January 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] thermal: gov_power_allocator: avoid inability to reset a cdev" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x e95fa7404716f6e25021e66067271a4ad8eb1486 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012648-impending-gala-16f2@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: e95fa7404716 ("thermal: gov_power_allocator: avoid inability to reset a cdev") 94be1d27aa8d ("thermal: gov_power_allocator: Use trip pointers instead of trip indices") 2c7b4bfadef0 ("thermal: core: Store trip pointer in struct thermal_instance") 790930f44289 ("thermal: core: Introduce thermal_cooling_device_update()") c43198af05cf ("thermal: core: Introduce thermal_cooling_device_present()") 5b8de18ee902 ("thermal/core: Move the thermal trip code to a dedicated file") e6ec64f85237 ("thermal/drivers/qcom: Fix set_trip_temp() deadlock") 1fa86b0a3692 ("thermal/drivers/qcom: Use generic thermal_zone_get_trip() function") 7f725a23f2b7 ("thermal/core/governors: Use thermal_zone_get_trip() instead of ops functions") 2e38a2a981b2 ("thermal/core: Add a generic thermal_zone_set_trip() function") 7c3d5c20dc16 ("thermal/core: Add a generic thermal_zone_get_trip() function") 91b3aafc2238 ("thermal/core: Remove thermal_zone_set_trips()") 05eeee2b51b4 ("thermal/core: Protect sysfs accesses to thermal operations with thermal zone mutex") 1c439dec359c ("thermal/core: Introduce locked version of thermal_zone_device_update") a365105c685c ("thermal: sysfs: Reuse cdev->max_state") c408b3d1d9bb ("thermal: Validate new state in cur_state_store()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e95fa7404716f6e25021e66067271a4ad8eb1486 Mon Sep 17 00:00:00 2001 From: Di Shen <di.shen(a)unisoc.com> Date: Wed, 10 Jan 2024 19:55:26 +0800 Subject: [PATCH] thermal: gov_power_allocator: avoid inability to reset a cdev Commit 0952177f2a1f ("thermal/core/power_allocator: Update once cooling devices when temp is low") adds an update flag to avoid triggering a thermal event when there is no need, and the thermal cdev is updated once when the temperature is low. But when the trips are writable, and switch_on_temp is set to be a higher value, the cooling device state may not be reset to 0, because last_temperature is smaller than switch_on_temp. For example: First: switch_on_temp=70 control_temp=85; Then userspace change the trip_temp: switch_on_temp=45 control_temp=55 cur_temp=54 Then userspace reset the trip_temp: switch_on_temp=70 control_temp=85 cur_temp=57 last_temp=54 At this time, the cooling device state should be reset to 0. However, because cur_temp(57) < switch_on_temp(70) last_temp(54) < switch_on_temp(70) ----> update = false, update is false, the cooling device state can not be reset. Using the observation that tz->passive can also be regarded as the temperature status, set the update flag to the tz->passive value. When the temperature drops below switch_on for the first time, the states of cooling devices can be reset once, and tz->passive is updated to 0. In the next round, because tz->passive is 0, cdev->state will not be updated. By using the tz->passive value as the "update" flag, the issue above can be solved, and the cooling devices can be updated only once when the temperature is low. Fixes: 0952177f2a1f ("thermal/core/power_allocator: Update once cooling devices when temp is low") Cc: 5.13+ <stable(a)vger.kernel.org> # 5.13+ Suggested-by: Wei Wang <wvw(a)google.com> Signed-off-by: Di Shen <di.shen(a)unisoc.com> Reviewed-by: Lukasz Luba <lukasz.luba(a)arm.com> [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/gov_power_allocator.c b/drivers/thermal/gov_power_allocator.c index 7b6aa265ff6a..81e061f183ad 100644 --- a/drivers/thermal/gov_power_allocator.c +++ b/drivers/thermal/gov_power_allocator.c @@ -762,7 +762,7 @@ static int power_allocator_throttle(struct thermal_zone_device *tz, trip = params->trip_switch_on; if (trip && tz->temperature < trip->temperature) { - update = tz->last_temperature >= trip->temperature; + update = tz->passive; tz->passive = 0; reset_pid_controller(params); allow_maximum_power(tz, update);

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] thermal: gov_power_allocator: avoid inability to reset a cdev" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x e95fa7404716f6e25021e66067271a4ad8eb1486 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012646-bulb-spur-7ae9@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: e95fa7404716 ("thermal: gov_power_allocator: avoid inability to reset a cdev") 94be1d27aa8d ("thermal: gov_power_allocator: Use trip pointers instead of trip indices") 2c7b4bfadef0 ("thermal: core: Store trip pointer in struct thermal_instance") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e95fa7404716f6e25021e66067271a4ad8eb1486 Mon Sep 17 00:00:00 2001 From: Di Shen <di.shen(a)unisoc.com> Date: Wed, 10 Jan 2024 19:55:26 +0800 Subject: [PATCH] thermal: gov_power_allocator: avoid inability to reset a cdev Commit 0952177f2a1f ("thermal/core/power_allocator: Update once cooling devices when temp is low") adds an update flag to avoid triggering a thermal event when there is no need, and the thermal cdev is updated once when the temperature is low. But when the trips are writable, and switch_on_temp is set to be a higher value, the cooling device state may not be reset to 0, because last_temperature is smaller than switch_on_temp. For example: First: switch_on_temp=70 control_temp=85; Then userspace change the trip_temp: switch_on_temp=45 control_temp=55 cur_temp=54 Then userspace reset the trip_temp: switch_on_temp=70 control_temp=85 cur_temp=57 last_temp=54 At this time, the cooling device state should be reset to 0. However, because cur_temp(57) < switch_on_temp(70) last_temp(54) < switch_on_temp(70) ----> update = false, update is false, the cooling device state can not be reset. Using the observation that tz->passive can also be regarded as the temperature status, set the update flag to the tz->passive value. When the temperature drops below switch_on for the first time, the states of cooling devices can be reset once, and tz->passive is updated to 0. In the next round, because tz->passive is 0, cdev->state will not be updated. By using the tz->passive value as the "update" flag, the issue above can be solved, and the cooling devices can be updated only once when the temperature is low. Fixes: 0952177f2a1f ("thermal/core/power_allocator: Update once cooling devices when temp is low") Cc: 5.13+ <stable(a)vger.kernel.org> # 5.13+ Suggested-by: Wei Wang <wvw(a)google.com> Signed-off-by: Di Shen <di.shen(a)unisoc.com> Reviewed-by: Lukasz Luba <lukasz.luba(a)arm.com> [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/gov_power_allocator.c b/drivers/thermal/gov_power_allocator.c index 7b6aa265ff6a..81e061f183ad 100644 --- a/drivers/thermal/gov_power_allocator.c +++ b/drivers/thermal/gov_power_allocator.c @@ -762,7 +762,7 @@ static int power_allocator_throttle(struct thermal_zone_device *tz, trip = params->trip_switch_on; if (trip && tz->temperature < trip->temperature) { - update = tz->last_temperature >= trip->temperature; + update = tz->passive; tz->passive = 0; reset_pid_controller(params); allow_maximum_power(tz, update);

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] media: i2c: imx290: Properly encode registers as" failed to apply to 6.7-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.7-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.7.y git checkout FETCH_HEAD git cherry-pick -x 60fc87a69523c294eb23a1316af922f6665a6f8c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012627-siesta-magnetic-bcd0@gregkh' --subject-prefix 'PATCH 6.7.y' HEAD^.. Possible dependencies: 60fc87a69523 ("media: i2c: imx290: Properly encode registers as little-endian") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60fc87a69523c294eb23a1316af922f6665a6f8c Mon Sep 17 00:00:00 2001 From: Alexander Stein <alexander.stein(a)ew.tq-group.com> Date: Thu, 2 Nov 2023 10:50:48 +0100 Subject: [PATCH] media: i2c: imx290: Properly encode registers as little-endian The conversion to CCI also converted the multi-byte register access to big-endian. Correct the register definition by using the correct little-endian ones. Fixes: af73323b9770 ("media: imx290: Convert to new CCI register access helpers") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> [Sakari Ailus: Fixed the Fixes: tag.] Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> diff --git a/drivers/media/i2c/imx290.c b/drivers/media/i2c/imx290.c index 52ba6188911b..9967f3477433 100644 --- a/drivers/media/i2c/imx290.c +++ b/drivers/media/i2c/imx290.c @@ -41,18 +41,18 @@ #define IMX290_WINMODE_720P (1 << 4) #define IMX290_WINMODE_CROP (4 << 4) #define IMX290_FR_FDG_SEL CCI_REG8(0x3009) -#define IMX290_BLKLEVEL CCI_REG16(0x300a) +#define IMX290_BLKLEVEL CCI_REG16_LE(0x300a) #define IMX290_GAIN CCI_REG8(0x3014) -#define IMX290_VMAX CCI_REG24(0x3018) +#define IMX290_VMAX CCI_REG24_LE(0x3018) #define IMX290_VMAX_MAX 0x3ffff -#define IMX290_HMAX CCI_REG16(0x301c) +#define IMX290_HMAX CCI_REG16_LE(0x301c) #define IMX290_HMAX_MAX 0xffff -#define IMX290_SHS1 CCI_REG24(0x3020) +#define IMX290_SHS1 CCI_REG24_LE(0x3020) #define IMX290_WINWV_OB CCI_REG8(0x303a) -#define IMX290_WINPV CCI_REG16(0x303c) -#define IMX290_WINWV CCI_REG16(0x303e) -#define IMX290_WINPH CCI_REG16(0x3040) -#define IMX290_WINWH CCI_REG16(0x3042) +#define IMX290_WINPV CCI_REG16_LE(0x303c) +#define IMX290_WINWV CCI_REG16_LE(0x303e) +#define IMX290_WINPH CCI_REG16_LE(0x3040) +#define IMX290_WINWH CCI_REG16_LE(0x3042) #define IMX290_OUT_CTRL CCI_REG8(0x3046) #define IMX290_ODBIT_10BIT (0 << 0) #define IMX290_ODBIT_12BIT (1 << 0) @@ -78,28 +78,28 @@ #define IMX290_ADBIT2 CCI_REG8(0x317c) #define IMX290_ADBIT2_10BIT 0x12 #define IMX290_ADBIT2_12BIT 0x00 -#define IMX290_CHIP_ID CCI_REG16(0x319a) +#define IMX290_CHIP_ID CCI_REG16_LE(0x319a) #define IMX290_ADBIT3 CCI_REG8(0x31ec) #define IMX290_ADBIT3_10BIT 0x37 #define IMX290_ADBIT3_12BIT 0x0e #define IMX290_REPETITION CCI_REG8(0x3405) #define IMX290_PHY_LANE_NUM CCI_REG8(0x3407) #define IMX290_OPB_SIZE_V CCI_REG8(0x3414) -#define IMX290_Y_OUT_SIZE CCI_REG16(0x3418) -#define IMX290_CSI_DT_FMT CCI_REG16(0x3441) +#define IMX290_Y_OUT_SIZE CCI_REG16_LE(0x3418) +#define IMX290_CSI_DT_FMT CCI_REG16_LE(0x3441) #define IMX290_CSI_DT_FMT_RAW10 0x0a0a #define IMX290_CSI_DT_FMT_RAW12 0x0c0c #define IMX290_CSI_LANE_MODE CCI_REG8(0x3443) -#define IMX290_EXTCK_FREQ CCI_REG16(0x3444) -#define IMX290_TCLKPOST CCI_REG16(0x3446) -#define IMX290_THSZERO CCI_REG16(0x3448) -#define IMX290_THSPREPARE CCI_REG16(0x344a) -#define IMX290_TCLKTRAIL CCI_REG16(0x344c) -#define IMX290_THSTRAIL CCI_REG16(0x344e) -#define IMX290_TCLKZERO CCI_REG16(0x3450) -#define IMX290_TCLKPREPARE CCI_REG16(0x3452) -#define IMX290_TLPX CCI_REG16(0x3454) -#define IMX290_X_OUT_SIZE CCI_REG16(0x3472) +#define IMX290_EXTCK_FREQ CCI_REG16_LE(0x3444) +#define IMX290_TCLKPOST CCI_REG16_LE(0x3446) +#define IMX290_THSZERO CCI_REG16_LE(0x3448) +#define IMX290_THSPREPARE CCI_REG16_LE(0x344a) +#define IMX290_TCLKTRAIL CCI_REG16_LE(0x344c) +#define IMX290_THSTRAIL CCI_REG16_LE(0x344e) +#define IMX290_TCLKZERO CCI_REG16_LE(0x3450) +#define IMX290_TCLKPREPARE CCI_REG16_LE(0x3452) +#define IMX290_TLPX CCI_REG16_LE(0x3454) +#define IMX290_X_OUT_SIZE CCI_REG16_LE(0x3472) #define IMX290_INCKSEL7 CCI_REG8(0x3480) #define IMX290_PGCTRL_REGEN BIT(0)

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] media: i2c: imx290: Properly encode registers as" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 60fc87a69523c294eb23a1316af922f6665a6f8c # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012626-lyrically-lifting-ba4e@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 60fc87a69523 ("media: i2c: imx290: Properly encode registers as little-endian") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 60fc87a69523c294eb23a1316af922f6665a6f8c Mon Sep 17 00:00:00 2001 From: Alexander Stein <alexander.stein(a)ew.tq-group.com> Date: Thu, 2 Nov 2023 10:50:48 +0100 Subject: [PATCH] media: i2c: imx290: Properly encode registers as little-endian The conversion to CCI also converted the multi-byte register access to big-endian. Correct the register definition by using the correct little-endian ones. Fixes: af73323b9770 ("media: imx290: Convert to new CCI register access helpers") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> [Sakari Ailus: Fixed the Fixes: tag.] Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> diff --git a/drivers/media/i2c/imx290.c b/drivers/media/i2c/imx290.c index 52ba6188911b..9967f3477433 100644 --- a/drivers/media/i2c/imx290.c +++ b/drivers/media/i2c/imx290.c @@ -41,18 +41,18 @@ #define IMX290_WINMODE_720P (1 << 4) #define IMX290_WINMODE_CROP (4 << 4) #define IMX290_FR_FDG_SEL CCI_REG8(0x3009) -#define IMX290_BLKLEVEL CCI_REG16(0x300a) +#define IMX290_BLKLEVEL CCI_REG16_LE(0x300a) #define IMX290_GAIN CCI_REG8(0x3014) -#define IMX290_VMAX CCI_REG24(0x3018) +#define IMX290_VMAX CCI_REG24_LE(0x3018) #define IMX290_VMAX_MAX 0x3ffff -#define IMX290_HMAX CCI_REG16(0x301c) +#define IMX290_HMAX CCI_REG16_LE(0x301c) #define IMX290_HMAX_MAX 0xffff -#define IMX290_SHS1 CCI_REG24(0x3020) +#define IMX290_SHS1 CCI_REG24_LE(0x3020) #define IMX290_WINWV_OB CCI_REG8(0x303a) -#define IMX290_WINPV CCI_REG16(0x303c) -#define IMX290_WINWV CCI_REG16(0x303e) -#define IMX290_WINPH CCI_REG16(0x3040) -#define IMX290_WINWH CCI_REG16(0x3042) +#define IMX290_WINPV CCI_REG16_LE(0x303c) +#define IMX290_WINWV CCI_REG16_LE(0x303e) +#define IMX290_WINPH CCI_REG16_LE(0x3040) +#define IMX290_WINWH CCI_REG16_LE(0x3042) #define IMX290_OUT_CTRL CCI_REG8(0x3046) #define IMX290_ODBIT_10BIT (0 << 0) #define IMX290_ODBIT_12BIT (1 << 0) @@ -78,28 +78,28 @@ #define IMX290_ADBIT2 CCI_REG8(0x317c) #define IMX290_ADBIT2_10BIT 0x12 #define IMX290_ADBIT2_12BIT 0x00 -#define IMX290_CHIP_ID CCI_REG16(0x319a) +#define IMX290_CHIP_ID CCI_REG16_LE(0x319a) #define IMX290_ADBIT3 CCI_REG8(0x31ec) #define IMX290_ADBIT3_10BIT 0x37 #define IMX290_ADBIT3_12BIT 0x0e #define IMX290_REPETITION CCI_REG8(0x3405) #define IMX290_PHY_LANE_NUM CCI_REG8(0x3407) #define IMX290_OPB_SIZE_V CCI_REG8(0x3414) -#define IMX290_Y_OUT_SIZE CCI_REG16(0x3418) -#define IMX290_CSI_DT_FMT CCI_REG16(0x3441) +#define IMX290_Y_OUT_SIZE CCI_REG16_LE(0x3418) +#define IMX290_CSI_DT_FMT CCI_REG16_LE(0x3441) #define IMX290_CSI_DT_FMT_RAW10 0x0a0a #define IMX290_CSI_DT_FMT_RAW12 0x0c0c #define IMX290_CSI_LANE_MODE CCI_REG8(0x3443) -#define IMX290_EXTCK_FREQ CCI_REG16(0x3444) -#define IMX290_TCLKPOST CCI_REG16(0x3446) -#define IMX290_THSZERO CCI_REG16(0x3448) -#define IMX290_THSPREPARE CCI_REG16(0x344a) -#define IMX290_TCLKTRAIL CCI_REG16(0x344c) -#define IMX290_THSTRAIL CCI_REG16(0x344e) -#define IMX290_TCLKZERO CCI_REG16(0x3450) -#define IMX290_TCLKPREPARE CCI_REG16(0x3452) -#define IMX290_TLPX CCI_REG16(0x3454) -#define IMX290_X_OUT_SIZE CCI_REG16(0x3472) +#define IMX290_EXTCK_FREQ CCI_REG16_LE(0x3444) +#define IMX290_TCLKPOST CCI_REG16_LE(0x3446) +#define IMX290_THSZERO CCI_REG16_LE(0x3448) +#define IMX290_THSPREPARE CCI_REG16_LE(0x344a) +#define IMX290_TCLKTRAIL CCI_REG16_LE(0x344c) +#define IMX290_THSTRAIL CCI_REG16_LE(0x344e) +#define IMX290_TCLKZERO CCI_REG16_LE(0x3450) +#define IMX290_TCLKPREPARE CCI_REG16_LE(0x3452) +#define IMX290_TLPX CCI_REG16_LE(0x3454) +#define IMX290_X_OUT_SIZE CCI_REG16_LE(0x3472) #define IMX290_INCKSEL7 CCI_REG8(0x3480) #define IMX290_PGCTRL_REGEN BIT(0)

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012633-expenses-vastly-81bc@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 832dd634bd1b ("arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD") 546b7cde9b1d ("arm64: Rename ARM64_WORKAROUND_2966298") 471470bc7052 ("arm64: errata: Add Cortex-A520 speculative unprivileged load workaround") cce8365fc47b ("arm64: errata: Group all Cortex-A510 errata together") e8069f5a8e3b ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f Mon Sep 17 00:00:00 2001 From: Mark Rutland <mark.rutland(a)arm.com> Date: Tue, 16 Jan 2024 11:02:20 +0000 Subject: [PATCH] arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't quite right, as it is supposed to be applied after the last explicit memory access, but is immediately followed by an LDR. The ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to handle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295, which are described in: * https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en * https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en In both cases the workaround is described as: | If pagetable isolation is disabled, the context switch logic in the | kernel can be updated to execute the following sequence on affected | cores before exiting to EL0, and after all explicit memory accesses: | | 1. A non-shareable TLBI to any context and/or address, including | unused contexts or addresses, such as a `TLBI VALE1 Xzr`. | | 2. A DSB NSH to guarantee completion of the TLBI. The important part being that the TLBI+DSB must be placed "after all explicit memory accesses". Unfortunately, as-implemented, the TLBI+DSB is immediately followed by an LDR, as we have: | alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD | tlbi vale1, xzr | dsb nsh | alternative_else_nop_endif | alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0 | ldr lr, [sp, #S_LR] | add sp, sp, #PT_REGS_SIZE // restore sp | eret | alternative_else_nop_endif | | [ ... KPTI exception return path ... ] This patch fixes this by reworking the logic to place the TLBI+DSB immediately before the ERET, after all explicit memory accesses. The ERET is currently in a separate alternative block, and alternatives cannot be nested. To account for this, the alternative block for ARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch to skip the KPTI logic, with the new shape of the logic being: | alternative_insn "b .L_skip_tramp_exit_\@", nop, ARM64_UNMAP_KERNEL_AT_EL0 | [ ... KPTI exception return path ... ] | .L_skip_tramp_exit_\@: | | ldr lr, [sp, #S_LR] | add sp, sp, #PT_REGS_SIZE // restore sp | | alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD | tlbi vale1, xzr | dsb nsh | alternative_else_nop_endif | eret The new structure means that the workaround is only applied when KPTI is not in use; this is fine as noted in the documented implications of the erratum: | Pagetable isolation between EL0 and higher level ELs prevents the | issue from occurring. ... and as per the workaround description quoted above, the workaround is only necessary "If pagetable isolation is disabled". Fixes: 471470bc7052 ("arm64: errata: Add Cortex-A520 speculative unprivileged load workaround") Signed-off-by: Mark Rutland <mark.rutland(a)arm.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: James Morse <james.morse(a)arm.com> Cc: Rob Herring <robh(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240116110221.420467-2-mark.rutland@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 544ab46649f3..7fcbee0f6c0e 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -428,16 +428,9 @@ alternative_else_nop_endif ldp x28, x29, [sp, #16 * 14] .if \el == 0 -alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD - tlbi vale1, xzr - dsb nsh -alternative_else_nop_endif -alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0 - ldr lr, [sp, #S_LR] - add sp, sp, #PT_REGS_SIZE // restore sp - eret -alternative_else_nop_endif #ifdef CONFIG_UNMAP_KERNEL_AT_EL0 + alternative_insn "b .L_skip_tramp_exit_\@", nop, ARM64_UNMAP_KERNEL_AT_EL0 + msr far_el1, x29 ldr_this_cpu x30, this_cpu_vector, x29 @@ -446,7 +439,18 @@ alternative_else_nop_endif ldr lr, [sp, #S_LR] // restore x30 add sp, sp, #PT_REGS_SIZE // restore sp br x29 + +.L_skip_tramp_exit_\@: #endif + ldr lr, [sp, #S_LR] + add sp, sp, #PT_REGS_SIZE // restore sp + + /* This must be after the last explicit memory access */ +alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD + tlbi vale1, xzr + dsb nsh +alternative_else_nop_endif + eret .else ldr lr, [sp, #S_LR] add sp, sp, #PT_REGS_SIZE // restore sp

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] arm64: errata: Add Cortex-A510 speculative unprivileged load" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f827bcdafa2a2ac21c91e47f587e8d0c76195409 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012602-carbon-unsworn-d737@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: f827bcdafa2a ("arm64: errata: Add Cortex-A510 speculative unprivileged load workaround") 546b7cde9b1d ("arm64: Rename ARM64_WORKAROUND_2966298") 471470bc7052 ("arm64: errata: Add Cortex-A520 speculative unprivileged load workaround") cce8365fc47b ("arm64: errata: Group all Cortex-A510 errata together") 6df696cd9bc1 ("arm64: errata: Mitigate Ampere1 erratum AC03_CPU_38 at stage-2") 52b603628a2c ("Merge branch kvm-arm64/parallel-access-faults into kvmarm/next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f827bcdafa2a2ac21c91e47f587e8d0c76195409 Mon Sep 17 00:00:00 2001 From: Rob Herring <robh(a)kernel.org> Date: Wed, 10 Jan 2024 11:29:21 -0600 Subject: [PATCH] arm64: errata: Add Cortex-A510 speculative unprivileged load workaround Implement the workaround for ARM Cortex-A510 erratum 3117295. On an affected Cortex-A510 core, a speculatively executed unprivileged load might leak data from a privileged load via a cache side channel. The issue only exists for loads within a translation regime with the same translation (e.g. same ASID and VMID). Therefore, the issue only affects the return to EL0. The erratum and workaround are the same as ARM Cortex-A520 erratum 2966298, so reuse the existing workaround. Cc: stable(a)vger.kernel.org Signed-off-by: Rob Herring <robh(a)kernel.org> Reviewed-by: Mark Rutland <mark.rutland(a)arm.com> Link: https://lore.kernel.org/r/20240110-arm-errata-a510-v1-2-d02bc51aeeee@kernel… Signed-off-by: Will Deacon <will(a)kernel.org> diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst index f47f63bcf67c..7acd64c61f50 100644 --- a/Documentation/arch/arm64/silicon-errata.rst +++ b/Documentation/arch/arm64/silicon-errata.rst @@ -71,6 +71,8 @@ stable kernels. +----------------+-----------------+-----------------+-----------------------------+ | ARM | Cortex-A510 | #2658417 | ARM64_ERRATUM_2658417 | +----------------+-----------------+-----------------+-----------------------------+ +| ARM | Cortex-A510 | #3117295 | ARM64_ERRATUM_3117295 | ++----------------+-----------------+-----------------+-----------------------------+ | ARM | Cortex-A520 | #2966298 | ARM64_ERRATUM_2966298 | +----------------+-----------------+-----------------+-----------------------------+ | ARM | Cortex-A53 | #826319 | ARM64_ERRATUM_826319 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 96f31e235a1a..bfd275249366 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1054,6 +1054,20 @@ config ARM64_ERRATUM_2966298 If unsure, say Y. +config ARM64_ERRATUM_3117295 + bool "Cortex-A510: 3117295: workaround for speculatively executed unprivileged load" + select ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD + default y + help + This option adds the workaround for ARM Cortex-A510 erratum 3117295. + + On an affected Cortex-A510 core, a speculatively executed unprivileged + load might leak data from a privileged level via a cache side channel. + + Work around this problem by executing a TLBI before returning to EL0. + + If unsure, say Y. + config CAVIUM_ERRATUM_22375 bool "Cavium erratum 22375, 24313" default y diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c index cb5e0622168d..967c7c7a4e7d 100644 --- a/arch/arm64/kernel/cpu_errata.c +++ b/arch/arm64/kernel/cpu_errata.c @@ -416,6 +416,19 @@ static struct midr_range broken_aarch32_aes[] = { }; #endif /* CONFIG_ARM64_WORKAROUND_TRBE_WRITE_OUT_OF_RANGE */ +#ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD +static const struct midr_range erratum_spec_unpriv_load_list[] = { +#ifdef CONFIG_ARM64_ERRATUM_3117295 + MIDR_ALL_VERSIONS(MIDR_CORTEX_A510), +#endif +#ifdef CONFIG_ARM64_ERRATUM_2966298 + /* Cortex-A520 r0p0 to r0p1 */ + MIDR_REV_RANGE(MIDR_CORTEX_A520, 0, 0, 1), +#endif + {}, +}; +#endif + const struct arm64_cpu_capabilities arm64_errata[] = { #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE { @@ -715,10 +728,10 @@ const struct arm64_cpu_capabilities arm64_errata[] = { #endif #ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD { - .desc = "ARM erratum 2966298", + .desc = "ARM errata 2966298, 3117295", .capability = ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD, /* Cortex-A520 r0p0 - r0p1 */ - ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A520, 0, 0, 1), + ERRATA_MIDR_RANGE_LIST(erratum_spec_unpriv_load_list), }, #endif #ifdef CONFIG_AMPERE_ERRATUM_AC03_CPU_38

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] media: v4l2-cci: Add support for little-endian encoded" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x d92e7a013ff33f4e0b31bbf768d0c85a8acefebf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012607-foam-lavish-8c79@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: d92e7a013ff3 ("media: v4l2-cci: Add support for little-endian encoded registers") cd93cc245dfe ("media: v4l: cci: Add macros to obtain register width and address") eba5058633b4 ("media: v4l: cci: Include linux/bits.h") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d92e7a013ff33f4e0b31bbf768d0c85a8acefebf Mon Sep 17 00:00:00 2001 From: Alexander Stein <alexander.stein(a)ew.tq-group.com> Date: Thu, 2 Nov 2023 10:50:47 +0100 Subject: [PATCH] media: v4l2-cci: Add support for little-endian encoded registers Some sensors, e.g. Sony IMX290, are using little-endian registers. Add support for those by encoding the endianness into Bit 20 of the register address. Fixes: af73323b9770 ("media: imx290: Convert to new CCI register access helpers") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> [Sakari Ailus: Fixed commit message.] Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> diff --git a/drivers/media/v4l2-core/v4l2-cci.c b/drivers/media/v4l2-core/v4l2-cci.c index 3179160abde3..10005c80f43b 100644 --- a/drivers/media/v4l2-core/v4l2-cci.c +++ b/drivers/media/v4l2-core/v4l2-cci.c @@ -18,6 +18,7 @@ int cci_read(struct regmap *map, u32 reg, u64 *val, int *err) { + bool little_endian; unsigned int len; u8 buf[8]; int ret; @@ -25,6 +26,7 @@ int cci_read(struct regmap *map, u32 reg, u64 *val, int *err) if (err && *err) return *err; + little_endian = reg & CCI_REG_LE; len = CCI_REG_WIDTH_BYTES(reg); reg = CCI_REG_ADDR(reg); @@ -40,16 +42,28 @@ int cci_read(struct regmap *map, u32 reg, u64 *val, int *err) *val = buf[0]; break; case 2: - *val = get_unaligned_be16(buf); + if (little_endian) + *val = get_unaligned_le16(buf); + else + *val = get_unaligned_be16(buf); break; case 3: - *val = get_unaligned_be24(buf); + if (little_endian) + *val = get_unaligned_le24(buf); + else + *val = get_unaligned_be24(buf); break; case 4: - *val = get_unaligned_be32(buf); + if (little_endian) + *val = get_unaligned_le32(buf); + else + *val = get_unaligned_be32(buf); break; case 8: - *val = get_unaligned_be64(buf); + if (little_endian) + *val = get_unaligned_le64(buf); + else + *val = get_unaligned_be64(buf); break; default: dev_err(regmap_get_device(map), "Error invalid reg-width %u for reg 0x%04x\n", @@ -68,6 +82,7 @@ EXPORT_SYMBOL_GPL(cci_read); int cci_write(struct regmap *map, u32 reg, u64 val, int *err) { + bool little_endian; unsigned int len; u8 buf[8]; int ret; @@ -75,6 +90,7 @@ int cci_write(struct regmap *map, u32 reg, u64 val, int *err) if (err && *err) return *err; + little_endian = reg & CCI_REG_LE; len = CCI_REG_WIDTH_BYTES(reg); reg = CCI_REG_ADDR(reg); @@ -83,16 +99,28 @@ int cci_write(struct regmap *map, u32 reg, u64 val, int *err) buf[0] = val; break; case 2: - put_unaligned_be16(val, buf); + if (little_endian) + put_unaligned_le16(val, buf); + else + put_unaligned_be16(val, buf); break; case 3: - put_unaligned_be24(val, buf); + if (little_endian) + put_unaligned_le24(val, buf); + else + put_unaligned_be24(val, buf); break; case 4: - put_unaligned_be32(val, buf); + if (little_endian) + put_unaligned_le32(val, buf); + else + put_unaligned_be32(val, buf); break; case 8: - put_unaligned_be64(val, buf); + if (little_endian) + put_unaligned_le64(val, buf); + else + put_unaligned_be64(val, buf); break; default: dev_err(regmap_get_device(map), "Error invalid reg-width %u for reg 0x%04x\n", diff --git a/include/media/v4l2-cci.h b/include/media/v4l2-cci.h index 406772a4e32e..4e96e90ee636 100644 --- a/include/media/v4l2-cci.h +++ b/include/media/v4l2-cci.h @@ -43,12 +43,17 @@ struct cci_reg_sequence { #define CCI_REG_WIDTH_BYTES(x) FIELD_GET(CCI_REG_WIDTH_MASK, x) #define CCI_REG_WIDTH(x) (CCI_REG_WIDTH_BYTES(x) << 3) #define CCI_REG_ADDR(x) FIELD_GET(CCI_REG_ADDR_MASK, x) +#define CCI_REG_LE BIT(20) #define CCI_REG8(x) ((1 << CCI_REG_WIDTH_SHIFT) | (x)) #define CCI_REG16(x) ((2 << CCI_REG_WIDTH_SHIFT) | (x)) #define CCI_REG24(x) ((3 << CCI_REG_WIDTH_SHIFT) | (x)) #define CCI_REG32(x) ((4 << CCI_REG_WIDTH_SHIFT) | (x)) #define CCI_REG64(x) ((8 << CCI_REG_WIDTH_SHIFT) | (x)) +#define CCI_REG16_LE(x) (CCI_REG_LE | (2U << CCI_REG_WIDTH_SHIFT) | (x)) +#define CCI_REG24_LE(x) (CCI_REG_LE | (3U << CCI_REG_WIDTH_SHIFT) | (x)) +#define CCI_REG32_LE(x) (CCI_REG_LE | (4U << CCI_REG_WIDTH_SHIFT) | (x)) +#define CCI_REG64_LE(x) (CCI_REG_LE | (8U << CCI_REG_WIDTH_SHIFT) | (x)) /** * cci_read() - Read a value from a single CCI register

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] media: v4l2-cci: Add support for little-endian encoded" failed to apply to 6.7-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.7-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.7.y git checkout FETCH_HEAD git cherry-pick -x d92e7a013ff33f4e0b31bbf768d0c85a8acefebf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012606-frill-unheated-ca08@gregkh' --subject-prefix 'PATCH 6.7.y' HEAD^.. Possible dependencies: d92e7a013ff3 ("media: v4l2-cci: Add support for little-endian encoded registers") cd93cc245dfe ("media: v4l: cci: Add macros to obtain register width and address") eba5058633b4 ("media: v4l: cci: Include linux/bits.h") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d92e7a013ff33f4e0b31bbf768d0c85a8acefebf Mon Sep 17 00:00:00 2001 From: Alexander Stein <alexander.stein(a)ew.tq-group.com> Date: Thu, 2 Nov 2023 10:50:47 +0100 Subject: [PATCH] media: v4l2-cci: Add support for little-endian encoded registers Some sensors, e.g. Sony IMX290, are using little-endian registers. Add support for those by encoding the endianness into Bit 20 of the register address. Fixes: af73323b9770 ("media: imx290: Convert to new CCI register access helpers") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> Reviewed-by: Hans de Goede <hdegoede(a)redhat.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> [Sakari Ailus: Fixed commit message.] Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> diff --git a/drivers/media/v4l2-core/v4l2-cci.c b/drivers/media/v4l2-core/v4l2-cci.c index 3179160abde3..10005c80f43b 100644 --- a/drivers/media/v4l2-core/v4l2-cci.c +++ b/drivers/media/v4l2-core/v4l2-cci.c @@ -18,6 +18,7 @@ int cci_read(struct regmap *map, u32 reg, u64 *val, int *err) { + bool little_endian; unsigned int len; u8 buf[8]; int ret; @@ -25,6 +26,7 @@ int cci_read(struct regmap *map, u32 reg, u64 *val, int *err) if (err && *err) return *err; + little_endian = reg & CCI_REG_LE; len = CCI_REG_WIDTH_BYTES(reg); reg = CCI_REG_ADDR(reg); @@ -40,16 +42,28 @@ int cci_read(struct regmap *map, u32 reg, u64 *val, int *err) *val = buf[0]; break; case 2: - *val = get_unaligned_be16(buf); + if (little_endian) + *val = get_unaligned_le16(buf); + else + *val = get_unaligned_be16(buf); break; case 3: - *val = get_unaligned_be24(buf); + if (little_endian) + *val = get_unaligned_le24(buf); + else + *val = get_unaligned_be24(buf); break; case 4: - *val = get_unaligned_be32(buf); + if (little_endian) + *val = get_unaligned_le32(buf); + else + *val = get_unaligned_be32(buf); break; case 8: - *val = get_unaligned_be64(buf); + if (little_endian) + *val = get_unaligned_le64(buf); + else + *val = get_unaligned_be64(buf); break; default: dev_err(regmap_get_device(map), "Error invalid reg-width %u for reg 0x%04x\n", @@ -68,6 +82,7 @@ EXPORT_SYMBOL_GPL(cci_read); int cci_write(struct regmap *map, u32 reg, u64 val, int *err) { + bool little_endian; unsigned int len; u8 buf[8]; int ret; @@ -75,6 +90,7 @@ int cci_write(struct regmap *map, u32 reg, u64 val, int *err) if (err && *err) return *err; + little_endian = reg & CCI_REG_LE; len = CCI_REG_WIDTH_BYTES(reg); reg = CCI_REG_ADDR(reg); @@ -83,16 +99,28 @@ int cci_write(struct regmap *map, u32 reg, u64 val, int *err) buf[0] = val; break; case 2: - put_unaligned_be16(val, buf); + if (little_endian) + put_unaligned_le16(val, buf); + else + put_unaligned_be16(val, buf); break; case 3: - put_unaligned_be24(val, buf); + if (little_endian) + put_unaligned_le24(val, buf); + else + put_unaligned_be24(val, buf); break; case 4: - put_unaligned_be32(val, buf); + if (little_endian) + put_unaligned_le32(val, buf); + else + put_unaligned_be32(val, buf); break; case 8: - put_unaligned_be64(val, buf); + if (little_endian) + put_unaligned_le64(val, buf); + else + put_unaligned_be64(val, buf); break; default: dev_err(regmap_get_device(map), "Error invalid reg-width %u for reg 0x%04x\n", diff --git a/include/media/v4l2-cci.h b/include/media/v4l2-cci.h index 406772a4e32e..4e96e90ee636 100644 --- a/include/media/v4l2-cci.h +++ b/include/media/v4l2-cci.h @@ -43,12 +43,17 @@ struct cci_reg_sequence { #define CCI_REG_WIDTH_BYTES(x) FIELD_GET(CCI_REG_WIDTH_MASK, x) #define CCI_REG_WIDTH(x) (CCI_REG_WIDTH_BYTES(x) << 3) #define CCI_REG_ADDR(x) FIELD_GET(CCI_REG_ADDR_MASK, x) +#define CCI_REG_LE BIT(20) #define CCI_REG8(x) ((1 << CCI_REG_WIDTH_SHIFT) | (x)) #define CCI_REG16(x) ((2 << CCI_REG_WIDTH_SHIFT) | (x)) #define CCI_REG24(x) ((3 << CCI_REG_WIDTH_SHIFT) | (x)) #define CCI_REG32(x) ((4 << CCI_REG_WIDTH_SHIFT) | (x)) #define CCI_REG64(x) ((8 << CCI_REG_WIDTH_SHIFT) | (x)) +#define CCI_REG16_LE(x) (CCI_REG_LE | (2U << CCI_REG_WIDTH_SHIFT) | (x)) +#define CCI_REG24_LE(x) (CCI_REG_LE | (3U << CCI_REG_WIDTH_SHIFT) | (x)) +#define CCI_REG32_LE(x) (CCI_REG_LE | (4U << CCI_REG_WIDTH_SHIFT) | (x)) +#define CCI_REG64_LE(x) (CCI_REG_LE | (8U << CCI_REG_WIDTH_SHIFT) | (x)) /** * cci_read() - Read a value from a single CCI register

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] media: mtk-jpeg: Fix use after free bug due to error path" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 206c857dd17d4d026de85866f1b5f0969f2a109e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012658-recycler-purity-f7c1@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 206c857dd17d ("media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run") 2023a9981111 ("media: platform: rename mediatek/mtk-jpeg/ to mediatek/jpeg/") 63fe3d27b226 ("media: platform/*/Kconfig: make manufacturer menus more uniform") f2ab6d3e8c48 ("media: platform: Create vendor/{Makefile,Kconfig} files") 8148baabd1c4 ("media: platform: re-structure TI drivers") 012e3ca3cb4d ("media: platform: rename omap/ to ti/omap/") ceafdaac46ea ("media: platform: rename omap3isp/ to ti/omap3isp/") d24a170bde65 ("media: platform: rename davinci/ to ti/davinci/") 407965e2348e ("media: platform: rename am437x/ to ti/am437x/") e7b8153e2a4f ("media: platform: place stm32/ and sti/ under st/ dir") 43ecec16c4fa ("media: platform: rename s5p-mfc/ to samsung/s5p-mfc/") f4104b7851a8 ("media: platform: rename s5p-jpeg/ to samsung/s5p-jpeg/") a7f3b2d32dab ("media: platform: rename s5p-g2d/ to samsung/s5p-g2d/") c1024049033f ("media: platform: rename s3c-camif/ to samsung/s3c-camif/") 3bae07d4b44c ("media: platform: rename exynos-gsc/ to samsung/exynos-gsc/") 238c84f71120 ("media: platform: rename exynos4-is/ to samsung/exynos4-is/") 9b18ef7c9ff4 ("media: platform: rename tegra/vde/ to nvidia/tegra-vde/") 574476a7d05d ("media: platform: rename mtk-vpu/ to mediatek/mtk-vpu/") 728dc4075acc ("media: platform: rename mtk-vcodec/ to mediatek/mtk-vcodec/") 1cb72963fa1e ("media: platform: rename mtk-mdp/ to mediatek/mtk-mdp/") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 206c857dd17d4d026de85866f1b5f0969f2a109e Mon Sep 17 00:00:00 2001 From: Zheng Wang <zyytlz.wz(a)163.com> Date: Mon, 6 Nov 2023 15:48:10 +0100 Subject: [PATCH] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Cc: stable(a)vger.kernel.org Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 7c2e6a2f6c40..63165f05e123 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1020,13 +1020,13 @@ static void mtk_jpeg_dec_device_run(void *priv) if (ret < 0) goto dec_end; - schedule_delayed_work(&jpeg->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) goto dec_end; + schedule_delayed_work(&jpeg->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&jpeg->hw_lock, flags); mtk_jpeg_dec_reset(jpeg->reg_base); mtk_jpeg_dec_set_config(jpeg->reg_base,

1 year, 4 months

1
0
0 0

FAILED: patch "[PATCH] media: mtk-jpeg: Fix use after free bug due to error path" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 206c857dd17d4d026de85866f1b5f0969f2a109e # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024012656-unaligned-conductor-4ef5@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: 206c857dd17d ("media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run") 2023a9981111 ("media: platform: rename mediatek/mtk-jpeg/ to mediatek/jpeg/") 63fe3d27b226 ("media: platform/*/Kconfig: make manufacturer menus more uniform") f2ab6d3e8c48 ("media: platform: Create vendor/{Makefile,Kconfig} files") 8148baabd1c4 ("media: platform: re-structure TI drivers") 012e3ca3cb4d ("media: platform: rename omap/ to ti/omap/") ceafdaac46ea ("media: platform: rename omap3isp/ to ti/omap3isp/") d24a170bde65 ("media: platform: rename davinci/ to ti/davinci/") 407965e2348e ("media: platform: rename am437x/ to ti/am437x/") e7b8153e2a4f ("media: platform: place stm32/ and sti/ under st/ dir") 43ecec16c4fa ("media: platform: rename s5p-mfc/ to samsung/s5p-mfc/") f4104b7851a8 ("media: platform: rename s5p-jpeg/ to samsung/s5p-jpeg/") a7f3b2d32dab ("media: platform: rename s5p-g2d/ to samsung/s5p-g2d/") c1024049033f ("media: platform: rename s3c-camif/ to samsung/s3c-camif/") 3bae07d4b44c ("media: platform: rename exynos-gsc/ to samsung/exynos-gsc/") 238c84f71120 ("media: platform: rename exynos4-is/ to samsung/exynos4-is/") 9b18ef7c9ff4 ("media: platform: rename tegra/vde/ to nvidia/tegra-vde/") 574476a7d05d ("media: platform: rename mtk-vpu/ to mediatek/mtk-vpu/") 728dc4075acc ("media: platform: rename mtk-vcodec/ to mediatek/mtk-vcodec/") 1cb72963fa1e ("media: platform: rename mtk-mdp/ to mediatek/mtk-mdp/") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 206c857dd17d4d026de85866f1b5f0969f2a109e Mon Sep 17 00:00:00 2001 From: Zheng Wang <zyytlz.wz(a)163.com> Date: Mon, 6 Nov 2023 15:48:10 +0100 Subject: [PATCH] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Cc: stable(a)vger.kernel.org Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 7c2e6a2f6c40..63165f05e123 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1020,13 +1020,13 @@ static void mtk_jpeg_dec_device_run(void *priv) if (ret < 0) goto dec_end; - schedule_delayed_work(&jpeg->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) goto dec_end; + schedule_delayed_work(&jpeg->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&jpeg->hw_lock, flags); mtk_jpeg_dec_reset(jpeg->reg_base); mtk_jpeg_dec_set_config(jpeg->reg_base,

1 year, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror January 2024