- Linux-stable-mirror - lists.linaro.org

[regression] frozen usb mouse pointer at boot

by Linux regression tracking (Thorsten Leemhuis)

Hi, Thorsten here, the Linux kernel's regression tracker. I noticed a report about a linux-6.6.y regression in bugzilla.kernel.org that appears to be caused by this commit from Dan applied by Greg: 15fffc6a5624b1 ("driver core: Fix uevent_show() vs driver detach race") [v6.11-rc3, v6.10.5, v6.6.46, v6.1.105, v5.15.165, v5.10.224, v5.4.282, v4.19.320] The reporter did not check yet if mainline is affected; decided to forward the report by mail nevertheless, as the maintainer for the subsystem is also the maintainer for the stable tree. ;-) To quote from https://bugzilla.kernel.org/show_bug.cgi?id=219244 : > The symptoms of this bug are as follows: > > - After booting (to the graphical login screen) the mouse pointer > would frozen and only after unplugging and plugging-in again the usb > plug of the mouse would the mouse be working as expected. > - If one would log in without fixing the mouse issue, the mouse > pointer would still be frozen after login. > - The usb keyboard usually is not affected even though plugged into > the same usb-hub - thus logging in is possible. > - The mouse pointer is also frozen if the usb connector is plugged > into a different usb-port (different from the usb-hub) > - The pointer is moveable via the inbuilt synaptics trackpad > > > The kernel log shows almost the same messages (not sure if the > differences mean anything in regards to this bug) for the initial > recognizing the mouse (frozen mouse pointer) and the re-plugged-in mouse > (and subsequently moveable mouse pointer): > > [kernel] [ 8.763158] usb 1-2.2.1.2: new low-speed USB device number 10 using xhci_hcd > [kernel] [ 8.956028] usb 1-2.2.1.2: New USB device found, idVendor=045e, idProduct=00cb, bcdDevice= 1.04 > [kernel] [ 8.956036] usb 1-2.2.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 > [kernel] [ 8.956039] usb 1-2.2.1.2: Product: Microsoft Basic Optical Mouse v2.0 > [kernel] [ 8.956041] usb 1-2.2.1.2: Manufacturer: Microsoft > [kernel] [ 8.963554] input: Microsoft Microsoft Basic Optical Mouse v2.0 as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.2/1-2.2.1/1-2.2.1.2/1-2.2.1.2:1.0/0003:045E:00CB.0002/input/input18 > [kernel] [ 8.964417] hid-generic 0003:045E:00CB.0002: input,hidraw1: USB HID v1.11 Mouse [Microsoft Microsoft Basic Optical Mouse v2.0 ] on usb-0000:00:14.0-2.2.1.2/input0 > > [kernel] [ 31.258381] usb 1-2.2.1.2: USB disconnect, device number 10 > [kernel] [ 31.595051] usb 1-2.2.1.2: new low-speed USB device number 16 using xhci_hcd > [kernel] [ 31.804002] usb 1-2.2.1.2: New USB device found, idVendor=045e, idProduct=00cb, bcdDevice= 1.04 > [kernel] [ 31.804010] usb 1-2.2.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 > [kernel] [ 31.804013] usb 1-2.2.1.2: Product: Microsoft Basic Optical Mouse v2.0 > [kernel] [ 31.804016] usb 1-2.2.1.2: Manufacturer: Microsoft > [kernel] [ 31.812933] input: Microsoft Microsoft Basic Optical Mouse v2.0 as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.2/1-2.2.1/1-2.2.1.2/1-2.2.1.2:1.0/0003:045E:00CB.0004/input/input20 > [kernel] [ 31.814028] hid-generic 0003:045E:00CB.0004: input,hidraw1: USB HID v1.11 Mouse [Microsoft Microsoft Basic Optical Mouse v2.0 ] on usb-0000:00:14.0-2.2.1.2/input0 > > Differences: > > ../0003:045E:00CB.0002/input/input18 vs ../0003:045E:00CB.0004/input/input20 > > and > > hid-generic 0003:045E:00CB.0002 vs hid-generic 0003:045E:00CB.0004 > > > The connector / usb-port was not changed in this case! > > > The symptoms of this bug have been present at one point in the > recent > past, but with kernel v6.6.45 (or maybe even some version before that) > it was fine. But with 6.6.45 it seems to be definitely fine. > > But with v6.6.46 the symptoms returned. That's the reason I > suspected > the kernel to be the cause of this issue. So I did some bisecting - > which wasn't easy because that bug would often times not appear if the > system was simply rebooted into the test kernel. > As the bug would definitely appear on the affected kernels (v6.6.46 > ff) after shutting down the system for the night and booting the next > day, I resorted to simulating the over-night powering-off by shutting > the system down, unplugging the power and pressing the power button to > get rid of residual voltage. But even then a few times the bug would > only appear if I repeated this procedure before booting the system again > with the respective kernel. > > This is on a Thinkpad with Kaby Lake and integrated Intel graphics. > Even though it is a laptop, it is used as a desktop device, and the > internal battery is disconnected, the removable battery is removed as > the system is plugged-in via the power cord at all times (when in use)! > Also, the system has no power (except for the bios battery, of > course) > over night as the power outlet is switched off if the device is not in use. > > Not sure if this affects the issue - or how it does. But for > successful bisecting I had to resort to the above procedure. > > Bisecting the issue (between the release commits of v6.6.45 and > v6.6.46) resulted in this commit [1] being the probable culprit. > > I then tested kernel v6.6.49. It still produced the bug for me. So I > reverted the changes of the assumed "bad commit" and re-compiled kernel > v6.6.49. With this modified kernel the bug seems to be gone. > > Now, I assume the commit has a reason for being introduced, but > maybe > needs some adjusting in order to avoid this bug I'm experiencing on my > system. > Also, I can't say why the issue appeared in the past even without > this > commit being present, as I haven't bisected any kernel version before > v6.6.45. > > > [1]: > > 4d035c743c3e391728a6f81cbf0f7f9ca700cf62 is the first bad commit > commit 4d035c743c3e391728a6f81cbf0f7f9ca700cf62 > Author: Dan Williams <dan.j.williams(a)intel.com> > Date: Fri Jul 12 12:42:09 2024 -0700 > > driver core: Fix uevent_show() vs driver detach race > > commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c upstream. > > uevent_show() wants to de-reference dev->driver->name. There is no clean See the ticket for more details. Note, you have to use bugzilla to reach the reporter, as I sadly[1] can not CCed them in mails like this. Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat) -- Everything you wanna know about Linux kernel regression tracking: https://linux-regtracking.leemhuis.info/about/#tldr If I did something stupid, please tell me, as explained on that page. [1] because bugzilla.kernel.org tells users upon registration their "email address will never be displayed to logged out users" P.S.: let me use this mail to also add the report to the list of tracked regressions to ensure it's doesn't fall through the cracks: #regzbot introduced: 4d035c743c3e391728a6f81cbf0f7f9ca700cf62 #regzbot from: brmails+k #regzbot duplicate: https://bugzilla.kernel.org/show_bug.cgi?id=219244 #regzbot title: driver core: frozen usb mouse pointer at boot #regzbot ignore-activity

9 months, 2 weeks

3
5
0 0

+ mm-avoid-unconditional-one-tick-sleep-when-swapcache_prepare-fails.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: avoid unconditional one-tick sleep when swapcache_prepare fails has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-avoid-unconditional-one-tick-sleep-when-swapcache_prepare-fails.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Barry Song <v-songbaohua(a)oppo.com> Subject: mm: avoid unconditional one-tick sleep when swapcache_prepare fails Date: Fri, 27 Sep 2024 09:19:36 +1200 Commit 13ddaf26be32 ("mm/swap: fix race when skipping swapcache") introduced an unconditional one-tick sleep when `swapcache_prepare()` fails, which has led to reports of UI stuttering on latency-sensitive Android devices. To address this, we can use a waitqueue to wake up tasks that fail `swapcache_prepare()` sooner, instead of always sleeping for a full tick. While tasks may occasionally be woken by an unrelated `do_swap_page()`, this method is preferable to two scenarios: rapid re-entry into page faults, which can cause livelocks, and multiple millisecond sleeps, which visibly degrade user experience. Oven's testing shows that a single waitqueue resolves the UI stuttering issue. If a 'thundering herd' problem becomes apparent later, a waitqueue hash similar to `folio_wait_table[PAGE_WAIT_TABLE_SIZE]` for page bit locks can be introduced. Link: https://lkml.kernel.org/r/20240926211936.75373-1-21cnbao@gmail.com Fixes: 13ddaf26be32 ("mm/swap: fix race when skipping swapcache") Signed-off-by: Barry Song <v-songbaohua(a)oppo.com> Reported-by: Oven Liyang <liyangouwen1(a)oppo.com> Tested-by: Oven Liyang <liyangouwen1(a)oppo.com> Cc: Kairui Song <kasong(a)tencent.com> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Chris Li <chrisl(a)kernel.org> Cc: Hugh Dickins <hughd(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Yosry Ahmed <yosryahmed(a)google.com> Cc: SeongJae Park <sj(a)kernel.org> Cc: Kalesh Singh <kaleshsingh(a)google.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) --- a/mm/memory.c~mm-avoid-unconditional-one-tick-sleep-when-swapcache_prepare-fails +++ a/mm/memory.c @@ -4192,6 +4192,8 @@ static struct folio *alloc_swap_folio(st } #endif /* CONFIG_TRANSPARENT_HUGEPAGE */ +static DECLARE_WAIT_QUEUE_HEAD(swapcache_wq); + /* * We enter with non-exclusive mmap_lock (to exclude vma changes, * but allow concurrent faults), and pte mapped but not yet locked. @@ -4204,6 +4206,7 @@ vm_fault_t do_swap_page(struct vm_fault { struct vm_area_struct *vma = vmf->vma; struct folio *swapcache, *folio = NULL; + DECLARE_WAITQUEUE(wait, current); struct page *page; struct swap_info_struct *si = NULL; rmap_t rmap_flags = RMAP_NONE; @@ -4302,7 +4305,9 @@ vm_fault_t do_swap_page(struct vm_fault * Relax a bit to prevent rapid * repeated page faults. */ + add_wait_queue(&swapcache_wq, &wait); schedule_timeout_uninterruptible(1); + remove_wait_queue(&swapcache_wq, &wait); goto out_page; } need_clear_cache = true; @@ -4609,8 +4614,10 @@ unlock: pte_unmap_unlock(vmf->pte, vmf->ptl); out: /* Clear the swap cache pin for direct swapin after PTL unlock */ - if (need_clear_cache) + if (need_clear_cache) { swapcache_clear(si, entry, nr_pages); + wake_up(&swapcache_wq); + } if (si) put_swap_device(si); return ret; @@ -4625,8 +4632,10 @@ out_release: folio_unlock(swapcache); folio_put(swapcache); } - if (need_clear_cache) + if (need_clear_cache) { swapcache_clear(si, entry, nr_pages); + wake_up(&swapcache_wq); + } if (si) put_swap_device(si); return ret; _ Patches currently in -mm which might be from v-songbaohua(a)oppo.com are mm-avoid-unconditional-one-tick-sleep-when-swapcache_prepare-fails.patch

9 months, 2 weeks

1
0
0 0

+ selftests-mm-fixed-incorrect-buffer-mirror-size-in-hmm2-double_map-test.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test has been added to the -mm mm-hotfixes-unstable branch. Its filename is selftests-mm-fixed-incorrect-buffer-mirror-size-in-hmm2-double_map-test.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Donet Tom <donettom(a)linux.ibm.com> Subject: selftests/mm: fix incorrect buffer->mirror size in hmm2 double_map test Date: Fri, 27 Sep 2024 00:07:52 -0500 The hmm2 double_map test was failing due to an incorrect buffer->mirror size. The buffer->mirror size was 6, while buffer->ptr size was 6 * PAGE_SIZE. The test failed because the kernel's copy_to_user function was attempting to copy a 6 * PAGE_SIZE buffer to buffer->mirror. Since the size of buffer->mirror was incorrect, copy_to_user failed. This patch corrects the buffer->mirror size to 6 * PAGE_SIZE. Test Result without this patch ============================== # RUN hmm2.hmm2_device_private.double_map ... # hmm-tests.c:1680:double_map:Expected ret (-14) == 0 (0) # double_map: Test terminated by assertion # FAIL hmm2.hmm2_device_private.double_map not ok 53 hmm2.hmm2_device_private.double_map Test Result with this patch =========================== # RUN hmm2.hmm2_device_private.double_map ... # OK hmm2.hmm2_device_private.double_map ok 53 hmm2.hmm2_device_private.double_map Link: https://lkml.kernel.org/r/20240927050752.51066-1-donettom@linux.ibm.com Fixes: fee9f6d1b8df ("mm/hmm/test: add selftests for HMM") Signed-off-by: Donet Tom <donettom(a)linux.ibm.com> Reviewed-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Cc: J��r��me Glisse <jglisse(a)redhat.com> Cc: Kees Cook <keescook(a)chromium.org> Cc: Mark Brown <broonie(a)kernel.org> Cc: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> Cc: Ritesh Harjani (IBM) <ritesh.list(a)gmail.com> Cc: Shuah Khan <shuah(a)kernel.org> Cc: Ralph Campbell <rcampbell(a)nvidia.com> Cc: Jason Gunthorpe <jgg(a)mellanox.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/hmm-tests.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/testing/selftests/mm/hmm-tests.c~selftests-mm-fixed-incorrect-buffer-mirror-size-in-hmm2-double_map-test +++ a/tools/testing/selftests/mm/hmm-tests.c @@ -1657,7 +1657,7 @@ TEST_F(hmm2, double_map) buffer->fd = -1; buffer->size = size; - buffer->mirror = malloc(npages); + buffer->mirror = malloc(size); ASSERT_NE(buffer->mirror, NULL); /* Reserve a range of addresses. */ _ Patches currently in -mm which might be from donettom(a)linux.ibm.com are selftests-mm-fixed-incorrect-buffer-mirror-size-in-hmm2-double_map-test.patch

9 months, 2 weeks

1
0
0 0

+ device-dax-correct-pgoff-align-in-dax_set_mapping.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: device-dax: correct pgoff align in dax_set_mapping() has been added to the -mm mm-hotfixes-unstable branch. Its filename is device-dax-correct-pgoff-align-in-dax_set_mapping.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Kun(llfl)" <llfl(a)linux.alibaba.com> Subject: device-dax: correct pgoff align in dax_set_mapping() Date: Fri, 27 Sep 2024 15:45:09 +0800 pgoff should be aligned using ALIGN_DOWN() instead of ALIGN(). Otherwise, vmf->address not aligned to fault_size will be aligned to the next alignment, that can result in memory failure getting the wrong address. Link: https://lkml.kernel.org/r/23c02a03e8d666fef11bbe13e85c69c8b4ca0624.17274216… Fixes: b9b5777f09be ("device-dax: use ALIGN() for determining pgoff") Signed-off-by: Kun(llfl) <llfl(a)linux.alibaba.com> Tested-by: JianXiong Zhao <zhaojianxiong.zjx(a)alibaba-inc.com> Cc: Joao Martins <joao.m.martins(a)oracle.com> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/dax/device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/dax/device.c~device-dax-correct-pgoff-align-in-dax_set_mapping +++ a/drivers/dax/device.c @@ -86,7 +86,7 @@ static void dax_set_mapping(struct vm_fa nr_pages = 1; pgoff = linear_page_index(vmf->vma, - ALIGN(vmf->address, fault_size)); + ALIGN_DOWN(vmf->address, fault_size)); for (i = 0; i < nr_pages; i++) { struct page *page = pfn_to_page(pfn_t_to_pfn(pfn) + i); _ Patches currently in -mm which might be from llfl(a)linux.alibaba.com are device-dax-correct-pgoff-align-in-dax_set_mapping.patch

9 months, 2 weeks

1
0
0 0

[PATCH 5.15.y] vfio/pci: fix potential memory leak in vfio_intx_enable()

by Oleksandr Tymoshenko

From: Ye Bin <yebin10(a)huawei.com> [ Upstream commit 82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2 ] If kzalloc() failed will lead to 'name' memory leak. Fixes: 18c198c96a81 ("vfio/pci: Create persistent INTx handler") Signed-off-by: Ye Bin <yebin10(a)huawei.com> Reviewed-by: Kevin Tian <kevin.tian(a)intel.com> Acked-by: Reinette Chatre <reinette.chatre(a)intel.com> Link: https://lore.kernel.org/r/20240415015029.3699844-1-yebin10@huawei.com Signed-off-by: Alex Williamson <alex.williamson(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Oleksandr Tymoshenko <ovt(a)google.com> --- drivers/vfio/pci/vfio_pci_intrs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c index cb55f96b4f03..f20512c413f7 100644 --- a/drivers/vfio/pci/vfio_pci_intrs.c +++ b/drivers/vfio/pci/vfio_pci_intrs.c @@ -181,8 +181,10 @@ static int vfio_intx_enable(struct vfio_pci_core_device *vdev, return -ENOMEM; vdev->ctx = kzalloc(sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL); - if (!vdev->ctx) + if (!vdev->ctx) { + kfree(name); return -ENOMEM; + } vdev->num_ctx = 1; -- 2.46.1.824.gd892dcdcdd-goog

9 months, 2 weeks

1
0
0 0

[PATCH] tools/nolibc: s390: include std.h

by Thomas Weißschuh

arch-s390.h uses types from std.h, but does not include it. Depending on the inclusion order the compilation can fail. Include std.h explicitly to avoid these errors. Fixes: 404fa87c0eaf ("tools/nolibc: s390: provide custom implementation for sys_fork") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> --- tools/include/nolibc/arch-s390.h | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/include/nolibc/arch-s390.h b/tools/include/nolibc/arch-s390.h index 2ec13d8b9a2db80efa8d6cbbbd01bfa3d0059de2..f9ab83a219b8a2d5e53b0b303d8bf0bf78280d5f 100644 --- a/tools/include/nolibc/arch-s390.h +++ b/tools/include/nolibc/arch-s390.h @@ -10,6 +10,7 @@ #include "compiler.h" #include "crt.h" +#include "std.h" /* Syscalls for s390: * - registers are 64-bit --- base-commit: e477dba5442c0af7acb9e8bbbbde1108a37ed39c change-id: 20240927-nolibc-s390-std-h-cbb13f70fa73 Best regards, -- Thomas Weißschuh <thomas.weissschuh(a)linutronix.de>

9 months, 2 weeks

1
0
0 0

[PATCH 6.1.y] vfio/pci: fix potential memory leak in vfio_intx_enable()

by Oleksandr Tymoshenko

From: Ye Bin <yebin10(a)huawei.com> [ Upstream commit 82b951e6fbd31d85ae7f4feb5f00ddd4c5d256e2 ] If kzalloc() failed will lead to 'name' memory leak. Fixes: 18c198c96a81 ("vfio/pci: Create persistent INTx handler") Signed-off-by: Ye Bin <yebin10(a)huawei.com> Reviewed-by: Kevin Tian <kevin.tian(a)intel.com> Acked-by: Reinette Chatre <reinette.chatre(a)intel.com> Link: https://lore.kernel.org/r/20240415015029.3699844-1-yebin10@huawei.com Signed-off-by: Alex Williamson <alex.williamson(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Oleksandr Tymoshenko <ovt(a)google.com> --- drivers/vfio/pci/vfio_pci_intrs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c index 03246a59b553..5cbcde32ff79 100644 --- a/drivers/vfio/pci/vfio_pci_intrs.c +++ b/drivers/vfio/pci/vfio_pci_intrs.c @@ -215,8 +215,10 @@ static int vfio_intx_enable(struct vfio_pci_core_device *vdev, return -ENOMEM; vdev->ctx = kzalloc(sizeof(struct vfio_pci_irq_ctx), GFP_KERNEL_ACCOUNT); - if (!vdev->ctx) + if (!vdev->ctx) { + kfree(name); return -ENOMEM; + } vdev->num_ctx = 1; -- 2.46.1.824.gd892dcdcdd-goog

9 months, 2 weeks

1
0
0 0

[PATCH v5.4-v4.19] crypto: aead,cipher - zeroize key buffer after use

by hsimeliere.opensource＠witekio.com

From: Hailey Mothershead <hailmo(a)amazon.com> commit 23e4099bdc3c8381992f9eb975c79196d6755210 upstream. I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding cryptographic information should be zeroized once they are no longer needed. Accomplish this by using kfree_sensitive for buffers that previously held the private key. Signed-off-by: Hailey Mothershead <hailmo(a)amazon.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource(a)witekio.com> --- crypto/aead.c | 3 +-- crypto/cipher.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/crypto/aead.c b/crypto/aead.c index 9688ada13981..f8b2cd0567f1 100644 --- a/crypto/aead.c +++ b/crypto/aead.c @@ -45,8 +45,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key, alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); memcpy(alignbuffer, key, keylen); ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen); - memset(alignbuffer, 0, keylen); - kfree(buffer); + kzfree(buffer); return ret; } diff --git a/crypto/cipher.c b/crypto/cipher.c index 57836c30a49a..3d3fa8d0d533 100644 --- a/crypto/cipher.c +++ b/crypto/cipher.c @@ -38,8 +38,7 @@ static int setkey_unaligned(struct crypto_tfm *tfm, const u8 *key, alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1); memcpy(alignbuffer, key, keylen); ret = cia->cia_setkey(tfm, alignbuffer, keylen); - memset(alignbuffer, 0, keylen); - kfree(buffer); + kzfree(buffer); return ret; } -- 2.43.0

9 months, 2 weeks

1
0
0 0

self-debug using ptrace bad behavior?

by Sim Brahmi

Hello, I am unsure if this is the 'correct' behavior for ptrace. If you run ptrace_traceme followed by ptrace_attach, then the process attaches its own parent to itself and cannot be attached by another thing. The attach call errors out, but GDB does report something attached to it. I am unsure if Bash does this itself perhaps. It's a bit hard for me to reason about because my debugging skills are bad and trying 'strace' with bash -c ./thing, or just on the thing itself gives -1 on both ptrace calls as strace attaches to it. similarly with GDB. Unsure how to debug this. https://gist.github.com/x64-elf-sh42/83393e319ad8280b8704fbe3f499e381 to compile simply: gcc test.c -o thingy This code works on my machine which is: Linux 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux GDB -p on the pid reports that another pid is attached and the operation is illegal. That other pid is the bash shell that i spawned this binary from (code in gist). it's useful for anti-debugging, but it seems odd it will attach it's parent to the process since that's not actually doing the attach call. If anything i'd expect the pid attached to itself, rather than the parent getting attached. The first call to ptrace (traceme) gets return value 0. The second call (attach) gets return value -1. That does seem correct, but yet there is something 'attached' when i try to use GDB. If I only do the traceme call, it does not get attached by Bash, so it looks totally like the 'attach' call has a side effect of attaching the parent, rather than just only failing. Kind regards, ~sh42

9 months, 2 weeks

1
0
0 0

How do we track regressions affecting multiple (stable) trees?

by Christian Heusel

Hello everyone, I wondered a few times in the last months how we could properly track regressions for the stable series, as I'm always a bit unsure how proper use of regzbot would look for these cases. For issues that affect mainline usually just the commit itself is specified with the relevant "#regzbot introduced: ..." invocation, but how would one do this if the stable trees are also affected? Do we need to specify "#regzbot introduced" for each backported version of the upstream commit?! IMO this is especially interesting because sometimes getting a patchset to fix the older trees can take quite some time since possibly backport dependencies have to be found or even custom patches need to be written, as it i.e. was the case [here][0]. This led to fixes for the linux-6.1.y branch landing a bit later which would be good to track with regzbot so it does not fall through the cracks. Maybe there already is a regzbot facility to do this that I have just missed, but I thought if there is people on the lists will know :) Cheers, Chris P.S.: I hope everybody had a great time at the conferences! I hope to also make it next year .. [0]: https://lore.kernel.org/all/66bcb6f68172f_adbf529471@willemb.c.googlers.com…

9 months, 2 weeks

2
1
0 0

Re: [PATCH 6.11 00/12] 6.11.1-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

9 months, 2 weeks

1
0
0 0

[PATCH 1/1] USB: serial: option: add Telit FN920C04 MBIM compositions

by Daniele Palmas

Add the following Telit FN920C04 compositions: 0x10a2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag) T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 17 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10a2 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN920 S: SerialNumber=92c4c4d8 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10a7: MBIM + tty (AT) + tty (AT) + tty (diag) T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 18 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10a7 Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN920 S: SerialNumber=92c4c4d8 C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms 0x10aa: MBIM + tty (AT) + tty (diag) + DPL (data packet logging) + adb T: Bus=03 Lev=01 Prnt=03 Port=06 Cnt=01 Dev#= 15 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=10aa Rev=05.15 S: Manufacturer=Telit Cinterion S: Product=FN920 S: SerialNumber=92c4c4d8 C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Daniele Palmas <dnlplm(a)gmail.com> --- drivers/usb/serial/option.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index 176f38750ad5..6dcb73586e0b 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -1380,10 +1380,16 @@ static const struct usb_device_id option_ids[] = { .driver_info = NCTRL(0) | RSVD(1) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a0, 0xff), /* Telit FN20C04 (rmnet) */ .driver_info = RSVD(0) | NCTRL(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a2, 0xff), /* Telit FN920C04 (MBIM) */ + .driver_info = NCTRL(4) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a4, 0xff), /* Telit FN20C04 (rmnet) */ .driver_info = RSVD(0) | NCTRL(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a7, 0xff), /* Telit FN920C04 (MBIM) */ + .driver_info = NCTRL(4) }, { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10a9, 0xff), /* Telit FN20C04 (rmnet) */ .driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10aa, 0xff), /* Telit FN920C04 (MBIM) */ + .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) }, { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) }, { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM), -- 2.37.1

9 months, 2 weeks

2
1
0 0

[PATCH] ext4: fix off by one issue in alloc_flex_gd()

by libaokun＠huaweicloud.com

From: Baokun Li <libaokun1(a)huawei.com> Wesley reported an issue: ================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ------------[ cut here ]------------ kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 RIP: 0010:ext4_resize_fs+0x1212/0x12d0 Call Trace: __ext4_ioctl+0x4e0/0x1800 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0x99/0xd0 x64_sys_call+0x1206/0x20d0 do_syscall_64+0x72/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== While reviewing the patch, Honza found that when adjusting resize_bg in alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than flexbg_size. The reproduction of the problem requires the following: o_group = flexbg_size * 2 * n; o_size = (o_group + 1) * group_size; n_group: [o_group + flexbg_size, o_group + flexbg_size * 2) o_size = (n_group + 1) * group_size; Take n=0,flexbg_size=16 as an example: last:15 |o---------------|--------------n-| o_group:0 resize to n_group:30 The corresponding reproducer is: img=test.img truncate -s 600M $img mkfs.ext4 -F $img -b 1024 -G 16 8M dev=`losetup -f --show $img` mkdir -p /tmp/test mount $dev /tmp/test resize2fs $dev 248M Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE() to prevent the issue from happening again. Reported-by: Wesley Hershberger <wesley.hershberger(a)canonical.com> Closes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2081231 Reported-by: Stéphane Graber <stgraber(a)stgraber.org> Closes: https://lore.kernel.org/all/20240925143325.518508-1-aleksandr.mikhalitsyn@c… Tested-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn(a)canonical.com> Tested-by: Eric Sandeen <sandeen(a)redhat.com> Fixes: 665d3e0af4d3 ("ext4: reduce unnecessary memory allocation in alloc_flex_gd()") Cc: stable(a)vger.kernel.org Signed-off-by: Baokun Li <libaokun1(a)huawei.com> --- fs/ext4/resize.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c index e04eb08b9060..397970121d43 100644 --- a/fs/ext4/resize.c +++ b/fs/ext4/resize.c @@ -253,9 +253,9 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned int flexbg_size, /* Avoid allocating large 'groups' array if not needed */ last_group = o_group | (flex_gd->resize_bg - 1); if (n_group <= last_group) - flex_gd->resize_bg = 1 << fls(n_group - o_group + 1); + flex_gd->resize_bg = 1 << fls(n_group - o_group); else if (n_group - last_group < flex_gd->resize_bg) - flex_gd->resize_bg = 1 << max(fls(last_group - o_group + 1), + flex_gd->resize_bg = 1 << max(fls(last_group - o_group), fls(n_group - last_group)); flex_gd->groups = kmalloc_array(flex_gd->resize_bg, -- 2.46.0

9 months, 2 weeks

4
4
0 0

[PATCH 0/2 v5.10] Fix CVE-2024-38588

by Shivani Agarwal

From: Shivani Agarwal <shivania2(a)vmware.com> Hi, To Fix CVE-2024-38588 e60b613df8b6 is required, but it has a dependency on aebfd12521d9. Therefore backported both patches for v5.10. Thanks, Shivani Shivani Agarwal (2): x86/ibt,ftrace: Search for __fentry__ location ftrace: Fix possible use-after-free issue in ftrace_location() arch/x86/kernel/kprobes/core.c | 11 +----- kernel/bpf/trampoline.c | 20 ++-------- kernel/kprobes.c | 8 +--- kernel/trace/ftrace.c | 71 ++++++++++++++++++++++++++-------- 4 files changed, 63 insertions(+), 47 deletions(-) -- 2.39.4

9 months, 2 weeks

2
3
0 0

[PATCH 5.10] drm/vmwgfx: Remove rcu locks from user resources

by Huang Xiaojia

[ Upstream commit a309c7194e8a2f8bd4539b9449917913f6c2cd50 ] User resource lookups used rcu to avoid two extra atomics. Unfortunately the rcu paths were buggy and it was easy to make the driver crash by submitting command buffers from two different threads. Because the lookups never show up in performance profiles replace them with a regular spin lock which fixes the races in accesses to those shared resources. Fixes kernel oops'es in IGT's vmwgfx execution_buffer stress test and seen crashes with apps using shared resources. Fixes: e14c02e6b699 ("drm/vmwgfx: Look up objects without taking a reference") Signed-off-by: Huang Xiaojia <huangxiaojia2(a)huawei.com> --- drivers/gpu/drm/drm_hashtab.c | 5 +- drivers/gpu/drm/vmwgfx/ttm_object.c | 55 +++---- drivers/gpu/drm/vmwgfx/ttm_object.h | 14 -- drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 42 ------ drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 27 +--- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 176 +++++++++++------------ drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 35 ----- include/drm/drm_hashtab.h | 2 + 8 files changed, 105 insertions(+), 251 deletions(-) diff --git a/drivers/gpu/drm/drm_hashtab.c b/drivers/gpu/drm/drm_hashtab.c index c50fa6f0709f..a61642835542 100644 --- a/drivers/gpu/drm/drm_hashtab.c +++ b/drivers/gpu/drm/drm_hashtab.c @@ -74,8 +74,8 @@ void drm_ht_verbose_list(struct drm_open_hash *ht, unsigned long key) DRM_DEBUG("count %d, key: 0x%08lx\n", count++, entry->key); } -static struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht, - unsigned long key) +struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht, + unsigned long key) { struct drm_hash_item *entry; struct hlist_head *h_list; @@ -91,6 +91,7 @@ static struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht, } return NULL; } +EXPORT_SYMBOL(drm_ht_find_key); static struct hlist_node *drm_ht_find_key_rcu(struct drm_open_hash *ht, unsigned long key) diff --git a/drivers/gpu/drm/vmwgfx/ttm_object.c b/drivers/gpu/drm/vmwgfx/ttm_object.c index 16077785ad47..72a4aaeba0c7 100644 --- a/drivers/gpu/drm/vmwgfx/ttm_object.c +++ b/drivers/gpu/drm/vmwgfx/ttm_object.c @@ -137,6 +137,20 @@ ttm_object_file_ref(struct ttm_object_file *tfile) return tfile; } +static int ttm_tfile_find_ref(struct drm_open_hash *ht, + uint32_t key, + struct drm_hash_item **item) +{ + struct hlist_node *h_node; + + h_node = drm_ht_find_key(ht, key); + if (!h_node) + return -EINVAL; + + *item = hlist_entry(h_node, struct drm_hash_item, head); + return 0; +} + static void ttm_object_file_destroy(struct kref *kref) { struct ttm_object_file *tfile = @@ -225,41 +239,6 @@ void ttm_base_object_unref(struct ttm_base_object **p_base) kref_put(&base->refcount, ttm_release_base); } -/** - * ttm_base_object_noref_lookup - look up a base object without reference - * @tfile: The struct ttm_object_file the object is registered with. - * @key: The object handle. - * - * This function looks up a ttm base object and returns a pointer to it - * without refcounting the pointer. The returned pointer is only valid - * until ttm_base_object_noref_release() is called, and the object - * pointed to by the returned pointer may be doomed. Any persistent usage - * of the object requires a refcount to be taken using kref_get_unless_zero(). - * Iff this function returns successfully it needs to be paired with - * ttm_base_object_noref_release() and no sleeping- or scheduling functions - * may be called inbetween these function callse. - * - * Return: A pointer to the object if successful or NULL otherwise. - */ -struct ttm_base_object * -ttm_base_object_noref_lookup(struct ttm_object_file *tfile, uint32_t key) -{ - struct drm_hash_item *hash; - struct drm_open_hash *ht = &tfile->ref_hash[TTM_REF_USAGE]; - int ret; - - rcu_read_lock(); - ret = drm_ht_find_item_rcu(ht, key, &hash); - if (ret) { - rcu_read_unlock(); - return NULL; - } - - __release(RCU); - return drm_hash_entry(hash, struct ttm_ref_object, hash)->obj; -} -EXPORT_SYMBOL(ttm_base_object_noref_lookup); - struct ttm_base_object *ttm_base_object_lookup(struct ttm_object_file *tfile, uint32_t key) { @@ -268,15 +247,15 @@ struct ttm_base_object *ttm_base_object_lookup(struct ttm_object_file *tfile, struct drm_open_hash *ht = &tfile->ref_hash[TTM_REF_USAGE]; int ret; - rcu_read_lock(); - ret = drm_ht_find_item_rcu(ht, key, &hash); + spin_lock(&tfile->lock); + ret = ttm_tfile_find_ref(ht, key, &hash); if (likely(ret == 0)) { base = drm_hash_entry(hash, struct ttm_ref_object, hash)->obj; if (!kref_get_unless_zero(&base->refcount)) base = NULL; } - rcu_read_unlock(); + spin_unlock(&tfile->lock); return base; } diff --git a/drivers/gpu/drm/vmwgfx/ttm_object.h b/drivers/gpu/drm/vmwgfx/ttm_object.h index ede26df87c93..d16334e5d509 100644 --- a/drivers/gpu/drm/vmwgfx/ttm_object.h +++ b/drivers/gpu/drm/vmwgfx/ttm_object.h @@ -359,18 +359,4 @@ extern int ttm_prime_handle_to_fd(struct ttm_object_file *tfile, */ #define TTM_OBJ_EXTRA_SIZE 128 -struct ttm_base_object * -ttm_base_object_noref_lookup(struct ttm_object_file *tfile, uint32_t key); - -/** - * ttm_base_object_noref_release - release a base object pointer looked up - * without reference - * - * Releases a base object pointer looked up with ttm_base_object_noref_lookup(). - */ -static inline void ttm_base_object_noref_release(void) -{ - __acquire(RCU); - rcu_read_unlock(); -} #endif diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c index 9a66ba254326..eb76cca4b29c 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c @@ -976,48 +976,6 @@ int vmw_user_bo_lookup(struct ttm_object_file *tfile, return 0; } -/** - * vmw_user_bo_noref_lookup - Look up a vmw user buffer object without reference - * @tfile: The TTM object file the handle is registered with. - * @handle: The user buffer object handle. - * - * This function looks up a struct vmw_user_bo and returns a pointer to the - * struct vmw_buffer_object it derives from without refcounting the pointer. - * The returned pointer is only valid until vmw_user_bo_noref_release() is - * called, and the object pointed to by the returned pointer may be doomed. - * Any persistent usage of the object requires a refcount to be taken using - * ttm_bo_reference_unless_doomed(). Iff this function returns successfully it - * needs to be paired with vmw_user_bo_noref_release() and no sleeping- - * or scheduling functions may be called inbetween these function calls. - * - * Return: A struct vmw_buffer_object pointer if successful or negative - * error pointer on failure. - */ -struct vmw_buffer_object * -vmw_user_bo_noref_lookup(struct ttm_object_file *tfile, u32 handle) -{ - struct vmw_user_buffer_object *vmw_user_bo; - struct ttm_base_object *base; - - base = ttm_base_object_noref_lookup(tfile, handle); - if (!base) { - DRM_ERROR("Invalid buffer object handle 0x%08lx.\n", - (unsigned long)handle); - return ERR_PTR(-ESRCH); - } - - if (unlikely(ttm_base_object_type(base) != ttm_buffer_type)) { - ttm_base_object_noref_release(); - DRM_ERROR("Invalid buffer object handle 0x%08lx.\n", - (unsigned long)handle); - return ERR_PTR(-EINVAL); - } - - vmw_user_bo = container_of(base, struct vmw_user_buffer_object, - prime.base); - return &vmw_user_bo->vbo; -} - /** * vmw_user_bo_reference - Open a handle to a vmw user buffer object. * diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h index fa285c20d6da..0f7a0f9169f8 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h @@ -768,12 +768,7 @@ extern int vmw_user_resource_lookup_handle( uint32_t handle, const struct vmw_user_resource_conv *converter, struct vmw_resource **p_res); -extern struct vmw_resource * -vmw_user_resource_noref_lookup_handle(struct vmw_private *dev_priv, - struct ttm_object_file *tfile, - uint32_t handle, - const struct vmw_user_resource_conv * - converter); + extern int vmw_stream_claim_ioctl(struct drm_device *dev, void *data, struct drm_file *file_priv); extern int vmw_stream_unref_ioctl(struct drm_device *dev, void *data, @@ -811,15 +806,6 @@ static inline bool vmw_resource_mob_attached(const struct vmw_resource *res) return !RB_EMPTY_NODE(&res->mob_node); } -/** - * vmw_user_resource_noref_release - release a user resource pointer looked up - * without reference - */ -static inline void vmw_user_resource_noref_release(void) -{ - ttm_base_object_noref_release(); -} - /** * Buffer object helper functions - vmwgfx_bo.c */ @@ -880,17 +866,6 @@ extern void vmw_bo_unmap(struct vmw_buffer_object *vbo); extern void vmw_bo_move_notify(struct ttm_buffer_object *bo, struct ttm_resource *mem); extern void vmw_bo_swap_notify(struct ttm_buffer_object *bo); -extern struct vmw_buffer_object * -vmw_user_bo_noref_lookup(struct ttm_object_file *tfile, u32 handle); - -/** - * vmw_user_bo_noref_release - release a buffer object pointer looked up - * without reference - */ -static inline void vmw_user_bo_noref_release(void) -{ - ttm_base_object_noref_release(); -} /** * vmw_bo_adjust_prio - Adjust the buffer object eviction priority diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c index 616f6cb62278..c1aab5ee2a35 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c @@ -285,20 +285,26 @@ static void vmw_execbuf_rcache_update(struct vmw_res_cache_entry *rcache, rcache->valid_handle = 0; } +enum vmw_val_add_flags { + vmw_val_add_flag_none = 0, + vmw_val_add_flag_noctx = 1 << 0, +}; + /** - * vmw_execbuf_res_noref_val_add - Add a resource described by an unreferenced - * rcu-protected pointer to the validation list. + * vmw_execbuf_res_val_add - Add a resource to the validation list. * * @sw_context: Pointer to the software context. * @res: Unreferenced rcu-protected pointer to the resource. * @dirty: Whether to change dirty status. + * @flags: specifies whether to use the context or not * * Returns: 0 on success. Negative error code on failure. Typical error codes * are %-EINVAL on inconsistency and %-ESRCH if the resource was doomed. */ -static int vmw_execbuf_res_noref_val_add(struct vmw_sw_context *sw_context, - struct vmw_resource *res, - u32 dirty) +static int vmw_execbuf_res_val_add(struct vmw_sw_context *sw_context, + struct vmw_resource *res, + u32 dirty, + u32 flags) { struct vmw_private *dev_priv = res->dev_priv; int ret; @@ -313,24 +319,30 @@ static int vmw_execbuf_res_noref_val_add(struct vmw_sw_context *sw_context, if (dirty) vmw_validation_res_set_dirty(sw_context->ctx, rcache->private, dirty); - vmw_user_resource_noref_release(); return 0; } - priv_size = vmw_execbuf_res_size(dev_priv, res_type); - ret = vmw_validation_add_resource(sw_context->ctx, res, priv_size, - dirty, (void **)&ctx_info, - &first_usage); - vmw_user_resource_noref_release(); - if (ret) - return ret; + if ((flags & vmw_val_add_flag_noctx) != 0) { + ret = vmw_validation_add_resource(sw_context->ctx, res, 0, dirty, + (void **)&ctx_info, NULL); + if (ret) + return ret; - if (priv_size && first_usage) { - ret = vmw_cmd_ctx_first_setup(dev_priv, sw_context, res, - ctx_info); - if (ret) { - VMW_DEBUG_USER("Failed first usage context setup.\n"); + } else { + priv_size = vmw_execbuf_res_size(dev_priv, res_type); + ret = vmw_validation_add_resource(sw_context->ctx, res, priv_size, + dirty, (void **)&ctx_info, + &first_usage); + if (ret) return ret; + + if (priv_size && first_usage) { + ret = vmw_cmd_ctx_first_setup(dev_priv, sw_context, res, + ctx_info); + if (ret) { + VMW_DEBUG_USER("Failed first usage context setup.\n"); + return ret; + } } } @@ -338,43 +350,6 @@ static int vmw_execbuf_res_noref_val_add(struct vmw_sw_context *sw_context, return 0; } -/** - * vmw_execbuf_res_noctx_val_add - Add a non-context resource to the resource - * validation list if it's not already on it - * - * @sw_context: Pointer to the software context. - * @res: Pointer to the resource. - * @dirty: Whether to change dirty status. - * - * Returns: Zero on success. Negative error code on failure. - */ -static int vmw_execbuf_res_noctx_val_add(struct vmw_sw_context *sw_context, - struct vmw_resource *res, - u32 dirty) -{ - struct vmw_res_cache_entry *rcache; - enum vmw_res_type res_type = vmw_res_type(res); - void *ptr; - int ret; - - rcache = &sw_context->res_cache[res_type]; - if (likely(rcache->valid && rcache->res == res)) { - if (dirty) - vmw_validation_res_set_dirty(sw_context->ctx, - rcache->private, dirty); - return 0; - } - - ret = vmw_validation_add_resource(sw_context->ctx, res, 0, dirty, - &ptr, NULL); - if (ret) - return ret; - - vmw_execbuf_rcache_update(rcache, res, ptr); - - return 0; -} - /** * vmw_view_res_val_add - Add a view and the surface it's pointing to to the * validation list @@ -393,13 +368,13 @@ static int vmw_view_res_val_add(struct vmw_sw_context *sw_context, * First add the resource the view is pointing to, otherwise it may be * swapped out when the view is validated. */ - ret = vmw_execbuf_res_noctx_val_add(sw_context, vmw_view_srf(view), - vmw_view_dirtying(view)); + ret = vmw_execbuf_res_val_add(sw_context, vmw_view_srf(view), + vmw_view_dirtying(view), vmw_val_add_flag_noctx); if (ret) return ret; - return vmw_execbuf_res_noctx_val_add(sw_context, view, - VMW_RES_DIRTY_NONE); + return vmw_execbuf_res_val_add(sw_context, view, VMW_RES_DIRTY_NONE, + vmw_val_add_flag_noctx); } /** @@ -470,8 +445,9 @@ static int vmw_resource_context_res_add(struct vmw_private *dev_priv, if (IS_ERR_OR_NULL(res)) continue; - ret = vmw_execbuf_res_noctx_val_add(sw_context, res, - VMW_RES_DIRTY_SET); + ret = vmw_execbuf_res_val_add(sw_context, res, + VMW_RES_DIRTY_SET, + vmw_val_add_flag_noctx); if (unlikely(ret != 0)) return ret; } @@ -485,9 +461,9 @@ static int vmw_resource_context_res_add(struct vmw_private *dev_priv, if (vmw_res_type(entry->res) == vmw_res_view) ret = vmw_view_res_val_add(sw_context, entry->res); else - ret = vmw_execbuf_res_noctx_val_add - (sw_context, entry->res, - vmw_binding_dirtying(entry->bt)); + ret = vmw_execbuf_res_val_add(sw_context, entry->res, + vmw_binding_dirtying(entry->bt), + vmw_val_add_flag_noctx); if (unlikely(ret != 0)) break; } @@ -653,7 +629,8 @@ vmw_cmd_res_check(struct vmw_private *dev_priv, { struct vmw_res_cache_entry *rcache = &sw_context->res_cache[res_type]; struct vmw_resource *res; - int ret; + int ret = 0; + bool needs_unref = false; if (p_res) *p_res = NULL; @@ -678,17 +655,18 @@ vmw_cmd_res_check(struct vmw_private *dev_priv, if (ret) return ret; - res = vmw_user_resource_noref_lookup_handle - (dev_priv, sw_context->fp->tfile, *id_loc, converter); - if (IS_ERR(res)) { + ret = vmw_user_resource_lookup_handle + (dev_priv, sw_context->fp->tfile, *id_loc, converter, &res); + if (ret != 0) { VMW_DEBUG_USER("Could not find/use resource 0x%08x.\n", (unsigned int) *id_loc); - return PTR_ERR(res); + return ret; } + needs_unref = true; - ret = vmw_execbuf_res_noref_val_add(sw_context, res, dirty); + ret = vmw_execbuf_res_val_add(sw_context, res, dirty, vmw_val_add_flag_none); if (unlikely(ret != 0)) - return ret; + goto res_check_done; if (rcache->valid && rcache->res == res) { rcache->valid_handle = true; @@ -703,7 +681,11 @@ vmw_cmd_res_check(struct vmw_private *dev_priv, if (p_res) *p_res = res; - return 0; +res_check_done: + if (needs_unref) + vmw_resource_unreference(&res); + + return ret; } /** @@ -1166,14 +1148,14 @@ static int vmw_translate_mob_ptr(struct vmw_private *dev_priv, int ret; vmw_validation_preload_bo(sw_context->ctx); - vmw_bo = vmw_user_bo_noref_lookup(sw_context->fp->tfile, handle); - if (IS_ERR(vmw_bo)) { + ret = vmw_user_bo_lookup(sw_context->fp->tfile, handle, &vmw_bo, NULL); + if (ret != 0) { VMW_DEBUG_USER("Could not find or use MOB buffer.\n"); return PTR_ERR(vmw_bo); } ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo, true, false); - vmw_user_bo_noref_release(); + ttm_bo_put(&vmw_bo->base); if (unlikely(ret != 0)) return ret; @@ -1221,14 +1203,14 @@ static int vmw_translate_guest_ptr(struct vmw_private *dev_priv, int ret; vmw_validation_preload_bo(sw_context->ctx); - vmw_bo = vmw_user_bo_noref_lookup(sw_context->fp->tfile, handle); - if (IS_ERR(vmw_bo)) { + ret = vmw_user_bo_lookup(sw_context->fp->tfile, handle, &vmw_bo, NULL); + if (ret != 0) { VMW_DEBUG_USER("Could not find or use GMR region.\n"); return PTR_ERR(vmw_bo); } ret = vmw_validation_add_bo(sw_context->ctx, vmw_bo, false, false); - vmw_user_bo_noref_release(); + ttm_bo_put(&vmw_bo->base); if (unlikely(ret != 0)) return ret; @@ -2024,8 +2006,9 @@ static int vmw_cmd_set_shader(struct vmw_private *dev_priv, res = vmw_shader_lookup(vmw_context_res_man(ctx), cmd->body.shid, cmd->body.type); if (!IS_ERR(res)) { - ret = vmw_execbuf_res_noctx_val_add(sw_context, res, - VMW_RES_DIRTY_NONE); + ret = vmw_execbuf_res_val_add(sw_context, res, + VMW_RES_DIRTY_NONE, + vmw_val_add_flag_noctx); if (unlikely(ret != 0)) return ret; @@ -2227,8 +2210,9 @@ static int vmw_cmd_dx_set_shader(struct vmw_private *dev_priv, return PTR_ERR(res); } - ret = vmw_execbuf_res_noctx_val_add(sw_context, res, - VMW_RES_DIRTY_NONE); + ret = vmw_execbuf_res_val_add(sw_context, res, + VMW_RES_DIRTY_NONE, + vmw_val_add_flag_noctx); if (ret) return ret; } @@ -2735,8 +2719,8 @@ static int vmw_cmd_dx_bind_shader(struct vmw_private *dev_priv, return PTR_ERR(res); } - ret = vmw_execbuf_res_noctx_val_add(sw_context, res, - VMW_RES_DIRTY_NONE); + ret = vmw_execbuf_res_val_add(sw_context, res, VMW_RES_DIRTY_NONE, + vmw_val_add_flag_noctx); if (ret) { VMW_DEBUG_USER("Error creating resource validation node.\n"); return ret; @@ -3058,8 +3042,8 @@ static int vmw_cmd_dx_bind_streamoutput(struct vmw_private *dev_priv, vmw_dx_streamoutput_set_size(res, cmd->body.sizeInBytes); - ret = vmw_execbuf_res_noctx_val_add(sw_context, res, - VMW_RES_DIRTY_NONE); + ret = vmw_execbuf_res_val_add(sw_context, res, VMW_RES_DIRTY_NONE, + vmw_val_add_flag_noctx); if (ret) { DRM_ERROR("Error creating resource validation node.\n"); return ret; @@ -3108,8 +3092,8 @@ static int vmw_cmd_dx_set_streamoutput(struct vmw_private *dev_priv, return 0; } - ret = vmw_execbuf_res_noctx_val_add(sw_context, res, - VMW_RES_DIRTY_NONE); + ret = vmw_execbuf_res_val_add(sw_context, res, VMW_RES_DIRTY_NONE, + vmw_val_add_flag_noctx); if (ret) { DRM_ERROR("Error creating resource validation node.\n"); return ret; @@ -4008,22 +3992,26 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv, if (ret) return ret; - res = vmw_user_resource_noref_lookup_handle + ret = vmw_user_resource_lookup_handle (dev_priv, sw_context->fp->tfile, handle, - user_context_converter); - if (IS_ERR(res)) { + user_context_converter, &res); + if (ret != 0) { VMW_DEBUG_USER("Could not find or user DX context 0x%08x.\n", (unsigned int) handle); - return PTR_ERR(res); + return ret; } - ret = vmw_execbuf_res_noref_val_add(sw_context, res, VMW_RES_DIRTY_SET); - if (unlikely(ret != 0)) + ret = vmw_execbuf_res_val_add(sw_context, res, VMW_RES_DIRTY_SET, + vmw_val_add_flag_none); + if (unlikely(ret != 0)) { + vmw_resource_unreference(&res); return ret; + } sw_context->dx_ctx_node = vmw_execbuf_info_from_res(sw_context, res); sw_context->man = vmw_context_res_man(res); + vmw_resource_unreference(&res); return 0; } diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c index 26f88d64879f..64f9f407752b 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c @@ -282,41 +282,6 @@ int vmw_user_resource_lookup_handle(struct vmw_private *dev_priv, return ret; } -/** - * vmw_user_resource_lookup_handle - lookup a struct resource from a - * TTM user-space handle and perform basic type checks - * - * @dev_priv: Pointer to a device private struct - * @tfile: Pointer to a struct ttm_object_file identifying the caller - * @handle: The TTM user-space handle - * @converter: Pointer to an object describing the resource type - * @p_res: On successful return the location pointed to will contain - * a pointer to a refcounted struct vmw_resource. - * - * If the handle can't be found or is associated with an incorrect resource - * type, -EINVAL will be returned. - */ -struct vmw_resource * -vmw_user_resource_noref_lookup_handle(struct vmw_private *dev_priv, - struct ttm_object_file *tfile, - uint32_t handle, - const struct vmw_user_resource_conv - *converter) -{ - struct ttm_base_object *base; - - base = ttm_base_object_noref_lookup(tfile, handle); - if (!base) - return ERR_PTR(-ESRCH); - - if (unlikely(ttm_base_object_type(base) != converter->object_type)) { - ttm_base_object_noref_release(); - return ERR_PTR(-EINVAL); - } - - return converter->base_obj_to_res(base); -} - /** * Helper function that looks either a surface or bo. * diff --git a/include/drm/drm_hashtab.h b/include/drm/drm_hashtab.h index bb95ff011baf..fe5ad4793a15 100644 --- a/include/drm/drm_hashtab.h +++ b/include/drm/drm_hashtab.h @@ -49,6 +49,8 @@ struct drm_open_hash { u8 order; }; +struct hlist_node *drm_ht_find_key(struct drm_open_hash *ht, unsigned long key); + int drm_ht_create(struct drm_open_hash *ht, unsigned int order); int drm_ht_insert_item(struct drm_open_hash *ht, struct drm_hash_item *item); int drm_ht_just_insert_please(struct drm_open_hash *ht, struct drm_hash_item *item, -- 2.34.1

9 months, 2 weeks

2
1
0 0

[PATCH v2] Revert "vrf: Remove unnecessary RCU-bh critical section"

by greearb＠candelatech.com

From: Ben Greear <greearb(a)candelatech.com> This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853. dev_queue_xmit_nit needs to run with bh locking, otherwise it conflicts with packets coming in from a nic in softirq context and packets being transmitted from user context. ================================ WARNING: inconsistent lock state 6.11.0 #1 Tainted: G W -------------------------------- inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30 {IN-SOFTIRQ-W} state was registered at: lock_acquire+0x19a/0x4f0 _raw_spin_lock+0x27/0x40 packet_rcv+0xa33/0x1320 __netif_receive_skb_core.constprop.0+0xcb0/0x3a90 __netif_receive_skb_list_core+0x2c9/0x890 netif_receive_skb_list_internal+0x610/0xcc0 napi_complete_done+0x1c0/0x7c0 igb_poll+0x1dbb/0x57e0 [igb] __napi_poll.constprop.0+0x99/0x430 net_rx_action+0x8e7/0xe10 handle_softirqs+0x1b7/0x800 __irq_exit_rcu+0x91/0xc0 irq_exit_rcu+0x5/0x10 [snip] other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(rlock-AF_PACKET); <Interrupt> lock(rlock-AF_PACKET); *** DEADLOCK *** Call Trace: <TASK> dump_stack_lvl+0x73/0xa0 mark_lock+0x102e/0x16b0 __lock_acquire+0x9ae/0x6170 lock_acquire+0x19a/0x4f0 _raw_spin_lock+0x27/0x40 tpacket_rcv+0x863/0x3b30 dev_queue_xmit_nit+0x709/0xa40 vrf_finish_direct+0x26e/0x340 [vrf] vrf_l3_out+0x5f4/0xe80 [vrf] __ip_local_out+0x51e/0x7a0 [snip] Fixes: 504fc6f4f7f6 ("vrf: Remove unnecessary RCU-bh critical section") Link: https://lore.kernel.org/netdev/05765015-f727-2f30-58da-2ad6fa7ea99f@candela… Signed-off-by: Ben Greear <greearb(a)candelatech.com> --- v2: Edit patch description. drivers/net/vrf.c | 2 ++ net/core/dev.c | 1 + 2 files changed, 3 insertions(+) diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 4d8ccaf9a2b4..4087f72f0d2b 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c @@ -608,7 +608,9 @@ static void vrf_finish_direct(struct sk_buff *skb) eth_zero_addr(eth->h_dest); eth->h_proto = skb->protocol; + rcu_read_lock_bh(); dev_queue_xmit_nit(skb, vrf_dev); + rcu_read_unlock_bh(); skb_pull(skb, ETH_HLEN); } diff --git a/net/core/dev.c b/net/core/dev.c index cd479f5f22f6..566e69a38eed 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2285,6 +2285,7 @@ EXPORT_SYMBOL_GPL(dev_nit_active); /* * Support routine. Sends outgoing frames to any network * taps currently in use. + * BH must be disabled before calling this. */ void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev) -- 2.42.0

9 months, 2 weeks

4
5
0 0

[PATCH] virtio: console: Fix atomicity violation in fill_readbuf()

by Qiu-ji Chen

The atomicity violation issue is due to the invalidation of the function port_has_data()'s check caused by concurrency. Imagine a scenario where a port that contains data passes the validity check but is simultaneously assigned a value with no data. This could result in an empty port passing the validity check, potentially leading to a null pointer dereference error later in the program, which is inconsistent. To address this issue, we believe there is a problem with the original logic. Since the validity check and the read operation were separated, it could lead to inconsistencies between the data that passes the check and the data being read. Therefore, we moved the main logic of the port_has_data function into this function and placed the read operation within a lock, ensuring that the validity check and read operation are not separated, thus resolving the problem. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 203baab8ba31 ("virtio: console: Introduce function to hand off data from host to readers") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/char/virtio_console.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c index de7d720d99fa..5aaf07f71a4c 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -656,10 +656,14 @@ static ssize_t fill_readbuf(struct port *port, u8 __user *out_buf, struct port_buffer *buf; unsigned long flags; - if (!out_count || !port_has_data(port)) + if (!out_count) return 0; - buf = port->inbuf; + spin_lock_irqsave(&port->inbuf_lock, flags); + buf = port->inbuf = get_inbuf(port); + spin_unlock_irqrestore(&port->inbuf_lock, flags); + if (!buf) + return 0; out_count = min(out_count, buf->len - buf->offset); if (to_user) { -- 2.34.1

9 months, 2 weeks

1
0
0 0

[PATCH] drivers:media:radio: Fix atomicity violation in fmc_send_cmd()

by Qiu-ji Chen

Atomicity violation occurs when the fmc_send_cmd() function is executed simultaneously with the modification of the fmdev->resp_skb value. Consider a scenario where, after passing the validity check within the function, a non-null fmdev->resp_skb variable is assigned a null value. This results in an invalid fmdev->resp_skb variable passing the validity check. As seen in the later part of the function, skb = fmdev->resp_skb; when the invalid fmdev->resp_skb passes the check, a null pointer dereference error may occur at line 478, evt_hdr = (void *)skb->data; To address this issue, it is recommended to include the validity check of fmdev->resp_skb within the locked section of the function. This modification ensures that the value of fmdev->resp_skb does not change during the validation process, thereby maintaining its validity. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/media/radio/wl128x/fmdrv_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c index 3d36f323a8f8..4d032436691c 100644 --- a/drivers/media/radio/wl128x/fmdrv_common.c +++ b/drivers/media/radio/wl128x/fmdrv_common.c @@ -466,11 +466,12 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 fm_op, u16 type, void *payload, jiffies_to_msecs(FM_DRV_TX_TIMEOUT) / 1000); return -ETIMEDOUT; } + spin_lock_irqsave(&fmdev->resp_skb_lock, flags); if (!fmdev->resp_skb) { + spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); fmerr("Response SKB is missing\n"); return -EFAULT; } - spin_lock_irqsave(&fmdev->resp_skb_lock, flags); skb = fmdev->resp_skb; fmdev->resp_skb = NULL; spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags); -- 2.34.1

9 months, 2 weeks

1
0
0 0

[PATCH 6.1.y] btrfs: calculate the right space for delayed refs when updating global reserve

by Diogo Jahchan Koike

From: Filipe Manana <fdmanana(a)suse.com> commit f8f210dc84709804c9f952297f2bfafa6ea6b4bd upstream. When updating the global block reserve, we account for the 6 items needed by an unlink operation and the 6 delayed references for each one of those items. However the calculation for the delayed references is not correct in case we have the free space tree enabled, as in that case we need to touch the free space tree as well and therefore need twice the number of bytes. So use the btrfs_calc_delayed_ref_bytes() helper to calculate the number of bytes need for the delayed references at btrfs_update_global_block_rsv(). Reviewed-by: Josef Bacik <josef(a)toxicpanda.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> [Diogo: this patch has been cherry-picked from the original commit; conflicts included lack of a define (picked from commit 5630e2bcfe223) and lack of btrfs_calc_delayed_ref_bytes (picked from commit 0e55a54502b97) - changed const struct -> struct for compatibility.] Signed-off-by: Diogo Jahchan Koike <djahchankoike(a)gmail.com> --- Fixes WARNING in btrfs_chunk_alloc (2) [0] [0]: https://syzkaller.appspot.com/bug?extid=57de2b05959bc1e659af --- fs/btrfs/block-rsv.c | 16 +++++++++------- fs/btrfs/block-rsv.h | 12 ++++++++++++ fs/btrfs/delayed-ref.h | 21 +++++++++++++++++++++ 3 files changed, 42 insertions(+), 7 deletions(-) diff --git a/fs/btrfs/block-rsv.c b/fs/btrfs/block-rsv.c index ec96285357e0..f7e3d6c2e302 100644 --- a/fs/btrfs/block-rsv.c +++ b/fs/btrfs/block-rsv.c @@ -378,17 +378,19 @@ void btrfs_update_global_block_rsv(struct btrfs_fs_info *fs_info) /* * But we also want to reserve enough space so we can do the fallback - * global reserve for an unlink, which is an additional 5 items (see the - * comment in __unlink_start_trans for what we're modifying.) + * global reserve for an unlink, which is an additional + * BTRFS_UNLINK_METADATA_UNITS items. * * But we also need space for the delayed ref updates from the unlink, - * so its 10, 5 for the actual operation, and 5 for the delayed ref - * updates. + * so add BTRFS_UNLINK_METADATA_UNITS units for delayed refs, one for + * each unlink metadata item. */ - min_items += 10; - + min_items += BTRFS_UNLINK_METADATA_UNITS; + num_bytes = max_t(u64, num_bytes, - btrfs_calc_insert_metadata_size(fs_info, min_items)); + btrfs_calc_insert_metadata_size(fs_info, min_items) + + btrfs_calc_delayed_ref_bytes(fs_info, + BTRFS_UNLINK_METADATA_UNITS)); spin_lock(&sinfo->lock); spin_lock(&block_rsv->lock); diff --git a/fs/btrfs/block-rsv.h b/fs/btrfs/block-rsv.h index 578c3497a455..662c52b4bd44 100644 --- a/fs/btrfs/block-rsv.h +++ b/fs/btrfs/block-rsv.h @@ -50,6 +50,18 @@ struct btrfs_block_rsv { u64 qgroup_rsv_reserved; }; +/* + * Number of metadata items necessary for an unlink operation: + * + * 1 for the possible orphan item + * 1 for the dir item + * 1 for the dir index + * 1 for the inode ref + * 1 for the inode + * 1 for the parent inode + */ +#define BTRFS_UNLINK_METADATA_UNITS 6 + void btrfs_init_block_rsv(struct btrfs_block_rsv *rsv, enum btrfs_rsv_type type); void btrfs_init_root_block_rsv(struct btrfs_root *root); struct btrfs_block_rsv *btrfs_alloc_block_rsv(struct btrfs_fs_info *fs_info, diff --git a/fs/btrfs/delayed-ref.h b/fs/btrfs/delayed-ref.h index d6304b690ec4..5c6bb23d45a5 100644 --- a/fs/btrfs/delayed-ref.h +++ b/fs/btrfs/delayed-ref.h @@ -253,6 +253,27 @@ extern struct kmem_cache *btrfs_delayed_extent_op_cachep; int __init btrfs_delayed_ref_init(void); void __cold btrfs_delayed_ref_exit(void); +static inline u64 btrfs_calc_delayed_ref_bytes(struct btrfs_fs_info *fs_info, + int num_delayed_refs) +{ + u64 num_bytes; + + num_bytes = btrfs_calc_insert_metadata_size(fs_info, num_delayed_refs); + + /* + * We have to check the mount option here because we could be enabling + * the free space tree for the first time and don't have the compat_ro + * option set yet. + * + * We need extra reservations if we have the free space tree because + * we'll have to modify that tree as well. + */ + if (btrfs_test_opt(fs_info, FREE_SPACE_TREE)) + num_bytes *= 2; + + return num_bytes; +} + static inline void btrfs_init_generic_ref(struct btrfs_ref *generic_ref, int action, u64 bytenr, u64 len, u64 parent) { -- 2.43.0

9 months, 2 weeks

2
1
0 0

[PATCH 6.1] wifi: mac80211: Avoid address calculations via out of bounds array indexing

by Xiangyu Chen

From: Kenton Groombridge <concord(a)gentoo.org> [ Upstream commit 2663d0462eb32ae7c9b035300ab6b1523886c718 ] req->n_channels must be set before req->channels[] can be used. This patch fixes one of the issues encountered in [1]. [ 83.964255] UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:364:4 [ 83.964258] index 0 is out of range for type 'struct ieee80211_channel *[]' [...] [ 83.964264] Call Trace: [ 83.964267] <TASK> [ 83.964269] dump_stack_lvl+0x3f/0xc0 [ 83.964274] __ubsan_handle_out_of_bounds+0xec/0x110 [ 83.964278] ieee80211_prep_hw_scan+0x2db/0x4b0 [ 83.964281] __ieee80211_start_scan+0x601/0x990 [ 83.964291] nl80211_trigger_scan+0x874/0x980 [ 83.964295] genl_family_rcv_msg_doit+0xe8/0x160 [ 83.964298] genl_rcv_msg+0x240/0x270 [...] [1] https://bugzilla.kernel.org/show_bug.cgi?id=218810 Co-authored-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Kees Cook <kees(a)kernel.org> Signed-off-by: Kenton Groombridge <concord(a)gentoo.org> Link: https://msgid.link/20240605152218.236061-1-concord@gentoo.org Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- net/mac80211/scan.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index 62c22ff329ad..d81b49fb6458 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -357,7 +357,8 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_sub_if_data *sdata) struct cfg80211_scan_request *req; struct cfg80211_chan_def chandef; u8 bands_used = 0; - int i, ielen, n_chans; + int i, ielen; + u32 *n_chans; u32 flags = 0; req = rcu_dereference_protected(local->scan_req, @@ -367,34 +368,34 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_sub_if_data *sdata) return false; if (ieee80211_hw_check(&local->hw, SINGLE_SCAN_ON_ALL_BANDS)) { + local->hw_scan_req->req.n_channels = req->n_channels; + for (i = 0; i < req->n_channels; i++) { local->hw_scan_req->req.channels[i] = req->channels[i]; bands_used |= BIT(req->channels[i]->band); } - - n_chans = req->n_channels; } else { do { if (local->hw_scan_band == NUM_NL80211_BANDS) return false; - n_chans = 0; + n_chans = &local->hw_scan_req->req.n_channels; + *n_chans = 0; for (i = 0; i < req->n_channels; i++) { if (req->channels[i]->band != local->hw_scan_band) continue; - local->hw_scan_req->req.channels[n_chans] = + local->hw_scan_req->req.channels[(*n_chans)++] = req->channels[i]; - n_chans++; + bands_used |= BIT(req->channels[i]->band); } local->hw_scan_band++; - } while (!n_chans); + } while (!*n_chans); } - local->hw_scan_req->req.n_channels = n_chans; ieee80211_prepare_scan_chandef(&chandef, req->scan_width); if (req->flags & NL80211_SCAN_FLAG_MIN_PREQ_CONTENT) -- 2.43.0

9 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] mptcp: pm: Fix uaf in __timer_delete_sync" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x b4cd80b0338945a94972ac3ed54f8338d2da2076 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024091330-reps-craftsman-ab67@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: b4cd80b03389 ("mptcp: pm: Fix uaf in __timer_delete_sync") d58300c3185b ("mptcp: validate 'id' when stopping the ADD_ADDR retransmit timer") f7dafee18538 ("mptcp: use mptcp_addr_info in mptcp_options_received") dc87efdb1a5c ("mptcp: add mptcp reset option support") 557963c383e8 ("mptcp: move to next addr when subflow creation fail") d88c476f4a7d ("mptcp: export lookup_anno_list_by_saddr") efd13b71a3fa ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From b4cd80b0338945a94972ac3ed54f8338d2da2076 Mon Sep 17 00:00:00 2001 From: Edward Adam Davis <eadavis(a)qq.com> Date: Tue, 10 Sep 2024 17:58:56 +0800 Subject: [PATCH] mptcp: pm: Fix uaf in __timer_delete_sync There are two paths to access mptcp_pm_del_add_timer, result in a race condition: CPU1 CPU2 ==== ==== net_rx_action napi_poll netlink_sendmsg __napi_poll netlink_unicast process_backlog netlink_unicast_kernel __netif_receive_skb genl_rcv __netif_receive_skb_one_core netlink_rcv_skb NF_HOOK genl_rcv_msg ip_local_deliver_finish genl_family_rcv_msg ip_protocol_deliver_rcu genl_family_rcv_msg_doit tcp_v4_rcv mptcp_pm_nl_flush_addrs_doit tcp_v4_do_rcv mptcp_nl_remove_addrs_list tcp_rcv_established mptcp_pm_remove_addrs_and_subflows tcp_data_queue remove_anno_list_by_saddr mptcp_incoming_options mptcp_pm_del_add_timer mptcp_pm_del_add_timer kfree(entry) In remove_anno_list_by_saddr(running on CPU2), after leaving the critical zone protected by "pm.lock", the entry will be released, which leads to the occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1). Keeping a reference to add_timer inside the lock, and calling sk_stop_timer_sync() with this reference, instead of "entry->add_timer". Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock, do not directly access any members of the entry outside the pm lock, which can avoid similar "entry->x" uaf. Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") Cc: stable(a)vger.kernel.org Reported-and-tested-by: syzbot+f3a31fb909db9b2a5c4d(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f3a31fb909db9b2a5c4d Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Signed-off-by: Edward Adam Davis <eadavis(a)qq.com> Acked-by: Paolo Abeni <pabeni(a)redhat.com> Link: https://patch.msgid.link/tencent_7142963A37944B4A74EF76CD66EA3C253609@qq.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index f891bc714668..ad935d34c973 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -334,15 +334,21 @@ mptcp_pm_del_add_timer(struct mptcp_sock *msk, { struct mptcp_pm_add_entry *entry; struct sock *sk = (struct sock *)msk; + struct timer_list *add_timer = NULL; spin_lock_bh(&msk->pm.lock); entry = mptcp_lookup_anno_list_by_saddr(msk, addr); - if (entry && (!check_id || entry->addr.id == addr->id)) + if (entry && (!check_id || entry->addr.id == addr->id)) { entry->retrans_times = ADD_ADDR_RETRANS_MAX; + add_timer = &entry->add_timer; + } + if (!check_id && entry) + list_del(&entry->list); spin_unlock_bh(&msk->pm.lock); - if (entry && (!check_id || entry->addr.id == addr->id)) - sk_stop_timer_sync(sk, &entry->add_timer); + /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */ + if (add_timer) + sk_stop_timer_sync(sk, add_timer); return entry; } @@ -1462,7 +1468,6 @@ static bool remove_anno_list_by_saddr(struct mptcp_sock *msk, entry = mptcp_pm_del_add_timer(msk, addr, false); if (entry) { - list_del(&entry->list); kfree(entry); return true; }

9 months, 2 weeks

3
5
0 0

[PATCH 6.6.y] bnxt_en: Cap the size of HWRM_PORT_PHY_QCFG forwarded response

by Samasth Norway Ananda

From: Michael Chan <michael.chan(a)broadcom.com> commit 7d9df38c9c037ab84502ce7eeae9f1e1e7e72603 upstream. Firmware interface 1.10.2.118 has increased the size of HWRM_PORT_PHY_QCFG response beyond the maximum size that can be forwarded. When the VF's link state is not the default auto state, the PF will need to forward the response back to the VF to indicate the forced state. This regression may cause the VF to fail to initialize. Fix it by capping the HWRM_PORT_PHY_QCFG response to the maximum 96 bytes. The SPEEDS2_SUPPORTED flag needs to be cleared because the new speeds2 fields are beyond the legacy structure. Also modify bnxt_hwrm_fwd_resp() to print a warning if the message size exceeds 96 bytes to make this failure more obvious. Fixes: 84a911db8305 ("bnxt_en: Update firmware interface to 1.10.2.118") Reviewed-by: Somnath Kotur <somnath.kotur(a)broadcom.com> Reviewed-by: Pavan Chebbi <pavan.chebbi(a)broadcom.com> Signed-off-by: Michael Chan <michael.chan(a)broadcom.com> Link: https://lore.kernel.org/r/20240612231736.57823-1-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [Samasth: backport to 6.6.y] Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> --- drivers/net/ethernet/broadcom/bnxt/bnxt.h | 51 +++++++++++++++++++ .../net/ethernet/broadcom/bnxt/bnxt_sriov.c | 12 ++++- 2 files changed, 61 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h index 0116f67593e3a..f323c77aaea0e 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h @@ -1195,6 +1195,57 @@ struct bnxt_ntuple_filter { #define BNXT_FLTR_UPDATE 1 }; +/* Compat version of hwrm_port_phy_qcfg_output capped at 96 bytes. The + * first 95 bytes are identical to hwrm_port_phy_qcfg_output in bnxt_hsi.h. + * The last valid byte in the compat version is different. + */ +struct hwrm_port_phy_qcfg_output_compat { + __le16 error_code; + __le16 req_type; + __le16 seq_id; + __le16 resp_len; + u8 link; + u8 active_fec_signal_mode; + __le16 link_speed; + u8 duplex_cfg; + u8 pause; + __le16 support_speeds; + __le16 force_link_speed; + u8 auto_mode; + u8 auto_pause; + __le16 auto_link_speed; + __le16 auto_link_speed_mask; + u8 wirespeed; + u8 lpbk; + u8 force_pause; + u8 module_status; + __le32 preemphasis; + u8 phy_maj; + u8 phy_min; + u8 phy_bld; + u8 phy_type; + u8 media_type; + u8 xcvr_pkg_type; + u8 eee_config_phy_addr; + u8 parallel_detect; + __le16 link_partner_adv_speeds; + u8 link_partner_adv_auto_mode; + u8 link_partner_adv_pause; + __le16 adv_eee_link_speed_mask; + __le16 link_partner_adv_eee_link_speed_mask; + __le32 xcvr_identifier_type_tx_lpi_timer; + __le16 fec_cfg; + u8 duplex_state; + u8 option_flags; + char phy_vendor_name[16]; + char phy_vendor_partnumber[16]; + __le16 support_pam4_speeds; + __le16 force_pam4_link_speed; + __le16 auto_pam4_link_speed_mask; + u8 link_partner_pam4_adv_speeds; + u8 valid; +}; + struct bnxt_link_info { u8 phy_type; u8 media_type; diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c index dde327f2c57ee..ac9a0c039b776 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c @@ -942,8 +942,11 @@ static int bnxt_hwrm_fwd_resp(struct bnxt *bp, struct bnxt_vf_info *vf, struct hwrm_fwd_resp_input *req; int rc; - if (BNXT_FWD_RESP_SIZE_ERR(msg_size)) + if (BNXT_FWD_RESP_SIZE_ERR(msg_size)) { + netdev_warn_once(bp->dev, "HWRM fwd response too big (%d bytes)\n", + msg_size); return -EINVAL; + } rc = hwrm_req_init(bp, req, HWRM_FWD_RESP); if (!rc) { @@ -1077,7 +1080,7 @@ static int bnxt_vf_set_link(struct bnxt *bp, struct bnxt_vf_info *vf) rc = bnxt_hwrm_exec_fwd_resp( bp, vf, sizeof(struct hwrm_port_phy_qcfg_input)); } else { - struct hwrm_port_phy_qcfg_output phy_qcfg_resp = {0}; + struct hwrm_port_phy_qcfg_output_compat phy_qcfg_resp = {}; struct hwrm_port_phy_qcfg_input *phy_qcfg_req; phy_qcfg_req = @@ -1088,6 +1091,11 @@ static int bnxt_vf_set_link(struct bnxt *bp, struct bnxt_vf_info *vf) mutex_unlock(&bp->link_lock); phy_qcfg_resp.resp_len = cpu_to_le16(sizeof(phy_qcfg_resp)); phy_qcfg_resp.seq_id = phy_qcfg_req->seq_id; + /* New SPEEDS2 fields are beyond the legacy structure, so + * clear the SPEEDS2_SUPPORTED flag. + */ + phy_qcfg_resp.option_flags &= + ~PORT_PHY_QCAPS_RESP_FLAGS2_SPEEDS2_SUPPORTED; phy_qcfg_resp.valid = 1; if (vf->flags & BNXT_VF_LINK_UP) { -- 2.45.2

9 months, 2 weeks

2
1
0 0

[PATCH 5.10] bpf: Fix mismatch memory accounting for devmap maps

by Pu Lehui

From: Pu Lehui <pulehui(a)huawei.com> Commit 70294d8bc31f ("bpf: Eliminate rlimit-based memory accounting for devmap maps") relies on the v5.11+ basic mechanism of memcg-based memory accounting [0]. The commit cannot be independently backported to the 5.10 stable branch, otherwise the related memory when creating devmap will be unrestricted and the associated bpf selftest map_ptr will fail. Let's roll back to rlimit-based memory accounting mode for devmap and re-adapt the commit 225da02acdc9 ("bpf: Fix DEVMAP_HASH overflow check on 32-bit arches") to the 5.10 stable branch. Link: https://lore.kernel.org/bpf/20201201215900.3569844-1-guro@fb.com [0] Fixes: 225da02acdc9 ("bpf: Fix DEVMAP_HASH overflow check on 32-bit arches") Fixes: 70294d8bc31f ("bpf: Eliminate rlimit-based memory accounting for devmap maps") Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/devmap.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 07b5edb2c70f..7eb1282edc8e 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -109,6 +109,8 @@ static inline struct hlist_head *dev_map_index_hash(struct bpf_dtab *dtab, static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) { u32 valsize = attr->value_size; + u64 cost = 0; + int err; /* check sanity of attributes. 2 value sizes supported: * 4 bytes: ifindex @@ -136,11 +138,21 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) return -EINVAL; dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); + cost += (u64) sizeof(struct hlist_head) * dtab->n_buckets; + } else { + cost += (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *); + } + /* if map size is larger than memlock limit, reject it */ + err = bpf_map_charge_init(&dtab->map.memory, cost); + if (err) + return -EINVAL; + + if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { dtab->dev_index_head = dev_map_create_hash(dtab->n_buckets, dtab->map.numa_node); if (!dtab->dev_index_head) - return -ENOMEM; + goto free_charge; spin_lock_init(&dtab->index_lock); } else { @@ -148,10 +160,14 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) sizeof(struct bpf_dtab_netdev *), dtab->map.numa_node); if (!dtab->netdev_map) - return -ENOMEM; + goto free_charge; } return 0; + +free_charge: + bpf_map_charge_finish(&dtab->map.memory); + return -ENOMEM; } static struct bpf_map *dev_map_alloc(union bpf_attr *attr) -- 2.34.1

9 months, 2 weeks

4
6
0 0

mcp251xfd: please add to the stable trees

by Marc Kleine-Budde

Hello stable-team, Francesco Dolcini reported a regression on v6.6.52 [1], it turns out since v6.6.51~34 a.k.a. 5ea24ddc26a7 ("can: mcp251xfd: rx: add workaround for erratum DS80000789E 6 of mcp2518fd") the mcp25xfd driver is broken. Cherry picking the following commits fixes the problem: 51b2a7216122 ("can: mcp251xfd: properly indent labels") a7801540f325 ("can: mcp251xfd: move mcp251xfd_timestamp_start()/stop() into mcp251xfd_chip_start/stop()") Please pick these patches for - 6.10.x - 6.6.x - 6.1.x [1] https://lore.kernel.org/all/20240923115310.GA138774@francesco-nb regards, Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung Nürnberg | Phone: +49-5121-206917-129 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |

9 months, 2 weeks

2
1
0 0

[PATCH stable 6.6] Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex"

by Ping-Ke Shih

This reverts commit 268f84a827534c4e4c2540a4e29daa73359fc0a5. The reverted commit is based on implementation of wiphy locking that isn't planned to redo on a stable kernel, so revert it to avoid warning: WARNING: CPU: 0 PID: 9 at net/wireless/core.h:231 disconnect_work+0xb8/0x144 [cfg80211] CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.51-00141-ga1649b6f8ed6 #7 Hardware name: Freescale i.MX6 SoloX (Device Tree) Workqueue: events disconnect_work [cfg80211] unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x58/0x70 dump_stack_lvl from __warn+0x70/0x1c0 __warn from warn_slowpath_fmt+0x16c/0x294 warn_slowpath_fmt from disconnect_work+0xb8/0x144 [cfg80211] disconnect_work [cfg80211] from process_one_work+0x204/0x620 process_one_work from worker_thread+0x1b0/0x474 worker_thread from kthread+0x10c/0x12c kthread from ret_from_fork+0x14/0x24 Reported-by: petter(a)technux.se Closes: https://lore.kernel.org/linux-wireless/9e98937d781c990615ef27ee0c858ff9@tec… Cc: Johannes Berg <johannes(a)sipsolutions.net> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> --- net/wireless/core.h | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/net/wireless/core.h b/net/wireless/core.h index c955be6c6daa..f0a3a2317638 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -228,7 +228,6 @@ void cfg80211_register_wdev(struct cfg80211_registered_device *rdev, static inline void wdev_lock(struct wireless_dev *wdev) __acquires(wdev) { - lockdep_assert_held(&wdev->wiphy->mtx); mutex_lock(&wdev->mtx); __acquire(wdev->mtx); } @@ -236,16 +235,11 @@ static inline void wdev_lock(struct wireless_dev *wdev) static inline void wdev_unlock(struct wireless_dev *wdev) __releases(wdev) { - lockdep_assert_held(&wdev->wiphy->mtx); __release(wdev->mtx); mutex_unlock(&wdev->mtx); } -static inline void ASSERT_WDEV_LOCK(struct wireless_dev *wdev) -{ - lockdep_assert_held(&wdev->wiphy->mtx); - lockdep_assert_held(&wdev->mtx); -} +#define ASSERT_WDEV_LOCK(wdev) lockdep_assert_held(&(wdev)->mtx) static inline bool cfg80211_has_monitors_only(struct cfg80211_registered_device *rdev) { -- 2.25.1

9 months, 2 weeks

3
2
0 0

[PATCH -stable,5.10 0/2] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains a backport for fixes for 5.10-stable: The following list shows the backported patches, I am using original commit IDs for reference: 1) 29b359cf6d95 ("netfilter: nft_set_pipapo: walk over current view on netlink dump") 2) efefd4f00c96 ("netfilter: nf_tables: missing iterator type in lookup walk") Please, apply, Thanks Pablo Neira Ayuso (2): netfilter: nft_set_pipapo: walk over current view on netlink dump netfilter: nf_tables: missing iterator type in lookup walk include/net/netfilter/nf_tables.h | 13 +++++++++++++ net/netfilter/nf_tables_api.c | 5 +++++ net/netfilter/nft_lookup.c | 1 + net/netfilter/nft_set_pipapo.c | 6 ++++-- 4 files changed, 23 insertions(+), 2 deletions(-) -- 2.30.2

9 months, 2 weeks

2
3
0 0

Power consumption fix for ACP 7 devices

by Mario Limonciello

Hi, Can you please bring this commit into linux-6.11.y? commit c35fad6f7e0d ("ASoC: amd: acp: add ZSC control register programming sequence") This helps with power consumption on the affected platforms. Thanks,

9 months, 2 weeks

2
1
0 0

[PATCH 6.6 000/186] 6.6.30-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.30 release. There are 186 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 02 May 2024 10:30:27 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.30-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.30-rc1 Matthew Wilcox (Oracle) <willy(a)infradead.org> bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS Rahul Rameshbabu <rrameshbabu(a)nvidia.com> net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec Rahul Rameshbabu <rrameshbabu(a)nvidia.com> macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst Rahul Rameshbabu <rrameshbabu(a)nvidia.com> macsec: Enable devices to advertise whether they update sk_buff md_dst during offloads Mingzheng Xing <xingmingzheng(a)iscas.ac.cn> Revert "riscv: kdump: fix crashkernel reserving problem on RISC-V" Amir Goldstein <amir73il(a)gmail.com> ovl: fix memory leak in ovl_parse_param() Johan Hovold <johan+linaro(a)kernel.org> phy: qcom: qmp-combo: fix VCO div offset on v5_5nm and v6 Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: smbus: fix NULL function pointer dereference Xuewen Yan <xuewen.yan(a)unisoc.com> sched/eevdf: Prevent vlag from going out of bounds in reweight_eevdf() Tianchen Ding <dtcccc(a)linux.alibaba.com> sched/eevdf: Fix miscalculation in reweight_entity() when se is not curr Tianchen Ding <dtcccc(a)linux.alibaba.com> sched/eevdf: Always update V if se->on_rq when reweighting Hans de Goede <hdegoede(a)redhat.com> phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered Samuel Holland <samuel.holland(a)sifive.com> riscv: Fix loading 64-bit NOMMU kernels past the start of RAM Samuel Holland <samuel.holland(a)sifive.com> riscv: Fix TASK_SIZE on 64-bit NOMMU Baoquan He <bhe(a)redhat.com> riscv: fix VMALLOC_START definition Fenghua Yu <fenghua.yu(a)intel.com> dmaengine: idxd: Fix oops during rmmod on single-CPU platforms Sean Anderson <sean.anderson(a)linux.dev> dma: xilinx_dpdma: Fix locking Rex Zhang <rex.zhang(a)intel.com> dmaengine: idxd: Convert spinlock to mutex to lock evl workqueue Gabor Juhos <j4g8y7(a)gmail.com> phy: qcom: m31: match requested regulator name with dt schema Sebastian Reichel <sebastian.reichel(a)collabora.com> phy: rockchip: naneng-combphy: Fix mux on rk3588 Sebastian Reichel <sebastian.reichel(a)collabora.com> phy: rockchip-snps-pcie3: fix clearing PHP_GRF_PCIESEL_CON bits Michal Tomek <mtdev79b(a)gmail.com> phy: rockchip-snps-pcie3: fix bifurcation on rk3588 Marcel Ziswiler <marcel.ziswiler(a)toradex.com> phy: freescale: imx8m-pcie: fix pcie link-up instability Mikhail Kobuk <m.kobuk(a)ispras.ru> phy: marvell: a3700-comphy: Fix hardcoded array size Mikhail Kobuk <m.kobuk(a)ispras.ru> phy: marvell: a3700-comphy: Fix out of bounds read Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> soundwire: amd: fix for wake interrupt handling for clockstop mode Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> idma64: Don't try to serve interrupts when device is powered off Akhil R <akhilrajeev(a)nvidia.com> dmaengine: tegra186: Fix residual calculation Arnd Bergmann <arnd(a)arndb.de> dmaengine: owl: fix register access functions Matthew Wilcox (Oracle) <willy(a)infradead.org> mm: turn folio_test_hugetlb into a PageType Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/tdx: Preserve shared bit on mprotect() Stephen Boyd <swboyd(a)chromium.org> phy: qcom: qmp-combo: Fix VCO div offset on v3 Stephen Boyd <swboyd(a)chromium.org> phy: qcom: qmp-combo: Fix register base for QSERDES_DP_PHY_MODE Arnd Bergmann <arnd(a)arndb.de> mtd: diskonchip: work around ubsan link failure Yick Xie <yick.xie(a)gmail.com> udp: preserve the connected status if only UDP cmsg Nam Cao <namcao(a)linutronix.de> fbdev: fix incorrect address computation in deferred IO Andrey Ryabinin <ryabinin.a.a(a)gmail.com> stackdepot: respect __GFP_NOLOCKDEP allocation flag Peter Münster <pm(a)a16n.net> net: b44: set pause params only when interface is up Rahul Rameshbabu <rrameshbabu(a)nvidia.com> ethernet: Add helper for assigning packet type when dest address does not match device address Vanshidhar Konda <vanshikonda(a)os.amperecomputing.com> ACPI: CPPC: Fix access width used for PCC registers Jarred White <jarredwhite(a)linux.microsoft.com> ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro Jarred White <jarredwhite(a)linux.microsoft.com> ACPI: CPPC: Use access_width over bit_width for system memory accesses Guanrui Huang <guanrui.huang(a)linux.alibaba.com> irqchip/gic-v3-its: Prevent double free on error Mukul Joshi <mukul.joshi(a)amd.com> drm/amdgpu: Fix leak when GPU memory allocation fails Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Assign correct bits for SDMA HDP flush Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3 Iskander Amara <iskander.amara(a)theobroma-systems.com> arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma Manivannan Sadhasivam <mani(a)kernel.org> arm64: dts: qcom: sm8450: Fix the msi-map entries Johan Hovold <johan+linaro(a)kernel.org> arm64: dts: qcom: sc8280xp: add missing PCIe minimum OPP Jiantao Shan <shanjiantao(a)loongson.cn> LoongArch: Fix access error when read fault on a write-only VMA Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix callchain parse error with kernel tracepoint events Sean Christopherson <seanjc(a)google.com> cpu: Re-enable CPU mitigations by default for !X86 architectures Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: fix information leak in btrfs_ioctl_logical_to_ino() Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: scrub: run relocation repair when/only needed Qu Wenruo <wqu(a)suse.com> btrfs: fix wrong block_start calculation for btrfs_drop_extent_map_range() Sweet Tea Dorminy <sweettea-kernel(a)dorminy.me> btrfs: fallback if compressed IO fails for ENOSPC Nam Cao <namcao(a)linutronix.de> HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up Steve French <stfrench(a)microsoft.com> smb3: fix lock ordering potential deadlock in cifs_sync_mid_result Steve French <stfrench(a)microsoft.com> smb3: missing lock when picking channel Gustavo A. R. Silva <gustavoars(a)kernel.org> smb: client: Fix struct_group() usage in __packed structs Matthew Wilcox (Oracle) <willy(a)infradead.org> mm: support page_mapcount() on page_has_type() pages Matthew Wilcox (Oracle) <willy(a)infradead.org> mm: create FOLIO_FLAG_FALSE and FOLIO_TYPE_OPS macros Mantas Pucka <mantas(a)8devices.com> mmc: sdhci-msm: pervent access to suspended controller Peter Xu <peterx(a)redhat.com> mm/hugetlb: fix missing hugetlb_lock for resv uncharge Christian Marangi <ansuelsmth(a)gmail.com> mtd: rawnand: qcom: Fix broken OP_RESET_DEVICE command in qcom_misc_cmd_type_exec() Johan Hovold <johan+linaro(a)kernel.org> Bluetooth: qca: fix NULL-deref on non-serdev setup Johan Hovold <johan+linaro(a)kernel.org> Bluetooth: qca: fix NULL-deref on non-serdev suspend WangYuli <wangyuli(a)uniontech.com> Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853 Nathan Chancellor <nathan(a)kernel.org> Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old() Aswin Unnikrishnan <aswinunni01(a)gmail.com> rust: remove `params` from `module` macro example Miguel Ojeda <ojeda(a)kernel.org> kbuild: rust: force `alloc` extern to allow "empty" Rust files Miguel Ojeda <ojeda(a)kernel.org> kbuild: rust: remove unneeded `@rustc_cfg` to avoid ICE Conor Dooley <conor.dooley(a)microchip.com> rust: make mutually exclusive with CFI_CLANG Laine Taffin Altman <alexanderaltman(a)me.com> rust: init: remove impl Zeroable for Infallible Alice Ryhl <aliceryhl(a)google.com> rust: don't select CONSTRUCTORS David Kaplan <david.kaplan(a)amd.com> x86/cpu: Fix check for RDPKRU in __show_regs() Miaohe Lin <linmiaohe(a)huawei.com> fork: defer linking file vma until vma is fully initialized Terry Tritton <terry.tritton(a)linaro.org> selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID) Terry Tritton <terry.tritton(a)linaro.org> selftests/seccomp: Change the syscall used in KILL_THREAD test Terry Tritton <terry.tritton(a)linaro.org> selftests/seccomp: user_notification_addfd check nextfd is available Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: check the inode number is not the invalid value of zero Jeff Layton <jlayton(a)kernel.org> squashfs: convert to new timestamp accessors Christian König <ckoenig.leichtzumerken(a)gmail.com> drm/ttm: stop pooling cached NUMA pages v2 Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm, treewide: introduce NR_PAGE_ORDERS Christian König <christian.koenig(a)amd.com> drm/amdgpu: fix visible VRAM handling during faults Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add shared fdinfo stats Alex Deucher <alexander.deucher(a)amd.com> drm: add drm_gem_object_is_shared_for_memory_stats() helper David Hildenbrand <david(a)redhat.com> mm/madvise: make MADV_POPULATE_(READ|WRITE) handle VM_FAULT_RETRY properly Lorenzo Stoakes <lstoakes(a)gmail.com> mm/gup: explicitly define and check internal GUP flags, disallow FOLL_TOUCH Sean Christopherson <seanjc(a)google.com> KVM: x86/pmu: Set enable bits for GP counters in PERF_GLOBAL_CTRL at "RESET" Sean Christopherson <seanjc(a)google.com> KVM: x86/pmu: Zero out PMU metadata on AMD if PMU is disabled Kuniyuki Iwashima <kuniyu(a)amazon.com> af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc(). Sabrina Dubroca <sd(a)queasysnail.net> tls: fix lockless read of strp->msg_ready in ->poll Jason Reeder <jreeder(a)ti.com> net: ethernet: ti: am65-cpts: Fix PTPv1 message type on TX packets Jacob Keller <jacob.e.keller(a)intel.com> ice: fix LAG and VF lock dependency in ice_reset_vf() Sudheer Mogilappagari <sudheer.mogilappagari(a)intel.com> iavf: Fix TC config comparison with existing adapter TC config Erwan Velu <e.velu(a)criteo.com> i40e: Report MFS in decimal base instead of hex Sindhu Devale <sindhu.devale(a)intel.com> i40e: Do not use WQ_MEM_RECLAIM flag for workqueue Dan Carpenter <dan.carpenter(a)linaro.org> net: ti: icssg-prueth: Fix signedness bug in prueth_init_rx_chns() MD Danish Anwar <danishanwar(a)ti.com> net: phy: dp83869: Fix MII mode failure Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: honor table dormant flag from netdev release event path Michael Heimpold <michael.heimpold(a)chargebyte.com> ARM: dts: imx6ull-tarragon: fix USB over-current polarity Jakub Kicinski <kuba(a)kernel.org> eth: bnxt: fix counting packets discarded due to OOM and netpoll Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix incorrect list API usage Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix warning during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix memory leak during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Rate limit error message Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum_acl_tcam: Fix race in region ID allocation Amit Cohen <amcohen(a)nvidia.com> mlxsw: Use refcount_t for reference counting Hyunwoo Kim <v4bel(a)theori.io> net: openvswitch: Fix Use-After-Free in ovs_ct_exit Ismael Luceno <iluceno(a)suse.de> ipvs: Fix checksumming on GSO of SCTP packets Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Bluetooth: qca: set power_ctrl_enabled on NULL returned by gpiod_get_optional() Chun-Yi Lee <jlee(a)suse.com> Bluetooth: hci_sync: Using hci_cmd_sync_submit when removing Adv Monitor Sean Wang <sean.wang(a)mediatek.com> Bluetooth: btusb: mediatek: Fix double free of skb in coredump Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix failing to MGMT_OP_ADD_UUID/MGMT_OP_REMOVE_UUID Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix sending HCI_OP_READ_ENC_KEY_SIZE Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: btusb: Fix triggering coredump implementation for QCA Prathamesh Shete <pshete(a)nvidia.com> gpio: tegra186: Fix tegra186_gpio_is_accessible() check Daniel Golle <daniel(a)makrotopia.org> net: phy: mediatek-ge-soc: follow netdev LED trigger semantics Hyunwoo Kim <v4bel(a)theori.io> net: gtp: Fix Use-After-Free in gtp_dellink Eric Dumazet <edumazet(a)google.com> net: usb: ax88179_178a: stop lying about skb->truesize Eric Dumazet <edumazet(a)google.com> ipv4: check for NULL idev in ip_route_use_hint() Eric Dumazet <edumazet(a)google.com> net: fix sk_memory_allocated_{add|sub} vs softirqs Adam Li <adamli(a)os.amperecomputing.com> net: make SK_MEMORY_PCPU_RESERV tunable Jakub Kicinski <kuba(a)kernel.org> tools: ynl: don't ignore errors in NLMSG_DONE messages Duoming Zhou <duoming(a)zju.edu.cn> ax25: Fix netdev refcount issue Paul Geurts <paul_geurts(a)live.nl> NFC: trf7970a: disable all regulators on removal Matthias Schiffer <matthias.schiffer(a)ew.tq-group.com> net: dsa: mv88e6xx: fix supported_interfaces setup in mv88e6250_phylink_get_caps() Dan Williams <dan.j.williams(a)intel.com> cxl/core: Fix potential payload size confusion in cxl_mem_get_poison() Vikas Gupta <vikas.gupta(a)broadcom.com> bnxt_en: Fix the PCI-AER routines Vikas Gupta <vikas.gupta(a)broadcom.com> bnxt_en: refactor reset close code Hangbin Liu <liuhangbin(a)gmail.com> bridge/br_netlink.c: no need to return void function Eric Dumazet <edumazet(a)google.com> icmp: prevent possible NULL dereferences from icmp_build_probe() Andrei Simion <andrei.simion(a)microchip.com> ARM: dts: microchip: at91-sama7g5ek: Replace regulator-suspend-voltage with the valid property Ido Schimmel <idosch(a)nvidia.com> mlxsw: core_env: Fix driver initialization with old firmware Ido Schimmel <idosch(a)nvidia.com> mlxsw: core: Unregister EMAD trap using FORWARD action Justin Chen <justin.chen(a)broadcom.com> net: bcmasp: fix memory leak when bringing down interface David Bauer <mail(a)david-bauer.net> vxlan: drop packets from invalid src-address Duanqiang Wen <duanqiangwen(a)net-swift.com> net: libwx: fix alloc msix vectors failed Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix unaligned le16 access Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: remove link before AP Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211_hwsim: init peer measurement result Patrik Jakobsson <patrik.r.jakobsson(a)gmail.com> drm/gma500: Remove lid code Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: mvm: return uid from iwl_mvm_build_scan_cmd Avraham Stern <avraham.stern(a)intel.com> wifi: iwlwifi: mvm: remove old PASN station when adding a new one Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: split mesh fast tx cache into local/proxied/forwarded Colin Ian King <colin.i.king(a)intel.com> wifi: mac80211: clean up assignments to pointer cache. Alexey Brodkin <Alexey.Brodkin(a)synopsys.com> ARC: [plat-hsdk]: Remove misplaced interrupt-cells property Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> gpio: tangier: Use correct type for the IRQ chip data Maximilian Luz <luzmaximilian(a)gmail.com> arm64: dts: qcom: sc8180x: Fix ss_phy_irq for secondary USB controller Jose Ignacio Tornos Martinez <jtornosm(a)redhat.com> arm64: dts: rockchip: regulator for sd needs to be always on for BPI-R2Pro Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt2712: fix validation errors Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7986: prefix BPI-R3 cooling maps with "map-" Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7986: drop invalid thermal block clock Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7986: reorder nodes Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7986: drop "#reset-cells" from Ethernet controller Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7986: drop invalid properties from ethsys Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7986: reorder properties Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: fix ethernet controller "compatible" Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: fix IR nodename Rafał Miłecki <rafal(a)milecki.pl> arm64: dts: mediatek: mt7622: fix clock controllers Pin-yen Lin <treapking(a)chromium.org> arm64: dts: mediatek: mt8183-kukui: Use default min voltage for MT6358 Pin-yen Lin <treapking(a)chromium.org> arm64: dts: mediatek: mt8195-cherry: Update min voltage constraint for MT6315 Pin-yen Lin <treapking(a)chromium.org> arm64: dts: mediatek: mt8192-asurada: Update min voltage constraint for MT6315 Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: cherry: Describe CPU supplies AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> arm64: dts: mediatek: cherry: Add platform thermal configuration Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: mt8195: Add missing gce-client-reg to mutex1 Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: mt8195: Add missing gce-client-reg to mutex Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: mt8195: Add missing gce-client-reg to vpp/vdosys Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: mt8192: Add missing gce-client-reg to mutex Ikjoon Jang <ikjn(a)chromium.org> arm64: dts: mediatek: mt8183: Add power-domains properity to mfgcfg Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro dts Quentin Schulz <quentin.schulz(a)theobroma-systems.com> arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma Iskander Amara <iskander.amara(a)theobroma-systems.com> arm64: dts: rockchip: fix alphabetical ordering RK3399 puma Quentin Schulz <quentin.schulz(a)theobroma-systems.com> arm64: dts: rockchip: enable internal pull-up on Q7_USB_ID for RK3399 Puma Arınç ÜNAL <arinc.unal(a)arinc9.com> arm64: dts: rockchip: set PHY address of MT7531 switch to 0x1f Yaraslau Furman <yaro330(a)gmail.com> HID: logitech-dj: allow mice to use all types of reports Zhang Lixu <lixu.zhang(a)intel.com> HID: intel-ish-hid: ipc: Fix dev_err usage with uninitialized dev->devc Takayuki Nagata <tnagata(a)redhat.com> cifs: reinstate original behavior again for forceuid/forcegid Paulo Alcantara <pc(a)manguebit.com> smb: client: fix rename(2) regression against samba David Howells <dhowells(a)redhat.com> cifs: Fix reacquisition of volume cookie on still-live connection ------------- Diffstat: Documentation/admin-guide/kdump/vmcoreinfo.rst | 6 +- Documentation/admin-guide/sysctl/net.rst | 5 + Makefile | 4 +- arch/Kconfig | 8 + arch/arc/boot/dts/hsdk.dts | 1 - arch/arm/boot/dts/microchip/at91-sama7g5ek.dts | 8 +- .../boot/dts/nxp/imx/imx6ull-tarragon-common.dtsi | 1 + arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 8 +- arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 3 +- arch/arm64/boot/dts/mediatek/mt7622.dtsi | 34 ++-- .../boot/dts/mediatek/mt7986a-bananapi-bpi-r3.dts | 6 +- arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 215 ++++++++++----------- arch/arm64/boot/dts/mediatek/mt8183-kukui.dtsi | 1 - arch/arm64/boot/dts/mediatek/mt8183.dtsi | 1 + arch/arm64/boot/dts/mediatek/mt8192-asurada.dtsi | 6 +- arch/arm64/boot/dts/mediatek/mt8192.dtsi | 1 + arch/arm64/boot/dts/mediatek/mt8195-cherry.dtsi | 141 +++++++++++++- arch/arm64/boot/dts/mediatek/mt8195.dtsi | 5 + arch/arm64/boot/dts/qcom/sc8180x.dtsi | 2 +- arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 5 + arch/arm64/boot/dts/qcom/sm8450.dtsi | 16 +- .../boot/dts/rockchip/rk3399-pinebook-pro.dts | 1 - arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 31 ++- arch/arm64/boot/dts/rockchip/rk3568-bpi-r2-pro.dts | 6 +- arch/arm64/kvm/hyp/include/nvhe/gfp.h | 2 +- arch/loongarch/include/asm/perf_event.h | 8 + arch/loongarch/mm/fault.c | 4 +- arch/riscv/include/asm/page.h | 2 +- arch/riscv/include/asm/pgtable.h | 4 +- arch/riscv/kernel/setup.c | 13 ++ arch/riscv/mm/init.c | 2 +- arch/sparc/kernel/traps_64.c | 2 +- arch/x86/Kconfig | 11 +- arch/x86/include/asm/coco.h | 5 +- arch/x86/include/asm/pgtable_types.h | 3 +- arch/x86/kernel/process_64.c | 2 +- arch/x86/kvm/pmu.c | 30 ++- arch/x86/kvm/vmx/pmu_intel.c | 16 +- drivers/acpi/cppc_acpi.c | 72 +++++-- drivers/bluetooth/btmtk.c | 7 +- drivers/bluetooth/btusb.c | 11 +- drivers/bluetooth/hci_qca.c | 27 ++- drivers/cxl/core/mbox.c | 38 ++-- drivers/dma/idma64.c | 4 + drivers/dma/idxd/cdev.c | 5 +- drivers/dma/idxd/debugfs.c | 4 +- drivers/dma/idxd/device.c | 8 +- drivers/dma/idxd/idxd.h | 2 +- drivers/dma/idxd/init.c | 2 +- drivers/dma/idxd/irq.c | 4 +- drivers/dma/idxd/perfmon.c | 9 +- drivers/dma/owl-dma.c | 4 +- drivers/dma/tegra186-gpc-dma.c | 3 + drivers/dma/xilinx/xilinx_dpdma.c | 13 +- drivers/gpio/gpio-tangier.c | 9 +- drivers/gpio/gpio-tegra186.c | 20 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_fdinfo.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 33 ++-- drivers/gpu/drm/amd/amdgpu/amdgpu_object.h | 28 +-- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 73 ++++--- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 3 + drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 3 +- drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 24 ++- drivers/gpu/drm/gma500/Makefile | 1 - drivers/gpu/drm/gma500/psb_device.c | 5 +- drivers/gpu/drm/gma500/psb_drv.h | 9 - drivers/gpu/drm/gma500/psb_lid.c | 80 -------- drivers/gpu/drm/ttm/tests/ttm_device_test.c | 2 +- drivers/gpu/drm/ttm/ttm_pool.c | 54 ++++-- drivers/hid/hid-logitech-dj.c | 4 +- drivers/hid/i2c-hid/i2c-hid-core.c | 9 - drivers/hid/intel-ish-hid/ipc/ipc.c | 2 +- drivers/i2c/i2c-core-base.c | 12 +- drivers/irqchip/irq-gic-v3-its.c | 9 +- drivers/mmc/host/sdhci-msm.c | 16 +- drivers/mtd/nand/raw/diskonchip.c | 4 +- drivers/mtd/nand/raw/qcom_nandc.c | 7 +- drivers/net/dsa/mv88e6xxx/chip.c | 56 +++++- drivers/net/dsa/mv88e6xxx/port.h | 23 ++- drivers/net/ethernet/broadcom/asp2/bcmasp_intf.c | 21 +- drivers/net/ethernet/broadcom/b44.c | 14 +- drivers/net/ethernet/broadcom/bnxt/bnxt.c | 80 ++++---- drivers/net/ethernet/intel/i40e/i40e_main.c | 6 +- drivers/net/ethernet/intel/iavf/iavf_main.c | 30 ++- drivers/net/ethernet/intel/ice/ice_vf_lib.c | 16 +- .../ethernet/mellanox/mlx5/core/en_accel/macsec.c | 1 + drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +- .../mellanox/mlxsw/core_acl_flex_actions.c | 16 +- .../ethernet/mellanox/mlxsw/core_acl_flex_keys.c | 9 +- drivers/net/ethernet/mellanox/mlxsw/core_env.c | 20 +- drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c | 11 +- .../ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 132 ++++++++----- .../ethernet/mellanox/mlxsw/spectrum_acl_tcam.h | 5 +- .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 15 +- .../ethernet/mellanox/mlxsw/spectrum_switchdev.c | 8 +- drivers/net/ethernet/ti/am65-cpts.c | 5 + drivers/net/ethernet/ti/icssg/icssg_prueth.c | 8 +- drivers/net/ethernet/wangxun/libwx/wx_lib.c | 2 +- drivers/net/gtp.c | 3 +- drivers/net/macsec.c | 46 ++++- drivers/net/phy/dp83869.c | 3 +- drivers/net/phy/mediatek-ge-soc.c | 43 +++-- drivers/net/usb/ax88179_178a.c | 11 +- drivers/net/vxlan/vxlan_core.c | 4 + .../net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 2 + drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 3 +- drivers/net/wireless/virtual/mac80211_hwsim.c | 2 +- drivers/nfc/trf7970a.c | 42 ++-- drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 6 +- drivers/phy/marvell/phy-mvebu-a3700-comphy.c | 9 +- drivers/phy/qualcomm/phy-qcom-m31.c | 2 +- drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 12 +- drivers/phy/qualcomm/phy-qcom-qmp.h | 2 + drivers/phy/rockchip/phy-rockchip-naneng-combphy.c | 36 +++- drivers/phy/rockchip/phy-rockchip-snps-pcie3.c | 31 ++- drivers/phy/ti/phy-tusb1210.c | 23 +-- drivers/soundwire/amd_manager.c | 15 ++ drivers/soundwire/amd_manager.h | 3 +- drivers/video/fbdev/core/fb_defio.c | 2 +- fs/btrfs/backref.c | 12 +- fs/btrfs/extent_map.c | 2 +- fs/btrfs/inode.c | 13 +- fs/btrfs/scrub.c | 18 +- fs/btrfs/tests/extent-map-tests.c | 5 + fs/overlayfs/params.c | 11 +- fs/proc/page.c | 7 +- fs/smb/client/cifsfs.c | 1 + fs/smb/client/cifsglob.h | 2 + fs/smb/client/cifspdu.h | 4 +- fs/smb/client/fs_context.c | 12 ++ fs/smb/client/fs_context.h | 2 + fs/smb/client/fscache.c | 13 ++ fs/smb/client/misc.c | 3 + fs/smb/client/smb2pdu.h | 2 +- fs/smb/client/transport.c | 7 +- fs/squashfs/inode.c | 11 +- include/drm/drm_gem.h | 13 ++ include/drm/ttm/ttm_pool.h | 2 +- include/linux/etherdevice.h | 25 +++ include/linux/mm.h | 8 +- include/linux/mmzone.h | 6 +- include/linux/page-flags.h | 146 ++++++++------ include/net/af_unix.h | 3 + include/net/bluetooth/hci_core.h | 4 + include/net/macsec.h | 1 + include/net/sock.h | 41 ++-- include/net/tls.h | 3 +- include/trace/events/mmflags.h | 1 + init/Kconfig | 2 +- kernel/bounds.c | 2 +- kernel/cpu.c | 4 +- kernel/crash_core.c | 7 +- kernel/fork.c | 18 +- kernel/sched/fair.c | 34 ++-- lib/stackdepot.c | 4 +- lib/test_meminit.c | 2 +- mm/compaction.c | 2 +- mm/gup.c | 59 +++--- mm/hugetlb.c | 27 +-- mm/internal.h | 11 +- mm/kmsan/init.c | 2 +- mm/madvise.c | 17 +- mm/page_alloc.c | 13 +- mm/page_reporting.c | 2 +- mm/show_mem.c | 8 +- mm/vmstat.c | 12 +- net/ax25/af_ax25.c | 2 +- net/bluetooth/hci_event.c | 5 +- net/bluetooth/l2cap_sock.c | 7 +- net/bluetooth/mgmt.c | 24 ++- net/bluetooth/sco.c | 7 +- net/bridge/br_netlink.c | 2 +- net/core/sock.c | 1 + net/core/sysctl_net_core.c | 9 + net/ethernet/eth.c | 12 +- net/ipv4/icmp.c | 12 +- net/ipv4/route.c | 3 + net/ipv4/udp.c | 5 +- net/ipv6/udp.c | 5 +- net/mac80211/mesh.c | 8 +- net/mac80211/mesh.h | 36 +++- net/mac80211/mesh_pathtbl.c | 37 ++-- net/mac80211/mlme.c | 9 +- net/mac80211/rx.c | 13 +- net/netfilter/ipvs/ip_vs_proto_sctp.c | 6 +- net/netfilter/nft_chain_filter.c | 4 +- net/openvswitch/conntrack.c | 4 +- net/tls/tls.h | 2 +- net/tls/tls_strp.c | 6 +- net/unix/garbage.c | 2 +- rust/Makefile | 1 - rust/kernel/init.rs | 11 +- rust/macros/lib.rs | 12 -- scripts/Makefile.build | 2 +- tools/net/ynl/lib/ynl.py | 1 + tools/testing/selftests/seccomp/seccomp_bpf.c | 41 +++- 198 files changed, 1787 insertions(+), 1132 deletions(-)

9 months, 2 weeks

16
206
0 0

[PATCH 0/3] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Sligth modifications are applied to the context of the patches for cleanly applying. Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (2): fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/internal.h | 14 ++++++ fs/namespace.c | 13 ------ fs/stat.c | 123 ++++++++++++++++++++++++++++++++++++----------------- include/linux/fs.h | 17 ++++++++ 4 files changed, 116 insertions(+), 51 deletions(-) --- base-commit: 049be94099ea5ba8338526c5a4f4f404b9dcaf54 change-id: 20240918-statx-stable-linux-6-10-y-17c3ec7497c8 Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

9 months, 2 weeks

4
8
0 0

stable request: netfilter: make cgroupsv2 matching work with namespaces

by Florian Westphal

Hello, please consider picking up: 7f3287db6543 ("netfilter: nft_socket: make cgroupsv2 matching work with namespaces") and its followup fix, 7052622fccb1 ("netfilter: nft_socket: Fix a NULL vs IS_ERR() bug in nft_socket_cgroup_subtree_level()") It should cherry-pick fine for 6.1 and later. I'm not sure a 5.15 backport is worth it, as its not a crash fix and noone has reported this problem so far with a 5.15 kernel.

9 months, 2 weeks

3
2
0 0

[PATCH 6.1 00/26] xfs backports to catch 6.1.y up to 6.6

by Leah Rumancik

Hello again, Here is the next set of XFS backports, this set is for 6.1.y and I will be following up with a set for 5.15.y later. There were some good suggestions made at LSF to survey test coverage to cut back on testing but I've been a bit swamped and a backport set was overdue. So for this set, I have run the auto group 3 x 8 configs with no regressions seen. Let me know if you spot any issues. This set has already been ack'd on the XFS list. Thanks, Leah https://lkml.iu.edu/hypermail/linux/kernel/2212.0/04860.html 52f31ed22821 [1/1] xfs: dquot shrinker doesn't check for XFS_DQFLAG_FREEING https://lore.kernel.org/linux-xfs/ef8a958d-741f-5bfd-7b2f-db65bf6dc3ac@huaw… 4da112513c01 [1/1] xfs: Fix deadlock on xfs_inodegc_worker https://www.spinics.net/lists/linux-xfs/msg68547.html 601a27ea09a3 [1/1] xfs: fix extent busy updating https://www.spinics.net/lists/linux-xfs/msg67254.html c85007e2e394 [1/1] xfs: don't use BMBT btree split workers for IO completion fixes from start of the series https://lore.kernel.org/linux-xfs/20230209221825.3722244-1-david@fromorbit.… [00/42] xfs: per-ag centric allocation alogrithms 1dd0510f6d4b [01/42] xfs: fix low space alloc deadlock f08f984c63e9 [02/42] xfs: prefer free inodes at ENOSPC over chunk allocation d5753847b216 [03/42] xfs: block reservation too large for minleft allocation https://lore.kernel.org/linux-xfs/Y+Z7TZ9o+KgXLcV8@magnolia/ 60b730a40c43 [1/1] xfs: fix uninitialized variable access https://lore.kernel.org/linux-xfs/20230228051250.1238353-1-david@fromorbit.… 0c7273e494dd [1/1] xfs: quotacheck failure can race with background inode inactivation https://lore.kernel.org/linux-xfs/20230412024907.GP360889@frogsfrogsfrogs/ 8ee81ed581ff [1/1] xfs: fix BUG_ON in xfs_getbmap() https://www.spinics.net/lists/linux-xfs/msg71062.html [0/4] xfs: bug fixes for 6.4-rc1 [1/4] xfs: don't unconditionally null args->pag in xfs_bmap_btalloc_at_eof skip, fix for a commit from 6.3 8e698ee72c4e [2/4] xfs: set bnobt/cntbt numrecs correctly when formatting new AGs [3/4] xfs: flush dirty data and drain directios before scrubbing cow fork skip, scrub [4/4] xfs: don't allocate into the data fork for an unshare request skip, more of an optimization than a fix 1bba82fe1afa [5/4] xfs: fix negative array access in xfs_getbmap (fix of 8ee81ed) https://lore.kernel.org/linux-xfs/20230517000449.3997582-1-david@fromorbit.… [0/4] xfs: bug fixes for 6.4-rcX 89a4bf0dc385 [1/4] xfs: buffer pins need to hold a buffer reference [2/4] xfs: restore allocation trylock iteration skip, for issue introduced in 6.3 cb042117488d [3/4] xfs: defered work could create precommits (dependency for patch 4) 82842fee6e59 [4/4] xfs: fix AGF vs inode cluster buffer deadlock https://lore.kernel.org/linux-xfs/20240612225148.3989713-1-david@fromorbit.… 348a1983cf4c (fix for 82842fee6e5) [1/1] xfs: fix unlink vs cluster buffer instantiation race https://lore.kernel.org/linux-xfs/20230530001928.2967218-1-david@fromorbit.… d4d12c02b [1/1] xfs: collect errors from inodegc for unlinked inode recovery https://lore.kernel.org/linux-xfs/20230524121041.GA4128075@ceph-admin/ c3b880acadc9 [1/1] xfs: fix ag count overflow during growfs 4b827b3f305d [1/1] xfs: remove WARN when dquot cache insertion fails requested on list to reduce bot noise https://www.spinics.net/lists/linux-xfs/msg73214.html 5cf32f63b0f4 [1/2] xfs: fix the calculation for "end" and "length" [2/2] introduces new feature, skipping https://lore.kernel.org/linux-xfs/20230913102942.601271-1-ruansy.fnst@fujit… 3c90c01e4934 [1/1] xfs: correct calculation for agend and blockcount (fixes 5cf32) https://lore.kernel.org/all/20230901160020.GT28186@frogsfrogsfrogs/ 68b957f64fca [1/1] xfs: load uncached unlinked inodes into memory on demand https://www.spinics.net/lists/linux-xfs/msg74960.html [0/3] xfs: reload entire iunlink lists f12b96683d69 [1/3] xfs: use i_prev_unlinked to distinguish inodes that are not on the unlinked list 83771c50e42b [2/3] xfs: reload entire unlinked bucket lists (dependency of 49813a21ed) 49813a21ed57 [3/3] xfs: make inode unlinked bucket recovery work with quotacheck (dependency for 537c013) https://lore.kernel.org/all/169565629026.1982077.12646061547002741492.stgit… 537c013b140d [1/1] xfs: fix reloading entire unlinked bucket lists (fix of 68b957f64fca) Darrick J. Wong (8): xfs: fix uninitialized variable access xfs: load uncached unlinked inodes into memory on demand xfs: fix negative array access in xfs_getbmap xfs: use i_prev_unlinked to distinguish inodes that are not on the unlinked list xfs: reload entire unlinked bucket lists xfs: make inode unlinked bucket recovery work with quotacheck xfs: fix reloading entire unlinked bucket lists xfs: set bnobt/cntbt numrecs correctly when formatting new AGs Dave Chinner (12): xfs: dquot shrinker doesn't check for XFS_DQFLAG_FREEING xfs: don't use BMBT btree split workers for IO completion xfs: fix low space alloc deadlock xfs: prefer free inodes at ENOSPC over chunk allocation xfs: block reservation too large for minleft allocation xfs: quotacheck failure can race with background inode inactivation xfs: buffer pins need to hold a buffer reference xfs: defered work could create precommits xfs: fix AGF vs inode cluster buffer deadlock xfs: collect errors from inodegc for unlinked inode recovery xfs: remove WARN when dquot cache insertion fails xfs: fix unlink vs cluster buffer instantiation race Long Li (1): xfs: fix ag count overflow during growfs Shiyang Ruan (2): xfs: fix the calculation for "end" and "length" xfs: correct calculation for agend and blockcount Wengang Wang (1): xfs: fix extent busy updating Wu Guanghao (1): xfs: Fix deadlock on xfs_inodegc_worker Ye Bin (1): xfs: fix BUG_ON in xfs_getbmap() fs/xfs/libxfs/xfs_ag.c | 19 ++- fs/xfs/libxfs/xfs_alloc.c | 69 +++++++-- fs/xfs/libxfs/xfs_bmap.c | 16 +- fs/xfs/libxfs/xfs_bmap.h | 2 + fs/xfs/libxfs/xfs_bmap_btree.c | 19 ++- fs/xfs/libxfs/xfs_btree.c | 18 ++- fs/xfs/libxfs/xfs_fs.h | 2 + fs/xfs/libxfs/xfs_ialloc.c | 17 +++ fs/xfs/libxfs/xfs_log_format.h | 9 +- fs/xfs/libxfs/xfs_trans_inode.c | 113 +------------- fs/xfs/xfs_attr_inactive.c | 1 - fs/xfs/xfs_bmap_util.c | 18 +-- fs/xfs/xfs_buf_item.c | 88 ++++++++--- fs/xfs/xfs_dquot.c | 1 - fs/xfs/xfs_export.c | 14 ++ fs/xfs/xfs_extent_busy.c | 1 + fs/xfs/xfs_fsmap.c | 1 + fs/xfs/xfs_fsops.c | 13 +- fs/xfs/xfs_icache.c | 58 +++++-- fs/xfs/xfs_icache.h | 4 +- fs/xfs/xfs_inode.c | 260 ++++++++++++++++++++++++++++---- fs/xfs/xfs_inode.h | 36 ++++- fs/xfs/xfs_inode_item.c | 149 ++++++++++++++++++ fs/xfs/xfs_inode_item.h | 1 + fs/xfs/xfs_itable.c | 11 ++ fs/xfs/xfs_log_recover.c | 19 ++- fs/xfs/xfs_mount.h | 11 +- fs/xfs/xfs_notify_failure.c | 15 +- fs/xfs/xfs_qm.c | 72 ++++++--- fs/xfs/xfs_super.c | 1 + fs/xfs/xfs_trace.h | 46 ++++++ fs/xfs/xfs_trans.c | 9 +- 32 files changed, 841 insertions(+), 272 deletions(-) -- 2.46.0.792.g87dc391469-goog

9 months, 2 weeks

3
29
0 0

Request to apply patches to v6.6 to fix thunderbolt issue

by Wan, Qin (Thin Client RnD)

Hello, There is an issue found on v6.6.16: Plug in thunderbolt G4 dock with monitor connected after system boots up. The monitor shows nothing when wake up from S3 sometimes. The failure rate is above 50%. The kernel reports “UBSAN: shift-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:4416:36”. The call stack is shown at the bottom of this email. This failure is fixed in v6.9-rc1. We request to merge below commit to v6.6. 6b8ac54f31f985d3abb0b4212187838dd8ea4227 thunderbolt: Fix debug log when DisplayPort adapter not available for pairing fe8a0293c922ee8bc1ff0cf9048075afb264004a thunderbolt: Use tb_tunnel_dbg() where possible to make logging more consistent d27bd2c37d4666bce25ec4d9ac8c6b169992f0f0 thunderbolt: Expose tb_tunnel_xxx() log macros to the rest of the driver 8648c6465c025c488e2855c209c0dea1a1a15184 thunderbolt: Create multiple DisplayPort tunnels if there are more DP IN/OUT pairs f73edddfa2a64a185c65a33f100778169c92fc25 thunderbolt: Use constants for path weight and priority 4d24db0c801461adeefd7e0bdc98c79c60ccefb0 thunderbolt: Use weight constants in tb_usb3_consumed_bandwidth() aa673d606078da36ebc379f041c794228ac08cb5 thunderbolt: Make is_gen4_link() available to the rest of the driver 582e70b0d3a412d15389a3c9c07a44791b311715 thunderbolt: Change bandwidth reservations to comply USB4 v2 2bfeca73e94567c1a117ca45d2e8a25d63e5bd2c 　thunderbolt: Introduce tb_port_path_direction_downstream() 　　956c3abe72fb6a651b8cf77c28462f7e5b6a48b1 　thunderbolt: Introduce tb_for_each_upstream_port_on_path() 　　c4ff14436952c3d0dd05769d76cf48e73a253b48 　thunderbolt: Introduce tb_switch_depth() 　　81af2952e60603d12415e1a6fd200f8073a2ad8b 　thunderbolt: Add support for asymmetric link 　　3e36528c1127b20492ffaea53930bcc3df46a718 　thunderbolt: Configure asymmetric link if needed and bandwidth allows 　　b4734507ac55cc7ea1380e20e83f60fcd7031955 　thunderbolt: Improve DisplayPort tunnel setup process to be more robust 　When failure happened, the kernel log reports Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414673] UBSAN: shift-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:4416:36 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414674] shift exponent -1 is negative Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414675] CPU: 0 PID: 145 Comm: kworker/0:2 Tainted: G U 6.6.16 #108 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414677] Hardware name: HP HP Elite t660 Thin Client/8D05, BIOS W44 Ver. 00.14.00 07/19/2024 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414678] Workqueue: events output_poll_execute [drm_kms_helper] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414695] Call Trace: Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414697] <TASK> Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414698] dump_stack_lvl+0x48/0x70 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414703] dump_stack+0x10/0x20 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414705] __ubsan_handle_shift_out_of_bounds+0x156/0x310 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414708] ? krealloc+0x98/0x100 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414711] ? drm_atomic_get_private_obj_state+0x167/0x1a0 [drm] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414733] drm_dp_atomic_release_time_slots.cold+0x17/0x3d [drm_display_helper] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414743] intel_dp_mst_atomic_check+0x9a/0x170 [i915] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414831] drm_atomic_helper_check_modeset+0x4bb/0xe20 [drm_kms_helper] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414842] ? __kmem_cache_alloc_node+0x1b3/0x320 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414845] ? __ww_mutex_lock.constprop.0+0x39/0xa00 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414848] intel_atomic_check+0x113/0x2b50 [i915] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414936] drm_atomic_check_only+0x692/0xb80 [drm] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414956] drm_atomic_commit+0x57/0xd0 [drm] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414972] ? _pfx__drm_printfn_info+0x10/0x10 [drm] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.414999] drm_client_modeset_commit_atomic+0x1f1/0x230 [drm] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415019] drm_client_modeset_commit_locked+0x5b/0x170 [drm] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415038] ? mutex_lock+0x13/0x50 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415040] drm_client_modeset_commit+0x27/0x50 [drm] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415058] __drm_fb_helper_restore_fbdev_mode_unlocked+0xd2/0x100 [drm_kms_helper] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415068] drm_fb_helper_hotplug_event+0x11a/0x140 [drm_kms_helper] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415077] intel_fbdev_output_poll_changed+0x6f/0xb0 [i915] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415156] output_poll_execute+0x23e/0x290 [drm_kms_helper] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415166] ? intelfb_dirty+0x41/0x80 [i915] Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415236] process_one_work+0x178/0x360 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415238] ? __pfx_worker_thread+0x10/0x10 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415240] worker_thread+0x307/0x430 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415241] ? __pfx_worker_thread+0x10/0x10 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415242] kthread+0xf4/0x130 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415245] ? __pfx_kthread+0x10/0x10 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415247] ret_from_fork+0x43/0x70 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415249] ? __pfx_kthread+0x10/0x10 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415250] ret_from_fork_asm+0x1b/0x30 Sep 6 08:10:29 HP7c5758fc4d4f kernel: [ 89.415252] </TASK> Thanks, Wanqin 　

9 months, 2 weeks

3
3
0 0

[PATCH 6.6.y] x86/mm: Switch to new Intel CPU model defines

by Ricardo Neri

From: Tony Luck <tony.luck(a)intel.com> [ Upstream commit 2eda374e883ad297bd9fe575a16c1dc850346075 ] New CPU #defines encode vendor and family as well as model. [ dhansen: vertically align 0's in invlpg_miss_ids[] ] Signed-off-by: Tony Luck <tony.luck(a)intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Link: https://lore.kernel.org/all/20240424181518.41946-1-tony.luck%40intel.com [ Ricardo: I used the old match macro X86_MATCH_INTEL_FAM6_MODEL() instead of X86_MATCH_VFM() as in the upstream commit. ] Signed-off-by: Ricardo Neri <ricardo.neri-calderon(a)linux.intel.com> --- I tested this backport on an Alder Lake system. Now pr_info("Incomplete global flushes, disabling PCID") is back in dmesg. I also tested on a Meteor Lake system, which is not affected by the INVLPG issue. The message in question is not there before and after the backport, as expected. This backport fixes the last remaining caller of x86_match_cpu() that does not use the family of X86_MATCH_*() macros. Thomas Lindroth intially reported the regression in https://lore.kernel.org/all/eb709d67-2a8d-412f-905d-f3777d897bfa@gmail.com/ Maybe Tony and/or the x86 maintainers can ack this backport? --- arch/x86/mm/init.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c index 679893ea5e68..6215dfa23578 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -261,21 +261,17 @@ static void __init probe_page_size_mask(void) } } -#define INTEL_MATCH(_model) { .vendor = X86_VENDOR_INTEL, \ - .family = 6, \ - .model = _model, \ - } /* * INVLPG may not properly flush Global entries * on these CPUs when PCIDs are enabled. */ static const struct x86_cpu_id invlpg_miss_ids[] = { - INTEL_MATCH(INTEL_FAM6_ALDERLAKE ), - INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ), - INTEL_MATCH(INTEL_FAM6_ATOM_GRACEMONT ), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE ), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S), + X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE, 0), + X86_MATCH_INTEL_FAM6_MODEL(ALDERLAKE_L, 0), + X86_MATCH_INTEL_FAM6_MODEL(ATOM_GRACEMONT, 0), + X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE, 0), + X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE_P, 0), + X86_MATCH_INTEL_FAM6_MODEL(RAPTORLAKE_S, 0), {} }; -- 2.34.1

9 months, 2 weeks

3
2
0 0

[PATCH 6.1.y 0/2] x86: Complete backports for x86_match_cpu()

by Ricardo Neri

Hi, Upstream commit 93022482b294 ("x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL") introduced a flags member to struct x86_cpu_id. Bit 0 of x86_cpu.id.flags must be set to 1 for x86_match_cpu() to work correctly. This upstream commit has been backported to 6.1.y. Callers that use the X86_MATCH_*() family of macros to compose the argument of x86_match_cpu() function correctly. Callers that use their own custom mechanisms may not work if they fail to set x86_cpu_id.flags correctly. There are two remaining callers in 6.1.y that use their own mechanisms: setup_pcid() and rapl_msr_probe(). The former caused a regression that Thomas Lindroth reported in [1]. The latter works by luck but it still populates its x86_cpu_id[] array incorrectly. I backported two patches that fix these bugs in mainline. Hopefully the authors and/or maintainers can ack the backports? I tested these patches in Alder Lake and Meteor Lake systems as the two involved callers behave differently on these two systems. I wrote the testing details in each patch separately. Thanks and BR, Ricardo [1]. https://lore.kernel.org/all/eb709d67-2a8d-412f-905d-f3777d897bfa@gmail.com/ Sumeet Pawnikar (1): powercap: RAPL: fix invalid initialization for pl4_supported field Tony Luck (1): x86/mm: Switch to new Intel CPU model defines arch/x86/mm/init.c | 16 ++++++---------- drivers/powercap/intel_rapl_msr.c | 12 ++++++------ 2 files changed, 12 insertions(+), 16 deletions(-) -- 2.34.1

9 months, 2 weeks

2
4
0 0

[PATCH 0/1] ext4: fix crash on BUG_ON in ext4_alloc_group_tables

by Alexander Mikhalitsyn

A long story behind this one, first of all, we (LXD project folks) started to see issues in our tests on GitHub Actions ubuntu22.04 runners after they've got updated from 6.5 to 6.8-based kernel and this was reported on Launchpad tracker [1] by Wesley Hershberger. At the same time, Stéphane Graber from LXC containers project saw the same problem on Incus testsuite (also on Github Actions). Then we had a debugging session together with Stéphane and he found a quite minimalistic reproducer: curl https://pkgs.zabbly.com/get/incus-daily | sudo sh sudo apt-get install lvm2 --yes sudo incus storage create default lvm volume.size=25MiB size=1GiB sudo incus image copy images:alpine/edge local: --alias testimage sudo incus profile device add default root disk pool=default path=/ size=3GiB sudo incus create testimage a1 this thing produces the following output in kernel logs: [ 33.882936] EXT4-fs (dm-5): mounted filesystem 8aaf41b2-6ac0-4fa8-b92b-77d10e1d16ca r/w with ordered data mode. Quota mode: none. [ 33.888365] EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks [ 33.888740] ------------[ cut here ]------------ [ 33.888742] kernel BUG at fs/ext4/resize.c:324! [ 33.889075] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 33.889503] CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 [ 33.890039] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 33.890705] RIP: 0010:ext4_resize_fs+0x1212/0x12d0 [ 33.891063] Code: b8 45 31 c0 4c 89 ff 45 31 c9 31 c9 ba 0e 08 00 00 48 c7 c6 68 75 65 b8 e8 2b 79 01 00 41 b8 ea ff ff ff 41 5f e9 8d f1 ff ff <0f> 0b 48 83 bd 70 ff ff ff 00 75 32 45 31 c0 e9 53 f1 ff ff 41 b8 [ 33.892701] RSP: 0018:ffffa97f413f3cc8 EFLAGS: 00010202 [ 33.893081] RAX: 0000000000000018 RBX: 0000000000000001 RCX: 00000000fffffff0 [ 33.893639] RDX: 0000000000000017 RSI: 0000000000000016 RDI: 00000000e8c2c810 [ 33.894197] RBP: ffffa97f413f3d90 R08: 0000000000000000 R09: 0000000000008000 [ 33.894755] R10: ffffa97f413f3cc8 R11: ffffa2c1845bfc80 R12: 0000000000000000 [ 33.895317] R13: ffffa2c1843d6000 R14: 0000000000008000 R15: ffffa2c199963000 [ 33.895877] FS: 00007f46efd17000(0000) GS:ffffa2c89fc40000(0000) knlGS:0000000000000000 [ 33.896524] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 33.896954] CR2: 00005630a4a1cc88 CR3: 000000010532c000 CR4: 0000000000350eb0 [ 33.897516] Call Trace: [ 33.897638] <TASK> [ 33.897728] ? show_regs+0x6d/0x80 [ 33.897942] ? die+0x3c/0xa0 [ 33.898106] ? do_trap+0xe5/0x110 [ 33.898311] ? do_error_trap+0x6e/0x90 [ 33.898555] ? ext4_resize_fs+0x1212/0x12d0 [ 33.898844] ? exc_invalid_op+0x57/0x80 [ 33.899101] ? ext4_resize_fs+0x1212/0x12d0 [ 33.899387] ? asm_exc_invalid_op+0x1f/0x30 [ 33.899675] ? ext4_resize_fs+0x1212/0x12d0 [ 33.899961] ? ext4_resize_fs+0x745/0x12d0 [ 33.900239] __ext4_ioctl+0x4e0/0x1800 [ 33.900489] ? srso_alias_return_thunk+0x5/0xfbef5 [ 33.900832] ? putname+0x5b/0x70 [ 33.901028] ? srso_alias_return_thunk+0x5/0xfbef5 [ 33.901374] ? do_sys_openat2+0x87/0xd0 [ 33.901632] ? srso_alias_return_thunk+0x5/0xfbef5 [ 33.901981] ? srso_alias_return_thunk+0x5/0xfbef5 [ 33.902324] ? __x64_sys_openat+0x59/0xa0 [ 33.902595] ext4_ioctl+0x12/0x20 [ 33.902802] ? ext4_ioctl+0x12/0x20 [ 33.903031] __x64_sys_ioctl+0x99/0xd0 [ 33.903277] x64_sys_call+0x1206/0x20d0 [ 33.903534] do_syscall_64+0x72/0x110 [ 33.903771] ? srso_alias_return_thunk+0x5/0xfbef5 [ 33.904115] ? irqentry_exit+0x3f/0x50 [ 33.904362] ? srso_alias_return_thunk+0x5/0xfbef5 [ 33.904707] ? exc_page_fault+0x1aa/0x7b0 [ 33.904979] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 33.905349] RIP: 0033:0x7f46efe3294f [ 33.905579] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 [ 33.907321] RSP: 002b:00007ffe9b8833a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 33.907926] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f46efe3294f [ 33.908487] RDX: 00007ffe9b8834a0 RSI: 0000000040086610 RDI: 0000000000000004 [ 33.909046] RBP: 00005630a4a0b0e0 R08: 0000000000000000 R09: 00007ffe9b8832d7 [ 33.909605] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 [ 33.910165] R13: 00005630a4a0c580 R14: 00005630a4a10400 R15: 0000000000000000 [ 33.910740] </TASK> [ 33.910837] Modules linked in: [ 33.911049] ---[ end trace 0000000000000000 ]--- [ 33.911428] RIP: 0010:ext4_resize_fs+0x1212/0x12d0 [ 33.911810] Code: b8 45 31 c0 4c 89 ff 45 31 c9 31 c9 ba 0e 08 00 00 48 c7 c6 68 75 65 b8 e8 2b 79 01 00 41 b8 ea ff ff ff 41 5f e9 8d f1 ff ff <0f> 0b 48 83 bd 70 ff ff ff 00 75 32 45 31 c0 e9 53 f1 ff ff 41 b8 [ 33.913928] RSP: 0018:ffffa97f413f3cc8 EFLAGS: 00010202 [ 33.914313] RAX: 0000000000000018 RBX: 0000000000000001 RCX: 00000000fffffff0 [ 33.914909] RDX: 0000000000000017 RSI: 0000000000000016 RDI: 00000000e8c2c810 [ 33.915482] RBP: ffffa97f413f3d90 R08: 0000000000000000 R09: 0000000000008000 [ 33.916258] R10: ffffa97f413f3cc8 R11: ffffa2c1845bfc80 R12: 0000000000000000 [ 33.917027] R13: ffffa2c1843d6000 R14: 0000000000008000 R15: ffffa2c199963000 [ 33.917884] FS: 00007f46efd17000(0000) GS:ffffa2c89fc40000(0000) knlGS:0000000000000000 [ 33.918818] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 33.919322] CR2: 00005630a4a1cc88 CR3: 000000010532c000 CR4: 0000000000350eb0 [ 44.072293] ------------[ cut here ]------------ This patch is attempt to fix it and I can confirm that after applying it everything works just fine. At the same time, I'm not knowledgable in ext4 filesystem code so careful review is required here. Kind regards, Alex Cc: stable(a)vger.kernel.org # v6.8+ Fixes: 665d3e0af4d3 ("ext4: reduce unnecessary memory allocation in alloc_flex_gd()") Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2081231 [1] Cc: "Theodore Ts'o" <tytso(a)mit.edu> Cc: Andreas Dilger <adilger.kernel(a)dilger.ca> Cc: Jan Kara <jack(a)suse.cz> Cc: Baokun Li <libaokun1(a)huawei.com> Cc: Stéphane Graber <stgraber(a)stgraber.org> Cc: Christian Brauner <brauner(a)kernel.org> Cc: <linux-kernel(a)vger.kernel.org> Cc: <linux-fsdevel(a)vger.kernel.org> Cc: <linux-ext4(a)vger.kernel.org> Reported-by: Wesley Hershberger <wesley.hershberger(a)canonical.com> Reported-by: Stéphane Graber <stgraber(a)stgraber.org> Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn(a)canonical.com> Alexander Mikhalitsyn (1): ext4: fix BUG at fs/ext4/resize.c fs/ext4/resize.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) -- 2.34.1

9 months, 2 weeks

5
18
0 0

RTL8852BE wifi no longer working after 6.11 upgrade

by Marcel Weißenbach

Hi there, i upgraded my Archlinux testing setup from 6.10.9 to 6.11 and noticed that my wifi is no longer working. Here is the output from the working 6.10.x Kernel 04:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8852BE PCIe 802.11ax Wireless Network Controller Subsystem: AzureWave Device 5470 Kernel driver in use: rtw89_8852be Kernel modules: rtw89_8852be On 6.11, loading the Kernel Module fails. After veryfing it is not an Archlinux issue by manually building the Kernel from kernel.org manually, i can verify, it happens with an vanilla Kernel too. Here are the relevant parts from dmesg [...] [ 4.687462] rtw89_8852be 0000:04:00.0: [ERR]FWDL path ready [ 4.687472] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x1E0 = 0x23 [ 4.687477] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x83F0 = 0x70000 [ 4.687486] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 4.687501] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 4.687516] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f3b [ 4.687531] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 4.687546] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f3f [ 4.687561] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 4.687576] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f57 [ 4.687591] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 4.687606] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f4f [ 4.687621] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 4.687636] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccdf [ 4.687651] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 4.687666] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f37 [ 4.687681] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 4.687696] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f53 [ 6.376153] rtw89_8852be 0000:04:00.0: [ERR]FWDL path ready [ 6.376163] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x1E0 = 0x23 [ 6.376168] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x83F0 = 0x70000 [ 6.376178] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f4b [ 6.376193] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f43 [ 6.376208] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f4b [ 6.376223] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f41 [ 6.376238] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f3f [ 6.376253] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 6.376268] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 6.376283] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f57 [ 6.376298] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f47 [ 6.376313] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 6.376327] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 6.376342] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccdf [ 6.376357] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f35 [ 6.376372] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 6.376387] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 7.135332] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control off [ 8.097173] rtw89_8852be 0000:04:00.0: [ERR]FWDL path ready [ 8.097183] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x1E0 = 0x23 [ 8.097188] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x83F0 = 0x70000 [ 8.097197] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f53 [ 8.097212] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f4b [ 8.097227] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 8.097242] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f2f [ 8.097257] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f4b [ 8.097272] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 8.097287] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 8.097302] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f31 [ 8.097317] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f33 [ 8.097332] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f33 [ 8.097347] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccdb [ 8.097362] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f33 [ 8.097377] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 8.097391] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 8.097406] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccdb [ 9.817051] rtw89_8852be 0000:04:00.0: [ERR]FWDL path ready [ 9.817059] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x1E0 = 0x23 [ 9.817063] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x83F0 = 0x70000 [ 9.817072] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 9.817087] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 9.817102] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccdf [ 9.817117] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccdf [ 9.817133] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccf7 [ 9.817147] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f3d [ 9.817162] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f35 [ 9.817177] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 9.817192] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 9.817207] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 9.817222] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f55 [ 9.817237] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f53 [ 9.817252] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f47 [ 9.817267] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f47 [ 9.817282] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 11.536604] rtw89_8852be 0000:04:00.0: [ERR]FWDL path ready [ 11.536615] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x1E0 = 0x23 [ 11.536621] rtw89_8852be 0000:04:00.0: [ERR]fwdl 0x83F0 = 0x70000 [ 11.536632] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f35 [ 11.536648] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f55 [ 11.536664] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890cce1 [ 11.536680] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f7f [ 11.536697] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 11.536713] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890cce3 [ 11.536730] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f31 [ 11.536746] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 11.536762] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f4b [ 11.536778] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f35 [ 11.536794] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f47 [ 11.536809] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 11.536825] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f47 [ 11.536842] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb8901f57 [ 11.536859] rtw89_8852be 0000:04:00.0: [ERR]fw PC = 0xb890ccd9 [ 11.536874] rtw89_8852be 0000:04:00.0: failed to setup chip information [ 11.537455] rtw89_8852be 0000:04:00.0: probe with driver rtw89_8852be failed with error -110 [...] The whole dmesg can be found here (with an Download button on the top right): https://ignaz.org/nextcloud/index.php/s/gMtZCxS5wjtWSYc Best Regards Marcel #regzbot introduced: v6.10.9..v6.11

9 months, 2 weeks

2
7
0 0

[PATCH v2] rust: sync: require `T: Sync` for `LockedBy::access`

by Alice Ryhl

The `LockedBy::access` method only requires a shared reference to the owner, so if we have shared access to the `LockedBy` from several threads at once, then two threads could call `access` in parallel and both obtain a shared reference to the inner value. Thus, require that `T: Sync` when calling the `access` method. An alternative is to require `T: Sync` in the `impl Sync for LockedBy`. This patch does not choose that approach as it gives up the ability to use `LockedBy` with `!Sync` types, which is okay as long as you only use `access_mut`. Cc: stable(a)vger.kernel.org Fixes: 7b1f55e3a984 ("rust: sync: introduce `LockedBy`") Signed-off-by: Alice Ryhl <aliceryhl(a)google.com> --- Changes in v2: - Use a `where T: Sync` on `access` instead of changing `impl Sync for LockedBy`. - Link to v1: https://lore.kernel.org/r/20240912-locked-by-sync-fix-v1-1-26433cbccbd2@goo… --- rust/kernel/sync/locked_by.rs | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/rust/kernel/sync/locked_by.rs b/rust/kernel/sync/locked_by.rs index babc731bd5f6..ce2ee8d87865 100644 --- a/rust/kernel/sync/locked_by.rs +++ b/rust/kernel/sync/locked_by.rs @@ -83,8 +83,12 @@ pub struct LockedBy<T: ?Sized, U: ?Sized> { // SAFETY: `LockedBy` can be transferred across thread boundaries iff the data it protects can. unsafe impl<T: ?Sized + Send, U: ?Sized> Send for LockedBy<T, U> {} -// SAFETY: `LockedBy` serialises the interior mutability it provides, so it is `Sync` as long as the -// data it protects is `Send`. +// SAFETY: If `T` is not `Sync`, then parallel shared access to this `LockedBy` allows you to use +// `access_mut` to hand out `&mut T` on one thread at the time. The requirement that `T: Send` is +// sufficient to allow that. +// +// If `T` is `Sync`, then the `access` method also becomes available, which allows you to obtain +// several `&T` from several threads at once. However, this is okay as `T` is `Sync`. unsafe impl<T: ?Sized + Send, U: ?Sized> Sync for LockedBy<T, U> {} impl<T, U> LockedBy<T, U> { @@ -118,7 +122,10 @@ impl<T: ?Sized, U> LockedBy<T, U> { /// /// Panics if `owner` is different from the data protected by the lock used in /// [`new`](LockedBy::new). - pub fn access<'a>(&'a self, owner: &'a U) -> &'a T { + pub fn access<'a>(&'a self, owner: &'a U) -> &'a T + where + T: Sync, + { build_assert!( size_of::<U>() > 0, "`U` cannot be a ZST because `owner` wouldn't be unique" @@ -127,7 +134,10 @@ pub fn access<'a>(&'a self, owner: &'a U) -> &'a T { panic!("mismatched owners"); } - // SAFETY: `owner` is evidence that the owner is locked. + // SAFETY: `owner` is evidence that there are only shared references to the owner for the + // duration of 'a, so it's not possible to use `Self::access_mut` to obtain a mutable + // reference to the inner value that aliases with this shared reference. The type is `Sync` + // so there are no other requirements. unsafe { &*self.data.get() } } --- base-commit: 93dc3be19450447a3a7090bd1dfb9f3daac3e8d2 change-id: 20240912-locked-by-sync-fix-07193df52f98 Best regards, -- Alice Ryhl <aliceryhl(a)google.com>

9 months, 2 weeks

3
3
0 0

[merged mm-hotfixes-stable] ocfs2-fix-uninit-value-in-ocfs2_get_block.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix uninit-value in ocfs2_get_block() has been removed from the -mm tree. Its filename was ocfs2-fix-uninit-value-in-ocfs2_get_block.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Joseph Qi <joseph.qi(a)linux.alibaba.com> Subject: ocfs2: fix uninit-value in ocfs2_get_block() Date: Wed, 25 Sep 2024 17:06:00 +0800 syzbot reported an uninit-value BUG: BUG: KMSAN: uninit-value in ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 do_mpage_readpage+0xc45/0x2780 fs/mpage.c:225 mpage_readahead+0x43f/0x840 fs/mpage.c:374 ocfs2_readahead+0x269/0x320 fs/ocfs2/aops.c:381 read_pages+0x193/0x1110 mm/readahead.c:160 page_cache_ra_unbounded+0x901/0x9f0 mm/readahead.c:273 do_page_cache_ra mm/readahead.c:303 [inline] force_page_cache_ra+0x3b1/0x4b0 mm/readahead.c:332 force_page_cache_readahead mm/internal.h:347 [inline] generic_fadvise+0x6b0/0xa90 mm/fadvise.c:106 vfs_fadvise mm/fadvise.c:185 [inline] ksys_fadvise64_64 mm/fadvise.c:199 [inline] __do_sys_fadvise64 mm/fadvise.c:214 [inline] __se_sys_fadvise64 mm/fadvise.c:212 [inline] __x64_sys_fadvise64+0x1fb/0x3a0 mm/fadvise.c:212 x64_sys_call+0xe11/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:222 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f This is because when ocfs2_extent_map_get_blocks() fails, p_blkno is uninitialized. So the error log will trigger the above uninit-value access. The error log is out-of-date since get_blocks() was removed long time ago. And the error code will be logged in ocfs2_extent_map_get_blocks() once ocfs2_get_cluster() fails, so fix this by only logging inode and block. Link: https://syzkaller.appspot.com/bug?extid=9709e73bae885b05314b Link: https://lkml.kernel.org/r/20240925090600.3643376-1-joseph.qi@linux.alibaba.… Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: syzbot+9709e73bae885b05314b(a)syzkaller.appspotmail.com Tested-by: syzbot+9709e73bae885b05314b(a)syzkaller.appspotmail.com Cc: Heming Zhao <heming.zhao(a)suse.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/aops.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/fs/ocfs2/aops.c~ocfs2-fix-uninit-value-in-ocfs2_get_block +++ a/fs/ocfs2/aops.c @@ -156,9 +156,8 @@ int ocfs2_get_block(struct inode *inode, err = ocfs2_extent_map_get_blocks(inode, iblock, &p_blkno, &count, &ext_flags); if (err) { - mlog(ML_ERROR, "Error %d from get_blocks(0x%p, %llu, 1, " - "%llu, NULL)\n", err, inode, (unsigned long long)iblock, - (unsigned long long)p_blkno); + mlog(ML_ERROR, "get_blocks() failed, inode: 0x%p, " + "block: %llu\n", inode, (unsigned long long)iblock); goto bail; } _ Patches currently in -mm which might be from joseph.qi(a)linux.alibaba.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: kselftests: mm: fix wrong __NR_userfaultfd value has been removed from the -mm tree. Its filename was kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Subject: kselftests: mm: fix wrong __NR_userfaultfd value Date: Mon, 23 Sep 2024 10:38:36 +0500 grep -rnIF "#define __NR_userfaultfd" tools/include/uapi/asm-generic/unistd.h:681:#define __NR_userfaultfd 282 arch/x86/include/generated/uapi/asm/unistd_32.h:374:#define __NR_userfaultfd 374 arch/x86/include/generated/uapi/asm/unistd_64.h:327:#define __NR_userfaultfd 323 arch/x86/include/generated/uapi/asm/unistd_x32.h:282:#define __NR_userfaultfd (__X32_SYSCALL_BIT + 323) arch/arm/include/generated/uapi/asm/unistd-eabi.h:347:#define __NR_userfaultfd (__NR_SYSCALL_BASE + 388) arch/arm/include/generated/uapi/asm/unistd-oabi.h:359:#define __NR_userfaultfd (__NR_SYSCALL_BASE + 388) include/uapi/asm-generic/unistd.h:681:#define __NR_userfaultfd 282 The number is dependent on the architecture. The above data shows that: x86 374 x86_64 323 The value of __NR_userfaultfd was changed to 282 when asm-generic/unistd.h was included. It makes the test to fail every time as the correct number of this syscall on x86_64 is 323. Fix the header to asm/unistd.h. Link: https://lkml.kernel.org/r/20240923053836.3270393-1-usama.anjum@collabora.com Fixes: a5c6bc590094 ("selftests/mm: remove local __NR_* definitions") Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Reviewed-by: Shuah Khan <skhan(a)linuxfoundation.org> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/pagemap_ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/testing/selftests/mm/pagemap_ioctl.c~kselftests-mm-fix-wrong-__nr_userfaultfd-value +++ a/tools/testing/selftests/mm/pagemap_ioctl.c @@ -15,7 +15,7 @@ #include <sys/ioctl.h> #include <sys/stat.h> #include <math.h> -#include <asm-generic/unistd.h> +#include <asm/unistd.h> #include <pthread.h> #include <sys/resource.h> #include <assert.h> _ Patches currently in -mm which might be from usama.anjum(a)collabora.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] compilerh-specify-correct-attribute-for-rodatac_jump_table.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: compiler.h: specify correct attribute for .rodata..c_jump_table has been removed from the -mm tree. Its filename was compilerh-specify-correct-attribute-for-rodatac_jump_table.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Tiezhu Yang <yangtiezhu(a)loongson.cn> Subject: compiler.h: specify correct attribute for .rodata..c_jump_table Date: Tue, 24 Sep 2024 14:27:10 +0800 Currently, there is an assembler message when generating kernel/bpf/core.o under CONFIG_OBJTOOL with LoongArch compiler toolchain: Warning: setting incorrect section attributes for .rodata..c_jump_table This is because the section ".rodata..c_jump_table" should be readonly, but there is a "W" (writable) part of the flags: $ readelf -S kernel/bpf/core.o | grep -A 1 "rodata..c" [34] .rodata..c_j[...] PROGBITS 0000000000000000 0000d2e0 0000000000000800 0000000000000000 WA 0 0 8 There is no above issue on x86 due to the generated section flag is only "A" (allocatable). In order to silence the warning on LoongArch, specify the attribute like ".rodata..c_jump_table,\"a\",@progbits #" explicitly, then the section attribute of ".rodata..c_jump_table" must be readonly in the kernel/bpf/core.o file. Before: $ objdump -h kernel/bpf/core.o | grep -A 1 "rodata..c" 21 .rodata..c_jump_table 00000800 0000000000000000 0000000000000000 0000d2e0 2**3 CONTENTS, ALLOC, LOAD, RELOC, DATA After: $ objdump -h kernel/bpf/core.o | grep -A 1 "rodata..c" 21 .rodata..c_jump_table 00000800 0000000000000000 0000000000000000 0000d2e0 2**3 CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA By the way, AFAICT, maybe the root cause is related with the different compiler behavior of various archs, so to some extent this change is a workaround for LoongArch, and also there is no effect for x86 which is the only port supported by objtool before LoongArch with this patch. Link: https://lkml.kernel.org/r/20240924062710.1243-1-yangtiezhu@loongson.cn Signed-off-by: Tiezhu Yang <yangtiezhu(a)loongson.cn> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> [6.9+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/compiler.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/linux/compiler.h~compilerh-specify-correct-attribute-for-rodatac_jump_table +++ a/include/linux/compiler.h @@ -133,7 +133,7 @@ void ftrace_likely_update(struct ftrace_ #define annotate_unreachable() __annotate_unreachable(__COUNTER__) /* Annotate a C jump table to allow objtool to follow the code flow */ -#define __annotate_jump_table __section(".rodata..c_jump_table") +#define __annotate_jump_table __section(".rodata..c_jump_table,\"a\",@progbits #") #else /* !CONFIG_OBJTOOL */ #define annotate_reachable() _ Patches currently in -mm which might be from yangtiezhu(a)loongson.cn are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-fix-deadlock-in-ocfs2_get_system_file_inode.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: fix deadlock in ocfs2_get_system_file_inode has been removed from the -mm tree. Its filename was ocfs2-fix-deadlock-in-ocfs2_get_system_file_inode.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Mohammed Anees <pvmohammedanees2003(a)gmail.com> Subject: ocfs2: fix deadlock in ocfs2_get_system_file_inode Date: Tue, 24 Sep 2024 09:32:57 +0000 syzbot has found a possible deadlock in ocfs2_get_system_file_inode [1]. The scenario is depicted here, CPU0 CPU1 lock(&ocfs2_file_ip_alloc_sem_key); lock(&osb->system_file_mutex); lock(&ocfs2_file_ip_alloc_sem_key); lock(&osb->system_file_mutex); The function calls which could lead to this are: CPU0 ocfs2_mknod - lock(&ocfs2_file_ip_alloc_sem_key); . . . ocfs2_get_system_file_inode - lock(&osb->system_file_mutex); CPU1 - ocfs2_fill_super - lock(&osb->system_file_mutex); . . . ocfs2_read_virt_blocks - lock(&ocfs2_file_ip_alloc_sem_key); This issue can be resolved by making the down_read -> down_read_try in the ocfs2_read_virt_blocks. [1] https://syzkaller.appspot.com/bug?extid=e0055ea09f1f5e6fabdd Link: https://lkml.kernel.org/r/20240924093257.7181-1-pvmohammedanees2003@gmail.c… Signed-off-by: Mohammed Anees <pvmohammedanees2003(a)gmail.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: <syzbot+e0055ea09f1f5e6fabdd(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=e0055ea09f1f5e6fabdd Tested-by: syzbot+e0055ea09f1f5e6fabdd(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/extent_map.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/fs/ocfs2/extent_map.c~ocfs2-fix-deadlock-in-ocfs2_get_system_file_inode +++ a/fs/ocfs2/extent_map.c @@ -973,7 +973,13 @@ int ocfs2_read_virt_blocks(struct inode } while (done < nr) { - down_read(&OCFS2_I(inode)->ip_alloc_sem); + if (!down_read_trylock(&OCFS2_I(inode)->ip_alloc_sem)) { + rc = -EAGAIN; + mlog(ML_ERROR, + "Inode #%llu ip_alloc_sem is temporarily unavailable\n", + (unsigned long long)OCFS2_I(inode)->ip_blkno); + break; + } rc = ocfs2_extent_map_get_blocks(inode, v_block + done, &p_block, &p_count, NULL); up_read(&OCFS2_I(inode)->ip_alloc_sem); _ Patches currently in -mm which might be from pvmohammedanees2003(a)gmail.com are ocfs2-fix-typo-in-comment.patch

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: ocfs2: reserve space for inline xattr before attaching reflink tree has been removed from the -mm tree. Its filename was ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Subject: ocfs2: reserve space for inline xattr before attaching reflink tree Date: Wed, 18 Sep 2024 06:38:44 +0000 One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@o… Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) --- a/fs/ocfs2/refcounttree.c~ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree +++ a/fs/ocfs2/refcounttree.c @@ -25,6 +25,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4148,8 +4149,9 @@ static int __ocfs2_reflink(struct dentry int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4175,6 +4177,26 @@ static int __ocfs2_reflink(struct dentry goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; + struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4182,7 +4204,7 @@ static int __ocfs2_reflink(struct dentry goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); --- a/fs/ocfs2/xattr.c~ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree +++ a/fs/ocfs2/xattr.c @@ -6511,16 +6511,7 @@ static int ocfs2_reflink_xattr_inline(st } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); _ Patches currently in -mm which might be from gautham.ananthakrishna(a)oracle.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm: migrate: annotate data-race in migrate_folio_unmap() has been removed from the -mm tree. Its filename was mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Jeongjun Park <aha310510(a)gmail.com> Subject: mm: migrate: annotate data-race in migrate_folio_unmap() Date: Tue, 24 Sep 2024 22:00:53 +0900 I found a report from syzbot [1] This report shows that the value can be changed, but in reality, the value of __folio_set_movable() cannot be changed because it holds the folio refcount. Therefore, it is appropriate to add an annotate to make KCSAN ignore that data-race. [1] ================================================================== BUG: KCSAN: data-race in __filemap_remove_folio / migrate_pages_batch write to 0xffffea0004b81dd8 of 8 bytes by task 6348 on cpu 0: page_cache_delete mm/filemap.c:153 [inline] __filemap_remove_folio+0x1ac/0x2c0 mm/filemap.c:233 filemap_remove_folio+0x6b/0x1f0 mm/filemap.c:265 truncate_inode_folio+0x42/0x50 mm/truncate.c:178 shmem_undo_range+0x25b/0xa70 mm/shmem.c:1028 shmem_truncate_range mm/shmem.c:1144 [inline] shmem_evict_inode+0x14d/0x530 mm/shmem.c:1272 evict+0x2f0/0x580 fs/inode.c:731 iput_final fs/inode.c:1883 [inline] iput+0x42a/0x5b0 fs/inode.c:1909 dentry_unlink_inode+0x24f/0x260 fs/dcache.c:412 __dentry_kill+0x18b/0x4c0 fs/dcache.c:615 dput+0x5c/0xd0 fs/dcache.c:857 __fput+0x3fb/0x6d0 fs/file_table.c:439 ____fput+0x1c/0x30 fs/file_table.c:459 task_work_run+0x13a/0x1a0 kernel/task_work.c:228 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xbe/0x130 kernel/entry/common.c:218 do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffffea0004b81dd8 of 8 bytes by task 6342 on cpu 1: __folio_test_movable include/linux/page-flags.h:699 [inline] migrate_folio_unmap mm/migrate.c:1199 [inline] migrate_pages_batch+0x24c/0x1940 mm/migrate.c:1797 migrate_pages_sync mm/migrate.c:1963 [inline] migrate_pages+0xff1/0x1820 mm/migrate.c:2072 do_mbind mm/mempolicy.c:1390 [inline] kernel_mbind mm/mempolicy.c:1533 [inline] __do_sys_mbind mm/mempolicy.c:1607 [inline] __se_sys_mbind+0xf76/0x1160 mm/mempolicy.c:1603 __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1603 x64_sys_call+0x2b4d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:238 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0xffff888127601078 -> 0x0000000000000000 Link: https://lkml.kernel.org/r/20240924130053.107490-1-aha310510@gmail.com Fixes: 7e2a5e5ab217 ("mm: migrate: use __folio_test_movable()") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/migrate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/migrate.c~mm-migrate-annotate-data-race-in-migrate_folio_unmap +++ a/mm/migrate.c @@ -1196,7 +1196,7 @@ static int migrate_folio_unmap(new_folio int rc = -EAGAIN; int old_page_state = 0; struct anon_vma *anon_vma = NULL; - bool is_lru = !__folio_test_movable(src); + bool is_lru = data_race(!__folio_test_movable(src)); bool locked = false; bool dst_locked = false; _ Patches currently in -mm which might be from aha310510(a)gmail.com are mm-percpu-fix-typo-to-pcpu_alloc_noprof-description.patch mm-shmem-fix-data-race-in-shmem_getattr.patch

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-simplify-refs-in-memfd_alloc_folio.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: simplify refs in memfd_alloc_folio has been removed from the -mm tree. Its filename was mm-hugetlb-simplify-refs-in-memfd_alloc_folio.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Steve Sistare <steven.sistare(a)oracle.com> Subject: mm/hugetlb: simplify refs in memfd_alloc_folio Date: Wed, 4 Sep 2024 12:41:08 -0700 The folio_try_get in memfd_alloc_folio is not necessary. Delete it, and delete the matching folio_put in memfd_pin_folios. This also avoids leaking a ref if the memfd_alloc_folio call to hugetlb_add_to_page_cache fails. That error path is also broken in a second way -- when its folio_put causes the ref to become 0, it will implicitly call free_huge_folio, but then the path *explicitly* calls free_huge_folio. Delete the latter. This is a continuation of the fix "mm/hugetlb: fix memfd_pin_folios free_huge_pages leak" [steven.sistare(a)oracle.com: remove explicit call to free_huge_folio(), per Matthew] Link: https://lkml.kernel.org/r/Zti-7nPVMcGgpcbi@casper.infradead.org Link: https://lkml.kernel.org/r/1725481920-82506-1-git-send-email-steven.sistare@… Link: https://lkml.kernel.org/r/1725478868-61732-1-git-send-email-steven.sistare@… Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Steve Sistare <steven.sistare(a)oracle.com> Suggested-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 4 +--- mm/memfd.c | 3 +-- 2 files changed, 2 insertions(+), 5 deletions(-) --- a/mm/gup.c~mm-hugetlb-simplify-refs-in-memfd_alloc_folio +++ a/mm/gup.c @@ -3615,7 +3615,7 @@ long memfd_pin_folios(struct file *memfd pgoff_t start_idx, end_idx, next_idx; struct folio *folio = NULL; struct folio_batch fbatch; - struct hstate *h = NULL; + struct hstate *h; long ret = -EINVAL; if (start < 0 || start > end || !max_folios) @@ -3659,8 +3659,6 @@ long memfd_pin_folios(struct file *memfd &fbatch); if (folio) { folio_put(folio); - if (h) - folio_put(folio); folio = NULL; } --- a/mm/memfd.c~mm-hugetlb-simplify-refs-in-memfd_alloc_folio +++ a/mm/memfd.c @@ -89,13 +89,12 @@ struct folio *memfd_alloc_folio(struct f numa_node_id(), NULL, gfp_mask); - if (folio && folio_try_get(folio)) { + if (folio) { err = hugetlb_add_to_page_cache(folio, memfd->f_mapping, idx); if (err) { folio_put(folio); - free_huge_folio(folio); return ERR_PTR(err); } folio_unlock(folio); _ Patches currently in -mm which might be from steven.sistare(a)oracle.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-gup-fix-memfd_pin_folios-alloc-race-panic.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/gup: fix memfd_pin_folios alloc race panic has been removed from the -mm tree. Its filename was mm-gup-fix-memfd_pin_folios-alloc-race-panic.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Steve Sistare <steven.sistare(a)oracle.com> Subject: mm/gup: fix memfd_pin_folios alloc race panic Date: Tue, 3 Sep 2024 07:25:21 -0700 If memfd_pin_folios tries to create a hugetlb page, but someone else already did, then folio gets the value -EEXIST here: folio = memfd_alloc_folio(memfd, start_idx); if (IS_ERR(folio)) { ret = PTR_ERR(folio); if (ret != -EEXIST) goto err; then on the next trip through the "while start_idx" loop we panic here: if (folio) { folio_put(folio); To fix, set the folio to NULL on error. Link: https://lkml.kernel.org/r/1725373521-451395-6-git-send-email-steven.sistare… Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Steve Sistare <steven.sistare(a)oracle.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 1 + 1 file changed, 1 insertion(+) --- a/mm/gup.c~mm-gup-fix-memfd_pin_folios-alloc-race-panic +++ a/mm/gup.c @@ -3702,6 +3702,7 @@ long memfd_pin_folios(struct file *memfd ret = PTR_ERR(folio); if (ret != -EEXIST) goto err; + folio = NULL; } } } _ Patches currently in -mm which might be from steven.sistare(a)oracle.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/gup: fix memfd_pin_folios hugetlb page allocation has been removed from the -mm tree. Its filename was mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Steve Sistare <steven.sistare(a)oracle.com> Subject: mm/gup: fix memfd_pin_folios hugetlb page allocation Date: Tue, 3 Sep 2024 07:25:20 -0700 When memfd_pin_folios -> memfd_alloc_folio creates a hugetlb page, the index is wrong. The subsequent call to filemap_get_folios_contig thus cannot find it, and fails, and memfd_pin_folios loops forever. To fix, adjust the index for the huge_page_order. memfd_alloc_folio also forgets to unlock the folio, so the next touch of the page calls hugetlb_fault which blocks forever trying to take the lock. Unlock it. Link: https://lkml.kernel.org/r/1725373521-451395-5-git-send-email-steven.sistare… Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Steve Sistare <steven.sistare(a)oracle.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memfd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/mm/memfd.c~mm-gup-fix-memfd_pin_folios-hugetlb-page-allocation +++ a/mm/memfd.c @@ -79,10 +79,13 @@ struct folio *memfd_alloc_folio(struct f * alloc from. Also, the folio will be pinned for an indefinite * amount of time, so it is not expected to be migrated away. */ - gfp_mask = htlb_alloc_mask(hstate_file(memfd)); + struct hstate *h = hstate_file(memfd); + + gfp_mask = htlb_alloc_mask(h); gfp_mask &= ~(__GFP_HIGHMEM | __GFP_MOVABLE); + idx >>= huge_page_order(h); - folio = alloc_hugetlb_folio_reserve(hstate_file(memfd), + folio = alloc_hugetlb_folio_reserve(h, numa_node_id(), NULL, gfp_mask); @@ -95,6 +98,7 @@ struct folio *memfd_alloc_folio(struct f free_huge_folio(folio); return ERR_PTR(err); } + folio_unlock(folio); return folio; } return ERR_PTR(-ENOMEM); _ Patches currently in -mm which might be from steven.sistare(a)oracle.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: fix memfd_pin_folios resv_huge_pages leak has been removed from the -mm tree. Its filename was mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Steve Sistare <steven.sistare(a)oracle.com> Subject: mm/hugetlb: fix memfd_pin_folios resv_huge_pages leak Date: Tue, 3 Sep 2024 07:25:19 -0700 memfd_pin_folios followed by unpin_folios leaves resv_huge_pages elevated if the pages were not already faulted in. During a normal page fault, resv_huge_pages is consumed here: hugetlb_fault() alloc_hugetlb_folio() dequeue_hugetlb_folio_vma() dequeue_hugetlb_folio_nodemask() dequeue_hugetlb_folio_node_exact() free_huge_pages-- resv_huge_pages-- During memfd_pin_folios, the page is created by calling alloc_hugetlb_folio_nodemask instead of alloc_hugetlb_folio, and resv_huge_pages is not modified: memfd_alloc_folio() alloc_hugetlb_folio_nodemask() dequeue_hugetlb_folio_nodemask() dequeue_hugetlb_folio_node_exact() free_huge_pages-- alloc_hugetlb_folio_nodemask has other callers that must not modify resv_huge_pages. Therefore, to fix, define an alternate version of alloc_hugetlb_folio_nodemask for this call site that adjusts resv_huge_pages. Link: https://lkml.kernel.org/r/1725373521-451395-4-git-send-email-steven.sistare… Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Steve Sistare <steven.sistare(a)oracle.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/hugetlb.h | 10 ++++++++++ mm/hugetlb.c | 17 +++++++++++++++++ mm/memfd.c | 9 ++++----- 3 files changed, 31 insertions(+), 5 deletions(-) --- a/include/linux/hugetlb.h~mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak +++ a/include/linux/hugetlb.h @@ -692,6 +692,9 @@ struct folio *alloc_hugetlb_folio(struct struct folio *alloc_hugetlb_folio_nodemask(struct hstate *h, int preferred_nid, nodemask_t *nmask, gfp_t gfp_mask, bool allow_alloc_fallback); +struct folio *alloc_hugetlb_folio_reserve(struct hstate *h, int preferred_nid, + nodemask_t *nmask, gfp_t gfp_mask); + int hugetlb_add_to_page_cache(struct folio *folio, struct address_space *mapping, pgoff_t idx); void restore_reserve_on_error(struct hstate *h, struct vm_area_struct *vma, @@ -1058,6 +1061,13 @@ static inline struct folio *alloc_hugetl { return NULL; } + +static inline struct folio * +alloc_hugetlb_folio_reserve(struct hstate *h, int preferred_nid, + nodemask_t *nmask, gfp_t gfp_mask) +{ + return NULL; +} static inline struct folio * alloc_hugetlb_folio_nodemask(struct hstate *h, int preferred_nid, --- a/mm/hugetlb.c~mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak +++ a/mm/hugetlb.c @@ -2390,6 +2390,23 @@ struct folio *alloc_buddy_hugetlb_folio_ return folio; } +struct folio *alloc_hugetlb_folio_reserve(struct hstate *h, int preferred_nid, + nodemask_t *nmask, gfp_t gfp_mask) +{ + struct folio *folio; + + spin_lock_irq(&hugetlb_lock); + folio = dequeue_hugetlb_folio_nodemask(h, gfp_mask, preferred_nid, + nmask); + if (folio) { + VM_BUG_ON(!h->resv_huge_pages); + h->resv_huge_pages--; + } + + spin_unlock_irq(&hugetlb_lock); + return folio; +} + /* folio migration callback function */ struct folio *alloc_hugetlb_folio_nodemask(struct hstate *h, int preferred_nid, nodemask_t *nmask, gfp_t gfp_mask, bool allow_alloc_fallback) --- a/mm/memfd.c~mm-hugetlb-fix-memfd_pin_folios-resv_huge_pages-leak +++ a/mm/memfd.c @@ -82,11 +82,10 @@ struct folio *memfd_alloc_folio(struct f gfp_mask = htlb_alloc_mask(hstate_file(memfd)); gfp_mask &= ~(__GFP_HIGHMEM | __GFP_MOVABLE); - folio = alloc_hugetlb_folio_nodemask(hstate_file(memfd), - numa_node_id(), - NULL, - gfp_mask, - false); + folio = alloc_hugetlb_folio_reserve(hstate_file(memfd), + numa_node_id(), + NULL, + gfp_mask); if (folio && folio_try_get(folio)) { err = hugetlb_add_to_page_cache(folio, memfd->f_mapping, _ Patches currently in -mm which might be from steven.sistare(a)oracle.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/hugetlb: fix memfd_pin_folios free_huge_pages leak has been removed from the -mm tree. Its filename was mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Steve Sistare <steven.sistare(a)oracle.com> Subject: mm/hugetlb: fix memfd_pin_folios free_huge_pages leak Date: Tue, 3 Sep 2024 07:25:18 -0700 memfd_pin_folios followed by unpin_folios fails to restore free_huge_pages if the pages were not already faulted in, because the folio refcount for pages created by memfd_alloc_folio never goes to 0. memfd_pin_folios needs another folio_put to undo the folio_try_get below: memfd_alloc_folio() alloc_hugetlb_folio_nodemask() dequeue_hugetlb_folio_nodemask() dequeue_hugetlb_folio_node_exact() folio_ref_unfreeze(folio, 1); ; adds 1 refcount folio_try_get() ; adds 1 refcount hugetlb_add_to_page_cache() ; adds 512 refcount (on x86) With the fix, after memfd_pin_folios + unpin_folios, the refcount for the (unfaulted) page is 512, which is correct, as the refcount for a faulted unpinned page is 513. Link: https://lkml.kernel.org/r/1725373521-451395-3-git-send-email-steven.sistare… Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Steve Sistare <steven.sistare(a)oracle.com> Acked-by: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/mm/gup.c~mm-hugetlb-fix-memfd_pin_folios-free_huge_pages-leak +++ a/mm/gup.c @@ -3615,7 +3615,7 @@ long memfd_pin_folios(struct file *memfd pgoff_t start_idx, end_idx, next_idx; struct folio *folio = NULL; struct folio_batch fbatch; - struct hstate *h; + struct hstate *h = NULL; long ret = -EINVAL; if (start < 0 || start > end || !max_folios) @@ -3659,6 +3659,8 @@ long memfd_pin_folios(struct file *memfd &fbatch); if (folio) { folio_put(folio); + if (h) + folio_put(folio); folio = NULL; } _ Patches currently in -mm which might be from steven.sistare(a)oracle.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] mm-filemap-fix-filemap_get_folios_contig-thp-panic.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/filemap: fix filemap_get_folios_contig THP panic has been removed from the -mm tree. Its filename was mm-filemap-fix-filemap_get_folios_contig-thp-panic.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Steve Sistare <steven.sistare(a)oracle.com> Subject: mm/filemap: fix filemap_get_folios_contig THP panic Date: Tue, 3 Sep 2024 07:25:17 -0700 Patch series "memfd-pin huge page fixes". Fix multiple bugs that occur when using memfd_pin_folios with hugetlb pages and THP. The hugetlb bugs only bite when the page is not yet faulted in when memfd_pin_folios is called. The THP bug bites when the starting offset passed to memfd_pin_folios is not huge page aligned. See the commit messages for details. This patch (of 5): memfd_pin_folios on memory backed by THP panics if the requested start offset is not huge page aligned: BUG: kernel NULL pointer dereference, address: 0000000000000036 RIP: 0010:filemap_get_folios_contig+0xdf/0x290 RSP: 0018:ffffc9002092fbe8 EFLAGS: 00010202 RAX: 0000000000000002 RBX: 0000000000000002 RCX: 0000000000000002 The fault occurs here, because xas_load returns a folio with value 2: filemap_get_folios_contig() for (folio = xas_load(&xas); folio && xas.xa_index <= end; folio = xas_next(&xas)) { ... if (!folio_try_get(folio)) <-- BOOM "2" is an xarray sibling entry. We get it because memfd_pin_folios does not round the indices passed to filemap_get_folios_contig to huge page boundaries for THP, so we load from the middle of a huge page range see a sibling. (It does round for hugetlbfs, at the is_file_hugepages test). To fix, if the folio is a sibling, then return the next index as the starting point for the next call to filemap_get_folios_contig. Link: https://lkml.kernel.org/r/1725373521-451395-1-git-send-email-steven.sistare… Link: https://lkml.kernel.org/r/1725373521-451395-2-git-send-email-steven.sistare… Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Steve Sistare <steven.sistare(a)oracle.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/filemap.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/mm/filemap.c~mm-filemap-fix-filemap_get_folios_contig-thp-panic +++ a/mm/filemap.c @@ -2196,6 +2196,10 @@ unsigned filemap_get_folios_contig(struc if (xa_is_value(folio)) goto update_start; + /* If we landed in the middle of a THP, continue at its end. */ + if (xa_is_sibling(folio)) + goto update_start; + if (!folio_try_get(folio)) goto retry; _ Patches currently in -mm which might be from steven.sistare(a)oracle.com are

9 months, 2 weeks

1
0
0 0

[merged mm-hotfixes-stable] tools-fix-shared-radix-tree-build.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: tools: fix shared radix-tree build has been removed from the -mm tree. Its filename was tools-fix-shared-radix-tree-build.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Subject: tools: fix shared radix-tree build Date: Tue, 24 Sep 2024 19:07:24 +0100 The shared radix-tree build is not correctly recompiling when lib/maple_tree.c and lib/test_maple_tree.c are modified - fix this by adding these core components to the SHARED_DEPS list. Additionally, add missing header guards to shared header files. Link: https://lkml.kernel.org/r/20240924180724.112169-1-lorenzo.stoakes@oracle.com Fixes: 74579d8dab47 ("tools: separate out shared radix-tree components") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Tested-by: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> Cc: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/shared/maple-shared.h | 4 ++++ tools/testing/shared/shared.h | 4 ++++ tools/testing/shared/shared.mk | 4 +++- tools/testing/shared/xarray-shared.h | 4 ++++ 4 files changed, 15 insertions(+), 1 deletion(-) --- a/tools/testing/shared/maple-shared.h~tools-fix-shared-radix-tree-build +++ a/tools/testing/shared/maple-shared.h @@ -1,4 +1,6 @@ /* SPDX-License-Identifier: GPL-2.0+ */ +#ifndef __MAPLE_SHARED_H__ +#define __MAPLE_SHARED_H__ #define CONFIG_DEBUG_MAPLE_TREE #define CONFIG_MAPLE_SEARCH @@ -7,3 +9,5 @@ #include <stdlib.h> #include <time.h> #include "linux/init.h" + +#endif /* __MAPLE_SHARED_H__ */ --- a/tools/testing/shared/shared.h~tools-fix-shared-radix-tree-build +++ a/tools/testing/shared/shared.h @@ -1,4 +1,6 @@ /* SPDX-License-Identifier: GPL-2.0 */ +#ifndef __SHARED_H__ +#define __SHARED_H__ #include <linux/types.h> #include <linux/bug.h> @@ -31,3 +33,5 @@ #ifndef dump_stack #define dump_stack() assert(0) #endif + +#endif /* __SHARED_H__ */ --- a/tools/testing/shared/shared.mk~tools-fix-shared-radix-tree-build +++ a/tools/testing/shared/shared.mk @@ -15,7 +15,9 @@ SHARED_DEPS = Makefile ../shared/shared. ../../../include/linux/maple_tree.h \ ../../../include/linux/radix-tree.h \ ../../../lib/radix-tree.h \ - ../../../include/linux/idr.h + ../../../include/linux/idr.h \ + ../../../lib/maple_tree.c \ + ../../../lib/test_maple_tree.c ifndef SHIFT SHIFT=3 --- a/tools/testing/shared/xarray-shared.h~tools-fix-shared-radix-tree-build +++ a/tools/testing/shared/xarray-shared.h @@ -1,4 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0+ */ +#ifndef __XARRAY_SHARED_H__ +#define __XARRAY_SHARED_H__ #define XA_DEBUG #include "shared.h" + +#endif /* __XARRAY_SHARED_H__ */ _ Patches currently in -mm which might be from lorenzo.stoakes(a)oracle.com are selftests-mm-add-pkey_sighandler_xx-hugetlb_dio-to-gitignore.patch mm-refactor-mm_access-to-not-return-null.patch mm-refactor-mm_access-to-not-return-null-fix.patch mm-madvise-unrestrict-process_madvise-for-current-process.patch

9 months, 2 weeks

1
0
0 0

[PATCH] NFSv4: fix a mount deadlock in NFS v4.1 client

by Oleksandr Tymoshenko

nfs41_init_clientid does not signal a failure condition from nfs4_proc_exchange_id and nfs4_proc_create_session to a client which may lead to mount syscall indefinitely blocked in the following stack trace: nfs_wait_client_init_complete nfs41_discover_server_trunking nfs4_discover_server_trunking nfs4_init_client nfs4_set_client nfs4_create_server nfs4_try_get_tree vfs_get_tree do_new_mount __se_sys_mount and the client stuck in uninitialized state. In addition to this all subsequent mount calls would also get blocked in nfs_match_client waiting for the uninitialized client to finish initialization: nfs_wait_client_init_complete nfs_match_client nfs_get_client nfs4_set_client nfs4_create_server nfs4_try_get_tree vfs_get_tree do_new_mount __se_sys_mount To avoid this situation propagate error condition to the mount thread and let mount syscall fail properly. Signed-off-by: Oleksandr Tymoshenko <ovt(a)google.com> --- fs/nfs/nfs4state.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index 877f682b45f2..54ad3440ad2b 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c @@ -335,8 +335,8 @@ int nfs41_init_clientid(struct nfs_client *clp, const struct cred *cred) if (!(clp->cl_exchange_flags & EXCHGID4_FLAG_CONFIRMED_R)) nfs4_state_start_reclaim_reboot(clp); nfs41_finish_session_reset(clp); - nfs_mark_client_ready(clp, NFS_CS_READY); out: + nfs_mark_client_ready(clp, status == 0 ? NFS_CS_READY : status); return status; } --- base-commit: ad618736883b8970f66af799e34007475fe33a68 change-id: 20240906-nfs-mount-deadlock-fix-55c14b38e088 Best regards, -- Oleksandr Tymoshenko <ovt(a)google.com>

9 months, 2 weeks

4
10
0 0

[tip: x86/urgent] x86/tdx: Fix "in-kernel MMIO" check

by tip-bot2 for Alexey Gladkov (Intel)

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: d4fc4d01471528da8a9797a065982e05090e1d81 Gitweb: https://git.kernel.org/tip/d4fc4d01471528da8a9797a065982e05090e1d81 Author: Alexey Gladkov (Intel) <legion(a)kernel.org> AuthorDate: Fri, 13 Sep 2024 19:05:56 +02:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Thu, 26 Sep 2024 09:45:04 -07:00 x86/tdx: Fix "in-kernel MMIO" check TDX only supports kernel-initiated MMIO operations. The handle_mmio() function checks if the #VE exception occurred in the kernel and rejects the operation if it did not. However, userspace can deceive the kernel into performing MMIO on its behalf. For example, if userspace can point a syscall to an MMIO address, syscall does get_user() or put_user() on it, triggering MMIO #VE. The kernel will treat the #VE as in-kernel MMIO. Ensure that the target MMIO address is within the kernel before decoding instruction. Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO") Signed-off-by: Alexey Gladkov (Intel) <legion(a)kernel.org> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Reviewed-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Acked-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/565a804b80387970460a4ebc67c88d1380f61ad1.172623… --- arch/x86/coco/tdx/tdx.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index da8b66d..327c45c 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -16,6 +16,7 @@ #include <asm/insn-eval.h> #include <asm/pgtable.h> #include <asm/set_memory.h> +#include <asm/traps.h> /* MMIO direction */ #define EPT_READ 0 @@ -433,6 +434,11 @@ static int handle_mmio(struct pt_regs *regs, struct ve_info *ve) return -EINVAL; } + if (!fault_in_kernel_space(ve->gla)) { + WARN_ONCE(1, "Access to userspace address is not supported"); + return -EINVAL; + } + /* * Reject EPT violation #VEs that split pages. *

9 months, 2 weeks

1
0
0 0

[PATCH] RISC-V: Fix building rust when using GCC toolchain

by Jason Montleon

Clang does not support '-mno-riscv-attribute' resulting in the error error: unknown argument: '-mno-riscv-attribute' Not setting BINDGEN_TARGET_riscv results in the in the error error: unsupported argument 'medany' to option '-mcmodel=' for target \ 'unknown' error: unknown target triple 'unknown' Signed-off-by: Jason Montleon <jmontleo(a)redhat.com> Cc: stable(a)vger.kernel.org --- rust/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rust/Makefile b/rust/Makefile index f168d2c98a15..73eceaaae61e 100644 --- a/rust/Makefile +++ b/rust/Makefile @@ -228,11 +228,12 @@ bindgen_skip_c_flags := -mno-fp-ret-in-387 -mpreferred-stack-boundary=% \ -fzero-call-used-regs=% -fno-stack-clash-protection \ -fno-inline-functions-called-once -fsanitize=bounds-strict \ -fstrict-flex-arrays=% -fmin-function-alignment=% \ - --param=% --param asan-% + --param=% --param asan-% -mno-riscv-attribute # Derived from `scripts/Makefile.clang`. BINDGEN_TARGET_x86 := x86_64-linux-gnu BINDGEN_TARGET_arm64 := aarch64-linux-gnu +BINDGEN_TARGET_riscv := riscv64-linux-gnu BINDGEN_TARGET := $(BINDGEN_TARGET_$(SRCARCH)) # All warnings are inhibited since GCC builds are very experimental, base-commit: ad060dbbcfcfcba624ef1a75e1d71365a98b86d8 -- 2.46.0

9 months, 2 weeks

4
9
0 0

[PATCH 0/4] ov08x40: Enable use of ov08x40 on Qualcomm X1E80100 CRD

by Bryan O'Donoghue

This series brings fixes and updates to ov08x40 which allows for use of this sensor on the Qualcomm x1e80100 CRD but also on any other dts based system. Firstly there's a fix for the pseudo burst mode code that was added in 8f667d202384 ("media: ov08x40: Reduce start streaming time"). Not every I2C controller can handle an arbitrary sized write, this is the case on Qualcomm CAMSS/CCI I2C sensor interfaces which limit the transaction size and communicate this limit via I2C quirks. A simple fix to optionally break up the large submitted burst into chunks not exceeding adapter->quirk size fixes. Secondly then is addition of a yaml description for the ov08x40 and extension of the driver to support OF probe and powering on of the power rails from the driver instead of from ACPI. Once done the sensor works without further modification on the Qualcomm x1e80100 CRD. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> --- Bryan O'Donoghue (4): media: ov08x40: Fix burst write sequence media: dt-bindings: Add OmniVision OV08X40 media: ov08x40: Rename ext_clk to xvclk media: ov08x40: Add OF probe support .../bindings/media/i2c/ovti,ov08x40.yaml | 130 ++++++++++++++++ drivers/media/i2c/ov08x40.c | 172 ++++++++++++++++++--- 2 files changed, 283 insertions(+), 19 deletions(-) --- base-commit: 2b7275670032a98cba266bd1b8905f755b3e650f change-id: 20240926-b4-master-24-11-25-ov08x40-c6f477aaa6a4 Best regards, -- Bryan O'Donoghue <bryan.odonoghue(a)linaro.org>

9 months, 2 weeks

1
1
0 0

[PATCH v2] btrfs: drop the backref cache during relocation if we commit

by Josef Bacik

Since the inception of relocation we have maintained the backref cache across transaction commits, updating the backref cache with the new bytenr whenever we COW'ed blocks that were in the cache, and then updating their bytenr once we detected a transaction id change. This works as long as we're only ever modifying blocks, not changing the structure of the tree. However relocation does in fact change the structure of the tree. For example, if we are relocating a data extent, we will look up all the leaves that point to this data extent. We will then call do_relocation() on each of these leaves, which will COW down to the leaf and then update the file extent location. But, a key feature of do_relocation is the pending list. This is all the pending nodes that we modified when we updated the file extent item. We will then process all of these blocks via finish_pending_nodes, which calls do_relocation() on all of the nodes that led up to that leaf. The purpose of this is to make sure we don't break sharing unless we absolutely have to. Consider the case that we have 3 snapshots that all point to this leaf through the same nodes, the initial COW would have created a whole new path. If we did this for all 3 snapshots we would end up with 3x the number of nodes we had originally. To avoid this we will cycle through each of the snapshots that point to each of these nodes and update their pointers to point at the new nodes. Once we update the pointer to the new node we will drop the node we removed the link for and all of its children via btrfs_drop_subtree(). This is essentially just btrfs_drop_snapshot(), but for an arbitrary point in the snapshot. The problem with this is that we will never reflect this in the backref cache. If we do this btrfs_drop_snapshot() for a node that is in the backref tree, we will leave the node in the backref tree. This becomes a problem when we change the transid, as now the backref cache has entire subtrees that no longer exist, but exist as if they still are pointed to by the same roots. In the best case scenario you end up with "adding refs to an existing tree ref" errors from insert_inline_extent_backref(), where we attempt to link in nodes on roots that are no longer valid. Worst case you will double free some random block and re-use it when there's still references to the block. This is extremely subtle, and the consequences are quite bad. There isn't a way to make sure our backref cache is consistent between transid's. In order to fix this we need to simply evict the entire backref cache anytime we cross transid's. This reduces performance in that we have to rebuild this backref cache every time we change transid's, but fixes the bug. This has existed since relocation was added, and is a pretty critical bug. There's a lot more cleanup that can be done now that this functionality is going away, but this patch is as small as possible in order to fix the problem and make it easy for us to backport it to all the kernels it needs to be backported to. Followup series will dismantle more of this code and simplify relocation drastically to remove this functionality. We have a reproducer that reproduced the corruption within a few minutes of running. With this patch it survives several iterations/hours of running the reproducer. Fixes: 3fd0a5585eb9 ("Btrfs: Metadata ENOSPC handling for balance") Cc: stable(a)vger.kernel.org Reviewed-by: Boris Burkov <boris(a)bur.io> Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> --- fs/btrfs/backref.c | 12 ++++--- fs/btrfs/relocation.c | 75 ++----------------------------------------- 2 files changed, 11 insertions(+), 76 deletions(-) diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c index e2f478ecd7fd..f8e1d5b2c512 100644 --- a/fs/btrfs/backref.c +++ b/fs/btrfs/backref.c @@ -3179,10 +3179,14 @@ void btrfs_backref_release_cache(struct btrfs_backref_cache *cache) btrfs_backref_cleanup_node(cache, node); } - cache->last_trans = 0; - - for (i = 0; i < BTRFS_MAX_LEVEL; i++) - ASSERT(list_empty(&cache->pending[i])); + for (i = 0; i < BTRFS_MAX_LEVEL; i++) { + while (!list_empty(&cache->pending[i])) { + node = list_first_entry(&cache->pending[i], + struct btrfs_backref_node, + list); + btrfs_backref_cleanup_node(cache, node); + } + } ASSERT(list_empty(&cache->pending_edge)); ASSERT(list_empty(&cache->useless_node)); ASSERT(list_empty(&cache->changed)); diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c index ea4ed85919ec..cf1dfeaaf2d8 100644 --- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c @@ -232,70 +232,6 @@ static struct btrfs_backref_node *walk_down_backref( return NULL; } -static void update_backref_node(struct btrfs_backref_cache *cache, - struct btrfs_backref_node *node, u64 bytenr) -{ - struct rb_node *rb_node; - rb_erase(&node->rb_node, &cache->rb_root); - node->bytenr = bytenr; - rb_node = rb_simple_insert(&cache->rb_root, node->bytenr, &node->rb_node); - if (rb_node) - btrfs_backref_panic(cache->fs_info, bytenr, -EEXIST); -} - -/* - * update backref cache after a transaction commit - */ -static int update_backref_cache(struct btrfs_trans_handle *trans, - struct btrfs_backref_cache *cache) -{ - struct btrfs_backref_node *node; - int level = 0; - - if (cache->last_trans == 0) { - cache->last_trans = trans->transid; - return 0; - } - - if (cache->last_trans == trans->transid) - return 0; - - /* - * detached nodes are used to avoid unnecessary backref - * lookup. transaction commit changes the extent tree. - * so the detached nodes are no longer useful. - */ - while (!list_empty(&cache->detached)) { - node = list_entry(cache->detached.next, - struct btrfs_backref_node, list); - btrfs_backref_cleanup_node(cache, node); - } - - while (!list_empty(&cache->changed)) { - node = list_entry(cache->changed.next, - struct btrfs_backref_node, list); - list_del_init(&node->list); - BUG_ON(node->pending); - update_backref_node(cache, node, node->new_bytenr); - } - - /* - * some nodes can be left in the pending list if there were - * errors during processing the pending nodes. - */ - for (level = 0; level < BTRFS_MAX_LEVEL; level++) { - list_for_each_entry(node, &cache->pending[level], list) { - BUG_ON(!node->pending); - if (node->bytenr == node->new_bytenr) - continue; - update_backref_node(cache, node, node->new_bytenr); - } - } - - cache->last_trans = 0; - return 1; -} - static bool reloc_root_is_dead(const struct btrfs_root *root) { /* @@ -551,9 +487,6 @@ static int clone_backref_node(struct btrfs_trans_handle *trans, struct btrfs_backref_edge *new_edge; struct rb_node *rb_node; - if (cache->last_trans > 0) - update_backref_cache(trans, cache); - rb_node = rb_simple_search(&cache->rb_root, src->commit_root->start); if (rb_node) { node = rb_entry(rb_node, struct btrfs_backref_node, rb_node); @@ -3698,11 +3631,9 @@ static noinline_for_stack int relocate_block_group(struct reloc_control *rc) break; } restart: - if (update_backref_cache(trans, &rc->backref_cache)) { - btrfs_end_transaction(trans); - trans = NULL; - continue; - } + if (rc->backref_cache.last_trans != trans->transid) + btrfs_backref_release_cache(&rc->backref_cache); + rc->backref_cache.last_trans = trans->transid; ret = find_next_extent(rc, path, &key); if (ret < 0) -- 2.43.0

9 months, 2 weeks

1
0
0 0

[PATCH] btrfs: drop the backref cache during relocation if we commit

by Josef Bacik

Since the inception of relocation we have maintained the backref cache across transaction commits, updating the backref cache with the new bytenr whenever we COW'ed blocks that were in the cache, and then updating their bytenr once we detected a transaction id change. This works as long as we're only ever modifying blocks, not changing the structure of the tree. However relocation does in fact change the structure of the tree. For example, if we are relocating a data extent, we will look up all the leaves that point to this data extent. We will then call do_relocation() on each of these leaves, which will COW down to the leaf and then update the file extent location. But, a key feature of do_relocation is the pending list. This is all the pending nodes that we modified when we updated the file extent item. We will then process all of these blocks via finish_pending_nodes, which calls do_relocation() on all of the nodes that led up to that leaf. The purpose of this is to make sure we don't break sharing unless we absolutely have to. Consider the case that we have 3 snapshots that all point to this leaf through the same nodes, the initial COW would have created a whole new path. If we did this for all 3 snapshots we would end up with 3x the number of nodes we had originally. To avoid this we will cycle through each of the snapshots that point to each of these nodes and update their pointers to point at the new nodes. Once we update the pointer to the new node we will drop the node we removed the link for and all of its children via btrfs_drop_subtree(). This is essentially just btrfs_drop_snapshot(), but for an arbitrary point in the snapshot. The problem with this is that we will never reflect this in the backref cache. If we do this btrfs_drop_snapshot() for a node that is in the backref tree, we will leave the node in the backref tree. This becomes a problem when we change the transid, as now the backref cache has entire subtrees that no longer exist, but exist as if they still are pointed to by the same roots. In the best case scenario you end up with "adding refs to an existing tree ref" errors from insert_inline_extent_backref(), where we attempt to link in nodes on roots that are no longer valid. Worst case you will double free some random block and re-use it when there's still references to the block. This is extremely subtle, and the consequences are quite bad. There isn't a way to make sure our backref cache is consistent between transid's. In order to fix this we need to simply evict the entire backref cache anytime we cross transid's. This reduces performance in that we have to rebuild this backref cache every time we change transid's, but fixes the bug. This has existed since relocation was added, and is a pretty critical bug. There's a lot more cleanup that can be done now that this functionality is going away, but this patch is as small as possible in order to fix the problem and make it easy for us to backport it to all the kernels it needs to be backported to. Followup series will dismantle more of this code and simplify relocation drastically to remove this functionality. We have a reproducer that reproduced the corruption within a few minutes of running. With this patch it survives several iterations/hours of running the reproducer. Fixes: 3fd0a5585eb9 ("Btrfs: Metadata ENOSPC handling for balance") Cc: stable(a)vger.kernel.org Signed-off-by: Josef Bacik <josef(a)toxicpanda.com> --- fs/btrfs/backref.c | 12 ++++--- fs/btrfs/relocation.c | 76 +++---------------------------------------- 2 files changed, 13 insertions(+), 75 deletions(-) diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c index e2f478ecd7fd..f8e1d5b2c512 100644 --- a/fs/btrfs/backref.c +++ b/fs/btrfs/backref.c @@ -3179,10 +3179,14 @@ void btrfs_backref_release_cache(struct btrfs_backref_cache *cache) btrfs_backref_cleanup_node(cache, node); } - cache->last_trans = 0; - - for (i = 0; i < BTRFS_MAX_LEVEL; i++) - ASSERT(list_empty(&cache->pending[i])); + for (i = 0; i < BTRFS_MAX_LEVEL; i++) { + while (!list_empty(&cache->pending[i])) { + node = list_first_entry(&cache->pending[i], + struct btrfs_backref_node, + list); + btrfs_backref_cleanup_node(cache, node); + } + } ASSERT(list_empty(&cache->pending_edge)); ASSERT(list_empty(&cache->useless_node)); ASSERT(list_empty(&cache->changed)); diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c index ea4ed85919ec..aaa9cac213f1 100644 --- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c @@ -232,70 +232,6 @@ static struct btrfs_backref_node *walk_down_backref( return NULL; } -static void update_backref_node(struct btrfs_backref_cache *cache, - struct btrfs_backref_node *node, u64 bytenr) -{ - struct rb_node *rb_node; - rb_erase(&node->rb_node, &cache->rb_root); - node->bytenr = bytenr; - rb_node = rb_simple_insert(&cache->rb_root, node->bytenr, &node->rb_node); - if (rb_node) - btrfs_backref_panic(cache->fs_info, bytenr, -EEXIST); -} - -/* - * update backref cache after a transaction commit - */ -static int update_backref_cache(struct btrfs_trans_handle *trans, - struct btrfs_backref_cache *cache) -{ - struct btrfs_backref_node *node; - int level = 0; - - if (cache->last_trans == 0) { - cache->last_trans = trans->transid; - return 0; - } - - if (cache->last_trans == trans->transid) - return 0; - - /* - * detached nodes are used to avoid unnecessary backref - * lookup. transaction commit changes the extent tree. - * so the detached nodes are no longer useful. - */ - while (!list_empty(&cache->detached)) { - node = list_entry(cache->detached.next, - struct btrfs_backref_node, list); - btrfs_backref_cleanup_node(cache, node); - } - - while (!list_empty(&cache->changed)) { - node = list_entry(cache->changed.next, - struct btrfs_backref_node, list); - list_del_init(&node->list); - BUG_ON(node->pending); - update_backref_node(cache, node, node->new_bytenr); - } - - /* - * some nodes can be left in the pending list if there were - * errors during processing the pending nodes. - */ - for (level = 0; level < BTRFS_MAX_LEVEL; level++) { - list_for_each_entry(node, &cache->pending[level], list) { - BUG_ON(!node->pending); - if (node->bytenr == node->new_bytenr) - continue; - update_backref_node(cache, node, node->new_bytenr); - } - } - - cache->last_trans = 0; - return 1; -} - static bool reloc_root_is_dead(const struct btrfs_root *root) { /* @@ -551,9 +487,6 @@ static int clone_backref_node(struct btrfs_trans_handle *trans, struct btrfs_backref_edge *new_edge; struct rb_node *rb_node; - if (cache->last_trans > 0) - update_backref_cache(trans, cache); - rb_node = rb_simple_search(&cache->rb_root, src->commit_root->start); if (rb_node) { node = rb_entry(rb_node, struct btrfs_backref_node, rb_node); @@ -3698,10 +3631,11 @@ static noinline_for_stack int relocate_block_group(struct reloc_control *rc) break; } restart: - if (update_backref_cache(trans, &rc->backref_cache)) { - btrfs_end_transaction(trans); - trans = NULL; - continue; + if (rc->backref_cache.last_trans == 0) { + rc->backref_cache.last_trans = trans->transid; + } else if (rc->backref_cache.last_trans != trans->transid) { + btrfs_backref_release_cache(&rc->backref_cache); + rc->backref_cache.last_trans = trans->transid; } ret = find_next_extent(rc, path, &key); -- 2.43.0

9 months, 2 weeks

2
5
0 0

[PATCH 6.1] mm/memory_hotplug: prevent accessing by index=-1

by Mikhail Lobanov

From: Anastasia Belova <abelova(a)astralinux.ru> commit 5958d35917e1296f46dfc8b8c959732efd6d8d5d upstream. nid may be equal to NUMA_NO_NODE=-1. Prevent accessing node_data array by invalid index with check for nid. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e83a437faa62 ("mm/memory_hotplug: introduce "auto-movable" online policy") Signed-off-by: Anastasia Belova <abelova(a)astralinux.ru> Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Oscar Salvador <osalvador(a)suse.de> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Mikhail Lobanov <m.lobanov(a)rosalinux.ru> --- mm/memory_hotplug.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c index dc17618bad8b..90f0cc9a298a 100644 --- a/mm/memory_hotplug.c +++ b/mm/memory_hotplug.c @@ -783,7 +783,6 @@ static bool auto_movable_can_online_movable(int nid, struct memory_group *group, unsigned long kernel_early_pages, movable_pages; struct auto_movable_group_stats group_stats = {}; struct auto_movable_stats stats = {}; - pg_data_t *pgdat = NODE_DATA(nid); struct zone *zone; int i; @@ -794,6 +793,8 @@ static bool auto_movable_can_online_movable(int nid, struct memory_group *group, auto_movable_stats_account_zone(&stats, zone); } else { for (i = 0; i < MAX_NR_ZONES; i++) { + pg_data_t *pgdat = NODE_DATA(nid); + zone = pgdat->node_zones + i; if (populated_zone(zone)) auto_movable_stats_account_zone(&stats, zone); -- 2.43.0

9 months, 2 weeks

1
0
0 0

[PATCH 0/4] binder: several fixes for frozen notification

by Carlos Llamas

These are all fixes for the frozen notification patch [1], which as of today hasn't landed in mainline yet. As such, this patchset is rebased on top of the char-misc-next branch. [1] https://lore.kernel.org/all/20240709070047.4055369-2-yutingtseng@google.com/ Cc: stable(a)vger.kernel.org Cc: Yu-Ting Tseng <yutingtseng(a)google.com> Cc: Alice Ryhl <aliceryhl(a)google.com> Cc: Todd Kjos <tkjos(a)google.com> Cc: Martijn Coenen <maco(a)google.com> Cc: Arve Hjønnevåg <arve(a)android.com> Cc: Viktor Martensson <vmartensson(a)google.com> Carlos Llamas (4): binder: fix node UAF in binder_add_freeze_work() binder: fix OOB in binder_add_freeze_work() binder: fix freeze UAF in binder_release_work() binder: fix BINDER_WORK_FROZEN_BINDER debug logs drivers/android/binder.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) -- 2.46.0.792.g87dc391469-goog

9 months, 2 weeks

4
20
0 0

[PATCH v6.6] nvme-pci: qdepth 1 quirk

by Gagniuc, Alexandru

Please consider adding the following commit to v6.6: 83bdfcbdbe5d ("nvme-pci: qdepth 1 quirk") This resolves filesystem corruption and random drive drop-outs on machines with O2micro NVME drives, including a number of HP Thinclients. Alex

9 months, 2 weeks

1
0
0 0

[PATCH 5.15] Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex"

by Fedor Pchelkin

This reverts commit 89795eeba6d13b5ba432425dd43c34c66f2cebde. The reverted commit is based on implementation of wiphy locking that isn't planned to redo on a stable kernel, so revert it to avoid warnings in different parts of wireless stack where wdev_lock() is held, like: WARNING: CPU: 0 PID: 4296 at net/wireless/core.h:220 cfg80211_is_all_idle net/wireless/sme.c:662 [inline] WARNING: CPU: 0 PID: 4296 at net/wireless/core.h:220 disconnect_work+0x236/0x320 net/wireless/sme.c:676 Modules linked in: CPU: 0 PID: 4296 Comm: kworker/0:4 Not tainted 5.15.166-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: events disconnect_work RIP: 0010:wdev_lock net/wireless/core.h:220 [inline] Call Trace: <TASK> process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457 kthread+0x3f6/0x4f0 kernel/kthread.c:334 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- net/wireless/core.h | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/net/wireless/core.h b/net/wireless/core.h index be186b5a15f3..1720abf36f92 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -217,7 +217,6 @@ void cfg80211_register_wdev(struct cfg80211_registered_device *rdev, static inline void wdev_lock(struct wireless_dev *wdev) __acquires(wdev) { - lockdep_assert_held(&wdev->wiphy->mtx); mutex_lock(&wdev->mtx); __acquire(wdev->mtx); } @@ -225,16 +224,11 @@ static inline void wdev_lock(struct wireless_dev *wdev) static inline void wdev_unlock(struct wireless_dev *wdev) __releases(wdev) { - lockdep_assert_held(&wdev->wiphy->mtx); __release(wdev->mtx); mutex_unlock(&wdev->mtx); } -static inline void ASSERT_WDEV_LOCK(struct wireless_dev *wdev) -{ - lockdep_assert_held(&wdev->wiphy->mtx); - lockdep_assert_held(&wdev->mtx); -} +#define ASSERT_WDEV_LOCK(wdev) lockdep_assert_held(&(wdev)->mtx) static inline bool cfg80211_has_monitors_only(struct cfg80211_registered_device *rdev) { -- 2.39.5

9 months, 2 weeks

1
0
0 0

[PATCH 6.1] Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex"

by Fedor Pchelkin

This reverts commit 19d13ec00a8b1d60c5cc06bd0006b91d5bd8d46f. The reverted commit is based on implementation of wiphy locking that isn't planned to redo on a stable kernel, so revert it to avoid warnings in different parts of wireless stack where wdev_lock() is held, like: WARNING: CPU: 0 PID: 4727 at net/wireless/core.h:231 cfg80211_is_all_idle net/wireless/sme.c:692 [inline] WARNING: CPU: 0 PID: 4727 at net/wireless/core.h:231 disconnect_work+0x246/0x340 net/wireless/sme.c:706 Modules linked in: CPU: 0 PID: 4727 Comm: kworker/0:8 Not tainted 6.1.111-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events disconnect_work RIP: 0010:wdev_lock net/wireless/core.h:231 [inline] Call Trace: <TASK> process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439 kthread+0x28d/0x320 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- net/wireless/core.h | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/net/wireless/core.h b/net/wireless/core.h index 8118b8614ac6..ee980965a7cf 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -228,7 +228,6 @@ void cfg80211_register_wdev(struct cfg80211_registered_device *rdev, static inline void wdev_lock(struct wireless_dev *wdev) __acquires(wdev) { - lockdep_assert_held(&wdev->wiphy->mtx); mutex_lock(&wdev->mtx); __acquire(wdev->mtx); } @@ -236,16 +235,11 @@ static inline void wdev_lock(struct wireless_dev *wdev) static inline void wdev_unlock(struct wireless_dev *wdev) __releases(wdev) { - lockdep_assert_held(&wdev->wiphy->mtx); __release(wdev->mtx); mutex_unlock(&wdev->mtx); } -static inline void ASSERT_WDEV_LOCK(struct wireless_dev *wdev) -{ - lockdep_assert_held(&wdev->wiphy->mtx); - lockdep_assert_held(&wdev->mtx); -} +#define ASSERT_WDEV_LOCK(wdev) lockdep_assert_held(&(wdev)->mtx) static inline bool cfg80211_has_monitors_only(struct cfg80211_registered_device *rdev) { -- 2.39.5

9 months, 2 weeks

1
0
0 0

Re: [PATCH stable 6.6] Revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex"

by Fedor Pchelkin

The patch was also backported to 5.15 and 6.1 stables where it's causing the same splats. https://lore.kernel.org/stable/20240918-d150ee61d40b8f327d65bbf3-pchelkin@i… Need to revert it there, too. Should I send the explicit reverts to the mailing list? -- Thank you, Fedor

9 months, 2 weeks

1
1
0 0

[PATCH] mm: migrate: annotate data-race in migrate_folio_unmap()

by Jeongjun Park

I found a report from syzbot [1] This report shows that the value can be changed, but in reality, the value of __folio_set_movable() cannot be changed because it holds the folio refcount. Therefore, it is appropriate to add an annotate to make KCSAN ignore that data-race. [1] ================================================================== BUG: KCSAN: data-race in __filemap_remove_folio / migrate_pages_batch write to 0xffffea0004b81dd8 of 8 bytes by task 6348 on cpu 0: page_cache_delete mm/filemap.c:153 [inline] __filemap_remove_folio+0x1ac/0x2c0 mm/filemap.c:233 filemap_remove_folio+0x6b/0x1f0 mm/filemap.c:265 truncate_inode_folio+0x42/0x50 mm/truncate.c:178 shmem_undo_range+0x25b/0xa70 mm/shmem.c:1028 shmem_truncate_range mm/shmem.c:1144 [inline] shmem_evict_inode+0x14d/0x530 mm/shmem.c:1272 evict+0x2f0/0x580 fs/inode.c:731 iput_final fs/inode.c:1883 [inline] iput+0x42a/0x5b0 fs/inode.c:1909 dentry_unlink_inode+0x24f/0x260 fs/dcache.c:412 __dentry_kill+0x18b/0x4c0 fs/dcache.c:615 dput+0x5c/0xd0 fs/dcache.c:857 __fput+0x3fb/0x6d0 fs/file_table.c:439 ____fput+0x1c/0x30 fs/file_table.c:459 task_work_run+0x13a/0x1a0 kernel/task_work.c:228 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xbe/0x130 kernel/entry/common.c:218 do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffffea0004b81dd8 of 8 bytes by task 6342 on cpu 1: __folio_test_movable include/linux/page-flags.h:699 [inline] migrate_folio_unmap mm/migrate.c:1199 [inline] migrate_pages_batch+0x24c/0x1940 mm/migrate.c:1797 migrate_pages_sync mm/migrate.c:1963 [inline] migrate_pages+0xff1/0x1820 mm/migrate.c:2072 do_mbind mm/mempolicy.c:1390 [inline] kernel_mbind mm/mempolicy.c:1533 [inline] __do_sys_mbind mm/mempolicy.c:1607 [inline] __se_sys_mbind+0xf76/0x1160 mm/mempolicy.c:1603 __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1603 x64_sys_call+0x2b4d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:238 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0xffff888127601078 -> 0x0000000000000000 Reported-by: syzbot <syzkaller(a)googlegroups.com> Cc: stable(a)vger.kernel.org Fixes: 7e2a5e5ab217 ("mm: migrate: use __folio_test_movable()") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- mm/migrate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/migrate.c b/mm/migrate.c index 923ea80ba744..368ab3878fa6 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -1118,7 +1118,7 @@ static int migrate_folio_unmap(new_folio_t get_new_folio, int rc = -EAGAIN; int old_page_state = 0; struct anon_vma *anon_vma = NULL; - bool is_lru = !__folio_test_movable(src); + bool is_lru = data_race(!__folio_test_movable(src)); bool locked = false; bool dst_locked = false; --

9 months, 2 weeks

2
1
0 0

[PATCH v3 03/10] media: qcom: camss: Fix potential crash if domain attach fails

by Vikram Sharma

Fix a potential crash in camss by ensuring detach is skipped if attach is unsuccessful. Fixes: d89751c61279 ("media: qcom: camss: Add support for named power-domains") CC: stable(a)vger.kernel.org Signed-off-by: Vikram Sharma <quic_vikramsa(a)quicinc.com> --- drivers/media/platform/qcom/camss/camss.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c index d64985ca6e88..b6658df37709 100644 --- a/drivers/media/platform/qcom/camss/camss.c +++ b/drivers/media/platform/qcom/camss/camss.c @@ -2131,8 +2131,7 @@ static int camss_configure_pd(struct camss *camss) camss->genpd = dev_pm_domain_attach_by_name(camss->dev, camss->res->pd_name); if (IS_ERR(camss->genpd)) { - ret = PTR_ERR(camss->genpd); - goto fail_pm; + return PTR_ERR(camss->genpd); } } @@ -2149,7 +2148,7 @@ static int camss_configure_pd(struct camss *camss) ret = -ENODEV; else ret = PTR_ERR(camss->genpd); - goto fail_pm; + return ret; } camss->genpd_link = device_link_add(camss->dev, camss->genpd, DL_FLAG_STATELESS | DL_FLAG_PM_RUNTIME | -- 2.25.1

9 months, 2 weeks

1
0
0 0

[PATCH] arm64: dts: rockchip: Move L3 cache under CPUs in RK356x SoC dtsi

by Dragan Simic

Move the "l3_cache" node under the "cpus" node in the dtsi file for Rockchip RK356x SoCs. There's no need for this cache node to be at the higher level. Fixes: 8612169a05c5 ("arm64: dts: rockchip: Add cache information to the SoC dtsi for RK356x") Cc: stable(a)vger.kernel.org Signed-off-by: Dragan Simic <dsimic(a)manjaro.org> --- arch/arm64/boot/dts/rockchip/rk356x.dtsi | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/arch/arm64/boot/dts/rockchip/rk356x.dtsi b/arch/arm64/boot/dts/rockchip/rk356x.dtsi index 4690be841a1c..9f7136e5d553 100644 --- a/arch/arm64/boot/dts/rockchip/rk356x.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk356x.dtsi @@ -113,19 +113,19 @@ cpu3: cpu@300 { d-cache-sets = <128>; next-level-cache = <&l3_cache>; }; - }; - /* - * There are no private per-core L2 caches, but only the - * L3 cache that appears to the CPU cores as L2 caches - */ - l3_cache: l3-cache { - compatible = "cache"; - cache-level = <2>; - cache-unified; - cache-size = <0x80000>; - cache-line-size = <64>; - cache-sets = <512>; + /* + * There are no private per-core L2 caches, but only the + * L3 cache that appears to the CPU cores as L2 caches + */ + l3_cache: l3-cache { + compatible = "cache"; + cache-level = <2>; + cache-unified; + cache-size = <0x80000>; + cache-line-size = <64>; + cache-sets = <512>; + }; }; cpu0_opp_table: opp-table-0 {

9 months, 2 weeks

3
5
0 0

[PATCH net] gso: fix gso fraglist segmentation after pull from frag_list

by Willem de Bruijn

From: Willem de Bruijn <willemb(a)google.com> Detect gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For UDP, this causes a NULL ptr deref in __udpv4_gso_segment_list_csum at udp_hdr(seg->next)->dest. Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment. Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediate… Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") Signed-off-by: Willem de Bruijn <willemb(a)google.com> Cc: stable(a)vger.kernel.org --- Tested: - tools/testing/selftests/net/udpgro_fwd.sh - kunit gso_test_func converted to calling __udp_gso_segment - below manual end-to-end test: (which probably repeats a lot of udpgro_fwd.sh, in hindsight..) (won't repeat this on any resubmits, given how long it is) #!/bin/bash ip netns add test1 ip netns add test2 ip netns add test3 ip link add dev veth0 netns test1 type veth peer name veth0 netns test2 ip link add dev veth1 netns test2 type veth peer name veth1 netns test3 ip netns exec test1 ip link set dev veth0 up ip netns exec test2 ip link set dev veth0 up ip netns exec test2 ip link set dev veth1 up ip netns exec test3 ip link set dev veth1 up ip netns exec test1 ip addr add 10.0.8.1/24 dev veth0 ip netns exec test2 ip addr add 10.0.8.2/24 dev veth0 ip netns exec test2 ip addr add 10.0.9.2/24 dev veth1 ip netns exec test3 ip addr add 10.0.9.3/24 dev veth1 ip -6 -netns test1 addr add fdaa::1 dev veth0 ip -6 -netns test2 addr add fdaa::2 dev veth0 ip -6 -netns test2 addr add fdbb::2 dev veth1 ip -6 -netns test3 addr add fdbb::3 dev veth1 ip netns exec test2 sysctl -w net.ipv4.ip_forward=1 ip netns exec test2 sysctl -w net.ipv6.conf.all.forwarding=1 ip -netns test1 route add default via 10.0.8.2 ip -netns test3 route add default via 10.0.9.2 ip -6 -netns test1 route add fdaa::2 dev veth0 ip -6 -netns test2 route add fdaa::1 dev veth0 ip -6 -netns test2 route add fdbb::3 dev veth1 ip -6 -netns test3 route add fdbb::2 dev veth1 ip -6 -netns test1 route add default via fdaa::2 ip -6 -netns test3 route add default via fdbb::2 ip netns exec test1 ethtool -K veth0 gso off tx-udp-segmentation off ip netns exec test2 ethtool -K veth0 gro on rx-gro-list on rx-udp-gro-forwarding on ip netns exec test2 ethtool -K veth1 gso off tx-udp-segmentation off ip netns exec test2 tc qdisc add dev veth0 clsact ip netns exec test2 tc filter add dev veth0 ingress bpf direct-action obj tc_pull.o sec tc ip netns exec test3 /mnt/shared/udpgso_bench_rx & \ ip netns exec test1 /mnt/shared/udpgso_bench_tx -l 5 -4 -D 10.0.9.3 -s 60000 -S 0 -z ip netns exec test3 /mnt/shared/udpgso_bench_rx & \ ip netns exec test1 /mnt/shared/udpgso_bench_tx -l 5 -6 -D fdbb::3 -s 60000 -S 0 -z With trivial BPF program: $ cat ~/work/tc_pull.c // SPDX-License-Identifier: GPL-2.0 #include <linux/bpf.h> #include <linux/pkt_cls.h> #include <linux/types.h> #include <bpf/bpf_helpers.h> __attribute__((section("tc"))) int tc_cls_prog(struct __sk_buff *skb) { bpf_skb_pull_data(skb, skb->len); return TC_ACT_OK; } --- net/ipv4/udp_offload.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index d842303587af..e457fa9143a6 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -296,8 +296,16 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, return NULL; } - if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) - return __udp_gso_segment_list(gso_skb, features, is_ipv6); + if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) { + /* Detect modified geometry and pass these to skb_segment. */ + if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size) + return __udp_gso_segment_list(gso_skb, features, is_ipv6); + + /* Setup csum, as fraglist skips this in udp4_gro_receive. */ + gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head; + gso_skb->csum_offset = offsetof(struct udphdr, check); + gso_skb->ip_summed = CHECKSUM_PARTIAL; + } skb_pull(gso_skb, sizeof(*uh)); -- 2.46.0.792.g87dc391469-goog

9 months, 2 weeks

2
12
0 0

[PATCHv3] usbnet: fix cyclical race on disconnect with work queue

by Oliver Neukum

The work can submit URBs and the URBs can schedule the work. This cycle needs to be broken, when a device is to be stopped. Use a flag to do so. This is a design issue as old as the driver. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") CC: stable(a)vger.kernel.org --- v2: fix PM reference issue v3: drop unneeded memory ordering primitives drivers/net/usb/usbnet.c | 37 ++++++++++++++++++++++++++++--------- include/linux/usb/usbnet.h | 15 +++++++++++++++ 2 files changed, 43 insertions(+), 9 deletions(-) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 18eb5ba436df..2506aa8c603e 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -464,10 +464,15 @@ static enum skb_state defer_bh(struct usbnet *dev, struct sk_buff *skb, void usbnet_defer_kevent (struct usbnet *dev, int work) { set_bit (work, &dev->flags); - if (!schedule_work (&dev->kevent)) - netdev_dbg(dev->net, "kevent %s may have been dropped\n", usbnet_event_names[work]); - else - netdev_dbg(dev->net, "kevent %s scheduled\n", usbnet_event_names[work]); + if (!usbnet_going_away(dev)) { + if (!schedule_work(&dev->kevent)) + netdev_dbg(dev->net, + "kevent %s may have been dropped\n", + usbnet_event_names[work]); + else + netdev_dbg(dev->net, + "kevent %s scheduled\n", usbnet_event_names[work]); + } } EXPORT_SYMBOL_GPL(usbnet_defer_kevent); @@ -535,7 +540,8 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags) tasklet_schedule (&dev->bh); break; case 0: - __usbnet_queue_skb(&dev->rxq, skb, rx_start); + if (!usbnet_going_away(dev)) + __usbnet_queue_skb(&dev->rxq, skb, rx_start); } } else { netif_dbg(dev, ifdown, dev->net, "rx: stopped\n"); @@ -843,9 +849,18 @@ int usbnet_stop (struct net_device *net) /* deferred work (timer, softirq, task) must also stop */ dev->flags = 0; - del_timer_sync (&dev->delay); - tasklet_kill (&dev->bh); + del_timer_sync(&dev->delay); + tasklet_kill(&dev->bh); cancel_work_sync(&dev->kevent); + + /* We have cyclic dependencies. Those calls are needed + * to break a cycle. We cannot fall into the gaps because + * we have a flag + */ + tasklet_kill(&dev->bh); + del_timer_sync(&dev->delay); + cancel_work_sync(&dev->kevent); + if (!pm) usb_autopm_put_interface(dev->intf); @@ -1171,7 +1186,8 @@ usbnet_deferred_kevent (struct work_struct *work) status); } else { clear_bit (EVENT_RX_HALT, &dev->flags); - tasklet_schedule (&dev->bh); + if (!usbnet_going_away(dev)) + tasklet_schedule(&dev->bh); } } @@ -1196,7 +1212,8 @@ usbnet_deferred_kevent (struct work_struct *work) usb_autopm_put_interface(dev->intf); fail_lowmem: if (resched) - tasklet_schedule (&dev->bh); + if (!usbnet_going_away(dev)) + tasklet_schedule(&dev->bh); } } @@ -1559,6 +1576,7 @@ static void usbnet_bh (struct timer_list *t) } else if (netif_running (dev->net) && netif_device_present (dev->net) && netif_carrier_ok(dev->net) && + !usbnet_going_away(dev) && !timer_pending(&dev->delay) && !test_bit(EVENT_RX_PAUSED, &dev->flags) && !test_bit(EVENT_RX_HALT, &dev->flags)) { @@ -1606,6 +1624,7 @@ void usbnet_disconnect (struct usb_interface *intf) usb_set_intfdata(intf, NULL); if (!dev) return; + usbnet_mark_going_away(dev); xdev = interface_to_usbdev (intf); diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h index 9f08a584d707..0b9f1e598e3a 100644 --- a/include/linux/usb/usbnet.h +++ b/include/linux/usb/usbnet.h @@ -76,8 +76,23 @@ struct usbnet { # define EVENT_LINK_CHANGE 11 # define EVENT_SET_RX_MODE 12 # define EVENT_NO_IP_ALIGN 13 +/* This one is special, as it indicates that the device is going away + * there are cyclic dependencies between tasklet, timer and bh + * that must be broken + */ +# define EVENT_UNPLUG 31 }; +static inline bool usbnet_going_away(struct usbnet *ubn) +{ + return test_bit(EVENT_UNPLUG, &ubn->flags); +} + +static inline void usbnet_mark_going_away(struct usbnet *ubn) +{ + set_bit(EVENT_UNPLUG, &ubn->flags); +} + static inline struct usb_driver *driver_of(struct usb_interface *intf) { return to_usb_driver(intf->dev.driver); -- 2.46.0

9 months, 2 weeks

2
1
0 0

Re: [PATCH -next 1/2] kobject: fix memory leak in kset_register() due to uninitialized kset->kobj.ktype

by Greg KH

On Thu, Sep 26, 2024 at 10:56:24AM +0800, cuigaosheng wrote: > On 2024/9/25 20:19, Greg KH wrote: > > > On Wed, Sep 25, 2024 at 08:07:46PM +0800, Gaosheng Cui wrote: > > > If a kset with uninitialized kset->kobj.ktype be registered, > > Does that happen today with any in-kernel code? If so, let's fix those > > kset instances, right? > > I didn't find this kset instance in kernel code,itwas discovered through code review. Great, then it is not a real issue :) > > > kset_register() will return error, and the kset.kobj.name allocated > > > by kobject_set_name() will be leaked. > > > > > > To mitigate this, we free the name in kset_register() when an error > > > is encountered due to uninitialized kset->kobj.ktype. > > How did you hit this? > > I am testing kernel functionality through fault injection, and I discovered > it whenI was locating the issue fixed by another patch, I haven't found this > wrong usage in the kernel, but we can construct it by fault injection, "fault injection" also shows things that are impossible to ever have happen as well, so our "need" to fix them is usually very low, right? thanks, greg k-h

9 months, 2 weeks

1
0
0 0

Re: Patch "ASoC: SOF: mediatek: Add missing board compatible" has been added to the 6.10-stable tree

by Pascal Ernster

[2024-09-19 21:36] Sasha Levin: > This is a note to let you know that I've just added the patch titled > > ASoC: SOF: mediatek: Add missing board compatible > > to the 6.10-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > asoc-sof-mediatek-add-missing-board-compatible.patch > and it can be found in the queue-6.10 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. Hi Sasha, it seems that in your commits to the stable-queue repo on 2024-09-19 around 15:36 -0400 / 19:36 UTC, every patch was added twice. This affects all supported stable version branches from 6.10 down to 4.19 (a single commit per version branch): https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com… https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com… https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com… https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com… https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com… https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com… https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com… Regards Pascal

9 months, 2 weeks

2
2
0 0

[PATCH 6.1 27/26] xfs: journal geometry is not properly bounds checked

by Leah Rumancik

From: Dave Chinner <dchinner(a)redhat.com> [ Upstream commit f1e1765aad7de7a8b8102044fc6a44684bc36180 ] If the journal geometry results in a sector or log stripe unit validation problem, it indicates that we cannot set the log up to safely write to the the journal. In these cases, we must abort the mount because the corruption needs external intervention to resolve. Similarly, a journal that is too large cannot be written to safely, either, so we shouldn't allow those geometries to mount, either. If the log is too small, we risk having transaction reservations overruning the available log space and the system hanging waiting for space it can never provide. This is purely a runtime hang issue, not a corruption issue as per the first cases listed above. We abort mounts of the log is too small for V5 filesystems, but we must allow v4 filesystems to mount because, historically, there was no log size validity checking and so some systems may still be out there with undersized logs. The problem is that on V4 filesystems, when we discover a log geometry problem, we skip all the remaining checks and then allow the log to continue mounting. This mean that if one of the log size checks fails, we skip the log stripe unit check. i.e. we allow the mount because a "non-fatal" geometry is violated, and then fail to check the hard fail geometries that should fail the mount. Move all these fatal checks to the superblock verifier, and add a new check for the two log sector size geometry variables having the same values. This will prevent any attempt to mount a log that has invalid or inconsistent geometries long before we attempt to mount the log. However, for the minimum log size checks, we can only do that once we've setup up the log and calculated all the iclog sizes and roundoffs. Hence this needs to remain in the log mount code after the log has been initialised. It is also the only case where we should allow a v4 filesystem to continue running, so leave that handling in place, too. Signed-off-by: Dave Chinner <dchinner(a)redhat.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Darrick J. Wong <djwong(a)kernel.org> Signed-off-by: Leah Rumancik <leah.rumancik(a)gmail.com> --- Notes: A new fix for the latest 6.1.y backport series just came in. Ran some tests on it as well and all looks good. Please include with the original set. Thanks, Leah fs/xfs/libxfs/xfs_sb.c | 56 +++++++++++++++++++++++++++++++++++++++++- fs/xfs/xfs_log.c | 47 +++++++++++------------------------ 2 files changed, 70 insertions(+), 33 deletions(-) diff --git a/fs/xfs/libxfs/xfs_sb.c b/fs/xfs/libxfs/xfs_sb.c index bf2cca78304e..c24a38272cb7 100644 --- a/fs/xfs/libxfs/xfs_sb.c +++ b/fs/xfs/libxfs/xfs_sb.c @@ -413,7 +413,6 @@ xfs_validate_sb_common( sbp->sb_inodelog < XFS_DINODE_MIN_LOG || sbp->sb_inodelog > XFS_DINODE_MAX_LOG || sbp->sb_inodesize != (1 << sbp->sb_inodelog) || - sbp->sb_logsunit > XLOG_MAX_RECORD_BSIZE || sbp->sb_inopblock != howmany(sbp->sb_blocksize,sbp->sb_inodesize) || XFS_FSB_TO_B(mp, sbp->sb_agblocks) < XFS_MIN_AG_BYTES || XFS_FSB_TO_B(mp, sbp->sb_agblocks) > XFS_MAX_AG_BYTES || @@ -431,6 +430,61 @@ xfs_validate_sb_common( return -EFSCORRUPTED; } + /* + * Logs that are too large are not supported at all. Reject them + * outright. Logs that are too small are tolerated on v4 filesystems, + * but we can only check that when mounting the log. Hence we skip + * those checks here. + */ + if (sbp->sb_logblocks > XFS_MAX_LOG_BLOCKS) { + xfs_notice(mp, + "Log size 0x%x blocks too large, maximum size is 0x%llx blocks", + sbp->sb_logblocks, XFS_MAX_LOG_BLOCKS); + return -EFSCORRUPTED; + } + + if (XFS_FSB_TO_B(mp, sbp->sb_logblocks) > XFS_MAX_LOG_BYTES) { + xfs_warn(mp, + "log size 0x%llx bytes too large, maximum size is 0x%llx bytes", + XFS_FSB_TO_B(mp, sbp->sb_logblocks), + XFS_MAX_LOG_BYTES); + return -EFSCORRUPTED; + } + + /* + * Do not allow filesystems with corrupted log sector or stripe units to + * be mounted. We cannot safely size the iclogs or write to the log if + * the log stripe unit is not valid. + */ + if (sbp->sb_versionnum & XFS_SB_VERSION_SECTORBIT) { + if (sbp->sb_logsectsize != (1U << sbp->sb_logsectlog)) { + xfs_notice(mp, + "log sector size in bytes/log2 (0x%x/0x%x) must match", + sbp->sb_logsectsize, 1U << sbp->sb_logsectlog); + return -EFSCORRUPTED; + } + } else if (sbp->sb_logsectsize || sbp->sb_logsectlog) { + xfs_notice(mp, + "log sector size in bytes/log2 (0x%x/0x%x) are not zero", + sbp->sb_logsectsize, sbp->sb_logsectlog); + return -EFSCORRUPTED; + } + + if (sbp->sb_logsunit > 1) { + if (sbp->sb_logsunit % sbp->sb_blocksize) { + xfs_notice(mp, + "log stripe unit 0x%x bytes must be a multiple of block size", + sbp->sb_logsunit); + return -EFSCORRUPTED; + } + if (sbp->sb_logsunit > XLOG_MAX_RECORD_BSIZE) { + xfs_notice(mp, + "log stripe unit 0x%x bytes over maximum size (0x%x bytes)", + sbp->sb_logsunit, XLOG_MAX_RECORD_BSIZE); + return -EFSCORRUPTED; + } + } + /* Validate the realtime geometry; stolen from xfs_repair */ if (sbp->sb_rextsize * sbp->sb_blocksize > XFS_MAX_RTEXTSIZE || sbp->sb_rextsize * sbp->sb_blocksize < XFS_MIN_RTEXTSIZE) { diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c index d9aa5eab02c3..59c982297503 100644 --- a/fs/xfs/xfs_log.c +++ b/fs/xfs/xfs_log.c @@ -639,7 +639,6 @@ xfs_log_mount( int num_bblks) { struct xlog *log; - bool fatal = xfs_has_crc(mp); int error = 0; int min_logfsbs; @@ -661,53 +660,37 @@ xfs_log_mount( mp->m_log = log; /* - * Validate the given log space and drop a critical message via syslog - * if the log size is too small that would lead to some unexpected - * situations in transaction log space reservation stage. + * Now that we have set up the log and it's internal geometry + * parameters, we can validate the given log space and drop a critical + * message via syslog if the log size is too small. A log that is too + * small can lead to unexpected situations in transaction log space + * reservation stage. The superblock verifier has already validated all + * the other log geometry constraints, so we don't have to check those + * here. * - * Note: we can't just reject the mount if the validation fails. This - * would mean that people would have to downgrade their kernel just to - * remedy the situation as there is no way to grow the log (short of - * black magic surgery with xfs_db). + * Note: For v4 filesystems, we can't just reject the mount if the + * validation fails. This would mean that people would have to + * downgrade their kernel just to remedy the situation as there is no + * way to grow the log (short of black magic surgery with xfs_db). * - * We can, however, reject mounts for CRC format filesystems, as the + * We can, however, reject mounts for V5 format filesystems, as the * mkfs binary being used to make the filesystem should never create a * filesystem with a log that is too small. */ min_logfsbs = xfs_log_calc_minimum_size(mp); - if (mp->m_sb.sb_logblocks < min_logfsbs) { xfs_warn(mp, "Log size %d blocks too small, minimum size is %d blocks", mp->m_sb.sb_logblocks, min_logfsbs); - error = -EINVAL; - } else if (mp->m_sb.sb_logblocks > XFS_MAX_LOG_BLOCKS) { - xfs_warn(mp, - "Log size %d blocks too large, maximum size is %lld blocks", - mp->m_sb.sb_logblocks, XFS_MAX_LOG_BLOCKS); - error = -EINVAL; - } else if (XFS_FSB_TO_B(mp, mp->m_sb.sb_logblocks) > XFS_MAX_LOG_BYTES) { - xfs_warn(mp, - "log size %lld bytes too large, maximum size is %lld bytes", - XFS_FSB_TO_B(mp, mp->m_sb.sb_logblocks), - XFS_MAX_LOG_BYTES); - error = -EINVAL; - } else if (mp->m_sb.sb_logsunit > 1 && - mp->m_sb.sb_logsunit % mp->m_sb.sb_blocksize) { - xfs_warn(mp, - "log stripe unit %u bytes must be a multiple of block size", - mp->m_sb.sb_logsunit); - error = -EINVAL; - fatal = true; - } - if (error) { + /* * Log check errors are always fatal on v5; or whenever bad * metadata leads to a crash. */ - if (fatal) { + if (xfs_has_crc(mp)) { xfs_crit(mp, "AAIEEE! Log failed size checks. Abort!"); ASSERT(0); + error = -EINVAL; goto out_free_log; } xfs_crit(mp, "Log size out of supported range."); -- 2.46.0.792.g87dc391469-goog

9 months, 2 weeks

1
0
0 0

Re: rtw88: rtw8822cu: Kernel warning in cfg80211: disconnect_work at net/wireless/core.h:231 on CPU 0

by Johannes Berg

On Wed, 2024-09-25 at 03:30 +0000, Ping-Ke Shih wrote: > I think the cause is picking commit 268f84a82753 > ("wifi: cfg80211: check wiphy mutex is held for wdev mutex"), and > cfg80211_is_all_idle() called by disconnect_work() uses wdev_lock() > but not wiphy_lock(). Yeah seems like a stable only problem (CC them), this is with kernel version 6.6.51-00141-ga1649b6f8ed6 according to the warning. > I'm not sure if we should simply revert the picked commit 268f84a82753 > or should pick more commits. I don't see why it was picked up in the first place, so I guess I'd say remove it. We won't want to redo the locking on a stable kernel, I'd think. > By the way, I think the latest kernel will not throw these messages. Agree, that seems unlikely. johannes

9 months, 2 weeks

3
2
0 0

[STABLE REGRESSION] Possible missing backport of x86_match_cpu() change in v6.1.96

by Thomas Lindroth

I upgraded from kernel 6.1.94 to 6.1.99 on one of my machines and noticed that the dmesg line "Incomplete global flushes, disabling PCID" had disappeared from the log. That message comes from commit c26b9e193172f48cd0ccc64285337106fb8aa804, which disables PCID support on some broken hardware in arch/x86/mm/init.c: #define INTEL_MATCH(_model) { .vendor = X86_VENDOR_INTEL, \ .family = 6, \ .model = _model, \ } /* * INVLPG may not properly flush Global entries * on these CPUs when PCIDs are enabled. */ static const struct x86_cpu_id invlpg_miss_ids[] = { INTEL_MATCH(INTEL_FAM6_ALDERLAKE ), INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ), INTEL_MATCH(INTEL_FAM6_ALDERLAKE_N ), INTEL_MATCH(INTEL_FAM6_RAPTORLAKE ), INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P), INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S), {} ... if (x86_match_cpu(invlpg_miss_ids)) { pr_info("Incomplete global flushes, disabling PCID"); setup_clear_cpu_cap(X86_FEATURE_PCID); return; } arch/x86/mm/init.c, which has that code, hasn't changed in 6.1.94 -> 6.1.99. However I found a commit changing how x86_match_cpu() behaves in 6.1.96: commit 8ab1361b2eae44077fef4adea16228d44ffb860c Author: Tony Luck <tony.luck(a)intel.com> Date: Mon May 20 15:45:33 2024 -0700 x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL I suspect this broke the PCID disabling code in arch/x86/mm/init.c. The commit message says: "Add a new flags field to struct x86_cpu_id that has a bit set to indicate that this entry in the array is valid. Update X86_MATCH*() macros to set that bit. Change the end-marker check in x86_match_cpu() to just check the flags field for this bit." But the PCID disabling code in 6.1.99 does not make use of the X86_MATCH*() macros; instead, it defines a new INTEL_MATCH() macro without the X86_CPU_ID_FLAG_ENTRY_VALID flag. I looked in upstream git and found an existing fix: commit 2eda374e883ad297bd9fe575a16c1dc850346075 Author: Tony Luck <tony.luck(a)intel.com> Date: Wed Apr 24 11:15:18 2024 -0700 x86/mm: Switch to new Intel CPU model defines New CPU #defines encode vendor and family as well as model. [ dhansen: vertically align 0's in invlpg_miss_ids[] ] Signed-off-by: Tony Luck <tony.luck(a)intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Link: https://lore.kernel.org/all/20240424181518.41946-1-tony.luck%40intel.com diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c index 679893ea5e68..6b43b6480354 100644 --- a/arch/x86/mm/init.c +++ b/arch/x86/mm/init.c @@ -261,21 +261,17 @@ static void __init probe_page_size_mask(void) } } -#define INTEL_MATCH(_model) { .vendor = X86_VENDOR_INTEL, \ - .family = 6, \ - .model = _model, \ - } /* * INVLPG may not properly flush Global entries * on these CPUs when PCIDs are enabled. */ static const struct x86_cpu_id invlpg_miss_ids[] = { - INTEL_MATCH(INTEL_FAM6_ALDERLAKE ), - INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ), - INTEL_MATCH(INTEL_FAM6_ATOM_GRACEMONT ), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE ), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S), + X86_MATCH_VFM(INTEL_ALDERLAKE, 0), + X86_MATCH_VFM(INTEL_ALDERLAKE_L, 0), + X86_MATCH_VFM(INTEL_ATOM_GRACEMONT, 0), + X86_MATCH_VFM(INTEL_RAPTORLAKE, 0), + X86_MATCH_VFM(INTEL_RAPTORLAKE_P, 0), + X86_MATCH_VFM(INTEL_RAPTORLAKE_S, 0), {} }; The fix removed the custom INTEL_MATCH macro and uses the X86_MATCH*() macros with X86_CPU_ID_FLAG_ENTRY_VALID. This fixed commit was never backported to 6.1, so it looks like a stable series regression due to a missing backport. If I apply the fix patch on 6.1.99, the PCID disabling code activates again. I had to change all the INTEL_* definitions to the old definitions to make it build: static const struct x86_cpu_id invlpg_miss_ids[] = { - INTEL_MATCH(INTEL_FAM6_ALDERLAKE ), - INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ), - INTEL_MATCH(INTEL_FAM6_ALDERLAKE_N ), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE ), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P), - INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S), + X86_MATCH_VFM(INTEL_FAM6_ALDERLAKE, 0), + X86_MATCH_VFM(INTEL_FAM6_ALDERLAKE_L, 0), + X86_MATCH_VFM(INTEL_FAM6_ALDERLAKE_N, 0), + X86_MATCH_VFM(INTEL_FAM6_RAPTORLAKE, 0), + X86_MATCH_VFM(INTEL_FAM6_RAPTORLAKE_P, 0), + X86_MATCH_VFM(INTEL_FAM6_RAPTORLAKE_S, 0), {} }; I only looked at the code in arch/x86/mm/init.c, so there may be other uses of x86_match_cpu() in the kernel that are also broken in 6.1.99. This email is meant as a bug report, not a pull request. Someone else should confirm the problem and submit the appropriate fix.

9 months, 2 weeks

6
7
0 0

[PATCH 5.4.y] selftests: breakpoints: Fix a typo of function name

by Samasth Norway Ananda

From: Masami Hiramatsu <mhiramat(a)kernel.org> commit 5b06eeae52c02dd0d9bc8488275a1207d410870b upstream. Since commit 5821ba969511 ("selftests: Add test plan API to kselftest.h and adjust callers") accidentally introduced 'a' typo in the front of run_test() function, breakpoint_test_arm64.c became not able to be compiled. Remove the 'a' from arun_test(). Fixes: 5821ba969511 ("selftests: Add test plan API to kselftest.h and adjust callers") Reported-by: Jun Takahashi <takahashi.jun_s(a)aa.socionext.com> Signed-off-by: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Kees Cook <keescook(a)chromium.org> Reviewed-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Shuah Khan <skhan(a)linuxfoundation.org> [Samasth: bp to 5.4.y] Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> --- tools/testing/selftests/breakpoints/breakpoint_test_arm64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/breakpoints/breakpoint_test_arm64.c b/tools/testing/selftests/breakpoints/breakpoint_test_arm64.c index 58ed5eeab7094..ad41ea69001bc 100644 --- a/tools/testing/selftests/breakpoints/breakpoint_test_arm64.c +++ b/tools/testing/selftests/breakpoints/breakpoint_test_arm64.c @@ -109,7 +109,7 @@ static bool set_watchpoint(pid_t pid, int size, int wp) return false; } -static bool arun_test(int wr_size, int wp_size, int wr, int wp) +static bool run_test(int wr_size, int wp_size, int wr, int wp) { int status; siginfo_t siginfo; -- 2.45.2

9 months, 2 weeks

2
1
0 0

[PATCH v2 1/2] drm/xe/vm: move xa_alloc to prevent UAF

by Matthew Auld

Evil user can guess the next id of the vm before the ioctl completes and then call vm destroy ioctl to trigger UAF since create ioctl is still referencing the same vm. Move the xa_alloc all the way to the end to prevent this. v2: - Rebase Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_vm.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index 31fe31db3fdc..ce9dca4d4e87 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -1765,10 +1765,6 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, if (IS_ERR(vm)) return PTR_ERR(vm); - err = xa_alloc(&xef->vm.xa, &id, vm, xa_limit_32b, GFP_KERNEL); - if (err) - goto err_close_and_put; - if (xe->info.has_asid) { down_write(&xe->usm.lock); err = xa_alloc_cyclic(&xe->usm.asid_to_vm, &asid, vm, @@ -1776,12 +1772,11 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, &xe->usm.next_asid, GFP_KERNEL); up_write(&xe->usm.lock); if (err < 0) - goto err_free_id; + goto err_close_and_put; vm->usm.asid = asid; } - args->vm_id = id; vm->xef = xe_file_get(xef); /* Record BO memory for VM pagetable created against client */ @@ -1794,10 +1789,15 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, args->reserved[0] = xe_bo_main_addr(vm->pt_root[0]->bo, XE_PAGE_SIZE); #endif + /* user id alloc must always be last in ioctl to prevent UAF */ + err = xa_alloc(&xef->vm.xa, &id, vm, xa_limit_32b, GFP_KERNEL); + if (err) + goto err_close_and_put; + + args->vm_id = id; + return 0; -err_free_id: - xa_erase(&xef->vm.xa, id); err_close_and_put: xe_vm_close_and_put(vm); -- 2.46.1

9 months, 2 weeks

3
2
0 0

[PATCH V2] rpmsg: glink: Add abort_tx check in intent wait

by Deepak Kumar Singh

From: Sarannya S <quic_sarannya(a)quicinc.com> On remote susbsystem restart rproc will stop glink subdev which will trigger qcom_glink_native_remove, any ongoing intent wait should be aborted from there otherwise this wait delays glink send which potentially delays glink channel removal as well. This further introduces delay in ssr notification to other remote subsystems from rproc. Currently qcom_glink_native_remove is not setting channel->intent_received, so any ongoing intent wait is not aborted on remote susbsystem restart. abort_tx flag can be used as a condition to abort in such cases. Adding abort_tx flag check in intent wait, to abort intent wait from qcom_glink_native_remove. Fixes: c05dfce0b89e ("rpmsg: glink: Wait for intent, not just request ack") Cc: stable(a)vger.kernel.org Signed-off-by: Sarannya S <quic_sarannya(a)quicinc.com> Signed-off-by: Deepak Kumar Singh <quic_deesin(a)quicinc.com> --- drivers/rpmsg/qcom_glink_native.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c index 82d460ff4777..ff828531c36f 100644 --- a/drivers/rpmsg/qcom_glink_native.c +++ b/drivers/rpmsg/qcom_glink_native.c @@ -438,7 +438,6 @@ static void qcom_glink_handle_intent_req_ack(struct qcom_glink *glink, static void qcom_glink_intent_req_abort(struct glink_channel *channel) { - WRITE_ONCE(channel->intent_req_result, 0); wake_up_all(&channel->intent_req_wq); } @@ -1354,8 +1353,9 @@ static int qcom_glink_request_intent(struct qcom_glink *glink, goto unlock; ret = wait_event_timeout(channel->intent_req_wq, - READ_ONCE(channel->intent_req_result) >= 0 && - READ_ONCE(channel->intent_received), + (READ_ONCE(channel->intent_req_result) >= 0 && + READ_ONCE(channel->intent_received)) || + glink->abort_tx, 10 * HZ); if (!ret) { dev_err(glink->dev, "intent request timed out\n"); -- 2.34.1

9 months, 2 weeks

2
1
0 0

nfsv41: stale file handles after VM shutdown/poweron - but works during warm reboot

by Christian Theune

Hi, we're experiencing a weird NFS (client?) issue when we cold restart a Linux virtual machine running an NFS server. The client will reconnect when the server comes back but we end up with stale file handles and have to unmount/remount. Initially I thought we did something stupid running the `soft` option and wanted to convert to `hard,timeo=6,retrans=10` but noticed that our original problems that caused me to investigate did not go away when changing the mount options. The issue seems to be (surprisingly!) caused when restarting the NFS server VM using a "cold boot" approach: calling shutdown and then having the VM started with a fresh Qemu process. When restarting the NFS server VM using a warm reboot we do not see stale file handles. This appears not to be a race condition or timeouts happening as its reliably reproducable in either direction - I've tried dozens of times and it always works with a reboot and always ends up with stale file handles when shutting down/starting a fresh VM. I've played around with shutting off the NFS server service and introducing delays before cold and warm restarts but the symptoms remain the same. I've tried reading through man pages, kernel documentation, and kernel code but haven't found anything that points to me doing something wrong. The nfsd and client settings are all at their defaults in /proc (at least I didn't find any config management modifying them and peeking at a few of them they ran at their defaults). The issue can be observed on 5.15.164 as well as 6.11. We've been running identical setups for many years and haven't observed this issue until a few months ago. We’ve been running with 5.15 for a while now and I think this might have been introduced somewhere along the way. I've added the client side kernel traces here. Network traffic was not enlightening. I tried chopping the traces into parts that reflect what happens on the server. Setup ===== Server and client are both Qemu/KVM VMs running NixOS with a (for practical purposes) vanilla kernel (two one line patches that change the `bridge-stp` and `request-key` helper paths). Mount: <server>:/srv/nfs/shared on /mnt/nfs/shared type nfs4 (rw,relatime,vers=4.2,rsize=8192,wsize=8192,namlen=255,hard,proto=tcp6,timeo=100,retrans=30,sec=sys,clientaddr=<v6network>::1137,local_lock=none,addr=<v6network>::1136) Export: /srv/nfs/shared <server>(rw,sync,root_squash,no_subtree_check) <client>(rw,sync,root_squash,no_subtree_check) Case 1 (cold reboot - ends up broken) ===================================== We're stopping the server, waiting for a bit and then poweroff. Basically: server> systemctl stop nfs-server; sleep 30; poweroff The poweroff causes the VM to be automatically restarted after a few seconds with a fresh Qemu process - but with all identical settings from the previous instance. The client sees the following rpc and nfs trace: server> systemctl stop nfs-server client kernel log> [ 4965.503048] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4965.503975] RPC: state 8 conn 1 dead 0 zapped 1 sk_shutdown 1 [ 4965.505105] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4965.505930] RPC: state 9 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 4965.506712] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4965.507469] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 4965.508261] RPC: xs_close xprt 000000004f6bb8b0 [ 4965.509108] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4965.509916] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 server> sleep 30 client kernel log> [ 4998.558930] nfs4_renew_state: start [ 4998.559497] <-- nfs41_proc_async_sequence status=0 [ 4998.560074] nfs4_renew_state: done [ 4998.560473] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 4998.561379] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 4998.562442] encode_sequence: sessionid=1727262693:2026340752:2:0 seqid=47 slotid=0 max_slotid=0 cache_this=0 [ 4998.563650] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 4998.564385] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:788: ok (0) [ 4998.565372] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 4998.566606] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 4998.567594] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4998.567596] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 4998.567600] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 4998.569979] RPC: xs_close xprt 000000004f6bb8b0 [ 4998.570565] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 4998.571276] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5001.630875] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5001.631969] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:745: ok (0) [ 5001.632890] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5001.634262] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 5001.635306] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5001.635308] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5001.635312] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 5001.637871] RPC: xs_close xprt 000000004f6bb8b0 [ 5001.638465] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5001.639237] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5004.702871] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5004.703851] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:1012: ok (0) [ 5004.704995] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5004.706752] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 5004.708103] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5004.708106] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5004.708110] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 5004.711656] RPC: xs_close xprt 000000004f6bb8b0 [ 5004.712489] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5004.713521] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5007.774811] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5007.775819] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:811: ok (0) [ 5007.776749] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5007.778362] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 5007.779413] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5007.779416] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5007.779420] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 5007.782197] RPC: xs_close xprt 000000004f6bb8b0 [ 5007.782884] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5007.783757] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5010.846776] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5010.847884] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:920: ok (0) [ 5010.848923] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5010.850346] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 [ 5010.851478] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5010.851480] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5010.851484] RPC: xs_error_report client 000000004f6bb8b0, error=111... [ 5010.854398] RPC: xs_close xprt 000000004f6bb8b0 [ 5010.855067] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5010.855829] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5013.918740] RPC: xs_connect scheduled xprt 000000004f6bb8b0 [ 5013.919802] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:691: ok (0) [ 5013.920747] RPC: worker connecting xprt 000000004f6bb8b0 via tcp to <v6network>::1136 (port 2049) [ 5013.922364] RPC: 000000004f6bb8b0 connect status 115 connected 0 sock state 2 server> poweroff (server powers off and gets restarted) client kernel log> [ 5082.014329] RPC: xs_tcp_state_change client 000000004f6bb8b0... [ 5082.015431] RPC: state 1 conn 0 dead 0 zapped 1 sk_shutdown 0 [ 5082.016693] RPC: xs_tcp_send_request(116) = 0 [ 5082.032137] nfs41_sequence_process ERROR: -10052 Reset session [ 5082.033051] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5082.033883] nfs41_sequence_process: Error -10052 free the slot [ 5082.034713] nfs41_sequence_call_done ERROR -10052 [ 5082.035406] nfs4_schedule_lease_recovery: scheduling lease recovery for server <server> [ 5082.036710] nfs41_sequence_call_done rpc_cred 000000001946c07d [ 5082.037565] RPC: xs_tcp_send_request(100) = 0 [ 5082.038660] NFS: Got error -10052 from the server on DESTROY_SESSION. Session has been destroyed regardless... [ 5082.040040] --> nfs4_proc_create_session clp=00000000872dbfe2 session=00000000b29d3016 [ 5082.041071] nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64 [ 5082.042467] nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16 [ 5082.044069] nfs4_schedule_state_renewal: requeueing work. Lease period = 5 [ 5082.045066] RPC: xs_tcp_send_request(196) = 0 [ 5082.046099] nfs4_reset_session: session reset failed with status -10022 for server <server>! [ 5082.047361] nfs4_handle_reclaim_lease_error: handled error -10022 for server <server> [ 5082.048601] RPC: xs_tcp_send_request(244) = 0 [ 5082.049712] --> nfs4_proc_create_session clp=00000000872dbfe2 session=00000000b29d3016 [ 5082.050852] nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64 [ 5082.052201] nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16 [ 5082.053763] RPC: xs_tcp_send_request(196) = 0 [ 5082.055159] --> nfs4_setup_session_slot_tables [ 5082.055770] --> nfs4_realloc_slot_table: max_reqs=30, tbl->max_slots 30 [ 5082.056681] nfs4_realloc_slot_table: tbl=00000000cf1ff1fa slots=0000000002cd9cdc max_slots=30 [ 5082.057752] <-- nfs4_realloc_slot_table: return 0 [ 5082.058328] --> nfs4_realloc_slot_table: max_reqs=16, tbl->max_slots 16 [ 5082.059207] nfs4_realloc_slot_table: tbl=000000005982b642 slots=0000000017686be5 max_slots=16 [ 5082.060307] <-- nfs4_realloc_slot_table: return 0 [ 5082.060912] slot table setup returned 0 [ 5082.061403] nfs4_proc_create_session client>seqid 2 sessionid 1727263096:1126483273:1:0 [ 5082.062737] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5082.063857] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5082.064781] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=1 slotid=0 max_slotid=0 cache_this=0 [ 5082.066063] RPC: xs_tcp_send_request(132) = 0 [ 5082.068110] decode_attr_lease_time: lease time=90 [ 5082.068780] decode_attr_maxfilesize: maxfilesize=0 [ 5082.069411] decode_attr_maxread: maxread=1024 [ 5082.070006] decode_attr_maxwrite: maxwrite=1024 [ 5082.070612] decode_attr_time_delta: time_delta=0 0 [ 5082.071227] decode_attr_pnfstype: bitmap is 0 [ 5082.071810] decode_attr_layout_blksize: bitmap is 0 [ 5082.072452] decode_attr_clone_blksize: bitmap is 0 [ 5082.073090] decode_attr_change_attr_type: bitmap is 0 [ 5082.073735] decode_attr_xattrsupport: XATTR support=false [ 5082.074414] decode_fsinfo: xdr returned 0! [ 5082.075357] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5082.076299] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5082.077212] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5082.077909] nfs41_sequence_process: Error 0 free the slot [ 5082.078569] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5082.079571] nfs4_schedule_state_renewal: requeueing work. Lease period = 60 [ 5082.080520] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5082.081506] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5082.082376] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=2 slotid=0 max_slotid=0 cache_this=0 [ 5082.083612] RPC: xs_tcp_send_request(124) = 0 [ 5082.113634] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5082.114614] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5082.115482] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5082.116142] nfs41_sequence_process: Error 0 free the slot [ 5082.116772] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5082.117766] <-- nfs41_proc_reclaim_complete status=0 [ 5082.118379] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=16 [ 5082.119308] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5082.120110] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5082.120805] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5082.121690] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5082.122438] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 The client now shows the following error when trying to access files on the NFS mountpoint (shared is a directory in /mnt/nfs that is the mountpoint): client> ls /mnt/nfs/ ls: cannot access '/mnt/nfs/shared': Stale file handle shared While doing that, the client kernel log continues: [ 5121.788081] NFS: nfs_weak_revalidate: inode 33681408 is valid [ 5121.788941] NFS: revalidating (0:50/33681408) [ 5121.789816] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5121.790950] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5121.791958] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5121.792904] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=3 slotid=0 max_slotid=0 cache_this=0 [ 5121.794289] RPC: xs_tcp_send_request(172) = 0 [ 5121.799020] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5121.800014] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5121.800876] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5121.801562] nfs41_sequence_process: Error 0 free the slot [ 5121.802232] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5121.803240] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5121.804471] NFS: revalidating (0:50/33681408) [ 5121.805080] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5121.805968] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5121.806955] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5121.807885] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=4 slotid=0 max_slotid=0 cache_this=0 [ 5121.809522] RPC: xs_tcp_send_request(172) = 0 [ 5121.810845] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5121.811864] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5121.812791] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5121.813501] nfs41_sequence_process: Error 0 free the slot [ 5121.814207] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5121.815242] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5121.816279] NFS: nfs_weak_revalidate: inode 33681408 is invalid [ 5121.817311] NFS: revalidating (0:50/33681408) [ 5121.828500] NFS: nfs_weak_revalidate: inode 33681408 is invalid [ 5146.013099] nfs4_renew_state: start [ 5146.013647] nfs4_renew_state: failed to call renewd. Reason: lease not expired [ 5146.014510] nfs4_schedule_state_renewal: requeueing work. Lease period = 36 [ 5146.015356] nfs4_renew_state: done [ 5155.718411] NFS: nfs_weak_revalidate: inode 33681408 is valid [ 5155.719976] NFS: revalidating (0:50/33681408) [ 5155.720628] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5155.721545] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5155.722519] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5155.726973] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=6 slotid=0 max_slotid=0 cache_this=0 [ 5155.728990] RPC: xs_tcp_send_request(172) = 0 [ 5155.731070] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5155.732292] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5155.733384] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5155.734088] nfs41_sequence_process: Error 0 free the slot [ 5155.734867] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5155.741211] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5155.742647] NFS: revalidating (0:50/33681408) [ 5155.748003] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5155.748977] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5155.750066] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5155.754045] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=7 slotid=0 max_slotid=0 cache_this=0 [ 5155.757104] RPC: xs_tcp_send_request(172) = 0 [ 5155.759310] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5155.760383] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5155.761233] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5155.761870] nfs41_sequence_process: Error 0 free the slot [ 5155.762585] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5155.768250] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5155.769224] NFS: nfs_weak_revalidate: inode 33681408 is invalid [ 5155.771968] NFS: revalidating (0:50/33681408) [ 5155.772574] --> nfs41_call_sync_prepare data->seq_server 00000000862cf9f3 [ 5155.773522] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5155.774379] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5155.779036] encode_sequence: sessionid=1727263096:1126483273:1:0 seqid=8 slotid=0 max_slotid=0 cache_this=0 [ 5155.780960] RPC: xs_tcp_send_request(172) = 0 [ 5155.781797] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5155.782721] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5155.783734] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5155.784485] nfs41_sequence_process: Error 0 free the slot [ 5155.785084] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5155.789037] nfs_revalidate_inode: (0:50/33681408) getattr failed, error=-116 [ 5155.789873] NFS: nfs_weak_revalidate: inode 33681408 is invalid Unmounting and remounting the mountpoint puts the client into a working state again. Case 2 (ends up in a working state) =================================== Here, we also shutdown the NFS server, wait for a bit, but then perform a "warm" reboot. server> systemctl stop nfs-server ; sleep 30 seconds; reboot system The individual steps as seen from the client: server> systemctl stop nfs-server client kernel log> [ 5511.593152] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5511.593997] RPC: state 8 conn 1 dead 0 zapped 1 sk_shutdown 1 [ 5511.594763] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5511.595581] RPC: state 9 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5511.596371] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5511.597131] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5511.597957] RPC: xs_close xprt 0000000005eb3fd3 [ 5511.599868] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5511.600621] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 server> sleep 30; reboot [ 5526.935766] nfs4_renew_state: start [ 5526.936259] nfs4_renew_state: failed to call renewd. Reason: lease not expired [ 5526.937164] nfs4_schedule_state_renewal: requeueing work. Lease period = 36 [ 5526.938060] nfs4_renew_state: done [ 5563.799229] nfs4_renew_state: start [ 5563.799869] <-- nfs41_proc_async_sequence status=0 [ 5563.800512] nfs4_renew_state: done [ 5563.800990] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5563.802030] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5563.803244] encode_sequence: sessionid=1727263096:1126483275:2:0 seqid=43 slotid=0 max_slotid=0 cache_this=0 [ 5563.804487] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5563.805269] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:914: ok (0) [ 5563.806376] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5563.807676] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5578.071084] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5578.072089] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5578.072898] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5578.074168] RPC: xs_close xprt 0000000005eb3fd3 [ 5578.074806] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5578.075629] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5578.076533] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5578.077353] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:791: ok (0) [ 5578.078422] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5578.079767] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5581.143007] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5581.144027] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5581.144804] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5581.146013] RPC: xs_close xprt 0000000005eb3fd3 [ 5581.146667] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5581.147475] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5584.150918] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5584.151952] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:842: ok (0) [ 5584.153297] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5584.154840] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5587.223096] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5587.224119] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5587.224971] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5587.226296] RPC: xs_close xprt 0000000005eb3fd3 [ 5587.227011] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5587.227878] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5590.230822] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5590.231841] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:893: ok (0) [ 5590.232897] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5590.234566] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5593.302883] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5593.303910] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5593.304850] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5593.306104] RPC: xs_close xprt 0000000005eb3fd3 [ 5593.306799] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5593.307585] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5596.310840] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5596.311711] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:925: ok (0) [ 5596.312594] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5596.314192] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 The server is booting and the client recovers while logging this: [ 5602.390691] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5602.391719] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:980: ok (0) [ 5602.392668] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5602.394223] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5605.462614] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5605.463527] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5605.464312] RPC: xs_error_report client 0000000005eb3fd3, error=113... [ 5605.465430] RPC: xs_close xprt 0000000005eb3fd3 [ 5605.466074] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5605.466903] RPC: state 7 conn 0 dead 0 zapped 1 sk_shutdown 3 [ 5608.470590] RPC: xs_connect scheduled xprt 0000000005eb3fd3 [ 5608.471618] RPC: xs_bind 0000:0000:0000:0000:0000:0000:0000:0000:1015: ok (0) [ 5608.472730] RPC: worker connecting xprt 0000000005eb3fd3 via tcp to 2a02:238:f030:1c3::1136 (port 2049) [ 5608.474014] RPC: 0000000005eb3fd3 connect status 115 connected 0 sock state 2 [ 5609.495200] RPC: xs_tcp_state_change client 0000000005eb3fd3... [ 5609.496171] RPC: state 1 conn 0 dead 0 zapped 1 sk_shutdown 0 [ 5609.497356] RPC: xs_tcp_send_request(116) = 0 [ 5609.511115] nfs41_sequence_process ERROR: -10052 Reset session [ 5609.512033] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5609.512809] nfs41_sequence_process: Error -10052 free the slot [ 5609.513589] nfs41_sequence_call_done ERROR -10052 [ 5609.514246] nfs4_schedule_lease_recovery: scheduling lease recovery for server <server> [ 5609.515446] nfs41_sequence_call_done rpc_cred 000000001946c07d [ 5609.516272] RPC: xs_tcp_send_request(100) = 0 [ 5609.517198] NFS: Got error -10052 from the server on DESTROY_SESSION. Session has been destroyed regardless... [ 5609.518645] --> nfs4_proc_create_session clp=0000000002fc3705 session=000000009488146a [ 5609.519601] nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64 [ 5609.520801] nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16 [ 5609.523115] nfs4_schedule_state_renewal: requeueing work. Lease period = 5 [ 5609.524103] RPC: xs_tcp_send_request(196) = 0 [ 5609.525090] nfs4_reset_session: session reset failed with status -10022 for server <server>! [ 5609.526350] nfs4_handle_reclaim_lease_error: handled error -10022 for server <server> [ 5609.527548] RPC: xs_tcp_send_request(244) = 0 [ 5609.528414] --> nfs4_proc_create_session clp=0000000002fc3705 session=000000009488146a [ 5609.529500] nfs4_init_channel_attrs: Fore Channel : max_rqst_sz=1049620 max_resp_sz=1049480 max_ops=8 max_reqs=64 [ 5609.530905] nfs4_init_channel_attrs: Back Channel : max_rqst_sz=4096 max_resp_sz=4096 max_resp_sz_cached=0 max_ops=2 max_reqs=16 [ 5609.532526] RPC: xs_tcp_send_request(196) = 0 [ 5609.533669] --> nfs4_setup_session_slot_tables [ 5609.534365] --> nfs4_realloc_slot_table: max_reqs=30, tbl->max_slots 30 [ 5609.535199] nfs4_realloc_slot_table: tbl=000000009c22d728 slots=0000000025e05bce max_slots=30 [ 5609.536186] <-- nfs4_realloc_slot_table: return 0 [ 5609.536744] --> nfs4_realloc_slot_table: max_reqs=16, tbl->max_slots 16 [ 5609.537734] nfs4_realloc_slot_table: tbl=0000000002a05f6b slots=000000009aa80389 max_slots=16 [ 5609.538775] <-- nfs4_realloc_slot_table: return 0 [ 5609.539446] slot table setup returned 0 [ 5609.539994] nfs4_proc_create_session client>seqid 2 sessionid 1727263639:3068450331:1:0 [ 5609.541129] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5609.542047] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5609.543029] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=1 slotid=0 max_slotid=0 cache_this=0 [ 5609.544295] RPC: xs_tcp_send_request(132) = 0 [ 5609.545479] decode_attr_lease_time: lease time=90 [ 5609.546158] decode_attr_maxfilesize: maxfilesize=0 [ 5609.546798] decode_attr_maxread: maxread=1024 [ 5609.547357] decode_attr_maxwrite: maxwrite=1024 [ 5609.547943] decode_attr_time_delta: time_delta=0 0 [ 5609.548482] decode_attr_pnfstype: bitmap is 0 [ 5609.549005] decode_attr_layout_blksize: bitmap is 0 [ 5609.549534] decode_attr_clone_blksize: bitmap is 0 [ 5609.550125] decode_attr_change_attr_type: bitmap is 0 [ 5609.550766] decode_attr_xattrsupport: XATTR support=false [ 5609.551413] decode_fsinfo: xdr returned 0! [ 5609.552242] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5609.553039] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5609.553917] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5609.554541] nfs41_sequence_process: Error 0 free the slot [ 5609.555273] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5609.560764] nfs4_schedule_state_renewal: requeueing work. Lease period = 60 [ 5609.562070] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5609.563074] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5609.563980] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=2 slotid=0 max_slotid=0 cache_this=0 [ 5609.565352] RPC: xs_tcp_send_request(124) = 0 [ 5609.644135] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5609.645214] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5609.646049] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5609.646722] nfs41_sequence_process: Error 0 free the slot [ 5609.647369] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5609.648352] <-- nfs41_proc_reclaim_complete status=0 [ 5609.648964] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=16 [ 5609.649813] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5609.650544] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5609.651237] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5609.652134] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5609.652874] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5632.396766] NFS: permission(0:50/33681408), mask=0x81, res=-10 [ 5632.397471] NFS: revalidating (0:50/33681408) [ 5632.397973] --> nfs41_call_sync_prepare data->seq_server 000000001a362fd8 [ 5632.398705] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5632.399547] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5632.400600] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=3 slotid=0 max_slotid=0 cache_this=0 [ 5632.401933] RPC: xs_tcp_send_request(172) = 0 [ 5632.406551] decode_attr_type: type=040000 [ 5632.407276] decode_attr_change: change attribute=7 [ 5632.407922] decode_attr_size: file size=18 [ 5632.408428] decode_attr_fsid: fsid=(0x7de545f823d44d4e/0xadabff1eec0b0f80) [ 5632.409210] decode_attr_fileid: fileid=33681408 [ 5632.409752] decode_attr_fs_locations: fs_locations done, error = 0 [ 5632.410441] decode_attr_mode: file mode=0775 [ 5632.410944] decode_attr_nlink: nlink=3 [ 5632.411464] decode_attr_owner: uid=0 [ 5632.411953] decode_attr_group: gid=900 [ 5632.412473] decode_attr_rdev: rdev=(0x0:0x0) [ 5632.412982] decode_attr_space_used: space used=0 [ 5632.413558] decode_attr_time_access: atime=1727245731 [ 5632.414115] decode_attr_time_metadata: ctime=1727245730 [ 5632.414746] decode_attr_time_modify: mtime=1727245730 [ 5632.415336] decode_attr_mounted_on_fileid: fileid=33681408 [ 5632.416084] decode_getfattr_attrs: xdr returned 0 [ 5632.416712] decode_getfattr_generic: xdr returned 0 [ 5632.417833] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5632.418779] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5632.419659] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5632.420315] nfs41_sequence_process: Error 0 free the slot [ 5632.421024] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5632.422037] NFS: nfs_update_inode(0:50/33681408 fh_crc=0xd3a763c6 ct=2 info=0x427e7f) [ 5632.423110] NFS: (0:50/33681408) revalidation complete [ 5632.423890] NFS: permission(0:50/33681408), mask=0x1, res=0 [ 5632.424892] NFS: nfs_weak_revalidate: inode 33681408 is valid [ 5632.428895] NFS: permission(0:50/33681408), mask=0x81, res=0 [ 5632.429693] NFS: revalidating (0:50/33681408) [ 5632.430402] --> nfs41_call_sync_prepare data->seq_server 000000001a362fd8 [ 5632.431191] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5632.432112] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5632.433025] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=4 slotid=0 max_slotid=0 cache_this=0 [ 5632.434228] RPC: xs_tcp_send_request(172) = 0 [ 5632.435149] decode_attr_type: type=040000 [ 5632.435692] decode_attr_change: change attribute=7 [ 5632.436237] decode_attr_size: file size=18 [ 5632.436738] decode_attr_fsid: fsid=(0x7de545f823d44d4e/0xadabff1eec0b0f80) [ 5632.437518] decode_attr_fileid: fileid=33681408 [ 5632.438052] decode_attr_fs_locations: fs_locations done, error = 0 [ 5632.438796] decode_attr_mode: file mode=0775 [ 5632.439312] decode_attr_nlink: nlink=3 [ 5632.439772] decode_attr_owner: uid=0 [ 5632.440147] decode_attr_group: gid=900 [ 5632.440582] decode_attr_rdev: rdev=(0x0:0x0) [ 5632.441272] decode_attr_space_used: space used=0 [ 5632.441998] decode_attr_time_access: atime=1727245731 [ 5632.442796] decode_attr_time_metadata: ctime=1727245730 [ 5632.443613] decode_attr_time_modify: mtime=1727245730 [ 5632.444374] decode_attr_mounted_on_fileid: fileid=33681408 [ 5632.445216] decode_getfattr_attrs: xdr returned 0 [ 5632.445948] decode_getfattr_generic: xdr returned 0 [ 5632.447188] --> nfs4_alloc_slot used_slots=0001 highest_used=0 max_slots=30 [ 5632.448043] <-- nfs4_alloc_slot used_slots=0003 highest_used=1 slotid=1 [ 5632.448876] nfs4_free_slot: slotid 1 highest_used_slotid 0 [ 5632.449551] nfs41_sequence_process: Error 0 free the slot [ 5632.450206] nfs4_free_slot: slotid 0 highest_used_slotid 4294967295 [ 5632.451060] NFS: nfs_update_inode(0:50/33681408 fh_crc=0xd3a763c6 ct=2 info=0x427e7f) [ 5632.451966] NFS: (0:50/33681408) revalidation complete [ 5632.452663] NFS: nfs_weak_revalidate: inode 33681408 is valid [ 5632.453284] NFS: permission(0:50/33681408), mask=0x24, res=0 [ 5632.454370] NFS: open dir(/) [ 5632.454787] NFS: readdir(/) starting at cookie 0 [ 5632.455619] NFS: nfs_do_filldir() filling ended @ cookie 512 [ 5632.456475] NFS: readdir(/) returns 0 [ 5632.457038] NFS: permission(0:50/33681408), mask=0x81, res=0 [ 5632.457862] NFS: revalidating (0:50/1677168) [ 5632.458536] --> nfs41_call_sync_prepare data->seq_server 000000001a362fd8 [ 5632.459514] --> nfs4_alloc_slot used_slots=0000 highest_used=4294967295 max_slots=30 [ 5632.460527] <-- nfs4_alloc_slot used_slots=0001 highest_used=0 slotid=0 [ 5632.461465] encode_sequence: sessionid=1727263639:3068450331:1:0 seqid=5 slotid=0 max_slotid=0 cache_this=0 [ 5632.462847] RPC: xs_tcp_send_request(184) = 0 I’m at the point where I’m considering that this might be a bug. Hugs, Christian -- Christian Theune · ct(a)flyingcircus.io · +49 345 219401 0 Flying Circus Internet Operations GmbH · https://flyingcircus.io Leipziger Str. 70/71 · 06108 Halle (Saale) · Deutschland HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick

9 months, 2 weeks

2
3
0 0

[PATCH] r8169: Potential divizion by zero in rtl_set_coalesce()

by George Rurikov

Variable 'scale', whose possible value set allows a zero value in a check at r8169_main.c:2014, is used as a denominator at r8169_main.c:2040 and r8169_main.c:2042. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 2815b30535a0 ("r8169: merge scale for tx and rx irq coalescing") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/net/ethernet/realtek/r8169_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c index 45ac8befba29..b97e68cfcfad 100644 --- a/drivers/net/ethernet/realtek/r8169_main.c +++ b/drivers/net/ethernet/realtek/r8169_main.c @@ -2011,7 +2011,7 @@ static int rtl_set_coalesce(struct net_device *dev, coal_usec_max = max(ec->rx_coalesce_usecs, ec->tx_coalesce_usecs); scale = rtl_coalesce_choose_scale(tp, coal_usec_max, &cp01); - if (scale < 0) + if (scale <= 0) return scale; /* Accept max_frames=1 we returned in rtl_get_coalesce. Accept it -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

9 months, 2 weeks

2
1
0 0

[PATCH 5.10.y 5.15.y] gpiolib: cdev: Ignore reconfiguration without direction

by Kent Gibson

[ Upstream commit b440396387418fe2feaacd41ca16080e7a8bc9ad ] linereq_set_config() behaves badly when direction is not set. The configuration validation is borrowed from linereq_create(), where, to verify the intent of the user, the direction must be set to in order to effect a change to the electrical configuration of a line. But, when applied to reconfiguration, that validation does not allow for the unset direction case, making it possible to clear flags set previously without specifying the line direction. Adding to the inconsistency, those changes are not immediately applied by linereq_set_config(), but will take effect when the line value is next get or set. For example, by requesting a configuration with no flags set, an output line with GPIO_V2_LINE_FLAG_ACTIVE_LOW and GPIO_V2_LINE_FLAG_OPEN_DRAIN set could have those flags cleared, inverting the sense of the line and changing the line drive to push-pull on the next line value set. Skip the reconfiguration of lines for which the direction is not set, and only reconfigure the lines for which direction is set. Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL") Signed-off-by: Kent Gibson <warthog618(a)gmail.com> Link: https://lore.kernel.org/r/20240626052925.174272-3-warthog618@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/gpio/gpiolib-cdev.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index c2f9d95d1086..fe0926ce0068 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -1186,15 +1186,18 @@ static long linereq_set_config_unlocked(struct linereq *lr, for (i = 0; i < lr->num_lines; i++) { desc = lr->lines[i].desc; flags = gpio_v2_line_config_flags(lc, i); + /* + * Lines not explicitly reconfigured as input or output + * are left unchanged. + */ + if (!(flags & GPIO_V2_LINE_DIRECTION_FLAGS)) + continue; + polarity_change = (!!test_bit(FLAG_ACTIVE_LOW, &desc->flags) != ((flags & GPIO_V2_LINE_FLAG_ACTIVE_LOW) != 0)); gpio_v2_line_config_flags_to_desc_flags(flags, &desc->flags); - /* - * Lines have to be requested explicitly for input - * or output, else the line will be treated "as is". - */ if (flags & GPIO_V2_LINE_FLAG_OUTPUT) { int val = gpio_v2_line_config_output_value(lc, i); @@ -1202,7 +1205,7 @@ static long linereq_set_config_unlocked(struct linereq *lr, ret = gpiod_direction_output(desc, val); if (ret) return ret; - } else if (flags & GPIO_V2_LINE_FLAG_INPUT) { + } else { ret = gpiod_direction_input(desc); if (ret) return ret; -- 2.39.5

9 months, 2 weeks

1
0
0 0

[PATCH 6.1.y 6.6.y] gpiolib: cdev: Ignore reconfiguration without direction

by Kent Gibson

[ Upstream commit b440396387418fe2feaacd41ca16080e7a8bc9ad ] linereq_set_config() behaves badly when direction is not set. The configuration validation is borrowed from linereq_create(), where, to verify the intent of the user, the direction must be set to in order to effect a change to the electrical configuration of a line. But, when applied to reconfiguration, that validation does not allow for the unset direction case, making it possible to clear flags set previously without specifying the line direction. Adding to the inconsistency, those changes are not immediately applied by linereq_set_config(), but will take effect when the line value is next get or set. For example, by requesting a configuration with no flags set, an output line with GPIO_V2_LINE_FLAG_ACTIVE_LOW and GPIO_V2_LINE_FLAG_OPEN_DRAIN set could have those flags cleared, inverting the sense of the line and changing the line drive to push-pull on the next line value set. Skip the reconfiguration of lines for which the direction is not set, and only reconfigure the lines for which direction is set. Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL") Signed-off-by: Kent Gibson <warthog618(a)gmail.com> Link: https://lore.kernel.org/r/20240626052925.174272-3-warthog618@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> --- drivers/gpio/gpiolib-cdev.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index d526a4c91e82..545998e9f6ad 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -1565,12 +1565,14 @@ static long linereq_set_config_unlocked(struct linereq *lr, line = &lr->lines[i]; desc = lr->lines[i].desc; flags = gpio_v2_line_config_flags(lc, i); - gpio_v2_line_config_flags_to_desc_flags(flags, &desc->flags); - edflags = flags & GPIO_V2_LINE_EDGE_DETECTOR_FLAGS; /* - * Lines have to be requested explicitly for input - * or output, else the line will be treated "as is". + * Lines not explicitly reconfigured as input or output + * are left unchanged. */ + if (!(flags & GPIO_V2_LINE_DIRECTION_FLAGS)) + continue; + gpio_v2_line_config_flags_to_desc_flags(flags, &desc->flags); + edflags = flags & GPIO_V2_LINE_EDGE_DETECTOR_FLAGS; if (flags & GPIO_V2_LINE_FLAG_OUTPUT) { int val = gpio_v2_line_config_output_value(lc, i); @@ -1578,7 +1580,7 @@ static long linereq_set_config_unlocked(struct linereq *lr, ret = gpiod_direction_output(desc, val); if (ret) return ret; - } else if (flags & GPIO_V2_LINE_FLAG_INPUT) { + } else { ret = gpiod_direction_input(desc); if (ret) return ret; -- 2.39.5

9 months, 2 weeks

1
0
0 0

[PATCH -next 0/2] Fix memory leaks for kobject

by Gaosheng Cui

Fix two memory leaks for kobject name, thanks! Gaosheng Cui (2): kobject: fix memory leak in kset_register() due to uninitialized kset->kobj.ktype kobject: fix memory leak when kobject_add_varg() returns error lib/kobject.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) -- 2.25.1

9 months, 2 weeks

3
6
0 0

[PATCH v9 1/3] ufs: core: fix the issue of ICU failure

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When setting the ICU bit without using read-modify-write, SQRTCy will restart SQ again and receive an RTC return error code 2 (Failure - SQ not stopped). Additionally, the error log has been modified so that this type of error can be observed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Reviewed-by: Bao D. Nguyen <quic_nguyenb(a)quicinc.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/ufs/core/ufs-mcq.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index 5891cdacd0b3..3903947dbed1 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) struct scsi_cmnd *cmd = lrbp->cmd; struct ufs_hw_queue *hwq; void __iomem *reg, *opr_sqd_base; - u32 nexus, id, val; + u32 nexus, id, val, rtc; int err; if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) @@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id); writel(nexus, opr_sqd_base + REG_SQCTI); - /* SQRTCy.ICU = 1 */ - writel(SQ_ICU, opr_sqd_base + REG_SQRTC); + /* Initiate Cleanup */ + writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, + opr_sqd_base + REG_SQRTC); /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ reg = opr_sqd_base + REG_SQRTS; err = read_poll_timeout(readl, val, val & SQ_CUS, 20, MCQ_POLL_US, false, reg); - if (err) - dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", - __func__, id, task_tag, - FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); + rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)); + if (err || rtc) + dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n", + __func__, id, task_tag, err, rtc); if (ufshcd_mcq_sq_start(hba, hwq)) err = -ETIMEDOUT; -- 2.45.2

9 months, 2 weeks

1
0
0 0

+ ocfs2-fix-uninit-value-in-ocfs2_get_block.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: fix uninit-value in ocfs2_get_block() has been added to the -mm mm-hotfixes-unstable branch. Its filename is ocfs2-fix-uninit-value-in-ocfs2_get_block.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Joseph Qi <joseph.qi(a)linux.alibaba.com> Subject: ocfs2: fix uninit-value in ocfs2_get_block() Date: Wed, 25 Sep 2024 17:06:00 +0800 syzbot reported an uninit-value BUG: BUG: KMSAN: uninit-value in ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159 do_mpage_readpage+0xc45/0x2780 fs/mpage.c:225 mpage_readahead+0x43f/0x840 fs/mpage.c:374 ocfs2_readahead+0x269/0x320 fs/ocfs2/aops.c:381 read_pages+0x193/0x1110 mm/readahead.c:160 page_cache_ra_unbounded+0x901/0x9f0 mm/readahead.c:273 do_page_cache_ra mm/readahead.c:303 [inline] force_page_cache_ra+0x3b1/0x4b0 mm/readahead.c:332 force_page_cache_readahead mm/internal.h:347 [inline] generic_fadvise+0x6b0/0xa90 mm/fadvise.c:106 vfs_fadvise mm/fadvise.c:185 [inline] ksys_fadvise64_64 mm/fadvise.c:199 [inline] __do_sys_fadvise64 mm/fadvise.c:214 [inline] __se_sys_fadvise64 mm/fadvise.c:212 [inline] __x64_sys_fadvise64+0x1fb/0x3a0 mm/fadvise.c:212 x64_sys_call+0xe11/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:222 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f This is because when ocfs2_extent_map_get_blocks() fails, p_blkno is uninitialized. So the error log will trigger the above uninit-value access. The error log is out-of-date since get_blocks() was removed long time ago. And the error code will be logged in ocfs2_extent_map_get_blocks() once ocfs2_get_cluster() fails, so fix this by only logging inode and block. Link: https://syzkaller.appspot.com/bug?extid=9709e73bae885b05314b Link: https://lkml.kernel.org/r/20240925090600.3643376-1-joseph.qi@linux.alibaba.… Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem") Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: syzbot+9709e73bae885b05314b(a)syzkaller.appspotmail.com Tested-by: syzbot+9709e73bae885b05314b(a)syzkaller.appspotmail.com Cc: Heming Zhao <heming.zhao(a)suse.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/aops.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/fs/ocfs2/aops.c~ocfs2-fix-uninit-value-in-ocfs2_get_block +++ a/fs/ocfs2/aops.c @@ -156,9 +156,8 @@ int ocfs2_get_block(struct inode *inode, err = ocfs2_extent_map_get_blocks(inode, iblock, &p_blkno, &count, &ext_flags); if (err) { - mlog(ML_ERROR, "Error %d from get_blocks(0x%p, %llu, 1, " - "%llu, NULL)\n", err, inode, (unsigned long long)iblock, - (unsigned long long)p_blkno); + mlog(ML_ERROR, "get_blocks() failed, inode: 0x%p, " + "block: %llu\n", inode, (unsigned long long)iblock); goto bail; } _ Patches currently in -mm which might be from joseph.qi(a)linux.alibaba.com are ocfs2-fix-uninit-value-in-ocfs2_get_block.patch

9 months, 2 weeks

1
0
0 0

[PATCH v5 5/5] tpm: flush the auth session only when /dev/tpm0 is open

by Jarkko Sakkinen

Instead of flushing and reloading the auth session for every single transaction, keep the session open unless /dev/tpm0 is used. In practice this means applying TPM2_SA_CONTINUE_SESSION to the session attributes. Flush the session always when /dev/tpm0 is written. Reported-by: Pengyu Ma <mapengyu(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v5: - No changes. v4: - Changed as bug. v3: - Refined the commit message. - Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when /dev/tpm0 is open. It is not required as the auth session is flushed, not saved. v2: - A new patch. --- drivers/char/tpm/tpm-chip.c | 1 + drivers/char/tpm/tpm-dev-common.c | 1 + drivers/char/tpm/tpm-interface.c | 1 + drivers/char/tpm/tpm2-sessions.c | 3 +++ 4 files changed, 6 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0ea00e32f575..7a6bb30d1f32 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) rc = tpm_try_get_ops(chip); if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 4eaa8e05c291..a3ed7a99a394 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, #ifdef CONFIG_TCG_TPM2_HMAC if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index bfa47d48b0f2..2363018fa8fb 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev) if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { #ifdef CONFIG_TCG_TPM2_HMAC + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; #endif diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index a8d3d5d52178..38b92ad9e75f 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, } #ifdef CONFIG_TCG_TPM2_HMAC + /* The first write to /dev/tpm{rm0} will flush the session. */ + attributes |= TPM2_SA_CONTINUE_SESSION; + /* * The Architecture Guide requires us to strip trailing zeros * before computing the HMAC -- 2.46.1

9 months, 2 weeks

2
9
0 0

Re: [PATCH v2] mm: vmscan.c: fix OOM on swap stress test

by Chris Li

I forgot to CC stable on this fix. Chris On Thu, Sep 5, 2024 at 1:08 AM Chris Li <chrisl(a)kernel.org> wrote: > > I found a regression on mm-unstable during my swap stress test, > using tmpfs to compile linux. The test OOM very soon after > the make spawns many cc processes. > > It bisects down to this change: 33dfe9204f29b415bbc0abb1a50642d1ba94f5e9 > (mm/gup: clear the LRU flag of a page before adding to LRU batch) > > Yu Zhao propose the fix: "I think this is one of the potential side > effects -- Huge mentioned earlier about isolate_lru_folios():" > > I test that with it the swap stress test no longer OOM. > > Link: https://lore.kernel.org/r/CAOUHufYi9h0kz5uW3LHHS3ZrVwEq-kKp8S6N-MZUmErNAXoX… > Fixes: 33dfe9204f29 ("mm/gup: clear the LRU flag of a page before adding to LRU batch") > Suggested-by: Yu Zhao <yuzhao(a)google.com> > Suggested-by: Hugh Dickins <hughd(a)google.com> > Tested-by: Chris Li <chrisl(a)kernel.org> > Closes: https://lore.kernel.org/all/CAF8kJuNP5iTj2p07QgHSGOJsiUfYpJ2f4R1Q5-3BN9JiD9… > Signed-off-by: Chris Li <chrisl(a)kernel.org> > --- > Changes in v2: > - Add Closes tag suggested by Yu and Thorsten. > - Link to v1: https://lore.kernel.org/r/20240904-lru-flag-v1-1-36638d6a524c@kernel.org > --- > mm/vmscan.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mm/vmscan.c b/mm/vmscan.c > index a9b6a8196f95..96abf4a52382 100644 > --- a/mm/vmscan.c > +++ b/mm/vmscan.c > @@ -4323,7 +4323,7 @@ static bool sort_folio(struct lruvec *lruvec, struct folio *folio, struct scan_c > } > > /* ineligible */ > - if (zone > sc->reclaim_idx) { > + if (!folio_test_lru(folio) || zone > sc->reclaim_idx) { > gen = folio_inc_gen(lruvec, folio, false); > list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]); > return true; > > --- > base-commit: 756ca36d643324d028b325a170e73e392b9590cd > change-id: 20240904-lru-flag-2af2f955740e > > Best regards, > -- > Chris Li <chrisl(a)kernel.org> >

9 months, 2 weeks

2
1
0 0

[PATCH] drm/i915/hdcp: fix connector refcounting

by Jani Nikula

We acquire a connector reference before scheduling an HDCP prop work, and expect the work function to release the reference. However, if the work was already queued, it won't be queued multiple times, and the reference is not dropped. Release the reference immediately if the work was already queued. Fixes: a6597faa2d59 ("drm/i915: Protect workers against disappearing connectors") Cc: Sean Paul <seanpaul(a)chromium.org> Cc: Suraj Kandpal <suraj.kandpal(a)intel.com> Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v5.10+ Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> --- I don't know that we have any bugs open about this. Or how it would manifest itself. Memory leak on driver unload? I just spotted this while reading the code for other reasons. --- drivers/gpu/drm/i915/display/intel_hdcp.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_hdcp.c b/drivers/gpu/drm/i915/display/intel_hdcp.c index 2afa92321b08..cad309602617 100644 --- a/drivers/gpu/drm/i915/display/intel_hdcp.c +++ b/drivers/gpu/drm/i915/display/intel_hdcp.c @@ -1097,7 +1097,8 @@ static void intel_hdcp_update_value(struct intel_connector *connector, hdcp->value = value; if (update_property) { drm_connector_get(&connector->base); - queue_work(i915->unordered_wq, &hdcp->prop_work); + if (!queue_work(i915->unordered_wq, &hdcp->prop_work)) + drm_connector_put(&connector->base); } } @@ -2531,7 +2532,8 @@ void intel_hdcp_update_pipe(struct intel_atomic_state *state, mutex_lock(&hdcp->mutex); hdcp->value = DRM_MODE_CONTENT_PROTECTION_DESIRED; drm_connector_get(&connector->base); - queue_work(i915->unordered_wq, &hdcp->prop_work); + if (!queue_work(i915->unordered_wq, &hdcp->prop_work)) + drm_connector_put(&connector->base); mutex_unlock(&hdcp->mutex); } @@ -2548,7 +2550,9 @@ void intel_hdcp_update_pipe(struct intel_atomic_state *state, */ if (!desired_and_not_enabled && !content_protection_type_changed) { drm_connector_get(&connector->base); - queue_work(i915->unordered_wq, &hdcp->prop_work); + if (!queue_work(i915->unordered_wq, &hdcp->prop_work)) + drm_connector_put(&connector->base); + } } -- 2.39.2

9 months, 2 weeks

2
1
0 0

[PATCH] sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime

by Bao Chenglong

From: Zheng Zucheng <zhengzucheng(a)huawei.com> mainline inclusion from mainline-v6.11-rc2 commit 77baa5bafcbe1b2a15ef9c37232c21279c95481c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAIN7J Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- In extreme test scenarios: the 14th field utime in /proc/xx/stat is greater than sum_exec_runtime, utime = 18446744073709518790 ns, rtime = 135989749728000 ns In cputime_adjust() process, stime is greater than rtime due to mul_u64_u64_div_u64() precision problem. before call mul_u64_u64_div_u64(), stime = 175136586720000, rtime = 135989749728000, utime = 1416780000. after call mul_u64_u64_div_u64(), stime = 135989949653530 unsigned reversion occurs because rtime is less than stime. utime = rtime - stime = 135989749728000 - 135989949653530 = -199925530 = (u64)18446744073709518790 Trigger condition: 1). User task run in kernel mode most of time 2). ARM64 architecture 3). TICK_CPU_ACCOUNTING=y CONFIG_VIRT_CPU_ACCOUNTING_NATIVE is not set Fix mul_u64_u64_div_u64() conversion precision by reset stime to rtime Fixes: 3dc167ba5729 ("sched/cputime: Improve cputime_adjust()") Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Link: https://lkml.kernel.org/r/20240726023235.217771-1-zhengzucheng@huawei.com Signed-off-by: Zheng Zucheng <zhengzucheng(a)huawei.com> --- kernel/sched/cputime.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/sched/cputime.c b/kernel/sched/cputime.c index af7952f12e6c..b453f8a6a7c7 100644 --- a/kernel/sched/cputime.c +++ b/kernel/sched/cputime.c @@ -595,6 +595,12 @@ void cputime_adjust(struct task_cputime *curr, struct prev_cputime *prev, } stime = mul_u64_u64_div_u64(stime, rtime, stime + utime); + /* + * Because mul_u64_u64_div_u64() can approximate on some + * achitectures; enforce the constraint that: a*b/(b+c) <= a. + */ + if (unlikely(stime > rtime)) + stime = rtime; update: /* -- 2.34.1

9 months, 2 weeks

1
0
0 0

[PATCH] Revert "ALSA: memalloc: Workaround for Xen PV"

by Ariadne Conill

This patch attempted to work around a DMA issue involving Xen, but causes subtle kernel memory corruption. When I brought up this patch in the XenDevel matrix channel, I was told that it had been requested by the Qubes OS developers because they were trying to fix an issue where the sound stack would fail after a few hours of uptime. They wound up disabling SG buffering entirely instead as a workaround. Accordingly, I propose that we should revert this workaround patch, since it causes kernel memory corruption and that the ALSA and Xen communities should collaborate on fixing the underlying problem in such a way that SG buffering works correctly under Xen. This reverts commit 53466ebdec614f915c691809b0861acecb941e30. Signed-off-by: Ariadne Conill <ariadne(a)ariadne.space> Cc: stable(a)vger.kernel.org Cc: xen-devel(a)lists.xenproject.org Cc: alsa-devel(a)alsa-project.org Cc: Takashi Iwai <tiwai(a)suse.de> --- sound/core/memalloc.c | 87 +++++++++---------------------------------- 1 file changed, 18 insertions(+), 69 deletions(-) diff --git a/sound/core/memalloc.c b/sound/core/memalloc.c index f901504b5afc..81025f50a542 100644 --- a/sound/core/memalloc.c +++ b/sound/core/memalloc.c @@ -541,15 +541,16 @@ static void *snd_dma_noncontig_alloc(struct snd_dma_buffer *dmab, size_t size) struct sg_table *sgt; void *p; -#ifdef CONFIG_SND_DMA_SGBUF - if (cpu_feature_enabled(X86_FEATURE_XENPV)) - return snd_dma_sg_fallback_alloc(dmab, size); -#endif sgt = dma_alloc_noncontiguous(dmab->dev.dev, size, dmab->dev.dir, DEFAULT_GFP, 0); #ifdef CONFIG_SND_DMA_SGBUF - if (!sgt && !get_dma_ops(dmab->dev.dev)) + if (!sgt && !get_dma_ops(dmab->dev.dev)) { + if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_WC_SG) + dmab->dev.type = SNDRV_DMA_TYPE_DEV_WC_SG_FALLBACK; + else + dmab->dev.type = SNDRV_DMA_TYPE_DEV_SG_FALLBACK; return snd_dma_sg_fallback_alloc(dmab, size); + } #endif if (!sgt) return NULL; @@ -716,38 +717,19 @@ static const struct snd_malloc_ops snd_dma_sg_wc_ops = { /* Fallback SG-buffer allocations for x86 */ struct snd_dma_sg_fallback { - bool use_dma_alloc_coherent; size_t count; struct page **pages; - /* DMA address array; the first page contains #pages in ~PAGE_MASK */ - dma_addr_t *addrs; }; static void __snd_dma_sg_fallback_free(struct snd_dma_buffer *dmab, struct snd_dma_sg_fallback *sgbuf) { - size_t i, size; - - if (sgbuf->pages && sgbuf->addrs) { - i = 0; - while (i < sgbuf->count) { - if (!sgbuf->pages[i] || !sgbuf->addrs[i]) - break; - size = sgbuf->addrs[i] & ~PAGE_MASK; - if (WARN_ON(!size)) - break; - if (sgbuf->use_dma_alloc_coherent) - dma_free_coherent(dmab->dev.dev, size << PAGE_SHIFT, - page_address(sgbuf->pages[i]), - sgbuf->addrs[i] & PAGE_MASK); - else - do_free_pages(page_address(sgbuf->pages[i]), - size << PAGE_SHIFT, false); - i += size; - } - } + bool wc = dmab->dev.type == SNDRV_DMA_TYPE_DEV_WC_SG_FALLBACK; + size_t i; + + for (i = 0; i < sgbuf->count && sgbuf->pages[i]; i++) + do_free_pages(page_address(sgbuf->pages[i]), PAGE_SIZE, wc); kvfree(sgbuf->pages); - kvfree(sgbuf->addrs); kfree(sgbuf); } @@ -756,36 +738,24 @@ static void *snd_dma_sg_fallback_alloc(struct snd_dma_buffer *dmab, size_t size) struct snd_dma_sg_fallback *sgbuf; struct page **pagep, *curp; size_t chunk, npages; - dma_addr_t *addrp; dma_addr_t addr; void *p; - - /* correct the type */ - if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_SG) - dmab->dev.type = SNDRV_DMA_TYPE_DEV_SG_FALLBACK; - else if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_WC_SG) - dmab->dev.type = SNDRV_DMA_TYPE_DEV_WC_SG_FALLBACK; + bool wc = dmab->dev.type == SNDRV_DMA_TYPE_DEV_WC_SG_FALLBACK; sgbuf = kzalloc(sizeof(*sgbuf), GFP_KERNEL); if (!sgbuf) return NULL; - sgbuf->use_dma_alloc_coherent = cpu_feature_enabled(X86_FEATURE_XENPV); size = PAGE_ALIGN(size); sgbuf->count = size >> PAGE_SHIFT; sgbuf->pages = kvcalloc(sgbuf->count, sizeof(*sgbuf->pages), GFP_KERNEL); - sgbuf->addrs = kvcalloc(sgbuf->count, sizeof(*sgbuf->addrs), GFP_KERNEL); - if (!sgbuf->pages || !sgbuf->addrs) + if (!sgbuf->pages) goto error; pagep = sgbuf->pages; - addrp = sgbuf->addrs; - chunk = (PAGE_SIZE - 1) << PAGE_SHIFT; /* to fit in low bits in addrs */ + chunk = size; while (size > 0) { chunk = min(size, chunk); - if (sgbuf->use_dma_alloc_coherent) - p = dma_alloc_coherent(dmab->dev.dev, chunk, &addr, DEFAULT_GFP); - else - p = do_alloc_pages(dmab->dev.dev, chunk, &addr, false); + p = do_alloc_pages(dmab->dev.dev, chunk, &addr, wc); if (!p) { if (chunk <= PAGE_SIZE) goto error; @@ -797,25 +767,17 @@ static void *snd_dma_sg_fallback_alloc(struct snd_dma_buffer *dmab, size_t size) size -= chunk; /* fill pages */ npages = chunk >> PAGE_SHIFT; - *addrp = npages; /* store in lower bits */ curp = virt_to_page(p); - while (npages--) { + while (npages--) *pagep++ = curp++; - *addrp++ |= addr; - addr += PAGE_SIZE; - } } p = vmap(sgbuf->pages, sgbuf->count, VM_MAP, PAGE_KERNEL); if (!p) goto error; - - if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_WC_SG_FALLBACK) - set_pages_array_wc(sgbuf->pages, sgbuf->count); - dmab->private_data = sgbuf; /* store the first page address for convenience */ - dmab->addr = sgbuf->addrs[0] & PAGE_MASK; + dmab->addr = snd_sgbuf_get_addr(dmab, 0); return p; error: @@ -825,23 +787,10 @@ static void *snd_dma_sg_fallback_alloc(struct snd_dma_buffer *dmab, size_t size) static void snd_dma_sg_fallback_free(struct snd_dma_buffer *dmab) { - struct snd_dma_sg_fallback *sgbuf = dmab->private_data; - - if (dmab->dev.type == SNDRV_DMA_TYPE_DEV_WC_SG_FALLBACK) - set_pages_array_wb(sgbuf->pages, sgbuf->count); vunmap(dmab->area); __snd_dma_sg_fallback_free(dmab, dmab->private_data); } -static dma_addr_t snd_dma_sg_fallback_get_addr(struct snd_dma_buffer *dmab, - size_t offset) -{ - struct snd_dma_sg_fallback *sgbuf = dmab->private_data; - size_t index = offset >> PAGE_SHIFT; - - return (sgbuf->addrs[index] & PAGE_MASK) | (offset & ~PAGE_MASK); -} - static int snd_dma_sg_fallback_mmap(struct snd_dma_buffer *dmab, struct vm_area_struct *area) { @@ -856,8 +805,8 @@ static const struct snd_malloc_ops snd_dma_sg_fallback_ops = { .alloc = snd_dma_sg_fallback_alloc, .free = snd_dma_sg_fallback_free, .mmap = snd_dma_sg_fallback_mmap, - .get_addr = snd_dma_sg_fallback_get_addr, /* reuse vmalloc helpers */ + .get_addr = snd_dma_vmalloc_get_addr, .get_page = snd_dma_vmalloc_get_page, .get_chunk_size = snd_dma_vmalloc_get_chunk_size, }; -- 2.39.2

9 months, 2 weeks

5
12
0 0

[Intel-wired-lan][PATCH iwl-net] idpf: use actual mbx receive payload length

by Joshua Hay

When a mailbox message is received, the driver is checking for a non 0 datalen in the controlq descriptor. If it is valid, the payload is attached to the ctlq message to give to the upper layer. However, the payload response size given to the upper layer was taken from the buffer metadata which is _always_ the max buffer size. This meant the API was returning 4K as the payload size for all messages. This went unnoticed since the virtchnl exchange response logic was checking for a response size less than 0 (error), not less than exact size, or not greater than or equal to the max mailbox buffer size (4K). All of these checks will pass in the success case since the size provided is always 4K. However, this breaks anyone that wants to validate the exact response size. Fetch the actual payload length from the value provided in the descriptor data_len field (instead of the buffer metadata). Unfortunately, this means we lose some extra error parsing for variable sized virtchnl responses such as create vport and get ptypes. However, the original checks weren't really helping anyways since the size was _always_ 4K. Fixes: 34c21fa894a1 ("idpf: implement virtchnl transaction manager") Cc: stable(a)vger.kernel.org # 6.9+ Signed-off-by: Joshua Hay <joshua.a.hay(a)intel.com> Reviewed-by: Przemek Kitszel <przemyslaw.kitszel(a)intel.com> --- drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c index 70986e12da28..3c0f97650d72 100644 --- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c +++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c @@ -666,7 +666,7 @@ idpf_vc_xn_forward_reply(struct idpf_adapter *adapter, if (ctlq_msg->data_len) { payload = ctlq_msg->ctx.indirect.payload->va; - payload_size = ctlq_msg->ctx.indirect.payload->size; + payload_size = ctlq_msg->data_len; } xn->reply_sz = payload_size; @@ -1295,10 +1295,6 @@ int idpf_send_create_vport_msg(struct idpf_adapter *adapter, err = reply_sz; goto free_vport_params; } - if (reply_sz < IDPF_CTLQ_MAX_BUF_LEN) { - err = -EIO; - goto free_vport_params; - } return 0; @@ -2602,9 +2598,6 @@ int idpf_send_get_rx_ptype_msg(struct idpf_vport *vport) if (reply_sz < 0) return reply_sz; - if (reply_sz < IDPF_CTLQ_MAX_BUF_LEN) - return -EIO; - ptypes_recvd += le16_to_cpu(ptype_info->num_ptypes); if (ptypes_recvd > max_ptype) return -EINVAL; -- 2.39.2

9 months, 2 weeks

2
1
0 0

+ kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kselftests: mm: fix wrong __NR_userfaultfd value has been added to the -mm mm-hotfixes-unstable branch. Its filename is kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Subject: kselftests: mm: fix wrong __NR_userfaultfd value Date: Mon, 23 Sep 2024 10:38:36 +0500 grep -rnIF "#define __NR_userfaultfd" tools/include/uapi/asm-generic/unistd.h:681:#define __NR_userfaultfd 282 arch/x86/include/generated/uapi/asm/unistd_32.h:374:#define __NR_userfaultfd 374 arch/x86/include/generated/uapi/asm/unistd_64.h:327:#define __NR_userfaultfd 323 arch/x86/include/generated/uapi/asm/unistd_x32.h:282:#define __NR_userfaultfd (__X32_SYSCALL_BIT + 323) arch/arm/include/generated/uapi/asm/unistd-eabi.h:347:#define __NR_userfaultfd (__NR_SYSCALL_BASE + 388) arch/arm/include/generated/uapi/asm/unistd-oabi.h:359:#define __NR_userfaultfd (__NR_SYSCALL_BASE + 388) include/uapi/asm-generic/unistd.h:681:#define __NR_userfaultfd 282 The number is dependent on the architecture. The above data shows that: x86 374 x86_64 323 The value of __NR_userfaultfd was changed to 282 when asm-generic/unistd.h was included. It makes the test to fail every time as the correct number of this syscall on x86_64 is 323. Fix the header to asm/unistd.h. Link: https://lkml.kernel.org/r/20240923053836.3270393-1-usama.anjum@collabora.com Fixes: a5c6bc590094 ("selftests/mm: remove local __NR_* definitions") Signed-off-by: Muhammad Usama Anjum <usama.anjum(a)collabora.com> Reviewed-by: Shuah Khan <skhan(a)linuxfoundation.org> Reviewed-by: David Hildenbrand <david(a)redhat.com> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- tools/testing/selftests/mm/pagemap_ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/testing/selftests/mm/pagemap_ioctl.c~kselftests-mm-fix-wrong-__nr_userfaultfd-value +++ a/tools/testing/selftests/mm/pagemap_ioctl.c @@ -15,7 +15,7 @@ #include <sys/ioctl.h> #include <sys/stat.h> #include <math.h> -#include <asm-generic/unistd.h> +#include <asm/unistd.h> #include <pthread.h> #include <sys/resource.h> #include <assert.h> _ Patches currently in -mm which might be from usama.anjum(a)collabora.com are kselftests-mm-fix-wrong-__nr_userfaultfd-value.patch

9 months, 2 weeks

1
0
0 0

+ compilerh-specify-correct-attribute-for-rodatac_jump_table.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: compiler.h: specify correct attribute for .rodata..c_jump_table has been added to the -mm mm-hotfixes-unstable branch. Its filename is compilerh-specify-correct-attribute-for-rodatac_jump_table.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Tiezhu Yang <yangtiezhu(a)loongson.cn> Subject: compiler.h: specify correct attribute for .rodata..c_jump_table Date: Tue, 24 Sep 2024 14:27:10 +0800 Currently, there is an assembler message when generating kernel/bpf/core.o under CONFIG_OBJTOOL with LoongArch compiler toolchain: Warning: setting incorrect section attributes for .rodata..c_jump_table This is because the section ".rodata..c_jump_table" should be readonly, but there is a "W" (writable) part of the flags: $ readelf -S kernel/bpf/core.o | grep -A 1 "rodata..c" [34] .rodata..c_j[...] PROGBITS 0000000000000000 0000d2e0 0000000000000800 0000000000000000 WA 0 0 8 There is no above issue on x86 due to the generated section flag is only "A" (allocatable). In order to silence the warning on LoongArch, specify the attribute like ".rodata..c_jump_table,\"a\",@progbits #" explicitly, then the section attribute of ".rodata..c_jump_table" must be readonly in the kernel/bpf/core.o file. Before: $ objdump -h kernel/bpf/core.o | grep -A 1 "rodata..c" 21 .rodata..c_jump_table 00000800 0000000000000000 0000000000000000 0000d2e0 2**3 CONTENTS, ALLOC, LOAD, RELOC, DATA After: $ objdump -h kernel/bpf/core.o | grep -A 1 "rodata..c" 21 .rodata..c_jump_table 00000800 0000000000000000 0000000000000000 0000d2e0 2**3 CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA By the way, AFAICT, maybe the root cause is related with the different compiler behavior of various archs, so to some extent this change is a workaround for LoongArch, and also there is no effect for x86 which is the only port supported by objtool before LoongArch with this patch. Link: https://lkml.kernel.org/r/20240924062710.1243-1-yangtiezhu@loongson.cn Signed-off-by: Tiezhu Yang <yangtiezhu(a)loongson.cn> Cc: Josh Poimboeuf <jpoimboe(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> [6.9+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/compiler.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/linux/compiler.h~compilerh-specify-correct-attribute-for-rodatac_jump_table +++ a/include/linux/compiler.h @@ -133,7 +133,7 @@ void ftrace_likely_update(struct ftrace_ #define annotate_unreachable() __annotate_unreachable(__COUNTER__) /* Annotate a C jump table to allow objtool to follow the code flow */ -#define __annotate_jump_table __section(".rodata..c_jump_table") +#define __annotate_jump_table __section(".rodata..c_jump_table,\"a\",@progbits #") #else /* !CONFIG_OBJTOOL */ #define annotate_reachable() _ Patches currently in -mm which might be from yangtiezhu(a)loongson.cn are compilerh-specify-correct-attribute-for-rodatac_jump_table.patch

9 months, 2 weeks

1
0
0 0

+ ocfs2-fix-deadlock-in-ocfs2_get_system_file_inode.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: fix deadlock in ocfs2_get_system_file_inode has been added to the -mm mm-hotfixes-unstable branch. Its filename is ocfs2-fix-deadlock-in-ocfs2_get_system_file_inode.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Mohammed Anees <pvmohammedanees2003(a)gmail.com> Subject: ocfs2: fix deadlock in ocfs2_get_system_file_inode Date: Tue, 24 Sep 2024 09:32:57 +0000 syzbot has found a possible deadlock in ocfs2_get_system_file_inode [1]. The scenario is depicted here, CPU0 CPU1 lock(&ocfs2_file_ip_alloc_sem_key); lock(&osb->system_file_mutex); lock(&ocfs2_file_ip_alloc_sem_key); lock(&osb->system_file_mutex); The function calls which could lead to this are: CPU0 ocfs2_mknod - lock(&ocfs2_file_ip_alloc_sem_key); . . . ocfs2_get_system_file_inode - lock(&osb->system_file_mutex); CPU1 - ocfs2_fill_super - lock(&osb->system_file_mutex); . . . ocfs2_read_virt_blocks - lock(&ocfs2_file_ip_alloc_sem_key); This issue can be resolved by making the down_read -> down_read_try in the ocfs2_read_virt_blocks. [1] https://syzkaller.appspot.com/bug?extid=e0055ea09f1f5e6fabdd Link: https://lkml.kernel.org/r/20240924093257.7181-1-pvmohammedanees2003@gmail.c… Signed-off-by: Mohammed Anees <pvmohammedanees2003(a)gmail.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: <syzbot+e0055ea09f1f5e6fabdd(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=e0055ea09f1f5e6fabdd Tested-by: syzbot+e0055ea09f1f5e6fabdd(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/extent_map.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/fs/ocfs2/extent_map.c~ocfs2-fix-deadlock-in-ocfs2_get_system_file_inode +++ a/fs/ocfs2/extent_map.c @@ -973,7 +973,13 @@ int ocfs2_read_virt_blocks(struct inode } while (done < nr) { - down_read(&OCFS2_I(inode)->ip_alloc_sem); + if (!down_read_trylock(&OCFS2_I(inode)->ip_alloc_sem)) { + rc = -EAGAIN; + mlog(ML_ERROR, + "Inode #%llu ip_alloc_sem is temporarily unavailable\n", + (unsigned long long)OCFS2_I(inode)->ip_blkno); + break; + } rc = ocfs2_extent_map_get_blocks(inode, v_block + done, &p_block, &p_count, NULL); up_read(&OCFS2_I(inode)->ip_alloc_sem); _ Patches currently in -mm which might be from pvmohammedanees2003(a)gmail.com are ocfs2-fix-deadlock-in-ocfs2_get_system_file_inode.patch ocfs2-fix-typo-in-comment.patch

9 months, 2 weeks

1
0
0 0

+ ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: ocfs2: reserve space for inline xattr before attaching reflink tree has been added to the -mm mm-hotfixes-unstable branch. Its filename is ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Subject: ocfs2: reserve space for inline xattr before attaching reflink tree Date: Wed, 18 Sep 2024 06:38:44 +0000 One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case upto 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@o… Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) --- a/fs/ocfs2/refcounttree.c~ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree +++ a/fs/ocfs2/refcounttree.c @@ -25,6 +25,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4148,8 +4149,9 @@ static int __ocfs2_reflink(struct dentry int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4175,6 +4177,26 @@ static int __ocfs2_reflink(struct dentry goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; + struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4182,7 +4204,7 @@ static int __ocfs2_reflink(struct dentry goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); --- a/fs/ocfs2/xattr.c~ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree +++ a/fs/ocfs2/xattr.c @@ -6511,16 +6511,7 @@ static int ocfs2_reflink_xattr_inline(st } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); _ Patches currently in -mm which might be from gautham.ananthakrishna(a)oracle.com are ocfs2-reserve-space-for-inline-xattr-before-attaching-reflink-tree.patch

9 months, 2 weeks

1
0
0 0

+ mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: migrate: annotate data-race in migrate_folio_unmap() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jeongjun Park <aha310510(a)gmail.com> Subject: mm: migrate: annotate data-race in migrate_folio_unmap() Date: Tue, 24 Sep 2024 22:00:53 +0900 I found a report from syzbot [1] This report shows that the value can be changed, but in reality, the value of __folio_set_movable() cannot be changed because it holds the folio refcount. Therefore, it is appropriate to add an annotate to make KCSAN ignore that data-race. [1] ================================================================== BUG: KCSAN: data-race in __filemap_remove_folio / migrate_pages_batch write to 0xffffea0004b81dd8 of 8 bytes by task 6348 on cpu 0: page_cache_delete mm/filemap.c:153 [inline] __filemap_remove_folio+0x1ac/0x2c0 mm/filemap.c:233 filemap_remove_folio+0x6b/0x1f0 mm/filemap.c:265 truncate_inode_folio+0x42/0x50 mm/truncate.c:178 shmem_undo_range+0x25b/0xa70 mm/shmem.c:1028 shmem_truncate_range mm/shmem.c:1144 [inline] shmem_evict_inode+0x14d/0x530 mm/shmem.c:1272 evict+0x2f0/0x580 fs/inode.c:731 iput_final fs/inode.c:1883 [inline] iput+0x42a/0x5b0 fs/inode.c:1909 dentry_unlink_inode+0x24f/0x260 fs/dcache.c:412 __dentry_kill+0x18b/0x4c0 fs/dcache.c:615 dput+0x5c/0xd0 fs/dcache.c:857 __fput+0x3fb/0x6d0 fs/file_table.c:439 ____fput+0x1c/0x30 fs/file_table.c:459 task_work_run+0x13a/0x1a0 kernel/task_work.c:228 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xbe/0x130 kernel/entry/common.c:218 do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffffea0004b81dd8 of 8 bytes by task 6342 on cpu 1: __folio_test_movable include/linux/page-flags.h:699 [inline] migrate_folio_unmap mm/migrate.c:1199 [inline] migrate_pages_batch+0x24c/0x1940 mm/migrate.c:1797 migrate_pages_sync mm/migrate.c:1963 [inline] migrate_pages+0xff1/0x1820 mm/migrate.c:2072 do_mbind mm/mempolicy.c:1390 [inline] kernel_mbind mm/mempolicy.c:1533 [inline] __do_sys_mbind mm/mempolicy.c:1607 [inline] __se_sys_mbind+0xf76/0x1160 mm/mempolicy.c:1603 __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1603 x64_sys_call+0x2b4d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:238 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0xffff888127601078 -> 0x0000000000000000 Link: https://lkml.kernel.org/r/20240924130053.107490-1-aha310510@gmail.com Fixes: 7e2a5e5ab217 ("mm: migrate: use __folio_test_movable()") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Cc: David Hildenbrand <david(a)redhat.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Zi Yan <ziy(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/migrate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/migrate.c~mm-migrate-annotate-data-race-in-migrate_folio_unmap +++ a/mm/migrate.c @@ -1196,7 +1196,7 @@ static int migrate_folio_unmap(new_folio int rc = -EAGAIN; int old_page_state = 0; struct anon_vma *anon_vma = NULL; - bool is_lru = !__folio_test_movable(src); + bool is_lru = data_race(!__folio_test_movable(src)); bool locked = false; bool dst_locked = false; _ Patches currently in -mm which might be from aha310510(a)gmail.com are mm-migrate-annotate-data-race-in-migrate_folio_unmap.patch mm-percpu-fix-typo-to-pcpu_alloc_noprof-description.patch

9 months, 2 weeks

1
0
0 0

[PATCH v5 4/5] tpm: Allocate chip->auth in tpm2_start_auth_session()

by Jarkko Sakkinen

Move allocation of chip->auth to tpm2_start_auth_session() so that the field can be used as flag to tell whether auth session is active or not. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v5: - No changes. v4: - Change to bug. v3: - No changes. v2: - A new patch. --- drivers/char/tpm/tpm2-sessions.c | 43 +++++++++++++++++++------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 1aef5b1f9c90..a8d3d5d52178 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -484,7 +484,8 @@ static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v, sha256_final(&sctx, out); } -static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) +static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip, + struct tpm2_auth *auth) { struct crypto_kpp *kpp; struct kpp_request *req; @@ -543,7 +544,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) sg_set_buf(&s[0], chip->null_ec_key_x, EC_PT_SZ); sg_set_buf(&s[1], chip->null_ec_key_y, EC_PT_SZ); kpp_request_set_input(req, s, EC_PT_SZ*2); - sg_init_one(d, chip->auth->salt, EC_PT_SZ); + sg_init_one(d, auth->salt, EC_PT_SZ); kpp_request_set_output(req, d, EC_PT_SZ); crypto_kpp_compute_shared_secret(req); kpp_request_free(req); @@ -554,8 +555,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) * This works because KDFe fully consumes the secret before it * writes the salt */ - tpm2_KDFe(chip->auth->salt, "SECRET", x, chip->null_ec_key_x, - chip->auth->salt); + tpm2_KDFe(auth->salt, "SECRET", x, chip->null_ec_key_x, auth->salt); out: crypto_free_kpp(kpp); @@ -854,6 +854,8 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, /* manually close the session if it wasn't consumed */ tpm2_flush_context(chip, auth->handle); memzero_explicit(auth, sizeof(*auth)); + kfree(auth); + chip->auth = NULL; } else { /* reset for next use */ auth->session = TPM_HEADER_SIZE; @@ -882,6 +884,8 @@ void tpm2_end_auth_session(struct tpm_chip *chip) tpm2_flush_context(chip, auth->handle); memzero_explicit(auth, sizeof(*auth)); + kfree(auth); + chip->auth = NULL; } EXPORT_SYMBOL(tpm2_end_auth_session); @@ -970,25 +974,29 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) */ int tpm2_start_auth_session(struct tpm_chip *chip) { + struct tpm2_auth *auth; struct tpm_buf buf; - struct tpm2_auth *auth = chip->auth; - int rc; u32 null_key; + int rc; - if (!auth) { - dev_warn_once(&chip->dev, "auth session is not active\n"); + if (chip->auth) { + dev_warn_once(&chip->dev, "auth session is active\n"); return 0; } + auth = kzalloc(sizeof(*auth), GFP_KERNEL); + if (!auth) + return -ENOMEM; + rc = tpm2_load_null(chip, &null_key); if (rc) - goto out; + goto err; auth->session = TPM_HEADER_SIZE; rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS); if (rc) - goto out; + goto err; /* salt key handle */ tpm_buf_append_u32(&buf, null_key); @@ -1000,7 +1008,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce)); /* append encrypted salt and squirrel away unencrypted in auth */ - tpm_buf_append_salt(&buf, chip); + tpm_buf_append_salt(&buf, chip, auth); /* session type (HMAC, audit or policy) */ tpm_buf_append_u8(&buf, TPM2_SE_HMAC); @@ -1021,10 +1029,13 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_destroy(&buf); - if (rc) - goto out; + if (rc == TPM2_RC_SUCCESS) { + chip->auth = auth; + return 0; + } - out: +err: + kfree(auth); return rc; } EXPORT_SYMBOL(tpm2_start_auth_session); @@ -1371,10 +1382,6 @@ int tpm2_sessions_init(struct tpm_chip *chip) if (rc) return rc; - chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); - if (!chip->auth) - return -ENOMEM; - return rc; } #endif /* CONFIG_TCG_TPM2_HMAC */ -- 2.46.1

9 months, 2 weeks

2
3
0 0

[PATCH] soc: qcom: pd_mapper: fix ADSP PD maps

by Dmitry Baryshkov

On X1E8 devices root ADSP domain should have tms/pdr_enabled registered. Change the PDM domain data that is used for X1E80100 ADSP. Fixes: bd6db1f1486e ("soc: qcom: pd_mapper: Add X1E80100") Cc: stable(a)vger.kernel.org Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> --- drivers/soc/qcom/qcom_pd_mapper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soc/qcom/qcom_pd_mapper.c b/drivers/soc/qcom/qcom_pd_mapper.c index c940f4da28ed..9d33a8c71778 100644 --- a/drivers/soc/qcom/qcom_pd_mapper.c +++ b/drivers/soc/qcom/qcom_pd_mapper.c @@ -519,7 +519,7 @@ static const struct qcom_pdm_domain_data *sm8550_domains[] = { static const struct qcom_pdm_domain_data *x1e80100_domains[] = { &adsp_audio_pd, - &adsp_root_pd, + &adsp_root_pd_pdr, &adsp_charger_pd, &adsp_sensor_pd, &cdsp_root_pd, --- base-commit: 32ffa5373540a8d1c06619f52d019c6cdc948bb4 change-id: 20240918-x1e-fix-pdm-pdr-b7c4d978aaf3 Best regards, -- Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org>

9 months, 2 weeks

4
6
0 0

[alternative-merged] padata-honor-the-callers-alignment-in-case-of-chunk_size-0.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: padata: honor the caller's alignment in case of chunk_size 0 has been removed from the -mm tree. Its filename was padata-honor-the-callers-alignment-in-case-of-chunk_size-0.patch This patch was dropped because an alternative patch was or shall be merged ------------------------------------------------------ From: Kamlesh Gurudasani <kamlesh(a)ti.com> Subject: padata: honor the caller's alignment in case of chunk_size 0 Date: Thu, 22 Aug 2024 02:32:52 +0530 In the case where we are forcing the ps.chunk_size to be at least 1, we are ignoring the caller's alignment. Move the forcing of ps.chunk_size to be at least 1 before rounding it up to caller's alignment, so that caller's alignment is honored. While at it, use max() to force the ps.chunk_size to be at least 1 to improve readability. Link: https://lkml.kernel.org/r/20240822-max-v1-1-cb4bc5b1c101@ti.com Fixes: 6d45e1c948a8 ("padata: Fix possible divide-by-0 panic in padata_mt_helper()") Signed-off-by: Kamlesh Gurudasani <kamlesh(a)ti.com> Acked-by: Waiman Long <longman(a)redhat.com> Cc: Daniel Jordan <daniel.m.jordan(a)oracle.com> Cc: Herbert Xu <herbert(a)gondor.apana.org.au> Cc: Steffen Klassert <steffen.klassert(a)secunet.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/padata.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) --- a/kernel/padata.c~padata-honor-the-callers-alignment-in-case-of-chunk_size-0 +++ a/kernel/padata.c @@ -509,21 +509,17 @@ void __init padata_do_multithreaded(stru /* * Chunk size is the amount of work a helper does per call to the - * thread function. Load balance large jobs between threads by + * thread function. Load balance large jobs between threads by * increasing the number of chunks, guarantee at least the minimum * chunk size from the caller, and honor the caller's alignment. + * Ensure chunk_size is at least 1 to prevent divide-by-0 + * panic in padata_mt_helper(). */ ps.chunk_size = job->size / (ps.nworks * load_balance_factor); ps.chunk_size = max(ps.chunk_size, job->min_chunk); + ps.chunk_size = max(ps.chunk_size, 1ul); ps.chunk_size = roundup(ps.chunk_size, job->align); - /* - * chunk_size can be 0 if the caller sets min_chunk to 0. So force it - * to at least 1 to prevent divide-by-0 panic in padata_mt_helper().` - */ - if (!ps.chunk_size) - ps.chunk_size = 1U; - list_for_each_entry(pw, &works, pw_list) if (job->numa_aware) { int old_node = atomic_read(&last_used_nid); _ Patches currently in -mm which might be from kamlesh(a)ti.com are

9 months, 2 weeks

1
0
0 0

[PATCH v6 3/3] x86/sgx: Resolve EREMOVE page vs EAUG page data race

by Dmitrii Kuvaiskii

Two enclave threads may try to add and remove the same enclave page simultaneously (e.g., if the SGX runtime supports both lazy allocation and MADV_DONTNEED semantics). Consider some enclave page added to the enclave. User space decides to temporarily remove this page (e.g., emulating the MADV_DONTNEED semantics) on CPU1. At the same time, user space performs a memory access on the same page on CPU2, which results in a #PF and ultimately in sgx_vma_fault(). Scenario proceeds as follows: /* * CPU1: User space performs * ioctl(SGX_IOC_ENCLAVE_REMOVE_PAGES) * on enclave page X */ sgx_encl_remove_pages() { mutex_lock(&encl->lock); entry = sgx_encl_load_page(encl); /* * verify that page is * trimmed and accepted */ mutex_unlock(&encl->lock); /* * remove PTE entry; cannot * be performed under lock */ sgx_zap_enclave_ptes(encl); /* * Fault on CPU2 on same page X */ sgx_vma_fault() { /* * PTE entry was removed, but the * page is still in enclave's xarray */ xa_load(&encl->page_array) != NULL -> /* * SGX driver thinks that this page * was swapped out and loads it */ mutex_lock(&encl->lock); /* * this is effectively a no-op */ entry = sgx_encl_load_page_in_vma(); /* * add PTE entry * * *BUG*: a PTE is installed for a * page in process of being removed */ vmf_insert_pfn(...); mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; } /* * continue with page removal */ mutex_lock(&encl->lock); sgx_encl_free_epc_page(epc_page) { /* * remove page via EREMOVE */ /* * free EPC page */ sgx_free_epc_page(epc_page); } xa_erase(&encl->page_array); mutex_unlock(&encl->lock); } Here, CPU1 removed the page. However CPU2 installed the PTE entry on the same page. This enclave page becomes perpetually inaccessible (until another SGX_IOC_ENCLAVE_REMOVE_PAGES ioctl). This is because the page is marked accessible in the PTE entry but is not EAUGed, and any subsequent access to this page raises a fault: with the kernel believing there to be a valid VMA, the unlikely error code X86_PF_SGX encountered by code path do_user_addr_fault() -> access_error() causes the SGX driver's sgx_vma_fault() to be skipped and user space receives a SIGSEGV instead. The userspace SIGSEGV handler cannot perform EACCEPT because the page was not EAUGed. Thus, the user space is stuck with the inaccessible page. Fix this race by forcing the fault handler on CPU2 to back off if the page is currently being removed (on CPU1). This is achieved by setting SGX_ENCL_PAGE_BUSY flag right-before the first mutex_unlock() in sgx_encl_remove_pages(). Upon loading the page, CPU2 checks whether this page is busy, and if yes then CPU2 backs off and waits until the page is completely removed. After that, any memory access to this page results in a normal "allocate and EAUG a page on #PF" flow. Additionally fix a similar race: user space converts a normal enclave page to a TCS page (via SGX_IOC_ENCLAVE_MODIFY_TYPES) on CPU1, and at the same time, user space performs a memory access on the same page on CPU2. This fix is not strictly necessary (this particular race would indicate a bug in a user space application), but it gives a consistent rule: if an enclave page is under certain operation by the kernel with the mapping removed, then other threads trying to access that page are temporarily blocked and should retry. Fixes: 9849bb27152c1 ("x86/sgx: Support complete page removal") Fixes: 45d546b8c109d ("x86/sgx: Support modifying SGX page type") Cc: stable(a)vger.kernel.org Reviewed-by: Kai Huang <kai.huang(a)intel.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com> --- arch/x86/kernel/cpu/sgx/encl.h | 3 ++- arch/x86/kernel/cpu/sgx/ioctl.c | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h index b566b8ad5f33..96b11e8fb770 100644 --- a/arch/x86/kernel/cpu/sgx/encl.h +++ b/arch/x86/kernel/cpu/sgx/encl.h @@ -22,7 +22,8 @@ /* 'desc' bits holding the offset in the VA (version array) page. */ #define SGX_ENCL_PAGE_VA_OFFSET_MASK GENMASK_ULL(11, 3) -/* 'desc' bit indicating that the page is busy (being reclaimed). */ +/* 'desc' bit indicating that the page is busy (being reclaimed, removed or + * converted to a TCS page). */ #define SGX_ENCL_PAGE_BUSY BIT(2) /* diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c index b65ab214bdf5..c6f936440438 100644 --- a/arch/x86/kernel/cpu/sgx/ioctl.c +++ b/arch/x86/kernel/cpu/sgx/ioctl.c @@ -969,12 +969,22 @@ static long sgx_enclave_modify_types(struct sgx_encl *encl, /* * Do not keep encl->lock because of dependency on * mmap_lock acquired in sgx_zap_enclave_ptes(). + * + * Releasing encl->lock leads to a data race: while CPU1 + * performs sgx_zap_enclave_ptes() and removes the PTE + * entry for the enclave page, CPU2 may attempt to load + * this page (because the page is still in enclave's + * xarray). To prevent CPU2 from loading the page, mark + * the page as busy before unlock and unmark after lock + * again. */ + entry->desc |= SGX_ENCL_PAGE_BUSY; mutex_unlock(&encl->lock); sgx_zap_enclave_ptes(encl, addr); mutex_lock(&encl->lock); + entry->desc &= ~SGX_ENCL_PAGE_BUSY; sgx_mark_page_reclaimable(entry->epc_page); } @@ -1141,7 +1151,14 @@ static long sgx_encl_remove_pages(struct sgx_encl *encl, /* * Do not keep encl->lock because of dependency on * mmap_lock acquired in sgx_zap_enclave_ptes(). + * + * Releasing encl->lock leads to a data race: while CPU1 + * performs sgx_zap_enclave_ptes() and removes the PTE entry + * for the enclave page, CPU2 may attempt to load this page + * (because the page is still in enclave's xarray). To prevent + * CPU2 from loading the page, mark the page as busy. */ + entry->desc |= SGX_ENCL_PAGE_BUSY; mutex_unlock(&encl->lock); sgx_zap_enclave_ptes(encl, addr); -- 2.43.0

9 months, 2 weeks

2
1
0 0

[PATCH 2/8] drm/sched: Always wake up correct scheduler in drm_sched_entity_push_job

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Since drm_sched_entity_modify_sched() can modify the entities run queue, lets make sure to only dereference the pointer once so both adding and waking up are guaranteed to be consistent. Alternative of moving the spin_unlock to after the wake up would for now be more problematic since the same lock is taken inside drm_sched_rq_update_fifo(). v2: * Improve commit message. (Philipp) * Cache the scheduler pointer directly. (Christian) Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: b37aced31eb0 ("drm/scheduler: implement a function to modify sched list") Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Luben Tuikov <ltuikov89(a)gmail.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: David Airlie <airlied(a)gmail.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: Philipp Stanner <pstanner(a)redhat.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.7+ Reviewed-by: Christian König <christian.koenig(a)amd.com> --- drivers/gpu/drm/scheduler/sched_entity.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index 0e002c17fcb6..a75eede8bf8d 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -599,6 +599,9 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) /* first job wakes up scheduler */ if (first) { + struct drm_gpu_scheduler *sched; + struct drm_sched_rq *rq; + /* Add the entity to the run queue */ spin_lock(&entity->rq_lock); if (entity->stopped) { @@ -608,13 +611,16 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) return; } - drm_sched_rq_add_entity(entity->rq, entity); + rq = entity->rq; + sched = rq->sched; + + drm_sched_rq_add_entity(rq, entity); spin_unlock(&entity->rq_lock); if (drm_sched_policy == DRM_SCHED_POLICY_FIFO) drm_sched_rq_update_fifo(entity, submit_ts); - drm_sched_wakeup(entity->rq->sched); + drm_sched_wakeup(sched); } } EXPORT_SYMBOL(drm_sched_entity_push_job); -- 2.46.0

9 months, 2 weeks

3
4
0 0

[PATCH] firmware/sysfb: Disable sysfb for firmware buffers with unknown parent

by Thomas Zimmermann

The sysfb framebuffer handling only operates on graphics devices that provide the system's firmware framebuffer. If that device is not known, assume that any graphics device has been initialized by firmware. Fixes a problem on i915 where sysfb does not release the firmware framebuffer after the native graphics driver loaded. Reported-by: Borah, Chaitanya Kumar <chaitanya.kumar.borah(a)intel.com> Closes: https://lore.kernel.org/dri-devel/SJ1PR11MB6129EFB8CE63D1EF6D932F94B96F2@SJ… Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12160 Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: b49420d6a1ae ("video/aperture: optionally match the device in sysfb_disable()") Cc: Javier Martinez Canillas <javierm(a)redhat.com> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: Helge Deller <deller(a)gmx.de> Cc: Sam Ravnborg <sam(a)ravnborg.org> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: dri-devel(a)lists.freedesktop.org Cc: Linux regression tracking (Thorsten Leemhuis) <regressions(a)leemhuis.info> Cc: <stable(a)vger.kernel.org> # v6.11+ --- drivers/firmware/sysfb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c index 02a07d3d0d40..a3df782fa687 100644 --- a/drivers/firmware/sysfb.c +++ b/drivers/firmware/sysfb.c @@ -67,9 +67,11 @@ static bool sysfb_unregister(void) void sysfb_disable(struct device *dev) { struct screen_info *si = &screen_info; + struct device *parent; mutex_lock(&disable_lock); - if (!dev || dev == sysfb_parent_dev(si)) { + parent = sysfb_parent_dev(si); + if (!dev || !parent || dev == parent) { sysfb_unregister(); disabled = true; } -- 2.46.0

9 months, 2 weeks

3
2
0 0

[PATCH] drm: Add check for encoder in intel_get_crtc_new_encoder()

by George Rurikov

If the video card driver could not find the connector assigned to the current video controller, or if the hardware status has changed so that a pre-existing connector is no longer active, none of the state connectors will meet the assignment criteria for the current crtc video controller. In the drm_WARN function, encoder->base.dev is called, so '&encoder->base.dev' will be dereferenced since encoder will still be initialized NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e12d6218fda2 ("drm/i915: Reduce bigjoiner special casing") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/gpu/drm/i915/display/intel_display.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c index b4ef4d59da1a..1f25b12e5f67 100644 --- a/drivers/gpu/drm/i915/display/intel_display.c +++ b/drivers/gpu/drm/i915/display/intel_display.c @@ -819,9 +819,11 @@ intel_get_crtc_new_encoder(const struct intel_atomic_state *state, num_encoders++; } - drm_WARN(state->base.dev, num_encoders != 1, + if (encoder) { + drm_WARN(state->base.dev, num_encoders != 1, "%d encoders for pipe %c\n", num_encoders, pipe_name(primary_crtc->pipe)); + } return encoder; } -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

9 months, 2 weeks

2
2
0 0

[PATCH 6.1 0/1] f2fs: convert to MAX_SBI_FLAG instead of 32 in stat_show()

by Nikita Zhandarovich

This patch addresses an open issue of buffer overflow in f2fs function stat_show(). On the off chance that si->sbi->s_flag had one of its bits (on the higher end) set to 1, for_each_set_bit() will loop more than s_flag[] can afford, leading in turn to erroneous array access. The issue in question has been fixed in commit 5bb9c111cd98 ("f2fs: convert to MAX_SBI_FLAG instead of 32 in stat_show()") and cherry-picked for 6.1 stable branch. Modified patch can now be cleanly applied to linux-6.1.y. All of the changes made to the patch in order to adapt it are described at the end of commit message in [PATCH 6.1 1/1] f2fs: convert to MAX_SBI_FLAG instead of 32 in stat_show().

9 months, 2 weeks

1
1
0 0

[PATCH] drm/vc4: Fix atomicity violation in vc4_crtc_send_vblank()

by Qiu-ji Chen

Atomicity violation occurs when the vc4_crtc_send_vblank function is executed simultaneously with modifications to crtc->state or crtc->state->event. Consider a scenario where both crtc->state and crtc->state->event are non-null. They can pass the validity check, but at the same time, crtc->state or crtc->state->event could be set to null. In this case, the validity check in vc4_crtc_send_vblank might act on the old crtc->state and crtc->state->event (before locking), allowing invalid values to pass the validity check, leading to null pointer dereference. To address this issue, it is recommended to include the validity check of crtc->state and crtc->state->event within the locking section of the function. This modification ensures that the values of crtc->state->event and crtc->state do not change during the validation process, maintaining their valid conditions. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 68e4a69aec4d ("drm/vc4: crtc: Create vblank reporting function") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/gpu/drm/vc4/vc4_crtc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c index 8b5a7e5eb146..98885f519827 100644 --- a/drivers/gpu/drm/vc4/vc4_crtc.c +++ b/drivers/gpu/drm/vc4/vc4_crtc.c @@ -575,10 +575,12 @@ void vc4_crtc_send_vblank(struct drm_crtc *crtc) struct drm_device *dev = crtc->dev; unsigned long flags; - if (!crtc->state || !crtc->state->event) + spin_lock_irqsave(&dev->event_lock, flags); + if (!crtc->state || !crtc->state->event) { + spin_unlock_irqrestore(&dev->event_lock, flags); return; + } - spin_lock_irqsave(&dev->event_lock, flags); drm_crtc_send_vblank_event(crtc, crtc->state->event); crtc->state->event = NULL; spin_unlock_irqrestore(&dev->event_lock, flags); -- 2.34.1

9 months, 2 weeks

2
2
0 0

[PATCH] nvme: rdma: Add check for queue in nvmet_rdma_cm_handler()

by George Rurikov

After having been assigned to a NULL value at rdma.c:1758, pointer 'queue' is passed as 1st parameter in call to function 'nvmet_rdma_queue_established' at rdma.c:1773, as 1st parameter in call to function 'nvmet_rdma_queue_disconnect' at rdma.c:1787 and as 2nd parameter in call to function 'nvmet_rdma_queue_connect_fail' at rdma.c:1800, where it is dereferenced. I understand, that driver is confident that the RDMA_CM_EVENT_CONNECT_REQUEST event will occur first and perform initialization, but maliciously prepared hardware could send events in violation of the protocol. Nothing guarantees that the sequence of events will start with RDMA_CM_EVENT_CONNECT_REQUEST. Found by Linux Verification Center (linuxtesting.org) with SVACE Fixes: e1a2ee249b19 ("nvmet-rdma: Fix use after free in nvmet_rdma_cm_handler()") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/nvme/target/rdma.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c index 1b6264fa5803..becebc95f349 100644 --- a/drivers/nvme/target/rdma.c +++ b/drivers/nvme/target/rdma.c @@ -1770,8 +1770,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, ret = nvmet_rdma_queue_connect(cm_id, event); break; case RDMA_CM_EVENT_ESTABLISHED: - nvmet_rdma_queue_established(queue); - break; + if (!queue) { + nvmet_rdma_queue_established(queue); + break; + } case RDMA_CM_EVENT_ADDR_CHANGE: if (!queue) { struct nvmet_rdma_port *port = cm_id->context; @@ -1782,8 +1784,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, fallthrough; case RDMA_CM_EVENT_DISCONNECTED: case RDMA_CM_EVENT_TIMEWAIT_EXIT: - nvmet_rdma_queue_disconnect(queue); - break; + if (!queue) { + nvmet_rdma_queue_disconnect(queue); + break; + } case RDMA_CM_EVENT_DEVICE_REMOVAL: ret = nvmet_rdma_device_removal(cm_id, queue); break; @@ -1793,8 +1797,10 @@ static int nvmet_rdma_cm_handler(struct rdma_cm_id *cm_id, fallthrough; case RDMA_CM_EVENT_UNREACHABLE: case RDMA_CM_EVENT_CONNECT_ERROR: - nvmet_rdma_queue_connect_fail(cm_id, queue); - break; + if (!queue) { + nvmet_rdma_queue_connect_fail(cm_id, queue); + break; + } default: pr_err("received unrecognized RDMA CM event %d\n", event->event); -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

9 months, 2 weeks

1
0
0 0

[PATCH 2/2] clk: samsung: Fixes PLL locktime for PLL142XX used on FSD platfom

by Varada Pavani

Add PLL locktime for PLL142XX controller. Fixes: 4f346005aaed ("clk: samsung: fsd: Add initial clock support") Cc: stable(a)vger.kernel.org Signed-off-by: Varada Pavani <v.pavani(a)samsung.com> --- drivers/clk/samsung/clk-pll.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/clk/samsung/clk-pll.c b/drivers/clk/samsung/clk-pll.c index 4be879ab917e..d4c5ae20de4f 100644 --- a/drivers/clk/samsung/clk-pll.c +++ b/drivers/clk/samsung/clk-pll.c @@ -206,6 +206,7 @@ static const struct clk_ops samsung_pll3000_clk_ops = { */ /* Maximum lock time can be 270 * PDIV cycles */ #define PLL35XX_LOCK_FACTOR (270) +#define PLL142XX_LOCK_FACTOR (150) #define PLL35XX_MDIV_MASK (0x3FF) #define PLL35XX_PDIV_MASK (0x3F) @@ -272,7 +273,11 @@ static int samsung_pll35xx_set_rate(struct clk_hw *hw, unsigned long drate, } /* Set PLL lock time. */ - writel_relaxed(rate->pdiv * PLL35XX_LOCK_FACTOR, + if (pll->type == pll_142xx) + writel_relaxed(rate->pdiv * PLL142XX_LOCK_FACTOR, + pll->lock_reg); + else + writel_relaxed(rate->pdiv * PLL35XX_LOCK_FACTOR, pll->lock_reg); /* Change PLL PMS values */ -- 2.17.1

9 months, 2 weeks

1
0
0 0

[PATCH] drm: Add check for encoder in intel_get_crtc_new_encoder()

by George Rurikov

If the video card driver could not find the connector assigned to the current video controller, or if the hardware status has changed so that a pre-existing connector is no longer active, none of the state connectors will meet the assignment criteria for the current crtc video controller. In the drm_WARN function, encoder->base.dev is called, so '&encoder->base.dev' will be dereferenced since encoder will still be initialized NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e12d6218fda2 ("drm/i915: Reduce bigjoiner special casing") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/gpu/drm/i915/display/intel_display.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c index b4ef4d59da1a..1f25b12e5f67 100644 --- a/drivers/gpu/drm/i915/display/intel_display.c +++ b/drivers/gpu/drm/i915/display/intel_display.c @@ -819,9 +819,11 @@ intel_get_crtc_new_encoder(const struct intel_atomic_state *state, num_encoders++; } - drm_WARN(state->base.dev, num_encoders != 1, + if (encoder) { + drm_WARN(state->base.dev, num_encoders != 1, "%d encoders for pipe %c\n", num_encoders, pipe_name(primary_crtc->pipe)); + } return encoder; } -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

9 months, 2 weeks

1
0
0 0

[PATCH] drm: Add check for encoder in intel_get_crtc_new_encoder()

by George Rurikov

If the video card driver could not find the connector assigned to the current video controller, or if the hardware status has changed so that a pre-existing connector is no longer active, none of the state connectors will meet the assignment criteria for the current crtc video controller. In the drm_WARN function, encoder->base.dev is called, so '&encoder->base.dev' will be dereferenced since encoder will still be initialized NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e12d6218fda2 ("drm/i915: Reduce bigjoiner special casing") Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/gpu/drm/i915/display/intel_display.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c index b4ef4d59da1a..a5e24d64f909 100644 --- a/drivers/gpu/drm/i915/display/intel_display.c +++ b/drivers/gpu/drm/i915/display/intel_display.c @@ -819,9 +819,10 @@ intel_get_crtc_new_encoder(const struct intel_atomic_state *state, num_encoders++; } - drm_WARN(state->base.dev, num_encoders != 1, - "%d encoders for pipe %c\n", - num_encoders, pipe_name(primary_crtc->pipe)); + if (encoder) + drm_WARN(state->base.dev, num_encoders != 1, + "%d encoders for pipe %c\n", + num_encoders, pipe_name(primary_crtc->pipe)); return encoder; } -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

9 months, 2 weeks

1
0
0 0

[PATCH 3/8] drm/sched: Always increment correct scheduler score

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Entities run queue can change during drm_sched_entity_push_job() so make sure to update the score consistently. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: d41a39dda140 ("drm/scheduler: improve job distribution with multiple queues") Cc: Nirmoy Das <nirmoy.das(a)amd.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Luben Tuikov <ltuikov89(a)gmail.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: David Airlie <airlied(a)gmail.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.9+ Reviewed-by: Christian König <christian.koenig(a)amd.com> Reviewed-by: Nirmoy Das <nirmoy.das(a)intel.com> --- drivers/gpu/drm/scheduler/sched_entity.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index a75eede8bf8d..b2cf3e0c1838 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -586,7 +586,6 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) ktime_t submit_ts; trace_drm_sched_job(sched_job, entity); - atomic_inc(entity->rq->sched->score); WRITE_ONCE(entity->last_user, current->group_leader); /* @@ -614,6 +613,7 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) rq = entity->rq; sched = rq->sched; + atomic_inc(sched->score); drm_sched_rq_add_entity(rq, entity); spin_unlock(&entity->rq_lock); -- 2.46.0

9 months, 2 weeks

1
0
0 0

[PATCH 1/8] drm/sched: Add locking to drm_sched_entity_modify_sched

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Without the locking amdgpu currently can race between amdgpu_ctx_set_entity_priority() (via drm_sched_entity_modify_sched()) and drm_sched_job_arm(), leading to the latter accesing potentially inconsitent entity->sched_list and entity->num_sched_list pair. v2: * Improve commit message. (Philipp) Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: b37aced31eb0 ("drm/scheduler: implement a function to modify sched list") Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Luben Tuikov <ltuikov89(a)gmail.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: David Airlie <airlied(a)gmail.com> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: Philipp Stanner <pstanner(a)redhat.com> Cc: <stable(a)vger.kernel.org> # v5.7+ Reviewed-by: Christian König <christian.koenig(a)amd.com> --- drivers/gpu/drm/scheduler/sched_entity.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index 567e5ace6d0c..0e002c17fcb6 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -133,8 +133,10 @@ void drm_sched_entity_modify_sched(struct drm_sched_entity *entity, { WARN_ON(!num_sched_list || !sched_list); + spin_lock(&entity->rq_lock); entity->sched_list = sched_list; entity->num_sched_list = num_sched_list; + spin_unlock(&entity->rq_lock); } EXPORT_SYMBOL(drm_sched_entity_modify_sched); -- 2.46.0

9 months, 2 weeks

1
0
0 0

[PATCH v3] mac802154: Fix potential RCU dereference issue in mac802154_scan_worker

by Jiawei Ye

In the `mac802154_scan_worker` function, the `scan_req->type` field was accessed after the RCU read-side critical section was unlocked. According to RCU usage rules, this is illegal and can lead to unpredictable behavior, such as accessing memory that has been updated or causing use-after-free issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the `scan_req->type` value is now stored in a local variable `scan_req_type` while still within the RCU read-side critical section. The `scan_req_type` is then used after the RCU lock is released, ensuring that the type value is safely accessed without violating RCU rules. Fixes: e2c3e6f53a7a ("mac802154: Handle active scanning") Cc: stable(a)vger.kernel.org Signed-off-by: Jiawei Ye <jiawei.ye(a)foxmail.com> Acked-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- Changelog: v1 -> v2: - Repositioned the enum nl802154_scan_types scan_req_type declaration between struct cfg802154_scan_request *scan_req and struct ieee802154_sub_if_data *sdata to comply with the reverse Christmas tree rule. v2 -> v3: - Add Cc stable tag and Acked-by. --- net/mac802154/scan.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/mac802154/scan.c b/net/mac802154/scan.c index 1c0eeaa76560..a6dab3cc3ad8 100644 --- a/net/mac802154/scan.c +++ b/net/mac802154/scan.c @@ -176,6 +176,7 @@ void mac802154_scan_worker(struct work_struct *work) struct ieee802154_local *local = container_of(work, struct ieee802154_local, scan_work.work); struct cfg802154_scan_request *scan_req; + enum nl802154_scan_types scan_req_type; struct ieee802154_sub_if_data *sdata; unsigned int scan_duration = 0; struct wpan_phy *wpan_phy; @@ -209,6 +210,7 @@ void mac802154_scan_worker(struct work_struct *work) } wpan_phy = scan_req->wpan_phy; + scan_req_type = scan_req->type; scan_req_duration = scan_req->duration; /* Look for the next valid chan */ @@ -246,7 +248,7 @@ void mac802154_scan_worker(struct work_struct *work) goto end_scan; } - if (scan_req->type == NL802154_SCAN_ACTIVE) { + if (scan_req_type == NL802154_SCAN_ACTIVE) { ret = mac802154_transmit_beacon_req(local, sdata); if (ret) dev_err(&sdata->dev->dev, -- 2.34.1

9 months, 2 weeks

3
2
0 0

[PATCH v6 2/3] x86/sgx: Resolve EAUG race where losing thread returns SIGBUS

by Dmitrii Kuvaiskii

Imagine an mmap()'d file. Two threads touch the same address at the same time and fault. Both allocate a physical page and race to install a PTE for that page. Only one will win the race. The loser frees its page, but still continues handling the fault as a success and returns VM_FAULT_NOPAGE from the fault handler. The same race can happen with SGX. But there's a bug: the loser in the SGX steers into a failure path. The loser EREMOVE's the winner's EPC page, then returns SIGBUS, likely killing the app. Fix the SGX loser's behavior. Check whether another thread already allocated the page and if yes, return with VM_FAULT_NOPAGE. The race can be illustrated as follows: /* /* * Fault on CPU1 * Fault on CPU2 * on enclave page X * on enclave page X */ */ sgx_vma_fault() { sgx_vma_fault() { xa_load(&encl->page_array) xa_load(&encl->page_array) == NULL --> == NULL --> sgx_encl_eaug_page() { sgx_encl_eaug_page() { ... ... /* /* * alloc encl_page * alloc encl_page */ */ mutex_lock(&encl->lock); /* * alloc EPC page */ epc_page = sgx_alloc_epc_page(...); /* * add page to enclave's xarray */ xa_insert(&encl->page_array, ...); /* * add page to enclave via EAUG * (page is in pending state) */ /* * add PTE entry */ vmf_insert_pfn(...); mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; } } /* * All good up to here: enclave page * successfully added to enclave, * ready for EACCEPT from user space */ mutex_lock(&encl->lock); /* * alloc EPC page */ epc_page = sgx_alloc_epc_page(...); /* * add page to enclave's xarray, * this fails with -EBUSY as this * page was already added by CPU2 */ xa_insert(&encl->page_array, ...); err_out_shrink: sgx_encl_free_epc_page(epc_page) { /* * remove page via EREMOVE * * *BUG*: page added by CPU2 is * yanked from enclave while it * remains accessible from OS * perspective (PTE installed) */ /* * free EPC page */ sgx_free_epc_page(epc_page); } mutex_unlock(&encl->lock); /* * *BUG*: SIGBUS is returned * for a valid enclave page */ return VM_FAULT_SIGBUS; } } Fixes: 5a90d2c3f5ef ("x86/sgx: Support adding of pages to an initialized enclave") Cc: stable(a)vger.kernel.org Reported-by: Marcelina Kościelnicka <mwk(a)invisiblethingslab.com> Suggested-by: Kai Huang <kai.huang(a)intel.com> Reviewed-by: Kai Huang <kai.huang(a)intel.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com> --- arch/x86/kernel/cpu/sgx/encl.c | 36 ++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index c0a3c00284c8..2aa7ced0e4a0 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c @@ -337,6 +337,16 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, if (!test_bit(SGX_ENCL_INITIALIZED, &encl->flags)) return VM_FAULT_SIGBUS; + mutex_lock(&encl->lock); + + /* + * Multiple threads may try to fault on the same page concurrently. + * Re-check if another thread has already done that. + */ + encl_page = xa_load(&encl->page_array, PFN_DOWN(addr)); + if (encl_page) + goto done; + /* * Ignore internal permission checking for dynamically added pages. * They matter only for data added during the pre-initialization @@ -345,23 +355,23 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, */ secinfo_flags = SGX_SECINFO_R | SGX_SECINFO_W | SGX_SECINFO_X; encl_page = sgx_encl_page_alloc(encl, addr - encl->base, secinfo_flags); - if (IS_ERR(encl_page)) - return VM_FAULT_OOM; - - mutex_lock(&encl->lock); + if (IS_ERR(encl_page)) { + vmret = VM_FAULT_OOM; + goto err_out_unlock; + } epc_page = sgx_encl_load_secs(encl); if (IS_ERR(epc_page)) { if (PTR_ERR(epc_page) == -EBUSY) vmret = VM_FAULT_NOPAGE; - goto err_out_unlock; + goto err_out_encl; } epc_page = sgx_alloc_epc_page(encl_page, false); if (IS_ERR(epc_page)) { if (PTR_ERR(epc_page) == -EBUSY) vmret = VM_FAULT_NOPAGE; - goto err_out_unlock; + goto err_out_encl; } va_page = sgx_encl_grow(encl, false); @@ -376,10 +386,6 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, ret = xa_insert(&encl->page_array, PFN_DOWN(encl_page->desc), encl_page, GFP_KERNEL); - /* - * If ret == -EBUSY then page was created in another flow while - * running without encl->lock - */ if (ret) goto err_out_shrink; @@ -389,7 +395,7 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, ret = __eaug(&pginfo, sgx_get_epc_virt_addr(epc_page)); if (ret) - goto err_out; + goto err_out_eaug; encl_page->encl = encl; encl_page->epc_page = epc_page; @@ -408,20 +414,20 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, mutex_unlock(&encl->lock); return VM_FAULT_SIGBUS; } +done: mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; -err_out: +err_out_eaug: xa_erase(&encl->page_array, PFN_DOWN(encl_page->desc)); - err_out_shrink: sgx_encl_shrink(encl, va_page); err_out_epc: sgx_encl_free_epc_page(epc_page); +err_out_encl: + kfree(encl_page); err_out_unlock: mutex_unlock(&encl->lock); - kfree(encl_page); - return vmret; } -- 2.43.0

9 months, 2 weeks

1
0
0 0

[PATCH v6 1/3] x86/sgx: Split SGX_ENCL_PAGE_BEING_RECLAIMED into two flags

by Dmitrii Kuvaiskii

The page reclaimer thread sets SGX_ENC_PAGE_BEING_RECLAIMED flag when the enclave page is being reclaimed (moved to the backing store). This flag however has two logical meanings: 1. Don't attempt to load the enclave page (the page is busy), see __sgx_encl_load_page(). 2. Don't attempt to remove the PCMD page corresponding to this enclave page (the PCMD page is busy), see reclaimer_writing_to_pcmd(). To reflect these two meanings, split SGX_ENCL_PAGE_BEING_RECLAIMED into two flags: SGX_ENCL_PAGE_BUSY and SGX_ENCL_PAGE_PCMD_BUSY. Currently, both flags are set only when the enclave page is being reclaimed (by the page reclaimer thread). A future commit will introduce new cases when the enclave page is being operated on; these new cases will set only the SGX_ENCL_PAGE_BUSY flag. Cc: stable(a)vger.kernel.org Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com> Reviewed-by: Haitao Huang <haitao.huang(a)linux.intel.com> Reviewed-by: Jarkko Sakkinen <jarkko(a)kernel.org> Acked-by: Kai Huang <kai.huang(a)intel.com> --- arch/x86/kernel/cpu/sgx/encl.c | 16 +++++++--------- arch/x86/kernel/cpu/sgx/encl.h | 10 ++++++++-- arch/x86/kernel/cpu/sgx/main.c | 4 ++-- 3 files changed, 17 insertions(+), 13 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index 279148e72459..c0a3c00284c8 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c @@ -46,10 +46,10 @@ static int sgx_encl_lookup_backing(struct sgx_encl *encl, unsigned long page_ind * a check if an enclave page sharing the PCMD page is in the process of being * reclaimed. * - * The reclaimer sets the SGX_ENCL_PAGE_BEING_RECLAIMED flag when it - * intends to reclaim that enclave page - it means that the PCMD page - * associated with that enclave page is about to get some data and thus - * even if the PCMD page is empty, it should not be truncated. + * The reclaimer sets the SGX_ENCL_PAGE_PCMD_BUSY flag when it intends to + * reclaim that enclave page - it means that the PCMD page associated with that + * enclave page is about to get some data and thus even if the PCMD page is + * empty, it should not be truncated. * * Context: Enclave mutex (&sgx_encl->lock) must be held. * Return: 1 if the reclaimer is about to write to the PCMD page @@ -77,8 +77,7 @@ static int reclaimer_writing_to_pcmd(struct sgx_encl *encl, * Stop when reaching the SECS page - it does not * have a page_array entry and its reclaim is * started and completed with enclave mutex held so - * it does not use the SGX_ENCL_PAGE_BEING_RECLAIMED - * flag. + * it does not use the SGX_ENCL_PAGE_PCMD_BUSY flag. */ if (addr == encl->base + encl->size) break; @@ -91,8 +90,7 @@ static int reclaimer_writing_to_pcmd(struct sgx_encl *encl, * VA page slot ID uses same bit as the flag so it is important * to ensure that the page is not already in backing store. */ - if (entry->epc_page && - (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED)) { + if (entry->epc_page && (entry->desc & SGX_ENCL_PAGE_PCMD_BUSY)) { reclaimed = 1; break; } @@ -257,7 +255,7 @@ static struct sgx_encl_page *__sgx_encl_load_page(struct sgx_encl *encl, /* Entry successfully located. */ if (entry->epc_page) { - if (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED) + if (entry->desc & SGX_ENCL_PAGE_BUSY) return ERR_PTR(-EBUSY); return entry; diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h index f94ff14c9486..b566b8ad5f33 100644 --- a/arch/x86/kernel/cpu/sgx/encl.h +++ b/arch/x86/kernel/cpu/sgx/encl.h @@ -22,8 +22,14 @@ /* 'desc' bits holding the offset in the VA (version array) page. */ #define SGX_ENCL_PAGE_VA_OFFSET_MASK GENMASK_ULL(11, 3) -/* 'desc' bit marking that the page is being reclaimed. */ -#define SGX_ENCL_PAGE_BEING_RECLAIMED BIT(3) +/* 'desc' bit indicating that the page is busy (being reclaimed). */ +#define SGX_ENCL_PAGE_BUSY BIT(2) + +/* + * 'desc' bit indicating that PCMD page associated with the enclave page is + * busy (because the enclave page is being reclaimed). + */ +#define SGX_ENCL_PAGE_PCMD_BUSY BIT(3) struct sgx_encl_page { unsigned long desc; diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c index f3f1461273ee..da59f034b769 100644 --- a/arch/x86/kernel/cpu/sgx/main.c +++ b/arch/x86/kernel/cpu/sgx/main.c @@ -205,7 +205,7 @@ static void sgx_encl_ewb(struct sgx_epc_page *epc_page, void *va_slot; int ret; - encl_page->desc &= ~SGX_ENCL_PAGE_BEING_RECLAIMED; + encl_page->desc &= ~(SGX_ENCL_PAGE_BUSY | SGX_ENCL_PAGE_PCMD_BUSY); va_page = list_first_entry(&encl->va_pages, struct sgx_va_page, list); @@ -341,7 +341,7 @@ static void sgx_reclaim_pages(void) goto skip; } - encl_page->desc |= SGX_ENCL_PAGE_BEING_RECLAIMED; + encl_page->desc |= SGX_ENCL_PAGE_BUSY | SGX_ENCL_PAGE_PCMD_BUSY; mutex_unlock(&encl_page->encl->lock); continue; -- 2.43.0

9 months, 2 weeks

1
0
0 0

[PATCH] sched/fair: Fix integer underflow

by Pierre Gondois

(struct sg_lb_stats).idle_cpus is of type 'unsigned int'. (local->idle_cpus - busiest->idle_cpus) can underflow to UINT_MAX for instance, and max_t(long, 0, UINT_MAX) will output UINT_MAX. Use lsub_positive() instead of max_t(). Fixes: 0b0695f2b34a ("sched/fair: Rework load_balance()") cc: stable(a)vger.kernel.org Signed-off-by: Pierre Gondois <pierre.gondois(a)arm.com> --- kernel/sched/fair.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 9057584ec06d..6d9124499f52 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -10775,8 +10775,8 @@ static inline void calculate_imbalance(struct lb_env *env, struct sd_lb_stats *s * idle CPUs. */ env->migration_type = migrate_task; - env->imbalance = max_t(long, 0, - (local->idle_cpus - busiest->idle_cpus)); + env->imbalance = local->idle_cpus; + lsub_positive(&env->imbalance, busiest->idle_cpus); } #ifdef CONFIG_NUMA -- 2.25.1

9 months, 2 weeks

2
3
0 0

[PATCHv2] usb: yurex: make waiting on yurex_write interruptible

by Oliver Neukum

The IO yurex_write() needs to wait for in order to have a device ready for writing again can take a long time time. Consequently the sleep is done in an interruptible state. Therefore others waiting for yurex_write() itself to finish should use mutex_lock_interruptible. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Fixes: 6bc235a2e24a5 ("USB: add driver for Meywa-Denki & Kayac YUREX") --- v2: fix uninitialized variable drivers/usb/misc/iowarrior.c | 4 ---- drivers/usb/misc/yurex.c | 5 ++++- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index cfc985001e5b..65cc53431976 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -892,7 +892,6 @@ static int iowarrior_probe(struct usb_interface *interface, static void iowarrior_disconnect(struct usb_interface *interface) { struct iowarrior *dev = usb_get_intfdata(interface); - int minor = dev->minor; usb_deregister_dev(interface, &iowarrior_class); @@ -916,9 +915,6 @@ static void iowarrior_disconnect(struct usb_interface *interface) mutex_unlock(&dev->mutex); iowarrior_delete(dev); } - - dev_info(&interface->dev, "I/O-Warror #%d now disconnected\n", - minor - IOWARRIOR_MINOR_BASE); } /* usb specific object needed to register this driver with the usb subsystem */ diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 4a9859e03f6b..316634f782c6 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -444,7 +444,10 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, if (count == 0) goto error; - mutex_lock(&dev->io_mutex); + retval = mutex_lock_interruptible(&dev->io_mutex); + if (retval < 0) + return -EINTR; + if (dev->disconnected) { /* already disconnected */ mutex_unlock(&dev->io_mutex); retval = -ENODEV; -- 2.46.1

9 months, 2 weeks

2
1
0 0

[PATCH] drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check

by Ma Ke

The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. Cc: stable(a)vger.kernel.org Fixes: dd86dc2f9ae1 ("drm/sti: implement atomic_check for the planes") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/sti/sti_hqvdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/sti/sti_hqvdp.c b/drivers/gpu/drm/sti/sti_hqvdp.c index 0fb48ac044d8..abab92df78bd 100644 --- a/drivers/gpu/drm/sti/sti_hqvdp.c +++ b/drivers/gpu/drm/sti/sti_hqvdp.c @@ -1037,6 +1037,9 @@ static int sti_hqvdp_atomic_check(struct drm_plane *drm_plane, return 0; crtc_state = drm_atomic_get_crtc_state(state, crtc); + if (IS_ERR(crtc_state)) + return PTR_ERR(crtc_state); + mode = &crtc_state->mode; dst_x = new_plane_state->crtc_x; dst_y = new_plane_state->crtc_y; -- 2.25.1

9 months, 2 weeks

2
1
0 0

[PATCH v2] drm/sti: avoid potential dereference of error pointers

by Ma Ke

The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. Cc: stable(a)vger.kernel.org Fixes: dd86dc2f9ae1 ("drm/sti: implement atomic_check for the planes") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the Fixes tag according to suggestions; - added necessary blank line. --- drivers/gpu/drm/sti/sti_cursor.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/sti/sti_cursor.c b/drivers/gpu/drm/sti/sti_cursor.c index db0a1eb53532..c59fcb4dca32 100644 --- a/drivers/gpu/drm/sti/sti_cursor.c +++ b/drivers/gpu/drm/sti/sti_cursor.c @@ -200,6 +200,9 @@ static int sti_cursor_atomic_check(struct drm_plane *drm_plane, return 0; crtc_state = drm_atomic_get_crtc_state(state, crtc); + if (IS_ERR(crtc_state)) + return PTR_ERR(crtc_state); + mode = &crtc_state->mode; dst_x = new_plane_state->crtc_x; dst_y = new_plane_state->crtc_y; -- 2.25.1

9 months, 2 weeks

2
1
0 0

[PATCH RESEND] drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check

by Ma Ke

The return value of drm_atomic_get_crtc_state() needs to be checked. To avoid use of error pointer 'crtc_state' in case of the failure. Cc: stable(a)vger.kernel.org Fixes: dd86dc2f9ae1 ("drm/sti: implement atomic_check for the planes") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/sti/sti_gdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/sti/sti_gdp.c b/drivers/gpu/drm/sti/sti_gdp.c index 43c72c2604a0..f046f5f7ad25 100644 --- a/drivers/gpu/drm/sti/sti_gdp.c +++ b/drivers/gpu/drm/sti/sti_gdp.c @@ -638,6 +638,9 @@ static int sti_gdp_atomic_check(struct drm_plane *drm_plane, mixer = to_sti_mixer(crtc); crtc_state = drm_atomic_get_crtc_state(state, crtc); + if (IS_ERR(crtc_state)) + return PTR_ERR(crtc_state); + mode = &crtc_state->mode; dst_x = new_plane_state->crtc_x; dst_y = new_plane_state->crtc_y; -- 2.25.1

9 months, 2 weeks

2
2
0 0

[PATCH] mm: migrate: fix data-race in migrate_folio_unmap()

by Jeongjun Park

I found a report from syzbot [1] When __folio_test_movable() is called in migrate_folio_unmap() to read folio->mapping, a data race occurs because the folio is read without protecting it with folio_lock. This can cause unintended behavior because folio->mapping is initialized to a NULL value. Therefore, I think it is appropriate to call __folio_test_movable() under the protection of folio_lock to prevent data-race. [1] ================================================================== BUG: KCSAN: data-race in __filemap_remove_folio / migrate_pages_batch write to 0xffffea0004b81dd8 of 8 bytes by task 6348 on cpu 0: page_cache_delete mm/filemap.c:153 [inline] __filemap_remove_folio+0x1ac/0x2c0 mm/filemap.c:233 filemap_remove_folio+0x6b/0x1f0 mm/filemap.c:265 truncate_inode_folio+0x42/0x50 mm/truncate.c:178 shmem_undo_range+0x25b/0xa70 mm/shmem.c:1028 shmem_truncate_range mm/shmem.c:1144 [inline] shmem_evict_inode+0x14d/0x530 mm/shmem.c:1272 evict+0x2f0/0x580 fs/inode.c:731 iput_final fs/inode.c:1883 [inline] iput+0x42a/0x5b0 fs/inode.c:1909 dentry_unlink_inode+0x24f/0x260 fs/dcache.c:412 __dentry_kill+0x18b/0x4c0 fs/dcache.c:615 dput+0x5c/0xd0 fs/dcache.c:857 __fput+0x3fb/0x6d0 fs/file_table.c:439 ____fput+0x1c/0x30 fs/file_table.c:459 task_work_run+0x13a/0x1a0 kernel/task_work.c:228 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xbe/0x130 kernel/entry/common.c:218 do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffffea0004b81dd8 of 8 bytes by task 6342 on cpu 1: __folio_test_movable include/linux/page-flags.h:699 [inline] migrate_folio_unmap mm/migrate.c:1199 [inline] migrate_pages_batch+0x24c/0x1940 mm/migrate.c:1797 migrate_pages_sync mm/migrate.c:1963 [inline] migrate_pages+0xff1/0x1820 mm/migrate.c:2072 do_mbind mm/mempolicy.c:1390 [inline] kernel_mbind mm/mempolicy.c:1533 [inline] __do_sys_mbind mm/mempolicy.c:1607 [inline] __se_sys_mbind+0xf76/0x1160 mm/mempolicy.c:1603 __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1603 x64_sys_call+0x2b4d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:238 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0xffff888127601078 -> 0x0000000000000000 Reported-by: syzbot <syzkaller(a)googlegroups.com> Cc: stable(a)vger.kernel.org Fixes: 7e2a5e5ab217 ("mm: migrate: use __folio_test_movable()") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- mm/migrate.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/migrate.c b/mm/migrate.c index 923ea80ba744..e62dac12406b 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -1118,7 +1118,7 @@ static int migrate_folio_unmap(new_folio_t get_new_folio, int rc = -EAGAIN; int old_page_state = 0; struct anon_vma *anon_vma = NULL; - bool is_lru = !__folio_test_movable(src); + bool is_lru; bool locked = false; bool dst_locked = false; @@ -1172,6 +1172,7 @@ static int migrate_folio_unmap(new_folio_t get_new_folio, locked = true; if (folio_test_mlocked(src)) old_page_state |= PAGE_WAS_MLOCKED; + is_lru = !__folio_test_movable(src); if (folio_test_writeback(src)) { /* --

9 months, 2 weeks

3
5
0 0

[PATCH v2] drm/sched: Fix dynamic job-flow control race

by Rob Clark

From: Rob Clark <robdclark(a)chromium.org> Fixes a race condition reported here: https://github.com/AsahiLinux/linux/issues/309#issuecomment-2238968609 The whole premise of lockless access to a single-producer-single- consumer queue is that there is just a single producer and single consumer. That means we can't call drm_sched_can_queue() (which is about queueing more work to the hw, not to the spsc queue) from anywhere other than the consumer (wq). This call in the producer is just an optimization to avoid scheduling the consuming worker if it cannot yet queue more work to the hw. It is safe to drop this optimization to avoid the race condition. Suggested-by: Asahi Lina <lina(a)asahilina.net> Fixes: a78422e9dff3 ("drm/sched: implement dynamic job-flow control") Closes: https://github.com/AsahiLinux/linux/issues/309 Cc: stable(a)vger.kernel.org Signed-off-by: Rob Clark <robdclark(a)chromium.org> --- drivers/gpu/drm/scheduler/sched_entity.c | 4 ++-- drivers/gpu/drm/scheduler/sched_main.c | 7 ++----- include/drm/gpu_scheduler.h | 2 +- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c index 58c8161289fe..567e5ace6d0c 100644 --- a/drivers/gpu/drm/scheduler/sched_entity.c +++ b/drivers/gpu/drm/scheduler/sched_entity.c @@ -380,7 +380,7 @@ static void drm_sched_entity_wakeup(struct dma_fence *f, container_of(cb, struct drm_sched_entity, cb); drm_sched_entity_clear_dep(f, cb); - drm_sched_wakeup(entity->rq->sched, entity); + drm_sched_wakeup(entity->rq->sched); } /** @@ -612,7 +612,7 @@ void drm_sched_entity_push_job(struct drm_sched_job *sched_job) if (drm_sched_policy == DRM_SCHED_POLICY_FIFO) drm_sched_rq_update_fifo(entity, submit_ts); - drm_sched_wakeup(entity->rq->sched, entity); + drm_sched_wakeup(entity->rq->sched); } } EXPORT_SYMBOL(drm_sched_entity_push_job); diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c index ab53ab486fe6..6f27cab0b76d 100644 --- a/drivers/gpu/drm/scheduler/sched_main.c +++ b/drivers/gpu/drm/scheduler/sched_main.c @@ -1013,15 +1013,12 @@ EXPORT_SYMBOL(drm_sched_job_cleanup); /** * drm_sched_wakeup - Wake up the scheduler if it is ready to queue * @sched: scheduler instance - * @entity: the scheduler entity * * Wake up the scheduler if we can queue jobs. */ -void drm_sched_wakeup(struct drm_gpu_scheduler *sched, - struct drm_sched_entity *entity) +void drm_sched_wakeup(struct drm_gpu_scheduler *sched) { - if (drm_sched_can_queue(sched, entity)) - drm_sched_run_job_queue(sched); + drm_sched_run_job_queue(sched); } /** diff --git a/include/drm/gpu_scheduler.h b/include/drm/gpu_scheduler.h index fe8edb917360..9c437a057e5d 100644 --- a/include/drm/gpu_scheduler.h +++ b/include/drm/gpu_scheduler.h @@ -574,7 +574,7 @@ void drm_sched_entity_modify_sched(struct drm_sched_entity *entity, void drm_sched_tdr_queue_imm(struct drm_gpu_scheduler *sched); void drm_sched_job_cleanup(struct drm_sched_job *job); -void drm_sched_wakeup(struct drm_gpu_scheduler *sched, struct drm_sched_entity *entity); +void drm_sched_wakeup(struct drm_gpu_scheduler *sched); bool drm_sched_wqueue_ready(struct drm_gpu_scheduler *sched); void drm_sched_wqueue_stop(struct drm_gpu_scheduler *sched); void drm_sched_wqueue_start(struct drm_gpu_scheduler *sched); -- 2.46.0

9 months, 2 weeks

3
3
0 0

[PATCH] usb: yurex: make waiting on yurex_write interruptible

by Oliver Neukum

The IO yurex_write() needs to wait for in order to have a device ready for writing again can take a long time time. Consequently the sleep is done in an interruptible state. Therefore others waiting for yurex_write() itself to finish should use mutex_lock_interruptible. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Fixes: 6bc235a2e24a5 ("USB: add driver for Meywa-Denki & Kayac YUREX") --- drivers/usb/misc/yurex.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c index 4a9859e03f6b..0deffdc8205f 100644 --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -430,7 +430,7 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, size_t count, loff_t *ppos) { struct usb_yurex *dev; - int i, set = 0, retval = 0; + int i, set = 0, retval; char buffer[16 + 1]; char *data = buffer; unsigned long long c, c2 = 0; @@ -444,7 +444,10 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer, if (count == 0) goto error; - mutex_lock(&dev->io_mutex); + retval = mutex_lock_interruptible(&dev->io_mutex); + if (retval < 0) + return -EINTR; + if (dev->disconnected) { /* already disconnected */ mutex_unlock(&dev->io_mutex); retval = -ENODEV; -- 2.46.1

9 months, 2 weeks

2
2
0 0

[PATCH] zram: don't free statically defined names

by Andrey Skvortsov

The change is similar to that is used in comp_algorithm_set. This is detected by KASAN. ================================================================== Unable to handle kernel paging request at virtual address ffffffffc1edc3c8 KASAN: maybe wild-memory-access in range [0x0003fffe0f6e1e40-0x0003fffe0f6e1e47] Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000427dc000 [ffffffffc1edc3c8] pgd=00000000430e7003, p4d=00000000430e7003, pud=00000000430e8003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] SMP Tainted: [W]=WARN, [C]=CRAP, [N]=TEST Hardware name: Pine64 PinePhone (1.2) (DT) pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kfree+0x60/0x3a0 lr : zram_destroy_comps+0x98/0x198 [zram] sp : ffff800089b57450 x29: ffff800089b57460 x28: 0000000000000004 x27: ffff800082833010 x26: 1fffe00000c8039c x25: 1fffe00000ba5004 x24: ffff000005d28000 x23: ffff800082533178 x22: ffff80007b71eaa8 x21: ffff000006401ce8 x20: ffff80007b70f7a0 x19: ffffffffc1edc3c0 x18: 1ffff00010506d6b x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000808e85e4 x14: ffff8000808e8478 x13: ffff80008003fa50 x12: ffff80008003f87c x11: ffff800080011550 x10: ffff800081ee63f0 x9 : ffff80007b71eaa8 x8 : ffff80008003fa50 x7 : ffff80008003f87c x6 : 00000018a10e2f30 x5 : 00ffffffffffffff x4 : ffff00000ec93200 x3 : ffff00000bbee6e0 x2 : 0000000000000000 x1 : 0000000000000000 x0 : fffffdffc0000000 Call trace: kfree+0x60/0x3a0 zram_destroy_comps+0x98/0x198 [zram] zram_reset_device+0x22c/0x4a8 [zram] reset_store+0x1bc/0x2d8 [zram] dev_attr_store+0x44/0x80 sysfs_kf_write+0xfc/0x188 kernfs_fop_write_iter+0x28c/0x428 vfs_write+0x4dc/0x9b8 ksys_write+0x100/0x1f8 __arm64_sys_write+0x74/0xb8 invoke_syscall+0xd8/0x260 el0_svc_common.constprop.0+0xb4/0x240 do_el0_svc+0x48/0x68 el0_svc+0x40/0xc8 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x190/0x198 Code: b26287e0 d34cfe73 f2dfbfe0 8b131813 (f9400660) ================================================================== Signed-off-by: Andrey Skvortsov <andrej.skvortzov(a)gmail.com> Fixes: 684826f8271a ("zram: free secondary algorithms names") Cc: <stable(a)vger.kernel.org> --- drivers/block/zram/zram_drv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index c3d245617083d..d9d2c36658f59 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2116,7 +2116,9 @@ static void zram_destroy_comps(struct zram *zram) } for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { - kfree(zram->comp_algs[prio]); + /* Do not free statically defined compression algorithms */ + if (zram->comp_algs[prio] != default_compressor) + kfree(zram->comp_algs[prio]); zram->comp_algs[prio] = NULL; } -- 2.45.2

9 months, 2 weeks

3
6
0 0

[PATCH v2] zram: don't free statically defined names

by Andrey Skvortsov

The change is similar to that is used in comp_algorithm_set. default_compressor is used for ZRAM_PRIMARY_COMP only, but if CONFIG_ZRAM_MULTI_COMP isn't set, then ZRAM_PRIMARY_COMP and ZRAM_SECONDARY_COMP are the same. This is detected by KASAN. ================================================================== Call trace: kfree+0x60/0x3a0 zram_destroy_comps+0x98/0x198 [zram] zram_reset_device+0x22c/0x4a8 [zram] reset_store+0x1bc/0x2d8 [zram] dev_attr_store+0x44/0x80 sysfs_kf_write+0xfc/0x188 kernfs_fop_write_iter+0x28c/0x428 vfs_write+0x4dc/0x9b8 ksys_write+0x100/0x1f8 __arm64_sys_write+0x74/0xb8 invoke_syscall+0xd8/0x260 el0_svc_common.constprop.0+0xb4/0x240 do_el0_svc+0x48/0x68 el0_svc+0x40/0xc8 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x190/0x198 ================================================================== Signed-off-by: Andrey Skvortsov <andrej.skvortzov(a)gmail.com> Fixes: 684826f8271a ("zram: free secondary algorithms names") Cc: <stable(a)vger.kernel.org> --- Changes in v2: - removed comment from source code about freeing statically defined compression - removed part of KASAN report from commit description - added information about CONFIG_ZRAM_MULTI_COMP into commit description drivers/block/zram/zram_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index c3d245617083d..4a9cdb7fe8878 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2116,7 +2116,8 @@ static void zram_destroy_comps(struct zram *zram) } for (prio = ZRAM_SECONDARY_COMP; prio < ZRAM_MAX_COMPS; prio++) { - kfree(zram->comp_algs[prio]); + if (zram->comp_algs[prio] != default_compressor) + kfree(zram->comp_algs[prio]); zram->comp_algs[prio] = NULL; } -- 2.45.2

9 months, 2 weeks

2
1
0 0

[PATCH v2] drm/xe: fix UAF around queue destruction

by Matthew Auld

We currently do stuff like queuing the final destruction step on a random system wq, which will outlive the driver instance. With bad timing we can teardown the driver with one or more work workqueue still being alive leading to various UAF splats. Add a fini step to ensure user queues are properly torn down. At this point GuC should already be nuked so queue itself should no longer be referenced from hw pov. v2 (Matt B) - Looks much safer to use a waitqueue and then just wait for the xa_array to become empty before triggering the drain. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2317 Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_device.c | 6 +++++- drivers/gpu/drm/xe/xe_device_types.h | 3 +++ drivers/gpu/drm/xe/xe_guc_submit.c | 26 +++++++++++++++++++++++++- drivers/gpu/drm/xe/xe_guc_types.h | 2 ++ 4 files changed, 35 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c index cb5a9fd820cf..90b3478ed7cd 100644 --- a/drivers/gpu/drm/xe/xe_device.c +++ b/drivers/gpu/drm/xe/xe_device.c @@ -297,6 +297,9 @@ static void xe_device_destroy(struct drm_device *dev, void *dummy) if (xe->unordered_wq) destroy_workqueue(xe->unordered_wq); + if (xe->destroy_wq) + destroy_workqueue(xe->destroy_wq); + ttm_device_fini(&xe->ttm); } @@ -360,8 +363,9 @@ struct xe_device *xe_device_create(struct pci_dev *pdev, xe->preempt_fence_wq = alloc_ordered_workqueue("xe-preempt-fence-wq", 0); xe->ordered_wq = alloc_ordered_workqueue("xe-ordered-wq", 0); xe->unordered_wq = alloc_workqueue("xe-unordered-wq", 0, 0); + xe->destroy_wq = alloc_workqueue("xe-destroy-wq", 0, 0); if (!xe->ordered_wq || !xe->unordered_wq || - !xe->preempt_fence_wq) { + !xe->preempt_fence_wq || !xe->destroy_wq) { /* * Cleanup done in xe_device_destroy via * drmm_add_action_or_reset register above diff --git a/drivers/gpu/drm/xe/xe_device_types.h b/drivers/gpu/drm/xe/xe_device_types.h index 5ad96d283a71..515385b916cc 100644 --- a/drivers/gpu/drm/xe/xe_device_types.h +++ b/drivers/gpu/drm/xe/xe_device_types.h @@ -422,6 +422,9 @@ struct xe_device { /** @unordered_wq: used to serialize unordered work, mostly display */ struct workqueue_struct *unordered_wq; + /** @destroy_wq: used to serialize user destroy work, like queue */ + struct workqueue_struct *destroy_wq; + /** @tiles: device tiles */ struct xe_tile tiles[XE_MAX_TILES_PER_DEVICE]; diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c index fbbe6a487bbb..ae2f85cc2d08 100644 --- a/drivers/gpu/drm/xe/xe_guc_submit.c +++ b/drivers/gpu/drm/xe/xe_guc_submit.c @@ -276,10 +276,26 @@ static struct workqueue_struct *get_submit_wq(struct xe_guc *guc) } #endif +static void xe_guc_submit_fini(struct xe_guc *guc) +{ + struct xe_device *xe = guc_to_xe(guc); + struct xe_gt *gt = guc_to_gt(guc); + int ret; + + ret = wait_event_timeout( + guc->submission_state.fini_wq, + xa_empty(&guc->submission_state.exec_queue_lookup), HZ * 5); + + drain_workqueue(xe->destroy_wq); + + xe_gt_assert(gt, ret); +} + static void guc_submit_fini(struct drm_device *drm, void *arg) { struct xe_guc *guc = arg; + xe_guc_submit_fini(guc); xa_destroy(&guc->submission_state.exec_queue_lookup); free_submit_wq(guc); } @@ -345,6 +361,8 @@ int xe_guc_submit_init(struct xe_guc *guc, unsigned int num_ids) xa_init(&guc->submission_state.exec_queue_lookup); + init_waitqueue_head(&guc->submission_state.fini_wq); + primelockdep(guc); return drmm_add_action_or_reset(&xe->drm, guc_submit_fini, guc); @@ -361,6 +379,9 @@ static void __release_guc_id(struct xe_guc *guc, struct xe_exec_queue *q, u32 xa xe_guc_id_mgr_release_locked(&guc->submission_state.idm, q->guc->id, q->width); + + if (xa_empty(&guc->submission_state.exec_queue_lookup)) + wake_up(&guc->submission_state.fini_wq); } static int alloc_guc_id(struct xe_guc *guc, struct xe_exec_queue *q) @@ -1268,13 +1289,16 @@ static void __guc_exec_queue_fini_async(struct work_struct *w) static void guc_exec_queue_fini_async(struct xe_exec_queue *q) { + struct xe_guc *guc = exec_queue_to_guc(q); + struct xe_device *xe = guc_to_xe(guc); + INIT_WORK(&q->guc->fini_async, __guc_exec_queue_fini_async); /* We must block on kernel engines so slabs are empty on driver unload */ if (q->flags & EXEC_QUEUE_FLAG_PERMANENT || exec_queue_wedged(q)) __guc_exec_queue_fini_async(&q->guc->fini_async); else - queue_work(system_wq, &q->guc->fini_async); + queue_work(xe->destroy_wq, &q->guc->fini_async); } static void __guc_exec_queue_fini(struct xe_guc *guc, struct xe_exec_queue *q) diff --git a/drivers/gpu/drm/xe/xe_guc_types.h b/drivers/gpu/drm/xe/xe_guc_types.h index 546ac6350a31..69046f698271 100644 --- a/drivers/gpu/drm/xe/xe_guc_types.h +++ b/drivers/gpu/drm/xe/xe_guc_types.h @@ -81,6 +81,8 @@ struct xe_guc { #endif /** @submission_state.enabled: submission is enabled */ bool enabled; + /** @submission_state.fini_wq: submit fini wait queue */ + wait_queue_head_t fini_wq; } submission_state; /** @hwconfig: Hardware config state */ struct { -- 2.46.1

9 months, 2 weeks

2
1
0 0

[PATCH 1/2] drm/xe/vm: move xa_alloc to prevent UAF

by Matthew Auld

Evil user can guess the next id of the vm before the ioctl completes and then call vm destroy ioctl to trigger UAF since create ioctl is still referencing the same vm. Move the xa_alloc all the way to the end to prevent this. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_vm.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index a3d7cb7cfd22..f7182ef3d8e6 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -1765,12 +1765,6 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, if (IS_ERR(vm)) return PTR_ERR(vm); - mutex_lock(&xef->vm.lock); - err = xa_alloc(&xef->vm.xa, &id, vm, xa_limit_32b, GFP_KERNEL); - mutex_unlock(&xef->vm.lock); - if (err) - goto err_close_and_put; - if (xe->info.has_asid) { down_write(&xe->usm.lock); err = xa_alloc_cyclic(&xe->usm.asid_to_vm, &asid, vm, @@ -1778,12 +1772,11 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, &xe->usm.next_asid, GFP_KERNEL); up_write(&xe->usm.lock); if (err < 0) - goto err_free_id; + goto err_close_and_put; vm->usm.asid = asid; } - args->vm_id = id; vm->xef = xe_file_get(xef); /* Record BO memory for VM pagetable created against client */ @@ -1796,12 +1789,17 @@ int xe_vm_create_ioctl(struct drm_device *dev, void *data, args->reserved[0] = xe_bo_main_addr(vm->pt_root[0]->bo, XE_PAGE_SIZE); #endif - return 0; - -err_free_id: + /* user id alloc must always be last in ioctl to prevent UAF */ mutex_lock(&xef->vm.lock); - xa_erase(&xef->vm.xa, id); + err = xa_alloc(&xef->vm.xa, &id, vm, xa_limit_32b, GFP_KERNEL); mutex_unlock(&xef->vm.lock); + if (err) + goto err_close_and_put; + + args->vm_id = id; + + return 0; + err_close_and_put: xe_vm_close_and_put(vm); -- 2.46.1

9 months, 2 weeks

2
1
0 0

RESEND. syzbot: KASAN: slab-out-of-bounds Read in xlog_pack_data

by Andrey Kalachev

Hi, I found that the syzbot bug 'KASAN: slab-out-of-bounds Read in xlog_pack_data' [1] has been fixed in master branch since v6.4-rc6-11-gf1e1765aad7d [2]. But, it still exist in LTS kernels: 5.4, 5.10, 5.15 [3], 6.1 [4] Common c-reproducer code can be found here [5]. I've made backport f1e1765aad7d ("xfs: journal geometry is not properly bounds checked") Patch for v5.15 & v6.1 is same with original upstream code. Patches for v5.4 and v5.10 has some cosmetic variations: `xfs_has_crc(mp)` call replaced by `xfs_sb_version_hascrc(&mp->m_sb)` at most. I would be grateful for any assistance. Regards, AK [1] https://syzkaller.appspot.com/bug?extid=b7854dc75e15ffc8c2ae [2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… [3] https://syzkaller.appspot.com/bug?extid=66f256de193ab682584f [4] https://syzkaller.appspot.com/bug?extid=904ffc7f25c759741787 [5] https://syzkaller.appspot.com/text?tag=ReproC&x=152f7343280000 Reported-by: syzbot+66f256de193ab682584f(a)syzkaller.appspotmail.com Reported-by: syzbot+904ffc7f25c759741787(a)syzkaller.appspotmail.com

9 months, 2 weeks

1
3
0 0

Re: [PATCH] x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load

by John Allen

On Mon, Sep 23, 2024 at 03:41:12PM +0000, John Allen wrote: > A problem was introduced with f69759b ("x86/CPU/AMD: Move Zenbleed check to > the Zen2 init function") where a bit in the DE_CFG MSR is getting set after > a microcode late load. > > The problem is that the microcode late load path calls into > amd_check_microcode and subsequently zen2_zenbleed_check. Since the patch > removes the cpu_has_amd_erratum check from zen2_zenbleed_check, this will > cause all non-Zen2 cpus to go through the function and set the bit in the > DE_CFG MSR. > > Call into the zenbleed fix path on Zen2 cpus only. > > Fixes: f69759be251d ("x86/CPU/AMD: Move Zenbleed check to the Zen2 init function") Should probably go into stable as well. Cc: <stable(a)vger.kernel.org> > Signed-off-by: John Allen <john.allen(a)amd.com> > --- > arch/x86/kernel/cpu/amd.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c > index 015971adadfc..368344e1394b 100644 > --- a/arch/x86/kernel/cpu/amd.c > +++ b/arch/x86/kernel/cpu/amd.c > @@ -1202,5 +1202,6 @@ void amd_check_microcode(void) > if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) > return; > > - on_each_cpu(zenbleed_check_cpu, NULL, 1); > + if (boot_cpu_has(X86_FEATURE_ZEN2)) > + on_each_cpu(zenbleed_check_cpu, NULL, 1); > } > -- > 2.34.1 >

9 months, 2 weeks

1
0
0 0

[PATCH] i2c/synquacer: Deal with optional PCLK correctly

by Ard Biesheuvel

From: Ard Biesheuvel <ardb(a)kernel.org> ACPI boot does not provide clocks and regulators, but instead, provides the PCLK rate directly, and enables the clock in firmware. So deal gracefully with this. Fixes: 55750148e559 ("i2c: synquacer: Fix an error handling path in synquacer_i2c_probe()") Cc: <stable(a)vger.kernel.org> Cc: Andi Shyti <andi.shyti(a)kernel.org> Cc: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- https://lore.kernel.org/all/CAMj1kXFH+zB_YuUS+vaEpguhuVGLYbQw55VNDCxnBfSPe6… drivers/i2c/busses/i2c-synquacer.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/i2c/busses/i2c-synquacer.c b/drivers/i2c/busses/i2c-synquacer.c index 4eccbcd0fbfc..bbb9062669e4 100644 --- a/drivers/i2c/busses/i2c-synquacer.c +++ b/drivers/i2c/busses/i2c-synquacer.c @@ -550,12 +550,13 @@ static int synquacer_i2c_probe(struct platform_device *pdev) device_property_read_u32(&pdev->dev, "socionext,pclk-rate", &i2c->pclkrate); - pclk = devm_clk_get_enabled(&pdev->dev, "pclk"); + pclk = devm_clk_get_optional_enabled(&pdev->dev, "pclk"); if (IS_ERR(pclk)) return dev_err_probe(&pdev->dev, PTR_ERR(pclk), "failed to get and enable clock\n"); - i2c->pclkrate = clk_get_rate(pclk); + if (pclk) + i2c->pclkrate = clk_get_rate(pclk); if (i2c->pclkrate < SYNQUACER_I2C_MIN_CLK_RATE || i2c->pclkrate > SYNQUACER_I2C_MAX_CLK_RATE) -- 2.46.0.662.g92d0881bb0-goog

9 months, 2 weeks

5
5
0 0

[PATCH] drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS

by Thomas Zimmermann

FB_DAMAGE_CLIPS is a plane property for damage handling. Its UAPI should only use UAPI types. Hence replace struct drm_rect with struct drm_mode_rect in drm_atomic_plane_set_property(). Both types are identical in practice, so there's no change in behavior. Reported-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Closes: https://lore.kernel.org/dri-devel/Zu1Ke1TuThbtz15E@intel.com/ Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Fixes: d3b21767821e ("drm: Add a new plane property to send damage during plane update") Cc: Lukasz Spintzyk <lukasz.spintzyk(a)displaylink.com> Cc: Deepak Rawat <drawat(a)vmware.com> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Thomas Hellstrom <thellstrom(a)vmware.com> Cc: David Airlie <airlied(a)gmail.com> Cc: Simona Vetter <simona(a)ffwll.ch> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Maxime Ripard <mripard(a)kernel.org> Cc: Thomas Zimmermann <tzimmermann(a)suse.de> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v5.0+ --- drivers/gpu/drm/drm_atomic_uapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic_uapi.c b/drivers/gpu/drm/drm_atomic_uapi.c index 7936c2023955..370dc676e3aa 100644 --- a/drivers/gpu/drm/drm_atomic_uapi.c +++ b/drivers/gpu/drm/drm_atomic_uapi.c @@ -543,7 +543,7 @@ static int drm_atomic_plane_set_property(struct drm_plane *plane, &state->fb_damage_clips, val, -1, - sizeof(struct drm_rect), + sizeof(struct drm_mode_rect), &replaced); return ret; } else if (property == plane->scaling_filter_property) { -- 2.46.0

9 months, 2 weeks

2
1
0 0

[PATCH v3] pinctrl: stm32: check devm_kasprintf() returned value

by Ma Ke

devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v3: - modified the code style according to suggestions. Changes in v2: - modified the patch according to suggestions, added braces; - modified the typo. --- drivers/pinctrl/stm32/pinctrl-stm32.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c index a8673739871d..5b7fa77c1184 100644 --- a/drivers/pinctrl/stm32/pinctrl-stm32.c +++ b/drivers/pinctrl/stm32/pinctrl-stm32.c @@ -1374,10 +1374,15 @@ static int stm32_gpiolib_register_bank(struct stm32_pinctrl *pctl, struct fwnode for (i = 0; i < npins; i++) { stm32_pin = stm32_pctrl_get_desc_pin_from_gpio(pctl, bank, i); - if (stm32_pin && stm32_pin->pin.name) + if (stm32_pin && stm32_pin->pin.name) { names[i] = devm_kasprintf(dev, GFP_KERNEL, "%s", stm32_pin->pin.name); - else + if (!names[i]) { + err = -ENOMEM; + goto err_clk; + } + } else { names[i] = NULL; + } } bank->gpio_chip.names = (const char * const *)names; -- 2.25.1

9 months, 2 weeks

2
1
0 0

[PATCH] pinctrl: check devm_kasprintf() returned value

by Ma Ke

devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a0f160ffcb83 ("pinctrl: add pinctrl/GPIO driver for Apple SoCs") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/pinctrl/pinctrl-apple-gpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/pinctrl/pinctrl-apple-gpio.c b/drivers/pinctrl/pinctrl-apple-gpio.c index 3751c7de37aa..f861e63f4115 100644 --- a/drivers/pinctrl/pinctrl-apple-gpio.c +++ b/drivers/pinctrl/pinctrl-apple-gpio.c @@ -474,6 +474,9 @@ static int apple_gpio_pinctrl_probe(struct platform_device *pdev) for (i = 0; i < npins; i++) { pins[i].number = i; pins[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "PIN%u", i); + if (!pins[i].name) + return -ENOMEM; + pins[i].drv_data = pctl; pin_names[i] = pins[i].name; pin_nums[i] = i; -- 2.25.1

9 months, 2 weeks

2
1
0 0

[PATCH] drm/xe: fix UAF around queue destruction

by Matthew Auld

We currently do stuff like queuing the final destruction step on a random system wq, which will outlive the driver instance. With bad timing we can teardown the driver with one or more work workqueue still being alive leading to various UAF splats. Add a fini step to ensure user queues are properly torn down. At this point GuC should already be nuked so queue itself should no longer be referenced from hw pov. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2317 Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_device.c | 6 +++++- drivers/gpu/drm/xe/xe_device_types.h | 3 +++ drivers/gpu/drm/xe/xe_guc_submit.c | 32 +++++++++++++++++++++++++++- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c index cb5a9fd820cf..90b3478ed7cd 100644 --- a/drivers/gpu/drm/xe/xe_device.c +++ b/drivers/gpu/drm/xe/xe_device.c @@ -297,6 +297,9 @@ static void xe_device_destroy(struct drm_device *dev, void *dummy) if (xe->unordered_wq) destroy_workqueue(xe->unordered_wq); + if (xe->destroy_wq) + destroy_workqueue(xe->destroy_wq); + ttm_device_fini(&xe->ttm); } @@ -360,8 +363,9 @@ struct xe_device *xe_device_create(struct pci_dev *pdev, xe->preempt_fence_wq = alloc_ordered_workqueue("xe-preempt-fence-wq", 0); xe->ordered_wq = alloc_ordered_workqueue("xe-ordered-wq", 0); xe->unordered_wq = alloc_workqueue("xe-unordered-wq", 0, 0); + xe->destroy_wq = alloc_workqueue("xe-destroy-wq", 0, 0); if (!xe->ordered_wq || !xe->unordered_wq || - !xe->preempt_fence_wq) { + !xe->preempt_fence_wq || !xe->destroy_wq) { /* * Cleanup done in xe_device_destroy via * drmm_add_action_or_reset register above diff --git a/drivers/gpu/drm/xe/xe_device_types.h b/drivers/gpu/drm/xe/xe_device_types.h index 5ad96d283a71..515385b916cc 100644 --- a/drivers/gpu/drm/xe/xe_device_types.h +++ b/drivers/gpu/drm/xe/xe_device_types.h @@ -422,6 +422,9 @@ struct xe_device { /** @unordered_wq: used to serialize unordered work, mostly display */ struct workqueue_struct *unordered_wq; + /** @destroy_wq: used to serialize user destroy work, like queue */ + struct workqueue_struct *destroy_wq; + /** @tiles: device tiles */ struct xe_tile tiles[XE_MAX_TILES_PER_DEVICE]; diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c index fbbe6a487bbb..66441efa0bcd 100644 --- a/drivers/gpu/drm/xe/xe_guc_submit.c +++ b/drivers/gpu/drm/xe/xe_guc_submit.c @@ -276,10 +276,37 @@ static struct workqueue_struct *get_submit_wq(struct xe_guc *guc) } #endif +static void guc_exec_queue_fini_async(struct xe_exec_queue *q); + +static void xe_guc_submit_fini(struct xe_guc *guc) +{ + struct xe_device *xe = guc_to_xe(guc); + struct xe_exec_queue *q; + unsigned long index; + + mutex_lock(&guc->submission_state.lock); + xa_for_each(&guc->submission_state.exec_queue_lookup, index, q) { + struct xe_gpu_scheduler *sched = &q->guc->sched; + + xe_assert(xe, !kref_read(&q->refcount)); + + xe_sched_submission_stop(sched); + + if (exec_queue_registered(q) && !exec_queue_wedged(q)) + guc_exec_queue_fini_async(q); + } + mutex_unlock(&guc->submission_state.lock); + + drain_workqueue(xe->destroy_wq); + + xe_assert(xe, xa_empty(&guc->submission_state.exec_queue_lookup)); +} + static void guc_submit_fini(struct drm_device *drm, void *arg) { struct xe_guc *guc = arg; + xe_guc_submit_fini(guc); xa_destroy(&guc->submission_state.exec_queue_lookup); free_submit_wq(guc); } @@ -1268,13 +1295,16 @@ static void __guc_exec_queue_fini_async(struct work_struct *w) static void guc_exec_queue_fini_async(struct xe_exec_queue *q) { + struct xe_guc *guc = exec_queue_to_guc(q); + struct xe_device *xe = guc_to_xe(guc); + INIT_WORK(&q->guc->fini_async, __guc_exec_queue_fini_async); /* We must block on kernel engines so slabs are empty on driver unload */ if (q->flags & EXEC_QUEUE_FLAG_PERMANENT || exec_queue_wedged(q)) __guc_exec_queue_fini_async(&q->guc->fini_async); else - queue_work(system_wq, &q->guc->fini_async); + queue_work(xe->destroy_wq, &q->guc->fini_async); } static void __guc_exec_queue_fini(struct xe_guc *guc, struct xe_exec_queue *q) -- 2.46.0

9 months, 2 weeks

2
2
0 0

Fix for kernel crash when changing amd-pstate modes

by Mario Limonciello

Hi, This commit from mainline fixes a crash found in kernel 6.11 if users change modes with amd-pstate. commit 49243adc715e ("cpufreq/amd-pstate: Add the missing cpufreq_cpu_put()") Please backport to 6.11.y. Earlier kernels should not be affected. Thanks!

9 months, 2 weeks

2
1
0 0

Fixes for DRM node limits

by Mario Limonciello

Hi, With systems that have 8 GPUs nodes + an integrated BMC, the BMC can't work properly because of limits of DRM nodes in the kernel. This is fixed in Linus tree with these commits: Can you please backport to 6.6.y and later? commit 5fbca8b48b30 ("drm: Use XArray instead of IDR for minors") commit 45c4d994b82b ("accel: Use XArray instead of IDR for minors") commit 071d583e01c8 ("drm: Expand max DRM device number to full MINORBITS") Thanks,

9 months, 2 weeks

2
1
0 0

[PATCH v8 1/3] ufs: core: fix the issue of ICU failure

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When setting the ICU bit without using read-modify-write, SQRTCy will restart SQ again and receive an RTC return error code 2 (Failure - SQ not stopped). Additionally, the error log has been modified so that this type of error can be observed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Reviewed-by: Bao D. Nguyen <quic_nguyenb(a)quicinc.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/ufs/core/ufs-mcq.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index 5891cdacd0b3..3903947dbed1 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) struct scsi_cmnd *cmd = lrbp->cmd; struct ufs_hw_queue *hwq; void __iomem *reg, *opr_sqd_base; - u32 nexus, id, val; + u32 nexus, id, val, rtc; int err; if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) @@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id); writel(nexus, opr_sqd_base + REG_SQCTI); - /* SQRTCy.ICU = 1 */ - writel(SQ_ICU, opr_sqd_base + REG_SQRTC); + /* Initiate Cleanup */ + writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, + opr_sqd_base + REG_SQRTC); /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ reg = opr_sqd_base + REG_SQRTS; err = read_poll_timeout(readl, val, val & SQ_CUS, 20, MCQ_POLL_US, false, reg); - if (err) - dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", - __func__, id, task_tag, - FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); + rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)); + if (err || rtc) + dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n", + __func__, id, task_tag, err, rtc); if (ufshcd_mcq_sq_start(hba, hwq)) err = -ETIMEDOUT; -- 2.45.2

9 months, 2 weeks

1
0
0 0

[PATCH v4 2/2] ufs: core: requeue aborted request

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> ufshcd_abort_all froce abort all on-going command and the host will automatically fill in the OCS field of the corresponding response with OCS_ABORTED based on different working modes. MCQ mode: aborts a command using SQ cleanup, The host controller will post a Completion Queue entry with OCS = ABORTED. SDB mode: aborts a command using UTRLCLR. Task Management response which means a Transfer Request was aborted. For these two cases, set a flag to notify SCSI to requeue the command after receiving response with OCS_ABORTED. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 34 +++++++++++++++++++--------------- include/ufs/ufshcd.h | 3 +++ 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a6f818cdef0e..615da47c1727 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3006,6 +3006,7 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) ufshcd_prepare_lrbp_crypto(scsi_cmd_to_rq(cmd), lrbp); lrbp->req_abort_skip = false; + lrbp->abort_initiated_by_err = false; ufshcd_comp_scsi_upiu(hba, lrbp); @@ -5404,7 +5405,10 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp, } break; case OCS_ABORTED: - result |= DID_ABORT << 16; + if (lrbp->abort_initiated_by_err) + result |= DID_REQUEUE << 16; + else + result |= DID_ABORT << 16; break; case OCS_INVALID_COMMAND_STATUS: result |= DID_REQUEUE << 16; @@ -6471,26 +6475,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) struct scsi_device *sdev = cmd->device; struct Scsi_Host *shost = sdev->host; struct ufs_hba *hba = shost_priv(shost); - struct ufshcd_lrb *lrbp = &hba->lrb[tag]; - struct ufs_hw_queue *hwq; - unsigned long flags; *ret = ufshcd_try_to_abort_task(hba, tag); dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, *ret ? "failed" : "succeeded"); - /* Release cmd in MCQ mode if abort succeeds */ - if (hba->mcq_enabled && (*ret == 0)) { - hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); - if (!hwq) - return 0; - spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) - ufshcd_release_scsi_cmd(hba, lrbp); - spin_unlock_irqrestore(&hwq->cq_lock, flags); - } - return *ret == 0; } @@ -7561,6 +7551,20 @@ int ufshcd_try_to_abort_task(struct ufs_hba *hba, int tag) goto out; } + /* + * When the host software receives a "FUNCTION COMPLETE", set flag + * to requeue command after receive response with OCS_ABORTED + * SDB mode: UTRLCLR Task Management response which means a Transfer + * Request was aborted. + * MCQ mode: Host will post to CQ with OCS_ABORTED after SQ cleanup + * This flag is set because ufshcd_abort_all forcibly aborts all + * commands, and the host will automatically fill in the OCS field + * of the corresponding response with OCS_ABORTED. + * Therefore, upon receiving this response, it needs to be requeued. + */ + if (!err) + lrbp->abort_initiated_by_err = true; + err = ufshcd_clear_cmd(hba, tag); if (err) dev_err(hba->dev, "%s: Failed clearing cmd at tag %d, err %d\n", diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index 0fd2aebac728..15b357672ca5 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -173,6 +173,8 @@ struct ufs_pm_lvl_states { * @crypto_key_slot: the key slot to use for inline crypto (-1 if none) * @data_unit_num: the data unit number for the first block for inline crypto * @req_abort_skip: skip request abort task flag + * @abort_initiated_by_err: The flag is specifically used to handle aborts + * caused by errors due to host/device communication */ struct ufshcd_lrb { struct utp_transfer_req_desc *utr_descriptor_ptr; @@ -202,6 +204,7 @@ struct ufshcd_lrb { #endif bool req_abort_skip; + bool abort_initiated_by_err; }; /** -- 2.45.2

9 months, 2 weeks

3
16
0 0

[PATCH v3] crypto: Removing CRYPTO_AES_GCM_P10.

by Danny Tsen

Data mismatch found when testing ipsec tunnel with AES/GCM crypto. Disabling CRYPTO_AES_GCM_P10 in Kconfig for this feature. Fixes: fd0e9b3e2ee6 ("crypto: p10-aes-gcm - An accelerated AES/GCM stitched implementation") Fixes: cdcecfd9991f ("crypto: p10-aes-gcm - Glue code for AES/GCM stitched implementation") Fixes: 45a4672b9a6e2 ("crypto: p10-aes-gcm - Update Kconfig and Makefile") Signed-off-by: Danny Tsen <dtsen(a)linux.ibm.com> --- arch/powerpc/crypto/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/powerpc/crypto/Kconfig b/arch/powerpc/crypto/Kconfig index 09ebcbdfb34f..46a4c85e85e2 100644 --- a/arch/powerpc/crypto/Kconfig +++ b/arch/powerpc/crypto/Kconfig @@ -107,6 +107,7 @@ config CRYPTO_AES_PPC_SPE config CRYPTO_AES_GCM_P10 tristate "Stitched AES/GCM acceleration support on P10 or later CPU (PPC)" + depends on BROKEN depends on PPC64 && CPU_LITTLE_ENDIAN && VSX select CRYPTO_LIB_AES select CRYPTO_ALGAPI -- 2.43.0

9 months, 2 weeks

5
5
0 0

[PATCH] platform/x86: ideapad-laptop: Stop calling i8042_command()

by Hans de Goede

Commit 07a4a4fc83dd ("ideapad: add Lenovo IdeaPad Z570 support (part 2)") added an i8042_command(..., I8042_CMD_AUX_[EN|DIS]ABLE) call to the ideapad-laptop driver to suppress the touchpad events at the PS/2 AUX controller level. Commit c69e7d843d2c ("platform/x86: ideapad-laptop: Only toggle ps2 aux port on/off on select models") limited this to only do this by default on the IdeaPad Z570 to replace a growing list of models on which the i8042_command() call was disabled by quirks because it was causing issues. A recent report shows that this is causing issues even on the Z570 for which it was originally added because it can happen on resume before the i8042 controller's own resume() method has run: [ 50.241235] ideapad_acpi VPC2004:00: PM: calling acpi_subsys_resume+0x0/0x5d @ 4492, parent: PNP0C09:00 [ 50.242055] snd_hda_intel 0000:00:0e.0: PM: pci_pm_resume+0x0/0xed returned 0 after 13511 usecs [ 50.242120] snd_hda_codec_realtek hdaudioC0D0: PM: calling hda_codec_pm_resume+0x0/0x19 [snd_hda_codec] @ 4518, parent: 0000:00:0e.0 [ 50.247406] i8042: [49434] a8 -> i8042 (command) [ 50.247468] ideapad_acpi VPC2004:00: PM: acpi_subsys_resume+0x0/0x5d returned 0 after 6220 usecs ... [ 50.247883] i8042 kbd 00:01: PM: calling pnp_bus_resume+0x0/0x9d @ 4492, parent: pnp0 [ 50.247894] i8042 kbd 00:01: PM: pnp_bus_resume+0x0/0x9d returned 0 after 0 usecs [ 50.247906] i8042 aux 00:02: PM: calling pnp_bus_resume+0x0/0x9d @ 4492, parent: pnp0 [ 50.247916] i8042 aux 00:02: PM: pnp_bus_resume+0x0/0x9d returned 0 after 0 usecs ... [ 50.248301] i8042 i8042: PM: calling platform_pm_resume+0x0/0x41 @ 4492, parent: platform [ 50.248377] i8042: [49434] 55 <- i8042 (flush, kbd) [ 50.248407] i8042: [49435] aa -> i8042 (command) [ 50.248601] i8042: [49435] 00 <- i8042 (return) [ 50.248604] i8042: [49435] i8042 controller selftest: 0x0 != 0x55 Dmitry (input subsys maintainer) pointed out that just sending KEY_TOUCHPAD_OFF/KEY_TOUCHPAD_ON which the ideapad-laptop driver already does should be sufficient and that it then is up to userspace to filter out touchpad events after having received a KEY_TOUCHPAD_OFF. Given all the problems the i8042_command() call has been causing just removing it indeed seems best, so this removes it completely. Note that this only impacts the Ideapad Z570 since it was already disabled by default on all other models. Fixes: c69e7d843d2c ("platform/x86: ideapad-laptop: Only toggle ps2 aux port on/off on select models") Reported-by: Jonathan Denose <jdenose(a)chromium.org> Closes: https://lore.kernel.org/linux-input/20231102075243.1.Idb37ff8043a29f607beab… Suggested-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Cc: Maxim Mikityanskiy <maxtram95(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/platform/x86/ideapad-laptop.c | 37 --------------------------- 1 file changed, 37 deletions(-) diff --git a/drivers/platform/x86/ideapad-laptop.c b/drivers/platform/x86/ideapad-laptop.c index 1ace711f7442..255fb56ec9ee 100644 --- a/drivers/platform/x86/ideapad-laptop.c +++ b/drivers/platform/x86/ideapad-laptop.c @@ -18,7 +18,6 @@ #include <linux/device.h> #include <linux/dmi.h> #include <linux/fb.h> -#include <linux/i8042.h> #include <linux/init.h> #include <linux/input.h> #include <linux/input/sparse-keymap.h> @@ -144,7 +143,6 @@ struct ideapad_private { bool hw_rfkill_switch : 1; bool kbd_bl : 1; bool touchpad_ctrl_via_ec : 1; - bool ctrl_ps2_aux_port : 1; bool usb_charging : 1; } features; struct { @@ -182,12 +180,6 @@ MODULE_PARM_DESC(set_fn_lock_led, "Enable driver based updates of the fn-lock LED on fn-lock changes. " "If you need this please report this to: platform-driver-x86(a)vger.kernel.org"); -static bool ctrl_ps2_aux_port; -module_param(ctrl_ps2_aux_port, bool, 0444); -MODULE_PARM_DESC(ctrl_ps2_aux_port, - "Enable driver based PS/2 aux port en-/dis-abling on touchpad on/off toggle. " - "If you need this please report this to: platform-driver-x86(a)vger.kernel.org"); - static bool touchpad_ctrl_via_ec; module_param(touchpad_ctrl_via_ec, bool, 0444); MODULE_PARM_DESC(touchpad_ctrl_via_ec, @@ -1560,7 +1552,6 @@ static void ideapad_fn_lock_led_exit(struct ideapad_private *priv) static void ideapad_sync_touchpad_state(struct ideapad_private *priv, bool send_events) { unsigned long value; - unsigned char param; int ret; /* Without reading from EC touchpad LED doesn't switch state */ @@ -1568,15 +1559,6 @@ static void ideapad_sync_touchpad_state(struct ideapad_private *priv, bool send_ if (ret) return; - /* - * Some IdeaPads don't really turn off touchpad - they only - * switch the LED state. We (de)activate KBC AUX port to turn - * touchpad off and on. We send KEY_TOUCHPAD_OFF and - * KEY_TOUCHPAD_ON to not to get out of sync with LED - */ - if (priv->features.ctrl_ps2_aux_port) - i8042_command(&param, value ? I8042_CMD_AUX_ENABLE : I8042_CMD_AUX_DISABLE); - /* * On older models the EC controls the touchpad and toggles it on/off * itself, in this case we report KEY_TOUCHPAD_ON/_OFF. Some models do @@ -1699,23 +1681,6 @@ static const struct dmi_system_id hw_rfkill_list[] = { {} }; -/* - * On some models the EC toggles the touchpad muted LED on touchpad toggle - * hotkey presses, but the EC does not actually disable the touchpad itself. - * On these models the driver needs to explicitly enable/disable the i8042 - * (PS/2) aux port. - */ -static const struct dmi_system_id ctrl_ps2_aux_port_list[] = { - { - /* Lenovo Ideapad Z570 */ - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), - DMI_MATCH(DMI_PRODUCT_VERSION, "Ideapad Z570"), - }, - }, - {} -}; - static void ideapad_check_features(struct ideapad_private *priv) { acpi_handle handle = priv->adev->handle; @@ -1725,8 +1690,6 @@ static void ideapad_check_features(struct ideapad_private *priv) set_fn_lock_led || dmi_check_system(set_fn_lock_led_list); priv->features.hw_rfkill_switch = hw_rfkill_switch || dmi_check_system(hw_rfkill_list); - priv->features.ctrl_ps2_aux_port = - ctrl_ps2_aux_port || dmi_check_system(ctrl_ps2_aux_port_list); priv->features.touchpad_ctrl_via_ec = touchpad_ctrl_via_ec; if (!read_ec_data(handle, VPCCMD_R_FAN, &val)) -- 2.45.2

9 months, 2 weeks

3
16
0 0

[PATCH 5.10/5.15 0/2] crypto: inside_secure - Avoid dma map if size is zero

by Nikita Zhandarovich

The following patch addresses the issue of unchecked calls to dma_map_sg() in safexcel_send_req() as these macros may return 0 in case of unsuccessful mapping. This outcome in turn requires unmapping of previously mapped buffers. The fix has already been backported to the following stable branches: v6.6: https://lore.kernel.org/all/20240122235813.608624333@linuxfoundation.org/ v6.1: https://lore.kernel.org/all/20240122235752.938797245@linuxfoundation.org/ The issue in question can be fixed in 5.10 and 5.15 stable branches by backporting the following 2 upstream commits. Both can be cleanly applied to kernel versions mentioned above. [PATCH 5.10/5.15 1/2] crypto: inside_secure - Avoid dma map if size is zero [PATCH 5.10/5.15 2/2] crypto: safexcel - Add error handling for dma_map_sg() calls First patch is a prerequisite to main fix and removes warnings in case of a call to dma_map_sg() with size 0 and allows for clean application of the main fix. Second (and main) patch adds proper handling of dma_map_sg() erroneous behaviour.

9 months, 3 weeks

1
2
0 0

[PATCH v5 3/5] tpm: flush the null key only when /dev/tpm0 is accessed

by Jarkko Sakkinen

Instead of flushing and reloading the null key for every single auth session, flush it only when: 1. User space needs to access /dev/tpm{rm}0. 2. When going to sleep. 3. When unregistering the chip. This removes the need to load and swap the null key between TPM and regular memory per transaction, when the user space is not using the chip. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v5: - No changes. v4: - Changed to bug fix as not having the patch there is a major hit to bootup times. v3: - Unchanged. v2: - Refined the commit message. - Added tested-by from Pengyu Ma <mapengyu(a)gmail.com>. - Removed spurious pr_info() statement. --- drivers/char/tpm/tpm-chip.c | 13 +++++++++++++ drivers/char/tpm/tpm-dev-common.c | 7 +++++++ drivers/char/tpm/tpm-interface.c | 9 +++++++-- drivers/char/tpm/tpm2-cmd.c | 3 +++ drivers/char/tpm/tpm2-sessions.c | 17 ++++++++++++++--- include/linux/tpm.h | 2 ++ 6 files changed, 46 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 854546000c92..0ea00e32f575 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -674,6 +674,19 @@ EXPORT_SYMBOL_GPL(tpm_chip_register); */ void tpm_chip_unregister(struct tpm_chip *chip) { +#ifdef CONFIG_TCG_TPM2_HMAC + int rc; + + rc = tpm_try_get_ops(chip); + if (!rc) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; + } + tpm_put_ops(chip); + } +#endif + tpm_del_legacy_sysfs(chip); if (tpm_is_hwrng_enabled(chip)) hwrng_unregister(&chip->hwrng); diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 30b4c288c1bb..4eaa8e05c291 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -27,6 +27,13 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, struct tpm_header *header = (void *)buf; ssize_t ret, len; +#ifdef CONFIG_TCG_TPM2_HMAC + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; + } +#endif + ret = tpm2_prepare_space(chip, space, buf, bufsiz); /* If the command is not implemented by the TPM, synthesize a * response with a TPM2_RC_COMMAND_CODE return for user-space. diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 5da134f12c9a..bfa47d48b0f2 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -379,10 +379,15 @@ int tpm_pm_suspend(struct device *dev) rc = tpm_try_get_ops(chip); if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) + if (chip->flags & TPM_CHIP_FLAG_TPM2) { +#ifdef CONFIG_TCG_TPM2_HMAC + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; +#endif tpm2_shutdown(chip, TPM2_SU_STATE); - else + } else { rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + } tpm_put_ops(chip); } diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 1e856259219e..aba024cbe7c5 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -364,6 +364,9 @@ void tpm2_flush_context(struct tpm_chip *chip, u32 handle) struct tpm_buf buf; int rc; + if (!handle) + return; + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT); if (rc) { dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n", diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index a856adef18d3..1aef5b1f9c90 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -920,11 +920,19 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) u32 tmp_null_key; int rc; + /* fast path */ + if (chip->null_key) { + *null_key = chip->null_key; + return 0; + } + rc = tpm2_load_context(chip, chip->null_key_context, &offset, &tmp_null_key); if (rc != -EINVAL) { - if (!rc) + if (!rc) { + chip->null_key = tmp_null_key; *null_key = tmp_null_key; + } goto err; } @@ -934,6 +942,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) /* Return the null key if the name has not been changed: */ if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + chip->null_key = tmp_null_key; *null_key = tmp_null_key; return 0; } @@ -1006,7 +1015,6 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append_u16(&buf, TPM_ALG_SHA256); rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); - tpm2_flush_context(chip, null_key); if (rc == TPM2_RC_SUCCESS) rc = tpm2_parse_start_auth_session(auth, &buf); @@ -1338,7 +1346,10 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) rc = tpm2_save_context(chip, null_key, chip->null_key_context, sizeof(chip->null_key_context), &offset); - tpm2_flush_context(chip, null_key); + if (rc) + tpm2_flush_context(chip, null_key); + else + chip->null_key = null_key; } /* Map all errors to -ENODEV: */ diff --git a/include/linux/tpm.h b/include/linux/tpm.h index e93ee8d936a9..4eb39db80e05 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -205,6 +205,8 @@ struct tpm_chip { #ifdef CONFIG_TCG_TPM2_HMAC /* details for communication security via sessions */ + /* loaded null key */ + u32 null_key; /* saved context for NULL seed */ u8 null_key_context[TPM2_MAX_CONTEXT_SIZE]; /* name of NULL seed */ -- 2.46.1

9 months, 3 weeks

1
0
0 0

[PATCH v2] mac802154: Fix potential RCU dereference issue in mac802154_scan_worker

by Jiawei Ye

In the `mac802154_scan_worker` function, the `scan_req->type` field was accessed after the RCU read-side critical section was unlocked. According to RCU usage rules, this is illegal and can lead to unpredictable behavior, such as accessing memory that has been updated or causing use-after-free issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the `scan_req->type` value is now stored in a local variable `scan_req_type` while still within the RCU read-side critical section. The `scan_req_type` is then used after the RCU lock is released, ensuring that the type value is safely accessed without violating RCU rules. Fixes: e2c3e6f53a7a ("mac802154: Handle active scanning") Signed-off-by: Jiawei Ye <jiawei.ye(a)foxmail.com> Cc: stable(a)vger.kernel.org Acked-by: Miquel Raynal <miquel.raynal(a)bootlin.com> --- Changelog: v1->v2: -Repositioned the enum nl802154_scan_types scan_req_type declaration between struct cfg802154_scan_request *scan_req and struct ieee802154_sub_if_data *sdata to comply with the reverse Christmas tree rule. --- net/mac802154/scan.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/mac802154/scan.c b/net/mac802154/scan.c index 1c0eeaa76560..a6dab3cc3ad8 100644 --- a/net/mac802154/scan.c +++ b/net/mac802154/scan.c @@ -176,6 +176,7 @@ void mac802154_scan_worker(struct work_struct *work) struct ieee802154_local *local = container_of(work, struct ieee802154_local, scan_work.work); struct cfg802154_scan_request *scan_req; + enum nl802154_scan_types scan_req_type; struct ieee802154_sub_if_data *sdata; unsigned int scan_duration = 0; struct wpan_phy *wpan_phy; @@ -209,6 +210,7 @@ void mac802154_scan_worker(struct work_struct *work) } wpan_phy = scan_req->wpan_phy; + scan_req_type = scan_req->type; scan_req_duration = scan_req->duration; /* Look for the next valid chan */ @@ -246,7 +248,7 @@ void mac802154_scan_worker(struct work_struct *work) goto end_scan; } - if (scan_req->type == NL802154_SCAN_ACTIVE) { + if (scan_req_type == NL802154_SCAN_ACTIVE) { ret = mac802154_transmit_beacon_req(local, sdata); if (ret) dev_err(&sdata->dev->dev, -- 2.34.1

9 months, 3 weeks

1
0
0 0

[PATCH] drm/xe/guc_submit: fix UAF in run_job()

by Matthew Auld

The initial kref from dma_fence_init() should match up with whatever signals the fence, however here we are submitting the job first to the hw and only then grabbing the extra ref and even then we touch some fence state before this. This might be too late if the fence is signalled before we can grab the extra ref. Rather always grab the refcount early before we do the submission part. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2811 Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_guc_submit.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c index fbbe6a487bbb..b33f3d23a068 100644 --- a/drivers/gpu/drm/xe/xe_guc_submit.c +++ b/drivers/gpu/drm/xe/xe_guc_submit.c @@ -766,12 +766,15 @@ guc_exec_queue_run_job(struct drm_sched_job *drm_job) struct xe_guc *guc = exec_queue_to_guc(q); struct xe_device *xe = guc_to_xe(guc); bool lr = xe_exec_queue_is_lr(q); + struct dma_fence *fence; xe_assert(xe, !(exec_queue_destroyed(q) || exec_queue_pending_disable(q)) || exec_queue_banned(q) || exec_queue_suspended(q)); trace_xe_sched_job_run(job); + dma_fence_get(job->fence); + if (!exec_queue_killed_or_banned_or_wedged(q) && !xe_sched_job_is_error(job)) { if (!exec_queue_registered(q)) register_exec_queue(q); @@ -782,12 +785,16 @@ guc_exec_queue_run_job(struct drm_sched_job *drm_job) if (lr) { xe_sched_job_set_error(job, -EOPNOTSUPP); - return NULL; + fence = NULL; } else if (test_and_set_bit(JOB_FLAG_SUBMIT, &job->fence->flags)) { - return job->fence; + fence = job->fence; } else { - return dma_fence_get(job->fence); + fence = dma_fence_get(job->fence); } + + dma_fence_put(job->fence); + + return fence; } static void guc_exec_queue_free_job(struct drm_sched_job *drm_job) -- 2.46.0

9 months, 3 weeks

2
2
0 0

[PATCH 1/3] xfs: Do not unshare ranges beyond EOF

by Julian Sun

Attempting to unshare extents beyond EOF will trigger the need zeroing case, which in turn triggers a warning. Therefore, let's skip the unshare process if extents are beyond EOF. Reported-and-tested-by: syzbot+296b1c84b9cbf306e5a0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=296b1c84b9cbf306e5a0 Fixes: 32a38a499104 ("iomap: use write_begin to read pages to unshare") Inspired-by: Dave Chinner <david(a)fromorbit.com> Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> --- fs/xfs/xfs_reflink.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c index 6fde6ec8092f..65509ff6aba0 100644 --- a/fs/xfs/xfs_reflink.c +++ b/fs/xfs/xfs_reflink.c @@ -3,6 +3,7 @@ * Copyright (C) 2016 Oracle. All Rights Reserved. * Author: Darrick J. Wong <darrick.wong(a)oracle.com> */ +#include "linux/fs.h" #include "xfs.h" #include "xfs_fs.h" #include "xfs_shared.h" @@ -1669,6 +1670,9 @@ xfs_reflink_unshare( if (!xfs_is_reflink_inode(ip)) return 0; + /* don't try to unshare any ranges beyond EOF. */ + if (offset + len > i_size_read(inode)) + len = i_size_read(inode) - offset; trace_xfs_reflink_unshare(ip, offset, len); -- 2.39.2

9 months, 3 weeks

3
3
0 0

[PATCH 5.10 0/1] rtlwifi: rtl8192de: fix ofdm power compensation

by Nikita Zhandarovich

This patch aims to prevent reliably encountered buffer overflow in rtl92d_dm_txpower_tracking_callback_thermalmeter() caused by accessing 'ofdm_index[]' array of size 2 with index 'i' equal to 2, which in turn is possible if value of 'is2t' is 'true'. The issue in question has been fixed by the following upstream patch that can be cleanly applied to 5.10 stable branch.

9 months, 3 weeks

1
1
0 0

[PATCH 3/3] vfs: return -EOVERFLOW in generic_remap_checks() when overflow check fails

by Julian Sun

Keep it consistent with the handling of the same check within generic_copy_file_checks(). Also, returning -EOVERFLOW in this case is more appropriate. Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> --- fs/remap_range.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/remap_range.c b/fs/remap_range.c index 6fdeb3c8cb70..a26521ded5c8 100644 --- a/fs/remap_range.c +++ b/fs/remap_range.c @@ -42,7 +42,7 @@ static int generic_remap_checks(struct file *file_in, loff_t pos_in, /* The start of both ranges must be aligned to an fs block. */ if (!IS_ALIGNED(pos_in, bs) || !IS_ALIGNED(pos_out, bs)) - return -EINVAL; + return -EOVERFLOW; /* Ensure offsets don't wrap. */ if (check_add_overflow(pos_in, count, &tmp) || -- 2.39.2

9 months, 3 weeks

4
7
0 0

[PATCH] dmaengine: dw: Select only supported masters for ACPI devices

by Serge Semin

The recently submitted fix-commit revealed a problem in the iDMA32 platform code. Even though the controller supported only a single master the dw_dma_acpi_filter() method hard-coded two master interfaces with IDs 0 and 1. As a result the sanity check implemented in the commit b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") got incorrect interface data width and thus prevented the client drivers from configuring the DMA-channel with the EINVAL error returned. E.g. the next error was printed for the PXA2xx SPI controller driver trying to configure the requested channels: > [ 164.525604] pxa2xx_spi_pci 0000:00:07.1: DMA slave config failed > [ 164.536105] pxa2xx_spi_pci 0000:00:07.1: failed to get DMA TX descriptor > [ 164.543213] spidev spi-SPT0001:00: SPI transfer failed: -16 The problem would have been spotted much earlier if the iDMA32 controller supported more than one master interfaces. But since it supports just a single master and the iDMA32-specific code just ignores the master IDs in the CTLLO preparation method, the issue has been gone unnoticed so far. Fix the problem by specifying a single master ID for both memory and peripheral devices on the ACPI-based platforms if there is only one master available on the controller. Thus the issue noticed for the iDMA32 controllers will be eliminated and the ACPI-probed DW DMA controllers will be configured with the correct master ID by default. Cc: stable(a)vger.kernel.org Fixes: b336268dde75 ("dmaengine: dw: Add peripheral bus width verification") Fixes: 199244d69458 ("dmaengine: dw: add support of iDMA 32-bit hardware") Reported-by: Ferry Toth <fntoth(a)gmail.com> Closes: https://lore.kernel.org/dmaengine/ZuXbCKUs1iOqFu51@black.fi.intel.com/ Reported-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Closes: https://lore.kernel.org/dmaengine/ZuXgI-VcHpMgbZ91@black.fi.intel.com/ Signed-off-by: Serge Semin <fancer.lancer(a)gmail.com> --- Note I haven't got any device with the Intel Merrifield iDMA32 + SPI PXA2xx pair to test out the solution. So any tests are very welcome. But based on Andy' (see the reported-by links) and my investigations the fix seems correct. --- drivers/dma/dw/acpi.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/dma/dw/acpi.c b/drivers/dma/dw/acpi.c index c510c109d2c3..efbe8baeccbc 100644 --- a/drivers/dma/dw/acpi.c +++ b/drivers/dma/dw/acpi.c @@ -8,15 +8,25 @@ static bool dw_dma_acpi_filter(struct dma_chan *chan, void *param) { + struct dw_dma *dw = to_dw_dma(chan->device); struct acpi_dma_spec *dma_spec = param; struct dw_dma_slave slave = { .dma_dev = dma_spec->dev, .src_id = dma_spec->slave_id, .dst_id = dma_spec->slave_id, .m_master = 0, - .p_master = 1, }; + /* + * Fallback to using a single interface for both memory and peripheral + * device if there is only one master I/F supported (e.g. iDMA32) + */ + if (dw->pdata->nr_masters == 0) + slave.p_master = 0; + else + slave.p_master = 1; + + return dw_dma_filter(chan, &slave); } -- 2.43.0

9 months, 3 weeks

3
6
0 0

[PATCH] fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

by Qianqiang Liu

syzbot has found a NULL pointer dereference bug in fbcon [1]. This issue is caused by ops->putcs being a NULL pointer. We need to check the pointer before using it. [1] https://syzkaller.appspot.com/bug?extid=3d613ae53c031502687a Cc: stable(a)vger.kernel.org Reported-and-tested-by: syzbot+3d613ae53c031502687a(a)syzkaller.appspotmail.com Signed-off-by: Qianqiang Liu <qianqiang.liu(a)163.com> --- drivers/video/fbdev/core/fbcon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 3f7333dca508..96c1262cc981 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -1284,7 +1284,7 @@ static void fbcon_putcs(struct vc_data *vc, const u16 *s, unsigned int count, struct fbcon_display *p = &fb_display[vc->vc_num]; struct fbcon_ops *ops = info->fbcon_par; - if (!fbcon_is_inactive(vc, info)) + if (!fbcon_is_inactive(vc, info) && ops->putcs) ops->putcs(vc, info, s, count, real_y(p, ypos), xpos, get_color(vc, info, scr_readw(s), 1), get_color(vc, info, scr_readw(s), 0)); -- 2.39.2

9 months, 3 weeks

2
2
0 0

[PATCH 5.4] bpf: Fix DEVMAP_HASH overflow check on 32-bit arches

by Pu Lehui

From: Toke Høiland-Jørgensen <toke(a)redhat.com> [ Upstream commit 281d464a34f540de166cee74b723e97ac2515ec3 ] The devmap code allocates a number hash buckets equal to the next power of two of the max_entries value provided when creating the map. When rounding up to the next power of two, the 32-bit variable storing the number of buckets can overflow, and the code checks for overflow by checking if the truncated 32-bit value is equal to 0. However, on 32-bit arches the rounding up itself can overflow mid-way through, because it ends up doing a left-shift of 32 bits on an unsigned long value. If the size of an unsigned long is four bytes, this is undefined behaviour, so there is no guarantee that we'll end up with a nice and tidy 0-value at the end. Syzbot managed to turn this into a crash on arm32 by creating a DEVMAP_HASH with max_entries > 0x80000000 and then trying to update it. Fix this by moving the overflow check to before the rounding up operation. Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index") Link: https://lore.kernel.org/r/000000000000ed666a0611af6818@google.com Reported-and-tested-by: syzbot+8cd36f6b65f3cafd400a(a)syzkaller.appspotmail.com Signed-off-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Message-ID: <20240307120340.99577-2-toke(a)redhat.com> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- kernel/bpf/devmap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 4b2819b0a05a..2370fc31169f 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -130,10 +130,13 @@ static int dev_map_init_map(struct bpf_dtab *dtab, union bpf_attr *attr) cost = (u64) sizeof(struct list_head) * num_possible_cpus(); if (attr->map_type == BPF_MAP_TYPE_DEVMAP_HASH) { - dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); - - if (!dtab->n_buckets) /* Overflow check */ + /* hash table size must be power of 2; roundup_pow_of_two() can + * overflow into UB on 32-bit arches, so check that first + */ + if (dtab->map.max_entries > 1UL << 31) return -EINVAL; + + dtab->n_buckets = roundup_pow_of_two(dtab->map.max_entries); cost += (u64) sizeof(struct hlist_head) * dtab->n_buckets; } else { cost += (u64) dtab->map.max_entries * sizeof(struct bpf_dtab_netdev *); -- 2.34.1

9 months, 3 weeks

1
0
0 0

[PATCH] Input: adp5588-keys - Added checking of key and key_val variables

by Denis Arefev

If the adp5588_read function returns 0, then there will be an overflow of the kpad->keycode buffer. If the adp5588_read function returns a negative value, then the logic is broken - the wrong value is used as an index of the kpad->keycode array. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org # v5.10+ Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/input/keyboard/adp5588-keys.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c index 1b0279393df4..d05387f9c11f 100644 --- a/drivers/input/keyboard/adp5588-keys.c +++ b/drivers/input/keyboard/adp5588-keys.c @@ -526,14 +526,17 @@ static void adp5588_report_events(struct adp5588_kpad *kpad, int ev_cnt) int i; for (i = 0; i < ev_cnt; i++) { - int key = adp5588_read(kpad->client, KEY_EVENTA + i); - int key_val = key & KEY_EV_MASK; - int key_press = key & KEY_EV_PRESSED; + int key, key_val, key_press; + key = adp5588_read(kpad->client, KEY_EVENTA + i); + if (key < 0) + continue; + key_val = key & KEY_EV_MASK; + key_press = key & KEY_EV_PRESSED; if (key_val >= GPI_PIN_BASE && key_val <= GPI_PIN_END) { /* gpio line used as IRQ source */ adp5588_gpio_irq_handle(kpad, key_val, key_press); - } else { + } else if (key_val > 0) { int row = (key_val - 1) / ADP5588_COLS_MAX; int col = (key_val - 1) % ADP5588_COLS_MAX; int code = MATRIX_SCAN_CODE(row, col, kpad->row_shift); -- 2.25.1

9 months, 3 weeks

1
0
0 0

[PATCH v7 2/4] ufs: core: requeue aborted request

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> Regarding the specification of MCQ: Aborts a command using SQ cleanup, The host controller will post a Completion Queue entry with OCS = ABORTED. ufshcd_abort_all forcibly aborts all on-going commands. In MCQ mode, set a variable to notify SCSI to requeue the command after receiving response with OCS_ABORTED. This approach would then be consistent with legacy SDB mode. Below is ufshcd_err_handler legacy SDB flow: ufshcd_err_handler() ufshcd_abort_all() ufshcd_abort_one() ufshcd_try_to_abort_task() ufshcd_complete_requests() ufshcd_transfer_req_compl() ufshcd_poll() get outstanding_lock clear outstanding_reqs tag release outstanding_lock __ufshcd_transfer_req_compl() ufshcd_compl_one_cqe() cmd->result = DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() ufshcd_intr() ufshcd_sl_intr() ufshcd_transfer_req_compl() ufshcd_poll() get outstanding_lock clear outstanding_reqs tag release outstanding_lock __ufshcd_transfer_req_compl() ufshcd_compl_one_cqe() cmd->result = DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done(); Below is ufshcd_err_handler MCQ flow: ufshcd_err_handler() ufshcd_abort_all() ufshcd_abort_one() ufshcd_try_to_abort_task() ufshcd_complete_requests() ufshcd_mcq_compl_pending_transfer() ufshcd_mcq_poll_cqe_lock() ufshcd_mcq_process_cqe() ufshcd_compl_one_cqe() cmd->result = DID_ABORT // should change to DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() ufs_mtk_mcq_intr() ufshcd_mcq_poll_cqe_lock() ufshcd_mcq_process_cqe() ufshcd_compl_one_cqe() cmd->result = DID_ABORT // should change to DID_REQUEUE ufshcd_release_scsi_cmd() scsi_done() So what we need to correct is to notify SCSI to requeue when MCQ mode receives OCS: ABORTED. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 40 ++++++++++++++++++++++++--------------- include/ufs/ufshcd.h | 8 ++++++++ 2 files changed, 33 insertions(+), 15 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index a6f818cdef0e..4f9c7a632465 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -3006,6 +3006,7 @@ static int ufshcd_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd) ufshcd_prepare_lrbp_crypto(scsi_cmd_to_rq(cmd), lrbp); lrbp->req_abort_skip = false; + lrbp->abort_initiated_by = UFS_NO_ABORT; ufshcd_comp_scsi_upiu(hba, lrbp); @@ -5404,10 +5405,19 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp, } break; case OCS_ABORTED: - result |= DID_ABORT << 16; + if (lrbp->abort_initiated_by == UFS_ERR_HANDLER) + result |= DID_REQUEUE << 16; + else + result |= DID_ABORT << 16; + dev_warn(hba->dev, + "OCS aborted from controller = %x for tag %d\n", + ocs, lrbp->task_tag); break; case OCS_INVALID_COMMAND_STATUS: result |= DID_REQUEUE << 16; + dev_warn(hba->dev, + "OCS invaild from controller = %x for tag %d\n", + ocs, lrbp->task_tag); break; case OCS_INVALID_CMD_TABLE_ATTR: case OCS_INVALID_PRDT_ATTR: @@ -6471,26 +6481,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv) struct scsi_device *sdev = cmd->device; struct Scsi_Host *shost = sdev->host; struct ufs_hba *hba = shost_priv(shost); - struct ufshcd_lrb *lrbp = &hba->lrb[tag]; - struct ufs_hw_queue *hwq; - unsigned long flags; *ret = ufshcd_try_to_abort_task(hba, tag); dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag, hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1, *ret ? "failed" : "succeeded"); - /* Release cmd in MCQ mode if abort succeeds */ - if (hba->mcq_enabled && (*ret == 0)) { - hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd)); - if (!hwq) - return 0; - spin_lock_irqsave(&hwq->cq_lock, flags); - if (ufshcd_cmd_inflight(lrbp->cmd)) - ufshcd_release_scsi_cmd(hba, lrbp); - spin_unlock_irqrestore(&hwq->cq_lock, flags); - } - return *ret == 0; } @@ -7561,6 +7557,20 @@ int ufshcd_try_to_abort_task(struct ufs_hba *hba, int tag) goto out; } + /* + * When the host software receives a "FUNCTION COMPLETE", set this + * variable to requeue command after receive response with OCS_ABORTED + * + * MCQ mode: Host will post to CQ with OCS_ABORTED after SQ cleanup + * + * This variable is set because error handler ufshcd_abort_all forcibly + * aborts all commands, and the host controller will automatically + * fill in the OCS field of the corresponding response with OCS_ABORTED. + * Therefore, upon receiving this response, it needs to be requeued. + */ + if (!err && hba->mcq_enabled && ufshcd_eh_in_progress(hba)) + lrbp->abort_initiated_by = UFS_ERR_HANDLER; + err = ufshcd_clear_cmd(hba, tag); if (err) dev_err(hba->dev, "%s: Failed clearing cmd at tag %d, err %d\n", diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h index 0fd2aebac728..61a7dc489511 100644 --- a/include/ufs/ufshcd.h +++ b/include/ufs/ufshcd.h @@ -145,6 +145,11 @@ enum ufs_pm_level { UFS_PM_LVL_MAX }; +enum ufs_abort_by { + UFS_NO_ABORT, + UFS_ERR_HANDLER, +}; + struct ufs_pm_lvl_states { enum ufs_dev_pwr_mode dev_state; enum uic_link_state link_state; @@ -173,6 +178,8 @@ struct ufs_pm_lvl_states { * @crypto_key_slot: the key slot to use for inline crypto (-1 if none) * @data_unit_num: the data unit number for the first block for inline crypto * @req_abort_skip: skip request abort task flag + * @abort_initiated_by: This variable is used to store the scenario in + * which the abort occurs */ struct ufshcd_lrb { struct utp_transfer_req_desc *utr_descriptor_ptr; @@ -202,6 +209,7 @@ struct ufshcd_lrb { #endif bool req_abort_skip; + int abort_initiated_by; }; /** -- 2.45.2

9 months, 3 weeks

1
0
0 0

[PATCH v7 1/4] ufs: core: fix the issue of ICU failure

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When setting the ICU bit without using read-modify-write, SQRTCy will restart SQ again and receive an RTC return error code 2 (Failure - SQ not stopped). Additionally, the error log has been modified so that this type of error can be observed. Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode") Cc: stable(a)vger.kernel.org Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> Reviewed-by: Bao D. Nguyen <quic_nguyenb(a)quicinc.com> Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/ufs/core/ufs-mcq.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c index 5891cdacd0b3..3903947dbed1 100644 --- a/drivers/ufs/core/ufs-mcq.c +++ b/drivers/ufs/core/ufs-mcq.c @@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) struct scsi_cmnd *cmd = lrbp->cmd; struct ufs_hw_queue *hwq; void __iomem *reg, *opr_sqd_base; - u32 nexus, id, val; + u32 nexus, id, val, rtc; int err; if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC) @@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba *hba, int task_tag) opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id); writel(nexus, opr_sqd_base + REG_SQCTI); - /* SQRTCy.ICU = 1 */ - writel(SQ_ICU, opr_sqd_base + REG_SQRTC); + /* Initiate Cleanup */ + writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU, + opr_sqd_base + REG_SQRTC); /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */ reg = opr_sqd_base + REG_SQRTS; err = read_poll_timeout(readl, val, val & SQ_CUS, 20, MCQ_POLL_US, false, reg); - if (err) - dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n", - __func__, id, task_tag, - FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg))); + rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)); + if (err || rtc) + dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n", + __func__, id, task_tag, err, rtc); if (ufshcd_mcq_sq_start(hba, hwq)) err = -ETIMEDOUT; -- 2.45.2

9 months, 3 weeks

1
0
0 0

[PATCH 5.10/5.15 0/1] tty: add the option to have a tty reject a new ldisc

by Gavrilov Ilia

Syzkaller reports a sleeping function called from invalid context in do_con_write() in the 5.10 and 5.15 stable releases. The issue has been fixed by the following upstream patch that was adapted to 5.10 and 5.15. All of the changes made to the patch in order to adapt it are described at the end of the commit message. This patch has already been backported to the following stable branches: v6.9 - https://lore.kernel.org/all/20240625085551.368621044@linuxfoundation.org/ v6.6 - https://lore.kernel.org/all/20240625085539.398852153@linuxfoundation.org/ v6.1 - https://lore.kernel.org/all/20240625085527.625846117@linuxfoundation.org/ Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. Linus Torvalds (1): tty: add the option to have a tty reject a new ldisc drivers/tty/tty_ldisc.c | 6 ++++++ drivers/tty/vt/vt.c | 10 ++++++++++ include/linux/tty_driver.h | 8 ++++++++ 3 files changed, 24 insertions(+) -- 2.39.2

9 months, 3 weeks

1
1
0 0

[PATCH v1] usb: typec: Fix arg check for usb_power_delivery_unregister_capabilities

by Amit Sunil Dhamne

usb_power_delivery_register_capabilities() returns ERR_PTR in case of failure. usb_power_delivery_unregister_capabilities() we only check argument ("cap") for NULL. A more robust check would be checking for ERR_PTR as well. Cc: stable(a)vger.kernel.org Fixes: 662a60102c12 ("usb: typec: Separate USB Power Delivery from USB Type-C") Signed-off-by: Amit Sunil Dhamne <amitsd(a)google.com> Reviewed-by: Badhri Jagan Sridharan <badhri(a)google.com> --- drivers/usb/typec/pd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/pd.c b/drivers/usb/typec/pd.c index d78c04a421bc..761fe4dddf1b 100644 --- a/drivers/usb/typec/pd.c +++ b/drivers/usb/typec/pd.c @@ -519,7 +519,7 @@ EXPORT_SYMBOL_GPL(usb_power_delivery_register_capabilities); */ void usb_power_delivery_unregister_capabilities(struct usb_power_delivery_capabilities *cap) { - if (!cap) + if (IS_ERR_OR_NULL(cap)) return; device_for_each_child(&cap->dev, NULL, remove_pdo); base-commit: 68d4209158f43a558c5553ea95ab0c8975eab18c -- 2.46.0.792.g87dc391469-goog

9 months, 3 weeks

3
4
0 0

syzbot: KASAN: slab-out-of-bounds Read in xlog_pack_data

by Andrey Kalachev

Hi, I found that the syzbot bug 'KASAN: slab-out-of-bounds Read in xlog_pack_data' [1] has been fixed in master branch since v6.4-rc6-11-gf1e1765aad7d [2]. But, it still exist in LTS kernels: 5.4, 5.10, 5.15 [3], 6.1 [4] Common c-reproducer code can be found here [5]. I've made backport f1e1765aad7d ("xfs: journal geometry is not properly bounds checked") Patch for v5.15 & v6.1 is same with original upstream code. Patches for v5.4 and v5.10 has some cosmetic variations: `xfs_has_crc(mp)` call replaced by `xfs_sb_version_hascrc(&mp->m_sb)` at most. I would be grateful for any assistance. Regards, AK [1] https://syzkaller.appspot.com/bug?extid=b7854dc75e15ffc8c2ae [2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… [3] https://syzkaller.appspot.com/bug?extid=66f256de193ab682584f [4] https://syzkaller.appspot.com/bug?extid=904ffc7f25c759741787 [5] https://syzkaller.appspot.com/text?tag=ReproC&x=152f7343280000 Reported-by: syzbot+66f256de193ab682584f(a)syzkaller.appspotmail.com Reported-by: syzbot+904ffc7f25c759741787(a)syzkaller.appspotmail.com

9 months, 3 weeks

1
3
0 0

[PATCH v2 5.10.y] udf: Fold udf_getblk() into udf_bread()

by Sergey Shtylyov

Subject: [PATCH v2 5.10.y] udf: Fold udf_getblk() into udf_bread() From: Jan Kara <jack(a)suse.cz> [ Upstream commit 32f123a3f34283f9c6446de87861696f0502b02e ] udf_getblk() has a single call site. Fold it there. [Sergey: moved back to using udf_get_block() and buffer_{mapped|new}().] Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- This patch prevents NULL pointer dereference in case sb_getblk() fails... Changes in version 2: - mentioned the original commit. fs/udf/inode.c | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) Index: linux-stable/fs/udf/inode.c =================================================================== --- linux-stable.orig/fs/udf/inode.c +++ linux-stable/fs/udf/inode.c @@ -458,30 +458,6 @@ abort: return err; } -static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, - int create, int *err) -{ - struct buffer_head *bh; - struct buffer_head dummy; - - dummy.b_state = 0; - dummy.b_blocknr = -1000; - *err = udf_get_block(inode, block, &dummy, create); - if (!*err && buffer_mapped(&dummy)) { - bh = sb_getblk(inode->i_sb, dummy.b_blocknr); - if (buffer_new(&dummy)) { - lock_buffer(bh); - memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); - set_buffer_uptodate(bh); - unlock_buffer(bh); - mark_buffer_dirty_inode(bh, inode); - } - return bh; - } - - return NULL; -} - /* Extend the file with new blocks totaling 'new_block_bytes', * return the number of extents added */ @@ -1197,10 +1173,27 @@ struct buffer_head *udf_bread(struct ino int create, int *err) { struct buffer_head *bh = NULL; + struct buffer_head dummy; + + dummy.b_state = 0; + dummy.b_blocknr = -1000; + *err = udf_get_block(inode, block, &dummy, create); + if (*err || !buffer_mapped(&dummy)) + return NULL; - bh = udf_getblk(inode, block, create, err); - if (!bh) + bh = sb_getblk(inode->i_sb, dummy.b_blocknr); + if (!bh) { + *err = -ENOMEM; return NULL; + } + if (buffer_new(&dummy)) { + lock_buffer(bh); + memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); + set_buffer_uptodate(bh); + unlock_buffer(bh); + mark_buffer_dirty_inode(bh, inode); + return bh; + } if (buffer_uptodate(bh)) return bh;

9 months, 3 weeks

1
0
0 0

[PATCH v2 6.1.y] udf: Fold udf_getblk() into udf_bread()

by Sergey Shtylyov

From: Jan Kara <jack(a)suse.cz> [ Upstream commit 32f123a3f34283f9c6446de87861696f0502b02e ] udf_getblk() has a single call site. Fold it there. [Sergey: moved back to using udf_get_block() and buffer_{mapped|new}().] Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- This patch prevents NULL pointer dereference in case sb_getblk() fails... Changes in version 2: - mentioned the original commit. fs/udf/inode.c | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) Index: linux-stable/fs/udf/inode.c =================================================================== --- linux-stable.orig/fs/udf/inode.c +++ linux-stable/fs/udf/inode.c @@ -459,30 +459,6 @@ abort: return err; } -static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, - int create, int *err) -{ - struct buffer_head *bh; - struct buffer_head dummy; - - dummy.b_state = 0; - dummy.b_blocknr = -1000; - *err = udf_get_block(inode, block, &dummy, create); - if (!*err && buffer_mapped(&dummy)) { - bh = sb_getblk(inode->i_sb, dummy.b_blocknr); - if (buffer_new(&dummy)) { - lock_buffer(bh); - memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); - set_buffer_uptodate(bh); - unlock_buffer(bh); - mark_buffer_dirty_inode(bh, inode); - } - return bh; - } - - return NULL; -} - /* Extend the file with new blocks totaling 'new_block_bytes', * return the number of extents added */ @@ -1198,10 +1174,27 @@ struct buffer_head *udf_bread(struct ino int create, int *err) { struct buffer_head *bh = NULL; + struct buffer_head dummy; + + dummy.b_state = 0; + dummy.b_blocknr = -1000; + *err = udf_get_block(inode, block, &dummy, create); + if (*err || !buffer_mapped(&dummy)) + return NULL; - bh = udf_getblk(inode, block, create, err); - if (!bh) + bh = sb_getblk(inode->i_sb, dummy.b_blocknr); + if (!bh) { + *err = -ENOMEM; return NULL; + } + if (buffer_new(&dummy)) { + lock_buffer(bh); + memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); + set_buffer_uptodate(bh); + unlock_buffer(bh); + mark_buffer_dirty_inode(bh, inode); + return bh; + } if (bh_read(bh, 0) >= 0) return bh;

9 months, 3 weeks

1
0
0 0

[PATCH 18/21] drm/amd/display: Add HDR workaround for specific eDP

by Aurabindo Pillai

From: Alex Hung <alex.hung(a)amd.com> [WHY & HOW] Some eDP panels suffer from flicking when HDR is enabled in KDE. This quirk works around it by skipping VSC that is incompatible with eDP panels. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3151 Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 11 ++++++++++- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 ++++ drivers/gpu/drm/amd/display/dc/dc_types.h | 1 + 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 3fe7fe707a8a..3bf2db3b3059 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -6735,12 +6735,21 @@ create_stream_for_sink(struct drm_connector *connector, if (stream->signal == SIGNAL_TYPE_DISPLAY_PORT || stream->signal == SIGNAL_TYPE_DISPLAY_PORT_MST || stream->signal == SIGNAL_TYPE_EDP) { + const struct dc_edid_caps *edid_caps; + unsigned int disable_colorimetry = 0; + + if (aconnector->dc_sink) { + edid_caps = &aconnector->dc_sink->edid_caps; + disable_colorimetry = edid_caps->panel_patch.disable_colorimetry; + } + // // should decide stream support vsc sdp colorimetry capability // before building vsc info packet // stream->use_vsc_sdp_for_colorimetry = stream->link->dpcd_caps.dpcd_rev.raw >= 0x14 && - stream->link->dpcd_caps.dprx_feature.bits.VSC_SDP_COLORIMETRY_SUPPORTED; + stream->link->dpcd_caps.dprx_feature.bits.VSC_SDP_COLORIMETRY_SUPPORTED && + !disable_colorimetry; if (stream->out_transfer_func.tf == TRANSFER_FUNCTION_GAMMA22) tf = TRANSFER_FUNC_GAMMA_22; diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c index 39b82c73a0dd..b62b0406a6d1 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c @@ -73,6 +73,10 @@ static void apply_edid_quirks(struct edid *edid, struct dc_edid_caps *edid_caps) DRM_DEBUG_DRIVER("Clearing DPCD 0x317 on monitor with panel id %X\n", panel_id); edid_caps->panel_patch.remove_sink_ext_caps = true; break; + case drm_edid_encode_panel_id('S', 'D', 'C', 0x4154): + DRM_DEBUG_DRIVER("Disabling VSC on monitor with panel id %X\n", panel_id); + edid_caps->panel_patch.disable_colorimetry = true; + break; default: return; } diff --git a/drivers/gpu/drm/amd/display/dc/dc_types.h b/drivers/gpu/drm/amd/display/dc/dc_types.h index 2bbafd1cdce4..b0b7102fdbc7 100644 --- a/drivers/gpu/drm/amd/display/dc/dc_types.h +++ b/drivers/gpu/drm/amd/display/dc/dc_types.h @@ -178,6 +178,7 @@ struct dc_panel_patch { unsigned int skip_avmute; unsigned int mst_start_top_delay; unsigned int remove_sink_ext_caps; + unsigned int disable_colorimetry; uint8_t blankstream_before_otg_off; }; -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH 12/21] drm/amd/display: avoid set dispclk to 0

by Aurabindo Pillai

From: Charlene Liu <Charlene.Liu(a)amd.com> [why] set dispclk to 0 cause stability issue. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Charlene Liu <Charlene.Liu(a)amd.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> --- drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c index da9101b83e8c..70abd32ce2ad 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c @@ -766,6 +766,7 @@ static const struct dc_debug_options debug_defaults_drv = { .disable_dmub_reallow_idle = false, .static_screen_wait_frames = 2, .notify_dpia_hr_bw = true, + .min_disp_clk_khz = 50000, }; static const struct dc_panel_config panel_config_defaults = { -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH 03/21] drm/amd/display: Restore Optimized pbn Value if Failed to Disable DSC

by Aurabindo Pillai

From: Fangzhi Zuo <Jerry.Zuo(a)amd.com> Existing last step of dsc policy is to restore pbn value under minimum compression when try to greedily disable dsc for a stream failed to fit in MST bw. Optimized dsc params result from optimization step is not necessarily the minimum compression, therefore it is not correct to restore the pbn under minimum compression rate. Restore the pbn under minimum compression instead of the value from optimized pbn could result in the dsc params not correct at the modeset where atomic_check failed due to not enough bw. One or more monitors connected could not light up in such case. Restore the optimized pbn value, instead of using the pbn value under minimum compression. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Wayne Lin <wayne.lin(a)amd.com> Signed-off-by: Fangzhi Zuo <Jerry.Zuo(a)amd.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> --- .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 358c4bff1c40..88b9f4df8fd9 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -1026,6 +1026,7 @@ static int try_disable_dsc(struct drm_atomic_state *state, int remaining_to_try = 0; int ret; uint16_t fec_overhead_multiplier_x1000 = get_fec_overhead_multiplier(dc_link); + int var_pbn; for (i = 0; i < count; i++) { if (vars[i + k].dsc_enabled @@ -1056,13 +1057,18 @@ static int try_disable_dsc(struct drm_atomic_state *state, break; DRM_DEBUG_DRIVER("MST_DSC index #%d, try no compression\n", next_index); + var_pbn = vars[next_index].pbn; vars[next_index].pbn = kbps_to_peak_pbn(params[next_index].bw_range.stream_kbps, fec_overhead_multiplier_x1000); ret = drm_dp_atomic_find_time_slots(state, params[next_index].port->mgr, params[next_index].port, vars[next_index].pbn); - if (ret < 0) + if (ret < 0) { + DRM_DEBUG_DRIVER("%s:%d MST_DSC index #%d, failed to set pbn to the state, %d\n", + __func__, __LINE__, next_index, ret); + vars[next_index].pbn = var_pbn; return ret; + } ret = drm_dp_mst_atomic_check(state); if (ret == 0) { @@ -1070,14 +1076,17 @@ static int try_disable_dsc(struct drm_atomic_state *state, vars[next_index].dsc_enabled = false; vars[next_index].bpp_x16 = 0; } else { - DRM_DEBUG_DRIVER("MST_DSC index #%d, restore minimum compression\n", next_index); - vars[next_index].pbn = kbps_to_peak_pbn(params[next_index].bw_range.max_kbps, fec_overhead_multiplier_x1000); + DRM_DEBUG_DRIVER("MST_DSC index #%d, restore optimized pbn value\n", next_index); + vars[next_index].pbn = var_pbn; ret = drm_dp_atomic_find_time_slots(state, params[next_index].port->mgr, params[next_index].port, vars[next_index].pbn); - if (ret < 0) + if (ret < 0) { + DRM_DEBUG_DRIVER("%s:%d MST_DSC index #%d, failed to set pbn to the state, %d\n", + __func__, __LINE__, next_index, ret); return ret; + } } tried[next_index] = true; -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH 01/21] drm/amd/display: update DML2 policy EnhancedPrefetchScheduleAccelerationFinal DCN35

by Aurabindo Pillai

From: Yihan Zhu <Yihan.Zhu(a)amd.com> [WHY & HOW] Mismatch in DCN35 DML2 cause bw validation failed to acquire unexpected DPP pipe to cause grey screen and system hang. Remove EnhancedPrefetchScheduleAccelerationFinal value override to match HW spec. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Charlene Liu <charlene.liu(a)amd.com> Signed-off-by: Yihan Zhu <Yihan.Zhu(a)amd.com> Signed-off-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com> --- drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c index c4c52173ef22..11c904ae2958 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_policy.c @@ -303,7 +303,6 @@ void build_unoptimized_policy_settings(enum dml_project_id project, struct dml_m if (project == dml_project_dcn35 || project == dml_project_dcn351) { policy->DCCProgrammingAssumesScanDirectionUnknownFinal = false; - policy->EnhancedPrefetchScheduleAccelerationFinal = 0; policy->AllowForPStateChangeOrStutterInVBlankFinal = dml_prefetch_support_uclk_fclk_and_stutter_if_possible; /*new*/ policy->UseOnlyMaxPrefetchModes = 1; } -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH 5/10] Input: adp5588-keys - added a check key_val

by Denis Arefev

No upstream commit exists for this commit. If the adp5588_read function returns 0, then there will be an overflow of the kpad->keycode[key_val - 1] buffer. If the adp5588_read function returns a negative value, then the logic is broken - the wrong value is used as an index of the kpad->keycode array. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 69a4af606ed4 ("Input: adp5588-keys - support GPI events for ADP5588 devices") Cc: stable(a)vger.kernel.org Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/input/keyboard/adp5588-keys.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c index 90a59b973d00..19be8054eb5f 100644 --- a/drivers/input/keyboard/adp5588-keys.c +++ b/drivers/input/keyboard/adp5588-keys.c @@ -272,6 +272,8 @@ static void adp5588_report_events(struct adp5588_kpad *kpad, int ev_cnt) int key = adp5588_read(kpad->client, Key_EVENTA + i); int key_val = key & KEY_EV_MASK; + if (key_val <= 0) + continue; if (key_val >= GPI_PIN_BASE && key_val <= GPI_PIN_END) { for (j = 0; j < kpad->gpimapsize; j++) { if (key_val == kpad->gpimap[j].pin) { -- 2.25.1

9 months, 3 weeks

2
1
0 0

[PATCH v2 4.19/5.4/5.10 0/1] RDMA/cxgb4: Fix potential null-ptr-deref in pass_establish()

by Nikita Zhandarovich

The following patch aims to fix a possible NULL-ptr-dereference that occurs if a call to get_ep_from_tid() fails to assign nonzero value. Upstream commit 283861a4c52c1ea4df3dd1b6fc75a50796ce3524 has been backported up to version 5.15. For some reason, older stable branches have been ignored. This backport can be cleanly applied to 4.19, 5.4 and 5.10 versions. v2: Add stable maintainers as patch recepients.

9 months, 3 weeks

1
1
0 0

[PATCH 5.10/5.15 0/1] drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll()

by Nikita Zhandarovich

This patch addresses issues of integer overflow and possibly erroneous integer promotion in skl_ddi_calculate_wrpll() and skl_ddi_hdmi_pll_dividers() in kernel versions 5.10 and 5.15. The problem has been fixed in upstream and stable versions up to 6.1 with commit: 5b5115726601 ("drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll()") Due to changes to skl_ddi_calculate_wrpll() return value the patch had to be slightly modified during cherry-picking, leaving the original fix intact, and can now be cleanly applied to 5.10 and 5.15 kernels.

9 months, 3 weeks

1
1
0 0

[PATCH 5/10] Input: adp5588-keys - added a check key_val

by Denis Arefev

No upstream commit exists for this commit. If the adp5588_read function returns 0, then there will be an overflow of the kpad->keycode[key_val - 1] buffer. If the adp5588_read function returns a negative value, then the logic is broken - the wrong value is used as an index of the kpad->keycode array. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/input/keyboard/adp5588-keys.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c index 90a59b973d00..19be8054eb5f 100644 --- a/drivers/input/keyboard/adp5588-keys.c +++ b/drivers/input/keyboard/adp5588-keys.c @@ -272,6 +272,8 @@ static void adp5588_report_events(struct adp5588_kpad *kpad, int ev_cnt) int key = adp5588_read(kpad->client, Key_EVENTA + i); int key_val = key & KEY_EV_MASK; + if (key_val <= 0) + continue; if (key_val >= GPI_PIN_BASE && key_val <= GPI_PIN_END) { for (j = 0; j < kpad->gpimapsize; j++) { if (key_val == kpad->gpimap[j].pin) { -- 2.25.1

9 months, 3 weeks

1
0
0 0

Re: [PATCH net 3/3] net: enetc: reset xdp_tx_in_flight when updating bpf program

by Subbaraya Sundeep

On 2024-09-19 at 14:11:04, Wei Fang (wei.fang(a)nxp.com) wrote: > When running "xdp-bench tx eno0" to test the XDP_TX feature of ENETC > on LS1028A, it was found that if the command was re-run multiple times, > Rx could not receive the frames, and the result of xdo-bench showed > that the rx rate was 0. > > root@ls1028ardb:~# ./xdp-bench tx eno0 > Hairpinning (XDP_TX) packets on eno0 (ifindex 3; driver fsl_enetc) > Summary 2046 rx/s 0 err,drop/s > Summary 0 rx/s 0 err,drop/s > Summary 0 rx/s 0 err,drop/s > Summary 0 rx/s 0 err,drop/s > > By observing the Rx PIR and CIR registers, we found that CIR is always > equal to 0x7FF and PIR is always 0x7FE, which means that the Rx ring > is full and can no longer accommodate other Rx frames. Therefore, it > is obvious that the RX BD ring has not been cleaned up. > > Further analysis of the code revealed that the Rx BD ring will only > be cleaned if the "cleaned_cnt > xdp_tx_in_flight" condition is met. > Therefore, some debug logs were added to the driver and the current > values of cleaned_cnt and xdp_tx_in_flight were printed when the Rx > BD ring was full. The logs are as follows. > > [ 178.762419] [XDP TX] >> cleaned_cnt:1728, xdp_tx_in_flight:2140 > [ 178.771387] [XDP TX] >> cleaned_cnt:1941, xdp_tx_in_flight:2110 > [ 178.776058] [XDP TX] >> cleaned_cnt:1792, xdp_tx_in_flight:2110 > > From the results, we can see that the maximum value of xdp_tx_in_flight > has reached 2140. However, the size of the Rx BD ring is only 2048. This > is incredible, so checked the code again and found that the driver did > not reset xdp_tx_in_flight when installing or uninstalling bpf program, > resulting in xdp_tx_in_flight still retaining the value after the last > command was run. > > Fixes: c33bfaf91c4c ("net: enetc: set up XDP program under enetc_reconfigure()") > Cc: stable(a)vger.kernel.org > Signed-off-by: Wei Fang <wei.fang(a)nxp.com> Reviewed-by: Subbaraya Sundeep <sbhatta(a)marvell.com> Thanks, Sundeep

9 months, 3 weeks

1
0
0 0

[PATCH 6.1.y] udf: Fold udf_getblk() into udf_bread()

by Sergey Shtylyov

From: Jan Kara <jack(a)suse.cz> udf_getblk() has a single call site. Fold it there. [Sergey: moved back to using udf_get_block() and buffer_{mapped|new}().] Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- This patch prevents NULL pointer dereference in case sb_getblk() fails... fs/udf/inode.c | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) Index: linux-stable/fs/udf/inode.c =================================================================== --- linux-stable.orig/fs/udf/inode.c +++ linux-stable/fs/udf/inode.c @@ -459,30 +459,6 @@ abort: return err; } -static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, - int create, int *err) -{ - struct buffer_head *bh; - struct buffer_head dummy; - - dummy.b_state = 0; - dummy.b_blocknr = -1000; - *err = udf_get_block(inode, block, &dummy, create); - if (!*err && buffer_mapped(&dummy)) { - bh = sb_getblk(inode->i_sb, dummy.b_blocknr); - if (buffer_new(&dummy)) { - lock_buffer(bh); - memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); - set_buffer_uptodate(bh); - unlock_buffer(bh); - mark_buffer_dirty_inode(bh, inode); - } - return bh; - } - - return NULL; -} - /* Extend the file with new blocks totaling 'new_block_bytes', * return the number of extents added */ @@ -1198,10 +1174,27 @@ struct buffer_head *udf_bread(struct ino int create, int *err) { struct buffer_head *bh = NULL; + struct buffer_head dummy; + + dummy.b_state = 0; + dummy.b_blocknr = -1000; + *err = udf_get_block(inode, block, &dummy, create); + if (*err || !buffer_mapped(&dummy)) + return NULL; - bh = udf_getblk(inode, block, create, err); - if (!bh) + bh = sb_getblk(inode->i_sb, dummy.b_blocknr); + if (!bh) { + *err = -ENOMEM; return NULL; + } + if (buffer_new(&dummy)) { + lock_buffer(bh); + memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); + set_buffer_uptodate(bh); + unlock_buffer(bh); + mark_buffer_dirty_inode(bh, inode); + return bh; + } if (bh_read(bh, 0) >= 0) return bh;

9 months, 3 weeks

1
1
0 0

[PATCH] scsi: megaraid: Remove redundant check in megasas_init_fw()

by George Rurikov

This is cosmetic fix. The memory for 'fusion' (instance->ctrl_context) is allocated in megasas_alloc_ctrl_mem() in a call to megasas_alloc_fusion_context(). A possible allocation error is handled after megasas_alloc_ctrl_mem() with a fail_alloc_dma_buf label transition. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: stable(a)vger.kernel.org Signed-off-by: George Rurikov <g.ryurikov(a)securitycode.ru> --- drivers/scsi/megaraid/megaraid_sas_base.c | 111 +++++++++++----------- 1 file changed, 54 insertions(+), 57 deletions(-) diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c index 6c79c350a4d5..e4823680e009 100644 --- a/drivers/scsi/megaraid/megaraid_sas_base.c +++ b/drivers/scsi/megaraid/megaraid_sas_base.c @@ -6149,68 +6149,65 @@ static int megasas_init_fw(struct megasas_instance *instance) scratch_pad_1 = megasas_readl (instance, &instance->reg_set->outbound_scratch_pad_1); - /* Check max MSI-X vectors */ - if (fusion) { - if (instance->adapter_type == THUNDERBOLT_SERIES) { - /* Thunderbolt Series*/ - instance->msix_vectors = (scratch_pad_1 - & MR_MAX_REPLY_QUEUES_OFFSET) + 1; - } else { - instance->msix_vectors = ((scratch_pad_1 - & MR_MAX_REPLY_QUEUES_EXT_OFFSET) - >> MR_MAX_REPLY_QUEUES_EXT_OFFSET_SHIFT) + 1; - - /* - * For Invader series, > 8 MSI-x vectors - * supported by FW/HW implies combined - * reply queue mode is enabled. - * For Ventura series, > 16 MSI-x vectors - * supported by FW/HW implies combined - * reply queue mode is enabled. - */ - switch (instance->adapter_type) { - case INVADER_SERIES: - if (instance->msix_vectors > 8) - instance->msix_combined = true; - break; - case AERO_SERIES: - case VENTURA_SERIES: - if (instance->msix_vectors > 16) - instance->msix_combined = true; - break; - } - if (rdpq_enable) - instance->is_rdpq = (scratch_pad_1 & MR_RDPQ_MODE_OFFSET) ? - 1 : 0; + if (instance->adapter_type == THUNDERBOLT_SERIES) { + /* Thunderbolt Series*/ + instance->msix_vectors = (scratch_pad_1 + & MR_MAX_REPLY_QUEUES_OFFSET) + 1; + } else { + instance->msix_vectors = ((scratch_pad_1 + & MR_MAX_REPLY_QUEUES_EXT_OFFSET) + >> MR_MAX_REPLY_QUEUES_EXT_OFFSET_SHIFT) + 1; - if (instance->adapter_type >= INVADER_SERIES && - !instance->msix_combined) { - instance->msix_load_balance = true; - instance->smp_affinity_enable = false; - } + /* + * For Invader series, > 8 MSI-x vectors + * supported by FW/HW implies combined + * reply queue mode is enabled. + * For Ventura series, > 16 MSI-x vectors + * supported by FW/HW implies combined + * reply queue mode is enabled. + */ + switch (instance->adapter_type) { + case INVADER_SERIES: + if (instance->msix_vectors > 8) + instance->msix_combined = true; + break; + case AERO_SERIES: + case VENTURA_SERIES: + if (instance->msix_vectors > 16) + instance->msix_combined = true; + break; + } - /* Save 1-15 reply post index address to local memory - * Index 0 is already saved from reg offset - * MPI2_REPLY_POST_HOST_INDEX_OFFSET - */ - for (loop = 1; loop < MR_MAX_MSIX_REG_ARRAY; loop++) { - instance->reply_post_host_index_addr[loop] = - (u32 __iomem *) - ((u8 __iomem *)instance->reg_set + - MPI2_SUP_REPLY_POST_HOST_INDEX_OFFSET - + (loop * 0x10)); - } + if (rdpq_enable) + instance->is_rdpq = (scratch_pad_1 & MR_RDPQ_MODE_OFFSET) ? + 1 : 0; + + if (instance->adapter_type >= INVADER_SERIES && + !instance->msix_combined) { + instance->msix_load_balance = true; + instance->smp_affinity_enable = false; } - dev_info(&instance->pdev->dev, - "firmware supports msix\t: (%d)", - instance->msix_vectors); - if (msix_vectors) - instance->msix_vectors = min(msix_vectors, - instance->msix_vectors); - } else /* MFI adapters */ - instance->msix_vectors = 1; + /* Save 1-15 reply post index address to local memory + * Index 0 is already saved from reg offset + * MPI2_REPLY_POST_HOST_INDEX_OFFSET + */ + for (loop = 1; loop < MR_MAX_MSIX_REG_ARRAY; loop++) { + instance->reply_post_host_index_addr[loop] = + (u32 __iomem *) + ((u8 __iomem *)instance->reg_set + + MPI2_SUP_REPLY_POST_HOST_INDEX_OFFSET + + (loop * 0x10)); + } + } + + dev_info(&instance->pdev->dev, + "firmware supports msix\t: (%d)", + instance->msix_vectors); + if (msix_vectors) + instance->msix_vectors = min(msix_vectors, + instance->msix_vectors); /* -- 2.34.1 Заявление о конфиденциальности Данное электронное письмо и любые приложения к нему являются конфиденциальными и предназначены исключительно для адресата. Если Вы не являетесь адресатом данного письма, пожалуйста, уведомите немедленно отправителя, не раскрывайте содержание другим лицам, не используйте его в каких-либо целях, не храните и не копируйте информацию любым способом.

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 6.10 09/18] spi: spidev: Add an entry for elgin,jg10309-01

by Sasha Levin

From: Fabio Estevam <festevam(a)gmail.com> [ Upstream commit 5f3eee1eef5d0edd23d8ac0974f56283649a1512 ] The rv1108-elgin-r1 board has an LCD controlled via SPI in userspace. The marking on the LCD is JG10309-01. Add the "elgin,jg10309-01" compatible string. Signed-off-by: Fabio Estevam <festevam(a)gmail.com> Reviewed-by: Heiko Stuebner <heiko(a)sntech.de> Link: https://patch.msgid.link/20240828180057.3167190-2-festevam@gmail.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/spi/spidev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c index 5304728c68c2..14bf0fa65bef 100644 --- a/drivers/spi/spidev.c +++ b/drivers/spi/spidev.c @@ -731,6 +731,7 @@ static int spidev_of_check(struct device *dev) static const struct of_device_id spidev_dt_ids[] = { { .compatible = "cisco,spi-petra", .data = &spidev_of_check }, { .compatible = "dh,dhcom-board", .data = &spidev_of_check }, + { .compatible = "elgin,jg10309-01", .data = &spidev_of_check }, { .compatible = "lineartechnology,ltc2488", .data = &spidev_of_check }, { .compatible = "lwn,bk4", .data = &spidev_of_check }, { .compatible = "menlo,m53cpld", .data = &spidev_of_check }, -- 2.43.0

9 months, 3 weeks

2
2
0 0

[PATCH 5.4.y 1/1] inet: inet_defrag: prevent sk release while still in use

by Saeed Mirzamohammadi

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit 18685451fc4e546fc0e718580d32df3c0e5c8272 ] ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. Fixes: 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn().") Diagnosed-by: Eric Dumazet <edumazet(a)google.com> Reported-by: xingwei lee <xrivendell7(a)gmail.com> Reported-by: yue sun <samsun1006219(a)gmail.com> Reported-by: syzbot+e5167d7144a62715044c(a)syzkaller.appspotmail.com Signed-off-by: Florian Westphal <fw(a)strlen.de> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20240326101845.30836-1-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> (cherry picked from commit 7d0567842b78390dd9b60f00f1d8f838d540e325) CVE: CVE-2024-26921 Cc: stable(a)vger.kernel.org # 5.4 Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- include/linux/skbuff.h | 5 +- net/core/sock_destructor.h | 12 +++++ net/ipv4/inet_fragment.c | 70 ++++++++++++++++++++----- net/ipv4/ip_fragment.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- 5 files changed, 72 insertions(+), 19 deletions(-) create mode 100644 net/core/sock_destructor.h diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 29ccc33a1c627..3191d0ffc6e9a 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -704,10 +704,7 @@ struct sk_buff { struct list_head list; }; - union { - struct sock *sk; - int ip_defrag_offset; - }; + struct sock *sk; union { ktime_t tstamp; diff --git a/net/core/sock_destructor.h b/net/core/sock_destructor.h new file mode 100644 index 0000000000000..2f396e6bfba5a --- /dev/null +++ b/net/core/sock_destructor.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +#ifndef _NET_CORE_SOCK_DESTRUCTOR_H +#define _NET_CORE_SOCK_DESTRUCTOR_H +#include <net/tcp.h> + +static inline bool is_skb_wmem(const struct sk_buff *skb) +{ + return skb->destructor == sock_wfree || + skb->destructor == __sock_wfree || + (IS_ENABLED(CONFIG_INET) && skb->destructor == tcp_wfree); +} +#endif diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index e0e8a65d561ec..12ef3cb26676d 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -24,6 +24,8 @@ #include <net/ip.h> #include <net/ipv6.h> +#include "../core/sock_destructor.h" + /* Use skb->cb to track consecutive/adjacent fragments coming at * the end of the queue. Nodes in the rb-tree queue will * contain "runs" of one or more adjacent fragments. @@ -39,6 +41,7 @@ struct ipfrag_skb_cb { }; struct sk_buff *next_frag; int frag_run_len; + int ip_defrag_offset; }; #define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) @@ -359,12 +362,12 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, */ if (!last) fragrun_create(q, skb); /* First fragment. */ - else if (last->ip_defrag_offset + last->len < end) { + else if (FRAG_CB(last)->ip_defrag_offset + last->len < end) { /* This is the common case: skb goes to the end. */ /* Detect and discard overlaps. */ - if (offset < last->ip_defrag_offset + last->len) + if (offset < FRAG_CB(last)->ip_defrag_offset + last->len) return IPFRAG_OVERLAP; - if (offset == last->ip_defrag_offset + last->len) + if (offset == FRAG_CB(last)->ip_defrag_offset + last->len) fragrun_append_to_last(q, skb); else fragrun_create(q, skb); @@ -381,13 +384,13 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, parent = *rbn; curr = rb_to_skb(parent); - curr_run_end = curr->ip_defrag_offset + + curr_run_end = FRAG_CB(curr)->ip_defrag_offset + FRAG_CB(curr)->frag_run_len; - if (end <= curr->ip_defrag_offset) + if (end <= FRAG_CB(curr)->ip_defrag_offset) rbn = &parent->rb_left; else if (offset >= curr_run_end) rbn = &parent->rb_right; - else if (offset >= curr->ip_defrag_offset && + else if (offset >= FRAG_CB(curr)->ip_defrag_offset && end <= curr_run_end) return IPFRAG_DUP; else @@ -401,7 +404,7 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, rb_insert_color(&skb->rbnode, &q->rb_fragments); } - skb->ip_defrag_offset = offset; + FRAG_CB(skb)->ip_defrag_offset = offset; return IPFRAG_OK; } @@ -411,13 +414,28 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, struct sk_buff *parent) { struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments); - struct sk_buff **nextp; + void (*destructor)(struct sk_buff *); + unsigned int orig_truesize = 0; + struct sk_buff **nextp = NULL; + struct sock *sk = skb->sk; int delta; + if (sk && is_skb_wmem(skb)) { + /* TX: skb->sk might have been passed as argument to + * dst->output and must remain valid until tx completes. + * + * Move sk to reassembled skb and fix up wmem accounting. + */ + orig_truesize = skb->truesize; + destructor = skb->destructor; + } + if (head != skb) { fp = skb_clone(skb, GFP_ATOMIC); - if (!fp) - return NULL; + if (!fp) { + head = skb; + goto out_restore_sk; + } FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; if (RB_EMPTY_NODE(&skb->rbnode)) FRAG_CB(parent)->next_frag = fp; @@ -426,6 +444,12 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, &q->rb_fragments); if (q->fragments_tail == skb) q->fragments_tail = fp; + + if (orig_truesize) { + /* prevent skb_morph from releasing sk */ + skb->sk = NULL; + skb->destructor = NULL; + } skb_morph(skb, head); FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; rb_replace_node(&head->rbnode, &skb->rbnode, @@ -433,13 +457,13 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, consume_skb(head); head = skb; } - WARN_ON(head->ip_defrag_offset != 0); + WARN_ON(FRAG_CB(head)->ip_defrag_offset != 0); delta = -head->truesize; /* Head of list must not be cloned. */ if (skb_unclone(head, GFP_ATOMIC)) - return NULL; + goto out_restore_sk; delta += head->truesize; if (delta) @@ -455,7 +479,7 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, clone = alloc_skb(0, GFP_ATOMIC); if (!clone) - return NULL; + goto out_restore_sk; skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; skb_frag_list_init(head); for (i = 0; i < skb_shinfo(head)->nr_frags; i++) @@ -472,6 +496,21 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, nextp = &skb_shinfo(head)->frag_list; } +out_restore_sk: + if (orig_truesize) { + int ts_delta = head->truesize - orig_truesize; + + /* if this reassembled skb is fragmented later, + * fraglist skbs will get skb->sk assigned from head->sk, + * and each frag skb will be released via sock_wfree. + * + * Update sk_wmem_alloc. + */ + head->sk = sk; + head->destructor = destructor; + refcount_add(ts_delta, &sk->sk_wmem_alloc); + } + return nextp; } EXPORT_SYMBOL(inet_frag_reasm_prepare); @@ -479,6 +518,8 @@ EXPORT_SYMBOL(inet_frag_reasm_prepare); void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, void *reasm_data, bool try_coalesce) { + struct sock *sk = is_skb_wmem(head) ? head->sk : NULL; + const unsigned int head_truesize = head->truesize; struct sk_buff **nextp = (struct sk_buff **)reasm_data; struct rb_node *rbn; struct sk_buff *fp; @@ -541,6 +582,9 @@ void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, skb_mark_not_on_list(head); head->prev = NULL; head->tstamp = q->stamp; + + if (sk) + refcount_add(sum_truesize - head_truesize, &sk->sk_wmem_alloc); } EXPORT_SYMBOL(inet_frag_reasm_finish); diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index fad803d2d711e..ec2264adf2a6a 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -377,6 +377,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -479,7 +480,6 @@ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) struct ipq *qp; __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); - skb_orphan(skb); /* Lookup (or create) queue header */ qp = ip_find(net, ip_hdr(skb), user, vif); diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index fed9666a2f7da..cab68c63ea65e 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -296,6 +296,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -461,7 +462,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) hdr = ipv6_hdr(skb); fhdr = (struct frag_hdr *)skb_transport_header(skb); - skb_orphan(skb); fq = fq_find(net, fhdr->identification, user, hdr, skb->dev ? skb->dev->ifindex : 0); if (fq == NULL) { -- 2.45.2

9 months, 3 weeks

1
0
0 0

[PATCH 5.10.y 1/1] inet: inet_defrag: prevent sk release while still in use

by Saeed Mirzamohammadi

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit 18685451fc4e546fc0e718580d32df3c0e5c8272 ] ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. Fixes: 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn().") Diagnosed-by: Eric Dumazet <edumazet(a)google.com> Reported-by: xingwei lee <xrivendell7(a)gmail.com> Reported-by: yue sun <samsun1006219(a)gmail.com> Reported-by: syzbot+e5167d7144a62715044c(a)syzkaller.appspotmail.com Signed-off-by: Florian Westphal <fw(a)strlen.de> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20240326101845.30836-1-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> (cherry picked from commit 7d0567842b78390dd9b60f00f1d8f838d540e325) CVE: CVE-2024-26921 Cc: stable(a)vger.kernel.org # 5.10 Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- include/linux/skbuff.h | 5 +- net/core/sock_destructor.h | 12 +++++ net/ipv4/inet_fragment.c | 70 ++++++++++++++++++++----- net/ipv4/ip_fragment.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- 5 files changed, 72 insertions(+), 19 deletions(-) create mode 100644 net/core/sock_destructor.h diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 31755d496b01d..31ae4b74d4352 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -733,10 +733,7 @@ struct sk_buff { struct list_head list; }; - union { - struct sock *sk; - int ip_defrag_offset; - }; + struct sock *sk; union { ktime_t tstamp; diff --git a/net/core/sock_destructor.h b/net/core/sock_destructor.h new file mode 100644 index 0000000000000..2f396e6bfba5a --- /dev/null +++ b/net/core/sock_destructor.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +#ifndef _NET_CORE_SOCK_DESTRUCTOR_H +#define _NET_CORE_SOCK_DESTRUCTOR_H +#include <net/tcp.h> + +static inline bool is_skb_wmem(const struct sk_buff *skb) +{ + return skb->destructor == sock_wfree || + skb->destructor == __sock_wfree || + (IS_ENABLED(CONFIG_INET) && skb->destructor == tcp_wfree); +} +#endif diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index e0e8a65d561ec..12ef3cb26676d 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -24,6 +24,8 @@ #include <net/ip.h> #include <net/ipv6.h> +#include "../core/sock_destructor.h" + /* Use skb->cb to track consecutive/adjacent fragments coming at * the end of the queue. Nodes in the rb-tree queue will * contain "runs" of one or more adjacent fragments. @@ -39,6 +41,7 @@ struct ipfrag_skb_cb { }; struct sk_buff *next_frag; int frag_run_len; + int ip_defrag_offset; }; #define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) @@ -359,12 +362,12 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, */ if (!last) fragrun_create(q, skb); /* First fragment. */ - else if (last->ip_defrag_offset + last->len < end) { + else if (FRAG_CB(last)->ip_defrag_offset + last->len < end) { /* This is the common case: skb goes to the end. */ /* Detect and discard overlaps. */ - if (offset < last->ip_defrag_offset + last->len) + if (offset < FRAG_CB(last)->ip_defrag_offset + last->len) return IPFRAG_OVERLAP; - if (offset == last->ip_defrag_offset + last->len) + if (offset == FRAG_CB(last)->ip_defrag_offset + last->len) fragrun_append_to_last(q, skb); else fragrun_create(q, skb); @@ -381,13 +384,13 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, parent = *rbn; curr = rb_to_skb(parent); - curr_run_end = curr->ip_defrag_offset + + curr_run_end = FRAG_CB(curr)->ip_defrag_offset + FRAG_CB(curr)->frag_run_len; - if (end <= curr->ip_defrag_offset) + if (end <= FRAG_CB(curr)->ip_defrag_offset) rbn = &parent->rb_left; else if (offset >= curr_run_end) rbn = &parent->rb_right; - else if (offset >= curr->ip_defrag_offset && + else if (offset >= FRAG_CB(curr)->ip_defrag_offset && end <= curr_run_end) return IPFRAG_DUP; else @@ -401,7 +404,7 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, rb_insert_color(&skb->rbnode, &q->rb_fragments); } - skb->ip_defrag_offset = offset; + FRAG_CB(skb)->ip_defrag_offset = offset; return IPFRAG_OK; } @@ -411,13 +414,28 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, struct sk_buff *parent) { struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments); - struct sk_buff **nextp; + void (*destructor)(struct sk_buff *); + unsigned int orig_truesize = 0; + struct sk_buff **nextp = NULL; + struct sock *sk = skb->sk; int delta; + if (sk && is_skb_wmem(skb)) { + /* TX: skb->sk might have been passed as argument to + * dst->output and must remain valid until tx completes. + * + * Move sk to reassembled skb and fix up wmem accounting. + */ + orig_truesize = skb->truesize; + destructor = skb->destructor; + } + if (head != skb) { fp = skb_clone(skb, GFP_ATOMIC); - if (!fp) - return NULL; + if (!fp) { + head = skb; + goto out_restore_sk; + } FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; if (RB_EMPTY_NODE(&skb->rbnode)) FRAG_CB(parent)->next_frag = fp; @@ -426,6 +444,12 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, &q->rb_fragments); if (q->fragments_tail == skb) q->fragments_tail = fp; + + if (orig_truesize) { + /* prevent skb_morph from releasing sk */ + skb->sk = NULL; + skb->destructor = NULL; + } skb_morph(skb, head); FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; rb_replace_node(&head->rbnode, &skb->rbnode, @@ -433,13 +457,13 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, consume_skb(head); head = skb; } - WARN_ON(head->ip_defrag_offset != 0); + WARN_ON(FRAG_CB(head)->ip_defrag_offset != 0); delta = -head->truesize; /* Head of list must not be cloned. */ if (skb_unclone(head, GFP_ATOMIC)) - return NULL; + goto out_restore_sk; delta += head->truesize; if (delta) @@ -455,7 +479,7 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, clone = alloc_skb(0, GFP_ATOMIC); if (!clone) - return NULL; + goto out_restore_sk; skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; skb_frag_list_init(head); for (i = 0; i < skb_shinfo(head)->nr_frags; i++) @@ -472,6 +496,21 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, nextp = &skb_shinfo(head)->frag_list; } +out_restore_sk: + if (orig_truesize) { + int ts_delta = head->truesize - orig_truesize; + + /* if this reassembled skb is fragmented later, + * fraglist skbs will get skb->sk assigned from head->sk, + * and each frag skb will be released via sock_wfree. + * + * Update sk_wmem_alloc. + */ + head->sk = sk; + head->destructor = destructor; + refcount_add(ts_delta, &sk->sk_wmem_alloc); + } + return nextp; } EXPORT_SYMBOL(inet_frag_reasm_prepare); @@ -479,6 +518,8 @@ EXPORT_SYMBOL(inet_frag_reasm_prepare); void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, void *reasm_data, bool try_coalesce) { + struct sock *sk = is_skb_wmem(head) ? head->sk : NULL; + const unsigned int head_truesize = head->truesize; struct sk_buff **nextp = (struct sk_buff **)reasm_data; struct rb_node *rbn; struct sk_buff *fp; @@ -541,6 +582,9 @@ void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, skb_mark_not_on_list(head); head->prev = NULL; head->tstamp = q->stamp; + + if (sk) + refcount_add(sum_truesize - head_truesize, &sk->sk_wmem_alloc); } EXPORT_SYMBOL(inet_frag_reasm_finish); diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index fad803d2d711e..ec2264adf2a6a 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -377,6 +377,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -479,7 +480,6 @@ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) struct ipq *qp; __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); - skb_orphan(skb); /* Lookup (or create) queue header */ qp = ip_find(net, ip_hdr(skb), user, vif); diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index c129ad334eb39..8c2163f95711c 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -296,6 +296,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -471,7 +472,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) hdr = ipv6_hdr(skb); fhdr = (struct frag_hdr *)skb_transport_header(skb); - skb_orphan(skb); fq = fq_find(net, fhdr->identification, user, hdr, skb->dev ? skb->dev->ifindex : 0); if (fq == NULL) { -- 2.45.2

9 months, 3 weeks

1
0
0 0

[PATCH 5.15.y 1/1] inet: inet_defrag: prevent sk release while still in use

by Saeed Mirzamohammadi

From: Florian Westphal <fw(a)strlen.de> [ Upstream commit 18685451fc4e546fc0e718580d32df3c0e5c8272 ] ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. Fixes: 7026b1ddb6b8 ("netfilter: Pass socket pointer down through okfn().") Diagnosed-by: Eric Dumazet <edumazet(a)google.com> Reported-by: xingwei lee <xrivendell7(a)gmail.com> Reported-by: yue sun <samsun1006219(a)gmail.com> Reported-by: syzbot+e5167d7144a62715044c(a)syzkaller.appspotmail.com Signed-off-by: Florian Westphal <fw(a)strlen.de> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://lore.kernel.org/r/20240326101845.30836-1-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> (cherry picked from commit 7d0567842b78390dd9b60f00f1d8f838d540e325) CVE: CVE-2024-26921 Cc: stable(a)vger.kernel.org # 5.15 Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com> --- include/linux/skbuff.h | 7 +-- net/ipv4/inet_fragment.c | 70 ++++++++++++++++++++----- net/ipv4/ip_fragment.c | 2 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +- 4 files changed, 60 insertions(+), 21 deletions(-) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index b230c422dc3b9..7f52562fac19c 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -660,8 +660,6 @@ typedef unsigned char *sk_buff_data_t; * @rbnode: RB tree node, alternative to next/prev for netem/tcp * @list: queue head * @sk: Socket we are owned by - * @ip_defrag_offset: (aka @sk) alternate use of @sk, used in - * fragmentation management * @dev: Device we arrived on/are leaving by * @dev_scratch: (aka @dev) alternate use of @dev when @dev would be %NULL * @cb: Control buffer. Free for use by every layer. Put private vars here @@ -778,10 +776,7 @@ struct sk_buff { struct list_head list; }; - union { - struct sock *sk; - int ip_defrag_offset; - }; + struct sock *sk; union { ktime_t tstamp; diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index 341096807100c..7e38170111999 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -24,6 +24,8 @@ #include <net/ip.h> #include <net/ipv6.h> +#include "../core/sock_destructor.h" + /* Use skb->cb to track consecutive/adjacent fragments coming at * the end of the queue. Nodes in the rb-tree queue will * contain "runs" of one or more adjacent fragments. @@ -39,6 +41,7 @@ struct ipfrag_skb_cb { }; struct sk_buff *next_frag; int frag_run_len; + int ip_defrag_offset; }; #define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb)) @@ -390,12 +393,12 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, */ if (!last) fragrun_create(q, skb); /* First fragment. */ - else if (last->ip_defrag_offset + last->len < end) { + else if (FRAG_CB(last)->ip_defrag_offset + last->len < end) { /* This is the common case: skb goes to the end. */ /* Detect and discard overlaps. */ - if (offset < last->ip_defrag_offset + last->len) + if (offset < FRAG_CB(last)->ip_defrag_offset + last->len) return IPFRAG_OVERLAP; - if (offset == last->ip_defrag_offset + last->len) + if (offset == FRAG_CB(last)->ip_defrag_offset + last->len) fragrun_append_to_last(q, skb); else fragrun_create(q, skb); @@ -412,13 +415,13 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, parent = *rbn; curr = rb_to_skb(parent); - curr_run_end = curr->ip_defrag_offset + + curr_run_end = FRAG_CB(curr)->ip_defrag_offset + FRAG_CB(curr)->frag_run_len; - if (end <= curr->ip_defrag_offset) + if (end <= FRAG_CB(curr)->ip_defrag_offset) rbn = &parent->rb_left; else if (offset >= curr_run_end) rbn = &parent->rb_right; - else if (offset >= curr->ip_defrag_offset && + else if (offset >= FRAG_CB(curr)->ip_defrag_offset && end <= curr_run_end) return IPFRAG_DUP; else @@ -432,7 +435,7 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb, rb_insert_color(&skb->rbnode, &q->rb_fragments); } - skb->ip_defrag_offset = offset; + FRAG_CB(skb)->ip_defrag_offset = offset; return IPFRAG_OK; } @@ -442,13 +445,28 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, struct sk_buff *parent) { struct sk_buff *fp, *head = skb_rb_first(&q->rb_fragments); - struct sk_buff **nextp; + void (*destructor)(struct sk_buff *); + unsigned int orig_truesize = 0; + struct sk_buff **nextp = NULL; + struct sock *sk = skb->sk; int delta; + if (sk && is_skb_wmem(skb)) { + /* TX: skb->sk might have been passed as argument to + * dst->output and must remain valid until tx completes. + * + * Move sk to reassembled skb and fix up wmem accounting. + */ + orig_truesize = skb->truesize; + destructor = skb->destructor; + } + if (head != skb) { fp = skb_clone(skb, GFP_ATOMIC); - if (!fp) - return NULL; + if (!fp) { + head = skb; + goto out_restore_sk; + } FRAG_CB(fp)->next_frag = FRAG_CB(skb)->next_frag; if (RB_EMPTY_NODE(&skb->rbnode)) FRAG_CB(parent)->next_frag = fp; @@ -457,6 +475,12 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, &q->rb_fragments); if (q->fragments_tail == skb) q->fragments_tail = fp; + + if (orig_truesize) { + /* prevent skb_morph from releasing sk */ + skb->sk = NULL; + skb->destructor = NULL; + } skb_morph(skb, head); FRAG_CB(skb)->next_frag = FRAG_CB(head)->next_frag; rb_replace_node(&head->rbnode, &skb->rbnode, @@ -464,13 +488,13 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, consume_skb(head); head = skb; } - WARN_ON(head->ip_defrag_offset != 0); + WARN_ON(FRAG_CB(head)->ip_defrag_offset != 0); delta = -head->truesize; /* Head of list must not be cloned. */ if (skb_unclone(head, GFP_ATOMIC)) - return NULL; + goto out_restore_sk; delta += head->truesize; if (delta) @@ -486,7 +510,7 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, clone = alloc_skb(0, GFP_ATOMIC); if (!clone) - return NULL; + goto out_restore_sk; skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; skb_frag_list_init(head); for (i = 0; i < skb_shinfo(head)->nr_frags; i++) @@ -503,6 +527,21 @@ void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb, nextp = &skb_shinfo(head)->frag_list; } +out_restore_sk: + if (orig_truesize) { + int ts_delta = head->truesize - orig_truesize; + + /* if this reassembled skb is fragmented later, + * fraglist skbs will get skb->sk assigned from head->sk, + * and each frag skb will be released via sock_wfree. + * + * Update sk_wmem_alloc. + */ + head->sk = sk; + head->destructor = destructor; + refcount_add(ts_delta, &sk->sk_wmem_alloc); + } + return nextp; } EXPORT_SYMBOL(inet_frag_reasm_prepare); @@ -510,6 +549,8 @@ EXPORT_SYMBOL(inet_frag_reasm_prepare); void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, void *reasm_data, bool try_coalesce) { + struct sock *sk = is_skb_wmem(head) ? head->sk : NULL; + const unsigned int head_truesize = head->truesize; struct sk_buff **nextp = (struct sk_buff **)reasm_data; struct rb_node *rbn; struct sk_buff *fp; @@ -572,6 +613,9 @@ void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head, skb_mark_not_on_list(head); head->prev = NULL; head->tstamp = q->stamp; + + if (sk) + refcount_add(sum_truesize - head_truesize, &sk->sk_wmem_alloc); } EXPORT_SYMBOL(inet_frag_reasm_finish); diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index fad803d2d711e..ec2264adf2a6a 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -377,6 +377,7 @@ static int ip_frag_queue(struct ipq *qp, struct sk_buff *skb) } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -479,7 +480,6 @@ int ip_defrag(struct net *net, struct sk_buff *skb, u32 user) struct ipq *qp; __IP_INC_STATS(net, IPSTATS_MIB_REASMREQDS); - skb_orphan(skb); /* Lookup (or create) queue header */ qp = ip_find(net, ip_hdr(skb), user, vif); diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 2e5b090d7c89f..0ec5ec5a5b45a 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -297,6 +297,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb, } skb_dst_drop(skb); + skb_orphan(skb); return -EINPROGRESS; insert_error: @@ -472,7 +473,6 @@ int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) hdr = ipv6_hdr(skb); fhdr = (struct frag_hdr *)skb_transport_header(skb); - skb_orphan(skb); fq = fq_find(net, fhdr->identification, user, hdr, skb->dev ? skb->dev->ifindex : 0); if (fq == NULL) { -- 2.45.2

9 months, 3 weeks

1
0
0 0

[PATCH v4 5/5] tpm: flush the auth session only when /dev/tpm0 is open

by Jarkko Sakkinen

Instead of flushing and reloading the auth session for every single transaction, keep the session open unless /dev/tpm0 is used. In practice this means applying TPM2_SA_CONTINUE_SESSION to the session attributes. Flush the session always when /dev/tpm0 is written. Reported-by: Pengyu Ma <mapengyu(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219229 Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 7ca110f2679b ("tpm: Address !chip->auth in tpm_buf_append_hmac_session*()") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Changed as bug. v3: - Refined the commit message. - Removed the conditional for applying TPM2_SA_CONTINUE_SESSION only when /dev/tpm0 is open. It is not required as the auth session is flushed, not saved. v2: - A new patch. --- drivers/char/tpm/tpm-chip.c | 1 + drivers/char/tpm/tpm-dev-common.c | 1 + drivers/char/tpm/tpm-interface.c | 1 + drivers/char/tpm/tpm2-sessions.c | 3 +++ 4 files changed, 6 insertions(+) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 0ea00e32f575..7a6bb30d1f32 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -680,6 +680,7 @@ void tpm_chip_unregister(struct tpm_chip *chip) rc = tpm_try_get_ops(chip); if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 4eaa8e05c291..a3ed7a99a394 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -29,6 +29,7 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, #ifdef CONFIG_TCG_TPM2_HMAC if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index bfa47d48b0f2..2363018fa8fb 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -381,6 +381,7 @@ int tpm_pm_suspend(struct device *dev) if (!rc) { if (chip->flags & TPM_CHIP_FLAG_TPM2) { #ifdef CONFIG_TCG_TPM2_HMAC + tpm2_end_auth_session(chip); tpm2_flush_context(chip, chip->null_key); chip->null_key = 0; #endif diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 6371e0ee88b0..e9d3a6a9d397 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -333,6 +333,9 @@ void tpm_buf_append_hmac_session(struct tpm_chip *chip, struct tpm_buf *buf, } #ifdef CONFIG_TCG_TPM2_HMAC + /* The first write to /dev/tpm{rm0} will flush the session. */ + attributes |= TPM2_SA_CONTINUE_SESSION; + /* * The Architecture Guide requires us to strip trailing zeros * before computing the HMAC -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH v4 4/5] tpm: Allocate chip->auth in tpm2_start_auth_session()

by Jarkko Sakkinen

Move allocation of chip->auth to tpm2_start_auth_session() so that the field can be used as flag to tell whether auth session is active or not. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: 699e3efd6c64 ("tpm: Add HMAC session start and end functions") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Change to bug. v3: - No changes. v2: - A new patch. --- drivers/char/tpm/tpm2-sessions.c | 43 +++++++++++++++++++------------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 42eb910e9acc..6371e0ee88b0 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -484,7 +484,8 @@ static void tpm2_KDFe(u8 z[EC_PT_SZ], const char *str, u8 *pt_u, u8 *pt_v, sha256_final(&sctx, out); } -static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) +static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip, + struct tpm2_auth *auth) { struct crypto_kpp *kpp; struct kpp_request *req; @@ -543,7 +544,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) sg_set_buf(&s[0], chip->null_ec_key_x, EC_PT_SZ); sg_set_buf(&s[1], chip->null_ec_key_y, EC_PT_SZ); kpp_request_set_input(req, s, EC_PT_SZ*2); - sg_init_one(d, chip->auth->salt, EC_PT_SZ); + sg_init_one(d, auth->salt, EC_PT_SZ); kpp_request_set_output(req, d, EC_PT_SZ); crypto_kpp_compute_shared_secret(req); kpp_request_free(req); @@ -554,8 +555,7 @@ static void tpm_buf_append_salt(struct tpm_buf *buf, struct tpm_chip *chip) * This works because KDFe fully consumes the secret before it * writes the salt */ - tpm2_KDFe(chip->auth->salt, "SECRET", x, chip->null_ec_key_x, - chip->auth->salt); + tpm2_KDFe(auth->salt, "SECRET", x, chip->null_ec_key_x, auth->salt); out: crypto_free_kpp(kpp); @@ -854,6 +854,8 @@ int tpm_buf_check_hmac_response(struct tpm_chip *chip, struct tpm_buf *buf, /* manually close the session if it wasn't consumed */ tpm2_flush_context(chip, auth->handle); memzero_explicit(auth, sizeof(*auth)); + kfree(auth); + chip->auth = NULL; } else { /* reset for next use */ auth->session = TPM_HEADER_SIZE; @@ -882,6 +884,8 @@ void tpm2_end_auth_session(struct tpm_chip *chip) tpm2_flush_context(chip, auth->handle); memzero_explicit(auth, sizeof(*auth)); + kfree(auth); + chip->auth = NULL; } EXPORT_SYMBOL(tpm2_end_auth_session); @@ -969,25 +973,29 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) */ int tpm2_start_auth_session(struct tpm_chip *chip) { + struct tpm2_auth *auth; struct tpm_buf buf; - struct tpm2_auth *auth = chip->auth; - int rc; u32 null_key; + int rc; - if (!auth) { - dev_warn_once(&chip->dev, "auth session is not active\n"); + if (chip->auth) { + dev_warn_once(&chip->dev, "auth session is active\n"); return 0; } + auth = kzalloc(sizeof(*auth), GFP_KERNEL); + if (!auth) + return -ENOMEM; + rc = tpm2_load_null(chip, &null_key); if (rc) - goto out; + goto err; auth->session = TPM_HEADER_SIZE; rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_START_AUTH_SESS); if (rc) - goto out; + goto err; /* salt key handle */ tpm_buf_append_u32(&buf, null_key); @@ -999,7 +1007,7 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append(&buf, auth->our_nonce, sizeof(auth->our_nonce)); /* append encrypted salt and squirrel away unencrypted in auth */ - tpm_buf_append_salt(&buf, chip); + tpm_buf_append_salt(&buf, chip, auth); /* session type (HMAC, audit or policy) */ tpm_buf_append_u8(&buf, TPM2_SE_HMAC); @@ -1020,10 +1028,13 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_destroy(&buf); - if (rc) - goto out; + if (rc == TPM2_RC_SUCCESS) { + chip->auth = auth; + return 0; + } - out: +err: + kfree(auth); return rc; } EXPORT_SYMBOL(tpm2_start_auth_session); @@ -1375,10 +1386,6 @@ int tpm2_sessions_init(struct tpm_chip *chip) if (rc) return rc; - chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); - if (!chip->auth) - return -ENOMEM; - return rc; } #endif /* CONFIG_TCG_TPM2_HMAC */ -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH v4 3/5] tpm: flush the null key only when /dev/tpm0 is accessed

by Jarkko Sakkinen

Instead of flushing and reloading the null key for every single auth session, flush it only when: 1. User space needs to access /dev/tpm{rm}0. 2. When going to sleep. 3. When unregistering the chip. This removes the need to load and swap the null key between TPM and regular memory per transaction, when the user space is not using the chip. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Tested-by: Pengyu Ma <mapengyu(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Changed to bug fix as not having the patch there is a major hit to bootup times. v3: - Unchanged. v2: - Refined the commit message. - Added tested-by from Pengyu Ma <mapengyu(a)gmail.com>. - Removed spurious pr_info() statement. --- drivers/char/tpm/tpm-chip.c | 13 +++++++++++++ drivers/char/tpm/tpm-dev-common.c | 7 +++++++ drivers/char/tpm/tpm-interface.c | 9 +++++++-- drivers/char/tpm/tpm2-cmd.c | 3 +++ drivers/char/tpm/tpm2-sessions.c | 17 ++++++++++++++--- include/linux/tpm.h | 2 ++ 6 files changed, 46 insertions(+), 5 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 854546000c92..0ea00e32f575 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c @@ -674,6 +674,19 @@ EXPORT_SYMBOL_GPL(tpm_chip_register); */ void tpm_chip_unregister(struct tpm_chip *chip) { +#ifdef CONFIG_TCG_TPM2_HMAC + int rc; + + rc = tpm_try_get_ops(chip); + if (!rc) { + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; + } + tpm_put_ops(chip); + } +#endif + tpm_del_legacy_sysfs(chip); if (tpm_is_hwrng_enabled(chip)) hwrng_unregister(&chip->hwrng); diff --git a/drivers/char/tpm/tpm-dev-common.c b/drivers/char/tpm/tpm-dev-common.c index 30b4c288c1bb..4eaa8e05c291 100644 --- a/drivers/char/tpm/tpm-dev-common.c +++ b/drivers/char/tpm/tpm-dev-common.c @@ -27,6 +27,13 @@ static ssize_t tpm_dev_transmit(struct tpm_chip *chip, struct tpm_space *space, struct tpm_header *header = (void *)buf; ssize_t ret, len; +#ifdef CONFIG_TCG_TPM2_HMAC + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; + } +#endif + ret = tpm2_prepare_space(chip, space, buf, bufsiz); /* If the command is not implemented by the TPM, synthesize a * response with a TPM2_RC_COMMAND_CODE return for user-space. diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 5da134f12c9a..bfa47d48b0f2 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -379,10 +379,15 @@ int tpm_pm_suspend(struct device *dev) rc = tpm_try_get_ops(chip); if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) + if (chip->flags & TPM_CHIP_FLAG_TPM2) { +#ifdef CONFIG_TCG_TPM2_HMAC + tpm2_flush_context(chip, chip->null_key); + chip->null_key = 0; +#endif tpm2_shutdown(chip, TPM2_SU_STATE); - else + } else { rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + } tpm_put_ops(chip); } diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 1e856259219e..aba024cbe7c5 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -364,6 +364,9 @@ void tpm2_flush_context(struct tpm_chip *chip, u32 handle) struct tpm_buf buf; int rc; + if (!handle) + return; + rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_FLUSH_CONTEXT); if (rc) { dev_warn(&chip->dev, "0x%08x was not flushed, out of memory\n", diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index a62f64e21511..42eb910e9acc 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -920,11 +920,19 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) u32 tmp_null_key; int rc; + /* fast path */ + if (chip->null_key) { + *null_key = chip->null_key; + return 0; + } + rc = tpm2_load_context(chip, chip->null_key_context, &offset, &tmp_null_key); if (rc != -EINVAL) { - if (!rc) + if (!rc) { + chip->null_key = tmp_null_key; *null_key = tmp_null_key; + } return rc; } dev_info(&chip->dev, "the null key has been reset\n"); @@ -935,6 +943,7 @@ static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) /* Return the null key if the name has not been changed: */ if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + chip->null_key = tmp_null_key; *null_key = tmp_null_key; return 0; } @@ -1005,7 +1014,6 @@ int tpm2_start_auth_session(struct tpm_chip *chip) tpm_buf_append_u16(&buf, TPM_ALG_SHA256); rc = tpm_transmit_cmd(chip, &buf, 0, "start auth session"); - tpm2_flush_context(chip, null_key); if (rc == TPM2_RC_SUCCESS) rc = tpm2_parse_start_auth_session(auth, &buf); @@ -1337,7 +1345,10 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) rc = tpm2_save_context(chip, null_key, chip->null_key_context, sizeof(chip->null_key_context), &offset); - tpm2_flush_context(chip, null_key); + if (rc) + tpm2_flush_context(chip, null_key); + else + chip->null_key = null_key; } if (rc < 0) diff --git a/include/linux/tpm.h b/include/linux/tpm.h index e93ee8d936a9..4eb39db80e05 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -205,6 +205,8 @@ struct tpm_chip { #ifdef CONFIG_TCG_TPM2_HMAC /* details for communication security via sessions */ + /* loaded null key */ + u32 null_key; /* saved context for NULL seed */ u8 null_key_context[TPM2_MAX_CONTEXT_SIZE]; /* name of NULL seed */ -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH v4 2/5] tpm: Return on tpm2_create_primary() failure in tpm2_load_null()

by Jarkko Sakkinen

tpm2_load_null() ignores the return value of tpm2_create_primary(). Further, it does not heal from the situation when memcmp() returns zero. Address this by returning on failure and saving the null key if there was no detected interference in the bus. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: eb24c9788cd9 ("tpm: disable the TPM if NULL name changes") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v3: - Update log messages. Previously the log message incorrectly stated on load failure that integrity check had been failed, even tho the check is done *after* the load operation. v2: - Refined the commit message. - Reverted tpm2_create_primary() changes. They are not required if tmp_null_key is used as the parameter. --- drivers/char/tpm/tpm2-sessions.c | 38 +++++++++++++++++--------------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index 795f4c7c6adb..a62f64e21511 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -915,32 +915,34 @@ static int tpm2_parse_start_auth_session(struct tpm2_auth *auth, static int tpm2_load_null(struct tpm_chip *chip, u32 *null_key) { - int rc; unsigned int offset = 0; /* dummy offset for null seed context */ u8 name[SHA256_DIGEST_SIZE + 2]; + u32 tmp_null_key; + int rc; rc = tpm2_load_context(chip, chip->null_key_context, &offset, - null_key); - if (rc != -EINVAL) + &tmp_null_key); + if (rc != -EINVAL) { + if (!rc) + *null_key = tmp_null_key; return rc; + } + dev_info(&chip->dev, "the null key has been reset\n"); - /* an integrity failure may mean the TPM has been reset */ - dev_err(&chip->dev, "NULL key integrity failure!\n"); - /* check the null name against what we know */ - tpm2_create_primary(chip, TPM2_RH_NULL, NULL, name); - if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) - /* name unchanged, assume transient integrity failure */ + rc = tpm2_create_primary(chip, TPM2_RH_NULL, &tmp_null_key, name); + if (rc) return rc; - /* - * Fatal TPM failure: the NULL seed has actually changed, so - * the TPM must have been illegally reset. All in-kernel TPM - * operations will fail because the NULL primary can't be - * loaded to salt the sessions, but disable the TPM anyway so - * userspace programmes can't be compromised by it. - */ - dev_err(&chip->dev, "NULL name has changed, disabling TPM due to interference\n"); - chip->flags |= TPM_CHIP_FLAG_DISABLE; + /* Return the null key if the name has not been changed: */ + if (memcmp(name, chip->null_key_name, sizeof(name)) == 0) { + *null_key = tmp_null_key; + return 0; + } + + /* Deduce from the name change TPM interference: */ + dev_err(&chip->dev, "the null key integrity check failedh\n"); + tpm2_flush_context(chip, tmp_null_key); + chip->flags |= TPM_CHIP_FLAG_DISABLE; return rc; } -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH v4 1/5] tpm: Return on tpm2_create_null_primary() failure

by Jarkko Sakkinen

tpm2_sessions_init() does not ignores the result of saving the null key. Address this by printing either TPM or POSIX error code, and returning -ENODEV back to the caller. Cc: stable(a)vger.kernel.org # v6.10+ Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation") Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> --- v4: - Fixed up stable version. v3: - Handle TPM and POSIX error separately and return -ENODEV always back to the caller. v2: - Refined the commit message. --- drivers/char/tpm/tpm2-sessions.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c index d3521aadd43e..795f4c7c6adb 100644 --- a/drivers/char/tpm/tpm2-sessions.c +++ b/drivers/char/tpm/tpm2-sessions.c @@ -1338,7 +1338,13 @@ static int tpm2_create_null_primary(struct tpm_chip *chip) tpm2_flush_context(chip, null_key); } - return rc; + if (rc < 0) + dev_err(&chip->dev, "saving the null key failed with error %d\n", rc); + else if (rc > 0) + dev_err(&chip->dev, "saving the null key failed with TPM error 0x%04X\n", rc); + + /* Map all errors to -ENODEV: */ + return rc ? -ENODEV : rc; } /** @@ -1354,7 +1360,7 @@ int tpm2_sessions_init(struct tpm_chip *chip) rc = tpm2_create_null_primary(chip); if (rc) - dev_err(&chip->dev, "TPM: security failed (NULL seed derivation): %d\n", rc); + return rc; chip->auth = kmalloc(sizeof(*chip->auth), GFP_KERNEL); if (!chip->auth) -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH 5.10.y] udf: Fold udf_getblk() into udf_bread()

by Sergey Shtylyov

From: Jan Kara <jack(a)suse.cz> udf_getblk() has a single call site. Fold it there. [Sergey: moved back to using udf_get_block() and buffer_{mapped|new}().] Signed-off-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> --- This patch prevents NULL pointer dereference in case sb_getblk() fails... fs/udf/inode.c | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) Index: linux-stable/fs/udf/inode.c =================================================================== --- linux-stable.orig/fs/udf/inode.c +++ linux-stable/fs/udf/inode.c @@ -458,30 +458,6 @@ abort: return err; } -static struct buffer_head *udf_getblk(struct inode *inode, udf_pblk_t block, - int create, int *err) -{ - struct buffer_head *bh; - struct buffer_head dummy; - - dummy.b_state = 0; - dummy.b_blocknr = -1000; - *err = udf_get_block(inode, block, &dummy, create); - if (!*err && buffer_mapped(&dummy)) { - bh = sb_getblk(inode->i_sb, dummy.b_blocknr); - if (buffer_new(&dummy)) { - lock_buffer(bh); - memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); - set_buffer_uptodate(bh); - unlock_buffer(bh); - mark_buffer_dirty_inode(bh, inode); - } - return bh; - } - - return NULL; -} - /* Extend the file with new blocks totaling 'new_block_bytes', * return the number of extents added */ @@ -1197,10 +1173,27 @@ struct buffer_head *udf_bread(struct ino int create, int *err) { struct buffer_head *bh = NULL; + struct buffer_head dummy; + + dummy.b_state = 0; + dummy.b_blocknr = -1000; + *err = udf_get_block(inode, block, &dummy, create); + if (*err || !buffer_mapped(&dummy)) + return NULL; - bh = udf_getblk(inode, block, create, err); - if (!bh) + bh = sb_getblk(inode->i_sb, dummy.b_blocknr); + if (!bh) { + *err = -ENOMEM; return NULL; + } + if (buffer_new(&dummy)) { + lock_buffer(bh); + memset(bh->b_data, 0x00, inode->i_sb->s_blocksize); + set_buffer_uptodate(bh); + unlock_buffer(bh); + mark_buffer_dirty_inode(bh, inode); + return bh; + } if (buffer_uptodate(bh)) return bh;

9 months, 3 weeks

1
0
0 0

stable request for kernel 6.1/6.6 for commit f3c89983cb4f ("block: Fix where bio IO priority gets set")

by Jinpu Wang

Hi Greg, hi Sasha, Please applied f3c89983cb4f ("block: Fix where bio IO priority gets set") to stable 6.1+, it applies cleanly to v6.1.110/v6.6.51. Thx! Jinpu Wang @ IONOS

9 months, 3 weeks

1
0
0 0

Request to revert "wifi: cfg80211: check wiphy mutex is held for wdev mutex" from 5.15/6.1/6.6

by Fedor Pchelkin

Hi, Upstream commit 1474bc87fe57 ("wifi: cfg80211: check wiphy mutex is held for wdev mutex") has been backported recently to 5.15/6.1/6.6 stable branches. After that we started seeing numerous lockdep assertion splats in these kernels originating from different parts of wireless stack where wdev_lock() is called. There is also a huge pile of them already found in Syzbot [1,2,3]. Digging more into the issue it appears that the blamed commit is a part of a much larger series [4] with locking cleanups and improvements for the whole wireless subsystem. The series was merged at 6.7. The cover letter for the series says: There's a kind of pointless commit in there that adds some wiphy locking assertions to the wdev as an intermediate step, I can remove that if you think that's better. We ran with it at that intermediate stage for a while to test things. So backporting this commit to stable branches without taking the series as a whole is pointless and just leads to bogus lockdep assertion splats there. The series itself is an improvement and cleanup work and therefore is not considered as material for old stable kernels. The solution which comes to mind is to revert this backported patch from the affected stable branches. Namely: - 5.15 https://lore.kernel.org/stable/20240901160825.013135421@linuxfoundation.org/ - 6.1 https://lore.kernel.org/stable/20240827143842.546537850@linuxfoundation.org/ - 6.6 https://lore.kernel.org/stable/20240827143846.794100356@linuxfoundation.org/ The intention why it was suddenly backported to these branches a year after merge-to-upstream is not clear actually: there are no stable or Fixes tags in commit message, and I don't find any public request for explicit backport on mailing lists. Please let me know if you can revert the commits yourself or I have to prepare and send them to you. [1]: https://syzkaller.appspot.com/bug?extid=310a1a9715fc1c9ead61 [2]: https://syzkaller.appspot.com/bug?extid=b730e8b6bc76d07fe10b [3]: https://syzkaller.appspot.com/bug?extid=09501cf606ec2823fafa [4]: https://lore.kernel.org/linux-wireless/20230828115927.116700-41-johannes@si… -- Thanks, Fedor

9 months, 3 weeks

1
0
0 0

Linux 6.10.11

by Greg Kroah-Hartman

I'm announcing the release of the 6.10.11 kernel. All users of the 6.10 kernel series must upgrade. The updated 6.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/netlink/specs/mptcp_pm.yaml | 1 Makefile | 2 arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++ arch/powerpc/kernel/setup-common.c | 1 arch/powerpc/mm/mem.c | 2 arch/riscv/boot/dts/starfive/jh7110-common.dtsi | 6 arch/riscv/mm/cacheflush.c | 12 arch/s390/Kconfig | 13 + arch/s390/boot/startup.c | 3 arch/x86/hyperv/hv_init.c | 5 arch/x86/include/asm/mshyperv.h | 1 arch/x86/kernel/cpu/mshyperv.c | 20 + drivers/clk/sophgo/clk-cv18xx-ip.c | 2 drivers/clocksource/hyperv_timer.c | 16 + drivers/cxl/acpi.c | 40 +++ drivers/cxl/core/region.c | 23 + drivers/cxl/cxl.h | 3 drivers/cxl/cxlmem.h | 2 drivers/dma-buf/heaps/cma_heap.c | 2 drivers/firmware/qcom/qcom_qseecom_uefisecapp.c | 4 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 5 drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 76 ++++++ drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.h | 11 drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 63 ++++- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h | 6 drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.h | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 57 ---- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 7 drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 1 drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 3 drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 20 - drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 20 - drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_phy.c | 55 +--- drivers/gpu/drm/amd/include/atomfirmware.h | 4 drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 drivers/gpu/drm/drm_syncobj.c | 17 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ram.h | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp100.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp102.c | 1 drivers/gpu/drm/xe/compat-i915-headers/i915_drv.h | 2 drivers/gpu/drm/xe/xe_bo.c | 6 drivers/gpu/drm/xe/xe_drm_client.c | 45 +++ drivers/gpu/drm/xe/xe_gsc.c | 4 drivers/gpu/drm/xe/xe_wa.c | 10 drivers/hid/hid-asus.c | 3 drivers/hid/hid-ids.h | 3 drivers/hid/hid-multitouch.c | 33 ++ drivers/hwmon/pmbus/pmbus.h | 6 drivers/hwmon/pmbus/pmbus_core.c | 17 + drivers/input/mouse/synaptics.c | 1 drivers/input/serio/i8042-acpipnpio.h | 9 drivers/input/touchscreen/ads7846.c | 2 drivers/input/touchscreen/edt-ft5x06.c | 6 drivers/md/dm-integrity.c | 4 drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 drivers/net/dsa/ocelot/felix_vsc9959.c | 11 drivers/net/ethernet/faraday/ftgmac100.h | 2 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 drivers/net/ethernet/intel/ice/ice_lib.c | 15 - drivers/net/ethernet/intel/ice/ice_switch.c | 4 drivers/net/ethernet/intel/igb/igb_main.c | 17 + drivers/net/ethernet/jme.c | 10 drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 3 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 59 +++- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 ++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 drivers/net/ethernet/wangxun/libwx/wx_type.h | 6 drivers/net/phy/dp83822.c | 35 +- drivers/net/phy/vitesse.c | 14 - drivers/net/usb/ipheth.c | 18 - drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/perf/riscv_pmu_sbi.c | 7 drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 drivers/platform/surface/surface_aggregator_registry.c | 58 ++++ drivers/platform/x86/asus-wmi.c | 16 + drivers/platform/x86/panasonic-laptop.c | 58 +++- drivers/soundwire/stream.c | 8 drivers/spi/spi-geni-qcom.c | 17 - drivers/spi/spi-nxp-fspi.c | 5 drivers/spi/spi-zynqmp-gqspi.c | 30 +- drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +- drivers/usb/typec/ucsi/ucsi.c | 44 ++- drivers/usb/typec/ucsi/ucsi.h | 1 fs/bcachefs/extents.c | 23 + fs/bcachefs/fs-io-buffered.c | 149 +++--------- fs/bcachefs/fs.c | 8 fs/bcachefs/fs.h | 7 fs/bcachefs/fsck.c | 18 + fs/btrfs/inode.c | 1 fs/nfs/delegation.c | 15 - fs/nfs/nfs4proc.c | 9 fs/nfs/pnfs.c | 5 fs/smb/client/cifsencrypt.c | 2 fs/smb/server/mgmt/share_config.c | 15 - fs/smb/server/mgmt/share_config.h | 4 fs/smb/server/mgmt/tree_connect.c | 9 fs/smb/server/mgmt/tree_connect.h | 4 fs/smb/server/smb2pdu.c | 11 fs/smb/server/smb_common.c | 9 fs/smb/server/smb_common.h | 2 include/linux/mlx5/mlx5_ifc.h | 12 include/linux/virtio_net.h | 3 kernel/cgroup/cpuset.c | 33 +- kernel/trace/trace_kprobe.c | 25 +- kernel/trace/trace_osnoise.c | 10 mm/memory.c | 27 +- net/hsr/hsr_device.c | 67 ++++- net/hsr/hsr_forward.c | 37 ++ net/hsr/hsr_framereg.c | 12 net/hsr/hsr_framereg.h | 2 net/hsr/hsr_main.h | 4 net/hsr/hsr_netlink.c | 1 net/ipv4/fou_core.c | 4 net/mptcp/pm_netlink.c | 13 - net/netfilter/nft_socket.c | 7 scripts/kconfig/merge_config.sh | 2 sound/soc/codecs/peb2466.c | 3 sound/soc/intel/common/soc-acpi-intel-lnl-match.c | 1 sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 1 sound/soc/meson/axg-card.c | 3 tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 3 tools/testing/selftests/net/lib/csum.c | 16 + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 134 files changed, 1308 insertions(+), 550 deletions(-) Alex Deucher (1): drm/amdgpu/atomfirmware: Silence UBSAN warning Alexander Gordeev (1): s390/mm: Pin identity mapping base to zero Alexandre Ghiti (1): drivers: perf: Fix smp_processor_id() use in preemptible code Alison Schofield (1): cxl: Restore XOR'd position bits during address translation Anders Roxell (1): scripts: kconfig: merge_config: config files: add a trailing newline Andy Shevchenko (1): eeprom: digsy_mtc: Fix 93xx46 driver probe failure AngeloGioacchino Del Regno (1): drm/mediatek: Set sensible cursor width/height values to fix crash Anirudh Rayabharam (Microsoft) (1): x86/hyperv: fix kexec crash due to VP assist page corruption Arseniy Krasnov (1): ASoC: meson: axg-card: fix 'use-after-free' Asbjørn Sloth Tønnesen (1): netlink: specs: mptcp: fix port endianness Bard Liao (2): ASoC: Intel: soc-acpi-intel-lnl-match: add missing empty item ASoC: Intel: soc-acpi-intel-mtl-match: add missing empty item Ben Skeggs (1): drm/nouveau/fb: restore init() for ramgp102 Benjamin Poirier (1): net/mlx5: Fix bridge mode operations when there are no VFs Bert Karwatzki (1): wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Bouke Sybren Haarsma (2): drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Carolina Jubran (3): net/mlx5: Explicitly set scheduling element and TSAR type net/mlx5: Add missing masks and QoS bit masks for scheduling elements net/mlx5: Verify support for scheduling element and TSAR type Charlie Jenkins (1): riscv: Disable preemption while handling PR_RISCV_CTX_SW_FENCEI_OFF ChenXiaoSong (1): smb/server: fix return value of smb2_open() Christophe Leroy (1): powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Cosmin Ratiu (1): net/mlx5: Correct TASR typo into TSAR Cruise (1): drm/amd/display: Disable error correction if it's not supported Dan Carpenter (1): firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire() Daniele Ceraolo Spurio (2): drm/xe: fix WA 14018094691 drm/xe: use devm instead of drmm for managed bo David (Ming Qiang) Wu (2): drm/amd/amdgpu: apply command submission parser for JPEG v1 drm/amd/amdgpu: apply command submission parser for JPEG v2+ David Howells (1): cifs: Fix signature miscalculation Dexuan Cui (1): clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor Dmitry Savin (1): HID: multitouch: Add support for GT7868Q Edward Adam Davis (1): mptcp: pm: Fix uaf in __timer_delete_sync FUKAUMI Naoki (1): arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Felix Kaechele (1): Input: edt-ft5x06 - add support for FocalTech FT8201 Florian Westphal (1): netfilter: nft_socket: fix sk refcount leaks Foster Snowhill (4): usbnet: ipheth: remove extraneous rx URB length check usbnet: ipheth: drop RX URBs with no payload usbnet: ipheth: do not stop RX on failing RX callback usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman (1): Linux 6.10.11 Han Xu (1): spi: nxp-fspi: fix the KASAN report out-of-bounds bug Hans de Goede (2): platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Heikki Krogerus (1): usb: typec: ucsi: Fix cable registration Ilya Bakoulin (1): drm/amd/display: Fix FEC_READY write on DP LT Jacky Chou (1): net: ftgmac100: Enable TX interrupt to avoid TX timeout Jacob Keller (1): ice: fix accounting for filters shared by multiple VSIs Jameson Thies (2): usb: typec: ucsi: Always set number of alternate modes usb: typec: ucsi: Only set number of plug altmodes after registration Jani Nikula (1): drm/xe/display: fix compat IS_DISPLAY_STEP() range end Jeff Layton (1): btrfs: update target inode's ctime on unlink Jeongjun Park (1): net: hsr: prevent NULL pointer dereference in hsr_proxy_announce() Jiawen Wu (1): net: libwx: fix number of Rx and Tx descriptors Jinjie Ruan (2): spi: geni-qcom: Undo runtime PM changes at driver exit time spi: geni-qcom: Fix incorrect free_irq() sequence Jonathan Denose (1): Input: synaptics - enable SMBus for HP Elitebook 840 G2 Kent Overstreet (3): bcachefs: Fix bch2_extents_match() false positive bcachefs: Revert lockless buffered IO path bcachefs: Don't delete open files in online fsck Krzysztof Kozlowski (1): soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Li Qiang (1): clk/sophgo: Using BUG() instead of unreachable() in mmux_get_parent_id() Linus Torvalds (1): mm: avoid leaving partial pfn mappings around in error case Lorenzo Stoakes (1): minmax: reduce min/max macro expansion in atomisp driver Lukasz Majewski (1): net: hsr: Send supervisory frames to HSR network with ProxyNodeTable data Luke D. Jones (2): hid-asus: add ROG Ally X prod ID to quirk list platform/x86: asus-wmi: Add quirk for ROG Ally X Maher Sanalla (1): net/mlx5: Update the list of the PCI supported devices Marek Vasut (1): Input: ads7846 - ratelimit the spi_sync error message Martyna Szapar-Mudlaw (1): ice: Fix lldp packets dropping after changing the number of channels Masami Hiramatsu (Google) (1): tracing/kprobes: Fix build error when find_module() is not available Matthew Auld (2): drm/xe/client: fix deadlock in show_meminfo() drm/xe/client: add missing bo locking in show_meminfo() Matthieu Baerts (NGI0) (1): selftests: mptcp: join: restrict fullmesh endp on 1st sf Maximilian Luz (5): platform/surface: aggregator_registry: Add Support for Surface Pro 10 platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 platform/surface: aggregator_registry: Add support for Surface Laptop Studio 2 platform/surface: aggregator_registry: Add fan and thermal sensor support for Surface Laptop 5 platform/surface: aggregator_registry: Add support for Surface Laptop 6 Michal Luczaj (1): selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Michal Schmidt (1): ice: fix VSI lists confusion when adding VLANs Mika Westerberg (1): pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Mikulas Patocka (1): dm-integrity: fix a race condition when accessing recalc_sector Moon Yeounsu (1): net: ethernet: use ip_hdrlen() instead of bit shift Muhammad Usama Anjum (1): fou: fix initialization of grc Namjae Jeon (2): ksmbd: override fsids for share path check ksmbd: override fsids for smb2_query_info() Naveen Mamindlapalli (1): octeontx2-af: Modify SMQ flush sequence to drop packets Ngai-Mint Kwan (1): drm/xe/xe2lpm: Extend Wa_16021639441 Nikita Zhandarovich (1): drm/i915/guc: prevent a possible int overflow in wq offsets Patryk Biel (1): hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Pawel Dembicki (1): net: phy: vitesse: repair vsc73xx autonegotiation Peiyang Wang (1): net: hns3: use correct release function during uninitialization Quentin Schulz (2): arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Rob Clark (1): drm/msm/adreno: Fix error return if missing firmware-name Sean Anderson (3): spi: zynqmp-gqspi: Scale timeout by data size selftests: net: csum: Fix checksums for packets with non-zero padding net: dpaa: Pad packets to ETH_ZLEN Shahar Shitrit (2): net/mlx5e: Add missing link modes to ptys2ethtool_map net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Sriram Yagnaraman (1): igb: Always call igb_xdp_ring_update_tail() under Tx lock Steven Rostedt (1): tracing/osnoise: Fix build when timerlat is not enabled Su Hui (1): ASoC: codecs: avoid possible garbage value in peb2466_reg_read() T.J. Mercier (2): drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl dma-buf: heaps: Fix off-by-one in CMA heap fault handler Takashi Iwai (1): Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Tobias Jakobi (2): drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct() drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct() Tomas Paukrt (1): net: phy: dp83822: Fix NULL pointer dereference on DP83825 devices Trond Myklebust (2): NFSv4: Fix clearing of layout segments in layoutreturn NFS: Avoid unnecessary rescanning of the per-server delegation list Waiman Long (1): cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug Willem de Bruijn (1): net: tighten bad gso csum offset check in virtio_net_hdr Xiaoliang Yang (1): net: dsa: felix: ignore pending status of TAS module when it's disabled Xingyu Wu (1): riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting PLL0 rate to 1.5GHz Yinjie Yao (1): drm/amdgpu: Update kmd_fw_shared for VCN5 peng guo (1): cxl/core: Fix incorrect vendor debug UUID define

9 months, 3 weeks

1
1
0 0

Linux 6.6.52

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.52 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 +++ arch/powerpc/kernel/setup-common.c | 1 arch/powerpc/mm/mem.c | 2 arch/riscv/boot/dts/starfive/jh7110-starfive-visionfive-2.dtsi | 4 arch/x86/hyperv/hv_init.c | 5 arch/x86/include/asm/mshyperv.h | 1 arch/x86/kernel/cpu/mshyperv.c | 4 drivers/cxl/cxlmem.h | 2 drivers/dma-buf/heaps/cma_heap.c | 2 drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 76 ++++++++ drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.h | 11 + drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_phy.c | 55 ++---- drivers/gpu/drm/amd/include/atomfirmware.h | 4 drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 + drivers/gpu/drm/drm_syncobj.c | 17 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ram.h | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp100.c | 2 drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp102.c | 1 drivers/hid/hid-ids.h | 2 drivers/hid/hid-multitouch.c | 33 +++ drivers/hwmon/pmbus/pmbus.h | 6 drivers/hwmon/pmbus/pmbus_core.c | 17 + drivers/iio/adc/ad7124.c | 58 ++---- drivers/infiniband/hw/mlx5/main.c | 2 drivers/input/mouse/synaptics.c | 1 drivers/input/serio/i8042-acpipnpio.h | 9 drivers/input/touchscreen/ads7846.c | 2 drivers/md/dm-integrity.c | 4 drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 drivers/net/dsa/ocelot/felix_vsc9959.c | 11 - drivers/net/ethernet/faraday/ftgmac100.h | 2 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 drivers/net/ethernet/intel/ice/ice_lib.c | 15 - drivers/net/ethernet/intel/ice/ice_switch.c | 4 drivers/net/ethernet/intel/igb/igb_main.c | 17 + drivers/net/ethernet/jme.c | 10 - drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 3 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 59 +++++- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 + drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 +++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/mellanox/mlx5/core/port.c | 2 drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 drivers/net/ethernet/xilinx/xilinx_axienet.h | 3 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 drivers/net/phy/vitesse.c | 14 - drivers/net/usb/ipheth.c | 18 + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 drivers/nvmem/core.c | 13 + drivers/nvmem/u-boot-env.c | 91 +++++----- drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 drivers/platform/surface/surface_aggregator_registry.c | 8 drivers/platform/x86/panasonic-laptop.c | 58 +++++- drivers/soundwire/stream.c | 8 drivers/spi/spi-geni-qcom.c | 17 - drivers/spi/spi-nxp-fspi.c | 5 drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 ++ fs/btrfs/inode.c | 1 fs/nfs/delegation.c | 15 - fs/nfs/nfs4proc.c | 9 fs/nfs/pnfs.c | 5 fs/smb/client/cifsencrypt.c | 2 fs/smb/server/mgmt/share_config.c | 15 + fs/smb/server/mgmt/share_config.h | 4 fs/smb/server/mgmt/tree_connect.c | 9 fs/smb/server/mgmt/tree_connect.h | 4 fs/smb/server/smb2pdu.c | 11 - fs/smb/server/smb_common.c | 9 fs/smb/server/smb_common.h | 2 include/linux/mlx5/mlx5_ifc.h | 12 + include/linux/mlx5/port.h | 2 include/linux/nvmem-consumer.h | 1 include/linux/property.h | 8 include/linux/virtio_net.h | 3 kernel/trace/trace_osnoise.c | 10 - mm/memory.c | 27 ++ net/ipv4/fou_core.c | 4 net/mptcp/pm_netlink.c | 13 - net/netfilter/nft_socket.c | 7 scripts/kconfig/merge_config.sh | 2 sound/soc/codecs/peb2466.c | 3 sound/soc/meson/axg-card.c | 3 tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 3 tools/testing/selftests/net/csum.c | 16 + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 91 files changed, 741 insertions(+), 325 deletions(-) Alex Deucher (1): drm/amdgpu/atomfirmware: Silence UBSAN warning Anders Roxell (1): scripts: kconfig: merge_config: config files: add a trailing newline Andy Shevchenko (1): eeprom: digsy_mtc: Fix 93xx46 driver probe failure Anirudh Rayabharam (Microsoft) (1): x86/hyperv: fix kexec crash due to VP assist page corruption Arseniy Krasnov (1): ASoC: meson: axg-card: fix 'use-after-free' Ben Skeggs (1): drm/nouveau/fb: restore init() for ramgp102 Benjamin Poirier (1): net/mlx5: Fix bridge mode operations when there are no VFs Bert Karwatzki (1): wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Bouke Sybren Haarsma (2): drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Carolina Jubran (3): net/mlx5: Explicitly set scheduling element and TSAR type net/mlx5: Add missing masks and QoS bit masks for scheduling elements net/mlx5: Verify support for scheduling element and TSAR type ChenXiaoSong (1): smb/server: fix return value of smb2_open() Christophe Leroy (1): powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Cosmin Ratiu (1): net/mlx5: Correct TASR typo into TSAR Cruise (1): drm/amd/display: Disable error correction if it's not supported David (Ming Qiang) Wu (1): drm/amd/amdgpu: apply command submission parser for JPEG v1 David Howells (1): cifs: Fix signature miscalculation Dmitry Savin (1): HID: multitouch: Add support for GT7868Q Dumitru Ceclan (1): iio: adc: ad7124: fix DT configuration parsing Edward Adam Davis (1): mptcp: pm: Fix uaf in __timer_delete_sync FUKAUMI Naoki (1): arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Florian Westphal (1): netfilter: nft_socket: fix sk refcount leaks Foster Snowhill (4): usbnet: ipheth: remove extraneous rx URB length check usbnet: ipheth: drop RX URBs with no payload usbnet: ipheth: do not stop RX on failing RX callback usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman (1): Linux 6.6.52 Han Xu (1): spi: nxp-fspi: fix the KASAN report out-of-bounds bug Hans de Goede (2): platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Ilya Bakoulin (1): drm/amd/display: Fix FEC_READY write on DP LT Jacky Chou (1): net: ftgmac100: Enable TX interrupt to avoid TX timeout Jacob Keller (1): ice: fix accounting for filters shared by multiple VSIs Jeff Layton (1): btrfs: update target inode's ctime on unlink Jinjie Ruan (2): spi: geni-qcom: Undo runtime PM changes at driver exit time spi: geni-qcom: Fix incorrect free_irq() sequence John Thomson (1): nvmem: u-boot-env: error if NVMEM device is too small Jonathan Cameron (3): device property: Add cleanup.h based fwnode_handle_put() scope based cleanup. device property: Introduce device_for_each_child_node_scoped() iio: adc: ad7124: Switch from of specific to fwnode based property handling Jonathan Denose (1): Input: synaptics - enable SMBus for HP Elitebook 840 G2 Krzysztof Kozlowski (1): soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Linus Torvalds (1): mm: avoid leaving partial pfn mappings around in error case Lorenzo Stoakes (1): minmax: reduce min/max macro expansion in atomisp driver Maher Sanalla (1): net/mlx5: Update the list of the PCI supported devices Marek Vasut (1): Input: ads7846 - ratelimit the spi_sync error message Martyna Szapar-Mudlaw (1): ice: Fix lldp packets dropping after changing the number of channels Matthieu Baerts (NGI0) (1): selftests: mptcp: join: restrict fullmesh endp on 1st sf Maximilian Luz (2): platform/surface: aggregator_registry: Add Support for Surface Pro 10 platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Michal Luczaj (1): selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Michal Schmidt (1): ice: fix VSI lists confusion when adding VLANs Mika Westerberg (1): pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Mikulas Patocka (1): dm-integrity: fix a race condition when accessing recalc_sector Moon Yeounsu (1): net: ethernet: use ip_hdrlen() instead of bit shift Muhammad Usama Anjum (1): fou: fix initialization of grc Namjae Jeon (2): ksmbd: override fsids for share path check ksmbd: override fsids for smb2_query_info() Naveen Mamindlapalli (1): octeontx2-af: Modify SMQ flush sequence to drop packets Nikita Zhandarovich (1): drm/i915/guc: prevent a possible int overflow in wq offsets Patrisious Haddad (1): IB/mlx5: Rename 400G_8X speed to comply to naming convention Patryk Biel (1): hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Pawel Dembicki (1): net: phy: vitesse: repair vsc73xx autonegotiation Peiyang Wang (1): net: hns3: use correct release function during uninitialization Quentin Schulz (2): arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Rafał Miłecki (4): nvmem: core: add nvmem_dev_size() helper nvmem: u-boot-env: use nvmem_add_one_cell() nvmem subsystem helper nvmem: u-boot-env: use nvmem device helpers nvmem: u-boot-env: improve coding style Rob Clark (1): drm/msm/adreno: Fix error return if missing firmware-name Sean Anderson (3): net: xilinx: axienet: Fix race in axienet_stop selftests: net: csum: Fix checksums for packets with non-zero padding net: dpaa: Pad packets to ETH_ZLEN Shahar Shitrit (2): net/mlx5e: Add missing link modes to ptys2ethtool_map net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Sriram Yagnaraman (1): igb: Always call igb_xdp_ring_update_tail() under Tx lock Steven Rostedt (1): tracing/osnoise: Fix build when timerlat is not enabled Su Hui (1): ASoC: codecs: avoid possible garbage value in peb2466_reg_read() T.J. Mercier (2): drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl dma-buf: heaps: Fix off-by-one in CMA heap fault handler Takashi Iwai (1): Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Trond Myklebust (2): NFSv4: Fix clearing of layout segments in layoutreturn NFS: Avoid unnecessary rescanning of the per-server delegation list Willem de Bruijn (1): net: tighten bad gso csum offset check in virtio_net_hdr William Qiu (1): riscv: dts: starfive: add assigned-clock* to limit frquency Xiaoliang Yang (1): net: dsa: felix: ignore pending status of TAS module when it's disabled peng guo (1): cxl/core: Fix incorrect vendor debug UUID define

9 months, 3 weeks

1
1
0 0

Linux 6.1.111

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.111 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++- arch/powerpc/kernel/setup-common.c | 1 arch/powerpc/mm/mem.c | 2 drivers/cxl/cxlmem.h | 2 drivers/dma-buf/heaps/cma_heap.c | 2 drivers/gpu/drm/amd/include/atomfirmware.h | 4 drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 drivers/hid/hid-ids.h | 2 drivers/hid/hid-multitouch.c | 33 ++ drivers/hwmon/pmbus/pmbus.h | 6 drivers/hwmon/pmbus/pmbus_core.c | 17 + drivers/input/mouse/synaptics.c | 1 drivers/input/serio/i8042-acpipnpio.h | 9 drivers/input/touchscreen/ads7846.c | 2 drivers/md/dm-integrity.c | 4 drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 drivers/net/ethernet/faraday/ftgmac100.h | 2 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 drivers/net/ethernet/intel/ice/ice_switch.c | 2 drivers/net/ethernet/intel/igb/igb_main.c | 17 + drivers/net/ethernet/jme.c | 10 drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 15 + drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 177 +++++++++++++++- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 drivers/net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 ++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 drivers/net/ethernet/xilinx/xilinx_axienet.h | 3 drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 drivers/net/phy/vitesse.c | 14 - drivers/net/usb/ipheth.c | 5 drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 drivers/platform/surface/surface_aggregator_registry.c | 8 drivers/platform/x86/panasonic-laptop.c | 58 ++++- drivers/soc/ti/omap_prm.c | 2 drivers/soundwire/stream.c | 8 drivers/spi/spi-geni-qcom.c | 22 - drivers/spi/spi-nxp-fspi.c | 5 drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +- fs/btrfs/inode.c | 1 fs/nfs/delegation.c | 15 - fs/nfs/nfs4proc.c | 9 fs/nfs/pnfs.c | 5 fs/ntfs3/attrlist.c | 4 fs/ntfs3/bitmap.c | 4 fs/ntfs3/frecord.c | 4 fs/ntfs3/super.c | 2 fs/smb/server/mgmt/share_config.c | 15 + fs/smb/server/mgmt/share_config.h | 4 fs/smb/server/mgmt/tree_connect.c | 9 fs/smb/server/mgmt/tree_connect.h | 4 fs/smb/server/smb2pdu.c | 11 fs/smb/server/smb_common.c | 9 fs/smb/server/smb_common.h | 2 include/linux/mlx5/mlx5_ifc.h | 12 - include/linux/virtio_net.h | 3 mm/memory.c | 27 +- net/ipv4/fou.c | 4 net/mptcp/pm_netlink.c | 13 - net/netfilter/nft_socket.c | 7 scripts/kconfig/merge_config.sh | 2 sound/soc/meson/axg-card.c | 3 tools/testing/selftests/bpf/prog_tests/sockmap_listen.c | 3 68 files changed, 603 insertions(+), 173 deletions(-) Alex Deucher (1): drm/amdgpu/atomfirmware: Silence UBSAN warning Anders Roxell (1): scripts: kconfig: merge_config: config files: add a trailing newline Andy Shevchenko (1): eeprom: digsy_mtc: Fix 93xx46 driver probe failure Arseniy Krasnov (1): ASoC: meson: axg-card: fix 'use-after-free' Benjamin Poirier (1): net/mlx5: Fix bridge mode operations when there are no VFs Bouke Sybren Haarsma (2): drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Carolina Jubran (3): net/mlx5: Explicitly set scheduling element and TSAR type net/mlx5: Add missing masks and QoS bit masks for scheduling elements net/mlx5: Verify support for scheduling element and TSAR type ChenXiaoSong (1): smb/server: fix return value of smb2_open() Christophe Leroy (1): powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Cosmin Ratiu (1): net/mlx5: Correct TASR typo into TSAR Dmitry Savin (1): HID: multitouch: Add support for GT7868Q Edward Adam Davis (1): mptcp: pm: Fix uaf in __timer_delete_sync FUKAUMI Naoki (1): arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Florian Westphal (1): netfilter: nft_socket: fix sk refcount leaks Foster Snowhill (1): usbnet: ipheth: fix carrier detection in modes 1 and 4 Greg Kroah-Hartman (1): Linux 6.1.111 Han Xu (1): spi: nxp-fspi: fix the KASAN report out-of-bounds bug Hans de Goede (2): platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Jacky Chou (1): net: ftgmac100: Enable TX interrupt to avoid TX timeout Jacob Keller (1): ice: fix accounting for filters shared by multiple VSIs Jeff Layton (1): btrfs: update target inode's ctime on unlink Jinjie Ruan (2): spi: geni-qcom: Undo runtime PM changes at driver exit time spi: geni-qcom: Fix incorrect free_irq() sequence Jonathan Denose (1): Input: synaptics - enable SMBus for HP Elitebook 840 G2 Konstantin Komarov (1): fs/ntfs3: Use kvfree to free memory allocated by kvmalloc Krzysztof Kozlowski (1): soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Kunwu Chan (1): pmdomain: ti: Add a null pointer check to the omap_prm_domain_init Linus Torvalds (1): mm: avoid leaving partial pfn mappings around in error case Lorenzo Stoakes (1): minmax: reduce min/max macro expansion in atomisp driver Maher Sanalla (1): net/mlx5: Update the list of the PCI supported devices Marek Vasut (1): Input: ads7846 - ratelimit the spi_sync error message Maximilian Luz (2): platform/surface: aggregator_registry: Add Support for Surface Pro 10 platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Michal Luczaj (1): selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Mika Westerberg (1): pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID Mikulas Patocka (1): dm-integrity: fix a race condition when accessing recalc_sector Moon Yeounsu (1): net: ethernet: use ip_hdrlen() instead of bit shift Muhammad Usama Anjum (1): fou: fix initialization of grc Namjae Jeon (2): ksmbd: override fsids for share path check ksmbd: override fsids for smb2_query_info() Naveen Mamindlapalli (2): octeontx2-af: Set XOFF on other child transmit schedulers during SMQ flush octeontx2-af: Modify SMQ flush sequence to drop packets Nikita Zhandarovich (1): drm/i915/guc: prevent a possible int overflow in wq offsets Patryk Biel (1): hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Pawel Dembicki (1): net: phy: vitesse: repair vsc73xx autonegotiation Quentin Schulz (2): arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Rob Clark (1): drm/msm/adreno: Fix error return if missing firmware-name Sean Anderson (2): net: xilinx: axienet: Fix race in axienet_stop net: dpaa: Pad packets to ETH_ZLEN Shahar Shitrit (1): net/mlx5e: Add missing link modes to ptys2ethtool_map Sriram Yagnaraman (1): igb: Always call igb_xdp_ring_update_tail() under Tx lock T.J. Mercier (1): dma-buf: heaps: Fix off-by-one in CMA heap fault handler Takashi Iwai (1): Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Trond Myklebust (2): NFSv4: Fix clearing of layout segments in layoutreturn NFS: Avoid unnecessary rescanning of the per-server delegation list Uwe Kleine-König (1): spi: geni-qcom: Convert to platform remove callback returning void Willem de Bruijn (1): net: tighten bad gso csum offset check in virtio_net_hdr peng guo (1): cxl/core: Fix incorrect vendor debug UUID define

9 months, 3 weeks

1
1
0 0

[PATCH 1/5] drm/i915/gem: fix bitwise and logical AND mixup

by Jani Nikula

CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND is an int, defaulting to 250. When the wakeref is non-zero, it's either -1 or a dynamically allocated pointer, depending on CONFIG_DRM_I915_DEBUG_RUNTIME_PM. It's likely that the code works by coincidence with the bitwise AND, but with CONFIG_DRM_I915_DEBUG_RUNTIME_PM=y, there's the off chance that the condition evaluates to false, and intel_wakeref_auto() doesn't get called. Switch to the intended logical AND. Fixes: ad74457a6b5a ("drm/i915/dgfx: Release mmap on rpm suspend") Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Anshuman Gupta <anshuman.gupta(a)intel.com> Cc: Andi Shyti <andi.shyti(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v6.1+ Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> --- drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c index 5c72462d1f57..c157ade48c39 100644 --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c @@ -1131,7 +1131,7 @@ static vm_fault_t vm_fault_ttm(struct vm_fault *vmf) GEM_WARN_ON(!i915_ttm_cpu_maps_iomem(bo->resource)); } - if (wakeref & CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND) + if (wakeref && CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND) intel_wakeref_auto(&to_i915(obj->base.dev)->runtime_pm.userfault_wakeref, msecs_to_jiffies_timeout(CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND)); -- 2.39.2

9 months, 3 weeks

4
4
0 0

AMD Family 0x1a RAPL reading fixes

by Mario Limonciello

Hi, There were some fixes for RAPL reading issues recently on some AMD systems. Can you please bring this commit to 6.6.y, 6.10.y and 6.11.y? commit 166df51097a2 ("powercap/intel_rapl: Add support for AMD family 1Ah") Can you also please bring this commit to 6.10.y and 6.11.y? commit 26096aed255f ("powercap/intel_rapl: Fix the energy-pkg event for AMD CPUs") Thanks!

9 months, 3 weeks

1
0
0 0

[PATCH v2] drm/panic: Fix uninitialized spinlock acquisition with CONFIG_DRM_PANIC=n

by Lyude Paul

It turns out that if you happen to have a kernel config where CONFIG_DRM_PANIC is disabled and spinlock debugging is enabled, along with KMS being enabled - we'll end up trying to acquire an uninitialized spin_lock with drm_panic_lock() when we try to do a commit: rvkms rvkms.0: [drm:drm_atomic_commit] committing 0000000068d2ade1 INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 4 PID: 1347 Comm: modprobe Not tainted 6.10.0-rc1Lyude-Test+ #272 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20240524-3.fc40 05/24/2024 Call Trace: <TASK> dump_stack_lvl+0x77/0xa0 assign_lock_key+0x114/0x120 register_lock_class+0xa8/0x2c0 __lock_acquire+0x7d/0x2bd0 ? __vmap_pages_range_noflush+0x3a8/0x550 ? drm_atomic_helper_swap_state+0x2ad/0x3a0 lock_acquire+0xec/0x290 ? drm_atomic_helper_swap_state+0x2ad/0x3a0 ? lock_release+0xee/0x310 _raw_spin_lock_irqsave+0x4e/0x70 ? drm_atomic_helper_swap_state+0x2ad/0x3a0 drm_atomic_helper_swap_state+0x2ad/0x3a0 drm_atomic_helper_commit+0xb1/0x270 drm_atomic_commit+0xaf/0xe0 ? __pfx___drm_printfn_info+0x10/0x10 drm_client_modeset_commit_atomic+0x1a1/0x250 drm_client_modeset_commit_locked+0x4b/0x180 drm_client_modeset_commit+0x27/0x50 __drm_fb_helper_restore_fbdev_mode_unlocked+0x76/0x90 drm_fb_helper_set_par+0x38/0x40 fbcon_init+0x3c4/0x690 visual_init+0xc0/0x120 do_bind_con_driver+0x409/0x4c0 do_take_over_console+0x233/0x280 do_fb_registered+0x11f/0x210 fbcon_fb_registered+0x2c/0x60 register_framebuffer+0x248/0x2a0 __drm_fb_helper_initial_config_and_unlock+0x58a/0x720 drm_fbdev_generic_client_hotplug+0x6e/0xb0 drm_client_register+0x76/0xc0 _RNvXs_CsHeezP08sTT_5rvkmsNtB4_5RvkmsNtNtCs1cdwasc6FUb_6kernel8platform6Driver5probe+0xed2/0x1060 [rvkms] ? _RNvMs_NtCs1cdwasc6FUb_6kernel8platformINtB4_7AdapterNtCsHeezP08sTT_5rvkms5RvkmsE14probe_callbackBQ_+0x2b/0x70 [rvkms] ? acpi_dev_pm_attach+0x25/0x110 ? platform_probe+0x6a/0xa0 ? really_probe+0x10b/0x400 ? __driver_probe_device+0x7c/0x140 ? driver_probe_device+0x22/0x1b0 ? __device_attach_driver+0x13a/0x1c0 ? __pfx___device_attach_driver+0x10/0x10 ? bus_for_each_drv+0x114/0x170 ? __device_attach+0xd6/0x1b0 ? bus_probe_device+0x9e/0x120 ? device_add+0x288/0x4b0 ? platform_device_add+0x75/0x230 ? platform_device_register_full+0x141/0x180 ? rust_helper_platform_device_register_simple+0x85/0xb0 ? _RNvMs2_NtCs1cdwasc6FUb_6kernel8platformNtB5_6Device13create_simple+0x1d/0x60 ? _RNvXs0_CsHeezP08sTT_5rvkmsNtB5_5RvkmsNtCs1cdwasc6FUb_6kernel6Module4init+0x11e/0x160 [rvkms] ? 0xffffffffc083f000 ? init_module+0x20/0x1000 [rvkms] ? kernfs_xattr_get+0x3e/0x80 ? do_one_initcall+0x148/0x3f0 ? __lock_acquire+0x5ef/0x2bd0 ? __lock_acquire+0x5ef/0x2bd0 ? __lock_acquire+0x5ef/0x2bd0 ? put_cpu_partial+0x51/0x1d0 ? lock_acquire+0xec/0x290 ? put_cpu_partial+0x51/0x1d0 ? lock_release+0xee/0x310 ? put_cpu_partial+0x51/0x1d0 ? fs_reclaim_acquire+0x69/0xf0 ? lock_acquire+0xec/0x290 ? fs_reclaim_acquire+0x69/0xf0 ? kfree+0x22f/0x340 ? lock_release+0xee/0x310 ? kmalloc_trace_noprof+0x48/0x340 ? do_init_module+0x22/0x240 ? kmalloc_trace_noprof+0x155/0x340 ? do_init_module+0x60/0x240 ? __se_sys_finit_module+0x2e0/0x3f0 ? do_syscall_64+0xa4/0x180 ? syscall_exit_to_user_mode+0x108/0x140 ? do_syscall_64+0xb0/0x180 ? vma_end_read+0xd0/0xe0 ? do_user_addr_fault+0x309/0x640 ? clear_bhb_loop+0x45/0xa0 ? clear_bhb_loop+0x45/0xa0 ? clear_bhb_loop+0x45/0xa0 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Fix this by stubbing these macros out when this config option isn't enabled, along with fixing the unused variable warning that introduces. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Fixes: e2a1cda3e0c7 ("drm/panic: Add drm panic locking") Cc: <stable(a)vger.kernel.org> # v6.10+ --- V2: * Use static inline instead of macros so we don't need __maybe_unused --- drivers/gpu/drm/drm_atomic_helper.c | 2 +- include/drm/drm_panic.h | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index 43cdf39019a44..5186d2114a503 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -3015,7 +3015,7 @@ int drm_atomic_helper_swap_state(struct drm_atomic_state *state, bool stall) { int i, ret; - unsigned long flags; + unsigned long flags = 0; struct drm_connector *connector; struct drm_connector_state *old_conn_state, *new_conn_state; struct drm_crtc *crtc; diff --git a/include/drm/drm_panic.h b/include/drm/drm_panic.h index 54085d5d05c34..f4e1fa9ae607a 100644 --- a/include/drm/drm_panic.h +++ b/include/drm/drm_panic.h @@ -64,6 +64,8 @@ struct drm_scanout_buffer { }; +#ifdef CONFIG_DRM_PANIC + /** * drm_panic_trylock - try to enter the panic printing critical section * @dev: struct drm_device @@ -149,4 +151,16 @@ struct drm_scanout_buffer { #define drm_panic_unlock(dev, flags) \ raw_spin_unlock_irqrestore(&(dev)->mode_config.panic_lock, flags) +#else + +static inline bool drm_panic_trylock(struct drm_device *dev, unsigned long flags) +{ + return true; +} + +static inline void drm_panic_lock(struct drm_device *dev, unsigned long flags) {} +static inline void drm_panic_unlock(struct drm_device *dev, unsigned long flags) {} + +#endif + #endif /* __DRM_PANIC_H__ */ base-commit: bf05aeac230e390a5aee4bd3dc978b0c4d7e745f -- 2.46.0

9 months, 3 weeks

2
2
0 0

[PATCH] ACPI: video: Add backlight=native quirk for Dell OptiPlex 5480 AIO

by Hans de Goede

Dell All In One (AIO) models released after 2017 may use a backlight controller board connected to an UART. In DSDT this uart port will be defined as: Name (_HID, "DELL0501") Name (_CID, EisaId ("PNP0501") The Dell OptiPlex 5480 AIO has an ACPI device for one if its UARTs with the above _HID + _CID. Loading the dell-uart-backlight driver fails with the following errors: [ 18.261353] dell_uart_backlight serial0-0: Timed out waiting for response. [ 18.261356] dell_uart_backlight serial0-0: error -ETIMEDOUT: getting firmware version [ 18.261359] dell_uart_backlight serial0-0: probe with driver dell_uart_backlight failed with error -110 Indicating that there is no backlight controller board attached to the UART, while the GPU's native backlight control method does work. Add a quirk to use the GPU's native backlight control method on this model. Fixes: cd8e468efb4f ("ACPI: video: Add Dell UART backlight controller detection") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/acpi/video_detect.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c index b70e84e8049a..015bd8e66c1c 100644 --- a/drivers/acpi/video_detect.c +++ b/drivers/acpi/video_detect.c @@ -844,6 +844,15 @@ static const struct dmi_system_id video_detect_dmi_table[] = { * controller board in their ACPI tables (and may even have one), but * which need native backlight control nevertheless. */ + { + /* https://github.com/zabbly/linux/issues/26 */ + .callback = video_detect_force_native, + /* Dell OptiPlex 5480 AIO */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), + DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 5480 AIO"), + }, + }, { /* https://bugzilla.redhat.com/show_bug.cgi?id=2303936 */ .callback = video_detect_force_native, -- 2.46.0

9 months, 3 weeks

1
0
0 0

[PATCH 0/6] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Comparing to the original patches, the helper vfs_empty_path() is moved to stat.c from linux/fs.h, because get_user() is only available in fs.h since v5.7, where commit 80fbaf1c3f29 ('rcuwait: Add @State argument to rcuwait_wait_event()') added linux/sched/signal.h to rcuwait.h, and uaccess.h finally got its way to fs.h along the path uaccess.h -> sched/task.h -> sched/signal.h -> rcuwait.h -> percpu-rwsem.h -> fs.h. uaccess.h cannot be directly included in fs.h before v5.7, where commit df23e2be3d24 ('acpi: Remove header dependency') removed proc_fs.h from acpi/acpi_bus.h, preventing arch/x86/boot/compressed/cmdline.c from indirectly including fs.h. Otherwise, the function set_fs() defined in asm/uaccess.h will get into cmdline.c, which contains another set_fs(), resulting conflicting function definations. There is no users of vfs_empty_path() except stat.c, and as a result, putting it in stat.c is acceptable. The existing vfs_statx_fd(), which is removed since v5.10, is utilized to implement short-circuit handling of NULL and "" paths, instead of introducing vfs_statx_path(), simplifying the implementation. Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (2): fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Christoph Hellwig (2): fs: implement vfs_stat and vfs_lstat in terms of vfs_fstatat fs: move vfs_fstatat out of line Linus Torvalds (1): vfs: mostly undo glibc turning 'fstat()' into 'fstatat(AT_EMPTY_PATH)' Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/stat.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++----- include/linux/fs.h | 26 ++++++++++-------------- 2 files changed, 63 insertions(+), 21 deletions(-) --- base-commit: 661f109c057497c8baf507a2562ceb9f9fb3cbc2 change-id: 20240918-statx-stable-linux-5-4-y-a79d4268600d Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

9 months, 3 weeks

1
6
0 0

[PATCH 0/4] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Modifications are applied to vfs_statx_path(). In the original patch, vfs_statx_path() was created to warp around the call to vfs_getattr() after filename_lookup() in vfs_statx(). Since the coresponding code is different in 5.15 and 5.10, the content of vfs_statx_path() is modified to match this. The original patch also moved path_mounted() from namespace.c to internal.h, which is not applicable for 5.15 and 5.10 since it has not been introduced before 6.5. The original patch also used CLASS(fd_raw, ) to convert a file descriptor number provided from the user space in to a struct and automatically release it afterwards. Since CLASS mechanism is only available since 6.1.79, obtaining and releasing fd struct is done manually. do_statx() was directly handling filename string instead of a struct filename * before 5.18, as a result short-circuiting is implemented in do_statx() instead of sys_statx, without the need of introducing do_statx_fd(). Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (2): fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Linus Torvalds (1): vfs: mostly undo glibc turning 'fstat()' into 'fstatat(AT_EMPTY_PATH)' Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/stat.c | 73 +++++++++++++++++++++++++++++++++++++++++++++--------- include/linux/fs.h | 17 +++++++++++++ 2 files changed, 78 insertions(+), 12 deletions(-) --- base-commit: 3a5928702e7120f83f703fd566082bfb59f1a57e change-id: 20240918-statx-stable-linux-5-15-y-9a30358a7d47 Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

9 months, 3 weeks

1
4
0 0

[PATCH 0/5] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Modifications are applied to vfs_statx_path(). In the original patch, vfs_statx_path() was created to warp around the call to vfs_getattr() after filename_lookup() in vfs_statx(). Since the coresponding code is different in 6.1, the content of vfs_statx_path() is modified to match this. The original patch also moved path_mounted() from namespace.c to internal.h, which is not applicable for 6.1 since it has not been introduced before 6.5. Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (3): file: add fd_raw cleanup class fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Linus Torvalds (1): vfs: mostly undo glibc turning 'fstat()' into 'fstatat(AT_EMPTY_PATH)' Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/internal.h | 2 + fs/stat.c | 101 ++++++++++++++++++++++++++++++++++++++++----------- include/linux/file.h | 1 + include/linux/fs.h | 17 +++++++++ 4 files changed, 99 insertions(+), 22 deletions(-) --- base-commit: 5f55cad62cc9d8d29dd3556e0243b14355725ffb change-id: 20240918-statx-stable-linux-6-1-y-37e6ca691c9b Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

9 months, 3 weeks

1
5
0 0

[PATCH 0/4] Backport statx(..., NULL, AT_EMPTY_PATH, ...)

by Miao Wang via B4 Relay

Commit 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") added support for passing in NULL when AT_EMPTY_PATH is given, improving performance when statx is used for fetching stat informantion from a given fd, which is especially important for 32-bit platforms. This commit also improved the performance when an empty string is given by short-circuiting the handling of such paths. This series is based on the commits in the Linus’ tree. Modifications are applied to vfs_statx_path(). In the original patch, vfs_statx_path() was created to warp around the call to vfs_getattr() after filename_lookup() in vfs_statx(). Since the coresponding code is different in 6.6, the content of vfs_statx_path() is modified to match this. Tested-by: Xi Ruoyao <xry111(a)xry111.site> Signed-off-by: Miao Wang <shankerwangmiao(a)gmail.com> --- Christian Brauner (3): file: add fd_raw cleanup class fs: new helper vfs_empty_path() stat: use vfs_empty_path() helper Mateusz Guzik (1): vfs: support statx(..., NULL, AT_EMPTY_PATH, ...) fs/internal.h | 14 +++++++ fs/namespace.c | 13 ------ fs/stat.c | 113 ++++++++++++++++++++++++++++++++++++--------------- include/linux/file.h | 1 + include/linux/fs.h | 17 ++++++++ 5 files changed, 112 insertions(+), 46 deletions(-) --- base-commit: 6d1dc55b5bab93ef868d223b740d527ee7501063 change-id: 20240918-statx-stable-linux-6-6-y-02566b94440d Best regards, -- Miao Wang <shankerwangmiao(a)gmail.com>

9 months, 3 weeks

1
4
0 0

[PATCH 5.10] crypto: tcrypt - Fix missing return value check

by Denis Arefev

From: Tianjia Zhang <tianjia.zhang(a)linux.alibaba.com> [ Upstream commit 7b3d52683b3a47c0ba1dfd6b5994a3a795b06972 ] There are several places where the return value check of crypto_aead_setkey and crypto_aead_setauthsize were lost. It is necessary to add these checks. At the same time, move the crypto_aead_setauthsize() call out of the loop, and only need to call it once after load transform. Fixes: 53f52d7aecb4 ("crypto: tcrypt - Added speed tests for AEAD crypto alogrithms in tcrypt test suite") Signed-off-by: Tianjia Zhang <tianjia.zhang(a)linux.alibaba.com> Reviewed-by: Vitaly Chikunov <vt(a)altlinux.org> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- crypto/tcrypt.c | 29 +++++++++++++++++++---------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c index 7972d2784b3b..580c50afa587 100644 --- a/crypto/tcrypt.c +++ b/crypto/tcrypt.c @@ -290,6 +290,11 @@ static void test_mb_aead_speed(const char *algo, int enc, int secs, } ret = crypto_aead_setauthsize(tfm, authsize); + if (ret) { + pr_err("alg: aead: Failed to setauthsize for %s: %d\n", algo, + ret); + goto out_free_tfm; + } for (i = 0; i < num_mb; ++i) if (testmgr_alloc_buf(data[i].xbuf)) { @@ -315,7 +320,7 @@ static void test_mb_aead_speed(const char *algo, int enc, int secs, for (i = 0; i < num_mb; ++i) { data[i].req = aead_request_alloc(tfm, GFP_KERNEL); if (!data[i].req) { - pr_err("alg: skcipher: Failed to allocate request for %s\n", + pr_err("alg: aead: Failed to allocate request for %s\n", algo); while (i--) aead_request_free(data[i].req); @@ -565,13 +570,19 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs, sgout = &sg[9]; tfm = crypto_alloc_aead(algo, 0, 0); - if (IS_ERR(tfm)) { pr_err("alg: aead: Failed to load transform for %s: %ld\n", algo, PTR_ERR(tfm)); goto out_notfm; } + ret = crypto_aead_setauthsize(tfm, authsize); + if (ret) { + pr_err("alg: aead: Failed to setauthsize for %s: %d\n", algo, + ret); + goto out_noreq; + } + crypto_init_wait(&wait); printk(KERN_INFO "\ntesting speed of %s (%s) %s\n", algo, get_driver_name(crypto_aead, tfm), e); @@ -607,8 +618,13 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs, break; } } + ret = crypto_aead_setkey(tfm, key, *keysize); - ret = crypto_aead_setauthsize(tfm, authsize); + if (ret) { + pr_err("setkey() failed flags=%x: %d\n", + crypto_aead_get_flags(tfm), ret); + goto out; + } iv_len = crypto_aead_ivsize(tfm); if (iv_len) @@ -618,15 +634,8 @@ static void test_aead_speed(const char *algo, int enc, unsigned int secs, printk(KERN_INFO "test %u (%d bit key, %d byte blocks): ", i, *keysize * 8, *b_size); - memset(tvmem[0], 0xff, PAGE_SIZE); - if (ret) { - pr_err("setkey() failed flags=%x\n", - crypto_aead_get_flags(tfm)); - goto out; - } - sg_init_aead(sg, xbuf, *b_size + (enc ? 0 : authsize), assoc, aad_size); -- 2.25.1

9 months, 3 weeks

1
0
0 0

[PATCH 6.1] drm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()

by Denis Arefev

From: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> [ Upstream commit 2a3cfb9a24a28da9cc13d2c525a76548865e182c ] Since 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL before the call to dc_enable_dmub_notifications(), check beforehand to ensure there will not be a possible NULL-ptr-deref there. Also, since commit 1e88eb1b2c25 ("drm/amd/display: Drop CONFIG_DRM_AMD_DC_HDCP") there are two separate checks for NULL in 'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy(). Clean up by combining them all under one 'if'. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 81927e2808be ("drm/amd/display: Support for DMUB AUX") Signed-off-by: Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Denis Arefev <arefev(a)swemel.ru> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 393e32259a77..4850aed54604 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -1876,14 +1876,14 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev) dc_deinit_callbacks(adev->dm.dc); #endif - if (adev->dm.dc) + if (adev->dm.dc) { dc_dmub_srv_destroy(&adev->dm.dc->ctx->dmub_srv); - - if (dc_enable_dmub_notifications(adev->dm.dc)) { - kfree(adev->dm.dmub_notify); - adev->dm.dmub_notify = NULL; - destroy_workqueue(adev->dm.delayed_hpd_wq); - adev->dm.delayed_hpd_wq = NULL; + if (dc_enable_dmub_notifications(adev->dm.dc)) { + kfree(adev->dm.dmub_notify); + adev->dm.dmub_notify = NULL; + destroy_workqueue(adev->dm.delayed_hpd_wq); + adev->dm.delayed_hpd_wq = NULL; + } } if (adev->dm.dmub_bo) -- 2.25.1

9 months, 3 weeks

1
0
0 0

[PATCH] drbd: Fix atomicity violation in drbd_uuid_set_bm()

by Qiu-ji Chen

The violation of atomicity occurs when the drbd_uuid_set_bm function is executed simultaneously with modifying the value of device->ldev->md.uuid[UI_BITMAP]. Consider a scenario where, while device->ldev->md.uuid[UI_BITMAP] passes the validity check when its value is not zero, the value of device->ldev->md.uuid[UI_BITMAP] is written to zero. In this case, the check in drbd_uuid_set_bm might refer to the old value of device->ldev->md.uuid[UI_BITMAP] (before locking), which allows an invalid value to pass the validity check, resulting in inconsistency. To address this issue, it is recommended to include the data validity check within the locked section of the function. This modification ensures that the value of device->ldev->md.uuid[UI_BITMAP] does not change during the validation process, thereby maintaining its integrity. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 9f2247bb9b75 ("drbd: Protect accesses to the uuid set with a spinlock") Cc: stable(a)vger.kernel.org Signed-off-by: Qiu-ji Chen <chenqiuji666(a)gmail.com> --- drivers/block/drbd/drbd_main.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c index a9e49b212341..abafc4edf9ed 100644 --- a/drivers/block/drbd/drbd_main.c +++ b/drivers/block/drbd/drbd_main.c @@ -3399,10 +3399,12 @@ void drbd_uuid_new_current(struct drbd_device *device) __must_hold(local) void drbd_uuid_set_bm(struct drbd_device *device, u64 val) __must_hold(local) { unsigned long flags; - if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) + spin_lock_irqsave(&device->ldev->md.uuid_lock, flags); + if (device->ldev->md.uuid[UI_BITMAP] == 0 && val == 0) { + spin_unlock_irqrestore(&device->ldev->md.uuid_lock, flags); return; + } - spin_lock_irqsave(&device->ldev->md.uuid_lock, flags); if (val == 0) { drbd_uuid_move_history(device); device->ldev->md.uuid[UI_HISTORY_START] = device->ldev->md.uuid[UI_BITMAP]; -- 2.34.1

9 months, 3 weeks

3
2
0 0

[PATCH 6.6 00/91] 6.6.52-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.52 release. There are 91 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 Sep 2024 11:42:05 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.52-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.52-rc1 William Qiu <william.qiu(a)starfivetech.com> riscv: dts: starfive: add assigned-clock* to limit frquency Arseniy Krasnov <avkrasnov(a)salutedevices.com> ASoC: meson: axg-card: fix 'use-after-free' Mika Westerberg <mika.westerberg(a)linux.intel.com> pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID David Howells <dhowells(a)redhat.com> cifs: Fix signature miscalculation Su Hui <suhui(a)nfschina.com> ASoC: codecs: avoid possible garbage value in peb2466_reg_read() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/i915/guc: prevent a possible int overflow in wq offsets Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Fix incorrect free_irq() sequence Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Undo runtime PM changes at driver exit time David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amd/amdgpu: apply command submission parser for JPEG v1 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/atomfirmware: Silence UBSAN warning Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/fb: restore init() for ramgp102 T.J. Mercier <tjmercier(a)google.com> dma-buf: heaps: Fix off-by-one in CMA heap fault handler T.J. Mercier <tjmercier(a)google.com> drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: fix the KASAN report out-of-bounds bug Steven Rostedt <rostedt(a)goodmis.org> tracing/osnoise: Fix build when timerlat is not enabled Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Xiaoliang Yang <xiaoliang.yang_1(a)nxp.com> net: dsa: felix: ignore pending status of TAS module when it's disabled Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: make cgroupsv2 matching work with namespaces Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Sean Anderson <sean.anderson(a)linux.dev> selftests: net: csum: Fix checksums for packets with non-zero padding Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Modify SMQ flush sequence to drop packets Muhammad Usama Anjum <usama.anjum(a)collabora.com> fou: fix initialization of grc Benjamin Poirier <bpoirier(a)nvidia.com> net/mlx5: Fix bridge mode operations when there are no VFs Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Verify support for scheduling element and TSAR type Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Correct TASR typo into TSAR Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Add missing masks and QoS bit masks for scheduling elements Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Explicitly set scheduling element and TSAR type Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Patrisious Haddad <phaddad(a)nvidia.com> IB/mlx5: Rename 400G_8X speed to comply to naming convention Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link modes to ptys2ethtool_map Maher Sanalla <msanalla(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> igb: Always call igb_xdp_ring_update_tail() under Tx lock Michal Schmidt <mschmidt(a)redhat.com> ice: fix VSI lists confusion when adding VLANs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix accounting for filters shared by multiple VSIs Martyna Szapar-Mudlaw <martyna.szapar-mudlaw(a)linux.intel.com> ice: Fix lldp packets dropping after changing the number of channels Patryk Biel <pbiel7(a)gmail.com> hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Michal Luczaj <mhal(a)rbox.co> selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() peng guo <engguopeng(a)buaa.edu.cn> cxl/core: Fix incorrect vendor debug UUID define Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Fix 93xx46 driver probe failure Ilya Bakoulin <ilya.bakoulin(a)amd.com> drm/amd/display: Fix FEC_READY write on DP LT Cruise <cruise.hung(a)amd.com> drm/amd/display: Disable error correction if it's not supported FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix race in axienet_stop Linus Torvalds <torvalds(a)linux-foundation.org> mm: avoid leaving partial pfn mappings around in error case Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com> x86/hyperv: fix kexec crash due to VP assist page corruption Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a race condition when accessing recalc_sector Willem de Bruijn <willemb(a)google.com> net: tighten bad gso csum offset check in virtio_net_hdr Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> minmax: reduce min/max macro expansion in atomisp driver Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: restrict fullmesh endp on 1st sf Edward Adam Davis <eadavis(a)qq.com> mptcp: pm: Fix uaf in __timer_delete_sync Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Avoid unnecessary rescanning of the per-server delegation list Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix clearing of layout segments in layoutreturn ChenXiaoSong <chenxiaosong(a)kylinos.cn> smb/server: fix return value of smb2_open() Alexander Gordeev <agordeev(a)linux.ibm.com> s390/mm: Prevent lowcore vs identity mapping overlap Takashi Iwai <tiwai(a)suse.de> Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Rob Clark <robdclark(a)chromium.org> drm/msm/adreno: Fix error return if missing firmware-name Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add Support for Surface Pro 10 Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Dmitry Savin <envelsavinds(a)gmail.com> HID: multitouch: Add support for GT7868Q Jonathan Denose <jdenose(a)google.com> Input: synaptics - enable SMBus for HP Elitebook 840 G2 Marek Vasut <marex(a)denx.de> Input: ads7846 - ratelimit the spi_sync error message Jeff Layton <jlayton(a)kernel.org> btrfs: update target inode's ctime on unlink Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: use correct release function during uninitialization Bert Karwatzki <spasswolf(a)web.de> wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: do not stop RX on failing RX callback Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: drop RX URBs with no payload Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: remove extraneous rx URB length check Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for smb2_query_info() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for share path check John Thomson <git(a)johnthomson.fastmail.com.au> nvmem: u-boot-env: error if NVMEM device is too small Rafał Miłecki <rafal(a)milecki.pl> nvmem: u-boot-env: improve coding style Rafał Miłecki <rafal(a)milecki.pl> nvmem: u-boot-env: use nvmem device helpers Rafał Miłecki <rafal(a)milecki.pl> nvmem: u-boot-env: use nvmem_add_one_cell() nvmem subsystem helper Rafał Miłecki <rafal(a)milecki.pl> nvmem: core: add nvmem_dev_size() helper Dumitru Ceclan <mitrutzceclan(a)gmail.com> iio: adc: ad7124: fix DT configuration parsing Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: adc: ad7124: Switch from of specific to fwnode based property handling Jonathan Cameron <Jonathan.Cameron(a)huawei.com> device property: Introduce device_for_each_child_node_scoped() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> device property: Add cleanup.h based fwnode_handle_put() scope based cleanup. ------------- Diffstat: Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++++++++- arch/powerpc/kernel/setup-common.c | 1 + arch/powerpc/mm/mem.c | 2 - .../dts/starfive/jh7110-starfive-visionfive-2.dtsi | 4 + arch/s390/kernel/setup.c | 19 ++++- arch/x86/hyperv/hv_init.c | 5 +- arch/x86/include/asm/mshyperv.h | 1 - arch/x86/kernel/cpu/mshyperv.c | 4 +- drivers/cxl/cxlmem.h | 2 +- drivers/dma-buf/heaps/cma_heap.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 76 +++++++++++++++++- drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.h | 11 +++ .../amd/display/dc/link/protocols/link_dp_phy.c | 53 ++++++------- drivers/gpu/drm/amd/include/atomfirmware.h | 4 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 +++ drivers/gpu/drm/drm_syncobj.c | 17 +++- drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/fb/ram.h | 2 + drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp100.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp102.c | 1 + drivers/hid/hid-ids.h | 2 + drivers/hid/hid-multitouch.c | 33 ++++++++ drivers/hwmon/pmbus/pmbus.h | 6 ++ drivers/hwmon/pmbus/pmbus_core.c | 17 +++- drivers/iio/adc/ad7124.c | 58 ++++++-------- drivers/infiniband/hw/mlx5/main.c | 2 +- drivers/input/mouse/synaptics.c | 1 + drivers/input/serio/i8042-acpipnpio.h | 9 +++ drivers/input/touchscreen/ads7846.c | 2 +- drivers/md/dm-integrity.c | 4 +- drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 11 ++- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 ++- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- drivers/net/ethernet/intel/ice/ice_lib.c | 15 ++-- drivers/net/ethernet/intel/ice/ice_switch.c | 4 +- drivers/net/ethernet/intel/igb/igb_main.c | 17 +++- drivers/net/ethernet/jme.c | 10 +-- drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 3 +- .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 59 +++++++++++--- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 +++ .../net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 +++++++----- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/port.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 ++ drivers/net/ethernet/xilinx/xilinx_axienet.h | 3 + drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 ++ drivers/net/phy/vitesse.c | 14 ---- drivers/net/usb/ipheth.c | 18 +++-- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/nvmem/core.c | 13 ++++ drivers/nvmem/u-boot-env.c | 91 +++++++++++----------- drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 + .../platform/surface/surface_aggregator_registry.c | 8 +- drivers/platform/x86/panasonic-laptop.c | 58 +++++++++++--- drivers/soundwire/stream.c | 8 +- drivers/spi/spi-geni-qcom.c | 17 ++-- drivers/spi/spi-nxp-fspi.c | 5 +- drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +++++-- fs/btrfs/inode.c | 1 + fs/nfs/delegation.c | 15 ++-- fs/nfs/nfs4proc.c | 9 ++- fs/nfs/pnfs.c | 5 +- fs/smb/client/cifsencrypt.c | 2 +- fs/smb/server/mgmt/share_config.c | 15 +++- fs/smb/server/mgmt/share_config.h | 4 +- fs/smb/server/mgmt/tree_connect.c | 9 ++- fs/smb/server/mgmt/tree_connect.h | 4 +- fs/smb/server/smb2pdu.c | 11 ++- fs/smb/server/smb_common.c | 9 ++- fs/smb/server/smb_common.h | 2 + include/linux/mlx5/mlx5_ifc.h | 12 ++- include/linux/mlx5/port.h | 2 +- include/linux/nvmem-consumer.h | 1 + include/linux/property.h | 8 ++ include/linux/virtio_net.h | 3 +- kernel/trace/trace_osnoise.c | 10 +-- mm/memory.c | 27 +++++-- net/ipv4/fou_core.c | 4 +- net/mptcp/pm_netlink.c | 13 +++- net/netfilter/nft_socket.c | 48 ++++++++++-- scripts/kconfig/merge_config.sh | 2 + sound/soc/codecs/peb2466.c | 3 +- sound/soc/meson/axg-card.c | 3 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 3 +- tools/testing/selftests/net/csum.c | 16 +++- tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 +- 92 files changed, 797 insertions(+), 329 deletions(-)

9 months, 3 weeks

11
105
0 0

[PATCH 6.10 000/121] 6.10.11-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.10.11 release. There are 121 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 Sep 2024 11:42:05 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.10.11-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.10.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.10.11-rc1 Jameson Thies <jthies(a)google.com> usb: typec: ucsi: Only set number of plug altmodes after registration Arseniy Krasnov <avkrasnov(a)salutedevices.com> ASoC: meson: axg-card: fix 'use-after-free' Mika Westerberg <mika.westerberg(a)linux.intel.com> pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID David Howells <dhowells(a)redhat.com> cifs: Fix signature miscalculation Jani Nikula <jani.nikula(a)intel.com> drm/xe/display: fix compat IS_DISPLAY_STEP() range end Su Hui <suhui(a)nfschina.com> ASoC: codecs: avoid possible garbage value in peb2466_reg_read() Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> drm/i915/guc: prevent a possible int overflow in wq offsets Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Fix incorrect free_irq() sequence Jinjie Ruan <ruanjinjie(a)huawei.com> spi: geni-qcom: Undo runtime PM changes at driver exit time Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-mtl-match: add missing empty item Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: Intel: soc-acpi-intel-lnl-match: add missing empty item Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing/kprobes: Fix build error when find_module() is not available Matthew Auld <matthew.auld(a)intel.com> drm/xe/client: add missing bo locking in show_meminfo() Matthew Auld <matthew.auld(a)intel.com> drm/xe/client: fix deadlock in show_meminfo() David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amd/amdgpu: apply command submission parser for JPEG v2+ David (Ming Qiang) Wu <David.Wu3(a)amd.com> drm/amd/amdgpu: apply command submission parser for JPEG v1 Tobias Jakobi <tjakobi(a)math.uni-bielefeld.de> drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct() Tobias Jakobi <tjakobi(a)math.uni-bielefeld.de> drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/atomfirmware: Silence UBSAN warning Ben Skeggs <bskeggs(a)nvidia.com> drm/nouveau/fb: restore init() for ramgp102 T.J. Mercier <tjmercier(a)google.com> dma-buf: heaps: Fix off-by-one in CMA heap fault handler T.J. Mercier <tjmercier(a)google.com> drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> soundwire: stream: Revert "soundwire: stream: fix programming slave ports for non-continous port maps" Han Xu <han.xu(a)nxp.com> spi: nxp-fspi: fix the KASAN report out-of-bounds bug Steven Rostedt <rostedt(a)goodmis.org> tracing/osnoise: Fix build when timerlat is not enabled Asbjørn Sloth Tønnesen <ast(a)fiberby.net> netlink: specs: mptcp: fix port endianness Sean Anderson <sean.anderson(a)linux.dev> net: dpaa: Pad packets to ETH_ZLEN Xiaoliang Yang <xiaoliang.yang_1(a)nxp.com> net: dsa: felix: ignore pending status of TAS module when it's disabled Jeongjun Park <aha310510(a)gmail.com> net: hsr: prevent NULL pointer dereference in hsr_proxy_announce() Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: make cgroupsv2 matching work with namespaces Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Charlie Jenkins <charlie(a)rivosinc.com> riscv: Disable preemption while handling PR_RISCV_CTX_SW_FENCEI_OFF Alexandre Ghiti <alexghiti(a)rivosinc.com> drivers: perf: Fix smp_processor_id() use in preemptible code Sean Anderson <sean.anderson(a)linux.dev> selftests: net: csum: Fix checksums for packets with non-zero padding Tomas Paukrt <tomaspaukrt(a)email.cz> net: phy: dp83822: Fix NULL pointer dereference on DP83825 devices Jacky Chou <jacky_chou(a)aspeedtech.com> net: ftgmac100: Enable TX interrupt to avoid TX timeout Naveen Mamindlapalli <naveenm(a)marvell.com> octeontx2-af: Modify SMQ flush sequence to drop packets Muhammad Usama Anjum <usama.anjum(a)collabora.com> fou: fix initialization of grc Benjamin Poirier <bpoirier(a)nvidia.com> net/mlx5: Fix bridge mode operations when there are no VFs Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Verify support for scheduling element and TSAR type Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5: Correct TASR typo into TSAR Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Add missing masks and QoS bit masks for scheduling elements Carolina Jubran <cjubran(a)nvidia.com> net/mlx5: Explicitly set scheduling element and TSAR type Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link mode to ptys2ext_ethtool_map Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5e: Add missing link modes to ptys2ethtool_map Maher Sanalla <msanalla(a)nvidia.com> net/mlx5: Update the list of the PCI supported devices Sriram Yagnaraman <sriram.yagnaraman(a)est.tech> igb: Always call igb_xdp_ring_update_tail() under Tx lock Michal Schmidt <mschmidt(a)redhat.com> ice: fix VSI lists confusion when adding VLANs Jacob Keller <jacob.e.keller(a)intel.com> ice: fix accounting for filters shared by multiple VSIs Martyna Szapar-Mudlaw <martyna.szapar-mudlaw(a)linux.intel.com> ice: Fix lldp packets dropping after changing the number of channels Patryk Biel <pbiel7(a)gmail.com> hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >= 1.2 Eric Dumazet <edumazet(a)google.com> net: hsr: remove seqnr_lock Lukasz Majewski <lukma(a)denx.de> net: hsr: Send supervisory frames to HSR network with ProxyNodeTable data Michal Luczaj <mhal(a)rbox.co> selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected() Alison Schofield <alison.schofield(a)intel.com> cxl: Restore XOR'd position bits during address translation peng guo <engguopeng(a)buaa.edu.cn> cxl/core: Fix incorrect vendor debug UUID define Li Qiang <liqiang01(a)kylinos.cn> clk/sophgo: Using BUG() instead of unreachable() in mmux_get_parent_id() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> eeprom: digsy_mtc: Fix 93xx46 driver probe failure Ilya Bakoulin <ilya.bakoulin(a)amd.com> drm/amd/display: Fix FEC_READY write on DP LT Cruise <cruise.hung(a)amd.com> drm/amd/display: Disable error correction if it's not supported Xingyu Wu <xingyu.wu(a)starfivetech.com> riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting PLL0 rate to 1.5GHz Dan Carpenter <dan.carpenter(a)linaro.org> firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire() FUKAUMI Naoki <naoki(a)radxa.com> arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Don't delete open files in online fsck Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Revert lockless buffered IO path Kent Overstreet <kent.overstreet(a)linux.dev> bcachefs: Fix bch2_extents_match() false positive Linus Torvalds <torvalds(a)linux-foundation.org> mm: avoid leaving partial pfn mappings around in error case Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com> x86/hyperv: fix kexec crash due to VP assist page corruption Dexuan Cui <decui(a)microsoft.com> clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor Mikulas Patocka <mpatocka(a)redhat.com> dm-integrity: fix a race condition when accessing recalc_sector Jiawen Wu <jiawenwu(a)trustnetic.com> net: libwx: fix number of Rx and Tx descriptors Willem de Bruijn <willemb(a)google.com> net: tighten bad gso csum offset check in virtio_net_hdr Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> minmax: reduce min/max macro expansion in atomisp driver Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: join: restrict fullmesh endp on 1st sf Edward Adam Davis <eadavis(a)qq.com> mptcp: pm: Fix uaf in __timer_delete_sync Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array Hans de Goede <hdegoede(a)redhat.com> platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Avoid unnecessary rescanning of the per-server delegation list Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4: Fix clearing of layout segments in layoutreturn ChenXiaoSong <chenxiaosong(a)kylinos.cn> smb/server: fix return value of smb2_open() Alexander Gordeev <agordeev(a)linux.ibm.com> s390/mm: Pin identity mapping base to zero Alexander Gordeev <agordeev(a)linux.ibm.com> s390/mm: Prevent lowcore vs identity mapping overlap Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: use devm instead of drmm for managed bo Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/xe: fix WA 14018094691 Ngai-Mint Kwan <ngai-mint.kwan(a)linux.intel.com> drm/xe/xe2lpm: Extend Wa_16021639441 Takashi Iwai <tiwai(a)suse.de> Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table Rob Clark <robdclark(a)chromium.org> drm/msm/adreno: Fix error return if missing firmware-name Sean Anderson <sean.anderson(a)linux.dev> spi: zynqmp-gqspi: Scale timeout by data size Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop 6 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add fan and thermal sensor support for Surface Laptop 5 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Studio 2 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator_registry: Add Support for Surface Pro 10 Luke D. Jones <luke(a)ljones.dev> platform/x86: asus-wmi: Add quirk for ROG Ally X Anders Roxell <anders.roxell(a)linaro.org> scripts: kconfig: merge_config: config files: add a trailing newline Waiman Long <longman(a)redhat.com> cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug Felix Kaechele <felix(a)kaechele.ca> Input: edt-ft5x06 - add support for FocalTech FT8201 Dmitry Savin <envelsavinds(a)gmail.com> HID: multitouch: Add support for GT7868Q Luke D. Jones <luke(a)ljones.dev> hid-asus: add ROG Ally X prod ID to quirk list Jonathan Denose <jdenose(a)google.com> Input: synaptics - enable SMBus for HP Elitebook 840 G2 Marek Vasut <marex(a)denx.de> Input: ads7846 - ratelimit the spi_sync error message Jeff Layton <jlayton(a)kernel.org> btrfs: update target inode's ctime on unlink Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: use correct release function during uninitialization Yinjie Yao <yinjie.yao(a)amd.com> drm/amdgpu: Update kmd_fw_shared for VCN5 Bert Karwatzki <spasswolf(a)web.de> wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL Pawel Dembicki <paweldembicki(a)gmail.com> net: phy: vitesse: repair vsc73xx autonegotiation Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Max Bouke Sybren Haarsma <boukehaarsma23(a)gmail.com> drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero Moon Yeounsu <yyyynoom(a)gmail.com> net: ethernet: use ip_hdrlen() instead of bit shift Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: fix carrier detection in modes 1 and 4 Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: do not stop RX on failing RX callback Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: drop RX URBs with no payload Foster Snowhill <forst(a)pen.gy> usbnet: ipheth: remove extraneous rx URB length check Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for smb2_query_info() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: override fsids for share path check AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> drm/mediatek: Set sensible cursor width/height values to fix crash Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: typec: ucsi: Fix cable registration Jameson Thies <jthies(a)google.com> usb: typec: ucsi: Always set number of alternate modes ------------- Diffstat: Documentation/netlink/specs/mptcp_pm.yaml | 1 - Makefile | 4 +- arch/arm64/boot/dts/rockchip/rk3328-rock-pi-e.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 36 ++++- arch/powerpc/kernel/setup-common.c | 1 + arch/powerpc/mm/mem.c | 2 - arch/riscv/boot/dts/starfive/jh7110-common.dtsi | 6 + arch/riscv/mm/cacheflush.c | 12 +- arch/s390/Kconfig | 13 ++ arch/s390/boot/startup.c | 3 +- arch/s390/kernel/setup.c | 19 ++- arch/x86/hyperv/hv_init.c | 5 +- arch/x86/include/asm/mshyperv.h | 1 - arch/x86/kernel/cpu/mshyperv.c | 20 ++- drivers/clk/sophgo/clk-cv18xx-ip.c | 2 +- drivers/clocksource/hyperv_timer.c | 16 ++- drivers/cxl/acpi.c | 40 ++++++ drivers/cxl/core/region.c | 23 ++-- drivers/cxl/cxl.h | 3 + drivers/cxl/cxlmem.h | 2 +- drivers/dma-buf/heaps/cma_heap.c | 2 +- drivers/firmware/qcom/qcom_qseecom_uefisecapp.c | 4 + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 5 +- drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.c | 76 ++++++++++- drivers/gpu/drm/amd/amdgpu/jpeg_v1_0.h | 11 ++ drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 63 ++++++++- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h | 6 + drivers/gpu/drm/amd/amdgpu/jpeg_v2_5.c | 2 + drivers/gpu/drm/amd/amdgpu/jpeg_v3_0.c | 1 + drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.c | 1 + drivers/gpu/drm/amd/amdgpu/jpeg_v4_0.h | 1 - drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.c | 57 +------- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_3.h | 7 +- drivers/gpu/drm/amd/amdgpu/jpeg_v4_0_5.c | 1 + drivers/gpu/drm/amd/amdgpu/jpeg_v5_0_0.c | 3 +- .../drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c | 20 +-- .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 20 +-- .../amd/display/dc/link/protocols/link_dp_phy.c | 53 ++++---- drivers/gpu/drm/amd/include/atomfirmware.h | 4 +- drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++ drivers/gpu/drm/drm_syncobj.c | 17 ++- drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 +- drivers/gpu/drm/msm/adreno/adreno_gpu.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/fb/ram.h | 2 + drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp100.c | 2 +- drivers/gpu/drm/nouveau/nvkm/subdev/fb/ramgp102.c | 1 + drivers/gpu/drm/xe/compat-i915-headers/i915_drv.h | 2 +- drivers/gpu/drm/xe/xe_bo.c | 6 +- drivers/gpu/drm/xe/xe_drm_client.c | 45 ++++++- drivers/gpu/drm/xe/xe_gsc.c | 4 +- drivers/gpu/drm/xe/xe_wa.c | 10 ++ drivers/hid/hid-asus.c | 3 + drivers/hid/hid-ids.h | 3 + drivers/hid/hid-multitouch.c | 33 +++++ drivers/hwmon/pmbus/pmbus.h | 6 + drivers/hwmon/pmbus/pmbus_core.c | 17 ++- drivers/input/mouse/synaptics.c | 1 + drivers/input/serio/i8042-acpipnpio.h | 9 ++ drivers/input/touchscreen/ads7846.c | 2 +- drivers/input/touchscreen/edt-ft5x06.c | 6 + drivers/md/dm-integrity.c | 4 +- drivers/misc/eeprom/digsy_mtc_eeprom.c | 2 +- drivers/net/dsa/ocelot/felix_vsc9959.c | 11 +- drivers/net/ethernet/faraday/ftgmac100.h | 2 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 9 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +- drivers/net/ethernet/intel/ice/ice_lib.c | 15 ++- drivers/net/ethernet/intel/ice/ice_switch.c | 4 +- drivers/net/ethernet/intel/igb/igb_main.c | 17 ++- drivers/net/ethernet/jme.c | 10 +- drivers/net/ethernet/marvell/octeontx2/af/rvu.h | 3 +- .../net/ethernet/marvell/octeontx2/af/rvu_nix.c | 59 ++++++-- .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 10 ++ .../net/ethernet/mellanox/mlx5/core/esw/legacy.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c | 51 ++++--- drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/qos.c | 7 + drivers/net/ethernet/wangxun/libwx/wx_type.h | 6 +- drivers/net/phy/dp83822.c | 35 +++-- drivers/net/phy/vitesse.c | 14 -- drivers/net/usb/ipheth.c | 18 +-- drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- drivers/perf/riscv_pmu_sbi.c | 7 +- drivers/pinctrl/intel/pinctrl-meteorlake.c | 1 + .../platform/surface/surface_aggregator_registry.c | 58 +++++++- drivers/platform/x86/asus-wmi.c | 16 ++- drivers/platform/x86/panasonic-laptop.c | 58 ++++++-- drivers/soundwire/stream.c | 8 +- drivers/spi/spi-geni-qcom.c | 17 ++- drivers/spi/spi-nxp-fspi.c | 5 +- drivers/spi/spi-zynqmp-gqspi.c | 30 ++++- drivers/staging/media/atomisp/pci/sh_css_frac.h | 26 +++- drivers/usb/typec/ucsi/ucsi.c | 44 +++--- drivers/usb/typec/ucsi/ucsi.h | 1 - fs/bcachefs/extents.c | 23 +++- fs/bcachefs/fs-io-buffered.c | 149 ++++++--------------- fs/bcachefs/fs.c | 8 ++ fs/bcachefs/fs.h | 7 + fs/bcachefs/fsck.c | 18 +++ fs/btrfs/inode.c | 1 + fs/nfs/delegation.c | 15 +-- fs/nfs/nfs4proc.c | 9 +- fs/nfs/pnfs.c | 5 +- fs/smb/client/cifsencrypt.c | 2 +- fs/smb/server/mgmt/share_config.c | 15 ++- fs/smb/server/mgmt/share_config.h | 4 +- fs/smb/server/mgmt/tree_connect.c | 9 +- fs/smb/server/mgmt/tree_connect.h | 4 +- fs/smb/server/smb2pdu.c | 11 +- fs/smb/server/smb_common.c | 9 +- fs/smb/server/smb_common.h | 2 + include/linux/mlx5/mlx5_ifc.h | 12 +- include/linux/virtio_net.h | 3 +- kernel/cgroup/cpuset.c | 33 ++--- kernel/trace/trace_kprobe.c | 25 +++- kernel/trace/trace_osnoise.c | 10 +- mm/memory.c | 27 +++- net/hsr/hsr_device.c | 102 +++++++++----- net/hsr/hsr_forward.c | 41 +++++- net/hsr/hsr_framereg.c | 12 ++ net/hsr/hsr_framereg.h | 2 + net/hsr/hsr_main.h | 10 +- net/hsr/hsr_netlink.c | 3 +- net/ipv4/fou_core.c | 4 +- net/mptcp/pm_netlink.c | 13 +- net/netfilter/nft_socket.c | 48 ++++++- scripts/kconfig/merge_config.sh | 2 + sound/soc/codecs/peb2466.c | 3 +- sound/soc/intel/common/soc-acpi-intel-lnl-match.c | 1 + sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 1 + sound/soc/meson/axg-card.c | 3 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 3 +- tools/testing/selftests/net/lib/csum.c | 16 ++- tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 +- 135 files changed, 1378 insertions(+), 587 deletions(-)

9 months, 3 weeks

11
133
0 0

[PATCH 6.1] drm/amdkfd: Skip handle mapping SVM range with no GPU access

by Murad Masimov

From: Philip Yang <Philip.Yang(a)amd.com> commit 8c45b31909b730f9c7b146588e038f9c6553394d upstream. If the SVM range has no GPU access nor access-in-place attribute, validate and map to GPU should skip the range. Add NULL pointer check if find_first_bit(ctx->bitmap, MAX_GPU_INSTANCE) returns MAX_GPU_INSTANCE as gpuidx if ctx->bitmap is empty. Signed-off-by: Philip Yang <Philip.Yang(a)amd.com> Reviewed-by: Alex Sierra <alex.sierra(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [m.masimov(a)maxima.ru: In order to adapt this patch to branch 6.1 ctx was treated as a variable and not as a pointer.] Signed-off-by: Murad Masimov <m.masimov(a)maxima.ru> --- drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c index 7fa5e70f1aac..a44781b66af9 100644 --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c @@ -1491,6 +1491,8 @@ static void *kfd_svm_page_owner(struct kfd_process *p, int32_t gpuidx) struct kfd_process_device *pdd; pdd = kfd_process_device_from_gpuidx(p, gpuidx); + if (!pdd) + return NULL; return SVM_ADEV_PGMAP_OWNER(pdd->dev->adev); } @@ -1561,10 +1563,10 @@ static int svm_range_validate_and_map(struct mm_struct *mm, } if (bitmap_empty(ctx.bitmap, MAX_GPU_INSTANCE)) { - if (!prange->mapped_to_gpu) - return 0; - bitmap_copy(ctx.bitmap, prange->bitmap_access, MAX_GPU_INSTANCE); + if (!prange->mapped_to_gpu || + bitmap_empty(ctx.bitmap, MAX_GPU_INSTANCE)) + return 0; } if (prange->actual_loc && !prange->ttm_res) { -- 2.39.2

9 months, 3 weeks

1
0
0 0

[PATCH] ALSA: hda/realtek: fix mute/micmute LED for HP mt645 G8

by nikolai.afanasenkov＠hp.com

From: Nikolai Afanasenkov <nikolai.afanasenkov(a)hp.com> The HP Elite mt645 G8 Mobile Thin Client uses an ALC236 codec and needs the ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF quirk to enable the mute and micmute LED functionality. This patch adds the system ID of the HP Elite mt645 G8 to the `alc269_fixup_tbl` in `patch_realtek.c` to enable the required quirk. Cc: stable(a)vger.kernel.org Signed-off-by: Nikolai Afanasenkov <nikolai.afanasenkov(a)hp.com> --- sound/pci/hda/patch_realtek.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index 452c6e7c20e2..5ad5a901f9b6 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -10396,6 +10396,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8caf, "HP Elite mt645 G8 Mobile Thin Client", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF), SND_PCI_QUIRK(0x103c, 0x8cbd, "HP Pavilion Aero Laptop 13-bg0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS), SND_PCI_QUIRK(0x103c, 0x8cdd, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2), SND_PCI_QUIRK(0x103c, 0x8cde, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2), -- 2.34.1

9 months, 3 weeks

2
1
0 0

[PATCH RFC V5 1/1] ocfs2: reserve space for inline xattr before attaching reflink tree

by Gautham Ananthakrishna

One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case upto 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix. Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink") Cc: stable(a)vger.kernel.org Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna(a)oracle.com> --- fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++-- fs/ocfs2/xattr.c | 11 +---------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c index 25c8ec3c8c3a5..80f441878dc1f 100644 --- a/fs/ocfs2/refcounttree.c +++ b/fs/ocfs2/refcounttree.c @@ -25,6 +25,7 @@ #include "namei.h" #include "ocfs2_trace.h" #include "file.h" +#include "symlink.h" #include <linux/bio.h> #include <linux/blkdev.h> @@ -4155,8 +4156,9 @@ static int __ocfs2_reflink(struct dentry *old_dentry, int ret; struct inode *inode = d_inode(old_dentry); struct buffer_head *new_bh = NULL; + struct ocfs2_inode_info *oi = OCFS2_I(inode); - if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) { + if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) { ret = -EINVAL; mlog_errno(ret); goto out; @@ -4182,6 +4184,26 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto out_unlock; } + if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) && + (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) { + /* + * Adjust extent record count to reserve space for extended attribute. + * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). + */ + struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode); + + if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && + !(ocfs2_inode_is_fast_symlink(new_inode))) { + struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data; + struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data; + struct ocfs2_extent_list *el = &new_di->id2.i_list; + int inline_size = le16_to_cpu(old_di->i_xattr_inline_size); + + le16_add_cpu(&el->l_count, -(inline_size / + sizeof(struct ocfs2_extent_rec))); + } + } + ret = ocfs2_create_reflink_node(inode, old_bh, new_inode, new_bh, preserve); if (ret) { @@ -4189,7 +4211,7 @@ static int __ocfs2_reflink(struct dentry *old_dentry, goto inode_unlock; } - if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) { + if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) { ret = ocfs2_reflink_xattrs(inode, old_bh, new_inode, new_bh, preserve); diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 6510ad783c912..2c572b336ba48 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -6511,16 +6511,7 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args) } new_oi = OCFS2_I(args->new_inode); - /* - * Adjust extent record count to reserve space for extended attribute. - * Inline data count had been adjusted in ocfs2_duplicate_inline_data(). - */ - if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) && - !(ocfs2_inode_is_fast_symlink(args->new_inode))) { - struct ocfs2_extent_list *el = &new_di->id2.i_list; - le16_add_cpu(&el->l_count, -(inline_size / - sizeof(struct ocfs2_extent_rec))); - } + spin_lock(&new_oi->ip_lock); new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL; new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features); -- 2.43.5

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 4.19] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index f8b0fa2dbe37..b43f25b3c99d 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -243,6 +243,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.hints & HV_X64_ENLIGHTENED_VMCS_RECOMMENDED) { -- 2.43.0

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.4] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index 51d95c4b692c..cebbcc6c36ae 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -256,6 +256,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.hints & HV_X64_ENLIGHTENED_VMCS_RECOMMENDED) { -- 2.43.0

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.10] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index 021cd067733e..a91aad434d03 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -275,6 +275,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.hints & HV_X64_ENLIGHTENED_VMCS_RECOMMENDED) { -- 2.43.0

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.15] x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency

by Sasha Levin

From: Michael Kelley <mhklinux(a)outlook.com> [ Upstream commit 8fcc514809de41153b43ccbe1a0cdf7f72b78e7e ] A Linux guest on Hyper-V gets the TSC frequency from a synthetic MSR, if available. In this case, set X86_FEATURE_TSC_KNOWN_FREQ so that Linux doesn't unnecessarily do refined TSC calibration when setting up the TSC clocksource. With this change, a message such as this is no longer output during boot when the TSC is used as the clocksource: [ 1.115141] tsc: Refined TSC clocksource calibration: 2918.408 MHz Furthermore, the guest and host will have exactly the same view of the TSC frequency, which is important for features such as the TSC deadline timer that are emulated by the Hyper-V host. Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Roman Kisel <romank(a)linux.microsoft.com> Link: https://lore.kernel.org/r/20240606025559.1631-1-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240606025559.1631-1-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/x86/kernel/cpu/mshyperv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/mshyperv.c b/arch/x86/kernel/cpu/mshyperv.c index 8d3c649a1769..3794b223fd69 100644 --- a/arch/x86/kernel/cpu/mshyperv.c +++ b/arch/x86/kernel/cpu/mshyperv.c @@ -322,6 +322,7 @@ static void __init ms_hyperv_init_platform(void) ms_hyperv.misc_features & HV_FEATURE_FREQUENCY_MSRS_AVAILABLE) { x86_platform.calibrate_tsc = hv_get_tsc_khz; x86_platform.calibrate_cpu = hv_get_tsc_khz; + setup_force_cpu_cap(X86_FEATURE_TSC_KNOWN_FREQ); } if (ms_hyperv.priv_high & HV_ISOLATION) { -- 2.43.0

9 months, 3 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror