- Linux-stable-mirror - lists.linaro.org

[PATCH v3] virtio: console: fix lost wakeup when device is written and polled

by Lorenz Bauer

A process issuing blocking writes to a virtio console may get stuck indefinitely if another thread polls the device. Here is how to trigger the bug: - Thread A writes to the port until the virtqueue is full. - Thread A calls wait_port_writable() and goes to sleep, waiting on port->waitqueue. - The host processes some of the write, marks buffers as used and raises an interrupt. - Before the interrupt is serviced, thread B executes port_fops_poll(). This calls reclaim_consumed_buffers() via will_write_block() and consumes all used buffers. - The interrupt is serviced. vring_interrupt() finds no used buffers via more_used() and returns without waking port->waitqueue. - Thread A is still in wait_event(port->waitqueue), waiting for a wakeup that never arrives. The crux is that invoking reclaim_consumed_buffers() may cause vring_interrupt() to omit wakeups. Fix this by calling reclaim_consumed_buffers() in out_int() before waking. This is similar to the call to discard_port_data() in in_intr() which also frees buffer from a non-sleepable context. This in turn guarantees that port->outvq_full is up to date when handling polling. Since in_intr() already populates port->inbuf we use that to avoid changing reader state. Cc: stable(a)vger.kernel.org Signed-off-by: Lorenz Bauer <lmb(a)isovalent.com> --- As far as I can tell all currently maintained stable series kernels need this commit. Applies and builds cleanly on 5.10.247, verified to fix the issue. --- Changes in v3: - Use spin_lock_irq in port_fops_poll (Arnd) - Use spin_lock in out_intr (Arnd) - Link to v2: https://lore.kernel.org/r/20251222-virtio-console-lost-wakeup-v2-1-5de93cb3… Changes in v2: - Call reclaim_consumed_buffers() in out_intr instead of issuing another wake. - Link to v1: https://lore.kernel.org/r/20251215-virtio-console-lost-wakeup-v1-1-79a5c578… --- drivers/char/virtio_console.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c index 088182e54debd6029ea2c2a5542d7a28500e67b8..e6048e04c3b23d008caa2a1d31d4ac6b2841045f 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -971,10 +971,17 @@ static __poll_t port_fops_poll(struct file *filp, poll_table *wait) return EPOLLHUP; } ret = 0; - if (!will_read_block(port)) + + spin_lock_irq(&port->inbuf_lock); + if (port->inbuf) ret |= EPOLLIN | EPOLLRDNORM; - if (!will_write_block(port)) + spin_unlock_irq(&port->inbuf_lock); + + spin_lock_irq(&port->outvq_lock); + if (!port->outvq_full) ret |= EPOLLOUT; + spin_unlock_irq(&port->outvq_lock); + if (!port->host_connected) ret |= EPOLLHUP; @@ -1705,6 +1712,10 @@ static void out_intr(struct virtqueue *vq) return; } + spin_lock(&port->outvq_lock); + reclaim_consumed_buffers(port); + spin_unlock(&port->outvq_lock); + wake_up_interruptible(&port->waitqueue); } --- base-commit: d358e5254674b70f34c847715ca509e46eb81e6f change-id: 20251215-virtio-console-lost-wakeup-0f566c5cd35f Best regards, -- Lorenz Bauer <lmb(a)isovalent.com>

1 hour, 11 minutes

1
0
0 0

[PATCH RESEND v5 0/3] phy: qcom: edp: Add missing ref clock to x1e80100

by Abel Vesa

According to documentation, the DP PHY on x1e80100 has another clock called ref. The current X Elite devices supported upstream work fine without this clock, because the boot firmware leaves this clock enabled. But we should not rely on that. Also, when it comes to power management, this clock needs to be also disabled on suspend. So even though this change breaks the ABI, it is needed in order to make we disable this clock on runtime PM, when that is going to be enabled in the driver. So rework the driver to allow different number of clocks, fix the dt-bindings schema and add the clock to the DT node as well. Signed-off-by: Abel Vesa <abel.vesa(a)linaro.org> --- Changes in v5: - Picked-up Bjorn's R-b tags. - Replaced "parse" with "get" on clocks acquiring failure. - Link to v4: https://lore.kernel.org/r/20251029-phy-qcom-edp-add-missing-refclk-v4-0-adb… Changes in v4: - Picked Dmitry's R-b tag for the driver patch - Added x1e80100 substring to subject of dts patch - Link to v3 (resend): https://lore.kernel.org/r/20251014-phy-qcom-edp-add-missing-refclk-v3-0-078… Changes in v3 (resend) - picked-up Krzysztof's R-b tag for bindings patch - Link to v3: https://lore.kernel.org/r/20250909-phy-qcom-edp-add-missing-refclk-v3-0-4ec… Changes in v3: - Use dev_err_probe() on clocks parsing failure. - Explain why the ABI break is necessary. - Drop the extra 'clk' suffix from the clock name. So ref instead of refclk. - Link to v2: https://lore.kernel.org/r/20250903-phy-qcom-edp-add-missing-refclk-v2-0-d88… Changes in v2: - Fix schema by adding the minItems, as suggested by Krzysztof. - Use devm_clk_bulk_get_all, as suggested by Konrad. - Rephrase the commit messages to reflect the flexible number of clocks. - Link to v1: https://lore.kernel.org/r/20250730-phy-qcom-edp-add-missing-refclk-v1-0-6f7… --- Abel Vesa (3): dt-bindings: phy: qcom-edp: Add missing clock for X Elite phy: qcom: edp: Make the number of clocks flexible arm64: dts: qcom: x1e80100: Add missing TCSR ref clock to the DP PHYs .../devicetree/bindings/phy/qcom,edp-phy.yaml | 28 +++++++++++++++++++++- arch/arm64/boot/dts/qcom/hamoa.dtsi | 12 ++++++---- drivers/phy/qualcomm/phy-qcom-edp.c | 16 ++++++------- 3 files changed, 43 insertions(+), 13 deletions(-) --- base-commit: 131f3d9446a6075192cdd91f197989d98302faa6 change-id: 20250730-phy-qcom-edp-add-missing-refclk-5ab82828f8e7 Best regards, -- Abel Vesa <abel.vesa(a)oss.qualcomm.com>

1 hour, 12 minutes

1
3
0 0

[PATCH v6.1 0/2] x86/mm/pat: fix VM_PAT handling

by Ajay Kaher

[PATCH v6.1 1/2]: required to backport [PATCH v6.1 2/2]. [PATCH v6.1 2/2]: backport to fix VM_PAT handling when fork() fails in copy_page_range(). arch/x86/mm/pat/memtype.c | 50 +++++++++++++++++++++++---------------- include/linux/pgtable.h | 31 ++++++++++++++++++------ kernel/fork.c | 4 ++++ mm/memory.c | 10 ++++---- mm/mremap.c | 2 +- 5 files changed, 62 insertions(+), 35 deletions(-) -- 2.40.4

1 hour, 41 minutes

1
2
0 0

[PATCH] usb: cdns3: fix a null pointer dereference in cdns3_gadget_ep_queue()

by Haoxiang Li

If cdns3_gadget_ep_alloc_request() fails, a null pointer dereference occurs. Add a check to prevent it. Found by code review and compiled on ubuntu 20.04. Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/usb/cdns3/cdns3-gadget.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/cdns3/cdns3-gadget.c b/drivers/usb/cdns3/cdns3-gadget.c index 168707213ed9..cc2421a34588 100644 --- a/drivers/usb/cdns3/cdns3-gadget.c +++ b/drivers/usb/cdns3/cdns3-gadget.c @@ -2659,6 +2659,8 @@ static int cdns3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, struct cdns3_request *priv_req; zlp_request = cdns3_gadget_ep_alloc_request(ep, GFP_ATOMIC); + if (!zlp_request) + return -ENOMEM; zlp_request->buf = priv_dev->zlp_buf; zlp_request->length = 0; -- 2.25.1

2 hours, 20 minutes

2
1
0 0

[PATCH] usb: cdns2: fix a null pointer dereference in cdns2_gadget_ep_queue()

by Haoxiang Li

If cdns2_gadget_ep_alloc_request() fails, a null pointer dereference occurs. Add a check to prevent it. Fixes: 3eb1f1efe204 ("usb: cdns2: Add main part of Cadence USBHS driver") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/usb/gadget/udc/cdns2/cdns2-gadget.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c index 9b53daf76583..c5b9dae743d8 100644 --- a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c +++ b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c @@ -1725,6 +1725,8 @@ static int cdns2_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request, struct cdns2_request *preq; zlp_request = cdns2_gadget_ep_alloc_request(ep, GFP_ATOMIC); + if (!zlp_request) + return -ENOMEM; zlp_request->buf = pdev->zlp_buf; zlp_request->length = 0; -- 2.25.1

2 hours, 21 minutes

2
1
0 0

[PATCH] drm/msm/dpu: Add missing NULL pointer check for pingpong interface

by Nikolay Kuratov

It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Cc: stable(a)vger.kernel.org Fixes: d7d0e73f7de33 ("drm/msm/dpu: introduce the dpu_encoder_phys_* for writeback") Signed-off-by: Nikolay Kuratov <kniv(a)yandex-team.ru> --- drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c index 46f348972a97..6d28f2281c76 100644 --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c @@ -247,14 +247,12 @@ static void dpu_encoder_phys_wb_setup_ctl(struct dpu_encoder_phys *phys_enc) if (hw_cdm) intf_cfg.cdm = hw_cdm->idx; - if (phys_enc->hw_pp->merge_3d && phys_enc->hw_pp->merge_3d->ops.setup_3d_mode) - phys_enc->hw_pp->merge_3d->ops.setup_3d_mode(phys_enc->hw_pp->merge_3d, - mode_3d); + if (hw_pp && hw_pp->merge_3d && hw_pp->merge_3d->ops.setup_3d_mode) + hw_pp->merge_3d->ops.setup_3d_mode(hw_pp->merge_3d, mode_3d); /* setup which pp blk will connect to this wb */ - if (hw_pp && phys_enc->hw_wb->ops.bind_pingpong_blk) - phys_enc->hw_wb->ops.bind_pingpong_blk(phys_enc->hw_wb, - phys_enc->hw_pp->idx); + if (hw_pp && hw_wb->ops.bind_pingpong_blk) + hw_wb->ops.bind_pingpong_blk(hw_wb, hw_pp->idx); phys_enc->hw_ctl->ops.setup_intf_cfg(phys_enc->hw_ctl, &intf_cfg); } else if (phys_enc->hw_ctl && phys_enc->hw_ctl->ops.setup_intf_cfg) { -- 2.34.1

2 hours, 38 minutes

2
3
0 0

[PATCH V2 0/2] LoongArch: KVM: fix "unreliable stack" issue

by Xianglai Li

When starting multi-core loongarch virtualization on loongarch physical machine, loading livepatch on the physical machine will cause an error similar to the following: [ 411.686289] livepatch: klp_try_switch_task: CPU 31/KVM:3116 has an unreliable stack The specific test steps are as follows: 1.Start a multi-core virtual machine on a physical machine 2.Enter the following command on the physical machine to turn on the debug switch: echo "file kernel/livepatch/transition.c +p" > /sys/kernel/debug/\ dynamic_debug/control 3.Load livepatch: modprobe livepatch-sample Through the above steps, similar prints can be viewed in dmesg. The reason for this issue is that the code of the kvm_exc_entry function was copied in the function kvm_loongarch_env_init. When the cpu needs to execute kvm_exc_entry, it will switch to the copied address for execution. The new address of the kvm_exc_entry function cannot be recognized in ORC, which eventually leads to the arch_stack_walk_reliable function returning an error and printing an exception message. To solve the above problems, we directly compile the switch.S file into the kernel instead of the module. In this way, the function kvm_exc_entry will no longer need to be copied. changlog: V2<-V1: 1.Rollback the modification of function parameter types such as kvm_save_fpu. In the asm-prototypes.h header file, only the parameter types it depends on are included Cc: Huacai Chen <chenhuacai(a)kernel.org> Cc: WANG Xuerui <kernel(a)xen0n.name> Cc: Tianrui Zhao <zhaotianrui(a)loongson.cn> Cc: Bibo Mao <maobibo(a)loongson.cn> Cc: Charlie Jenkins <charlie(a)rivosinc.com> Cc: Xianglai Li <lixianglai(a)loongson.cn> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Xianglai Li (2): LoongArch: KVM: Compile the switch.S file directly into the kernel LoongArch: KVM: fix "unreliable stack" issue arch/loongarch/Kbuild | 2 +- arch/loongarch/include/asm/asm-prototypes.h | 21 +++++++++++++ arch/loongarch/include/asm/kvm_host.h | 3 -- arch/loongarch/kvm/Makefile | 2 +- arch/loongarch/kvm/main.c | 35 ++------------------- arch/loongarch/kvm/switch.S | 24 +++++++++++--- 6 files changed, 45 insertions(+), 42 deletions(-) base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8 -- 2.39.1

2 hours, 53 minutes

4
12
0 0

[PATCH] drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()

by Haoxiang Li

In vmw_compat_shader_add(), the return value check of vmw_shader_alloc() is not proper. Modify the check for the return pointer 'res'. Found by code review and compiled on ubuntu 20.04. Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c index 69dfe69ce0f8..7ed938710342 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c @@ -923,8 +923,10 @@ int vmw_compat_shader_add(struct vmw_private *dev_priv, ttm_bo_unreserve(&buf->tbo); res = vmw_shader_alloc(dev_priv, buf, size, 0, shader_type); - if (unlikely(ret != 0)) + if (IS_ERR(res)) { + ret = PTR_ERR(res); goto no_reserve; + } ret = vmw_cmdbuf_res_add(man, vmw_cmdbuf_res_shader, vmw_shader_key(user_key, shader_type), -- 2.25.1

2 hours, 55 minutes

1
0
0 0

[PATCH] media: iris: Add missing platform data entries for SM8750

by Dikshita Agarwal

Two platform-data fields for SM8750 were missed: - get_vpu_buffer_size = iris_vpu33_buf_size Without this, the driver fails to allocate the required internal buffers, leading to basic decode/encode failures during session bring-up. - max_core_mbps = ((7680 * 4320) / 256) * 60 Without this capability exposed, capability checks are incomplete and v4l2-compliance for encoder fails. Fixes: a5925a2ce077 ("media: iris: add VPU33 specific encoding buffer calculation") Fixes: a6882431a138 ("media: iris: Add support for ENUM_FRAMESIZES/FRAMEINTERVALS for encoder") Cc: stable(a)vger.kernel.org Signed-off-by: Dikshita Agarwal <dikshita.agarwal(a)oss.qualcomm.com> --- drivers/media/platform/qcom/iris/iris_platform_gen2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/qcom/iris/iris_platform_gen2.c b/drivers/media/platform/qcom/iris/iris_platform_gen2.c index c1989240c248601c34b84f508f1b72d72f81260a..00d1d55463179429f2ae7554546dcbe4fb1431cc 100644 --- a/drivers/media/platform/qcom/iris/iris_platform_gen2.c +++ b/drivers/media/platform/qcom/iris/iris_platform_gen2.c @@ -915,6 +915,7 @@ const struct iris_platform_data sm8750_data = { .get_instance = iris_hfi_gen2_get_instance, .init_hfi_command_ops = iris_hfi_gen2_command_ops_init, .init_hfi_response_ops = iris_hfi_gen2_response_ops_init, + .get_vpu_buffer_size = iris_vpu33_buf_size, .vpu_ops = &iris_vpu35_ops, .set_preset_registers = iris_set_sm8550_preset_registers, .icc_tbl = sm8550_icc_table, @@ -945,6 +946,7 @@ const struct iris_platform_data sm8750_data = { .num_vpp_pipe = 4, .max_session_count = 16, .max_core_mbpf = NUM_MBS_8K * 2, + .max_core_mbps = ((7680 * 4320) / 256) * 60, .dec_input_config_params_default = sm8550_vdec_input_config_params_default, .dec_input_config_params_default_size = --- base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8 change-id: 20251217-iris-sm8750-fix-2d42a133058d Best regards, -- Dikshita Agarwal <dikshita.agarwal(a)oss.qualcomm.com>

3 hours, 9 minutes

3
2
0 0

[PATCH v5.10-v6.1] drm/vmwgfx: Fix a null-ptr access in the cursor snooper

by Shivani Agarwal

From: Zack Rusin <zack.rusin(a)broadcom.com> [ Upstream commit 5ac2c0279053a2c5265d46903432fb26ae2d0da2 ] Check that the resource which is converted to a surface exists before trying to use the cursor snooper on it. vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers because some svga commands accept SVGA3D_INVALID_ID to mean "no surface", unfortunately functions that accept the actual surfaces as objects might (and in case of the cursor snooper, do not) be able to handle null objects. Make sure that we validate not only the identifier (via the vmw_cmd_res_check) but also check that the actual resource exists before trying to do something with it. Fixes unchecked null-ptr reference in the snooping code. Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Fixes: c0951b797e7d ("drm/vmwgfx: Refactor resource management") Reported-by: Kuzey Arda Bulut <kuzeyardabulut(a)gmail.com> Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Reviewed-by: Ian Forbes <ian.forbes(a)broadcom.com> Link: https://lore.kernel.org/r/20250917153655.1968583-1-zack.rusin@broadcom.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Shivani: Modified to apply on v5.10.y-v6.1.y] Signed-off-by: Shivani Agarwal <shivani.agarwal(a)broadcom.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index 0d12d6af6..5d3827b5d 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -1507,6 +1507,7 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv, SVGA3dCmdHeader *header) { struct vmw_buffer_object *vmw_bo = NULL; + struct vmw_resource *res; struct vmw_surface *srf = NULL; VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSurfaceDMA); int ret; @@ -1542,18 +1543,24 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv, dirty = (cmd->body.transfer == SVGA3D_WRITE_HOST_VRAM) ? VMW_RES_DIRTY_SET : 0; - ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, - dirty, user_surface_converter, - &cmd->body.host.sid, NULL); + ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, dirty, + user_surface_converter, &cmd->body.host.sid, + NULL); if (unlikely(ret != 0)) { if (unlikely(ret != -ERESTARTSYS)) VMW_DEBUG_USER("could not find surface for DMA.\n"); return ret; } - srf = vmw_res_to_srf(sw_context->res_cache[vmw_res_surface].res); + res = sw_context->res_cache[vmw_res_surface].res; + if (!res) { + VMW_DEBUG_USER("Invalid DMA surface.\n"); + return -EINVAL; + } - vmw_kms_cursor_snoop(srf, sw_context->fp->tfile, &vmw_bo->base, header); + srf = vmw_res_to_srf(res); + vmw_kms_cursor_snoop(srf, sw_context->fp->tfile, &vmw_bo->base, + header); return 0; } -- 2.40.4

3 hours, 29 minutes

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror