From a02898794a992389e9f8bb194f09b1aa84d43671 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 7 Apr 2025 10:02:18 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...-overlarge-ofs-data-block-size-field.patch | 51 +++++ ...e-ofs-sequence-numbers-starting-at-1.patch | 68 ++++++ ...-realtek-always-honor-no_shutup_pins.patch | 55 +++++ ...-add-null-check-in-com20020pci_probe.patch | 67 ++++++ ...count-directly-in-bpf_send_signal_co.patch | 47 +++++ ...istics-use-atomic-access-in-hot-path.patch | 194 ++++++++++++++++++ ...ogic-g12a-fix-mmc-a-peripheral-clock.patch | 45 ++++ ...logic-g12b-fix-cluster-a-parent-data.patch | 105 ++++++++++ ...xbb-drop-incorrect-flag-on-32k-clock.patch | 43 ++++ ...b-drop-non-existing-32k-clock-parent.patch | 62 ++++++ ...328-fix-wrong-clk_ref_usb3otg-parent.patch | 39 ++++ ...ix-number-of-pages-while-using-64k-p.patch | 41 ++++ ...-fix-negative-idle_time-handling-in-.patch | 116 +++++++++++ ..._hdmi-fix-typo-for-aud_sampe_size-me.patch | 66 ++++++ ...-the-dimm-size-mask-for-several-socs.patch | 46 +++++ ...-the-error-path-order-of-ie31200_ini.patch | 68 ++++++ ...-the-size-of-edac_mc_layer_chip_sele.patch | 48 +++++ ...ove-a-variable-assignment-behind-a-n.patch | 52 +++++ ...dev-sm501fb-add-some-geometry-checks.patch | 44 ++++ ...fix-the-comment-above-proc_pid_wchan.patch | 41 ++++ ...re-fix-out-of-bounds-access-for-nct6.patch | 40 ++++ ...ilable-slots-before-posting-receive-.patch | 133 ++++++++++++ ...2-ensure-error-return-on-failure-to-.patch | 61 ++++++ ...-netlink-attributes-when-using-rtext.patch | 87 ++++++++ ...uninit-value-bug-in-do_isofs_readdir.patch | 89 ++++++++ ...lize-elf-lowest-address-to-ulong_max.patch | 71 +++++++ ...ove-error-handling-in-sw842_compress.patch | 44 ++++ ...sable-interrupts-on-rt-in-disable_ir.patch | 82 ++++++++ ...e-use-wake_q-to-wake-up-processes-ou.patch | 150 ++++++++++++++ queue-5.4/mdacon-rework-dependency-list.patch | 47 +++++ ...-to-bit-to-mitigate-integer-overflow.patch | 63 ++++++ ...x-propperly-shutdown-ppu-re-enable-t.patch | 126 ++++++++++++ ...o-remove-overly-strict-queue-asserti.patch | 60 ++++++ ...l-pointer-exception-caused-by-calips.patch | 87 ++++++++ ...ntb-intel-fix-using-link-status-db-s.patch | 37 ++++ ...-fix-shift-out-of-bounds-in-switchte.patch | 45 ++++ ...b8000-prevent-divide-by-zero-in-dib8.patch | 49 +++++ ..._tree_depth-to-avoid-out-of-bounds-a.patch | 56 +++++ ...ix-mbox-intr-handler-when-num-vfs-64.patch | 39 ++++ ...k-state-exit-during-switch-upstream-.patch | 84 ++++++++ ...-enable-hpie-when-resuming-in-poll-m.patch | 49 +++++ ...-disable-pciehp-interrupts-early-whe.patch | 60 ++++++ ...-put_device-in-pci_register_host_bri.patch | 41 ++++ ...k-if-there-is-space-to-copy-all-the-.patch | 68 ++++++ ...ement-the-refcount-of-just-created-e.patch | 52 +++++ ...p-description-of-sample.id-event-mem.patch | 38 ++++ ...-allow-the-epollrdnorm-flag-for-poll.patch | 43 ++++ ...f-units-fix-insufficient-array-space.patch | 46 +++++ ...as-rza2-fix-missing-of_node_put-call.patch | 42 ++++ ...dling-devices-with-direct_complete-s.patch | 91 ++++++++ ...77693-fix-wrong-conversion-of-charge.patch | 46 +++++ ...fix-mlx5_poll_one-cur_qp-update-flow.patch | 91 ++++++++ ...-fix-bytes_dropped-calculation-issue.patch | 41 ++++ ...se-online-cpus-for-validating-runtim.patch | 45 ++++ ...d-smt-always-inline-sched_smt_active.patch | 45 ++++ ...-tool-resolving-errors-in-install_po.patch | 66 ++++++ queue-5.4/series | 66 ++++++ ...s-fix-a-leak-in-spufs_create_context.patch | 39 ++++ ...fix-a-leak-on-spufs_new_file-failure.patch | 40 ++++ ...rmal-int340x-add-null-check-for-adev.patch | 50 +++++ ...out-during-connect-if-the-socket-is-.patch | 62 ++++++ ...-allocate-chained-sg-tables-for-dump.patch | 140 +++++++++++++ ...x-inaccurate-unwinding-from-exceptio.patch | 69 +++++++ ...c-unwinder-for-push_regs-with-save_r.patch | 55 +++++ ...pying-dynamic-fp-state-from-init_tas.patch | 57 +++++ ...a-test-fix-length-for-cpa_array-test.patch | 40 ++++ ...rm-only-allow-config_eisa-for-32-bit.patch | 43 ++++ 67 files changed, 4273 insertions(+) create mode 100644 queue-5.4/affs-don-t-write-overlarge-ofs-data-block-size-field.patch create mode 100644 queue-5.4/affs-generate-ofs-sequence-numbers-starting-at-1.patch create mode 100644 queue-5.4/alsa-hda-realtek-always-honor-no_shutup_pins.patch create mode 100644 queue-5.4/arcnet-add-null-check-in-com20020pci_probe.patch create mode 100644 queue-5.4/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch create mode 100644 queue-5.4/can-statistics-use-atomic-access-in-hot-path.patch create mode 100644 queue-5.4/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch create mode 100644 queue-5.4/clk-amlogic-g12b-fix-cluster-a-parent-data.patch create mode 100644 queue-5.4/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch create mode 100644 queue-5.4/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch create mode 100644 queue-5.4/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch create mode 100644 queue-5.4/coresight-catu-fix-number-of-pages-while-using-64k-p.patch create mode 100644 queue-5.4/cpufreq-governor-fix-negative-idle_time-handling-in-.patch create mode 100644 queue-5.4/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch create mode 100644 queue-5.4/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch create mode 100644 queue-5.4/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch create mode 100644 queue-5.4/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch create mode 100644 queue-5.4/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch create mode 100644 queue-5.4/fbdev-sm501fb-add-some-geometry-checks.patch create mode 100644 queue-5.4/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch create mode 100644 queue-5.4/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch create mode 100644 queue-5.4/ib-mad-check-available-slots-before-posting-receive-.patch create mode 100644 queue-5.4/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch create mode 100644 queue-5.4/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch create mode 100644 queue-5.4/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch create mode 100644 queue-5.4/kexec-initialize-elf-lowest-address-to-ulong_max.patch create mode 100644 queue-5.4/lib-842-improve-error-handling-in-sw842_compress.patch create mode 100644 queue-5.4/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch create mode 100644 queue-5.4/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch create mode 100644 queue-5.4/mdacon-rework-dependency-list.patch create mode 100644 queue-5.4/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch create mode 100644 queue-5.4/net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch create mode 100644 queue-5.4/net_sched-skbprio-remove-overly-strict-queue-asserti.patch create mode 100644 queue-5.4/netlabel-fix-null-pointer-exception-caused-by-calips.patch create mode 100644 queue-5.4/ntb-intel-fix-using-link-status-db-s.patch create mode 100644 queue-5.4/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch create mode 100644 queue-5.4/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch create mode 100644 queue-5.4/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch create mode 100644 queue-5.4/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch create mode 100644 queue-5.4/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch create mode 100644 queue-5.4/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch create mode 100644 queue-5.4/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch create mode 100644 queue-5.4/pci-remove-stray-put_device-in-pci_register_host_bri.patch create mode 100644 queue-5.4/perf-python-check-if-there-is-space-to-copy-all-the-.patch create mode 100644 queue-5.4/perf-python-decrement-the-refcount-of-just-created-e.patch create mode 100644 queue-5.4/perf-python-fixup-description-of-sample.id-event-mem.patch create mode 100644 queue-5.4/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch create mode 100644 queue-5.4/perf-units-fix-insufficient-array-space.patch create mode 100644 queue-5.4/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch create mode 100644 queue-5.4/pm-sleep-fix-handling-devices-with-direct_complete-s.patch create mode 100644 queue-5.4/power-supply-max77693-fix-wrong-conversion-of-charge.patch create mode 100644 queue-5.4/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch create mode 100644 queue-5.4/ring-buffer-fix-bytes_dropped-calculation-issue.patch create mode 100644 queue-5.4/sched-deadline-use-online-cpus-for-validating-runtim.patch create mode 100644 queue-5.4/sched-smt-always-inline-sched_smt_active.patch create mode 100644 queue-5.4/selinux-chain-up-tool-resolving-errors-in-install_po.patch create mode 100644 queue-5.4/spufs-fix-a-leak-in-spufs_create_context.patch create mode 100644 queue-5.4/spufs-fix-a-leak-on-spufs_new_file-failure.patch create mode 100644 queue-5.4/thermal-int340x-add-null-check-for-adev.patch create mode 100644 queue-5.4/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch create mode 100644 queue-5.4/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch create mode 100644 queue-5.4/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch create mode 100644 queue-5.4/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch create mode 100644 queue-5.4/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch create mode 100644 queue-5.4/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch create mode 100644 queue-5.4/x86-platform-only-allow-config_eisa-for-32-bit.patch diff --git a/queue-5.4/affs-don-t-write-overlarge-ofs-data-block-size-field.patch b/queue-5.4/affs-don-t-write-overlarge-ofs-data-block-size-field.patch new file mode 100644 index 0000000000..b86144d5f8 --- /dev/null +++ b/queue-5.4/affs-don-t-write-overlarge-ofs-data-block-size-field.patch @@ -0,0 +1,51 @@ +From ea0a62b09e5b890f2aa0ba8ed3c5097378f880ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 08:14:44 +0000 +Subject: affs: don't write overlarge OFS data block size fields + +From: Simon Tatham + +[ Upstream commit 011ea742a25a77bac3d995f457886a67d178c6f0 ] + +If a data sector on an OFS floppy contains a value > 0x1e8 (the +largest amount of data that fits in the sector after its header), then +an Amiga reading the file can return corrupt data, by taking the +overlarge size at its word and reading past the end of the buffer it +read the disk sector into! + +The cause: when affs_write_end_ofs() writes data to an OFS filesystem, +the new size field for a data block was computed by adding the amount +of data currently being written (into the block) to the existing value +of the size field. This is correct if you're extending the file at the +end, but if you seek backwards in the file and overwrite _existing_ +data, it can lead to the size field being larger than the maximum +legal value. + +This commit changes the calculation so that it sets the size field to +the max of its previous size and the position within the block that we +just wrote up to. + +Signed-off-by: Simon Tatham +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index 6dae4ca09be5f..199b92f6a9941 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -724,7 +724,8 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + tmp = min(bsize - boff, to - from); + BUG_ON(boff + tmp > bsize || tmp > bsize); + memcpy(AFFS_DATA(bh) + boff, data + from, tmp); +- be32_add_cpu(&AFFS_DATA_HEAD(bh)->size, tmp); ++ AFFS_DATA_HEAD(bh)->size = cpu_to_be32( ++ max(boff + tmp, be32_to_cpu(AFFS_DATA_HEAD(bh)->size))); + affs_fix_checksum(sb, bh); + mark_buffer_dirty_inode(bh, inode); + written += tmp; +-- +2.39.5 + diff --git a/queue-5.4/affs-generate-ofs-sequence-numbers-starting-at-1.patch b/queue-5.4/affs-generate-ofs-sequence-numbers-starting-at-1.patch new file mode 100644 index 0000000000..245cf33f32 --- /dev/null +++ b/queue-5.4/affs-generate-ofs-sequence-numbers-starting-at-1.patch @@ -0,0 +1,68 @@ +From 69dfcf6f6ee75ced7aebfb60d39b4d3baeb371c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 08:14:43 +0000 +Subject: affs: generate OFS sequence numbers starting at 1 + +From: Simon Tatham + +[ Upstream commit e4cf8ec4de4e13f156c1d61977d282d90c221085 ] + +If I write a file to an OFS floppy image, and try to read it back on +an emulated Amiga running Workbench 1.3, the Amiga reports a disk +error trying to read the file. (That is, it's unable to read it _at +all_, even to copy it to the NIL: device. It isn't a matter of getting +the wrong data and being unable to parse the file format.) + +This is because the 'sequence number' field in the OFS data block +header is supposed to be based at 1, but affs writes it based at 0. +All three locations changed by this patch were setting the sequence +number to a variable 'bidx' which was previously obtained by dividing +a file position by bsize, so bidx will naturally use 0 for the first +block. Therefore all three should add 1 to that value before writing +it into the sequence number field. + +With this change, the Amiga successfully reads the file. + +For data block reference: https://wiki.osdev.org/FFS_(Amiga) + +Signed-off-by: Simon Tatham +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index 82bb38370aa9a..6dae4ca09be5f 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -596,7 +596,7 @@ affs_extent_file_ofs(struct inode *inode, u32 newsize) + BUG_ON(tmp > bsize); + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp); + affs_fix_checksum(sb, bh); + bh->b_state &= ~(1UL << BH_New); +@@ -746,7 +746,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + if (buffer_new(bh)) { + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(bsize); + AFFS_DATA_HEAD(bh)->next = 0; + bh->b_state &= ~(1UL << BH_New); +@@ -780,7 +780,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping, + if (buffer_new(bh)) { + AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA); + AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino); +- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx); ++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1); + AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp); + AFFS_DATA_HEAD(bh)->next = 0; + bh->b_state &= ~(1UL << BH_New); +-- +2.39.5 + diff --git a/queue-5.4/alsa-hda-realtek-always-honor-no_shutup_pins.patch b/queue-5.4/alsa-hda-realtek-always-honor-no_shutup_pins.patch new file mode 100644 index 0000000000..7579b79732 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-always-honor-no_shutup_pins.patch @@ -0,0 +1,55 @@ +From abd81854532c4e1667e92f63ffc0034e821f9f5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 Mar 2025 15:30:19 +0100 +Subject: ALSA: hda/realtek: Always honor no_shutup_pins + +From: Takashi Iwai + +[ Upstream commit 5a0c72c1da3cbc0cd4940a95d1be2830104c6edf ] + +The workaround for Dell machines to skip the pin-shutup for mic pins +introduced alc_headset_mic_no_shutup() that is replaced from the +generic snd_hda_shutup_pins() for certain codecs. The problem is that +the call is done unconditionally even if spec->no_shutup_pins is set. +This seems causing problems on other platforms like Lenovo. + +This patch corrects the behavior and the driver honors always +spec->no_shutup_pins flag and skips alc_headset_mic_no_shutup() if +it's set. + +Fixes: dad3197da7a3 ("ALSA: hda/realtek - Fixup headphone noise via runtime suspend") +Reported-and-tested-by: Oleg Gorobets +Link: https://patch.msgid.link/20250315143020.27184-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 93bb7c5922e78..2e7b45f5f8b18 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -519,6 +519,9 @@ static void alc_shutup_pins(struct hda_codec *codec) + { + struct alc_spec *spec = codec->spec; + ++ if (spec->no_shutup_pins) ++ return; ++ + switch (codec->core.vendor_id) { + case 0x10ec0236: + case 0x10ec0256: +@@ -534,8 +537,7 @@ static void alc_shutup_pins(struct hda_codec *codec) + alc_headset_mic_no_shutup(codec); + break; + default: +- if (!spec->no_shutup_pins) +- snd_hda_shutup_pins(codec); ++ snd_hda_shutup_pins(codec); + break; + } + } +-- +2.39.5 + diff --git a/queue-5.4/arcnet-add-null-check-in-com20020pci_probe.patch b/queue-5.4/arcnet-add-null-check-in-com20020pci_probe.patch new file mode 100644 index 0000000000..d726190cdc --- /dev/null +++ b/queue-5.4/arcnet-add-null-check-in-com20020pci_probe.patch @@ -0,0 +1,67 @@ +From be8e7e3f3536a86dd7f69f0e2adfc8ee4056c6db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 21:50:36 +0800 +Subject: arcnet: Add NULL check in com20020pci_probe() + +From: Henry Martin + +[ Upstream commit fda8c491db2a90ff3e6fbbae58e495b4ddddeca3 ] + +devm_kasprintf() returns NULL when memory allocation fails. Currently, +com20020pci_probe() does not check for this case, which results in a +NULL pointer dereference. + +Add NULL check after devm_kasprintf() to prevent this issue and ensure +no resources are left allocated. + +Fixes: 6b17a597fc2f ("arcnet: restoring support for multiple Sohard Arcnet cards") +Signed-off-by: Henry Martin +Link: https://patch.msgid.link/20250402135036.44697-1-bsdhenrymartin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/arcnet/com20020-pci.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c +index 9d9e4200064f9..00a80f0adece4 100644 +--- a/drivers/net/arcnet/com20020-pci.c ++++ b/drivers/net/arcnet/com20020-pci.c +@@ -250,18 +250,33 @@ static int com20020pci_probe(struct pci_dev *pdev, + card->tx_led.default_trigger = devm_kasprintf(&pdev->dev, + GFP_KERNEL, "arc%d-%d-tx", + dev->dev_id, i); ++ if (!card->tx_led.default_trigger) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->tx_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "pci:green:tx:%d-%d", + dev->dev_id, i); +- ++ if (!card->tx_led.name) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->tx_led.dev = &dev->dev; + card->recon_led.brightness_set = led_recon_set; + card->recon_led.default_trigger = devm_kasprintf(&pdev->dev, + GFP_KERNEL, "arc%d-%d-recon", + dev->dev_id, i); ++ if (!card->recon_led.default_trigger) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->recon_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL, + "pci:red:recon:%d-%d", + dev->dev_id, i); ++ if (!card->recon_led.name) { ++ ret = -ENOMEM; ++ goto err_free_arcdev; ++ } + card->recon_led.dev = &dev->dev; + + ret = devm_led_classdev_register(&pdev->dev, &card->tx_led); +-- +2.39.5 + diff --git a/queue-5.4/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch b/queue-5.4/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch new file mode 100644 index 0000000000..0357b44549 --- /dev/null +++ b/queue-5.4/bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch @@ -0,0 +1,47 @@ +From b14afa2260c094067d1596cb0c9330d920e1ee9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2025 12:22:59 +0800 +Subject: bpf: Use preempt_count() directly in bpf_send_signal_common() + +From: Hou Tao + +[ Upstream commit b4a8b5bba712a711d8ca1f7d04646db63f9c88f5 ] + +bpf_send_signal_common() uses preemptible() to check whether or not the +current context is preemptible. If it is preemptible, it will use +irq_work to send the signal asynchronously instead of trying to hold a +spin-lock, because spin-lock is sleepable under PREEMPT_RT. + +However, preemptible() depends on CONFIG_PREEMPT_COUNT. When +CONFIG_PREEMPT_COUNT is turned off (e.g., CONFIG_PREEMPT_VOLUNTARY=y), +!preemptible() will be evaluated as 1 and bpf_send_signal_common() will +use irq_work unconditionally. + +Fix it by unfolding "!preemptible()" and using "preempt_count() != 0 || +irqs_disabled()" instead. + +Fixes: 87c544108b61 ("bpf: Send signals asynchronously if !preemptible") +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20250220042259.1583319-1-houtao@huaweicloud.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index ac3125d0c73f1..75ea2ab532134 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -653,7 +653,7 @@ BPF_CALL_1(bpf_send_signal, u32, sig) + if (unlikely(is_global_init(current))) + return -EPERM; + +- if (!preemptible()) { ++ if (preempt_count() != 0 || irqs_disabled()) { + /* Do an early check on signal validity. Otherwise, + * the error is lost in deferred irq_work. + */ +-- +2.39.5 + diff --git a/queue-5.4/can-statistics-use-atomic-access-in-hot-path.patch b/queue-5.4/can-statistics-use-atomic-access-in-hot-path.patch new file mode 100644 index 0000000000..e8a2174c3b --- /dev/null +++ b/queue-5.4/can-statistics-use-atomic-access-in-hot-path.patch @@ -0,0 +1,194 @@ +From 7caabbe8ef34b2d86f80beb58e950091ce2017a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 15:33:53 +0100 +Subject: can: statistics: use atomic access in hot path + +From: Oliver Hartkopp + +[ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ] + +In can_send() and can_receive() CAN messages and CAN filter matches are +counted to be visible in the CAN procfs files. + +KCSAN detected a data race within can_send() when two CAN frames have +been generated by a timer event writing to the same CAN netdevice at the +same time. Use atomic operations to access the statistics in the hot path +to fix the KCSAN complaint. + +Reported-by: syzbot+78ce4489b812515d5e4d@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com +Signed-off-by: Oliver Hartkopp +Reviewed-by: Vincent Mailhol +Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/af_can.c | 12 ++++++------ + net/can/af_can.h | 12 ++++++------ + net/can/proc.c | 46 +++++++++++++++++++++++++++------------------- + 3 files changed, 39 insertions(+), 31 deletions(-) + +diff --git a/net/can/af_can.c b/net/can/af_can.c +index bc06016a4fe90..d2fd12da30c60 100644 +--- a/net/can/af_can.c ++++ b/net/can/af_can.c +@@ -288,8 +288,8 @@ int can_send(struct sk_buff *skb, int loop) + netif_rx_ni(newskb); + + /* update statistics */ +- pkg_stats->tx_frames++; +- pkg_stats->tx_frames_delta++; ++ atomic_long_inc(&pkg_stats->tx_frames); ++ atomic_long_inc(&pkg_stats->tx_frames_delta); + + return 0; + +@@ -647,8 +647,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) + int matches; + + /* update statistics */ +- pkg_stats->rx_frames++; +- pkg_stats->rx_frames_delta++; ++ atomic_long_inc(&pkg_stats->rx_frames); ++ atomic_long_inc(&pkg_stats->rx_frames_delta); + + /* create non-zero unique skb identifier together with *skb */ + while (!(can_skb_prv(skb)->skbcnt)) +@@ -669,8 +669,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev) + consume_skb(skb); + + if (matches > 0) { +- pkg_stats->matches++; +- pkg_stats->matches_delta++; ++ atomic_long_inc(&pkg_stats->matches); ++ atomic_long_inc(&pkg_stats->matches_delta); + } + } + +diff --git a/net/can/af_can.h b/net/can/af_can.h +index 7c2d9161e2245..22f3352c77fec 100644 +--- a/net/can/af_can.h ++++ b/net/can/af_can.h +@@ -66,9 +66,9 @@ struct receiver { + struct can_pkg_stats { + unsigned long jiffies_init; + +- unsigned long rx_frames; +- unsigned long tx_frames; +- unsigned long matches; ++ atomic_long_t rx_frames; ++ atomic_long_t tx_frames; ++ atomic_long_t matches; + + unsigned long total_rx_rate; + unsigned long total_tx_rate; +@@ -82,9 +82,9 @@ struct can_pkg_stats { + unsigned long max_tx_rate; + unsigned long max_rx_match_ratio; + +- unsigned long rx_frames_delta; +- unsigned long tx_frames_delta; +- unsigned long matches_delta; ++ atomic_long_t rx_frames_delta; ++ atomic_long_t tx_frames_delta; ++ atomic_long_t matches_delta; + }; + + /* persistent statistics */ +diff --git a/net/can/proc.c b/net/can/proc.c +index a5fc63c78370e..ea442ddd4fd9d 100644 +--- a/net/can/proc.c ++++ b/net/can/proc.c +@@ -123,6 +123,13 @@ void can_stat_update(struct timer_list *t) + struct can_pkg_stats *pkg_stats = net->can.pkg_stats; + unsigned long j = jiffies; /* snapshot */ + ++ long rx_frames = atomic_long_read(&pkg_stats->rx_frames); ++ long tx_frames = atomic_long_read(&pkg_stats->tx_frames); ++ long matches = atomic_long_read(&pkg_stats->matches); ++ long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta); ++ long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta); ++ long matches_delta = atomic_long_read(&pkg_stats->matches_delta); ++ + /* restart counting in timer context on user request */ + if (user_reset) + can_init_stats(net); +@@ -132,35 +139,33 @@ void can_stat_update(struct timer_list *t) + can_init_stats(net); + + /* prevent overflow in calc_rate() */ +- if (pkg_stats->rx_frames > (ULONG_MAX / HZ)) ++ if (rx_frames > (LONG_MAX / HZ)) + can_init_stats(net); + + /* prevent overflow in calc_rate() */ +- if (pkg_stats->tx_frames > (ULONG_MAX / HZ)) ++ if (tx_frames > (LONG_MAX / HZ)) + can_init_stats(net); + + /* matches overflow - very improbable */ +- if (pkg_stats->matches > (ULONG_MAX / 100)) ++ if (matches > (LONG_MAX / 100)) + can_init_stats(net); + + /* calc total values */ +- if (pkg_stats->rx_frames) +- pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) / +- pkg_stats->rx_frames; ++ if (rx_frames) ++ pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames; + + pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j, +- pkg_stats->tx_frames); ++ tx_frames); + pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j, +- pkg_stats->rx_frames); ++ rx_frames); + + /* calc current values */ +- if (pkg_stats->rx_frames_delta) ++ if (rx_frames_delta) + pkg_stats->current_rx_match_ratio = +- (pkg_stats->matches_delta * 100) / +- pkg_stats->rx_frames_delta; ++ (matches_delta * 100) / rx_frames_delta; + +- pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta); +- pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta); ++ pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta); ++ pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta); + + /* check / update maximum values */ + if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate) +@@ -173,9 +178,9 @@ void can_stat_update(struct timer_list *t) + pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio; + + /* clear values for 'current rate' calculation */ +- pkg_stats->tx_frames_delta = 0; +- pkg_stats->rx_frames_delta = 0; +- pkg_stats->matches_delta = 0; ++ atomic_long_set(&pkg_stats->tx_frames_delta, 0); ++ atomic_long_set(&pkg_stats->rx_frames_delta, 0); ++ atomic_long_set(&pkg_stats->matches_delta, 0); + + /* restart timer (one second) */ + mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ)); +@@ -217,9 +222,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v) + struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats; + + seq_putc(m, '\n'); +- seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames); +- seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames); +- seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches); ++ seq_printf(m, " %8ld transmitted frames (TXF)\n", ++ atomic_long_read(&pkg_stats->tx_frames)); ++ seq_printf(m, " %8ld received frames (RXF)\n", ++ atomic_long_read(&pkg_stats->rx_frames)); ++ seq_printf(m, " %8ld matched frames (RXMF)\n", ++ atomic_long_read(&pkg_stats->matches)); + + seq_putc(m, '\n'); + +-- +2.39.5 + diff --git a/queue-5.4/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch b/queue-5.4/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch new file mode 100644 index 0000000000..959804988d --- /dev/null +++ b/queue-5.4/clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch @@ -0,0 +1,45 @@ +From 3643f14580583e99a1347c53e136a9c33384dcb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 11:03:23 +0100 +Subject: clk: amlogic: g12a: fix mmc A peripheral clock + +From: Jerome Brunet + +[ Upstream commit 0079e77c08de692cb20b38e408365c830a44b1ef ] + +The bit index of the peripheral clock for mmc A is wrong +This was probably not a problem for mmc A as the peripheral is likely left +enabled by the bootloader. + +No issues has been reported so far but it could be a problem, most likely +some form of conflict between the ethernet and mmc A clock, breaking +ethernet on init. + +Use the value provided by the documentation for mmc A before this +becomes an actual problem. + +Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-mmca-fix-v1-1-5af421f58b64@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/g12a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c +index 9bf1744657e6b..4400e73d4c930 100644 +--- a/drivers/clk/meson/g12a.c ++++ b/drivers/clk/meson/g12a.c +@@ -3910,7 +3910,7 @@ static MESON_GATE(g12a_spicc_1, HHI_GCLK_MPEG0, 14); + static MESON_GATE(g12a_hiu_reg, HHI_GCLK_MPEG0, 19); + static MESON_GATE(g12a_mipi_dsi_phy, HHI_GCLK_MPEG0, 20); + static MESON_GATE(g12a_assist_misc, HHI_GCLK_MPEG0, 23); +-static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 4); ++static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 24); + static MESON_GATE(g12a_emmc_b, HHI_GCLK_MPEG0, 25); + static MESON_GATE(g12a_emmc_c, HHI_GCLK_MPEG0, 26); + static MESON_GATE(g12a_audio_codec, HHI_GCLK_MPEG0, 28); +-- +2.39.5 + diff --git a/queue-5.4/clk-amlogic-g12b-fix-cluster-a-parent-data.patch b/queue-5.4/clk-amlogic-g12b-fix-cluster-a-parent-data.patch new file mode 100644 index 0000000000..8a4b3799ba --- /dev/null +++ b/queue-5.4/clk-amlogic-g12b-fix-cluster-a-parent-data.patch @@ -0,0 +1,105 @@ +From 0ecb98b0af59a46530d98e24a80c12e3a403a42e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Dec 2024 15:30:17 +0100 +Subject: clk: amlogic: g12b: fix cluster A parent data + +From: Jerome Brunet + +[ Upstream commit 8995f8f108c3ac5ad52b12a6cfbbc7b3b32e9a58 ] + +Several clocks used by both g12a and g12b use the g12a cpu A clock hw +pointer as clock parent. This is incorrect on g12b since the parents of +cluster A cpu clock are different. Also the hw clock provided as parent to +these children is not even registered clock on g12b. + +Fix the problem by reverting to the global namespace and let CCF pick +the appropriate, as it is already done for other clocks, such as +cpu_clk_trace_div. + +Fixes: 25e682a02d91 ("clk: meson: g12a: migrate to the new parent description method") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-cpua-parent-fix-v1-1-d8c0f41865fe@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/g12a.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c +index a55b22ebf103c..9bf1744657e6b 100644 +--- a/drivers/clk/meson/g12a.c ++++ b/drivers/clk/meson/g12a.c +@@ -1135,8 +1135,18 @@ static struct clk_regmap g12a_cpu_clk_div16_en = { + .hw.init = &(struct clk_init_data) { + .name = "cpu_clk_div16_en", + .ops = &clk_regmap_gate_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { +- &g12a_cpu_clk.hw ++ .parent_data = &(const struct clk_parent_data) { ++ /* ++ * Note: ++ * G12A and G12B have different cpu clocks (with ++ * different struct clk_hw). We fallback to the global ++ * naming string mechanism so this clock picks ++ * up the appropriate one. Same goes for the other ++ * clock using cpu cluster A clock output and present ++ * on both G12 variant. ++ */ ++ .name = "cpu_clk", ++ .index = -1, + }, + .num_parents = 1, + /* +@@ -1201,7 +1211,10 @@ static struct clk_regmap g12a_cpu_clk_apb_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_apb_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1235,7 +1248,10 @@ static struct clk_regmap g12a_cpu_clk_atb_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_atb_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1269,7 +1285,10 @@ static struct clk_regmap g12a_cpu_clk_axi_div = { + .hw.init = &(struct clk_init_data){ + .name = "cpu_clk_axi_div", + .ops = &clk_regmap_divider_ro_ops, +- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw }, ++ .parent_data = &(const struct clk_parent_data) { ++ .name = "cpu_clk", ++ .index = -1, ++ }, + .num_parents = 1, + }, + }; +@@ -1304,13 +1323,6 @@ static struct clk_regmap g12a_cpu_clk_trace_div = { + .name = "cpu_clk_trace_div", + .ops = &clk_regmap_divider_ro_ops, + .parent_data = &(const struct clk_parent_data) { +- /* +- * Note: +- * G12A and G12B have different cpu_clks (with +- * different struct clk_hw). We fallback to the global +- * naming string mechanism so cpu_clk_trace_div picks +- * up the appropriate one. +- */ + .name = "cpu_clk", + .index = -1, + }, +-- +2.39.5 + diff --git a/queue-5.4/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch b/queue-5.4/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch new file mode 100644 index 0000000000..42118d54e4 --- /dev/null +++ b/queue-5.4/clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch @@ -0,0 +1,43 @@ +From 2e9f563c154c5b876caaff6360be04e5270e6553 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 11:25:36 +0100 +Subject: clk: amlogic: gxbb: drop incorrect flag on 32k clock + +From: Jerome Brunet + +[ Upstream commit f38f7fe4830c5cb4eac138249225f119e7939965 ] + +gxbb_32k_clk_div sets CLK_DIVIDER_ROUND_CLOSEST in the init_data flag which +is incorrect. This is field is not where the divider flags belong. + +Thankfully, CLK_DIVIDER_ROUND_CLOSEST maps to bit 4 which is an unused +clock flag, so there is no unintended consequence to this error. + +Effectively, the clock has been used without CLK_DIVIDER_ROUND_CLOSEST +so far, so just drop it. + +Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-1-baca56ecf2db@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/gxbb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c +index e8e36ec70b27f..f37b763f7c48b 100644 +--- a/drivers/clk/meson/gxbb.c ++++ b/drivers/clk/meson/gxbb.c +@@ -1305,7 +1305,7 @@ static struct clk_regmap gxbb_32k_clk_div = { + &gxbb_32k_clk_sel.hw + }, + .num_parents = 1, +- .flags = CLK_SET_RATE_PARENT | CLK_DIVIDER_ROUND_CLOSEST, ++ .flags = CLK_SET_RATE_PARENT, + }, + }; + +-- +2.39.5 + diff --git a/queue-5.4/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch b/queue-5.4/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch new file mode 100644 index 0000000000..974cb71764 --- /dev/null +++ b/queue-5.4/clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch @@ -0,0 +1,62 @@ +From dceeba17f2b8b54b95cd60740b472a44e0806df1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Dec 2024 11:25:37 +0100 +Subject: clk: amlogic: gxbb: drop non existing 32k clock parent + +From: Jerome Brunet + +[ Upstream commit 7915d7d5407c026fa9343befb4d3343f7a345f97 ] + +The 32k clock reference a parent 'cts_slow_oscin' with a fixme note saying +that this clock should be provided by AO controller. + +The HW probably has this clock but it does not exist at the moment in +any controller implementation. Furthermore, referencing clock by the global +name should be avoided whenever possible. + +There is no reason to keep this hack around, at least for now. + +Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC") +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-2-baca56ecf2db@baylibre.com +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/gxbb.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c +index f37b763f7c48b..c541fb085351f 100644 +--- a/drivers/clk/meson/gxbb.c ++++ b/drivers/clk/meson/gxbb.c +@@ -1265,14 +1265,13 @@ static struct clk_regmap gxbb_cts_i958 = { + }, + }; + ++/* ++ * This table skips a clock named 'cts_slow_oscin' in the documentation ++ * This clock does not exist yet in this controller or the AO one ++ */ ++static u32 gxbb_32k_clk_parents_val_table[] = { 0, 2, 3 }; + static const struct clk_parent_data gxbb_32k_clk_parent_data[] = { + { .fw_name = "xtal", }, +- /* +- * FIXME: This clock is provided by the ao clock controller but the +- * clock is not yet part of the binding of this controller, so string +- * name must be use to set this parent. +- */ +- { .name = "cts_slow_oscin", .index = -1 }, + { .hw = &gxbb_fclk_div3.hw }, + { .hw = &gxbb_fclk_div5.hw }, + }; +@@ -1282,6 +1281,7 @@ static struct clk_regmap gxbb_32k_clk_sel = { + .offset = HHI_32K_CLK_CNTL, + .mask = 0x3, + .shift = 16, ++ .table = gxbb_32k_clk_parents_val_table, + }, + .hw.init = &(struct clk_init_data){ + .name = "32k_clk_sel", +-- +2.39.5 + diff --git a/queue-5.4/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch b/queue-5.4/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch new file mode 100644 index 0000000000..cd46a97b66 --- /dev/null +++ b/queue-5.4/clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch @@ -0,0 +1,39 @@ +From 2a85238d3af78c1567cf65af0acf83d67078b3e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 01:26:22 +0000 +Subject: clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent + +From: Peter Geis + +[ Upstream commit a9e60f1ffe1ca57d6af6a2573e2f950e76efbf5b ] + +Correct the clk_ref_usb3otg parent to fix clock control for the usb3 +controller on rk3328. Verified against the rk3328 trm, the rk3228h trm, +and the rk3328 usb3 phy clock map. + +Fixes: fe3511ad8a1c ("clk: rockchip: add clock controller for rk3328") +Signed-off-by: Peter Geis +Reviewed-by: Dragan Simic +Link: https://lore.kernel.org/r/20250115012628.1035928-2-pgwipeout@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-rk3328.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c +index c186a1985bf4e..e9b471a623b55 100644 +--- a/drivers/clk/rockchip/clk-rk3328.c ++++ b/drivers/clk/rockchip/clk-rk3328.c +@@ -200,7 +200,7 @@ PNAME(mux_aclk_peri_pre_p) = { "cpll_peri", + "gpll_peri", + "hdmiphy_peri" }; + PNAME(mux_ref_usb3otg_src_p) = { "xin24m", +- "clk_usb3otg_ref" }; ++ "clk_ref_usb3otg_src" }; + PNAME(mux_xin24m_32k_p) = { "xin24m", + "clk_rtc32k" }; + PNAME(mux_mac2io_src_p) = { "clk_mac2io_src", +-- +2.39.5 + diff --git a/queue-5.4/coresight-catu-fix-number-of-pages-while-using-64k-p.patch b/queue-5.4/coresight-catu-fix-number-of-pages-while-using-64k-p.patch new file mode 100644 index 0000000000..39c61be993 --- /dev/null +++ b/queue-5.4/coresight-catu-fix-number-of-pages-while-using-64k-p.patch @@ -0,0 +1,41 @@ +From 860775e31e559f4aa85b6c555ae25e443eb72b22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jan 2025 21:53:48 +0000 +Subject: coresight: catu: Fix number of pages while using 64k pages + +From: Ilkka Koskinen + +[ Upstream commit 0e14e062f5ff98aa15264dfa87c5f5e924028561 ] + +Trying to record a trace on kernel with 64k pages resulted in -ENOMEM. +This happens due to a bug in calculating the number of table pages, which +returns zero. Fix the issue by rounding up. + +$ perf record --kcore -e cs_etm/@tmc_etr55,cycacc,branch_broadcast/k --per-thread taskset --cpu-list 1 dd if=/dev/zero of=/dev/null +failed to mmap with 12 (Cannot allocate memory) + +Fixes: 8ed536b1e283 ("coresight: catu: Add support for scatter gather tables") +Signed-off-by: Ilkka Koskinen +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/20250109215348.5483-1-ilkka@os.amperecomputing.com +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/coresight-catu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c +index 16ebf38a9f664..da205738e8c96 100644 +--- a/drivers/hwtracing/coresight/coresight-catu.c ++++ b/drivers/hwtracing/coresight/coresight-catu.c +@@ -267,7 +267,7 @@ catu_init_sg_table(struct device *catu_dev, int node, + * Each table can address upto 1MB and we can have + * CATU_PAGES_PER_SYSPAGE tables in a system page. + */ +- nr_tpages = DIV_ROUND_UP(size, SZ_1M) / CATU_PAGES_PER_SYSPAGE; ++ nr_tpages = DIV_ROUND_UP(size, CATU_PAGES_PER_SYSPAGE * SZ_1M); + catu_table = tmc_alloc_sg_table(catu_dev, node, nr_tpages, + size >> PAGE_SHIFT, pages); + if (IS_ERR(catu_table)) +-- +2.39.5 + diff --git a/queue-5.4/cpufreq-governor-fix-negative-idle_time-handling-in-.patch b/queue-5.4/cpufreq-governor-fix-negative-idle_time-handling-in-.patch new file mode 100644 index 0000000000..c3c155da25 --- /dev/null +++ b/queue-5.4/cpufreq-governor-fix-negative-idle_time-handling-in-.patch @@ -0,0 +1,116 @@ +From dbacde8e47d4045153a5f61ca3b21abef5730c9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Feb 2025 11:55:10 +0800 +Subject: cpufreq: governor: Fix negative 'idle_time' handling in dbs_update() + +From: Jie Zhan + +[ Upstream commit 3698dd6b139dc37b35a9ad83d9330c1f99666c02 ] + +We observed an issue that the CPU frequency can't raise up with a 100% CPU +load when NOHZ is off and the 'conservative' governor is selected. + +'idle_time' can be negative if it's obtained from get_cpu_idle_time_jiffy() +when NOHZ is off. This was found and explained in commit 9485e4ca0b48 +("cpufreq: governor: Fix handling of special cases in dbs_update()"). + +However, commit 7592019634f8 ("cpufreq: governors: Fix long idle detection +logic in load calculation") introduced a comparison between 'idle_time' and +'samling_rate' to detect a long idle interval. While 'idle_time' is +converted to int before comparison, it's actually promoted to unsigned +again when compared with an unsigned 'sampling_rate'. Hence, this leads to +wrong idle interval detection when it's in fact 100% busy and sets +policy_dbs->idle_periods to a very large value. 'conservative' adjusts the +frequency to minimum because of the large 'idle_periods', such that the +frequency can't raise up. 'Ondemand' doesn't use policy_dbs->idle_periods +so it fortunately avoids the issue. + +Correct negative 'idle_time' to 0 before any use of it in dbs_update(). + +Fixes: 7592019634f8 ("cpufreq: governors: Fix long idle detection logic in load calculation") +Signed-off-by: Jie Zhan +Reviewed-by: Chen Yu +Link: https://patch.msgid.link/20250213035510.2402076-1-zhanjie9@hisilicon.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq_governor.c | 45 +++++++++++++++--------------- + 1 file changed, 23 insertions(+), 22 deletions(-) + +diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c +index 4bb054d0cb432..01d19d9ac0fe8 100644 +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -145,7 +145,23 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + time_elapsed = update_time - j_cdbs->prev_update_time; + j_cdbs->prev_update_time = update_time; + +- idle_time = cur_idle_time - j_cdbs->prev_cpu_idle; ++ /* ++ * cur_idle_time could be smaller than j_cdbs->prev_cpu_idle if ++ * it's obtained from get_cpu_idle_time_jiffy() when NOHZ is ++ * off, where idle_time is calculated by the difference between ++ * time elapsed in jiffies and "busy time" obtained from CPU ++ * statistics. If a CPU is 100% busy, the time elapsed and busy ++ * time should grow with the same amount in two consecutive ++ * samples, but in practice there could be a tiny difference, ++ * making the accumulated idle time decrease sometimes. Hence, ++ * in this case, idle_time should be regarded as 0 in order to ++ * make the further process correct. ++ */ ++ if (cur_idle_time > j_cdbs->prev_cpu_idle) ++ idle_time = cur_idle_time - j_cdbs->prev_cpu_idle; ++ else ++ idle_time = 0; ++ + j_cdbs->prev_cpu_idle = cur_idle_time; + + if (ignore_nice) { +@@ -162,7 +178,7 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + * calls, so the previous load value can be used then. + */ + load = j_cdbs->prev_load; +- } else if (unlikely((int)idle_time > 2 * sampling_rate && ++ } else if (unlikely(idle_time > 2 * sampling_rate && + j_cdbs->prev_load)) { + /* + * If the CPU had gone completely idle and a task has +@@ -189,30 +205,15 @@ unsigned int dbs_update(struct cpufreq_policy *policy) + load = j_cdbs->prev_load; + j_cdbs->prev_load = 0; + } else { +- if (time_elapsed >= idle_time) { ++ if (time_elapsed > idle_time) + load = 100 * (time_elapsed - idle_time) / time_elapsed; +- } else { +- /* +- * That can happen if idle_time is returned by +- * get_cpu_idle_time_jiffy(). In that case +- * idle_time is roughly equal to the difference +- * between time_elapsed and "busy time" obtained +- * from CPU statistics. Then, the "busy time" +- * can end up being greater than time_elapsed +- * (for example, if jiffies_64 and the CPU +- * statistics are updated by different CPUs), +- * so idle_time may in fact be negative. That +- * means, though, that the CPU was busy all +- * the time (on the rough average) during the +- * last sampling interval and 100 can be +- * returned as the load. +- */ +- load = (int)idle_time < 0 ? 100 : 0; +- } ++ else ++ load = 0; ++ + j_cdbs->prev_load = load; + } + +- if (unlikely((int)idle_time > 2 * sampling_rate)) { ++ if (unlikely(idle_time > 2 * sampling_rate)) { + unsigned int periods = idle_time / sampling_rate; + + if (periods < idle_periods) +-- +2.39.5 + diff --git a/queue-5.4/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch b/queue-5.4/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch new file mode 100644 index 0000000000..8a95da76c3 --- /dev/null +++ b/queue-5.4/drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch @@ -0,0 +1,66 @@ +From da18af42647df1f3c541bd5e04452f128c12e295 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 16:48:12 +0100 +Subject: drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member + +From: AngeloGioacchino Del Regno + +[ Upstream commit 72fcb88e7bbc053ed4fc74cebb0315b98a0f20c3 ] + +Rename member aud_sampe_size of struct hdmi_audio_param to +aud_sample_size to fix a typo and enhance readability. + +This commit brings no functional changes. + +Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support") +Reviewed-by: CK Hu +Signed-off-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-20-angelogioacchino.delregno@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_hdmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c +index 74a54a9e35339..afc0de27c976c 100644 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c +@@ -135,7 +135,7 @@ enum hdmi_aud_channel_swap_type { + + struct hdmi_audio_param { + enum hdmi_audio_coding_type aud_codec; +- enum hdmi_audio_sample_size aud_sampe_size; ++ enum hdmi_audio_sample_size aud_sample_size; + enum hdmi_aud_input_type aud_input_type; + enum hdmi_aud_i2s_fmt aud_i2s_fmt; + enum hdmi_aud_mclk aud_mclk; +@@ -1085,7 +1085,7 @@ static int mtk_hdmi_output_init(struct mtk_hdmi *hdmi) + + hdmi->csp = HDMI_COLORSPACE_RGB; + aud_param->aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- aud_param->aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ aud_param->aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + aud_param->aud_input_type = HDMI_AUD_INPUT_I2S; + aud_param->aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT; + aud_param->aud_mclk = HDMI_AUD_MCLK_128FS; +@@ -1589,14 +1589,14 @@ static int mtk_hdmi_audio_hw_params(struct device *dev, void *data, + switch (daifmt->fmt) { + case HDMI_I2S: + hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + hdmi_params.aud_input_type = HDMI_AUD_INPUT_I2S; + hdmi_params.aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT; + hdmi_params.aud_mclk = HDMI_AUD_MCLK_128FS; + break; + case HDMI_SPDIF: + hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM; +- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16; ++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16; + hdmi_params.aud_input_type = HDMI_AUD_INPUT_SPDIF; + break; + default: +-- +2.39.5 + diff --git a/queue-5.4/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch b/queue-5.4/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch new file mode 100644 index 0000000000..f7c5be5b33 --- /dev/null +++ b/queue-5.4/edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch @@ -0,0 +1,46 @@ +From 1ca51af29cf8c028bd8a7fd2137cdd0d832f6cd3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:02 +0800 +Subject: EDAC/ie31200: Fix the DIMM size mask for several SoCs + +From: Qiuxu Zhuo + +[ Upstream commit 3427befbbca6b19fe0e37f91d66ce5221de70bf1 ] + +The DIMM size mask for {Sky, Kaby, Coffee} Lake is not bits{7:0}, +but bits{5:0}. Fix it. + +Fixes: 953dee9bbd24 ("EDAC, ie31200_edac: Add Skylake support") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-3-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index c11a46fdf3862..0fc78a922e3f3 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -154,6 +154,7 @@ + #define IE31200_MAD_DIMM_0_OFFSET 0x5004 + #define IE31200_MAD_DIMM_0_OFFSET_SKL 0x500C + #define IE31200_MAD_DIMM_SIZE GENMASK_ULL(7, 0) ++#define IE31200_MAD_DIMM_SIZE_SKL GENMASK_ULL(5, 0) + #define IE31200_MAD_DIMM_A_RANK BIT(17) + #define IE31200_MAD_DIMM_A_RANK_SHIFT 17 + #define IE31200_MAD_DIMM_A_RANK_SKL BIT(10) +@@ -368,7 +369,7 @@ static void __iomem *ie31200_map_mchbar(struct pci_dev *pdev) + static void __skl_populate_dimm_info(struct dimm_data *dd, u32 addr_decode, + int chan) + { +- dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE; ++ dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE_SKL; + dd->dual_rank = (addr_decode & (IE31200_MAD_DIMM_A_RANK_SKL << (chan << 4))) ? 1 : 0; + dd->x16_width = ((addr_decode & (IE31200_MAD_DIMM_A_WIDTH_SKL << (chan << 4))) >> + (IE31200_MAD_DIMM_A_WIDTH_SKL_SHIFT + (chan << 4))); +-- +2.39.5 + diff --git a/queue-5.4/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch b/queue-5.4/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch new file mode 100644 index 0000000000..54e1536355 --- /dev/null +++ b/queue-5.4/edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch @@ -0,0 +1,68 @@ +From 0ccdf8994a5430010d87e6d91097574478661144 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:03 +0800 +Subject: EDAC/ie31200: Fix the error path order of ie31200_init() + +From: Qiuxu Zhuo + +[ Upstream commit 231e341036d9988447e3b3345cf741a98139199e ] + +The error path order of ie31200_init() is incorrect, fix it. + +Fixes: 709ed1bcef12 ("EDAC/ie31200: Fallback if host bridge device is already initialized") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-4-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index 0fc78a922e3f3..d3d9916b1ba3f 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -611,7 +611,7 @@ static int __init ie31200_init(void) + + pci_rc = pci_register_driver(&ie31200_driver); + if (pci_rc < 0) +- goto fail0; ++ return pci_rc; + + if (!mci_pdev) { + ie31200_registered = 0; +@@ -622,11 +622,13 @@ static int __init ie31200_init(void) + if (mci_pdev) + break; + } ++ + if (!mci_pdev) { + edac_dbg(0, "ie31200 pci_get_device fail\n"); + pci_rc = -ENODEV; +- goto fail1; ++ goto fail0; + } ++ + pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]); + if (pci_rc < 0) { + edac_dbg(0, "ie31200 init fail\n"); +@@ -634,12 +636,12 @@ static int __init ie31200_init(void) + goto fail1; + } + } +- return 0; + ++ return 0; + fail1: +- pci_unregister_driver(&ie31200_driver); +-fail0: + pci_dev_put(mci_pdev); ++fail0: ++ pci_unregister_driver(&ie31200_driver); + + return pci_rc; + } +-- +2.39.5 + diff --git a/queue-5.4/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch b/queue-5.4/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch new file mode 100644 index 0000000000..653390800c --- /dev/null +++ b/queue-5.4/edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch @@ -0,0 +1,48 @@ +From c5677b9a3c59c06ea9126e23150bae697f50d35f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 09:14:01 +0800 +Subject: EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer + +From: Qiuxu Zhuo + +[ Upstream commit d59d844e319d97682c8de29b88d2d60922a683b3 ] + +The EDAC_MC_LAYER_CHIP_SELECT layer pertains to the rank, not the DIMM. +Fix its size to reflect the number of ranks instead of the number of DIMMs. +Also delete the unused macros IE31200_{DIMMS,RANKS}. + +Fixes: 7ee40b897d18 ("ie31200_edac: Introduce the driver") +Signed-off-by: Qiuxu Zhuo +Signed-off-by: Tony Luck +Tested-by: Gary Wang +Link: https://lore.kernel.org/r/20250310011411.31685-2-qiuxu.zhuo@intel.com +Signed-off-by: Sasha Levin +--- + drivers/edac/ie31200_edac.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c +index 9be43b4f9c506..c11a46fdf3862 100644 +--- a/drivers/edac/ie31200_edac.c ++++ b/drivers/edac/ie31200_edac.c +@@ -83,8 +83,6 @@ + (((did) & PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK) == \ + PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK)) + +-#define IE31200_DIMMS 4 +-#define IE31200_RANKS 8 + #define IE31200_RANKS_PER_CHANNEL 4 + #define IE31200_DIMMS_PER_CHANNEL 2 + #define IE31200_CHANNELS 2 +@@ -419,7 +417,7 @@ static int ie31200_probe1(struct pci_dev *pdev, int dev_idx) + + nr_channels = how_many_channels(pdev); + layers[0].type = EDAC_MC_LAYER_CHIP_SELECT; +- layers[0].size = IE31200_DIMMS; ++ layers[0].size = IE31200_RANKS_PER_CHANNEL; + layers[0].is_virt_csrow = true; + layers[1].type = EDAC_MC_LAYER_CHANNEL; + layers[1].size = nr_channels; +-- +2.39.5 + diff --git a/queue-5.4/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch b/queue-5.4/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch new file mode 100644 index 0000000000..8ad805492e --- /dev/null +++ b/queue-5.4/fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch @@ -0,0 +1,52 @@ +From 4541faf878ef24fe254bde096504a4b109153570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Apr 2023 21:35:36 +0200 +Subject: fbdev: au1100fb: Move a variable assignment behind a null pointer + check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Elfring + +[ Upstream commit 2df2c0caaecfd869b49e14f2b8df822397c5dd7f ] + +The address of a data structure member was determined before +a corresponding null pointer check in the implementation of +the function “au1100fb_setmode”. + +This issue was detected by using the Coccinelle software. + +Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.") +Signed-off-by: Markus Elfring +Acked-by: Uwe Kleine-König +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/au1100fb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/au1100fb.c b/drivers/video/fbdev/au1100fb.c +index 99941ae1f3a1c..514bd874a627e 100644 +--- a/drivers/video/fbdev/au1100fb.c ++++ b/drivers/video/fbdev/au1100fb.c +@@ -137,13 +137,15 @@ static int au1100fb_fb_blank(int blank_mode, struct fb_info *fbi) + */ + int au1100fb_setmode(struct au1100fb_device *fbdev) + { +- struct fb_info *info = &fbdev->info; ++ struct fb_info *info; + u32 words; + int index; + + if (!fbdev) + return -EINVAL; + ++ info = &fbdev->info; ++ + /* Update var-dependent FB info */ + if (panel_is_active(fbdev->panel) || panel_is_color(fbdev->panel)) { + if (info->var.bits_per_pixel <= 8) { +-- +2.39.5 + diff --git a/queue-5.4/fbdev-sm501fb-add-some-geometry-checks.patch b/queue-5.4/fbdev-sm501fb-add-some-geometry-checks.patch new file mode 100644 index 0000000000..c533f5b215 --- /dev/null +++ b/queue-5.4/fbdev-sm501fb-add-some-geometry-checks.patch @@ -0,0 +1,44 @@ +From d839f4a7111306611a7ca793d2c544c523a01989 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 01:30:11 +0000 +Subject: fbdev: sm501fb: Add some geometry checks. + +From: Danila Chernetsov + +[ Upstream commit aee50bd88ea5fde1ff4cc021385598f81a65830c ] + +Added checks for xoffset, yoffset settings. +Incorrect settings of these parameters can lead to errors +in sm501fb_pan_ functions. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 5fc404e47bdf ("[PATCH] fb: SM501 framebuffer driver") +Signed-off-by: Danila Chernetsov +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sm501fb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c +index 3dd1b1d76e983..a7acf0acd3e92 100644 +--- a/drivers/video/fbdev/sm501fb.c ++++ b/drivers/video/fbdev/sm501fb.c +@@ -326,6 +326,13 @@ static int sm501fb_check_var(struct fb_var_screeninfo *var, + if (var->xres_virtual > 4096 || var->yres_virtual > 2048) + return -EINVAL; + ++ /* geometry sanity checks */ ++ if (var->xres + var->xoffset > var->xres_virtual) ++ return -EINVAL; ++ ++ if (var->yres + var->yoffset > var->yres_virtual) ++ return -EINVAL; ++ + /* can cope with 8,16 or 32bpp */ + + if (var->bits_per_pixel <= 8) +-- +2.39.5 + diff --git a/queue-5.4/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch b/queue-5.4/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch new file mode 100644 index 0000000000..ecf06e2bdd --- /dev/null +++ b/queue-5.4/fs-procfs-fix-the-comment-above-proc_pid_wchan.patch @@ -0,0 +1,41 @@ +From 2e0542578fb1f6fa84622546144d7e9841d477df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Mar 2025 14:02:22 -0700 +Subject: fs/procfs: fix the comment above proc_pid_wchan() + +From: Bart Van Assche + +[ Upstream commit 6287fbad1cd91f0c25cdc3a580499060828a8f30 ] + +proc_pid_wchan() used to report kernel addresses to user space but that is +no longer the case today. Bring the comment above proc_pid_wchan() in +sync with the implementation. + +Link: https://lkml.kernel.org/r/20250319210222.1518771-1-bvanassche@acm.org +Fixes: b2f73922d119 ("fs/proc, core/debug: Don't expose absolute kernel addresses via wchan") +Signed-off-by: Bart Van Assche +Cc: Kees Cook +Cc: Eric W. Biederman +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 34e15da39fdf3..d785d148e15f3 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -413,7 +413,7 @@ static const struct file_operations proc_pid_cmdline_ops = { + #ifdef CONFIG_KALLSYMS + /* + * Provides a wchan file via kallsyms in a proper one-value-per-file format. +- * Returns the resolved symbol. If that fails, simply return the address. ++ * Returns the resolved symbol to user space. + */ + static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task) +-- +2.39.5 + diff --git a/queue-5.4/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch b/queue-5.4/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch new file mode 100644 index 0000000000..e5318d12a7 --- /dev/null +++ b/queue-5.4/hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch @@ -0,0 +1,40 @@ +From 5d9bc55edf210f0d3d60d51461392102916bc631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 05:08:32 +0200 +Subject: hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9} + +From: Tasos Sahanidis + +[ Upstream commit 815f80ad20b63830949a77c816e35395d5d55144 ] + +pwm_num is set to 7 for these chips, but NCT6776_REG_PWM_MODE and +NCT6776_PWM_MODE_MASK only contain 6 values. + +Fix this by adding another 0 to the end of each array. + +Signed-off-by: Tasos Sahanidis +Link: https://lore.kernel.org/r/20250312030832.106475-1-tasos@tasossah.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index da6bbfca15fee..a6b7919ab63fe 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -420,8 +420,8 @@ static const s8 NCT6776_BEEP_BITS[] = { + static const u16 NCT6776_REG_TOLERANCE_H[] = { + 0x10c, 0x20c, 0x30c, 0x80c, 0x90c, 0xa0c, 0xb0c }; + +-static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0 }; +-static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0 }; ++static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0, 0 }; ++static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0, 0 }; + + static const u16 NCT6776_REG_FAN_MIN[] = { + 0x63a, 0x63c, 0x63e, 0x640, 0x642, 0x64a, 0x64c }; +-- +2.39.5 + diff --git a/queue-5.4/ib-mad-check-available-slots-before-posting-receive-.patch b/queue-5.4/ib-mad-check-available-slots-before-posting-receive-.patch new file mode 100644 index 0000000000..dfe98fb467 --- /dev/null +++ b/queue-5.4/ib-mad-check-available-slots-before-posting-receive-.patch @@ -0,0 +1,133 @@ +From 5ead70ad3a14d7d31420ba7019e40898e8a51ca8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:20:17 +0200 +Subject: IB/mad: Check available slots before posting receive WRs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maher Sanalla + +[ Upstream commit 37826f0a8c2f6b6add5179003b8597e32a445362 ] + +The ib_post_receive_mads() function handles posting receive work +requests (WRs) to MAD QPs and is called in two cases: +1) When a MAD port is opened. +2) When a receive WQE is consumed upon receiving a new MAD. + +Whereas, if MADs arrive during the port open phase, a race condition +might cause an extra WR to be posted, exceeding the QP’s capacity. +This leads to failures such as: +infiniband mlx5_0: ib_post_recv failed: -12 +infiniband mlx5_0: Couldn't post receive WRs +infiniband mlx5_0: Couldn't start port +infiniband mlx5_0: Couldn't open port 1 + +Fix this by checking the current receive count before posting a new WR. +If the QP’s receive queue is full, do not post additional WRs. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Maher Sanalla +Link: https://patch.msgid.link/c4984ba3c3a98a5711a558bccefcad789587ecf1.1741875592.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/mad.c | 38 ++++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c +index 2284930b5f915..92d9e314238a2 100644 +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -2926,11 +2926,11 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + struct ib_mad_private *mad) + { + unsigned long flags; +- int post, ret; + struct ib_mad_private *mad_priv; + struct ib_sge sg_list; + struct ib_recv_wr recv_wr; + struct ib_mad_queue *recv_queue = &qp_info->recv_queue; ++ int ret = 0; + + /* Initialize common scatter list fields */ + sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey; +@@ -2940,7 +2940,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + recv_wr.sg_list = &sg_list; + recv_wr.num_sge = 1; + +- do { ++ while (true) { + /* Allocate and map receive buffer */ + if (mad) { + mad_priv = mad; +@@ -2948,10 +2948,8 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + } else { + mad_priv = alloc_mad_private(port_mad_size(qp_info->port_priv), + GFP_ATOMIC); +- if (!mad_priv) { +- ret = -ENOMEM; +- break; +- } ++ if (!mad_priv) ++ return -ENOMEM; + } + sg_list.length = mad_priv_dma_size(mad_priv); + sg_list.addr = ib_dma_map_single(qp_info->port_priv->device, +@@ -2960,37 +2958,41 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info, + DMA_FROM_DEVICE); + if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device, + sg_list.addr))) { +- kfree(mad_priv); + ret = -ENOMEM; +- break; ++ goto free_mad_priv; + } + mad_priv->header.mapping = sg_list.addr; + mad_priv->header.mad_list.mad_queue = recv_queue; + mad_priv->header.mad_list.cqe.done = ib_mad_recv_done; + recv_wr.wr_cqe = &mad_priv->header.mad_list.cqe; +- +- /* Post receive WR */ + spin_lock_irqsave(&recv_queue->lock, flags); +- post = (++recv_queue->count < recv_queue->max_active); +- list_add_tail(&mad_priv->header.mad_list.list, &recv_queue->list); ++ if (recv_queue->count >= recv_queue->max_active) { ++ /* Fully populated the receive queue */ ++ spin_unlock_irqrestore(&recv_queue->lock, flags); ++ break; ++ } ++ recv_queue->count++; ++ list_add_tail(&mad_priv->header.mad_list.list, ++ &recv_queue->list); + spin_unlock_irqrestore(&recv_queue->lock, flags); ++ + ret = ib_post_recv(qp_info->qp, &recv_wr, NULL); + if (ret) { + spin_lock_irqsave(&recv_queue->lock, flags); + list_del(&mad_priv->header.mad_list.list); + recv_queue->count--; + spin_unlock_irqrestore(&recv_queue->lock, flags); +- ib_dma_unmap_single(qp_info->port_priv->device, +- mad_priv->header.mapping, +- mad_priv_dma_size(mad_priv), +- DMA_FROM_DEVICE); +- kfree(mad_priv); + dev_err(&qp_info->port_priv->device->dev, + "ib_post_recv failed: %d\n", ret); + break; + } +- } while (post); ++ } + ++ ib_dma_unmap_single(qp_info->port_priv->device, ++ mad_priv->header.mapping, ++ mad_priv_dma_size(mad_priv), DMA_FROM_DEVICE); ++free_mad_priv: ++ kfree(mad_priv); + return ret; + } + +-- +2.39.5 + diff --git a/queue-5.4/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch b/queue-5.4/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch new file mode 100644 index 0000000000..4745651b15 --- /dev/null +++ b/queue-5.4/iio-accel-mma8452-ensure-error-return-on-failure-to-.patch @@ -0,0 +1,61 @@ +From f435d631a07c2b6c0c9a5a06af16c8f41ca364dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Feb 2025 14:01:28 +0000 +Subject: iio: accel: mma8452: Ensure error return on failure to matching + oversampling ratio + +From: Jonathan Cameron + +[ Upstream commit df330c808182a8beab5d0f84a6cbc9cff76c61fc ] + +If a match was not found, then the write_raw() callback would return +the odr index, not an error. Return -EINVAL if this occurs. +To avoid similar issues in future, introduce j, a new indexing variable +rather than using ret for this purpose. + +Fixes: 79de2ee469aa ("iio: accel: mma8452: claim direct mode during write raw") +Reviewed-by: David Lechner +Link: https://patch.msgid.link/20250217140135.896574-2-jic23@kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/mma8452.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c +index 74942bfc676a1..ecf24ca653d92 100644 +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -710,7 +710,7 @@ static int mma8452_write_raw(struct iio_dev *indio_dev, + int val, int val2, long mask) + { + struct mma8452_data *data = iio_priv(indio_dev); +- int i, ret; ++ int i, j, ret; + + ret = iio_device_claim_direct_mode(indio_dev); + if (ret) +@@ -770,14 +770,18 @@ static int mma8452_write_raw(struct iio_dev *indio_dev, + break; + + case IIO_CHAN_INFO_OVERSAMPLING_RATIO: +- ret = mma8452_get_odr_index(data); ++ j = mma8452_get_odr_index(data); + + for (i = 0; i < ARRAY_SIZE(mma8452_os_ratio); i++) { +- if (mma8452_os_ratio[i][ret] == val) { ++ if (mma8452_os_ratio[i][j] == val) { + ret = mma8452_set_power_mode(data, i); + break; + } + } ++ if (i == ARRAY_SIZE(mma8452_os_ratio)) { ++ ret = -EINVAL; ++ break; ++ } + break; + default: + ret = -EINVAL; +-- +2.39.5 + diff --git a/queue-5.4/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch b/queue-5.4/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch new file mode 100644 index 0000000000..0c83eddef8 --- /dev/null +++ b/queue-5.4/ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch @@ -0,0 +1,87 @@ +From fb30bcb1fbd1a5744d07e1d9e852bf9f3d8ca307 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Apr 2025 14:17:51 +0200 +Subject: ipv6: fix omitted netlink attributes when using + RTEXT_FILTER_SKIP_STATS + +From: Fernando Fernandez Mancera + +[ Upstream commit 7ac6ea4a3e0898db76aecccd68fb2c403eb7d24e ] + +Using RTEXT_FILTER_SKIP_STATS is incorrectly skipping non-stats IPv6 +netlink attributes on link dump. This causes issues on userspace tools, +e.g iproute2 is not rendering address generation mode as it should due +to missing netlink attribute. + +Move the filling of IFLA_INET6_STATS and IFLA_INET6_ICMP6STATS to a +helper function guarded by a flag check to avoid hitting the same +situation in the future. + +Fixes: d5566fd72ec1 ("rtnetlink: RTEXT_FILTER_SKIP_STATS support to avoid dumping inet/inet6 stats") +Signed-off-by: Fernando Fernandez Mancera +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250402121751.3108-1-ffmancera@riseup.net +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 37 +++++++++++++++++++++++++------------ + 1 file changed, 25 insertions(+), 12 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 57c55909cb6a0..4b9bced728c2e 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5600,6 +5600,27 @@ static void snmp6_fill_stats(u64 *stats, struct inet6_dev *idev, int attrtype, + } + } + ++static int inet6_fill_ifla6_stats_attrs(struct sk_buff *skb, ++ struct inet6_dev *idev) ++{ ++ struct nlattr *nla; ++ ++ nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64)); ++ if (!nla) ++ goto nla_put_failure; ++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla)); ++ ++ nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64)); ++ if (!nla) ++ goto nla_put_failure; ++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla)); ++ ++ return 0; ++ ++nla_put_failure: ++ return -EMSGSIZE; ++} ++ + static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev, + u32 ext_filter_mask) + { +@@ -5621,18 +5642,10 @@ static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev, + + /* XXX - MC not implemented */ + +- if (ext_filter_mask & RTEXT_FILTER_SKIP_STATS) +- return 0; +- +- nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64)); +- if (!nla) +- goto nla_put_failure; +- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla)); +- +- nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64)); +- if (!nla) +- goto nla_put_failure; +- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla)); ++ if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS)) { ++ if (inet6_fill_ifla6_stats_attrs(skb, idev) < 0) ++ goto nla_put_failure; ++ } + + nla = nla_reserve(skb, IFLA_INET6_TOKEN, sizeof(struct in6_addr)); + if (!nla) +-- +2.39.5 + diff --git a/queue-5.4/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch b/queue-5.4/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch new file mode 100644 index 0000000000..169f8f1556 --- /dev/null +++ b/queue-5.4/isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch @@ -0,0 +1,89 @@ +From 8d0fcb5e1237e86c442d342f1ac56b0510bec7ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2025 19:59:00 +0000 +Subject: isofs: fix KMSAN uninit-value bug in do_isofs_readdir() + +From: Qasim Ijaz + +[ Upstream commit 81a82e8f33880793029cd6f8a766fb13b737e6a7 ] + +In do_isofs_readdir() when assigning the variable +"struct iso_directory_record *de" the b_data field of the buffer_head +is accessed and an offset is added to it, the size of b_data is 2048 +and the offset size is 2047, meaning +"de = (struct iso_directory_record *) (bh->b_data + offset);" +yields the final byte of the 2048 sized b_data block. + +The first byte of the directory record (de_len) is then read and +found to be 31, meaning the directory record size is 31 bytes long. +The directory record is defined by the structure: + + struct iso_directory_record { + __u8 length; // 1 byte + __u8 ext_attr_length; // 1 byte + __u8 extent[8]; // 8 bytes + __u8 size[8]; // 8 bytes + __u8 date[7]; // 7 bytes + __u8 flags; // 1 byte + __u8 file_unit_size; // 1 byte + __u8 interleave; // 1 byte + __u8 volume_sequence_number[4]; // 4 bytes + __u8 name_len; // 1 byte + char name[]; // variable size + } __attribute__((packed)); + +The fixed portion of this structure occupies 33 bytes. Therefore, a +valid directory record must be at least 33 bytes long +(even without considering the variable-length name field). +Since de_len is only 31, it is insufficient to contain +the complete fixed header. + +The code later hits the following sanity check that +compares de_len against the sum of de->name_len and +sizeof(struct iso_directory_record): + + if (de_len < de->name_len[0] + sizeof(struct iso_directory_record)) { + ... + } + +Since the fixed portion of the structure is +33 bytes (up to and including name_len member), +a valid record should have de_len of at least 33 bytes; +here, however, de_len is too short, and the field de->name_len +(located at offset 32) is accessed even though it lies beyond +the available 31 bytes. + +This access on the corrupted isofs data triggers a KASAN uninitialized +memory warning. The fix would be to first verify that de_len is at least +sizeof(struct iso_directory_record) before accessing any +fields like de->name_len. + +Reported-by: syzbot +Tested-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=812641c6c3d7586a1613 +Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem") +Signed-off-by: Qasim Ijaz +Signed-off-by: Jan Kara +Link: https://patch.msgid.link/20250211195900.42406-1-qasdev00@gmail.com +Signed-off-by: Sasha Levin +--- + fs/isofs/dir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c +index b9e6a7ec78be4..23c73bb56d821 100644 +--- a/fs/isofs/dir.c ++++ b/fs/isofs/dir.c +@@ -147,7 +147,8 @@ static int do_isofs_readdir(struct inode *inode, struct file *file, + de = tmpde; + } + /* Basic sanity check, whether name doesn't exceed dir entry */ +- if (de_len < de->name_len[0] + ++ if (de_len < sizeof(struct iso_directory_record) || ++ de_len < de->name_len[0] + + sizeof(struct iso_directory_record)) { + printk(KERN_NOTICE "iso9660: Corrupted directory entry" + " in block %lu of inode %lu\n", block, +-- +2.39.5 + diff --git a/queue-5.4/kexec-initialize-elf-lowest-address-to-ulong_max.patch b/queue-5.4/kexec-initialize-elf-lowest-address-to-ulong_max.patch new file mode 100644 index 0000000000..4ec1ff53c6 --- /dev/null +++ b/queue-5.4/kexec-initialize-elf-lowest-address-to-ulong_max.patch @@ -0,0 +1,71 @@ +From 42bf2f53ce4f0624ffd9d5fd8e38eca0adf486d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jan 2025 17:08:24 +0530 +Subject: kexec: initialize ELF lowest address to ULONG_MAX + +From: Sourabh Jain + +[ Upstream commit 9986fb5164c8b21f6439cfd45ba36d8cc80c9710 ] + +Patch series "powerpc/crash: use generic crashkernel reservation", v3. + +Commit 0ab97169aa05 ("crash_core: add generic function to do reservation") +added a generic function to reserve crashkernel memory. So let's use the +same function on powerpc and remove the architecture-specific code that +essentially does the same thing. + +The generic crashkernel reservation also provides a way to split the +crashkernel reservation into high and low memory reservations, which can +be enabled for powerpc in the future. + +Additionally move powerpc to use generic APIs to locate memory hole for +kexec segments while loading kdump kernel. + +This patch (of 7): + +kexec_elf_load() loads an ELF executable and sets the address of the +lowest PT_LOAD section to the address held by the lowest_load_addr +function argument. + +To determine the lowest PT_LOAD address, a local variable lowest_addr +(type unsigned long) is initialized to UINT_MAX. After loading each +PT_LOAD, its address is compared to lowest_addr. If a loaded PT_LOAD +address is lower, lowest_addr is updated. However, setting lowest_addr to +UINT_MAX won't work when the kernel image is loaded above 4G, as the +returned lowest PT_LOAD address would be invalid. This is resolved by +initializing lowest_addr to ULONG_MAX instead. + +This issue was discovered while implementing crashkernel high/low +reservation on the PowerPC architecture. + +Link: https://lkml.kernel.org/r/20250131113830.925179-1-sourabhjain@linux.ibm.com +Link: https://lkml.kernel.org/r/20250131113830.925179-2-sourabhjain@linux.ibm.com +Fixes: a0458284f062 ("powerpc: Add support code for kexec_file_load()") +Signed-off-by: Sourabh Jain +Acked-by: Hari Bathini +Acked-by: Baoquan He +Cc: Madhavan Srinivasan +Cc: Mahesh Salgaonkar +Cc: Michael Ellerman +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/kexec_elf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/kexec_elf.c b/kernel/kexec_elf.c +index d3689632e8b90..3a5c25b2adc94 100644 +--- a/kernel/kexec_elf.c ++++ b/kernel/kexec_elf.c +@@ -390,7 +390,7 @@ int kexec_elf_load(struct kimage *image, struct elfhdr *ehdr, + struct kexec_buf *kbuf, + unsigned long *lowest_load_addr) + { +- unsigned long lowest_addr = UINT_MAX; ++ unsigned long lowest_addr = ULONG_MAX; + int ret; + size_t i; + +-- +2.39.5 + diff --git a/queue-5.4/lib-842-improve-error-handling-in-sw842_compress.patch b/queue-5.4/lib-842-improve-error-handling-in-sw842_compress.patch new file mode 100644 index 0000000000..c61a3abb45 --- /dev/null +++ b/queue-5.4/lib-842-improve-error-handling-in-sw842_compress.patch @@ -0,0 +1,44 @@ +From f7c3580a706304a2225e3b2c939d3d4ad3119afd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jan 2025 19:42:04 +0530 +Subject: lib: 842: Improve error handling in sw842_compress() + +From: Tanya Agarwal + +[ Upstream commit af324dc0e2b558678aec42260cce38be16cc77ca ] + +The static code analysis tool "Coverity Scan" pointed the following +implementation details out for further development considerations: +CID 1309755: Unused value +In sw842_compress: A value assigned to a variable is never used. (CWE-563) +returned_value: Assigning value from add_repeat_template(p, repeat_count) +to ret here, but that stored value is overwritten before it can be used. + +Conclusion: +Add error handling for the return value from an add_repeat_template() +call. + +Fixes: 2da572c959dd ("lib: add software 842 compression/decompression") +Signed-off-by: Tanya Agarwal +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/842/842_compress.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/842/842_compress.c b/lib/842/842_compress.c +index c02baa4168e16..055356508d97c 100644 +--- a/lib/842/842_compress.c ++++ b/lib/842/842_compress.c +@@ -532,6 +532,8 @@ int sw842_compress(const u8 *in, unsigned int ilen, + } + if (repeat_count) { + ret = add_repeat_template(p, repeat_count); ++ if (ret) ++ return ret; + repeat_count = 0; + if (next == last) /* reached max repeat bits */ + goto repeat; +-- +2.39.5 + diff --git a/queue-5.4/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch b/queue-5.4/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch new file mode 100644 index 0000000000..628b2b2814 --- /dev/null +++ b/queue-5.4/lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch @@ -0,0 +1,82 @@ +From 64950144ba7c082e0ffc9eb1b568649500d757ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Feb 2025 11:36:18 +0100 +Subject: lockdep: Don't disable interrupts on RT in + disable_irq_nosync_lockdep.*() + +From: Sebastian Andrzej Siewior + +[ Upstream commit 87886b32d669abc11c7be95ef44099215e4f5788 ] + +disable_irq_nosync_lockdep() disables interrupts with lockdep enabled to +avoid false positive reports by lockdep that a certain lock has not been +acquired with disabled interrupts. The user of this macros expects that +a lock can be acquried without disabling interrupts because the IRQ line +triggering the interrupt is disabled. + +This triggers a warning on PREEMPT_RT because after +disable_irq_nosync_lockdep.*() the following spinlock_t now is acquired +with disabled interrupts. + +On PREEMPT_RT there is no difference between spin_lock() and +spin_lock_irq() so avoiding disabling interrupts in this case works for +the two remaining callers as of today. + +Don't disable interrupts on PREEMPT_RT in disable_irq_nosync_lockdep.*(). + +Closes: https://lore.kernel.org/760e34f9-6034-40e0-82a5-ee9becd24438@roeck-us.net +Fixes: e8106b941ceab ("[PATCH] lockdep: core, add enable/disable_irq_irqsave/irqrestore() APIs") +Reported-by: Guenter Roeck +Suggested-by: "Steven Rostedt (Google)" +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Guenter Roeck +Link: https://lore.kernel.org/r/20250212103619.2560503-2-bigeasy@linutronix.de +Signed-off-by: Sasha Levin +--- + include/linux/interrupt.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h +index b70a35b97210d..7b8bdc468492e 100644 +--- a/include/linux/interrupt.h ++++ b/include/linux/interrupt.h +@@ -411,7 +411,7 @@ irq_calc_affinity_vectors(unsigned int minvec, unsigned int maxvec, + static inline void disable_irq_nosync_lockdep(unsigned int irq) + { + disable_irq_nosync(irq); +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_disable(); + #endif + } +@@ -419,7 +419,7 @@ static inline void disable_irq_nosync_lockdep(unsigned int irq) + static inline void disable_irq_nosync_lockdep_irqsave(unsigned int irq, unsigned long *flags) + { + disable_irq_nosync(irq); +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_save(*flags); + #endif + } +@@ -434,7 +434,7 @@ static inline void disable_irq_lockdep(unsigned int irq) + + static inline void enable_irq_lockdep(unsigned int irq) + { +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_enable(); + #endif + enable_irq(irq); +@@ -442,7 +442,7 @@ static inline void enable_irq_lockdep(unsigned int irq) + + static inline void enable_irq_lockdep_irqrestore(unsigned int irq, unsigned long *flags) + { +-#ifdef CONFIG_LOCKDEP ++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT) + local_irq_restore(*flags); + #endif + enable_irq(irq); +-- +2.39.5 + diff --git a/queue-5.4/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch b/queue-5.4/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch new file mode 100644 index 0000000000..38ac0e210e --- /dev/null +++ b/queue-5.4/locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch @@ -0,0 +1,150 @@ +From e9000d5db5044bc5d5efc204d122453682375ecd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 15:26:52 -0800 +Subject: locking/semaphore: Use wake_q to wake up processes outside lock + critical section + +From: Waiman Long + +[ Upstream commit 85b2b9c16d053364e2004883140538e73b333cdb ] + +A circular lock dependency splat has been seen involving down_trylock(): + + ====================================================== + WARNING: possible circular locking dependency detected + 6.12.0-41.el10.s390x+debug + ------------------------------------------------------ + dd/32479 is trying to acquire lock: + 0015a20accd0d4f8 ((console_sem).lock){-.-.}-{2:2}, at: down_trylock+0x26/0x90 + + but task is already holding lock: + 000000017e461698 (&zone->lock){-.-.}-{2:2}, at: rmqueue_bulk+0xac/0x8f0 + + the existing dependency chain (in reverse order) is: + -> #4 (&zone->lock){-.-.}-{2:2}: + -> #3 (hrtimer_bases.lock){-.-.}-{2:2}: + -> #2 (&rq->__lock){-.-.}-{2:2}: + -> #1 (&p->pi_lock){-.-.}-{2:2}: + -> #0 ((console_sem).lock){-.-.}-{2:2}: + +The console_sem -> pi_lock dependency is due to calling try_to_wake_up() +while holding the console_sem raw_spinlock. This dependency can be broken +by using wake_q to do the wakeup instead of calling try_to_wake_up() +under the console_sem lock. This will also make the semaphore's +raw_spinlock become a terminal lock without taking any further locks +underneath it. + +The hrtimer_bases.lock is a raw_spinlock while zone->lock is a +spinlock. The hrtimer_bases.lock -> zone->lock dependency happens via +the debug_objects_fill_pool() helper function in the debugobjects code. + + -> #4 (&zone->lock){-.-.}-{2:2}: + __lock_acquire+0xe86/0x1cc0 + lock_acquire.part.0+0x258/0x630 + lock_acquire+0xb8/0xe0 + _raw_spin_lock_irqsave+0xb4/0x120 + rmqueue_bulk+0xac/0x8f0 + __rmqueue_pcplist+0x580/0x830 + rmqueue_pcplist+0xfc/0x470 + rmqueue.isra.0+0xdec/0x11b0 + get_page_from_freelist+0x2ee/0xeb0 + __alloc_pages_noprof+0x2c2/0x520 + alloc_pages_mpol_noprof+0x1fc/0x4d0 + alloc_pages_noprof+0x8c/0xe0 + allocate_slab+0x320/0x460 + ___slab_alloc+0xa58/0x12b0 + __slab_alloc.isra.0+0x42/0x60 + kmem_cache_alloc_noprof+0x304/0x350 + fill_pool+0xf6/0x450 + debug_object_activate+0xfe/0x360 + enqueue_hrtimer+0x34/0x190 + __run_hrtimer+0x3c8/0x4c0 + __hrtimer_run_queues+0x1b2/0x260 + hrtimer_interrupt+0x316/0x760 + do_IRQ+0x9a/0xe0 + do_irq_async+0xf6/0x160 + +Normally a raw_spinlock to spinlock dependency is not legitimate +and will be warned if CONFIG_PROVE_RAW_LOCK_NESTING is enabled, +but debug_objects_fill_pool() is an exception as it explicitly +allows this dependency for non-PREEMPT_RT kernel without causing +PROVE_RAW_LOCK_NESTING lockdep splat. As a result, this dependency is +legitimate and not a bug. + +Anyway, semaphore is the only locking primitive left that is still +using try_to_wake_up() to do wakeup inside critical section, all the +other locking primitives had been migrated to use wake_q to do wakeup +outside of the critical section. It is also possible that there are +other circular locking dependencies involving printk/console_sem or +other existing/new semaphores lurking somewhere which may show up in +the future. Let just do the migration now to wake_q to avoid headache +like this. + +Reported-by: yzbot+ed801a886dfdbfe7136d@syzkaller.appspotmail.com +Signed-off-by: Waiman Long +Signed-off-by: Boqun Feng +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250307232717.1759087-3-boqun.feng@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/locking/semaphore.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/kernel/locking/semaphore.c b/kernel/locking/semaphore.c +index d9dd94defc0a9..19389fdbfdfb1 100644 +--- a/kernel/locking/semaphore.c ++++ b/kernel/locking/semaphore.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -37,7 +38,7 @@ static noinline void __down(struct semaphore *sem); + static noinline int __down_interruptible(struct semaphore *sem); + static noinline int __down_killable(struct semaphore *sem); + static noinline int __down_timeout(struct semaphore *sem, long timeout); +-static noinline void __up(struct semaphore *sem); ++static noinline void __up(struct semaphore *sem, struct wake_q_head *wake_q); + + /** + * down - acquire the semaphore +@@ -178,13 +179,16 @@ EXPORT_SYMBOL(down_timeout); + void up(struct semaphore *sem) + { + unsigned long flags; ++ DEFINE_WAKE_Q(wake_q); + + raw_spin_lock_irqsave(&sem->lock, flags); + if (likely(list_empty(&sem->wait_list))) + sem->count++; + else +- __up(sem); ++ __up(sem, &wake_q); + raw_spin_unlock_irqrestore(&sem->lock, flags); ++ if (!wake_q_empty(&wake_q)) ++ wake_up_q(&wake_q); + } + EXPORT_SYMBOL(up); + +@@ -252,11 +256,12 @@ static noinline int __sched __down_timeout(struct semaphore *sem, long timeout) + return __down_common(sem, TASK_UNINTERRUPTIBLE, timeout); + } + +-static noinline void __sched __up(struct semaphore *sem) ++static noinline void __sched __up(struct semaphore *sem, ++ struct wake_q_head *wake_q) + { + struct semaphore_waiter *waiter = list_first_entry(&sem->wait_list, + struct semaphore_waiter, list); + list_del(&waiter->list); + waiter->up = true; +- wake_up_process(waiter->task); ++ wake_q_add(wake_q, waiter->task); + } +-- +2.39.5 + diff --git a/queue-5.4/mdacon-rework-dependency-list.patch b/queue-5.4/mdacon-rework-dependency-list.patch new file mode 100644 index 0000000000..35dea5e370 --- /dev/null +++ b/queue-5.4/mdacon-rework-dependency-list.patch @@ -0,0 +1,47 @@ +From 0ce3f3b080e7428143913a8c8d2aa272a892aa7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Feb 2025 17:44:23 +0100 +Subject: mdacon: rework dependency list + +From: Arnd Bergmann + +[ Upstream commit 5bbcc7645f4b244ffb5ac6563fbe9d3d42194447 ] + +mdacon has roughly the same dependencies as vgacon but expresses them +as a negative list instead of a positive list, with the only practical +difference being PowerPC/CHRP, which uses vga16fb instead of vgacon. + +The CONFIG_MDA_CONSOLE description advises to only turn it on when vgacon +is also used because MDA/Hercules-only systems should be using vgacon +instead, so just change the list to enforce that directly for simplicity. + +The probing was broken from 2002 to 2008, this improves on the fix +that was added then: If vgacon is a loadable module, then mdacon +cannot be built-in now, and the list of systems that support vgacon +is carried over. + +Fixes: 0b9cf3aa6b1e ("mdacon messing up default vc's - set default to vc13-16 again") +Signed-off-by: Arnd Bergmann +Reviewed-by: Thomas Zimmermann +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/console/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/console/Kconfig b/drivers/video/console/Kconfig +index 3b432a18b5ab6..60102eea17abc 100644 +--- a/drivers/video/console/Kconfig ++++ b/drivers/video/console/Kconfig +@@ -23,7 +23,7 @@ config VGA_CONSOLE + Say Y. + + config MDA_CONSOLE +- depends on !M68K && !PARISC && ISA ++ depends on VGA_CONSOLE && ISA + tristate "MDA text console (dual-headed)" + ---help--- + Say Y here if you have an old MDA or monochrome Hercules graphics +-- +2.39.5 + diff --git a/queue-5.4/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch b/queue-5.4/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch new file mode 100644 index 0000000000..52835157df --- /dev/null +++ b/queue-5.4/mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch @@ -0,0 +1,63 @@ +From 09ba9e14e2b977e04b2a5204a061cde81bacb70a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jan 2025 09:12:06 -0800 +Subject: mfd: sm501: Switch to BIT() to mitigate integer overflows + +From: Nikita Zhandarovich + +[ Upstream commit 2d8cb9ffe18c2f1e5bd07a19cbce85b26c1d0cf0 ] + +If offset end up being high enough, right hand expression in functions +like sm501_gpio_set() shifted left for that number of bits, may +not fit in int type. + +Just in case, fix that by using BIT() both as an option safe from +overflow issues and to make this step look similar to other gpio +drivers. + +Found by Linux Verification Center (linuxtesting.org) with static +analysis tool SVACE. + +Fixes: f61be273d369 ("sm501: add gpiolib support") +Signed-off-by: Nikita Zhandarovich +Link: https://lore.kernel.org/r/20250115171206.20308-1-n.zhandarovich@fintech.ru +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index aab8d8910319d..96616f8267530 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -920,7 +920,7 @@ static void sm501_gpio_set(struct gpio_chip *chip, unsigned offset, int value) + { + struct sm501_gpio_chip *smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + void __iomem *regs = smchip->regbase; + unsigned long save; + unsigned long val; +@@ -946,7 +946,7 @@ static int sm501_gpio_input(struct gpio_chip *chip, unsigned offset) + struct sm501_gpio_chip *smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; + void __iomem *regs = smchip->regbase; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + unsigned long save; + unsigned long ddr; + +@@ -971,7 +971,7 @@ static int sm501_gpio_output(struct gpio_chip *chip, + { + struct sm501_gpio_chip *smchip = gpiochip_get_data(chip); + struct sm501_gpio *smgpio = smchip->ourgpio; +- unsigned long bit = 1 << offset; ++ unsigned long bit = BIT(offset); + void __iomem *regs = smchip->regbase; + unsigned long save; + unsigned long val; +-- +2.39.5 + diff --git a/queue-5.4/net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch b/queue-5.4/net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch new file mode 100644 index 0000000000..7d23887b35 --- /dev/null +++ b/queue-5.4/net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch @@ -0,0 +1,126 @@ +From b225bf8050b7fda58d22d154af847554e27f6e1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 15:56:37 +0200 +Subject: net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on + destroy + +From: David Oberhollenzer + +[ Upstream commit a58d882841a0750da3c482cd3d82432b1c7edb77 ] + +The mv88e6xxx has an internal PPU that polls PHY state. If we want to +access the internal PHYs, we need to disable the PPU first. Because +that is a slow operation, a 10ms timer is used to re-enable it, +canceled with every access, so bulk operations effectively only +disable it once and re-enable it some 10ms after the last access. + +If a PHY is accessed and then the mv88e6xxx module is removed before +the 10ms are up, the PPU re-enable ends up accessing a dangling pointer. + +This especially affects probing during bootup. The MDIO bus and PHY +registration may succeed, but registration with the DSA framework +may fail later on (e.g. because the CPU port depends on another, +very slow device that isn't done probing yet, returning -EPROBE_DEFER). +In this case, probe() fails, but the MDIO subsystem may already have +accessed the MIDO bus or PHYs, arming the timer. + +This is fixed as follows: + - If probe fails after mv88e6xxx_phy_init(), make sure we also call + mv88e6xxx_phy_destroy() before returning + - In mv88e6xxx_remove(), make sure we do the teardown in the correct + order, calling mv88e6xxx_phy_destroy() after unregistering the + switch device. + - In mv88e6xxx_phy_destroy(), destroy both the timer and the work item + that the timer might schedule, synchronously waiting in case one of + the callbacks already fired and destroying the timer first, before + waiting for the work item. + - Access to the PPU is guarded by a mutex, the worker acquires it + with a mutex_trylock(), not proceeding with the expensive shutdown + if that fails. We grab the mutex in mv88e6xxx_phy_destroy() to make + sure the slow PPU shutdown is already done or won't even enter, when + we wait for the work item. + +Fixes: 2e5f032095ff ("dsa: add support for the Marvell 88E6131 switch chip") +Signed-off-by: David Oberhollenzer +Reviewed-by: Vladimir Oltean +Link: https://patch.msgid.link/20250401135705.92760-1-david.oberhollenzer@sigma-star.at +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 11 +++++++---- + drivers/net/dsa/mv88e6xxx/phy.c | 3 +++ + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index cf3d574374376..047e328b770d1 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -5151,13 +5151,13 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + err = mv88e6xxx_switch_reset(chip); + mv88e6xxx_reg_unlock(chip); + if (err) +- goto out; ++ goto out_phy; + + if (np) { + chip->irq = of_irq_get(np, 0); + if (chip->irq == -EPROBE_DEFER) { + err = chip->irq; +- goto out; ++ goto out_phy; + } + } + +@@ -5176,7 +5176,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + mv88e6xxx_reg_unlock(chip); + + if (err) +- goto out; ++ goto out_phy; + + if (chip->info->g2_irqs > 0) { + err = mv88e6xxx_g2_irq_setup(chip); +@@ -5216,6 +5216,8 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev) + mv88e6xxx_g1_irq_free(chip); + else + mv88e6xxx_irq_poll_free(chip); ++out_phy: ++ mv88e6xxx_phy_destroy(chip); + out: + if (pdata) + dev_put(pdata->netdev); +@@ -5233,7 +5235,6 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev) + mv88e6xxx_ptp_free(chip); + } + +- mv88e6xxx_phy_destroy(chip); + mv88e6xxx_unregister_switch(chip); + mv88e6xxx_mdios_unregister(chip); + +@@ -5247,6 +5248,8 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev) + mv88e6xxx_g1_irq_free(chip); + else + mv88e6xxx_irq_poll_free(chip); ++ ++ mv88e6xxx_phy_destroy(chip); + } + + static const struct of_device_id mv88e6xxx_of_match[] = { +diff --git a/drivers/net/dsa/mv88e6xxx/phy.c b/drivers/net/dsa/mv88e6xxx/phy.c +index 252b5b3a3efef..d2104bd346ea2 100644 +--- a/drivers/net/dsa/mv88e6xxx/phy.c ++++ b/drivers/net/dsa/mv88e6xxx/phy.c +@@ -197,7 +197,10 @@ static void mv88e6xxx_phy_ppu_state_init(struct mv88e6xxx_chip *chip) + + static void mv88e6xxx_phy_ppu_state_destroy(struct mv88e6xxx_chip *chip) + { ++ mutex_lock(&chip->ppu_mutex); + del_timer_sync(&chip->ppu_timer); ++ cancel_work_sync(&chip->ppu_work); ++ mutex_unlock(&chip->ppu_mutex); + } + + int mv88e6185_phy_ppu_read(struct mv88e6xxx_chip *chip, struct mii_bus *bus, +-- +2.39.5 + diff --git a/queue-5.4/net_sched-skbprio-remove-overly-strict-queue-asserti.patch b/queue-5.4/net_sched-skbprio-remove-overly-strict-queue-asserti.patch new file mode 100644 index 0000000000..9b01c6b060 --- /dev/null +++ b/queue-5.4/net_sched-skbprio-remove-overly-strict-queue-asserti.patch @@ -0,0 +1,60 @@ +From 7b5acb97efd1ca8120f3182e253ab52eb4a3e95a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Mar 2025 15:25:35 -0700 +Subject: net_sched: skbprio: Remove overly strict queue assertions + +From: Cong Wang + +[ Upstream commit ce8fe975fd99b49c29c42e50f2441ba53112b2e8 ] + +In the current implementation, skbprio enqueue/dequeue contains an assertion +that fails under certain conditions when SKBPRIO is used as a child qdisc under +TBF with specific parameters. The failure occurs because TBF sometimes peeks at +packets in the child qdisc without actually dequeuing them when tokens are +unavailable. + +This peek operation creates a discrepancy between the parent and child qdisc +queue length counters. When TBF later receives a high-priority packet, +SKBPRIO's queue length may show a different value than what's reflected in its +internal priority queue tracking, triggering the assertion. + +The fix removes this overly strict assertions in SKBPRIO, they are not +necessary at all. + +Reported-by: syzbot+a3422a19b05ea96bee18@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a3422a19b05ea96bee18 +Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler") +Cc: Nishanth Devarajan +Signed-off-by: Cong Wang +Acked-by: Paolo Abeni +Link: https://patch.msgid.link/20250329222536.696204-2-xiyou.wangcong@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_skbprio.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/sched/sch_skbprio.c b/net/sched/sch_skbprio.c +index 7a5e4c4547156..7dca66026ca4d 100644 +--- a/net/sched/sch_skbprio.c ++++ b/net/sched/sch_skbprio.c +@@ -121,8 +121,6 @@ static int skbprio_enqueue(struct sk_buff *skb, struct Qdisc *sch, + /* Check to update highest and lowest priorities. */ + if (skb_queue_empty(lp_qdisc)) { + if (q->lowest_prio == q->highest_prio) { +- /* The incoming packet is the only packet in queue. */ +- BUG_ON(sch->q.qlen != 1); + q->lowest_prio = prio; + q->highest_prio = prio; + } else { +@@ -154,7 +152,6 @@ static struct sk_buff *skbprio_dequeue(struct Qdisc *sch) + /* Update highest priority field. */ + if (skb_queue_empty(hpq)) { + if (q->lowest_prio == q->highest_prio) { +- BUG_ON(sch->q.qlen); + q->highest_prio = 0; + q->lowest_prio = SKBPRIO_MAX_PRIORITY - 1; + } else { +-- +2.39.5 + diff --git a/queue-5.4/netlabel-fix-null-pointer-exception-caused-by-calips.patch b/queue-5.4/netlabel-fix-null-pointer-exception-caused-by-calips.patch new file mode 100644 index 0000000000..8044459320 --- /dev/null +++ b/queue-5.4/netlabel-fix-null-pointer-exception-caused-by-calips.patch @@ -0,0 +1,87 @@ +From 1dc987475fdc0d29030a6de16c9ba0374f234c2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Apr 2025 20:40:18 +0800 +Subject: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 + sockets + +From: Debin Zhu + +[ Upstream commit 078aabd567de3d63d37d7673f714e309d369e6e2 ] + +When calling netlbl_conn_setattr(), addr->sa_family is used +to determine the function behavior. If sk is an IPv4 socket, +but the connect function is called with an IPv6 address, +the function calipso_sock_setattr() is triggered. +Inside this function, the following code is executed: + +sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; + +Since sk is an IPv4 socket, pinet6 is NULL, leading to a +null pointer dereference. + +This patch fixes the issue by checking if inet6_sk(sk) +returns a NULL pointer before accessing pinet6. + +Signed-off-by: Debin Zhu +Signed-off-by: Bitao Ouyang <1985755126@qq.com> +Acked-by: Paul Moore +Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") +Link: https://patch.msgid.link/20250401124018.4763-1-mowenroot@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/calipso.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c +index 7426e33686d13..9bc612b3f8340 100644 +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -1075,8 +1075,13 @@ static int calipso_sock_getattr(struct sock *sk, + struct ipv6_opt_hdr *hop; + int opt_len, len, ret_val = -ENOMSG, offset; + unsigned char *opt; +- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return -EAFNOSUPPORT; + ++ txopts = txopt_get(pinfo); + if (!txopts || !txopts->hopopt) + goto done; + +@@ -1128,8 +1133,13 @@ static int calipso_sock_setattr(struct sock *sk, + { + int ret_val; + struct ipv6_opt_hdr *old, *new; +- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return -EAFNOSUPPORT; + ++ txopts = txopt_get(pinfo); + old = NULL; + if (txopts) + old = txopts->hopopt; +@@ -1156,8 +1166,13 @@ static int calipso_sock_setattr(struct sock *sk, + static void calipso_sock_delattr(struct sock *sk) + { + struct ipv6_opt_hdr *new_hop; +- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk)); ++ struct ipv6_pinfo *pinfo = inet6_sk(sk); ++ struct ipv6_txoptions *txopts; ++ ++ if (!pinfo) ++ return; + ++ txopts = txopt_get(pinfo); + if (!txopts || !txopts->hopopt) + goto done; + +-- +2.39.5 + diff --git a/queue-5.4/ntb-intel-fix-using-link-status-db-s.patch b/queue-5.4/ntb-intel-fix-using-link-status-db-s.patch new file mode 100644 index 0000000000..c11caa3230 --- /dev/null +++ b/queue-5.4/ntb-intel-fix-using-link-status-db-s.patch @@ -0,0 +1,37 @@ +From d549b79dfa0a8ba0d40c9167e21d6aab23fc97cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jun 2024 11:15:19 +0300 +Subject: ntb: intel: Fix using link status DB's + +From: Nikita Shubin + +[ Upstream commit 8144e9c8f30fb23bb736a5d24d5c9d46965563c4 ] + +Make sure we are not using DB's which were remapped for link status. + +Fixes: f6e51c354b60 ("ntb: intel: split out the gen3 code") +Signed-off-by: Nikita Shubin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_gen3.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_gen3.c b/drivers/ntb/hw/intel/ntb_hw_gen3.c +index c3397160db7f7..0076a73c51721 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_gen3.c ++++ b/drivers/ntb/hw/intel/ntb_hw_gen3.c +@@ -215,6 +215,9 @@ static int gen3_init_ntb(struct intel_ntb_dev *ndev) + } + + ndev->db_valid_mask = BIT_ULL(ndev->db_count) - 1; ++ /* Make sure we are not using DB's used for link status */ ++ if (ndev->hwerr_flags & NTB_HWERR_MSIX_VECTOR32_BAD) ++ ndev->db_valid_mask &= ~ndev->db_link_mask; + + ndev->reg->db_iowrite(ndev->db_valid_mask, + ndev->self_mmio + +-- +2.39.5 + diff --git a/queue-5.4/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch b/queue-5.4/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch new file mode 100644 index 0000000000..5c0ce2ed6d --- /dev/null +++ b/queue-5.4/ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch @@ -0,0 +1,45 @@ +From 9d624a4d37ae3884a2f8cc7d728f437814b87157 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Aug 2023 16:33:05 +0800 +Subject: ntb_hw_switchtec: Fix shift-out-of-bounds in + switchtec_ntb_mw_set_trans + +From: Yajun Deng + +[ Upstream commit de203da734fae00e75be50220ba5391e7beecdf9 ] + +There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and +size. This would make xlate_pos negative. + +[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000 +[ 23.734158] ================================================================================ +[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7 +[ 23.734418] shift exponent -1 is negative + +Ensuring xlate_pos is a positive or zero before BIT. + +Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()") +Signed-off-by: Yajun Deng +Reviewed-by: Logan Gunthorpe +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +index db9be3ce1cd0d..4dfb0dea2bda0 100644 +--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c ++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c +@@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *ntb, int pidx, int widx, + if (xlate_pos < 12) + return -EINVAL; + +- if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { ++ if (xlate_pos >= 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) { + /* + * In certain circumstances we can get a buffer that is + * not aligned to its size. (Most of the time +-- +2.39.5 + diff --git a/queue-5.4/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch b/queue-5.4/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch new file mode 100644 index 0000000000..f7cc628393 --- /dev/null +++ b/queue-5.4/objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch @@ -0,0 +1,49 @@ +From a669e8a124737d134a437617d2a46582d5df8b45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Mar 2025 14:56:06 -0700 +Subject: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() + +From: Josh Poimboeuf + +[ Upstream commit e63d465f59011dede0a0f1d21718b59a64c3ff5c ] + +If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result +is a divide-by-zero. Prevent that from happening. + +Fixes the following warning with an UBSAN kernel: + + drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx() + +Fixes: 173a64cb3fcf ("[media] dib8000: enhancement") +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Mauro Carvalho Chehab +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/bd1d504d930ae3f073b1e071bcf62cae7708773c.1742852847.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/r/202503210602.fvH5DO1i-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib8000.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index 02cb48223dc67..a28cbbd9e475c 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -2701,8 +2701,11 @@ static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz) + u8 ratio; + + if (state->revision == 0x8090) { ++ u32 internal = dib8000_read32(state, 23) / 1000; ++ + ratio = 4; +- unit_khz_dds_val = (1<<26) / (dib8000_read32(state, 23) / 1000); ++ ++ unit_khz_dds_val = (1<<26) / (internal ?: 1); + if (offset_khz < 0) + dds = (1 << 26) - (abs_offset_khz * unit_khz_dds_val); + else +-- +2.39.5 + diff --git a/queue-5.4/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch b/queue-5.4/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch new file mode 100644 index 0000000000..f91a75ca3e --- /dev/null +++ b/queue-5.4/ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch @@ -0,0 +1,56 @@ +From 3f406427632a5c1cda5c3905dc7b8865a55d65fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Feb 2025 11:49:08 +0300 +Subject: ocfs2: validate l_tree_depth to avoid out-of-bounds access + +From: Vasiliy Kovalev + +[ Upstream commit a406aff8c05115119127c962cbbbbd202e1973ef ] + +The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is +limited to OCFS2_MAX_PATH_DEPTH. + +Add a check to prevent out-of-bounds access if l_tree_depth has an invalid +value, which may occur when reading from a corrupted mounted disk [1]. + +Link: https://lkml.kernel.org/r/20250214084908.736528-1-kovalev@altlinux.org +Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") +Signed-off-by: Vasiliy Kovalev +Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1] +Reviewed-by: Joseph Qi +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Kurt Hackel +Cc: Mark Fasheh +Cc: Vasiliy Kovalev +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/alloc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c +index 52ccd8d4ed820..0d2dbf3fded2a 100644 +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -1799,6 +1799,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci, + + el = root_el; + while (el->l_tree_depth) { ++ if (unlikely(le16_to_cpu(el->l_tree_depth) >= OCFS2_MAX_PATH_DEPTH)) { ++ ocfs2_error(ocfs2_metadata_cache_get_super(ci), ++ "Owner %llu has invalid tree depth %u in extent list\n", ++ (unsigned long long)ocfs2_metadata_cache_owner(ci), ++ le16_to_cpu(el->l_tree_depth)); ++ ret = -EROFS; ++ goto out; ++ } + if (le16_to_cpu(el->l_next_free_rec) == 0) { + ocfs2_error(ocfs2_metadata_cache_get_super(ci), + "Owner %llu has empty extent list at depth %u\n", +-- +2.39.5 + diff --git a/queue-5.4/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch b/queue-5.4/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch new file mode 100644 index 0000000000..34c181ed05 --- /dev/null +++ b/queue-5.4/octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch @@ -0,0 +1,39 @@ +From 4243c1bea6c7e8a4e1ddad20d1b13d91313745cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Mar 2025 14:44:41 +0530 +Subject: octeontx2-af: Fix mbox INTR handler when num VFs > 64 + +From: Geetha sowjanya + +[ Upstream commit 0fdba88a211508984eb5df62008c29688692b134 ] + +When number of RVU VFs > 64, the vfs value passed to "rvu_queue_work" +function is incorrect. Due to which mbox workqueue entries for +VFs 0 to 63 never gets added to workqueue. + +Fixes: 9bdc47a6e328 ("octeontx2-af: Mbox communication support btw AF and it's VFs") +Signed-off-by: Geetha sowjanya +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20250327091441.1284-1-gakula@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index f569a98e35a02..57e3a11451b56 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -1740,7 +1740,7 @@ static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq) + rvupf_write64(rvu, RVU_PF_VFPF_MBOX_INTX(1), intr); + + rvu_queue_work(&rvu->afvf_wq_info, 64, vfs, intr); +- vfs -= 64; ++ vfs = 64; + } + + intr = rvupf_read64(rvu, RVU_PF_VFPF_MBOX_INTX(0)); +-- +2.39.5 + diff --git a/queue-5.4/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch b/queue-5.4/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch new file mode 100644 index 0000000000..8573368d7b --- /dev/null +++ b/queue-5.4/pci-aspm-fix-link-state-exit-during-switch-upstream-.patch @@ -0,0 +1,84 @@ +From 06936b665b1cf2ee061e41dfe465893d083b76fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Dec 2024 19:39:08 -0800 +Subject: PCI/ASPM: Fix link state exit during switch upstream function removal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Stodden + +[ Upstream commit cbf937dcadfd571a434f8074d057b32cd14fbea5 ] + +Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to +avoid use-after-free"), we would free the ASPM link only after the last +function on the bus pertaining to the given link was removed. + +That was too late. If function 0 is removed before sibling function, +link->downstream would point to free'd memory after. + +After above change, we freed the ASPM parent link state upon any function +removal on the bus pertaining to a given link. + +That is too early. If the link is to a PCIe switch with MFD on the upstream +port, then removing functions other than 0 first would free a link which +still remains parent_link to the remaining downstream ports. + +The resulting GPFs are especially frequent during hot-unplug, because +pciehp removes devices on the link bus in reverse order. + +On that switch, function 0 is the virtual P2P bridge to the internal bus. +Free exactly when function 0 is removed -- before the parent link is +obsolete, but after all subordinate links are gone. + +Link: https://lore.kernel.org/r/e12898835f25234561c9d7de4435590d957b85d9.1734924854.git.dns@arista.com +Fixes: 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free") +Signed-off-by: Daniel Stodden +Signed-off-by: Bjorn Helgaas +[kwilczynski: commit log] +Signed-off-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/aspm.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c +index ee51e433fdedb..c55ea6f0b9552 100644 +--- a/drivers/pci/pcie/aspm.c ++++ b/drivers/pci/pcie/aspm.c +@@ -1012,16 +1012,16 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + parent_link = link->parent; + + /* +- * link->downstream is a pointer to the pci_dev of function 0. If +- * we remove that function, the pci_dev is about to be deallocated, +- * so we can't use link->downstream again. Free the link state to +- * avoid this. ++ * Free the parent link state, no later than function 0 (i.e. ++ * link->downstream) being removed. + * +- * If we're removing a non-0 function, it's possible we could +- * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends +- * programming the same ASPM Control value for all functions of +- * multi-function devices, so disable ASPM for all of them. ++ * Do not free the link state any earlier. If function 0 is a ++ * switch upstream port, this link state is parent_link to all ++ * subordinate ones. + */ ++ if (pdev != link->downstream) ++ goto out; ++ + pcie_config_aspm_link(link, 0); + list_del(&link->sibling); + free_link_state(link); +@@ -1032,6 +1032,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) + pcie_config_aspm_path(parent_link); + } + ++ out: + mutex_unlock(&aspm_lock); + up_read(&pci_bus_sem); + } +-- +2.39.5 + diff --git a/queue-5.4/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch b/queue-5.4/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch new file mode 100644 index 0000000000..0e6b3260fc --- /dev/null +++ b/queue-5.4/pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch @@ -0,0 +1,49 @@ +From 2831ab24e4ddeb231d7ed650963b919b01eaa8ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Mar 2025 18:21:14 +0200 +Subject: PCI: pciehp: Don't enable HPIE when resuming in poll mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 527664f738afb6f2c58022cd35e63801e5dc7aec ] + +PCIe hotplug can operate in poll mode without interrupt handlers using a +polling kthread only. eb34da60edee ("PCI: pciehp: Disable hotplug +interrupt during suspend") failed to consider that and enables HPIE +(Hot-Plug Interrupt Enable) unconditionally when resuming the Port. + +Only set HPIE if non-poll mode is in use. This makes +pcie_enable_interrupt() match how pcie_enable_notification() already +handles HPIE. + +Link: https://lore.kernel.org/r/20250321162114.3939-1-ilpo.jarvinen@linux.intel.com +Fixes: eb34da60edee ("PCI: pciehp: Disable hotplug interrupt during suspend") +Signed-off-by: Ilpo Järvinen +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Signed-off-by: Sasha Levin +--- + drivers/pci/hotplug/pciehp_hpc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c +index bdbe01d4d9e90..c3512a0e5b14c 100644 +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -765,7 +765,9 @@ void pcie_enable_interrupt(struct controller *ctrl) + { + u16 mask; + +- mask = PCI_EXP_SLTCTL_HPIE | PCI_EXP_SLTCTL_DLLSCE; ++ mask = PCI_EXP_SLTCTL_DLLSCE; ++ if (!pciehp_poll_mode) ++ mask |= PCI_EXP_SLTCTL_HPIE; + pcie_write_cmd(ctrl, mask, mask); + } + +-- +2.39.5 + diff --git a/queue-5.4/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch b/queue-5.4/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch new file mode 100644 index 0000000000..eaada84c84 --- /dev/null +++ b/queue-5.4/pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch @@ -0,0 +1,60 @@ +From ddab6f5d4883d955d85c28794fae5003b0bcadbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Mar 2025 10:36:30 +0800 +Subject: PCI/portdrv: Only disable pciehp interrupts early when needed + +From: Feng Tang + +[ Upstream commit 9d7db4db19827380e225914618c0c1bf435ed2f5 ] + +Firmware developers reported that Linux issues two PCIe hotplug commands in +very short intervals on an ARM server, which doesn't comply with the PCIe +spec. According to PCIe r6.1, sec 6.7.3.2, if the Command Completed event +is supported, software must wait for a command to complete or wait at +least 1 second before sending a new command. + +In the failure case, the first PCIe hotplug command is from +get_port_device_capability(), which sends a command to disable PCIe hotplug +interrupts without waiting for its completion, and the second command comes +from pcie_enable_notification() of pciehp driver, which enables hotplug +interrupts again. + +Fix this by only disabling the hotplug interrupts when the pciehp driver is +not enabled. + +Link: https://lore.kernel.org/r/20250303023630.78397-1-feng.tang@linux.alibaba.com +Fixes: 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization") +Suggested-by: Lukas Wunner +Signed-off-by: Feng Tang +[bhelgaas: commit log] +Signed-off-by: Bjorn Helgaas +Reviewed-by: Lukas Wunner +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Sasha Levin +--- + drivers/pci/pcie/portdrv_core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/pcie/portdrv_core.c b/drivers/pci/pcie/portdrv_core.c +index 8637f6068f9c2..07d2699286448 100644 +--- a/drivers/pci/pcie/portdrv_core.c ++++ b/drivers/pci/pcie/portdrv_core.c +@@ -214,10 +214,12 @@ static int get_port_device_capability(struct pci_dev *dev) + + /* + * Disable hot-plug interrupts in case they have been enabled +- * by the BIOS and the hot-plug service driver is not loaded. ++ * by the BIOS and the hot-plug service driver won't be loaded ++ * to handle them. + */ +- pcie_capability_clear_word(dev, PCI_EXP_SLTCTL, +- PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE); ++ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)) ++ pcie_capability_clear_word(dev, PCI_EXP_SLTCTL, ++ PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE); + } + + #ifdef CONFIG_PCIEAER +-- +2.39.5 + diff --git a/queue-5.4/pci-remove-stray-put_device-in-pci_register_host_bri.patch b/queue-5.4/pci-remove-stray-put_device-in-pci_register_host_bri.patch new file mode 100644 index 0000000000..73a670770c --- /dev/null +++ b/queue-5.4/pci-remove-stray-put_device-in-pci_register_host_bri.patch @@ -0,0 +1,41 @@ +From 16be7c6fe9f59219e78ddb40f1886090fc2fe99d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 11:46:34 +0300 +Subject: PCI: Remove stray put_device() in pci_register_host_bridge() + +From: Dan Carpenter + +[ Upstream commit 6e8d06e5096c80cbf41313b4a204f43071ca42be ] + +This put_device() was accidentally left over from when we changed the code +from using device_register() to calling device_add(). Delete it. + +Link: https://lore.kernel.org/r/55b24870-89fb-4c91-b85d-744e35db53c2@stanley.mountain +Fixes: 9885440b16b8 ("PCI: Fix pci_host_bridge struct device release/free handling") +Signed-off-by: Dan Carpenter +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/probe.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index a41d04c57642d..701489c1c5d32 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -869,10 +869,9 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge) + goto free; + + err = device_add(&bridge->dev); +- if (err) { +- put_device(&bridge->dev); ++ if (err) + goto free; +- } ++ + bus->bridge = get_device(&bridge->dev); + device_enable_async_suspend(bus->bridge); + pci_set_bus_of_node(bus); +-- +2.39.5 + diff --git a/queue-5.4/perf-python-check-if-there-is-space-to-copy-all-the-.patch b/queue-5.4/perf-python-check-if-there-is-space-to-copy-all-the-.patch new file mode 100644 index 0000000000..e7083bb2f2 --- /dev/null +++ b/queue-5.4/perf-python-check-if-there-is-space-to-copy-all-the-.patch @@ -0,0 +1,68 @@ +From c3a5b9f8d7fd15d57e57cadb5eaa475fd164c605 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:41 -0300 +Subject: perf python: Check if there is space to copy all the event + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 89aaeaf84231157288035b366cb6300c1c6cac64 ] + +The pyrf_event__new() method copies the event obtained from the perf +ring buffer to a structure that will then be turned into a python object +for further consumption, so it copies perf_event.header.size bytes to +its 'event' member: + + $ pahole -C pyrf_event /tmp/build/perf-tools-next/python/perf.cpython-312-x86_64-linux-gnu.so + struct pyrf_event { + PyObject ob_base; /* 0 16 */ + struct evsel * evsel; /* 16 8 */ + struct perf_sample sample; /* 24 312 */ + + /* XXX last struct has 7 bytes of padding, 2 holes */ + + /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */ + union perf_event event; /* 336 4168 */ + + /* size: 4504, cachelines: 71, members: 4 */ + /* member types with holes: 1, total: 2 */ + /* paddings: 1, sum paddings: 7 */ + /* last cacheline: 24 bytes */ + }; + + $ + +It was doing so without checking if the event just obtained has more +than that space, fix it. + +This isn't a proper, final solution, as we need to support larger +events, but for the time being we at least bounds check and document it. + +Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-7-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 594c738e4930f..3cfaa843b6a9d 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -537,6 +537,11 @@ static PyObject *pyrf_event__new(union perf_event *event) + event->header.type == PERF_RECORD_SWITCH_CPU_WIDE)) + return NULL; + ++ // FIXME this better be dynamic or we need to parse everything ++ // before calling perf_mmap__consume(), including tracepoint fields. ++ if (sizeof(pevent->event) < event->header.size) ++ return NULL; ++ + ptype = pyrf_event__type[event->header.type]; + pevent = PyObject_New(struct pyrf_event, ptype); + if (pevent != NULL) +-- +2.39.5 + diff --git a/queue-5.4/perf-python-decrement-the-refcount-of-just-created-e.patch b/queue-5.4/perf-python-decrement-the-refcount-of-just-created-e.patch new file mode 100644 index 0000000000..27a03584df --- /dev/null +++ b/queue-5.4/perf-python-decrement-the-refcount-of-just-created-e.patch @@ -0,0 +1,52 @@ +From f8a5faa3926ae9e56450c1cc4be74e7b1643058d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:39 -0300 +Subject: perf python: Decrement the refcount of just created event on failure + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 3de5a2bf5b4847f7a59a184568f969f8fe05d57f ] + +To avoid a leak if we have the python object but then something happens +and we need to return the operation, decrement the offset of the newly +created object. + +Fixes: 377f698db12150a1 ("perf python: Add struct evsel into struct pyrf_event") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-5-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 2ff87ad8d7e88..594c738e4930f 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -1036,6 +1036,7 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + + evsel = perf_evlist__event2evsel(evlist, event); + if (!evsel) { ++ Py_DECREF(pyevent); + Py_INCREF(Py_None); + return Py_None; + } +@@ -1047,9 +1048,12 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist, + /* Consume the even only after we parsed it out. */ + perf_mmap__consume(md); + +- if (err) ++ if (err) { ++ Py_DECREF(pyevent); + return PyErr_Format(PyExc_OSError, + "perf: can't parse sample, err=%d", err); ++ } ++ + return pyevent; + } + end: +-- +2.39.5 + diff --git a/queue-5.4/perf-python-fixup-description-of-sample.id-event-mem.patch b/queue-5.4/perf-python-fixup-description-of-sample.id-event-mem.patch new file mode 100644 index 0000000000..1b755d2051 --- /dev/null +++ b/queue-5.4/perf-python-fixup-description-of-sample.id-event-mem.patch @@ -0,0 +1,38 @@ +From b3504f82f0d1f3ef786a333a3f1fadb99274ec78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 17:31:36 -0300 +Subject: perf python: Fixup description of sample.id event member + +From: Arnaldo Carvalho de Melo + +[ Upstream commit 1376c195e8ad327bb9f2d32e0acc5ac39e7cb30a ] + +Some old cut'n'paste error, its "ip", so the description should be +"event ip", not "event type". + +Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding") +Signed-off-by: Arnaldo Carvalho de Melo +Reviewed-by: Ian Rogers +Link: https://lore.kernel.org/r/20250312203141.285263-2-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/python.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c +index 02460362256d1..2ff87ad8d7e88 100644 +--- a/tools/perf/util/python.c ++++ b/tools/perf/util/python.c +@@ -110,7 +110,7 @@ struct pyrf_event { + }; + + #define sample_members \ +- sample_member_def(sample_ip, ip, T_ULONGLONG, "event type"), \ ++ sample_member_def(sample_ip, ip, T_ULONGLONG, "event ip"), \ + sample_member_def(sample_pid, pid, T_INT, "event pid"), \ + sample_member_def(sample_tid, tid, T_INT, "event tid"), \ + sample_member_def(sample_time, time, T_ULONGLONG, "event timestamp"), \ +-- +2.39.5 + diff --git a/queue-5.4/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch b/queue-5.4/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch new file mode 100644 index 0000000000..92756d63c3 --- /dev/null +++ b/queue-5.4/perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch @@ -0,0 +1,43 @@ +From 69a652a1b9af33e09d1c79ed1e016d6938d60e00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Mar 2025 11:00:36 +0800 +Subject: perf/ring_buffer: Allow the EPOLLRDNORM flag for poll + +From: Tao Chen + +[ Upstream commit c96fff391c095c11dc87dab35be72dee7d217cde ] + +The poll man page says POLLRDNORM is equivalent to POLLIN. For poll(), +it seems that if user sets pollfd with POLLRDNORM in userspace, perf_poll +will not return until timeout even if perf_output_wakeup called, +whereas POLLIN returns. + +Fixes: 76369139ceb9 ("perf: Split up buffer handling from core code") +Signed-off-by: Tao Chen +Signed-off-by: Ingo Molnar +Cc: Peter Zijlstra +Cc: Arnaldo Carvalho de Melo +Cc: "H. Peter Anvin" +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250314030036.2543180-1-chen.dylane@linux.dev +Signed-off-by: Sasha Levin +--- + kernel/events/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c +index 679cc87b40f4b..0611477e4dadd 100644 +--- a/kernel/events/ring_buffer.c ++++ b/kernel/events/ring_buffer.c +@@ -19,7 +19,7 @@ + + static void perf_output_wakeup(struct perf_output_handle *handle) + { +- atomic_set(&handle->rb->poll, EPOLLIN); ++ atomic_set(&handle->rb->poll, EPOLLIN | EPOLLRDNORM); + + handle->event->pending_wakeup = 1; + irq_work_queue(&handle->event->pending); +-- +2.39.5 + diff --git a/queue-5.4/perf-units-fix-insufficient-array-space.patch b/queue-5.4/perf-units-fix-insufficient-array-space.patch new file mode 100644 index 0000000000..60318dfd31 --- /dev/null +++ b/queue-5.4/perf-units-fix-insufficient-array-space.patch @@ -0,0 +1,46 @@ +From 976c798ec3235f75abdcae254b68edc4933fa98f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Mar 2025 16:45:32 -0300 +Subject: perf units: Fix insufficient array space + +From: Arnaldo Carvalho de Melo + +[ Upstream commit cf67629f7f637fb988228abdb3aae46d0c1748fe ] + +No need to specify the array size, let the compiler figure that out. + +This addresses this compiler warning that was noticed while build +testing on fedora rawhide: + + 31 15.81 fedora:rawhide : FAIL gcc version 15.0.1 20250225 (Red Hat 15.0.1-0) (GCC) + util/units.c: In function 'unit_number__scnprintf': + util/units.c:67:24: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-initialization] + 67 | char unit[4] = "BKMG"; + | ^~~~~~ + cc1: all warnings being treated as errors + +Fixes: 9808143ba2e54818 ("perf tools: Add unit_number__scnprintf function") +Signed-off-by: Arnaldo Carvalho de Melo +Link: https://lore.kernel.org/r/20250310194534.265487-3-acme@kernel.org +Signed-off-by: Namhyung Kim +Signed-off-by: Sasha Levin +--- + tools/perf/util/units.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/units.c b/tools/perf/util/units.c +index a46762aec4c9f..24c83b8b8c980 100644 +--- a/tools/perf/util/units.c ++++ b/tools/perf/util/units.c +@@ -57,7 +57,7 @@ unsigned long convert_unit(unsigned long value, char *unit) + + int unit_number__scnprintf(char *buf, size_t size, u64 n) + { +- char unit[4] = "BKMG"; ++ char unit[] = "BKMG"; + int i = 0; + + while (((n / 1024) > 1) && (i < 3)) { +-- +2.39.5 + diff --git a/queue-5.4/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch b/queue-5.4/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch new file mode 100644 index 0000000000..6227355614 --- /dev/null +++ b/queue-5.4/pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch @@ -0,0 +1,42 @@ +From 63f9df75d3b08a3853fad0d49006b11cd50394d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Mar 2025 16:37:53 +0000 +Subject: pinctrl: renesas: rza2: Fix missing of_node_put() call + +From: Fabrizio Castro + +[ Upstream commit abcdeb4e299a11ecb5a3ea0cce00e68e8f540375 ] + +of_parse_phandle_with_fixed_args() requires its caller to +call into of_node_put() on the node pointer from the output +structure, but such a call is currently missing. + +Call into of_node_put() to rectify that. + +Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller") +Signed-off-by: Fabrizio Castro +Reviewed-by: Lad Prabhakar +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/20250305163753.34913-5-fabrizio.castro.jz@renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rza2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/pinctrl/pinctrl-rza2.c b/drivers/pinctrl/pinctrl-rza2.c +index 8c3174d007507..fb6dccc5c304f 100644 +--- a/drivers/pinctrl/pinctrl-rza2.c ++++ b/drivers/pinctrl/pinctrl-rza2.c +@@ -253,6 +253,8 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv) + return ret; + } + ++ of_node_put(of_args.np); ++ + if ((of_args.args[0] != 0) || + (of_args.args[1] != 0) || + (of_args.args[2] != priv->npins)) { +-- +2.39.5 + diff --git a/queue-5.4/pm-sleep-fix-handling-devices-with-direct_complete-s.patch b/queue-5.4/pm-sleep-fix-handling-devices-with-direct_complete-s.patch new file mode 100644 index 0000000000..45f2bac0f5 --- /dev/null +++ b/queue-5.4/pm-sleep-fix-handling-devices-with-direct_complete-s.patch @@ -0,0 +1,91 @@ +From c4f715cd3dae90b30c6ca0c71e6ac042b314898e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 17:00:00 +0100 +Subject: PM: sleep: Fix handling devices with direct_complete set on errors + +From: Rafael J. Wysocki + +[ Upstream commit 03f1444016b71feffa1dfb8a51f15ba592f94b13 ] + +When dpm_suspend() fails, some devices with power.direct_complete set +may not have been handled by device_suspend() yet, so runtime PM has +not been disabled for them yet even though power.direct_complete is set. + +Since device_resume() expects that runtime PM has been disabled for all +devices with power.direct_complete set, it will attempt to reenable +runtime PM for the devices that have not been processed by device_suspend() +which does not make sense. Had those devices had runtime PM disabled +before device_suspend() had run, device_resume() would have inadvertently +enable runtime PM for them, but this is not expected to happen because +it would require ->prepare() callbacks to return positive values for +devices with runtime PM disabled, which would be invalid. + +In practice, this issue is most likely benign because pm_runtime_enable() +will not allow the "disable depth" counter to underflow, but it causes a +warning message to be printed for each affected device. + +To allow device_resume() to distinguish the "direct complete" devices +that have been processed by device_suspend() from those which have not +been handled by it, make device_suspend() set power.is_suspended for +"direct complete" devices. + +Next, move the power.is_suspended check in device_resume() before the +power.direct_complete check in it to make it skip the "direct complete" +devices that have not been handled by device_suspend(). + +This change is based on a preliminary patch from Saravana Kannan. + +Fixes: aae4518b3124 ("PM / sleep: Mechanism to avoid resuming runtime-suspended devices unnecessarily") +Link: https://lore.kernel.org/linux-pm/20241114220921.2529905-2-saravanak@google.com/ +Reported-by: Saravana Kannan +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Saravana Kannan +Link: https://patch.msgid.link/12627587.O9o76ZdvQC@rjwysocki.net +Signed-off-by: Sasha Levin +--- + drivers/base/power/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c +index ae382c4018fd8..7375624de5646 100644 +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -968,6 +968,9 @@ static int device_resume(struct device *dev, pm_message_t state, bool async) + if (dev->power.syscore) + goto Complete; + ++ if (!dev->power.is_suspended) ++ goto Complete; ++ + if (dev->power.direct_complete) { + /* Match the pm_runtime_disable() in __device_suspend(). */ + pm_runtime_enable(dev); +@@ -986,9 +989,6 @@ static int device_resume(struct device *dev, pm_message_t state, bool async) + */ + dev->power.is_prepared = false; + +- if (!dev->power.is_suspended) +- goto Unlock; +- + if (dev->pm_domain) { + info = "power domain "; + callback = pm_op(&dev->pm_domain->ops, state); +@@ -1028,7 +1028,6 @@ static int device_resume(struct device *dev, pm_message_t state, bool async) + error = dpm_run_callback(callback, dev, state, info); + dev->power.is_suspended = false; + +- Unlock: + device_unlock(dev); + dpm_watchdog_clear(&wd); + +@@ -1758,6 +1757,7 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async) + pm_runtime_disable(dev); + if (pm_runtime_status_suspended(dev)) { + pm_dev_dbg(dev, state, "direct-complete "); ++ dev->power.is_suspended = true; + goto Complete; + } + +-- +2.39.5 + diff --git a/queue-5.4/power-supply-max77693-fix-wrong-conversion-of-charge.patch b/queue-5.4/power-supply-max77693-fix-wrong-conversion-of-charge.patch new file mode 100644 index 0000000000..810e989af2 --- /dev/null +++ b/queue-5.4/power-supply-max77693-fix-wrong-conversion-of-charge.patch @@ -0,0 +1,46 @@ +From 4ebb7d0b3680d1097b89c36b32be9eb334145d29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Mar 2025 21:11:49 +0100 +Subject: power: supply: max77693: Fix wrong conversion of charge input + threshold value + +From: Artur Weber + +[ Upstream commit 30cc7b0d0e9341d419eb7da15fb5c22406dbe499 ] + +The charge input threshold voltage register on the MAX77693 PMIC accepts +four values: 0x0 for 4.3v, 0x1 for 4.7v, 0x2 for 4.8v and 0x3 for 4.9v. +Due to an oversight, the driver calculated the values for 4.7v and above +starting from 0x0, rather than from 0x1 ([(4700000 - 4700000) / 100000] +gives 0). + +Add 1 to the calculation to ensure that 4.7v is converted to a register +value of 0x1 and that the other two voltages are converted correctly as +well. + +Fixes: 87c2d9067893 ("power: max77693: Add charger driver for Maxim 77693") +Signed-off-by: Artur Weber +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20250316-max77693-charger-input-threshold-fix-v1-1-2b037d0ac722@gmail.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max77693_charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/max77693_charger.c b/drivers/power/supply/max77693_charger.c +index a2c5c9858639f..ef3482fa4023e 100644 +--- a/drivers/power/supply/max77693_charger.c ++++ b/drivers/power/supply/max77693_charger.c +@@ -556,7 +556,7 @@ static int max77693_set_charge_input_threshold_volt(struct max77693_charger *chg + case 4700000: + case 4800000: + case 4900000: +- data = (uvolt - 4700000) / 100000; ++ data = ((uvolt - 4700000) / 100000) + 1; + break; + default: + dev_err(chg->dev, "Wrong value for charge input voltage regulation threshold\n"); +-- +2.39.5 + diff --git a/queue-5.4/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch b/queue-5.4/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch new file mode 100644 index 0000000000..8f1f367d7b --- /dev/null +++ b/queue-5.4/rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch @@ -0,0 +1,91 @@ +From 0cf9351078725833f98dfab643e29d841d2efd28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Mar 2025 16:29:53 +0200 +Subject: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow + +From: Patrisious Haddad + +[ Upstream commit 5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd ] + +When cur_qp isn't NULL, in order to avoid fetching the QP from +the radix tree again we check if the next cqe QP is identical to +the one we already have. + +The bug however is that we are checking if the QP is identical by +checking the QP number inside the CQE against the QP number inside the +mlx5_ib_qp, but that's wrong since the QP number from the CQE is from +FW so it should be matched against mlx5_core_qp which is our FW QP +number. + +Otherwise we could use the wrong QP when handling a CQE which could +cause the kernel trace below. + +This issue is mainly noticeable over QPs 0 & 1, since for now they are +the only QPs in our driver whereas the QP number inside mlx5_ib_qp +doesn't match the QP number inside mlx5_core_qp. + +BUG: kernel NULL pointer dereference, address: 0000000000000012 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP + CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 + Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] + RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] + Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21 + RSP: 0018:ffff88810511bd60 EFLAGS: 00010046 + RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a + RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10 + R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000 + R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0 + FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0 + Call Trace: + + ? __die+0x20/0x60 + ? page_fault_oops+0x150/0x3e0 + ? exc_page_fault+0x74/0x130 + ? asm_exc_page_fault+0x22/0x30 + ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib] + __ib_process_cq+0x5a/0x150 [ib_core] + ib_cq_poll_work+0x31/0x90 [ib_core] + process_one_work+0x169/0x320 + worker_thread+0x288/0x3a0 + ? work_busy+0xb0/0xb0 + kthread+0xd7/0x1f0 + ? kthreads_online_cpu+0x130/0x130 + ? kthreads_online_cpu+0x130/0x130 + ret_from_fork+0x2d/0x50 + ? kthreads_online_cpu+0x130/0x130 + ret_from_fork_asm+0x11/0x20 + + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Patrisious Haddad +Reviewed-by: Edward Srouji +Link: https://patch.msgid.link/4ada09d41f1e36db62c44a9b25c209ea5f054316.1741875692.git.leon@kernel.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/cq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c +index 7f659c240c99c..eb20f8fa2bd31 100644 +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -483,7 +483,7 @@ static int mlx5_poll_one(struct mlx5_ib_cq *cq, + } + + qpn = ntohl(cqe64->sop_drop_qpn) & 0xffffff; +- if (!*cur_qp || (qpn != (*cur_qp)->ibqp.qp_num)) { ++ if (!*cur_qp || (qpn != (*cur_qp)->trans_qp.base.mqp.qpn)) { + /* We do not have to take the QP table lock here, + * because CQs will be locked while QPs are removed + * from the table. +-- +2.39.5 + diff --git a/queue-5.4/ring-buffer-fix-bytes_dropped-calculation-issue.patch b/queue-5.4/ring-buffer-fix-bytes_dropped-calculation-issue.patch new file mode 100644 index 0000000000..d3361c9d39 --- /dev/null +++ b/queue-5.4/ring-buffer-fix-bytes_dropped-calculation-issue.patch @@ -0,0 +1,41 @@ +From 76395ee94ceaf1a96875a0935d63d2717beabdef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Feb 2025 15:01:06 +0800 +Subject: ring-buffer: Fix bytes_dropped calculation issue + +From: Feng Yang + +[ Upstream commit c73f0b69648501978e8b3e8fa7eef7f4197d0481 ] + +The calculation of bytes-dropped and bytes_dropped_nested is reversed. +Although it does not affect the final calculation of total_dropped, +it should still be modified. + +Link: https://lore.kernel.org/20250223070106.6781-1-yangfeng59949@163.com +Fixes: 6c43e554a2a5 ("ring-buffer: Add ring buffer startup selftest") +Signed-off-by: Feng Yang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ring_buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c +index 2011219c11a91..b12838d4c3270 100644 +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -5195,9 +5195,9 @@ static __init int rb_write_something(struct rb_test_data *data, bool nested) + /* Ignore dropped events before test starts. */ + if (started) { + if (nested) +- data->bytes_dropped += len; +- else + data->bytes_dropped_nested += len; ++ else ++ data->bytes_dropped += len; + } + return len; + } +-- +2.39.5 + diff --git a/queue-5.4/sched-deadline-use-online-cpus-for-validating-runtim.patch b/queue-5.4/sched-deadline-use-online-cpus-for-validating-runtim.patch new file mode 100644 index 0000000000..5394f6eb10 --- /dev/null +++ b/queue-5.4/sched-deadline-use-online-cpus-for-validating-runtim.patch @@ -0,0 +1,45 @@ +From 1510216241a6ba8b351b7f1abe2a2574512f8e5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Mar 2025 10:59:53 +0530 +Subject: sched/deadline: Use online cpus for validating runtime + +From: Shrikanth Hegde + +[ Upstream commit 14672f059d83f591afb2ee1fff56858efe055e5a ] + +The ftrace selftest reported a failure because writing -1 to +sched_rt_runtime_us returns -EBUSY. This happens when the possible +CPUs are different from active CPUs. + +Active CPUs are part of one root domain, while remaining CPUs are part +of def_root_domain. Since active cpumask is being used, this results in +cpus=0 when a non active CPUs is used in the loop. + +Fix it by looping over the online CPUs instead for validating the +bandwidth calculations. + +Signed-off-by: Shrikanth Hegde +Signed-off-by: Ingo Molnar +Reviewed-by: Juri Lelli +Link: https://lore.kernel.org/r/20250306052954.452005-2-sshegde@linux.ibm.com +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index ba3d7c223999e..023d52d2a0f10 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -2513,7 +2513,7 @@ int sched_dl_global_validate(void) + * cycling on root_domains... Discussion on different/better + * solutions is welcome! + */ +- for_each_possible_cpu(cpu) { ++ for_each_online_cpu(cpu) { + rcu_read_lock_sched(); + dl_b = dl_bw_of(cpu); + cpus = dl_bw_cpus(cpu); +-- +2.39.5 + diff --git a/queue-5.4/sched-smt-always-inline-sched_smt_active.patch b/queue-5.4/sched-smt-always-inline-sched_smt_active.patch new file mode 100644 index 0000000000..d3976d0121 --- /dev/null +++ b/queue-5.4/sched-smt-always-inline-sched_smt_active.patch @@ -0,0 +1,45 @@ +From 38e4a11a19e1d1de85550193b3b9925fcf77361f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Mar 2025 21:26:44 -0700 +Subject: sched/smt: Always inline sched_smt_active() + +From: Josh Poimboeuf + +[ Upstream commit 09f37f2d7b21ff35b8b533f9ab8cfad2fe8f72f6 ] + +sched_smt_active() can be called from noinstr code, so it should always +be inlined. The CONFIG_SCHED_SMT version already has __always_inline. +Do the same for its !CONFIG_SCHED_SMT counterpart. + +Fixes the following warning: + + vmlinux.o: error: objtool: intel_idle_ibrs+0x13: call to sched_smt_active() leaves .noinstr.text section + +Fixes: 321a874a7ef8 ("sched/smt: Expose sched_smt_present static key") +Reported-by: kernel test robot +Signed-off-by: Josh Poimboeuf +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/1d03907b0a247cf7fb5c1d518de378864f603060.1743481539.git.jpoimboe@kernel.org +Closes: https://lore.kernel.org/r/202503311434.lyw2Tveh-lkp@intel.com/ +Signed-off-by: Sasha Levin +--- + include/linux/sched/smt.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h +index 59d3736c454cf..737b50f40137b 100644 +--- a/include/linux/sched/smt.h ++++ b/include/linux/sched/smt.h +@@ -12,7 +12,7 @@ static __always_inline bool sched_smt_active(void) + return static_branch_likely(&sched_smt_present); + } + #else +-static inline bool sched_smt_active(void) { return false; } ++static __always_inline bool sched_smt_active(void) { return false; } + #endif + + void arch_smt_update(void); +-- +2.39.5 + diff --git a/queue-5.4/selinux-chain-up-tool-resolving-errors-in-install_po.patch b/queue-5.4/selinux-chain-up-tool-resolving-errors-in-install_po.patch new file mode 100644 index 0000000000..d162e10e56 --- /dev/null +++ b/queue-5.4/selinux-chain-up-tool-resolving-errors-in-install_po.patch @@ -0,0 +1,66 @@ +From 8b0df080a584f05688905ef5d9010efa5970dc34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Mar 2025 10:56:43 +0100 +Subject: selinux: Chain up tool resolving errors in install_policy.sh + +From: Tim Schumacher + +[ Upstream commit 6ae0042f4d3f331e841495eb0a3d51598e593ec2 ] + +Subshell evaluations are not exempt from errexit, so if a command is +not available, `which` will fail and exit the script as a whole. +This causes the helpful error messages to not be printed if they are +tacked on using a `$?` comparison. + +Resolve the issue by using chains of logical operators, which are not +subject to the effects of errexit. + +Fixes: e37c1877ba5b1 ("scripts/selinux: modernize mdp") +Signed-off-by: Tim Schumacher +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + scripts/selinux/install_policy.sh | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh +index 20af56ce245c5..c68f0e045fb00 100755 +--- a/scripts/selinux/install_policy.sh ++++ b/scripts/selinux/install_policy.sh +@@ -6,27 +6,24 @@ if [ `id -u` -ne 0 ]; then + exit 1 + fi + +-SF=`which setfiles` +-if [ $? -eq 1 ]; then ++SF=`which setfiles` || { + echo "Could not find setfiles" + echo "Do you have policycoreutils installed?" + exit 1 +-fi ++} + +-CP=`which checkpolicy` +-if [ $? -eq 1 ]; then ++CP=`which checkpolicy` || { + echo "Could not find checkpolicy" + echo "Do you have checkpolicy installed?" + exit 1 +-fi ++} + VERS=`$CP -V | awk '{print $1}'` + +-ENABLED=`which selinuxenabled` +-if [ $? -eq 1 ]; then ++ENABLED=`which selinuxenabled` || { + echo "Could not find selinuxenabled" + echo "Do you have libselinux-utils installed?" + exit 1 +-fi ++} + + if selinuxenabled; then + echo "SELinux is already enabled" +-- +2.39.5 + diff --git a/queue-5.4/series b/queue-5.4/series index ea2078791f..865109b024 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -77,3 +77,69 @@ net-usb-qmi_wwan-add-telit-cinterion-fe990b-composition.patch net-usb-usbnet-restore-usb-d-name-exception-for-local-mac-addresses.patch memstick-rtsx_usb_ms-fix-slab-use-after-free-in-rtsx_usb_ms_drv_remove.patch serial-8250_dma-terminate-correct-dma-in-tx_dma_flush.patch +x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch +cpufreq-governor-fix-negative-idle_time-handling-in-.patch +x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch +x86-platform-only-allow-config_eisa-for-32-bit.patch +selinux-chain-up-tool-resolving-errors-in-install_po.patch +edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch +edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch +edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch +thermal-int340x-add-null-check-for-adev.patch +pm-sleep-fix-handling-devices-with-direct_complete-s.patch +lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch +perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch +alsa-hda-realtek-always-honor-no_shutup_pins.patch +drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch +pci-aspm-fix-link-state-exit-during-switch-upstream-.patch +pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch +pci-remove-stray-put_device-in-pci_register_host_bri.patch +pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch +fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch +mdacon-rework-dependency-list.patch +fbdev-sm501fb-add-some-geometry-checks.patch +clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch +bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch +lib-842-improve-error-handling-in-sw842_compress.patch +pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch +clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch +ib-mad-check-available-slots-before-posting-receive-.patch +clk-amlogic-g12b-fix-cluster-a-parent-data.patch +clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch +clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch +x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch +power-supply-max77693-fix-wrong-conversion-of-charge.patch +rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch +mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch +x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch +isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch +coresight-catu-fix-number-of-pages-while-using-64k-p.patch +iio-accel-mma8452-ensure-error-return-on-failure-to-.patch +perf-units-fix-insufficient-array-space.patch +kexec-initialize-elf-lowest-address-to-ulong_max.patch +ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch +perf-python-fixup-description-of-sample.id-event-mem.patch +perf-python-decrement-the-refcount-of-just-created-e.patch +perf-python-check-if-there-is-space-to-copy-all-the-.patch +fs-procfs-fix-the-comment-above-proc_pid_wchan.patch +objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch +ring-buffer-fix-bytes_dropped-calculation-issue.patch +octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch +sched-smt-always-inline-sched_smt_active.patch +wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch +affs-generate-ofs-sequence-numbers-starting-at-1.patch +affs-don-t-write-overlarge-ofs-data-block-size-field.patch +sched-deadline-use-online-cpus-for-validating-runtim.patch +locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch +can-statistics-use-atomic-access-in-hot-path.patch +hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch +spufs-fix-a-leak-on-spufs_new_file-failure.patch +spufs-fix-a-leak-in-spufs_create_context.patch +ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch +ntb-intel-fix-using-link-status-db-s.patch +netlabel-fix-null-pointer-exception-caused-by-calips.patch +net_sched-skbprio-remove-overly-strict-queue-asserti.patch +vsock-avoid-timeout-during-connect-if-the-socket-is-.patch +ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch +net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch +arcnet-add-null-check-in-com20020pci_probe.patch diff --git a/queue-5.4/spufs-fix-a-leak-in-spufs_create_context.patch b/queue-5.4/spufs-fix-a-leak-in-spufs_create_context.patch new file mode 100644 index 0000000000..ed8d7b713d --- /dev/null +++ b/queue-5.4/spufs-fix-a-leak-in-spufs_create_context.patch @@ -0,0 +1,39 @@ +From ecaefed847d5fbb5d1374c0438dc672b900cd052 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 19:38:28 -0400 +Subject: spufs: fix a leak in spufs_create_context() + +From: Al Viro + +[ Upstream commit 0f5cce3fc55b08ee4da3372baccf4bcd36a98396 ] + +Leak fixes back in 2008 missed one case - if we are trying to set affinity +and spufs_mkdir() fails, we need to drop the reference to neighbor. + +Fixes: 58119068cb27 "[POWERPC] spufs: Fix memory leak on SPU affinity" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/inode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c +index 1183e264ff421..93214d52ae82a 100644 +--- a/arch/powerpc/platforms/cell/spufs/inode.c ++++ b/arch/powerpc/platforms/cell/spufs/inode.c +@@ -440,8 +440,11 @@ spufs_create_context(struct inode *inode, struct dentry *dentry, + } + + ret = spufs_mkdir(inode, dentry, flags, mode & 0777); +- if (ret) ++ if (ret) { ++ if (neighbor) ++ put_spu_context(neighbor); + goto out_aff_unlock; ++ } + + if (affinity) { + spufs_set_affinity(flags, SPUFS_I(d_inode(dentry))->i_ctx, +-- +2.39.5 + diff --git a/queue-5.4/spufs-fix-a-leak-on-spufs_new_file-failure.patch b/queue-5.4/spufs-fix-a-leak-on-spufs_new_file-failure.patch new file mode 100644 index 0000000000..c72e7de28f --- /dev/null +++ b/queue-5.4/spufs-fix-a-leak-on-spufs_new_file-failure.patch @@ -0,0 +1,40 @@ +From 509bf73e4723447b05c8468b0bcb4be8bc20dd39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Mar 2025 19:26:31 -0500 +Subject: spufs: fix a leak on spufs_new_file() failure + +From: Al Viro + +[ Upstream commit d1ca8698ca1332625d83ea0d753747be66f9906d ] + +It's called from spufs_fill_dir(), and caller of that will do +spufs_rmdir() in case of failure. That does remove everything +we'd managed to create, but... the problem dentry is still +negative. IOW, it needs to be explicitly dropped. + +Fixes: 3f51dd91c807 "[PATCH] spufs: fix spufs_fill_dir error path" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/spufs/inode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c +index 99e688498a9cb..1183e264ff421 100644 +--- a/arch/powerpc/platforms/cell/spufs/inode.c ++++ b/arch/powerpc/platforms/cell/spufs/inode.c +@@ -189,8 +189,10 @@ static int spufs_fill_dir(struct dentry *dir, + return -ENOMEM; + ret = spufs_new_file(dir->d_sb, dentry, files->ops, + files->mode & mode, files->size, ctx); +- if (ret) ++ if (ret) { ++ dput(dentry); + return ret; ++ } + files++; + } + return 0; +-- +2.39.5 + diff --git a/queue-5.4/thermal-int340x-add-null-check-for-adev.patch b/queue-5.4/thermal-int340x-add-null-check-for-adev.patch new file mode 100644 index 0000000000..234cfbc8cf --- /dev/null +++ b/queue-5.4/thermal-int340x-add-null-check-for-adev.patch @@ -0,0 +1,50 @@ +From e06a504d26a566aceb59f3bbce31c43031f24961 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Mar 2025 23:36:11 -0500 +Subject: thermal: int340x: Add NULL check for adev +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenyuan Yang + +[ Upstream commit 2542a3f70e563a9e70e7ded314286535a3321bdb ] + +Not all devices have an ACPI companion fwnode, so adev might be NULL. +This is similar to the commit cd2fd6eab480 +("platform/x86: int3472: Check for adev == NULL"). + +Add a check for adev not being set and return -ENODEV in that case to +avoid a possible NULL pointer deref in int3402_thermal_probe(). + +Note, under the same directory, int3400_thermal_probe() has such a +check. + +Fixes: 77e337c6e23e ("Thermal: introduce INT3402 thermal driver") +Signed-off-by: Chenyuan Yang +Acked-by: Uwe Kleine-König +Link: https://patch.msgid.link/20250313043611.1212116-1-chenyuan0y@gmail.com +[ rjw: Subject edit, added Fixes: ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel/int340x_thermal/int3402_thermal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c +index 43fa351e2b9ec..b7fdf25bfd237 100644 +--- a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c ++++ b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c +@@ -45,6 +45,9 @@ static int int3402_thermal_probe(struct platform_device *pdev) + struct int3402_thermal_data *d; + int ret; + ++ if (!adev) ++ return -ENODEV; ++ + if (!acpi_has_method(adev->handle, "_TMP")) + return -ENODEV; + +-- +2.39.5 + diff --git a/queue-5.4/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch b/queue-5.4/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch new file mode 100644 index 0000000000..c66c66ea8d --- /dev/null +++ b/queue-5.4/vsock-avoid-timeout-during-connect-if-the-socket-is-.patch @@ -0,0 +1,62 @@ +From b8aa247b6b64ad026ad33b176a09f38c7a59ebc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Mar 2025 15:15:28 +0100 +Subject: vsock: avoid timeout during connect() if the socket is closing + +From: Stefano Garzarella + +[ Upstream commit fccd2b711d9628c7ce0111d5e4938652101ee30a ] + +When a peer attempts to establish a connection, vsock_connect() contains +a loop that waits for the state to be TCP_ESTABLISHED. However, the +other peer can be fast enough to accept the connection and close it +immediately, thus moving the state to TCP_CLOSING. + +When this happens, the peer in the vsock_connect() is properly woken up, +but since the state is not TCP_ESTABLISHED, it goes back to sleep +until the timeout expires, returning -ETIMEDOUT. + +If the socket state is TCP_CLOSING, waiting for the timeout is pointless. +vsock_connect() can return immediately without errors or delay since the +connection actually happened. The socket will be in a closing state, +but this is not an issue, and subsequent calls will fail as expected. + +We discovered this issue while developing a test that accepts and +immediately closes connections to stress the transport switch between +two connect() calls, where the first one was interrupted by a signal +(see Closes link). + +Reported-by: Luigi Leonardi +Closes: https://lore.kernel.org/virtualization/bq6hxrolno2vmtqwcvb5bljfpb7mvwb3kohrvaed6auz5vxrfv@ijmd2f3grobn/ +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Signed-off-by: Stefano Garzarella +Acked-by: Paolo Abeni +Tested-by: Luigi Leonardi +Reviewed-by: Luigi Leonardi +Link: https://patch.msgid.link/20250328141528.420719-1-sgarzare@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 5d490633a7f11..7877515a6962e 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1204,7 +1204,11 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr, + timeout = vsk->connect_timeout; + prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); + +- while (sk->sk_state != TCP_ESTABLISHED && sk->sk_err == 0) { ++ /* If the socket is already closing or it is in an error state, there ++ * is no point in waiting. ++ */ ++ while (sk->sk_state != TCP_ESTABLISHED && ++ sk->sk_state != TCP_CLOSING && sk->sk_err == 0) { + if (flags & O_NONBLOCK) { + /* If we're not going to block, we schedule a timeout + * function to generate a timeout on the connection +-- +2.39.5 + diff --git a/queue-5.4/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch b/queue-5.4/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch new file mode 100644 index 0000000000..882781f82f --- /dev/null +++ b/queue-5.4/wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch @@ -0,0 +1,140 @@ +From ec88e8e9bdc313a514a2cd303363f3ae1d9eabe3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Feb 2025 14:34:45 +0200 +Subject: wifi: iwlwifi: fw: allocate chained SG tables for dump + +From: Johannes Berg + +[ Upstream commit 7774e3920029398ad49dc848b23840593f14d515 ] + +The firmware dumps can be pretty big, and since we use single +pages for each SG table entry, even the table itself may end +up being an order-5 allocation. Build chained tables so that +we need not allocate a higher-order table here. + +This could be improved and cleaned up, e.g. by using the SG +pool code or simply kvmalloc(), but all of that would require +also updating the devcoredump first since that frees it all, +so we need to be more careful. SG pool might also run against +the CONFIG_ARCH_NO_SG_CHAIN limitation, which is irrelevant +here. + +Also use _devcd_free_sgtable() for the error paths now, much +simpler especially since it's in two places now. + +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://patch.msgid.link/20250209143303.697c7a465ac9.Iea982df46b5c075bfb77ade36f187d99a70c63db@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 86 ++++++++++++++------- + 1 file changed, 58 insertions(+), 28 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +index cb5465d9c0686..286b5ca3b1674 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -619,41 +619,71 @@ static void iwl_dump_prph(struct iwl_fw_runtime *fwrt, + } + + /* +- * alloc_sgtable - allocates scallerlist table in the given size, +- * fills it with pages and returns it ++ * alloc_sgtable - allocates (chained) scatterlist in the given size, ++ * fills it with pages and returns it + * @size: the size (in bytes) of the table +-*/ +-static struct scatterlist *alloc_sgtable(int size) ++ */ ++static struct scatterlist *alloc_sgtable(ssize_t size) + { +- int alloc_size, nents, i; +- struct page *new_page; +- struct scatterlist *iter; +- struct scatterlist *table; ++ struct scatterlist *result = NULL, *prev; ++ int nents, i, n_prev; + + nents = DIV_ROUND_UP(size, PAGE_SIZE); +- table = kcalloc(nents, sizeof(*table), GFP_KERNEL); +- if (!table) +- return NULL; +- sg_init_table(table, nents); +- iter = table; +- for_each_sg(table, iter, sg_nents(table), i) { +- new_page = alloc_page(GFP_KERNEL); +- if (!new_page) { +- /* release all previous allocated pages in the table */ +- iter = table; +- for_each_sg(table, iter, sg_nents(table), i) { +- new_page = sg_page(iter); +- if (new_page) +- __free_page(new_page); +- } +- kfree(table); ++ ++#define N_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(*result)) ++ /* ++ * We need an additional entry for table chaining, ++ * this ensures the loop can finish i.e. we can ++ * fit at least two entries per page (obviously, ++ * many more really fit.) ++ */ ++ BUILD_BUG_ON(N_ENTRIES_PER_PAGE < 2); ++ ++ while (nents > 0) { ++ struct scatterlist *new, *iter; ++ int n_fill, n_alloc; ++ ++ if (nents <= N_ENTRIES_PER_PAGE) { ++ /* last needed table */ ++ n_fill = nents; ++ n_alloc = nents; ++ nents = 0; ++ } else { ++ /* fill a page with entries */ ++ n_alloc = N_ENTRIES_PER_PAGE; ++ /* reserve one for chaining */ ++ n_fill = n_alloc - 1; ++ nents -= n_fill; ++ } ++ ++ new = kcalloc(n_alloc, sizeof(*new), GFP_KERNEL); ++ if (!new) { ++ if (result) ++ _devcd_free_sgtable(result); + return NULL; + } +- alloc_size = min_t(int, size, PAGE_SIZE); +- size -= PAGE_SIZE; +- sg_set_page(iter, new_page, alloc_size, 0); ++ sg_init_table(new, n_alloc); ++ ++ if (!result) ++ result = new; ++ else ++ sg_chain(prev, n_prev, new); ++ prev = new; ++ n_prev = n_alloc; ++ ++ for_each_sg(new, iter, n_fill, i) { ++ struct page *new_page = alloc_page(GFP_KERNEL); ++ ++ if (!new_page) { ++ _devcd_free_sgtable(result); ++ return NULL; ++ } ++ ++ sg_set_page(iter, new_page, PAGE_SIZE, 0); ++ } + } +- return table; ++ ++ return result; + } + + static void iwl_fw_get_prph_len(struct iwl_fw_runtime *fwrt, +-- +2.39.5 + diff --git a/queue-5.4/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch b/queue-5.4/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch new file mode 100644 index 0000000000..44e67d53d1 --- /dev/null +++ b/queue-5.4/x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch @@ -0,0 +1,69 @@ +From 6138a861e668fdd8ca2b75522d78b459eedcb1f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 03:01:23 +0100 +Subject: x86/dumpstack: Fix inaccurate unwinding from exception stacks due to + misplaced assignment + +From: Jann Horn + +[ Upstream commit 2c118f50d7fd4d9aefc4533a26f83338b2906b7a ] + +Commit: + + 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again") + +was intended to ensure alignment of the stack pointer; but it also moved +the initialization of the "stack" variable down into the loop header. + +This was likely intended as a no-op cleanup, since the commit +message does not mention it; however, this caused a behavioral change +because the value of "regs" is different between the two places. + +Originally, get_stack_pointer() used the regs provided by the caller; after +that commit, get_stack_pointer() instead uses the regs at the top of the +stack frame the unwinder is looking at. Often, there are no such regs at +all, and "regs" is NULL, causing get_stack_pointer() to fall back to the +task's current stack pointer, which is not what we want here, but probably +happens to mostly work. Other times, the original regs will point to +another regs frame - in that case, the linear guess unwind logic in +show_trace_log_lvl() will start unwinding too far up the stack, causing the +first frame found by the proper unwinder to never be visited, resulting in +a stack trace consisting purely of guess lines. + +Fix it by moving the "stack = " assignment back where it belongs. + +Fixes: 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again") +Signed-off-by: Jann Horn +Signed-off-by: Ingo Molnar +Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-2-acd774364768@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/dumpstack.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c +index 9b2bbb66d0c87..caf14c49539ba 100644 +--- a/arch/x86/kernel/dumpstack.c ++++ b/arch/x86/kernel/dumpstack.c +@@ -171,6 +171,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs, + printk("%sCall Trace:\n", log_lvl); + + unwind_start(&state, task, regs, stack); ++ stack = stack ?: get_stack_pointer(task, regs); + regs = unwind_get_entry_regs(&state, &partial); + + /* +@@ -189,9 +190,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs, + * - hardirq stack + * - entry stack + */ +- for (stack = stack ?: get_stack_pointer(task, regs); +- stack; +- stack = stack_info.next_sp) { ++ for (; stack; stack = stack_info.next_sp) { + const char *stack_name; + + stack = PTR_ALIGN(stack, sizeof(long)); +-- +2.39.5 + diff --git a/queue-5.4/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch b/queue-5.4/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch new file mode 100644 index 0000000000..2c812c410b --- /dev/null +++ b/queue-5.4/x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch @@ -0,0 +1,55 @@ +From fb501b969d68d905f4e61edd011047bec86c05a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Mar 2025 03:01:22 +0100 +Subject: x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1 + +From: Jann Horn + +[ Upstream commit 57e2428f8df8263275344566e02c277648a4b7f1 ] + +PUSH_REGS with save_ret=1 is used by interrupt entry helper functions that +initially start with a UNWIND_HINT_FUNC ORC state. + +However, save_ret=1 means that we clobber the helper function's return +address (and then later restore the return address further down on the +stack); after that point, the only thing on the stack we can unwind through +is the IRET frame, so use UNWIND_HINT_IRET_REGS until we have a full +pt_regs frame. + +( An alternate approach would be to move the pt_regs->di overwrite down + such that it is the final step of pt_regs setup; but I don't want to + rearrange entry code just to make unwinding a tiny bit more elegant. ) + +Fixes: 9e809d15d6b6 ("x86/entry: Reduce the code footprint of the 'idtentry' macro") +Signed-off-by: Jann Horn +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: Brian Gerst +Cc: Juergen Gross +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Kees Cook +Cc: Peter Zijlstra +Cc: Josh Poimboeuf +Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-1-acd774364768@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/entry/calling.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h +index 29e5675c6d4f2..6819ace46d8d2 100644 +--- a/arch/x86/entry/calling.h ++++ b/arch/x86/entry/calling.h +@@ -104,6 +104,8 @@ For 32-bit we have the following conventions - kernel is built with + pushq %rsi /* pt_regs->si */ + movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */ + movq %rdi, 8(%rsp) /* pt_regs->di (overwriting original return address) */ ++ /* We just clobbered the return address - use the IRET frame for unwinding: */ ++ UNWIND_HINT_IRET_REGS offset=3*8 + .else + pushq %rdi /* pt_regs->di */ + pushq %rsi /* pt_regs->si */ +-- +2.39.5 + diff --git a/queue-5.4/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch b/queue-5.4/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch new file mode 100644 index 0000000000..d883b9c39b --- /dev/null +++ b/queue-5.4/x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch @@ -0,0 +1,57 @@ +From 22a95ea79af0c99e31a6f3a8474f7cc42c84d3b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 14:31:36 +0100 +Subject: x86/fpu: Avoid copying dynamic FP state from init_task in + arch_dup_task_struct() + +From: Benjamin Berg + +[ Upstream commit 5d3b81d4d8520efe888536b6906dc10fd1a228a8 ] + +The init_task instance of struct task_struct is statically allocated and +may not contain the full FP state for userspace. As such, limit the copy +to the valid area of both init_task and 'dst' and ensure all memory is +initialized. + +Note that the FP state is only needed for userspace, and as such it is +entirely reasonable for init_task to not contain parts of it. + +Fixes: 5aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86") +Signed-off-by: Benjamin Berg +Signed-off-by: Ingo Molnar +Cc: Andy Lutomirski +Cc: H. Peter Anvin +Cc: Oleg Nesterov +Link: https://lore.kernel.org/r/20250226133136.816901-1-benjamin@sipsolutions.net +---- + +v2: +- Fix code if arch_task_struct_size < sizeof(init_task) by using + memcpy_and_pad. + +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/process.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index c402b079b74e8..cc9d682a98a13 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -96,7 +96,12 @@ EXPORT_PER_CPU_SYMBOL_GPL(__tss_limit_invalid); + */ + int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) + { +- memcpy(dst, src, arch_task_struct_size); ++ /* init_task is not dynamically sized (incomplete FPU state) */ ++ if (unlikely(src == &init_task)) ++ memcpy_and_pad(dst, arch_task_struct_size, src, sizeof(init_task), 0); ++ else ++ memcpy(dst, src, arch_task_struct_size); ++ + #ifdef CONFIG_VM86 + dst->thread.vm86 = NULL; + #endif +-- +2.39.5 + diff --git a/queue-5.4/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch b/queue-5.4/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch new file mode 100644 index 0000000000..aadeb40d08 --- /dev/null +++ b/queue-5.4/x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch @@ -0,0 +1,40 @@ +From fadfb83a4abd3b0b22af8eb6d6abc15661cb846e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jan 2025 09:47:25 +0200 +Subject: x86/mm/pat: cpa-test: fix length for CPA_ARRAY test + +From: Mike Rapoport (Microsoft) + +[ Upstream commit 33ea120582a638b2f2e380a50686c2b1d7cce795 ] + +The CPA_ARRAY test always uses len[1] as numpages argument to +change_page_attr_set() although the addresses array is different each +iteration of the test loop. + +Replace len[1] with len[i] to have numpages matching the addresses array. + +Fixes: ecc729f1f471 ("x86/mm/cpa: Add ARRAY and PAGES_ARRAY selftests") +Signed-off-by: "Mike Rapoport (Microsoft)" +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20250126074733.1384926-2-rppt@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/mm/pageattr-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/mm/pageattr-test.c b/arch/x86/mm/pageattr-test.c +index facce271e8b93..0d24ab91cce34 100644 +--- a/arch/x86/mm/pageattr-test.c ++++ b/arch/x86/mm/pageattr-test.c +@@ -184,7 +184,7 @@ static int pageattr_test(void) + break; + + case 1: +- err = change_page_attr_set(addrs, len[1], PAGE_CPA_TEST, 1); ++ err = change_page_attr_set(addrs, len[i], PAGE_CPA_TEST, 1); + break; + + case 2: +-- +2.39.5 + diff --git a/queue-5.4/x86-platform-only-allow-config_eisa-for-32-bit.patch b/queue-5.4/x86-platform-only-allow-config_eisa-for-32-bit.patch new file mode 100644 index 0000000000..90fe95a26e --- /dev/null +++ b/queue-5.4/x86-platform-only-allow-config_eisa-for-32-bit.patch @@ -0,0 +1,43 @@ +From 2e1abd2fa022494bc655aad2e461e3b7f8804ff1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Feb 2025 22:37:14 +0100 +Subject: x86/platform: Only allow CONFIG_EISA for 32-bit + +From: Arnd Bergmann + +[ Upstream commit 976ba8da2f3c2f1e997f4f620da83ae65c0e3728 ] + +The CONFIG_EISA menu was cleaned up in 2018, but this inadvertently +brought the option back on 64-bit machines: ISA remains guarded by +a CONFIG_X86_32 check, but EISA no longer depends on ISA. + +The last Intel machines ith EISA support used a 82375EB PCI/EISA bridge +from 1993 that could be paired with the 440FX chipset on early Pentium-II +CPUs, long before the first x86-64 products. + +Fixes: 6630a8e50105 ("eisa: consolidate EISA Kconfig entry in drivers/eisa") +Signed-off-by: Arnd Bergmann +Signed-off-by: Ingo Molnar +Cc: Linus Torvalds +Link: https://lore.kernel.org/r/20250226213714.4040853-11-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + arch/x86/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index df0a3a1b08ae0..e92b5eb57acd7 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -160,7 +160,7 @@ config X86 + select HAVE_DYNAMIC_FTRACE_WITH_REGS + select HAVE_EBPF_JIT + select HAVE_EFFICIENT_UNALIGNED_ACCESS +- select HAVE_EISA ++ select HAVE_EISA if X86_32 + select HAVE_EXIT_THREAD + select HAVE_FAST_GUP + select HAVE_FENTRY if X86_64 || DYNAMIC_FTRACE +-- +2.39.5 + -- 2.47.3