October 2024 - Linux-stable-mirror

[PATCH 0/1] disable __counted_by for clang < 19.1.3

by Jan Hendrik Farr

Hi Kees, Bill's PR to disable __counted_by for "whole struct" __bdos cases has now been merged into 19.1.3 [1], so here's the patch to disable __counted_by for clang versions < 19.1.3 in the kernel. Hopefully in the near future __counted_by for whole struct __bdos can be enabled once again in coordination between the kernel, gcc, and clang. There has been recent progress on this in [2] thanks to Tavian. Also see previous discussion on the mailing list [3] Thanks to everyone for moving this issue along. In particular, Bill for his PR to clang/llvm, Kees and Thorsten for reproducers of the two issues, Nathan for Kconfig-ifying this patch, and Miguel for reviewing. Info for the stable team: This patch should be backported to kernels >= 6.6 to make sure that those build correctly with the effected clang versions. This patch cherry-picks cleanly onto linux-6.11.y. For linux-6.6.y three prerequiste commits are neded: 16c31dd7fdf6: Compiler Attributes: counted_by: bump min gcc version 2993eb7a8d34: Compiler Attributes: counted_by: fixup clang URL 231dc3f0c936: lkdtm/bugs: Improve warning message for compilers without counted_by support There are still two merge conflicts even with those prerequistes. Here's the correct resolution: 1. include/linux/compiler_types.h: use the incoming change until before (but not including) the "Apply __counted_by() when the Endianness matches to increase test coverage." comment 2. lib/overflow_kunit.c: HEAD is correct [1] https://github.com/llvm/llvm-project/pull/112786 [2] https://github.com/llvm/llvm-project/pull/112636 [3] https://lore.kernel.org/lkml/3E304FB2-799D-478F-889A-CDFC1A52DCD8@toblux.co… Best Regards Jan Jan Hendrik Farr (1): Compiler Attributes: disable __counted_by for clang < 19.1.3 drivers/misc/lkdtm/bugs.c | 2 +- include/linux/compiler_attributes.h | 13 ------------- include/linux/compiler_types.h | 19 +++++++++++++++++++ init/Kconfig | 9 +++++++++ lib/overflow_kunit.c | 2 +- 5 files changed, 30 insertions(+), 15 deletions(-) -- 2.47.0

5 months

3
3
0 0

[PATCH] powerpc/vdso: Drop -mstack-protector-guard flags in 32-bit files with clang

by Nathan Chancellor

Under certain conditions, the 64-bit '-mstack-protector-guard' flags may end up in the 32-bit vDSO flags, resulting in build failures due to the structure of clang's argument parsing of the stack protector options, which validates the arguments of the stack protector guard flags unconditionally in the frontend, choking on the 64-bit values when targeting 32-bit: clang: error: invalid value 'r13' in 'mstack-protector-guard-reg=', expected one of: r2 clang: error: invalid value 'r13' in 'mstack-protector-guard-reg=', expected one of: r2 make[3]: *** [arch/powerpc/kernel/vdso/Makefile:85: arch/powerpc/kernel/vdso/vgettimeofday-32.o] Error 1 make[3]: *** [arch/powerpc/kernel/vdso/Makefile:87: arch/powerpc/kernel/vdso/vgetrandom-32.o] Error 1 Remove these flags by adding them to the CC32FLAGSREMOVE variable, which already handles situations similar to this. Additionally, reformat and align a comment better for the expanding CONFIG_CC_IS_CLANG block. Cc: stable(a)vger.kernel.org # v6.1+ Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- I say "Under certain conditions" because I am not entirely sure what they are. I cannot reproduce this error in my host environment but I can reproduce it in TuxMake's environment, which our CI uses: https://storage.tuxsuite.com/public/clangbuiltlinux/continuous-integration2… $ tuxmake \ -a powerpc \ -k ppc64_guest_defconfig \ -r podman \ -t clang-nightly \ LLVM=1 \ config default ... clang: error: invalid value 'r13' in 'mstack-protector-guard-reg=', expected one of: r2 clang: error: invalid value 'r13' in 'mstack-protector-guard-reg=', expected one of: r2 I suspect that make 4.4 could play a difference here but the solution is quite simple here (since it is already weird with reusing flags) so I figured it was just worth doing this regardless of what the underlying reason is. --- arch/powerpc/kernel/vdso/Makefile | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/kernel/vdso/Makefile b/arch/powerpc/kernel/vdso/Makefile index 31ca5a5470047e7ac0a0f8194fd59c6a3b453b4d..c568cad6a22e6b8a8bcb04463b7c850306364804 100644 --- a/arch/powerpc/kernel/vdso/Makefile +++ b/arch/powerpc/kernel/vdso/Makefile @@ -54,10 +54,14 @@ ldflags-y += $(filter-out $(CC_AUTO_VAR_INIT_ZERO_ENABLER) $(CC_FLAGS_FTRACE) -W CC32FLAGS := -m32 CC32FLAGSREMOVE := -mcmodel=medium -mabi=elfv1 -mabi=elfv2 -mcall-aixdesc - # This flag is supported by clang for 64-bit but not 32-bit so it will cause - # an unused command line flag warning for this file. ifdef CONFIG_CC_IS_CLANG +# This flag is supported by clang for 64-bit but not 32-bit so it will cause +# an unused command line flag warning for this file. CC32FLAGSREMOVE += -fno-stack-clash-protection +# -mstack-protector-guard values from the 64-bit build are not valid for the +# 32-bit one. clang validates the values passed to these arguments during +# parsing, even when -fno-stack-protector is passed afterwards. +CC32FLAGSREMOVE += -mstack-protector-guard% endif LD32FLAGS := -Wl,-soname=linux-vdso32.so.1 AS32FLAGS := -D__VDSO32__ --- base-commit: bee08a9e6ab03caf14481d97b35a258400ffab8f change-id: 20241030-powerpc-vdso-drop-stackp-flags-clang-ddfbf2ef27a6 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

5 months

4
5
0 0

Re: Bluetooth kernel BUG with Intel AX211 (regression in 6.1.83)

by Linux regression tracking (Thorsten Leemhuis)

Hi stable team (and Bluetooth maintainers), I noticed a regression report about a BT problem in 6.1.y: On 21.04.24 15:54, Jeremy Lainé wrote: > > After upgrading my kernel to Debian's latest version (6.1.85), I > started encountering systematic kernel BUGs at boot, making the > bluetooth stack unusable. I initially reported this to Debian's bug > tracker: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069301 > > .. but have since confirmed that this is reproducible with vanilla > kernels, including the latest 6.1.y version (6.1.87). > > I tried various kernel versions (straight from kernel.org) to pinpoint > when the problem started occurring and the resultats are: Jeremy later wrote: > # first bad commit: [6083089ab00631617f9eac678df3ab050a9d837a] > Bluetooth: hci_conn: Consolidate code for aborting connections https://lore.kernel.org/all/8eeb980a-f04a-4e94-8065-25566cfef4dd@molgen.mpg… That's a13f316e90fdb1 ("Bluetooth: hci_conn: Consolidate code for aborting connections") [v6.6-rc1, v6.1.83 (6083089ab00631)] FWIW, there is a fix for the mainline commit under review: https://lore.kernel.org/all/20240411151929.403263-1-kovalev@altlinux.org/ But it is likely unrelated, as Jeremy later also wrote: > I'm now running 6.9-rc5 and have not been able to reproduce the issue, https://lore.kernel.org/all/CADRbXaA2yFjMo=_8_ZTubPbrrmWH9yx+aG5pUadnk395ko… Makes me wonder if 6.1.y is missing some other change a13f316e90fdb1 depends on. Ciao, Thorsten > I have included a trace below, and full system details are available > in the Debian bug listed above. Can you suggest any other tests I can > perform to help diagnose the origin of the problem? > > [ 22.660847] list_del corruption, ffff94d9f6302000->prev is > LIST_POISON2 (dead000000000122) > [ 22.660887] ------------[ cut here ]------------ > [ 22.660890] kernel BUG at lib/list_debug.c:56! > [ 22.660907] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI > [ 22.660917] CPU: 10 PID: 139 Comm: kworker/u25:0 Not tainted > 6.1.0-20-amd64 #1 Debian 6.1.85-1 > [ 22.660929] Hardware name: Dell Inc. XPS 9315/00KRKP, BIOS 1.19.1 03/14/2024 > [ 22.660936] Workqueue: hci0 hci_cmd_sync_work [bluetooth] > [ 22.661128] RIP: 0010:__list_del_entry_valid.cold+0x4b/0x6f > [ 22.661147] Code: fe ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 48 18 7a > 9f e8 14 a1 fe ff 0f 0b 48 89 fe 48 89 ca 48 c7 c7 10 18 7a 9f e8 00 > a1 fe ff <0f> 0b 48 89 fe 48 c7 c7 d8 17 7a 9f e8 ef a0 fe ff 0f 0b 48 > 89 fe > [ 22.661156] RSP: 0000:ffffae0e406efde0 EFLAGS: 00010246 > [ 22.661164] RAX: 000000000000004e RBX: ffff94d9f6302000 RCX: 0000000000000027 > [ 22.661172] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff94dfaf8a03a0 > [ 22.661177] RBP: ffff94d859392000 R08: 0000000000000000 R09: ffffae0e406efc78 > [ 22.661182] R10: 0000000000000003 R11: ffffffff9fed4448 R12: ffff94d859392000 > [ 22.661187] R13: ffff94d859392770 R14: ffff94d858cb9800 R15: dead000000000100 > [ 22.661194] FS: 0000000000000000(0000) GS:ffff94dfaf880000(0000) > knlGS:0000000000000000 > [ 22.661202] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 22.661208] CR2: 00007f423c024038 CR3: 0000000799c04000 CR4: 0000000000750ee0 > [ 22.661214] PKRU: 55555554 > [ 22.661218] Call Trace: > [ 22.661225] <TASK> > [ 22.661232] ? __die_body.cold+0x1a/0x1f > [ 22.661246] ? die+0x2a/0x50 > [ 22.661257] ? do_trap+0xc5/0x110 > [ 22.661268] ? __list_del_entry_valid.cold+0x4b/0x6f > [ 22.661279] ? do_error_trap+0x6a/0x90 > [ 22.661289] ? __list_del_entry_valid.cold+0x4b/0x6f > [ 22.661298] ? exc_invalid_op+0x4c/0x60 > [ 22.661307] ? __list_del_entry_valid.cold+0x4b/0x6f > [ 22.661316] ? asm_exc_invalid_op+0x16/0x20 > [ 22.661328] ? __list_del_entry_valid.cold+0x4b/0x6f > [ 22.661337] hci_conn_del+0x136/0x3e0 [bluetooth] > [ 22.661466] hci_abort_conn_sync+0xaa/0x230 [bluetooth] > [ 22.661632] ? abort_conn_sync+0x3d/0x70 [bluetooth] > [ 22.661751] hci_cmd_sync_work+0x9f/0x150 [bluetooth] > [ 22.661915] process_one_work+0x1c4/0x380 > [ 22.661929] worker_thread+0x4d/0x380 > [ 22.661940] ? rescuer_thread+0x3a0/0x3a0 > [ 22.661950] kthread+0xd7/0x100 > [ 22.661959] ? kthread_complete_and_exit+0x20/0x20 > [ 22.661969] ret_from_fork+0x1f/0x30 > [ 22.661984] </TASK> > [ 22.661987] Modules linked in: ctr ccm nft_chain_nat xt_MASQUERADE > nf_nat nf_conntrack_netlink br_netfilter bridge stp llc xfrm_user > xfrm_algo nvme_fabrics rfcomm snd_seq_dummy snd_hrtimer snd_seq > snd_seq_device cmac algif_hash algif_skcipher af_alg snd_ctl_led > snd_soc_sof_sdw snd_soc_intel_hda_dsp_common snd_sof_probes > snd_soc_intel_sof_maxim_common snd_soc_rt715_sdca snd_soc_rt1316_sdw > regmap_sdw_mbq snd_hda_codec_hdmi regmap_sdw overlay ip6t_REJECT > nf_reject_ipv6 xt_hl ip6_tables ip6t_rt ipt_REJECT nf_reject_ipv4 > xt_LOG qrtr nf_log_syslog nft_limit bnep ipmi_devintf ipmi_msghandler > xt_limit xt_addrtype xt_tcpudp xt_conntrack nf_conntrack > nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables libcrc32c nfnetlink > binfmt_misc nls_ascii nls_cp437 vfat fat x86_pkg_temp_thermal > intel_powerclamp coretemp snd_soc_dmic snd_sof_pci_intel_tgl > snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation > soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp > snd_sof snd_sof_utils > [ 22.662122] snd_soc_hdac_hda snd_hda_ext_core > snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core kvm_intel > snd_compress btusb soundwire_bus btrtl kvm btbcm snd_hda_intel btintel > snd_intel_dspcfg btmtk dell_laptop snd_intel_sdw_acpi irqbypass > ledtrig_audio bluetooth snd_hda_codec i915 snd_hda_core rapl mei_hdcp > intel_rapl_msr snd_hwdep processor_thermal_device_pci dell_wmi joydev > hid_sensor_als intel_cstate jitterentropy_rng processor_thermal_device > snd_pcm hid_sensor_trigger processor_thermal_rfim dell_smbios > ucsi_acpi dcdbas hid_sensor_iio_common processor_thermal_mbox > drm_buddy intel_uncore iwlmvm pcspkr drbg iTCO_wdt typec_ucsi > dell_wmi_sysman snd_timer industrialio_triggered_buffer > drm_display_helper processor_thermal_rapl mei_me dell_wmi_descriptor > firmware_attributes_class kfifo_buf wmi_bmof ansi_cprng intel_pmc_bxt > cec snd roles intel_rapl_common ecdh_generic iTCO_vendor_support > int3403_thermal watchdog ecc industrialio mei soundcore typec > int3400_thermal rc_core mac80211 > [ 22.662253] int340x_thermal_zone intel_pmc_core button intel_hid > acpi_thermal_rel sparse_keymap ttm acpi_pad acpi_tad drm_kms_helper > libarc4 igen6_edac i2c_algo_bit ac evdev hid_multitouch serio_raw > iwlwifi cfg80211 rfkill msr parport_pc ppdev lp drm parport fuse loop > efi_pstore configfs efivarfs ip_tables x_tables autofs4 ext4 crc16 > mbcache jbd2 crc32c_generic usbhid hid_sensor_custom hid_sensor_hub > dm_crypt dm_mod intel_ishtp_hid nvme nvme_core t10_pi > crc64_rocksoft_generic crc64_rocksoft crc_t10dif crct10dif_generic > crc64 ahci libahci crct10dif_pclmul crct10dif_common libata > crc32_pclmul crc32c_intel scsi_mod spi_pxa2xx_platform > ghash_clmulni_intel dw_dmac hid_generic sha512_ssse3 scsi_common > dw_dmac_core xhci_pci sha512_generic sha256_ssse3 xhci_hcd sha1_ssse3 > usbcore i2c_hid_acpi intel_lpss_pci aesni_intel video intel_ish_ipc > i2c_i801 i2c_hid intel_lpss psmouse thunderbolt crypto_simd cryptd > i2c_smbus vmd intel_ishtp usb_common idma64 hid battery wmi > [ 22.662422] ---[ end trace 0000000000000000 ]--- > > Cheers, > > Jeremy #regzbot ^introduced 6083089ab0063 #regzbot title Bluetooth kernel BUG with Intel AX211 #regzbot duplicate: https://lore.kernel.org/all/8eeb980a-f04a-4e94-8065-25566cfef4dd@molgen.mpg… #regzbot ignore-activit

5 months

7
22
0 0

[PATCH v1] drm/bridge: tc358768: Fix DSI command tx

by Francesco Dolcini

From: Francesco Dolcini <francesco.dolcini(a)toradex.com> Wait for the command transmission to be completed in the DSI transfer function polling for the dc_start bit to go back to idle state after the transmission is started. This is documented in the datasheet and failures to do so lead to commands corruption. Fixes: ff1ca6397b1d ("drm/bridge: Add tc358768 driver") Cc: stable(a)vger.kernel.org Signed-off-by: Francesco Dolcini <francesco.dolcini(a)toradex.com> --- drivers/gpu/drm/bridge/tc358768.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/bridge/tc358768.c b/drivers/gpu/drm/bridge/tc358768.c index 0e8813278a2f..bb1750a3dab0 100644 --- a/drivers/gpu/drm/bridge/tc358768.c +++ b/drivers/gpu/drm/bridge/tc358768.c @@ -125,6 +125,9 @@ #define TC358768_DSI_CONFW_MODE_CLR (6 << 29) #define TC358768_DSI_CONFW_ADDR_DSI_CONTROL (0x3 << 24) +/* TC358768_DSICMD_TX (0x0600) register */ +#define TC358768_DSI_CMDTX_DC_START BIT(0) + static const char * const tc358768_supplies[] = { "vddc", "vddmipi", "vddio" }; @@ -229,6 +232,21 @@ static void tc358768_update_bits(struct tc358768_priv *priv, u32 reg, u32 mask, tc358768_write(priv, reg, tmp); } +static void tc358768_dsicmd_tx(struct tc358768_priv *priv) +{ + u32 val; + + /* start transfer */ + tc358768_write(priv, TC358768_DSICMD_TX, TC358768_DSI_CMDTX_DC_START); + if (priv->error) + return; + + /* wait transfer completion */ + priv->error = regmap_read_poll_timeout(priv->regmap, TC358768_DSICMD_TX, val, + (val & TC358768_DSI_CMDTX_DC_START) == 0, + 100, 100000); +} + static int tc358768_sw_reset(struct tc358768_priv *priv) { /* Assert Reset */ @@ -516,8 +534,7 @@ static ssize_t tc358768_dsi_host_transfer(struct mipi_dsi_host *host, } } - /* start transfer */ - tc358768_write(priv, TC358768_DSICMD_TX, 1); + tc358768_dsicmd_tx(priv); ret = tc358768_clear_error(priv); if (ret) -- 2.39.5

5 months

2
4
0 0

[PATCH v2 00/12] mwifiex: two fixes and cleanup

by Sascha Hauer

These are a few patches broken out from [1]. Kalle requested to limit the number of patches per series to approximately 12 and Francesco to move the fixes to the front of the series, so here we go. First two patches are fixes. First one is for host mlme support which currently is in wireless-next, so no stable tag needed, second one has a stable tag. The remaining patches except the last one I have chosen to upstream first. I'll continue with the other patches after having this series in shape and merged. The last one is a new patch not included in [1]. Sascha [1] https://lore.kernel.org/all/20240820-mwifiex-cleanup-v1-0-320d8de4a4b7@peng… Signed-off-by: Sascha Hauer <s.hauer(a)pengutronix.de> --- Changes in v2: - Add refence to 7bff9c974e1a in commit message of "wifi: mwifiex: drop asynchronous init waiting code" - Add extra sentence about bss_started in "wifi: mwifiex: move common settings out of switch/case" - Kill now unused MWIFIEX_BSS_TYPE_ANY - Collect reviewed-by tags from Francesco Dolcini - Link to v1: https://lore.kernel.org/r/20240826-mwifiex-cleanup-1-v1-0-56e6f8e056ec@peng… --- Sascha Hauer (12): wifi: mwifiex: add missing locking wifi: mwifiex: fix MAC address handling wifi: mwifiex: deduplicate code in mwifiex_cmd_tx_rate_cfg() wifi: mwifiex: use adapter as context pointer for mwifiex_hs_activated_event() wifi: mwifiex: drop unnecessary initialization wifi: mwifiex: make region_code_mapping_t const wifi: mwifiex: pass adapter to mwifiex_dnld_cmd_to_fw() wifi: mwifiex: simplify mwifiex_setup_ht_caps() wifi: mwifiex: fix indention wifi: mwifiex: make locally used function static wifi: mwifiex: move common settings out of switch/case wifi: mwifiex: drop asynchronous init waiting code drivers/net/wireless/marvell/mwifiex/cfg80211.c | 38 ++++------ drivers/net/wireless/marvell/mwifiex/cfp.c | 4 +- drivers/net/wireless/marvell/mwifiex/cmdevt.c | 76 +++++++------------- drivers/net/wireless/marvell/mwifiex/decl.h | 1 - drivers/net/wireless/marvell/mwifiex/init.c | 19 ++--- drivers/net/wireless/marvell/mwifiex/main.c | 94 +++++++++---------------- drivers/net/wireless/marvell/mwifiex/main.h | 16 ++--- drivers/net/wireless/marvell/mwifiex/sta_cmd.c | 49 ++++--------- drivers/net/wireless/marvell/mwifiex/txrx.c | 3 +- drivers/net/wireless/marvell/mwifiex/util.c | 22 +----- drivers/net/wireless/marvell/mwifiex/wmm.c | 12 ++-- 11 files changed, 105 insertions(+), 229 deletions(-) --- base-commit: 67a72043aa2e6f60f7bbe7bfa598ba168f16d04f change-id: 20240826-mwifiex-cleanup-1-b5035c7faff6 Best regards, -- Sascha Hauer <s.hauer(a)pengutronix.de>

5 months

3
4
0 0

[PATCH RESEND] PM: domains: Fix return value of API dev_pm_get_subsys_data()

by Zijun Hu

From: Zijun Hu <quic_zijuhu(a)quicinc.com> dev_pm_get_subsys_data() has below 2 issues under condition (@dev->power.subsys_data != NULL): - it will do unnecessary kzalloc() and kfree(). - it will return -ENOMEM if the kzalloc() fails, that is wrong since the kzalloc() is not needed. Fixed by not doing kzalloc() and returning 0 for the condition. Fixes: ef27bed1870d ("PM: Reference counting of power.subsys_data") Cc: stable(a)vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com> --- drivers/base/power/common.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/base/power/common.c b/drivers/base/power/common.c index 8c34ae1cd8d5..13cb1f2a06e7 100644 --- a/drivers/base/power/common.c +++ b/drivers/base/power/common.c @@ -26,6 +26,14 @@ int dev_pm_get_subsys_data(struct device *dev) { struct pm_subsys_data *psd; + spin_lock_irq(&dev->power.lock); + if (dev->power.subsys_data) { + dev->power.subsys_data->refcount++; + spin_unlock_irq(&dev->power.lock); + return 0; + } + spin_unlock_irq(&dev->power.lock); + psd = kzalloc(sizeof(*psd), GFP_KERNEL); if (!psd) return -ENOMEM; --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241010-fix_dev_pm_get_subsys_data-2478bb200fde Best regards, -- Zijun Hu <quic_zijuhu(a)quicinc.com>

5 months

2
3
0 0

Re: No sound on speakers X1 Carbon Gen 12

by Takashi Iwai

On Sun, 20 Oct 2024 17:12:14 +0200, Dean Matthew Menezes wrote: > > The first change worked to fix the sound from the speaker. Then please double-check whether my original fix in https://lore.kernel.org/87cyjzrutw.wl-tiwai@suse.de really doesn't bring back the speaker output. If it's confirmed to be broken, run as root: echo 1 > /sys/module/snd_hda_codec/parameters/dump_coef and get alsa-info.sh outputs from both working and patched-but-not-working cases again, but at this time, during the playback. (Also, please keep Cc.) thanks, Takashi

5 months

3
20
0 0

[PATCH] amba: Fix atomicity violation in amba_match()

by Qiu-ji Chen

Atomicity violation occurs during consecutive reads of pcdev->driver_override. Consider a scenario: after pvdev->driver_override passes the if statement, due to possible concurrency, pvdev->driver_override may change. This leads to pvdev->driver_override passing the condition with an old value, but entering the return !strcmp(pcdev->driver_override, drv->name); statement with a new value. This causes the function to return an unexpected result. Since pvdev->driver_override is a string that is modified byte by byte, without considering atomicity, data races may cause a partially modified pvdev->driver_override to enter both the condition and return statements, resulting in an error. To fix this, we suggest protecting all reads of pvdev->driver_override with a lock, and storing the result of the strcmp() function in a new variable retval. This ensures that pvdev->driver_override does not change during the entire operation, allowing the function to return the expected result. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 5150a8f07f6c ("amba: reorder functions") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/amba/bus.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/amba/bus.c b/drivers/amba/bus.c index 34bc880ca20b..e310f4f83b27 100644 --- a/drivers/amba/bus.c +++ b/drivers/amba/bus.c @@ -209,6 +209,7 @@ static int amba_match(struct device *dev, const struct device_driver *drv) { struct amba_device *pcdev = to_amba_device(dev); const struct amba_driver *pcdrv = to_amba_driver(drv); + int retval; mutex_lock(&pcdev->periphid_lock); if (!pcdev->periphid) { @@ -230,8 +231,14 @@ static int amba_match(struct device *dev, const struct device_driver *drv) mutex_unlock(&pcdev->periphid_lock); /* When driver_override is set, only bind to the matching driver */ - if (pcdev->driver_override) - return !strcmp(pcdev->driver_override, drv->name); + + device_lock(dev); + if (pcdev->driver_override) { + retval = !strcmp(pcdev->driver_override, drv->name); + device_unlock(dev); + return retval; + } + device_unlock(dev); return amba_lookup(pcdrv->id_table, pcdev) != NULL; } -- 2.34.1

5 months, 1 week

2
2
0 0

[PATCH] cdx: Fix atomicity violation in cdx_bus_match() and cdx_probe()

by Qiu-ji Chen

An atomicity violation occurs during consecutive reads of the variable cdx_dev->driver_override. Imagine a scenario: while evaluating the statement if (cdx_dev->driver_override && strcmp(cdx_dev->driver_override, drv->name)), the value of cdx_dev->driver_override changes, leading to an inconsistency where the value of cdx_dev->driver_override is the old value when passing the non-null check, but the new value when evaluated by strcmp(). This causes an inconsistency. The second error occurs during the validation of cdx_dev->driver_override. The logic of this error is similar to the first one, as the entire process is not protected by a lock, leading to an inconsistency in the values of cdx_dev->driver_override before and after the reads. The third error occurs in driver_override_show() when executing the statement return sysfs_emit(buf, "%s\n", cdx_dev->driver_override);. Since the string changes byte by byte, it is possible for a partially modified cdx_dev->driver_override value to be used in this statement, leading to an incorrect return value from the program. To fix these issues, for the first and second problems, since we need to protect the entire process of reading the variable cdx_dev->driver_override with a lock, we introduced a variable ret and an out block. For each branch in this section, we replaced the return statements with assignments to the variable ret, and then used a goto statement to directly execute the out block, making the code overall more concise. For the third problem, we adopted a similar approach to the one used in the modalias_show() function, protecting the process of reading cdx_dev->driver_override with a lock, ensuring that the program runs correctly. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 2959ab247061 ("cdx: add the cdx bus driver") Fixes: 48a6c7bced2a ("cdx: add device attributes") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/cdx/cdx.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/drivers/cdx/cdx.c b/drivers/cdx/cdx.c index 07371cb653d3..fae03c89f818 100644 --- a/drivers/cdx/cdx.c +++ b/drivers/cdx/cdx.c @@ -268,6 +268,7 @@ static int cdx_bus_match(struct device *dev, const struct device_driver *drv) const struct cdx_driver *cdx_drv = to_cdx_driver(drv); const struct cdx_device_id *found_id = NULL; const struct cdx_device_id *ids; + int ret = false; if (cdx_dev->is_bus) return false; @@ -275,28 +276,40 @@ static int cdx_bus_match(struct device *dev, const struct device_driver *drv) ids = cdx_drv->match_id_table; /* When driver_override is set, only bind to the matching driver */ - if (cdx_dev->driver_override && strcmp(cdx_dev->driver_override, drv->name)) - return false; + device_lock(dev); + if (cdx_dev->driver_override && strcmp(cdx_dev->driver_override, drv->name)) { + ret = false; + goto out; + } found_id = cdx_match_id(ids, cdx_dev); - if (!found_id) - return false; + if (!found_id) { + ret = false; + goto out; + } do { /* * In case override_only was set, enforce driver_override * matching. */ - if (!found_id->override_only) - return true; - if (cdx_dev->driver_override) - return true; + if (!found_id->override_only) { + ret = true; + goto out; + } + if (cdx_dev->driver_override) { + ret = true; + goto out; + } ids = found_id + 1; found_id = cdx_match_id(ids, cdx_dev); } while (found_id); - return false; + ret = false; +out: + device_unlock(dev); + return ret; } static int cdx_probe(struct device *dev) @@ -470,8 +483,12 @@ static ssize_t driver_override_show(struct device *dev, struct device_attribute *attr, char *buf) { struct cdx_device *cdx_dev = to_cdx_device(dev); + ssize_t len; - return sysfs_emit(buf, "%s\n", cdx_dev->driver_override); + device_lock(dev); + len = sysfs_emit(buf, "%s\n", cdx_dev->driver_override); + device_unlock(dev); + return len; } static DEVICE_ATTR_RW(driver_override); -- 2.34.1

5 months, 1 week

2
2
0 0

[PATCH net] wifi: brcmfmac: release 'root' node in all execution paths

by Javier Carrasco

The fixed patch introduced an additional condition to enter the scope where the 'root' device_node is released (!settings->board_type, currently 'err'), which avoid decrementing the refcount with a call to of_node_put() if that second condition is not satisfied. Move the call to of_node_put() to the point where 'root' is no longer required to avoid leaking the resource if err is not zero. Cc: stable(a)vger.kernel.org Fixes: 7682de8b3351 ("wifi: brcmfmac: of: Fetch Apple properties") Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Note that a call to of_node_put() on a NULL device_node has no effect, which simplifies this patch as there is no need to refactor the or add more conditions. --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c index fe4f65756105..af930e34c21f 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c @@ -110,9 +110,8 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type, } strreplace(board_type, '/', '-'); settings->board_type = board_type; - - of_node_put(root); } + of_node_put(root); if (!np || !of_device_is_compatible(np, "brcm,bcm4329-fmac")) return; --- base-commit: c05c62850a8f035a267151dd86ea3daf887e28b8 change-id: 20241030-brcmfmac-of-cleanup-000fe98821df Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

5 months, 1 week

2
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2024