I'm announcing the release of the 5.15.104 kernel.
All users of the 5.15 kernel series must upgrade.
The updated 5.15.y git tree can be found at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y
and can be browsed at the normal kernel.org git web browser:
https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary
thanks,
greg k-h
------------
Documentation/filesystems/vfs.rst | 2
Makefile | 2
arch/riscv/include/asm/mmu.h | 2
arch/riscv/include/asm/tlbflush.h | 18
arch/riscv/mm/context.c | 40 -
arch/riscv/mm/tlbflush.c | 28 -
arch/s390/boot/ipl_report.c | 8
arch/s390/pci/pci.c | 16
arch/s390/pci/pci_bus.c | 12
arch/s390/pci/pci_bus.h | 3
arch/x86/kernel/cpu/mce/core.c | 1
arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 7
arch/x86/kernel/cpu/resctrl/internal.h | 1
arch/x86/kernel/cpu/resctrl/rdtgroup.c | 25 +
arch/x86/kvm/vmx/nested.c | 10
arch/x86/mm/mem_encrypt_identity.c | 3
drivers/block/loop.c | 25 -
drivers/block/null_blk/main.c | 6
drivers/block/sunvdc.c | 2
drivers/clk/Kconfig | 2
drivers/cpuidle/cpuidle-psci-domain.c | 3
drivers/firmware/xilinx/zynqmp.c | 2
drivers/gpu/drm/amd/amdkfd/kfd_events.c | 9
drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c | 5
drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 43 +-
drivers/gpu/drm/drm_gem_shmem_helper.c | 9
drivers/gpu/drm/i915/display/intel_display_types.h | 2
drivers/gpu/drm/i915/display/intel_psr.c | 207 +++++++---
drivers/gpu/drm/i915/gt/intel_ring.c | 2
drivers/gpu/drm/i915/i915_active.c | 24 -
drivers/gpu/drm/meson/meson_vpp.c | 2
drivers/gpu/drm/panfrost/panfrost_mmu.c | 2
drivers/gpu/drm/sun4i/sun4i_drv.c | 6
drivers/hid/hid-core.c | 18
drivers/hid/uhid.c | 1
drivers/hwmon/adt7475.c | 8
drivers/hwmon/ina3221.c | 2
drivers/hwmon/ltc2992.c | 1
drivers/hwmon/pmbus/adm1266.c | 1
drivers/hwmon/pmbus/ucd9000.c | 75 +++
drivers/hwmon/tmp513.c | 2
drivers/hwmon/xgene-hwmon.c | 1
drivers/interconnect/core.c | 4
drivers/interconnect/samsung/exynos.c | 6
drivers/media/i2c/m5mols/m5mols_core.c | 2
drivers/mmc/host/atmel-mci.c | 3
drivers/mmc/host/sdhci_am654.c | 2
drivers/net/bonding/bond_main.c | 23 -
drivers/net/dsa/mt7530.c | 64 +--
drivers/net/dsa/mv88e6xxx/chip.c | 16
drivers/net/ethernet/intel/i40e/i40e_main.c | 1
drivers/net/ethernet/intel/ice/ice.h | 14
drivers/net/ethernet/intel/ice/ice_main.c | 19
drivers/net/ethernet/intel/ice/ice_xsk.c | 4
drivers/net/ethernet/qlogic/qed/qed_dev.c | 5
drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c | 2
drivers/net/ethernet/renesas/ravb_main.c | 12
drivers/net/ethernet/renesas/sh_eth.c | 12
drivers/net/ethernet/sun/ldmvsw.c | 3
drivers/net/ethernet/sun/sunvnet.c | 3
drivers/net/ipvlan/ipvlan_l3s.c | 1
drivers/net/phy/nxp-c45-tja11xx.c | 2
drivers/net/phy/smsc.c | 5
drivers/net/usb/smsc75xx.c | 7
drivers/nfc/pn533/usb.c | 1
drivers/nfc/st-nci/ndlc.c | 6
drivers/nvme/host/core.c | 28 -
drivers/nvme/host/pci.c | 2
drivers/nvme/target/core.c | 4
drivers/pci/bus.c | 21 +
drivers/pci/pci-driver.c | 4
drivers/pci/pci.c | 57 +-
drivers/pci/pci.h | 16
drivers/pci/pcie/dpc.c | 4
drivers/scsi/hosts.c | 3
drivers/scsi/mpt3sas/mpt3sas_transport.c | 14
drivers/tty/serial/8250/8250_em.c | 4
drivers/tty/serial/8250/8250_fsl.c | 4
drivers/tty/serial/fsl_lpuart.c | 12
drivers/vdpa/vdpa_sim/vdpa_sim.c | 13
drivers/video/fbdev/stifb.c | 27 +
fs/cifs/smb2inode.c | 31 +
fs/cifs/transport.c | 21 -
fs/ext4/inode.c | 18
fs/ext4/namei.c | 4
fs/ext4/super.c | 7
fs/ext4/xattr.c | 11
fs/jffs2/file.c | 15
include/drm/drm_bridge.h | 4
include/linux/hid.h | 3
include/linux/netdevice.h | 6
include/linux/pci.h | 1
include/linux/sh_intc.h | 5
include/linux/tracepoint.h | 15
io_uring/io_uring.c | 4
kernel/events/core.c | 2
kernel/trace/ftrace.c | 3
kernel/trace/trace.c | 2
kernel/trace/trace_events_hist.c | 3
kernel/trace/trace_hwlat.c | 3
mm/huge_memory.c | 6
net/9p/client.c | 2
net/ipv4/fib_frontend.c | 3
net/ipv4/ip_tunnel.c | 12
net/ipv4/tcp_output.c | 2
net/ipv6/ip6_tunnel.c | 4
net/iucv/iucv.c | 2
net/mptcp/pm_netlink.c | 16
net/mptcp/subflow.c | 12
net/netfilter/nft_masq.c | 2
net/netfilter/nft_nat.c | 2
net/netfilter/nft_redir.c | 4
net/smc/smc_cdc.c | 3
net/smc/smc_core.c | 2
net/xfrm/xfrm_state.c | 3
scripts/kconfig/confdata.c | 6
sound/hda/intel-dsp-config.c | 9
sound/pci/hda/hda_intel.c | 5
sound/pci/hda/patch_realtek.c | 1
tools/testing/selftests/net/devlink_port_split.py | 36 +
120 files changed, 919 insertions(+), 439 deletions(-)
Alex Hung (1):
drm/amd/display: fix shift-out-of-bounds in CalculateVMAndRowBytes
Alexandra Winter (1):
net/iucv: Fix size of interrupt data
Arınç ÜNAL (2):
net: dsa: mt7530: remove now incorrect comment regarding port 5
net: dsa: mt7530: set PLL frequency and trgmii only when trgmii is used
Baokun Li (3):
ext4: fail ext4_iget if special inode unallocated
ext4: update s_journal_inum if it changes after journal replay
ext4: fix task hung in ext4_xattr_delete_inode
Bard Liao (1):
ALSA: hda: intel-dsp-config: add MTL PCI id
Bart Van Assche (2):
scsi: core: Fix a procfs host directory removal regression
loop: Fix use-after-free issues
Biju Das (1):
serial: 8250_em: Fix UART port type
Bjorn Helgaas (1):
ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
Breno Leitao (1):
tcp: tcp_make_synack() can be called from process context
Budimir Markovic (1):
perf: Fix check before add_event_to_groups() in perf_group_detach()
Błażej Szczygieł (1):
drm/amd/pm: Fix sienna cichlid incorrect OD volage after resume
Chen Zhongjin (1):
ftrace: Fix invalid address access in lookup_rec() when index is 0
Christian Hewitt (1):
drm/meson: fix 1px pink line on GXM when scaling video overlay
D. Wythe (1):
net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()
Damien Le Moal (2):
block: null_blk: Fix handling of fake timeout request
nvmet: avoid potential UAF in nvmet_req_complete()
Daniil Tatianin (2):
qed/qed_dev: guard against a possible division by zero
qed/qed_mng_tlv: correctly zero out ->min instead of ->hour
Dave Ertman (1):
ice: avoid bonding causing auxiliary plug/unplug under RTNL lock
David Hildenbrand (1):
mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage
Dmitry Osipenko (2):
drm/panfrost: Don't sync rpm suspension after mmu flushing
drm/shmem-helper: Remove another errant put in error path
Elmer Miroslav Mosher Golovin (1):
nvme-pci: add NVME_QUIRK_BOGUS_NID for Netac NV3000
Eric Dumazet (1):
net: tunnels: annotate lockless accesses to dev->needed_headroom
Eric Van Hensbergen (1):
net/9p: fix bug in client create for .L
Eugenio Pérez (2):
vdpa_sim: not reset state in vdpasim_queue_ready
vdpa_sim: set last_used_idx as last_avail_idx in vdpasim_queue_ready
Fedor Pchelkin (2):
nfc: pn533: initialize struct pn533_out_arg properly
io_uring: avoid null-ptr-deref in io_arm_poll_handler
Francesco Dolcini (1):
mmc: sdhci_am654: lower power-on failed message severity
Geliang Tang (1):
mptcp: add ro_after_init for tcp{,v6}_prot_override
Glenn Washburn (1):
docs: Correct missing "d_" prefix for dentry_operations member d_weak_revalidate
Greg Kroah-Hartman (1):
Linux 5.15.104
Guo Ren (1):
riscv: asid: Fixup stale TLB entry cause application crash
Hamidreza H. Fard (1):
ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book2 Pro
Heiner Kallweit (1):
net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails
Helge Deller (1):
fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
Herbert Xu (1):
xfrm: Allow transport-mode states with AF_UNSPEC selector
Ido Schimmel (1):
ipv4: Fix incorrect table ID in IOCTL path
Ivan Vecera (1):
i40e: Fix kernel crash during reboot when adapter is in recovery mode
Janusz Krzysztofik (1):
drm/i915/active: Fix misuse of non-idle barriers as fence trackers
Jeremy Sowden (4):
netfilter: nft_nat: correct length for loading protocol registers
netfilter: nft_masq: correct length for loading protocol registers
netfilter: nft_redir: correct length for loading protocol registers
netfilter: nft_redir: correct value of inet type `.maxattrs`
Jianguo Wu (1):
ipvlan: Make skb->skb_iif track skb->dev for l3s mode
Johan Hovold (4):
serial: 8250_fsl: fix handle_irq locking
interconnect: fix mem leak when freeing nodes
interconnect: exynos: fix node leak in probe PM QoS error path
drm/sun4i: fix missing component unbind on bind errors
John Harrison (1):
drm/i915: Don't use stolen memory for ring buffers with LLC
José Roberto de Souza (3):
drm/i915/display: Workaround cursor left overs with PSR2 selective fetch enabled
drm/i915/display/psr: Use drm damage helpers to calculate plane damaged area
drm/i915/display/psr: Handle plane and pipe restrictions at every page flip
Jouni Högander (1):
drm/i915/psr: Use calculated io and fast wake lines
Jurica Vukadin (1):
kconfig: Update config changed flag before calling callback
Krzysztof Kozlowski (1):
hwmon: tmp512: drop of_match_ptr for ID table
Lars-Peter Clausen (3):
hwmon: (ucd90320) Add minimum delay between bus accesses
hwmon: (adm1266) Set `can_sleep` flag for GPIO chip
hwmon: (ltc2992) Set `can_sleep` flag for GPIO chip
Lee Jones (2):
HID: core: Provide new max_buffer_size attribute to over-ride the default
HID: uhid: Over-ride the default maximum data buffer value with our own
Liang He (2):
block: sunvdc: add check for mdesc_grab() returning NULL
ethernet: sun: add check for the mdesc_grab()
Linus Torvalds (1):
media: m5mols: fix off-by-one loop termination error
Liu Ying (1):
drm/bridge: Fix returned array size name for atomic_get_input_bus_fmts kdoc
Lukas Wunner (2):
PCI: Unify delay handling for reset and resume
PCI/DPC: Await readiness of secondary bus after reset
Maciej Fijalkowski (1):
ice: xsk: disable txq irq before flushing hw
Marcus Folkesson (1):
hwmon: (ina3221) return prober error code
Matthieu Baerts (1):
mptcp: avoid setting TCP_CLOSE state twice
Michael Karcher (1):
sh: intc: Avoid spurious sizeof-pointer-div warning
Ming Lei (1):
nvme: fix handling single range discard request
Nikita Zhandarovich (1):
x86/mm: Fix use of uninitialized buffer in sme_enable()
Niklas Schnelle (1):
PCI: s390: Fix use-after-free of PCI resources with per-function hotplug
Nikolay Aleksandrov (2):
bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type change
bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails
Paolo Abeni (2):
mptcp: fix possible deadlock in subflow_error_report
mptcp: fix lockdep false positive in mptcp_pm_nl_create_listen_socket()
Paolo Bonzini (1):
KVM: nVMX: add missing consistency checks for CR0 and CR4
Po-Hsu Lin (1):
selftests: net: devlink_port_split.py: skip test if no suitable device available
Qu Huang (1):
drm/amdkfd: Fix an illegal memory access
Radu Pirea (OSS) (1):
net: phy: nxp-c45-tja11xx: fix MII_BASIC_CONFIG_REV bit
Randy Dunlap (1):
clk: HI655X: select REGMAP instead of depending on it
Roman Gushchin (1):
firmware: xilinx: don't make a sleepable memory allocation from an atomic context
Sergey Matyukevich (1):
Revert "riscv: mm: notify remote harts about mmu cache updates"
Shawn Guo (1):
cpuidle: psci: Iterate backwards over list in psci_pd_remove()
Shawn Wang (1):
x86/resctrl: Clear staged_config[] before and after it is used
Sherry Sun (1):
tty: serial: fsl_lpuart: skip waiting for transmission complete when UARTCTRL_SBK is asserted
Steven Rostedt (Google) (2):
tracing: Check field value in hist_field_name()
tracing: Make tracepoint lockdep check actually test something
Sung-hun Kim (1):
tracing: Make splice_read available again
Sven Schnelle (1):
s390/ipl: add missing intersection check to ipl_report handling
Szymon Heidrich (2):
net: usb: smsc75xx: Limit packet length to skb->len
net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull
Tero Kristo (1):
trace/hwlat: Do not wipe the contents of per-cpu thread data
Theodore Ts'o (1):
ext4: fix possible double unlock when moving a directory
Tobias Schramm (1):
mmc: atmel-mci: fix race between stop command and start of next command
Tom Rix (1):
drm/i915/display: clean up comments
Tony O'Brien (2):
hwmon: (adt7475) Display smoothing attributes in correct order
hwmon: (adt7475) Fix masking of hysteresis registers
Vladimir Oltean (1):
net: dsa: mv88e6xxx: fix max_mtu of 1492 on 6165, 6191, 6220, 6250, 6290
Volker Lendecke (1):
cifs: Fix smb2_set_path_size()
Wenchao Hao (1):
scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add()
Wenjia Zhang (1):
net/smc: fix deadlock triggered by cancel_delayed_work_syn()
Wolfram Sang (2):
ravb: avoid PHY being resumed when interface is not up
sh_eth: avoid PHY being resumed when interface is not up
Yazen Ghannam (1):
x86/mce: Make sure logged MCEs are processed after sysfs update
Yifei Liu (1):
jffs2: correct logic when creating a hole in jffs2_write_begin
Zhang Xiaoxu (1):
cifs: Move the in_send statistic to __smb_send_rqst()
Zheng Wang (2):
nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition
In the case of fast device addition/removal, it's possible that
hv_eject_device_work() can start to run before create_root_hv_pci_bus()
starts to run; as a result, the pci_get_domain_bus_and_slot() in
hv_eject_device_work() can return a 'pdev' of NULL, and
hv_eject_device_work() can remove the 'hpdev', and immediately send a
message PCI_EJECTION_COMPLETE to the host, and the host immediately
unassigns the PCI device from the guest; meanwhile,
create_root_hv_pci_bus() and the PCI device driver can be probing the
dead PCI device and reporting timeout errors.
Fix the issue by adding a per-bus mutex 'state_lock' and grabbing the
mutex before powering on the PCI bus in hv_pci_enter_d0(): when
hv_eject_device_work() starts to run, it's able to find the 'pdev' and call
pci_stop_and_remove_bus_device(pdev): if the PCI device driver has
loaded, the PCI device driver's probe() function is already called in
create_root_hv_pci_bus() -> pci_bus_add_devices(), and now
hv_eject_device_work() -> pci_stop_and_remove_bus_device() is able
to call the PCI device driver's remove() function and remove the device
reliably; if the PCI device driver hasn't loaded yet, the function call
hv_eject_device_work() -> pci_stop_and_remove_bus_device() is able to
remove the PCI device reliably and the PCI device driver's probe()
function won't be called; if the PCI device driver's probe() is already
running (e.g., systemd-udev is loading the PCI device driver), it must
be holding the per-device lock, and after the probe() finishes and releases
the lock, hv_eject_device_work() -> pci_stop_and_remove_bus_device() is
able to proceed to remove the device reliably.
Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs")
Signed-off-by: Dexuan Cui <decui(a)microsoft.com>
Reviewed-by: Michael Kelley <mikelley(a)microsoft.com>
Cc: stable(a)vger.kernel.org
---
v2:
Removed the "debug code".
Fixed the "goto out" in hv_pci_resume() [Michael Kelley]
Added Cc:stable
v3:
Added Michael's Reviewed-by.
drivers/pci/controller/pci-hyperv.c | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
index 48feab095a144..3ae2f99dea8c2 100644
--- a/drivers/pci/controller/pci-hyperv.c
+++ b/drivers/pci/controller/pci-hyperv.c
@@ -489,7 +489,10 @@ struct hv_pcibus_device {
struct fwnode_handle *fwnode;
/* Protocol version negotiated with the host */
enum pci_protocol_version_t protocol_version;
+
+ struct mutex state_lock;
enum hv_pcibus_state state;
+
struct hv_device *hdev;
resource_size_t low_mmio_space;
resource_size_t high_mmio_space;
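Review bot: The new `state_lock` member of struct hv_pcibus_device has no comment saying what it protects; the blank lines around it only hint that it belongs with `state`. The other hunks of this patch take it in hv_pci_probe(), hv_pci_resume(), pci_devices_present_work() and hv_eject_device_work(), so I would add `/* Serializes bus bring-up (probe/resume) against the eject and devices-present work items */` above it. If it is also meant to guard every write to `state`, say so there; this hunk cannot confirm that, because the rest of the struct and the other writers of `state` lie outside it.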
@@ -2512,6 +2515,8 @@ static void pci_devices_present_work(struct work_struct *work)
if (!dr)
return;
+ mutex_lock(&hbus->state_lock);
+
/* First, mark all existing children as reported missing. */
spin_lock_irqsave(&hbus->device_list_lock, flags);
list_for_each_entry(hpdev, &hbus->children, list_entry) {
@@ -2593,6 +2598,8 @@ static void pci_devices_present_work(struct work_struct *work)
break;
}
+ mutex_unlock(&hbus->state_lock);
+
kfree(dr);
}
@@ -2741,6 +2748,8 @@ static void hv_eject_device_work(struct work_struct *work)
hpdev = container_of(work, struct hv_pci_dev, wrk);
hbus = hpdev->hbus;
+ mutex_lock(&hbus->state_lock);
+
/*
* Ejection can come before or after the PCI bus has been set up, so
* attempt to find it and tear down the bus state, if it exists. This
@@ -2777,6 +2786,8 @@ static void hv_eject_device_work(struct work_struct *work)
put_pcichild(hpdev);
put_pcichild(hpdev);
/* hpdev has been freed. Do not use it any more. */
+
+ mutex_unlock(&hbus->state_lock);
}
/**
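Review bot: The unlock placed after the final put_pcichild() is only safe because it goes through the local `hbus`, which the first hunk of hv_eject_device_work() shows being read from `hpdev->hbus` before the lock is taken, and nothing at this line says so. The existing comment already warns that hpdev is freed here; I would extend it to `/* hpdev has been freed; unlock via the saved hbus, never hpdev->hbus. */` so a later edit does not turn this into a use-after-free. The body between the mutex_lock() hunk and this one is not visible, so any early return in that stretch would need its own unlock.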
@@ -3562,6 +3573,7 @@ static int hv_pci_probe(struct hv_device *hdev,
return -ENOMEM;
hbus->bridge = bridge;
+ mutex_init(&hbus->state_lock);
hbus->state = hv_pcibus_init;
hbus->wslot_res_allocated = -1;
@@ -3670,9 +3682,11 @@ static int hv_pci_probe(struct hv_device *hdev,
if (ret)
goto free_irq_domain;
+ mutex_lock(&hbus->state_lock);
+
ret = hv_pci_enter_d0(hdev);
if (ret)
- goto free_irq_domain;
+ goto release_state_lock;
ret = hv_pci_allocate_bridge_windows(hbus);
if (ret)
@@ -3690,12 +3704,15 @@ static int hv_pci_probe(struct hv_device *hdev,
if (ret)
goto free_windows;
+ mutex_unlock(&hbus->state_lock);
return 0;
free_windows:
hv_pci_free_bridge_windows(hbus);
exit_d0:
(void) hv_pci_bus_exit(hdev, true);
+release_state_lock:
+ mutex_unlock(&hbus->state_lock);
free_irq_domain:
irq_domain_remove(hbus->irq_domain);
free_fwnode:
@@ -3945,20 +3962,26 @@ static int hv_pci_resume(struct hv_device *hdev)
if (ret)
goto out;
+ mutex_lock(&hbus->state_lock);
+
ret = hv_pci_enter_d0(hdev);
if (ret)
- goto out;
+ goto release_state_lock;
ret = hv_send_resources_allocated(hdev);
if (ret)
- goto out;
+ goto release_state_lock;
prepopulate_bars(hbus);
hv_pci_restore_msi_state(hbus);
hbus->state = hv_pcibus_installed;
+ mutex_unlock(&hbus->state_lock);
return 0;
+
+release_state_lock:
+ mutex_unlock(&hbus->state_lock);
out:
vmbus_close(hdev->channel);
return ret;
--
2.25.1
Commit 414428c5da1c ("PCI: hv: Lock PCI bus on device eject") added
pci_lock_rescan_remove() and pci_unlock_rescan_remove() in
create_root_hv_pci_bus() and in hv_eject_device_work() to address the
race between create_root_hv_pci_bus() and hv_eject_device_work(), but it
turns out that grabbing the pci_rescan_remove_lock mutex is not enough:
refer to the earlier fix "PCI: hv: Add a per-bus mutex state_lock".
Now with hbus->state_lock and other fixes, the race is resolved, so
remove pci_{lock,unlock}_rescan_remove() in create_root_hv_pci_bus():
this removes the serialization in hv_pci_probe() and hence allows
async-probing (PROBE_PREFER_ASYNCHRONOUS) to work.
Add the async-probing flag to hv_pci_drv.
pci_{lock,unlock}_rescan_remove() in hv_eject_device_work() and in
hv_pci_remove() are still kept: according to the comment before
drivers/pci/probe.c: static DEFINE_MUTEX(pci_rescan_remove_lock),
"PCI device removal routines should always be executed under this mutex".
Signed-off-by: Dexuan Cui <decui(a)microsoft.com>
Reviewed-by: Michael Kelley <mikelley(a)microsoft.com>
Reviewed-by: Long Li <longli(a)microsoft.com>
Cc: stable(a)vger.kernel.org
---
v2:
No change to the patch body.
Improved the commit message [Michael Kelley]
Added Cc:stable
v3:
Added Michael's and Long Li's Reviewed-by.
Fixed a typo in the commit message: grubing -> grabing [Thanks, Michael!]
drivers/pci/controller/pci-hyperv.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
index 3ae2f99dea8c2..2ea2b1b8a4c9a 100644
--- a/drivers/pci/controller/pci-hyperv.c
+++ b/drivers/pci/controller/pci-hyperv.c
@@ -2312,12 +2312,16 @@ static int create_root_hv_pci_bus(struct hv_pcibus_device *hbus)
if (error)
return error;
- pci_lock_rescan_remove();
+ /*
+ * pci_lock_rescan_remove() and pci_unlock_rescan_remove() are
+ * unnecessary here, because we hold the hbus->state_lock, meaning
+ * hv_eject_device_work() and pci_devices_present_work() can't race
+ * with create_root_hv_pci_bus().
+ */
hv_pci_assign_numa_node(hbus);
pci_bus_assign_resources(bridge->bus);
hv_pci_assign_slots(hbus);
pci_bus_add_devices(bridge->bus);
- pci_unlock_rescan_remove();
hbus->state = hv_pcibus_installed;
return 0;
}
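Review bot: The new comment in create_root_hv_pci_bus() says the caller holds hbus->state_lock, but nothing enforces that now that the rescan/remove lock is gone from this path. Adding `lockdep_assert_held(&hbus->state_lock);` just above the comment would make the precondition checkable in debug builds. The comment also names only hv_eject_device_work() and pci_devices_present_work(); it should state whether other takers of pci_rescan_remove_lock (for example a sysfs-triggered rescan or remove, if those can reach this bus) were considered, since state_lock does not serialize against them. The start of the function is outside the hunk.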
@@ -4003,6 +4007,9 @@ static struct hv_driver hv_pci_drv = {
.remove = hv_pci_remove,
.suspend = hv_pci_suspend,
.resume = hv_pci_resume,
+ .driver = {
+ .probe_type = PROBE_PREFER_ASYNCHRONOUS,
+ },
};
static void __exit exit_hv_pci_drv(void)
--
2.25.1
When we are renaming a directory to a different directory, we need to
update '..' entry in the moved directory. However nothing prevents moved
directory from being modified and even converted from the inline format
to the normal format. When such race happens the rename code gets
confused and we crash. Fix the problem by locking the moved directory.
CC: stable(a)vger.kernel.org
Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir")
Signed-off-by: Jan Kara <jack(a)suse.cz>
---
fs/ext4/namei.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index dd28453d6ea3..270fbcba75b6 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3872,9 +3872,16 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir))
goto end_rename;
}
+ /*
+ * We need to protect against old.inode directory getting
+ * converted from inline directory format into a normal one.
+ */
+ inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
retval = ext4_rename_dir_prepare(handle, &old);
- if (retval)
+ if (retval) {
+ inode_unlock(old.inode);
goto end_rename;
+ }
}
/*
* If we're renaming a file within an inline_data dir and adding or
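Review bot: The error branch added after ext4_rename_dir_prepare() calls inode_unlock(old.inode) and then jumps to end_rename, while the second hunk adds `if (old.dir_bh) inode_unlock(old.inode);` just before release_bh. If end_rename sits above that line and ext4_rename_dir_prepare() can fail after it has set old.dir_bh, the inode is unlocked twice; both conditions depend on code outside these hunks, so please confirm. Using old.dir_bh as a stand-in for "lock held" is fragile either way. I would record the lock in a local flag set right after inode_lock_nested(), test that flag at the common exit instead of `old.dir_bh`, and reduce the error branch back to `if (retval) goto end_rename;`. ext4_rename() starts and ends outside both hunks.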
@@ -4006,6 +4013,8 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
} else {
ext4_journal_stop(handle);
}
+ if (old.dir_bh)
+ inode_unlock(old.inode);
release_bh:
brelse(old.dir_bh);
brelse(old.bh);
--
2.35.3
[Adding a few people to the list of recipients that were involved in
developing the culprit; also CCing the regression list, as it should be
in the loop for regressions:
https://docs.kernel.org/admin-guide/reporting-regressions.html]
[TLDR: I'm adding this report to the list of tracked Linux kernel
regressions; the text you find below is based on a few template
paragraphs you might have encountered already in similar form.
See link in footer if these mails annoy you.]
On 29.03.23 16:31, Kristof Havasi wrote:
>
> I was rebasing the Kernel branch of our SAMA5D35 based board from
> v5.4.189 to v5.4.238.
> I noticed that after the rebase we could _only send, but not receive_
> through our RS485 interface.
>
> I could bisect the problem to 77b97ef4908aa917e7b68667ec6b344cc5dc5034
> in the v5.4.225 release.
FWIW, that's 7176a6a8982d ("dmaengine: at_hdmac: Don't start
transactions at tx_submit level") in mainline.
Kristof Havasi: would be good to know if this is something that happens
with recent mainline as well, because if not it might be something the
stable team needs to handle.
> If I revert this commit, the tx/rx works just
> like before.
> Maybe this use-case wasn't considered when this patch was created?
> I haven't seen a documentation change regarding this in DT bindings,
> but if the config should be something else, please let me know.
> Otherwise this commit breaks the RS485 function of atmel_serial at
> least in the v5.4.y branch.
>
> Best Regards,
> Kristóf Havasi
>
> The relevant device tree nodes:
>
> from sama5d3.dtsi:
>
> usart1: serial@f0020000 {
> compatible = "atmel,at91sam9260-usart";
> reg = <0xf0020000 0x100>;
> interrupts = <13 IRQ_TYPE_LEVEL_HIGH 5>;
> dmas = <&dma0 2 AT91_DMA_CFG_PER_ID(5)>,
> <&dma0 2 (AT91_DMA_CFG_PER_ID(6) | AT91_DMA_CFG_FIFOCFG_ASAP)>;
> dma-names = "tx", "rx";
> pinctrl-names = "default";
> pinctrl-0 = <&pinctrl_usart1>;
> clocks = <&usart1_clk>;
> clock-names = "usart";
> status = "disabled";
> };
>
> pinctrl_usart1: usart1-0 {
> atmel,pins =
> <AT91_PIOB 28 AT91_PERIPH_A AT91_PINCTRL_PULL_UP
> AT91_PIOB 29 AT91_PERIPH_A AT91_PINCTRL_NONE>;
> };
> pinctrl_usart1_rts_cts: usart1_rts_cts-0 {
> atmel,pins =
> <AT91_PIOB 26 AT91_PERIPH_A AT91_PINCTRL_NONE /* PB26 periph A,
> conflicts with GRX7 */
> AT91_PIOB 27 AT91_PERIPH_A AT91_PINCTRL_NONE>; /* PB27 periph A,
> conflicts with G125CKO */
> };
>
> from our dts:
>
> &usart1 {
> pinctrl-0 = <&pinctrl_usart1 &pinctrl_usart1_rts_cts>;
> atmel,use-dma-rx;
> atmel,use-dma-tx;
> rs485-rx-during-tx;
> linux,rs485-enabled-at-boot-time;
> status = "okay";
> };
>
> HW:
> The SAMA5D3's PB27 is connected to the |RE+DE of the RS485 transceiver
> SP3458EN-L
Thanks for the report. To be sure the issue doesn't fall through the
cracks unnoticed, I'm adding it to regzbot, the Linux kernel regression
tracking bot:
#regzbot ^introduced 77b97ef4908aa
#regzbot title dmaengine: at_hdmac: receiving data through the RS485
interface broke
#regzbot ignore-activity
This isn't a regression? This issue or a fix for it are already
discussed somewhere else? It was fixed already? You want to clarify when
the regression started to happen? Or point out I got the title or
something else totally wrong? Then just reply and tell me -- ideally
while also telling regzbot about it, as explained by the page listed in
the footer of this mail.
Developers: When fixing the issue, remember to add 'Link:' tags pointing
to the report (the parent of this mail). See page linked in footer for
details.
Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
--
Everything you wanna know about Linux kernel regression tracking:
https://linux-regtracking.leemhuis.info/about/#tldr
That page also explains what to do if mails like this annoy you.
[Why]
The sequence for collecting down_reply from source perspective should
be:
Request_n->repeat (get partial reply of Request_n->clear message ready
flag to ack DPRX that the message is received) till all partial
replies for Request_n are received->new Request_n+1.
Now there is a chance that drm_dp_mst_hpd_irq() will fire a new down
request in the tx queue while the down reply is incomplete. The source is
not allowed to generate interleaved message transactions, so we should
avoid it.
Also, while assembling partial reply packets, reading out the DPCD DOWN_REP
Sideband MSG buffer + clearing the DOWN_REP_MSG_RDY flag should be
wrapped up as a complete operation for reading out a reply packet.
Kicking off a new request before clearing the DOWN_REP_MSG_RDY flag might
be risky, e.g. if the reply to the new request has overwritten the
DPRX DOWN_REP Sideband MSG buffer before the source writes one to clear the
DOWN_REP_MSG_RDY flag, the source then unintentionally flushes the reply
for the new request. The up request should be handled in the same way.
[How]
Separate drm_dp_mst_hpd_irq() into 2 steps. After acking the MST IRQ
event, the driver calls drm_dp_mst_hpd_irq_step2(), which triggers
drm_dp_mst_kick_tx() only when there is no ongoing message transaction.
Changes since v1:
* Reworked on review comments received
-> Adjust the fix to let driver explicitly kick off new down request
when mst irq event is handled and acked
-> Adjust the commit message
Signed-off-by: Wayne Lin <Wayne.Lin(a)amd.com>
Cc: stable(a)vger.kernel.org
---
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++---
drivers/gpu/drm/display/drm_dp_mst_topology.c | 35 ++++++++++++++++---
drivers/gpu/drm/i915/display/intel_dp.c | 5 ++-
drivers/gpu/drm/nouveau/dispnv50/disp.c | 5 ++-
include/drm/display/drm_dp_mst_helper.h | 4 +--
5 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 1ad67c2a697e..48bdcb2ee9b1 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -3259,10 +3259,9 @@ static void dm_handle_mst_sideband_msg(struct amdgpu_dm_connector *aconnector)
DRM_DEBUG_DRIVER("ESI %02x %02x %02x\n", esi[0], esi[1], esi[2]);
/* handle HPD short pulse irq */
if (aconnector->mst_mgr.mst_state)
- drm_dp_mst_hpd_irq(
- &aconnector->mst_mgr,
- esi,
- &new_irq_handled);
+ drm_dp_mst_hpd_irq_step1(&aconnector->mst_mgr,
+ esi,
+ &new_irq_handled);
if (new_irq_handled) {
/* ACK at DPCD to notify down stream */
@@ -3281,6 +3280,7 @@ static void dm_handle_mst_sideband_msg(struct amdgpu_dm_connector *aconnector)
break;
}
+ drm_dp_mst_hpd_irq_step2(&aconnector->mst_mgr);
/* check if there is new irq to be handled */
dret = drm_dp_dpcd_read(
&aconnector->dm_dp_aux.aux,
diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
index 70df29fe92db..2e0a38a6509c 100644
--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
@@ -4045,7 +4045,7 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
}
/**
- * drm_dp_mst_hpd_irq() - MST hotplug IRQ notify
+ * drm_dp_mst_hpd_irq_step1() - MST hotplug IRQ notify
* @mgr: manager to notify irq for.
* @esi: 4 bytes from SINK_COUNT_ESI
* @handled: whether the hpd interrupt was consumed or not
@@ -4055,7 +4055,7 @@ static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr)
* topology manager will process the sideband messages received as a result
* of this.
*/
-int drm_dp_mst_hpd_irq(struct drm_dp_mst_topology_mgr *mgr, u8 *esi, bool *handled)
+int drm_dp_mst_hpd_irq_step1(struct drm_dp_mst_topology_mgr *mgr, u8 *esi, bool *handled)
{
int ret = 0;
int sc;
@@ -4077,11 +4077,38 @@ int drm_dp_mst_hpd_irq(struct drm_dp_mst_topology_mgr *mgr, u8 *esi, bool *handl
*handled = true;
}
- drm_dp_mst_kick_tx(mgr);
return ret;
}
-EXPORT_SYMBOL(drm_dp_mst_hpd_irq);
+EXPORT_SYMBOL(drm_dp_mst_hpd_irq_step1);
+
+/**
+ * drm_dp_mst_hpd_irq_step2() - MST hotplug IRQ 2nd part handling
+ * @mgr: manager to notify irq for.
+ *
+ * This should be called from the driver when mst irq event is handled
+ * and acked. Note that new down request should only be sent when
+ * previous message transaction is done. Source is not supposed to generate
+ * interleaved message transactions.
+ */
+void drm_dp_mst_hpd_irq_step2(struct drm_dp_mst_topology_mgr *mgr)
+{
+ struct drm_dp_sideband_msg_tx *txmsg;
+ bool skip = false;
+ mutex_lock(&mgr->qlock);
+ txmsg = list_first_entry_or_null(&mgr->tx_msg_downq,
+ struct drm_dp_sideband_msg_tx, next);
+ /* If last transaction is not completed yet*/
+ if (!txmsg ||
+ txmsg->state == DRM_DP_SIDEBAND_TX_START_SEND ||
+ txmsg->state == DRM_DP_SIDEBAND_TX_SENT)
+ skip = true;
+ mutex_unlock(&mgr->qlock);
+
+ if (!skip)
+ drm_dp_mst_kick_tx(mgr);
+}
+EXPORT_SYMBOL(drm_dp_mst_hpd_irq_step2);
/**
* drm_dp_mst_detect_port() - get connection status for an MST port
* @connector: DRM connector for this port
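Review bot: In drm_dp_mst_hpd_irq_step2() the comment `/* If last transaction is not completed yet*/` does not cover the `!txmsg` arm of the condition, where the queue is simply empty, and the skip decision is taken under mgr->qlock but acted on after the lock is dropped. I would reword it as `/* Nothing queued, or the head message is still being sent: do not start a new down request */` and add a sentence on why calling drm_dp_mst_kick_tx() after the unlock is acceptable. A blank line after the declarations would match the surrounding style. The kernel-doc of drm_dp_mst_hpd_irq_step1() in the earlier hunks is renamed but still does not tell callers that step2 must follow once the IRQ has been acked.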
diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
index 75070eb07d4b..9a9a5aec9534 100644
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -3803,7 +3803,7 @@ intel_dp_mst_hpd_irq(struct intel_dp *intel_dp, u8 *esi, u8 *ack)
{
bool handled = false;
- drm_dp_mst_hpd_irq(&intel_dp->mst_mgr, esi, &handled);
+ drm_dp_mst_hpd_irq_step1(&intel_dp->mst_mgr, esi, &handled);
if (handled)
ack[1] |= esi[1] & (DP_DOWN_REP_MSG_RDY | DP_UP_REQ_MSG_RDY);
@@ -3880,6 +3880,9 @@ intel_dp_check_mst_status(struct intel_dp *intel_dp)
if (!intel_dp_ack_sink_irq_esi(intel_dp, ack))
drm_dbg_kms(&i915->drm, "Failed to ack ESI\n");
+
+ if (ack[1] & (DP_DOWN_REP_MSG_RDY | DP_UP_REQ_MSG_RDY))
+ drm_dp_mst_hpd_irq_step2(&intel_dp->mst_mgr);
}
return link_ok;
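Review bot: drm_dp_mst_hpd_irq_step2() is reached in intel_dp_check_mst_status() even when intel_dp_ack_sink_irq_esi() failed, because that failure only logs "Failed to ack ESI"; the kernel-doc added in drm_dp_mst_topology.c says step2 is for after the event has been handled and acked. Kicking a new down request while DOWN_REP_MSG_RDY may still be set is the situation the commit message calls risky. I would make the call conditional on the ack, e.g. `else if (ack[1] & (DP_DOWN_REP_MSG_RDY | DP_UP_REQ_MSG_RDY))` attached to the existing `if`. The nouveau hunk in nv50_mstm_service() has the same ordering: step2 is called before `rc != 3` is checked. Both functions extend beyond their hunks.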
diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c
index ed9d374147b8..00c36fcc8afd 100644
--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
@@ -1332,12 +1332,15 @@ nv50_mstm_service(struct nouveau_drm *drm,
break;
}
- drm_dp_mst_hpd_irq(&mstm->mgr, esi, &handled);
+ drm_dp_mst_hpd_irq_step1(&mstm->mgr, esi, &handled);
if (!handled)
break;
rc = drm_dp_dpcd_write(aux, DP_SINK_COUNT_ESI + 1, &esi[1],
3);
+
+ drm_dp_mst_hpd_irq_step2(&mstm->mgr);
+
if (rc != 3) {
ret = false;
break;
diff --git a/include/drm/display/drm_dp_mst_helper.h b/include/drm/display/drm_dp_mst_helper.h
index 32c764fb9cb5..6c08ba765d5a 100644
--- a/include/drm/display/drm_dp_mst_helper.h
+++ b/include/drm/display/drm_dp_mst_helper.h
@@ -815,8 +815,8 @@ void drm_dp_mst_topology_mgr_destroy(struct drm_dp_mst_topology_mgr *mgr);
bool drm_dp_read_mst_cap(struct drm_dp_aux *aux, const u8 dpcd[DP_RECEIVER_CAP_SIZE]);
int drm_dp_mst_topology_mgr_set_mst(struct drm_dp_mst_topology_mgr *mgr, bool mst_state);
-int drm_dp_mst_hpd_irq(struct drm_dp_mst_topology_mgr *mgr, u8 *esi, bool *handled);
-
+int drm_dp_mst_hpd_irq_step1(struct drm_dp_mst_topology_mgr *mgr, u8 *esi, bool *handled);
+void drm_dp_mst_hpd_irq_step2(struct drm_dp_mst_topology_mgr *mgr);
int
drm_dp_mst_detect_port(struct drm_connector *connector,
--
2.37.3
Currently, due to the sequential use of min_t() and clamp_t() macros,
in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is not set, the logic
sets tx_max to 0. This is then used to allocate the data area of the
SKB requested later in cdc_ncm_fill_tx_frame().
This does not cause an issue presently because when memory is
allocated during initialisation phase of SKB creation, more memory
(512b) is allocated than is required for the SKB headers alone (320b),
leaving some space (512b - 320b = 192b) for CDC data (172b).
However, if more elements (for example 3 x u64 = [24b]) were added to
one of the SKB header structs, say 'struct skb_shared_info',
increasing its original size (320b [320b aligned]) to something larger
(344b [384b aligned]), then suddenly the CDC data (172b) no longer
fits in the spare SKB data area (512b - 384b = 128b).
Consequently the SKB bounds check fails and the kernel panics:
skbuff: skb_over_panic: text:ffffffff830a5b5f len:184 put:172 \
head:ffff888119227c00 data:ffff888119227c00 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:110!
RIP: 0010:skb_panic+0x14f/0x160 net/core/skbuff.c:106
<snip>
Call Trace:
<IRQ>
skb_over_panic+0x2c/0x30 net/core/skbuff.c:115
skb_put+0x205/0x210 net/core/skbuff.c:1877
skb_put_zero include/linux/skbuff.h:2270 [inline]
cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1116 [inline]
cdc_ncm_fill_tx_frame+0x127f/0x3d50 drivers/net/usb/cdc_ncm.c:1293
cdc_ncm_tx_fixup+0x98/0xf0 drivers/net/usb/cdc_ncm.c:1514
By overriding the max value with the default CDC_NCM_NTB_MAX_SIZE_TX
when not offered through the system provided params, we ensure enough
data space is allocated to handle the CDC data, meaning no crash will
occur.
Cc: stable(a)vger.kernel.org
Cc: Oliver Neukum <oliver(a)neukum.org>
Cc: "David S. Miller" <davem(a)davemloft.net>
Cc: Jakub Kicinski <kuba(a)kernel.org>
Cc: linux-usb(a)vger.kernel.org
Cc: netdev(a)vger.kernel.org
Cc: linux-kernel(a)vger.kernel.org
Fixes: 289507d3364f9 ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning")
Signed-off-by: Lee Jones <lee.jones(a)linaro.org>
---
drivers/net/usb/cdc_ncm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index 24753a4da7e60..e303b522efb50 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -181,6 +181,8 @@ static u32 cdc_ncm_check_tx_max(struct usbnet *dev, u32 new_tx)
min = ctx->max_datagram_size + ctx->max_ndp_size + sizeof(struct usb_cdc_ncm_nth32);
max = min_t(u32, CDC_NCM_NTB_MAX_SIZE_TX, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize));
+ if (max == 0)
+ max = CDC_NCM_NTB_MAX_SIZE_TX; /* dwNtbOutMaxSize not set */
/* some devices set dwNtbOutMaxSize too low for the above default */
min = min(min, max);
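Review bot: The new `if (max == 0)` test covers only an unset dwNtbOutMaxSize; a device that reports a small nonzero value still passes through min_t() unchanged, and the following `min = min(min, max)` then lowers min to match, so tx_max can presumably still end up smaller than the NTB headers need. Since the value comes from the device's descriptors, a lower bound would be safer than a zero check, e.g. `max = clamp_t(u32, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize), USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX);` in the nonzero case. The rest of cdc_ncm_check_tx_max() is outside the hunk, so the final clamp of new_tx is not visible.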
--
2.34.0.384.gca35af8252-goog
The mte_sync_page_tags() function sets PG_mte_tagged if it initializes
page tags. Then we return to mte_sync_tags(), which sets PG_mte_tagged
again. At best, this is redundant. However, it is possible for
mte_sync_page_tags() to return without having initialized tags for the
page, i.e. in the case where check_swap is true (non-compound page),
is_swap_pte(old_pte) is false and pte_is_tagged is false. So at worst,
we set PG_mte_tagged on a page with uninitialized tags. This can happen
if, for example, page migration causes a PTE for an untagged page to
be replaced. If the userspace program subsequently uses mprotect() to
enable PROT_MTE for that page, the uninitialized tags will be exposed
to userspace.
Fix it by removing the redundant call to set_page_mte_tagged().
Fixes: e059853d14ca ("arm64: mte: Fix/clarify the PG_mte_tagged semantics")
Signed-off-by: Peter Collingbourne <pcc(a)google.com>
Cc: <stable(a)vger.kernel.org> # 6.1
Link: https://linux-review.googlesource.com/id/Ib02d004d435b2ed87603b858ef7480f7b…
---
arch/arm64/kernel/mte.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
index f5bcb0dc6267..7e89968bd282 100644
--- a/arch/arm64/kernel/mte.c
+++ b/arch/arm64/kernel/mte.c
@@ -66,13 +66,10 @@ void mte_sync_tags(pte_t old_pte, pte_t pte)
return;
/* if PG_mte_tagged is set, tags have already been initialised */
- for (i = 0; i < nr_pages; i++, page++) {
- if (!page_mte_tagged(page)) {
+ for (i = 0; i < nr_pages; i++, page++)
+ if (!page_mte_tagged(page))
mte_sync_page_tags(page, old_pte, check_swap,
pte_is_tagged);
- set_page_mte_tagged(page);
- }
- }
/* ensure the tags are visible before the PTE is set */
smp_wmb();
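Review bot: The retained comment `/* if PG_mte_tagged is set, tags have already been initialised */` no longer says who sets the flag, which is the invariant this fix depends on. I would extend it to `/* mte_sync_page_tags() sets PG_mte_tagged itself, and only once the tags are initialised; do not set it here */` so a later cleanup does not put the call back. As a style point, the `for` body is now a multi-line `if`, and kernel coding style keeps the braces on the loop in that case. mte_sync_tags() starts and ends outside the hunk.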
--
2.40.0.634.g4ca3ef3211-goog