April 2025 - Linux-stable-mirror

[PATCH] bus: mhi: ep: Update read pointer only after buffer is written

by Sumit Kumar

Inside mhi_ep_ring_add_element, the read pointer (rd_offset) is updated before the buffer is written, potentially causing race conditions where the host sees an updated read pointer before the buffer is actually written. Updating rd_offset prematurely can lead to the host accessing an uninitialized or incomplete element, resulting in data corruption. Invoke the buffer write before updating rd_offset to ensure the element is fully written before signaling its availability. Fixes: bbdcba57a1a2 ("bus: mhi: ep: Add support for ring management") cc: stable(a)vger.kernel.org Co-developed-by: Youssef Samir <quic_yabdulra(a)quicinc.com> Signed-off-by: Youssef Samir <quic_yabdulra(a)quicinc.com> Signed-off-by: Sumit Kumar <quic_sumk(a)quicinc.com> --- drivers/bus/mhi/ep/ring.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/bus/mhi/ep/ring.c b/drivers/bus/mhi/ep/ring.c index aeb53b2c34a8cd859393529d0c8860462bc687ed..26357ee68dee984d70ae5bf39f8f09f2cbcafe30 100644 --- a/drivers/bus/mhi/ep/ring.c +++ b/drivers/bus/mhi/ep/ring.c @@ -131,19 +131,23 @@ int mhi_ep_ring_add_element(struct mhi_ep_ring *ring, struct mhi_ring_element *e } old_offset = ring->rd_offset; - mhi_ep_ring_inc_index(ring); dev_dbg(dev, "Adding an element to ring at offset (%zu)\n", ring->rd_offset); + buf_info.host_addr = ring->rbase + (old_offset * sizeof(*el)); + buf_info.dev_addr = el; + buf_info.size = sizeof(*el); + + ret = mhi_cntrl->write_sync(mhi_cntrl, &buf_info); + if (ret) + return ret; + + mhi_ep_ring_inc_index(ring); /* Update rp in ring context */ rp = cpu_to_le64(ring->rd_offset * sizeof(*el) + ring->rbase); memcpy_toio((void __iomem *) &ring->ring_ctx->generic.rp, &rp, sizeof(u64)); - buf_info.host_addr = ring->rbase + (old_offset * sizeof(*el)); - buf_info.dev_addr = el; - buf_info.size = sizeof(*el); - - return mhi_cntrl->write_sync(mhi_cntrl, &buf_info); + return ret; } void mhi_ep_ring_init(struct mhi_ep_ring *ring, enum mhi_ep_ring_type type, u32 id) --- base-commit: 1e26c5e28ca5821a824e90dd359556f5e9e7b89f change-id: 20250328-rp_fix-d7ebc18bc3be Best regards, -- Sumit Kumar <quic_sumk(a)quicinc.com>

4 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] staging: gpib: Fix Oops after disconnect in agilent usb" failed to apply to 6.13-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.13.y git checkout FETCH_HEAD git cherry-pick -x 8491e73a5223acb0a4b4d78c3f8b96aa9c5e774d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040317-flatterer-trio-16c9@gregkh' --subject-prefix 'PATCH 6.13.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8491e73a5223acb0a4b4d78c3f8b96aa9c5e774d Mon Sep 17 00:00:00 2001 From: Dave Penkler <dpenkler(a)gmail.com> Date: Sat, 22 Feb 2025 21:45:15 +0100 Subject: [PATCH] staging: gpib: Fix Oops after disconnect in agilent usb If the agilent usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously bus_interface was checked for NULL only in the functions directly calling usb_fill_bulk_urb or usb_control_msg. Check for valid bus_interface on all interface entry points and return -ENODEV if it is NULL. Fixes: fbae7090f30c ("staging: gpib: Update messaging and usb_device refs in agilent_usb") Cc: stable <stable(a)kernel.org> Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250222204515.5104-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/gpib/agilent_82357a/agilent_82357a.c b/drivers/staging/gpib/agilent_82357a/agilent_82357a.c index 7ebebe00dc48..e0d36f0dff25 100644 --- a/drivers/staging/gpib/agilent_82357a/agilent_82357a.c +++ b/drivers/staging/gpib/agilent_82357a/agilent_82357a.c @@ -427,7 +427,7 @@ static int agilent_82357a_read(gpib_board_t *board, uint8_t *buffer, size_t leng { int retval; struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length, in_data_length; int bytes_written, bytes_read; @@ -438,6 +438,10 @@ static int agilent_82357a_read(gpib_board_t *board, uint8_t *buffer, size_t leng *nbytes = 0; *end = 0; + + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); out_data_length = 0x9; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -534,7 +538,7 @@ static ssize_t agilent_82357a_generic_write(gpib_board_t *board, uint8_t *buffer { int retval; struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data = NULL; u8 *status_data = NULL; int out_data_length; @@ -545,6 +549,10 @@ static ssize_t agilent_82357a_generic_write(gpib_board_t *board, uint8_t *buffer struct agilent_82357a_register_pairlet read_reg; *bytes_written = 0; + if (!a_priv->bus_interface) + return -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); out_data_length = length + 0x8; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -697,9 +705,13 @@ int agilent_82357a_take_control_internal(gpib_board_t *board, int synchronous) static int agilent_82357a_take_control(gpib_board_t *board, int synchronous) { + struct agilent_82357a_priv *a_priv = board->private_data; const int timeout = 10; int i; + if (!a_priv->bus_interface) + return -ENODEV; + /* It looks like the 9914 does not handle tcs properly. * See comment above tms9914_take_control_workaround() in * drivers/gpib/tms9914/tms9914_aux.c @@ -723,10 +735,14 @@ static int agilent_82357a_take_control(gpib_board_t *board, int synchronous) static int agilent_82357a_go_to_standby(gpib_board_t *board) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_GTS; retval = agilent_82357a_write_registers(a_priv, &write, 1); @@ -739,11 +755,15 @@ static int agilent_82357a_go_to_standby(gpib_board_t *board) static void agilent_82357a_request_system_control(gpib_board_t *board, int request_control) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet writes[2]; int retval; int i = 0; + if (!a_priv->bus_interface) + return; // -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); /* 82357B needs bit to be set in 9914 AUXCR register */ writes[i].address = AUXCR; if (request_control) { @@ -767,10 +787,14 @@ static void agilent_82357a_request_system_control(gpib_board_t *board, int reque static void agilent_82357a_interface_clear(gpib_board_t *board, int assert) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return; // -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_SIC; if (assert) { @@ -785,10 +809,14 @@ static void agilent_82357a_interface_clear(gpib_board_t *board, int assert) static void agilent_82357a_remote_enable(gpib_board_t *board, int enable) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return; //-ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_SRE; if (enable) @@ -804,6 +832,8 @@ static int agilent_82357a_enable_eos(gpib_board_t *board, uint8_t eos_byte, int { struct agilent_82357a_priv *a_priv = board->private_data; + if (!a_priv->bus_interface) + return -ENODEV; if (compare_8_bits == 0) return -EOPNOTSUPP; @@ -822,10 +852,13 @@ static void agilent_82357a_disable_eos(gpib_board_t *board) static unsigned int agilent_82357a_update_status(gpib_board_t *board, unsigned int clear_mask) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet address_status, bus_status; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); board->status &= ~clear_mask; if (a_priv->is_cic) set_bit(CIC_NUM, &board->status); @@ -885,6 +918,9 @@ static int agilent_82357a_primary_address(gpib_board_t *board, unsigned int addr struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); // put primary address in address0 write.address = ADR; write.value = address & ADDRESS_MASK; @@ -906,11 +942,14 @@ static int agilent_82357a_secondary_address(gpib_board_t *board, unsigned int ad static int agilent_82357a_parallel_poll(gpib_board_t *board, uint8_t *result) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet writes[2]; struct agilent_82357a_register_pairlet read; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); // execute parallel poll writes[0].address = AUXCR; writes[0].value = AUX_CS | AUX_RPP; @@ -975,11 +1014,14 @@ static void agilent_82357a_return_to_local(gpib_board_t *board) static int agilent_82357a_line_status(const gpib_board_t *board) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet bus_status; int retval; int status = ValidALL; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); bus_status.address = BSR; retval = agilent_82357a_read_registers(a_priv, &bus_status, 1, 0); if (retval) { @@ -1025,10 +1067,13 @@ static unsigned short nanosec_to_fast_talker_bits(unsigned int *nanosec) static unsigned int agilent_82357a_t1_delay(gpib_board_t *board, unsigned int nanosec) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = FAST_TALKER_T1; write.value = nanosec_to_fast_talker_bits(&nanosec); retval = agilent_82357a_write_registers(a_priv, &write, 1);

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] staging: gpib: Fix Oops after disconnect in agilent usb" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x 8491e73a5223acb0a4b4d78c3f8b96aa9c5e774d # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040316-trespass-fencing-02e9@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 8491e73a5223acb0a4b4d78c3f8b96aa9c5e774d Mon Sep 17 00:00:00 2001 From: Dave Penkler <dpenkler(a)gmail.com> Date: Sat, 22 Feb 2025 21:45:15 +0100 Subject: [PATCH] staging: gpib: Fix Oops after disconnect in agilent usb If the agilent usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously bus_interface was checked for NULL only in the functions directly calling usb_fill_bulk_urb or usb_control_msg. Check for valid bus_interface on all interface entry points and return -ENODEV if it is NULL. Fixes: fbae7090f30c ("staging: gpib: Update messaging and usb_device refs in agilent_usb") Cc: stable <stable(a)kernel.org> Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250222204515.5104-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/gpib/agilent_82357a/agilent_82357a.c b/drivers/staging/gpib/agilent_82357a/agilent_82357a.c index 7ebebe00dc48..e0d36f0dff25 100644 --- a/drivers/staging/gpib/agilent_82357a/agilent_82357a.c +++ b/drivers/staging/gpib/agilent_82357a/agilent_82357a.c @@ -427,7 +427,7 @@ static int agilent_82357a_read(gpib_board_t *board, uint8_t *buffer, size_t leng { int retval; struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length, in_data_length; int bytes_written, bytes_read; @@ -438,6 +438,10 @@ static int agilent_82357a_read(gpib_board_t *board, uint8_t *buffer, size_t leng *nbytes = 0; *end = 0; + + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); out_data_length = 0x9; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -534,7 +538,7 @@ static ssize_t agilent_82357a_generic_write(gpib_board_t *board, uint8_t *buffer { int retval; struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data = NULL; u8 *status_data = NULL; int out_data_length; @@ -545,6 +549,10 @@ static ssize_t agilent_82357a_generic_write(gpib_board_t *board, uint8_t *buffer struct agilent_82357a_register_pairlet read_reg; *bytes_written = 0; + if (!a_priv->bus_interface) + return -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); out_data_length = length + 0x8; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -697,9 +705,13 @@ int agilent_82357a_take_control_internal(gpib_board_t *board, int synchronous) static int agilent_82357a_take_control(gpib_board_t *board, int synchronous) { + struct agilent_82357a_priv *a_priv = board->private_data; const int timeout = 10; int i; + if (!a_priv->bus_interface) + return -ENODEV; + /* It looks like the 9914 does not handle tcs properly. * See comment above tms9914_take_control_workaround() in * drivers/gpib/tms9914/tms9914_aux.c @@ -723,10 +735,14 @@ static int agilent_82357a_take_control(gpib_board_t *board, int synchronous) static int agilent_82357a_go_to_standby(gpib_board_t *board) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_GTS; retval = agilent_82357a_write_registers(a_priv, &write, 1); @@ -739,11 +755,15 @@ static int agilent_82357a_go_to_standby(gpib_board_t *board) static void agilent_82357a_request_system_control(gpib_board_t *board, int request_control) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet writes[2]; int retval; int i = 0; + if (!a_priv->bus_interface) + return; // -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); /* 82357B needs bit to be set in 9914 AUXCR register */ writes[i].address = AUXCR; if (request_control) { @@ -767,10 +787,14 @@ static void agilent_82357a_request_system_control(gpib_board_t *board, int reque static void agilent_82357a_interface_clear(gpib_board_t *board, int assert) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return; // -ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_SIC; if (assert) { @@ -785,10 +809,14 @@ static void agilent_82357a_interface_clear(gpib_board_t *board, int assert) static void agilent_82357a_remote_enable(gpib_board_t *board, int enable) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return; //-ENODEV; + + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = AUXCR; write.value = AUX_SRE; if (enable) @@ -804,6 +832,8 @@ static int agilent_82357a_enable_eos(gpib_board_t *board, uint8_t eos_byte, int { struct agilent_82357a_priv *a_priv = board->private_data; + if (!a_priv->bus_interface) + return -ENODEV; if (compare_8_bits == 0) return -EOPNOTSUPP; @@ -822,10 +852,13 @@ static void agilent_82357a_disable_eos(gpib_board_t *board) static unsigned int agilent_82357a_update_status(gpib_board_t *board, unsigned int clear_mask) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet address_status, bus_status; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); board->status &= ~clear_mask; if (a_priv->is_cic) set_bit(CIC_NUM, &board->status); @@ -885,6 +918,9 @@ static int agilent_82357a_primary_address(gpib_board_t *board, unsigned int addr struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); // put primary address in address0 write.address = ADR; write.value = address & ADDRESS_MASK; @@ -906,11 +942,14 @@ static int agilent_82357a_secondary_address(gpib_board_t *board, unsigned int ad static int agilent_82357a_parallel_poll(gpib_board_t *board, uint8_t *result) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet writes[2]; struct agilent_82357a_register_pairlet read; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); // execute parallel poll writes[0].address = AUXCR; writes[0].value = AUX_CS | AUX_RPP; @@ -975,11 +1014,14 @@ static void agilent_82357a_return_to_local(gpib_board_t *board) static int agilent_82357a_line_status(const gpib_board_t *board) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet bus_status; int retval; int status = ValidALL; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); bus_status.address = BSR; retval = agilent_82357a_read_registers(a_priv, &bus_status, 1, 0); if (retval) { @@ -1025,10 +1067,13 @@ static unsigned short nanosec_to_fast_talker_bits(unsigned int *nanosec) static unsigned int agilent_82357a_t1_delay(gpib_board_t *board, unsigned int nanosec) { struct agilent_82357a_priv *a_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(a_priv->bus_interface); + struct usb_device *usb_dev; struct agilent_82357a_register_pairlet write; int retval; + if (!a_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(a_priv->bus_interface); write.address = FAST_TALKER_T1; write.value = nanosec_to_fast_talker_bits(&nanosec); retval = agilent_82357a_write_registers(a_priv, &write, 1);

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] staging: gpib: Fix Oops after disconnect in ni_usb" failed to apply to 6.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.14.y git checkout FETCH_HEAD git cherry-pick -x a239c6e91b665f1837cf57b97fe638ef1baf2e78 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040309-kabob-graph-ed91@gregkh' --subject-prefix 'PATCH 6.14.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a239c6e91b665f1837cf57b97fe638ef1baf2e78 Mon Sep 17 00:00:00 2001 From: Dave Penkler <dpenkler(a)gmail.com> Date: Sat, 22 Feb 2025 17:58:17 +0100 Subject: [PATCH] staging: gpib: Fix Oops after disconnect in ni_usb If the usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously bus_interface was checked for NULL only in the the functions directly calling usb_fill_bulk_urb or usb_control_msg. Check for valid bus_interface on all interface entry points and return -ENODEV if it is NULL. Fixes: 4934b98bb243 ("staging: gpib: Update messaging and usb_device refs in ni_usb") Cc: stable <stable(a)kernel.org> Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250222165817.12856-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/gpib/ni_usb/ni_usb_gpib.c b/drivers/staging/gpib/ni_usb/ni_usb_gpib.c index 61b15b19e134..62fbc78204ce 100644 --- a/drivers/staging/gpib/ni_usb/ni_usb_gpib.c +++ b/drivers/staging/gpib/ni_usb/ni_usb_gpib.c @@ -591,7 +591,7 @@ static int ni_usb_read(gpib_board_t *board, uint8_t *buffer, size_t length, { int retval, parse_retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x20; int in_data_length; @@ -604,8 +604,11 @@ static int ni_usb_read(gpib_board_t *board, uint8_t *buffer, size_t length, struct ni_usb_register reg; *bytes_read = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_read_length) return -EINVAL; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -718,7 +721,7 @@ static int ni_usb_write(gpib_board_t *board, uint8_t *buffer, size_t length, { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length; static const int in_data_length = 0x10; @@ -728,9 +731,11 @@ static int ni_usb_write(gpib_board_t *board, uint8_t *buffer, size_t length, struct ni_usb_status_block status; static const int max_write_length = 0xffff; - *bytes_written = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_write_length) return -EINVAL; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data_length = length + 0x10; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -819,7 +824,7 @@ static int ni_usb_command_chunk(gpib_board_t *board, uint8_t *buffer, size_t len { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length; static const int in_data_length = 0x10; @@ -831,8 +836,11 @@ static int ni_usb_command_chunk(gpib_board_t *board, uint8_t *buffer, size_t len static const int max_command_length = 0x10; *command_bytes_written = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_command_length) length = max_command_length; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data_length = length + 0x10; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -925,7 +933,7 @@ static int ni_usb_take_control(gpib_board_t *board, int synchronous) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x10; @@ -933,6 +941,9 @@ static int ni_usb_take_control(gpib_board_t *board, int synchronous) int i = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -983,7 +994,7 @@ static int ni_usb_go_to_standby(gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x20; @@ -991,6 +1002,9 @@ static int ni_usb_go_to_standby(gpib_board_t *board) int i = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1039,11 +1053,14 @@ static void ni_usb_request_system_control(gpib_board_t *board, int request_contr { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[4]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); if (request_control) { writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = CMDR; @@ -1087,7 +1104,7 @@ static void ni_usb_interface_clear(gpib_board_t *board, int assert) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x10; @@ -1095,7 +1112,10 @@ static void ni_usb_interface_clear(gpib_board_t *board, int assert) int i = 0; struct ni_usb_status_block status; - // FIXME: we are going to pulse when assert is true, and ignore otherwise + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); +// FIXME: we are going to pulse when assert is true, and ignore otherwise if (assert == 0) return; out_data = kmalloc(out_data_length, GFP_KERNEL); @@ -1133,10 +1153,13 @@ static void ni_usb_remote_enable(gpib_board_t *board, int enable) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; struct ni_usb_register reg; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); reg.device = NIUSB_SUBDEV_TNT4882; reg.address = nec7210_to_tnt4882_offset(AUXMR); if (enable) @@ -1180,11 +1203,14 @@ static unsigned int ni_usb_update_status(gpib_board_t *board, unsigned int clear { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; static const int buffer_length = 8; u8 *buffer; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); buffer = kmalloc(buffer_length, GFP_KERNEL); if (!buffer) return board->status; @@ -1232,11 +1258,14 @@ static int ni_usb_primary_address(gpib_board_t *board, unsigned int address) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[2]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(ADR); writes[i].value = address; @@ -1287,11 +1316,14 @@ static int ni_usb_secondary_address(gpib_board_t *board, unsigned int address, i { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[3]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); i += ni_usb_write_sad(writes, address, enable); retval = ni_usb_write_registers(ni_priv, writes, i, &ibsta); if (retval < 0) { @@ -1306,7 +1338,7 @@ static int ni_usb_parallel_poll(gpib_board_t *board, uint8_t *result) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x20; @@ -1315,6 +1347,9 @@ static int ni_usb_parallel_poll(gpib_board_t *board, uint8_t *result) int j = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1358,11 +1393,14 @@ static void ni_usb_parallel_poll_configure(gpib_board_t *board, uint8_t config) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); writes[i].value = PPR | config; @@ -1380,11 +1418,14 @@ static void ni_usb_parallel_poll_response(gpib_board_t *board, int ist) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); if (ist) @@ -1405,11 +1446,14 @@ static void ni_usb_serial_poll_response(gpib_board_t *board, u8 status) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(SPMR); writes[i].value = status; @@ -1432,11 +1476,14 @@ static void ni_usb_return_to_local(gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); writes[i].value = AUX_RTL; @@ -1454,7 +1501,7 @@ static int ni_usb_line_status(const gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x20; static const int in_data_length = 0x20; @@ -1464,6 +1511,9 @@ static int ni_usb_line_status(const gpib_board_t *board) int line_status = ValidALL; // NI windows driver reads 0xd(HSSEL), 0xc (ARD0), 0x1f (BSR) + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1570,12 +1620,15 @@ static unsigned int ni_usb_t1_delay(gpib_board_t *board, unsigned int nano_sec) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; struct ni_usb_register writes[3]; unsigned int ibsta; unsigned int actual_ns; int i; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); i = ni_usb_setup_t1_delay(writes, nano_sec, &actual_ns); retval = ni_usb_write_registers(ni_priv, writes, i, &ibsta); if (retval < 0) {

4 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] staging: gpib: Fix Oops after disconnect in ni_usb" failed to apply to 6.13-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.13-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.13.y git checkout FETCH_HEAD git cherry-pick -x a239c6e91b665f1837cf57b97fe638ef1baf2e78 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025040306-cedar-kiln-0b1a@gregkh' --subject-prefix 'PATCH 6.13.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a239c6e91b665f1837cf57b97fe638ef1baf2e78 Mon Sep 17 00:00:00 2001 From: Dave Penkler <dpenkler(a)gmail.com> Date: Sat, 22 Feb 2025 17:58:17 +0100 Subject: [PATCH] staging: gpib: Fix Oops after disconnect in ni_usb If the usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously bus_interface was checked for NULL only in the the functions directly calling usb_fill_bulk_urb or usb_control_msg. Check for valid bus_interface on all interface entry points and return -ENODEV if it is NULL. Fixes: 4934b98bb243 ("staging: gpib: Update messaging and usb_device refs in ni_usb") Cc: stable <stable(a)kernel.org> Signed-off-by: Dave Penkler <dpenkler(a)gmail.com> Link: https://lore.kernel.org/r/20250222165817.12856-1-dpenkler@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/staging/gpib/ni_usb/ni_usb_gpib.c b/drivers/staging/gpib/ni_usb/ni_usb_gpib.c index 61b15b19e134..62fbc78204ce 100644 --- a/drivers/staging/gpib/ni_usb/ni_usb_gpib.c +++ b/drivers/staging/gpib/ni_usb/ni_usb_gpib.c @@ -591,7 +591,7 @@ static int ni_usb_read(gpib_board_t *board, uint8_t *buffer, size_t length, { int retval, parse_retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x20; int in_data_length; @@ -604,8 +604,11 @@ static int ni_usb_read(gpib_board_t *board, uint8_t *buffer, size_t length, struct ni_usb_register reg; *bytes_read = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_read_length) return -EINVAL; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -718,7 +721,7 @@ static int ni_usb_write(gpib_board_t *board, uint8_t *buffer, size_t length, { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length; static const int in_data_length = 0x10; @@ -728,9 +731,11 @@ static int ni_usb_write(gpib_board_t *board, uint8_t *buffer, size_t length, struct ni_usb_status_block status; static const int max_write_length = 0xffff; - *bytes_written = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_write_length) return -EINVAL; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data_length = length + 0x10; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -819,7 +824,7 @@ static int ni_usb_command_chunk(gpib_board_t *board, uint8_t *buffer, size_t len { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; int out_data_length; static const int in_data_length = 0x10; @@ -831,8 +836,11 @@ static int ni_usb_command_chunk(gpib_board_t *board, uint8_t *buffer, size_t len static const int max_command_length = 0x10; *command_bytes_written = 0; + if (!ni_priv->bus_interface) + return -ENODEV; if (length > max_command_length) length = max_command_length; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data_length = length + 0x10; out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) @@ -925,7 +933,7 @@ static int ni_usb_take_control(gpib_board_t *board, int synchronous) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x10; @@ -933,6 +941,9 @@ static int ni_usb_take_control(gpib_board_t *board, int synchronous) int i = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -983,7 +994,7 @@ static int ni_usb_go_to_standby(gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x20; @@ -991,6 +1002,9 @@ static int ni_usb_go_to_standby(gpib_board_t *board) int i = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1039,11 +1053,14 @@ static void ni_usb_request_system_control(gpib_board_t *board, int request_contr { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[4]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); if (request_control) { writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = CMDR; @@ -1087,7 +1104,7 @@ static void ni_usb_interface_clear(gpib_board_t *board, int assert) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x10; @@ -1095,7 +1112,10 @@ static void ni_usb_interface_clear(gpib_board_t *board, int assert) int i = 0; struct ni_usb_status_block status; - // FIXME: we are going to pulse when assert is true, and ignore otherwise + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); +// FIXME: we are going to pulse when assert is true, and ignore otherwise if (assert == 0) return; out_data = kmalloc(out_data_length, GFP_KERNEL); @@ -1133,10 +1153,13 @@ static void ni_usb_remote_enable(gpib_board_t *board, int enable) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; struct ni_usb_register reg; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); reg.device = NIUSB_SUBDEV_TNT4882; reg.address = nec7210_to_tnt4882_offset(AUXMR); if (enable) @@ -1180,11 +1203,14 @@ static unsigned int ni_usb_update_status(gpib_board_t *board, unsigned int clear { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; static const int buffer_length = 8; u8 *buffer; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); buffer = kmalloc(buffer_length, GFP_KERNEL); if (!buffer) return board->status; @@ -1232,11 +1258,14 @@ static int ni_usb_primary_address(gpib_board_t *board, unsigned int address) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[2]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(ADR); writes[i].value = address; @@ -1287,11 +1316,14 @@ static int ni_usb_secondary_address(gpib_board_t *board, unsigned int address, i { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[3]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); i += ni_usb_write_sad(writes, address, enable); retval = ni_usb_write_registers(ni_priv, writes, i, &ibsta); if (retval < 0) { @@ -1306,7 +1338,7 @@ static int ni_usb_parallel_poll(gpib_board_t *board, uint8_t *result) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x10; static const int in_data_length = 0x20; @@ -1315,6 +1347,9 @@ static int ni_usb_parallel_poll(gpib_board_t *board, uint8_t *result) int j = 0; struct ni_usb_status_block status; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1358,11 +1393,14 @@ static void ni_usb_parallel_poll_configure(gpib_board_t *board, uint8_t config) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); writes[i].value = PPR | config; @@ -1380,11 +1418,14 @@ static void ni_usb_parallel_poll_response(gpib_board_t *board, int ist) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); if (ist) @@ -1405,11 +1446,14 @@ static void ni_usb_serial_poll_response(gpib_board_t *board, u8 status) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(SPMR); writes[i].value = status; @@ -1432,11 +1476,14 @@ static void ni_usb_return_to_local(gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; int i = 0; struct ni_usb_register writes[1]; unsigned int ibsta; + if (!ni_priv->bus_interface) + return; // -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); writes[i].device = NIUSB_SUBDEV_TNT4882; writes[i].address = nec7210_to_tnt4882_offset(AUXMR); writes[i].value = AUX_RTL; @@ -1454,7 +1501,7 @@ static int ni_usb_line_status(const gpib_board_t *board) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; u8 *out_data, *in_data; static const int out_data_length = 0x20; static const int in_data_length = 0x20; @@ -1464,6 +1511,9 @@ static int ni_usb_line_status(const gpib_board_t *board) int line_status = ValidALL; // NI windows driver reads 0xd(HSSEL), 0xc (ARD0), 0x1f (BSR) + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); out_data = kmalloc(out_data_length, GFP_KERNEL); if (!out_data) return -ENOMEM; @@ -1570,12 +1620,15 @@ static unsigned int ni_usb_t1_delay(gpib_board_t *board, unsigned int nano_sec) { int retval; struct ni_usb_priv *ni_priv = board->private_data; - struct usb_device *usb_dev = interface_to_usbdev(ni_priv->bus_interface); + struct usb_device *usb_dev; struct ni_usb_register writes[3]; unsigned int ibsta; unsigned int actual_ns; int i; + if (!ni_priv->bus_interface) + return -ENODEV; + usb_dev = interface_to_usbdev(ni_priv->bus_interface); i = ni_usb_setup_t1_delay(writes, nano_sec, &actual_ns); retval = ni_usb_write_registers(ni_priv, writes, i, &ibsta); if (retval < 0) {

4 months, 2 weeks

1
0
0 0

[PATCH 5.10/5.15] dm cache: fix flushing uninitialized delayed_work on cache_ctr error

by Ilia Gavrilov

From: Ming-Hung Tsai <mtsai(a)redhat.com> commit 135496c208ba26fd68cdef10b64ed7a91ac9a7ff upstream. An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum error. Reproduce steps: dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" Kernel logs: (snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890 Fix by pulling out the cancel_delayed_work_sync() from the constructor's error path. This patch doesn't affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix UAF in destroy()")) as cache_dtr is not changed. Signed-off-by: Ming-Hung Tsai <mtsai(a)redhat.com> Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()") Cc: stable(a)vger.kernel.org Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Acked-by: Joe Thornber <thornber(a)redhat.com> Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov(a)infotecs.ru> --- Backport fix for CVE-2024-50280 drivers/md/dm-cache-target.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c index 63eac25ec881..8a03357f8c93 100644 --- a/drivers/md/dm-cache-target.c +++ b/drivers/md/dm-cache-target.c @@ -1960,16 +1960,13 @@ static void check_migrations(struct work_struct *ws) * This function gets called on the error paths of the constructor, so we * have to cope with a partially initialised struct. */ -static void destroy(struct cache *cache) +static void __destroy(struct cache *cache) { - unsigned i; - mempool_exit(&cache->migration_pool); if (cache->prison) dm_bio_prison_destroy_v2(cache->prison); - cancel_delayed_work_sync(&cache->waker); if (cache->wq) destroy_workqueue(cache->wq); @@ -1997,13 +1994,22 @@ static void destroy(struct cache *cache) if (cache->policy) dm_cache_policy_destroy(cache->policy); + bioset_exit(&cache->bs); + + kfree(cache); +} + +static void destroy(struct cache *cache) +{ + unsigned int i; + + cancel_delayed_work_sync(&cache->waker); + for (i = 0; i < cache->nr_ctr_args ; i++) kfree(cache->ctr_args[i]); kfree(cache->ctr_args); - bioset_exit(&cache->bs); - - kfree(cache); + __destroy(cache); } static void cache_dtr(struct dm_target *ti) @@ -2616,7 +2622,7 @@ static int cache_create(struct cache_args *ca, struct cache **result) *result = cache; return 0; bad: - destroy(cache); + __destroy(cache); return r; } @@ -2667,7 +2673,7 @@ static int cache_ctr(struct dm_target *ti, unsigned argc, char **argv) r = copy_ctr_args(cache, argc - 3, (const char **)argv + 3); if (r) { - destroy(cache); + __destroy(cache); goto out; } -- 2.39.5

4 months, 2 weeks

1
0
0 0

[PATCH v2 0/7] ufs-exynos stability fixes for gs101

by Peter Griffin

Hi folks, This series fixes several stability issues with the upstream ufs-exynos driver, specifically for the gs101 SoC found in Pixel 6. The main fix is regarding the IO cache coherency setting and ensuring that it is correctly applied depending on if the dma-coherent property is specified in device tree. This fixes the UFS stability issues on gs101 and I would imagine will also fix issues on exynosauto platform that seems to have similar iocc shareability bits. Additionally the phy reference counting is fixed which allows module load/unload to work reliably and keeps the phy state machine in sync with the controller glue driver. regards, Peter Changes since v1: * Added patch for correct handling of iocc depedent on dma-coherent property * Rebased onto next-20250319 * Add a gs101 specific suspend hook (Bart) * Drop asserting GPIO_OUT in .exit() (Peter) * Remove superfluous blank line (Bart) * Update PRDT_PREFECT_EN to PRDT_PREFETCH_EN (Bart) * Update commit description for desctype type 3 (Eric) * https://lore.kernel.org/lkml/20250226220414.343659-1-peter.griffin@linaro.o… Signed-off-by: Peter Griffin <peter.griffin(a)linaro.org> --- Peter Griffin (7): scsi: ufs: exynos: ensure pre_link() executes before exynos_ufs_phy_init() scsi: ufs: exynos: move ufs shareability value to drvdata scsi: ufs: exynos: disable iocc if dma-coherent property isn't set scsi: ufs: exynos: ensure consistent phy reference counts scsi: ufs: exynos: Enable PRDT pre-fetching with UFSHCD_CAP_CRYPTO scsi: ufs: exynos: Move phy calls to .exit() callback scsi: ufs: exynos: gs101: put ufs device in reset on .suspend() drivers/ufs/host/ufs-exynos.c | 85 ++++++++++++++++++++++++++++++++----------- drivers/ufs/host/ufs-exynos.h | 6 ++- 2 files changed, 68 insertions(+), 23 deletions(-) --- base-commit: 433ccb6f2e879866b8601fcb1de14e316cdb0d39 change-id: 20250319-exynos-ufs-stability-fixes-e8da9862e3dc Best regards, -- Peter Griffin <peter.griffin(a)linaro.org>

4 months, 2 weeks

3
5
0 0

Request to back-port this patch to v5.4 stable tree

by Hardik Gohil

Hello Greg, This patch applies cleanly to the v5.4 kernel. dmaengine: ti: edma: Add some null pointer checks to the edma_probe [upstream commit 6e2276203ac9ff10fc76917ec9813c660f627369]

4 months, 2 weeks

2
1
0 0

[PATCH v3 1/2] ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate

by srinivas.kandagatla＠linaro.org

From: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> Currently the VI feedback rate is set to fixed 8K, fix this by getting the correct rate from params_rate. Without this patch incorrect rate will be set on the VI feedback recording resulting in rate miss match and audio artifacts. Fixes: 2c4066e5d428 ("ASoC: codecs: lpass-wsa-macro: add dapm widgets and route") Cc: stable(a)vger.kernel.org Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> --- sound/soc/codecs/lpass-wsa-macro.c | 39 +++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/sound/soc/codecs/lpass-wsa-macro.c b/sound/soc/codecs/lpass-wsa-macro.c index c989d82d1d3c..ac119847bc22 100644 --- a/sound/soc/codecs/lpass-wsa-macro.c +++ b/sound/soc/codecs/lpass-wsa-macro.c @@ -63,6 +63,10 @@ #define CDC_WSA_TX_SPKR_PROT_CLK_DISABLE 0 #define CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK GENMASK(3, 0) #define CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K 0 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K 1 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K 2 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K 3 +#define CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K 4 #define CDC_WSA_TX0_SPKR_PROT_PATH_CFG0 (0x0248) #define CDC_WSA_TX1_SPKR_PROT_PATH_CTL (0x0264) #define CDC_WSA_TX1_SPKR_PROT_PATH_CFG0 (0x0268) @@ -407,6 +411,7 @@ struct wsa_macro { int ear_spkr_gain; int spkr_gain_offset; int spkr_mode; + u32 pcm_rate_vi; int is_softclip_on[WSA_MACRO_SOFTCLIP_MAX]; int softclip_clk_users[WSA_MACRO_SOFTCLIP_MAX]; struct regmap *regmap; @@ -1280,6 +1285,7 @@ static int wsa_macro_hw_params(struct snd_pcm_substream *substream, struct snd_soc_dai *dai) { struct snd_soc_component *component = dai->component; + struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); int ret; switch (substream->stream) { @@ -1291,6 +1297,11 @@ static int wsa_macro_hw_params(struct snd_pcm_substream *substream, __func__, params_rate(params)); return ret; } + break; + case SNDRV_PCM_STREAM_CAPTURE: + if (dai->id == WSA_MACRO_AIF_VI) + wsa->pcm_rate_vi = params_rate(params); + break; default: break; @@ -1465,6 +1476,28 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); struct wsa_macro *wsa = snd_soc_component_get_drvdata(component); u32 tx_reg0, tx_reg1; + u32 rate_val; + + switch (wsa->pcm_rate_vi) { + case 8000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; + break; + case 16000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_16K; + break; + case 24000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_24K; + break; + case 32000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_32K; + break; + case 48000: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_48K; + break; + default: + rate_val = CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K; + break; + } if (test_bit(WSA_MACRO_TX0, &wsa->active_ch_mask[WSA_MACRO_AIF_VI])) { tx_reg0 = CDC_WSA_TX0_SPKR_PROT_PATH_CTL; @@ -1476,7 +1509,7 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, switch (event) { case SND_SOC_DAPM_POST_PMU: - /* Enable V&I sensing */ + /* Enable V&I sensing */ snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_RESET_MASK, CDC_WSA_TX_SPKR_PROT_RESET); @@ -1485,10 +1518,10 @@ static int wsa_macro_enable_vi_feedback(struct snd_soc_dapm_widget *w, CDC_WSA_TX_SPKR_PROT_RESET); snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K); + rate_val); snd_soc_component_update_bits(component, tx_reg1, CDC_WSA_TX_SPKR_PROT_PCM_RATE_MASK, - CDC_WSA_TX_SPKR_PROT_PCM_RATE_8K); + rate_val); snd_soc_component_update_bits(component, tx_reg0, CDC_WSA_TX_SPKR_PROT_CLK_EN_MASK, CDC_WSA_TX_SPKR_PROT_CLK_ENABLE); -- 2.39.5

4 months, 2 weeks

2
1
0 0

[PATCH v2] drm/nouveau: Prevent signalled fences in pending list

by Philipp Stanner

Nouveau currently relies on the assumption that dma_fences will only ever get signalled through nouveau_fence_signal(), which takes care of removing a signalled fence from the list nouveau_fence_chan.pending. This self-imposed rule is violated in nouveau_fence_done(), where dma_fence_is_signaled() can signal the fence without removing it from the list. This enables accesses to already signalled fences through the list, which is a bug. Furthermore, it must always be possible to use standard dma_fence methods an a dma_fence and observe valid behavior. The canonical way of ensuring that signalling a fence has additional effects is to add those effects to a callback and register it on that fence. Move the code from nouveau_fence_signal() into a dma_fence callback. Register that callback when creating the fence. Cc: <stable(a)vger.kernel.org> # 4.10+ Signed-off-by: Philipp Stanner <phasta(a)kernel.org> --- Changes in v2: - Remove Fixes: tag. (Danilo) - Remove integer "drop" and call nvif_event_block() in the fence callback. (Danilo) --- drivers/gpu/drm/nouveau/nouveau_fence.c | 52 +++++++++++++------------ drivers/gpu/drm/nouveau/nouveau_fence.h | 1 + 2 files changed, 29 insertions(+), 24 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.c b/drivers/gpu/drm/nouveau/nouveau_fence.c index 7cc84472cece..cf510ef9641a 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fence.c +++ b/drivers/gpu/drm/nouveau/nouveau_fence.c @@ -50,24 +50,24 @@ nouveau_fctx(struct nouveau_fence *fence) return container_of(fence->base.lock, struct nouveau_fence_chan, lock); } -static int -nouveau_fence_signal(struct nouveau_fence *fence) +static void +nouveau_fence_cleanup_cb(struct dma_fence *dfence, struct dma_fence_cb *cb) { - int drop = 0; + struct nouveau_fence_chan *fctx; + struct nouveau_fence *fence; + + fence = container_of(dfence, struct nouveau_fence, base); + fctx = nouveau_fctx(fence); - dma_fence_signal_locked(&fence->base); list_del(&fence->head); rcu_assign_pointer(fence->channel, NULL); if (test_bit(DMA_FENCE_FLAG_USER_BITS, &fence->base.flags)) { - struct nouveau_fence_chan *fctx = nouveau_fctx(fence); - if (!--fctx->notify_ref) - drop = 1; + nvif_event_block(&fctx->event); } dma_fence_put(&fence->base); - return drop; } static struct nouveau_fence * @@ -93,8 +93,7 @@ nouveau_fence_context_kill(struct nouveau_fence_chan *fctx, int error) if (error) dma_fence_set_error(&fence->base, error); - if (nouveau_fence_signal(fence)) - nvif_event_block(&fctx->event); + dma_fence_signal_locked(&fence->base); } fctx->killed = 1; spin_unlock_irqrestore(&fctx->lock, flags); @@ -127,11 +126,10 @@ nouveau_fence_context_free(struct nouveau_fence_chan *fctx) kref_put(&fctx->fence_ref, nouveau_fence_context_put); } -static int +static void nouveau_fence_update(struct nouveau_channel *chan, struct nouveau_fence_chan *fctx) { struct nouveau_fence *fence; - int drop = 0; u32 seq = fctx->read(chan); while (!list_empty(&fctx->pending)) { @@ -140,10 +138,8 @@ nouveau_fence_update(struct nouveau_channel *chan, struct nouveau_fence_chan *fc if ((int)(seq - fence->base.seqno) < 0) break; - drop |= nouveau_fence_signal(fence); + dma_fence_signal_locked(&fence->base); } - - return drop; } static void @@ -152,7 +148,6 @@ nouveau_fence_uevent_work(struct work_struct *work) struct nouveau_fence_chan *fctx = container_of(work, struct nouveau_fence_chan, uevent_work); unsigned long flags; - int drop = 0; spin_lock_irqsave(&fctx->lock, flags); if (!list_empty(&fctx->pending)) { @@ -161,11 +156,8 @@ nouveau_fence_uevent_work(struct work_struct *work) fence = list_entry(fctx->pending.next, typeof(*fence), head); chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); - if (nouveau_fence_update(chan, fctx)) - drop = 1; + nouveau_fence_update(chan, fctx); } - if (drop) - nvif_event_block(&fctx->event); spin_unlock_irqrestore(&fctx->lock, flags); } @@ -235,6 +227,19 @@ nouveau_fence_emit(struct nouveau_fence *fence) &fctx->lock, fctx->context, ++fctx->sequence); kref_get(&fctx->fence_ref); + fence->cb.func = nouveau_fence_cleanup_cb; + /* Adding a callback runs into __dma_fence_enable_signaling(), which will + * ultimately run into nouveau_fence_no_signaling(), where a WARN_ON + * would fire because the refcount can be dropped there. + * + * Increment the refcount here temporarily to work around that. + */ + dma_fence_get(&fence->base); + ret = dma_fence_add_callback(&fence->base, &fence->cb, nouveau_fence_cleanup_cb); + dma_fence_put(&fence->base); + if (ret) + return ret; + ret = fctx->emit(fence); if (!ret) { dma_fence_get(&fence->base); @@ -246,8 +251,7 @@ nouveau_fence_emit(struct nouveau_fence *fence) return -ENODEV; } - if (nouveau_fence_update(chan, fctx)) - nvif_event_block(&fctx->event); + nouveau_fence_update(chan, fctx); list_add_tail(&fence->head, &fctx->pending); spin_unlock_irq(&fctx->lock); @@ -270,8 +274,8 @@ nouveau_fence_done(struct nouveau_fence *fence) spin_lock_irqsave(&fctx->lock, flags); chan = rcu_dereference_protected(fence->channel, lockdep_is_held(&fctx->lock)); - if (chan && nouveau_fence_update(chan, fctx)) - nvif_event_block(&fctx->event); + if (chan) + nouveau_fence_update(chan, fctx); spin_unlock_irqrestore(&fctx->lock, flags); } return dma_fence_is_signaled(&fence->base); diff --git a/drivers/gpu/drm/nouveau/nouveau_fence.h b/drivers/gpu/drm/nouveau/nouveau_fence.h index 8bc065acfe35..e6b2df7fdc42 100644 --- a/drivers/gpu/drm/nouveau/nouveau_fence.h +++ b/drivers/gpu/drm/nouveau/nouveau_fence.h @@ -10,6 +10,7 @@ struct nouveau_bo; struct nouveau_fence { struct dma_fence base; + struct dma_fence_cb cb; struct list_head head; -- 2.48.1

4 months, 2 weeks

4
9
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2025