June 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] HID: i2c-hid: elan: fix reset suspend current leakage" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0eafc58f2194dbd01d4be40f99a697681171995b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061323-deuce-expose-15f0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 0eafc58f2194 ("HID: i2c-hid: elan: fix reset suspend current leakage") f2f43bf15d7a ("HID: i2c-hid: elan: Add ili9882t timing") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0eafc58f2194dbd01d4be40f99a697681171995b Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan+linaro(a)kernel.org> Date: Tue, 7 May 2024 16:48:18 +0200 Subject: [PATCH] HID: i2c-hid: elan: fix reset suspend current leakage The Elan eKTH5015M touch controller found on the Lenovo ThinkPad X13s shares the VCC33 supply with other peripherals that may remain powered during suspend (e.g. when enabled as wakeup sources). The reset line is also wired so that it can be left deasserted when the supply is off. This is important as it avoids holding the controller in reset for extended periods of time when it remains powered, which can lead to increased power consumption, and also avoids leaking current through the X13s reset circuitry during suspend (and after driver unbind). Use the new 'no-reset-on-power-off' devicetree property to determine when reset needs to be asserted on power down. Notably this also avoids wasting power on machine variants without a touchscreen for which the driver would otherwise exit probe with reset asserted. Fixes: bd3cba00dcc6 ("HID: i2c-hid: elan: Add support for Elan eKTH6915 i2c-hid touchscreens") Cc: <stable(a)vger.kernel.org> # 6.0 Cc: Douglas Anderson <dianders(a)chromium.org> Tested-by: Steev Klimaszewski <steev(a)kali.org> Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> Reviewed-by: Douglas Anderson <dianders(a)chromium.org> Link: https://lore.kernel.org/r/20240507144821.12275-5-johan+linaro@kernel.org Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> diff --git a/drivers/hid/i2c-hid/i2c-hid-of-elan.c b/drivers/hid/i2c-hid/i2c-hid-of-elan.c index 5b91fb106cfc..091e37933225 100644 --- a/drivers/hid/i2c-hid/i2c-hid-of-elan.c +++ b/drivers/hid/i2c-hid/i2c-hid-of-elan.c @@ -31,6 +31,7 @@ struct i2c_hid_of_elan { struct regulator *vcc33; struct regulator *vccio; struct gpio_desc *reset_gpio; + bool no_reset_on_power_off; const struct elan_i2c_hid_chip_data *chip_data; }; @@ -40,17 +41,17 @@ static int elan_i2c_hid_power_up(struct i2chid_ops *ops) container_of(ops, struct i2c_hid_of_elan, ops); int ret; + gpiod_set_value_cansleep(ihid_elan->reset_gpio, 1); + if (ihid_elan->vcc33) { ret = regulator_enable(ihid_elan->vcc33); if (ret) - return ret; + goto err_deassert_reset; } ret = regulator_enable(ihid_elan->vccio); - if (ret) { - regulator_disable(ihid_elan->vcc33); - return ret; - } + if (ret) + goto err_disable_vcc33; if (ihid_elan->chip_data->post_power_delay_ms) msleep(ihid_elan->chip_data->post_power_delay_ms); @@ -60,6 +61,15 @@ static int elan_i2c_hid_power_up(struct i2chid_ops *ops) msleep(ihid_elan->chip_data->post_gpio_reset_on_delay_ms); return 0; + +err_disable_vcc33: + if (ihid_elan->vcc33) + regulator_disable(ihid_elan->vcc33); +err_deassert_reset: + if (ihid_elan->no_reset_on_power_off) + gpiod_set_value_cansleep(ihid_elan->reset_gpio, 0); + + return ret; } static void elan_i2c_hid_power_down(struct i2chid_ops *ops) @@ -67,7 +77,14 @@ static void elan_i2c_hid_power_down(struct i2chid_ops *ops) struct i2c_hid_of_elan *ihid_elan = container_of(ops, struct i2c_hid_of_elan, ops); - gpiod_set_value_cansleep(ihid_elan->reset_gpio, 1); + /* + * Do not assert reset when the hardware allows for it to remain + * deasserted regardless of the state of the (shared) power supply to + * avoid wasting power when the supply is left on. + */ + if (!ihid_elan->no_reset_on_power_off) + gpiod_set_value_cansleep(ihid_elan->reset_gpio, 1); + if (ihid_elan->chip_data->post_gpio_reset_off_delay_ms) msleep(ihid_elan->chip_data->post_gpio_reset_off_delay_ms); @@ -79,6 +96,7 @@ static void elan_i2c_hid_power_down(struct i2chid_ops *ops) static int i2c_hid_of_elan_probe(struct i2c_client *client) { struct i2c_hid_of_elan *ihid_elan; + int ret; ihid_elan = devm_kzalloc(&client->dev, sizeof(*ihid_elan), GFP_KERNEL); if (!ihid_elan) @@ -93,21 +111,38 @@ static int i2c_hid_of_elan_probe(struct i2c_client *client) if (IS_ERR(ihid_elan->reset_gpio)) return PTR_ERR(ihid_elan->reset_gpio); + ihid_elan->no_reset_on_power_off = of_property_read_bool(client->dev.of_node, + "no-reset-on-power-off"); + ihid_elan->vccio = devm_regulator_get(&client->dev, "vccio"); - if (IS_ERR(ihid_elan->vccio)) - return PTR_ERR(ihid_elan->vccio); + if (IS_ERR(ihid_elan->vccio)) { + ret = PTR_ERR(ihid_elan->vccio); + goto err_deassert_reset; + } ihid_elan->chip_data = device_get_match_data(&client->dev); if (ihid_elan->chip_data->main_supply_name) { ihid_elan->vcc33 = devm_regulator_get(&client->dev, ihid_elan->chip_data->main_supply_name); - if (IS_ERR(ihid_elan->vcc33)) - return PTR_ERR(ihid_elan->vcc33); + if (IS_ERR(ihid_elan->vcc33)) { + ret = PTR_ERR(ihid_elan->vcc33); + goto err_deassert_reset; + } } - return i2c_hid_core_probe(client, &ihid_elan->ops, - ihid_elan->chip_data->hid_descriptor_address, 0); + ret = i2c_hid_core_probe(client, &ihid_elan->ops, + ihid_elan->chip_data->hid_descriptor_address, 0); + if (ret) + goto err_deassert_reset; + + return 0; + +err_deassert_reset: + if (ihid_elan->no_reset_on_power_off) + gpiod_set_value_cansleep(ihid_elan->reset_gpio, 0); + + return ret; } static const struct elan_i2c_hid_chip_data elan_ekth6915_chip_data = {

10 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] 9p: add missing locking around taking dentry fid list" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x c898afdc15645efb555acb6d85b484eb40a45409 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024061357-product-rigid-0f3e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: c898afdc1564 ("9p: add missing locking around taking dentry fid list") b48dbb998d70 ("9p fid refcount: add p9_fid_get/put wrappers") 47b1e3432b06 ("9p: Remove unnecessary variable for old fids while walking from d_parent") cba83f47fc0e ("9p: Track the root fid with its own variable during lookups") b0017602fdf6 ("9p: fix EBADF errors in cached mode") 2a3dcbccd64b ("9p: Fix refcounting during full path walks for fid lookups") beca774fc51a ("9p: fix fid refcount leak in v9fs_vfs_atomic_open_dotl") 6e195b0f7c8e ("9p: fix a bunch of checkpatch warnings") eb497943fa21 ("9p: Convert to using the netfs helper lib to do reads and caching") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c898afdc15645efb555acb6d85b484eb40a45409 Mon Sep 17 00:00:00 2001 From: Dominique Martinet <asmadeus(a)codewreck.org> Date: Tue, 21 May 2024 21:13:36 +0900 Subject: [PATCH] 9p: add missing locking around taking dentry fid list Fix a use-after-free on dentry's d_fsdata fid list when a thread looks up a fid through dentry while another thread unlinks it: UAF thread: refcount_t: addition on 0; use-after-free. p9_fid_get linux/./include/net/9p/client.h:262 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248 Freed by: p9_fid_destroy (inlined) p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456 p9_fid_put linux/./include/net/9p/client.h:278 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335 The problem is that d_fsdata was not accessed under d_lock, because d_release() normally is only called once the dentry is otherwise no longer accessible but since we also call it explicitly in v9fs_remove that lock is required: move the hlist out of the dentry under lock then unref its fids once they are no longer accessible. Fixes: 154372e67d40 ("fs/9p: fix create-unlink-getattr idiom") Cc: stable(a)vger.kernel.org Reported-by: Meysam Firouzi Reported-by: Amirmohammad Eftekhar Reviewed-by: Christian Schoenebeck <linux_oss(a)crudebyte.com> Message-ID: <20240521122947.1080227-1-asmadeus(a)codewreck.org> Signed-off-by: Dominique Martinet <asmadeus(a)codewreck.org> diff --git a/fs/9p/vfs_dentry.c b/fs/9p/vfs_dentry.c index f16f73581634..01338d4c2d9e 100644 --- a/fs/9p/vfs_dentry.c +++ b/fs/9p/vfs_dentry.c @@ -48,12 +48,17 @@ static int v9fs_cached_dentry_delete(const struct dentry *dentry) static void v9fs_dentry_release(struct dentry *dentry) { struct hlist_node *p, *n; + struct hlist_head head; p9_debug(P9_DEBUG_VFS, " dentry: %pd (%p)\n", dentry, dentry); - hlist_for_each_safe(p, n, (struct hlist_head *)&dentry->d_fsdata) + + spin_lock(&dentry->d_lock); + hlist_move_list((struct hlist_head *)&dentry->d_fsdata, &head); + spin_unlock(&dentry->d_lock); + + hlist_for_each_safe(p, n, &head) p9_fid_put(hlist_entry(p, struct p9_fid, dlist)); - dentry->d_fsdata = NULL; } static int v9fs_lookup_revalidate(struct dentry *dentry, unsigned int flags)

10 months, 3 weeks

1
0
0 0

[PATCH -stable,4.19.x 00/40] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This round includes pending -stable backport fixes for 4.19. This large batch includes dependency patches and fixes which are already present in -stable kernels >= 5.4.x but not in 4.19.x. The following list shows the backported patches, I am using original commit IDs for reference: 1) 0c2a85edd143 ("netfilter: nf_tables: pass context to nft_set_destroy()") 2) f8bb7889af58 ("netfilter: nftables: rename set element data activation/deactivation functions") 3) 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase") 4) 3b18d5eba491 ("netfilter: nft_set_rbtree: allow loose matching of closing element in interval") 5) 340eaff65116 ("netfilter: nft_set_rbtree: Add missing expired checks") 6) c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection") 7) 61ae320a29b0 ("netfilter: nft_set_rbtree: fix null deref on element insertion") 8) f718863aca46 ("netfilter: nft_set_rbtree: fix overlap expiration walk") 9) 24138933b97b ("netfilter: nf_tables: don't skip expired elements during walk") 10) 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") 11) f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API") 12) a2dd0233cbc4 ("netfilter: nf_tables: remove busy mark and gc batch API") 13) 6a33d8b73dfa ("netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path") 14) 02c6c24402bf ("netfilter: nf_tables: GC transaction race with netns dismantle") 15) 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path") 16) 8e51830e29e1 ("netfilter: nf_tables: defer gc run if previous batch is still pending") 17) 2ee52ae94baa ("netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction") 18) 96b33300fba8 ("netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention") 19) b079155faae9 ("netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration") 20) cf5000a7787c ("netfilter: nf_tables: fix memleak when more than 255 elements expired") 21) 6069da443bf6 ("netfilter: nf_tables: unregister flowtable hooks on netns exit") 22) f9a43007d3f7 ("netfilter: nf_tables: double hook unregistration in netns path") 23) 0ce7cf4127f1 ("netfilter: nftables: update table flags from the commit phase") 24) 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") 25) c9bd26513b3a ("netfilter: nf_tables: disable toggling dormant table state more than once") 26) ("netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 4.19)") NB: This patch does not exist in any upstream tree, but there is a similar patch already in 5.4 27) 917d80d376ff ("netfilter: nft_dynset: fix timeouts later than 23 days") 28) fd94d9dadee5 ("netfilter: nftables: exthdr: fix 4-byte stack OOB write") 29) 95cd4bca7b1f ("netfilter: nft_dynset: report EOPNOTSUPP on missing set feature") 30) 7b1394892de8 ("netfilter: nft_dynset: relax superfluous check on set updates") 31) 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort") 32) 6b1ca88e4bb6 ("netfilter: nf_tables: skip dead set elements in netlink dump") 33) d0009effa886 ("netfilter: nf_tables: validate NFPROTO_* family") 34) 60c0c230c6f0 ("netfilter: nft_set_rbtree: skip end interval element from gc") 35) bccebf647017 ("netfilter: nf_tables: set dormant flag on hook register failure") 36) 7e0f122c6591 ("netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()") 37) 4a0e7f2decbf ("netfilter: nf_tables: do not compare internal table flags on updates") 38) 552705a3650b ("netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout") 39) 994209ddf4f4 ("netfilter: nf_tables: reject new basechain after table flag update") 40) 1bc83a019bbe ("netfilter: nf_tables: discard table flag update with pending basechain deletion") Please, apply. Thanks. Florian Westphal (4): netfilter: nf_tables: defer gc run if previous batch is still pending netfilter: nftables: exthdr: fix 4-byte stack OOB write netfilter: nf_tables: mark newset as dead on transaction abort netfilter: nf_tables: set dormant flag on hook register failure Ignat Korchagin (1): netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Pablo Neira Ayuso (34): netfilter: nf_tables: pass context to nft_set_destroy() netfilter: nftables: rename set element data activation/deactivation functions netfilter: nf_tables: drop map element references from preparation phase netfilter: nft_set_rbtree: allow loose matching of closing element in interval netfilter: nft_set_rbtree: Switch to node list walk for overlap detection netfilter: nft_set_rbtree: fix null deref on element insertion netfilter: nft_set_rbtree: fix overlap expiration walk netfilter: nf_tables: don't skip expired elements during walk netfilter: nf_tables: GC transaction API to avoid race with control plane netfilter: nf_tables: adapt set backend to use GC transaction API netfilter: nf_tables: remove busy mark and gc batch API netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path netfilter: nf_tables: GC transaction race with netns dismantle netfilter: nf_tables: GC transaction race with abort path netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration netfilter: nf_tables: fix memleak when more than 255 elements expired netfilter: nf_tables: unregister flowtable hooks on netns exit netfilter: nf_tables: double hook unregistration in netns path netfilter: nftables: update table flags from the commit phase netfilter: nf_tables: fix table flag updates netfilter: nf_tables: disable toggling dormant table state more than once netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 4.19) netfilter: nft_dynset: fix timeouts later than 23 days netfilter: nft_dynset: report EOPNOTSUPP on missing set feature netfilter: nft_dynset: relax superfluous check on set updates netfilter: nf_tables: skip dead set elements in netlink dump netfilter: nf_tables: validate NFPROTO_* family netfilter: nft_set_rbtree: skip end interval element from gc netfilter: nf_tables: do not compare internal table flags on updates netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout netfilter: nf_tables: reject new basechain after table flag update netfilter: nf_tables: discard table flag update with pending basechain deletion Phil Sutter (1): netfilter: nft_set_rbtree: Add missing expired checks include/net/netfilter/nf_tables.h | 132 +++--- include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nf_tables_api.c | 529 +++++++++++++++++++---- net/netfilter/nft_chain_filter.c | 3 + net/netfilter/nft_compat.c | 32 ++ net/netfilter/nft_dynset.c | 24 +- net/netfilter/nft_exthdr.c | 14 +- net/netfilter/nft_flow_offload.c | 5 + net/netfilter/nft_nat.c | 5 + net/netfilter/nft_rt.c | 5 + net/netfilter/nft_set_bitmap.c | 5 +- net/netfilter/nft_set_hash.c | 111 +++-- net/netfilter/nft_set_rbtree.c | 387 ++++++++++++++--- net/netfilter/nft_socket.c | 5 + net/netfilter/nft_tproxy.c | 5 + 15 files changed, 977 insertions(+), 286 deletions(-) -- 2.30.2

10 months, 3 weeks

2
41
0 0

[PATCH] rtc: abx80x: Fix return value of nvmem callback on read

by Joy Chakraborty

Read callbacks registered with nvmem core expect 0 to be returned on success and a negative value to be returned on failure. abx80x_nvmem_xfer() on read calls i2c_smbus_read_i2c_block_data() which returns the number of bytes read on success as per its api description, this return value is handled as an error and returned to nvmem even on success. Fix to handle all possible values that would be returned by i2c_smbus_read_i2c_block_data(). Fixes: e90ff8ede777 ("rtc: abx80x: Add nvmem support") Cc: stable(a)vger.kernel.org Signed-off-by: Joy Chakraborty <joychakr(a)google.com> --- drivers/rtc/rtc-abx80x.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/rtc/rtc-abx80x.c b/drivers/rtc/rtc-abx80x.c index fde2b8054c2e..0f5847d1ca2a 100644 --- a/drivers/rtc/rtc-abx80x.c +++ b/drivers/rtc/rtc-abx80x.c @@ -711,9 +711,16 @@ static int abx80x_nvmem_xfer(struct abx80x_priv *priv, unsigned int offset, else ret = i2c_smbus_read_i2c_block_data(priv->client, reg, len, val); - if (ret) + if (ret < 0) return ret; + if (!write) { + if (ret) + len = ret; + else + return -EIO; + } + offset += len; val += len; bytes -= len; -- 2.45.2.505.gda0bf45e8d-goog

10 months, 3 weeks

2
2
0 0

[PATCH v2] PCI: use local_pci_probe when best selected cpu is offline

by Hongchen Zhang

When the best selected CPU is offline, work_on_cpu() will stuck forever. This can be happen if a node is online while all its CPUs are offline (we can use "maxcpus=1" without "nr_cpus=1" to reproduce it), Therefore, in this case, we should call local_pci_probe() instead of work_on_cpu(). Cc: <stable(a)vger.kernel.org> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> Signed-off-by: Hongchen Zhang <zhanghongchen(a)loongson.cn> --- v1 -> v2 Added the method to reproduce this issue --- drivers/pci/pci-driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c index af2996d0d17f..32a99828e6a3 100644 --- a/drivers/pci/pci-driver.c +++ b/drivers/pci/pci-driver.c @@ -386,7 +386,7 @@ static int pci_call_probe(struct pci_driver *drv, struct pci_dev *dev, free_cpumask_var(wq_domain_mask); } - if (cpu < nr_cpu_ids) + if ((cpu < nr_cpu_ids) && cpu_online(cpu)) error = work_on_cpu(cpu, local_pci_probe, &ddi); else error = local_pci_probe(&ddi); -- 2.33.0

10 months, 3 weeks

3
3
0 0

[PATCH v2] Input: try trimming too long modalias strings

by Jason Andryuk

From: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> commit 0774d19038c496f0c3602fb505c43e1b2d8eed85 upstream. If an input device declares too many capability bits then modalias string for such device may become too long and not fit into uevent buffer, resulting in failure of sending said uevent. This, in turn, may prevent userspace from recognizing existence of such devices. This is typically not a concern for real hardware devices as they have limited number of keys, but happen with synthetic devices such as ones created by xen-kbdfront driver, which creates devices as being capable of delivering all possible keys, since it doesn't know what keys the backend may produce. To deal with such devices input core will attempt to trim key data, in the hope that the rest of modalias string will fit in the given buffer. When trimming key data it will indicate that it is not complete by placing "+," sign, resulting in conversions like this: old: k71,72,73,74,78,7A,7B,7C,7D,8E,9E,A4,AD,E0,E1,E4,F8,174, new: k71,72,73,74,78,7A,7B,7C,+, This should allow existing udev rules continue to work with existing devices, and will also allow writing more complex rules that would recognize trimmed modalias and check input device characteristics by other means (for example by parsing KEY= data in uevent or parsing input device sysfs attributes). Note that the driver core may try adding more uevent environment variables once input core is done adding its own, so when forming modalias we can not use the entire available buffer, so we reduce it by somewhat an arbitrary amount (96 bytes). Reported-by: Jason Andryuk <jandryuk(a)gmail.com> Reviewed-by: Peter Hutterer <peter.hutterer(a)who-t.net> Tested-by: Jason Andryuk <jandryuk(a)gmail.com> Link: https://lore.kernel.org/r/ZjAWMQCJdrxZkvkB@google.com Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> [ Apply to linux-6.1.y ] Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> --- For 6.1 only. Patch did not automatically apply to 6.1.y because input_print_modalias_parts() does not have const on *id. v2: Remove const from input_print_modalias() and input_print_modalias_parts() Tested on 6.1. 5.15 and earlier need an additional fixup. drivers/input/input.c | 104 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 89 insertions(+), 15 deletions(-) diff --git a/drivers/input/input.c b/drivers/input/input.c index 8b6a922f8470..78be582b5766 100644 --- a/drivers/input/input.c +++ b/drivers/input/input.c @@ -1374,19 +1374,19 @@ static int input_print_modalias_bits(char *buf, int size, char name, unsigned long *bm, unsigned int min_bit, unsigned int max_bit) { - int len = 0, i; + int bit = min_bit; + int len = 0; len += snprintf(buf, max(size, 0), "%c", name); - for (i = min_bit; i < max_bit; i++) - if (bm[BIT_WORD(i)] & BIT_MASK(i)) - len += snprintf(buf + len, max(size - len, 0), "%X,", i); + for_each_set_bit_from(bit, bm, max_bit) + len += snprintf(buf + len, max(size - len, 0), "%X,", bit); return len; } -static int input_print_modalias(char *buf, int size, struct input_dev *id, - int add_cr) +static int input_print_modalias_parts(char *buf, int size, int full_len, + struct input_dev *id) { - int len; + int len, klen, remainder, space; len = snprintf(buf, max(size, 0), "input:b%04Xv%04Xp%04Xe%04X-", @@ -1395,8 +1395,48 @@ static int input_print_modalias(char *buf, int size, struct input_dev *id, len += input_print_modalias_bits(buf + len, size - len, 'e', id->evbit, 0, EV_MAX); - len += input_print_modalias_bits(buf + len, size - len, + + /* + * Calculate the remaining space in the buffer making sure we + * have place for the terminating 0. + */ + space = max(size - (len + 1), 0); + + klen = input_print_modalias_bits(buf + len, size - len, 'k', id->keybit, KEY_MIN_INTERESTING, KEY_MAX); + len += klen; + + /* + * If we have more data than we can fit in the buffer, check + * if we can trim key data to fit in the rest. We will indicate + * that key data is incomplete by adding "+" sign at the end, like + * this: * "k1,2,3,45,+,". + * + * Note that we shortest key info (if present) is "k+," so we + * can only try to trim if key data is longer than that. + */ + if (full_len && size < full_len + 1 && klen > 3) { + remainder = full_len - len; + /* + * We can only trim if we have space for the remainder + * and also for at least "k+," which is 3 more characters. + */ + if (remainder <= space - 3) { + /* + * We are guaranteed to have 'k' in the buffer, so + * we need at least 3 additional bytes for storing + * "+," in addition to the remainder. + */ + for (int i = size - 1 - remainder - 3; i >= 0; i--) { + if (buf[i] == 'k' || buf[i] == ',') { + strcpy(buf + i + 1, "+,"); + len = i + 3; /* Not counting '\0' */ + break; + } + } + } + } + len += input_print_modalias_bits(buf + len, size - len, 'r', id->relbit, 0, REL_MAX); len += input_print_modalias_bits(buf + len, size - len, @@ -1412,12 +1452,25 @@ static int input_print_modalias(char *buf, int size, struct input_dev *id, len += input_print_modalias_bits(buf + len, size - len, 'w', id->swbit, 0, SW_MAX); - if (add_cr) - len += snprintf(buf + len, max(size - len, 0), "\n"); - return len; } +static int input_print_modalias(char *buf, int size, struct input_dev *id) +{ + int full_len; + + /* + * Printing is done in 2 passes: first one figures out total length + * needed for the modalias string, second one will try to trim key + * data in case when buffer is too small for the entire modalias. + * If the buffer is too small regardless, it will fill as much as it + * can (without trimming key data) into the buffer and leave it to + * the caller to figure out what to do with the result. + */ + full_len = input_print_modalias_parts(NULL, 0, 0, id); + return input_print_modalias_parts(buf, size, full_len, id); +} + static ssize_t input_dev_show_modalias(struct device *dev, struct device_attribute *attr, char *buf) @@ -1425,7 +1478,9 @@ static ssize_t input_dev_show_modalias(struct device *dev, struct input_dev *id = to_input_dev(dev); ssize_t len; - len = input_print_modalias(buf, PAGE_SIZE, id, 1); + len = input_print_modalias(buf, PAGE_SIZE, id); + if (len < PAGE_SIZE - 2) + len += snprintf(buf + len, PAGE_SIZE - len, "\n"); return min_t(int, len, PAGE_SIZE); } @@ -1637,6 +1692,23 @@ static int input_add_uevent_bm_var(struct kobj_uevent_env *env, return 0; } +/* + * This is a pretty gross hack. When building uevent data the driver core + * may try adding more environment variables to kobj_uevent_env without + * telling us, so we have no idea how much of the buffer we can use to + * avoid overflows/-ENOMEM elsewhere. To work around this let's artificially + * reduce amount of memory we will use for the modalias environment variable. + * + * The potential additions are: + * + * SEQNUM=18446744073709551615 - (%llu - 28 bytes) + * HOME=/ (6 bytes) + * PATH=/sbin:/bin:/usr/sbin:/usr/bin (34 bytes) + * + * 68 bytes total. Allow extra buffer - 96 bytes + */ +#define UEVENT_ENV_EXTRA_LEN 96 + static int input_add_uevent_modalias_var(struct kobj_uevent_env *env, struct input_dev *dev) { @@ -1646,9 +1718,11 @@ static int input_add_uevent_modalias_var(struct kobj_uevent_env *env, return -ENOMEM; len = input_print_modalias(&env->buf[env->buflen - 1], - sizeof(env->buf) - env->buflen, - dev, 0); - if (len >= (sizeof(env->buf) - env->buflen)) + (int)sizeof(env->buf) - env->buflen - + UEVENT_ENV_EXTRA_LEN, + dev); + if (len >= ((int)sizeof(env->buf) - env->buflen - + UEVENT_ENV_EXTRA_LEN)) return -ENOMEM; env->buflen += len; -- 2.40.1

10 months, 3 weeks

1
0
0 0

[PATCH] Input: try trimming too long modalias strings

by Jason Andryuk

From: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> commit 0774d19038c496f0c3602fb505c43e1b2d8eed85 upstream. If an input device declares too many capability bits then modalias string for such device may become too long and not fit into uevent buffer, resulting in failure of sending said uevent. This, in turn, may prevent userspace from recognizing existence of such devices. This is typically not a concern for real hardware devices as they have limited number of keys, but happen with synthetic devices such as ones created by xen-kbdfront driver, which creates devices as being capable of delivering all possible keys, since it doesn't know what keys the backend may produce. To deal with such devices input core will attempt to trim key data, in the hope that the rest of modalias string will fit in the given buffer. When trimming key data it will indicate that it is not complete by placing "+," sign, resulting in conversions like this: old: k71,72,73,74,78,7A,7B,7C,7D,8E,9E,A4,AD,E0,E1,E4,F8,174, new: k71,72,73,74,78,7A,7B,7C,+, This should allow existing udev rules continue to work with existing devices, and will also allow writing more complex rules that would recognize trimmed modalias and check input device characteristics by other means (for example by parsing KEY= data in uevent or parsing input device sysfs attributes). Note that the driver core may try adding more uevent environment variables once input core is done adding its own, so when forming modalias we can not use the entire available buffer, so we reduce it by somewhat an arbitrary amount (96 bytes). Reported-by: Jason Andryuk <jandryuk(a)gmail.com> Reviewed-by: Peter Hutterer <peter.hutterer(a)who-t.net> Tested-by: Jason Andryuk <jandryuk(a)gmail.com> Link: https://lore.kernel.org/r/ZjAWMQCJdrxZkvkB@google.com Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> [ Apply to linux-6.1.y ] Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> --- Patch did not automatically apply to 6.1.y because input_print_modalias_parts() does not have const on *id. Tested on 6.1. Seems to also apply and build on 5.4 and 4.19. drivers/input/input.c | 104 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 89 insertions(+), 15 deletions(-) diff --git a/drivers/input/input.c b/drivers/input/input.c index 8b6a922f8470..eb2bb8cbec3c 100644 --- a/drivers/input/input.c +++ b/drivers/input/input.c @@ -1374,19 +1374,19 @@ static int input_print_modalias_bits(char *buf, int size, char name, unsigned long *bm, unsigned int min_bit, unsigned int max_bit) { - int len = 0, i; + int bit = min_bit; + int len = 0; len += snprintf(buf, max(size, 0), "%c", name); - for (i = min_bit; i < max_bit; i++) - if (bm[BIT_WORD(i)] & BIT_MASK(i)) - len += snprintf(buf + len, max(size - len, 0), "%X,", i); + for_each_set_bit_from(bit, bm, max_bit) + len += snprintf(buf + len, max(size - len, 0), "%X,", bit); return len; } -static int input_print_modalias(char *buf, int size, struct input_dev *id, - int add_cr) +static int input_print_modalias_parts(char *buf, int size, int full_len, + const struct input_dev *id) { - int len; + int len, klen, remainder, space; len = snprintf(buf, max(size, 0), "input:b%04Xv%04Xp%04Xe%04X-", @@ -1395,8 +1395,48 @@ static int input_print_modalias(char *buf, int size, struct input_dev *id, len += input_print_modalias_bits(buf + len, size - len, 'e', id->evbit, 0, EV_MAX); - len += input_print_modalias_bits(buf + len, size - len, + + /* + * Calculate the remaining space in the buffer making sure we + * have place for the terminating 0. + */ + space = max(size - (len + 1), 0); + + klen = input_print_modalias_bits(buf + len, size - len, 'k', id->keybit, KEY_MIN_INTERESTING, KEY_MAX); + len += klen; + + /* + * If we have more data than we can fit in the buffer, check + * if we can trim key data to fit in the rest. We will indicate + * that key data is incomplete by adding "+" sign at the end, like + * this: * "k1,2,3,45,+,". + * + * Note that we shortest key info (if present) is "k+," so we + * can only try to trim if key data is longer than that. + */ + if (full_len && size < full_len + 1 && klen > 3) { + remainder = full_len - len; + /* + * We can only trim if we have space for the remainder + * and also for at least "k+," which is 3 more characters. + */ + if (remainder <= space - 3) { + /* + * We are guaranteed to have 'k' in the buffer, so + * we need at least 3 additional bytes for storing + * "+," in addition to the remainder. + */ + for (int i = size - 1 - remainder - 3; i >= 0; i--) { + if (buf[i] == 'k' || buf[i] == ',') { + strcpy(buf + i + 1, "+,"); + len = i + 3; /* Not counting '\0' */ + break; + } + } + } + } + len += input_print_modalias_bits(buf + len, size - len, 'r', id->relbit, 0, REL_MAX); len += input_print_modalias_bits(buf + len, size - len, @@ -1412,12 +1452,25 @@ static int input_print_modalias(char *buf, int size, struct input_dev *id, len += input_print_modalias_bits(buf + len, size - len, 'w', id->swbit, 0, SW_MAX); - if (add_cr) - len += snprintf(buf + len, max(size - len, 0), "\n"); - return len; } +static int input_print_modalias(char *buf, int size, const struct input_dev *id) +{ + int full_len; + + /* + * Printing is done in 2 passes: first one figures out total length + * needed for the modalias string, second one will try to trim key + * data in case when buffer is too small for the entire modalias. + * If the buffer is too small regardless, it will fill as much as it + * can (without trimming key data) into the buffer and leave it to + * the caller to figure out what to do with the result. + */ + full_len = input_print_modalias_parts(NULL, 0, 0, id); + return input_print_modalias_parts(buf, size, full_len, id); +} + static ssize_t input_dev_show_modalias(struct device *dev, struct device_attribute *attr, char *buf) @@ -1425,7 +1478,9 @@ static ssize_t input_dev_show_modalias(struct device *dev, struct input_dev *id = to_input_dev(dev); ssize_t len; - len = input_print_modalias(buf, PAGE_SIZE, id, 1); + len = input_print_modalias(buf, PAGE_SIZE, id); + if (len < PAGE_SIZE - 2) + len += snprintf(buf + len, PAGE_SIZE - len, "\n"); return min_t(int, len, PAGE_SIZE); } @@ -1637,6 +1692,23 @@ static int input_add_uevent_bm_var(struct kobj_uevent_env *env, return 0; } +/* + * This is a pretty gross hack. When building uevent data the driver core + * may try adding more environment variables to kobj_uevent_env without + * telling us, so we have no idea how much of the buffer we can use to + * avoid overflows/-ENOMEM elsewhere. To work around this let's artificially + * reduce amount of memory we will use for the modalias environment variable. + * + * The potential additions are: + * + * SEQNUM=18446744073709551615 - (%llu - 28 bytes) + * HOME=/ (6 bytes) + * PATH=/sbin:/bin:/usr/sbin:/usr/bin (34 bytes) + * + * 68 bytes total. Allow extra buffer - 96 bytes + */ +#define UEVENT_ENV_EXTRA_LEN 96 + static int input_add_uevent_modalias_var(struct kobj_uevent_env *env, struct input_dev *dev) { @@ -1646,9 +1718,11 @@ static int input_add_uevent_modalias_var(struct kobj_uevent_env *env, return -ENOMEM; len = input_print_modalias(&env->buf[env->buflen - 1], - sizeof(env->buf) - env->buflen, - dev, 0); - if (len >= (sizeof(env->buf) - env->buflen)) + (int)sizeof(env->buf) - env->buflen - + UEVENT_ENV_EXTRA_LEN, + dev); + if (len >= ((int)sizeof(env->buf) - env->buflen - + UEVENT_ENV_EXTRA_LEN)) return -ENOMEM; env->buflen += len; -- 2.40.1

10 months, 3 weeks

2
2
0 0

[PATCH v2] virt: guest_memfd: fix reference leak on hwpoisoned page

by Paolo Bonzini

If __kvm_gmem_get_pfn() detects an hwpoisoned page, it returns -EHWPOISON but it does not put back the reference that kvm_gmem_get_folio() had grabbed. Add the forgotten folio_put(). Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory") Cc: stable(a)vger.kernel.org Signed-off-by: Paolo Bonzini <pbonzini(a)redhat.com> --- Sent v1 from the wrong directory, sorry about that. virt/kvm/guest_memfd.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c index 3bfe1824ec2d..19c220ec1efd 100644 --- a/virt/kvm/guest_memfd.c +++ b/virt/kvm/guest_memfd.c @@ -549,7 +549,6 @@ static int __kvm_gmem_get_pfn(struct file *file, struct kvm_memory_slot *slot, struct kvm_gmem *gmem = file->private_data; struct folio *folio; struct page *page; - int r; if (file != slot->gmem.file) { WARN_ON_ONCE(slot->gmem.file); @@ -567,8 +566,9 @@ static int __kvm_gmem_get_pfn(struct file *file, struct kvm_memory_slot *slot, return PTR_ERR(folio); if (folio_test_hwpoison(folio)) { - r = -EHWPOISON; - goto out_unlock; + folio_unlock(folio); + folio_put(folio); + return -EHWPOISON; } page = folio_file_page(folio, index); @@ -577,12 +577,8 @@ static int __kvm_gmem_get_pfn(struct file *file, struct kvm_memory_slot *slot, if (max_order) *max_order = 0; - r = 0; - -out_unlock: folio_unlock(folio); - - return r; + return 0; } int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot, -- 2.43.0

10 months, 3 weeks

3
2
0 0

[PATCH v2] Supports to use the default CMA when the device-specified CMA memory is not enough.

by zhai.he

From: He Zhai <zhai.he(a)nxp.com> In the current code logic, if the device-specified CMA memory allocation fails, memory will not be allocated from the default CMA area. This patch will use the default cma region when the device's specified CMA is not enough. In addition, the log level of allocation failure is changed to debug. Because these logs will be printed when memory allocation from the device specified CMA fails, but if the allocation fails, it will be allocated from the default cma area. It can easily mislead developers' judgment. Signed-off-by: He Zhai <zhai.he(a)nxp.com> --- kernel/dma/contiguous.c | 11 +++++++++-- mm/cma.c | 4 ++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c index 055da410ac71..e45cfb24500f 100644 --- a/kernel/dma/contiguous.c +++ b/kernel/dma/contiguous.c @@ -357,8 +357,13 @@ struct page *dma_alloc_contiguous(struct device *dev, size_t size, gfp_t gfp) /* CMA can be used only in the context which permits sleeping */ if (!gfpflags_allow_blocking(gfp)) return NULL; - if (dev->cma_area) - return cma_alloc_aligned(dev->cma_area, size, gfp); + if (dev->cma_area) { + struct page *page = NULL; + + page = cma_alloc_aligned(dev->cma_area, size, gfp); + if (page) + return page; + } if (size <= PAGE_SIZE) return NULL; @@ -406,6 +411,8 @@ void dma_free_contiguous(struct device *dev, struct page *page, size_t size) if (dev->cma_area) { if (cma_release(dev->cma_area, page, count)) return; + if (cma_release(dma_contiguous_default_area, page, count)) + return; } else { /* * otherwise, page is from either per-numa cma or default cma diff --git a/mm/cma.c b/mm/cma.c index 3e9724716bad..6e12faf1bea7 100644 --- a/mm/cma.c +++ b/mm/cma.c @@ -495,8 +495,8 @@ struct page *cma_alloc(struct cma *cma, unsigned long count, } if (ret && !no_warn) { - pr_err_ratelimited("%s: %s: alloc failed, req-size: %lu pages, ret: %d\n", - __func__, cma->name, count, ret); + pr_debug("%s: alloc failed, req-size: %lu pages, ret: %d, try to use default cma\n", + cma->name, count, ret); cma_debug_show_areas(cma); } -- 2.34.1

10 months, 3 weeks

4
3
0 0

reply

by Peter Chan

Hi, I have a project that I would like you to be part of for possible business collaboration in future as my company needs a new raw material supplier from your country. You might be wondering the the type of project, please get back to me so I can give you more details. Peter Chan

10 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror June 2024