July 2025 - Linux-stable-mirror

[PATCH] comedi: fix race between polling and detaching

by Ian Abbott

syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll entries are later triggered or removed, as the memory for the wait_queue_head has been freed. We need to check there are no tasks queued on any of the subdevices' wait queues before allowing the device to be detached by the `COMEDI_DEVCONFIG` ioctl. Tasks will read-lock `dev->attach_lock` before adding themselves to the subdevice wait queue, so fix the problem in the `COMEDI_DEVCONFIG` ioctl handler by write-locking `dev->attach_lock` before checking that all of the subdevices are safe to be deleted. This includes testing for any sleepers on the subdevices' wait queues. It remains locked until the device has been detached. This requires the `comedi_device_detach()` function to be refactored slightly, moving the bulk of it into new function `comedi_device_detach_locked()`. Note that the refactor of `comedi_device_detach()` results in `comedi_device_cancel_all()` now being called while `dev->attach_lock` is write-locked, which wasn't the case previously, but that does not matter. Thanks to Jens Axboe for diagnosing the problem and co-developing this patch. Cc: <stable(a)vger.kernel.org> # 5.13+ Fixes: 2f3fdcd7ce93 ("staging: comedi: add rw_semaphore to protect against device detachment") Link: https://lore.kernel.org/all/687bd5fe.a70a0220.693ce.0091.GAE@google.com/ Reported-by: syzbot+01523a0ae5600aef5895(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=01523a0ae5600aef5895 Co-developed-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm release series 5.10 and 5.4. --- drivers/comedi/comedi_fops.c | 31 ++++++++++++++++++++++++------- drivers/comedi/comedi_internal.h | 1 + drivers/comedi/drivers.c | 13 ++++++++++--- 3 files changed, 35 insertions(+), 10 deletions(-) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 3383a7ce27ff..3007fe946e42 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -787,6 +787,7 @@ static int is_device_busy(struct comedi_device *dev) struct comedi_subdevice *s; int i; + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); if (!dev->attached) return 0; @@ -795,7 +796,16 @@ static int is_device_busy(struct comedi_device *dev) s = &dev->subdevices[i]; if (s->busy) return 1; - if (s->async && comedi_buf_is_mmapped(s)) + if (!s->async) + continue; + if (comedi_buf_is_mmapped(s)) + return 1; + /* + * There may be tasks still waiting on the subdevice's wait + * queue, although they should already be about to be removed + * from it since the subdevice has no active async command. + */ + if (wq_has_sleeper(&s->async->wait_head)) return 1; } @@ -825,15 +835,22 @@ static int do_devconfig_ioctl(struct comedi_device *dev, return -EPERM; if (!arg) { - if (is_device_busy(dev)) - return -EBUSY; + int rc = 0; + if (dev->attached) { - struct module *driver_module = dev->driver->module; + down_write(&dev->attach_lock); + if (is_device_busy(dev)) { + rc = -EBUSY; + } else { + struct module *driver_module = + dev->driver->module; - comedi_device_detach(dev); - module_put(driver_module); + comedi_device_detach_locked(dev); + module_put(driver_module); + } + up_write(&dev->attach_lock); } - return 0; + return rc; } if (copy_from_user(&it, arg, sizeof(it))) diff --git a/drivers/comedi/comedi_internal.h b/drivers/comedi/comedi_internal.h index 9b3631a654c8..cf10ba016ebc 100644 --- a/drivers/comedi/comedi_internal.h +++ b/drivers/comedi/comedi_internal.h @@ -50,6 +50,7 @@ extern struct mutex comedi_drivers_list_lock; int insn_inval(struct comedi_device *dev, struct comedi_subdevice *s, struct comedi_insn *insn, unsigned int *data); +void comedi_device_detach_locked(struct comedi_device *dev); void comedi_device_detach(struct comedi_device *dev); int comedi_device_attach(struct comedi_device *dev, struct comedi_devconfig *it); diff --git a/drivers/comedi/drivers.c b/drivers/comedi/drivers.c index 376130bfba8a..f5c2ee271d0e 100644 --- a/drivers/comedi/drivers.c +++ b/drivers/comedi/drivers.c @@ -158,7 +158,7 @@ static void comedi_device_detach_cleanup(struct comedi_device *dev) int i; struct comedi_subdevice *s; - lockdep_assert_held(&dev->attach_lock); + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); if (dev->subdevices) { for (i = 0; i < dev->n_subdevices; i++) { @@ -196,16 +196,23 @@ static void comedi_device_detach_cleanup(struct comedi_device *dev) comedi_clear_hw_dev(dev); } -void comedi_device_detach(struct comedi_device *dev) +void comedi_device_detach_locked(struct comedi_device *dev) { + lockdep_assert_held_write(&dev->attach_lock); lockdep_assert_held(&dev->mutex); comedi_device_cancel_all(dev); - down_write(&dev->attach_lock); dev->attached = false; dev->detach_count++; if (dev->driver) dev->driver->detach(dev); comedi_device_detach_cleanup(dev); +} + +void comedi_device_detach(struct comedi_device *dev) +{ + lockdep_assert_held(&dev->mutex); + down_write(&dev->attach_lock); + comedi_device_detach_locked(dev); up_write(&dev->attach_lock); } -- 2.47.2

1 month

2
1
0 0

[PATCH v3] wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again

by Muhammad Usama Anjum

Don't deinitialize and reinitialize the HAL helpers. The dma memory is deallocated and there is high possibility that we'll not be able to get the same memory allocated from dma when there is high memory pressure. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.6 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable(a)vger.kernel.org Cc: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang(a)oss.qualcomm.com> Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> --- Changes since v1: - Cc stable and fix tested on tag - Clear essential fields as they may have stale data Changes since v2: - Add comment and reviewed by tag --- drivers/net/wireless/ath/ath11k/core.c | 6 +----- drivers/net/wireless/ath/ath11k/hal.c | 16 ++++++++++++++++ drivers/net/wireless/ath/ath11k/hal.h | 1 + 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c index 4488e4cdc5e9e..34b27711ed00f 100644 --- a/drivers/net/wireless/ath/ath11k/core.c +++ b/drivers/net/wireless/ath/ath11k/core.c @@ -2213,14 +2213,10 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab) mutex_unlock(&ab->core_lock); ath11k_dp_free(ab); - ath11k_hal_srng_deinit(ab); + ath11k_hal_srng_clear(ab); ab->free_vdev_map = (1LL << (ab->num_radios * TARGET_NUM_VDEVS(ab))) - 1; - ret = ath11k_hal_srng_init(ab); - if (ret) - return ret; - clear_bit(ATH11K_FLAG_CRASH_FLUSH, &ab->dev_flags); ret = ath11k_core_qmi_firmware_ready(ab); diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index b32de563d453a..e8ebf963f195c 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1359,6 +1359,22 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) } EXPORT_SYMBOL(ath11k_hal_srng_deinit); +void ath11k_hal_srng_clear(struct ath11k_base *ab) +{ + /* No need to memset rdp and wrp memory since each individual + * segment would get cleared ath11k_hal_srng_src_hw_init() and + * ath11k_hal_srng_dst_hw_init(). + */ + memset(ab->hal.srng_list, 0, + sizeof(ab->hal.srng_list)); + memset(ab->hal.shadow_reg_addr, 0, + sizeof(ab->hal.shadow_reg_addr)); + ab->hal.avail_blk_resource = 0; + ab->hal.current_blk_index = 0; + ab->hal.num_shadow_reg_configured = 0; +} +EXPORT_SYMBOL(ath11k_hal_srng_clear); + void ath11k_hal_dump_srng_stats(struct ath11k_base *ab) { struct hal_srng *srng; diff --git a/drivers/net/wireless/ath/ath11k/hal.h b/drivers/net/wireless/ath/ath11k/hal.h index 601542410c752..839095af9267e 100644 --- a/drivers/net/wireless/ath/ath11k/hal.h +++ b/drivers/net/wireless/ath/ath11k/hal.h @@ -965,6 +965,7 @@ int ath11k_hal_srng_setup(struct ath11k_base *ab, enum hal_ring_type type, struct hal_srng_params *params); int ath11k_hal_srng_init(struct ath11k_base *ath11k); void ath11k_hal_srng_deinit(struct ath11k_base *ath11k); +void ath11k_hal_srng_clear(struct ath11k_base *ab); void ath11k_hal_dump_srng_stats(struct ath11k_base *ab); void ath11k_hal_srng_get_shadow_config(struct ath11k_base *ab, u32 **cfg, u32 *len); -- 2.39.5

1 month

3
4
0 0

FAILED: patch "[PATCH] tracing: Add down_write(trace_event_sem) when adding trace" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-perjury-dynamite-23ba@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Jul 2025 22:31:58 -0400 Subject: [PATCH] tracing: Add down_write(trace_event_sem) when adding trace event MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang(a)luxshare-ict.com> Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 120531268abf..d01e5c910ce1 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -3136,7 +3136,10 @@ __register_event(struct trace_event_call *call, struct module *mod) if (ret < 0) return ret; + down_write(&trace_event_sem); list_add(&call->list, &ftrace_events); + up_write(&trace_event_sem); + if (call->flags & TRACE_EVENT_FL_DYNAMIC) atomic_set(&call->refcnt, 0); else @@ -3750,6 +3753,8 @@ __trace_add_event_dirs(struct trace_array *tr) struct trace_event_call *call; int ret; + lockdep_assert_held(&trace_event_sem); + list_for_each_entry(call, &ftrace_events, list) { ret = __trace_add_new_event(call, tr); if (ret < 0)

1 month

2
1
0 0

FAILED: patch "[PATCH] tracing: Add down_write(trace_event_sem) when adding trace" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-nutty-other-f178@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df Mon Sep 17 00:00:00 2001 From: Steven Rostedt <rostedt(a)goodmis.org> Date: Fri, 18 Jul 2025 22:31:58 -0400 Subject: [PATCH] tracing: Add down_write(trace_event_sem) when adding trace event MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. Cc: stable(a)vger.kernel.org Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Acked-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang(a)luxshare-ict.com> Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/ Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c index 120531268abf..d01e5c910ce1 100644 --- a/kernel/trace/trace_events.c +++ b/kernel/trace/trace_events.c @@ -3136,7 +3136,10 @@ __register_event(struct trace_event_call *call, struct module *mod) if (ret < 0) return ret; + down_write(&trace_event_sem); list_add(&call->list, &ftrace_events); + up_write(&trace_event_sem); + if (call->flags & TRACE_EVENT_FL_DYNAMIC) atomic_set(&call->refcnt, 0); else @@ -3750,6 +3753,8 @@ __trace_add_event_dirs(struct trace_array *tr) struct trace_event_call *call; int ret; + lockdep_assert_held(&trace_event_sem); + list_for_each_entry(call, &ftrace_events, list) { ret = __trace_add_new_event(call, tr); if (ret < 0)

1 month

2
1
0 0

FAILED: patch "[PATCH] pmdomain: governor: Consider CPU latency tolerance from" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 500ba33284416255b9a5b50ace24470b6fe77ea5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072114-matriarch-decline-2598@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001 From: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Date: Wed, 9 Jul 2025 14:00:11 +0530 Subject: [PATCH] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov pm_domain_cpu_gov is selecting a cluster idle state but does not consider latency tolerance of child CPUs. This results in deeper cluster idle state whose latency does not meet latency tolerance requirement. Select deeper idle state only if global and device latency tolerance of all child CPUs meet. Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than domain idle state entry (2150) + exit (1983) usec latency mentioned in devicetree, demonstrate the issue. # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us Before: (Usage is incrementing) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 29817 537 8 270 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 30348 542 8 271 0 After: (Usage is not incrementing due to latency tolerance) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 Signed-off-by: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualc… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/governor.c b/drivers/pmdomain/governor.c index c1e148657c87..39359811a930 100644 --- a/drivers/pmdomain/governor.c +++ b/drivers/pmdomain/governor.c @@ -8,6 +8,7 @@ #include <linux/pm_domain.h> #include <linux/pm_qos.h> #include <linux/hrtimer.h> +#include <linux/cpu.h> #include <linux/cpuidle.h> #include <linux/cpumask.h> #include <linux/ktime.h> @@ -349,6 +350,8 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) struct cpuidle_device *dev; ktime_t domain_wakeup, next_hrtimer; ktime_t now = ktime_get(); + struct device *cpu_dev; + s64 cpu_constraint, global_constraint; s64 idle_duration_ns; int cpu, i; @@ -359,6 +362,7 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) return true; + global_constraint = cpu_latency_qos_limit(); /* * Find the next wakeup for any of the online CPUs within the PM domain * and its subdomains. Note, we only need the genpd->cpus, as it already @@ -372,8 +376,16 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (ktime_before(next_hrtimer, domain_wakeup)) domain_wakeup = next_hrtimer; } + + cpu_dev = get_cpu_device(cpu); + if (cpu_dev) { + cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); + if (cpu_constraint < global_constraint) + global_constraint = cpu_constraint; + } } + global_constraint *= NSEC_PER_USEC; /* The minimum idle duration is from now - until the next wakeup. */ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); if (idle_duration_ns <= 0) @@ -389,8 +401,10 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) */ i = genpd->state_idx; do { - if (idle_duration_ns >= (genpd->states[i].residency_ns + - genpd->states[i].power_off_latency_ns)) { + if ((idle_duration_ns >= (genpd->states[i].residency_ns + + genpd->states[i].power_off_latency_ns)) && + (global_constraint >= (genpd->states[i].power_on_latency_ns + + genpd->states[i].power_off_latency_ns))) { genpd->state_idx = i; genpd->gd->last_enter = now; genpd->gd->reflect_residency = true;

1 month

2
1
0 0

FAILED: patch "[PATCH] pmdomain: governor: Consider CPU latency tolerance from" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 500ba33284416255b9a5b50ace24470b6fe77ea5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072113-grill-thimble-5d5c@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001 From: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Date: Wed, 9 Jul 2025 14:00:11 +0530 Subject: [PATCH] pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov pm_domain_cpu_gov is selecting a cluster idle state but does not consider latency tolerance of child CPUs. This results in deeper cluster idle state whose latency does not meet latency tolerance requirement. Select deeper idle state only if global and device latency tolerance of all child CPUs meet. Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than domain idle state entry (2150) + exit (1983) usec latency mentioned in devicetree, demonstrate the issue. # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us Before: (Usage is incrementing) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 29817 537 8 270 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 30348 542 8 271 0 After: (Usage is not incrementing due to latency tolerance) ====== # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states State Time Spent(ms) Usage Rejected Above Below S0 39319 626 14 307 0 Signed-off-by: Maulik Shah <maulik.shah(a)oss.qualcomm.com> Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs") Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualc… Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> diff --git a/drivers/pmdomain/governor.c b/drivers/pmdomain/governor.c index c1e148657c87..39359811a930 100644 --- a/drivers/pmdomain/governor.c +++ b/drivers/pmdomain/governor.c @@ -8,6 +8,7 @@ #include <linux/pm_domain.h> #include <linux/pm_qos.h> #include <linux/hrtimer.h> +#include <linux/cpu.h> #include <linux/cpuidle.h> #include <linux/cpumask.h> #include <linux/ktime.h> @@ -349,6 +350,8 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) struct cpuidle_device *dev; ktime_t domain_wakeup, next_hrtimer; ktime_t now = ktime_get(); + struct device *cpu_dev; + s64 cpu_constraint, global_constraint; s64 idle_duration_ns; int cpu, i; @@ -359,6 +362,7 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN)) return true; + global_constraint = cpu_latency_qos_limit(); /* * Find the next wakeup for any of the online CPUs within the PM domain * and its subdomains. Note, we only need the genpd->cpus, as it already @@ -372,8 +376,16 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) if (ktime_before(next_hrtimer, domain_wakeup)) domain_wakeup = next_hrtimer; } + + cpu_dev = get_cpu_device(cpu); + if (cpu_dev) { + cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev); + if (cpu_constraint < global_constraint) + global_constraint = cpu_constraint; + } } + global_constraint *= NSEC_PER_USEC; /* The minimum idle duration is from now - until the next wakeup. */ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now)); if (idle_duration_ns <= 0) @@ -389,8 +401,10 @@ static bool cpu_power_down_ok(struct dev_pm_domain *pd) */ i = genpd->state_idx; do { - if (idle_duration_ns >= (genpd->states[i].residency_ns + - genpd->states[i].power_off_latency_ns)) { + if ((idle_duration_ns >= (genpd->states[i].residency_ns + + genpd->states[i].power_off_latency_ns)) && + (global_constraint >= (genpd->states[i].power_on_latency_ns + + genpd->states[i].power_off_latency_ns))) { genpd->state_idx = i; genpd->gd->last_enter = now; genpd->gd->reflect_residency = true;

1 month

2
1
0 0

[PATCH 6.1] crypto: qat - fix ring to service map for QAT GEN4

by Giovanni Cabiddu

[ Upstream commit a238487f7965d102794ed9f8aff0b667cd2ae886 ] The 4xxx drivers hardcode the ring to service mapping. However, when additional configurations where added to the driver, the mappings were not updated. This implies that an incorrect mapping might be reported through pfvf for certain configurations. This is a backport of the upstream commit with modifications, as the original patch does not apply cleanly to kernel v6.1.x. The logic has been simplified to reflect the limited configurations of the QAT driver in this version: crypto-only and compression. Instead of dynamically computing the ring to service mappings, these are now hardcoded to simplify the backport. Fixes: 0cec19c761e5 ("crypto: qat - add support for compression for 4xxx") Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> Reviewed-by: Damian Muszynski <damian.muszynski(a)intel.com> Reviewed-by: Tero Kristo <tero.kristo(a)linux.intel.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Cc: <stable(a)vger.kernel.org> # 6.1.x Reviewed-by: Ahsan Atta <ahsan.atta(a)intel.com> Tested-by: Ahsan Atta <ahsan.atta(a)intel.com> --- drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 13 +++++++++++++ drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 + drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 6 ++++++ drivers/crypto/qat/qat_common/adf_init.c | 3 +++ 4 files changed, 23 insertions(+) diff --git a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c index fda5f699ff57..65b52c692add 100644 --- a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c +++ b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c @@ -297,6 +297,18 @@ static char *uof_get_name(struct adf_accel_dev *accel_dev, u32 obj_num) return NULL; } +static u16 get_ring_to_svc_map(struct adf_accel_dev *accel_dev) +{ + switch (get_service_enabled(accel_dev)) { + case SVC_CY: + return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP; + case SVC_DC: + return ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC; + } + + return 0; +} + static u32 uof_get_ae_mask(struct adf_accel_dev *accel_dev, u32 obj_num) { switch (get_service_enabled(accel_dev)) { @@ -353,6 +365,7 @@ void adf_init_hw_data_4xxx(struct adf_hw_device_data *hw_data) hw_data->uof_get_ae_mask = uof_get_ae_mask; hw_data->set_msix_rttable = set_msix_default_rttable; hw_data->set_ssm_wdtimer = adf_gen4_set_ssm_wdtimer; + hw_data->get_ring_to_svc_map = get_ring_to_svc_map; hw_data->disable_iov = adf_disable_sriov; hw_data->ring_pair_reset = adf_gen4_ring_pair_reset; hw_data->enable_pm = adf_gen4_enable_pm; diff --git a/drivers/crypto/qat/qat_common/adf_accel_devices.h b/drivers/crypto/qat/qat_common/adf_accel_devices.h index ad01d99e6e2b..7993d0f82dea 100644 --- a/drivers/crypto/qat/qat_common/adf_accel_devices.h +++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h @@ -176,6 +176,7 @@ struct adf_hw_device_data { void (*get_arb_info)(struct arb_info *arb_csrs_info); void (*get_admin_info)(struct admin_info *admin_csrs_info); enum dev_sku_info (*get_sku)(struct adf_hw_device_data *self); + u16 (*get_ring_to_svc_map)(struct adf_accel_dev *accel_dev); int (*alloc_irq)(struct adf_accel_dev *accel_dev); void (*free_irq)(struct adf_accel_dev *accel_dev); void (*enable_error_correction)(struct adf_accel_dev *accel_dev); diff --git a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h index 4fb4b3df5a18..5e653ec755e6 100644 --- a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h +++ b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h @@ -95,6 +95,12 @@ do { \ ADF_RING_BUNDLE_SIZE * (bank) + \ ADF_RING_CSR_RING_SRV_ARB_EN, (value)) +#define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP_DC \ + (COMP << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_1_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_2_SHIFT | \ + COMP << ADF_CFG_SERV_RING_PAIR_3_SHIFT) + /* Default ring mapping */ #define ADF_GEN4_DEFAULT_RING_TO_SRV_MAP \ (ASYM << ADF_CFG_SERV_RING_PAIR_0_SHIFT | \ diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c index 2e3481270c4b..49f07584f8c9 100644 --- a/drivers/crypto/qat/qat_common/adf_init.c +++ b/drivers/crypto/qat/qat_common/adf_init.c @@ -95,6 +95,9 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) return -EFAULT; } + if (hw_data->get_ring_to_svc_map) + hw_data->ring_to_svc_map = hw_data->get_ring_to_svc_map(accel_dev); + if (adf_ae_init(accel_dev)) { dev_err(&GET_DEV(accel_dev), "Failed to initialise Acceleration Engine\n"); -- 2.50.0

1 month

3
6
0 0

Re: Patch "smb: client: make use of common smbdirect_socket_parameters" has been added to the 6.12-stable tree

by Stefan Metzmacher

Hi, any reason why this is only backported to 6.12, but not 6.15? I'm looking at v6.15.5 and v6.12.36 and the following are missing from 6.15: bced02aca343 David Howells Wed Apr 2 20:27:26 2025 +0100 cifs: Fix reading into an ITER_FOLIOQ from the smbdirect code 87dcc7e33fc3 David Howells Wed Jun 25 14:15:04 2025 +0100 cifs: Fix the smbd_response slab to allow usercopy b8ddcca4391e Stefan Metzmacher Wed May 28 18:01:40 2025 +0200 smb: client: make use of common smbdirect_socket_parameters 69cafc413c2d Stefan Metzmacher Wed May 28 18:01:39 2025 +0200 smb: smbdirect: introduce smbdirect_socket_parameters c39639bc7723 Stefan Metzmacher Wed May 28 18:01:37 2025 +0200 smb: client: make use of common smbdirect_socket f4b05342c293 Stefan Metzmacher Wed May 28 18:01:36 2025 +0200 smb: smbdirect: add smbdirect_socket.h a6ec1fcafd41 Stefan Metzmacher Wed May 28 18:01:33 2025 +0200 smb: smbdirect: add smbdirect.h with public structures 6509de31b1b6 Stefan Metzmacher Wed May 28 18:01:31 2025 +0200 smb: client: make use of common smbdirect_pdu.h a9bb4006c4f3 Stefan Metzmacher Wed May 28 18:01:30 2025 +0200 smb: smbdirect: add smbdirect_pdu.h with protocol definitions With these being backported to 6.15 too, the following is missing in both: commit 1944f6ab4967db7ad8d4db527dceae8c77de76e9 Author: Stefan Metzmacher <metze(a)samba.org> AuthorDate: Wed Jun 25 10:16:38 2025 +0200 Commit: Steve French <stfrench(a)microsoft.com> CommitDate: Wed Jun 25 11:12:54 2025 -0500 smb: client: let smbd_post_send_iter() respect the peers max_send_size and transmit all data As it was marked as Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be info->max_send_size in backports But now that the patches up to b8ddcca4391e are backported it can be cherry-picked just fine to both branches. Thanks! metze Am 29.06.25 um 16:56 schrieb Steve French: >> Steve: Do you agree? > > Yes > > Thanks, > > Steve > > On Sun, Jun 29, 2025, 9:48 AM Stefan Metzmacher <metze(a)samba.org> wrote: > >> Hi, >> >> if these patches are backported to stable then >> 1944f6ab4967db7ad8d4db527dceae8c77de76e9 >> "smb: client: let smbd_post_send_iter() respect the peers max_send_size >> and transmit all data" >> can also be backported as is. >> >> I just added the >> "Cc: <stable+noautosel(a)kernel.org> # sp->max_send_size should be >> info->max_send_size in backports" >> because I thought they would not be backported. >> >> I'm fine with backporting the header changes... >> >> @Steve: Do you agree? >> >> Thanks! >> metze >> >> Am 29.06.25 um 16:28 schrieb Sasha Levin: >>> This is a note to let you know that I've just added the patch titled >>> >>> smb: client: make use of common smbdirect_socket_parameters >>> >>> to the 6.12-stable tree which can be found at: >>> >> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… >>> >>> The filename of the patch is: >>> smb-client-make-use-of-common-smbdirect_socket_param.patch >>> and it can be found in the queue-6.12 subdirectory. >>> >>> If you, or anyone else, feels it should not be added to the stable tree, >>> please let <stable(a)vger.kernel.org> know about it. >>> >>> >>> >>> commit a1fa1698297356797d7a0379b7e056744fd133ac >>> Author: Stefan Metzmacher <metze(a)samba.org> >>> Date: Wed May 28 18:01:40 2025 +0200 >>> >>> smb: client: make use of common smbdirect_socket_parameters >>> >>> [ Upstream commit cc55f65dd352bdb7bdf8db1c36fb348c294c3b66 ] >>> >>> Cc: Steve French <smfrench(a)gmail.com> >>> Cc: Tom Talpey <tom(a)talpey.com> >>> Cc: Long Li <longli(a)microsoft.com> >>> Cc: Namjae Jeon <linkinjeon(a)kernel.org> >>> Cc: Hyunchul Lee <hyc.lee(a)gmail.com> >>> Cc: Meetakshi Setiya <meetakshisetiyaoss(a)gmail.com> >>> Cc: linux-cifs(a)vger.kernel.org >>> Cc: samba-technical(a)lists.samba.org >>> Signed-off-by: Stefan Metzmacher <metze(a)samba.org> >>> Signed-off-by: Steve French <stfrench(a)microsoft.com> >>> Stable-dep-of: 43e7e284fc77 ("cifs: Fix the smbd_response slab to >> allow usercopy") >>> Signed-off-by: Sasha Levin <sashal(a)kernel.org> >>> >>> diff --git a/fs/smb/client/cifs_debug.c b/fs/smb/client/cifs_debug.c >>> index 56b0b5c82dd19..c0196be0e65fc 100644 >>> --- a/fs/smb/client/cifs_debug.c >>> +++ b/fs/smb/client/cifs_debug.c >>> @@ -362,6 +362,10 @@ static int cifs_debug_data_proc_show(struct >> seq_file *m, void *v) >>> c = 0; >>> spin_lock(&cifs_tcp_ses_lock); >>> list_for_each_entry(server, &cifs_tcp_ses_list, tcp_ses_list) { >>> +#ifdef CONFIG_CIFS_SMB_DIRECT >>> + struct smbdirect_socket_parameters *sp; >>> +#endif >>> + >>> /* channel info will be printed as a part of sessions >> below */ >>> if (SERVER_IS_CHAN(server)) >>> continue; >>> @@ -383,6 +387,7 @@ static int cifs_debug_data_proc_show(struct seq_file >> *m, void *v) >>> seq_printf(m, "\nSMBDirect transport not >> available"); >>> goto skip_rdma; >>> } >>> + sp = &server->smbd_conn->socket.parameters; >>> >>> seq_printf(m, "\nSMBDirect (in hex) protocol version: %x " >>> "transport status: %x", >>> @@ -390,18 +395,18 @@ static int cifs_debug_data_proc_show(struct >> seq_file *m, void *v) >>> server->smbd_conn->socket.status); >>> seq_printf(m, "\nConn receive_credit_max: %x " >>> "send_credit_target: %x max_send_size: %x", >>> - server->smbd_conn->receive_credit_max, >>> - server->smbd_conn->send_credit_target, >>> - server->smbd_conn->max_send_size); >>> + sp->recv_credit_max, >>> + sp->send_credit_target, >>> + sp->max_send_size); >>> seq_printf(m, "\nConn max_fragmented_recv_size: %x " >>> "max_fragmented_send_size: %x max_receive_size:%x", >>> - server->smbd_conn->max_fragmented_recv_size, >>> - server->smbd_conn->max_fragmented_send_size, >>> - server->smbd_conn->max_receive_size); >>> + sp->max_fragmented_recv_size, >>> + sp->max_fragmented_send_size, >>> + sp->max_recv_size); >>> seq_printf(m, "\nConn keep_alive_interval: %x " >>> "max_readwrite_size: %x rdma_readwrite_threshold: >> %x", >>> - server->smbd_conn->keep_alive_interval, >>> - server->smbd_conn->max_readwrite_size, >>> + sp->keepalive_interval_msec * 1000, >>> + sp->max_read_write_size, >>> server->smbd_conn->rdma_readwrite_threshold); >>> seq_printf(m, "\nDebug count_get_receive_buffer: %x " >>> "count_put_receive_buffer: %x count_send_empty: >> %x", >>> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c >>> index 74bcc51ccd32f..e596bc4837b68 100644 >>> --- a/fs/smb/client/smb2ops.c >>> +++ b/fs/smb/client/smb2ops.c >>> @@ -504,6 +504,9 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, struct >> smb3_fs_context *ctx) >>> wsize = min_t(unsigned int, wsize, server->max_write); >>> #ifdef CONFIG_CIFS_SMB_DIRECT >>> if (server->rdma) { >>> + struct smbdirect_socket_parameters *sp = >>> + &server->smbd_conn->socket.parameters; >>> + >>> if (server->sign) >>> /* >>> * Account for SMB2 data transfer packet header and >>> @@ -511,12 +514,12 @@ smb3_negotiate_wsize(struct cifs_tcon *tcon, >> struct smb3_fs_context *ctx) >>> */ >>> wsize = min_t(unsigned int, >>> wsize, >>> - >> server->smbd_conn->max_fragmented_send_size - >>> + sp->max_fragmented_send_size - >>> SMB2_READWRITE_PDU_HEADER_SIZE - >>> sizeof(struct smb2_transform_hdr)); >>> else >>> wsize = min_t(unsigned int, >>> - wsize, >> server->smbd_conn->max_readwrite_size); >>> + wsize, sp->max_read_write_size); >>> } >>> #endif >>> if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) >>> @@ -552,6 +555,9 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, struct >> smb3_fs_context *ctx) >>> rsize = min_t(unsigned int, rsize, server->max_read); >>> #ifdef CONFIG_CIFS_SMB_DIRECT >>> if (server->rdma) { >>> + struct smbdirect_socket_parameters *sp = >>> + &server->smbd_conn->socket.parameters; >>> + >>> if (server->sign) >>> /* >>> * Account for SMB2 data transfer packet header and >>> @@ -559,12 +565,12 @@ smb3_negotiate_rsize(struct cifs_tcon *tcon, >> struct smb3_fs_context *ctx) >>> */ >>> rsize = min_t(unsigned int, >>> rsize, >>> - >> server->smbd_conn->max_fragmented_recv_size - >>> + sp->max_fragmented_recv_size - >>> SMB2_READWRITE_PDU_HEADER_SIZE - >>> sizeof(struct smb2_transform_hdr)); >>> else >>> rsize = min_t(unsigned int, >>> - rsize, >> server->smbd_conn->max_readwrite_size); >>> + rsize, sp->max_read_write_size); >>> } >>> #endif >>> >>> diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c >>> index ac489df8151a1..cbc85bca006f7 100644 >>> --- a/fs/smb/client/smbdirect.c >>> +++ b/fs/smb/client/smbdirect.c >>> @@ -320,6 +320,8 @@ static bool process_negotiation_response( >>> struct smbd_response *response, int packet_length) >>> { >>> struct smbd_connection *info = response->info; >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct smbdirect_negotiate_resp *packet = >> smbd_response_payload(response); >>> >>> if (packet_length < sizeof(struct smbdirect_negotiate_resp)) { >>> @@ -349,20 +351,20 @@ static bool process_negotiation_response( >>> >>> atomic_set(&info->receive_credits, 0); >>> >>> - if (le32_to_cpu(packet->preferred_send_size) > >> info->max_receive_size) { >>> + if (le32_to_cpu(packet->preferred_send_size) > sp->max_recv_size) { >>> log_rdma_event(ERR, "error: preferred_send_size=%d\n", >>> le32_to_cpu(packet->preferred_send_size)); >>> return false; >>> } >>> - info->max_receive_size = le32_to_cpu(packet->preferred_send_size); >>> + sp->max_recv_size = le32_to_cpu(packet->preferred_send_size); >>> >>> if (le32_to_cpu(packet->max_receive_size) < SMBD_MIN_RECEIVE_SIZE) >> { >>> log_rdma_event(ERR, "error: max_receive_size=%d\n", >>> le32_to_cpu(packet->max_receive_size)); >>> return false; >>> } >>> - info->max_send_size = min_t(int, info->max_send_size, >>> - >> le32_to_cpu(packet->max_receive_size)); >>> + sp->max_send_size = min_t(u32, sp->max_send_size, >>> + le32_to_cpu(packet->max_receive_size)); >>> >>> if (le32_to_cpu(packet->max_fragmented_size) < >>> SMBD_MIN_FRAGMENTED_SIZE) { >>> @@ -370,18 +372,18 @@ static bool process_negotiation_response( >>> le32_to_cpu(packet->max_fragmented_size)); >>> return false; >>> } >>> - info->max_fragmented_send_size = >>> + sp->max_fragmented_send_size = >>> le32_to_cpu(packet->max_fragmented_size); >>> info->rdma_readwrite_threshold = >>> - rdma_readwrite_threshold > info->max_fragmented_send_size ? >>> - info->max_fragmented_send_size : >>> + rdma_readwrite_threshold > sp->max_fragmented_send_size ? >>> + sp->max_fragmented_send_size : >>> rdma_readwrite_threshold; >>> >>> >>> - info->max_readwrite_size = min_t(u32, >>> + sp->max_read_write_size = min_t(u32, >>> le32_to_cpu(packet->max_readwrite_size), >>> info->max_frmr_depth * PAGE_SIZE); >>> - info->max_frmr_depth = info->max_readwrite_size / PAGE_SIZE; >>> + info->max_frmr_depth = sp->max_read_write_size / PAGE_SIZE; >>> >>> return true; >>> } >>> @@ -689,6 +691,7 @@ static int smbd_ia_open( >>> static int smbd_post_send_negotiate_req(struct smbd_connection *info) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_send_wr send_wr; >>> int rc = -ENOMEM; >>> struct smbd_request *request; >>> @@ -704,11 +707,11 @@ static int smbd_post_send_negotiate_req(struct >> smbd_connection *info) >>> packet->min_version = cpu_to_le16(SMBDIRECT_V1); >>> packet->max_version = cpu_to_le16(SMBDIRECT_V1); >>> packet->reserved = 0; >>> - packet->credits_requested = cpu_to_le16(info->send_credit_target); >>> - packet->preferred_send_size = cpu_to_le32(info->max_send_size); >>> - packet->max_receive_size = cpu_to_le32(info->max_receive_size); >>> + packet->credits_requested = cpu_to_le16(sp->send_credit_target); >>> + packet->preferred_send_size = cpu_to_le32(sp->max_send_size); >>> + packet->max_receive_size = cpu_to_le32(sp->max_recv_size); >>> packet->max_fragmented_size = >>> - cpu_to_le32(info->max_fragmented_recv_size); >>> + cpu_to_le32(sp->max_fragmented_recv_size); >>> >>> request->num_sge = 1; >>> request->sge[0].addr = ib_dma_map_single( >>> @@ -800,6 +803,7 @@ static int smbd_post_send(struct smbd_connection >> *info, >>> struct smbd_request *request) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_send_wr send_wr; >>> int rc, i; >>> >>> @@ -831,7 +835,7 @@ static int smbd_post_send(struct smbd_connection >> *info, >>> } else >>> /* Reset timer for idle connection after packet is sent */ >>> mod_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> >>> return rc; >>> } >>> @@ -841,6 +845,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> int *_remaining_data_length) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> int i, rc; >>> int header_length; >>> int data_length; >>> @@ -868,7 +873,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> >>> wait_send_queue: >>> wait_event(info->wait_post_send, >>> - atomic_read(&info->send_pending) < >> info->send_credit_target || >>> + atomic_read(&info->send_pending) < sp->send_credit_target >> || >>> sc->status != SMBDIRECT_SOCKET_CONNECTED); >>> >>> if (sc->status != SMBDIRECT_SOCKET_CONNECTED) { >>> @@ -878,7 +883,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> } >>> >>> if (unlikely(atomic_inc_return(&info->send_pending) > >>> - info->send_credit_target)) { >>> + sp->send_credit_target)) { >>> atomic_dec(&info->send_pending); >>> goto wait_send_queue; >>> } >>> @@ -917,7 +922,7 @@ static int smbd_post_send_iter(struct >> smbd_connection *info, >>> >>> /* Fill in the packet header */ >>> packet = smbd_request_payload(request); >>> - packet->credits_requested = cpu_to_le16(info->send_credit_target); >>> + packet->credits_requested = cpu_to_le16(sp->send_credit_target); >>> >>> new_credits = manage_credits_prior_sending(info); >>> atomic_add(new_credits, &info->receive_credits); >>> @@ -1017,16 +1022,17 @@ static int smbd_post_recv( >>> struct smbd_connection *info, struct smbd_response >> *response) >>> { >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct ib_recv_wr recv_wr; >>> int rc = -EIO; >>> >>> response->sge.addr = ib_dma_map_single( >>> sc->ib.dev, response->packet, >>> - info->max_receive_size, DMA_FROM_DEVICE); >>> + sp->max_recv_size, DMA_FROM_DEVICE); >>> if (ib_dma_mapping_error(sc->ib.dev, response->sge.addr)) >>> return rc; >>> >>> - response->sge.length = info->max_receive_size; >>> + response->sge.length = sp->max_recv_size; >>> response->sge.lkey = sc->ib.pd->local_dma_lkey; >>> >>> response->cqe.done = recv_done; >>> @@ -1274,6 +1280,8 @@ static void idle_connection_timer(struct >> work_struct *work) >>> struct smbd_connection *info = container_of( >>> work, struct smbd_connection, >>> idle_timer_work.work); >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> >>> if (info->keep_alive_requested != KEEP_ALIVE_NONE) { >>> log_keep_alive(ERR, >>> @@ -1288,7 +1296,7 @@ static void idle_connection_timer(struct >> work_struct *work) >>> >>> /* Setup the next idle timeout work */ >>> queue_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> } >>> >>> /* >>> @@ -1300,6 +1308,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> { >>> struct smbd_connection *info = server->smbd_conn; >>> struct smbdirect_socket *sc; >>> + struct smbdirect_socket_parameters *sp; >>> struct smbd_response *response; >>> unsigned long flags; >>> >>> @@ -1308,6 +1317,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> return; >>> } >>> sc = &info->socket; >>> + sp = &sc->parameters; >>> >>> log_rdma_event(INFO, "destroying rdma session\n"); >>> if (sc->status != SMBDIRECT_SOCKET_DISCONNECTED) { >>> @@ -1349,7 +1359,7 @@ void smbd_destroy(struct TCP_Server_Info *server) >>> log_rdma_event(INFO, "free receive buffers\n"); >>> wait_event(info->wait_receive_queues, >>> info->count_receive_queue + info->count_empty_packet_queue >>> - == info->receive_credit_max); >>> + == sp->recv_credit_max); >>> destroy_receive_buffers(info); >>> >>> /* >>> @@ -1437,6 +1447,8 @@ static void destroy_caches_and_workqueue(struct >> smbd_connection *info) >>> #define MAX_NAME_LEN 80 >>> static int allocate_caches_and_workqueue(struct smbd_connection *info) >>> { >>> + struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> char name[MAX_NAME_LEN]; >>> int rc; >>> >>> @@ -1451,7 +1463,7 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> return -ENOMEM; >>> >>> info->request_mempool = >>> - mempool_create(info->send_credit_target, >> mempool_alloc_slab, >>> + mempool_create(sp->send_credit_target, mempool_alloc_slab, >>> mempool_free_slab, info->request_cache); >>> if (!info->request_mempool) >>> goto out1; >>> @@ -1461,13 +1473,13 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> kmem_cache_create( >>> name, >>> sizeof(struct smbd_response) + >>> - info->max_receive_size, >>> + sp->max_recv_size, >>> 0, SLAB_HWCACHE_ALIGN, NULL); >>> if (!info->response_cache) >>> goto out2; >>> >>> info->response_mempool = >>> - mempool_create(info->receive_credit_max, >> mempool_alloc_slab, >>> + mempool_create(sp->recv_credit_max, mempool_alloc_slab, >>> mempool_free_slab, info->response_cache); >>> if (!info->response_mempool) >>> goto out3; >>> @@ -1477,7 +1489,7 @@ static int allocate_caches_and_workqueue(struct >> smbd_connection *info) >>> if (!info->workqueue) >>> goto out4; >>> >>> - rc = allocate_receive_buffers(info, info->receive_credit_max); >>> + rc = allocate_receive_buffers(info, sp->recv_credit_max); >>> if (rc) { >>> log_rdma_event(ERR, "failed to allocate receive >> buffers\n"); >>> goto out5; >>> @@ -1505,6 +1517,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> int rc; >>> struct smbd_connection *info; >>> struct smbdirect_socket *sc; >>> + struct smbdirect_socket_parameters *sp; >>> struct rdma_conn_param conn_param; >>> struct ib_qp_init_attr qp_attr; >>> struct sockaddr_in *addr_in = (struct sockaddr_in *) dstaddr; >>> @@ -1515,6 +1528,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> if (!info) >>> return NULL; >>> sc = &info->socket; >>> + sp = &sc->parameters; >>> >>> sc->status = SMBDIRECT_SOCKET_CONNECTING; >>> rc = smbd_ia_open(info, dstaddr, port); >>> @@ -1541,12 +1555,12 @@ static struct smbd_connection >> *_smbd_get_connection( >>> goto config_failed; >>> } >>> >>> - info->receive_credit_max = smbd_receive_credit_max; >>> - info->send_credit_target = smbd_send_credit_target; >>> - info->max_send_size = smbd_max_send_size; >>> - info->max_fragmented_recv_size = smbd_max_fragmented_recv_size; >>> - info->max_receive_size = smbd_max_receive_size; >>> - info->keep_alive_interval = smbd_keep_alive_interval; >>> + sp->recv_credit_max = smbd_receive_credit_max; >>> + sp->send_credit_target = smbd_send_credit_target; >>> + sp->max_send_size = smbd_max_send_size; >>> + sp->max_fragmented_recv_size = smbd_max_fragmented_recv_size; >>> + sp->max_recv_size = smbd_max_receive_size; >>> + sp->keepalive_interval_msec = smbd_keep_alive_interval * 1000; >>> >>> if (sc->ib.dev->attrs.max_send_sge < SMBDIRECT_MAX_SEND_SGE || >>> sc->ib.dev->attrs.max_recv_sge < SMBDIRECT_MAX_RECV_SGE) { >>> @@ -1561,7 +1575,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> >>> sc->ib.send_cq = >>> ib_alloc_cq_any(sc->ib.dev, info, >>> - info->send_credit_target, IB_POLL_SOFTIRQ); >>> + sp->send_credit_target, IB_POLL_SOFTIRQ); >>> if (IS_ERR(sc->ib.send_cq)) { >>> sc->ib.send_cq = NULL; >>> goto alloc_cq_failed; >>> @@ -1569,7 +1583,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> >>> sc->ib.recv_cq = >>> ib_alloc_cq_any(sc->ib.dev, info, >>> - info->receive_credit_max, IB_POLL_SOFTIRQ); >>> + sp->recv_credit_max, IB_POLL_SOFTIRQ); >>> if (IS_ERR(sc->ib.recv_cq)) { >>> sc->ib.recv_cq = NULL; >>> goto alloc_cq_failed; >>> @@ -1578,8 +1592,8 @@ static struct smbd_connection >> *_smbd_get_connection( >>> memset(&qp_attr, 0, sizeof(qp_attr)); >>> qp_attr.event_handler = smbd_qp_async_error_upcall; >>> qp_attr.qp_context = info; >>> - qp_attr.cap.max_send_wr = info->send_credit_target; >>> - qp_attr.cap.max_recv_wr = info->receive_credit_max; >>> + qp_attr.cap.max_send_wr = sp->send_credit_target; >>> + qp_attr.cap.max_recv_wr = sp->recv_credit_max; >>> qp_attr.cap.max_send_sge = SMBDIRECT_MAX_SEND_SGE; >>> qp_attr.cap.max_recv_sge = SMBDIRECT_MAX_RECV_SGE; >>> qp_attr.cap.max_inline_data = 0; >>> @@ -1654,7 +1668,7 @@ static struct smbd_connection >> *_smbd_get_connection( >>> init_waitqueue_head(&info->wait_send_queue); >>> INIT_DELAYED_WORK(&info->idle_timer_work, idle_connection_timer); >>> queue_delayed_work(info->workqueue, &info->idle_timer_work, >>> - info->keep_alive_interval*HZ); >>> + msecs_to_jiffies(sp->keepalive_interval_msec)); >>> >>> init_waitqueue_head(&info->wait_send_pending); >>> atomic_set(&info->send_pending, 0); >>> @@ -1971,6 +1985,7 @@ int smbd_send(struct TCP_Server_Info *server, >>> { >>> struct smbd_connection *info = server->smbd_conn; >>> struct smbdirect_socket *sc = &info->socket; >>> + struct smbdirect_socket_parameters *sp = &sc->parameters; >>> struct smb_rqst *rqst; >>> struct iov_iter iter; >>> unsigned int remaining_data_length, klen; >>> @@ -1988,10 +2003,10 @@ int smbd_send(struct TCP_Server_Info *server, >>> for (i = 0; i < num_rqst; i++) >>> remaining_data_length += smb_rqst_len(server, >> &rqst_array[i]); >>> >>> - if (unlikely(remaining_data_length > >> info->max_fragmented_send_size)) { >>> + if (unlikely(remaining_data_length > >> sp->max_fragmented_send_size)) { >>> /* assertion: payload never exceeds negotiated maximum */ >>> log_write(ERR, "payload size %d > max size %d\n", >>> - remaining_data_length, >> info->max_fragmented_send_size); >>> + remaining_data_length, >> sp->max_fragmented_send_size); >>> return -EINVAL; >>> } >>> >>> diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h >>> index 4b559a4147af1..3d552ab27e0f3 100644 >>> --- a/fs/smb/client/smbdirect.h >>> +++ b/fs/smb/client/smbdirect.h >>> @@ -69,15 +69,7 @@ struct smbd_connection { >>> spinlock_t lock_new_credits_offered; >>> int new_credits_offered; >>> >>> - /* Connection parameters defined in [MS-SMBD] 3.1.1.1 */ >>> - int receive_credit_max; >>> - int send_credit_target; >>> - int max_send_size; >>> - int max_fragmented_recv_size; >>> - int max_fragmented_send_size; >>> - int max_receive_size; >>> - int keep_alive_interval; >>> - int max_readwrite_size; >>> + /* dynamic connection parameters defined in [MS-SMBD] 3.1.1.1 */ >>> enum keep_alive_status keep_alive_requested; >>> int protocol; >>> atomic_t send_credits; >> >> >

1 month

2
6
0 0

FAILED: patch "[PATCH] nvmem: layouts: u-boot-env: remove crc32 endianness" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 2d7521aa26ec2dc8b877bb2d1f2611a2df49a3cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072117-afraid-cyclic-e53c@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2d7521aa26ec2dc8b877bb2d1f2611a2df49a3cf Mon Sep 17 00:00:00 2001 From: "Michael C. Pratt" <mcpratt(a)pm.me> Date: Wed, 16 Jul 2025 15:42:10 +0100 Subject: [PATCH] nvmem: layouts: u-boot-env: remove crc32 endianness conversion On 11 Oct 2022, it was reported that the crc32 verification of the u-boot environment failed only on big-endian systems for the u-boot-env nvmem layout driver with the following error. Invalid calculated CRC32: 0x88cd6f09 (expected: 0x096fcd88) This problem has been present since the driver was introduced, and before it was made into a layout driver. The suggested fix at the time was to use further endianness conversion macros in order to have both the stored and calculated crc32 values to compare always represented in the system's endianness. This was not accepted due to sparse warnings and some disagreement on how to handle the situation. Later on in a newer revision of the patch, it was proposed to use cpu_to_le32() for both values to compare instead of le32_to_cpu() and store the values as __le32 type to remove compilation errors. The necessity of this is based on the assumption that the use of crc32() requires endianness conversion because the algorithm uses little-endian, however, this does not prove to be the case and the issue is unrelated. Upon inspecting the current kernel code, there already is an existing use of le32_to_cpu() in this driver, which suggests there already is special handling for big-endian systems, however, it is big-endian systems that have the problem. This, being the only functional difference between architectures in the driver combined with the fact that the suggested fix was to use the exact same endianness conversion for the values brings up the possibility that it was not necessary to begin with, as the same endianness conversion for two values expected to be the same is expected to be equivalent to no conversion at all. After inspecting the u-boot environment of devices of both endianness and trying to remove the existing endianness conversion, the problem is resolved in an equivalent way as the other suggested fixes. Ultimately, it seems that u-boot is agnostic to endianness at least for the purpose of environment variables. In other words, u-boot reads and writes the stored crc32 value with the same endianness that the crc32 value is calculated with in whichever endianness a certain architecture runs on. Therefore, the u-boot-env driver does not need to convert endianness. Remove the usage of endianness macros in the u-boot-env driver, and change the type of local variables to maintain the same return type. If there is a special situation in the case of endianness, it would be a corner case and should be handled by a unique "compatible". Even though it is not necessary to use endianness conversion macros here, it may be useful to use them in the future for consistent error printing. Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables") Reported-by: INAGAKI Hiroshi <musashino.open(a)gmail.com> Link: https://lore.kernel.org/all/20221011024928.1807-1-musashino.open@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: "Michael C. Pratt" <mcpratt(a)pm.me> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> Link: https://lore.kernel.org/r/20250716144210.4804-1-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/nvmem/layouts/u-boot-env.c b/drivers/nvmem/layouts/u-boot-env.c index 436426d4e8f9..8571aac56295 100644 --- a/drivers/nvmem/layouts/u-boot-env.c +++ b/drivers/nvmem/layouts/u-boot-env.c @@ -92,7 +92,7 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, size_t crc32_data_offset; size_t crc32_data_len; size_t crc32_offset; - __le32 *crc32_addr; + uint32_t *crc32_addr; size_t data_offset; size_t data_len; size_t dev_size; @@ -143,8 +143,8 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, goto err_kfree; } - crc32_addr = (__le32 *)(buf + crc32_offset); - crc32 = le32_to_cpu(*crc32_addr); + crc32_addr = (uint32_t *)(buf + crc32_offset); + crc32 = *crc32_addr; crc32_data_len = dev_size - crc32_data_offset; data_len = dev_size - data_offset;

1 month

2
1
0 0

FAILED: patch "[PATCH] nvmem: layouts: u-boot-env: remove crc32 endianness" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 2d7521aa26ec2dc8b877bb2d1f2611a2df49a3cf # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025072115-gotten-sprout-e549@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2d7521aa26ec2dc8b877bb2d1f2611a2df49a3cf Mon Sep 17 00:00:00 2001 From: "Michael C. Pratt" <mcpratt(a)pm.me> Date: Wed, 16 Jul 2025 15:42:10 +0100 Subject: [PATCH] nvmem: layouts: u-boot-env: remove crc32 endianness conversion On 11 Oct 2022, it was reported that the crc32 verification of the u-boot environment failed only on big-endian systems for the u-boot-env nvmem layout driver with the following error. Invalid calculated CRC32: 0x88cd6f09 (expected: 0x096fcd88) This problem has been present since the driver was introduced, and before it was made into a layout driver. The suggested fix at the time was to use further endianness conversion macros in order to have both the stored and calculated crc32 values to compare always represented in the system's endianness. This was not accepted due to sparse warnings and some disagreement on how to handle the situation. Later on in a newer revision of the patch, it was proposed to use cpu_to_le32() for both values to compare instead of le32_to_cpu() and store the values as __le32 type to remove compilation errors. The necessity of this is based on the assumption that the use of crc32() requires endianness conversion because the algorithm uses little-endian, however, this does not prove to be the case and the issue is unrelated. Upon inspecting the current kernel code, there already is an existing use of le32_to_cpu() in this driver, which suggests there already is special handling for big-endian systems, however, it is big-endian systems that have the problem. This, being the only functional difference between architectures in the driver combined with the fact that the suggested fix was to use the exact same endianness conversion for the values brings up the possibility that it was not necessary to begin with, as the same endianness conversion for two values expected to be the same is expected to be equivalent to no conversion at all. After inspecting the u-boot environment of devices of both endianness and trying to remove the existing endianness conversion, the problem is resolved in an equivalent way as the other suggested fixes. Ultimately, it seems that u-boot is agnostic to endianness at least for the purpose of environment variables. In other words, u-boot reads and writes the stored crc32 value with the same endianness that the crc32 value is calculated with in whichever endianness a certain architecture runs on. Therefore, the u-boot-env driver does not need to convert endianness. Remove the usage of endianness macros in the u-boot-env driver, and change the type of local variables to maintain the same return type. If there is a special situation in the case of endianness, it would be a corner case and should be handled by a unique "compatible". Even though it is not necessary to use endianness conversion macros here, it may be useful to use them in the future for consistent error printing. Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables") Reported-by: INAGAKI Hiroshi <musashino.open(a)gmail.com> Link: https://lore.kernel.org/all/20221011024928.1807-1-musashino.open@gmail.com Cc: stable(a)vger.kernel.org Signed-off-by: "Michael C. Pratt" <mcpratt(a)pm.me> Signed-off-by: Srinivas Kandagatla <srini(a)kernel.org> Link: https://lore.kernel.org/r/20250716144210.4804-1-srini@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/nvmem/layouts/u-boot-env.c b/drivers/nvmem/layouts/u-boot-env.c index 436426d4e8f9..8571aac56295 100644 --- a/drivers/nvmem/layouts/u-boot-env.c +++ b/drivers/nvmem/layouts/u-boot-env.c @@ -92,7 +92,7 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, size_t crc32_data_offset; size_t crc32_data_len; size_t crc32_offset; - __le32 *crc32_addr; + uint32_t *crc32_addr; size_t data_offset; size_t data_len; size_t dev_size; @@ -143,8 +143,8 @@ int u_boot_env_parse(struct device *dev, struct nvmem_device *nvmem, goto err_kfree; } - crc32_addr = (__le32 *)(buf + crc32_offset); - crc32 = le32_to_cpu(*crc32_addr); + crc32_addr = (uint32_t *)(buf + crc32_offset); + crc32 = *crc32_addr; crc32_data_len = dev_size - crc32_data_offset; data_len = dev_size - data_offset;

1 month

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2025