October 2024 - Linux-stable-mirror

[PATCH] arm64: dts: mediatek: mt8186-corsola: Fix IT6505 reset line polarity

by Chen-Yu Tsai

The reset line of the IT6505 bridge chip is active low, not active high. It was incorrectly inverted in the device tree as the implementation at the time incorrectly inverted the polarity in its driver, due to a prior device having an inline inverting level shifter. Fix the polarity now while the external display pipeline is incomplete, thereby avoiding any impact to running systems. A matching fix for the driver should be included if this change is backported. Fixes: 8855d01fb81f ("arm64: dts: mediatek: Add MT8186 Krabby platform based Tentacruel / Tentacool") Cc: <stable(a)vger.kernel.org> Signed-off-by: Chen-Yu Tsai <wenst(a)chromium.org> --- The matching driver change can be found at https://lore.kernel.org/all/20241029095411.657616-1-wenst@chromium.org/ arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi index e3b58641f2c9..43c83620e479 100644 --- a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi +++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi @@ -422,7 +422,7 @@ it6505dptx: dp-bridge@5c { #sound-dai-cells = <0>; ovdd-supply = <&mt6366_vsim2_reg>; pwr18-supply = <&pp1800_dpbrdg_dx>; - reset-gpios = <&pio 177 GPIO_ACTIVE_HIGH>; + reset-gpios = <&pio 177 GPIO_ACTIVE_LOW>; ports { #address-cells = <1>; -- 2.47.0.163.g1226f6d8fa-goog

5 months, 2 weeks

2
1
0 0

[PATCH 6.1 000/137] 6.1.115-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.115 release. There are 137 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 30 Oct 2024 06:22:39 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.115-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.115-rc1 junhua huang <huang.junhua(a)zte.com.cn> arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning Dan Carpenter <dan.carpenter(a)linaro.org> ACPI: PRM: Clean up guid type in struct prm_handler_info Armin Wolf <W_Armin(a)gmx.de> platform/x86: dell-wmi: Ignore suspend notifications Zichen Xie <zichenxie0106(a)gmail.com> ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() Xinyu Zhang <xizhang(a)purestorage.com> block: fix sanity checks in blk_rq_map_user_bvec Michel Alex <Alex.Michel(a)wiedemann-group.com> net: phy: dp83822: Fix reset pin definitions Jiri Slaby (SUSE) <jirislaby(a)kernel.org> serial: protect uart_port_dtr_rts() in uart_shutdown() too Paul Moore <paul(a)paul-moore.com> selinux: improve error checking in sel_write_load() Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too Haiyang Zhang <haiyangz(a)microsoft.com> hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Petr Vaganov <p.vaganov(a)ideco.ru> xfrm: fix one more kernel-infoleak in algo dumping Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Get correct cores_per_package for SMT systems José Relvas <josemonsantorelvas(a)gmail.com> ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Marc Zyngier <maz(a)kernel.org> KVM: arm64: Don't eagerly teardown the vgic on init error Sean Christopherson <seanjc(a)google.com> KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Aleksa Sarai <cyphar(a)cyphar.com> openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix kernel bug due to missing clearing of buffer delay flag Shubham Panwar <shubiisp8(a)gmail.com> ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Koba Ko <kobak(a)nvidia.com> ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context Christian Heusel <christian(a)heusel.eu> ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Guard against bad data for ATIF ACPI method Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix zone unusable accounting for freed reserved extent Yue Haibing <yuehaibing(a)huawei.com> btrfs: fix passing 0 to ERR_PTR in btrfs_search_dir_index_item() liwei <liwei728(a)huawei.com> cpufreq: CPPC: fix perf_to_khz/khz_to_perf conversion exception Vincent Guittot <vincent.guittot(a)linaro.org> cpufreq/cppc: Move and rename cppc_cpufreq_{perf_to_khz|khz_to_perf}() Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Update default depop procedure Yuan Can <yuancan(a)huawei.com> powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request() Andrey Shumilin <shum.sdl(a)nppct.ru> ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Miquel Raynal <miquel.raynal(a)bootlin.com> ASoC: dt-bindings: davinci-mcasp: Fix interrupt properties Miquel Raynal <miquel.raynal(a)bootlin.com> ASoC: dt-bindings: davinci-mcasp: Fix interrupts property Jiri Olsa <jolsa(a)kernel.org> bpf,perf: Fix perf_event_detach_bpf_prog error handling Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: ISO: Fix UAF on iso_sock_timeout Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SCO: Fix UAF on sco_sock_timeout Jinjie Ruan <ruanjinjie(a)huawei.com> posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Heiner Kallweit <hkallweit1(a)gmail.com> r8169: avoid unsolicited interrupts Dmitry Antipov <dmantipov(a)yandex.ru> net: sched: fix use-after-free in taprio_change() Vladimir Oltean <vladimir.oltean(a)nxp.com> net/sched: act_api: deny mismatched skip_sw/skip_hw flags for actions created by classifiers Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix name regression Eric Dumazet <edumazet(a)google.com> net: fix races in netdev_tx_sent_queue()/dev_watchdog() Praveen Kumar Kannoju <praveen.kannoju(a)oracle.com> net/sched: adjust device watchdog timer to detect stopped queue at right time Jakub Kicinski <kuba(a)kernel.org> net: provide macros for commonly copied lockless queue stop/wake code Jakub Kicinski <kuba(a)kernel.org> docs: net: reformat driver.rst from a list to sections Lin Ma <linma(a)zju.edu.cn> net: wwan: fix global oob in wwan_rtnl_policy Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: xtables: fix typo causing some targets not to load on IPv6 Peter Rashleigh <peter(a)rashleigh.ca> net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Aleksandr Mishin <amishin(a)t-argos.ru> octeon_ep: Add SKB allocation failures handling in __octep_oq_process_rx() Aleksandr Mishin <amishin(a)t-argos.ru> octeon_ep: Implement helper for iterating packets in Rx queue Jakub Boehm <boehm.jakub(a)gmail.com> net: plip: fix break; causing plip to never transmit Wang Hai <wanghai38(a)huawei.com> be2net: fix potential memory leak in be_xmit() Wang Hai <wanghai38(a)huawei.com> net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Eyal Birger <eyal.birger(a)gmail.com> xfrm: respect ip protocols rules criteria when performing dst lookups Eyal Birger <eyal.birger(a)gmail.com> xfrm: extract dst lookup parameters into a struct Leo Yan <leo.yan(a)arm.com> tracing: Consider the NULL character when validating the event length Dave Kleikamp <dave.kleikamp(a)oracle.com> jfs: Fix sanity check in dbMount Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> LoongArch: Don't crash in stack_top() for tasks without vDSO Tiezhu Yang <yangtiezhu(a)loongson.cn> LoongArch: Add support to clone a time namespace Crag Wang <crag_wang(a)dell.com> platform/x86: dell-sysman: add support for alienware products Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string Gianfranco Trad <gianf.trad(a)gmail.com> udf: fix uninit-value use in udf_get_fileshortad Zhao Mengmeng <zhaomengmeng(a)kylinos.cn> udf: refactor udf_current_aext() to handle error Mark Rutland <mark.rutland(a)arm.com> arm64: Force position-independent veneers Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_sai: Enable 'FIFO continue on error' FCONT bit Alexey Klimov <alexey.klimov(a)linaro.org> ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values Hans de Goede <hdegoede(a)redhat.com> drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Add more attributes checks in mi_enum_attr() Mateusz Guzik <mjguzik(a)gmail.com> exec: don't WARN for racy path_noexec check Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix procress reference leakage for bfqq in merge chain Marek Vasut <marex(a)denx.de> serial: imx: Update mctrl old_status on RTSD interrupt Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> serial: Make uart_handle_cts_change() status param bool active Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> tty/serial: Make ->dcd_change()+uart_handle_dcd_change() status bool active Roger Quadros <rogerq(a)kernel.org> usb: dwc3: core: Fix system suspend on TI AM62 platforms Frank Li <Frank.Li(a)nxp.com> XHCI: Separate PORT and CAPs macros into dedicated file Elson Roy Serrao <quic_eserrao(a)quicinc.com> usb: gadget: Add function wakeup support Kevin Groeneveld <kgroeneveld(a)lenbrook.com> usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store John Keeping <jkeeping(a)inmusicbrands.com> usb: gadget: f_uac2: fix non-newline-terminated function name Lee Jones <lee(a)kernel.org> usb: gadget: f_uac2: Replace snprintf() with the safer scnprintf() variant Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: honor usb transfer size boundaries. Jiri Slaby (SUSE) <jirislaby(a)kernel.org> xhci: dbgtty: use kfifo from tty_port struct Jiri Slaby (SUSE) <jirislaby(a)kernel.org> xhci: dbgtty: remove kfifo_out() wrapper Mark Rutland <mark.rutland(a)arm.com> arm64: probes: Fix uprobes for big-endian kernels junhua huang <huang.junhua(a)zte.com.cn> arm64:uprobe fix the uprobe SWBP_INSN in big-endian Jordan Rome <linux(a)jordanrome.com> bpf: Fix iter/task tid filtering Andrea Parri <parri.andrea(a)gmail.com> riscv, bpf: Make BPF_CMPXCHG fully ordered Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Unregister notifier on eswitch init failure Shay Drory <shayd(a)nvidia.com> net/mlx5: Fix command bitmask initialization Shay Drory <shayd(a)nvidia.com> net/mlx5: split mlx5_cmd_init() to probe and reload routines Shay Drory <shayd(a)nvidia.com> net/mlx5: Remove redundant cmdif revision check Ye Bin <yebin10(a)huawei.com> Bluetooth: bnep: fix wild-memory-access in proto_unregister Heiko Carstens <hca(a)linux.ibm.com> s390: Initialize psw mask in perf_arch_fetch_caller_regs() Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> usb: typec: altmode should keep reference to parent Paulo Alcantara <pc(a)manguebit.com> smb: client: fix OOBs when building SMB2_IOCTL request Wang Hai <wanghai38(a)huawei.com> scsi: target: core: Fix null-ptr-deref in target_alloc_device() Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> net: ravb: Only advertise Rx/Tx timestamps if hardware supports it Gal Pressman <gal(a)nvidia.com> ravb: Remove setting of RX software timestamp Eric Dumazet <edumazet(a)google.com> genetlink: hold RCU in genlmsg_mcast() Kuniyuki Iwashima <kuniyu(a)amazon.com> tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Jessica Zhang <quic_jesszhan(a)quicinc.com> drm/msm/dpu: don't always program merge_3d block Marijn Suijten <marijn.suijten(a)somainline.org> drm/msm/dpu: Wire up DSC mask for active CTL configuration Fabrizio Castro <fabrizio.castro.jz(a)renesas.com> irqchip/renesas-rzg2l: Fix missing put_device Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> irqchip/renesas-rzg2l: Add support for suspend to RAM Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> irqchip/renesas-rzg2l: Document structure members Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> irqchip/renesas-rzg2l: Align struct member names to tabs Wang Hai <wanghai38(a)huawei.com> net: systemport: fix potential memory leak in bcm_sysport_xmit() Wang Hai <wanghai38(a)huawei.com> net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() Li RongQing <lirongqing(a)baidu.com> net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Wang Hai <wanghai38(a)huawei.com> net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Eric Dumazet <edumazet(a)google.com> netdevsim: use cond_resched() in nsim_dev_trap_report_work() Sabrina Dubroca <sd(a)queasysnail.net> macsec: don't increment counters for an unrelated SA Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring Colin Ian King <colin.i.king(a)gmail.com> octeontx2-af: Fix potential integer overflows on integer shifts Oliver Neukum <oneukum(a)suse.com> net: usb: usbnet: fix race in probe failure Douglas Anderson <dianders(a)chromium.org> drm/msm: Allocate memory for disp snapshot with kvzalloc() Douglas Anderson <dianders(a)chromium.org> drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() Jonathan Marek <jonathan(a)marek.ca> drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: make sure phys resources are properly initialized Bhargava Chenna Marreddy <bhargava.marreddy(a)broadcom.com> RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Return more meaningful error Xin Long <lucien.xin(a)gmail.com> ipv4: give an IPv4 dev to blackhole_netdev Bart Van Assche <bvanassche(a)acm.org> RDMA/srpt: Make slab cache names unique Alexander Zubkov <green(a)qrator.net> RDMA/irdma: Fix misspelling of "accept*" Anumula Murali Mohan Reddy <anumula(a)chelsio.com> RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Murad Masimov <m.masimov(a)maxima.ru> ALSA: hda/cs8409: Fix possible NULL dereference Tony Ambardar <tony.ambardar(a)gmail.com> selftests/bpf: Fix cross-compiling urandom_read Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Handle possible ENOMEM in vmw_stdu_connector_atomic_check Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: frequency: {admv4420,adrf6780}: format Kconfig entries Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: fix kfunc btf caching for modules Niklas Schnelle <schnelle(a)linux.ibm.com> s390/pci: Handle PCI error codes other than 0x3a Florian Klink <flokli(a)flokli.de> ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Martin Kletzander <nert.pinx(a)gmail.com> x86/resctrl: Avoid overflow in MB settings in bw_validate() Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Add a check for memory allocation Saravanan Vajravel <saravanan.vajravel(a)broadcom.com> RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Jiri Olsa <jolsa(a)kernel.org> bpf: Fix memory leak in bpf_core_apply Florian Kauer <florian.kauer(a)linutronix.de> bpf: devmap: provide rxq after redirect Toke Høiland-Jørgensen <toke(a)redhat.com> bpf: Make sure internal and UAPI bpf_redirect flags don't overlap Mikhail Lobanov <m.lobanov(a)rosalinux.ru> iio: accel: bma400: Fix uninitialized variable field_value in tap event handling. Wander Lairson Costa <wander.lairson(a)gmail.com> bpf: Use raw_spinlock_t in ringbuf ------------- Diffstat: .../bindings/sound/davinci-mcasp-audio.yaml | 18 +- Documentation/networking/driver.rst | 97 +++++--- Makefile | 4 +- arch/arm/boot/dts/bcm2837-rpi-cm3-io3.dts | 2 +- arch/arm64/Makefile | 2 +- arch/arm64/include/asm/uprobes.h | 12 +- arch/arm64/kernel/probes/uprobes.c | 4 +- arch/arm64/kvm/arm.c | 3 + arch/arm64/kvm/vgic/vgic-init.c | 6 +- arch/loongarch/Kconfig | 1 + arch/loongarch/include/asm/bootinfo.h | 4 + arch/loongarch/include/asm/page.h | 1 + arch/loongarch/include/asm/vdso/gettimeofday.h | 9 +- arch/loongarch/include/asm/vdso/vdso.h | 32 ++- arch/loongarch/kernel/process.c | 14 +- arch/loongarch/kernel/setup.c | 3 +- arch/loongarch/kernel/vdso.c | 98 ++++++-- arch/loongarch/vdso/vgetcpu.c | 2 +- arch/riscv/net/bpf_jit_comp64.c | 4 +- arch/s390/include/asm/perf_event.h | 1 + arch/s390/pci/pci_event.c | 17 +- arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 23 +- arch/x86/kvm/svm/nested.c | 6 +- block/bfq-iosched.c | 37 ++- block/blk-map.c | 4 +- drivers/acpi/button.c | 11 + drivers/acpi/cppc_acpi.c | 116 +++++++++ drivers/acpi/prmt.c | 29 ++- drivers/acpi/resource.c | 7 + drivers/cpufreq/cppc_cpufreq.c | 139 ++--------- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +- drivers/gpu/drm/amd/amdgpu/amdgpu_mes.c | 5 +- .../drm/amd/display/modules/power/power_helpers.c | 2 + drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 9 +- .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 1 + .../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_vid.c | 3 +- drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 19 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- drivers/gpu/drm/vboxvideo/hgsmi_base.c | 10 +- drivers/gpu/drm/vboxvideo/vboxvideo.h | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 4 + drivers/iio/accel/bma400_core.c | 3 +- drivers/iio/frequency/Kconfig | 31 +-- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +- drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +- drivers/infiniband/hw/bnxt_re/qplib_res.c | 21 +- drivers/infiniband/hw/cxgb4/cm.c | 9 +- drivers/infiniband/hw/irdma/cm.c | 2 +- drivers/infiniband/ulp/srpt/ib_srpt.c | 80 ++++++- drivers/irqchip/irq-renesas-rzg2l.c | 94 ++++++-- drivers/net/dsa/mv88e6xxx/port.c | 1 + drivers/net/ethernet/aeroflex/greth.c | 3 +- drivers/net/ethernet/broadcom/bcmsysport.c | 1 + drivers/net/ethernet/emulex/benet/be_main.c | 10 +- drivers/net/ethernet/i825xx/sun3_82586.c | 1 + drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 82 +++++-- .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 138 ++++++----- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 15 +- .../net/ethernet/mellanox/mlx5/core/mlx5_core.h | 2 + drivers/net/ethernet/realtek/r8169_main.c | 4 +- drivers/net/ethernet/renesas/ravb_main.c | 25 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 + drivers/net/hyperv/netvsc_drv.c | 30 +++ drivers/net/macsec.c | 18 -- drivers/net/netdevsim/dev.c | 15 +- drivers/net/phy/dp83822.c | 4 +- drivers/net/plip/plip.c | 2 +- drivers/net/usb/usbnet.c | 4 +- drivers/net/wwan/wwan_core.c | 2 +- drivers/platform/x86/dell/dell-wmi-base.c | 9 + drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 1 + drivers/powercap/dtpm_devfreq.c | 2 +- drivers/pps/clients/pps-ldisc.c | 6 +- drivers/target/target_core_device.c | 2 +- drivers/target/target_core_user.c | 2 +- drivers/tty/serial/imx.c | 17 +- drivers/tty/serial/max3100.c | 2 +- drivers/tty/serial/max310x.c | 3 +- drivers/tty/serial/serial_core.c | 32 +-- drivers/tty/serial/sunhv.c | 8 +- drivers/usb/dwc3/core.c | 19 ++ drivers/usb/dwc3/core.h | 3 + drivers/usb/gadget/composite.c | 40 ++++ drivers/usb/gadget/function/f_uac2.c | 13 +- drivers/usb/host/xhci-caps.h | 85 +++++++ drivers/usb/host/xhci-dbgcap.h | 2 +- drivers/usb/host/xhci-dbgtty.c | 71 ++++-- drivers/usb/host/xhci-port.h | 176 ++++++++++++++ drivers/usb/host/xhci.h | 262 +-------------------- drivers/usb/typec/class.c | 3 + fs/btrfs/block-group.c | 2 + fs/btrfs/dir-item.c | 4 +- fs/btrfs/inode.c | 7 +- fs/exec.c | 21 +- fs/jfs/jfs_dmap.c | 2 +- fs/nilfs2/page.c | 6 +- fs/ntfs3/record.c | 67 +++++- fs/open.c | 2 + fs/smb/client/smb2pdu.c | 9 + fs/udf/inode.c | 49 ++-- fs/udf/truncate.c | 10 +- fs/udf/udfdecl.h | 5 +- include/acpi/cppc_acpi.h | 2 + include/linux/netdevice.h | 13 + include/linux/serial_core.h | 6 +- include/linux/tty_ldisc.h | 4 +- include/linux/usb/composite.h | 6 + include/linux/usb/gadget.h | 1 + include/net/bluetooth/bluetooth.h | 1 + include/net/genetlink.h | 3 +- include/net/netdev_queues.h | 144 +++++++++++ include/net/xfrm.h | 28 ++- include/uapi/linux/bpf.h | 13 +- kernel/bpf/btf.c | 1 + kernel/bpf/devmap.c | 11 +- kernel/bpf/ringbuf.c | 12 +- kernel/bpf/task_iter.c | 2 +- kernel/bpf/verifier.c | 8 +- kernel/time/posix-clock.c | 6 +- kernel/trace/bpf_trace.c | 2 - kernel/trace/trace_probe.c | 2 +- net/bluetooth/af_bluetooth.c | 22 ++ net/bluetooth/bnep/core.c | 3 +- net/bluetooth/iso.c | 18 +- net/bluetooth/sco.c | 18 +- net/core/filter.c | 8 +- net/ipv4/devinet.c | 35 ++- net/ipv4/inet_connection_sock.c | 21 +- net/ipv4/xfrm4_policy.c | 38 ++- net/ipv6/xfrm6_policy.c | 31 +-- net/l2tp/l2tp_netlink.c | 4 +- net/netfilter/xt_NFLOG.c | 2 +- net/netfilter/xt_TRACE.c | 1 + net/netfilter/xt_mark.c | 2 +- net/netlink/genetlink.c | 28 +-- net/sched/act_api.c | 23 +- net/sched/sch_generic.c | 17 +- net/sched/sch_taprio.c | 3 +- net/smc/smc_pnet.c | 2 +- net/wireless/nl80211.c | 8 +- net/xfrm/xfrm_device.c | 11 +- net/xfrm/xfrm_policy.c | 50 +++- net/xfrm/xfrm_user.c | 4 +- security/selinux/selinuxfs.c | 27 ++- sound/firewire/amdtp-stream.c | 3 + sound/pci/hda/patch_cs8409.c | 5 +- sound/pci/hda/patch_realtek.c | 48 ++-- sound/soc/codecs/lpass-rx-macro.c | 2 +- sound/soc/fsl/fsl_sai.c | 5 +- sound/soc/fsl/fsl_sai.h | 1 + sound/soc/qcom/lpass-cpu.c | 2 + sound/soc/qcom/sm8250.c | 1 + tools/testing/selftests/bpf/Makefile | 2 +- 155 files changed, 1978 insertions(+), 1066 deletions(-)

5 months, 2 weeks

14
153
0 0

Backport smb client char/block fixes

by Pali Rohár

Hello, I would like to propose backporting these two commits into stable: * 663f295e3559 ("smb: client: fix parsing of device numbers") * a9de67336a4a ("smb: client: set correct device number on nfs reparse points") Linux SMB client without these two recent fixes swaps device major and minor numbers, which makes basically char/block device nodes unusable. Commit 663f295e3559 ("smb: client: fix parsing of device numbers") should have had following Fixes line: Fixes: 45e724022e27 ("smb: client: set correct file type from NFS reparse points") And commit a9de67336a4a ("smb: client: set correct device number on nfs reparse points") should have contained line: Fixes: 102466f303ff ("smb: client: allow creating special files via reparse points") Pali

5 months, 2 weeks

2
2
0 0

[PATCH v4] usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier

by Rex Nie

If the read of USB_PDPHY_RX_ACKNOWLEDGE_REG failed, then hdr_len and txbuf_len are uninitialized. This commit stops to print uninitialized value and misleading/false data. Cc: stable(a)vger.kernel.org Fixes: a4422ff22142 (" usb: typec: qcom: Add Qualcomm PMIC Type-C driver") Signed-off-by: Rex Nie <rex.nie(a)jaguarmicro.com> --- V2 -> V3: - add changelog, add Fixes tag, add Cc stable ml. Thanks heikki - Link to v2: https://lore.kernel.org/all/20241030022753.2045-1-rex.nie@jaguarmicro.com/ V1 -> V2: - keep printout when data didn't transmit, thanks Bjorn, bod, greg k-h - Links: https://lore.kernel.org/all/b177e736-e640-47ed-9f1e-ee65971dfc9c@linaro.org/ --- drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c index 5b7f52b74a40..726423684bae 100644 --- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c +++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c @@ -227,6 +227,10 @@ qcom_pmic_typec_pdphy_pd_transmit_payload(struct pmic_typec_pdphy *pmic_typec_pd spin_lock_irqsave(&pmic_typec_pdphy->lock, flags); + hdr_len = sizeof(msg->header); + txbuf_len = pd_header_cnt_le(msg->header) * 4; + txsize_len = hdr_len + txbuf_len - 1; + ret = regmap_read(pmic_typec_pdphy->regmap, pmic_typec_pdphy->base + USB_PDPHY_RX_ACKNOWLEDGE_REG, &val); @@ -244,10 +248,6 @@ qcom_pmic_typec_pdphy_pd_transmit_payload(struct pmic_typec_pdphy *pmic_typec_pd if (ret) goto done; - hdr_len = sizeof(msg->header); - txbuf_len = pd_header_cnt_le(msg->header) * 4; - txsize_len = hdr_len + txbuf_len - 1; - /* Write message header sizeof(u16) to USB_PDPHY_TX_BUFFER_HDR_REG */ ret = regmap_bulk_write(pmic_typec_pdphy->regmap, pmic_typec_pdphy->base + USB_PDPHY_TX_BUFFER_HDR_REG, -- 2.17.1

5 months, 2 weeks

3
3
0 0

[PATCH iwl-net v2 1/2] idpf: avoid vport access in idpf_get_link_ksettings

by Pavan Kumar Linga

When the device control plane is removed or the platform running device control plane is rebooted, a reset is detected on the driver. On driver reset, it releases the resources and waits for the reset to complete. If the reset fails, it takes the error path and releases the vport lock. At this time if the monitoring tools tries to access link settings, it call traces for accessing released vport pointer. To avoid it, move link_speed_mbps to netdev_priv structure which removes the dependency on vport pointer and the vport lock in idpf_get_link_ksettings. Also use netif_carrier_ok() to check the link status and adjust the offsetof to use link_up instead of link_speed_mbps. Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks") Cc: stable(a)vger.kernel.org # 6.7+ Reviewed-by: Tarun K Singh <tarun.k.singh(a)intel.com> Signed-off-by: Pavan Kumar Linga <pavan.kumar.linga(a)intel.com> --- drivers/net/ethernet/intel/idpf/idpf.h | 4 ++-- drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 11 +++-------- drivers/net/ethernet/intel/idpf/idpf_lib.c | 4 ++-- drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 2 +- 4 files changed, 8 insertions(+), 13 deletions(-) diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h index 2c31ad87587a..66544faab710 100644 --- a/drivers/net/ethernet/intel/idpf/idpf.h +++ b/drivers/net/ethernet/intel/idpf/idpf.h @@ -141,6 +141,7 @@ enum idpf_vport_state { * @adapter: Adapter back pointer * @vport: Vport back pointer * @vport_id: Vport identifier + * @link_speed_mbps: Link speed in mbps * @vport_idx: Relative vport index * @state: See enum idpf_vport_state * @netstats: Packet and byte stats @@ -150,6 +151,7 @@ struct idpf_netdev_priv { struct idpf_adapter *adapter; struct idpf_vport *vport; u32 vport_id; + u32 link_speed_mbps; u16 vport_idx; enum idpf_vport_state state; struct rtnl_link_stats64 netstats; @@ -287,7 +289,6 @@ struct idpf_port_stats { * @tx_itr_profile: TX profiles for Dynamic Interrupt Moderation * @port_stats: per port csum, header split, and other offload stats * @link_up: True if link is up - * @link_speed_mbps: Link speed in mbps * @sw_marker_wq: workqueue for marker packets */ struct idpf_vport { @@ -331,7 +332,6 @@ struct idpf_vport { struct idpf_port_stats port_stats; bool link_up; - u32 link_speed_mbps; wait_queue_head_t sw_marker_wq; }; diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c index 3806ddd3ce4a..59b1a1a09996 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c +++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c @@ -1296,24 +1296,19 @@ static void idpf_set_msglevel(struct net_device *netdev, u32 data) static int idpf_get_link_ksettings(struct net_device *netdev, struct ethtool_link_ksettings *cmd) { - struct idpf_vport *vport; - - idpf_vport_ctrl_lock(netdev); - vport = idpf_netdev_to_vport(netdev); + struct idpf_netdev_priv *np = netdev_priv(netdev); ethtool_link_ksettings_zero_link_mode(cmd, supported); cmd->base.autoneg = AUTONEG_DISABLE; cmd->base.port = PORT_NONE; - if (vport->link_up) { + if (netif_carrier_ok(netdev)) { cmd->base.duplex = DUPLEX_FULL; - cmd->base.speed = vport->link_speed_mbps; + cmd->base.speed = np->link_speed_mbps; } else { cmd->base.duplex = DUPLEX_UNKNOWN; cmd->base.speed = SPEED_UNKNOWN; } - idpf_vport_ctrl_unlock(netdev); - return 0; } diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c index 4f20343e49a9..c3848e10e7db 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_lib.c +++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c @@ -1860,7 +1860,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, * mess with. Nothing below should use those variables from new_vport * and should instead always refer to them in vport if they need to. */ - memcpy(new_vport, vport, offsetof(struct idpf_vport, link_speed_mbps)); + memcpy(new_vport, vport, offsetof(struct idpf_vport, link_up)); /* Adjust resource parameters prior to reallocating resources */ switch (reset_cause) { @@ -1906,7 +1906,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport, /* Same comment as above regarding avoiding copying the wait_queues and * mutexes applies here. We do not want to mess with those if possible. */ - memcpy(vport, new_vport, offsetof(struct idpf_vport, link_speed_mbps)); + memcpy(vport, new_vport, offsetof(struct idpf_vport, link_up)); if (reset_cause == IDPF_SR_Q_CHANGE) idpf_vport_alloc_vec_indexes(vport); diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c index 70986e12da28..3be883726b87 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c @@ -141,7 +141,7 @@ static void idpf_handle_event_link(struct idpf_adapter *adapter, } np = netdev_priv(vport->netdev); - vport->link_speed_mbps = le32_to_cpu(v2e->link_speed); + np->link_speed_mbps = le32_to_cpu(v2e->link_speed); if (vport->link_up == v2e->link_status) return; -- 2.43.0

5 months, 3 weeks

2
1
0 0

[PATCH iwl-net v2 2/2] idpf: fix idpf_vc_core_init error path

by Pavan Kumar Linga

In an event where the platform running the device control plane is rebooted, reset is detected on the driver. It releases all the resources and waits for the reset to complete. Once the reset is done, it tries to build the resources back. At this time if the device control plane is not yet started, then the driver timeouts on the virtchnl message and retries to establish the mailbox again. In the retry flow, mailbox is deinitialized but the mailbox workqueue is still alive and polling for the mailbox message. This results in accessing the released control queue leading to null-ptr-deref. Fix it by unrolling the work queue cancellation and mailbox deinitialization in the reverse order which they got initialized. Fixes: 4930fbf419a7 ("idpf: add core init and interrupt request") Fixes: 34c21fa894a1 ("idpf: implement virtchnl transaction manager") Cc: stable(a)vger.kernel.org # 6.9+ Reviewed-by: Tarun K Singh <tarun.k.singh(a)intel.com> Signed-off-by: Pavan Kumar Linga <pavan.kumar.linga(a)intel.com> --- v2: - remove changes which are not fixes for the actual issue from this patch --- drivers/net/ethernet/intel/idpf/idpf_lib.c | 1 + drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c index c3848e10e7db..b4fbb99bfad2 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_lib.c +++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c @@ -1786,6 +1786,7 @@ static int idpf_init_hard_reset(struct idpf_adapter *adapter) */ err = idpf_vc_core_init(adapter); if (err) { + cancel_delayed_work_sync(&adapter->mbx_task); idpf_deinit_dflt_mbx(adapter); goto unlock_mutex; } diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c index 3be883726b87..e7eee571d908 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c @@ -3070,7 +3070,6 @@ int idpf_vc_core_init(struct idpf_adapter *adapter) adapter->state = __IDPF_VER_CHECK; if (adapter->vcxn_mngr) idpf_vc_xn_shutdown(adapter->vcxn_mngr); - idpf_deinit_dflt_mbx(adapter); set_bit(IDPF_HR_DRV_LOAD, adapter->flags); queue_delayed_work(adapter->vc_event_wq, &adapter->vc_event_task, msecs_to_jiffies(task_delay)); -- 2.43.0

5 months, 3 weeks

2
1
0 0

[PATCH] Drivers: hv: kvp/vss: Avoid accessing a ringbuffer not initialized yet

by Dexuan Cui

If the KVP (or VSS) daemon starts before the VMBus channel's ringbuffer is fully initialized, we can hit the panic below: hv_utils: Registering HyperV Utility Driver hv_vmbus: registering driver hv_utils ... BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 44 UID: 0 PID: 2552 Comm: hv_kvp_daemon Tainted: G E 6.11.0-rc3+ #1 RIP: 0010:hv_pkt_iter_first+0x12/0xd0 Call Trace: ... vmbus_recvpacket hv_kvp_onchannelcallback vmbus_on_event tasklet_action_common tasklet_action handle_softirqs irq_exit_rcu sysvec_hyperv_stimer0 </IRQ> <TASK> asm_sysvec_hyperv_stimer0 ... kvp_register_done hvt_op_read vfs_read ksys_read __x64_sys_read This can happen because the KVP/VSS channel callback can be invoked even before the channel is fully opened: 1) as soon as hv_kvp_init() -> hvutil_transport_init() creates /dev/vmbus/hv_kvp, the kvp daemon can open the device file immediately and register itself to the driver by writing a message KVP_OP_REGISTER1 to the file (which is handled by kvp_on_msg() ->kvp_handle_handshake()) and reading the file for the driver's response, which is handled by hvt_op_read(), which calls hvt->on_read(), i.e. kvp_register_done(). 2) the problem with kvp_register_done() is that it can cause the channel callback to be called even before the channel is fully opened, and when the channel callback is starting to run, util_probe()-> vmbus_open() may have not initialized the ringbuffer yet, so the callback can hit the panic of NULL pointer dereference. To reproduce the panic consistently, we can add a "ssleep(10)" for KVP in __vmbus_open(), just before the first hv_ringbuffer_init(), and then we unload and reload the driver hv_utils, and run the daemon manually within the 10 seconds. Fix the panic by checking the channel state in the channel callback. To avoid the race condition with __vmbus_open(), we disable and enable the channel callback temporarily in __vmbus_open(). The channel callbacks of the other VMBus devices don't need to check the channel state since they can't run before the channels are fully initialized. Note: we would also need to fix the fcopy driver code, but that has been removed in commit ec314f61e4fc ("Drivers: hv: Remove fcopy driver") in the mainline kernel since v6.10. For old 6.x LTS kernels, and the 5.x and 4.x LTS kernels, the fcopy driver needs to be fixed when the fix is backported to the stable kernel branches. Fixes: e0fa3e5e7df6 ("Drivers: hv: utils: fix a race on userspace daemons registration") Cc: stable(a)vger.kernel.org Signed-off-by: Dexuan Cui <decui(a)microsoft.com> --- drivers/hv/channel.c | 11 +++++++++++ drivers/hv/hv_kvp.c | 3 +++ drivers/hv/hv_snapshot.c | 3 +++ 3 files changed, 17 insertions(+) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index fb8cd8469328..685e407a3fdf 100644 --- a/drivers/hv/channel.c +++ b/drivers/hv/channel.c @@ -657,6 +657,14 @@ static int __vmbus_open(struct vmbus_channel *newchannel, return -ENOMEM; } + /* + * The channel callbacks of KVP/VSS may run before __vmbus_open() + * finishes (see kvp_register_done() -> ... -> kvp_poll_wrapper()), so + * they check newchannel->state to tell the ringbuffer has been fully + * initialized or not. Disable and enable the tasklet to avoid the race. + */ + tasklet_disable(&newchannel->callback_event); + newchannel->state = CHANNEL_OPENING_STATE; newchannel->onchannel_callback = onchannelcallback; newchannel->channel_callback_context = context; @@ -750,6 +758,8 @@ static int __vmbus_open(struct vmbus_channel *newchannel, } newchannel->state = CHANNEL_OPENED_STATE; + tasklet_enable(&newchannel->callback_event); + kfree(open_info); return 0; @@ -766,6 +776,7 @@ static int __vmbus_open(struct vmbus_channel *newchannel, hv_ringbuffer_cleanup(&newchannel->inbound); vmbus_free_requestor(&newchannel->requestor); newchannel->state = CHANNEL_OPEN_STATE; + tasklet_enable(&newchannel->callback_event); return err; } diff --git a/drivers/hv/hv_kvp.c b/drivers/hv/hv_kvp.c index d35b60c06114..ec098067e579 100644 --- a/drivers/hv/hv_kvp.c +++ b/drivers/hv/hv_kvp.c @@ -662,6 +662,9 @@ void hv_kvp_onchannelcallback(void *context) if (kvp_transaction.state > HVUTIL_READY) return; + if (channel->state != CHANNEL_OPENED_STATE) + return; + if (vmbus_recvpacket(channel, recv_buffer, HV_HYP_PAGE_SIZE * 4, &recvlen, &requestid)) { pr_err_ratelimited("KVP request received. Could not read into recv buf\n"); return; diff --git a/drivers/hv/hv_snapshot.c b/drivers/hv/hv_snapshot.c index 0d2184be1691..f7924c2fc62e 100644 --- a/drivers/hv/hv_snapshot.c +++ b/drivers/hv/hv_snapshot.c @@ -301,6 +301,9 @@ void hv_vss_onchannelcallback(void *context) if (vss_transaction.state > HVUTIL_READY) return; + if (channel->state != CHANNEL_OPENED_STATE) + return; + if (vmbus_recvpacket(channel, recv_buffer, VSS_MAX_PKT_SIZE, &recvlen, &requestid)) { pr_err_ratelimited("VSS request received. Could not read into recv buf\n"); return; -- 2.25.1

5 months, 3 weeks

3
9
0 0

[PATCH V3] wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures

by Guilherme G. Piccoli

Syzkaller reported a hung task with uevent_show() on stack trace. That specific issue was addressed by another commit [0], but even with that fix applied (for example, running v6.12-rc5) we face another type of hung task that comes from the same reproducer [1]. By investigating that, we could narrow it to the following path: (a) Syzkaller emulates a Realtek USB WiFi adapter using raw-gadget and dummy_hcd infrastructure. (b) During the probe of rtl8192cu, the driver ends-up performing an efuse read procedure (which is related to EEPROM load IIUC), and here lies the issue: the function read_efuse() calls read_efuse_byte() many times, as loop iterations depending on the efuse size (in our example, 512 in total). This procedure for reading efuse bytes relies in a loop that performs an I/O read up to *10k* times in case of failures. We measured the time of the loop inside read_efuse_byte() alone, and in this reproducer (which involves the dummy_hcd emulation layer), it takes 15 seconds each. As a consequence, we have the driver stuck in its probe routine for big time, exposing a stack trace like below if we attempt to reboot the system, for example: task:kworker/0:3 state:D stack:0 pid:662 tgid:662 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: __schedule+0xe22/0xeb6 schedule_timeout+0xe7/0x132 __wait_for_common+0xb5/0x12e usb_start_wait_urb+0xc5/0x1ef ? usb_alloc_urb+0x95/0xa4 usb_control_msg+0xff/0x184 _usbctrl_vendorreq_sync+0xa0/0x161 _usb_read_sync+0xb3/0xc5 read_efuse_byte+0x13c/0x146 read_efuse+0x351/0x5f0 efuse_read_all_map+0x42/0x52 rtl_efuse_shadow_map_update+0x60/0xef rtl_get_hwinfo+0x5d/0x1c2 rtl92cu_read_eeprom_info+0x10a/0x8d5 ? rtl92c_read_chip_version+0x14f/0x17e rtl_usb_probe+0x323/0x851 usb_probe_interface+0x278/0x34b really_probe+0x202/0x4a4 __driver_probe_device+0x166/0x1b2 driver_probe_device+0x2f/0xd8 [...] We propose hereby to drastically reduce the attempts of doing the I/O reads in case of failures, restricted to USB devices (given that they're inherently slower than PCIe ones). By retrying up to 10 times (instead of 10000), we got reponsiveness in the reproducer, while seems reasonable to believe that there's no sane USB device implementation in the field requiring this amount of retries at every I/O read in order to properly work. Based on that assumption, it'd be good to have it backported to stable but maybe not since driver implementation (the 10k number comes from day 0), perhaps up to 6.x series makes sense. [0] Commit 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race"). [1] A note about that: this syzkaller report presents multiple reproducers that differs by the type of emulated USB device. For this specific case, check the entry from 2024/08/08 06:23 in the list of crashes; the C repro is available at https://syzkaller.appspot.com/text?tag=ReproC&x=1521fc83980000. Cc: stable(a)vger.kernel.org # v6.1+ Reported-by: syzbot+edd9fe0d3a65b14588d5(a)syzkaller.appspotmail.com Signed-off-by: Guilherme G. Piccoli <gpiccoli(a)igalia.com> --- V3: - Switch variable declaration to reverse xmas tree order (thanks Ping-Ke Shih for the suggestion). V2: - Restrict the change to USB device only (thanks Ping-Ke Shih). - Tested in 2 USB devices by Bitterblue Smith - thanks a lot! V1: https://lore.kernel.org/lkml/20241025150226.896613-1-gpiccoli@igalia.com/ drivers/net/wireless/realtek/rtlwifi/efuse.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/realtek/rtlwifi/efuse.c b/drivers/net/wireless/realtek/rtlwifi/efuse.c index 82cf5fb5175f..0ff553f650f9 100644 --- a/drivers/net/wireless/realtek/rtlwifi/efuse.c +++ b/drivers/net/wireless/realtek/rtlwifi/efuse.c @@ -162,9 +162,19 @@ void efuse_write_1byte(struct ieee80211_hw *hw, u16 address, u8 value) void read_efuse_byte(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf) { struct rtl_priv *rtlpriv = rtl_priv(hw); + u16 retry, max_attempts; u32 value32; u8 readbyte; - u16 retry; + + /* + * In case of USB devices, transfer speeds are limited, hence + * efuse I/O reads could be (way) slower. So, decrease (a lot) + * the read attempts in case of failures. + */ + if (rtlpriv->rtlhal.interface == INTF_PCI) + max_attempts = 10000; + else + max_attempts = 10; rtl_write_byte(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL] + 1, (_offset & 0xff)); @@ -178,7 +188,7 @@ void read_efuse_byte(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf) retry = 0; value32 = rtl_read_dword(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL]); - while (!(((value32 >> 24) & 0xff) & 0x80) && (retry < 10000)) { + while (!(((value32 >> 24) & 0xff) & 0x80) && (retry < max_attempts)) { value32 = rtl_read_dword(rtlpriv, rtlpriv->cfg->maps[EFUSE_CTRL]); retry++; -- 2.46.2

5 months, 3 weeks

2
4
0 0

[PATCH v7 bpf-next 01/10] lib/buildid: harden build ID parsing logic

by Andrii Nakryiko

Harden build ID parsing logic, adding explicit READ_ONCE() where it's important to have a consistent value read and validated just once. Also, as pointed out by Andi Kleen, we need to make sure that entire ELF note is within a page bounds, so move the overflow check up and add an extra note_size boundaries validation. Fixes tag below points to the code that moved this code into lib/buildid.c, and then subsequently was used in perf subsystem, making this code exposed to perf_event_open() users in v5.12+. Cc: stable(a)vger.kernel.org Reviewed-by: Eduard Zingerman <eddyz87(a)gmail.com> Reviewed-by: Jann Horn <jannh(a)google.com> Suggested-by: Andi Kleen <ak(a)linux.intel.com> Fixes: bd7525dacd7e ("bpf: Move stack_map_get_build_id into lib") Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> --- lib/buildid.c | 76 +++++++++++++++++++++++++++++---------------------- 1 file changed, 44 insertions(+), 32 deletions(-) diff --git a/lib/buildid.c b/lib/buildid.c index e02b5507418b..26007cc99a38 100644 --- a/lib/buildid.c +++ b/lib/buildid.c @@ -18,31 +18,37 @@ static int parse_build_id_buf(unsigned char *build_id, const void *note_start, Elf32_Word note_size) { - Elf32_Word note_offs = 0, new_offs; - - while (note_offs + sizeof(Elf32_Nhdr) < note_size) { - Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_offs); + const char note_name[] = "GNU"; + const size_t note_name_sz = sizeof(note_name); + u64 note_off = 0, new_off, name_sz, desc_sz; + const char *data; + + while (note_off + sizeof(Elf32_Nhdr) < note_size && + note_off + sizeof(Elf32_Nhdr) > note_off /* overflow */) { + Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_off); + + name_sz = READ_ONCE(nhdr->n_namesz); + desc_sz = READ_ONCE(nhdr->n_descsz); + + new_off = note_off + sizeof(Elf32_Nhdr); + if (check_add_overflow(new_off, ALIGN(name_sz, 4), &new_off) || + check_add_overflow(new_off, ALIGN(desc_sz, 4), &new_off) || + new_off > note_size) + break; if (nhdr->n_type == BUILD_ID && - nhdr->n_namesz == sizeof("GNU") && - !strcmp((char *)(nhdr + 1), "GNU") && - nhdr->n_descsz > 0 && - nhdr->n_descsz <= BUILD_ID_SIZE_MAX) { - memcpy(build_id, - note_start + note_offs + - ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr), - nhdr->n_descsz); - memset(build_id + nhdr->n_descsz, 0, - BUILD_ID_SIZE_MAX - nhdr->n_descsz); + name_sz == note_name_sz && + memcmp(nhdr + 1, note_name, note_name_sz) == 0 && + desc_sz > 0 && desc_sz <= BUILD_ID_SIZE_MAX) { + data = note_start + note_off + ALIGN(note_name_sz, 4); + memcpy(build_id, data, desc_sz); + memset(build_id + desc_sz, 0, BUILD_ID_SIZE_MAX - desc_sz); if (size) - *size = nhdr->n_descsz; + *size = desc_sz; return 0; } - new_offs = note_offs + sizeof(Elf32_Nhdr) + - ALIGN(nhdr->n_namesz, 4) + ALIGN(nhdr->n_descsz, 4); - if (new_offs <= note_offs) /* overflow */ - break; - note_offs = new_offs; + + note_off = new_off; } return -EINVAL; @@ -71,7 +77,7 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, { Elf32_Ehdr *ehdr = (Elf32_Ehdr *)page_addr; Elf32_Phdr *phdr; - int i; + __u32 i, phnum; /* * FIXME @@ -80,18 +86,19 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id, */ if (ehdr->e_phoff != sizeof(Elf32_Ehdr)) return -EINVAL; + + phnum = READ_ONCE(ehdr->e_phnum); /* only supports phdr that fits in one page */ - if (ehdr->e_phnum > - (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) + if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr)) return -EINVAL; phdr = (Elf32_Phdr *)(page_addr + sizeof(Elf32_Ehdr)); - for (i = 0; i < ehdr->e_phnum; ++i) { + for (i = 0; i < phnum; ++i) { if (phdr[i].p_type == PT_NOTE && !parse_build_id(page_addr, build_id, size, - page_addr + phdr[i].p_offset, - phdr[i].p_filesz)) + page_addr + READ_ONCE(phdr[i].p_offset), + READ_ONCE(phdr[i].p_filesz))) return 0; } return -EINVAL; @@ -103,7 +110,7 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id, { Elf64_Ehdr *ehdr = (Elf64_Ehdr *)page_addr; Elf64_Phdr *phdr; - int i; + __u32 i, phnum; /* * FIXME @@ -112,18 +119,19 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id, */ if (ehdr->e_phoff != sizeof(Elf64_Ehdr)) return -EINVAL; + + phnum = READ_ONCE(ehdr->e_phnum); /* only supports phdr that fits in one page */ - if (ehdr->e_phnum > - (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) + if (phnum > (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr)) return -EINVAL; phdr = (Elf64_Phdr *)(page_addr + sizeof(Elf64_Ehdr)); - for (i = 0; i < ehdr->e_phnum; ++i) { + for (i = 0; i < phnum; ++i) { if (phdr[i].p_type == PT_NOTE && !parse_build_id(page_addr, build_id, size, - page_addr + phdr[i].p_offset, - phdr[i].p_filesz)) + page_addr + READ_ONCE(phdr[i].p_offset), + READ_ONCE(phdr[i].p_filesz))) return 0; } return -EINVAL; @@ -152,6 +160,10 @@ int build_id_parse(struct vm_area_struct *vma, unsigned char *build_id, page = find_get_page(vma->vm_file->f_mapping, 0); if (!page) return -EFAULT; /* page not mapped */ + if (!PageUptodate(page)) { + put_page(page); + return -EFAULT; + } ret = -EINVAL; page_addr = kmap_local_page(page); -- 2.43.5

5 months, 3 weeks

3
2
0 0

[PATCH] nvme: rdma: Add check for queue in nvmet_rdma_cm_handler()

by George Rurikov

From: MrRurikov <grurikov(a)gmal.com> After having been assigned to a NULL value at rdma.c:1758, pointer 'queue' is passed as 1st parameter in call to function 'nvmet_rdma_queue_established' at rdma.c:1773, as 1st parameter in call to function 'nvmet_rdma_queue_disconnect' at rdma.c:1787 and as 2nd parameter in call to function 'nvmet_rdma_queue_connect_fail' at rdma.c:1800, where it is dereferenced. I understand, that driver is confident that the RDMA_CM_EVENT_CONNECT_REQUEST event will occur first and perform initialization, but maliciously prepared hardware could send events in violation of the protocol. Nothing guarantees that the sequence of events will start with RDMA_CM_EVENT_CONNECT_REQUEST. Found by Linux Verification Center (linuxtesting.org) with SVACE Fixes: e1a2ee249b19 ("nvmet-rdma: Fix use after free in nvmet_rdma_cm_handler()") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/nvme/target/rdma.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c index 1b6264fa5803..becebc95f349 100644 --- a/drivers/nvme/target/rdma.c +++ b/drivers/nvme/target/rdma.c @@ -1770,8 +1770,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, ret = nvmet_rdma_queue_connect(cm_id, event); break; case RDMA_CM_EVENT_ESTABLISHED: - nvmet_rdma_queue_established(queue); - break; + if (!queue) { + nvmet_rdma_queue_established(queue); + break; + } case RDMA_CM_EVENT_ADDR_CHANGE: if (!queue) { struct nvmet_rdma_port *port = cm_id->context; @@ -1782,8 +1784,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, fallthrough; case RDMA_CM_EVENT_DISCONNECTED: case RDMA_CM_EVENT_TIMEWAIT_EXIT: - nvmet_rdma_queue_disconnect(queue); - break; + if (!queue) { + nvmet_rdma_queue_disconnect(queue); + break; + } case RDMA_CM_EVENT_DEVICE_REMOVAL: ret = nvmet_rdma_device_removal(cm_id, queue); break; @@ -1793,8 +1797,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, fallthrough; case RDMA_CM_EVENT_UNREACHABLE: case RDMA_CM_EVENT_CONNECT_ERROR: - nvmet_rdma_queue_connect_fail(cm_id, queue); - break; + if (!queue) { + nvmet_rdma_queue_connect_fail(cm_id, queue); + break; + } default: pr_err("received unrecognized RDMA CM event %d\n", event->event); -- 2.34.1

5 months, 3 weeks

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2024