From: Sasha Levin Date: Mon, 7 Jul 2025 04:22:45 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v5.15.187~50 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=827f8e4bf4b7e401d571d88688fc7fca29b9cb0a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch b/queue-5.4/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch new file mode 100644 index 0000000000..72478259b0 --- /dev/null +++ b/queue-5.4/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch @@ -0,0 +1,51 @@ +From 68f98fdc6283631de858e2fc75020eccc4c95327 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 14:17:45 +0200 +Subject: ACPICA: Refuse to evaluate a method if arguments are missing + +From: Rafael J. Wysocki + +[ Upstream commit 6fcab2791543924d438e7fa49276d0998b0a069f ] + +As reported in [1], a platform firmware update that increased the number +of method parameters and forgot to update a least one of its callers, +caused ACPICA to crash due to use-after-free. + +Since this a result of a clear AML issue that arguably cannot be fixed +up by the interpreter (it cannot produce missing data out of thin air), +address it by making ACPICA refuse to evaluate a method if the caller +attempts to pass fewer arguments than expected to it. + +Closes: https://github.com/acpica/acpica/issues/1027 [1] +Reported-by: Peter Williams +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Tested-by: Hans de Goede # Dell XPS 9640 with BIOS 1.12.0 +Link: https://patch.msgid.link/5909446.DvuYhMxLoT@rjwysocki.net +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsmethod.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c +index 603483f8332b0..203e9ee47fdb8 100644 +--- a/drivers/acpi/acpica/dsmethod.c ++++ b/drivers/acpi/acpica/dsmethod.c +@@ -483,6 +483,13 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, + return_ACPI_STATUS(AE_NULL_OBJECT); + } + ++ if (this_walk_state->num_operands < obj_desc->method.param_count) { ++ ACPI_ERROR((AE_INFO, "Missing argument for method [%4.4s]", ++ acpi_ut_get_node_name(method_node))); ++ ++ return_ACPI_STATUS(AE_AML_UNINITIALIZED_ARG); ++ } ++ + /* Init for new method, possibly wait on method mutex */ + + status = +-- +2.39.5 + diff --git a/queue-5.4/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch b/queue-5.4/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch new file mode 100644 index 0000000000..5e6ee2a1f0 --- /dev/null +++ b/queue-5.4/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch @@ -0,0 +1,41 @@ +From cc58d31eb400e548884130d704a45c4bb2eba46c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 08:43:20 +0200 +Subject: ALSA: sb: Force to disable DMAs once when DMA mode is changed + +From: Takashi Iwai + +[ Upstream commit 4c267ae2ef349639b4d9ebf00dd28586a82fdbe6 ] + +When the DMA mode is changed on the (still real!) SB AWE32 after +playing a stream and closing, the previous DMA setup was still +silently kept, and it can confuse the hardware, resulting in the +unexpected noises. As a workaround, enforce the disablement of DMA +setups when the DMA setup is changed by the kcontrol. + +https://bugzilla.kernel.org/show_bug.cgi?id=218185 +Link: https://patch.msgid.link/20250610064322.26787-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/isa/sb/sb16_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c +index 679f9f48370ff..b69bc83c103c3 100644 +--- a/sound/isa/sb/sb16_main.c ++++ b/sound/isa/sb/sb16_main.c +@@ -722,6 +722,10 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct + change = nval != oval; + snd_sb16_set_dma_mode(chip, nval); + spin_unlock_irqrestore(&chip->reg_lock, flags); ++ if (change) { ++ snd_dma_disable(chip->dma8); ++ snd_dma_disable(chip->dma16); ++ } + return change; + } + +-- +2.39.5 + diff --git a/queue-5.4/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch b/queue-5.4/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch new file mode 100644 index 0000000000..375737c9fd --- /dev/null +++ b/queue-5.4/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch @@ -0,0 +1,89 @@ +From ca18097fb8ac92ace50eb606a564313fbc9e0ae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jul 2025 00:56:36 +0530 +Subject: amd-xgbe: align CL37 AN sequence as per databook + +From: Raju Rangoju + +[ Upstream commit 42fd432fe6d320323215ebdf4de4d0d7e56e6792 ] + +Update the Clause 37 Auto-Negotiation implementation to properly align +with the PCS hardware specifications: +- Fix incorrect bit settings in Link Status and Link Duplex fields +- Implement missing sequence steps 2 and 7 + +These changes ensure CL37 auto-negotiation protocol follows the exact +sequence patterns as specified in the hardware databook. + +Fixes: 1bf40ada6290 ("amd-xgbe: Add support for clause 37 auto-negotiation") +Signed-off-by: Raju Rangoju +Link: https://patch.msgid.link/20250630192636.3838291-1-Raju.Rangoju@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 ++ + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 +++++++++ + drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++-- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +index 533b8519ec352..c5dc23906a78d 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +@@ -1355,6 +1355,8 @@ + #define MDIO_VEND2_CTRL1_SS13 BIT(13) + #endif + ++#define XGBE_VEND2_MAC_AUTO_SW BIT(9) ++ + /* MDIO mask values */ + #define XGBE_AN_CL73_INT_CMPLT BIT(0) + #define XGBE_AN_CL73_INC_LINK BIT(1) +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 0e552022e659a..3819b23c927d5 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -363,6 +363,10 @@ static void xgbe_an37_set(struct xgbe_prv_data *pdata, bool enable, + reg |= MDIO_VEND2_CTRL1_AN_RESTART; + + XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_CTRL1, reg); ++ ++ reg = XMDIO_READ(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL); ++ reg |= XGBE_VEND2_MAC_AUTO_SW; ++ XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL, reg); + } + + static void xgbe_an37_restart(struct xgbe_prv_data *pdata) +@@ -991,6 +995,11 @@ static void xgbe_an37_init(struct xgbe_prv_data *pdata) + + netif_dbg(pdata, link, pdata->netdev, "CL37 AN (%s) initialized\n", + (pdata->an_mode == XGBE_AN_MODE_CL37) ? "BaseX" : "SGMII"); ++ ++ reg = XMDIO_READ(pdata, MDIO_MMD_AN, MDIO_CTRL1); ++ reg &= ~MDIO_AN_CTRL1_ENABLE; ++ XMDIO_WRITE(pdata, MDIO_MMD_AN, MDIO_CTRL1, reg); ++ + } + + static void xgbe_an73_init(struct xgbe_prv_data *pdata) +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index a27979ef7b1cc..536c8495d6afc 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -292,11 +292,11 @@ + #define XGBE_LINK_TIMEOUT 5 + #define XGBE_KR_TRAINING_WAIT_ITER 50 + +-#define XGBE_SGMII_AN_LINK_STATUS BIT(1) ++#define XGBE_SGMII_AN_LINK_DUPLEX BIT(1) + #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3)) + #define XGBE_SGMII_AN_LINK_SPEED_100 0x04 + #define XGBE_SGMII_AN_LINK_SPEED_1000 0x08 +-#define XGBE_SGMII_AN_LINK_DUPLEX BIT(4) ++#define XGBE_SGMII_AN_LINK_STATUS BIT(4) + + /* ECC correctable error notification window (seconds) */ + #define XGBE_ECC_LIMIT 60 +-- +2.39.5 + diff --git a/queue-5.4/ata-pata_cs5536-fix-build-on-32-bit-uml.patch b/queue-5.4/ata-pata_cs5536-fix-build-on-32-bit-uml.patch new file mode 100644 index 0000000000..c7dff0e31b --- /dev/null +++ b/queue-5.4/ata-pata_cs5536-fix-build-on-32-bit-uml.patch @@ -0,0 +1,38 @@ +From 8635f1162aee876c1e0e04a2b7b24286d5d570e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jun 2025 11:01:11 +0200 +Subject: ata: pata_cs5536: fix build on 32-bit UML + +From: Johannes Berg + +[ Upstream commit fe5b391fc56f77cf3c22a9dd4f0ce20db0e3533f ] + +On 32-bit ARCH=um, CONFIG_X86_32 is still defined, so it +doesn't indicate building on real X86 machines. There's +no MSR on UML though, so add a check for CONFIG_X86. + +Reported-by: Arnd Bergmann +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20250606090110.15784-2-johannes@sipsolutions.net +Signed-off-by: Niklas Cassel +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_cs5536.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/pata_cs5536.c b/drivers/ata/pata_cs5536.c +index 760ac6e65216f..3737d1bf1539d 100644 +--- a/drivers/ata/pata_cs5536.c ++++ b/drivers/ata/pata_cs5536.c +@@ -27,7 +27,7 @@ + #include + #include + +-#ifdef CONFIG_X86_32 ++#if defined(CONFIG_X86) && defined(CONFIG_X86_32) + #include + static int use_msr; + module_param_named(msr, use_msr, int, 0644); +-- +2.39.5 + diff --git a/queue-5.4/btrfs-fix-missing-error-handling-when-searching-for-.patch b/queue-5.4/btrfs-fix-missing-error-handling-when-searching-for-.patch new file mode 100644 index 0000000000..017362fc5c --- /dev/null +++ b/queue-5.4/btrfs-fix-missing-error-handling-when-searching-for-.patch @@ -0,0 +1,45 @@ +From 886060c7e9afec5becc6a88b7971df9d020f2865 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 16:57:07 +0100 +Subject: btrfs: fix missing error handling when searching for inode refs + during log replay + +From: Filipe Manana + +[ Upstream commit 6561a40ceced9082f50c374a22d5966cf9fc5f5c ] + +During log replay, at __add_inode_ref(), when we are searching for inode +ref keys we totally ignore if btrfs_search_slot() returns an error. This +may make a log replay succeed when there was an actual error and leave +some metadata inconsistency in a subvolume tree. Fix this by checking if +an error was returned from btrfs_search_slot() and if so, return it to +the caller. + +Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +Reviewed-by: Johannes Thumshirn +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tree-log.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c +index f75333d7b78a5..75bf490cd7320 100644 +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -1033,7 +1033,9 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans, + search_key.type = BTRFS_INODE_REF_KEY; + search_key.offset = parent_objectid; + ret = btrfs_search_slot(NULL, root, &search_key, path, 0, 0); +- if (ret == 0) { ++ if (ret < 0) { ++ return ret; ++ } else if (ret == 0) { + struct btrfs_inode_ref *victim_ref; + unsigned long ptr; + unsigned long ptr_end; +-- +2.39.5 + diff --git a/queue-5.4/drm-exynos-fimd-guard-display-clock-control-with-run.patch b/queue-5.4/drm-exynos-fimd-guard-display-clock-control-with-run.patch new file mode 100644 index 0000000000..8b1aaeba9d --- /dev/null +++ b/queue-5.4/drm-exynos-fimd-guard-display-clock-control-with-run.patch @@ -0,0 +1,67 @@ +From e6136caa5f32f1231982df09bf8aabaff72aea11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 14:06:26 +0200 +Subject: drm/exynos: fimd: Guard display clock control with runtime PM calls + +From: Marek Szyprowski + +[ Upstream commit 5d91394f236167ac624b823820faf4aa928b889e ] + +Commit c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable +and post-disable") changed the call sequence to the CRTC enable/disable +and bridge pre_enable/post_disable methods, so those bridge methods are +now called when CRTC is not yet enabled. + +This causes a lockup observed on Samsung Peach-Pit/Pi Chromebooks. The +source of this lockup is a call to fimd_dp_clock_enable() function, when +FIMD device is not yet runtime resumed. It worked before the mentioned +commit only because the CRTC implemented by the FIMD driver was always +enabled what guaranteed the FIMD device to be runtime resumed. + +This patch adds runtime PM guards to the fimd_dp_clock_enable() function +to enable its proper operation also when the CRTC implemented by FIMD is +not yet enabled. + +Fixes: 196e059a8a6a ("drm/exynos: convert clock_enable crtc callback to pipeline clock") +Signed-off-by: Marek Szyprowski +Reviewed-by: Tomi Valkeinen +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c +index 4fe4ca41665b3..1978491d3f846 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c +@@ -182,6 +182,7 @@ struct fimd_context { + u32 i80ifcon; + bool i80_if; + bool suspended; ++ bool dp_clk_enabled; + wait_queue_head_t wait_vsync_queue; + atomic_t wait_vsync_event; + atomic_t win_updated; +@@ -1003,7 +1004,18 @@ static void fimd_dp_clock_enable(struct exynos_drm_clk *clk, bool enable) + struct fimd_context *ctx = container_of(clk, struct fimd_context, + dp_clk); + u32 val = enable ? DP_MIE_CLK_DP_ENABLE : DP_MIE_CLK_DISABLE; ++ ++ if (enable == ctx->dp_clk_enabled) ++ return; ++ ++ if (enable) ++ pm_runtime_resume_and_get(ctx->dev); ++ ++ ctx->dp_clk_enabled = enable; + writel(val, ctx->regs + DP_MIE_CLKCON); ++ ++ if (!enable) ++ pm_runtime_put(ctx->dev); + } + + static const struct exynos_drm_crtc_ops fimd_crtc_ops = { +-- +2.39.5 + diff --git a/queue-5.4/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch b/queue-5.4/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch new file mode 100644 index 0000000000..64bd194610 --- /dev/null +++ b/queue-5.4/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch @@ -0,0 +1,47 @@ +From b6fc63c605a1ae8282f9f3d7eaa75f9a565580f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jun 2025 07:56:05 -0700 +Subject: enic: fix incorrect MTU comparison in enic_change_mtu() + +From: Alok Tiwari + +[ Upstream commit aaf2b2480375099c022a82023e1cd772bf1c6a5d ] + +The comparison in enic_change_mtu() incorrectly used the current +netdev->mtu instead of the new new_mtu value when warning about +an MTU exceeding the port MTU. This could suppress valid warnings +or issue incorrect ones. + +Fix the condition and log to properly reflect the new_mtu. + +Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly") +Signed-off-by: Alok Tiwari +Acked-by: John Daley +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250628145612.476096-1-alok.a.tiwari@oracle.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 892c4b5ff3036..1101f1416d076 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -2093,10 +2093,10 @@ static int enic_change_mtu(struct net_device *netdev, int new_mtu) + if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic)) + return -EOPNOTSUPP; + +- if (netdev->mtu > enic->port_mtu) ++ if (new_mtu > enic->port_mtu) + netdev_warn(netdev, + "interface MTU (%d) set higher than port MTU (%d)\n", +- netdev->mtu, enic->port_mtu); ++ new_mtu, enic->port_mtu); + + return _enic_change_mtu(netdev, new_mtu); + } +-- +2.39.5 + diff --git a/queue-5.4/lib-test_objagg-set-error-message-in-check_expect_hi.patch b/queue-5.4/lib-test_objagg-set-error-message-in-check_expect_hi.patch new file mode 100644 index 0000000000..e3335a4352 --- /dev/null +++ b/queue-5.4/lib-test_objagg-set-error-message-in-check_expect_hi.patch @@ -0,0 +1,50 @@ +From 8071542810e739ae1247be06357b89282b6c6a16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 14:36:40 -0500 +Subject: lib: test_objagg: Set error message in check_expect_hints_stats() + +From: Dan Carpenter + +[ Upstream commit e6ed134a4ef592fe1fd0cafac9683813b3c8f3e8 ] + +Smatch complains that the error message isn't set in the caller: + + lib/test_objagg.c:923 test_hints_case2() + error: uninitialized symbol 'errmsg'. + +This static checker warning only showed up after a recent refactoring +but the bug dates back to when the code was originally added. This +likely doesn't affect anything in real life. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/r/202506281403.DsuyHFTZ-lkp@intel.com/ +Fixes: 0a020d416d0a ("lib: introduce initial implementation of object aggregation manager") +Signed-off-by: Dan Carpenter +Reviewed-by: Ido Schimmel +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/8548f423-2e3b-4bb7-b816-5041de2762aa@sabinyo.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + lib/test_objagg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/test_objagg.c b/lib/test_objagg.c +index da137939a4100..78d25ab19a960 100644 +--- a/lib/test_objagg.c ++++ b/lib/test_objagg.c +@@ -899,8 +899,10 @@ static int check_expect_hints_stats(struct objagg_hints *objagg_hints, + int err; + + stats = objagg_hints_stats_get(objagg_hints); +- if (IS_ERR(stats)) ++ if (IS_ERR(stats)) { ++ *errmsg = "objagg_hints_stats_get() failed."; + return PTR_ERR(stats); ++ } + err = __check_expect_stats(stats, expect_stats, errmsg); + objagg_stats_put(stats); + return err; +-- +2.39.5 + diff --git a/queue-5.4/net-sched-always-pass-notifications-when-child-class.patch b/queue-5.4/net-sched-always-pass-notifications-when-child-class.patch new file mode 100644 index 0000000000..12b6351b1e --- /dev/null +++ b/queue-5.4/net-sched-always-pass-notifications-when-child-class.patch @@ -0,0 +1,109 @@ +From a902267f838f8dafce4340c390ac91203ff2a612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 15:27:30 +0200 +Subject: net/sched: Always pass notifications when child class becomes empty + +From: Lion Ackermann + +[ Upstream commit 103406b38c600fec1fe375a77b27d87e314aea09 ] + +Certain classful qdiscs may invoke their classes' dequeue handler on an +enqueue operation. This may unexpectedly empty the child qdisc and thus +make an in-flight class passive via qlen_notify(). Most qdiscs do not +expect such behaviour at this point in time and may re-activate the +class eventually anyways which will lead to a use-after-free. + +The referenced fix commit attempted to fix this behavior for the HFSC +case by moving the backlog accounting around, though this turned out to +be incomplete since the parent's parent may run into the issue too. +The following reproducer demonstrates this use-after-free: + + tc qdisc add dev lo root handle 1: drr + tc filter add dev lo parent 1: basic classid 1:1 + tc class add dev lo parent 1: classid 1:1 drr + tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 + tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 + tc qdisc add dev lo parent 2:1 handle 3: netem + tc qdisc add dev lo parent 3:1 handle 4: blackhole + + echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 + tc class delete dev lo classid 1:1 + echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 + +Since backlog accounting issues leading to a use-after-frees on stale +class pointers is a recurring pattern at this point, this patch takes +a different approach. Instead of trying to fix the accounting, the patch +ensures that qdisc_tree_reduce_backlog always calls qlen_notify when +the child qdisc is empty. This solves the problem because deletion of +qdiscs always involves a call to qdisc_reset() and / or +qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing +the following qdisc_tree_reduce_backlog() to report to the parent. Note +that this may call qlen_notify on passive classes multiple times. This +is not a problem after the recent patch series that made all the +classful qdiscs qlen_notify() handlers idempotent. + +Fixes: 3f981138109f ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()") +Signed-off-by: Lion Ackermann +Reviewed-by: Jamal Hadi Salim +Acked-by: Cong Wang +Acked-by: Jamal Hadi Salim +Link: https://patch.msgid.link/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 19 +++++-------------- + 1 file changed, 5 insertions(+), 14 deletions(-) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 60c8b81a22dcd..fe3808cc6eb82 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -758,15 +758,12 @@ static u32 qdisc_alloc_handle(struct net_device *dev) + + void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len) + { +- bool qdisc_is_offloaded = sch->flags & TCQ_F_OFFLOADED; + const struct Qdisc_class_ops *cops; + unsigned long cl; + u32 parentid; + bool notify; + int drops; + +- if (n == 0 && len == 0) +- return; + drops = max_t(int, n, 0); + rcu_read_lock(); + while ((parentid = sch->parent)) { +@@ -775,17 +772,8 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len) + + if (sch->flags & TCQ_F_NOPARENT) + break; +- /* Notify parent qdisc only if child qdisc becomes empty. +- * +- * If child was empty even before update then backlog +- * counter is screwed and we skip notification because +- * parent class is already passive. +- * +- * If the original child was offloaded then it is allowed +- * to be seem as empty, so the parent is notified anyway. +- */ +- notify = !sch->q.qlen && !WARN_ON_ONCE(!n && +- !qdisc_is_offloaded); ++ /* Notify parent qdisc only if child qdisc becomes empty. */ ++ notify = !sch->q.qlen; + /* TODO: perform the search on a per txq basis */ + sch = qdisc_lookup(qdisc_dev(sch), TC_H_MAJ(parentid)); + if (sch == NULL) { +@@ -794,6 +782,9 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len) + } + cops = sch->ops->cl_ops; + if (notify && cops->qlen_notify) { ++ /* Note that qlen_notify must be idempotent as it may get called ++ * multiple times. ++ */ + cl = cops->find(sch, parentid); + cops->qlen_notify(sch, cl); + } +-- +2.39.5 + diff --git a/queue-5.4/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch b/queue-5.4/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch new file mode 100644 index 0000000000..5f4770c65e --- /dev/null +++ b/queue-5.4/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch @@ -0,0 +1,139 @@ +From c7a6a26eab7d91b819af1dc4eb32e6233cfe76b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jun 2025 14:52:50 -0700 +Subject: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. + +From: Kuniyuki Iwashima + +[ Upstream commit e8d6f3ab59468e230f3253efe5cb63efa35289f7 ] + +syzbot reported a warning below [1] following a fault injection in +nfs_fs_proc_net_init(). [0] + +When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed. + +Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning +is logged as the directory is not empty. + +Let's handle the error of nfs_fs_proc_net_init() properly. + +[0]: +FAULT_INJECTION: forcing a failure. +name failslab, interval 1, probability 0, space 0, times 0 +CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:123) + should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174) + should_failslab (mm/failslab.c:46) + kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204) + __proc_create (fs/proc/generic.c:427) + proc_create_reg (fs/proc/generic.c:554) + proc_create_net_data (fs/proc/proc_net.c:120) + nfs_fs_proc_net_init (fs/nfs/client.c:1409) + nfs_net_init (fs/nfs/inode.c:2600) + ops_init (net/core/net_namespace.c:138) + setup_net (net/core/net_namespace.c:443) + copy_net_ns (net/core/net_namespace.c:576) + create_new_namespaces (kernel/nsproxy.c:110) + unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4)) + ksys_unshare (kernel/fork.c:3123) + __x64_sys_unshare (kernel/fork.c:3190) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + +[1]: +remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs' + WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727 +Modules linked in: +CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 + RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727 +Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00 +RSP: 0018:ffffc90003637b08 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8 +RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001 +RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00 +R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000 +FS: 0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76 + ops_exit_list net/core/net_namespace.c:200 [inline] + ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253 + setup_net+0x2e1/0x510 net/core/net_namespace.c:457 + copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574 + create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110 + unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218 + ksys_unshare+0x45b/0xa40 kernel/fork.c:3121 + __do_sys_unshare kernel/fork.c:3192 [inline] + __se_sys_unshare kernel/fork.c:3190 [inline] + __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fa1a6b8e929 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fff3a090368 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 +RAX: ffffffffffffffda RBX: 00007fa1a6db5fa0 RCX: 00007fa1a6b8e929 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000080 +RBP: 00007fa1a6c10b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fa1a6db5fa0 R14: 00007fa1a6db5fa0 R15: 0000000000000001 + + +Fixes: d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces") +Reported-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a4cc4ac22daa4a71b87c +Tested-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 251f45fee53ca..0dc53732b5c98 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -2180,15 +2180,26 @@ EXPORT_SYMBOL_GPL(nfs_net_id); + static int nfs_net_init(struct net *net) + { + struct nfs_net *nn = net_generic(net, nfs_net_id); ++ int err; + + nfs_clients_init(net); + + if (!rpc_proc_register(net, &nn->rpcstats)) { +- nfs_clients_exit(net); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto err_proc_rpc; + } + +- return nfs_fs_proc_net_init(net); ++ err = nfs_fs_proc_net_init(net); ++ if (err) ++ goto err_proc_nfs; ++ ++ return 0; ++ ++err_proc_nfs: ++ rpc_proc_unregister(net, "nfs"); ++err_proc_rpc: ++ nfs_clients_exit(net); ++ return err; + } + + static void nfs_net_exit(struct net *net) +-- +2.39.5 + diff --git a/queue-5.4/nui-fix-dma_mapping_error-check.patch b/queue-5.4/nui-fix-dma_mapping_error-check.patch new file mode 100644 index 0000000000..efed7fea31 --- /dev/null +++ b/queue-5.4/nui-fix-dma_mapping_error-check.patch @@ -0,0 +1,143 @@ +From 72a3e2830bb3ace3397c9b8350e65f7105cd65e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jun 2025 10:36:43 +0200 +Subject: nui: Fix dma_mapping_error() check + +From: Thomas Fourier + +[ Upstream commit 561aa0e22b70a5e7246b73d62a824b3aef3fc375 ] + +dma_map_XXX() functions return values DMA_MAPPING_ERROR as error values +which is often ~0. The error value should be tested with +dma_mapping_error(). + +This patch creates a new function in niu_ops to test if the mapping +failed. The test is fixed in niu_rbr_add_page(), added in +niu_start_xmit() and the successfully mapped pages are unmaped upon error. + +Fixes: ec2deec1f352 ("niu: Fix to check for dma mapping errors.") +Signed-off-by: Thomas Fourier +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/niu.c | 31 ++++++++++++++++++++++++++++++- + drivers/net/ethernet/sun/niu.h | 4 ++++ + 2 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index e659415c62bd7..ca991bcb2e512 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -3317,7 +3317,7 @@ static int niu_rbr_add_page(struct niu *np, struct rx_ring_info *rp, + + addr = np->ops->map_page(np->device, page, 0, + PAGE_SIZE, DMA_FROM_DEVICE); +- if (!addr) { ++ if (np->ops->mapping_error(np->device, addr)) { + __free_page(page); + return -ENOMEM; + } +@@ -6654,6 +6654,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb, + len = skb_headlen(skb); + mapping = np->ops->map_single(np->device, skb->data, + len, DMA_TO_DEVICE); ++ if (np->ops->mapping_error(np->device, mapping)) ++ goto out_drop; + + prod = rp->prod; + +@@ -6695,6 +6697,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb, + mapping = np->ops->map_page(np->device, skb_frag_page(frag), + skb_frag_off(frag), len, + DMA_TO_DEVICE); ++ if (np->ops->mapping_error(np->device, mapping)) ++ goto out_unmap; + + rp->tx_buffs[prod].skb = NULL; + rp->tx_buffs[prod].mapping = mapping; +@@ -6719,6 +6723,19 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb, + out: + return NETDEV_TX_OK; + ++out_unmap: ++ while (i--) { ++ const skb_frag_t *frag; ++ ++ prod = PREVIOUS_TX(rp, prod); ++ frag = &skb_shinfo(skb)->frags[i]; ++ np->ops->unmap_page(np->device, rp->tx_buffs[prod].mapping, ++ skb_frag_size(frag), DMA_TO_DEVICE); ++ } ++ ++ np->ops->unmap_single(np->device, rp->tx_buffs[rp->prod].mapping, ++ skb_headlen(skb), DMA_TO_DEVICE); ++ + out_drop: + rp->tx_errors++; + kfree_skb(skb); +@@ -9612,6 +9629,11 @@ static void niu_pci_unmap_single(struct device *dev, u64 dma_address, + dma_unmap_single(dev, dma_address, size, direction); + } + ++static int niu_pci_mapping_error(struct device *dev, u64 addr) ++{ ++ return dma_mapping_error(dev, addr); ++} ++ + static const struct niu_ops niu_pci_ops = { + .alloc_coherent = niu_pci_alloc_coherent, + .free_coherent = niu_pci_free_coherent, +@@ -9619,6 +9641,7 @@ static const struct niu_ops niu_pci_ops = { + .unmap_page = niu_pci_unmap_page, + .map_single = niu_pci_map_single, + .unmap_single = niu_pci_unmap_single, ++ .mapping_error = niu_pci_mapping_error, + }; + + static void niu_driver_version(void) +@@ -9996,6 +10019,11 @@ static void niu_phys_unmap_single(struct device *dev, u64 dma_address, + /* Nothing to do. */ + } + ++static int niu_phys_mapping_error(struct device *dev, u64 dma_address) ++{ ++ return false; ++} ++ + static const struct niu_ops niu_phys_ops = { + .alloc_coherent = niu_phys_alloc_coherent, + .free_coherent = niu_phys_free_coherent, +@@ -10003,6 +10031,7 @@ static const struct niu_ops niu_phys_ops = { + .unmap_page = niu_phys_unmap_page, + .map_single = niu_phys_map_single, + .unmap_single = niu_phys_unmap_single, ++ .mapping_error = niu_phys_mapping_error, + }; + + static int niu_of_probe(struct platform_device *op) +diff --git a/drivers/net/ethernet/sun/niu.h b/drivers/net/ethernet/sun/niu.h +index 04c215f91fc08..0b169c08b0f2d 100644 +--- a/drivers/net/ethernet/sun/niu.h ++++ b/drivers/net/ethernet/sun/niu.h +@@ -2879,6 +2879,9 @@ struct tx_ring_info { + #define NEXT_TX(tp, index) \ + (((index) + 1) < (tp)->pending ? ((index) + 1) : 0) + ++#define PREVIOUS_TX(tp, index) \ ++ (((index) - 1) >= 0 ? ((index) - 1) : (((tp)->pending) - 1)) ++ + static inline u32 niu_tx_avail(struct tx_ring_info *tp) + { + return (tp->pending - +@@ -3140,6 +3143,7 @@ struct niu_ops { + enum dma_data_direction direction); + void (*unmap_single)(struct device *dev, u64 dma_address, + size_t size, enum dma_data_direction direction); ++ int (*mapping_error)(struct device *dev, u64 dma_address); + }; + + struct niu_link_config { +-- +2.39.5 + diff --git a/queue-5.4/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch b/queue-5.4/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch new file mode 100644 index 0000000000..3f956b67d6 --- /dev/null +++ b/queue-5.4/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch @@ -0,0 +1,46 @@ +From 6a7d6409a371bb4559e9c857ddd8a14f1de25719 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jun 2025 21:46:08 +0000 +Subject: platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Thompson + +[ Upstream commit 109f4d29dade8ae5b4ac6325af9d1bc24b4230f8 ] + +Fix warnings reported by sparse, related to incorrect type: +drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: warning: incorrect type in assignment (different base types) +drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: expected restricted __virtio32 [usertype] len +drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: got unsigned long + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202404040339.S7CUIgf3-lkp@intel.com/ +Fixes: 78034cbece79 ("platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors") +Signed-off-by: David Thompson +Link: https://lore.kernel.org/r/20250613214608.2250130-1-davthompson@nvidia.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/mellanox/mlxbf-tmfifo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c +index 767f4406e55f1..1eb7f4eb1156c 100644 +--- a/drivers/platform/mellanox/mlxbf-tmfifo.c ++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c +@@ -253,7 +253,8 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo, + vring->align = SMP_CACHE_BYTES; + vring->index = i; + vring->vdev_id = tm_vdev->vdev.id.device; +- vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN; ++ vring->drop_desc.len = cpu_to_virtio32(&tm_vdev->vdev, ++ VRING_DROP_DESC_MAX_LEN); + dev = &tm_vdev->vdev.dev; + + size = vring_size(vring->num, vring->align); +-- +2.39.5 + diff --git a/queue-5.4/powerpc-fix-struct-termio-related-ioctl-macros.patch b/queue-5.4/powerpc-fix-struct-termio-related-ioctl-macros.patch new file mode 100644 index 0000000000..2496f6dbca --- /dev/null +++ b/queue-5.4/powerpc-fix-struct-termio-related-ioctl-macros.patch @@ -0,0 +1,58 @@ +From dead42839caf00ac40e89a58c8c6b04a495152d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 May 2025 19:52:37 +0530 +Subject: powerpc: Fix struct termio related ioctl macros + +From: Madhavan Srinivasan + +[ Upstream commit ab107276607af90b13a5994997e19b7b9731e251 ] + +Since termio interface is now obsolete, include/uapi/asm/ioctls.h +has some constant macros referring to "struct termio", this caused +build failure at userspace. + +In file included from /usr/include/asm/ioctl.h:12, + from /usr/include/asm/ioctls.h:5, + from tst-ioctls.c:3: +tst-ioctls.c: In function 'get_TCGETA': +tst-ioctls.c:12:10: error: invalid application of 'sizeof' to incomplete type 'struct termio' + 12 | return TCGETA; + | ^~~~~~ + +Even though termios.h provides "struct termio", trying to juggle definitions around to +make it compile could introduce regressions. So better to open code it. + +Reported-by: Tulio Magno +Suggested-by: Nicholas Piggin +Tested-by: Justin M. Forbes +Reviewed-by: Michael Ellerman +Closes: https://lore.kernel.org/linuxppc-dev/8734dji5wl.fsf@ascii.art.br/ +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20250517142237.156665-1-maddy@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/uapi/asm/ioctls.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/include/uapi/asm/ioctls.h b/arch/powerpc/include/uapi/asm/ioctls.h +index 2c145da3b774a..b5211e413829a 100644 +--- a/arch/powerpc/include/uapi/asm/ioctls.h ++++ b/arch/powerpc/include/uapi/asm/ioctls.h +@@ -23,10 +23,10 @@ + #define TCSETSW _IOW('t', 21, struct termios) + #define TCSETSF _IOW('t', 22, struct termios) + +-#define TCGETA _IOR('t', 23, struct termio) +-#define TCSETA _IOW('t', 24, struct termio) +-#define TCSETAW _IOW('t', 25, struct termio) +-#define TCSETAF _IOW('t', 28, struct termio) ++#define TCGETA 0x40147417 /* _IOR('t', 23, struct termio) */ ++#define TCSETA 0x80147418 /* _IOW('t', 24, struct termio) */ ++#define TCSETAW 0x80147419 /* _IOW('t', 25, struct termio) */ ++#define TCSETAF 0x8014741c /* _IOW('t', 28, struct termio) */ + + #define TCSBRK _IO('t', 29) + #define TCXONC _IO('t', 30) +-- +2.39.5 + diff --git a/queue-5.4/rcu-return-early-if-callback-is-not-specified.patch b/queue-5.4/rcu-return-early-if-callback-is-not-specified.patch new file mode 100644 index 0000000000..af2ec4c789 --- /dev/null +++ b/queue-5.4/rcu-return-early-if-callback-is-not-specified.patch @@ -0,0 +1,43 @@ +From 475e4713034a7eae1cab1a60a8d7c4728aaeab5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jun 2025 19:34:48 +0200 +Subject: rcu: Return early if callback is not specified + +From: Uladzislau Rezki (Sony) + +[ Upstream commit 33b6a1f155d627f5bd80c7485c598ce45428f74f ] + +Currently the call_rcu() API does not check whether a callback +pointer is NULL. If NULL is passed, rcu_core() will try to invoke +it, resulting in NULL pointer dereference and a kernel crash. + +To prevent this and improve debuggability, this patch adds a check +for NULL and emits a kernel stack trace to help identify a faulty +caller. + +Signed-off-by: Uladzislau Rezki (Sony) +Reviewed-by: Joel Fernandes +Signed-off-by: Joel Fernandes +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index 615283404d9dc..562c1ff452837 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -2568,6 +2568,10 @@ __call_rcu(struct rcu_head *head, rcu_callback_t func, bool lazy) + /* Misaligned rcu_head! */ + WARN_ON_ONCE((unsigned long)head & (sizeof(void *) - 1)); + ++ /* Avoid NULL dereference if callback is NULL. */ ++ if (WARN_ON_ONCE(!func)) ++ return; ++ + if (debug_rcu_head_queue(head)) { + /* + * Probable double call_rcu(), so leak the callback. +-- +2.39.5 + diff --git a/queue-5.4/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch b/queue-5.4/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch new file mode 100644 index 0000000000..94b89e66d8 --- /dev/null +++ b/queue-5.4/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch @@ -0,0 +1,100 @@ +From dc8a307df234f4a26750e0a0d54554c0cd8d6fe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 11:13:55 +0300 +Subject: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert + +From: Mark Zhang + +[ Upstream commit 8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a ] + +The obj_event may be loaded immediately after inserted, then if the +list_head is not initialized then we may get a poisonous pointer. This +fixes the crash below: + + mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced) + mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056 + mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0 + mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps + IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 + Mem abort info: + ESR = 0x96000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000 + [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000 + Internal error: Oops: 96000006 [#1] SMP + Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E) + [last unloaded: mst_pci] + CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1 + Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023 + pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--) + pc : dispatch_event_fd+0x68/0x300 [mlx5_ib] + lr : devx_event_notifier+0xcc/0x228 [mlx5_ib] + sp : ffff80001005bcf0 + x29: ffff80001005bcf0 x28: 0000000000000001 + x27: ffff244e0740a1d8 x26: ffff244e0740a1d0 + x25: ffffda56beff5ae0 x24: ffffda56bf911618 + x23: ffff244e0596a480 x22: ffff244e0596a480 + x21: ffff244d8312ad90 x20: ffff244e0596a480 + x19: fffffffffffffff0 x18: 0000000000000000 + x17: 0000000000000000 x16: ffffda56be66d620 + x15: 0000000000000000 x14: 0000000000000000 + x13: 0000000000000000 x12: 0000000000000000 + x11: 0000000000000040 x10: ffffda56bfcafb50 + x9 : ffffda5655c25f2c x8 : 0000000000000010 + x7 : 0000000000000000 x6 : ffff24545a2e24b8 + x5 : 0000000000000003 x4 : ffff80001005bd28 + x3 : 0000000000000000 x2 : 0000000000000000 + x1 : ffff244e0596a480 x0 : ffff244d8312ad90 + Call trace: + dispatch_event_fd+0x68/0x300 [mlx5_ib] + devx_event_notifier+0xcc/0x228 [mlx5_ib] + atomic_notifier_call_chain+0x58/0x80 + mlx5_eq_async_int+0x148/0x2b0 [mlx5_core] + atomic_notifier_call_chain+0x58/0x80 + irq_int_handler+0x20/0x30 [mlx5_core] + __handle_irq_event_percpu+0x60/0x220 + handle_irq_event_percpu+0x3c/0x90 + handle_irq_event+0x58/0x158 + handle_fasteoi_irq+0xfc/0x188 + generic_handle_irq+0x34/0x48 + ... + +Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX") +Link: https://patch.msgid.link/r/3ce7f20e0d1a03dc7de6e57494ec4b8eaf1f05c2.1750147949.git.leon@kernel.org +Signed-off-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/devx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c +index 7a3b56c150799..ad8057bfd0c8b 100644 +--- a/drivers/infiniband/hw/mlx5/devx.c ++++ b/drivers/infiniband/hw/mlx5/devx.c +@@ -1840,6 +1840,7 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table, + /* Level1 is valid for future use, no need to free */ + return -ENOMEM; + ++ INIT_LIST_HEAD(&obj_event->obj_sub_list); + err = xa_insert(&event->object_ids, + key_level2, + obj_event, +@@ -1848,7 +1849,6 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table, + kfree(obj_event); + return err; + } +- INIT_LIST_HEAD(&obj_event->obj_sub_list); + } + + return 0; +-- +2.39.5 + diff --git a/queue-5.4/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch b/queue-5.4/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch new file mode 100644 index 0000000000..34f7a821a5 --- /dev/null +++ b/queue-5.4/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch @@ -0,0 +1,37 @@ +From 6acd365939c64441531f7ad626a87b37b2d01444 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jun 2025 09:17:37 +0200 +Subject: scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu() + +From: Thomas Fourier + +[ Upstream commit 00f452a1b084efbe8dcb60a29860527944a002a1 ] + +dma_map_XXX() can fail and should be tested for errors with +dma_mapping_error(). + +Fixes: b3a271a94d00 ("[SCSI] qla4xxx: support iscsiadm session mgmt") +Signed-off-by: Thomas Fourier +Link: https://lore.kernel.org/r/20250618071742.21822-2-fourier.thomas@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index ea15bbe0397fc..af1c45dd2f38a 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -3394,6 +3394,8 @@ static int qla4xxx_alloc_pdu(struct iscsi_task *task, uint8_t opcode) + task_data->data_dma = dma_map_single(&ha->pdev->dev, task->data, + task->data_count, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&ha->pdev->dev, task_data->data_dma)) ++ return -ENOMEM; + } + + DEBUG2(ql4_printk(KERN_INFO, ha, "%s: MaxRecvLen %u, iscsi hrd %d\n", +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index 198399df4a..cbfc746d49 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -64,3 +64,21 @@ mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch +platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch +rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch +nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch +scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch +btrfs-fix-missing-error-handling-when-searching-for-.patch +drm-exynos-fimd-guard-display-clock-control-with-run.patch +lib-test_objagg-set-error-message-in-check_expect_hi.patch +amd-xgbe-align-cl37-an-sequence-as-per-databook.patch +enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch +nui-fix-dma_mapping_error-check.patch +net-sched-always-pass-notifications-when-child-class.patch +alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch +ata-pata_cs5536-fix-build-on-32-bit-uml.patch +powerpc-fix-struct-termio-related-ioctl-macros.patch +wifi-mac80211-drop-invalid-source-address-ocb-frames.patch +wifi-ath6kl-remove-warn-on-bad-firmware-input.patch +acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch +rcu-return-early-if-callback-is-not-specified.patch diff --git a/queue-5.4/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch b/queue-5.4/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch new file mode 100644 index 0000000000..05d7d9ef8a --- /dev/null +++ b/queue-5.4/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch @@ -0,0 +1,43 @@ +From 39484dd56db46357afbc79fcfc4f368f34a73dae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jun 2025 11:45:29 +0200 +Subject: wifi: ath6kl: remove WARN on bad firmware input + +From: Johannes Berg + +[ Upstream commit e7417421d89358da071fd2930f91e67c7128fbff ] + +If the firmware gives bad input, that's nothing to do with +the driver's stack at this point etc., so the WARN_ON() +doesn't add any value. Additionally, this is one of the +top syzbot reports now. Just print a message, and as an +added bonus, print the sizes too. + +Reported-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com +Tested-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com +Acked-by: Jeff Johnson +Link: https://patch.msgid.link/20250617114529.031a677a348e.I58bf1eb4ac16a82c546725ff010f3f0d2b0cca49@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/bmi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c +index af98e871199d3..5a9e93fd1ef42 100644 +--- a/drivers/net/wireless/ath/ath6kl/bmi.c ++++ b/drivers/net/wireless/ath/ath6kl/bmi.c +@@ -87,7 +87,9 @@ int ath6kl_bmi_get_target_info(struct ath6kl *ar, + * We need to do some backwards compatibility to make this work. + */ + if (le32_to_cpu(targ_info->byte_count) != sizeof(*targ_info)) { +- WARN_ON(1); ++ ath6kl_err("mismatched byte count %d vs. expected %zd\n", ++ le32_to_cpu(targ_info->byte_count), ++ sizeof(*targ_info)); + return -EINVAL; + } + +-- +2.39.5 + diff --git a/queue-5.4/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch b/queue-5.4/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch new file mode 100644 index 0000000000..37034a9824 --- /dev/null +++ b/queue-5.4/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch @@ -0,0 +1,42 @@ +From ed161a5853663d2bf394955e304beaae1ed4afbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jun 2025 17:18:38 +0200 +Subject: wifi: mac80211: drop invalid source address OCB frames + +From: Johannes Berg + +[ Upstream commit d1b1a5eb27c4948e8811cf4dbb05aaf3eb10700c ] + +In OCB, don't accept frames from invalid source addresses +(and in particular don't try to create stations for them), +drop the frames instead. + +Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/6788d2d9.050a0220.20d369.0028.GAE@google.com/ +Signed-off-by: Johannes Berg +Tested-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com +Link: https://patch.msgid.link/20250616171838.7433379cab5d.I47444d63c72a0bd58d2e2b67bb99e1fea37eec6f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 99d5f8b58e92e..4c805530edfb6 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -3982,6 +3982,10 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx) + if (!multicast && + !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1)) + return false; ++ /* reject invalid/our STA address */ ++ if (!is_valid_ether_addr(hdr->addr2) || ++ ether_addr_equal(sdata->dev->dev_addr, hdr->addr2)) ++ return false; + if (!rx->sta) { + int rate_idx; + if (status->encoding != RX_ENC_LEGACY) +-- +2.39.5 +