional byte for null terminator. + +Signed-off-by: Hari Kalavakunta +Reviewed-by: Paul Fertser +Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ncsi/internal.h | 2 +- + net/ncsi/ncsi-rsp.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h +index b723452768d4..67d5ee4dbc2a 100644 +--- a/net/ncsi/internal.h ++++ b/net/ncsi/internal.h +@@ -86,7 +86,7 @@ struct ncsi_channel_version { + u8 update; /* NCSI version update */ + char alpha1; /* NCSI version alpha1 */ + char alpha2; /* NCSI version alpha2 */ +- u8 fw_name[12]; /* Firmware name string */ ++ u8 fw_name[12 + 1]; /* Firmware name string */ + u32 fw_version; /* Firmware version */ + u16 pci_ids[4]; /* PCI identification */ + u32 mf_id; /* Manufacture ID */ +diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c +index b7d311f97905..41e4ed80f29a 100644 +--- a/net/ncsi/ncsi-rsp.c ++++ b/net/ncsi/ncsi-rsp.c +@@ -782,6 +782,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr) + ncv->alpha1 = rsp->alpha1; + ncv->alpha2 = rsp->alpha2; + memcpy(ncv->fw_name, rsp->fw_name, 12); ++ ncv->fw_name[12] = '\0'; + ncv->fw_version = ntohl(rsp->fw_version); + for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++) + ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]); +-- +2.39.5 + diff --git a/queue-5.4/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch b/queue-5.4/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch new file mode 100644 index 0000000000..279f7f7335 --- /dev/null +++ b/queue-5.4/net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch @@ -0,0 +1,41 @@ +From a762ab44eb0d3cf0364340232171b4f91e70d9be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jul 2025 17:29:16 +0200 +Subject: net: phy: smsc: add proper reset flags for LAN8710A +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Buday Csaba + +[ Upstream commit 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d ] + +According to the LAN8710A datasheet (Rev. B, section 3.8.5.1), a hardware +reset is required after power-on, and the reference clock (REF_CLK) must be +established before asserting reset. + +Signed-off-by: Buday Csaba +Cc: Csókás Bence +Reviewed-by: Andrew Lunn +Link: https://patch.msgid.link/20250728152916.46249-2-csokas.bence@prolan.hu +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/smsc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c +index e387c219f17d..68bb94f970f6 100644 +--- a/drivers/net/phy/smsc.c ++++ b/drivers/net/phy/smsc.c +@@ -306,6 +306,7 @@ static struct phy_driver smsc_phy_driver[] = { + /* PHY_BASIC_FEATURES */ + .flags = PHY_RST_AFTER_CLK_EN, + ++ .flags = PHY_RST_AFTER_CLK_EN, + .probe = smsc_phy_probe, + + /* basic functions */ +-- +2.39.5 + diff --git a/queue-5.4/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch b/queue-5.4/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch new file mode 100644 index 0000000000..815c18576d --- /dev/null +++ b/queue-5.4/net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch @@ -0,0 +1,66 @@ +From ac0fe0ffcbb6c9af9bff288b9029c27ecc615bc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 07:05:30 -0700 +Subject: net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alok Tiwari + +[ Upstream commit 53d20606c40678d425cc03f0978c614dca51f25e ] + +The buffer bgx_sel used in snprintf() was too small to safely hold +the formatted string "BGX%d" for all valid bgx_id values. This caused +a -Wformat-truncation warning with `Werror` enabled during build. + +Increase the buffer size from 5 to 7 and use `sizeof(bgx_sel)` in +snprintf() to ensure safety and suppress the warning. + +Build warning: + CC drivers/net/ethernet/cavium/thunder/thunder_bgx.o + drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function +‘bgx_acpi_match_id’: + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:27: error: ‘%d’ +directive output may be truncated writing between 1 and 3 bytes into a +region of size 2 [-Werror=format-truncation=] + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + ^~ + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:23: note: +directive argument in the range [0, 255] + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + ^~~~~~~ + drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:2: note: +‘snprintf’ output between 5 and 7 bytes into a destination of size 5 + snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); + +compiler warning due to insufficient snprintf buffer size. + +Signed-off-by: Alok Tiwari +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250711140532.2463602-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +index a34c33e8a8ad..8854025610e6 100644 +--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c ++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c +@@ -1430,9 +1430,9 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl, + { + struct acpi_buffer string = { ACPI_ALLOCATE_BUFFER, NULL }; + struct bgx *bgx = context; +- char bgx_sel[5]; ++ char bgx_sel[7]; + +- snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id); ++ snprintf(bgx_sel, sizeof(bgx_sel), "BGX%d", bgx->bgx_id); + if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &string))) { + pr_warn("Invalid link device\n"); + return AE_OK; +-- +2.39.5 + diff --git a/queue-5.4/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch b/queue-5.4/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch new file mode 100644 index 0000000000..d135083266 --- /dev/null +++ b/queue-5.4/net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch @@ -0,0 +1,56 @@ +From 72c01d3dbd211927403f68c74df99a2d3fd001cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 16:26:25 +0300 +Subject: net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs + +From: Gal Pressman + +[ Upstream commit 60a8b1a5d0824afda869f18dc0ecfe72f8dfda42 ] + +When CONFIG_VLAN_8021Q=n, a set of stub helpers are used, three of these +helpers use BUG() unconditionally. + +This code should not be reached, as callers of these functions should +always check for is_vlan_dev() first, but the usage of BUG() is not +recommended, replace it with WARN_ON() instead. + +Reviewed-by: Alex Lazar +Reviewed-by: Dragos Tatulea +Signed-off-by: Gal Pressman +Link: https://patch.msgid.link/20250616132626.1749331-3-gal@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/if_vlan.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index b3dae069bcd9..52ce74226ba2 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -240,19 +240,19 @@ vlan_for_each(struct net_device *dev, + + static inline struct net_device *vlan_dev_real_dev(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return NULL; + } + + static inline u16 vlan_dev_vlan_id(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return 0; + } + + static inline __be16 vlan_dev_vlan_proto(const struct net_device *dev) + { +- BUG(); ++ WARN_ON_ONCE(1); + return 0; + } + +-- +2.39.5 + diff --git a/queue-5.4/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch b/queue-5.4/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch new file mode 100644 index 0000000000..5403b8ad92 --- /dev/null +++ b/queue-5.4/netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch @@ -0,0 +1,45 @@ +From 2cf7d93338396bdd80dff422652b30f25313ef32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jun 2025 17:52:38 +0000 +Subject: netmem: fix skb_frag_address_safe with unreadable skbs + +From: Mina Almasry + +[ Upstream commit 4672aec56d2e8edabcb74c3e2320301d106a377e ] + +skb_frag_address_safe() needs a check that the +skb_frag_page exists check similar to skb_frag_address(). + +Cc: ap420073@gmail.com + +Signed-off-by: Mina Almasry +Acked-by: Stanislav Fomichev +Link: https://patch.msgid.link/20250619175239.3039329-1-almasrymina@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/skbuff.h | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index d9abd9e6833e..101ac3d6581e 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3073,7 +3073,13 @@ static inline void *skb_frag_address(const skb_frag_t *frag) + */ + static inline void *skb_frag_address_safe(const skb_frag_t *frag) + { +- void *ptr = page_address(skb_frag_page(frag)); ++ struct page *page = skb_frag_page(frag); ++ void *ptr; ++ ++ if (!page) ++ return NULL; ++ ++ ptr = page_address(page); + if (unlikely(!ptr)) + return NULL; + +-- +2.39.5 + diff --git a/queue-5.4/pci-pnv_php-work-around-switches-with-broken-presenc.patch b/queue-5.4/pci-pnv_php-work-around-switches-with-broken-presenc.patch new file mode 100644 index 0000000000..019dd1d05a --- /dev/null +++ b/queue-5.4/pci-pnv_php-work-around-switches-with-broken-presenc.patch @@ -0,0 +1,77 @@ +From 7be6953e5698179c48ab7683fc060a441c0b726b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 16:36:55 -0500 +Subject: PCI: pnv_php: Work around switches with broken presence detection + +From: Timothy Pearson + +[ Upstream commit 80f9fc2362797538ebd4fd70a1dfa838cc2c2cdb ] + +The Microsemi Switchtec PM8533 PFX 48xG3 [11f8:8533] PCIe switch system +was observed to incorrectly assert the Presence Detect Set bit in its +capabilities when tested on a Raptor Computing Systems Blackbird system, +resulting in the hot insert path never attempting a rescan of the bus +and any downstream devices not being re-detected. + +Work around this by additionally checking whether the PCIe data link is +active or not when performing presence detection on downstream switches' +ports, similar to the pciehp_hpc.c driver. + +Signed-off-by: Shawn Anastasio +Signed-off-by: Timothy Pearson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/505981576.1359853.1752615415117.JavaMail.zimbra@raptorengineeringinc.com +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pnv_php.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c +index 3687a99383c1..800964c81e06 100644 +--- a/drivers/pci/hotplug/pnv_php.c ++++ b/drivers/pci/hotplug/pnv_php.c +@@ -395,6 +395,20 @@ static int pnv_php_get_power_state(struct hotplug_slot *slot, u8 *state) + return 0; + } + ++static int pcie_check_link_active(struct pci_dev *pdev) ++{ ++ u16 lnk_status; ++ int ret; ++ ++ ret = pcie_capability_read_word(pdev, PCI_EXP_LNKSTA, &lnk_status); ++ if (ret == PCIBIOS_DEVICE_NOT_FOUND || PCI_POSSIBLE_ERROR(lnk_status)) ++ return -ENODEV; ++ ++ ret = !!(lnk_status & PCI_EXP_LNKSTA_DLLLA); ++ ++ return ret; ++} ++ + static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state) + { + struct pnv_php_slot *php_slot = to_pnv_php_slot(slot); +@@ -407,6 +421,19 @@ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state) + */ + ret = pnv_pci_get_presence_state(php_slot->id, &presence); + if (ret >= 0) { ++ if (pci_pcie_type(php_slot->pdev) == PCI_EXP_TYPE_DOWNSTREAM && ++ presence == OPAL_PCI_SLOT_EMPTY) { ++ /* ++ * Similar to pciehp_hpc, check whether the Link Active ++ * bit is set to account for broken downstream bridges ++ * that don't properly assert Presence Detect State, as ++ * was observed on the Microsemi Switchtec PM8533 PFX ++ * [11f8:8533]. ++ */ ++ if (pcie_check_link_active(php_slot->pdev) > 0) ++ presence = OPAL_PCI_SLOT_PRESENT; ++ } ++ + *state = presence; + ret = 0; + } else { +-- +2.39.5 + diff --git a/queue-5.4/pinctrl-stm32-manage-irq-affinity-settings.patch b/queue-5.4/pinctrl-stm32-manage-irq-affinity-settings.patch new file mode 100644 index 0000000000..32a2cfc8a6 --- /dev/null +++ b/queue-5.4/pinctrl-stm32-manage-irq-affinity-settings.patch @@ -0,0 +1,39 @@ +From e9e432f274875e6689fb63b255031c41071664ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 16:30:39 +0200 +Subject: pinctrl: stm32: Manage irq affinity settings + +From: Cheick Traore + +[ Upstream commit 4c5cc2f65386e22166ce006efe515c667aa075e4 ] + +Trying to set the affinity of the interrupts associated to stm32 +pinctrl results in a write error. + +Fill struct irq_chip::irq_set_affinity to use the default helper +function. + +Signed-off-by: Cheick Traore +Signed-off-by: Antonio Borneo +Link: https://lore.kernel.org/20250610143042.295376-3-antonio.borneo@foss.st.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/stm32/pinctrl-stm32.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c +index 10595b43360b..2a9c2d94eb55 100644 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -340,6 +340,7 @@ static struct irq_chip stm32_gpio_irq_chip = { + .irq_set_wake = irq_chip_set_wake_parent, + .irq_request_resources = stm32_gpio_irq_request_resources, + .irq_release_resources = stm32_gpio_irq_release_resources, ++ .irq_set_affinity = IS_ENABLED(CONFIG_SMP) ? irq_chip_set_affinity_parent : NULL, + }; + + static int stm32_gpio_domain_translate(struct irq_domain *d, +-- +2.39.5 + diff --git a/queue-5.4/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch b/queue-5.4/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch new file mode 100644 index 0000000000..4ac5657a74 --- /dev/null +++ b/queue-5.4/platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch @@ -0,0 +1,50 @@ +From 00aae85acc2719362810aab08a0f51cd53d1b35e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 May 2025 11:18:37 -0700 +Subject: platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 6418a8504187dc7f5b6f9d0649c03e362cb0664b ] + +When KCOV is enabled all functions get instrumented, unless the +__no_sanitize_coverage attribute is used. To prepare for +__no_sanitize_coverage being applied to __init functions[1], we have +to handle differences in how GCC's inline optimizations get resolved. +For thinkpad_acpi routines, this means forcing two functions to be +inline with __always_inline. + +Link: https://lore.kernel.org/lkml/20250523043935.2009972-11-kees@kernel.org/ [1] +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20250529181831.work.439-kees@kernel.org +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 9eb74d9e1519..e480fff7142a 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -514,12 +514,12 @@ static unsigned long __init tpacpi_check_quirks( + return 0; + } + +-static inline bool __pure __init tpacpi_is_lenovo(void) ++static __always_inline bool __pure __init tpacpi_is_lenovo(void) + { + return thinkpad_id.vendor == PCI_VENDOR_ID_LENOVO; + } + +-static inline bool __pure __init tpacpi_is_ibm(void) ++static __always_inline bool __pure __init tpacpi_is_ibm(void) + { + return thinkpad_id.vendor == PCI_VENDOR_ID_IBM; + } +-- +2.39.5 + diff --git a/queue-5.4/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch b/queue-5.4/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch new file mode 100644 index 0000000000..ed0430eeb2 --- /dev/null +++ b/queue-5.4/pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch @@ -0,0 +1,46 @@ +From db67fbda3e60a3fd61e65367c5e5efae00d441ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 17:53:54 +0530 +Subject: pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in + mperf_stop() + +From: Gautham R. Shenoy + +[ Upstream commit cda7ac8ce7de84cf32a3871ba5f318aa3b79381e ] + +In the function mperf_start(), mperf_monitor snapshots the time, tsc +and finally the aperf,mperf MSRs. However, this order of snapshotting +in is reversed in mperf_stop(). As a result, the C0 residency (which +is computed as delta_mperf * 100 / delta_tsc) is under-reported on +CPUs that is 100% busy. + +Fix this by snapshotting time, tsc and then aperf,mperf in +mperf_stop() in the same order as in mperf_start(). + +Link: https://lore.kernel.org/r/20250612122355.19629-2-gautham.shenoy@amd.com +Signed-off-by: Gautham R. Shenoy +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +index 0e8c0b879d4b..09c606760464 100644 +--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c ++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c +@@ -201,9 +201,9 @@ static int mperf_stop(void) + int cpu; + + for (cpu = 0; cpu < cpu_count; cpu++) { +- mperf_measure_stats(cpu); +- mperf_get_tsc(&tsc_at_measure_end[cpu]); + clock_gettime(CLOCK_REALTIME, &time_end[cpu]); ++ mperf_get_tsc(&tsc_at_measure_end[cpu]); ++ mperf_measure_stats(cpu); + } + + return 0; +-- +2.39.5 + diff --git a/queue-5.4/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch b/queue-5.4/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch new file mode 100644 index 0000000000..cd94b04d93 --- /dev/null +++ b/queue-5.4/pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch @@ -0,0 +1,41 @@ +From 33ae574bab58ede54809e0b361b8b1b26d5d5102 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 21:16:05 +0200 +Subject: PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() + +From: Rafael J. Wysocki + +[ Upstream commit 89d9cec3b1e9c49bae9375a2db6dc49bc7468af0 ] + +Clear power.needs_force_resume in pm_runtime_reinit() in case it has +been set by pm_runtime_force_suspend() invoked from a driver remove +callback. + +Suggested-by: Ulf Hansson +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Ulf Hansson +Link: https://patch.msgid.link/9495163.CDJkKcVGEf@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/runtime.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c +index 7fa231076ad5..7d362b38f2e8 100644 +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -1698,6 +1698,11 @@ void pm_runtime_reinit(struct device *dev) + pm_runtime_put(dev->parent); + } + } ++ /* ++ * Clear power.needs_force_resume in case it has been set by ++ * pm_runtime_force_suspend() invoked from a driver remove callback. ++ */ ++ dev->power.needs_force_resume = false; + } + + /** +-- +2.39.5 + diff --git a/queue-5.4/pm-sleep-console-fix-the-black-screen-issue.patch b/queue-5.4/pm-sleep-console-fix-the-black-screen-issue.patch new file mode 100644 index 0000000000..d93694ac26 --- /dev/null +++ b/queue-5.4/pm-sleep-console-fix-the-black-screen-issue.patch @@ -0,0 +1,77 @@ +From cef668a5a111105b8c3cc394a2ba3e64259cc7d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:23:45 +0800 +Subject: PM: sleep: console: Fix the black screen issue + +From: tuhaowen + +[ Upstream commit 4266e8fa56d3d982bf451d382a410b9db432015c ] + +When the computer enters sleep status without a monitor +connected, the system switches the console to the virtual +terminal tty63(SUSPEND_CONSOLE). + +If a monitor is subsequently connected before waking up, +the system skips the required VT restoration process +during wake-up, leaving the console on tty63 instead of +switching back to tty1. + +To fix this issue, a global flag vt_switch_done is introduced +to record whether the system has successfully switched to +the suspend console via vt_move_to_console() during suspend. + +If the switch was completed, vt_switch_done is set to 1. +Later during resume, this flag is checked to ensure that +the original console is restored properly by calling +vt_move_to_console(orig_fgconsole, 0). + +This prevents scenarios where the resume logic skips console +restoration due to incorrect detection of the console state, +especially when a monitor is reconnected before waking up. + +Signed-off-by: tuhaowen +Link: https://patch.msgid.link/20250611032345.29962-1-tuhaowen@uniontech.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/console.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/power/console.c b/kernel/power/console.c +index fcdf0e14a47d..19c48aa5355d 100644 +--- a/kernel/power/console.c ++++ b/kernel/power/console.c +@@ -16,6 +16,7 @@ + #define SUSPEND_CONSOLE (MAX_NR_CONSOLES-1) + + static int orig_fgconsole, orig_kmsg; ++static bool vt_switch_done; + + static DEFINE_MUTEX(vt_switch_mutex); + +@@ -136,17 +137,21 @@ void pm_prepare_console(void) + if (orig_fgconsole < 0) + return; + ++ vt_switch_done = true; ++ + orig_kmsg = vt_kmsg_redirect(SUSPEND_CONSOLE); + return; + } + + void pm_restore_console(void) + { +- if (!pm_vt_switch()) ++ if (!pm_vt_switch() && !vt_switch_done) + return; + + if (orig_fgconsole >= 0) { + vt_move_to_console(orig_fgconsole, 0); + vt_kmsg_redirect(orig_kmsg); + } ++ ++ vt_switch_done = false; + } +-- +2.39.5 + diff --git a/queue-5.4/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch b/queue-5.4/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch new file mode 100644 index 0000000000..dc7eeb6506 --- /dev/null +++ b/queue-5.4/pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch @@ -0,0 +1,41 @@ +From e07685d6d3583633d4bcd136ec111f14c90011cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jul 2025 16:32:21 +0300 +Subject: pNFS: Fix disk addr range check in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 7db6e66663681abda54f81d5916db3a3b8b1a13d ] + +At the end of the isect translation, disc_addr represents the physical +disk offset. Thus, end calculated from disk_addr is also a physical disk +offset. Therefore, range checking should be done using map->disk_offset, +not map->start. + +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250702133226.212537-1-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/blocklayout.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c +index 9f10b90debec..4f929134fc63 100644 +--- a/fs/nfs/blocklayout/blocklayout.c ++++ b/fs/nfs/blocklayout/blocklayout.c +@@ -171,8 +171,8 @@ do_add_page_to_bio(struct bio *bio, int npg, int rw, sector_t isect, + + /* limit length to what the device mapping allows */ + end = disk_addr + *len; +- if (end >= map->start + map->len) +- *len = map->start + map->len - disk_addr; ++ if (end >= map->disk_offset + map->len) ++ *len = map->disk_offset + map->len - disk_addr; + + retry: + if (!bio) { +-- +2.39.5 + diff --git a/queue-5.4/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch b/queue-5.4/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch new file mode 100644 index 0000000000..3258444aa7 --- /dev/null +++ b/queue-5.4/pnfs-fix-stripe-mapping-in-block-scsi-layout.patch @@ -0,0 +1,57 @@ +From 895cc348e2858b675321bba6a0f888568612533a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 15:21:48 +0300 +Subject: pNFS: Fix stripe mapping in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 81438498a285759f31e843ac4800f82a5ce6521f ] + +Because of integer division, we need to carefully calculate the +disk offset. Consider the example below for a stripe of 6 volumes, +a chunk size of 4096, and an offset of 70000. + +chunk = div_u64(offset, dev->chunk_size) = 70000 / 4096 = 17 +offset = chunk * dev->chunk_size = 17 * 4096 = 69632 +disk_offset_wrong = div_u64(offset, dev->nr_children) = 69632 / 6 = 11605 +disk_chunk = div_u64(chunk, dev->nr_children) = 17 / 6 = 2 +disk_offset = disk_chunk * dev->chunk_size = 2 * 4096 = 8192 + +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250701122341.199112-1-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/dev.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c +index 6e3a14fdff9c..007d68a3a616 100644 +--- a/fs/nfs/blocklayout/dev.c ++++ b/fs/nfs/blocklayout/dev.c +@@ -199,10 +199,11 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset, + struct pnfs_block_dev *child; + u64 chunk; + u32 chunk_idx; ++ u64 disk_chunk; + u64 disk_offset; + + chunk = div_u64(offset, dev->chunk_size); +- div_u64_rem(chunk, dev->nr_children, &chunk_idx); ++ disk_chunk = div_u64_rem(chunk, dev->nr_children, &chunk_idx); + + if (chunk_idx >= dev->nr_children) { + dprintk("%s: invalid chunk idx %d (%lld/%lld)\n", +@@ -215,7 +216,7 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset, + offset = chunk * dev->chunk_size; + + /* disk offset of the stripe */ +- disk_offset = div_u64(offset, dev->nr_children); ++ disk_offset = disk_chunk * dev->chunk_size; + + child = &dev->children[chunk_idx]; + child->map(child, disk_offset, map); +-- +2.39.5 + diff --git a/queue-5.4/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch b/queue-5.4/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch new file mode 100644 index 0000000000..da296c76eb --- /dev/null +++ b/queue-5.4/pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch @@ -0,0 +1,99 @@ +From 9c68be5041705f881a9f26018d124f633920e5d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 21:35:26 +0300 +Subject: pNFS: Fix uninited ptr deref in block/scsi layout + +From: Sergey Bashirov + +[ Upstream commit 9768797c219326699778fba9cd3b607b2f1e7950 ] + +The error occurs on the third attempt to encode extents. When function +ext_tree_prepare_commit() reallocates a larger buffer to retry encoding +extents, the "layoutupdate_pages" page array is initialized only after the +retry loop. But ext_tree_free_commitdata() is called on every iteration +and tries to put pages in the array, thus dereferencing uninitialized +pointers. + +An additional problem is that there is no limit on the maximum possible +buffer_size. When there are too many extents, the client may create a +layoutcommit that is larger than the maximum possible RPC size accepted +by the server. + +During testing, we observed two typical scenarios. First, one memory page +for extents is enough when we work with small files, append data to the +end of the file, or preallocate extents before writing. But when we fill +a new large file without preallocating, the number of extents can be huge, +and counting the number of written extents in ext_tree_encode_commit() +does not help much. Since this number increases even more between +unlocking and locking of ext_tree, the reallocated buffer may not be +large enough again and again. + +Co-developed-by: Konstantin Evtushenko +Signed-off-by: Konstantin Evtushenko +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250630183537.196479-2-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/blocklayout/extent_tree.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/fs/nfs/blocklayout/extent_tree.c b/fs/nfs/blocklayout/extent_tree.c +index 7a57ff2528af..055ec818eaaa 100644 +--- a/fs/nfs/blocklayout/extent_tree.c ++++ b/fs/nfs/blocklayout/extent_tree.c +@@ -552,6 +552,15 @@ static int ext_tree_encode_commit(struct pnfs_block_layout *bl, __be32 *p, + return ret; + } + ++/** ++ * ext_tree_prepare_commit - encode extents that need to be committed ++ * @arg: layout commit data ++ * ++ * Return values: ++ * %0: Success, all required extents are encoded ++ * %-ENOSPC: Some extents are encoded, but not all, due to RPC size limit ++ * %-ENOMEM: Out of memory, extents not encoded ++ */ + int + ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + { +@@ -568,12 +577,12 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + start_p = page_address(arg->layoutupdate_page); + arg->layoutupdate_pages = &arg->layoutupdate_page; + +-retry: +- ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, &count, &arg->lastbytewritten); ++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, ++ &count, &arg->lastbytewritten); + if (unlikely(ret)) { + ext_tree_free_commitdata(arg, buffer_size); + +- buffer_size = ext_tree_layoutupdate_size(bl, count); ++ buffer_size = NFS_SERVER(arg->inode)->wsize; + count = 0; + + arg->layoutupdate_pages = +@@ -588,7 +597,8 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + return -ENOMEM; + } + +- goto retry; ++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, ++ &count, &arg->lastbytewritten); + } + + *start_p = cpu_to_be32(count); +@@ -608,7 +618,7 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg) + } + + dprintk("%s found %zu ranges\n", __func__, count); +- return 0; ++ return ret; + } + + void +-- +2.39.5 + diff --git a/queue-5.4/pnfs-handle-rpc-size-limit-for-layoutcommits.patch b/queue-5.4/pnfs-handle-rpc-size-limit-for-layoutcommits.patch new file mode 100644 index 0000000000..aaf8ef48e3 --- /dev/null +++ b/queue-5.4/pnfs-handle-rpc-size-limit-for-layoutcommits.patch @@ -0,0 +1,67 @@ +From b65ee67f3cab963a09137a36a8d4835fb4d2671b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 21:35:29 +0300 +Subject: pNFS: Handle RPC size limit for layoutcommits + +From: Sergey Bashirov + +[ Upstream commit d897d81671bc4615c80f4f3bd5e6b218f59df50c ] + +When there are too many block extents for a layoutcommit, they may not +all fit into the maximum-sized RPC. This patch allows the generic pnfs +code to properly handle -ENOSPC returned by the block/scsi layout driver +and trigger additional layoutcommits if necessary. + +Co-developed-by: Konstantin Evtushenko +Signed-off-by: Konstantin Evtushenko +Signed-off-by: Sergey Bashirov +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20250630183537.196479-5-sergeybashirov@gmail.com +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c +index d91576a587e4..992cdac8dbe9 100644 +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -3047,6 +3047,7 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync) + struct nfs_inode *nfsi = NFS_I(inode); + loff_t end_pos; + int status; ++ bool mark_as_dirty = false; + + if (!pnfs_layoutcommit_outstanding(inode)) + return 0; +@@ -3098,19 +3099,23 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync) + if (ld->prepare_layoutcommit) { + status = ld->prepare_layoutcommit(&data->args); + if (status) { +- put_cred(data->cred); ++ if (status != -ENOSPC) ++ put_cred(data->cred); + spin_lock(&inode->i_lock); + set_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags); + if (end_pos > nfsi->layout->plh_lwb) + nfsi->layout->plh_lwb = end_pos; +- goto out_unlock; ++ if (status != -ENOSPC) ++ goto out_unlock; ++ spin_unlock(&inode->i_lock); ++ mark_as_dirty = true; + } + } + + + status = nfs4_proc_layoutcommit(data, sync); + out: +- if (status) ++ if (status || mark_as_dirty) + mark_inode_dirty_sync(inode); + dprintk("<-- %s status %d\n", __func__, status); + return status; +-- +2.39.5 + diff --git a/queue-5.4/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch b/queue-5.4/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch new file mode 100644 index 0000000000..b8eeaf5a51 --- /dev/null +++ b/queue-5.4/powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch @@ -0,0 +1,43 @@ +From 1e366e3e9646b0cbc8df06834e3a689a481b6203 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 16:29:11 +0200 +Subject: (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized + pointer + +From: Thomas Fourier + +[ Upstream commit 760b9b4f6de9a33ca56a05f950cabe82138d25bd ] + +If the device configuration fails (if `dma_dev->device_config()`), +`sg_dma_address(&sg)` is not initialized and the jump to `err_dma_prep` +leads to calling `dma_unmap_single()` on `sg_dma_address(&sg)`. + +Signed-off-by: Thomas Fourier +Reviewed-by: Christophe Leroy +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250610142918.169540-2-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c +index 13631f35cd14..12fb94968f3c 100644 +--- a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c ++++ b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c +@@ -240,10 +240,8 @@ static int mpc512x_lpbfifo_kick(void) + dma_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + + /* Make DMA channel work with LPB FIFO data register */ +- if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) { +- ret = -EINVAL; +- goto err_dma_prep; +- } ++ if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) ++ return -EINVAL; + + sg_init_table(&sg, 1); + +-- +2.39.5 + diff --git a/queue-5.4/rcu-protect-defer_qs_iw_pending-from-data-race.patch b/queue-5.4/rcu-protect-defer_qs_iw_pending-from-data-race.patch new file mode 100644 index 0000000000..c7fe49abd9 --- /dev/null +++ b/queue-5.4/rcu-protect-defer_qs_iw_pending-from-data-race.patch @@ -0,0 +1,97 @@ +From 471f3d08efb346812a3cfa53c7706c519d15ba37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Apr 2025 16:49:53 -0700 +Subject: rcu: Protect ->defer_qs_iw_pending from data race + +From: Paul E. McKenney + +[ Upstream commit 90c09d57caeca94e6f3f87c49e96a91edd40cbfd ] + +On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is +invoked within an interrupts-disabled region of code [1], it will invoke +rcu_read_unlock_special(), which uses an irq-work handler to force the +system to notice when the RCU read-side critical section actually ends. +That end won't happen until interrupts are enabled at the soonest. + +In some kernels, such as those booted with rcutree.use_softirq=y, the +irq-work handler is used unconditionally. + +The per-CPU rcu_data structure's ->defer_qs_iw_pending field is +updated by the irq-work handler and is both read and updated by +rcu_read_unlock_special(). This resulted in the following KCSAN splat: + +------------------------------------------------------------------------ + +BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special + +read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8: + rcu_read_unlock_special+0x175/0x260 + __rcu_read_unlock+0x92/0xa0 + rt_spin_unlock+0x9b/0xc0 + __local_bh_enable+0x10d/0x170 + __local_bh_enable_ip+0xfb/0x150 + rcu_do_batch+0x595/0xc40 + rcu_cpu_kthread+0x4e9/0x830 + smpboot_thread_fn+0x24d/0x3b0 + kthread+0x3bd/0x410 + ret_from_fork+0x35/0x40 + ret_from_fork_asm+0x1a/0x30 + +write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8: + rcu_preempt_deferred_qs_handler+0x1e/0x30 + irq_work_single+0xaf/0x160 + run_irq_workd+0x91/0xc0 + smpboot_thread_fn+0x24d/0x3b0 + kthread+0x3bd/0x410 + ret_from_fork+0x35/0x40 + ret_from_fork_asm+0x1a/0x30 + +no locks held by irq_work/8/88. +irq event stamp: 200272 +hardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320 +hardirqs last disabled at (200271): [] __schedule+0x129/0xd70 +softirqs last enabled at (0): [] copy_process+0x4df/0x1cc0 +softirqs last disabled at (0): [<0000000000000000>] 0x0 + +------------------------------------------------------------------------ + +The problem is that irq-work handlers run with interrupts enabled, which +means that rcu_preempt_deferred_qs_handler() could be interrupted, +and that interrupt handler might contain an RCU read-side critical +section, which might invoke rcu_read_unlock_special(). In the strict +KCSAN mode of operation used by RCU, this constitutes a data race on +the ->defer_qs_iw_pending field. + +This commit therefore disables interrupts across the portion of the +rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending +field. This suffices because this handler is not a fast path. + +Signed-off-by: Paul E. McKenney +Reviewed-by: Frederic Weisbecker +Signed-off-by: Neeraj Upadhyay (AMD) +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_plugin.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index 1d9f2831b54e..197fefa82d18 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -582,10 +582,13 @@ static void rcu_preempt_deferred_qs(struct task_struct *t) + */ + static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp) + { ++ unsigned long flags; + struct rcu_data *rdp; + + rdp = container_of(iwp, struct rcu_data, defer_qs_iw); ++ local_irq_save(flags); + rdp->defer_qs_iw_pending = false; ++ local_irq_restore(flags); + } + + /* +-- +2.39.5 + diff --git a/queue-5.4/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch b/queue-5.4/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch new file mode 100644 index 0000000000..70183b873f --- /dev/null +++ b/queue-5.4/rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch @@ -0,0 +1,85 @@ +From 72048ca082b21f834f41c16140a5dc5fc481a0a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jun 2025 15:39:38 -0400 +Subject: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() + +From: Yury Norov [NVIDIA] + +[ Upstream commit 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a ] + +The function divides number of online CPUs by num_core_siblings, and +later checks the divider by zero. This implies a possibility to get +and divide-by-zero runtime error. Fix it by moving the check prior to +division. This also helps to save one indentation level. + +Signed-off-by: Yury Norov [NVIDIA] +Link: https://patch.msgid.link/20250604193947.11834-3-yury.norov@gmail.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/affinity.c | 44 +++++++++++++++------------ + 1 file changed, 24 insertions(+), 20 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c +index 832b878fa67e..6933fbea2b46 100644 +--- a/drivers/infiniband/hw/hfi1/affinity.c ++++ b/drivers/infiniband/hw/hfi1/affinity.c +@@ -1009,31 +1009,35 @@ static void find_hw_thread_mask(uint hw_thread_no, cpumask_var_t hw_thread_mask, + struct hfi1_affinity_node_list *affinity) + { + int possible, curr_cpu, i; +- uint num_cores_per_socket = node_affinity.num_online_cpus / ++ uint num_cores_per_socket; ++ ++ cpumask_copy(hw_thread_mask, &affinity->proc.mask); ++ ++ if (affinity->num_core_siblings == 0) ++ return; ++ ++ num_cores_per_socket = node_affinity.num_online_cpus / + affinity->num_core_siblings / + node_affinity.num_online_nodes; + +- cpumask_copy(hw_thread_mask, &affinity->proc.mask); +- if (affinity->num_core_siblings > 0) { +- /* Removing other siblings not needed for now */ +- possible = cpumask_weight(hw_thread_mask); +- curr_cpu = cpumask_first(hw_thread_mask); +- for (i = 0; +- i < num_cores_per_socket * node_affinity.num_online_nodes; +- i++) +- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); +- +- for (; i < possible; i++) { +- cpumask_clear_cpu(curr_cpu, hw_thread_mask); +- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); +- } ++ /* Removing other siblings not needed for now */ ++ possible = cpumask_weight(hw_thread_mask); ++ curr_cpu = cpumask_first(hw_thread_mask); ++ for (i = 0; ++ i < num_cores_per_socket * node_affinity.num_online_nodes; ++ i++) ++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); + +- /* Identifying correct HW threads within physical cores */ +- cpumask_shift_left(hw_thread_mask, hw_thread_mask, +- num_cores_per_socket * +- node_affinity.num_online_nodes * +- hw_thread_no); ++ for (; i < possible; i++) { ++ cpumask_clear_cpu(curr_cpu, hw_thread_mask); ++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask); + } ++ ++ /* Identifying correct HW threads within physical cores */ ++ cpumask_shift_left(hw_thread_mask, hw_thread_mask, ++ num_cores_per_socket * ++ node_affinity.num_online_nodes * ++ hw_thread_no); + } + + int hfi1_get_proc_affinity(int node) +-- +2.39.5 + diff --git a/queue-5.4/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch b/queue-5.4/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch new file mode 100644 index 0000000000..1d9ddd5731 --- /dev/null +++ b/queue-5.4/rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch @@ -0,0 +1,52 @@ +From 33e8b8a77e095b32a15d27397d7762b8ab2a9555 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 11:14:15 -0700 +Subject: rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe + +From: Meagan Lloyd + +[ Upstream commit 48458654659c9c2e149c211d86637f1592470da5 ] + +In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the +kernel time as long as rtc_read_time() succeeds. In some power loss +situations, our supercapacitor-backed DS1342 RTC comes up with either an +unpredictable future time or the default 01/01/00 from the datasheet. +The oscillator stop flag (OSF) is set in these scenarios due to the +power loss and can be used to determine the validity of the RTC data. + +Some chip types in the ds1307 driver already have OSF handling to +determine whether .read_time provides valid RTC data or returns -EINVAL. + +This change removes the clear of the OSF in .probe as the OSF needs to +be preserved to expand the OSF handling to the ds1341 chip type (note +that DS1341 and DS1342 share a datasheet). + +Signed-off-by: Meagan Lloyd +Reviewed-by: Tyler Hicks +Acked-by: Rodolfo Giometti +Link: https://lore.kernel.org/r/1749665656-30108-2-git-send-email-meaganlloyd@linux.microsoft.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1307.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c +index b371d1e48942..ff9785ff36e7 100644 +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -1686,10 +1686,8 @@ static int ds1307_probe(struct i2c_client *client, + regmap_write(ds1307->regmap, DS1337_REG_CONTROL, + regs[0]); + +- /* oscillator fault? clear flag, and warn */ ++ /* oscillator fault? warn */ + if (regs[1] & DS1337_BIT_OSF) { +- regmap_write(ds1307->regmap, DS1337_REG_STATUS, +- regs[1] & ~DS1337_BIT_OSF); + dev_warn(ds1307->dev, "SET TIME!\n"); + } + break; +-- +2.39.5 + diff --git a/queue-5.4/s390-stp-remove-udelay-from-stp_sync_clock.patch b/queue-5.4/s390-stp-remove-udelay-from-stp_sync_clock.patch new file mode 100644 index 0000000000..37b98156cf --- /dev/null +++ b/queue-5.4/s390-stp-remove-udelay-from-stp_sync_clock.patch @@ -0,0 +1,44 @@ +From f5070413b6ebe9d3f9737238293c6c93d2262681 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:50:27 +0200 +Subject: s390/stp: Remove udelay from stp_sync_clock() + +From: Sven Schnelle + +[ Upstream commit b367017cdac21781a74eff4e208d3d38e1f38d3f ] + +When an stp sync check is handled on a system with multiple +cpus each cpu gets a machine check but only the first one +actually handles the sync operation. All other CPUs spin +waiting for the first one to finish with a short udelay(). +But udelay can't be used here as the first CPU modifies tod_clock_base +before performing the sync op. During this timeframe +get_tod_clock_monotonic() might return a non-monotonic time. + +The time spent waiting should be very short and udelay is a busy loop +anyways, therefore simply remove the udelay. + +Reviewed-by: Heiko Carstens +Signed-off-by: Sven Schnelle +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/time.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c +index 11c32b228f51..0e1925104fcf 100644 +--- a/arch/s390/kernel/time.c ++++ b/arch/s390/kernel/time.c +@@ -642,7 +642,7 @@ static int stp_sync_clock(void *data) + atomic_dec(&sync->cpus); + /* Wait for in_sync to be set. */ + while (READ_ONCE(sync->in_sync) == 0) +- __udelay(1); ++ ; + } + if (sync->in_sync != 1) + /* Didn't work. Clear per-cpu in sync bit again. */ +-- +2.39.5 + diff --git a/queue-5.4/s390-time-use-monotonic-clock-in-get_cycles.patch b/queue-5.4/s390-time-use-monotonic-clock-in-get_cycles.patch new file mode 100644 index 0000000000..58da1bf5a7 --- /dev/null +++ b/queue-5.4/s390-time-use-monotonic-clock-in-get_cycles.patch @@ -0,0 +1,54 @@ +From e59ba5d36f76dfd88f75b1f3b946247681619b80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 09:42:29 +0200 +Subject: s390/time: Use monotonic clock in get_cycles() + +From: Sven Schnelle + +[ Upstream commit 09e7e29d2b49ba84bcefb3dc1657726d2de5bb24 ] + +Otherwise the code might not work correctly when the clock +is changed. + +Signed-off-by: Sven Schnelle +Reviewed-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/timex.h | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h +index 99a7e028232d..8ab537d0d6f8 100644 +--- a/arch/s390/include/asm/timex.h ++++ b/arch/s390/include/asm/timex.h +@@ -172,13 +172,6 @@ static inline unsigned long long get_tod_clock_fast(void) + return get_tod_clock(); + #endif + } +- +-static inline cycles_t get_cycles(void) +-{ +- return (cycles_t) get_tod_clock() >> 2; +-} +-#define get_cycles get_cycles +- + int get_phys_clock(unsigned long *clock); + void init_cpu_timer(void); + unsigned long long monotonic_clock(void); +@@ -202,6 +195,12 @@ static inline unsigned long long get_tod_clock_monotonic(void) + return tod; + } + ++static inline cycles_t get_cycles(void) ++{ ++ return (cycles_t)get_tod_clock_monotonic() >> 2; ++} ++#define get_cycles get_cycles ++ + /** + * tod_to_ns - convert a TOD format value to nanoseconds + * @todval: to be converted TOD format value +-- +2.39.5 + diff --git a/queue-5.4/scsi-aacraid-stop-using-pci_irq_affinity.patch b/queue-5.4/scsi-aacraid-stop-using-pci_irq_affinity.patch new file mode 100644 index 0000000000..7b8dd15cd3 --- /dev/null +++ b/queue-5.4/scsi-aacraid-stop-using-pci_irq_affinity.patch @@ -0,0 +1,69 @@ +From 57ea1365173b149e2075b2bfc23b04ddf0a61867 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jul 2025 11:15:35 +0000 +Subject: scsi: aacraid: Stop using PCI_IRQ_AFFINITY + +From: John Garry + +[ Upstream commit dafeaf2c03e71255438ffe5a341d94d180e6c88e ] + +When PCI_IRQ_AFFINITY is set for calling pci_alloc_irq_vectors(), it +means interrupts are spread around the available CPUs. It also means that +the interrupts become managed, which means that an interrupt is shutdown +when all the CPUs in the interrupt affinity mask go offline. + +Using managed interrupts in this way means that we should ensure that +completions should not occur on HW queues where the associated interrupt +is shutdown. This is typically achieved by ensuring only CPUs which are +online can generate IO completion traffic to the HW queue which they are +mapped to (so that they can also serve completion interrupts for that HW +queue). + +The problem in the driver is that a CPU can generate completions to a HW +queue whose interrupt may be shutdown, as the CPUs in the HW queue +interrupt affinity mask may be offline. This can cause IOs to never +complete and hang the system. The driver maintains its own CPU <-> HW +queue mapping for submissions, see aac_fib_vector_assign(), but this does +not reflect the CPU <-> HW queue interrupt affinity mapping. + +Commit 9dc704dcc09e ("scsi: aacraid: Reply queue mapping to CPUs based on +IRQ affinity") tried to remedy this issue may mapping CPUs properly to HW +queue interrupts. However this was later reverted in commit c5becf57dd56 +("Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ +affinity") - it seems that there were other reports of hangs. I guess +that this was due to some implementation issue in the original commit or +maybe a HW issue. + +Fix the very original hang by just not using managed interrupts by not +setting PCI_IRQ_AFFINITY. In this way, all CPUs will be in each HW queue +affinity mask, so should not create completion problems if any CPUs go +offline. + +Signed-off-by: John Garry +Link: https://lore.kernel.org/r/20250715111535.499853-1-john.g.garry@oracle.com +Closes: https://lore.kernel.org/linux-scsi/20250618192427.3845724-1-jmeneghi@redhat.com/ +Reviewed-by: John Meneghini +Tested-by: John Meneghini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aacraid/comminit.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c +index 8849eca08a49..6909affadf6f 100644 +--- a/drivers/scsi/aacraid/comminit.c ++++ b/drivers/scsi/aacraid/comminit.c +@@ -482,8 +482,7 @@ void aac_define_int_mode(struct aac_dev *dev) + pci_find_capability(dev->pdev, PCI_CAP_ID_MSIX)) { + min_msix = 2; + i = pci_alloc_irq_vectors(dev->pdev, +- min_msix, msi_count, +- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY); ++ min_msix, msi_count, PCI_IRQ_MSIX); + if (i > 0) { + dev->msi_enabled = 1; + msi_count = i; +-- +2.39.5 + diff --git a/queue-5.4/scsi-bfa-double-free-fix.patch b/queue-5.4/scsi-bfa-double-free-fix.patch new file mode 100644 index 0000000000..bc2746fc16 --- /dev/null +++ b/queue-5.4/scsi-bfa-double-free-fix.patch @@ -0,0 +1,42 @@ +From 77c7257c68b6a78ad35ba45d4531886604919406 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 19:58:24 +0800 +Subject: scsi: bfa: Double-free fix + +From: jackysliu <1972843537@qq.com> + +[ Upstream commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9 ] + +When the bfad_im_probe() function fails during initialization, the memory +pointed to by bfad->im is freed without setting bfad->im to NULL. + +Subsequently, during driver uninstallation, when the state machine enters +the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, +it attempts to free the memory pointed to by bfad->im again, thereby +triggering a double-free vulnerability. + +Set bfad->im to NULL if probing fails. + +Signed-off-by: jackysliu <1972843537@qq.com> +Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bfa/bfad_im.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c +index 22f06be2606f..6dcf1094e01b 100644 +--- a/drivers/scsi/bfa/bfad_im.c ++++ b/drivers/scsi/bfa/bfad_im.c +@@ -707,6 +707,7 @@ bfad_im_probe(struct bfad_s *bfad) + + if (bfad_thread_workq(bfad) != BFA_STATUS_OK) { + kfree(im); ++ bfad->im = NULL; + return BFA_STATUS_FAILED; + } + +-- +2.39.5 + diff --git a/queue-5.4/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch b/queue-5.4/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch new file mode 100644 index 0000000000..07a8874701 --- /dev/null +++ b/queue-5.4/scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch @@ -0,0 +1,136 @@ +From de651bbc26b68f465c96267ee100fda449534231 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jun 2025 11:46:49 +0530 +Subject: scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans + +From: Ranjan Kumar + +[ Upstream commit 37c4e72b0651e7697eb338cd1fb09feef472cc1a ] + +sas_user_scan() did not fully process wildcard channel scans +(SCAN_WILD_CARD) when a transport-specific user_scan() callback was +present. Only channel 0 would be scanned via user_scan(), while the +remaining channels were skipped, potentially missing devices. + +user_scan() invokes updated sas_user_scan() for channel 0, and if +successful, iteratively scans remaining channels (1 to +shost->max_channel) via scsi_scan_host_selected(). This ensures complete +wildcard scanning without affecting transport-specific scanning behavior. + +Signed-off-by: Ranjan Kumar +Link: https://lore.kernel.org/r/20250624061649.17990-1-ranjan.kumar@broadcom.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_scan.c | 2 +- + drivers/scsi/scsi_transport_sas.c | 60 ++++++++++++++++++++++++------- + 2 files changed, 49 insertions(+), 13 deletions(-) + +diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c +index d236322ced30..175cc535fc96 100644 +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -1686,7 +1686,7 @@ int scsi_scan_host_selected(struct Scsi_Host *shost, unsigned int channel, + + return 0; + } +- ++EXPORT_SYMBOL(scsi_scan_host_selected); + static void scsi_sysfs_add_devices(struct Scsi_Host *shost) + { + struct scsi_device *sdev; +diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c +index 182fd25c7c43..0da3f7f1d03e 100644 +--- a/drivers/scsi/scsi_transport_sas.c ++++ b/drivers/scsi/scsi_transport_sas.c +@@ -41,6 +41,8 @@ + #include + + #include "scsi_sas_internal.h" ++#include "scsi_priv.h" ++ + struct sas_host_attrs { + struct list_head rphy_list; + struct mutex lock; +@@ -1648,32 +1650,66 @@ int scsi_is_sas_rphy(const struct device *dev) + } + EXPORT_SYMBOL(scsi_is_sas_rphy); + +- +-/* +- * SCSI scan helper +- */ +- +-static int sas_user_scan(struct Scsi_Host *shost, uint channel, +- uint id, u64 lun) ++static void scan_channel_zero(struct Scsi_Host *shost, uint id, u64 lun) + { + struct sas_host_attrs *sas_host = to_sas_host_attrs(shost); + struct sas_rphy *rphy; + +- mutex_lock(&sas_host->lock); + list_for_each_entry(rphy, &sas_host->rphy_list, list) { + if (rphy->identify.device_type != SAS_END_DEVICE || + rphy->scsi_target_id == -1) + continue; + +- if ((channel == SCAN_WILD_CARD || channel == 0) && +- (id == SCAN_WILD_CARD || id == rphy->scsi_target_id)) { ++ if (id == SCAN_WILD_CARD || id == rphy->scsi_target_id) { + scsi_scan_target(&rphy->dev, 0, rphy->scsi_target_id, + lun, SCSI_SCAN_MANUAL); + } + } +- mutex_unlock(&sas_host->lock); ++} + +- return 0; ++/* ++ * SCSI scan helper ++ */ ++ ++static int sas_user_scan(struct Scsi_Host *shost, uint channel, ++ uint id, u64 lun) ++{ ++ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost); ++ int res = 0; ++ int i; ++ ++ switch (channel) { ++ case 0: ++ mutex_lock(&sas_host->lock); ++ scan_channel_zero(shost, id, lun); ++ mutex_unlock(&sas_host->lock); ++ break; ++ ++ case SCAN_WILD_CARD: ++ mutex_lock(&sas_host->lock); ++ scan_channel_zero(shost, id, lun); ++ mutex_unlock(&sas_host->lock); ++ ++ for (i = 1; i <= shost->max_channel; i++) { ++ res = scsi_scan_host_selected(shost, i, id, lun, ++ SCSI_SCAN_MANUAL); ++ if (res) ++ goto exit_scan; ++ } ++ break; ++ ++ default: ++ if (channel < shost->max_channel) { ++ res = scsi_scan_host_selected(shost, channel, id, lun, ++ SCSI_SCAN_MANUAL); ++ } else { ++ res = -EINVAL; ++ } ++ break; ++ } ++ ++exit_scan: ++ return res; + } + + +-- +2.39.5 + diff --git a/queue-5.4/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch b/queue-5.4/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch new file mode 100644 index 0000000000..0f9471a676 --- /dev/null +++ b/queue-5.4/scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch @@ -0,0 +1,63 @@ +From 9b851b0fb88abe1fbaa120a9d67637b12a61a9fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jun 2025 16:53:29 +0530 +Subject: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is + allocated + +From: Showrya M N + +[ Upstream commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 ] + +In case of an ib_fast_reg_mr allocation failure during iSER setup, the +machine hits a panic because iscsi_conn->dd_data is initialized +unconditionally, even when no memory is allocated (dd_size == 0). This +leads invalid pointer dereference during connection teardown. + +Fix by setting iscsi_conn->dd_data only if memory is actually allocated. + +Panic trace: +------------ + iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 + iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers + BUG: unable to handle page fault for address: fffffffffffffff8 + RIP: 0010:swake_up_locked.part.5+0xa/0x40 + Call Trace: + complete+0x31/0x40 + iscsi_iser_conn_stop+0x88/0xb0 [ib_iser] + iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi] + iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi] + iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi] + ? netlink_lookup+0x12f/0x1b0 + ? netlink_deliver_tap+0x2c/0x200 + netlink_unicast+0x1ab/0x280 + netlink_sendmsg+0x257/0x4f0 + ? _copy_from_user+0x29/0x60 + sock_sendmsg+0x5f/0x70 + +Signed-off-by: Showrya M N +Signed-off-by: Potnuri Bharat Teja +Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com +Reviewed-by: Chris Leech +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index f3cee64c6d12..9b94218ff04c 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -2893,7 +2893,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size, + conn = cls_conn->dd_data; + memset(conn, 0, sizeof(*conn) + dd_size); + +- conn->dd_data = cls_conn->dd_data + sizeof(*conn); ++ if (dd_size) ++ conn->dd_data = cls_conn->dd_data + sizeof(*conn); + conn->session = session; + conn->cls_conn = cls_conn; + conn->c_stage = ISCSI_CONN_INITIAL_STAGE; +-- +2.39.5 + diff --git a/queue-5.4/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch b/queue-5.4/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch new file mode 100644 index 0000000000..3fc99b2676 --- /dev/null +++ b/queue-5.4/scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch @@ -0,0 +1,44 @@ +From 5ef88699ed5a65e558b67ecb8f59bb6d5b44a2f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 12:21:28 -0700 +Subject: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport + structure + +From: Justin Tee + +[ Upstream commit 6698796282e828733cde3329c887b4ae9e5545e9 ] + +If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the +resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may +occur before sli4_hba.hdwqs are allocated. This may result in a null +pointer dereference when attempting to take the abts_io_buf_list_lock for +the first hardware queue. Fix by adding a null ptr check on +phba->sli4_hba.hdwq and early return because this situation means there +must have been an error during port initialization. + +Signed-off-by: Justin Tee +Link: https://lore.kernel.org/r/20250618192138.124116-4-justintee8345@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_scsi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index f238e0f41f07..1d58895b3943 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -469,6 +469,10 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport) + if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP)) + return; + ++ /* may be called before queues established if hba_setup fails */ ++ if (!phba->sli4_hba.hdwq) ++ return; ++ + spin_lock_irqsave(&phba->hbalock, iflag); + for (idx = 0; idx < phba->cfg_hdw_queue; idx++) { + qp = &phba->sli4_hba.hdwq[idx]; +-- +2.39.5 + diff --git a/queue-5.4/scsi-mpt3sas-correctly-handle-ata-device-errors.patch b/queue-5.4/scsi-mpt3sas-correctly-handle-ata-device-errors.patch new file mode 100644 index 0000000000..3a6cfac993 --- /dev/null +++ b/queue-5.4/scsi-mpt3sas-correctly-handle-ata-device-errors.patch @@ -0,0 +1,85 @@ +From 0557645b2c1066b150d025d5cc51ba3a3d34f086 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 14:27:47 +0900 +Subject: scsi: mpt3sas: Correctly handle ATA device errors + +From: Damien Le Moal + +[ Upstream commit 15592a11d5a5c8411ac8494ec49736b658f6fbff ] + +With the ATA error model, an NCQ command failure always triggers an abort +(termination) of all NCQ commands queued on the device. In such case, the +SAT or the host must handle the failed command according to the command +sense data and immediately retry all other NCQ commands that were aborted +due to the failed NCQ command. + +For SAS HBAs controlled by the mpt3sas driver, NCQ command aborts are not +handled by the HBA SAT and sent back to the host, with an ioc log +information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code +PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function +_scsih_io_done() always forces a retry of commands terminated with the +status MPI2_IOCSTATUS_SCSI_IOC_TERMINATED using the SCSI result +DID_SOFT_ERROR, regardless of the log_info for the command. This +correctly forces the retry of collateral NCQ abort commands, but with the +retry counter for the command being incremented. If a command to an ATA +device is subject to too many retries due to other NCQ commands failing +(e.g. read commands trying to access unreadable sectors), the collateral +NCQ abort commands may be terminated with an error as they run out of +retries. This violates the SAT specification and causes hard-to-debug +command errors. + +Solve this issue by modifying the handling of the +MPI2_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an +ATA device and if the command loginfo indicates an NCQ collateral +abort. If that is the case, force the command retry using the SCSI result +DID_IMM_RETRY to avoid incrementing the command retry count. + +Signed-off-by: Damien Le Moal +Link: https://lore.kernel.org/r/20250606052747.742998-3-dlemoal@kernel.org +Tested-by: Yafang Shao +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index 4731e464dfb9..3169b37a88b3 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -181,6 +181,14 @@ struct sense_info { + #define MPT3SAS_PORT_ENABLE_COMPLETE (0xFFFD) + #define MPT3SAS_ABRT_TASK_SET (0xFFFE) + #define MPT3SAS_REMOVE_UNRESPONDING_DEVICES (0xFFFF) ++ ++/* ++ * SAS Log info code for a NCQ collateral abort after an NCQ error: ++ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR ++ * See: drivers/message/fusion/lsi/mpi_log_sas.h ++ */ ++#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000 ++ + /** + * struct fw_event_work - firmware event struct + * @list: link list framework +@@ -5327,6 +5335,17 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply) + scmd->result = DID_TRANSPORT_DISRUPTED << 16; + goto out; + } ++ if (log_info == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) { ++ /* ++ * This is a ATA NCQ command aborted due to another NCQ ++ * command failure. We must retry this command ++ * immediately but without incrementing its retry ++ * counter. ++ */ ++ WARN_ON_ONCE(xfer_cnt != 0); ++ scmd->result = DID_IMM_RETRY << 16; ++ break; ++ } + if (log_info == 0x31110630) { + if (scmd->retries > 2) { + scmd->result = DID_NO_CONNECT << 16; +-- +2.39.5 + diff --git a/queue-5.4/securityfs-don-t-pin-dentries-twice-once-is-enough.patch b/queue-5.4/securityfs-don-t-pin-dentries-twice-once-is-enough.patch new file mode 100644 index 0000000000..37adb3e898 --- /dev/null +++ b/queue-5.4/securityfs-don-t-pin-dentries-twice-once-is-enough.patch @@ -0,0 +1,44 @@ +From cae93a99695f7ebc32d1eb8c1f1b49ef2c173823 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 May 2025 23:38:01 -0400 +Subject: securityfs: don't pin dentries twice, once is enough... + +From: Al Viro + +[ Upstream commit 27cd1bf1240d482e4f02ca4f9812e748f3106e4f ] + +incidentally, securityfs_recursive_remove() is broken without that - +it leaks dentries, since simple_recursive_removal() does not expect +anything of that sort. It could be worked around by dput() in +remove_one() callback, but it's easier to just drop that double-get +stuff. + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + security/inode.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/security/inode.c b/security/inode.c +index 6c326939750d..e6e07787eec9 100644 +--- a/security/inode.c ++++ b/security/inode.c +@@ -159,7 +159,6 @@ static struct dentry *securityfs_create_dentry(const char *name, umode_t mode, + inode->i_fop = fops; + } + d_instantiate(dentry, inode); +- dget(dentry); + inode_unlock(dir); + return dentry; + +@@ -306,7 +305,6 @@ void securityfs_remove(struct dentry *dentry) + simple_rmdir(dir, dentry); + else + simple_unlink(dir, dentry); +- dput(dentry); + } + inode_unlock(dir); + simple_release_fs(&mount, &mount_count); +-- +2.39.5 + diff --git a/queue-5.4/selftests-futex-define-sys_futex-on-32-bit-architect.patch b/queue-5.4/selftests-futex-define-sys_futex-on-32-bit-architect.patch new file mode 100644 index 0000000000..2952a508da --- /dev/null +++ b/queue-5.4/selftests-futex-define-sys_futex-on-32-bit-architect.patch @@ -0,0 +1,52 @@ +From 4beeea3c608a7deba2ea338a63ddc372bae2e898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jul 2025 18:36:30 +0800 +Subject: selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit + time_t + +From: Cynthia Huang + +[ Upstream commit 04850819c65c8242072818655d4341e70ae998b5 ] + +The kernel does not provide sys_futex() on 32-bit architectures that do not +support 32-bit time representations, such as riscv32. + +As a result, glibc cannot define SYS_futex, causing compilation failures in +tests that rely on this syscall. Define SYS_futex as SYS_futex_time64 in +such cases to ensure successful compilation and compatibility. + +Signed-off-by: Cynthia Huang +Signed-off-by: Ben Zong-You Xie +Signed-off-by: Thomas Gleixner +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/all/20250710103630.3156130-1-ben717@andestech.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/futex/include/futextest.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/testing/selftests/futex/include/futextest.h b/tools/testing/selftests/futex/include/futextest.h +index ddbcfc9b7bac..7a5fd1d5355e 100644 +--- a/tools/testing/selftests/futex/include/futextest.h ++++ b/tools/testing/selftests/futex/include/futextest.h +@@ -47,6 +47,17 @@ typedef volatile u_int32_t futex_t; + FUTEX_PRIVATE_FLAG) + #endif + ++/* ++ * SYS_futex is expected from system C library, in glibc some 32-bit ++ * architectures (e.g. RV32) are using 64-bit time_t, therefore it doesn't have ++ * SYS_futex defined but just SYS_futex_time64. Define SYS_futex as ++ * SYS_futex_time64 in this situation to ensure the compilation and the ++ * compatibility. ++ */ ++#if !defined(SYS_futex) && defined(SYS_futex_time64) ++#define SYS_futex SYS_futex_time64 ++#endif ++ + /** + * futex() - SYS_futex syscall wrapper + * @uaddr: address of first futex +-- +2.39.5 + diff --git a/queue-5.4/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch b/queue-5.4/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch new file mode 100644 index 0000000000..4a096f0f0e --- /dev/null +++ b/queue-5.4/selftests-tracing-use-mutex_unlock-for-testing-glob-.patch @@ -0,0 +1,41 @@ +From d9009badef2c14dd48cbbb288a43094f41b3b58b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jul 2025 13:26:43 +0900 +Subject: selftests: tracing: Use mutex_unlock for testing glob filter + +From: Masami Hiramatsu (Google) + +[ Upstream commit a089bb2822a49b0c5777a8936f82c1f8629231fb ] + +Since commit c5b6ababd21a ("locking/mutex: implement +mutex_trylock_nested") makes mutex_trylock() as an inlined +function if CONFIG_DEBUG_LOCK_ALLOC=y, we can not use +mutex_trylock() for testing the glob filter of ftrace. + +Use mutex_unlock instead. + +Link: https://lore.kernel.org/r/175151680309.2149615.9795104805153538717.stgit@mhiramat.tok.corp.google.com +Signed-off-by: Masami Hiramatsu (Google) +Acked-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +index f4e92afab14b..9a7b7c62cbd9 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +@@ -33,7 +33,7 @@ ftrace_filter_check 'schedule*' '^schedule.*$' + ftrace_filter_check '*pin*lock' '.*pin.*lock$' + + # filter by start*mid* +-ftrace_filter_check 'mutex*try*' '^mutex.*try.*' ++ftrace_filter_check 'mutex*unl*' '^mutex.*unl.*' + + # Advanced full-glob matching feature is recently supported. + # Skip the tests if we are sure the kernel does not support it. +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 7973eb6c30..16401c2d3a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -168,3 +168,105 @@ acpi-processor-perflib-move-problematic-pr-performance-check.patch udp-also-consider-secpath-when-evaluating-ipsec-use-.patch netfilter-ctnetlink-fix-refcount-leak-on-table-dump.patch sctp-linearize-cloned-gso-packets-in-sctp_rcv.patch +hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch +hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch +hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch +hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch +arm64-handle-kcov-__init-vs-inline-mismatches.patch +udf-verify-partition-map-count.patch +drbd-add-missing-kref_get-in-handle_write_conflicts.patch +hfs-fix-not-erasing-deleted-b-tree-node-issue.patch +securityfs-don-t-pin-dentries-twice-once-is-enough.patch +usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch +cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch +selftests-futex-define-sys_futex-on-32-bit-architect.patch +usb-xhci-avoid-showing-warnings-for-dying-controller.patch +usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch +usb-xhci-avoid-showing-errors-during-surprise-remova.patch +cpufreq-exit-governor-when-failed-to-start-old-gover.patch +arm-rockchip-fix-kernel-hang-during-smp-initializati.patch +asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch +gpio-tps65912-check-the-return-value-of-regmap_updat.patch +arm-tegra-use-i-o-memcpy-to-write-to-iram.patch +selftests-tracing-use-mutex_unlock-for-testing-glob-.patch +pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch +thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch +pm-sleep-console-fix-the-black-screen-issue.patch +acpi-processor-fix-acpi_object-initialization.patch +acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch +mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch +asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch +alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch +usb-core-usb_submit_urb-downgrade-type-check.patch +pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch +platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch +alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch +alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch +asoc-codecs-rt5640-retry-device_id-verification.patch +ktest.pl-prevent-recursion-of-default-variable-optio.patch +wifi-cfg80211-reject-htc-bit-for-management-frames.patch +s390-time-use-monotonic-clock-in-get_cycles.patch +be2net-use-correct-byte-order-and-format-string-for-.patch +et131x-add-missing-check-after-dma-map.patch +net-ag71xx-add-missing-check-after-dma-map.patch +rcu-protect-defer_qs_iw_pending-from-data-race.patch +can-ti_hecc-fix-woverflow-compiler-warning.patch +wifi-cfg80211-fix-interface-type-validation.patch +net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch +net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch +wifi-iwlwifi-mvm-fix-scan-request-validation.patch +s390-stp-remove-udelay-from-stp_sync_clock.patch +powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch +net-fec-allow-disable-coalescing.patch +wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch +wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch +wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch +netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch +wifi-iwlegacy-check-rate_idx-range-after-addition.patch +net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch +net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch +net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch +net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch +uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch +net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch +vhost-fail-early-when-__vhost_add_used-fails.patch +cifs-fix-calling-cifsfindfirst-for-root-path-without.patch +ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch +scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch +fs-orangefs-use-snprintf-instead-of-sprintf.patch +watchdog-dw_wdt-fix-default-timeout.patch +mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch +scsi-bfa-double-free-fix.patch +jfs-truncate-good-inode-pages-when-hard-link-is-0.patch +jfs-regular-file-corruption-check.patch +jfs-upper-bound-check-of-tree-index-in-dballocag.patch +mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch +rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch +scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch +scsi-mpt3sas-correctly-handle-ata-device-errors.patch +pinctrl-stm32-manage-irq-affinity-settings.patch +media-tc358743-check-i2c-succeeded-during-probe.patch +media-tc358743-return-an-appropriate-colorspace-from.patch +media-tc358743-increase-fifo-trigger-level-to-374.patch +media-usb-hdpvr-disable-zero-length-read-messages.patch +media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch +media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch +media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch +i3c-add-missing-include-to-internal-header.patch +pci-pnv_php-work-around-switches-with-broken-presenc.patch +i3c-don-t-fail-if-gethdrcap-is-unsupported.patch +kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch +kconfig-nconf-ensure-null-termination-where-strncpy-.patch +scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch +scsi-aacraid-stop-using-pci_irq_affinity.patch +ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch +kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch +kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch +kconfig-lxdialog-fix-space-to-de-select-options.patch +ipmi-fix-strcpy-source-and-destination-the-same.patch +net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch +pnfs-fix-stripe-mapping-in-block-scsi-layout.patch +pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch +pnfs-handle-rpc-size-limit-for-layoutcommits.patch +pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch +rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch diff --git a/queue-5.4/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch b/queue-5.4/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch new file mode 100644 index 0000000000..a4aae2c4b0 --- /dev/null +++ b/queue-5.4/thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch @@ -0,0 +1,53 @@ +From 057646b1a95a869c83ed8b4875086220f989acbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jun 2025 10:41:43 +0000 +Subject: thermal: sysfs: Return ENODATA instead of EAGAIN for reads + +From: Hsin-Te Yuan + +[ Upstream commit 1a4aabc27e95674837f2e25f4ef340c0469e6203 ] + +According to POSIX spec, EAGAIN returned by read with O_NONBLOCK set +means the read would block. Hence, the common implementation in +nonblocking model will poll the file when the nonblocking read returns +EAGAIN. However, when the target file is thermal zone, this mechanism +will totally malfunction because thermal zone doesn't implement sysfs +notification and thus the poll will never return. + +For example, the read in Golang implemnts such method and sometimes +hangs at reading some thermal zones via sysfs. + +Change to return -ENODATA instead of -EAGAIN to userspace. + +Signed-off-by: Hsin-Te Yuan +Link: https://patch.msgid.link/20250620-temp-v3-1-6becc6aeb66c@chromium.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_sysfs.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c +index 17b2361bc8f2..fc768b61f483 100644 +--- a/drivers/thermal/thermal_sysfs.c ++++ b/drivers/thermal/thermal_sysfs.c +@@ -39,10 +39,13 @@ temp_show(struct device *dev, struct device_attribute *attr, char *buf) + + ret = thermal_zone_get_temp(tz, &temperature); + +- if (ret) +- return ret; ++ if (!ret) ++ return sprintf(buf, "%d\n", temperature); + +- return sprintf(buf, "%d\n", temperature); ++ if (ret == -EAGAIN) ++ return -ENODATA; ++ ++ return ret; + } + + static ssize_t +-- +2.39.5 + diff --git a/queue-5.4/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch b/queue-5.4/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch new file mode 100644 index 0000000000..c4fe6c00ca --- /dev/null +++ b/queue-5.4/uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch @@ -0,0 +1,102 @@ +From 80321f9826b8ec742c74c4254ad052de367f9f1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jun 2025 07:39:33 -0700 +Subject: uapi: in6: restore visibility of most IPv6 socket options +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Kicinski + +[ Upstream commit 31557b3487b349464daf42bc4366153743c1e727 ] + +A decade ago commit 6d08acd2d32e ("in6: fix conflict with glibc") +hid the definitions of IPV6 options, because GCC was complaining +about duplicates. The commit did not list the warnings seen, but +trying to recreate them now I think they are (building iproute2): + +In file included from ./include/uapi/rdma/rdma_user_cm.h:39, + from rdma.h:16, + from res.h:9, + from res-ctx.c:7: +../include/uapi/linux/in6.h:171:9: warning: ‘IPV6_ADD_MEMBERSHIP’ redefined + 171 | #define IPV6_ADD_MEMBERSHIP 20 + | ^~~~~~~~~~~~~~~~~~~ +In file included from /usr/include/netinet/in.h:37, + from rdma.h:13: +/usr/include/bits/in.h:233:10: note: this is the location of the previous definition + 233 | # define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP + | ^~~~~~~~~~~~~~~~~~~ +../include/uapi/linux/in6.h:172:9: warning: ‘IPV6_DROP_MEMBERSHIP’ redefined + 172 | #define IPV6_DROP_MEMBERSHIP 21 + | ^~~~~~~~~~~~~~~~~~~~ +/usr/include/bits/in.h:234:10: note: this is the location of the previous definition + 234 | # define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP + | ^~~~~~~~~~~~~~~~~~~~ + +Compilers don't complain about redefinition if the defines +are identical, but here we have the kernel using the literal +value, and glibc using an indirection (defining to a name +of another define, with the same numerical value). + +Problem is, the commit in question hid all the IPV6 socket +options, and glibc has a pretty sparse list. For instance +it lacks Flow Label related options. Willem called this out +in commit 3fb321fde22d ("selftests/net: ipv6 flowlabel"): + + /* uapi/glibc weirdness may leave this undefined */ + #ifndef IPV6_FLOWINFO + #define IPV6_FLOWINFO 11 + #endif + +More interestingly some applications (socat) use +a #ifdef IPV6_FLOWINFO to gate compilation of thier +rudimentary flow label support. (For added confusion +socat misspells it as IPV4_FLOWINFO in some places.) + +Hide only the two defines we know glibc has a problem +with. If we discover more warnings we can hide more +but we should avoid covering the entire block of +defines for "IPV6 socket options". + +Link: https://patch.msgid.link/20250609143933.1654417-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/uapi/linux/in6.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h +index 9f2273a08356..acd32dc630c3 100644 +--- a/include/uapi/linux/in6.h ++++ b/include/uapi/linux/in6.h +@@ -151,7 +151,6 @@ struct in6_flowlabel_req { + /* + * IPV6 socket options + */ +-#if __UAPI_DEF_IPV6_OPTIONS + #define IPV6_ADDRFORM 1 + #define IPV6_2292PKTINFO 2 + #define IPV6_2292HOPOPTS 3 +@@ -168,8 +167,10 @@ struct in6_flowlabel_req { + #define IPV6_MULTICAST_IF 17 + #define IPV6_MULTICAST_HOPS 18 + #define IPV6_MULTICAST_LOOP 19 ++#if __UAPI_DEF_IPV6_OPTIONS + #define IPV6_ADD_MEMBERSHIP 20 + #define IPV6_DROP_MEMBERSHIP 21 ++#endif + #define IPV6_ROUTER_ALERT 22 + #define IPV6_MTU_DISCOVER 23 + #define IPV6_MTU 24 +@@ -201,7 +202,6 @@ struct in6_flowlabel_req { + #define IPV6_IPSEC_POLICY 34 + #define IPV6_XFRM_POLICY 35 + #define IPV6_HDRINCL 36 +-#endif + + /* + * Multicast: +-- +2.39.5 + diff --git a/queue-5.4/udf-verify-partition-map-count.patch b/queue-5.4/udf-verify-partition-map-count.patch new file mode 100644 index 0000000000..f42d036264 --- /dev/null +++ b/queue-5.4/udf-verify-partition-map-count.patch @@ -0,0 +1,54 @@ +From aa95ab4049c00ed26aed903e60d9415c875e0527 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jul 2025 19:01:20 +0200 +Subject: udf: Verify partition map count + +From: Jan Kara + +[ Upstream commit 1a11201668e8635602577dcf06f2e96c591d8819 ] + +Verify that number of partition maps isn't insanely high which can lead +to large allocation in udf_sb_alloc_partition_maps(). All partition maps +have to fit in the LVD which is in a single block. + +Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 9f2de5e7c6e1..361bc8acfb0f 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1417,7 +1417,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, + struct genericPartitionMap *gpm; + uint16_t ident; + struct buffer_head *bh; +- unsigned int table_len; ++ unsigned int table_len, part_map_count; + int ret; + + bh = udf_read_tagged(sb, block, block, &ident); +@@ -1438,7 +1438,16 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, + "logical volume"); + if (ret) + goto out_bh; +- ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); ++ ++ part_map_count = le32_to_cpu(lvd->numPartitionMaps); ++ if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too many partition maps (%u > %u)\n", part_map_count, ++ table_len / (unsigned)sizeof(struct genericPartitionMap1)); ++ ret = -EIO; ++ goto out_bh; ++ } ++ ret = udf_sb_alloc_partition_maps(sb, part_map_count); + if (ret) + goto out_bh; + +-- +2.39.5 + diff --git a/queue-5.4/usb-core-usb_submit_urb-downgrade-type-check.patch b/queue-5.4/usb-core-usb_submit_urb-downgrade-type-check.patch new file mode 100644 index 0000000000..1a4172de9b --- /dev/null +++ b/queue-5.4/usb-core-usb_submit_urb-downgrade-type-check.patch @@ -0,0 +1,40 @@ +From 513e80400a5d4d0fd852e95feadfc7f125251a8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 14:20:25 +0200 +Subject: usb: core: usb_submit_urb: downgrade type check + +From: Oliver Neukum + +[ Upstream commit 503bbde34cc3dd2acd231f277ba70c3f9ed22e59 ] + +Checking for the endpoint type is no reason for a WARN, as that can +cause a reboot. A driver not checking the endpoint type must not cause a +reboot, as there is just no point in this. We cannot prevent a device +from doing something incorrect as a reaction to a transfer. Hence +warning for a mere assumption being wrong is not sensible. + +Signed-off-by: Oliver Neukum +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20250612122149.2559724-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/urb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index 850d0fffe1c6..e60f4ef06e3d 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -490,7 +490,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags) + + /* Check that the pipe's type matches the endpoint's type */ + if (usb_pipe_type_check(urb->dev, urb->pipe)) +- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", ++ dev_warn_once(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n", + usb_pipetype(urb->pipe), pipetypes[xfertype]); + + /* Check against a simple/standard policy */ +-- +2.39.5 + diff --git a/queue-5.4/usb-xhci-avoid-showing-errors-during-surprise-remova.patch b/queue-5.4/usb-xhci-avoid-showing-errors-during-surprise-remova.patch new file mode 100644 index 0000000000..ff17e41140 --- /dev/null +++ b/queue-5.4/usb-xhci-avoid-showing-errors-during-surprise-remova.patch @@ -0,0 +1,60 @@ +From e0544aaff6b8be6486d94333df174ad5084396db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:05 +0300 +Subject: usb: xhci: Avoid showing errors during surprise removal + +From: Mario Limonciello + +[ Upstream commit 4b9c60e440525b729ac5f071e00bcee12e0a7e84 ] + +When a USB4 dock is unplugged from a system it won't respond to ring +events. The PCI core handles the surprise removal event and notifies +all PCI drivers. The XHCI PCI driver sets a flag that the device is +being removed as well. + +When that flag is set don't show messages in the cleanup path for +marking the controller dead. + +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Acked-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 71b17a00d3ed..47326fb8b1fc 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -973,12 +973,15 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci, + */ + void xhci_hc_died(struct xhci_hcd *xhci) + { ++ bool notify; + int i, j; + + if (xhci->xhc_state & XHCI_STATE_DYING) + return; + +- xhci_err(xhci, "xHCI host controller not responding, assume dead\n"); ++ notify = !(xhci->xhc_state & XHCI_STATE_REMOVING); ++ if (notify) ++ xhci_err(xhci, "xHCI host controller not responding, assume dead\n"); + xhci->xhc_state |= XHCI_STATE_DYING; + + xhci_cleanup_command_queue(xhci); +@@ -992,7 +995,7 @@ void xhci_hc_died(struct xhci_hcd *xhci) + } + + /* inform usb core hc died if PCI remove isn't already handling it */ +- if (!(xhci->xhc_state & XHCI_STATE_REMOVING)) ++ if (notify) + usb_hc_died(xhci_to_hcd(xhci)); + } + +-- +2.39.5 + diff --git a/queue-5.4/usb-xhci-avoid-showing-warnings-for-dying-controller.patch b/queue-5.4/usb-xhci-avoid-showing-warnings-for-dying-controller.patch new file mode 100644 index 0000000000..2310b03817 --- /dev/null +++ b/queue-5.4/usb-xhci-avoid-showing-warnings-for-dying-controller.patch @@ -0,0 +1,55 @@ +From 543c126281f908bf73349cb231da29dec134ac64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:06 +0300 +Subject: usb: xhci: Avoid showing warnings for dying controller + +From: Mario Limonciello + +[ Upstream commit 65fc0fc137b5da3ee1f4ca4f61050fcb203d7582 ] + +When a USB4 dock is unplugged from a system it won't respond to ring +events. The PCI core handles the surprise removal event and notifies +all PCI drivers. The XHCI PCI driver sets a flag that the device is +being removed, and when the device stops responding a flag is also +added to indicate it's dying. + +When that flag is set don't bother to show warnings about a missing +controller. + +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Acked-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-3-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 3383d7f0c88f..dcda4d7c2b75 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -118,7 +118,8 @@ int xhci_halt(struct xhci_hcd *xhci) + ret = xhci_handshake(&xhci->op_regs->status, + STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC); + if (ret) { +- xhci_warn(xhci, "Host halt failed, %d\n", ret); ++ if (!(xhci->xhc_state & XHCI_STATE_DYING)) ++ xhci_warn(xhci, "Host halt failed, %d\n", ret); + return ret; + } + xhci->xhc_state |= XHCI_STATE_HALTED; +@@ -175,7 +176,8 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us) + state = readl(&xhci->op_regs->status); + + if (state == ~(u32)0) { +- xhci_warn(xhci, "Host not accessible, reset failed.\n"); ++ if (!(xhci->xhc_state & XHCI_STATE_DYING)) ++ xhci_warn(xhci, "Host not accessible, reset failed.\n"); + return -ENODEV; + } + +-- +2.39.5 + diff --git a/queue-5.4/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch b/queue-5.4/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch new file mode 100644 index 0000000000..648c650b19 --- /dev/null +++ b/queue-5.4/usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch @@ -0,0 +1,42 @@ +From aa534c3329fdb8b688a0801eaa5387da3863b938 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jul 2025 14:01:18 +0800 +Subject: usb: xhci: print xhci->xhc_state when queue_command failed + +From: Su Hui + +[ Upstream commit 7919407eca2ef562fa6c98c41cfdf6f6cdd69d92 ] + +When encounters some errors like these: +xhci_hcd 0000:4a:00.2: xHCI dying or halted, can't queue_command +xhci_hcd 0000:4a:00.2: FIXME: allocate a command ring segment +usb usb5-port6: couldn't allocate usb_device + +It's hard to know whether xhc_state is dying or halted. So it's better +to print xhc_state's value which can help locate the resaon of the bug. + +Signed-off-by: Su Hui +Link: https://lore.kernel.org/r/20250725060117.1773770-1-suhui@nfschina.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c +index 08b016864fc0..71b17a00d3ed 100644 +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -4076,7 +4076,8 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd, + + if ((xhci->xhc_state & XHCI_STATE_DYING) || + (xhci->xhc_state & XHCI_STATE_HALTED)) { +- xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n"); ++ xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n", ++ xhci->xhc_state); + return -ESHUTDOWN; + } + +-- +2.39.5 + diff --git a/queue-5.4/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch b/queue-5.4/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch new file mode 100644 index 0000000000..009b0e5926 --- /dev/null +++ b/queue-5.4/usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch @@ -0,0 +1,61 @@ +From 2aa2a9ebef8020ce0f14e6680b8dd7c568b7e992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 10:31:07 +0300 +Subject: usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command + +From: Jay Chen + +[ Upstream commit f72b9aa821a2bfe4b6dfec4be19f264d0673b008 ] + +There is a subtle contradiction between sections of the xHCI 1.2 spec +regarding the initialization of Input Endpoint Context fields. Section +4.8.2 ("Endpoint Context Initialization") states that all fields should +be initialized to 0. However, Section 6.2.3 ("Endpoint Context", p.453) +specifies that the Average TRB Length (avg_trb_len) field shall be +greater than 0, and explicitly notes (p.454): "Software shall set +Average TRB Length to '8' for control endpoints." + +Strictly setting all fields to 0 during initialization conflicts with +the specific recommendation for control endpoints. In practice, setting +avg_trb_len = 0 is not meaningful for the hardware/firmware, as the +value is used for bandwidth calculation. + +Motivation: Our company is developing a custom Virtual xHC hardware +platform that strictly follows the xHCI spec and its recommendations. +During validation, we observed that enumeration fails and a parameter +error (TRB Completion Code = 5) is reported if avg_trb_len for EP0 is +not set to 8 as recommended by Section 6.2.3. This demonstrates the +importance of assigning a meaningful, non-zero value to avg_trb_len, +even in virtualized or emulated environments. + +This patch explicitly sets avg_trb_len to 8 for EP0 in +xhci_setup_addressable_virt_dev(), as recommended in Section 6.2.3, to +prevent potential issues with xHCI host controllers that enforce the +spec strictly. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220033 +Signed-off-by: Jay Chen +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20250717073107.488599-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 610190bf62da..6dddd5414fe9 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1214,6 +1214,8 @@ int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *ud + ep0_ctx->deq = cpu_to_le64(dev->eps[0].ring->first_seg->dma | + dev->eps[0].ring->cycle_state); + ++ ep0_ctx->tx_info = cpu_to_le32(EP_AVG_TRB_LENGTH(8)); ++ + trace_xhci_setup_addressable_virt_device(dev); + + /* Steps 7 and 8 were done in xhci_alloc_virt_device() */ +-- +2.39.5 + diff --git a/queue-5.4/vhost-fail-early-when-__vhost_add_used-fails.patch b/queue-5.4/vhost-fail-early-when-__vhost_add_used-fails.patch new file mode 100644 index 0000000000..5a23c501b3 --- /dev/null +++ b/queue-5.4/vhost-fail-early-when-__vhost_add_used-fails.patch @@ -0,0 +1,43 @@ +From ede808a6a8979248e0c47bea303e8bdbc26efdb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jul 2025 16:47:53 +0800 +Subject: vhost: fail early when __vhost_add_used() fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Wang + +[ Upstream commit b4ba1207d45adaafa2982c035898b36af2d3e518 ] + +This patch fails vhost_add_used_n() early when __vhost_add_used() +fails to make sure used idx is not updated with stale used ring +information. + +Reported-by: Eugenio Pérez +Signed-off-by: Jason Wang +Message-Id: <20250714084755.11921-2-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Tested-by: Lei Yang +Signed-off-by: Sasha Levin +--- + drivers/vhost/vhost.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 484818796978..8402255760b3 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -2422,6 +2422,9 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads, + } + r = __vhost_add_used_n(vq, heads, count); + ++ if (r < 0) ++ return r; ++ + /* Make sure buffer is written before we update index. */ + smp_wmb(); + if (vhost_put_used_idx(vq)) { +-- +2.39.5 + diff --git a/queue-5.4/watchdog-dw_wdt-fix-default-timeout.patch b/queue-5.4/watchdog-dw_wdt-fix-default-timeout.patch new file mode 100644 index 0000000000..3724161333 --- /dev/null +++ b/queue-5.4/watchdog-dw_wdt-fix-default-timeout.patch @@ -0,0 +1,43 @@ +From 7818464a5284f17f878a78671a5ea40a522a2ee8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jul 2025 18:55:02 +0200 +Subject: watchdog: dw_wdt: Fix default timeout + +From: Sebastian Reichel + +[ Upstream commit ac3dbb91e0167d017f44701dd51c1efe30d0c256 ] + +The Synopsys Watchdog driver sets the default timeout to 30 seconds, +but on some devices this is not a valid timeout. E.g. on RK3588 the +actual timeout being used is 44 seconds instead. + +Once the watchdog is started the value is updated accordingly, but +it would be better to expose a sensible timeout to userspace without +the need to first start the watchdog. + +Signed-off-by: Sebastian Reichel +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250717-dw-wdt-fix-initial-timeout-v1-1-86dc864d48dd@kernel.org +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/dw_wdt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/watchdog/dw_wdt.c b/drivers/watchdog/dw_wdt.c +index fef7c61f5555..72dc5f4f6eb8 100644 +--- a/drivers/watchdog/dw_wdt.c ++++ b/drivers/watchdog/dw_wdt.c +@@ -289,6 +289,8 @@ static int dw_wdt_drv_probe(struct platform_device *pdev) + } else { + wdd->timeout = DW_WDT_DEFAULT_SECONDS; + watchdog_init_timeout(wdd, 0, dev); ++ /* Limit timeout value to hardware constraints. */ ++ dw_wdt_set_timeout(wdd, wdd->timeout); + } + + platform_set_drvdata(pdev, dw_wdt); +-- +2.39.5 + diff --git a/queue-5.4/wifi-cfg80211-fix-interface-type-validation.patch b/queue-5.4/wifi-cfg80211-fix-interface-type-validation.patch new file mode 100644 index 0000000000..bd05754e23 --- /dev/null +++ b/queue-5.4/wifi-cfg80211-fix-interface-type-validation.patch @@ -0,0 +1,36 @@ +From c9680dade9df1df9addedd35b33c423360ed7d96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 23:37:55 +0300 +Subject: wifi: cfg80211: Fix interface type validation + +From: Ilan Peer + +[ Upstream commit 14450be2332a49445106403492a367412b8c23f4 ] + +Fix a condition that verified valid values of interface types. + +Signed-off-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250709233537.7ad199ca5939.I0ac1ff74798bf59a87a57f2e18f2153c308b119b@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + include/net/cfg80211.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h +index 2dfa3331604e..3a550544dd9f 100644 +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -433,7 +433,7 @@ ieee80211_get_sband_iftype_data(const struct ieee80211_supported_band *sband, + { + int i; + +- if (WARN_ON(iftype >= NL80211_IFTYPE_MAX)) ++ if (WARN_ON(iftype >= NUM_NL80211_IFTYPES)) + return NULL; + + if (iftype == NL80211_IFTYPE_AP_VLAN) +-- +2.39.5 + diff --git a/queue-5.4/wifi-cfg80211-reject-htc-bit-for-management-frames.patch b/queue-5.4/wifi-cfg80211-reject-htc-bit-for-management-frames.patch new file mode 100644 index 0000000000..416d59e01b --- /dev/null +++ b/queue-5.4/wifi-cfg80211-reject-htc-bit-for-management-frames.patch @@ -0,0 +1,38 @@ +From cecbcf126038242387410f748edaef7b173376b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jul 2025 20:23:06 +0200 +Subject: wifi: cfg80211: reject HTC bit for management frames + +From: Johannes Berg + +[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ] + +Management frames sent by userspace should never have the +order/HTC bit set, reject that. It could also cause some +confusion with the length of the buffer and the header so +the validation might end up wrong. + +Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/mlme.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c +index f9462010575f..ea75459ac272 100644 +--- a/net/wireless/mlme.c ++++ b/net/wireless/mlme.c +@@ -598,7 +598,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev, + + mgmt = (const struct ieee80211_mgmt *)params->buf; + +- if (!ieee80211_is_mgmt(mgmt->frame_control)) ++ if (!ieee80211_is_mgmt(mgmt->frame_control) || ++ ieee80211_has_order(mgmt->frame_control)) + return -EINVAL; + + stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; +-- +2.39.5 + diff --git a/queue-5.4/wifi-iwlegacy-check-rate_idx-range-after-addition.patch b/queue-5.4/wifi-iwlegacy-check-rate_idx-range-after-addition.patch new file mode 100644 index 0000000000..0f10ef0ef4 --- /dev/null +++ b/queue-5.4/wifi-iwlegacy-check-rate_idx-range-after-addition.patch @@ -0,0 +1,43 @@ +From e0de43a4c09e2174b9dd5a3d25231c57a5717099 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 May 2025 16:45:24 +0200 +Subject: wifi: iwlegacy: Check rate_idx range after addition + +From: Stanislaw Gruszka + +[ Upstream commit 0de19d5ae0b2c5b18b88c5c7f0442f707a207409 ] + +Limit rate_idx to IL_LAST_OFDM_RATE for 5GHz band for thinkable case +the index is incorrect. + +Reported-by: Fedor Pchelkin +Reported-by: Alexei Safin +Signed-off-by: Stanislaw Gruszka +Reviewed-by: Fedor Pchelkin +Link: https://patch.msgid.link/20250525144524.GA172583@wp.pl +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +index 20c933602f0a..31f1c57450d4 100644 +--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +@@ -1573,8 +1573,11 @@ il4965_tx_cmd_build_rate(struct il_priv *il, + || rate_idx > RATE_COUNT_LEGACY) + rate_idx = rate_lowest_index(&il->bands[info->band], sta); + /* For 5 GHZ band, remap mac80211 rate indices into driver indices */ +- if (info->band == NL80211_BAND_5GHZ) ++ if (info->band == NL80211_BAND_5GHZ) { + rate_idx += IL_FIRST_OFDM_RATE; ++ if (rate_idx > IL_LAST_OFDM_RATE) ++ rate_idx = IL_LAST_OFDM_RATE; ++ } + /* Get PLCP rate for tx_cmd->rate_n_flags */ + rate_plcp = il_rates[rate_idx].plcp; + /* Zero out flags for this packet */ +-- +2.39.5 + diff --git a/queue-5.4/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch b/queue-5.4/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch new file mode 100644 index 0000000000..59c82593aa --- /dev/null +++ b/queue-5.4/wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch @@ -0,0 +1,44 @@ +From 22e2b15fa8b65af8f8c2b7f357f788c152439342 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 13:17:55 +0300 +Subject: wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() + +From: Rand Deeb + +[ Upstream commit e3ad987e9dc7d1e12e3f2f1e623f0e174cd0ca78 ] + +The 'index' variable in the rs_fill_link_cmd() function can reach +LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This +variable is used as an index for the lq_cmd->rs_table array, which has a +size of LINK_QUAL_MAX_RETRY_NUM, without proper validation. + +Modify the condition of the inner loop to ensure that the 'index' variable +does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any +potential overflow issues. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Rand Deeb +Link: https://patch.msgid.link/20240313101755.269209-1-rand.sec96@gmail.com +Signed-off-by: Miri Korenblit +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +index e68a13c33c45..19defdb43126 100644 +--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c +@@ -2935,7 +2935,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv, + /* Repeat initial/next rate. + * For legacy IWL_NUMBER_TRY == 1, this loop will not execute. + * For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */ +- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) { ++ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) { + if (is_legacy(tbl_type.lq_type)) { + if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) + ant_toggle_cnt++; +-- +2.39.5 + diff --git a/queue-5.4/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch b/queue-5.4/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch new file mode 100644 index 0000000000..1e9cfccfe8 --- /dev/null +++ b/queue-5.4/wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch @@ -0,0 +1,47 @@ +From 84513cd23ce6843615a1f85e139368da4fa8d76e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jun 2025 22:26:23 +0300 +Subject: wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect + +From: Pagadala Yesu Anjaneyulu + +[ Upstream commit cc8d9cbf269dab363c768bfa9312265bc807fca5 ] + +Ensure descriptor is freed on error to avoid memory leak. + +Signed-off-by: Pagadala Yesu Anjaneyulu +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250611222325.8158d15ec866.Ifa3e422c302397111f20a16da7509e6574bc19e3@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index 286b5ca3b167..14f96bd41377 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -2130,6 +2130,7 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt, + struct iwl_fw_dump_desc *desc; + unsigned int delay = 0; + bool monitor_only = false; ++ int ret; + + if (trigger) { + u16 occurrences = le16_to_cpu(trigger->occurrences) - 1; +@@ -2160,7 +2161,11 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt, + desc->trig_desc.type = cpu_to_le32(trig); + memcpy(desc->trig_desc.data, str, len); + +- return iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay); ++ ret = iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay); ++ if (ret) ++ kfree(desc); ++ ++ return ret; + } + IWL_EXPORT_SYMBOL(iwl_fw_dbg_collect); + +-- +2.39.5 + diff --git a/queue-5.4/wifi-iwlwifi-mvm-fix-scan-request-validation.patch b/queue-5.4/wifi-iwlwifi-mvm-fix-scan-request-validation.patch new file mode 100644 index 0000000000..3346033942 --- /dev/null +++ b/queue-5.4/wifi-iwlwifi-mvm-fix-scan-request-validation.patch @@ -0,0 +1,37 @@ +From 15d46022526e77b123e41aaee52dd1c278871ea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Jul 2025 23:05:43 +0300 +Subject: wifi: iwlwifi: mvm: fix scan request validation + +From: Avraham Stern + +[ Upstream commit 7c2f3ec7707188d8d5269ae2dce97d7be3e9f261 ] + +The scan request validation function uses bitwise and instead +of logical and. Fix it. + +Signed-off-by: Avraham Stern +Reviewed-by: Ilan Peer +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250709230308.3fbc1f27871b.I7a8ee91f463c1a2d9d8561c8232e196885d02c43@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +index 55292e9b15c1..b860aad4c155 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c +@@ -874,7 +874,7 @@ static inline bool iwl_mvm_scan_fits(struct iwl_mvm *mvm, int n_ssids, + int n_channels) + { + return ((n_ssids <= PROBE_OPTION_MAX) && +- (n_channels <= mvm->fw->ucode_capa.n_scan_channels) & ++ (n_channels <= mvm->fw->ucode_capa.n_scan_channels) && + (ies->common_ie_len + + ies->len[NL80211_BAND_2GHZ] + + ies->len[NL80211_BAND_5GHZ] <= +-- +2.39.5 + diff --git a/queue-5.4/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch b/queue-5.4/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch new file mode 100644 index 0000000000..dc64ee6615 --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch @@ -0,0 +1,58 @@ +From e7b3e5227c87863186b626cf58fdf6e8918948db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 12:56:30 +0200 +Subject: wifi: rtlwifi: fix possible skb memory leak in + `_rtl_pci_rx_interrupt()`. + +From: Thomas Fourier + +[ Upstream commit 44c0e191004f0e3aa1bdee3be248be14dbe5b020 ] + +The function `_rtl_pci_init_one_rxdesc()` can fail even when the new +`skb` is passed because of a DMA mapping error. If it fails, the `skb` +is not saved in the rx ringbuffer and thus lost. + +Compile tested only + +Signed-off-by: Thomas Fourier +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250616105631.444309-4-fourier.thomas@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c +index 9339c6d2b258..daf6d0eeb3e3 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -804,13 +804,19 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) + skb = new_skb; + no_new: + if (rtlpriv->use_new_trx_flow) { +- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc, +- rxring_idx, +- rtlpci->rx_ring[rxring_idx].idx); ++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc, ++ rxring_idx, ++ rtlpci->rx_ring[rxring_idx].idx)) { ++ if (new_skb) ++ dev_kfree_skb_any(skb); ++ } + } else { +- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc, +- rxring_idx, +- rtlpci->rx_ring[rxring_idx].idx); ++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc, ++ rxring_idx, ++ rtlpci->rx_ring[rxring_idx].idx)) { ++ if (new_skb) ++ dev_kfree_skb_any(skb); ++ } + if (rtlpci->rx_ring[rxring_idx].idx == + rtlpci->rxringcount - 1) + rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc, +-- +2.39.5 + -- 2.47.3