42 files changed, 3588 insertions, 0 deletions
diff --git a/queue-5.4/alsa-hda-ignore-unsol-events-for-cards-being-shut-do.patch b/queue-5.4/alsa-hda-ignore-unsol-events-for-cards-being-shut-do.patch new file mode 100644 index 0000000000..f901100f3e --- /dev/null +++ b/queue-5.4/alsa-hda-ignore-unsol-events-for-cards-being-shut-do.patch 
@@ -0,0 +1,48 @@ +From 216423a766c7cd7ba9a26632fb42e170470aadd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 30 May 2025 16:13:09 +0200 +Subject: ALSA: hda: Ignore unsol events for cards being shut down +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski <cezary.rojewski@intel.com> + +[ Upstream commit 3f100f524e75586537e337b34d18c8d604b398e7 ] + +For the classic snd_hda_intel driver, codec->card and bus->card point to +the exact same thing. When snd_card_diconnect() fires, bus->shutdown is +set thanks to azx_dev_disconnect(). card->shutdown is already set when +that happens but both provide basically the same functionality. + +For the DSP snd_soc_avs driver where multiple codecs are located on +multiple cards, bus->shutdown 'shortcut' is not sufficient. One codec +card may be unregistered while other codecs are still operational. +Proper check in form of card->shutdown must be used to verify whether +the codec's card is being shut down. + +Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com> +Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com> +Link: https://patch.msgid.link/20250530141309.2943404-1-cezary.rojewski@intel.com +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + sound/pci/hda/hda_bind.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c +index 17a25e453f60c..047fe6cca7f1a 100644 +--- a/sound/pci/hda/hda_bind.c ++++ b/sound/pci/hda/hda_bind.c +@@ -44,7 +44,7 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev) + struct hda_codec *codec = container_of(dev, struct hda_codec, core); + + /* ignore unsol events during shutdown */ +- if (codec->bus->shutdown) ++ if (codec->card->shutdown || codec->bus->shutdown) + return; + + /* ignore unsol events during system suspend/resume */ +-- +2.39.5 + 
diff --git a/queue-5.4/asoc-codec-wcd9335-convert-to-gpio-descriptors.patch b/queue-5.4/asoc-codec-wcd9335-convert-to-gpio-descriptors.patch new file mode 100644 index 0000000000..111fc04219 --- /dev/null +++ b/queue-5.4/asoc-codec-wcd9335-convert-to-gpio-descriptors.patch 
@@ -0,0 +1,85 @@ +From 0e5651eed4a47f98c947e2ea862884c4c8e19f89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 24 Mar 2025 19:51:29 +0800 +Subject: ASoC: codec: wcd9335: Convert to GPIO descriptors + +From: Peng Fan <peng.fan@nxp.com> + +[ Upstream commit d5099bc1b56417733f4cccf10c61ee74dadd5562 ] + +of_gpio.h is deprecated, update the driver to use GPIO descriptors. +- Use dev_gpiod_get to get GPIO descriptor. +- Use gpiod_set_value to configure output value. + +With legacy of_gpio API, the driver set gpio value 0 to assert reset, +and 1 to deassert reset. And the reset-gpios use GPIO_ACTIVE_LOW flag in +DTS, so set GPIOD_OUT_LOW when get GPIO descriptors, and set value 1 means +output low, set value 0 means output high with gpiod API. + +The in-tree DTS files have the right polarity set up already so we can +expect this to "just work" + +Reviewed-by: Linus Walleij <linus.walleij@linaro.org> +Signed-off-by: Peng Fan <peng.fan@nxp.com> +Link: https://patch.msgid.link/20250324-wcd-gpiod-v2-3-773f67ce3b56@nxp.com +Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> +Signed-off-by: Mark Brown <broonie@kernel.org> +Stable-dep-of: 9079db287fc3 ("ASoC: codecs: wcd9335: Fix missing free of regulator supplies") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + sound/soc/codecs/wcd9335.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c +index 61e3da5ec1ae3..98a4c613e400f 100644 +--- a/sound/soc/codecs/wcd9335.c ++++ b/sound/soc/codecs/wcd9335.c +@@ -16,7 +16,7 @@ + #include <sound/soc.h> + #include <sound/pcm_params.h> + #include <sound/soc-dapm.h> +-#include <linux/of_gpio.h> ++#include <linux/gpio/consumer.h> + #include <linux/of.h> + #include <linux/of_irq.h> + #include <sound/tlv.h> +@@ -338,7 +338,7 @@ struct wcd9335_codec { + int comp_enabled[COMPANDER_MAX]; + + int intr1; +- int reset_gpio; ++ struct gpio_desc *reset_gpio; + 
struct regulator_bulk_data supplies[WCD9335_MAX_SUPPLY]; + + unsigned int rx_port_value; +@@ -5024,12 +5024,11 @@ static const struct regmap_irq_chip wcd9335_regmap_irq1_chip = { + static int wcd9335_parse_dt(struct wcd9335_codec *wcd) + { + struct device *dev = wcd->dev; +- struct device_node *np = dev->of_node; + int ret; + +- wcd->reset_gpio = of_get_named_gpio(np, "reset-gpios", 0); +- if (wcd->reset_gpio < 0) +- return dev_err_probe(dev, wcd->reset_gpio, "Reset GPIO missing from DT\n"); ++ wcd->reset_gpio = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW); ++ if (IS_ERR(wcd->reset_gpio)) ++ return dev_err_probe(dev, PTR_ERR(wcd->reset_gpio), "Reset GPIO missing from DT\n"); + + wcd->mclk = devm_clk_get(dev, "mclk"); + if (IS_ERR(wcd->mclk)) +@@ -5072,9 +5071,9 @@ static int wcd9335_power_on_reset(struct wcd9335_codec *wcd) + */ + usleep_range(600, 650); + +- gpio_direction_output(wcd->reset_gpio, 0); ++ gpiod_set_value(wcd->reset_gpio, 1); + msleep(20); +- gpio_set_value(wcd->reset_gpio, 1); ++ gpiod_set_value(wcd->reset_gpio, 0); + msleep(20); + + return 0; +-- +2.39.5 + diff --git a/queue-5.4/asoc-codecs-wcd9335-fix-missing-free-of-regulator-su.patch b/queue-5.4/asoc-codecs-wcd9335-fix-missing-free-of-regulator-su.patch new file mode 100644 index 0000000000..64fbd3af3f --- /dev/null +++ b/queue-5.4/asoc-codecs-wcd9335-fix-missing-free-of-regulator-su.patch 
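Review bot: The two `gpiod_set_value()` calls in wcd9335_power_on_reset() sit between `usleep_range()` and `msleep()`, so the function already runs in sleepable context and would be safer as `gpiod_set_value_cansleep(wcd->reset_gpio, 1);` and `gpiod_set_value_cansleep(wcd->reset_gpio, 0);`, which do not warn when the reset line sits behind a sleeping GPIO controller. The conversion also moves polarity into the device tree: with `GPIOD_OUT_LOW` and logical values 1 then 0, a board whose `reset-gpios` lacks the active-low flag would end with the codec held in reset, where the old code drove the raw level. The commit message only vouches for in-tree DTS files, so for a stable backport a comment above the sequence, `/* logical 1 = reset asserted; relies on GPIO_ACTIVE_LOW in DT */`, would help anyone carrying an out-of-tree board. Both function bodies continue outside the hunks shown.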
@@ -0,0 +1,88 @@ +From abfba995c67afea3452f2bacabb983d5452048c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 26 May 2025 11:47:01 +0200 +Subject: ASoC: codecs: wcd9335: Fix missing free of regulator supplies + +From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> + +[ Upstream commit 9079db287fc3e38e040b0edeb0a25770bb679c8e ] + +Driver gets and enables all regulator supplies in probe path +(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup +in final error paths and in unbind (missing remove() callback). This +leads to leaked memory and unbalanced regulator enable count during +probe errors or unbind. + +Fix this by converting entire code into devm_regulator_bulk_get_enable() +which also greatly simplifies the code. + +Fixes: 20aedafdf492 ("ASoC: wcd9335: add support to wcd9335 codec") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> +Link: https://patch.msgid.link/20250526-b4-b4-asoc-wcd9395-vdd-px-fixes-v1-1-0b8a2993b7d3@linaro.org +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + sound/soc/codecs/wcd9335.c | 25 +++++++------------------ + 1 file changed, 7 insertions(+), 18 deletions(-) + +diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c +index 98a4c613e400f..5e4373987e2aa 100644 +--- a/sound/soc/codecs/wcd9335.c ++++ b/sound/soc/codecs/wcd9335.c +@@ -339,7 +339,6 @@ struct wcd9335_codec { + + int intr1; + struct gpio_desc *reset_gpio; +- struct regulator_bulk_data supplies[WCD9335_MAX_SUPPLY]; + + unsigned int rx_port_value; + unsigned int tx_port_value; +@@ -366,6 +365,10 @@ struct wcd9335_irq { + char *name; + }; + ++static const char * const wcd9335_supplies[] = { ++ "vdd-buck", "vdd-buck-sido", "vdd-tx", "vdd-rx", "vdd-io", ++}; ++ + static const struct wcd9335_slim_ch wcd9335_tx_chs[WCD9335_TX_MAX] = { + WCD9335_SLIM_TX_CH(0), + WCD9335_SLIM_TX_CH(1), +@@ -5038,30 +5041,16 @@ 
static int wcd9335_parse_dt(struct wcd9335_codec *wcd) + if (IS_ERR(wcd->native_clk)) + return dev_err_probe(dev, PTR_ERR(wcd->native_clk), "slimbus clock not found\n"); + +- wcd->supplies[0].supply = "vdd-buck"; +- wcd->supplies[1].supply = "vdd-buck-sido"; +- wcd->supplies[2].supply = "vdd-tx"; +- wcd->supplies[3].supply = "vdd-rx"; +- wcd->supplies[4].supply = "vdd-io"; +- +- ret = regulator_bulk_get(dev, WCD9335_MAX_SUPPLY, wcd->supplies); ++ ret = devm_regulator_bulk_get_enable(dev, ARRAY_SIZE(wcd9335_supplies), ++ wcd9335_supplies); + if (ret) +- return dev_err_probe(dev, ret, "Failed to get supplies\n"); ++ return dev_err_probe(dev, ret, "Failed to get and enable supplies\n"); + + return 0; + } + + static int wcd9335_power_on_reset(struct wcd9335_codec *wcd) + { +- struct device *dev = wcd->dev; +- int ret; +- +- ret = regulator_bulk_enable(WCD9335_MAX_SUPPLY, wcd->supplies); +- if (ret) { +- dev_err(dev, "Failed to get supplies: err = %d\n", ret); +- return ret; +- } +- + /* + * For WCD9335, it takes about 600us for the Vout_A and + * Vout_D to be ready after BUCK_SIDO is powered up. +-- +2.39.5 + diff --git a/queue-5.4/asoc-codecs-wcd9335-handle-nicer-probe-deferral-and-.patch b/queue-5.4/asoc-codecs-wcd9335-handle-nicer-probe-deferral-and-.patch new file mode 100644 index 0000000000..00e90b22cd --- /dev/null +++ b/queue-5.4/asoc-codecs-wcd9335-handle-nicer-probe-deferral-and-.patch 
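Review bot: `devm_regulator_bulk_get_enable()` in wcd9335_parse_dt() is, as far as I can tell, a much newer regulator helper than a 5.4 tree provides, and nothing visible in this queue adds it, so this fix may not build once applied. The same question applies to `dev_err_probe()` (used by the two prerequisite wcd9335 patches), `of_property_present()` in the meson-card-utils patch and `aligned_s64` in the zpa2326 patch. Please build-test each against the 5.4 base and either queue the helper's introducing commit or hand-adapt the change; here, keeping `regulator_bulk_get()`/`regulator_bulk_enable()` and registering the disable/free through `devm_add_action_or_reset()` would preserve the leak fix with older APIs. The supplies are also now enabled inside wcd9335_parse_dt(), so the 600us settle comment left in wcd9335_power_on_reset() describes an enable that happens in another function and should say so.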
@@ -0,0 +1,85 @@ +From dc639c2d0b154b2f556aeeb2d1defd59d95f1e31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 12 Jun 2024 18:15:17 +0200 +Subject: ASoC: codecs: wcd9335: Handle nicer probe deferral and simplify with + dev_err_probe() + +From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> + +[ Upstream commit 4a03b5dbad466c902d522f3405daa4e5d80578c5 ] + +wcd9335_parse_dt() function is called only from probe(), so printing +errors on resource acquisition is discouraged, because it can pollute +dmesg. Use dev_err_probe() to fix this and also make the code a bit +simpler. + +Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> +Link: https://msgid.link/r/20240612-asoc-wcd9xxx-wide-cleanups-v1-4-0d15885b2a06@linaro.org +Signed-off-by: Mark Brown <broonie@kernel.org> +Stable-dep-of: 9079db287fc3 ("ASoC: codecs: wcd9335: Fix missing free of regulator supplies") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + sound/soc/codecs/wcd9335.c | 28 +++++++++------------------- + 1 file changed, 9 insertions(+), 19 deletions(-) + +diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c +index a952b94545130..61e3da5ec1ae3 100644 +--- a/sound/soc/codecs/wcd9335.c ++++ b/sound/soc/codecs/wcd9335.c +@@ -5028,22 +5028,16 @@ static int wcd9335_parse_dt(struct wcd9335_codec *wcd) + int ret; + + wcd->reset_gpio = of_get_named_gpio(np, "reset-gpios", 0); +- if (wcd->reset_gpio < 0) { +- dev_err(dev, "Reset GPIO missing from DT\n"); +- return wcd->reset_gpio; +- } ++ if (wcd->reset_gpio < 0) ++ return dev_err_probe(dev, wcd->reset_gpio, "Reset GPIO missing from DT\n"); + + wcd->mclk = devm_clk_get(dev, "mclk"); +- if (IS_ERR(wcd->mclk)) { +- dev_err(dev, "mclk not found\n"); +- return PTR_ERR(wcd->mclk); +- } ++ if (IS_ERR(wcd->mclk)) ++ return dev_err_probe(dev, PTR_ERR(wcd->mclk), "mclk not found\n"); + + wcd->native_clk = devm_clk_get(dev, "slimbus"); +- if (IS_ERR(wcd->native_clk)) { +- dev_err(dev, "slimbus clock 
not found\n"); +- return PTR_ERR(wcd->native_clk); +- } ++ if (IS_ERR(wcd->native_clk)) ++ return dev_err_probe(dev, PTR_ERR(wcd->native_clk), "slimbus clock not found\n"); + + wcd->supplies[0].supply = "vdd-buck"; + wcd->supplies[1].supply = "vdd-buck-sido"; +@@ -5052,10 +5046,8 @@ static int wcd9335_parse_dt(struct wcd9335_codec *wcd) + wcd->supplies[4].supply = "vdd-io"; + + ret = regulator_bulk_get(dev, WCD9335_MAX_SUPPLY, wcd->supplies); +- if (ret) { +- dev_err(dev, "Failed to get supplies: err = %d\n", ret); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(dev, ret, "Failed to get supplies\n"); + + return 0; + } +@@ -5158,10 +5150,8 @@ static int wcd9335_slim_probe(struct slim_device *slim) + + wcd->dev = dev; + ret = wcd9335_parse_dt(wcd); +- if (ret) { +- dev_err(dev, "Error parsing DT: %d\n", ret); ++ if (ret) + return ret; +- } + + ret = wcd9335_power_on_reset(wcd); + if (ret) +-- +2.39.5 + diff --git a/queue-5.4/asoc-meson-meson-card-utils-use-of_property_present-.patch b/queue-5.4/asoc-meson-meson-card-utils-use-of_property_present-.patch new file mode 100644 index 0000000000..911bbf67f5 --- /dev/null +++ b/queue-5.4/asoc-meson-meson-card-utils-use-of_property_present-.patch 
@@ -0,0 +1,49 @@ +From b20c8c9286e86c57f2e5e5f3118e5120b18eb7d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Sat, 19 Apr 2025 23:34:48 +0200 +Subject: ASoC: meson: meson-card-utils: use of_property_present() for DT + parsing + +From: Martin Blumenstingl <martin.blumenstingl@googlemail.com> + +[ Upstream commit 171eb6f71e9e3ba6a7410a1d93f3ac213f39dae2 ] + +Commit c141ecc3cecd ("of: Warn when of_property_read_bool() is used on +non-boolean properties") added a warning when trying to parse a property +with a value (boolean properties are defined as: absent = false, present +without any value = true). This causes a warning from meson-card-utils. + +meson-card-utils needs to know about the existence of the +"audio-routing" and/or "audio-widgets" properties in order to properly +parse them. Switch to of_property_present() in order to silence the +following warning messages during boot: + OF: /sound: Read of boolean property 'audio-routing' with a value. + OF: /sound: Read of boolean property 'audio-widgets' with a value. + +Fixes: 7864a79f37b5 ("ASoC: meson: add axg sound card support") +Tested-by: Christian Hewitt <christianshewitt@gmail.com> +Cc: stable@vger.kernel.org +Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> +Link: https://patch.msgid.link/20250419213448.59647-1-martin.blumenstingl@googlemail.com +Signed-off-by: Mark Brown <broonie@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + sound/soc/meson/meson-card-utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/meson/meson-card-utils.c b/sound/soc/meson/meson-card-utils.c +index a70d244ef88b6..f66a0c38c3037 100644 +--- a/sound/soc/meson/meson-card-utils.c ++++ b/sound/soc/meson/meson-card-utils.c +@@ -244,7 +244,7 @@ static int meson_card_parse_of_optional(struct snd_soc_card *card, + const char *p)) + { + /* If property is not provided, don't fail ... 
*/ +- if (!of_property_read_bool(card->dev->of_node, propname)) ++ if (!of_property_present(card->dev->of_node, propname)) + return 0; + + /* ... but do fail if it is provided and the parsing fails */ +-- +2.39.5 + diff --git a/queue-5.4/bpfilter-match-bit-size-of-bpfilter_umh-to-that-of-t.patch b/queue-5.4/bpfilter-match-bit-size-of-bpfilter_umh-to-that-of-t.patch new file mode 100644 index 0000000000..0533035c9b --- /dev/null +++ b/queue-5.4/bpfilter-match-bit-size-of-bpfilter_umh-to-that-of-t.patch 
@@ -0,0 +1,94 @@ +From 1c255ddb938ec84a35d46c94972ddccdde88d3a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 29 Apr 2020 12:45:13 +0900 +Subject: bpfilter: match bit size of bpfilter_umh to that of the kernel + +From: Masahiro Yamada <masahiroy@kernel.org> + +[ Upstream commit 9371f86ecb60f6f1f120e3d93fe892bbb70d04c0 ] + +bpfilter_umh is built for the default machine bit of the compiler, +which may not match to the bit size of the kernel. + +This happens in the scenario below: + +You can use biarch GCC that defaults to 64-bit for building the 32-bit +kernel. In this case, Kbuild passes -m32 to teach the compiler to +produce 32-bit kernel space objects. However, it is missing when +building bpfilter_umh. It is built as a 64-bit ELF, and then embedded +into the 32-bit kernel. + +The 32-bit kernel and 64-bit umh is a bad combination. + +In theory, we can have 32-bit umh running on 64-bit kernel, but we do +not have a good reason to support such a usecase. + +The best is to match the bit size between them. + +Pass -m32 or -m64 to the umh build command if it is found in +$(KBUILD_CFLAGS). Evaluate CC_CAN_LINK against the kernel bit-size. 
+ +Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> +Stable-dep-of: 02e9a22ceef0 ("kbuild: hdrcheck: fix cross build with clang") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + init/Kconfig | 4 +++- + net/bpfilter/Makefile | 5 +++-- + usr/include/Makefile | 4 ++++ + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/init/Kconfig b/init/Kconfig +index 41e87e8a5c6c1..50adf085d08b7 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -28,7 +28,9 @@ config CLANG_VERSION + default $(shell,$(srctree)/scripts/clang-version.sh $(CC)) + + config CC_CAN_LINK +- def_bool $(success,$(srctree)/scripts/cc-can-link.sh $(CC)) ++ bool ++ default $(success,$(srctree)/scripts/cc-can-link.sh $(CC) $(m64-flag)) if 64BIT ++ default $(success,$(srctree)/scripts/cc-can-link.sh $(CC) $(m32-flag)) + + config CC_HAS_ASM_GOTO + def_bool $(success,$(srctree)/scripts/gcc-goto.sh $(CC)) +diff --git a/net/bpfilter/Makefile b/net/bpfilter/Makefile +index aa945ab5b6558..05930c2fafd52 100644 +--- a/net/bpfilter/Makefile ++++ b/net/bpfilter/Makefile +@@ -5,14 +5,15 @@ + + hostprogs-y := bpfilter_umh + bpfilter_umh-objs := main.o +-KBUILD_HOSTCFLAGS += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi ++KBUILD_HOSTCFLAGS += -I $(srctree)/tools/include/ -I $(srctree)/tools/include/uapi \ ++ $(filter -m32 -m64, $(KBUILD_CFLAGS)) + HOSTCC := $(CC) + + ifeq ($(CONFIG_BPFILTER_UMH), y) + # builtin bpfilter_umh should be compiled with -static + # since rootfs isn't mounted at the time of __init + # function is called and do_execv won't find elf interpreter +-KBUILD_HOSTLDFLAGS += -static ++KBUILD_HOSTLDFLAGS += -static $(filter -m32 -m64, $(KBUILD_CFLAGS)) + endif + + $(obj)/bpfilter_umh_blob.o: $(obj)/bpfilter_umh +diff --git a/usr/include/Makefile b/usr/include/Makefile +index 6c4b79d4558d6..3d9dc4a5c6fca 100644 +--- a/usr/include/Makefile ++++ b/usr/include/Makefile +@@ -8,6 +8,10 @@ + # We cannot go as far as adding -Wpedantic since it emits too many warnings. 
+ UAPI_CFLAGS := -std=c90 -Wall -Werror=implicit-function-declaration + ++# In theory, we do not care -m32 or -m64 for header compile tests. ++# It is here just because CONFIG_CC_CAN_LINK is tested with -m32 or -m64. ++UAPI_CFLAGS += $(filter -m32 -m64, $(KBUILD_CFLAGS)) ++ + override c_flags = $(UAPI_CFLAGS) -Wp,-MMD,$(depfile) -I$(objtree)/usr/include + + # The following are excluded for now because they fail to build. +-- +2.39.5 + diff --git a/queue-5.4/ceph-fix-possible-integer-overflow-in-ceph_zero_obje.patch b/queue-5.4/ceph-fix-possible-integer-overflow-in-ceph_zero_obje.patch new file mode 100644 index 0000000000..e559d3e49b --- /dev/null +++ b/queue-5.4/ceph-fix-possible-integer-overflow-in-ceph_zero_obje.patch 
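Review bot: `$(m64-flag)` and `$(m32-flag)` in the new CC_CAN_LINK defaults are not defined anywhere in this patch, and I could not confirm from the page that the 5.4 `scripts/Kconfig.include` provides them. If they are missing, the macro presumably expands to nothing and cc-can-link.sh runs without a bit-size flag, so CC_CAN_LINK would quietly keep describing the compiler default rather than the kernel's bit size, which is the mismatch the patch sets out to remove. Worth checking the base tree and adding a comment above the two `default` lines stating where the flags come from. Separately, `$(filter -m32 -m64, $(KBUILD_CFLAGS))` now appears three times (twice in net/bpfilter/Makefile, once in usr/include/Makefile); a single variable in the bpfilter Makefile would keep the compile and link flags from drifting apart.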
@@ -0,0 +1,40 @@ +From 60a01533af123ace2a9ee2559c849aa675faeacc Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 22 Apr 2025 12:32:04 +0300 +Subject: ceph: fix possible integer overflow in ceph_zero_objects() + +From: Dmitry Kandybka <d.kandybka@gmail.com> + +[ Upstream commit 0abd87942e0c93964e93224836944712feba1d91 ] + +In 'ceph_zero_objects', promote 'object_size' to 'u64' to avoid possible +integer overflow. + +Compile tested only. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com> +Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com> +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + fs/ceph/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ceph/file.c b/fs/ceph/file.c +index 83122fc5f8130..9b10de2276c6f 100644 +--- a/fs/ceph/file.c ++++ b/fs/ceph/file.c +@@ -1749,7 +1749,7 @@ static int ceph_zero_objects(struct inode *inode, loff_t offset, loff_t length) + s32 stripe_unit = ci->i_layout.stripe_unit; + s32 stripe_count = ci->i_layout.stripe_count; + s32 object_size = ci->i_layout.object_size; +- u64 object_set_size = object_size * stripe_count; ++ u64 object_set_size = (u64) object_size * stripe_count; + u64 nearly, t; + + /* round offset up to next period boundary */ +-- +2.39.5 + diff --git a/queue-5.4/cifs-fix-cifs_query_path_info-for-windows-nt-servers.patch b/queue-5.4/cifs-fix-cifs_query_path_info-for-windows-nt-servers.patch new file mode 100644 index 0000000000..4ef9cc7d94 --- /dev/null +++ b/queue-5.4/cifs-fix-cifs_query_path_info-for-windows-nt-servers.patch 
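Review bot: The `(u64)` cast in ceph_zero_objects() widens `object_size` before the multiply, but `object_size`, `stripe_count` and `stripe_unit` remain `s32` locals copied from `ci->i_layout`, so a negative value would sign-extend into a huge `object_set_size` instead of being rejected. Whether the layout is validated before it reaches this function is not visible here; if it is, a comment above the declarations saying where would document why the signed types are safe, and if it is not, declaring the three locals as `u32` closes the gap. The commit message says "Compile tested only", so a quick runtime check of the 5.4 backport would be reasonable. The function body continues outside the hunk.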
@@ -0,0 +1,55 @@ +From d38914fc3293c420fea537013e8ff1b3581d7fe5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 31 Dec 2024 16:06:22 +0100 +Subject: cifs: Fix cifs_query_path_info() for Windows NT servers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár <pali@kernel.org> + +[ Upstream commit a3e771afbb3bce91c8296828304903e7348003fe ] + +For TRANS2 QUERY_PATH_INFO request when the path does not exist, the +Windows NT SMB server returns error response STATUS_OBJECT_NAME_NOT_FOUND +or ERRDOS/ERRbadfile without the SMBFLG_RESPONSE flag set. Similarly it +returns STATUS_DELETE_PENDING when the file is being deleted. And looks +like that any error response from TRANS2 QUERY_PATH_INFO does not have +SMBFLG_RESPONSE flag set. + +So relax check in check_smb_hdr() for detecting if the packet is response +for this special case. + +This change fixes stat() operation against Windows NT SMB servers and also +all operations which depends on -ENOENT result from stat like creat() or +mkdir(). + +Signed-off-by: Pali Rohár <pali@kernel.org> +Signed-off-by: Steve French <stfrench@microsoft.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + fs/cifs/misc.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c +index db1fcdedf289a..af9752535dbab 100644 +--- a/fs/cifs/misc.c ++++ b/fs/cifs/misc.c +@@ -306,6 +306,14 @@ check_smb_hdr(struct smb_hdr *smb) + if (smb->Command == SMB_COM_LOCKING_ANDX) + return 0; + ++ /* ++ * Windows NT server returns error resposne (e.g. STATUS_DELETE_PENDING ++ * or STATUS_OBJECT_NAME_NOT_FOUND or ERRDOS/ERRbadfile or any other) ++ * for some TRANS2 requests without the RESPONSE flag set in header. ++ */ ++ if (smb->Command == SMB_COM_TRANSACTION2 && smb->Status.CifsError != 0) ++ return 0; ++ + cifs_dbg(VFS, "Server sent request, not response. mid=%u\n", + get_mid(smb)); + return 1; +-- +2.39.5 + 
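Review bot: The new early `return 0` in check_smb_hdr() is broader than the case the commit message describes: it accepts any `SMB_COM_TRANSACTION2` frame with a non-zero `Status.CifsError` that lacks the response flag, not only QUERY_PATH_INFO errors from Windows NT servers. Since this function is the gate that logs "Server sent request, not response", such frames now pass without any trace, so a misbehaving or hostile server gets one more shape of packet treated as a reply; presumably the later mid matching still ties it to an outstanding request, but that is outside the hunk. I would state that in the comment once confirmed, e.g. `* Accepted only because the frame must still match a pending mid.`, and consider a `cifs_dbg(FYI, ...)` line on this path so the relaxation stays observable. The comment also has a typo, `resposne`.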
diff --git a/queue-5.4/dmaengine-xilinx_dma-set-dma_device-directions.patch b/queue-5.4/dmaengine-xilinx_dma-set-dma_device-directions.patch new file mode 100644 index 0000000000..b52492dd04 --- /dev/null +++ b/queue-5.4/dmaengine-xilinx_dma-set-dma_device-directions.patch @@ -0,0 +1,40 @@ +From 62b574f4eecb3f7b67b7b7463ddd6722c4417424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 7 May 2025 20:21:01 +0200 +Subject: dmaengine: xilinx_dma: Set dma_device directions + +From: Thomas Gessler <thomas.gessler@brueckmann-gmbh.de> + +[ Upstream commit 7e01511443c30a55a5ae78d3debd46d4d872517e ] + +Coalesce the direction bits from the enabled TX and/or RX channels into +the directions bit mask of dma_device. Without this mask set, +dma_get_slave_caps() in the DMAEngine fails, which prevents the driver +from being used with an IIO DMAEngine buffer. + +Signed-off-by: Thomas Gessler <thomas.gessler@brueckmann-gmbh.de> +Reviewed-by: Suraj Gupta <suraj.gupta2@amd.com> +Tested-by: Folker Schwesinger <dev@folker-schwesinger.de> +Link: https://lore.kernel.org/r/20250507182101.909010-1-thomas.gessler@brueckmann-gmbh.de +Signed-off-by: Vinod Koul <vkoul@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/dma/xilinx/xilinx_dma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index be44c86a1e037..5b5cbea997ff7 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -2490,6 +2490,8 @@ static int xilinx_dma_chan_probe(struct xilinx_dma_device *xdev, + return -EINVAL; + } + ++ xdev->common.directions |= chan->direction; ++ + /* Request the interrupt */ + chan->irq = irq_of_parse_and_map(node, 0); + err = request_irq(chan->irq, xilinx_dma_irq_handler, IRQF_SHARED, +-- +2.39.5 + 
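Review bot: `xdev->common.directions |= chan->direction;` ORs the raw enum value into a field that the dmaengine core, to my knowledge, treats as a mask of `BIT(<direction>)` values, because `enum dma_transfer_direction` is not a set of bit flags. With the raw values the bits that end up set do not correspond to the directions the channels actually have, so dma_get_slave_caps() would stop failing but could report the wrong capabilities to the client. The line should probably read `xdev->common.directions |= BIT(chan->direction);`. xilinx_dma_chan_probe() starts and ends outside the hunk, so where `chan->direction` is assigned is not visible here.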
diff --git a/queue-5.4/fs-jfs-consolidate-sanity-checking-in-dbmount.patch b/queue-5.4/fs-jfs-consolidate-sanity-checking-in-dbmount.patch new file mode 100644 index 0000000000..964d324794 --- /dev/null +++ b/queue-5.4/fs-jfs-consolidate-sanity-checking-in-dbmount.patch 
@@ -0,0 +1,81 @@ +From c05e6621f7d8fdce660471339d2549dacbcb00e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 20 Feb 2025 10:31:19 -0600 +Subject: fs/jfs: consolidate sanity checking in dbMount + +From: Dave Kleikamp <dave.kleikamp@oracle.com> + +[ Upstream commit 0d250b1c52484d489e31df2cf9118b7c4bd49d31 ] + +Sanity checks have been added to dbMount as individual if clauses with +identical error handling. Move these all into one clause. + +Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> +Stable-dep-of: 37bfb464ddca ("jfs: validate AG parameters in dbMount() to prevent crashes") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + fs/jfs/jfs_dmap.c | 37 +++++++++---------------------------- + 1 file changed, 9 insertions(+), 28 deletions(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index d161bbafe77f6..6bd9ab705cc66 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -178,45 +178,26 @@ int dbMount(struct inode *ipbmap) + dbmp_le = (struct dbmap_disk *) mp->data; + bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize); + bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree); +- + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); +- if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE || +- bmp->db_l2nbperpage < 0) { +- err = -EINVAL; +- goto err_release_metapage; +- } +- + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); +- if (!bmp->db_numag || bmp->db_numag > MAXAG) { +- err = -EINVAL; +- goto err_release_metapage; +- } +- + bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel); + bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag); + bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref); +- if (bmp->db_maxag >= MAXAG || bmp->db_maxag < 0 || +- bmp->db_agpref >= MAXAG || bmp->db_agpref < 0) { +- err = -EINVAL; +- goto err_release_metapage; +- } +- + bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel); + bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight); + bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); +- if 
(!bmp->db_agwidth) { +- err = -EINVAL; +- goto err_release_metapage; +- } + bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); + bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); +- if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG || +- bmp->db_agl2size < 0) { +- err = -EINVAL; +- goto err_release_metapage; +- } + +- if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) { ++ if ((bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) || ++ (bmp->db_l2nbperpage < 0) || ++ !bmp->db_numag || (bmp->db_numag > MAXAG) || ++ (bmp->db_maxag >= MAXAG) || (bmp->db_maxag < 0) || ++ (bmp->db_agpref >= MAXAG) || (bmp->db_agpref < 0) || ++ !bmp->db_agwidth || ++ (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) || ++ (bmp->db_agl2size < 0) || ++ ((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) { + err = -EINVAL; + goto err_release_metapage; + } +-- +2.39.5 + diff --git a/queue-5.4/iio-pressure-zpa2326-use-aligned_s64-for-the-timesta.patch b/queue-5.4/iio-pressure-zpa2326-use-aligned_s64-for-the-timesta.patch new file mode 100644 index 0000000000..87df5b20de --- /dev/null +++ b/queue-5.4/iio-pressure-zpa2326-use-aligned_s64-for-the-timesta.patch 
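Review bot: In the merged condition the final `((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG` test is only safe because the `db_agl2size` range checks precede it in the `||` chain, a dependency that was obvious with separate `if` blocks and is easy to break when the list is next reordered; a comment such as `/* keep last: the shift needs db_agl2size already range-checked */` would pin it. If `db_mapsize` is a signed 64-bit field, which the hunk does not show, the same test also lets a zero or negative map size through, since `db_mapsize - 1` then shifts to a non-positive value; an explicit `(bmp->db_mapsize <= 0) ||` term may be worth raising upstream. dbMount() begins and ends outside the hunk.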
@@ -0,0 +1,36 @@ +From 181f894b0ce8b1f6185b2fae2adac4397073d849 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Sun, 13 Apr 2025 11:34:41 +0100 +Subject: iio: pressure: zpa2326: Use aligned_s64 for the timestamp + +From: Jonathan Cameron <Jonathan.Cameron@huawei.com> + +[ Upstream commit 886a446b76afddfad307488e95e87f23a08ffd51 ] + +On x86_32 s64 fields are only 32-bit aligned. Hence force the alignment of +the field and padding in the structure by using aligned_s64 instead. + +Reviewed-by: David Lechner <dlechner@baylibre.com> +Link: https://patch.msgid.link/20250413103443.2420727-19-jic23@kernel.org +Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/iio/pressure/zpa2326.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/pressure/zpa2326.c b/drivers/iio/pressure/zpa2326.c +index df60b3d91dad4..85ca48f2fe665 100644 +--- a/drivers/iio/pressure/zpa2326.c ++++ b/drivers/iio/pressure/zpa2326.c +@@ -581,7 +581,7 @@ static int zpa2326_fill_sample_buffer(struct iio_dev *indio_dev, + struct { + u32 pressure; + u16 temperature; +- u64 timestamp; ++ aligned_s64 timestamp; + } sample; + int err; + +-- +2.39.5 + diff --git a/queue-5.4/jfs-validate-ag-parameters-in-dbmount-to-prevent-cra.patch b/queue-5.4/jfs-validate-ag-parameters-in-dbmount-to-prevent-cra.patch new file mode 100644 index 0000000000..a33418d3cb --- /dev/null +++ b/queue-5.4/jfs-validate-ag-parameters-in-dbmount-to-prevent-cra.patch 
@@ -0,0 +1,78 @@ +From 000b96576269cae4b4148da4472d5794732679ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 10 Mar 2025 11:56:02 +0300 +Subject: jfs: validate AG parameters in dbMount() to prevent crashes + +From: Vasiliy Kovalev <kovalev@altlinux.org> + +[ Upstream commit 37bfb464ddca87f203071b5bd562cd91ddc0b40a ] + +Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch +corrupted metadata early and avoid undefined behavior in dbAllocAG. +Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: + +- agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift + (L2LPERCTL - 2*agheight) >= 0. +- agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) + ensures agperlev >= 1. + - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). + - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; + 2^(10 - 2*agheight) prevents division to 0. +- agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within + stree (size 1365). + - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). 
+ +UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 +shift exponent -335544310 is negative +CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 +Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 +Call Trace: + <TASK> + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + ubsan_epilogue lib/ubsan.c:231 [inline] + __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 + dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 + dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 + jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 + jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Cc: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+fe8264911355151c487f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=fe8264911355151c487f +Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org> +Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + fs/jfs/jfs_dmap.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index 6bd9ab705cc66..8cffb5dd98cfb 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -194,7 +194,11 @@ int dbMount(struct inode *ipbmap) + !bmp->db_numag || (bmp->db_numag > MAXAG) || + (bmp->db_maxag >= MAXAG) || (bmp->db_maxag < 0) || + (bmp->db_agpref >= MAXAG) || (bmp->db_agpref < 0) || +- !bmp->db_agwidth || ++ (bmp->db_agheight < 0) || (bmp->db_agheight > (L2LPERCTL >> 1)) || ++ (bmp->db_agwidth < 1) || (bmp->db_agwidth > (LPERCTL / MAXAG)) || ++ (bmp->db_agwidth > (1 << (L2LPERCTL - (bmp->db_agheight << 1)))) || ++ (bmp->db_agstart < 0) || ++ (bmp->db_agstart > (CTLTREESIZE - 1 - bmp->db_agwidth * (MAXAG - 1))) || + (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) || + (bmp->db_agl2size < 0) || + ((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) { +-- +2.39.5 + diff --git a/queue-5.4/kbuild-add-target-to-correctly-cross-compile-uapi-he.patch b/queue-5.4/kbuild-add-target-to-correctly-cross-compile-uapi-he.patch new file mode 100644 index 0000000000..144c183e31 --- /dev/null +++ b/queue-5.4/kbuild-add-target-to-correctly-cross-compile-uapi-he.patch 
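Review bot: `db_aglevel` and `db_maxlevel` are still taken from disk without any bounds in this condition, although the prerequisite consolidation patch shows both being read alongside the fields validated here. If dbAllocAG() or its callers use them as tree levels or indices, which is not visible in this hunk, they deserve the same treatment as `db_agheight`. The new `db_agstart` bound is also correct only because `db_agwidth` has already been limited to `LPERCTL / MAXAG` earlier in the `||` chain, and the `1 << (L2LPERCTL - (bmp->db_agheight << 1))` term relies on the preceding `db_agheight` check. A short comment next to the condition listing the derived ranges from the commit message would keep that reasoning with the code.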
@@ -0,0 +1,48 @@
+From ed6fa4f1b2bf2d3914d1fe9f3304d69e3a582308 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Mar 2022 21:56:05 +0900
+Subject: kbuild: add --target to correctly cross-compile UAPI headers with
+ Clang
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 9fbed27a7a1101c926718dfa9b49aff1d04477b5 ]
+
+When you compile-test UAPI headers (CONFIG_UAPI_HEADER_TEST=y) with
+Clang, they are currently compiled for the host target (likely x86_64)
+regardless of the given ARCH=.
+
+In fact, some exported headers include libc headers. For example,
+include/uapi/linux/agpgart.h includes <stdlib.h> after being exported.
+The header search paths should match to the target we are compiling
+them for.
+
+Pick up the --target triple from KBUILD_CFLAGS in the same ways as
+commit 7f58b487e9ff ("kbuild: make Clang build userprogs for target
+architecture").
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Stable-dep-of: 02e9a22ceef0 ("kbuild: hdrcheck: fix cross build with clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ usr/include/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/include/Makefile b/usr/include/Makefile
+index 3d9dc4a5c6fca..de6f9bffb01ed 100644
+--- a/usr/include/Makefile
++++ b/usr/include/Makefile
+@@ -10,7 +10,7 @@ UAPI_CFLAGS := -std=c90 -Wall -Werror=implicit-function-declaration
+
+ # In theory, we do not care -m32 or -m64 for header compile tests.
+ # It is here just because CONFIG_CC_CAN_LINK is tested with -m32 or -m64.
+-UAPI_CFLAGS += $(filter -m32 -m64, $(KBUILD_CFLAGS))
++UAPI_CFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CFLAGS))
+
+ override c_flags = $(UAPI_CFLAGS) -Wp,-MMD,$(depfile) -I$(objtree)/usr/include
+
+--
+2.39.5
+
diff --git a/queue-5.4/kbuild-hdrcheck-fix-cross-build-with-clang.patch b/queue-5.4/kbuild-hdrcheck-fix-cross-build-with-clang.patch
new file mode 100644
index 0000000000..eeaf3f4f12
--- /dev/null
+++ b/queue-5.4/kbuild-hdrcheck-fix-cross-build-with-clang.patch
@@ -0,0 +1,45 @@
+From 0aa7d76b4e2963cb70c2f9beb0268b91e2153a62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 11:00:31 +0100
+Subject: kbuild: hdrcheck: fix cross build with clang
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 02e9a22ceef0227175e391902d8760425fa072c6 ]
+
+The headercheck tries to call clang with a mix of compiler arguments
+that don't include the target architecture. When building e.g. x86
+headers on arm64, this produces a warning like
+
+ clang: warning: unknown platform, assuming -mfloat-abi=soft
+
+Add in the KBUILD_CPPFLAGS, which contain the target, in order to make it
+build properly.
+
+See also 1b71c2fb04e7 ("kbuild: userprogs: fix bitsize and target
+detection on clang").
+
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Fixes: feb843a469fb ("kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ usr/include/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/include/Makefile b/usr/include/Makefile
+index de6f9bffb01ed..293cccc01387e 100644
+--- a/usr/include/Makefile
++++ b/usr/include/Makefile
+@@ -10,7 +10,7 @@ UAPI_CFLAGS := -std=c90 -Wall -Werror=implicit-function-declaration
+
+ # In theory, we do not care -m32 or -m64 for header compile tests.
+ # It is here just because CONFIG_CC_CAN_LINK is tested with -m32 or -m64.
+-UAPI_CFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CFLAGS))
++UAPI_CFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS))
+
+ override c_flags = $(UAPI_CFLAGS) -Wp,-MMD,$(depfile) -I$(objtree)/usr/include
+
+--
+2.39.5
+
diff --git a/queue-5.4/kbuild-use-mmd-instead-of-md-to-exclude-system-heade.patch b/queue-5.4/kbuild-use-mmd-instead-of-md-to-exclude-system-heade.patch
new file mode 100644
index 0000000000..6a4244b58a
--- /dev/null
+++ b/queue-5.4/kbuild-use-mmd-instead-of-md-to-exclude-system-heade.patch
@@ -0,0 +1,110 @@
+From 5b164daed9dffcb1da5182979b02cc83b377d3cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Apr 2020 23:23:53 +0900
+Subject: kbuild: use -MMD instead of -MD to exclude system headers from
+ dependency
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 30a7729771731971839cc969d2a321e6ea7a144b ]
+
+This omits system headers from the generated header dependency.
+
+System headers are not updated unless you upgrade the compiler. Nor do
+they contain CONFIG options, so fixdep does not need to parse them.
+
+Having said that, the effect of this optimization will be quite small
+because the kernel code generally does not include system headers
+except <stdarg.h>. Host programs include a lot of system headers,
+but there are not so many in the kernel tree.
+
+At first, keeping system headers in .*.cmd files might be useful to
+detect the compiler update, but there is no guarantee that <stdarg.h>
+is included from every file. So, I implemented a more reliable way in
+the previous commit.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Stable-dep-of: 02e9a22ceef0 ("kbuild: hdrcheck: fix cross build with clang")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Kbuild.include | 2 +-
+ scripts/Makefile.host | 4 ++--
+ scripts/Makefile.lib | 8 ++++----
+ usr/include/Makefile | 2 +-
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
+index 5d247d8f1e044..82eb69f07b356 100644
+--- a/scripts/Kbuild.include
++++ b/scripts/Kbuild.include
+@@ -16,7 +16,7 @@ pound := \#
+ dot-target = $(dir $@).$(notdir $@)
+
+ ###
+-# The temporary file to save gcc -MD generated dependencies must not
++# The temporary file to save gcc -MMD generated dependencies must not
+ # contain a comma
+ depfile = $(subst $(comma),_,$(dot-target).d)
+
+diff --git a/scripts/Makefile.host b/scripts/Makefile.host
+index 4c51c95d40f47..a0a4af508f155 100644
+--- a/scripts/Makefile.host
++++ b/scripts/Makefile.host
+@@ -92,8 +92,8 @@ _hostcxx_flags += -I $(objtree)/$(obj)
+ endif
+ endif
+
+-hostc_flags = -Wp,-MD,$(depfile) $(_hostc_flags)
+-hostcxx_flags = -Wp,-MD,$(depfile) $(_hostcxx_flags)
++hostc_flags = -Wp,-MMD,$(depfile) $(_hostc_flags)
++hostcxx_flags = -Wp,-MMD,$(depfile) $(_hostcxx_flags)
+
+ #####
+ # Compile programs on the host
+diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
+index a6d0044328b1f..9339fadb6a169 100644
+--- a/scripts/Makefile.lib
++++ b/scripts/Makefile.lib
+@@ -160,22 +160,22 @@ modkern_aflags = $(if $(part-of-module), \
+ $(KBUILD_AFLAGS_MODULE) $(AFLAGS_MODULE), \
+ $(KBUILD_AFLAGS_KERNEL) $(AFLAGS_KERNEL))
+
+-c_flags = -Wp,-MD,$(depfile) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
++c_flags = -Wp,-MMD,$(depfile) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
+ -include $(srctree)/include/linux/compiler_types.h \
+ $(_c_flags) $(modkern_cflags) \
+ $(basename_flags) $(modname_flags)
+
+-a_flags = -Wp,-MD,$(depfile) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
++a_flags = -Wp,-MMD,$(depfile)
$(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
+ $(_a_flags) $(modkern_aflags)
+
+-cpp_flags = -Wp,-MD,$(depfile) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
++cpp_flags = -Wp,-MMD,$(depfile) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) \
+ $(_cpp_flags)
+
+ ld_flags = $(KBUILD_LDFLAGS) $(ldflags-y) $(LDFLAGS_$(@F))
+
+ DTC_INCLUDE := $(srctree)/scripts/dtc/include-prefixes
+
+-dtc_cpp_flags = -Wp,-MD,$(depfile).pre.tmp -nostdinc \
++dtc_cpp_flags = -Wp,-MMD,$(depfile).pre.tmp -nostdinc \
+ $(addprefix -I,$(DTC_INCLUDE)) \
+ -undef -D__DTS__
+
+diff --git a/usr/include/Makefile b/usr/include/Makefile
+index e2840579156a9..6c4b79d4558d6 100644
+--- a/usr/include/Makefile
++++ b/usr/include/Makefile
+@@ -8,7 +8,7 @@
+ # We cannot go as far as adding -Wpedantic since it emits too many warnings.
+ UAPI_CFLAGS := -std=c90 -Wall -Werror=implicit-function-declaration
+
+-override c_flags = $(UAPI_CFLAGS) -Wp,-MD,$(depfile) -I$(objtree)/usr/include
++override c_flags = $(UAPI_CFLAGS) -Wp,-MMD,$(depfile) -I$(objtree)/usr/include
+
+ # The following are excluded for now because they fail to build.
+ #
+--
+2.39.5
+
diff --git a/queue-5.4/mailbox-not-protect-module_put-with-spin_lock_irqsav.patch b/queue-5.4/mailbox-not-protect-module_put-with-spin_lock_irqsav.patch
new file mode 100644
index 0000000000..81a10a19a3
--- /dev/null
+++ b/queue-5.4/mailbox-not-protect-module_put-with-spin_lock_irqsav.patch
@@ -0,0 +1,38 @@
+From f86871be25757b46e736d7f2a076087da47aca5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 21:14:10 +0800
+Subject: mailbox: Not protect module_put with spin_lock_irqsave
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit dddbd233e67e792bb0a3f9694a4707e6be29b2c6 ]
+
+&chan->lock is not supposed to protect 'chan->mbox'.
+And in __mbox_bind_client, try_module_get is also not protected
+by &chan->lock. So move module_put out of the lock protected
+region.
+
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
+index 6f54501dc7762..cb31ad917b352 100644
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -459,8 +459,8 @@ void mbox_free_channel(struct mbox_chan *chan)
+ if (chan->txdone_method == TXDONE_BY_ACK)
+ chan->txdone_method = TXDONE_BY_POLL;
+
+- module_put(chan->mbox->dev->driver->owner);
+ spin_unlock_irqrestore(&chan->lock, flags);
++ module_put(chan->mbox->dev->driver->owner);
+ }
+ EXPORT_SYMBOL_GPL(mbox_free_channel);
+
+--
+2.39.5
+
diff --git a/queue-5.4/md-md-bitmap-fix-dm-raid-max_write_behind-setting.patch b/queue-5.4/md-md-bitmap-fix-dm-raid-max_write_behind-setting.patch
new file mode 100644
index 0000000000..66de1ac139
--- /dev/null
+++ b/queue-5.4/md-md-bitmap-fix-dm-raid-max_write_behind-setting.patch
@@ -0,0 +1,36 @@
+From 841b68da9d4ec31ef5ac48c86738b13743ac20b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 May 2025 14:13:10 +0800
+Subject: md/md-bitmap: fix dm-raid max_write_behind setting
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 2afe17794cfed5f80295b1b9facd66e6f65e5002 ]
+
+It's supposed to be COUNTER_MAX / 2, not COUNTER_MAX.
+
+Link: https://lore.kernel.org/linux-raid/20250524061320.370630-14-yukuai1@huaweicloud.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index 8fc85b6251e48..feff5b29d0985 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -549,7 +549,7 @@ static int md_bitmap_new_disk_sb(struct bitmap *bitmap)
+ * is a good choice? We choose COUNTER_MAX / 2 arbitrarily.
+ */
+ write_behind = bitmap->mddev->bitmap_info.max_write_behind;
+- if (write_behind > COUNTER_MAX)
++ if (write_behind > COUNTER_MAX / 2)
+ write_behind = COUNTER_MAX / 2;
+ sb->write_behind = cpu_to_le32(write_behind);
+ bitmap->mddev->bitmap_info.max_write_behind = write_behind;
+--
+2.39.5
+
diff --git a/queue-5.4/media-cxusb-no-longer-judge-rbuf-when-the-write-fail.patch b/queue-5.4/media-cxusb-no-longer-judge-rbuf-when-the-write-fail.patch
new file mode 100644
index 0000000000..f7b6a0e510
--- /dev/null
+++ b/queue-5.4/media-cxusb-no-longer-judge-rbuf-when-the-write-fail.patch
@@ -0,0 +1,71 @@
+From 17242e3d0b0f29850d31ea92c19d6e4378cec29b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Apr 2025 19:56:41 +0800
+Subject: media: cxusb: no longer judge rbuf when the write fails
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 73fb3b92da84637e3817580fa205d48065924e15 ]
+
+syzbot reported a uninit-value in cxusb_i2c_xfer. [1]
+
+Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw()
+succeeds and rlen is greater than 0, the read operation of usb_bulk_msg()
+will be executed to read rlen bytes of data from the dvb device into the
+rbuf.
+
+In this case, although rlen is 1, the write operation failed which resulted
+in the dvb read operation not being executed, and ultimately variable i was
+not initialized.
+
+[1]
+BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
+BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
+ cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline]
+ cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196
+ __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1
+ i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315
+ i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343
+ i2c_master_send include/linux/i2c.h:109 [inline]
+ i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183
+ do_loop_readv_writev fs/read_write.c:848 [inline]
+ vfs_writev+0x963/0x14e0 fs/read_write.c:1057
+ do_writev+0x247/0x5c0 fs/read_write.c:1101
+ __do_sys_writev fs/read_write.c:1169 [inline]
+ __se_sys_writev fs/read_write.c:1166 [inline]
+ __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166
+ x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Reported-by:
syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=526bd95c0ec629993bf3
+Tested-by: syzbot+526bd95c0ec629993bf3@syzkaller.appspotmail.com
+Fixes: 22c6d93a7310 ("[PATCH] dvb: usb: support Medion hybrid USB2.0 DVB-T/analogue box")
+Cc: stable@vger.kernel.org
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
+index 5a15a6ec204f3..6beed13702d34 100644
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -119,9 +119,8 @@ static void cxusb_gpio_tuner(struct dvb_usb_device *d, int onoff)
+
+ o[0] = GPIO_TUNER;
+ o[1] = onoff;
+- cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1);
+
+- if (i != 0x01)
++ if (!cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1) && i != 0x01)
+ dev_info(&d->udev->dev, "gpio_write failed.\n");
+
+ st->gpio_write_state[GPIO_TUNER] = onoff;
+--
+2.39.5
+
diff --git a/queue-5.4/media-cxusb-use-dev_dbg-rather-than-hand-rolled-debu.patch b/queue-5.4/media-cxusb-use-dev_dbg-rather-than-hand-rolled-debu.patch
new file mode 100644
index 0000000000..e773f3a24f
--- /dev/null
+++ b/queue-5.4/media-cxusb-use-dev_dbg-rather-than-hand-rolled-debu.patch
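Review bot: A failed transfer is now silent in cxusb_gpio_tuner(): with `!cxusb_ctrl_msg(...) && i != 0x01` the message is printed only when the call returns 0, and the context line `st->gpio_write_state[GPIO_TUNER] = onoff;` still caches the new state when the call itself failed. Keeping the return value and testing it first reports both cases without reading `i` after a failed call: `rc = cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1);` followed by `if (rc || i != 0x01)`. That needs an `int rc` next to the declaration of `i`, which is above the hunk; whether the cached state should be left untouched on failure depends on callers that are not shown here.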
@@ -0,0 +1,176 @@
+From 039f996b37537c51f219532715d804a42e57d0bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2019 12:40:52 +0100
+Subject: media: cxusb: use dev_dbg() rather than hand-rolled debug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit c376d66515f89dd833b344c419e313db9ad169b5 ]
+
+This solves the following compiler warnings:
+
+drivers/media/usb/dvb-usb/cxusb.c: In function ‘cxusb_gpio_tuner’:
+drivers/media/usb/dvb-usb/cxusb.c:128:35: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+ 128 | deb_info("gpio_write failed.\n");
+ | ^
+drivers/media/usb/dvb-usb/cxusb.c: In function ‘cxusb_bluebird_gpio_rw’:
+drivers/media/usb/dvb-usb/cxusb.c:145:44: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+ 145 | deb_info("bluebird_gpio_write failed.\n");
+ | ^
+drivers/media/usb/dvb-usb/cxusb.c: In function ‘cxusb_i2c_xfer’:
+drivers/media/usb/dvb-usb/cxusb.c:251:42: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+ 251 | deb_i2c("i2c read may have failed\n");
+ | ^
+drivers/media/usb/dvb-usb/cxusb.c:274:43: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+ 274 | deb_i2c("i2c write may have failed\n");
+ | ^
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Stable-dep-of: 73fb3b92da84 ("media: cxusb: no longer judge rbuf when the write fails")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 33 ++++++++++++++-----------------
+ 1 file changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/cxusb.c b/drivers/media/usb/dvb-usb/cxusb.c
+index 06bd827ef4619..5a15a6ec204f3 100644
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -54,9 +54,6 @@
MODULE_PARM_DESC(debug, "set debugging level (see cxusb.h)."
+
+ DVB_DEFINE_MOD_OPT_ADAPTER_NR(adapter_nr);
+
+-#define deb_info(args...) dprintk(dvb_usb_cxusb_debug, CXUSB_DBG_MISC, args)
+-#define deb_i2c(args...) dprintk(dvb_usb_cxusb_debug, CXUSB_DBG_I2C, args)
+-
+ enum cxusb_table_index {
+ MEDION_MD95700,
+ DVICO_BLUEBIRD_LG064F_COLD,
+@@ -125,7 +122,7 @@ static void cxusb_gpio_tuner(struct dvb_usb_device *d, int onoff)
+ cxusb_ctrl_msg(d, CMD_GPIO_WRITE, o, 2, &i, 1);
+
+ if (i != 0x01)
+- deb_info("gpio_write failed.\n");
++ dev_info(&d->udev->dev, "gpio_write failed.\n");
+
+ st->gpio_write_state[GPIO_TUNER] = onoff;
+ st->gpio_write_refresh[GPIO_TUNER] = false;
+@@ -142,7 +139,7 @@ static int cxusb_bluebird_gpio_rw(struct dvb_usb_device *d, u8 changemask,
+
+ rc = cxusb_ctrl_msg(d, CMD_BLUEBIRD_GPIO_RW, o, 2, &gpio_state, 1);
+ if (rc < 0 || (gpio_state & changemask) != (newval & changemask))
+- deb_info("bluebird_gpio_write failed.\n");
++ dev_info(&d->udev->dev, "bluebird_gpio_write failed.\n");
+
+ return rc < 0 ? rc : gpio_state;
+ }
+@@ -174,7 +171,7 @@ static int cxusb_d680_dmb_gpio_tuner(struct dvb_usb_device *d,
+ if (i == 0x01)
+ return 0;
+
+- deb_info("gpio_write failed.\n");
++ dev_info(&d->udev->dev, "gpio_write failed.\n");
+ return -EIO;
+ }
+
+@@ -248,7 +245,7 @@ static int cxusb_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ break;
+
+ if (ibuf[0] != 0x08)
+- deb_i2c("i2c read may have failed\n");
++ dev_info(&d->udev->dev, "i2c read may have failed\n");
+
+ memcpy(msg[i + 1].buf, &ibuf[1], msg[i + 1].len);
+
+@@ -271,7 +268,7 @@ static int cxusb_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ 2 + msg[i].len, &ibuf, 1) < 0)
+ break;
+ if (ibuf != 0x08)
+- deb_i2c("i2c write may have failed\n");
++ dev_info(&d->udev->dev, "i2c write may have failed\n");
+ }
+ }
+
+@@ -299,7 +296,7 @@ static int _cxusb_power_ctrl(struct dvb_usb_device *d, int onoff)
+ {
+ u8 b = 0;
+
+- deb_info("setting power %s\n", onoff ?
"ON" : "OFF");
++ dev_info(&d->udev->dev, "setting power %s\n", onoff ? "ON" : "OFF");
+
+ if (onoff)
+ return cxusb_ctrl_msg(d, CMD_POWER_ON, &b, 1, NULL, 0);
+@@ -318,7 +315,7 @@ static int cxusb_power_ctrl(struct dvb_usb_device *d, int onoff)
+ mutex_lock(&cxdev->open_lock);
+
+ if (cxdev->open_type == CXUSB_OPEN_ANALOG) {
+- deb_info("preventing DVB core from setting power OFF while we are in analog mode\n");
++ dev_info(&d->udev->dev, "preventing DVB core from setting power OFF while we are in analog mode\n");
+ ret = -EBUSY;
+ goto ret_unlock;
+ }
+@@ -754,16 +751,16 @@ static int dvico_bluebird_xc2028_callback(void *ptr, int component,
+
+ switch (command) {
+ case XC2028_TUNER_RESET:
+- deb_info("%s: XC2028_TUNER_RESET %d\n", __func__, arg);
++ dev_info(&d->udev->dev, "XC2028_TUNER_RESET %d\n", arg);
+ cxusb_bluebird_gpio_pulse(d, 0x01, 1);
+ break;
+ case XC2028_RESET_CLK:
+- deb_info("%s: XC2028_RESET_CLK %d\n", __func__, arg);
++ dev_info(&d->udev->dev, "XC2028_RESET_CLK %d\n", arg);
+ break;
+ case XC2028_I2C_FLUSH:
+ break;
+ default:
+- deb_info("%s: unknown command %d, arg %d\n", __func__,
++ dev_info(&d->udev->dev, "unknown command %d, arg %d\n",
+ command, arg);
+ return -EINVAL;
+ }
+@@ -1444,7 +1441,7 @@ int cxusb_medion_get(struct dvb_usb_device *dvbdev,
+
+ if (cxdev->open_ctr == 0) {
+ if (cxdev->open_type != open_type) {
+- deb_info("will acquire and switch to %s\n",
++ dev_info(&dvbdev->udev->dev, "will acquire and switch to %s\n",
+ open_type == CXUSB_OPEN_ANALOG ?
+ "analog" : "digital");
+
+@@ -1476,7 +1473,7 @@ int cxusb_medion_get(struct dvb_usb_device *dvbdev,
+
+ cxdev->open_type = open_type;
+ } else {
+- deb_info("reacquired idle %s\n",
++ dev_info(&dvbdev->udev->dev, "reacquired idle %s\n",
+ open_type == CXUSB_OPEN_ANALOG ?
+ "analog" : "digital");
+ }
+@@ -1484,8 +1481,8 @@ int cxusb_medion_get(struct dvb_usb_device *dvbdev,
+ cxdev->open_ctr = 1;
+ } else if (cxdev->open_type == open_type) {
+ cxdev->open_ctr++;
+- deb_info("acquired %s\n", open_type == CXUSB_OPEN_ANALOG ?
+- "analog" : "digital");
++ dev_info(&dvbdev->udev->dev, "acquired %s\n",
++ open_type == CXUSB_OPEN_ANALOG ? "analog" : "digital");
+ } else {
+ ret = -EBUSY;
+ }
+@@ -1511,7 +1508,7 @@ void cxusb_medion_put(struct dvb_usb_device *dvbdev)
+ if (!WARN_ON(cxdev->open_ctr < 1)) {
+ cxdev->open_ctr--;
+
+- deb_info("release %s\n",
++ dev_info(&dvbdev->udev->dev, "release %s\n",
+ cxdev->open_type == CXUSB_OPEN_ANALOG ?
+ "analog" : "digital");
+ }
+--
+2.39.5
+
diff --git a/queue-5.4/media-omap3isp-use-sgtable-based-scatterlist-wrapper.patch b/queue-5.4/media-omap3isp-use-sgtable-based-scatterlist-wrapper.patch
new file mode 100644
index 0000000000..21b4d592ca
--- /dev/null
+++ b/queue-5.4/media-omap3isp-use-sgtable-based-scatterlist-wrapper.patch
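Review bot: Every converted call in this patch uses `dev_info()` although the subject says dev_dbg(), so messages that used to be gated by the `debug` module parameter are now always logged. The two in cxusb_i2c_xfer() (`"i2c read may have failed\n"` and `"i2c write may have failed\n"`) sit on the per-message transfer path, and the syzbot trace in the neighbouring cxusb patch reaches that function from i2cdev_write, so a misbehaving device or a user with access to the i2c-dev node could presumably fill the kernel log. The trace-style messages (power, acquire/release, XC2028 commands) would fit `dev_dbg(&d->udev->dev, "setting power %s\n", onoff ? "ON" : "OFF");`, and the failure reports a rate-limited call such as `dev_warn_ratelimited()`. This covers the hunks at -125, -142, -174, -248, -271, -299, -318, -754, -1444, -1476, -1484 and -1511 alike.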
@@ -0,0 +1,79 @@
+From 86281486baab84f80fa70ac533e4dfe220dfa587 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 18:09:13 +0200
+Subject: media: omap3isp: use sgtable-based scatterlist wrappers
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 3de572fe2189a4a0bd80295e1f478401e739498e ]
+
+Use common wrappers operating directly on the struct sg_table objects to
+fix incorrect use of scatterlists sync calls. dma_sync_sg_for_*()
+functions have to be called with the number of elements originally passed
+to dma_map_sg_*() function, not the one returned in sgtable's nents.
+
+Fixes: d33186d0be18 ("[media] omap3isp: ccdc: Use the DMA API for LSC")
+Fixes: 0e24e90f2ca7 ("[media] omap3isp: stat: Use the DMA API")
+CC: stable@vger.kernel.org
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/omap3isp/ispccdc.c | 8 ++++----
+ drivers/media/platform/omap3isp/ispstat.c | 6 ++----
+ 2 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/platform/omap3isp/ispccdc.c b/drivers/media/platform/omap3isp/ispccdc.c
+index e2f336c715a4d..90fda694e0d3d 100644
+--- a/drivers/media/platform/omap3isp/ispccdc.c
++++ b/drivers/media/platform/omap3isp/ispccdc.c
+@@ -446,8 +446,8 @@ static int ccdc_lsc_config(struct isp_ccdc_device *ccdc,
+ if (ret < 0)
+ goto done;
+
+- dma_sync_sg_for_cpu(isp->dev, req->table.sgt.sgl,
+- req->table.sgt.nents, DMA_TO_DEVICE);
++ dma_sync_sgtable_for_cpu(isp->dev, &req->table.sgt,
++ DMA_TO_DEVICE);
+
+ if (copy_from_user(req->table.addr, config->lsc,
+ req->config.size)) {
+@@ -455,8 +455,8 @@ static int ccdc_lsc_config(struct isp_ccdc_device *ccdc,
+ goto done;
+ }
+
+- dma_sync_sg_for_device(isp->dev, req->table.sgt.sgl,
+- req->table.sgt.nents, DMA_TO_DEVICE);
++
dma_sync_sgtable_for_device(isp->dev, &req->table.sgt,
++ DMA_TO_DEVICE);
+ }
+
+ spin_lock_irqsave(&ccdc->lsc.req_lock, flags);
+diff --git a/drivers/media/platform/omap3isp/ispstat.c b/drivers/media/platform/omap3isp/ispstat.c
+index 5b9b57f4d9bf8..e8a1837b1b74f 100644
+--- a/drivers/media/platform/omap3isp/ispstat.c
++++ b/drivers/media/platform/omap3isp/ispstat.c
+@@ -161,8 +161,7 @@ static void isp_stat_buf_sync_for_device(struct ispstat *stat,
+ if (ISP_STAT_USES_DMAENGINE(stat))
+ return;
+
+- dma_sync_sg_for_device(stat->isp->dev, buf->sgt.sgl,
+- buf->sgt.nents, DMA_FROM_DEVICE);
++ dma_sync_sgtable_for_device(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE);
+ }
+
+ static void isp_stat_buf_sync_for_cpu(struct ispstat *stat,
+@@ -171,8 +170,7 @@ static void isp_stat_buf_sync_for_cpu(struct ispstat *stat,
+ if (ISP_STAT_USES_DMAENGINE(stat))
+ return;
+
+- dma_sync_sg_for_cpu(stat->isp->dev, buf->sgt.sgl,
+- buf->sgt.nents, DMA_FROM_DEVICE);
++ dma_sync_sgtable_for_cpu(stat->isp->dev, &buf->sgt, DMA_FROM_DEVICE);
+ }
+
+ static void isp_stat_buf_clear(struct ispstat *stat)
+--
+2.39.5
+
diff --git a/queue-5.4/media-vivid-change-the-siize-of-the-composing.patch b/queue-5.4/media-vivid-change-the-siize-of-the-composing.patch
new file mode 100644
index 0000000000..47b3aefa3d
--- /dev/null
+++ b/queue-5.4/media-vivid-change-the-siize-of-the-composing.patch
@@ -0,0 +1,68 @@
+From 24b0fdda7892c7fb2e099e226de20dc1d6b27a9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 11:27:21 +0300
+Subject: media: vivid: Change the siize of the composing
+
+From: Denis Arefev <arefev@swemel.ru>
+
+[ Upstream commit f83ac8d30c43fd902af7c84c480f216157b60ef0 ]
+
+syzkaller found a bug:
+
+BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
+Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304
+
+CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:489
+ kasan_report+0x143/0x180 mm/kasan/report.c:602
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]
+ tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705
+ vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline]
+ vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629
+ vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767
+ kthread+0x7a9/0x920 kernel/kthread.c:464
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+The composition size cannot be larger than the size of fmt_cap_rect.
+So execute v4l2_rect_map_inside() even if has_compose_cap == 0.
+
+Fixes: 94a7ad928346 ("media: vivid: fix compose size exceed boundary")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+365005005522b70a36f2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=8ed8e8cc30cbe0d86c9a25bd1d6a5775129b8ea3
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-vid-cap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c
+index 842ebfe9b117a..00935d600db06 100644
+--- a/drivers/media/platform/vivid/vivid-vid-cap.c
++++ b/drivers/media/platform/vivid/vivid-vid-cap.c
+@@ -935,8 +935,8 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection
+ if (dev->has_compose_cap) {
+ v4l2_rect_set_min_size(compose, &min_rect);
+ v4l2_rect_set_max_size(compose, &max_rect);
+- v4l2_rect_map_inside(compose, &fmt);
+ }
++ v4l2_rect_map_inside(compose, &fmt);
+ dev->fmt_cap_rect = fmt;
+ tpg_s_buf_height(&dev->tpg, fmt.height);
+ } else if (dev->has_compose_cap) {
+--
+2.39.5
+
diff --git a/queue-5.4/mfd-max14577-fix-wakeup-source-leaks-on-device-unbin.patch b/queue-5.4/mfd-max14577-fix-wakeup-source-leaks-on-device-unbin.patch
new file mode 100644
index 0000000000..edbb5d9b6e
--- /dev/null
+++ b/queue-5.4/mfd-max14577-fix-wakeup-source-leaks-on-device-unbin.patch
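Review bot: Nothing at the call site says why `v4l2_rect_map_inside(compose, &fmt);` in vivid_vid_cap_s_selection() is now unconditional, although per the commit message it is the only thing keeping the compose rectangle inside the capture format. A comment such as `/* compose must never exceed fmt, even when has_compose_cap is 0 */` above the call would stop a later cleanup from moving it back under `if (dev->has_compose_cap)`. The following `} else if (dev->has_compose_cap) {` branch continues outside the hunk, so whether that path needs the same unconditional clamp cannot be checked from here.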
@@ -0,0 +1,35 @@
+From 65b7e409f72d77970f1f7fb18c3c79c0f536b823 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 21:50:11 +0200
+Subject: mfd: max14577: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit d905d06e64b0eb3da43af6186c132f5282197998 ]
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-3-318e14bdba0a@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/max14577.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mfd/max14577.c b/drivers/mfd/max14577.c
+index fd8864cafd25c..4d87b429a7bad 100644
+--- a/drivers/mfd/max14577.c
++++ b/drivers/mfd/max14577.c
+@@ -467,6 +467,7 @@ static int max14577_i2c_remove(struct i2c_client *i2c)
+ {
+ struct max14577 *max14577 = i2c_get_clientdata(i2c);
+
++ device_init_wakeup(max14577->dev, false);
+ mfd_remove_devices(max14577->dev);
+ regmap_del_irq_chip(max14577->irq, max14577->irq_data);
+ if (max14577->dev_type == MAXIM_DEVICE_TYPE_MAX77836)
+--
+2.39.5
+
diff --git a/queue-5.4/of-add-of_property_present-helper.patch b/queue-5.4/of-add-of_property_present-helper.patch
new file mode 100644
index 0000000000..ed33fd59aa
--- /dev/null
+++ b/queue-5.4/of-add-of_property_present-helper.patch
@@ -0,0 +1,61 @@
+From c0cd3b40a399b7d0e71539ff2a987bffa96bebab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Feb 2023 15:35:01 -0600
+Subject: of: Add of_property_present() helper
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 9cbad37ce8122de32a1529e394b468bc101c9e7f ]
+
+Add an of_property_present() function similar to
+fwnode_property_present(). of_property_read_bool() could be used
+directly, but it is cleaner to not use it on non-boolean properties.
+
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Tested-by: Frank Rowand <frowand.list@gmail.com>
+Link: https://lore.kernel.org/all/20230215215547.691573-1-robh@kernel.org/
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: 171eb6f71e9e ("ASoC: meson: meson-card-utils: use of_property_present() for DT parsing")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/of.h | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/of.h b/include/linux/of.h
+index ec6b8a1af73cf..728b9df20a521 100644
+--- a/include/linux/of.h
++++ b/include/linux/of.h
+@@ -1044,7 +1044,8 @@ static inline int of_property_read_string_index(const struct device_node *np,
+ * @np: device node from which the property value is to be read.
+ * @propname: name of the property to be searched.
+ *
+- * Search for a property in a device node.
++ * Search for a boolean property in a device node. Usage on non-boolean
++ * property types is deprecated.
+ *
+ * Return: true if the property exists false otherwise.
+ */
+@@ -1056,6 +1057,20 @@ static inline bool of_property_read_bool(const struct device_node *np,
+ return prop ? true : false;
+ }
+
++/**
++ * of_property_present - Test if a property is present in a node
++ * @np: device node to search for the property.
++ * @propname: name of the property to be searched.
++ *
++ * Test for a property present in a device node.
++ *
++ * Return: true if the property exists false otherwise.
++ */
++static inline bool of_property_present(const struct device_node *np, const char *propname)
++{
++ return of_property_read_bool(np, propname);
++}
++
+ /**
+ * of_property_read_u8_array - Find and read an array of u8 from a property.
+ *
+--
+2.39.5
+
diff --git a/queue-5.4/of-property-define-of_property_read_u-8-16-32-64-_ar.patch b/queue-5.4/of-property-define-of_property_read_u-8-16-32-64-_ar.patch
new file mode 100644
index 0000000000..9dad6947e3
--- /dev/null
+++ b/queue-5.4/of-property-define-of_property_read_u-8-16-32-64-_ar.patch
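Review bot: of_property_present() is implemented by calling of_property_read_bool(), whose kernel-doc this same patch changes to say that use on non-boolean property types is deprecated, so the new helper reads as if it depends on a deprecated use. A one-line comment in the body would settle that for the next reader, for example `/* presence test only; deliberately shares of_property_read_bool()'s lookup */`. The new kernel-doc line `Return: true if the property exists false otherwise.` also needs a comma after "exists".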
@@ -0,0 +1,325 @@ +From 98f483c0256af2bd068b615c8acc5dc10cb408f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 18 Jan 2022 18:35:03 +0100 +Subject: of: property: define of_property_read_u{8,16,32,64}_array() + unconditionally + +From: Michael Walle <michael@walle.cc> + +[ Upstream commit 2ca42c3ad9ed875b136065b010753a4caaaa1d38 ] + +We can get rid of all the empty stubs because all these functions call +of_property_read_variable_u{8,16,32,64}_array() which already have an +empty stub if CONFIG_OF is not defined. + +Signed-off-by: Michael Walle <michael@walle.cc> +Signed-off-by: Rob Herring <robh@kernel.org> +Link: https://lore.kernel.org/r/20220118173504.2867523-3-michael@walle.cc +Stable-dep-of: 171eb6f71e9e ("ASoC: meson: meson-card-utils: use of_property_present() for DT parsing") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + include/linux/of.h | 274 ++++++++++++++++++++------------------------- + 1 file changed, 124 insertions(+), 150 deletions(-) + +diff --git a/include/linux/of.h b/include/linux/of.h +index 8681277af9c6f..ec6b8a1af73cf 100644 +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -415,130 +415,6 @@ extern int of_detach_node(struct device_node *); + + #define of_match_ptr(_ptr) (_ptr) + +-/** +- * of_property_read_u8_array - Find and read an array of u8 from a property. +- * +- * @np: device node from which the property value is to be read. +- * @propname: name of the property to be searched. +- * @out_values: pointer to return value, modified only if return value is 0. +- * @sz: number of array elements to read +- * +- * Search for a property in a device node and read 8-bit value(s) from +- * it. +- * +- * dts entry of array should be like: +- * ``property = /bits/ 8 <0x50 0x60 0x70>;`` +- * +- * Return: 0 on success, -EINVAL if the property does not exist, +- * -ENODATA if property does not have a value, and -EOVERFLOW if the +- * property data isn't large enough. 
+- * +- * The out_values is modified only if a valid u8 value can be decoded. +- */ +-static inline int of_property_read_u8_array(const struct device_node *np, +- const char *propname, +- u8 *out_values, size_t sz) +-{ +- int ret = of_property_read_variable_u8_array(np, propname, out_values, +- sz, 0); +- if (ret >= 0) +- return 0; +- else +- return ret; +-} +- +-/** +- * of_property_read_u16_array - Find and read an array of u16 from a property. +- * +- * @np: device node from which the property value is to be read. +- * @propname: name of the property to be searched. +- * @out_values: pointer to return value, modified only if return value is 0. +- * @sz: number of array elements to read +- * +- * Search for a property in a device node and read 16-bit value(s) from +- * it. +- * +- * dts entry of array should be like: +- * ``property = /bits/ 16 <0x5000 0x6000 0x7000>;`` +- * +- * Return: 0 on success, -EINVAL if the property does not exist, +- * -ENODATA if property does not have a value, and -EOVERFLOW if the +- * property data isn't large enough. +- * +- * The out_values is modified only if a valid u16 value can be decoded. +- */ +-static inline int of_property_read_u16_array(const struct device_node *np, +- const char *propname, +- u16 *out_values, size_t sz) +-{ +- int ret = of_property_read_variable_u16_array(np, propname, out_values, +- sz, 0); +- if (ret >= 0) +- return 0; +- else +- return ret; +-} +- +-/** +- * of_property_read_u32_array - Find and read an array of 32 bit integers +- * from a property. +- * +- * @np: device node from which the property value is to be read. +- * @propname: name of the property to be searched. +- * @out_values: pointer to return value, modified only if return value is 0. +- * @sz: number of array elements to read +- * +- * Search for a property in a device node and read 32-bit value(s) from +- * it. 
+- * +- * Return: 0 on success, -EINVAL if the property does not exist, +- * -ENODATA if property does not have a value, and -EOVERFLOW if the +- * property data isn't large enough. +- * +- * The out_values is modified only if a valid u32 value can be decoded. +- */ +-static inline int of_property_read_u32_array(const struct device_node *np, +- const char *propname, +- u32 *out_values, size_t sz) +-{ +- int ret = of_property_read_variable_u32_array(np, propname, out_values, +- sz, 0); +- if (ret >= 0) +- return 0; +- else +- return ret; +-} +- +-/** +- * of_property_read_u64_array - Find and read an array of 64 bit integers +- * from a property. +- * +- * @np: device node from which the property value is to be read. +- * @propname: name of the property to be searched. +- * @out_values: pointer to return value, modified only if return value is 0. +- * @sz: number of array elements to read +- * +- * Search for a property in a device node and read 64-bit value(s) from +- * it. +- * +- * Return: 0 on success, -EINVAL if the property does not exist, +- * -ENODATA if property does not have a value, and -EOVERFLOW if the +- * property data isn't large enough. +- * +- * The out_values is modified only if a valid u64 value can be decoded. 
+- */ +-static inline int of_property_read_u64_array(const struct device_node *np, +- const char *propname, +- u64 *out_values, size_t sz) +-{ +- int ret = of_property_read_variable_u64_array(np, propname, out_values, +- sz, 0); +- if (ret >= 0) +- return 0; +- else +- return ret; +-} +- + /* + * struct property *prop; + * const __be32 *p; +@@ -719,32 +595,6 @@ static inline int of_property_count_elems_of_size(const struct device_node *np, + return -ENOSYS; + } + +-static inline int of_property_read_u8_array(const struct device_node *np, +- const char *propname, u8 *out_values, size_t sz) +-{ +- return -ENOSYS; +-} +- +-static inline int of_property_read_u16_array(const struct device_node *np, +- const char *propname, u16 *out_values, size_t sz) +-{ +- return -ENOSYS; +-} +- +-static inline int of_property_read_u32_array(const struct device_node *np, +- const char *propname, +- u32 *out_values, size_t sz) +-{ +- return -ENOSYS; +-} +- +-static inline int of_property_read_u64_array(const struct device_node *np, +- const char *propname, +- u64 *out_values, size_t sz) +-{ +- return -ENOSYS; +-} +- + static inline int of_property_read_u32_index(const struct device_node *np, + const char *propname, u32 index, u32 *out_value) + { +@@ -1206,6 +1056,130 @@ static inline bool of_property_read_bool(const struct device_node *np, + return prop ? true : false; + } + ++/** ++ * of_property_read_u8_array - Find and read an array of u8 from a property. ++ * ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @out_values: pointer to return value, modified only if return value is 0. ++ * @sz: number of array elements to read ++ * ++ * Search for a property in a device node and read 8-bit value(s) from ++ * it. 
++ * ++ * dts entry of array should be like: ++ * ``property = /bits/ 8 <0x50 0x60 0x70>;`` ++ * ++ * Return: 0 on success, -EINVAL if the property does not exist, ++ * -ENODATA if property does not have a value, and -EOVERFLOW if the ++ * property data isn't large enough. ++ * ++ * The out_values is modified only if a valid u8 value can be decoded. ++ */ ++static inline int of_property_read_u8_array(const struct device_node *np, ++ const char *propname, ++ u8 *out_values, size_t sz) ++{ ++ int ret = of_property_read_variable_u8_array(np, propname, out_values, ++ sz, 0); ++ if (ret >= 0) ++ return 0; ++ else ++ return ret; ++} ++ ++/** ++ * of_property_read_u16_array - Find and read an array of u16 from a property. ++ * ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @out_values: pointer to return value, modified only if return value is 0. ++ * @sz: number of array elements to read ++ * ++ * Search for a property in a device node and read 16-bit value(s) from ++ * it. ++ * ++ * dts entry of array should be like: ++ * ``property = /bits/ 16 <0x5000 0x6000 0x7000>;`` ++ * ++ * Return: 0 on success, -EINVAL if the property does not exist, ++ * -ENODATA if property does not have a value, and -EOVERFLOW if the ++ * property data isn't large enough. ++ * ++ * The out_values is modified only if a valid u16 value can be decoded. ++ */ ++static inline int of_property_read_u16_array(const struct device_node *np, ++ const char *propname, ++ u16 *out_values, size_t sz) ++{ ++ int ret = of_property_read_variable_u16_array(np, propname, out_values, ++ sz, 0); ++ if (ret >= 0) ++ return 0; ++ else ++ return ret; ++} ++ ++/** ++ * of_property_read_u32_array - Find and read an array of 32 bit integers ++ * from a property. ++ * ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. 
++ * @out_values: pointer to return value, modified only if return value is 0. ++ * @sz: number of array elements to read ++ * ++ * Search for a property in a device node and read 32-bit value(s) from ++ * it. ++ * ++ * Return: 0 on success, -EINVAL if the property does not exist, ++ * -ENODATA if property does not have a value, and -EOVERFLOW if the ++ * property data isn't large enough. ++ * ++ * The out_values is modified only if a valid u32 value can be decoded. ++ */ ++static inline int of_property_read_u32_array(const struct device_node *np, ++ const char *propname, ++ u32 *out_values, size_t sz) ++{ ++ int ret = of_property_read_variable_u32_array(np, propname, out_values, ++ sz, 0); ++ if (ret >= 0) ++ return 0; ++ else ++ return ret; ++} ++ ++/** ++ * of_property_read_u64_array - Find and read an array of 64 bit integers ++ * from a property. ++ * ++ * @np: device node from which the property value is to be read. ++ * @propname: name of the property to be searched. ++ * @out_values: pointer to return value, modified only if return value is 0. ++ * @sz: number of array elements to read ++ * ++ * Search for a property in a device node and read 64-bit value(s) from ++ * it. ++ * ++ * Return: 0 on success, -EINVAL if the property does not exist, ++ * -ENODATA if property does not have a value, and -EOVERFLOW if the ++ * property data isn't large enough. ++ * ++ * The out_values is modified only if a valid u64 value can be decoded. ++ */ ++static inline int of_property_read_u64_array(const struct device_node *np, ++ const char *propname, ++ u64 *out_values, size_t sz) ++{ ++ int ret = of_property_read_variable_u64_array(np, propname, out_values, ++ sz, 0); ++ if (ret >= 0) ++ return 0; ++ else ++ return ret; ++} ++ + static inline int of_property_read_u8(const struct device_node *np, + const char *propname, + u8 *out_value) +-- +2.39.5 + 
diff --git a/queue-5.4/ovl-check-for-null-d_inode-in-ovl_dentry_upper.patch b/queue-5.4/ovl-check-for-null-d_inode-in-ovl_dentry_upper.patch
new file mode 100644
index 0000000000..2539f19d21
--- /dev/null
+++ b/queue-5.4/ovl-check-for-null-d_inode-in-ovl_dentry_upper.patch
@@ -0,0 +1,68 @@
+From 6520d4b6e312983de54b8f3731e3fab9cb6c2805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 16:15:19 -0700
+Subject: ovl: Check for NULL d_inode() in ovl_dentry_upper()
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 8a39f1c870e9d6fbac5638f3a42a6a6363829c49 ]
+
+In ovl_path_type() and ovl_is_metacopy_dentry() GCC notices that it is
+possible for OVL_E() to return NULL (which implies that d_inode(dentry)
+may be NULL). This would result in out of bounds reads via container_of(),
+seen with GCC 15's -Warray-bounds -fdiagnostics-details. For example:
+
+In file included from arch/x86/include/generated/asm/rwonce.h:1,
+ from include/linux/compiler.h:339,
+ from include/linux/export.h:5,
+ from include/linux/linkage.h:7,
+ from include/linux/fs.h:5,
+ from fs/overlayfs/util.c:7:
+In function 'ovl_upperdentry_dereference',
+ inlined from 'ovl_dentry_upper' at ../fs/overlayfs/util.c:305:9,
+ inlined from 'ovl_path_type' at ../fs/overlayfs/util.c:216:6:
+include/asm-generic/rwonce.h:44:26: error: array subscript 0 is outside array bounds of 'struct inode[7486503276667837]' [-Werror=array-bounds=]
+ 44 | #define __READ_ONCE(x) (*(const volatile __unqual_scalar_typeof(x) *)&(x))
+ | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+include/asm-generic/rwonce.h:50:9: note: in expansion of macro '__READ_ONCE'
+ 50 | __READ_ONCE(x); \
+ | ^~~~~~~~~~~
+fs/overlayfs/ovl_entry.h:195:16: note: in expansion of macro 'READ_ONCE'
+ 195 | return READ_ONCE(oi->__upperdentry);
+ | ^~~~~~~~~
+ 'ovl_path_type': event 1
+ 185 | return inode ? OVL_I(inode)->oe : NULL;
+ 'ovl_path_type': event 2
+
+Avoid this by allowing ovl_dentry_upper() to return NULL if d_inode() is
+NULL, as that means the problematic dereferencing can never be reached.
+Note that this fixes the over-eager compiler warning in an effort to
+being able to enable -Warray-bounds globally. There is no known
+behavioral bug here.
+
+Suggested-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
+index 4d75e1cdf0b9c..af813e7773795 100644
+--- a/fs/overlayfs/util.c
++++ b/fs/overlayfs/util.c
+@@ -191,7 +191,9 @@ enum ovl_path_type ovl_path_real(struct dentry *dentry, struct path *path)
+
+ struct dentry *ovl_dentry_upper(struct dentry *dentry)
+ {
+- return ovl_upperdentry_dereference(OVL_I(d_inode(dentry)));
++ struct inode *inode = d_inode(dentry);
++
++ return inode ? ovl_upperdentry_dereference(OVL_I(inode)) : NULL;
+ }
+
+ struct dentry *ovl_dentry_lower(struct dentry *dentry)
+--
+2.39.5
+
diff --git a/queue-5.4/rdma-core-use-refcount_t-instead-of-atomic_t-on-refc.patch b/queue-5.4/rdma-core-use-refcount_t-instead-of-atomic_t-on-refc.patch
new file mode 100644
index 0000000000..21be0ce180
--- /dev/null
+++ b/queue-5.4/rdma-core-use-refcount_t-instead-of-atomic_t-on-refc.patch
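Review bot: The new NULL test in ovl_dentry_upper() carries no comment, and the commit message says it exists to satisfy GCC's -Warray-bounds with no known behavioural bug behind it, so a later cleanup could mistake it for dead code and remove it. A short comment above the return would keep the reason next to the code, for example `/* d_inode() can be NULL here; never hand NULL to OVL_I() (container_of) */`. Callers that did not expect NULL from this function for such a dentry are outside the hunk and worth a quick check.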
@@ -0,0 +1,80 @@
+From 59e324e9fe08555da70954673cd3026ca2459067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 17:37:32 +0800
+Subject: RDMA/core: Use refcount_t instead of atomic_t on refcount of
+ iwcm_id_private
+
+From: Weihang Li <liweihang@huawei.com>
+
+[ Upstream commit 60dff56d77292062789232f68354f567e1ccf1d2 ]
+
+The refcount_t API will WARN on underflow and overflow of a reference
+counter, and avoid use-after-free risks.
+
+Link: https://lore.kernel.org/r/1622194663-2383-2-git-send-email-liweihang@huawei.com
+Signed-off-by: Weihang Li <liweihang@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Stable-dep-of: 6883b680e703 ("RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/iwcm.c | 9 ++++-----
+ drivers/infiniband/core/iwcm.h | 2 +-
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
+index 44362f693df9f..3e4941754b48d 100644
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -211,8 +211,7 @@ static void free_cm_id(struct iwcm_id_private *cm_id_priv)
+ */
+ static int iwcm_deref_id(struct iwcm_id_private *cm_id_priv)
+ {
+- BUG_ON(atomic_read(&cm_id_priv->refcount)==0);
+- if (atomic_dec_and_test(&cm_id_priv->refcount)) {
++ if (refcount_dec_and_test(&cm_id_priv->refcount)) {
+ BUG_ON(!list_empty(&cm_id_priv->work_list));
+ free_cm_id(cm_id_priv);
+ return 1;
+@@ -225,7 +224,7 @@ static void add_ref(struct iw_cm_id *cm_id)
+ {
+ struct iwcm_id_private *cm_id_priv;
+ cm_id_priv = container_of(cm_id, struct iwcm_id_private, id);
+- atomic_inc(&cm_id_priv->refcount);
++ refcount_inc(&cm_id_priv->refcount);
+ }
+
+ static void rem_ref(struct iw_cm_id *cm_id)
+@@ -257,7 +256,7 @@ struct iw_cm_id *iw_create_cm_id(struct ib_device *device,
+ cm_id_priv->id.add_ref = add_ref;
+ cm_id_priv->id.rem_ref = rem_ref;
+ spin_lock_init(&cm_id_priv->lock);
+- atomic_set(&cm_id_priv->refcount, 1);
++ refcount_set(&cm_id_priv->refcount, 1);
+ init_waitqueue_head(&cm_id_priv->connect_wait);
+ init_completion(&cm_id_priv->destroy_comp);
+ INIT_LIST_HEAD(&cm_id_priv->work_list);
+@@ -1097,7 +1096,7 @@ static int cm_event_handler(struct iw_cm_id *cm_id,
+ }
+ }
+
+- atomic_inc(&cm_id_priv->refcount);
++ refcount_inc(&cm_id_priv->refcount);
+ if (list_empty(&cm_id_priv->work_list)) {
+ list_add_tail(&work->list, &cm_id_priv->work_list);
+ queue_work(iwcm_wq, &work->work);
+diff --git a/drivers/infiniband/core/iwcm.h b/drivers/infiniband/core/iwcm.h
+index 82c2cd1b0a804..bf74639be1287 100644
+--- a/drivers/infiniband/core/iwcm.h
++++ b/drivers/infiniband/core/iwcm.h
+@@ -52,7 +52,7 @@ struct iwcm_id_private {
+ wait_queue_head_t connect_wait;
+ struct list_head work_list;
+ spinlock_t lock;
+- atomic_t refcount;
++ refcount_t refcount;
+ struct list_head work_free_list;
+ };
+
+--
+2.39.5
+
diff --git a/queue-5.4/rdma-iwcm-fix-use-after-free-of-work-objects-after-c.patch b/queue-5.4/rdma-iwcm-fix-use-after-free-of-work-objects-after-c.patch
new file mode 100644
index 0000000000..66952bd41c
--- /dev/null
+++ b/queue-5.4/rdma-iwcm-fix-use-after-free-of-work-objects-after-c.patch
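Review bot: Dropping `BUG_ON(atomic_read(&cm_id_priv->refcount)==0);` from iwcm_deref_id() leaves the zero check entirely to refcount_t, and on a 5.4 base that check is, as far as I recall, only compiled in with CONFIG_REFCOUNT_FULL or an architecture-specific implementation; without them refcount_dec_and_test() is a plain atomic decrement. That should be confirmed against the 5.4 include/linux/refcount.h before this backport is counted as the hardening the commit message describes. If it holds, a non-fatal check kept ahead of the decrement, such as `WARN_ON_ONCE(refcount_read(&cm_id_priv->refcount) == 0);`, preserves the old detection. The iwcm.h hunk also shows no `#include <linux/refcount.h>` for the new field type, though the include list lies outside the hunk.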
@@ -0,0 +1,196 @@ +From 8d1778c32cecee479c4c2a372ba9c5579907ef46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Sat, 10 May 2025 19:10:36 +0900 +Subject: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction + +From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> + +[ Upstream commit 6883b680e703c6b2efddb4e7a8d891ce1803d06b ] + +The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last +deref") simplified cm_id resource management by freeing cm_id once all +references to the cm_id were removed. The references are removed either +upon completion of iw_cm event handlers or when the application destroys +the cm_id. This commit introduced the use-after-free condition where +cm_id_private object could still be in use by event handler works during +the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a +use-after-free related to destroying CM IDs") addressed this use-after- +free by flushing all pending works at the cm_id destruction. + +However, still another use-after-free possibility remained. It happens +with the work objects allocated for each cm_id_priv within +alloc_work_entries() during cm_id creation, and subsequently freed in +dealloc_work_entries() once all references to the cm_id are removed. +If the cm_id's last reference is decremented in the event handler work, +the work object for the work itself gets removed, and causes the use- +after-free BUG below: + + BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 + Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 + + CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 + Workqueue: 0x0 (iw_cm_wq) + Call Trace: + <TASK> + dump_stack_lvl+0x6a/0x90 + print_report+0x174/0x554 + ? __virt_addr_valid+0x208/0x430 + ? __pwq_activate_work+0x1ff/0x250 + kasan_report+0xae/0x170 + ? 
__pwq_activate_work+0x1ff/0x250 + __pwq_activate_work+0x1ff/0x250 + pwq_dec_nr_in_flight+0x8c5/0xfb0 + process_one_work+0xc11/0x1460 + ? __pfx_process_one_work+0x10/0x10 + ? assign_work+0x16c/0x240 + worker_thread+0x5ef/0xfd0 + ? __pfx_worker_thread+0x10/0x10 + kthread+0x3b0/0x770 + ? __pfx_kthread+0x10/0x10 + ? rcu_is_watching+0x11/0xb0 + ? _raw_spin_unlock_irq+0x24/0x50 + ? rcu_is_watching+0x11/0xb0 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x30/0x70 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + </TASK> + + Allocated by task 147416: + kasan_save_stack+0x2c/0x50 + kasan_save_track+0x10/0x30 + __kasan_kmalloc+0xa6/0xb0 + alloc_work_entries+0xa9/0x260 [iw_cm] + iw_cm_connect+0x23/0x4a0 [iw_cm] + rdma_connect_locked+0xbfd/0x1920 [rdma_cm] + nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] + cma_cm_event_handler+0xae/0x320 [rdma_cm] + cma_work_handler+0x106/0x1b0 [rdma_cm] + process_one_work+0x84f/0x1460 + worker_thread+0x5ef/0xfd0 + kthread+0x3b0/0x770 + ret_from_fork+0x30/0x70 + ret_from_fork_asm+0x1a/0x30 + + Freed by task 147091: + kasan_save_stack+0x2c/0x50 + kasan_save_track+0x10/0x30 + kasan_save_free_info+0x37/0x60 + __kasan_slab_free+0x4b/0x70 + kfree+0x13a/0x4b0 + dealloc_work_entries+0x125/0x1f0 [iw_cm] + iwcm_deref_id+0x6f/0xa0 [iw_cm] + cm_work_handler+0x136/0x1ba0 [iw_cm] + process_one_work+0x84f/0x1460 + worker_thread+0x5ef/0xfd0 + kthread+0x3b0/0x770 + ret_from_fork+0x30/0x70 + ret_from_fork_asm+0x1a/0x30 + + Last potentially related work creation: + kasan_save_stack+0x2c/0x50 + kasan_record_aux_stack+0xa3/0xb0 + __queue_work+0x2ff/0x1390 + queue_work_on+0x67/0xc0 + cm_event_handler+0x46a/0x820 [iw_cm] + siw_cm_upcall+0x330/0x650 [siw] + siw_cm_work_handler+0x6b9/0x2b20 [siw] + process_one_work+0x84f/0x1460 + worker_thread+0x5ef/0xfd0 + kthread+0x3b0/0x770 + ret_from_fork+0x30/0x70 + ret_from_fork_asm+0x1a/0x30 + +This BUG is reproducible by repeating the blktests test case nvme/061 +for the rdma transport and the siw driver. 
+
+To avoid the use-after-free of cm_id_private work objects, ensure that
+the last reference to the cm_id is decremented not in the event handler
+works, but in the cm_id destruction context. For that purpose, move
+iwcm_deref_id() call from destroy_cm_id() to the callers of
+destroy_cm_id(). In iw_destroy_cm_id(), call iwcm_deref_id() after
+flushing the pending works.
+
+During the fix work, I noticed that iw_destroy_cm_id() is called from
+cm_work_handler() and process_event() context. However, the comment of
+iw_destroy_cm_id() notes that the function "cannot be called by the
+event thread". Drop the false comment.
+
+Closes: https://lore.kernel.org/linux-rdma/r5676e754sv35aq7cdsqrlnvyhiq5zktteaurl7vmfih35efko@z6lay7uypy3c/
+Fixes: 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://patch.msgid.link/20250510101036.1756439-1-shinichiro.kawasaki@wdc.com
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/iwcm.c | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
+index 3e4941754b48d..ce41f235af253 100644
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -367,12 +367,9 @@ EXPORT_SYMBOL(iw_cm_disconnect);
+ /*
+ * CM_ID <-- DESTROYING
+ *
+- * Clean up all resources associated with the connection and release
+- * the initial reference taken by iw_create_cm_id.
+- *
+- * Returns true if and only if the last cm_id_priv reference has been dropped.
++ * Clean up all resources associated with the connection.
+ */
+-static bool destroy_cm_id(struct iw_cm_id *cm_id)
++static void destroy_cm_id(struct iw_cm_id *cm_id)
+ {
+ struct iwcm_id_private *cm_id_priv;
+ struct ib_qp *qp;
+@@ -441,20 +438,22 @@ static bool destroy_cm_id(struct iw_cm_id *cm_id)
+ iwpm_remove_mapinfo(&cm_id->local_addr, &cm_id->m_local_addr);
+ iwpm_remove_mapping(&cm_id->local_addr, RDMA_NL_IWCM);
+ }
+-
+- return iwcm_deref_id(cm_id_priv);
+ }
+
+ /*
+- * This function is only called by the application thread and cannot
+- * be called by the event thread. The function will wait for all
+- * references to be released on the cm_id and then kfree the cm_id
+- * object.
++ * Destroy cm_id. If the cm_id still has other references, wait for all
++ * references to be released on the cm_id and then release the initial
++ * reference taken by iw_create_cm_id.
+ */
+ void iw_destroy_cm_id(struct iw_cm_id *cm_id)
+ {
+- if (!destroy_cm_id(cm_id))
++ struct iwcm_id_private *cm_id_priv;
++
++ cm_id_priv = container_of(cm_id, struct iwcm_id_private, id);
++ destroy_cm_id(cm_id);
++ if (refcount_read(&cm_id_priv->refcount) > 1)
+ flush_workqueue(iwcm_wq);
++ iwcm_deref_id(cm_id_priv);
+ }
+ EXPORT_SYMBOL(iw_destroy_cm_id);
+
+@@ -1037,8 +1036,10 @@ static void cm_work_handler(struct work_struct *_work)
+
+ if (!test_bit(IWCM_F_DROP_EVENTS, &cm_id_priv->flags)) {
+ ret = process_event(cm_id_priv, &levent);
+- if (ret)
+- WARN_ON_ONCE(destroy_cm_id(&cm_id_priv->id));
++ if (ret) {
++ destroy_cm_id(&cm_id_priv->id);
++ WARN_ON_ONCE(iwcm_deref_id(cm_id_priv));
++ }
+ } else
+ pr_debug("dropping event %d\n", levent.event);
+ if (iwcm_deref_id(cm_id_priv))
+--
+2.39.5
+
diff --git a/queue-5.4/regulator-add-devm-helpers-for-get-and-enable.patch b/queue-5.4/regulator-add-devm-helpers-for-get-and-enable.patch
new file mode 100644
index 0000000000..fc59508f83
--- /dev/null
+++ b/queue-5.4/regulator-add-devm-helpers-for-get-and-enable.patch
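Review bot: In iw_destroy_cm_id() the `refcount_read(&cm_id_priv->refcount) > 1` test, the flush_workqueue() and the closing iwcm_deref_id() are separate steps, and the hunk does not show what stops cm_event_handler() from taking another reference and queueing work after the flush has returned. If state set inside destroy_cm_id() (most of its body is outside the hunk) already rules that out, the new comment above iw_destroy_cm_id() should name it, for example ` * destroy_cm_id() has stopped new events from being queued, so the flush below is final.`; if nothing does, the last reference can still be dropped from cm_work_handler(), which is the case the commit message sets out to exclude. The return value of that closing iwcm_deref_id() is also discarded, so a cm_id that outlives the call goes unnoticed. In cm_work_handler(), `WARN_ON_ONCE(iwcm_deref_id(cm_id_priv));` hides a reference drop inside a diagnostic macro, and a comment such as `/* drops the initial reference; must not be the last one here */` on that line would make the side effect explicit.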
@@ -0,0 +1,283 @@ +From e2fe9d4626853de1ec63fa984bc52398c782d032 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 12 Aug 2022 13:10:37 +0300 +Subject: regulator: Add devm helpers for get and enable + +From: Matti Vaittinen <mazziesaccount@gmail.com> + +[ Upstream commit da279e6965b3838e99e5c0ab8f76b87bf86b31a5 ] + +A few regulator consumer drivers seem to be just getting a regulator, +enabling it and registering a devm-action to disable the regulator at +the driver detach and then forget about it. + +We can simplify this a bit by adding a devm-helper for this pattern. +Add devm_regulator_get_enable() and devm_regulator_get_enable_optional() + +Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com> +Link: https://lore.kernel.org/r/ed7b8841193bb9749d426f3cb3b199c9460794cd.1660292316.git.mazziesaccount@gmail.com +Signed-off-by: Mark Brown <broonie@kernel.org> +Stable-dep-of: 9079db287fc3 ("ASoC: codecs: wcd9335: Fix missing free of regulator supplies") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/regulator/devres.c | 164 +++++++++++++++++++++++++++++ + include/linux/regulator/consumer.h | 27 +++++ + 2 files changed, 191 insertions(+) + +diff --git a/drivers/regulator/devres.c b/drivers/regulator/devres.c +index 762cc3ed85e9c..13b7d9e18d383 100644 +--- a/drivers/regulator/devres.c ++++ b/drivers/regulator/devres.c +@@ -70,6 +70,65 @@ struct regulator *devm_regulator_get_exclusive(struct device *dev, + } + EXPORT_SYMBOL_GPL(devm_regulator_get_exclusive); + ++static void regulator_action_disable(void *d) ++{ ++ struct regulator *r = (struct regulator *)d; ++ ++ regulator_disable(r); ++} ++ ++static int _devm_regulator_get_enable(struct device *dev, const char *id, ++ int get_type) ++{ ++ struct regulator *r; ++ int ret; ++ ++ r = _devm_regulator_get(dev, id, get_type); ++ if (IS_ERR(r)) ++ return PTR_ERR(r); ++ ++ ret = regulator_enable(r); ++ if (!ret) ++ ret = devm_add_action_or_reset(dev, ®ulator_action_disable, r); ++ 
++ if (ret) ++ devm_regulator_put(r); ++ ++ return ret; ++} ++ ++/** ++ * devm_regulator_get_enable_optional - Resource managed regulator get and enable ++ * @dev: device to supply ++ * @id: supply name or regulator ID. ++ * ++ * Get and enable regulator for duration of the device life-time. ++ * regulator_disable() and regulator_put() are automatically called on driver ++ * detach. See regulator_get_optional() and regulator_enable() for more ++ * information. ++ */ ++int devm_regulator_get_enable_optional(struct device *dev, const char *id) ++{ ++ return _devm_regulator_get_enable(dev, id, OPTIONAL_GET); ++} ++EXPORT_SYMBOL_GPL(devm_regulator_get_enable_optional); ++ ++/** ++ * devm_regulator_get_enable - Resource managed regulator get and enable ++ * @dev: device to supply ++ * @id: supply name or regulator ID. ++ * ++ * Get and enable regulator for duration of the device life-time. ++ * regulator_disable() and regulator_put() are automatically called on driver ++ * detach. See regulator_get() and regulator_enable() for more ++ * information. ++ */ ++int devm_regulator_get_enable(struct device *dev, const char *id) ++{ ++ return _devm_regulator_get_enable(dev, id, NORMAL_GET); ++} ++EXPORT_SYMBOL_GPL(devm_regulator_get_enable); ++ + /** + * devm_regulator_get_optional - Resource managed regulator_get_optional() + * @dev: device for regulator "consumer" +@@ -194,6 +253,111 @@ int devm_regulator_bulk_get_const(struct device *dev, int num_consumers, + } + EXPORT_SYMBOL_GPL(devm_regulator_bulk_get_const); + ++static int devm_regulator_bulk_match(struct device *dev, void *res, ++ void *data) ++{ ++ struct regulator_bulk_devres *match = res; ++ struct regulator_bulk_data *target = data; ++ ++ /* ++ * We check the put uses same consumer list as the get did. ++ * We _could_ scan all entries in consumer array and check the ++ * regulators match but ATM I don't see the need. We can change this ++ * later if needed. 
++ */ ++ return match->consumers == target; ++} ++ ++/** ++ * devm_regulator_bulk_put - Resource managed regulator_bulk_put() ++ * @consumers: consumers to free ++ * ++ * Deallocate regulators allocated with devm_regulator_bulk_get(). Normally ++ * this function will not need to be called and the resource management ++ * code will ensure that the resource is freed. ++ */ ++void devm_regulator_bulk_put(struct regulator_bulk_data *consumers) ++{ ++ int rc; ++ struct regulator *regulator = consumers[0].consumer; ++ ++ rc = devres_release(regulator->dev, devm_regulator_bulk_release, ++ devm_regulator_bulk_match, consumers); ++ if (rc != 0) ++ WARN_ON(rc); ++} ++EXPORT_SYMBOL_GPL(devm_regulator_bulk_put); ++ ++static void devm_regulator_bulk_disable(void *res) ++{ ++ struct regulator_bulk_devres *devres = res; ++ int i; ++ ++ for (i = 0; i < devres->num_consumers; i++) ++ regulator_disable(devres->consumers[i].consumer); ++} ++ ++/** ++ * devm_regulator_bulk_get_enable - managed get'n enable multiple regulators ++ * ++ * @dev: device to supply ++ * @num_consumers: number of consumers to register ++ * @id: list of supply names or regulator IDs ++ * ++ * @return 0 on success, an errno on failure. ++ * ++ * This helper function allows drivers to get several regulator ++ * consumers in one operation with management, the regulators will ++ * automatically be freed when the device is unbound. If any of the ++ * regulators cannot be acquired then any regulators that were ++ * allocated will be freed before returning to the caller. 
++ */ ++int devm_regulator_bulk_get_enable(struct device *dev, int num_consumers, ++ const char * const *id) ++{ ++ struct regulator_bulk_devres *devres; ++ struct regulator_bulk_data *consumers; ++ int i, ret; ++ ++ devres = devm_kmalloc(dev, sizeof(*devres), GFP_KERNEL); ++ if (!devres) ++ return -ENOMEM; ++ ++ devres->consumers = devm_kcalloc(dev, num_consumers, sizeof(*consumers), ++ GFP_KERNEL); ++ consumers = devres->consumers; ++ if (!consumers) ++ return -ENOMEM; ++ ++ devres->num_consumers = num_consumers; ++ ++ for (i = 0; i < num_consumers; i++) ++ consumers[i].supply = id[i]; ++ ++ ret = devm_regulator_bulk_get(dev, num_consumers, consumers); ++ if (ret) ++ return ret; ++ ++ for (i = 0; i < num_consumers; i++) { ++ ret = regulator_enable(consumers[i].consumer); ++ if (ret) ++ goto unwind; ++ } ++ ++ ret = devm_add_action(dev, devm_regulator_bulk_disable, devres); ++ if (!ret) ++ return 0; ++ ++unwind: ++ while (--i >= 0) ++ regulator_disable(consumers[i].consumer); ++ ++ devm_regulator_bulk_put(consumers); ++ ++ return ret; ++} ++EXPORT_SYMBOL_GPL(devm_regulator_bulk_get_enable); ++ + static void devm_rdev_release(struct device *dev, void *res) + { + regulator_unregister(*(struct regulator_dev **)res); +diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h +index 7d3a399a556da..cabfad359c1e2 100644 +--- a/include/linux/regulator/consumer.h ++++ b/include/linux/regulator/consumer.h +@@ -187,6 +187,8 @@ struct regulator *__must_check regulator_get_optional(struct device *dev, + const char *id); + struct regulator *__must_check devm_regulator_get_optional(struct device *dev, + const char *id); ++int devm_regulator_get_enable(struct device *dev, const char *id); ++int devm_regulator_get_enable_optional(struct device *dev, const char *id); + void regulator_put(struct regulator *regulator); + void devm_regulator_put(struct regulator *regulator); + +@@ -229,12 +231,15 @@ int __must_check regulator_bulk_get(struct device *dev, int 
num_consumers, + struct regulator_bulk_data *consumers); + int __must_check devm_regulator_bulk_get(struct device *dev, int num_consumers, + struct regulator_bulk_data *consumers); ++void devm_regulator_bulk_put(struct regulator_bulk_data *consumers); + int __must_check devm_regulator_bulk_get_const( + struct device *dev, int num_consumers, + const struct regulator_bulk_data *in_consumers, + struct regulator_bulk_data **out_consumers); + int __must_check regulator_bulk_enable(int num_consumers, + struct regulator_bulk_data *consumers); ++int devm_regulator_bulk_get_enable(struct device *dev, int num_consumers, ++ const char * const *id); + int regulator_bulk_disable(int num_consumers, + struct regulator_bulk_data *consumers); + int regulator_bulk_force_disable(int num_consumers, +@@ -331,6 +336,17 @@ devm_regulator_get_exclusive(struct device *dev, const char *id) + return ERR_PTR(-ENODEV); + } + ++static inline int devm_regulator_get_enable(struct device *dev, const char *id) ++{ ++ return -ENODEV; ++} ++ ++static inline int devm_regulator_get_enable_optional(struct device *dev, ++ const char *id) ++{ ++ return -ENODEV; ++} ++ + static inline struct regulator *__must_check + regulator_get_optional(struct device *dev, const char *id) + { +@@ -352,6 +368,10 @@ static inline void devm_regulator_put(struct regulator *regulator) + { + } + ++static inline void devm_regulator_bulk_put(struct regulator_bulk_data *consumers) ++{ ++} ++ + static inline int regulator_register_supply_alias(struct device *dev, + const char *id, + struct device *alias_dev, +@@ -452,6 +472,13 @@ static inline int regulator_bulk_enable(int num_consumers, + return 0; + } + ++static inline int devm_regulator_bulk_get_enable(struct device *dev, ++ int num_consumers, ++ const char * const *id) ++{ ++ return 0; ++} ++ + static inline int regulator_bulk_disable(int num_consumers, + struct regulator_bulk_data *consumers) + { +-- +2.39.5 + 
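Review bot: The !CONFIG_REGULATOR stubs added to include/linux/regulator/consumer.h disagree with each other: `devm_regulator_get_enable()` and `devm_regulator_get_enable_optional()` return `-ENODEV`, while the `devm_regulator_bulk_get_enable()` stub returns 0. A driver that calls the single-regulator helper from probe would fail to bind on a kernel built without the regulator framework, whereas the bulk helper reports success in the same configuration. If a compiled-out framework is meant to behave as "supply always on" (presumably what the plain get/enable stubs do; they are outside this hunk), the non-optional stub should `return 0;`. Either way, a one-line comment above the stubs stating the chosen convention would keep the next backport from guessing.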
diff --git a/queue-5.4/regulator-consumer-add-missing-stubs-to-regulator-co.patch b/queue-5.4/regulator-consumer-add-missing-stubs-to-regulator-co.patch
new file mode 100644
index 0000000000..9f35539d1f
--- /dev/null
+++ b/queue-5.4/regulator-consumer-add-missing-stubs-to-regulator-co.patch
@@ -0,0 +1,81 @@ +From db1b25500157acd3f65d8036bb569e5990a82e2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Wed, 20 Jan 2021 23:58:44 +0300 +Subject: regulator: consumer: Add missing stubs to regulator/consumer.h + +From: Dmitry Osipenko <digetx@gmail.com> + +[ Upstream commit 51dfb6ca3728bd0a0a3c23776a12d2a15a1d2457 ] + +Add missing stubs to regulator/consumer.h in order to fix COMPILE_TEST +of the kernel. In particular this should fix compile-testing of OPP core +because of a missing stub for regulator_sync_voltage(). + +Reported-by: kernel test robot <lkp@intel.com> +Signed-off-by: Dmitry Osipenko <digetx@gmail.com> +Link: https://lore.kernel.org/r/20210120205844.12658-1-digetx@gmail.com +Signed-off-by: Mark Brown <broonie@kernel.org> +Stable-dep-of: 9079db287fc3 ("ASoC: codecs: wcd9335: Fix missing free of regulator supplies") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + include/linux/regulator/consumer.h | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h +index 6a92fd3105a31..b670ede051460 100644 +--- a/include/linux/regulator/consumer.h ++++ b/include/linux/regulator/consumer.h +@@ -321,6 +321,12 @@ regulator_get_exclusive(struct device *dev, const char *id) + return ERR_PTR(-ENODEV); + } + ++static inline struct regulator *__must_check ++devm_regulator_get_exclusive(struct device *dev, const char *id) ++{ ++ return ERR_PTR(-ENODEV); ++} ++ + static inline struct regulator *__must_check + regulator_get_optional(struct device *dev, const char *id) + { +@@ -476,6 +482,11 @@ static inline int regulator_get_voltage(struct regulator *regulator) + return -EINVAL; + } + ++static inline int regulator_sync_voltage(struct regulator *regulator) ++{ ++ return -EINVAL; ++} ++ + static inline int regulator_is_supported_voltage(struct regulator *regulator, + int min_uV, int max_uV) + { +@@ -568,6 +579,25 @@ static inline int 
devm_regulator_unregister_notifier(struct regulator *regulator + return 0; + } + ++static inline int regulator_suspend_enable(struct regulator_dev *rdev, ++ suspend_state_t state) ++{ ++ return -EINVAL; ++} ++ ++static inline int regulator_suspend_disable(struct regulator_dev *rdev, ++ suspend_state_t state) ++{ ++ return -EINVAL; ++} ++ ++static inline int regulator_set_suspend_voltage(struct regulator *regulator, ++ int min_uV, int max_uV, ++ suspend_state_t state) ++{ ++ return -EINVAL; ++} ++ + static inline void *regulator_get_drvdata(struct regulator *regulator) + { + return NULL; +-- +2.39.5 + diff --git a/queue-5.4/regulator-core-allow-drivers-to-define-their-init-da.patch b/queue-5.4/regulator-core-allow-drivers-to-define-their-init-da.patch new file mode 100644 index 0000000000..90f09f284b --- /dev/null +++ b/queue-5.4/regulator-core-allow-drivers-to-define-their-init-da.patch 
@@ -0,0 +1,110 @@ +From 27abab1e558a1009373c626c887310fcbdc1c01b Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 26 Jul 2022 10:38:23 -0700 +Subject: regulator: core: Allow drivers to define their init data as const + +From: Douglas Anderson <dianders@chromium.org> + +[ Upstream commit 1de452a0edda26f1483d1d934f692eab13ba669a ] + +Drivers tend to want to define the names of their regulators somewhere +in their source file as "static const". This means, inevitable, that +every driver out there open codes something like this: + +static const char * const supply_names[] = { + "vcc", "vccl", +}; + +static int get_regulators(struct my_data *data) +{ + int i; + + data->supplies = devm_kzalloc(...) + if (!data->supplies) + return -ENOMEM; + + for (i = 0; i < ARRAY_SIZE(supply_names); i++) + data->supplies[i].supply = supply_names[i]; + + return devm_regulator_bulk_get(data->dev, + ARRAY_SIZE(supply_names), + data->supplies); +} + +Let's make this more convenient by doing providing a helper that does +the copy. + +I have chosen to have the "const" input structure here be the exact +same structure as the normal one passed to +devm_regulator_bulk_get(). This is slightly inefficent since the input +data can't possibly have anything useful for "ret" or consumer and +thus we waste 8 bytes per structure. This seems an OK tradeoff for not +introducing an extra structure. 
+ +Signed-off-by: Douglas Anderson <dianders@chromium.org> +Link: https://lore.kernel.org/r/20220726103631.v2.6.I38fc508a73135a5c1b873851f3553ff2a3a625f5@changeid +Signed-off-by: Mark Brown <broonie@kernel.org> +Stable-dep-of: 9079db287fc3 ("ASoC: codecs: wcd9335: Fix missing free of regulator supplies") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/regulator/devres.c | 28 ++++++++++++++++++++++++++++ + include/linux/regulator/consumer.h | 4 ++++ + 2 files changed, 32 insertions(+) + +diff --git a/drivers/regulator/devres.c b/drivers/regulator/devres.c +index 3ea1c170f8402..762cc3ed85e9c 100644 +--- a/drivers/regulator/devres.c ++++ b/drivers/regulator/devres.c +@@ -166,6 +166,34 @@ int devm_regulator_bulk_get(struct device *dev, int num_consumers, + } + EXPORT_SYMBOL_GPL(devm_regulator_bulk_get); + ++/** ++ * devm_regulator_bulk_get_const - devm_regulator_bulk_get() w/ const data ++ * ++ * @dev: device to supply ++ * @num_consumers: number of consumers to register ++ * @in_consumers: const configuration of consumers ++ * @out_consumers: in_consumers is copied here and this is passed to ++ * devm_regulator_bulk_get(). ++ * ++ * This is a convenience function to allow bulk regulator configuration ++ * to be stored "static const" in files. ++ * ++ * Return: 0 on success, an errno on failure. 
++ */ ++int devm_regulator_bulk_get_const(struct device *dev, int num_consumers, ++ const struct regulator_bulk_data *in_consumers, ++ struct regulator_bulk_data **out_consumers) ++{ ++ *out_consumers = devm_kmemdup(dev, in_consumers, ++ num_consumers * sizeof(*in_consumers), ++ GFP_KERNEL); ++ if (*out_consumers == NULL) ++ return -ENOMEM; ++ ++ return devm_regulator_bulk_get(dev, num_consumers, *out_consumers); ++} ++EXPORT_SYMBOL_GPL(devm_regulator_bulk_get_const); ++ + static void devm_rdev_release(struct device *dev, void *res) + { + regulator_unregister(*(struct regulator_dev **)res); +diff --git a/include/linux/regulator/consumer.h b/include/linux/regulator/consumer.h +index b670ede051460..7d3a399a556da 100644 +--- a/include/linux/regulator/consumer.h ++++ b/include/linux/regulator/consumer.h +@@ -229,6 +229,10 @@ int __must_check regulator_bulk_get(struct device *dev, int num_consumers, + struct regulator_bulk_data *consumers); + int __must_check devm_regulator_bulk_get(struct device *dev, int num_consumers, + struct regulator_bulk_data *consumers); ++int __must_check devm_regulator_bulk_get_const( ++ struct device *dev, int num_consumers, ++ const struct regulator_bulk_data *in_consumers, ++ struct regulator_bulk_data **out_consumers); + int __must_check regulator_bulk_enable(int num_consumers, + struct regulator_bulk_data *consumers); + int regulator_bulk_disable(int num_consumers, +-- +2.39.5 + diff --git a/queue-5.4/revert-iommu-amd-prevent-binding-other-pci-drivers-t.patch b/queue-5.4/revert-iommu-amd-prevent-binding-other-pci-drivers-t.patch new file mode 100644 index 0000000000..95674bea11 --- /dev/null +++ b/queue-5.4/revert-iommu-amd-prevent-binding-other-pci-drivers-t.patch 
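Review bot: In devm_regulator_bulk_get_const() the copy size `num_consumers * sizeof(*in_consumers)` is built from a signed `int` with no range check, so a negative or very large count is converted to a huge or wrapped `size_t` before devm_kmemdup() reads from `in_consumers`. Callers are expected to pass ARRAY_SIZE() of a static table, so this is hardening rather than a known bug, but the helper is exported. Writing the size as `array_size(num_consumers, sizeof(*in_consumers))` (from `<linux/overflow.h>`, assuming it is reachable from devres.c in this tree) makes an out-of-range count fail the allocation with -ENOMEM instead of wrapping.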
@@ -0,0 +1,60 @@
+From cf8fe36abb607d8519a20f73ab58e1c7fdae26de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 11:24:21 +0200
+Subject: Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI
+ devices"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 3be5fa236649da6404f1bca1491bf02d4b0d5cce ]
+
+Commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and
+pcibios_free_irq()") changed IRQ handling on PCI driver probing.
+It inadvertently broke resume from system sleep on AMD platforms:
+
+ https://lore.kernel.org/r/20150926164651.GA3640@pd.tnic/
+
+This was fixed by two independent commits:
+
+* 8affb487d4a4 ("x86/PCI: Don't alloc pcibios-irq when MSI is enabled")
+* cbbc00be2ce3 ("iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices")
+
+The breaking change and one of these two fixes were subsequently reverted:
+
+* fe25d078874f ("Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"")
+* 6c777e8799a9 ("Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"")
+
+This rendered the second fix unnecessary, so revert it as well. It used
+the match_driver flag in struct pci_dev, which is internal to the PCI core
+and not supposed to be touched by arbitrary drivers.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+Link: https://patch.msgid.link/9a3ddff5cc49512044f963ba0904347bd404094d.1745572340.git.lukas@wunner.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu_init.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index de29512c75ccc..cd17deeedf349 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -1751,9 +1751,6 @@ static int __init iommu_init_pci(struct amd_iommu *iommu)
+ if (!iommu->dev)
+ return -ENODEV;
+
+- /* Prevent binding other PCI device drivers to IOMMU devices */
+- iommu->dev->match_driver = false;
+-
+ /* ACPI _PRT won't have an IRQ for IOMMU */
+ iommu->dev->irq_managed = 1;
+
+--
+2.39.5
+
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 0000000000..5694557513
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,41 @@
+cifs-fix-cifs_query_path_info-for-windows-nt-servers.patch
+mailbox-not-protect-module_put-with-spin_lock_irqsav.patch
+mfd-max14577-fix-wakeup-source-leaks-on-device-unbin.patch
+revert-iommu-amd-prevent-binding-other-pci-drivers-t.patch
+dmaengine-xilinx_dma-set-dma_device-directions.patch
+md-md-bitmap-fix-dm-raid-max_write_behind-setting.patch
+iio-pressure-zpa2326-use-aligned_s64-for-the-timesta.patch
+usb-potential-integer-overflow-in-usbg_make_tpg.patch
+tty-serial-uartlite-register-uart-driver-in-init.patch
+usb-add-checks-for-snprintf-calls-in-usb_alloc_dev.patch
+usb-cdc-wdm-avoid-setting-wdm_read-for-zlp-s.patch
+usb-typec-displayport-receive-dp-status-update-nak-r.patch
+alsa-hda-ignore-unsol-events-for-cards-being-shut-do.patch
+ceph-fix-possible-integer-overflow-in-ceph_zero_obje.patch
+ovl-check-for-null-d_inode-in-ovl_dentry_upper.patch
+usb-usbtmc-fix-reading-stale-status-byte.patch
+usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
+usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch
+vmci-check-context-notify_page-after-call-to-get_use.patch
+vmci-fix-race-between-vmci_host_setup_notify-and-vmc.patch
+kbuild-use-mmd-instead-of-md-to-exclude-system-heade.patch
+bpfilter-match-bit-size-of-bpfilter_umh-to-that-of-t.patch
+kbuild-add-target-to-correctly-cross-compile-uapi-he.patch
+kbuild-hdrcheck-fix-cross-build-with-clang.patch
+of-property-define-of_property_read_u-8-16-32-64-_ar.patch
+of-add-of_property_present-helper.patch
+asoc-meson-meson-card-utils-use-of_property_present-.patch
+fs-jfs-consolidate-sanity-checking-in-dbmount.patch
+jfs-validate-ag-parameters-in-dbmount-to-prevent-cra.patch
+media-cxusb-use-dev_dbg-rather-than-hand-rolled-debu.patch
+media-cxusb-no-longer-judge-rbuf-when-the-write-fail.patch
+media-omap3isp-use-sgtable-based-scatterlist-wrapper.patch
+media-vivid-change-the-siize-of-the-composing.patch
+regulator-consumer-add-missing-stubs-to-regulator-co.patch
+regulator-core-allow-drivers-to-define-their-init-da.patch
+regulator-add-devm-helpers-for-get-and-enable.patch
+asoc-codecs-wcd9335-handle-nicer-probe-deferral-and-.patch
+asoc-codec-wcd9335-convert-to-gpio-descriptors.patch
+asoc-codecs-wcd9335-fix-missing-free-of-regulator-su.patch
+rdma-core-use-refcount_t-instead-of-atomic_t-on-refc.patch
+rdma-iwcm-fix-use-after-free-of-work-objects-after-c.patch
diff --git a/queue-5.4/tty-serial-uartlite-register-uart-driver-in-init.patch b/queue-5.4/tty-serial-uartlite-register-uart-driver-in-init.patch
new file mode 100644
index 0000000000..21101d62a6
--- /dev/null
+++ b/queue-5.4/tty-serial-uartlite-register-uart-driver-in-init.patch
@@ -0,0 +1,84 @@ +From d502ed4b0e3d486af77e19d352dff6def068173d Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 31 Mar 2025 18:06:19 +0200 +Subject: tty: serial: uartlite: register uart driver in init + +From: Jakub Lewalski <jakub.lewalski@nokia.com> + +[ Upstream commit 6bd697b5fc39fd24e2aa418c7b7d14469f550a93 ] + +When two instances of uart devices are probing, a concurrency race can +occur. If one thread calls uart_register_driver function, which first +allocates and assigns memory to 'uart_state' member of uart_driver +structure, the other instance can bypass uart driver registration and +call ulite_assign. This calls uart_add_one_port, which expects the uart +driver to be fully initialized. This leads to a kernel panic due to a +null pointer dereference: + +[ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 +[ 8.156982] #PF: supervisor write access in kernel mode +[ 8.156984] #PF: error_code(0x0002) - not-present page +[ 8.156986] PGD 0 P4D 0 +... +[ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 +[ 8.188624] Call Trace: +[ 8.188629] ? __die_body.cold+0x1a/0x1f +[ 8.195260] ? page_fault_oops+0x15c/0x290 +[ 8.209183] ? __irq_resolve_mapping+0x47/0x80 +[ 8.209187] ? exc_page_fault+0x64/0x140 +[ 8.209190] ? asm_exc_page_fault+0x22/0x30 +[ 8.209196] ? mutex_lock+0x19/0x30 +[ 8.223116] uart_add_one_port+0x60/0x440 +[ 8.223122] ? proc_tty_register_driver+0x43/0x50 +[ 8.223126] ? tty_register_driver+0x1ca/0x1e0 +[ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] + +To prevent it, move uart driver registration in to init function. This +will ensure that uart_driver is always registered when probe function +is called. 
+ +Signed-off-by: Jakub Lewalski <jakub.lewalski@nokia.com> +Signed-off-by: Elodie Decerle <elodie.decerle@nokia.com> +Link: https://lore.kernel.org/r/20250331160732.2042-1-elodie.decerle@nokia.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/tty/serial/uartlite.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c +index 9a4049c894f7a..e323e9c0a321e 100644 +--- a/drivers/tty/serial/uartlite.c ++++ b/drivers/tty/serial/uartlite.c +@@ -874,16 +874,25 @@ static struct platform_driver ulite_platform_driver = { + + static int __init ulite_init(void) + { ++ int ret; ++ ++ pr_debug("uartlite: calling uart_register_driver()\n"); ++ ret = uart_register_driver(&ulite_uart_driver); ++ if (ret) ++ return ret; + + pr_debug("uartlite: calling platform_driver_register()\n"); +- return platform_driver_register(&ulite_platform_driver); ++ ret = platform_driver_register(&ulite_platform_driver); ++ if (ret) ++ uart_unregister_driver(&ulite_uart_driver); ++ ++ return ret; + } + + static void __exit ulite_exit(void) + { + platform_driver_unregister(&ulite_platform_driver); +- if (ulite_uart_driver.state) +- uart_unregister_driver(&ulite_uart_driver); ++ uart_unregister_driver(&ulite_uart_driver); + } + + module_init(ulite_init); +-- +2.39.5 + diff --git a/queue-5.4/usb-add-checks-for-snprintf-calls-in-usb_alloc_dev.patch b/queue-5.4/usb-add-checks-for-snprintf-calls-in-usb_alloc_dev.patch new file mode 100644 index 0000000000..938cd16f36 --- /dev/null +++ b/queue-5.4/usb-add-checks-for-snprintf-calls-in-usb_alloc_dev.patch 
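Review bot: ulite_init() now registers `ulite_uart_driver` unconditionally, but the diffstat (12 insertions, 3 deletions) is fully accounted for by the init and exit changes, so ulite_probe() appears to be left as it was. The commit message describes a lazy uart_register_driver() call on the probe path; if that call is still guarded by a test of `ulite_uart_driver.state`, it can no longer execute once init has succeeded, and it keeps the racy pattern in the source as dead code. It would be cleaner to remove that block in the same patch, or at least to mark it with a comment such as `/* driver is registered in ulite_init() */`. ulite_probe() is outside this hunk, so this needs to be confirmed against the 5.4 tree.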
@@ -0,0 +1,72 @@ +From 2d443e1b777fdbe1f72e9c633cd2c01c0c805c68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Fri, 21 Mar 2025 18:49:49 +0200 +Subject: usb: Add checks for snprintf() calls in usb_alloc_dev() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andy Shevchenko <andriy.shevchenko@linux.intel.com> + +[ Upstream commit 82fe5107fa3d21d6c3fba091c9dbc50495588630 ] + +When creating a device path in the driver the snprintf() takes +up to 16 characters long argument along with the additional up to +12 characters for the signed integer (as it can't see the actual limits) +and tries to pack this into 16 bytes array. GCC complains about that +when build with `make W=1`: + + drivers/usb/core/usb.c:705:25: note: ‘snprintf’ output between 3 and 28 bytes into a destination of size 16 + +Since everything works until now, let's just check for the potential +buffer overflow and bail out. It is most likely a never happen situation, +but at least it makes GCC happy. 
+ +Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> +Link: https://lore.kernel.org/r/20250321164949.423957-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/usb/core/usb.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c +index 502d911f71fa6..571ab8e0c7590 100644 +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -717,15 +717,16 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, + dev_set_name(&dev->dev, "usb%d", bus->busnum); + root_hub = 1; + } else { ++ int n; ++ + /* match any labeling on the hubs; it's one-based */ + if (parent->devpath[0] == '0') { +- snprintf(dev->devpath, sizeof dev->devpath, +- "%d", port1); ++ n = snprintf(dev->devpath, sizeof(dev->devpath), "%d", port1); + /* Root ports are not counted in route string */ + dev->route = 0; + } else { +- snprintf(dev->devpath, sizeof dev->devpath, +- "%s.%d", parent->devpath, port1); ++ n = snprintf(dev->devpath, sizeof(dev->devpath), "%s.%d", ++ parent->devpath, port1); + /* Route string assumes hubs have less than 16 ports */ + if (port1 < 15) + dev->route = parent->route + +@@ -734,6 +735,11 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent, + dev->route = parent->route + + (15 << ((parent->level - 1)*4)); + } ++ if (n >= sizeof(dev->devpath)) { ++ usb_put_hcd(bus_to_hcd(bus)); ++ usb_put_dev(dev); ++ return NULL; ++ } + + dev->dev.parent = &parent->dev; + dev_set_name(&dev->dev, "%d-%s", bus->busnum, dev->devpath); +-- +2.39.5 + diff --git a/queue-5.4/usb-cdc-wdm-avoid-setting-wdm_read-for-zlp-s.patch b/queue-5.4/usb-cdc-wdm-avoid-setting-wdm_read-for-zlp-s.patch new file mode 100644 index 0000000000..2d36a43656 --- /dev/null +++ b/queue-5.4/usb-cdc-wdm-avoid-setting-wdm_read-for-zlp-s.patch 
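Review bot: The new overflow branch in usb_alloc_dev() drops the HCD reference with `usb_put_hcd(bus_to_hcd(bus))` and then calls `usb_put_dev(dev)`. If the device release callback reached through usb_put_dev() also puts the HCD (it is outside this hunk, so this needs confirming), the HCD refcount is decremented twice on this path, which risks a premature free of the host controller structure. In that case the branch should be only `usb_put_dev(dev);` followed by `return NULL;`. Separately, `n` is an `int` compared against `sizeof(dev->devpath)`, so the comparison is done in `size_t`; a short comment that a negative return is also caught this way would make that intentional. The body of usb_alloc_dev() starts before and continues after the hunk.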
@@ -0,0 +1,114 @@ +From 5443d31b6e37f13be8dae2bbceb3cb6bd57200cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Thu, 3 Apr 2025 16:40:04 +0200 +Subject: usb: cdc-wdm: avoid setting WDM_READ for ZLP-s + +From: Robert Hodaszi <robert.hodaszi@digi.com> + +[ Upstream commit 387602d8a75574fafb451b7a8215e78dfd67ee63 ] + +Don't set WDM_READ flag in wdm_in_callback() for ZLP-s, otherwise when +userspace tries to poll for available data, it might - incorrectly - +believe there is something available, and when it tries to non-blocking +read it, it might get stuck in the read loop. + +For example this is what glib does for non-blocking read (briefly): + + 1. poll() + 2. if poll returns with non-zero, starts a read data loop: + a. loop on poll() (EINTR disabled) + b. if revents was set, reads data + I. if read returns with EINTR or EAGAIN, goto 2.a. + II. otherwise return with data + +So if ZLP sets WDM_READ (#1), we expect data, and try to read it (#2). +But as that was a ZLP, and we are doing non-blocking read, wdm_read() +returns with EAGAIN (#2.b.I), so loop again, and try to read again +(#2.a.). + +With glib, we might stuck in this loop forever, as EINTR is disabled +(#2.a). 
+ +Signed-off-by: Robert Hodaszi <robert.hodaszi@digi.com> +Acked-by: Oliver Neukum <oneukum@suse.com> +Link: https://lore.kernel.org/r/20250403144004.3889125-1-robert.hodaszi@digi.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/usb/class/cdc-wdm.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c +index bc925394e881b..6afb941dd2672 100644 +--- a/drivers/usb/class/cdc-wdm.c ++++ b/drivers/usb/class/cdc-wdm.c +@@ -89,7 +89,6 @@ struct wdm_device { + u16 wMaxCommand; + u16 wMaxPacketSize; + __le16 inum; +- int reslength; + int length; + int read; + int count; +@@ -201,6 +200,11 @@ static void wdm_in_callback(struct urb *urb) + if (desc->rerr == 0 && status != -EPIPE) + desc->rerr = status; + ++ if (length == 0) { ++ dev_dbg(&desc->intf->dev, "received ZLP\n"); ++ goto skip_zlp; ++ } ++ + if (length + desc->length > desc->wMaxCommand) { + /* The buffer would overflow */ + set_bit(WDM_OVERFLOW, &desc->flags); +@@ -209,18 +213,18 @@ static void wdm_in_callback(struct urb *urb) + if (!test_bit(WDM_OVERFLOW, &desc->flags)) { + memmove(desc->ubuf + desc->length, desc->inbuf, length); + desc->length += length; +- desc->reslength = length; + } + } + skip_error: + + if (desc->rerr) { + /* +- * Since there was an error, userspace may decide to not read +- * any data after poll'ing. ++ * If there was a ZLP or an error, userspace may decide to not ++ * read any data after poll'ing. + * We should respond to further attempts from the device to send + * data, so that we can get unstuck. 
+ */ ++skip_zlp: + schedule_work(&desc->service_outs_intr); + } else { + set_bit(WDM_READ, &desc->flags); +@@ -571,15 +575,6 @@ static ssize_t wdm_read + goto retry; + } + +- if (!desc->reslength) { /* zero length read */ +- dev_dbg(&desc->intf->dev, "zero length - clearing WDM_READ\n"); +- clear_bit(WDM_READ, &desc->flags); +- rv = service_outstanding_interrupt(desc); +- spin_unlock_irq(&desc->iuspin); +- if (rv < 0) +- goto err; +- goto retry; +- } + cntr = desc->length; + spin_unlock_irq(&desc->iuspin); + } +@@ -839,7 +834,7 @@ static void service_interrupt_work(struct work_struct *work) + + spin_lock_irq(&desc->iuspin); + service_outstanding_interrupt(desc); +- if (!desc->resp_count) { ++ if (!desc->resp_count && (desc->length || desc->rerr)) { + set_bit(WDM_READ, &desc->flags); + wake_up(&desc->wait); + } +-- +2.39.5 + diff --git a/queue-5.4/usb-potential-integer-overflow-in-usbg_make_tpg.patch b/queue-5.4/usb-potential-integer-overflow-in-usbg_make_tpg.patch new file mode 100644 index 0000000000..417a2a1623 --- /dev/null +++ b/queue-5.4/usb-potential-integer-overflow-in-usbg_make_tpg.patch 
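Review bot: `goto skip_zlp` in wdm_in_callback() jumps to a label placed inside the body of `if (desc->rerr) { ... }`, so the ZLP case enters a conditional block whose condition is false. That is legal C, but it is easy to misread and fragile if statements are later added above the label inside the block. Folding the case into the condition, `if (desc->rerr || length == 0) {`, would state the intent without a jump into a block, provided `length` is meaningful on every path that reaches `skip_error:` (the earlier status handling is outside this hunk, so that needs checking). The `dev_dbg()` for the ZLP can stay where it is.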
@@ -0,0 +1,53 @@
+From e2bf8796d0f3da4e7e41514d5842a705c9290f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 14:58:57 +0800
+Subject: usb: potential integer overflow in usbg_make_tpg()
+
+From: Chen Yufeng <chenyufeng@iie.ac.cn>
+
+[ Upstream commit 153874010354d050f62f8ae25cbb960c17633dc5 ]
+
+The variable tpgt in usbg_make_tpg() is defined as unsigned long and is
+assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
+integer overflow when tpgt is greater than USHRT_MAX (65535). I
+haven't tried to trigger it myself, but it is possible to trigger it
+by calling usbg_make_tpg() with a large value for tpgt.
+
+I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the
+relevant code accordingly.
+
+This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential
+memory corruption").
+
+Signed-off-by: Chen Yufeng <chenyufeng@iie.ac.cn>
+Link: https://lore.kernel.org/r/20250415065857.1619-1-chenyufeng@iie.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_tcm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
+index 90fe33f9e0950..48d02c5ff8491 100644
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -1320,14 +1320,14 @@ static struct se_portal_group *usbg_make_tpg(struct se_wwn *wwn,
+ struct usbg_tport *tport = container_of(wwn, struct usbg_tport,
+ tport_wwn);
+ struct usbg_tpg *tpg;
+- unsigned long tpgt;
++ u16 tpgt;
+ int ret;
+ struct f_tcm_opts *opts;
+ unsigned i;
+
+ if (strstr(name, "tpgt_") != name)
+ return ERR_PTR(-EINVAL);
+- if (kstrtoul(name + 5, 0, &tpgt) || tpgt > UINT_MAX)
++ if (kstrtou16(name + 5, 0, &tpgt))
+ return ERR_PTR(-EINVAL);
+ ret = -ENODEV;
+ mutex_lock(&tpg_instances_lock);
+-- 
+2.39.5
+
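Review bot: The upper bound on tpgt is now enforced only implicitly by `kstrtou16()`, and nothing in the new lines of usbg_make_tpg() says so. A one-line comment above the call, `/* kstrtou16() fails for values that do not fit the u16 tport_tpgt */`, would keep a later type change from silently dropping the bound again. The call still passes base 0, so the suffix after `tpgt_` is also parsed as octal or hex; if only decimal tags are intended it should read `kstrtou16(name + 5, 10, &tpgt)`, but that changes which names are accepted and needs checking against existing users. The function body continues outside the hunk.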
diff --git a/queue-5.4/usb-typec-displayport-receive-dp-status-update-nak-r.patch b/queue-5.4/usb-typec-displayport-receive-dp-status-update-nak-r.patch
new file mode 100644
index 0000000000..5cb381e480
--- /dev/null
+++ b/queue-5.4/usb-typec-displayport-receive-dp-status-update-nak-r.patch
@@ -0,0 +1,56 @@
+From a6c9fc2d13cd6baeba6d1db64eadb7e3a3e2cbc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Feb 2025 15:19:26 +0800
+Subject: usb: typec: displayport: Receive DP Status Update NAK request exit dp
+ altmode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jos Wang <joswang@lenovo.com>
+
+[ Upstream commit b4b38ffb38c91afd4dc387608db26f6fc34ed40b ]
+
+Although some Type-C DRD devices that do not support the DP Sink
+function (such as Huawei Mate 40Pro), the Source Port initiates
+Enter Mode CMD, but the device responds to Enter Mode ACK, the
+Source port then initiates DP Status Update CMD, and the device
+responds to DP Status Update NAK.
+
+As PD2.0 spec ("6.4.4.3.4 Enter Mode Command"),A DR_Swap Message
+Shall Not be sent during Modal Operation between the Port Partners.
+At this time, the source port initiates DR_Swap message through the
+"echo device > /sys/class/typec/port0/data_role" command to switch
+the data role from host to device. The device will initiate a Hard
+Reset for recovery, resulting in the failure of data role swap.
+
+Therefore, when DP Status Update NAK is received, Exit Mode CMD is
+initiated to exit the currently entered DP altmode.
+
+Signed-off-by: Jos Wang <joswang@lenovo.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250209071926.69625-1-joswang1221@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/altmodes/displayport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c
+index a2a1baabca933..35d7a4d40d9a4 100644
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -288,6 +288,10 @@ static int dp_altmode_vdm(struct typec_altmode *alt,
+ break;
+ case CMDT_RSP_NAK:
+ switch (cmd) {
++ case DP_CMD_STATUS_UPDATE:
++ if (typec_altmode_exit(alt))
++ dev_err(&dp->alt->dev, "Exit Mode Failed!\n");
++ break;
+ case DP_CMD_CONFIGURE:
+ dp->data.conf = 0;
+ ret = dp_altmode_configured(dp);
+-- 
+2.39.5
+
diff --git a/queue-5.4/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch b/queue-5.4/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
new file mode 100644
index 0000000000..7d74dcd88f
--- /dev/null
+++ b/queue-5.4/usb-usbtmc-add-usbtmc_ioctl_get_stb.patch
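Review bot: The new `DP_CMD_STATUS_UPDATE` case in dp_altmode_vdm() throws away the error code from `typec_altmode_exit()`. The log line says only "Exit Mode Failed!" and `ret` is left untouched, so neither the log nor the caller can tell why the exit failed. Logging the value is a small change: `int err = typec_altmode_exit(alt);` followed by `if (err) dev_err(&dp->alt->dev, "Exit Mode failed: %d\n", err);`. Whether the error should also be assigned to `ret` depends on how the function returns, which is outside the hunk. The call uses `alt` while the message uses `dp->alt`; if both name the same altmode, using one of them in both places reads more clearly.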
@@ -0,0 +1,60 @@ +From 7245b240b8e32f7298f4e8c93cdc8115fac3cf8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 15 Dec 2020 16:56:19 +0100 +Subject: USB: usbtmc: Add USBTMC_IOCTL_GET_STB + +From: Dave Penkler <dpenkler@gmail.com> + +[ Upstream commit c9784e23c1020e63d6dba5e10ca8bf3d8b85c19c ] + +This new ioctl reads the status byte (STB) from the device and returns +the STB unmodified to the application. The srq_asserted bit is not taken +into account and not changed. + +This ioctl is useful to support non USBTMC-488 compliant devices. + +Tested-by: Jian-Wei Wu <jian-wei_wu@keysight.com> +Reviewed-by: Guido Kiener <guido.kiener@rohde-schwarz.com> +Signed-off-by: Dave Penkler <dpenkler@gmail.com> +Link: https://lore.kernel.org/r/20201215155621.9592-3-dpenkler@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Stable-dep-of: acb3dac2805d ("usb: usbtmc: Fix read_stb function and get_stb ioctl") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/usb/class/usbtmc.c | 6 ++++++ + include/uapi/linux/usb/tmc.h | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c +index d47ec01d29778..738ef160109bf 100644 +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -2173,6 +2173,12 @@ static long usbtmc_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + file_data->auto_abort = !!tmp_byte; + break; + ++ case USBTMC_IOCTL_GET_STB: ++ retval = usbtmc_get_stb(file_data, &tmp_byte); ++ if (retval > 0) ++ retval = put_user(tmp_byte, (__u8 __user *)arg); ++ break; ++ + case USBTMC_IOCTL_CANCEL_IO: + retval = usbtmc_ioctl_cancel_io(file_data); + break; +diff --git a/include/uapi/linux/usb/tmc.h b/include/uapi/linux/usb/tmc.h +index fdd4d88a7b95d..1e7878fe591f4 100644 +--- a/include/uapi/linux/usb/tmc.h ++++ b/include/uapi/linux/usb/tmc.h +@@ -102,6 +102,8 @@ struct usbtmc_message { + #define USBTMC_IOCTL_MSG_IN_ATTR _IOR(USBTMC_IOC_NR, 
24, __u8) + #define USBTMC_IOCTL_AUTO_ABORT _IOW(USBTMC_IOC_NR, 25, __u8) + ++#define USBTMC_IOCTL_GET_STB _IOR(USBTMC_IOC_NR, 26, __u8) ++ + /* Cancel and cleanup asynchronous calls */ + #define USBTMC_IOCTL_CANCEL_IO _IO(USBTMC_IOC_NR, 35) + #define USBTMC_IOCTL_CLEANUP_IO _IO(USBTMC_IOC_NR, 36) +-- +2.39.5 + diff --git a/queue-5.4/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch b/queue-5.4/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch new file mode 100644 index 0000000000..82ac68006a --- /dev/null +++ b/queue-5.4/usb-usbtmc-fix-read_stb-function-and-get_stb-ioctl.patch 
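Review bot: The new `USBTMC_IOCTL_GET_STB` define in include/uapi/linux/usb/tmc.h carries no comment telling user space how it differs from the existing read-STB ioctl. The commit message has the answer, and one line of it belongs in the header: `/* Read the status byte unmodified; srq_asserted is neither consulted nor cleared */`. In the usbtmc_ioctl() case the copy to user space depends on the return convention of usbtmc_get_stb(), which is not stated at the call site; a short comment there naming the expected success value would make that dependency reviewable. usbtmc_ioctl() starts and ends outside the hunk.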
@@ -0,0 +1,75 @@
+From 07ca6c3da8a96215d2f6131b838340ef790aab81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 14:16:55 +0200
+Subject: usb: usbtmc: Fix read_stb function and get_stb ioctl
+
+From: Dave Penkler <dpenkler@gmail.com>
+
+[ Upstream commit acb3dac2805d3342ded7dbbd164add32bbfdf21c ]
+
+The usbtmc488_ioctl_read_stb function relied on a positive return from
+usbtmc_get_stb to reset the srq condition in the driver. The
+USBTMC_IOCTL_GET_STB case tested for a positive return to return the stb
+to the user.
+
+Commit: <cac01bd178d6> ("usb: usbtmc: Fix erroneous get_stb ioctl
+error returns") changed the return value of usbtmc_get_stb to 0 on
+success instead of returning the value of usb_control_msg which is
+positive in the normal case. This change caused the function
+usbtmc488_ioctl_read_stb and the USBTMC_IOCTL_GET_STB ioctl to no
+longer function correctly.
+
+Change the test in usbtmc488_ioctl_read_stb to test for failure
+first and return the failure code immediately.
+Change the test for the USBTMC_IOCTL_GET_STB ioctl to test for 0
+instead of a positive value.
+
+Fixes: cac01bd178d6 ("usb: usbtmc: Fix erroneous get_stb ioctl error returns")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Penkler <dpenkler@gmail.com>
+Link: https://lore.kernel.org/r/20250521121656.18174-3-dpenkler@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/class/usbtmc.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
+index 738ef160109bf..9f084058b1956 100644
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -565,14 +565,15 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data,
+
+ rv = usbtmc_get_stb(file_data, &stb);
+
+- if (rv > 0) {
+- srq_asserted = atomic_xchg(&file_data->srq_asserted,
+- srq_asserted);
+- if (srq_asserted)
+- stb |= 0x40; /* Set RQS bit */
++ if (rv < 0)
++ return rv;
++
++ srq_asserted = atomic_xchg(&file_data->srq_asserted, srq_asserted);
++ if (srq_asserted)
++ stb |= 0x40; /* Set RQS bit */
++
++ rv = put_user(stb, (__u8 __user *)arg);
+
+- rv = put_user(stb, (__u8 __user *)arg);
+- }
+ return rv;
+
+ }
+@@ -2175,7 +2176,7 @@ static long usbtmc_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+
+ case USBTMC_IOCTL_GET_STB:
+ retval = usbtmc_get_stb(file_data, &tmp_byte);
+- if (retval > 0)
++ if (!retval)
+ retval = put_user(tmp_byte, (__u8 __user *)arg);
+ break;
+
+-- 
+2.39.5
+
diff --git a/queue-5.4/usb-usbtmc-fix-reading-stale-status-byte.patch b/queue-5.4/usb-usbtmc-fix-reading-stale-status-byte.patch
new file mode 100644
index 0000000000..50a29cb81a
--- /dev/null
+++ b/queue-5.4/usb-usbtmc-fix-reading-stale-status-byte.patch
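Review bot: The two call sites of `usbtmc_get_stb()` now test for success differently. usbtmc488_ioctl_read_stb() bails out on `rv < 0` and treats every other value as success, while the `USBTMC_IOCTL_GET_STB` case in usbtmc_ioctl() copies the byte only when the result is exactly 0. The commit message says the helper returns 0 on success, so the two agree today, but a positive return would make the first site copy `stb` to user space and the second return the positive value without writing the byte. Using one form at both sites, for example `if (rv) return rv;` in usbtmc488_ioctl_read_stb(), removes the mismatch. The blank line left between `return rv;` and the closing brace can go at the same time.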
@@ -0,0 +1,126 @@ +From 10429899c1d7ade01788fdcc316a32c768ee33ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Tue, 15 Dec 2020 16:56:18 +0100 +Subject: USB: usbtmc: Fix reading stale status byte + +From: Dave Penkler <dpenkler@gmail.com> + +[ Upstream commit 3c1037e2b6a94898f81ed1a68bea146a9db750a5 ] + +The ioctl USBTMC488_IOCTL_READ_STB either returns a cached status byte +(STB) sent by the device due to a service request (SRQ) condition or +the STB obtained from a query to the device with a READ_STATUS_BYTE +control message. + +When the query is interrupted by an SRQ message on the interrupt pipe, +the ioctl still returns the requested STB while the STB of the +out-of-band SRQ message is cached for the next call of this +ioctl. However the cached SRQ STB represents a state that was previous +to the last returned STB. Furthermore the cached SRQ STB can be stale +and not reflect the current state of the device. + +The fixed ioctl now always reads the STB from the device and if the +associated file descriptor has the srq_asserted bit set it ors in the +RQS bit to the returned STB and clears the srq_asserted bit conformant +to subclass USB488 devices. 
+ +Tested-by: Jian-Wei Wu <jian-wei_wu@keysight.com> +Reviewed-by: Guido Kiener <guido.kiener@rohde-schwarz.com> +Signed-off-by: Dave Penkler <dpenkler@gmail.com> +Link: https://lore.kernel.org/r/20201215155621.9592-2-dpenkler@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Stable-dep-of: acb3dac2805d ("usb: usbtmc: Fix read_stb function and get_stb ioctl") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/usb/class/usbtmc.c | 46 +++++++++++++++++++++----------------- + 1 file changed, 25 insertions(+), 21 deletions(-) + +diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c +index d8ed205e6b439..d47ec01d29778 100644 +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -475,15 +475,12 @@ static int usbtmc_ioctl_abort_bulk_out(struct usbtmc_device_data *data) + return usbtmc_ioctl_abort_bulk_out_tag(data, data->bTag_last_write); + } + +-static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data, +- void __user *arg) ++static int usbtmc_get_stb(struct usbtmc_file_data *file_data, __u8 *stb) + { + struct usbtmc_device_data *data = file_data->data; + struct device *dev = &data->intf->dev; +- int srq_asserted = 0; + u8 *buffer; + u8 tag; +- __u8 stb; + int rv; + long wait_rv; + unsigned long expire; +@@ -491,19 +488,6 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data, + dev_dbg(dev, "Enter ioctl_read_stb iin_ep_present: %d\n", + data->iin_ep_present); + +- spin_lock_irq(&data->dev_lock); +- srq_asserted = atomic_xchg(&file_data->srq_asserted, srq_asserted); +- if (srq_asserted) { +- /* a STB with SRQ is already received */ +- stb = file_data->srq_byte; +- spin_unlock_irq(&data->dev_lock); +- rv = put_user(stb, (__u8 __user *)arg); +- dev_dbg(dev, "stb:0x%02x with srq received %d\n", +- (unsigned int)stb, rv); +- return rv; +- } +- spin_unlock_irq(&data->dev_lock); +- + buffer = kmalloc(8, GFP_KERNEL); + if (!buffer) + return -ENOMEM; +@@ -552,13 +536,12 @@ 
static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data, + data->iin_bTag, tag); + } + +- stb = data->bNotify2; ++ *stb = data->bNotify2; + } else { +- stb = buffer[2]; ++ *stb = buffer[2]; + } + +- rv = put_user(stb, (__u8 __user *)arg); +- dev_dbg(dev, "stb:0x%02x received %d\n", (unsigned int)stb, rv); ++ dev_dbg(dev, "stb:0x%02x received %d\n", (unsigned int)*stb, rv); + + rv = 0; + +@@ -573,6 +556,27 @@ static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data, + return rv; + } + ++static int usbtmc488_ioctl_read_stb(struct usbtmc_file_data *file_data, ++ void __user *arg) ++{ ++ int srq_asserted = 0; ++ __u8 stb; ++ int rv; ++ ++ rv = usbtmc_get_stb(file_data, &stb); ++ ++ if (rv > 0) { ++ srq_asserted = atomic_xchg(&file_data->srq_asserted, ++ srq_asserted); ++ if (srq_asserted) ++ stb |= 0x40; /* Set RQS bit */ ++ ++ rv = put_user(stb, (__u8 __user *)arg); ++ } ++ return rv; ++ ++} ++ + static int usbtmc488_ioctl_wait_srq(struct usbtmc_file_data *file_data, + __u32 __user *arg) + { +-- +2.39.5 + diff --git a/queue-5.4/vmci-check-context-notify_page-after-call-to-get_use.patch b/queue-5.4/vmci-check-context-notify_page-after-call-to-get_use.patch new file mode 100644 index 0000000000..941d106393 --- /dev/null +++ b/queue-5.4/vmci-check-context-notify_page-after-call-to-get_use.patch 
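Review bot: `usbtmc_get_stb()` is introduced without a comment stating what it returns, and the caller added in the same patch depends on that contract. The new usbtmc488_ioctl_read_stb() applies the RQS bit and calls put_user() only when `rv > 0`, while the context line `rv = 0;` in the helper suggests its success path returns 0; the lines between that assignment and `return rv;` are outside the hunk, so this is inferred. A comment on the helper such as `/* Returns 0 with *stb filled in on success, negative errno otherwise */`, adjusted to what the hidden exit path really does, would make the expectation checkable at each call site. `stb |= 0x40;` would also read better with a named constant for the RQS bit than with the trailing comment.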
@@ -0,0 +1,56 @@ +From 2e477a5d47eb6356be57f5c34df30d301c7f00c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin <sashal@kernel.org> +Date: Mon, 28 Nov 2022 15:18:25 -0500 +Subject: VMCI: check context->notify_page after call to get_user_pages_fast() + to avoid GPF + +From: George Kennedy <george.kennedy@oracle.com> + +[ Upstream commit 1a726cb47fd204109c767409fa9ca15a96328f14 ] + +The call to get_user_pages_fast() in vmci_host_setup_notify() can return +NULL context->notify_page causing a GPF. To avoid GPF check if +context->notify_page == NULL and return error if so. + +general protection fault, probably for non-canonical address + 0xe0009d1000000060: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: maybe wild-memory-access in range [0x0005088000000300- + 0x0005088000000307] +CPU: 2 PID: 26180 Comm: repro_34802241 Not tainted 6.1.0-rc4 #1 +Hardware name: Red Hat KVM, BIOS 1.15.0-2.module+el8.6.0 04/01/2014 +RIP: 0010:vmci_ctx_check_signal_notify+0x91/0xe0 +Call Trace: + <TASK> + vmci_host_unlocked_ioctl+0x362/0x1f40 + __x64_sys_ioctl+0x1a1/0x230 + do_syscall_64+0x3a/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: a1d88436d53a ("VMCI: Fix two UVA mapping bugs") +Reported-by: syzkaller <syzkaller@googlegroups.com> +Signed-off-by: George Kennedy <george.kennedy@oracle.com> +Reviewed-by: Vishnu Dasa <vdasa@vmware.com> +Link: https://lore.kernel.org/r/1669666705-24012-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Stable-dep-of: 1bd6406fb5f3 ("VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify") +Signed-off-by: Sasha Levin <sashal@kernel.org> +--- + drivers/misc/vmw_vmci/vmci_host.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/misc/vmw_vmci/vmci_host.c b/drivers/misc/vmw_vmci/vmci_host.c +index 8ff8d649d9b3a..81ebdb1380f37 100644 +--- a/drivers/misc/vmw_vmci/vmci_host.c ++++ b/drivers/misc/vmw_vmci/vmci_host.c +@@ -245,6 +245,8 @@ static int 
vmci_host_setup_notify(struct vmci_ctx *context, + context->notify_page = NULL; + return VMCI_ERROR_GENERIC; + } ++ if (context->notify_page == NULL) ++ return VMCI_ERROR_UNAVAILABLE; + + /* + * Map the locked page and set up notify pointer. +-- +2.39.5 + diff --git a/queue-5.4/vmci-fix-race-between-vmci_host_setup_notify-and-vmc.patch b/queue-5.4/vmci-fix-race-between-vmci_host_setup_notify-and-vmc.patch new file mode 100644 index 0000000000..063984d93a --- /dev/null +++ b/queue-5.4/vmci-fix-race-between-vmci_host_setup_notify-and-vmc.patch 
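Review bot: The added test in vmci_host_setup_notify() does not say how `context->notify_page` can be NULL once get_user_pages_fast() has returned 1, and it reads the shared field with no lock visible in the hunk. If the cause is another thread clearing the field, the test can pass and the field can still change before the mapping code below uses it, so the check narrows the window rather than closing it. A comment should record the reason, for example `/* gup reported one pinned page but the slot is empty: bail out instead of mapping NULL */`, and kernel style writes the test as `if (!context->notify_page)`. The function starts and ends outside the hunk.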
@@ -0,0 +1,102 @@
+From bb11a0002b2ae996ced899666f037517e63191ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 11:30:40 +0800
+Subject: VMCI: fix race between vmci_host_setup_notify and
+ vmci_ctx_unset_notify
+
+From: Wupeng Ma <mawupeng1@huawei.com>
+
+[ Upstream commit 1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4 ]
+
+During our test, it is found that a warning can be trigger in try_grab_folio
+as follow:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130
+ Modules linked in:
+ CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)
+ RIP: 0010:try_grab_folio+0x106/0x130
+ Call Trace:
+ <TASK>
+ follow_huge_pmd+0x240/0x8e0
+ follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0
+ follow_pud_mask.constprop.0.isra.0+0x14a/0x170
+ follow_page_mask+0x1c2/0x1f0
+ __get_user_pages+0x176/0x950
+ __gup_longterm_locked+0x15b/0x1060
+ ? gup_fast+0x120/0x1f0
+ gup_fast_fallback+0x17e/0x230
+ get_user_pages_fast+0x5f/0x80
+ vmci_host_unlocked_ioctl+0x21c/0xf80
+ RIP: 0033:0x54d2cd
+ ---[ end trace 0000000000000000 ]---
+
+Digging into the source, context->notify_page may init by get_user_pages_fast
+and can be seen in vmci_ctx_unset_notify which will try to put_page. However
+get_user_pages_fast is not finished here and lead to following
+try_grab_folio warning. The race condition is shown as follow:
+
+cpu0 cpu1
+vmci_host_do_set_notify
+vmci_host_setup_notify
+get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
+lockless_pages_from_mm
+gup_pgd_range
+gup_huge_pmd // update &context->notify_page
+ vmci_host_do_set_notify
+ vmci_ctx_unset_notify
+ notify_page = context->notify_page;
+ if (notify_page)
+ put_page(notify_page); // page is freed
+__gup_longterm_locked
+__get_user_pages
+follow_trans_huge_pmd
+try_grab_folio // warn here
+
+To slove this, use local variable page to make notify_page can be seen
+after finish get_user_pages_fast.
+
+Fixes: a1d88436d53a ("VMCI: Fix two UVA mapping bugs")
+Cc: stable <stable@kernel.org>
+Closes: https://lore.kernel.org/all/e91da589-ad57-3969-d979-879bbd10dddd@huawei.com/
+Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
+Link: https://lore.kernel.org/r/20250510033040.901582-1-mawupeng1@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/vmw_vmci/vmci_host.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/misc/vmw_vmci/vmci_host.c b/drivers/misc/vmw_vmci/vmci_host.c
+index 81ebdb1380f37..6eddb805642e0 100644
+--- a/drivers/misc/vmw_vmci/vmci_host.c
++++ b/drivers/misc/vmw_vmci/vmci_host.c
+@@ -222,6 +222,7 @@ static int drv_cp_harray_to_user(void __user *user_buf_uva,
+ static int vmci_host_setup_notify(struct vmci_ctx *context,
+ unsigned long uva)
+ {
++ struct page *page;
+ int retval;
+
+ if (context->notify_page) {
+@@ -240,13 +241,11 @@ static int vmci_host_setup_notify(struct vmci_ctx *context,
+ /*
+ * Lock physical page backing a given user VA.
+ */
+- retval = get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);
+- if (retval != 1) {
+- context->notify_page = NULL;
++ retval = get_user_pages_fast(uva, 1, FOLL_WRITE, &page);
++ if (retval != 1)
+ return VMCI_ERROR_GENERIC;
+- }
+- if (context->notify_page == NULL)
+- return VMCI_ERROR_UNAVAILABLE;
++
++ context->notify_page = page;
+
+ /*
+ * Map the locked page and set up notify pointer.
+-- 
+2.39.5
+ |
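Review bot: The `if (context->notify_page)` test at the top of vmci_host_setup_notify() and the new store `context->notify_page = page;` still form a check-then-set with no lock visible in either hunk. If two callers can run this function on the same context at once (the locking is outside the hunk, so this needs confirming), both can pass the test and pin a page, and the second store overwrites the first pointer so that page reference is never dropped. The mapping step after the store, which is cut off here, should use the local `page` rather than re-read the field, since the commit message shows vmci_ctx_unset_notify() can clear and release it at any time. A comment above the store would record the intent, for example `/* publish only after gup has finished; unset_notify may put_page() as soon as this is visible */`, together with the name of the lock that serialises setup against unset if one exists.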