From 0047f5a4ac66b93cbcccffdf9f1a8ff9acfa7313 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Jul 2024 16:29:17 +0200 Subject: [PATCH] 5.4-stable patches added patches: csky-hexagon-fix-broken-sys_sync_file_range.patch drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch hexagon-fix-fadvise64_64-calling-conventions.patch net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch net-can-j1939-initialize-unused-data-in-j1939_send_one.patch net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch sh-rework-sync_file_range-abi.patch tty-mcf-mcf54418-has-10-uarts.patch --- ...xagon-fix-broken-sys_sync_file_range.patch | 49 ++++++++ ...-dereference-in-nv17_tv_get_hd_modes.patch | 43 +++++++ ...-dereference-in-nv17_tv_get_ld_modes.patch | 33 ++++++ ...fix-fadvise64_64-calling-conventions.patch | 52 ++++++++ ...s-messages-in-xtp_rx_rts_session_new.patch | 73 ++++++++++++ ...ialize-unused-data-in-j1939_send_one.patch | 112 ++++++++++++++++++ ...an-bus-error-during-bam-transmission.patch | 41 +++++++ queue-5.4/series | 9 ++ queue-5.4/sh-rework-sync_file_range-abi.patch | 72 +++++++++++ queue-5.4/tty-mcf-mcf54418-has-10-uarts.patch | 32 +++++ 10 files changed, 516 insertions(+) create mode 100644 queue-5.4/csky-hexagon-fix-broken-sys_sync_file_range.patch create mode 100644 queue-5.4/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch create mode 100644 queue-5.4/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch create mode 100644 queue-5.4/hexagon-fix-fadvise64_64-calling-conventions.patch create mode 100644 queue-5.4/net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch create mode 100644 queue-5.4/net-can-j1939-initialize-unused-data-in-j1939_send_one.patch create mode 100644 queue-5.4/net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch create mode 100644 queue-5.4/sh-rework-sync_file_range-abi.patch create mode 100644 queue-5.4/tty-mcf-mcf54418-has-10-uarts.patch diff --git a/queue-5.4/csky-hexagon-fix-broken-sys_sync_file_range.patch b/queue-5.4/csky-hexagon-fix-broken-sys_sync_file_range.patch new file mode 100644 index 00000000000..3076427f538 --- /dev/null +++ b/queue-5.4/csky-hexagon-fix-broken-sys_sync_file_range.patch @@ -0,0 +1,49 @@ +From 3339b99ef6fe38dac43b534cba3a8a0e29fb2eff Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 14 Jun 2024 09:54:20 +0200 +Subject: csky, hexagon: fix broken sys_sync_file_range + +From: Arnd Bergmann + +commit 3339b99ef6fe38dac43b534cba3a8a0e29fb2eff upstream. + +Both of these architectures require u64 function arguments to be +passed in even/odd pairs of registers or stack slots, which in case of +sync_file_range would result in a seven-argument system call that is +not currently possible. The system call is therefore incompatible with +all existing binaries. + +While it would be possible to implement support for seven arguments +like on mips, it seems better to use a six-argument version, either +with the normal argument order but misaligned as on most architectures +or with the reordered sync_file_range2() calling conventions as on +arm and powerpc. + +Cc: stable@vger.kernel.org +Acked-by: Guo Ren +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/csky/include/uapi/asm/unistd.h | 1 + + arch/hexagon/include/uapi/asm/unistd.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/csky/include/uapi/asm/unistd.h ++++ b/arch/csky/include/uapi/asm/unistd.h +@@ -7,6 +7,7 @@ + #define __ARCH_WANT_SYS_CLONE3 + #define __ARCH_WANT_SET_GET_RLIMIT + #define __ARCH_WANT_TIME32_SYSCALLS ++#define __ARCH_WANT_SYNC_FILE_RANGE2 + #include + + #define __NR_set_thread_area (__NR_arch_specific_syscall + 0) +--- a/arch/hexagon/include/uapi/asm/unistd.h ++++ b/arch/hexagon/include/uapi/asm/unistd.h +@@ -36,5 +36,6 @@ + #define __ARCH_WANT_SYS_VFORK + #define __ARCH_WANT_SYS_FORK + #define __ARCH_WANT_TIME32_SYSCALLS ++#define __ARCH_WANT_SYNC_FILE_RANGE2 + + #include diff --git a/queue-5.4/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch b/queue-5.4/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch new file mode 100644 index 00000000000..4a9e1e965dc --- /dev/null +++ b/queue-5.4/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch @@ -0,0 +1,43 @@ +From 6d411c8ccc0137a612e0044489030a194ff5c843 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 25 Jun 2024 16:10:29 +0800 +Subject: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes + +From: Ma Ke + +commit 6d411c8ccc0137a612e0044489030a194ff5c843 upstream. + +In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is +assigned to mode, which will lead to a possible NULL pointer dereference +on failure of drm_mode_duplicate(). The same applies to drm_cvt_mode(). +Add a check to avoid null pointer dereference. + +Cc: stable@vger.kernel.org +Signed-off-by: Ma Ke +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20240625081029.2619437-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +@@ -259,6 +259,8 @@ static int nv17_tv_get_hd_modes(struct d + if (modes[i].hdisplay == output_mode->hdisplay && + modes[i].vdisplay == output_mode->vdisplay) { + mode = drm_mode_duplicate(encoder->dev, output_mode); ++ if (!mode) ++ continue; + mode->type |= DRM_MODE_TYPE_PREFERRED; + + } else { +@@ -266,6 +268,8 @@ static int nv17_tv_get_hd_modes(struct d + modes[i].vdisplay, 60, false, + (output_mode->flags & + DRM_MODE_FLAG_INTERLACE), false); ++ if (!mode) ++ continue; + } + + /* CVT modes are sometimes unsuitable... */ diff --git a/queue-5.4/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch b/queue-5.4/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch new file mode 100644 index 00000000000..fe6ba361dd9 --- /dev/null +++ b/queue-5.4/drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch @@ -0,0 +1,33 @@ +From 66edf3fb331b6c55439b10f9862987b0916b3726 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 25 Jun 2024 16:18:28 +0800 +Subject: drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes + +From: Ma Ke + +commit 66edf3fb331b6c55439b10f9862987b0916b3726 upstream. + +In nv17_tv_get_ld_modes(), the return value of drm_mode_duplicate() is +assigned to mode, which will lead to a possible NULL pointer dereference +on failure of drm_mode_duplicate(). Add a check to avoid npd. + +Cc: stable@vger.kernel.org +Signed-off-by: Ma Ke +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20240625081828.2620794-1-make24@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c ++++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c +@@ -208,6 +208,8 @@ static int nv17_tv_get_ld_modes(struct d + struct drm_display_mode *mode; + + mode = drm_mode_duplicate(encoder->dev, tv_mode); ++ if (!mode) ++ continue; + + mode->clock = tv_norm->tv_enc_mode.vrefresh * + mode->htotal / 1000 * diff --git a/queue-5.4/hexagon-fix-fadvise64_64-calling-conventions.patch b/queue-5.4/hexagon-fix-fadvise64_64-calling-conventions.patch new file mode 100644 index 00000000000..9388861776c --- /dev/null +++ b/queue-5.4/hexagon-fix-fadvise64_64-calling-conventions.patch @@ -0,0 +1,52 @@ +From 896842284c6ccba25ec9d78b7b6e62cdd507c083 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 20 Jun 2024 15:24:11 +0200 +Subject: hexagon: fix fadvise64_64 calling conventions + +From: Arnd Bergmann + +commit 896842284c6ccba25ec9d78b7b6e62cdd507c083 upstream. + +fadvise64_64() has two 64-bit arguments at the wrong alignment +for hexagon, which turns them into a 7-argument syscall that is +not supported by Linux. + +The downstream musl port for hexagon actually asks for a 6-argument +version the same way we do it on arm, csky, powerpc, so make the +kernel do it the same way to avoid having to change both. + +Link: https://github.com/quic/musl/blob/hexagon/arch/hexagon/syscall_arch.h#L78 +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/hexagon/include/asm/syscalls.h | 6 ++++++ + arch/hexagon/kernel/syscalltab.c | 7 +++++++ + 2 files changed, 13 insertions(+) + create mode 100644 arch/hexagon/include/asm/syscalls.h + +--- /dev/null ++++ b/arch/hexagon/include/asm/syscalls.h +@@ -0,0 +1,6 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++ ++#include ++ ++asmlinkage long sys_hexagon_fadvise64_64(int fd, int advice, ++ u32 a2, u32 a3, u32 a4, u32 a5); +--- a/arch/hexagon/kernel/syscalltab.c ++++ b/arch/hexagon/kernel/syscalltab.c +@@ -14,6 +14,13 @@ + #undef __SYSCALL + #define __SYSCALL(nr, call) [nr] = (call), + ++SYSCALL_DEFINE6(hexagon_fadvise64_64, int, fd, int, advice, ++ SC_ARG64(offset), SC_ARG64(len)) ++{ ++ return ksys_fadvise64_64(fd, SC_VAL64(loff_t, offset), SC_VAL64(loff_t, len), advice); ++} ++#define sys_fadvise64_64 sys_hexagon_fadvise64_64 ++ + void *sys_call_table[__NR_syscalls] = { + #include + }; diff --git a/queue-5.4/net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch b/queue-5.4/net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch new file mode 100644 index 00000000000..ef561aed2df --- /dev/null +++ b/queue-5.4/net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch @@ -0,0 +1,73 @@ +From d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Fri, 17 Nov 2023 13:49:59 +0100 +Subject: net: can: j1939: enhanced error handling for tightly received RTS messages in xtp_rx_rts_session_new + +From: Oleksij Rempel + +commit d3e2904f71ea0fe7eaff1d68a2b0363c888ea0fb upstream. + +This patch enhances error handling in scenarios with RTS (Request to +Send) messages arriving closely. It replaces the less informative WARN_ON_ONCE +backtraces with a new error handling method. This provides clearer error +messages and allows for the early termination of problematic sessions. +Previously, sessions were only released at the end of j1939_xtp_rx_rts(). + +Potentially this could be reproduced with something like: +testj1939 -r vcan0:0x80 & +while true; do + # send first RTS + cansend vcan0 18EC8090#1014000303002301; + # send second RTS + cansend vcan0 18EC8090#1014000303002301; + # send abort + cansend vcan0 18EC8090#ff00000000002301; +done + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Reported-by: syzbot+daa36413a5cedf799ae4@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20231117124959.961171-1-o.rempel@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1577,8 +1577,8 @@ j1939_session *j1939_xtp_rx_rts_session_ + struct j1939_sk_buff_cb skcb = *j1939_skb_to_cb(skb); + struct j1939_session *session; + const u8 *dat; ++ int len, ret; + pgn_t pgn; +- int len; + + netdev_dbg(priv->ndev, "%s\n", __func__); + +@@ -1634,7 +1634,22 @@ j1939_session *j1939_xtp_rx_rts_session_ + session->pkt.rx = 0; + session->pkt.tx = 0; + +- WARN_ON_ONCE(j1939_session_activate(session)); ++ ret = j1939_session_activate(session); ++ if (ret) { ++ /* Entering this scope indicates an issue with the J1939 bus. ++ * Possible scenarios include: ++ * - A time lapse occurred, and a new session was initiated ++ * due to another packet being sent correctly. This could ++ * have been caused by too long interrupt, debugger, or being ++ * out-scheduled by another task. ++ * - The bus is receiving numerous erroneous packets, either ++ * from a malfunctioning device or during a test scenario. ++ */ ++ netdev_alert(priv->ndev, "%s: 0x%p: concurrent session with same addr (%02x %02x) is already active.\n", ++ __func__, session, skcb.addr.sa, skcb.addr.da); ++ j1939_session_put(session); ++ return NULL; ++ } + + return session; + } diff --git a/queue-5.4/net-can-j1939-initialize-unused-data-in-j1939_send_one.patch b/queue-5.4/net-can-j1939-initialize-unused-data-in-j1939_send_one.patch new file mode 100644 index 00000000000..83812a6e533 --- /dev/null +++ b/queue-5.4/net-can-j1939-initialize-unused-data-in-j1939_send_one.patch @@ -0,0 +1,112 @@ +From b7cdf1dd5d2a2d8200efd98d1893684db48fe134 Mon Sep 17 00:00:00 2001 +From: Shigeru Yoshida +Date: Fri, 17 May 2024 12:59:53 +0900 +Subject: net: can: j1939: Initialize unused data in j1939_send_one() + +From: Shigeru Yoshida + +commit b7cdf1dd5d2a2d8200efd98d1893684db48fe134 upstream. + +syzbot reported kernel-infoleak in raw_recvmsg() [1]. j1939_send_one() +creates full frame including unused data, but it doesn't initialize +it. This causes the kernel-infoleak issue. Fix this by initializing +unused data. + +[1] +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] +BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] +BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] +BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] +BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 + instrument_copy_to_user include/linux/instrumented.h:114 [inline] + copy_to_user_iter lib/iov_iter.c:24 [inline] + iterate_ubuf include/linux/iov_iter.h:29 [inline] + iterate_and_advance2 include/linux/iov_iter.h:245 [inline] + iterate_and_advance include/linux/iov_iter.h:271 [inline] + _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 + copy_to_iter include/linux/uio.h:196 [inline] + memcpy_to_msg include/linux/skbuff.h:4113 [inline] + raw_recvmsg+0x2b8/0x9e0 net/can/raw.c:1008 + sock_recvmsg_nosec net/socket.c:1046 [inline] + sock_recvmsg+0x2c4/0x340 net/socket.c:1068 + ____sys_recvmsg+0x18a/0x620 net/socket.c:2803 + ___sys_recvmsg+0x223/0x840 net/socket.c:2845 + do_recvmmsg+0x4fc/0xfd0 net/socket.c:2939 + __sys_recvmmsg net/socket.c:3018 [inline] + __do_sys_recvmmsg net/socket.c:3041 [inline] + __se_sys_recvmmsg net/socket.c:3034 [inline] + __x64_sys_recvmmsg+0x397/0x490 net/socket.c:3034 + x64_sys_call+0xf6c/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:300 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:3804 [inline] + slab_alloc_node mm/slub.c:3845 [inline] + kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 + __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 + alloc_skb include/linux/skbuff.h:1313 [inline] + alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 + sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 + sock_alloc_send_skb include/net/sock.h:1842 [inline] + j1939_sk_alloc_skb net/can/j1939/socket.c:878 [inline] + j1939_sk_send_loop net/can/j1939/socket.c:1142 [inline] + j1939_sk_sendmsg+0xc0a/0x2730 net/can/j1939/socket.c:1277 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg+0x30f/0x380 net/socket.c:745 + ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 + __sys_sendmsg net/socket.c:2667 [inline] + __do_sys_sendmsg net/socket.c:2676 [inline] + __se_sys_sendmsg net/socket.c:2674 [inline] + __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 + x64_sys_call+0xc4b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:47 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Bytes 12-15 of 16 are uninitialized +Memory access of size 16 starts at ffff888120969690 +Data copied to user address 00000000200017c0 + +CPU: 1 PID: 5050 Comm: syz-executor198 Not tainted 6.9.0-rc5-syzkaller-00031-g71b1543c83d6 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 + +Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") +Reported-and-tested-by: syzbot+5681e40d297b30f5b513@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5681e40d297b30f5b513 +Acked-by: Oleksij Rempel +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/all/20240517035953.2617090-1-syoshida@redhat.com +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/main.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/net/can/j1939/main.c ++++ b/net/can/j1939/main.c +@@ -30,10 +30,6 @@ MODULE_ALIAS("can-proto-" __stringify(CA + /* CAN_HDR: #bytes before can_frame data part */ + #define J1939_CAN_HDR (offsetof(struct can_frame, data)) + +-/* CAN_FTR: #bytes beyond data part */ +-#define J1939_CAN_FTR (sizeof(struct can_frame) - J1939_CAN_HDR - \ +- sizeof(((struct can_frame *)0)->data)) +- + /* lowest layer */ + static void j1939_can_recv(struct sk_buff *iskb, void *data) + { +@@ -338,7 +334,7 @@ int j1939_send_one(struct j1939_priv *pr + memset(cf, 0, J1939_CAN_HDR); + + /* make it a full can frame again */ +- skb_put(skb, J1939_CAN_FTR + (8 - dlc)); ++ skb_put_zero(skb, 8 - dlc); + + canid = CAN_EFF_FLAG | + (skcb->priority << 26) | diff --git a/queue-5.4/net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch b/queue-5.4/net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch new file mode 100644 index 00000000000..7a6b3c6dd00 --- /dev/null +++ b/queue-5.4/net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch @@ -0,0 +1,41 @@ +From 9ad1da14ab3bf23087ae45fe399d84a109ddb81a Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Tue, 28 May 2024 09:06:48 +0200 +Subject: net: can: j1939: recover socket queue on CAN bus error during BAM transmission +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oleksij Rempel + +commit 9ad1da14ab3bf23087ae45fe399d84a109ddb81a upstream. + +Addresses an issue where a CAN bus error during a BAM transmission +could stall the socket queue, preventing further transmissions even +after the bus error is resolved. The fix activates the next queued +session after the error recovery, allowing communication to continue. + +Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol") +Cc: stable@vger.kernel.org +Reported-by: Alexander Hölzl +Tested-by: Alexander Hölzl +Signed-off-by: Oleksij Rempel +Link: https://lore.kernel.org/all/20240528070648.1947203-1-o.rempel@pengutronix.de +Cc: stable@vger.kernel.org +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/j1939/transport.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/can/j1939/transport.c ++++ b/net/can/j1939/transport.c +@@ -1662,6 +1662,8 @@ static int j1939_xtp_rx_rts_session_acti + + j1939_session_timers_cancel(session); + j1939_session_cancel(session, J1939_XTP_ABORT_BUSY); ++ if (session->transmission) ++ j1939_session_deactivate_activate_next(session); + + return -EBUSY; + } diff --git a/queue-5.4/series b/queue-5.4/series index f5b782b3813..79374726d4f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -216,3 +216,12 @@ usb-gadget-printer-ss-support.patch usb-musb-da8xx-fix-a-resource-leak-in-probe.patch usb-atm-cxacru-fix-endpoint-checking-in-cxacru_bind.patch serial-imx-set-receiver-level-before-starting-uart.patch +tty-mcf-mcf54418-has-10-uarts.patch +net-can-j1939-initialize-unused-data-in-j1939_send_one.patch +net-can-j1939-recover-socket-queue-on-can-bus-error-during-bam-transmission.patch +net-can-j1939-enhanced-error-handling-for-tightly-received-rts-messages-in-xtp_rx_rts_session_new.patch +sh-rework-sync_file_range-abi.patch +csky-hexagon-fix-broken-sys_sync_file_range.patch +hexagon-fix-fadvise64_64-calling-conventions.patch +drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_ld_modes.patch +drm-nouveau-dispnv04-fix-null-pointer-dereference-in-nv17_tv_get_hd_modes.patch diff --git a/queue-5.4/sh-rework-sync_file_range-abi.patch b/queue-5.4/sh-rework-sync_file_range-abi.patch new file mode 100644 index 00000000000..9cfdd48bde0 --- /dev/null +++ b/queue-5.4/sh-rework-sync_file_range-abi.patch @@ -0,0 +1,72 @@ +From 30766f1105d6d2459c3b9fe34a3e52b637a72950 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Tue, 11 Jun 2024 22:12:43 +0200 +Subject: sh: rework sync_file_range ABI + +From: Arnd Bergmann + +commit 30766f1105d6d2459c3b9fe34a3e52b637a72950 upstream. + +The unusual function calling conventions on SuperH ended up causing +sync_file_range to have the wrong argument order, with the 'flags' +argument getting sorted before 'nbytes' by the compiler. + +In userspace, I found that musl, glibc, uclibc and strace all expect the +normal calling conventions with 'nbytes' last, so changing the kernel +to match them should make all of those work. + +In order to be able to also fix libc implementations to work with existing +kernels, they need to be able to tell which ABI is used. An easy way +to do this is to add yet another system call using the sync_file_range2 +ABI that works the same on all architectures. + +Old user binaries can now work on new kernels, and new binaries can +try the new sync_file_range2() to work with new kernels or fall back +to the old sync_file_range() version if that doesn't exist. + +Cc: stable@vger.kernel.org +Fixes: 75c92acdd5b1 ("sh: Wire up new syscalls.") +Acked-by: John Paul Adrian Glaubitz +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman +--- + arch/sh/kernel/sys_sh32.c | 11 +++++++++++ + arch/sh/kernel/syscalls/syscall.tbl | 3 ++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +--- a/arch/sh/kernel/sys_sh32.c ++++ b/arch/sh/kernel/sys_sh32.c +@@ -59,3 +59,14 @@ asmlinkage int sys_fadvise64_64_wrapper( + (u64)len0 << 32 | len1, advice); + #endif + } ++ ++/* ++ * swap the arguments the way that libc wants them instead of ++ * moving flags ahead of the 64-bit nbytes argument ++ */ ++SYSCALL_DEFINE6(sh_sync_file_range6, int, fd, SC_ARG64(offset), ++ SC_ARG64(nbytes), unsigned int, flags) ++{ ++ return ksys_sync_file_range(fd, SC_VAL64(loff_t, offset), ++ SC_VAL64(loff_t, nbytes), flags); ++} +--- a/arch/sh/kernel/syscalls/syscall.tbl ++++ b/arch/sh/kernel/syscalls/syscall.tbl +@@ -321,7 +321,7 @@ + 311 common set_robust_list sys_set_robust_list + 312 common get_robust_list sys_get_robust_list + 313 common splice sys_splice +-314 common sync_file_range sys_sync_file_range ++314 common sync_file_range sys_sh_sync_file_range6 + 315 common tee sys_tee + 316 common vmsplice sys_vmsplice + 317 common move_pages sys_move_pages +@@ -395,6 +395,7 @@ + 385 common pkey_alloc sys_pkey_alloc + 386 common pkey_free sys_pkey_free + 387 common rseq sys_rseq ++388 common sync_file_range2 sys_sync_file_range2 + # room for arch specific syscalls + 393 common semget sys_semget + 394 common semctl sys_semctl diff --git a/queue-5.4/tty-mcf-mcf54418-has-10-uarts.patch b/queue-5.4/tty-mcf-mcf54418-has-10-uarts.patch new file mode 100644 index 00000000000..03ad384fa79 --- /dev/null +++ b/queue-5.4/tty-mcf-mcf54418-has-10-uarts.patch @@ -0,0 +1,32 @@ +From 7c92a8bd53f24d50c8cf4aba53bb75505b382fed Mon Sep 17 00:00:00 2001 +From: Jean-Michel Hautbois +Date: Thu, 20 Jun 2024 18:29:59 +0200 +Subject: tty: mcf: MCF54418 has 10 UARTS + +From: Jean-Michel Hautbois + +commit 7c92a8bd53f24d50c8cf4aba53bb75505b382fed upstream. + +Most of the colfires have up to 5 UARTs but MCF54418 has up-to 10 ! +Change the maximum value authorized. + +Signed-off-by: Jean-Michel Hautbois +Cc: stable +Fixes: 2545cf6e94b4 ("m68knommu: allow 4 coldfire serial ports") +Link: https://lore.kernel.org/r/20240620-upstream-uart-v1-1-a9d0d95fb19e@yoseli.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/mcf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/mcf.c ++++ b/drivers/tty/serial/mcf.c +@@ -479,7 +479,7 @@ static const struct uart_ops mcf_uart_op + .verify_port = mcf_verify_port, + }; + +-static struct mcf_uart mcf_ports[4]; ++static struct mcf_uart mcf_ports[10]; + + #define MCF_MAXPORTS ARRAY_SIZE(mcf_ports) + -- 2.47.3