- Linux-stable-mirror - lists.linaro.org

[PATCH v2] drm/ast: Fix ast_dp connection status

by Jocelyn Falempe

ast_dp_is_connected() used to also check for link training success to report the DP connector as connected. Without this check, the physical_status is always connected. So if no monitor is present, it will fail to read the EDID and set the default resolution to 640x480 instead of 1024x768. Signed-off-by: Jocelyn Falempe <jfalempe(a)redhat.com> Fixes: 2281475168d2 ("drm/ast: astdp: Perform link training during atomic_enable") Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Dave Airlie <airlied(a)redhat.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.12+ --- drivers/gpu/drm/ast/ast_dp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/gpu/drm/ast/ast_dp.c b/drivers/gpu/drm/ast/ast_dp.c index 0e282b7b167c..30aad5c0112a 100644 --- a/drivers/gpu/drm/ast/ast_dp.c +++ b/drivers/gpu/drm/ast/ast_dp.c @@ -17,6 +17,12 @@ static bool ast_astdp_is_connected(struct ast_device *ast) { if (!ast_get_index_reg_mask(ast, AST_IO_VGACRI, 0xDF, AST_IO_VGACRDF_HPD)) return false; + /* + * HPD might be set even if no monitor is connected, so also check that + * the link training was successful. + */ + if (!ast_get_index_reg_mask(ast, AST_IO_VGACRI, 0xDC, AST_IO_VGACRDC_LINK_SUCCESS)) + return false; return true; } base-commit: 798047e63ac970f105c49c22e6d44df901c486b2 -- 2.47.1

3 months

2
3
0 0

[PATCH 6.1.y v2] net: fix data-races around sk->sk_forward_alloc

by alvalan9＠foxmail.com

From: Wang Liang <wangliang74(a)huawei.com> commit 073d89808c065ac4c672c0a613a71b27a80691cb upstream. Syzkaller reported this warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:inet_sock_destruct+0x1c5/0x1e0 Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00 RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206 RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007 RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00 RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007 R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00 R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78 FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x88/0x130 ? inet_sock_destruct+0x1c5/0x1e0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x1c5/0x1e0 __sk_destruct+0x2a/0x200 rcu_do_batch+0x1aa/0x530 ? rcu_do_batch+0x13b/0x530 rcu_core+0x159/0x2f0 handle_softirqs+0xd3/0x2b0 ? __pfx_smpboot_thread_fn+0x10/0x10 run_ksoftirqd+0x25/0x30 smpboot_thread_fn+0xdd/0x1d0 kthread+0xd3/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add() concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked, which triggers a data-race around sk->sk_forward_alloc: tcp_v6_rcv tcp_v6_do_rcv skb_clone_and_charge_r sk_rmem_schedule __sk_mem_schedule sk_forward_alloc_add() skb_set_owner_r sk_mem_charge sk_forward_alloc_add() __kfree_skb skb_release_all skb_release_head_state sock_rfree sk_mem_uncharge sk_forward_alloc_add() sk_mem_reclaim // set local var reclaimable __sk_mem_reclaim sk_forward_alloc_add() In this syzkaller testcase, two threads call tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like this: (cpu 1) | (cpu 2) | sk_forward_alloc ... | ... | 0 __sk_mem_schedule() | | +4096 = 4096 | __sk_mem_schedule() | +4096 = 8192 sk_mem_charge() | | -768 = 7424 | sk_mem_charge() | -768 = 6656 ... | ... | sk_mem_uncharge() | | +768 = 7424 reclaimable=7424 | | | sk_mem_uncharge() | +768 = 8192 | reclaimable=8192 | __sk_mem_reclaim() | | -4096 = 4096 | __sk_mem_reclaim() | -8192 = -4096 != 0 The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock(). Fix the same issue in dccp_v6_do_rcv(). Suggested-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets") Signed-off-by: Wang Liang <wangliang74(a)huawei.com> Link: https://patch.msgid.link/20241107023405.889239-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- v2: For I had sent the patch two times, I added v2 to the subject to distinguish it from the v1 version. --- net/dccp/ipv6.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index d90bb941f2ad..8f5f56b1e5f8 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -615,7 +615,7 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) by tcp. Feel free to propose better solution. --ANK (980728) */ - if (np->rxopt.all) + if (np->rxopt.all && sk->sk_state != DCCP_LISTEN) opt_skb = skb_clone_and_charge_r(skb, sk); if (sk->sk_state == DCCP_OPEN) { /* Fast path */ diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 06b4acbfd314..0ccaa78f6ff3 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1463,7 +1463,7 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) by tcp. Feel free to propose better solution. --ANK (980728) */ - if (np->rxopt.all) + if (np->rxopt.all && sk->sk_state != TCP_LISTEN) opt_skb = skb_clone_and_charge_r(skb, sk); reason = SKB_DROP_REASON_NOT_SPECIFIED; @@ -1502,8 +1502,6 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) if (nsk != sk) { if (tcp_child_process(sk, nsk, skb)) goto reset; - if (opt_skb) - __kfree_skb(opt_skb); return 0; } } else -- 2.43.0

3 months

3
2
0 0

Request inclusion of 18676c6aab0863618eb35443e7b8615eea3535a9 into stable 6.6

by Christian Kühnke

Hi all, I have been sent here from the linux-ide mailing list. Over there, I have reported an issue with the 6.6 stable series of the kernel, starting with 6.6.51. The root cause is as follows: On 12.09.2024, commit 872f86e1757bbb0a334ee739b824e47c448f5ebc ("ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf") was applied to 6.6, adding checks of ATA_QCFLAG_RTF_FILLED to libata_scsi. The patch seen in baseline commit 18676c6aab0863618eb35443e7b8615eea3535a9 ("ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf()") should have gone together with this. Without it, I receive errors retrieving SMART data from SATA disks via a C602 SAS controller, apparently because in this situation ATA_QCFLAG_RTF_FILLED is not set. I applied 18676c6aab0863618eb35443e7b8615eea3535a9 from baseline to 6.6.74 and the problem went away. If you need any further information, do not hesitate to contact me (linux user since 0.99.x, but only debugging it once every few years or so...). Regards Christian

3 months

2
1
0 0

[PATCH] hwmon: Use 64-bit arithmetic instead of 32-bit

by Ваторопин Андрей

From: Andrey Vatoropin <a.vatoropin(a)crpt.ru> Add suffix ULL to constant 500 in order to give the compiler complete information about the proper arithmetic to use. Notice that this constant is used in a context that expects an expression of type u64 (64 bits, unsigned). The expression PCC_NUM_RETRIES * pcc_chan->latency, which at preprocessing time translates to pcc_chan->latency; is currently being evaluated using 32-bit arithmetic. This is similar to commit b52f45110502 ("ACPI / CPPC: Use 64-bit arithmetic instead of 32-bit") Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Andrey Vatoropin <a.vatoropin(a)crpt.ru> --- drivers/hwmon/xgene-hwmon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c index 1e3bd129a922..43a08ddb964b 100644 --- a/drivers/hwmon/xgene-hwmon.c +++ b/drivers/hwmon/xgene-hwmon.c @@ -61,7 +61,7 @@ * Arbitrary retries in case the remote processor is slow to respond * to PCC commands */ -#define PCC_NUM_RETRIES 500 +#define PCC_NUM_RETRIES 500ULL #define ASYNC_MSG_FIFO_SIZE 16 #define MBOX_OP_TIMEOUTMS 1000 -- 2.43.0

3 months

1
0
0 0

[PATCH] hwmon: Use 64-bit arithmetic instead of 32-bit

by Ваторопин Андрей

From: Andrey Vatoropin <a.vatoropin(a)crpt.ru> Add suffix ULL to constant 500 in order to give the compiler complete information about the proper arithmetic to use. Notice that this constant is used in a context that expects an expression of type u64 (64 bits, unsigned). The expression PCC_NUM_RETRIES * cppc_ss->latency, which at preprocessing time translates to cppc_ss->latency; is currently being evaluated using 32-bit arithmetic. This is similar to commit b52f45110502 ("ACPI / CPPC: Use 64-bit arithmetic instead of 32-bit") Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Andrey Vatoropin <a.vatoropin(a)crpt.ru> --- drivers/hwmon/xgene-hwmon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c index 1e3bd129a922..43a08ddb964b 100644 --- a/drivers/hwmon/xgene-hwmon.c +++ b/drivers/hwmon/xgene-hwmon.c @@ -61,7 +61,7 @@ * Arbitrary retries in case the remote processor is slow to respond * to PCC commands */ -#define PCC_NUM_RETRIES 500 +#define PCC_NUM_RETRIES 500ULL #define ASYNC_MSG_FIFO_SIZE 16 #define MBOX_OP_TIMEOUTMS 1000 -- 2.43.0

3 months

1
0
0 0

[PATCH v2 mm-hotfixes] mm/zswap: fix inconsistent charging when zswap_store_page() fails

by Hyeonggon Yoo

Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") skips charging any zswapped base pages when it failed to zswap the entire folio. However, when some base pages are zswapped but it failed to zswap the entire folio, the zswap operation is rolled back. When freeing zswap entries for those pages, zswap_entry_free() uncharges the pages that were not previously charged, causing zswap charging to become inconsistent. This inconsistency triggers two warnings with following steps: # On a machine with 64GiB of RAM and 36GiB of zswap $ stress-ng --bigheap 2 # wait until the OOM-killer kills stress-ng $ sudo reboot Two warnings are: in mm/memcontrol.c:163, function obj_cgroup_release(): WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1)); in mm/page_counter.c:60, function page_counter_cancel(): if (WARN_ONCE(new < 0, "page_counter underflow: %ld nr_pages=%lu\n", new, nr_pages)) While objcg events should only be accounted for when the entire folio is zswapped, objcg charging should be performed regardlessly. Fix accordingly. After resolving the inconsistency, these warnings disappear. Fixes: b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") Cc: stable(a)vger.kernel.org Signed-off-by: Hyeonggon Yoo <42.hyeyoo(a)gmail.com> --- v1->v2: Fixed objcg events being accounted for on zswap failure. Fixed the incorrect description. I misunderstood that the base pages are going to be stored in zswap, but their zswap entries are freed immediately. Added a comment on why it charges pages that are going to be removed from zswap. mm/zswap.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index 6504174fbc6a..10b30ac46deb 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -1568,20 +1568,26 @@ bool zswap_store(struct folio *folio) bytes = zswap_store_page(page, objcg, pool); if (bytes < 0) - goto put_pool; + goto charge_zswap; compressed_bytes += bytes; } - if (objcg) { - obj_cgroup_charge_zswap(objcg, compressed_bytes); + if (objcg) count_objcg_events(objcg, ZSWPOUT, nr_pages); - } atomic_long_add(nr_pages, &zswap_stored_pages); count_vm_events(ZSWPOUT, nr_pages); ret = true; +charge_zswap: + /* + * Charge zswapped pages even when it failed to zswap the entire folio, + * because zswap_entry_free() will uncharge them anyway. + * Otherwise zswap charging will become inconsistent. + */ + if (objcg) + obj_cgroup_charge_zswap(objcg, compressed_bytes); put_pool: zswap_pool_put(pool); put_objcg: -- 2.47.1

3 months

3
7
0 0

[PATCH] power: supply: da9150-fg: fix potential overflow

by Ваторопин Андрей

From: Andrey Vatoropin <a.vatoropin(a)crpt.ru> Size of variable sd_gain equals four bytes - DA9150_QIF_SD_GAIN_SIZE. Size of variable shunt_val equals two bytes - DA9150_QIF_SHUNT_VAL_SIZE. The expression sd_gain * shunt_val is currently being evaluated using 32-bit arithmetic. So during the multiplication an overflow may occur. As the value of type 'u64' is used as storage for the eventual result, put ULL variable at the first position of each expression in order to give the compiler complete information about the proper arithmetic to use. According to C99 the guaranteed width for a variable of type 'unsigned long long' >= 64 bits. Remove the explicit cast to u64 as it is meaningless. Just for the sake of consistency, perform the similar trick with another expression concerning 'iavg'. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: a419b4fd9138 ("power: Add support for DA9150 Fuel-Gauge") Signed-off-by: Andrey Vatoropin <a.vatoropin(a)crpt.ru> --- drivers/power/supply/da9150-fg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/power/supply/da9150-fg.c b/drivers/power/supply/da9150-fg.c index 652c1f213af1..63bec706167c 100644 --- a/drivers/power/supply/da9150-fg.c +++ b/drivers/power/supply/da9150-fg.c @@ -247,7 +247,7 @@ static int da9150_fg_current_avg(struct da9150_fg *fg, DA9150_QIF_SD_GAIN_SIZE); da9150_fg_read_sync_end(fg); - div = (u64) (sd_gain * shunt_val * 65536ULL); + div = 65536ULL * sd_gain * shunt_val; do_div(div, 1000000); - res = (u64) (iavg * 1000000ULL); + res = 1000000ULL * iavg; do_div(res, div); -- 2.43.0

3 months

1
0
0 0

[PATCH] RDMA/erdma: Check page size value for erdma

by Ваторопин Андрей

From: Andrey Vatoropin <a.vatoropin(a)crpt.ru> The function ib_umem_find_best_pgsz may return a value of zero. If this occurs, the function ib_umem_num_dma_blocks could attempt to divide by zero, resulting in a division by zero error. To avoid this, please add a check to ensure that the variable is not zero before performing the division. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 6d1782919dc9 ("drm/cma: Introduce drm_gem_cma_dumb_create_internal()") Signed-off-by: Andrey Vatoropin <a.vatoropin(a)crpt.ru> --- drivers/infiniband/hw/erdma/erdma_verbs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c index 51d619edb6c5..7ad38fb84661 100644 --- a/drivers/infiniband/hw/erdma/erdma_verbs.c +++ b/drivers/infiniband/hw/erdma/erdma_verbs.c @@ -781,6 +781,10 @@ static int get_mtt_entries(struct erdma_dev *dev, struct erdma_mem *mem, mem->page_size = ib_umem_find_best_pgsz(mem->umem, req_page_size, virt); + if (!mem->page_size) { + ret = -EINVAL; + goto error_ret; + } mem->page_offset = start & (mem->page_size - 1); mem->mtt_nents = ib_umem_num_dma_blocks(mem->umem, mem->page_size); mem->page_cnt = mem->mtt_nents; mem->mtt = erdma_create_mtt(dev, MTT_SIZE(mem->page_cnt), force_continuous); -- 2.43.0

3 months

1
0
0 0

[PATCH 05/10] drm/amd/display: Fix seamless boot sequence

by Alex Hung

From: Lo-an Chen <lo-an.chen(a)amd.com> [WHY] When the system powers up eDP with external monitors in seamless boot sequence, stutter get enabled before TTU and HUBP registers being programmed, which resulting in underflow. [HOW] Enable TTU in hubp_init. Change the sequence that do not perpare_bandwidth and optimize_bandwidth while having seamless boot streams. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Lo-an Chen <lo-an.chen(a)amd.com> Signed-off-by: Paul Hsieh <paul.hsieh(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- drivers/gpu/drm/amd/display/dc/core/dc.c | 2 +- drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c | 3 ++- drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c | 3 ++- drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c | 3 ++- drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c | 3 ++- drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c | 2 ++ drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c | 2 ++ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 3 ++- 8 files changed, 15 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c index a5f511da1faa..a2b0331ef579 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -2192,7 +2192,7 @@ static enum dc_status dc_commit_state_no_check(struct dc *dc, struct dc_state *c dc_enable_stereo(dc, context, dc_streams, context->stream_count); - if (context->stream_count > get_seamless_boot_stream_count(context) || + if (get_seamless_boot_stream_count(context) == 0 || context->stream_count == 0) { /* Must wait for no flips to be pending before doing optimize bw */ hwss_wait_for_no_pipes_pending(dc, context); diff --git a/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c b/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c index fe741100c0f8..d347bb06577a 100644 --- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c +++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c @@ -129,7 +129,8 @@ bool hubbub3_program_watermarks( REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF); - hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) + hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); return wm_pending; } diff --git a/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c b/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c index 7fb5523f9722..b98505b240a7 100644 --- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c +++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c @@ -750,7 +750,8 @@ static bool hubbub31_program_watermarks( REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF);*/ - hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) + hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); return wm_pending; } diff --git a/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c b/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c index 5264dc26cce1..32a6be543105 100644 --- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c +++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c @@ -786,7 +786,8 @@ static bool hubbub32_program_watermarks( REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF);*/ - hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) + hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); hubbub32_force_usr_retraining_allow(hubbub, hubbub->ctx->dc->debug.force_usr_allow); diff --git a/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c b/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c index 5eb3da8d5206..dce7269959ce 100644 --- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c +++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c @@ -326,7 +326,8 @@ static bool hubbub35_program_watermarks( DCHUBBUB_ARB_MIN_REQ_OUTSTAND_COMMIT_THRESHOLD, 0xA);/*hw delta*/ REG_UPDATE(DCHUBBUB_ARB_HOSTVM_CNTL, DCHUBBUB_ARB_MAX_QOS_COMMIT_THRESHOLD, 0xF); - hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) + hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); hubbub32_force_usr_retraining_allow(hubbub, hubbub->ctx->dc->debug.force_usr_allow); diff --git a/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c b/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c index be0ac613675a..0da70b50e86d 100644 --- a/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c +++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c @@ -500,6 +500,8 @@ void hubp3_init(struct hubp *hubp) //hubp[i].HUBPREQ_DEBUG.HUBPREQ_DEBUG[26] = 1; REG_WRITE(HUBPREQ_DEBUG, 1 << 26); + REG_UPDATE(DCHUBP_CNTL, HUBP_TTU_DISABLE, 0); + hubp_reset(hubp); } diff --git a/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c b/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c index edd37898d550..f3a21c623f44 100644 --- a/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c +++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c @@ -168,6 +168,8 @@ void hubp32_init(struct hubp *hubp) { struct dcn20_hubp *hubp2 = TO_DCN20_HUBP(hubp); REG_WRITE(HUBPREQ_DEBUG_DB, 1 << 8); + + REG_UPDATE(DCHUBP_CNTL, HUBP_TTU_DISABLE, 0); } static struct hubp_funcs dcn32_hubp_funcs = { .hubp_enable_tripleBuffer = hubp2_enable_triplebuffer, diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c index 623cde76debf..b907ad1acedd 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c @@ -236,7 +236,8 @@ void dcn35_init_hw(struct dc *dc) } hws->funcs.init_pipes(dc, dc->current_state); - if (dc->res_pool->hubbub->funcs->allow_self_refresh_control) + if (dc->res_pool->hubbub->funcs->allow_self_refresh_control && + !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter) dc->res_pool->hubbub->funcs->allow_self_refresh_control(dc->res_pool->hubbub, !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter); } -- 2.43.0

3 months

1
0
0 0

[PATCH 05/10] drm/amd/display: Fix seamless boot sequence

by Alex Hung

From: Lo-an Chen <lo-an.chen(a)amd.com> [WHY] When the system powers up eDP with external monitors in seamless boot sequence, stutter get enabled before TTU and HUBP registers being programmed, which resulting in underflow. [HOW] Enable TTU in hubp_init. Change the sequence that do not perpare_bandwidth and optimize_bandwidth while having seamless boot streams. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Lo-an Chen <lo-an.chen(a)amd.com> Signed-off-by: Paul Hsieh <paul.hsieh(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- drivers/gpu/drm/amd/display/dc/core/dc.c | 2 +- drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c | 3 ++- drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c | 3 ++- drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c | 3 ++- drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c | 3 ++- drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c | 2 ++ drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c | 2 ++ drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 3 ++- 8 files changed, 15 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c index a5f511da1faa..a2b0331ef579 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -2192,7 +2192,7 @@ static enum dc_status dc_commit_state_no_check(struct dc *dc, struct dc_state *c dc_enable_stereo(dc, context, dc_streams, context->stream_count); - if (context->stream_count > get_seamless_boot_stream_count(context) || + if (get_seamless_boot_stream_count(context) == 0 || context->stream_count == 0) { /* Must wait for no flips to be pending before doing optimize bw */ hwss_wait_for_no_pipes_pending(dc, context); diff --git a/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c b/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c index fe741100c0f8..d347bb06577a 100644 --- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c +++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn30/dcn30_hubbub.c @@ -129,7 +129,8 @@ bool hubbub3_program_watermarks( REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF); - hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) + hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); return wm_pending; } diff --git a/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c b/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c index 7fb5523f9722..b98505b240a7 100644 --- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c +++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn31/dcn31_hubbub.c @@ -750,7 +750,8 @@ static bool hubbub31_program_watermarks( REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF);*/ - hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) + hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); return wm_pending; } diff --git a/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c b/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c index 5264dc26cce1..32a6be543105 100644 --- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c +++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn32/dcn32_hubbub.c @@ -786,7 +786,8 @@ static bool hubbub32_program_watermarks( REG_UPDATE(DCHUBBUB_ARB_DF_REQ_OUTSTAND, DCHUBBUB_ARB_MIN_REQ_OUTSTAND, 0x1FF);*/ - hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) + hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); hubbub32_force_usr_retraining_allow(hubbub, hubbub->ctx->dc->debug.force_usr_allow); diff --git a/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c b/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c index 5eb3da8d5206..dce7269959ce 100644 --- a/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c +++ b/drivers/gpu/drm/amd/display/dc/hubbub/dcn35/dcn35_hubbub.c @@ -326,7 +326,8 @@ static bool hubbub35_program_watermarks( DCHUBBUB_ARB_MIN_REQ_OUTSTAND_COMMIT_THRESHOLD, 0xA);/*hw delta*/ REG_UPDATE(DCHUBBUB_ARB_HOSTVM_CNTL, DCHUBBUB_ARB_MAX_QOS_COMMIT_THRESHOLD, 0xF); - hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); + if (safe_to_lower || hubbub->ctx->dc->debug.disable_stutter) + hubbub1_allow_self_refresh_control(hubbub, !hubbub->ctx->dc->debug.disable_stutter); hubbub32_force_usr_retraining_allow(hubbub, hubbub->ctx->dc->debug.force_usr_allow); diff --git a/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c b/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c index be0ac613675a..0da70b50e86d 100644 --- a/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c +++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn30/dcn30_hubp.c @@ -500,6 +500,8 @@ void hubp3_init(struct hubp *hubp) //hubp[i].HUBPREQ_DEBUG.HUBPREQ_DEBUG[26] = 1; REG_WRITE(HUBPREQ_DEBUG, 1 << 26); + REG_UPDATE(DCHUBP_CNTL, HUBP_TTU_DISABLE, 0); + hubp_reset(hubp); } diff --git a/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c b/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c index edd37898d550..f3a21c623f44 100644 --- a/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c +++ b/drivers/gpu/drm/amd/display/dc/hubp/dcn32/dcn32_hubp.c @@ -168,6 +168,8 @@ void hubp32_init(struct hubp *hubp) { struct dcn20_hubp *hubp2 = TO_DCN20_HUBP(hubp); REG_WRITE(HUBPREQ_DEBUG_DB, 1 << 8); + + REG_UPDATE(DCHUBP_CNTL, HUBP_TTU_DISABLE, 0); } static struct hubp_funcs dcn32_hubp_funcs = { .hubp_enable_tripleBuffer = hubp2_enable_triplebuffer, diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c index 623cde76debf..b907ad1acedd 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c @@ -236,7 +236,8 @@ void dcn35_init_hw(struct dc *dc) } hws->funcs.init_pipes(dc, dc->current_state); - if (dc->res_pool->hubbub->funcs->allow_self_refresh_control) + if (dc->res_pool->hubbub->funcs->allow_self_refresh_control && + !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter) dc->res_pool->hubbub->funcs->allow_self_refresh_control(dc->res_pool->hubbub, !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter); } -- 2.43.0

3 months

1
0
0 0

[PATCH] s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS

by Nathan Chancellor

GCC changed the default C standard dialect from gnu17 to gnu23, which should not have impacted the kernel because it explicitly requests the gnu11 standard in the main Makefile. However, there are certain places in the s390 code that use their own CFLAGS without a '-std=' value, which break with this dialect change because of the kernel's own definitions of bool, false, and true conflicting with the C23 reserved keywords. include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant 11 | false = 0, | ^~~~~ include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards include/linux/types.h:35:33: error: 'bool' cannot be defined via 'typedef' 35 | typedef _Bool bool; | ^~~~ include/linux/types.h:35:33: note: 'bool' is a keyword with '-std=c23' onwards Add '-std=gnu11' to the decompressor and purgatory CFLAGS to eliminate these errors and make the C standard version of these areas match the rest of the kernel. Cc: stable(a)vger.kernel.org Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- I only see one other error in various files with a recent GCC 15.0.1 snapshot, which I can eliminate by dropping the version part of the condition for CONFIG_GCC_ASM_FLAG_OUTPUT_BROKEN. Is this a regression of the fix for the problem of GCC 14.2.0 or is something else doing on here? arch/s390/include/asm/bitops.h: Assembler messages: arch/s390/include/asm/bitops.h:60: Error: operand 1: syntax error; missing ')' after base register arch/s390/include/asm/bitops.h:60: Error: operand 2: syntax error; ')' not allowed here arch/s390/include/asm/bitops.h:60: Error: junk at end of line: `,4' arch/s390/include/asm/bitops.h:60: Error: operand 1: syntax error; missing ')' after base register arch/s390/include/asm/bitops.h:60: Error: operand 2: syntax error; ')' not allowed here arch/s390/include/asm/bitops.h:60: Error: junk at end of line: `,64' arch/s390/include/asm/bitops.h:60: Error: operand 1: syntax error; missing ')' after base register arch/s390/include/asm/bitops.h:60: Error: operand 2: syntax error; ')' not allowed here arch/s390/include/asm/bitops.h:60: Error: junk at end of line: `,4' make[6]: *** [scripts/Makefile.build:194: fs/gfs2/glock.o] Error 1 --- arch/s390/Makefile | 2 +- arch/s390/purgatory/Makefile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/s390/Makefile b/arch/s390/Makefile index 3f25498dac65..5fae311203c2 100644 --- a/arch/s390/Makefile +++ b/arch/s390/Makefile @@ -22,7 +22,7 @@ KBUILD_AFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -D__ASSEMBLY__ ifndef CONFIG_AS_IS_LLVM KBUILD_AFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO),$(aflags_dwarf)) endif -KBUILD_CFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -O2 -mpacked-stack +KBUILD_CFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -O2 -mpacked-stack -std=gnu11 KBUILD_CFLAGS_DECOMPRESSOR += -DDISABLE_BRANCH_PROFILING -D__NO_FORTIFY KBUILD_CFLAGS_DECOMPRESSOR += -D__DECOMPRESSOR KBUILD_CFLAGS_DECOMPRESSOR += -fno-delete-null-pointer-checks -msoft-float -mbackchain diff --git a/arch/s390/purgatory/Makefile b/arch/s390/purgatory/Makefile index 24eccaa29337..bdcf2a3b6c41 100644 --- a/arch/s390/purgatory/Makefile +++ b/arch/s390/purgatory/Makefile @@ -13,7 +13,7 @@ CFLAGS_sha256.o := -D__DISABLE_EXPORTS -D__NO_FORTIFY $(obj)/mem.o: $(srctree)/arch/s390/lib/mem.S FORCE $(call if_changed_rule,as_o_S) -KBUILD_CFLAGS := -fno-strict-aliasing -Wall -Wstrict-prototypes +KBUILD_CFLAGS := -std=gnu11 -fno-strict-aliasing -Wall -Wstrict-prototypes KBUILD_CFLAGS += -Wno-pointer-sign -Wno-sign-compare KBUILD_CFLAGS += -fno-zero-initialized-in-bss -fno-builtin -ffreestanding KBUILD_CFLAGS += -Os -m64 -msoft-float -fno-common --- base-commit: b2832409e00b6330781458d7db0080508a35a9a8 change-id: 20250122-s390-fix-std-for-gcc-15-0abfa4caf757 Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

3 months

3
6
0 0

[PATCH 6.13.y] scsi: storvsc: Ratelimit warning logs to prevent VM denial of service

by Easwar Hariharan

commit d2138eab8cde61e0e6f62d0713e45202e8457d6d upstream If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM. Closes: https://github.com/microsoft/WSL/issues/9173 Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250107-eahariha-ratelimit-storvsc-v1-1-7fc193d1… Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> --- drivers/scsi/storvsc_drv.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index d0b55c1fa908..b3c588b102d9 100644 --- a/drivers/scsi/storvsc_drv.c +++ b/drivers/scsi/storvsc_drv.c @@ -171,6 +171,12 @@ do { \ dev_warn(&(dev)->device, fmt, ##__VA_ARGS__); \ } while (0) +#define storvsc_log_ratelimited(dev, level, fmt, ...) \ +do { \ + if (do_logging(level)) \ + dev_warn_ratelimited(&(dev)->device, fmt, ##__VA_ARGS__); \ +} while (0) + struct vmscsi_request { u16 length; u8 srb_status; @@ -1177,7 +1183,7 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device, int loglevel = (stor_pkt->vm_srb.cdb[0] == TEST_UNIT_READY) ? STORVSC_LOGGING_WARN : STORVSC_LOGGING_ERROR; - storvsc_log(device, loglevel, + storvsc_log_ratelimited(device, loglevel, "tag#%d cmd 0x%x status: scsi 0x%x srb 0x%x hv 0x%x\n", scsi_cmd_to_rq(request->cmd)->tag, stor_pkt->vm_srb.cdb[0], -- 2.43.0

3 months

2
1
0 0

[PATCH v3 5.10 0/2] net: Backport to fix CVE-2024-56658

by Vasiliy Kovalev

Link: https://www.cve.org/CVERecord/?id=CVE-2024-56658 5.15: https://lore.kernel.org/all/20250115091642.335047-1-kovalev@altlinux.org/ --- v1: https://lore.kernel.org/all/20250115091913.335173-1-kovalev@altlinux.org/ v2: https://lore.kernel.org/all/20250121192730.155559-1-kovalev@altlinux.org/ v3: (Suggested-by [1]: Hazem Mohamed Abuelfotoh <abuehaze(a)amazon.com>) Added a backport of commit 41467d2ff4df ("net: net_namespace: Optimize the code") as a prerequisite for 0f6ede9fbc74 ("net: defer final 'struct net' free in netns dismantle"). [1] https://lore.kernel.org/all/20250127134248.25731-1-abuehaze@amazon.com/ [PATCH v3 5.10 1/2] net: net_namespace: Optimize the code [PATCH v3 5.10 2/2] net: defer final 'struct net' free in netns dismantle

3 months

2
4
0 0

Re: 6.12.10: Regression in Hans' commit 613f2150 leading to excessive sysfs entry recreation?

by Hans Verkuil

On 28/01/2025 09:57, Jens Schmidt wrote: > This is on Debian testing with the following kernel, built from > the tarball on kernel.org: > > Linux sappc1 6.12.10 #4 SMP PREEMPT_DYNAMIC Fri Jan 17 22:17:45 CET 2025 x86_64 GNU/Linux > > More by chance than anything else I noticed this sysfs entry: > > /devices/pci0000:00/0000:00:02.0/rc/rc0/input33 > ^^ > immediately after a reboot. After letting the system run for > a while the file name counter may well be in the thousands. > > I instrumented function drm_dp_cec_attach to dump the values > of the expressions involved in the following test: > > if (aux->cec.adap->capabilities == cec_caps && > aux->cec.adap->available_log_addrs == num_las) { > > The result was that on every call I have > > aux->cec.adap->capabilities == 0b1101111110 > cec_caps == 0b0101111110 > aux->cec.adap->available_log_addrs == 4 > num_las == 4 > > which triggers recreation of the sysfs entry. > > So the capabilities differ in CEC_CAP_REPLY_VENDOR_ID. If I > clear that bit in above test, I am back to normal, getting only > > /devices/pci0000:00/0000:00:02.0/rc/rc0/input1 > > and keeping that throughout the runtime of the system. > > Could this be related to commit > 613f21505b25a4f43f33de00f11afc059bedde2b? Well spotted! Yes, it is related to that commit. I'll take a closer look at this tomorrow since this test against cec_caps needs work. Regards, Hans

3 months

2
1
0 0

[PATCH AUTOSEL 6.13 01/15] media: cxd2841er: fix 64-bit division on gcc-9

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] It appears that do_div() once more gets confused by a complex expression that ends up not quite being constant despite __builtin_constant_p() thinking it is: ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! Use div_u64() instead, forcing the expression to be evaluated first, and making it a bit more readable. Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Reported-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> [hverkuil: added Closes tags] Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c index d925ca24183b5..415f1f91cc307 100644 --- a/drivers/media/dvb-frontends/cxd2841er.c +++ b/drivers/media/dvb-frontends/cxd2841er.c @@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) { - u64 tmp; - - tmp = (u64) ifhz * 16777216; - do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); - - return (u32) tmp; + return div_u64(ifhz * 16777216ull, + (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); } static u32 cxd2841er_calc_iffreq(u32 ifhz) -- 2.39.5

3 months

3
17
0 0

[PATCH] wifi: brcmfmac: use random seed flag for BCM4355 and BCM4364 firmware

by Aditya Garg

From: Aditya Garg <gargaditya08(a)live.com> Before 6.13, random seed to the firmware was given based on the logic whether the device had valid OTP or not, and such devices were found mainly on the T2 and Apple Silicon Macs. In 6.13, the logic was changed, and the device table was used for this purpose, so as to cover the special case of BCM43752 chip. During the transition, the device table for BCM4364 and BCM4355 Wi-Fi chips which had valid OTP was not modified, thus breaking Wi-Fi on these devices. This patch adds does the necessary changes, similar to the ones done for other chips. Fixes: ea11a89c3ac6 ("wifi: brcmfmac: add flag for random seed during firmware download") Cc: stable(a)vger.kernel.org Signed-off-by: Aditya Garg <gargaditya08(a)live.com> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c index e4395b1f8..d2caa80e9 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c @@ -2712,7 +2712,7 @@ static const struct pci_device_id brcmf_pcie_devid_table[] = { BRCMF_PCIE_DEVICE(BRCM_PCIE_4350_DEVICE_ID, WCC), BRCMF_PCIE_DEVICE_SUB(0x4355, BRCM_PCIE_VENDOR_ID_BROADCOM, 0x4355, WCC), BRCMF_PCIE_DEVICE(BRCM_PCIE_4354_RAW_DEVICE_ID, WCC), - BRCMF_PCIE_DEVICE(BRCM_PCIE_4355_DEVICE_ID, WCC), + BRCMF_PCIE_DEVICE(BRCM_PCIE_4355_DEVICE_ID, WCC_SEED), BRCMF_PCIE_DEVICE(BRCM_PCIE_4356_DEVICE_ID, WCC), BRCMF_PCIE_DEVICE(BRCM_PCIE_43567_DEVICE_ID, WCC), BRCMF_PCIE_DEVICE(BRCM_PCIE_43570_DEVICE_ID, WCC), @@ -2723,7 +2723,7 @@ static const struct pci_device_id brcmf_pcie_devid_table[] = { BRCMF_PCIE_DEVICE(BRCM_PCIE_43602_2G_DEVICE_ID, WCC), BRCMF_PCIE_DEVICE(BRCM_PCIE_43602_5G_DEVICE_ID, WCC), BRCMF_PCIE_DEVICE(BRCM_PCIE_43602_RAW_DEVICE_ID, WCC), - BRCMF_PCIE_DEVICE(BRCM_PCIE_4364_DEVICE_ID, WCC), + BRCMF_PCIE_DEVICE(BRCM_PCIE_4364_DEVICE_ID, WCC_SEED), BRCMF_PCIE_DEVICE(BRCM_PCIE_4365_DEVICE_ID, BCA), BRCMF_PCIE_DEVICE(BRCM_PCIE_4365_2G_DEVICE_ID, BCA), BRCMF_PCIE_DEVICE(BRCM_PCIE_4365_5G_DEVICE_ID, BCA), -- 2.39.5 (Apple Git-154)

3 months

3
3
0 0

[PATCH AUTOSEL 5.4] media: cxd2841er: fix 64-bit division on gcc-9

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] It appears that do_div() once more gets confused by a complex expression that ends up not quite being constant despite __builtin_constant_p() thinking it is: ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! Use div_u64() instead, forcing the expression to be evaluated first, and making it a bit more readable. Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Reported-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> [hverkuil: added Closes tags] Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c index 6b495fc36fd0c..51e890554457d 100644 --- a/drivers/media/dvb-frontends/cxd2841er.c +++ b/drivers/media/dvb-frontends/cxd2841er.c @@ -310,12 +310,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) { - u64 tmp; - - tmp = (u64) ifhz * 16777216; - do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); - - return (u32) tmp; + return div_u64(ifhz * 16777216ull, + (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); } static u32 cxd2841er_calc_iffreq(u32 ifhz) -- 2.39.5

3 months

1
0
0 0

[PATCH AUTOSEL 5.10 1/3] media: cxd2841er: fix 64-bit division on gcc-9

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] It appears that do_div() once more gets confused by a complex expression that ends up not quite being constant despite __builtin_constant_p() thinking it is: ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! Use div_u64() instead, forcing the expression to be evaluated first, and making it a bit more readable. Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Reported-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> [hverkuil: added Closes tags] Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c index 493ba8b6b8f62..b2c251135ce1c 100644 --- a/drivers/media/dvb-frontends/cxd2841er.c +++ b/drivers/media/dvb-frontends/cxd2841er.c @@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) { - u64 tmp; - - tmp = (u64) ifhz * 16777216; - do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); - - return (u32) tmp; + return div_u64(ifhz * 16777216ull, + (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); } static u32 cxd2841er_calc_iffreq(u32 ifhz) -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 5.15 1/3] media: cxd2841er: fix 64-bit division on gcc-9

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] It appears that do_div() once more gets confused by a complex expression that ends up not quite being constant despite __builtin_constant_p() thinking it is: ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! Use div_u64() instead, forcing the expression to be evaluated first, and making it a bit more readable. Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Reported-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> [hverkuil: added Closes tags] Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c index e9d1eef40c627..798da50421368 100644 --- a/drivers/media/dvb-frontends/cxd2841er.c +++ b/drivers/media/dvb-frontends/cxd2841er.c @@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) { - u64 tmp; - - tmp = (u64) ifhz * 16777216; - do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); - - return (u32) tmp; + return div_u64(ifhz * 16777216ull, + (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); } static u32 cxd2841er_calc_iffreq(u32 ifhz) -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 6.1 1/5] media: cxd2841er: fix 64-bit division on gcc-9

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] It appears that do_div() once more gets confused by a complex expression that ends up not quite being constant despite __builtin_constant_p() thinking it is: ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! Use div_u64() instead, forcing the expression to be evaluated first, and making it a bit more readable. Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Reported-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> [hverkuil: added Closes tags] Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c index e9d1eef40c627..798da50421368 100644 --- a/drivers/media/dvb-frontends/cxd2841er.c +++ b/drivers/media/dvb-frontends/cxd2841er.c @@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) { - u64 tmp; - - tmp = (u64) ifhz * 16777216; - do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); - - return (u32) tmp; + return div_u64(ifhz * 16777216ull, + (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); } static u32 cxd2841er_calc_iffreq(u32 ifhz) -- 2.39.5

3 months

1
4
0 0

[PATCH AUTOSEL 6.6 01/11] media: cxd2841er: fix 64-bit division on gcc-9

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] It appears that do_div() once more gets confused by a complex expression that ends up not quite being constant despite __builtin_constant_p() thinking it is: ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! Use div_u64() instead, forcing the expression to be evaluated first, and making it a bit more readable. Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Reported-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> [hverkuil: added Closes tags] Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c index d925ca24183b5..415f1f91cc307 100644 --- a/drivers/media/dvb-frontends/cxd2841er.c +++ b/drivers/media/dvb-frontends/cxd2841er.c @@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) { - u64 tmp; - - tmp = (u64) ifhz * 16777216; - do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); - - return (u32) tmp; + return div_u64(ifhz * 16777216ull, + (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); } static u32 cxd2841er_calc_iffreq(u32 ifhz) -- 2.39.5

3 months

1
10
0 0

[PATCH AUTOSEL 6.12 01/12] media: cxd2841er: fix 64-bit division on gcc-9

by Sasha Levin

From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ] It appears that do_div() once more gets confused by a complex expression that ends up not quite being constant despite __builtin_constant_p() thinking it is: ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined! Use div_u64() instead, forcing the expression to be evaluated first, and making it a bit more readable. Cc: Dan Carpenter <dan.carpenter(a)linaro.org> Reported-by: Naresh Kamboju <naresh.kamboju(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Reported-by: Linux Kernel Functional Testing <lkft(a)linaro.org> Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA… Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Hans Verkuil <hverkuil(a)xs4all.nl> [hverkuil: added Closes tags] Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/dvb-frontends/cxd2841er.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c index d925ca24183b5..415f1f91cc307 100644 --- a/drivers/media/dvb-frontends/cxd2841er.c +++ b/drivers/media/dvb-frontends/cxd2841er.c @@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv, static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz) { - u64 tmp; - - tmp = (u64) ifhz * 16777216; - do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000)); - - return (u32) tmp; + return div_u64(ifhz * 16777216ull, + (xtal == SONY_XTAL_24000) ? 48000000 : 41000000); } static u32 cxd2841er_calc_iffreq(u32 ifhz) -- 2.39.5

3 months

1
11
0 0

[PATCH 6.12.y] scsi: storvsc: Ratelimit warning logs to prevent VM denial of service

by Easwar Hariharan

commit d2138eab8cde61e0e6f62d0713e45202e8457d6d upstream If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM. Closes: https://github.com/microsoft/WSL/issues/9173 Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250107-eahariha-ratelimit-storvsc-v1-1-7fc193d1… Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> --- drivers/scsi/storvsc_drv.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index d0b55c1fa908..b3c588b102d9 100644 --- a/drivers/scsi/storvsc_drv.c +++ b/drivers/scsi/storvsc_drv.c @@ -171,6 +171,12 @@ do { \ dev_warn(&(dev)->device, fmt, ##__VA_ARGS__); \ } while (0) +#define storvsc_log_ratelimited(dev, level, fmt, ...) \ +do { \ + if (do_logging(level)) \ + dev_warn_ratelimited(&(dev)->device, fmt, ##__VA_ARGS__); \ +} while (0) + struct vmscsi_request { u16 length; u8 srb_status; @@ -1177,7 +1183,7 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device, int loglevel = (stor_pkt->vm_srb.cdb[0] == TEST_UNIT_READY) ? STORVSC_LOGGING_WARN : STORVSC_LOGGING_ERROR; - storvsc_log(device, loglevel, + storvsc_log_ratelimited(device, loglevel, "tag#%d cmd 0x%x status: scsi 0x%x srb 0x%x hv 0x%x\n", scsi_cmd_to_rq(request->cmd)->tag, stor_pkt->vm_srb.cdb[0], -- 2.43.0

3 months

3
4
0 0

[PATCH] libfs: fix infinite directory reads for offset dir

by ciprietti＠google.com

From: yangerkun <yangerkun(a)huawei.com> [ Upstream commit 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a ] After we switch tmpfs dir operations from simple_dir_operations to simple_offset_dir_operations, every rename happened will fill new dentry to dest dir's maple tree(&SHMEM_I(inode)->dir_offsets->mt) with a free key starting with octx->newx_offset, and then set newx_offset equals to free key + 1. This will lead to infinite readdir combine with rename happened at the same time, which fail generic/736 in xfstests(detail show as below). 1. create 5000 files(1 2 3...) under one dir 2. call readdir(man 3 readdir) once, and get one entry 3. rename(entry, "TEMPFILE"), then rename("TEMPFILE", entry) 4. loop 2~3, until readdir return nothing or we loop too many times(tmpfs break test with the second condition) We choose the same logic what commit 9b378f6ad48cf ("btrfs: fix infinite directory reads") to fix it, record the last_index when we open dir, and do not emit the entry which index >= last_index. The file->private_data now used in offset dir can use directly to do this, and we also update the last_index when we llseek the dir file. Fixes: a2e459555c5f ("shmem: stable directory offsets") Signed-off-by: yangerkun <yangerkun(a)huawei.com> Link: https://lore.kernel.org/r/20240731043835.1828697-1-yangerkun@huawei.com Reviewed-by: Chuck Lever <chuck.lever(a)oracle.com> [brauner: only update last_index after seek when offset is zero like Jan suggested] Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Andrea Ciprietti <ciprietti(a)google.com> --- fs/libfs.c | 39 ++++++++++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 11 deletions(-) diff --git a/fs/libfs.c b/fs/libfs.c index dc0f7519045f..916c39e758b1 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -371,6 +371,15 @@ void simple_offset_destroy(struct offset_ctx *octx) xa_destroy(&octx->xa); } +static int offset_dir_open(struct inode *inode, struct file *file) +{ + struct offset_ctx *ctx = inode->i_op->get_offset_ctx(inode); + unsigned long next_offset = (unsigned long)ctx->next_offset; + + file->private_data = (void *)next_offset; + return 0; +} + /** * offset_dir_llseek - Advance the read position of a directory descriptor * @file: an open directory whose position is to be updated @@ -384,6 +393,9 @@ void simple_offset_destroy(struct offset_ctx *octx) */ static loff_t offset_dir_llseek(struct file *file, loff_t offset, int whence) { + struct inode *inode = file->f_inode; + struct offset_ctx *ctx = inode->i_op->get_offset_ctx(inode); + switch (whence) { case SEEK_CUR: offset += file->f_pos; @@ -397,7 +409,11 @@ static loff_t offset_dir_llseek(struct file *file, loff_t offset, int whence) } /* In this case, ->private_data is protected by f_pos_lock */ - file->private_data = NULL; + if (!offset) { + unsigned long next_offset = (unsigned long)ctx->next_offset; + + file->private_data = (void *)next_offset; + } return vfs_setpos(file, offset, U32_MAX); } @@ -427,7 +443,7 @@ static bool offset_dir_emit(struct dir_context *ctx, struct dentry *dentry) inode->i_ino, fs_umode_to_dtype(inode->i_mode)); } -static void *offset_iterate_dir(struct inode *inode, struct dir_context *ctx) +static void offset_iterate_dir(struct inode *inode, struct dir_context *ctx, long last_index) { struct offset_ctx *so_ctx = inode->i_op->get_offset_ctx(inode); XA_STATE(xas, &so_ctx->xa, ctx->pos); @@ -436,17 +452,21 @@ static void *offset_iterate_dir(struct inode *inode, struct dir_context *ctx) while (true) { dentry = offset_find_next(&xas); if (!dentry) - return ERR_PTR(-ENOENT); + return; + + if (dentry2offset(dentry) >= last_index) { + dput(dentry); + return; + } if (!offset_dir_emit(ctx, dentry)) { dput(dentry); - break; + return; } dput(dentry); ctx->pos = xas.xa_index + 1; } - return NULL; } /** @@ -473,22 +493,19 @@ static void *offset_iterate_dir(struct inode *inode, struct dir_context *ctx) static int offset_readdir(struct file *file, struct dir_context *ctx) { struct dentry *dir = file->f_path.dentry; + long last_index = (long)file->private_data; lockdep_assert_held(&d_inode(dir)->i_rwsem); if (!dir_emit_dots(file, ctx)) return 0; - /* In this case, ->private_data is protected by f_pos_lock */ - if (ctx->pos == 2) - file->private_data = NULL; - else if (file->private_data == ERR_PTR(-ENOENT)) - return 0; - file->private_data = offset_iterate_dir(d_inode(dir), ctx); + offset_iterate_dir(d_inode(dir), ctx, last_index); return 0; } const struct file_operations simple_offset_dir_operations = { + .open = offset_dir_open, .llseek = offset_dir_llseek, .iterate_shared = offset_readdir, .read = generic_read_dir, -- 2.48.1.262.g85cc9f2d1e-goog

3 months

5
5
0 0

[PATCH] ALSA: hda: Fix headset detection failure due to unstable sort

by Kuan-Wei Chiu

The auto_parser assumed sort() was stable, but the kernel's sort() uses heapsort, which has never been stable. After commit 0e02ca29a563 ("lib/sort: optimize heapsort with double-pop variation"), the order of equal elements changed, causing the headset to fail to work. Fix the issue by recording the original order of elements before sorting and using it as a tiebreaker for equal elements in the comparison function. Fixes: b9030a005d58 ("ALSA: hda - Use standard sort function in hda_auto_parser.c") Reported-by: Austrum <austrum.lab(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219158 Tested-by: Austrum <austrum.lab(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> --- sound/pci/hda/hda_auto_parser.c | 8 +++++++- sound/pci/hda/hda_auto_parser.h | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/sound/pci/hda/hda_auto_parser.c b/sound/pci/hda/hda_auto_parser.c index 84393f4f429d..8923813ce424 100644 --- a/sound/pci/hda/hda_auto_parser.c +++ b/sound/pci/hda/hda_auto_parser.c @@ -80,7 +80,11 @@ static int compare_input_type(const void *ap, const void *bp) /* In case one has boost and the other one has not, pick the one with boost first. */ - return (int)(b->has_boost_on_pin - a->has_boost_on_pin); + if (a->has_boost_on_pin != b->has_boost_on_pin) + return (int)(b->has_boost_on_pin - a->has_boost_on_pin); + + /* Keep the original order */ + return a->order - b->order; } /* Reorder the surround channels @@ -400,6 +404,8 @@ int snd_hda_parse_pin_defcfg(struct hda_codec *codec, reorder_outputs(cfg->speaker_outs, cfg->speaker_pins); /* sort inputs in the order of AUTO_PIN_* type */ + for (i = 0; i < cfg->num_inputs; i++) + cfg->inputs[i].order = i; sort(cfg->inputs, cfg->num_inputs, sizeof(cfg->inputs[0]), compare_input_type, NULL); diff --git a/sound/pci/hda/hda_auto_parser.h b/sound/pci/hda/hda_auto_parser.h index 579b11beac71..87af3d8c02f7 100644 --- a/sound/pci/hda/hda_auto_parser.h +++ b/sound/pci/hda/hda_auto_parser.h @@ -37,6 +37,7 @@ struct auto_pin_cfg_item { unsigned int is_headset_mic:1; unsigned int is_headphone_mic:1; /* Mic-only in headphone jack */ unsigned int has_boost_on_pin:1; + int order; }; struct auto_pin_cfg; -- 2.34.1

3 months

2
1
0 0

[PATCH 6.6.y] scsi: storvsc: Ratelimit warning logs to prevent VM denial of service

by Easwar Hariharan

commit d2138eab8cde61e0e6f62d0713e45202e8457d6d upstream If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM. Closes: https://github.com/microsoft/WSL/issues/9173 Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250107-eahariha-ratelimit-storvsc-v1-1-7fc193d1… Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> --- drivers/scsi/storvsc_drv.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index d0b55c1fa908..b3c588b102d9 100644 --- a/drivers/scsi/storvsc_drv.c +++ b/drivers/scsi/storvsc_drv.c @@ -171,6 +171,12 @@ do { \ dev_warn(&(dev)->device, fmt, ##__VA_ARGS__); \ } while (0) +#define storvsc_log_ratelimited(dev, level, fmt, ...) \ +do { \ + if (do_logging(level)) \ + dev_warn_ratelimited(&(dev)->device, fmt, ##__VA_ARGS__); \ +} while (0) + struct vmscsi_request { u16 length; u8 srb_status; @@ -1177,7 +1183,7 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device, int loglevel = (stor_pkt->vm_srb.cdb[0] == TEST_UNIT_READY) ? STORVSC_LOGGING_WARN : STORVSC_LOGGING_ERROR; - storvsc_log(device, loglevel, + storvsc_log_ratelimited(device, loglevel, "tag#%d cmd 0x%x status: scsi 0x%x srb 0x%x hv 0x%x\n", scsi_cmd_to_rq(request->cmd)->tag, stor_pkt->vm_srb.cdb[0], -- 2.43.0

3 months

3
4
0 0

[PATCH v3] drm/i915: Fix page cleanup on DMA remap failure

by Brian Geffon

When converting to folios the cleanup path of shmem_get_pages() was missed. When a DMA remap fails and the max segment size is greater than PAGE_SIZE it will attempt to retry the remap with a PAGE_SIZEd segment size. The cleanup code isn't properly using the folio apis and as a result isn't handling compound pages correctly. v2 -> v3: (Ville) Just use shmem_sg_free_table() as-is in the failure path of shmem_get_pages(). shmem_sg_free_table() will clear mapping unevictable but it will be reset when it retries in shmem_sg_alloc_table(). v1 -> v2: (Ville) Fixed locations where we were not clearing mapping unevictable. Cc: stable(a)vger.kernel.org Cc: Ville Syrjala <ville.syrjala(a)linux.intel.com> Cc: Vidya Srinivas <vidya.srinivas(a)intel.com> Link: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13487 Link: https://lore.kernel.org/lkml/20250116135636.410164-1-bgeffon@google.com/ Fixes: 0b62af28f249 ("i915: convert shmem_sg_free_table() to use a folio_batch") Signed-off-by: Brian Geffon <bgeffon(a)google.com> Suggested-by: Tomasz Figa <tfiga(a)google.com> --- drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c index fe69f2c8527d..ae3343c81a64 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c @@ -209,8 +209,6 @@ static int shmem_get_pages(struct drm_i915_gem_object *obj) struct address_space *mapping = obj->base.filp->f_mapping; unsigned int max_segment = i915_sg_segment_size(i915->drm.dev); struct sg_table *st; - struct sgt_iter sgt_iter; - struct page *page; int ret; /* @@ -239,9 +237,7 @@ static int shmem_get_pages(struct drm_i915_gem_object *obj) * for PAGE_SIZE chunks instead may be helpful. */ if (max_segment > PAGE_SIZE) { - for_each_sgt_page(page, sgt_iter, st) - put_page(page); - sg_free_table(st); + shmem_sg_free_table(st, mapping, false, false); kfree(st); max_segment = PAGE_SIZE; -- 2.48.1.262.g85cc9f2d1e-goog

3 months

4
3
0 0

[PATCH v6.12 hotfix] mm/zswap: fix inconsistent charging when zswap_store_page() fails

by Hyeonggon Yoo

Commit b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") mistakenly skipped charging any zswapped pages when a single call to zswap_store_page() failed, even if some pages in the folio are successfully stored in zswap. Making things worse, these not-charged pages are uncharged in zswap_entry_free(), making zswap charging inconsistent. This inconsistency triggers two warnings when following these steps: # On a machine with 64GiB of RAM and 36GiB of zswap $ stress-ng --bigheap 2 # wait until the OOM-killer kills stress-ng $ sudo reboot Two warnings are: in mm/memcontrol.c:163, function obj_cgroup_release(): WARN_ON_ONCE(nr_bytes & (PAGE_SIZE - 1)); in mm/page_counter.c:60, function page_counter_cancel(): if (WARN_ONCE(new < 0, "page_counter underflow: %ld nr_pages=%lu\n", new, nr_pages)) Charge zswapped pages even if some pages of the folio are not zswapped. After resolving the inconsistency, these warnings disappear. Fixes: b7c0ccdfbafd ("mm: zswap: support large folios in zswap_store()") Cc: stable(a)vger.kernel.org Signed-off-by: Hyeonggon Yoo <42.hyeyoo(a)gmail.com> --- mm/zswap.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/mm/zswap.c b/mm/zswap.c index 6504174fbc6a..92752cd05c75 100644 --- a/mm/zswap.c +++ b/mm/zswap.c @@ -1568,20 +1568,20 @@ bool zswap_store(struct folio *folio) bytes = zswap_store_page(page, objcg, pool); if (bytes < 0) - goto put_pool; + goto charge_zswap; compressed_bytes += bytes; } - if (objcg) { - obj_cgroup_charge_zswap(objcg, compressed_bytes); - count_objcg_events(objcg, ZSWPOUT, nr_pages); - } - atomic_long_add(nr_pages, &zswap_stored_pages); count_vm_events(ZSWPOUT, nr_pages); ret = true; +charge_zswap: + if (objcg) { + obj_cgroup_charge_zswap(objcg, compressed_bytes); + count_objcg_events(objcg, ZSWPOUT, nr_pages); + } put_pool: zswap_pool_put(pool); put_objcg: -- 2.47.1

3 months

5
7
0 0

[PATCH v5 0/7] drm: Add DSI/DP support for Renesas r8a779h0 V4M and grey-hawk board

by Tomi Valkeinen

Add everything needed to support the DSI output on Renesas r8a779h0 (V4M) SoC, and the DP output (via sn65dsi86 DSI to DP bridge) on the Renesas grey-hawk board. Overall the DSI and the board design is almost identical to Renesas r8a779g0 and white-hawk board. Note: the v4 no longer has the dts and the clk patches, as those have been merged to renesas-devel. Signed-off-by: Tomi Valkeinen <tomi.valkeinen+renesas(a)ideasonboard.com> --- Changes in v5: - Add minItems/maxItems to the top level cmms & vsps properties - Drop "minItems: 1" when not needed - Link to v4: https://lore.kernel.org/r/20241213-rcar-gh-dsi-v4-0-f8e41425207b@ideasonboa… Changes in v4: - Dropped patches merged to renesas-devel - Added new patch "dt-bindings: display: renesas,du: Add missing maxItems" to fix the bindings - Add the missing maxItems to "dt-bindings: display: renesas,du: Add r8a779h0" - Link to v3: https://lore.kernel.org/r/20241206-rcar-gh-dsi-v3-0-d74c2166fa15@ideasonboa… Changes in v3: - Update "Write DPTSR only if there are more than one crtc" patch to "Write DPTSR only if the second source exists" - Add Laurent's Rb - Link to v2: https://lore.kernel.org/r/20241205-rcar-gh-dsi-v2-0-42471851df86@ideasonboa… Changes in v2: - Add the DT binding with a new conditional block, so that we can set only the port@0 as required - Drop port@1 from r8a779h0.dtsi (there's no port@1) - Add a new patch to write DPTSR only if num_crtcs > 1 - Drop RCAR_DU_FEATURE_NO_DPTSR (not needed anymore) - Add Cc: stable to the fix, and move it as first patch - Added the tags from reviews - Link to v1: https://lore.kernel.org/r/20241203-rcar-gh-dsi-v1-0-738ae1a95d2a@ideasonboa… --- Tomi Valkeinen (7): drm/rcar-du: dsi: Fix PHY lock bit check drm/rcar-du: Write DPTSR only if the second source exists dt-bindings: display: renesas,du: Add missing constraints dt-bindings: display: renesas,du: Add r8a779h0 dt-bindings: display: bridge: renesas,dsi-csi2-tx: Add r8a779h0 drm/rcar-du: dsi: Add r8a779h0 support drm/rcar-du: Add support for r8a779h0 .../display/bridge/renesas,dsi-csi2-tx.yaml | 1 + .../devicetree/bindings/display/renesas,du.yaml | 67 ++++++++++++++++++++-- drivers/gpu/drm/renesas/rcar-du/rcar_du_drv.c | 18 ++++++ drivers/gpu/drm/renesas/rcar-du/rcar_du_group.c | 24 ++++++-- drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c | 4 +- .../gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h | 1 - 6 files changed, 102 insertions(+), 13 deletions(-) --- base-commit: adc218676eef25575469234709c2d87185ca223a change-id: 20241008-rcar-gh-dsi-9c01f5deeac8 Best regards, -- Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com>

3 months

3
6
0 0

[PATCH 6.1.y] scsi: storvsc: Ratelimit warning logs to prevent VM denial of service

by Easwar Hariharan

commit d2138eab8cde61e0e6f62d0713e45202e8457d6d upstream If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM. Closes: https://github.com/microsoft/WSL/issues/9173 Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20250107-eahariha-ratelimit-storvsc-v1-1-7fc193d1… Reviewed-by: Michael Kelley <mhklinux(a)outlook.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Easwar Hariharan <eahariha(a)linux.microsoft.com> --- drivers/scsi/storvsc_drv.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c index 0685cbe7f0eb..d47adab00f04 100644 --- a/drivers/scsi/storvsc_drv.c +++ b/drivers/scsi/storvsc_drv.c @@ -171,6 +171,12 @@ do { \ dev_warn(&(dev)->device, fmt, ##__VA_ARGS__); \ } while (0) +#define storvsc_log_ratelimited(dev, level, fmt, ...) \ +do { \ + if (do_logging(level)) \ + dev_warn_ratelimited(&(dev)->device, fmt, ##__VA_ARGS__); \ +} while (0) + struct vmscsi_request { u16 length; u8 srb_status; @@ -1168,7 +1174,7 @@ static void storvsc_on_io_completion(struct storvsc_device *stor_device, int loglevel = (stor_pkt->vm_srb.cdb[0] == TEST_UNIT_READY) ? STORVSC_LOGGING_WARN : STORVSC_LOGGING_ERROR; - storvsc_log(device, loglevel, + storvsc_log_ratelimited(device, loglevel, "tag#%d cmd 0x%x status: scsi 0x%x srb 0x%x hv 0x%x\n", scsi_cmd_to_rq(request->cmd)->tag, stor_pkt->vm_srb.cdb[0], -- 2.43.0

3 months

2
1
0 0

[PATCH v2 2/3] misc: pci_endpoint_test: Fix disyplaying irq_type after request_irq error

by Kunihiko Hayashi

There are two variables that indicate the interrupt type to be used in the next test execution, global "irq_type" and test->irq_type. The former is referenced from pci_endpoint_test_get_irq() to preserve the current type for ioctl(PCITEST_GET_IRQTYPE). In pci_endpoint_test_request_irq(), since this global variable is referenced when an error occurs, the unintended error message is displayed. For example, the following message shows "MSI 3" even if the current irq type becomes "MSI-X". # pcitest -i 2 pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3 SET IRQ TYPE TO MSI-X: NOT OKAY Fix this issue by using test->irq_type instead of global "irq_type". Cc: stable(a)vger.kernel.org Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype") Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko(a)socionext.com> --- drivers/misc/pci_endpoint_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/pci_endpoint_test.c b/drivers/misc/pci_endpoint_test.c index 302955c20979..a342587fc78a 100644 --- a/drivers/misc/pci_endpoint_test.c +++ b/drivers/misc/pci_endpoint_test.c @@ -235,7 +235,7 @@ static bool pci_endpoint_test_request_irq(struct pci_endpoint_test *test) return true; fail: - switch (irq_type) { + switch (test->irq_type) { case IRQ_TYPE_INTX: dev_err(dev, "Failed to request IRQ %d for Legacy\n", pci_irq_vector(pdev, i)); -- 2.25.1

3 months

2
1
0 0

Supplier Needed............

by Cesandra Pace

Attention: Sir/Madam, I am Cesandra Pace, a Research Assistant working with Pharma CURE Laboratory Ltd. We are Bio-pharmaceutical Company here in the U.K.I'm looking for a reliable businessman/individual in your region to represent this company in sourcing some of our basic raw materials used for the manufacturing of high quality Anti-Viral Vaccines, Cancer treatment medications and other lifesaving Pharmaceutical Products. When I receive a response from you, I shall divulge to you my intent for your consideration. Best regards, Cesandra Pace Research & Dev Dept- Pharma CURE Laboratory Ltd UK

3 months

1
0
0 0

Supplier Needed............

by Cesandra Pace

Attention: Sir/Madam, I am Cesandra Pace, a Research Assistant working with Pharma CURE Laboratory Ltd. We are Bio-pharmaceutical Company here in the U.K.I'm looking for a reliable businessman/individual in your region to represent this company in sourcing some of our basic raw materials used for the manufacturing of high quality Anti-Viral Vaccines, Cancer treatment medications and other lifesaving Pharmaceutical Products. When I receive a response from you, I shall divulge to you my intent for your consideration. Best regards, Cesandra Pace Research & Dev Dept- Pharma CURE Laboratory Ltd UK

3 months

1
0
0 0

[PATCH v2] xfs: Add error handling for xfs_reflink_cancel_cow_range

by Wentao Liang

In xfs_inactive(), xfs_reflink_cancel_cow_range() is called without error handling, risking unnoticed failures and inconsistent behavior compared to other parts of the code. Fix this issue by adding an error handling for the xfs_reflink_cancel_cow_range(), improving code robustness. Fixes: 6231848c3aa5 ("xfs: check for cow blocks before trying to clear them") Cc: <stable(a)vger.kernel.org> # v4.17 Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- fs/xfs/xfs_inode.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c index c8ad2606f928..1ff514b6c035 100644 --- a/fs/xfs/xfs_inode.c +++ b/fs/xfs/xfs_inode.c @@ -1404,8 +1404,11 @@ xfs_inactive( goto out; /* Try to clean out the cow blocks if there are any. */ - if (xfs_inode_has_cow_data(ip)) - xfs_reflink_cancel_cow_range(ip, 0, NULLFILEOFF, true); + if (xfs_inode_has_cow_data(ip)) { + error = xfs_reflink_cancel_cow_range(ip, 0, NULLFILEOFF, true); + if (error) + goto out; + } if (VFS_I(ip)->i_nlink != 0) { /* -- 2.42.0.windows.2

3 months

2
1
0 0

[PATCH v2] xfs: Propagate errors from xfs_reflink_cancel_cow_range in xfs_dax_write_iomap_end

by Wentao Liang

In xfs_dax_write_iomap_end(), directly return the result of xfs_reflink_cancel_cow_range() when !written, ensuring proper error propagation and improving code robustness. Fixes: ea6c49b784f0 ("xfs: support CoW in fsdax mode") Cc: <stable(a)vger.kernel.org> # v6.0 Reviewed-by: "Darrick J. Wong" <djwong(a)kernel.org> Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn> --- fs/xfs/xfs_iomap.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/fs/xfs/xfs_iomap.c b/fs/xfs/xfs_iomap.c index 50fa3ef89f6c..d61460309a78 100644 --- a/fs/xfs/xfs_iomap.c +++ b/fs/xfs/xfs_iomap.c @@ -976,10 +976,8 @@ xfs_dax_write_iomap_end( if (!xfs_is_cow_inode(ip)) return 0; - if (!written) { - xfs_reflink_cancel_cow_range(ip, pos, length, true); - return 0; - } + if (!written) + return xfs_reflink_cancel_cow_range(ip, pos, length, true); return xfs_reflink_end_cow(ip, pos, written); } -- 2.42.0.windows.2

3 months

2
1
0 0

[PATCH v2] ata: libata-sff: Ensure that we cannot write outside the allocated buffer

by Niklas Cassel

reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer. Cc: stable(a)vger.kernel.org Reported-by: reveliofuzzing <reveliofuzzing(a)gmail.com> Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63… Signed-off-by: Niklas Cassel <cassel(a)kernel.org> --- Changes since v1: -Add stable to Cc. drivers/ata/libata-sff.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c index 67f277e1c3bf..5a46c066abc3 100644 --- a/drivers/ata/libata-sff.c +++ b/drivers/ata/libata-sff.c @@ -601,7 +601,7 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) { struct ata_port *ap = qc->ap; struct page *page; - unsigned int offset; + unsigned int offset, count; if (!qc->cursg) { qc->curbytes = qc->nbytes; @@ -617,25 +617,27 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) page = nth_page(page, (offset >> PAGE_SHIFT)); offset %= PAGE_SIZE; - trace_ata_sff_pio_transfer_data(qc, offset, qc->sect_size); + /* don't overrun current sg */ + count = min(qc->cursg->length - qc->cursg_ofs, qc->sect_size); + + trace_ata_sff_pio_transfer_data(qc, offset, count); /* * Split the transfer when it splits a page boundary. Note that the * split still has to be dword aligned like all ATA data transfers. */ WARN_ON_ONCE(offset % 4); - if (offset + qc->sect_size > PAGE_SIZE) { + if (offset + count > PAGE_SIZE) { unsigned int split_len = PAGE_SIZE - offset; ata_pio_xfer(qc, page, offset, split_len); - ata_pio_xfer(qc, nth_page(page, 1), 0, - qc->sect_size - split_len); + ata_pio_xfer(qc, nth_page(page, 1), 0, count - split_len); } else { - ata_pio_xfer(qc, page, offset, qc->sect_size); + ata_pio_xfer(qc, page, offset, count); } - qc->curbytes += qc->sect_size; - qc->cursg_ofs += qc->sect_size; + qc->curbytes += count; + qc->cursg_ofs += count; if (qc->cursg_ofs == qc->cursg->length) { qc->cursg = sg_next(qc->cursg); -- 2.48.1

3 months

1
1
0 0

[PATCH] arm64: dts: rockchip: Fix broken tsadc pinctrl binding for rk3588

by Alexander Shiyan

There is no pinctrl "gpio" and "otpout" (probably designed as "output") handling in the tsadc driver. Let's use proper binding "default" and "sleep". Fixes: 32641b8ab1a5 ("arm64: dts: rockchip: add rk3588 thermal sensor") Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Shiyan <eagle.alexander923(a)gmail.com> --- arch/arm64/boot/dts/rockchip/rk3588-base.dtsi | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi b/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi index a337f3fb8377..f141065eb69d 100644 --- a/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi @@ -2667,9 +2667,9 @@ tsadc: tsadc@fec00000 { rockchip,hw-tshut-temp = <120000>; rockchip,hw-tshut-mode = <0>; /* tshut mode 0:CRU 1:GPIO */ rockchip,hw-tshut-polarity = <0>; /* tshut polarity 0:LOW 1:HIGH */ - pinctrl-0 = <&tsadc_gpio_func>; - pinctrl-1 = <&tsadc_shut>; - pinctrl-names = "gpio", "otpout"; + pinctrl-0 = <&tsadc_shut>; + pinctrl-1 = <&tsadc_gpio_func>; + pinctrl-names = "default", "sleep"; #thermal-sensor-cells = <1>; status = "disabled"; }; -- 2.39.1

3 months

3
14
0 0

[PATCH v2] clk: renesas: r9a07g043: Fix HP clock source for RZ/Five SoC

by Prabhakar

From: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> According to the Rev.1.20 hardware manual for the RZ/Five SoC, the clock source for HP is derived from PLL6 divided by 2. This patch corrects the implementation by configuring HP as a fixed clock source instead of a MUX. The `CPG_PL6_ETH_SSEL` register, which is available on the RZ/G2UL SoC, is not present on the RZ/Five SoC, necessitating this change. Fixes: 95d48d270305ad2c ("clk: renesas: r9a07g043: Add support for RZ/Five SoC") Cc: stable(a)vger.kernel.org Reported-by: Hien Huynh <hien.huynh.px(a)renesas.com> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> --- v1->v2 - Fixed build warning for non-ARM64 arch, sel_pll6_2 defined but not used. --- drivers/clk/renesas/r9a07g043-cpg.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/clk/renesas/r9a07g043-cpg.c b/drivers/clk/renesas/r9a07g043-cpg.c index b97e9a7b9708..ad712e530328 100644 --- a/drivers/clk/renesas/r9a07g043-cpg.c +++ b/drivers/clk/renesas/r9a07g043-cpg.c @@ -90,7 +90,9 @@ static const struct clk_div_table dtable_1_32[] = { /* Mux clock tables */ static const char * const sel_pll3_3[] = { ".pll3_533", ".pll3_400" }; +#ifdef CONFIG_ARM64 static const char * const sel_pll6_2[] = { ".pll6_250", ".pll5_250" }; +#endif static const char * const sel_sdhi[] = { ".clk_533", ".clk_400", ".clk_266" }; static const u32 mtable_sdhi[] = { 1, 2, 3 }; @@ -138,7 +140,12 @@ static const struct cpg_core_clk r9a07g043_core_clks[] __initconst = { DEF_DIV("P2", R9A07G043_CLK_P2, CLK_PLL3_DIV2_4_2, DIVPL3A, dtable_1_32), DEF_FIXED("M0", R9A07G043_CLK_M0, CLK_PLL3_DIV2_4, 1, 1), DEF_FIXED("ZT", R9A07G043_CLK_ZT, CLK_PLL3_DIV2_4_2, 1, 1), +#ifdef CONFIG_ARM64 DEF_MUX("HP", R9A07G043_CLK_HP, SEL_PLL6_2, sel_pll6_2), +#endif +#ifdef CONFIG_RISCV + DEF_FIXED("HP", R9A07G043_CLK_HP, CLK_PLL6_250, 1, 1), +#endif DEF_FIXED("SPI0", R9A07G043_CLK_SPI0, CLK_DIV_PLL3_C, 1, 2), DEF_FIXED("SPI1", R9A07G043_CLK_SPI1, CLK_DIV_PLL3_C, 1, 4), DEF_SD_MUX("SD0", R9A07G043_CLK_SD0, SEL_SDHI0, SEL_SDHI0_STS, sel_sdhi, -- 2.43.0

3 months

2
1
0 0

[PATCH v3 0/4] Venus driver fixes to avoid possible OOB accesses

by Vikash Garodia

This series primarily adds check at relevant places in venus driver where there are possible OOB accesses due to unexpected payload from venus firmware. The patches describes the specific OOB possibility. Please review and share your feedback. Validated on sc7180(v4), rb5(v6) and db410c(v1). Changes in v3: - update the packet parsing logic in hfi_parser. The utility parsing api now returns the size of data parsed, accordingly the parser adjust the remaining bytes, taking care of OOB scenario as well (Bryan) - Link to v2: https://lore.kernel.org/r/20241128-venus_oob_2-v2-0-483ae0a464b8@quicinc.com Changes in v2: - init_codec to always update with latest payload from firmware (Dmitry/Bryan) - Rewrite the logic of packet parsing to consider payload size for different packet type (Bryan) - Consider reading sfr data till available space (Dmitry) - Add reviewed-by tags - Link to v1: https://lore.kernel.org/all/20241105-venus_oob-v1-0-8d4feedfe2bb@quicinc.co… Signed-off-by: Vikash Garodia <quic_vgarodia(a)quicinc.com> --- Vikash Garodia (4): media: venus: hfi_parser: add check to avoid out of bound access media: venus: hfi_parser: refactor hfi packet parsing logic media: venus: hfi: add check to handle incorrect queue size media: venus: hfi: add a check to handle OOB in sfr region drivers/media/platform/qcom/venus/hfi_parser.c | 94 +++++++++++++++++++------- drivers/media/platform/qcom/venus/hfi_venus.c | 15 +++- 2 files changed, 82 insertions(+), 27 deletions(-) --- base-commit: c7ccf3683ac9746b263b0502255f5ce47f64fe0a change-id: 20241115-venus_oob_2-21708239176a Best regards, -- Vikash Garodia <quic_vgarodia(a)quicinc.com>

3 months

1
4
0 0

[PATCH 1/2] mm/vma: fix gap check for unmapped_area with VM_GROWSDOWN

by Wei Yang

Current unmapped_area() may fail to get the available area. For example, we have a vma range like below: 0123456789abcdef m m A m m Let's assume start_gap is 0x2000 and stack_guard_gap is 0x1000. And now we are looking for free area with size 0x1000 within [0x2000, 0xd000]. The unmapped_area_topdown() could find address at 0x8000, while unmapped_area() fails. In original code before commit 3499a13168da ("mm/mmap: use maple tree for unmapped_area{_topdown}"), the logic is: * find a gap with total length, including alignment * adjust start address with alignment What we do now is: * find a gap with total length, including alignment * adjust start address with alignment * then compare the left range with total length This is not necessary to compare with total length again after start address adjusted. Also, it is not correct to minus 1 here. This may not trigger an issue in real world, since address are usually aligned with page size. Fixes: 58c5d0d6d522 ("mm/mmap: regression fix for unmapped_area{_topdown}") Signed-off-by: Wei Yang <richard.weiyang(a)gmail.com> CC: Liam R. Howlett <Liam.Howlett(a)Oracle.com> CC: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> CC: Vlastimil Babka <vbabka(a)suse.cz> CC: Jann Horn <jannh(a)google.com> CC: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Cc: <stable(a)vger.kernel.org> --- mm/vma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/vma.c b/mm/vma.c index 3f45a245e31b..d82fdbc710b0 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -2668,7 +2668,7 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info) gap += (info->align_offset - gap) & info->align_mask; tmp = vma_next(&vmi); if (tmp && (tmp->vm_flags & VM_STARTGAP_FLAGS)) { /* Avoid prev check if possible */ - if (vm_start_gap(tmp) < gap + length - 1) { + if (vm_start_gap(tmp) < gap + info->length) { low_limit = tmp->vm_end; vma_iter_reset(&vmi); goto retry; -- 2.34.1

3 months

2
3
0 0

[PATCH] drivers/hv: select PCI_HYPERV if PCI is enabled

by Hamza Mahfooz

We should select PCI_HYPERV here, otherwise it's possible for devices to not show up as expected, at least not in an orderly manner. Cc: stable(a)vger.kernel.org Cc: Wei Liu <wei.liu(a)kernel.org> Signed-off-by: Hamza Mahfooz <hamzamahfooz(a)linux.microsoft.com> --- drivers/hv/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig index 862c47b191af..6ee75b3f0fa6 100644 --- a/drivers/hv/Kconfig +++ b/drivers/hv/Kconfig @@ -9,6 +9,7 @@ config HYPERV select PARAVIRT select X86_HV_CALLBACK_VECTOR if X86 select OF_EARLY_FLATTREE if OF + select PCI_HYPERV if PCI help Select this option to run Linux as a Hyper-V client operating system. -- 2.47.1

3 months

3
5
0 0

[PATCH] hwmon: (peci/dimmtemp) Do not provide fake thresholds data

by Paul Fertser

When an Icelake or Sapphire Rapids CPU isn't providing the maximum and critical thresholds for particular DIMM the driver should return an error to the userspace instead of giving it stale (best case) or wrong (the structure contains all zeros after kzalloc() call) data. The issue can be reproduced by binding the peci driver while the host is fully booted and idle, this makes PECI interaction unreliable enough. Fixes: 73bc1b885dae ("hwmon: peci: Add dimmtemp driver") Fixes: 621995b6d795 ("hwmon: (peci/dimmtemp) Add Sapphire Rapids support") Cc: stable(a)vger.kernel.org Signed-off-by: Paul Fertser <fercerpav(a)gmail.com> --- drivers/hwmon/peci/dimmtemp.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/hwmon/peci/dimmtemp.c b/drivers/hwmon/peci/dimmtemp.c index d6762259dd69..fbe82d9852e0 100644 --- a/drivers/hwmon/peci/dimmtemp.c +++ b/drivers/hwmon/peci/dimmtemp.c @@ -127,8 +127,6 @@ static int update_thresholds(struct peci_dimmtemp *priv, int dimm_no) return 0; ret = priv->gen_info->read_thresholds(priv, dimm_order, chan_rank, &data); - if (ret == -ENODATA) /* Use default or previous value */ - return 0; if (ret) return ret; @@ -509,11 +507,11 @@ read_thresholds_icx(struct peci_dimmtemp *priv, int dimm_order, int chan_rank, u ret = peci_ep_pci_local_read(priv->peci_dev, 0, 13, 0, 2, 0xd4, &reg_val); if (ret || !(reg_val & BIT(31))) - return -ENODATA; /* Use default or previous value */ + return -ENODATA; ret = peci_ep_pci_local_read(priv->peci_dev, 0, 13, 0, 2, 0xd0, &reg_val); if (ret) - return -ENODATA; /* Use default or previous value */ + return -ENODATA; /* * Device 26, Offset 224e0: IMC 0 channel 0 -> rank 0 @@ -546,11 +544,11 @@ read_thresholds_spr(struct peci_dimmtemp *priv, int dimm_order, int chan_rank, u ret = peci_ep_pci_local_read(priv->peci_dev, 0, 30, 0, 2, 0xd4, &reg_val); if (ret || !(reg_val & BIT(31))) - return -ENODATA; /* Use default or previous value */ + return -ENODATA; ret = peci_ep_pci_local_read(priv->peci_dev, 0, 30, 0, 2, 0xd0, &reg_val); if (ret) - return -ENODATA; /* Use default or previous value */ + return -ENODATA; /* * Device 26, Offset 219a8: IMC 0 channel 0 -> rank 0 -- 2.34.1

3 months

3
7
0 0

[PATCH 02/20] perf/x86/intel: Fix ARCH_PERFMON_NUM_COUNTER_LEAF

by Dapeng Mi

From: Kan Liang <kan.liang(a)linux.intel.com> The EAX of the CPUID Leaf 023H enumerates the mask of valid sub-leaves. To tell the availability of the sub-leaf 1 (enumerate the counter mask), perf should check the bit 1 (0x2) of EAS, rather than bit 0 (0x1). The error is not user-visible on bare metal. Because the sub-leaf 0 and the sub-leaf 1 are always available. However, it may bring issues in a virtualization environment when a VMM only enumerates the sub-leaf 0. Fixes: eb467aaac21e ("perf/x86/intel: Support Architectural PerfMon Extension leaf") Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- arch/x86/events/intel/core.c | 4 ++-- arch/x86/include/asm/perf_event.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c index 5e8521a54474..12eb96219740 100644 --- a/arch/x86/events/intel/core.c +++ b/arch/x86/events/intel/core.c @@ -4966,8 +4966,8 @@ static void update_pmu_cap(struct x86_hybrid_pmu *pmu) if (ebx & ARCH_PERFMON_EXT_EQ) pmu->config_mask |= ARCH_PERFMON_EVENTSEL_EQ; - if (sub_bitmaps & ARCH_PERFMON_NUM_COUNTER_LEAF_BIT) { - cpuid_count(ARCH_PERFMON_EXT_LEAF, ARCH_PERFMON_NUM_COUNTER_LEAF, + if (sub_bitmaps & ARCH_PERFMON_NUM_COUNTER_LEAF) { + cpuid_count(ARCH_PERFMON_EXT_LEAF, ARCH_PERFMON_NUM_COUNTER_LEAF_BIT, &eax, &ebx, &ecx, &edx); pmu->cntr_mask64 = eax; pmu->fixed_cntr_mask64 = ebx; diff --git a/arch/x86/include/asm/perf_event.h b/arch/x86/include/asm/perf_event.h index adaeb8ca3a8a..71e2ae021374 100644 --- a/arch/x86/include/asm/perf_event.h +++ b/arch/x86/include/asm/perf_event.h @@ -197,7 +197,7 @@ union cpuid10_edx { #define ARCH_PERFMON_EXT_UMASK2 0x1 #define ARCH_PERFMON_EXT_EQ 0x2 #define ARCH_PERFMON_NUM_COUNTER_LEAF_BIT 0x1 -#define ARCH_PERFMON_NUM_COUNTER_LEAF 0x1 +#define ARCH_PERFMON_NUM_COUNTER_LEAF BIT(ARCH_PERFMON_NUM_COUNTER_LEAF_BIT) /* * Intel Architectural LBR CPUID detection/enumeration details: -- 2.40.1

3 months

3
4
0 0

[PATCH net 0/3] mptcp: fixes addressing syzbot reports

by Matthieu Baerts (NGI0)

Recently, a few issues linked to MPTCP have been reported by syzbot. All the remaining ones are addressed in this series. - Patch 1: Address "KMSAN: uninit-value in mptcp_incoming_options (2)". A fix for v5.11. - Patch 2: Address "WARNING in mptcp_pm_nl_set_flags (2)". A fix for v5.18. - Patch 3: Address "WARNING in __mptcp_clean_una (2)". A fix for v6.4, backported up to v6.1. Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- Matthieu Baerts (NGI0) (1): mptcp: pm: only set fullmesh for subflow endp Paolo Abeni (2): mptcp: consolidate suboption status mptcp: handle fastopen disconnect correctly net/mptcp/options.c | 13 +++++-------- net/mptcp/pm_netlink.c | 3 ++- net/mptcp/protocol.c | 4 +++- net/mptcp/protocol.h | 30 ++++++++++++++++-------------- 4 files changed, 26 insertions(+), 24 deletions(-) --- base-commit: 15a901361ec3fb1c393f91880e1cbf24ec0a88bd change-id: 20250123-net-mptcp-syzbot-issues-ffdbbb9b85d7 Best regards, -- Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

3 months

2
4
0 0

+ kfence-skip-__gfp_thisnode-allocations-on-numa-systems.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kfence: skip __GFP_THISNODE allocations on NUMA systems has been added to the -mm mm-hotfixes-unstable branch. Its filename is kfence-skip-__gfp_thisnode-allocations-on-numa-systems.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Marco Elver <elver(a)google.com> Subject: kfence: skip __GFP_THISNODE allocations on NUMA systems Date: Fri, 24 Jan 2025 13:01:38 +0100 On NUMA systems, __GFP_THISNODE indicates that an allocation _must_ be on a particular node, and failure to allocate on the desired node will result in a failed allocation. Skip __GFP_THISNODE allocations if we are running on a NUMA system, since KFENCE can't guarantee which node its pool pages are allocated on. Link: https://lkml.kernel.org/r/20250124120145.410066-1-elver@google.com Fixes: 236e9f153852 ("kfence: skip all GFP_ZONEMASK allocations") Signed-off-by: Marco Elver <elver(a)google.com> Reported-by: Vlastimil Babka <vbabka(a)suse.cz> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Christoph Lameter <cl(a)linux.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Chistoph Lameter <cl(a)linux.com> Cc: Dmitriy Vyukov <dvyukov(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kfence/core.c | 2 ++ 1 file changed, 2 insertions(+) --- a/mm/kfence/core.c~kfence-skip-__gfp_thisnode-allocations-on-numa-systems +++ a/mm/kfence/core.c @@ -21,6 +21,7 @@ #include <linux/log2.h> #include <linux/memblock.h> #include <linux/moduleparam.h> +#include <linux/nodemask.h> #include <linux/notifier.h> #include <linux/panic_notifier.h> #include <linux/random.h> @@ -1084,6 +1085,7 @@ void *__kfence_alloc(struct kmem_cache * * properties (e.g. reside in DMAable memory). */ if ((flags & GFP_ZONEMASK) || + ((flags & __GFP_THISNODE) && num_online_nodes() > 1) || (s->flags & (SLAB_CACHE_DMA | SLAB_CACHE_DMA32))) { atomic_long_inc(&counters[KFENCE_COUNTER_SKIP_INCOMPAT]); return NULL; _ Patches currently in -mm which might be from elver(a)google.com are kfence-skip-__gfp_thisnode-allocations-on-numa-systems.patch

3 months

1
0
0 0

+ nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix possible int overflows in nilfs_fiemap() has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Subject: nilfs2: fix possible int overflows in nilfs_fiemap() Date: Sat, 25 Jan 2025 07:20:53 +0900 Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result by being prepared to go through potentially maxblocks == INT_MAX blocks, the value in n may experience an overflow caused by left shift of blkbits. While it is extremely unlikely to occur, play it safe and cast right hand expression to wider type to mitigate the issue. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com Fixes: 622daaff0a89 ("nilfs2: fiemap support") Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/inode.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/fs/nilfs2/inode.c~nilfs2-fix-possible-int-overflows-in-nilfs_fiemap +++ a/fs/nilfs2/inode.c @@ -1186,7 +1186,7 @@ int nilfs_fiemap(struct inode *inode, st if (size) { if (phys && blkphy << blkbits == phys + size) { /* The current extent goes on */ - size += n << blkbits; + size += (u64)n << blkbits; } else { /* Terminate the current extent */ ret = fiemap_fill_next_extent( @@ -1199,14 +1199,14 @@ int nilfs_fiemap(struct inode *inode, st flags = FIEMAP_EXTENT_MERGED; logical = blkoff << blkbits; phys = blkphy << blkbits; - size = n << blkbits; + size = (u64)n << blkbits; } } else { /* Start a new extent */ flags = FIEMAP_EXTENT_MERGED; logical = blkoff << blkbits; phys = blkphy << blkbits; - size = n << blkbits; + size = (u64)n << blkbits; } blkoff += n; } _ Patches currently in -mm which might be from n.zhandarovich(a)fintech.ru are nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch

3 months

1
0
0 0

[PATCH RESEND net] ptp: Ensure info->enable callback is always set

by Thomas Weißschuh

The ioctl and sysfs handlers unconditionally call the ->enable callback. Not all drivers implement that callback, leading to NULL dereferences. Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c. Instead use a dummy callback if no better was specified by the driver. Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- drivers/ptp/ptp_clock.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c index b932425ddc6a3789504164a69d1b8eba47da462c..35a5994bf64f6373c08269d63aaeac3f4ab31ff0 100644 --- a/drivers/ptp/ptp_clock.c +++ b/drivers/ptp/ptp_clock.c @@ -217,6 +217,11 @@ static int ptp_getcycles64(struct ptp_clock_info *info, struct timespec64 *ts) return info->gettime64(info, ts); } +static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on) +{ + return -EOPNOTSUPP; +} + static void ptp_aux_kworker(struct kthread_work *work) { struct ptp_clock *ptp = container_of(work, struct ptp_clock, @@ -294,6 +299,9 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info, ptp->info->getcrosscycles = ptp->info->getcrosststamp; } + if (!ptp->info->enable) + ptp->info->enable = ptp_enable; + if (ptp->info->do_aux_work) { kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker); ptp->kworker = kthread_run_worker(0, "ptp%d", ptp->index); --- base-commit: c4b9570cfb63501638db720f3bee9f6dfd044b82 change-id: 20250122-ptp-enable-831339c62428 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

3 months

4
4
0 0

[PATCH v2] drm/i915: Fix page cleanup on DMA remap failure

by Brian Geffon

When converting to folios the cleanup path of shmem_get_pages() was missed. When a DMA remap fails and the max segment size is greater than PAGE_SIZE it will attempt to retry the remap with a PAGE_SIZEd segment size. The cleanup code isn't properly using the folio apis and as a result isn't handling compound pages correctly. v1 -> v2: (Ville) Fixed locations where we were not clearing mapping unevictable. Cc: stable(a)vger.kernel.org Cc: Ville Syrjala <ville.syrjala(a)linux.intel.com> Cc: Vidya Srinivas <vidya.srinivas(a)intel.com> Link: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13487 Link: https://lore.kernel.org/lkml/20250116135636.410164-1-bgeffon@google.com/ Fixes: 0b62af28f249 ("i915: convert shmem_sg_free_table() to use a folio_batch") Signed-off-by: Brian Geffon <bgeffon(a)google.com> Suggested-by: Tomasz Figa <tfiga(a)google.com> --- drivers/gpu/drm/i915/gem/i915_gem_object.h | 3 +-- drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 23 +++++++++------------- drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 7 ++++--- 3 files changed, 14 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_object.h b/drivers/gpu/drm/i915/gem/i915_gem_object.h index 3dc61cbd2e11..0f122a12d4a5 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_object.h +++ b/drivers/gpu/drm/i915/gem/i915_gem_object.h @@ -843,8 +843,7 @@ int shmem_sg_alloc_table(struct drm_i915_private *i915, struct sg_table *st, size_t size, struct intel_memory_region *mr, struct address_space *mapping, unsigned int max_segment); -void shmem_sg_free_table(struct sg_table *st, struct address_space *mapping, - bool dirty, bool backup); +void shmem_sg_free_table(struct sg_table *st, bool dirty, bool backup); void __shmem_writeback(size_t size, struct address_space *mapping); #ifdef CONFIG_MMU_NOTIFIER diff --git a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c index fe69f2c8527d..b320d9dfd6d3 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_shmem.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_shmem.c @@ -29,16 +29,13 @@ static void check_release_folio_batch(struct folio_batch *fbatch) cond_resched(); } -void shmem_sg_free_table(struct sg_table *st, struct address_space *mapping, - bool dirty, bool backup) +void shmem_sg_free_table(struct sg_table *st, bool dirty, bool backup) { struct sgt_iter sgt_iter; struct folio_batch fbatch; struct folio *last = NULL; struct page *page; - mapping_clear_unevictable(mapping); - folio_batch_init(&fbatch); for_each_sgt_page(page, sgt_iter, st) { struct folio *folio = page_folio(page); @@ -180,10 +177,10 @@ int shmem_sg_alloc_table(struct drm_i915_private *i915, struct sg_table *st, return 0; err_sg: sg_mark_end(sg); + mapping_clear_unevictable(mapping); if (sg != st->sgl) { - shmem_sg_free_table(st, mapping, false, false); + shmem_sg_free_table(st, false, false); } else { - mapping_clear_unevictable(mapping); sg_free_table(st); } @@ -209,8 +206,6 @@ static int shmem_get_pages(struct drm_i915_gem_object *obj) struct address_space *mapping = obj->base.filp->f_mapping; unsigned int max_segment = i915_sg_segment_size(i915->drm.dev); struct sg_table *st; - struct sgt_iter sgt_iter; - struct page *page; int ret; /* @@ -239,9 +234,8 @@ static int shmem_get_pages(struct drm_i915_gem_object *obj) * for PAGE_SIZE chunks instead may be helpful. */ if (max_segment > PAGE_SIZE) { - for_each_sgt_page(page, sgt_iter, st) - put_page(page); - sg_free_table(st); + /* Leave the mapping unevictable while we retry */ + shmem_sg_free_table(st, false, false); kfree(st); max_segment = PAGE_SIZE; @@ -265,7 +259,8 @@ static int shmem_get_pages(struct drm_i915_gem_object *obj) return 0; err_pages: - shmem_sg_free_table(st, mapping, false, false); + mapping_clear_unevictable(mapping); + shmem_sg_free_table(st, false, false); /* * shmemfs first checks if there is enough memory to allocate the page * and reports ENOSPC should there be insufficient, along with the usual @@ -402,8 +397,8 @@ void i915_gem_object_put_pages_shmem(struct drm_i915_gem_object *obj, struct sg_ if (i915_gem_object_needs_bit17_swizzle(obj)) i915_gem_object_save_bit_17_swizzle(obj, pages); - shmem_sg_free_table(pages, file_inode(obj->base.filp)->i_mapping, - obj->mm.dirty, obj->mm.madv == I915_MADV_WILLNEED); + mapping_clear_unevictable(file_inode(obj->base.filp)->i_mapping); + shmem_sg_free_table(pages, obj->mm.dirty, obj->mm.madv == I915_MADV_WILLNEED); kfree(pages); obj->mm.dirty = false; } diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c index 10d8673641f7..37f51a04b838 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c @@ -232,7 +232,8 @@ static int i915_ttm_tt_shmem_populate(struct ttm_device *bdev, return 0; err_free_st: - shmem_sg_free_table(st, filp->f_mapping, false, false); + mapping_clear_unevictable(filp->f_mapping); + shmem_sg_free_table(st, false, false); return err; } @@ -243,8 +244,8 @@ static void i915_ttm_tt_shmem_unpopulate(struct ttm_tt *ttm) bool backup = ttm->page_flags & TTM_TT_FLAG_SWAPPED; struct sg_table *st = &i915_tt->cached_rsgt.table; - shmem_sg_free_table(st, file_inode(i915_tt->filp)->i_mapping, - backup, backup); + mapping_clear_unevictable(file_inode(i915_tt->filp)->i_mapping); + shmem_sg_free_table(st, backup, backup); } static void i915_ttm_tt_release(struct kref *ref) -- 2.48.0.rc2.279.g1de40edade-goog

3 months

3
5
0 0

[PATCH 1/2] drm/xe/devcoredump: Move exec queue snapshot to Contexts section

by Lucas De Marchi

Having the exec queue snapshot inside a "GuC CT" section was always wrong. Commit c28fd6c358db ("drm/xe/devcoredump: Improve section headings and add tile info") tried to fix that bug, but with that also broke the mesa tool that parses the devcoredump, hence it was reverted in commit 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool"). With the mesa tool also fixed, this can propagate as a fix on both kernel and userspace side to avoid unnecessary headache for a debug feature. Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Julia Filipchuk <julia.filipchuk(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_devcoredump.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c index 81dc7795c0651..a7946a76777e7 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.c +++ b/drivers/gpu/drm/xe/xe_devcoredump.c @@ -119,11 +119,7 @@ static ssize_t __xe_devcoredump_read(char *buffer, size_t count, drm_puts(&p, "\n**** GuC CT ****\n"); xe_guc_ct_snapshot_print(ss->guc.ct, &p); - /* - * Don't add a new section header here because the mesa debug decoder - * tool expects the context information to be in the 'GuC CT' section. - */ - /* drm_puts(&p, "\n**** Contexts ****\n"); */ + drm_puts(&p, "\n**** Contexts ****\n"); xe_guc_exec_queue_snapshot_print(ss->ge, &p); drm_puts(&p, "\n**** Job ****\n"); -- 2.48.0

3 months

2
6
0 0

[PATCH v2 1/2] drm/xe: Fix and re-enable xe_print_blob_ascii85()

by José Roberto de Souza

From: Lucas De Marchi <lucas.demarchi(a)intel.com> Commit 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") partially reverted some changes to workaround breakage caused to mesa tools. However, in doing so it also broke fetching the GuC log via debugfs since xe_print_blob_ascii85() simply bails out. The fix is to avoid the extra newlines: the devcoredump interface is line-oriented and adding random newlines in the middle breaks it. If a tool is able to parse it by looking at the data and checking for chars that are out of the ascii85 space, it can still do so. A format change that breaks the line-oriented output on devcoredump however needs better coordination with existing tools. v2: - added suffix description comment Reviewed-by: José Roberto de Souza <jose.souza(a)intel.com> Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Julia Filipchuk <julia.filipchuk(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") Fixes: ec1455ce7e35 ("drm/xe/devcoredump: Add ASCII85 dump helper function") Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_devcoredump.c | 33 +++++++++++------------------ drivers/gpu/drm/xe/xe_devcoredump.h | 2 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 ++- drivers/gpu/drm/xe/xe_guc_log.c | 4 +++- 4 files changed, 18 insertions(+), 24 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c index 81dc7795c0651..6f73b1ba0f2aa 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.c +++ b/drivers/gpu/drm/xe/xe_devcoredump.c @@ -395,42 +395,33 @@ int xe_devcoredump_init(struct xe_device *xe) /** * xe_print_blob_ascii85 - print a BLOB to some useful location in ASCII85 * - * The output is split to multiple lines because some print targets, e.g. dmesg - * cannot handle arbitrarily long lines. Note also that printing to dmesg in - * piece-meal fashion is not possible, each separate call to drm_puts() has a - * line-feed automatically added! Therefore, the entire output line must be - * constructed in a local buffer first, then printed in one atomic output call. + * The output is split to multiple print calls because some print targets, e.g. + * dmesg cannot handle arbitrarily long lines. These targets may add newline + * between calls. * * There is also a scheduler yield call to prevent the 'task has been stuck for * 120s' kernel hang check feature from firing when printing to a slow target * such as dmesg over a serial port. * - * TODO: Add compression prior to the ASCII85 encoding to shrink huge buffers down. - * * @p: the printer object to output to * @prefix: optional prefix to add to output string + * @suffix: optional suffix to add at the end. 0 disables it and is + * not added to the output, which is useful when using multiple calls + * to dump data to @p * @blob: the Binary Large OBject to dump out * @offset: offset in bytes to skip from the front of the BLOB, must be a multiple of sizeof(u32) * @size: the size in bytes of the BLOB, must be a multiple of sizeof(u32) */ -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size) { const u32 *blob32 = (const u32 *)blob; char buff[ASCII85_BUFSZ], *line_buff; size_t line_pos = 0; - /* - * Splitting blobs across multiple lines is not compatible with the mesa - * debug decoder tool. Note that even dropping the explicit '\n' below - * doesn't help because the GuC log is so big some underlying implementation - * still splits the lines at 512K characters. So just bail completely for - * the moment. - */ - return; - #define DMESG_MAX_LINE_LEN 800 -#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\n\0" */ + /* Always leave space for the suffix char and the \0 */ +#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "<suffix>\0" */ if (size & 3) drm_printf(p, "Size not word aligned: %zu", size); @@ -462,7 +453,6 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, line_pos += strlen(line_buff + line_pos); if ((line_pos + MIN_SPACE) >= DMESG_MAX_LINE_LEN) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; drm_puts(p, line_buff); @@ -474,10 +464,11 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, } } + if (suffix) + line_buff[line_pos++] = suffix; + if (line_pos) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; - drm_puts(p, line_buff); } diff --git a/drivers/gpu/drm/xe/xe_devcoredump.h b/drivers/gpu/drm/xe/xe_devcoredump.h index 6a17e6d601022..5391a80a4d1ba 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.h +++ b/drivers/gpu/drm/xe/xe_devcoredump.h @@ -29,7 +29,7 @@ static inline int xe_devcoredump_init(struct xe_device *xe) } #endif -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size); #endif diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c index 8b65c5e959cc2..50c8076b51585 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct.c +++ b/drivers/gpu/drm/xe/xe_guc_ct.c @@ -1724,7 +1724,8 @@ void xe_guc_ct_snapshot_print(struct xe_guc_ct_snapshot *snapshot, snapshot->g2h_outstanding); if (snapshot->ctb) - xe_print_blob_ascii85(p, "CTB data", snapshot->ctb, 0, snapshot->ctb_size); + xe_print_blob_ascii85(p, "CTB data", '\n', + snapshot->ctb, 0, snapshot->ctb_size); } else { drm_puts(p, "CT disabled\n"); } diff --git a/drivers/gpu/drm/xe/xe_guc_log.c b/drivers/gpu/drm/xe/xe_guc_log.c index 80151ff6a71f8..44482ea919924 100644 --- a/drivers/gpu/drm/xe/xe_guc_log.c +++ b/drivers/gpu/drm/xe/xe_guc_log.c @@ -207,8 +207,10 @@ void xe_guc_log_snapshot_print(struct xe_guc_log_snapshot *snapshot, struct drm_ remain = snapshot->size; for (i = 0; i < snapshot->num_chunks; i++) { size_t size = min(GUC_LOG_CHUNK_SIZE, remain); + const char *prefix = i ? NULL : "Log data"; + char suffix = i == snapshot->num_chunks - 1 ? '\n' : 0; - xe_print_blob_ascii85(p, i ? NULL : "Log data", snapshot->copy[i], 0, size); + xe_print_blob_ascii85(p, prefix, suffix, snapshot->copy[i], 0, size); remain -= size; } } -- 2.48.1

3 months

3
3
0 0

+ mm-kmemleak-fix-upper-boundary-check-for-physical-address-objects.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: kmemleak: fix upper boundary check for physical address objects has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-kmemleak-fix-upper-boundary-check-for-physical-address-objects.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Catalin Marinas <catalin.marinas(a)arm.com> Subject: mm: kmemleak: fix upper boundary check for physical address objects Date: Mon, 27 Jan 2025 18:42:33 +0000 Memblock allocations are registered by kmemleak separately, based on their physical address. During the scanning stage, it checks whether an object is within the min_low_pfn and max_low_pfn boundaries and ignores it otherwise. With the recent addition of __percpu pointer leak detection (commit 6c99d4eb7c5e ("kmemleak: enable tracking for percpu pointers")), kmemleak started reporting leaks in setup_zone_pageset() and setup_per_cpu_pageset(). These were caused by the node_data[0] object (initialised in alloc_node_data()) ending on the PFN_PHYS(max_low_pfn) boundary. The non-strict upper boundary check introduced by commit 84c326299191 ("mm: kmemleak: check physical address when scan") causes the pg_data_t object to be ignored (not scanned) and the __percpu pointers it contains to be reported as leaks. Make the max_low_pfn upper boundary check strict when deciding whether to ignore a physical address object and not scan it. Link: https://lkml.kernel.org/r/20250127184233.2974311-1-catalin.marinas@arm.com Fixes: 84c326299191 ("mm: kmemleak: check physical address when scan") Signed-off-by: Catalin Marinas <catalin.marinas(a)arm.com> Reported-by: Jakub Kicinski <kuba(a)kernel.org> Tested-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Cc: Patrick Wang <patrick.wang.shcn(a)gmail.com> Cc: <stable(a)vger.kernel.org> [6.0.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kmemleak.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/kmemleak.c~mm-kmemleak-fix-upper-boundary-check-for-physical-address-objects +++ a/mm/kmemleak.c @@ -1689,7 +1689,7 @@ static void kmemleak_scan(void) unsigned long phys = object->pointer; if (PHYS_PFN(phys) < min_low_pfn || - PHYS_PFN(phys + object->size) >= max_low_pfn) + PHYS_PFN(phys + object->size) > max_low_pfn) __paint_it(object, KMEMLEAK_BLACK); } _ Patches currently in -mm which might be from catalin.marinas(a)arm.com are mm-kmemleak-fix-upper-boundary-check-for-physical-address-objects.patch

3 months

1
0
0 0

[PATCH] Revert "mmc: sdhci_am654: Add sdhci_am654_start_signal_voltage_switch"

by Josua Mayer

This reverts commit 941a7abd4666912b84ab209396fdb54b0dae685d. This commit uses presence of device-tree properties vmmc-supply and vqmmc-supply for deciding whether to enable a quirk affecting timing of clock and data. The intention was to address issues observed with eMMC and SD on AM62 platforms. This new quirk is however also enabled for AM64 breaking microSD access on the SolidRun HimmingBoard-T which is supported in-tree since v6.11, causing a regression. During boot microSD initialization now fails with the error below: [ 2.008520] mmc1: SDHCI controller on fa00000.mmc [fa00000.mmc] using ADMA 64-bit [ 2.115348] mmc1: error -110 whilst initialising SD card The heuristics for enabling the quirk are clearly not correct as they break at least one but potentially many existing boards. Revert the change and restore original behaviour until a more appropriate method of selecting the quirk is derived. Fixes: <941a7abd4666> ("mtd: spi-nor: core: replace dummy buswidth from addr to data") Closes: https://lore.kernel.org/linux-mmc/a70fc9fc-186f-4165-a652-3de50733763a@soli… Cc: stable(a)vger.kernel.org # 6.13 Signed-off-by: Josua Mayer <josua(a)solid-run.com> --- drivers/mmc/host/sdhci_am654.c | 30 ------------------------------ 1 file changed, 30 deletions(-) diff --git a/drivers/mmc/host/sdhci_am654.c b/drivers/mmc/host/sdhci_am654.c index b73f673db92bbc042392995e715815e15ace6005..f75c31815ab00d17b5757063521f56ba5643babe 100644 --- a/drivers/mmc/host/sdhci_am654.c +++ b/drivers/mmc/host/sdhci_am654.c @@ -155,7 +155,6 @@ struct sdhci_am654_data { u32 tuning_loop; #define SDHCI_AM654_QUIRK_FORCE_CDTEST BIT(0) -#define SDHCI_AM654_QUIRK_SUPPRESS_V1P8_ENA BIT(1) }; struct window { @@ -357,29 +356,6 @@ static void sdhci_j721e_4bit_set_clock(struct sdhci_host *host, sdhci_set_clock(host, clock); } -static int sdhci_am654_start_signal_voltage_switch(struct mmc_host *mmc, struct mmc_ios *ios) -{ - struct sdhci_host *host = mmc_priv(mmc); - struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); - struct sdhci_am654_data *sdhci_am654 = sdhci_pltfm_priv(pltfm_host); - int ret; - - if ((sdhci_am654->quirks & SDHCI_AM654_QUIRK_SUPPRESS_V1P8_ENA) && - ios->signal_voltage == MMC_SIGNAL_VOLTAGE_180) { - if (!IS_ERR(mmc->supply.vqmmc)) { - ret = mmc_regulator_set_vqmmc(mmc, ios); - if (ret < 0) { - pr_err("%s: Switching to 1.8V signalling voltage failed,\n", - mmc_hostname(mmc)); - return -EIO; - } - } - return 0; - } - - return sdhci_start_signal_voltage_switch(mmc, ios); -} - static u8 sdhci_am654_write_power_on(struct sdhci_host *host, u8 val, int reg) { writeb(val, host->ioaddr + reg); @@ -868,11 +844,6 @@ static int sdhci_am654_get_of_property(struct platform_device *pdev, if (device_property_read_bool(dev, "ti,fails-without-test-cd")) sdhci_am654->quirks |= SDHCI_AM654_QUIRK_FORCE_CDTEST; - /* Suppress v1p8 ena for eMMC and SD with vqmmc supply */ - if (!!of_parse_phandle(dev->of_node, "vmmc-supply", 0) == - !!of_parse_phandle(dev->of_node, "vqmmc-supply", 0)) - sdhci_am654->quirks |= SDHCI_AM654_QUIRK_SUPPRESS_V1P8_ENA; - sdhci_get_of_property(pdev); return 0; @@ -969,7 +940,6 @@ static int sdhci_am654_probe(struct platform_device *pdev) goto err_pltfm_free; } - host->mmc_host_ops.start_signal_voltage_switch = sdhci_am654_start_signal_voltage_switch; host->mmc_host_ops.execute_tuning = sdhci_am654_execute_tuning; pm_runtime_get_noresume(dev); --- base-commit: ffd294d346d185b70e28b1a28abe367bbfe53c04 change-id: 20250127-am654-mmc-regression-ed289f8967c2 Best regards, -- Josua Mayer <josua(a)solid-run.com>

3 months

3
4
0 0

[PATCH] seccomp: passthrough uretprobe systemcall without filtering

by Eyal Birger

When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe. The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they only allow a specific set of known syscalls. This is true for other userspace applications which use seccomp to control their syscall surface. Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, it is impractical and there's very little point in forcing all userspace applications to explicitly allow it in order to avoid crashing tracked processes. Pass this systemcall through seccomp without depending on configuration. Fixes: ff474a78cef5 ("uprobe: Add uretprobe syscall to speed up return probe") Reported-by: Rafael Buchbinder <rafi(a)rbk.io> Link: https://lore.kernel.org/lkml/CAHsH6Gs3Eh8DFU0wq58c_LF8A4_+o6z456J7BidmcVY2A… Cc: stable(a)vger.kernel.org Signed-off-by: Eyal Birger <eyal.birger(a)gmail.com> --- The following reproduction script synthetically demonstrates the problem: cat > /tmp/x.c << EOF char *syscalls[] = { "write", "exit_group", "fstat", }; __attribute__((noinline)) int probed(void) { printf("Probed\n"); return 1; } void apply_seccomp_filter(char **syscalls, int num_syscalls) { scmp_filter_ctx ctx; ctx = seccomp_init(SCMP_ACT_KILL); for (int i = 0; i < num_syscalls; i++) { seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_syscall_resolve_name(syscalls[i]), 0); } seccomp_load(ctx); seccomp_release(ctx); } int main(int argc, char *argv[]) { int num_syscalls = sizeof(syscalls) / sizeof(syscalls[0]); apply_seccomp_filter(syscalls, num_syscalls); probed(); return 0; } EOF cat > /tmp/trace.bt << EOF uretprobe:/tmp/x:probed { printf("ret=%d\n", retval); } EOF gcc -o /tmp/x /tmp/x.c -lseccomp /usr/bin/bpftrace /tmp/trace.bt & sleep 5 # wait for uretprobe attach /tmp/x pkill bpftrace rm /tmp/x /tmp/x.c /tmp/trace.bt --- kernel/seccomp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 385d48293a5f..10a55c9b5c18 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -1359,6 +1359,11 @@ int __secure_computing(const struct seccomp_data *sd) this_syscall = sd ? sd->nr : syscall_get_nr(current, current_pt_regs()); +#ifdef CONFIG_X86_64 + if (unlikely(this_syscall == __NR_uretprobe) && !in_ia32_syscall()) + return 0; +#endif + switch (mode) { case SECCOMP_MODE_STRICT: __secure_computing_strict(this_syscall); /* may call do_exit */ -- 2.43.0

3 months

10
34
0 0

[PATCH v2 0/2] Allow non-coherent video capture buffers on Rockchip ISP V1

by Mikhail Rudenko

This small series adds support for non-coherent video capture buffers on Rockchip ISP V1. Patch 1 fixes cache management for dmabuf's allocated by dma-contig allocator. Patch 2 allows non-coherent allocations on the rkisp1 capture queue. Some timing measurements are provided in the commit message of patch 2. Signed-off-by: Mikhail Rudenko <mike.rudenko(a)gmail.com> --- Changes in v2: - Fix vb2_dc_dmabuf_ops_{begin,end}_cpu_access() for non-coherent buffers. - Add cache management timing information to patch 2 commit message. - Link to v1: https://lore.kernel.org/r/20250102-b4-rkisp-noncoherent-v1-1-bba164f7132c@g… --- Mikhail Rudenko (2): media: videobuf2: Fix dmabuf cache sync/flush in dma-contig media: rkisp1: Allow non-coherent video capture buffers drivers/media/common/videobuf2/videobuf2-dma-contig.c | 14 ++++++++++++++ drivers/media/platform/rockchip/rkisp1/rkisp1-capture.c | 1 + 2 files changed, 15 insertions(+) --- base-commit: 94794b5ce4d90ab134b0b101a02fddf6e74c437d change-id: 20241231-b4-rkisp-noncoherent-ad6e7c7a68ba Best regards, -- Mikhail Rudenko <mike.rudenko(a)gmail.com>

3 months

2
3
0 0

[PATCH] acpi: nfit: fix narrowing conversion in acpi_nfit_ctl

by Murad Masimov

Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary bus families can be translated". This warning is emited if the argument is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first verifies that a user-provided value call_pkg->nd_family of type u64 is not equal to 0. Then the value is converted to int, and only after that is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while the lower 32 bits are zero. All checks of the input value should be applied to the original variable call_pkg->nd_family. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 6450ddbd5d8e ("ACPI: NFIT: Define runtime firmware activation commands") Cc: stable(a)vger.kernel.org Reported-by: syzbot+c80d8dc0d9fa81a3cd8c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c80d8dc0d9fa81a3cd8c Signed-off-by: Murad Masimov <m.masimov(a)mt-integration.ru> --- drivers/acpi/nfit/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c index a5d47819b3a4..ae035b93da08 100644 --- a/drivers/acpi/nfit/core.c +++ b/drivers/acpi/nfit/core.c @@ -485,7 +485,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm, cmd_mask = nd_desc->cmd_mask; if (cmd == ND_CMD_CALL && call_pkg->nd_family) { family = call_pkg->nd_family; - if (family > NVDIMM_BUS_FAMILY_MAX || + if (call_pkg->nd_family > NVDIMM_BUS_FAMILY_MAX || !test_bit(family, &nd_desc->bus_family_mask)) return -EINVAL; family = array_index_nospec(family, -- 2.39.2

3 months

4
5
0 0

[PATCH v2] irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured to fire FIQ

by Nick Chan

The CPU PMU in Apple SoCs can be configured to fire its interrupt in one of several ways, and since Apple A11 one of the method is FIQ. Only handle the PMC interrupt as a FIQ when the CPU PMU has been configured to fire FIQs. Cc: stable(a)vger.kernel.org Fixes: c7708816c944 ("irqchip/apple-aic: Wire PMU interrupts") Signed-off-by: Nick Chan <towinchenmi(a)gmail.com> --- Changes in v2: Fix the conditional to have the intented behavior of evaluating to true only when both PMCR0_IMODE is PMCR0_IMODE_FIQ and PMCR0_IACT is set by reverting the conditional to how it is before c7708816c944. Link to v1: https://lore.kernel.org/asahi/20250117170227.45243-1-towinchenmi@gmail.com/T - Nick Chan drivers/irqchip/irq-apple-aic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-apple-aic.c b/drivers/irqchip/irq-apple-aic.c index da5250f0155c..2b1684c60e3c 100644 --- a/drivers/irqchip/irq-apple-aic.c +++ b/drivers/irqchip/irq-apple-aic.c @@ -577,7 +577,8 @@ static void __exception_irq_entry aic_handle_fiq(struct pt_regs *regs) AIC_FIQ_HWIRQ(AIC_TMR_EL02_VIRT)); } - if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & PMCR0_IACT) { + if ((read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & (PMCR0_IMODE | PMCR0_IACT)) == + (FIELD_PREP(PMCR0_IMODE, PMCR0_IMODE_FIQ) | PMCR0_IACT)) { int irq; if (cpumask_test_cpu(smp_processor_id(), &aic_irqc->fiq_aff[AIC_CPU_PMU_P]->aff)) base-commit: 40384c840ea1944d7c5a392e8975ed088ecf0b37 -- 2.48.1

3 months

2
1
0 0

[PATCH 01/11] drm/i915: Make sure all planes in use by the joiner have their crtc included

by Ville Syrjala

From: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Any active plane needs to have its crtc included in the atomic state. For planes enabled via uapi that is all handler in the core. But when we use a plane for joiner the uapi code things the plane is disabled and therefore doesn't have a crtc. So we need to pull those in by hand. We do it first thing in intel_joiner_add_affected_crtcs() so that any newly added crtc will subsequently pull in all of its joined crtcs as well. The symptoms from failing to do this are: - duct tape in the form of commit 1d5b09f8daf8 ("drm/i915: Fix NULL ptr deref by checking new_crtc_state") - the plane's hw state will get overwritten by the disabled uapi state if it can't find the uapi counterpart plane in the atomic state from where it should copy the correct state Cc: stable(a)vger.kernel.org Signed-off-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> --- drivers/gpu/drm/i915/display/intel_display.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c index 7d68d652c1bc..2b31c8f4b7cd 100644 --- a/drivers/gpu/drm/i915/display/intel_display.c +++ b/drivers/gpu/drm/i915/display/intel_display.c @@ -6682,12 +6682,30 @@ static int intel_async_flip_check_hw(struct intel_atomic_state *state, struct in static int intel_joiner_add_affected_crtcs(struct intel_atomic_state *state) { struct drm_i915_private *i915 = to_i915(state->base.dev); + const struct intel_plane_state *plane_state; struct intel_crtc_state *crtc_state; + struct intel_plane *plane; struct intel_crtc *crtc; u8 affected_pipes = 0; u8 modeset_pipes = 0; int i; + /* + * Any plane which is in use by the joiner needs its crtc. + * Pull those in first as this will not have happened yet + * if the plane remains disabled according to uapi. + */ + for_each_new_intel_plane_in_state(state, plane, plane_state, i) { + crtc = to_intel_crtc(plane_state->hw.crtc); + if (!crtc) + continue; + + crtc_state = intel_atomic_get_crtc_state(&state->base, crtc); + if (IS_ERR(crtc_state)) + return PTR_ERR(crtc_state); + } + + /* Now pull in all joined crtcs */ for_each_new_intel_crtc_in_state(state, crtc, crtc_state, i) { affected_pipes |= crtc_state->joiner_pipes; if (intel_crtc_needs_modeset(crtc_state)) -- 2.45.3

3 months

1
0
0 0

[PATCH v5 -next 09/11] PCI: brcmstb: Fix for missing of_node_put

by Stanimir Varbanov

A call to of_parse_phandle() increments refcount, of_node_put must be called when done the work on it. Fix missing of_node_put() on the msi_np device node by using scope based of_node_put() cleanups. Cc: stable(a)vger.kernel.org # v5.10+ Fixes: 40ca1bf580ef ("PCI: brcmstb: Add MSI support") Signed-off-by: Stanimir Varbanov <svarbanov(a)suse.de> --- v4 -> v5: - New patch in the series. drivers/pci/controller/pcie-brcmstb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c index 744fe1a4cf9c..546056f7f0d3 100644 --- a/drivers/pci/controller/pcie-brcmstb.c +++ b/drivers/pci/controller/pcie-brcmstb.c @@ -1844,7 +1844,8 @@ static struct pci_ops brcm7425_pcie_ops = { static int brcm_pcie_probe(struct platform_device *pdev) { - struct device_node *np = pdev->dev.of_node, *msi_np; + struct device_node *msi_np __free(device_node) = NULL; + struct device_node *np = pdev->dev.of_node; struct pci_host_bridge *bridge; const struct pcie_cfg_data *data; struct brcm_pcie *pcie; -- 2.47.0

3 months

2
3
0 0

[PATCH] clk: renesas: r9a07g043: Fix HP clock source for RZ/Five SoC

by Prabhakar

From: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> According to the Rev.1.20 hardware manual for the RZ/Five SoC, the clock source for HP is derived from PLL6 divided by 2. This patch corrects the implementation by configuring HP as a fixed clock source instead of a MUX. The `CPG_PL6_ETH_SSEL` register, which is available on the RZ/G2UL SoC, is not present on the RZ/Five SoC, necessitating this change. Fixes: 95d48d270305ad2c ("clk: renesas: r9a07g043: Add support for RZ/Five SoC") Cc: stable(a)vger.kernel.org Reported-by: Hien Huynh <hien.huynh.px(a)renesas.com> Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> --- drivers/clk/renesas/r9a07g043-cpg.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/clk/renesas/r9a07g043-cpg.c b/drivers/clk/renesas/r9a07g043-cpg.c index b97e9a7b9708..da5aa015790c 100644 --- a/drivers/clk/renesas/r9a07g043-cpg.c +++ b/drivers/clk/renesas/r9a07g043-cpg.c @@ -138,7 +138,11 @@ static const struct cpg_core_clk r9a07g043_core_clks[] __initconst = { DEF_DIV("P2", R9A07G043_CLK_P2, CLK_PLL3_DIV2_4_2, DIVPL3A, dtable_1_32), DEF_FIXED("M0", R9A07G043_CLK_M0, CLK_PLL3_DIV2_4, 1, 1), DEF_FIXED("ZT", R9A07G043_CLK_ZT, CLK_PLL3_DIV2_4_2, 1, 1), +#ifdef CONFIG_ARM64 DEF_MUX("HP", R9A07G043_CLK_HP, SEL_PLL6_2, sel_pll6_2), +#else + DEF_FIXED("HP", R9A07G043_CLK_HP, CLK_PLL6_250, 1, 1), +#endif DEF_FIXED("SPI0", R9A07G043_CLK_SPI0, CLK_DIV_PLL3_C, 1, 2), DEF_FIXED("SPI1", R9A07G043_CLK_SPI1, CLK_DIV_PLL3_C, 1, 4), DEF_SD_MUX("SD0", R9A07G043_CLK_SD0, SEL_SDHI0, SEL_SDHI0_STS, sel_sdhi, -- 2.43.0

3 months

3
2
0 0

[PATCH] drm/ast: astdp: Fix timeout for enabling video signal

by Thomas Zimmermann

The ASTDP transmitter sometimes takes up to second for enabling the video signal, while the timeout is only 200 msec. This results in a kernel error message. Increase the timeout to 1 second. An example of the error message is shown below. [ 697.084433] ------------[ cut here ]------------ [ 697.091115] ast 0000:02:00.0: [drm] drm_WARN_ON(!__ast_dp_wait_enable(ast, enabled)) [ 697.091233] WARNING: CPU: 1 PID: 160 at drivers/gpu/drm/ast/ast_dp.c:232 ast_dp_set_enable+0x123/0x140 [ast] [...] [ 697.272469] RIP: 0010:ast_dp_set_enable+0x123/0x140 [ast] [...] [ 697.415283] Call Trace: [ 697.420727] <TASK> [ 697.425908] ? show_trace_log_lvl+0x196/0x2c0 [ 697.433304] ? show_trace_log_lvl+0x196/0x2c0 [ 697.440693] ? drm_atomic_helper_commit_modeset_enables+0x30a/0x470 [ 697.450115] ? ast_dp_set_enable+0x123/0x140 [ast] [ 697.458059] ? __warn.cold+0xaf/0xca [ 697.464713] ? ast_dp_set_enable+0x123/0x140 [ast] [ 697.472633] ? report_bug+0x134/0x1d0 [ 697.479544] ? handle_bug+0x58/0x90 [ 697.486127] ? exc_invalid_op+0x13/0x40 [ 697.492975] ? asm_exc_invalid_op+0x16/0x20 [ 697.500224] ? preempt_count_sub+0x14/0xc0 [ 697.507473] ? ast_dp_set_enable+0x123/0x140 [ast] [ 697.515377] ? ast_dp_set_enable+0x123/0x140 [ast] [ 697.523227] drm_atomic_helper_commit_modeset_enables+0x30a/0x470 [ 697.532388] drm_atomic_helper_commit_tail+0x58/0x90 [ 697.540400] ast_mode_config_helper_atomic_commit_tail+0x30/0x40 [ast] [ 697.550009] commit_tail+0xfe/0x1d0 [ 697.556547] drm_atomic_helper_commit+0x198/0x1c0 This is a cosmetical problem. Enabling the video signal still works even with the error message. The problem has always been present, but only recent versions of the ast driver warn about missing the timeout. Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: 4e29cc7c5c67 ("drm/ast: astdp: Replace ast_dp_set_on_off()") Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Jocelyn Falempe <jfalempe(a)redhat.com> Cc: Dave Airlie <airlied(a)redhat.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.13+ --- drivers/gpu/drm/ast/ast_dp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/ast/ast_dp.c b/drivers/gpu/drm/ast/ast_dp.c index 30aad5c0112a1..2d7482a65f62a 100644 --- a/drivers/gpu/drm/ast/ast_dp.c +++ b/drivers/gpu/drm/ast/ast_dp.c @@ -201,7 +201,7 @@ static bool __ast_dp_wait_enable(struct ast_device *ast, bool enabled) if (enabled) vgacrdf_test |= AST_IO_VGACRDF_DP_VIDEO_ENABLE; - for (i = 0; i < 200; ++i) { + for (i = 0; i < 1000; ++i) { if (i) mdelay(1); vgacrdf = ast_get_index_reg_mask(ast, AST_IO_VGACRI, 0xdf, -- 2.48.1

3 months

2
1
0 0

[PATCH v2 5.10] net: defer final 'struct net' free in netns dismantle

by Vasiliy Kovalev

From: Eric Dumazet <edumazet(a)google.com> commit 0f6ede9fbc747e2553612271bce108f7517e7a45 upstream. Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. See a relevant issue fixed in : ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) </IRQ> <TASK> asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) </TASK> Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4)) ksys_unshare (kernel/fork.c:3313) __x64_sys_unshare (kernel/fork.c:3382) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Dec 03 05:46:18 kernel: Freed by task 11: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) kasan_save_free_info (mm/kasan/generic.c:582) __kasan_slab_free (mm/kasan/common.c:271) kmem_cache_free (mm/slub.c:4579 mm/slub.c:4681) cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:647) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391) kthread (kernel/kthread.c:389) ret_from_fork (arch/x86/kernel/process.c:147) ret_from_fork_asm (arch/x86/entry/entry_64.S:257) Dec 03 05:46:18 kernel: Last potentially related work creation: kasan_save_stack (mm/kasan/common.c:48) __kasan_record_aux_stack (mm/kasan/generic.c:541) insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) __queue_work (kernel/workqueue.c:2340) queue_work_on (kernel/workqueue.c:2391) xfrm_policy_insert (net/xfrm/xfrm_policy.c:1610) xfrm_add_policy (net/xfrm/xfrm_user.c:2116) xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) netlink_rcv_skb (net/netlink/af_netlink.c:2536) xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) netlink_sendmsg (net/netlink/af_netlink.c:1886) sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) vfs_write (fs/read_write.c:590 fs/read_write.c:683) ksys_write (fs/read_write.c:736) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Dec 03 05:46:18 kernel: Second to last potentially related work creation: kasan_save_stack (mm/kasan/common.c:48) __kasan_record_aux_stack (mm/kasan/generic.c:541) insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186) __queue_work (kernel/workqueue.c:2340) queue_work_on (kernel/workqueue.c:2391) __xfrm_state_insert (./include/linux/workqueue.h:723 net/xfrm/xfrm_state.c:1150 net/xfrm/xfrm_state.c:1145 net/xfrm/xfrm_state.c:1513) xfrm_state_update (./include/linux/spinlock.h:396 net/xfrm/xfrm_state.c:1940) xfrm_add_sa (net/xfrm/xfrm_user.c:912) xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321) netlink_rcv_skb (net/netlink/af_netlink.c:2536) xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344) netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342) netlink_sendmsg (net/netlink/af_netlink.c:1886) sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165) vfs_write (fs/read_write.c:590 fs/read_write.c:683) ksys_write (fs/read_write.c:736) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fixes: a8a572a6b5f2 ("xfrm: dst_entries_init() per-net dst_ops") Reported-by: Ilya Maximets <i.maximets(a)ovn.org> Closes: https://lore.kernel.org/netdev/CANn89iKKYDVpB=MtmfH7nyv2p=rJWSLedO5k7wSZgtY… Signed-off-by: Eric Dumazet <edumazet(a)google.com> Acked-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Kuniyuki Iwashima <kuniyu(a)amazon.com> Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Vasiliy Kovalev <kovalev(a)altlinux.org> --- Backport to fix CVE-2024-56658 Link: https://www.cve.org/CVERecord/?id=CVE-2024-56658 --- v2: replace `net_drop_ns()` with `net_free()` to fix UAF: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x155/0x290 Call Trace: ? __warn+0xe7/0x1f0 ? refcount_warn_saturate+0x155/0x290 ? report_bug+0x1c1/0x210 ? handle_bug+0x38/0x90 ? __warn_printk+0xcb/0xfc ? exc_invalid_op+0x14/0x50 ? asm_exc_invalid_op+0x12/0x20 ? vprintk_func+0x98/0x140 ? refcount_warn_saturate+0x155/0x290 net_drop_ns.part.0+0xcf/0x130 cleanup_net+0x655/0x970 ? ops_free_list.part.0+0x4a0/0x4a0 ? _raw_spin_unlock_irq+0x24/0x80 ? lockdep_hardirqs_on_prepare+0x2b3/0x430 process_one_work+0x9ad/0x14e0 ? pwq_dec_nr_in_flight+0x300/0x300 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x622/0x1320 ? process_one_work+0x14e0/0x14e0 kthread+0x3ae/0x4a0 ? _raw_spin_unlock_irq+0x24/0x80 ? __kthread_bind_mask+0xc0/0xc0 ret_from_fork+0x1f/0x30 --- include/net/net_namespace.h | 1 + net/core/net_namespace.c | 27 ++++++++++++++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index eb0e7731f3b1c8..df95d553923937 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -80,6 +80,7 @@ struct net { * or to unregister pernet ops * (pernet_ops_rwsem write locked). */ + struct llist_node defer_free_list; struct llist_node cleanup_list; /* namespaces on death row */ #ifdef CONFIG_KEYS diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c index 6192a05ebcce2c..842637744ad690 100644 --- a/net/core/net_namespace.c +++ b/net/core/net_namespace.c @@ -452,10 +452,29 @@ static struct net *net_alloc(void) goto out; } +static LLIST_HEAD(defer_free_list); + +static void net_complete_free(void) +{ + struct llist_node *kill_list; + struct net *net, *next; + + /* Get the list of namespaces to free from last round. */ + kill_list = llist_del_all(&defer_free_list); + + llist_for_each_entry_safe(net, next, kill_list, defer_free_list) + kmem_cache_free(net_cachep, net); + +} + static void net_free(struct net *net) { - kfree(rcu_access_pointer(net->gen)); - kmem_cache_free(net_cachep, net); + if (refcount_dec_and_test(&net->passive)) { + kfree(rcu_access_pointer(net->gen)); + + /* Wait for an extra rcu_barrier() before final free. */ + llist_add(&net->defer_free_list, &defer_free_list); + } } void net_drop_ns(void *p) @@ -628,6 +647,8 @@ static void cleanup_net(struct work_struct *work) */ rcu_barrier(); + net_complete_free(); + /* Finally it is safe to free my network namespace structure */ list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) { list_del_init(&net->exit_list); @@ -636,7 +657,7 @@ static void cleanup_net(struct work_struct *work) key_remove_domain(net->key_domain); #endif put_user_ns(net->user_ns); - net_drop_ns(net); + net_free(net); } } -- 2.33.8

3 months

2
1
0 0

[PATCH] drm/gem: overflow in calculating DMA GEM size

by Ваторопин Андрей

From: Andrey Vatoropin <a.vatoropin(a)crpt.ru> Size of variable args->pitch equals four bytes. Size of variable args->height equals four bytes. The expression args->pitch * args->height is currently being evaluated using 32-bit arithmetic. During multiplication, an overflow may occur. Above the expression args->pitch * args->height there is a check for its minimum value. However, if args->pitch has a value greater than this minimum, that check is insufficient. Since a value of type 'u64' is used to store the eventual result, cast the first variable of each expression to 'u64' to provide the compiler with complete information about the appropriate arithmetic to use. This is similar to commit 0f8f8a643000 ("drm/i915/gem: Detect overflow in calculating dumb buffer size"). Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 6d1782919dc9 ("drm/cma: Introduce drm_gem_cma_dumb_create_internal()") Signed-off-by: Andrey Vatoropin <a.vatoropin(a)crpt.ru> --- drivers/gpu/drm/drm_gem_dma_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem_dma_helper.c b/drivers/gpu/drm/drm_gem_dma_helper.c index 870b90b78bc4..a8862f6f702a 100644 --- a/drivers/gpu/drm/drm_gem_dma_helper.c +++ b/drivers/gpu/drm/drm_gem_dma_helper.c @@ -272,8 +272,8 @@ int drm_gem_dma_dumb_create_internal(struct drm_file *file_priv, if (args->pitch < min_pitch) args->pitch = min_pitch; - if (args->size < args->pitch * args->height) - args->size = args->pitch * args->height; + if (args->size < mul_u32_u32(args->pitch, args->height)) + args->size = mul_u32_u32(args->pitch, args->height); dma_obj = drm_gem_dma_create_with_handle(file_priv, drm, args->size, &args->handle); -- 2.43.0

3 months

1
0
0 0

[PATCH 6.12 0/5] md/md-bitmap: move bitmap_{start, end}write to md upper layer

by Yu Kuai

From: Yu Kuai <yukuai3(a)huawei.com> This set fix reported problem: https://lore.kernel.org/all/CAJpMwyjmHQLvm6zg1cmQErttNNQPDAAXPKM3xgTjMhbfts… https://lore.kernel.org/all/ADF7D720-5764-4AF3-B68E-1845988737AA@flyingcirc… See details in patch 5. Yu Kuai (5): md/md-bitmap: factor behind write counters out from bitmap_{start/end}write() md/md-bitmap: remove the last parameter for bimtap_ops->endwrite() md: add a new callback pers->bitmap_sector() md/raid5: implement pers->bitmap_sector() md/md-bitmap: move bitmap_{start, end}write to md upper layer drivers/md/md-bitmap.c | 74 ++++++++++++++++---------- drivers/md/md-bitmap.h | 7 ++- drivers/md/md.c | 29 ++++++++++ drivers/md/md.h | 5 ++ drivers/md/raid1.c | 34 +++--------- drivers/md/raid1.h | 1 - drivers/md/raid10.c | 26 +-------- drivers/md/raid10.h | 1 - drivers/md/raid5-cache.c | 4 -- drivers/md/raid5.c | 111 ++++++++++++++++++++------------------- drivers/md/raid5.h | 4 -- 11 files changed, 149 insertions(+), 147 deletions(-) -- 2.39.2

3 months

2
10
0 0

[PATCH v2] irqchip/irq-mvebu-icu: Fix access to msi_data from irq_domain

by Stefan Eichenberger

Previously, we incorrectly cast irq_domain->host_data directly to mvebu_icu_msi_data. However, host_data actually stores a structure of type msi_domain_info. This incorrect assumption caused issues such as the thermal sensors of the CP110 platform malfunctioning. Specifically, the translation of the SEI interrupt to IRQ_TYPE_EDGE_RISING failed, preventing proper interrupt handling. The following error was observed: genirq: Setting trigger mode 4 for irq 85 failed (irq_chip_set_type_parent+0x0/0x34) armada_thermal f2400000.system-controller:thermal-sensor@70: Cannot request threaded IRQ 85 This commit resolves the issue by first casting host_data to msi_domain_info and then accessing the mvebu_icu_msi_data through msi_domain_info->chip_data. Cc: stable(a)vger.kernel.org Fixes: d929e4db22b6 ("irqchip/irq-mvebu-icu: Prepare for real per device MSI") Signed-off-by: Stefan Eichenberger <eichest(a)gmail.com> --- Changes in v2: * This patch is a v2 because it addresses the same issue as this patch: https://lore.kernel.org/all/20241217111623.92625-1-eichest@gmail.com/ * This time it addresses the underlying issue instead of adding a workaround (thanks to Thomas) drivers/irqchip/irq-mvebu-icu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/irqchip/irq-mvebu-icu.c b/drivers/irqchip/irq-mvebu-icu.c index b337f6c05f18..4eebed39880a 100644 --- a/drivers/irqchip/irq-mvebu-icu.c +++ b/drivers/irqchip/irq-mvebu-icu.c @@ -68,7 +68,8 @@ static int mvebu_icu_translate(struct irq_domain *d, struct irq_fwspec *fwspec, unsigned long *hwirq, unsigned int *type) { unsigned int param_count = static_branch_unlikely(&legacy_bindings) ? 3 : 2; - struct mvebu_icu_msi_data *msi_data = d->host_data; + struct msi_domain_info *info = d->host_data; + struct mvebu_icu_msi_data *msi_data = info->chip_data; struct mvebu_icu *icu = msi_data->icu; /* Check the count of the parameters in dt */ -- 2.45.2

3 months

3
2
0 0

[tip: timers/urgent] clocksource: Use get_random_bytes() in clocksource_verify_choose_cpus()

by tip-bot2 for Waiman Long

The following commit has been merged into the timers/urgent branch of tip: Commit-ID: 01cfc84024e9a6b619696a35d2e5662255001cd0 Gitweb: https://git.kernel.org/tip/01cfc84024e9a6b619696a35d2e5662255001cd0 Author: Waiman Long <longman(a)redhat.com> AuthorDate: Fri, 24 Jan 2025 20:54:42 -05:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Mon, 27 Jan 2025 10:30:59 +01:00 clocksource: Use get_random_bytes() in clocksource_verify_choose_cpus() The following bug report happened in a PREEMPT_RT kernel. BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2012, name: kwatchdog preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by kwatchdog/2012: #0: ffffffff8af2da60 (clocksource_mutex){+.+.}-{3:3}, at: clocksource_watchdog_kthread+0x13/0x50 #1: ffffffff8aa8d4d0 (cpu_hotplug_lock){++++}-{0:0}, at: clocksource_verify_percpu.part.0+0x5c/0x330 #2: ffff9fe02f5f33e0 ((batched_entropy_u32.lock)){+.+.}-{2:2}, at: get_random_u32+0x4f/0x110 Preemption disabled at: [<ffffffff88c1fe56>] clocksource_verify_percpu.part.0+0x66/0x330 CPU: 33 PID: 2012 Comm: kwatchdog Not tainted 5.14.0-503.23.1.el9_5.x86_64+rt-debug #1 Call Trace: <TASK> __might_resched.cold+0xf4/0x12f rt_spin_lock+0x4c/0x100 get_random_u32+0x4f/0x110 clocksource_verify_choose_cpus+0xab/0x1a0 clocksource_verify_percpu.part.0+0x6b/0x330 __clocksource_watchdog_kthread+0x193/0x1a0 clocksource_watchdog_kthread+0x18/0x50 kthread+0x114/0x140 ret_from_fork+0x2c/0x50 </TASK> This happens due to the fact that get_random_u32() is called in clocksource_verify_choose_cpus() with preemption disabled. If crng_ready() is true by the time get_random_u32() is called, The batched_entropy_32 local lock will be acquired. In a PREEMPT_RT enabled kernel, it is a rtmutex, which can't be acquireq with preemption disabled. Fix this problem by using the less random get_random_bytes() function which will not take any lock. In fact, it has the same random-ness as get_random_u32_below() when crng_ready() is false. Fixes: 7560c02bdffb ("clocksource: Check per-CPU clock synchronization when marked unstable") Signed-off-by: Waiman Long <longman(a)redhat.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Suggested-by: Paul E. McKenney <paulmck(a)kernel.org> Reviewed-by: Paul E. McKenney <paulmck(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/all/20250125015442.3740588-2-longman@redhat.com --- kernel/time/clocksource.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c index 77d9566..659c4b7 100644 --- a/kernel/time/clocksource.c +++ b/kernel/time/clocksource.c @@ -340,9 +340,13 @@ static void clocksource_verify_choose_cpus(void) * and no replacement CPU is selected. This gracefully handles * situations where verify_n_cpus is greater than the number of * CPUs that are currently online. + * + * The get_random_bytes() is used here to avoid taking lock with + * preemption disabled. */ for (i = 1; i < n; i++) { - cpu = get_random_u32_below(nr_cpu_ids); + get_random_bytes(&cpu, sizeof(cpu)); + cpu %= nr_cpu_ids; cpu = cpumask_next(cpu - 1, cpu_online_mask); if (cpu >= nr_cpu_ids) cpu = cpumask_first(cpu_online_mask);

3 months

1
0
0 0

[PATCH v8 01/13] drm/bridge: cdns-dsi: Fix connecting to next bridge

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> Fix the OF node pointer passed to the of_drm_find_bridge() call to find the next bridge in the display chain. The code to find the next panel (and create its panel-bridge) works fine, but to find the next (non-panel) bridge does not. To find the next bridge in the pipeline, we need to pass "np" - the OF node pointer of the next entity in the devicetree chain. Passing "of_node" to of_drm_find_bridge (which is what the code does currently) will fetch the bridge for the cdns-dsi which is not what's required. Fix that. Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Cc: Stable List <stable(a)vger.kernel.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index c7a0247e06ad..2f897ea5e80a 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -952,7 +952,7 @@ static int cdns_dsi_attach(struct mipi_dsi_host *host, bridge = drm_panel_bridge_add_typed(panel, DRM_MODE_CONNECTOR_DSI); } else { - bridge = of_drm_find_bridge(dev->dev.of_node); + bridge = of_drm_find_bridge(np); if (!bridge) bridge = ERR_PTR(-EINVAL); } -- 2.34.1

3 months

2
1
0 0

[PATCH v8 05/13] drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> Once the DSI Link and DSI Phy are initialized, the code needs to wait for Clk and Data Lanes to be ready, before continuing configuration. This is in accordance with the DSI Start-up procedure, found in the Technical Reference Manual of Texas Instrument's J721E SoC[0] which houses this DSI TX controller. If the previous bridge (or crtc/encoder) are configured pre-maturely, the input signal FIFO gets corrupt. This introduces a color-shift on the display. Allow the driver to wait for the clk and data lanes to get ready during DSI enable. [0]: See section 12.6.5.7.3 "Start-up Procedure" in J721E SoC TRM TRM Link: http://www.ti.com/lit/pdf/spruil1 Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Cc: Stable List <stable(a)vger.kernel.org> Tested-by: Dominik Haller <d.haller(a)phytec.de> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> Signed-off-by: Aradhya Bhatia <aradhya.bhatia(a)linux.dev> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index 87921a748cdb..6a77ca36cb9d 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -769,7 +769,7 @@ static void cdns_dsi_bridge_enable(struct drm_bridge *bridge) struct phy_configure_opts_mipi_dphy *phy_cfg = &output->phy_opts.mipi_dphy; unsigned long tx_byte_period; struct cdns_dsi_cfg dsi_cfg; - u32 tmp, reg_wakeup, div; + u32 tmp, reg_wakeup, div, status; int nlanes; if (WARN_ON(pm_runtime_get_sync(dsi->base.dev) < 0)) @@ -786,6 +786,19 @@ static void cdns_dsi_bridge_enable(struct drm_bridge *bridge) cdns_dsi_hs_init(dsi); cdns_dsi_init_link(dsi); + /* + * Now that the DSI Link and DSI Phy are initialized, + * wait for the CLK and Data Lanes to be ready. + */ + tmp = CLK_LANE_RDY; + for (int i = 0; i < nlanes; i++) + tmp |= DATA_LANE_RDY(i); + + if (readl_poll_timeout(dsi->regs + MCTL_MAIN_STS, status, + (tmp == (status & tmp)), 100, 500000)) + dev_err(dsi->base.dev, + "Timed Out: DSI-DPhy Clock and Data Lanes not ready.\n"); + writel(HBP_LEN(dsi_cfg.hbp) | HSA_LEN(dsi_cfg.hsa), dsi->regs + VID_HSIZE1); writel(HFP_LEN(dsi_cfg.hfp) | HACT_LEN(dsi_cfg.hact), -- 2.34.1

3 months

1
0
0 0

[PATCH v8 04/13] drm/bridge: cdns-dsi: Check return value when getting default PHY config

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> Check for the return value of the phy_mipi_dphy_get_default_config() call, and incase of an error, return back the same. Fixes: fced5a364dee ("drm/bridge: cdns: Convert to phy framework") Cc: Stable List <stable(a)vger.kernel.org> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> Signed-off-by: Aradhya Bhatia <aradhya.bhatia(a)linux.dev> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index 19cc8734a4c8..87921a748cdb 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -575,9 +575,11 @@ static int cdns_dsi_check_conf(struct cdns_dsi *dsi, if (ret) return ret; - phy_mipi_dphy_get_default_config(mode_clock * 1000, - mipi_dsi_pixel_format_to_bpp(output->dev->format), - nlanes, phy_cfg); + ret = phy_mipi_dphy_get_default_config(mode_clock * 1000, + mipi_dsi_pixel_format_to_bpp(output->dev->format), + nlanes, phy_cfg); + if (ret) + return ret; ret = cdns_dsi_adjust_phy_config(dsi, dsi_cfg, phy_cfg, mode, mode_valid_check); if (ret) -- 2.34.1

3 months

1
0
0 0

[PATCH v8 03/13] drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()

by Aradhya Bhatia

From: Aradhya Bhatia <a-bhatia1(a)ti.com> The crtc_* mode parameters do not get generated (duplicated in this case) from the regular parameters before the mode validation phase begins. The rest of the code conditionally uses the crtc_* parameters only during the bridge enable phase, but sticks to the regular parameters for mode validation. In this singular instance, however, the driver tries to use the crtc_clock parameter even during the mode validation, causing the validation to fail. Allow the D-Phy config checks to use mode->clock instead of mode->crtc_clock during mode_valid checks, like everywhere else in the driver. Fixes: fced5a364dee ("drm/bridge: cdns: Convert to phy framework") Cc: Stable List <stable(a)vger.kernel.org> Reviewed-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Signed-off-by: Aradhya Bhatia <a-bhatia1(a)ti.com> Signed-off-by: Aradhya Bhatia <aradhya.bhatia(a)linux.dev> --- drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c index b0a1a6774ea6..19cc8734a4c8 100644 --- a/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c +++ b/drivers/gpu/drm/bridge/cadence/cdns-dsi-core.c @@ -568,13 +568,14 @@ static int cdns_dsi_check_conf(struct cdns_dsi *dsi, struct phy_configure_opts_mipi_dphy *phy_cfg = &output->phy_opts.mipi_dphy; unsigned long dsi_hss_hsa_hse_hbp; unsigned int nlanes = output->dev->lanes; + int mode_clock = (mode_valid_check ? mode->clock : mode->crtc_clock); int ret; ret = cdns_dsi_mode2cfg(dsi, mode, dsi_cfg, mode_valid_check); if (ret) return ret; - phy_mipi_dphy_get_default_config(mode->crtc_clock * 1000, + phy_mipi_dphy_get_default_config(mode_clock * 1000, mipi_dsi_pixel_format_to_bpp(output->dev->format), nlanes, phy_cfg); -- 2.34.1

3 months

1
0
0 0

[PATCH 5.10] static_call: Replace pointless WARN_ON() in static_call_module_notify()

by Alexey Nepomnyashih

From: Thomas Gleixner <tglx(a)linutronix.de> commit fe513c2ef0a172a58f158e2e70465c4317f0a9a2 upstream. static_call_module_notify() triggers a WARN_ON(), when memory allocation fails in __static_call_add_module(). That's not really justified, because the failure case must be correctly handled by the well known call chain and the error code is passed through to the initiating userspace application. A memory allocation fail is not a fatal problem, but the WARN_ON() takes the machine out when panic_on_warn is set. Replace it with a pr_warn(). Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure") Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lkml.kernel.org/r/8734mf7pmb.ffs@tglx Signed-off-by: Alexey Nepomnyashih <sdl(a)nppct.ru> --- Backport to fix CVE-2024-49954 Link: https://nvd.nist.gov/vuln/detail/CVE-2024-49954 --- kernel/static_call.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/static_call.c b/kernel/static_call.c index e9408409eb46..a008250e2533 100644 --- a/kernel/static_call.c +++ b/kernel/static_call.c @@ -431,7 +431,7 @@ static int static_call_module_notify(struct notifier_block *nb, case MODULE_STATE_COMING: ret = static_call_add_module(mod); if (ret) { - WARN(1, "Failed to allocate memory for static calls"); + pr_warn("Failed to allocate memory for static calls\n"); static_call_del_module(mod); } break; -- 2.43.0

3 months

2
1
0 0

[PATCH 6.1.y] drm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()

by Imkanmod Khan

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> [ Upstream commit 2a3cfb9a24a28da9cc13d2c525a76548865e182c ] Since 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL before the call to dc_enable_dmub_notifications(), check beforehand to ensure there will not be a possible NULL-ptr-deref there. Also, since commit 1e88eb1b2c25 ("drm/amd/display: Drop CONFIG_DRM_AMD_DC_HDCP") there are two separate checks for NULL in 'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy(). Clean up by combining them all under one 'if'. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 81927e2808be ("drm/amd/display: Support for DMUB AUX") Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [ To fix CVE-2024-27041, I fix the merge conflict by still using macro CONFIG_DRM_AMD_DC_HDCP in the first adev->dm.dc check. ] Signed-off-by: Imkanmod Khan <imkanmodkhan(a)gmail.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 8dc0f70df24f..7b4d44dcb343 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -1882,14 +1882,14 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev) dc_deinit_callbacks(adev->dm.dc); #endif - if (adev->dm.dc) + if (adev->dm.dc) { dc_dmub_srv_destroy(&adev->dm.dc->ctx->dmub_srv); - - if (dc_enable_dmub_notifications(adev->dm.dc)) { - kfree(adev->dm.dmub_notify); - adev->dm.dmub_notify = NULL; - destroy_workqueue(adev->dm.delayed_hpd_wq); - adev->dm.delayed_hpd_wq = NULL; + if (dc_enable_dmub_notifications(adev->dm.dc)) { + kfree(adev->dm.dmub_notify); + adev->dm.dmub_notify = NULL; + destroy_workqueue(adev->dm.delayed_hpd_wq); + adev->dm.delayed_hpd_wq = NULL; + } } if (adev->dm.dmub_bo) -- 2.25.1

3 months

2
1
0 0

[PATCH 6.1.y] ext4: fix access to uninitialised lock in fc replay path

by Imkanmod Khan

From: "Luis Henriques (SUSE)" <luis.henriques(a)linux.dev> [ commit 23dfdb56581ad92a9967bcd720c8c23356af74c1 upstream ] The following kernel trace can be triggered with fstest generic/629 when executed against a filesystem with fast-commit feature enabled: INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x66/0x90 register_lock_class+0x759/0x7d0 __lock_acquire+0x85/0x2630 ? __find_get_block+0xb4/0x380 lock_acquire+0xd1/0x2d0 ? __ext4_journal_get_write_access+0xd5/0x160 _raw_spin_lock+0x33/0x40 ? __ext4_journal_get_write_access+0xd5/0x160 __ext4_journal_get_write_access+0xd5/0x160 ext4_reserve_inode_write+0x61/0xb0 __ext4_mark_inode_dirty+0x79/0x270 ? ext4_ext_replay_set_iblocks+0x2f8/0x450 ext4_ext_replay_set_iblocks+0x330/0x450 ext4_fc_replay+0x14c8/0x1540 ? jread+0x88/0x2e0 ? rcu_is_watching+0x11/0x40 do_one_pass+0x447/0xd00 jbd2_journal_recover+0x139/0x1b0 jbd2_journal_load+0x96/0x390 ext4_load_and_init_journal+0x253/0xd40 ext4_fill_super+0x2cc6/0x3180 ... In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in function ext4_check_bdev_write_error(). Unfortunately, at this point this spinlock has not been initialized yet. Moving it's initialization to an earlier point in __ext4_fill_super() fixes this splat. Signed-off-by: Luis Henriques (SUSE) <luis.henriques(a)linux.dev> Link: https://patch.msgid.link/20240718094356.7863-1-luis.henriques@linux.dev Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Cc: stable(a)kernel.org Signed-off-by: Imkanmod Khan <imkanmodkhan(a)gmail.com> --- fs/ext4/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 0b2591c07166..53f1deb049ec 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -5264,6 +5264,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) INIT_LIST_HEAD(&sbi->s_orphan); /* unlinked but open files */ mutex_init(&sbi->s_orphan_lock); + spin_lock_init(&sbi->s_bdev_wb_lock); + ext4_fast_commit_init(sb); sb->s_root = NULL; @@ -5514,7 +5516,6 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) * Save the original bdev mapping's wb_err value which could be * used to detect the metadata async write error. */ - spin_lock_init(&sbi->s_bdev_wb_lock); errseq_check_and_advance(&sb->s_bdev->bd_inode->i_mapping->wb_err, &sbi->s_bdev_wb_err); sb->s_bdev->bd_super = sb; -- 2.25.1

3 months

2
1
0 0

[PATCH 6.6.y] ext4: fix access to uninitialised lock in fc replay path

by Imkanmod Khan

From: "Luis Henriques (SUSE)" <luis.henriques(a)linux.dev> [ commit 23dfdb56581ad92a9967bcd720c8c23356af74c1 upstream ] The following kernel trace can be triggered with fstest generic/629 when executed against a filesystem with fast-commit feature enabled: INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x66/0x90 register_lock_class+0x759/0x7d0 __lock_acquire+0x85/0x2630 ? __find_get_block+0xb4/0x380 lock_acquire+0xd1/0x2d0 ? __ext4_journal_get_write_access+0xd5/0x160 _raw_spin_lock+0x33/0x40 ? __ext4_journal_get_write_access+0xd5/0x160 __ext4_journal_get_write_access+0xd5/0x160 ext4_reserve_inode_write+0x61/0xb0 __ext4_mark_inode_dirty+0x79/0x270 ? ext4_ext_replay_set_iblocks+0x2f8/0x450 ext4_ext_replay_set_iblocks+0x330/0x450 ext4_fc_replay+0x14c8/0x1540 ? jread+0x88/0x2e0 ? rcu_is_watching+0x11/0x40 do_one_pass+0x447/0xd00 jbd2_journal_recover+0x139/0x1b0 jbd2_journal_load+0x96/0x390 ext4_load_and_init_journal+0x253/0xd40 ext4_fill_super+0x2cc6/0x3180 ... In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in function ext4_check_bdev_write_error(). Unfortunately, at this point this spinlock has not been initialized yet. Moving it's initialization to an earlier point in __ext4_fill_super() fixes this splat. Signed-off-by: Luis Henriques (SUSE) <luis.henriques(a)linux.dev> Link: https://patch.msgid.link/20240718094356.7863-1-luis.henriques@linux.dev Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Cc: stable(a)kernel.org Signed-off-by: Imkanmod Khan <imkanmodkhan(a)gmail.com> --- fs/ext4/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 71ced0ada9a2..f019ce64eba4 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -5366,6 +5366,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) INIT_LIST_HEAD(&sbi->s_orphan); /* unlinked but open files */ mutex_init(&sbi->s_orphan_lock); + spin_lock_init(&sbi->s_bdev_wb_lock); + ext4_fast_commit_init(sb); sb->s_root = NULL; @@ -5586,7 +5588,6 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) * Save the original bdev mapping's wb_err value which could be * used to detect the metadata async write error. */ - spin_lock_init(&sbi->s_bdev_wb_lock); errseq_check_and_advance(&sb->s_bdev->bd_inode->i_mapping->wb_err, &sbi->s_bdev_wb_err); EXT4_SB(sb)->s_mount_state |= EXT4_ORPHAN_FS; -- 2.25.1

3 months

2
1
0 0

[PATCH AUTOSEL 6.1 1/2] RDMA/efa: Reset device on probe failure

by Sasha Levin

From: Michael Margolin <mrgolin(a)amazon.com> [ Upstream commit 123c13f10ed3627ba112172d8bd122a72cae226d ] Make sure the device is being reset on driver exit whatever the reason is, to keep the device aligned and allow it to close shared resources (e.g. admin queue). Reviewed-by: Firas Jahjah <firasj(a)amazon.com> Reviewed-by: Yonatan Nachum <ynachum(a)amazon.com> Signed-off-by: Michael Margolin <mrgolin(a)amazon.com> Link: https://patch.msgid.link/20241225131548.15155-1-mrgolin@amazon.com Reviewed-by: Gal Pressman <gal.pressman(a)linux.dev> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/infiniband/hw/efa/efa_main.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/infiniband/hw/efa/efa_main.c b/drivers/infiniband/hw/efa/efa_main.c index 15ee920811187..924940ca9de0a 100644 --- a/drivers/infiniband/hw/efa/efa_main.c +++ b/drivers/infiniband/hw/efa/efa_main.c @@ -452,7 +452,6 @@ static void efa_ib_device_remove(struct efa_dev *dev) ibdev_info(&dev->ibdev, "Unregister ib device\n"); ib_unregister_device(&dev->ibdev); efa_destroy_eqs(dev); - efa_com_dev_reset(&dev->edev, EFA_REGS_RESET_NORMAL); efa_release_doorbell_bar(dev); } @@ -623,12 +622,14 @@ static struct efa_dev *efa_probe_device(struct pci_dev *pdev) return ERR_PTR(err); } -static void efa_remove_device(struct pci_dev *pdev) +static void efa_remove_device(struct pci_dev *pdev, + enum efa_regs_reset_reason_types reset_reason) { struct efa_dev *dev = pci_get_drvdata(pdev); struct efa_com_dev *edev; edev = &dev->edev; + efa_com_dev_reset(edev, reset_reason); efa_com_admin_destroy(edev); efa_free_irq(dev, &dev->admin_irq); efa_disable_msix(dev); @@ -656,7 +657,7 @@ static int efa_probe(struct pci_dev *pdev, const struct pci_device_id *ent) return 0; err_remove_device: - efa_remove_device(pdev); + efa_remove_device(pdev, EFA_REGS_RESET_INIT_ERR); return err; } @@ -665,7 +666,7 @@ static void efa_remove(struct pci_dev *pdev) struct efa_dev *dev = pci_get_drvdata(pdev); efa_ib_device_remove(dev); - efa_remove_device(pdev); + efa_remove_device(pdev, EFA_REGS_RESET_NORMAL); } static struct pci_driver efa_pci_driver = { -- 2.39.5

3 months

1
1
0 0

[PATCH AUTOSEL 6.6 1/3] RDMA/efa: Reset device on probe failure

by Sasha Levin

From: Michael Margolin <mrgolin(a)amazon.com> [ Upstream commit 123c13f10ed3627ba112172d8bd122a72cae226d ] Make sure the device is being reset on driver exit whatever the reason is, to keep the device aligned and allow it to close shared resources (e.g. admin queue). Reviewed-by: Firas Jahjah <firasj(a)amazon.com> Reviewed-by: Yonatan Nachum <ynachum(a)amazon.com> Signed-off-by: Michael Margolin <mrgolin(a)amazon.com> Link: https://patch.msgid.link/20241225131548.15155-1-mrgolin@amazon.com Reviewed-by: Gal Pressman <gal.pressman(a)linux.dev> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/infiniband/hw/efa/efa_main.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/infiniband/hw/efa/efa_main.c b/drivers/infiniband/hw/efa/efa_main.c index 15ee920811187..924940ca9de0a 100644 --- a/drivers/infiniband/hw/efa/efa_main.c +++ b/drivers/infiniband/hw/efa/efa_main.c @@ -452,7 +452,6 @@ static void efa_ib_device_remove(struct efa_dev *dev) ibdev_info(&dev->ibdev, "Unregister ib device\n"); ib_unregister_device(&dev->ibdev); efa_destroy_eqs(dev); - efa_com_dev_reset(&dev->edev, EFA_REGS_RESET_NORMAL); efa_release_doorbell_bar(dev); } @@ -623,12 +622,14 @@ static struct efa_dev *efa_probe_device(struct pci_dev *pdev) return ERR_PTR(err); } -static void efa_remove_device(struct pci_dev *pdev) +static void efa_remove_device(struct pci_dev *pdev, + enum efa_regs_reset_reason_types reset_reason) { struct efa_dev *dev = pci_get_drvdata(pdev); struct efa_com_dev *edev; edev = &dev->edev; + efa_com_dev_reset(edev, reset_reason); efa_com_admin_destroy(edev); efa_free_irq(dev, &dev->admin_irq); efa_disable_msix(dev); @@ -656,7 +657,7 @@ static int efa_probe(struct pci_dev *pdev, const struct pci_device_id *ent) return 0; err_remove_device: - efa_remove_device(pdev); + efa_remove_device(pdev, EFA_REGS_RESET_INIT_ERR); return err; } @@ -665,7 +666,7 @@ static void efa_remove(struct pci_dev *pdev) struct efa_dev *dev = pci_get_drvdata(pdev); efa_ib_device_remove(dev); - efa_remove_device(pdev); + efa_remove_device(pdev, EFA_REGS_RESET_NORMAL); } static struct pci_driver efa_pci_driver = { -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 6.12 1/7] soc: qcom: pd-mapper: Add X1P42100

by Sasha Levin

From: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> [ Upstream commit e7282bf8a0e9bb8a4cb1be406674ff7bb7b264f2 ] X1P42100 is a cousin of X1E80100, and hence can make use of the latter's configuration. Do so. Signed-off-by: Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> Link: https://lore.kernel.org/r/20241221-topic-x1p4_soc-v1-3-55347831d73c@oss.qua… Signed-off-by: Bjorn Andersson <andersson(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/soc/qcom/qcom_pd_mapper.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/soc/qcom/qcom_pd_mapper.c b/drivers/soc/qcom/qcom_pd_mapper.c index 6e30f08761aa4..50aa54996901f 100644 --- a/drivers/soc/qcom/qcom_pd_mapper.c +++ b/drivers/soc/qcom/qcom_pd_mapper.c @@ -561,6 +561,7 @@ static const struct of_device_id qcom_pdm_domains[] __maybe_unused = { { .compatible = "qcom,sm8550", .data = sm8550_domains, }, { .compatible = "qcom,sm8650", .data = sm8550_domains, }, { .compatible = "qcom,x1e80100", .data = x1e80100_domains, }, + { .compatible = "qcom,x1p42100", .data = x1e80100_domains, }, {}, }; -- 2.39.5

3 months

1
6
0 0

[PATCH AUTOSEL 6.12 01/31] drm/virtio: New fence for every plane update

by Sasha Levin

From: Dongwon Kim <dongwon.kim(a)intel.com> [ Upstream commit d3c55b8ab6fe5fa2e7ab02efd36d09c39ee5022f ] Having a fence linked to a virtio_gpu_framebuffer in the plane update sequence would cause conflict when several planes referencing the same framebuffer (e.g. Xorg screen covering multi-displays configured for an extended mode) and those planes are updated concurrently. So it is needed to allocate a fence for every plane state instead of the framebuffer. Signed-off-by: Dongwon Kim <dongwon.kim(a)intel.com> [dmitry.osipenko(a)collabora.com: rebase, fix up, edit commit message] Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Reviewed-by: Rob Clark <robdclark(a)gmail.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241020230803.247419-2-dmitr… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/virtio/virtgpu_drv.h | 7 ++++ drivers/gpu/drm/virtio/virtgpu_plane.c | 58 +++++++++++++++++--------- 2 files changed, 46 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h index 64c236169db88..5dc8eeaf7123c 100644 --- a/drivers/gpu/drm/virtio/virtgpu_drv.h +++ b/drivers/gpu/drm/virtio/virtgpu_drv.h @@ -194,6 +194,13 @@ struct virtio_gpu_framebuffer { #define to_virtio_gpu_framebuffer(x) \ container_of(x, struct virtio_gpu_framebuffer, base) +struct virtio_gpu_plane_state { + struct drm_plane_state base; + struct virtio_gpu_fence *fence; +}; +#define to_virtio_gpu_plane_state(x) \ + container_of(x, struct virtio_gpu_plane_state, base) + struct virtio_gpu_queue { struct virtqueue *vq; spinlock_t qlock; diff --git a/drivers/gpu/drm/virtio/virtgpu_plane.c b/drivers/gpu/drm/virtio/virtgpu_plane.c index a72a2dbda031c..7acd38b962c62 100644 --- a/drivers/gpu/drm/virtio/virtgpu_plane.c +++ b/drivers/gpu/drm/virtio/virtgpu_plane.c @@ -66,11 +66,28 @@ uint32_t virtio_gpu_translate_format(uint32_t drm_fourcc) return format; } +static struct +drm_plane_state *virtio_gpu_plane_duplicate_state(struct drm_plane *plane) +{ + struct virtio_gpu_plane_state *new; + + if (WARN_ON(!plane->state)) + return NULL; + + new = kzalloc(sizeof(*new), GFP_KERNEL); + if (!new) + return NULL; + + __drm_atomic_helper_plane_duplicate_state(plane, &new->base); + + return &new->base; +} + static const struct drm_plane_funcs virtio_gpu_plane_funcs = { .update_plane = drm_atomic_helper_update_plane, .disable_plane = drm_atomic_helper_disable_plane, .reset = drm_atomic_helper_plane_reset, - .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state, + .atomic_duplicate_state = virtio_gpu_plane_duplicate_state, .atomic_destroy_state = drm_atomic_helper_plane_destroy_state, }; @@ -138,11 +155,13 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane, struct drm_device *dev = plane->dev; struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo; vgfb = to_virtio_gpu_framebuffer(plane->state->fb); + vgplane_st = to_virtio_gpu_plane_state(plane->state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); - if (vgfb->fence) { + if (vgplane_st->fence) { struct virtio_gpu_object_array *objs; objs = virtio_gpu_array_alloc(1); @@ -151,13 +170,11 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane, virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]); virtio_gpu_array_lock_resv(objs); virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y, - width, height, objs, vgfb->fence); + width, height, objs, + vgplane_st->fence); virtio_gpu_notify(vgdev); - - dma_fence_wait_timeout(&vgfb->fence->f, true, + dma_fence_wait_timeout(&vgplane_st->fence->f, true, msecs_to_jiffies(50)); - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; } else { virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y, width, height, NULL, NULL); @@ -247,20 +264,23 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane, struct drm_device *dev = plane->dev; struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo; if (!new_state->fb) return 0; vgfb = to_virtio_gpu_framebuffer(new_state->fb); + vgplane_st = to_virtio_gpu_plane_state(new_state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); if (!bo || (plane->type == DRM_PLANE_TYPE_PRIMARY && !bo->guest_blob)) return 0; - if (bo->dumb && (plane->state->fb != new_state->fb)) { - vgfb->fence = virtio_gpu_fence_alloc(vgdev, vgdev->fence_drv.context, + if (bo->dumb) { + vgplane_st->fence = virtio_gpu_fence_alloc(vgdev, + vgdev->fence_drv.context, 0); - if (!vgfb->fence) + if (!vgplane_st->fence) return -ENOMEM; } @@ -270,15 +290,15 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane, static void virtio_gpu_plane_cleanup_fb(struct drm_plane *plane, struct drm_plane_state *state) { - struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; if (!state->fb) return; - vgfb = to_virtio_gpu_framebuffer(state->fb); - if (vgfb->fence) { - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; + vgplane_st = to_virtio_gpu_plane_state(state); + if (vgplane_st->fence) { + dma_fence_put(&vgplane_st->fence->f); + vgplane_st->fence = NULL; } } @@ -291,6 +311,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_output *output = NULL; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo = NULL; uint32_t handle; @@ -303,6 +324,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, if (plane->state->fb) { vgfb = to_virtio_gpu_framebuffer(plane->state->fb); + vgplane_st = to_virtio_gpu_plane_state(plane->state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); handle = bo->hw_res_handle; } else { @@ -322,11 +344,9 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, (vgdev, 0, plane->state->crtc_w, plane->state->crtc_h, - 0, 0, objs, vgfb->fence); + 0, 0, objs, vgplane_st->fence); virtio_gpu_notify(vgdev); - dma_fence_wait(&vgfb->fence->f, true); - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; + dma_fence_wait(&vgplane_st->fence->f, true); } if (plane->state->fb != old_state->fb) { -- 2.39.5

3 months

2
31
0 0

[PATCH AUTOSEL 5.4] tool api fs: Correctly encode errno for read/write open failures

by Sasha Levin

From: Ian Rogers <irogers(a)google.com> [ Upstream commit 05be17eed774aaf56f6b1e12714325ca3a266c04 ] Switch from returning -1 to -errno so that callers can determine types of failure. Reviewed-by: Namhyung Kim <namhyung(a)kernel.org> Signed-off-by: Ian Rogers <irogers(a)google.com> Acked-by: Arnaldo Carvalho de Melo <acme(a)redhat.com> Cc: Adrian Hunter <adrian.hunter(a)intel.com> Cc: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Cc: Andi Kleen <ak(a)linux.intel.com> Cc: Athira Rajeev <atrajeev(a)linux.vnet.ibm.com> Cc: Ben Gainey <ben.gainey(a)arm.com> Cc: Colin Ian King <colin.i.king(a)gmail.com> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Ilkka Koskinen <ilkka(a)os.amperecomputing.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: James Clark <james.clark(a)linaro.org> Cc: Jiri Olsa <jolsa(a)kernel.org> Cc: Kan Liang <kan.liang(a)linux.intel.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paran Lee <p4ranlee(a)gmail.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Steinar H. Gunderson <sesse(a)google.com> Cc: Steven Rostedt (VMware) <rostedt(a)goodmis.org> Cc: Thomas Falcon <thomas.falcon(a)intel.com> Cc: Weilin Wang <weilin.wang(a)intel.com> Cc: Yang Jihong <yangjihong(a)bytedance.com> Cc: Yang Li <yang.lee(a)linux.alibaba.com> Cc: Ze Gao <zegao2021(a)gmail.com> Cc: Zixian Cai <fzczx123(a)gmail.com> Cc: zhaimingbing <zhaimingbing(a)cmss.chinamobile.com> Link: https://lore.kernel.org/r/20241118225345.889810-3-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo <acme(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/lib/api/fs/fs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c index 4cc69675c2a9a..234c882f9029c 100644 --- a/tools/lib/api/fs/fs.c +++ b/tools/lib/api/fs/fs.c @@ -323,7 +323,7 @@ int filename__read_int(const char *filename, int *value) int fd = open(filename, O_RDONLY), err = -1; if (fd < 0) - return -1; + return -errno; if (read(fd, line, sizeof(line)) > 0) { *value = atoi(line); @@ -341,7 +341,7 @@ static int filename__read_ull_base(const char *filename, int fd = open(filename, O_RDONLY), err = -1; if (fd < 0) - return -1; + return -errno; if (read(fd, line, sizeof(line)) > 0) { *value = strtoull(line, NULL, base); @@ -428,7 +428,7 @@ int filename__write_int(const char *filename, int value) char buf[64]; if (fd < 0) - return err; + return -errno; sprintf(buf, "%d", value); if (write(fd, buf, sizeof(buf)) == sizeof(buf)) -- 2.39.5

3 months

1
0
0 0

[PATCH AUTOSEL 5.10 1/2] tool api fs: Correctly encode errno for read/write open failures

by Sasha Levin

From: Ian Rogers <irogers(a)google.com> [ Upstream commit 05be17eed774aaf56f6b1e12714325ca3a266c04 ] Switch from returning -1 to -errno so that callers can determine types of failure. Reviewed-by: Namhyung Kim <namhyung(a)kernel.org> Signed-off-by: Ian Rogers <irogers(a)google.com> Acked-by: Arnaldo Carvalho de Melo <acme(a)redhat.com> Cc: Adrian Hunter <adrian.hunter(a)intel.com> Cc: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Cc: Andi Kleen <ak(a)linux.intel.com> Cc: Athira Rajeev <atrajeev(a)linux.vnet.ibm.com> Cc: Ben Gainey <ben.gainey(a)arm.com> Cc: Colin Ian King <colin.i.king(a)gmail.com> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Ilkka Koskinen <ilkka(a)os.amperecomputing.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: James Clark <james.clark(a)linaro.org> Cc: Jiri Olsa <jolsa(a)kernel.org> Cc: Kan Liang <kan.liang(a)linux.intel.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paran Lee <p4ranlee(a)gmail.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Steinar H. Gunderson <sesse(a)google.com> Cc: Steven Rostedt (VMware) <rostedt(a)goodmis.org> Cc: Thomas Falcon <thomas.falcon(a)intel.com> Cc: Weilin Wang <weilin.wang(a)intel.com> Cc: Yang Jihong <yangjihong(a)bytedance.com> Cc: Yang Li <yang.lee(a)linux.alibaba.com> Cc: Ze Gao <zegao2021(a)gmail.com> Cc: Zixian Cai <fzczx123(a)gmail.com> Cc: zhaimingbing <zhaimingbing(a)cmss.chinamobile.com> Link: https://lore.kernel.org/r/20241118225345.889810-3-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo <acme(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/lib/api/fs/fs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c index 82f53d81a7a78..a0a6a907315f0 100644 --- a/tools/lib/api/fs/fs.c +++ b/tools/lib/api/fs/fs.c @@ -323,7 +323,7 @@ int filename__read_int(const char *filename, int *value) int fd = open(filename, O_RDONLY), err = -1; if (fd < 0) - return -1; + return -errno; if (read(fd, line, sizeof(line)) > 0) { *value = atoi(line); @@ -341,7 +341,7 @@ static int filename__read_ull_base(const char *filename, int fd = open(filename, O_RDONLY), err = -1; if (fd < 0) - return -1; + return -errno; if (read(fd, line, sizeof(line)) > 0) { *value = strtoull(line, NULL, base); @@ -428,7 +428,7 @@ int filename__write_int(const char *filename, int value) char buf[64]; if (fd < 0) - return err; + return -errno; sprintf(buf, "%d", value); if (write(fd, buf, sizeof(buf)) == sizeof(buf)) -- 2.39.5

3 months

1
1
0 0

[PATCH AUTOSEL 5.15 1/3] tool api fs: Correctly encode errno for read/write open failures

by Sasha Levin

From: Ian Rogers <irogers(a)google.com> [ Upstream commit 05be17eed774aaf56f6b1e12714325ca3a266c04 ] Switch from returning -1 to -errno so that callers can determine types of failure. Reviewed-by: Namhyung Kim <namhyung(a)kernel.org> Signed-off-by: Ian Rogers <irogers(a)google.com> Acked-by: Arnaldo Carvalho de Melo <acme(a)redhat.com> Cc: Adrian Hunter <adrian.hunter(a)intel.com> Cc: Alexander Shishkin <alexander.shishkin(a)linux.intel.com> Cc: Andi Kleen <ak(a)linux.intel.com> Cc: Athira Rajeev <atrajeev(a)linux.vnet.ibm.com> Cc: Ben Gainey <ben.gainey(a)arm.com> Cc: Colin Ian King <colin.i.king(a)gmail.com> Cc: Dominique Martinet <asmadeus(a)codewreck.org> Cc: Ilkka Koskinen <ilkka(a)os.amperecomputing.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: James Clark <james.clark(a)linaro.org> Cc: Jiri Olsa <jolsa(a)kernel.org> Cc: Kan Liang <kan.liang(a)linux.intel.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paran Lee <p4ranlee(a)gmail.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Steinar H. Gunderson <sesse(a)google.com> Cc: Steven Rostedt (VMware) <rostedt(a)goodmis.org> Cc: Thomas Falcon <thomas.falcon(a)intel.com> Cc: Weilin Wang <weilin.wang(a)intel.com> Cc: Yang Jihong <yangjihong(a)bytedance.com> Cc: Yang Li <yang.lee(a)linux.alibaba.com> Cc: Ze Gao <zegao2021(a)gmail.com> Cc: Zixian Cai <fzczx123(a)gmail.com> Cc: zhaimingbing <zhaimingbing(a)cmss.chinamobile.com> Link: https://lore.kernel.org/r/20241118225345.889810-3-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo <acme(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- tools/lib/api/fs/fs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/lib/api/fs/fs.c b/tools/lib/api/fs/fs.c index 82f53d81a7a78..a0a6a907315f0 100644 --- a/tools/lib/api/fs/fs.c +++ b/tools/lib/api/fs/fs.c @@ -323,7 +323,7 @@ int filename__read_int(const char *filename, int *value) int fd = open(filename, O_RDONLY), err = -1; if (fd < 0) - return -1; + return -errno; if (read(fd, line, sizeof(line)) > 0) { *value = atoi(line); @@ -341,7 +341,7 @@ static int filename__read_ull_base(const char *filename, int fd = open(filename, O_RDONLY), err = -1; if (fd < 0) - return -1; + return -errno; if (read(fd, line, sizeof(line)) > 0) { *value = strtoull(line, NULL, base); @@ -428,7 +428,7 @@ int filename__write_int(const char *filename, int value) char buf[64]; if (fd < 0) - return err; + return -errno; sprintf(buf, "%d", value); if (write(fd, buf, sizeof(buf)) == sizeof(buf)) -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 6.1 1/8] x86/kexec: Allocate PGD for x86_64 transition page tables separately

by Sasha Levin

From: David Woodhouse <dwmw(a)amazon.co.uk> [ Upstream commit 4b5bc2ec9a239bce261ffeafdd63571134102323 ] Now that the following fix: d0ceea662d45 ("x86/mm: Add _PAGE_NOPTISHADOW bit to avoid updating userspace page tables") stops kernel_ident_mapping_init() from scribbling over the end of a 4KiB PGD by assuming the following 4KiB will be a userspace PGD, there's no good reason for the kexec PGD to be part of a single 8KiB allocation with the control_code_page. ( It's not clear that that was the reason for x86_64 kexec doing it that way in the first place either; there were no comments to that effect and it seems to have been the case even before PTI came along. It looks like it was just a happy accident which prevented memory corruption on kexec. ) Either way, it definitely isn't needed now. Just allocate the PGD separately on x86_64, like i386 already does. Signed-off-by: David Woodhouse <dwmw(a)amazon.co.uk> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: Eric Biederman <ebiederm(a)xmission.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Link: https://lore.kernel.org/r/20241205153343.3275139-6-dwmw2@infradead.org Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/include/asm/kexec.h | 18 +++++++++--- arch/x86/kernel/machine_kexec_64.c | 45 ++++++++++++++++-------------- 2 files changed, 38 insertions(+), 25 deletions(-) diff --git a/arch/x86/include/asm/kexec.h b/arch/x86/include/asm/kexec.h index 256eee99afc8f..e2e1ec99c9998 100644 --- a/arch/x86/include/asm/kexec.h +++ b/arch/x86/include/asm/kexec.h @@ -16,6 +16,7 @@ # define PAGES_NR 4 #endif +# define KEXEC_CONTROL_PAGE_SIZE 4096 # define KEXEC_CONTROL_CODE_MAX_SIZE 2048 #ifndef __ASSEMBLY__ @@ -44,7 +45,6 @@ struct kimage; /* Maximum address we can use for the control code buffer */ # define KEXEC_CONTROL_MEMORY_LIMIT TASK_SIZE -# define KEXEC_CONTROL_PAGE_SIZE 4096 /* The native architecture */ # define KEXEC_ARCH KEXEC_ARCH_386 @@ -59,9 +59,6 @@ struct kimage; /* Maximum address we can use for the control pages */ # define KEXEC_CONTROL_MEMORY_LIMIT (MAXMEM-1) -/* Allocate one page for the pdp and the second for the code */ -# define KEXEC_CONTROL_PAGE_SIZE (4096UL + 4096UL) - /* The native architecture */ # define KEXEC_ARCH KEXEC_ARCH_X86_64 #endif @@ -146,6 +143,19 @@ struct kimage_arch { }; #else struct kimage_arch { + /* + * This is a kimage control page, as it must not overlap with either + * source or destination address ranges. + */ + pgd_t *pgd; + /* + * The virtual mapping of the control code page itself is used only + * during the transition, while the current kernel's pages are all + * in place. Thus the intermediate page table pages used to map it + * are not control pages, but instead just normal pages obtained + * with get_zeroed_page(). And have to be tracked (below) so that + * they can be freed. + */ p4d_t *p4d; pud_t *pud; pmd_t *pmd; diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c index 24b6eaacc81eb..5d61a342871b5 100644 --- a/arch/x86/kernel/machine_kexec_64.c +++ b/arch/x86/kernel/machine_kexec_64.c @@ -149,7 +149,8 @@ static void free_transition_pgtable(struct kimage *image) image->arch.pte = NULL; } -static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) +static int init_transition_pgtable(struct kimage *image, pgd_t *pgd, + unsigned long control_page) { pgprot_t prot = PAGE_KERNEL_EXEC_NOENC; unsigned long vaddr, paddr; @@ -160,7 +161,7 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) pte_t *pte; vaddr = (unsigned long)relocate_kernel; - paddr = __pa(page_address(image->control_code_page)+PAGE_SIZE); + paddr = control_page; pgd += pgd_index(vaddr); if (!pgd_present(*pgd)) { p4d = (p4d_t *)get_zeroed_page(GFP_KERNEL); @@ -219,7 +220,7 @@ static void *alloc_pgt_page(void *data) return p; } -static int init_pgtable(struct kimage *image, unsigned long start_pgtable) +static int init_pgtable(struct kimage *image, unsigned long control_page) { struct x86_mapping_info info = { .alloc_pgt_page = alloc_pgt_page, @@ -228,12 +229,12 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) .kernpg_flag = _KERNPG_TABLE_NOENC, }; unsigned long mstart, mend; - pgd_t *level4p; int result; int i; - level4p = (pgd_t *)__va(start_pgtable); - clear_page(level4p); + image->arch.pgd = alloc_pgt_page(image); + if (!image->arch.pgd) + return -ENOMEM; if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) { info.page_flag |= _PAGE_ENC; @@ -247,8 +248,8 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) mstart = pfn_mapped[i].start << PAGE_SHIFT; mend = pfn_mapped[i].end << PAGE_SHIFT; - result = kernel_ident_mapping_init(&info, - level4p, mstart, mend); + result = kernel_ident_mapping_init(&info, image->arch.pgd, + mstart, mend); if (result) return result; } @@ -263,8 +264,8 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) mstart = image->segment[i].mem; mend = mstart + image->segment[i].memsz; - result = kernel_ident_mapping_init(&info, - level4p, mstart, mend); + result = kernel_ident_mapping_init(&info, image->arch.pgd, + mstart, mend); if (result) return result; @@ -274,15 +275,19 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) * Prepare EFI systab and ACPI tables for kexec kernel since they are * not covered by pfn_mapped. */ - result = map_efi_systab(&info, level4p); + result = map_efi_systab(&info, image->arch.pgd); if (result) return result; - result = map_acpi_tables(&info, level4p); + result = map_acpi_tables(&info, image->arch.pgd); if (result) return result; - return init_transition_pgtable(image, level4p); + /* + * This must be last because the intermediate page table pages it + * allocates will not be control pages and may overlap the image. + */ + return init_transition_pgtable(image, image->arch.pgd, control_page); } static void load_segments(void) @@ -299,14 +304,14 @@ static void load_segments(void) int machine_kexec_prepare(struct kimage *image) { - unsigned long start_pgtable; + unsigned long control_page; int result; /* Calculate the offsets */ - start_pgtable = page_to_pfn(image->control_code_page) << PAGE_SHIFT; + control_page = page_to_pfn(image->control_code_page) << PAGE_SHIFT; /* Setup the identity mapped 64bit page table */ - result = init_pgtable(image, start_pgtable); + result = init_pgtable(image, control_page); if (result) return result; @@ -353,13 +358,12 @@ void machine_kexec(struct kimage *image) #endif } - control_page = page_address(image->control_code_page) + PAGE_SIZE; + control_page = page_address(image->control_code_page); __memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE); page_list[PA_CONTROL_PAGE] = virt_to_phys(control_page); page_list[VA_CONTROL_PAGE] = (unsigned long)control_page; - page_list[PA_TABLE_PAGE] = - (unsigned long)__pa(page_address(image->control_code_page)); + page_list[PA_TABLE_PAGE] = (unsigned long)__pa(image->arch.pgd); if (image->type == KEXEC_TYPE_DEFAULT) page_list[PA_SWAP_PAGE] = (page_to_pfn(image->swap_page) @@ -578,8 +582,7 @@ static void kexec_mark_crashkres(bool protect) /* Don't touch the control code page used in crash_kexec().*/ control = PFN_PHYS(page_to_pfn(kexec_crash_image->control_code_page)); - /* Control code page is located in the 2nd page. */ - kexec_mark_range(crashk_res.start, control + PAGE_SIZE - 1, protect); + kexec_mark_range(crashk_res.start, control - 1, protect); control += KEXEC_CONTROL_PAGE_SIZE; kexec_mark_range(control, crashk_res.end, protect); } -- 2.39.5

3 months

1
7
0 0

[PATCH AUTOSEL 6.6 1/9] x86/kexec: Allocate PGD for x86_64 transition page tables separately

by Sasha Levin

From: David Woodhouse <dwmw(a)amazon.co.uk> [ Upstream commit 4b5bc2ec9a239bce261ffeafdd63571134102323 ] Now that the following fix: d0ceea662d45 ("x86/mm: Add _PAGE_NOPTISHADOW bit to avoid updating userspace page tables") stops kernel_ident_mapping_init() from scribbling over the end of a 4KiB PGD by assuming the following 4KiB will be a userspace PGD, there's no good reason for the kexec PGD to be part of a single 8KiB allocation with the control_code_page. ( It's not clear that that was the reason for x86_64 kexec doing it that way in the first place either; there were no comments to that effect and it seems to have been the case even before PTI came along. It looks like it was just a happy accident which prevented memory corruption on kexec. ) Either way, it definitely isn't needed now. Just allocate the PGD separately on x86_64, like i386 already does. Signed-off-by: David Woodhouse <dwmw(a)amazon.co.uk> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Vivek Goyal <vgoyal(a)redhat.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: Eric Biederman <ebiederm(a)xmission.com> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Link: https://lore.kernel.org/r/20241205153343.3275139-6-dwmw2@infradead.org Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/include/asm/kexec.h | 18 +++++++++--- arch/x86/kernel/machine_kexec_64.c | 45 ++++++++++++++++-------------- 2 files changed, 38 insertions(+), 25 deletions(-) diff --git a/arch/x86/include/asm/kexec.h b/arch/x86/include/asm/kexec.h index c9f6a6c5de3cf..d54dd7084a3e1 100644 --- a/arch/x86/include/asm/kexec.h +++ b/arch/x86/include/asm/kexec.h @@ -16,6 +16,7 @@ # define PAGES_NR 4 #endif +# define KEXEC_CONTROL_PAGE_SIZE 4096 # define KEXEC_CONTROL_CODE_MAX_SIZE 2048 #ifndef __ASSEMBLY__ @@ -44,7 +45,6 @@ struct kimage; /* Maximum address we can use for the control code buffer */ # define KEXEC_CONTROL_MEMORY_LIMIT TASK_SIZE -# define KEXEC_CONTROL_PAGE_SIZE 4096 /* The native architecture */ # define KEXEC_ARCH KEXEC_ARCH_386 @@ -59,9 +59,6 @@ struct kimage; /* Maximum address we can use for the control pages */ # define KEXEC_CONTROL_MEMORY_LIMIT (MAXMEM-1) -/* Allocate one page for the pdp and the second for the code */ -# define KEXEC_CONTROL_PAGE_SIZE (4096UL + 4096UL) - /* The native architecture */ # define KEXEC_ARCH KEXEC_ARCH_X86_64 #endif @@ -146,6 +143,19 @@ struct kimage_arch { }; #else struct kimage_arch { + /* + * This is a kimage control page, as it must not overlap with either + * source or destination address ranges. + */ + pgd_t *pgd; + /* + * The virtual mapping of the control code page itself is used only + * during the transition, while the current kernel's pages are all + * in place. Thus the intermediate page table pages used to map it + * are not control pages, but instead just normal pages obtained + * with get_zeroed_page(). And have to be tracked (below) so that + * they can be freed. + */ p4d_t *p4d; pud_t *pud; pmd_t *pmd; diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c index 2fa12d1dc6760..8509d809a9f1b 100644 --- a/arch/x86/kernel/machine_kexec_64.c +++ b/arch/x86/kernel/machine_kexec_64.c @@ -149,7 +149,8 @@ static void free_transition_pgtable(struct kimage *image) image->arch.pte = NULL; } -static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) +static int init_transition_pgtable(struct kimage *image, pgd_t *pgd, + unsigned long control_page) { pgprot_t prot = PAGE_KERNEL_EXEC_NOENC; unsigned long vaddr, paddr; @@ -160,7 +161,7 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) pte_t *pte; vaddr = (unsigned long)relocate_kernel; - paddr = __pa(page_address(image->control_code_page)+PAGE_SIZE); + paddr = control_page; pgd += pgd_index(vaddr); if (!pgd_present(*pgd)) { p4d = (p4d_t *)get_zeroed_page(GFP_KERNEL); @@ -219,7 +220,7 @@ static void *alloc_pgt_page(void *data) return p; } -static int init_pgtable(struct kimage *image, unsigned long start_pgtable) +static int init_pgtable(struct kimage *image, unsigned long control_page) { struct x86_mapping_info info = { .alloc_pgt_page = alloc_pgt_page, @@ -228,12 +229,12 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) .kernpg_flag = _KERNPG_TABLE_NOENC, }; unsigned long mstart, mend; - pgd_t *level4p; int result; int i; - level4p = (pgd_t *)__va(start_pgtable); - clear_page(level4p); + image->arch.pgd = alloc_pgt_page(image); + if (!image->arch.pgd) + return -ENOMEM; if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) { info.page_flag |= _PAGE_ENC; @@ -247,8 +248,8 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) mstart = pfn_mapped[i].start << PAGE_SHIFT; mend = pfn_mapped[i].end << PAGE_SHIFT; - result = kernel_ident_mapping_init(&info, - level4p, mstart, mend); + result = kernel_ident_mapping_init(&info, image->arch.pgd, + mstart, mend); if (result) return result; } @@ -263,8 +264,8 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) mstart = image->segment[i].mem; mend = mstart + image->segment[i].memsz; - result = kernel_ident_mapping_init(&info, - level4p, mstart, mend); + result = kernel_ident_mapping_init(&info, image->arch.pgd, + mstart, mend); if (result) return result; @@ -274,15 +275,19 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable) * Prepare EFI systab and ACPI tables for kexec kernel since they are * not covered by pfn_mapped. */ - result = map_efi_systab(&info, level4p); + result = map_efi_systab(&info, image->arch.pgd); if (result) return result; - result = map_acpi_tables(&info, level4p); + result = map_acpi_tables(&info, image->arch.pgd); if (result) return result; - return init_transition_pgtable(image, level4p); + /* + * This must be last because the intermediate page table pages it + * allocates will not be control pages and may overlap the image. + */ + return init_transition_pgtable(image, image->arch.pgd, control_page); } static void load_segments(void) @@ -299,14 +304,14 @@ static void load_segments(void) int machine_kexec_prepare(struct kimage *image) { - unsigned long start_pgtable; + unsigned long control_page; int result; /* Calculate the offsets */ - start_pgtable = page_to_pfn(image->control_code_page) << PAGE_SHIFT; + control_page = page_to_pfn(image->control_code_page) << PAGE_SHIFT; /* Setup the identity mapped 64bit page table */ - result = init_pgtable(image, start_pgtable); + result = init_pgtable(image, control_page); if (result) return result; @@ -360,13 +365,12 @@ void machine_kexec(struct kimage *image) #endif } - control_page = page_address(image->control_code_page) + PAGE_SIZE; + control_page = page_address(image->control_code_page); __memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE); page_list[PA_CONTROL_PAGE] = virt_to_phys(control_page); page_list[VA_CONTROL_PAGE] = (unsigned long)control_page; - page_list[PA_TABLE_PAGE] = - (unsigned long)__pa(page_address(image->control_code_page)); + page_list[PA_TABLE_PAGE] = (unsigned long)__pa(image->arch.pgd); if (image->type == KEXEC_TYPE_DEFAULT) page_list[PA_SWAP_PAGE] = (page_to_pfn(image->swap_page) @@ -574,8 +578,7 @@ static void kexec_mark_crashkres(bool protect) /* Don't touch the control code page used in crash_kexec().*/ control = PFN_PHYS(page_to_pfn(kexec_crash_image->control_code_page)); - /* Control code page is located in the 2nd page. */ - kexec_mark_range(crashk_res.start, control + PAGE_SIZE - 1, protect); + kexec_mark_range(crashk_res.start, control - 1, protect); control += KEXEC_CONTROL_PAGE_SIZE; kexec_mark_range(control, crashk_res.end, protect); } -- 2.39.5

3 months

1
8
0 0

[PATCH AUTOSEL 6.12 01/14] ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params

by Sasha Levin

From: Bard Liao <yung-chuan.liao(a)linux.intel.com> [ Upstream commit 569922b82ca660f8b24e705f6cf674e6b1f99cc7 ] Each cpu DAI should associate with a widget. However, the topology might not create the right number of DAI widgets for aggregated amps. And it will cause NULL pointer deference. Check that the DAI widget associated with the CPU DAI is valid to prevent NULL pointer deference due to missing DAI widgets in topologies with aggregated amps. Signed-off-by: Bard Liao <yung-chuan.liao(a)linux.intel.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan(a)linux.intel.com> Reviewed-by: Péter Ujfalusi <peter.ujfalusi(a)linux.intel.com> Reviewed-by: Liam Girdwood <liam.r.girdwood(a)intel.com> Link: https://patch.msgid.link/20241203104853.56956-1-yung-chuan.liao@linux.intel… Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/sof/intel/hda-dai.c | 12 ++++++++++++ sound/soc/sof/intel/hda.c | 5 +++++ 2 files changed, 17 insertions(+) diff --git a/sound/soc/sof/intel/hda-dai.c b/sound/soc/sof/intel/hda-dai.c index 82f46ecd94301..2e58a264da556 100644 --- a/sound/soc/sof/intel/hda-dai.c +++ b/sound/soc/sof/intel/hda-dai.c @@ -503,6 +503,12 @@ int sdw_hda_dai_hw_params(struct snd_pcm_substream *substream, int ret; int i; + if (!w) { + dev_err(cpu_dai->dev, "%s widget not found, check amp link num in the topology\n", + cpu_dai->name); + return -EINVAL; + } + ops = hda_dai_get_ops(substream, cpu_dai); if (!ops) { dev_err(cpu_dai->dev, "DAI widget ops not set\n"); @@ -582,6 +588,12 @@ int sdw_hda_dai_hw_params(struct snd_pcm_substream *substream, */ for_each_rtd_cpu_dais(rtd, i, dai) { w = snd_soc_dai_get_widget(dai, substream->stream); + if (!w) { + dev_err(cpu_dai->dev, + "%s widget not found, check amp link num in the topology\n", + dai->name); + return -EINVAL; + } ipc4_copier = widget_to_copier(w); memcpy(&ipc4_copier->dma_config_tlv[cpu_dai_id], dma_config_tlv, sizeof(*dma_config_tlv)); diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c index 70fc08c8fc99e..f10ed4d102501 100644 --- a/sound/soc/sof/intel/hda.c +++ b/sound/soc/sof/intel/hda.c @@ -63,6 +63,11 @@ static int sdw_params_stream(struct device *dev, struct snd_soc_dapm_widget *w = snd_soc_dai_get_widget(d, params_data->substream->stream); struct snd_sof_dai_config_data data = { 0 }; + if (!w) { + dev_err(dev, "%s widget not found, check amp link num in the topology\n", + d->name); + return -EINVAL; + } data.dai_index = (params_data->link_id << 8) | d->id; data.dai_data = params_data->alh_stream_id; data.dai_node_id = data.dai_data; -- 2.39.5

3 months

1
13
0 0

[PATCH AUTOSEL 5.4 1/7] tun: fix group permission check

by Sasha Levin

From: Stas Sergeev <stsp2(a)yandex.ru> [ Upstream commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3 ] Currently tun checks the group permission even if the user have matched. Besides going against the usual permission semantic, this has a very interesting implication: if the tun group is not among the supplementary groups of the tun user, then effectively no one can access the tun device. CAP_SYS_ADMIN still can, but its the same as not setting the tun ownership. This patch relaxes the group checking so that either the user match or the group match is enough. This avoids the situation when no one can access the device even though the ownership is properly set. Also I simplified the logic by removing the redundant inversions: tun_not_capable() --> !tun_capable() Signed-off-by: Stas Sergeev <stsp2(a)yandex.ru> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/tun.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 0adce9bf7a1e5..87cc7d778c3cf 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -636,14 +636,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, return ret; } -static inline bool tun_not_capable(struct tun_struct *tun) +static inline bool tun_capable(struct tun_struct *tun) { const struct cred *cred = current_cred(); struct net *net = dev_net(tun->dev); - return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || - (gid_valid(tun->group) && !in_egroup_p(tun->group))) && - !ns_capable(net->user_ns, CAP_NET_ADMIN); + if (ns_capable(net->user_ns, CAP_NET_ADMIN)) + return 1; + if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner)) + return 1; + if (gid_valid(tun->group) && in_egroup_p(tun->group)) + return 1; + return 0; } static void tun_set_real_num_queues(struct tun_struct *tun) @@ -2838,7 +2842,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) !!(tun->flags & IFF_MULTI_QUEUE)) return -EINVAL; - if (tun_not_capable(tun)) + if (!tun_capable(tun)) return -EPERM; err = security_tun_dev_open(tun->security); if (err < 0) -- 2.39.5

3 months

1
6
0 0

[PATCH AUTOSEL 5.10 01/12] tun: fix group permission check

by Sasha Levin

From: Stas Sergeev <stsp2(a)yandex.ru> [ Upstream commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3 ] Currently tun checks the group permission even if the user have matched. Besides going against the usual permission semantic, this has a very interesting implication: if the tun group is not among the supplementary groups of the tun user, then effectively no one can access the tun device. CAP_SYS_ADMIN still can, but its the same as not setting the tun ownership. This patch relaxes the group checking so that either the user match or the group match is enough. This avoids the situation when no one can access the device even though the ownership is properly set. Also I simplified the logic by removing the redundant inversions: tun_not_capable() --> !tun_capable() Signed-off-by: Stas Sergeev <stsp2(a)yandex.ru> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/tun.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index c34c6f0d23efe..52ea9f81d388b 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -586,14 +586,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, return ret; } -static inline bool tun_not_capable(struct tun_struct *tun) +static inline bool tun_capable(struct tun_struct *tun) { const struct cred *cred = current_cred(); struct net *net = dev_net(tun->dev); - return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || - (gid_valid(tun->group) && !in_egroup_p(tun->group))) && - !ns_capable(net->user_ns, CAP_NET_ADMIN); + if (ns_capable(net->user_ns, CAP_NET_ADMIN)) + return 1; + if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner)) + return 1; + if (gid_valid(tun->group) && in_egroup_p(tun->group)) + return 1; + return 0; } static void tun_set_real_num_queues(struct tun_struct *tun) @@ -2772,7 +2776,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) !!(tun->flags & IFF_MULTI_QUEUE)) return -EINVAL; - if (tun_not_capable(tun)) + if (!tun_capable(tun)) return -EPERM; err = security_tun_dev_open(tun->security); if (err < 0) -- 2.39.5

3 months

1
11
0 0

[PATCH AUTOSEL 5.15 01/14] tun: fix group permission check

by Sasha Levin

From: Stas Sergeev <stsp2(a)yandex.ru> [ Upstream commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3 ] Currently tun checks the group permission even if the user have matched. Besides going against the usual permission semantic, this has a very interesting implication: if the tun group is not among the supplementary groups of the tun user, then effectively no one can access the tun device. CAP_SYS_ADMIN still can, but its the same as not setting the tun ownership. This patch relaxes the group checking so that either the user match or the group match is enough. This avoids the situation when no one can access the device even though the ownership is properly set. Also I simplified the logic by removing the redundant inversions: tun_not_capable() --> !tun_capable() Signed-off-by: Stas Sergeev <stsp2(a)yandex.ru> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/tun.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 959ca6b9cd138..a85f743aa1573 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -575,14 +575,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, return ret; } -static inline bool tun_not_capable(struct tun_struct *tun) +static inline bool tun_capable(struct tun_struct *tun) { const struct cred *cred = current_cred(); struct net *net = dev_net(tun->dev); - return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || - (gid_valid(tun->group) && !in_egroup_p(tun->group))) && - !ns_capable(net->user_ns, CAP_NET_ADMIN); + if (ns_capable(net->user_ns, CAP_NET_ADMIN)) + return 1; + if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner)) + return 1; + if (gid_valid(tun->group) && in_egroup_p(tun->group)) + return 1; + return 0; } static void tun_set_real_num_queues(struct tun_struct *tun) @@ -2718,7 +2722,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) !!(tun->flags & IFF_MULTI_QUEUE)) return -EINVAL; - if (tun_not_capable(tun)) + if (!tun_capable(tun)) return -EPERM; err = security_tun_dev_open(tun->security); if (err < 0) -- 2.39.5

3 months

1
13
0 0

[PATCH AUTOSEL 6.1 01/17] tun: fix group permission check

by Sasha Levin

From: Stas Sergeev <stsp2(a)yandex.ru> [ Upstream commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3 ] Currently tun checks the group permission even if the user have matched. Besides going against the usual permission semantic, this has a very interesting implication: if the tun group is not among the supplementary groups of the tun user, then effectively no one can access the tun device. CAP_SYS_ADMIN still can, but its the same as not setting the tun ownership. This patch relaxes the group checking so that either the user match or the group match is enough. This avoids the situation when no one can access the device even though the ownership is properly set. Also I simplified the logic by removing the redundant inversions: tun_not_capable() --> !tun_capable() Signed-off-by: Stas Sergeev <stsp2(a)yandex.ru> Reviewed-by: Willem de Bruijn <willemb(a)google.com> Acked-by: Jason Wang <jasowang(a)redhat.com> Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/tun.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index ea98d93138c12..a6c9f9062dbd4 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -574,14 +574,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb, return ret; } -static inline bool tun_not_capable(struct tun_struct *tun) +static inline bool tun_capable(struct tun_struct *tun) { const struct cred *cred = current_cred(); struct net *net = dev_net(tun->dev); - return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) || - (gid_valid(tun->group) && !in_egroup_p(tun->group))) && - !ns_capable(net->user_ns, CAP_NET_ADMIN); + if (ns_capable(net->user_ns, CAP_NET_ADMIN)) + return 1; + if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner)) + return 1; + if (gid_valid(tun->group) && in_egroup_p(tun->group)) + return 1; + return 0; } static void tun_set_real_num_queues(struct tun_struct *tun) @@ -2767,7 +2771,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) !!(tun->flags & IFF_MULTI_QUEUE)) return -EINVAL; - if (tun_not_capable(tun)) + if (!tun_capable(tun)) return -EPERM; err = security_tun_dev_open(tun->security); if (err < 0) -- 2.39.5

3 months

1
16
0 0

[PATCH AUTOSEL 6.6 01/19] wifi: rtw89: add crystal_cap check to avoid setting as overflow value

by Sasha Levin

From: Chih-Kang Chang <gary.chang(a)realtek.com> [ Upstream commit 7b98caea39676561f22db58752551161bb36462b ] In the original flow, the crystal_cap might be calculated as a negative value and set as an overflow value. Therefore, we added a check to limit the calculated crystal_cap value. Additionally, we shrank the crystal_cap adjustment according to specific CFO. Signed-off-by: Chih-Kang Chang <gary.chang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://patch.msgid.link/20241128055433.11851-7-pkshih@realtek.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/realtek/rtw89/phy.c | 11 ++++++----- drivers/net/wireless/realtek/rtw89/phy.h | 2 +- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c index fac83b718a30c..457c1dd31bf9d 100644 --- a/drivers/net/wireless/realtek/rtw89/phy.c +++ b/drivers/net/wireless/realtek/rtw89/phy.c @@ -2438,7 +2438,6 @@ static void rtw89_phy_cfo_set_crystal_cap(struct rtw89_dev *rtwdev, if (!force && cfo->crystal_cap == crystal_cap) return; - crystal_cap = clamp_t(u8, crystal_cap, 0, 127); if (chip->chip_id == RTL8852A || chip->chip_id == RTL8851B) { rtw89_phy_cfo_set_xcap_reg(rtwdev, true, crystal_cap); rtw89_phy_cfo_set_xcap_reg(rtwdev, false, crystal_cap); @@ -2552,7 +2551,7 @@ static void rtw89_phy_cfo_crystal_cap_adjust(struct rtw89_dev *rtwdev, s32 curr_cfo) { struct rtw89_cfo_tracking_info *cfo = &rtwdev->cfo_tracking; - s8 crystal_cap = cfo->crystal_cap; + int crystal_cap = cfo->crystal_cap; s32 cfo_abs = abs(curr_cfo); int sign; @@ -2569,15 +2568,17 @@ static void rtw89_phy_cfo_crystal_cap_adjust(struct rtw89_dev *rtwdev, } sign = curr_cfo > 0 ? 1 : -1; if (cfo_abs > CFO_TRK_STOP_TH_4) - crystal_cap += 7 * sign; + crystal_cap += 3 * sign; else if (cfo_abs > CFO_TRK_STOP_TH_3) - crystal_cap += 5 * sign; - else if (cfo_abs > CFO_TRK_STOP_TH_2) crystal_cap += 3 * sign; + else if (cfo_abs > CFO_TRK_STOP_TH_2) + crystal_cap += 1 * sign; else if (cfo_abs > CFO_TRK_STOP_TH_1) crystal_cap += 1 * sign; else return; + + crystal_cap = clamp(crystal_cap, 0, 127); rtw89_phy_cfo_set_crystal_cap(rtwdev, (u8)crystal_cap, false); rtw89_debug(rtwdev, RTW89_DBG_CFO, "X_cap{Curr,Default}={0x%x,0x%x}\n", diff --git a/drivers/net/wireless/realtek/rtw89/phy.h b/drivers/net/wireless/realtek/rtw89/phy.h index d6dc0cbbae43b..15ed23fa4218f 100644 --- a/drivers/net/wireless/realtek/rtw89/phy.h +++ b/drivers/net/wireless/realtek/rtw89/phy.h @@ -51,7 +51,7 @@ #define CFO_TRK_STOP_TH_4 (30 << 2) #define CFO_TRK_STOP_TH_3 (20 << 2) #define CFO_TRK_STOP_TH_2 (10 << 2) -#define CFO_TRK_STOP_TH_1 (00 << 2) +#define CFO_TRK_STOP_TH_1 (03 << 2) #define CFO_TRK_STOP_TH (2 << 2) #define CFO_SW_COMP_FINE_TUNE (2 << 2) #define CFO_PERIOD_CNT 15 -- 2.39.5

3 months

1
18
0 0

[PATCH AUTOSEL 6.12 01/29] wifi: rtw89: add crystal_cap check to avoid setting as overflow value

by Sasha Levin

From: Chih-Kang Chang <gary.chang(a)realtek.com> [ Upstream commit 7b98caea39676561f22db58752551161bb36462b ] In the original flow, the crystal_cap might be calculated as a negative value and set as an overflow value. Therefore, we added a check to limit the calculated crystal_cap value. Additionally, we shrank the crystal_cap adjustment according to specific CFO. Signed-off-by: Chih-Kang Chang <gary.chang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://patch.msgid.link/20241128055433.11851-7-pkshih@realtek.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/realtek/rtw89/phy.c | 11 ++++++----- drivers/net/wireless/realtek/rtw89/phy.h | 2 +- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c index 4b47b45f897cb..5c31639b4cade 100644 --- a/drivers/net/wireless/realtek/rtw89/phy.c +++ b/drivers/net/wireless/realtek/rtw89/phy.c @@ -3892,7 +3892,6 @@ static void rtw89_phy_cfo_set_crystal_cap(struct rtw89_dev *rtwdev, if (!force && cfo->crystal_cap == crystal_cap) return; - crystal_cap = clamp_t(u8, crystal_cap, 0, 127); if (chip->chip_id == RTL8852A || chip->chip_id == RTL8851B) { rtw89_phy_cfo_set_xcap_reg(rtwdev, true, crystal_cap); rtw89_phy_cfo_set_xcap_reg(rtwdev, false, crystal_cap); @@ -4015,7 +4014,7 @@ static void rtw89_phy_cfo_crystal_cap_adjust(struct rtw89_dev *rtwdev, s32 curr_cfo) { struct rtw89_cfo_tracking_info *cfo = &rtwdev->cfo_tracking; - s8 crystal_cap = cfo->crystal_cap; + int crystal_cap = cfo->crystal_cap; s32 cfo_abs = abs(curr_cfo); int sign; @@ -4036,15 +4035,17 @@ static void rtw89_phy_cfo_crystal_cap_adjust(struct rtw89_dev *rtwdev, } sign = curr_cfo > 0 ? 1 : -1; if (cfo_abs > CFO_TRK_STOP_TH_4) - crystal_cap += 7 * sign; + crystal_cap += 3 * sign; else if (cfo_abs > CFO_TRK_STOP_TH_3) - crystal_cap += 5 * sign; - else if (cfo_abs > CFO_TRK_STOP_TH_2) crystal_cap += 3 * sign; + else if (cfo_abs > CFO_TRK_STOP_TH_2) + crystal_cap += 1 * sign; else if (cfo_abs > CFO_TRK_STOP_TH_1) crystal_cap += 1 * sign; else return; + + crystal_cap = clamp(crystal_cap, 0, 127); rtw89_phy_cfo_set_crystal_cap(rtwdev, (u8)crystal_cap, false); rtw89_debug(rtwdev, RTW89_DBG_CFO, "X_cap{Curr,Default}={0x%x,0x%x}\n", diff --git a/drivers/net/wireless/realtek/rtw89/phy.h b/drivers/net/wireless/realtek/rtw89/phy.h index 7e335c02ee6fb..9bb9c9c8e7a1b 100644 --- a/drivers/net/wireless/realtek/rtw89/phy.h +++ b/drivers/net/wireless/realtek/rtw89/phy.h @@ -57,7 +57,7 @@ #define CFO_TRK_STOP_TH_4 (30 << 2) #define CFO_TRK_STOP_TH_3 (20 << 2) #define CFO_TRK_STOP_TH_2 (10 << 2) -#define CFO_TRK_STOP_TH_1 (00 << 2) +#define CFO_TRK_STOP_TH_1 (03 << 2) #define CFO_TRK_STOP_TH (2 << 2) #define CFO_SW_COMP_FINE_TUNE (2 << 2) #define CFO_PERIOD_CNT 15 -- 2.39.5

3 months

1
28
0 0

[PATCH AUTOSEL 6.13 01/35] wifi: ath12k: Fix for out-of bound access error

by Sasha Levin

From: Karol Przybylski <karprzy7(a)gmail.com> [ Upstream commit eb8c0534713865d190856f10bfc97cf0b88475b1 ] Selfgen stats are placed in a buffer using print_array_to_buf_index() function. Array length parameter passed to the function is too big, resulting in possible out-of bound memory error. Decreasing buffer size by one fixes faulty upper bound of passed array. Discovered in coverity scan, CID 1600742 and CID 1600758 Signed-off-by: Karol Przybylski <karprzy7(a)gmail.com> Acked-by: Kalle Valo <kvalo(a)kernel.org> Link: https://patch.msgid.link/20241105101132.374372-1-karprzy7@gmail.com Signed-off-by: Jeff Johnson <quic_jjohnson(a)quicinc.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c index c9980c0193d1d..43ea87e981f42 100644 --- a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c +++ b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c @@ -1562,7 +1562,8 @@ ath12k_htt_print_tx_selfgen_ac_stats_tlv(const void *tag_buf, u16 tag_len, le32_to_cpu(htt_stats_buf->ac_mu_mimo_ndp)); len += print_array_to_buf_index(buf, len, "ac_mu_mimo_brpollX_tried = ", 1, htt_stats_buf->ac_mu_mimo_brpoll, - ATH12K_HTT_TX_NUM_AC_MUMIMO_USER_STATS, "\n\n"); + ATH12K_HTT_TX_NUM_AC_MUMIMO_USER_STATS - 1, + "\n\n"); stats_req->buf_len = len; } @@ -1590,7 +1591,7 @@ ath12k_htt_print_tx_selfgen_ax_stats_tlv(const void *tag_buf, u16 tag_len, le32_to_cpu(htt_stats_buf->ax_mu_mimo_ndp)); len += print_array_to_buf_index(buf, len, "ax_mu_mimo_brpollX_tried = ", 1, htt_stats_buf->ax_mu_mimo_brpoll, - ATH12K_HTT_TX_NUM_AX_MUMIMO_USER_STATS, "\n"); + ATH12K_HTT_TX_NUM_AX_MUMIMO_USER_STATS - 1, "\n"); len += scnprintf(buf + len, buf_len - len, "ax_basic_trigger = %u\n", le32_to_cpu(htt_stats_buf->ax_basic_trigger)); len += scnprintf(buf + len, buf_len - len, "ax_ulmumimo_total_trigger = %u\n", -- 2.39.5

3 months

1
34
0 0

[PATCH AUTOSEL 5.4 1/2] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX

by Sasha Levin

From: Kuan-Wei Chiu <visitorckw(a)gmail.com> [ Upstream commit 3d6f83df8ff2d5de84b50377e4f0d45e25311c7a ] Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which leads to undefined behavior. To prevent this, cast 1 to u32 before performing the shift, ensuring well-defined behavior. This change explicitly avoids any potential overflow by ensuring that the shift occurs on an unsigned 32-bit integer. Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Acked-by: Petr Mladek <pmladek(a)suse.com> Link: https://lore.kernel.org/r/20240928113608.1438087-1-visitorckw@gmail.com Signed-off-by: Petr Mladek <pmladek(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/printk/printk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index ae1a97dd0c3cb..f6e1e154d9c18 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -457,7 +457,7 @@ static u32 clear_idx; /* record buffer */ #define LOG_ALIGN __alignof__(struct printk_log) #define __LOG_BUF_LEN (1 << CONFIG_LOG_BUF_SHIFT) -#define LOG_BUF_LEN_MAX (u32)(1 << 31) +#define LOG_BUF_LEN_MAX ((u32)1 << 31) static char __log_buf[__LOG_BUF_LEN] __aligned(LOG_ALIGN); static char *log_buf = __log_buf; static u32 log_buf_len = __LOG_BUF_LEN; -- 2.39.5

3 months

1
1
0 0

[PATCH AUTOSEL 5.10 1/3] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX

by Sasha Levin

From: Kuan-Wei Chiu <visitorckw(a)gmail.com> [ Upstream commit 3d6f83df8ff2d5de84b50377e4f0d45e25311c7a ] Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which leads to undefined behavior. To prevent this, cast 1 to u32 before performing the shift, ensuring well-defined behavior. This change explicitly avoids any potential overflow by ensuring that the shift occurs on an unsigned 32-bit integer. Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Acked-by: Petr Mladek <pmladek(a)suse.com> Link: https://lore.kernel.org/r/20240928113608.1438087-1-visitorckw@gmail.com Signed-off-by: Petr Mladek <pmladek(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/printk/printk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index a8af93cbc2936..3a7fd61c0e7be 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -420,7 +420,7 @@ static u64 clear_seq; /* record buffer */ #define LOG_ALIGN __alignof__(unsigned long) #define __LOG_BUF_LEN (1 << CONFIG_LOG_BUF_SHIFT) -#define LOG_BUF_LEN_MAX (u32)(1 << 31) +#define LOG_BUF_LEN_MAX ((u32)1 << 31) static char __log_buf[__LOG_BUF_LEN] __aligned(LOG_ALIGN); static char *log_buf = __log_buf; static u32 log_buf_len = __LOG_BUF_LEN; -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 5.15 1/3] printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX

by Sasha Levin

From: Kuan-Wei Chiu <visitorckw(a)gmail.com> [ Upstream commit 3d6f83df8ff2d5de84b50377e4f0d45e25311c7a ] Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which leads to undefined behavior. To prevent this, cast 1 to u32 before performing the shift, ensuring well-defined behavior. This change explicitly avoids any potential overflow by ensuring that the shift occurs on an unsigned 32-bit integer. Signed-off-by: Kuan-Wei Chiu <visitorckw(a)gmail.com> Acked-by: Petr Mladek <pmladek(a)suse.com> Link: https://lore.kernel.org/r/20240928113608.1438087-1-visitorckw@gmail.com Signed-off-by: Petr Mladek <pmladek(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/printk/printk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index 5e81d2a79d5cc..113990f38436e 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -403,7 +403,7 @@ static struct latched_seq clear_seq = { /* record buffer */ #define LOG_ALIGN __alignof__(unsigned long) #define __LOG_BUF_LEN (1 << CONFIG_LOG_BUF_SHIFT) -#define LOG_BUF_LEN_MAX (u32)(1 << 31) +#define LOG_BUF_LEN_MAX ((u32)1 << 31) static char __log_buf[__LOG_BUF_LEN] __aligned(LOG_ALIGN); static char *log_buf = __log_buf; static u32 log_buf_len = __LOG_BUF_LEN; -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 6.1 1/9] drm/virtio: New fence for every plane update

by Sasha Levin

From: Dongwon Kim <dongwon.kim(a)intel.com> [ Upstream commit d3c55b8ab6fe5fa2e7ab02efd36d09c39ee5022f ] Having a fence linked to a virtio_gpu_framebuffer in the plane update sequence would cause conflict when several planes referencing the same framebuffer (e.g. Xorg screen covering multi-displays configured for an extended mode) and those planes are updated concurrently. So it is needed to allocate a fence for every plane state instead of the framebuffer. Signed-off-by: Dongwon Kim <dongwon.kim(a)intel.com> [dmitry.osipenko(a)collabora.com: rebase, fix up, edit commit message] Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Reviewed-by: Rob Clark <robdclark(a)gmail.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241020230803.247419-2-dmitr… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/virtio/virtgpu_drv.h | 7 ++++ drivers/gpu/drm/virtio/virtgpu_plane.c | 58 +++++++++++++++++--------- 2 files changed, 46 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h index 9b98470593b06..20a418f64533b 100644 --- a/drivers/gpu/drm/virtio/virtgpu_drv.h +++ b/drivers/gpu/drm/virtio/virtgpu_drv.h @@ -190,6 +190,13 @@ struct virtio_gpu_framebuffer { #define to_virtio_gpu_framebuffer(x) \ container_of(x, struct virtio_gpu_framebuffer, base) +struct virtio_gpu_plane_state { + struct drm_plane_state base; + struct virtio_gpu_fence *fence; +}; +#define to_virtio_gpu_plane_state(x) \ + container_of(x, struct virtio_gpu_plane_state, base) + struct virtio_gpu_queue { struct virtqueue *vq; spinlock_t qlock; diff --git a/drivers/gpu/drm/virtio/virtgpu_plane.c b/drivers/gpu/drm/virtio/virtgpu_plane.c index 4c09e313bebcd..0c073ba4974fb 100644 --- a/drivers/gpu/drm/virtio/virtgpu_plane.c +++ b/drivers/gpu/drm/virtio/virtgpu_plane.c @@ -66,11 +66,28 @@ uint32_t virtio_gpu_translate_format(uint32_t drm_fourcc) return format; } +static struct +drm_plane_state *virtio_gpu_plane_duplicate_state(struct drm_plane *plane) +{ + struct virtio_gpu_plane_state *new; + + if (WARN_ON(!plane->state)) + return NULL; + + new = kzalloc(sizeof(*new), GFP_KERNEL); + if (!new) + return NULL; + + __drm_atomic_helper_plane_duplicate_state(plane, &new->base); + + return &new->base; +} + static const struct drm_plane_funcs virtio_gpu_plane_funcs = { .update_plane = drm_atomic_helper_update_plane, .disable_plane = drm_atomic_helper_disable_plane, .reset = drm_atomic_helper_plane_reset, - .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state, + .atomic_duplicate_state = virtio_gpu_plane_duplicate_state, .atomic_destroy_state = drm_atomic_helper_plane_destroy_state, }; @@ -128,11 +145,13 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane, struct drm_device *dev = plane->dev; struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo; vgfb = to_virtio_gpu_framebuffer(plane->state->fb); + vgplane_st = to_virtio_gpu_plane_state(plane->state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); - if (vgfb->fence) { + if (vgplane_st->fence) { struct virtio_gpu_object_array *objs; objs = virtio_gpu_array_alloc(1); @@ -141,13 +160,11 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane, virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]); virtio_gpu_array_lock_resv(objs); virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y, - width, height, objs, vgfb->fence); + width, height, objs, + vgplane_st->fence); virtio_gpu_notify(vgdev); - - dma_fence_wait_timeout(&vgfb->fence->f, true, + dma_fence_wait_timeout(&vgplane_st->fence->f, true, msecs_to_jiffies(50)); - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; } else { virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y, width, height, NULL, NULL); @@ -237,20 +254,23 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane, struct drm_device *dev = plane->dev; struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo; if (!new_state->fb) return 0; vgfb = to_virtio_gpu_framebuffer(new_state->fb); + vgplane_st = to_virtio_gpu_plane_state(new_state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); if (!bo || (plane->type == DRM_PLANE_TYPE_PRIMARY && !bo->guest_blob)) return 0; - if (bo->dumb && (plane->state->fb != new_state->fb)) { - vgfb->fence = virtio_gpu_fence_alloc(vgdev, vgdev->fence_drv.context, + if (bo->dumb) { + vgplane_st->fence = virtio_gpu_fence_alloc(vgdev, + vgdev->fence_drv.context, 0); - if (!vgfb->fence) + if (!vgplane_st->fence) return -ENOMEM; } @@ -260,15 +280,15 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane, static void virtio_gpu_plane_cleanup_fb(struct drm_plane *plane, struct drm_plane_state *state) { - struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; if (!state->fb) return; - vgfb = to_virtio_gpu_framebuffer(state->fb); - if (vgfb->fence) { - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; + vgplane_st = to_virtio_gpu_plane_state(state); + if (vgplane_st->fence) { + dma_fence_put(&vgplane_st->fence->f); + vgplane_st->fence = NULL; } } @@ -281,6 +301,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_output *output = NULL; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo = NULL; uint32_t handle; @@ -293,6 +314,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, if (plane->state->fb) { vgfb = to_virtio_gpu_framebuffer(plane->state->fb); + vgplane_st = to_virtio_gpu_plane_state(plane->state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); handle = bo->hw_res_handle; } else { @@ -312,11 +334,9 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, (vgdev, 0, plane->state->crtc_w, plane->state->crtc_h, - 0, 0, objs, vgfb->fence); + 0, 0, objs, vgplane_st->fence); virtio_gpu_notify(vgdev); - dma_fence_wait(&vgfb->fence->f, true); - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; + dma_fence_wait(&vgplane_st->fence->f, true); } if (plane->state->fb != old_state->fb) { -- 2.39.5

3 months

1
8
0 0

[PATCH AUTOSEL 6.6 01/17] drm/virtio: New fence for every plane update

by Sasha Levin

From: Dongwon Kim <dongwon.kim(a)intel.com> [ Upstream commit d3c55b8ab6fe5fa2e7ab02efd36d09c39ee5022f ] Having a fence linked to a virtio_gpu_framebuffer in the plane update sequence would cause conflict when several planes referencing the same framebuffer (e.g. Xorg screen covering multi-displays configured for an extended mode) and those planes are updated concurrently. So it is needed to allocate a fence for every plane state instead of the framebuffer. Signed-off-by: Dongwon Kim <dongwon.kim(a)intel.com> [dmitry.osipenko(a)collabora.com: rebase, fix up, edit commit message] Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Reviewed-by: Rob Clark <robdclark(a)gmail.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241020230803.247419-2-dmitr… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/virtio/virtgpu_drv.h | 7 ++++ drivers/gpu/drm/virtio/virtgpu_plane.c | 58 +++++++++++++++++--------- 2 files changed, 46 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h index 4126c384286bf..61fd37f95fbd9 100644 --- a/drivers/gpu/drm/virtio/virtgpu_drv.h +++ b/drivers/gpu/drm/virtio/virtgpu_drv.h @@ -191,6 +191,13 @@ struct virtio_gpu_framebuffer { #define to_virtio_gpu_framebuffer(x) \ container_of(x, struct virtio_gpu_framebuffer, base) +struct virtio_gpu_plane_state { + struct drm_plane_state base; + struct virtio_gpu_fence *fence; +}; +#define to_virtio_gpu_plane_state(x) \ + container_of(x, struct virtio_gpu_plane_state, base) + struct virtio_gpu_queue { struct virtqueue *vq; spinlock_t qlock; diff --git a/drivers/gpu/drm/virtio/virtgpu_plane.c b/drivers/gpu/drm/virtio/virtgpu_plane.c index a1ef657eba077..36de73e03bbfa 100644 --- a/drivers/gpu/drm/virtio/virtgpu_plane.c +++ b/drivers/gpu/drm/virtio/virtgpu_plane.c @@ -66,11 +66,28 @@ uint32_t virtio_gpu_translate_format(uint32_t drm_fourcc) return format; } +static struct +drm_plane_state *virtio_gpu_plane_duplicate_state(struct drm_plane *plane) +{ + struct virtio_gpu_plane_state *new; + + if (WARN_ON(!plane->state)) + return NULL; + + new = kzalloc(sizeof(*new), GFP_KERNEL); + if (!new) + return NULL; + + __drm_atomic_helper_plane_duplicate_state(plane, &new->base); + + return &new->base; +} + static const struct drm_plane_funcs virtio_gpu_plane_funcs = { .update_plane = drm_atomic_helper_update_plane, .disable_plane = drm_atomic_helper_disable_plane, .reset = drm_atomic_helper_plane_reset, - .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state, + .atomic_duplicate_state = virtio_gpu_plane_duplicate_state, .atomic_destroy_state = drm_atomic_helper_plane_destroy_state, }; @@ -138,11 +155,13 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane, struct drm_device *dev = plane->dev; struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo; vgfb = to_virtio_gpu_framebuffer(plane->state->fb); + vgplane_st = to_virtio_gpu_plane_state(plane->state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); - if (vgfb->fence) { + if (vgplane_st->fence) { struct virtio_gpu_object_array *objs; objs = virtio_gpu_array_alloc(1); @@ -151,13 +170,11 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane, virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]); virtio_gpu_array_lock_resv(objs); virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y, - width, height, objs, vgfb->fence); + width, height, objs, + vgplane_st->fence); virtio_gpu_notify(vgdev); - - dma_fence_wait_timeout(&vgfb->fence->f, true, + dma_fence_wait_timeout(&vgplane_st->fence->f, true, msecs_to_jiffies(50)); - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; } else { virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y, width, height, NULL, NULL); @@ -247,20 +264,23 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane, struct drm_device *dev = plane->dev; struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo; if (!new_state->fb) return 0; vgfb = to_virtio_gpu_framebuffer(new_state->fb); + vgplane_st = to_virtio_gpu_plane_state(new_state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); if (!bo || (plane->type == DRM_PLANE_TYPE_PRIMARY && !bo->guest_blob)) return 0; - if (bo->dumb && (plane->state->fb != new_state->fb)) { - vgfb->fence = virtio_gpu_fence_alloc(vgdev, vgdev->fence_drv.context, + if (bo->dumb) { + vgplane_st->fence = virtio_gpu_fence_alloc(vgdev, + vgdev->fence_drv.context, 0); - if (!vgfb->fence) + if (!vgplane_st->fence) return -ENOMEM; } @@ -270,15 +290,15 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane, static void virtio_gpu_plane_cleanup_fb(struct drm_plane *plane, struct drm_plane_state *state) { - struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; if (!state->fb) return; - vgfb = to_virtio_gpu_framebuffer(state->fb); - if (vgfb->fence) { - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; + vgplane_st = to_virtio_gpu_plane_state(state); + if (vgplane_st->fence) { + dma_fence_put(&vgplane_st->fence->f); + vgplane_st->fence = NULL; } } @@ -291,6 +311,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_output *output = NULL; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo = NULL; uint32_t handle; @@ -303,6 +324,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, if (plane->state->fb) { vgfb = to_virtio_gpu_framebuffer(plane->state->fb); + vgplane_st = to_virtio_gpu_plane_state(plane->state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); handle = bo->hw_res_handle; } else { @@ -322,11 +344,9 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, (vgdev, 0, plane->state->crtc_w, plane->state->crtc_h, - 0, 0, objs, vgfb->fence); + 0, 0, objs, vgplane_st->fence); virtio_gpu_notify(vgdev); - dma_fence_wait(&vgfb->fence->f, true); - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; + dma_fence_wait(&vgplane_st->fence->f, true); } if (plane->state->fb != old_state->fb) { -- 2.39.5

3 months

1
16
0 0

[PATCH AUTOSEL 6.13 01/34] drm/virtio: New fence for every plane update

by Sasha Levin

From: Dongwon Kim <dongwon.kim(a)intel.com> [ Upstream commit d3c55b8ab6fe5fa2e7ab02efd36d09c39ee5022f ] Having a fence linked to a virtio_gpu_framebuffer in the plane update sequence would cause conflict when several planes referencing the same framebuffer (e.g. Xorg screen covering multi-displays configured for an extended mode) and those planes are updated concurrently. So it is needed to allocate a fence for every plane state instead of the framebuffer. Signed-off-by: Dongwon Kim <dongwon.kim(a)intel.com> [dmitry.osipenko(a)collabora.com: rebase, fix up, edit commit message] Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Reviewed-by: Rob Clark <robdclark(a)gmail.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241020230803.247419-2-dmitr… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/virtio/virtgpu_drv.h | 7 ++++ drivers/gpu/drm/virtio/virtgpu_plane.c | 58 +++++++++++++++++--------- 2 files changed, 46 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h index 64c236169db88..5dc8eeaf7123c 100644 --- a/drivers/gpu/drm/virtio/virtgpu_drv.h +++ b/drivers/gpu/drm/virtio/virtgpu_drv.h @@ -194,6 +194,13 @@ struct virtio_gpu_framebuffer { #define to_virtio_gpu_framebuffer(x) \ container_of(x, struct virtio_gpu_framebuffer, base) +struct virtio_gpu_plane_state { + struct drm_plane_state base; + struct virtio_gpu_fence *fence; +}; +#define to_virtio_gpu_plane_state(x) \ + container_of(x, struct virtio_gpu_plane_state, base) + struct virtio_gpu_queue { struct virtqueue *vq; spinlock_t qlock; diff --git a/drivers/gpu/drm/virtio/virtgpu_plane.c b/drivers/gpu/drm/virtio/virtgpu_plane.c index a72a2dbda031c..7acd38b962c62 100644 --- a/drivers/gpu/drm/virtio/virtgpu_plane.c +++ b/drivers/gpu/drm/virtio/virtgpu_plane.c @@ -66,11 +66,28 @@ uint32_t virtio_gpu_translate_format(uint32_t drm_fourcc) return format; } +static struct +drm_plane_state *virtio_gpu_plane_duplicate_state(struct drm_plane *plane) +{ + struct virtio_gpu_plane_state *new; + + if (WARN_ON(!plane->state)) + return NULL; + + new = kzalloc(sizeof(*new), GFP_KERNEL); + if (!new) + return NULL; + + __drm_atomic_helper_plane_duplicate_state(plane, &new->base); + + return &new->base; +} + static const struct drm_plane_funcs virtio_gpu_plane_funcs = { .update_plane = drm_atomic_helper_update_plane, .disable_plane = drm_atomic_helper_disable_plane, .reset = drm_atomic_helper_plane_reset, - .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state, + .atomic_duplicate_state = virtio_gpu_plane_duplicate_state, .atomic_destroy_state = drm_atomic_helper_plane_destroy_state, }; @@ -138,11 +155,13 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane, struct drm_device *dev = plane->dev; struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo; vgfb = to_virtio_gpu_framebuffer(plane->state->fb); + vgplane_st = to_virtio_gpu_plane_state(plane->state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); - if (vgfb->fence) { + if (vgplane_st->fence) { struct virtio_gpu_object_array *objs; objs = virtio_gpu_array_alloc(1); @@ -151,13 +170,11 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane, virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]); virtio_gpu_array_lock_resv(objs); virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y, - width, height, objs, vgfb->fence); + width, height, objs, + vgplane_st->fence); virtio_gpu_notify(vgdev); - - dma_fence_wait_timeout(&vgfb->fence->f, true, + dma_fence_wait_timeout(&vgplane_st->fence->f, true, msecs_to_jiffies(50)); - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; } else { virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y, width, height, NULL, NULL); @@ -247,20 +264,23 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane, struct drm_device *dev = plane->dev; struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo; if (!new_state->fb) return 0; vgfb = to_virtio_gpu_framebuffer(new_state->fb); + vgplane_st = to_virtio_gpu_plane_state(new_state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); if (!bo || (plane->type == DRM_PLANE_TYPE_PRIMARY && !bo->guest_blob)) return 0; - if (bo->dumb && (plane->state->fb != new_state->fb)) { - vgfb->fence = virtio_gpu_fence_alloc(vgdev, vgdev->fence_drv.context, + if (bo->dumb) { + vgplane_st->fence = virtio_gpu_fence_alloc(vgdev, + vgdev->fence_drv.context, 0); - if (!vgfb->fence) + if (!vgplane_st->fence) return -ENOMEM; } @@ -270,15 +290,15 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane, static void virtio_gpu_plane_cleanup_fb(struct drm_plane *plane, struct drm_plane_state *state) { - struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; if (!state->fb) return; - vgfb = to_virtio_gpu_framebuffer(state->fb); - if (vgfb->fence) { - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; + vgplane_st = to_virtio_gpu_plane_state(state); + if (vgplane_st->fence) { + dma_fence_put(&vgplane_st->fence->f); + vgplane_st->fence = NULL; } } @@ -291,6 +311,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, struct virtio_gpu_device *vgdev = dev->dev_private; struct virtio_gpu_output *output = NULL; struct virtio_gpu_framebuffer *vgfb; + struct virtio_gpu_plane_state *vgplane_st; struct virtio_gpu_object *bo = NULL; uint32_t handle; @@ -303,6 +324,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, if (plane->state->fb) { vgfb = to_virtio_gpu_framebuffer(plane->state->fb); + vgplane_st = to_virtio_gpu_plane_state(plane->state); bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]); handle = bo->hw_res_handle; } else { @@ -322,11 +344,9 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane, (vgdev, 0, plane->state->crtc_w, plane->state->crtc_h, - 0, 0, objs, vgfb->fence); + 0, 0, objs, vgplane_st->fence); virtio_gpu_notify(vgdev); - dma_fence_wait(&vgfb->fence->f, true); - dma_fence_put(&vgfb->fence->f); - vgfb->fence = NULL; + dma_fence_wait(&vgplane_st->fence->f, true); } if (plane->state->fb != old_state->fb) { -- 2.39.5

3 months

1
33
0 0

[PATCH AUTOSEL 5.4 1/2] sched: Don't try to catch up excess steal time.

by Sasha Levin

From: Suleiman Souhlal <suleiman(a)google.com> [ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] When steal time exceeds the measured delta when updating clock_task, we currently try to catch up the excess in future updates. However, this results in inaccurate run times for the future things using clock_task, in some situations, as they end up getting additional steal time that did not actually happen. This is because there is a window between reading the elapsed time in update_rq_clock() and sampling the steal time in update_rq_clock_task(). If the VCPU gets preempted between those two points, any additional steal time is accounted to the outgoing task even though the calculated delta did not actually contain any of that "stolen" time. When this race happens, we can end up with steal time that exceeds the calculated delta, and the previous code would try to catch up that excess steal time in future clock updates, which is given to the next, incoming task, even though it did not actually have any time stolen. This behavior is particularly bad when steal time can be very long, which we've seen when trying to extend steal time to contain the duration that the host was suspended [0]. When this happens, clock_task stays frozen, during which the running task stays running for the whole duration, since its run time doesn't increase. However the race can happen even under normal operation. Ideally we would read the elapsed cpu time and the steal time atomically, to prevent this race from happening in the first place, but doing so is non-trivial. Since the time between those two points isn't otherwise accounted anywhere, neither to the outgoing task nor the incoming task (because the "end of outgoing task" and "start of incoming task" timestamps are the same), I would argue that the right thing to do is to simply drop any excess steal time, in order to prevent these issues. [0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ Signed-off-by: Suleiman Souhlal <suleiman(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/sched/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 51ac62637e4ed..39ce8a3d8c573 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -176,13 +176,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) #endif #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING if (static_key_false((&paravirt_steal_rq_enabled))) { - steal = paravirt_steal_clock(cpu_of(rq)); + u64 prev_steal; + + steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); steal -= rq->prev_steal_time_rq; if (unlikely(steal > delta)) steal = delta; - rq->prev_steal_time_rq += steal; + rq->prev_steal_time_rq = prev_steal; delta -= steal; } #endif -- 2.39.5

3 months

1
1
0 0

[PATCH AUTOSEL 5.10 1/3] sched: Don't try to catch up excess steal time.

by Sasha Levin

From: Suleiman Souhlal <suleiman(a)google.com> [ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] When steal time exceeds the measured delta when updating clock_task, we currently try to catch up the excess in future updates. However, this results in inaccurate run times for the future things using clock_task, in some situations, as they end up getting additional steal time that did not actually happen. This is because there is a window between reading the elapsed time in update_rq_clock() and sampling the steal time in update_rq_clock_task(). If the VCPU gets preempted between those two points, any additional steal time is accounted to the outgoing task even though the calculated delta did not actually contain any of that "stolen" time. When this race happens, we can end up with steal time that exceeds the calculated delta, and the previous code would try to catch up that excess steal time in future clock updates, which is given to the next, incoming task, even though it did not actually have any time stolen. This behavior is particularly bad when steal time can be very long, which we've seen when trying to extend steal time to contain the duration that the host was suspended [0]. When this happens, clock_task stays frozen, during which the running task stays running for the whole duration, since its run time doesn't increase. However the race can happen even under normal operation. Ideally we would read the elapsed cpu time and the steal time atomically, to prevent this race from happening in the first place, but doing so is non-trivial. Since the time between those two points isn't otherwise accounted anywhere, neither to the outgoing task nor the incoming task (because the "end of outgoing task" and "start of incoming task" timestamps are the same), I would argue that the right thing to do is to simply drop any excess steal time, in order to prevent these issues. [0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ Signed-off-by: Suleiman Souhlal <suleiman(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/sched/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 7cf45d506688c..42dad8c8d6f28 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -279,13 +279,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) #endif #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING if (static_key_false((&paravirt_steal_rq_enabled))) { - steal = paravirt_steal_clock(cpu_of(rq)); + u64 prev_steal; + + steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); steal -= rq->prev_steal_time_rq; if (unlikely(steal > delta)) steal = delta; - rq->prev_steal_time_rq += steal; + rq->prev_steal_time_rq = prev_steal; delta -= steal; } #endif -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 5.15 1/3] sched: Don't try to catch up excess steal time.

by Sasha Levin

From: Suleiman Souhlal <suleiman(a)google.com> [ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] When steal time exceeds the measured delta when updating clock_task, we currently try to catch up the excess in future updates. However, this results in inaccurate run times for the future things using clock_task, in some situations, as they end up getting additional steal time that did not actually happen. This is because there is a window between reading the elapsed time in update_rq_clock() and sampling the steal time in update_rq_clock_task(). If the VCPU gets preempted between those two points, any additional steal time is accounted to the outgoing task even though the calculated delta did not actually contain any of that "stolen" time. When this race happens, we can end up with steal time that exceeds the calculated delta, and the previous code would try to catch up that excess steal time in future clock updates, which is given to the next, incoming task, even though it did not actually have any time stolen. This behavior is particularly bad when steal time can be very long, which we've seen when trying to extend steal time to contain the duration that the host was suspended [0]. When this happens, clock_task stays frozen, during which the running task stays running for the whole duration, since its run time doesn't increase. However the race can happen even under normal operation. Ideally we would read the elapsed cpu time and the steal time atomically, to prevent this race from happening in the first place, but doing so is non-trivial. Since the time between those two points isn't otherwise accounted anywhere, neither to the outgoing task nor the incoming task (because the "end of outgoing task" and "start of incoming task" timestamps are the same), I would argue that the right thing to do is to simply drop any excess steal time, in order to prevent these issues. [0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ Signed-off-by: Suleiman Souhlal <suleiman(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/sched/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index ed92b75f7e024..691af58c156e1 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -642,13 +642,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) #endif #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING if (static_key_false((&paravirt_steal_rq_enabled))) { - steal = paravirt_steal_clock(cpu_of(rq)); + u64 prev_steal; + + steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); steal -= rq->prev_steal_time_rq; if (unlikely(steal > delta)) steal = delta; - rq->prev_steal_time_rq += steal; + rq->prev_steal_time_rq = prev_steal; delta -= steal; } #endif -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 6.1 1/3] sched: Don't try to catch up excess steal time.

by Sasha Levin

From: Suleiman Souhlal <suleiman(a)google.com> [ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] When steal time exceeds the measured delta when updating clock_task, we currently try to catch up the excess in future updates. However, this results in inaccurate run times for the future things using clock_task, in some situations, as they end up getting additional steal time that did not actually happen. This is because there is a window between reading the elapsed time in update_rq_clock() and sampling the steal time in update_rq_clock_task(). If the VCPU gets preempted between those two points, any additional steal time is accounted to the outgoing task even though the calculated delta did not actually contain any of that "stolen" time. When this race happens, we can end up with steal time that exceeds the calculated delta, and the previous code would try to catch up that excess steal time in future clock updates, which is given to the next, incoming task, even though it did not actually have any time stolen. This behavior is particularly bad when steal time can be very long, which we've seen when trying to extend steal time to contain the duration that the host was suspended [0]. When this happens, clock_task stays frozen, during which the running task stays running for the whole duration, since its run time doesn't increase. However the race can happen even under normal operation. Ideally we would read the elapsed cpu time and the steal time atomically, to prevent this race from happening in the first place, but doing so is non-trivial. Since the time between those two points isn't otherwise accounted anywhere, neither to the outgoing task nor the incoming task (because the "end of outgoing task" and "start of incoming task" timestamps are the same), I would argue that the right thing to do is to simply drop any excess steal time, in order to prevent these issues. [0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ Signed-off-by: Suleiman Souhlal <suleiman(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/sched/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 54af671e8d510..3927904984fd5 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -704,13 +704,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) #endif #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING if (static_key_false((&paravirt_steal_rq_enabled))) { - steal = paravirt_steal_clock(cpu_of(rq)); + u64 prev_steal; + + steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); steal -= rq->prev_steal_time_rq; if (unlikely(steal > delta)) steal = delta; - rq->prev_steal_time_rq += steal; + rq->prev_steal_time_rq = prev_steal; delta -= steal; } #endif -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 6.6 1/3] sched: Don't try to catch up excess steal time.

by Sasha Levin

From: Suleiman Souhlal <suleiman(a)google.com> [ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] When steal time exceeds the measured delta when updating clock_task, we currently try to catch up the excess in future updates. However, this results in inaccurate run times for the future things using clock_task, in some situations, as they end up getting additional steal time that did not actually happen. This is because there is a window between reading the elapsed time in update_rq_clock() and sampling the steal time in update_rq_clock_task(). If the VCPU gets preempted between those two points, any additional steal time is accounted to the outgoing task even though the calculated delta did not actually contain any of that "stolen" time. When this race happens, we can end up with steal time that exceeds the calculated delta, and the previous code would try to catch up that excess steal time in future clock updates, which is given to the next, incoming task, even though it did not actually have any time stolen. This behavior is particularly bad when steal time can be very long, which we've seen when trying to extend steal time to contain the duration that the host was suspended [0]. When this happens, clock_task stays frozen, during which the running task stays running for the whole duration, since its run time doesn't increase. However the race can happen even under normal operation. Ideally we would read the elapsed cpu time and the steal time atomically, to prevent this race from happening in the first place, but doing so is non-trivial. Since the time between those two points isn't otherwise accounted anywhere, neither to the outgoing task nor the incoming task (because the "end of outgoing task" and "start of incoming task" timestamps are the same), I would argue that the right thing to do is to simply drop any excess steal time, in order to prevent these issues. [0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ Signed-off-by: Suleiman Souhlal <suleiman(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/sched/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 86606fb9e6bc6..c686d826a91cf 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -726,13 +726,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) #endif #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING if (static_key_false((&paravirt_steal_rq_enabled))) { - steal = paravirt_steal_clock(cpu_of(rq)); + u64 prev_steal; + + steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); steal -= rq->prev_steal_time_rq; if (unlikely(steal > delta)) steal = delta; - rq->prev_steal_time_rq += steal; + rq->prev_steal_time_rq = prev_steal; delta -= steal; } #endif -- 2.39.5

3 months

1
2
0 0

[PATCH AUTOSEL 6.12 1/7] sched: Don't try to catch up excess steal time.

by Sasha Levin

From: Suleiman Souhlal <suleiman(a)google.com> [ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] When steal time exceeds the measured delta when updating clock_task, we currently try to catch up the excess in future updates. However, this results in inaccurate run times for the future things using clock_task, in some situations, as they end up getting additional steal time that did not actually happen. This is because there is a window between reading the elapsed time in update_rq_clock() and sampling the steal time in update_rq_clock_task(). If the VCPU gets preempted between those two points, any additional steal time is accounted to the outgoing task even though the calculated delta did not actually contain any of that "stolen" time. When this race happens, we can end up with steal time that exceeds the calculated delta, and the previous code would try to catch up that excess steal time in future clock updates, which is given to the next, incoming task, even though it did not actually have any time stolen. This behavior is particularly bad when steal time can be very long, which we've seen when trying to extend steal time to contain the duration that the host was suspended [0]. When this happens, clock_task stays frozen, during which the running task stays running for the whole duration, since its run time doesn't increase. However the race can happen even under normal operation. Ideally we would read the elapsed cpu time and the steal time atomically, to prevent this race from happening in the first place, but doing so is non-trivial. Since the time between those two points isn't otherwise accounted anywhere, neither to the outgoing task nor the incoming task (because the "end of outgoing task" and "start of incoming task" timestamps are the same), I would argue that the right thing to do is to simply drop any excess steal time, in order to prevent these issues. [0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ Signed-off-by: Suleiman Souhlal <suleiman(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/sched/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index d07dc87787dff..9015c792830c2 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -766,13 +766,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) #endif #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING if (static_key_false((&paravirt_steal_rq_enabled))) { - steal = paravirt_steal_clock(cpu_of(rq)); + u64 prev_steal; + + steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); steal -= rq->prev_steal_time_rq; if (unlikely(steal > delta)) steal = delta; - rq->prev_steal_time_rq += steal; + rq->prev_steal_time_rq = prev_steal; delta -= steal; } #endif -- 2.39.5

3 months

1
6
0 0

[PATCH AUTOSEL 6.13 1/7] sched: Don't try to catch up excess steal time.

by Sasha Levin

From: Suleiman Souhlal <suleiman(a)google.com> [ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ] When steal time exceeds the measured delta when updating clock_task, we currently try to catch up the excess in future updates. However, this results in inaccurate run times for the future things using clock_task, in some situations, as they end up getting additional steal time that did not actually happen. This is because there is a window between reading the elapsed time in update_rq_clock() and sampling the steal time in update_rq_clock_task(). If the VCPU gets preempted between those two points, any additional steal time is accounted to the outgoing task even though the calculated delta did not actually contain any of that "stolen" time. When this race happens, we can end up with steal time that exceeds the calculated delta, and the previous code would try to catch up that excess steal time in future clock updates, which is given to the next, incoming task, even though it did not actually have any time stolen. This behavior is particularly bad when steal time can be very long, which we've seen when trying to extend steal time to contain the duration that the host was suspended [0]. When this happens, clock_task stays frozen, during which the running task stays running for the whole duration, since its run time doesn't increase. However the race can happen even under normal operation. Ideally we would read the elapsed cpu time and the steal time atomically, to prevent this race from happening in the first place, but doing so is non-trivial. Since the time between those two points isn't otherwise accounted anywhere, neither to the outgoing task nor the incoming task (because the "end of outgoing task" and "start of incoming task" timestamps are the same), I would argue that the right thing to do is to simply drop any excess steal time, in order to prevent these issues. [0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/ Signed-off-by: Suleiman Souhlal <suleiman(a)google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/sched/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 3e5a6bf587f91..296e77380318e 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -766,13 +766,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta) #endif #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING if (static_key_false((&paravirt_steal_rq_enabled))) { - steal = paravirt_steal_clock(cpu_of(rq)); + u64 prev_steal; + + steal = prev_steal = paravirt_steal_clock(cpu_of(rq)); steal -= rq->prev_steal_time_rq; if (unlikely(steal > delta)) steal = delta; - rq->prev_steal_time_rq += steal; + rq->prev_steal_time_rq = prev_steal; delta -= steal; } #endif -- 2.39.5

3 months

1
6
0 0

[PATCH AUTOSEL 5.4] btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling

by Sasha Levin

From: Josef Bacik <josef(a)toxicpanda.com> [ Upstream commit 6a4730b325aaa48f7a5d5ba97aff0a955e2d9cec ] This BUG_ON is meant to catch backref cache problems, but these can arise from either bugs in the backref cache or corruption in the extent tree. Fix it to be a proper error. Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/btrfs/relocation.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c index 89ad7e12c08bb..062154c6a65f6 100644 --- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c @@ -4789,8 +4789,18 @@ int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans, WARN_ON(!first_cow && level == 0); node = rc->backref_cache.path[level]; - BUG_ON(node->bytenr != buf->start && - node->new_bytenr != buf->start); + + /* + * If node->bytenr != buf->start and node->new_bytenr != + * buf->start then we've got the wrong backref node for what we + * expected to see here and the cache is incorrect. + */ + if (unlikely(node->bytenr != buf->start && node->new_bytenr != buf->start)) { + btrfs_err(fs_info, +"bytenr %llu was found but our backref cache was expecting %llu or %llu", + buf->start, node->bytenr, node->new_bytenr); + return -EUCLEAN; + } drop_node_buffer(node); extent_buffer_get(cow); -- 2.39.5

3 months

1
0
0 0

[PATCH AUTOSEL 5.10] btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling

by Sasha Levin

From: Josef Bacik <josef(a)toxicpanda.com> [ Upstream commit 6a4730b325aaa48f7a5d5ba97aff0a955e2d9cec ] This BUG_ON is meant to catch backref cache problems, but these can arise from either bugs in the backref cache or corruption in the extent tree. Fix it to be a proper error. Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/btrfs/relocation.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c index 98e3b3749ec12..5b921e6ed94e2 100644 --- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c @@ -3976,8 +3976,18 @@ int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans, WARN_ON(!first_cow && level == 0); node = rc->backref_cache.path[level]; - BUG_ON(node->bytenr != buf->start && - node->new_bytenr != buf->start); + + /* + * If node->bytenr != buf->start and node->new_bytenr != + * buf->start then we've got the wrong backref node for what we + * expected to see here and the cache is incorrect. + */ + if (unlikely(node->bytenr != buf->start && node->new_bytenr != buf->start)) { + btrfs_err(fs_info, +"bytenr %llu was found but our backref cache was expecting %llu or %llu", + buf->start, node->bytenr, node->new_bytenr); + return -EUCLEAN; + } btrfs_backref_drop_node_buffer(node); atomic_inc(&cow->refs); -- 2.39.5

3 months

1
0
0 0

[PATCH AUTOSEL 5.15 1/2] btrfs: fix data race when accessing the inode's disk_i_size at btrfs_drop_extents()

by Sasha Levin

From: Hao-ran Zheng <zhenghaoran154(a)gmail.com> [ Upstream commit 5324c4e10e9c2ce307a037e904c0d9671d7137d9 ] A data race occurs when the function `insert_ordered_extent_file_extent()` and the function `btrfs_inode_safe_disk_i_size_write()` are executed concurrently. The function `insert_ordered_extent_file_extent()` is not locked when reading inode->disk_i_size, causing `btrfs_inode_safe_disk_i_size_write()` to cause data competition when writing inode->disk_i_size, thus affecting the value of `modify_tree`. The specific call stack that appears during testing is as follows: ============DATA_RACE============ btrfs_drop_extents+0x89a/0xa060 [btrfs] insert_reserved_file_extent+0xb54/0x2960 [btrfs] insert_ordered_extent_file_extent+0xff5/0x1760 [btrfs] btrfs_finish_one_ordered+0x1b85/0x36a0 [btrfs] btrfs_finish_ordered_io+0x37/0x60 [btrfs] finish_ordered_fn+0x3e/0x50 [btrfs] btrfs_work_helper+0x9c9/0x27a0 [btrfs] process_scheduled_works+0x716/0xf10 worker_thread+0xb6a/0x1190 kthread+0x292/0x330 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 ============OTHER_INFO============ btrfs_inode_safe_disk_i_size_write+0x4ec/0x600 [btrfs] btrfs_finish_one_ordered+0x24c7/0x36a0 [btrfs] btrfs_finish_ordered_io+0x37/0x60 [btrfs] finish_ordered_fn+0x3e/0x50 [btrfs] btrfs_work_helper+0x9c9/0x27a0 [btrfs] process_scheduled_works+0x716/0xf10 worker_thread+0xb6a/0x1190 kthread+0x292/0x330 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 ================================= The main purpose of the check of the inode's disk_i_size is to avoid taking write locks on a btree path when we have a write at or beyond EOF, since in these cases we don't expect to find extent items in the root to drop. However if we end up taking write locks due to a data race on disk_i_size, everything is still correct, we only add extra lock contention on the tree in case there's concurrency from other tasks. If the race causes us to not take write locks when we actually need them, then everything is functionally correct as well, since if we find out we have extent items to drop and we took read locks (modify_tree set to 0), we release the path and retry again with write locks. Since this data race does not affect the correctness of the function, it is a harmless data race, use data_race() to check inode->disk_i_size. Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: Hao-ran Zheng <zhenghaoran154(a)gmail.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/btrfs/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c index 44160d4ad53e0..31b25cb2f5cc3 100644 --- a/fs/btrfs/file.c +++ b/fs/btrfs/file.c @@ -731,7 +731,7 @@ int btrfs_drop_extents(struct btrfs_trans_handle *trans, if (args->drop_cache) btrfs_drop_extent_cache(inode, args->start, args->end - 1, 0); - if (args->start >= inode->disk_i_size && !args->replace_extent) + if (data_race(args->start >= inode->disk_i_size) && !args->replace_extent) modify_tree = 0; update_refs = (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID); -- 2.39.5

3 months

1
1
0 0

[PATCH AUTOSEL 6.1 1/4] arm64/mm: Ensure adequate HUGE_MAX_HSTATE

by Sasha Levin

From: Anshuman Khandual <anshuman.khandual(a)arm.com> [ Upstream commit 1e5823c8e86de83a43d59a522b4de29066d3b306 ] This asserts that HUGE_MAX_HSTATE is sufficient enough preventing potential hugetlb_max_hstate runtime overflow in hugetlb_add_hstate() thus triggering a BUG_ON() there after. Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kernel(a)vger.kernel.org Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Link: https://lore.kernel.org/r/20241202064407.53807-1-anshuman.khandual@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arm64/mm/hugetlbpage.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c index 134dcf6bc650c..99810310efdda 100644 --- a/arch/arm64/mm/hugetlbpage.c +++ b/arch/arm64/mm/hugetlbpage.c @@ -544,6 +544,18 @@ pte_t huge_ptep_clear_flush(struct vm_area_struct *vma, static int __init hugetlbpage_init(void) { + /* + * HugeTLB pages are supported on maximum four page table + * levels (PUD, CONT PMD, PMD, CONT PTE) for a given base + * page size, corresponding to hugetlb_add_hstate() calls + * here. + * + * HUGE_MAX_HSTATE should at least match maximum supported + * HugeTLB page sizes on the platform. Any new addition to + * supported HugeTLB page sizes will also require changing + * HUGE_MAX_HSTATE as well. + */ + BUILD_BUG_ON(HUGE_MAX_HSTATE < 4); if (pud_sect_supported()) hugetlb_add_hstate(PUD_SHIFT - PAGE_SHIFT); -- 2.39.5

3 months

1
3
0 0

[PATCH AUTOSEL 6.6 1/5] arm64/mm: Ensure adequate HUGE_MAX_HSTATE

by Sasha Levin

From: Anshuman Khandual <anshuman.khandual(a)arm.com> [ Upstream commit 1e5823c8e86de83a43d59a522b4de29066d3b306 ] This asserts that HUGE_MAX_HSTATE is sufficient enough preventing potential hugetlb_max_hstate runtime overflow in hugetlb_add_hstate() thus triggering a BUG_ON() there after. Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kernel(a)vger.kernel.org Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Link: https://lore.kernel.org/r/20241202064407.53807-1-anshuman.khandual@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arm64/mm/hugetlbpage.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c index 13fd592228b18..a5e1588780b2c 100644 --- a/arch/arm64/mm/hugetlbpage.c +++ b/arch/arm64/mm/hugetlbpage.c @@ -526,6 +526,18 @@ pte_t huge_ptep_clear_flush(struct vm_area_struct *vma, static int __init hugetlbpage_init(void) { + /* + * HugeTLB pages are supported on maximum four page table + * levels (PUD, CONT PMD, PMD, CONT PTE) for a given base + * page size, corresponding to hugetlb_add_hstate() calls + * here. + * + * HUGE_MAX_HSTATE should at least match maximum supported + * HugeTLB page sizes on the platform. Any new addition to + * supported HugeTLB page sizes will also require changing + * HUGE_MAX_HSTATE as well. + */ + BUILD_BUG_ON(HUGE_MAX_HSTATE < 4); if (pud_sect_supported()) hugetlb_add_hstate(PUD_SHIFT - PAGE_SHIFT); -- 2.39.5

3 months

1
4
0 0

[PATCH AUTOSEL 6.12 1/6] arm64/mm: Ensure adequate HUGE_MAX_HSTATE

by Sasha Levin

From: Anshuman Khandual <anshuman.khandual(a)arm.com> [ Upstream commit 1e5823c8e86de83a43d59a522b4de29066d3b306 ] This asserts that HUGE_MAX_HSTATE is sufficient enough preventing potential hugetlb_max_hstate runtime overflow in hugetlb_add_hstate() thus triggering a BUG_ON() there after. Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kernel(a)vger.kernel.org Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Link: https://lore.kernel.org/r/20241202064407.53807-1-anshuman.khandual@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arm64/mm/hugetlbpage.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c index 5f1e2103888b7..0a6956bbfb326 100644 --- a/arch/arm64/mm/hugetlbpage.c +++ b/arch/arm64/mm/hugetlbpage.c @@ -508,6 +508,18 @@ pte_t huge_ptep_clear_flush(struct vm_area_struct *vma, static int __init hugetlbpage_init(void) { + /* + * HugeTLB pages are supported on maximum four page table + * levels (PUD, CONT PMD, PMD, CONT PTE) for a given base + * page size, corresponding to hugetlb_add_hstate() calls + * here. + * + * HUGE_MAX_HSTATE should at least match maximum supported + * HugeTLB page sizes on the platform. Any new addition to + * supported HugeTLB page sizes will also require changing + * HUGE_MAX_HSTATE as well. + */ + BUILD_BUG_ON(HUGE_MAX_HSTATE < 4); if (pud_sect_supported()) hugetlb_add_hstate(PUD_SHIFT - PAGE_SHIFT); -- 2.39.5

3 months

1
5
0 0

[PATCH AUTOSEL 6.13 1/7] arm64/mm: Ensure adequate HUGE_MAX_HSTATE

by Sasha Levin

From: Anshuman Khandual <anshuman.khandual(a)arm.com> [ Upstream commit 1e5823c8e86de83a43d59a522b4de29066d3b306 ] This asserts that HUGE_MAX_HSTATE is sufficient enough preventing potential hugetlb_max_hstate runtime overflow in hugetlb_add_hstate() thus triggering a BUG_ON() there after. Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will(a)kernel.org> Cc: Ard Biesheuvel <ardb(a)kernel.org> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: linux-arm-kernel(a)lists.infradead.org Cc: linux-kernel(a)vger.kernel.org Signed-off-by: Anshuman Khandual <anshuman.khandual(a)arm.com> Reviewed-by: Ryan Roberts <ryan.roberts(a)arm.com> Reviewed-by: Gavin Shan <gshan(a)redhat.com> Link: https://lore.kernel.org/r/20241202064407.53807-1-anshuman.khandual@arm.com Signed-off-by: Will Deacon <will(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arm64/mm/hugetlbpage.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c index 3215adf48a1b6..98a2a0e64e255 100644 --- a/arch/arm64/mm/hugetlbpage.c +++ b/arch/arm64/mm/hugetlbpage.c @@ -519,6 +519,18 @@ pte_t huge_ptep_clear_flush(struct vm_area_struct *vma, static int __init hugetlbpage_init(void) { + /* + * HugeTLB pages are supported on maximum four page table + * levels (PUD, CONT PMD, PMD, CONT PTE) for a given base + * page size, corresponding to hugetlb_add_hstate() calls + * here. + * + * HUGE_MAX_HSTATE should at least match maximum supported + * HugeTLB page sizes on the platform. Any new addition to + * supported HugeTLB page sizes will also require changing + * HUGE_MAX_HSTATE as well. + */ + BUILD_BUG_ON(HUGE_MAX_HSTATE < 4); if (pud_sect_supported()) hugetlb_add_hstate(PUD_SHIFT - PAGE_SHIFT); -- 2.39.5

3 months

1
6
0 0

[merged mm-stable] mm-compaction-fix-ubsan-shift-out-of-bounds-warning.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/compaction: fix UBSAN shift-out-of-bounds warning has been removed from the -mm tree. Its filename was mm-compaction-fix-ubsan-shift-out-of-bounds-warning.patch This patch was dropped because it was merged into the mm-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Liu Shixin <liushixin2(a)huawei.com> Subject: mm/compaction: fix UBSAN shift-out-of-bounds warning Date: Thu, 23 Jan 2025 10:10:29 +0800 syzkaller reported a UBSAN shift-out-of-bounds warning of (1UL << order) in isolate_freepages_block(). The bogus compound_order can be any value because it is union with flags. Add back the MAX_PAGE_ORDER check to fix the warning. Link: https://lkml.kernel.org/r/20250123021029.2826736-1-liushixin2@huawei.com Fixes: 3da0272a4c7d ("mm/compaction: correctly return failure with bogus compound_order in strict mode") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Reviewed-by: Kemeng Shi <shikemeng(a)huaweicloud.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/compaction.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/compaction.c~mm-compaction-fix-ubsan-shift-out-of-bounds-warning +++ a/mm/compaction.c @@ -631,7 +631,8 @@ static unsigned long isolate_freepages_b if (PageCompound(page)) { const unsigned int order = compound_order(page); - if (blockpfn + (1UL << order) <= end_pfn) { + if ((order <= MAX_PAGE_ORDER) && + (blockpfn + (1UL << order) <= end_pfn)) { blockpfn += (1UL << order) - 1; page += (1UL << order) - 1; nr_scanned += (1UL << order) - 1; _ Patches currently in -mm which might be from liushixin2(a)huawei.com are mm-page_isolation-avoid-call-folio_hstate-without-hugetlb_lock.patch

3 months

1
0
0 0

[PATCH 5.15.y] fs/ntfs3: Additional check in ntfs_file_release

by Suraj Jitindar Singh

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> commit 031d6f608290c847ba6378322d0986d08d1a645a upstream. Reported-by: syzbot+8c652f14a0fde76ff11d(a)syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Suraj Jitindar Singh <surajjs(a)amazon.com> --- fs/ntfs3/file.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c index af7e138064624..2d5d234a4533d 100644 --- a/fs/ntfs3/file.c +++ b/fs/ntfs3/file.c @@ -1192,8 +1192,16 @@ static int ntfs_file_release(struct inode *inode, struct file *file) int err = 0; /* If we are last writer on the inode, drop the block reservation. */ - if (sbi->options->prealloc && ((file->f_mode & FMODE_WRITE) && - atomic_read(&inode->i_writecount) == 1)) { + if (sbi->options->prealloc && + ((file->f_mode & FMODE_WRITE) && + atomic_read(&inode->i_writecount) == 1) + /* + * The only file when inode->i_fop = &ntfs_file_operations and + * init_rwsem(&ni->file.run_lock) is not called explicitly is MFT. + * + * Add additional check here. + */ + && inode->i_ino != MFT_REC_MFT) { ni_lock(ni); down_write(&ni->file.run_lock); -- 2.40.1

3 months

2
1
0 0

[PATCH 5.4 0/2] CVE-2024-49884

by Shaoying Xu

Backport CVE-2024-49884 fixes to stable 5.4. Baokun Li (1): ext4: fix slab-use-after-free in ext4_split_extent_at() Theodore Ts'o (1): ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path fs/ext4/ext4.h | 1 + fs/ext4/extents.c | 64 +++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 54 insertions(+), 11 deletions(-) -- 2.40.1

3 months

2
4
0 0

[PATCH 0/2] of: address: Fix empty resource handling in __of_address_resource_bounds()

by Thomas Weißschuh

Also add a kunit testcase to make sure the function works correctly now and doesn't regress in the future. Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> --- Thomas Weißschuh (2): of: address: Fix empty resource handling in __of_address_resource_bounds() of: address: Add kunit test for __of_address_resource_bounds() drivers/of/address.c | 17 +++---- drivers/of/of_private.h | 4 ++ drivers/of/of_test.c | 120 +++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 132 insertions(+), 9 deletions(-) --- base-commit: ffd294d346d185b70e28b1a28abe367bbfe53c04 change-id: 20250120-of-address-overflow-a59476362885 Best regards, -- Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>

3 months

2
2
0 0

[for-next][PATCH 2/2] tracing/osnoise: Fix resetting of tracepoints

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD disabled, but then that option is enabled and timerlat is removed, the tracepoints that were enabled on timerlat registration do not get disabled. If the option is disabled again and timelat is started, then it triggers a warning in the tracepoint code due to registering the tracepoint again without ever disabling it. Do not use the same user space defined options to know to disable the tracepoints when timerlat is removed. Instead, set a global flag when it is enabled and use that flag to know to disable the events. ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo timerlat > /sys/kernel/tracing/current_tracer ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo nop > /sys/kernel/tracing/current_tracer ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options ~# echo timerlat > /sys/kernel/tracing/current_tracer Triggers: ------------[ cut here ]------------ WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0 Modules linked in: CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:tracepoint_add_func+0x3b6/0x3f0 Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202 RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410 RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002 R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001 R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008 FS: 00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0 Call Trace: <TASK> ? __warn.cold+0xb7/0x14d ? tracepoint_add_func+0x3b6/0x3f0 ? report_bug+0xea/0x170 ? handle_bug+0x58/0x90 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? __pfx_trace_sched_migrate_callback+0x10/0x10 ? tracepoint_add_func+0x3b6/0x3f0 ? __pfx_trace_sched_migrate_callback+0x10/0x10 ? __pfx_trace_sched_migrate_callback+0x10/0x10 tracepoint_probe_register+0x78/0xb0 ? __pfx_trace_sched_migrate_callback+0x10/0x10 osnoise_workload_start+0x2b5/0x370 timerlat_tracer_init+0x76/0x1b0 tracing_set_tracer+0x244/0x400 tracing_set_trace_write+0xa0/0xe0 vfs_write+0xfc/0x570 ? do_sys_openat2+0x9c/0xe0 ksys_write+0x72/0xf0 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Cc: stable(a)vger.kernel.org Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Tomas Glozar <tglozar(a)redhat.com> Cc: Gabriele Monaco <gmonaco(a)redhat.com> Cc: Luis Goncalves <lgoncalv(a)redhat.com> Cc: John Kacur <jkacur(a)redhat.com> Link: https://lore.kernel.org/20250123204159.4450c88e@gandalf.local.home Fixes: e88ed227f639e ("tracing/timerlat: Add user-space interface") Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- kernel/trace/trace_osnoise.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c index b9f96c77527d..23cbc24ed292 100644 --- a/kernel/trace/trace_osnoise.c +++ b/kernel/trace/trace_osnoise.c @@ -1229,6 +1229,8 @@ static void trace_sched_migrate_callback(void *data, struct task_struct *p, int } } +static bool monitor_enabled; + static int register_migration_monitor(void) { int ret = 0; @@ -1237,16 +1239,25 @@ static int register_migration_monitor(void) * Timerlat thread migration check is only required when running timerlat in user-space. * Thus, enable callback only if timerlat is set with no workload. */ - if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options)) + if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options)) { + if (WARN_ON_ONCE(monitor_enabled)) + return 0; + ret = register_trace_sched_migrate_task(trace_sched_migrate_callback, NULL); + if (!ret) + monitor_enabled = true; + } return ret; } static void unregister_migration_monitor(void) { - if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options)) - unregister_trace_sched_migrate_task(trace_sched_migrate_callback, NULL); + if (!monitor_enabled) + return; + + unregister_trace_sched_migrate_task(trace_sched_migrate_callback, NULL); + monitor_enabled = false; } #else static int register_migration_monitor(void) -- 2.45.2

3 months

1
0
0 0

[for-next][PATCH 1/2] rv: Reset per-task monitors also for idle tasks

by Steven Rostedt

From: Gabriele Monaco <gmonaco(a)redhat.com> RV per-task monitors are implemented through a monitor structure available for each task_struct. This structure is reset every time the monitor is (re-)started, to avoid inconsistencies if the monitor was activated previously. To do so, we reset the monitor on all threads using the macro for_each_process_thread. However, this macro excludes the idle tasks on each CPU. Idle tasks could be considered tasks on their own right and it should be up to the model whether to ignore them or not. Reset monitors also on the idle tasks for each present CPU whenever we reset all per-task monitors. Cc: stable(a)vger.kernel.org Cc: Juri Lelli <juri.lelli(a)redhat.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: John Kacur <jkacur(a)redhat.com> Link: https://lore.kernel.org/20250115151547.605750-2-gmonaco@redhat.com Fixes: 792575348ff7 ("rv/include: Add deterministic automata monitor definition via C macros") Signed-off-by: Gabriele Monaco <gmonaco(a)redhat.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- include/rv/da_monitor.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/rv/da_monitor.h b/include/rv/da_monitor.h index 9705b2a98e49..510c88bfabd4 100644 --- a/include/rv/da_monitor.h +++ b/include/rv/da_monitor.h @@ -14,6 +14,7 @@ #include <rv/automata.h> #include <linux/rv.h> #include <linux/bug.h> +#include <linux/sched.h> #ifdef CONFIG_RV_REACTORS @@ -324,10 +325,13 @@ static inline struct da_monitor *da_get_monitor_##name(struct task_struct *tsk) static void da_monitor_reset_all_##name(void) \ { \ struct task_struct *g, *p; \ + int cpu; \ \ read_lock(&tasklist_lock); \ for_each_process_thread(g, p) \ da_monitor_reset_##name(da_get_monitor_##name(p)); \ + for_each_present_cpu(cpu) \ + da_monitor_reset_##name(da_get_monitor_##name(idle_task(cpu))); \ read_unlock(&tasklist_lock); \ } \ \ -- 2.45.2

3 months

1
0
0 0

[PATCH 5.15.y] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

by alvalan9＠foxmail.com

From: Ido Schimmel <idosch(a)nvidia.com> commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream. The per-netns IP tunnel hash table is protected by the RTNL mutex and ip_tunnel_find() is only called from the control path where the mutex is taken. Add a lockdep expression to hlist_for_each_entry_rcu() in ip_tunnel_find() in order to validate that the mutex is held and to silence the suspicious RCU usage warning [1]. [1] WARNING: suspicious RCU usage 6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted ----------------------------- net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/362: #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 stack backtrace: CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0xba/0x110 lockdep_rcu_suspicious.cold+0x4f/0xd6 ip_tunnel_find+0x435/0x4d0 ip_tunnel_newlink+0x517/0x7a0 ipgre_newlink+0x14c/0x170 __rtnl_newlink+0x1173/0x19c0 rtnl_newlink+0x6c/0xa0 rtnetlink_rcv_msg+0x3cc/0xf60 netlink_rcv_skb+0x171/0x450 netlink_unicast+0x539/0x7f0 netlink_sendmsg+0x8c1/0xd80 ____sys_sendmsg+0x8f9/0xc20 ___sys_sendmsg+0x197/0x1e0 __sys_sendmsg+0x122/0x1f0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Suggested-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- net/ipv4/ip_tunnel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 2906b4329c23..9f9b7768cd19 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find(struct ip_tunnel_net *itn, struct ip_tunnel *t = NULL; struct hlist_head *head = ip_bucket(itn, parms); - hlist_for_each_entry_rcu(t, head, hash_node) { + hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) { if (local == t->parms.iph.saddr && remote == t->parms.iph.daddr && link == t->parms.link && -- 2.43.0

3 months

2
1
0 0

[PATCH 6.1.y] media: mtk-vcodec: potential null pointer deference in SCP

by Imkanmod Khan

From: Fullway Wang <fullwaywang(a)outlook.com> [ Upstream commit 53dbe08504442dc7ba4865c09b3bbf5fe849681b ] The return value of devm_kzalloc() needs to be checked to avoid NULL pointer deference. This is similar to CVE-2022-3113. Link: https://lore.kernel.org/linux-media/PH7PR20MB5925094DAE3FD750C7E39E01BF712@… Signed-off-by: Fullway Wang <fullwaywang(a)outlook.com> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> [ To fix CVE: CVE-2024-40973, modified the file path from drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c to drivers/media/platform/mediatek/vcodec/mtk_vcodec_fw_scp.c and minor conflict resolution ] Signed-off-by: Imkanmod Khan <imkanmodkhan(a)gmail.com> --- drivers/media/platform/mediatek/vcodec/mtk_vcodec_fw_scp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_fw_scp.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_fw_scp.c index d8e66b645bd8..27f08b1d34d1 100644 --- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_fw_scp.c +++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_fw_scp.c @@ -65,6 +65,8 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_scp_init(struct mtk_vcodec_dev *dev) } fw = devm_kzalloc(&dev->plat_dev->dev, sizeof(*fw), GFP_KERNEL); + if (!fw) + return ERR_PTR(-ENOMEM); fw->type = SCP; fw->ops = &mtk_vcodec_rproc_msg; fw->scp = scp; -- 2.25.1

3 months

2
1
0 0

[PATCH 6.6.y] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

by alvalan9＠foxmail.com

From: Ido Schimmel <idosch(a)nvidia.com> commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream. The per-netns IP tunnel hash table is protected by the RTNL mutex and ip_tunnel_find() is only called from the control path where the mutex is taken. Add a lockdep expression to hlist_for_each_entry_rcu() in ip_tunnel_find() in order to validate that the mutex is held and to silence the suspicious RCU usage warning [1]. [1] WARNING: suspicious RCU usage 6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted ----------------------------- net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/362: #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 stack backtrace: CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0xba/0x110 lockdep_rcu_suspicious.cold+0x4f/0xd6 ip_tunnel_find+0x435/0x4d0 ip_tunnel_newlink+0x517/0x7a0 ipgre_newlink+0x14c/0x170 __rtnl_newlink+0x1173/0x19c0 rtnl_newlink+0x6c/0xa0 rtnetlink_rcv_msg+0x3cc/0xf60 netlink_rcv_skb+0x171/0x450 netlink_unicast+0x539/0x7f0 netlink_sendmsg+0x8c1/0xd80 ____sys_sendmsg+0x8f9/0xc20 ___sys_sendmsg+0x197/0x1e0 __sys_sendmsg+0x122/0x1f0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Suggested-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- net/ipv4/ip_tunnel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index dd1803bf9c5c..b5d64cd3ab0a 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find(struct ip_tunnel_net *itn, struct ip_tunnel *t = NULL; struct hlist_head *head = ip_bucket(itn, parms); - hlist_for_each_entry_rcu(t, head, hash_node) { + hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) { if (local == t->parms.iph.saddr && remote == t->parms.iph.daddr && link == READ_ONCE(t->parms.link) && -- 2.34.1

3 months

2
1
0 0

[PATCH 6.1.y] drm/amd/display: fixed integer types and null check locations

by Imkanmod Khan

From: Sohaib Nadeem <sohaib.nadeem(a)amd.com> [ Upstream commit 0484e05d048b66d01d1f3c1d2306010bb57d8738 ] [why]: issues fixed: - comparison with wider integer type in loop condition which can cause infinite loops - pointer dereference before null check Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Josip Pavic <josip.pavic(a)amd.com> Acked-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Signed-off-by: Sohaib Nadeem <sohaib.nadeem(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Imkanmod Khan <imkanmodkhan(a)gmail.com> --- .../gpu/drm/amd/display/dc/bios/bios_parser2.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c index 4d2590964a20..75e44d8a7b40 100644 --- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c @@ -1862,19 +1862,21 @@ static enum bp_result get_firmware_info_v3_2( /* Vega12 */ smu_info_v3_2 = GET_IMAGE(struct atom_smu_info_v3_2, DATA_TABLES(smu_info)); - DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", smu_info_v3_2->gpuclk_ss_percentage); if (!smu_info_v3_2) return BP_RESULT_BADBIOSTABLE; + DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", smu_info_v3_2->gpuclk_ss_percentage); + info->default_engine_clk = smu_info_v3_2->bootup_dcefclk_10khz * 10; } else if (revision.minor == 3) { /* Vega20 */ smu_info_v3_3 = GET_IMAGE(struct atom_smu_info_v3_3, DATA_TABLES(smu_info)); - DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", smu_info_v3_3->gpuclk_ss_percentage); if (!smu_info_v3_3) return BP_RESULT_BADBIOSTABLE; + DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", smu_info_v3_3->gpuclk_ss_percentage); + info->default_engine_clk = smu_info_v3_3->bootup_dcefclk_10khz * 10; } @@ -2439,10 +2441,11 @@ static enum bp_result get_integrated_info_v11( info_v11 = GET_IMAGE(struct atom_integrated_system_info_v1_11, DATA_TABLES(integratedsysteminfo)); - DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", info_v11->gpuclk_ss_percentage); if (info_v11 == NULL) return BP_RESULT_BADBIOSTABLE; + DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", info_v11->gpuclk_ss_percentage); + info->gpu_cap_info = le32_to_cpu(info_v11->gpucapinfo); /* @@ -2654,11 +2657,12 @@ static enum bp_result get_integrated_info_v2_1( info_v2_1 = GET_IMAGE(struct atom_integrated_system_info_v2_1, DATA_TABLES(integratedsysteminfo)); - DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", info_v2_1->gpuclk_ss_percentage); if (info_v2_1 == NULL) return BP_RESULT_BADBIOSTABLE; + DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", info_v2_1->gpuclk_ss_percentage); + info->gpu_cap_info = le32_to_cpu(info_v2_1->gpucapinfo); /* @@ -2816,11 +2820,11 @@ static enum bp_result get_integrated_info_v2_2( info_v2_2 = GET_IMAGE(struct atom_integrated_system_info_v2_2, DATA_TABLES(integratedsysteminfo)); - DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", info_v2_2->gpuclk_ss_percentage); - if (info_v2_2 == NULL) return BP_RESULT_BADBIOSTABLE; + DC_LOG_BIOS("gpuclk_ss_percentage (unit of 0.001 percent): %d\n", info_v2_2->gpuclk_ss_percentage); + info->gpu_cap_info = le32_to_cpu(info_v2_2->gpucapinfo); /* -- 2.25.1

3 months

2
1
0 0

[PATCH v2 v5.15.y 0/2] Backporting the patches to fix CVE-2024-35966

by Keerthana K

Diff from v1: Adding a dependant patch [PATCH 1/2]. Link of v1: https://lore.kernel.org/stable/2025012010-manager-dreamlike-b5c1@gregkh/ Backporting 2 patches to fix CVE-2024-35966 Luiz Augusto von Dentz (2): Bluetooth: SCO: Fix not validating setsockopt user input Bluetooth: RFCOMM: Fix not validating setsockopt user input include/net/bluetooth/bluetooth.h | 9 +++++++++ net/bluetooth/rfcomm/sock.c | 14 +++++--------- net/bluetooth/sco.c | 19 ++++++++----------- 3 files changed, 22 insertions(+), 20 deletions(-) -- 2.39.4

3 months

2
3
0 0

[PATCH 5.10.y] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

by alvalan9＠foxmail.com

From: Ido Schimmel <idosch(a)nvidia.com> commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream. The per-netns IP tunnel hash table is protected by the RTNL mutex and ip_tunnel_find() is only called from the control path where the mutex is taken. Add a lockdep expression to hlist_for_each_entry_rcu() in ip_tunnel_find() in order to validate that the mutex is held and to silence the suspicious RCU usage warning [1]. [1] WARNING: suspicious RCU usage 6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted ----------------------------- net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/362: #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 stack backtrace: CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0xba/0x110 lockdep_rcu_suspicious.cold+0x4f/0xd6 ip_tunnel_find+0x435/0x4d0 ip_tunnel_newlink+0x517/0x7a0 ipgre_newlink+0x14c/0x170 __rtnl_newlink+0x1173/0x19c0 rtnl_newlink+0x6c/0xa0 rtnetlink_rcv_msg+0x3cc/0xf60 netlink_rcv_skb+0x171/0x450 netlink_unicast+0x539/0x7f0 netlink_sendmsg+0x8c1/0xd80 ____sys_sendmsg+0x8f9/0xc20 ___sys_sendmsg+0x197/0x1e0 __sys_sendmsg+0x122/0x1f0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Suggested-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- net/ipv4/ip_tunnel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 53cc17b1da34..cf9184928ede 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find(struct ip_tunnel_net *itn, struct ip_tunnel *t = NULL; struct hlist_head *head = ip_bucket(itn, parms); - hlist_for_each_entry_rcu(t, head, hash_node) { + hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) { if (local == t->parms.iph.saddr && remote == t->parms.iph.daddr && link == t->parms.link && -- 2.43.0

3 months

2
1
0 0

[PATCH 6.1.y] ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

by alvalan9＠foxmail.com

From: Ido Schimmel <idosch(a)nvidia.com> commit 90e0569dd3d32f4f4d2ca691d3fa5a8a14a13c12 upstream. The per-netns IP tunnel hash table is protected by the RTNL mutex and ip_tunnel_find() is only called from the control path where the mutex is taken. Add a lockdep expression to hlist_for_each_entry_rcu() in ip_tunnel_find() in order to validate that the mutex is held and to silence the suspicious RCU usage warning [1]. [1] WARNING: suspicious RCU usage 6.12.0-rc3-custom-gd95d9a31aceb #139 Not tainted ----------------------------- net/ipv4/ip_tunnel.c:221 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by ip/362: #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60 stack backtrace: CPU: 12 UID: 0 PID: 362 Comm: ip Not tainted 6.12.0-rc3-custom-gd95d9a31aceb #139 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Call Trace: <TASK> dump_stack_lvl+0xba/0x110 lockdep_rcu_suspicious.cold+0x4f/0xd6 ip_tunnel_find+0x435/0x4d0 ip_tunnel_newlink+0x517/0x7a0 ipgre_newlink+0x14c/0x170 __rtnl_newlink+0x1173/0x19c0 rtnl_newlink+0x6c/0xa0 rtnetlink_rcv_msg+0x3cc/0xf60 netlink_rcv_skb+0x171/0x450 netlink_unicast+0x539/0x7f0 netlink_sendmsg+0x8c1/0xd80 ____sys_sendmsg+0x8f9/0xc20 ___sys_sendmsg+0x197/0x1e0 __sys_sendmsg+0x122/0x1f0 do_syscall_64+0xbb/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Suggested-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Ido Schimmel <idosch(a)nvidia.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241023123009.749764-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- net/ipv4/ip_tunnel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 67cabc40f1dc..73d7372afb43 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -218,7 +218,7 @@ static struct ip_tunnel *ip_tunnel_find(struct ip_tunnel_net *itn, struct ip_tunnel *t = NULL; struct hlist_head *head = ip_bucket(itn, parms); - hlist_for_each_entry_rcu(t, head, hash_node) { + hlist_for_each_entry_rcu(t, head, hash_node, lockdep_rtnl_is_held()) { if (local == t->parms.iph.saddr && remote == t->parms.iph.daddr && link == READ_ONCE(t->parms.link) && -- 2.34.1

3 months

2
1
0 0

[PATCH v2 v5.10.y] Bluetooth: RFCOMM: Fix not validating setsockopt user input

by Keerthana K

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ Upstream commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 ] syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064 Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level") Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Keerthana: No changes from v1 link to v1: https://lore.kernel.org/stable/2025012010-manager-dreamlike-b5c1@gregkh/] Signed-off-by: Keerthana K <keerthana.kalyanasundaram(a)broadcom.com> --- net/bluetooth/rfcomm/sock.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index ae6f80730561..56360da0827c 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -657,7 +657,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, switch (optname) { case RFCOMM_LM: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { + if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { err = -EFAULT; break; } @@ -692,7 +692,6 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, struct sock *sk = sock->sk; struct bt_security sec; int err = 0; - size_t len; u32 opt; BT_DBG("sk %p", sk); @@ -714,11 +713,9 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, sec.level = BT_SECURITY_LOW; - len = min_t(unsigned int, sizeof(sec), optlen); - if (copy_from_sockptr(&sec, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); + if (err) break; - } if (sec.level > BT_SECURITY_HIGH) { err = -EINVAL; @@ -734,10 +731,9 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); -- 2.39.4

3 months

2
1
0 0

[for-next][PATCH 09/14] rtla/timerlat_top: Set OSNOISE_WORKLOAD for kernel threads

by Steven Rostedt

From: Tomas Glozar <tglozar(a)redhat.com> When using rtla timerlat with userspace threads (-u or -U), rtla disables the OSNOISE_WORKLOAD option in /sys/kernel/tracing/osnoise/options. This option is not re-enabled in a subsequent run with kernel-space threads, leading to rtla collecting no results if the previous run exited abnormally: $ rtla timerlat top -u ^\Quit (core dumped) $ rtla timerlat top -k -d 1s Timer Latency 0 00:00:01 | IRQ Timer Latency (us) | Thread Timer Latency (us) CPU COUNT | cur min avg max | cur min avg max The issue persists until OSNOISE_WORKLOAD is set manually by running: $ echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options Set OSNOISE_WORKLOAD when running rtla with kernel-space threads if available to fix the issue. Cc: stable(a)vger.kernel.org Cc: John Kacur <jkacur(a)redhat.com> Cc: Luis Goncalves <lgoncalv(a)redhat.com> Link: https://lore.kernel.org/20250107144823.239782-4-tglozar@redhat.com Fixes: cdca4f4e5e8e ("rtla/timerlat_top: Add timerlat user-space support") Signed-off-by: Tomas Glozar <tglozar(a)redhat.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- tools/tracing/rtla/src/timerlat_top.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/tools/tracing/rtla/src/timerlat_top.c b/tools/tracing/rtla/src/timerlat_top.c index d358cd39f360..f387597d3ac2 100644 --- a/tools/tracing/rtla/src/timerlat_top.c +++ b/tools/tracing/rtla/src/timerlat_top.c @@ -851,12 +851,15 @@ timerlat_top_apply_config(struct osnoise_tool *top, struct timerlat_top_params * } } - if (params->user_top) { - retval = osnoise_set_workload(top->context, 0); - if (retval) { - err_msg("Failed to set OSNOISE_WORKLOAD option\n"); - goto out_err; - } + /* + * Set workload according to type of thread if the kernel supports it. + * On kernels without support, user threads will have already failed + * on missing timerlat_fd, and kernel threads do not need it. + */ + retval = osnoise_set_workload(top->context, params->kernel_workload); + if (retval < -1) { + err_msg("Failed to set OSNOISE_WORKLOAD option\n"); + goto out_err; } if (isatty(STDOUT_FILENO) && !params->quiet) -- 2.45.2

3 months

1
0
0 0

[for-next][PATCH 08/14] rtla/timerlat_hist: Set OSNOISE_WORKLOAD for kernel threads

by Steven Rostedt

From: Tomas Glozar <tglozar(a)redhat.com> When using rtla timerlat with userspace threads (-u or -U), rtla disables the OSNOISE_WORKLOAD option in /sys/kernel/tracing/osnoise/options. This option is not re-enabled in a subsequent run with kernel-space threads, leading to rtla collecting no results if the previous run exited abnormally: $ rtla timerlat hist -u ^\Quit (core dumped) $ rtla timerlat hist -k -d 1s Index over: count: min: avg: max: ALL: IRQ Thr Usr count: 0 0 0 min: - - - avg: - - - max: - - - The issue persists until OSNOISE_WORKLOAD is set manually by running: $ echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options Set OSNOISE_WORKLOAD when running rtla with kernel-space threads if available to fix the issue. Cc: stable(a)vger.kernel.org Cc: John Kacur <jkacur(a)redhat.com> Cc: Luis Goncalves <lgoncalv(a)redhat.com> Link: https://lore.kernel.org/20250107144823.239782-3-tglozar@redhat.com Fixes: ed774f7481fa ("rtla/timerlat_hist: Add timerlat user-space support") Signed-off-by: Tomas Glozar <tglozar(a)redhat.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- tools/tracing/rtla/src/timerlat_hist.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/tools/tracing/rtla/src/timerlat_hist.c b/tools/tracing/rtla/src/timerlat_hist.c index 53ded187b33a..d4bd02c01c53 100644 --- a/tools/tracing/rtla/src/timerlat_hist.c +++ b/tools/tracing/rtla/src/timerlat_hist.c @@ -1085,12 +1085,15 @@ timerlat_hist_apply_config(struct osnoise_tool *tool, struct timerlat_hist_param } } - if (params->user_hist) { - retval = osnoise_set_workload(tool->context, 0); - if (retval) { - err_msg("Failed to set OSNOISE_WORKLOAD option\n"); - goto out_err; - } + /* + * Set workload according to type of thread if the kernel supports it. + * On kernels without support, user threads will have already failed + * on missing timerlat_fd, and kernel threads do not need it. + */ + retval = osnoise_set_workload(tool->context, params->kernel_workload); + if (retval < -1) { + err_msg("Failed to set OSNOISE_WORKLOAD option\n"); + goto out_err; } return 0; -- 2.45.2

3 months

1
0
0 0

[for-next][PATCH 07/14] rtla/osnoise: Distinguish missing workload option

by Steven Rostedt

From: Tomas Glozar <tglozar(a)redhat.com> osnoise_set_workload returns -1 for both missing OSNOISE_WORKLOAD option and failure in setting the option. Return -1 for missing and -2 for failure to distinguish them. Cc: stable(a)vger.kernel.org Cc: John Kacur <jkacur(a)redhat.com> Cc: Luis Goncalves <lgoncalv(a)redhat.com> Link: https://lore.kernel.org/20250107144823.239782-2-tglozar@redhat.com Signed-off-by: Tomas Glozar <tglozar(a)redhat.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- tools/tracing/rtla/src/osnoise.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/tracing/rtla/src/osnoise.c b/tools/tracing/rtla/src/osnoise.c index 245e9344932b..699a83f538a8 100644 --- a/tools/tracing/rtla/src/osnoise.c +++ b/tools/tracing/rtla/src/osnoise.c @@ -867,7 +867,7 @@ int osnoise_set_workload(struct osnoise_context *context, bool onoff) retval = osnoise_options_set_option("OSNOISE_WORKLOAD", onoff); if (retval < 0) - return -1; + return -2; context->opt_workload = onoff; -- 2.45.2

3 months

1
0
0 0

[for-next][PATCH 04/14] rtla/timerlat_top: Stop timerlat tracer on signal

by Steven Rostedt

From: Tomas Glozar <tglozar(a)redhat.com> Currently, when either SIGINT from the user or SIGALRM from the duration timer is caught by rtla-timerlat, stop_tracing is set to break out of the main loop. This is not sufficient for cases where the timerlat tracer is producing more data than rtla can consume, since in that case, rtla is looping indefinitely inside tracefs_iterate_raw_events, never reaches the check of stop_tracing and hangs. In addition to setting stop_tracing, also stop the timerlat tracer on received signal (SIGINT or SIGALRM). This will stop new samples so that the existing samples may be processed and tracefs_iterate_raw_events eventually exits. Cc: stable(a)vger.kernel.org Cc: John Kacur <jkacur(a)redhat.com> Cc: Luis Goncalves <lgoncalv(a)redhat.com> Cc: Gabriele Monaco <gmonaco(a)redhat.com> Link: https://lore.kernel.org/20250116144931.649593-4-tglozar@redhat.com Fixes: a828cd18bc4a ("rtla: Add timerlat tool and timelart top mode") Signed-off-by: Tomas Glozar <tglozar(a)redhat.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- tools/tracing/rtla/src/timerlat_top.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tools/tracing/rtla/src/timerlat_top.c b/tools/tracing/rtla/src/timerlat_top.c index 059b468981e4..d21a21053917 100644 --- a/tools/tracing/rtla/src/timerlat_top.c +++ b/tools/tracing/rtla/src/timerlat_top.c @@ -900,9 +900,12 @@ static struct osnoise_tool } static int stop_tracing; +static struct trace_instance *top_inst = NULL; static void stop_top(int sig) { stop_tracing = 1; + if (top_inst) + trace_instance_stop(top_inst); } /* @@ -950,6 +953,13 @@ int timerlat_top_main(int argc, char *argv[]) } trace = &top->trace; + /* + * Save trace instance into global variable so that SIGINT can stop + * the timerlat tracer. + * Otherwise, rtla could loop indefinitely when overloaded. + */ + top_inst = trace; + retval = enable_timerlat(trace); if (retval) { @@ -1131,7 +1141,7 @@ int timerlat_top_main(int argc, char *argv[]) return_value = 0; - if (trace_is_off(&top->trace, &record->trace)) { + if (trace_is_off(&top->trace, &record->trace) && !stop_tracing) { printf("rtla timerlat hit stop tracing\n"); if (!params->no_aa) -- 2.45.2

3 months

1
0
0 0

[for-next][PATCH 03/14] rtla/timerlat_hist: Stop timerlat tracer on signal

by Steven Rostedt

From: Tomas Glozar <tglozar(a)redhat.com> Currently, when either SIGINT from the user or SIGALRM from the duration timer is caught by rtla-timerlat, stop_tracing is set to break out of the main loop. This is not sufficient for cases where the timerlat tracer is producing more data than rtla can consume, since in that case, rtla is looping indefinitely inside tracefs_iterate_raw_events, never reaches the check of stop_tracing and hangs. In addition to setting stop_tracing, also stop the timerlat tracer on received signal (SIGINT or SIGALRM). This will stop new samples so that the existing samples may be processed and tracefs_iterate_raw_events eventually exits. Cc: stable(a)vger.kernel.org Cc: John Kacur <jkacur(a)redhat.com> Cc: Luis Goncalves <lgoncalv(a)redhat.com> Cc: Gabriele Monaco <gmonaco(a)redhat.com> Link: https://lore.kernel.org/20250116144931.649593-3-tglozar@redhat.com Fixes: 1eeb6328e8b3 ("rtla/timerlat: Add timerlat hist mode") Signed-off-by: Tomas Glozar <tglozar(a)redhat.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- tools/tracing/rtla/src/timerlat_hist.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tools/tracing/rtla/src/timerlat_hist.c b/tools/tracing/rtla/src/timerlat_hist.c index 8b66387e5f35..f1edf1c8a7b0 100644 --- a/tools/tracing/rtla/src/timerlat_hist.c +++ b/tools/tracing/rtla/src/timerlat_hist.c @@ -1131,9 +1131,12 @@ static struct osnoise_tool } static int stop_tracing; +static struct trace_instance *hist_inst = NULL; static void stop_hist(int sig) { stop_tracing = 1; + if (hist_inst) + trace_instance_stop(hist_inst); } /* @@ -1180,6 +1183,12 @@ int timerlat_hist_main(int argc, char *argv[]) } trace = &tool->trace; + /* + * Save trace instance into global variable so that SIGINT can stop + * the timerlat tracer. + * Otherwise, rtla could loop indefinitely when overloaded. + */ + hist_inst = trace; retval = enable_timerlat(trace); if (retval) { @@ -1348,7 +1357,7 @@ int timerlat_hist_main(int argc, char *argv[]) return_value = 0; - if (trace_is_off(&tool->trace, &record->trace)) { + if (trace_is_off(&tool->trace, &record->trace) && !stop_tracing) { printf("rtla timerlat hit stop tracing\n"); if (!params->no_aa) -- 2.45.2

3 months

1
0
0 0

[for-next][PATCH 02/14] rtla: Add trace_instance_stop

by Steven Rostedt

From: Tomas Glozar <tglozar(a)redhat.com> Support not only turning trace on for the timerlat tracer, but also turning it off. This will be used in subsequent patches to stop the timerlat tracer without also wiping the trace buffer. Cc: stable(a)vger.kernel.org Cc: John Kacur <jkacur(a)redhat.com> Cc: Luis Goncalves <lgoncalv(a)redhat.com> Cc: Gabriele Monaco <gmonaco(a)redhat.com> Link: https://lore.kernel.org/20250116144931.649593-2-tglozar@redhat.com Signed-off-by: Tomas Glozar <tglozar(a)redhat.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- tools/tracing/rtla/src/trace.c | 8 ++++++++ tools/tracing/rtla/src/trace.h | 1 + 2 files changed, 9 insertions(+) diff --git a/tools/tracing/rtla/src/trace.c b/tools/tracing/rtla/src/trace.c index 170a706248ab..440323a997c6 100644 --- a/tools/tracing/rtla/src/trace.c +++ b/tools/tracing/rtla/src/trace.c @@ -196,6 +196,14 @@ int trace_instance_start(struct trace_instance *trace) return tracefs_trace_on(trace->inst); } +/* + * trace_instance_stop - stop tracing a given rtla instance + */ +int trace_instance_stop(struct trace_instance *trace) +{ + return tracefs_trace_off(trace->inst); +} + /* * trace_events_free - free a list of trace events */ diff --git a/tools/tracing/rtla/src/trace.h b/tools/tracing/rtla/src/trace.h index c7c92dc9a18a..76e1b77291ba 100644 --- a/tools/tracing/rtla/src/trace.h +++ b/tools/tracing/rtla/src/trace.h @@ -21,6 +21,7 @@ struct trace_instance { int trace_instance_init(struct trace_instance *trace, char *tool_name); int trace_instance_start(struct trace_instance *trace); +int trace_instance_stop(struct trace_instance *trace); void trace_instance_destroy(struct trace_instance *trace); struct trace_seq *get_trace_seq(void); -- 2.45.2

3 months

1
0
0 0

[PATCH for-current] wifi: ath12k: fix handling of 6 GHz rules

by Aditya Kumar Singh

In the US country code, to avoid including 6 GHz rules in the 5 GHz rules list, the number of 5 GHz rules is set to a default constant value of 4 (REG_US_5G_NUM_REG_RULES). However, if there are more than 4 valid 5 GHz rules, the current logic will bypass the legitimate 6 GHz rules. For example, if there are 5 valid 5 GHz rules and 1 valid 6 GHz rule, the current logic will only consider 4 of the 5 GHz rules, treating the last valid rule as a 6 GHz rule. Consequently, the actual 6 GHz rule is never processed, leading to the eventual disabling of 6 GHz channels. To fix this issue, instead of hardcoding the value to 4, use a helper function to determine the number of 6 GHz rules present in the 5 GHz rules list and ignore only those rules. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Cc: stable(a)vger.kernel.org Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Signed-off-by: Aditya Kumar Singh <aditya.kumar.singh(a)oss.qualcomm.com> --- drivers/net/wireless/ath/ath12k/wmi.c | 61 ++++++++++++++++++++++++++--------- drivers/net/wireless/ath/ath12k/wmi.h | 1 - 2 files changed, 45 insertions(+), 17 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c index a7625a3d1a3a9b1bbcf90cee30d3c707de03c439..296238c7ee0fd95045a3e0859d730e3bd73ec906 100644 --- a/drivers/net/wireless/ath/ath12k/wmi.c +++ b/drivers/net/wireless/ath/ath12k/wmi.c @@ -4852,6 +4852,22 @@ static struct ath12k_reg_rule return reg_rule_ptr; } +static u8 ath12k_wmi_ignore_num_extra_rules(struct ath12k_wmi_reg_rule_ext_params *rule, + u32 num_reg_rules) +{ + u8 num_invalid_5ghz_rules = 0; + u32 count, start_freq; + + for (count = 0; count < num_reg_rules; count++) { + start_freq = le32_get_bits(rule[count].freq_info, REG_RULE_START_FREQ); + + if (start_freq >= ATH12K_MIN_6G_FREQ) + num_invalid_5ghz_rules++; + } + + return num_invalid_5ghz_rules; +} + static int ath12k_pull_reg_chan_list_ext_update_ev(struct ath12k_base *ab, struct sk_buff *skb, struct ath12k_reg_info *reg_info) @@ -4862,6 +4878,7 @@ static int ath12k_pull_reg_chan_list_ext_update_ev(struct ath12k_base *ab, u32 num_2g_reg_rules, num_5g_reg_rules; u32 num_6g_reg_rules_ap[WMI_REG_CURRENT_MAX_AP_TYPE]; u32 num_6g_reg_rules_cl[WMI_REG_CURRENT_MAX_AP_TYPE][WMI_REG_MAX_CLIENT_TYPE]; + u8 num_invalid_5ghz_ext_rules; u32 total_reg_rules = 0; int ret, i, j; @@ -4955,20 +4972,6 @@ static int ath12k_pull_reg_chan_list_ext_update_ev(struct ath12k_base *ab, memcpy(reg_info->alpha2, &ev->alpha2, REG_ALPHA2_LEN); - /* FIXME: Currently FW includes 6G reg rule also in 5G rule - * list for country US. - * Having same 6G reg rule in 5G and 6G rules list causes - * intersect check to be true, and same rules will be shown - * multiple times in iw cmd. So added hack below to avoid - * parsing 6G rule from 5G reg rule list, and this can be - * removed later, after FW updates to remove 6G reg rule - * from 5G rules list. - */ - if (memcmp(reg_info->alpha2, "US", 2) == 0) { - reg_info->num_5g_reg_rules = REG_US_5G_NUM_REG_RULES; - num_5g_reg_rules = reg_info->num_5g_reg_rules; - } - reg_info->dfs_region = le32_to_cpu(ev->dfs_region); reg_info->phybitmap = le32_to_cpu(ev->phybitmap); reg_info->num_phy = le32_to_cpu(ev->num_phy); @@ -5071,8 +5074,29 @@ static int ath12k_pull_reg_chan_list_ext_update_ev(struct ath12k_base *ab, } } + ext_wmi_reg_rule += num_2g_reg_rules; + + /* Firmware might include 6 GHz reg rule in 5 GHz rule list + * for few countries along with separate 6 GHz rule. + * Having same 6 GHz reg rule in 5 GHz and 6 GHz rules list + * causes intersect check to be true, and same rules will be + * shown multiple times in iw cmd. + * Hence, avoid parsing 6 GHz rule from 5 GHz reg rule list + */ + num_invalid_5ghz_ext_rules = ath12k_wmi_ignore_num_extra_rules(ext_wmi_reg_rule, + num_5g_reg_rules); + + if (num_invalid_5ghz_ext_rules) { + ath12k_dbg(ab, ATH12K_DBG_WMI, + "CC: %s 5 GHz reg rules number %d from fw, %d number of invalid 5 GHz rules", + reg_info->alpha2, reg_info->num_5g_reg_rules, + num_invalid_5ghz_ext_rules); + + num_5g_reg_rules = num_5g_reg_rules - num_invalid_5ghz_ext_rules; + reg_info->num_5g_reg_rules = num_5g_reg_rules; + } + if (num_5g_reg_rules) { - ext_wmi_reg_rule += num_2g_reg_rules; reg_info->reg_rules_5g_ptr = create_ext_reg_rules_from_wmi(num_5g_reg_rules, ext_wmi_reg_rule); @@ -5084,7 +5108,12 @@ static int ath12k_pull_reg_chan_list_ext_update_ev(struct ath12k_base *ab, } } - ext_wmi_reg_rule += num_5g_reg_rules; + /* We have adjusted the number of 5 GHz reg rules above. But still those + * many rules needs to be adjusted in ext_wmi_reg_rule. + * + * NOTE: num_invalid_5ghz_ext_rules will be 0 for rest other cases. + */ + ext_wmi_reg_rule += (num_5g_reg_rules + num_invalid_5ghz_ext_rules); for (i = 0; i < WMI_REG_CURRENT_MAX_AP_TYPE; i++) { reg_info->reg_rules_6g_ap_ptr[i] = diff --git a/drivers/net/wireless/ath/ath12k/wmi.h b/drivers/net/wireless/ath/ath12k/wmi.h index 38aed18b99f4239e40d369181549b4bc78faa862..81248253a36872f6fd93db772b5394f3ef9d3bf9 100644 --- a/drivers/net/wireless/ath/ath12k/wmi.h +++ b/drivers/net/wireless/ath/ath12k/wmi.h @@ -4093,7 +4093,6 @@ struct ath12k_wmi_eht_rate_set_params { #define MAX_REG_RULES 10 #define REG_ALPHA2_LEN 2 #define MAX_6G_REG_RULES 5 -#define REG_US_5G_NUM_REG_RULES 4 enum wmi_start_event_param { WMI_VDEV_START_RESP_EVENT = 0, --- base-commit: c4e4e37afc8b8d178b0f00f607c30b3b81253597 change-id: 20250123-fix_6ghz_rules_handling-ff85f1efb30b

3 months

2
2
0 0

[PATCH v4 1/3] Drivers: hv: vmbus: Disable Suspend-to-Idle for VMBus

by Erni Sri Satya Vennela

This change is specific to Hyper-V VM user. If the Virtual Machine Connection window is focused, a Hyper-V VM user can unintentionally touch the keyboard/mouse when the VM is hibernating or resuming, and consequently the hibernation or resume operation can be aborted unexpectedly. Fix the issue by no longer registering the keyboard/mouse as wakeup devices (see the other two patches for the changes to drivers/input/serio/hyperv-keyboard.c and drivers/hid/hid-hyperv.c). The keyboard/mouse were registered as wakeup devices because the VM needs to be woken up from the Suspend-to-Idle state after a user runs "echo freeze > /sys/power/state". It seems like the Suspend-to-Idle feature has no real users in practice, so let's no longer support that by returning -EOPNOTSUPP if a user tries to use that. Fixes: 1a06d017fb3f ("Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM") Cc: stable(a)vger.kernel.org Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> Signed-off-by: Erni Sri Satya Vennela <ernis(a)linux.microsoft.com>> --- Changes in v4: * No change Changes in v3: * Add "Cc: stable(a)vger.kernel.org" in sign-off area. Changes in v2: * Add "#define vmbus_freeze NULL" when CONFIG_PM_SLEEP is not enabled. --- drivers/hv/vmbus_drv.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 6d89d37b069a..4df6b12bf6a1 100644 --- a/drivers/hv/vmbus_drv.c +++ b/drivers/hv/vmbus_drv.c @@ -900,6 +900,19 @@ static void vmbus_shutdown(struct device *child_device) } #ifdef CONFIG_PM_SLEEP +/* + * vmbus_freeze - Suspend-to-Idle + */ +static int vmbus_freeze(struct device *child_device) +{ +/* + * Do not support Suspend-to-Idle ("echo freeze > /sys/power/state") as + * that would require registering the Hyper-V synthetic mouse/keyboard + * devices as wakeup devices, which can abort hibernation/resume unexpectedly. + */ + return -EOPNOTSUPP; +} + /* * vmbus_suspend - Suspend a vmbus device */ @@ -938,6 +951,7 @@ static int vmbus_resume(struct device *child_device) return drv->resume(dev); } #else +#define vmbus_freeze NULL #define vmbus_suspend NULL #define vmbus_resume NULL #endif /* CONFIG_PM_SLEEP */ @@ -969,7 +983,7 @@ static void vmbus_device_release(struct device *device) */ static const struct dev_pm_ops vmbus_pm = { - .suspend_noirq = NULL, + .suspend_noirq = vmbus_freeze, .resume_noirq = NULL, .freeze_noirq = vmbus_suspend, .thaw_noirq = vmbus_resume, -- 2.34.1

3 months

3
3
0 0

[PATCH v2 00/22] media: i2c: ds90ub9xx: Error handling, UB9702 improvements

by Tomi Valkeinen

Hi, This series has two main parts: 1) add error handling all around, and 2) update the drivers according to latest (mostly non-public) information from TI. The "Update UB9702 init sequences" patch basically rewrites the init sequence from scratch, and to make that patch easier to read, the previous patch first removes the current init sequence. In the final version these two patches need to be squashed together. Tomi Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> --- Changes in v2: - Add new patch "media: i2c: ds90ub913: Fix returned fmt from .set_fmt()" - Reformat the reg write in "Speed-up I2C watchdog timer" - Add 'it' parameter to rxport for_each macros - Move 'enable_sscg' module parameter to DT - Change serializer 'i2c-addr' property to serializer 'reg' property - Split ub953 registers to a header file - Link to v1: https://lore.kernel.org/r/20250110-ub9xx-improvements-v1-0-e0b9a1f644da@ide… --- Jai Luthra (6): media: i2c: ds90ub953: Speed-up I2C watchdog timer media: dt-bindings: ti,ds90ub960: Add ti,enable-sscg property media: dt-bindings: ti,ds90ub960: Allow setting serializer address media: i2c: ds90ub960: Enable SSCG for UB9702 media: i2c: ds90ub960: Configure serializer using back-channel media: i2c: ds90ub9xx: Set serializer temperature ramp Tomi Valkeinen (16): media: i2c: ds90ub953: Fix error prints media: i2c: ds90ub913: Fix returned fmt from .set_fmt() media: i2c: ds90ub913: Align ub913_read() with other similar functions media: i2c: ds90ub9xx: Add err parameter to read/write funcs media: i2c: ds90ub960: Add error handling to multiple places media: i2c: ds90ub953: Add error handling to ub953_log_status() media: i2c: ds90ub913: Add error handling to ub913_log_status() media: i2c: ds90ub960: Move UB9702 registers to a separate section media: i2c: ds90ub960: Add UB9702 specific registers media: i2c: ds90ub960: Split ub960_init_tx_ports() media: i2c: ds90ub960: Refresh ub960_init_tx_ports_ub9702() media: i2c: ds90ub960: Add RX port iteration support media: i2c: ds90ub960: Move all RX port init code into ub960_init_rx_ports() media: i2c: ds90ub960: Remove old ub9702 RX port init code (SQUASH) media: i2c: ds90ub960: Update UB9702 init sequences media: i2c: ds90ub953: Move reg defines to a header file .../bindings/media/i2c/ti,ds90ub953.yaml | 77 +- .../bindings/media/i2c/ti,ds90ub960.yaml | 21 +- drivers/media/i2c/ds90ub913.c | 82 +- drivers/media/i2c/ds90ub953.c | 242 +-- drivers/media/i2c/ds90ub953.h | 104 + drivers/media/i2c/ds90ub960.c | 2264 +++++++++++++++----- 6 files changed, 2070 insertions(+), 720 deletions(-) --- base-commit: c4b7779abc6633677e6edb79e2809f4f61fde157 change-id: 20250110-ub9xx-improvements-9172b44eb0bc Best regards, -- Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com>

3 months

1
1
0 0

Re: [syzbot] [mptcp?] WARNING in mptcp_pm_nl_set_flags (2)

by syzbot

syzbot has bisected this issue to: commit 322ea3778965da72862cca2a0c50253aacf65fe6 Author: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Date: Mon Aug 19 19:45:26 2024 +0000 mptcp: pm: only mark 'subflow' endp as available bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=14f0bab0580000 start commit: d1bf27c4e176 dt-bindings: net: pse-pd: Fix unusual charact.. git tree: net final oops: https://syzkaller.appspot.com/x/report.txt?x=16f0bab0580000 console output: https://syzkaller.appspot.com/x/log.txt?x=12f0bab0580000 kernel config: https://syzkaller.appspot.com/x/.config?x=1c541fa8af5c9cc7 dashboard link: https://syzkaller.appspot.com/bug?extid=cd16e79c1e45f3fe0377 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11262218580000 Reported-by: syzbot+cd16e79c1e45f3fe0377(a)syzkaller.appspotmail.com Fixes: 322ea3778965 ("mptcp: pm: only mark 'subflow' endp as available") For information about bisection process see: https://goo.gl/tpsmEJ#bisection

3 months

1
0
0 0

[PATCH v1 1/2] mm: Clear uffd-wp PTE/PMD state on mremap()

by Ryan Roberts

When mremap()ing a memory region previously registered with userfaultfd as write-protected but without UFFD_FEATURE_EVENT_REMAP, an inconsistency in flag clearing leads to a mismatch between the vma flags (which have uffd-wp cleared) and the pte/pmd flags (which do not have uffd-wp cleared). This mismatch causes a subsequent mprotect(PROT_WRITE) to trigger a warning in page_table_check_pte_flags() due to setting the pte to writable while uffd-wp is still set. Fix this by always explicitly clearing the uffd-wp pte/pmd flags on any such mremap() so that the values are consistent with the existing clearing of VM_UFFD_WP. Be careful to clear the logical flag regardless of its physical form; a PTE bit, a swap PTE bit, or a PTE marker. Cover PTE, huge PMD and hugetlb paths. Co-developed-by: Mikołaj Lenczewski <miko.lenczewski(a)arm.com> Signed-off-by: Mikołaj Lenczewski <miko.lenczewski(a)arm.com> Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com> Closes: https://lore.kernel.org/linux-mm/810b44a8-d2ae-4107-b665-5a42eae2d948@arm.c… Fixes: 63b2d4174c4a ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl") Cc: stable(a)vger.kernel.org --- include/linux/userfaultfd_k.h | 12 ++++++++++++ mm/huge_memory.c | 12 ++++++++++++ mm/hugetlb.c | 14 +++++++++++++- mm/mremap.c | 32 +++++++++++++++++++++++++++++++- 4 files changed, 68 insertions(+), 2 deletions(-) diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h index cb40f1a1d081..75342022d144 100644 --- a/include/linux/userfaultfd_k.h +++ b/include/linux/userfaultfd_k.h @@ -247,6 +247,13 @@ static inline bool vma_can_userfault(struct vm_area_struct *vma, vma_is_shmem(vma); } +static inline bool vma_has_uffd_without_event_remap(struct vm_area_struct *vma) +{ + struct userfaultfd_ctx *uffd_ctx = vma->vm_userfaultfd_ctx.ctx; + + return uffd_ctx && (uffd_ctx->features & UFFD_FEATURE_EVENT_REMAP) == 0; +} + extern int dup_userfaultfd(struct vm_area_struct *, struct list_head *); extern void dup_userfaultfd_complete(struct list_head *); void dup_userfaultfd_fail(struct list_head *); @@ -402,6 +409,11 @@ static inline bool userfaultfd_wp_async(struct vm_area_struct *vma) return false; } +static inline bool vma_has_uffd_without_event_remap(struct vm_area_struct *vma) +{ + return false; +} + #endif /* CONFIG_USERFAULTFD */ static inline bool userfaultfd_wp_use_markers(struct vm_area_struct *vma) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index c89aed1510f1..2654a9548749 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2212,6 +2212,16 @@ static pmd_t move_soft_dirty_pmd(pmd_t pmd) return pmd; } +static pmd_t clear_uffd_wp_pmd(pmd_t pmd) +{ + if (pmd_present(pmd)) + pmd = pmd_clear_uffd_wp(pmd); + else if (is_swap_pmd(pmd)) + pmd = pmd_swp_clear_uffd_wp(pmd); + + return pmd; +} + bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr, unsigned long new_addr, pmd_t *old_pmd, pmd_t *new_pmd) { @@ -2250,6 +2260,8 @@ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr, pgtable_trans_huge_deposit(mm, new_pmd, pgtable); } pmd = move_soft_dirty_pmd(pmd); + if (vma_has_uffd_without_event_remap(vma)) + pmd = clear_uffd_wp_pmd(pmd); set_pmd_at(mm, new_addr, new_pmd, pmd); if (force_flush) flush_pmd_tlb_range(vma, old_addr, old_addr + PMD_SIZE); diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 354eec6f7e84..cdbc55d5384f 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -5454,6 +5454,7 @@ static void move_huge_pte(struct vm_area_struct *vma, unsigned long old_addr, unsigned long new_addr, pte_t *src_pte, pte_t *dst_pte, unsigned long sz) { + bool need_clear_uffd_wp = vma_has_uffd_without_event_remap(vma); struct hstate *h = hstate_vma(vma); struct mm_struct *mm = vma->vm_mm; spinlock_t *src_ptl, *dst_ptl; @@ -5470,7 +5471,18 @@ static void move_huge_pte(struct vm_area_struct *vma, unsigned long old_addr, spin_lock_nested(src_ptl, SINGLE_DEPTH_NESTING); pte = huge_ptep_get_and_clear(mm, old_addr, src_pte); - set_huge_pte_at(mm, new_addr, dst_pte, pte, sz); + + if (need_clear_uffd_wp && pte_marker_uffd_wp(pte)) + huge_pte_clear(mm, new_addr, dst_pte, sz); + else { + if (need_clear_uffd_wp) { + if (pte_present(pte)) + pte = huge_pte_clear_uffd_wp(pte); + else if (is_swap_pte(pte)) + pte = pte_swp_clear_uffd_wp(pte); + } + set_huge_pte_at(mm, new_addr, dst_pte, pte, sz); + } if (src_ptl != dst_ptl) spin_unlock(src_ptl); diff --git a/mm/mremap.c b/mm/mremap.c index 60473413836b..cff7f552f909 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -138,6 +138,7 @@ static int move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, struct vm_area_struct *new_vma, pmd_t *new_pmd, unsigned long new_addr, bool need_rmap_locks) { + bool need_clear_uffd_wp = vma_has_uffd_without_event_remap(vma); struct mm_struct *mm = vma->vm_mm; pte_t *old_pte, *new_pte, pte; pmd_t dummy_pmdval; @@ -216,7 +217,18 @@ static int move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd, force_flush = true; pte = move_pte(pte, old_addr, new_addr); pte = move_soft_dirty_pte(pte); - set_pte_at(mm, new_addr, new_pte, pte); + + if (need_clear_uffd_wp && pte_marker_uffd_wp(pte)) + pte_clear(mm, new_addr, new_pte); + else { + if (need_clear_uffd_wp) { + if (pte_present(pte)) + pte = pte_clear_uffd_wp(pte); + else if (is_swap_pte(pte)) + pte = pte_swp_clear_uffd_wp(pte); + } + set_pte_at(mm, new_addr, new_pte, pte); + } } arch_leave_lazy_mmu_mode(); @@ -278,6 +290,15 @@ static bool move_normal_pmd(struct vm_area_struct *vma, unsigned long old_addr, if (WARN_ON_ONCE(!pmd_none(*new_pmd))) return false; + /* If this pmd belongs to a uffd vma with remap events disabled, we need + * to ensure that the uffd-wp state is cleared from all pgtables. This + * means recursing into lower page tables in move_page_tables(), and we + * can reuse the existing code if we simply treat the entry as "not + * moved". + */ + if (vma_has_uffd_without_event_remap(vma)) + return false; + /* * We don't have to worry about the ordering of src and dst * ptlocks because exclusive mmap_lock prevents deadlock. @@ -333,6 +354,15 @@ static bool move_normal_pud(struct vm_area_struct *vma, unsigned long old_addr, if (WARN_ON_ONCE(!pud_none(*new_pud))) return false; + /* If this pud belongs to a uffd vma with remap events disabled, we need + * to ensure that the uffd-wp state is cleared from all pgtables. This + * means recursing into lower page tables in move_page_tables(), and we + * can reuse the existing code if we simply treat the entry as "not + * moved". + */ + if (vma_has_uffd_without_event_remap(vma)) + return false; + /* * We don't have to worry about the ordering of src and dst * ptlocks because exclusive mmap_lock prevents deadlock. -- 2.43.0

3 months

5
12
0 0

[PATCH v2 RESEND] PCI: fix reference leak in pci_alloc_child_bus()

by Ma Ke

When device_register(&child->dev) failed, calling put_device() to explicitly release child->dev. Otherwise, it could cause double free problem. device_register() includes device_add(). As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - added the bug description about the comment of device_add(); - fixed the patch as suggestions; - added Cc and Fixes table. --- drivers/pci/probe.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c index 2e81ab0f5a25..ae12f92c6a9d 100644 --- a/drivers/pci/probe.c +++ b/drivers/pci/probe.c @@ -1174,7 +1174,10 @@ static struct pci_bus *pci_alloc_child_bus(struct pci_bus *parent, add_dev: pci_set_bus_msi_domain(child); ret = device_register(&child->dev); - WARN_ON(ret < 0); + if (WARN_ON(ret < 0)) { + put_device(&child->dev); + return NULL; + } pcibios_add_bus(child); -- 2.25.1

3 months

2
1
0 0

[REGRESSION] kernel panic at bitmap_get_stats+0x2b/0xa0 since 6.12

by Harshit Mogalapalli

Hi all, We started seeing panic during boot cycle on 6.12 upstream kernel. Data points: * This is reproducible on 6.12.9 * Also reproducible on 6.13 from yesterday. * Not reproducible on 6.11 So I looked at commits between 6.11-> 6.12 , and narrowed it down to a patch series which made changed to md-bitmap.c https://lore.kernel.org/all/20240826074452.1490072-1-yukuai1@huaweicloud.co… After narrowing down further: it is narrowed down to this commit ec6bb299c7c3 md/md-bitmap: add 'sync_size' into struct md_bitmap_stats #regzbot introduced: ec6bb299c7c3 Also, the panic points to the middle line below: sb = kmap_local_page(bitmap->storage.sb_page); * stats->sync_size = le64_to_cpu(sb->sync_size); kunmap_local(sb); Call trace is as follows: [ 21.427462] Oops: general protection fault, probably for non-canonical address 0x8730d3f80000028: 0000 [#1] PREEMPT SMP NOPTI [ 21.440104] CPU: 56 UID: 0 PID: 1531 Comm: mdadm Not tainted 6.13.0-master.20250121.ol8.x86_64 #1 [ 21.450019] Hardware name: Oracle Corporation ORACLE SERVER X9-2L/ASM,MTHRBD,2U, BIOS 62110100 07/15/2024 [ 21.460710] RIP: 0010:bitmap_get_stats+0x2b/0xa0 [ 21.465872] Code: 0f 1e fa 0f 1f 44 00 00 48 89 f2 48 85 ff 74 7d 48 8b 4f 50 48 2b 0d dc 9f e5 00 48 8b 35 e5 9f e5 00 48 c1 f9 06 48 c1 e1 0c <48> 8b 4c 31 28 48 89 4a 20 48 8b 4f 18 48 89 4a 10 48 8b 4f 10 48 [ 21.486849] RSP: 0018:ff3e5f658fc3fb18 EFLAGS: 00010206 [ 21.492690] RAX: ffffffff8d17d660 RBX: ff27d0600af69690 RCX: 094b3d0000000000 [ 21.500663] RDX: ff3e5f658fc3fb28 RSI: ff27d03f80000000 RDI: ff27d06008cd9c00 [ 21.507233] mlx5_core 0000:b1:00.0: Rate limit: 127 rates are supported, range: 0Mbps to 97656Mbps [ 21.508629] RBP: ff27d0604a737418 R08: 0000000000000000 R09: 0000000000000000 [ 21.508631] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000012c2000 [ 21.508631] R13: ff27d0604a737018 R14: ff27d0604a737000 R15: ff27d0604a737018 [ 21.508632] FS: 00007f61a01c98c0(0000) GS:ff27d07f7f600000(0000) knlGS:0000000000000000 [ 21.508634] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.508635] CR2: 000056503c28f458 CR3: 00000020c000c004 CR4: 0000000000771ef0 [ 21.518772] mlx5_core 0000:b1:00.0: E-Switch: Total vports 27, per vport: max uc(128) max mc(2048) [ 21.526600] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 21.526601] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 21.526602] PKRU: 55555554 [ 21.526603] Call Trace: [ 21.526604] <TASK> [ 21.535111] mlx5_core 0000:b1:00.0: Flow counters bulk query buffer size increased, bulk_query_len(8) [ 21.542533] ? show_trace_log_lvl+0x1b0/0x300 [ 21.542537] ? show_trace_log_lvl+0x1b0/0x300 [ 21.556126] mlx5_core 0000:b1:00.0: mlx5_pcie_event:301:(pid 529): PCIe slot advertised sufficient power (27W). [ 21.557983] ? md_seq_show+0x2d2/0x5b0 [ 21.557988] ? __die_body.cold+0x8/0x12 [ 21.641128] ? die_addr+0x3c/0x60 [ 21.645080] ? exc_general_protection+0x17d/0x400 [ 21.650574] ? asm_exc_general_protection+0x26/0x30 [ 21.656267] ? __pfx_bitmap_get_stats+0x10/0x10 [ 21.661568] ? bitmap_get_stats+0x2b/0xa0 [ 21.666277] md_seq_show+0x2d2/0x5b0 [ 21.670507] seq_read_iter+0x2b9/0x470 [ 21.674924] seq_read+0x12f/0x180 [ 21.678853] proc_reg_read+0x57/0xb0 [ 21.683074] vfs_read+0xf6/0x380 [ 21.686902] ? __seccomp_filter+0x30b/0x520 [ 21.691786] ksys_read+0x6c/0xf0 [ 21.695607] do_syscall_64+0x82/0x170 [ 21.699909] ? arch_exit_to_user_mode_prepare.isra.0+0x1e/0xd0 [ 21.706637] ? syscall_exit_to_user_mode+0x37/0x1a0 [ 21.712295] ? __memcg_slab_free_hook+0xf7/0x160 [ 21.717660] ? __x64_sys_close+0x3c/0x80 [ 21.722248] ? kmem_cache_free+0x400/0x460 [ 21.727028] ? syscall_exit_to_user_mode_prepare+0x174/0x1b0 [ 21.733553] ? arch_exit_to_user_mode_prepare.isra.0+0x1e/0xd0 [ 21.740270] ? syscall_exit_to_user_mode+0x37/0x1a0 [ 21.745913] ? do_syscall_64+0x8e/0x170 [ 21.750388] ? do_syscall_64+0x8e/0x170 [ 21.754857] ? clear_bhb_loop+0x45/0xa0 [ 21.759318] ? clear_bhb_loop+0x45/0xa0 [ 21.763772] ? clear_bhb_loop+0x45/0xa0 [ 21.768218] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 21.774014] RIP: 0033:0x7f619f862585 [ 21.778170] Code: fe ff ff 50 48 8d 3d 52 a8 06 00 e8 e5 08 02 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 d5 71 2a 00 8b 00 85 c0 75 0f 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 53 c3 66 90 41 54 49 89 d4 55 48 89 f5 53 89 [ 21.799471] RSP: 002b:00007ffe50c2d3c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 21.808099] RAX: ffffffffffffffda RBX: 000056503c2802a0 RCX: 00007f619f862585 [ 21.816240] RDX: 0000000000000400 RSI: 000056503c28d000 RDI: 0000000000000004 [ 21.824382] RBP: 0000000000000d68 R08: 0000000000000008 R09: 0000000000000001 [ 21.832518] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f619fb00860 [ 21.840654] R13: 00007f619fb013a0 R14: 000056503c280a50 R15: 000056503c281480 [ 21.848789] </TASK> [ 21.851389] Modules linked in: raid1 mgag200 drm_client_lib drm_shmem_helper drm_kms_helper sd_mod sg raid0 mlx5_core(+) ahci libahci drm crct10dif_pclmul ghash_clmulni_intel mlxfw sha512_ssse3 igb nvme sha256_ssse3 libata tls sha1_ssse3 megaraid_sas nvme_core pci_hyperv_intf psample dca nvme_auth i2c_algo_bit nfit(+) libnvdimm aesni_intel gf128mul crypto_simd cryptd [ 21.888253] ---[ end trace 0000000000000000 ]--- [ 22.452319] RIP: 0010:bitmap_get_stats+0x2b/0xa0 [ 22.457699] Code: 0f 1e fa 0f 1f 44 00 00 48 89 f2 48 85 ff 74 7d 48 8b 4f 50 48 2b 0d dc 9f e5 00 48 8b 35 e5 9f e5 00 48 c1 f9 06 48 c1 e1 0c <48> 8b 4c 31 28 48 89 4a 20 48 8b 4f 18 48 89 4a 10 48 8b 4f 10 48 [ 22.479037] RSP: 0018:ff3e5f658fc3fb18 EFLAGS: 00010206 [ 22.485067] RAX: ffffffff8d17d660 RBX: ff27d0600af69690 RCX: 094b3d0000000000 [ 22.493217] RDX: ff3e5f658fc3fb28 RSI: ff27d03f80000000 RDI: ff27d06008cd9c00 [ 22.501372] RBP: ff27d0604a737418 R08: 0000000000000000 R09: 0000000000000000 [ 22.509527] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000012c2000 [ 22.517686] R13: ff27d0604a737018 R14: ff27d0604a737000 R15: ff27d0604a737018 [ 22.525845] FS: 00007f61a01c98c0(0000) GS:ff27d07f7f600000(0000) knlGS:0000000000000000 [ 22.535089] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 22.541701] CR2: 000056503c28f458 CR3: 00000020c000c004 CR4: 0000000000771ef0 [ 22.549866] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 22.558040] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 22.566202] PKRU: 55555554 [ 22.569425] Kernel panic - not syncing: Fatal exception [ 22.576477] Kernel Offset: 0xb600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 22.654941] Rebooting in 60 seconds.. I would be happy to try any patches. Thanks, Harshit

3 months

2
5
0 0

[PATCH] audit: Initialize lsmctx to avoid memory allocation error

by Huacai Chen

Initialize the local variable lsmctx in audit_receive_msg(), so as to avoid memory allocation errors like: [ 258.074914] WARNING: CPU: 2 PID: 443 at mm/page_alloc.c:4727 __alloc_pages_noprof+0x4c8/0x1040 [ 258.074994] Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022 [ 258.074997] pc 900000000304d588 ra 9000000003059644 tp 9000000107774000 sp 9000000107777890 [ 258.075000] a0 0000000000040cc0 a1 0000000000000012 a2 0000000000000000 a3 0000000000000000 [ 258.075003] a4 9000000107777bd0 a5 0000000000000280 a6 0000000000000010 a7 0000000000000000 [ 258.075006] t0 9000000004b4c000 t1 0000000000000001 t2 1f3f37829c264c80 t3 000000000000002e [ 258.075009] t4 0000000000000000 t5 00000000000003f6 t6 90000001066b6310 t7 000000000000002f [ 258.075011] t8 000000000000003c u0 00000000000000b4 s9 900000010006f880 s0 9000000004a4b000 [ 258.075014] s1 0000000000000000 s2 9000000004a4b000 s3 9000000106673400 s4 9000000107777af0 [ 258.075017] s5 90000001066b6300 s6 0000000000000012 s7 fffffffffffff000 s8 0000000000000004 [ 258.075019] ra: 9000000003059644 ___kmalloc_large_node+0x84/0x1e0 [ 258.075026] ERA: 900000000304d588 __alloc_pages_noprof+0x4c8/0x1040 [ 258.075030] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 258.075040] PRMD: 00000004 (PPLV0 +PIE -PWE) [ 258.075045] EUEN: 00000007 (+FPE +SXE +ASXE -BTE) [ 258.075051] ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) [ 258.075056] ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0) [ 258.075061] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) [ 258.075064] CPU: 2 UID: 0 PID: 443 Comm: auditd Not tainted 6.13.0-rc1+ #1899 [ 258.075068] Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022 [ 258.075070] Stack : ffffffffffffffff 0000000000000000 9000000002debf5c 9000000107774000 [ 258.075077] 90000001077774f0 0000000000000000 90000001077774f8 900000000489e480 [ 258.075083] 9000000004b380e8 9000000004b380e0 9000000107777380 0000000000000001 [ 258.075089] 0000000000000001 9000000004a4b000 1f3f37829c264c80 90000001001a9b40 [ 258.075094] 9000000107774000 9000000004b080e8 00000000000003d4 9000000004b080e8 [ 258.075100] 9000000004a580e8 000000000000002d 0000000006ebc000 900000010006f880 [ 258.075106] 00000000000000b4 0000000000000000 0000000000000004 0000000000001277 [ 258.075112] 900000000489e480 90000001066b6300 0000000000000012 fffffffffffff000 [ 258.075118] 0000000000000004 900000000489e480 9000000002def6a8 00007ffff2ba4065 [ 258.075124] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d [ 258.075129] ... [ 258.075132] Call Trace: [ 258.075135] [<9000000002def6a8>] show_stack+0x30/0x148 [ 258.075146] [<9000000002debf58>] dump_stack_lvl+0x68/0xa0 [ 258.075152] [<9000000002e0fe18>] __warn+0x80/0x108 [ 258.075158] [<900000000407486c>] report_bug+0x154/0x268 [ 258.075163] [<90000000040ad468>] do_bp+0x2a8/0x320 [ 258.075172] [<9000000002dedda0>] handle_bp+0x120/0x1c0 [ 258.075178] [<900000000304d588>] __alloc_pages_noprof+0x4c8/0x1040 [ 258.075183] [<9000000003059640>] ___kmalloc_large_node+0x80/0x1e0 [ 258.075187] [<9000000003061504>] __kmalloc_noprof+0x2c4/0x380 [ 258.075192] [<9000000002f0f7ac>] audit_receive_msg+0x764/0x1530 [ 258.075199] [<9000000002f1065c>] audit_receive+0xe4/0x1c0 [ 258.075204] [<9000000003e5abe8>] netlink_unicast+0x340/0x450 [ 258.075211] [<9000000003e5ae9c>] netlink_sendmsg+0x1a4/0x4a0 [ 258.075216] [<9000000003d9ffd0>] __sock_sendmsg+0x48/0x58 [ 258.075222] [<9000000003da32f0>] __sys_sendto+0x100/0x170 [ 258.075226] [<9000000003da3374>] sys_sendto+0x14/0x28 [ 258.075229] [<90000000040ad574>] do_syscall+0x94/0x138 [ 258.075233] [<9000000002ded318>] handle_syscall+0xb8/0x158 [ 258.075239] [ 258.075241] ---[ end trace 0000000000000000 ]--- Cc: stable(a)vger.kernel.org Fixes: 6fba89813ccf333d ("lsm: ensure the correct LSM context releaser") Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index 13d0144efaa3..5f5bf85bcc90 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1221,7 +1221,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; - struct lsm_context lsmctx; + struct lsm_context lsmctx = { NULL, 0, 0 }; err = audit_netlink_ok(skb, msg_type); if (err) -- 2.47.1

3 months

1
0
0 0

[PATCH v3] scsi: ufs: fix use-after free in init error and remove paths

by André Draszik

devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshd allocation. During driver release or during error handling in ufshcd_pltfrm_init(), this structure is released as part of ufshcd_dealloc_host() before the (platform-) device associated with the crypto call above is released. Once this device is released, the crypto cleanup code will run, using the just-released 'struct ufs_hba::crypto_profile'. This causes a use-after-free situation: exynos-ufshc 14700000.ufs: ufshcd_pltfrm_init() failed -11 exynos-ufshc 14700000.ufs: probe with driver exynos-ufshc failed with error -11 Unable to handle kernel paging request at virtual address 01adafad6dadad88 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [01adafad6dadad88] address between user and kernel address ranges Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.13.0-rc5-next-20250106+ #70 Tainted: [W]=WARN Hardware name: Oriole (DT) pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kfree+0x60/0x2d8 lr : kvfree+0x44/0x60 sp : ffff80008009ba80 x29: ffff80008009ba90 x28: 0000000000000000 x27: ffffbcc6591e0130 x26: ffffbcc659309960 x25: ffffbcc658f89c50 x24: ffffbcc659539d80 x23: ffff22e000940040 x22: ffff22e001539010 x21: ffffbcc65714b22c x20: 6b6b6b6b6b6b6b6b x19: 01adafad6dadad80 x18: 0000000000000000 x17: ffffbcc6579fbac8 x16: ffffbcc657a04300 x15: ffffbcc657a027f4 x14: ffffbcc656f969cc x13: ffffbcc6579fdc80 x12: ffffbcc6579fb194 x11: ffffbcc6579fbc34 x10: 0000000000000000 x9 : ffffbcc65714b22c x8 : ffff80008009b880 x7 : 0000000000000000 x6 : ffff80008009b940 x5 : ffff80008009b8c0 x4 : ffff22e000940518 x3 : ffff22e006f54f40 x2 : ffffbcc657a02268 x1 : ffff80007fffffff x0 : ffffc1ffc0000000 Call trace: kfree+0x60/0x2d8 (P) kvfree+0x44/0x60 blk_crypto_profile_destroy_callback+0x28/0x70 devm_action_release+0x1c/0x30 release_nodes+0x6c/0x108 devres_release_all+0x98/0x100 device_unbind_cleanup+0x20/0x70 really_probe+0x218/0x2d0 In other words, the initialisation code flow is: platform-device probe ufshcd_pltfrm_init() ufshcd_alloc_host() scsi_host_alloc() allocation of struct ufs_hba creation of scsi-host devices devm_blk_crypto_profile_init() devm registration of cleanup handler using platform-device and during error handling of ufshcd_pltfrm_init() or during driver removal: ufshcd_dealloc_host() scsi_host_put() put_device(scsi-host) release of struct ufs_hba put_device(platform-device) crypto cleanup handler To fix this use-after free, change ufshcd_alloc_host() to register a devres action to automatically cleanup the underlying SCSI device on ufshcd destruction, without requiring explicit calls to ufshcd_dealloc_host(). This way: * the crypto profile and all other ufs_hba-owned resources are destroyed before SCSI (as they've been registered after) * a memleak is plugged in tc-dwc-g210-pci.c remove() as a side-effect * EXPORT_SYMBOL_GPL(ufshcd_dealloc_host) can be removed fully as it's not needed anymore * no future drivers using ufshcd_alloc_host() could ever forget adding the cleanup Fixes: cb77cb5abe1f ("blk-crypto: rename blk_keyslot_manager to blk_crypto_profile") Fixes: d76d9d7d1009 ("scsi: ufs: use devm_blk_ksm_init()") Cc: stable(a)vger.kernel.org Signed-off-by: André Draszik <andre.draszik(a)linaro.org> --- Changes in v3: - rename devres action handler to ufshcd_devres_release() (Bart) - Link to v2: https://lore.kernel.org/r/20250114-ufshcd-fix-v2-1-2dc627590a4a@linaro.org Changes in v2: - completely new approach using devres action for Scsi_host cleanup, to ensure ordering - add Fixes: and CC: stable tags (Eric) - Link to v1: https://lore.kernel.org/r/20250113-ufshcd-fix-v1-1-ca63d1d4bd55@linaro.org --- In my case, as per above trace I initially encountered an error in ufshcd_verify_dev_init(), which made me notice this problem both during error handling and release. For reproducing, it'd be possible to change that function to just return an error, or rmmod the platform glue driver. Other approaches for solving this issue I see are the following, but I believe this one here is the cleanest: * turn 'struct ufs_hba::crypto_profile' into a dynamically allocated pointer, in which case it doesn't matter if cleanup runs after scsi_host_put() * add an explicit devm_blk_crypto_profile_deinit() to be called by API users when necessary, e.g. before ufshcd_dealloc_host() in this case * register the crypto cleanup handler against the scsi-host device instead, like in v1 of this patch --- drivers/ufs/core/ufshcd.c | 27 +++++++++++++++++---------- drivers/ufs/host/ufshcd-pci.c | 2 -- drivers/ufs/host/ufshcd-pltfrm.c | 11 ++++------- include/ufs/ufshcd.h | 1 - 4 files changed, 21 insertions(+), 20 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index 43ddae7318cb..8351795296bb 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -10279,16 +10279,6 @@ int ufshcd_system_thaw(struct device *dev) EXPORT_SYMBOL_GPL(ufshcd_system_thaw); #endif /* CONFIG_PM_SLEEP */ -/** - * ufshcd_dealloc_host - deallocate Host Bus Adapter (HBA) - * @hba: pointer to Host Bus Adapter (HBA) - */ -void ufshcd_dealloc_host(struct ufs_hba *hba) -{ - scsi_host_put(hba->host); -} -EXPORT_SYMBOL_GPL(ufshcd_dealloc_host); - /** * ufshcd_set_dma_mask - Set dma mask based on the controller * addressing capability @@ -10307,6 +10297,16 @@ static int ufshcd_set_dma_mask(struct ufs_hba *hba) return dma_set_mask_and_coherent(hba->dev, DMA_BIT_MASK(32)); } +/** + * ufshcd_devres_release - devres cleanup handler, invoked during release of + * hba->dev + * @host: pointer to SCSI host + */ +static void ufshcd_devres_release(void *host) +{ + scsi_host_put(host); +} + /** * ufshcd_alloc_host - allocate Host Bus Adapter (HBA) * @dev: pointer to device handle @@ -10334,6 +10334,13 @@ int ufshcd_alloc_host(struct device *dev, struct ufs_hba **hba_handle) err = -ENOMEM; goto out_error; } + + err = devm_add_action_or_reset(dev, ufshcd_devres_release, + host); + if (err) + return dev_err_probe(dev, err, + "failed to add ufshcd dealloc action\n"); + host->nr_maps = HCTX_TYPE_POLL + 1; hba = shost_priv(host); hba->host = host; diff --git a/drivers/ufs/host/ufshcd-pci.c b/drivers/ufs/host/ufshcd-pci.c index ea39c5d5b8cf..9cfcaad23cf9 100644 --- a/drivers/ufs/host/ufshcd-pci.c +++ b/drivers/ufs/host/ufshcd-pci.c @@ -562,7 +562,6 @@ static void ufshcd_pci_remove(struct pci_dev *pdev) pm_runtime_forbid(&pdev->dev); pm_runtime_get_noresume(&pdev->dev); ufshcd_remove(hba); - ufshcd_dealloc_host(hba); } /** @@ -605,7 +604,6 @@ ufshcd_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) err = ufshcd_init(hba, mmio_base, pdev->irq); if (err) { dev_err(&pdev->dev, "Initialization failed\n"); - ufshcd_dealloc_host(hba); return err; } diff --git a/drivers/ufs/host/ufshcd-pltfrm.c b/drivers/ufs/host/ufshcd-pltfrm.c index 505572d4fa87..adb0a65d9df5 100644 --- a/drivers/ufs/host/ufshcd-pltfrm.c +++ b/drivers/ufs/host/ufshcd-pltfrm.c @@ -488,13 +488,13 @@ int ufshcd_pltfrm_init(struct platform_device *pdev, if (err) { dev_err(dev, "%s: clock parse failed %d\n", __func__, err); - goto dealloc_host; + goto out; } err = ufshcd_parse_regulator_info(hba); if (err) { dev_err(dev, "%s: regulator init failed %d\n", __func__, err); - goto dealloc_host; + goto out; } ufshcd_init_lanes_per_dir(hba); @@ -502,14 +502,14 @@ int ufshcd_pltfrm_init(struct platform_device *pdev, err = ufshcd_parse_operating_points(hba); if (err) { dev_err(dev, "%s: OPP parse failed %d\n", __func__, err); - goto dealloc_host; + goto out; } err = ufshcd_init(hba, mmio_base, irq); if (err) { dev_err_probe(dev, err, "Initialization failed with error %d\n", err); - goto dealloc_host; + goto out; } pm_runtime_set_active(dev); @@ -517,8 +517,6 @@ int ufshcd_pltfrm_init(struct platform_device *pdev, return 0; -dealloc_host: - ufshcd_dealloc_host(hba); out: return err; } @@ -534,7 +532,6 @@ void ufshcd_pltfrm_remove(struct platform_device *pdev) pm_runtime_get_sync(&pdev->dev); ufshcd_remove(hba); - ufshcd_dealloc_host(hba); pm_runtime_disable(&pdev->dev); pm_runtime_put_noidle(&pdev->dev); } diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index da0fa5c65081..58eb6e897827 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -1311,7 +1311,6 @@ static inline void ufshcd_rmwl(struct ufs_hba *hba, u32 mask, u32 val, u32 reg) void ufshcd_enable_irq(struct ufs_hba *hba); void ufshcd_disable_irq(struct ufs_hba *hba); int ufshcd_alloc_host(struct device *, struct ufs_hba **); -void ufshcd_dealloc_host(struct ufs_hba *); int ufshcd_hba_enable(struct ufs_hba *hba); int ufshcd_init(struct ufs_hba *, void __iomem *, unsigned int); int ufshcd_link_recovery(struct ufs_hba *hba); --- base-commit: 4e16367cfe0ce395f29d0482b78970cce8e1db73 change-id: 20250113-ufshcd-fix-52409f2d32ff Best regards, -- André Draszik <andre.draszik(a)linaro.org>

3 months

2
2
0 0

+ mm-compaction-fix-ubsan-shift-out-of-bounds-warning.patch added to mm-unstable branch

by Andrew Morton

The patch titled Subject: mm/compaction: fix UBSAN shift-out-of-bounds warning has been added to the -mm mm-unstable branch. Its filename is mm-compaction-fix-ubsan-shift-out-of-bounds-warning.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Liu Shixin <liushixin2(a)huawei.com> Subject: mm/compaction: fix UBSAN shift-out-of-bounds warning Date: Thu, 23 Jan 2025 10:10:29 +0800 syzkaller reported a UBSAN shift-out-of-bounds warning of (1UL << order) in isolate_freepages_block(). The bogus compound_order can be any value because it is union with flags. Add back the MAX_PAGE_ORDER check to fix the warning. Link: https://lkml.kernel.org/r/20250123021029.2826736-1-liushixin2@huawei.com Fixes: 3da0272a4c7d ("mm/compaction: correctly return failure with bogus compound_order in strict mode") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Kemeng Shi <shikemeng(a)huaweicloud.com> Cc: Mattew Wilcox <willy(a)infradead.org> [English fixes] Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Nanyong Sun <sunnanyong(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/compaction.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/compaction.c~mm-compaction-fix-ubsan-shift-out-of-bounds-warning +++ a/mm/compaction.c @@ -631,7 +631,8 @@ static unsigned long isolate_freepages_b if (PageCompound(page)) { const unsigned int order = compound_order(page); - if (blockpfn + (1UL << order) <= end_pfn) { + if ((order <= MAX_PAGE_ORDER) && + (blockpfn + (1UL << order) <= end_pfn)) { blockpfn += (1UL << order) - 1; page += (1UL << order) - 1; nr_scanned += (1UL << order) - 1; _ Patches currently in -mm which might be from liushixin2(a)huawei.com are mm-page_isolation-avoid-call-folio_hstate-without-hugetlb_lock.patch mm-compaction-fix-ubsan-shift-out-of-bounds-warning.patch

3 months

1
0
0 0

[PATCH v5.10-v5.15] Bluetooth: RFCOMM: Fix not validating setsockopt user input

by Keerthana K

From: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> [ Upstream commit a97de7bff13b1cc825c1b1344eaed8d6c2d3e695 ] syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064 Fixes: 9f2c8a03fbb3 ("Bluetooth: Replace RFCOMM link mode with security level") Fixes: bb23c0ab8246 ("Bluetooth: Add support for deferring RFCOMM connection setup") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Keerthana K <keerthana.kalyanasundaram(a)broadcom.com> --- net/bluetooth/rfcomm/sock.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 1db441db4..2dcb70f49 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -631,7 +631,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, switch (optname) { case RFCOMM_LM: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { + if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) { err = -EFAULT; break; } @@ -666,7 +666,6 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, struct sock *sk = sock->sk; struct bt_security sec; int err = 0; - size_t len; u32 opt; BT_DBG("sk %p", sk); @@ -688,11 +687,9 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, sec.level = BT_SECURITY_LOW; - len = min_t(unsigned int, sizeof(sec), optlen); - if (copy_from_sockptr(&sec, optval, len)) { - err = -EFAULT; + err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen); + if (err) break; - } if (sec.level > BT_SECURITY_HIGH) { err = -EINVAL; @@ -708,10 +705,9 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, break; } - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { - err = -EFAULT; + err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen); + if (err) break; - } if (opt) set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags); -- 2.39.4

3 months

4
4
0 0

[PATCH V2] cpufreq: s3c64xx: Fix compilation warning

by Viresh Kumar

The driver generates following warning when regulator support isn't enabled in the kernel. Fix it. drivers/cpufreq/s3c64xx-cpufreq.c: In function 's3c64xx_cpufreq_set_target': >> drivers/cpufreq/s3c64xx-cpufreq.c:55:22: warning: variable 'old_freq' set but not used [-Wunused-but-set-variable] 55 | unsigned int old_freq, new_freq; | ^~~~~~~~ >> drivers/cpufreq/s3c64xx-cpufreq.c:54:30: warning: variable 'dvfs' set but not used [-Wunused-but-set-variable] 54 | struct s3c64xx_dvfs *dvfs; | ^~~~ Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202501191803.CtfT7b2o-lkp@intel.com/ Cc: <stable(a)vger.kernel.org> # v5.4+ Signed-off-by: Viresh Kumar <viresh.kumar(a)linaro.org> --- V2: Move s3c64xx_dvfs_table too inside ifdef. drivers/cpufreq/s3c64xx-cpufreq.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/cpufreq/s3c64xx-cpufreq.c b/drivers/cpufreq/s3c64xx-cpufreq.c index c6bdfc308e99..9cef71528076 100644 --- a/drivers/cpufreq/s3c64xx-cpufreq.c +++ b/drivers/cpufreq/s3c64xx-cpufreq.c @@ -24,6 +24,7 @@ struct s3c64xx_dvfs { unsigned int vddarm_max; }; +#ifdef CONFIG_REGULATOR static struct s3c64xx_dvfs s3c64xx_dvfs_table[] = { [0] = { 1000000, 1150000 }, [1] = { 1050000, 1150000 }, @@ -31,6 +32,7 @@ static struct s3c64xx_dvfs s3c64xx_dvfs_table[] = { [3] = { 1200000, 1350000 }, [4] = { 1300000, 1350000 }, }; +#endif static struct cpufreq_frequency_table s3c64xx_freq_table[] = { { 0, 0, 66000 }, @@ -51,15 +53,16 @@ static struct cpufreq_frequency_table s3c64xx_freq_table[] = { static int s3c64xx_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index) { - struct s3c64xx_dvfs *dvfs; - unsigned int old_freq, new_freq; + unsigned int new_freq = s3c64xx_freq_table[index].frequency; int ret; +#ifdef CONFIG_REGULATOR + struct s3c64xx_dvfs *dvfs; + unsigned int old_freq; + old_freq = clk_get_rate(policy->clk) / 1000; - new_freq = s3c64xx_freq_table[index].frequency; dvfs = &s3c64xx_dvfs_table[s3c64xx_freq_table[index].driver_data]; -#ifdef CONFIG_REGULATOR if (vddarm && new_freq > old_freq) { ret = regulator_set_voltage(vddarm, dvfs->vddarm_min, -- 2.31.1.272.g89b43f80a514

3 months, 1 week

2
2
0 0

[PATCH 6.1.y] ext4: filesystems without casefold feature cannot be mounted with siphash

by Rajani kantha

From: Lizhi Xu <lizhi.xu(a)windriver.com> [ upstream commit 985b67cd86392310d9e9326de941c22fc9340eec ] When mounting the ext4 filesystem, if the default hash version is set to DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting. Reported-by: syzbot+340581ba9dceb7e06fb3(a)syzkaller.appspotmail.com Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Link: https://patch.msgid.link/20240605012335.44086-1-lizhi.xu@windriver.com Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Signed-off-by: Rajani Kantha <rajanikantha(a)engineer.com> --- fs/ext4/super.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 0b2591c07166..2e9c14e2370f 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3546,6 +3546,13 @@ int ext4_feature_set_ok(struct super_block *sb, int readonly) return 0; } #endif + if (EXT4_SB(sb)->s_es->s_def_hash_version == DX_HASH_SIPHASH && + !ext4_has_feature_casefold(sb)) { + ext4_msg(sb, KERN_ERR, + "Filesystem without casefold feature cannot be " + "mounted with siphash"); + return 0; + } if (readonly) return 1; -- 2.35.3

3 months, 1 week

1
0
0 0

[PATCH v2] atm/fore200e: Fix possible data race in fore200e_open()

by Gui-Dong Han

Protect access to fore200e->available_cell_rate with rate_mtx lock to prevent potential data race. In this case, since the update depends on a prior read, a data race could lead to a wrong fore200e.available_cell_rate value. The field fore200e.available_cell_rate is generally protected by the lock fore200e.rate_mtx when accessed. In all other read and write cases, this field is consistently protected by the lock, except for this case and during initialization. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Gui-Dong Han <2045gemini(a)gmail.com> --- v2: * Added a description of the data race hazard in fore200e_open(), as suggested by Jakub Kicinski and Simon Horman. --- drivers/atm/fore200e.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c index 4fea1149e003..f62e38571440 100644 --- a/drivers/atm/fore200e.c +++ b/drivers/atm/fore200e.c @@ -1374,7 +1374,9 @@ fore200e_open(struct atm_vcc *vcc) vcc->dev_data = NULL; + mutex_lock(&fore200e->rate_mtx); fore200e->available_cell_rate += vcc->qos.txtp.max_pcr; + mutex_unlock(&fore200e->rate_mtx); kfree(fore200e_vcc); return -EINVAL; -- 2.25.1

3 months, 1 week

3
3
0 0

urgent request for a quote

by manuel.rodrigues＠ene-kolla.pt

Hello, My name is wioleta. we would like to know if you export to Poland, as We have active projects that require most products as seen on your website. If yes, please kindly keep us informed upon your feedback so we can send our preferred listing for quote. For further information or have any questions, please do not hesitate to write us. Sten Arnlund Purchase Manager wioleta.raimer(a)invpolamd.com a: Vedwalterdige by 2, Holmerskulle, 432 68 Poland.

3 months, 1 week

1
0
0 0

[PATCH] posix-clock: Explicitly handle compat ioctls

by Thomas Weißschuh

Pointer arguments passed to ioctls need to pass through compat_ptr() to work correctly on s390; as explained in Documentation/driver-api/ioctl.rst. Plumb the compat_ioctl callback through 'struct posix_clock_operations' and handle the different ioctls cmds in the new ptp_compat_ioctl(). Using compat_ptr_ioctl is not possible. For the commands PTP_ENABLE_PPS/PTP_ENABLE_PPS2 on s390 it would corrupt the argument 0x80000000, aka BIT(31) to zero. Fixes: 0606f422b453 ("posix clocks: Introduce dynamic clocks") Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- drivers/ptp/ptp_chardev.c | 18 ++++++++++++++++++ drivers/ptp/ptp_clock.c | 1 + drivers/ptp/ptp_private.h | 7 +++++++ include/linux/posix-clock.h | 3 +++ kernel/time/posix-clock.c | 4 ++-- 5 files changed, 31 insertions(+), 2 deletions(-) diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c index ea96a14d72d141a4b255563b66bac8ed568b45e9..704af620c1173c12ee26b3b6c7982693e3c4c21f 100644 --- a/drivers/ptp/ptp_chardev.c +++ b/drivers/ptp/ptp_chardev.c @@ -4,6 +4,7 @@ * * Copyright (C) 2010 OMICRON electronics GmbH */ +#include <linux/compat.h> #include <linux/module.h> #include <linux/posix-clock.h> #include <linux/poll.h> @@ -507,6 +508,23 @@ long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, return err; } +#ifdef CONFIG_COMPAT +long ptp_compat_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, + unsigned long arg) +{ + switch (cmd) { + case PTP_ENABLE_PPS: + case PTP_ENABLE_PPS2: + /* These take in scalar arg, do not convert */ + break; + default: + arg = (unsigned long)compat_ptr(arg); + } + + return ptp_ioctl(pccontext, cmd, arg); +} +#endif + __poll_t ptp_poll(struct posix_clock_context *pccontext, struct file *fp, poll_table *wait) { diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c index 77a36e7bddd54e8f45eab317e687f033f57cc5bc..dec84b81cedfd13bcf8c97be6c3c27d73cd671f6 100644 --- a/drivers/ptp/ptp_clock.c +++ b/drivers/ptp/ptp_clock.c @@ -180,6 +180,7 @@ static struct posix_clock_operations ptp_clock_ops = { .clock_getres = ptp_clock_getres, .clock_settime = ptp_clock_settime, .ioctl = ptp_ioctl, + .compat_ioctl = ptp_compat_ioctl, .open = ptp_open, .release = ptp_release, .poll = ptp_poll, diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h index 18934e28469ee6e3bf9c9e6d1a1adb82808d88e6..13999a7af47a7b67ae8dc549351fbafef2ae402f 100644 --- a/drivers/ptp/ptp_private.h +++ b/drivers/ptp/ptp_private.h @@ -133,6 +133,13 @@ int ptp_set_pinfunc(struct ptp_clock *ptp, unsigned int pin, long ptp_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, unsigned long arg); +#ifdef CONFIG_COMPAT +long ptp_compat_ioctl(struct posix_clock_context *pccontext, unsigned int cmd, + unsigned long arg); +#else +#define ptp_compat_ioctl NULL +#endif + int ptp_open(struct posix_clock_context *pccontext, fmode_t fmode); int ptp_release(struct posix_clock_context *pccontext); diff --git a/include/linux/posix-clock.h b/include/linux/posix-clock.h index ef8619f489203eeb369ae580fc4d4b2439c94ae9..8bdc7aec5f7979c42752a233077620818d15acdd 100644 --- a/include/linux/posix-clock.h +++ b/include/linux/posix-clock.h @@ -54,6 +54,9 @@ struct posix_clock_operations { long (*ioctl)(struct posix_clock_context *pccontext, unsigned int cmd, unsigned long arg); + long (*compat_ioctl)(struct posix_clock_context *pccontext, unsigned int cmd, + unsigned long arg); + int (*open)(struct posix_clock_context *pccontext, fmode_t f_mode); __poll_t (*poll)(struct posix_clock_context *pccontext, struct file *file, diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c index 1af0bb2cc45c0aab843f77eb156992de469c8fb9..63184d92ef139c3fb9254745619ebca120fecce6 100644 --- a/kernel/time/posix-clock.c +++ b/kernel/time/posix-clock.c @@ -101,8 +101,8 @@ static long posix_clock_compat_ioctl(struct file *fp, if (!clk) return -ENODEV; - if (clk->ops.ioctl) - err = clk->ops.ioctl(pccontext, cmd, arg); + if (clk->ops.compat_ioctl) + err = clk->ops.compat_ioctl(pccontext, cmd, arg); put_posix_clock(clk); --- base-commit: 0bc21e701a6ffacfdde7f04f87d664d82e8a13bf change-id: 20250103-posix-clock-compat_ioctl-96fbac549146 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

3 months, 1 week

5
9
0 0

[PATCH 6.1.y] ssb: Fix potential NULL pointer dereference in ssb_device_uevent()

by Imkanmod Khan

From: Rand Deeb <rand.sec96(a)gmail.com> [ Upstream commit 789c17185fb0f39560496c2beab9b57ce1d0cbe7 ] The ssb_device_uevent() function first attempts to convert the 'dev' pointer to 'struct ssb_device *'. However, it mistakenly dereferences 'dev' before performing the NULL check, potentially leading to a NULL pointer dereference if 'dev' is NULL. To fix this issue, move the NULL check before dereferencing the 'dev' pointer, ensuring that the pointer is valid before attempting to use it. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Rand Deeb <rand.sec96(a)gmail.com> Signed-off-by: Kalle Valo <kvalo(a)kernel.org> Link: https://msgid.link/20240306123028.164155-1-rand.sec96@gmail.com Signed-off-by: Imkanmod Khan <imkanmodkhan(a)gmail.com> --- drivers/ssb/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/ssb/main.c b/drivers/ssb/main.c index d52e91258e98..aae50a5dfb57 100644 --- a/drivers/ssb/main.c +++ b/drivers/ssb/main.c @@ -341,11 +341,13 @@ static int ssb_bus_match(struct device *dev, struct device_driver *drv) static int ssb_device_uevent(struct device *dev, struct kobj_uevent_env *env) { - struct ssb_device *ssb_dev = dev_to_ssb_dev(dev); + struct ssb_device *ssb_dev; if (!dev) return -ENODEV; + ssb_dev = dev_to_ssb_dev(dev); + return add_uevent_var(env, "MODALIAS=ssb:v%04Xid%04Xrev%02X", ssb_dev->id.vendor, ssb_dev->id.coreid, -- 2.25.1

3 months, 1 week

2
1
0 0

[PATCH 5.15.y] platform/chrome: cros_ec_typec: Check for EC driver

by Laura Nao

From: Akihiko Odaki <akihiko.odaki(a)gmail.com> [ upstream commit 7464ff8bf2d762251b9537863db0e1caf9b0e402 ] The EC driver may not be initialized when cros_typec_probe is called, particulary when CONFIG_CROS_EC_CHARDEV=m. Signed-off-by: Akihiko Odaki <akihiko.odaki(a)gmail.com> Reviewed-by: Guenter Roeck <groeck(a)chromium.org> Link: https://lore.kernel.org/r/20220404041101.6276-1-akihiko.odaki@gmail.com Signed-off-by: Prashant Malani <pmalani(a)chromium.org> Signed-off-by: Laura Nao <laura.nao(a)collabora.com> --- This solves the kernel NULL pointer dereference exception detected by KernelCI on many x86_64 Chromebooks - see e.g.: https://staging.dashboard.kernelci.org:9000/test/maestro%3A6790c13e09f33884… drivers/platform/chrome/cros_ec_typec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c index 2b8bef0d7ee5..c065963b9a42 100644 --- a/drivers/platform/chrome/cros_ec_typec.c +++ b/drivers/platform/chrome/cros_ec_typec.c @@ -1123,6 +1123,9 @@ static int cros_typec_probe(struct platform_device *pdev) } ec_dev = dev_get_drvdata(&typec->ec->ec->dev); + if (!ec_dev) + return -EPROBE_DEFER; + typec->typec_cmd_supported = !!cros_ec_check_features(ec_dev, EC_FEATURE_TYPEC_CMD); typec->needs_mux_ack = !!cros_ec_check_features(ec_dev, EC_FEATURE_TYPEC_MUX_REQUIRE_AP_ACK); -- 2.30.2

3 months, 1 week

2
1
0 0

[PATCH 1/3] drm/xe: Fix and re-enable xe_print_blob_ascii85()

by José Roberto de Souza

From: Lucas De Marchi <lucas.demarchi(a)intel.com> Commit 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") partially reverted some changes to workaround breakage caused to mesa tools. However, in doing so it also broke fetching the GuC log via debugfs since xe_print_blob_ascii85() simply bails out. The fix is to avoid the extra newlines: the devcoredump interface is line-oriented and adding random newlines in the middle breaks it. If a tool is able to parse it by looking at the data and checking for chars that are out of the ascii85 space, it can still do so. A format change that breaks the line-oriented output on devcoredump however needs better coordination with existing tools. Reviewed-by: José Roberto de Souza <jose.souza(a)intel.com> Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Julia Filipchuk <julia.filipchuk(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") Fixes: ec1455ce7e35 ("drm/xe/devcoredump: Add ASCII85 dump helper function") Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_devcoredump.c | 30 +++++++++-------------------- drivers/gpu/drm/xe/xe_devcoredump.h | 2 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 ++- drivers/gpu/drm/xe/xe_guc_log.c | 4 +++- 4 files changed, 15 insertions(+), 24 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c index 81dc7795c0651..1c86e6456d60f 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.c +++ b/drivers/gpu/drm/xe/xe_devcoredump.c @@ -395,42 +395,30 @@ int xe_devcoredump_init(struct xe_device *xe) /** * xe_print_blob_ascii85 - print a BLOB to some useful location in ASCII85 * - * The output is split to multiple lines because some print targets, e.g. dmesg - * cannot handle arbitrarily long lines. Note also that printing to dmesg in - * piece-meal fashion is not possible, each separate call to drm_puts() has a - * line-feed automatically added! Therefore, the entire output line must be - * constructed in a local buffer first, then printed in one atomic output call. + * The output is split to multiple print calls because some print targets, e.g. + * dmesg cannot handle arbitrarily long lines. These targets may add newline + * between calls. * * There is also a scheduler yield call to prevent the 'task has been stuck for * 120s' kernel hang check feature from firing when printing to a slow target * such as dmesg over a serial port. * - * TODO: Add compression prior to the ASCII85 encoding to shrink huge buffers down. - * * @p: the printer object to output to * @prefix: optional prefix to add to output string * @blob: the Binary Large OBject to dump out * @offset: offset in bytes to skip from the front of the BLOB, must be a multiple of sizeof(u32) * @size: the size in bytes of the BLOB, must be a multiple of sizeof(u32) */ -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size) { const u32 *blob32 = (const u32 *)blob; char buff[ASCII85_BUFSZ], *line_buff; size_t line_pos = 0; - /* - * Splitting blobs across multiple lines is not compatible with the mesa - * debug decoder tool. Note that even dropping the explicit '\n' below - * doesn't help because the GuC log is so big some underlying implementation - * still splits the lines at 512K characters. So just bail completely for - * the moment. - */ - return; - #define DMESG_MAX_LINE_LEN 800 -#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\n\0" */ + /* Always leave space for the suffix char and the \0 */ +#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "<suffix>\0" */ if (size & 3) drm_printf(p, "Size not word aligned: %zu", size); @@ -462,7 +450,6 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, line_pos += strlen(line_buff + line_pos); if ((line_pos + MIN_SPACE) >= DMESG_MAX_LINE_LEN) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; drm_puts(p, line_buff); @@ -474,10 +461,11 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, } } + if (suffix) + line_buff[line_pos++] = suffix; + if (line_pos) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; - drm_puts(p, line_buff); } diff --git a/drivers/gpu/drm/xe/xe_devcoredump.h b/drivers/gpu/drm/xe/xe_devcoredump.h index 6a17e6d601022..5391a80a4d1ba 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.h +++ b/drivers/gpu/drm/xe/xe_devcoredump.h @@ -29,7 +29,7 @@ static inline int xe_devcoredump_init(struct xe_device *xe) } #endif -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size); #endif diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c index 8b65c5e959cc2..50c8076b51585 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct.c +++ b/drivers/gpu/drm/xe/xe_guc_ct.c @@ -1724,7 +1724,8 @@ void xe_guc_ct_snapshot_print(struct xe_guc_ct_snapshot *snapshot, snapshot->g2h_outstanding); if (snapshot->ctb) - xe_print_blob_ascii85(p, "CTB data", snapshot->ctb, 0, snapshot->ctb_size); + xe_print_blob_ascii85(p, "CTB data", '\n', + snapshot->ctb, 0, snapshot->ctb_size); } else { drm_puts(p, "CT disabled\n"); } diff --git a/drivers/gpu/drm/xe/xe_guc_log.c b/drivers/gpu/drm/xe/xe_guc_log.c index 80151ff6a71f8..44482ea919924 100644 --- a/drivers/gpu/drm/xe/xe_guc_log.c +++ b/drivers/gpu/drm/xe/xe_guc_log.c @@ -207,8 +207,10 @@ void xe_guc_log_snapshot_print(struct xe_guc_log_snapshot *snapshot, struct drm_ remain = snapshot->size; for (i = 0; i < snapshot->num_chunks; i++) { size_t size = min(GUC_LOG_CHUNK_SIZE, remain); + const char *prefix = i ? NULL : "Log data"; + char suffix = i == snapshot->num_chunks - 1 ? '\n' : 0; - xe_print_blob_ascii85(p, i ? NULL : "Log data", snapshot->copy[i], 0, size); + xe_print_blob_ascii85(p, prefix, suffix, snapshot->copy[i], 0, size); remain -= size; } } -- 2.48.1

3 months, 1 week

3
2
0 0

[PATCH 2/2] drm/xe: Fix and re-enable xe_print_blob_ascii85()

by Lucas De Marchi

Commit 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") partially reverted some changes to workaround breakage caused to mesa tools. However, in doing so it also broke fetching the GuC log via debugfs since xe_print_blob_ascii85() simply bails out. The fix is to avoid the extra newlines: the devcoredump interface is line-oriented and adding random newlines in the middle breaks it. If a tool is able to parse it by looking at the data and checking for chars that are out of the ascii85 space, it can still do so. A format change that breaks the line-oriented output on devcoredump however needs better coordination with existing tools. Cc: John Harrison <John.C.Harrison(a)Intel.com> Cc: Julia Filipchuk <julia.filipchuk(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: 70fb86a85dc9 ("drm/xe: Revert some changes that break a mesa debug tool") Fixes: ec1455ce7e35 ("drm/xe/devcoredump: Add ASCII85 dump helper function") Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- drivers/gpu/drm/xe/xe_devcoredump.c | 30 +++++++++-------------------- drivers/gpu/drm/xe/xe_devcoredump.h | 2 +- drivers/gpu/drm/xe/xe_guc_ct.c | 3 ++- drivers/gpu/drm/xe/xe_guc_log.c | 4 +++- 4 files changed, 15 insertions(+), 24 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_devcoredump.c b/drivers/gpu/drm/xe/xe_devcoredump.c index a7946a76777e7..d9b71bb690860 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.c +++ b/drivers/gpu/drm/xe/xe_devcoredump.c @@ -391,42 +391,30 @@ int xe_devcoredump_init(struct xe_device *xe) /** * xe_print_blob_ascii85 - print a BLOB to some useful location in ASCII85 * - * The output is split to multiple lines because some print targets, e.g. dmesg - * cannot handle arbitrarily long lines. Note also that printing to dmesg in - * piece-meal fashion is not possible, each separate call to drm_puts() has a - * line-feed automatically added! Therefore, the entire output line must be - * constructed in a local buffer first, then printed in one atomic output call. + * The output is split to multiple print calls because some print targets, e.g. + * dmesg cannot handle arbitrarily long lines. These targets may add newline + * between calls. * * There is also a scheduler yield call to prevent the 'task has been stuck for * 120s' kernel hang check feature from firing when printing to a slow target * such as dmesg over a serial port. * - * TODO: Add compression prior to the ASCII85 encoding to shrink huge buffers down. - * * @p: the printer object to output to * @prefix: optional prefix to add to output string * @blob: the Binary Large OBject to dump out * @offset: offset in bytes to skip from the front of the BLOB, must be a multiple of sizeof(u32) * @size: the size in bytes of the BLOB, must be a multiple of sizeof(u32) */ -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size) { const u32 *blob32 = (const u32 *)blob; char buff[ASCII85_BUFSZ], *line_buff; size_t line_pos = 0; - /* - * Splitting blobs across multiple lines is not compatible with the mesa - * debug decoder tool. Note that even dropping the explicit '\n' below - * doesn't help because the GuC log is so big some underlying implementation - * still splits the lines at 512K characters. So just bail completely for - * the moment. - */ - return; - #define DMESG_MAX_LINE_LEN 800 -#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "\n\0" */ + /* Always leave space for the suffix char and the \0 */ +#define MIN_SPACE (ASCII85_BUFSZ + 2) /* 85 + "<suffix>\0" */ if (size & 3) drm_printf(p, "Size not word aligned: %zu", size); @@ -458,7 +446,6 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, line_pos += strlen(line_buff + line_pos); if ((line_pos + MIN_SPACE) >= DMESG_MAX_LINE_LEN) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; drm_puts(p, line_buff); @@ -470,10 +457,11 @@ void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, } } + if (suffix) + line_buff[line_pos++] = suffix; + if (line_pos) { - line_buff[line_pos++] = '\n'; line_buff[line_pos++] = 0; - drm_puts(p, line_buff); } diff --git a/drivers/gpu/drm/xe/xe_devcoredump.h b/drivers/gpu/drm/xe/xe_devcoredump.h index 6a17e6d601022..5391a80a4d1ba 100644 --- a/drivers/gpu/drm/xe/xe_devcoredump.h +++ b/drivers/gpu/drm/xe/xe_devcoredump.h @@ -29,7 +29,7 @@ static inline int xe_devcoredump_init(struct xe_device *xe) } #endif -void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, +void xe_print_blob_ascii85(struct drm_printer *p, const char *prefix, char suffix, const void *blob, size_t offset, size_t size); #endif diff --git a/drivers/gpu/drm/xe/xe_guc_ct.c b/drivers/gpu/drm/xe/xe_guc_ct.c index 8b65c5e959cc2..50c8076b51585 100644 --- a/drivers/gpu/drm/xe/xe_guc_ct.c +++ b/drivers/gpu/drm/xe/xe_guc_ct.c @@ -1724,7 +1724,8 @@ void xe_guc_ct_snapshot_print(struct xe_guc_ct_snapshot *snapshot, snapshot->g2h_outstanding); if (snapshot->ctb) - xe_print_blob_ascii85(p, "CTB data", snapshot->ctb, 0, snapshot->ctb_size); + xe_print_blob_ascii85(p, "CTB data", '\n', + snapshot->ctb, 0, snapshot->ctb_size); } else { drm_puts(p, "CT disabled\n"); } diff --git a/drivers/gpu/drm/xe/xe_guc_log.c b/drivers/gpu/drm/xe/xe_guc_log.c index 80151ff6a71f8..44482ea919924 100644 --- a/drivers/gpu/drm/xe/xe_guc_log.c +++ b/drivers/gpu/drm/xe/xe_guc_log.c @@ -207,8 +207,10 @@ void xe_guc_log_snapshot_print(struct xe_guc_log_snapshot *snapshot, struct drm_ remain = snapshot->size; for (i = 0; i < snapshot->num_chunks; i++) { size_t size = min(GUC_LOG_CHUNK_SIZE, remain); + const char *prefix = i ? NULL : "Log data"; + char suffix = i == snapshot->num_chunks - 1 ? '\n' : 0; - xe_print_blob_ascii85(p, i ? NULL : "Log data", snapshot->copy[i], 0, size); + xe_print_blob_ascii85(p, prefix, suffix, snapshot->copy[i], 0, size); remain -= size; } } -- 2.48.0

3 months, 1 week

3
4
0 0

[PATCH] pwm: Ensure callbacks exist before calling them

by Uwe Kleine-König

If one of the waveform functions is called for a chip that only supports .apply(), we want that an error code is returned and not a NULL pointer exception. Fixes: 6c5126c6406d ("pwm: Provide new consumer API functions for waveforms") Cc: stable(a)vger.kernel.org Signed-off-by: Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> --- Hello, assuming nobody spots a problem I will send this patch to Linus next week for inclusion in -rc1. Best regards Uwe drivers/pwm/core.c | 13 +++++++++++-- include/linux/pwm.h | 17 +++++++++++++++++ 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/drivers/pwm/core.c b/drivers/pwm/core.c index 9c733877e98e..1a36ee3cab91 100644 --- a/drivers/pwm/core.c +++ b/drivers/pwm/core.c @@ -242,6 +242,9 @@ int pwm_round_waveform_might_sleep(struct pwm_device *pwm, struct pwm_waveform * BUG_ON(WFHWSIZE < ops->sizeof_wfhw); + if (!pwmchip_supports_waveform(chip)) + return -EOPNOTSUPP; + if (!pwm_wf_valid(wf)) return -EINVAL; @@ -294,6 +297,9 @@ int pwm_get_waveform_might_sleep(struct pwm_device *pwm, struct pwm_waveform *wf BUG_ON(WFHWSIZE < ops->sizeof_wfhw); + if (!pwmchip_supports_waveform(chip) || !ops->read_waveform) + return -EOPNOTSUPP; + guard(pwmchip)(chip); if (!chip->operational) @@ -320,6 +326,9 @@ static int __pwm_set_waveform(struct pwm_device *pwm, BUG_ON(WFHWSIZE < ops->sizeof_wfhw); + if (!pwmchip_supports_waveform(chip)) + return -EOPNOTSUPP; + if (!pwm_wf_valid(wf)) return -EINVAL; @@ -592,7 +601,7 @@ static int __pwm_apply(struct pwm_device *pwm, const struct pwm_state *state) state->usage_power == pwm->state.usage_power) return 0; - if (ops->write_waveform) { + if (pwmchip_supports_waveform(chip)) { struct pwm_waveform wf; char wfhw[WFHWSIZE]; @@ -746,7 +755,7 @@ int pwm_get_state_hw(struct pwm_device *pwm, struct pwm_state *state) if (!chip->operational) return -ENODEV; - if (ops->read_waveform) { + if (pwmchip_supports_waveform(chip) && ops->read_waveform) { char wfhw[WFHWSIZE]; struct pwm_waveform wf; diff --git a/include/linux/pwm.h b/include/linux/pwm.h index 78827f312407..b8d78009e779 100644 --- a/include/linux/pwm.h +++ b/include/linux/pwm.h @@ -347,6 +347,23 @@ struct pwm_chip { struct pwm_device pwms[] __counted_by(npwm); }; +/** + * pwmchip_supports_waveform() - checks if the given chip supports waveform callbacks + * @chip: The pwm_chip to test + * + * Returns true iff the pwm chip support the waveform functions like + * pwm_set_waveform_might_sleep() and pwm_round_waveform_might_sleep() + */ +static inline bool pwmchip_supports_waveform(struct pwm_chip *chip) +{ + /* + * only check for .write_waveform(). If that is available, + * .round_waveform_tohw() and .round_waveform_fromhw() asserted to be + * available, too, in pwmchip_add(). + */ + return chip->ops->write_waveform != NULL; +} + static inline struct device *pwmchip_parent(const struct pwm_chip *chip) { return chip->dev.parent; base-commit: e8c59791ebb60790c74b2c3ab520f04a8a57219a prerequisite-patch-id: f5f481d393ddd1fd20a685c86cd4e93dd40d26c7 -- 2.47.1

3 months, 1 week

2
1
0 0

[PATCH] drm/v3d: Assign job pointer to NULL before signaling the fence

by Maíra Canal

In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ execution thread, a new job starts to be executed. This results in a race condition where the IRQ execution thread sets the job pointer to NULL simultaneously as the `run_job()` function assigns a new job to the pointer. This race condition can lead to a NULL pointer dereference if the IRQ execution thread sets the job pointer to NULL after `run_job()` assigns it to the new job. When the new job completes and the GPU emits an interrupt, `v3d_irq()` is triggered, potentially causing a crash. [ 466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 466.318928] Mem abort info: [ 466.321723] ESR = 0x0000000096000005 [ 466.325479] EC = 0x25: DABT (current EL), IL = 32 bits [ 466.330807] SET = 0, FnV = 0 [ 466.333864] EA = 0, S1PTW = 0 [ 466.337010] FSC = 0x05: level 1 translation fault [ 466.341900] Data abort info: [ 466.344783] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 466.350285] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 466.355350] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000 [ 466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6 [ 466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G C 6.13.0-v8+ #18 [ 466.467336] Tainted: [C]=CRAP [ 466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 466.483143] pc : v3d_irq+0x118/0x2e0 [v3d] [ 466.487258] lr : __handle_irq_event_percpu+0x60/0x228 [ 466.492327] sp : ffffffc080003ea0 [ 466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000 [ 466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200 [ 466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000 [ 466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000 [ 466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000 [ 466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0 [ 466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70 [ 466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000 [ 466.567263] Call trace: [ 466.569711] v3d_irq+0x118/0x2e0 [v3d] (P) [ 466.573826] __handle_irq_event_percpu+0x60/0x228 [ 466.578546] handle_irq_event+0x54/0xb8 [ 466.582391] handle_fasteoi_irq+0xac/0x240 [ 466.586498] generic_handle_domain_irq+0x34/0x58 [ 466.591128] gic_handle_irq+0x48/0xd8 [ 466.594798] call_on_irq_stack+0x24/0x58 [ 466.598730] do_interrupt_handler+0x88/0x98 [ 466.602923] el0_interrupt+0x44/0xc0 [ 466.606508] __el0_irq_handler_common+0x18/0x28 [ 466.611050] el0t_64_irq_handler+0x10/0x20 [ 466.615156] el0t_64_irq+0x198/0x1a0 [ 466.618740] Code: 52800035 3607faf3 f9442e80 52800021 (f9406018) [ 466.624853] ---[ end trace 0000000000000000 ]--- [ 466.629483] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 466.636384] SMP: stopping secondary CPUs [ 466.640320] Kernel Offset: 0x100c400000 from 0xffffffc080000000 [ 466.646259] PHYS_OFFSET: 0x0 [ 466.649141] CPU features: 0x100,00000170,00901250,0200720b [ 466.654644] Memory Limit: none [ 466.657706] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Fix the crash by assigning the job pointer to NULL before signaling the fence. This ensures that the job pointer is cleared before any new job starts execution, preventing the race condition and the NULL pointer dereference crash. Cc: stable(a)vger.kernel.org Fixes: e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion") Signed-off-by: Maíra Canal <mcanal(a)igalia.com> --- drivers/gpu/drm/v3d/v3d_irq.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c index da203045df9b..72b6a119412f 100644 --- a/drivers/gpu/drm/v3d/v3d_irq.c +++ b/drivers/gpu/drm/v3d/v3d_irq.c @@ -107,8 +107,10 @@ v3d_irq(int irq, void *arg) v3d_job_update_stats(&v3d->bin_job->base, V3D_BIN); trace_v3d_bcl_irq(&v3d->drm, fence->seqno); - dma_fence_signal(&fence->base); + v3d->bin_job = NULL; + dma_fence_signal(&fence->base); + status = IRQ_HANDLED; } @@ -118,8 +120,10 @@ v3d_irq(int irq, void *arg) v3d_job_update_stats(&v3d->render_job->base, V3D_RENDER); trace_v3d_rcl_irq(&v3d->drm, fence->seqno); - dma_fence_signal(&fence->base); + v3d->render_job = NULL; + dma_fence_signal(&fence->base); + status = IRQ_HANDLED; } @@ -129,8 +133,10 @@ v3d_irq(int irq, void *arg) v3d_job_update_stats(&v3d->csd_job->base, V3D_CSD); trace_v3d_csd_irq(&v3d->drm, fence->seqno); - dma_fence_signal(&fence->base); + v3d->csd_job = NULL; + dma_fence_signal(&fence->base); + status = IRQ_HANDLED; } @@ -167,8 +173,10 @@ v3d_hub_irq(int irq, void *arg) v3d_job_update_stats(&v3d->tfu_job->base, V3D_TFU); trace_v3d_tfu_irq(&v3d->drm, fence->seqno); - dma_fence_signal(&fence->base); + v3d->tfu_job = NULL; + dma_fence_signal(&fence->base); + status = IRQ_HANDLED; } -- 2.39.5 (Apple Git-154)

3 months, 1 week

4
4
0 0

[tip: timers/urgent] hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING

by tip-bot2 for Frederic Weisbecker

The following commit has been merged into the timers/urgent branch of tip: Commit-ID: 53dac345395c0d2493cbc2f4c85fe38aef5b63f5 Gitweb: https://git.kernel.org/tip/53dac345395c0d2493cbc2f4c85fe38aef5b63f5 Author: Frederic Weisbecker <frederic(a)kernel.org> AuthorDate: Sat, 18 Jan 2025 00:24:33 +01:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Thu, 23 Jan 2025 20:06:35 +01:00 hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING hrtimers are migrated away from the dying CPU to any online target at the CPUHP_AP_HRTIMERS_DYING stage in order not to delay bandwidth timers handling tasks involved in the CPU hotplug forward progress. However wakeups can still be performed by the outgoing CPU after CPUHP_AP_HRTIMERS_DYING. Those can result again in bandwidth timers being armed. Depending on several considerations (crystal ball power management based election, earliest timer already enqueued, timer migration enabled or not), the target may eventually be the current CPU even if offline. If that happens, the timer is eventually ignored. The most notable example is RCU which had to deal with each and every of those wake-ups by deferring them to an online CPU, along with related workarounds: _ e787644caf76 (rcu: Defer RCU kthreads wakeup when CPU is dying) _ 9139f93209d1 (rcu/nocb: Fix RT throttling hrtimer armed from offline CPU) _ f7345ccc62a4 (rcu/nocb: Fix rcuog wake-up from offline softirq) The problem isn't confined to RCU though as the stop machine kthread (which runs CPUHP_AP_HRTIMERS_DYING) reports its completion at the end of its work through cpu_stop_signal_done() and performs a wake up that eventually arms the deadline server timer: WARNING: CPU: 94 PID: 588 at kernel/time/hrtimer.c:1086 hrtimer_start_range_ns+0x289/0x2d0 CPU: 94 UID: 0 PID: 588 Comm: migration/94 Not tainted Stopper: multi_cpu_stop+0x0/0x120 <- stop_machine_cpuslocked+0x66/0xc0 RIP: 0010:hrtimer_start_range_ns+0x289/0x2d0 Call Trace: <TASK> start_dl_timer enqueue_dl_entity dl_server_start enqueue_task_fair enqueue_task ttwu_do_activate try_to_wake_up complete cpu_stopper_thread Instead of providing yet another bandaid to work around the situation, fix it in the hrtimers infrastructure instead: always migrate away a timer to an online target whenever it is enqueued from an offline CPU. This will also allow to revert all the above RCU disgraceful hacks. Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") Reported-by: Vlad Poenaru <vlad.wing(a)gmail.com> Reported-by: Usama Arif <usamaarif642(a)gmail.com> Signed-off-by: Frederic Weisbecker <frederic(a)kernel.org> Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Tested-by: Paul E. McKenney <paulmck(a)kernel.org> Link: https://lore.kernel.org/all/20250117232433.24027-1-frederic@kernel.org Closes: 20241213203739.1519801-1-usamaarif642(a)gmail.com --- include/linux/hrtimer_defs.h | 1 +- kernel/time/hrtimer.c | 103 +++++++++++++++++++++++++++------- 2 files changed, 83 insertions(+), 21 deletions(-) diff --git a/include/linux/hrtimer_defs.h b/include/linux/hrtimer_defs.h index c3b4b7e..84a5045 100644 --- a/include/linux/hrtimer_defs.h +++ b/include/linux/hrtimer_defs.h @@ -125,6 +125,7 @@ struct hrtimer_cpu_base { ktime_t softirq_expires_next; struct hrtimer *softirq_next_timer; struct hrtimer_clock_base clock_base[HRTIMER_MAX_CLOCK_BASES]; + call_single_data_t csd; } ____cacheline_aligned; diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c index 4fb81f8..deb1aa3 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c @@ -58,6 +58,8 @@ #define HRTIMER_ACTIVE_SOFT (HRTIMER_ACTIVE_HARD << MASK_SHIFT) #define HRTIMER_ACTIVE_ALL (HRTIMER_ACTIVE_SOFT | HRTIMER_ACTIVE_HARD) +static void retrigger_next_event(void *arg); + /* * The timer bases: * @@ -111,7 +113,8 @@ DEFINE_PER_CPU(struct hrtimer_cpu_base, hrtimer_bases) = .clockid = CLOCK_TAI, .get_time = &ktime_get_clocktai, }, - } + }, + .csd = CSD_INIT(retrigger_next_event, NULL) }; static const int hrtimer_clock_to_base_table[MAX_CLOCKS] = { @@ -124,6 +127,14 @@ static const int hrtimer_clock_to_base_table[MAX_CLOCKS] = { [CLOCK_TAI] = HRTIMER_BASE_TAI, }; +static inline bool hrtimer_base_is_online(struct hrtimer_cpu_base *base) +{ + if (!IS_ENABLED(CONFIG_HOTPLUG_CPU)) + return true; + else + return likely(base->online); +} + /* * Functions and macros which are different for UP/SMP systems are kept in a * single place @@ -178,27 +189,54 @@ struct hrtimer_clock_base *lock_hrtimer_base(const struct hrtimer *timer, } /* - * We do not migrate the timer when it is expiring before the next - * event on the target cpu. When high resolution is enabled, we cannot - * reprogram the target cpu hardware and we would cause it to fire - * late. To keep it simple, we handle the high resolution enabled and - * disabled case similar. + * Check if the elected target is suitable considering its next + * event and the hotplug state of the current CPU. + * + * If the elected target is remote and its next event is after the timer + * to queue, then a remote reprogram is necessary. However there is no + * guarantee the IPI handling the operation would arrive in time to meet + * the high resolution deadline. In this case the local CPU becomes a + * preferred target, unless it is offline. + * + * High and low resolution modes are handled the same way for simplicity. * * Called with cpu_base->lock of target cpu held. */ -static int -hrtimer_check_target(struct hrtimer *timer, struct hrtimer_clock_base *new_base) +static bool hrtimer_suitable_target(struct hrtimer *timer, struct hrtimer_clock_base *new_base, + struct hrtimer_cpu_base *new_cpu_base, + struct hrtimer_cpu_base *this_cpu_base) { ktime_t expires; + /* + * The local CPU clockevent can be reprogrammed. Also get_target_base() + * guarantees it is online. + */ + if (new_cpu_base == this_cpu_base) + return true; + + /* + * The offline local CPU can't be the default target if the + * next remote target event is after this timer. Keep the + * elected new base. An IPI will we issued to reprogram + * it as a last resort. + */ + if (!hrtimer_base_is_online(this_cpu_base)) + return true; + expires = ktime_sub(hrtimer_get_expires(timer), new_base->offset); - return expires < new_base->cpu_base->expires_next; + + return expires >= new_base->cpu_base->expires_next; } -static inline -struct hrtimer_cpu_base *get_target_base(struct hrtimer_cpu_base *base, - int pinned) +static inline struct hrtimer_cpu_base *get_target_base(struct hrtimer_cpu_base *base, int pinned) { + if (!hrtimer_base_is_online(base)) { + int cpu = cpumask_any_and(cpu_online_mask, housekeeping_cpumask(HK_TYPE_TIMER)); + + return &per_cpu(hrtimer_bases, cpu); + } + #if defined(CONFIG_SMP) && defined(CONFIG_NO_HZ_COMMON) if (static_branch_likely(&timers_migration_enabled) && !pinned) return &per_cpu(hrtimer_bases, get_nohz_timer_target()); @@ -249,8 +287,8 @@ again: raw_spin_unlock(&base->cpu_base->lock); raw_spin_lock(&new_base->cpu_base->lock); - if (new_cpu_base != this_cpu_base && - hrtimer_check_target(timer, new_base)) { + if (!hrtimer_suitable_target(timer, new_base, new_cpu_base, + this_cpu_base)) { raw_spin_unlock(&new_base->cpu_base->lock); raw_spin_lock(&base->cpu_base->lock); new_cpu_base = this_cpu_base; @@ -259,8 +297,7 @@ again: } WRITE_ONCE(timer->base, new_base); } else { - if (new_cpu_base != this_cpu_base && - hrtimer_check_target(timer, new_base)) { + if (!hrtimer_suitable_target(timer, new_base, new_cpu_base, this_cpu_base)) { new_cpu_base = this_cpu_base; goto again; } @@ -706,8 +743,6 @@ static inline int hrtimer_is_hres_enabled(void) return hrtimer_hres_enabled; } -static void retrigger_next_event(void *arg); - /* * Switch to high resolution mode */ @@ -1195,6 +1230,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, u64 delta_ns, const enum hrtimer_mode mode, struct hrtimer_clock_base *base) { + struct hrtimer_cpu_base *this_cpu_base = this_cpu_ptr(&hrtimer_bases); struct hrtimer_clock_base *new_base; bool force_local, first; @@ -1206,10 +1242,16 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, * and enforce reprogramming after it is queued no matter whether * it is the new first expiring timer again or not. */ - force_local = base->cpu_base == this_cpu_ptr(&hrtimer_bases); + force_local = base->cpu_base == this_cpu_base; force_local &= base->cpu_base->next_timer == timer; /* + * Don't force local queuing if this enqueue happens on a unplugged + * CPU after hrtimer_cpu_dying() has been invoked. + */ + force_local &= this_cpu_base->online; + + /* * Remove an active timer from the queue. In case it is not queued * on the current CPU, make sure that remove_hrtimer() updates the * remote data correctly. @@ -1238,8 +1280,27 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, } first = enqueue_hrtimer(timer, new_base, mode); - if (!force_local) - return first; + if (!force_local) { + /* + * If the current CPU base is online, then the timer is + * never queued on a remote CPU if it would be the first + * expiring timer there. + */ + if (hrtimer_base_is_online(this_cpu_base)) + return first; + + /* + * Timer was enqueued remote because the current base is + * already offline. If the timer is the first to expire, + * kick the remote CPU to reprogram the clock event. + */ + if (first) { + struct hrtimer_cpu_base *new_cpu_base = new_base->cpu_base; + + smp_call_function_single_async(new_cpu_base->cpu, &new_cpu_base->csd); + } + return 0; + } /* * Timer was forced to stay on the current CPU to avoid

3 months, 1 week

1
0
0 0

Linux 6.6.74

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.74 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/x86/include/asm/special_insns.h | 2 arch/x86/xen/xen-asm.S | 2 block/blk-sysfs.c | 6 - block/genhd.c | 9 - drivers/acpi/resource.c | 6 - drivers/block/zram/zram_drv.c | 1 drivers/gpio/gpio-xilinx.c | 32 +++--- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 45 --------- drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 4 drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 drivers/gpu/drm/i915/display/intel_fb.c | 2 drivers/gpu/drm/nouveau/nouveau_fence.c | 6 - drivers/gpu/drm/v3d/v3d_irq.c | 4 drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 3 drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 3 drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 - drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 1 drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 7 - drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 5 - drivers/hwmon/tmp513.c | 7 - drivers/i2c/busses/i2c-rcar.c | 20 +++- drivers/i2c/i2c-atr.c | 2 drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 ++ drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 drivers/infiniband/hw/bnxt_re/ib_verbs.h | 4 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 1 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 drivers/irqchip/irq-gic-v3-its.c | 2 drivers/irqchip/irq-gic-v3.c | 2 drivers/irqchip/irqchip.c | 4 drivers/mtd/spi-nor/core.c | 2 drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 --- drivers/net/ethernet/freescale/fec_main.c | 19 ++- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 22 ++-- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 12 +- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 drivers/net/ethernet/ti/cpsw_ale.c | 14 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 + drivers/net/gtp.c | 42 +++++--- drivers/nvme/target/io-cmd-bdev.c | 2 drivers/pci/controller/pci-host-common.c | 4 drivers/pci/probe.c | 20 ++-- drivers/pmdomain/imx/imx8mp-blk-ctrl.c | 2 drivers/ufs/core/ufshcd.c | 9 + fs/cachefiles/daemon.c | 14 +- fs/cachefiles/internal.h | 3 fs/cachefiles/security.c | 6 - fs/file.c | 1 fs/hfs/super.c | 4 fs/iomap/buffered-io.c | 2 fs/nfsd/filecache.c | 18 ++- fs/nfsd/filecache.h | 1 fs/notify/fdinfo.c | 4 fs/ocfs2/extent_map.c | 8 + fs/overlayfs/copy_up.c | 16 +-- fs/overlayfs/export.c | 49 +++++----- fs/overlayfs/namei.c | 4 fs/overlayfs/overlayfs.h | 2 fs/proc/vmcore.c | 2 fs/smb/client/connect.c | 3 include/linux/hrtimer.h | 1 include/linux/poll.h | 10 +- include/linux/pruss_driver.h | 12 +- include/net/net_namespace.h | 3 kernel/cpu.c | 2 kernel/gen_kheaders.sh | 1 kernel/time/hrtimer.c | 11 ++ mm/filemap.c | 2 net/core/filter.c | 30 +++--- net/core/net_namespace.c | 31 ++++++ net/core/pktgen.c | 6 - net/dccp/ipv6.c | 2 net/ipv6/tcp_ipv6.c | 4 net/mac802154/iface.c | 4 net/mptcp/options.c | 6 - net/mptcp/protocol.h | 9 + net/openvswitch/actions.c | 4 net/vmw_vsock/af_vsock.c | 18 +++ net/vmw_vsock/virtio_transport_common.c | 36 +++++-- net/vmw_vsock/vsock_bpf.c | 9 + sound/pci/hda/patch_realtek.c | 1 tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 ++++++-- tools/testing/selftests/tc-testing/tc-tests/filters/flow.json | 4 90 files changed, 477 insertions(+), 313 deletions(-) Amir Goldstein (3): ovl: pass realinode to ovl_encode_real_fh() instead of realdentry ovl: support encoding fid from inode with no alias fs: relax assertions on failure to encode file handles Artem Chernyshev (1): pktgen: Avoid out-of-bounds access in get_imix_entries Christian König (1): drm/amdgpu: always sync the GFX pipe on ctx switch Dan Carpenter (1): nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Dave Airlie (1): nouveau/fence: handle cross device fences properly David Howells (1): kheaders: Ignore silly-rename files David Lechner (1): hwmon: (tmp513) Fix division of negative numbers Eric Dumazet (2): net: add exit_batch_rtnl() method gtp: use exit_batch_rtnl() method Greg Kroah-Hartman (2): Revert "drm/amdgpu: rework resume handling for display (v2)" Linux 6.6.74 Hans de Goede (1): ACPI: resource: acpi_dev_irq_override(): Check DMI match last Heiner Kallweit (1): net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Hongguang Gao (1): RDMA/bnxt_re: Fix to export port num to ib_query_qp Ian Forbes (1): drm/vmwgfx: Add new keep_resv BO param Ilya Maximets (1): openvswitch: fix lockup on tx to unregistering netdev with carrier Jakub Kicinski (1): selftests: tc-testing: reduce rshift value Jean-Baptiste Maneyrol (1): iio: imu: inv_icm42600: fix spi burst write not supported Joe Hattori (1): irqchip: Plug a OF node reference leak in platform_irqchip_probe() Juergen Gross (2): x86/asm: Make serialize() always_inline x86/xen: fix SLS mitigation in xen_hypercall_iret() Kairui Song (1): zram: fix potential UAF of zram table Kevin Groeneveld (1): net: fec: handle page_pool_dev_alloc_pages error Koichiro Den (1): hrtimers: Handle CPU state correctly on hotplug Kuniyuki Iwashima (2): gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). gtp: Destroy device along with udp socket's netns dismantle. Leo Stone (1): hfs: Sanity check the root record Leon Romanovsky (3): net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel net/mlx5e: Rely on reqid in IPsec tunnel mode net/mlx5e: Always start IPsec sequence number from 1 Lizhi Xu (1): mac802154: check local interfaces before deleting sdata list Luis Chamberlain (1): nvmet: propagate npwg topology MD Danish Anwar (1): soc: ti: pruss: Fix pruss APIs Manivannan Sadhasivam (1): scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Marco Nelissen (2): iomap: avoid avoid truncating 64-bit offset to 32 bits filemap: avoid truncating 64-bit offset to 32 bits Mark Zhang (1): net/mlx5: Clear port select structure when fail to create Max Kellermann (1): cachefiles: Parse the "secctx" immediately Maíra Canal (1): drm/v3d: Ensure job pointer is set to NULL after job completion Michal Luczaj (1): bpf: Fix bpf_sk_select_reuseport() memory leak Mohammed Anees (1): ocfs2: fix deadlock in ocfs2_get_system_file_inode Oleg Nesterov (1): poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Paolo Abeni (3): mptcp: be sure to send ack when mptcp-level window re-opens mptcp: fix spurious wake-up on under memory pressure selftests: mptcp: avoid spurious errors on disconnect Patrisious Haddad (1): net/mlx5: Fix RDMA TX steering prio Paulo Alcantara (1): smb: client: fix double free of TCP_Server_Info::hostname Pratyush Yadav (1): Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" Rik van Riel (1): fs/proc: fix softlockup in __read_vmcore (part 2) Sean Anderson (2): net: xilinx: axienet: Fix IRQ coalescing packet count overflow gpio: xilinx: Convert gpio_lock to raw spinlock Srinivasan Shanmugam (1): drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' Stefan Binding (1): ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Stefano Garzarella (5): vsock/bpf: return early if transport is not assigned vsock/virtio: discard packets if the transport changes vsock/virtio: cancel close work in the destructor vsock: reset socket state when de-assigning the transport vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Sudheer Kumar Doredla (1): net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Terry Tritton (1): Revert "PCI: Use preserve_config in place of pci_flags" Tomas Krcka (1): irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() Tomi Valkeinen (1): i2c: atr: Fix client detach Ville Syrjälä (1): drm/i915/fb: Relax clear color alignment to 64 bytes Wang Liang (1): net: fix data-races around sk->sk_forward_alloc Wolfram Sang (2): i2c: mux: demux-pinctrl: check initial mux selection, too i2c: rcar: fix NACK handling when being a target Xiaolei Wang (1): pmdomain: imx8mp-blk-ctrl: add missing loop break condition Yogesh Lal (1): irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Youzhong Yang (1): nfsd: add list_head nf_gc to struct nfsd_file Yu Kuai (1): block: fix uaf for flush rq while iterating tags Zhang Kunbo (1): fs: fix missing declaration of init_files

3 months, 1 week

1
1
0 0

Linux 6.1.127

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.127 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/x86/include/asm/special_insns.h | 2 arch/x86/xen/xen-asm.S | 2 block/blk-sysfs.c | 6 block/genhd.c | 9 drivers/acpi/resource.c | 6 drivers/base/regmap/regmap.c | 12 drivers/block/zram/zram_drv.c | 1 drivers/gpio/gpiolib-cdev.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 47 --- drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 6 drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 drivers/gpu/drm/i915/display/intel_fb.c | 2 drivers/gpu/drm/v3d/v3d_irq.c | 4 drivers/hwmon/tmp513.c | 7 drivers/i2c/busses/i2c-rcar.c | 20 + drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 drivers/iio/adc/rockchip_saradc.c | 2 drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 18 + drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 drivers/infiniband/sw/rxe/rxe_req.c | 6 drivers/irqchip/irq-gic-v3-its.c | 2 drivers/irqchip/irq-gic-v3.c | 2 drivers/irqchip/irqchip.c | 4 drivers/mtd/spi-nor/core.c | 2 drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 - drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 drivers/net/ethernet/ti/cpsw_ale.c | 14 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 drivers/net/gtp.c | 42 +- drivers/net/wireless/ath/ath10k/sdio.c | 4 drivers/nvme/target/io-cmd-bdev.c | 2 drivers/pci/controller/pci-host-common.c | 4 drivers/pci/probe.c | 20 - drivers/scsi/sg.c | 2 drivers/soc/imx/imx8mp-blk-ctrl.c | 2 drivers/ufs/core/ufshcd.c | 9 fs/cachefiles/daemon.c | 14 fs/cachefiles/internal.h | 3 fs/cachefiles/security.c | 6 fs/erofs/erofs_fs.h | 145 ++++------ fs/erofs/zmap.c | 133 ++++----- fs/file.c | 1 fs/hfs/super.c | 4 fs/iomap/buffered-io.c | 2 fs/nfsd/filecache.c | 18 - fs/nfsd/filecache.h | 1 fs/proc/vmcore.c | 2 include/linux/hrtimer.h | 1 include/linux/poll.h | 10 include/net/net_namespace.h | 3 kernel/cpu.c | 2 kernel/gen_kheaders.sh | 1 kernel/time/hrtimer.c | 11 mm/filemap.c | 2 net/core/filter.c | 30 +- net/core/net_namespace.c | 31 ++ net/core/pktgen.c | 6 net/dccp/ipv6.c | 2 net/ipv6/tcp_ipv6.c | 4 net/mac802154/iface.c | 4 net/mptcp/options.c | 6 net/openvswitch/actions.c | 4 net/vmw_vsock/af_vsock.c | 18 + net/vmw_vsock/virtio_transport_common.c | 36 +- sound/pci/hda/patch_realtek.c | 1 tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 ++ tools/testing/selftests/tc-testing/tc-tests/filters/flow.json | 4 71 files changed, 476 insertions(+), 378 deletions(-) Artem Chernyshev (1): pktgen: Avoid out-of-bounds access in get_imix_entries Dan Carpenter (1): nfp: bpf: prevent integer overflow in nfp_bpf_event_output() David Howells (1): kheaders: Ignore silly-rename files David Lechner (1): hwmon: (tmp513) Fix division of negative numbers Eric Dumazet (2): net: add exit_batch_rtnl() method gtp: use exit_batch_rtnl() method Gao Xiang (2): erofs: tidy up EROFS on-disk naming erofs: handle NONHEAD !delta[1] lclusters gracefully Greg Kroah-Hartman (3): Revert "drm/amdgpu: rework resume handling for display (v2)" Revert "regmap: detach regmap from dev on regmap_exit" Linux 6.1.127 Hans de Goede (1): ACPI: resource: acpi_dev_irq_override(): Check DMI match last Heiner Kallweit (1): net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Ilya Maximets (1): openvswitch: fix lockup on tx to unregistering netdev with carrier Jakub Kicinski (1): selftests: tc-testing: reduce rshift value Javier Carrasco (1): iio: adc: rockchip_saradc: fix information leak in triggered buffer Jean-Baptiste Maneyrol (2): iio: imu: inv_icm42600: fix spi burst write not supported iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Joe Hattori (1): irqchip: Plug a OF node reference leak in platform_irqchip_probe() Juergen Gross (2): x86/asm: Make serialize() always_inline x86/xen: fix SLS mitigation in xen_hypercall_iret() Kairui Song (1): zram: fix potential UAF of zram table Kang Yang (1): wifi: ath10k: avoid NULL pointer error during sdio remove Koichiro Den (1): hrtimers: Handle CPU state correctly on hotplug Kuniyuki Iwashima (2): gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). gtp: Destroy device along with udp socket's netns dismantle. Leo Stone (1): hfs: Sanity check the root record Lizhi Xu (1): mac802154: check local interfaces before deleting sdata list Luis Chamberlain (1): nvmet: propagate npwg topology Manivannan Sadhasivam (1): scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Marco Nelissen (2): iomap: avoid avoid truncating 64-bit offset to 32 bits filemap: avoid truncating 64-bit offset to 32 bits Mark Zhang (1): net/mlx5: Clear port select structure when fail to create Max Kellermann (1): cachefiles: Parse the "secctx" immediately Maíra Canal (1): drm/v3d: Ensure job pointer is set to NULL after job completion Michal Luczaj (1): bpf: Fix bpf_sk_select_reuseport() memory leak Oleg Nesterov (1): poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Paolo Abeni (2): mptcp: be sure to send ack when mptcp-level window re-opens selftests: mptcp: avoid spurious errors on disconnect Patrisious Haddad (1): net/mlx5: Fix RDMA TX steering prio Pratyush Yadav (1): Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" Rik van Riel (1): fs/proc: fix softlockup in __read_vmcore (part 2) Sean Anderson (1): net: xilinx: axienet: Fix IRQ coalescing packet count overflow Srinivasan Shanmugam (1): drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' Stefan Binding (1): ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Stefano Garzarella (4): vsock/virtio: discard packets if the transport changes vsock/virtio: cancel close work in the destructor vsock: reset socket state when de-assigning the transport vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Sudheer Kumar Doredla (1): net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Suraj Sonawane (1): scsi: sg: Fix slab-use-after-free read in sg_release() Terry Tritton (1): Revert "PCI: Use preserve_config in place of pci_flags" Tomas Krcka (1): irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() Ville Syrjälä (1): drm/i915/fb: Relax clear color alignment to 64 bytes Vitaly Prosyak (1): drm/amdgpu: fix usage slab after free Wang Liang (1): net: fix data-races around sk->sk_forward_alloc Wolfram Sang (2): i2c: mux: demux-pinctrl: check initial mux selection, too i2c: rcar: fix NACK handling when being a target Xiaolei Wang (1): pmdomain: imx8mp-blk-ctrl: add missing loop break condition Yogesh Lal (1): irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Youzhong Yang (1): nfsd: add list_head nf_gc to struct nfsd_file Yu Kuai (1): block: fix uaf for flush rq while iterating tags Zhang Kunbo (1): fs: fix missing declaration of init_files Zhongqiu Han (1): gpiolib: cdev: Fix use after free in lineinfo_changed_notify Zhu Yanjun (1): RDMA/rxe: Fix the qp flush warnings in req

3 months, 1 week

1
1
0 0

Linux 5.15.177

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.177 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/rockchip/rk3328.dtsi | 1 arch/riscv/kernel/traps.c | 6 - arch/x86/include/asm/special_insns.h | 2 arch/x86/xen/xen-asm.S | 2 block/bfq-iosched.c | 12 +- drivers/acpi/resource.c | 24 +++- drivers/base/regmap/regmap.c | 12 -- drivers/base/topology.c | 24 +++- drivers/gpio/gpiolib-cdev.c | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 45 ------- drivers/gpu/drm/amd/display/dc/dc.h | 2 drivers/gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 + drivers/gpu/drm/i915/display/intel_fb.c | 2 drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 12 +- drivers/gpu/drm/v3d/v3d_irq.c | 4 drivers/hwmon/tmp513.c | 7 - drivers/i2c/busses/i2c-rcar.c | 20 ++- drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 drivers/iio/adc/ad7124.c | 3 drivers/iio/adc/at91_adc.c | 2 drivers/iio/adc/rockchip_saradc.c | 2 drivers/iio/adc/ti-ads124s08.c | 4 drivers/iio/adc/ti-ads8688.c | 2 drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 drivers/iio/gyro/fxas21002c_core.c | 9 + drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 18 ++- drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 drivers/iio/imu/kmx61.c | 2 drivers/iio/inkern.c | 2 drivers/iio/light/vcnl4035.c | 2 drivers/iio/pressure/zpa2326.c | 2 drivers/irqchip/irq-gic-v3.c | 2 drivers/md/dm-ebs-target.c | 2 drivers/md/dm-thin.c | 5 drivers/md/persistent-data/dm-array.c | 19 ++- drivers/md/raid5.c | 14 +- drivers/mtd/spi-nor/core.c | 2 drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 --- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 95 +++++++++++++--- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 drivers/net/ethernet/ti/cpsw_ale.c | 14 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 + drivers/net/gtp.c | 42 ++++--- drivers/net/ieee802154/ca8210.c | 6 - drivers/nvme/target/io-cmd-bdev.c | 2 drivers/of/address.c | 76 +++++++++---- drivers/of/unittest-data/tests-address.dtsi | 9 + drivers/of/unittest.c | 109 +++++++++++++++++++ drivers/pci/controller/pci-host-common.c | 4 drivers/pci/probe.c | 20 +-- drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 53 +++++++-- drivers/phy/broadcom/phy-brcm-usb-init.h | 1 drivers/phy/broadcom/phy-brcm-usb.c | 8 - drivers/scsi/sg.c | 2 drivers/staging/iio/frequency/ad9832.c | 2 drivers/staging/iio/frequency/ad9834.c | 2 drivers/usb/class/usblp.c | 7 - drivers/usb/core/hub.c | 6 - drivers/usb/core/port.c | 7 - drivers/usb/dwc3/core.h | 1 drivers/usb/dwc3/gadget.c | 4 drivers/usb/gadget/function/f_fs.c | 2 drivers/usb/gadget/function/f_uac2.c | 1 drivers/usb/gadget/function/u_serial.c | 8 - drivers/usb/host/xhci-pci.c | 4 drivers/usb/serial/cp210x.c | 1 drivers/usb/serial/option.c | 4 drivers/usb/storage/unusual_devs.h | 7 + fs/afs/afs.h | 2 fs/afs/afs_vl.h | 1 fs/afs/vl_alias.c | 8 + fs/afs/vlclient.c | 2 fs/ceph/mds_client.c | 9 - fs/exfat/dir.c | 3 fs/exfat/fatent.c | 10 + fs/file.c | 1 fs/hfs/super.c | 4 fs/jbd2/commit.c | 4 fs/ksmbd/smb2pdu.c | 3 fs/nfsd/filecache.c | 18 +-- fs/nfsd/filecache.h | 1 fs/ocfs2/quota_global.c | 2 fs/ocfs2/quota_local.c | 10 - fs/proc/vmcore.c | 2 include/linux/blk-cgroup.h | 6 - include/linux/hrtimer.h | 1 include/linux/mlx5/device.h | 2 include/linux/mlx5/fs.h | 2 include/linux/poll.h | 10 + include/linux/usb.h | 3 include/linux/usb/hcd.h | 2 include/net/inet_connection_sock.h | 2 include/net/net_namespace.h | 3 kernel/cpu.c | 2 kernel/gen_kheaders.sh | 1 kernel/time/hrtimer.c | 11 + mm/filemap.c | 2 net/802/psnap.c | 4 net/core/filter.c | 30 +++-- net/core/net_namespace.c | 31 +++++ net/core/pktgen.c | 6 - net/dccp/ipv6.c | 2 net/ipv6/route.c | 2 net/ipv6/tcp_ipv6.c | 4 net/mac802154/iface.c | 4 net/mptcp/options.c | 12 +- net/mptcp/pm.c | 7 - net/mptcp/protocol.h | 2 net/netfilter/nf_conntrack_core.c | 5 net/netfilter/nf_tables_api.c | 15 +- net/sched/cls_flow.c | 3 net/sctp/sysctl.c | 14 +- net/tls/tls_sw.c | 2 net/vmw_vsock/af_vsock.c | 18 +++ net/vmw_vsock/virtio_transport_common.c | 36 ++++-- scripts/sorttable.h | 6 - sound/soc/mediatek/common/mtk-afe-platform-driver.c | 4 121 files changed, 819 insertions(+), 337 deletions(-) Aharon Landau (1): net/mlx5: Add priorities for counters in RDMA namespaces Akash M (1): usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Al Cooper (1): phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers Andrea della Porta (1): of: address: Preserve the flags portion on 1:1 dma-ranges mapping André Draszik (1): usb: dwc3: gadget: fix writing NYET threshold Antonio Pastor (1): net: 802: LLC+SNAP OID:PID lookup on start of skb data Anumula Murali Mohan Reddy (1): cxgb4: Avoid removal of uninserted tid Arnd Bergmann (1): xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals Artem Chernyshev (1): pktgen: Avoid out-of-bounds access in get_imix_entries Benjamin Coddington (1): tls: Fix tls_sw_sendmsg error handling Carlos Song (1): iio: gyro: fxas21002c: Fix missing data update in trigger handler Chen-Yu Tsai (1): ASoC: mediatek: disable buffer pre-allocation Chukun Pan (1): USB: serial: option: add MeiG Smart SRM815 Dan Carpenter (1): nfp: bpf: prevent integer overflow in nfp_bpf_event_output() David Howells (2): afs: Fix the maximum cell name length kheaders: Ignore silly-rename files David Lechner (1): hwmon: (tmp513) Fix division of negative numbers Dennis Lam (1): ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Eric Dumazet (4): net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute net: add exit_batch_rtnl() method gtp: use exit_batch_rtnl() method ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Fabio Estevam (1): iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Geliang Tang (1): mptcp: drop port parameter of mptcp_pm_add_addr_signal Greg Kroah-Hartman (3): Revert "drm/amdgpu: rework resume handling for display (v2)" Revert "regmap: detach regmap from dev on regmap_exit" Linux 5.15.177 Gui-Dong Han (1): md/raid5: fix atomicity violation in raid5_cache_count Hans de Goede (3): ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] ACPI: resource: acpi_dev_irq_override(): Check DMI match last Heiner Kallweit (1): net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Herve Codina (2): of: address: Fix address translation when address-size is greater than 2 of: address: Remove duplicated functions Jason Xing (1): tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Jason-JH.Lin (1): drm/mediatek: Add support for 180-degree rotation in the display driver Javier Carrasco (6): iio: pressure: zpa2326: fix information leak in triggered buffer iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer iio: light: vcnl4035: fix information leak in triggered buffer iio: imu: kmx61: fix information leak in triggered buffer iio: adc: ti-ads8688: fix information leak in triggered buffer iio: adc: rockchip_saradc: fix information leak in triggered buffer Jean-Baptiste Maneyrol (2): iio: imu: inv_icm42600: fix spi burst write not supported iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Joe Hattori (2): iio: adc: at91: call input_free_device() on allocated iio_dev iio: inkern: call iio_device_put() only on mapped devices Johan Hovold (1): USB: serial: cp210x: add Phoenix Contact UPS Device Joseph Qi (1): ocfs2: correct return value of ocfs2_local_free_info() Juergen Gross (2): x86/asm: Make serialize() always_inline x86/xen: fix SLS mitigation in xen_hypercall_iret() Jun Yan (1): USB: usblp: return error when setting unsupported protocol Justin Chen (3): phy: usb: Toggle the PHY power during init phy: usb: Use slow clock for wake enabled suspend phy: usb: Fix clock imbalance for suspend/resume Kai-Heng Feng (1): USB: core: Disable LPM only for non-suspended ports Kalesh AP (1): bnxt_en: Fix possible memory leak when hwrm_req_replace fails Keisuke Nishimura (1): ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Koichiro Den (1): hrtimers: Handle CPU state correctly on hotplug Krister Johansen (1): dm thin: make get_first_thin use rcu-safe list first function Kuan-Wei Chiu (1): scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Kuniyuki Iwashima (2): gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). gtp: Destroy device along with udp socket's netns dismantle. Leo Stone (1): hfs: Sanity check the root record Li Huafei (1): topology: Keep the cpumask unchanged when printing cpumap Lianqin Hu (1): usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Lizhi Xu (1): mac802154: check local interfaces before deleting sdata list Lubomir Rintel (1): usb-storage: Add max sectors quirk for Nokia 208 Luis Chamberlain (1): nvmet: propagate npwg topology Ma Ke (1): usb: fix reference leak in usb_new_device() Maor Gottlieb (1): net/mlx5: Refactor mlx5_get_flow_namespace Marco Nelissen (1): filemap: avoid truncating 64-bit offset to 32 bits Matthieu Baerts (NGI0) (5): sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy sctp: sysctl: rto_min/max: avoid using current->nsproxy sctp: sysctl: auth_enable: avoid using current->nsproxy sctp: sysctl: udp_port: avoid using current->nsproxy sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy Max Kellermann (1): ceph: give up on paths longer than PATH_MAX Maíra Canal (1): drm/v3d: Ensure job pointer is set to NULL after job completion Melissa Wen (1): drm/amd/display: increase MAX_SURFACES to the value supported by hw Michal Hrusecky (1): USB: serial: option: add Neoway N723-EA support Michal Luczaj (1): bpf: Fix bpf_sk_select_reuseport() memory leak Mikulas Patocka (1): dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY Ming-Hung Tsai (3): dm array: fix releasing a faulty array block twice in dm_array_cursor_end dm array: fix unreleased btree blocks on closing a faulty array cursor dm array: fix cursor index when skipping across block boundaries Nam Cao (1): riscv: Fix sleeping in invalid context in die() Oleg Nesterov (1): poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Pablo Neira Ayuso (2): netfilter: nf_tables: imbalance in flowtable binding netfilter: conntrack: clamp maximum hashtable size to INT_MAX Paolo Abeni (1): mptcp: fix TCP options overflow. Patrisious Haddad (1): net/mlx5: Fix RDMA TX steering prio Peter Geis (1): arm64: dts: rockchip: add hevc power domain clock to rk3328 Prashanth K (1): usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Pratyush Yadav (1): Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" Rik van Riel (1): fs/proc: fix softlockup in __read_vmcore (part 2) Rob Herring (3): of: unittest: Add bus address range parsing tests of/address: Add support for 3 address cell bus of: address: Store number of bus flag cells rather than bool Roman Li (1): drm/amd/display: Add check for granularity in dml ceil/floor helpers Ron Economos (1): Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals Sean Anderson (1): net: xilinx: axienet: Fix IRQ coalescing packet count overflow Stefano Garzarella (4): vsock/virtio: cancel close work in the destructor vsock: reset socket state when de-assigning the transport vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] vsock/virtio: discard packets if the transport changes Sudheer Kumar Doredla (1): net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Suraj Sonawane (1): scsi: sg: Fix slab-use-after-free read in sg_release() Tejun Heo (1): blk-cgroup: Fix UAF in blkcg_unpin_online() Terry Tritton (1): Revert "PCI: Use preserve_config in place of pci_flags" Uwe Kleine-König (1): iio: adc: ad7124: Disable all channels at probe time Ville Syrjälä (1): drm/i915/fb: Relax clear color alignment to 64 bytes Wang Liang (1): net: fix data-races around sk->sk_forward_alloc Wentao Liang (1): ksmbd: fix a missing return value check bug Wolfram Sang (2): i2c: mux: demux-pinctrl: check initial mux selection, too i2c: rcar: fix NACK handling when being a target Yogesh Lal (1): irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Youzhong Yang (1): nfsd: add list_head nf_gc to struct nfsd_file Yu Kuai (1): block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Yuezhang Mo (2): exfat: fix the infinite loop in exfat_readdir() exfat: fix the infinite loop in __exfat_free_cluster() Zhang Kunbo (1): fs: fix missing declaration of init_files Zhang Yi (1): jbd2: flush filesystem device before updating tail sequence Zhongqiu Duan (1): tcp/dccp: allow a connection when sk_max_ack_backlog is zero Zhongqiu Han (1): gpiolib: cdev: Fix use after free in lineinfo_changed_notify Zicheng Qu (2): staging: iio: ad9834: Correct phase range check staging: iio: ad9832: Correct phase range check

3 months, 1 week

1
1
0 0

[PATCH 6.12 000/121] 6.12.11-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.11 release. There are 121 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 24 Jan 2025 09:29:33 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.11-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.11-rc2 Ryan Lee <ryan.lee(a)canonical.com> apparmor: allocate xmatch for nullpdb inside aa_alloc_null Wayne Lin <Wayne.Lin(a)amd.com> drm/amd/display: Validate mdoe under MST LCT=1 case as well Nicholas Susanto <Nicholas.Susanto(a)amd.com> Revert "drm/amd/display: Enable urgent latency adjustments for DCN35" Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Do not wait for PSR disable on vbl enable Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Disable replay and psr while VRR is enabled Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix PSR-SU not support but still call the amdgpu_dm_psr_enable Christian König <christian.koenig(a)amd.com> drm/amdgpu: always sync the GFX pipe on ctx switch Kenneth Feng <kenneth.feng(a)amd.com> drm/amdgpu: disable gfxoff with the compute workload on gfx12 Gui Chengming <Jack.Gui(a)amd.com> drm/amdgpu: fix fw attestation for MP0_14_0_{2/3} Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/smu13: update powersave optimizations Ashutosh Dixit <ashutosh.dixit(a)intel.com> drm/xe/oa: Add missing VISACTL mux registers Matthew Brost <matthew.brost(a)intel.com> drm/xe: Mark ComputeCS read mode as UC on iGPU Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/fb: Relax clear color alignment to 64 bytes Xin Li (Intel) <xin(a)zytor.com> x86/fred: Fix the FRED RSP0 MSR out of sync with its per-CPU cache Frederic Weisbecker <frederic(a)kernel.org> timers/migration: Enforce group initialization visibility to tree walkers Frederic Weisbecker <frederic(a)kernel.org> timers/migration: Fix another race between hotplug and idle entry/exit Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Tomas Krcka <krckatom(a)amazon.de> irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> irqchip: Plug a OF node reference leak in platform_irqchip_probe() Steven Rostedt <rostedt(a)goodmis.org> tracing: gfp: Fix the GFP enum values shown for user space tracing tools Donet Tom <donettom(a)linux.ibm.com> mm: vmscan : pgdemote vmstat is not getting updated when MGLRU is enabled. Ryan Roberts <ryan.roberts(a)arm.com> mm: clear uffd-wp PTE/PMD state on mremap() Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Do not elevate mem_type change to full update Ryan Roberts <ryan.roberts(a)arm.com> selftests/mm: set allocated memory to non-zero content in cow test Guo Weikang <guoweikang.kernel(a)gmail.com> mm/kmemleak: fix percpu memory leak detection failure Xiaolei Wang <xiaolei.wang(a)windriver.com> pmdomain: imx8mp-blk-ctrl: add missing loop break condition Suren Baghdasaryan <surenb(a)google.com> tools: fix atomic_set() definition to set the value correctly Sean Anderson <sean.anderson(a)linux.dev> gpio: xilinx: Convert gpio_lock to raw spinlock Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Marco Nelissen <marco.nelissen(a)gmail.com> filemap: avoid truncating 64-bit offset to 32 bits Paul Fertser <fercerpav(a)gmail.com> net/ncsi: fix locking in Get MAC Address handling Takashi Iwai <tiwai(a)suse.de> drm/nouveau/disp: Fix missing backlight control on Macbook 5,1 Dave Airlie <airlied(a)redhat.com> nouveau/fence: handle cross device fences properly Stefano Garzarella <sgarzare(a)redhat.com> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Stefano Garzarella <sgarzare(a)redhat.com> vsock: reset socket state when de-assigning the transport Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: cancel close work in the destructor Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: discard packets if the transport changes Stefano Garzarella <sgarzare(a)redhat.com> vsock/bpf: return early if transport is not assigned Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Paolo Abeni <pabeni(a)redhat.com> selftests: mptcp: avoid spurious errors on disconnect Paolo Abeni <pabeni(a)redhat.com> mptcp: fix spurious wake-up on under memory pressure Paolo Abeni <pabeni(a)redhat.com> mptcp: be sure to send ack when mptcp-level window re-opens Tomi Valkeinen <tomi.valkeinen+renesas(a)ideasonboard.com> i2c: atr: Fix client detach Kairui Song <kasong(a)tencent.com> zram: fix potential UAF of zram table Luke D. Jones <luke(a)ljones.dev> ALSA: hda/realtek: fixup ASUS H7606W Luke D. Jones <luke(a)ljones.dev> ALSA: hda/realtek: fixup ASUS GA605W Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Juergen Gross <jgross(a)suse.com> x86/asm: Make serialize() always_inline Peter Zijlstra <peterz(a)infradead.org> sched/fair: Fix update_cfs_group() vs DELAY_DEQUEUE Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Tejun Heo <tj(a)kernel.org> sched_ext: Fix dsq_local_on selftest Hongguang Gao <hongguang.gao(a)broadcom.com> RDMA/bnxt_re: Fix to export port num to ib_query_qp David Vernet <void(a)manifault.com> scx: Fix maximal BPF selftest prog Ihor Solodrai <ihor.solodrai(a)pm.me> selftests/sched_ext: fix build after renames in sched_ext API Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Lizhi Xu <lizhi.xu(a)windriver.com> afs: Fix merge preference rule failure condition Marco Nelissen <marco.nelissen(a)gmail.com> iomap: avoid avoid truncating 64-bit offset to 32 bits Henry Huang <henry.hj(a)antgroup.com> sched_ext: keep running prev when prev->scx.slice != 0 Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: acpi_dev_irq_override(): Check DMI match last Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86: ISST: Add Clearwater Forest to support list Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86/intel: power-domains: Add Clearwater Forest support Jakub Kicinski <kuba(a)kernel.org> selftests: tc-testing: reduce rshift value Koichiro Den <koichiro.den(a)canonical.com> gpio: sim: lock up configfs that an instantiated device depends on Koichiro Den <koichiro.den(a)canonical.com> gpio: virtuser: lock up configfs that an instantiated device depends on Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Max Kellermann <max.kellermann(a)ionos.com> cachefiles: Parse the "secctx" immediately David Howells <dhowells(a)redhat.com> netfs: Fix non-contiguous donation between completed reads David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Zhang Kunbo <zhangkunbo(a)huawei.com> fs: fix missing declaration of init_files Brahmajit Das <brahmajit.xyz(a)gmail.com> fs/qnx6: Fix building with GCC 15 Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Paulo Alcantara <pc(a)manguebit.com> smb: client: fix double free of TCP_Server_Info::hostname David Lechner <dlechner(a)baylibre.com> hwmon: (ltc2991) Fix mixed signed/unsigned in DIV_ROUND_CLOSEST Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: testunit: on errors, repeat NACK until STOP Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: rcar: fix NACK handling when being a target Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Pratyush Yadav <pratyush(a)kernel.org> Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" David Lechner <dlechner(a)baylibre.com> hwmon: (tmp513) Fix division of negative numbers Chenyuan Yang <chenyuan0y(a)gmail.com> platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: fix serdev race Chenyuan Yang <chenyuan0y(a)gmail.com> platform/x86: dell-uart-backlight: fix serdev race Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> i2c: core: fix reference leak in i2c_register_adapter() MD Danish Anwar <danishanwar(a)ti.com> soc: ti: pruss: Fix pruss APIs Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> reset: rzg2l-usbphy-ctrl: Assign proper of node to the allocated device Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Add new keep_resv BO param Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Unreserve BO on error Yu-Chun Lin <eleanor15x(a)gmail.com> drm/tests: helpers: Fix compiler warning Jakub Kicinski <kuba(a)kernel.org> netdev: avoid CFI problems with sock priv helpers Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Always start IPsec sequence number from 1 Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Rely on reqid in IPsec tunnel mode Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel Mark Zhang <markzhang(a)nvidia.com> net/mlx5: Clear port select structure when fail to create Chris Mi <cmi(a)nvidia.com> net/mlx5: SF, Fix add port error handling Yishai Hadas <yishaih(a)nvidia.com> net/mlx5: Fix a lockdep warning as part of the write combining test Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix RDMA TX steering prio Pavel Begunkov <asml.silence(a)gmail.com> net: make page_pool_ref_netmem work with net iovs Kevin Groeneveld <kgroeneveld(a)lenbrook.com> net: fec: handle page_pool_dev_alloc_pages error Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix IRQ coalescing packet count overflow Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Move endif to the end of Kconfig file Kuniyuki Iwashima <kuniyu(a)amazon.com> pfcp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Qu Wenruo <wqu(a)suse.com> btrfs: add the missing error handling inside get_canonical_dev_path Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: teo: Update documentation after previous changes Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Add correct PHY lane assignment Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Use ice_adapter for PTP shared data instead of auxdev Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Add ice_get_ctrl_ptp() wrapper to simplify the code Sergey Temerkhanov <sergey.temerkhanov(a)intel.com> ice: Introduce ice_get_phy_model() wrapper Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Fix ETH56G FC-FEC Rx offset value Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Fix quad registers read on E825 Karol Kolacinski <karol.kolacinski(a)intel.com> ice: Fix E825 initialization Artem Chernyshev <artem.chernyshev(a)red-soft.ru> pktgen: Avoid out-of-bounds access in get_imix_entries Ilya Maximets <i.maximets(a)ovn.org> openvswitch: fix lockup on tx to unregistering netdev with carrier Paul Barker <paul.barker.ct(a)bp.renesas.com> net: ravb: Fix max TX frame size for RZ/V2M Jakub Kicinski <kuba(a)kernel.org> eth: bnxt: always recalculate features after XDP clearing, fix null-deref Michal Luczaj <mhal(a)rbox.co> bpf: Fix bpf_sk_select_reuseport() memory leak Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Ard Biesheuvel <ardb(a)kernel.org> efi/zboot: Limit compression options to GZIP and ZSTD ------------- Diffstat: Makefile | 4 +- arch/x86/include/asm/special_insns.h | 2 +- arch/x86/kernel/fred.c | 8 +- drivers/acpi/resource.c | 6 +- drivers/block/zram/zram_drv.c | 1 + drivers/cpufreq/Kconfig | 4 +- drivers/cpuidle/governors/teo.c | 91 +++---- drivers/firmware/efi/Kconfig | 4 - drivers/firmware/efi/libstub/Makefile.zboot | 18 +- drivers/gpio/gpio-sim.c | 48 +++- drivers/gpio/gpio-virtuser.c | 49 +++- drivers/gpio/gpio-xilinx.c | 32 +-- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_fw_attestation.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 4 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 41 ++- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crc.c | 25 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 4 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.h | 2 +- .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 14 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c | 35 ++- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.h | 3 +- .../gpu/drm/amd/display/dc/dml/dcn35/dcn35_fpu.c | 4 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 11 +- drivers/gpu/drm/i915/display/intel_fb.c | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 6 +- drivers/gpu/drm/nouveau/nvkm/engine/disp/mcp77.c | 1 + drivers/gpu/drm/tests/drm_kunit_helpers.c | 3 +- drivers/gpu/drm/v3d/v3d_irq.c | 4 + drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 3 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 3 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 +- drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 1 + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 20 +- drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 7 +- drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 5 +- drivers/gpu/drm/xe/xe_hw_engine.c | 2 +- drivers/gpu/drm/xe/xe_oa.c | 1 + drivers/hwmon/ltc2991.c | 2 +- drivers/hwmon/tmp513.c | 7 +- drivers/i2c/busses/i2c-rcar.c | 20 +- drivers/i2c/i2c-atr.c | 2 +- drivers/i2c/i2c-core-base.c | 1 + drivers/i2c/i2c-slave-testunit.c | 19 +- drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 + drivers/infiniband/hw/bnxt_re/ib_verbs.h | 4 + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 1 + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 + drivers/irqchip/irq-gic-v3-its.c | 2 +- drivers/irqchip/irq-gic-v3.c | 2 +- drivers/irqchip/irqchip.c | 4 +- drivers/mtd/spi-nor/core.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 25 +- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +- drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 7 - drivers/net/ethernet/freescale/fec_main.c | 19 +- drivers/net/ethernet/intel/ice/ice.h | 5 + drivers/net/ethernet/intel/ice/ice_adapter.c | 6 + drivers/net/ethernet/intel/ice/ice_adapter.h | 22 +- drivers/net/ethernet/intel/ice/ice_adminq_cmd.h | 1 + drivers/net/ethernet/intel/ice/ice_common.c | 51 ++++ drivers/net/ethernet/intel/ice/ice_common.h | 1 + drivers/net/ethernet/intel/ice/ice_main.c | 6 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 165 +++++++----- drivers/net/ethernet/intel/ice/ice_ptp.h | 9 +- drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 2 +- drivers/net/ethernet/intel/ice/ice_ptp_hw.c | 285 +++++++++++---------- drivers/net/ethernet/intel/ice/ice_ptp_hw.h | 5 + drivers/net/ethernet/intel/ice/ice_type.h | 2 - .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 22 +- .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 12 +- .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 + .../net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 +- .../net/ethernet/mellanox/mlx5/core/sf/devlink.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/wc.c | 24 +- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/renesas/ravb_main.c | 1 + drivers/net/ethernet/ti/cpsw_ale.c | 14 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 + drivers/net/gtp.c | 26 +- drivers/net/pfcp.c | 15 +- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/platform/x86/dell/dell-uart-backlight.c | 5 +- .../x86/intel/speed_select_if/isst_if_common.c | 1 + drivers/platform/x86/intel/tpmi_power_domains.c | 1 + .../x86/lenovo-yoga-tab2-pro-1380-fastcharger.c | 5 +- drivers/pmdomain/imx/imx8mp-blk-ctrl.c | 2 +- drivers/reset/reset-rzg2l-usbphy-ctrl.c | 1 + drivers/ufs/core/ufshcd.c | 9 +- fs/afs/addr_prefs.c | 6 +- fs/btrfs/volumes.c | 4 + fs/cachefiles/daemon.c | 14 +- fs/cachefiles/internal.h | 3 +- fs/cachefiles/security.c | 6 +- fs/file.c | 1 + fs/hfs/super.c | 4 +- fs/iomap/buffered-io.c | 2 +- fs/netfs/read_collect.c | 9 +- fs/proc/vmcore.c | 2 + fs/qnx6/inode.c | 11 +- fs/smb/client/connect.c | 3 +- include/linux/hrtimer.h | 1 + include/linux/poll.h | 10 +- include/linux/pruss_driver.h | 12 +- include/linux/userfaultfd_k.h | 12 + include/net/page_pool/helpers.h | 2 +- include/trace/events/mmflags.h | 63 +++++ kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/sched/ext.c | 11 +- kernel/sched/fair.c | 6 +- kernel/time/hrtimer.c | 11 +- kernel/time/timer_migration.c | 43 +++- mm/filemap.c | 2 +- mm/huge_memory.c | 12 + mm/hugetlb.c | 14 +- mm/kmemleak.c | 2 +- mm/mremap.c | 32 ++- mm/vmscan.c | 3 + net/core/filter.c | 30 ++- net/core/netdev-genl-gen.c | 14 +- net/core/pktgen.c | 6 +- net/mac802154/iface.c | 4 + net/mptcp/options.c | 6 +- net/mptcp/protocol.h | 9 +- net/ncsi/internal.h | 2 + net/ncsi/ncsi-manage.c | 16 +- net/ncsi/ncsi-rsp.c | 19 +- net/openvswitch/actions.c | 4 +- net/vmw_vsock/af_vsock.c | 18 ++ net/vmw_vsock/virtio_transport_common.c | 38 ++- net/vmw_vsock/vsock_bpf.c | 9 + security/apparmor/policy.c | 1 + sound/pci/hda/patch_realtek.c | 3 + tools/net/ynl/ynl-gen-c.py | 16 +- tools/testing/selftests/mm/cow.c | 8 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 +++- .../selftests/sched_ext/ddsp_bogus_dsq_fail.bpf.c | 2 +- .../selftests/sched_ext/ddsp_vtimelocal_fail.bpf.c | 4 +- .../testing/selftests/sched_ext/dsp_local_on.bpf.c | 7 +- tools/testing/selftests/sched_ext/dsp_local_on.c | 5 +- .../selftests/sched_ext/enq_select_cpu_fails.bpf.c | 2 +- tools/testing/selftests/sched_ext/exit.bpf.c | 4 +- tools/testing/selftests/sched_ext/maximal.bpf.c | 8 +- .../selftests/sched_ext/select_cpu_dfl.bpf.c | 2 +- .../sched_ext/select_cpu_dfl_nodispatch.bpf.c | 2 +- .../selftests/sched_ext/select_cpu_dispatch.bpf.c | 2 +- .../sched_ext/select_cpu_dispatch_bad_dsq.bpf.c | 2 +- .../sched_ext/select_cpu_dispatch_dbl_dsp.bpf.c | 4 +- .../selftests/sched_ext/select_cpu_vtime.bpf.c | 8 +- .../tc-testing/tc-tests/filters/flow.json | 4 +- tools/testing/shared/linux/maple_tree.h | 2 +- tools/testing/vma/linux/atomic.h | 2 +- 157 files changed, 1327 insertions(+), 639 deletions(-)

3 months, 1 week

13
13
0 0

[PATCH 6.6.y] net/mlx5e: Don't call cleanup on profile rollback failure

by Imkanmod Khan

From: Cosmin Ratiu <cratiu(a)nvidia.com> [ Upstream commit 4dbc1d1a9f39c3711ad2a40addca04d07d9ab5d0 ] When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case. This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in _mlx5e_remove. [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? page_fault_oops+0x150/0x400 [ 745.555307] ? exc_page_fault+0x79/0x240 [ 745.555729] ? asm_exc_page_fault+0x22/0x30 [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] [ 745.556698] auxiliary_bus_remove+0x18/0x30 [ 745.557134] device_release_driver_internal+0x1df/0x240 [ 745.557654] bus_remove_device+0xd7/0x140 [ 745.558075] device_del+0x15b/0x3c0 [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core] [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] [ 745.560694] pci_device_remove+0x39/0xa0 [ 745.561112] device_release_driver_internal+0x1df/0x240 [ 745.561631] driver_detach+0x47/0x90 [ 745.562022] bus_remove_driver+0x84/0x100 [ 745.562444] pci_unregister_driver+0x3b/0x90 [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 [ 745.563886] ? kmem_cache_free+0x1b0/0x460 [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 [ 745.564825] do_syscall_64+0x6d/0x140 [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b Fixes: 3ef14e463f6e ("net/mlx5e: Separate between netdev objects and mlx5e profiles initialization") Signed-off-by: Cosmin Ratiu <cratiu(a)nvidia.com> Reviewed-by: Dragos Tatulea <dtatulea(a)nvidia.com> Signed-off-by: Tariq Toukan <tariqt(a)nvidia.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Imkanmod Khan <imkanmodkhan(a)gmail.com> --- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c index 6e431f587c23..b34f57ab9755 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c @@ -6110,7 +6110,9 @@ static void mlx5e_remove(struct auxiliary_device *adev) mlx5e_dcbnl_delete_app(priv); unregister_netdev(priv->netdev); mlx5e_suspend(adev, state); - priv->profile->cleanup(priv); + /* Avoid cleanup if profile rollback failed. */ + if (priv->profile) + priv->profile->cleanup(priv); mlx5e_destroy_netdev(priv); mlx5e_devlink_port_unregister(mlx5e_dev); mlx5e_destroy_devlink(mlx5e_dev); -- 2.25.1

3 months, 1 week

2
1
0 0

[PATCH 5.15 000/127] 5.15.177-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.177 release. There are 127 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 24 Jan 2025 07:38:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.177-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.177-rc2 Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Suraj Sonawane <surajsonawane0215(a)gmail.com> scsi: sg: Fix slab-use-after-free read in sg_release() Juergen Gross <jgross(a)suse.com> x86/xen: fix SLS mitigation in xen_hypercall_iret() Youzhong Yang <youzhong(a)gmail.com> nfsd: add list_head nf_gc to struct nfsd_file Eric Dumazet <edumazet(a)google.com> ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: discard packets if the transport changes Tejun Heo <tj(a)kernel.org> blk-cgroup: Fix UAF in blkcg_unpin_online() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "regmap: detach regmap from dev on regmap_exit" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "drm/amdgpu: rework resume handling for display (v2)" Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: rockchip_saradc: fix information leak in triggered buffer Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix spi burst write not supported Terry Tritton <terry.tritton(a)linaro.org> Revert "PCI: Use preserve_config in place of pci_flags" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/fb: Relax clear color alignment to 64 bytes Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Zhongqiu Han <quic_zhonhan(a)quicinc.com> gpiolib: cdev: Fix use after free in lineinfo_changed_notify Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Marco Nelissen <marco.nelissen(a)gmail.com> filemap: avoid truncating 64-bit offset to 32 bits Stefano Garzarella <sgarzare(a)redhat.com> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Stefano Garzarella <sgarzare(a)redhat.com> vsock: reset socket state when de-assigning the transport Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: cancel close work in the destructor Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Juergen Gross <jgross(a)suse.com> x86/asm: Make serialize() always_inline Kairui Song <kasong(a)tencent.com> zram: fix potential UAF of zram table Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: acpi_dev_irq_override(): Check DMI match last David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Zhang Kunbo <zhangkunbo(a)huawei.com> fs: fix missing declaration of init_files Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: rcar: fix NACK handling when being a target Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Pratyush Yadav <pratyush(a)kernel.org> Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" David Lechner <dlechner(a)baylibre.com> hwmon: (tmp513) Fix division of negative numbers Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix RDMA TX steering prio Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: Refactor mlx5_get_flow_namespace Aharon Landau <aharonl(a)nvidia.com> net/mlx5: Add priorities for counters in RDMA namespaces Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix IRQ coalescing packet count overflow Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Eric Dumazet <edumazet(a)google.com> gtp: use exit_batch_rtnl() method Eric Dumazet <edumazet(a)google.com> net: add exit_batch_rtnl() method Artem Chernyshev <artem.chernyshev(a)red-soft.ru> pktgen: Avoid out-of-bounds access in get_imix_entries Michal Luczaj <mhal(a)rbox.co> bpf: Fix bpf_sk_select_reuseport() memory leak Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Justin Chen <justinpopo6(a)gmail.com> phy: usb: Fix clock imbalance for suspend/resume Justin Chen <justinpopo6(a)gmail.com> phy: usb: Use slow clock for wake enabled suspend Paolo Abeni <pabeni(a)redhat.com> mptcp: fix TCP options overflow. Geliang Tang <geliang.tang(a)suse.com> mptcp: drop port parameter of mptcp_pm_add_addr_signal Dennis Lam <dennis.lamerice(a)gmail.com> ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: correct return value of ocfs2_local_free_info() Justin Chen <justin.chen(a)broadcom.com> phy: usb: Toggle the PHY power during init Al Cooper <alcooperx(a)gmail.com> phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers Andrea della Porta <andrea.porta(a)suse.com> of: address: Preserve the flags portion on 1:1 dma-ranges mapping Rob Herring <robh(a)kernel.org> of: address: Store number of bus flag cells rather than bool Herve Codina <herve.codina(a)bootlin.com> of: address: Remove duplicated functions Herve Codina <herve.codina(a)bootlin.com> of: address: Fix address translation when address-size is greater than 2 Rob Herring <robh(a)kernel.org> of/address: Add support for 3 address cell bus Rob Herring <robh(a)kernel.org> of: unittest: Add bus address range parsing tests Peter Geis <pgwipeout(a)gmail.com> arm64: dts: rockchip: add hevc power domain clock to rk3328 Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> iio: adc: ad7124: Disable all channels at probe time Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: inkern: call iio_device_put() only on mapped devices Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: adc: at91: call input_free_device() on allocated iio_dev Fabio Estevam <festevam(a)gmail.com> iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Carlos Song <carlos.song(a)nxp.com> iio: gyro: fxas21002c: Fix missing data update in trigger handler Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: imu: kmx61: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: vcnl4035: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: pressure: zpa2326: fix information leak in triggered buffer Akash M <akash.m5(a)samsung.com> usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Prashanth K <quic_prashk(a)quicinc.com> usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Ma Ke <make_ruc2021(a)163.com> usb: fix reference leak in usb_new_device() Kai-Heng Feng <kaihengf(a)nvidia.com> USB: core: Disable LPM only for non-suspended ports Jun Yan <jerrysteve1101(a)gmail.com> USB: usblp: return error when setting unsupported protocol Lianqin Hu <hulianqin(a)vivo.com> usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Li Huafei <lihuafei1(a)huawei.com> topology: Keep the cpumask unchanged when printing cpumap André Draszik <andre.draszik(a)linaro.org> usb: dwc3: gadget: fix writing NYET threshold Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add Phoenix Contact UPS Device Lubomir Rintel <lrintel(a)redhat.com> usb-storage: Add max sectors quirk for Nokia 208 Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9832: Correct phase range check Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9834: Correct phase range check Michal Hrusecky <michal.hrusecky(a)turris.com> USB: serial: option: add Neoway N723-EA support Chukun Pan <amadeus(a)jmu.edu.cn> USB: serial: option: add MeiG Smart SRM815 Gui-Dong Han <2045gemini(a)gmail.com> md/raid5: fix atomicity violation in raid5_cache_count Kuan-Wei Chiu <visitorckw(a)gmail.com> scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Kairui Song <kasong(a)tencent.com> zram: fix uninitialized ZRAM not releasing backing device Dominique Martinet <dominique.martinet(a)atmark-techno.com> zram: check comp is non-NULL before calling comp_destroy Sergey Senozhatsky <senozhatsky(a)chromium.org> drivers/block/zram/zram_drv.c: do not keep dangling zcomp pointer after zram reset Melissa Wen <mwen(a)igalia.com> drm/amd/display: increase MAX_SURFACES to the value supported by hw Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Nam Cao <namcao(a)linutronix.de> riscv: Fix sleeping in invalid context in die() Roman Li <Roman.Li(a)amd.com> drm/amd/display: Add check for granularity in dml ceil/floor helpers Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: udp_port: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: auth_enable: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: rto_min/max: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY Krister Johansen <kjlx(a)templeofstupid.com> dm thin: make get_first_thin use rcu-safe list first function David Howells <dhowells(a)redhat.com> afs: Fix the maximum cell name length Wentao Liang <liangwentao(a)iscas.ac.cn> ksmbd: fix a missing return value check bug Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add support for 180-degree rotation in the display driver Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: conntrack: clamp maximum hashtable size to INT_MAX Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: imbalance in flowtable binding Benjamin Coddington <bcodding(a)redhat.com> tls: Fix tls_sw_sendmsg error handling Anumula Murali Mohan Reddy <anumula(a)chelsio.com> cxgb4: Avoid removal of uninserted tid Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix possible memory leak when hwrm_req_replace fails Eric Dumazet <edumazet(a)google.com> net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Zhongqiu Duan <dzq.aishenghu0(a)gmail.com> tcp/dccp: allow a connection when sk_max_ack_backlog is zero Jason Xing <kernelxing(a)tencent.com> tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Antonio Pastor <antonio.pastor(a)gmail.com> net: 802: LLC+SNAP OID:PID lookup on start of skb data Keisuke Nishimura <keisuke.nishimura(a)inria.fr> ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Chen-Yu Tsai <wenst(a)chromium.org> ASoC: mediatek: disable buffer pre-allocation Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in __exfat_free_cluster() Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in exfat_readdir() Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix cursor index when skipping across block boundaries Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix unreleased btree blocks on closing a faulty array cursor Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix releasing a faulty array block twice in dm_array_cursor_end Zhang Yi <yi.zhang(a)huawei.com> jbd2: flush filesystem device before updating tail sequence Max Kellermann <max.kellermann(a)ionos.com> ceph: give up on paths longer than PATH_MAX ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3328.dtsi | 1 + arch/riscv/kernel/traps.c | 6 +- arch/x86/include/asm/special_insns.h | 2 +- arch/x86/xen/xen-asm.S | 2 +- block/bfq-iosched.c | 12 ++- drivers/acpi/resource.c | 24 ++++- drivers/base/regmap/regmap.c | 12 --- drivers/base/topology.c | 24 ++++- drivers/block/zram/zram_drv.c | 24 ++--- drivers/gpio/gpiolib-cdev.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 45 +-------- drivers/gpu/drm/amd/display/dc/dc.h | 2 +- .../gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 ++ drivers/gpu/drm/i915/display/intel_fb.c | 2 +- drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 12 ++- drivers/gpu/drm/v3d/v3d_irq.c | 4 + drivers/hwmon/tmp513.c | 7 +- drivers/i2c/busses/i2c-rcar.c | 20 +++- drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/iio/adc/ad7124.c | 3 + drivers/iio/adc/at91_adc.c | 2 +- drivers/iio/adc/rockchip_saradc.c | 2 + drivers/iio/adc/ti-ads124s08.c | 4 +- drivers/iio/adc/ti-ads8688.c | 2 +- drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 +- drivers/iio/gyro/fxas21002c_core.c | 11 ++- drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 18 +++- drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 +- drivers/iio/imu/kmx61.c | 2 +- drivers/iio/inkern.c | 2 +- drivers/iio/light/vcnl4035.c | 2 +- drivers/iio/pressure/zpa2326.c | 2 + drivers/irqchip/irq-gic-v3.c | 2 +- drivers/md/dm-ebs-target.c | 2 +- drivers/md/dm-thin.c | 5 +- drivers/md/persistent-data/dm-array.c | 19 ++-- drivers/md/raid5.c | 14 +-- drivers/mtd/spi-nor/core.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +--- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 95 ++++++++++++++---- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/ti/cpsw_ale.c | 14 +-- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 ++ drivers/net/gtp.c | 42 ++++---- drivers/net/ieee802154/ca8210.c | 6 +- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/of/address.c | 76 ++++++++++---- drivers/of/unittest-data/tests-address.dtsi | 9 +- drivers/of/unittest.c | 109 +++++++++++++++++++++ drivers/pci/controller/pci-host-common.c | 4 + drivers/pci/probe.c | 20 ++-- drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 53 ++++++++-- drivers/phy/broadcom/phy-brcm-usb-init.h | 1 - drivers/phy/broadcom/phy-brcm-usb.c | 8 +- drivers/scsi/sg.c | 2 +- drivers/staging/iio/frequency/ad9832.c | 2 +- drivers/staging/iio/frequency/ad9834.c | 2 +- drivers/usb/class/usblp.c | 7 +- drivers/usb/core/hub.c | 6 +- drivers/usb/core/port.c | 7 +- drivers/usb/dwc3/core.h | 1 + drivers/usb/dwc3/gadget.c | 4 +- drivers/usb/gadget/function/f_fs.c | 2 +- drivers/usb/gadget/function/f_uac2.c | 1 + drivers/usb/gadget/function/u_serial.c | 8 +- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 4 +- drivers/usb/storage/unusual_devs.h | 7 ++ fs/afs/afs.h | 2 +- fs/afs/afs_vl.h | 1 + fs/afs/vl_alias.c | 8 +- fs/afs/vlclient.c | 2 +- fs/ceph/mds_client.c | 9 +- fs/exfat/dir.c | 3 +- fs/exfat/fatent.c | 10 ++ fs/file.c | 1 + fs/hfs/super.c | 4 +- fs/jbd2/commit.c | 4 +- fs/ksmbd/smb2pdu.c | 3 + fs/nfsd/filecache.c | 18 ++-- fs/nfsd/filecache.h | 1 + fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 10 +- fs/proc/vmcore.c | 2 + include/linux/blk-cgroup.h | 6 +- include/linux/hrtimer.h | 1 + include/linux/mlx5/device.h | 2 + include/linux/mlx5/fs.h | 2 + include/linux/poll.h | 10 +- include/net/inet_connection_sock.h | 2 +- include/net/net_namespace.h | 3 + kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/time/hrtimer.c | 11 ++- mm/filemap.c | 2 +- net/802/psnap.c | 4 +- net/core/filter.c | 30 +++--- net/core/net_namespace.c | 31 +++++- net/core/pktgen.c | 6 +- net/dccp/ipv6.c | 2 +- net/ipv6/route.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mac802154/iface.c | 4 + net/mptcp/options.c | 12 ++- net/mptcp/pm.c | 7 +- net/mptcp/protocol.h | 2 +- net/netfilter/nf_conntrack_core.c | 5 +- net/netfilter/nf_tables_api.c | 15 ++- net/sched/cls_flow.c | 3 +- net/sctp/sysctl.c | 14 +-- net/tls/tls_sw.c | 2 +- net/vmw_vsock/af_vsock.c | 18 ++++ net/vmw_vsock/virtio_transport_common.c | 38 ++++--- scripts/sorttable.h | 6 +- .../soc/mediatek/common/mtk-afe-platform-driver.c | 4 +- 119 files changed, 830 insertions(+), 347 deletions(-)

3 months, 1 week

9
11
0 0

[PATCH] ASoC: da7213: Initialize the mutex

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> Initialize the struct da7213_priv::ctrl_lock mutex. Without it the following stack trace is displayed when rebooting and lockdep is enabled: DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 0 PID: 180 at kernel/locking/mutex.c:564 __mutex_lock+0x254/0x4e4 CPU: 0 UID: 0 PID: 180 Comm: alsactl Not tainted 6.13.0-next-20250123-arm64-renesas-00002-g132083a22d3d #30 Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mutex_lock+0x254/0x4e4 lr : __mutex_lock+0x254/0x4e4 sp : ffff800082c13c00 x29: ffff800082c13c00 x28: ffff00001002b500 x27: 0000000000000000 x26: 0000000000000000 x25: ffff800080b30db4 x24: 0000000000000002 x23: ffff800082c13c70 x22: 0000ffffc2a68a70 x21: ffff000010348000 x20: 0000000000000000 x19: ffff00000be2e488 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 00000000000003c1 x13: 00000000000003c1 x12: 0000000000000000 x11: 0000000000000011 x10: 0000000000001420 x9 : ffff800082c13a70 x8 : 0000000000000001 x7 : ffff800082c13a50 x6 : ffff800082c139e0 x5 : ffff800082c14000 x4 : ffff800082c13a50 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00001002b500 Call trace: __mutex_lock+0x254/0x4e4 (P) mutex_lock_nested+0x20/0x28 da7213_volsw_locked_get+0x34/0x60 snd_ctl_elem_read+0xbc/0x114 snd_ctl_ioctl+0x878/0xa70 __arm64_sys_ioctl+0x94/0xc8 invoke_syscall+0x44/0x104 el0_svc_common.constprop.0+0xb4/0xd4 do_el0_svc+0x18/0x20 el0_svc+0x3c/0xf0 el0t_64_sync_handler+0xc0/0xc4 el0t_64_sync+0x154/0x158 irq event stamp: 7713 hardirqs last enabled at (7713): [<ffff800080170d94>] ktime_get_coarse_real_ts64+0xf0/0x10c hardirqs last disabled at (7712): [<ffff800080170d58>] ktime_get_coarse_real_ts64+0xb4/0x10c softirqs last enabled at (7550): [<ffff8000800179d4>] fpsimd_restore_current_state+0x30/0xb8 softirqs last disabled at (7548): [<ffff8000800179a8>] fpsimd_restore_current_state+0x4/0xb8 ---[ end trace 0000000000000000 ]--- Fixes: 64c3259b5f86 ("ASoC: da7213: Add new kcontrol for tonegen") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- sound/soc/codecs/da7213.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/soc/codecs/da7213.c b/sound/soc/codecs/da7213.c index ca4cc954efa8..eb97ac73ec06 100644 --- a/sound/soc/codecs/da7213.c +++ b/sound/soc/codecs/da7213.c @@ -2203,6 +2203,8 @@ static int da7213_i2c_probe(struct i2c_client *i2c) return ret; } + mutex_init(&da7213->ctrl_lock); + pm_runtime_set_autosuspend_delay(&i2c->dev, 100); pm_runtime_use_autosuspend(&i2c->dev); pm_runtime_set_active(&i2c->dev); -- 2.43.0

3 months, 1 week

2
1
0 0

[PATCH net] ptp: Ensure info->enable callback is always set

by Thomas Weißschuh

The ioctl and sysfs handlers unconditionally call the ->enable callback. Not all drivers implement that callback, leading to NULL dereferences. Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c. Instead use a dummy callback if no better was specified by the driver. Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- drivers/ptp/ptp_clock.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c index b932425ddc6a3789504164a69d1b8eba47da462c..35a5994bf64f6373c08269d63aaeac3f4ab31ff0 100644 --- a/drivers/ptp/ptp_clock.c +++ b/drivers/ptp/ptp_clock.c @@ -217,6 +217,11 @@ static int ptp_getcycles64(struct ptp_clock_info *info, struct timespec64 *ts) return info->gettime64(info, ts); } +static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on) +{ + return -EOPNOTSUPP; +} + static void ptp_aux_kworker(struct kthread_work *work) { struct ptp_clock *ptp = container_of(work, struct ptp_clock, @@ -294,6 +299,9 @@ struct ptp_clock *ptp_clock_register(struct ptp_clock_info *info, ptp->info->getcrosscycles = ptp->info->getcrosststamp; } + if (!ptp->info->enable) + ptp->info->enable = ptp_enable; + if (ptp->info->do_aux_work) { kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker); ptp->kworker = kthread_run_worker(0, "ptp%d", ptp->index); --- base-commit: c4b9570cfb63501638db720f3bee9f6dfd044b82 change-id: 20250122-ptp-enable-831339c62428 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

3 months, 1 week

4
4
0 0

[Internal Review] [Patch] btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()

by Shubham Pushpkar

From: Zhihao Cheng <chengzhihao1(a)huawei.com> commit aec8e6bf839101784f3ef037dcdb9432c3f32343 ("btrfs: fix use-after-free of block device file in __btrfs_free_extra_devids()") Mounting btrfs from two images (which have the same one fsid and two different dev_uuids) in certain executing order may trigger an UAF for variable 'device->bdev_file' in __btrfs_free_extra_devids(). And following are the details: 1. Attach image_1 to loop0, attach image_2 to loop1, and scan btrfs devices by ioctl(BTRFS_IOC_SCAN_DEV): / btrfs_device_1 → loop0 fs_device \ btrfs_device_2 → loop1 2. mount /dev/loop0 /mnt btrfs_open_devices btrfs_device_1->bdev_file = btrfs_get_bdev_and_sb(loop0) btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1) btrfs_fill_super open_ctree fail: btrfs_close_devices // -ENOMEM btrfs_close_bdev(btrfs_device_1) fput(btrfs_device_1->bdev_file) // btrfs_device_1->bdev_file is freed btrfs_close_bdev(btrfs_device_2) fput(btrfs_device_2->bdev_file) 3. mount /dev/loop1 /mnt btrfs_open_devices btrfs_get_bdev_and_sb(&bdev_file) // EIO, btrfs_device_1->bdev_file is not assigned, // which points to a freed memory area btrfs_device_2->bdev_file = btrfs_get_bdev_and_sb(loop1) btrfs_fill_super open_ctree btrfs_free_extra_devids if (btrfs_device_1->bdev_file) fput(btrfs_device_1->bdev_file) // UAF ! Fix it by setting 'device->bdev_file' as 'NULL' after closing the btrfs_device in btrfs_close_one_device(). Fixes: CVE-2024-50217 Fixes: 142388194191 ("btrfs: do not background blkdev_put()") CC: stable(a)vger.kernel.org # 4.19+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=219408 Signed-off-by: Zhihao Cheng <chengzhihao1(a)huawei.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> (cherry picked from commit aec8e6bf839101784f3ef037dcdb9432c3f32343) Signed-off-by: Shubham Pushpkar <spushpka(a)cisco.com> --- fs/btrfs/volumes.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index b9a0b26d08e1..ab2412542ce5 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -1176,6 +1176,7 @@ static void btrfs_close_one_device(struct btrfs_device *device) if (device->bdev) { fs_devices->open_devices--; device->bdev = NULL; + device->bdev_file = NULL; } clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state); btrfs_destroy_dev_zone_info(device); -- 2.35.6

3 months, 1 week

3
3
0 0

[PATCH] drm/amd/display: Check link_index before accessing dc->links[]

by Shubham Pushpkar

From: Alex Hung <alex.hung(a)amd.com> commit 8aa2864044b9d13e95fe224f32e808afbf79ecdf ("drm/amd/display: Check link_index before accessing dc->links[]") [WHY & HOW] dc->links[] has max size of MAX_LINKS and NULL is return when trying to access with out-of-bound index. This fixes 3 OVERRUN and 1 RESOURCE_LEAK issues reported by Coverity. Fixes: CVE-2024-46813 Reviewed-by: Harry Wentland <harry.wentland(a)amd.com> Acked-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 8aa2864044b9d13e95fe224f32e808afbf79ecdf) Signed-off-by: Shubham Pushpkar <spushpka(a)cisco.com> --- drivers/gpu/drm/amd/display/dc/core/dc_link_exports.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_exports.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_exports.c index f365773d5714..b5639e88c581 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc_link_exports.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_exports.c @@ -37,6 +37,9 @@ #include "dce/dce_i2c.h" struct dc_link *dc_get_link_at_index(struct dc *dc, uint32_t link_index) { + if (link_index >= MAX_LINKS) + return NULL; + return dc->links[link_index]; } -- 2.35.6

3 months, 1 week

3
2
0 0

[PATCH v2] Revert v6.2-rc1 and later "ARM: dts: bcm2835-rpi: Use firmware clocks for display"

by H. Nikolaus Schaller

This reverts commit 27ab05e1b7e5c5ec9b4f658e1b2464c0908298a6. I tried to upgrade a RasPi 3B+ with Waveshare 7inch HDMI LCD from 6.1.y to 6.6.y but found that the display is broken with this log message: [ 17.776315] vc4-drm soc:gpu: bound 3f400000.hvs (ops vc4_drm_unregister [vc4]) [ 17.784034] platform 3f806000.vec: deferred probe pending Some tests revealed that while 6.1.y works, 6.2-rc1 is already broken but all newer kernels as well. And a bisect did lead me to this patch. I could repair several versions up to 6.13-rc7 by doing this revert. Newer kernels have just to take care of commit f702475b839c ("ARM: dts: bcm2835-rpi: Move duplicate firmware-clocks to bcm2835-rpi.dtsi") but that is straightforward. Fixes: 27ab05e1b7e5 ("ARM: dts: bcm2835-rpi: Use firmware clocks for display") Signed-off-by: H. Nikolaus Schaller <hns(a)goldelico.com> --- arch/arm/boot/dts/bcm2835-rpi-common.dtsi | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/arch/arm/boot/dts/bcm2835-rpi-common.dtsi b/arch/arm/boot/dts/bcm2835-rpi-common.dtsi index 4e7b4a592da7c..8a55b6cded592 100644 --- a/arch/arm/boot/dts/bcm2835-rpi-common.dtsi +++ b/arch/arm/boot/dts/bcm2835-rpi-common.dtsi @@ -7,23 +7,6 @@ #include <dt-bindings/power/raspberrypi-power.h> -&firmware { - firmware_clocks: clocks { - compatible = "raspberrypi,firmware-clocks"; - #clock-cells = <1>; - }; -}; - -&hdmi { - clocks = <&firmware_clocks 9>, - <&firmware_clocks 13>; - clock-names = "pixel", "hdmi"; -}; - &v3d { power-domains = <&power RPI_POWER_DOMAIN_V3D>; }; - -&vec { - clocks = <&firmware_clocks 15>; -}; -- 2.47.0

3 months, 1 week

4
5
0 0

[PATCH 6.1 00/64] 6.1.127-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.127 release. There are 64 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 24 Jan 2025 07:38:08 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.127-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.127-rc2 Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Juergen Gross <jgross(a)suse.com> x86/xen: fix SLS mitigation in xen_hypercall_iret() Youzhong Yang <youzhong(a)gmail.com> nfsd: add list_head nf_gc to struct nfsd_file Gao Xiang <xiang(a)kernel.org> erofs: handle NONHEAD !delta[1] lclusters gracefully Gao Xiang <xiang(a)kernel.org> erofs: tidy up EROFS on-disk naming Kang Yang <quic_kangyang(a)quicinc.com> wifi: ath10k: avoid NULL pointer error during sdio remove Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "regmap: detach regmap from dev on regmap_exit" Suraj Sonawane <surajsonawane0215(a)gmail.com> scsi: sg: Fix slab-use-after-free read in sg_release() Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rxe: Fix the qp flush warnings in req Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "drm/amdgpu: rework resume handling for display (v2)" Yu Kuai <yukuai3(a)huawei.com> block: fix uaf for flush rq while iterating tags Vitaly Prosyak <vitaly.prosyak(a)amd.com> drm/amdgpu: fix usage slab after free Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: rockchip_saradc: fix information leak in triggered buffer Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix spi burst write not supported Terry Tritton <terry.tritton(a)linaro.org> Revert "PCI: Use preserve_config in place of pci_flags" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/fb: Relax clear color alignment to 64 bytes Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Tomas Krcka <krckatom(a)amazon.de> irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> irqchip: Plug a OF node reference leak in platform_irqchip_probe() Xiaolei Wang <xiaolei.wang(a)windriver.com> pmdomain: imx8mp-blk-ctrl: add missing loop break condition Zhongqiu Han <quic_zhonhan(a)quicinc.com> gpiolib: cdev: Fix use after free in lineinfo_changed_notify Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Marco Nelissen <marco.nelissen(a)gmail.com> filemap: avoid truncating 64-bit offset to 32 bits Stefano Garzarella <sgarzare(a)redhat.com> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Stefano Garzarella <sgarzare(a)redhat.com> vsock: reset socket state when de-assigning the transport Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: cancel close work in the destructor Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: discard packets if the transport changes Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Paolo Abeni <pabeni(a)redhat.com> selftests: mptcp: avoid spurious errors on disconnect Paolo Abeni <pabeni(a)redhat.com> mptcp: be sure to send ack when mptcp-level window re-opens Kairui Song <kasong(a)tencent.com> zram: fix potential UAF of zram table Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Juergen Gross <jgross(a)suse.com> x86/asm: Make serialize() always_inline Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Marco Nelissen <marco.nelissen(a)gmail.com> iomap: avoid avoid truncating 64-bit offset to 32 bits Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: acpi_dev_irq_override(): Check DMI match last Jakub Kicinski <kuba(a)kernel.org> selftests: tc-testing: reduce rshift value Manivannan Sadhasivam <mani(a)kernel.org> scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Max Kellermann <max.kellermann(a)ionos.com> cachefiles: Parse the "secctx" immediately David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Zhang Kunbo <zhangkunbo(a)huawei.com> fs: fix missing declaration of init_files Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: rcar: fix NACK handling when being a target Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Pratyush Yadav <pratyush(a)kernel.org> Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" David Lechner <dlechner(a)baylibre.com> hwmon: (tmp513) Fix division of negative numbers Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Mark Zhang <markzhang(a)nvidia.com> net/mlx5: Clear port select structure when fail to create Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix RDMA TX steering prio Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix IRQ coalescing packet count overflow Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Eric Dumazet <edumazet(a)google.com> gtp: use exit_batch_rtnl() method Eric Dumazet <edumazet(a)google.com> net: add exit_batch_rtnl() method Artem Chernyshev <artem.chernyshev(a)red-soft.ru> pktgen: Avoid out-of-bounds access in get_imix_entries Ilya Maximets <i.maximets(a)ovn.org> openvswitch: fix lockup on tx to unregistering netdev with carrier Michal Luczaj <mhal(a)rbox.co> bpf: Fix bpf_sk_select_reuseport() memory leak Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() ------------- Diffstat: Makefile | 4 +- arch/x86/include/asm/special_insns.h | 2 +- arch/x86/xen/xen-asm.S | 2 +- block/blk-sysfs.c | 6 +- block/genhd.c | 9 +- drivers/acpi/resource.c | 6 +- drivers/base/regmap/regmap.c | 12 -- drivers/block/zram/zram_drv.c | 1 + drivers/gpio/gpiolib-cdev.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 47 +------ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 6 +- .../gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +- drivers/gpu/drm/i915/display/intel_fb.c | 2 +- drivers/gpu/drm/v3d/v3d_irq.c | 4 + drivers/hwmon/tmp513.c | 7 +- drivers/i2c/busses/i2c-rcar.c | 20 ++- drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/iio/adc/rockchip_saradc.c | 2 + drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 18 ++- drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 +- drivers/infiniband/sw/rxe/rxe_req.c | 6 +- drivers/irqchip/irq-gic-v3-its.c | 2 +- drivers/irqchip/irq-gic-v3.c | 2 +- drivers/irqchip/irqchip.c | 4 +- drivers/mtd/spi-nor/core.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +-- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 + .../net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 +- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/ti/cpsw_ale.c | 14 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 + drivers/net/gtp.c | 42 +++--- drivers/net/wireless/ath/ath10k/sdio.c | 4 +- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/pci/controller/pci-host-common.c | 4 + drivers/pci/probe.c | 20 +-- drivers/scsi/sg.c | 2 +- drivers/soc/imx/imx8mp-blk-ctrl.c | 2 +- drivers/ufs/core/ufshcd.c | 9 +- fs/cachefiles/daemon.c | 14 +- fs/cachefiles/internal.h | 3 +- fs/cachefiles/security.c | 6 +- fs/erofs/erofs_fs.h | 143 +++++++++------------ fs/erofs/zmap.c | 133 ++++++++++--------- fs/file.c | 1 + fs/hfs/super.c | 4 +- fs/iomap/buffered-io.c | 2 +- fs/nfsd/filecache.c | 18 +-- fs/nfsd/filecache.h | 1 + fs/proc/vmcore.c | 2 + include/linux/hrtimer.h | 1 + include/linux/poll.h | 10 +- include/net/net_namespace.h | 3 + kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/time/hrtimer.c | 11 +- mm/filemap.c | 2 +- net/core/filter.c | 30 +++-- net/core/net_namespace.c | 31 ++++- net/core/pktgen.c | 6 +- net/dccp/ipv6.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mac802154/iface.c | 4 + net/mptcp/options.c | 6 +- net/openvswitch/actions.c | 4 +- net/vmw_vsock/af_vsock.c | 18 +++ net/vmw_vsock/virtio_transport_common.c | 38 ++++-- sound/pci/hda/patch_realtek.c | 1 + tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 +++++-- .../tc-testing/tc-tests/filters/flow.json | 4 +- 71 files changed, 477 insertions(+), 379 deletions(-)

3 months, 1 week

10
9
0 0

[PATCH] ASoC: acp: Support microphone from Lenovo Go S

by Mario Limonciello

From: Mario Limonciello <mario.limonciello(a)amd.com> On Lenovo Go S there is a DMIC connected to the ACP but the firmware has no `AcpDmicConnected` ACPI _DSD. Add a DMI entry for all possible Lenovo Go S SKUs to enable DMIC. Cc: nijs1(a)lenovo.com Cc: pgriffais(a)valvesoftware.com Cc: mpearson-lenovo(a)squebb.ca Cc: stable(a)vger.kernel.org Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- sound/soc/amd/yc/acp6x-mach.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c index ecf57a6cb7c37..b16587d8f97a8 100644 --- a/sound/soc/amd/yc/acp6x-mach.c +++ b/sound/soc/amd/yc/acp6x-mach.c @@ -304,6 +304,34 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { DMI_MATCH(DMI_PRODUCT_NAME, "83AS"), } }, + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "83L3"), + } + }, + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "83N6"), + } + }, + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "83Q2"), + } + }, + { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"), + } + }, { .driver_data = &acp6x_card, .matches = { -- 2.43.0

3 months, 1 week

2
1
0 0

[tip: timers/urgent] hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING

by tip-bot2 for Frederic Weisbecker

The following commit has been merged into the timers/urgent branch of tip: Commit-ID: b7a110336261147ccb373f4100cc88271c54bd91 Gitweb: https://git.kernel.org/tip/b7a110336261147ccb373f4100cc88271c54bd91 Author: Frederic Weisbecker <frederic(a)kernel.org> AuthorDate: Sat, 18 Jan 2025 00:24:33 +01:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Thu, 23 Jan 2025 11:47:23 +01:00 hrtimers: Force migrate away hrtimers queued after CPUHP_AP_HRTIMERS_DYING hrtimers are migrated away from the dying CPU to any online target at the CPUHP_AP_HRTIMERS_DYING stage in order not to delay bandwidth timers handling tasks involved in the CPU hotplug forward progress. However wakeups can still be performed by the outgoing CPU after CPUHP_AP_HRTIMERS_DYING. Those can result again in bandwidth timers being armed. Depending on several considerations (crystal ball power management based election, earliest timer already enqueued, timer migration enabled or not), the target may eventually be the current CPU even if offline. If that happens, the timer is eventually ignored. The most notable example is RCU which had to deal with each and every of those wake-ups by deferring them to an online CPU, along with related workarounds: _ e787644caf76 (rcu: Defer RCU kthreads wakeup when CPU is dying) _ 9139f93209d1 (rcu/nocb: Fix RT throttling hrtimer armed from offline CPU) _ f7345ccc62a4 (rcu/nocb: Fix rcuog wake-up from offline softirq) The problem isn't confined to RCU though as the stop machine kthread (which runs CPUHP_AP_HRTIMERS_DYING) reports its completion at the end of its work through cpu_stop_signal_done() and performs a wake up that eventually arms the deadline server timer: WARNING: CPU: 94 PID: 588 at kernel/time/hrtimer.c:1086 hrtimer_start_range_ns+0x289/0x2d0 CPU: 94 UID: 0 PID: 588 Comm: migration/94 Not tainted Stopper: multi_cpu_stop+0x0/0x120 <- stop_machine_cpuslocked+0x66/0xc0 RIP: 0010:hrtimer_start_range_ns+0x289/0x2d0 Call Trace: <TASK> start_dl_timer enqueue_dl_entity dl_server_start enqueue_task_fair enqueue_task ttwu_do_activate try_to_wake_up complete cpu_stopper_thread Instead of providing yet another bandaid to work around the situation, fix it in the hrtimers infrastructure instead: always migrate away a timer to an online target whenever it is enqueued from an offline CPU. This will also allow to revert all the above RCU disgraceful hacks. Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") Reported-by: Vlad Poenaru <vlad.wing(a)gmail.com> Reported-by: Usama Arif <usamaarif642(a)gmail.com> Signed-off-by: Frederic Weisbecker <frederic(a)kernel.org> Signed-off-by: Paul E. McKenney <paulmck(a)kernel.org> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Tested-by: Paul E. McKenney <paulmck(a)kernel.org> Link: https://lore.kernel.org/all/20250117232433.24027-1-frederic@kernel.org Closes: 20241213203739.1519801-1-usamaarif642(a)gmail.com --- include/linux/hrtimer_defs.h | 1 +- kernel/time/hrtimer.c | 103 +++++++++++++++++++++++++++------- 2 files changed, 83 insertions(+), 21 deletions(-) diff --git a/include/linux/hrtimer_defs.h b/include/linux/hrtimer_defs.h index c3b4b7e..84a5045 100644 --- a/include/linux/hrtimer_defs.h +++ b/include/linux/hrtimer_defs.h @@ -125,6 +125,7 @@ struct hrtimer_cpu_base { ktime_t softirq_expires_next; struct hrtimer *softirq_next_timer; struct hrtimer_clock_base clock_base[HRTIMER_MAX_CLOCK_BASES]; + call_single_data_t csd; } ____cacheline_aligned; diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c index 14bd09c..0feb38b 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c @@ -58,6 +58,8 @@ #define HRTIMER_ACTIVE_SOFT (HRTIMER_ACTIVE_HARD << MASK_SHIFT) #define HRTIMER_ACTIVE_ALL (HRTIMER_ACTIVE_SOFT | HRTIMER_ACTIVE_HARD) +static void retrigger_next_event(void *arg); + /* * The timer bases: * @@ -111,7 +113,8 @@ DEFINE_PER_CPU(struct hrtimer_cpu_base, hrtimer_bases) = .clockid = CLOCK_TAI, .get_time = &ktime_get_clocktai, }, - } + }, + .csd = CSD_INIT(retrigger_next_event, NULL) }; static const int hrtimer_clock_to_base_table[MAX_CLOCKS] = { @@ -124,6 +127,14 @@ static const int hrtimer_clock_to_base_table[MAX_CLOCKS] = { [CLOCK_TAI] = HRTIMER_BASE_TAI, }; +static inline bool hrtimer_base_is_online(struct hrtimer_cpu_base *base) +{ + if (!IS_ENABLED(CONFIG_HOTPLUG_CPU)) + return true; + else + return likely(base->online); +} + /* * Functions and macros which are different for UP/SMP systems are kept in a * single place @@ -183,27 +194,54 @@ struct hrtimer_clock_base *lock_hrtimer_base(const struct hrtimer *timer, } /* - * We do not migrate the timer when it is expiring before the next - * event on the target cpu. When high resolution is enabled, we cannot - * reprogram the target cpu hardware and we would cause it to fire - * late. To keep it simple, we handle the high resolution enabled and - * disabled case similar. + * Check if the elected target is suitable considering its next + * event and the hotplug state of the current CPU. + * + * If the elected target is remote and its next event is after the timer + * to queue, then a remote reprogram is necessary. However there is no + * guarantee the IPI handling the operation would arrive in time to meet + * the high resolution deadline. In this case the local CPU becomes a + * preferred target, unless it is offline. + * + * High and low resolution modes are handled the same way for simplicity. * * Called with cpu_base->lock of target cpu held. */ -static int -hrtimer_check_target(struct hrtimer *timer, struct hrtimer_clock_base *new_base) +static bool hrtimer_suitable_target(struct hrtimer *timer, struct hrtimer_clock_base *new_base, + struct hrtimer_cpu_base *new_cpu_base, + struct hrtimer_cpu_base *this_cpu_base) { ktime_t expires; + /* + * The local CPU clockevent can be reprogrammed. Also get_target_base() + * guarantees it is online. + */ + if (new_cpu_base == this_cpu_base) + return true; + + /* + * The offline local CPU can't be the default target if the + * next remote target event is after this timer. Keep the + * elected new base. An IPI will we issued to reprogram + * it as a last resort. + */ + if (!hrtimer_base_is_online(this_cpu_base)) + return true; + expires = ktime_sub(hrtimer_get_expires(timer), new_base->offset); - return expires < new_base->cpu_base->expires_next; + + return expires >= new_base->cpu_base->expires_next; } -static inline -struct hrtimer_cpu_base *get_target_base(struct hrtimer_cpu_base *base, - int pinned) +static inline struct hrtimer_cpu_base *get_target_base(struct hrtimer_cpu_base *base, int pinned) { + if (!hrtimer_base_is_online(base)) { + int cpu = cpumask_any_and(cpu_online_mask, housekeeping_cpumask(HK_TYPE_TIMER)); + + return &per_cpu(hrtimer_bases, cpu); + } + #if defined(CONFIG_SMP) && defined(CONFIG_NO_HZ_COMMON) if (static_branch_likely(&timers_migration_enabled) && !pinned) return &per_cpu(hrtimer_bases, get_nohz_timer_target()); @@ -254,8 +292,8 @@ again: raw_spin_unlock(&base->cpu_base->lock); raw_spin_lock(&new_base->cpu_base->lock); - if (new_cpu_base != this_cpu_base && - hrtimer_check_target(timer, new_base)) { + if (!hrtimer_suitable_target(timer, new_base, new_cpu_base, + this_cpu_base)) { raw_spin_unlock(&new_base->cpu_base->lock); raw_spin_lock(&base->cpu_base->lock); new_cpu_base = this_cpu_base; @@ -264,8 +302,7 @@ again: } WRITE_ONCE(timer->base, new_base); } else { - if (new_cpu_base != this_cpu_base && - hrtimer_check_target(timer, new_base)) { + if (!hrtimer_suitable_target(timer, new_base, new_cpu_base, this_cpu_base)) { new_cpu_base = this_cpu_base; goto again; } @@ -716,8 +753,6 @@ static inline int hrtimer_is_hres_enabled(void) return hrtimer_hres_enabled; } -static void retrigger_next_event(void *arg); - /* * Switch to high resolution mode */ @@ -1205,6 +1240,7 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, u64 delta_ns, const enum hrtimer_mode mode, struct hrtimer_clock_base *base) { + struct hrtimer_cpu_base *this_cpu_base = this_cpu_ptr(&hrtimer_bases); struct hrtimer_clock_base *new_base; bool force_local, first; @@ -1216,10 +1252,16 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, * and enforce reprogramming after it is queued no matter whether * it is the new first expiring timer again or not. */ - force_local = base->cpu_base == this_cpu_ptr(&hrtimer_bases); + force_local = base->cpu_base == this_cpu_base; force_local &= base->cpu_base->next_timer == timer; /* + * Don't force local queuing if this enqueue happens on a unplugged + * CPU after hrtimer_cpu_dying() has been invoked. + */ + force_local &= this_cpu_base->online; + + /* * Remove an active timer from the queue. In case it is not queued * on the current CPU, make sure that remove_hrtimer() updates the * remote data correctly. @@ -1248,8 +1290,27 @@ static int __hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, } first = enqueue_hrtimer(timer, new_base, mode); - if (!force_local) - return first; + if (!force_local) { + /* + * If the current CPU base is online, then the timer is + * never queued on a remote CPU if it would be the first + * expiring timer there. + */ + if (hrtimer_base_is_online(this_cpu_base)) + return first; + + /* + * Timer was enqueued remote because the current base is + * already offline. If the timer is the first to expire, + * kick the remote CPU to reprogram the clock event. + */ + if (first) { + struct hrtimer_cpu_base *new_cpu_base = new_base->cpu_base; + + smp_call_function_single_async(new_cpu_base->cpu, &new_cpu_base->csd); + } + return 0; + } /* * Timer was forced to stay on the current CPU to avoid

3 months, 1 week

1
0
0 0

[PATCH 6.1.y] block: fix integer overflow in BLKSECDISCARD

by Rajani kantha

From: Alexey Dobriyan <adobriyan(a)gmail.com> [ upstream commit 697ba0b6ec4ae04afb67d3911799b5e2043b4455 ] I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com> Link: https://lore.kernel.org/r/9e64057f-650a-46d1-b9f7-34af391536ef@p183 Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Rajani Kantha <rajanikantha(a)engineer.com> --- block/ioctl.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/block/ioctl.c b/block/ioctl.c index c7390d8c9fc7..552da0ccbec0 100644 --- a/block/ioctl.c +++ b/block/ioctl.c @@ -115,7 +115,7 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode, return -EINVAL; filemap_invalidate_lock(inode->i_mapping); - err = truncate_bdev_range(bdev, mode, start, start + len - 1); + err = truncate_bdev_range(bdev, mode, start, end - 1); if (err) goto fail; err = blkdev_issue_discard(bdev, start >> 9, len >> 9, GFP_KERNEL); @@ -127,7 +127,7 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode, static int blk_ioctl_secure_erase(struct block_device *bdev, fmode_t mode, void __user *argp) { - uint64_t start, len; + uint64_t start, len, end; uint64_t range[2]; int err; @@ -142,11 +142,12 @@ static int blk_ioctl_secure_erase(struct block_device *bdev, fmode_t mode, len = range[1]; if ((start & 511) || (len & 511)) return -EINVAL; - if (start + len > bdev_nr_bytes(bdev)) + if (check_add_overflow(start, len, &end) || + end > bdev_nr_bytes(bdev)) return -EINVAL; filemap_invalidate_lock(bdev->bd_inode->i_mapping); - err = truncate_bdev_range(bdev, mode, start, start + len - 1); + err = truncate_bdev_range(bdev, mode, start, end - 1); if (!err) err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9, GFP_KERNEL); -- 2.35.3

3 months, 1 week

1
0
0 0

[PATCH 6.6.y] block: fix integer overflow in BLKSECDISCARD

by Rajani kantha

From: Alexey Dobriyan <adobriyan(a)gmail.com> [ upstream commit 697ba0b6ec4ae04afb67d3911799b5e2043b4455 ] I independently rediscovered commit 22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 block: fix overflow in blk_ioctl_discard() but for secure erase. Same problem: uint64_t r[2] = {512, 18446744073709551104ULL}; ioctl(fd, BLKSECDISCARD, r); will enter near infinite loop inside blkdev_issue_secure_erase(): a.out: attempt to access beyond end of device loop0: rw=5, sector=3399043073, nr_sectors = 1024 limit=2048 bio_check_eod: 3286214 callbacks suppressed Signed-off-by: Alexey Dobriyan <adobriyan(a)gmail.com> Link: https://lore.kernel.org/r/9e64057f-650a-46d1-b9f7-34af391536ef@p183 Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Rajani Kantha <rajanikantha(a)engineer.com> --- block/ioctl.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/block/ioctl.c b/block/ioctl.c index 378603334284..231537f79a8c 100644 --- a/block/ioctl.c +++ b/block/ioctl.c @@ -115,7 +115,7 @@ static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode, return -EINVAL; filemap_invalidate_lock(inode->i_mapping); - err = truncate_bdev_range(bdev, mode, start, start + len - 1); + err = truncate_bdev_range(bdev, mode, start, end - 1); if (err) goto fail; err = blkdev_issue_discard(bdev, start >> 9, len >> 9, GFP_KERNEL); @@ -127,7 +127,7 @@ static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode, static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode, void __user *argp) { - uint64_t start, len; + uint64_t start, len, end; uint64_t range[2]; int err; @@ -142,11 +142,12 @@ static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode, len = range[1]; if ((start & 511) || (len & 511)) return -EINVAL; - if (start + len > bdev_nr_bytes(bdev)) + if (check_add_overflow(start, len, &end) || + end > bdev_nr_bytes(bdev)) return -EINVAL; filemap_invalidate_lock(bdev->bd_inode->i_mapping); - err = truncate_bdev_range(bdev, mode, start, start + len - 1); + err = truncate_bdev_range(bdev, mode, start, end - 1); if (!err) err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9, GFP_KERNEL); -- 2.35.3

3 months, 1 week

1
0
0 0

[PATCH 6.6.y] cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value

by Rajani kantha

From: Anastasia Belova <abelova(a)astralinux.ru> [ upstream commit 5493f9714e4cdaf0ee7cec15899a231400cb1a9f ] cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> Reviewed-by: Perry Yuan <perry.yuan(a)amd.com> Signed-off-by: Viresh Kumar <viresh.kumar(a)linaro.org> <Raj: on 6.6, there don't have function amd_pstate_update_limits() so applied the NULL checking in amd_pstate_adjust_perf() only> Signed-off-by: Rajani Kantha <rajanikantha(a)engineer.com> --- drivers/cpufreq/amd-pstate.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c index cdead37d0823..a64baa97e358 100644 --- a/drivers/cpufreq/amd-pstate.c +++ b/drivers/cpufreq/amd-pstate.c @@ -579,8 +579,13 @@ static void amd_pstate_adjust_perf(unsigned int cpu, unsigned long max_perf, min_perf, des_perf, cap_perf, lowest_nonlinear_perf, max_freq; struct cpufreq_policy *policy = cpufreq_cpu_get(cpu); - struct amd_cpudata *cpudata = policy->driver_data; unsigned int target_freq; + struct amd_cpudata *cpudata; + + if (!policy) + return; + + cpudata = policy->driver_data; if (policy->min != cpudata->min_limit_freq || policy->max != cpudata->max_limit_freq) amd_pstate_update_min_max_limit(policy); -- 2.35.3

3 months, 1 week

1
1
0 0

SPI regression seen on ARM am335x in kernel 6.12.8 and 6.6.71

by Lars Pedersen

Hi. We have discovered an SPI regression when upgrading from 6.1.99 to a newer LTS version. Same error on kernel 6.6.71 and 6.12.8. I think we have identified the problem down to the reference clock calculation that seems to end up to zero in the spi-omap2-mcspi driver. Also we think it relates to commit 4c6ac5446d060f0bf435ccc8bc3aa7b7b5f718ad, where OMAP2_MCSPI_MAX_FREQ is used as fallback on error. In our case it seems to hit the else case. Snippets for device tree, spi-omap2-mcspi driver and kernel divide by zero error log with dynamic debug enabled. /Lars Pedersen diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c index 67441b2cd603..8fedfc7db1fa 100644 --- a/drivers/spi/spi-omap2-mcspi.c +++ b/drivers/spi/spi-omap2-mcspi.c @@ -1559,12 +1559,13 @@ static int omap2_mcspi_probe(struct platform_device *pdev) dev_err(&pdev->dev, "Cannot request IRQ"); goto free_ctlr; } - + dev_dbg(&pdev->dev, "DEBUG_EXTRA pre calc\n"); mcspi->ref_clk = devm_clk_get_optional_enabled(&pdev->dev, NULL); if (IS_ERR(mcspi->ref_clk)) mcspi->ref_clk_hz = OMAP2_MCSPI_MAX_FREQ; else mcspi->ref_clk_hz = clk_get_rate(mcspi->ref_clk); + dev_dbg(&pdev->dev, "DEBUG_EXTRA: ref_clk_hz %d\n", mcspi->ref_clk_hz); ctlr->max_speed_hz = mcspi->ref_clk_hz; ctlr->min_speed_hz = mcspi->ref_clk_hz >> 15; ---8<--- /dts-v1/; #include "am33xx.dtsi" #include <dt-bindings/interrupt-controller/irq.h> ... &spi0 { status = "okay"; pinctrl-names = "default"; pinctrl-0 = <&spi0_pins_default>; ti,spi-num-cs = <1>; flash@0 { compatible = "jedec,spi-nor"; reg = <0>; spi-tx-bus-width = <1>; spi-rx-bus-width = <1>; spi-max-frequency = <10000000>; partitions { compatible = "fixed-partitions"; #address-cells = <1>; #size-cells = <1>; partition@0 { reg = <0x0 0x1f00000>; label = "radio-program"; }; partition@1f00000 { reg = <0x1f00000 0xe0000>; label = "linux-data"; read-only; }; partition@1fe0000 { reg = <0x1fe0000 0x10000>; label = "radio-config"; read-only; }; partition@1ff0000 { reg = <0x1ff0000 0x10000>; label = "baseband-config"; read-only; }; }; }; }; ---8<--- Jan 16 11:30:53 ptxdist kernel: omap2_mcspi 48030000.spi: DEBUG_EXTRA pre calc Jan 16 11:30:54 ptxdist kernel: omap2_mcspi 48030000.spi: DEBUG_EXTRA: ref_clk_hz 0 Jan 16 11:30:54 ptxdist kernel: omap2_mcspi 48030000.spi: registered host spi0 Jan 16 11:30:54 ptxdist kernel: Division by zero in kernel. Jan 16 11:30:54 ptxdist kernel: CPU: 0 UID: 0 PID: 161 Comm: (udev-worker) Not tainted 6.12.8 #1 Jan 16 11:30:54 ptxdist kernel: Hardware name: Generic AM33XX (Flattened Device Tree) Jan 16 11:30:54 ptxdist kernel: Call trace: Jan 16 11:30:54 ptxdist kernel: dump_backtrace from show_stack+0x20/0x38 Jan 16 11:30:54 ptxdist kernel: r7:c4a7ff00 r6:c0cef6bc r5:00000000 r4:600f0113 Jan 16 11:30:54 ptxdist kernel: show_stack from dump_stack_lvl+0x40/0x78 Jan 16 11:30:54 ptxdist kernel: dump_stack_lvl from dump_stack+0x18/0x28 Jan 16 11:30:54 ptxdist kernel: r7:c4a7ff00 r6:00000008 r5:c477dbc0 r4:c4a7ec00 Jan 16 11:30:54 ptxdist kernel: dump_stack from __div0+0x24/0x34 Jan 16 11:30:54 ptxdist kernel: __div0 from Ldiv0+0x8/0x10 Jan 16 11:30:54 ptxdist kernel: omap2_mcspi_setup_transfer [spi_omap2_mcspi] from omap2_mcspi_setup+0x134/0x20c [spi_omap2_mcspi] Jan 16 11:30:54 ptxdist kernel: r9:c4a7ff28 r8:c477dbd0 r7:c4a7ff00 r6:c4a7ec00 r5:c2572c10 r4:00000001 Jan 16 11:30:54 ptxdist kernel: omap2_mcspi_setup [spi_omap2_mcspi] from spi_setup+0x124/0x4f8 Jan 16 11:30:54 ptxdist kernel: r9:c4a7edaf r8:00000000 r7:c2572c10 r6:c4a7fc00 r5:00000000 r4:c4a7ec00 Jan 16 11:30:54 ptxdist kernel: spi_setup from __spi_add_device+0x15c/0x300 Jan 16 11:30:54 ptxdist kernel: r6:c4a7fc00 r5:c4a7ec00 r4:c4a7ed9f Jan 16 11:30:54 ptxdist kernel: __spi_add_device from of_register_spi_devices+0x74/0x1a8 Jan 16 11:30:54 ptxdist kernel: r10:c0fe67cc r9:c4a7fd98 r8:c4a7fdd4 r7:c4a7ec00 r6:c4a7fc00 r5:00000000 Jan 16 11:30:54 ptxdist kernel: r4:cfce0df4 Jan 16 11:30:54 ptxdist kernel: of_register_spi_devices from spi_register_controller+0x3d0/0x4d0 Jan 16 11:30:54 ptxdist kernel: r9:c4a7fd98 r8:c0fe67d4 r7:c4a7fda0 r6:00000000 r5:c0fe67d4 r4:c4a7fc00 Jan 16 11:30:54 ptxdist kernel: spi_register_controller from devm_spi_register_controller+0x54/0xbc Jan 16 11:30:54 ptxdist kernel: r10:bf006108 r9:c2572c10 r8:c4a7fc00 r7:c2572c10 r6:c4a7fc00 r5:c4a7ff00 Jan 16 11:30:54 ptxdist kernel: r4:c46cd2c0 Jan 16 11:30:54 ptxdist kernel: devm_spi_register_controller from omap2_mcspi_probe+0x51c/0x5cc [spi_omap2_mcspi] Jan 16 11:30:54 ptxdist kernel: r7:c4a7fc00 r6:c2572c10 r5:c4a7ff00 r4:c2572c10 Jan 16 11:30:54 ptxdist kernel: omap2_mcspi_probe [spi_omap2_mcspi] from platform_probe+0x6c/0xd0 Jan 16 11:30:54 ptxdist kernel: r10:d0481ed0 r9:00000001 r8:00000000 r7:c1028ef8 r6:bf004014 r5:c2572c10 Jan 16 11:30:54 ptxdist kernel: r4:00000000 Jan 16 11:30:54 ptxdist kernel: platform_probe from really_probe+0xf0/0x3ec Jan 16 11:30:54 ptxdist kernel: r7:c1028ef8 r6:bf004014 r5:00000000 r4:c2572c10 Jan 16 11:30:54 ptxdist kernel: really_probe from __driver_probe_device+0xac/0x13c Jan 16 11:30:54 ptxdist kernel: r8:c27a50b4 r7:0000007d r6:c2572c10 r5:bf004014 r4:c2572c10 Jan 16 11:30:54 ptxdist kernel: __driver_probe_device from driver_probe_device+0x40/0xe4 Jan 16 11:30:54 ptxdist kernel: r5:bf004014 r4:c1071d9c Jan 16 11:30:54 ptxdist kernel: driver_probe_device from __driver_attach+0x154/0x204 Jan 16 11:30:54 ptxdist kernel: r7:00000000 r6:c2572c54 r5:bf004014 r4:c2572c10 Jan 16 11:30:54 ptxdist kernel: __driver_attach from bus_for_each_dev+0x8c/0xf0 Jan 16 11:30:54 ptxdist kernel: r7:00000000 r6:c20e96c0 r5:c06404ec r4:bf004014 Jan 16 11:30:54 ptxdist kernel: bus_for_each_dev from driver_attach+0x2c/0x44 Jan 16 11:30:54 ptxdist kernel: r7:c20e96c0 r6:00000000 r5:c27a5080 r4:bf004014 Jan 16 11:30:54 ptxdist kernel: driver_attach from bus_add_driver+0x104/0x244 Jan 16 11:30:54 ptxdist kernel: bus_add_driver from driver_register+0x8c/0x164 Jan 16 11:30:54 ptxdist kernel: r8:00000000 r7:bf004100 r6:c101f840 r5:a7ac7714 r4:bf004014 Jan 16 11:30:54 ptxdist kernel: driver_register from __platform_driver_register+0x2c/0x40 Jan 16 11:30:54 ptxdist kernel: r5:a7ac7714 r4:c0fac2fc Jan 16 11:30:54 ptxdist kernel: __platform_driver_register from omap2_mcspi_driver_init+0x38/0x1000 [spi_omap2_mcspi] Jan 16 11:30:54 ptxdist kernel: omap2_mcspi_driver_init [spi_omap2_mcspi] from do_one_initcall+0x68/0x2b8 Jan 16 11:30:54 ptxdist kernel: r5:c2a95800 r4:bf008000 Jan 16 11:30:54 ptxdist kernel: do_one_initcall from do_init_module+0x64/0x218 Jan 16 11:30:54 ptxdist kernel: r8:bf004100 r7:bf004100 r6:c477d240 r5:00000000 r4:bf004100 Jan 16 11:30:54 ptxdist kernel: do_init_module from load_module+0x7e4/0xa18 Jan 16 11:30:54 ptxdist kernel: r6:00000000 r5:00000000 r4:00000000 Jan 16 11:30:54 ptxdist kernel: load_module from init_module_from_file+0xa4/0xec Jan 16 11:30:54 ptxdist kernel: r10:c477c080 r9:c1054a48 r8:c477c080 r7:c1054a38 r6:b5b1d7f0 r5:c477c080 Jan 16 11:30:54 ptxdist kernel: r4:00000000 Jan 16 11:30:54 ptxdist kernel: init_module_from_file from sys_finit_module+0x244/0x39c Jan 16 11:30:54 ptxdist kernel: r6:00000001 r5:000000f4 r4:c2a95800 Jan 16 11:30:54 ptxdist kernel: sys_finit_module from __sys_trace_return+0x0/0x10 Jan 16 11:30:54 ptxdist kernel: Exception stack(0xd0481fa8 to 0xd0481ff0) Jan 16 11:30:54 ptxdist kernel: 1fa0: 14cb6a00 00000000 0000001a b5b1d7f0 00000000 00000000 Jan 16 11:30:54 ptxdist kernel: 1fc0: 14cb6a00 00000000 00826358 0000017b 008456d0 b6f75934 b5b1739d 00000000 Jan 16 11:30:54 ptxdist kernel: 1fe0: bee9d538 bee9d528 b5b16643 b6c5d262 Jan 16 11:30:54 ptxdist kernel: r10:0000017b r9:c2a95800 r8:c01002c4 r7:0000017b r6:00826358 r5:00000000 Jan 16 11:30:54 ptxdist kernel: r4:14cb6a00 Jan 16 11:30:54 ptxdist kernel: Division by zero in kernel. Jan 16 11:30:54 ptxdist kernel: CPU: 0 UID: 0 PID: 161 Comm: (udev-worker) Not tainted 6.12.8 #1 Jan 16 11:30:54 ptxdist kernel: Hardware name: Generic AM33XX (Flattened Device Tree) Jan 16 11:30:54 ptxdist kernel: Call trace: Jan 16 11:30:54 ptxdist kernel: dump_backtrace from show_stack+0x20/0x38 Jan 16 11:30:54 ptxdist kernel: r7:c4a7ff00 r6:c0cef6bc r5:00000000 r4:600f0113 Jan 16 11:30:54 ptxdist kernel: show_stack from dump_stack_lvl+0x40/0x78 Jan 16 11:30:54 ptxdist kernel: dump_stack_lvl from dump_stack+0x18/0x28 Jan 16 11:30:54 ptxdist kernel: r7:c4a7ff00 r6:00000008 r5:c477dbc0 r4:c4a7ec00 Jan 16 11:30:54 ptxdist kernel: dump_stack from __div0+0x24/0x34 Jan 16 11:30:54 ptxdist kernel: __div0 from Ldiv0+0x8/0x10 Jan 16 11:30:54 ptxdist kernel: omap2_mcspi_setup_transfer [spi_omap2_mcspi] from omap2_mcspi_setup+0x134/0x20c [spi_omap2_mcspi] Jan 16 11:30:54 ptxdist kernel: r9:c4a7ff28 r8:c477dbd0 r7:c4a7ff00 r6:c4a7ec00 r5:c2572c10 r4:00000001 Jan 16 11:30:54 ptxdist kernel: omap2_mcspi_setup [spi_omap2_mcspi] from spi_setup+0x124/0x4f8 Jan 16 11:30:54 ptxdist kernel: r9:c4a7edaf r8:00000000 r7:c2572c10 r6:c4a7fc00 r5:00000000 r4:c4a7ec00 Jan 16 11:30:54 ptxdist kernel: spi_setup from __spi_add_device+0x15c/0x300 Jan 16 11:30:54 ptxdist kernel: r6:c4a7fc00 r5:c4a7ec00 r4:c4a7ed9f Jan 16 11:30:54 ptxdist kernel: __spi_add_device from of_register_spi_devices+0x74/0x1a8 Jan 16 11:30:54 ptxdist kernel: r10:c0fe67cc r9:c4a7fd98 r8:c4a7fdd4 r7:c4a7ec00 r6:c4a7fc00 r5:00000000 Jan 16 11:30:54 ptxdist kernel: r4:cfce0df4 Jan 16 11:30:54 ptxdist kernel: of_register_spi_devices from spi_register_controller+0x3d0/0x4d0 Jan 16 11:30:54 ptxdist kernel: r9:c4a7fd98 r8:c0fe67d4 r7:c4a7fda0 r6:00000000 r5:c0fe67d4 r4:c4a7fc00 Jan 16 11:30:54 ptxdist kernel: spi_register_controller from devm_spi_register_controller+0x54/0xbc Jan 16 11:30:54 ptxdist kernel: r10:bf006108 r9:c2572c10 r8:c4a7fc00 r7:c2572c10 r6:c4a7fc00 r5:c4a7ff00 Jan 16 11:30:54 ptxdist kernel: r4:c46cd2c0 Jan 16 11:30:54 ptxdist kernel: devm_spi_register_controller from omap2_mcspi_probe+0x51c/0x5cc [spi_omap2_mcspi] Jan 16 11:30:54 ptxdist kernel: r7:c4a7fc00 r6:c2572c10 r5:c4a7ff00 r4:c2572c10 Jan 16 11:30:54 ptxdist kernel: omap2_mcspi_probe [spi_omap2_mcspi] from platform_probe+0x6c/0xd0 Jan 16 11:30:54 ptxdist kernel: r10:d0481ed0 r9:00000001 r8:00000000 r7:c1028ef8 r6:bf004014 r5:c2572c10 Jan 16 11:30:54 ptxdist kernel: r4:00000000 Jan 16 11:30:54 ptxdist kernel: platform_probe from really_probe+0xf0/0x3ec Jan 16 11:30:54 ptxdist kernel: r7:c1028ef8 r6:bf004014 r5:00000000 r4:c2572c10 Jan 16 11:30:54 ptxdist kernel: really_probe from __driver_probe_device+0xac/0x13c Jan 16 11:30:54 ptxdist kernel: r8:c27a50b4 r7:0000007d r6:c2572c10 r5:bf004014 r4:c2572c10 Jan 16 11:30:54 ptxdist kernel: __driver_probe_device from driver_probe_device+0x40/0xe4 Jan 16 11:30:54 ptxdist kernel: r5:bf004014 r4:c1071d9c Jan 16 11:30:54 ptxdist kernel: driver_probe_device from __driver_attach+0x154/0x204 Jan 16 11:30:54 ptxdist kernel: r7:00000000 r6:c2572c54 r5:bf004014 r4:c2572c10 Jan 16 11:30:54 ptxdist kernel: __driver_attach from bus_for_each_dev+0x8c/0xf0 Jan 16 11:30:54 ptxdist kernel: r7:00000000 r6:c20e96c0 r5:c06404ec r4:bf004014 Jan 16 11:30:54 ptxdist kernel: bus_for_each_dev from driver_attach+0x2c/0x44 Jan 16 11:30:54 ptxdist kernel: r7:c20e96c0 r6:00000000 r5:c27a5080 r4:bf004014 Jan 16 11:30:54 ptxdist kernel: driver_attach from bus_add_driver+0x104/0x244 Jan 16 11:30:54 ptxdist kernel: bus_add_driver from driver_register+0x8c/0x164 Jan 16 11:30:54 ptxdist kernel: r8:00000000 r7:bf004100 r6:c101f840 r5:a7ac7714 r4:bf004014 Jan 16 11:30:54 ptxdist kernel: driver_register from __platform_driver_register+0x2c/0x40 Jan 16 11:30:54 ptxdist kernel: r5:a7ac7714 r4:c0fac2fc Jan 16 11:30:54 ptxdist kernel: __platform_driver_register from omap2_mcspi_driver_init+0x38/0x1000 [spi_omap2_mcspi] Jan 16 11:30:54 ptxdist kernel: omap2_mcspi_driver_init [spi_omap2_mcspi] from do_one_initcall+0x68/0x2b8 Jan 16 11:30:54 ptxdist kernel: r5:c2a95800 r4:bf008000 Jan 16 11:30:54 ptxdist kernel: do_one_initcall from do_init_module+0x64/0x218 Jan 16 11:30:54 ptxdist kernel: r8:bf004100 r7:bf004100 r6:c477d240 r5:00000000 r4:bf004100 Jan 16 11:30:54 ptxdist kernel: do_init_module from load_module+0x7e4/0xa18 Jan 16 11:30:54 ptxdist kernel: r6:00000000 r5:00000000 r4:00000000 Jan 16 11:30:54 ptxdist kernel: load_module from init_module_from_file+0xa4/0xec Jan 16 11:30:54 ptxdist kernel: r10:c477c080 r9:c1054a48 r8:c477c080 r7:c1054a38 r6:b5b1d7f0 r5:c477c080 Jan 16 11:30:54 ptxdist kernel: r4:00000000 Jan 16 11:30:54 ptxdist kernel: init_module_from_file from sys_finit_module+0x244/0x39c Jan 16 11:30:54 ptxdist kernel: r6:00000001 r5:000000f4 r4:c2a95800 Jan 16 11:30:54 ptxdist kernel: sys_finit_module from __sys_trace_return+0x0/0x10 Jan 16 11:30:54 ptxdist kernel: Exception stack(0xd0481fa8 to 0xd0481ff0) Jan 16 11:30:54 ptxdist kernel: 1fa0: 14cb6a00 00000000 0000001a b5b1d7f0 00000000 00000000 Jan 16 11:30:54 ptxdist kernel: 1fc0: 14cb6a00 00000000 00826358 0000017b 008456d0 b6f75934 b5b1739d 00000000 Jan 16 11:30:55 ptxdist kernel: 1fe0: bee9d538 bee9d528 b5b16643 b6c5d262 Jan 16 11:30:55 ptxdist kernel: r10:0000017b r9:c2a95800 r8:c01002c4 r7:0000017b r6:00826358 r5:00000000 Jan 16 11:30:55 ptxdist kernel: r4:14cb6a00 Jan 16 11:30:55 ptxdist kernel: spi spi0.0: setup: speed 0, sample leading edge, clk normal Jan 16 11:30:55 ptxdist kernel: spi spi0.0: setup mode 0, 8 bits/w, 10000000 Hz max --> 0

3 months, 1 week

3
3
0 0

[PATCH] net/ncsi: wait for the last response to Deselect Package before configuring channel

by Paul Fertser

The NCSI state machine as it's currently implemented assumes that transition to the next logical state is performed either explicitly by calling `schedule_work(&ndp->work)` to re-queue itself or implicitly after processing the predefined (ndp->pending_req_num) number of replies. Thus to avoid the configuration FSM from advancing prematurely and getting out of sync with the process it's essential to not skip waiting for a reply. This patch makes the code wait for reception of the Deselect Package response for the last package probed before proceeding to channel configuration. Thanks go to Potin Lai and Cosmo Chou for the initial investigation and testing. Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict") Cc: stable(a)vger.kernel.org Signed-off-by: Paul Fertser <fercerpav(a)gmail.com> --- net/ncsi/ncsi-manage.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c index 5cf55bde366d..bf8e27b84a66 100644 --- a/net/ncsi/ncsi-manage.c +++ b/net/ncsi/ncsi-manage.c @@ -1373,6 +1373,12 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) nd->state = ncsi_dev_state_probe_package; break; case ncsi_dev_state_probe_package: + if (ndp->package_probe_id >= 8) { + /* Last package probed, finishing */ + ndp->flags |= NCSI_DEV_PROBED; + break; + } + ndp->pending_req_num = 1; nca.type = NCSI_PKT_CMD_SP; @@ -1489,13 +1495,8 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp) if (ret) goto error; - /* Probe next package */ + /* Probe next package after receiving response */ ndp->package_probe_id++; - if (ndp->package_probe_id >= 8) { - /* Probe finished */ - ndp->flags |= NCSI_DEV_PROBED; - break; - } nd->state = ncsi_dev_state_probe_package; ndp->active_package = NULL; break; -- 2.34.1

3 months, 1 week

2
1
0 0

[PATCH 5.4] net: xen-netback: hash.c: Use built-in RCU list checking

by Hagar Hemdan

From: Madhuparna Bhowmik <madhuparnabhowmik04(a)gmail.com> commit f3265971ded98a069ad699b51b8a5ab95e9e5be1 upstream. list_for_each_entry_rcu has built-in RCU and lock checking. Pass cond argument to list_for_each_entry_rcu. Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik04(a)gmail.com> Acked-by: Wei Liu <wei.liu(a)kernel.org> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> --- This is a dependency to fix CVE-2024-49936 in 5.4. diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c --- a/drivers/net/xen-netback/hash.c +++ b/drivers/net/xen-netback/hash.c @@ -51,7 +51,8 @@ static void xenvif_add_hash(struct xenvif *vif, const u8 *tag, found = false; oldest = NULL; - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { + list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, + lockdep_is_held(&vif->hash.cache.lock)) { /* Make sure we don't add duplicate entries */ if (entry->len == len && memcmp(entry->tag, tag, len) == 0) @@ -102,7 +103,8 @@ static void xenvif_flush_hash(struct xenvif *vif) spin_lock_irqsave(&vif->hash.cache.lock, flags); - list_for_each_entry_rcu(entry, &vif->hash.cache.list, link) { + list_for_each_entry_rcu(entry, &vif->hash.cache.list, link, + lockdep_is_held(&vif->hash.cache.lock)) { list_del_rcu(&entry->link); vif->hash.cache.count--; kfree_rcu(entry, rcu);

3 months, 1 week

2
3
0 0

Re: [PATCH] KVM: x86: switch hugepage recovery thread to vhost_task

by Alyssa Ross

On Wed, Jan 15, 2025 at 12:03:27PM -0700, Keith Busch wrote: > On Wed, Jan 15, 2025 at 06:10:05PM +0100, Paolo Bonzini wrote: > > You can implement something like pthread_once(): > > ... > > > Where to put it I don't know. It doesn't belong in > > include/linux/once.h. I'm okay with arch/x86/kvm/call_once.h and just > > pull it with #include "call_once.h". > > Thanks for the suggestion, I can work with that. As to where to put it, > I think the new 'struct once' needs to be a member of struct kvm_arch, > so I've put it in arch/x86/include/asm/. > > Here's the result with that folded in. If this is okay, I'll send a v2, > and can split out the call_once as a prep patch with your attribution if > you like. Has there been any progress here? I'm also affected by the crosvm regression, and it's been backported to the LTS stable kernel. (CCing the stable and regressions lists to make sure the regression is tracked.) #regzbot introduced: d96c77bd4eeb

3 months, 1 week

2
2
0 0

[PATCH 6.6 00/72] 6.6.74-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.74 release. There are 72 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 23 Jan 2025 17:45:02 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.74-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.74-rc1 Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Juergen Gross <jgross(a)suse.com> x86/xen: fix SLS mitigation in xen_hypercall_iret() Youzhong Yang <youzhong(a)gmail.com> nfsd: add list_head nf_gc to struct nfsd_file Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "drm/amdgpu: rework resume handling for display (v2)" Amir Goldstein <amir73il(a)gmail.com> fs: relax assertions on failure to encode file handles Amir Goldstein <amir73il(a)gmail.com> ovl: support encoding fid from inode with no alias Amir Goldstein <amir73il(a)gmail.com> ovl: pass realinode to ovl_encode_real_fh() instead of realdentry Mohammed Anees <pvmohammedanees2003(a)gmail.com> ocfs2: fix deadlock in ocfs2_get_system_file_inode Yu Kuai <yukuai3(a)huawei.com> block: fix uaf for flush rq while iterating tags Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix spi burst write not supported Terry Tritton <terry.tritton(a)linaro.org> Revert "PCI: Use preserve_config in place of pci_flags" Christian König <christian.koenig(a)amd.com> drm/amdgpu: always sync the GFX pipe on ctx switch Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/fb: Relax clear color alignment to 64 bytes Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Tomas Krcka <krckatom(a)amazon.de> irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> irqchip: Plug a OF node reference leak in platform_irqchip_probe() Xiaolei Wang <xiaolei.wang(a)windriver.com> pmdomain: imx8mp-blk-ctrl: add missing loop break condition Sean Anderson <sean.anderson(a)linux.dev> gpio: xilinx: Convert gpio_lock to raw spinlock Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Marco Nelissen <marco.nelissen(a)gmail.com> filemap: avoid truncating 64-bit offset to 32 bits Dave Airlie <airlied(a)redhat.com> nouveau/fence: handle cross device fences properly Stefano Garzarella <sgarzare(a)redhat.com> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Stefano Garzarella <sgarzare(a)redhat.com> vsock: reset socket state when de-assigning the transport Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: cancel close work in the destructor Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: discard packets if the transport changes Stefano Garzarella <sgarzare(a)redhat.com> vsock/bpf: return early if transport is not assigned Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Paolo Abeni <pabeni(a)redhat.com> selftests: mptcp: avoid spurious errors on disconnect Paolo Abeni <pabeni(a)redhat.com> mptcp: fix spurious wake-up on under memory pressure Paolo Abeni <pabeni(a)redhat.com> mptcp: be sure to send ack when mptcp-level window re-opens Tomi Valkeinen <tomi.valkeinen+renesas(a)ideasonboard.com> i2c: atr: Fix client detach Kairui Song <kasong(a)tencent.com> zram: fix potential UAF of zram table Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Juergen Gross <jgross(a)suse.com> x86/asm: Make serialize() always_inline Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Hongguang Gao <hongguang.gao(a)broadcom.com> RDMA/bnxt_re: Fix to export port num to ib_query_qp Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Marco Nelissen <marco.nelissen(a)gmail.com> iomap: avoid avoid truncating 64-bit offset to 32 bits Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: acpi_dev_irq_override(): Check DMI match last Jakub Kicinski <kuba(a)kernel.org> selftests: tc-testing: reduce rshift value Manivannan Sadhasivam <mani(a)kernel.org> scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Max Kellermann <max.kellermann(a)ionos.com> cachefiles: Parse the "secctx" immediately David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Zhang Kunbo <zhangkunbo(a)huawei.com> fs: fix missing declaration of init_files Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Paulo Alcantara <pc(a)manguebit.com> smb: client: fix double free of TCP_Server_Info::hostname Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: rcar: fix NACK handling when being a target Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Pratyush Yadav <pratyush(a)kernel.org> Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" David Lechner <dlechner(a)baylibre.com> hwmon: (tmp513) Fix division of negative numbers MD Danish Anwar <danishanwar(a)ti.com> soc: ti: pruss: Fix pruss APIs Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Add new keep_resv BO param Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Always start IPsec sequence number from 1 Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Rely on reqid in IPsec tunnel mode Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel Mark Zhang <markzhang(a)nvidia.com> net/mlx5: Clear port select structure when fail to create Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix RDMA TX steering prio Kevin Groeneveld <kgroeneveld(a)lenbrook.com> net: fec: handle page_pool_dev_alloc_pages error Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix IRQ coalescing packet count overflow Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Eric Dumazet <edumazet(a)google.com> gtp: use exit_batch_rtnl() method Eric Dumazet <edumazet(a)google.com> net: add exit_batch_rtnl() method Artem Chernyshev <artem.chernyshev(a)red-soft.ru> pktgen: Avoid out-of-bounds access in get_imix_entries Ilya Maximets <i.maximets(a)ovn.org> openvswitch: fix lockup on tx to unregistering netdev with carrier Michal Luczaj <mhal(a)rbox.co> bpf: Fix bpf_sk_select_reuseport() memory leak Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() ------------- Diffstat: Makefile | 4 +- arch/x86/include/asm/special_insns.h | 2 +- arch/x86/xen/xen-asm.S | 2 +- block/blk-sysfs.c | 6 +-- block/genhd.c | 9 ++-- drivers/acpi/resource.c | 6 +-- drivers/block/zram/zram_drv.c | 1 + drivers/gpio/gpio-xilinx.c | 32 +++++++------- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 45 +------------------- drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 4 +- .../gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +- drivers/gpu/drm/i915/display/intel_fb.c | 2 +- drivers/gpu/drm/nouveau/nouveau_fence.c | 6 ++- drivers/gpu/drm/v3d/v3d_irq.c | 4 ++ drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 3 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 3 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 7 +--- drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 1 + drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 7 +--- drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | 5 +-- drivers/hwmon/tmp513.c | 7 ++-- drivers/i2c/busses/i2c-rcar.c | 20 ++++++--- drivers/i2c/i2c-atr.c | 2 +- drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 +++++ drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 1 + drivers/infiniband/hw/bnxt_re/ib_verbs.h | 4 ++ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 1 + drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 + drivers/irqchip/irq-gic-v3-its.c | 2 +- drivers/irqchip/irq-gic-v3.c | 2 +- drivers/irqchip/irqchip.c | 4 +- drivers/mtd/spi-nor/core.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +-------- drivers/net/ethernet/freescale/fec_main.c | 19 ++++++--- .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 22 +++++----- .../mellanox/mlx5/core/en_accel/ipsec_fs.c | 12 +++--- .../mellanox/mlx5/core/en_accel/ipsec_offload.c | 11 +++-- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 + .../net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 +- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/ti/cpsw_ale.c | 14 +++---- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 +++ drivers/net/gtp.c | 42 +++++++++++-------- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/pci/controller/pci-host-common.c | 4 ++ drivers/pci/probe.c | 20 +++++---- drivers/pmdomain/imx/imx8mp-blk-ctrl.c | 2 +- drivers/ufs/core/ufshcd.c | 9 ++-- fs/cachefiles/daemon.c | 14 +++---- fs/cachefiles/internal.h | 3 +- fs/cachefiles/security.c | 6 +-- fs/file.c | 1 + fs/hfs/super.c | 4 +- fs/iomap/buffered-io.c | 2 +- fs/nfsd/filecache.c | 18 ++++---- fs/nfsd/filecache.h | 1 + fs/notify/fdinfo.c | 4 +- fs/ocfs2/extent_map.c | 8 +++- fs/overlayfs/copy_up.c | 16 +++---- fs/overlayfs/export.c | 49 ++++++++++++---------- fs/overlayfs/namei.c | 4 +- fs/overlayfs/overlayfs.h | 2 +- fs/proc/vmcore.c | 2 + fs/smb/client/connect.c | 3 +- include/linux/hrtimer.h | 1 + include/linux/poll.h | 10 ++++- include/linux/pruss_driver.h | 12 +++--- include/net/net_namespace.h | 3 ++ kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/time/hrtimer.c | 11 ++++- mm/filemap.c | 2 +- net/core/filter.c | 30 +++++++------ net/core/net_namespace.c | 31 +++++++++++++- net/core/pktgen.c | 6 +-- net/dccp/ipv6.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mac802154/iface.c | 4 ++ net/mptcp/options.c | 6 ++- net/mptcp/protocol.h | 9 +++- net/openvswitch/actions.c | 4 +- net/vmw_vsock/af_vsock.c | 18 ++++++++ net/vmw_vsock/virtio_transport_common.c | 38 ++++++++++++----- net/vmw_vsock/vsock_bpf.c | 9 ++++ sound/pci/hda/patch_realtek.c | 1 + tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 ++++++++++++++----- .../tc-testing/tc-tests/filters/flow.json | 4 +- 90 files changed, 479 insertions(+), 315 deletions(-)

3 months, 1 week

11
82
0 0

[PATCH 6.1 00/64] 6.1.127-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.127 release. There are 64 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 23 Jan 2025 17:45:02 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.127-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.127-rc1 Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Juergen Gross <jgross(a)suse.com> x86/xen: fix SLS mitigation in xen_hypercall_iret() Youzhong Yang <youzhong(a)gmail.com> nfsd: add list_head nf_gc to struct nfsd_file Gao Xiang <xiang(a)kernel.org> erofs: handle NONHEAD !delta[1] lclusters gracefully Gao Xiang <xiang(a)kernel.org> erofs: tidy up EROFS on-disk naming Kang Yang <quic_kangyang(a)quicinc.com> wifi: ath10k: avoid NULL pointer error during sdio remove Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "regmap: detach regmap from dev on regmap_exit" Suraj Sonawane <surajsonawane0215(a)gmail.com> scsi: sg: Fix slab-use-after-free read in sg_release() Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rxe: Fix the qp flush warnings in req Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "drm/amdgpu: rework resume handling for display (v2)" Yu Kuai <yukuai3(a)huawei.com> block: fix uaf for flush rq while iterating tags Vitaly Prosyak <vitaly.prosyak(a)amd.com> drm/amdgpu: fix usage slab after free Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: rockchip_saradc: fix information leak in triggered buffer Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix spi burst write not supported Terry Tritton <terry.tritton(a)linaro.org> Revert "PCI: Use preserve_config in place of pci_flags" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/fb: Relax clear color alignment to 64 bytes Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Tomas Krcka <krckatom(a)amazon.de> irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> irqchip: Plug a OF node reference leak in platform_irqchip_probe() Xiaolei Wang <xiaolei.wang(a)windriver.com> pmdomain: imx8mp-blk-ctrl: add missing loop break condition Zhongqiu Han <quic_zhonhan(a)quicinc.com> gpiolib: cdev: Fix use after free in lineinfo_changed_notify Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Marco Nelissen <marco.nelissen(a)gmail.com> filemap: avoid truncating 64-bit offset to 32 bits Stefano Garzarella <sgarzare(a)redhat.com> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Stefano Garzarella <sgarzare(a)redhat.com> vsock: reset socket state when de-assigning the transport Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: cancel close work in the destructor Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: discard packets if the transport changes Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Paolo Abeni <pabeni(a)redhat.com> selftests: mptcp: avoid spurious errors on disconnect Paolo Abeni <pabeni(a)redhat.com> mptcp: be sure to send ack when mptcp-level window re-opens Kairui Song <kasong(a)tencent.com> zram: fix potential UAF of zram table Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA Juergen Gross <jgross(a)suse.com> x86/asm: Make serialize() always_inline Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Marco Nelissen <marco.nelissen(a)gmail.com> iomap: avoid avoid truncating 64-bit offset to 32 bits Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: acpi_dev_irq_override(): Check DMI match last Jakub Kicinski <kuba(a)kernel.org> selftests: tc-testing: reduce rshift value Manivannan Sadhasivam <mani(a)kernel.org> scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers Max Kellermann <max.kellermann(a)ionos.com> cachefiles: Parse the "secctx" immediately David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Zhang Kunbo <zhangkunbo(a)huawei.com> fs: fix missing declaration of init_files Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: rcar: fix NACK handling when being a target Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Pratyush Yadav <pratyush(a)kernel.org> Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" David Lechner <dlechner(a)baylibre.com> hwmon: (tmp513) Fix division of negative numbers Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Mark Zhang <markzhang(a)nvidia.com> net/mlx5: Clear port select structure when fail to create Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix RDMA TX steering prio Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix IRQ coalescing packet count overflow Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Eric Dumazet <edumazet(a)google.com> gtp: use exit_batch_rtnl() method Eric Dumazet <edumazet(a)google.com> net: add exit_batch_rtnl() method Artem Chernyshev <artem.chernyshev(a)red-soft.ru> pktgen: Avoid out-of-bounds access in get_imix_entries Ilya Maximets <i.maximets(a)ovn.org> openvswitch: fix lockup on tx to unregistering netdev with carrier Michal Luczaj <mhal(a)rbox.co> bpf: Fix bpf_sk_select_reuseport() memory leak Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() ------------- Diffstat: Makefile | 4 +- arch/x86/include/asm/special_insns.h | 2 +- arch/x86/xen/xen-asm.S | 2 +- block/blk-sysfs.c | 6 +- block/genhd.c | 9 +- drivers/acpi/resource.c | 6 +- drivers/base/regmap/regmap.c | 12 -- drivers/block/zram/zram_drv.c | 1 + drivers/gpio/gpiolib-cdev.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 47 +------ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 6 +- .../gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +- drivers/gpu/drm/i915/display/intel_fb.c | 2 +- drivers/gpu/drm/v3d/v3d_irq.c | 4 + drivers/hwmon/tmp513.c | 7 +- drivers/i2c/busses/i2c-rcar.c | 20 ++- drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/iio/adc/rockchip_saradc.c | 2 + drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 18 ++- drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 +- drivers/infiniband/sw/rxe/rxe_req.c | 6 +- drivers/irqchip/irq-gic-v3-its.c | 2 +- drivers/irqchip/irq-gic-v3.c | 2 +- drivers/irqchip/irqchip.c | 4 +- drivers/mtd/spi-nor/core.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +-- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 1 + .../net/ethernet/mellanox/mlx5/core/lag/port_sel.c | 4 +- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/ti/cpsw_ale.c | 14 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 + drivers/net/gtp.c | 42 +++--- drivers/net/wireless/ath/ath10k/sdio.c | 4 +- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/pci/controller/pci-host-common.c | 4 + drivers/pci/probe.c | 20 +-- drivers/scsi/sg.c | 2 +- drivers/soc/imx/imx8mp-blk-ctrl.c | 2 +- drivers/ufs/core/ufshcd.c | 9 +- fs/cachefiles/daemon.c | 14 +- fs/cachefiles/internal.h | 3 +- fs/cachefiles/security.c | 6 +- fs/erofs/erofs_fs.h | 143 +++++++++------------ fs/erofs/zmap.c | 133 ++++++++++--------- fs/file.c | 1 + fs/hfs/super.c | 4 +- fs/iomap/buffered-io.c | 2 +- fs/nfsd/filecache.c | 18 +-- fs/nfsd/filecache.h | 1 + fs/proc/vmcore.c | 2 + include/linux/hrtimer.h | 1 + include/linux/poll.h | 10 +- include/net/net_namespace.h | 3 + kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/time/hrtimer.c | 11 +- mm/filemap.c | 2 +- net/core/filter.c | 30 +++-- net/core/net_namespace.c | 31 ++++- net/core/pktgen.c | 6 +- net/dccp/ipv6.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mac802154/iface.c | 4 + net/mptcp/options.c | 6 +- net/openvswitch/actions.c | 4 +- net/vmw_vsock/af_vsock.c | 18 +++ net/vmw_vsock/virtio_transport_common.c | 38 ++++-- sound/pci/hda/patch_realtek.c | 1 + tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 +++++-- .../tc-testing/tc-tests/filters/flow.json | 4 +- 71 files changed, 477 insertions(+), 379 deletions(-)

3 months, 1 week

8
73
0 0

[PATCH 5.15 000/127] 5.15.177-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.177 release. There are 127 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 23 Jan 2025 17:45:02 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.177-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.177-rc1 Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Suraj Sonawane <surajsonawane0215(a)gmail.com> scsi: sg: Fix slab-use-after-free read in sg_release() Juergen Gross <jgross(a)suse.com> x86/xen: fix SLS mitigation in xen_hypercall_iret() Youzhong Yang <youzhong(a)gmail.com> nfsd: add list_head nf_gc to struct nfsd_file Eric Dumazet <edumazet(a)google.com> ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: discard packets if the transport changes Tejun Heo <tj(a)kernel.org> blk-cgroup: Fix UAF in blkcg_unpin_online() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "regmap: detach regmap from dev on regmap_exit" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "drm/amdgpu: rework resume handling for display (v2)" Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: rockchip_saradc: fix information leak in triggered buffer Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: fix spi burst write not supported Terry Tritton <terry.tritton(a)linaro.org> Revert "PCI: Use preserve_config in place of pci_flags" Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/fb: Relax clear color alignment to 64 bytes Koichiro Den <koichiro.den(a)canonical.com> hrtimers: Handle CPU state correctly on hotplug Yogesh Lal <quic_ylal(a)quicinc.com> irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly Zhongqiu Han <quic_zhonhan(a)quicinc.com> gpiolib: cdev: Fix use after free in lineinfo_changed_notify Rik van Riel <riel(a)surriel.com> fs/proc: fix softlockup in __read_vmcore (part 2) Marco Nelissen <marco.nelissen(a)gmail.com> filemap: avoid truncating 64-bit offset to 32 bits Stefano Garzarella <sgarzare(a)redhat.com> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Stefano Garzarella <sgarzare(a)redhat.com> vsock: reset socket state when de-assigning the transport Stefano Garzarella <sgarzare(a)redhat.com> vsock/virtio: cancel close work in the destructor Heiner Kallweit <hkallweit1(a)gmail.com> net: ethernet: xgbe: re-add aneg to supported features in PHY quirks Juergen Gross <jgross(a)suse.com> x86/asm: Make serialize() always_inline Kairui Song <kasong(a)tencent.com> zram: fix potential UAF of zram table Luis Chamberlain <mcgrof(a)kernel.org> nvmet: propagate npwg topology Oleg Nesterov <oleg(a)redhat.com> poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: acpi_dev_irq_override(): Check DMI match last David Howells <dhowells(a)redhat.com> kheaders: Ignore silly-rename files Zhang Kunbo <zhangkunbo(a)huawei.com> fs: fix missing declaration of init_files Leo Stone <leocstone(a)gmail.com> hfs: Sanity check the root record Lizhi Xu <lizhi.xu(a)windriver.com> mac802154: check local interfaces before deleting sdata list Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: rcar: fix NACK handling when being a target Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: mux: demux-pinctrl: check initial mux selection, too Pratyush Yadav <pratyush(a)kernel.org> Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" David Lechner <dlechner(a)baylibre.com> hwmon: (tmp513) Fix division of negative numbers Maíra Canal <mcanal(a)igalia.com> drm/v3d: Ensure job pointer is set to NULL after job completion Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix RDMA TX steering prio Maor Gottlieb <maorg(a)nvidia.com> net/mlx5: Refactor mlx5_get_flow_namespace Aharon Landau <aharonl(a)nvidia.com> net/mlx5: Add priorities for counters in RDMA namespaces Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix IRQ coalescing packet count overflow Dan Carpenter <dan.carpenter(a)linaro.org> nfp: bpf: prevent integer overflow in nfp_bpf_event_output() Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Destroy device along with udp socket's netns dismantle. Kuniyuki Iwashima <kuniyu(a)amazon.com> gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). Eric Dumazet <edumazet(a)google.com> gtp: use exit_batch_rtnl() method Eric Dumazet <edumazet(a)google.com> net: add exit_batch_rtnl() method Artem Chernyshev <artem.chernyshev(a)red-soft.ru> pktgen: Avoid out-of-bounds access in get_imix_entries Michal Luczaj <mhal(a)rbox.co> bpf: Fix bpf_sk_select_reuseport() memory leak Sudheer Kumar Doredla <s-doredla(a)ti.com> net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() Justin Chen <justinpopo6(a)gmail.com> phy: usb: Fix clock imbalance for suspend/resume Justin Chen <justinpopo6(a)gmail.com> phy: usb: Use slow clock for wake enabled suspend Paolo Abeni <pabeni(a)redhat.com> mptcp: fix TCP options overflow. Geliang Tang <geliang.tang(a)suse.com> mptcp: drop port parameter of mptcp_pm_add_addr_signal Dennis Lam <dennis.lamerice(a)gmail.com> ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Joseph Qi <joseph.qi(a)linux.alibaba.com> ocfs2: correct return value of ocfs2_local_free_info() Justin Chen <justin.chen(a)broadcom.com> phy: usb: Toggle the PHY power during init Al Cooper <alcooperx(a)gmail.com> phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers Andrea della Porta <andrea.porta(a)suse.com> of: address: Preserve the flags portion on 1:1 dma-ranges mapping Rob Herring <robh(a)kernel.org> of: address: Store number of bus flag cells rather than bool Herve Codina <herve.codina(a)bootlin.com> of: address: Remove duplicated functions Herve Codina <herve.codina(a)bootlin.com> of: address: Fix address translation when address-size is greater than 2 Rob Herring <robh(a)kernel.org> of/address: Add support for 3 address cell bus Rob Herring <robh(a)kernel.org> of: unittest: Add bus address range parsing tests Peter Geis <pgwipeout(a)gmail.com> arm64: dts: rockchip: add hevc power domain clock to rk3328 Yu Kuai <yukuai3(a)huawei.com> block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> iio: adc: ad7124: Disable all channels at probe time Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: inkern: call iio_device_put() only on mapped devices Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> iio: adc: at91: call input_free_device() on allocated iio_dev Fabio Estevam <festevam(a)gmail.com> iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Carlos Song <carlos.song(a)nxp.com> iio: gyro: fxas21002c: Fix missing data update in trigger handler Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: adc: ti-ads8688: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: imu: kmx61: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: light: vcnl4035: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer Javier Carrasco <javier.carrasco.cruz(a)gmail.com> iio: pressure: zpa2326: fix information leak in triggered buffer Akash M <akash.m5(a)samsung.com> usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Prashanth K <quic_prashk(a)quicinc.com> usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Ma Ke <make_ruc2021(a)163.com> usb: fix reference leak in usb_new_device() Kai-Heng Feng <kaihengf(a)nvidia.com> USB: core: Disable LPM only for non-suspended ports Jun Yan <jerrysteve1101(a)gmail.com> USB: usblp: return error when setting unsupported protocol Lianqin Hu <hulianqin(a)vivo.com> usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Li Huafei <lihuafei1(a)huawei.com> topology: Keep the cpumask unchanged when printing cpumap André Draszik <andre.draszik(a)linaro.org> usb: dwc3: gadget: fix writing NYET threshold Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add Phoenix Contact UPS Device Lubomir Rintel <lrintel(a)redhat.com> usb-storage: Add max sectors quirk for Nokia 208 Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9832: Correct phase range check Zicheng Qu <quzicheng(a)huawei.com> staging: iio: ad9834: Correct phase range check Michal Hrusecky <michal.hrusecky(a)turris.com> USB: serial: option: add Neoway N723-EA support Chukun Pan <amadeus(a)jmu.edu.cn> USB: serial: option: add MeiG Smart SRM815 Gui-Dong Han <2045gemini(a)gmail.com> md/raid5: fix atomicity violation in raid5_cache_count Kuan-Wei Chiu <visitorckw(a)gmail.com> scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Kairui Song <kasong(a)tencent.com> zram: fix uninitialized ZRAM not releasing backing device Dominique Martinet <dominique.martinet(a)atmark-techno.com> zram: check comp is non-NULL before calling comp_destroy Sergey Senozhatsky <senozhatsky(a)chromium.org> drivers/block/zram/zram_drv.c: do not keep dangling zcomp pointer after zram reset Melissa Wen <mwen(a)igalia.com> drm/amd/display: increase MAX_SURFACES to the value supported by hw Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Nam Cao <namcao(a)linutronix.de> riscv: Fix sleeping in invalid context in die() Roman Li <Roman.Li(a)amd.com> drm/amd/display: Add check for granularity in dml ceil/floor helpers Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: udp_port: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: auth_enable: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: rto_min/max: avoid using current->nsproxy Matthieu Baerts (NGI0) <matttbe(a)kernel.org> sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Mikulas Patocka <mpatocka(a)redhat.com> dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY Krister Johansen <kjlx(a)templeofstupid.com> dm thin: make get_first_thin use rcu-safe list first function David Howells <dhowells(a)redhat.com> afs: Fix the maximum cell name length Wentao Liang <liangwentao(a)iscas.ac.cn> ksmbd: fix a missing return value check bug Jason-JH.Lin <jason-jh.lin(a)mediatek.com> drm/mediatek: Add support for 180-degree rotation in the display driver Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: conntrack: clamp maximum hashtable size to INT_MAX Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: imbalance in flowtable binding Benjamin Coddington <bcodding(a)redhat.com> tls: Fix tls_sw_sendmsg error handling Anumula Murali Mohan Reddy <anumula(a)chelsio.com> cxgb4: Avoid removal of uninserted tid Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> bnxt_en: Fix possible memory leak when hwrm_req_replace fails Eric Dumazet <edumazet(a)google.com> net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Zhongqiu Duan <dzq.aishenghu0(a)gmail.com> tcp/dccp: allow a connection when sk_max_ack_backlog is zero Jason Xing <kernelxing(a)tencent.com> tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Antonio Pastor <antonio.pastor(a)gmail.com> net: 802: LLC+SNAP OID:PID lookup on start of skb data Keisuke Nishimura <keisuke.nishimura(a)inria.fr> ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Chen-Yu Tsai <wenst(a)chromium.org> ASoC: mediatek: disable buffer pre-allocation Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in __exfat_free_cluster() Yuezhang Mo <Yuezhang.Mo(a)sony.com> exfat: fix the infinite loop in exfat_readdir() Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix cursor index when skipping across block boundaries Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix unreleased btree blocks on closing a faulty array cursor Ming-Hung Tsai <mtsai(a)redhat.com> dm array: fix releasing a faulty array block twice in dm_array_cursor_end Zhang Yi <yi.zhang(a)huawei.com> jbd2: flush filesystem device before updating tail sequence Max Kellermann <max.kellermann(a)ionos.com> ceph: give up on paths longer than PATH_MAX ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3328.dtsi | 1 + arch/riscv/kernel/traps.c | 6 +- arch/x86/include/asm/special_insns.h | 2 +- arch/x86/xen/xen-asm.S | 2 +- block/bfq-iosched.c | 12 ++- drivers/acpi/resource.c | 24 ++++- drivers/base/regmap/regmap.c | 12 --- drivers/base/topology.c | 24 ++++- drivers/block/zram/zram_drv.c | 24 ++--- drivers/gpio/gpiolib-cdev.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 45 +-------- drivers/gpu/drm/amd/display/dc/dc.h | 2 +- .../gpu/drm/amd/display/dc/dml/dml_inline_defs.h | 8 ++ drivers/gpu/drm/i915/display/intel_fb.c | 2 +- drivers/gpu/drm/mediatek/mtk_disp_ovl.c | 12 ++- drivers/gpu/drm/v3d/v3d_irq.c | 4 + drivers/hwmon/tmp513.c | 7 +- drivers/i2c/busses/i2c-rcar.c | 20 +++- drivers/i2c/muxes/i2c-demux-pinctrl.c | 4 +- drivers/iio/adc/ad7124.c | 3 + drivers/iio/adc/at91_adc.c | 2 +- drivers/iio/adc/rockchip_saradc.c | 2 + drivers/iio/adc/ti-ads124s08.c | 4 +- drivers/iio/adc/ti-ads8688.c | 2 +- drivers/iio/dummy/iio_simple_dummy_buffer.c | 2 +- drivers/iio/gyro/fxas21002c_core.c | 11 ++- drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 18 +++- drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 +- drivers/iio/imu/kmx61.c | 2 +- drivers/iio/inkern.c | 2 +- drivers/iio/light/vcnl4035.c | 2 +- drivers/iio/pressure/zpa2326.c | 2 + drivers/irqchip/irq-gic-v3.c | 2 +- drivers/md/dm-ebs-target.c | 2 +- drivers/md/dm-thin.c | 5 +- drivers/md/persistent-data/dm-array.c | 19 ++-- drivers/md/raid5.c | 14 +-- drivers/mtd/spi-nor/core.c | 2 +- drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 +--- drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 95 ++++++++++++++---- drivers/net/ethernet/netronome/nfp/bpf/offload.c | 3 +- drivers/net/ethernet/ti/cpsw_ale.c | 14 +-- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 6 ++ drivers/net/gtp.c | 42 ++++---- drivers/net/ieee802154/ca8210.c | 6 +- drivers/nvme/target/io-cmd-bdev.c | 2 +- drivers/of/address.c | 76 ++++++++++---- drivers/of/unittest-data/tests-address.dtsi | 9 +- drivers/of/unittest.c | 109 +++++++++++++++++++++ drivers/pci/controller/pci-host-common.c | 4 + drivers/pci/probe.c | 20 ++-- drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 53 ++++++++-- drivers/phy/broadcom/phy-brcm-usb-init.h | 1 - drivers/phy/broadcom/phy-brcm-usb.c | 8 +- drivers/scsi/sg.c | 2 +- drivers/staging/iio/frequency/ad9832.c | 2 +- drivers/staging/iio/frequency/ad9834.c | 2 +- drivers/usb/class/usblp.c | 7 +- drivers/usb/core/hub.c | 6 +- drivers/usb/core/port.c | 7 +- drivers/usb/dwc3/core.h | 1 + drivers/usb/dwc3/gadget.c | 4 +- drivers/usb/gadget/function/f_fs.c | 2 +- drivers/usb/gadget/function/f_uac2.c | 1 + drivers/usb/gadget/function/u_serial.c | 8 +- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/option.c | 4 +- drivers/usb/storage/unusual_devs.h | 7 ++ fs/afs/afs.h | 2 +- fs/afs/afs_vl.h | 1 + fs/afs/vl_alias.c | 8 +- fs/afs/vlclient.c | 2 +- fs/ceph/mds_client.c | 9 +- fs/exfat/dir.c | 3 +- fs/exfat/fatent.c | 10 ++ fs/file.c | 1 + fs/hfs/super.c | 4 +- fs/jbd2/commit.c | 4 +- fs/ksmbd/smb2pdu.c | 3 + fs/nfsd/filecache.c | 18 ++-- fs/nfsd/filecache.h | 1 + fs/ocfs2/quota_global.c | 2 +- fs/ocfs2/quota_local.c | 10 +- fs/proc/vmcore.c | 2 + include/linux/blk-cgroup.h | 6 +- include/linux/hrtimer.h | 1 + include/linux/mlx5/device.h | 2 + include/linux/mlx5/fs.h | 2 + include/linux/poll.h | 10 +- include/net/inet_connection_sock.h | 2 +- include/net/net_namespace.h | 3 + kernel/cpu.c | 2 +- kernel/gen_kheaders.sh | 1 + kernel/time/hrtimer.c | 11 ++- mm/filemap.c | 2 +- net/802/psnap.c | 4 +- net/core/filter.c | 30 +++--- net/core/net_namespace.c | 31 +++++- net/core/pktgen.c | 6 +- net/dccp/ipv6.c | 2 +- net/ipv6/route.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mac802154/iface.c | 4 + net/mptcp/options.c | 12 ++- net/mptcp/pm.c | 7 +- net/mptcp/protocol.h | 2 +- net/netfilter/nf_conntrack_core.c | 5 +- net/netfilter/nf_tables_api.c | 15 ++- net/sched/cls_flow.c | 3 +- net/sctp/sysctl.c | 14 +-- net/tls/tls_sw.c | 2 +- net/vmw_vsock/af_vsock.c | 18 ++++ net/vmw_vsock/virtio_transport_common.c | 38 ++++--- scripts/sorttable.h | 6 +- .../soc/mediatek/common/mtk-afe-platform-driver.c | 4 +- 119 files changed, 830 insertions(+), 347 deletions(-)

3 months, 1 week

8
135
0 0

[PATCH 5.10] ibmvnic: Add tx check to prevent skb leak

by Denis Arefev

From: Nick Child <nnac123(a)linux.ibm.com> From: Nick Child <nnac123(a)linux.ibm.com> commit 0983d288caf984de0202c66641577b739caad561 upstream. Below is a summary of how the driver stores a reference to an skb during transmit: tx_buff[free_map[consumer_index]]->skb = new_skb; free_map[consumer_index] = IBMVNIC_INVALID_MAP; consumer_index ++; Where variable data looks like this: free_map == [4, IBMVNIC_INVALID_MAP, IBMVNIC_INVALID_MAP, 0, 3] consumer_index^ tx_buff == [skb=null, skb=<ptr>, skb=<ptr>, skb=null, skb=null] The driver has checks to ensure that free_map[consumer_index] pointed to a valid index but there was no check to ensure that this index pointed to an unused/null skb address. So, if, by some chance, our free_map and tx_buff lists become out of sync then we were previously risking an skb memory leak. This could then cause tcp congestion control to stop sending packets, eventually leading to ETIMEDOUT. Therefore, add a conditional to ensure that the skb address is null. If not then warn the user (because this is still a bug that should be patched) and free the old pointer to prevent memleak/tcp problems. Signed-off-by: Nick Child <nnac123(a)linux.ibm.com> Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> [Denis: minor fix to resolve merge conflict.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2024-41066 Link: https://nvd.nist.gov/vuln/detail/CVE-2024-41066 --- drivers/net/ethernet/ibm/ibmvnic.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c index 84da6ccaf339..439796975cbf 100644 --- a/drivers/net/ethernet/ibm/ibmvnic.c +++ b/drivers/net/ethernet/ibm/ibmvnic.c @@ -1625,6 +1625,18 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) (tx_pool->consumer_index + 1) % tx_pool->num_buffers; tx_buff = &tx_pool->tx_buff[index]; + + /* Sanity checks on our free map to make sure it points to an index + * that is not being occupied by another skb. If skb memory is + * not freed then we see congestion control kick in and halt tx. + */ + if (unlikely(tx_buff->skb)) { + dev_warn_ratelimited(dev, "TX free map points to untracked skb (%s %d idx=%d)\n", + skb_is_gso(skb) ? "tso_pool" : "tx_pool", + queue_num, bufidx); + dev_kfree_skb_any(tx_buff->skb); + } + tx_buff->skb = skb; tx_buff->data_dma[0] = data_dma_addr; tx_buff->data_len[0] = skb->len; -- 2.43.0

3 months, 1 week

2
1
0 0

[for-next][PATCH 2/2] atomic64: Use arch_spin_locks instead of raw_spin_locks

by Steven Rostedt

From: Steven Rostedt <rostedt(a)goodmis.org> raw_spin_locks can be traced by lockdep or tracing itself. Atomic64 operations can be used in the tracing infrastructure. When an architecture does not have true atomic64 operations it can use the generic version that disables interrupts and uses spin_locks. The tracing ring buffer code uses atomic64 operations for the time keeping. But because some architectures use the default operations, the locking inside the atomic operations can cause an infinite recursion. As atomic64 is an architecture specific operation, it should not be using raw_spin_locks() but instead arch_spin_locks as that is the purpose of arch_spin_locks. To be used in architecture specific implementations of generic infrastructure like atomic64 operations. Cc: stable(a)vger.kernel.org Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Andreas Larsson <andreas(a)gaisler.com> Link: https://lore.kernel.org/20250120235721.574973242@goodmis.org Fixes: c84897c0ff592 ("ring-buffer: Remove 32bit timestamp logic") Closes: https://lore.kernel.org/all/86fb4f86-a0e4-45a2-a2df-3154acc4f086@gaisler.co… Reported-by: Ludwig Rydberg <ludwig.rydberg(a)gaisler.com> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> Reviewed-by: Masami Hiramatsu (Google) <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt(a)goodmis.org> --- lib/atomic64.c | 78 +++++++++++++++++++++++++++++++------------------- 1 file changed, 48 insertions(+), 30 deletions(-) diff --git a/lib/atomic64.c b/lib/atomic64.c index caf895789a1e..1a72bba36d24 100644 --- a/lib/atomic64.c +++ b/lib/atomic64.c @@ -25,15 +25,15 @@ * Ensure each lock is in a separate cacheline. */ static union { - raw_spinlock_t lock; + arch_spinlock_t lock; char pad[L1_CACHE_BYTES]; } atomic64_lock[NR_LOCKS] __cacheline_aligned_in_smp = { [0 ... (NR_LOCKS - 1)] = { - .lock = __RAW_SPIN_LOCK_UNLOCKED(atomic64_lock.lock), + .lock = __ARCH_SPIN_LOCK_UNLOCKED, }, }; -static inline raw_spinlock_t *lock_addr(const atomic64_t *v) +static inline arch_spinlock_t *lock_addr(const atomic64_t *v) { unsigned long addr = (unsigned long) v; @@ -45,12 +45,14 @@ static inline raw_spinlock_t *lock_addr(const atomic64_t *v) s64 generic_atomic64_read(const atomic64_t *v) { unsigned long flags; - raw_spinlock_t *lock = lock_addr(v); + arch_spinlock_t *lock = lock_addr(v); s64 val; - raw_spin_lock_irqsave(lock, flags); + local_irq_save(flags); + arch_spin_lock(lock); val = v->counter; - raw_spin_unlock_irqrestore(lock, flags); + arch_spin_unlock(lock); + local_irq_restore(flags); return val; } EXPORT_SYMBOL(generic_atomic64_read); @@ -58,11 +60,13 @@ EXPORT_SYMBOL(generic_atomic64_read); void generic_atomic64_set(atomic64_t *v, s64 i) { unsigned long flags; - raw_spinlock_t *lock = lock_addr(v); + arch_spinlock_t *lock = lock_addr(v); - raw_spin_lock_irqsave(lock, flags); + local_irq_save(flags); + arch_spin_lock(lock); v->counter = i; - raw_spin_unlock_irqrestore(lock, flags); + arch_spin_unlock(lock); + local_irq_restore(flags); } EXPORT_SYMBOL(generic_atomic64_set); @@ -70,11 +74,13 @@ EXPORT_SYMBOL(generic_atomic64_set); void generic_atomic64_##op(s64 a, atomic64_t *v) \ { \ unsigned long flags; \ - raw_spinlock_t *lock = lock_addr(v); \ + arch_spinlock_t *lock = lock_addr(v); \ \ - raw_spin_lock_irqsave(lock, flags); \ + local_irq_save(flags); \ + arch_spin_lock(lock); \ v->counter c_op a; \ - raw_spin_unlock_irqrestore(lock, flags); \ + arch_spin_unlock(lock); \ + local_irq_restore(flags); \ } \ EXPORT_SYMBOL(generic_atomic64_##op); @@ -82,12 +88,14 @@ EXPORT_SYMBOL(generic_atomic64_##op); s64 generic_atomic64_##op##_return(s64 a, atomic64_t *v) \ { \ unsigned long flags; \ - raw_spinlock_t *lock = lock_addr(v); \ + arch_spinlock_t *lock = lock_addr(v); \ s64 val; \ \ - raw_spin_lock_irqsave(lock, flags); \ + local_irq_save(flags); \ + arch_spin_lock(lock); \ val = (v->counter c_op a); \ - raw_spin_unlock_irqrestore(lock, flags); \ + arch_spin_unlock(lock); \ + local_irq_restore(flags); \ return val; \ } \ EXPORT_SYMBOL(generic_atomic64_##op##_return); @@ -96,13 +104,15 @@ EXPORT_SYMBOL(generic_atomic64_##op##_return); s64 generic_atomic64_fetch_##op(s64 a, atomic64_t *v) \ { \ unsigned long flags; \ - raw_spinlock_t *lock = lock_addr(v); \ + arch_spinlock_t *lock = lock_addr(v); \ s64 val; \ \ - raw_spin_lock_irqsave(lock, flags); \ + local_irq_save(flags); \ + arch_spin_lock(lock); \ val = v->counter; \ v->counter c_op a; \ - raw_spin_unlock_irqrestore(lock, flags); \ + arch_spin_unlock(lock); \ + local_irq_restore(flags); \ return val; \ } \ EXPORT_SYMBOL(generic_atomic64_fetch_##op); @@ -131,14 +141,16 @@ ATOMIC64_OPS(xor, ^=) s64 generic_atomic64_dec_if_positive(atomic64_t *v) { unsigned long flags; - raw_spinlock_t *lock = lock_addr(v); + arch_spinlock_t *lock = lock_addr(v); s64 val; - raw_spin_lock_irqsave(lock, flags); + local_irq_save(flags); + arch_spin_lock(lock); val = v->counter - 1; if (val >= 0) v->counter = val; - raw_spin_unlock_irqrestore(lock, flags); + arch_spin_unlock(lock); + local_irq_restore(flags); return val; } EXPORT_SYMBOL(generic_atomic64_dec_if_positive); @@ -146,14 +158,16 @@ EXPORT_SYMBOL(generic_atomic64_dec_if_positive); s64 generic_atomic64_cmpxchg(atomic64_t *v, s64 o, s64 n) { unsigned long flags; - raw_spinlock_t *lock = lock_addr(v); + arch_spinlock_t *lock = lock_addr(v); s64 val; - raw_spin_lock_irqsave(lock, flags); + local_irq_save(flags); + arch_spin_lock(lock); val = v->counter; if (val == o) v->counter = n; - raw_spin_unlock_irqrestore(lock, flags); + arch_spin_unlock(lock); + local_irq_restore(flags); return val; } EXPORT_SYMBOL(generic_atomic64_cmpxchg); @@ -161,13 +175,15 @@ EXPORT_SYMBOL(generic_atomic64_cmpxchg); s64 generic_atomic64_xchg(atomic64_t *v, s64 new) { unsigned long flags; - raw_spinlock_t *lock = lock_addr(v); + arch_spinlock_t *lock = lock_addr(v); s64 val; - raw_spin_lock_irqsave(lock, flags); + local_irq_save(flags); + arch_spin_lock(lock); val = v->counter; v->counter = new; - raw_spin_unlock_irqrestore(lock, flags); + arch_spin_unlock(lock); + local_irq_restore(flags); return val; } EXPORT_SYMBOL(generic_atomic64_xchg); @@ -175,14 +191,16 @@ EXPORT_SYMBOL(generic_atomic64_xchg); s64 generic_atomic64_fetch_add_unless(atomic64_t *v, s64 a, s64 u) { unsigned long flags; - raw_spinlock_t *lock = lock_addr(v); + arch_spinlock_t *lock = lock_addr(v); s64 val; - raw_spin_lock_irqsave(lock, flags); + local_irq_save(flags); + arch_spin_lock(lock); val = v->counter; if (val != u) v->counter += a; - raw_spin_unlock_irqrestore(lock, flags); + arch_spin_unlock(lock); + local_irq_restore(flags); return val; } -- 2.45.2

3 months, 1 week

2
4
0 0

[REGRESSION] vsocket timeout with kata containers agent 3.10.1 and kernel 6.6.70

by Simon Kaegi

#regzbot introduced v6.6.69..v6.6.70 #regzbot introduced: ad91a2dacbf8c26a446658cdd55e8324dfeff1e7 We hit this regression when updating our guest vm kernel from 6.6.69 to 6.6.70 -- bisecting, this problem was introduced in ad91a2dacbf8c26a446658cdd55e8324dfeff1e7 -- net: restrict SO_REUSEPORT to inet sockets We're getting a timeout when trying to connect to the vsocket in the guest VM when launching a kata containers 3.10.1 agent which unsurprisingly ... uses a vsocket to communicate back to the host. We updated this commit and added an additional sk_is_vsock check and recompiled and this works correctly for us. - if (valbool && !sk_is_inet(sk)) + if (valbool && !(sk_is_inet(sk) || sk_is_vsock(sk))) My understanding is limited here so I've added Stefano as he is likely to better understand what makes sense here. This commit was backported from v6.13 to v6.12.8..6.12.9. -Simon

3 months, 1 week

2
6
0 0

[PATCH 5.4.y] signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die

by Finn Thain

From: "Eric W. Biederman" <ebiederm(a)xmission.com> [ Upstream commit a3616a3c02722d1edb95acc7fceade242f6553ba ] In the fpsp040 code when copyin or copyout fails call force_sigsegv(SIGSEGV) instead of do_exit(SIGSEGV). This solves a couple of problems. Because do_exit embeds the ptrace stop PTRACE_EVENT_EXIT a complete stack frame needs to be present for that to work correctly. There is always the information needed for a ptrace stop where get_signal is called. So exiting with a signal solves the ptrace issue. Further exiting with a signal ensures that all of the threads in a process are killed not just the thread that malfunctioned. Which avoids confusing userspace. To make force_sigsegv(SIGSEGV) work in fpsp040_die modify the code to save all of the registers and jump to ret_from_exception (which ultimately calls get_signal) after fpsp040_die returns. v2: Updated the branches to use gas's pseudo ops that automatically calculate the best branch instruction to use for the purpose. v1: https://lkml.kernel.org/r/87a6m8kgtx.fsf_-_@disp2133 Link: https://lkml.kernel.org/r/87tukghjfs.fsf_-_@disp2133 Acked-by: Geert Uytterhoeven <geert(a)linux-m68k.org> Signed-off-by: "Eric W. Biederman" <ebiederm(a)xmission.com> Signed-off-by: Finn Thain <fthain(a)linux-m68k.org> --- arch/m68k/fpsp040/skeleton.S | 3 ++- arch/m68k/kernel/traps.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/m68k/fpsp040/skeleton.S b/arch/m68k/fpsp040/skeleton.S index 31a9c634c81e..081922c72daa 100644 --- a/arch/m68k/fpsp040/skeleton.S +++ b/arch/m68k/fpsp040/skeleton.S @@ -502,7 +502,8 @@ in_ea: .section .fixup,"ax" .even 1: - jbra fpsp040_die + jbsr fpsp040_die + jbra .Lnotkern .section __ex_table,"a" .align 4 diff --git a/arch/m68k/kernel/traps.c b/arch/m68k/kernel/traps.c index 35f706d836c5..c6f18dc5884b 100644 --- a/arch/m68k/kernel/traps.c +++ b/arch/m68k/kernel/traps.c @@ -1155,7 +1155,7 @@ asmlinkage void set_esp0(unsigned long ssp) */ asmlinkage void fpsp040_die(void) { - do_exit(SIGSEGV); + force_sigsegv(SIGSEGV); } #ifdef CONFIG_M68KFPU_EMU

3 months, 1 week

2
1
0 0

[PATCH 5.4.y] m68k: Add missing mmap_read_lock() to sys_cacheflush()

by Finn Thain

From: Liam Howlett <liam.howlett(a)oracle.com> [ Upstream commit f829b4b212a315b912cb23fd10aaf30534bb5ce9 ] When the superuser flushes the entire cache, the mmap_read_lock() is not taken, but mmap_read_unlock() is called. Add the missing mmap_read_lock() call. Fixes: cd2567b6850b1648 ("m68k: call find_vma with the mmap_sem held in sys_cacheflush()") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Reviewed-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Link: https://lore.kernel.org/r/20210407200032.764445-1-Liam.Howlett@Oracle.com Signed-off-by: Geert Uytterhoeven <geert(a)linux-m68k.org> [ mmap_read_lock() open-coded using down_read() as was done prior to v5.8 ] Signed-off-by: Finn Thain <fthain(a)linux-m68k.org> --- arch/m68k/kernel/sys_m68k.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/m68k/kernel/sys_m68k.c b/arch/m68k/kernel/sys_m68k.c index 6363ec83a290..38dcc1a2097d 100644 --- a/arch/m68k/kernel/sys_m68k.c +++ b/arch/m68k/kernel/sys_m68k.c @@ -388,6 +388,8 @@ sys_cacheflush (unsigned long addr, int scope, int cache, unsigned long len) ret = -EPERM; if (!capable(CAP_SYS_ADMIN)) goto out; + + down_read(&current->mm->mmap_sem); } else { struct vm_area_struct *vma;

3 months, 1 week

2
1
0 0

Re: [PATCH] KVM: x86: switch hugepage recovery thread to vhost_task

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Found matching upstream commit: d96c77bd4eeba469bddbbb14323d2191684da82a WARNING: Author mismatch between patch and found commit: Backport author: Keith Busch<kbusch(a)kernel.org> Commit author: Paolo Bonzini<pbonzini(a)redhat.com> Status in newer kernel trees: 6.12.y | Present (different SHA1: 91248a2e4101) Note: The patch differs from the upstream commit: --- 1: d96c77bd4eeba < -: ------------- KVM: x86: switch hugepage recovery thread to vhost_task -: ------------- > 1: d7ca669c0cbba KVM: x86: switch hugepage recovery thread to vhost_task --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.12.y | Success | Success | | stable/linux-6.6.y | Failed | N/A | | stable/linux-6.1.y | Failed | N/A | | stable/linux-5.15.y | Failed | N/A | | stable/linux-5.10.y | Failed | N/A | | stable/linux-5.4.y | Failed | N/A |

3 months, 1 week

1
0
0 0

Re: [PATCH] KVM: x86: switch hugepage recovery thread to vhost_task

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Found matching upstream commit: d96c77bd4eeba469bddbbb14323d2191684da82a WARNING: Author mismatch between patch and found commit: Backport author: Keith Busch<kbusch(a)kernel.org> Commit author: Paolo Bonzini<pbonzini(a)redhat.com> Status in newer kernel trees: 6.12.y | Present (different SHA1: 91248a2e4101) Note: The patch differs from the upstream commit: --- 1: d96c77bd4eeba < -: ------------- KVM: x86: switch hugepage recovery thread to vhost_task -: ------------- > 1: e24606748e041 KVM: x86: switch hugepage recovery thread to vhost_task --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.12.y | Success | Success | | stable/linux-6.6.y | Failed | N/A | | stable/linux-6.1.y | Failed | N/A | | stable/linux-5.15.y | Failed | N/A | | stable/linux-5.10.y | Failed | N/A | | stable/linux-5.4.y | Failed | N/A |

3 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mptcp: don't always assume copied data in" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 551844f26da2a9f76c0a698baaffa631d1178645 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025010605-obscurity-buckshot-fc5f@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 551844f26da2a9f76c0a698baaffa631d1178645 Mon Sep 17 00:00:00 2001 From: Paolo Abeni <pabeni(a)redhat.com> Date: Mon, 30 Dec 2024 19:12:31 +0100 Subject: [PATCH] mptcp: don't always assume copied data in mptcp_cleanup_rbuf() Under some corner cases the MPTCP protocol can end-up invoking mptcp_cleanup_rbuf() when no data has been copied, but such helper assumes the opposite condition. Explicitly drop such assumption and performs the costly call only when strictly needed - before releasing the msk socket lock. Fixes: fd8976790a6c ("mptcp: be careful on MPTCP-level ack.") Cc: stable(a)vger.kernel.org Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20241230-net-mptcp-rbuf-fixes-v1-2-8608af434ceb@ke… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 27afdb7e2071..5307fff9d995 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -528,13 +528,13 @@ static void mptcp_send_ack(struct mptcp_sock *msk) mptcp_subflow_send_ack(mptcp_subflow_tcp_sock(subflow)); } -static void mptcp_subflow_cleanup_rbuf(struct sock *ssk) +static void mptcp_subflow_cleanup_rbuf(struct sock *ssk, int copied) { bool slow; slow = lock_sock_fast(ssk); if (tcp_can_send_ack(ssk)) - tcp_cleanup_rbuf(ssk, 1); + tcp_cleanup_rbuf(ssk, copied); unlock_sock_fast(ssk, slow); } @@ -551,7 +551,7 @@ static bool mptcp_subflow_could_cleanup(const struct sock *ssk, bool rx_empty) (ICSK_ACK_PUSHED2 | ICSK_ACK_PUSHED))); } -static void mptcp_cleanup_rbuf(struct mptcp_sock *msk) +static void mptcp_cleanup_rbuf(struct mptcp_sock *msk, int copied) { int old_space = READ_ONCE(msk->old_wspace); struct mptcp_subflow_context *subflow; @@ -559,14 +559,14 @@ static void mptcp_cleanup_rbuf(struct mptcp_sock *msk) int space = __mptcp_space(sk); bool cleanup, rx_empty; - cleanup = (space > 0) && (space >= (old_space << 1)); - rx_empty = !__mptcp_rmem(sk); + cleanup = (space > 0) && (space >= (old_space << 1)) && copied; + rx_empty = !__mptcp_rmem(sk) && copied; mptcp_for_each_subflow(msk, subflow) { struct sock *ssk = mptcp_subflow_tcp_sock(subflow); if (cleanup || mptcp_subflow_could_cleanup(ssk, rx_empty)) - mptcp_subflow_cleanup_rbuf(ssk); + mptcp_subflow_cleanup_rbuf(ssk, copied); } } @@ -2220,9 +2220,6 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, copied += bytes_read; - /* be sure to advertise window change */ - mptcp_cleanup_rbuf(msk); - if (skb_queue_empty(&msk->receive_queue) && __mptcp_move_skbs(msk)) continue; @@ -2271,6 +2268,7 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, } pr_debug("block timeout %ld\n", timeo); + mptcp_cleanup_rbuf(msk, copied); err = sk_wait_data(sk, &timeo, NULL); if (err < 0) { err = copied ? : err; @@ -2278,6 +2276,8 @@ static int mptcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, } } + mptcp_cleanup_rbuf(msk, copied); + out_err: if (cmsg_flags && copied >= 0) { if (cmsg_flags & MPTCP_CMSG_TS)

3 months, 1 week

3
2
0 0

[PATCH 6.1.y] ipv6: Fix soft lockups in fib6_select_path under high next hop churn

by Rajani kantha

From: Omid Ehtemam-Haghighi <omid.ehtemamhaghighi(a)menlosecurity.com> [ Upstream commit d9ccb18f83ea2bb654289b6ecf014fd267cc988b ] Soft lockups have been observed on a cluster of Linux-based edge routers located in a highly dynamic environment. Using the `bird` service, these routers continuously update BGP-advertised routes due to frequently changing nexthop destinations, while also managing significant IPv6 traffic. The lockups occur during the traversal of the multipath circular linked-list in the `fib6_select_path` function, particularly while iterating through the siblings in the list. The issue typically arises when the nodes of the linked list are unexpectedly deleted concurrently on a different core—indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer. Apply RCU primitives in the problematic code sections to resolve the issue. Where necessary, update the references to fib6_siblings to annotate or use the RCU APIs. Include a test script that reproduces the issue. The script periodically updates the routing table while generating a heavy load of outgoing IPv6 traffic through multiple iperf3 clients. It consistently induces infinite soft lockups within a couple of minutes. Kernel log: 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d -- <IRQ stack> -- 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb [exception RIP: fib6_select_path+299] RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287 RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000 RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618 RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200 R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830 R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c 10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c 11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5 12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47 13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0 14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274 15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474 16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615 17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec 18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3 19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9 20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice] 21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice] 22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice] 23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000 24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581 25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9 26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47 27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30 28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f 29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64 30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb Fixes: 66f5d6ce53e6 ("ipv6: replace rwlock with rcu and spinlock in fib6_table") Reported-by: Adrian Oliver <kernel(a)aoliver.ca> Signed-off-by: Omid Ehtemam-Haghighi <omid.ehtemamhaghighi(a)menlosecurity.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Ido Schimmel <idosch(a)idosch.org> Cc: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: Simon Horman <horms(a)kernel.org> Reviewed-by: David Ahern <dsahern(a)kernel.org> Link: https://patch.msgid.link/20241106010236.1239299-1-omid.ehtemamhaghighi@menl… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Rajani Kantha <rajanikantha(a)engineer.com> --- net/ipv6/ip6_fib.c | 8 +- net/ipv6/route.c | 45 ++- tools/testing/selftests/net/Makefile | 1 + .../net/ipv6_route_update_soft_lockup.sh | 262 ++++++++++++++++++ 4 files changed, 297 insertions(+), 19 deletions(-) create mode 100755 tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 0b45ef8b7ee2..b6a7cbd6bee0 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1180,8 +1180,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, while (sibling) { if (sibling->fib6_metric == rt->fib6_metric && rt6_qualify_for_ecmp(sibling)) { - list_add_tail(&rt->fib6_siblings, - &sibling->fib6_siblings); + list_add_tail_rcu(&rt->fib6_siblings, + &sibling->fib6_siblings); break; } sibling = rcu_dereference_protected(sibling->fib6_next, @@ -1242,7 +1242,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_siblings) sibling->fib6_nsiblings--; rt->fib6_nsiblings = 0; - list_del_init(&rt->fib6_siblings); + list_del_rcu(&rt->fib6_siblings); rt6_multipath_rebalance(next_sibling); return err; } @@ -1955,7 +1955,7 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn, &rt->fib6_siblings, fib6_siblings) sibling->fib6_nsiblings--; rt->fib6_nsiblings = 0; - list_del_init(&rt->fib6_siblings); + list_del_rcu(&rt->fib6_siblings); rt6_multipath_rebalance(next_sibling); } diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 5ae3ff6ffb7e..f3268bac9f19 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -420,8 +420,8 @@ void fib6_select_path(const struct net *net, struct fib6_result *res, struct flowi6 *fl6, int oif, bool have_oif_match, const struct sk_buff *skb, int strict) { - struct fib6_info *sibling, *next_sibling; struct fib6_info *match = res->f6i; + struct fib6_info *sibling; if (!match->nh && (!match->fib6_nsiblings || have_oif_match)) goto out; @@ -447,8 +447,8 @@ void fib6_select_path(const struct net *net, struct fib6_result *res, if (fl6->mp_hash <= atomic_read(&match->fib6_nh->fib_nh_upper_bound)) goto out; - list_for_each_entry_safe(sibling, next_sibling, &match->fib6_siblings, - fib6_siblings) { + list_for_each_entry_rcu(sibling, &match->fib6_siblings, + fib6_siblings) { const struct fib6_nh *nh = sibling->fib6_nh; int nh_upper_bound; @@ -5189,14 +5189,18 @@ static void ip6_route_mpath_notify(struct fib6_info *rt, * nexthop. Since sibling routes are always added at the end of * the list, find the first sibling of the last route appended */ + rcu_read_lock(); + if ((nlflags & NLM_F_APPEND) && rt_last && rt_last->fib6_nsiblings) { - rt = list_first_entry(&rt_last->fib6_siblings, - struct fib6_info, - fib6_siblings); + rt = list_first_or_null_rcu(&rt_last->fib6_siblings, + struct fib6_info, + fib6_siblings); } if (rt) inet6_rt_notify(RTM_NEWROUTE, rt, info, nlflags); + + rcu_read_unlock(); } static bool ip6_route_mpath_should_notify(const struct fib6_info *rt) @@ -5541,17 +5545,21 @@ static size_t rt6_nlmsg_size(struct fib6_info *f6i) nexthop_for_each_fib6_nh(f6i->nh, rt6_nh_nlmsg_size, &nexthop_len); } else { - struct fib6_info *sibling, *next_sibling; struct fib6_nh *nh = f6i->fib6_nh; + struct fib6_info *sibling; nexthop_len = 0; if (f6i->fib6_nsiblings) { rt6_nh_nlmsg_size(nh, &nexthop_len); - list_for_each_entry_safe(sibling, next_sibling, - &f6i->fib6_siblings, fib6_siblings) { + rcu_read_lock(); + + list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, + fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } + + rcu_read_unlock(); } nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws); } @@ -5715,7 +5723,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb, lwtunnel_fill_encap(skb, dst->lwtstate, RTA_ENCAP, RTA_ENCAP_TYPE) < 0) goto nla_put_failure; } else if (rt->fib6_nsiblings) { - struct fib6_info *sibling, *next_sibling; + struct fib6_info *sibling; struct nlattr *mp; mp = nla_nest_start_noflag(skb, RTA_MULTIPATH); @@ -5727,14 +5735,21 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb, 0) < 0) goto nla_put_failure; - list_for_each_entry_safe(sibling, next_sibling, - &rt->fib6_siblings, fib6_siblings) { + rcu_read_lock(); + + list_for_each_entry_rcu(sibling, &rt->fib6_siblings, + fib6_siblings) { if (fib_add_nexthop(skb, &sibling->fib6_nh->nh_common, sibling->fib6_nh->fib_nh_weight, - AF_INET6, 0) < 0) + AF_INET6, 0) < 0) { + rcu_read_unlock(); + goto nla_put_failure; + } } + rcu_read_unlock(); + nla_nest_end(skb, mp); } else if (rt->nh) { if (nla_put_u32(skb, RTA_NH_ID, rt->nh->id)) @@ -6171,7 +6186,7 @@ void inet6_rt_notify(int event, struct fib6_info *rt, struct nl_info *info, err = -ENOBUFS; seq = info->nlh ? info->nlh->nlmsg_seq : 0; - skb = nlmsg_new(rt6_nlmsg_size(rt), gfp_any()); + skb = nlmsg_new(rt6_nlmsg_size(rt), GFP_ATOMIC); if (!skb) goto errout; @@ -6184,7 +6199,7 @@ void inet6_rt_notify(int event, struct fib6_info *rt, struct nl_info *info, goto errout; } rtnl_notify(skb, net, info->portid, RTNLGRP_IPV6_ROUTE, - info->nlh, gfp_any()); + info->nlh, GFP_ATOMIC); return; errout: if (err < 0) diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index 48d1a68be1d5..080860a8826b 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -72,6 +72,7 @@ TEST_GEN_PROGS += sk_bind_sendto_listen TEST_GEN_PROGS += sk_connect_zero_addr TEST_PROGS += test_ingress_egress_chaining.sh TEST_GEN_FILES += nat6to4.o +TEST_PROGS += ipv6_route_update_soft_lockup.sh TEST_FILES := settings diff --git a/tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh b/tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh new file mode 100755 index 000000000000..a6b2b1f9c641 --- /dev/null +++ b/tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh @@ -0,0 +1,262 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# Testing for potential kernel soft lockup during IPv6 routing table +# refresh under heavy outgoing IPv6 traffic. If a kernel soft lockup +# occurs, a kernel panic will be triggered to prevent associated issues. +# +# +# Test Environment Layout +# +# ┌----------------┐ ┌----------------┐ +# | SOURCE_NS | | SINK_NS | +# | NAMESPACE | | NAMESPACE | +# |(iperf3 clients)| |(iperf3 servers)| +# | | | | +# | | | | +# | ┌-----------| nexthops |---------┐ | +# | |veth_source|<--------------------------------------->|veth_sink|<┐ | +# | └-----------|2001:0DB8:1::0:1/96 2001:0DB8:1::1:1/96 |---------┘ | | +# | | ^ 2001:0DB8:1::1:2/96 | | | +# | | . . | fwd | | +# | ┌---------┐ | . . | | | +# | | IPv6 | | . . | V | +# | | routing | | . 2001:0DB8:1::1:80/96| ┌-----┐ | +# | | table | | . | | lo | | +# | | nexthop | | . └--------┴-----┴-┘ +# | | update | | ............................> 2001:0DB8:2::1:1/128 +# | └-------- ┘ | +# └----------------┘ +# +# The test script sets up two network namespaces, source_ns and sink_ns, +# connected via a veth link. Within source_ns, it continuously updates the +# IPv6 routing table by flushing and inserting IPV6_NEXTHOP_ADDR_COUNT nexthop +# IPs destined for SINK_LOOPBACK_IP_ADDR in sink_ns. This refresh occurs at a +# rate of 1/ROUTING_TABLE_REFRESH_PERIOD per second for TEST_DURATION seconds. +# +# Simultaneously, multiple iperf3 clients within source_ns generate heavy +# outgoing IPv6 traffic. Each client is assigned a unique port number starting +# at 5000 and incrementing sequentially. Each client targets a unique iperf3 +# server running in sink_ns, connected to the SINK_LOOPBACK_IFACE interface +# using the same port number. +# +# The number of iperf3 servers and clients is set to half of the total +# available cores on each machine. +# +# NOTE: We have tested this script on machines with various CPU specifications, +# ranging from lower to higher performance as listed below. The test script +# effectively triggered a kernel soft lockup on machines running an unpatched +# kernel in under a minute: +# +# - 1x Intel Xeon E-2278G 8-Core Processor @ 3.40GHz +# - 1x Intel Xeon E-2378G Processor 8-Core @ 2.80GHz +# - 1x AMD EPYC 7401P 24-Core Processor @ 2.00GHz +# - 1x AMD EPYC 7402P 24-Core Processor @ 2.80GHz +# - 2x Intel Xeon Gold 5120 14-Core Processor @ 2.20GHz +# - 1x Ampere Altra Q80-30 80-Core Processor @ 3.00GHz +# - 2x Intel Xeon Gold 5120 14-Core Processor @ 2.20GHz +# - 2x Intel Xeon Silver 4214 24-Core Processor @ 2.20GHz +# - 1x AMD EPYC 7502P 32-Core @ 2.50GHz +# - 1x Intel Xeon Gold 6314U 32-Core Processor @ 2.30GHz +# - 2x Intel Xeon Gold 6338 32-Core Processor @ 2.00GHz +# +# On less performant machines, you may need to increase the TEST_DURATION +# parameter to enhance the likelihood of encountering a race condition leading +# to a kernel soft lockup and avoid a false negative result. +# +# NOTE: The test may not produce the expected result in virtualized +# environments (e.g., qemu) due to differences in timing and CPU handling, +# which can affect the conditions needed to trigger a soft lockup. + +source lib.sh +source net_helper.sh + +TEST_DURATION=300 +ROUTING_TABLE_REFRESH_PERIOD=0.01 + +IPERF3_BITRATE="300m" + + +IPV6_NEXTHOP_ADDR_COUNT="128" +IPV6_NEXTHOP_ADDR_MASK="96" +IPV6_NEXTHOP_PREFIX="2001:0DB8:1" + + +SOURCE_TEST_IFACE="veth_source" +SOURCE_TEST_IP_ADDR="2001:0DB8:1::0:1/96" + +SINK_TEST_IFACE="veth_sink" +# ${SINK_TEST_IFACE} is populated with the following range of IPv6 addresses: +# 2001:0DB8:1::1:1 to 2001:0DB8:1::1:${IPV6_NEXTHOP_ADDR_COUNT} +SINK_LOOPBACK_IFACE="lo" +SINK_LOOPBACK_IP_MASK="128" +SINK_LOOPBACK_IP_ADDR="2001:0DB8:2::1:1" + +nexthop_ip_list="" +termination_signal="" +kernel_softlokup_panic_prev_val="" + +terminate_ns_processes_by_pattern() { + local ns=$1 + local pattern=$2 + + for pid in $(ip netns pids ${ns}); do + [ -e /proc/$pid/cmdline ] && grep -qe "${pattern}" /proc/$pid/cmdline && kill -9 $pid + done +} + +cleanup() { + echo "info: cleaning up namespaces and terminating all processes within them..." + + + # Terminate iperf3 instances running in the source_ns. To avoid race + # conditions, first iterate over the PIDs and terminate those + # associated with the bash shells running the + # `while true; do iperf3 -c ...; done` loops. In a second iteration, + # terminate the individual `iperf3 -c ...` instances. + terminate_ns_processes_by_pattern ${source_ns} while + terminate_ns_processes_by_pattern ${source_ns} iperf3 + + # Repeat the same process for sink_ns + terminate_ns_processes_by_pattern ${sink_ns} while + terminate_ns_processes_by_pattern ${sink_ns} iperf3 + + # Check if any iperf3 instances are still running. This could happen + # if a core has entered an infinite loop and the timeout for detecting + # the soft lockup has not expired, but either the test interval has + # already elapsed or the test was terminated manually (e.g., with ^C) + for pid in $(ip netns pids ${source_ns}); do + if [ -e /proc/$pid/cmdline ] && grep -qe 'iperf3' /proc/$pid/cmdline; then + echo "FAIL: unable to terminate some iperf3 instances. Soft lockup is underway. A kernel panic is on the way!" + exit ${ksft_fail} + fi + done + + if [ "$termination_signal" == "SIGINT" ]; then + echo "SKIP: Termination due to ^C (SIGINT)" + elif [ "$termination_signal" == "SIGALRM" ]; then + echo "PASS: No kernel soft lockup occurred during this ${TEST_DURATION} second test" + fi + + cleanup_ns ${source_ns} ${sink_ns} + + sysctl -qw kernel.softlockup_panic=${kernel_softlokup_panic_prev_val} +} + +setup_prepare() { + setup_ns source_ns sink_ns + + ip -n ${source_ns} link add name ${SOURCE_TEST_IFACE} type veth peer name ${SINK_TEST_IFACE} netns ${sink_ns} + + # Setting up the Source namespace + ip -n ${source_ns} addr add ${SOURCE_TEST_IP_ADDR} dev ${SOURCE_TEST_IFACE} + ip -n ${source_ns} link set dev ${SOURCE_TEST_IFACE} qlen 10000 + ip -n ${source_ns} link set dev ${SOURCE_TEST_IFACE} up + ip netns exec ${source_ns} sysctl -qw net.ipv6.fib_multipath_hash_policy=1 + + # Setting up the Sink namespace + ip -n ${sink_ns} addr add ${SINK_LOOPBACK_IP_ADDR}/${SINK_LOOPBACK_IP_MASK} dev ${SINK_LOOPBACK_IFACE} + ip -n ${sink_ns} link set dev ${SINK_LOOPBACK_IFACE} up + ip netns exec ${sink_ns} sysctl -qw net.ipv6.conf.${SINK_LOOPBACK_IFACE}.forwarding=1 + + ip -n ${sink_ns} link set ${SINK_TEST_IFACE} up + ip netns exec ${sink_ns} sysctl -qw net.ipv6.conf.${SINK_TEST_IFACE}.forwarding=1 + + + # Populate nexthop IPv6 addresses on the test interface in the sink_ns + echo "info: populating ${IPV6_NEXTHOP_ADDR_COUNT} IPv6 addresses on the ${SINK_TEST_IFACE} interface ..." + for IP in $(seq 1 ${IPV6_NEXTHOP_ADDR_COUNT}); do + ip -n ${sink_ns} addr add ${IPV6_NEXTHOP_PREFIX}::$(printf "1:%x" "${IP}")/${IPV6_NEXTHOP_ADDR_MASK} dev ${SINK_TEST_IFACE}; + done + + # Preparing list of nexthops + for IP in $(seq 1 ${IPV6_NEXTHOP_ADDR_COUNT}); do + nexthop_ip_list=$nexthop_ip_list" nexthop via ${IPV6_NEXTHOP_PREFIX}::$(printf "1:%x" $IP) dev ${SOURCE_TEST_IFACE} weight 1" + done +} + + +test_soft_lockup_during_routing_table_refresh() { + # Start num_of_iperf_servers iperf3 servers in the sink_ns namespace, + # each listening on ports starting at 5001 and incrementing + # sequentially. Since iperf3 instances may terminate unexpectedly, a + # while loop is used to automatically restart them in such cases. + echo "info: starting ${num_of_iperf_servers} iperf3 servers in the sink_ns namespace ..." + for i in $(seq 1 ${num_of_iperf_servers}); do + cmd="iperf3 --bind ${SINK_LOOPBACK_IP_ADDR} -s -p $(printf '5%03d' ${i}) --rcv-timeout 200 &>/dev/null" + ip netns exec ${sink_ns} bash -c "while true; do ${cmd}; done &" &>/dev/null + done + + # Wait for the iperf3 servers to be ready + for i in $(seq ${num_of_iperf_servers}); do + port=$(printf '5%03d' ${i}); + wait_local_port_listen ${sink_ns} ${port} tcp + done + + # Continuously refresh the routing table in the background within + # the source_ns namespace + ip netns exec ${source_ns} bash -c " + while \$(ip netns list | grep -q ${source_ns}); do + ip -6 route add ${SINK_LOOPBACK_IP_ADDR}/${SINK_LOOPBACK_IP_MASK} ${nexthop_ip_list}; + sleep ${ROUTING_TABLE_REFRESH_PERIOD}; + ip -6 route delete ${SINK_LOOPBACK_IP_ADDR}/${SINK_LOOPBACK_IP_MASK}; + done &" + + # Start num_of_iperf_servers iperf3 clients in the source_ns namespace, + # each sending TCP traffic on sequential ports starting at 5001. + # Since iperf3 instances may terminate unexpectedly (e.g., if the route + # to the server is deleted in the background during a route refresh), a + # while loop is used to automatically restart them in such cases. + echo "info: starting ${num_of_iperf_servers} iperf3 clients in the source_ns namespace ..." + for i in $(seq 1 ${num_of_iperf_servers}); do + cmd="iperf3 -c ${SINK_LOOPBACK_IP_ADDR} -p $(printf '5%03d' ${i}) --length 64 --bitrate ${IPERF3_BITRATE} -t 0 --connect-timeout 150 &>/dev/null" + ip netns exec ${source_ns} bash -c "while true; do ${cmd}; done &" &>/dev/null + done + + echo "info: IPv6 routing table is being updated at the rate of $(echo "1/${ROUTING_TABLE_REFRESH_PERIOD}" | bc)/s for ${TEST_DURATION} seconds ..." + echo "info: A kernel soft lockup, if detected, results in a kernel panic!" + + wait +} + +# Make sure 'iperf3' is installed, skip the test otherwise +if [ ! -x "$(command -v "iperf3")" ]; then + echo "SKIP: 'iperf3' is not installed. Skipping the test." + exit ${ksft_skip} +fi + +# Determine the number of cores on the machine +num_of_iperf_servers=$(( $(nproc)/2 )) + +# Check if we are running on a multi-core machine, skip the test otherwise +if [ "${num_of_iperf_servers}" -eq 0 ]; then + echo "SKIP: This test is not valid on a single core machine!" + exit ${ksft_skip} +fi + +# Since the kernel soft lockup we're testing causes at least one core to enter +# an infinite loop, destabilizing the host and likely affecting subsequent +# tests, we trigger a kernel panic instead of reporting a failure and +# continuing +kernel_softlokup_panic_prev_val=$(sysctl -n kernel.softlockup_panic) +sysctl -qw kernel.softlockup_panic=1 + +handle_sigint() { + termination_signal="SIGINT" + cleanup + exit ${ksft_skip} +} + +handle_sigalrm() { + termination_signal="SIGALRM" + cleanup + exit ${ksft_pass} +} + +trap handle_sigint SIGINT +trap handle_sigalrm SIGALRM + +(sleep ${TEST_DURATION} && kill -s SIGALRM $$)& + +setup_prepare +test_soft_lockup_during_routing_table_refresh -- 2.35.3

3 months, 1 week

2
1
0 0

[PATCH 6.6.y] RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop

by alvalan9＠foxmail.com

From: Selvin Xavier <selvin.xavier(a)broadcom.com> [ Upstream commit 8be3e5b0c96beeefe9d5486b96575d104d3e7d17 ] Driver waits indefinitely for the fifo occupancy to go below a threshold as soon as the pacing interrupt is received. This can cause soft lockup on one of the processors, if the rate of DB is very high. Add a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th if the loop is taking more time. Pacing will be continuing until the occupancy is below the threshold. This is ensured by the checks in bnxt_re_pacing_timer_exp and further scheduling the work for pacing based on the fifo occupancy. Fixes: 2ad4e6303a6d ("RDMA/bnxt_re: Implement doorbell pacing algorithm") Link: https://patch.msgid.link/r/1728373302-19530-7-git-send-email-selvin.xavier@… Reviewed-by: Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> Reviewed-by: Chandramohan Akula <chandramohan.akula(a)broadcom.com> Signed-off-by: Selvin Xavier <selvin.xavier(a)broadcom.com> Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> [ Add the declaration of variable pacing_data to make it work on 6.6.y ] Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- drivers/infiniband/hw/bnxt_re/main.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c index c7e51cc2ea26..082a383c4913 100644 --- a/drivers/infiniband/hw/bnxt_re/main.c +++ b/drivers/infiniband/hw/bnxt_re/main.c @@ -485,6 +485,8 @@ static void bnxt_re_set_default_pacing_data(struct bnxt_re_dev *rdev) static void __wait_for_fifo_occupancy_below_th(struct bnxt_re_dev *rdev) { u32 read_val, fifo_occup; + struct bnxt_qplib_db_pacing_data *pacing_data = rdev->qplib_res.pacing_data; + u32 retry_fifo_check = 1000; /* loop shouldn't run infintely as the occupancy usually goes * below pacing algo threshold as soon as pacing kicks in. @@ -500,6 +502,14 @@ static void __wait_for_fifo_occupancy_below_th(struct bnxt_re_dev *rdev) if (fifo_occup < rdev->qplib_res.pacing_data->pacing_th) break; + if (!retry_fifo_check--) { + dev_info_once(rdev_to_dev(rdev), + "%s: fifo_occup = 0x%xfifo_max_depth = 0x%x pacing_th = 0x%x\n", + __func__, fifo_occup, pacing_data->fifo_max_depth, + pacing_data->pacing_th); + break; + } + } } -- 2.43.0

3 months, 1 week

2
1
0 0

[PATCH 5.10.y] m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal

by Finn Thain

From: Al Viro <viro(a)zeniv.linux.org.uk> [ Upstream commit 50e43a57334400668952f8e551c9d87d3ed2dfef ] We get there when sigreturn has performed obscene acts on kernel stack; in particular, the location of pt_regs has shifted. We are about to call syscall_trace(), which might stop for tracer. If that happens, we'd better have task_pt_regs() returning correct result... Fucked-up-by: Al Viro <viro(a)zeniv.linux.org.uk> Fixes: bd6f56a75bb2 ("m68k: Missing syscall_trace() on sigreturn") Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Tested-by: Michael Schmitz <schmitzmic(a)gmail.com> Reviewed-by: Michael Schmitz <schmitzmic(a)gmail.com> Tested-by: Finn Thain <fthain(a)linux-m68k.org> Link: https://lore.kernel.org/r/YP2dMWeV1LkHiOpr@zeniv-ca.linux.org.uk Signed-off-by: Geert Uytterhoeven <geert(a)linux-m68k.org> Signed-off-by: Finn Thain <fthain(a)linux-m68k.org> --- arch/m68k/kernel/entry.S | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S index 417d8f0e8962..0d03b4f2077b 100644 --- a/arch/m68k/kernel/entry.S +++ b/arch/m68k/kernel/entry.S @@ -182,6 +182,8 @@ ENTRY(ret_from_signal) movel %curptr@(TASK_STACK),%a1 tstb %a1@(TINFO_FLAGS+2) jge 1f + lea %sp@(SWITCH_STACK_SIZE),%a1 + movel %a1,%curptr@(TASK_THREAD+THREAD_ESP0) jbsr syscall_trace 1: RESTORE_SWITCH_STACK addql #4,%sp

3 months, 1 week

2
1
0 0

Re: [PATCH] KVM: x86: switch hugepage recovery thread to vhost_task

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Found matching upstream commit: d96c77bd4eeba469bddbbb14323d2191684da82a WARNING: Author mismatch between patch and found commit: Backport author: Sean Christopherson<seanjc(a)google.com> Commit author: Paolo Bonzini<pbonzini(a)redhat.com> Status in newer kernel trees: 6.12.y | Present (different SHA1: 91248a2e4101) Note: The patch differs from the upstream commit: --- Failed to apply patch cleanly, falling back to interdiff... --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.12.y | Failed | N/A | | stable/linux-6.6.y | Failed | N/A | | stable/linux-6.1.y | Failed | N/A | | stable/linux-5.15.y | Failed | N/A | | stable/linux-5.10.y | Failed | N/A | | stable/linux-5.4.y | Failed | N/A |

3 months, 1 week

1
0
0 0

[PATCH 5.10] serial: imx: Introduce timeout when waiting on transmitter empty

by Denis Arefev

From: Esben Haabendal <esben(a)geanix.com> commit e533e4c62e9993e62e947ae9bbec34e4c7ae81c2 upstream. By waiting at most 1 second for USR2_TXDC to be set, we avoid a potential deadlock. In case of the timeout, there is not much we can do, so we simply ignore the transmitter state and optimistically try to continue. Signed-off-by: Esben Haabendal <esben(a)geanix.com> Acked-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Link: https://lore.kernel.org/r/919647898c337a46604edcabaf13d42d80c0915d.17128376… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [Denis: minor fix to resolve merge conflict.] Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- Backport fix for CVE-2024-40967 Link: https://nvd.nist.gov/vuln/detail/CVE-2024-40967 --- drivers/tty/serial/imx.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c index 6e49928bb864..5abf6685fe3c 100644 --- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -27,6 +27,7 @@ #include <linux/of.h> #include <linux/of_device.h> #include <linux/io.h> +#include <linux/iopoll.h> #include <linux/dma-mapping.h> #include <asm/irq.h> @@ -2006,8 +2007,8 @@ imx_uart_console_write(struct console *co, const char *s, unsigned int count) { struct imx_port *sport = imx_uart_ports[co->index]; struct imx_port_ucrs old_ucr; - unsigned int ucr1; - unsigned long flags = 0; + unsigned long flags; + unsigned int ucr1, usr2; int locked = 1; if (sport->port.sysrq) @@ -2038,8 +2039,8 @@ imx_uart_console_write(struct console *co, const char *s, unsigned int count) * Finally, wait for transmitter to become empty * and restore UCR1/2/3 */ - while (!(imx_uart_readl(sport, USR2) & USR2_TXDC)); - + read_poll_timeout_atomic(imx_uart_readl, usr2, usr2 & USR2_TXDC, + 0, USEC_PER_SEC, false, sport, USR2); imx_uart_ucrs_restore(sport, &old_ucr); if (locked) -- 2.43.0

3 months, 1 week

2
1
0 0

Re: [PATCH] KVM: x86: switch hugepage recovery thread to vhost_task

by Sasha Levin

[ Sasha's backport helper bot ] Hi, Found matching upstream commit: d96c77bd4eeba469bddbbb14323d2191684da82a Status in newer kernel trees: 6.12.y | Present (different SHA1: 91248a2e4101) Note: The patch differs from the upstream commit: --- Failed to apply patch cleanly, falling back to interdiff... --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.12.y | Failed | N/A | | stable/linux-6.6.y | Failed | N/A | | stable/linux-6.1.y | Failed | N/A | | stable/linux-5.15.y | Failed | N/A | | stable/linux-5.10.y | Failed | N/A | | stable/linux-5.4.y | Failed | N/A |

3 months, 1 week

1
0
0 0

[PATCH 6.6] ipv6: Fix soft lockups in fib6_select_path under high next hop churn

by Rajani kantha

From: Omid Ehtemam-Haghighi <omid.ehtemamhaghighi(a)menlosecurity.com> [ Upstream commit d9ccb18f83ea2bb654289b6ecf014fd267cc988b ] Soft lockups have been observed on a cluster of Linux-based edge routers located in a highly dynamic environment. Using the `bird` service, these routers continuously update BGP-advertised routes due to frequently changing nexthop destinations, while also managing significant IPv6 traffic. The lockups occur during the traversal of the multipath circular linked-list in the `fib6_select_path` function, particularly while iterating through the siblings in the list. The issue typically arises when the nodes of the linked list are unexpectedly deleted concurrently on a different core—indicated by their 'next' and 'previous' elements pointing back to the node itself and their reference count dropping to zero. This results in an infinite loop, leading to a soft lockup that triggers a system panic via the watchdog timer. Apply RCU primitives in the problematic code sections to resolve the issue. Where necessary, update the references to fib6_siblings to annotate or use the RCU APIs. Include a test script that reproduces the issue. The script periodically updates the routing table while generating a heavy load of outgoing IPv6 traffic through multiple iperf3 clients. It consistently induces infinite soft lockups within a couple of minutes. Kernel log: 0 [ffffbd13003e8d30] machine_kexec at ffffffff8ceaf3eb 1 [ffffbd13003e8d90] __crash_kexec at ffffffff8d0120e3 2 [ffffbd13003e8e58] panic at ffffffff8cef65d4 3 [ffffbd13003e8ed8] watchdog_timer_fn at ffffffff8d05cb03 4 [ffffbd13003e8f08] __hrtimer_run_queues at ffffffff8cfec62f 5 [ffffbd13003e8f70] hrtimer_interrupt at ffffffff8cfed756 6 [ffffbd13003e8fd0] __sysvec_apic_timer_interrupt at ffffffff8cea01af 7 [ffffbd13003e8ff0] sysvec_apic_timer_interrupt at ffffffff8df1b83d -- <IRQ stack> -- 8 [ffffbd13003d3708] asm_sysvec_apic_timer_interrupt at ffffffff8e000ecb [exception RIP: fib6_select_path+299] RIP: ffffffff8ddafe7b RSP: ffffbd13003d37b8 RFLAGS: 00000287 RAX: ffff975850b43600 RBX: ffff975850b40200 RCX: 0000000000000000 RDX: 000000003fffffff RSI: 0000000051d383e4 RDI: ffff975850b43618 RBP: ffffbd13003d3800 R8: 0000000000000000 R9: ffff975850b40200 R10: 0000000000000000 R11: 0000000000000000 R12: ffffbd13003d3830 R13: ffff975850b436a8 R14: ffff975850b43600 R15: 0000000000000007 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 9 [ffffbd13003d3808] ip6_pol_route at ffffffff8ddb030c 10 [ffffbd13003d3888] ip6_pol_route_input at ffffffff8ddb068c 11 [ffffbd13003d3898] fib6_rule_lookup at ffffffff8ddf02b5 12 [ffffbd13003d3928] ip6_route_input at ffffffff8ddb0f47 13 [ffffbd13003d3a18] ip6_rcv_finish_core.constprop.0 at ffffffff8dd950d0 14 [ffffbd13003d3a30] ip6_list_rcv_finish.constprop.0 at ffffffff8dd96274 15 [ffffbd13003d3a98] ip6_sublist_rcv at ffffffff8dd96474 16 [ffffbd13003d3af8] ipv6_list_rcv at ffffffff8dd96615 17 [ffffbd13003d3b60] __netif_receive_skb_list_core at ffffffff8dc16fec 18 [ffffbd13003d3be0] netif_receive_skb_list_internal at ffffffff8dc176b3 19 [ffffbd13003d3c50] napi_gro_receive at ffffffff8dc565b9 20 [ffffbd13003d3c80] ice_receive_skb at ffffffffc087e4f5 [ice] 21 [ffffbd13003d3c90] ice_clean_rx_irq at ffffffffc0881b80 [ice] 22 [ffffbd13003d3d20] ice_napi_poll at ffffffffc088232f [ice] 23 [ffffbd13003d3d80] __napi_poll at ffffffff8dc18000 24 [ffffbd13003d3db8] net_rx_action at ffffffff8dc18581 25 [ffffbd13003d3e40] __do_softirq at ffffffff8df352e9 26 [ffffbd13003d3eb0] run_ksoftirqd at ffffffff8ceffe47 27 [ffffbd13003d3ec0] smpboot_thread_fn at ffffffff8cf36a30 28 [ffffbd13003d3ee8] kthread at ffffffff8cf2b39f 29 [ffffbd13003d3f28] ret_from_fork at ffffffff8ce5fa64 30 [ffffbd13003d3f50] ret_from_fork_asm at ffffffff8ce03cbb Fixes: 66f5d6ce53e6 ("ipv6: replace rwlock with rcu and spinlock in fib6_table") Reported-by: Adrian Oliver <kernel(a)aoliver.ca> Signed-off-by: Omid Ehtemam-Haghighi <omid.ehtemamhaghighi(a)menlosecurity.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Ido Schimmel <idosch(a)idosch.org> Cc: Kuniyuki Iwashima <kuniyu(a)amazon.com> Cc: Simon Horman <horms(a)kernel.org> Reviewed-by: David Ahern <dsahern(a)kernel.org> Link: https://patch.msgid.link/20241106010236.1239299-1-omid.ehtemamhaghighi@menl… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Rajani Kantha <rajanikantha(a)engineer.com> --- net/ipv6/ip6_fib.c | 8 +- net/ipv6/route.c | 45 ++- tools/testing/selftests/net/Makefile | 1 + .../net/ipv6_route_update_soft_lockup.sh | 262 ++++++++++++++++++ 4 files changed, 297 insertions(+), 19 deletions(-) create mode 100755 tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index afa9073567dc..023ac39041a2 100644 --- a/net/ipv6/ip6_fib.c +++ b/net/ipv6/ip6_fib.c @@ -1179,8 +1179,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, while (sibling) { if (sibling->fib6_metric == rt->fib6_metric && rt6_qualify_for_ecmp(sibling)) { - list_add_tail(&rt->fib6_siblings, - &sibling->fib6_siblings); + list_add_tail_rcu(&rt->fib6_siblings, + &sibling->fib6_siblings); break; } sibling = rcu_dereference_protected(sibling->fib6_next, @@ -1241,7 +1241,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt, fib6_siblings) sibling->fib6_nsiblings--; rt->fib6_nsiblings = 0; - list_del_init(&rt->fib6_siblings); + list_del_rcu(&rt->fib6_siblings); rt6_multipath_rebalance(next_sibling); return err; } @@ -1954,7 +1954,7 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn, &rt->fib6_siblings, fib6_siblings) sibling->fib6_nsiblings--; rt->fib6_nsiblings = 0; - list_del_init(&rt->fib6_siblings); + list_del_rcu(&rt->fib6_siblings); rt6_multipath_rebalance(next_sibling); } diff --git a/net/ipv6/route.c b/net/ipv6/route.c index fc5c53462025..c5cee40a658b 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -418,8 +418,8 @@ void fib6_select_path(const struct net *net, struct fib6_result *res, struct flowi6 *fl6, int oif, bool have_oif_match, const struct sk_buff *skb, int strict) { - struct fib6_info *sibling, *next_sibling; struct fib6_info *match = res->f6i; + struct fib6_info *sibling; if (!match->nh && (!match->fib6_nsiblings || have_oif_match)) goto out; @@ -445,8 +445,8 @@ void fib6_select_path(const struct net *net, struct fib6_result *res, if (fl6->mp_hash <= atomic_read(&match->fib6_nh->fib_nh_upper_bound)) goto out; - list_for_each_entry_safe(sibling, next_sibling, &match->fib6_siblings, - fib6_siblings) { + list_for_each_entry_rcu(sibling, &match->fib6_siblings, + fib6_siblings) { const struct fib6_nh *nh = sibling->fib6_nh; int nh_upper_bound; @@ -5186,14 +5186,18 @@ static void ip6_route_mpath_notify(struct fib6_info *rt, * nexthop. Since sibling routes are always added at the end of * the list, find the first sibling of the last route appended */ + rcu_read_lock(); + if ((nlflags & NLM_F_APPEND) && rt_last && rt_last->fib6_nsiblings) { - rt = list_first_entry(&rt_last->fib6_siblings, - struct fib6_info, - fib6_siblings); + rt = list_first_or_null_rcu(&rt_last->fib6_siblings, + struct fib6_info, + fib6_siblings); } if (rt) inet6_rt_notify(RTM_NEWROUTE, rt, info, nlflags); + + rcu_read_unlock(); } static bool ip6_route_mpath_should_notify(const struct fib6_info *rt) @@ -5538,17 +5542,21 @@ static size_t rt6_nlmsg_size(struct fib6_info *f6i) nexthop_for_each_fib6_nh(f6i->nh, rt6_nh_nlmsg_size, &nexthop_len); } else { - struct fib6_info *sibling, *next_sibling; struct fib6_nh *nh = f6i->fib6_nh; + struct fib6_info *sibling; nexthop_len = 0; if (f6i->fib6_nsiblings) { rt6_nh_nlmsg_size(nh, &nexthop_len); - list_for_each_entry_safe(sibling, next_sibling, - &f6i->fib6_siblings, fib6_siblings) { + rcu_read_lock(); + + list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, + fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } + + rcu_read_unlock(); } nexthop_len += lwtunnel_get_encap_size(nh->fib_nh_lws); } @@ -5712,7 +5720,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb, lwtunnel_fill_encap(skb, dst->lwtstate, RTA_ENCAP, RTA_ENCAP_TYPE) < 0) goto nla_put_failure; } else if (rt->fib6_nsiblings) { - struct fib6_info *sibling, *next_sibling; + struct fib6_info *sibling; struct nlattr *mp; mp = nla_nest_start_noflag(skb, RTA_MULTIPATH); @@ -5724,14 +5732,21 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb, 0) < 0) goto nla_put_failure; - list_for_each_entry_safe(sibling, next_sibling, - &rt->fib6_siblings, fib6_siblings) { + rcu_read_lock(); + + list_for_each_entry_rcu(sibling, &rt->fib6_siblings, + fib6_siblings) { if (fib_add_nexthop(skb, &sibling->fib6_nh->nh_common, sibling->fib6_nh->fib_nh_weight, - AF_INET6, 0) < 0) + AF_INET6, 0) < 0) { + rcu_read_unlock(); + goto nla_put_failure; + } } + rcu_read_unlock(); + nla_nest_end(skb, mp); } else if (rt->nh) { if (nla_put_u32(skb, RTA_NH_ID, rt->nh->id)) @@ -6168,7 +6183,7 @@ void inet6_rt_notify(int event, struct fib6_info *rt, struct nl_info *info, err = -ENOBUFS; seq = info->nlh ? info->nlh->nlmsg_seq : 0; - skb = nlmsg_new(rt6_nlmsg_size(rt), gfp_any()); + skb = nlmsg_new(rt6_nlmsg_size(rt), GFP_ATOMIC); if (!skb) goto errout; @@ -6181,7 +6196,7 @@ void inet6_rt_notify(int event, struct fib6_info *rt, struct nl_info *info, goto errout; } rtnl_notify(skb, net, info->portid, RTNLGRP_IPV6_ROUTE, - info->nlh, gfp_any()); + info->nlh, GFP_ATOMIC); return; errout: if (err < 0) diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index 91a48efb140b..efaf0e0bc459 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -91,6 +91,7 @@ TEST_PROGS += test_vxlan_mdb.sh TEST_PROGS += test_bridge_neigh_suppress.sh TEST_PROGS += test_vxlan_nolocalbypass.sh TEST_PROGS += test_bridge_backup_port.sh +TEST_PROGS += ipv6_route_update_soft_lockup.sh TEST_FILES := settings TEST_FILES += in_netns.sh lib.sh net_helper.sh setup_loopback.sh setup_veth.sh diff --git a/tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh b/tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh new file mode 100755 index 000000000000..a6b2b1f9c641 --- /dev/null +++ b/tools/testing/selftests/net/ipv6_route_update_soft_lockup.sh @@ -0,0 +1,262 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# Testing for potential kernel soft lockup during IPv6 routing table +# refresh under heavy outgoing IPv6 traffic. If a kernel soft lockup +# occurs, a kernel panic will be triggered to prevent associated issues. +# +# +# Test Environment Layout +# +# ┌----------------┐ ┌----------------┐ +# | SOURCE_NS | | SINK_NS | +# | NAMESPACE | | NAMESPACE | +# |(iperf3 clients)| |(iperf3 servers)| +# | | | | +# | | | | +# | ┌-----------| nexthops |---------┐ | +# | |veth_source|<--------------------------------------->|veth_sink|<┐ | +# | └-----------|2001:0DB8:1::0:1/96 2001:0DB8:1::1:1/96 |---------┘ | | +# | | ^ 2001:0DB8:1::1:2/96 | | | +# | | . . | fwd | | +# | ┌---------┐ | . . | | | +# | | IPv6 | | . . | V | +# | | routing | | . 2001:0DB8:1::1:80/96| ┌-----┐ | +# | | table | | . | | lo | | +# | | nexthop | | . └--------┴-----┴-┘ +# | | update | | ............................> 2001:0DB8:2::1:1/128 +# | └-------- ┘ | +# └----------------┘ +# +# The test script sets up two network namespaces, source_ns and sink_ns, +# connected via a veth link. Within source_ns, it continuously updates the +# IPv6 routing table by flushing and inserting IPV6_NEXTHOP_ADDR_COUNT nexthop +# IPs destined for SINK_LOOPBACK_IP_ADDR in sink_ns. This refresh occurs at a +# rate of 1/ROUTING_TABLE_REFRESH_PERIOD per second for TEST_DURATION seconds. +# +# Simultaneously, multiple iperf3 clients within source_ns generate heavy +# outgoing IPv6 traffic. Each client is assigned a unique port number starting +# at 5000 and incrementing sequentially. Each client targets a unique iperf3 +# server running in sink_ns, connected to the SINK_LOOPBACK_IFACE interface +# using the same port number. +# +# The number of iperf3 servers and clients is set to half of the total +# available cores on each machine. +# +# NOTE: We have tested this script on machines with various CPU specifications, +# ranging from lower to higher performance as listed below. The test script +# effectively triggered a kernel soft lockup on machines running an unpatched +# kernel in under a minute: +# +# - 1x Intel Xeon E-2278G 8-Core Processor @ 3.40GHz +# - 1x Intel Xeon E-2378G Processor 8-Core @ 2.80GHz +# - 1x AMD EPYC 7401P 24-Core Processor @ 2.00GHz +# - 1x AMD EPYC 7402P 24-Core Processor @ 2.80GHz +# - 2x Intel Xeon Gold 5120 14-Core Processor @ 2.20GHz +# - 1x Ampere Altra Q80-30 80-Core Processor @ 3.00GHz +# - 2x Intel Xeon Gold 5120 14-Core Processor @ 2.20GHz +# - 2x Intel Xeon Silver 4214 24-Core Processor @ 2.20GHz +# - 1x AMD EPYC 7502P 32-Core @ 2.50GHz +# - 1x Intel Xeon Gold 6314U 32-Core Processor @ 2.30GHz +# - 2x Intel Xeon Gold 6338 32-Core Processor @ 2.00GHz +# +# On less performant machines, you may need to increase the TEST_DURATION +# parameter to enhance the likelihood of encountering a race condition leading +# to a kernel soft lockup and avoid a false negative result. +# +# NOTE: The test may not produce the expected result in virtualized +# environments (e.g., qemu) due to differences in timing and CPU handling, +# which can affect the conditions needed to trigger a soft lockup. + +source lib.sh +source net_helper.sh + +TEST_DURATION=300 +ROUTING_TABLE_REFRESH_PERIOD=0.01 + +IPERF3_BITRATE="300m" + + +IPV6_NEXTHOP_ADDR_COUNT="128" +IPV6_NEXTHOP_ADDR_MASK="96" +IPV6_NEXTHOP_PREFIX="2001:0DB8:1" + + +SOURCE_TEST_IFACE="veth_source" +SOURCE_TEST_IP_ADDR="2001:0DB8:1::0:1/96" + +SINK_TEST_IFACE="veth_sink" +# ${SINK_TEST_IFACE} is populated with the following range of IPv6 addresses: +# 2001:0DB8:1::1:1 to 2001:0DB8:1::1:${IPV6_NEXTHOP_ADDR_COUNT} +SINK_LOOPBACK_IFACE="lo" +SINK_LOOPBACK_IP_MASK="128" +SINK_LOOPBACK_IP_ADDR="2001:0DB8:2::1:1" + +nexthop_ip_list="" +termination_signal="" +kernel_softlokup_panic_prev_val="" + +terminate_ns_processes_by_pattern() { + local ns=$1 + local pattern=$2 + + for pid in $(ip netns pids ${ns}); do + [ -e /proc/$pid/cmdline ] && grep -qe "${pattern}" /proc/$pid/cmdline && kill -9 $pid + done +} + +cleanup() { + echo "info: cleaning up namespaces and terminating all processes within them..." + + + # Terminate iperf3 instances running in the source_ns. To avoid race + # conditions, first iterate over the PIDs and terminate those + # associated with the bash shells running the + # `while true; do iperf3 -c ...; done` loops. In a second iteration, + # terminate the individual `iperf3 -c ...` instances. + terminate_ns_processes_by_pattern ${source_ns} while + terminate_ns_processes_by_pattern ${source_ns} iperf3 + + # Repeat the same process for sink_ns + terminate_ns_processes_by_pattern ${sink_ns} while + terminate_ns_processes_by_pattern ${sink_ns} iperf3 + + # Check if any iperf3 instances are still running. This could happen + # if a core has entered an infinite loop and the timeout for detecting + # the soft lockup has not expired, but either the test interval has + # already elapsed or the test was terminated manually (e.g., with ^C) + for pid in $(ip netns pids ${source_ns}); do + if [ -e /proc/$pid/cmdline ] && grep -qe 'iperf3' /proc/$pid/cmdline; then + echo "FAIL: unable to terminate some iperf3 instances. Soft lockup is underway. A kernel panic is on the way!" + exit ${ksft_fail} + fi + done + + if [ "$termination_signal" == "SIGINT" ]; then + echo "SKIP: Termination due to ^C (SIGINT)" + elif [ "$termination_signal" == "SIGALRM" ]; then + echo "PASS: No kernel soft lockup occurred during this ${TEST_DURATION} second test" + fi + + cleanup_ns ${source_ns} ${sink_ns} + + sysctl -qw kernel.softlockup_panic=${kernel_softlokup_panic_prev_val} +} + +setup_prepare() { + setup_ns source_ns sink_ns + + ip -n ${source_ns} link add name ${SOURCE_TEST_IFACE} type veth peer name ${SINK_TEST_IFACE} netns ${sink_ns} + + # Setting up the Source namespace + ip -n ${source_ns} addr add ${SOURCE_TEST_IP_ADDR} dev ${SOURCE_TEST_IFACE} + ip -n ${source_ns} link set dev ${SOURCE_TEST_IFACE} qlen 10000 + ip -n ${source_ns} link set dev ${SOURCE_TEST_IFACE} up + ip netns exec ${source_ns} sysctl -qw net.ipv6.fib_multipath_hash_policy=1 + + # Setting up the Sink namespace + ip -n ${sink_ns} addr add ${SINK_LOOPBACK_IP_ADDR}/${SINK_LOOPBACK_IP_MASK} dev ${SINK_LOOPBACK_IFACE} + ip -n ${sink_ns} link set dev ${SINK_LOOPBACK_IFACE} up + ip netns exec ${sink_ns} sysctl -qw net.ipv6.conf.${SINK_LOOPBACK_IFACE}.forwarding=1 + + ip -n ${sink_ns} link set ${SINK_TEST_IFACE} up + ip netns exec ${sink_ns} sysctl -qw net.ipv6.conf.${SINK_TEST_IFACE}.forwarding=1 + + + # Populate nexthop IPv6 addresses on the test interface in the sink_ns + echo "info: populating ${IPV6_NEXTHOP_ADDR_COUNT} IPv6 addresses on the ${SINK_TEST_IFACE} interface ..." + for IP in $(seq 1 ${IPV6_NEXTHOP_ADDR_COUNT}); do + ip -n ${sink_ns} addr add ${IPV6_NEXTHOP_PREFIX}::$(printf "1:%x" "${IP}")/${IPV6_NEXTHOP_ADDR_MASK} dev ${SINK_TEST_IFACE}; + done + + # Preparing list of nexthops + for IP in $(seq 1 ${IPV6_NEXTHOP_ADDR_COUNT}); do + nexthop_ip_list=$nexthop_ip_list" nexthop via ${IPV6_NEXTHOP_PREFIX}::$(printf "1:%x" $IP) dev ${SOURCE_TEST_IFACE} weight 1" + done +} + + +test_soft_lockup_during_routing_table_refresh() { + # Start num_of_iperf_servers iperf3 servers in the sink_ns namespace, + # each listening on ports starting at 5001 and incrementing + # sequentially. Since iperf3 instances may terminate unexpectedly, a + # while loop is used to automatically restart them in such cases. + echo "info: starting ${num_of_iperf_servers} iperf3 servers in the sink_ns namespace ..." + for i in $(seq 1 ${num_of_iperf_servers}); do + cmd="iperf3 --bind ${SINK_LOOPBACK_IP_ADDR} -s -p $(printf '5%03d' ${i}) --rcv-timeout 200 &>/dev/null" + ip netns exec ${sink_ns} bash -c "while true; do ${cmd}; done &" &>/dev/null + done + + # Wait for the iperf3 servers to be ready + for i in $(seq ${num_of_iperf_servers}); do + port=$(printf '5%03d' ${i}); + wait_local_port_listen ${sink_ns} ${port} tcp + done + + # Continuously refresh the routing table in the background within + # the source_ns namespace + ip netns exec ${source_ns} bash -c " + while \$(ip netns list | grep -q ${source_ns}); do + ip -6 route add ${SINK_LOOPBACK_IP_ADDR}/${SINK_LOOPBACK_IP_MASK} ${nexthop_ip_list}; + sleep ${ROUTING_TABLE_REFRESH_PERIOD}; + ip -6 route delete ${SINK_LOOPBACK_IP_ADDR}/${SINK_LOOPBACK_IP_MASK}; + done &" + + # Start num_of_iperf_servers iperf3 clients in the source_ns namespace, + # each sending TCP traffic on sequential ports starting at 5001. + # Since iperf3 instances may terminate unexpectedly (e.g., if the route + # to the server is deleted in the background during a route refresh), a + # while loop is used to automatically restart them in such cases. + echo "info: starting ${num_of_iperf_servers} iperf3 clients in the source_ns namespace ..." + for i in $(seq 1 ${num_of_iperf_servers}); do + cmd="iperf3 -c ${SINK_LOOPBACK_IP_ADDR} -p $(printf '5%03d' ${i}) --length 64 --bitrate ${IPERF3_BITRATE} -t 0 --connect-timeout 150 &>/dev/null" + ip netns exec ${source_ns} bash -c "while true; do ${cmd}; done &" &>/dev/null + done + + echo "info: IPv6 routing table is being updated at the rate of $(echo "1/${ROUTING_TABLE_REFRESH_PERIOD}" | bc)/s for ${TEST_DURATION} seconds ..." + echo "info: A kernel soft lockup, if detected, results in a kernel panic!" + + wait +} + +# Make sure 'iperf3' is installed, skip the test otherwise +if [ ! -x "$(command -v "iperf3")" ]; then + echo "SKIP: 'iperf3' is not installed. Skipping the test." + exit ${ksft_skip} +fi + +# Determine the number of cores on the machine +num_of_iperf_servers=$(( $(nproc)/2 )) + +# Check if we are running on a multi-core machine, skip the test otherwise +if [ "${num_of_iperf_servers}" -eq 0 ]; then + echo "SKIP: This test is not valid on a single core machine!" + exit ${ksft_skip} +fi + +# Since the kernel soft lockup we're testing causes at least one core to enter +# an infinite loop, destabilizing the host and likely affecting subsequent +# tests, we trigger a kernel panic instead of reporting a failure and +# continuing +kernel_softlokup_panic_prev_val=$(sysctl -n kernel.softlockup_panic) +sysctl -qw kernel.softlockup_panic=1 + +handle_sigint() { + termination_signal="SIGINT" + cleanup + exit ${ksft_skip} +} + +handle_sigalrm() { + termination_signal="SIGALRM" + cleanup + exit ${ksft_pass} +} + +trap handle_sigint SIGINT +trap handle_sigalrm SIGALRM + +(sleep ${TEST_DURATION} && kill -s SIGALRM $$)& + +setup_prepare +test_soft_lockup_during_routing_table_refresh -- 2.35.3

3 months, 1 week

2
1
0 0

[PATCH 5.4.y] m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal

by Finn Thain

From: Al Viro <viro(a)zeniv.linux.org.uk> [ Upstream commit 50e43a57334400668952f8e551c9d87d3ed2dfef ] We get there when sigreturn has performed obscene acts on kernel stack; in particular, the location of pt_regs has shifted. We are about to call syscall_trace(), which might stop for tracer. If that happens, we'd better have task_pt_regs() returning correct result... Fucked-up-by: Al Viro <viro(a)zeniv.linux.org.uk> Fixes: bd6f56a75bb2 ("m68k: Missing syscall_trace() on sigreturn") Signed-off-by: Al Viro <viro(a)zeniv.linux.org.uk> Tested-by: Michael Schmitz <schmitzmic(a)gmail.com> Reviewed-by: Michael Schmitz <schmitzmic(a)gmail.com> Tested-by: Finn Thain <fthain(a)linux-m68k.org> Link: https://lore.kernel.org/r/YP2dMWeV1LkHiOpr@zeniv-ca.linux.org.uk Signed-off-by: Geert Uytterhoeven <geert(a)linux-m68k.org> Signed-off-by: Finn Thain <fthain(a)linux-m68k.org> --- arch/m68k/kernel/entry.S | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S index 417d8f0e8962..0d03b4f2077b 100644 --- a/arch/m68k/kernel/entry.S +++ b/arch/m68k/kernel/entry.S @@ -182,6 +182,8 @@ ENTRY(ret_from_signal) movel %curptr@(TASK_STACK),%a1 tstb %a1@(TINFO_FLAGS+2) jge 1f + lea %sp@(SWITCH_STACK_SIZE),%a1 + movel %a1,%curptr@(TASK_THREAD+THREAD_ESP0) jbsr syscall_trace 1: RESTORE_SWITCH_STACK addql #4,%sp

3 months, 1 week

2
1
0 0

[PATCH 5.10.y] signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die

by Finn Thain

From: "Eric W. Biederman" <ebiederm(a)xmission.com> [ Upstream commit a3616a3c02722d1edb95acc7fceade242f6553ba ] In the fpsp040 code when copyin or copyout fails call force_sigsegv(SIGSEGV) instead of do_exit(SIGSEGV). This solves a couple of problems. Because do_exit embeds the ptrace stop PTRACE_EVENT_EXIT a complete stack frame needs to be present for that to work correctly. There is always the information needed for a ptrace stop where get_signal is called. So exiting with a signal solves the ptrace issue. Further exiting with a signal ensures that all of the threads in a process are killed not just the thread that malfunctioned. Which avoids confusing userspace. To make force_sigsegv(SIGSEGV) work in fpsp040_die modify the code to save all of the registers and jump to ret_from_exception (which ultimately calls get_signal) after fpsp040_die returns. v2: Updated the branches to use gas's pseudo ops that automatically calculate the best branch instruction to use for the purpose. v1: https://lkml.kernel.org/r/87a6m8kgtx.fsf_-_@disp2133 Link: https://lkml.kernel.org/r/87tukghjfs.fsf_-_@disp2133 Acked-by: Geert Uytterhoeven <geert(a)linux-m68k.org> Signed-off-by: "Eric W. Biederman" <ebiederm(a)xmission.com> Signed-off-by: Finn Thain <fthain(a)linux-m68k.org> --- arch/m68k/fpsp040/skeleton.S | 3 ++- arch/m68k/kernel/traps.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/m68k/fpsp040/skeleton.S b/arch/m68k/fpsp040/skeleton.S index 31a9c634c81e..081922c72daa 100644 --- a/arch/m68k/fpsp040/skeleton.S +++ b/arch/m68k/fpsp040/skeleton.S @@ -502,7 +502,8 @@ in_ea: .section .fixup,"ax" .even 1: - jbra fpsp040_die + jbsr fpsp040_die + jbra .Lnotkern .section __ex_table,"a" .align 4 diff --git a/arch/m68k/kernel/traps.c b/arch/m68k/kernel/traps.c index 35f706d836c5..c6f18dc5884b 100644 --- a/arch/m68k/kernel/traps.c +++ b/arch/m68k/kernel/traps.c @@ -1155,7 +1155,7 @@ asmlinkage void set_esp0(unsigned long ssp) */ asmlinkage void fpsp040_die(void) { - do_exit(SIGSEGV); + force_sigsegv(SIGSEGV); } #ifdef CONFIG_M68KFPU_EMU

3 months, 1 week

2
1
0 0

[PATCH v3] s390/pci: Fix SR-IOV for PFs initially in standby

by Niklas Schnelle

Since commit 25f39d3dcb48 ("s390/pci: Ignore RID for isolated VFs") PFs which are not initially configured but in standby are considered isolated. That is they create only a single function PCI domain. Due to the PCI domains being created on discovery, this means that even if they are configured later on, sibling PFs and their child VFs will not be added to their PCI domain breaking SR-IOV expectations. The reason the referenced commit ignored standby PFs for the creation of multi-function PCI subhierarchies, was to work around a PCI domain renumbering scenario on reboot. The renumbering would occur after removing a previously in standby PF, whose domain number is used for its configured sibling PFs and their child VFs, but which itself remained in standby. When this is followed by a reboot, the sibling PF is used instead to determine the PCI domain number of it and its child VFs. In principle it is not possible to know which standby PFs will be configured later and which may be removed. The PCI domain and root bus are pre-requisites for hotplug slots so the decision of which functions belong to which domain can not be postponed. With the renumbering occurring only in rare circumstances and being generally benign, accept it as an oddity and fix SR-IOV for initially standby PFs simply by allowing them to create PCI domains. Cc: stable(a)vger.kernel.org Reviewed-by: Gerd Bayer <gbayer(a)linux.ibm.com> Fixes: 25f39d3dcb48 ("s390/pci: Ignore RID for isolated VFs") Signed-off-by: Niklas Schnelle <schnelle(a)linux.ibm.com> --- Changes in v3: - Add R-b from Gerd - Add Cc: stable… - Add commas (Sandy) Changes in v2: - Reword commit message --- arch/s390/pci/pci_bus.c | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/s390/pci/pci_bus.c b/arch/s390/pci/pci_bus.c index d5ace00d10f04285f899284481f1e426187d4ff4..857afbc4828f0c677f88cc80dd4a5fff104a615a 100644 --- a/arch/s390/pci/pci_bus.c +++ b/arch/s390/pci/pci_bus.c @@ -171,7 +171,6 @@ void zpci_bus_scan_busses(void) static bool zpci_bus_is_multifunction_root(struct zpci_dev *zdev) { return !s390_pci_no_rid && zdev->rid_available && - zpci_is_device_configured(zdev) && !zdev->vfn; } --- base-commit: 6b7afe1a2b6905e42fe45bd7015f20baa856e28e change-id: 20250116-fix_standby_pf-e1d51394e9b3 Best regards, -- Niklas Schnelle

3 months, 1 week

1
0
0 0

[PATCH] powerpc/pseries/iommu: Don't unset window if it was never set

by Shivaprasad G Bhat

On pSeries, when user attempts to use the same vfio container used by different iommu group, the spapr_tce_set_window() returns -EPERM and the subsequent cleanup leads to the below crash. Kernel attempted to read user page (308) - exploit attempt? BUG: Kernel NULL pointer dereference on read at 0x00000308 Faulting instruction address: 0xc0000000001ce358 Oops: Kernel access of bad area, sig: 11 [#1] NIP: c0000000001ce358 LR: c0000000001ce05c CTR: c00000000005add0 <snip> NIP [c0000000001ce358] spapr_tce_unset_window+0x3b8/0x510 LR [c0000000001ce05c] spapr_tce_unset_window+0xbc/0x510 Call Trace: spapr_tce_unset_window+0xbc/0x510 (unreliable) tce_iommu_attach_group+0x24c/0x340 [vfio_iommu_spapr_tce] vfio_container_attach_group+0xec/0x240 [vfio] vfio_group_fops_unl_ioctl+0x548/0xb00 [vfio] sys_ioctl+0x754/0x1580 system_call_exception+0x13c/0x330 system_call_vectored_common+0x15c/0x2ec <snip> --- interrupt: 3000 Fix this by having null check for the tbl passed to the spapr_tce_unset_window(). Fixes: f431a8cde7f1 ("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries") Cc: stable(a)vger.kernel.org Reported-by: Vaishnavi Bhat <vaish123(a)in.ibm.com> Signed-off-by: Shivaprasad G Bhat <sbhat(a)linux.ibm.com> --- arch/powerpc/platforms/pseries/iommu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c index 534cd159e9ab..78b895b568b3 100644 --- a/arch/powerpc/platforms/pseries/iommu.c +++ b/arch/powerpc/platforms/pseries/iommu.c @@ -2205,6 +2205,9 @@ static long spapr_tce_unset_window(struct iommu_table_group *table_group, int nu const char *win_name; int ret = -ENODEV; + if (!tbl) /* The table was never created OR window was never opened */ + return 0; + mutex_lock(&dma_win_init_mutex); if ((num == 0) && is_default_window_table(table_group, tbl))

3 months, 1 week

2
1
0 0

[PATCH v4 RESEND] powerpc/pseries/eeh: Fix get PE state translation

by Narayana Murty N

The PE Reset State "0" returned by RTAS calls "ibm_read_slot_reset_[state|state2]" indicates that the reset is deactivated and the PE is in a state where MMIO and DMA are allowed. However, the current implementation of "pseries_eeh_get_state()" does not reflect this, causing drivers to incorrectly assume that MMIO and DMA operations cannot be resumed. The userspace drivers as a part of EEH recovery using VFIO ioctls fail to detect when the recovery process is complete. The VFIO_EEH_PE_GET_STATE ioctl does not report the expected EEH_PE_STATE_NORMAL state, preventing userspace drivers from functioning properly on pseries systems. The patch addresses this issue by updating 'pseries_eeh_get_state()' to include "EEH_STATE_MMIO_ENABLED" and "EEH_STATE_DMA_ENABLED" in the result mask for PE Reset State "0". This ensures correct state reporting to the callers, aligning the behavior with the PAPR specification and fixing the bug in EEH recovery for VFIO user workflows. Fixes: 00ba05a12b3c ("powerpc/pseries: Cleanup on pseries_eeh_get_state()") Cc: <stable(a)vger.kernel.org> Reviewed-by: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Signed-off-by: Narayana Murty N <nnmlinux(a)linux.ibm.com> --- Changelog: V1:https://lore.kernel.org/all/20241107042027.338065-1-nnmlinux@linux.ibm.c… --added Fixes tag for "powerpc/pseries: Cleanup on pseries_eeh_get_state()". V2:https://lore.kernel.org/stable/20241212075044.10563-1-nnmlinux%40linux.i… --Updated the patch description to include it in the stable kernel tree. V3:https://lore.kernel.org/all/87v7vm8pwz.fsf@gmail.com/ --Updated commit description. --- arch/powerpc/platforms/pseries/eeh_pseries.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c index 1893f66371fa..b12ef382fec7 100644 --- a/arch/powerpc/platforms/pseries/eeh_pseries.c +++ b/arch/powerpc/platforms/pseries/eeh_pseries.c @@ -580,8 +580,10 @@ static int pseries_eeh_get_state(struct eeh_pe *pe, int *delay) switch(rets[0]) { case 0: - result = EEH_STATE_MMIO_ACTIVE | - EEH_STATE_DMA_ACTIVE; + result = EEH_STATE_MMIO_ACTIVE | + EEH_STATE_DMA_ACTIVE | + EEH_STATE_MMIO_ENABLED | + EEH_STATE_DMA_ENABLED; break; case 1: result = EEH_STATE_RESET_ACTIVE | -- 2.47.1

3 months, 1 week

2
1
0 0

[PATCH] KVM: arm64/sve: Ensure SVE is trapped after guest exit

by Mark Rutland

There is a period of time after returning from a KVM_RUN ioctl where userspace may use SVE without trapping, but the kernel can unexpectedly discard the live SVE state. Eric Auger has observed this causing QEMU crashes where SVE is used by memmove(): https://issues.redhat.com/browse/RHEL-68997 The only state discarded is the user SVE state of the task which issued the KVM_RUN ioctl. Other tasks are unaffected, plain FPSIMD state is unaffected, and kernel state is unaffected. This happens because fpsimd_kvm_prepare() incorrectly manipulates the FPSIMD/SVE state. When the vCPU is loaded, fpsimd_kvm_prepare() unconditionally clears TIF_SVE but does not reconfigure CPACR_EL1.ZEN to trap userspace SVE usage. If the vCPU does not use FPSIMD/SVE and hyp does not save the host's FPSIMD/SVE state, the kernel may return to userspace with TIF_SVE clear while SVE is still enabled in CPACR_EL1.ZEN. Subsequent userspace usage of SVE will not be trapped, and the next save of userspace FPSIMD/SVE state will only store the FPSIMD portion due to TIF_SVE being clear, discarding any SVE state. The broken logic was originally introduced in commit: 93ae6b01bafee8fa ("KVM: arm64: Discard any SVE state when entering KVM guests") ... though at the time fp_user_discard() would reconfigure CPACR_EL1.ZEN to trap subsequent SVE usage, masking the issue until that logic was removed in commit: 8c845e2731041f0f ("arm64/sve: Leave SVE enabled on syscall if we don't context switch") Avoid this issue by reconfiguring CPACR_EL1.ZEN when clearing TIF_SVE. At the same time, add a comment to explain why current->thread.fp_type must be set even though the FPSIMD state is not foreign. A similar issue exists when SME is enabled, and will require further rework. As SME currently depends on BROKEN, a BUILD_BUG() and comment are added for now, and this issue will need to be fixed properly in a follow-up patch. Commit 93ae6b01bafee8fa also introduced an unintended ptrace ABI change. Unconditionally clearing TIF_SVE regardless of whether the state is foreign discards saved SVE state created by ptrace after syscall entry. Avoid this by only clearing TIF_SVE when the FPSIMD/SVE state is not foreign. When the state is foreign, KVM hyp code does not need to save any host state, and so this will not affect KVM. There appear to be further issues with unintentional SVE state discarding, largely impacting ptrace and signal handling, which will need to be addressed in separate patches. Reported-by: Eric Auger <eauger(a)redhat.com> Reported-by: Wilco Dijkstra <wilco.dijkstra(a)arm.com> Cc: stable(a)vger.kernel.org Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Florian Weimer <fweimer(a)redhat.com> Cc: Jeremy Linton <jeremy.linton(a)arm.com> Cc: Marc Zyngier <maz(a)kernel.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Oliver Upton <oliver.upton(a)linux.dev> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Will Deacon <will(a)kernel.org> Signed-off-by: Mark Rutland <mark.rutland(a)arm.com> --- arch/arm64/kernel/fpsimd.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) I believe there are some other issues in this area, but I'm sending this out on its own because I beleive the other issues are more complex while this is self-contained, and people are actively hitting this case in production. I intend to follow-up with fixes for the other cases I mention in the commit message, and for the SME case with the BUILD_BUG_ON(). Mark. diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c index 8c4c1a2186cc5..e4053a90ed240 100644 --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c @@ -1711,8 +1711,24 @@ void fpsimd_kvm_prepare(void) */ get_cpu_fpsimd_context(); - if (test_and_clear_thread_flag(TIF_SVE)) { - sve_to_fpsimd(current); + if (!test_thread_flag(TIF_FOREIGN_FPSTATE) && + test_and_clear_thread_flag(TIF_SVE)) { + sve_user_disable(); + + /* + * The KVM hyp code doesn't set fp_type when saving the host's + * FPSIMD state. Set fp_type here in case the hyp code saves + * the host state. + * + * If hyp code does not save the host state, then the host + * state remains live on the CPU and saved fp_type is + * irrelevant until it is overwritten by a later call to + * fpsimd_save_user_state(). + * + * This is *NOT* sufficient when CONFIG_ARM64_SME=y, where + * fp_type can be FP_STATE_SVE regardless of TIF_SVE. + */ + BUILD_BUG_ON(IS_ENABLED(CONFIG_ARM64_SME)); current->thread.fp_type = FP_STATE_FPSIMD; } -- 2.30.2

3 months, 1 week

4
7
0 0

[PATCH RESEND] drm/komeda: Add check for komeda_get_layer_fourcc_list()

by Haoxiang Li

Add check for the return value of komeda_get_layer_fourcc_list() to catch the potential exception. Fixes: 5d51f6c0da1b ("drm/komeda: Add writeback support") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <haoxiang_li2024(a)163.com> --- drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c b/drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c index ebccb74306a7..f30b3d5eeca5 100644 --- a/drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c +++ b/drivers/gpu/drm/arm/display/komeda/komeda_wb_connector.c @@ -160,6 +160,10 @@ static int komeda_wb_connector_add(struct komeda_kms_dev *kms, formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl, kwb_conn->wb_layer->layer_type, &n_formats); + if (!formats) { + kfree(kwb_conn); + return -ENOMEM; + } err = drm_writeback_connector_init(&kms->base, wb_conn, &komeda_wb_connector_funcs, -- 2.25.1

3 months, 1 week

2
1
0 0

[PATCH 6.1.y] net: fix data-races around sk->sk_forward_alloc

by alvalan9＠foxmail.com

From: Wang Liang <wangliang74(a)huawei.com> commit 073d89808c065ac4c672c0a613a71b27a80691cb upstream. Syzkaller reported this warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 16 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x1c5/0x1e0 Modules linked in: CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc5 #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:inet_sock_destruct+0x1c5/0x1e0 Code: 24 12 4c 89 e2 5b 48 c7 c7 98 ec bb 82 41 5c e9 d1 18 17 ff 4c 89 e6 5b 48 c7 c7 d0 ec bb 82 41 5c e9 bf 18 17 ff 0f 0b eb 83 <0f> 0b eb 97 0f 0b eb 87 0f 0b e9 68 ff ff ff 66 66 2e 0f 1f 84 00 RSP: 0018:ffffc9000008bd90 EFLAGS: 00010206 RAX: 0000000000000300 RBX: ffff88810b172a90 RCX: 0000000000000007 RDX: 0000000000000002 RSI: 0000000000000300 RDI: ffff88810b172a00 RBP: ffff88810b172a00 R08: ffff888104273c00 R09: 0000000000100007 R10: 0000000000020000 R11: 0000000000000006 R12: ffff88810b172a00 R13: 0000000000000004 R14: 0000000000000000 R15: ffff888237c31f78 FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc63fecac8 CR3: 000000000342e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x88/0x130 ? inet_sock_destruct+0x1c5/0x1e0 ? report_bug+0x18e/0x1a0 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? inet_sock_destruct+0x1c5/0x1e0 __sk_destruct+0x2a/0x200 rcu_do_batch+0x1aa/0x530 ? rcu_do_batch+0x13b/0x530 rcu_core+0x159/0x2f0 handle_softirqs+0xd3/0x2b0 ? __pfx_smpboot_thread_fn+0x10/0x10 run_ksoftirqd+0x25/0x30 smpboot_thread_fn+0xdd/0x1d0 kthread+0xd3/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]--- Its possible that two threads call tcp_v6_do_rcv()/sk_forward_alloc_add() concurrently when sk->sk_state == TCP_LISTEN with sk->sk_lock unlocked, which triggers a data-race around sk->sk_forward_alloc: tcp_v6_rcv tcp_v6_do_rcv skb_clone_and_charge_r sk_rmem_schedule __sk_mem_schedule sk_forward_alloc_add() skb_set_owner_r sk_mem_charge sk_forward_alloc_add() __kfree_skb skb_release_all skb_release_head_state sock_rfree sk_mem_uncharge sk_forward_alloc_add() sk_mem_reclaim // set local var reclaimable __sk_mem_reclaim sk_forward_alloc_add() In this syzkaller testcase, two threads call tcp_v6_do_rcv() with skb->truesize=768, the sk_forward_alloc changes like this: (cpu 1) | (cpu 2) | sk_forward_alloc ... | ... | 0 __sk_mem_schedule() | | +4096 = 4096 | __sk_mem_schedule() | +4096 = 8192 sk_mem_charge() | | -768 = 7424 | sk_mem_charge() | -768 = 6656 ... | ... | sk_mem_uncharge() | | +768 = 7424 reclaimable=7424 | | | sk_mem_uncharge() | +768 = 8192 | reclaimable=8192 | __sk_mem_reclaim() | | -4096 = 4096 | __sk_mem_reclaim() | -8192 = -4096 != 0 The skb_clone_and_charge_r() should not be called in tcp_v6_do_rcv() when sk->sk_state is TCP_LISTEN, it happens later in tcp_v6_syn_recv_sock(). Fix the same issue in dccp_v6_do_rcv(). Suggested-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets") Signed-off-by: Wang Liang <wangliang74(a)huawei.com> Link: https://patch.msgid.link/20241107023405.889239-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Alva Lan <alvalan9(a)foxmail.com> --- Backport to fix CVE-2024-53124. Link: https://nvd.nist.gov/vuln/detail/CVE-2024-53124 --- net/dccp/ipv6.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index d90bb941f2ad..8f5f56b1e5f8 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -615,7 +615,7 @@ static int dccp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) by tcp. Feel free to propose better solution. --ANK (980728) */ - if (np->rxopt.all) + if (np->rxopt.all && sk->sk_state != DCCP_LISTEN) opt_skb = skb_clone_and_charge_r(skb, sk); if (sk->sk_state == DCCP_OPEN) { /* Fast path */ diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 06b4acbfd314..0ccaa78f6ff3 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1463,7 +1463,7 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) by tcp. Feel free to propose better solution. --ANK (980728) */ - if (np->rxopt.all) + if (np->rxopt.all && sk->sk_state != TCP_LISTEN) opt_skb = skb_clone_and_charge_r(skb, sk); reason = SKB_DROP_REASON_NOT_SPECIFIED; @@ -1502,8 +1502,6 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb) if (nsk != sk) { if (tcp_child_process(sk, nsk, skb)) goto reset; - if (opt_skb) - __kfree_skb(opt_skb); return 0; } } else -- 2.43.0

3 months, 1 week

4
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror