April 2023 - Linux-stable-mirror

[PATCH v2] writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs

by Baokun Li

KASAN report null-ptr-deref: ================================================================== BUG: KASAN: null-ptr-deref in bdi_split_work_to_wbs+0x5c5/0x7b0 Write of size 8 at addr 0000000000000000 by task sync/943 CPU: 5 PID: 943 Comm: sync Tainted: 6.3.0-rc5-next-20230406-dirty #461 Call Trace: <TASK> dump_stack_lvl+0x7f/0xc0 print_report+0x2ba/0x340 kasan_report+0xc4/0x120 kasan_check_range+0x1b7/0x2e0 __kasan_check_write+0x24/0x40 bdi_split_work_to_wbs+0x5c5/0x7b0 sync_inodes_sb+0x195/0x630 sync_inodes_one_sb+0x3a/0x50 iterate_supers+0x106/0x1b0 ksys_sync+0x98/0x160 [...] ================================================================== The race that causes the above issue is as follows: cpu1 cpu2 -------------------------|------------------------- inode_switch_wbs INIT_WORK(&isw->work, inode_switch_wbs_work_fn) queue_rcu_work(isw_wq, &isw->work) // queue_work async inode_switch_wbs_work_fn wb_put_many(old_wb, nr_switched) percpu_ref_put_many ref->data->release(ref) cgwb_release queue_work(cgwb_release_wq, &wb->release_work) // queue_work async &wb->release_work cgwb_release_workfn ksys_sync iterate_supers sync_inodes_one_sb sync_inodes_sb bdi_split_work_to_wbs kmalloc(sizeof(*work), GFP_ATOMIC) // alloc memory failed percpu_ref_exit ref->data = NULL kfree(data) wb_get(wb) percpu_ref_get(&wb->refcnt) percpu_ref_get_many(ref, 1) atomic_long_add(nr, &ref->data->count) atomic64_add(i, v) // trigger null-ptr-deref bdi_split_work_to_wbs() traverses &bdi->wb_list to split work into all wbs. If the allocation of new work fails, the on-stack fallback will be used and the reference count of the current wb is increased afterwards. If cgroup writeback membership switches occur before getting the reference count and the current wb is released as old_wd, then calling wb_get() or wb_put() will trigger the null pointer dereference above. This issue was introduced in v4.3-rc7 (see fix tag1). Both sync_inodes_sb() and __writeback_inodes_sb_nr() calls to bdi_split_work_to_wbs() can trigger this issue. For scenarios called via sync_inodes_sb(), originally commit 7fc5854f8c6e ("writeback: synchronize sync(2) against cgroup writeback membership switches") reduced the possibility of the issue by adding wb_switch_rwsem, but in v5.14-rc1 (see fix tag2) removed the "inode_io_list_del_locked(inode, old_wb)" from inode_switch_wbs_work_fn() so that wb->state contains WB_has_dirty_io, thus old_wb is not skipped when traversing wbs in bdi_split_work_to_wbs(), and the issue becomes easily reproducible again. To solve this problem, percpu_ref_exit() is called under RCU protection to avoid race between cgwb_release_workfn() and bdi_split_work_to_wbs(). Moreover, replace wb_get() with wb_tryget() in bdi_split_work_to_wbs(), and skip the current wb if wb_tryget() fails because the wb has already been shutdown. Fixes: b817525a4a80 ("writeback: bdi_writeback iteration must not skip dying ones") Fixes: f3b6a6df38aa ("writeback, cgroup: keep list of inodes attached to bdi_writeback") Cc: stable(a)vger.kernel.org Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- V1->V2: Use RCU instead of wb_switch_rwsem to avoid race. fs/fs-writeback.c | 17 ++++++++++------- mm/backing-dev.c | 12 ++++++++++-- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c index 195dc23e0d83..1db3e3c24b43 100644 --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -978,6 +978,16 @@ static void bdi_split_work_to_wbs(struct backing_dev_info *bdi, continue; } + /* + * If wb_tryget fails, the wb has been shutdown, skip it. + * + * Pin @wb so that it stays on @bdi->wb_list. This allows + * continuing iteration from @wb after dropping and + * regrabbing rcu read lock. + */ + if (!wb_tryget(wb)) + continue; + /* alloc failed, execute synchronously using on-stack fallback */ work = &fallback_work; *work = *base_work; @@ -986,13 +996,6 @@ static void bdi_split_work_to_wbs(struct backing_dev_info *bdi, work->done = &fallback_work_done; wb_queue_work(wb, work); - - /* - * Pin @wb so that it stays on @bdi->wb_list. This allows - * continuing iteration from @wb after dropping and - * regrabbing rcu read lock. - */ - wb_get(wb); last_wb = wb; rcu_read_unlock(); diff --git a/mm/backing-dev.c b/mm/backing-dev.c index ad011308cebe..43b48750b491 100644 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -507,6 +507,15 @@ static LIST_HEAD(offline_cgwbs); static void cleanup_offline_cgwbs_workfn(struct work_struct *work); static DECLARE_WORK(cleanup_offline_cgwbs_work, cleanup_offline_cgwbs_workfn); +static void cgwb_free_rcu(struct rcu_head *rcu_head) +{ + struct bdi_writeback *wb = container_of(rcu_head, + struct bdi_writeback, rcu); + + percpu_ref_exit(&wb->refcnt); + kfree(wb); +} + static void cgwb_release_workfn(struct work_struct *work) { struct bdi_writeback *wb = container_of(work, struct bdi_writeback, @@ -529,11 +538,10 @@ static void cgwb_release_workfn(struct work_struct *work) list_del(&wb->offline_node); spin_unlock_irq(&cgwb_lock); - percpu_ref_exit(&wb->refcnt); wb_exit(wb); bdi_put(bdi); WARN_ON_ONCE(!list_empty(&wb->b_attached)); - kfree_rcu(wb, rcu); + call_rcu(&wb->rcu, cgwb_free_rcu); } static void cgwb_release(struct percpu_ref *refcnt) -- 2.31.1

1 year, 7 months

5
7
0 0

[net v2] net: ethernet: mtk_eth_soc: drop generic vlan rx offload, only use DSA untagging

by Frank Wunderlich

From: Felix Fietkau <nbd(a)nbd.name> Through testing I found out that hardware vlan rx offload support seems to have some hardware issues. At least when using multiple MACs and when receiving tagged packets on the secondary MAC, the hardware can sometimes start to emit wrong tags on the first MAC as well. In order to avoid such issues, drop the feature configuration and use the offload feature only for DSA hardware untagging on MT7621/MT7622 devices where this feature works properly. Fixes: 08666cbb7dd5 ("net: ethernet: mtk_eth_soc: add support for configuring vlan rx offload") Tested-by: Frank Wunderlich <frank-w(a)public-files.de> Signed-off-by: Felix Fietkau <nbd(a)nbd.name> Signed-off-by: Frank Wunderlich <frank-w(a)public-files.de> Tested-by: Arınç ÜNAL <arinc.unal(a)arinc9.com> --- v2: - changed commit message to drop "only one MAC used" phrase based on Arincs comments - fixed too long line in commit description and add empty line after declaration - add fixes tag used felix Patch as base and ported up to 6.3-rc6 it basicly reverts changes from vladimirs patch 1a3245fe0cf8 net: ethernet: mtk_eth_soc: fix DSA TX tag hwaccel for switch port 0 tested this on bananapi-r3 on non-dsa gmac1 and dsa eth0 (wan). on both vlan is working, but maybe it breaks HW-vlan-untagging --- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 106 ++++++++------------ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 - 2 files changed, 40 insertions(+), 67 deletions(-) diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c index 9e948d091a69..a75fd072082c 100644 --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c @@ -1918,9 +1918,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, while (done < budget) { unsigned int pktlen, *rxdcsum; - bool has_hwaccel_tag = false; struct net_device *netdev; - u16 vlan_proto, vlan_tci; dma_addr_t dma_addr; u32 hash, reason; int mac = 0; @@ -2055,31 +2053,16 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, skb_checksum_none_assert(skb); skb->protocol = eth_type_trans(skb, netdev); - if (netdev->features & NETIF_F_HW_VLAN_CTAG_RX) { - if (MTK_HAS_CAPS(eth->soc->caps, MTK_NETSYS_V2)) { - if (trxd.rxd3 & RX_DMA_VTAG_V2) { - vlan_proto = RX_DMA_VPID(trxd.rxd4); - vlan_tci = RX_DMA_VID(trxd.rxd4); - has_hwaccel_tag = true; - } - } else if (trxd.rxd2 & RX_DMA_VTAG) { - vlan_proto = RX_DMA_VPID(trxd.rxd3); - vlan_tci = RX_DMA_VID(trxd.rxd3); - has_hwaccel_tag = true; - } - } - /* When using VLAN untagging in combination with DSA, the * hardware treats the MTK special tag as a VLAN and untags it. */ - if (has_hwaccel_tag && netdev_uses_dsa(netdev)) { - unsigned int port = vlan_proto & GENMASK(2, 0); + if (!MTK_HAS_CAPS(eth->soc->caps, MTK_NETSYS_V2) && + (trxd.rxd2 & RX_DMA_VTAG) && netdev_uses_dsa(netdev)) { + unsigned int port = RX_DMA_VPID(trxd.rxd3) & GENMASK(2, 0); if (port < ARRAY_SIZE(eth->dsa_meta) && eth->dsa_meta[port]) skb_dst_set_noref(skb, &eth->dsa_meta[port]->dst); - } else if (has_hwaccel_tag) { - __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vlan_tci); } if (reason == MTK_PPE_CPU_REASON_HIT_UNBIND_RATE_REACHED) @@ -2907,29 +2890,11 @@ static netdev_features_t mtk_fix_features(struct net_device *dev, static int mtk_set_features(struct net_device *dev, netdev_features_t features) { - struct mtk_mac *mac = netdev_priv(dev); - struct mtk_eth *eth = mac->hw; netdev_features_t diff = dev->features ^ features; - int i; if ((diff & NETIF_F_LRO) && !(features & NETIF_F_LRO)) mtk_hwlro_netdev_disable(dev); - /* Set RX VLAN offloading */ - if (!(diff & NETIF_F_HW_VLAN_CTAG_RX)) - return 0; - - mtk_w32(eth, !!(features & NETIF_F_HW_VLAN_CTAG_RX), - MTK_CDMP_EG_CTRL); - - /* sync features with other MAC */ - for (i = 0; i < MTK_MAC_COUNT; i++) { - if (!eth->netdev[i] || eth->netdev[i] == dev) - continue; - eth->netdev[i]->features &= ~NETIF_F_HW_VLAN_CTAG_RX; - eth->netdev[i]->features |= features & NETIF_F_HW_VLAN_CTAG_RX; - } - return 0; } @@ -3247,30 +3212,6 @@ static int mtk_open(struct net_device *dev) struct mtk_eth *eth = mac->hw; int i, err; - if (mtk_uses_dsa(dev) && !eth->prog) { - for (i = 0; i < ARRAY_SIZE(eth->dsa_meta); i++) { - struct metadata_dst *md_dst = eth->dsa_meta[i]; - - if (md_dst) - continue; - - md_dst = metadata_dst_alloc(0, METADATA_HW_PORT_MUX, - GFP_KERNEL); - if (!md_dst) - return -ENOMEM; - - md_dst->u.port_info.port_id = i; - eth->dsa_meta[i] = md_dst; - } - } else { - /* Hardware special tag parsing needs to be disabled if at least - * one MAC does not use DSA. - */ - u32 val = mtk_r32(eth, MTK_CDMP_IG_CTRL); - val &= ~MTK_CDMP_STAG_EN; - mtk_w32(eth, val, MTK_CDMP_IG_CTRL); - } - err = phylink_of_phy_connect(mac->phylink, mac->of_node, 0); if (err) { netdev_err(dev, "%s: could not attach PHY: %d\n", __func__, @@ -3309,6 +3250,40 @@ static int mtk_open(struct net_device *dev) phylink_start(mac->phylink); netif_tx_start_all_queues(dev); + if (MTK_HAS_CAPS(eth->soc->caps, MTK_NETSYS_V2)) + return 0; + + if (mtk_uses_dsa(dev) && !eth->prog) { + for (i = 0; i < ARRAY_SIZE(eth->dsa_meta); i++) { + struct metadata_dst *md_dst = eth->dsa_meta[i]; + + if (md_dst) + continue; + + md_dst = metadata_dst_alloc(0, METADATA_HW_PORT_MUX, + GFP_KERNEL); + if (!md_dst) + return -ENOMEM; + + md_dst->u.port_info.port_id = i; + eth->dsa_meta[i] = md_dst; + } + } else { + /* Hardware special tag parsing needs to be disabled if at least + * one MAC does not use DSA. + */ + u32 val = mtk_r32(eth, MTK_CDMP_IG_CTRL); + + val &= ~MTK_CDMP_STAG_EN; + mtk_w32(eth, val, MTK_CDMP_IG_CTRL); + + val = mtk_r32(eth, MTK_CDMQ_IG_CTRL); + val &= ~MTK_CDMQ_STAG_EN; + mtk_w32(eth, val, MTK_CDMQ_IG_CTRL); + + mtk_w32(eth, 0, MTK_CDMP_EG_CTRL); + } + return 0; } @@ -3793,10 +3768,9 @@ static int mtk_hw_init(struct mtk_eth *eth, bool reset) if (!MTK_HAS_CAPS(eth->soc->caps, MTK_NETSYS_V2)) { val = mtk_r32(eth, MTK_CDMP_IG_CTRL); mtk_w32(eth, val | MTK_CDMP_STAG_EN, MTK_CDMP_IG_CTRL); - } - /* Enable RX VLan Offloading */ - mtk_w32(eth, 1, MTK_CDMP_EG_CTRL); + mtk_w32(eth, 1, MTK_CDMP_EG_CTRL); + } /* set interrupt delays based on current Net DIM sample */ mtk_dim_rx(&eth->rx_dim.work); @@ -4453,7 +4427,7 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np) eth->netdev[id]->hw_features |= NETIF_F_LRO; eth->netdev[id]->vlan_features = eth->soc->hw_features & - ~(NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX); + ~NETIF_F_HW_VLAN_CTAG_TX; eth->netdev[id]->features |= eth->soc->hw_features; eth->netdev[id]->ethtool_ops = &mtk_ethtool_ops; diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h index cdcf8534283e..707445f6bcb1 100644 --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h @@ -48,7 +48,6 @@ #define MTK_HW_FEATURES (NETIF_F_IP_CSUM | \ NETIF_F_RXCSUM | \ NETIF_F_HW_VLAN_CTAG_TX | \ - NETIF_F_HW_VLAN_CTAG_RX | \ NETIF_F_SG | NETIF_F_TSO | \ NETIF_F_TSO6 | \ NETIF_F_IPV6_CSUM |\ -- 2.34.1

1 year, 7 months

5
7
0 0

[RESEND PATCH 4.14 v3 1/5] iio: counter: 104-quad-8: Fix race condition between FLAG and CNTR reads

by William Breathitt Gray

commit 4aa3b75c74603c3374877d5fd18ad9cc3a9a62ed upstream. The Counter (CNTR) register is 24 bits wide, but we can have an effective 25-bit count value by setting bit 24 to the XOR of the Borrow flag and Carry flag. The flags can be read from the FLAG register, but a race condition exists: the Borrow flag and Carry flag are instantaneous and could change by the time the count value is read from the CNTR register. Since the race condition could result in an incorrect 25-bit count value, remove support for 25-bit count values from this driver. Fixes: 28e5d3bb0325 ("iio: 104-quad-8: Add IIO support for the ACCES 104-QUAD-8") Cc: <stable(a)vger.kernel.org> # 4.14.x Signed-off-by: William Breathitt Gray <william.gray(a)linaro.org> --- drivers/iio/counter/104-quad-8.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/drivers/iio/counter/104-quad-8.c b/drivers/iio/counter/104-quad-8.c index 181585ae6..bdb07694e 100644 --- a/drivers/iio/counter/104-quad-8.c +++ b/drivers/iio/counter/104-quad-8.c @@ -64,9 +64,6 @@ static int quad8_read_raw(struct iio_dev *indio_dev, { struct quad8_iio *const priv = iio_priv(indio_dev); const int base_offset = priv->base + 2 * chan->channel; - unsigned int flags; - unsigned int borrow; - unsigned int carry; int i; switch (mask) { @@ -76,12 +73,7 @@ static int quad8_read_raw(struct iio_dev *indio_dev, return IIO_VAL_INT; } - flags = inb(base_offset + 1); - borrow = flags & BIT(0); - carry = !!(flags & BIT(1)); - - /* Borrow XOR Carry effectively doubles count range */ - *val = (borrow ^ carry) << 24; + *val = 0; /* Reset Byte Pointer; transfer Counter to Output Latch */ outb(0x11, base_offset + 1); base-commit: f03c8bbaf6d9cbebee390e8353c5df75293aff7c -- 2.39.2

1 year, 7 months

3
9
0 0

[PATCH 6.3 00/11] 6.3.1-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.3.1 release. There are 11 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 30 Apr 2023 11:20:30 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.3.1-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.3.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.3.1-rc1 Stephen Boyd <swboyd(a)chromium.org> driver core: Don't require dynamic_debug for initcall_debug probe timing Arınç ÜNAL <arinc.unal(a)arinc9.com> USB: serial: option: add UNISOC vendor and TOZED LT70C product Vlastimil Babka <vbabka(a)suse.cz> mm/mremap: fix vm_pgoff in vma_merge() case 3 Genjian Zhang <zhanggenjian(a)kylinos.cn> btrfs: fix uninitialized variable warnings Marek Vasut <marex(a)denx.de> wifi: brcmfmac: add Cypress 43439 SDIO ids Ruihan Li <lrh2000(a)pku.edu.cn> bluetooth: Perform careful capability checks in hci_sock_ioctl() Werner Sembach <wse(a)tuxedocomputers.com> gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xNU Eric Biggers <ebiggers(a)google.com> fsverity: explicitly check for buffer overflow in build_merkle_tree() Daniel Vetter <daniel.vetter(a)ffwll.ch> drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var Eric Biggers <ebiggers(a)google.com> fsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds Jisoo Jang <jisoo.jang(a)yonsei.ac.kr> wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() ------------- Diffstat: Makefile | 4 ++-- drivers/base/dd.c | 7 ++++++- drivers/gpio/gpiolib-acpi.c | 13 +++++++++++++ drivers/gpu/drm/drm_fb_helper.c | 3 +++ .../net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 9 ++++++++- .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++ drivers/usb/serial/option.c | 6 ++++++ fs/btrfs/send.c | 2 +- fs/btrfs/volumes.c | 2 +- fs/verity/enable.c | 17 +++++++++++++++++ include/linux/mmc/sdio_ids.h | 5 ++++- mm/mmap.c | 2 +- net/bluetooth/hci_sock.c | 9 ++++++++- 13 files changed, 75 insertions(+), 9 deletions(-)

1 year, 7 months

10
20
0 0

[PATCH 1/2] drm/dsc: fix drm_edp_dsc_sink_output_bpp() DPCD high byte usage

by Jani Nikula

The operator precedence between << and & is wrong, leading to the high byte being completely ignored. For example, with the 6.4 format, 32 becomes 0 and 24 becomes 8. Fix it, and remove the slightly confusing and unnecessary DP_DSC_MAX_BITS_PER_PIXEL_HI_SHIFT macro while at it. Fixes: 0575650077ea ("drm/dp: DRM DP helper/macros to get DP sink DSC parameters") Cc: Stanislav Lisovskiy <stanislav.lisovskiy(a)intel.com> Cc: Manasi Navare <navaremanasi(a)google.com> Cc: Anusha Srivatsa <anusha.srivatsa(a)intel.com> Cc: <stable(a)vger.kernel.org> # v5.0+ Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> --- include/drm/display/drm_dp.h | 1 - include/drm/display/drm_dp_helper.h | 5 ++--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/include/drm/display/drm_dp.h b/include/drm/display/drm_dp.h index 358db4a9f167..89d5a700b04d 100644 --- a/include/drm/display/drm_dp.h +++ b/include/drm/display/drm_dp.h @@ -286,7 +286,6 @@ #define DP_DSC_MAX_BITS_PER_PIXEL_HI 0x068 /* eDP 1.4 */ # define DP_DSC_MAX_BITS_PER_PIXEL_HI_MASK (0x3 << 0) -# define DP_DSC_MAX_BITS_PER_PIXEL_HI_SHIFT 8 # define DP_DSC_MAX_BPP_DELTA_VERSION_MASK 0x06 # define DP_DSC_MAX_BPP_DELTA_AVAILABILITY 0x08 diff --git a/include/drm/display/drm_dp_helper.h b/include/drm/display/drm_dp_helper.h index 533d3ee7fe05..86f24a759268 100644 --- a/include/drm/display/drm_dp_helper.h +++ b/include/drm/display/drm_dp_helper.h @@ -181,9 +181,8 @@ static inline u16 drm_edp_dsc_sink_output_bpp(const u8 dsc_dpcd[DP_DSC_RECEIVER_CAP_SIZE]) { return dsc_dpcd[DP_DSC_MAX_BITS_PER_PIXEL_LOW - DP_DSC_SUPPORT] | - (dsc_dpcd[DP_DSC_MAX_BITS_PER_PIXEL_HI - DP_DSC_SUPPORT] & - DP_DSC_MAX_BITS_PER_PIXEL_HI_MASK << - DP_DSC_MAX_BITS_PER_PIXEL_HI_SHIFT); + ((dsc_dpcd[DP_DSC_MAX_BITS_PER_PIXEL_HI - DP_DSC_SUPPORT] & + DP_DSC_MAX_BITS_PER_PIXEL_HI_MASK) << 8); } static inline u32 -- 2.39.2

1 year, 7 months

2
2
0 0

[PATCH 5.15 00/13] 5.15.110-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.110 release. There are 13 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 30 Apr 2023 11:20:30 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.110-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.110-rc1 Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: No need to relocate the dtb as it lies in the fixmap region Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Do not set initial_boot_params to the linear address of the dtb Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Move early dtb mapping into the fixmap region Matthieu Baerts <matthieu.baerts(a)tessares.net> selftests: mptcp: join: fix "invalid address, ADD_ADDR timeout" Stephen Boyd <swboyd(a)chromium.org> driver core: Don't require dynamic_debug for initcall_debug probe timing Arınç ÜNAL <arinc.unal(a)arinc9.com> USB: serial: option: add UNISOC vendor and TOZED LT70C product Ruihan Li <lrh2000(a)pku.edu.cn> bluetooth: Perform careful capability checks in hci_sock_ioctl() Daniel Vetter <daniel.vetter(a)ffwll.ch> drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var Jisoo Jang <jisoo.jang(a)yonsei.ac.kr> wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Dan Carpenter <dan.carpenter(a)linaro.org> KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() David Matlack <dmatlack(a)google.com> KVM: arm64: Retry fault if vma_lookup() results become invalid SeongJae Park <sjpark(a)amazon.de> selftests/kselftest/runner/run_one(): allow running non-executable files Kai-Heng Feng <kai.heng.feng(a)canonical.com> PCI/ASPM: Remove pcie_aspm_pm_state_change() ------------- Diffstat: Documentation/riscv/vm-layout.rst | 2 +- Makefile | 4 +- arch/arm64/kvm/mmu.c | 47 +++++++-------- arch/arm64/kvm/psci.c | 2 + arch/riscv/include/asm/fixmap.h | 8 +++ arch/riscv/include/asm/pgtable.h | 8 ++- arch/riscv/kernel/setup.c | 6 +- arch/riscv/mm/init.c | 68 ++++++++++++---------- drivers/base/dd.c | 7 ++- drivers/gpu/drm/drm_fb_helper.c | 3 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 5 ++ drivers/pci/pci.c | 3 - drivers/pci/pci.h | 2 - drivers/pci/pcie/aspm.c | 19 ------ drivers/usb/serial/option.c | 6 ++ net/bluetooth/hci_sock.c | 9 ++- tools/testing/selftests/kselftest/runner.sh | 28 +++++---- tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +- 18 files changed, 124 insertions(+), 105 deletions(-)

1 year, 7 months

8
20
0 0

[PATCH 6.1 00/16] 6.1.27-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.27 release. There are 16 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 30 Apr 2023 11:20:30 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.27-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.27-rc1 Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: No need to relocate the dtb as it lies in the fixmap region Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Do not set initial_boot_params to the linear address of the dtb Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Move early dtb mapping into the fixmap region Stephen Boyd <swboyd(a)chromium.org> driver core: Don't require dynamic_debug for initcall_debug probe timing Arınç ÜNAL <arinc.unal(a)arinc9.com> USB: serial: option: add UNISOC vendor and TOZED LT70C product Genjian Zhang <zhanggenjian(a)kylinos.cn> btrfs: fix uninitialized variable warnings Ruihan Li <lrh2000(a)pku.edu.cn> bluetooth: Perform careful capability checks in hci_sock_ioctl() Werner Sembach <wse(a)tuxedocomputers.com> gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xNU Daniel Vetter <daniel.vetter(a)ffwll.ch> drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var Jisoo Jang <jisoo.jang(a)yonsei.ac.kr> wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Paolo Abeni <pabeni(a)redhat.com> mptcp: fix accept vs worker race Paolo Abeni <pabeni(a)redhat.com> mptcp: stops worker on unaccepted sockets at listener close Liam R. Howlett <Liam.Howlett(a)oracle.com> mm/mempolicy: fix use-after-free of VMA iterator David Matlack <dmatlack(a)google.com> KVM: arm64: Retry fault if vma_lookup() results become invalid Florian Fainelli <f.fainelli(a)gmail.com> phy: phy-brcm-usb: Utilize platform_get_irq_byname_optional() David Gow <davidgow(a)google.com> um: Only disable SSE on clang to work around old GCC bugs ------------- Diffstat: Documentation/riscv/vm-layout.rst | 4 +- Makefile | 4 +- arch/arm64/kvm/mmu.c | 47 ++++----- arch/riscv/include/asm/fixmap.h | 8 ++ arch/riscv/include/asm/pgtable.h | 8 +- arch/riscv/kernel/setup.c | 6 +- arch/riscv/mm/init.c | 82 +++++++-------- arch/x86/Makefile.um | 5 + drivers/base/dd.c | 7 +- drivers/gpio/gpiolib-acpi.c | 13 +++ drivers/gpu/drm/drm_fb_helper.c | 3 + .../broadcom/brcm80211/brcmfmac/cfg80211.c | 5 + drivers/phy/broadcom/phy-brcm-usb.c | 4 +- drivers/usb/serial/option.c | 6 ++ fs/btrfs/send.c | 2 +- fs/btrfs/volumes.c | 2 +- mm/mempolicy.c | 115 ++++++++++----------- net/bluetooth/hci_sock.c | 9 +- net/mptcp/protocol.c | 74 ++++++++----- net/mptcp/protocol.h | 2 + net/mptcp/subflow.c | 80 +++++++++++++- 21 files changed, 309 insertions(+), 177 deletions(-)

1 year, 7 months

11
26
0 0

[PATCH 6.2 00/15] 6.2.14-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.2.14 release. There are 15 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun, 30 Apr 2023 11:20:30 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.2.14-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.2.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.2.14-rc1 Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: No need to relocate the dtb as it lies in the fixmap region Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Do not set initial_boot_params to the linear address of the dtb Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Move early dtb mapping into the fixmap region Stephen Boyd <swboyd(a)chromium.org> driver core: Don't require dynamic_debug for initcall_debug probe timing Arınç ÜNAL <arinc.unal(a)arinc9.com> USB: serial: option: add UNISOC vendor and TOZED LT70C product Genjian Zhang <zhanggenjian(a)kylinos.cn> btrfs: fix uninitialized variable warnings Marek Vasut <marex(a)denx.de> wifi: brcmfmac: add Cypress 43439 SDIO ids Ruihan Li <lrh2000(a)pku.edu.cn> bluetooth: Perform careful capability checks in hci_sock_ioctl() Werner Sembach <wse(a)tuxedocomputers.com> gpiolib: acpi: Add a ignore wakeup quirk for Clevo NL5xNU Daniel Vetter <daniel.vetter(a)ffwll.ch> drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var Jisoo Jang <jisoo.jang(a)yonsei.ac.kr> wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Liam R. Howlett <Liam.Howlett(a)oracle.com> mm/mempolicy: fix use-after-free of VMA iterator Ziwei Dai <ziwei.dai(a)unisoc.com> rcu/kvfree: Avoid freeing new kfree_rcu() memory after old grace period David Gow <davidgow(a)google.com> um: Only disable SSE on clang to work around old GCC bugs David Gow <davidgow(a)google.com> rust: arch/um: Disable FP/SIMD instruction to match x86 ------------- Diffstat: Documentation/riscv/vm-layout.rst | 6 +- Makefile | 4 +- arch/riscv/include/asm/fixmap.h | 8 ++ arch/riscv/include/asm/pgtable.h | 8 +- arch/riscv/kernel/setup.c | 6 +- arch/riscv/mm/init.c | 82 +++++++-------- arch/x86/Makefile.um | 11 ++ drivers/base/dd.c | 7 +- drivers/gpio/gpiolib-acpi.c | 13 +++ drivers/gpu/drm/drm_fb_helper.c | 3 + .../wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 9 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 5 + drivers/usb/serial/option.c | 6 ++ fs/btrfs/send.c | 2 +- fs/btrfs/volumes.c | 2 +- include/linux/mmc/sdio_ids.h | 5 +- kernel/rcu/tree.c | 27 +++-- mm/mempolicy.c | 115 ++++++++++----------- net/bluetooth/hci_sock.c | 9 +- 19 files changed, 194 insertions(+), 134 deletions(-)

1 year, 7 months

10
24
0 0

[PATCH] mm/mempolicy: Fix use-after-free of VMA iterator

by Liam R. Howlett

set_mempolicy_home_node() iterates over a list of VMAs and calls mbind_range() on each VMA, which also iterates over the singular list of the VMA passed in and potentially splits the VMA. Since the VMA iterator is not passed through, set_mempolicy_home_node() may now point to a stale node in the VMA tree. This can result in a UAF as reported by syzbot. Avoid the stale maple tree node by passing the VMA iterator through to the underlying call to split_vma(). mbind_range() is also overly complicated, since there are two calling functions and one already handles iterating over the VMAs. Simplify mbind_range() to only handle merging and splitting of the VMAs. Align the new loop in do_mbind() and existing loop in set_mempolicy_home_node() to use the reduced mbind_range() function. This allows for a single location of the range calculation and avoids constantly looking up the previous VMA (since this is a loop over the VMAs). Link: https://lore.kernel.org/linux-mm/000000000000c93feb05f87e24ad@google.com/ Reported-and-tested-by: syzbot+a7c1ec5b1d71ceaa5186(a)syzkaller.appspotmail.com Fixes: 66850be55e8e ("mm/mempolicy: use vma iterator & maple state instead of vma linked list") Cc: <stable(a)vger.kernel.org> Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> --- mm/mempolicy.c | 104 +++++++++++++++++++++++-------------------------- 1 file changed, 49 insertions(+), 55 deletions(-) diff --git a/mm/mempolicy.c b/mm/mempolicy.c index a256a241fd1d..2068b594dc88 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -790,61 +790,50 @@ static int vma_replace_policy(struct vm_area_struct *vma, return err; } -/* Step 2: apply policy to a range and do splits. */ -static int mbind_range(struct mm_struct *mm, unsigned long start, - unsigned long end, struct mempolicy *new_pol) +/* Split or merge the VMA (if required) and apply the new policy */ +static int mbind_range(struct vma_iterator *vmi, struct vm_area_struct *vma, + struct vm_area_struct **prev, unsigned long start, + unsigned long end, struct mempolicy *new_pol) { - VMA_ITERATOR(vmi, mm, start); - struct vm_area_struct *prev; - struct vm_area_struct *vma; - int err = 0; + struct vm_area_struct *merged; + unsigned long vmstart, vmend; pgoff_t pgoff; + int err; - prev = vma_prev(&vmi); - vma = vma_find(&vmi, end); - if (WARN_ON(!vma)) + vmend = min(end, vma->vm_end); + if (start > vma->vm_start) { + *prev = vma; + vmstart = start; + } else { + vmstart = vma->vm_start; + } + + if (mpol_equal(vma_policy(vma), new_pol)) return 0; - if (start > vma->vm_start) - prev = vma; - - do { - unsigned long vmstart = max(start, vma->vm_start); - unsigned long vmend = min(end, vma->vm_end); - - if (mpol_equal(vma_policy(vma), new_pol)) - goto next; - - pgoff = vma->vm_pgoff + - ((vmstart - vma->vm_start) >> PAGE_SHIFT); - prev = vma_merge(&vmi, mm, prev, vmstart, vmend, vma->vm_flags, - vma->anon_vma, vma->vm_file, pgoff, - new_pol, vma->vm_userfaultfd_ctx, - anon_vma_name(vma)); - if (prev) { - vma = prev; - goto replace; - } - if (vma->vm_start != vmstart) { - err = split_vma(&vmi, vma, vmstart, 1); - if (err) - goto out; - } - if (vma->vm_end != vmend) { - err = split_vma(&vmi, vma, vmend, 0); - if (err) - goto out; - } -replace: - err = vma_replace_policy(vma, new_pol); + pgoff = vma->vm_pgoff + ((vmstart - vma->vm_start) >> PAGE_SHIFT); + merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags, + vma->anon_vma, vma->vm_file, pgoff, new_pol, + vma->vm_userfaultfd_ctx, anon_vma_name(vma)); + if (merged) { + *prev = merged; + return vma_replace_policy(merged, new_pol); + } + + if (vma->vm_start != vmstart) { + err = split_vma(vmi, vma, vmstart, 1); if (err) - goto out; -next: - prev = vma; - } for_each_vma_range(vmi, vma, end); + return err; + } -out: - return err; + if (vma->vm_end != vmend) { + err = split_vma(vmi, vma, vmend, 0); + if (err) + return err; + } + + *prev = vma; + return vma_replace_policy(vma, new_pol); } /* Set the process memory policy */ @@ -1259,6 +1248,8 @@ static long do_mbind(unsigned long start, unsigned long len, nodemask_t *nmask, unsigned long flags) { struct mm_struct *mm = current->mm; + struct vm_area_struct *vma, *prev; + struct vma_iterator vmi; struct mempolicy *new; unsigned long end; int err; @@ -1328,7 +1319,13 @@ static long do_mbind(unsigned long start, unsigned long len, goto up_out; } - err = mbind_range(mm, start, end, new); + vma_iter_init(&vmi, mm, start); + prev = vma_prev(&vmi); + for_each_vma_range(vmi, vma, end) { + err = mbind_range(&vmi, vma, &prev, start, end, new); + if (err) + break; + } if (!err) { int nr_failed = 0; @@ -1489,10 +1486,8 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le unsigned long, home_node, unsigned long, flags) { struct mm_struct *mm = current->mm; - struct vm_area_struct *vma; + struct vm_area_struct *vma, *prev; struct mempolicy *new, *old; - unsigned long vmstart; - unsigned long vmend; unsigned long end; int err = -ENOENT; VMA_ITERATOR(vmi, mm, start); @@ -1521,6 +1516,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le if (end == start) return 0; mmap_write_lock(mm); + prev = vma_prev(&vmi); for_each_vma_range(vmi, vma, end) { /* * If any vma in the range got policy other than MPOL_BIND @@ -1541,9 +1537,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le } new->home_node = home_node; - vmstart = max(start, vma->vm_start); - vmend = min(end, vma->vm_end); - err = mbind_range(mm, vmstart, vmend, new); + err = mbind_range(&vmi, vma, &prev, start, end, new); mpol_put(new); if (err) break; -- 2.39.2

1 year, 7 months

4
4
0 0

[PATCH v2] aacraid: reply queue mapping to CPUs based of IRQ affinity

by Sagar Biradar

Fix the IO hang that arises because of MSIx vector not having a mapped online CPU upon receiving completion. This patch sets up a reply queue mapping to CPUs based on the IRQ affinity retrieved using pci_irq_get_affinity() API. aac_setup_reply_map() is an explicit mapping for internally generated (non-SCSI) cmds. The SCSI cmds take the blk_mq route, and the non-SCSI cmds are mapped to the reply_map. Reviewed-by: Gilbert Wu <gilbert.wu(a)microchip.com> Signed-off-by: Sagar Biradar <Sagar.Biradar(a)microchip.com> --- drivers/scsi/aacraid/aacraid.h | 1 + drivers/scsi/aacraid/comminit.c | 32 ++++++++++++++++++++++++++++++++ drivers/scsi/aacraid/commsup.c | 6 +++++- drivers/scsi/aacraid/linit.c | 25 +++++++++++++++++++++++++ drivers/scsi/aacraid/src.c | 13 +++++++++++-- 5 files changed, 74 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h index 5e115e8b2ba4..20f8560a3038 100644 --- a/drivers/scsi/aacraid/aacraid.h +++ b/drivers/scsi/aacraid/aacraid.h @@ -1678,6 +1678,7 @@ struct aac_dev u32 handle_pci_error; bool init_reset; u8 soft_reset_support; + unsigned int *reply_map; }; #define aac_adapter_interrupt(dev) \ diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c index bd99c5492b7d..6f4e40cdaade 100644 --- a/drivers/scsi/aacraid/comminit.c +++ b/drivers/scsi/aacraid/comminit.c @@ -33,6 +33,8 @@ #include "aacraid.h" +void aac_setup_reply_map(struct aac_dev *dev); + struct aac_common aac_config = { .irq_mod = 1 }; @@ -630,6 +632,9 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev) if (aac_is_src(dev)) aac_define_int_mode(dev); + + aac_setup_reply_map(dev); + /* * Ok now init the communication subsystem */ @@ -658,3 +663,30 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev) return dev; } +/* + * aac_setup_reply_map - This is an explicit mapping for + * internally generated (non-SCSI) cmds which need to be + * serviced outside of IO requests. + * The SCSI cmds take the blk_mq mechanism, + * and the non-SCSI cmds are mapped to the reply_map. + */ +void aac_setup_reply_map(struct aac_dev *dev) +{ + const struct cpumask *mask; + unsigned int i, cpu = 1; + + for (i = 1; i < dev->max_msix; i++) { + mask = pci_irq_get_affinity(dev->pdev, i); + if (!mask) + goto fallback; + + for_each_cpu(cpu, mask) { + dev->reply_map[cpu] = i; + } + } + return; + +fallback: + for_each_possible_cpu(cpu) + dev->reply_map[cpu] = 0; +} diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c index deb32c9f4b3e..3f062e4013ab 100644 --- a/drivers/scsi/aacraid/commsup.c +++ b/drivers/scsi/aacraid/commsup.c @@ -223,8 +223,12 @@ int aac_fib_setup(struct aac_dev * dev) struct fib *aac_fib_alloc_tag(struct aac_dev *dev, struct scsi_cmnd *scmd) { struct fib *fibptr; + u32 blk_tag; + int i; - fibptr = &dev->fibs[scsi_cmd_to_rq(scmd)->tag]; + blk_tag = blk_mq_unique_tag(scsi_cmd_to_rq(scmd)); + i = blk_mq_unique_tag_to_tag(blk_tag); + fibptr = &dev->fibs[i]; /* * Null out fields that depend on being zero at the start of * each I/O diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c index 5ba5c18b77b4..077adbcde909 100644 --- a/drivers/scsi/aacraid/linit.c +++ b/drivers/scsi/aacraid/linit.c @@ -34,6 +34,7 @@ #include <linux/delay.h> #include <linux/kthread.h> #include <linux/msdos_partition.h> +#include <linux/blk-mq-pci.h> #include <scsi/scsi.h> #include <scsi/scsi_cmnd.h> @@ -505,6 +506,16 @@ static int aac_slave_configure(struct scsi_device *sdev) return 0; } +static void aac_map_queues(struct Scsi_Host *shost) +{ + struct aac_dev *aac = (struct aac_dev *)shost->hostdata; + + blk_mq_pci_map_queues(&shost->tag_set.map[HCTX_TYPE_DEFAULT], + aac->pdev, 0); +} + + + /** * aac_change_queue_depth - alter queue depths * @sdev: SCSI device we are considering @@ -1489,6 +1500,7 @@ static struct scsi_host_template aac_driver_template = { .bios_param = aac_biosparm, .shost_groups = aac_host_groups, .slave_configure = aac_slave_configure, + .map_queues = aac_map_queues, .change_queue_depth = aac_change_queue_depth, .sdev_groups = aac_dev_groups, .eh_abort_handler = aac_eh_abort, @@ -1668,6 +1680,14 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) goto out_free_host; } + aac->reply_map = kzalloc(sizeof(unsigned int) * nr_cpu_ids, + GFP_KERNEL); + if (!aac->reply_map) { + error = -ENOMEM; + dev_err(&pdev->dev, "reply_map allocation failed\n"); + goto out_free_host; + } + spin_lock_init(&aac->fib_lock); mutex_init(&aac->ioctl_mutex); @@ -1776,6 +1796,8 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) shost->max_lun = AAC_MAX_LUN; pci_set_drvdata(pdev, shost); + shost->nr_hw_queues = aac->max_msix; + shost->host_tagset = 1; error = scsi_add_host(shost, &pdev->dev); if (error) @@ -1797,6 +1819,8 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id) aac->comm_addr, aac->comm_phys); kfree(aac->queues); aac_adapter_ioremap(aac, 0); + /* By now we should have configured the reply_map */ + kfree(aac->reply_map); kfree(aac->fibs); kfree(aac->fsa_dev); out_free_host: @@ -1918,6 +1942,7 @@ static void aac_remove_one(struct pci_dev *pdev) aac_adapter_ioremap(aac, 0); + kfree(aac->reply_map); kfree(aac->fibs); kfree(aac->fsa_dev); diff --git a/drivers/scsi/aacraid/src.c b/drivers/scsi/aacraid/src.c index 11ef58204e96..46c0f4df995d 100644 --- a/drivers/scsi/aacraid/src.c +++ b/drivers/scsi/aacraid/src.c @@ -493,6 +493,8 @@ static int aac_src_deliver_message(struct fib *fib) #endif u16 vector_no; + struct scsi_cmnd *scmd; + u32 blk_tag; atomic_inc(&q->numpending); @@ -505,8 +507,15 @@ static int aac_src_deliver_message(struct fib *fib) if ((dev->comm_interface == AAC_COMM_MESSAGE_TYPE3) && dev->sa_firmware) vector_no = aac_get_vector(dev); - else - vector_no = fib->vector_no; + else { + if (!fib->vector_no || !fib->callback_data) { + vector_no = dev->reply_map[raw_smp_processor_id()]; + } else { + scmd = (struct scsi_cmnd *)fib->callback_data; + blk_tag = blk_mq_unique_tag(scsi_cmd_to_rq(scmd)); + vector_no = blk_mq_unique_tag_to_hwq(blk_tag); + } + } if (native_hba) { if (fib->flags & FIB_CONTEXT_FLAG_NATIVE_HBA_TMF) { -- 2.29.0

1 year, 7 months

3
2
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2023