Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

324 participants
124229 discussions

[PATCH v2] HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()

by Günther Noack

Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB. Cc: stable(a)vger.kernel.org Signed-off-by: Günther Noack <gnoack(a)google.com> --- drivers/hid/hid-logitech-hidpp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index 9ced0e4d46ae..c5e132a6c085 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -4313,7 +4313,7 @@ static int hidpp_get_report_length(struct hid_device *hdev, int id) re = &(hdev->report_enum[HID_OUTPUT_REPORT]); report = re->report_id_hash[id]; - if (!report) + if (!report || !report->maxfield) return 0; return report->field[0]->report_count + 1; -- 2.52.0.457.g6b5491de43-goog

3 days, 3 hours

[PATCH] HID: prodikeys: Check presence of pm->input_ep82

by Günther Noack

Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one. Cc: stable(a)vger.kernel.org Signed-off-by: Günther Noack <gnoack(a)google.com> --- drivers/hid/hid-prodikeys.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/hid/hid-prodikeys.c b/drivers/hid/hid-prodikeys.c index 74bddb2c3e82..6e413df38358 100644 --- a/drivers/hid/hid-prodikeys.c +++ b/drivers/hid/hid-prodikeys.c @@ -378,6 +378,10 @@ static int pcmidi_handle_report4(struct pcmidi_snd *pm, u8 *data) bit_mask = (bit_mask << 8) | data[2]; bit_mask = (bit_mask << 8) | data[3]; + /* robustness in case input_mapping hook does not get called */ + if (!pm->input_ep82) + return 0; + /* break keys */ for (bit_index = 0; bit_index < 24; bit_index++) { if (!((0x01 << bit_index) & bit_mask)) { -- 2.52.0.457.g6b5491de43-goog

3 days, 3 hours

[PATCH] HID: magicmouse: Do not crash on missing msc->input

by Günther Noack

Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, msc->input stays NULL, leading to a crash at a later time. Detect this condition in the input_configured() hook and reject the device. This is not supposed to happen with actual magic mouse devices, but can be provoked by imposing as a magic mouse USB device. Cc: stable(a)vger.kernel.org Signed-off-by: Günther Noack <gnoack(a)google.com> --- drivers/hid/hid-magicmouse.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/hid/hid-magicmouse.c b/drivers/hid/hid-magicmouse.c index 6e7c189f4d1d..b8932f02b6ee 100644 --- a/drivers/hid/hid-magicmouse.c +++ b/drivers/hid/hid-magicmouse.c @@ -726,6 +726,11 @@ static int magicmouse_input_configured(struct hid_device *hdev, struct magicmouse_sc *msc = hid_get_drvdata(hdev); int ret; + if (!msc->input) { + hid_err(hdev, "magicmouse setup input failed (no input)"); + return -EINVAL; + } + ret = magicmouse_setup_input(msc->input, hdev); if (ret) { hid_err(hdev, "magicmouse setup input failed (%d)\n", ret); -- 2.52.0.457.g6b5491de43-goog

3 days, 3 hours

[PATCH v2] drm/amdkfd: fix a memory leak in device_queue_manager_init()

by Haoxiang Li

If dqm->ops.initialize() fails, add deallocate_hiq_sdma_mqd() to release the memory allocated by allocate_hiq_sdma_mqd(). Move deallocate_hiq_sdma_mqd() up to ensure proper function visibility at the point of use. Fixes: 11614c36bc8f ("drm/amdkfd: Allocate MQD trunk for HIQ and SDMA") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- Changes in v2: - Move deallocate_hiq_sdma_mqd() up. Thanks, Felix! - Add a Fixes tag. --- .../drm/amd/amdkfd/kfd_device_queue_manager.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c index d7a2e7178ea9..8af0929ca40a 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c @@ -2919,6 +2919,14 @@ static int allocate_hiq_sdma_mqd(struct device_queue_manager *dqm) return retval; } +static void deallocate_hiq_sdma_mqd(struct kfd_node *dev, + struct kfd_mem_obj *mqd) +{ + WARN(!mqd, "No hiq sdma mqd trunk to free"); + + amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem); +} + struct device_queue_manager *device_queue_manager_init(struct kfd_node *dev) { struct device_queue_manager *dqm; @@ -3042,19 +3050,14 @@ struct device_queue_manager *device_queue_manager_init(struct kfd_node *dev) return dqm; } + if (!dev->kfd->shared_resources.enable_mes) + deallocate_hiq_sdma_mqd(dev, &dqm->hiq_sdma_mqd); + out_free: kfree(dqm); return NULL; } -static void deallocate_hiq_sdma_mqd(struct kfd_node *dev, - struct kfd_mem_obj *mqd) -{ - WARN(!mqd, "No hiq sdma mqd trunk to free"); - - amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem); -} - void device_queue_manager_uninit(struct device_queue_manager *dqm) { dqm->ops.stop(dqm); -- 2.25.1

3 days, 5 hours

[PATCH v2] hpsa: fix a memory leak in hpsa_find_cfgtables()

by Haoxiang Li

If write_driver_ver_to_cfgtable() fails, add iounmap() to release the memory allocated by remap_pci_mem(). Found by manual static code review. Fixes: 580ada3c1e2f ("[SCSI] hpsa: do a better job of detecting controller reset failure") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- Changes in v2: - replace iounmap with unified release method. Thanks, Greg! --- drivers/scsi/hpsa.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index 3654b12c5d5a..e38d4a7488f8 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -7646,8 +7646,10 @@ static int hpsa_find_cfgtables(struct ctlr_info *h) return -ENOMEM; } rc = write_driver_ver_to_cfgtable(h->cfgtable); - if (rc) + if (rc) { + hpsa_free_cfgtables(h); return rc; + } /* Find performant mode table. */ trans_offset = readl(&h->cfgtable->TransMethodOffset); h->transtable = remap_pci_mem(pci_resource_start(h->pdev, -- 2.25.1

3 days, 6 hours

[PATCH v2 RESEND] media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

by Jeongjun Park

In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... open("/path/to/dev"); // open hackrf dev .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly. Cc: <stable(a)vger.kernel.org> Reported-by: syzbot+6ffd76b5405c006a46b7(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6ffd76b5405c006a46b7 Reported-by: syzbot+f1b20958f93d2d250727(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f1b20958f93d2d250727 Fixes: 8bc4a9ed8504 ("[media] hackrf: add support for transmitter") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- v2: Fix incorrect patch description style and CC stable mailing list - Link to v1: https://lore.kernel.org/all/20250822142729.1156816-1-aha310510@gmail.com/ --- drivers/media/usb/hackrf/hackrf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/usb/hackrf/hackrf.c b/drivers/media/usb/hackrf/hackrf.c index 0b50de8775a3..d7a84422193d 100644 --- a/drivers/media/usb/hackrf/hackrf.c +++ b/drivers/media/usb/hackrf/hackrf.c @@ -1515,6 +1515,8 @@ static int hackrf_probe(struct usb_interface *intf, video_unregister_device(&dev->rx_vdev); err_v4l2_device_unregister: v4l2_device_unregister(&dev->v4l2_dev); + dev_dbg(&intf->dev, "failed=%d\n", ret); + return ret; err_v4l2_ctrl_handler_free_tx: v4l2_ctrl_handler_free(&dev->tx_ctrl_handler); err_v4l2_ctrl_handler_free_rx: --

3 days, 9 hours

[PATCH 6.12 1/2] drm/xe: make xe_gt_idle_disable_c6() handle the forcewake internally

by Xin Wang

[ Upstream commit 1313351e71181a4818afeb8dfe202e4162091ef6 ] Move forcewake_get() into xe_gt_idle_enable_c6() to streamline the code and make it easier to use. Suggested-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Signed-off-by: Xin Wang <x.wang(a)intel.com> Reviewed-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Link: https://lore.kernel.org/r/20250827000633.1369890-2-x.wang@intel.com Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> --- drivers/gpu/drm/xe/xe_gt_idle.c | 20 +++++++++++++------- drivers/gpu/drm/xe/xe_gt_idle.h | 2 +- drivers/gpu/drm/xe/xe_guc_pc.c | 10 +--------- 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_gt_idle.c b/drivers/gpu/drm/xe/xe_gt_idle.c index 67aba4140510..0ab9667c223f 100644 --- a/drivers/gpu/drm/xe/xe_gt_idle.c +++ b/drivers/gpu/drm/xe/xe_gt_idle.c @@ -204,11 +204,8 @@ static void gt_idle_fini(void *arg) xe_gt_idle_disable_pg(gt); - if (gt_to_xe(gt)->info.skip_guc_pc) { - XE_WARN_ON(xe_force_wake_get(gt_to_fw(gt), XE_FW_GT)); + if (gt_to_xe(gt)->info.skip_guc_pc) xe_gt_idle_disable_c6(gt); - xe_force_wake_put(gt_to_fw(gt), XE_FW_GT); - } sysfs_remove_files(kobj, gt_idle_attrs); kobject_put(kobj); @@ -266,14 +263,23 @@ void xe_gt_idle_enable_c6(struct xe_gt *gt) RC_CTL_HW_ENABLE | RC_CTL_TO_MODE | RC_CTL_RC6_ENABLE); } -void xe_gt_idle_disable_c6(struct xe_gt *gt) +int xe_gt_idle_disable_c6(struct xe_gt *gt) { + unsigned int fw_ref; + xe_device_assert_mem_access(gt_to_xe(gt)); - xe_force_wake_assert_held(gt_to_fw(gt), XE_FW_GT); if (IS_SRIOV_VF(gt_to_xe(gt))) - return; + return 0; + + fw_ref = xe_force_wake_get(gt_to_fw(gt), XE_FW_GT); + if (!fw_ref) + return -ETIMEDOUT; xe_mmio_write32(gt, RC_CONTROL, 0); xe_mmio_write32(gt, RC_STATE, 0); + + xe_force_wake_put(gt_to_fw(gt), fw_ref); + + return 0; } diff --git a/drivers/gpu/drm/xe/xe_gt_idle.h b/drivers/gpu/drm/xe/xe_gt_idle.h index 554447b5d46d..cdd02aa5c150 100644 --- a/drivers/gpu/drm/xe/xe_gt_idle.h +++ b/drivers/gpu/drm/xe/xe_gt_idle.h @@ -12,7 +12,7 @@ struct xe_gt; int xe_gt_idle_init(struct xe_gt_idle *gtidle); void xe_gt_idle_enable_c6(struct xe_gt *gt); -void xe_gt_idle_disable_c6(struct xe_gt *gt); +int xe_gt_idle_disable_c6(struct xe_gt *gt); void xe_gt_idle_enable_pg(struct xe_gt *gt); void xe_gt_idle_disable_pg(struct xe_gt *gt); diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c index af02803c145b..209bb7c0f9ac 100644 --- a/drivers/gpu/drm/xe/xe_guc_pc.c +++ b/drivers/gpu/drm/xe/xe_guc_pc.c @@ -1008,15 +1008,7 @@ int xe_guc_pc_gucrc_disable(struct xe_guc_pc *pc) if (ret) return ret; - ret = xe_force_wake_get(gt_to_fw(gt), XE_FORCEWAKE_ALL); - if (ret) - return ret; - - xe_gt_idle_disable_c6(gt); - - XE_WARN_ON(xe_force_wake_put(gt_to_fw(gt), XE_FORCEWAKE_ALL)); - - return 0; + return xe_gt_idle_disable_c6(gt); } /** -- 2.43.0

3 days, 12 hours

[PATCH 1/4] KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation

by Yosry Ahmed

Commit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state") made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code to always use vmcb01. As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01 instead of the current VMCB. Fixes: cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state") Cc: Maxim Levitsky <mlevitsk(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Yosry Ahmed <yosry.ahmed(a)linux.dev> --- arch/x86/kvm/svm/svm.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 7041498a8091..4e4439a01828 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -2165,12 +2165,13 @@ static int vmload_vmsave_interception(struct kvm_vcpu *vcpu, bool vmload) ret = kvm_skip_emulated_instruction(vcpu); + /* KVM always performs VMLOAD/VMSAVE on VMCB01 (see __svm_vcpu_run()) */ if (vmload) { - svm_copy_vmloadsave_state(svm->vmcb, vmcb12); + svm_copy_vmloadsave_state(svm->vmcb01.ptr, vmcb12); svm->sysenter_eip_hi = 0; svm->sysenter_esp_hi = 0; } else { - svm_copy_vmloadsave_state(vmcb12, svm->vmcb); + svm_copy_vmloadsave_state(vmcb12, svm->vmcb01.ptr); } kvm_vcpu_unmap(vcpu, &map); -- 2.52.0.457.g6b5491de43-goog

3 days, 12 hours

[PATCH] wifi: rsi: Fix memory corruption due to not set vif driver data size

by Marek Vasut

The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif . The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows . The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus address, which when accessed causes a crash. The trigger is very simple, boot the machine with init=/bin/sh , mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it. Cc: stable(a)vger.kernel.org Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") Signed-off-by: Marek Vasut <marex(a)nabladev.com> --- Cc: Ingo Molnar <mingo(a)kernel.org> Cc: Johannes Berg <johannes.berg(a)intel.com> Cc: Marek Vasut <marex(a)nabladev.com> Cc: Radenovic Goran <gradenovic(a)ultratronik.de> Cc: Roopni Devanathan <quic_rdevanat(a)quicinc.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: kernel(a)dh-electronics.com Cc: linux-kernel(a)vger.kernel.org Cc: linux-wireless(a)vger.kernel.org --- Splat reported by UT https://lkml.org/lkml/2025/10/22/1167 Splat as seen on DH STM32MP15xx DHCOR DRC Compact with current 6.18.y LTS: 8<--- cut here --- Unable to handle kernel paging request at virtual address fffffffc when read [fffffffc] *pgd=dbfde861, *pte=00000000, *ppte=00000000 Internal error: Oops: 37 [#1] SMP ARM Modules linked in: CPU: 0 UID: 0 PID: 106 Comm: ifconfig Tainted: G W 6.18.4-00006-gbeb1780fe470-dirty #67 PREEMPT Tainted: [W]=WARN Hardware name: Generic DT based system PC is at fq_flow_reset.constprop.0+0x84/0x22c LR is at fq_flow_reset.constprop.0+0x84/0x22c pc : [<c0110934>] lr : [<c0110934>] psr: 600a0013 sp : e0c45ca0 ip : 00000000 fp : c2c11600 r10: 00000624 r9 : 00000000 r8 : e0c45cf4 r7 : 00000000 r6 : c197e668 r5 : c197e5c0 r4 : fffffffc r3 : c4281b00 r2 : 00000000 r1 : 00000000 r0 : 00000012 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 10c5387d Table: c429c06a DAC: 00000051 Register r0 information: non-paged memory Register r1 information: NULL pointer Register r2 information: NULL pointer Register r3 information: slab task_struct start c4281b00 pointer offset 0 size 2304 Register r4 information: non-paged memory Register r5 information: slab kmalloc-8k start c197e000 pointer offset 1472 size 8192 Register r6 information: slab kmalloc-8k start c197e000 pointer offset 1640 size 8192 Register r7 information: NULL pointer Register r8 information: 2-page vmalloc region starting at 0xe0c44000 allocated at kernel_clone+0xb4/0x288 Register r9 information: NULL pointer Register r10 information: non-paged memory Register r11 information: slab kmalloc-8k start c2c10000 pointer offset 5632 size 8192 Register r12 information: NULL pointer Process ifconfig (pid: 106, stack limit = 0x3fd08b1b) Stack: (0xe0c45ca0 to 0xe0c46000) 5ca0: c197e668 fffffffc 00000000 c2c11890 c197e5c0 00000000 00000000 c0110d18 5cc0: c2c10600 c197e5c0 e0c45cf4 00000000 e0c45cf4 c0b65f68 00008914 c0183e44 5ce0: 00000001 00000000 600a0013 c0187684 00000010 e0c45cf4 e0c45cf4 00000000 5d00: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5d20: 00000000 115bbe91 c4281b00 c2c10600 c197e240 c0db94cc 00001003 00000001 5d40: c2d68a0c e0c45e50 00008914 c0b66338 c197e240 115bbe91 00000000 c2c10000 5d60: e0c45d94 c0db94cc 00001003 c0953c00 e0c45d94 e0c45d94 c2c10000 00001002 5d80: e0c45d94 c095830c ffffffff c2d03ed8 c2205660 c2c10104 c2c10104 115bbe91 5da0: c2c10000 c2c10000 00000000 00001003 c2c10130 c0958404 c2c10000 00001002 5dc0: c2c10000 00001002 00000000 c2d68a00 00000000 c095b72c 00000000 e0c45e40 5de0: c2c10000 c0a07254 c3212a48 00000000 00000020 00000014 e0c45e60 c4281b00 5e00: e0c45e40 00001002 0044032c 0043fe6c 0042a1f0 115bbe91 00000000 00008914 5e20: beb49abc c13f6e40 c42ac000 e0c45e60 c4281b00 c29e1e40 00000004 c0a09b94 5e40: 6e616c77 00000030 00000000 00000000 00001002 0044032c 0043fe6c 0042a1f0 5e60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5e80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 5ea0: 00000000 00000000 00000000 00000000 00000000 115bbe91 00000000 c2511200 5ec0: 00008914 beb49abc c13f6e40 c0da8868 c4281b00 c092f358 e0c45ee7 c2b9d490 5ee0: c2204f68 00339798 00000000 00000000 00000000 00000000 00000000 00000000 5f00: 00000000 00000000 00000000 115bbe91 beb49b44 c29e1e40 beb49abc 00008914 5f20: c2511280 c02de8b4 fffffffe ffffff9c e0c45f74 c01002c4 0042bb7c 00000000 5f40: 00000000 c02da9e8 00000000 0042bb7c 00000001 004406c8 00000001 c4281b00 5f60: 00000004 c02c6f84 00000000 ffffff9c c29e1e40 00000000 00000000 115bbe91 5f80: 00000004 beb49b44 beb49abc 00000004 00000036 c01002c4 c4281b00 00000036 5fa0: beb49f86 c0100060 beb49b44 beb49abc 00000004 00008914 beb49abc beb49aa8 5fc0: beb49b44 beb49abc 00000004 00000036 00440000 0042a350 00000000 beb49f86 5fe0: 00000036 beb49a90 b6ea1891 b6e0f736 800a0030 00000004 00000000 00000000 Call trace: fq_flow_reset.constprop.0 from ieee80211_txq_purge+0xd8/0x1fc ieee80211_txq_purge from ieee80211_do_stop+0x52c/0x848 ieee80211_do_stop from ieee80211_stop+0xb4/0x138 ieee80211_stop from __dev_close_many+0xc8/0xe8 __dev_close_many from __dev_change_flags+0xe0/0x1b8 __dev_change_flags from netif_change_flags+0x20/0x5c netif_change_flags from dev_change_flags+0x2c/0x40 dev_change_flags from devinet_ioctl+0x304/0x59c devinet_ioctl from inet_ioctl+0x204/0x228 inet_ioctl from sock_ioctl+0x160/0x410 sock_ioctl from sys_ioctl+0x65c/0x8b8 sys_ioctl from ret_fast_syscall+0x0/0x54 Exception stack(0xe0c45fa8 to 0xe0c45ff0) 5fa0: beb49b44 beb49abc 00000004 00008914 beb49abc beb49aa8 5fc0: beb49b44 beb49abc 00000004 00000036 00440000 0042a350 00000000 beb49f86 5fe0: 00000036 beb49a90 b6ea1891 b6e0f736 Code: e59f1194 e59f018c e300213d ebffc819 (e5943000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception in interrupt ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- --- drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c index f3a853edfc11d..8c8e074a3a705 100644 --- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c +++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c @@ -2035,6 +2035,7 @@ int rsi_mac80211_attach(struct rsi_common *common) hw->queues = MAX_HW_QUEUES; hw->extra_tx_headroom = RSI_NEEDED_HEADROOM; + hw->vif_data_size = sizeof(struct vif_priv); hw->max_rates = 1; hw->max_rate_tries = MAX_RETRIES; -- 2.51.0

3 days, 13 hours

[PATCH 1/3] media: rzg2l-cru: Skip ICnMC configuration when ICnSVC is used

by Tommaso Merciai

When the CRU is configured to use ICnSVC for virtual channel mapping, as on the RZ/{G3E, V2H/P} SoC, the ICnMC register must not be programmed. Return early after setting up ICnSVC to avoid overriding the ICnMC register, which is not applicable in this mode. This prevents unintended register programming when ICnSVC is enabled. Fixes: 3c5ca0a48bb0 ("media: rzg2l-cru: Drop function pointer to configure CSI") Cc: stable(a)vger.kernel.org Signed-off-by: Tommaso Merciai <tommaso.merciai.xr(a)bp.renesas.com> --- drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c index 162e2ace6931..480e9b5dbcfe 100644 --- a/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c +++ b/drivers/media/platform/renesas/rzg2l-cru/rzg2l-video.c @@ -268,6 +268,8 @@ static void rzg2l_cru_csi2_setup(struct rzg2l_cru_dev *cru, rzg2l_cru_write(cru, ICnSVCNUM, csi_vc); rzg2l_cru_write(cru, ICnSVC, ICnSVC_SVC0(0) | ICnSVC_SVC1(1) | ICnSVC_SVC2(2) | ICnSVC_SVC3(3)); + + return; } icnmc |= rzg2l_cru_read(cru, info->image_conv) & ~ICnMC_INF_MASK; -- 2.43.0

3 days, 15 hours

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror