Fixes for 5.4 master
authorSasha Levin <sashal@kernel.org>
Fri, 8 Aug 2025 22:24:58 +0000 (18:24 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 8 Aug 2025 22:24:58 +0000 (18:24 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
69 files changed:
queue-5.4/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch [new file with mode: 0644]
queue-5.4/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch [new file with mode: 0644]
queue-5.4/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch [new file with mode: 0644]
queue-5.4/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch [new file with mode: 0644]
queue-5.4/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch [new file with mode: 0644]
queue-5.4/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch [new file with mode: 0644]
queue-5.4/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch [new file with mode: 0644]
queue-5.4/caif-reduce-stack-size-again.patch [new file with mode: 0644]
queue-5.4/can-kvaser_pciefd-store-device-channel-index.patch [new file with mode: 0644]
queue-5.4/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch [new file with mode: 0644]
queue-5.4/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch [new file with mode: 0644]
queue-5.4/clk-sunxi-ng-v3s-fix-de-clock-definition.patch [new file with mode: 0644]
queue-5.4/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch [new file with mode: 0644]
queue-5.4/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch [new file with mode: 0644]
queue-5.4/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch [new file with mode: 0644]
queue-5.4/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch [new file with mode: 0644]
queue-5.4/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch [new file with mode: 0644]
queue-5.4/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch [new file with mode: 0644]
queue-5.4/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch [new file with mode: 0644]
queue-5.4/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch [new file with mode: 0644]
queue-5.4/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch [new file with mode: 0644]
queue-5.4/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch [new file with mode: 0644]
queue-5.4/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch [new file with mode: 0644]
queue-5.4/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch [new file with mode: 0644]
queue-5.4/fs-orangefs-allow-2-more-characters-in-do_c_string.patch [new file with mode: 0644]
queue-5.4/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch [new file with mode: 0644]
queue-5.4/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch [new file with mode: 0644]
queue-5.4/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch [new file with mode: 0644]
queue-5.4/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch [new file with mode: 0644]
queue-5.4/m68k-don-t-unregister-boot-console-needlessly.patch [new file with mode: 0644]
queue-5.4/module-restore-the-moduleparam-prefix-length-check.patch [new file with mode: 0644]
queue-5.4/mtd-fix-possible-integer-overflow-in-erase_xfer.patch [new file with mode: 0644]
queue-5.4/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch [new file with mode: 0644]
queue-5.4/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch [new file with mode: 0644]
queue-5.4/mwl8k-add-missing-check-after-dma-map.patch [new file with mode: 0644]
queue-5.4/net-sched-restrict-conditions-for-adding-duplicating.patch [new file with mode: 0644]
queue-5.4/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch [new file with mode: 0644]
queue-5.4/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch [new file with mode: 0644]
queue-5.4/pci-hotplug-pnv-php-improve-error-msg-on-power-state.patch [new file with mode: 0644]
queue-5.4/pci-hotplug-pnv-php-wrap-warnings-in-macro.patch [new file with mode: 0644]
queue-5.4/pci-rockchip-host-fix-unexpected-completion-log-mess.patch [new file with mode: 0644]
queue-5.4/perf-tests-bp_account-fix-leaked-file-descriptor.patch [new file with mode: 0644]
queue-5.4/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch [new file with mode: 0644]
queue-5.4/power-supply-max14577-handle-null-pdata-when-config_.patch [new file with mode: 0644]
queue-5.4/pps-fix-poll-support.patch [new file with mode: 0644]
queue-5.4/reapply-wifi-mac80211-update-skb-s-control-block-key.patch [new file with mode: 0644]
queue-5.4/revert-vmci-prevent-the-dispatching-of-uninitialized.patch [new file with mode: 0644]
queue-5.4/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch [new file with mode: 0644]
queue-5.4/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch [new file with mode: 0644]
queue-5.4/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch [new file with mode: 0644]
queue-5.4/samples-mei-fix-building-on-musl-libc.patch [new file with mode: 0644]
queue-5.4/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch [new file with mode: 0644]
queue-5.4/scsi-isci-fix-dma_unmap_sg-nents-value.patch [new file with mode: 0644]
queue-5.4/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch [new file with mode: 0644]
queue-5.4/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/soundwire-stream-restore-params-when-prepare-ports-f.patch [new file with mode: 0644]
queue-5.4/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch [new file with mode: 0644]
queue-5.4/staging-nvec-fix-incorrect-null-termination-of-batte.patch [new file with mode: 0644]
queue-5.4/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch [new file with mode: 0644]
queue-5.4/usb-chipidea-udc-fix-sleeping-function-called-from-i.patch [new file with mode: 0644]
queue-5.4/usb-early-xhci-dbc-fix-early_ioremap-leak.patch [new file with mode: 0644]
queue-5.4/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch [new file with mode: 0644]
queue-5.4/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch [new file with mode: 0644]
queue-5.4/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch [new file with mode: 0644]
queue-5.4/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch [new file with mode: 0644]
queue-5.4/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch [new file with mode: 0644]
queue-5.4/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch [new file with mode: 0644]
queue-5.4/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch [new file with mode: 0644]

diff --git a/queue-5.4/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch b/queue-5.4/arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch
new file mode 100644 (file)
index 0000000..4c3b00b
--- /dev/null
@@ -0,0 +1,38 @@
+From 0bbe1eddc8cb9085cfa8e6506ec49cbf56129365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Mar 2025 20:11:16 +0100
+Subject: arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX
+
+From: Johan Korsnes <johan.korsnes@gmail.com>
+
+[ Upstream commit 75cd37c5f28b85979fd5a65174013010f6b78f27 ]
+
+This option was removed from the Kconfig in commit
+8c710f75256b ("net/sched: Retire tcindex classifier") but it was not
+removed from the defconfigs.
+
+Fixes: 8c710f75256b ("net/sched: Retire tcindex classifier")
+Signed-off-by: Johan Korsnes <johan.korsnes@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250323191116.113482-1-johan.korsnes@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/configs/ppc6xx_defconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/powerpc/configs/ppc6xx_defconfig b/arch/powerpc/configs/ppc6xx_defconfig
+index b75b62b094b5..319fe81a4a39 100644
+--- a/arch/powerpc/configs/ppc6xx_defconfig
++++ b/arch/powerpc/configs/ppc6xx_defconfig
+@@ -274,7 +274,6 @@ CONFIG_NET_SCH_DSMARK=m
+ CONFIG_NET_SCH_NETEM=m
+ CONFIG_NET_SCH_INGRESS=m
+ CONFIG_NET_CLS_BASIC=m
+-CONFIG_NET_CLS_TCINDEX=m
+ CONFIG_NET_CLS_ROUTE4=m
+ CONFIG_NET_CLS_FW=m
+ CONFIG_NET_CLS_U32=m
+-- 
+2.39.5
+
diff --git a/queue-5.4/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch b/queue-5.4/arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch
new file mode 100644 (file)
index 0000000..4ae3584
--- /dev/null
@@ -0,0 +1,38 @@
+From fccfa9e100186bc971ad6e2d4136bb6ab44e9863 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 14:24:41 +0200
+Subject: ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485
+ interface
+
+From: Annette Kobou <annette.kobou@kontron.de>
+
+[ Upstream commit 47ef5256124fb939d8157b13ca048c902435cf23 ]
+
+The polarity of the DE signal of the transceiver is active-high for
+sending. Therefore rs485-rts-active-low is wrong and needs to be
+removed to make RS485 transmissions work.
+
+Signed-off-by: Annette Kobou <annette.kobou@kontron.de>
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Fixes: 1ea4b76cdfde ("ARM: dts: imx6ul-kontron-n6310: Add Kontron i.MX6UL N6310 SoM and boards")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts b/arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts
+index 4e99e6c79a68..9b347029c2f6 100644
+--- a/arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts
++++ b/arch/arm/boot/dts/imx6ul-kontron-n6310-s.dts
+@@ -168,7 +168,6 @@ &uart2 {
+       pinctrl-0 = <&pinctrl_uart2>;
+       linux,rs485-enabled-at-boot-time;
+       rs485-rx-during-tx;
+-      rs485-rts-active-low;
+       uart-has-rtscts;
+       status = "okay";
+ };
+-- 
+2.39.5
+
diff --git a/queue-5.4/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch b/queue-5.4/arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch
new file mode 100644 (file)
index 0000000..b9128c9
--- /dev/null
@@ -0,0 +1,37 @@
+From 1db51d7e72a0a37103c2c32d9b60de9de2b5acb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 09:19:22 +0200
+Subject: ARM: dts: vfxxx: Correctly use two tuples for timer address
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f3440dcf8b994197c968fbafe047ce27eed226e8 ]
+
+Address and size-cells are 1 and the ftm timer node takes two address
+spaces in "reg" property, so this should be in two <> tuples.  Change
+has no functional impact, but original code is confusing/less readable.
+
+Fixes: 07513e1330a9 ("ARM: dts: vf610: Add Freescale FlexTimer Module timer node.")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/vfxxx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/vfxxx.dtsi b/arch/arm/boot/dts/vfxxx.dtsi
+index fa248066d9d9..3679922bbabc 100644
+--- a/arch/arm/boot/dts/vfxxx.dtsi
++++ b/arch/arm/boot/dts/vfxxx.dtsi
+@@ -617,7 +617,7 @@ usbmisc1: usb@400b4800 {
+                       ftm: ftm@400b8000 {
+                               compatible = "fsl,ftm-timer";
+-                              reg = <0x400b8000 0x1000 0x400b9000 0x1000>;
++                              reg = <0x400b8000 0x1000>, <0x400b9000 0x1000>;
+                               interrupts = <44 IRQ_TYPE_LEVEL_HIGH>;
+                               clock-names = "ftm-evt", "ftm-src",
+                                       "ftm-evt-counter-en", "ftm-src-counter-en";
+-- 
+2.39.5
+
diff --git a/queue-5.4/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch b/queue-5.4/asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch
new file mode 100644 (file)
index 0000000..c0d2d42
--- /dev/null
@@ -0,0 +1,79 @@
+From bb1e909d155cbd3ba3e3412e1807ef750ea10ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 11:30:53 +0200
+Subject: ASoC: ops: dynamically allocate struct snd_ctl_elem_value
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7e10d7242ea8a5947878880b912ffa5806520705 ]
+
+This structure is really too larget to be allocated on the stack:
+
+sound/soc/soc-ops.c:435:5: error: stack frame size (1296) exceeds limit (1280) in 'snd_soc_limit_volume' [-Werror,-Wframe-larger-than]
+
+Change the function to dynamically allocate it instead.
+
+There is probably a better way to do it since only two integer fields
+inside of that structure are actually used, but this is the simplest
+rework for the moment.
+
+Fixes: 783db6851c18 ("ASoC: ops: Enforce platform maximum on initial value")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250610093057.2643233-1-arnd@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-ops.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index a3b1f1c064dd..02e4f336b524 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -638,28 +638,32 @@ EXPORT_SYMBOL_GPL(snd_soc_get_volsw_range);
+ static int snd_soc_clip_to_platform_max(struct snd_kcontrol *kctl)
+ {
+       struct soc_mixer_control *mc = (struct soc_mixer_control *)kctl->private_value;
+-      struct snd_ctl_elem_value uctl;
++      struct snd_ctl_elem_value *uctl;
+       int ret;
+       if (!mc->platform_max)
+               return 0;
+-      ret = kctl->get(kctl, &uctl);
++      uctl = kzalloc(sizeof(*uctl), GFP_KERNEL);
++      if (!uctl)
++              return -ENOMEM;
++
++      ret = kctl->get(kctl, uctl);
+       if (ret < 0)
+-              return ret;
++              goto out;
+-      if (uctl.value.integer.value[0] > mc->platform_max)
+-              uctl.value.integer.value[0] = mc->platform_max;
++      if (uctl->value.integer.value[0] > mc->platform_max)
++              uctl->value.integer.value[0] = mc->platform_max;
+       if (snd_soc_volsw_is_stereo(mc) &&
+-          uctl.value.integer.value[1] > mc->platform_max)
+-              uctl.value.integer.value[1] = mc->platform_max;
++          uctl->value.integer.value[1] > mc->platform_max)
++              uctl->value.integer.value[1] = mc->platform_max;
+-      ret = kctl->put(kctl, &uctl);
+-      if (ret < 0)
+-              return ret;
++      ret = kctl->put(kctl, uctl);
+-      return 0;
++out:
++      kfree(uctl);
++      return ret;
+ }
+ /**
+-- 
+2.39.5
+
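Review bot: In snd_soc_clip_to_platform_max() the result of `kctl->put(kctl, uctl)` now falls through the `out:` label and is returned unchanged, whereas the removed lines returned 0 for any non-negative result. ALSA put callbacks conventionally return 1 when the value changed, so the function may now hand a positive value to its callers, which are outside this hunk and may treat any non-zero result as failure. If the old contract is intended, normalise before the label with `if (ret > 0) ret = 0;`, or state the new return values in a comment above the function.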
diff --git a/queue-5.4/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch b/queue-5.4/bpf-check-flow_dissector-ctx-accesses-are-aligned.patch
new file mode 100644 (file)
index 0000000..589b64d
--- /dev/null
@@ -0,0 +1,48 @@
+From ab9dfdb9d16ffddf024726a12b4e9698fbf6011e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Aug 2025 11:47:23 +0200
+Subject: bpf: Check flow_dissector ctx accesses are aligned
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit ead3d7b2b6afa5ee7958620c4329982a7d9c2b78 ]
+
+flow_dissector_is_valid_access doesn't check that the context access is
+aligned. As a consequence, an unaligned access within one of the exposed
+field is considered valid and later rejected by
+flow_dissector_convert_ctx_access when we try to convert it.
+
+The later rejection is problematic because it's reported as a verifier
+bug with a kernel warning and doesn't point to the right instruction in
+verifier logs.
+
+Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
+Reported-by: syzbot+ccac90e482b2a81d74aa@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ccac90e482b2a81d74aa
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/cc1b036be484c99be45eddf48bd78cc6f72839b1.1754039605.git.paul.chaignon@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index e6ec6f013ec0..fd18497977bd 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -7282,6 +7282,9 @@ static bool flow_dissector_is_valid_access(int off, int size,
+       if (off < 0 || off >= sizeof(struct __sk_buff))
+               return false;
++      if (off % size != 0)
++              return false;
++
+       if (type == BPF_WRITE)
+               return false;
+-- 
+2.39.5
+
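Review bot: The new `off % size` test in flow_dissector_is_valid_access() relies on `size` being non-zero, and nothing in the visible lines establishes that; a zero would be a division by zero on the verifier path. Presumably the verifier only passes fixed access widths, but that is decided outside this hunk, so a short comment above the check would help, e.g. `/* size is a verifier-supplied, non-zero access width; reject unaligned ctx accesses here so convert_ctx_access never sees them */`. The function body continues past the end of the hunk.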
diff --git a/queue-5.4/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch b/queue-5.4/bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch
new file mode 100644 (file)
index 0000000..883f32b
--- /dev/null
@@ -0,0 +1,59 @@
+From ac85707d9627344956177c85c53729a850b04e42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 10:08:52 +0800
+Subject: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 178f6a5c8cb3b6be1602de0964cd440243f493c9 ]
+
+When sending plaintext data, we initially calculated the corresponding
+ciphertext length. However, if we later reduced the plaintext data length
+via socket policy, we failed to recalculate the ciphertext length.
+
+This results in transmitting buffers containing uninitialized data during
+ciphertext transmission.
+
+This causes uninitialized bytes to be appended after a complete
+"Application Data" packet, leading to errors on the receiving end when
+parsing TLS record.
+
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/bpf/20250609020910.397930-2-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 432bce329392..8dabbbf52168 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -822,6 +822,19 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+               delta = msg->sg.size;
+               psock->eval = sk_psock_msg_verdict(sk, psock, msg);
+               delta -= msg->sg.size;
++
++              if ((s32)delta > 0) {
++                      /* It indicates that we executed bpf_msg_pop_data(),
++                       * causing the plaintext data size to decrease.
++                       * Therefore the encrypted data size also needs to
++                       * correspondingly decrease. We only need to subtract
++                       * delta to calculate the new ciphertext length since
++                       * ktls does not support block encryption.
++                       */
++                      struct sk_msg *enc = &ctx->open_rec->msg_encrypted;
++
++                      sk_msg_trim(sk, enc, enc->sg.size - delta);
++              }
+       }
+       if (msg->cork_bytes && msg->cork_bytes > msg->sg.size &&
+           !enospc && !full_record) {
+-- 
+2.39.5
+
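Review bot: The length passed to `sk_msg_trim(sk, enc, enc->sg.size - delta)` in bpf_exec_tx_verdict() is computed without checking that `delta` does not exceed `enc->sg.size`, so a larger delta would wrap the subtraction instead of shrinking the record. The encrypted message is presumably always at least as large as the plaintext it was sized from, but that invariant, like the validity of `ctx->open_rec`, is set up outside this hunk. Making it explicit would keep a later change from sending a mis-sized record, e.g. `if (!WARN_ON_ONCE(delta > enc->sg.size)) sk_msg_trim(sk, enc, enc->sg.size - delta);`.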
diff --git a/queue-5.4/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch b/queue-5.4/bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch
new file mode 100644 (file)
index 0000000..871f92d
--- /dev/null
@@ -0,0 +1,77 @@
+From f3c6c9650acba2fcdc436bd2eba53438c9ab4cde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:21:33 +0800
+Subject: bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit 99fe8af069a9fa5b09140518b1364e35713a642e ]
+
+In function dump_xx_nlmsg(), when realloc() fails to allocate memory,
+the original pointer to the buffer is overwritten with NULL. This causes
+a memory leak because the previously allocated buffer becomes unreachable
+without being freed.
+
+Fixes: 7900efc19214 ("tools/bpf: bpftool: improve output format for bpftool net")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Reviewed-by: Quentin Monnet <qmo@kernel.org>
+Link: https://lore.kernel.org/r/20250620012133.14819-1-chenyuan_fl@163.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/net.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
+index c6787a1daa48..c2953b2bf130 100644
+--- a/tools/bpf/bpftool/net.c
++++ b/tools/bpf/bpftool/net.c
+@@ -87,17 +87,18 @@ static int dump_link_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+ {
+       struct bpf_netdev_t *netinfo = cookie;
+       struct ifinfomsg *ifinfo = msg;
++      struct ip_devname_ifindex *tmp;
+       if (netinfo->filter_idx > 0 && netinfo->filter_idx != ifinfo->ifi_index)
+               return 0;
+       if (netinfo->used_len == netinfo->array_len) {
+-              netinfo->devices = realloc(netinfo->devices,
+-                      (netinfo->array_len + 16) *
+-                      sizeof(struct ip_devname_ifindex));
+-              if (!netinfo->devices)
++              tmp = realloc(netinfo->devices,
++                      (netinfo->array_len + 16) * sizeof(struct ip_devname_ifindex));
++              if (!tmp)
+                       return -ENOMEM;
++              netinfo->devices = tmp;
+               netinfo->array_len += 16;
+       }
+       netinfo->devices[netinfo->used_len].ifindex = ifinfo->ifi_index;
+@@ -116,6 +117,7 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+ {
+       struct bpf_tcinfo_t *tcinfo = cookie;
+       struct tcmsg *info = msg;
++      struct tc_kind_handle *tmp;
+       if (tcinfo->is_qdisc) {
+               /* skip clsact qdisc */
+@@ -127,11 +129,12 @@ static int dump_class_qdisc_nlmsg(void *cookie, void *msg, struct nlattr **tb)
+       }
+       if (tcinfo->used_len == tcinfo->array_len) {
+-              tcinfo->handle_array = realloc(tcinfo->handle_array,
++              tmp = realloc(tcinfo->handle_array,
+                       (tcinfo->array_len + 16) * sizeof(struct tc_kind_handle));
+-              if (!tcinfo->handle_array)
++              if (!tmp)
+                       return -ENOMEM;
++              tcinfo->handle_array = tmp;
+               tcinfo->array_len += 16;
+       }
+       tcinfo->handle_array[tcinfo->used_len].handle = info->tcm_handle;
+-- 
+2.39.5
+
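Review bot: Both realloc() calls size the array by naming the element type (`sizeof(struct ip_devname_ifindex)`, `sizeof(struct tc_kind_handle)`) rather than the pointee, and the grow-by-16 step is repeated as a bare literal in dump_link_nlmsg() and dump_class_qdisc_nlmsg(). Tying the size to the pointer, `tmp = realloc(netinfo->devices, (netinfo->array_len + 16) * sizeof(*tmp));`, keeps the allocation correct if the element type ever changes, and the same applies to `tcinfo->handle_array`. `tmp` is only used inside the `if` block and could be declared there. Both function bodies continue outside the nested hunks.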
diff --git a/queue-5.4/caif-reduce-stack-size-again.patch b/queue-5.4/caif-reduce-stack-size-again.patch
new file mode 100644 (file)
index 0000000..f1a0435
--- /dev/null
@@ -0,0 +1,359 @@
+From dd391c8511e8b38d1a88f1e6d751dc87f51d9cb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:22:39 +0200
+Subject: caif: reduce stack size, again
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b630c781bcf6ff87657146661816d0d30a902139 ]
+
+I tried to fix the stack usage in this function a couple of years ago,
+but there is still a problem with the latest gcc versions in some
+configurations:
+
+net/caif/cfctrl.c:553:1: error: the frame size of 1296 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
+
+Reduce this once again, with a separate cfctrl_link_setup() function that
+holds the bulk of all the local variables. It also turns out that the
+param[] array that takes up a large portion of the stack is write-only
+and can be left out here.
+
+Fixes: ce6289661b14 ("caif: reduce stack size with KASAN")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250620112244.3425554-1-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/cfctrl.c | 294 +++++++++++++++++++++++-----------------------
+ 1 file changed, 144 insertions(+), 150 deletions(-)
+
+diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
+index d8cb4b2a076b..3eec293ab22f 100644
+--- a/net/caif/cfctrl.c
++++ b/net/caif/cfctrl.c
+@@ -351,17 +351,154 @@ int cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
+       return found;
+ }
++static int cfctrl_link_setup(struct cfctrl *cfctrl, struct cfpkt *pkt, u8 cmdrsp)
++{
++      u8 len;
++      u8 linkid = 0;
++      enum cfctrl_srv serv;
++      enum cfctrl_srv servtype;
++      u8 endpoint;
++      u8 physlinkid;
++      u8 prio;
++      u8 tmp;
++      u8 *cp;
++      int i;
++      struct cfctrl_link_param linkparam;
++      struct cfctrl_request_info rsp, *req;
++
++      memset(&linkparam, 0, sizeof(linkparam));
++
++      tmp = cfpkt_extr_head_u8(pkt);
++
++      serv = tmp & CFCTRL_SRV_MASK;
++      linkparam.linktype = serv;
++
++      servtype = tmp >> 4;
++      linkparam.chtype = servtype;
++
++      tmp = cfpkt_extr_head_u8(pkt);
++      physlinkid = tmp & 0x07;
++      prio = tmp >> 3;
++
++      linkparam.priority = prio;
++      linkparam.phyid = physlinkid;
++      endpoint = cfpkt_extr_head_u8(pkt);
++      linkparam.endpoint = endpoint & 0x03;
++
++      switch (serv) {
++      case CFCTRL_SRV_VEI:
++      case CFCTRL_SRV_DBG:
++              if (CFCTRL_ERR_BIT & cmdrsp)
++                      break;
++              /* Link ID */
++              linkid = cfpkt_extr_head_u8(pkt);
++              break;
++      case CFCTRL_SRV_VIDEO:
++              tmp = cfpkt_extr_head_u8(pkt);
++              linkparam.u.video.connid = tmp;
++              if (CFCTRL_ERR_BIT & cmdrsp)
++                      break;
++              /* Link ID */
++              linkid = cfpkt_extr_head_u8(pkt);
++              break;
++
++      case CFCTRL_SRV_DATAGRAM:
++              linkparam.u.datagram.connid = cfpkt_extr_head_u32(pkt);
++              if (CFCTRL_ERR_BIT & cmdrsp)
++                      break;
++              /* Link ID */
++              linkid = cfpkt_extr_head_u8(pkt);
++              break;
++      case CFCTRL_SRV_RFM:
++              /* Construct a frame, convert
++               * DatagramConnectionID
++               * to network format long and copy it out...
++               */
++              linkparam.u.rfm.connid = cfpkt_extr_head_u32(pkt);
++              cp = (u8 *) linkparam.u.rfm.volume;
++              for (tmp = cfpkt_extr_head_u8(pkt);
++                   cfpkt_more(pkt) && tmp != '\0';
++                   tmp = cfpkt_extr_head_u8(pkt))
++                      *cp++ = tmp;
++              *cp = '\0';
++
++              if (CFCTRL_ERR_BIT & cmdrsp)
++                      break;
++              /* Link ID */
++              linkid = cfpkt_extr_head_u8(pkt);
++
++              break;
++      case CFCTRL_SRV_UTIL:
++              /* Construct a frame, convert
++               * DatagramConnectionID
++               * to network format long and copy it out...
++               */
++              /* Fifosize KB */
++              linkparam.u.utility.fifosize_kb = cfpkt_extr_head_u16(pkt);
++              /* Fifosize bufs */
++              linkparam.u.utility.fifosize_bufs = cfpkt_extr_head_u16(pkt);
++              /* name */
++              cp = (u8 *) linkparam.u.utility.name;
++              caif_assert(sizeof(linkparam.u.utility.name)
++                           >= UTILITY_NAME_LENGTH);
++              for (i = 0; i < UTILITY_NAME_LENGTH && cfpkt_more(pkt); i++) {
++                      tmp = cfpkt_extr_head_u8(pkt);
++                      *cp++ = tmp;
++              }
++              /* Length */
++              len = cfpkt_extr_head_u8(pkt);
++              linkparam.u.utility.paramlen = len;
++              /* Param Data */
++              cp = linkparam.u.utility.params;
++              while (cfpkt_more(pkt) && len--) {
++                      tmp = cfpkt_extr_head_u8(pkt);
++                      *cp++ = tmp;
++              }
++              if (CFCTRL_ERR_BIT & cmdrsp)
++                      break;
++              /* Link ID */
++              linkid = cfpkt_extr_head_u8(pkt);
++              /* Length */
++              len = cfpkt_extr_head_u8(pkt);
++              /* Param Data */
++              cfpkt_extr_head(pkt, NULL, len);
++              break;
++      default:
++              pr_warn("Request setup, invalid type (%d)\n", serv);
++              return -1;
++      }
++
++      rsp.cmd = CFCTRL_CMD_LINK_SETUP;
++      rsp.param = linkparam;
++      spin_lock_bh(&cfctrl->info_list_lock);
++      req = cfctrl_remove_req(cfctrl, &rsp);
++
++      if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
++              cfpkt_erroneous(pkt)) {
++              pr_err("Invalid O/E bit or parse error "
++                              "on CAIF control channel\n");
++              cfctrl->res.reject_rsp(cfctrl->serv.layer.up, 0,
++                                     req ? req->client_layer : NULL);
++      } else {
++              cfctrl->res.linksetup_rsp(cfctrl->serv.layer.up, linkid,
++                                        serv, physlinkid,
++                                        req ?  req->client_layer : NULL);
++      }
++
++      kfree(req);
++
++      spin_unlock_bh(&cfctrl->info_list_lock);
++
++      return 0;
++}
++
+ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+ {
+       u8 cmdrsp;
+       u8 cmd;
+-      int ret = -1;
+-      u8 len;
+-      u8 param[255];
++      int ret = 0;
+       u8 linkid = 0;
+       struct cfctrl *cfctrl = container_obj(layer);
+-      struct cfctrl_request_info rsp, *req;
+-
+       cmdrsp = cfpkt_extr_head_u8(pkt);
+       cmd = cmdrsp & CFCTRL_CMD_MASK;
+@@ -374,150 +511,7 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+       switch (cmd) {
+       case CFCTRL_CMD_LINK_SETUP:
+-              {
+-                      enum cfctrl_srv serv;
+-                      enum cfctrl_srv servtype;
+-                      u8 endpoint;
+-                      u8 physlinkid;
+-                      u8 prio;
+-                      u8 tmp;
+-                      u8 *cp;
+-                      int i;
+-                      struct cfctrl_link_param linkparam;
+-                      memset(&linkparam, 0, sizeof(linkparam));
+-
+-                      tmp = cfpkt_extr_head_u8(pkt);
+-
+-                      serv = tmp & CFCTRL_SRV_MASK;
+-                      linkparam.linktype = serv;
+-
+-                      servtype = tmp >> 4;
+-                      linkparam.chtype = servtype;
+-
+-                      tmp = cfpkt_extr_head_u8(pkt);
+-                      physlinkid = tmp & 0x07;
+-                      prio = tmp >> 3;
+-
+-                      linkparam.priority = prio;
+-                      linkparam.phyid = physlinkid;
+-                      endpoint = cfpkt_extr_head_u8(pkt);
+-                      linkparam.endpoint = endpoint & 0x03;
+-
+-                      switch (serv) {
+-                      case CFCTRL_SRV_VEI:
+-                      case CFCTRL_SRV_DBG:
+-                              if (CFCTRL_ERR_BIT & cmdrsp)
+-                                      break;
+-                              /* Link ID */
+-                              linkid = cfpkt_extr_head_u8(pkt);
+-                              break;
+-                      case CFCTRL_SRV_VIDEO:
+-                              tmp = cfpkt_extr_head_u8(pkt);
+-                              linkparam.u.video.connid = tmp;
+-                              if (CFCTRL_ERR_BIT & cmdrsp)
+-                                      break;
+-                              /* Link ID */
+-                              linkid = cfpkt_extr_head_u8(pkt);
+-                              break;
+-
+-                      case CFCTRL_SRV_DATAGRAM:
+-                              linkparam.u.datagram.connid =
+-                                  cfpkt_extr_head_u32(pkt);
+-                              if (CFCTRL_ERR_BIT & cmdrsp)
+-                                      break;
+-                              /* Link ID */
+-                              linkid = cfpkt_extr_head_u8(pkt);
+-                              break;
+-                      case CFCTRL_SRV_RFM:
+-                              /* Construct a frame, convert
+-                               * DatagramConnectionID
+-                               * to network format long and copy it out...
+-                               */
+-                              linkparam.u.rfm.connid =
+-                                  cfpkt_extr_head_u32(pkt);
+-                              cp = (u8 *) linkparam.u.rfm.volume;
+-                              for (tmp = cfpkt_extr_head_u8(pkt);
+-                                   cfpkt_more(pkt) && tmp != '\0';
+-                                   tmp = cfpkt_extr_head_u8(pkt))
+-                                      *cp++ = tmp;
+-                              *cp = '\0';
+-
+-                              if (CFCTRL_ERR_BIT & cmdrsp)
+-                                      break;
+-                              /* Link ID */
+-                              linkid = cfpkt_extr_head_u8(pkt);
+-
+-                              break;
+-                      case CFCTRL_SRV_UTIL:
+-                              /* Construct a frame, convert
+-                               * DatagramConnectionID
+-                               * to network format long and copy it out...
+-                               */
+-                              /* Fifosize KB */
+-                              linkparam.u.utility.fifosize_kb =
+-                                  cfpkt_extr_head_u16(pkt);
+-                              /* Fifosize bufs */
+-                              linkparam.u.utility.fifosize_bufs =
+-                                  cfpkt_extr_head_u16(pkt);
+-                              /* name */
+-                              cp = (u8 *) linkparam.u.utility.name;
+-                              caif_assert(sizeof(linkparam.u.utility.name)
+-                                           >= UTILITY_NAME_LENGTH);
+-                              for (i = 0;
+-                                   i < UTILITY_NAME_LENGTH
+-                                   && cfpkt_more(pkt); i++) {
+-                                      tmp = cfpkt_extr_head_u8(pkt);
+-                                      *cp++ = tmp;
+-                              }
+-                              /* Length */
+-                              len = cfpkt_extr_head_u8(pkt);
+-                              linkparam.u.utility.paramlen = len;
+-                              /* Param Data */
+-                              cp = linkparam.u.utility.params;
+-                              while (cfpkt_more(pkt) && len--) {
+-                                      tmp = cfpkt_extr_head_u8(pkt);
+-                                      *cp++ = tmp;
+-                              }
+-                              if (CFCTRL_ERR_BIT & cmdrsp)
+-                                      break;
+-                              /* Link ID */
+-                              linkid = cfpkt_extr_head_u8(pkt);
+-                              /* Length */
+-                              len = cfpkt_extr_head_u8(pkt);
+-                              /* Param Data */
+-                              cfpkt_extr_head(pkt, &param, len);
+-                              break;
+-                      default:
+-                              pr_warn("Request setup, invalid type (%d)\n",
+-                                      serv);
+-                              goto error;
+-                      }
+-
+-                      rsp.cmd = cmd;
+-                      rsp.param = linkparam;
+-                      spin_lock_bh(&cfctrl->info_list_lock);
+-                      req = cfctrl_remove_req(cfctrl, &rsp);
+-
+-                      if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
+-                              cfpkt_erroneous(pkt)) {
+-                              pr_err("Invalid O/E bit or parse error "
+-                                              "on CAIF control channel\n");
+-                              cfctrl->res.reject_rsp(cfctrl->serv.layer.up,
+-                                                     0,
+-                                                     req ? req->client_layer
+-                                                     : NULL);
+-                      } else {
+-                              cfctrl->res.linksetup_rsp(cfctrl->serv.
+-                                                        layer.up, linkid,
+-                                                        serv, physlinkid,
+-                                                        req ? req->
+-                                                        client_layer : NULL);
+-                      }
+-
+-                      kfree(req);
+-
+-                      spin_unlock_bh(&cfctrl->info_list_lock);
+-              }
++              ret = cfctrl_link_setup(cfctrl, pkt, cmdrsp);
+               break;
+       case CFCTRL_CMD_LINK_DESTROY:
+               linkid = cfpkt_extr_head_u8(pkt);
+@@ -544,9 +538,9 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
+               break;
+       default:
+               pr_err("Unrecognized Control Frame\n");
++              ret = -1;
+               goto error;
+       }
+-      ret = 0;
+ error:
+       cfpkt_destroy(pkt);
+       return ret;
+-- 
+2.39.5
+
diff --git a/queue-5.4/can-kvaser_pciefd-store-device-channel-index.patch b/queue-5.4/can-kvaser_pciefd-store-device-channel-index.patch
new file mode 100644 (file)
index 0000000..71d3077
--- /dev/null
@@ -0,0 +1,36 @@
+From 92b1e9dd407172fb422f32c777b24431f2206fcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:32:25 +0200
+Subject: can: kvaser_pciefd: Store device channel index
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit d54b16b40ddadb7d0a77fff48af7b319a0cd6aae ]
+
+Store device channel index in netdev.dev_port.
+
+Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://patch.msgid.link/20250725123230.8-6-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/kvaser_pciefd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/can/kvaser_pciefd.c b/drivers/net/can/kvaser_pciefd.c
+index 560a0a5ba6f3..f269b5faa03a 100644
+--- a/drivers/net/can/kvaser_pciefd.c
++++ b/drivers/net/can/kvaser_pciefd.c
+@@ -953,6 +953,7 @@ static int kvaser_pciefd_setup_can_ctrls(struct kvaser_pciefd *pcie)
+               can->err_rep_cnt = 0;
+               can->bec.txerr = 0;
+               can->bec.rxerr = 0;
++              can->can.dev->dev_port = i;
+               init_completion(&can->start_comp);
+               init_completion(&can->flush_comp);
+-- 
+2.39.5
+
diff --git a/queue-5.4/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch b/queue-5.4/can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch
new file mode 100644 (file)
index 0000000..1564cfa
--- /dev/null
@@ -0,0 +1,39 @@
+From 7dcb8a68e4677da2c6f11f9b0dc913ed8e633706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:34:44 +0200
+Subject: can: kvaser_usb: Assign netdev.dev_port based on device channel index
+
+From: Jimmy Assarsson <extja@kvaser.com>
+
+[ Upstream commit c151b06a087a61c7a1790b75ee2f1d6edb6a8a45 ]
+
+Assign netdev.dev_port based on the device channel index, to indicate the
+port number of the network device.
+While this driver already uses netdev.dev_id for that purpose, dev_port is
+more appropriate. However, retain dev_id to avoid potential regressions.
+
+Fixes: 3e66d0138c05 ("can: populate netdev::dev_id for udev discrimination")
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
+Link: https://patch.msgid.link/20250725123452.41-4-extja@kvaser.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+index a96b22398407..602f0b3bbcdf 100644
+--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
++++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+@@ -813,6 +813,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
+       SET_NETDEV_DEV(netdev, &dev->intf->dev);
+       netdev->dev_id = channel;
++      netdev->dev_port = channel;
+       dev->nets[channel] = priv;
+-- 
+2.39.5
+
diff --git a/queue-5.4/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch b/queue-5.4/clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch
new file mode 100644 (file)
index 0000000..92acd84
--- /dev/null
@@ -0,0 +1,45 @@
+From 533c32f639e2e1e09f9937150424e50c0ddb549f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 21:13:41 +0800
+Subject: clk: davinci: Add NULL check in davinci_lpsc_clk_register()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 13de464f445d42738fe18c9a28bab056ba3a290a ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+davinci_lpsc_clk_register() does not check for this case, which results
+in a NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue and ensuring
+no resources are left allocated.
+
+Fixes: c6ed4d734bc7 ("clk: davinci: New driver for davinci PSC clocks")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://lore.kernel.org/r/20250401131341.26800-1-bsdhenrymartin@gmail.com
+Reviewed-by: David Lechner <david@lechnology.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/davinci/psc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/clk/davinci/psc.c b/drivers/clk/davinci/psc.c
+index 5b69e24a224f..2e153320fc53 100644
+--- a/drivers/clk/davinci/psc.c
++++ b/drivers/clk/davinci/psc.c
+@@ -278,6 +278,11 @@ davinci_lpsc_clk_register(struct device *dev, const char *name,
+       lpsc->pm_domain.name = devm_kasprintf(dev, GFP_KERNEL, "%s: %s",
+                                             best_dev_name(dev), name);
++      if (!lpsc->pm_domain.name) {
++              clk_hw_unregister(&lpsc->hw);
++              kfree(lpsc);
++              return ERR_PTR(-ENOMEM);
++      }
+       lpsc->pm_domain.attach_dev = davinci_psc_genpd_attach_dev;
+       lpsc->pm_domain.detach_dev = davinci_psc_genpd_detach_dev;
+       lpsc->pm_domain.flags = GENPD_FLAG_PM_CLK;
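Review bot: The new error path frees `lpsc` right after `clk_hw_unregister(&lpsc->hw)`, which is safe only if nothing registered earlier in davinci_lpsc_clk_register() still refers to `lpsc->hw`. The start of the function is outside the hunk, so this needs checking against the full source. If a clkdev lookup or similar reference is created before the devm_kasprintf() call, it has to be dropped in this branch as well, otherwise it is left pointing at freed memory. A comment on the branch such as `/* undo clk_hw_register(); no other reference to lpsc->hw exists yet */` would record that assumption once it is confirmed.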
+-- 
+2.39.5
+
diff --git a/queue-5.4/clk-sunxi-ng-v3s-fix-de-clock-definition.patch b/queue-5.4/clk-sunxi-ng-v3s-fix-de-clock-definition.patch
new file mode 100644 (file)
index 0000000..bc9e35c
--- /dev/null
@@ -0,0 +1,44 @@
+From 6a7c44127364b6041a4f9378814bfc3fbc4a6a33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 17:40:07 +0200
+Subject: clk: sunxi-ng: v3s: Fix de clock definition
+
+From: Paul Kocialkowski <paulk@sys-base.io>
+
+[ Upstream commit e8ab346f9907a1a3aa2f0e5decf849925c06ae2e ]
+
+The de clock is marked with CLK_SET_RATE_PARENT, which is really not
+necessary (as confirmed from experimentation) and significantly
+restricts flexibility for other clocks using the same parent.
+
+In addition the source selection (parent) field is marked as using
+2 bits, when it the documentation reports that it uses 3.
+
+Fix both issues in the de clock definition.
+
+Fixes: d0f11d14b0bc ("clk: sunxi-ng: add support for V3s CCU")
+Signed-off-by: Paul Kocialkowski <paulk@sys-base.io>
+Link: https://patch.msgid.link/20250704154008.3463257-1-paulk@sys-base.io
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+index 0e36ca3bf3d5..4fddb489cdce 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
++++ b/drivers/clk/sunxi-ng/ccu-sun8i-v3s.c
+@@ -334,8 +334,7 @@ static SUNXI_CCU_GATE(dram_ohci_clk,       "dram-ohci",    "dram",
+ static const char * const de_parents[] = { "pll-video", "pll-periph0" };
+ static SUNXI_CCU_M_WITH_MUX_GATE(de_clk, "de", de_parents,
+-                               0x104, 0, 4, 24, 2, BIT(31),
+-                               CLK_SET_RATE_PARENT);
++                               0x104, 0, 4, 24, 3, BIT(31), 0);
+ static const char * const tcon_parents[] = { "pll-video" };
+ static SUNXI_CCU_M_WITH_MUX_GATE(tcon_clk, "tcon", tcon_parents,
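Review bot: The mux field of `de_clk` is widened to 3 bits while `de_parents[]` still lists two names, so register values 2 to 7 have no entry in the parent table. If the hardware can hold one of those selections (for example, left by earlier boot code), the parent lookup has nothing to return for it, so it is worth confirming how the clock core handles an out-of-range index. A comment above the definition, e.g. `/* mux field is 3 bits wide; only two parents are listed */`, would make the mismatch explicit for the next reader.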
+-- 
+2.39.5
+
diff --git a/queue-5.4/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch b/queue-5.4/cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch
new file mode 100644 (file)
index 0000000..daa526c
--- /dev/null
@@ -0,0 +1,49 @@
+From d2ea092adea81024246aa77a94da25afd5714b79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:41:43 +0800
+Subject: cpufreq: Init policy->rwsem before it may be possibly used
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit d1378d1d7edb3a4c4935a44fe834ae135be03564 ]
+
+In cpufreq_policy_put_kobj(), policy->rwsem is used. But in
+cpufreq_policy_alloc(), if freq_qos_add_notifier() returns an error, error
+path via err_kobj_remove or err_min_qos_notifier will be reached and
+cpufreq_policy_put_kobj() will be called before policy->rwsem is
+initialized. Thus, the calling of init_rwsem() should be moved to where
+before these two error paths can be reached.
+
+Fixes: 67d874c3b2c6 ("cpufreq: Register notifiers with the PM QoS framework")
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://patch.msgid.link/20250709104145.2348017-3-zhenglifeng1@huawei.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 2a2fea6743aa..00f12d23077c 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -1220,6 +1220,8 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
+               goto err_free_real_cpus;
+       }
++      init_rwsem(&policy->rwsem);
++
+       freq_constraints_init(&policy->constraints);
+       policy->nb_min.notifier_call = cpufreq_notifier_min;
+@@ -1242,7 +1244,6 @@ static struct cpufreq_policy *cpufreq_policy_alloc(unsigned int cpu)
+       }
+       INIT_LIST_HEAD(&policy->policy_list);
+-      init_rwsem(&policy->rwsem);
+       spin_lock_init(&policy->transition_lock);
+       init_waitqueue_head(&policy->transition_wait);
+       INIT_WORK(&policy->update, handle_update);
+-- 
+2.39.5
+
diff --git a/queue-5.4/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch b/queue-5.4/crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch
new file mode 100644 (file)
index 0000000..033ad2e
--- /dev/null
@@ -0,0 +1,81 @@
+From 1834cf493fa4fc812852373792ced6a6b956c987 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:54:18 +0800
+Subject: crypto: ccp - Fix crash when rebind ccp device for ccp.ko
+
+From: Mengbiao Xiong <xisme1998@gmail.com>
+
+[ Upstream commit 181698af38d3f93381229ad89c09b5bd0496661a ]
+
+When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding
+the ccp device causes the following crash:
+
+$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind
+$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind
+
+[  204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098
+[  204.978026] #PF: supervisor write access in kernel mode
+[  204.979126] #PF: error_code(0x0002) - not-present page
+[  204.980226] PGD 0 P4D 0
+[  204.981317] Oops: Oops: 0002 [#1] SMP NOPTI
+...
+[  204.997852] Call Trace:
+[  204.999074]  <TASK>
+[  205.000297]  start_creating+0x9f/0x1c0
+[  205.001533]  debugfs_create_dir+0x1f/0x170
+[  205.002769]  ? srso_return_thunk+0x5/0x5f
+[  205.004000]  ccp5_debugfs_setup+0x87/0x170 [ccp]
+[  205.005241]  ccp5_init+0x8b2/0x960 [ccp]
+[  205.006469]  ccp_dev_init+0xd4/0x150 [ccp]
+[  205.007709]  sp_init+0x5f/0x80 [ccp]
+[  205.008942]  sp_pci_probe+0x283/0x2e0 [ccp]
+[  205.010165]  ? srso_return_thunk+0x5/0x5f
+[  205.011376]  local_pci_probe+0x4f/0xb0
+[  205.012584]  pci_device_probe+0xdb/0x230
+[  205.013810]  really_probe+0xed/0x380
+[  205.015024]  __driver_probe_device+0x7e/0x160
+[  205.016240]  device_driver_attach+0x2f/0x60
+[  205.017457]  bind_store+0x7c/0xb0
+[  205.018663]  drv_attr_store+0x28/0x40
+[  205.019868]  sysfs_kf_write+0x5f/0x70
+[  205.021065]  kernfs_fop_write_iter+0x145/0x1d0
+[  205.022267]  vfs_write+0x308/0x440
+[  205.023453]  ksys_write+0x6d/0xe0
+[  205.024616]  __x64_sys_write+0x1e/0x30
+[  205.025778]  x64_sys_call+0x16ba/0x2150
+[  205.026942]  do_syscall_64+0x56/0x1e0
+[  205.028108]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[  205.029276] RIP: 0033:0x7fbc36f10104
+[  205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5
+
+This patch sets ccp_debugfs_dir to NULL after destroying it in
+ccp5_debugfs_destroy, allowing the directory dentry to be
+recreated when rebinding the ccp device.
+
+Tested on AMD Ryzen 7 1700X.
+
+Fixes: 3cdbe346ed3f ("crypto: ccp - Add debugfs entries for CCP information")
+Signed-off-by: Mengbiao Xiong <xisme1998@gmail.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/ccp-debugfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/ccp/ccp-debugfs.c b/drivers/crypto/ccp/ccp-debugfs.c
+index a1055554b47a..dc26bc22c91d 100644
+--- a/drivers/crypto/ccp/ccp-debugfs.c
++++ b/drivers/crypto/ccp/ccp-debugfs.c
+@@ -319,5 +319,8 @@ void ccp5_debugfs_setup(struct ccp_device *ccp)
+ void ccp5_debugfs_destroy(void)
+ {
++      mutex_lock(&ccp_debugfs_lock);
+       debugfs_remove_recursive(ccp_debugfs_dir);
++      ccp_debugfs_dir = NULL;
++      mutex_unlock(&ccp_debugfs_lock);
+ }
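Review bot: ccp5_debugfs_destroy() now clears the cached dentry, but nothing in the function says why. A comment above the assignment, e.g. `/* cleared so ccp5_debugfs_setup() creates the directory again on rebind */`, would record the reason given in the commit message. The function takes no device argument and removes the directory recursively, so it tears down the entries of the whole module. If more than one CCP device can be bound, the callers (outside the hunk) have to make sure it runs only when the last one goes away.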
+-- 
+2.39.5
+
diff --git a/queue-5.4/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch b/queue-5.4/crypto-img-hash-fix-dma_unmap_sg-nents-value.patch
new file mode 100644 (file)
index 0000000..c041836
--- /dev/null
@@ -0,0 +1,36 @@
+From 2b88969369b607d1d3f96f7349fe54b3a7726a38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 11:16:22 +0200
+Subject: crypto: img-hash - Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 34b283636181ce02c52633551f594fec9876bec7 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/img-hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c
+index 17cc44f14e5c..b5fd15e0c050 100644
+--- a/drivers/crypto/img-hash.c
++++ b/drivers/crypto/img-hash.c
+@@ -434,7 +434,7 @@ static int img_hash_write_via_dma_stop(struct img_hash_dev *hdev)
+       struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req);
+       if (ctx->flags & DRIVER_FLAGS_SG)
+-              dma_unmap_sg(hdev->dev, ctx->sg, ctx->dma_ct, DMA_TO_DEVICE);
++              dma_unmap_sg(hdev->dev, ctx->sg, 1, DMA_TO_DEVICE);
+       return 0;
+ }
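Review bot: The unmap count in img_hash_write_via_dma_stop() is now the bare literal `1`, which is correct only while the matching dma_map_sg() call also passes 1; that call is outside the hunk. A comment on the line, e.g. `/* same nents as passed to dma_map_sg(), not its return value */`, would keep the two calls from drifting apart. `ctx->dma_ct` is no longer read here, so it is worth confirming that the field still has a user.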
+-- 
+2.39.5
+
diff --git a/queue-5.4/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch b/queue-5.4/crypto-marvell-cesa-fix-engine-load-inaccuracy.patch
new file mode 100644 (file)
index 0000000..9283dcc
--- /dev/null
@@ -0,0 +1,75 @@
+From 7b25c01626e87297c015da87632a03a8e7ffc0dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 20:41:28 +0800
+Subject: crypto: marvell/cesa - Fix engine load inaccuracy
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 442134ab30e75b7229c4bfc1ac5641d245cffe27 ]
+
+If an error occurs during queueing the engine load will never be
+decremented.  Fix this by moving the engine load adjustment into
+the cleanup function.
+
+Fixes: bf8f91e71192 ("crypto: marvell - Add load balancing between engines")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cipher.c | 4 +++-
+ drivers/crypto/marvell/hash.c   | 5 +++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/marvell/cipher.c b/drivers/crypto/marvell/cipher.c
+index f92f86c94bff..d48034a9e0da 100644
+--- a/drivers/crypto/marvell/cipher.c
++++ b/drivers/crypto/marvell/cipher.c
+@@ -73,9 +73,12 @@ mv_cesa_skcipher_dma_cleanup(struct skcipher_request *req)
+ static inline void mv_cesa_skcipher_cleanup(struct skcipher_request *req)
+ {
+       struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
++      struct mv_cesa_engine *engine = creq->base.engine;
+       if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
+               mv_cesa_skcipher_dma_cleanup(req);
++
++      atomic_sub(req->cryptlen, &engine->load);
+ }
+ static void mv_cesa_skcipher_std_step(struct skcipher_request *req)
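Review bot: mv_cesa_skcipher_cleanup() now dereferences `creq->base.engine` and subtracts `req->cryptlen` on every call. That is correct only if each caller reaches it after an engine has been assigned and the same length has been added to `engine->load`. The callers and the matching add are outside these hunks and should be checked, including any error path that runs cleanup before the request was queued. The same applies to mv_cesa_ahash_cleanup() with `req->nbytes` in hash.c. A comment above the subtraction, e.g. `/* undo the load accounted when the engine was selected */`, would document the pairing.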
+@@ -202,7 +205,6 @@ mv_cesa_skcipher_complete(struct crypto_async_request *req)
+       struct mv_cesa_engine *engine = creq->base.engine;
+       unsigned int ivsize;
+-      atomic_sub(skreq->cryptlen, &engine->load);
+       ivsize = crypto_skcipher_ivsize(crypto_skcipher_reqtfm(skreq));
+       if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ) {
+diff --git a/drivers/crypto/marvell/hash.c b/drivers/crypto/marvell/hash.c
+index de1599bca3b7..01dd597b6a2a 100644
+--- a/drivers/crypto/marvell/hash.c
++++ b/drivers/crypto/marvell/hash.c
+@@ -107,9 +107,12 @@ static inline void mv_cesa_ahash_dma_cleanup(struct ahash_request *req)
+ static inline void mv_cesa_ahash_cleanup(struct ahash_request *req)
+ {
+       struct mv_cesa_ahash_req *creq = ahash_request_ctx(req);
++      struct mv_cesa_engine *engine = creq->base.engine;
+       if (mv_cesa_req_get_type(&creq->base) == CESA_DMA_REQ)
+               mv_cesa_ahash_dma_cleanup(req);
++
++      atomic_sub(req->nbytes, &engine->load);
+ }
+ static void mv_cesa_ahash_last_cleanup(struct ahash_request *req)
+@@ -363,8 +366,6 @@ static void mv_cesa_ahash_complete(struct crypto_async_request *req)
+                       }
+               }
+       }
+-
+-      atomic_sub(ahashreq->nbytes, &engine->load);
+ }
+ static void mv_cesa_ahash_prepare(struct crypto_async_request *req,
+-- 
+2.39.5
+
diff --git a/queue-5.4/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch b/queue-5.4/crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch
new file mode 100644 (file)
index 0000000..36ab42a
--- /dev/null
@@ -0,0 +1,49 @@
+From 8b305237dd33a4bbd0ae169d8c3665e6dcabfedc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 08:10:29 +0100
+Subject: crypto: qat - fix seq_file position update in adf_ring_next()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 6908c5f4f066a0412c3d9a6f543a09fa7d87824b ]
+
+The `adf_ring_next()` function in the QAT debug transport interface
+fails to correctly update the position index when reaching the end of
+the ring elements. This triggers the following kernel warning when
+reading ring files, such as
+/sys/kernel/debug/qat_c6xx_<D:B:D:F>/transport/bank_00/ring_00:
+
+   [27725.022965] seq_file: buggy .next function adf_ring_next [intel_qat] did not update position index
+
+Ensure that the `*pos` index is incremented before returning NULL when
+after the last element in the ring is found, satisfying the seq_file API
+requirements and preventing the warning.
+
+Fixes: a672a9dc872e ("crypto: qat - Intel(R) QAT transport code")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_transport_debug.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_transport_debug.c b/drivers/crypto/qat/qat_common/adf_transport_debug.c
+index e794e9d97b2c..9303d6318207 100644
+--- a/drivers/crypto/qat/qat_common/adf_transport_debug.c
++++ b/drivers/crypto/qat/qat_common/adf_transport_debug.c
+@@ -75,8 +75,10 @@ static void *adf_ring_next(struct seq_file *sfile, void *v, loff_t *pos)
+       struct adf_etr_ring_data *ring = sfile->private;
+       if (*pos >= (ADF_SIZE_TO_RING_SIZE_IN_BYTES(ring->ring_size) /
+-                   ADF_MSG_SIZE_TO_BYTES(ring->msg_size)))
++                   ADF_MSG_SIZE_TO_BYTES(ring->msg_size))) {
++              (*pos)++;
+               return NULL;
++      }
+       return ring->base_addr +
+               (ADF_MSG_SIZE_TO_BYTES(ring->msg_size) * (*pos)++);
+-- 
+2.39.5
+
diff --git a/queue-5.4/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch b/queue-5.4/dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch
new file mode 100644 (file)
index 0000000..e344fe5
--- /dev/null
@@ -0,0 +1,73 @@
+From cf623b990dcac921c5a75d785dc3165a75babe8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 14:37:52 +0200
+Subject: dmaengine: mv_xor: Fix missing check after DMA map and missing unmap
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 60095aca6b471b7b7a79c80b7395f7e4e414b479 ]
+
+The DMA map functions can fail and should be tested for errors.
+
+In case of error, unmap the already mapped regions.
+
+Fixes: 22843545b200 ("dma: mv_xor: Add support for DMA_INTERRUPT")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250701123753.46935-2-fourier.thomas@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mv_xor.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
+index e96032096042..827a1a9907b6 100644
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -1061,8 +1061,16 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+        */
+       mv_chan->dummy_src_addr = dma_map_single(dma_dev->dev,
+               mv_chan->dummy_src, MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE);
++      if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_src_addr))
++              return ERR_PTR(-ENOMEM);
++
+       mv_chan->dummy_dst_addr = dma_map_single(dma_dev->dev,
+               mv_chan->dummy_dst, MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE);
++      if (dma_mapping_error(dma_dev->dev, mv_chan->dummy_dst_addr)) {
++              ret = -ENOMEM;
++              goto err_unmap_src;
++      }
++
+       /* allocate coherent memory for hardware descriptors
+        * note: writecombine gives slightly better performance, but
+@@ -1071,8 +1079,10 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+       mv_chan->dma_desc_pool_virt =
+         dma_alloc_wc(&pdev->dev, MV_XOR_POOL_SIZE, &mv_chan->dma_desc_pool,
+                      GFP_KERNEL);
+-      if (!mv_chan->dma_desc_pool_virt)
+-              return ERR_PTR(-ENOMEM);
++      if (!mv_chan->dma_desc_pool_virt) {
++              ret = -ENOMEM;
++              goto err_unmap_dst;
++      }
+       /* discover transaction capabilites from the platform data */
+       dma_dev->cap_mask = cap_mask;
+@@ -1156,6 +1166,13 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
+ err_free_dma:
+       dma_free_coherent(&pdev->dev, MV_XOR_POOL_SIZE,
+                         mv_chan->dma_desc_pool_virt, mv_chan->dma_desc_pool);
++err_unmap_dst:
++      dma_unmap_single(dma_dev->dev, mv_chan->dummy_dst_addr,
++                       MV_XOR_MIN_BYTE_COUNT, DMA_TO_DEVICE);
++err_unmap_src:
++      dma_unmap_single(dma_dev->dev, mv_chan->dummy_src_addr,
++                       MV_XOR_MIN_BYTE_COUNT, DMA_FROM_DEVICE);
++
+       return ERR_PTR(ret);
+ }
+-- 
+2.39.5
+
diff --git a/queue-5.4/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch b/queue-5.4/dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch
new file mode 100644 (file)
index 0000000..1fa1a38
--- /dev/null
@@ -0,0 +1,55 @@
+From f8bd23963227cf3d9d426761b56332aca1197316 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:57:16 +0200
+Subject: dmaengine: nbpfaxi: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c6ee78fc8f3e653bec427cfd06fec7877ee782bd ]
+
+The DMA map functions can fail and should be tested for errors.
+If the mapping fails, unmap and return an error.
+
+Fixes: b45b262cefd5 ("dmaengine: add a driver for AMBA AXI NBPF DMAC IP cores")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250707075752.28674-2-fourier.thomas@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/nbpfaxi.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/dma/nbpfaxi.c b/drivers/dma/nbpfaxi.c
+index b9a36a6a3852..0a8b04798b98 100644
+--- a/drivers/dma/nbpfaxi.c
++++ b/drivers/dma/nbpfaxi.c
+@@ -705,6 +705,9 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan)
+               list_add_tail(&ldesc->node, &lhead);
+               ldesc->hwdesc_dma_addr = dma_map_single(dchan->device->dev,
+                                       hwdesc, sizeof(*hwdesc), DMA_TO_DEVICE);
++              if (dma_mapping_error(dchan->device->dev,
++                                    ldesc->hwdesc_dma_addr))
++                      goto unmap_error;
+               dev_dbg(dev, "%s(): mapped 0x%p to %pad\n", __func__,
+                       hwdesc, &ldesc->hwdesc_dma_addr);
+@@ -731,6 +734,16 @@ static int nbpf_desc_page_alloc(struct nbpf_channel *chan)
+       spin_unlock_irq(&chan->lock);
+       return ARRAY_SIZE(dpage->desc);
++
++unmap_error:
++      while (i--) {
++              ldesc--; hwdesc--;
++
++              dma_unmap_single(dchan->device->dev, ldesc->hwdesc_dma_addr,
++                               sizeof(hwdesc), DMA_TO_DEVICE);
++      }
++
++      return -ENOMEM;
+ }
+ static void nbpf_desc_put(struct nbpf_desc *desc)
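Review bot: The unwind loop under `unmap_error:` passes `sizeof(hwdesc)` to dma_unmap_single(), which is the size of the pointer, while the mapping in the first hunk uses `sizeof(*hwdesc)`. The unmap size has to match the mapped size, so the line should read `sizeof(*hwdesc), DMA_TO_DEVICE);`. The path then returns -ENOMEM without releasing anything else nbpf_desc_page_alloc() set up. The allocation of the descriptor page is outside the hunk, so whether it is leaked here needs checking against the full function.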
+-- 
+2.39.5
+
diff --git a/queue-5.4/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch b/queue-5.4/drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch
new file mode 100644 (file)
index 0000000..3bf97e4
--- /dev/null
@@ -0,0 +1,44 @@
+From 689157527f299ed9c20fa9a2630ee744da491c68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 23:26:17 +0300
+Subject: drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit a54e4639c4ef37a0241bac7d2a77f2e6ffb57099 ]
+
+There is a small typo in phm_wait_on_indirect_register().
+
+Swap mask and value arguments provided to phm_wait_on_register() so that
+they satisfy the function signature and actual usage scheme.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+In practice this doesn't fix any issues because the only place this
+function is used uses the same value for the value and mask.
+
+Fixes: 3bace3591493 ("drm/amd/powerplay: add hardware manager sub-component")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/powerplay/hwmgr/smu_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/smu_helper.c b/drivers/gpu/drm/amd/powerplay/hwmgr/smu_helper.c
+index d09690fca452..8a1ad9305a21 100644
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu_helper.c
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu_helper.c
+@@ -148,7 +148,7 @@ int phm_wait_on_indirect_register(struct pp_hwmgr *hwmgr,
+       }
+       cgs_write_register(hwmgr->device, indirect_port, index);
+-      return phm_wait_on_register(hwmgr, indirect_port + 1, mask, value);
++      return phm_wait_on_register(hwmgr, indirect_port + 1, value, mask);
+ }
+ int phm_wait_for_register_unequal(struct pp_hwmgr *hwmgr,
+-- 
+2.39.5
+
diff --git a/queue-5.4/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch b/queue-5.4/f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch
new file mode 100644 (file)
index 0000000..d76fbd5
--- /dev/null
@@ -0,0 +1,60 @@
+From d328fba4ec10a566265721557ea22814fd4f742a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 15:14:50 +0800
+Subject: f2fs: fix to avoid out-of-boundary access in devs.path
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 5661998536af52848cc4d52a377e90368196edea ]
+
+- touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123
+- truncate -s $((1024*1024*1024)) \
+  /mnt/f2fs/012345678901234567890123456789012345678901234567890123
+- touch /mnt/f2fs/file
+- truncate -s $((1024*1024*1024)) /mnt/f2fs/file
+- mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \
+  -c /mnt/f2fs/file
+- mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \
+  /mnt/f2fs/loop
+
+[16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01,      511,        0 -    3ffff
+[16937.192268] F2FS-fs (loop0): Failed to find devices
+
+If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may
+not end up w/ null character due to path array is fully filled, So
+accidently, fields locate after path[] may be treated as part of
+device path, result in parsing wrong device path.
+
+struct f2fs_dev_info {
+...
+       char path[MAX_PATH_LEN];
+...
+};
+
+Let's add one byte space for sbi->devs.path[] to store null
+character of device path string.
+
+Fixes: 3c62be17d4f5 ("f2fs: support multiple devices")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 1b8f41daddba..e17b19bb4148 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1098,7 +1098,7 @@ struct f2fs_bio_info {
+ #define RDEV(i)                               (raw_super->devs[i])
+ struct f2fs_dev_info {
+       struct block_device *bdev;
+-      char path[MAX_PATH_LEN];
++      char path[MAX_PATH_LEN + 1];
+       unsigned int total_segments;
+       block_t start_blk;
+       block_t end_blk;
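Review bot: The extra byte in `path[MAX_PATH_LEN + 1]` guarantees a terminator only if the code that fills the field copies at most MAX_PATH_LEN bytes and the structure starts out zeroed. Neither the copy nor the allocation is in this hunk, so both should be confirmed against the mount path. A comment on the field would keep the invariant from being lost in a later edit, e.g. `/* +1: the on-disk path may use all MAX_PATH_LEN bytes with no NUL */`. The struct definition continues outside the hunk.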
+-- 
+2.39.5
+
diff --git a/queue-5.4/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch b/queue-5.4/f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch
new file mode 100644 (file)
index 0000000..d90597e
--- /dev/null
@@ -0,0 +1,282 @@
+From 060b1a145723aff10088c98b9b0ca5441fda6365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 17:56:57 +0800
+Subject: f2fs: fix to avoid panic in f2fs_evict_inode
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit a509a55f8eecc8970b3980c6f06886bbff0e2f68 ]
+
+As syzbot [1] reported as below:
+
+R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450
+R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
+ </TASK>
+---[ end trace 0000000000000000 ]---
+==================================================================
+BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+Read of size 8 at addr ffff88812d962278 by task syz-executor/564
+
+CPU: 1 PID: 564 Comm: syz-executor Tainted: G        W          6.1.129-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Call Trace:
+ <TASK>
+ __dump_stack+0x21/0x24 lib/dump_stack.c:88
+ dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106
+ print_address_description+0x71/0x210 mm/kasan/report.c:316
+ print_report+0x4a/0x60 mm/kasan/report.c:427
+ kasan_report+0x122/0x150 mm/kasan/report.c:531
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
+ __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+ __list_del_entry include/linux/list.h:134 [inline]
+ list_del_init include/linux/list.h:206 [inline]
+ f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531
+ f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585
+ f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703
+ f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731
+ write_inode fs/fs-writeback.c:1460 [inline]
+ __writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677
+ writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733
+ sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789
+ f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159
+ block_operations fs/f2fs/checkpoint.c:1269 [inline]
+ f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658
+ kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668
+ deactivate_locked_super+0x98/0x100 fs/super.c:332
+ deactivate_super+0xaf/0xe0 fs/super.c:363
+ cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186
+ __cleanup_mnt+0x19/0x20 fs/namespace.c:1193
+ task_work_run+0x1c6/0x230 kernel/task_work.c:203
+ exit_task_work include/linux/task_work.h:39 [inline]
+ do_exit+0x9fb/0x2410 kernel/exit.c:871
+ do_group_exit+0x210/0x2d0 kernel/exit.c:1021
+ __do_sys_exit_group kernel/exit.c:1032 [inline]
+ __se_sys_exit_group kernel/exit.c:1030 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030
+ x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+RIP: 0033:0x7f28b1b8e169
+Code: Unable to access opcode bytes at 0x7f28b1b8e13f.
+RSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
+RBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360
+R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360
+R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520
+ </TASK>
+
+Allocated by task 569:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
+ __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:201 [inline]
+ slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737
+ slab_alloc_node mm/slub.c:3398 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429
+ alloc_inode_sb include/linux/fs.h:3245 [inline]
+ f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x186/0x880 fs/inode.c:1373
+ f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
+ f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487
+ __lookup_slow+0x2a3/0x3d0 fs/namei.c:1690
+ lookup_slow+0x57/0x70 fs/namei.c:1707
+ walk_component+0x2e6/0x410 fs/namei.c:1998
+ lookup_last fs/namei.c:2455 [inline]
+ path_lookupat+0x180/0x490 fs/namei.c:2479
+ filename_lookup+0x1f0/0x500 fs/namei.c:2508
+ vfs_statx+0x10b/0x660 fs/stat.c:229
+ vfs_fstatat fs/stat.c:267 [inline]
+ vfs_lstat include/linux/fs.h:3424 [inline]
+ __do_sys_newlstat fs/stat.c:423 [inline]
+ __se_sys_newlstat+0xd5/0x350 fs/stat.c:417
+ __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
+ x64_sys_call+0x393/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+Freed by task 13:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
+ ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:236
+ __kasan_slab_free+0x11/0x20 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ slab_free_hook mm/slub.c:1724 [inline]
+ slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1750
+ slab_free mm/slub.c:3661 [inline]
+ kmem_cache_free+0x12d/0x2a0 mm/slub.c:3683
+ f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1562
+ i_callback+0x4c/0x70 fs/inode.c:250
+ rcu_do_batch+0x503/0xb80 kernel/rcu/tree.c:2297
+ rcu_core+0x5a2/0xe70 kernel/rcu/tree.c:2557
+ rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
+ handle_softirqs+0x178/0x500 kernel/softirq.c:578
+ run_ksoftirqd+0x28/0x30 kernel/softirq.c:945
+ smpboot_thread_fn+0x45a/0x8c0 kernel/smpboot.c:164
+ kthread+0x270/0x310 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+Last potentially related work creation:
+ kasan_save_stack+0x3a/0x60 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486
+ kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
+ call_rcu+0xd4/0xf70 kernel/rcu/tree.c:2845
+ destroy_inode fs/inode.c:316 [inline]
+ evict+0x7da/0x870 fs/inode.c:720
+ iput_final fs/inode.c:1834 [inline]
+ iput+0x62b/0x830 fs/inode.c:1860
+ do_unlinkat+0x356/0x540 fs/namei.c:4397
+ __do_sys_unlink fs/namei.c:4438 [inline]
+ __se_sys_unlink fs/namei.c:4436 [inline]
+ __x64_sys_unlink+0x49/0x50 fs/namei.c:4436
+ x64_sys_call+0x958/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+The buggy address belongs to the object at ffff88812d961f20
+ which belongs to the cache f2fs_inode_cache of size 1200
+The buggy address is located 856 bytes inside of
+ 1200-byte region [ffff88812d961f20, ffff88812d9623d0)
+
+The buggy address belongs to the physical page:
+page:ffffea0004b65800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d960
+head:ffffea0004b65800 order:2 compound_mapcount:0 compound_pincount:0
+flags: 0x4000000000010200(slab|head|zone=1)
+raw: 4000000000010200 0000000000000000 dead000000000122 ffff88810a94c500
+raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 2, migratetype Reclaimable, gfp_mask 0x1d2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 569, tgid 568 (syz.2.16), ts 55943246141, free_ts 0
+ set_page_owner include/linux/page_owner.h:31 [inline]
+ post_alloc_hook+0x1d0/0x1f0 mm/page_alloc.c:2532
+ prep_new_page mm/page_alloc.c:2539 [inline]
+ get_page_from_freelist+0x2e63/0x2ef0 mm/page_alloc.c:4328
+ __alloc_pages+0x235/0x4b0 mm/page_alloc.c:5605
+ alloc_slab_page include/linux/gfp.h:-1 [inline]
+ allocate_slab mm/slub.c:1939 [inline]
+ new_slab+0xec/0x4b0 mm/slub.c:1992
+ ___slab_alloc+0x6f6/0xb50 mm/slub.c:3180
+ __slab_alloc+0x5e/0xa0 mm/slub.c:3279
+ slab_alloc_node mm/slub.c:3364 [inline]
+ slab_alloc mm/slub.c:3406 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
+ kmem_cache_alloc_lru+0x13f/0x220 mm/slub.c:3429
+ alloc_inode_sb include/linux/fs.h:3245 [inline]
+ f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x186/0x880 fs/inode.c:1373
+ f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483
+ f2fs_fill_super+0x3ad7/0x6bb0 fs/f2fs/super.c:4293
+ mount_bdev+0x2ae/0x3e0 fs/super.c:1443
+ f2fs_mount+0x34/0x40 fs/f2fs/super.c:4642
+ legacy_get_tree+0xea/0x190 fs/fs_context.c:632
+ vfs_get_tree+0x89/0x260 fs/super.c:1573
+ do_new_mount+0x25a/0xa20 fs/namespace.c:3056
+page_owner free stack trace missing
+
+Memory state around the buggy address:
+ ffff88812d962100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88812d962180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88812d962200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                                ^
+ ffff88812d962280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88812d962300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+[1] https://syzkaller.appspot.com/x/report.txt?x=13448368580000
+
+This bug can be reproduced w/ the reproducer [2], once we enable
+CONFIG_F2FS_CHECK_FS config, the reproducer will trigger panic as below,
+so the direct reason of this bug is the same as the one below patch [3]
+fixed.
+
+kernel BUG at fs/f2fs/inode.c:857!
+RIP: 0010:f2fs_evict_inode+0x1204/0x1a20
+Call Trace:
+ <TASK>
+ evict+0x32a/0x7a0
+ do_unlinkat+0x37b/0x5b0
+ __x64_sys_unlink+0xad/0x100
+ do_syscall_64+0x5a/0xb0
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+RIP: 0010:f2fs_evict_inode+0x1204/0x1a20
+
+[2] https://syzkaller.appspot.com/x/repro.c?x=17495ccc580000
+[3] https://lore.kernel.org/linux-f2fs-devel/20250702120321.1080759-1-chao@kernel.org
+
+Tracepoints before panic:
+
+f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file1
+f2fs_unlink_exit: dev = (7,0), ino = 7, ret = 0
+f2fs_evict_inode: dev = (7,0), ino = 7, pino = 3, i_mode = 0x81ed, i_size = 10, i_nlink = 0, i_blocks = 0, i_advise = 0x0
+f2fs_truncate_node: dev = (7,0), ino = 7, nid = 8, block_address = 0x3c05
+
+f2fs_unlink_enter: dev = (7,0), dir ino = 3, i_size = 4096, i_blocks = 8, name = file3
+f2fs_unlink_exit: dev = (7,0), ino = 8, ret = 0
+f2fs_evict_inode: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 9000, i_nlink = 0, i_blocks = 24, i_advise = 0x4
+f2fs_truncate: dev = (7,0), ino = 8, pino = 3, i_mode = 0x81ed, i_size = 0, i_nlink = 0, i_blocks = 24, i_advise = 0x4
+f2fs_truncate_blocks_enter: dev = (7,0), ino = 8, i_size = 0, i_blocks = 24, start file offset = 0
+f2fs_truncate_blocks_exit: dev = (7,0), ino = 8, ret = -2
+
+The root cause is: in the fuzzed image, dnode #8 belongs to inode #7,
+after inode #7 eviction, dnode #8 was dropped.
+
+However there is dirent that has ino #8, so, once we unlink file3, in
+f2fs_evict_inode(), both f2fs_truncate() and f2fs_update_inode_page()
+will fail due to we can not load node #8, result in we missed to call
+f2fs_inode_synced() to clear inode dirty status.
+
+Let's fix this by calling f2fs_inode_synced() in error path of
+f2fs_evict_inode().
+
+PS: As I verified, the reproducer [2] can trigger this bug in v6.1.129,
+but it failed in v6.16-rc4, this is because the testcase will stop due to
+other corruption has been detected by f2fs:
+
+F2FS-fs (loop0): inconsistent node block, node_type:2, nid:8, node_footer[nid:8,ino:8,ofs:0,cpver:5013063228981249506,blkaddr:15366]
+F2FS-fs (loop0): f2fs_lookup: inode (ino=9) has zero i_nlink
+
+Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
+Closes: https://syzkaller.appspot.com/x/report.txt?x=13448368580000
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inode.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index 859ff287467e..03444ebc741b 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -728,6 +728,19 @@ void f2fs_evict_inode(struct inode *inode)
+               f2fs_update_inode_page(inode);
+               if (dquot_initialize_needed(inode))
+                       set_sbi_flag(sbi, SBI_QUOTA_NEED_REPAIR);
++
++              /*
++               * If both f2fs_truncate() and f2fs_update_inode_page() failed
++               * due to fuzzed corrupted inode, call f2fs_inode_synced() to
++               * avoid triggering later f2fs_bug_on().
++               */
++              if (is_inode_flag_set(inode, FI_DIRTY_INODE)) {
++                      f2fs_warn(sbi,
++                              "f2fs_evict_inode: inode is dirty, ino:%lu",
++                              inode->i_ino);
++                      f2fs_inode_synced(inode);
++                      set_sbi_flag(sbi, SBI_NEED_FSCK);
++              }
+       }
+       sb_end_intwrite(inode->i_sb);
+ no_delete:
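Review bot: The new warning hard-codes the function name in its format string; `f2fs_warn(sbi, "%s: inode is dirty, ino:%lu", __func__, inode->i_ino);` survives a rename and is the form checkpatch asks for. According to the commit message this branch is reached from a corrupted image, and it logs once per affected inode. It is worth deciding whether an unbounded number of such lines in the kernel log is acceptable or whether the message should be rate limited. f2fs_evict_inode() starts and ends outside the hunk.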
+-- 
+2.39.5
+
diff --git a/queue-5.4/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch b/queue-5.4/f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch
new file mode 100644 (file)
index 0000000..164e3b5
--- /dev/null
@@ -0,0 +1,235 @@
+From 3a76665d4217623d4439b357ca5f384ded6e28be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 17:53:39 +0800
+Subject: f2fs: fix to avoid UAF in f2fs_sync_inode_meta()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 7c30d79930132466f5be7d0b57add14d1a016bda ]
+
+syzbot reported an UAF issue as below: [1] [2]
+
+[1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000
+
+==================================================================
+BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8
+
+CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G        W          6.1.129-syzkaller-00017-g642656a36791 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Workqueue: writeback wb_workfn (flush-7:0)
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:316 [inline]
+ print_report+0x158/0x4e0 mm/kasan/report.c:427
+ kasan_report+0x13c/0x170 mm/kasan/report.c:531
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351
+ __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62
+ __list_del_entry include/linux/list.h:134 [inline]
+ list_del_init include/linux/list.h:206 [inline]
+ f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553
+ f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588
+ f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706
+ f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734
+ write_inode fs/fs-writeback.c:1460 [inline]
+ __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677
+ writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903
+ __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974
+ wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081
+ wb_check_background_flush fs/fs-writeback.c:2151 [inline]
+ wb_do_writeback fs/fs-writeback.c:2239 [inline]
+ wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266
+ process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299
+ worker_thread+0xa60/0x1260 kernel/workqueue.c:2446
+ kthread+0x26d/0x300 kernel/kthread.c:386
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+ </TASK>
+
+Allocated by task 298:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505
+ __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333
+ kasan_slab_alloc include/linux/kasan.h:202 [inline]
+ slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3421 [inline]
+ slab_alloc mm/slub.c:3431 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
+ kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454
+ alloc_inode_sb include/linux/fs.h:3255 [inline]
+ f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x18c/0x7e0 fs/inode.c:1373
+ f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
+ f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484
+ __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689
+ lookup_slow+0x5a/0x80 fs/namei.c:1706
+ walk_component+0x2e7/0x410 fs/namei.c:1997
+ lookup_last fs/namei.c:2454 [inline]
+ path_lookupat+0x16d/0x450 fs/namei.c:2478
+ filename_lookup+0x251/0x600 fs/namei.c:2507
+ vfs_statx+0x107/0x4b0 fs/stat.c:229
+ vfs_fstatat fs/stat.c:267 [inline]
+ vfs_lstat include/linux/fs.h:3434 [inline]
+ __do_sys_newlstat fs/stat.c:423 [inline]
+ __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417
+ __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417
+ x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+Freed by task 0:
+ kasan_save_stack mm/kasan/common.c:45 [inline]
+ kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516
+ ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241
+ __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
+ kasan_slab_free include/linux/kasan.h:178 [inline]
+ slab_free_hook mm/slub.c:1745 [inline]
+ slab_free_freelist_hook mm/slub.c:1771 [inline]
+ slab_free mm/slub.c:3686 [inline]
+ kmem_cache_free+0x291/0x560 mm/slub.c:3711
+ f2fs_free_inode+0x24/0x30 fs/f2fs/super.c:1584
+ i_callback+0x4b/0x70 fs/inode.c:250
+ rcu_do_batch+0x552/0xbe0 kernel/rcu/tree.c:2297
+ rcu_core+0x502/0xf40 kernel/rcu/tree.c:2557
+ rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2574
+ handle_softirqs+0x1db/0x650 kernel/softirq.c:624
+ __do_softirq kernel/softirq.c:662 [inline]
+ invoke_softirq kernel/softirq.c:479 [inline]
+ __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
+ irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
+ sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
+ asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
+
+Last potentially related work creation:
+ kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xb4/0xc0 mm/kasan/generic.c:486
+ kasan_record_aux_stack_noalloc+0xb/0x10 mm/kasan/generic.c:496
+ __call_rcu_common kernel/rcu/tree.c:2807 [inline]
+ call_rcu+0xdc/0x10f0 kernel/rcu/tree.c:2926
+ destroy_inode fs/inode.c:316 [inline]
+ evict+0x87d/0x930 fs/inode.c:720
+ iput_final fs/inode.c:1834 [inline]
+ iput+0x616/0x690 fs/inode.c:1860
+ do_unlinkat+0x4e1/0x920 fs/namei.c:4396
+ __do_sys_unlink fs/namei.c:4437 [inline]
+ __se_sys_unlink fs/namei.c:4435 [inline]
+ __x64_sys_unlink+0x49/0x50 fs/namei.c:4435
+ x64_sys_call+0x289/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:88
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x68/0xd2
+
+The buggy address belongs to the object at ffff888100567a10
+ which belongs to the cache f2fs_inode_cache of size 1360
+The buggy address is located 952 bytes inside of
+ 1360-byte region [ffff888100567a10, ffff888100567f60)
+
+The buggy address belongs to the physical page:
+page:ffffea0004015800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x100560
+head:ffffea0004015800 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x4000000000010200(slab|head|zone=1)
+raw: 4000000000010200 0000000000000000 dead000000000122 ffff8881002c4d80
+raw: 0000000000000000 0000000080160016 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 3, migratetype Reclaimable, gfp_mask 0xd2050(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 298, tgid 298 (syz-executor330), ts 26489303743, free_ts 0
+ set_page_owner include/linux/page_owner.h:33 [inline]
+ post_alloc_hook+0x213/0x220 mm/page_alloc.c:2637
+ prep_new_page+0x1b/0x110 mm/page_alloc.c:2644
+ get_page_from_freelist+0x3a98/0x3b10 mm/page_alloc.c:4539
+ __alloc_pages+0x234/0x610 mm/page_alloc.c:5837
+ alloc_slab_page+0x6c/0xf0 include/linux/gfp.h:-1
+ allocate_slab mm/slub.c:1962 [inline]
+ new_slab+0x90/0x3e0 mm/slub.c:2015
+ ___slab_alloc+0x6f9/0xb80 mm/slub.c:3203
+ __slab_alloc+0x5d/0xa0 mm/slub.c:3302
+ slab_alloc_node mm/slub.c:3387 [inline]
+ slab_alloc mm/slub.c:3431 [inline]
+ __kmem_cache_alloc_lru mm/slub.c:3438 [inline]
+ kmem_cache_alloc_lru+0x149/0x270 mm/slub.c:3454
+ alloc_inode_sb include/linux/fs.h:3255 [inline]
+ f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437
+ alloc_inode fs/inode.c:261 [inline]
+ iget_locked+0x18c/0x7e0 fs/inode.c:1373
+ f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486
+ f2fs_fill_super+0x5360/0x6dc0 fs/f2fs/super.c:4488
+ mount_bdev+0x282/0x3b0 fs/super.c:1445
+ f2fs_mount+0x34/0x40 fs/f2fs/super.c:4743
+ legacy_get_tree+0xf1/0x190 fs/fs_context.c:632
+page_owner free stack trace missing
+
+Memory state around the buggy address:
+ ffff888100567c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888100567d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888100567d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                              ^
+ ffff888100567e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888100567e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+[2] https://syzkaller.appspot.com/text?tag=CrashLog&x=13654c60580000
+
+[   24.675720][   T28] audit: type=1400 audit(1745327318.732:72): avc:  denied  { write } for  pid=298 comm="syz-executor399" name="/" dev="loop0" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[   24.705426][  T296] ------------[ cut here ]------------
+[   24.706608][   T28] audit: type=1400 audit(1745327318.732:73): avc:  denied  { remove_name } for  pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[   24.711550][  T296] WARNING: CPU: 0 PID: 296 at fs/f2fs/inode.c:847 f2fs_evict_inode+0x1262/0x1540
+[   24.734141][   T28] audit: type=1400 audit(1745327318.732:74): avc:  denied  { rename } for  pid=298 comm="syz-executor399" name="file0" dev="loop0" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[   24.742969][  T296] Modules linked in:
+[   24.765201][   T28] audit: type=1400 audit(1745327318.732:75): avc:  denied  { add_name } for  pid=298 comm="syz-executor399" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1
+[   24.768847][  T296] CPU: 0 PID: 296 Comm: syz-executor399 Not tainted 6.1.129-syzkaller-00017-g642656a36791 #0
+[   24.799506][  T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+[   24.809401][  T296] RIP: 0010:f2fs_evict_inode+0x1262/0x1540
+[   24.815018][  T296] Code: 34 70 4a ff eb 0d e8 2d 70 4a ff 4d 89 e5 4c 8b 64 24 18 48 8b 5c 24 28 4c 89 e7 e8 78 38 03 00 e9 84 fc ff ff e8 0e 70 4a ff <0f> 0b 4c 89 f7 be 08 00 00 00 e8 7f 21 92 ff f0 41 80 0e 04 e9 61
+[   24.834584][  T296] RSP: 0018:ffffc90000db7a40 EFLAGS: 00010293
+[   24.840465][  T296] RAX: ffffffff822aca42 RBX: 0000000000000002 RCX: ffff888110948000
+[   24.848291][  T296] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000
+[   24.856064][  T296] RBP: ffffc90000db7bb0 R08: ffffffff822ac6a8 R09: ffffed10200b005d
+[   24.864073][  T296] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100580000
+[   24.871812][  T296] R13: dffffc0000000000 R14: ffff88810fef4078 R15: 1ffff920001b6f5c
+
+The root cause is w/ a fuzzed image, f2fs may missed to clear FI_DIRTY_INODE
+flag for target inode, after f2fs_evict_inode(), the inode is still linked in
+sbi->inode_list[DIRTY_META] global list, once it triggers checkpoint,
+f2fs_sync_inode_meta() may access the released inode.
+
+In f2fs_evict_inode(), let's always call f2fs_inode_synced() to clear
+FI_DIRTY_INODE flag and drop inode from global dirty list to avoid this
+UAF issue.
+
+Fixes: 0f18b462b2e5 ("f2fs: flush inode metadata when checkpoint is doing")
+Closes: https://syzkaller.appspot.com/bug?extid=849174b2efaf0d8be6ba
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inode.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index b0cbb01df8cb..859ff287467e 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -740,8 +740,12 @@ void f2fs_evict_inode(struct inode *inode)
+       if (likely(!f2fs_cp_error(sbi) &&
+                               !is_sbi_flag_set(sbi, SBI_CP_DISABLED)))
+               f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));
+-      else
+-              f2fs_inode_synced(inode);
++
++      /*
++       * anyway, it needs to remove the inode from sbi->inode_list[DIRTY_META]
++       * list to avoid UAF in f2fs_sync_inode_meta() during checkpoint.
++       */
++      f2fs_inode_synced(inode);
+       /* ino == 0, if f2fs_new_inode() was failed t*/
+       if (inode->i_ino)
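Review bot: The `f2fs_bug_on()` on FI_DIRTY_INODE still runs before the now-unconditional `f2fs_inode_synced(inode)`. On builds where that assertion is fatal, a dirty inode from a corrupted image stops there and never reaches the list removal; the companion f2fs_evict_inode patch in this queue describes a `kernel BUG` with CONFIG_F2FS_CHECK_FS. The new comment could state the ordering and the reason more plainly, e.g. `/* Always unlink the inode from sbi->inode_list[DIRTY_META]: a stale entry is dereferenced by f2fs_sync_inode_meta() after the inode is freed. */`. The function body starts and ends outside the hunk.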
+-- 
+2.39.5
+
diff --git a/queue-5.4/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch b/queue-5.4/fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch
new file mode 100644 (file)
index 0000000..1528c70
--- /dev/null
@@ -0,0 +1,46 @@
+From 555233ff85f203919ddff43e0ed7ccb28ecc5b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:25:34 -0500
+Subject: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit da11e6a30e0bb8e911288bdc443b3dc8f6a7cac7 ]
+
+fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot
+allocate a struct fb_modelist.  If that happens, the modelist stays empty but
+the driver continues to register.  Add a check for its return value to prevent
+poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev:
+Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var").
+
+Fixes: 1b6c79361ba5 ("video: imxfb: Add DT support")
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/imxfb.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/imxfb.c b/drivers/video/fbdev/imxfb.c
+index dbc8808b093a..8dac15bf2b0c 100644
+--- a/drivers/video/fbdev/imxfb.c
++++ b/drivers/video/fbdev/imxfb.c
+@@ -992,8 +992,13 @@ static int imxfb_probe(struct platform_device *pdev)
+       INIT_LIST_HEAD(&info->modelist);
+-      for (i = 0; i < fbi->num_modes; i++)
+-              fb_add_videomode(&fbi->mode[i].mode, &info->modelist);
++      for (i = 0; i < fbi->num_modes; i++) {
++              ret = fb_add_videomode(&fbi->mode[i].mode, &info->modelist);
++              if (ret) {
++                      dev_err(&pdev->dev, "Failed to add videomode\n");
++                      goto failed_cmap;
++              }
++      }
+       /*
+        * This makes sure that our colour bitfield
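Review bot: When `fb_add_videomode()` fails after the first iteration, the entries already linked into `info->modelist` still have to be released, and the `failed_cmap` label this jumps to is outside the hunk. Confirm that this exit path ends up calling `fb_destroy_modelist(&info->modelist)`; if it does not, every mode added before the failing one is leaked on probe failure. imxfb_probe() starts and ends outside the hunk.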
+-- 
+2.39.5
+
diff --git a/queue-5.4/fs-orangefs-allow-2-more-characters-in-do_c_string.patch b/queue-5.4/fs-orangefs-allow-2-more-characters-in-do_c_string.patch
new file mode 100644 (file)
index 0000000..8a95482
--- /dev/null
@@ -0,0 +1,65 @@
+From 96212b456947eafefa9293440e43f810454ce3a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jul 2025 09:19:10 -0500
+Subject: fs/orangefs: Allow 2 more characters in do_c_string()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 2138e89cb066b40386b1d9ddd61253347d356474 ]
+
+The do_k_string() and do_c_string() functions do essentially the same
+thing which is they add a string and a comma onto the end of an existing
+string.  At the end, the caller will overwrite the last comma with a
+newline.  Later, in orangefs_kernel_debug_init(), we add a newline to
+the string.
+
+The change to do_k_string() is just cosmetic.  I moved the "- 1" to
+the other side of the comparison and made it "+ 1".  This has no
+effect on runtime, I just wanted the functions to match each other
+and the rest of the file.
+
+However in do_c_string(), I removed the "- 2" which allows us to print
+two extra characters.  I noticed this issue while reviewing the code
+and I doubt affects anything in real life.  My guess is that this was
+double counting the comma and the newline.  The "+ 1" accounts for
+the newline, and the caller will delete the final comma which ensures
+there is enough space for the newline.
+
+Removing the "- 2" lets us print 2 more characters, but mainly it makes
+the code more consistent and understandable for reviewers.
+
+Fixes: 44f4641073f1 ("orangefs: clean up debugfs globals")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index fa41db088488..b57140ebfad0 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -728,8 +728,8 @@ static void do_k_string(void *k_mask, int index)
+       if (*mask & s_kmod_keyword_mask_map[index].mask_val) {
+               if ((strlen(kernel_debug_string) +
+-                   strlen(s_kmod_keyword_mask_map[index].keyword))
+-                      < ORANGEFS_MAX_DEBUG_STRING_LEN - 1) {
++                   strlen(s_kmod_keyword_mask_map[index].keyword) + 1)
++                      < ORANGEFS_MAX_DEBUG_STRING_LEN) {
+                               strcat(kernel_debug_string,
+                                      s_kmod_keyword_mask_map[index].keyword);
+                               strcat(kernel_debug_string, ",");
+@@ -756,7 +756,7 @@ static void do_c_string(void *c_mask, int index)
+           (mask->mask2 & cdm_array[index].mask2)) {
+               if ((strlen(client_debug_string) +
+                    strlen(cdm_array[index].keyword) + 1)
+-                      < ORANGEFS_MAX_DEBUG_STRING_LEN - 2) {
++                      < ORANGEFS_MAX_DEBUG_STRING_LEN) {
+                               strcat(client_debug_string,
+                                      cdm_array[index].keyword);
+                               strcat(client_debug_string, ",");
+-- 
+2.39.5
+
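Review bot: The length test in do_k_string() and do_c_string() is now exact for the destination buffer, but nothing beside the two `strcat()` calls says what the `+ 1` pays for. After both appends the string is `strlen(old) + strlen(keyword) + 1` bytes long, so the strict `<` leaves exactly one byte for the terminating NUL. That holds only if kernel_debug_string and client_debug_string are ORANGEFS_MAX_DEBUG_STRING_LEN bytes, and their declarations are outside these hunks. I would add `/* + 1 for the ',' appended below; '<' keeps room for the NUL */` above each comparison so a later edit does not reintroduce an off-by-one in either direction. Both function bodies continue outside the hunks.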
diff --git a/queue-5.4/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch b/queue-5.4/hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch
new file mode 100644 (file)
index 0000000..6190909
--- /dev/null
@@ -0,0 +1,94 @@
+From 48051ca25100700fae94b72c92d775861d17d64b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 00:18:06 -0600
+Subject: hfsplus: remove mutex_lock check in hfsplus_free_extents
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit fcb96956c921f1aae7e7b477f2435c56f77a31b4 ]
+
+Syzbot reported an issue in hfsplus filesystem:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346
+       hfsplus_free_extents+0x700/0xad0
+Call Trace:
+<TASK>
+hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606
+hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56
+cont_expand_zero fs/buffer.c:2383 [inline]
+cont_write_begin+0x2cf/0x860 fs/buffer.c:2446
+hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52
+generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347
+hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263
+notify_change+0xe38/0x10f0 fs/attr.c:420
+do_truncate+0x1fb/0x2e0 fs/open.c:65
+do_sys_ftruncate+0x2eb/0x380 fs/open.c:193
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock
+on file truncation") unlock extree before hfsplus_free_extents(),
+and add check wheather extree is locked in hfsplus_free_extents().
+
+However, when operations such as hfsplus_file_release,
+hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed
+concurrently in different files, it is very likely to trigger the
+WARN_ON, which will lead syzbot and xfstest to consider it as an
+abnormality.
+
+The comment above this warning also describes one of the easy
+triggering situations, which can easily trigger and cause
+xfstest&syzbot to report errors.
+
+[task A]                       [task B]
+->hfsplus_file_release
+  ->hfsplus_file_truncate
+    ->hfs_find_init
+      ->mutex_lock
+    ->mutex_unlock
+                               ->hfsplus_write_begin
+                                 ->hfsplus_get_block
+                                   ->hfsplus_file_extend
+                                     ->hfsplus_ext_read_extent
+                                       ->hfs_find_init
+                                         ->mutex_lock
+    ->hfsplus_free_extents
+      WARN_ON(mutex_is_locked) !!!
+
+Several threads could try to lock the shared extents tree.
+And warning can be triggered in one thread when another thread
+has locked the tree. This is the wrong behavior of the code and
+we need to remove the warning.
+
+Fixes: 31651c607151f ("hfsplus: avoid deadlock on file truncation")
+Reported-by: syzbot+8c0bc9f818702ff75b76@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/00000000000057fa4605ef101c4c@google.com/
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250529061807.2213498-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/extents.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c
+index c95a2f0ed4a7..fad1c250f150 100644
+--- a/fs/hfsplus/extents.c
++++ b/fs/hfsplus/extents.c
+@@ -342,9 +342,6 @@ static int hfsplus_free_extents(struct super_block *sb,
+       int i;
+       int err = 0;
+-      /* Mapping the allocation file may lock the extent tree */
+-      WARN_ON(mutex_is_locked(&HFSPLUS_SB(sb)->ext_tree->tree_lock));
+-
+       hfsplus_dump_extent(extent);
+       for (i = 0; i < 8; extent++, i++) {
+               count = be32_to_cpu(extent->block_count);
+-- 
+2.39.5
+
diff --git a/queue-5.4/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch b/queue-5.4/hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch
new file mode 100644 (file)
index 0000000..9aefe92
--- /dev/null
@@ -0,0 +1,38 @@
+From 974e474ddc31a2ef6a3e8c5f08ca1d048db56353 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 20:31:41 +0300
+Subject: hwrng: mtk - handle devm_pm_runtime_enable errors
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit 522a242a18adc5c63a24836715dbeec4dc3faee1 ]
+
+Although unlikely, devm_pm_runtime_enable() call might fail, so handle
+the return value.
+
+Fixes: 78cb66caa6ab ("hwrng: mtk - Use devm_pm_runtime_enable")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/mtk-rng.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c
+index 6c21eb749b51..f5325fe4f1de 100644
+--- a/drivers/char/hw_random/mtk-rng.c
++++ b/drivers/char/hw_random/mtk-rng.c
+@@ -149,7 +149,9 @@ static int mtk_rng_probe(struct platform_device *pdev)
+       dev_set_drvdata(&pdev->dev, priv);
+       pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT);
+       pm_runtime_use_autosuspend(&pdev->dev);
+-      devm_pm_runtime_enable(&pdev->dev);
++      ret = devm_pm_runtime_enable(&pdev->dev);
++      if (ret)
++              return ret;
+       dev_info(&pdev->dev, "registered RNG driver\n");
+-- 
+2.39.5
+
diff --git a/queue-5.4/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch b/queue-5.4/iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch
new file mode 100644 (file)
index 0000000..9c424f8
--- /dev/null
@@ -0,0 +1,69 @@
+From 7801b5f1fbe5f808a1a2773baf20a0884796dd54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 09:48:48 +0800
+Subject: iwlwifi: Add missing check for alloc_ordered_workqueue
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 90a0d9f339960448a3acc1437a46730f975efd6a ]
+
+Add check for the return value of alloc_ordered_workqueue since it may
+return NULL pointer.
+
+Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://patch.msgid.link/20230110014848.28226-1-jiasheng@iscas.ac.cn
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/main.c b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+index 4f2789bb3b5b..9ca704a2c679 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/main.c
+@@ -1055,9 +1055,11 @@ static void iwl_bg_restart(struct work_struct *data)
+  *
+  *****************************************************************************/
+-static void iwl_setup_deferred_work(struct iwl_priv *priv)
++static int iwl_setup_deferred_work(struct iwl_priv *priv)
+ {
+       priv->workqueue = alloc_ordered_workqueue(DRV_NAME, 0);
++      if (!priv->workqueue)
++              return -ENOMEM;
+       INIT_WORK(&priv->restart, iwl_bg_restart);
+       INIT_WORK(&priv->beacon_update, iwl_bg_beacon_update);
+@@ -1074,6 +1076,8 @@ static void iwl_setup_deferred_work(struct iwl_priv *priv)
+       timer_setup(&priv->statistics_periodic, iwl_bg_statistics_periodic, 0);
+       timer_setup(&priv->ucode_trace, iwl_bg_ucode_trace, 0);
++
++      return 0;
+ }
+ void iwl_cancel_deferred_work(struct iwl_priv *priv)
+@@ -1469,7 +1473,9 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+       /********************
+        * 6. Setup services
+        ********************/
+-      iwl_setup_deferred_work(priv);
++      if (iwl_setup_deferred_work(priv))
++              goto out_uninit_drv;
++
+       iwl_setup_rx_handlers(priv);
+       iwl_power_initialize(priv);
+@@ -1507,6 +1513,7 @@ static struct iwl_op_mode *iwl_op_mode_dvm_start(struct iwl_trans *trans,
+       iwl_cancel_deferred_work(priv);
+       destroy_workqueue(priv->workqueue);
+       priv->workqueue = NULL;
++out_uninit_drv:
+       iwl_uninit_drv(priv);
+ out_free_eeprom_blob:
+       kfree(priv->eeprom_blob);
+-- 
+2.39.5
+
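Review bot: iwl_setup_deferred_work() can now fail, but neither the function nor the new `out_uninit_drv:` label records the contract the unwind depends on. The label sits below `destroy_workqueue(priv->workqueue)` because the workqueue pointer is NULL on this path and no work item or timer has been initialised yet, so the iwl_cancel_deferred_work() call above it has to be skipped as well. A comment above the function such as `/* Returns 0, or -ENOMEM if the workqueue cannot be allocated; nothing else is initialised in that case. */` would make that explicit. The call site also drops the error code; how iwl_op_mode_dvm_start() reports failure to its caller is outside the hunk.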
diff --git a/queue-5.4/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch b/queue-5.4/jfs-fix-metapage-reference-count-leak-in-dballocctl.patch
new file mode 100644 (file)
index 0000000..d9d891e
--- /dev/null
@@ -0,0 +1,45 @@
+From 73c02c81f34396c0fa1533b615461913e8aea27e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 01:22:14 +0000
+Subject: jfs: fix metapage reference count leak in dbAllocCtl
+
+From: Zheng Yu <zheng.yu@northwestern.edu>
+
+[ Upstream commit 856db37592021e9155384094e331e2d4589f28b1 ]
+
+In dbAllocCtl(), read_metapage() increases the reference count of the
+metapage. However, when dp->tree.budmin < 0, the function returns -EIO
+without calling release_metapage() to decrease the reference count,
+leading to a memory leak.
+
+Add release_metapage(mp) before the error return to properly manage
+the metapage reference count and prevent the leak.
+
+Fixes: a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ("jfs: fix shift-out-of-bounds in dbSplit")
+
+Signed-off-by: Zheng Yu <zheng.yu@northwestern.edu>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 8cffb5dd98cf..15f885d2fa3d 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -1875,8 +1875,10 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results)
+                       return -EIO;
+               dp = (struct dmap *) mp->data;
+-              if (dp->tree.budmin < 0)
++              if (dp->tree.budmin < 0) {
++                      release_metapage(mp);
+                       return -EIO;
++              }
+               /* try to allocate the blocks.
+                */
+-- 
+2.39.5
+
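Review bot: The `dp->tree.budmin < 0` branch now releases the metapage, but it still returns -EIO without recording that the dmap read from disk was inconsistent. `budmin` is read through `mp->data`, so a negative value most likely means a damaged or malformed image (inferred from the Fixes: reference), and an administrator would want that in the log. If this file reports its other corruption checks through `jfs_error()`, which is not visible here, the same call belongs in this branch after `release_metapage(mp);`, for example `jfs_error(bmp->db_ipbmap->i_sb, "dmap budmin is negative\n");`. dbAllocCtl() starts and ends outside the hunk.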
diff --git a/queue-5.4/m68k-don-t-unregister-boot-console-needlessly.patch b/queue-5.4/m68k-don-t-unregister-boot-console-needlessly.patch
new file mode 100644 (file)
index 0000000..47bedf4
--- /dev/null
@@ -0,0 +1,150 @@
+From bc224bb2540c0667e440dbaf506f9eb38099ae1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 11:26:44 +1100
+Subject: m68k: Don't unregister boot console needlessly
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 83f672a7f69ec38b1bbb27221e342937f68c11c7 ]
+
+When MACH_IS_MVME147, the boot console calls mvme147_scc_write() to
+generate console output. That will continue to work even after
+debug_cons_nputs() becomes unavailable so there's no need to
+unregister the boot console.
+
+Take the opportunity to remove a repeated MACH_IS_* test. Use the
+actual .write method (instead of a wrapper) and test that pointer
+instead. This means adding an unused parameter to debug_cons_nputs() for
+consistency with the struct console API.
+
+early_printk.c is only built when CONFIG_EARLY_PRINTK=y. As of late,
+head.S is only built when CONFIG_MMU_MOTOROLA=y. So let the former symbol
+depend on the latter, to obviate some ifdef conditionals.
+
+Cc: Daniel Palmer <daniel@0x0f.com>
+Fixes: 077b33b9e283 ("m68k: mvme147: Reinstate early console")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/d1d4328e5aa9a87bd8352529ce62b767731c0530.1743467205.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/Kconfig.debug         |  2 +-
+ arch/m68k/kernel/early_printk.c | 42 +++++++++++----------------------
+ arch/m68k/kernel/head.S         |  8 +++----
+ 3 files changed, 19 insertions(+), 33 deletions(-)
+
+diff --git a/arch/m68k/Kconfig.debug b/arch/m68k/Kconfig.debug
+index f43643111eaf..f9fa89ba259d 100644
+--- a/arch/m68k/Kconfig.debug
++++ b/arch/m68k/Kconfig.debug
+@@ -10,7 +10,7 @@ config BOOTPARAM_STRING
+ config EARLY_PRINTK
+       bool "Early printk"
+-      depends on !(SUN3 || M68000 || COLDFIRE)
++      depends on MMU_MOTOROLA
+       help
+           Write kernel log output directly to a serial port.
+           Where implemented, output goes to the framebuffer as well.
+diff --git a/arch/m68k/kernel/early_printk.c b/arch/m68k/kernel/early_printk.c
+index f11ef9f1f56f..521cbb8a150c 100644
+--- a/arch/m68k/kernel/early_printk.c
++++ b/arch/m68k/kernel/early_printk.c
+@@ -16,25 +16,10 @@
+ #include "../mvme147/mvme147.h"
+ #include "../mvme16x/mvme16x.h"
+-asmlinkage void __init debug_cons_nputs(const char *s, unsigned n);
+-
+-static void __ref debug_cons_write(struct console *c,
+-                                 const char *s, unsigned n)
+-{
+-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
+-      defined(CONFIG_COLDFIRE))
+-      if (MACH_IS_MVME147)
+-              mvme147_scc_write(c, s, n);
+-      else if (MACH_IS_MVME16x)
+-              mvme16x_cons_write(c, s, n);
+-      else
+-              debug_cons_nputs(s, n);
+-#endif
+-}
++asmlinkage void __init debug_cons_nputs(struct console *c, const char *s, unsigned int n);
+ static struct console early_console_instance = {
+       .name  = "debug",
+-      .write = debug_cons_write,
+       .flags = CON_PRINTBUFFER | CON_BOOT,
+       .index = -1
+ };
+@@ -44,6 +29,12 @@ static int __init setup_early_printk(char *buf)
+       if (early_console || buf)
+               return 0;
++      if (MACH_IS_MVME147)
++              early_console_instance.write = mvme147_scc_write;
++      else if (MACH_IS_MVME16x)
++              early_console_instance.write = mvme16x_cons_write;
++      else
++              early_console_instance.write = debug_cons_nputs;
+       early_console = &early_console_instance;
+       register_console(early_console);
+@@ -51,20 +42,15 @@ static int __init setup_early_printk(char *buf)
+ }
+ early_param("earlyprintk", setup_early_printk);
+-/*
+- * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be called
+- * after init sections are discarded (for platforms that use it).
+- */
+-#if !(defined(CONFIG_SUN3) || defined(CONFIG_M68000) || \
+-      defined(CONFIG_COLDFIRE))
+-
+ static int __init unregister_early_console(void)
+ {
+-      if (!early_console || MACH_IS_MVME16x)
+-              return 0;
++      /*
++       * debug_cons_nputs() defined in arch/m68k/kernel/head.S cannot be
++       * called after init sections are discarded (for platforms that use it).
++       */
++      if (early_console && early_console->write == debug_cons_nputs)
++              return unregister_console(early_console);
+-      return unregister_console(early_console);
++      return 0;
+ }
+ late_initcall(unregister_early_console);
+-
+-#endif
+diff --git a/arch/m68k/kernel/head.S b/arch/m68k/kernel/head.S
+index a54788458ca3..692cdcfb3520 100644
+--- a/arch/m68k/kernel/head.S
++++ b/arch/m68k/kernel/head.S
+@@ -3242,8 +3242,8 @@ func_return      putn
+  *    turns around and calls the internal routines.  This routine
+  *    is used by the boot console.
+  *
+- *    The calling parameters are:
+- *            void debug_cons_nputs(const char *str, unsigned length)
++ *    The function signature is -
++ *            void debug_cons_nputs(struct console *c, const char *s, unsigned int n)
+  *
+  *    This routine does NOT understand variable arguments only
+  *    simple strings!
+@@ -3252,8 +3252,8 @@ ENTRY(debug_cons_nputs)
+       moveml  %d0/%d1/%a0,%sp@-
+       movew   %sr,%sp@-
+       ori     #0x0700,%sr
+-      movel   %sp@(18),%a0            /* fetch parameter */
+-      movel   %sp@(22),%d1            /* fetch parameter */
++      movel   %sp@(22),%a0            /* char *s */
++      movel   %sp@(26),%d1            /* unsigned int n */
+       jra     2f
+ 1:
+ #ifdef CONSOLE_DEBUG
+-- 
+2.39.5
+
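Review bot: The new stack offsets in debug_cons_nputs (`%sp@(22)` and `%sp@(26)` in arch/m68k/kernel/head.S) match the three-argument signature, but the arithmetic behind them is undocumented and the routine never says that `c` is ignored. The prologue pushes three longs with `moveml` and the 16-bit `%sr`, which is 14 bytes, and the return address adds 4, so `c` sits at 18, `s` at 22 and `n` at 26. I would extend the two comments to `/* 14 bytes saved + 4 return address: c at 18 (unused), s at 22 */` and `/* n at 26 */`, so a later change to the saved-register list gets checked against the offsets. The routine's body continues outside the hunk.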
diff --git a/queue-5.4/module-restore-the-moduleparam-prefix-length-check.patch b/queue-5.4/module-restore-the-moduleparam-prefix-length-check.patch
new file mode 100644 (file)
index 0000000..21dc495
--- /dev/null
@@ -0,0 +1,61 @@
+From 414331e19e955d7dd3c97ad533de8df18f5edc63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 16:32:34 +0200
+Subject: module: Restore the moduleparam prefix length check
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+[ Upstream commit bdc877ba6b7ff1b6d2ebeff11e63da4a50a54854 ]
+
+The moduleparam code allows modules to provide their own definition of
+MODULE_PARAM_PREFIX, instead of using the default KBUILD_MODNAME ".".
+
+Commit 730b69d22525 ("module: check kernel param length at compile time,
+not runtime") added a check to ensure the prefix doesn't exceed
+MODULE_NAME_LEN, as this is what param_sysfs_builtin() expects.
+
+Later, commit 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking
+for sysfs perms.") removed this check, but there is no indication this was
+intentional.
+
+Since the check is still useful for param_sysfs_builtin() to function
+properly, reintroduce it in __module_param_call(), but in a modernized form
+using static_assert().
+
+While here, clean up the __module_param_call() comments. In particular,
+remove the comment "Default value instead of permissions?", which comes
+from commit 9774a1f54f17 ("[PATCH] Compile-time check re world-writeable
+module params"). This comment was related to the test variable
+__param_perm_check_##name, which was removed in the previously mentioned
+commit 58f86cc89c33.
+
+Fixes: 58f86cc89c33 ("VERIFY_OCTAL_PERMISSIONS: stricter checking for sysfs perms.")
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
+Link: https://lore.kernel.org/r/20250630143535.267745-4-petr.pavlu@suse.com
+Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/moduleparam.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
+index 4d5a851cafe8..6e9062caa7df 100644
+--- a/include/linux/moduleparam.h
++++ b/include/linux/moduleparam.h
+@@ -214,10 +214,9 @@ struct kparam_array
+ #define __moduleparam_const const
+ #endif
+-/* This is the fundamental function for registering boot/module
+-   parameters. */
++/* This is the fundamental function for registering boot/module parameters. */
+ #define __module_param_call(prefix, name, ops, arg, perm, level, flags)       \
+-      /* Default value instead of permissions? */                     \
++      static_assert(sizeof(""prefix) - 1 <= MAX_PARAM_PREFIX_LEN);    \
+       static const char __param_str_##name[] = prefix #name;          \
+       static struct kernel_param __moduleparam_const __param_##name   \
+       __used                                                          \
+-- 
+2.39.5
+
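Review bot: The restored `static_assert()` in __module_param_call() carries no comment saying why the prefix is bounded; the earlier check was removed apparently by accident, and an uncommented assertion is easy to drop again. According to the commit message the limit exists because param_sysfs_builtin() expects the prefix to fit within MODULE_NAME_LEN, so a line such as `/* param_sysfs_builtin() relies on the prefix fitting in MODULE_NAME_LEN */ \` directly above the assertion would tie the two together. For this backport it is also worth confirming that `static_assert` and MAX_PARAM_PREFIX_LEN are visible from this header on the target tree, since neither definition appears in the hunk. The macro body continues outside the hunk.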
diff --git a/queue-5.4/mtd-fix-possible-integer-overflow-in-erase_xfer.patch b/queue-5.4/mtd-fix-possible-integer-overflow-in-erase_xfer.patch
new file mode 100644 (file)
index 0000000..3fe5e58
--- /dev/null
@@ -0,0 +1,41 @@
+From 124f23cadc8421684349707827d6a7dac0186f53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 17:53:13 +0300
+Subject: mtd: fix possible integer overflow in erase_xfer()
+
+From: Ivan Stepchenko <sid@itb.spb.ru>
+
+[ Upstream commit 9358bdb9f9f54d94ceafc650deffefd737d19fdd ]
+
+The expression '1 << EraseUnitSize' is evaluated in int, which causes
+a negative result when shifting by 31 - the upper bound of the valid
+range [10, 31], enforced by scan_header(). This leads to incorrect
+extension when storing the result in 'erase->len' (uint64_t), producing
+a large unexpected value.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ftl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/ftl.c b/drivers/mtd/ftl.c
+index 2578f27914ef..ffe89209cf4b 100644
+--- a/drivers/mtd/ftl.c
++++ b/drivers/mtd/ftl.c
+@@ -344,7 +344,7 @@ static int erase_xfer(partition_t *part,
+             return -ENOMEM;
+     erase->addr = xfer->Offset;
+-    erase->len = 1 << part->header.EraseUnitSize;
++    erase->len = 1ULL << part->header.EraseUnitSize;
+     ret = mtd_erase(part->mbd.mtd, erase);
+     if (!ret) {
+-- 
+2.39.5
+
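Review bot: `1ULL << part->header.EraseUnitSize` is well defined only because of a range check that lives elsewhere, and erase_xfer() gives no hint of it. The commit message says scan_header() limits EraseUnitSize to [10, 31], and the field appears to come from the on-media header, so I would record the dependency with `/* EraseUnitSize is limited to 10..31 by scan_header() */` above the assignment. Any other `1 << ...EraseUnitSize` expression in drivers/mtd/ftl.c that feeds a 64-bit value would have the same sign-extension problem at 31; none is visible in this hunk, so that needs a look at the full file. The function starts and ends outside the hunk.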
diff --git a/queue-5.4/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch b/queue-5.4/mtd-rawnand-atmel-fix-dma_mapping_error-address.patch
new file mode 100644 (file)
index 0000000..4d20473
--- /dev/null
@@ -0,0 +1,38 @@
+From 2e0b55bbb679b103443f34c6cb06026fac3c1aa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 08:45:11 +0200
+Subject: mtd: rawnand: atmel: Fix dma_mapping_error() address
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit e1e6b933c56b1e9fda93caa0b8bae39f3f421e5c ]
+
+It seems like what was intended is to test if the dma_map of the
+previous line failed but the wrong dma address was passed.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Rule: add
+Link: https://lore.kernel.org/stable/20250702064515.18145-2-fourier.thomas%40gmail.com
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c
+index 997910bec727..a54ad340f1e2 100644
+--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
+@@ -370,7 +370,7 @@ static int atmel_nand_dma_transfer(struct atmel_nand_controller *nc,
+       dma_cookie_t cookie;
+       buf_dma = dma_map_single(nc->dev, buf, len, dir);
+-      if (dma_mapping_error(nc->dev, dev_dma)) {
++      if (dma_mapping_error(nc->dev, buf_dma)) {
+               dev_err(nc->dev,
+                       "Failed to prepare a buffer for DMA access\n");
+               goto err;
+-- 
+2.39.5
+
diff --git a/queue-5.4/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch b/queue-5.4/mtd-rawnand-atmel-set-pmecc-data-setup-time.patch
new file mode 100644 (file)
index 0000000..128284e
--- /dev/null
@@ -0,0 +1,57 @@
+From 3903b10bc57d757477d5d78f4ee033840f3f13e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 16:13:40 +0530
+Subject: mtd: rawnand: atmel: set pmecc data setup time
+
+From: Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
+
+[ Upstream commit f552a7c7e0a14215cb8a6fd89e60fa3932a74786 ]
+
+Setup the pmecc data setup time as 3 clock cycles for 133MHz as recommended
+by the datasheet.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Reported-by: Zixun LI <admin@hifiphile.com>
+Closes: https://lore.kernel.org/all/c015bb20-6a57-4f63-8102-34b3d83e0f5b@microchip.com
+Suggested-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+Signed-off-by: Balamanikandan Gunasundar <balamanikandan.gunasundar@microchip.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/atmel/pmecc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/mtd/nand/raw/atmel/pmecc.c b/drivers/mtd/nand/raw/atmel/pmecc.c
+index d1ed5878b3b1..28ed65dd3d43 100644
+--- a/drivers/mtd/nand/raw/atmel/pmecc.c
++++ b/drivers/mtd/nand/raw/atmel/pmecc.c
+@@ -143,6 +143,7 @@ struct atmel_pmecc_caps {
+       int nstrengths;
+       int el_offset;
+       bool correct_erased_chunks;
++      bool clk_ctrl;
+ };
+ struct atmel_pmecc {
+@@ -846,6 +847,10 @@ static struct atmel_pmecc *atmel_pmecc_create(struct platform_device *pdev,
+       if (IS_ERR(pmecc->regs.errloc))
+               return ERR_CAST(pmecc->regs.errloc);
++      /* pmecc data setup time */
++      if (caps->clk_ctrl)
++              writel(PMECC_CLK_133MHZ, pmecc->regs.base + ATMEL_PMECC_CLK);
++
+       /* Disable all interrupts before registering the PMECC handler. */
+       writel(0xffffffff, pmecc->regs.base + ATMEL_PMECC_IDR);
+       atmel_pmecc_reset(pmecc);
+@@ -899,6 +904,7 @@ static struct atmel_pmecc_caps at91sam9g45_caps = {
+       .strengths = atmel_pmecc_strengths,
+       .nstrengths = 5,
+       .el_offset = 0x8c,
++      .clk_ctrl = true,
+ };
+ static struct atmel_pmecc_caps sama5d4_caps = {
+-- 
+2.39.5
+
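Review bot: The write added to atmel_pmecc_create() programs `PMECC_CLK_133MHZ` for every controller whose caps set `clk_ctrl`, but neither the `/* pmecc data setup time */` comment nor the new struct field says what the value assumes. From the commit message this is the datasheet's recommended setting of 3 clock cycles at 133 MHz, so I would spell that out, e.g. `/* Data setup time: 3 clock cycles, the datasheet value for 133 MHz */`, and document the field as `bool clk_ctrl; /* controller has the ATMEL_PMECC_CLK register */` if that is indeed its meaning. Only at91sam9g45_caps enables it in the visible hunks; whether the other caps tables are meant to stay off cannot be told from here.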
diff --git a/queue-5.4/mwl8k-add-missing-check-after-dma-map.patch b/queue-5.4/mwl8k-add-missing-check-after-dma-map.patch
new file mode 100644 (file)
index 0000000..78263cf
--- /dev/null
@@ -0,0 +1,39 @@
+From 0c52a8d7aeb15a2a129022650be7428490132d23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 13:13:34 +0200
+Subject: mwl8k: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 50459501b9a212dbe7a673727589ee105a8a9954 ]
+
+The DMA map functions can fail and should be tested for errors.
+If the mapping fails, unmap and return an error.
+
+Fixes: 788838ebe8a4 ("mwl8k: use pci_unmap_addr{,set}() to keep track of unmap addresses on rx")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20250709111339.25360-2-fourier.thomas@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index abd5c8670bc4..a0c15af1b167 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -1220,6 +1220,10 @@ static int rxq_refill(struct ieee80211_hw *hw, int index, int limit)
+               addr = pci_map_single(priv->pdev, skb->data,
+                                     MWL8K_RX_MAXSZ, DMA_FROM_DEVICE);
++              if (dma_mapping_error(&priv->pdev->dev, addr)) {
++                      kfree_skb(skb);
++                      break;
++              }
+               rxq->rxd_count++;
+               rx = rxq->tail++;
+-- 
+2.39.5
+
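Review bot: The new check in rxq_refill() mixes two DMA API families: the buffer is mapped with `pci_map_single(priv->pdev, ...)` but tested with `dma_mapping_error(&priv->pdev->dev, addr)`. The two are functionally equivalent, but for consistency with the surrounding pci_* calls the matching wrapper would be `if (pci_dma_mapping_error(priv->pdev, addr)) {`. Separately, the commit message says "unmap and return an error", while the code frees the skb and breaks out of the loop; a comment such as `/* mapping failed: drop this skb and stop refilling */` would state what is actually done. The enclosing loop and the function's return statement are outside the hunk.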
diff --git a/queue-5.4/net-sched-restrict-conditions-for-adding-duplicating.patch b/queue-5.4/net-sched-restrict-conditions-for-adding-duplicating.patch
new file mode 100644 (file)
index 0000000..5ab69aa
--- /dev/null
@@ -0,0 +1,117 @@
+From dd2e7830f70a5ae3e2c874cbeb153c5047257342 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 16:43:26 +0000
+Subject: net/sched: Restrict conditions for adding duplicating netems to qdisc
+ tree
+
+From: William Liu <will@willsroot.io>
+
+[ Upstream commit ec8e0e3d7adef940cdf9475e2352c0680189d14e ]
+
+netem_enqueue's duplication prevention logic breaks when a netem
+resides in a qdisc tree with other netems - this can lead to a
+soft lockup and OOM loop in netem_dequeue, as seen in [1].
+Ensure that a duplicating netem cannot exist in a tree with other
+netems.
+
+Previous approaches suggested in discussions in chronological order:
+
+1) Track duplication status or ttl in the sk_buff struct. Considered
+too specific a use case to extend such a struct, though this would
+be a resilient fix and address other previous and potential future
+DOS bugs like the one described in loopy fun [2].
+
+2) Restrict netem_enqueue recursion depth like in act_mirred with a
+per cpu variable. However, netem_dequeue can call enqueue on its
+child, and the depth restriction could be bypassed if the child is a
+netem.
+
+3) Use the same approach as in 2, but add metadata in netem_skb_cb
+to handle the netem_dequeue case and track a packet's involvement
+in duplication. This is an overly complex approach, and Jamal
+notes that the skb cb can be overwritten to circumvent this
+safeguard.
+
+4) Prevent the addition of a netem to a qdisc tree if its ancestral
+path contains a netem. However, filters and actions can cause a
+packet to change paths when re-enqueued to the root from netem
+duplication, leading us to the current solution: prevent a
+duplicating netem from inhabiting the same tree as other netems.
+
+[1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/
+[2] https://lwn.net/Articles/719297/
+
+Fixes: 0afb51e72855 ("[PKT_SCHED]: netem: reinsert for duplication")
+Reported-by: William Liu <will@willsroot.io>
+Reported-by: Savino Dicanosa <savy@syst3mfailure.io>
+Signed-off-by: William Liu <will@willsroot.io>
+Signed-off-by: Savino Dicanosa <savy@syst3mfailure.io>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20250708164141.875402-1-will@willsroot.io
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_netem.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 27bd18c74e85..cdf2df194d24 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -962,6 +962,41 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
+       return 0;
+ }
++static const struct Qdisc_class_ops netem_class_ops;
++
++static int check_netem_in_tree(struct Qdisc *sch, bool duplicates,
++                             struct netlink_ext_ack *extack)
++{
++      struct Qdisc *root, *q;
++      unsigned int i;
++
++      root = qdisc_root_sleeping(sch);
++
++      if (sch != root && root->ops->cl_ops == &netem_class_ops) {
++              if (duplicates ||
++                  ((struct netem_sched_data *)qdisc_priv(root))->duplicate)
++                      goto err;
++      }
++
++      if (!qdisc_dev(root))
++              return 0;
++
++      hash_for_each(qdisc_dev(root)->qdisc_hash, i, q, hash) {
++              if (sch != q && q->ops->cl_ops == &netem_class_ops) {
++                      if (duplicates ||
++                          ((struct netem_sched_data *)qdisc_priv(q))->duplicate)
++                              goto err;
++              }
++      }
++
++      return 0;
++
++err:
++      NL_SET_ERR_MSG(extack,
++                     "netem: cannot mix duplicating netems with other netems in tree");
++      return -EINVAL;
++}
++
+ /* Parse netlink message to set options */
+ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+                       struct netlink_ext_ack *extack)
+@@ -1023,6 +1058,11 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+       q->gap = qopt->gap;
+       q->counter = 0;
+       q->loss = qopt->loss;
++
++      ret = check_netem_in_tree(sch, qopt->duplicate, extack);
++      if (ret)
++              goto unlock;
++
+       q->duplicate = qopt->duplicate;
+       /* for compatibility with earlier versions.
+-- 
+2.39.5
+
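Review bot: In the netem_change() hunk the call to `check_netem_in_tree()` sits after `q->gap`, `q->counter` and `q->loss` have already been overwritten, so a request rejected with -EINVAL still leaves the qdisc partly reconfigured. The check reads none of the fields assigned above it, so `ret = check_netem_in_tree(sch, qopt->duplicate, extack);` followed by `if (ret) goto unlock;` could run before the first assignment to `q`. The start of netem_change(), including where the lock paired with `unlock` is taken, is outside the hunk, so the exact position needs checking against the 5.4 tree.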
diff --git a/queue-5.4/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch b/queue-5.4/netfilter-nf_tables-adjust-lockdep-assertions-handli.patch
new file mode 100644 (file)
index 0000000..006099a
--- /dev/null
@@ -0,0 +1,51 @@
+From 537a734acdb1e593288766d275ebdcf96341b4ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:12:15 +0300
+Subject: netfilter: nf_tables: adjust lockdep assertions handling
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 8df1b40de76979bb8e975201d07b71103d5de820 ]
+
+It's needed to check the return value of lockdep_commit_lock_is_held(),
+otherwise there's no point in this assertion as it doesn't print any
+debug information on itself.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace static
+analysis tool.
+
+Fixes: b04df3da1b5c ("netfilter: nf_tables: do not defer rule destruction via call_rcu")
+Reported-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 9e20fb759cb8..54c43f1cceac 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2823,7 +2823,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+ static void nf_tables_rule_release(const struct nft_ctx *ctx,
+                                  struct nft_rule *rule)
+ {
+-      lockdep_commit_lock_is_held(ctx->net);
++      WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
+       nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
+       nf_tables_rule_destroy(ctx, rule);
+@@ -4173,7 +4173,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+                             struct nft_set_binding *binding,
+                             enum nft_trans_phase phase)
+ {
+-      lockdep_commit_lock_is_held(ctx->net);
++      WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net));
+       switch (phase) {
+       case NFT_TRANS_PREPARE_ERROR:
+-- 
+2.39.5
+
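Review bot: `WARN_ON_ONCE(!lockdep_commit_lock_is_held(ctx->net))` now acts on the helper's return value in both nf_tables_rule_release() and nf_tables_deactivate_set(), so the helper has to return true on builds without lockdep; otherwise these paths warn even when the lock is held. Its definition is outside these hunks and should be checked in the 5.4 tree before the backport is applied. On systems that set panic_on_warn, a false positive here would turn into a panic.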
diff --git a/queue-5.4/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch b/queue-5.4/netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch
new file mode 100644 (file)
index 0000000..3079b1d
--- /dev/null
@@ -0,0 +1,50 @@
+From 61ea26bb0385d49e69ad179f02fdbf68bdd5c8e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 13:27:13 +0200
+Subject: netfilter: xt_nfacct: don't assume acct name is null-terminated
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit bf58e667af7d96c8eb9411f926a0a0955f41ce21 ]
+
+BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721
+Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851
+[..]
+ string+0x231/0x2b0 lib/vsprintf.c:721
+ vsnprintf+0x739/0xf00 lib/vsprintf.c:2874
+ [..]
+ nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41
+ xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523
+
+nfnl_acct_find_get() handles non-null input, but the error
+printk relied on its presence.
+
+Reported-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4ff165b9251e4d295690
+Tested-by: syzbot+4ff165b9251e4d295690@syzkaller.appspotmail.com
+Fixes: ceb98d03eac5 ("netfilter: xtables: add nfacct match to support extended accounting")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_nfacct.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
+index 5aab6df74e0f..68b07476f754 100644
+--- a/net/netfilter/xt_nfacct.c
++++ b/net/netfilter/xt_nfacct.c
+@@ -38,8 +38,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par)
+       nfacct = nfnl_acct_find_get(par->net, info->name);
+       if (nfacct == NULL) {
+-              pr_info_ratelimited("accounting object `%s' does not exists\n",
+-                                  info->name);
++              pr_info_ratelimited("accounting object `%.*s' does not exist\n",
++                                  NFACCT_NAME_MAX, info->name);
+               return -ENOENT;
+       }
+       info->nfacct = nfacct;
+-- 
+2.39.5
+
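Review bot: Bounding the format with `%.*s` stops the out-of-bounds read in the log call, but nfacct_mt_checkentry() still accepts a name with no terminator inside `info->name`. Rejecting it up front, `if (strnlen(info->name, NFACCT_NAME_MAX) == NFACCT_NAME_MAX) return -EINVAL;`, would protect every later reader of the field rather than only this message. Whether a full-length unterminated name can ever match an existing accounting object is not visible here, and the function begins and ends outside the hunk, so this needs confirming against nfnl_acct_find_get().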
diff --git a/queue-5.4/pci-hotplug-pnv-php-improve-error-msg-on-power-state.patch b/queue-5.4/pci-hotplug-pnv-php-improve-error-msg-on-power-state.patch
new file mode 100644 (file)
index 0000000..113c290
--- /dev/null
@@ -0,0 +1,70 @@
+From 5be6557ec96e3bfe2a996cd94c49682cb1f76553 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 14:49:14 +0100
+Subject: pci/hotplug/pnv-php: Improve error msg on power state change failure
+
+From: Frederic Barrat <fbarrat@linux.ibm.com>
+
+[ Upstream commit 323c2a26ff43500a96799250330fab68903d776f ]
+
+When changing the slot state, if opal hits an error and tells as such
+in the asynchronous reply, the warning "Wrong msg" is logged, which is
+rather confusing. Instead we can reuse the better message which is
+already used when we couldn't submit the asynchronous opal request
+initially.
+
+Reviewed-by: Alastair D'Silva <alastair@d-silva.org>
+Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191121134918.7155-8-fbarrat@linux.ibm.com
+Stable-dep-of: 466861909255 ("PCI: pnv_php: Clean up allocated IRQs on unplug")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index 382494261830..8223fe0b751f 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -341,18 +341,19 @@ int pnv_php_set_slot_power_state(struct hotplug_slot *slot,
+       ret = pnv_pci_set_power_state(php_slot->id, state, &msg);
+       if (ret > 0) {
+               if (be64_to_cpu(msg.params[1]) != php_slot->dn->phandle ||
+-                  be64_to_cpu(msg.params[2]) != state                 ||
+-                  be64_to_cpu(msg.params[3]) != OPAL_SUCCESS) {
++                  be64_to_cpu(msg.params[2]) != state) {
+                       pci_warn(php_slot->pdev, "Wrong msg (%lld, %lld, %lld)\n",
+                                be64_to_cpu(msg.params[1]),
+                                be64_to_cpu(msg.params[2]),
+                                be64_to_cpu(msg.params[3]));
+                       return -ENOMSG;
+               }
++              if (be64_to_cpu(msg.params[3]) != OPAL_SUCCESS) {
++                      ret = -ENODEV;
++                      goto error;
++              }
+       } else if (ret < 0) {
+-              pci_warn(php_slot->pdev, "Error %d powering %s\n",
+-                       ret, (state == OPAL_PCI_SLOT_POWER_ON) ? "on" : "off");
+-              return ret;
++              goto error;
+       }
+       if (state == OPAL_PCI_SLOT_POWER_OFF || state == OPAL_PCI_SLOT_OFFLINE)
+@@ -361,6 +362,11 @@ int pnv_php_set_slot_power_state(struct hotplug_slot *slot,
+               ret = pnv_php_add_devtree(php_slot);
+       return ret;
++
++error:
++      pci_warn(php_slot->pdev, "Error %d powering %s\n",
++               ret, (state == OPAL_PCI_SLOT_POWER_ON) ? "on" : "off");
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(pnv_php_set_slot_power_state);
+-- 
+2.39.5
+
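Review bot: The new `be64_to_cpu(msg.params[3]) != OPAL_SUCCESS` branch replaces the firmware status with `-ENODEV` before jumping to `error`, so the log shows only "Error -19 powering on" (or "off"). The OPAL return code that the old "Wrong msg" line printed is lost. Logging it before the jump keeps the diagnostic, e.g. `pci_warn(php_slot->pdev, "OPAL status %lld\n", be64_to_cpu(msg.params[3]));`. The start of pnv_php_set_slot_power_state() is outside the first hunk.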
diff --git a/queue-5.4/pci-hotplug-pnv-php-wrap-warnings-in-macro.patch b/queue-5.4/pci-hotplug-pnv-php-wrap-warnings-in-macro.patch
new file mode 100644 (file)
index 0000000..792611b
--- /dev/null
@@ -0,0 +1,195 @@
+From 9def9e836b0931d8697b8f5c6c0c51cd9aafcdfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2019 14:49:17 +0100
+Subject: pci/hotplug/pnv-php: Wrap warnings in macro
+
+From: Frederic Barrat <fbarrat@linux.ibm.com>
+
+[ Upstream commit 748ac391ab9acd8d7f3c93cbf3e63c773c0b2638 ]
+
+An opencapi slot doesn't have an associated bridge device. It's not
+needed for operation, but any warning is displayed through pci_warn()
+which uses the pci_dev struct of the assocated bridge device. So wrap
+those warning so that a different trace mechanism can be used if it's
+an opencapi slot.
+
+Reviewed-by: Alastair D'Silva <alastair@d-silva.org>
+Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191121134918.7155-11-fbarrat@linux.ibm.com
+Stable-dep-of: 466861909255 ("PCI: pnv_php: Clean up allocated IRQs on unplug")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 51 +++++++++++++++++++----------------
+ 1 file changed, 28 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index 8223fe0b751f..3687a99383c1 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -18,6 +18,9 @@
+ #define DRIVER_AUTHOR "Gavin Shan, IBM Corporation"
+ #define DRIVER_DESC   "PowerPC PowerNV PCI Hotplug Driver"
++#define SLOT_WARN(sl, x...) \
++      ((sl)->pdev ? pci_warn((sl)->pdev, x) : dev_warn(&(sl)->bus->dev, x))
++
+ struct pnv_php_event {
+       bool                    added;
+       struct pnv_php_slot     *php_slot;
+@@ -270,7 +273,7 @@ static int pnv_php_add_devtree(struct pnv_php_slot *php_slot)
+       ret = pnv_pci_get_device_tree(php_slot->dn->phandle, fdt1, 0x10000);
+       if (ret) {
+-              pci_warn(php_slot->pdev, "Error %d getting FDT blob\n", ret);
++              SLOT_WARN(php_slot, "Error %d getting FDT blob\n", ret);
+               goto free_fdt1;
+       }
+@@ -284,7 +287,7 @@ static int pnv_php_add_devtree(struct pnv_php_slot *php_slot)
+       dt = of_fdt_unflatten_tree(fdt, php_slot->dn, NULL);
+       if (!dt) {
+               ret = -EINVAL;
+-              pci_warn(php_slot->pdev, "Cannot unflatten FDT\n");
++              SLOT_WARN(php_slot, "Cannot unflatten FDT\n");
+               goto free_fdt;
+       }
+@@ -294,15 +297,15 @@ static int pnv_php_add_devtree(struct pnv_php_slot *php_slot)
+       ret = pnv_php_populate_changeset(&php_slot->ocs, php_slot->dn);
+       if (ret) {
+               pnv_php_reverse_nodes(php_slot->dn);
+-              pci_warn(php_slot->pdev, "Error %d populating changeset\n",
+-                       ret);
++              SLOT_WARN(php_slot, "Error %d populating changeset\n",
++                        ret);
+               goto free_dt;
+       }
+       php_slot->dn->child = NULL;
+       ret = of_changeset_apply(&php_slot->ocs);
+       if (ret) {
+-              pci_warn(php_slot->pdev, "Error %d applying changeset\n", ret);
++              SLOT_WARN(php_slot, "Error %d applying changeset\n", ret);
+               goto destroy_changeset;
+       }
+@@ -342,10 +345,10 @@ int pnv_php_set_slot_power_state(struct hotplug_slot *slot,
+       if (ret > 0) {
+               if (be64_to_cpu(msg.params[1]) != php_slot->dn->phandle ||
+                   be64_to_cpu(msg.params[2]) != state) {
+-                      pci_warn(php_slot->pdev, "Wrong msg (%lld, %lld, %lld)\n",
+-                               be64_to_cpu(msg.params[1]),
+-                               be64_to_cpu(msg.params[2]),
+-                               be64_to_cpu(msg.params[3]));
++                      SLOT_WARN(php_slot, "Wrong msg (%lld, %lld, %lld)\n",
++                                be64_to_cpu(msg.params[1]),
++                                be64_to_cpu(msg.params[2]),
++                                be64_to_cpu(msg.params[3]));
+                       return -ENOMSG;
+               }
+               if (be64_to_cpu(msg.params[3]) != OPAL_SUCCESS) {
+@@ -364,8 +367,8 @@ int pnv_php_set_slot_power_state(struct hotplug_slot *slot,
+       return ret;
+ error:
+-      pci_warn(php_slot->pdev, "Error %d powering %s\n",
+-               ret, (state == OPAL_PCI_SLOT_POWER_ON) ? "on" : "off");
++      SLOT_WARN(php_slot, "Error %d powering %s\n",
++                ret, (state == OPAL_PCI_SLOT_POWER_ON) ? "on" : "off");
+       return ret;
+ }
+ EXPORT_SYMBOL_GPL(pnv_php_set_slot_power_state);
+@@ -383,8 +386,8 @@ static int pnv_php_get_power_state(struct hotplug_slot *slot, u8 *state)
+        */
+       ret = pnv_pci_get_power_state(php_slot->id, &power_state);
+       if (ret) {
+-              pci_warn(php_slot->pdev, "Error %d getting power status\n",
+-                       ret);
++              SLOT_WARN(php_slot, "Error %d getting power status\n",
++                        ret);
+       } else {
+               *state = power_state;
+       }
+@@ -407,7 +410,7 @@ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state)
+               *state = presence;
+               ret = 0;
+       } else {
+-              pci_warn(php_slot->pdev, "Error %d getting presence\n", ret);
++              SLOT_WARN(php_slot, "Error %d getting presence\n", ret);
+       }
+       return ret;
+@@ -680,7 +683,7 @@ static int pnv_php_register_slot(struct pnv_php_slot *php_slot)
+       ret = pci_hp_register(&php_slot->slot, php_slot->bus,
+                             php_slot->slot_no, php_slot->name);
+       if (ret) {
+-              pci_warn(php_slot->pdev, "Error %d registering slot\n", ret);
++              SLOT_WARN(php_slot, "Error %d registering slot\n", ret);
+               return ret;
+       }
+@@ -733,7 +736,7 @@ static int pnv_php_enable_msix(struct pnv_php_slot *php_slot)
+       /* Enable MSIx */
+       ret = pci_enable_msix_exact(pdev, &entry, 1);
+       if (ret) {
+-              pci_warn(pdev, "Error %d enabling MSIx\n", ret);
++              SLOT_WARN(php_slot, "Error %d enabling MSIx\n", ret);
+               return ret;
+       }
+@@ -783,8 +786,9 @@ static irqreturn_t pnv_php_interrupt(int irq, void *data)
+                  (sts & PCI_EXP_SLTSTA_PDC)) {
+               ret = pnv_pci_get_presence_state(php_slot->id, &presence);
+               if (ret) {
+-                      pci_warn(pdev, "PCI slot [%s] error %d getting presence (0x%04x), to retry the operation.\n",
+-                               php_slot->name, ret, sts);
++                      SLOT_WARN(php_slot,
++                                "PCI slot [%s] error %d getting presence (0x%04x), to retry the operation.\n",
++                                php_slot->name, ret, sts);
+                       return IRQ_HANDLED;
+               }
+@@ -814,8 +818,9 @@ static irqreturn_t pnv_php_interrupt(int irq, void *data)
+        */
+       event = kzalloc(sizeof(*event), GFP_ATOMIC);
+       if (!event) {
+-              pci_warn(pdev, "PCI slot [%s] missed hotplug event 0x%04x\n",
+-                       php_slot->name, sts);
++              SLOT_WARN(php_slot,
++                        "PCI slot [%s] missed hotplug event 0x%04x\n",
++                        php_slot->name, sts);
+               return IRQ_HANDLED;
+       }
+@@ -839,7 +844,7 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq)
+       /* Allocate workqueue */
+       php_slot->wq = alloc_workqueue("pciehp-%s", 0, 0, php_slot->name);
+       if (!php_slot->wq) {
+-              pci_warn(pdev, "Cannot alloc workqueue\n");
++              SLOT_WARN(php_slot, "Cannot alloc workqueue\n");
+               pnv_php_disable_irq(php_slot, true);
+               return;
+       }
+@@ -863,7 +868,7 @@ static void pnv_php_init_irq(struct pnv_php_slot *php_slot, int irq)
+                         php_slot->name, php_slot);
+       if (ret) {
+               pnv_php_disable_irq(php_slot, true);
+-              pci_warn(pdev, "Error %d enabling IRQ %d\n", ret, irq);
++              SLOT_WARN(php_slot, "Error %d enabling IRQ %d\n", ret, irq);
+               return;
+       }
+@@ -899,7 +904,7 @@ static void pnv_php_enable_irq(struct pnv_php_slot *php_slot)
+       ret = pci_enable_device(pdev);
+       if (ret) {
+-              pci_warn(pdev, "Error %d enabling device\n", ret);
++              SLOT_WARN(php_slot, "Error %d enabling device\n", ret);
+               return;
+       }
+-- 
+2.39.5
+
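Review bot: `SLOT_WARN` has no comment saying why it falls back to `&(sl)->bus->dev`, and it expands `sl` more than once. A one-line comment above the macro would carry the reason from the description, e.g. `/* opencapi slots have no bridge pci_dev; log against the bus device instead */`. Every call in this patch passes a plain `php_slot`, so the repeated evaluation is harmless today. The macro also assumes `(sl)->bus` is set whenever `(sl)->pdev` is NULL, which these hunks do not show.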
diff --git a/queue-5.4/pci-rockchip-host-fix-unexpected-completion-log-mess.patch b/queue-5.4/pci-rockchip-host-fix-unexpected-completion-log-mess.patch
new file mode 100644 (file)
index 0000000..f4071a5
--- /dev/null
@@ -0,0 +1,41 @@
+From f842fbd38ad1248a075fb8f09e62d22ad85428d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 00:01:59 +0800
+Subject: PCI: rockchip-host: Fix "Unexpected Completion" log message
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit fcc5f586c4edbcc10de23fb9b8c0972a84e945cd ]
+
+Fix the debug message for the PCIE_CORE_INT_UCR interrupt to clearly
+indicate "Unexpected Completion" instead of a duplicate "malformed TLP"
+message.
+
+Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+[mani: added fixes tag]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
+Link: https://patch.msgid.link/20250607160201.807043-2-18255117159@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-rockchip-host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-rockchip-host.c b/drivers/pci/controller/pcie-rockchip-host.c
+index ef8e677ce9d1..281ddde9d8cc 100644
+--- a/drivers/pci/controller/pcie-rockchip-host.c
++++ b/drivers/pci/controller/pcie-rockchip-host.c
+@@ -445,7 +445,7 @@ static irqreturn_t rockchip_pcie_subsys_irq_handler(int irq, void *arg)
+                       dev_dbg(dev, "malformed TLP received from the link\n");
+               if (sub_reg & PCIE_CORE_INT_UCR)
+-                      dev_dbg(dev, "malformed TLP received from the link\n");
++                      dev_dbg(dev, "Unexpected Completion received from the link\n");
+               if (sub_reg & PCIE_CORE_INT_FCE)
+                       dev_dbg(dev, "an error was observed in the flow control advertisements from the other side\n");
+-- 
+2.39.5
+
diff --git a/queue-5.4/perf-tests-bp_account-fix-leaked-file-descriptor.patch b/queue-5.4/perf-tests-bp_account-fix-leaked-file-descriptor.patch
new file mode 100644 (file)
index 0000000..6c6dedb
--- /dev/null
@@ -0,0 +1,57 @@
+From dcc5a3fa65bbf93367cd214a5f6909d204e3801f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 12:10:15 +0100
+Subject: perf tests bp_account: Fix leaked file descriptor
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 4a6cdecaa1497f1fbbd1d5307a225b6ca5a62a90 ]
+
+Since the commit e9846f5ead26 ("perf test: In forked mode add check that
+fds aren't leaked"), the test "Breakpoint accounting" reports the error:
+
+  # perf test -vvv "Breakpoint accounting"
+  20: Breakpoint accounting:
+  --- start ---
+  test child forked, pid 373
+  failed opening event 0
+  failed opening event 0
+  watchpoints count 4, breakpoints count 6, has_ioctl 1, share 0
+  wp 0 created
+  wp 1 created
+  wp 2 created
+  wp 3 created
+  wp 0 modified to bp
+  wp max created
+  ---- end(0) ----
+  Leak of file descriptor 7 that opened: 'anon_inode:[perf_event]'
+
+A watchpoint's file descriptor was not properly released. This patch
+fixes the leak.
+
+Fixes: 032db28e5fa3 ("perf tests: Add breakpoint accounting/modify test")
+Reported-by: Aishwarya TCV <aishwarya.tcv@arm.com>
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250711-perf_fix_breakpoint_accounting-v1-1-b314393023f9@arm.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/bp_account.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/bp_account.c b/tools/perf/tests/bp_account.c
+index 55a9de311d7b..e1ff0faa0149 100644
+--- a/tools/perf/tests/bp_account.c
++++ b/tools/perf/tests/bp_account.c
+@@ -93,6 +93,7 @@ static int bp_accounting(int wp_cnt, int share)
+               fd_wp = wp_event((void *)&the_var, &attr_new);
+               TEST_ASSERT_VAL("failed to create max wp\n", fd_wp != -1);
+               pr_debug("wp max created\n");
++              close(fd_wp);
+       }
+       for (i = 0; i < wp_cnt; i++)
+-- 
+2.39.5
+
diff --git a/queue-5.4/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch b/queue-5.4/pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch
new file mode 100644 (file)
index 0000000..c6bc559
--- /dev/null
@@ -0,0 +1,55 @@
+From 0a43fed0c4f3cafcad3cb62e3a6b9e044bae0ae3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:27:08 +0800
+Subject: pinctrl: sunxi: Fix memory leak on krealloc failure
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit e3507c56cbb208d4f160942748c527ef6a528ba1 ]
+
+In sunxi_pctrl_dt_node_to_map(), when krealloc() fails to resize
+the pinctrl_map array, the function returns -ENOMEM directly
+without freeing the previously allocated *map buffer. This results
+in a memory leak of the original kmalloc_array allocation.
+
+Fixes: e11dee2e98f8 ("pinctrl: sunxi: Deal with configless pins")
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Link: https://lore.kernel.org/20250620012708.16709-1-chenyuan_fl@163.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+index 8c41f8b818b2..83775dd12cfa 100644
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -327,6 +327,7 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
+       const char *function, *pin_prop;
+       const char *group;
+       int ret, npins, nmaps, configlen = 0, i = 0;
++      struct pinctrl_map *new_map;
+       *map = NULL;
+       *num_maps = 0;
+@@ -401,9 +402,13 @@ static int sunxi_pctrl_dt_node_to_map(struct pinctrl_dev *pctldev,
+        * We know have the number of maps we need, we can resize our
+        * map array
+        */
+-      *map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL);
+-      if (!*map)
+-              return -ENOMEM;
++      new_map = krealloc(*map, i * sizeof(struct pinctrl_map), GFP_KERNEL);
++      if (!new_map) {
++              ret = -ENOMEM;
++              goto err_free_map;
++      }
++
++      *map = new_map;
+       return 0;
+-- 
+2.39.5
+
diff --git a/queue-5.4/power-supply-max14577-handle-null-pdata-when-config_.patch b/queue-5.4/power-supply-max14577-handle-null-pdata-when-config_.patch
new file mode 100644 (file)
index 0000000..19f2713
--- /dev/null
@@ -0,0 +1,51 @@
+From 170f8b320e893d51c001ce07218b0b2036c7096c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 14:16:01 +0800
+Subject: power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 2937f5d2e24eefef8cb126244caec7fe3307f724 ]
+
+When the kernel is not configured  CONFIG_OF, the max14577_charger_dt_init
+function returns NULL. Fix the max14577_charger_probe functionby returning
+-ENODATA instead of potentially passing a NULL pointer to PTR_ERR.
+
+This fixes the below smatch warning:
+max14577_charger_probe() warn: passing zero to 'PTR_ERR'
+
+Fixes: e30110e9c96f ("charger: max14577: Configure battery-dependent settings from DTS and sysfs")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250519061601.8755-1-hanchunchao@inspur.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max14577_charger.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/supply/max14577_charger.c b/drivers/power/supply/max14577_charger.c
+index 8a59feac6468..90b97736ac2a 100644
+--- a/drivers/power/supply/max14577_charger.c
++++ b/drivers/power/supply/max14577_charger.c
+@@ -501,7 +501,7 @@ static struct max14577_charger_platform_data *max14577_charger_dt_init(
+ static struct max14577_charger_platform_data *max14577_charger_dt_init(
+               struct platform_device *pdev)
+ {
+-      return NULL;
++      return ERR_PTR(-ENODATA);
+ }
+ #endif /* CONFIG_OF */
+@@ -572,7 +572,7 @@ static int max14577_charger_probe(struct platform_device *pdev)
+       chg->max14577 = max14577;
+       chg->pdata = max14577_charger_dt_init(pdev);
+-      if (IS_ERR_OR_NULL(chg->pdata))
++      if (IS_ERR(chg->pdata))
+               return PTR_ERR(chg->pdata);
+       ret = max14577_charger_reg_init(chg);
+-- 
+2.39.5
+
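Review bot: Changing the probe check from `IS_ERR_OR_NULL()` to `IS_ERR()` is only safe if the CONFIG_OF variant of max14577_charger_dt_init() never returns NULL; its body is outside both hunks. If any path there can return NULL, `chg->pdata` would now pass the check and be used as a valid pointer. An explicit guard keeps both cases covered: `if (!chg->pdata) return -ENODATA;` ahead of the `IS_ERR()` test.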
diff --git a/queue-5.4/pps-fix-poll-support.patch b/queue-5.4/pps-fix-poll-support.patch
new file mode 100644 (file)
index 0000000..03c724d
--- /dev/null
@@ -0,0 +1,102 @@
+From b6a5b4d3ad64d21bacaa10958faec9a1134ff841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 12:57:50 +0200
+Subject: pps: fix poll support
+
+From: Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
+
+[ Upstream commit 12c409aa1ec2592280a2ddcc66ff8f3c7f7bb171 ]
+
+Because pps_cdev_poll() returns unconditionally EPOLLIN,
+a user space program that calls select/poll get always an immediate data
+ready-to-read response. As a result the intended use to wait until next
+data becomes ready does not work.
+
+User space snippet:
+
+    struct pollfd pollfd = {
+      .fd = open("/dev/pps0", O_RDONLY),
+      .events = POLLIN|POLLERR,
+      .revents = 0 };
+    while(1) {
+      poll(&pollfd, 1, 2000/*ms*/); // returns immediate, but should wait
+      if(revents & EPOLLIN) { // always true
+        struct pps_fdata fdata;
+        memset(&fdata, 0, sizeof(memdata));
+        ioctl(PPS_FETCH, &fdata); // currently fetches data at max speed
+      }
+    }
+
+Lets remember the last fetch event counter and compare this value
+in pps_cdev_poll() with most recent event counter
+and return 0 if they are equal.
+
+Signed-off-by: Denis OSTERLAND-HEIM <denis.osterland@diehl.com>
+Co-developed-by: Rodolfo Giometti <giometti@enneenne.com>
+Signed-off-by: Rodolfo Giometti <giometti@enneenne.com>
+Fixes: eae9d2ba0cfc ("LinuxPPS: core support")
+Link: https://lore.kernel.org/all/f6bed779-6d59-4f0f-8a59-b6312bd83b4e@enneenne.com/
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Link: https://lore.kernel.org/r/c3c50ad1eb19ef553eca8a57c17f4c006413ab70.camel@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pps/pps.c          | 11 +++++++++--
+ include/linux/pps_kernel.h |  1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pps/pps.c b/drivers/pps/pps.c
+index 2d008e0d116a..ea966fc67d28 100644
+--- a/drivers/pps/pps.c
++++ b/drivers/pps/pps.c
+@@ -41,6 +41,9 @@ static __poll_t pps_cdev_poll(struct file *file, poll_table *wait)
+       poll_wait(file, &pps->queue, wait);
++      if (pps->last_fetched_ev == pps->last_ev)
++              return 0;
++
+       return EPOLLIN | EPOLLRDNORM;
+ }
+@@ -186,9 +189,11 @@ static long pps_cdev_ioctl(struct file *file,
+               if (err)
+                       return err;
+-              /* Return the fetched timestamp */
++              /* Return the fetched timestamp and save last fetched event  */
+               spin_lock_irq(&pps->lock);
++              pps->last_fetched_ev = pps->last_ev;
++
+               fdata.info.assert_sequence = pps->assert_sequence;
+               fdata.info.clear_sequence = pps->clear_sequence;
+               fdata.info.assert_tu = pps->assert_tu;
+@@ -272,9 +277,11 @@ static long pps_cdev_compat_ioctl(struct file *file,
+               if (err)
+                       return err;
+-              /* Return the fetched timestamp */
++              /* Return the fetched timestamp and save last fetched event  */
+               spin_lock_irq(&pps->lock);
++              pps->last_fetched_ev = pps->last_ev;
++
+               compat.info.assert_sequence = pps->assert_sequence;
+               compat.info.clear_sequence = pps->clear_sequence;
+               compat.info.current_mode = pps->current_mode;
+diff --git a/include/linux/pps_kernel.h b/include/linux/pps_kernel.h
+index c7abce28ed29..aab0aebb529e 100644
+--- a/include/linux/pps_kernel.h
++++ b/include/linux/pps_kernel.h
+@@ -52,6 +52,7 @@ struct pps_device {
+       int current_mode;                       /* PPS mode at event time */
+       unsigned int last_ev;                   /* last PPS event id */
++      unsigned int last_fetched_ev;           /* last fetched PPS event id */
+       wait_queue_head_t queue;                /* PPS event queue */
+       unsigned int id;                        /* PPS source unique ID */
+-- 
+2.39.5
+
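Review bot: `last_fetched_ev` is added to `struct pps_device`, so as far as the hunks show it is shared by every open file on the same source, and `pps_cdev_poll()` compares it with `last_ev` without taking `pps->lock`. With two readers on one device, a PPS_FETCH by one of them sets `last_fetched_ev = last_ev`, and the other reader's poll() then returns 0 for an event it has not fetched, so one process can keep another from seeing readiness. Tracking the last fetched id per open file rather than per device would avoid that; at minimum the field comment should say so, e.g. `/* last fetched PPS event id, shared by all readers */`. The poll and ioctl bodies continue outside the hunks.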
diff --git a/queue-5.4/reapply-wifi-mac80211-update-skb-s-control-block-key.patch b/queue-5.4/reapply-wifi-mac80211-update-skb-s-control-block-key.patch
new file mode 100644 (file)
index 0000000..1f8af65
--- /dev/null
@@ -0,0 +1,40 @@
+From bffdbd50e218eb1c7e49a35d94f8888d9266b062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 17:45:29 +0200
+Subject: Reapply "wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()"
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 754fe848b3b297fc85ec24cd959bad22b6df8cb8 ]
+
+This reverts commit 0937cb5f345c ("Revert "wifi: mac80211: Update
+skb's control block key in ieee80211_tx_dequeue()"").
+
+This commit broke TX with 802.11 encapsulation HW offloading, now that
+this is fixed, reapply it.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/66b8fc39fb0194fa06c9ca7eeb6ffe0118dcb3ec.1752765971.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 461cff7b94ad..f8d72f3e4def 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3661,6 +3661,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+        * The key can be removed while the packet was queued, so need to call
+        * this here to get the current key.
+        */
++      info->control.hw_key = NULL;
+       r = ieee80211_tx_h_select_key(&tx);
+       if (r != TX_CONTINUE) {
+               ieee80211_free_txskb(&local->hw, skb);
+-- 
+2.39.5
+
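Review bot: The added `info->control.hw_key = NULL;` has no comment of its own, and the existing comment above it only explains why the key is selected again. If the key was removed while the frame was queued, the pointer left in the control block would refer to a key that no longer exists, so the reset is presumably what keeps a stale pointer from being used when key selection assigns nothing new (inferred from the comment; `ieee80211_tx_h_select_key()` is outside the hunk). I would extend the comment with a line such as `Clear hw_key first so a stale pointer is never left in the control block.` The function body starts and ends outside the hunk.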
diff --git a/queue-5.4/revert-vmci-prevent-the-dispatching-of-uninitialized.patch b/queue-5.4/revert-vmci-prevent-the-dispatching-of-uninitialized.patch
new file mode 100644 (file)
index 0000000..c0701d8
--- /dev/null
@@ -0,0 +1,55 @@
+From 6458793b02e9a51fcc4c6109cbd02f1113cc4d23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 10:30:09 +0200
+Subject: Revert "vmci: Prevent the dispatching of uninitialized payloads"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit 8f5d9bed6122b8d96508436e5ad2498bb797eb6b ]
+
+This reverts commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031.
+
+While the code "looks" correct, the compiler has no way to know that
+doing "fun" pointer math like this really isn't a write off the end of
+the structure as there is no hint anywhere that the structure has data
+at the end of it.
+
+This causes the following build warning:
+
+In function 'fortify_memset_chk',
+    inlined from 'ctx_fire_notification.isra' at drivers/misc/vmw_vmci/vmci_context.c:254:3:
+include/linux/fortify-string.h:480:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
+  480 |                         __write_overflow_field(p_size_field, size);
+      |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+So revert it for now and it can come back in the future in a "sane" way
+that either correctly makes the structure know that there is trailing
+data, OR just the payload structure is properly referenced and zeroed
+out.
+
+Fixes: bfb4cf9fb97e ("vmci: Prevent the dispatching of uninitialized payloads")
+Cc: Stephen Rothwell <sfr@canb.auug.org.au>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://lore.kernel.org/r/20250703171021.0aee1482@canb.auug.org.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
+index ccadbc0d8f7d..26ff49fdf0f7 100644
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -251,8 +251,6 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
+               ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID,
+                                                 VMCI_CONTEXT_RESOURCE_ID);
+               ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr);
+-              memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0,
+-                      ev.msg.hdr.payload_size);
+               ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED;
+               ev.payload.context_id = context_id;
+-- 
+2.39.5
+
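Review bot: With the `memset()` removed, nothing in the visible lines zeroes the bytes of `ev` that follow the header before the message is dispatched; only `event_data.event` and `payload.context_id` are assigned, so padding or unassigned payload bytes would carry stack contents (the declaration of `ev` is outside the hunk, so this is inferred). The commit message leaves the re-fix open; zeroing the whole object before the header fields are filled, e.g. `memset(&ev, 0, sizeof(ev));`, stays inside the object and should not trip the fortify field check. The series file in this commit queues both `vmci-prevent-the-dispatching-of-uninitialized-payloa.patch` and this revert, so the net change to 5.4 is none and the original problem stays open there.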
diff --git a/queue-5.4/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch b/queue-5.4/rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch
new file mode 100644 (file)
index 0000000..167b16d
--- /dev/null
@@ -0,0 +1,40 @@
+From aa33d4b68fc9b32d857313694751eaa85d22734f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:21 -0400
+Subject: rtc: ds1307: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit cf6eb547a24af7ad7bbd2abe9c5327f956bbeae8 ]
+
+When ds3231_clk_sqw_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: 6c6ff145b3346 ("rtc: ds1307: add clock provider support for DS3231")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-1-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index 40532a36ae67..b371d1e48942 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -1381,7 +1381,7 @@ static long ds3231_clk_sqw_round_rate(struct clk_hw *hw, unsigned long rate,
+                       return ds3231_clk_sqw_rates[i];
+       }
+-      return 0;
++      return ds3231_clk_sqw_rates[ARRAY_SIZE(ds3231_clk_sqw_rates) - 1];
+ }
+ static int ds3231_clk_sqw_set_rate(struct clk_hw *hw, unsigned long rate,
+-- 
+2.39.5
+
diff --git a/queue-5.4/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch b/queue-5.4/rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch
new file mode 100644 (file)
index 0000000..3dcdfbe
--- /dev/null
@@ -0,0 +1,40 @@
+From 82c906d667f54fdcb720f1fc390e082b438e550b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:22 -0400
+Subject: rtc: hym8563: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit d0a518eb0a692a2ab8357e844970660c5ea37720 ]
+
+When hym8563_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: dcaf038493525 ("rtc: add hym8563 rtc-driver")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-2-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-hym8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-hym8563.c b/drivers/rtc/rtc-hym8563.c
+index fb6d7967ec00..bd625ab70617 100644
+--- a/drivers/rtc/rtc-hym8563.c
++++ b/drivers/rtc/rtc-hym8563.c
+@@ -316,7 +316,7 @@ static long hym8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+               if (clkout_rates[i] <= rate)
+                       return clkout_rates[i];
+-      return 0;
++      return clkout_rates[0];
+ }
+ static int hym8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+-- 
+2.39.5
+
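Review bot: The fall-through `return clkout_rates[0];` is reached only when no visited entry satisfies `clkout_rates[i] <= rate`, that is, when the requested rate is below every entry, not above the highest as the description says. If the loop visits the whole table (its header is outside the hunk), a request above the maximum already returns from inside the loop, and this line instead turns a too-low request such as 0 into `clkout_rates[0]`. A comment stating the intent, e.g. `/* rate is below every supported rate */`, and a check that index 0 is the value wanted for that case would help. The same applies to the pcf8563 patch that follows, and probably to the ds1307 patch before it, whose loop condition is not visible.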
diff --git a/queue-5.4/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch b/queue-5.4/rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch
new file mode 100644 (file)
index 0000000..8f9a11b
--- /dev/null
@@ -0,0 +1,40 @@
+From a94508238ea3fc014caeb1f168e1208d5398c5d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:20:25 -0400
+Subject: rtc: pcf8563: fix incorrect maximum clock rate handling
+
+From: Brian Masney <bmasney@redhat.com>
+
+[ Upstream commit 906726a5efeefe0ef0103ccff5312a09080c04ae ]
+
+When pcf8563_clkout_round_rate() is called with a requested rate higher
+than the highest supported rate, it currently returns 0, which disables
+the clock. According to the clk API, round_rate() should instead return
+the highest supported rate. Update the function to return the maximum
+supported rate in this case.
+
+Fixes: a39a6405d5f94 ("rtc: pcf8563: add CLKOUT to common clock framework")
+Signed-off-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20250710-rtc-clk-round-rate-v1-5-33140bb2278e@redhat.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf8563.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-pcf8563.c b/drivers/rtc/rtc-pcf8563.c
+index 24baa4767b11..9e4fdfe9d86a 100644
+--- a/drivers/rtc/rtc-pcf8563.c
++++ b/drivers/rtc/rtc-pcf8563.c
+@@ -421,7 +421,7 @@ static long pcf8563_clkout_round_rate(struct clk_hw *hw, unsigned long rate,
+               if (clkout_rates[i] <= rate)
+                       return clkout_rates[i];
+-      return 0;
++      return clkout_rates[0];
+ }
+ static int pcf8563_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+-- 
+2.39.5
+
diff --git a/queue-5.4/samples-mei-fix-building-on-musl-libc.patch b/queue-5.4/samples-mei-fix-building-on-musl-libc.patch
new file mode 100644 (file)
index 0000000..fa09133
--- /dev/null
@@ -0,0 +1,75 @@
+From 629f7c392848a4621bf8937f2695059bd6abb6ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 19:29:55 +0530
+Subject: samples: mei: Fix building on musl libc
+
+From: Brahmajit Das <listout@listout.xyz>
+
+[ Upstream commit 239df3e4b4752524e7c0fb3417c218d8063654b4 ]
+
+The header bits/wordsize.h is glibc specific and on building on musl
+with allyesconfig results in
+
+samples/mei/mei-amt-version.c:77:10: fatal error: bits/wordsize.h: No such file or directory
+   77 | #include <bits/wordsize.h>
+      |          ^~~~~~~~~~~~~~~~~
+
+mei-amt-version.c build file without bits/wordsize.h on musl and glibc.
+
+However on musl we get the follwing error without sys/time.h
+
+samples/mei/mei-amt-version.c: In function 'mei_recv_msg':
+samples/mei/mei-amt-version.c:159:24: error: storage size of 'tv' isn't known
+  159 |         struct timeval tv;
+      |                        ^~
+samples/mei/mei-amt-version.c:160:9: error: unknown type name 'fd_set'
+  160 |         fd_set set;
+      |         ^~~~~~
+samples/mei/mei-amt-version.c:168:9: error: implicit declaration of function 'FD_ZERO' [-Wimplicit-function-declaration]
+  168 |         FD_ZERO(&set);
+      |         ^~~~~~~
+samples/mei/mei-amt-version.c:169:9: error: implicit declaration of function 'FD_SET'; did you mean 'L_SET'? [-Wimplicit-function-declaration]
+  169 |         FD_SET(me->fd, &set);
+      |         ^~~~~~
+      |         L_SET
+samples/mei/mei-amt-version.c:170:14: error: implicit declaration of function 'select' [-Wimplicit-function-declaration]
+  170 |         rc = select(me->fd + 1, &set, NULL, NULL, &tv);
+      |              ^~~~~~
+samples/mei/mei-amt-version.c:171:23: error: implicit declaration of function 'FD_ISSET' [-Wimplicit-function-declaration]
+  171 |         if (rc > 0 && FD_ISSET(me->fd, &set)) {
+      |                       ^~~~~~~~
+samples/mei/mei-amt-version.c:159:24: warning: unused variable 'tv' [-Wunused-variable]
+  159 |         struct timeval tv;
+      |                        ^~
+
+Hence the the file has been included.
+
+Fixes: c52827cc4ddf ("staging/mei: add mei user space example")
+Signed-off-by: Brahmajit Das <listout@listout.xyz>
+Link: https://lore.kernel.org/r/20250702135955.24955-1-listout@listout.xyz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/mei/mei-amt-version.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/mei/mei-amt-version.c b/samples/mei/mei-amt-version.c
+index 32234481ad7d..9e8028e45e3b 100644
+--- a/samples/mei/mei-amt-version.c
++++ b/samples/mei/mei-amt-version.c
+@@ -69,11 +69,11 @@
+ #include <string.h>
+ #include <fcntl.h>
+ #include <sys/ioctl.h>
++#include <sys/time.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <stdint.h>
+ #include <stdbool.h>
+-#include <bits/wordsize.h>
+ #include <linux/mei.h>
+ /*****************************************************************************
+-- 
+2.39.5
+
diff --git a/queue-5.4/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch b/queue-5.4/scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch
new file mode 100644 (file)
index 0000000..f3b0c64
--- /dev/null
@@ -0,0 +1,48 @@
+From 820cd4d1076c992b7db4ada0e5d5674fe4303b2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 13:18:02 +0200
+Subject: scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 023a293b9cd0bb86a9b50cd7688a3d9d266826db ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: 88a678bbc34c ("ibmvscsis: Initial commit of IBM VSCSI Tgt Driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250630111803.94389-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ibmvscsi_tgt/libsrp.c b/drivers/scsi/ibmvscsi_tgt/libsrp.c
+index 8a0e28aec928..0ecad398ed3d 100644
+--- a/drivers/scsi/ibmvscsi_tgt/libsrp.c
++++ b/drivers/scsi/ibmvscsi_tgt/libsrp.c
+@@ -184,7 +184,8 @@ static int srp_direct_data(struct ibmvscsis_cmd *cmd, struct srp_direct_buf *md,
+       err = rdma_io(cmd, sg, nsg, md, 1, dir, len);
+       if (dma_map)
+-              dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
++              dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents,
++                           DMA_BIDIRECTIONAL);
+       return err;
+ }
+@@ -256,7 +257,8 @@ static int srp_indirect_data(struct ibmvscsis_cmd *cmd, struct srp_cmd *srp_cmd,
+       err = rdma_io(cmd, sg, nsg, md, nmd, dir, len);
+       if (dma_map)
+-              dma_unmap_sg(iue->target->dev, sg, nsg, DMA_BIDIRECTIONAL);
++              dma_unmap_sg(iue->target->dev, sg, cmd->se_cmd.t_data_nents,
++                           DMA_BIDIRECTIONAL);
+ free_mem:
+       if (token && dma_map) {
+-- 
+2.39.5
+
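Review bot: The unmap count now differs from the `nsg` passed to `rdma_io()` on the line above it, and nothing in the code says why, so a later cleanup could easily change it back. A one-line comment at both call sites in `srp_direct_data()` and `srp_indirect_data()`, such as `/* unmap with the nents given to dma_map_sg(), not its return value */`, would record the rule. The matching `dma_map_sg()` calls are outside the hunks, so it is worth confirming that they pass `cmd->se_cmd.t_data_nents` as well. The isci and mvsas patches later in this commit make the same change and would take the same comment.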
diff --git a/queue-5.4/scsi-isci-fix-dma_unmap_sg-nents-value.patch b/queue-5.4/scsi-isci-fix-dma_unmap_sg-nents-value.patch
new file mode 100644 (file)
index 0000000..c92739b
--- /dev/null
@@ -0,0 +1,37 @@
+From 05785661a3f1ce2ddea79843ca8acb39cd1aa5a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 16:24:47 +0200
+Subject: scsi: isci: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 063bec4444d54e5f35d11949c5c90eaa1ff84c11 ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: ddcc7e347a89 ("isci: fix dma_unmap_sg usage")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250627142451.241713-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/isci/request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c
+index 591aebb40a0f..2deeddad10e1 100644
+--- a/drivers/scsi/isci/request.c
++++ b/drivers/scsi/isci/request.c
+@@ -2914,7 +2914,7 @@ static void isci_request_io_request_complete(struct isci_host *ihost,
+                                        task->total_xfer_len, task->data_dir);
+               else  /* unmap the sgl dma addresses */
+                       dma_unmap_sg(&ihost->pdev->dev, task->scatter,
+-                                   request->num_sg_entries, task->data_dir);
++                                   task->num_scatter, task->data_dir);
+               break;
+       case SAS_PROTOCOL_SMP: {
+               struct scatterlist *sg = &task->smp_task.smp_req;
+-- 
+2.39.5
+
diff --git a/queue-5.4/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch b/queue-5.4/scsi-mvsas-fix-dma_unmap_sg-nents-value.patch
new file mode 100644 (file)
index 0000000..543a70c
--- /dev/null
@@ -0,0 +1,46 @@
+From c82e417429b391c67adec181966297407a8923fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 15:48:18 +0200
+Subject: scsi: mvsas: Fix dma_unmap_sg() nents value
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 0141618727bc929fe868153d21797f10ce5bef3f ]
+
+The dma_unmap_sg() functions should be called with the same nents as the
+dma_map_sg(), not the value the map function returned.
+
+Fixes: b5762948263d ("[SCSI] mvsas: Add Marvell 6440 SAS/SATA driver")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250627134822.234813-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mvsas/mv_sas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
+index 3e0b8ebe257f..68caeaf9e636 100644
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -831,7 +831,7 @@ static int mvs_task_prep(struct sas_task *task, struct mvs_info *mvi, int is_tmf
+       dev_printk(KERN_ERR, mvi->dev, "mvsas prep failed[%d]!\n", rc);
+       if (!sas_protocol_ata(task->task_proto))
+               if (n_elem)
+-                      dma_unmap_sg(mvi->dev, task->scatter, n_elem,
++                      dma_unmap_sg(mvi->dev, task->scatter, task->num_scatter,
+                                    task->data_dir);
+ prep_out:
+       return rc;
+@@ -882,7 +882,7 @@ static void mvs_slot_task_free(struct mvs_info *mvi, struct sas_task *task,
+       if (!sas_protocol_ata(task->task_proto))
+               if (slot->n_elem)
+                       dma_unmap_sg(mvi->dev, task->scatter,
+-                                   slot->n_elem, task->data_dir);
++                                   task->num_scatter, task->data_dir);
+       switch (task->task_proto) {
+       case SAS_PROTOCOL_SMP:
+-- 
+2.39.5
+
diff --git a/queue-5.4/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch b/queue-5.4/selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch
new file mode 100644 (file)
index 0000000..f39f094
--- /dev/null
@@ -0,0 +1,62 @@
+From 7d5192c19a18f7f3c50ba3da2ac3ce8ec6988f9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 11:50:28 +0800
+Subject: selftests: rtnetlink.sh: remove esp4_offload after test
+
+From: Xiumei Mu <xmu@redhat.com>
+
+[ Upstream commit 5b32321fdaf3fd1a92ec726af18765e225b0ee2b ]
+
+The esp4_offload module, loaded during IPsec offload tests, should
+be reset to its default settings after testing.
+Otherwise, leaving it enabled could unintentionally affect subsequence
+test cases by keeping offload active.
+
+Without this fix:
+$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload;
+PASS: ipsec_offload
+esp4_offload           12288  0
+esp4                   32768  1 esp4_offload
+
+With this fix:
+$ lsmod | grep offload; ./rtnetlink.sh -t kci_test_ipsec_offload ; lsmod | grep offload;
+PASS: ipsec_offload
+
+Fixes: 2766a11161cc ("selftests: rtnetlink: add ipsec offload API test")
+Signed-off-by: Xiumei Mu <xmu@redhat.com>
+Reviewed-by: Shannon Nelson <sln@onemain.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/6d3a1d777c4de4eb0ca94ced9e77be8d48c5b12f.1753415428.git.xmu@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rtnetlink.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/testing/selftests/net/rtnetlink.sh b/tools/testing/selftests/net/rtnetlink.sh
+index 3b929e031f59..0c343954a17b 100755
+--- a/tools/testing/selftests/net/rtnetlink.sh
++++ b/tools/testing/selftests/net/rtnetlink.sh
+@@ -744,6 +744,11 @@ kci_test_ipsec_offload()
+       sysfsf=$sysfsd/ipsec
+       sysfsnet=/sys/bus/netdevsim/devices/netdevsim0/net/
+       probed=false
++      esp4_offload_probed_default=false
++
++      if lsmod | grep -q esp4_offload; then
++              esp4_offload_probed_default=true
++      fi
+       # setup netdevsim since dummydev doesn't have offload support
+       if [ ! -w /sys/bus/netdevsim/new_device ] ; then
+@@ -833,6 +838,7 @@ EOF
+       fi
+       # clean up any leftovers
++      ! "$esp4_offload_probed_default" && lsmod | grep -q esp4_offload && rmmod esp4_offload
+       echo 0 > /sys/bus/netdevsim/del_device
+       $probed && rmmod netdevsim
+-- 
+2.39.5
+
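Review bot: Both `lsmod | grep -q esp4_offload` tests match the string anywhere on an lsmod line, including the "Used by" column, so the saved default and the cleanup condition are not tied to the module's own entry. Matching the name column instead, `lsmod | grep -q '^esp4_offload '`, would make the two checks exact and keep them consistent with each other. The body of `kci_test_ipsec_offload()` continues outside both hunks.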
index 978fb011aaf6dfb9b27f90123ffbdafc18b48ea8..d938c7beabf741e31597679540e2babaf8a03c2b 100644 (file)
@@ -68,3 +68,71 @@ usb-chipidea-add-usb-phy-event.patch
 usb-phy-mxs-disconnect-line-when-usb-charger-is-atta.patch
 ethernet-intel-fix-building-with-large-nr_cpus.patch
 asoc-intel-fix-snd_soc_sof-dependencies.patch
 usb-phy-mxs-disconnect-line-when-usb-charger-is-atta.patch
 ethernet-intel-fix-building-with-large-nr_cpus.patch
 asoc-intel-fix-snd_soc_sof-dependencies.patch
+hfsplus-remove-mutex_lock-check-in-hfsplus_free_exte.patch
+asoc-ops-dynamically-allocate-struct-snd_ctl_elem_va.patch
+arm-dts-vfxxx-correctly-use-two-tuples-for-timer-add.patch
+staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch
+vmci-prevent-the-dispatching-of-uninitialized-payloa.patch
+pps-fix-poll-support.patch
+revert-vmci-prevent-the-dispatching-of-uninitialized.patch
+usb-early-xhci-dbc-fix-early_ioremap-leak.patch
+arm-dts-imx6ul-kontron-bl-common-fix-rts-polarity-fo.patch
+cpufreq-init-policy-rwsem-before-it-may-be-possibly-.patch
+samples-mei-fix-building-on-musl-libc.patch
+staging-nvec-fix-incorrect-null-termination-of-batte.patch
+bpf-ktls-fix-data-corruption-when-using-bpf_msg_pop_.patch
+bpftool-fix-memory-leak-in-dump_xx_nlmsg-on-realloc-.patch
+caif-reduce-stack-size-again.patch
+wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch
+wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch
+iwlwifi-add-missing-check-for-alloc_ordered_workqueu.patch
+tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch
+m68k-don-t-unregister-boot-console-needlessly.patch
+drm-amd-pm-powerplay-hwmgr-smu_helper-fix-order-of-m.patch
+netfilter-nf_tables-adjust-lockdep-assertions-handli.patch
+arch-powerpc-defconfig-drop-obsolete-config_net_cls_.patch
+net-sched-restrict-conditions-for-adding-duplicating.patch
+wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch
+mwl8k-add-missing-check-after-dma-map.patch
+reapply-wifi-mac80211-update-skb-s-control-block-key.patch
+wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch
+can-kvaser_pciefd-store-device-channel-index.patch
+can-kvaser_usb-assign-netdev.dev_port-based-on-devic.patch
+netfilter-xt_nfacct-don-t-assume-acct-name-is-null-t.patch
+selftests-rtnetlink.sh-remove-esp4_offload-after-tes.patch
+vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch
+pci-rockchip-host-fix-unexpected-completion-log-mess.patch
+crypto-marvell-cesa-fix-engine-load-inaccuracy.patch
+mtd-fix-possible-integer-overflow-in-erase_xfer.patch
+clk-davinci-add-null-check-in-davinci_lpsc_clk_regis.patch
+power-supply-max14577-handle-null-pdata-when-config_.patch
+pinctrl-sunxi-fix-memory-leak-on-krealloc-failure.patch
+crypto-ccp-fix-crash-when-rebind-ccp-device-for-ccp..patch
+perf-tests-bp_account-fix-leaked-file-descriptor.patch
+clk-sunxi-ng-v3s-fix-de-clock-definition.patch
+scsi-ibmvscsi_tgt-fix-dma_unmap_sg-nents-value.patch
+scsi-mvsas-fix-dma_unmap_sg-nents-value.patch
+scsi-isci-fix-dma_unmap_sg-nents-value.patch
+watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch
+hwrng-mtk-handle-devm_pm_runtime_enable-errors.patch
+crypto-img-hash-fix-dma_unmap_sg-nents-value.patch
+soundwire-stream-restore-params-when-prepare-ports-f.patch
+fs-orangefs-allow-2-more-characters-in-do_c_string.patch
+dmaengine-mv_xor-fix-missing-check-after-dma-map-and.patch
+dmaengine-nbpfaxi-add-missing-check-after-dma-map.patch
+crypto-qat-fix-seq_file-position-update-in-adf_ring_.patch
+fbdev-imxfb-check-fb_add_videomode-to-prevent-null-p.patch
+jfs-fix-metapage-reference-count-leak-in-dballocctl.patch
+mtd-rawnand-atmel-fix-dma_mapping_error-address.patch
+mtd-rawnand-atmel-set-pmecc-data-setup-time.patch
+bpf-check-flow_dissector-ctx-accesses-are-aligned.patch
+module-restore-the-moduleparam-prefix-length-check.patch
+rtc-ds1307-fix-incorrect-maximum-clock-rate-handling.patch
+rtc-hym8563-fix-incorrect-maximum-clock-rate-handlin.patch
+rtc-pcf8563-fix-incorrect-maximum-clock-rate-handlin.patch
+f2fs-fix-to-avoid-uaf-in-f2fs_sync_inode_meta.patch
+f2fs-fix-to-avoid-panic-in-f2fs_evict_inode.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-devs.pat.patch
+usb-chipidea-udc-fix-sleeping-function-called-from-i.patch
+pci-hotplug-pnv-php-improve-error-msg-on-power-state.patch
+pci-hotplug-pnv-php-wrap-warnings-in-macro.patch
diff --git a/queue-5.4/soundwire-stream-restore-params-when-prepare-ports-f.patch b/queue-5.4/soundwire-stream-restore-params-when-prepare-ports-f.patch
new file mode 100644 (file)
index 0000000..f943e0c
--- /dev/null
@@ -0,0 +1,43 @@
+From c9b4b2318c278ac57fb7fc2cfc66410191b4de5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 14:09:52 +0800
+Subject: soundwire: stream: restore params when prepare ports fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit dba7d9dbfdc4389361ff3a910e767d3cfca22587 ]
+
+The bus->params should be restored if the stream is failed to prepare.
+The issue exists since beginning. The Fixes tag just indicates the
+first commit that the commit can be applied to.
+
+Fixes: 17ed5bef49f4 ("soundwire: add missing newlines in dynamic debug logs")
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Link: https://lore.kernel.org/r/20250626060952.405996-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soundwire/stream.c b/drivers/soundwire/stream.c
+index 3b3f909407c3..6e4c7bf9eb0d 100644
+--- a/drivers/soundwire/stream.c
++++ b/drivers/soundwire/stream.c
+@@ -1532,7 +1532,7 @@ static int _sdw_prepare_stream(struct sdw_stream_runtime *stream)
+               if (ret < 0) {
+                       dev_err(bus->dev, "Prepare port(s) failed ret = %d\n",
+                               ret);
+-                      return ret;
++                      goto restore_params;
+               }
+       }
+-- 
+2.39.5
+
diff --git a/queue-5.4/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch b/queue-5.4/staging-fbtft-fix-potential-memory-leak-in-fbtft_fra.patch
new file mode 100644 (file)
index 0000000..de015ad
--- /dev/null
@@ -0,0 +1,39 @@
+From 1d5f5cb552d34c09d43be8fc87e9190821da4c5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 22:54:10 +0530
+Subject: staging: fbtft: fix potential memory leak in
+ fbtft_framebuffer_alloc()
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit eb2cb7dab60f9be0b435ac4a674255429a36d72c ]
+
+In the error paths after fb_info structure is successfully allocated,
+the memory allocated in fb_deferred_io_init() for info->pagerefs is not
+freed. Fix that by adding the cleanup function on the error path.
+
+Fixes: c296d5f9957c ("staging: fbtft: core support")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250626172412.18355-1-abdun.nihaal@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/fbtft/fbtft-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
+index 771697508cec..a524cacd89cd 100644
+--- a/drivers/staging/fbtft/fbtft-core.c
++++ b/drivers/staging/fbtft/fbtft-core.c
+@@ -752,6 +752,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
+       return info;
+ release_framebuf:
++      fb_deferred_io_cleanup(info);
+       framebuffer_release(info);
+ alloc_fail:
+-- 
+2.39.5
+
diff --git a/queue-5.4/staging-nvec-fix-incorrect-null-termination-of-batte.patch b/queue-5.4/staging-nvec-fix-incorrect-null-termination-of-batte.patch
new file mode 100644 (file)
index 0000000..50a96ec
--- /dev/null
@@ -0,0 +1,41 @@
+From 4e6f0ff711b4c31e90948f8ab03c07adf6351039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jul 2025 01:07:42 -0700
+Subject: staging: nvec: Fix incorrect null termination of battery manufacturer
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit a8934352ba01081c51d2df428e9d540aae0e88b5 ]
+
+The battery manufacturer string was incorrectly null terminated using
+bat_model instead of bat_manu. This could result in an unintended
+write to the wrong field and potentially incorrect behavior.
+
+fixe the issue by correctly null terminating the bat_manu string.
+
+Fixes: 32890b983086 ("Staging: initial version of the nvec driver")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250719080755.3954373-1-alok.a.tiwari@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/nvec/nvec_power.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/nvec/nvec_power.c b/drivers/staging/nvec/nvec_power.c
+index 0e861c4bfcbf..590b801c5992 100644
+--- a/drivers/staging/nvec/nvec_power.c
++++ b/drivers/staging/nvec/nvec_power.c
+@@ -194,7 +194,7 @@ static int nvec_power_bat_notifier(struct notifier_block *nb,
+               break;
+       case MANUFACTURER:
+               memcpy(power->bat_manu, &res->plc, res->length - 2);
+-              power->bat_model[res->length - 2] = '\0';
++              power->bat_manu[res->length - 2] = '\0';
+               break;
+       case MODEL:
+               memcpy(power->bat_model, &res->plc, res->length - 2);
+-- 
+2.39.5
+
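Review bot: In the `MANUFACTURER` case of `nvec_power_bat_notifier()`, `res->length - 2` is used both as the `memcpy()` size and as the terminator index without being checked against the size of `power->bat_manu`, and a `res->length` below 2 would wrap the size if the field is unsigned. The patch corrects which array receives the terminator but leaves that length unvalidated; the `MODEL` case on the following context line has the same shape. If `res->length` comes from the embedded controller's response, as it appears to, a guard such as `if (res->length < 2 || res->length - 2 >= sizeof(power->bat_manu)) break;` before the copy would bound both writes. The field declarations are outside the hunk, so the array size and the type of `res->length` need confirming.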
diff --git a/queue-5.4/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch b/queue-5.4/tcp-fix-tcp_ofo_queue-to-avoid-including-too-much-du.patch
new file mode 100644 (file)
index 0000000..5a5623d
--- /dev/null
@@ -0,0 +1,56 @@
+From daad7a646c9e3e744234f0d4918ffd19497571b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 12:34:19 +0000
+Subject: tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range
+
+From: xin.guo <guoxin0309@gmail.com>
+
+[ Upstream commit a041f70e573e185d5d5fdbba53f0db2fbe7257ad ]
+
+If the new coming segment covers more than one skbs in the ofo queue,
+and which seq is equal to rcv_nxt, then the sequence range
+that is duplicated will be sent as DUP SACK, the detail as below,
+in step6, the {501,2001} range is clearly including too much
+DUP SACK range, in violation of RFC 2883 rules.
+
+1. client > server: Flags [.], seq 501:1001, ack 1325288529, win 20000, length 500
+2. server > client: Flags [.], ack 1, [nop,nop,sack 1 {501:1001}], length 0
+3. client > server: Flags [.], seq 1501:2001, ack 1325288529, win 20000, length 500
+4. server > client: Flags [.], ack 1, [nop,nop,sack 2 {1501:2001} {501:1001}], length 0
+5. client > server: Flags [.], seq 1:2001, ack 1325288529, win 20000, length 2000
+6. server > client: Flags [.], ack 2001, [nop,nop,sack 1 {501:2001}], length 0
+
+After this fix, the final ACK is as below:
+
+6. server > client: Flags [.], ack 2001, options [nop,nop,sack 1 {501:1001}], length 0
+
+[edumazet] added a new packetdrill test in the following patch.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: xin.guo <guoxin0309@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250626123420.1933835-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 6b3bb8a59035..9d65e684e626 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4588,8 +4588,9 @@ static void tcp_ofo_queue(struct sock *sk)
+               if (before(TCP_SKB_CB(skb)->seq, dsack_high)) {
+                       __u32 dsack = dsack_high;
++
+                       if (before(TCP_SKB_CB(skb)->end_seq, dsack_high))
+-                              dsack_high = TCP_SKB_CB(skb)->end_seq;
++                              dsack = TCP_SKB_CB(skb)->end_seq;
+                       tcp_dsack_extend(sk, TCP_SKB_CB(skb)->seq, dsack);
+               }
+               p = rb_next(p);
+-- 
+2.39.5
+
diff --git a/queue-5.4/usb-chipidea-udc-fix-sleeping-function-called-from-i.patch b/queue-5.4/usb-chipidea-udc-fix-sleeping-function-called-from-i.patch
new file mode 100644 (file)
index 0000000..3b8c630
--- /dev/null
@@ -0,0 +1,91 @@
+From ba83e63661fac8ae2771cc13e19ddf175a49eb8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Mar 2020 11:10:34 +0800
+Subject: usb: chipidea: udc: fix sleeping function called from invalid context
+
+From: Peter Chen <peter.chen@nxp.com>
+
+[ Upstream commit 7368760d1bcdabf515c41a502568b489de3da683 ]
+
+The code calls pm_runtime_get_sync with irq disabled, it causes below
+warning:
+
+BUG: sleeping function called from invalid context at
+wer/runtime.c:1075
+in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid:
+er/u8:1
+CPU: 1 PID: 37 Comm: kworker/u8:1 Not tainted
+20200304-00181-gbebfd2a5be98 #1588
+Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
+Workqueue: ci_otg ci_otg_work
+[<c010e8bd>] (unwind_backtrace) from [<c010a315>]
+1/0x14)
+[<c010a315>] (show_stack) from [<c0987d29>]
+5/0x94)
+[<c0987d29>] (dump_stack) from [<c013e77f>]
++0xeb/0x118)
+[<c013e77f>] (___might_sleep) from [<c052fa1d>]
+esume+0x75/0x78)
+[<c052fa1d>] (__pm_runtime_resume) from [<c0627a33>]
+0x23/0x74)
+[<c0627a33>] (ci_udc_pullup) from [<c062fb93>]
+nect+0x2b/0xcc)
+[<c062fb93>] (usb_gadget_connect) from [<c062769d>]
+_connect+0x59/0x104)
+[<c062769d>] (ci_hdrc_gadget_connect) from [<c062778b>]
+ssion+0x43/0x48)
+[<c062778b>] (ci_udc_vbus_session) from [<c062f997>]
+s_connect+0x17/0x9c)
+[<c062f997>] (usb_gadget_vbus_connect) from [<c062634d>]
+bd/0x128)
+[<c062634d>] (ci_otg_work) from [<c0134719>]
+rk+0x149/0x404)
+[<c0134719>] (process_one_work) from [<c0134acb>]
+0xf7/0x3bc)
+[<c0134acb>] (worker_thread) from [<c0139433>]
+x118)
+[<c0139433>] (kthread) from [<c01010bd>]
+(ret_from_fork+0x11/0x34)
+
+Tested-by: Dmitry Osipenko <digetx@gmail.com>
+Cc: <stable@vger.kernel.org> #v5.5
+Fixes: 72dc8df7920f ("usb: chipidea: udc: protect usb interrupt enable")
+Reported-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Link: https://lore.kernel.org/r/20200316031034.17847-2-peter.chen@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/chipidea/udc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
+index 19a9a4b83346..d483a957804b 100644
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1539,18 +1539,19 @@ static const struct usb_ep_ops usb_ep_ops = {
+ static void ci_hdrc_gadget_connect(struct usb_gadget *_gadget, int is_active)
+ {
+       struct ci_hdrc *ci = container_of(_gadget, struct ci_hdrc, gadget);
+-      unsigned long flags;
+       if (is_active) {
+               pm_runtime_get_sync(&_gadget->dev);
+               hw_device_reset(ci);
+-              spin_lock_irqsave(&ci->lock, flags);
++              spin_lock_irq(&ci->lock);
+               if (ci->driver) {
+                       hw_device_state(ci, ci->ep0out->qh.dma);
+                       usb_gadget_set_state(_gadget, USB_STATE_POWERED);
++                      spin_unlock_irq(&ci->lock);
+                       usb_udc_vbus_handler(_gadget, true);
++              } else {
++                      spin_unlock_irq(&ci->lock);
+               }
+-              spin_unlock_irqrestore(&ci->lock, flags);
+       } else {
+               usb_udc_vbus_handler(_gadget, false);
+               if (ci->driver)
+-- 
+2.39.5
+
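Review bot: In `ci_hdrc_gadget_connect()`, `ci->driver` is tested under `ci->lock`, but `usb_udc_vbus_handler(_gadget, true)` now runs after `spin_unlock_irq()`, so the check no longer covers the call it guards. Whether the driver can be unbound in that window depends on serialisation that is not visible in this hunk; a comment at the unlock, e.g. `/* drop the lock first: the vbus handler path can reach pm_runtime_get_sync() */`, would at least record why the call moved. Switching from `spin_lock_irqsave()` to `spin_lock_irq()` also re-enables interrupts unconditionally on unlock, which is only safe if every caller enters with interrupts enabled; the `pm_runtime_get_sync()` call above already assumes a sleepable context, so that looks consistent but deserves a note. The `else` branch continues past the end of the hunk.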
diff --git a/queue-5.4/usb-early-xhci-dbc-fix-early_ioremap-leak.patch b/queue-5.4/usb-early-xhci-dbc-fix-early_ioremap-leak.patch
new file mode 100644 (file)
index 0000000..c7bf367
--- /dev/null
@@ -0,0 +1,56 @@
+From 3f7efd6ea88425feadba20d4cabe293360530617 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 14:47:47 -0700
+Subject: usb: early: xhci-dbc: Fix early_ioremap leak
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit 2b7eec2ec3015f52fc74cf45d0408925e984ecd1 ]
+
+Using the kernel param earlyprintk=xdbc,keep without proper hardware
+setup leads to this:
+
+       [ ] xhci_dbc:early_xdbc_parse_parameter: dbgp_num: 0
+       ...
+       [ ] xhci_dbc:early_xdbc_setup_hardware: failed to setup the connection to host
+       ...
+       [ ] calling  kmemleak_late_init+0x0/0xa0 @ 1
+       [ ] kmemleak: Kernel memory leak detector initialized (mem pool available: 14919)
+       [ ] kmemleak: Automatic memory scanning thread started
+       [ ] initcall kmemleak_late_init+0x0/0xa0 returned 0 after 417 usecs
+       [ ] calling  check_early_ioremap_leak+0x0/0x70 @ 1
+       [ ] ------------[ cut here ]------------
+       [ ] Debug warning: early ioremap leak of 1 areas detected.
+           please boot with early_ioremap_debug and report the dmesg.
+       [ ] WARNING: CPU: 11 PID: 1 at mm/early_ioremap.c:90 check_early_ioremap_leak+0x4e/0x70
+
+When early_xdbc_setup_hardware() fails, make sure to call
+early_iounmap() since xdbc_init() won't handle it.
+
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability")
+Link: https://lore.kernel.org/r/20250627-xdbc-v1-1-43cc8c317b1b@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/early/xhci-dbc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c
+index 5a462a1d1896..7673ded077a4 100644
+--- a/drivers/usb/early/xhci-dbc.c
++++ b/drivers/usb/early/xhci-dbc.c
+@@ -678,6 +678,10 @@ int __init early_xdbc_setup_hardware(void)
+               xdbc.table_base = NULL;
+               xdbc.out_buf = NULL;
++
++              early_iounmap(xdbc.xhci_base, xdbc.xhci_length);
++              xdbc.xhci_base = NULL;
++              xdbc.xhci_length = 0;
+       }
+       return ret;
+-- 
+2.39.5
+
diff --git a/queue-5.4/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch b/queue-5.4/vmci-prevent-the-dispatching-of-uninitialized-payloa.patch
new file mode 100644 (file)
index 0000000..21d92d3
--- /dev/null
@@ -0,0 +1,49 @@
+From d6fb52a46fce589f1ac54e7502f874f31d487fbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:52:14 +0800
+Subject: vmci: Prevent the dispatching of uninitialized payloads
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit bfb4cf9fb97e4063f0aa62e9e398025fb6625031 ]
+
+The reproducer executes the host's unlocked_ioctl call in two different
+tasks. When init_context fails, the struct vmci_event_ctx is not fully
+initialized when executing vmci_datagram_dispatch() to send events to all
+vm contexts. This affects the datagram taken from the datagram queue of
+its context by another task, because the datagram payload is not initialized
+according to the size payload_size, which causes the kernel data to leak
+to the user space.
+
+Before dispatching the datagram, and before setting the payload content,
+explicitly set the payload content to 0 to avoid data leakage caused by
+incomplete payload initialization.
+
+Fixes: 28d6692cd8fb ("VMCI: context implementation.")
+Reported-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9b9124ae9b12d5af5d95
+Tested-by: syzbot+9b9124ae9b12d5af5d95@syzkaller.appspotmail.com
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Link: https://lore.kernel.org/r/20250627055214.2967129-1-lizhi.xu@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c
+index 26ff49fdf0f7..ccadbc0d8f7d 100644
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -251,6 +251,8 @@ static int ctx_fire_notification(u32 context_id, u32 priv_flags)
+               ev.msg.hdr.src = vmci_make_handle(VMCI_HYPERVISOR_CONTEXT_ID,
+                                                 VMCI_CONTEXT_RESOURCE_ID);
+               ev.msg.hdr.payload_size = sizeof(ev) - sizeof(ev.msg.hdr);
++              memset((char*)&ev.msg.hdr + sizeof(ev.msg.hdr), 0,
++                      ev.msg.hdr.payload_size);
+               ev.msg.event_data.event = VMCI_EVENT_CTX_REMOVED;
+               ev.payload.context_id = context_id;
+-- 
+2.39.5
+
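Review bot: The added `memset()` in `ctx_fire_notification()` clears only the bytes after `ev.msg.hdr` and computes its start as `(char*)&ev.msg.hdr + sizeof(ev.msg.hdr)`, which stays inside `ev` only while `hdr` sits at offset 0 and which must remain ahead of the `event_data.event` and `payload.context_id` assignments. Zeroing the whole object before any header field is assigned, `memset(&ev, 0, sizeof(ev));`, would cover the payload and any padding regardless of layout and reads more plainly. If the partial clear is kept, a comment such as `/* zero the payload incl. padding: the datagram is later copied to user space */` would record why it is there, and kernel style writes the cast as `(char *)`. The declaration of `ev` and the earlier header assignments are outside the hunk.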
diff --git a/queue-5.4/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch b/queue-5.4/vrf-drop-existing-dst-reference-in-vrf_ip6_input_dst.patch
new file mode 100644 (file)
index 0000000..def0ebe
--- /dev/null
@@ -0,0 +1,65 @@
+From c1254302f121ac2135f064d975258786f75285c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 09:00:43 -0700
+Subject: vrf: Drop existing dst reference in vrf_ip6_input_dst
+
+From: Stanislav Fomichev <sdf@fomichev.me>
+
+[ Upstream commit f388f807eca1de9e6e70f9ffb1a573c3811c4215 ]
+
+Commit ff3fbcdd4724 ("selftests: tc: Add generic erspan_opts matching support
+for tc-flower") started triggering the following kmemleak warning:
+
+unreferenced object 0xffff888015fb0e00 (size 512):
+  comm "softirq", pid 0, jiffies 4294679065
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 40 d2 85 9e ff ff ff ff  ........@.......
+    41 69 59 9d ff ff ff ff 00 00 00 00 00 00 00 00  AiY.............
+  backtrace (crc 30b71e8b):
+    __kmalloc_noprof+0x359/0x460
+    metadata_dst_alloc+0x28/0x490
+    erspan_rcv+0x4f1/0x1160 [ip_gre]
+    gre_rcv+0x217/0x240 [ip_gre]
+    gre_rcv+0x1b8/0x400 [gre]
+    ip_protocol_deliver_rcu+0x31d/0x3a0
+    ip_local_deliver_finish+0x37d/0x620
+    ip_local_deliver+0x174/0x460
+    ip_rcv+0x52b/0x6b0
+    __netif_receive_skb_one_core+0x149/0x1a0
+    process_backlog+0x3c8/0x1390
+    __napi_poll.constprop.0+0xa1/0x390
+    net_rx_action+0x59b/0xe00
+    handle_softirqs+0x22b/0x630
+    do_softirq+0xb1/0xf0
+    __local_bh_enable_ip+0x115/0x150
+
+vrf_ip6_input_dst unconditionally sets skb dst entry, add a call to
+skb_dst_drop to drop any existing entry.
+
+Cc: David Ahern <dsahern@kernel.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Fixes: 9ff74384600a ("net: vrf: Handle ipv6 multicast and link-local addresses")
+Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://patch.msgid.link/20250725160043.350725-1-sdf@fomichev.me
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vrf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index b51a2367dbaa..8a320300a617 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -1040,6 +1040,8 @@ static void vrf_ip6_input_dst(struct sk_buff *skb, struct net_device *vrf_dev,
+       struct net *net = dev_net(vrf_dev);
+       struct rt6_info *rt6;
++      skb_dst_drop(skb);
++
+       rt6 = vrf_ip6_route_lookup(net, vrf_dev, &fl6, ifindex, skb,
+                                  RT6_LOOKUP_F_HAS_SADDR | RT6_LOOKUP_F_IFACE);
+       if (unlikely(!rt6))
+-- 
+2.39.5
+
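Review bot: `skb_dst_drop(skb)` is placed before `vrf_ip6_route_lookup()` in `vrf_ip6_input_dst()`, so when the lookup fails at `if (unlikely(!rt6))` (presumably an early return) the skb has already lost its previous dst and receives no replacement. If the intent is only to avoid leaking the old entry when a new one is installed, dropping it immediately before the dst is set would leave the failure paths unchanged. The remainder of the function, including where the dst is set, is outside the hunk, so whether callers tolerate a dst-less skb on those paths needs checking.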
diff --git a/queue-5.4/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch b/queue-5.4/watchdog-ziirave_wdt-check-record-length-in-ziirave_.patch
new file mode 100644 (file)
index 0000000..8f3f977
--- /dev/null
@@ -0,0 +1,42 @@
+From 06e81214584b6a1b587a504fdf97ce1e2122f4c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 23:22:19 +0300
+Subject: watchdog: ziirave_wdt: check record length in ziirave_firm_verify()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 ]
+
+The "rec->len" value comes from the firmware.  We generally do
+trust firmware, but it's always better to double check.  If
+the length value is too large it would lead to memory corruption
+when we set "data[i] = ret;"
+
+Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/ziirave_wdt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c
+index 4a363a8b2d20..84c98c4c510c 100644
+--- a/drivers/watchdog/ziirave_wdt.c
++++ b/drivers/watchdog/ziirave_wdt.c
+@@ -306,6 +306,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
+               const u16 len = be16_to_cpu(rec->len);
+               const u32 addr = be32_to_cpu(rec->addr);
++              if (len > sizeof(data))
++                      return -EINVAL;
++
+               if (ziirave_firm_addr_readonly(addr))
+                       continue;
+-- 
+2.39.5
+
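Review bot: The new length check in `ziirave_firm_verify()` returns `-EINVAL` silently, so a rejected firmware image gives no indication of why verification stopped. Since `rec->len` is read from the firmware record, a short comment such as `/* rec->len comes from the image; data[] is fixed-size */` together with an error message that prints the offending length would make the rejection diagnosable. `sizeof(data)` is a valid bound only if `data` is an array in this scope rather than a pointer; its declaration is outside the hunk and should be confirmed.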
diff --git a/queue-5.4/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch b/queue-5.4/wifi-brcmfmac-fix-p2p-discovery-failure-in-p2p-peer-.patch
new file mode 100644 (file)
index 0000000..545023e
--- /dev/null
@@ -0,0 +1,65 @@
+From 575ad202714db496acf657f4aaa01fc7da70d1a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 10:37:02 +0530
+Subject: wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing
+ P2P IE
+
+From: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+
+[ Upstream commit 579bf8037b70b644a674c126a32bbb2212cf5c21 ]
+
+After commit bd99a3013bdc ("brcmfmac: move configuration of probe request
+IEs"), the probe request MGMT IE addition operation brcmf_vif_set_mgmt_ie()
+got moved from the brcmf_p2p_scan_prep() to the brcmf_cfg80211_scan().
+
+Because of this, as part of the scan request handler for the P2P Discovery,
+vif struct used for adding the Probe Request P2P IE in firmware got changed
+from the P2PAPI_BSSCFG_DEVICE vif to P2PAPI_BSSCFG_PRIMARY vif incorrectly.
+So the firmware stopped adding P2P IE to the outgoing P2P Discovery probe
+requests frames and the other P2P peers were unable to discover this device
+causing a regression on the P2P feature.
+
+To fix this, while setting the P2P IE in firmware, properly use the vif of
+the P2P discovery wdev on which the driver received the P2P scan request.
+This is done by not changing the vif pointer, until brcmf_vif_set_mgmt_ie()
+is completed.
+
+Fixes: bd99a3013bdc ("brcmfmac: move configuration of probe request IEs")
+Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20250626050706.7271-1-gokulkumar.sivakumar@infineon.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c   | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 668c8897c109..f9508d71fc6c 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -1118,10 +1118,6 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request)
+               return -EAGAIN;
+       }
+-      /* If scan req comes for p2p0, send it over primary I/F */
+-      if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
+-              vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
+-
+       brcmf_dbg(SCAN, "START ESCAN\n");
+       cfg->scan_request = request;
+@@ -1137,6 +1133,10 @@ brcmf_cfg80211_scan(struct wiphy *wiphy, struct cfg80211_scan_request *request)
+       if (err)
+               goto scan_out;
++      /* If scan req comes for p2p0, send it over primary I/F */
++      if (vif == cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif)
++              vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_PRIMARY].vif;
++
+       err = brcmf_do_escan(vif->ifp, request);
+       if (err)
+               goto scan_out;
+-- 
+2.39.5
+
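Review bot: The relocated comment in `brcmf_cfg80211_scan()` still reads `/* If scan req comes for p2p0, send it over primary I/F */` and does not say that the vif swap must stay below the call whose `err` is checked just above it. According to the commit message that call is `brcmf_vif_set_mgmt_ie()` and it has to see the P2P device vif; extending the comment to something like `/* ... only after the probe-request IEs were set on the original vif */` would record the ordering constraint this patch restores. The call itself lies between the two hunks and is not visible here.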
diff --git a/queue-5.4/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch b/queue-5.4/wifi-iwlwifi-fix-memory-leak-in-iwl_mvm_init.patch
new file mode 100644 (file)
index 0000000..b4ab06a
--- /dev/null
@@ -0,0 +1,40 @@
+From 4beaa9989b85f0e1aad4eff89a62b0231a4bdd0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 11:52:13 +0800
+Subject: wifi: iwlwifi: Fix memory leak in iwl_mvm_init()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit ed2e916c890944633d6826dce267579334f63ea5 ]
+
+When iwl_opmode_register() fails, it does not unregster rate control,
+which will cause a memory leak issue, this patch fixes it.
+
+Fixes: 9f66a397c877 ("iwlwifi: mvm: rs: add ops for the new rate scaling in the FW")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Link: https://patch.msgid.link/20221109035213.570-1-xiujianfeng@huawei.com
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 18c5975d7c03..70ba91d2bedf 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -123,8 +123,10 @@ static int __init iwl_mvm_init(void)
+       }
+       ret = iwl_opmode_register("iwlmvm", &iwl_mvm_ops);
+-      if (ret)
++      if (ret) {
+               pr_err("Unable to register MVM op_mode: %d\n", ret);
++              iwl_mvm_rate_control_unregister();
++      }
+       return ret;
+ }
+-- 
+2.39.5
+
diff --git a/queue-5.4/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch b/queue-5.4/wifi-rtl818x-kill-urbs-before-clearing-tx-status-que.patch
new file mode 100644 (file)
index 0000000..8d2b975
--- /dev/null
@@ -0,0 +1,68 @@
+From 3c3dcc05e3db35362036e32b3d5c5ff83020101d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 16:56:34 +0300
+Subject: wifi: rtl818x: Kill URBs before clearing tx status queue
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+[ Upstream commit 16d8fd74dbfca0ea58645cd2fca13be10cae3cdd ]
+
+In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing
+b_tx_status.queue. This change prevents callbacks from using already freed
+skb due to anchor was not killed before freeing such skb.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000080
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
+ RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211]
+ Call Trace:
+  <IRQ>
+  rtl8187_tx_cb+0x116/0x150 [rtl8187]
+  __usb_hcd_giveback_urb+0x9d/0x120
+  usb_giveback_urb_bh+0xbb/0x140
+  process_one_work+0x19b/0x3c0
+  bh_worker+0x1a7/0x210
+  tasklet_action+0x10/0x30
+  handle_softirqs+0xf0/0x340
+  __irq_exit_rcu+0xcd/0xf0
+  common_interrupt+0x85/0xa0
+  </IRQ>
+
+Tested on RTL8187BvE device.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: c1db52b9d27e ("rtl8187: Use usb anchor facilities to manage urbs")
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250617135634.21760-1-d.dulov@aladdin.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+index eb68b2d3caa1..c9df185dc3f4 100644
+--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+@@ -1041,10 +1041,11 @@ static void rtl8187_stop(struct ieee80211_hw *dev)
+       rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF);
+       rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL);
++      usb_kill_anchored_urbs(&priv->anchored);
++
+       while ((skb = skb_dequeue(&priv->b_tx_status.queue)))
+               dev_kfree_skb_any(skb);
+-      usb_kill_anchored_urbs(&priv->anchored);
+       mutex_unlock(&priv->conf_mutex);
+       if (!priv->is_rtl8187b)
+-- 
+2.39.5
+
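Review bot: The new ordering in `rtl8187_stop()` is load-bearing but nothing in the code says so: `usb_kill_anchored_urbs()` has to finish before the `skb_dequeue()` loop frees the entries on `b_tx_status.queue`, otherwise a completion callback can touch a freed skb, as the oops in the commit message shows. A comment above the call, e.g. `/* kill URBs first: completion callbacks may still reference skbs on b_tx_status.queue */`, would keep a later cleanup from swapping the two back. The function continues past the end of the hunk.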
diff --git a/queue-5.4/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch b/queue-5.4/wifi-rtl8xxxu-fix-rx-skb-size-for-aggregation-disabl.patch
new file mode 100644 (file)
index 0000000..42a1e2e
--- /dev/null
@@ -0,0 +1,45 @@
+From fef6b4dc9a3299deff9a46f1c27df4d26599b8da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 14:15:22 +0200
+Subject: wifi: rtl8xxxu: Fix RX skb size for aggregation disabled
+
+From: Martin Kaistra <martin.kaistra@linutronix.de>
+
+[ Upstream commit d76a1abcf57734d2bcd4a7ec051617edd4513d7f ]
+
+Commit 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for
+phystats") increased the skb size when aggregation is enabled but decreased
+it for the aggregation disabled case.
+
+As a result, if a frame near the maximum size is received,
+rtl8xxxu_rx_complete() is called with status -EOVERFLOW and then the
+driver starts to malfunction and no further communication is possible.
+
+Restore the skb size in the aggregation disabled case.
+
+Fixes: 1e5b3b3fe9e0 ("rtl8xxxu: Adjust RX skb size to include space for phystats")
+Signed-off-by: Martin Kaistra <martin.kaistra@linutronix.de>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250709121522.1992366-1-martin.kaistra@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 5611f00ef0bd..81d1c544313f 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5387,7 +5387,7 @@ static int rtl8xxxu_submit_rx_urb(struct rtl8xxxu_priv *priv,
+               skb_size = fops->rx_agg_buf_size;
+               skb_size += (rx_desc_sz + sizeof(struct rtl8723au_phy_stats));
+       } else {
+-              skb_size = IEEE80211_MAX_FRAME_LEN;
++              skb_size = IEEE80211_MAX_FRAME_LEN + rx_desc_sz;
+       }
+       skb = __netdev_alloc_skb(NULL, skb_size, GFP_KERNEL);
+-- 
+2.39.5
+