- Linux-stable-mirror - lists.linaro.org

[PATCH] drm/dp_mst: Fix MST sideband message body length check

by Imre Deak

Fix the MST sideband message body length check, which must be at least 1 byte accounting for the message body CRC (aka message data CRC) at the end of the message. This fixes a case where an MST branch device returns a header with a correct header CRC (indicating a correctly received body length), with the body length being incorrectly set to 0. This will later lead to a memory corruption in drm_dp_sideband_append_payload() and the following errors in dmesg: UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25 index -1 is out of range for type 'u8 [48]' Call Trace: drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper] memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256) Call Trace: drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper] Cc: <stable(a)vger.kernel.org> Cc: Lyude Paul <lyude(a)redhat.com> Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/display/drm_dp_mst_topology.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c index ac90118b9e7a8..e6ee180815b20 100644 --- a/drivers/gpu/drm/display/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c @@ -320,6 +320,9 @@ static bool drm_dp_decode_sideband_msg_hdr(const struct drm_dp_mst_topology_mgr hdr->broadcast = (buf[idx] >> 7) & 0x1; hdr->path_msg = (buf[idx] >> 6) & 0x1; hdr->msg_len = buf[idx] & 0x3f; + if (hdr->msg_len < 1) /* min space for body CRC */ + return false; + idx++; hdr->somt = (buf[idx] >> 7) & 0x1; hdr->eomt = (buf[idx] >> 6) & 0x1; -- 2.44.2

9 months, 3 weeks

2
1
0 0

[PATCH 1/2] mm: Open-code PageTail in folio_flags() and const_folio_flags()

by Matthew Wilcox (Oracle)

It is unsafe to call PageTail() in dump_page() as page_is_fake_head() will almost certainly return true when called on a head page that is copied to the stack. That will cause the VM_BUG_ON_PGFLAGS() in const_folio_flags() to trigger when it shouldn't. Fortunately, we don't need to call PageTail() here; it's fine to have a pointer to a virtual alias of the page's flag word rather than the real page's flag word. Fixes: fae7d834c43c (mm: add __dump_folio()) Signed-off-by: Matthew Wilcox (Oracle) <willy(a)infradead.org> Cc: stable(a)vger.kernel.org --- include/linux/page-flags.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h index 2220bfec278e..cf46ac720802 100644 --- a/include/linux/page-flags.h +++ b/include/linux/page-flags.h @@ -306,7 +306,7 @@ static const unsigned long *const_folio_flags(const struct folio *folio, { const struct page *page = &folio->page; - VM_BUG_ON_PGFLAGS(PageTail(page), page); + VM_BUG_ON_PGFLAGS(page->compound_head & 1, page); VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page); return &page[n].flags; } @@ -315,7 +315,7 @@ static unsigned long *folio_flags(struct folio *folio, unsigned n) { struct page *page = &folio->page; - VM_BUG_ON_PGFLAGS(PageTail(page), page); + VM_BUG_ON_PGFLAGS(page->compound_head & 1, page); VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page); return &page[n].flags; } -- 2.45.2

9 months, 3 weeks

1
1
0 0

[PATCH v4 0/7] media: uvcvideo: Implement the Privacy GPIO as a evdev

by Ricardo Ribalda

Some notebooks have a button to disable the camera (not to be mistaken with the mechanical cover). This is a standard GPIO linked to the camera via the ACPI table. 4 years ago we added support for this button in UVC via the Privacy control. This has three issues: - If the camera has its own privacy control, it will be masked. - We need to power-up the camera to read the privacy control gpio. - Other drivers have not followed this approach and have used evdev. We tried to fix the power-up issues implementing "granular power saving" but it has been more complicated than anticipated... This patchset implements the Privacy GPIO as a evdev. The first patch of this set is already in Laurent's tree... but I include it to get some CI coverage. Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v4: - Remove gpio entity, it is not needed. - Use unit->gpio.irq in free_irq to make smatch happy. - Link to v3: https://lore.kernel.org/r/20241112-uvc-subdev-v3-0-0ea573d41a18@chromium.org Changes in v3: - CodeStyle (Thanks Sakari) - Re-implement as input device - Make the code depend on UVC_INPUT_EVDEV - Link to v2: https://lore.kernel.org/r/20241108-uvc-subdev-v2-0-85d8a051a3d3@chromium.org Changes in v2: - Rebase on top of https://patchwork.linuxtv.org/project/linux-media/patch/20241106-uvc-crashr… - Create uvc_gpio_cleanup and uvc_gpio_deinit - Refactor quirk: do not disable irq - Change define number for MEDIA_ENT_F_GPIO - Link to v1: https://lore.kernel.org/r/20241031-uvc-subdev-v1-0-a68331cedd72@chromium.org --- Ricardo Ribalda (7): media: uvcvideo: Fix crash during unbind if gpio unit is in use media: uvcvideo: Factor out gpio functions to its own file media: uvcvideo: Re-implement privacy GPIO as an input device Revert "media: uvcvideo: Allow entity-defined get_info and get_cur" media: uvcvideo: Introduce UVC_QUIRK_PRIVACY_DURING_STREAM media: uvcvideo: Make gpio_unit entity-less media: uvcvideo: Remove UVC_EXT_GPIO entity drivers/media/usb/uvc/Kconfig | 2 +- drivers/media/usb/uvc/Makefile | 3 + drivers/media/usb/uvc/uvc_ctrl.c | 40 ++--------- drivers/media/usb/uvc/uvc_driver.c | 123 ++-------------------------------- drivers/media/usb/uvc/uvc_entity.c | 7 +- drivers/media/usb/uvc/uvc_gpio.c | 134 +++++++++++++++++++++++++++++++++++++ drivers/media/usb/uvc/uvc_status.c | 13 +++- drivers/media/usb/uvc/uvc_video.c | 4 ++ drivers/media/usb/uvc/uvcvideo.h | 43 +++++++----- 9 files changed, 195 insertions(+), 174 deletions(-) --- base-commit: 72ad4ff638047bbbdf3232178fea4bec1f429319 change-id: 20241030-uvc-subdev-89f4467a00b5 Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

9 months, 3 weeks

1
1
0 0

[PATCH 5.15] Revert "drivers: clk: zynqmp: update divider round rate logic"

by jguittet.opensource＠witekio.com

From: Joel Guittet <jguittet(a)witekio.com> This reverts commit 9117fc44fd3a9538261e530ba5a022dfc9519620 which is commit 1fe15be1fb613534ecbac5f8c3f8744f757d237d upstream. It is reported to cause regressions in the 5.15.y tree, so revert it for now. Link: https://www.spinics.net/lists/kernel/msg5397998.html Signed-off-by: Joel Guittet <jguittet.opensource(a)witekio.com> --- drivers/clk/zynqmp/divider.c | 66 +++++++++++++++++++++++++++++++++--- 1 file changed, 61 insertions(+), 5 deletions(-) diff --git a/drivers/clk/zynqmp/divider.c b/drivers/clk/zynqmp/divider.c index e25c76ff2739..47a199346ddf 100644 --- a/drivers/clk/zynqmp/divider.c +++ b/drivers/clk/zynqmp/divider.c @@ -110,6 +110,52 @@ static unsigned long zynqmp_clk_divider_recalc_rate(struct clk_hw *hw, return DIV_ROUND_UP_ULL(parent_rate, value); } +static void zynqmp_get_divider2_val(struct clk_hw *hw, + unsigned long rate, + struct zynqmp_clk_divider *divider, + u32 *bestdiv) +{ + int div1; + int div2; + long error = LONG_MAX; + unsigned long div1_prate; + struct clk_hw *div1_parent_hw; + struct zynqmp_clk_divider *pdivider; + struct clk_hw *div2_parent_hw = clk_hw_get_parent(hw); + + if (!div2_parent_hw) + return; + + pdivider = to_zynqmp_clk_divider(div2_parent_hw); + if (!pdivider) + return; + + div1_parent_hw = clk_hw_get_parent(div2_parent_hw); + if (!div1_parent_hw) + return; + + div1_prate = clk_hw_get_rate(div1_parent_hw); + *bestdiv = 1; + for (div1 = 1; div1 <= pdivider->max_div;) { + for (div2 = 1; div2 <= divider->max_div;) { + long new_error = ((div1_prate / div1) / div2) - rate; + + if (abs(new_error) < abs(error)) { + *bestdiv = div2; + error = new_error; + } + if (divider->flags & CLK_DIVIDER_POWER_OF_TWO) + div2 = div2 << 1; + else + div2++; + } + if (pdivider->flags & CLK_DIVIDER_POWER_OF_TWO) + div1 = div1 << 1; + else + div1++; + } +} + /** * zynqmp_clk_divider_round_rate() - Round rate of divider clock * @hw: handle between common and hardware-specific interfaces @@ -128,7 +174,6 @@ static long zynqmp_clk_divider_round_rate(struct clk_hw *hw, u32 div_type = divider->div_type; u32 bestdiv; int ret; - u8 width; /* if read only, just return current value */ if (divider->flags & CLK_DIVIDER_READ_ONLY) { @@ -148,12 +193,23 @@ static long zynqmp_clk_divider_round_rate(struct clk_hw *hw, return DIV_ROUND_UP_ULL((u64)*prate, bestdiv); } - width = fls(divider->max_div); + bestdiv = zynqmp_divider_get_val(*prate, rate, divider->flags); + + /* + * In case of two divisors, compute best divider values and return + * divider2 value based on compute value. div1 will be automatically + * set to optimum based on required total divider value. + */ + if (div_type == TYPE_DIV2 && + (clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT)) { + zynqmp_get_divider2_val(hw, rate, divider, &bestdiv); + } - rate = divider_round_rate(hw, rate, prate, NULL, width, divider->flags); + if ((clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT) && divider->is_frac) + bestdiv = rate % *prate ? 1 : bestdiv; - if (divider->is_frac && (clk_hw_get_flags(hw) & CLK_SET_RATE_PARENT) && (rate % *prate)) - *prate = rate; + bestdiv = min_t(u32, bestdiv, divider->max_div); + *prate = rate * bestdiv; return rate; } -- 2.25.1

9 months, 3 weeks

2
1
0 0

[PATCH 6.1.y] mptcp: fix possible integer overflow in mptcp_reset_tout_timer

by Matthieu Baerts (NGI0)

From: Dmitry Kandybka <d.kandybka(a)gmail.com> commit b169e76ebad22cbd055101ee5aa1a7bed0e66606 upstream. In 'mptcp_reset_tout_timer', promote 'probe_timestamp' to unsigned long to avoid possible integer overflow. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Dmitry Kandybka <d.kandybka(a)gmail.com> Link: https://patch.msgid.link/20241107103657.1560536-1-d.kandybka@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflict in this version because commit d866ae9aaa43 ("mptcp: add a new sysctl for make after break timeout") is not in this version, and replaced TCP_TIMEWAIT_LEN in the expression. The fix can still be applied the same way: by forcing a cast to unsigned long for the first item. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/protocol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 1acd4e37a0ea..370afcac2623 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2708,8 +2708,8 @@ void mptcp_reset_tout_timer(struct mptcp_sock *msk, unsigned long fail_tout) if (!fail_tout && !inet_csk(sk)->icsk_mtup.probe_timestamp) return; - close_timeout = inet_csk(sk)->icsk_mtup.probe_timestamp - tcp_jiffies32 + jiffies + - TCP_TIMEWAIT_LEN; + close_timeout = (unsigned long)inet_csk(sk)->icsk_mtup.probe_timestamp - + tcp_jiffies32 + jiffies + TCP_TIMEWAIT_LEN; /* the close timeout takes precedence on the fail one, and here at least one of * them is active -- 2.45.2

9 months, 3 weeks

2
1
0 0

[PATCH 5.4] nvme: fix metadata handling in nvme-passthrough

by Hagar Hemdan

From: Puranjay Mohan <pjy(a)amazon.com> [ Upstream commit 7c2fd76048e95dd267055b5f5e0a48e6e7c81fd9 ] On an NVMe namespace that does not support metadata, it is possible to send an IO command with metadata through io-passthru. This allows issues like [1] to trigger in the completion code path. nvme_map_user_request() doesn't check if the namespace supports metadata before sending it forward. It also allows admin commands with metadata to be processed as it ignores metadata when bdev == NULL and may report success. Reject an IO command with metadata when the NVMe namespace doesn't support it and reject an admin command if it has metadata. [1] https://lore.kernel.org/all/mb61pcylvnym8.fsf@amazon.com/ Suggested-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Puranjay Mohan <pjy(a)amazon.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me> Reviewed-by: Anuj Gupta <anuj20.g(a)samsung.com> Signed-off-by: Keith Busch <kbusch(a)kernel.org> [ Move the changes from nvme_map_user_request() to nvme_submit_user_cmd() to make it work on 5.4 ] Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> --- drivers/nvme/host/core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 0676637e1eab..a841fd4929ad 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -921,11 +921,16 @@ static int nvme_submit_user_cmd(struct request_queue *q, bool write = nvme_is_write(cmd); struct nvme_ns *ns = q->queuedata; struct gendisk *disk = ns ? ns->disk : NULL; + bool supports_metadata = disk && blk_get_integrity(disk); + bool has_metadata = meta_buffer && meta_len; struct request *req; struct bio *bio = NULL; void *meta = NULL; int ret; + if (has_metadata && !supports_metadata) + return -EINVAL; + req = nvme_alloc_request(q, cmd, 0, NVME_QID_ANY); if (IS_ERR(req)) return PTR_ERR(req); @@ -940,7 +945,7 @@ static int nvme_submit_user_cmd(struct request_queue *q, goto out; bio = req->bio; bio->bi_disk = disk; - if (disk && meta_buffer && meta_len) { + if (has_metadata) { meta = nvme_add_user_metadata(bio, meta_buffer, meta_len, meta_seed, write); if (IS_ERR(meta)) { -- 2.40.1

9 months, 3 weeks

2
1
0 0

[PATCH 4.19] nvme: fix metadata handling in nvme-passthrough

by Hagar Hemdan

From: Puranjay Mohan <pjy(a)amazon.com> [ Upstream commit 7c2fd76048e95dd267055b5f5e0a48e6e7c81fd9 ] On an NVMe namespace that does not support metadata, it is possible to send an IO command with metadata through io-passthru. This allows issues like [1] to trigger in the completion code path. nvme_map_user_request() doesn't check if the namespace supports metadata before sending it forward. It also allows admin commands with metadata to be processed as it ignores metadata when bdev == NULL and may report success. Reject an IO command with metadata when the NVMe namespace doesn't support it and reject an admin command if it has metadata. [1] https://lore.kernel.org/all/mb61pcylvnym8.fsf@amazon.com/ Suggested-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Puranjay Mohan <pjy(a)amazon.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me> Reviewed-by: Anuj Gupta <anuj20.g(a)samsung.com> Signed-off-by: Keith Busch <kbusch(a)kernel.org> [ Move the changes from nvme_map_user_request() to nvme_submit_user_cmd() to make it work on 4.19 ] Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> --- drivers/nvme/host/core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 6adff541282b..fcf062f3b507 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -802,11 +802,16 @@ static int nvme_submit_user_cmd(struct request_queue *q, bool write = nvme_is_write(cmd); struct nvme_ns *ns = q->queuedata; struct gendisk *disk = ns ? ns->disk : NULL; + bool supports_metadata = disk && blk_get_integrity(disk); + bool has_metadata = meta_buffer && meta_len; struct request *req; struct bio *bio = NULL; void *meta = NULL; int ret; + if (has_metadata && !supports_metadata) + return -EINVAL; + req = nvme_alloc_request(q, cmd, 0, NVME_QID_ANY); if (IS_ERR(req)) return PTR_ERR(req); @@ -821,7 +826,7 @@ static int nvme_submit_user_cmd(struct request_queue *q, goto out; bio = req->bio; bio->bi_disk = disk; - if (disk && meta_buffer && meta_len) { + if (has_metadata) { meta = nvme_add_user_metadata(bio, meta_buffer, meta_len, meta_seed, write); if (IS_ERR(meta)) { -- 2.40.1

9 months, 3 weeks

2
1
0 0

[PATCH 6.6.y] mptcp: fix possible integer overflow in mptcp_reset_tout_timer

by Matthieu Baerts (NGI0)

From: Dmitry Kandybka <d.kandybka(a)gmail.com> commit b169e76ebad22cbd055101ee5aa1a7bed0e66606 upstream. In 'mptcp_reset_tout_timer', promote 'probe_timestamp' to unsigned long to avoid possible integer overflow. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Dmitry Kandybka <d.kandybka(a)gmail.com> Link: https://patch.msgid.link/20241107103657.1560536-1-d.kandybka@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflict in this version because commit d866ae9aaa43 ("mptcp: add a new sysctl for make after break timeout") is not in this version, and replaced TCP_TIMEWAIT_LEN in the expression. The fix can still be applied the same way: by forcing a cast to unsigned long for the first item. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/protocol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index b8357d7c6b3a..01f6ce970918 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2691,8 +2691,8 @@ void mptcp_reset_tout_timer(struct mptcp_sock *msk, unsigned long fail_tout) if (!fail_tout && !inet_csk(sk)->icsk_mtup.probe_timestamp) return; - close_timeout = inet_csk(sk)->icsk_mtup.probe_timestamp - tcp_jiffies32 + jiffies + - TCP_TIMEWAIT_LEN; + close_timeout = (unsigned long)inet_csk(sk)->icsk_mtup.probe_timestamp - + tcp_jiffies32 + jiffies + TCP_TIMEWAIT_LEN; /* the close timeout takes precedence on the fail one, and here at least one of * them is active -- 2.45.2

9 months, 3 weeks

2
1
0 0

[PATCH AUTOSEL 6.6 1/4] uprobes: sanitiize xol_free_insn_slot()

by Sasha Levin

From: Oleg Nesterov <oleg(a)redhat.com> [ Upstream commit c7b4133c48445dde789ed30b19ccb0448c7593f7 ] 1. Clear utask->xol_vaddr unconditionally, even if this addr is not valid, xol_free_insn_slot() should never return with utask->xol_vaddr != NULL. 2. Add a comment to explain why do we need to validate slot_addr. 3. Simplify the validation above. We can simply check offset < PAGE_SIZE, unsigned underflows are fine, it should work if slot_addr < area->vaddr. 4. Kill the unnecessary "slot_nr >= UINSNS_PER_PAGE" check, slot_nr must be valid if offset < PAGE_SIZE. The next patches will cleanup this function even more. Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20240929144235.GA9471@redhat.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/events/uprobes.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 6dac0b5798213..5ce3d189e33c2 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1629,8 +1629,8 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe) static void xol_free_insn_slot(struct task_struct *tsk) { struct xol_area *area; - unsigned long vma_end; unsigned long slot_addr; + unsigned long offset; if (!tsk->mm || !tsk->mm->uprobes_state.xol_area || !tsk->utask) return; @@ -1639,24 +1639,21 @@ static void xol_free_insn_slot(struct task_struct *tsk) if (unlikely(!slot_addr)) return; + tsk->utask->xol_vaddr = 0; area = tsk->mm->uprobes_state.xol_area; - vma_end = area->vaddr + PAGE_SIZE; - if (area->vaddr <= slot_addr && slot_addr < vma_end) { - unsigned long offset; - int slot_nr; - - offset = slot_addr - area->vaddr; - slot_nr = offset / UPROBE_XOL_SLOT_BYTES; - if (slot_nr >= UINSNS_PER_PAGE) - return; + offset = slot_addr - area->vaddr; + /* + * slot_addr must fit into [area->vaddr, area->vaddr + PAGE_SIZE). + * This check can only fail if the "[uprobes]" vma was mremap'ed. + */ + if (offset < PAGE_SIZE) { + int slot_nr = offset / UPROBE_XOL_SLOT_BYTES; clear_bit(slot_nr, area->bitmap); atomic_dec(&area->slot_count); smp_mb__after_atomic(); /* pairs with prepare_to_wait() */ if (waitqueue_active(&area->wq)) wake_up(&area->wq); - - tsk->utask->xol_vaddr = 0; } } -- 2.43.0

9 months, 3 weeks

2
4
0 0

[PATCH AUTOSEL 6.11 1/5] uprobes: sanitiize xol_free_insn_slot()

by Sasha Levin

From: Oleg Nesterov <oleg(a)redhat.com> [ Upstream commit c7b4133c48445dde789ed30b19ccb0448c7593f7 ] 1. Clear utask->xol_vaddr unconditionally, even if this addr is not valid, xol_free_insn_slot() should never return with utask->xol_vaddr != NULL. 2. Add a comment to explain why do we need to validate slot_addr. 3. Simplify the validation above. We can simply check offset < PAGE_SIZE, unsigned underflows are fine, it should work if slot_addr < area->vaddr. 4. Kill the unnecessary "slot_nr >= UINSNS_PER_PAGE" check, slot_nr must be valid if offset < PAGE_SIZE. The next patches will cleanup this function even more. Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20240929144235.GA9471@redhat.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/events/uprobes.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 56cd0c7f516d3..5df99a1223c22 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1639,8 +1639,8 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe) static void xol_free_insn_slot(struct task_struct *tsk) { struct xol_area *area; - unsigned long vma_end; unsigned long slot_addr; + unsigned long offset; if (!tsk->mm || !tsk->mm->uprobes_state.xol_area || !tsk->utask) return; @@ -1649,24 +1649,21 @@ static void xol_free_insn_slot(struct task_struct *tsk) if (unlikely(!slot_addr)) return; + tsk->utask->xol_vaddr = 0; area = tsk->mm->uprobes_state.xol_area; - vma_end = area->vaddr + PAGE_SIZE; - if (area->vaddr <= slot_addr && slot_addr < vma_end) { - unsigned long offset; - int slot_nr; - - offset = slot_addr - area->vaddr; - slot_nr = offset / UPROBE_XOL_SLOT_BYTES; - if (slot_nr >= UINSNS_PER_PAGE) - return; + offset = slot_addr - area->vaddr; + /* + * slot_addr must fit into [area->vaddr, area->vaddr + PAGE_SIZE). + * This check can only fail if the "[uprobes]" vma was mremap'ed. + */ + if (offset < PAGE_SIZE) { + int slot_nr = offset / UPROBE_XOL_SLOT_BYTES; clear_bit(slot_nr, area->bitmap); atomic_dec(&area->slot_count); smp_mb__after_atomic(); /* pairs with prepare_to_wait() */ if (waitqueue_active(&area->wq)) wake_up(&area->wq); - - tsk->utask->xol_vaddr = 0; } } -- 2.43.0

9 months, 3 weeks

2
5
0 0

[PATCH RFC can] can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation

by Marc Kleine-Budde

Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") introduced mcp251xfd_get_tef_len() to get the number of unhandled transmit events from the Transmit Event FIFO (TEF). As the TEF has no head index, the driver uses the TX-FIFO's tail index instead, assuming that send frames are completed. When calculating the number of unhandled TEF events, that commit didn't take mcp2518fd erratum DS80000789E 6. into account. According to that erratum, the FIFOCI bits of a FIFOSTA register, here the TX-FIFO tail index might be corrupted. However here it seems the bit indicating that the TX-FIFO is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct while the TX-FIFO tail index is. Assume that the TX-FIFO is indeed empty if: - Chip's head and tail index are equal (len == 0). - The TX-FIFO is less than half full. (The TX-FIFO empty case has already been checked at the beginning of this function.) - No free buffers in the TX ring. If the TX-FIFO is assumed to be empty, assume that the TEF is full and return the number of elements in the TX-FIFO (which equals the number of TEF elements). If these assumptions are false, the driver might read to many objects from the TEF. mcp251xfd_handle_tefif_one() checks the sequence numbers and will refuse to process old events. Reported-by: Renjaya Raga Zenta <renjaya.zenta(a)formulatrix.com> Closes: https://patch.msgid.link/CAJ7t6HgaeQ3a_OtfszezU=zB-FqiZXqrnATJ3UujNoQJJf7Gg… Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum") Not-yet-Cc: stable(a)vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 29 ++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c index d3ac865933fdf6c4ecdd80ad4d7accbff51eb0f8..e94321849fd7e69ed045eaeac3efec52fe077d96 100644 --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c @@ -21,6 +21,11 @@ static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta) return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF; } +static inline bool mcp251xfd_tx_fifo_sta_less_than_half_full(u32 fifo_sta) +{ + return fifo_sta & MCP251XFD_REG_FIFOSTA_TFHRFHIF; +} + static inline int mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv, u8 *tef_tail) @@ -147,7 +152,29 @@ mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p) BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len)); len = (chip_tx_tail << shift) - (tail << shift); - *len_p = len >> shift; + len >>= shift; + + /* According to mcp2518fd erratum DS80000789E 6. the FIFOCI + * bits of a FIFOSTA register, here the TX-FIFO tail index + * might be corrupted. + * + * However here it seems the bit indicating that the TX-FIFO + * is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct + * while the TX-FIFO tail index is. + * + * We assume the TX-FIFO is empty, i.e. all pending CAN frames + * haven been send, if: + * - Chip's head and tail index are equal (len == 0). + * - The TX-FIFO is less than half full. + * (The TX-FIFO empty case has already been checked at the + * beginning of this function.) + * - No free buffers in the TX ring. + */ + if (len == 0 && mcp251xfd_tx_fifo_sta_less_than_half_full(fifo_sta) && + mcp251xfd_get_tx_free(tx_ring) == 0) + len = tx_ring->obj_num; + + *len_p = len; return 0; } --- base-commit: fcc79e1714e8c2b8e216dc3149812edd37884eef change-id: 20241115-mcp251xfd-fix-length-calculation-96d4a0ed11fe Best regards, -- Marc Kleine-Budde <mkl(a)pengutronix.de>

9 months, 3 weeks

2
2
0 0

[PATCH 5.10.y 0/4] fix error handling in mmap_region() and refactor (hotfixes)

by Lorenzo Stoakes

Critical fixes for mmap_region(), backported to 5.10.y. Some notes on differences from upstream: * We do NOT take commit 0fb4a7ad270b ("mm: refactor map_deny_write_exec()"), as this refactors code only introduced in 6.2. * We make reference in "mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling" to parisc, but the referenced functionality does not exist in this kernel. * In this kernel is_shared_maywrite() does not exist and the code uses VM_SHARED to determine whether mapping_map_writable() / mapping_unmap_writable() should be invoked. This backport therefore follows suit. * The vma_dummy_vm_ops static global doesn't exist in this kernel, so we use a local static variable in mmap_file() and vma_close(). * Each version of these series is confronted by a slightly different mmap_region(), so we must adapt the change for each stable version. The approach remains the same throughout, however, and we correctly avoid closing the VMA part way through any __mmap_region() operation. * In 5.10 we must handle VM_DENYWRITE. Since this is done at the top of the file-backed VMA handling logic, and importantly before mmap_file() invocation, this does not imply any additional difficult error handling on partial completion of mapping so has no significant impact. Lorenzo Stoakes (4): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour arch/arm64/include/asm/mman.h | 10 +++-- include/linux/mman.h | 7 +-- mm/internal.h | 19 ++++++++ mm/mmap.c | 82 +++++++++++++++++++++-------------- mm/nommu.c | 9 ++-- mm/shmem.c | 3 -- mm/util.c | 33 ++++++++++++++ 7 files changed, 117 insertions(+), 46 deletions(-) -- 2.47.0

9 months, 3 weeks

2
5
0 0

[PATCH 6.6] fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

by Bin Lan

From: Oleg Nesterov <oleg(a)redhat.com> [ Upstream commit 7601df8031fd67310af891897ef6cc0df4209305 ] lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call do_task_stat() at the same time and the process has NR_THREADS, it will spin with irqs disabled O(NR_CPUS * NR_THREADS) time. Change do_task_stat() to use sig->stats_lock to gather the statistics outside of ->siglock protected section, in the likely case this code will run lockless. Link: https://lkml.kernel.org/r/20240123153357.GA21857@redhat.com Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Dylan Hatch <dylanbhatch(a)google.com> Cc: Eric W. Biederman <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- fs/proc/array.c | 57 +++++++++++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 25 deletions(-) diff --git a/fs/proc/array.c b/fs/proc/array.c index 37b8061d84bb..34a47fb0c57f 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -477,13 +477,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, int permitted; struct mm_struct *mm; unsigned long long start_time; - unsigned long cmin_flt = 0, cmaj_flt = 0; - unsigned long min_flt = 0, maj_flt = 0; - u64 cutime, cstime, utime, stime; - u64 cgtime, gtime; + unsigned long cmin_flt, cmaj_flt, min_flt, maj_flt; + u64 cutime, cstime, cgtime, utime, stime, gtime; unsigned long rsslim = 0; unsigned long flags; int exit_code = task->exit_code; + struct signal_struct *sig = task->signal; + unsigned int seq = 1; state = *get_task_state(task); vsize = eip = esp = 0; @@ -511,12 +511,8 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, sigemptyset(&sigign); sigemptyset(&sigcatch); - cutime = cstime = 0; - cgtime = gtime = 0; if (lock_task_sighand(task, &flags)) { - struct signal_struct *sig = task->signal; - if (sig->tty) { struct pid *pgrp = tty_get_pgrp(sig->tty); tty_pgrp = pid_nr_ns(pgrp, ns); @@ -527,26 +523,9 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, num_threads = get_nr_threads(task); collect_sigign_sigcatch(task, &sigign, &sigcatch); - cmin_flt = sig->cmin_flt; - cmaj_flt = sig->cmaj_flt; - cutime = sig->cutime; - cstime = sig->cstime; - cgtime = sig->cgtime; rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur); - /* add up live thread stats at the group level */ if (whole) { - struct task_struct *t = task; - do { - min_flt += t->min_flt; - maj_flt += t->maj_flt; - gtime += task_gtime(t); - } while_each_thread(task, t); - - min_flt += sig->min_flt; - maj_flt += sig->maj_flt; - gtime += sig->gtime; - if (sig->flags & (SIGNAL_GROUP_EXIT | SIGNAL_STOP_STOPPED)) exit_code = sig->group_exit_code; } @@ -561,6 +540,34 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns, if (permitted && (!whole || num_threads < 2)) wchan = !task_is_running(task); + do { + seq++; /* 2 on the 1st/lockless path, otherwise odd */ + flags = read_seqbegin_or_lock_irqsave(&sig->stats_lock, &seq); + + cmin_flt = sig->cmin_flt; + cmaj_flt = sig->cmaj_flt; + cutime = sig->cutime; + cstime = sig->cstime; + cgtime = sig->cgtime; + + if (whole) { + struct task_struct *t; + + min_flt = sig->min_flt; + maj_flt = sig->maj_flt; + gtime = sig->gtime; + + rcu_read_lock(); + __for_each_thread(sig, t) { + min_flt += t->min_flt; + maj_flt += t->maj_flt; + gtime += task_gtime(t); + } + rcu_read_unlock(); + } + } while (need_seqretry(&sig->stats_lock, seq)); + done_seqretry_irqrestore(&sig->stats_lock, seq, flags); + if (whole) { thread_group_cputime_adjusted(task, &utime, &stime); } else { -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH 6.6] nvme: fix metadata handling in nvme-passthrough

by Hagar Hemdan

From: Puranjay Mohan <pjy(a)amazon.com> [ Upstream commit 7c2fd76048e95dd267055b5f5e0a48e6e7c81fd9 ] On an NVMe namespace that does not support metadata, it is possible to send an IO command with metadata through io-passthru. This allows issues like [1] to trigger in the completion code path. nvme_map_user_request() doesn't check if the namespace supports metadata before sending it forward. It also allows admin commands with metadata to be processed as it ignores metadata when bdev == NULL and may report success. Reject an IO command with metadata when the NVMe namespace doesn't support it and reject an admin command if it has metadata. [1] https://lore.kernel.org/all/mb61pcylvnym8.fsf@amazon.com/ Suggested-by: Christoph Hellwig <hch(a)lst.de> Signed-off-by: Puranjay Mohan <pjy(a)amazon.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Sagi Grimberg <sagi(a)grimberg.me> Reviewed-by: Anuj Gupta <anuj20.g(a)samsung.com> Signed-off-by: Keith Busch <kbusch(a)kernel.org> [ Minor changes to make it work on 6.6 ] Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> --- drivers/nvme/host/ioctl.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c index 875dee6ecd40..19a7f0160618 100644 --- a/drivers/nvme/host/ioctl.c +++ b/drivers/nvme/host/ioctl.c @@ -3,6 +3,7 @@ * Copyright (c) 2011-2014, Intel Corporation. * Copyright (c) 2017-2021 Christoph Hellwig. */ +#include <linux/blk-integrity.h> #include <linux/ptrace.h> /* for force_successful_syscall_return */ #include <linux/nvme_ioctl.h> #include <linux/io_uring.h> @@ -171,10 +172,15 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer, struct request_queue *q = req->q; struct nvme_ns *ns = q->queuedata; struct block_device *bdev = ns ? ns->disk->part0 : NULL; + bool supports_metadata = bdev && blk_get_integrity(bdev->bd_disk); + bool has_metadata = meta_buffer && meta_len; struct bio *bio = NULL; void *meta = NULL; int ret; + if (has_metadata && !supports_metadata) + return -EINVAL; + if (ioucmd && (ioucmd->flags & IORING_URING_CMD_FIXED)) { struct iov_iter iter; @@ -198,7 +204,7 @@ static int nvme_map_user_request(struct request *req, u64 ubuffer, if (bdev) bio_set_dev(bio, bdev); - if (bdev && meta_buffer && meta_len) { + if (has_metadata) { meta = nvme_add_user_metadata(req, meta_buffer, meta_len, meta_seed); if (IS_ERR(meta)) { -- 2.40.1

9 months, 3 weeks

2
7
0 0

[PATCH 6.1 0/2] Backport to fix CVE-2024-37021 and CVE-2024-36479

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> The fix of CVE-2024-36479: fpga: bridge: add owner module and take its refcount master rev 1da11f822042eb6ef4b6064dc048f157a7852529 The fix of CVE-2024-37021: fpga: manager: add owner module and take its refcount master rev 4d4d2d4346857bf778fafaa97d6f76bb1663e3c9 Marco Pagani (2): fpga: bridge: add owner module and take its refcount fpga: manager: add owner module and take its refcount Documentation/driver-api/fpga/fpga-bridge.rst | 7 +- Documentation/driver-api/fpga/fpga-mgr.rst | 34 ++++---- drivers/fpga/fpga-bridge.c | 57 +++++++------ drivers/fpga/fpga-mgr.c | 82 +++++++++++-------- include/linux/fpga/fpga-bridge.h | 10 ++- include/linux/fpga/fpga-mgr.h | 26 ++++-- 6 files changed, 132 insertions(+), 84 deletions(-) -- 2.43.0

9 months, 3 weeks

2
4
0 0

[PATCH 6.6/6.1] fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name

by Xiangyu Chen

From: Li Zhijian <lizhijian(a)fujitsu.com> [ Upstream commit 7f7b850689ac06a62befe26e1fd1806799e7f152 ] It's observed that a crash occurs during hot-remove a memory device, in which user is accessing the hugetlb. See calltrace as following: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790 Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s mirror dm_region_hash dm_log dm_mod CPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:do_user_addr_fault+0x2a0/0x790 Code: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41 RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046 RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658 R13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000 FS: 00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __warn+0x8d/0x190 ? do_user_addr_fault+0x2a0/0x790 ? report_bug+0x1c3/0x1d0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? do_user_addr_fault+0x2a0/0x790 ? exc_page_fault+0x31/0x200 exc_page_fault+0x68/0x200 <...snip...> BUG: unable to handle page fault for address: 0000000000001000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI ---[ end trace 0000000000000000 ]--- BUG: unable to handle page fault for address: 0000000000001000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:dentry_name+0x1f4/0x440 <...snip...> ? dentry_name+0x2fa/0x440 vsnprintf+0x1f3/0x4f0 vprintk_store+0x23a/0x540 vprintk_emit+0x6d/0x330 _printk+0x58/0x80 dump_mapping+0x10b/0x1a0 ? __pfx_free_object_rcu+0x10/0x10 __dump_page+0x26b/0x3e0 ? vprintk_emit+0xe0/0x330 ? _printk+0x58/0x80 ? dump_page+0x17/0x50 dump_page+0x17/0x50 do_migrate_range+0x2f7/0x7f0 ? do_migrate_range+0x42/0x7f0 ? offline_pages+0x2f4/0x8c0 offline_pages+0x60a/0x8c0 memory_subsys_offline+0x9f/0x1c0 ? lockdep_hardirqs_on+0x77/0x100 ? _raw_spin_unlock_irqrestore+0x38/0x60 device_offline+0xe3/0x110 state_store+0x6e/0xc0 kernfs_fop_write_iter+0x143/0x200 vfs_write+0x39f/0x560 ksys_write+0x65/0xf0 do_syscall_64+0x62/0x130 Previously, some sanity check have been done in dump_mapping() before the print facility parsing '%pd' though, it's still possible to run into an invalid dentry.d_name.name. Since dump_mapping() only needs to dump the filename only, retrieve it by itself in a safer way to prevent an unnecessary crash. Note that either retrieving the filename with '%pd' or strncpy_from_kernel_nofault(), the filename could be unreliable. Signed-off-by: Li Zhijian <lizhijian(a)fujitsu.com> Link: https://lore.kernel.org/r/20240826055503.1522320-1-lizhijian@fujitsu.com Reviewed-by: Jan Kara <jack(a)suse.cz> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Xiangyu: Bp to fix CVE: CVE-2024-49934, modified strscpy step due to 6.1/6.6 need pass the max len to strscpy] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- fs/inode.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index 9cafde77e2b0..030e07b169c2 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -593,6 +593,7 @@ void dump_mapping(const struct address_space *mapping) struct hlist_node *dentry_first; struct dentry *dentry_ptr; struct dentry dentry; + char fname[64] = {}; unsigned long ino; /* @@ -628,11 +629,14 @@ void dump_mapping(const struct address_space *mapping) return; } + if (strncpy_from_kernel_nofault(fname, dentry.d_name.name, 63) < 0) + strscpy(fname, "<invalid>", 63); /* - * if dentry is corrupted, the %pd handler may still crash, - * but it's unlikely that we reach here with a corrupt mapping + * Even if strncpy_from_kernel_nofault() succeeded, + * the fname could be unreliable */ - pr_warn("aops:%ps ino:%lx dentry name:\"%pd\"\n", a_ops, ino, &dentry); + pr_warn("aops:%ps ino:%lx dentry name(?):\"%s\"\n", + a_ops, ino, fname); } void clear_inode(struct inode *inode) -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH 6.6] platform/x86: x86-android-tablets: Unregister devices in reverse order

by Bin Lan

From: Hans de Goede <hdegoede(a)redhat.com> [ Upstream commit 3de0f2627ef849735f155c1818247f58404dddfe ] Not all subsystems support a device getting removed while there are still consumers of the device with a reference to the device. One example of this is the regulator subsystem. If a regulator gets unregistered while there are still drivers holding a reference a WARN() at drivers/regulator/core.c:5829 triggers, e.g.: WARNING: CPU: 1 PID: 1587 at drivers/regulator/core.c:5829 regulator_unregister Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLADE_21.X64.0005.R00.1504101516 FFD8_X64_R_2015_04_10_1516 04/10/2015 RIP: 0010:regulator_unregister Call Trace: <TASK> regulator_unregister devres_release_group i2c_device_remove device_release_driver_internal bus_remove_device device_del device_unregister x86_android_tablet_remove On the Lenovo Yoga Tablet 2 series the bq24190 charger chip also provides a 5V boost converter output for powering USB devices connected to the micro USB port, the bq24190-charger driver exports this as a Vbus regulator. On the 830 (8") and 1050 ("10") models this regulator is controlled by a platform_device and x86_android_tablet_remove() removes platform_device-s before i2c_clients so the consumer gets removed first. But on the 1380 (13") model there is a lc824206xa micro-USB switch connected over I2C and the extcon driver for that controls the regulator. The bq24190 i2c-client *must* be registered first, because that creates the regulator with the lc824206xa listed as its consumer. If the regulator has not been registered yet the lc824206xa driver will end up getting a dummy regulator. Since in this case both the regulator provider and consumer are I2C devices, the only way to ensure that the consumer is unregistered first is to unregister the I2C devices in reverse order of in which they were created. For consistency and to avoid similar problems in the future change x86_android_tablet_remove() to unregister all device types in reverse order. Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> Link: https://lore.kernel.org/r/20240406125058.13624-1-hdegoede@redhat.com [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/platform/x86/x86-android-tablets/core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/platform/x86/x86-android-tablets/core.c b/drivers/platform/x86/x86-android-tablets/core.c index a0fa0b6859c9..63a348af83db 100644 --- a/drivers/platform/x86/x86-android-tablets/core.c +++ b/drivers/platform/x86/x86-android-tablets/core.c @@ -230,20 +230,20 @@ static void x86_android_tablet_remove(struct platform_device *pdev) { int i; - for (i = 0; i < serdev_count; i++) { + for (i = serdev_count - 1; i >= 0; i--) { if (serdevs[i]) serdev_device_remove(serdevs[i]); } kfree(serdevs); - for (i = 0; i < pdev_count; i++) + for (i = pdev_count - 1; i >= 0; i--) platform_device_unregister(pdevs[i]); kfree(pdevs); kfree(buttons); - for (i = 0; i < i2c_client_count; i++) + for (i = i2c_client_count - 1; i >= 0; i--) i2c_unregister_device(i2c_clients[i]); kfree(i2c_clients); -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH v2 5.4/5.10/5.15] cifs: Fix buffer overflow when parsing NFS reparse points

by Mahmoud Adam

From: Pali Rohár <pali(a)kernel.org> commit e2a8910af01653c1c268984855629d71fb81f404 upstream. ReparseDataLength is sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength. Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable len. Member InodeType is present only when reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access. Major and minor rdev values are present also only when reparse buffer is large enough. Check for reparse buffer size before calling reparse_mkdev(). Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points") Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Pali Rohár <pali(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> [use variable name symlink_buf, the other buf->InodeType accesses are not used in current version so skip] Signed-off-by: Mahmoud Adam <mngyadam(a)amazon.com> --- v2: fix upstream format. https://lore.kernel.org/stable/20241122152943.76044-1-mngyadam@amazon.com/ fs/cifs/smb2ops.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 9ec67b76bc062..4f7639afa7627 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -2807,6 +2807,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf, /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */ len = le16_to_cpu(symlink_buf->ReparseDataLength); + if (len < sizeof(symlink_buf->InodeType)) { + cifs_dbg(VFS, "srv returned malformed nfs buffer\n"); + return -EIO; + } + + len -= sizeof(symlink_buf->InodeType); if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) { cifs_dbg(VFS, "%lld not a supported symlink type\n", -- 2.40.1

9 months, 3 weeks

2
1
0 0

[PATCH v2 6.1] cifs: Fix buffer overflow when parsing NFS reparse points

by Mahmoud Adam

From: Pali Rohár <pali(a)kernel.org> commit e2a8910af01653c1c268984855629d71fb81f404 upstream. ReparseDataLength is sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength. Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable len. Member InodeType is present only when reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access. Major and minor rdev values are present also only when reparse buffer is large enough. Check for reparse buffer size before calling reparse_mkdev(). Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points") Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Pali Rohár <pali(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> [use variable name symlink_buf, the other buf->InodeType accesses are not used in current version so skip] Signed-off-by: Mahmoud Adam <mngyadam(a)amazon.com> --- v2: fix upstream format. https://lore.kernel.org/stable/Z0Pd9slDKJNM0n3T@ca93ea81d97d/T/#m8cdb746a25… fs/smb/client/smb2ops.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c index d1e5ff9a3cd39..fcfbc096924a8 100644 --- a/fs/smb/client/smb2ops.c +++ b/fs/smb/client/smb2ops.c @@ -2897,6 +2897,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf, /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */ len = le16_to_cpu(symlink_buf->ReparseDataLength); + if (len < sizeof(symlink_buf->InodeType)) { + cifs_dbg(VFS, "srv returned malformed nfs buffer\n"); + return -EIO; + } + + len -= sizeof(symlink_buf->InodeType); if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) { cifs_dbg(VFS, "%lld not a supported symlink type\n", -- 2.40.1

9 months, 3 weeks

2
1
0 0

[PATCH 6.1.y] wifi: rtw89: avoid to add interface to list twice when SER

by Xiangyu Chen

From: Chih-Kang Chang <gary.chang(a)realtek.com> [ Upstream commit 7dd5d2514a8ea58f12096e888b0bd050d7eae20a ] If SER L2 occurs during the WoWLAN resume flow, the add interface flow is triggered by ieee80211_reconfig(). However, due to rtw89_wow_resume() return failure, it will cause the add interface flow to be executed again, resulting in a double add list and causing a kernel panic. Therefore, we have added a check to prevent double adding of the list. list_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:37! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W O 6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7 Hardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021 Workqueue: events_freezable ieee80211_restart_work [mac80211] RIP: 0010:__list_add_valid_or_report+0x5e/0xb0 Code: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12 RSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246 RAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900 RDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001 RBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0 R10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060 R13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010 FS: 0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0 Call Trace: <TASK> ? __die_body+0x1f/0x70 ? die+0x3d/0x60 ? do_trap+0xa4/0x110 ? __list_add_valid_or_report+0x5e/0xb0 ? do_error_trap+0x6d/0x90 ? __list_add_valid_or_report+0x5e/0xb0 ? handle_invalid_op+0x30/0x40 ? __list_add_valid_or_report+0x5e/0xb0 ? exc_invalid_op+0x3c/0x50 ? asm_exc_invalid_op+0x16/0x20 ? __list_add_valid_or_report+0x5e/0xb0 rtw89_ops_add_interface+0x309/0x310 [rtw89_core 7c32b1ee6854761c0321027c8a58c5160e41f48f] drv_add_interface+0x5c/0x130 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc] ieee80211_reconfig+0x241/0x13d0 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc] ? finish_wait+0x3e/0x90 ? synchronize_rcu_expedited+0x174/0x260 ? sync_rcu_exp_done_unlocked+0x50/0x50 ? wake_bit_function+0x40/0x40 ieee80211_restart_work+0xf0/0x140 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc] process_scheduled_works+0x1e5/0x480 worker_thread+0xea/0x1e0 kthread+0xdb/0x110 ? move_linked_works+0x90/0x90 ? kthread_associate_blkcg+0xa0/0xa0 ret_from_fork+0x3b/0x50 ? kthread_associate_blkcg+0xa0/0xa0 ret_from_fork_asm+0x11/0x20 </TASK> Modules linked in: dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc rfcomm cmac uinput algif_hash algif_skcipher af_alg btusb btrtl iio_trig_hrtimer industrialio_sw_trigger btmtk industrialio_configfs btbcm btintel uvcvideo videobuf2_vmalloc iio_trig_sysfs videobuf2_memops videobuf2_v4l2 videobuf2_common uvc snd_hda_codec_hdmi veth snd_hda_intel snd_intel_dspcfg acpi_als snd_hda_codec industrialio_triggered_buffer kfifo_buf snd_hwdep industrialio i2c_piix4 snd_hda_core designware_i2s ip6table_nat snd_soc_max98357a xt_MASQUERADE xt_cgroup snd_soc_acp_rt5682_mach fuse rtw89_8922ae(O) rtw89_8922a(O) rtw89_pci(O) rtw89_core(O) 8021q mac80211(O) bluetooth ecdh_generic ecc cfg80211 r8152 mii joydev gsmi: Log Shutdown Reason 0x03 ---[ end trace 0000000000000000 ]--- Signed-off-by: Chih-Kang Chang <gary.chang(a)realtek.com> Signed-off-by: Ping-Ke Shih <pkshih(a)realtek.com> Link: https://patch.msgid.link/20240731070506.46100-4-pkshih@realtek.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/net/wireless/realtek/rtw89/mac80211.c | 4 +++- drivers/net/wireless/realtek/rtw89/util.h | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtw89/mac80211.c b/drivers/net/wireless/realtek/rtw89/mac80211.c index 3a108b13aa59..f7880499aeb0 100644 --- a/drivers/net/wireless/realtek/rtw89/mac80211.c +++ b/drivers/net/wireless/realtek/rtw89/mac80211.c @@ -105,7 +105,9 @@ static int rtw89_ops_add_interface(struct ieee80211_hw *hw, mutex_lock(&rtwdev->mutex); rtwvif->rtwdev = rtwdev; - list_add_tail(&rtwvif->list, &rtwdev->rtwvifs_list); + if (!rtw89_rtwvif_in_list(rtwdev, rtwvif)) + list_add_tail(&rtwvif->list, &rtwdev->rtwvifs_list); + INIT_WORK(&rtwvif->update_beacon_work, rtw89_core_update_beacon_work); rtw89_leave_ps_mode(rtwdev); diff --git a/drivers/net/wireless/realtek/rtw89/util.h b/drivers/net/wireless/realtek/rtw89/util.h index 1ae80b7561da..f9f52b5b63b9 100644 --- a/drivers/net/wireless/realtek/rtw89/util.h +++ b/drivers/net/wireless/realtek/rtw89/util.h @@ -14,6 +14,24 @@ #define rtw89_for_each_rtwvif(rtwdev, rtwvif) \ list_for_each_entry(rtwvif, &(rtwdev)->rtwvifs_list, list) +/* Before adding rtwvif to list, we need to check if it already exist, beacase + * in some case such as SER L2 happen during WoWLAN flow, calling reconfig + * twice cause the list to be added twice. + */ +static inline bool rtw89_rtwvif_in_list(struct rtw89_dev *rtwdev, + struct rtw89_vif *new) +{ + struct rtw89_vif *rtwvif; + + lockdep_assert_held(&rtwdev->mutex); + + rtw89_for_each_rtwvif(rtwdev, rtwvif) + if (rtwvif == new) + return true; + + return false; +} + /* The result of negative dividend and positive divisor is undefined, but it * should be one case of round-down or round-up. So, make it round-down if the * result is round-up. -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH 1/2] fs/ceph/mds_client: pass cred pointer to ceph_mds_auth_match()

by Max Kellermann

This eliminates a redundant get_current_cred() call, because ceph_mds_check_access() has already obtained this pointer. As a side effect, this also fixes a reference leak in ceph_mds_auth_match(): by omitting the get_current_cred() call, no additional cred reference is taken. Fixes: 596afb0b8933 ("ceph: add ceph_mds_check_access() helper") Cc: stable(a)vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- fs/ceph/mds_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 6baec1387f7d..e8a5994de8b6 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -5615,9 +5615,9 @@ void send_flush_mdlog(struct ceph_mds_session *s) static int ceph_mds_auth_match(struct ceph_mds_client *mdsc, struct ceph_mds_cap_auth *auth, + const struct cred *cred, char *tpath) { - const struct cred *cred = get_current_cred(); u32 caller_uid = from_kuid(&init_user_ns, cred->fsuid); u32 caller_gid = from_kgid(&init_user_ns, cred->fsgid); struct ceph_client *cl = mdsc->fsc->client; @@ -5740,7 +5740,7 @@ int ceph_mds_check_access(struct ceph_mds_client *mdsc, char *tpath, int mask) for (i = 0; i < mdsc->s_cap_auths_num; i++) { struct ceph_mds_cap_auth *s = &mdsc->s_cap_auths[i]; - err = ceph_mds_auth_match(mdsc, s, tpath); + err = ceph_mds_auth_match(mdsc, s, cred, tpath); if (err < 0) { return err; } else if (err > 0) { -- 2.45.2

9 months, 3 weeks

3
5
0 0

[PATCH 5.15.y 0/4] fix error handling in mmap_region() and refactor (hotfixes)

by Lorenzo Stoakes

Critical fixes for mmap_region(), backported to 5.15.y. Some notes on differences from upstream: * We do NOT take commit 0fb4a7ad270b ("mm: refactor map_deny_write_exec()"), as this refactors code only introduced in 6.2. * We make reference in "mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling" to parisc, but the referenced functionality does not exist in this kernel. * In this kernel is_shared_maywrite() does not exist and the code uses VM_SHARED to determine whether mapping_map_writable() / mapping_unmap_writable() should be invoked. This backport therefore follows suit. * The vma_dummy_vm_ops static global doesn't exist in this kernel, so we use a local static variable in mmap_file() and vma_close(). * Each version of these series is confronted by a slightly different mmap_region(), so we must adapt the change for each stable version. The approach remains the same throughout, however, and we correctly avoid closing the VMA part way through any __mmap_region() operation. Lorenzo Stoakes (4): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour arch/arm64/include/asm/mman.h | 10 ++-- include/linux/mman.h | 7 +-- mm/internal.h | 19 ++++++++ mm/mmap.c | 86 +++++++++++++++++++++-------------- mm/nommu.c | 9 ++-- mm/shmem.c | 3 -- mm/util.c | 33 ++++++++++++++ 7 files changed, 119 insertions(+), 48 deletions(-) -- 2.47.0

9 months, 3 weeks

2
5
0 0

[PATCH RESEND 2 1/1] sched/syscalls: Allow setting niceness using sched_param struct

by Michael C. Pratt

From userspace, spawning a new process with, for example, posix_spawn(), only allows the user to work with the scheduling priority value defined by POSIX in the sched_param struct. However, sched_setparam() and similar syscalls lead to __sched_setscheduler() which rejects any new value for the priority other than 0 for non-RT schedule classes, a behavior that existed since Linux 2.6 or earlier. Linux translates the usage of the sched_param struct into it's own internal sched_attr struct during the syscall, but the user currently has no way to manage the other values within the sched_attr struct using only POSIX functions. The only other way to adjust niceness when using posix_spawn() would be to set the value after the process has started, but this introduces the risk of the process being dead before the syscall can set the priority afterward. To resolve this, allow the use of the priority value originally from the POSIX sched_param struct in order to set the niceness value instead of rejecting the priority value. Edit the sched_get_priority_*() POSIX syscalls in order to reflect the range of values accepted. Cc: stable(a)vger.kernel.org # Apply to kernel/sched/core.c Signed-off-by: Michael C. Pratt <mcpratt(a)pm.me> --- kernel/sched/syscalls.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c index 24f9f90b6574..43eb283e6281 100644 --- a/kernel/sched/syscalls.c +++ b/kernel/sched/syscalls.c @@ -785,6 +785,19 @@ static int _sched_setscheduler(struct task_struct *p, int policy, attr.sched_policy = policy; } + if (attr.sched_priority > MAX_PRIO-1) + return -EINVAL; + + /* + * If priority is set for SCHED_NORMAL or SCHED_BATCH, + * set the niceness instead, but only for user calls. + */ + if (check && attr.sched_priority > MAX_RT_PRIO-1 && + ((policy != SETPARAM_POLICY && fair_policy(policy)) || fair_policy(p->policy))) { + attr.sched_nice = PRIO_TO_NICE(attr.sched_priority); + attr.sched_priority = 0; + } + return __sched_setscheduler(p, &attr, check, true); } /** @@ -1532,9 +1545,11 @@ SYSCALL_DEFINE1(sched_get_priority_max, int, policy) case SCHED_RR: ret = MAX_RT_PRIO-1; break; - case SCHED_DEADLINE: case SCHED_NORMAL: case SCHED_BATCH: + ret = MAX_PRIO-1; + break; + case SCHED_DEADLINE: case SCHED_IDLE: case SCHED_EXT: ret = 0; @@ -1560,9 +1575,11 @@ SYSCALL_DEFINE1(sched_get_priority_min, int, policy) case SCHED_RR: ret = 1; break; - case SCHED_DEADLINE: case SCHED_NORMAL: case SCHED_BATCH: + ret = MAX_RT_PRIO; + break; + case SCHED_DEADLINE: case SCHED_IDLE: case SCHED_EXT: ret = 0; base-commit: 2d5404caa8c7bb5c4e0435f94b28834ae5456623 -- 2.30.2

9 months, 3 weeks

4
6
0 0

[PATCH] thermal: int3400: Fix display of current_uuid for active policy

by Srinivas Pandruvada

When the current_uuid attribute is set to active policy UUID, reading back the same attribute is displaying uuid as "INVALID" instead of active policy UUID on some platforms before Ice Lake. In platforms before Ice Lake, firmware provides list of supported thermal policies. In this case user space can select any of the supported thermal policy via a write to attribute "current_uuid". With the 'commit c7ff29763989 ("thermal: int340x: Update OS policy capability handshake")', OS policy handshake is updated to support Ice Lake and later platforms. But this treated priv->current_uuid_index=0 as invalid. This priv->current_uuid_index=0 is for active policy. Only priv->current_uuid_index=-1 is invalid. Fix this issue by treating priv->current_uuid_index=0 as valid. Fixes: c7ff29763989 ("thermal: int340x: Update OS policy capability handshake") Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> CC: stable(a)vger.kernel.org # 5.18+ --- drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c index b0c0f0ffdcb0..f547d386ae80 100644 --- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c +++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c @@ -137,7 +137,7 @@ static ssize_t current_uuid_show(struct device *dev, struct int3400_thermal_priv *priv = dev_get_drvdata(dev); int i, length = 0; - if (priv->current_uuid_index > 0) + if (priv->current_uuid_index >= 0) return sprintf(buf, "%s\n", int3400_thermal_uuids[priv->current_uuid_index]); -- 2.47.0

9 months, 3 weeks

2
1
0 0

[PATCH AUTOSEL 6.12 1/5] uprobes: sanitiize xol_free_insn_slot()

by Sasha Levin

From: Oleg Nesterov <oleg(a)redhat.com> [ Upstream commit c7b4133c48445dde789ed30b19ccb0448c7593f7 ] 1. Clear utask->xol_vaddr unconditionally, even if this addr is not valid, xol_free_insn_slot() should never return with utask->xol_vaddr != NULL. 2. Add a comment to explain why do we need to validate slot_addr. 3. Simplify the validation above. We can simply check offset < PAGE_SIZE, unsigned underflows are fine, it should work if slot_addr < area->vaddr. 4. Kill the unnecessary "slot_nr >= UINSNS_PER_PAGE" check, slot_nr must be valid if offset < PAGE_SIZE. The next patches will cleanup this function even more. Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20240929144235.GA9471@redhat.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/events/uprobes.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 4b52cb2ae6d62..cc605df73d72f 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1683,8 +1683,8 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe) static void xol_free_insn_slot(struct task_struct *tsk) { struct xol_area *area; - unsigned long vma_end; unsigned long slot_addr; + unsigned long offset; if (!tsk->mm || !tsk->mm->uprobes_state.xol_area || !tsk->utask) return; @@ -1693,24 +1693,21 @@ static void xol_free_insn_slot(struct task_struct *tsk) if (unlikely(!slot_addr)) return; + tsk->utask->xol_vaddr = 0; area = tsk->mm->uprobes_state.xol_area; - vma_end = area->vaddr + PAGE_SIZE; - if (area->vaddr <= slot_addr && slot_addr < vma_end) { - unsigned long offset; - int slot_nr; - - offset = slot_addr - area->vaddr; - slot_nr = offset / UPROBE_XOL_SLOT_BYTES; - if (slot_nr >= UINSNS_PER_PAGE) - return; + offset = slot_addr - area->vaddr; + /* + * slot_addr must fit into [area->vaddr, area->vaddr + PAGE_SIZE). + * This check can only fail if the "[uprobes]" vma was mremap'ed. + */ + if (offset < PAGE_SIZE) { + int slot_nr = offset / UPROBE_XOL_SLOT_BYTES; clear_bit(slot_nr, area->bitmap); atomic_dec(&area->slot_count); smp_mb__after_atomic(); /* pairs with prepare_to_wait() */ if (waitqueue_active(&area->wq)) wake_up(&area->wq); - - tsk->utask->xol_vaddr = 0; } } -- 2.43.0

9 months, 3 weeks

3
9
0 0

[PATCH] serial: sh-sci: Check if TX data was written to device in .tx_empty()

by Claudiu

From: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> On the Renesas RZ/G3S, when doing suspend to RAM, the uart_suspend_port() is called. The uart_suspend_port() calls 3 times the struct uart_port::ops::tx_empty() before shutting down the port. According to the documentation, the struct uart_port::ops::tx_empty() API tests whether the transmitter FIFO and shifter for the port is empty. The Renesas RZ/G3S SCIFA IP reports the number of data units stored in the transmit FIFO through the FDR (FIFO Data Count Register). The data units in the FIFOs are written in the shift register and transmitted from there. The TEND bit in the Serial Status Register reports if the data was transmitted from the shift register. In the previous code, in the tx_empty() API implemented by the sh-sci driver, it is considered that the TX is empty if the hardware reports the TEND bit set and the number of data units in the FIFO is zero. According to the HW manual, the TEND bit has the following meaning: 0: Transmission is in the waiting state or in progress. 1: Transmission is completed. It has been noticed that when opening the serial device w/o using it and then switch to a power saving mode, the tx_empty() call in the uart_port_suspend() function fails, leading to the "Unable to drain transmitter" message being printed on the console. This is because the TEND=0 if nothing has been transmitted and the FIFOs are empty. As the TEND=0 has double meaning (waiting state, in progress) we can't determined the scenario described above. Add a software workaround for this. This sets a variable if any data has been sent on the serial console (when using PIO) or if the DMA callback has been called (meaning something has been transmitted). In the tx_empty() API the status of the DMA transaction is also checked and if it is completed or in progress the code falls back in checking the hardware registers instead of relying on the software variable. Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.") Cc: stable(a)vger.kernel.org Signed-off-by: Claudiu Beznea <claudiu.beznea.uj(a)bp.renesas.com> --- Patch was initially part of series at [1]. Changes since [1]: - checked the s->chan_tx validity in sci_dma_check_tx_occurred() [1] https://lore.kernel.org/all/20241115134401.3893008-1-claudiu.beznea.uj@bp.r… drivers/tty/serial/sh-sci.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c index 136e0c257af1..680f0203fda4 100644 --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -157,6 +157,7 @@ struct sci_port { bool has_rtscts; bool autorts; + bool tx_occurred; }; #define SCI_NPORTS CONFIG_SERIAL_SH_SCI_NR_UARTS @@ -850,6 +851,7 @@ static void sci_transmit_chars(struct uart_port *port) { struct tty_port *tport = &port->state->port; unsigned int stopped = uart_tx_stopped(port); + struct sci_port *s = to_sci_port(port); unsigned short status; unsigned short ctrl; int count; @@ -885,6 +887,7 @@ static void sci_transmit_chars(struct uart_port *port) } sci_serial_out(port, SCxTDR, c); + s->tx_occurred = true; port->icount.tx++; } while (--count > 0); @@ -1241,6 +1244,8 @@ static void sci_dma_tx_complete(void *arg) if (kfifo_len(&tport->xmit_fifo) < WAKEUP_CHARS) uart_write_wakeup(port); + s->tx_occurred = true; + if (!kfifo_is_empty(&tport->xmit_fifo)) { s->cookie_tx = 0; schedule_work(&s->work_tx); @@ -1731,6 +1736,19 @@ static void sci_flush_buffer(struct uart_port *port) s->cookie_tx = -EINVAL; } } + +static void sci_dma_check_tx_occurred(struct sci_port *s) +{ + struct dma_tx_state state; + enum dma_status status; + + if (!s->chan_tx) + return; + + status = dmaengine_tx_status(s->chan_tx, s->cookie_tx, &state); + if (status == DMA_COMPLETE || status == DMA_IN_PROGRESS) + s->tx_occurred = true; +} #else /* !CONFIG_SERIAL_SH_SCI_DMA */ static inline void sci_request_dma(struct uart_port *port) { @@ -1740,6 +1758,10 @@ static inline void sci_free_dma(struct uart_port *port) { } +static void sci_dma_check_tx_occurred(struct sci_port *s) +{ +} + #define sci_flush_buffer NULL #endif /* !CONFIG_SERIAL_SH_SCI_DMA */ @@ -2076,6 +2098,12 @@ static unsigned int sci_tx_empty(struct uart_port *port) { unsigned short status = sci_serial_in(port, SCxSR); unsigned short in_tx_fifo = sci_txfill(port); + struct sci_port *s = to_sci_port(port); + + sci_dma_check_tx_occurred(s); + + if (!s->tx_occurred) + return TIOCSER_TEMT; return (status & SCxSR_TEND(port)) && !in_tx_fifo ? TIOCSER_TEMT : 0; } @@ -2247,6 +2275,7 @@ static int sci_startup(struct uart_port *port) dev_dbg(port->dev, "%s(%d)\n", __func__, port->line); + s->tx_occurred = false; sci_request_dma(port); ret = sci_request_irq(s); -- 2.39.2

9 months, 3 weeks

1
0
0 0

[PATCH v3] usb: typec: anx7411: fix OF node reference leaks in anx7411_typec_switch_probe()

by Joe Hattori

The refcounts of the OF nodes obtained in by of_get_child_by_name() calls in anx7411_typec_switch_probe() are not decremented. Add additional device_node fields to anx7411_data, and call of_node_put() on them in the error path and in the unregister functions. Fixes: e45d7337dc0e ("usb: typec: anx7411: Use of_get_child_by_name() instead of of_find_node_by_name()") Cc: stable(a)vger.kernel.org Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> --- Changes in v3: - Add new fields to anx7411_data. - Remove an unnecessary include. --- drivers/usb/typec/anx7411.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c index 95607efb9f7e..e714b04399fa 100644 --- a/drivers/usb/typec/anx7411.c +++ b/drivers/usb/typec/anx7411.c @@ -290,6 +290,8 @@ struct anx7411_data { struct power_supply *psy; struct power_supply_desc psy_desc; struct device *dev; + struct device_node *switch_node; + struct device_node *mux_node; }; static u8 snk_identity[] = { @@ -1099,6 +1101,7 @@ static void anx7411_unregister_mux(struct anx7411_data *ctx) if (ctx->typec.typec_mux) { typec_mux_unregister(ctx->typec.typec_mux); ctx->typec.typec_mux = NULL; + of_node_put(ctx->mux_node); } } @@ -1107,6 +1110,7 @@ static void anx7411_unregister_switch(struct anx7411_data *ctx) if (ctx->typec.typec_switch) { typec_switch_unregister(ctx->typec.typec_switch); ctx->typec.typec_switch = NULL; + of_node_put(ctx->switch_node); } } @@ -1114,28 +1118,29 @@ static int anx7411_typec_switch_probe(struct anx7411_data *ctx, struct device *dev) { int ret; - struct device_node *node; - node = of_get_child_by_name(dev->of_node, "orientation_switch"); - if (!node) + ctx->switch_node = of_get_child_by_name(dev->of_node, "orientation_switch"); + if (!ctx->switch_node) return 0; - ret = anx7411_register_switch(ctx, dev, &node->fwnode); + ret = anx7411_register_switch(ctx, dev, &ctx->switch_node->fwnode); if (ret) { dev_err(dev, "failed register switch"); + of_node_put(ctx->switch_node); return ret; } - node = of_get_child_by_name(dev->of_node, "mode_switch"); - if (!node) { + ctx->mux_node = of_get_child_by_name(dev->of_node, "mode_switch"); + if (!ctx->mux_node) { dev_err(dev, "no typec mux exist"); ret = -ENODEV; goto unregister_switch; } - ret = anx7411_register_mux(ctx, dev, &node->fwnode); + ret = anx7411_register_mux(ctx, dev, &ctx->mux_node->fwnode); if (ret) { dev_err(dev, "failed register mode switch"); + of_node_put(ctx->mux_node); ret = -ENODEV; goto unregister_switch; } -- 2.34.1

9 months, 3 weeks

2
1
0 0

[PATCH 0/7] drm/tidss: Interrupt fixes and cleanups

by Tomi Valkeinen

A collection of interrupt related fixes and cleanups. A few patches are from Devarsh and have been posted to dri-devel, which I've included here with a permission from Devarsh, so that we have all interrupt patches together. I have modified both of those patches compared to the posted versions. Tomi Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> --- Devarsh Thakkar (2): drm/tidss: Clear the interrupt status for interrupts being disabled drm/tidss: Fix race condition while handling interrupt registers Tomi Valkeinen (5): drm/tidss: Fix issue in irq handling causing irq-flood issue drm/tidss: Remove unused OCP error flag drm/tidss: Remove extra K2G check drm/tidss: Add printing of underflows drm/tidss: Rename 'wait_lock' to 'irq_lock' drivers/gpu/drm/tidss/tidss_dispc.c | 28 ++++++++++++++++------------ drivers/gpu/drm/tidss/tidss_drv.c | 2 +- drivers/gpu/drm/tidss/tidss_drv.h | 5 +++-- drivers/gpu/drm/tidss/tidss_irq.c | 34 +++++++++++++++++++++++----------- drivers/gpu/drm/tidss/tidss_irq.h | 4 +--- drivers/gpu/drm/tidss/tidss_plane.c | 8 ++++++++ drivers/gpu/drm/tidss/tidss_plane.h | 2 ++ 7 files changed, 54 insertions(+), 29 deletions(-) --- base-commit: 98f7e32f20d28ec452afb208f9cffc08448a2652 change-id: 20240918-tidss-irq-fix-f687b149a42c Best regards, -- Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com>

9 months, 3 weeks

3
10
0 0

[PATCH v2] usb: typec: anx7411: fix fwnode_handle reference leak

by Joe Hattori

An fwnode_handle and usb_role_switch are obtained with an incremented refcount in anx7411_typec_port_probe(), however the refcounts are not decremented in the error path. The fwnode_handle is also not decremented in the .remove() function. Therefore, call fwnode_handle_put() and usb_role_switch_put() accordingly. Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Cc: stable(a)vger.kernel.org Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> --- Changes in v2: - Call usb_role_switch_put() - Remove the port in anx7411_port_unregister(). --- drivers/usb/typec/anx7411.c | 47 +++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c index d1e7c487ddfb..95607efb9f7e 100644 --- a/drivers/usb/typec/anx7411.c +++ b/drivers/usb/typec/anx7411.c @@ -1021,6 +1021,16 @@ static void anx7411_port_unregister_altmodes(struct typec_altmode **adev) } } +static void anx7411_port_unregister(struct typec_params *typecp) +{ + fwnode_handle_put(typecp->caps.fwnode); + anx7411_port_unregister_altmodes(typecp->port_amode); + if (typecp->port) + typec_unregister_port(typecp->port); + if (typecp->role_sw) + usb_role_switch_put(typecp->role_sw); +} + static int anx7411_usb_mux_set(struct typec_mux_dev *mux, struct typec_mux_state *state) { @@ -1154,34 +1164,34 @@ static int anx7411_typec_port_probe(struct anx7411_data *ctx, ret = fwnode_property_read_string(fwnode, "power-role", &buf); if (ret) { dev_err(dev, "power-role not found: %d\n", ret); - return ret; + goto put_fwnode; } ret = typec_find_port_power_role(buf); if (ret < 0) - return ret; + goto put_fwnode; cap->type = ret; ret = fwnode_property_read_string(fwnode, "data-role", &buf); if (ret) { dev_err(dev, "data-role not found: %d\n", ret); - return ret; + goto put_fwnode; } ret = typec_find_port_data_role(buf); if (ret < 0) - return ret; + goto put_fwnode; cap->data = ret; ret = fwnode_property_read_string(fwnode, "try-power-role", &buf); if (ret) { dev_err(dev, "try-power-role not found: %d\n", ret); - return ret; + goto put_fwnode; } ret = typec_find_power_role(buf); if (ret < 0) - return ret; + goto put_fwnode; cap->prefer_role = ret; /* Get source pdos */ @@ -1193,7 +1203,7 @@ static int anx7411_typec_port_probe(struct anx7411_data *ctx, typecp->src_pdo_nr); if (ret < 0) { dev_err(dev, "source cap validate failed: %d\n", ret); - return -EINVAL; + goto put_fwnode; } typecp->caps_flags |= HAS_SOURCE_CAP; @@ -1207,7 +1217,7 @@ static int anx7411_typec_port_probe(struct anx7411_data *ctx, typecp->sink_pdo_nr); if (ret < 0) { dev_err(dev, "sink cap validate failed: %d\n", ret); - return -EINVAL; + goto put_fwnode; } for (i = 0; i < typecp->sink_pdo_nr; i++) { @@ -1251,13 +1261,21 @@ static int anx7411_typec_port_probe(struct anx7411_data *ctx, ret = PTR_ERR(ctx->typec.port); ctx->typec.port = NULL; dev_err(dev, "Failed to register type c port %d\n", ret); - return ret; + goto put_usb_role_switch; } typec_port_register_altmodes(ctx->typec.port, NULL, ctx, ctx->typec.port_amode, MAX_ALTMODE); return 0; + +put_usb_role_switch: + if (ctx->typec.role_sw) + usb_role_switch_put(ctx->typec.role_sw); +put_fwnode: + fwnode_handle_put(fwnode); + + return ret; } static int anx7411_typec_check_connection(struct anx7411_data *ctx) @@ -1523,8 +1541,7 @@ static int anx7411_i2c_probe(struct i2c_client *client) destroy_workqueue(plat->workqueue); free_typec_port: - typec_unregister_port(plat->typec.port); - anx7411_port_unregister_altmodes(plat->typec.port_amode); + anx7411_port_unregister(&plat->typec); free_typec_switch: anx7411_unregister_switch(plat); @@ -1548,17 +1565,11 @@ static void anx7411_i2c_remove(struct i2c_client *client) i2c_unregister_device(plat->spi_client); - if (plat->typec.role_sw) - usb_role_switch_put(plat->typec.role_sw); - anx7411_unregister_mux(plat); anx7411_unregister_switch(plat); - if (plat->typec.port) - typec_unregister_port(plat->typec.port); - - anx7411_port_unregister_altmodes(plat->typec.port_amode); + anx7411_port_unregister(&plat->typec); } static const struct i2c_device_id anx7411_id[] = { -- 2.34.1

9 months, 3 weeks

2
1
0 0

[PATCH 5.4/5.10/5.15] cifs: Fix buffer overflow when parsing NFS reparse points

by Mahmoud Adam

From: Pali Rohár <pali(a)kernel.org> upstream e2a8910af01653c1c268984855629d71fb81f404 commit. ReparseDataLength is sum of the InodeType size and DataBuffer size. So to get DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength. Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer at position after the end of the buffer because it does not subtract InodeType size from the length. Fix this problem and correctly subtract variable len. Member InodeType is present only when reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access. Major and minor rdev values are present also only when reparse buffer is large enough. Check for reparse buffer size before calling reparse_mkdev(). Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points") Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.com> Signed-off-by: Pali Rohár <pali(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> [use variable name symlink_buf, the other buf->InodeType accesses are not used in current version so skip] Signed-off-by: Mahmoud Adam <mngyadam(a)amazon.com> --- This fixes CVE-2024-49996. fs/cifs/smb2ops.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c index 6c30fff8a029e..ee9a1e6550e3c 100644 --- a/fs/cifs/smb2ops.c +++ b/fs/cifs/smb2ops.c @@ -2971,6 +2971,12 @@ parse_reparse_posix(struct reparse_posix_data *symlink_buf, /* See MS-FSCC 2.1.2.6 for the 'NFS' style reparse tags */ len = le16_to_cpu(symlink_buf->ReparseDataLength); + if (len < sizeof(symlink_buf->InodeType)) { + cifs_dbg(VFS, "srv returned malformed nfs buffer\n"); + return -EIO; + } + + len -= sizeof(symlink_buf->InodeType); if (le64_to_cpu(symlink_buf->InodeType) != NFS_SPECFILE_LNK) { cifs_dbg(VFS, "%lld not a supported symlink type\n", -- 2.40.1

9 months, 3 weeks

3
3
0 0

[PATCH] ksmbd: fix use-after-free in SMB request handling

by Yunseong Kim

A race condition exists between SMB request handling in `ksmbd_conn_handler_loop()` and the freeing of `ksmbd_conn` in the workqueue handler `handle_ksmbd_work()`. This leads to a UAF. - KASAN: slab-use-after-free Read in handle_ksmbd_work - KASAN: slab-use-after-free in rtlock_slowlock_locked This race condition arises as follows: - `ksmbd_conn_handler_loop()` waits for `conn->r_count` to reach zero: `wait_event(conn->r_count_q, atomic_read(&conn->r_count) == 0);` - Meanwhile, `handle_ksmbd_work()` decrements `conn->r_count` using `atomic_dec_return(&conn->r_count)`, and if it reaches zero, calls `ksmbd_conn_free()`, which frees `conn`. - However, after `handle_ksmbd_work()` decrements `conn->r_count`, it may still access `conn->r_count_q` in the following line: `waitqueue_active(&conn->r_count_q)` or `wake_up(&conn->r_count_q)` This results in a UAF, as `conn` has already been freed. The discovery of this UAF can be referenced in the following PR for syzkaller's support for SMB requests. Link: https://github.com/google/syzkaller/pull/5524 Fixes: ee426bfb9d09 ("ksmbd: add refcnt to ksmbd_conn struct") Cc: linux-cifs(a)vger.kernel.org Cc: stable(a)vger.kernel.org # v6.6.55+, v6.10.14+, v6.11.3+ Cc: syzkaller(a)googlegroups.com Signed-off-by: Yunseong Kim <yskelg(a)gmail.com> --- fs/smb/server/server.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index e6cfedba9992..c8cc6fa6fc3e 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -276,8 +276,12 @@ static void handle_ksmbd_work(struct work_struct *wk) * disconnection. waitqueue_active is safe because it * uses atomic operation for condition. */ + atomic_inc(&conn->refcnt); if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q)) wake_up(&conn->r_count_q); + + if (atomic_dec_and_test(&conn->refcnt)) + kfree(conn); } /** -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH v2] x86/sev: Add missing RIP_REL_REF() invocations during sme_enable()

by Kevin Loughlin

commit 1c811d403afd ("x86/sev: Fix position dependent variable references in startup code") introduced RIP_REL_REF() to force RIP- relative accesses to global variables, as needed to prevent crashes during early SEV/SME startup code. For completeness, RIP_REL_REF() should be used with additional variables during sme_enable() [0]. Access these vars with RIP_REL_REF() to prevent problem reoccurence. [0] https://lore.kernel.org/all/CAMj1kXHnA0fJu6zh634=fbJswp59kSRAbhW+ubDGj1+NYw… Fixes: 1c811d403afd ("x86/sev: Fix position dependent variable references in startup code") Signed-off-by: Kevin Loughlin <kevinloughlin(a)google.com> Reviewed-by: Ard Biesheuvel <ardb(a)kernel.org> Reviewed-by: Tom Lendacky <thomas.lendacky(a)amd.com> --- v1 -> v2: Fix typo in commit message, add Ard's and Tom's "Reviewed-by" arch/x86/mm/mem_encrypt_identity.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c index e6c7686f443a..9fce5b87b8c5 100644 --- a/arch/x86/mm/mem_encrypt_identity.c +++ b/arch/x86/mm/mem_encrypt_identity.c @@ -565,7 +565,7 @@ void __head sme_enable(struct boot_params *bp) } RIP_REL_REF(sme_me_mask) = me_mask; - physical_mask &= ~me_mask; - cc_vendor = CC_VENDOR_AMD; + RIP_REL_REF(physical_mask) &= ~me_mask; + RIP_REL_REF(cc_vendor) = CC_VENDOR_AMD; cc_set_mask(me_mask); } -- 2.47.0.371.ga323438b13-goog

9 months, 3 weeks

2
1
0 0

[PATCH AUTOSEL 6.1 01/48] drm/vc4: hdmi: Avoid log spam for audio start failure

by Sasha Levin

From: Dom Cobley <popcornmix(a)gmail.com> [ Upstream commit b4e5646178e86665f5caef2894578600f597098a ] We regularly get dmesg error reports of: [ 18.184066] hdmi-audio-codec hdmi-audio-codec.3.auto: ASoC: error at snd_soc_dai_startup on i2s-hifi: -19 [ 18.184098] MAI: soc_pcm_open() failed (-19) These are generated for any disconnected hdmi interface when pulseaudio attempts to open the associated ALSA device (numerous times). Each open generates a kernel error message, generating general log spam. The error messages all come from _soc_pcm_ret in sound/soc/soc-pcm.c#L39 which suggests returning ENOTSUPP, rather that ENODEV will be quiet. And indeed it is. Signed-off-by: Dom Cobley <popcornmix(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-5-dave… Signed-off-by: Dave Stevenson <dave.stevenson(a)raspberrypi.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/vc4/vc4_hdmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c index 971801acbde60..51971035d8cbb 100644 --- a/drivers/gpu/drm/vc4/vc4_hdmi.c +++ b/drivers/gpu/drm/vc4/vc4_hdmi.c @@ -2156,7 +2156,7 @@ static int vc4_hdmi_audio_startup(struct device *dev, void *data) } if (!vc4_hdmi_audio_can_stream(vc4_hdmi)) { - ret = -ENODEV; + ret = -ENOTSUPP; goto out_dev_exit; } -- 2.43.0

9 months, 3 weeks

2
48
0 0

[PATCH v2 0/3] clk: qcom: Add support for multiple power-domains for a clock controller.

by Bryan O'Donoghue

v2: The main change in this version is Bjorn's pointing out that pm_runtime_* inside of the gdsc_enable/gdsc_disable path would be recursive and cause a lockdep splat. Dmitry alluded to this too. Bjorn pointed to stuff being done lower in the gdsc_register() routine that might be a starting point. I iterated around that idea and came up with patch #3. When a gdsc has no parent and the pd_list is non-NULL then attach that orphan GDSC to the clock controller power-domain list. Existing subdomain code in gdsc_register() will connect the parent GDSCs in the clock-controller to the clock-controller subdomain, the new code here does that same job for a list of power-domains the clock controller depends on. To Dmitry's point about MMCX and MCX dependencies for the registers inside of the clock controller, I have switched off all references in a test dtsi and confirmed that accessing the clock-controller regs themselves isn't required. On the second point I also verified my test branch with lockdep on which was a concern with the pm_domain version of this solution but I wanted to cover it anyway with the new approach for completeness sake. Here's the item-by-item list of changes: - Adds a patch to capture pm_genpd_add_subdomain() result code - Bryan - Changes changelog of second patch to remove singleton and generally to make the commit log easier to understand - Bjorn - Uses demv_pm_domain_attach_list - Vlad - Changes error check to if (ret < 0 && ret != -EEXIST) - Vlad - Retains passing &pd_data instead of NULL - because NULL doesn't do the same thing - Bryan/Vlad - Retains standalone function qcom_cc_pds_attach() because the pd_data enumeration looks neater in a standalone function - Bryan/Vlad - Drops pm_runtime in favour of gdsc_add_subdomain_list() for each power-domain in the pd_list. The pd_list will be whatever is pointed to by power-domains = <> in the dtsi - Bjorn - Link to v1: https://lore.kernel.org/r/20241118-b4-linux-next-24-11-18-clock-multiple-po… v1: On x1e80100 and it's SKUs the Camera Clock Controller - CAMCC has multiple power-domains which power it. Usually with a single power-domain the core platform code will automatically switch on the singleton power-domain for you. If you have multiple power-domains for a device, in this case the clock controller, you need to switch those power-domains on/off yourself. The clock controllers can also contain Global Distributed Switch Controllers - GDSCs which themselves can be referenced from dtsi nodes ultimately triggering a gdsc_en() in drivers/clk/qcom/gdsc.c. As an example: cci0: cci@ac4a000 { power-domains = <&camcc TITAN_TOP_GDSC>; }; This series adds the support to attach a power-domain list to the clock-controllers and the GDSCs those controllers provide so that in the case of the above example gdsc_toggle_logic() will trigger the power-domain list with pm_runtime_resume_and_get() and pm_runtime_put_sync() respectively. Signed-off-by: Bryan O'Donoghue <bryan.odonoghue(a)linaro.org> --- Bryan O'Donoghue (3): clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code clk: qcom: common: Add support for power-domain attachment driver: clk: qcom: Support attaching subdomain list to multiple parents drivers/clk/qcom/common.c | 21 +++++++++++++++++++++ drivers/clk/qcom/gdsc.c | 41 +++++++++++++++++++++++++++++++++++++++-- drivers/clk/qcom/gdsc.h | 1 + 3 files changed, 61 insertions(+), 2 deletions(-) --- base-commit: 744cf71b8bdfcdd77aaf58395e068b7457634b2c change-id: 20241118-b4-linux-next-24-11-18-clock-multiple-power-domains-a5f994dc452a Best regards, -- Bryan O'Donoghue <bryan.odonoghue(a)linaro.org>

9 months, 3 weeks

1
1
0 0

[PATCH v2 1/7] btrfs: fix double accounting of ordered extents during errors

by Qu Wenruo

[BUG] Btrfs will fail generic/750 randomly if its sector size is smaller than page size. One of the warning looks like this: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 90263 at fs/btrfs/ordered-data.c:360 can_finish_ordered_extent+0x33c/0x390 [btrfs] CPU: 1 UID: 0 PID: 90263 Comm: kworker/u18:1 Tainted: G OE 6.12.0-rc3-custom+ #79 Workqueue: events_unbound btrfs_async_reclaim_metadata_space [btrfs] pc : can_finish_ordered_extent+0x33c/0x390 [btrfs] lr : can_finish_ordered_extent+0xdc/0x390 [btrfs] Call trace: can_finish_ordered_extent+0x33c/0x390 [btrfs] btrfs_mark_ordered_io_finished+0x130/0x2b8 [btrfs] extent_writepage+0xfc/0x338 [btrfs] extent_write_cache_pages+0x1d4/0x4b8 [btrfs] btrfs_writepages+0x94/0x158 [btrfs] do_writepages+0x74/0x190 filemap_fdatawrite_wbc+0x88/0xc8 start_delalloc_inodes+0x180/0x3b0 [btrfs] btrfs_start_delalloc_roots+0x17c/0x288 [btrfs] shrink_delalloc+0x11c/0x280 [btrfs] flush_space+0x27c/0x310 [btrfs] btrfs_async_reclaim_metadata_space+0xcc/0x208 [btrfs] process_one_work+0x228/0x670 worker_thread+0x1bc/0x360 kthread+0x100/0x118 ret_from_fork+0x10/0x20 irq event stamp: 9784200 hardirqs last enabled at (9784199): [<ffffd21ec54dc01c>] _raw_spin_unlock_irqrestore+0x74/0x80 hardirqs last disabled at (9784200): [<ffffd21ec54db374>] _raw_spin_lock_irqsave+0x8c/0xa0 softirqs last enabled at (9784148): [<ffffd21ec472ff44>] handle_softirqs+0x45c/0x4b0 softirqs last disabled at (9784141): [<ffffd21ec46d01e4>] __do_softirq+0x1c/0x28 ---[ end trace 0000000000000000 ]--- BTRFS critical (device dm-2): bad ordered extent accounting, root=5 ino=1492 OE offset=1654784 OE len=57344 to_dec=49152 left=0 [CAUSE] There are several error paths not properly handling during folio writeback: 1) Partially submitted folio During extent_writepage_io() if some error happened (the only possible case is submit_one_sector() failed to grab an extent map), then we can have partially submitted folio. Since extent_writepage_io() failed, we need to call btrfs_mark_ordered_io_finished() to cleanup the submitted range. But we will call btrfs_mark_ordered_io_finished() for submitted range too, causing double accounting. 2) Partially created ordered extents We cal also fail at writepage_delalloc(), which will stop creating new ordered extents if it hit any error from btrfs_run_delalloc_range(). In that case, we will call btrfs_mark_ordered_io_finished() for ranges where there is no ordered extent at all. Both bugs are only affecting sector size < page size cases. [FIX] - Introduce a new member btrfs_bio_ctrl::last_submitted This will trace the last sector submitted through extent_writepage_io(). So for the above extent_writepage() case, we will know exactly which sectors are submitted and should not do the ordered extent accounting. - Clear the submit_bitmap for ranges where no ordered extent is created So if btrfs_run_delalloc_range() failed for a range, it will be not cleaned up. - Introduce a helper cleanup_ordered_extents() This will do a sector-by-sector cleanup with btrfs_bio_ctrl::last_submitted and btrfs_bio_ctrl::submit_bitmap into consideartion. Using @last_submitted is to avoid double accounting on the submitted ranges. Meanwhile using @submit_bitmap is to avoid touching ranges going through compression. cc: stable(a)vger.kernel.org # 5.15+ Signed-off-by: Qu Wenruo <wqu(a)suse.com> --- fs/btrfs/extent_io.c | 54 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 47 insertions(+), 7 deletions(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index e629d2ee152a..1c2246d36672 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -108,6 +108,14 @@ struct btrfs_bio_ctrl { * This is to avoid touching ranges covered by compression/inline. */ unsigned long submit_bitmap; + + /* + * The end (exclusive) of the last submitted range in the folio. + * + * This is for sector size < page size case where we may hit error + * half way. + */ + u64 last_submitted; }; static void submit_one_bio(struct btrfs_bio_ctrl *bio_ctrl) @@ -1254,11 +1262,18 @@ static noinline_for_stack int writepage_delalloc(struct btrfs_inode *inode, /* * We have some ranges that's going to be submitted asynchronously - * (compression or inline). These range have their own control + * (compression or inline, ret > 0). These range have their own control * on when to unlock the pages. We should not touch them - * anymore, so clear the range from the submission bitmap. + * anymore. + * + * We can also have some ranges where we didn't even call + * btrfs_run_delalloc_range() (as previous run failed, ret < 0). + * These error ranges should not be submitted nor cleaned up as + * there is no ordered extent allocated for them. + * + * For either cases, we should clear the submit_bitmap. */ - if (ret > 0) { + if (ret) { unsigned int start_bit = (found_start - page_start) >> fs_info->sectorsize_bits; unsigned int end_bit = (min(page_end + 1, found_start + found_len) - @@ -1435,6 +1450,7 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode, ret = submit_one_sector(inode, folio, cur, bio_ctrl, i_size); if (ret < 0) goto out; + bio_ctrl->last_submitted = cur + fs_info->sectorsize; submitted_io = true; } out: @@ -1453,6 +1469,24 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode, return ret; } +static void cleanup_ordered_extents(struct btrfs_inode *inode, + struct folio *folio, u64 file_pos, + u64 num_bytes, unsigned long *bitmap) +{ + struct btrfs_fs_info *fs_info = inode->root->fs_info; + unsigned int cur_bit = (file_pos - folio_pos(folio)) >> fs_info->sectorsize_bits; + + for_each_set_bit_from(cur_bit, bitmap, fs_info->sectors_per_page) { + u64 cur_pos = folio_pos(folio) + (cur_bit << fs_info->sectorsize_bits); + + if (cur_pos >= file_pos + num_bytes) + break; + + btrfs_mark_ordered_io_finished(inode, folio, cur_pos, + fs_info->sectorsize, false); + } +} + /* * the writepage semantics are similar to regular writepage. extent * records are inserted to lock ranges in the tree, and as dirty areas @@ -1492,6 +1526,7 @@ static int extent_writepage(struct folio *folio, struct btrfs_bio_ctrl *bio_ctrl * The proper bitmap can only be initialized until writepage_delalloc(). */ bio_ctrl->submit_bitmap = (unsigned long)-1; + bio_ctrl->last_submitted = page_start; ret = set_folio_extent_mapped(folio); if (ret < 0) goto done; @@ -1511,8 +1546,10 @@ static int extent_writepage(struct folio *folio, struct btrfs_bio_ctrl *bio_ctrl done: if (ret) { - btrfs_mark_ordered_io_finished(BTRFS_I(inode), folio, - page_start, PAGE_SIZE, !ret); + cleanup_ordered_extents(BTRFS_I(inode), folio, + bio_ctrl->last_submitted, + page_start + PAGE_SIZE - bio_ctrl->last_submitted, + &bio_ctrl->submit_bitmap); mapping_set_error(folio->mapping, ret); } @@ -2288,14 +2325,17 @@ void extent_write_locked_range(struct inode *inode, const struct folio *locked_f * extent_writepage_io() will do the truncation correctly. */ bio_ctrl.submit_bitmap = (unsigned long)-1; + bio_ctrl.last_submitted = cur; ret = extent_writepage_io(BTRFS_I(inode), folio, cur, cur_len, &bio_ctrl, i_size); if (ret == 1) goto next_page; if (ret) { - btrfs_mark_ordered_io_finished(BTRFS_I(inode), folio, - cur, cur_len, !ret); + cleanup_ordered_extents(BTRFS_I(inode), folio, + bio_ctrl.last_submitted, + cur_end + 1 - bio_ctrl.last_submitted, + &bio_ctrl.submit_bitmap); mapping_set_error(mapping, ret); } btrfs_folio_end_lock(fs_info, folio, cur, cur_len); -- 2.47.0

9 months, 3 weeks

1
0
0 0

[PATCH net v2] udp: Compute L4 checksum as usual when not segmenting the skb

by Jakub Sitnicki

If: 1) the user requested USO, but 2) there is not enough payload for GSO to kick in, and 3) the egress device doesn't offer checksum offload, then we want to compute the L4 checksum in software early on. In the case when we are not taking the GSO path, but it has been requested, the software checksum fallback in skb_segment doesn't get a chance to compute the full checksum, if the egress device can't do it. As a result we end up sending UDP datagrams with only a partial checksum filled in, which the peer will discard. Fixes: 10154dbded6d ("udp: Allow GSO transmit from devices with no checksum offload") Reported-by: Ivan Babrou <ivan(a)cloudflare.com> Signed-off-by: Jakub Sitnicki <jakub(a)cloudflare.com> Acked-by: Willem de Bruijn <willemdebruijn.kernel(a)gmail.com> Cc: stable(a)vger.kernel.org --- Changes in v2: - Fix typo in patch description - Link to v1: https://lore.kernel.org/r/20241010-uso-swcsum-fixup-v1-1-a63fbd0a414c@cloud… --- net/ipv4/udp.c | 4 +++- net/ipv6/udp.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 8accbf4cb295..2849b273b131 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -951,8 +951,10 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4, skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(datalen, cork->gso_size); + + /* Don't checksum the payload, skb will get segmented */ + goto csum_partial; } - goto csum_partial; } if (is_udplite) /* UDP-Lite */ diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 52dfbb2ff1a8..0cef8ae5d1ea 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -1266,8 +1266,10 @@ static int udp_v6_send_skb(struct sk_buff *skb, struct flowi6 *fl6, skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4; skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(datalen, cork->gso_size); + + /* Don't checksum the payload, skb will get segmented */ + goto csum_partial; } - goto csum_partial; } if (is_udplite)

9 months, 3 weeks

4
5
0 0

[PATCH AUTOSEL 6.6 01/15] xfrm: extract dst lookup parameters into a struct

by Sasha Levin

From: Eyal Birger <eyal.birger(a)gmail.com> [ Upstream commit e509996b16728e37d5a909a5c63c1bd64f23b306 ] Preparation for adding more fields to dst lookup functions without changing their signatures. Signed-off-by: Eyal Birger <eyal.birger(a)gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- include/net/xfrm.h | 26 +++++++++++++------------- net/ipv4/xfrm4_policy.c | 38 ++++++++++++++++---------------------- net/ipv6/xfrm6_policy.c | 28 +++++++++++++--------------- net/xfrm/xfrm_device.c | 11 ++++++++--- net/xfrm/xfrm_policy.c | 35 +++++++++++++++++++++++------------ 5 files changed, 73 insertions(+), 65 deletions(-) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index b280e7c460116..93207d87e1c7f 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -342,20 +342,23 @@ struct xfrm_if_cb { void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb); void xfrm_if_unregister_cb(void); +struct xfrm_dst_lookup_params { + struct net *net; + int tos; + int oif; + xfrm_address_t *saddr; + xfrm_address_t *daddr; + u32 mark; +}; + struct net_device; struct xfrm_type; struct xfrm_dst; struct xfrm_policy_afinfo { struct dst_ops *dst_ops; - struct dst_entry *(*dst_lookup)(struct net *net, - int tos, int oif, - const xfrm_address_t *saddr, - const xfrm_address_t *daddr, - u32 mark); - int (*get_saddr)(struct net *net, int oif, - xfrm_address_t *saddr, - xfrm_address_t *daddr, - u32 mark); + struct dst_entry *(*dst_lookup)(const struct xfrm_dst_lookup_params *params); + int (*get_saddr)(xfrm_address_t *saddr, + const struct xfrm_dst_lookup_params *params); int (*fill_dst)(struct xfrm_dst *xdst, struct net_device *dev, const struct flowi *fl); @@ -1728,10 +1731,7 @@ static inline int xfrm_user_policy(struct sock *sk, int optname, } #endif -struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif, - const xfrm_address_t *saddr, - const xfrm_address_t *daddr, - int family, u32 mark); +struct dst_entry *__xfrm_dst_lookup(int family, const struct xfrm_dst_lookup_params *params); struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp); diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index c33bca2c38415..01d4f6f4dbb8c 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -17,47 +17,41 @@ #include <net/ip.h> #include <net/l3mdev.h> -static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4, - int tos, int oif, - const xfrm_address_t *saddr, - const xfrm_address_t *daddr, - u32 mark) +static struct dst_entry *__xfrm4_dst_lookup(struct flowi4 *fl4, + const struct xfrm_dst_lookup_params *params) { struct rtable *rt; memset(fl4, 0, sizeof(*fl4)); - fl4->daddr = daddr->a4; - fl4->flowi4_tos = tos; - fl4->flowi4_l3mdev = l3mdev_master_ifindex_by_index(net, oif); - fl4->flowi4_mark = mark; - if (saddr) - fl4->saddr = saddr->a4; - - rt = __ip_route_output_key(net, fl4); + fl4->daddr = params->daddr->a4; + fl4->flowi4_tos = params->tos; + fl4->flowi4_l3mdev = l3mdev_master_ifindex_by_index(params->net, + params->oif); + fl4->flowi4_mark = params->mark; + if (params->saddr) + fl4->saddr = params->saddr->a4; + + rt = __ip_route_output_key(params->net, fl4); if (!IS_ERR(rt)) return &rt->dst; return ERR_CAST(rt); } -static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos, int oif, - const xfrm_address_t *saddr, - const xfrm_address_t *daddr, - u32 mark) +static struct dst_entry *xfrm4_dst_lookup(const struct xfrm_dst_lookup_params *params) { struct flowi4 fl4; - return __xfrm4_dst_lookup(net, &fl4, tos, oif, saddr, daddr, mark); + return __xfrm4_dst_lookup(&fl4, params); } -static int xfrm4_get_saddr(struct net *net, int oif, - xfrm_address_t *saddr, xfrm_address_t *daddr, - u32 mark) +static int xfrm4_get_saddr(xfrm_address_t *saddr, + const struct xfrm_dst_lookup_params *params) { struct dst_entry *dst; struct flowi4 fl4; - dst = __xfrm4_dst_lookup(net, &fl4, 0, oif, NULL, daddr, mark); + dst = __xfrm4_dst_lookup(&fl4, params); if (IS_ERR(dst)) return -EHOSTUNREACH; diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 444b0b4469a49..246a0cea77c26 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c @@ -23,23 +23,21 @@ #include <net/ip6_route.h> #include <net/l3mdev.h> -static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos, int oif, - const xfrm_address_t *saddr, - const xfrm_address_t *daddr, - u32 mark) +static struct dst_entry *xfrm6_dst_lookup(const struct xfrm_dst_lookup_params *params) { struct flowi6 fl6; struct dst_entry *dst; int err; memset(&fl6, 0, sizeof(fl6)); - fl6.flowi6_l3mdev = l3mdev_master_ifindex_by_index(net, oif); - fl6.flowi6_mark = mark; - memcpy(&fl6.daddr, daddr, sizeof(fl6.daddr)); - if (saddr) - memcpy(&fl6.saddr, saddr, sizeof(fl6.saddr)); + fl6.flowi6_l3mdev = l3mdev_master_ifindex_by_index(params->net, + params->oif); + fl6.flowi6_mark = params->mark; + memcpy(&fl6.daddr, params->daddr, sizeof(fl6.daddr)); + if (params->saddr) + memcpy(&fl6.saddr, params->saddr, sizeof(fl6.saddr)); - dst = ip6_route_output(net, NULL, &fl6); + dst = ip6_route_output(params->net, NULL, &fl6); err = dst->error; if (dst->error) { @@ -50,15 +48,14 @@ static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos, int oif, return dst; } -static int xfrm6_get_saddr(struct net *net, int oif, - xfrm_address_t *saddr, xfrm_address_t *daddr, - u32 mark) +static int xfrm6_get_saddr(xfrm_address_t *saddr, + const struct xfrm_dst_lookup_params *params) { struct dst_entry *dst; struct net_device *dev; struct inet6_dev *idev; - dst = xfrm6_dst_lookup(net, 0, oif, NULL, daddr, mark); + dst = xfrm6_dst_lookup(params); if (IS_ERR(dst)) return -EHOSTUNREACH; @@ -68,7 +65,8 @@ static int xfrm6_get_saddr(struct net *net, int oif, return -EHOSTUNREACH; } dev = idev->dev; - ipv6_dev_get_saddr(dev_net(dev), dev, &daddr->in6, 0, &saddr->in6); + ipv6_dev_get_saddr(dev_net(dev), dev, &params->daddr->in6, 0, + &saddr->in6); dst_release(dst); return 0; } diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 6346690d5c699..04dc0c8a83707 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c @@ -263,6 +263,8 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, dev = dev_get_by_index(net, xuo->ifindex); if (!dev) { + struct xfrm_dst_lookup_params params; + if (!(xuo->flags & XFRM_OFFLOAD_INBOUND)) { saddr = &x->props.saddr; daddr = &x->id.daddr; @@ -271,9 +273,12 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, daddr = &x->props.saddr; } - dst = __xfrm_dst_lookup(net, 0, 0, saddr, daddr, - x->props.family, - xfrm_smark_get(0, x)); + memset(&params, 0, sizeof(params)); + params.net = net; + params.saddr = saddr; + params.daddr = daddr; + params.mark = xfrm_smark_get(0, x); + dst = __xfrm_dst_lookup(x->props.family, &params); if (IS_ERR(dst)) return (is_packet_offload) ? -EINVAL : 0; diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index b699cc2ec35ac..1395d3de1ec70 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -251,10 +251,8 @@ static const struct xfrm_if_cb *xfrm_if_get_cb(void) return rcu_dereference(xfrm_if_cb); } -struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif, - const xfrm_address_t *saddr, - const xfrm_address_t *daddr, - int family, u32 mark) +struct dst_entry *__xfrm_dst_lookup(int family, + const struct xfrm_dst_lookup_params *params) { const struct xfrm_policy_afinfo *afinfo; struct dst_entry *dst; @@ -263,7 +261,7 @@ struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif, if (unlikely(afinfo == NULL)) return ERR_PTR(-EAFNOSUPPORT); - dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr, mark); + dst = afinfo->dst_lookup(params); rcu_read_unlock(); @@ -277,6 +275,7 @@ static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, xfrm_address_t *prev_daddr, int family, u32 mark) { + struct xfrm_dst_lookup_params params; struct net *net = xs_net(x); xfrm_address_t *saddr = &x->props.saddr; xfrm_address_t *daddr = &x->id.daddr; @@ -291,7 +290,14 @@ static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, daddr = x->coaddr; } - dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family, mark); + params.net = net; + params.saddr = saddr; + params.daddr = daddr; + params.tos = tos; + params.oif = oif; + params.mark = mark; + + dst = __xfrm_dst_lookup(family, &params); if (!IS_ERR(dst)) { if (prev_saddr != saddr) @@ -2424,15 +2430,15 @@ int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk) } static int -xfrm_get_saddr(struct net *net, int oif, xfrm_address_t *local, - xfrm_address_t *remote, unsigned short family, u32 mark) +xfrm_get_saddr(unsigned short family, xfrm_address_t *saddr, + const struct xfrm_dst_lookup_params *params) { int err; const struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); if (unlikely(afinfo == NULL)) return -EINVAL; - err = afinfo->get_saddr(net, oif, local, remote, mark); + err = afinfo->get_saddr(saddr, params); rcu_read_unlock(); return err; } @@ -2461,9 +2467,14 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl, remote = &tmpl->id.daddr; local = &tmpl->saddr; if (xfrm_addr_any(local, tmpl->encap_family)) { - error = xfrm_get_saddr(net, fl->flowi_oif, - &tmp, remote, - tmpl->encap_family, 0); + struct xfrm_dst_lookup_params params; + + memset(&params, 0, sizeof(params)); + params.net = net; + params.oif = fl->flowi_oif; + params.daddr = remote; + error = xfrm_get_saddr(tmpl->encap_family, &tmp, + &params); if (error) goto fail; local = &tmp; -- 2.43.0

9 months, 3 weeks

2
15
0 0

[PATCH AUTOSEL 5.10 01/33] drm/vc4: hvs: Set AXI panic modes for the HVS

by Sasha Levin

From: Dave Stevenson <dave.stevenson(a)raspberrypi.com> [ Upstream commit 014eccc9da7bfc76a3107fceea37dd60f1d63630 ] The HVS can change AXI request mode based on how full the COB FIFOs are. Until now the vc4 driver has been relying on the firmware to have set these to sensible values. With HVS channel 2 now being used for live video, change the panic mode for all channels to be explicitly set by the driver, and the same for all channels. Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-7-dave… Signed-off-by: Dave Stevenson <dave.stevenson(a)raspberrypi.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/vc4/vc4_hvs.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c index f8f2fc3d15f73..64a02e29b7cb1 100644 --- a/drivers/gpu/drm/vc4/vc4_hvs.c +++ b/drivers/gpu/drm/vc4/vc4_hvs.c @@ -688,6 +688,17 @@ static int vc4_hvs_bind(struct device *dev, struct device *master, void *data) dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC1); dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC2); + /* Set AXI panic mode. + * VC4 panics when < 2 lines in FIFO. + * VC5 panics when less than 1 line in the FIFO. + */ + dispctrl &= ~(SCALER_DISPCTRL_PANIC0_MASK | + SCALER_DISPCTRL_PANIC1_MASK | + SCALER_DISPCTRL_PANIC2_MASK); + dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC0); + dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC1); + dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC2); + HVS_WRITE(SCALER_DISPCTRL, dispctrl); ret = devm_request_irq(dev, platform_get_irq(pdev, 0), -- 2.43.0

9 months, 3 weeks

1
32
0 0

[PATCH AUTOSEL 5.15 01/36] drm/vc4: hvs: Set AXI panic modes for the HVS

by Sasha Levin

From: Dave Stevenson <dave.stevenson(a)raspberrypi.com> [ Upstream commit 014eccc9da7bfc76a3107fceea37dd60f1d63630 ] The HVS can change AXI request mode based on how full the COB FIFOs are. Until now the vc4 driver has been relying on the firmware to have set these to sensible values. With HVS channel 2 now being used for live video, change the panic mode for all channels to be explicitly set by the driver, and the same for all channels. Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-7-dave… Signed-off-by: Dave Stevenson <dave.stevenson(a)raspberrypi.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/vc4/vc4_hvs.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/gpu/drm/vc4/vc4_hvs.c b/drivers/gpu/drm/vc4/vc4_hvs.c index 3856ac289d380..69b2936a5f4ad 100644 --- a/drivers/gpu/drm/vc4/vc4_hvs.c +++ b/drivers/gpu/drm/vc4/vc4_hvs.c @@ -729,6 +729,17 @@ static int vc4_hvs_bind(struct device *dev, struct device *master, void *data) dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC1); dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC2); + /* Set AXI panic mode. + * VC4 panics when < 2 lines in FIFO. + * VC5 panics when less than 1 line in the FIFO. + */ + dispctrl &= ~(SCALER_DISPCTRL_PANIC0_MASK | + SCALER_DISPCTRL_PANIC1_MASK | + SCALER_DISPCTRL_PANIC2_MASK); + dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC0); + dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC1); + dispctrl |= VC4_SET_FIELD(2, SCALER_DISPCTRL_PANIC2); + HVS_WRITE(SCALER_DISPCTRL, dispctrl); ret = devm_request_irq(dev, platform_get_irq(pdev, 0), -- 2.43.0

9 months, 3 weeks

1
35
0 0

[PATCH AUTOSEL 6.6 01/61] drm/vc4: hdmi: Avoid log spam for audio start failure

by Sasha Levin

From: Dom Cobley <popcornmix(a)gmail.com> [ Upstream commit b4e5646178e86665f5caef2894578600f597098a ] We regularly get dmesg error reports of: [ 18.184066] hdmi-audio-codec hdmi-audio-codec.3.auto: ASoC: error at snd_soc_dai_startup on i2s-hifi: -19 [ 18.184098] MAI: soc_pcm_open() failed (-19) These are generated for any disconnected hdmi interface when pulseaudio attempts to open the associated ALSA device (numerous times). Each open generates a kernel error message, generating general log spam. The error messages all come from _soc_pcm_ret in sound/soc/soc-pcm.c#L39 which suggests returning ENOTSUPP, rather that ENODEV will be quiet. And indeed it is. Signed-off-by: Dom Cobley <popcornmix(a)gmail.com> Reviewed-by: Maxime Ripard <mripard(a)kernel.org> Link: https://patchwork.freedesktop.org/patch/msgid/20240621152055.4180873-5-dave… Signed-off-by: Dave Stevenson <dave.stevenson(a)raspberrypi.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/vc4/vc4_hdmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c index c6e986f71a26f..7cabfa1b883d2 100644 --- a/drivers/gpu/drm/vc4/vc4_hdmi.c +++ b/drivers/gpu/drm/vc4/vc4_hdmi.c @@ -2392,7 +2392,7 @@ static int vc4_hdmi_audio_startup(struct device *dev, void *data) } if (!vc4_hdmi_audio_can_stream(vc4_hdmi)) { - ret = -ENODEV; + ret = -ENOTSUPP; goto out_dev_exit; } -- 2.43.0

9 months, 3 weeks

1
60
0 0

[PATCH AUTOSEL 6.11 01/87] drm/xe/pciids: separate RPL-U and RPL-P PCI IDs

by Sasha Levin

From: Jani Nikula <jani.nikula(a)intel.com> [ Upstream commit d454902a690db47f1880f963514bbf0fc7a129a8 ] Avoid including PCI IDs for one platform to the PCI IDs of another. It's more clear to deal with them completely separately at the PCI ID macro level. Reviewed-by: Sai Teja Pottumuttu <sai.teja.pottumuttu(a)intel.com> Signed-off-by: Jani Nikula <jani.nikula(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/4868d36fbfa8c38ea2d490bca82cf… Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpu/drm/xe/xe_pci.c | 1 + include/drm/intel/xe_pciids.h | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/xe/xe_pci.c b/drivers/gpu/drm/xe/xe_pci.c index 5929ac61dbe0a..dde4a929f5873 100644 --- a/drivers/gpu/drm/xe/xe_pci.c +++ b/drivers/gpu/drm/xe/xe_pci.c @@ -383,6 +383,7 @@ static const struct pci_device_id pciidlist[] = { XE_ADLS_IDS(INTEL_VGA_DEVICE, &adl_s_desc), XE_ADLP_IDS(INTEL_VGA_DEVICE, &adl_p_desc), XE_ADLN_IDS(INTEL_VGA_DEVICE, &adl_n_desc), + XE_RPLU_IDS(INTEL_VGA_DEVICE, &adl_p_desc), XE_RPLP_IDS(INTEL_VGA_DEVICE, &adl_p_desc), XE_RPLS_IDS(INTEL_VGA_DEVICE, &adl_s_desc), XE_DG1_IDS(INTEL_VGA_DEVICE, &dg1_desc), diff --git a/include/drm/intel/xe_pciids.h b/include/drm/intel/xe_pciids.h index 644872a35c352..7ee7524141f10 100644 --- a/include/drm/intel/xe_pciids.h +++ b/include/drm/intel/xe_pciids.h @@ -120,7 +120,6 @@ /* RPL-P */ #define XE_RPLP_IDS(MACRO__, ...) \ - XE_RPLU_IDS(MACRO__, ## __VA_ARGS__), \ MACRO__(0xA720, ## __VA_ARGS__), \ MACRO__(0xA7A0, ## __VA_ARGS__), \ MACRO__(0xA7A8, ## __VA_ARGS__), \ -- 2.43.0

9 months, 3 weeks

1
86
0 0

[PATCH AUTOSEL 5.4 1/5] media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera

by Sasha Levin

From: David Given <dg(a)cowlark.com> [ Upstream commit b2ec92bb5605452d539a7aa1e42345b95acd8583 ] Adds a quirk to make the NXP Semiconductors 1fc9:009b chipset work. lsusb for the device reports: Bus 003 Device 011: ID 1fc9:009b NXP Semiconductors IR VIDEO Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 239 Miscellaneous Device bDeviceSubClass 2 [unknown] bDeviceProtocol 1 Interface Association bMaxPacketSize0 64 idVendor 0x1fc9 NXP Semiconductors idProduct 0x009b IR VIDEO bcdDevice 1.01 iManufacturer 1 Guide sensmart iProduct 2 IR VIDEO iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x00c2 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xc0 Self Powered MaxPower 100mA Interface Association: bLength 8 bDescriptorType 11 bFirstInterface 0 bInterfaceCount 2 bFunctionClass 14 Video bFunctionSubClass 3 Video Interface Collection bFunctionProtocol 0 iFunction 3 IR Camera Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 14 Video bInterfaceSubClass 1 Video Control bInterfaceProtocol 0 iInterface 0 VideoControl Interface Descriptor: bLength 13 bDescriptorType 36 bDescriptorSubtype 1 (HEADER) bcdUVC 1.00 wTotalLength 0x0033 dwClockFrequency 6.000000MHz bInCollection 1 baInterfaceNr( 0) 1 VideoControl Interface Descriptor: bLength 18 bDescriptorType 36 bDescriptorSubtype 2 (INPUT_TERMINAL) bTerminalID 1 wTerminalType 0x0201 Camera Sensor bAssocTerminal 0 iTerminal 0 wObjectiveFocalLengthMin 0 wObjectiveFocalLengthMax 0 wOcularFocalLength 0 bControlSize 3 bmControls 0x00000000 VideoControl Interface Descriptor: bLength 9 bDescriptorType 36 bDescriptorSubtype 3 (OUTPUT_TERMINAL) bTerminalID 2 wTerminalType 0x0101 USB Streaming bAssocTerminal 0 bSourceID 1 iTerminal 0 VideoControl Interface Descriptor: bLength 11 bDescriptorType 36 bDescriptorSubtype 5 (PROCESSING_UNIT) Warning: Descriptor too short bUnitID 3 bSourceID 1 wMaxMultiplier 0 bControlSize 2 bmControls 0x00000000 iProcessing 0 bmVideoStandards 0x62 NTSC - 525/60 PAL - 525/60 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0008 1x 8 bytes bInterval 1 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 0 bInterfaceClass 14 Video bInterfaceSubClass 2 Video Streaming bInterfaceProtocol 0 iInterface 0 VideoStreaming Interface Descriptor: bLength 14 bDescriptorType 36 bDescriptorSubtype 1 (INPUT_HEADER) bNumFormats 1 wTotalLength 0x0055 bEndpointAddress 0x82 EP 2 IN bmInfo 0 bTerminalLink 2 bStillCaptureMethod 2 bTriggerSupport 0 bTriggerUsage 0 bControlSize 1 bmaControls( 0) 0 VideoStreaming Interface Descriptor: bLength 27 bDescriptorType 36 bDescriptorSubtype 4 (FORMAT_UNCOMPRESSED) bFormatIndex 1 bNumFrameDescriptors 1 guidFormat {e436eb7b-524f-11ce-9f53-0020af0ba770} bBitsPerPixel 16 bDefaultFrameIndex 1 bAspectRatioX 0 bAspectRatioY 0 bmInterlaceFlags 0x00 Interlaced stream or variable: No Fields per frame: 2 fields Field 1 first: No Field pattern: Field 1 only bCopyProtect 0 VideoStreaming Interface Descriptor: bLength 34 bDescriptorType 36 bDescriptorSubtype 5 (FRAME_UNCOMPRESSED) bFrameIndex 1 bmCapabilities 0x00 Still image unsupported wWidth 240 wHeight 322 dwMinBitRate 12364800 dwMaxBitRate 30912000 dwMaxVideoFrameBufferSize 154560 dwDefaultFrameInterval 400000 bFrameIntervalType 2 dwFrameInterval( 0) 400000 dwFrameInterval( 1) 1000000 VideoStreaming Interface Descriptor: bLength 10 bDescriptorType 36 bDescriptorSubtype 3 (STILL_IMAGE_FRAME) bEndpointAddress 0x00 EP 0 OUT bNumImageSizePatterns 1 wWidth( 0) 240 wHeight( 0) 322 bNumCompressionPatterns 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 1 bNumEndpoints 1 bInterfaceClass 14 Video bInterfaceSubClass 2 Video Streaming bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 5 Transfer Type Isochronous Synch Type Asynchronous Usage Type Data wMaxPacketSize 0x0400 1x 1024 bytes bInterval 1 Device Status: 0x0001 Self Powered Signed-off-by: David Given <dg(a)cowlark.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Reviewed-by: Ricardo Ribalda <ribalda(a)chromium.org> Link: https://lore.kernel.org/r/20240918180540.10830-2-dg@cowlark.com Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/usb/uvc/uvc_driver.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 2f913ea44b281..2c2ceb50500ce 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -2425,6 +2425,8 @@ static const struct uvc_device_info uvc_quirk_force_y8 = { * The Logitech cameras listed below have their interface class set to * VENDOR_SPEC because they don't announce themselves as UVC devices, even * though they are compliant. + * + * Sort these by vendor/product ID. */ static const struct usb_device_id uvc_ids[] = { /* LogiLink Wireless Webcam */ @@ -2893,6 +2895,15 @@ static const struct usb_device_id uvc_ids[] = { .bInterfaceProtocol = 0, .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_PROBE_MINMAX | UVC_QUIRK_IGNORE_SELECTOR_UNIT) }, + /* NXP Semiconductors IR VIDEO */ + { .match_flags = USB_DEVICE_ID_MATCH_DEVICE + | USB_DEVICE_ID_MATCH_INT_INFO, + .idVendor = 0x1fc9, + .idProduct = 0x009b, + .bInterfaceClass = USB_CLASS_VIDEO, + .bInterfaceSubClass = 1, + .bInterfaceProtocol = 0, + .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax }, /* Oculus VR Positional Tracker DK2 */ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE | USB_DEVICE_ID_MATCH_INT_INFO, -- 2.43.0

9 months, 3 weeks

1
4
0 0

[PATCH AUTOSEL 5.15 1/7] media: v4l: Add luma 16-bit interlaced pixel format

by Sasha Levin

From: Dmitry Perchanov <dmitry.perchanov(a)intel.com> [ Upstream commit a8f2cdd27d114ed6c3354a0e39502e6d56215804 ] The formats added by this patch are: V4L2_PIX_FMT_Y16I Interlaced lumina format primary use in RealSense Depth cameras with stereo stream for left and right image sensors. Signed-off-by: Dmitry Perchanov <dmitry.perchanov(a)intel.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Link: https://lore.kernel.org/r/568efbd75290e286b8ad9e7347b5f43745121020.camel@in… Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../userspace-api/media/v4l/pixfmt-y16i.rst | 73 +++++++++++++++++++ .../userspace-api/media/v4l/yuv-formats.rst | 1 + drivers/media/v4l2-core/v4l2-ioctl.c | 1 + include/uapi/linux/videodev2.h | 1 + 4 files changed, 76 insertions(+) create mode 100644 Documentation/userspace-api/media/v4l/pixfmt-y16i.rst diff --git a/Documentation/userspace-api/media/v4l/pixfmt-y16i.rst b/Documentation/userspace-api/media/v4l/pixfmt-y16i.rst new file mode 100644 index 0000000000000..74ba9e910a38f --- /dev/null +++ b/Documentation/userspace-api/media/v4l/pixfmt-y16i.rst @@ -0,0 +1,73 @@ +.. SPDX-License-Identifier: GFDL-1.1-no-invariants-or-later + +.. _V4L2-PIX-FMT-Y16I: + +************************** +V4L2_PIX_FMT_Y16I ('Y16I') +************************** + +Interleaved grey-scale image, e.g. from a stereo-pair + + +Description +=========== + +This is a grey-scale image with a depth of 16 bits per pixel, but with pixels +from 2 sources interleaved and unpacked. Each pixel is stored in a 16-bit word +in the little-endian order. The first pixel is from the left source. + +**Pixel unpacked representation.** +Left/Right pixels 16-bit unpacked - 16-bit for each interleaved pixel. + +.. flat-table:: + :header-rows: 0 + :stub-columns: 0 + + * - Y'\ :sub:`0L[7:0]` + - Y'\ :sub:`0L[15:8]` + - Y'\ :sub:`0R[7:0]` + - Y'\ :sub:`0R[15:8]` + +**Byte Order.** +Each cell is one byte. + +.. flat-table:: + :header-rows: 0 + :stub-columns: 0 + + * - start + 0: + - Y'\ :sub:`00Llow` + - Y'\ :sub:`00Lhigh` + - Y'\ :sub:`00Rlow` + - Y'\ :sub:`00Rhigh` + - Y'\ :sub:`01Llow` + - Y'\ :sub:`01Lhigh` + - Y'\ :sub:`01Rlow` + - Y'\ :sub:`01Rhigh` + * - start + 8: + - Y'\ :sub:`10Llow` + - Y'\ :sub:`10Lhigh` + - Y'\ :sub:`10Rlow` + - Y'\ :sub:`10Rhigh` + - Y'\ :sub:`11Llow` + - Y'\ :sub:`11Lhigh` + - Y'\ :sub:`11Rlow` + - Y'\ :sub:`11Rhigh` + * - start + 16: + - Y'\ :sub:`20Llow` + - Y'\ :sub:`20Lhigh` + - Y'\ :sub:`20Rlow` + - Y'\ :sub:`20Rhigh` + - Y'\ :sub:`21Llow` + - Y'\ :sub:`21Lhigh` + - Y'\ :sub:`21Rlow` + - Y'\ :sub:`21Rhigh` + * - start + 24: + - Y'\ :sub:`30Llow` + - Y'\ :sub:`30Lhigh` + - Y'\ :sub:`30Rlow` + - Y'\ :sub:`30Rhigh` + - Y'\ :sub:`31Llow` + - Y'\ :sub:`31Lhigh` + - Y'\ :sub:`31Rlow` + - Y'\ :sub:`31Rhigh` diff --git a/Documentation/userspace-api/media/v4l/yuv-formats.rst b/Documentation/userspace-api/media/v4l/yuv-formats.rst index 24b34cdfa6fea..78ee406d76479 100644 --- a/Documentation/userspace-api/media/v4l/yuv-formats.rst +++ b/Documentation/userspace-api/media/v4l/yuv-formats.rst @@ -269,5 +269,6 @@ image. pixfmt-yuv-luma pixfmt-y8i pixfmt-y12i + pixfmt-y16i pixfmt-uv8 pixfmt-m420 diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index 7c596a85f34f5..c0937dfb00fd9 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -1267,6 +1267,7 @@ static void v4l_fill_fmtdesc(struct v4l2_fmtdesc *fmt) case V4L2_PIX_FMT_Y10P: descr = "10-bit Greyscale (MIPI Packed)"; break; case V4L2_PIX_FMT_Y8I: descr = "Interleaved 8-bit Greyscale"; break; case V4L2_PIX_FMT_Y12I: descr = "Interleaved 12-bit Greyscale"; break; + case V4L2_PIX_FMT_Y16I: descr = "Interleaved 16-bit Greyscale"; break; case V4L2_PIX_FMT_Z16: descr = "16-bit Depth"; break; case V4L2_PIX_FMT_INZI: descr = "Planar 10:16 Greyscale Depth"; break; case V4L2_PIX_FMT_CNF4: descr = "4-bit Depth Confidence (Packed)"; break; diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h index f5c6758464f25..b3dc7a67697da 100644 --- a/include/uapi/linux/videodev2.h +++ b/include/uapi/linux/videodev2.h @@ -731,6 +731,7 @@ struct v4l2_pix_format { #define V4L2_PIX_FMT_S5C_UYVY_JPG v4l2_fourcc('S', '5', 'C', 'I') /* S5C73M3 interleaved UYVY/JPEG */ #define V4L2_PIX_FMT_Y8I v4l2_fourcc('Y', '8', 'I', ' ') /* Greyscale 8-bit L/R interleaved */ #define V4L2_PIX_FMT_Y12I v4l2_fourcc('Y', '1', '2', 'I') /* Greyscale 12-bit L/R interleaved */ +#define V4L2_PIX_FMT_Y16I v4l2_fourcc('Y', '1', '6', 'I') /* Greyscale 16-bit L/R interleaved */ #define V4L2_PIX_FMT_Z16 v4l2_fourcc('Z', '1', '6', ' ') /* Depth data 16-bit */ #define V4L2_PIX_FMT_MT21C v4l2_fourcc('M', 'T', '2', '1') /* Mediatek compressed block mode */ #define V4L2_PIX_FMT_INZI v4l2_fourcc('I', 'N', 'Z', 'I') /* Intel Planar Greyscale 10-bit and Depth 16-bit */ -- 2.43.0

9 months, 3 weeks

1
6
0 0

[PATCH AUTOSEL 6.1 1/9] media: v4l: Add luma 16-bit interlaced pixel format

by Sasha Levin

From: Dmitry Perchanov <dmitry.perchanov(a)intel.com> [ Upstream commit a8f2cdd27d114ed6c3354a0e39502e6d56215804 ] The formats added by this patch are: V4L2_PIX_FMT_Y16I Interlaced lumina format primary use in RealSense Depth cameras with stereo stream for left and right image sensors. Signed-off-by: Dmitry Perchanov <dmitry.perchanov(a)intel.com> Reviewed-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Link: https://lore.kernel.org/r/568efbd75290e286b8ad9e7347b5f43745121020.camel@in… Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- .../userspace-api/media/v4l/pixfmt-y16i.rst | 73 +++++++++++++++++++ .../userspace-api/media/v4l/yuv-formats.rst | 1 + drivers/media/v4l2-core/v4l2-ioctl.c | 1 + include/uapi/linux/videodev2.h | 1 + 4 files changed, 76 insertions(+) create mode 100644 Documentation/userspace-api/media/v4l/pixfmt-y16i.rst diff --git a/Documentation/userspace-api/media/v4l/pixfmt-y16i.rst b/Documentation/userspace-api/media/v4l/pixfmt-y16i.rst new file mode 100644 index 0000000000000..74ba9e910a38f --- /dev/null +++ b/Documentation/userspace-api/media/v4l/pixfmt-y16i.rst @@ -0,0 +1,73 @@ +.. SPDX-License-Identifier: GFDL-1.1-no-invariants-or-later + +.. _V4L2-PIX-FMT-Y16I: + +************************** +V4L2_PIX_FMT_Y16I ('Y16I') +************************** + +Interleaved grey-scale image, e.g. from a stereo-pair + + +Description +=========== + +This is a grey-scale image with a depth of 16 bits per pixel, but with pixels +from 2 sources interleaved and unpacked. Each pixel is stored in a 16-bit word +in the little-endian order. The first pixel is from the left source. + +**Pixel unpacked representation.** +Left/Right pixels 16-bit unpacked - 16-bit for each interleaved pixel. + +.. flat-table:: + :header-rows: 0 + :stub-columns: 0 + + * - Y'\ :sub:`0L[7:0]` + - Y'\ :sub:`0L[15:8]` + - Y'\ :sub:`0R[7:0]` + - Y'\ :sub:`0R[15:8]` + +**Byte Order.** +Each cell is one byte. + +.. flat-table:: + :header-rows: 0 + :stub-columns: 0 + + * - start + 0: + - Y'\ :sub:`00Llow` + - Y'\ :sub:`00Lhigh` + - Y'\ :sub:`00Rlow` + - Y'\ :sub:`00Rhigh` + - Y'\ :sub:`01Llow` + - Y'\ :sub:`01Lhigh` + - Y'\ :sub:`01Rlow` + - Y'\ :sub:`01Rhigh` + * - start + 8: + - Y'\ :sub:`10Llow` + - Y'\ :sub:`10Lhigh` + - Y'\ :sub:`10Rlow` + - Y'\ :sub:`10Rhigh` + - Y'\ :sub:`11Llow` + - Y'\ :sub:`11Lhigh` + - Y'\ :sub:`11Rlow` + - Y'\ :sub:`11Rhigh` + * - start + 16: + - Y'\ :sub:`20Llow` + - Y'\ :sub:`20Lhigh` + - Y'\ :sub:`20Rlow` + - Y'\ :sub:`20Rhigh` + - Y'\ :sub:`21Llow` + - Y'\ :sub:`21Lhigh` + - Y'\ :sub:`21Rlow` + - Y'\ :sub:`21Rhigh` + * - start + 24: + - Y'\ :sub:`30Llow` + - Y'\ :sub:`30Lhigh` + - Y'\ :sub:`30Rlow` + - Y'\ :sub:`30Rhigh` + - Y'\ :sub:`31Llow` + - Y'\ :sub:`31Lhigh` + - Y'\ :sub:`31Rlow` + - Y'\ :sub:`31Rhigh` diff --git a/Documentation/userspace-api/media/v4l/yuv-formats.rst b/Documentation/userspace-api/media/v4l/yuv-formats.rst index 24b34cdfa6fea..78ee406d76479 100644 --- a/Documentation/userspace-api/media/v4l/yuv-formats.rst +++ b/Documentation/userspace-api/media/v4l/yuv-formats.rst @@ -269,5 +269,6 @@ image. pixfmt-yuv-luma pixfmt-y8i pixfmt-y12i + pixfmt-y16i pixfmt-uv8 pixfmt-m420 diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index 6876ec25bc512..05c9820598478 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -1317,6 +1317,7 @@ static void v4l_fill_fmtdesc(struct v4l2_fmtdesc *fmt) case V4L2_PIX_FMT_IPU3_Y10: descr = "10-bit greyscale (IPU3 Packed)"; break; case V4L2_PIX_FMT_Y8I: descr = "Interleaved 8-bit Greyscale"; break; case V4L2_PIX_FMT_Y12I: descr = "Interleaved 12-bit Greyscale"; break; + case V4L2_PIX_FMT_Y16I: descr = "Interleaved 16-bit Greyscale"; break; case V4L2_PIX_FMT_Z16: descr = "16-bit Depth"; break; case V4L2_PIX_FMT_INZI: descr = "Planar 10:16 Greyscale Depth"; break; case V4L2_PIX_FMT_CNF4: descr = "4-bit Depth Confidence (Packed)"; break; diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h index 45fa03882ef18..08046beeeb049 100644 --- a/include/uapi/linux/videodev2.h +++ b/include/uapi/linux/videodev2.h @@ -767,6 +767,7 @@ struct v4l2_pix_format { #define V4L2_PIX_FMT_S5C_UYVY_JPG v4l2_fourcc('S', '5', 'C', 'I') /* S5C73M3 interleaved UYVY/JPEG */ #define V4L2_PIX_FMT_Y8I v4l2_fourcc('Y', '8', 'I', ' ') /* Greyscale 8-bit L/R interleaved */ #define V4L2_PIX_FMT_Y12I v4l2_fourcc('Y', '1', '2', 'I') /* Greyscale 12-bit L/R interleaved */ +#define V4L2_PIX_FMT_Y16I v4l2_fourcc('Y', '1', '6', 'I') /* Greyscale 16-bit L/R interleaved */ #define V4L2_PIX_FMT_Z16 v4l2_fourcc('Z', '1', '6', ' ') /* Depth data 16-bit */ #define V4L2_PIX_FMT_MT21C v4l2_fourcc('M', 'T', '2', '1') /* Mediatek compressed block mode */ #define V4L2_PIX_FMT_MM21 v4l2_fourcc('M', 'M', '2', '1') /* Mediatek 8-bit block mode, two non-contiguous planes */ -- 2.43.0

9 months, 3 weeks

1
8
0 0

[PATCH AUTOSEL 6.6 01/16] spi: spi-fsl-lpspi: Adjust type of scldiv

by Sasha Levin

From: Stefan Wahren <wahrenst(a)gmx.net> [ Upstream commit fa8ecda9876ac1e7b29257aa82af1fd0695496e2 ] The target value of scldiv is just a byte, but its calculation in fsl_lpspi_set_bitrate could be negative. So use an adequate type to store the result and avoid overflows. After that this needs range check adjustments, but this should make the code less opaque. Signed-off-by: Stefan Wahren <wahrenst(a)gmx.net> Reviewed-by: Frank Li <Frank.Li(a)nxp.com> Link: https://patch.msgid.link/20240930093056.93418-2-wahrenst@gmx.net Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/spi/spi-fsl-lpspi.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index 13313f07839b6..84881983d5d9f 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -315,9 +315,10 @@ static void fsl_lpspi_set_watermark(struct fsl_lpspi_data *fsl_lpspi) static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) { struct lpspi_config config = fsl_lpspi->config; - unsigned int perclk_rate, scldiv, div; + unsigned int perclk_rate, div; u8 prescale_max; u8 prescale; + int scldiv; perclk_rate = clk_get_rate(fsl_lpspi->clk_per); prescale_max = fsl_lpspi->devtype_data->prescale_max; @@ -338,13 +339,13 @@ static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) for (prescale = 0; prescale <= prescale_max; prescale++) { scldiv = div / (1 << prescale) - 2; - if (scldiv < 256) { + if (scldiv >= 0 && scldiv < 256) { fsl_lpspi->config.prescale = prescale; break; } } - if (scldiv >= 256) + if (scldiv < 0 || scldiv >= 256) return -EINVAL; writel(scldiv | (scldiv << 8) | ((scldiv >> 1) << 16), -- 2.43.0

9 months, 3 weeks

1
15
0 0

[PATCH AUTOSEL 6.11 01/20] gpio: free irqs that are still requested when the chip is being removed

by Sasha Levin

From: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> [ Upstream commit ec8b6f55b98146c41dcf15e8189eb43291e35e89 ] If we remove a GPIO chip that is also an interrupt controller with users not having freed some interrupts, we'll end up leaking resources as indicated by the following warning: remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'gpio' As there's no way of notifying interrupt users about the irqchip going away and the interrupt subsystem is not plugged into the driver model and so not all cases can be handled by devlinks, we need to make sure to free all interrupts before the complete the removal of the provider. Reviewed-by: Herve Codina <herve.codina(a)bootlin.com> Tested-by: Herve Codina <herve.codina(a)bootlin.com> Link: https://lore.kernel.org/r/20240919135104.3583-1-brgl@bgdev.pl Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/gpio/gpiolib.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index 337971080dfde..206757d155ef9 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -14,6 +14,7 @@ #include <linux/idr.h> #include <linux/interrupt.h> #include <linux/irq.h> +#include <linux/irqdesc.h> #include <linux/kernel.h> #include <linux/list.h> #include <linux/lockdep.h> @@ -710,6 +711,45 @@ bool gpiochip_line_is_valid(const struct gpio_chip *gc, } EXPORT_SYMBOL_GPL(gpiochip_line_is_valid); +static void gpiod_free_irqs(struct gpio_desc *desc) +{ + int irq = gpiod_to_irq(desc); + struct irq_desc *irqd = irq_to_desc(irq); + void *cookie; + + for (;;) { + /* + * Make sure the action doesn't go away while we're + * dereferencing it. Retrieve and store the cookie value. + * If the irq is freed after we release the lock, that's + * alright - the underlying maple tree lookup will return NULL + * and nothing will happen in free_irq(). + */ + scoped_guard(mutex, &irqd->request_mutex) { + if (!irq_desc_has_action(irqd)) + return; + + cookie = irqd->action->dev_id; + } + + free_irq(irq, cookie); + } +} + +/* + * The chip is going away but there may be users who had requested interrupts + * on its GPIO lines who have no idea about its removal and have no way of + * being notified about it. We need to free any interrupts still in use here or + * we'll leak memory and resources (like procfs files). + */ +static void gpiochip_free_remaining_irqs(struct gpio_chip *gc) +{ + struct gpio_desc *desc; + + for_each_gpio_desc_with_flag(gc, desc, FLAG_USED_AS_IRQ) + gpiod_free_irqs(desc); +} + static void gpiodev_release(struct device *dev) { struct gpio_device *gdev = to_gpio_device(dev); @@ -1122,6 +1162,7 @@ void gpiochip_remove(struct gpio_chip *gc) /* FIXME: should the legacy sysfs handling be moved to gpio_device? */ gpiochip_sysfs_unregister(gdev); gpiochip_free_hogs(gc); + gpiochip_free_remaining_irqs(gc); scoped_guard(mutex, &gpio_devices_lock) list_del_rcu(&gdev->list); -- 2.43.0

9 months, 3 weeks

1
19
0 0

[PATCH AUTOSEL 4.19] uprobes: sanitiize xol_free_insn_slot()

by Sasha Levin

From: Oleg Nesterov <oleg(a)redhat.com> [ Upstream commit c7b4133c48445dde789ed30b19ccb0448c7593f7 ] 1. Clear utask->xol_vaddr unconditionally, even if this addr is not valid, xol_free_insn_slot() should never return with utask->xol_vaddr != NULL. 2. Add a comment to explain why do we need to validate slot_addr. 3. Simplify the validation above. We can simply check offset < PAGE_SIZE, unsigned underflows are fine, it should work if slot_addr < area->vaddr. 4. Kill the unnecessary "slot_nr >= UINSNS_PER_PAGE" check, slot_nr must be valid if offset < PAGE_SIZE. The next patches will cleanup this function even more. Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20240929144235.GA9471@redhat.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/events/uprobes.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 3ca91daddc9f5..e4156acc004d3 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1332,8 +1332,8 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe) static void xol_free_insn_slot(struct task_struct *tsk) { struct xol_area *area; - unsigned long vma_end; unsigned long slot_addr; + unsigned long offset; if (!tsk->mm || !tsk->mm->uprobes_state.xol_area || !tsk->utask) return; @@ -1342,24 +1342,21 @@ static void xol_free_insn_slot(struct task_struct *tsk) if (unlikely(!slot_addr)) return; + tsk->utask->xol_vaddr = 0; area = tsk->mm->uprobes_state.xol_area; - vma_end = area->vaddr + PAGE_SIZE; - if (area->vaddr <= slot_addr && slot_addr < vma_end) { - unsigned long offset; - int slot_nr; - - offset = slot_addr - area->vaddr; - slot_nr = offset / UPROBE_XOL_SLOT_BYTES; - if (slot_nr >= UINSNS_PER_PAGE) - return; + offset = slot_addr - area->vaddr; + /* + * slot_addr must fit into [area->vaddr, area->vaddr + PAGE_SIZE). + * This check can only fail if the "[uprobes]" vma was mremap'ed. + */ + if (offset < PAGE_SIZE) { + int slot_nr = offset / UPROBE_XOL_SLOT_BYTES; clear_bit(slot_nr, area->bitmap); atomic_dec(&area->slot_count); smp_mb__after_atomic(); /* pairs with prepare_to_wait() */ if (waitqueue_active(&area->wq)) wake_up(&area->wq); - - tsk->utask->xol_vaddr = 0; } } -- 2.43.0

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.4 1/2] uprobes: sanitiize xol_free_insn_slot()

by Sasha Levin

From: Oleg Nesterov <oleg(a)redhat.com> [ Upstream commit c7b4133c48445dde789ed30b19ccb0448c7593f7 ] 1. Clear utask->xol_vaddr unconditionally, even if this addr is not valid, xol_free_insn_slot() should never return with utask->xol_vaddr != NULL. 2. Add a comment to explain why do we need to validate slot_addr. 3. Simplify the validation above. We can simply check offset < PAGE_SIZE, unsigned underflows are fine, it should work if slot_addr < area->vaddr. 4. Kill the unnecessary "slot_nr >= UINSNS_PER_PAGE" check, slot_nr must be valid if offset < PAGE_SIZE. The next patches will cleanup this function even more. Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20240929144235.GA9471@redhat.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/events/uprobes.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 6285674412f25..d338eeb30145b 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1640,8 +1640,8 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe) static void xol_free_insn_slot(struct task_struct *tsk) { struct xol_area *area; - unsigned long vma_end; unsigned long slot_addr; + unsigned long offset; if (!tsk->mm || !tsk->mm->uprobes_state.xol_area || !tsk->utask) return; @@ -1650,24 +1650,21 @@ static void xol_free_insn_slot(struct task_struct *tsk) if (unlikely(!slot_addr)) return; + tsk->utask->xol_vaddr = 0; area = tsk->mm->uprobes_state.xol_area; - vma_end = area->vaddr + PAGE_SIZE; - if (area->vaddr <= slot_addr && slot_addr < vma_end) { - unsigned long offset; - int slot_nr; - - offset = slot_addr - area->vaddr; - slot_nr = offset / UPROBE_XOL_SLOT_BYTES; - if (slot_nr >= UINSNS_PER_PAGE) - return; + offset = slot_addr - area->vaddr; + /* + * slot_addr must fit into [area->vaddr, area->vaddr + PAGE_SIZE). + * This check can only fail if the "[uprobes]" vma was mremap'ed. + */ + if (offset < PAGE_SIZE) { + int slot_nr = offset / UPROBE_XOL_SLOT_BYTES; clear_bit(slot_nr, area->bitmap); atomic_dec(&area->slot_count); smp_mb__after_atomic(); /* pairs with prepare_to_wait() */ if (waitqueue_active(&area->wq)) wake_up(&area->wq); - - tsk->utask->xol_vaddr = 0; } } -- 2.43.0

9 months, 3 weeks

1
1
0 0

[PATCH] iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on

by Jean-Baptiste Maneyrol via B4 Relay

From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> Currently suspending while sensors are one will result in timestamping continuing without gap at resume. It can work with monotonic clock but not with other clocks. Fix that by resetting timestamping. Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping") Cc: stable(a)vger.kernel.org Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> --- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 93b5d7a3339ccff16b21bf6c40ed7b2311317cf4..03139e2e4eddbf37e154de2eb486549bc3bdb284 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -814,6 +814,8 @@ static int inv_icm42600_suspend(struct device *dev) static int inv_icm42600_resume(struct device *dev) { struct inv_icm42600_state *st = dev_get_drvdata(dev); + struct inv_icm42600_sensor_state *gyro_st = iio_priv(st->indio_gyro); + struct inv_icm42600_sensor_state *accel_st = iio_priv(st->indio_accel); int ret; mutex_lock(&st->lock); @@ -834,9 +836,12 @@ static int inv_icm42600_resume(struct device *dev) goto out_unlock; /* restore FIFO data streaming */ - if (st->fifo.on) + if (st->fifo.on) { + inv_sensors_timestamp_reset(&gyro_st->ts); + inv_sensors_timestamp_reset(&accel_st->ts); ret = regmap_write(st->map, INV_ICM42600_REG_FIFO_CONFIG, INV_ICM42600_FIFO_CONFIG_STREAM); + } out_unlock: mutex_unlock(&st->lock); --- base-commit: 9dd2270ca0b38ee16094817f4a53e7ba78e31567 change-id: 20241113-inv_icm42600-fix-timestamps-after-suspend-b7e421eaa40c Best regards, -- Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com>

9 months, 3 weeks

2
1
0 0

[PATCH AUTOSEL 5.15 1/2] uprobes: sanitiize xol_free_insn_slot()

by Sasha Levin

From: Oleg Nesterov <oleg(a)redhat.com> [ Upstream commit c7b4133c48445dde789ed30b19ccb0448c7593f7 ] 1. Clear utask->xol_vaddr unconditionally, even if this addr is not valid, xol_free_insn_slot() should never return with utask->xol_vaddr != NULL. 2. Add a comment to explain why do we need to validate slot_addr. 3. Simplify the validation above. We can simply check offset < PAGE_SIZE, unsigned underflows are fine, it should work if slot_addr < area->vaddr. 4. Kill the unnecessary "slot_nr >= UINSNS_PER_PAGE" check, slot_nr must be valid if offset < PAGE_SIZE. The next patches will cleanup this function even more. Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20240929144235.GA9471@redhat.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/events/uprobes.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index b37a6bde8a915..a0f846b2ac1ea 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1633,8 +1633,8 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe) static void xol_free_insn_slot(struct task_struct *tsk) { struct xol_area *area; - unsigned long vma_end; unsigned long slot_addr; + unsigned long offset; if (!tsk->mm || !tsk->mm->uprobes_state.xol_area || !tsk->utask) return; @@ -1643,24 +1643,21 @@ static void xol_free_insn_slot(struct task_struct *tsk) if (unlikely(!slot_addr)) return; + tsk->utask->xol_vaddr = 0; area = tsk->mm->uprobes_state.xol_area; - vma_end = area->vaddr + PAGE_SIZE; - if (area->vaddr <= slot_addr && slot_addr < vma_end) { - unsigned long offset; - int slot_nr; - - offset = slot_addr - area->vaddr; - slot_nr = offset / UPROBE_XOL_SLOT_BYTES; - if (slot_nr >= UINSNS_PER_PAGE) - return; + offset = slot_addr - area->vaddr; + /* + * slot_addr must fit into [area->vaddr, area->vaddr + PAGE_SIZE). + * This check can only fail if the "[uprobes]" vma was mremap'ed. + */ + if (offset < PAGE_SIZE) { + int slot_nr = offset / UPROBE_XOL_SLOT_BYTES; clear_bit(slot_nr, area->bitmap); atomic_dec(&area->slot_count); smp_mb__after_atomic(); /* pairs with prepare_to_wait() */ if (waitqueue_active(&area->wq)) wake_up(&area->wq); - - tsk->utask->xol_vaddr = 0; } } -- 2.43.0

9 months, 3 weeks

1
1
0 0

[PATCH AUTOSEL 6.1 1/3] uprobes: sanitiize xol_free_insn_slot()

by Sasha Levin

From: Oleg Nesterov <oleg(a)redhat.com> [ Upstream commit c7b4133c48445dde789ed30b19ccb0448c7593f7 ] 1. Clear utask->xol_vaddr unconditionally, even if this addr is not valid, xol_free_insn_slot() should never return with utask->xol_vaddr != NULL. 2. Add a comment to explain why do we need to validate slot_addr. 3. Simplify the validation above. We can simply check offset < PAGE_SIZE, unsigned underflows are fine, it should work if slot_addr < area->vaddr. 4. Kill the unnecessary "slot_nr >= UINSNS_PER_PAGE" check, slot_nr must be valid if offset < PAGE_SIZE. The next patches will cleanup this function even more. Signed-off-by: Oleg Nesterov <oleg(a)redhat.com> Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> Link: https://lore.kernel.org/r/20240929144235.GA9471@redhat.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/events/uprobes.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c index 9ee25351cecac..e3c616085137e 100644 --- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1632,8 +1632,8 @@ static unsigned long xol_get_insn_slot(struct uprobe *uprobe) static void xol_free_insn_slot(struct task_struct *tsk) { struct xol_area *area; - unsigned long vma_end; unsigned long slot_addr; + unsigned long offset; if (!tsk->mm || !tsk->mm->uprobes_state.xol_area || !tsk->utask) return; @@ -1642,24 +1642,21 @@ static void xol_free_insn_slot(struct task_struct *tsk) if (unlikely(!slot_addr)) return; + tsk->utask->xol_vaddr = 0; area = tsk->mm->uprobes_state.xol_area; - vma_end = area->vaddr + PAGE_SIZE; - if (area->vaddr <= slot_addr && slot_addr < vma_end) { - unsigned long offset; - int slot_nr; - - offset = slot_addr - area->vaddr; - slot_nr = offset / UPROBE_XOL_SLOT_BYTES; - if (slot_nr >= UINSNS_PER_PAGE) - return; + offset = slot_addr - area->vaddr; + /* + * slot_addr must fit into [area->vaddr, area->vaddr + PAGE_SIZE). + * This check can only fail if the "[uprobes]" vma was mremap'ed. + */ + if (offset < PAGE_SIZE) { + int slot_nr = offset / UPROBE_XOL_SLOT_BYTES; clear_bit(slot_nr, area->bitmap); atomic_dec(&area->slot_count); smp_mb__after_atomic(); /* pairs with prepare_to_wait() */ if (waitqueue_active(&area->wq)) wake_up(&area->wq); - - tsk->utask->xol_vaddr = 0; } } -- 2.43.0

9 months, 3 weeks

1
2
0 0

[PATCH AUTOSEL 5.10] kcsan: Turn report_filterlist_lock into a raw_spinlock

by Sasha Levin

From: Marco Elver <elver(a)google.com> [ Upstream commit 59458fa4ddb47e7891c61b4a928d13d5f5b00aa0 ] Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see splats like: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 10002, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 156674 | hardirqs last enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240 | hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0 | softirqs last enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60 | softirqs last disabled at (0): [<0000000000000000>] 0x0 | Preemption disabled at: | [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90 | CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 | Call Trace: | <IRQ> | dump_stack_lvl+0x7e/0xc0 | dump_stack+0x1d/0x30 | __might_resched+0x1a2/0x270 | rt_spin_lock+0x68/0x170 | kcsan_skip_report_debugfs+0x43/0xe0 | print_report+0xb5/0x590 | kcsan_report_known_origin+0x1b1/0x1d0 | kcsan_setup_watchpoint+0x348/0x650 | __tsan_unaligned_write1+0x16d/0x1d0 | hrtimer_interrupt+0x3d6/0x430 | __sysvec_apic_timer_interrupt+0xe8/0x3a0 | sysvec_apic_timer_interrupt+0x97/0xc0 | </IRQ> On a detected data race, KCSAN's reporting logic checks if it should filter the report. That list is protected by the report_filterlist_lock *non-raw* spinlock which may sleep on RT kernels. Since KCSAN may report data races in any context, convert it to a raw_spinlock. This requires being careful about when to allocate memory for the filter list itself which can be done via KCSAN's debugfs interface. Concurrent modification of the filter list via debugfs should be rare: the chosen strategy is to optimistically pre-allocate memory before the critical section and discard if unused. Link: https://lore.kernel.org/all/20240925143154.2322926-1-ranxiaokai627@163.com/ Reported-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Tested-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Signed-off-by: Marco Elver <elver(a)google.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/kcsan/debugfs.c | 74 ++++++++++++++++++++---------------------- 1 file changed, 36 insertions(+), 38 deletions(-) diff --git a/kernel/kcsan/debugfs.c b/kernel/kcsan/debugfs.c index 62a52be8f6ba9..6a4ecd1a6fa5b 100644 --- a/kernel/kcsan/debugfs.c +++ b/kernel/kcsan/debugfs.c @@ -41,14 +41,8 @@ static struct { int used; /* number of elements used */ bool sorted; /* if elements are sorted */ bool whitelist; /* if list is a blacklist or whitelist */ -} report_filterlist = { - .addrs = NULL, - .size = 8, /* small initial size */ - .used = 0, - .sorted = false, - .whitelist = false, /* default is blacklist */ -}; -static DEFINE_SPINLOCK(report_filterlist_lock); +} report_filterlist; +static DEFINE_RAW_SPINLOCK(report_filterlist_lock); /* * The microbenchmark allows benchmarking KCSAN core runtime only. To run @@ -105,7 +99,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) return false; func_addr -= offset; /* Get function start */ - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); if (report_filterlist.used == 0) goto out; @@ -122,7 +116,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) ret = !ret; out: - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); return ret; } @@ -130,9 +124,9 @@ static void set_report_filterlist_whitelist(bool whitelist) { unsigned long flags; - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); report_filterlist.whitelist = whitelist; - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); } /* Returns 0 on success, error-code otherwise. */ @@ -140,6 +134,9 @@ static ssize_t insert_report_filterlist(const char *func) { unsigned long flags; unsigned long addr = kallsyms_lookup_name(func); + unsigned long *delay_free = NULL; + unsigned long *new_addrs = NULL; + size_t new_size = 0; ssize_t ret = 0; if (!addr) { @@ -147,32 +144,33 @@ static ssize_t insert_report_filterlist(const char *func) return -ENOENT; } - spin_lock_irqsave(&report_filterlist_lock, flags); +retry_alloc: + /* + * Check if we need an allocation, and re-validate under the lock. Since + * the report_filterlist_lock is a raw, cannot allocate under the lock. + */ + if (data_race(report_filterlist.used == report_filterlist.size)) { + new_size = (report_filterlist.size ?: 4) * 2; + delay_free = new_addrs = kmalloc_array(new_size, sizeof(unsigned long), GFP_KERNEL); + if (!new_addrs) + return -ENOMEM; + } - if (report_filterlist.addrs == NULL) { - /* initial allocation */ - report_filterlist.addrs = - kmalloc_array(report_filterlist.size, - sizeof(unsigned long), GFP_ATOMIC); - if (report_filterlist.addrs == NULL) { - ret = -ENOMEM; - goto out; - } - } else if (report_filterlist.used == report_filterlist.size) { - /* resize filterlist */ - size_t new_size = report_filterlist.size * 2; - unsigned long *new_addrs = - krealloc(report_filterlist.addrs, - new_size * sizeof(unsigned long), GFP_ATOMIC); - - if (new_addrs == NULL) { - /* leave filterlist itself untouched */ - ret = -ENOMEM; - goto out; + raw_spin_lock_irqsave(&report_filterlist_lock, flags); + if (report_filterlist.used == report_filterlist.size) { + /* Check we pre-allocated enough, and retry if not. */ + if (report_filterlist.used >= new_size) { + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + kfree(new_addrs); /* kfree(NULL) is safe */ + delay_free = new_addrs = NULL; + goto retry_alloc; } + if (report_filterlist.used) + memcpy(new_addrs, report_filterlist.addrs, report_filterlist.used * sizeof(unsigned long)); + delay_free = report_filterlist.addrs; /* free the old list */ + report_filterlist.addrs = new_addrs; /* switch to the new list */ report_filterlist.size = new_size; - report_filterlist.addrs = new_addrs; } /* Note: deduplicating should be done in userspace. */ @@ -180,9 +178,9 @@ static ssize_t insert_report_filterlist(const char *func) kallsyms_lookup_name(func); report_filterlist.sorted = false; -out: - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + kfree(delay_free); return ret; } @@ -199,13 +197,13 @@ static int show_info(struct seq_file *file, void *v) } /* show filter functions, and filter type */ - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); seq_printf(file, "\n%s functions: %s\n", report_filterlist.whitelist ? "whitelisted" : "blacklisted", report_filterlist.used == 0 ? "none" : ""); for (i = 0; i < report_filterlist.used; ++i) seq_printf(file, " %ps\n", (void *)report_filterlist.addrs[i]); - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); return 0; } -- 2.43.0

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 5.15] kcsan: Turn report_filterlist_lock into a raw_spinlock

by Sasha Levin

From: Marco Elver <elver(a)google.com> [ Upstream commit 59458fa4ddb47e7891c61b4a928d13d5f5b00aa0 ] Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see splats like: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 10002, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 156674 | hardirqs last enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240 | hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0 | softirqs last enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60 | softirqs last disabled at (0): [<0000000000000000>] 0x0 | Preemption disabled at: | [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90 | CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 | Call Trace: | <IRQ> | dump_stack_lvl+0x7e/0xc0 | dump_stack+0x1d/0x30 | __might_resched+0x1a2/0x270 | rt_spin_lock+0x68/0x170 | kcsan_skip_report_debugfs+0x43/0xe0 | print_report+0xb5/0x590 | kcsan_report_known_origin+0x1b1/0x1d0 | kcsan_setup_watchpoint+0x348/0x650 | __tsan_unaligned_write1+0x16d/0x1d0 | hrtimer_interrupt+0x3d6/0x430 | __sysvec_apic_timer_interrupt+0xe8/0x3a0 | sysvec_apic_timer_interrupt+0x97/0xc0 | </IRQ> On a detected data race, KCSAN's reporting logic checks if it should filter the report. That list is protected by the report_filterlist_lock *non-raw* spinlock which may sleep on RT kernels. Since KCSAN may report data races in any context, convert it to a raw_spinlock. This requires being careful about when to allocate memory for the filter list itself which can be done via KCSAN's debugfs interface. Concurrent modification of the filter list via debugfs should be rare: the chosen strategy is to optimistically pre-allocate memory before the critical section and discard if unused. Link: https://lore.kernel.org/all/20240925143154.2322926-1-ranxiaokai627@163.com/ Reported-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Tested-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Signed-off-by: Marco Elver <elver(a)google.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/kcsan/debugfs.c | 74 ++++++++++++++++++++---------------------- 1 file changed, 36 insertions(+), 38 deletions(-) diff --git a/kernel/kcsan/debugfs.c b/kernel/kcsan/debugfs.c index 1d1d1b0e42489..f4623910fb1f2 100644 --- a/kernel/kcsan/debugfs.c +++ b/kernel/kcsan/debugfs.c @@ -46,14 +46,8 @@ static struct { int used; /* number of elements used */ bool sorted; /* if elements are sorted */ bool whitelist; /* if list is a blacklist or whitelist */ -} report_filterlist = { - .addrs = NULL, - .size = 8, /* small initial size */ - .used = 0, - .sorted = false, - .whitelist = false, /* default is blacklist */ -}; -static DEFINE_SPINLOCK(report_filterlist_lock); +} report_filterlist; +static DEFINE_RAW_SPINLOCK(report_filterlist_lock); /* * The microbenchmark allows benchmarking KCSAN core runtime only. To run @@ -110,7 +104,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) return false; func_addr -= offset; /* Get function start */ - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); if (report_filterlist.used == 0) goto out; @@ -127,7 +121,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) ret = !ret; out: - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); return ret; } @@ -135,9 +129,9 @@ static void set_report_filterlist_whitelist(bool whitelist) { unsigned long flags; - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); report_filterlist.whitelist = whitelist; - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); } /* Returns 0 on success, error-code otherwise. */ @@ -145,6 +139,9 @@ static ssize_t insert_report_filterlist(const char *func) { unsigned long flags; unsigned long addr = kallsyms_lookup_name(func); + unsigned long *delay_free = NULL; + unsigned long *new_addrs = NULL; + size_t new_size = 0; ssize_t ret = 0; if (!addr) { @@ -152,32 +149,33 @@ static ssize_t insert_report_filterlist(const char *func) return -ENOENT; } - spin_lock_irqsave(&report_filterlist_lock, flags); +retry_alloc: + /* + * Check if we need an allocation, and re-validate under the lock. Since + * the report_filterlist_lock is a raw, cannot allocate under the lock. + */ + if (data_race(report_filterlist.used == report_filterlist.size)) { + new_size = (report_filterlist.size ?: 4) * 2; + delay_free = new_addrs = kmalloc_array(new_size, sizeof(unsigned long), GFP_KERNEL); + if (!new_addrs) + return -ENOMEM; + } - if (report_filterlist.addrs == NULL) { - /* initial allocation */ - report_filterlist.addrs = - kmalloc_array(report_filterlist.size, - sizeof(unsigned long), GFP_ATOMIC); - if (report_filterlist.addrs == NULL) { - ret = -ENOMEM; - goto out; - } - } else if (report_filterlist.used == report_filterlist.size) { - /* resize filterlist */ - size_t new_size = report_filterlist.size * 2; - unsigned long *new_addrs = - krealloc(report_filterlist.addrs, - new_size * sizeof(unsigned long), GFP_ATOMIC); - - if (new_addrs == NULL) { - /* leave filterlist itself untouched */ - ret = -ENOMEM; - goto out; + raw_spin_lock_irqsave(&report_filterlist_lock, flags); + if (report_filterlist.used == report_filterlist.size) { + /* Check we pre-allocated enough, and retry if not. */ + if (report_filterlist.used >= new_size) { + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + kfree(new_addrs); /* kfree(NULL) is safe */ + delay_free = new_addrs = NULL; + goto retry_alloc; } + if (report_filterlist.used) + memcpy(new_addrs, report_filterlist.addrs, report_filterlist.used * sizeof(unsigned long)); + delay_free = report_filterlist.addrs; /* free the old list */ + report_filterlist.addrs = new_addrs; /* switch to the new list */ report_filterlist.size = new_size; - report_filterlist.addrs = new_addrs; } /* Note: deduplicating should be done in userspace. */ @@ -185,9 +183,9 @@ static ssize_t insert_report_filterlist(const char *func) kallsyms_lookup_name(func); report_filterlist.sorted = false; -out: - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + kfree(delay_free); return ret; } @@ -204,13 +202,13 @@ static int show_info(struct seq_file *file, void *v) } /* show filter functions, and filter type */ - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); seq_printf(file, "\n%s functions: %s\n", report_filterlist.whitelist ? "whitelisted" : "blacklisted", report_filterlist.used == 0 ? "none" : ""); for (i = 0; i < report_filterlist.used; ++i) seq_printf(file, " %ps\n", (void *)report_filterlist.addrs[i]); - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); return 0; } -- 2.43.0

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 6.1] kcsan: Turn report_filterlist_lock into a raw_spinlock

by Sasha Levin

From: Marco Elver <elver(a)google.com> [ Upstream commit 59458fa4ddb47e7891c61b4a928d13d5f5b00aa0 ] Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see splats like: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 10002, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 156674 | hardirqs last enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240 | hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0 | softirqs last enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60 | softirqs last disabled at (0): [<0000000000000000>] 0x0 | Preemption disabled at: | [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90 | CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 | Call Trace: | <IRQ> | dump_stack_lvl+0x7e/0xc0 | dump_stack+0x1d/0x30 | __might_resched+0x1a2/0x270 | rt_spin_lock+0x68/0x170 | kcsan_skip_report_debugfs+0x43/0xe0 | print_report+0xb5/0x590 | kcsan_report_known_origin+0x1b1/0x1d0 | kcsan_setup_watchpoint+0x348/0x650 | __tsan_unaligned_write1+0x16d/0x1d0 | hrtimer_interrupt+0x3d6/0x430 | __sysvec_apic_timer_interrupt+0xe8/0x3a0 | sysvec_apic_timer_interrupt+0x97/0xc0 | </IRQ> On a detected data race, KCSAN's reporting logic checks if it should filter the report. That list is protected by the report_filterlist_lock *non-raw* spinlock which may sleep on RT kernels. Since KCSAN may report data races in any context, convert it to a raw_spinlock. This requires being careful about when to allocate memory for the filter list itself which can be done via KCSAN's debugfs interface. Concurrent modification of the filter list via debugfs should be rare: the chosen strategy is to optimistically pre-allocate memory before the critical section and discard if unused. Link: https://lore.kernel.org/all/20240925143154.2322926-1-ranxiaokai627@163.com/ Reported-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Tested-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Signed-off-by: Marco Elver <elver(a)google.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/kcsan/debugfs.c | 74 ++++++++++++++++++++---------------------- 1 file changed, 36 insertions(+), 38 deletions(-) diff --git a/kernel/kcsan/debugfs.c b/kernel/kcsan/debugfs.c index 1d1d1b0e42489..f4623910fb1f2 100644 --- a/kernel/kcsan/debugfs.c +++ b/kernel/kcsan/debugfs.c @@ -46,14 +46,8 @@ static struct { int used; /* number of elements used */ bool sorted; /* if elements are sorted */ bool whitelist; /* if list is a blacklist or whitelist */ -} report_filterlist = { - .addrs = NULL, - .size = 8, /* small initial size */ - .used = 0, - .sorted = false, - .whitelist = false, /* default is blacklist */ -}; -static DEFINE_SPINLOCK(report_filterlist_lock); +} report_filterlist; +static DEFINE_RAW_SPINLOCK(report_filterlist_lock); /* * The microbenchmark allows benchmarking KCSAN core runtime only. To run @@ -110,7 +104,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) return false; func_addr -= offset; /* Get function start */ - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); if (report_filterlist.used == 0) goto out; @@ -127,7 +121,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) ret = !ret; out: - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); return ret; } @@ -135,9 +129,9 @@ static void set_report_filterlist_whitelist(bool whitelist) { unsigned long flags; - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); report_filterlist.whitelist = whitelist; - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); } /* Returns 0 on success, error-code otherwise. */ @@ -145,6 +139,9 @@ static ssize_t insert_report_filterlist(const char *func) { unsigned long flags; unsigned long addr = kallsyms_lookup_name(func); + unsigned long *delay_free = NULL; + unsigned long *new_addrs = NULL; + size_t new_size = 0; ssize_t ret = 0; if (!addr) { @@ -152,32 +149,33 @@ static ssize_t insert_report_filterlist(const char *func) return -ENOENT; } - spin_lock_irqsave(&report_filterlist_lock, flags); +retry_alloc: + /* + * Check if we need an allocation, and re-validate under the lock. Since + * the report_filterlist_lock is a raw, cannot allocate under the lock. + */ + if (data_race(report_filterlist.used == report_filterlist.size)) { + new_size = (report_filterlist.size ?: 4) * 2; + delay_free = new_addrs = kmalloc_array(new_size, sizeof(unsigned long), GFP_KERNEL); + if (!new_addrs) + return -ENOMEM; + } - if (report_filterlist.addrs == NULL) { - /* initial allocation */ - report_filterlist.addrs = - kmalloc_array(report_filterlist.size, - sizeof(unsigned long), GFP_ATOMIC); - if (report_filterlist.addrs == NULL) { - ret = -ENOMEM; - goto out; - } - } else if (report_filterlist.used == report_filterlist.size) { - /* resize filterlist */ - size_t new_size = report_filterlist.size * 2; - unsigned long *new_addrs = - krealloc(report_filterlist.addrs, - new_size * sizeof(unsigned long), GFP_ATOMIC); - - if (new_addrs == NULL) { - /* leave filterlist itself untouched */ - ret = -ENOMEM; - goto out; + raw_spin_lock_irqsave(&report_filterlist_lock, flags); + if (report_filterlist.used == report_filterlist.size) { + /* Check we pre-allocated enough, and retry if not. */ + if (report_filterlist.used >= new_size) { + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + kfree(new_addrs); /* kfree(NULL) is safe */ + delay_free = new_addrs = NULL; + goto retry_alloc; } + if (report_filterlist.used) + memcpy(new_addrs, report_filterlist.addrs, report_filterlist.used * sizeof(unsigned long)); + delay_free = report_filterlist.addrs; /* free the old list */ + report_filterlist.addrs = new_addrs; /* switch to the new list */ report_filterlist.size = new_size; - report_filterlist.addrs = new_addrs; } /* Note: deduplicating should be done in userspace. */ @@ -185,9 +183,9 @@ static ssize_t insert_report_filterlist(const char *func) kallsyms_lookup_name(func); report_filterlist.sorted = false; -out: - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + kfree(delay_free); return ret; } @@ -204,13 +202,13 @@ static int show_info(struct seq_file *file, void *v) } /* show filter functions, and filter type */ - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); seq_printf(file, "\n%s functions: %s\n", report_filterlist.whitelist ? "whitelisted" : "blacklisted", report_filterlist.used == 0 ? "none" : ""); for (i = 0; i < report_filterlist.used; ++i) seq_printf(file, " %ps\n", (void *)report_filterlist.addrs[i]); - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); return 0; } -- 2.43.0

9 months, 3 weeks

1
0
0 0

[PATCH AUTOSEL 6.6 1/3] kcsan: Turn report_filterlist_lock into a raw_spinlock

by Sasha Levin

From: Marco Elver <elver(a)google.com> [ Upstream commit 59458fa4ddb47e7891c61b4a928d13d5f5b00aa0 ] Ran Xiaokai reports that with a KCSAN-enabled PREEMPT_RT kernel, we can see splats like: | BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 | preempt_count: 10002, expected: 0 | RCU nest depth: 0, expected: 0 | no locks held by swapper/1/0. | irq event stamp: 156674 | hardirqs last enabled at (156673): [<ffffffff81130bd9>] do_idle+0x1f9/0x240 | hardirqs last disabled at (156674): [<ffffffff82254f84>] sysvec_apic_timer_interrupt+0x14/0xc0 | softirqs last enabled at (0): [<ffffffff81099f47>] copy_process+0xfc7/0x4b60 | softirqs last disabled at (0): [<0000000000000000>] 0x0 | Preemption disabled at: | [<ffffffff814a3e2a>] paint_ptr+0x2a/0x90 | CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0+ #3 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 | Call Trace: | <IRQ> | dump_stack_lvl+0x7e/0xc0 | dump_stack+0x1d/0x30 | __might_resched+0x1a2/0x270 | rt_spin_lock+0x68/0x170 | kcsan_skip_report_debugfs+0x43/0xe0 | print_report+0xb5/0x590 | kcsan_report_known_origin+0x1b1/0x1d0 | kcsan_setup_watchpoint+0x348/0x650 | __tsan_unaligned_write1+0x16d/0x1d0 | hrtimer_interrupt+0x3d6/0x430 | __sysvec_apic_timer_interrupt+0xe8/0x3a0 | sysvec_apic_timer_interrupt+0x97/0xc0 | </IRQ> On a detected data race, KCSAN's reporting logic checks if it should filter the report. That list is protected by the report_filterlist_lock *non-raw* spinlock which may sleep on RT kernels. Since KCSAN may report data races in any context, convert it to a raw_spinlock. This requires being careful about when to allocate memory for the filter list itself which can be done via KCSAN's debugfs interface. Concurrent modification of the filter list via debugfs should be rare: the chosen strategy is to optimistically pre-allocate memory before the critical section and discard if unused. Link: https://lore.kernel.org/all/20240925143154.2322926-1-ranxiaokai627@163.com/ Reported-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Tested-by: Ran Xiaokai <ran.xiaokai(a)zte.com.cn> Signed-off-by: Marco Elver <elver(a)google.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- kernel/kcsan/debugfs.c | 74 ++++++++++++++++++++---------------------- 1 file changed, 36 insertions(+), 38 deletions(-) diff --git a/kernel/kcsan/debugfs.c b/kernel/kcsan/debugfs.c index 1d1d1b0e42489..f4623910fb1f2 100644 --- a/kernel/kcsan/debugfs.c +++ b/kernel/kcsan/debugfs.c @@ -46,14 +46,8 @@ static struct { int used; /* number of elements used */ bool sorted; /* if elements are sorted */ bool whitelist; /* if list is a blacklist or whitelist */ -} report_filterlist = { - .addrs = NULL, - .size = 8, /* small initial size */ - .used = 0, - .sorted = false, - .whitelist = false, /* default is blacklist */ -}; -static DEFINE_SPINLOCK(report_filterlist_lock); +} report_filterlist; +static DEFINE_RAW_SPINLOCK(report_filterlist_lock); /* * The microbenchmark allows benchmarking KCSAN core runtime only. To run @@ -110,7 +104,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) return false; func_addr -= offset; /* Get function start */ - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); if (report_filterlist.used == 0) goto out; @@ -127,7 +121,7 @@ bool kcsan_skip_report_debugfs(unsigned long func_addr) ret = !ret; out: - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); return ret; } @@ -135,9 +129,9 @@ static void set_report_filterlist_whitelist(bool whitelist) { unsigned long flags; - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); report_filterlist.whitelist = whitelist; - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); } /* Returns 0 on success, error-code otherwise. */ @@ -145,6 +139,9 @@ static ssize_t insert_report_filterlist(const char *func) { unsigned long flags; unsigned long addr = kallsyms_lookup_name(func); + unsigned long *delay_free = NULL; + unsigned long *new_addrs = NULL; + size_t new_size = 0; ssize_t ret = 0; if (!addr) { @@ -152,32 +149,33 @@ static ssize_t insert_report_filterlist(const char *func) return -ENOENT; } - spin_lock_irqsave(&report_filterlist_lock, flags); +retry_alloc: + /* + * Check if we need an allocation, and re-validate under the lock. Since + * the report_filterlist_lock is a raw, cannot allocate under the lock. + */ + if (data_race(report_filterlist.used == report_filterlist.size)) { + new_size = (report_filterlist.size ?: 4) * 2; + delay_free = new_addrs = kmalloc_array(new_size, sizeof(unsigned long), GFP_KERNEL); + if (!new_addrs) + return -ENOMEM; + } - if (report_filterlist.addrs == NULL) { - /* initial allocation */ - report_filterlist.addrs = - kmalloc_array(report_filterlist.size, - sizeof(unsigned long), GFP_ATOMIC); - if (report_filterlist.addrs == NULL) { - ret = -ENOMEM; - goto out; - } - } else if (report_filterlist.used == report_filterlist.size) { - /* resize filterlist */ - size_t new_size = report_filterlist.size * 2; - unsigned long *new_addrs = - krealloc(report_filterlist.addrs, - new_size * sizeof(unsigned long), GFP_ATOMIC); - - if (new_addrs == NULL) { - /* leave filterlist itself untouched */ - ret = -ENOMEM; - goto out; + raw_spin_lock_irqsave(&report_filterlist_lock, flags); + if (report_filterlist.used == report_filterlist.size) { + /* Check we pre-allocated enough, and retry if not. */ + if (report_filterlist.used >= new_size) { + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + kfree(new_addrs); /* kfree(NULL) is safe */ + delay_free = new_addrs = NULL; + goto retry_alloc; } + if (report_filterlist.used) + memcpy(new_addrs, report_filterlist.addrs, report_filterlist.used * sizeof(unsigned long)); + delay_free = report_filterlist.addrs; /* free the old list */ + report_filterlist.addrs = new_addrs; /* switch to the new list */ report_filterlist.size = new_size; - report_filterlist.addrs = new_addrs; } /* Note: deduplicating should be done in userspace. */ @@ -185,9 +183,9 @@ static ssize_t insert_report_filterlist(const char *func) kallsyms_lookup_name(func); report_filterlist.sorted = false; -out: - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); + kfree(delay_free); return ret; } @@ -204,13 +202,13 @@ static int show_info(struct seq_file *file, void *v) } /* show filter functions, and filter type */ - spin_lock_irqsave(&report_filterlist_lock, flags); + raw_spin_lock_irqsave(&report_filterlist_lock, flags); seq_printf(file, "\n%s functions: %s\n", report_filterlist.whitelist ? "whitelisted" : "blacklisted", report_filterlist.used == 0 ? "none" : ""); for (i = 0; i < report_filterlist.used; ++i) seq_printf(file, " %ps\n", (void *)report_filterlist.addrs[i]); - spin_unlock_irqrestore(&report_filterlist_lock, flags); + raw_spin_unlock_irqrestore(&report_filterlist_lock, flags); return 0; } -- 2.43.0

9 months, 3 weeks

1
2
0 0

[PATCH AUTOSEL 6.11 1/6] crypto: ecdsa - Avoid signed integer overflow on signature decoding

by Sasha Levin

From: Lukas Wunner <lukas(a)wunner.de> [ Upstream commit 3b0565c703503f832d6cd7ba805aafa3b330cb9d ] When extracting a signature component r or s from an ASN.1-encoded integer, ecdsa_get_signature_rs() subtracts the expected length "bufsize" from the ASN.1 length "vlen" (both of unsigned type size_t) and stores the result in "diff" (of signed type ssize_t). This results in a signed integer overflow if vlen > SSIZE_MAX + bufsize. The kernel is compiled with -fno-strict-overflow, which implies -fwrapv, meaning signed integer overflow is not undefined behavior. And the function does check for overflow: if (-diff >= bufsize) return -EINVAL; So the code is fine in principle but not very obvious. In the future it might trigger a false-positive with CONFIG_UBSAN_SIGNED_WRAP=y. Avoid by comparing the two unsigned variables directly and erroring out if "vlen" is too large. Signed-off-by: Lukas Wunner <lukas(a)wunner.de> Reviewed-by: Stefan Berger <stefanb(a)linux.ibm.com> Reviewed-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- crypto/ecdsa.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c index d5a10959ec281..80ef16ae6a40b 100644 --- a/crypto/ecdsa.c +++ b/crypto/ecdsa.c @@ -36,29 +36,24 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag, const void *value, size_t vlen, unsigned int ndigits) { size_t bufsize = ndigits * sizeof(u64); - ssize_t diff = vlen - bufsize; const char *d = value; - if (!value || !vlen) + if (!value || !vlen || vlen > bufsize + 1) return -EINVAL; - /* diff = 0: 'value' has exacly the right size - * diff > 0: 'value' has too many bytes; one leading zero is allowed that - * makes the value a positive integer; error on more - * diff < 0: 'value' is missing leading zeros + /* + * vlen may be 1 byte larger than bufsize due to a leading zero byte + * (necessary if the most significant bit of the integer is set). */ - if (diff > 0) { + if (vlen > bufsize) { /* skip over leading zeros that make 'value' a positive int */ if (*d == 0) { vlen -= 1; - diff--; d++; - } - if (diff) + } else { return -EINVAL; + } } - if (-diff >= bufsize) - return -EINVAL; ecc_digits_from_bytes(d, vlen, dest, ndigits); -- 2.43.0

9 months, 3 weeks

1
5
0 0

[PATCH AUTOSEL 6.12 1/6] crypto: ecdsa - Avoid signed integer overflow on signature decoding

by Sasha Levin

From: Lukas Wunner <lukas(a)wunner.de> [ Upstream commit 3b0565c703503f832d6cd7ba805aafa3b330cb9d ] When extracting a signature component r or s from an ASN.1-encoded integer, ecdsa_get_signature_rs() subtracts the expected length "bufsize" from the ASN.1 length "vlen" (both of unsigned type size_t) and stores the result in "diff" (of signed type ssize_t). This results in a signed integer overflow if vlen > SSIZE_MAX + bufsize. The kernel is compiled with -fno-strict-overflow, which implies -fwrapv, meaning signed integer overflow is not undefined behavior. And the function does check for overflow: if (-diff >= bufsize) return -EINVAL; So the code is fine in principle but not very obvious. In the future it might trigger a false-positive with CONFIG_UBSAN_SIGNED_WRAP=y. Avoid by comparing the two unsigned variables directly and erroring out if "vlen" is too large. Signed-off-by: Lukas Wunner <lukas(a)wunner.de> Reviewed-by: Stefan Berger <stefanb(a)linux.ibm.com> Reviewed-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- crypto/ecdsa.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c index d5a10959ec281..80ef16ae6a40b 100644 --- a/crypto/ecdsa.c +++ b/crypto/ecdsa.c @@ -36,29 +36,24 @@ static int ecdsa_get_signature_rs(u64 *dest, size_t hdrlen, unsigned char tag, const void *value, size_t vlen, unsigned int ndigits) { size_t bufsize = ndigits * sizeof(u64); - ssize_t diff = vlen - bufsize; const char *d = value; - if (!value || !vlen) + if (!value || !vlen || vlen > bufsize + 1) return -EINVAL; - /* diff = 0: 'value' has exacly the right size - * diff > 0: 'value' has too many bytes; one leading zero is allowed that - * makes the value a positive integer; error on more - * diff < 0: 'value' is missing leading zeros + /* + * vlen may be 1 byte larger than bufsize due to a leading zero byte + * (necessary if the most significant bit of the integer is set). */ - if (diff > 0) { + if (vlen > bufsize) { /* skip over leading zeros that make 'value' a positive int */ if (*d == 0) { vlen -= 1; - diff--; d++; - } - if (diff) + } else { return -EINVAL; + } } - if (-diff >= bufsize) - return -EINVAL; ecc_digits_from_bytes(d, vlen, dest, ndigits); -- 2.43.0

9 months, 3 weeks

1
5
0 0

[PATCH AUTOSEL 5.4 1/2] s390/cpum_sf: Handle CPU hotplug remove during sampling

by Sasha Levin

From: Thomas Richter <tmricht(a)linux.ibm.com> [ Upstream commit a0bd7dacbd51c632b8e2c0500b479af564afadf3 ] CPU hotplug remove handling triggers the following function call sequence: CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu() ... CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu() The s390 CPUMF sampling CPU hotplug handler invokes: s390_pmu_sf_offline_cpu() +--> cpusf_pmu_setup() +--> setup_pmc_cpu() +--> deallocate_buffers() This function de-allocates all sampling data buffers (SDBs) allocated for that CPU at event initialization. It also clears the PMU_F_RESERVED bit. The CPU is gone and can not be sampled. With the event still being active on the removed CPU, the CPU event hotplug support in kernel performance subsystem triggers the following function calls on the removed CPU: perf_event_exit_cpu() +--> perf_event_exit_cpu_context() +--> __perf_event_exit_context() +--> __perf_remove_from_context() +--> event_sched_out() +--> cpumsf_pmu_del() +--> cpumsf_pmu_stop() +--> hw_perf_event_update() to stop and remove the event. During removal of the event, the sampling device driver tries to read out the remaining samples from the sample data buffers (SDBs). But they have already been freed (and may have been re-assigned). This may lead to a use after free situation in which case the samples are most likely invalid. In the best case the memory has not been reassigned and still contains valid data. Remedy this situation and check if the CPU is still in reserved state (bit PMU_F_RESERVED set). In this case the SDBs have not been released an contain valid data. This is always the case when the event is removed (and no CPU hotplug off occured). If the PMU_F_RESERVED bit is not set, the SDB buffers are gone. Signed-off-by: Thomas Richter <tmricht(a)linux.ibm.com> Reviewed-by: Hendrik Brueckner <brueckner(a)linux.ibm.com> Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/s390/kernel/perf_cpum_sf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c index 4f251cd624d7e..6047ccb6f8e26 100644 --- a/arch/s390/kernel/perf_cpum_sf.c +++ b/arch/s390/kernel/perf_cpum_sf.c @@ -1862,7 +1862,9 @@ static void cpumsf_pmu_stop(struct perf_event *event, int flags) event->hw.state |= PERF_HES_STOPPED; if ((flags & PERF_EF_UPDATE) && !(event->hw.state & PERF_HES_UPTODATE)) { - hw_perf_event_update(event, 1); + /* CPU hotplug off removes SDBs. No samples to extract. */ + if (cpuhw->flags & PMU_F_RESERVED) + hw_perf_event_update(event, 1); event->hw.state |= PERF_HES_UPTODATE; } perf_pmu_enable(event->pmu); -- 2.43.0

9 months, 3 weeks

1
1
0 0

[PATCH AUTOSEL 5.15 1/6] epoll: annotate racy check

by Sasha Levin

From: Christian Brauner <brauner(a)kernel.org> [ Upstream commit 6474353a5e3d0b2cf610153cea0c61f576a36d0a ] Epoll relies on a racy fastpath check during __fput() in eventpoll_release() to avoid the hit of pointlessly acquiring a semaphore. Annotate that race by using WRITE_ONCE() and READ_ONCE(). Link: https://lore.kernel.org/r/66edfb3c.050a0220.3195df.001a.GAE@google.com Link: https://lore.kernel.org/r/20240925-fungieren-anbauen-79b334b00542@brauner Reviewed-by: Jan Kara <jack(a)suse.cz> Reported-by: syzbot+3b6b32dc50537a49bb4a(a)syzkaller.appspotmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/eventpoll.c | 6 ++++-- include/linux/eventpoll.h | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index b60edddf17870..7413b4a6ba282 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -696,7 +696,8 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi) to_free = NULL; head = file->f_ep; if (head->first == &epi->fllink && !epi->fllink.next) { - file->f_ep = NULL; + /* See eventpoll_release() for details. */ + WRITE_ONCE(file->f_ep, NULL); if (!is_file_epoll(file)) { struct epitems_head *v; v = container_of(head, struct epitems_head, epitems); @@ -1460,7 +1461,8 @@ static int attach_epitem(struct file *file, struct epitem *epi) spin_unlock(&file->f_lock); goto allocate; } - file->f_ep = head; + /* See eventpoll_release() for details. */ + WRITE_ONCE(file->f_ep, head); to_free = NULL; } hlist_add_head_rcu(&epi->fllink, file->f_ep); diff --git a/include/linux/eventpoll.h b/include/linux/eventpoll.h index 3337745d81bd6..0c0d00fcd131f 100644 --- a/include/linux/eventpoll.h +++ b/include/linux/eventpoll.h @@ -42,7 +42,7 @@ static inline void eventpoll_release(struct file *file) * because the file in on the way to be removed and nobody ( but * eventpoll ) has still a reference to this file. */ - if (likely(!file->f_ep)) + if (likely(!READ_ONCE(file->f_ep))) return; /* -- 2.43.0

9 months, 3 weeks

1
5
0 0

[PATCH AUTOSEL 6.1 1/7] epoll: annotate racy check

by Sasha Levin

From: Christian Brauner <brauner(a)kernel.org> [ Upstream commit 6474353a5e3d0b2cf610153cea0c61f576a36d0a ] Epoll relies on a racy fastpath check during __fput() in eventpoll_release() to avoid the hit of pointlessly acquiring a semaphore. Annotate that race by using WRITE_ONCE() and READ_ONCE(). Link: https://lore.kernel.org/r/66edfb3c.050a0220.3195df.001a.GAE@google.com Link: https://lore.kernel.org/r/20240925-fungieren-anbauen-79b334b00542@brauner Reviewed-by: Jan Kara <jack(a)suse.cz> Reported-by: syzbot+3b6b32dc50537a49bb4a(a)syzkaller.appspotmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/eventpoll.c | 6 ++++-- include/linux/eventpoll.h | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 7221072f39fad..f296ffb57d052 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -703,7 +703,8 @@ static int ep_remove(struct eventpoll *ep, struct epitem *epi) to_free = NULL; head = file->f_ep; if (head->first == &epi->fllink && !epi->fllink.next) { - file->f_ep = NULL; + /* See eventpoll_release() for details. */ + WRITE_ONCE(file->f_ep, NULL); if (!is_file_epoll(file)) { struct epitems_head *v; v = container_of(head, struct epitems_head, epitems); @@ -1467,7 +1468,8 @@ static int attach_epitem(struct file *file, struct epitem *epi) spin_unlock(&file->f_lock); goto allocate; } - file->f_ep = head; + /* See eventpoll_release() for details. */ + WRITE_ONCE(file->f_ep, head); to_free = NULL; } hlist_add_head_rcu(&epi->fllink, file->f_ep); diff --git a/include/linux/eventpoll.h b/include/linux/eventpoll.h index 3337745d81bd6..0c0d00fcd131f 100644 --- a/include/linux/eventpoll.h +++ b/include/linux/eventpoll.h @@ -42,7 +42,7 @@ static inline void eventpoll_release(struct file *file) * because the file in on the way to be removed and nobody ( but * eventpoll ) has still a reference to this file. */ - if (likely(!file->f_ep)) + if (likely(!READ_ONCE(file->f_ep))) return; /* -- 2.43.0

9 months, 3 weeks

1
6
0 0

[PATCH AUTOSEL 6.6 1/9] epoll: annotate racy check

by Sasha Levin

From: Christian Brauner <brauner(a)kernel.org> [ Upstream commit 6474353a5e3d0b2cf610153cea0c61f576a36d0a ] Epoll relies on a racy fastpath check during __fput() in eventpoll_release() to avoid the hit of pointlessly acquiring a semaphore. Annotate that race by using WRITE_ONCE() and READ_ONCE(). Link: https://lore.kernel.org/r/66edfb3c.050a0220.3195df.001a.GAE@google.com Link: https://lore.kernel.org/r/20240925-fungieren-anbauen-79b334b00542@brauner Reviewed-by: Jan Kara <jack(a)suse.cz> Reported-by: syzbot+3b6b32dc50537a49bb4a(a)syzkaller.appspotmail.com Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/eventpoll.c | 6 ++++-- include/linux/eventpoll.h | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 0ed73bc7d4652..bcaad495930c3 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -741,7 +741,8 @@ static bool __ep_remove(struct eventpoll *ep, struct epitem *epi, bool force) to_free = NULL; head = file->f_ep; if (head->first == &epi->fllink && !epi->fllink.next) { - file->f_ep = NULL; + /* See eventpoll_release() for details. */ + WRITE_ONCE(file->f_ep, NULL); if (!is_file_epoll(file)) { struct epitems_head *v; v = container_of(head, struct epitems_head, epitems); @@ -1498,7 +1499,8 @@ static int attach_epitem(struct file *file, struct epitem *epi) spin_unlock(&file->f_lock); goto allocate; } - file->f_ep = head; + /* See eventpoll_release() for details. */ + WRITE_ONCE(file->f_ep, head); to_free = NULL; } hlist_add_head_rcu(&epi->fllink, file->f_ep); diff --git a/include/linux/eventpoll.h b/include/linux/eventpoll.h index 3337745d81bd6..0c0d00fcd131f 100644 --- a/include/linux/eventpoll.h +++ b/include/linux/eventpoll.h @@ -42,7 +42,7 @@ static inline void eventpoll_release(struct file *file) * because the file in on the way to be removed and nobody ( but * eventpoll ) has still a reference to this file. */ - if (likely(!file->f_ep)) + if (likely(!READ_ONCE(file->f_ep))) return; /* -- 2.43.0

9 months, 3 weeks

1
8
0 0

[PATCH AUTOSEL 6.11 01/16] s390/pci: Sort PCI functions prior to creating virtual busses

by Sasha Levin

From: Niklas Schnelle <schnelle(a)linux.ibm.com> [ Upstream commit 0467cdde8c4320bbfdb31a8cff1277b202f677fc ] Instead of relying on the observed but not architected firmware behavior that PCI functions from the same card are listed in ascending RID order in clp_list_pci() ensure this by sorting. To allow for sorting separate the initial clp_list_pci() and creation of the virtual PCI busses. Note that fundamentally in our per-PCI function hotplug design non RID order of discovery is still possible. For example when the two PFs of a two port NIC are hotplugged after initial boot and in descending RID order. In this case the virtual PCI bus would be created by the second PF using that PF's UID as domain number instead of that of the first PF. Thus the domain number would then change from the UID of the second PF to that of the first PF on reboot but there is really nothing we can do about that since changing domain numbers at runtime seems even worse. This only impacts the domain number as the RIDs are consistent and thus even with just the second PF visible it will show up in the correct position on the virtual bus. Reviewed-by: Gerd Bayer <gbayer(a)linux.ibm.com> Signed-off-by: Niklas Schnelle <schnelle(a)linux.ibm.com> Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/s390/include/asm/pci.h | 5 ++- arch/s390/pci/pci.c | 69 ++++++++++++++++++++++++++++++++----- arch/s390/pci/pci_clp.c | 12 ++++--- arch/s390/pci/pci_event.c | 13 ++++--- 4 files changed, 82 insertions(+), 17 deletions(-) diff --git a/arch/s390/include/asm/pci.h b/arch/s390/include/asm/pci.h index 30820a649e6e7..fdec455892486 100644 --- a/arch/s390/include/asm/pci.h +++ b/arch/s390/include/asm/pci.h @@ -130,6 +130,7 @@ struct zpci_dev { u16 vfn; /* virtual function number */ u16 pchid; /* physical channel ID */ u16 maxstbl; /* Maximum store block size */ + u16 rid; /* RID as supplied by firmware */ u8 pfgid; /* function group ID */ u8 pft; /* pci function type */ u8 port; @@ -203,12 +204,14 @@ extern struct airq_iv *zpci_aif_sbv; ----------------------------------------------------------------------------- */ /* Base stuff */ struct zpci_dev *zpci_create_device(u32 fid, u32 fh, enum zpci_state state); +int zpci_add_device(struct zpci_dev *zdev); int zpci_enable_device(struct zpci_dev *); int zpci_disable_device(struct zpci_dev *); int zpci_scan_configured_device(struct zpci_dev *zdev, u32 fh); int zpci_deconfigure_device(struct zpci_dev *zdev); void zpci_device_reserved(struct zpci_dev *zdev); bool zpci_is_device_configured(struct zpci_dev *zdev); +int zpci_scan_devices(void); int zpci_hot_reset_device(struct zpci_dev *zdev); int zpci_register_ioat(struct zpci_dev *, u8, u64, u64, u64, u8 *); @@ -218,7 +221,7 @@ void zpci_update_fh(struct zpci_dev *zdev, u32 fh); /* CLP */ int clp_setup_writeback_mio(void); -int clp_scan_pci_devices(void); +int clp_scan_pci_devices(struct list_head *scan_list); int clp_query_pci_fn(struct zpci_dev *zdev); int clp_enable_fh(struct zpci_dev *zdev, u32 *fh, u8 nr_dma_as); int clp_disable_fh(struct zpci_dev *zdev, u32 *fh); diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c index cff4838fad216..e70318fba275a 100644 --- a/arch/s390/pci/pci.c +++ b/arch/s390/pci/pci.c @@ -29,6 +29,7 @@ #include <linux/pci.h> #include <linux/printk.h> #include <linux/lockdep.h> +#include <linux/list_sort.h> #include <asm/isc.h> #include <asm/airq.h> @@ -786,7 +787,6 @@ struct zpci_dev *zpci_create_device(u32 fid, u32 fh, enum zpci_state state) struct zpci_dev *zdev; int rc; - zpci_dbg(1, "add fid:%x, fh:%x, c:%d\n", fid, fh, state); zdev = kzalloc(sizeof(*zdev), GFP_KERNEL); if (!zdev) return ERR_PTR(-ENOMEM); @@ -806,6 +806,19 @@ struct zpci_dev *zpci_create_device(u32 fid, u32 fh, enum zpci_state state) mutex_init(&zdev->fmb_lock); mutex_init(&zdev->kzdev_lock); + return zdev; + +error: + zpci_dbg(0, "crt fid:%x, rc:%d\n", fid, rc); + kfree(zdev); + return ERR_PTR(rc); +} + +int zpci_add_device(struct zpci_dev *zdev) +{ + int rc; + + zpci_dbg(1, "add fid:%x, fh:%x, c:%d\n", zdev->fid, zdev->fh, zdev->state); rc = zpci_init_iommu(zdev); if (rc) goto error; @@ -817,15 +830,13 @@ struct zpci_dev *zpci_create_device(u32 fid, u32 fh, enum zpci_state state) spin_lock(&zpci_list_lock); list_add_tail(&zdev->entry, &zpci_list); spin_unlock(&zpci_list_lock); - - return zdev; + return 0; error_destroy_iommu: zpci_destroy_iommu(zdev); error: - zpci_dbg(0, "add fid:%x, rc:%d\n", fid, rc); - kfree(zdev); - return ERR_PTR(rc); + zpci_dbg(0, "add fid:%x, rc:%d\n", zdev->fid, rc); + return rc; } bool zpci_is_device_configured(struct zpci_dev *zdev) @@ -1083,6 +1094,49 @@ bool zpci_is_enabled(void) return s390_pci_initialized; } +static int zpci_cmp_rid(void *priv, const struct list_head *a, + const struct list_head *b) +{ + struct zpci_dev *za = container_of(a, struct zpci_dev, entry); + struct zpci_dev *zb = container_of(b, struct zpci_dev, entry); + + /* + * PCI functions without RID available maintain original order + * between themselves but sort before those with RID. + */ + if (za->rid == zb->rid) + return za->rid_available > zb->rid_available; + /* + * PCI functions with RID sort by RID ascending. + */ + return za->rid > zb->rid; +} + +static void zpci_add_devices(struct list_head *scan_list) +{ + struct zpci_dev *zdev, *tmp; + + list_sort(NULL, scan_list, &zpci_cmp_rid); + list_for_each_entry_safe(zdev, tmp, scan_list, entry) { + list_del_init(&zdev->entry); + zpci_add_device(zdev); + } +} + +int zpci_scan_devices(void) +{ + LIST_HEAD(scan_list); + int rc; + + rc = clp_scan_pci_devices(&scan_list); + if (rc) + return rc; + + zpci_add_devices(&scan_list); + zpci_bus_scan_busses(); + return 0; +} + static int __init pci_base_init(void) { int rc; @@ -1112,10 +1166,9 @@ static int __init pci_base_init(void) if (rc) goto out_irq; - rc = clp_scan_pci_devices(); + rc = zpci_scan_devices(); if (rc) goto out_find; - zpci_bus_scan_busses(); s390_pci_initialized = 1; return 0; diff --git a/arch/s390/pci/pci_clp.c b/arch/s390/pci/pci_clp.c index ee90a91ed8881..3049e4eb01fe7 100644 --- a/arch/s390/pci/pci_clp.c +++ b/arch/s390/pci/pci_clp.c @@ -164,8 +164,10 @@ static int clp_store_query_pci_fn(struct zpci_dev *zdev, zdev->port = response->port; zdev->uid = response->uid; zdev->fmb_length = sizeof(u32) * response->fmb_len; - zdev->rid_available = response->rid_avail; zdev->is_physfn = response->is_physfn; + zdev->rid_available = response->rid_avail; + if (zdev->rid_available) + zdev->rid = response->rid; if (!s390_pci_no_rid && zdev->rid_available) zdev->devfn = response->rid & ZPCI_RID_MASK_DEVFN; @@ -407,6 +409,7 @@ static int clp_find_pci(struct clp_req_rsp_list_pci *rrb, u32 fid, static void __clp_add(struct clp_fh_list_entry *entry, void *data) { + struct list_head *scan_list = data; struct zpci_dev *zdev; if (!entry->vendor_id) @@ -417,10 +420,11 @@ static void __clp_add(struct clp_fh_list_entry *entry, void *data) zpci_zdev_put(zdev); return; } - zpci_create_device(entry->fid, entry->fh, entry->config_state); + zdev = zpci_create_device(entry->fid, entry->fh, entry->config_state); + list_add_tail(&zdev->entry, scan_list); } -int clp_scan_pci_devices(void) +int clp_scan_pci_devices(struct list_head *scan_list) { struct clp_req_rsp_list_pci *rrb; int rc; @@ -429,7 +433,7 @@ int clp_scan_pci_devices(void) if (!rrb) return -ENOMEM; - rc = clp_list_pci(rrb, NULL, __clp_add); + rc = clp_list_pci(rrb, scan_list, __clp_add); clp_free_block(rrb); return rc; diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c index d4f19d33914cb..47f934f4e828e 100644 --- a/arch/s390/pci/pci_event.c +++ b/arch/s390/pci/pci_event.c @@ -340,6 +340,7 @@ static void __zpci_event_availability(struct zpci_ccdf_avail *ccdf) zdev = zpci_create_device(ccdf->fid, ccdf->fh, ZPCI_FN_STATE_CONFIGURED); if (IS_ERR(zdev)) break; + zpci_add_device(zdev); } else { /* the configuration request may be stale */ if (zdev->state != ZPCI_FN_STATE_STANDBY) @@ -349,10 +350,14 @@ static void __zpci_event_availability(struct zpci_ccdf_avail *ccdf) zpci_scan_configured_device(zdev, ccdf->fh); break; case 0x0302: /* Reserved -> Standby */ - if (!zdev) - zpci_create_device(ccdf->fid, ccdf->fh, ZPCI_FN_STATE_STANDBY); - else + if (!zdev) { + zdev = zpci_create_device(ccdf->fid, ccdf->fh, ZPCI_FN_STATE_STANDBY); + if (IS_ERR(zdev)) + break; + zpci_add_device(zdev); + } else { zpci_update_fh(zdev, ccdf->fh); + } break; case 0x0303: /* Deconfiguration requested */ if (zdev) { @@ -381,7 +386,7 @@ static void __zpci_event_availability(struct zpci_ccdf_avail *ccdf) break; case 0x0306: /* 0x308 or 0x302 for multiple devices */ zpci_remove_reserved_devices(); - clp_scan_pci_devices(); + zpci_scan_devices(); break; case 0x0308: /* Standby -> Reserved */ if (!zdev) -- 2.43.0

9 months, 3 weeks

1
15
0 0

[REQUEST] net: fec: Not yet ported PTP patches

by Csókás Bence

Hi! The following upstream commits have not been queued for stable due to missing `Fixes:` tags, but are strongly recommended for correct PTP operation on the i.MX 6 SoC family, please pick them. Our first priority would be 6.6, the last LTS, but obviously all stable versions would benefit. * 4374a1fe580a ("net: fec: Move `fec_ptp_read()` to the top of the file") * 713ebaed68d8 ("net: fec: Remove duplicated code") * bf8ca67e2167 [tree: net-next] ("net: fec: refactor PPS channel configuration") Bence

9 months, 3 weeks

4
11
0 0

[PATCH v2 2/2] of: address: Preserve the flags portion on 1:1 dma-ranges mapping

by Andrea della Porta

A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma translations. In this specific case, the current behaviour is to zero out the entire specifier so that the translation could be carried on as an offset from zero. This includes address specifier that has flags (e.g. PCI ranges). Once the flags portion has been zeroed, the translation chain is broken since the mapping functions will check the upcoming address specifier against mismatching flags, always failing the 1:1 mapping and its entire purpose of always succeeding. Set to zero only the address portion while passing the flags through. Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code") Cc: stable(a)vger.kernel.org Signed-off-by: Andrea della Porta <andrea.porta(a)suse.com> Tested-by: Herve Codina <herve.codina(a)bootlin.com> --- drivers/of/address.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/of/address.c b/drivers/of/address.c index 286f0c161e33..b3479586bd4d 100644 --- a/drivers/of/address.c +++ b/drivers/of/address.c @@ -455,7 +455,8 @@ static int of_translate_one(struct device_node *parent, struct of_bus *bus, } if (ranges == NULL || rlen == 0) { offset = of_read_number(addr, na); - memset(addr, 0, pna * 4); + /* set address to zero, pass flags through */ + memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4); pr_debug("empty ranges; 1:1 translation\n"); goto finish; } -- 2.35.3

9 months, 3 weeks

1
0
0 0

[PATCH 00/18] leds: switch to device_for_each_child_node_scoped()

by Javier Carrasco

This series switches from the device_for_each_child_node() macro to its scoped variant, which in general makes the code more robust if new early exits are added to the loops, because there is no need for explicit calls to fwnode_handle_put(). Depending on the complexity of the loop and its error handling, the code gets simplified and it gets easier to follow. The non-scoped variant of the macro is error-prone, and it has been the source of multiple bugs where the child node refcount was not decremented accordingly in error paths within the loops. The first patch of this series is a good example, which fixes that kind of bug that is regularly found in node iterators. The uses of device_for_each_child_node() with no early exits have been left untouched because their simpilicty justifies the non-scoped variant. Note that the child node is now declared in the macro, and therefore the explicit declaration is no longer required. The general functionality should not be affected by this modification. If functional changes are found, please report them back as errors. Signed-off-by: Javier Carrasco <javier.carrasco.cruz(a)gmail.com> --- Javier Carrasco (18): leds: flash: mt6360: fix device_for_each_child_node() refcounting in error paths leds: flash: mt6370: switch to device_for_each_child_node_scoped() leds: flash: leds-qcom-flash: switch to device_for_each_child_node_scoped() leds: aw200xx: switch to device_for_each_child_node_scoped() leds: cr0014114: switch to device_for_each_child_node_scoped() leds: el15203000: switch to device_for_each_child_node_scoped() leds: gpio: switch to device_for_each_child_node_scoped() leds: lm3532: switch to device_for_each_child_node_scoped() leds: lm3697: switch to device_for_each_child_node_scoped() leds: lp50xx: switch to device_for_each_child_node_scoped() leds: max77650: switch to device_for_each_child_node_scoped() leds: ns2: switch to device_for_each_child_node_scoped() leds: pca963x: switch to device_for_each_child_node_scoped() leds: pwm: switch to device_for_each_child_node_scoped() leds: sun50i-a100: switch to device_for_each_child_node_scoped() leds: tca6507: switch to device_for_each_child_node_scoped() leds: rgb: ktd202x: switch to device_for_each_child_node_scoped() leds: rgb: mt6370: switch to device_for_each_child_node_scoped() drivers/leds/flash/leds-mt6360.c | 3 +-- drivers/leds/flash/leds-mt6370-flash.c | 11 +++------- drivers/leds/flash/leds-qcom-flash.c | 4 +--- drivers/leds/leds-aw200xx.c | 7 ++----- drivers/leds/leds-cr0014114.c | 4 +--- drivers/leds/leds-el15203000.c | 14 ++++--------- drivers/leds/leds-gpio.c | 9 +++------ drivers/leds/leds-lm3532.c | 18 +++++++---------- drivers/leds/leds-lm3697.c | 18 ++++++----------- drivers/leds/leds-lp50xx.c | 21 +++++++------------ drivers/leds/leds-max77650.c | 18 ++++++----------- drivers/leds/leds-ns2.c | 7 ++----- drivers/leds/leds-pca963x.c | 11 +++------- drivers/leds/leds-pwm.c | 15 ++++---------- drivers/leds/leds-sun50i-a100.c | 27 +++++++++---------------- drivers/leds/leds-tca6507.c | 7 ++----- drivers/leds/rgb/leds-ktd202x.c | 8 +++----- drivers/leds/rgb/leds-mt6370-rgb.c | 37 ++++++++++------------------------ 18 files changed, 75 insertions(+), 164 deletions(-) --- base-commit: 92fc9636d1471b7f68bfee70c776f7f77e747b97 change-id: 20240926-leds_device_for_each_child_node_scoped-5a95255413fa Best regards, -- Javier Carrasco <javier.carrasco.cruz(a)gmail.com>

9 months, 3 weeks

3
3
0 0

[PATCH v2] iio: imu: inv_icm42600: fix spi burst write not supported

by Jean-Baptiste Maneyrol via B4 Relay

From: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> Burst write with SPI is not working for all icm42600 chips. It was only used for setting user offsets with regmap_bulk_write. Add specific SPI regmap config for using only single write with SPI. Fixes: 9f9ff91b775b ("iio: imu: inv_icm42600: add SPI driver for inv_icm42600 driver") Cc: stable(a)vger.kernel.org Signed-off-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> --- Changes in v2: - Add new spi specific regmap config instead of editing existing one. - Link to v1: https://lore.kernel.org/r/20241107-inv-icm42600-fix-spi-burst-write-not-sup… --- drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 + drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 15 +++++++++++++++ drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 ++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600.h b/drivers/iio/imu/inv_icm42600/inv_icm42600.h index 3a07e43e4cf154f3107c015c30248330d8e677f8..18787a43477b89db12caee597ab040af5c8f52d5 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600.h +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600.h @@ -403,6 +403,7 @@ struct inv_icm42600_sensor_state { typedef int (*inv_icm42600_bus_setup)(struct inv_icm42600_state *); extern const struct regmap_config inv_icm42600_regmap_config; +extern const struct regmap_config inv_icm42600_spi_regmap_config; extern const struct dev_pm_ops inv_icm42600_pm_ops; const struct iio_mount_matrix * diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c index 93b5d7a3339ccff16b21bf6c40ed7b2311317cf4..834c32cb07f354ab52e69bfeea8f00b6443e8dd9 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c @@ -87,6 +87,21 @@ const struct regmap_config inv_icm42600_regmap_config = { }; EXPORT_SYMBOL_NS_GPL(inv_icm42600_regmap_config, IIO_ICM42600); +/* define specific regmap for SPI not supporting burst write */ +const struct regmap_config inv_icm42600_spi_regmap_config = { + .name = "inv_icm42600", + .reg_bits = 8, + .val_bits = 8, + .max_register = 0x4FFF, + .ranges = inv_icm42600_regmap_ranges, + .num_ranges = ARRAY_SIZE(inv_icm42600_regmap_ranges), + .volatile_table = inv_icm42600_regmap_volatile_accesses, + .rd_noinc_table = inv_icm42600_regmap_rd_noinc_accesses, + .cache_type = REGCACHE_RBTREE, + .use_single_write = true, +}; +EXPORT_SYMBOL_NS_GPL(inv_icm42600_spi_regmap_config, IIO_ICM42600); + struct inv_icm42600_hw { uint8_t whoami; const char *name; diff --git a/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c b/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c index 3b6d05fce65d544524b25299c6d342af92cfd1e0..deb0cbd8b7fe6fcb562067afaca931c148f6fca6 100644 --- a/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c +++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c @@ -59,7 +59,8 @@ static int inv_icm42600_probe(struct spi_device *spi) return -EINVAL; chip = (uintptr_t)match; - regmap = devm_regmap_init_spi(spi, &inv_icm42600_regmap_config); + /* use SPI specific regmap */ + regmap = devm_regmap_init_spi(spi, &inv_icm42600_spi_regmap_config); if (IS_ERR(regmap)) return PTR_ERR(regmap); --- base-commit: c9f8285ec18c08fae0de08835eb8e5953339e664 change-id: 20241107-inv-icm42600-fix-spi-burst-write-not-supported-efe78d7379a5 Best regards, -- Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com>

9 months, 3 weeks

2
1
0 0

[PATCH] f2fs: fix to drop all discards after creating snapshot on lvm device

by Chao Yu

Piergiorgio reported a bug in bugzilla as below: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 969 at fs/f2fs/segment.c:1330 RIP: 0010:__submit_discard_cmd+0x27d/0x400 [f2fs] Call Trace: __issue_discard_cmd+0x1ca/0x350 [f2fs] issue_discard_thread+0x191/0x480 [f2fs] kthread+0xcf/0x100 ret_from_fork+0x31/0x50 ret_from_fork_asm+0x1a/0x30 w/ below testcase, it can reproduce this bug quickly: - pvcreate /dev/vdb - vgcreate myvg1 /dev/vdb - lvcreate -L 1024m -n mylv1 myvg1 - mount /dev/myvg1/mylv1 /mnt/f2fs - dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=20 - sync - rm /mnt/f2fs/file - sync - lvcreate -L 1024m -s -n mylv1-snapshot /dev/myvg1/mylv1 - umount /mnt/f2fs The root cause is: it will update discard_max_bytes of mounted lvm device to zero after creating snapshot on this lvm device, then, __submit_discard_cmd() will pass parameter @nr_sects w/ zero value to __blkdev_issue_discard(), it returns a NULL bio pointer, result in panic. This patch changes as below for fixing: 1. Let's drop all remained discards in f2fs_unfreeze() if snapshot of lvm device is created. 2. Checking discard_max_bytes before submitting discard during __submit_discard_cmd(). Cc: stable(a)vger.kernel.org Fixes: 35ec7d574884 ("f2fs: split discard command in prior to block layer") Reported-by: Piergiorgio Sartor <piergiorgio.sartor(a)nexgo.de> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219484 Signed-off-by: Chao Yu <chao(a)kernel.org> --- fs/f2fs/segment.c | 16 +++++++++------- fs/f2fs/super.c | 12 ++++++++++++ 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c index 7bdfe08ce9ea..af3fb3f6d9b5 100644 --- a/fs/f2fs/segment.c +++ b/fs/f2fs/segment.c @@ -1290,16 +1290,18 @@ static int __submit_discard_cmd(struct f2fs_sb_info *sbi, wait_list, issued); return 0; } - - /* - * Issue discard for conventional zones only if the device - * supports discard. - */ - if (!bdev_max_discard_sectors(bdev)) - return -EOPNOTSUPP; } #endif + /* + * stop issuing discard for any of below cases: + * 1. device is conventional zone, but it doesn't support discard. + * 2. device is regulare device, after snapshot it doesn't support + * discard. + */ + if (!bdev_max_discard_sectors(bdev)) + return -EOPNOTSUPP; + trace_f2fs_issue_discard(bdev, dc->di.start, dc->di.len); lstart = dc->di.lstart; diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index c0670cd61956..fc7d463dee15 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -1760,6 +1760,18 @@ static int f2fs_freeze(struct super_block *sb) static int f2fs_unfreeze(struct super_block *sb) { + struct f2fs_sb_info *sbi = F2FS_SB(sb); + + /* + * It will update discard_max_bytes of mounted lvm device to zero + * after creating snapshot on this lvm device, let's drop all + * remained discards. + * We don't need to disable real-time discard because discard_max_bytes + * will recover after removal of snapshot. + */ + if (test_opt(sbi, DISCARD) && !f2fs_hw_support_discard(sbi)) + f2fs_issue_discard_timeout(sbi); + clear_sbi_flag(F2FS_SB(sb), SBI_IS_FREEZING); return 0; } -- 2.40.1

9 months, 3 weeks

2
1
0 0

Re:

by Christoph Biedl

the Hide wrote... > Who should I contact regarding the following error > > > E: Malformed entry 5 in list file > /etc/apt/sources.list.d/additional-repositories.list (Component) > E: The list of sources could not be read. > E: _cache->open() failed, please report. Assuming you're using Debian and not some derivatve: Some Debian users mailing list, like <https://lists.debian.org/debian-user/> From the above error message I assume there's a format error in /etc/apt/sources.list.d/additional-repositories.list - so it was wise to include the content of that file in a message to that list. If it's actually a bug in apt, the Debian bug tracker was the place to go. This list here however is about development of the Linux kernel, the stable releases, so not quite the right place. Christoph

9 months, 3 weeks

1
0
0 0

[PATCH 2/3] drm/xe/guc_submit: fix race around pending_disable

by Matthew Auld

Currently in some testcases we can trigger: [drm] *ERROR* GT0: SCHED_DONE: Unexpected engine state 0x02b1, guc_id=8, runnable_state=0 [drm] *ERROR* GT0: G2H action 0x1002 failed (-EPROTO) len 3 msg 02 10 00 90 08 00 00 00 00 00 00 00 Looking at a snippet of corresponding ftrace for this GuC id we can see: 498.852891: xe_sched_msg_add: dev=0000:03:00.0, gt=0 guc_id=8, opcode=3 498.854083: xe_sched_msg_recv: dev=0000:03:00.0, gt=0 guc_id=8, opcode=3 498.855389: xe_exec_queue_kill: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x3, flags=0x0 498.855436: xe_exec_queue_lr_cleanup: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x83, flags=0x0 498.856767: xe_exec_queue_close: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x83, flags=0x0 498.862889: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0xa9, flags=0x0 498.863032: xe_exec_queue_scheduling_disable: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x2b9, flags=0x0 498.875596: xe_exec_queue_scheduling_done: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x2b9, flags=0x0 498.875604: xe_exec_queue_deregister: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x2b1, flags=0x0 499.074483: xe_exec_queue_deregister_done: dev=0000:03:00.0, 5:0x1, gt=0, width=1, guc_id=8, guc_state=0x2b1, flags=0x0 This looks to be the two scheduling_disable racing with each other, one from the suspend (opcode=3) and then again during lr cleanup. While those two operations are serialized, the G2H portion is not, therefore when marking the queue as pending_disabled and then firing off the first request, we proceed do the same again, however the first disable response only fires after this which then clears the pending_disabled. At this point the second comes back and is processed, however the pending_disabled is no longer set, hence triggering the warning. To fix this wait for pending_disabled when doing the lr cleanup and calling disable_scheduling_deregister. Also do the same for all other disable_scheduling callers. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3515 Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ --- drivers/gpu/drm/xe/xe_guc_submit.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c index f9ecee5364d8..f3c22b101916 100644 --- a/drivers/gpu/drm/xe/xe_guc_submit.c +++ b/drivers/gpu/drm/xe/xe_guc_submit.c @@ -767,12 +767,15 @@ static void disable_scheduling_deregister(struct xe_guc *guc, set_min_preemption_timeout(guc, q); smp_rmb(); - ret = wait_event_timeout(guc->ct.wq, !exec_queue_pending_enable(q) || - xe_guc_read_stopped(guc), HZ * 5); + ret = wait_event_timeout(guc->ct.wq, + (!exec_queue_pending_enable(q) && + !exec_queue_pending_disable(q)) || + xe_guc_read_stopped(guc), + HZ * 5); if (!ret) { struct xe_gpu_scheduler *sched = &q->guc->sched; - xe_gt_warn(q->gt, "Pending enable failed to respond\n"); + xe_gt_warn(q->gt, "Pending enable/disable failed to respond\n"); xe_sched_submission_start(sched); xe_gt_reset_async(q->gt); xe_sched_tdr_queue_imm(sched); @@ -1099,7 +1102,8 @@ guc_exec_queue_timedout_job(struct drm_sched_job *drm_job) * modifying state */ ret = wait_event_timeout(guc->ct.wq, - !exec_queue_pending_enable(q) || + (!exec_queue_pending_enable(q) && + !exec_queue_pending_disable(q)) || xe_guc_read_stopped(guc), HZ * 5); if (!ret || xe_guc_read_stopped(guc)) goto trigger_reset; @@ -1329,8 +1333,8 @@ static void __guc_exec_queue_process_msg_suspend(struct xe_sched_msg *msg) if (guc_exec_queue_allowed_to_change_state(q) && !exec_queue_suspended(q) && exec_queue_enabled(q)) { - wait_event(guc->ct.wq, q->guc->resume_time != RESUME_PENDING || - xe_guc_read_stopped(guc)); + wait_event(guc->ct.wq, (q->guc->resume_time != RESUME_PENDING || + xe_guc_read_stopped(guc)) && !exec_queue_pending_disable(q)); if (!xe_guc_read_stopped(guc)) { s64 since_resume_ms = -- 2.47.0

9 months, 3 weeks

2
1
0 0

[PATCH 5.10.y] scsi: core: Backport fixes for CVE-2021-47182

by Vasiliy Kovalev

The patch titled "scsi: core: Fix scsi_mode_sense() buffer length handling" addresses CVE-2021-47182, fixing the following issues in `scsi_mode_sense()` buffer length handling: 1. Incorrect handling of the allocation length field in the MODE SENSE(10) command, causing truncation of buffer lengths larger than 255 bytes. 2. Memory corruption when handling small buffer lengths due to lack of proper validation. Original patch submission: https://lore.kernel.org/all/20210820070255.682775-2-damien.lemoal@wdc.com/ CVE announcement in linux-cve-announce: https://lore.kernel.org/linux-cve-announce/2024041032-CVE-2021-47182-377e@g… Fixed versions: - Fixed in 5.15.5 with commit e15de347faf4 - Fixed in 5.16 with commit 17b49bcbf835 Official CVE entry: https://cve.org/CVERecord/?id=CVE-2021-47182 [PATCH 5.10.y] scsi: core: Fix scsi_mode_sense() buffer length handling

9 months, 3 weeks

2
2
0 0

[PATCH AUTOSEL 6.6 1/6] ASoC: audio-graph-card2: Purge absent supplies for device tree nodes

by Sasha Levin

From: John Watts <contact(a)jookia.org> [ Upstream commit f8da001ae7af0abd9f6250c02c01a1121074ca60 ] The audio graph card doesn't mark its subnodes such as multi {}, dpcm {} and c2c {} as not requiring any suppliers. This causes a hang as Linux waits for these phantom suppliers to show up on boot. Make it clear these nodes have no suppliers. Example error message: [ 15.208558] platform 2034000.i2s: deferred probe pending: platform: wait for supplier /sound/multi [ 15.208584] platform sound: deferred probe pending: asoc-audio-graph-card2: parse error Signed-off-by: John Watts <contact(a)jookia.org> Acked-by: Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> Link: https://patch.msgid.link/20241108-graph_dt_fix-v1-1-173e2f9603d6@jookia.org Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/soc/generic/audio-graph-card2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/soc/generic/audio-graph-card2.c b/sound/soc/generic/audio-graph-card2.c index b1c675c6b6db6..686e0dea2bc75 100644 --- a/sound/soc/generic/audio-graph-card2.c +++ b/sound/soc/generic/audio-graph-card2.c @@ -261,16 +261,19 @@ static enum graph_type __graph_get_type(struct device_node *lnk) if (of_node_name_eq(np, GRAPH_NODENAME_MULTI)) { ret = GRAPH_MULTI; + fw_devlink_purge_absent_suppliers(&np->fwnode); goto out_put; } if (of_node_name_eq(np, GRAPH_NODENAME_DPCM)) { ret = GRAPH_DPCM; + fw_devlink_purge_absent_suppliers(&np->fwnode); goto out_put; } if (of_node_name_eq(np, GRAPH_NODENAME_C2C)) { ret = GRAPH_C2C; + fw_devlink_purge_absent_suppliers(&np->fwnode); goto out_put; } -- 2.43.0

9 months, 3 weeks

2
7
0 0

[PATCH v1] mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM

by David Hildenbrand

We currently assume that there is at least one VMA in a MM, which isn't true. So we might end up having find_vma() return NULL, to then de-reference NULL. So properly handle find_vma() returning NULL. This fixes the report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline] RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194 Code: ... RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000 RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044 RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1 R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003 R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8 FS: 00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709 __do_sys_migrate_pages mm/mempolicy.c:1727 [inline] __se_sys_migrate_pages mm/mempolicy.c:1723 [inline] __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Fixes: 39743889aaf7 ("[PATCH] Swap Migration V5: sys_migrate_pages interface") Reported-by: syzbot+3511625422f7aa637f0d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/673d2696.050a0220.3c9d61.012f.GAE@google.com/T/ Cc: <stable(a)vger.kernel.org> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Christoph Lameter <cl(a)linux.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Signed-off-by: David Hildenbrand <david(a)redhat.com> --- mm/mempolicy.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mm/mempolicy.c b/mm/mempolicy.c index b646fab3e45e1..fbb6127e4595a 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -1080,6 +1080,10 @@ static long migrate_to_node(struct mm_struct *mm, int source, int dest, mmap_read_lock(mm); vma = find_vma(mm, 0); + if (!vma) { + mmap_read_unlock(mm); + return 0; + } /* * This does not migrate the range, but isolates all pages that -- 2.47.0

9 months, 3 weeks

3
6
0 0

Linux 6.11.10

by Greg Kroah-Hartman

I'm announcing the release of the 6.11.10 kernel. All users of the 6.11 kernel series must upgrade. The updated 6.11.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.11.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/Kconfig | 3 arch/arm/kernel/head.S | 8 arch/arm/kernel/traps.c | 3 arch/arm/mm/mmu.c | 34 +- arch/arm64/Kconfig | 3 arch/arm64/include/asm/mman.h | 10 arch/loongarch/Kconfig | 3 arch/loongarch/include/asm/kasan.h | 13 - arch/loongarch/kernel/paravirt.c | 15 + arch/loongarch/kernel/smp.c | 2 arch/loongarch/mm/kasan_init.c | 46 +++ arch/mips/Kconfig | 3 arch/parisc/include/asm/mman.h | 5 arch/powerpc/Kconfig | 4 arch/riscv/Kconfig | 3 arch/s390/Kconfig | 3 arch/sh/Kconfig | 3 arch/x86/Kconfig | 3 arch/x86/Makefile | 5 arch/x86/entry/entry.S | 16 + arch/x86/include/asm/asm-prototypes.h | 3 arch/x86/kernel/cpu/amd.c | 11 arch/x86/kernel/cpu/common.c | 2 arch/x86/kernel/vmlinux.lds.S | 3 arch/x86/kvm/lapic.c | 29 +- arch/x86/kvm/vmx/nested.c | 30 ++ arch/x86/kvm/vmx/vmx.c | 6 arch/x86/mm/ioremap.c | 6 drivers/bluetooth/btintel.c | 5 drivers/char/tpm/tpm2-sessions.c | 7 drivers/firmware/arm_scmi/perf.c | 44 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 3 drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 13 - drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 2 drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 drivers/gpu/drm/amd/amdgpu/nv.c | 12 - drivers/gpu/drm/amd/amdgpu/soc15.c | 4 drivers/gpu/drm/amd/amdgpu/soc21.c | 12 - drivers/gpu/drm/amd/amdgpu/soc24.c | 2 drivers/gpu/drm/amd/amdgpu/vi.c | 8 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 117 +++++----- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 17 - drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_irq_params.h | 2 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 6 drivers/gpu/drm/amd/display/dc/core/dc_state.c | 3 drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c | 11 drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 49 +--- drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h | 4 drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 5 drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 5 drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 5 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 4 drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c | 4 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 20 - drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 5 drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_0_ppt.c | 5 drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 9 drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 8 drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h | 2 drivers/gpu/drm/bridge/tc358768.c | 21 + drivers/gpu/drm/i915/gt/uc/intel_gsc_fw.c | 50 ++-- drivers/gpu/drm/i915/i915_drv.h | 8 drivers/gpu/drm/i915/intel_device_info.c | 24 +- drivers/gpu/drm/i915/intel_device_info.h | 4 drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c | 59 ++--- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 11 drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 6 drivers/gpu/drm/panthor/panthor_mmu.c | 2 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 drivers/gpu/drm/xe/xe_bo.c | 43 +-- drivers/gpu/drm/xe/xe_bo_evict.c | 20 + drivers/gpu/drm/xe/xe_oa.c | 2 drivers/infiniband/core/addr.c | 2 drivers/mailbox/qcom-cpucp-mbox.c | 2 drivers/media/dvb-core/dvbdev.c | 15 - drivers/mmc/host/dw_mmc.c | 4 drivers/mmc/host/sunxi-mmc.c | 6 drivers/net/bonding/bond_main.c | 16 + drivers/net/bonding/bond_options.c | 82 ++++++- drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 drivers/net/ethernet/mellanox/mlx5/core/en_selftest.c | 4 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 15 + drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 32 ++ drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 25 +- drivers/net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 - drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 + drivers/net/ethernet/vertexcom/mse102x.c | 4 drivers/net/phy/phylink.c | 14 - drivers/perf/riscv_pmu_sbi.c | 4 drivers/pmdomain/arm/scmi_perf_domain.c | 3 drivers/pmdomain/core.c | 49 ++-- drivers/pmdomain/imx/imx93-blk-ctrl.c | 4 drivers/vdpa/mlx5/core/mr.c | 8 drivers/vdpa/solidrun/snet_main.c | 14 - drivers/vdpa/virtio_pci/vp_vdpa.c | 10 fs/btrfs/delayed-ref.c | 2 fs/nilfs2/btnode.c | 2 fs/nilfs2/gcinode.c | 4 fs/nilfs2/mdt.c | 1 fs/nilfs2/page.c | 2 fs/ocfs2/resize.c | 2 fs/ocfs2/super.c | 13 - fs/proc/task_mmu.c | 4 include/drm/intel/i915_pciids.h | 19 + include/linux/mman.h | 7 include/linux/pm_domain.h | 6 include/linux/sched/task_stack.h | 2 include/linux/sockptr.h | 4 include/net/bond_options.h | 2 kernel/Kconfig.kexec | 2 lib/buildid.c | 2 mm/mmap.c | 2 mm/mremap.c | 2 mm/nommu.c | 4 mm/page_alloc.c | 18 + mm/shmem.c | 5 mm/swap.c | 14 - net/bluetooth/hci_core.c | 2 net/dccp/ipv6.c | 2 net/ipv6/tcp_ipv6.c | 4 net/mptcp/pm_netlink.c | 3 net/mptcp/pm_userspace.c | 15 + net/mptcp/protocol.c | 16 - net/netlink/af_netlink.c | 31 -- net/netlink/af_netlink.h | 2 net/sched/cls_u32.c | 18 + net/sctp/ipv6.c | 19 + net/vmw_vsock/af_vsock.c | 3 net/vmw_vsock/virtio_transport_common.c | 9 samples/pktgen/pktgen_sample01_simple.sh | 2 security/integrity/evm/evm_main.c | 3 security/integrity/ima/ima_template_lib.c | 14 - sound/pci/hda/patch_realtek.c | 13 - tools/mm/page-types.c | 2 tools/testing/selftests/kvm/Makefile | 8 tools/testing/selftests/mm/hugetlb_dio.c | 7 tools/testing/selftests/tc-testing/tc-tests/filters/u32.json | 24 ++ 143 files changed, 1076 insertions(+), 533 deletions(-) Akash Goel (1): drm/panthor: Fix handling of partial GPU mapping of BOs Alex Deucher (2): Revert "drm/amd/pm: correct the workload setting" Revert "drm/amd/display: parse umc_info or vram_info based on ASIC" Alexandre Ferrieux (2): net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. net: sched: u32: Add test case for systematic hnode IDR leaks Alexandre Ghiti (1): drivers: perf: Fix wrong put_cpu() placement Andre Przywara (1): mmc: sunxi-mmc: Fix A100 compatible description Andrew Morton (1): mm: revert "mm: shmem: fix data-race in shmem_getattr()" Andy Yan (1): drm/rockchip: vop: Fix a dereferenced before check warning Ard Biesheuvel (1): x86/stackprotector: Work around strict Clang TLS symbol requirements Ashutosh Dixit (1): drm/xe/oa: Fix "Missing outer runtime PM protection" warning Aurelien Jarno (1): Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Baoquan He (1): x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Bibo Mao (1): LoongArch: Fix AP booting issue in VM mode Carolina Jubran (1): net/mlx5e: Disable loopback self-test on multi-PF netdev Chen Ridong (1): drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle Christian König (2): drm/amdgpu: fix check in gmc_v9_0_get_vm_pte() drm/amdgpu: enable GTT fallback handling for dGPUs only Cristian Marussi (1): firmware: arm_scmi: Skip opp duplicates Dan Carpenter (1): fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args() Daniele Ceraolo Spurio (1): drm/i915/gsc: ARL-H and ARL-U need a newer GSC FW. Dave Airlie (3): nouveau: fw: sync dma after setup is called. nouveau: handle EBUSY and EAGAIN for GSP aux errors. nouveau/dp: handle retries for AUX CH transfers with GSP. Dave Vasilevsky (1): crash, powerpc: default to CRASH_DUMP=n on PPC_BOOK3S_32 David Rosca (1): drm/amdgpu: Fix video caps for H264 and HEVC encode maximum size Dillon Varone (1): drm/amd/display: Require minimum VBlank size for stutter optimization Dmitry Antipov (2): ocfs2: uncache inode which has failed entering the group ocfs2: fix UBSAN warning in ocfs2_verify_volume() Donet Tom (1): selftests: hugetlb_dio: fixup check for initial conditions to skip in the start Dragos Tatulea (1): net/mlx5e: kTLS, Fix incorrect page refcounting Eric Dumazet (1): sctp: fix possible UAF in sctp_v6_available() Francesco Dolcini (1): drm/bridge: tc358768: Fix DSI command tx Geliang Tang (2): mptcp: update local address flags when setting it mptcp: hold pm lock when deleting entry Greg Kroah-Hartman (1): Linux 6.11.10 Hajime Tazaki (1): nommu: pass NULL argument to vma_iter_prealloc() Hamish Claxton (1): drm/amd/display: Fix failure to read vram info due to static BP_RESULT Hangbin Liu (1): bonding: add ns target multicast address to slave device Harith G (1): ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Huacai Chen (3): LoongArch: Fix early_numa_add_cpu() usage for FDT systems LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits LoongArch: Make KASAN work with 5-level page-tables Jack Xiao (1): drm/amdgpu/mes12: correct kiq unmap latency Jakub Kicinski (1): netlink: terminate outstanding dump on socket close Jann Horn (1): mm/mremap: fix address wraparound in move_page_tables() Jarkko Sakkinen (1): tpm: Disable TPM on tpm2_create_primary() failure Jinjiang Tu (1): mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Jiri Olsa (1): lib/buildid: Fix build ID parsing logic Josef Bacik (1): btrfs: fix incorrect comparison for delayed refs Kailang Yang (2): ALSA: hda/realtek - Fixed Clevo platform headset Mic issue ALSA: hda/realtek - update set GPIO3 to default for Thinkpad with ALC1318 Kanglong Wang (1): LoongArch: Add WriteCombine shadow mapping in KASAN Kiran K (1): Bluetooth: btintel: Direct exception event to bluetooth stack Leo Li (1): drm/amd/display: Run idle optimizations at end of vblank handler Leon Romanovsky (1): Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" Lorenzo Stoakes (1): mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling Luiz Augusto von Dentz (1): Bluetooth: hci_core: Fix calling mgmt_device_connected Maksym Glubokiy (1): ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Mario Limonciello (1): x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client Mark Bloch (1): net/mlx5: fs, lock FTE when checking if active Mateusz Guzik (1): evm: stop avoidably reading i_writecount in evm_file_release Matthew Auld (2): drm/xe: handle flat ccs during hibernation on igpu drm/xe: improve hibernation on igpu Matthew Brost (1): drm/xe: Restore system memory GGTT mappings Matthieu Baerts (NGI0) (1): mptcp: pm: use _rcu variant under rcu_read_lock Mauro Carvalho Chehab (1): media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Meghana Malladi (1): net: ti: icssg-prueth: Fix 1 PPS sync Michal Luczaj (4): virtio/vsock: Fix accept_queue memory leak vsock: Fix sk_error_queue memory leak virtio/vsock: Improve MSG_ZEROCOPY error handling net: Make copy_safe_from_sockptr() match documentation Moshe Shemesh (1): net/mlx5e: CT: Fix null-ptr-deref in add rule err flow Motiejus JakÅ`tys (1): tools/mm: fix compile error Nícolas F. R. A. Prado (1): net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol Paolo Abeni (2): mptcp: error out earlier on disconnect mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Parav Pandit (1): net/mlx5: Fix msix vectors to respect platform limit Peng Fan (1): pmdomain: imx93-blk-ctrl: correct remove path Philipp Stanner (1): vdpa: solidrun: Fix UB bug with devres Qun-Wei Lin (1): sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Rodrigo Siqueira (1): drm/amd/display: Adjust VSDB parser for replay feature Roman Gushchin (1): mm: page_alloc: move mlocked flag clearance into free_pages_prepare() Russell King (Oracle) (2): net: phylink: ensure PHY momentary link-fails are handled ARM: fix cacheflush with PAN Ryan Seto (1): drm/amd/display: Handle dml allocation failure to avoid crash Ryusuke Konishi (2): nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Samasth Norway Ananda (1): ima: fix buffer overrun in ima_eventdigest_init_common Sean Christopherson (4): KVM: selftests: Disable strict aliasing KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled KVM: x86: Unconditionally set irr_pending when updating APICv state KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Si-Wei Liu (1): vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Sibi Sankar (4): mailbox: qcom-cpucp: Mark the irq with IRQF_NO_SUSPEND flag firmware: arm_scmi: Report duplicate opps as firmware bugs pmdomain: arm: Use FLAG_DEV_NAME_FW to ensure unique names pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag Stefan Wahren (1): net: vertexcom: mse102x: Fix tx_bytes calculation Tim Huang (1): drm/amd/pm: print pp_dpm_mclk in ascending order on SMU v14.0.0 Tom Chung (2): drm/amd/display: Change some variable name of psr drm/amd/display: Fix Panel Replay not update screen correctly Vijendar Mukunda (1): drm/amd: Fix initialization mistake for NBIO 7.7.0 Vitalii Mordan (1): stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines Wang Liang (1): net: fix data-races around sk->sk_forward_alloc Wei Fang (1): samples: pktgen: correct dev to DEV William Tu (1): net/mlx5e: clear xdp features on non-uplink representors Xiaoguang Wang (1): vp_vdpa: fix id_table array not null terminated error

9 months, 3 weeks

1
1
0 0

Linux 6.6.63

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.63 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/kernel/head.S | 8 arch/arm/mm/mmu.c | 34 +- arch/arm64/include/asm/mman.h | 10 arch/loongarch/include/asm/kasan.h | 2 arch/loongarch/kernel/smp.c | 2 arch/loongarch/mm/kasan_init.c | 41 ++- arch/parisc/include/asm/mman.h | 5 arch/x86/kvm/lapic.c | 29 +- arch/x86/kvm/vmx/nested.c | 30 +- arch/x86/kvm/vmx/vmx.c | 6 arch/x86/mm/ioremap.c | 6 drivers/bluetooth/btintel.c | 5 drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 7 drivers/gpu/drm/bridge/tc358768.c | 21 + drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 11 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 drivers/infiniband/core/addr.c | 2 drivers/leds/leds-mlxreg.c | 16 - drivers/media/dvb-core/dvbdev.c | 15 - drivers/mmc/host/dw_mmc.c | 4 drivers/mmc/host/sunxi-mmc.c | 6 drivers/net/bonding/bond_main.c | 16 + drivers/net/bonding/bond_options.c | 82 ++++++ drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 15 - drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 40 +-- drivers/net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c | 18 - drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 23 - drivers/net/ethernet/stmicro/stmmac/stmmac_platform.h | 1 drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 - drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 drivers/net/ethernet/vertexcom/mse102x.c | 4 drivers/pmdomain/imx/imx93-blk-ctrl.c | 4 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 25 - drivers/vdpa/mlx5/core/mr.c | 8 drivers/vdpa/solidrun/snet_main.c | 14 - drivers/vdpa/virtio_pci/vp_vdpa.c | 10 fs/9p/vfs_inode.c | 17 - fs/nfsd/netns.h | 1 fs/nfsd/nfs4proc.c | 34 +- fs/nfsd/nfs4state.c | 1 fs/nfsd/xdr4.h | 1 fs/nilfs2/btnode.c | 2 fs/nilfs2/gcinode.c | 4 fs/nilfs2/mdt.c | 1 fs/nilfs2/page.c | 2 fs/ocfs2/resize.c | 2 fs/ocfs2/super.c | 13 - include/linux/damon.h | 17 + include/linux/mman.h | 28 +- include/linux/sockptr.h | 4 include/net/bond_options.h | 2 lib/buildid.c | 2 mm/damon/core.c | 84 +++++- mm/damon/dbgfs.c | 3 mm/damon/lru_sort.c | 2 mm/damon/reclaim.c | 2 mm/damon/sysfs-schemes.c | 2 mm/internal.h | 45 +++ mm/mmap.c | 128 +++++----- mm/mprotect.c | 2 mm/nommu.c | 11 mm/page_alloc.c | 3 mm/shmem.c | 5 net/bluetooth/hci_core.c | 2 net/mptcp/pm_netlink.c | 15 - net/mptcp/pm_userspace.c | 77 +++--- net/mptcp/protocol.c | 16 - net/netlink/af_netlink.c | 31 -- net/netlink/af_netlink.h | 2 net/sched/cls_u32.c | 54 ++-- net/sctp/ipv6.c | 19 + net/vmw_vsock/virtio_transport_common.c | 8 samples/pktgen/pktgen_sample01_simple.sh | 2 security/integrity/ima/ima_template_lib.c | 14 - sound/pci/hda/patch_realtek.c | 3 tools/mm/page-types.c | 2 83 files changed, 819 insertions(+), 424 deletions(-) Alexandre Ferrieux (1): net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Andre Przywara (1): mmc: sunxi-mmc: Fix A100 compatible description Andrew Morton (1): mm: revert "mm: shmem: fix data-race in shmem_getattr()" Andy Yan (1): drm/rockchip: vop: Fix a dereferenced before check warning Aurelien Jarno (1): Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Baoquan He (1): x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point Dave Airlie (1): nouveau: fw: sync dma after setup is called. Dmitry Antipov (2): ocfs2: uncache inode which has failed entering the group ocfs2: fix UBSAN warning in ocfs2_verify_volume() Dragos Tatulea (1): net/mlx5e: kTLS, Fix incorrect page refcounting Eric Dumazet (1): sctp: fix possible UAF in sctp_v6_available() Eric Van Hensbergen (1): fs/9p: fix uninitialized values during inode evict Francesco Dolcini (1): drm/bridge: tc358768: Fix DSI command tx Geliang Tang (5): mptcp: define more local variables sk mptcp: add userspace_pm_lookup_addr_by_id helper mptcp: update local address flags when setting it mptcp: hold pm lock when deleting entry mptcp: drop lookup_by_id in lookup_addr George Stark (1): leds: mlxreg: Use devm_mutex_init() for mutex initialization Greg Kroah-Hartman (1): Linux 6.6.63 Hajime Tazaki (1): nommu: pass NULL argument to vma_iter_prealloc() Hangbin Liu (1): bonding: add ns target multicast address to slave device Harith G (1): ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Huacai Chen (3): LoongArch: Fix early_numa_add_cpu() usage for FDT systems LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits LoongArch: Make KASAN work with 5-level page-tables Jakub Kicinski (1): netlink: terminate outstanding dump on socket close Jinjiang Tu (1): mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Jiri Olsa (1): lib/buildid: Fix build ID parsing logic Jisheng Zhang (3): net: stmmac: dwmac-intel-plat: use devm_stmmac_probe_config_dt() net: stmmac: dwmac-visconti: use devm_stmmac_probe_config_dt() net: stmmac: rename stmmac_pltfr_remove_no_dt to stmmac_pltfr_remove Kailang Yang (1): ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Kiran K (1): Bluetooth: btintel: Direct exception event to bluetooth stack Leon Romanovsky (1): Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" Lorenzo Stoakes (5): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor map_deny_write_exec() mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour Luiz Augusto von Dentz (1): Bluetooth: hci_core: Fix calling mgmt_device_connected Maksym Glubokiy (1): ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Mark Bloch (1): net/mlx5: fs, lock FTE when checking if active Matthieu Baerts (NGI0) (1): mptcp: pm: use _rcu variant under rcu_read_lock Mauro Carvalho Chehab (1): media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Meghana Malladi (1): net: ti: icssg-prueth: Fix 1 PPS sync Michal Luczaj (2): virtio/vsock: Fix accept_queue memory leak net: Make copy_safe_from_sockptr() match documentation Moshe Shemesh (1): net/mlx5e: CT: Fix null-ptr-deref in add rule err flow Motiejus JakÅ`tys (1): tools/mm: fix compile error Nícolas F. R. A. Prado (1): net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol Paolo Abeni (2): mptcp: error out earlier on disconnect mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Pedro Tammela (1): net/sched: cls_u32: replace int refcounts with proper refcounts Peng Fan (1): pmdomain: imx93-blk-ctrl: correct remove path Philipp Stanner (1): vdpa: solidrun: Fix UB bug with devres Rodrigo Siqueira (1): drm/amd/display: Adjust VSDB parser for replay feature Ryusuke Konishi (2): nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Samasth Norway Ananda (1): ima: fix buffer overrun in ima_eventdigest_init_common Sean Christopherson (3): KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled KVM: x86: Unconditionally set irr_pending when updating APICv state KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN SeongJae Park (5): mm/damon/core: implement scheme-specific apply interval mm/damon/core: handle zero {aggregation,ops_update} intervals mm/damon/core: check apply interval in damon_do_apply_schemes() mm/damon/core: handle zero schemes apply interval mm/damon/core: copy nr_accesses when splitting region Si-Wei Liu (1): vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Stefan Wahren (2): net: vertexcom: mse102x: Fix tx_bytes calculation staging: vchiq_arm: Get the rid off struct vchiq_2835_state Tvrtko Ursulin (1): drm/amd/pm: Vangogh: Fix kernel memory out of bounds write Umang Jain (1): staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state allocation Vijendar Mukunda (1): drm/amd: Fix initialization mistake for NBIO 7.7.0 Vitalii Mordan (1): stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines Wei Fang (1): samples: pktgen: correct dev to DEV William Tu (1): net/mlx5e: clear xdp features on non-uplink representors Xiaoguang Wang (1): vp_vdpa: fix id_table array not null terminated error

9 months, 3 weeks

1
1
0 0

Linux 6.1.119

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.119 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/kernel/head.S | 8 arch/arm/mm/mmu.c | 34 +- arch/arm64/include/asm/mman.h | 10 arch/parisc/Kconfig | 1 arch/parisc/include/asm/cache.h | 11 arch/x86/kvm/lapic.c | 29 + arch/x86/kvm/vmx/nested.c | 30 + arch/x86/kvm/vmx/vmx.c | 6 arch/x86/mm/ioremap.c | 6 drivers/block/null_blk/main.c | 45 +- drivers/char/xillybus/xillybus_class.c | 7 drivers/char/xillybus/xillyusb.c | 22 + drivers/cxl/core/pci.c | 2 drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 3 drivers/gpu/drm/bridge/tc358768.c | 21 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 drivers/media/dvb-core/dvbdev.c | 15 drivers/mmc/host/dw_mmc.c | 4 drivers/mmc/host/sunxi-mmc.c | 6 drivers/net/bonding/bond_main.c | 16 drivers/net/bonding/bond_options.c | 82 ++++- drivers/net/ethernet/freescale/fec_main.c | 26 - drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 15 drivers/net/ethernet/vertexcom/mse102x.c | 4 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 25 - drivers/vdpa/mlx5/core/mr.c | 8 drivers/vdpa/virtio_pci/vp_vdpa.c | 10 fs/9p/vfs_inode.c | 23 - fs/nfsd/netns.h | 1 fs/nfsd/nfs4proc.c | 34 -- fs/nfsd/nfs4state.c | 1 fs/nfsd/xdr4.h | 1 fs/nilfs2/btnode.c | 2 fs/nilfs2/gcinode.c | 4 fs/nilfs2/mdt.c | 1 fs/nilfs2/page.c | 2 fs/ntfs3/file.c | 12 fs/ocfs2/resize.c | 2 fs/ocfs2/super.c | 13 fs/smb/server/smb2misc.c | 26 + fs/smb/server/smb2pdu.c | 48 +- include/linux/mman.h | 7 include/linux/sockptr.h | 27 + include/net/bond_options.h | 2 lib/buildid.c | 2 mm/internal.h | 19 + mm/mmap.c | 120 +++---- mm/nommu.c | 9 mm/page_alloc.c | 3 mm/shmem.c | 5 mm/util.c | 33 ++ net/bluetooth/hci_core.c | 2 net/bluetooth/hci_event.c | 163 ---------- net/bluetooth/iso.c | 32 - net/mptcp/pm_netlink.c | 15 net/mptcp/pm_userspace.c | 77 +++- net/mptcp/protocol.c | 16 net/netfilter/ipvs/ip_vs_ctl.c | 10 net/netlink/af_netlink.c | 31 - net/netlink/af_netlink.h | 2 net/nfc/llcp_sock.c | 12 net/sched/cls_u32.c | 54 +-- net/sched/sch_taprio.c | 10 net/vmw_vsock/virtio_transport_common.c | 8 samples/pktgen/pktgen_sample01_simple.sh | 2 security/integrity/ima/ima_template_lib.c | 14 sound/pci/hda/patch_realtek.c | 3 tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json | 22 + 72 files changed, 759 insertions(+), 583 deletions(-) Alexandre Ferrieux (1): net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Andre Przywara (1): mmc: sunxi-mmc: Fix A100 compatible description Andrew Morton (1): mm: revert "mm: shmem: fix data-race in shmem_getattr()" Andy Yan (1): drm/rockchip: vop: Fix a dereferenced before check warning Aurelien Jarno (1): Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Baoquan He (1): x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Chen Hanxiao (1): ipvs: properly dereference pe in ip_vs_add_service Christophe JAILLET (1): null_blk: Remove usage of the deprecated ida_simple_xx() API Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point Damien Le Moal (1): null_blk: Fix return value of nullb_device_power_store() Dan Carpenter (1): cxl/pci: fix error code in __cxl_hdm_decode_init() Dmitry Antipov (2): ocfs2: uncache inode which has failed entering the group ocfs2: fix UBSAN warning in ocfs2_verify_volume() Dragos Tatulea (1): net/mlx5e: kTLS, Fix incorrect page refcounting Eli Billauer (2): char: xillybus: Prevent use-after-free due to race condition char: xillybus: Fix trivial bug with mutex Eric Dumazet (2): net: add copy_safe_from_sockptr() helper nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies Eric Van Hensbergen (1): fs/9p: fix uninitialized values during inode evict Francesco Dolcini (1): drm/bridge: tc358768: Fix DSI command tx Geliang Tang (5): mptcp: define more local variables sk mptcp: add userspace_pm_lookup_addr_by_id helper mptcp: update local address flags when setting it mptcp: hold pm lock when deleting entry mptcp: drop lookup_by_id in lookup_addr Greg Kroah-Hartman (1): Linux 6.1.119 Hangbin Liu (1): bonding: add ns target multicast address to slave device Harith G (1): ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Jakub Kicinski (1): netlink: terminate outstanding dump on socket close Jinjiang Tu (1): mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Jiri Olsa (1): lib/buildid: Fix build ID parsing logic Kailang Yang (1): ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Konstantin Komarov (1): fs/ntfs3: Additional check in ntfs_file_release Lin.Cao (1): drm/amd: check num of link levels when update pcie param Lorenzo Stoakes (4): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour Luiz Augusto von Dentz (2): Bluetooth: hci_core: Fix calling mgmt_device_connected Bluetooth: ISO: Fix not validating setsockopt user input Lukas Bulwahn (1): Bluetooth: hci_event: Remove code to removed CONFIG_BT_HS Maksym Glubokiy (1): ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Mark Bloch (1): net/mlx5: fs, lock FTE when checking if active Matthieu Baerts (NGI0) (1): mptcp: pm: use _rcu variant under rcu_read_lock Mauro Carvalho Chehab (1): media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Michal Luczaj (2): virtio/vsock: Fix accept_queue memory leak net: Make copy_safe_from_sockptr() match documentation Mikulas Patocka (1): parisc: fix a possible DMA corruption Moshe Shemesh (1): net/mlx5e: CT: Fix null-ptr-deref in add rule err flow Namjae Jeon (2): ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() ksmbd: fix potencial out-of-bounds when buffer offset is invalid Paolo Abeni (2): mptcp: error out earlier on disconnect mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Pedro Tammela (1): net/sched: cls_u32: replace int refcounts with proper refcounts Ryusuke Konishi (2): nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Samasth Norway Ananda (1): ima: fix buffer overrun in ima_eventdigest_init_common Sean Christopherson (3): KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled KVM: x86: Unconditionally set irr_pending when updating APICv state KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Si-Wei Liu (1): vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Stefan Wahren (2): net: vertexcom: mse102x: Fix tx_bytes calculation staging: vchiq_arm: Get the rid off struct vchiq_2835_state Umang Jain (1): staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state allocation Vijendar Mukunda (1): drm/amd: Fix initialization mistake for NBIO 7.7.0 Vladimir Oltean (1): net/sched: taprio: extend minimum interval restriction to entire cycle too Wei Fang (2): samples: pktgen: correct dev to DEV net: fec: remove .ndo_poll_controller to avoid deadlocks Xiaoguang Wang (1): vp_vdpa: fix id_table array not null terminated error Yu Kuai (1): null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'

9 months, 3 weeks

1
1
0 0

Linux 6.12.1

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.1 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- drivers/media/usb/uvc/uvc_driver.c | 2 +- mm/mmap.c | 13 ++++++++++++- net/vmw_vsock/hyperv_transport.c | 1 + 4 files changed, 15 insertions(+), 3 deletions(-) Benoit Sevens (1): media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Greg Kroah-Hartman (1): Linux 6.12.1 Hyunwoo Kim (1): hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Liam R. Howlett (1): mm/mmap: fix __mmap_region() error handling in rare merge failure case

9 months, 3 weeks

1
1
0 0

[PATCH stable 5.15/5.10 0/2] rcu-tasks: Idle tasks on offline CPUs are in quiescent states

by Krister Johansen

Paul, Neeraj, and Stable Team: I've run into a case with rcu_tasks_postscan where the warning introduced as part of 46aa886c4("rcu-tasks: Fix IPI failure handling in trc_wait_for_one_reader") is getting triggered when trc_wait_for_one_reader sends an IPI to a CPU that is offline. This is occurring on a platform that has hotplug slots available but not populated. I don't believe the bug is caused by this change, but I do think that Paul's commit that confines the postscan operation to just the active CPUs would help prevent this from happening. Would the RCU maintainers be amenable to having this patch backported to the 5.10 and 5.15 branches as well? I've attached cherry-picks of the relevant commits to minimize the additional work needed. Thanks, -K Paul E. McKenney (1): rcu-tasks: Idle tasks on offline CPUs are in quiescent states kernel/rcu/tasks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.25.1

9 months, 3 weeks

2
4
0 0

[PATCH 6.1] net: fix crash when config small gso_max_size/gso_ipv4_max_size

by Bin Lan

From: Wang Liang <wangliang74(a)huawei.com> [ Upstream commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4 ] Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add check for the minimum value of gso_max_size and gso_ipv4_max_size. Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation") Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device") Signed-off-by: Wang Liang <wangliang74(a)huawei.com> Reviewed-by: Eric Dumazet <edumazet(a)google.com> Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Resolve minor conflicts to fix CVE-2024-50258 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- net/core/rtnetlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index afb52254a47e..45c54fb9ad03 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -1939,7 +1939,7 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = { [IFLA_NUM_TX_QUEUES] = { .type = NLA_U32 }, [IFLA_NUM_RX_QUEUES] = { .type = NLA_U32 }, [IFLA_GSO_MAX_SEGS] = { .type = NLA_U32 }, - [IFLA_GSO_MAX_SIZE] = { .type = NLA_U32 }, + [IFLA_GSO_MAX_SIZE] = NLA_POLICY_MIN(NLA_U32, MAX_TCP_HEADER + 1), [IFLA_PHYS_PORT_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, [IFLA_CARRIER_CHANGES] = { .type = NLA_U32 }, /* ignored */ [IFLA_PHYS_SWITCH_ID] = { .type = NLA_BINARY, .len = MAX_PHYS_ITEM_ID_LEN }, -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH 6.1] serial: sc16is7xx: fix invalid FIFO access with special register set

by Bin Lan

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> [ Upstream commit 7d3b793faaab1305994ce568b59d61927235f57b ] When enabling access to the special register set, Receiver time-out and RHR interrupts can happen. In this case, the IRQ handler will try to read from the FIFO thru the RHR register at address 0x00, but address 0x00 is mapped to DLL register, resulting in erroneous FIFO reading. Call graph example: sc16is7xx_startup(): entry sc16is7xx_ms_proc(): entry sc16is7xx_set_termios(): entry sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set sc16is7xx_port_irq() entry --> IIR is 0x0C sc16is7xx_handle_rx() entry sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is mapped to DLL (LCR=LCR_CONF_MODE_A) sc16is7xx_set_baud(): exit --> Restore access to general register set Fix the problem by claiming the efr_lock mutex when accessing the Special register set. Fixes: dfeae619d781 ("serial: sc16is7xx") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Link: https://lore.kernel.org/r/20240723125302.1305372-3-hugo@hugovil.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/tty/serial/sc16is7xx.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index a723df9b37dd..c07baf5d5a9c 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -545,6 +545,9 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) SC16IS7XX_MCR_CLKSEL_BIT, prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT); + + mutex_lock(&one->efr_lock); + /* Open the LCR divisors for configuration */ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, SC16IS7XX_LCR_CONF_MODE_A); @@ -558,6 +561,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) /* Put LCR back to the normal mode */ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + mutex_unlock(&one->efr_lock); + return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div); } -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH 6.6] serial: sc16is7xx: fix invalid FIFO access with special register set

by Bin Lan

From: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> [ Upstream commit 7d3b793faaab1305994ce568b59d61927235f57b ] When enabling access to the special register set, Receiver time-out and RHR interrupts can happen. In this case, the IRQ handler will try to read from the FIFO thru the RHR register at address 0x00, but address 0x00 is mapped to DLL register, resulting in erroneous FIFO reading. Call graph example: sc16is7xx_startup(): entry sc16is7xx_ms_proc(): entry sc16is7xx_set_termios(): entry sc16is7xx_set_baud(): DLH/DLL = $009C --> access special register set sc16is7xx_port_irq() entry --> IIR is 0x0C sc16is7xx_handle_rx() entry sc16is7xx_fifo_read(): --> unable to access FIFO (RHR) because it is mapped to DLL (LCR=LCR_CONF_MODE_A) sc16is7xx_set_baud(): exit --> Restore access to general register set Fix the problem by claiming the efr_lock mutex when accessing the Special register set. Fixes: dfeae619d781 ("serial: sc16is7xx") Cc: stable(a)vger.kernel.org Signed-off-by: Hugo Villeneuve <hvilleneuve(a)dimonoff.com> Link: https://lore.kernel.org/r/20240723125302.1305372-3-hugo@hugovil.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> [ Resolve minor conflicts ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/tty/serial/sc16is7xx.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index 7a9924d9b294..f290fbe21d63 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -545,6 +545,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) SC16IS7XX_MCR_CLKSEL_BIT, prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT); + mutex_lock(&one->efr_lock); + /* Open the LCR divisors for configuration */ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, SC16IS7XX_LCR_CONF_MODE_A); @@ -558,6 +560,8 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud) /* Put LCR back to the normal mode */ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr); + mutex_unlock(&one->efr_lock); + return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div); } -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH 1/2] pmdomain: core: Add missing put_device()

by Ulf Hansson

When removing a genpd we don't clean up the genpd->dev correctly. Let's add the missing put_device() in genpd_free_data() to fix this. Fixes: 401ea1572de9 ("PM / Domain: Add struct device to genpd") Cc: stable(a)vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> --- drivers/pmdomain/core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c index a6c8b85dd024..4d8b0d18bb4a 100644 --- a/drivers/pmdomain/core.c +++ b/drivers/pmdomain/core.c @@ -2183,6 +2183,7 @@ static int genpd_alloc_data(struct generic_pm_domain *genpd) static void genpd_free_data(struct generic_pm_domain *genpd) { + put_device(&genpd->dev); if (genpd_is_cpu_domain(genpd)) free_cpumask_var(genpd->cpus); if (genpd->free_states) -- 2.43.0

9 months, 3 weeks

1
0
0 0

[PATCH v2 bpf 2/2] bpf: fix OOB devmap writes when deleting elements

by Maciej Fijalkowski

Jordy reported issue against XSKMAP which also applies to DEVMAP - the index used for accessing map entry, due to being a signed integer, causes the OOB writes. Fix is simple as changing the type from int to u32, however, when compared to XSKMAP case, one more thing needs to be addressed. When map is released from system via dev_map_free(), we iterate through all of the entries and an iterator variable is also an int, which implies OOB accesses. Again, change it to be u32. Example splat below: [ 160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000 [ 160.731662] #PF: supervisor read access in kernel mode [ 160.736876] #PF: error_code(0x0000) - not-present page [ 160.742095] PGD 0 P4D 0 [ 160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP [ 160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487 [ 160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [ 160.767642] Workqueue: events_unbound bpf_map_free_deferred [ 160.773308] RIP: 0010:dev_map_free+0x77/0x170 [ 160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff [ 160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202 [ 160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024 [ 160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000 [ 160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001 [ 160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122 [ 160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000 [ 160.838310] FS: 0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000 [ 160.846528] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0 [ 160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 160.874092] PKRU: 55555554 [ 160.876847] Call Trace: [ 160.879338] <TASK> [ 160.881477] ? __die+0x20/0x60 [ 160.884586] ? page_fault_oops+0x15a/0x450 [ 160.888746] ? search_extable+0x22/0x30 [ 160.892647] ? search_bpf_extables+0x5f/0x80 [ 160.896988] ? exc_page_fault+0xa9/0x140 [ 160.900973] ? asm_exc_page_fault+0x22/0x30 [ 160.905232] ? dev_map_free+0x77/0x170 [ 160.909043] ? dev_map_free+0x58/0x170 [ 160.912857] bpf_map_free_deferred+0x51/0x90 [ 160.917196] process_one_work+0x142/0x370 [ 160.921272] worker_thread+0x29e/0x3b0 [ 160.925082] ? rescuer_thread+0x4b0/0x4b0 [ 160.929157] kthread+0xd4/0x110 [ 160.932355] ? kthread_park+0x80/0x80 [ 160.936079] ret_from_fork+0x2d/0x50 [ 160.943396] ? kthread_park+0x80/0x80 [ 160.950803] ret_from_fork_asm+0x11/0x20 [ 160.958482] </TASK> Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references") CC: stable(a)vger.kernel.org Reported-by: Jordy Zomer <jordyzomer(a)google.com> Suggested-by: Jordy Zomer <jordyzomer(a)google.com> Reviewed-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Acked-by: John Fastabend <john.fastabend(a)gmail.com> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> --- kernel/bpf/devmap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 7878be18e9d2..3aa002a47a96 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -184,7 +184,7 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr) static void dev_map_free(struct bpf_map *map) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); - int i; + u32 i; /* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0, * so the programs (can be more than one that used this map) were @@ -821,7 +821,7 @@ static long dev_map_delete_elem(struct bpf_map *map, void *key) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); struct bpf_dtab_netdev *old_dev; - int k = *(u32 *)key; + u32 k = *(u32 *)key; if (k >= map->max_entries) return -EINVAL; @@ -838,7 +838,7 @@ static long dev_map_hash_delete_elem(struct bpf_map *map, void *key) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); struct bpf_dtab_netdev *old_dev; - int k = *(u32 *)key; + u32 k = *(u32 *)key; unsigned long flags; int ret = -ENOENT; -- 2.34.1

9 months, 3 weeks

1
0
0 0

[PATCH v2 bpf 1/2] xsk: fix OOB map writes when deleting elements

by Maciej Fijalkowski

Jordy says: " In the xsk_map_delete_elem function an unsigned integer (map->max_entries) is compared with a user-controlled signed integer (k). Due to implicit type conversion, a large unsigned value for map->max_entries can bypass the intended bounds check: if (k >= map->max_entries) return -EINVAL; This allows k to hold a negative value (between -2147483648 and -2), which is then used as an array index in m->xsk_map[k], which results in an out-of-bounds access. spin_lock_bh(&m->lock); map_entry = &m->xsk_map[k]; // Out-of-bounds map_entry old_xs = unrcu_pointer(xchg(map_entry, NULL)); // Oob write if (old_xs) xsk_map_sock_delete(old_xs, map_entry); spin_unlock_bh(&m->lock); The xchg operation can then be used to cause an out-of-bounds write. Moreover, the invalid map_entry passed to xsk_map_sock_delete can lead to further memory corruption. " It indeed results in following splat: [76612.897343] BUG: unable to handle page fault for address: ffffc8fc2e461108 [76612.904330] #PF: supervisor write access in kernel mode [76612.909639] #PF: error_code(0x0002) - not-present page [76612.914855] PGD 0 P4D 0 [76612.917431] Oops: Oops: 0002 [#1] PREEMPT SMP [76612.921859] CPU: 11 UID: 0 PID: 10318 Comm: a.out Not tainted 6.12.0-rc1+ #470 [76612.929189] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [76612.939781] RIP: 0010:xsk_map_delete_elem+0x2d/0x60 [76612.944738] Code: 00 00 41 54 55 53 48 63 2e 3b 6f 24 73 38 4c 8d a7 f8 00 00 00 48 89 fb 4c 89 e7 e8 2d bf 05 00 48 8d b4 eb 00 01 00 00 31 ff <48> 87 3e 48 85 ff 74 05 e8 16 ff ff ff 4c 89 e7 e8 3e bc 05 00 31 [76612.963774] RSP: 0018:ffffc9002e407df8 EFLAGS: 00010246 [76612.969079] RAX: 0000000000000000 RBX: ffffc9002e461000 RCX: 0000000000000000 [76612.976323] RDX: 0000000000000001 RSI: ffffc8fc2e461108 RDI: 0000000000000000 [76612.983569] RBP: ffffffff80000001 R08: 0000000000000000 R09: 0000000000000007 [76612.990812] R10: ffffc9002e407e18 R11: ffff888108a38858 R12: ffffc9002e4610f8 [76612.998060] R13: ffff888108a38858 R14: 00007ffd1ae0ac78 R15: ffffc9002e4610c0 [76613.005303] FS: 00007f80b6f59740(0000) GS:ffff8897e0ec0000(0000) knlGS:0000000000000000 [76613.013517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [76613.019349] CR2: ffffc8fc2e461108 CR3: 000000011e3ef001 CR4: 00000000007726f0 [76613.026595] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [76613.033841] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [76613.041086] PKRU: 55555554 [76613.043842] Call Trace: [76613.046331] <TASK> [76613.048468] ? __die+0x20/0x60 [76613.051581] ? page_fault_oops+0x15a/0x450 [76613.055747] ? search_extable+0x22/0x30 [76613.059649] ? search_bpf_extables+0x5f/0x80 [76613.063988] ? exc_page_fault+0xa9/0x140 [76613.067975] ? asm_exc_page_fault+0x22/0x30 [76613.072229] ? xsk_map_delete_elem+0x2d/0x60 [76613.076573] ? xsk_map_delete_elem+0x23/0x60 [76613.080914] __sys_bpf+0x19b7/0x23c0 [76613.084555] __x64_sys_bpf+0x1a/0x20 [76613.088194] do_syscall_64+0x37/0xb0 [76613.091832] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [76613.096962] RIP: 0033:0x7f80b6d1e88d [76613.100592] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48 [76613.119631] RSP: 002b:00007ffd1ae0ac68 EFLAGS: 00000206 ORIG_RAX: 0000000000000141 [76613.131330] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f80b6d1e88d [76613.142632] RDX: 0000000000000098 RSI: 00007ffd1ae0ad20 RDI: 0000000000000003 [76613.153967] RBP: 00007ffd1ae0adc0 R08: 0000000000000000 R09: 0000000000000000 [76613.166030] R10: 00007f80b6f77040 R11: 0000000000000206 R12: 00007ffd1ae0aed8 [76613.177130] R13: 000055ddf42ce1e9 R14: 000055ddf42d0d98 R15: 00007f80b6fab040 [76613.188129] </TASK> Fix this by simply changing key type from int to u32. Fixes: fbfc504a24f5 ("bpf: introduce new bpf AF_XDP map type BPF_MAP_TYPE_XSKMAP") CC: stable(a)vger.kernel.org Reported-by: Jordy Zomer <jordyzomer(a)google.com> Suggested-by: Jordy Zomer <jordyzomer(a)google.com> Reviewed-by: Toke Høiland-Jørgensen <toke(a)redhat.com> Acked-by: John Fastabend <john.fastabend(a)gmail.com> Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> --- net/xdp/xskmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xdp/xskmap.c b/net/xdp/xskmap.c index e1c526f97ce3..afa457506274 100644 --- a/net/xdp/xskmap.c +++ b/net/xdp/xskmap.c @@ -224,7 +224,7 @@ static long xsk_map_delete_elem(struct bpf_map *map, void *key) struct xsk_map *m = container_of(map, struct xsk_map, map); struct xdp_sock __rcu **map_entry; struct xdp_sock *old_xs; - int k = *(u32 *)key; + u32 k = *(u32 *)key; if (k >= map->max_entries) return -EINVAL; -- 2.34.1

9 months, 3 weeks

1
0
0 0

[PATCH] drm/v3d: Stop active perfmon if it is being destroyed

by Christian Gmeiner

From: Christian Gmeiner <cgmeiner(a)igalia.com> If the active performance monitor (v3d->active_perfmon) is being destroyed, stop it first. Currently, the active perfmon is not stopped during destruction, leaving the v3d->active_perfmon pointer stale. This can lead to undefined behavior and instability. This patch ensures that the active perfmon is stopped before being destroyed, aligning with the behavior introduced in commit 7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed"). Cc: stable(a)vger.kernel.org # v5.15+ Fixes: 26a4dc29b74a ("drm/v3d: Expose performance counters to userspace") Signed-off-by: Christian Gmeiner <cgmeiner(a)igalia.com> --- drivers/gpu/drm/v3d/v3d_perfmon.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/v3d/v3d_perfmon.c b/drivers/gpu/drm/v3d/v3d_perfmon.c index 00cd081d7873..909288d43f2f 100644 --- a/drivers/gpu/drm/v3d/v3d_perfmon.c +++ b/drivers/gpu/drm/v3d/v3d_perfmon.c @@ -383,6 +383,7 @@ int v3d_perfmon_destroy_ioctl(struct drm_device *dev, void *data, { struct v3d_file_priv *v3d_priv = file_priv->driver_priv; struct drm_v3d_perfmon_destroy *req = data; + struct v3d_dev *v3d = v3d_priv->v3d; struct v3d_perfmon *perfmon; mutex_lock(&v3d_priv->perfmon.lock); @@ -392,6 +393,10 @@ int v3d_perfmon_destroy_ioctl(struct drm_device *dev, void *data, if (!perfmon) return -EINVAL; + /* If the active perfmon is being destroyed, stop it first */ + if (perfmon == v3d->active_perfmon) + v3d_perfmon_stop(v3d, perfmon, false); + v3d_perfmon_put(perfmon); return 0; -- 2.47.0

9 months, 3 weeks

2
1
0 0

[PATCH] fs/proc/kcore.c: Clear ret value in read_kcore_iter after successful iov_iter_zero

by Jiri Olsa

If iov_iter_zero succeeds after failed copy_from_kernel_nofault, we need to reset the ret value to zero otherwise it will be returned as final return value of read_kcore_iter. This fixes objdump -d dump over /proc/kcore for me. Cc: stable(a)vger.kernel.org Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Fixes: 3d5854d75e31 ("fs/proc/kcore.c: allow translation of physical memory addresses") Signed-off-by: Jiri Olsa <jolsa(a)kernel.org> --- fs/proc/kcore.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c index 51446c59388f..c82c408e573e 100644 --- a/fs/proc/kcore.c +++ b/fs/proc/kcore.c @@ -600,6 +600,7 @@ static ssize_t read_kcore_iter(struct kiocb *iocb, struct iov_iter *iter) ret = -EFAULT; goto out; } + ret = 0; /* * We know the bounce buffer is safe to copy from, so * use _copy_to_iter() directly. -- 2.47.0

9 months, 3 weeks

3
2
0 0

[PATCH 0/3] i2c: atr: A few i2c-atr fixes

by Tomi Valkeinen

The first two are perhaps not strictly fixes, as they essentially add support for nested ATRs. The third one is a fix, thus stable is in cc. Tomi Signed-off-by: Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> --- Cosmin Tanislav (1): i2c: atr: Allow unmapped addresses from nested ATRs Tomi Valkeinen (2): i2c: atr: Fix lockdep for nested ATRs i2c: atr: Fix client detach drivers/i2c/i2c-atr.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) --- base-commit: adc218676eef25575469234709c2d87185ca223a change-id: 20241121-i2c-atr-fixes-6d52b9f5f0c1 Best regards, -- Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com>

9 months, 3 weeks

2
2
0 0

[PATCH 6.11 000/107] 6.11.10-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.11.10 release. There are 107 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 22 Nov 2024 12:56:14 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.11.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.11.10-rc1 Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Alexandre Ferrieux <alexandre.ferrieux(a)gmail.com> net: sched: u32: Add test case for systematic hnode IDR leaks Jiri Olsa <jolsa(a)kernel.org> lib/buildid: Fix build ID parsing logic Matthew Auld <matthew.auld(a)intel.com> drm/xe: improve hibernation on igpu Matthew Brost <matthew.brost(a)intel.com> drm/xe: Restore system memory GGTT mappings Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling Hamish Claxton <hamishclaxton(a)gmail.com> drm/amd/display: Fix failure to read vram info due to static BP_RESULT Ryan Seto <ryanseto(a)amd.com> drm/amd/display: Handle dml allocation failure to avoid crash Dillon Varone <dillon.varone(a)amd.com> drm/amd/display: Require minimum VBlank size for stutter optimization Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Adjust VSDB parser for replay feature Jack Xiao <Jack.Xiao(a)amd.com> drm/amdgpu/mes12: correct kiq unmap latency Christian König <christian.koenig(a)amd.com> drm/amdgpu: enable GTT fallback handling for dGPUs only Tim Huang <tim.huang(a)amd.com> drm/amd/pm: print pp_dpm_mclk in ascending order on SMU v14.0.0 David Rosca <david.rosca(a)amd.com> drm/amdgpu: Fix video caps for H264 and HEVC encode maximum size Christian König <christian.koenig(a)amd.com> drm/amdgpu: fix check in gmc_v9_0_get_vm_pte() Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> drm/amd: Fix initialization mistake for NBIO 7.7.0 Dave Airlie <airlied(a)redhat.com> nouveau/dp: handle retries for AUX CH transfers with GSP. Dave Airlie <airlied(a)redhat.com> nouveau: handle EBUSY and EAGAIN for GSP aux errors. Dave Airlie <airlied(a)redhat.com> nouveau: fw: sync dma after setup is called. Sibi Sankar <quic_sibis(a)quicinc.com> pmdomain: core: Add GENPD_FLAG_DEV_NAME_FW flag Sibi Sankar <quic_sibis(a)quicinc.com> pmdomain: arm: Use FLAG_DEV_NAME_FW to ensure unique names Peng Fan <peng.fan(a)nxp.com> pmdomain: imx93-blk-ctrl: correct remove path Ashutosh Dixit <ashutosh.dixit(a)intel.com> drm/xe/oa: Fix "Missing outer runtime PM protection" warning Matthew Auld <matthew.auld(a)intel.com> drm/xe: handle flat ccs during hibernation on igpu Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: Fix DSI command tx Andre Przywara <andre.przywara(a)arm.com> mmc: sunxi-mmc: Fix A100 compatible description Sibi Sankar <quic_sibis(a)quicinc.com> firmware: arm_scmi: Report duplicate opps as firmware bugs Cristian Marussi <cristian.marussi(a)arm.com> firmware: arm_scmi: Skip opp duplicates Sibi Sankar <quic_sibis(a)quicinc.com> mailbox: qcom-cpucp: Mark the irq with IRQF_NO_SUSPEND flag Josef Bacik <josef(a)toxicpanda.com> btrfs: fix incorrect comparison for delayed refs Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/display: parse umc_info or vram_info based on ASIC" Aurelien Jarno <aurelien(a)aurel32.net> Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Donet Tom <donettom(a)linux.ibm.com> selftests: hugetlb_dio: fixup check for initial conditions to skip in the start Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Make KASAN work with 5-level page-tables Bibo Mao <maobibo(a)loongson.cn> LoongArch: Fix AP booting issue in VM mode Kanglong Wang <wangkanglong(a)loongson.cn> LoongArch: Add WriteCombine shadow mapping in KASAN Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix early_numa_add_cpu() usage for FDT systems Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: fix UBSAN warning in ocfs2_verify_volume() Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: use _rcu variant under rcu_read_lock Geliang Tang <geliang(a)kernel.org> mptcp: hold pm lock when deleting entry Geliang Tang <geliang(a)kernel.org> mptcp: update local address flags when setting it Maksym Glubokiy <maxgl.kernel(a)gmail.com> ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - update set GPIO3 to default for Thinkpad with ALC1318 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Roman Gushchin <roman.gushchin(a)linux.dev> mm: page_alloc: move mlocked flag clearance into free_pages_prepare() Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Disable TPM on tpm2_create_primary() failure Hajime Tazaki <thehajime(a)gmail.com> nommu: pass NULL argument to vma_iter_prealloc() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint Sean Christopherson <seanjc(a)google.com> KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Sean Christopherson <seanjc(a)google.com> KVM: x86: Unconditionally set irr_pending when updating APICv state Sean Christopherson <seanjc(a)google.com> KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled Sean Christopherson <seanjc(a)google.com> KVM: selftests: Disable strict aliasing Mateusz Guzik <mjguzik(a)gmail.com> evm: stop avoidably reading i_writecount in evm_file_release Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> ima: fix buffer overrun in ima_eventdigest_init_common Xiaoguang Wang <lege.wang(a)jaguarmicro.com> vp_vdpa: fix id_table array not null terminated error Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Philipp Stanner <pstanner(a)redhat.com> vdpa: solidrun: Fix UB bug with devres Andrew Morton <akpm(a)linux-foundation.org> mm: revert "mm: shmem: fix data-race in shmem_getattr()" Jann Horn <jannh(a)google.com> mm/mremap: fix address wraparound in move_page_tables() Dan Carpenter <dan.carpenter(a)linaro.org> fs/proc/task_mmu: prevent integer overflow in pagemap_scan_get_args() Qun-Wei Lin <qun-wei.lin(a)mediatek.com> sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Dave Vasilevsky <dave(a)vasilevsky.ca> crash, powerpc: default to CRASH_DUMP=n on PPC_BOOK3S_32 Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: uncache inode which has failed entering the group Jinjiang Tu <tujinjiang(a)huawei.com> mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Ard Biesheuvel <ardb(a)kernel.org> x86/stackprotector: Work around strict Clang TLS symbol requirements Baoquan He <bhe(a)redhat.com> x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Mario Limonciello <mario.limonciello(a)amd.com> x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix Panel Replay not update screen correctly Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Change some variable name of psr Leo Li <sunpeng.li(a)amd.com> drm/amd/display: Run idle optimizations at end of vblank handler Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/pm: correct the workload setting" Motiejus JakÅ`tys <motiejus(a)jakstys.lt> tools/mm: fix compile error Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> ARM: fix cacheflush with PAN Harith G <harith.g(a)alifsemi.com> ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Hangbin Liu <liuhangbin(a)gmail.com> bonding: add ns target multicast address to slave device Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix 1 PPS sync Chen Ridong <chenridong(a)huawei.com> drm/vmwgfx: avoid null_ptr_deref in vmw_framebuffer_surface_create_handle Vitalii Mordan <mordan(a)ispras.ru> stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines Michal Luczaj <mhal(a)rbox.co> net: Make copy_safe_from_sockptr() match documentation Nícolas F. R. A. Prado <nfraprado(a)collabora.com> net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol Wei Fang <wei.fang(a)nxp.com> samples: pktgen: correct dev to DEV Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> net: phylink: ensure PHY momentary link-fails are handled Alexandre Ferrieux <alexandre.ferrieux(a)gmail.com> net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Akash Goel <akash.goel(a)arm.com> drm/panthor: Fix handling of partial GPU mapping of BOs Kiran K <kiran.k(a)intel.com> Bluetooth: btintel: Direct exception event to bluetooth stack Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix calling mgmt_device_connected Alexandre Ghiti <alexghiti(a)rivosinc.com> drivers: perf: Fix wrong put_cpu() placement Leon Romanovsky <leon(a)kernel.org> Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" Michal Luczaj <mhal(a)rbox.co> virtio/vsock: Improve MSG_ZEROCOPY error handling Michal Luczaj <mhal(a)rbox.co> vsock: Fix sk_error_queue memory leak Michal Luczaj <mhal(a)rbox.co> virtio/vsock: Fix accept_queue memory leak Daniele Ceraolo Spurio <daniele.ceraolospurio(a)intel.com> drm/i915/gsc: ARL-H and ARL-U need a newer GSC FW. Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Disable loopback self-test on multi-PF netdev Moshe Shemesh <moshe(a)nvidia.com> net/mlx5e: CT: Fix null-ptr-deref in add rule err flow William Tu <witu(a)nvidia.com> net/mlx5e: clear xdp features on non-uplink representors Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: kTLS, Fix incorrect page refcounting Mark Bloch <mbloch(a)nvidia.com> net/mlx5: fs, lock FTE when checking if active Parav Pandit <parav(a)nvidia.com> net/mlx5: Fix msix vectors to respect platform limit Paolo Abeni <pabeni(a)redhat.com> mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Paolo Abeni <pabeni(a)redhat.com> mptcp: error out earlier on disconnect Wang Liang <wangliang74(a)huawei.com> net: fix data-races around sk->sk_forward_alloc Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: vop: Fix a dereferenced before check warning Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix tx_bytes calculation Eric Dumazet <edumazet(a)google.com> sctp: fix possible UAF in sctp_v6_available() Jakub Kicinski <kuba(a)kernel.org> netlink: terminate outstanding dump on socket close ------------- Diffstat: Makefile | 4 +- arch/arm/Kconfig | 3 + arch/arm/kernel/head.S | 8 +- arch/arm/kernel/traps.c | 3 + arch/arm/mm/mmu.c | 34 +++--- arch/arm64/Kconfig | 3 + arch/arm64/include/asm/mman.h | 10 +- arch/loongarch/Kconfig | 3 + arch/loongarch/include/asm/kasan.h | 13 ++- arch/loongarch/kernel/paravirt.c | 15 +++ arch/loongarch/kernel/smp.c | 2 +- arch/loongarch/mm/kasan_init.c | 46 +++++++- arch/mips/Kconfig | 3 + arch/parisc/include/asm/mman.h | 5 +- arch/powerpc/Kconfig | 4 + arch/riscv/Kconfig | 3 + arch/s390/Kconfig | 3 + arch/sh/Kconfig | 3 + arch/x86/Kconfig | 3 + arch/x86/Makefile | 5 +- arch/x86/entry/entry.S | 16 +++ arch/x86/include/asm/asm-prototypes.h | 3 + arch/x86/kernel/cpu/amd.c | 11 ++ arch/x86/kernel/cpu/common.c | 2 + arch/x86/kernel/vmlinux.lds.S | 3 + arch/x86/kvm/lapic.c | 29 +++-- arch/x86/kvm/vmx/nested.c | 30 +++++- arch/x86/kvm/vmx/vmx.c | 6 +- arch/x86/mm/ioremap.c | 6 +- drivers/bluetooth/btintel.c | 5 +- drivers/char/tpm/tpm2-sessions.c | 7 +- drivers/firmware/arm_scmi/perf.c | 44 +++++--- drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 3 +- drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 13 ++- drivers/gpu/drm/amd/amdgpu/mes_v12_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 ++ drivers/gpu/drm/amd/amdgpu/nv.c | 12 +-- drivers/gpu/drm/amd/amdgpu/soc15.c | 4 +- drivers/gpu/drm/amd/amdgpu/soc21.c | 12 +-- drivers/gpu/drm/amd/amdgpu/soc24.c | 2 +- drivers/gpu/drm/amd/amdgpu/vi.c | 8 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 117 +++++++++++---------- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 +- .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 17 +-- .../amd/display/amdgpu_dm/amdgpu_dm_irq_params.h | 2 +- drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 6 +- drivers/gpu/drm/amd/display/dc/core/dc_state.c | 3 + .../dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c | 11 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 49 +++------ drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h | 4 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 5 +- drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 5 +- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 5 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 4 +- drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c | 4 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 20 +--- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_0_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 9 +- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 8 -- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h | 2 - drivers/gpu/drm/bridge/tc358768.c | 21 +++- drivers/gpu/drm/i915/gt/uc/intel_gsc_fw.c | 50 +++++---- drivers/gpu/drm/i915/i915_drv.h | 8 +- drivers/gpu/drm/i915/intel_device_info.c | 24 ++++- drivers/gpu/drm/i915/intel_device_info.h | 4 +- drivers/gpu/drm/nouveau/nvkm/engine/disp/r535.c | 61 ++++++----- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 11 +- drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c | 6 +- drivers/gpu/drm/panthor/panthor_mmu.c | 2 + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 2 + drivers/gpu/drm/xe/xe_bo.c | 43 ++++---- drivers/gpu/drm/xe/xe_bo_evict.c | 20 ++-- drivers/gpu/drm/xe/xe_oa.c | 2 + drivers/infiniband/core/addr.c | 2 - drivers/mailbox/qcom-cpucp-mbox.c | 2 +- drivers/media/dvb-core/dvbdev.c | 15 +-- drivers/mmc/host/dw_mmc.c | 4 +- drivers/mmc/host/sunxi-mmc.c | 6 +- drivers/net/bonding/bond_main.c | 16 ++- drivers/net/bonding/bond_options.c | 82 ++++++++++++++- drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +- .../ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- .../net/ethernet/mellanox/mlx5/core/en_selftest.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 19 +++- drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 32 +++++- .../net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 25 +++-- .../net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 ++- drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 +++ drivers/net/ethernet/vertexcom/mse102x.c | 4 +- drivers/net/phy/phylink.c | 14 +-- drivers/perf/riscv_pmu_sbi.c | 4 +- drivers/pmdomain/arm/scmi_perf_domain.c | 3 +- drivers/pmdomain/core.c | 49 ++++++--- drivers/pmdomain/imx/imx93-blk-ctrl.c | 4 +- drivers/vdpa/mlx5/core/mr.c | 8 +- drivers/vdpa/solidrun/snet_main.c | 14 ++- drivers/vdpa/virtio_pci/vp_vdpa.c | 10 +- fs/btrfs/delayed-ref.c | 2 +- fs/nilfs2/btnode.c | 2 - fs/nilfs2/gcinode.c | 4 +- fs/nilfs2/mdt.c | 1 - fs/nilfs2/page.c | 2 +- fs/ocfs2/resize.c | 2 + fs/ocfs2/super.c | 13 ++- fs/proc/task_mmu.c | 4 +- include/drm/intel/i915_pciids.h | 19 +++- include/linux/mman.h | 7 +- include/linux/pm_domain.h | 6 ++ include/linux/sched/task_stack.h | 2 + include/linux/sockptr.h | 4 +- include/net/bond_options.h | 2 + kernel/Kconfig.kexec | 2 +- lib/buildid.c | 2 +- mm/mmap.c | 2 +- mm/mremap.c | 2 +- mm/nommu.c | 4 +- mm/page_alloc.c | 18 +++- mm/shmem.c | 5 - mm/swap.c | 14 --- net/bluetooth/hci_core.c | 2 - net/dccp/ipv6.c | 2 +- net/ipv6/tcp_ipv6.c | 4 +- net/mptcp/pm_netlink.c | 3 +- net/mptcp/pm_userspace.c | 15 +++ net/mptcp/protocol.c | 16 ++- net/netlink/af_netlink.c | 31 ++---- net/netlink/af_netlink.h | 2 - net/sched/cls_u32.c | 18 +++- net/sctp/ipv6.c | 19 ++-- net/vmw_vsock/af_vsock.c | 3 + net/vmw_vsock/virtio_transport_common.c | 9 ++ samples/pktgen/pktgen_sample01_simple.sh | 2 +- security/integrity/evm/evm_main.c | 3 +- security/integrity/ima/ima_template_lib.c | 14 ++- sound/pci/hda/patch_realtek.c | 13 ++- tools/mm/page-types.c | 2 +- tools/testing/selftests/kvm/Makefile | 8 +- tools/testing/selftests/mm/hugetlb_dio.c | 7 ++ .../selftests/tc-testing/tc-tests/filters/u32.json | 24 +++++ 143 files changed, 1080 insertions(+), 537 deletions(-)

9 months, 3 weeks

11
117
0 0

[PATCH 6.6 00/82] 6.6.63-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.63 release. There are 82 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 22 Nov 2024 12:56:17 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.63-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.63-rc1 SeongJae Park <sj(a)kernel.org> mm/damon/core: copy nr_accesses when splitting region SeongJae Park <sj(a)kernel.org> mm/damon/core: handle zero schemes apply interval SeongJae Park <sj(a)kernel.org> mm/damon/core: check apply interval in damon_do_apply_schemes() Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: resolve faulty mmap_region() error path behaviour Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: refactor map_deny_write_exec() Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: unconditionally close VMAs on error Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: avoid unsafe VMA hook invocation when error arises on mmap hook George Stark <gnstark(a)salutedevices.com> leds: mlxreg: Use devm_mutex_init() for mutex initialization Eric Van Hensbergen <ericvh(a)kernel.org> fs/9p: fix uninitialized values during inode evict Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/amd/pm: Vangogh: Fix kernel memory out of bounds write Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: use _rcu variant under rcu_read_lock Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: drop lookup_by_id in lookup_addr Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: hold pm lock when deleting entry Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: update local address flags when setting it Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: add userspace_pm_lookup_addr_by_id helper Geliang Tang <geliang.tang(a)suse.com> mptcp: define more local variables sk Chuck Lever <chuck.lever(a)oracle.com> NFSD: Never decrement pending_async_copies on error Chuck Lever <chuck.lever(a)oracle.com> NFSD: Initialize struct nfsd4_copy earlier Chuck Lever <chuck.lever(a)oracle.com> NFSD: Limit the number of concurrent async COPY operations Chuck Lever <chuck.lever(a)oracle.com> NFSD: Async COPY result needs to return a write verifier Dai Ngo <dai.ngo(a)oracle.com> NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvbdev: fix the logic when DVB_DYNAMIC_MINORS is not set Jiri Olsa <jolsa(a)kernel.org> lib/buildid: Fix build ID parsing logic Umang Jain <umang.jain(a)ideasonboard.com> staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state allocation Stefan Wahren <wahrenst(a)gmx.net> staging: vchiq_arm: Get the rid off struct vchiq_2835_state SeongJae Park <sj(a)kernel.org> mm/damon/core: handle zero {aggregation,ops_update} intervals SeongJae Park <sj(a)kernel.org> mm/damon/core: implement scheme-specific apply interval Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Adjust VSDB parser for replay feature Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> drm/amd: Fix initialization mistake for NBIO 7.7.0 Dave Airlie <airlied(a)redhat.com> nouveau: fw: sync dma after setup is called. Peng Fan <peng.fan(a)nxp.com> pmdomain: imx93-blk-ctrl: correct remove path Francesco Dolcini <francesco.dolcini(a)toradex.com> drm/bridge: tc358768: Fix DSI command tx Andre Przywara <andre.przywara(a)arm.com> mmc: sunxi-mmc: Fix A100 compatible description Aurelien Jarno <aurelien(a)aurel32.net> Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Make KASAN work with 5-level page-tables Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Disable KASAN if PGDIR_SIZE is too large for cpu_vabits Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Fix early_numa_add_cpu() usage for FDT systems Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: fix UBSAN warning in ocfs2_verify_volume() Maksym Glubokiy <maxgl.kernel(a)gmail.com> ALSA: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed Clevo platform headset Mic issue Hajime Tazaki <thehajime(a)gmail.com> nommu: pass NULL argument to vma_iter_prealloc() Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint Sean Christopherson <seanjc(a)google.com> KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Sean Christopherson <seanjc(a)google.com> KVM: x86: Unconditionally set irr_pending when updating APICv state Sean Christopherson <seanjc(a)google.com> KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> ima: fix buffer overrun in ima_eventdigest_init_common Xiaoguang Wang <lege.wang(a)jaguarmicro.com> vp_vdpa: fix id_table array not null terminated error Si-Wei Liu <si-wei.liu(a)oracle.com> vdpa/mlx5: Fix PA offset with unaligned starting iotlb map Philipp Stanner <pstanner(a)redhat.com> vdpa: solidrun: Fix UB bug with devres Andrew Morton <akpm(a)linux-foundation.org> mm: revert "mm: shmem: fix data-race in shmem_getattr()" Dmitry Antipov <dmantipov(a)yandex.ru> ocfs2: uncache inode which has failed entering the group Jinjiang Tu <tujinjiang(a)huawei.com> mm: fix NULL pointer dereference in alloc_pages_bulk_noprof Baoquan He <bhe(a)redhat.com> x86/mm: Fix a kdump kernel failure on SME system when CONFIG_IMA_KEXEC=y Motiejus JakÅ`tys <motiejus(a)jakstys.lt> tools/mm: fix compile error Harith G <harith.g(a)alifsemi.com> ARM: 9419/1: mm: Fix kernel memory mapping for xip kernels Hangbin Liu <liuhangbin(a)gmail.com> bonding: add ns target multicast address to slave device Meghana Malladi <m-malladi(a)ti.com> net: ti: icssg-prueth: Fix 1 PPS sync Vitalii Mordan <mordan(a)ispras.ru> stmmac: dwmac-intel-plat: fix call balance of tx_clk handling routines Jisheng Zhang <jszhang(a)kernel.org> net: stmmac: rename stmmac_pltfr_remove_no_dt to stmmac_pltfr_remove Jisheng Zhang <jszhang(a)kernel.org> net: stmmac: dwmac-visconti: use devm_stmmac_probe_config_dt() Jisheng Zhang <jszhang(a)kernel.org> net: stmmac: dwmac-intel-plat: use devm_stmmac_probe_config_dt() Michal Luczaj <mhal(a)rbox.co> net: Make copy_safe_from_sockptr() match documentation Nícolas F. R. A. Prado <nfraprado(a)collabora.com> net: stmmac: dwmac-mediatek: Fix inverted handling of mediatek,mac-wol Wei Fang <wei.fang(a)nxp.com> samples: pktgen: correct dev to DEV Alexandre Ferrieux <alexandre.ferrieux(a)gmail.com> net: sched: cls_u32: Fix u32's systematic failure to free IDR entries for hnodes. Pedro Tammela <pctammela(a)mojatatu.com> net/sched: cls_u32: replace int refcounts with proper refcounts Kiran K <kiran.k(a)intel.com> Bluetooth: btintel: Direct exception event to bluetooth stack Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix calling mgmt_device_connected Leon Romanovsky <leon(a)kernel.org> Revert "RDMA/core: Fix ENODEV error for iWARP test over vlan" Michal Luczaj <mhal(a)rbox.co> virtio/vsock: Fix accept_queue memory leak Moshe Shemesh <moshe(a)nvidia.com> net/mlx5e: CT: Fix null-ptr-deref in add rule err flow William Tu <witu(a)nvidia.com> net/mlx5e: clear xdp features on non-uplink representors Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: kTLS, Fix incorrect page refcounting Mark Bloch <mbloch(a)nvidia.com> net/mlx5: fs, lock FTE when checking if active Paolo Abeni <pabeni(a)redhat.com> mptcp: cope racing subflow creation in mptcp_rcv_space_adjust Paolo Abeni <pabeni(a)redhat.com> mptcp: error out earlier on disconnect Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: vop: Fix a dereferenced before check warning Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix tx_bytes calculation Eric Dumazet <edumazet(a)google.com> sctp: fix possible UAF in sctp_v6_available() Jakub Kicinski <kuba(a)kernel.org> netlink: terminate outstanding dump on socket close ------------- Diffstat: Makefile | 4 +- arch/arm/kernel/head.S | 8 +- arch/arm/mm/mmu.c | 34 +++--- arch/arm64/include/asm/mman.h | 10 +- arch/loongarch/include/asm/kasan.h | 2 +- arch/loongarch/kernel/smp.c | 2 +- arch/loongarch/mm/kasan_init.c | 41 ++++++- arch/parisc/include/asm/mman.h | 5 +- arch/x86/kvm/lapic.c | 29 +++-- arch/x86/kvm/vmx/nested.c | 30 ++++- arch/x86/kvm/vmx/vmx.c | 6 +- arch/x86/mm/ioremap.c | 6 +- drivers/bluetooth/btintel.c | 5 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_7.c | 6 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 7 +- drivers/gpu/drm/bridge/tc358768.c | 21 +++- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 11 +- drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 8 +- drivers/infiniband/core/addr.c | 2 - drivers/leds/leds-mlxreg.c | 16 +-- drivers/media/dvb-core/dvbdev.c | 15 +-- drivers/mmc/host/dw_mmc.c | 4 +- drivers/mmc/host/sunxi-mmc.c | 6 +- drivers/net/bonding/bond_main.c | 16 ++- drivers/net/bonding/bond_options.c | 82 ++++++++++++- drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 2 +- .../ethernet/mellanox/mlx5/core/en_accel/ktls_tx.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 19 ++- .../net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 40 +++---- .../net/ethernet/stmicro/stmmac/dwmac-mediatek.c | 4 +- .../net/ethernet/stmicro/stmmac/dwmac-visconti.c | 18 +-- .../net/ethernet/stmicro/stmmac/stmmac_platform.c | 25 +--- .../net/ethernet/stmicro/stmmac/stmmac_platform.h | 1 - drivers/net/ethernet/ti/icssg/icssg_prueth.c | 13 ++- drivers/net/ethernet/ti/icssg/icssg_prueth.h | 12 ++ drivers/net/ethernet/vertexcom/mse102x.c | 4 +- drivers/pmdomain/imx/imx93-blk-ctrl.c | 4 +- .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 25 +--- drivers/vdpa/mlx5/core/mr.c | 8 +- drivers/vdpa/solidrun/snet_main.c | 14 ++- drivers/vdpa/virtio_pci/vp_vdpa.c | 10 +- fs/9p/vfs_inode.c | 17 +-- fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +++--- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + fs/nilfs2/btnode.c | 2 - fs/nilfs2/gcinode.c | 4 +- fs/nilfs2/mdt.c | 1 - fs/nilfs2/page.c | 2 +- fs/ocfs2/resize.c | 2 + fs/ocfs2/super.c | 13 ++- include/linux/damon.h | 17 ++- include/linux/mman.h | 28 ++++- include/linux/sockptr.h | 4 +- include/net/bond_options.h | 2 + lib/buildid.c | 2 +- mm/damon/core.c | 84 ++++++++++++-- mm/damon/dbgfs.c | 3 +- mm/damon/lru_sort.c | 2 + mm/damon/reclaim.c | 2 + mm/damon/sysfs-schemes.c | 2 +- mm/internal.h | 45 ++++++++ mm/mmap.c | 128 ++++++++++++--------- mm/mprotect.c | 2 +- mm/nommu.c | 11 +- mm/page_alloc.c | 3 +- mm/shmem.c | 5 - net/bluetooth/hci_core.c | 2 - net/mptcp/pm_netlink.c | 15 ++- net/mptcp/pm_userspace.c | 77 ++++++++----- net/mptcp/protocol.c | 16 ++- net/netlink/af_netlink.c | 31 ++--- net/netlink/af_netlink.h | 2 - net/sched/cls_u32.c | 54 +++++---- net/sctp/ipv6.c | 19 ++- net/vmw_vsock/virtio_transport_common.c | 8 ++ samples/pktgen/pktgen_sample01_simple.sh | 2 +- security/integrity/ima/ima_template_lib.c | 14 ++- sound/pci/hda/patch_realtek.c | 3 + tools/mm/page-types.c | 2 +- 83 files changed, 824 insertions(+), 429 deletions(-)

9 months, 3 weeks

10
91
0 0

[PATCH 6.12 0/3] 6.12.1-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.1 release. There are 3 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 22 Nov 2024 12:40:53 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.1-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.1-rc1 Liam R. Howlett <Liam.Howlett(a)Oracle.com> mm/mmap: fix __mmap_region() error handling in rare merge failure case Benoit Sevens <bsevens(a)google.com> media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Hyunwoo Kim <v4bel(a)theori.io> hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer ------------- Diffstat: Makefile | 4 ++-- drivers/media/usb/uvc/uvc_driver.c | 2 +- mm/mmap.c | 13 ++++++++++++- net/vmw_vsock/hyperv_transport.c | 1 + 4 files changed, 16 insertions(+), 4 deletions(-)

9 months, 3 weeks

10
12
0 0

+ nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() has been added to the -mm mm-hotfixes-unstable branch. Its filename is nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Subject: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry() Date: Wed, 20 Nov 2024 02:23:37 +0900 Syzbot reported that when searching for records in a directory where the inode's i_size is corrupted and has a large value, memory access outside the folio/page range may occur, or a use-after-free bug may be detected if KASAN is enabled. This is because nilfs_last_byte(), which is called by nilfs_find_entry() and others to calculate the number of valid bytes of directory data in a page from i_size and the page index, loses the upper 32 bits of the 64-bit size information due to an inappropriate type of local variable to which the i_size value is assigned. This caused a large byte offset value due to underflow in the end address calculation in the calling nilfs_find_entry(), resulting in memory access that exceeds the folio/page size. Fix this issue by changing the type of the local variable causing the bit loss from "unsigned int" to "u64". The return value of nilfs_last_byte() is also of type "unsigned int", but it is truncated so as not to exceed PAGE_SIZE and no bit loss occurs, so no change is required. Link: https://lkml.kernel.org/r/20241119172403.9292-1-konishi.ryusuke@gmail.com Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations") Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+96d5d14c47d97015c624(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=96d5d14c47d97015c624 Tested-by: syzbot+96d5d14c47d97015c624(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/nilfs2/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/nilfs2/dir.c~nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry +++ a/fs/nilfs2/dir.c @@ -70,7 +70,7 @@ static inline unsigned int nilfs_chunk_s */ static unsigned int nilfs_last_byte(struct inode *inode, unsigned long page_nr) { - unsigned int last_byte = inode->i_size; + u64 last_byte = inode->i_size; last_byte -= page_nr << PAGE_SHIFT; if (last_byte > PAGE_SIZE) _ Patches currently in -mm which might be from konishi.ryusuke(a)gmail.com are nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch

9 months, 3 weeks

1
0
0 0

+ kasan-make-report_lock-a-raw-spinlock.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kasan: make report_lock a raw spinlock has been added to the -mm mm-hotfixes-unstable branch. Its filename is kasan-make-report_lock-a-raw-spinlock.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jared Kangas <jkangas(a)redhat.com> Subject: kasan: make report_lock a raw spinlock Date: Tue, 19 Nov 2024 13:02:34 -0800 If PREEMPT_RT is enabled, report_lock is a sleeping spinlock and must not be locked when IRQs are disabled. However, KASAN reports may be triggered in such contexts. For example: char *s = kzalloc(1, GFP_KERNEL); kfree(s); local_irq_disable(); char c = *s; /* KASAN report here leads to spin_lock() */ local_irq_enable(); Make report_spinlock a raw spinlock to prevent rescheduling when PREEMPT_RT is enabled. Link: https://lkml.kernel.org/r/20241119210234.1602529-1-jkangas@redhat.com Signed-off-by: Jared Kangas <jkangas(a)redhat.com> Cc: Alexander Potapenko <glider(a)google.com> Cc: Andrey Konovalov <andreyknvl(a)gmail.com> Cc: Andrey Ryabinin <ryabinin.a.a(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: Vincenzo Frascino <vincenzo.frascino(a)arm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/kasan/report.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/kasan/report.c~kasan-make-report_lock-a-raw-spinlock +++ a/mm/kasan/report.c @@ -200,7 +200,7 @@ static inline void fail_non_kasan_kunit_ #endif /* CONFIG_KUNIT */ -static DEFINE_SPINLOCK(report_lock); +static DEFINE_RAW_SPINLOCK(report_lock); static void start_report(unsigned long *flags, bool sync) { @@ -211,7 +211,7 @@ static void start_report(unsigned long * lockdep_off(); /* Make sure we don't end up in loop. */ report_suppress_start(); - spin_lock_irqsave(&report_lock, *flags); + raw_spin_lock_irqsave(&report_lock, *flags); pr_err("==================================================================\n"); } @@ -221,7 +221,7 @@ static void end_report(unsigned long *fl trace_error_report_end(ERROR_DETECTOR_KASAN, (unsigned long)addr); pr_err("==================================================================\n"); - spin_unlock_irqrestore(&report_lock, *flags); + raw_spin_unlock_irqrestore(&report_lock, *flags); if (!test_bit(KASAN_BIT_MULTI_SHOT, &kasan_flags)) check_panic_on_warn("KASAN"); switch (kasan_arg_fault) { _ Patches currently in -mm which might be from jkangas(a)redhat.com are kasan-make-report_lock-a-raw-spinlock.patch

9 months, 3 weeks

1
0
0 0

+ mm-mempolicy-fix-migrate_to_node-assuming-there-is-at-least-one-vma-in-a-mm.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-mempolicy-fix-migrate_to_node-assuming-there-is-at-least-one-vma-in-a-mm.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david(a)redhat.com> Subject: mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM Date: Wed, 20 Nov 2024 21:11:51 +0100 We currently assume that there is at least one VMA in a MM, which isn't true. So we might end up having find_vma() return NULL, to then de-reference NULL. So properly handle find_vma() returning NULL. This fixes the report: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline] RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194 Code: ... RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000 RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044 RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1 R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003 R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8 FS: 00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709 __do_sys_migrate_pages mm/mempolicy.c:1727 [inline] __se_sys_migrate_pages mm/mempolicy.c:1723 [inline] __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Link: https://lkml.kernel.org/r/20241120201151.9518-1-david@redhat.com Fixes: 39743889aaf7 ("[PATCH] Swap Migration V5: sys_migrate_pages interface") Signed-off-by: David Hildenbrand <david(a)redhat.com> Reported-by: syzbot+3511625422f7aa637f0d(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/673d2696.050a0220.3c9d61.012f.GAE@google.com/T/ Reviewed-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Reviewed-by: Christoph Lameter <cl(a)linux.com> Cc: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mempolicy.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/mm/mempolicy.c~mm-mempolicy-fix-migrate_to_node-assuming-there-is-at-least-one-vma-in-a-mm +++ a/mm/mempolicy.c @@ -1080,6 +1080,10 @@ static long migrate_to_node(struct mm_st mmap_read_lock(mm); vma = find_vma(mm, 0); + if (!vma) { + mmap_read_unlock(mm); + return 0; + } /* * This does not migrate the range, but isolates all pages that _ Patches currently in -mm which might be from david(a)redhat.com are mm-mempolicy-fix-migrate_to_node-assuming-there-is-at-least-one-vma-in-a-mm.patch

9 months, 3 weeks

1
0
0 0

+ mm-gup-handle-null-pages-in-unpin_user_pages.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/gup: handle NULL pages in unpin_user_pages() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-gup-handle-null-pages-in-unpin_user_pages.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: John Hubbard <jhubbard(a)nvidia.com> Subject: mm/gup: handle NULL pages in unpin_user_pages() Date: Wed, 20 Nov 2024 19:49:33 -0800 The recent addition of "pofs" (pages or folios) handling to gup has a flaw: it assumes that unpin_user_pages() handles NULL pages in the pages** array. That's not the case, as I discovered when I ran on a new configuration on my test machine. Fix this by skipping NULL pages in unpin_user_pages(), just like unpin_folios() already does. Details: when booting on x86 with "numa=fake=2 movablecore=4G" on Linux 6.12, and running this: tools/testing/selftests/mm/gup_longterm ...I get the following crash: BUG: kernel NULL pointer dereference, address: 0000000000000008 RIP: 0010:sanity_check_pinned_pages+0x3a/0x2d0 ... Call Trace: <TASK> ? __die_body+0x66/0xb0 ? page_fault_oops+0x30c/0x3b0 ? do_user_addr_fault+0x6c3/0x720 ? irqentry_enter+0x34/0x60 ? exc_page_fault+0x68/0x100 ? asm_exc_page_fault+0x22/0x30 ? sanity_check_pinned_pages+0x3a/0x2d0 unpin_user_pages+0x24/0xe0 check_and_migrate_movable_pages_or_folios+0x455/0x4b0 __gup_longterm_locked+0x3bf/0x820 ? mmap_read_lock_killable+0x12/0x50 ? __pfx_mmap_read_lock_killable+0x10/0x10 pin_user_pages+0x66/0xa0 gup_test_ioctl+0x358/0xb20 __se_sys_ioctl+0x6b/0xc0 do_syscall_64+0x7b/0x150 entry_SYSCALL_64_after_hwframe+0x76/0x7e Link: https://lkml.kernel.org/r/20241121034933.77502-1-jhubbard@nvidia.com Fixes: 94efde1d1539 ("mm/gup: avoid an unnecessary allocation call for FOLL_LONGTERM cases") Signed-off-by: John Hubbard <jhubbard(a)nvidia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: Dave Airlie <airlied(a)redhat.com> Cc: Gerd Hoffmann <kraxel(a)redhat.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Dongwon Kim <dongwon.kim(a)intel.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Junxiao Chang <junxiao.chang(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/mm/gup.c~mm-gup-handle-null-pages-in-unpin_user_pages +++ a/mm/gup.c @@ -52,7 +52,12 @@ static inline void sanity_check_pinned_p */ for (; npages; npages--, pages++) { struct page *page = *pages; - struct folio *folio = page_folio(page); + struct folio *folio; + + if (!page) + continue; + + folio = page_folio(page); if (is_zero_page(page) || !folio_test_anon(folio)) @@ -409,6 +414,10 @@ void unpin_user_pages(struct page **page sanity_check_pinned_pages(pages, npages); for (i = 0; i < npages; i += nr) { + if (!pages[i]) { + nr = 1; + continue; + } folio = gup_folio_next(pages, npages, i, &nr); gup_put_folio(folio, nr, FOLL_PIN); } _ Patches currently in -mm which might be from jhubbard(a)nvidia.com are mm-gup-handle-null-pages-in-unpin_user_pages.patch

9 months, 3 weeks

1
0
0 0

+ fs-proc-kcorec-clear-ret-value-in-read_kcore_iter-after-successful-iov_iter_zero.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: fs/proc/kcore.c: clear ret value in read_kcore_iter after successful iov_iter_zero has been added to the -mm mm-hotfixes-unstable branch. Its filename is fs-proc-kcorec-clear-ret-value-in-read_kcore_iter-after-successful-iov_iter_zero.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jiri Olsa <jolsa(a)kernel.org> Subject: fs/proc/kcore.c: clear ret value in read_kcore_iter after successful iov_iter_zero Date: Fri, 22 Nov 2024 00:11:18 +0100 If iov_iter_zero succeeds after failed copy_from_kernel_nofault, we need to reset the ret value to zero otherwise it will be returned as final return value of read_kcore_iter. This fixes objdump -d dump over /proc/kcore for me. Link: https://lkml.kernel.org/r/20241121231118.3212000-1-jolsa@kernel.org Fixes: 3d5854d75e31 ("fs/proc/kcore.c: allow translation of physical memory addresses") Signed-off-by: Jiri Olsa <jolsa(a)kernel.org> Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Christian Brauner <brauner(a)kernel.org> Cc: <hca(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/proc/kcore.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/proc/kcore.c~fs-proc-kcorec-clear-ret-value-in-read_kcore_iter-after-successful-iov_iter_zero +++ a/fs/proc/kcore.c @@ -600,6 +600,7 @@ static ssize_t read_kcore_iter(struct ki ret = -EFAULT; goto out; } + ret = 0; /* * We know the bounce buffer is safe to copy from, so * use _copy_to_iter() directly. _ Patches currently in -mm which might be from jolsa(a)kernel.org are fs-proc-kcorec-clear-ret-value-in-read_kcore_iter-after-successful-iov_iter_zero.patch

9 months, 3 weeks

1
0
0 0

[PATCH v2] of: property: fw_devlink: Do not use interrupt-parent directly

by Samuel Holland

commit 7f00be96f125 ("of: property: Add device link support for interrupt-parent, dmas and -gpio(s)") started adding device links for the interrupt-parent property. commit 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") and commit f265f06af194 ("of: property: Fix fw_devlink handling of interrupts/interrupts-extended") later added full support for parsing the interrupts and interrupts-extended properties, which includes looking up the node of the parent domain. This made the handler for the interrupt-parent property redundant. In fact, creating device links based solely on interrupt-parent is problematic, because it can create spurious cycles. A node may have this property without itself being an interrupt controller or consumer. For example, this property is often present in the root node or a /soc bus node to set the default interrupt parent for child nodes. However, it is incorrect for the bus to depend on the interrupt controller, as some of the bus's children may not be interrupt consumers at all or may have a different interrupt parent. Resolving these spurious dependency cycles can cause an incorrect probe order for interrupt controller drivers. This was observed on a RISC-V system with both an APLIC and IMSIC under /soc, where interrupt-parent in /soc points to the APLIC, and the APLIC msi-parent points to the IMSIC. fw_devlink found three dependency cycles and attempted to probe the APLIC before the IMSIC. After applying this patch, there were no dependency cycles and the probe order was correct. Acked-by: Marc Zyngier <maz(a)kernel.org> Cc: stable(a)vger.kernel.org Fixes: 4104ca776ba3 ("of: property: Add fw_devlink support for interrupts") Signed-off-by: Samuel Holland <samuel.holland(a)sifive.com> --- Changes in v2: - Fix typo in commit message - Add Fixes: tag and CC stable drivers/of/property.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/of/property.c b/drivers/of/property.c index 11b922fde7af..7bd8390f2fba 100644 --- a/drivers/of/property.c +++ b/drivers/of/property.c @@ -1213,7 +1213,6 @@ DEFINE_SIMPLE_PROP(iommus, "iommus", "#iommu-cells") DEFINE_SIMPLE_PROP(mboxes, "mboxes", "#mbox-cells") DEFINE_SIMPLE_PROP(io_channels, "io-channels", "#io-channel-cells") DEFINE_SIMPLE_PROP(io_backends, "io-backends", "#io-backend-cells") -DEFINE_SIMPLE_PROP(interrupt_parent, "interrupt-parent", NULL) DEFINE_SIMPLE_PROP(dmas, "dmas", "#dma-cells") DEFINE_SIMPLE_PROP(power_domains, "power-domains", "#power-domain-cells") DEFINE_SIMPLE_PROP(hwlocks, "hwlocks", "#hwlock-cells") @@ -1359,7 +1358,6 @@ static const struct supplier_bindings of_supplier_bindings[] = { { .parse_prop = parse_mboxes, }, { .parse_prop = parse_io_channels, }, { .parse_prop = parse_io_backends, }, - { .parse_prop = parse_interrupt_parent, }, { .parse_prop = parse_dmas, .optional = true, }, { .parse_prop = parse_power_domains, }, { .parse_prop = parse_hwlocks, }, -- 2.45.1

9 months, 3 weeks

2
1
0 0

[PATCH v2] iommu/arm-smmu: Defer probe of clients after smmu device bound

by Pratyush Brahma

Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called. Following is how the race occurs: T1:Smmu device probe T2: Client device probe really_probe() arm_smmu_device_probe() iommu_device_register() really_probe() platform_dma_configure() of_dma_configure() of_dma_configure_id() of_iommu_configure() iommu_probe_device() iommu_init_device() arm_smmu_probe_device() arm_smmu_get_by_fwnode() driver_find_device_by_fwnode() driver_find_device() next_device() klist_next() /* null ptr assigned to smmu */ /* null ptr dereference while smmu->streamid_mask */ driver_bound() klist_add_tail() When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes. Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver. Fixes: 021bb8420d44 ("iommu/arm-smmu: Wire up generic configuration support") Cc: stable(a)vger.kernel.org Co-developed-by: Prakash Gupta <quic_guptap(a)quicinc.com> Signed-off-by: Prakash Gupta <quic_guptap(a)quicinc.com> Signed-off-by: Pratyush Brahma <quic_pbrahma(a)quicinc.com> --- Changes in v2: Fix kernel test robot warning Add stable kernel list in cc Link to v1: https://lore.kernel.org/all/20241001055633.21062-1-quic_pbrahma@quicinc.com/ drivers/iommu/arm/arm-smmu/arm-smmu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c index 723273440c21..7c778b7eb8c8 100644 --- a/drivers/iommu/arm/arm-smmu/arm-smmu.c +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c @@ -1437,6 +1437,9 @@ static struct iommu_device *arm_smmu_probe_device(struct device *dev) goto out_free; } else { smmu = arm_smmu_get_by_fwnode(fwspec->iommu_fwnode); + if (!smmu) + return ERR_PTR(dev_err_probe(dev, -EPROBE_DEFER, + "smmu dev has not bound yet\n")); } ret = -EINVAL; -- 2.17.1

9 months, 3 weeks

3
8
0 0

linux-stable-rc.git: queue/6.12 VS. linux-6.12.y

by Sedat Dilek

Hi Greg and Sasha, Can you please check the queue/6.12 Git branch? Looks like it includes queue/6.11 material. Thanks. Best regards, -Sedat-

9 months, 3 weeks

2
1
0 0

FAILED: patch "[PATCH] x86/stackprotector: Work around strict Clang TLS symbol" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 577c134d311b9b94598d7a0c86be1f431f823003 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111735-paging-quintet-7ce1@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 577c134d311b9b94598d7a0c86be1f431f823003 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel <ardb(a)kernel.org> Date: Tue, 5 Nov 2024 10:57:46 -0500 Subject: [PATCH] x86/stackprotector: Work around strict Clang TLS symbol requirements GCC and Clang both implement stack protector support based on Thread Local Storage (TLS) variables, and this is used in the kernel to implement per-task stack cookies, by copying a task's stack cookie into a per-CPU variable every time it is scheduled in. Both now also implement -mstack-protector-guard-symbol=, which permits the TLS variable to be specified directly. This is useful because it will allow to move away from using a fixed offset of 40 bytes into the per-CPU area on x86_64, which requires a lot of special handling in the per-CPU code and the runtime relocation code. However, while GCC is rather lax in its implementation of this command line option, Clang actually requires that the provided symbol name refers to a TLS variable (i.e., one declared with __thread), although it also permits the variable to be undeclared entirely, in which case it will use an implicit declaration of the right type. The upshot of this is that Clang will emit the correct references to the stack cookie variable in most cases, e.g., 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax 10f: R_386_32 __stack_chk_guard However, if a non-TLS definition of the symbol in question is visible in the same compilation unit (which amounts to the whole of vmlinux if LTO is enabled), it will drop the per-CPU prefix and emit a load from a bogus address. Work around this by using a symbol name that never occurs in C code, and emit it as an alias in the linker script. Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable") Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> Signed-off-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Tested-by: Nathan Chancellor <nathan(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://github.com/ClangBuiltLinux/linux/issues/1854 Link: https://lore.kernel.org/r/20241105155801.1779119-2-brgerst@gmail.com diff --git a/arch/x86/Makefile b/arch/x86/Makefile index cd75e78a06c1..5b773b34768d 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -142,9 +142,10 @@ ifeq ($(CONFIG_X86_32),y) ifeq ($(CONFIG_STACKPROTECTOR),y) ifeq ($(CONFIG_SMP),y) - KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard + KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \ + -mstack-protector-guard-symbol=__ref_stack_chk_guard else - KBUILD_CFLAGS += -mstack-protector-guard=global + KBUILD_CFLAGS += -mstack-protector-guard=global endif endif else diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S index 324686bca368..b7ea3e8e9ecc 100644 --- a/arch/x86/entry/entry.S +++ b/arch/x86/entry/entry.S @@ -51,3 +51,19 @@ EXPORT_SYMBOL_GPL(mds_verw_sel); .popsection THUNK warn_thunk_thunk, __warn_thunk + +#ifndef CONFIG_X86_64 +/* + * Clang's implementation of TLS stack cookies requires the variable in + * question to be a TLS variable. If the variable happens to be defined as an + * ordinary variable with external linkage in the same compilation unit (which + * amounts to the whole of vmlinux with LTO enabled), Clang will drop the + * segment register prefix from the references, resulting in broken code. Work + * around this by avoiding the symbol used in -mstack-protector-guard-symbol= + * entirely in the C code, and use an alias emitted by the linker script + * instead. + */ +#ifdef CONFIG_STACKPROTECTOR +EXPORT_SYMBOL(__ref_stack_chk_guard); +#endif +#endif diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h index 25466c4d2134..3674006e3974 100644 --- a/arch/x86/include/asm/asm-prototypes.h +++ b/arch/x86/include/asm/asm-prototypes.h @@ -20,3 +20,6 @@ extern void cmpxchg8b_emu(void); #endif +#if defined(__GENKSYMS__) && defined(CONFIG_STACKPROTECTOR) +extern unsigned long __ref_stack_chk_guard; +#endif diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index a5f221ea5688..f43bb974fc66 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -2089,8 +2089,10 @@ void syscall_init(void) #ifdef CONFIG_STACKPROTECTOR DEFINE_PER_CPU(unsigned long, __stack_chk_guard); +#ifndef CONFIG_SMP EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); #endif +#endif #endif /* CONFIG_X86_64 */ diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index b8c5741d2fb4..feb8102a9ca7 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -491,6 +491,9 @@ SECTIONS . = ASSERT((_end - LOAD_OFFSET <= KERNEL_IMAGE_SIZE), "kernel image bigger than KERNEL_IMAGE_SIZE"); +/* needed for Clang - see arch/x86/entry/entry.S */ +PROVIDE(__ref_stack_chk_guard = __stack_chk_guard); + #ifdef CONFIG_X86_64 /* * Per-cpu symbols which need to be offset from __per_cpu_load

9 months, 3 weeks

3
2
0 0

FAILED: patch "[PATCH] x86/stackprotector: Work around strict Clang TLS symbol" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 577c134d311b9b94598d7a0c86be1f431f823003 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111739-dimmed-aspirate-171d@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 577c134d311b9b94598d7a0c86be1f431f823003 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel <ardb(a)kernel.org> Date: Tue, 5 Nov 2024 10:57:46 -0500 Subject: [PATCH] x86/stackprotector: Work around strict Clang TLS symbol requirements GCC and Clang both implement stack protector support based on Thread Local Storage (TLS) variables, and this is used in the kernel to implement per-task stack cookies, by copying a task's stack cookie into a per-CPU variable every time it is scheduled in. Both now also implement -mstack-protector-guard-symbol=, which permits the TLS variable to be specified directly. This is useful because it will allow to move away from using a fixed offset of 40 bytes into the per-CPU area on x86_64, which requires a lot of special handling in the per-CPU code and the runtime relocation code. However, while GCC is rather lax in its implementation of this command line option, Clang actually requires that the provided symbol name refers to a TLS variable (i.e., one declared with __thread), although it also permits the variable to be undeclared entirely, in which case it will use an implicit declaration of the right type. The upshot of this is that Clang will emit the correct references to the stack cookie variable in most cases, e.g., 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax 10f: R_386_32 __stack_chk_guard However, if a non-TLS definition of the symbol in question is visible in the same compilation unit (which amounts to the whole of vmlinux if LTO is enabled), it will drop the per-CPU prefix and emit a load from a bogus address. Work around this by using a symbol name that never occurs in C code, and emit it as an alias in the linker script. Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable") Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> Signed-off-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Tested-by: Nathan Chancellor <nathan(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://github.com/ClangBuiltLinux/linux/issues/1854 Link: https://lore.kernel.org/r/20241105155801.1779119-2-brgerst@gmail.com diff --git a/arch/x86/Makefile b/arch/x86/Makefile index cd75e78a06c1..5b773b34768d 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -142,9 +142,10 @@ ifeq ($(CONFIG_X86_32),y) ifeq ($(CONFIG_STACKPROTECTOR),y) ifeq ($(CONFIG_SMP),y) - KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard + KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \ + -mstack-protector-guard-symbol=__ref_stack_chk_guard else - KBUILD_CFLAGS += -mstack-protector-guard=global + KBUILD_CFLAGS += -mstack-protector-guard=global endif endif else diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S index 324686bca368..b7ea3e8e9ecc 100644 --- a/arch/x86/entry/entry.S +++ b/arch/x86/entry/entry.S @@ -51,3 +51,19 @@ EXPORT_SYMBOL_GPL(mds_verw_sel); .popsection THUNK warn_thunk_thunk, __warn_thunk + +#ifndef CONFIG_X86_64 +/* + * Clang's implementation of TLS stack cookies requires the variable in + * question to be a TLS variable. If the variable happens to be defined as an + * ordinary variable with external linkage in the same compilation unit (which + * amounts to the whole of vmlinux with LTO enabled), Clang will drop the + * segment register prefix from the references, resulting in broken code. Work + * around this by avoiding the symbol used in -mstack-protector-guard-symbol= + * entirely in the C code, and use an alias emitted by the linker script + * instead. + */ +#ifdef CONFIG_STACKPROTECTOR +EXPORT_SYMBOL(__ref_stack_chk_guard); +#endif +#endif diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h index 25466c4d2134..3674006e3974 100644 --- a/arch/x86/include/asm/asm-prototypes.h +++ b/arch/x86/include/asm/asm-prototypes.h @@ -20,3 +20,6 @@ extern void cmpxchg8b_emu(void); #endif +#if defined(__GENKSYMS__) && defined(CONFIG_STACKPROTECTOR) +extern unsigned long __ref_stack_chk_guard; +#endif diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index a5f221ea5688..f43bb974fc66 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -2089,8 +2089,10 @@ void syscall_init(void) #ifdef CONFIG_STACKPROTECTOR DEFINE_PER_CPU(unsigned long, __stack_chk_guard); +#ifndef CONFIG_SMP EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); #endif +#endif #endif /* CONFIG_X86_64 */ diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index b8c5741d2fb4..feb8102a9ca7 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -491,6 +491,9 @@ SECTIONS . = ASSERT((_end - LOAD_OFFSET <= KERNEL_IMAGE_SIZE), "kernel image bigger than KERNEL_IMAGE_SIZE"); +/* needed for Clang - see arch/x86/entry/entry.S */ +PROVIDE(__ref_stack_chk_guard = __stack_chk_guard); + #ifdef CONFIG_X86_64 /* * Per-cpu symbols which need to be offset from __per_cpu_load

9 months, 3 weeks

3
2
0 0

FAILED: patch "[PATCH] x86/stackprotector: Work around strict Clang TLS symbol" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 577c134d311b9b94598d7a0c86be1f431f823003 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111736-handshake-thesaurus-43e6@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 577c134d311b9b94598d7a0c86be1f431f823003 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel <ardb(a)kernel.org> Date: Tue, 5 Nov 2024 10:57:46 -0500 Subject: [PATCH] x86/stackprotector: Work around strict Clang TLS symbol requirements GCC and Clang both implement stack protector support based on Thread Local Storage (TLS) variables, and this is used in the kernel to implement per-task stack cookies, by copying a task's stack cookie into a per-CPU variable every time it is scheduled in. Both now also implement -mstack-protector-guard-symbol=, which permits the TLS variable to be specified directly. This is useful because it will allow to move away from using a fixed offset of 40 bytes into the per-CPU area on x86_64, which requires a lot of special handling in the per-CPU code and the runtime relocation code. However, while GCC is rather lax in its implementation of this command line option, Clang actually requires that the provided symbol name refers to a TLS variable (i.e., one declared with __thread), although it also permits the variable to be undeclared entirely, in which case it will use an implicit declaration of the right type. The upshot of this is that Clang will emit the correct references to the stack cookie variable in most cases, e.g., 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax 10f: R_386_32 __stack_chk_guard However, if a non-TLS definition of the symbol in question is visible in the same compilation unit (which amounts to the whole of vmlinux if LTO is enabled), it will drop the per-CPU prefix and emit a load from a bogus address. Work around this by using a symbol name that never occurs in C code, and emit it as an alias in the linker script. Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable") Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> Signed-off-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Tested-by: Nathan Chancellor <nathan(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://github.com/ClangBuiltLinux/linux/issues/1854 Link: https://lore.kernel.org/r/20241105155801.1779119-2-brgerst@gmail.com diff --git a/arch/x86/Makefile b/arch/x86/Makefile index cd75e78a06c1..5b773b34768d 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -142,9 +142,10 @@ ifeq ($(CONFIG_X86_32),y) ifeq ($(CONFIG_STACKPROTECTOR),y) ifeq ($(CONFIG_SMP),y) - KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard + KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \ + -mstack-protector-guard-symbol=__ref_stack_chk_guard else - KBUILD_CFLAGS += -mstack-protector-guard=global + KBUILD_CFLAGS += -mstack-protector-guard=global endif endif else diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S index 324686bca368..b7ea3e8e9ecc 100644 --- a/arch/x86/entry/entry.S +++ b/arch/x86/entry/entry.S @@ -51,3 +51,19 @@ EXPORT_SYMBOL_GPL(mds_verw_sel); .popsection THUNK warn_thunk_thunk, __warn_thunk + +#ifndef CONFIG_X86_64 +/* + * Clang's implementation of TLS stack cookies requires the variable in + * question to be a TLS variable. If the variable happens to be defined as an + * ordinary variable with external linkage in the same compilation unit (which + * amounts to the whole of vmlinux with LTO enabled), Clang will drop the + * segment register prefix from the references, resulting in broken code. Work + * around this by avoiding the symbol used in -mstack-protector-guard-symbol= + * entirely in the C code, and use an alias emitted by the linker script + * instead. + */ +#ifdef CONFIG_STACKPROTECTOR +EXPORT_SYMBOL(__ref_stack_chk_guard); +#endif +#endif diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h index 25466c4d2134..3674006e3974 100644 --- a/arch/x86/include/asm/asm-prototypes.h +++ b/arch/x86/include/asm/asm-prototypes.h @@ -20,3 +20,6 @@ extern void cmpxchg8b_emu(void); #endif +#if defined(__GENKSYMS__) && defined(CONFIG_STACKPROTECTOR) +extern unsigned long __ref_stack_chk_guard; +#endif diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index a5f221ea5688..f43bb974fc66 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -2089,8 +2089,10 @@ void syscall_init(void) #ifdef CONFIG_STACKPROTECTOR DEFINE_PER_CPU(unsigned long, __stack_chk_guard); +#ifndef CONFIG_SMP EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); #endif +#endif #endif /* CONFIG_X86_64 */ diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index b8c5741d2fb4..feb8102a9ca7 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -491,6 +491,9 @@ SECTIONS . = ASSERT((_end - LOAD_OFFSET <= KERNEL_IMAGE_SIZE), "kernel image bigger than KERNEL_IMAGE_SIZE"); +/* needed for Clang - see arch/x86/entry/entry.S */ +PROVIDE(__ref_stack_chk_guard = __stack_chk_guard); + #ifdef CONFIG_X86_64 /* * Per-cpu symbols which need to be offset from __per_cpu_load

9 months, 3 weeks

3
2
0 0

FAILED: patch "[PATCH] x86/stackprotector: Work around strict Clang TLS symbol" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 577c134d311b9b94598d7a0c86be1f431f823003 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111737-undead-acutely-d4b1@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 577c134d311b9b94598d7a0c86be1f431f823003 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel <ardb(a)kernel.org> Date: Tue, 5 Nov 2024 10:57:46 -0500 Subject: [PATCH] x86/stackprotector: Work around strict Clang TLS symbol requirements GCC and Clang both implement stack protector support based on Thread Local Storage (TLS) variables, and this is used in the kernel to implement per-task stack cookies, by copying a task's stack cookie into a per-CPU variable every time it is scheduled in. Both now also implement -mstack-protector-guard-symbol=, which permits the TLS variable to be specified directly. This is useful because it will allow to move away from using a fixed offset of 40 bytes into the per-CPU area on x86_64, which requires a lot of special handling in the per-CPU code and the runtime relocation code. However, while GCC is rather lax in its implementation of this command line option, Clang actually requires that the provided symbol name refers to a TLS variable (i.e., one declared with __thread), although it also permits the variable to be undeclared entirely, in which case it will use an implicit declaration of the right type. The upshot of this is that Clang will emit the correct references to the stack cookie variable in most cases, e.g., 10d: 64 a1 00 00 00 00 mov %fs:0x0,%eax 10f: R_386_32 __stack_chk_guard However, if a non-TLS definition of the symbol in question is visible in the same compilation unit (which amounts to the whole of vmlinux if LTO is enabled), it will drop the per-CPU prefix and emit a load from a bogus address. Work around this by using a symbol name that never occurs in C code, and emit it as an alias in the linker script. Fixes: 3fb0fdb3bbe7 ("x86/stackprotector/32: Make the canary into a regular percpu variable") Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> Signed-off-by: Brian Gerst <brgerst(a)gmail.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Tested-by: Nathan Chancellor <nathan(a)kernel.org> Cc: stable(a)vger.kernel.org Link: https://github.com/ClangBuiltLinux/linux/issues/1854 Link: https://lore.kernel.org/r/20241105155801.1779119-2-brgerst@gmail.com diff --git a/arch/x86/Makefile b/arch/x86/Makefile index cd75e78a06c1..5b773b34768d 100644 --- a/arch/x86/Makefile +++ b/arch/x86/Makefile @@ -142,9 +142,10 @@ ifeq ($(CONFIG_X86_32),y) ifeq ($(CONFIG_STACKPROTECTOR),y) ifeq ($(CONFIG_SMP),y) - KBUILD_CFLAGS += -mstack-protector-guard-reg=fs -mstack-protector-guard-symbol=__stack_chk_guard + KBUILD_CFLAGS += -mstack-protector-guard-reg=fs \ + -mstack-protector-guard-symbol=__ref_stack_chk_guard else - KBUILD_CFLAGS += -mstack-protector-guard=global + KBUILD_CFLAGS += -mstack-protector-guard=global endif endif else diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S index 324686bca368..b7ea3e8e9ecc 100644 --- a/arch/x86/entry/entry.S +++ b/arch/x86/entry/entry.S @@ -51,3 +51,19 @@ EXPORT_SYMBOL_GPL(mds_verw_sel); .popsection THUNK warn_thunk_thunk, __warn_thunk + +#ifndef CONFIG_X86_64 +/* + * Clang's implementation of TLS stack cookies requires the variable in + * question to be a TLS variable. If the variable happens to be defined as an + * ordinary variable with external linkage in the same compilation unit (which + * amounts to the whole of vmlinux with LTO enabled), Clang will drop the + * segment register prefix from the references, resulting in broken code. Work + * around this by avoiding the symbol used in -mstack-protector-guard-symbol= + * entirely in the C code, and use an alias emitted by the linker script + * instead. + */ +#ifdef CONFIG_STACKPROTECTOR +EXPORT_SYMBOL(__ref_stack_chk_guard); +#endif +#endif diff --git a/arch/x86/include/asm/asm-prototypes.h b/arch/x86/include/asm/asm-prototypes.h index 25466c4d2134..3674006e3974 100644 --- a/arch/x86/include/asm/asm-prototypes.h +++ b/arch/x86/include/asm/asm-prototypes.h @@ -20,3 +20,6 @@ extern void cmpxchg8b_emu(void); #endif +#if defined(__GENKSYMS__) && defined(CONFIG_STACKPROTECTOR) +extern unsigned long __ref_stack_chk_guard; +#endif diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index a5f221ea5688..f43bb974fc66 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -2089,8 +2089,10 @@ void syscall_init(void) #ifdef CONFIG_STACKPROTECTOR DEFINE_PER_CPU(unsigned long, __stack_chk_guard); +#ifndef CONFIG_SMP EXPORT_PER_CPU_SYMBOL(__stack_chk_guard); #endif +#endif #endif /* CONFIG_X86_64 */ diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index b8c5741d2fb4..feb8102a9ca7 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -491,6 +491,9 @@ SECTIONS . = ASSERT((_end - LOAD_OFFSET <= KERNEL_IMAGE_SIZE), "kernel image bigger than KERNEL_IMAGE_SIZE"); +/* needed for Clang - see arch/x86/entry/entry.S */ +PROVIDE(__ref_stack_chk_guard = __stack_chk_guard); + #ifdef CONFIG_X86_64 /* * Per-cpu symbols which need to be offset from __per_cpu_load

9 months, 3 weeks

3
2
0 0

[PATCH] mm/huge_memory: Fix to make vma_adjust_trans_huge() use find_vma() correctly

by Jeongjun Park

vma_adjust_trans_huge() uses find_vma() to get the VMA, but find_vma() uses the returned pointer without any verification, even though it may return NULL. In this case, NULL pointer dereference may occur, so to prevent this, vma_adjust_trans_huge() should be fix to verify the return value of find_vma(). Cc: <stable(a)vger.kernel.org> Fixes: 685405020b9f ("mm/khugepaged: stop using vma linked list") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- mm/huge_memory.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 5734d5d5060f..db55b8abae2e 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -2941,9 +2941,12 @@ void vma_adjust_trans_huge(struct vm_area_struct *vma, */ if (adjust_next > 0) { struct vm_area_struct *next = find_vma(vma->vm_mm, vma->vm_end); - unsigned long nstart = next->vm_start; - nstart += adjust_next; - split_huge_pmd_if_needed(next, nstart); + + if (likely(next)) { + unsigned long nstart = next->vm_start; + nstart += adjust_next; + split_huge_pmd_if_needed(next, nstart); + } } } --

9 months, 3 weeks

3
5
0 0

[PATCH] can: dev: can_set_termination(): Allow gpio sleep

by Nicolai Buchwitz

The current implementation of can_set_termination() sets the GPIO in a context which cannot sleep. This is an issue if the GPIO controller can sleep (e.g. since the concerning GPIO expander is connected via SPI or I2C). Thus, if the termination resistor is set (eg. with ip link), a warning splat will be issued in the kernel log. Fix this by setting the termination resistor with gpiod_set_value_cansleep() which instead of gpiod_set_value() allows it to sleep. Cc: stable(a)vger.kernel.org Signed-off-by: Nicolai Buchwitz <nb(a)tipi-net.de> --- drivers/net/can/dev/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c index 6792c14fd7eb..681643ab3780 100644 --- a/drivers/net/can/dev/dev.c +++ b/drivers/net/can/dev/dev.c @@ -468,7 +468,7 @@ static int can_set_termination(struct net_device *ndev, u16 term) else set = 0; - gpiod_set_value(priv->termination_gpio, set); + gpiod_set_value_cansleep(priv->termination_gpio, set); return 0; } -- 2.39.5

9 months, 3 weeks

3
4
0 0

tmpfs hang after v6.12-rc6

by Chuck Lever

I've found that NFS access to an exported tmpfs file system hangs indefinitely when the client first performs a GETATTR. The hanging nfsd thread is waiting for the inode lock in shmem_getattr(): task:nfsd state:D stack:0 pid:1775 tgid:1775 ppid:2 flags:0x00004000 Call Trace: <TASK> __schedule+0x770/0x7b0 schedule+0x33/0x50 schedule_preempt_disabled+0x19/0x30 rwsem_down_read_slowpath+0x206/0x230 down_read+0x3f/0x60 shmem_getattr+0x84/0xf0 vfs_getattr_nosec+0x9e/0xc0 vfs_getattr+0x49/0x50 fh_getattr+0x43/0x50 [nfsd] fh_fill_pre_attrs+0x4e/0xd0 [nfsd] nfsd4_open+0x51f/0x910 [nfsd] nfsd4_proc_compound+0x492/0x5d0 [nfsd] nfsd_dispatch+0x117/0x1f0 [nfsd] svc_process_common+0x3b2/0x5e0 [sunrpc] ? __pfx_nfsd_dispatch+0x10/0x10 [nfsd] svc_process+0xcf/0x130 [sunrpc] svc_recv+0x64e/0x750 [sunrpc] ? __wake_up_bit+0x4b/0x60 ? __pfx_nfsd+0x10/0x10 [nfsd] nfsd+0xc6/0xf0 [nfsd] kthread+0xed/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2e/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> I bisected the problem to: d949d1d14fa281ace388b1de978e8f2cd52875cf is the first bad commit commit d949d1d14fa281ace388b1de978e8f2cd52875cf Author: Jeongjun Park <aha310510(a)gmail.com> AuthorDate: Mon Sep 9 21:35:58 2024 +0900 Commit: Andrew Morton <akpm(a)linux-foundation.org> CommitDate: Mon Oct 28 21:40:39 2024 -0700 mm: shmem: fix data-race in shmem_getattr() ... Link: https://lkml.kernel.org/r/20240909123558.70229-1-aha310510@gmail.com Fixes: 44a30220bc0a ("shmem: recalculate file inode when fstat") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot <syzkaller(a)googlegroup.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> which first appeared in v6.12-rc6, and adds the line that is waiting on the inode lock when my NFS server hangs. I haven't yet found the process that is holding the inode lock for this inode. Because this commit addresses only a KCSAN splat that has been present since v4.3, and does not address a reported behavioral issue, I respectfully request that this commit be reverted immediately so that it does not appear in v6.12 final. Troubleshooting and testing should continue until a fix to the KCSAN issue can be found that does not deadlock NFS exports of tmpfs. -- Chuck Lever

9 months, 3 weeks

4
11
0 0

[PATCH 6.6] s390/pkey: Wipe copies of clear-key structures on failure

by Bin Lan

From: Holger Dengler <dengler(a)linux.ibm.com> [ Upstream commit d65d76a44ffe74c73298ada25b0f578680576073 ] Wipe all sensitive data from stack for all IOCTLs, which convert a clear-key into a protected- or secure-key. Reviewed-by: Harald Freudenberger <freude(a)linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki(a)linux.ibm.com> Acked-by: Heiko Carstens <hca(a)linux.ibm.com> Signed-off-by: Holger Dengler <dengler(a)linux.ibm.com> Signed-off-by: Alexander Gordeev <agordeev(a)linux.ibm.com> [ Resolve minor conflicts to fix CVE-2024-42156 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/s390/crypto/pkey_api.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c index d2ffdf2491da..70fcb5c40cfe 100644 --- a/drivers/s390/crypto/pkey_api.c +++ b/drivers/s390/crypto/pkey_api.c @@ -1366,9 +1366,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype, kcs.clrkey.clrkey, kcs.seckey.seckey); DEBUG_DBG("%s cca_clr2seckey()=%d\n", __func__, rc); - if (rc) - break; - if (copy_to_user(ucs, &kcs, sizeof(kcs))) + if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs))) rc = -EFAULT; memzero_explicit(&kcs, sizeof(kcs)); break; @@ -1401,9 +1399,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, kcp.protkey.protkey, &kcp.protkey.len, &kcp.protkey.type); DEBUG_DBG("%s pkey_clr2protkey()=%d\n", __func__, rc); - if (rc) - break; - if (copy_to_user(ucp, &kcp, sizeof(kcp))) + if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp))) rc = -EFAULT; memzero_explicit(&kcp, sizeof(kcp)); break; @@ -1555,11 +1551,14 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, if (copy_from_user(&kcs, ucs, sizeof(kcs))) return -EFAULT; apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries); - if (IS_ERR(apqns)) + if (IS_ERR(apqns)) { + memzero_explicit(&kcs, sizeof(kcs)); return PTR_ERR(apqns); + } kkey = kzalloc(klen, GFP_KERNEL); if (!kkey) { kfree(apqns); + memzero_explicit(&kcs, sizeof(kcs)); return -ENOMEM; } rc = pkey_clr2seckey2(apqns, kcs.apqn_entries, @@ -1569,15 +1568,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd, kfree(apqns); if (rc) { kfree(kkey); + memzero_explicit(&kcs, sizeof(kcs)); break; } if (kcs.key) { if (kcs.keylen < klen) { kfree(kkey); + memzero_explicit(&kcs, sizeof(kcs)); return -EINVAL; } if (copy_to_user(kcs.key, kkey, klen)) { kfree(kkey); + memzero_explicit(&kcs, sizeof(kcs)); return -EFAULT; } } -- 2.43.0

9 months, 3 weeks

2
1
0 0

[PATCH 6.1] closures: Change BUG_ON() to WARN_ON()

by Bin Lan

From: Kent Overstreet <kent.overstreet(a)linux.dev> [ Upstream commit 339b84ab6b1d66900c27bd999271cb2ae40ce812 ] If a BUG_ON() can be hit in the wild, it shouldn't be a BUG_ON() For reference, this has popped up once in the CI, and we'll need more info to debug it: 03240 ------------[ cut here ]------------ 03240 kernel BUG at lib/closure.c:21! 03240 kernel BUG at lib/closure.c:21! 03240 Internal error: Oops - BUG: 00000000f2000800 [#1] SMP 03240 Modules linked in: 03240 CPU: 15 PID: 40534 Comm: kworker/u80:1 Not tainted 6.10.0-rc4-ktest-ga56da69799bd #25570 03240 Hardware name: linux,dummy-virt (DT) 03240 Workqueue: btree_update btree_interior_update_work 03240 pstate: 00001005 (nzcv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) 03240 pc : closure_put+0x224/0x2a0 03240 lr : closure_put+0x24/0x2a0 03240 sp : ffff0000d12071c0 03240 x29: ffff0000d12071c0 x28: dfff800000000000 x27: ffff0000d1207360 03240 x26: 0000000000000040 x25: 0000000000000040 x24: 0000000000000040 03240 x23: ffff0000c1f20180 x22: 0000000000000000 x21: ffff0000c1f20168 03240 x20: 0000000040000000 x19: ffff0000c1f20140 x18: 0000000000000001 03240 x17: 0000000000003aa0 x16: 0000000000003ad0 x15: 1fffe0001c326974 03240 x14: 0000000000000a1e x13: 0000000000000000 x12: 1fffe000183e402d 03240 x11: ffff6000183e402d x10: dfff800000000000 x9 : ffff6000183e402e 03240 x8 : 0000000000000001 x7 : 00009fffe7c1bfd3 x6 : ffff0000c1f2016b 03240 x5 : ffff0000c1f20168 x4 : ffff6000183e402e x3 : ffff800081391954 03240 x2 : 0000000000000001 x1 : 0000000000000000 x0 : 00000000a8000000 03240 Call trace: 03240 closure_put+0x224/0x2a0 03240 bch2_check_for_deadlock+0x910/0x1028 03240 bch2_six_check_for_deadlock+0x1c/0x30 03240 six_lock_slowpath.isra.0+0x29c/0xed0 03240 six_lock_ip_waiter+0xa8/0xf8 03240 __bch2_btree_node_lock_write+0x14c/0x298 03240 bch2_trans_lock_write+0x6d4/0xb10 03240 __bch2_trans_commit+0x135c/0x5520 03240 btree_interior_update_work+0x1248/0x1c10 03240 process_scheduled_works+0x53c/0xd90 03240 worker_thread+0x370/0x8c8 03240 kthread+0x258/0x2e8 03240 ret_from_fork+0x10/0x20 03240 Code: aa1303e0 d63f0020 a94363f7 17ffff8c (d4210000) 03240 ---[ end trace 0000000000000000 ]--- 03240 Kernel panic - not syncing: Oops - BUG: Fatal exception 03240 SMP: stopping secondary CPUs 03241 SMP: failed to stop secondary CPUs 13,15 03241 Kernel Offset: disabled 03241 CPU features: 0x00,00000003,80000008,4240500b 03241 Memory Limit: none 03241 ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception ]--- 03246 ========= FAILED TIMEOUT copygc_torture_no_checksum in 7200s Signed-off-by: Kent Overstreet <kent.overstreet(a)linux.dev> [ Resolve minor conflicts to fix CVE-2024-42252 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/md/bcache/closure.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/md/bcache/closure.c b/drivers/md/bcache/closure.c index d8d9394a6beb..18f21d4e9aaa 100644 --- a/drivers/md/bcache/closure.c +++ b/drivers/md/bcache/closure.c @@ -17,10 +17,16 @@ static inline void closure_put_after_sub(struct closure *cl, int flags) { int r = flags & CLOSURE_REMAINING_MASK; - BUG_ON(flags & CLOSURE_GUARD_MASK); - BUG_ON(!r && (flags & ~CLOSURE_DESTRUCTOR)); + if (WARN(flags & CLOSURE_GUARD_MASK, + "closure has guard bits set: %x (%u)", + flags & CLOSURE_GUARD_MASK, (unsigned) __fls(r))) + r &= ~CLOSURE_GUARD_MASK; if (!r) { + WARN(flags & ~CLOSURE_DESTRUCTOR, + "closure ref hit 0 with incorrect flags set: %x (%u)", + flags & ~CLOSURE_DESTRUCTOR, (unsigned) __fls(flags)); + if (cl->fn && !(flags & CLOSURE_DESTRUCTOR)) { atomic_set(&cl->remaining, CLOSURE_REMAINING_INITIALIZER); -- 2.43.0

9 months, 3 weeks

3
3
0 0

[PATCH] drm: renesas: rz-du: Increase supported resolutions

by Chris Brandt

The supported resolutions were misrepresented in earlier versions of hardware manuals. Fixes: 768e9e61b3b9 ("drm: renesas: Add RZ/G2L DU Support") Cc: stable(a)vger.kernel.org Signed-off-by: Chris Brandt <chris.brandt(a)renesas.com> --- drivers/gpu/drm/renesas/rz-du/rzg2l_du_kms.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/renesas/rz-du/rzg2l_du_kms.c b/drivers/gpu/drm/renesas/rz-du/rzg2l_du_kms.c index b99217b4e05d..90c6269ccd29 100644 --- a/drivers/gpu/drm/renesas/rz-du/rzg2l_du_kms.c +++ b/drivers/gpu/drm/renesas/rz-du/rzg2l_du_kms.c @@ -311,11 +311,11 @@ int rzg2l_du_modeset_init(struct rzg2l_du_device *rcdu) dev->mode_config.helper_private = &rzg2l_du_mode_config_helper; /* - * The RZ DU uses the VSP1 for memory access, and is limited - * to frame sizes of 1920x1080. + * The RZ DU was designed to support a frame size of 1920x1200 (landscape) + * or 1200x1920 (portrait). */ dev->mode_config.max_width = 1920; - dev->mode_config.max_height = 1080; + dev->mode_config.max_height = 1920; rcdu->num_crtcs = hweight8(rcdu->info->channels_mask); -- 2.34.1

9 months, 4 weeks

3
2
0 0

[PATCH v2] mm/gup: handle NULL pages in unpin_user_pages()

by John Hubbard

The recent addition of "pofs" (pages or folios) handling to gup has a flaw: it assumes that unpin_user_pages() handles NULL pages in the pages** array. That's not the case, as I discovered when I ran on a new configuration on my test machine. Fix this by skipping NULL pages in unpin_user_pages(), just like unpin_folios() already does. Details: when booting on x86 with "numa=fake=2 movablecore=4G" on Linux 6.12, and running this: tools/testing/selftests/mm/gup_longterm ...I get the following crash: BUG: kernel NULL pointer dereference, address: 0000000000000008 RIP: 0010:sanity_check_pinned_pages+0x3a/0x2d0 ... Call Trace: <TASK> ? __die_body+0x66/0xb0 ? page_fault_oops+0x30c/0x3b0 ? do_user_addr_fault+0x6c3/0x720 ? irqentry_enter+0x34/0x60 ? exc_page_fault+0x68/0x100 ? asm_exc_page_fault+0x22/0x30 ? sanity_check_pinned_pages+0x3a/0x2d0 unpin_user_pages+0x24/0xe0 check_and_migrate_movable_pages_or_folios+0x455/0x4b0 __gup_longterm_locked+0x3bf/0x820 ? mmap_read_lock_killable+0x12/0x50 ? __pfx_mmap_read_lock_killable+0x10/0x10 pin_user_pages+0x66/0xa0 gup_test_ioctl+0x358/0xb20 __se_sys_ioctl+0x6b/0xc0 do_syscall_64+0x7b/0x150 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: 94efde1d1539 ("mm/gup: avoid an unnecessary allocation call for FOLL_LONGTERM cases") Cc: David Hildenbrand <david(a)redhat.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: Dave Airlie <airlied(a)redhat.com> Cc: Gerd Hoffmann <kraxel(a)redhat.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Dongwon Kim <dongwon.kim(a)intel.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Junxiao Chang <junxiao.chang(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: John Hubbard <jhubbard(a)nvidia.com> --- Hi, This is based on v6.12. Changes since v1: Simplified by limiting the change to unpin_user_pages() and the associated sanity_check_pinned_pages(), thanks to David Hildenbrand for pointing out that issue in v1 [1]. [1] https://lore.kernel.org/20241119044923.194853-1-jhubbard@nvidia.com thanks, John Hubbard mm/gup.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/mm/gup.c b/mm/gup.c index ad0c8922dac3..7053f8114e01 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -52,7 +52,12 @@ static inline void sanity_check_pinned_pages(struct page **pages, */ for (; npages; npages--, pages++) { struct page *page = *pages; - struct folio *folio = page_folio(page); + struct folio *folio; + + if (!page) + continue; + + folio = page_folio(page); if (is_zero_page(page) || !folio_test_anon(folio)) @@ -409,6 +414,10 @@ void unpin_user_pages(struct page **pages, unsigned long npages) sanity_check_pinned_pages(pages, npages); for (i = 0; i < npages; i += nr) { + if (!pages[i]) { + nr = 1; + continue; + } folio = gup_folio_next(pages, npages, i, &nr); gup_put_folio(folio, nr, FOLL_PIN); } base-commit: adc218676eef25575469234709c2d87185ca223a -- 2.47.0

9 months, 4 weeks

2
1
0 0

[PATCH v2] gpio: exar: set value when external pull-up or pull-down is present

by Sai Kumar Cholleti

Setting GPIO direction = high, sometimes results in GPIO value = 0. If a GPIO is pulled high, the following construction results in the value being 0 when the desired value is 1: $ echo "high" > /sys/class/gpio/gpio336/direction $ cat /sys/class/gpio/gpio336/value 0 Before the GPIO direction is changed from an input to an output, exar_set_value() is called with value = 1, but since the GPIO is an input when exar_set_value() is called, _regmap_update_bits() reads a 1 due to an external pull-up. regmap_set_bits() sets force_write = false, so the value (1) is not written. When the direction is then changed, the GPIO becomes an output with the value of 0 (the hardware default). regmap_write_bits() sets force_write = true, so the value is always written by exar_set_value() and an external pull-up doesn't affect the outcome of setting direction = high. The same can happen when a GPIO is pulled low, but the scenario is a little more complicated. $ echo high > /sys/class/gpio/gpio351/direction $ cat /sys/class/gpio/gpio351/value 1 $ echo in > /sys/class/gpio/gpio351/direction $ cat /sys/class/gpio/gpio351/value 0 $ echo low > /sys/class/gpio/gpio351/direction $ cat /sys/class/gpio/gpio351/value 1 Fixes: 36fb7218e878 ("gpio: exar: switch to using regmap") Signed-off-by: Sai Kumar Cholleti <skmr537(a)gmail.com> Signed-off-by: Matthew McClain <mmcclain(a)noprivs.com> Cc: <stable(a)vger.kernel.org> --- drivers/gpio/gpio-exar.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/gpio/gpio-exar.c b/drivers/gpio/gpio-exar.c index 5170fe7599cd..dfc7a9ca3e62 100644 --- a/drivers/gpio/gpio-exar.c +++ b/drivers/gpio/gpio-exar.c @@ -99,11 +99,13 @@ static void exar_set_value(struct gpio_chip *chip, unsigned int offset, struct exar_gpio_chip *exar_gpio = gpiochip_get_data(chip); unsigned int addr = exar_offset_to_lvl_addr(exar_gpio, offset); unsigned int bit = exar_offset_to_bit(exar_gpio, offset); + unsigned int bit_value = value ? BIT(bit) : 0; - if (value) - regmap_set_bits(exar_gpio->regmap, addr, BIT(bit)); - else - regmap_clear_bits(exar_gpio->regmap, addr, BIT(bit)); + /* + * regmap_write_bits forces value to be written when an external + * pull up/down might otherwise indicate value was already set + */ + regmap_write_bits(exar_gpio->regmap, addr, BIT(bit), bit_value); } static int exar_direction_output(struct gpio_chip *chip, unsigned int offset, -- 2.34.1

9 months, 4 weeks

4
8
0 0

[PATCH] ARM: dts: socfpga: sodia: Fix mdio bus probe and PHY ID

by Nobuhiro Iwamatsu

From: Nobuhiro Iwamatsu <iwamatsu(a)nigauri.org> On SoCFPGA/Sodia board, mdio bus cannot be probed, so the PHY cannot be found and the network device does not work. ``` stmmaceth ff702000.ethernet eth0: __stmmac_open: Cannot attach to PHY (error: -19) ``` To probe the mdio bus, add "snps,dwmac-mdio" as compatible string of the mdio bus. Also the PHY ID connected to this board is 4. Therefore, change to 4. Fixes: 8fbc10b995a5 ("net: stmmac: check fwnode for phy device before scanning for phy") Cc: stable(a)vger.kernel.org # 6.3+ Signed-off-by: Nobuhiro Iwamatsu <iwamatsu(a)nigauri.org> --- arch/arm/boot/dts/intel/socfpga/socfpga_cyclone5_sodia.dts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/arm/boot/dts/intel/socfpga/socfpga_cyclone5_sodia.dts b/arch/arm/boot/dts/intel/socfpga/socfpga_cyclone5_sodia.dts index ce0d6514eeb571..e4794ccb8e413f 100644 --- a/arch/arm/boot/dts/intel/socfpga/socfpga_cyclone5_sodia.dts +++ b/arch/arm/boot/dts/intel/socfpga/socfpga_cyclone5_sodia.dts @@ -66,8 +66,10 @@ &gmac1 { mdio0 { #address-cells = <1>; #size-cells = <0>; - phy0: ethernet-phy@0 { - reg = <0>; + compatible = "snps,dwmac-mdio"; + + phy0: ethernet-phy@4 { + reg = <4>; rxd0-skew-ps = <0>; rxd1-skew-ps = <0>; rxd2-skew-ps = <0>; -- 2.45.2

9 months, 4 weeks

2
3
0 0

[PATCH] i2c: lpi2c: Avoid calling clk_get_rate during transfer

by Bin Lan

From: Alexander Stein <alexander.stein(a)ew.tq-group.com> [ Upstream commit 4268254a39484fc11ba991ae148bacbe75d9cc0a ] Instead of repeatedly calling clk_get_rate for each transfer, lock the clock rate and cache the value. A deadlock has been observed while adding tlv320aic32x4 audio codec to the system. When this clock provider adds its clock, the clk mutex is locked already, it needs to access i2c, which in return needs the mutex for clk_get_rate as well. Signed-off-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> Reviewed-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Reviewed-by: Andi Shyti <andi.shyti(a)kernel.org> Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org> [ Resolve minor conflicts to fix CVE-2024-40965 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/i2c/busses/i2c-imx-lpi2c.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c index 678b30e90492..5d4f04a3c6d3 100644 --- a/drivers/i2c/busses/i2c-imx-lpi2c.c +++ b/drivers/i2c/busses/i2c-imx-lpi2c.c @@ -99,6 +99,7 @@ struct lpi2c_imx_struct { __u8 *rx_buf; __u8 *tx_buf; struct completion complete; + unsigned long rate_per; unsigned int msglen; unsigned int delivered; unsigned int block_data; @@ -207,9 +208,7 @@ static int lpi2c_imx_config(struct lpi2c_imx_struct *lpi2c_imx) lpi2c_imx_set_mode(lpi2c_imx); - clk_rate = clk_get_rate(lpi2c_imx->clks[0].clk); - if (!clk_rate) - return -EINVAL; + clk_rate = lpi2c_imx->rate_per; if (lpi2c_imx->mode == HS || lpi2c_imx->mode == ULTRA_FAST) filt = 0; @@ -590,6 +589,11 @@ static int lpi2c_imx_probe(struct platform_device *pdev) if (ret) return ret; + lpi2c_imx->rate_per = clk_get_rate(lpi2c_imx->clks[0].clk); + if (!lpi2c_imx->rate_per) + return dev_err_probe(&pdev->dev, -EINVAL, + "can't get I2C peripheral clock rate\n"); + pm_runtime_set_autosuspend_delay(&pdev->dev, I2C_PM_TIMEOUT); pm_runtime_use_autosuspend(&pdev->dev); pm_runtime_get_noresume(&pdev->dev); -- 2.43.0

9 months, 4 weeks

3
2
0 0

[PATCH 6.6] i2c: lpi2c: Avoid calling clk_get_rate during transfer

by Bin Lan

From: Alexander Stein <alexander.stein(a)ew.tq-group.com> [ Upstream commit 4268254a39484fc11ba991ae148bacbe75d9cc0a ] Instead of repeatedly calling clk_get_rate for each transfer, lock the clock rate and cache the value. A deadlock has been observed while adding tlv320aic32x4 audio codec to the system. When this clock provider adds its clock, the clk mutex is locked already, it needs to access i2c, which in return needs the mutex for clk_get_rate as well. Signed-off-by: Alexander Stein <alexander.stein(a)ew.tq-group.com> Reviewed-by: Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> Reviewed-by: Andi Shyti <andi.shyti(a)kernel.org> Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org> [ Resolve minor conflicts to fix CVE-2024-40965 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/i2c/busses/i2c-imx-lpi2c.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c index 678b30e90492..5d4f04a3c6d3 100644 --- a/drivers/i2c/busses/i2c-imx-lpi2c.c +++ b/drivers/i2c/busses/i2c-imx-lpi2c.c @@ -99,6 +99,7 @@ struct lpi2c_imx_struct { __u8 *rx_buf; __u8 *tx_buf; struct completion complete; + unsigned long rate_per; unsigned int msglen; unsigned int delivered; unsigned int block_data; @@ -207,9 +208,7 @@ static int lpi2c_imx_config(struct lpi2c_imx_struct *lpi2c_imx) lpi2c_imx_set_mode(lpi2c_imx); - clk_rate = clk_get_rate(lpi2c_imx->clks[0].clk); - if (!clk_rate) - return -EINVAL; + clk_rate = lpi2c_imx->rate_per; if (lpi2c_imx->mode == HS || lpi2c_imx->mode == ULTRA_FAST) filt = 0; @@ -590,6 +589,11 @@ static int lpi2c_imx_probe(struct platform_device *pdev) if (ret) return ret; + lpi2c_imx->rate_per = clk_get_rate(lpi2c_imx->clks[0].clk); + if (!lpi2c_imx->rate_per) + return dev_err_probe(&pdev->dev, -EINVAL, + "can't get I2C peripheral clock rate\n"); + pm_runtime_set_autosuspend_delay(&pdev->dev, I2C_PM_TIMEOUT); pm_runtime_use_autosuspend(&pdev->dev); pm_runtime_get_noresume(&pdev->dev); -- 2.43.0

9 months, 4 weeks

2
1
0 0

[PATCH 0/5] scsi: ufs: Bug fixes for ufs core and platform drivers

by Manivannan Sadhasivam via B4 Relay

Hi, This series has several bug fixes that I encountered when the ufs-qcom driver was removed and inserted back. But the fixes are applicable to other platform glue drivers as well. This series is tested on Qcom RB5 development board based on SM8250 SoC. Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- Manivannan Sadhasivam (5): scsi: ufs: core: Cancel RTC work during ufshcd_remove() scsi: ufs: qcom: Only free platform MSIs when ESI is enabled scsi: ufs: pltfrm: Disable runtime PM during removal of glue drivers scsi: ufs: pltfrm: Drop PM runtime reference count after ufshcd_remove() scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove() drivers/ufs/core/ufshcd.c | 1 + drivers/ufs/host/cdns-pltfrm.c | 4 +--- drivers/ufs/host/tc-dwc-g210-pltfrm.c | 5 +---- drivers/ufs/host/ufs-exynos.c | 3 +-- drivers/ufs/host/ufs-hisi.c | 4 +--- drivers/ufs/host/ufs-mediatek.c | 5 +---- drivers/ufs/host/ufs-qcom.c | 7 ++++--- drivers/ufs/host/ufs-renesas.c | 4 +--- drivers/ufs/host/ufs-sprd.c | 5 +---- drivers/ufs/host/ufshcd-pltfrm.c | 16 ++++++++++++++++ drivers/ufs/host/ufshcd-pltfrm.h | 1 + 11 files changed, 29 insertions(+), 26 deletions(-) --- base-commit: 59b723cd2adbac2a34fc8e12c74ae26ae45bf230 change-id: 20241111-ufs_bug_fix-6d17f39afaa4 Best regards, -- Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org>

9 months, 4 weeks

4
15
0 0

Commit b1a28f2eb9ea ("NFS: nfs_async_write_reschedule_io must not recurse into the writeback code")

by Trond Myklebust

Hi, Can we please push commit b1a28f2eb9ea ("NFS: nfs_async_write_reschedule_io must not recurse into the writeback code") into stable kernel 5.15.x? The bug addressed by this patch is being seen to cause lockups on some production systems running kernels based on Linux 5.15.167. Thanks! Trond -- Trond Myklebust Linux NFS client maintainer, Hammerspace trond.myklebust(a)hammerspace.com

9 months, 4 weeks

2
1
0 0

[PATCH 6.1] media: aspeed: Fix memory overwrite if timing is 1600x900

by Bin Lan

From: Jammy Huang <jammy_huang(a)aspeedtech.com> [ Upstream commit c281355068bc258fd619c5aefd978595bede7bfe ] When capturing 1600x900, system could crash when system memory usage is tight. The way to reproduce this issue: 1. Use 1600x900 to display on host 2. Mount ISO through 'Virtual media' on OpenBMC's web 3. Run script as below on host to do sha continuously #!/bin/bash while [ [1] ]; do find /media -type f -printf '"%h/%f"\n' | xargs sha256sum done 4. Open KVM on OpenBMC's web The size of macro block captured is 8x8. Therefore, we should make sure the height of src-buf is 8 aligned to fix this issue. Signed-off-by: Jammy Huang <jammy_huang(a)aspeedtech.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/media/platform/aspeed/aspeed-video.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/aspeed/aspeed-video.c b/drivers/media/platform/aspeed/aspeed-video.c index 20f795ccc11b..c5af28bf0e96 100644 --- a/drivers/media/platform/aspeed/aspeed-video.c +++ b/drivers/media/platform/aspeed/aspeed-video.c @@ -1047,7 +1047,7 @@ static void aspeed_video_get_resolution(struct aspeed_video *video) static void aspeed_video_set_resolution(struct aspeed_video *video) { struct v4l2_bt_timings *act = &video->active_timings; - unsigned int size = act->width * act->height; + unsigned int size = act->width * ALIGN(act->height, 8); /* Set capture/compression frame sizes */ aspeed_video_calc_compressed_size(video, size); @@ -1064,7 +1064,7 @@ static void aspeed_video_set_resolution(struct aspeed_video *video) u32 width = ALIGN(act->width, 64); aspeed_video_write(video, VE_CAP_WINDOW, width << 16 | act->height); - size = width * act->height; + size = width * ALIGN(act->height, 8); } else { aspeed_video_write(video, VE_CAP_WINDOW, act->width << 16 | act->height); -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH STABLE 5.10] RDMA/restrack: Release MR/QP restrack when delete

by jiang.kun2＠zte.com.cn

From: tuqiang <tu.qiang35(a)zte.com.cn> The MR/QP restrack also needs to be released when delete it, otherwise it cause memory leak as the task struct won't be released. This problem has been fixed by the commit <dac153f2802d> ("RDMA/restrack: Release MR restrack when delete"), but still exists in the linux-5.10.y branch. Fixes: 13ef5539def7 ("RDMA/restrack: Count references to the verbs objects") Signed-off-by: tuqiang <tu.qiang35(a)zte.com.cn> Signed-off-by: Jiang Kun <jiang.kun2(a)zte.com.cn> Cc: stable(a)vger.kernel.org Cc: xu xin <xu.xin16(a)zte.com.cn> Cc: Doug Ledford <dledford(a)redhat.com> Cc: Jason Gunthorpe <jgg(a)ziepe.ca> Cc: Leon Romanovsky <leon(a)kernel.org> --- drivers/infiniband/core/restrack.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/restrack.c index bbbbec5b1593..d5a69c4a1891 100644 --- a/drivers/infiniband/core/restrack.c +++ b/drivers/infiniband/core/restrack.c @@ -326,8 +326,6 @@ void rdma_restrack_del(struct rdma_restrack_entry *res) rt = &dev->res[res->type]; old = xa_erase(&rt->xa, res->id); - if (res->type == RDMA_RESTRACK_MR || res->type == RDMA_RESTRACK_QP) - return; WARN_ON(old != res); res->valid = false; -- 2.18.4

9 months, 4 weeks

4
3
0 0

[PATCH] Revert "f2fs: remove unreachable lazytime mount option parsing"

by Jaegeuk Kim

This reverts commit 54f43a10fa257ad4af02a1d157fefef6ebcfa7dc. The above commit broke the lazytime mount, given mount("/dev/vdb", "/mnt/test", "f2fs", 0, "lazytime"); CC: stable(a)vger.kernel.org # 6.11+ Signed-off-by: Daniel Rosenberg <drosen(a)google.com> Signed-off-by: Jaegeuk Kim <jaegeuk(a)kernel.org> --- fs/f2fs/super.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index 49519439b770..35c4394e4fc6 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -150,6 +150,8 @@ enum { Opt_mode, Opt_fault_injection, Opt_fault_type, + Opt_lazytime, + Opt_nolazytime, Opt_quota, Opt_noquota, Opt_usrquota, @@ -226,6 +228,8 @@ static match_table_t f2fs_tokens = { {Opt_mode, "mode=%s"}, {Opt_fault_injection, "fault_injection=%u"}, {Opt_fault_type, "fault_type=%u"}, + {Opt_lazytime, "lazytime"}, + {Opt_nolazytime, "nolazytime"}, {Opt_quota, "quota"}, {Opt_noquota, "noquota"}, {Opt_usrquota, "usrquota"}, @@ -922,6 +926,12 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount) f2fs_info(sbi, "fault_type options not supported"); break; #endif + case Opt_lazytime: + sb->s_flags |= SB_LAZYTIME; + break; + case Opt_nolazytime: + sb->s_flags &= ~SB_LAZYTIME; + break; #ifdef CONFIG_QUOTA case Opt_quota: case Opt_usrquota: -- 2.47.0.277.g8800431eea-goog

9 months, 4 weeks

4
10
0 0

[PATCH 6.1 000/321] 6.1.107-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.107 release. There are 321 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 29 Aug 2024 14:37:36 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.107-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.107-rc1 Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Input: MT - limit max slots Paolo Abeni <pabeni(a)redhat.com> selftests: net: more strict check in net_helper Yuri Benditovich <yuri.benditovich(a)daynix.com> net: change maximum number of UDP segments to 128 Dave Kleikamp <dave.kleikamp(a)oracle.com> Revert "jfs: fix shift-out-of-bounds in dbJoin" Jesse Brandeburg <jesse.brandeburg(a)intel.com> ice: fix W=1 headers mismatch Felix Fietkau <nbd(a)nbd.name> udp: fix receiving fraglist GSO packets Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Remove freeze_go_demote_ok Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Remove LM_FLAG_PRIORITY flag Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: don't withdraw if init_threads() got interrupted Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix another freeze/thaw hang Felix Fietkau <nbd(a)nbd.name> wifi: cfg80211: fix receiving mesh packets without RFC1042 header Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: fix potential null pointer dereference Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: drop bogus static keywords in A-MSDU rx Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: fix receiving mesh packets in forwarding=0 networks Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: fix flow dissection for forwarded packets Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: fix mesh forwarding Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: fix mesh path discovery based on unicast packets Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: add documentation for amsdu_mesh_control Willem de Bruijn <willemb(a)google.com> net: drop bad gso csum_start and offset in virtio_net_hdr Willem de Bruijn <willemb(a)google.com> net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation Yan Zhai <yan(a)cloudflare.com> gso: fix dodgy bit handling for GSO_UDP_L4 Andrew Melnychenko <andrew(a)daynix.com> udp: allow header check for dodgy GSO_UDP_L4 packets. Jan Höppner <hoeppner(a)linux.ibm.com> Revert "s390/dasd: Establish DMA alignment" Li RongQing <lirongqing(a)baidu.com> KVM: x86: fire timer when it is migrated and expired, and in oneshot mode Boyuan Zhang <boyuan.zhang(a)amd.com> drm/amdgpu/vcn: not pause dpg for unified queue Boyuan Zhang <boyuan.zhang(a)amd.com> drm/amdgpu/vcn: identify unified queue in sw init Lee, Chun-Yi <joeyli.kernel(a)gmail.com> Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO Trond Myklebust <trond.myklebust(a)hammerspace.com> nfsd: Fix a regression in nfsd_setattr() NeilBrown <neilb(a)suse.de> nfsd: don't call locks_release_private() twice concurrently Jeff Layton <jlayton(a)kernel.org> nfsd: drop the nfsd_put helper NeilBrown <neilb(a)suse.de> nfsd: call nfsd_last_thread() before final nfsd_put() NeilBrown <neilb(a)suse.de> NFSD: simplify error paths in nfsd_svc() NeilBrown <neilb(a)suse.de> nfsd: separate nfsd_last_thread() from nfsd_put() NeilBrown <neilb(a)suse.de> nfsd: Simplify code around svc_exit_thread() call in nfsd() Zi Yan <ziy(a)nvidia.com> mm/numa: no task_numa_fault() call if PTE is changed Zi Yan <ziy(a)nvidia.com> mm/numa: no task_numa_fault() call if PMD is changed Hailong Liu <hailong.liu(a)oppo.com> mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0 Takashi Iwai <tiwai(a)suse.de> ALSA: timer: Relax start tick time check for slave timer elements Javier Carrasco <javier.carrasco.cruz(a)gmail.com> hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() Eric Dumazet <edumazet(a)google.com> tcp: do not export tcp_twsk_purge() Alex Hung <alex.hung(a)amd.com> Revert "drm/amd/display: Validate hw_points_num before using it" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "usb: gadget: uvc: cleanup request when not in correct state" Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: only decrement add_addr_accepted for MPJ req Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused flushed subflows Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused removed subflows Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: re-using ID of unused removed ADD_ADDR Peng Fan <peng.fan(a)nxp.com> pmdomain: imx: wait SSAR when i.MX93 power domain on Ben Whitten <ben.whitten(a)gmail.com> mmc: dw_mmc: allow biu and ciu clocks to defer Marc Zyngier <maz(a)kernel.org> KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 Nikolay Kuratov <kniv(a)yandex-team.ru> cxgb4: add forgotten u64 ivlan cast before shift Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination Werner Sembach <wse(a)tuxedocomputers.com> Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3 Siarhei Vishniakou <svv(a)google.com> HID: microsoft: Add rumble support to latest xbox controllers Jason Gerecke <jason.gerecke(a)wacom.com> HID: wacom: Defer calculation of resolution until resolution_code is known Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: Loongson64: Set timer mode in cpu-probe Candice Li <candice.li(a)amd.com> drm/amdgpu: Validate TA binary size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: the buffer of smb2 query dir response has at least 1 byte Chaotian Jing <chaotian.jing(a)mediatek.com> scsi: core: Fix the return value of scsi_logical_block_count() Griffin Kroah-Hartman <griffin(a)kroah.com> Bluetooth: MGMT: Add error handling to pair_device() Dan Carpenter <dan.carpenter(a)linaro.org> mmc: mmc_test: Fix NULL dereference on allocation failure Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dp: reset the link phy params before link training Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dp: fix the max supported bpp logic Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/dpu: don't play tricks with debug macros Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Fix dangling multicast addresses Sean Anderson <sean.anderson(a)linux.dev> net: xilinx: axienet: Always disable promiscuous mode Bharat Bhushan <bbhushan2(a)marvell.com> octeontx2-af: Fix CPT AF register offset calculation Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: flowtable: validate vlan header Eric Dumazet <edumazet(a)google.com> ipv6: prevent possible UAF in ip6_xmit() Eric Dumazet <edumazet(a)google.com> ipv6: fix possible UAF in ip6_finish_output2() Eric Dumazet <edumazet(a)google.com> ipv6: prevent UAF in ip6_send_skb() Stephen Hemminger <stephen(a)networkplumber.org> netem: fix return value if duplicate enqueue fails Joseph Huang <Joseph.Huang(a)garmin.com> net: dsa: mv88e6xxx: Fix out-of-bound access Dan Carpenter <dan.carpenter(a)linaro.org> dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix ICE_LAST_OFFSET formula Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: fix page reuse when PAGE_SIZE is over 8k Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: Pull out next_to_clean bump out of ice_put_rx_buf() Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: Store page count inside ice_rx_buf Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: Add xdp_buff to ice_rx_ring struct Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> ice: Prepare legacy-rx for upcoming XDP multi-buffer support Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix xfrm state handling when clearing active slave Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix xfrm real_dev null pointer dereference Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix null pointer deref in bond_ipsec_offload_ok Nikolay Aleksandrov <razor(a)blackwall.org> bonding: fix bond_ipsec_offload_ok return type Thomas Bogendoerfer <tbogendoerfer(a)suse.de> ip6_tunnel: Fix broken GRO Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Synchronize nft_counter_reset() against reader. Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> netfilter: nft_counter: Disable BH in nft_counter_offload_stats(). Kuniyuki Iwashima <kuniyu(a)amazon.com> kcm: Serialise kcm_sendmsg() for the same socket. Jeremy Kerr <jk(a)codeconstruct.com.au> net: mctp: test: Use correct skb for route input check Florian Westphal <fw(a)strlen.de> tcp: prevent concurrent execution of tcp_sk_exit_batch Eric Dumazet <edumazet(a)google.com> tcp/dccp: do not care about families in inet_twsk_purge() Eric Dumazet <edumazet(a)google.com> tcp/dccp: bypass empty buckets in inet_twsk_purge() Hangbin Liu <liuhangbin(a)gmail.com> selftests: udpgro: report error when receive failed Lucas Karpinski <lkarpins(a)redhat.com> selftests/net: synchronize udpgro tests' tx and rx connection Simon Horman <horms(a)kernel.org> tc-testing: don't access non-existent variable on exception Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: serialize access to the injection/extraction groups Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: fix QoS class for injected packets with "ocelot-8021q" Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and register injection Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: tag_ocelot: call only the relevant portion of __skb_vlan_pop() on TX Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: tag_ocelot: do not rely on skb_mac_header() for VLAN xmit Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: SMP: Fix assumption of Central always being Initiator Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_core: Fix LE quote calculation Lang Yu <Lang.Yu(a)amd.com> drm/amdkfd: reserve the BO before validating it Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator: Fix warning when controller is destroyed in probe Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> drm/amd/display: Adjust cursor position Filipe Manana <fdmanana(a)suse.com> btrfs: send: allow cloning non-aligned extent if it ends at i_size David Sterba <dsterba(a)suse.com> btrfs: replace sb::s_blocksize by fs_info::sectorsize Long Li <longli(a)microsoft.com> net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings Mikulas Patocka <mpatocka(a)redhat.com> dm suspend: return -ERESTARTSYS instead of -EINTR Breno Leitao <leitao(a)debian.org> i2c: tegra: Do not mark ACPI devices as irq safe Michał Mirosław <mirq-linux(a)rere.qmqm.pl> i2c: tegra: allow VI support to be compiled out Michał Mirosław <mirq-linux(a)rere.qmqm.pl> i2c: tegra: allow DVC support to be compiled out Aurelien Jarno <aurelien(a)aurel32.net> media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) Eric Dumazet <edumazet(a)google.com> gtp: pull network headers in gtp_dev_xmit() Phil Chang <phil.chang(a)mediatek.com> hrtimer: Prevent queuing of hrtimer without a function callback Jesse Zhang <jesse.zhang(a)amd.com> drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent Sagi Grimberg <sagi(a)grimberg.me> nvmet-rdma: fix possible bad dereference when freeing rsps Baokun Li <libaokun1(a)huawei.com> ext4: set the type of max_zeroout to unsigned int to avoid overflow Guanrui Huang <guanrui.huang(a)linux.alibaba.com> irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc Abdulrasaq Lawani <abdulrasaqolawani(a)gmail.com> fbdev: offb: replace of_node_put with __free(device_node) Krishna Kurapati <quic_kriskura(a)quicinc.com> usb: dwc3: core: Skip setting event buffers for host only controllers Gergo Koteles <soyer(a)irl.hu> platform/x86: lg-laptop: fix %s null argument warning Adrian Hunter <adrian.hunter(a)intel.com> clocksource: Make watchdog and suspend-timing multiplication overflow safe Biju Das <biju.das.jz(a)bp.renesas.com> irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time Alexander Gordeev <agordeev(a)linux.ibm.com> s390/iucv: fix receive buffer virtual vs physical address confusion Oreoluwa Babatunde <quic_obabatun(a)quicinc.com> openrisc: Call setup_memory() earlier in the init sequence NeilBrown <neilb(a)suse.de> NFS: avoid infinite loop in pnfs_update_layout. Hannes Reinecke <hare(a)suse.de> nvmet-tcp: do not continue for invalid icreq Jian Shen <shenjian15(a)huawei.com> net: hns3: add checking for vf id of mailbox Alexandre Belloni <alexandre.belloni(a)bootlin.com> rtc: nct3018y: fix possible NULL dereference Richard Fitzgerald <rf(a)opensource.cirrus.com> firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: bnep: Fix out-of-bound access Keith Busch <kbusch(a)kernel.org> nvme: clear caller pointer on identify failure Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> usb: gadget: fsl: Increase size of name buffer for endpoints Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: fix to do sanity check in update_sit_entry David Sterba <dsterba(a)suse.com> btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() David Sterba <dsterba(a)suse.com> btrfs: change BUG_ON to assertion in tree_move_down() David Sterba <dsterba(a)suse.com> btrfs: send: handle unexpected data in header buffer in begin_cmd() David Sterba <dsterba(a)suse.com> btrfs: handle invalid root reference found in may_destroy_subvol() David Sterba <dsterba(a)suse.com> btrfs: tests: allocate dummy fs_info and root in test_find_delalloc() David Sterba <dsterba(a)suse.com> btrfs: change BUG_ON to assertion when checking for delayed_node root David Sterba <dsterba(a)suse.com> btrfs: delayed-inode: drop pointless BUG_ON in __btrfs_remove_delayed_item() Michael Ellerman <mpe(a)ellerman.id.au> powerpc/boot: Only free if realloc() succeeds Li zeming <zeming(a)nfschina.com> powerpc/boot: Handle allocation failure in simple_realloc() Helge Deller <deller(a)gmx.de> parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 Christophe Kerello <christophe.kerello(a)foss.st.com> memory: stm32-fmc2-ebi: check regmap_read return value Kees Cook <keescook(a)chromium.org> x86: Increase brk randomness entropy for 64-bit systems Li Nan <linan122(a)huawei.com> md: clean up invalid BUG_ON in md_ioctl Eric Dumazet <edumazet(a)google.com> netlink: hold nlk->cb_mutex longer in __netlink_dump_start() Martin Blumenstingl <martin.blumenstingl(a)googlemail.com> clocksource/drivers/arm_global_timer: Guard against division by zero Stefan Hajnoczi <stefanha(a)redhat.com> virtiofs: forbid newlines in tags Costa Shulyupin <costa.shul(a)redhat.com> hrtimer: Select housekeeping CPU during migration Erico Nunes <nunes.erico(a)gmail.com> drm/lima: set gp bus_stop bit before hard reset Kees Cook <keescook(a)chromium.org> net/sun3_82586: Avoid reading past buffer in debug output Philipp Stanner <pstanner(a)redhat.com> media: drivers/media/dvb-core: copy user arrays safely Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() Max Filippov <jcmvbkbc(a)gmail.com> fs: binfmt_elf_efpic: don't use missing interpreter's properties Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: pci: cx23885: check cx23885_vdev_init() return Neel Natu <neelnatu(a)google.com> kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files Jan Kara <jack(a)suse.cz> quota: Remove BUG_ON from dqget() Al Viro <viro(a)zeniv.linux.org.uk> fuse: fix UAF in rcu pathwalks Al Viro <viro(a)zeniv.linux.org.uk> afs: fix __afs_break_callback() / afs_drop_open_mmap() race Baokun Li <libaokun1(a)huawei.com> ext4: do not trim the group with corrupted block bitmap Daniel Wagner <dwagner(a)suse.de> nvmet-trace: avoid dereferencing pointer too early Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Refcounting fix in gfs2_thaw_super Zijun Hu <quic_zijuhu(a)quicinc.com> Bluetooth: hci_conn: Check non NULL function before calling for HFP offload Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: vop2: clear afbc en and transform bit for cluster window at linear mode Kees Cook <keescook(a)chromium.org> hwmon: (pc87360) Bounds check data->innr usage Bard Liao <yung-chuan.liao(a)linux.intel.com> ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data Kunwu Chan <chentao(a)kylinos.cn> powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu Ashish Mhetre <amhetre(a)nvidia.com> memory: tegra: Skip SID programming if SID registers aren't set Rob Clark <robdclark(a)chromium.org> drm/msm: Reduce fallout of fence signaling vs reclaim hangs Li Lingfeng <lilingfeng3(a)huawei.com> block: Fix lockdep warning in blk_mq_mark_tag_wait Samuel Holland <samuel.holland(a)sifive.com> arm64: Fix KASAN random tag seed initialization Masahiro Yamada <masahiroy(a)kernel.org> rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Masahiro Yamada <masahiroy(a)kernel.org> rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT Miguel Ojeda <ojeda(a)kernel.org> rust: work around `bindgen` 0.69.0 issue Miguel Ojeda <ojeda(a)kernel.org> kbuild: rust_is_available: handle failures calling `$RUSTC`/`$BINDGEN` Miguel Ojeda <ojeda(a)kernel.org> kbuild: rust_is_available: normalize version matching Antoniu Miclaus <antoniu.miclaus(a)analog.com> hwmon: (ltc2992) Avoid division by zero Chengfeng Ye <dg573847474(a)gmail.com> IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock Gustavo A. R. Silva <gustavoars(a)kernel.org> clk: visconti: Add bounds-checking coverage for struct visconti_pll_provider Mukesh Sisodiya <mukesh.sisodiya(a)intel.com> wifi: iwlwifi: fw: Fix debugfs command sending Miri Korenblit <miriam.rachel.korenblit(a)intel.com> wifi: iwlwifi: abort scan when rfkill on but device enabled Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: setattr_chown: Add missing initialization Mike Christie <michael.christie(a)oracle.com> scsi: spi: Fix sshdr use Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: qcom: venus: fix incorrect return value Mikko Perttunen <mperttunen(a)nvidia.com> drm/tegra: Zero-initialize iosys_map Christian Brauner <brauner(a)kernel.org> binfmt_misc: cleanup on filesystem umount Yu Kuai <yukuai3(a)huawei.com> md/raid5-cache: use READ_ONCE/WRITE_ONCE for 'conf->log' Chengfeng Ye <dg573847474(a)gmail.com> media: s5p-mfc: Fix potential deadlock on condlock Chengfeng Ye <dg573847474(a)gmail.com> staging: ks7010: disable bh on tx_dev_lock Alex Hung <alex.hung(a)amd.com> drm/amd/display: Validate hw_points_num before using it Michael Grzeschik <m.grzeschik(a)pengutronix.de> usb: gadget: uvc: cleanup request when not in correct state David Lechner <dlechner(a)baylibre.com> staging: iio: resolver: ad2s1210: fix use before initialization Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: radio-isa: use dev_name to fill in bus_info Philip Yang <Philip.Yang(a)amd.com> drm/amdkfd: Move dma unmapping after TLB flush Jarkko Nikula <jarkko.nikula(a)linux.intel.com> i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer Jarkko Nikula <jarkko.nikula(a)linux.intel.com> i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out Tomi Valkeinen <tomi.valkeinen(a)ideasonboard.com> drm/bridge: tc358768: Attempt to fix DSI horizontal timings Heiko Carstens <hca(a)linux.ibm.com> s390/smp,mcck: fix early IPI handling Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rtrs: Fix the problem of variable not initialized fully Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: riic: avoid potential division by zero Kamalesh Babulal <kamalesh.babulal(a)oracle.com> cgroup: Avoid extra dereference in css_populate_dir() Jeff Johnson <quic_jjohnson(a)quicinc.com> wifi: cw1200: Avoid processing an invalid TIM IE Paul E. McKenney <paulmck(a)kernel.org> rcu: Eliminate rcu_gp_slow_unregister() false positive Zhen Lei <thunder.leizhen(a)huawei.com> rcu: Dump memory object info if callback function is invalid Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix BA session teardown race Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: check wiphy mutex is held for wdev mutex Rand Deeb <rand.sec96(a)gmail.com> ssb: Fix division by zero issue in ssb_calc_clock_rate Lee Jones <lee(a)kernel.org> drm/amd/amdgpu/imu_v11_0: Increase buffer size to ensure all possible values can be stored Parsa Poorshikhian <parsa.poorsh(a)gmail.com> ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 Jie Wang <wangjie125(a)huawei.com> net: hns3: fix a deadlock problem when config TC during resetting Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: use the user's cfg after reset Jie Wang <wangjie125(a)huawei.com> net: hns3: fix wrong use of semaphore up Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Introduce nf_tables_getobj_single Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: nft_obj_filter fits into cb->ctx Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: A better name for nft_obj_filter Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Unconditionally allocate nft_obj_filter Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Audit log dump reset after the fact Florian Westphal <fw(a)strlen.de> netfilter: nf_queue: drop packets with cloned unconfirmed conntracks Donald Hunter <donald.hunter(a)gmail.com> netfilter: flowtable: initialise extack before use Tom Hughes <tom(a)compton.nu> netfilter: allow ipv6 fragments to arrive on different devices Eugene Syromiatnikov <esyr(a)redhat.com> mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size David Thompson <davthompson(a)nvidia.com> mlxbf_gige: disable RX filters until RX path initialized Yue Haibing <yuehaibing(a)huawei.com> mlxbf_gige: Remove two unused function declarations Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: check busy flag in MDIO operations Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: use read_poll_timeout instead delay loop Pawel Dembicki <paweldembicki(a)gmail.com> net: dsa: vsc73xx: pass value in phy_write operation Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> net: axienet: Fix register defines comment description Dan Carpenter <dan.carpenter(a)linaro.org> atm: idt77252: prevent use after free in dequeue_rx() Cosmin Ratiu <cratiu(a)nvidia.com> net/mlx5e: Correctly report errors for ethtool rx flows Dragos Tatulea <dtatulea(a)nvidia.com> net/mlx5e: Take state lock during tx timeout reporter Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli(a)intel.com> igc: Correct the launchtime offset Takashi Iwai <tiwai(a)suse.de> ALSA: usb: Fix UBSAN warning in parse_audio_unit() Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> fs/ntfs3: Do copy_to_user out of run_lock Pei Li <peili.dev(a)gmail.com> jfs: Fix shift-out-of-bounds in dbDiscardAG Edward Adam Davis <eadavis(a)qq.com> jfs: fix null ptr deref in dtInsertEntry Willem de Bruijn <willemb(a)google.com> fou: remove warn in gue_gro_receive on unsupported protocol yunshui <jiangyunshui(a)kylinos.cn> bpf, net: Use DEV_STAT_INC() Jan Kara <jack(a)suse.cz> udf: Fix bogus checksum computation in udf_rename() Jan Kara <jack(a)suse.cz> ext4: do not create EA inode under buffer lock Jan Kara <jack(a)suse.cz> ext4: fold quota accounting into ext4_xattr_inode_lookup_create() Li Zhong <floridsleeves(a)gmail.com> ext4: check the return value of ext4_xattr_inode_dec_ref() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: RFCOMM: Fix not validating setsockopt user input Alexei Starovoitov <ast(a)kernel.org> bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie. Kees Cook <keescook(a)chromium.org> bpf: Replace bpf_lpm_trie_key 0-length array with flexible array Donald Hunter <donald.hunter(a)gmail.com> docs/bpf: Document BPF_MAP_TYPE_LPM_TRIE map Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: check A-MSDU format more carefully Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: add a workaround for receiving non-standard mesh A-MSDU Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: fix receiving A-MSDU frames on mesh interfaces Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: remove mesh forwarding congestion check Felix Fietkau <nbd(a)nbd.name> wifi: cfg80211: factor out bridge tunnel / RFC1042 header check Felix Fietkau <nbd(a)nbd.name> wifi: cfg80211: move A-MSDU check in ieee80211_data_to_8023_exthdr Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: fix and simplify unencrypted drop check for mesh Gavrilov Ilia <Ilia.Gavrilov(a)infotecs.ru> pppoe: Fix memory leak in pppoe_sendmsg() Dmitry Antipov <dmantipov(a)yandex.ru> net: sctp: fix skb leak in sctp_inq_free() Allison Henderson <allison.henderson(a)oracle.com> net:rds: Fix possible deadlock in rds_message_put Jan Kara <jack(a)suse.cz> quota: Detect loops in quota tree Gao Xiang <xiang(a)kernel.org> erofs: avoid debugging output for (de)compressed data Edward Adam Davis <eadavis(a)qq.com> reiserfs: fix uninit-value in comp_keys Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: fix variable overflow triggered by sysbot Lizhi Xu <lizhi.xu(a)windriver.com> squashfs: squashfs_read_data need to check if the length is 0 Manas Ghandat <ghandatmanas(a)gmail.com> jfs: fix shift-out-of-bounds in dbJoin Jakub Kicinski <kuba(a)kernel.org> net: don't dump stack on queue timeout Yajun Deng <yajun.deng(a)linux.dev> net: sched: Print msecs when transmit queue time out Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: fix change_address deadlock during unregister Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: take wiphy lock for MAC addr change Ying Hsu <yinghsu(a)chromium.org> Bluetooth: Fix hci_link_tx_to RCU lock usage Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Stop using gfs2_make_fs_ro for withdraw Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Rework freeze / thaw logic Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Rename SDF_{FS_FROZEN => FREEZE_INITIATOR} Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Rename gfs2_freeze_lock{ => _shared } Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Rename the {freeze,thaw}_super callbacks Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Rename remaining "transaction" glock references Kees Cook <keescook(a)chromium.org> pid: Replace struct pid 1-element array with flex-array Thomas Gleixner <tglx(a)linutronix.de> posix-timers: Ensure timer ID search-loop limit is valid Andrii Nakryiko <andrii(a)kernel.org> bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log Andrii Nakryiko <andrii(a)kernel.org> bpf: Split off basic BPF verifier log into separate file Ivan Orlov <ivan.orlov0322(a)gmail.com> mm: khugepaged: fix kernel BUG in hpage_collapse_scan_file() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> nilfs2: initialize "struct nilfs_binfo_dat"->bi_pad field Ivan Orlov <ivan.orlov0322(a)gmail.com> 9P FS: Fix wild-memory-access write in v9fs_get_acl Theodore Ts'o <tytso(a)mit.edu> ext4, jbd2: add an optimized bmap for the journal inode Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: prevent WARNING in nilfs_dat_commit_end() Leon Hwang <leon.hwang(a)linux.dev> bpf: Fix updating attached freplace prog in prog_array map Claudio Imbrenda <imbrenda(a)linux.ibm.com> s390/uv: Panic for set and remove shared access UVC errors Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/jpeg2: properly set atomics vmid field Al Viro <viro(a)zeniv.linux.org.uk> memcg_write_event_control(): fix a user-triggerable oops Bas Nieuwenhuizen <bas(a)basnieuwenhuizen.nl> drm/amdgpu: Actually check flags for all context ops. Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: add dev extent item checks Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: properly take lock to read/update block group's zoned variables Waiman Long <longman(a)redhat.com> mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu Zhen Lei <thunder.leizhen(a)huawei.com> selinux: fix potential counting error in avc_add_xperms_decision() Max Kellermann <max.kellermann(a)ionos.com> fs/netfs/fscache_cookie: add missing "n_accesses" check Dan Carpenter <dan.carpenter(a)linaro.org> rtla/osnoise: Prevent NULL dereference in error handling Andi Shyti <andi.shyti(a)kernel.org> i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume Al Viro <viro(a)zeniv.linux.org.uk> fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE Alexander Lobakin <aleksander.lobakin(a)intel.com> bitmap: introduce generic optimized bitmap_size() Alexander Lobakin <aleksander.lobakin(a)intel.com> btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() Alexander Lobakin <aleksander.lobakin(a)intel.com> s390/cio: rename bitmap_size() -> idset_bitmap_size() Alexander Lobakin <aleksander.lobakin(a)intel.com> fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() Zhihao Cheng <chengzhihao1(a)huawei.com> vfs: Don't evict inode under the inode lru traversing context Mikulas Patocka <mpatocka(a)redhat.com> dm persistent data: fix memory allocation failure Khazhismel Kumykov <khazhy(a)google.com> dm resume: don't return EINVAL when signalled Haibo Xu <haibo1.xu(a)intel.com> arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE Nam Cao <namcao(a)linutronix.de> riscv: change XIP's kernel_map.size to be size of the entire kernel Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix error recovery leading to data corruption on ESE devices Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Mark XDomain as unplugged when router is removed Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration Juan José Arboleda <soyjuanarbol(a)gmail.com> ALSA: usb-audio: Support Yamaha P-125 quirk entry Lianqin Hu <hulianqin(a)vivo.com> ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Check USB endpoints when probing device Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Refine workqueue handling Eli Billauer <eli.billauer(a)gmail.com> char: xillybus: Don't destroy workqueue from work item running on it Jann Horn <jannh(a)google.com> fuse: Initialize beyond-EOF page contents before setting uptodate Mathieu Othacehe <othacehe(a)gnu.org> tty: atmel_serial: use the correct RTS flag. ------------- Diffstat: Documentation/bpf/map_lpm_trie.rst | 181 ++++++++++ Documentation/filesystems/gfs2-glocks.rst | 3 +- Makefile | 4 +- arch/arm64/kernel/acpi_numa.c | 2 +- arch/arm64/kernel/setup.c | 3 - arch/arm64/kernel/smp.c | 2 + arch/arm64/kvm/sys_regs.c | 6 + arch/arm64/kvm/vgic/vgic.h | 7 + arch/mips/kernel/cpu-probe.c | 4 + arch/openrisc/kernel/setup.c | 6 +- arch/parisc/kernel/irq.c | 4 +- arch/powerpc/boot/simple_alloc.c | 7 +- arch/powerpc/sysdev/xics/icp-native.c | 2 + arch/riscv/mm/init.c | 4 +- arch/s390/include/asm/uv.h | 5 +- arch/s390/kernel/early.c | 12 +- arch/s390/kernel/smp.c | 4 +- arch/x86/kernel/process.c | 5 +- arch/x86/kvm/lapic.c | 8 +- block/blk-mq-tag.c | 5 +- drivers/atm/idt77252.c | 9 +- drivers/bluetooth/hci_ldisc.c | 3 +- drivers/char/xillybus/xillyusb.c | 42 ++- drivers/clk/visconti/pll.c | 6 +- drivers/clocksource/arm_global_timer.c | 11 +- drivers/firmware/cirrus/cs_dsp.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 40 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c | 8 + drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 6 +- drivers/gpu/drm/amd/amdgpu/imu_v11_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 4 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 24 +- .../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 2 +- drivers/gpu/drm/bridge/tc358768.c | 215 ++++++++++-- drivers/gpu/drm/lima/lima_gp.c | 12 + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.h | 14 +- drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 3 + drivers/gpu/drm/msm/dp/dp_ctrl.c | 2 + drivers/gpu/drm/msm/dp/dp_panel.c | 19 +- drivers/gpu/drm/msm/msm_gem_shrinker.c | 2 +- drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 5 + drivers/gpu/drm/tegra/gem.c | 2 +- drivers/hid/hid-ids.h | 10 +- drivers/hid/hid-microsoft.c | 11 +- drivers/hid/wacom_wac.c | 4 +- drivers/hwmon/ltc2992.c | 8 +- drivers/hwmon/pc87360.c | 6 +- drivers/i2c/busses/i2c-qcom-geni.c | 4 +- drivers/i2c/busses/i2c-riic.c | 2 +- drivers/i2c/busses/i2c-tegra.c | 41 ++- drivers/i3c/master/mipi-i3c-hci/dma.c | 5 +- drivers/infiniband/hw/hfi1/chip.c | 5 +- drivers/infiniband/ulp/rtrs/rtrs.c | 2 +- drivers/input/input-mt.c | 3 + drivers/input/serio/i8042-acpipnpio.h | 20 +- drivers/input/serio/i8042.c | 10 +- drivers/irqchip/irq-gic-v3-its.c | 2 - drivers/irqchip/irq-renesas-rzg2l.c | 5 +- drivers/md/dm-clone-metadata.c | 5 - drivers/md/dm-ioctl.c | 22 +- drivers/md/dm.c | 4 +- drivers/md/md.c | 5 - drivers/md/persistent-data/dm-space-map-metadata.c | 4 +- drivers/md/raid5-cache.c | 47 +-- drivers/media/dvb-core/dvb_frontend.c | 12 +- drivers/media/pci/cx23885/cx23885-video.c | 8 + drivers/media/pci/solo6x10/solo6x10-offsets.h | 10 +- drivers/media/platform/qcom/venus/pm_helpers.c | 2 +- .../media/platform/samsung/s5p-mfc/s5p_mfc_enc.c | 2 +- drivers/media/radio/radio-isa.c | 2 +- drivers/memory/stm32-fmc2-ebi.c | 122 +++++-- drivers/memory/tegra/tegra186.c | 3 + drivers/mmc/core/mmc_test.c | 9 +- drivers/mmc/host/dw_mmc.c | 8 + drivers/net/bonding/bond_main.c | 21 +- drivers/net/bonding/bond_options.c | 2 +- drivers/net/dsa/mv88e6xxx/global1_atu.c | 3 +- drivers/net/dsa/ocelot/felix.c | 11 + drivers/net/dsa/vitesse-vsc73xx-core.c | 69 +++- drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 7 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 + .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 28 +- .../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 +- .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 3 + .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +- drivers/net/ethernet/i825xx/sun3_82586.c | 2 +- drivers/net/ethernet/intel/ice/ice_base.c | 4 +- drivers/net/ethernet/intel/ice/ice_lib.c | 8 +- drivers/net/ethernet/intel/ice/ice_main.c | 10 +- drivers/net/ethernet/intel/ice/ice_txrx.c | 117 +++---- drivers/net/ethernet/intel/ice/ice_txrx.h | 6 +- drivers/net/ethernet/intel/ice/ice_txrx_lib.c | 1 + drivers/net/ethernet/intel/igc/igc_defines.h | 15 + drivers/net/ethernet/intel/igc/igc_main.c | 7 + drivers/net/ethernet/intel/igc/igc_regs.h | 1 + drivers/net/ethernet/intel/igc/igc_tsn.c | 64 ++++ drivers/net/ethernet/intel/igc/igc_tsn.h | 1 + .../net/ethernet/marvell/octeontx2/af/rvu_cpt.c | 23 +- .../ethernet/mellanox/mlx5/core/en/reporter_tx.c | 2 + .../ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 2 +- .../net/ethernet/mellanox/mlxbf_gige/mlxbf_gige.h | 9 +- .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_main.c | 10 + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_regs.h | 2 + .../ethernet/mellanox/mlxbf_gige/mlxbf_gige_rx.c | 50 ++- drivers/net/ethernet/microsoft/mana/mana.h | 1 + drivers/net/ethernet/microsoft/mana/mana_en.c | 22 +- drivers/net/ethernet/mscc/ocelot.c | 91 ++++- drivers/net/ethernet/mscc/ocelot_fdma.c | 3 +- drivers/net/ethernet/mscc/ocelot_vsc7514.c | 4 + drivers/net/ethernet/xilinx/xilinx_axienet.h | 17 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 25 +- drivers/net/gtp.c | 3 + drivers/net/ppp/pppoe.c | 23 +- drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 6 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 2 +- drivers/net/wireless/st/cw1200/txrx.c | 2 +- drivers/nvme/host/core.c | 5 +- drivers/nvme/target/rdma.c | 16 +- drivers/nvme/target/tcp.c | 1 + drivers/nvme/target/trace.c | 6 +- drivers/nvme/target/trace.h | 28 +- drivers/platform/surface/aggregator/controller.c | 3 +- drivers/platform/x86/lg-laptop.c | 2 +- drivers/rtc/rtc-nct3018y.c | 6 +- drivers/s390/block/dasd.c | 36 +- drivers/s390/block/dasd_3990_erp.c | 10 +- drivers/s390/block/dasd_diag.c | 1 - drivers/s390/block/dasd_eckd.c | 58 ++- drivers/s390/block/dasd_int.h | 2 +- drivers/s390/cio/idset.c | 12 +- drivers/scsi/lpfc/lpfc_sli.c | 2 +- drivers/scsi/scsi_transport_spi.c | 4 +- drivers/soc/imx/imx93-pd.c | 5 +- drivers/ssb/main.c | 2 +- drivers/staging/iio/resolver/ad2s1210.c | 7 +- drivers/staging/ks7010/ks7010_sdio.c | 4 +- drivers/thunderbolt/switch.c | 1 + drivers/tty/serial/atmel_serial.c | 2 +- drivers/usb/dwc3/core.c | 13 + drivers/usb/gadget/udc/fsl_udc_core.c | 2 +- drivers/usb/host/xhci.c | 8 +- drivers/video/fbdev/offb.c | 3 +- fs/9p/xattr.c | 8 +- fs/afs/file.c | 8 +- fs/binfmt_elf_fdpic.c | 2 +- fs/binfmt_misc.c | 216 +++++++++--- fs/btrfs/delayed-inode.c | 4 +- fs/btrfs/disk-io.c | 2 + fs/btrfs/extent_io.c | 4 +- fs/btrfs/free-space-cache.c | 22 +- fs/btrfs/inode.c | 11 +- fs/btrfs/ioctl.c | 2 +- fs/btrfs/qgroup.c | 2 - fs/btrfs/reflink.c | 6 +- fs/btrfs/send.c | 63 +++- fs/btrfs/super.c | 2 +- fs/btrfs/tests/extent-io-tests.c | 28 +- fs/btrfs/tree-checker.c | 69 ++++ fs/erofs/decompressor.c | 8 +- fs/ext4/extents.c | 3 +- fs/ext4/mballoc.c | 3 + fs/ext4/super.c | 23 ++ fs/ext4/xattr.c | 158 ++++----- fs/f2fs/segment.c | 5 +- fs/file.c | 28 +- fs/fscache/cookie.c | 4 + fs/fuse/cuse.c | 3 +- fs/fuse/dev.c | 6 +- fs/fuse/fuse_i.h | 1 + fs/fuse/inode.c | 15 +- fs/fuse/virtio_fs.c | 10 + fs/gfs2/glock.c | 27 +- fs/gfs2/glock.h | 9 - fs/gfs2/glops.c | 66 ++-- fs/gfs2/incore.h | 2 +- fs/gfs2/inode.c | 2 +- fs/gfs2/lock_dlm.c | 5 - fs/gfs2/log.c | 2 - fs/gfs2/ops_fstype.c | 13 +- fs/gfs2/recovery.c | 28 +- fs/gfs2/super.c | 197 ++++++++--- fs/gfs2/super.h | 1 + fs/gfs2/sys.c | 2 +- fs/gfs2/util.c | 53 +-- fs/gfs2/util.h | 5 +- fs/inode.c | 39 ++- fs/jbd2/journal.c | 9 +- fs/jfs/jfs_dmap.c | 2 + fs/jfs/jfs_dtree.c | 2 + fs/kernfs/file.c | 8 +- fs/nfs/pnfs.c | 8 + fs/nfsd/nfs4proc.c | 4 + fs/nfsd/nfs4state.c | 2 +- fs/nfsd/nfsctl.c | 32 +- fs/nfsd/nfsd.h | 3 +- fs/nfsd/nfssvc.c | 85 ++--- fs/nfsd/vfs.c | 6 +- fs/nilfs2/btree.c | 1 + fs/nilfs2/dat.c | 11 + fs/nilfs2/direct.c | 1 + fs/ntfs3/bitmap.c | 4 +- fs/ntfs3/frecord.c | 75 +++- fs/ntfs3/fsntfs.c | 2 +- fs/ntfs3/index.c | 11 +- fs/ntfs3/ntfs_fs.h | 4 +- fs/ntfs3/super.c | 2 +- fs/quota/dquot.c | 5 +- fs/quota/quota_tree.c | 128 +++++-- fs/quota/quota_v2.c | 15 +- fs/reiserfs/stree.c | 2 +- fs/smb/server/smb2pdu.c | 3 +- fs/squashfs/block.c | 2 +- fs/squashfs/file.c | 3 +- fs/squashfs/file_direct.c | 6 +- fs/udf/namei.c | 1 - include/linux/bitmap.h | 20 +- include/linux/bpf_verifier.h | 23 +- include/linux/cpumask.h | 2 +- include/linux/dsa/ocelot.h | 47 +++ include/linux/fs.h | 5 + include/linux/if_vlan.h | 21 ++ include/linux/jbd2.h | 8 + include/linux/pid.h | 2 +- include/linux/sched/signal.h | 2 +- include/linux/sunrpc/svc.h | 13 - include/linux/udp.h | 2 +- include/linux/virtio_net.h | 35 +- include/net/cfg80211.h | 40 ++- include/net/inet_timewait_sock.h | 2 +- include/net/kcm.h | 1 + include/net/tcp.h | 2 +- include/scsi/scsi_cmnd.h | 2 +- include/soc/mscc/ocelot.h | 12 +- include/trace/events/huge_memory.h | 3 +- include/uapi/linux/bpf.h | 19 +- init/Kconfig | 7 +- kernel/bpf/Makefile | 3 +- kernel/bpf/log.c | 82 +++++ kernel/bpf/lpm_trie.c | 33 +- kernel/bpf/verifier.c | 69 ---- kernel/cgroup/cgroup.c | 4 +- kernel/pid.c | 7 +- kernel/pid_namespace.c | 2 +- kernel/rcu/rcu.h | 7 + kernel/rcu/srcutiny.c | 1 + kernel/rcu/srcutree.c | 1 + kernel/rcu/tasks.h | 1 + kernel/rcu/tiny.c | 1 + kernel/rcu/tree.c | 3 +- kernel/time/clocksource.c | 42 ++- kernel/time/hrtimer.c | 5 +- kernel/time/posix-timers.c | 31 +- lib/math/prime_numbers.c | 2 - mm/huge_memory.c | 30 +- mm/khugepaged.c | 20 ++ mm/memcontrol.c | 7 +- mm/memory-failure.c | 20 +- mm/memory.c | 29 +- mm/vmalloc.c | 11 +- net/bluetooth/bnep/core.c | 3 +- net/bluetooth/hci_conn.c | 11 +- net/bluetooth/hci_core.c | 24 +- net/bluetooth/mgmt.c | 4 + net/bluetooth/rfcomm/sock.c | 14 +- net/bluetooth/smp.c | 146 ++++---- net/bridge/br_netfilter_hooks.c | 6 +- net/core/filter.c | 8 +- net/core/skbuff.c | 8 +- net/dccp/ipv4.c | 2 +- net/dccp/ipv6.c | 6 - net/dsa/tag_ocelot.c | 37 +- net/ipv4/fou.c | 2 +- net/ipv4/inet_timewait_sock.c | 16 +- net/ipv4/tcp_ipv4.c | 16 +- net/ipv4/tcp_minisocks.c | 7 +- net/ipv4/tcp_offload.c | 3 + net/ipv4/udp_offload.c | 18 +- net/ipv6/ip6_output.c | 10 + net/ipv6/ip6_tunnel.c | 12 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 4 + net/ipv6/tcp_ipv6.c | 6 - net/iucv/iucv.c | 3 +- net/kcm/kcmsock.c | 4 + net/mac80211/agg-tx.c | 6 +- net/mac80211/debugfs_netdev.c | 3 - net/mac80211/driver-ops.c | 3 - net/mac80211/ieee80211_i.h | 1 - net/mac80211/iface.c | 27 +- net/mac80211/rx.c | 387 +++++++++++---------- net/mac80211/sta_info.c | 17 + net/mac80211/sta_info.h | 3 + net/mctp/test/route-test.c | 2 +- net/mptcp/diag.c | 2 +- net/mptcp/pm_netlink.c | 31 +- net/netfilter/nf_flow_table_inet.c | 3 + net/netfilter/nf_flow_table_ip.c | 3 + net/netfilter/nf_flow_table_offload.c | 2 +- net/netfilter/nf_tables_api.c | 225 +++++++----- net/netfilter/nfnetlink_queue.c | 35 +- net/netfilter/nft_counter.c | 9 +- net/netlink/af_netlink.c | 13 +- net/rds/recv.c | 13 +- net/sched/sch_generic.c | 11 +- net/sched/sch_netem.c | 47 ++- net/sctp/inqueue.c | 14 +- net/wireless/core.h | 8 +- net/wireless/util.c | 195 +++++++---- samples/bpf/map_perf_test_user.c | 2 +- samples/bpf/xdp_router_ipv4_user.c | 2 +- scripts/rust_is_available.sh | 41 ++- security/selinux/avc.c | 2 +- sound/core/timer.c | 2 +- sound/pci/hda/patch_realtek.c | 1 - sound/soc/sof/ipc4.c | 9 +- sound/usb/mixer.c | 7 + sound/usb/quirks-table.h | 1 + sound/usb/quirks.c | 2 + tools/include/linux/bitmap.h | 7 +- tools/include/uapi/linux/bpf.h | 19 +- tools/testing/selftests/bpf/progs/map_ptr_kern.c | 2 +- tools/testing/selftests/bpf/test_lpm_map.c | 18 +- tools/testing/selftests/core/close_range_test.c | 35 ++ tools/testing/selftests/net/net_helper.sh | 25 ++ tools/testing/selftests/net/udpgro.sh | 57 +-- tools/testing/selftests/net/udpgro_bench.sh | 5 +- tools/testing/selftests/net/udpgro_frglist.sh | 5 +- tools/testing/selftests/net/udpgso.c | 2 +- tools/testing/selftests/tc-testing/tdc.py | 1 - tools/tracing/rtla/src/osnoise_top.c | 11 +- 335 files changed, 4050 insertions(+), 2027 deletions(-)

9 months, 4 weeks

18
350
0 0

[PATCH v4] memfd: `MFD_NOEXEC_SEAL` should not imply `MFD_ALLOW_SEALING`

by Barnabás Pőcze

`MFD_NOEXEC_SEAL` should remove the executable bits and set `F_SEAL_EXEC` to prevent further modifications to the executable bits as per the comment in the uapi header file: not executable and sealed to prevent changing to executable However, commit 105ff5339f498a ("mm/memfd: add MFD_NOEXEC_SEAL and MFD_EXEC") that introduced this feature made it so that `MFD_NOEXEC_SEAL` unsets `F_SEAL_SEAL`, essentially acting as a superset of `MFD_ALLOW_SEALING`. Nothing implies that it should be so, and indeed up until the second version of the of the patchset[0] that introduced `MFD_EXEC` and `MFD_NOEXEC_SEAL`, `F_SEAL_SEAL` was not removed, however, it was changed in the third revision of the patchset[1] without a clear explanation. This behaviour is surprising for application developers, there is no documentation that would reveal that `MFD_NOEXEC_SEAL` has the additional effect of `MFD_ALLOW_SEALING`. Additionally, combined with `vm.memfd_noexec=2` it has the effect of making all memfds initially sealable. So do not remove `F_SEAL_SEAL` when `MFD_NOEXEC_SEAL` is requested, thereby returning to the pre-Linux 6.3 behaviour of only allowing sealing when `MFD_ALLOW_SEALING` is specified. Now, this is technically a uapi break. However, the damage is expected to be minimal. To trigger user visible change, a program has to do the following steps: - create memfd: - with `MFD_NOEXEC_SEAL`, - without `MFD_ALLOW_SEALING`; - try to add seals / check the seals. But that seems unlikely to happen intentionally since this change essentially reverts the kernel's behaviour to that of Linux <6.3, so if a program worked correctly on those older kernels, it will likely work correctly after this change. I have used Debian Code Search and GitHub to try to find potential breakages, and I could only find a single one. dbus-broker's memfd_create() wrapper is aware of this implicit `MFD_ALLOW_SEALING` behaviour, and tries to work around it[2]. This workaround will break. Luckily, this only affects the test suite, it does not affect the normal operations of dbus-broker. There is a PR with a fix[3]. I also carried out a smoke test by building a kernel with this change and booting an Arch Linux system into GNOME and Plasma sessions. There was also a previous attempt to address this peculiarity by introducing a new flag[4]. [0]: https://lore.kernel.org/lkml/20220805222126.142525-3-jeffxu@google.com/ [1]: https://lore.kernel.org/lkml/20221202013404.163143-3-jeffxu@google.com/ [2]: https://github.com/bus1/dbus-broker/blob/9eb0b7e5826fc76cad7b025bc46f267d4a… [3]: https://github.com/bus1/dbus-broker/pull/366 [4]: https://lore.kernel.org/lkml/20230714114753.170814-1-david@readahead.eu/ Cc: stable(a)vger.kernel.org Signed-off-by: Barnabás Pőcze <pobrn(a)protonmail.com> --- * v3: https://lore.kernel.org/linux-mm/20240611231409.3899809-1-jeffxu@chromium.o… * v2: https://lore.kernel.org/linux-mm/20240524033933.135049-1-jeffxu@google.com/ * v1: https://lore.kernel.org/linux-mm/20240513191544.94754-1-pobrn@protonmail.co… This fourth version returns to removing the inconsistency as opposed to documenting its existence, with the same code change as v1 but with a somewhat extended commit message. This is sent because I believe it is worth at least a try; it can be easily reverted if bigger application breakages are discovered than initially imagined. --- mm/memfd.c | 9 ++++----- tools/testing/selftests/memfd/memfd_test.c | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/mm/memfd.c b/mm/memfd.c index 7d8d3ab3fa37..8b7f6afee21d 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -356,12 +356,11 @@ SYSCALL_DEFINE2(memfd_create, inode->i_mode &= ~0111; file_seals = memfd_file_seals_ptr(file); - if (file_seals) { - *file_seals &= ~F_SEAL_SEAL; + if (file_seals) *file_seals |= F_SEAL_EXEC; - } - } else if (flags & MFD_ALLOW_SEALING) { - /* MFD_EXEC and MFD_ALLOW_SEALING are set */ + } + + if (flags & MFD_ALLOW_SEALING) { file_seals = memfd_file_seals_ptr(file); if (file_seals) *file_seals &= ~F_SEAL_SEAL; diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index 95af2d78fd31..7b78329f65b6 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -1151,7 +1151,7 @@ static void test_noexec_seal(void) mfd_def_size, MFD_CLOEXEC | MFD_NOEXEC_SEAL); mfd_assert_mode(fd, 0666); - mfd_assert_has_seals(fd, F_SEAL_EXEC); + mfd_assert_has_seals(fd, F_SEAL_SEAL | F_SEAL_EXEC); mfd_fail_chmod(fd, 0777); close(fd); } -- 2.45.2

9 months, 4 weeks

3
4
0 0

[PATCH 0/6] firmware: qcom: scm: Fixes for concurrency

by Krzysztof Kozlowski

SCM driver looks messy in terms of handling concurrency of probe. The driver exports interface which is guarded by global '__scm' variable but: 1. Lacks proper read barrier (commit adding write barriers mixed up READ_ONCE with a read barrier). 2. Lacks barriers or checks for '__scm' in multiple places. 3. Lacks probe error cleanup. I fixed here few visible things, but this was not tested extensively. I tried only SM8450. ARM32 and SC8280xp/X1E platforms would be useful for testing as well. All the issues here are non-urgent, IOW, they were here for some time (v6.10-rc1 and earlier). Best regards, Krzysztof --- Krzysztof Kozlowski (6): firmware: qcom: scm: Fix missing read barrier in qcom_scm_is_available() firmware: qcom: scm: Fix missing read barrier in qcom_scm_get_tzmem_pool() firmware: qcom: scm: Handle various probe ordering for qcom_scm_assign_mem() [RFC/RFT] firmware: qcom: scm: Cleanup global '__scm' on probe failures firmware: qcom: scm: smc: Handle missing SCM device firmware: qcom: scm: smc: Narrow 'mempool' variable scope drivers/firmware/qcom/qcom_scm-smc.c | 6 +++- drivers/firmware/qcom/qcom_scm.c | 55 +++++++++++++++++++++++++----------- 2 files changed, 44 insertions(+), 17 deletions(-) --- base-commit: 414c97c966b69e4a6ea7b32970fa166b2f9b9ef0 change-id: 20241119-qcom-scm-missing-barriers-and-all-sort-of-srap-a25d59074882 Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

9 months, 4 weeks

4
6
0 0

[PATCH v3 0/2] media: uvcvideo: Support partial control reads and minor changes

by Ricardo Ribalda

Some cameras do not return all the bytes requested from a control if it can fit in less bytes. Eg: returning 0xab instead of 0x00ab. Support these devices. Also, now that we are at it, improve uvc_query_ctrl() logging. Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v3: - Improve documentation. - Do not change return sequence. - Use dev_ratelimit and dev_warn_once - Link to v2: https://lore.kernel.org/r/20241008-uvc-readless-v2-0-04d9d51aee56@chromium.… Changes in v2: - Rewrite error handling (Thanks Sakari) - Discard 2/3. It is not needed after rewriting the error handling. - Link to v1: https://lore.kernel.org/r/20241008-uvc-readless-v1-0-042ac4581f44@chromium.… --- Ricardo Ribalda (2): media: uvcvideo: Support partial control reads media: uvcvideo: Add more logging to uvc_query_ctrl() drivers/media/usb/uvc/uvc_video.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241008-uvc-readless-23f9b8cad0b3 Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

9 months, 4 weeks

3
6
0 0

[PATCH] LoongArch: Explicitly specify code model in Makefile

by Huacai Chen

LoongArch's toolchain may change the default code model from normal to medium. This is unnecessary for kernel, and generates some relocations which cannot be handled by the module loader. So explicitly specify the code model to normal in Makefile (for Rust 'normal' is 'small'). Cc: stable(a)vger.kernel.org Tested-by: Haiyong Sun <sunhaiyong(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- arch/loongarch/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/loongarch/Makefile b/arch/loongarch/Makefile index ae3f80622f4c..567bd122a9ee 100644 --- a/arch/loongarch/Makefile +++ b/arch/loongarch/Makefile @@ -59,7 +59,7 @@ endif ifdef CONFIG_64BIT ld-emul = $(64bit-emul) -cflags-y += -mabi=lp64s +cflags-y += -mabi=lp64s -mcmodel=normal endif cflags-y += -pipe $(CC_FLAGS_NO_FPU) @@ -104,7 +104,7 @@ ifdef CONFIG_OBJTOOL KBUILD_CFLAGS += -fno-jump-tables endif -KBUILD_RUSTFLAGS += --target=loongarch64-unknown-none-softfloat +KBUILD_RUSTFLAGS += --target=loongarch64-unknown-none-softfloat -Ccode-model=small KBUILD_RUSTFLAGS_KERNEL += -Zdirect-access-external-data=yes KBUILD_RUSTFLAGS_MODULE += -Zdirect-access-external-data=no -- 2.43.5

9 months, 4 weeks

1
0
0 0

Re: [PATCH 6.11 000/107] 6.11.10-rc1 review

by Ronald Warsow

Hi Greg no regressions here on x86_64 (RKL, Intel 11th Gen. CPU) Thanks Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

9 months, 4 weeks

1
0
0 0

[PATCH AUTOSEL 4.19] ARM: 9434/1: cfi: Fix compilation corner case

by Sasha Levin

From: Linus Walleij <linus.walleij(a)linaro.org> [ Upstream commit 4aea16b7cfb76bd3361858ceee6893ef5c9b5570 ] When enabling expert mode CONFIG_EXPERT and using that power user mode to disable the branch prediction hardening !CONFIG_HARDEN_BRANCH_PREDICTOR, the assembly linker in CLANG notices that some assembly in proc-v7.S does not have corresponding C call sites, i.e. the prototypes in proc-v7-bugs.c are enclosed in ifdef CONFIG_HARDEN_BRANCH_PREDICTOR so this assembly: SYM_TYPED_FUNC_START(cpu_v7_smc_switch_mm) SYM_TYPED_FUNC_START(cpu_v7_hvc_switch_mm) Results in: ld.lld: error: undefined symbol: __kcfi_typeid_cpu_v7_smc_switch_mm >>> referenced by proc-v7.S:94 (.../arch/arm/mm/proc-v7.S:94) >>> arch/arm/mm/proc-v7.o:(.text+0x108) in archive vmlinux.a ld.lld: error: undefined symbol: __kcfi_typeid_cpu_v7_hvc_switch_mm >>> referenced by proc-v7.S:105 (.../arch/arm/mm/proc-v7.S:105) >>> arch/arm/mm/proc-v7.o:(.text+0x124) in archive vmlinux.a Fix this by adding an additional requirement that CONFIG_HARDEN_BRANCH_PREDICTOR has to be enabled to compile these assembly calls. Closes: https://lore.kernel.org/oe-kbuild-all/202411041456.ZsoEiD7T-lkp@intel.com/ Reported-by: kernel test robot <lkp(a)intel.com> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> Signed-off-by: Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arm/mm/proc-v7.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S index e351d682c2e36..8bde80b31a861 100644 --- a/arch/arm/mm/proc-v7.S +++ b/arch/arm/mm/proc-v7.S @@ -94,7 +94,7 @@ ENTRY(cpu_v7_dcache_clean_area) ret lr ENDPROC(cpu_v7_dcache_clean_area) -#ifdef CONFIG_ARM_PSCI +#if defined(CONFIG_ARM_PSCI) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR) .arch_extension sec ENTRY(cpu_v7_smc_switch_mm) stmfd sp!, {r0 - r3} -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH AUTOSEL 5.4 1/2] ARM: 9434/1: cfi: Fix compilation corner case

by Sasha Levin

From: Linus Walleij <linus.walleij(a)linaro.org> [ Upstream commit 4aea16b7cfb76bd3361858ceee6893ef5c9b5570 ] When enabling expert mode CONFIG_EXPERT and using that power user mode to disable the branch prediction hardening !CONFIG_HARDEN_BRANCH_PREDICTOR, the assembly linker in CLANG notices that some assembly in proc-v7.S does not have corresponding C call sites, i.e. the prototypes in proc-v7-bugs.c are enclosed in ifdef CONFIG_HARDEN_BRANCH_PREDICTOR so this assembly: SYM_TYPED_FUNC_START(cpu_v7_smc_switch_mm) SYM_TYPED_FUNC_START(cpu_v7_hvc_switch_mm) Results in: ld.lld: error: undefined symbol: __kcfi_typeid_cpu_v7_smc_switch_mm >>> referenced by proc-v7.S:94 (.../arch/arm/mm/proc-v7.S:94) >>> arch/arm/mm/proc-v7.o:(.text+0x108) in archive vmlinux.a ld.lld: error: undefined symbol: __kcfi_typeid_cpu_v7_hvc_switch_mm >>> referenced by proc-v7.S:105 (.../arch/arm/mm/proc-v7.S:105) >>> arch/arm/mm/proc-v7.o:(.text+0x124) in archive vmlinux.a Fix this by adding an additional requirement that CONFIG_HARDEN_BRANCH_PREDICTOR has to be enabled to compile these assembly calls. Closes: https://lore.kernel.org/oe-kbuild-all/202411041456.ZsoEiD7T-lkp@intel.com/ Reported-by: kernel test robot <lkp(a)intel.com> Reviewed-by: Nathan Chancellor <nathan(a)kernel.org> Signed-off-by: Linus Walleij <linus.walleij(a)linaro.org> Signed-off-by: Russell King (Oracle) <rmk+kernel(a)armlinux.org.uk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- arch/arm/mm/proc-v7.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/mm/proc-v7.S b/arch/arm/mm/proc-v7.S index 48e0ef6f0dccf..aee85fd261f5d 100644 --- a/arch/arm/mm/proc-v7.S +++ b/arch/arm/mm/proc-v7.S @@ -91,7 +91,7 @@ ENTRY(cpu_v7_dcache_clean_area) ret lr ENDPROC(cpu_v7_dcache_clean_area) -#ifdef CONFIG_ARM_PSCI +#if defined(CONFIG_ARM_PSCI) && defined(CONFIG_HARDEN_BRANCH_PREDICTOR) .arch_extension sec ENTRY(cpu_v7_smc_switch_mm) stmfd sp!, {r0 - r3} -- 2.43.0

9 months, 4 weeks

1
1
0 0

[PATCH AUTOSEL 5.10 1/3] ALSA: usb-audio: Fix Yamaha P-125 Quirk Entry

by Sasha Levin

From: Eryk Zagorski <erykzagorski(a)gmail.com> [ Upstream commit 6f891ca15b017707840c9e7f5afd9fc6cfd7d8b1 ] This patch switches the P-125 quirk entry to use a composite quirk as the P-125 supplies both MIDI and Audio like many of the other Yamaha keyboards Signed-off-by: Eryk Zagorski <erykzagorski(a)gmail.com> Link: https://patch.msgid.link/20241111164520.9079-2-erykzagorski@gmail.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/usb/quirks-table.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h index c6104523dd79c..119c0bde74464 100644 --- a/sound/usb/quirks-table.h +++ b/sound/usb/quirks-table.h @@ -350,7 +350,6 @@ YAMAHA_DEVICE(0x105a, NULL), YAMAHA_DEVICE(0x105b, NULL), YAMAHA_DEVICE(0x105c, NULL), YAMAHA_DEVICE(0x105d, NULL), -YAMAHA_DEVICE(0x1718, "P-125"), { USB_DEVICE(0x0499, 0x1503), .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { @@ -485,6 +484,19 @@ YAMAHA_DEVICE(0x1718, "P-125"), } } }, +{ + USB_DEVICE(0x0499, 0x1718), + QUIRK_DRIVER_INFO { + /* .vendor_name = "Yamaha", */ + /* .product_name = "P-125", */ + QUIRK_DATA_COMPOSITE { + { QUIRK_DATA_STANDARD_AUDIO(1) }, + { QUIRK_DATA_STANDARD_AUDIO(2) }, + { QUIRK_DATA_MIDI_YAMAHA(3) }, + QUIRK_COMPOSITE_END + } + } +}, YAMAHA_DEVICE(0x2000, "DGP-7"), YAMAHA_DEVICE(0x2001, "DGP-5"), YAMAHA_DEVICE(0x2002, NULL), -- 2.43.0

9 months, 4 weeks

1
2
0 0

[PATCH AUTOSEL 5.15 1/4] ALSA: usb-audio: Fix Yamaha P-125 Quirk Entry

by Sasha Levin

From: Eryk Zagorski <erykzagorski(a)gmail.com> [ Upstream commit 6f891ca15b017707840c9e7f5afd9fc6cfd7d8b1 ] This patch switches the P-125 quirk entry to use a composite quirk as the P-125 supplies both MIDI and Audio like many of the other Yamaha keyboards Signed-off-by: Eryk Zagorski <erykzagorski(a)gmail.com> Link: https://patch.msgid.link/20241111164520.9079-2-erykzagorski@gmail.com Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- sound/usb/quirks-table.h | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h index dd98b4e13edac..4690b44987c05 100644 --- a/sound/usb/quirks-table.h +++ b/sound/usb/quirks-table.h @@ -350,7 +350,6 @@ YAMAHA_DEVICE(0x105a, NULL), YAMAHA_DEVICE(0x105b, NULL), YAMAHA_DEVICE(0x105c, NULL), YAMAHA_DEVICE(0x105d, NULL), -YAMAHA_DEVICE(0x1718, "P-125"), { USB_DEVICE(0x0499, 0x1503), .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { @@ -485,6 +484,19 @@ YAMAHA_DEVICE(0x1718, "P-125"), } } }, +{ + USB_DEVICE(0x0499, 0x1718), + QUIRK_DRIVER_INFO { + /* .vendor_name = "Yamaha", */ + /* .product_name = "P-125", */ + QUIRK_DATA_COMPOSITE { + { QUIRK_DATA_STANDARD_AUDIO(1) }, + { QUIRK_DATA_STANDARD_AUDIO(2) }, + { QUIRK_DATA_MIDI_YAMAHA(3) }, + QUIRK_COMPOSITE_END + } + } +}, YAMAHA_DEVICE(0x2000, "DGP-7"), YAMAHA_DEVICE(0x2001, "DGP-5"), YAMAHA_DEVICE(0x2002, NULL), -- 2.43.0

9 months, 4 weeks

1
3
0 0

[PATCH AUTOSEL 6.11 01/10] integrity: Use static_assert() to check struct sizes

by Sasha Levin

From: "Gustavo A. R. Silva" <gustavoars(a)kernel.org> [ Upstream commit 08ae3e5f5fc8edb9bd0c7ef9696ff29ef18b26ef ] Commit 38aa3f5ac6d2 ("integrity: Avoid -Wflex-array-member-not-at-end warnings") introduced tagged `struct evm_ima_xattr_data_hdr` and `struct ima_digest_data_hdr`. We want to ensure that when new members need to be added to the flexible structures, they are always included within these tagged structs. So, we use `static_assert()` to ensure that the memory layout for both the flexible structure and the tagged struct is the same after any changes. Signed-off-by: Gustavo A. R. Silva <gustavoars(a)kernel.org> Tested-by: Roberto Sassu <roberto.sassu(a)huawei.com> Reviewed-by: Roberto Sassu <roberto.sassu(a)huawei.com> Signed-off-by: Mimi Zohar <zohar(a)linux.ibm.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- security/integrity/integrity.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 660f76cb69d37..c2c2da6911233 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -37,6 +37,8 @@ struct evm_ima_xattr_data { ); u8 data[]; } __packed; +static_assert(offsetof(struct evm_ima_xattr_data, data) == sizeof(struct evm_ima_xattr_data_hdr), + "struct member likely outside of __struct_group()"); /* Only used in the EVM HMAC code. */ struct evm_xattr { @@ -65,6 +67,8 @@ struct ima_digest_data { ); u8 digest[]; } __packed; +static_assert(offsetof(struct ima_digest_data, digest) == sizeof(struct ima_digest_data_hdr), + "struct member likely outside of __struct_group()"); /* * Instead of wrapping the ima_digest_data struct inside a local structure -- 2.43.0

9 months, 4 weeks

1
9
0 0

[PATCH v2 0/2] media: uvcvideo: Support partial control reads and minor changes

by Ricardo Ribalda

Some cameras do not return all the bytes requested from a control if it can fit in less bytes. Eg: returning 0xab instead of 0x00ab. Support these devices. Also, now that we are at it, improve uvc_query_ctrl() logging. Signed-off-by: Ricardo Ribalda <ribalda(a)chromium.org> --- Changes in v2: - Rewrite error handling (Thanks Sakari) - Discard 2/3. It is not needed after rewriting the error handling. - Link to v1: https://lore.kernel.org/r/20241008-uvc-readless-v1-0-042ac4581f44@chromium.… --- Ricardo Ribalda (2): media: uvcvideo: Support partial control reads media: uvcvideo: Add more logging to uvc_query_ctrl() drivers/media/usb/uvc/uvc_video.c | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241008-uvc-readless-23f9b8cad0b3 Best regards, -- Ricardo Ribalda <ribalda(a)chromium.org>

9 months, 4 weeks

4
7
0 0

[PATCH 6.1] char: xillybus: Prevent use-after-free due to race condition

by Bin Lan

From: Eli Billauer <eli.billauer(a)gmail.com> [ Upstream commit 282a4b71816b6076029017a7bab3a9dcee12a920 ] The driver for XillyUSB devices maintains a kref reference count on each xillyusb_dev structure, which represents a physical device. This reference count reaches zero when the device has been disconnected and there are no open file descriptors that are related to the device. When this occurs, kref_put() calls cleanup_dev(), which clears up the device's data, including the structure itself. However, when xillyusb_open() is called, this reference count becomes tricky: This function needs to obtain the xillyusb_dev structure that relates to the inode's major and minor (as there can be several such). xillybus_find_inode() (which is defined in xillybus_class.c) is called for this purpose. xillybus_find_inode() holds a mutex that is global in xillybus_class.c to protect the list of devices, and releases this mutex before returning. As a result, nothing protects the xillyusb_dev's reference counter from being decremented to zero before xillyusb_open() increments it on its own behalf. Hence the structure can be freed due to a rare race condition. To solve this, a mutex is added. It is locked by xillyusb_open() before the call to xillybus_find_inode() and is released only after the kref counter has been incremented on behalf of the newly opened inode. This protects the kref reference counters of all xillyusb_dev structs from being decremented by xillyusb_disconnect() during this time segment, as the call to kref_put() in this function is done with the same lock held. There is no need to hold the lock on other calls to kref_put(), because if xillybus_find_inode() finds a struct, xillyusb_disconnect() has not made the call to remove it, and hence not made its call to kref_put(), which takes place afterwards. Hence preventing xillyusb_disconnect's call to kref_put() is enough to ensure that the reference doesn't reach zero before it's incremented by xillyusb_open(). It would have been more natural to increment the reference count in xillybus_find_inode() of course, however this function is also called by Xillybus' driver for PCIe / OF, which registers a completely different structure. Therefore, xillybus_find_inode() treats these structures as void pointers, and accordingly can't make any changes. Reported-by: Hyunwoo Kim <imv4bel(a)gmail.com> Suggested-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Eli Billauer <eli.billauer(a)gmail.com> Link: https://lore.kernel.org/r/20221030094209.65916-1-eli.billauer@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/char/xillybus/xillyusb.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/char/xillybus/xillyusb.c b/drivers/char/xillybus/xillyusb.c index 3a2a0fb3d928..45771b1a3716 100644 --- a/drivers/char/xillybus/xillyusb.c +++ b/drivers/char/xillybus/xillyusb.c @@ -185,6 +185,14 @@ struct xillyusb_dev { struct mutex process_in_mutex; /* synchronize wakeup_all() */ }; +/* + * kref_mutex is used in xillyusb_open() to prevent the xillyusb_dev + * struct from being freed during the gap between being found by + * xillybus_find_inode() and having its reference count incremented. + */ + +static DEFINE_MUTEX(kref_mutex); + /* FPGA to host opcodes */ enum { OPCODE_DATA = 0, @@ -1234,9 +1242,16 @@ static int xillyusb_open(struct inode *inode, struct file *filp) int rc; int index; + mutex_lock(&kref_mutex); + rc = xillybus_find_inode(inode, (void **)&xdev, &index); - if (rc) + if (rc) { + mutex_unlock(&kref_mutex); return rc; + } + + kref_get(&xdev->kref); + mutex_unlock(&kref_mutex); chan = &xdev->channels[index]; filp->private_data = chan; @@ -1272,8 +1287,6 @@ static int xillyusb_open(struct inode *inode, struct file *filp) ((filp->f_mode & FMODE_WRITE) && chan->open_for_write)) goto unmutex_fail; - kref_get(&xdev->kref); - if (filp->f_mode & FMODE_READ) chan->open_for_read = 1; @@ -1410,6 +1423,7 @@ static int xillyusb_open(struct inode *inode, struct file *filp) return rc; unmutex_fail: + kref_put(&xdev->kref, cleanup_dev); mutex_unlock(&chan->lock); return rc; } @@ -2244,7 +2258,9 @@ static void xillyusb_disconnect(struct usb_interface *interface) xdev->dev = NULL; + mutex_lock(&kref_mutex); kref_put(&xdev->kref, cleanup_dev); + mutex_unlock(&kref_mutex); } static struct usb_driver xillyusb_driver = { -- 2.43.0

9 months, 4 weeks

2
1
0 0

[PATCH v2 6.1.y 0/3] Backport to fix CVE-2024-36478

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> Backport to fix CVE-2024-36478 https://lore.kernel.org/linux-cve-announce/2024062136-CVE-2024-36478-d249@g… The CVE fix is "null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'" This required 2 extra commit to make sure the picks are clean: null_blk: Remove usage of the deprecated ida_simple_xx() API null_blk: Fix return value of nullb_device_power_store() Changes: V1 -> V2 Added the extra commit Fix return value of nullb_device_power_store() Christophe JAILLET (1): null_blk: Remove usage of the deprecated ida_simple_xx() API Damien Le Moal (1): null_blk: Fix return value of nullb_device_power_store() Yu Kuai (1): null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' drivers/block/null_blk/main.c | 45 ++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 16 deletions(-) -- 2.43.0

9 months, 4 weeks

3
7
0 0

[PATCH] statmount: fix security option retrieval

by Christian Brauner

Fix the inverted check for security_sb_show_options(). Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Link: https://lore.kernel.org/r/c8eaa647-5d67-49b6-9401-705afcb7e4d7@stanley.moun… Fixes: aefff51e1c29 ("statmount: retrieve security mount options") Cc: Cc: <stable(a)vger.kernel.org> # mainline only Signed-off-by: Christian Brauner <brauner(a)kernel.org> --- fs/namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 6b0a17487d0f..eb34a5160f64 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -5116,7 +5116,7 @@ static int statmount_opt_sec_array(struct kstatmount *s, struct seq_file *seq) buf_start = seq->buf + start; err = security_sb_show_options(seq, sb); - if (!err) + if (err) return err; if (unlikely(seq_has_overflowed(seq))) -- 2.45.2

9 months, 4 weeks

2
1
0 0

[PATCH 6.12.y v2] mm/mmap: fix __mmap_region() error handling in rare merge failure case

by Liam R. Howlett

From: "Liam R. Howlett" <Liam.Howlett(a)Oracle.com> The mmap_region() function tries to install a new vma, which requires a pre-allocation for the maple tree write due to the complex locking scenarios involved. Recent efforts to simplify the error recovery required the relocation of the preallocation of the maple tree nodes (via vma_iter_prealloc() calling mas_preallocate()) higher in the function. The relocation of the preallocation meant that, if there was a file associated with the vma and the driver call (mmap_file()) modified the vma flags, then a new merge of the new vma with existing vmas is attempted. During the attempt to merge the existing vma with the new vma, the vma iterator is used - the same iterator that would be used for the next write attempt to the tree. In the event of needing a further allocation and if the new allocations fails, the vma iterator (and contained maple state) will cleaned up, including freeing all previous allocations and will be reset internally. Upon returning to the __mmap_region() function, the error is available in the vma_merge_struct and can be used to detect the -ENOMEM status. Hitting an -ENOMEM scenario after the driver callback leaves the system in a state that undoing the mapping is worse than continuing by dipping into the reserve. A preallocation should be performed in the case of an -ENOMEM and the allocations were lost during the failure scenario. The __GFP_NOFAIL flag is used in the allocation to ensure the allocation succeeds after implicitly telling the driver that the mapping was happening. The range is already set in the vma_iter_store() call below, so it is not necessary and is dropped. Reported-by: syzbot+bc6bfc25a68b7a020ee1(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000 Fixes: 5de195060b2e2 ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: <stable(a)vger.kernel.org> --- mm/mmap.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) Changes since v1: - Don't bail out and force the allocation when the merge failure is -ENOMEM - Thanks Lorenzo diff --git a/mm/mmap.c b/mm/mmap.c index 79d541f1502b2..4f6e566d52faa 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1491,7 +1491,18 @@ static unsigned long __mmap_region(struct file *file, unsigned long addr, vm_flags = vma->vm_flags; goto file_expanded; } - vma_iter_config(&vmi, addr, end); + + /* + * In the unlikely even that more memory was needed, but + * not available for the vma merge, the vma iterator + * will have no memory reserved for the write we told + * the driver was happening. To keep up the ruse, + * ensure the allocation for the store succeeds. + */ + if (vmg_nomem(&vmg)) { + mas_preallocate(&vmi.mas, vma, + GFP_KERNEL|__GFP_NOFAIL); + } } vm_flags = vma->vm_flags; -- 2.43.0

9 months, 4 weeks

4
3
0 0

[PATCH v1] ufs: core: add missing post notify for power mode change

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com> When the power mode change is successful but the power mode hasn't actually changed, the post notification was missed. Similar to the approach with hibernate/clock scale/hce enable, having pre/post notifications in the same function will make it easier to maintain. Fixes: 7eb584db73be ("ufs: refactor configuring power mode") Cc: stable(a)vger.kernel.org #6.11.x Signed-off-by: Peter Wang <peter.wang(a)mediatek.com> --- drivers/ufs/core/ufshcd.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index abbe7135a977..814402e93a1e 100644 --- a/drivers/ufs/core/ufshcd.c +++ b/drivers/ufs/core/ufshcd.c @@ -4651,9 +4651,6 @@ static int ufshcd_change_power_mode(struct ufs_hba *hba, dev_err(hba->dev, "%s: power mode change failed %d\n", __func__, ret); } else { - ufshcd_vops_pwr_change_notify(hba, POST_CHANGE, NULL, - pwr_mode); - memcpy(&hba->pwr_info, pwr_mode, sizeof(struct ufs_pa_layer_attr)); } @@ -4682,6 +4679,10 @@ int ufshcd_config_pwr_mode(struct ufs_hba *hba, ret = ufshcd_change_power_mode(hba, &final_params); + if (!ret) + ufshcd_vops_pwr_change_notify(hba, POST_CHANGE, NULL, + &final_params); + return ret; } EXPORT_SYMBOL_GPL(ufshcd_config_pwr_mode); -- 2.18.0

9 months, 4 weeks

1
0
0 0

[PATCH] fs: prevent data-race due to missing inode_lock when calling vfs_getattr

by Jeongjun Park

Many filesystems lock inodes before calling vfs_getattr, so there is no data-race for inodes. However, some functions in fs/stat.c that call vfs_getattr do not lock inodes, so the data-race occurs. Therefore, we need to apply a patch to remove the long-standing data-race for inodes in some functions that do not lock inodes. Cc: <stable(a)vger.kernel.org> Fixes: da9aa5d96bfe ("fs: remove vfs_statx_fd") Fixes: 0ef625bba6fb ("vfs: support statx(..., NULL, AT_EMPTY_PATH, ...)") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- fs/stat.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/fs/stat.c b/fs/stat.c index 41e598376d7e..da532b611aa3 100644 --- a/fs/stat.c +++ b/fs/stat.c @@ -220,13 +220,21 @@ EXPORT_SYMBOL(vfs_getattr); */ int vfs_fstat(int fd, struct kstat *stat) { + const struct path *path; + struct inode *inode; struct fd f; int error; f = fdget_raw(fd); if (!fd_file(f)) return -EBADF; - error = vfs_getattr(&fd_file(f)->f_path, stat, STATX_BASIC_STATS, 0); + + path = &fd_file(f)->f_path; + inode = d_backing_inode(path->dentry); + + inode_lock_shared(inode); + error = vfs_getattr(path, stat, STATX_BASIC_STATS, 0); + inode_unlock_shared(inode); fdput(f); return error; } @@ -248,7 +256,11 @@ int getname_statx_lookup_flags(int flags) static int vfs_statx_path(struct path *path, int flags, struct kstat *stat, u32 request_mask) { + struct inode *inode = d_backing_inode(path->dentry); + + inode_lock_shared(inode); int error = vfs_getattr(path, stat, request_mask, flags); + inode_unlock_shared(inode); if (request_mask & STATX_MNT_ID_UNIQUE) { stat->mnt_id = real_mount(path->mnt)->mnt_id_unique; --

9 months, 4 weeks

5
8
0 0

[PATCH v2 1/2] KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status

by Oliver Upton

From: Raghavendra Rao Ananta <rananta(a)google.com> DDI0487K D13.1.1 describes the PMU overflow condition, which evaluates to true if any counter's global enable (PMCR_EL0.E), overflow flag (PMOVSSET_EL0[n]), and interrupt enable (PMINTENSET_EL1[n]) are all 1. Of note, this does not require a counter to be enabled (i.e. PMCNTENSET_EL0[n] = 1) to generate an overflow. Align kvm_pmu_overflow_status() with the reality of the architecture and stop using PMCNTENSET_EL0 as part of the overflow condition. The bug was discovered while running an SBSA PMU test [*], which only sets PMCR.E, PMOVSSET<0>, PMINTENSET<0>, and expects an overflow interrupt. Cc: stable(a)vger.kernel.org Fixes: 76d883c4e640 ("arm64: KVM: Add access handler for PMOVSSET and PMOVSCLR register") Link: https://github.com/ARM-software/sbsa-acs/blob/master/test_pool/pmu/operatin… Signed-off-by: Raghavendra Rao Ananta <rananta(a)google.com> [ oliver: massaged changelog ] Signed-off-by: Oliver Upton <oliver.upton(a)linux.dev> --- arch/arm64/kvm/pmu-emul.c | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/arm64/kvm/pmu-emul.c b/arch/arm64/kvm/pmu-emul.c index 8ad62284fa23..3855cc9d0ca5 100644 --- a/arch/arm64/kvm/pmu-emul.c +++ b/arch/arm64/kvm/pmu-emul.c @@ -381,7 +381,6 @@ static u64 kvm_pmu_overflow_status(struct kvm_vcpu *vcpu) if ((kvm_vcpu_read_pmcr(vcpu) & ARMV8_PMU_PMCR_E)) { reg = __vcpu_sys_reg(vcpu, PMOVSSET_EL0); - reg &= __vcpu_sys_reg(vcpu, PMCNTENSET_EL0); reg &= __vcpu_sys_reg(vcpu, PMINTENSET_EL1); } -- 2.39.5

9 months, 4 weeks

2
1
0 0

[PATCH] ALSA: hda: Poll jack events for LS7A HD-Audio

by Huacai Chen

LS7A HD-Audio disable interrupts and use polling mode due to hardware drawbacks. As a result, unsolicited jack events are also unusable. If we want to support headphone hotplug, we need to also poll jack events. Here we use 1500ms as the poll interval if no module parameter specify it. Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- sound/pci/hda/hda_intel.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c index b4540c5cd2a6..5060d5428caf 100644 --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -1867,6 +1867,8 @@ static int azx_first_init(struct azx *chip) bus->polling_mode = 1; bus->not_use_interrupts = 1; bus->access_sdnctl_in_dword = 1; + if (!chip->jackpoll_interval) + chip->jackpoll_interval = msecs_to_jiffies(1500); } err = pcim_iomap_regions(pci, 1 << 0, "ICH HD audio"); -- 2.43.5

9 months, 4 weeks

3
2
0 0

[PATCH] mm/gup: handle NULL pages in unpin_user_pages()

by John Hubbard

The recent addition of "pofs" (pages or folios) handling to gup has a flaw: it assumes that unpin_user_pages() handles NULL pages in the pages** array. That's not the case, as I discovered when I ran on a new configuration on my test machine. Fix this by skipping NULL pages in unpin_user_pages(), just like unpin_folios() already does. Details: when booting on x86 with "numa=fake=2 movablecore=4G" on Linux 6.12, and running this: tools/testing/selftests/mm/gup_longterm ...I get the following crash: BUG: kernel NULL pointer dereference, address: 0000000000000008 RIP: 0010:sanity_check_pinned_pages+0x3a/0x2d0 ... Call Trace: <TASK> ? __die_body+0x66/0xb0 ? page_fault_oops+0x30c/0x3b0 ? do_user_addr_fault+0x6c3/0x720 ? irqentry_enter+0x34/0x60 ? exc_page_fault+0x68/0x100 ? asm_exc_page_fault+0x22/0x30 ? sanity_check_pinned_pages+0x3a/0x2d0 unpin_user_pages+0x24/0xe0 check_and_migrate_movable_pages_or_folios+0x455/0x4b0 __gup_longterm_locked+0x3bf/0x820 ? mmap_read_lock_killable+0x12/0x50 ? __pfx_mmap_read_lock_killable+0x10/0x10 pin_user_pages+0x66/0xa0 gup_test_ioctl+0x358/0xb20 __se_sys_ioctl+0x6b/0xc0 do_syscall_64+0x7b/0x150 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: 94efde1d1539 ("mm/gup: avoid an unnecessary allocation call for FOLL_LONGTERM cases") Cc: David Hildenbrand <david(a)redhat.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Vivek Kasireddy <vivek.kasireddy(a)intel.com> Cc: Dave Airlie <airlied(a)redhat.com> Cc: Gerd Hoffmann <kraxel(a)redhat.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Dongwon Kim <dongwon.kim(a)intel.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Junxiao Chang <junxiao.chang(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: John Hubbard <jhubbard(a)nvidia.com> --- Hi, I got a nasty shock when I tried out a new test machine setup last night--I wish I'd noticed the problem earlier! But anyway, this should make it all better... I've asked Greg K-H to hold off on including commit 94efde1d1539 ("mm/gup: avoid an unnecessary allocation call for FOLL_LONGTERM cases") in linux-stable (6.11.y), but if this fix-to-the-fix looks good, then maybe both fixes can ultimately end up in stable. thanks, John Hubbard mm/gup.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/mm/gup.c b/mm/gup.c index ad0c8922dac3..6e417502728a 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -52,7 +52,12 @@ static inline void sanity_check_pinned_pages(struct page **pages, */ for (; npages; npages--, pages++) { struct page *page = *pages; - struct folio *folio = page_folio(page); + struct folio *folio; + + if (!page) + continue; + + folio = page_folio(page); if (is_zero_page(page) || !folio_test_anon(folio)) @@ -248,9 +253,14 @@ static inline struct folio *gup_folio_range_next(struct page *start, static inline struct folio *gup_folio_next(struct page **list, unsigned long npages, unsigned long i, unsigned int *ntails) { - struct folio *folio = page_folio(list[i]); + struct folio *folio; unsigned int nr; + if (!list[i]) + return NULL; + + folio = page_folio(list[i]); + for (nr = i + 1; nr < npages; nr++) { if (page_folio(list[nr]) != folio) break; @@ -410,6 +420,9 @@ void unpin_user_pages(struct page **pages, unsigned long npages) sanity_check_pinned_pages(pages, npages); for (i = 0; i < npages; i += nr) { folio = gup_folio_next(pages, npages, i, &nr); + if (!folio) + continue; + gup_put_folio(folio, nr, FOLL_PIN); } } -- 2.47.0

9 months, 4 weeks

2
2
0 0

[PATCH 6.1] drm/amd: check num of link levels when update pcie param

by Bin Lan

From: "Lin.Cao" <lincao12(a)amd.com> [ Upstream commit 406e8845356d18bdf3d3a23b347faf67706472ec ] In SR-IOV environment, the value of pcie_table->num_of_link_levels will be 0, and num_of_levels - 1 will cause array index out of bounds Signed-off-by: Lin.Cao <lincao12(a)amd.com> Acked-by: Jingwen Chen <Jingwen.Chen2(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> [ Resolve minor conflicts to fix CVE-2023-52812 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c index 3aab1caed2ac..e159f715c1c2 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c @@ -2498,6 +2498,9 @@ int smu_v13_0_update_pcie_parameters(struct smu_context *smu, uint32_t smu_pcie_arg; int ret, i; + if (!num_of_levels) + return 0; + if (!amdgpu_device_pcie_dynamic_switching_supported()) { if (pcie_table->pcie_gen[num_of_levels - 1] < pcie_gen_cap) pcie_gen_cap = pcie_table->pcie_gen[num_of_levels - 1]; -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH 8/9] drm/amd/display: Add hblank borrowing support

by Alex Hung

From: Chris Park <chris.park(a)amd.com> [WHY] Some DSC timing failed at bandwidth validation due to hactive can't be evenly divided on each ODM segment. [HOW] Borrow from hblank to increase hactive to support these timing. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Wenjing Liu <wenjing.liu(a)amd.com> Signed-off-by: Chris Park <chris.park(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- .../gpu/drm/amd/display/dc/core/dc_resource.c | 42 ++++++++++++++++++- drivers/gpu/drm/amd/display/dc/dc.h | 1 + .../gpu/drm/amd/display/dc/dc_spl_translate.c | 2 +- .../dc/dml2/dml21/dml21_translation_helper.c | 21 +++++++++- .../amd/display/dc/hwss/dcn32/dcn32_hwseq.c | 3 +- .../amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 7 +++- .../gpu/drm/amd/display/dc/inc/core_types.h | 2 + .../gpu/drm/amd/display/dc/link/link_dpms.c | 3 +- .../dc/resource/dcn32/dcn32_resource.c | 1 + 9 files changed, 75 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c index 619fad17de55..626f75b6ad00 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c @@ -2094,7 +2094,8 @@ int resource_get_odm_slice_dst_width(struct pipe_ctx *otg_master, count = resource_get_odm_slice_count(otg_master); h_active = timing->h_addressable + timing->h_border_left + - timing->h_border_right; + timing->h_border_right + + otg_master->hblank_borrow; width = h_active / count; if (otg_master->stream_res.tg) @@ -4026,6 +4027,41 @@ enum dc_status dc_validate_with_context(struct dc *dc, return res; } +/** + * decide_hblank_borrow - Decides the horizontal blanking borrow value for a given pipe context. + * @pipe_ctx: Pointer to the pipe context structure. + * + * This function calculates the horizontal blanking borrow value for a given pipe context based on the + * display stream compression (DSC) configuration. If the horizontal active pixels (hactive) are less + * than the total width of the DSC slices, it sets the hblank_borrow value to the difference. If the + * total horizontal timing minus the hblank_borrow value is less than 32, it resets the hblank_borrow + * value to 0. + */ +static void decide_hblank_borrow(struct pipe_ctx *pipe_ctx) +{ + uint32_t hactive; + uint32_t ceil_slice_width; + struct dc_stream_state *stream = NULL; + + if (!pipe_ctx) + return; + + stream = pipe_ctx->stream; + + if (stream->timing.flags.DSC) { + hactive = stream->timing.h_addressable + stream->timing.h_border_left + stream->timing.h_border_right; + + /* Assume if determined slices does not divide Hactive evenly, Hborrow is needed for padding*/ + if (hactive % stream->timing.dsc_cfg.num_slices_h != 0) { + ceil_slice_width = (hactive / stream->timing.dsc_cfg.num_slices_h) + 1; + pipe_ctx->hblank_borrow = ceil_slice_width * stream->timing.dsc_cfg.num_slices_h - hactive; + + if (stream->timing.h_total - hactive - pipe_ctx->hblank_borrow < 32) + pipe_ctx->hblank_borrow = 0; + } + } +} + /** * dc_validate_global_state() - Determine if hardware can support a given state * @@ -4064,6 +4100,10 @@ enum dc_status dc_validate_global_state( if (pipe_ctx->stream != stream) continue; + /* Decide whether hblank borrow is needed and save it in pipe_ctx */ + if (dc->debug.enable_hblank_borrow) + decide_hblank_borrow(pipe_ctx); + if (dc->res_pool->funcs->patch_unknown_plane_state && pipe_ctx->plane_state && pipe_ctx->plane_state->tiling_info.gfx9.swizzle == DC_SW_UNKNOWN) { diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h index 5f1b3ce67cd1..ec64061080fa 100644 --- a/drivers/gpu/drm/amd/display/dc/dc.h +++ b/drivers/gpu/drm/amd/display/dc/dc.h @@ -1070,6 +1070,7 @@ struct dc_debug_options { unsigned int scale_to_sharpness_policy; bool skip_full_updated_if_possible; unsigned int enable_oled_edp_power_up_opt; + bool enable_hblank_borrow; }; diff --git a/drivers/gpu/drm/amd/display/dc/dc_spl_translate.c b/drivers/gpu/drm/amd/display/dc/dc_spl_translate.c index 2fee0b92f1f5..a4907cfe3f08 100644 --- a/drivers/gpu/drm/amd/display/dc/dc_spl_translate.c +++ b/drivers/gpu/drm/amd/display/dc/dc_spl_translate.c @@ -122,7 +122,7 @@ void translate_SPL_in_params_from_pipe_ctx(struct pipe_ctx *pipe_ctx, struct spl spl_in->odm_slice_index = resource_get_odm_slice_index(pipe_ctx); // Make spl input basic out info output_size width point to stream h active spl_in->basic_out.output_size.width = - stream->timing.h_addressable + stream->timing.h_border_left + stream->timing.h_border_right; + stream->timing.h_addressable + stream->timing.h_border_left + stream->timing.h_border_right + pipe_ctx->hblank_borrow; // Make spl input basic out info output_size height point to v active spl_in->basic_out.output_size.height = stream->timing.v_addressable + stream->timing.v_border_bottom + stream->timing.v_border_top; diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c index f66493528f42..c6a5a8614679 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c @@ -445,6 +445,21 @@ static void populate_dml21_timing_config_from_stream_state(struct dml2_timing_cf timing->vblank_nom = timing->v_total - timing->v_active; } +/** + * adjust_dml21_hblank_timing_config_from_pipe_ctx - Adjusts the horizontal blanking timing configuration + * based on the pipe context. + * @timing: Pointer to the dml2_timing_cfg structure to be adjusted. + * @pipe: Pointer to the pipe_ctx structure containing the horizontal blanking borrow value. + * + * This function modifies the horizontal active and blank end timings by adding and subtracting + * the horizontal blanking borrow value from the pipe context, respectively. + */ +static void adjust_dml21_hblank_timing_config_from_pipe_ctx(struct dml2_timing_cfg *timing, struct pipe_ctx *pipe) +{ + timing->h_active += pipe->hblank_borrow; + timing->h_blank_end -= pipe->hblank_borrow; +} + static void populate_dml21_output_config_from_stream_state(struct dml2_link_output_cfg *output, struct dc_stream_state *stream, const struct pipe_ctx *pipe) { @@ -732,6 +747,7 @@ static const struct scaler_data *get_scaler_data_for_plane( temp_pipe->plane_state = pipe->plane_state; temp_pipe->plane_res.scl_data.taps = pipe->plane_res.scl_data.taps; temp_pipe->stream_res = pipe->stream_res; + temp_pipe->hblank_borrow = pipe->hblank_borrow; dml_ctx->config.callbacks.build_scaling_params(temp_pipe); break; } @@ -996,6 +1012,7 @@ bool dml21_map_dc_state_into_dml_display_cfg(const struct dc *in_dc, struct dc_s ASSERT(disp_cfg_stream_location >= 0 && disp_cfg_stream_location <= __DML2_WRAPPER_MAX_STREAMS_PLANES__); populate_dml21_timing_config_from_stream_state(&dml_dispcfg->stream_descriptors[disp_cfg_stream_location].timing, context->streams[stream_index], dml_ctx); + adjust_dml21_hblank_timing_config_from_pipe_ctx(&dml_dispcfg->stream_descriptors[disp_cfg_stream_location].timing, &context->res_ctx.pipe_ctx[stream_index]); populate_dml21_output_config_from_stream_state(&dml_dispcfg->stream_descriptors[disp_cfg_stream_location].output, context->streams[stream_index], &context->res_ctx.pipe_ctx[stream_index]); populate_dml21_stream_overrides_from_stream_state(&dml_dispcfg->stream_descriptors[disp_cfg_stream_location], context->streams[stream_index]); @@ -1134,12 +1151,12 @@ void dml21_populate_pipe_ctx_dlg_params(struct dml2_context *dml_ctx, struct dc_ struct dc_crtc_timing *timing = &pipe_ctx->stream->timing; union dml2_global_sync_programming *global_sync = &stream_programming->global_sync; - hactive = timing->h_addressable + timing->h_border_left + timing->h_border_right; + hactive = timing->h_addressable + timing->h_border_left + timing->h_border_right + pipe_ctx->hblank_borrow; vactive = timing->v_addressable + timing->v_border_bottom + timing->v_border_top; hblank_start = pipe_ctx->stream->timing.h_total - pipe_ctx->stream->timing.h_front_porch; vblank_start = pipe_ctx->stream->timing.v_total - pipe_ctx->stream->timing.v_front_porch; - hblank_end = hblank_start - timing->h_addressable - timing->h_border_left - timing->h_border_right; + hblank_end = hblank_start - timing->h_addressable - timing->h_border_left - timing->h_border_right - pipe_ctx->hblank_borrow; vblank_end = vblank_start - timing->v_addressable - timing->v_border_top - timing->v_border_bottom; if (dml_ctx->config.svp_pstate.callbacks.get_pipe_subvp_type(context, pipe_ctx) == SUBVP_PHANTOM) { diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c index d7f8b2dcaa6b..fa11f075d1f9 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn32/dcn32_hwseq.c @@ -1049,7 +1049,8 @@ void dcn32_update_dsc_on_stream(struct pipe_ctx *pipe_ctx, bool enable) } /* Enable DSC hw block */ - dsc_cfg.pic_width = (stream->timing.h_addressable + stream->timing.h_border_left + stream->timing.h_border_right) / opp_cnt; + dsc_cfg.pic_width = (stream->timing.h_addressable + pipe_ctx->hblank_borrow + + stream->timing.h_border_left + stream->timing.h_border_right) / opp_cnt; dsc_cfg.pic_height = stream->timing.v_addressable + stream->timing.v_border_top + stream->timing.v_border_bottom; dsc_cfg.pixel_encoding = stream->timing.pixel_encoding; dsc_cfg.color_depth = stream->timing.display_color_depth; diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c index 5de11e2837c0..307782592789 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c @@ -820,6 +820,7 @@ enum dc_status dcn401_enable_stream_timing( int opp_cnt = 1; int opp_inst[MAX_PIPES] = {0}; struct pipe_ctx *opp_heads[MAX_PIPES] = {0}; + struct dc_crtc_timing patched_crtc_timing = stream->timing; bool manual_mode; unsigned int tmds_div = PIXEL_RATE_DIV_NA; unsigned int unused_div = PIXEL_RATE_DIV_NA; @@ -874,9 +875,13 @@ enum dc_status dcn401_enable_stream_timing( if (dc->hwseq->funcs.PLAT_58856_wa && (!dc_is_dp_signal(stream->signal))) dc->hwseq->funcs.PLAT_58856_wa(context, pipe_ctx); + /* if we are borrowing from hblank, h_addressable needs to be adjusted */ + if (dc->debug.enable_hblank_borrow) + patched_crtc_timing.h_addressable = patched_crtc_timing.h_addressable + pipe_ctx->hblank_borrow; + pipe_ctx->stream_res.tg->funcs->program_timing( pipe_ctx->stream_res.tg, - &stream->timing, + &patched_crtc_timing, pipe_ctx->pipe_dlg_param.vready_offset, pipe_ctx->pipe_dlg_param.vstartup_start, pipe_ctx->pipe_dlg_param.vupdate_offset, diff --git a/drivers/gpu/drm/amd/display/dc/inc/core_types.h b/drivers/gpu/drm/amd/display/dc/inc/core_types.h index 3061dca47dd2..2edd5b38ce4f 100644 --- a/drivers/gpu/drm/amd/display/dc/inc/core_types.h +++ b/drivers/gpu/drm/amd/display/dc/inc/core_types.h @@ -478,6 +478,8 @@ struct pipe_ctx { /* subvp_index: only valid if the pipe is a SUBVP_MAIN*/ uint8_t subvp_index; struct pixel_rate_divider pixel_rate_divider; + /* pixels borrowed from hblank to hactive */ + uint8_t hblank_borrow; }; /* Data used for dynamic link encoder assignment. diff --git a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c index 41cab9ad6885..5d66bfc7fe6e 100644 --- a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c +++ b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c @@ -808,7 +808,8 @@ void link_set_dsc_on_stream(struct pipe_ctx *pipe_ctx, bool enable) enum optc_dsc_mode optc_dsc_mode; /* Enable DSC hw block */ - dsc_cfg.pic_width = (stream->timing.h_addressable + stream->timing.h_border_left + stream->timing.h_border_right) / opp_cnt; + dsc_cfg.pic_width = (stream->timing.h_addressable + pipe_ctx->hblank_borrow + + stream->timing.h_border_left + stream->timing.h_border_right) / opp_cnt; dsc_cfg.pic_height = stream->timing.v_addressable + stream->timing.v_border_top + stream->timing.v_border_bottom; dsc_cfg.pixel_encoding = stream->timing.pixel_encoding; dsc_cfg.color_depth = stream->timing.display_color_depth; diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c index 984d23bcbc27..12d247a7ec45 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c @@ -2804,6 +2804,7 @@ struct pipe_ctx *dcn32_acquire_free_pipe_as_secondary_opp_head( free_pipe->plane_res.xfm = pool->transforms[free_pipe_idx]; free_pipe->plane_res.dpp = pool->dpps[free_pipe_idx]; free_pipe->plane_res.mpcc_inst = pool->dpps[free_pipe_idx]->inst; + free_pipe->hblank_borrow = otg_master->hblank_borrow; if (free_pipe->stream->timing.flags.DSC == 1) { dcn20_acquire_dsc(free_pipe->stream->ctx->dc, &new_ctx->res_ctx, -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH 7/9] drm/amd/display: Limit VTotal range to max hw cap minus fp

by Alex Hung

From: Dillon Varone <dillon.varone(a)amd.com> [WHY & HOW] Hardware does not support the VTotal to be between fp2 lines of the maximum possible VTotal, so add a capability flag to track it and apply where necessary. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Jun Lei <jun.lei(a)amd.com> Reviewed-by: Anthony Koo <anthony.koo(a)amd.com> Signed-off-by: Dillon Varone <dillon.varone(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- drivers/gpu/drm/amd/display/dc/dc.h | 1 + .../dc/dml2/dml21/dml21_translation_helper.c | 27 +++++++++++++++++-- .../dc/resource/dcn30/dcn30_resource.c | 1 + .../dc/resource/dcn302/dcn302_resource.c | 1 + .../dc/resource/dcn303/dcn303_resource.c | 1 + .../dc/resource/dcn32/dcn32_resource.c | 1 + .../dc/resource/dcn321/dcn321_resource.c | 1 + .../dc/resource/dcn35/dcn35_resource.c | 1 + .../dc/resource/dcn351/dcn351_resource.c | 1 + .../dc/resource/dcn401/dcn401_resource.c | 1 + .../amd/display/modules/freesync/freesync.c | 13 ++++++++- 11 files changed, 46 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h index 943e52bb2c31..5f1b3ce67cd1 100644 --- a/drivers/gpu/drm/amd/display/dc/dc.h +++ b/drivers/gpu/drm/amd/display/dc/dc.h @@ -290,6 +290,7 @@ struct dc_caps { uint16_t subvp_vertical_int_margin_us; bool seamless_odm; uint32_t max_v_total; + bool vtotal_limited_by_fp2; uint32_t max_disp_clock_khz_at_vmin; uint8_t subvp_drr_vblank_start_margin_us; bool cursor_not_scaled; diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c index 138b4b1e42ed..f66493528f42 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_translation_helper.c @@ -339,11 +339,22 @@ void dml21_apply_soc_bb_overrides(struct dml2_initialize_instance_in_out *dml_in // } } +static unsigned int calc_max_hardware_v_total(const struct dc_stream_state *stream) +{ + unsigned int max_hw_v_total = stream->ctx->dc->caps.max_v_total; + + if (stream->ctx->dc->caps.vtotal_limited_by_fp2) { + max_hw_v_total -= stream->timing.v_front_porch + 1; + } + + return max_hw_v_total; +} + static void populate_dml21_timing_config_from_stream_state(struct dml2_timing_cfg *timing, struct dc_stream_state *stream, struct dml2_context *dml_ctx) { - unsigned int hblank_start, vblank_start; + unsigned int hblank_start, vblank_start, min_hardware_refresh_in_uhz; timing->h_active = stream->timing.h_addressable + stream->timing.h_border_left + stream->timing.h_border_right; timing->v_active = stream->timing.v_addressable + stream->timing.v_border_bottom + stream->timing.v_border_top; @@ -371,11 +382,23 @@ static void populate_dml21_timing_config_from_stream_state(struct dml2_timing_cf - stream->timing.v_border_top - stream->timing.v_border_bottom; timing->drr_config.enabled = stream->ignore_msa_timing_param; - timing->drr_config.min_refresh_uhz = stream->timing.min_refresh_in_uhz; timing->drr_config.drr_active_variable = stream->vrr_active_variable; timing->drr_config.drr_active_fixed = stream->vrr_active_fixed; timing->drr_config.disallowed = !stream->allow_freesync; + /* limit min refresh rate to DC cap */ + min_hardware_refresh_in_uhz = stream->timing.min_refresh_in_uhz; + if (stream->ctx->dc->caps.max_v_total != 0) { + min_hardware_refresh_in_uhz = div64_u64((stream->timing.pix_clk_100hz * 100000000ULL), + (stream->timing.h_total * (long long)calc_max_hardware_v_total(stream))); + } + + if (stream->timing.min_refresh_in_uhz > min_hardware_refresh_in_uhz) { + timing->drr_config.min_refresh_uhz = stream->timing.min_refresh_in_uhz; + } else { + timing->drr_config.min_refresh_uhz = min_hardware_refresh_in_uhz; + } + if (dml_ctx->config.callbacks.get_max_flickerless_instant_vtotal_increase && stream->ctx->dc->config.enable_fpo_flicker_detection == 1) timing->drr_config.max_instant_vtotal_delta = dml_ctx->config.callbacks.get_max_flickerless_instant_vtotal_increase(stream, false); diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c index cd31e4f16c14..bfd0eccbed28 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c @@ -2353,6 +2353,7 @@ static bool dcn30_resource_construct( dc->caps.dp_hdmi21_pcon_support = true; dc->caps.max_v_total = (1 << 15) - 1; + dc->caps.vtotal_limited_by_fp2 = true; /* read VBIOS LTTPR caps */ { diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn302/dcn302_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn302/dcn302_resource.c index 02af8b8f4d27..7baefc910a3d 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn302/dcn302_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn302/dcn302_resource.c @@ -1233,6 +1233,7 @@ static bool dcn302_resource_construct( dc->caps.extended_aux_timeout_support = true; dc->caps.dmcub_support = true; dc->caps.max_v_total = (1 << 15) - 1; + dc->caps.vtotal_limited_by_fp2 = true; /* Color pipeline capabilities */ dc->caps.color.dpp.dcn_arch = 1; diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn303/dcn303_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn303/dcn303_resource.c index 7002a8dd358a..8a57d46ad15f 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn303/dcn303_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn303/dcn303_resource.c @@ -1178,6 +1178,7 @@ static bool dcn303_resource_construct( dc->caps.extended_aux_timeout_support = true; dc->caps.dmcub_support = true; dc->caps.max_v_total = (1 << 15) - 1; + dc->caps.vtotal_limited_by_fp2 = true; /* Color pipeline capabilities */ dc->caps.color.dpp.dcn_arch = 1; diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c index 01d1a11d5545..984d23bcbc27 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c @@ -2189,6 +2189,7 @@ static bool dcn32_resource_construct( dc->caps.dmcub_support = true; dc->caps.seamless_odm = true; dc->caps.max_v_total = (1 << 15) - 1; + dc->caps.vtotal_limited_by_fp2 = true; /* Color pipeline capabilities */ dc->caps.color.dpp.dcn_arch = 1; diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c index 5cb74fd9cb7d..06b9479c8bd3 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c @@ -1742,6 +1742,7 @@ static bool dcn321_resource_construct( dc->caps.extended_aux_timeout_support = true; dc->caps.dmcub_support = true; dc->caps.max_v_total = (1 << 15) - 1; + dc->caps.vtotal_limited_by_fp2 = true; /* Color pipeline capabilities */ dc->caps.color.dpp.dcn_arch = 1; diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c index 09a5a9474903..89e2adcf2a28 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c @@ -1850,6 +1850,7 @@ static bool dcn35_resource_construct( dc->caps.zstate_support = true; dc->caps.ips_support = true; dc->caps.max_v_total = (1 << 15) - 1; + dc->caps.vtotal_limited_by_fp2 = true; /* Color pipeline capabilities */ dc->caps.color.dpp.dcn_arch = 1; diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c index fe382f9b6ff2..263a37c1cd3a 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c @@ -1829,6 +1829,7 @@ static bool dcn351_resource_construct( dc->caps.zstate_support = true; dc->caps.ips_support = true; dc->caps.max_v_total = (1 << 15) - 1; + dc->caps.vtotal_limited_by_fp2 = true; /* Color pipeline capabilities */ dc->caps.color.dpp.dcn_arch = 1; diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn401/dcn401_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn401/dcn401_resource.c index db93bac247c0..2a3dabfe3cea 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn401/dcn401_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn401/dcn401_resource.c @@ -1864,6 +1864,7 @@ static bool dcn401_resource_construct( dc->caps.extended_aux_timeout_support = true; dc->caps.dmcub_support = true; dc->caps.max_v_total = (1 << 15) - 1; + dc->caps.vtotal_limited_by_fp2 = true; if (ASICREV_IS_GC_12_0_1_A0(dc->ctx->asic_id.hw_internal_rev)) dc->caps.dcc_plane_width_limit = 7680; diff --git a/drivers/gpu/drm/amd/display/modules/freesync/freesync.c b/drivers/gpu/drm/amd/display/modules/freesync/freesync.c index f980a84dceef..2b3964529539 100644 --- a/drivers/gpu/drm/amd/display/modules/freesync/freesync.c +++ b/drivers/gpu/drm/amd/display/modules/freesync/freesync.c @@ -122,6 +122,17 @@ static unsigned int calc_duration_in_us_from_v_total( return duration_in_us; } +static unsigned int calc_max_hardware_v_total(const struct dc_stream_state *stream) +{ + unsigned int max_hw_v_total = stream->ctx->dc->caps.max_v_total; + + if (stream->ctx->dc->caps.vtotal_limited_by_fp2) { + max_hw_v_total -= stream->timing.v_front_porch + 1; + } + + return max_hw_v_total; +} + unsigned int mod_freesync_calc_v_total_from_refresh( const struct dc_stream_state *stream, unsigned int refresh_in_uhz) @@ -1016,7 +1027,7 @@ void mod_freesync_build_vrr_params(struct mod_freesync *mod_freesync, if (stream->ctx->dc->caps.max_v_total != 0 && stream->timing.h_total != 0) { min_hardware_refresh_in_uhz = div64_u64((stream->timing.pix_clk_100hz * 100000000ULL), - (stream->timing.h_total * (long long)stream->ctx->dc->caps.max_v_total)); + (stream->timing.h_total * (long long)calc_max_hardware_v_total(stream))); } /* Limit minimum refresh rate to what can be supported by hardware */ min_refresh_in_uhz = min_hardware_refresh_in_uhz > in_config->min_refresh_in_uhz ? -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH 6/9] drm/amd/display: Correct prefetch calculation

by Alex Hung

From: Lo-an Chen <lo-an.chen(a)amd.com> [WHY] The minimum value of the dst_y_prefetch_equ was not correct in prefetch calculation whice causes OPTC underflow. [HOW] Add the min operation of dst_y_prefetch_equ in prefetch calculation. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Lo-an Chen <lo-an.chen(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c b/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c index d851c081e376..8dabb1ac0b68 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c @@ -1222,6 +1222,7 @@ static dml_bool_t CalculatePrefetchSchedule(struct display_mode_lib_scratch_st * s->dst_y_prefetch_oto = s->Tvm_oto_lines + 2 * s->Tr0_oto_lines + s->Lsw_oto; s->dst_y_prefetch_equ = p->VStartup - (*p->TSetup + dml_max(p->TWait + p->TCalc, *p->Tdmdl)) / s->LineTime - (*p->DSTYAfterScaler + (dml_float_t) *p->DSTXAfterScaler / (dml_float_t)p->myPipe->HTotal); + s->dst_y_prefetch_equ = dml_min(s->dst_y_prefetch_equ, 63.75); // limit to the reg limit of U6.2 for DST_Y_PREFETCH #ifdef __DML_VBA_DEBUG__ dml_print("DML::%s: HTotal = %u\n", __func__, p->myPipe->HTotal); -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH 5/9] drm/amd/display: Add option to retrieve detile buffer size

by Alex Hung

From: Sung Lee <Sung.Lee(a)amd.com> [WHY] For better power profiling knowing the detile buffer size at a given point in time would be useful. [HOW] Add interface to retrieve detile buffer from dc state. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: Aric Cyr <aric.cyr(a)amd.com> Signed-off-by: Sung Lee <Sung.Lee(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- drivers/gpu/drm/amd/display/dc/core/dc.c | 18 ++++++++++++++++++ drivers/gpu/drm/amd/display/dc/dc.h | 2 ++ .../gpu/drm/amd/display/dc/inc/core_types.h | 1 + .../display/dc/resource/dcn31/dcn31_resource.c | 7 +++++++ .../display/dc/resource/dcn31/dcn31_resource.h | 3 +++ .../dc/resource/dcn314/dcn314_resource.c | 1 + .../dc/resource/dcn315/dcn315_resource.c | 1 + .../dc/resource/dcn316/dcn316_resource.c | 1 + .../display/dc/resource/dcn35/dcn35_resource.c | 1 + .../dc/resource/dcn351/dcn351_resource.c | 1 + 10 files changed, 36 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c index 1dd26d5df6b9..49fe7dcf9372 100644 --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -6109,3 +6109,21 @@ struct dc_power_profile dc_get_power_profile_for_dc_state(const struct dc_state profile.power_level = dc->res_pool->funcs->get_power_profile(context); return profile; } + +/* + ********************************************************************************** + * dc_get_det_buffer_size_from_state() - extracts detile buffer size from dc state + * + * Called when DM wants to log detile buffer size from dc_state + * + ********************************************************************************** + */ +unsigned int dc_get_det_buffer_size_from_state(const struct dc_state *context) +{ + struct dc *dc = context->clk_mgr->ctx->dc; + + if (dc->res_pool->funcs->get_det_buffer_size) + return dc->res_pool->funcs->get_det_buffer_size(context); + else + return 0; +} diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h index b5613b71742f..943e52bb2c31 100644 --- a/drivers/gpu/drm/amd/display/dc/dc.h +++ b/drivers/gpu/drm/amd/display/dc/dc.h @@ -2551,6 +2551,8 @@ struct dc_power_profile { struct dc_power_profile dc_get_power_profile_for_dc_state(const struct dc_state *context); +unsigned int dc_get_det_buffer_size_from_state(const struct dc_state *context); + /* DSC Interfaces */ #include "dc_dsc.h" diff --git a/drivers/gpu/drm/amd/display/dc/inc/core_types.h b/drivers/gpu/drm/amd/display/dc/inc/core_types.h index 8597e866bfe6..3061dca47dd2 100644 --- a/drivers/gpu/drm/amd/display/dc/inc/core_types.h +++ b/drivers/gpu/drm/amd/display/dc/inc/core_types.h @@ -219,6 +219,7 @@ struct resource_funcs { * Get indicator of power from a context that went through full validation */ int (*get_power_profile)(const struct dc_state *context); + unsigned int (*get_det_buffer_size)(const struct dc_state *context); }; struct audio_support{ diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c index c16cf1c8f7f9..54ec3d8e920c 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c @@ -1720,6 +1720,12 @@ int dcn31_populate_dml_pipes_from_context( return pipe_cnt; } +unsigned int dcn31_get_det_buffer_size( + const struct dc_state *context) +{ + return context->bw_ctx.dml.ip.det_buffer_size_kbytes; +} + void dcn31_calculate_wm_and_dlg( struct dc *dc, struct dc_state *context, display_e2e_pipe_params_st *pipes, @@ -1842,6 +1848,7 @@ static struct resource_funcs dcn31_res_pool_funcs = { .update_bw_bounding_box = dcn31_update_bw_bounding_box, .patch_unknown_plane_state = dcn20_patch_unknown_plane_state, .get_panel_config_defaults = dcn31_get_panel_config_defaults, + .get_det_buffer_size = dcn31_get_det_buffer_size, }; static struct clock_source *dcn30_clock_source_create( diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.h b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.h index 901436591ed4..551ad912f7be 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.h +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.h @@ -63,6 +63,9 @@ struct resource_pool *dcn31_create_resource_pool( const struct dc_init_data *init_data, struct dc *dc); +unsigned int dcn31_get_det_buffer_size( + const struct dc_state *context); + /*temp: B0 specific before switch to dcn313 headers*/ #ifndef regPHYPLLF_PIXCLK_RESYNC_CNTL #define regPHYPLLF_PIXCLK_RESYNC_CNTL 0x007e diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c index c0f48c78e968..2794473f2aff 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c @@ -1777,6 +1777,7 @@ static struct resource_funcs dcn314_res_pool_funcs = { .patch_unknown_plane_state = dcn20_patch_unknown_plane_state, .get_panel_config_defaults = dcn314_get_panel_config_defaults, .get_preferred_eng_id_dpia = dcn314_get_preferred_eng_id_dpia, + .get_det_buffer_size = dcn31_get_det_buffer_size, }; static struct clock_source *dcn30_clock_source_create( diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c index 6c3295259a81..4ee33eb3381d 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c @@ -1845,6 +1845,7 @@ static struct resource_funcs dcn315_res_pool_funcs = { .patch_unknown_plane_state = dcn20_patch_unknown_plane_state, .get_panel_config_defaults = dcn315_get_panel_config_defaults, .get_power_profile = dcn315_get_power_profile, + .get_det_buffer_size = dcn31_get_det_buffer_size, }; static bool dcn315_resource_construct( diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c index 6edaaadcb173..79eddbafe3c2 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c @@ -1719,6 +1719,7 @@ static struct resource_funcs dcn316_res_pool_funcs = { .update_bw_bounding_box = dcn316_update_bw_bounding_box, .patch_unknown_plane_state = dcn20_patch_unknown_plane_state, .get_panel_config_defaults = dcn316_get_panel_config_defaults, + .get_det_buffer_size = dcn31_get_det_buffer_size, }; static bool dcn316_resource_construct( diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c index 6cc2960b6104..09a5a9474903 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c @@ -1778,6 +1778,7 @@ static struct resource_funcs dcn35_res_pool_funcs = { .patch_unknown_plane_state = dcn20_patch_unknown_plane_state, .get_panel_config_defaults = dcn35_get_panel_config_defaults, .get_preferred_eng_id_dpia = dcn35_get_preferred_eng_id_dpia, + .get_det_buffer_size = dcn31_get_det_buffer_size, }; static bool dcn35_resource_construct( diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c index d87e2641cda1..fe382f9b6ff2 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c @@ -1757,6 +1757,7 @@ static struct resource_funcs dcn351_res_pool_funcs = { .patch_unknown_plane_state = dcn20_patch_unknown_plane_state, .get_panel_config_defaults = dcn35_get_panel_config_defaults, .get_preferred_eng_id_dpia = dcn351_get_preferred_eng_id_dpia, + .get_det_buffer_size = dcn31_get_det_buffer_size, }; static bool dcn351_resource_construct( -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH 1/9] drm/amd/display: Add a left edge pixel if in YCbCr422 or YCbCr420 and odm

by Alex Hung

From: Peterson Guo <peterson.guo(a)amd.com> [WHY] On some cards when odm is used, the monitor will have 2 separate pipes split vertically. When compression is used on the YCbCr colour space on the second pipe to have correct colours, we need to read a pixel from the end of first pipe to accurately display colours. Hardware was programmed properly to account for this extra pixel but it was not calculated properly in software causing a split screen on some monitors. [HOW] The fix adjusts the second pipe's viewport and timings if the pixel encoding is YCbCr422 or YCbCr420. Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Reviewed-by: George Shen <george.shen(a)amd.com> Signed-off-by: Peterson Guo <peterson.guo(a)amd.com> Signed-off-by: Alex Hung <alex.hung(a)amd.com> --- .../dc/resource/dcn20/dcn20_resource.c | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c index 189d0c85872e..7a5b9aa5292c 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn20/dcn20_resource.c @@ -1510,6 +1510,7 @@ bool dcn20_split_stream_for_odm( if (prev_odm_pipe->plane_state) { struct scaler_data *sd = &prev_odm_pipe->plane_res.scl_data; + struct output_pixel_processor *opp = next_odm_pipe->stream_res.opp; int new_width; /* HACTIVE halved for odm combine */ @@ -1543,7 +1544,28 @@ bool dcn20_split_stream_for_odm( sd->viewport_c.x += dc_fixpt_floor(dc_fixpt_mul_int( sd->ratios.horz_c, sd->h_active - sd->recout.x)); sd->recout.x = 0; + + /* + * When odm is used in YcbCr422 or 420 colour space, a split screen + * will be seen with the previous calculations since the extra left + * edge pixel is accounted for in fmt but not in viewport. + * + * Below are calculations which fix the split by fixing the calculations + * if there is an extra left edge pixel. + */ + if (opp && opp->funcs->opp_get_left_edge_extra_pixel_count + && opp->funcs->opp_get_left_edge_extra_pixel_count( + opp, next_odm_pipe->stream->timing.pixel_encoding, + resource_is_pipe_type(next_odm_pipe, OTG_MASTER)) == 1) { + sd->h_active += 1; + sd->recout.width += 1; + sd->viewport.x -= dc_fixpt_ceil(dc_fixpt_mul_int(sd->ratios.horz, 1)); + sd->viewport_c.x -= dc_fixpt_ceil(dc_fixpt_mul_int(sd->ratios.horz, 1)); + sd->viewport_c.width += dc_fixpt_ceil(dc_fixpt_mul_int(sd->ratios.horz, 1)); + sd->viewport.width += dc_fixpt_ceil(dc_fixpt_mul_int(sd->ratios.horz, 1)); + } } + if (!next_odm_pipe->top_pipe) next_odm_pipe->stream_res.opp = pool->opps[next_odm_pipe->pipe_idx]; else @@ -2132,6 +2154,7 @@ bool dcn20_fast_validate_bw( ASSERT(0); } } + /* Actual dsc count per stream dsc validation*/ if (!dcn20_validate_dsc(dc, context)) { context->bw_ctx.dml.vba.ValidationStatus[context->bw_ctx.dml.vba.soc.num_states] = -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH v7 3/3] drm: adv7511: Drop dsi single lane support

by Biju Das

As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Reported-by: Hien Huynh <hien.huynh.px(a)renesas.com> Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Reviewed-by: Adam Ford <aford173(a)gmail.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v7: - No change. Changes in v6: - Added Rb tag from Adam. Changes in v5: - No change. Changes in v4: - Added link to ADV7533 data sheet. - Collected tags Changes in v3: - Updated commit header and description - Updated fixes tag - Dropped single lane support Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 5f195e91b3e6..122ad91e8a32 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -172,7 +172,7 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) of_property_read_u32(np, "adi,dsi-lanes", &num_lanes); - if (num_lanes < 1 || num_lanes > 4) + if (num_lanes < 2 || num_lanes > 4) return -EINVAL; adv->num_dsi_lanes = num_lanes; -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH v7 2/3] dt-bindings: display: adi,adv7533: Drop single lane support

by Biju Das

As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane from bindings. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- v6->v7: * No change. v5->v6: * No change. v4->v5: * No change. v3->v4: * Added link to ADV7533 data sheet. * Collected tags. v3: * New patch. --- .../devicetree/bindings/display/bridge/adi,adv7533.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml index df20a3c9c744..ec89115c74e4 100644 --- a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml +++ b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml @@ -90,7 +90,7 @@ properties: adi,dsi-lanes: description: Number of DSI data lanes connected to the DSI host. $ref: /schemas/types.yaml#/definitions/uint32 - enum: [ 1, 2, 3, 4 ] + enum: [ 2, 3, 4 ] "#sound-dai-cells": const: 0 -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH v7 1/3] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()

by Biju Das

The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v7: - Dropped check for host_node as of_node_put() is a no-op when called with a NULL pointer. - Added Rb tag from Laurent. Changes in v6: - Fixed memory leak by adding goto stattement in error path of adv7511_init_regulators(). Changes in v5: - Updated commit description. - restored host_node in struct adv7511. - Dropped of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Changes in v4: - Updated commit description. - Dropped host_node from struct adv7511 and instead used a local pointer in probe(). Also freeing of host_node pointer after use is done in probe(). Changes in v3: - Replace __free construct with readable of_node_put(). Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 10 ++++++++-- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 -- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..a13b3d8ab6ac 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c) return ret; ret = adv7511_init_regulators(adv7511); - if (ret) - return dev_err_probe(dev, ret, "failed to init regulators\n"); + if (ret) { + dev_err_probe(dev, ret, "failed to init regulators\n"); + goto err_of_node_put; + } /* * The power down GPIO is optional. If present, toggle it from active to @@ -1363,6 +1365,8 @@ static int adv7511_probe(struct i2c_client *i2c) i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: adv7511_uninit_regulators(adv7511); +err_of_node_put: + of_node_put(adv7511->host_node); return ret; } @@ -1371,6 +1375,8 @@ static void adv7511_remove(struct i2c_client *i2c) { struct adv7511 *adv7511 = i2c_get_clientdata(i2c); + of_node_put(adv7511->host_node); + adv7511_uninit_regulators(adv7511); drm_bridge_remove(&adv7511->bridge); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5f195e91b3e6 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator"); -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH v6 1/3] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()

by Biju Das

The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v6: - Fixed memory leak by adding goto stattement in error path of adv7511_init_regulators(). Changes in v5: - Updated commit description. - restored host_node in struct adv7511. - Dropped of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Changes in v4: - Updated commit description. - Dropped host_node from struct adv7511 and instead used a local pointer in probe(). Also freeing of host_node pointer after use is done in probe(). Changes in v3: - Replace __free construct with readable of_node_put(). Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 12 ++++++++++-- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 -- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..f5525c12f0cd 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1241,8 +1241,10 @@ static int adv7511_probe(struct i2c_client *i2c) return ret; ret = adv7511_init_regulators(adv7511); - if (ret) - return dev_err_probe(dev, ret, "failed to init regulators\n"); + if (ret) { + dev_err_probe(dev, ret, "failed to init regulators\n"); + goto err_of_node_put; + } /* * The power down GPIO is optional. If present, toggle it from active to @@ -1363,6 +1365,9 @@ static int adv7511_probe(struct i2c_client *i2c) i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: adv7511_uninit_regulators(adv7511); +err_of_node_put: + if (adv7511->host_node) + of_node_put(adv7511->host_node); return ret; } @@ -1371,6 +1376,9 @@ static void adv7511_remove(struct i2c_client *i2c) { struct adv7511 *adv7511 = i2c_get_clientdata(i2c); + if (adv7511->host_node) + of_node_put(adv7511->host_node); + adv7511_uninit_regulators(adv7511); drm_bridge_remove(&adv7511->bridge); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5f195e91b3e6 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator"); -- 2.43.0

9 months, 4 weeks

2
2
0 0

[PATCH v6 3/3] drm: adv7511: Drop dsi single lane support

by Biju Das

As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Reported-by: Hien Huynh <hien.huynh.px(a)renesas.com> Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Reviewed-by: Adam Ford <aford173(a)gmail.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v6: - Added Rb tag from Adam. Changes in v5: - No change. Changes in v4: - Added link to ADV7533 data sheet. - Collected tags Changes in v3: - Updated commit header and description - Updated fixes tag - Dropped single lane support Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 5f195e91b3e6..122ad91e8a32 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -172,7 +172,7 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) of_property_read_u32(np, "adi,dsi-lanes", &num_lanes); - if (num_lanes < 1 || num_lanes > 4) + if (num_lanes < 2 || num_lanes > 4) return -EINVAL; adv->num_dsi_lanes = num_lanes; -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH v6 2/3] dt-bindings: display: adi,adv7533: Drop single lane support

by Biju Das

As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane from bindings. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- v5->v6: * No change. v4->v5: * No change. v3->v4: * Added link to ADV7533 data sheet. * Collected tags. v3: * New patch. --- .../devicetree/bindings/display/bridge/adi,adv7533.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml index df20a3c9c744..ec89115c74e4 100644 --- a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml +++ b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml @@ -90,7 +90,7 @@ properties: adi,dsi-lanes: description: Number of DSI data lanes connected to the DSI host. $ref: /schemas/types.yaml#/definitions/uint32 - enum: [ 1, 2, 3, 4 ] + enum: [ 2, 3, 4 ] "#sound-dai-cells": const: 0 -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH v5 1/3] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()

by Biju Das

The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() uses the same. Fix this use-after-free issue by dropping of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v5: - Updated commit description. - restored host_node in struct adv7511. - Dropped of_node_put() in adv7533_parse_dt() and calling of_node_put() in error path of probe() and also in the remove(). Changes in v4: - Updated commit description. - Dropped host_node from struct adv7511 and instead used a local pointer in probe(). Also freeing of host_node pointer after use is done in probe(). Changes in v3: - Replace __free construct with readable of_node_put(). Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 5 +++++ drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 -- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..6cfdda04f52f 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1363,6 +1363,8 @@ static int adv7511_probe(struct i2c_client *i2c) i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: adv7511_uninit_regulators(adv7511); + if (adv7511->host_node) + of_node_put(adv7511->host_node); return ret; } @@ -1371,6 +1373,9 @@ static void adv7511_remove(struct i2c_client *i2c) { struct adv7511 *adv7511 = i2c_get_clientdata(i2c); + if (adv7511->host_node) + of_node_put(adv7511->host_node); + adv7511_uninit_regulators(adv7511); drm_bridge_remove(&adv7511->bridge); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5f195e91b3e6 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -181,8 +181,6 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) if (!adv->host_node) return -ENODEV; - of_node_put(adv->host_node); - adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator"); -- 2.43.0

9 months, 4 weeks

2
2
0 0

[PATCH] ublk: fix error code for unsupported command

by Ming Lei

ENOTSUPP is for kernel use only, and shouldn't be sent to userspace. Fix it by replacing it with EOPNOTSUPP. Cc: stable(a)vger.kernel.org Fixes: bfbcef036396 ("ublk_drv: move ublk_get_device_from_id into ublk_ctrl_uring_cmd") Signed-off-by: Ming Lei <ming.lei(a)redhat.com> --- drivers/block/ublk_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index c6d18cd8af44..d4aed12dd436 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -3041,7 +3041,7 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd, ret = ublk_ctrl_end_recovery(ub, cmd); break; default: - ret = -ENOTSUPP; + ret = -EOPNOTSUPP; break; } -- 2.44.0

9 months, 4 weeks

2
1
0 0

[PATCH v2] usb: typec: anx7411: fix OF node reference leaks in anx7411_typec_switch_probe()

by Joe Hattori

The refcounts of the OF nodes obtained in by of_get_child_by_name() calls in anx7411_typec_switch_probe() are not decremented, so add fwnode_handle_put() calls to anx7411_unregister_switch() and anx7411_unregister_mux(). Fixes: e45d7337dc0e ("usb: typec: anx7411: Use of_get_child_by_name() instead of of_find_node_by_name()") Cc: stable(a)vger.kernel.org Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> --- Changed in v2: - Add the Cc: stable(a)vger.kernel.org tag. --- drivers/usb/typec/anx7411.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c index cdb7e8273823..d3c5d8f410ca 100644 --- a/drivers/usb/typec/anx7411.c +++ b/drivers/usb/typec/anx7411.c @@ -29,6 +29,8 @@ #include <linux/workqueue.h> #include <linux/power_supply.h> +#include "mux.h" + #define TCPC_ADDRESS1 0x58 #define TCPC_ADDRESS2 0x56 #define TCPC_ADDRESS3 0x54 @@ -1094,6 +1096,7 @@ static void anx7411_unregister_mux(struct anx7411_data *ctx) { if (ctx->typec.typec_mux) { typec_mux_unregister(ctx->typec.typec_mux); + fwnode_handle_put(ctx->typec.typec_mux->dev.fwnode); ctx->typec.typec_mux = NULL; } } @@ -1102,6 +1105,7 @@ static void anx7411_unregister_switch(struct anx7411_data *ctx) { if (ctx->typec.typec_switch) { typec_switch_unregister(ctx->typec.typec_switch); + fwnode_handle_put(ctx->typec.typec_switch->dev.fwnode); ctx->typec.typec_switch = NULL; } } -- 2.34.1

9 months, 4 weeks

2
1
0 0

[PATCH 6.6.y 0/6] mptcp: fix recent failed backports

by Matthieu Baerts (NGI0)

Greg recently reported 3 patches that could not be applied without conflict in v6.6: - e0266319413d ("mptcp: update local address flags when setting it") - f642c5c4d528 ("mptcp: hold pm lock when deleting entry") - db3eab8110bc ("mptcp: pm: use _rcu variant under rcu_read_lock") Conflicts, if any, have been resolved, and documented in each patch. Note that there are 3 extra patches added to avoid some conflicts: - 14cb0e0bf39b ("mptcp: define more local variables sk") - 06afe09091ee ("mptcp: add userspace_pm_lookup_addr_by_id helper") - af250c27ea1c ("mptcp: drop lookup_by_id in lookup_addr") The Stable-dep-of tags have been added to these patches. Geliang Tang (5): mptcp: define more local variables sk mptcp: add userspace_pm_lookup_addr_by_id helper mptcp: update local address flags when setting it mptcp: hold pm lock when deleting entry mptcp: drop lookup_by_id in lookup_addr Matthieu Baerts (NGI0) (1): mptcp: pm: use _rcu variant under rcu_read_lock net/mptcp/pm_netlink.c | 15 ++++---- net/mptcp/pm_userspace.c | 77 ++++++++++++++++++++++++++-------------- 2 files changed, 58 insertions(+), 34 deletions(-) -- 2.45.2

9 months, 4 weeks

3
8
0 0

[PATCH 6.1 0/5] Address CVE-2024-49974

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Backport the set of upstream patches that cap the number of concurrent background NFSv4.2 COPY operations. Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +++++++++++++++++------------------- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + 4 files changed, 20 insertions(+), 19 deletions(-) -- 2.47.0

9 months, 4 weeks

5
9
0 0

Fix build ID parsing logic in stable trees

by Jiri Olsa

hi, sending fix for buildid parsing that affects only stable trees after merging upstream fix [1]. Upstream then factored out the whole buildid parsing code, so it does not have the problem. I'm sending the fix for affected longterm trees 5.15 6.1 6.6 6.11. thanks, jirka [1] 905415ff3ffb ("lib/buildid: harden build ID parsing logic")

9 months, 4 weeks

5
17
0 0

[PATCH 6.1.y v2 0/4] fix error handling in mmap_region() and refactor (hotfixes)

by Lorenzo Stoakes

Critical fixes for mmap_region(), backported to 6.1.y. Some notes on differences from upstream: * We do NOT take commit 0fb4a7ad270b ("mm: refactor map_deny_write_exec()"), as this refactors code only introduced in 6.2. * We make reference in "mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling" to parisc, but the referenced functionality does not exist in this kernel. * In this kernel is_shared_maywrite() does not exist and the code uses VM_SHARED to determine whether mapping_map_writable() / mapping_unmap_writable() should be invoked. This backport therefore follows suit. * The vma_dummy_vm_ops static global doesn't exist in this kernel, so we use a local static variable in mmap_file() and vma_close(). * Each version of these series is confronted by a slightly different mmap_region(), so we must adapt the change for each stable version. The approach remains the same throughout, however, and we correctly avoid closing the VMA part way through any __mmap_region() operation. * This version of the kernel uses mas_preallocate() rather than the vma_iter_prealloc() wrapper and mas_destroy() rather than the vma_iter_free() wrapper, however the logic of rearranging the positioning of these remains the same, as well as avoiding the iterator leak we previously had on some error paths. v2: * Fix 6.1-specific memory leak if second attempt at merge succeeds. v1: https://lore.kernel.org/all/4cb9b846f0c4efcc4a2b21453eea4e4d0136efc8.173167… Lorenzo Stoakes (4): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour arch/arm64/include/asm/mman.h | 10 ++- include/linux/mman.h | 7 +- mm/internal.h | 19 ++++++ mm/mmap.c | 120 ++++++++++++++++++---------------- mm/nommu.c | 9 ++- mm/shmem.c | 3 - mm/util.c | 33 ++++++++++ 7 files changed, 130 insertions(+), 71 deletions(-) -- 2.47.0

9 months, 4 weeks

3
6
0 0

[PATCH 6.12.y] mm/mmap: fix __mmap_region() error handling in rare merge failure case

by Liam R. Howlett

From: "Liam R. Howlett" <Liam.Howlett(a)Oracle.com> The mmap_region() function tries to install a new vma, which requires a pre-allocation for the maple tree write due to the complex locking scenarios involved. Recent efforts to simplify the error recovery required the relocation of the preallocation of the maple tree nodes (via vma_iter_prealloc() calling mas_preallocate()) higher in the function. The relocation of the preallocation meant that, if there was a file associated with the vma and the driver call (mmap_file()) modified the vma flags, then a new merge of the new vma with existing vmas is attempted. During the attempt to merge the existing vma with the new vma, the vma iterator is used - the same iterator that would be used for the next write attempt to the tree. In the event of needing a further allocation and if the new allocations fails, the vma iterator (and contained maple state) will cleaned up, including freeing all previous allocations and will be reset internally. Upon returning to the __mmap_region() function, the error reason is lost and the function sets the vma iterator limits, and then tries to continue to store the new vma using vma_iter_store() - which expects preallocated nodes. A preallocation should be performed in case the allocations were lost during the failure scenario - there is no risk of over allocating. The range is already set in the vma_iter_store() call below, so it is not necessary. Reported-by: syzbot+bc6bfc25a68b7a020ee1(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000 Fixes: 5de195060b2e2 ("mm: resolve faulty mmap_region() error path behaviour") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)Oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Jann Horn <jannh(a)google.com> Cc: <stable(a)vger.kernel.org> --- mm/mmap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mm/mmap.c b/mm/mmap.c index 79d541f1502b2..5cef9a1981f1b 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1491,7 +1491,10 @@ static unsigned long __mmap_region(struct file *file, unsigned long addr, vm_flags = vma->vm_flags; goto file_expanded; } - vma_iter_config(&vmi, addr, end); + if (vma_iter_prealloc(&vmi, vma)) { + error = -ENOMEM; + goto unmap_and_free_file_vma; + } } vm_flags = vma->vm_flags; -- 2.43.0

9 months, 4 weeks

4
6
0 0

[PATCH] usb: typec: anx7411: fix fwnode_handle reference leak

by Joe Hattori

An fwnode_handle is obtained with an incremented refcount in anx7411_typec_port_probe(), however the refcount is not decremented in the error path or in the .remove() function. Therefore call fwnode_handle_put() accordingly. Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support") Cc: stable(a)vger.kernel.org Signed-off-by: Joe Hattori <joe(a)pf.is.s.u-tokyo.ac.jp> --- drivers/usb/typec/anx7411.c | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c index 7e61c3ac8777..d3c5d8f410ca 100644 --- a/drivers/usb/typec/anx7411.c +++ b/drivers/usb/typec/anx7411.c @@ -1023,6 +1023,12 @@ static void anx7411_port_unregister_altmodes(struct typec_altmode **adev) } } +static void anx7411_port_unregister(struct typec_params *typecp) +{ + fwnode_handle_put(typecp->caps.fwnode); + anx7411_port_unregister_altmodes(typecp->port_amode); +} + static int anx7411_usb_mux_set(struct typec_mux_dev *mux, struct typec_mux_state *state) { @@ -1158,34 +1164,34 @@ static int anx7411_typec_port_probe(struct anx7411_data *ctx, ret = fwnode_property_read_string(fwnode, "power-role", &buf); if (ret) { dev_err(dev, "power-role not found: %d\n", ret); - return ret; + goto put_fwnode; } ret = typec_find_port_power_role(buf); if (ret < 0) - return ret; + goto put_fwnode; cap->type = ret; ret = fwnode_property_read_string(fwnode, "data-role", &buf); if (ret) { dev_err(dev, "data-role not found: %d\n", ret); - return ret; + goto put_fwnode; } ret = typec_find_port_data_role(buf); if (ret < 0) - return ret; + goto put_fwnode; cap->data = ret; ret = fwnode_property_read_string(fwnode, "try-power-role", &buf); if (ret) { dev_err(dev, "try-power-role not found: %d\n", ret); - return ret; + goto put_fwnode; } ret = typec_find_power_role(buf); if (ret < 0) - return ret; + goto put_fwnode; cap->prefer_role = ret; /* Get source pdos */ @@ -1197,7 +1203,7 @@ static int anx7411_typec_port_probe(struct anx7411_data *ctx, typecp->src_pdo_nr); if (ret < 0) { dev_err(dev, "source cap validate failed: %d\n", ret); - return -EINVAL; + goto put_fwnode; } typecp->caps_flags |= HAS_SOURCE_CAP; @@ -1211,7 +1217,7 @@ static int anx7411_typec_port_probe(struct anx7411_data *ctx, typecp->sink_pdo_nr); if (ret < 0) { dev_err(dev, "sink cap validate failed: %d\n", ret); - return -EINVAL; + goto put_fwnode; } for (i = 0; i < typecp->sink_pdo_nr; i++) { @@ -1255,13 +1261,18 @@ static int anx7411_typec_port_probe(struct anx7411_data *ctx, ret = PTR_ERR(ctx->typec.port); ctx->typec.port = NULL; dev_err(dev, "Failed to register type c port %d\n", ret); - return ret; + goto put_fwnode; } typec_port_register_altmodes(ctx->typec.port, NULL, ctx, ctx->typec.port_amode, MAX_ALTMODE); return 0; + +put_fwnode: + fwnode_handle_put(fwnode); + + return ret; } static int anx7411_typec_check_connection(struct anx7411_data *ctx) @@ -1528,7 +1539,7 @@ static int anx7411_i2c_probe(struct i2c_client *client) free_typec_port: typec_unregister_port(plat->typec.port); - anx7411_port_unregister_altmodes(plat->typec.port_amode); + anx7411_port_unregister(&plat->typec); free_typec_switch: anx7411_unregister_switch(plat); @@ -1562,7 +1573,7 @@ static void anx7411_i2c_remove(struct i2c_client *client) if (plat->typec.port) typec_unregister_port(plat->typec.port); - anx7411_port_unregister_altmodes(plat->typec.port_amode); + anx7411_port_unregister(&plat->typec); } static const struct i2c_device_id anx7411_id[] = { -- 2.34.1

9 months, 4 weeks

2
1
0 0

FAILED: patch "[PATCH] mm: revert "mm: shmem: fix data-race in shmem_getattr()"" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x d1aa0c04294e29883d65eac6c2f72fe95cc7c049 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111702-gonad-immobile-513e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d1aa0c04294e29883d65eac6c2f72fe95cc7c049 Mon Sep 17 00:00:00 2001 From: Andrew Morton <akpm(a)linux-foundation.org> Date: Fri, 15 Nov 2024 16:57:24 -0800 Subject: [PATCH] mm: revert "mm: shmem: fix data-race in shmem_getattr()" Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as suggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over NFS. As Hugh commented, "added just to silence a syzbot sanitizer splat: added where there has never been any practical problem". Link: https://lkml.kernel.org/r/ZzdxKF39VEmXSSyN@tissot.1015granger.net [1] Fixes: d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") Acked-by: Hugh Dickins <hughd(a)google.com> Cc: Chuck Lever <chuck.lever(a)oracle.com> Cc: Jeongjun Park <aha310510(a)gmail.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/shmem.c b/mm/shmem.c index e87f5d6799a7..568bb290bdce 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1166,9 +1166,7 @@ static int shmem_getattr(struct mnt_idmap *idmap, stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); - inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); - inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE;

9 months, 4 weeks

4
4
0 0

[PATCH 6.6.y 0/5] fix error handling in mmap_region() and refactor (hotfixes)

by Lorenzo Stoakes

Critical fixes for mmap_region(), backported to 6.6.y. Some notes on differences from upstream: * In this kernel is_shared_maywrite() does not exist and the code uses VM_SHARED to determine whether mapping_map_writable() / mapping_unmap_writable() should be invoked. This backport therefore follows suit. * Each version of these series is confronted by a slightly different mmap_region(), so we must adapt the change for each stable version. The approach remains the same throughout, however, and we correctly avoid closing the VMA part way through any __mmap_region() operation. Lorenzo Stoakes (5): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor map_deny_write_exec() mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour arch/arm64/include/asm/mman.h | 10 ++- arch/parisc/include/asm/mman.h | 5 +- include/linux/mman.h | 28 ++++++-- mm/internal.h | 45 ++++++++++++ mm/mmap.c | 128 ++++++++++++++++++--------------- mm/mprotect.c | 2 +- mm/nommu.c | 9 ++- mm/shmem.c | 3 - 8 files changed, 153 insertions(+), 77 deletions(-) -- 2.47.0

9 months, 4 weeks

5
10
0 0

[PATCH v5 3/3] drm: adv7511: Drop dsi single lane support

by Biju Das

As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Reported-by: Hien Huynh <hien.huynh.px(a)renesas.com> Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v5: - No change. Changes in v4: - Added link to ADV7533 data sheet. - Collected tags Changes in v3: - Updated commit header and description - Updated fixes tag - Dropped single lane support Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 5f195e91b3e6..122ad91e8a32 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -172,7 +172,7 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) of_property_read_u32(np, "adi,dsi-lanes", &num_lanes); - if (num_lanes < 1 || num_lanes > 4) + if (num_lanes < 2 || num_lanes > 4) return -EINVAL; adv->num_dsi_lanes = num_lanes; -- 2.43.0

9 months, 4 weeks

2
1
0 0

[PATCH 6.1 v2] parisc: fix a possible DMA corruption

by Bin Lan

From: Mikulas Patocka <mpatocka(a)redhat.com> [ Upstream commit 7ae04ba36b381bffe2471eff3a93edced843240f ] ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be possible that two unrelated 16-byte allocations share a cache line. If one of these allocations is written using DMA and the other is written using cached write, the value that was written with DMA may be corrupted. This commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 - that's the largest possible cache line size. As different parisc microarchitectures have different cache line size, we define arch_slab_minalign(), cache_line_size() and dma_get_cache_alignment() so that the kernel may tune slab cache parameters dynamically, based on the detected cache line size. Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- arch/parisc/Kconfig | 1 + arch/parisc/include/asm/cache.h | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig index 3341d4a42199..3a32b49d7ad0 100644 --- a/arch/parisc/Kconfig +++ b/arch/parisc/Kconfig @@ -18,6 +18,7 @@ config PARISC select ARCH_SUPPORTS_HUGETLBFS if PA20 select ARCH_SUPPORTS_MEMORY_FAILURE select ARCH_STACKWALK + select ARCH_HAS_CACHE_LINE_SIZE select ARCH_HAS_DEBUG_VM_PGTABLE select HAVE_RELIABLE_STACKTRACE select DMA_OPS diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h index e23d06b51a20..91e753f08eaa 100644 --- a/arch/parisc/include/asm/cache.h +++ b/arch/parisc/include/asm/cache.h @@ -20,7 +20,16 @@ #define SMP_CACHE_BYTES L1_CACHE_BYTES -#define ARCH_DMA_MINALIGN L1_CACHE_BYTES +#ifdef CONFIG_PA20 +#define ARCH_DMA_MINALIGN 128 +#else +#define ARCH_DMA_MINALIGN 32 +#endif +#define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */ + +#define arch_slab_minalign() ((unsigned)dcache_stride) +#define cache_line_size() dcache_stride +#define dma_get_cache_alignment cache_line_size #define __read_mostly __section(".data..read_mostly") -- 2.43.0

9 months, 4 weeks

1
0
0 0

FAILED: patch "[PATCH] mm: revert "mm: shmem: fix data-race in shmem_getattr()"" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x d1aa0c04294e29883d65eac6c2f72fe95cc7c049 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111703-uncork-sincerity-4d6e@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From d1aa0c04294e29883d65eac6c2f72fe95cc7c049 Mon Sep 17 00:00:00 2001 From: Andrew Morton <akpm(a)linux-foundation.org> Date: Fri, 15 Nov 2024 16:57:24 -0800 Subject: [PATCH] mm: revert "mm: shmem: fix data-race in shmem_getattr()" Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as suggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over NFS. As Hugh commented, "added just to silence a syzbot sanitizer splat: added where there has never been any practical problem". Link: https://lkml.kernel.org/r/ZzdxKF39VEmXSSyN@tissot.1015granger.net [1] Fixes: d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") Acked-by: Hugh Dickins <hughd(a)google.com> Cc: Chuck Lever <chuck.lever(a)oracle.com> Cc: Jeongjun Park <aha310510(a)gmail.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/shmem.c b/mm/shmem.c index e87f5d6799a7..568bb290bdce 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1166,9 +1166,7 @@ static int shmem_getattr(struct mnt_idmap *idmap, stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); - inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); - inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE;

9 months, 4 weeks

3
2
0 0

[PATCH 6.1] parisc: fix a possible DMA corruption

by Bin Lan

From: Mikulas Patocka <mpatocka(a)redhat.com> ARCH_DMA_MINALIGN was defined as 16 - this is too small - it may be possible that two unrelated 16-byte allocations share a cache line. If one of these allocations is written using DMA and the other is written using cached write, the value that was written with DMA may be corrupted. This commit changes ARCH_DMA_MINALIGN to be 128 on PA20 and 32 on PA1.1 - that's the largest possible cache line size. As different parisc microarchitectures have different cache line size, we define arch_slab_minalign(), cache_line_size() and dma_get_cache_alignment() so that the kernel may tune slab cache parameters dynamically, based on the detected cache line size. Signed-off-by: Mikulas Patocka <mpatocka(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Helge Deller <deller(a)gmx.de> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- arch/parisc/Kconfig | 1 + arch/parisc/include/asm/cache.h | 11 ++++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig index 3341d4a42199..3a32b49d7ad0 100644 --- a/arch/parisc/Kconfig +++ b/arch/parisc/Kconfig @@ -18,6 +18,7 @@ config PARISC select ARCH_SUPPORTS_HUGETLBFS if PA20 select ARCH_SUPPORTS_MEMORY_FAILURE select ARCH_STACKWALK + select ARCH_HAS_CACHE_LINE_SIZE select ARCH_HAS_DEBUG_VM_PGTABLE select HAVE_RELIABLE_STACKTRACE select DMA_OPS diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h index e23d06b51a20..91e753f08eaa 100644 --- a/arch/parisc/include/asm/cache.h +++ b/arch/parisc/include/asm/cache.h @@ -20,7 +20,16 @@ #define SMP_CACHE_BYTES L1_CACHE_BYTES -#define ARCH_DMA_MINALIGN L1_CACHE_BYTES +#ifdef CONFIG_PA20 +#define ARCH_DMA_MINALIGN 128 +#else +#define ARCH_DMA_MINALIGN 32 +#endif +#define ARCH_KMALLOC_MINALIGN 16 /* ldcw requires 16-byte alignment */ + +#define arch_slab_minalign() ((unsigned)dcache_stride) +#define cache_line_size() dcache_stride +#define dma_get_cache_alignment cache_line_size #define __read_mostly __section(".data..read_mostly") -- 2.43.0

9 months, 4 weeks

2
2
0 0

[PATCH 6.1.y 0/2] Backport fix of CVE-2024-36915 to 6.1

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> Following series is a backport of CVE-2024-36915 The fix is "nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies" This required 1 extra commit to make sure the picks are clean: net: add copy_safe_from_sockptr() helper Eric Dumazet (2): net: add copy_safe_from_sockptr() helper nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies include/linux/sockptr.h | 25 +++++++++++++++++++++++++ net/nfc/llcp_sock.c | 12 ++++++------ 2 files changed, 31 insertions(+), 6 deletions(-) -- 2.43.0

9 months, 4 weeks

2
3
0 0

[PATCH v5 2/3] dt-bindings: display: adi,adv7533: Drop single lane support

by Biju Das

As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane from bindings. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- v4->v5: * No change. v3->v4: * Added link to ADV7533 data sheet. * Collected tags. v3: * New patch. --- .../devicetree/bindings/display/bridge/adi,adv7533.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml index df20a3c9c744..ec89115c74e4 100644 --- a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml +++ b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml @@ -90,7 +90,7 @@ properties: adi,dsi-lanes: description: Number of DSI data lanes connected to the DSI host. $ref: /schemas/types.yaml#/definitions/uint32 - enum: [ 1, 2, 3, 4 ] + enum: [ 2, 3, 4 ] "#sound-dai-cells": const: 0 -- 2.43.0

9 months, 4 weeks

1
0
0 0

[PATCH 6.1.y 0/7] mptcp: fix recent failed backports

by Matthieu Baerts (NGI0)

Greg recently reported 3 patches that could not be applied without conflict in v6.1: - e0266319413d ("mptcp: update local address flags when setting it") - f642c5c4d528 ("mptcp: hold pm lock when deleting entry") - db3eab8110bc ("mptcp: pm: use _rcu variant under rcu_read_lock") Conflicts, if any, have been resolved, and documented in each patch. Note that there are 3 extra patches added to avoid some conflicts: - 14cb0e0bf39b ("mptcp: define more local variables sk") - 06afe09091ee ("mptcp: add userspace_pm_lookup_addr_by_id helper") - af250c27ea1c ("mptcp: drop lookup_by_id in lookup_addr") The Stable-dep-of tags have been added to these patches. 1 extra patch has been included, it is supposed to be backported, but it was missing the Cc stable tag and it had conflicts: - ce7356ae3594 ("mptcp: cope racing subflow creation in mptcp_rcv_space_adjust") Geliang Tang (5): mptcp: define more local variables sk mptcp: add userspace_pm_lookup_addr_by_id helper mptcp: update local address flags when setting it mptcp: hold pm lock when deleting entry mptcp: drop lookup_by_id in lookup_addr Matthieu Baerts (NGI0) (1): mptcp: pm: use _rcu variant under rcu_read_lock Paolo Abeni (1): mptcp: cope racing subflow creation in mptcp_rcv_space_adjust net/mptcp/pm_netlink.c | 15 ++++---- net/mptcp/pm_userspace.c | 77 ++++++++++++++++++++++++++-------------- net/mptcp/protocol.c | 3 +- 3 files changed, 60 insertions(+), 35 deletions(-) -- 2.45.2

9 months, 4 weeks

2
8
0 0

[PATCH 6.11 000/184] 6.11.8-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.11.8 release. There are 184 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 14 Nov 2024 10:18:19 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.11.8-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.11.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.11.8-rc1 Hyunwoo Kim <v4bel(a)theori.io> vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans Hyunwoo Kim <v4bel(a)theori.io> hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Paul E. McKenney <paulmck(a)kernel.org> xtensa: Emulate one-byte cmpxchg Mingcong Bai <jeffbai(a)aosc.io> ASoC: amd: yc: fix internal mic on Xiaomi Book Pro 14 2022 Nirmoy Das <nirmoy.das(a)intel.com> drm/xe/guc/tlb: Flush g2h worker in case of tlb timeout Nirmoy Das <nirmoy.das(a)intel.com> drm/xe/ufence: Flush xe ordered_wq in case of ufence timeout Nirmoy Das <nirmoy.das(a)intel.com> drm/xe: Move LNL scheduling WA to xe_device.h Badal Nilawar <badal.nilawar(a)intel.com> drm/xe/guc/ct: Flush g2h worker in case of g2h response timeout Christoph Hellwig <hch(a)lst.de> block: fix queue limits checks in blk_rq_map_user_bvec for real Christoph Hellwig <hch(a)lst.de> block: rework bio splitting Johan Hovold <johan+linaro(a)kernel.org> firmware: qcom: scm: suppress download mode error Mukesh Ojha <quic_mojha(a)quicinc.com> firmware: qcom: scm: Refactor code to support multiple dload mode Muhammad Usama Anjum <usama.anjum(a)collabora.com> selftests: hugetlb_dio: check for initial conditions to skip in the start Andrei Vagin <avagin(a)google.com> ucounts: fix counter leak in inc_rlimit_get_ucounts() Andrew Kanner <andrew.kanner(a)gmail.com> ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() Marc Zyngier <maz(a)kernel.org> irqchip/gic-v3: Force propagation of the active state with a read-back Umang Jain <umang.jain(a)ideasonboard.com> staging: vchiq_arm: Use devm_kzalloc() for vchiq_arm_state allocation Umang Jain <umang.jain(a)ideasonboard.com> staging: vchiq_arm: Use devm_kzalloc() for drv_mgmt allocation Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Fix connection issue with Pluggable UD-4VPD dock Qiang Yu <quic_qianyu(a)quicinc.com> clk: qcom: gcc-x1e80100: Fix halt_check for pipediv2 clocks Johan Hovold <johan+linaro(a)kernel.org> clk: qcom: videocc-sm8350: use HW_CTRL_TRIGGER for vcodec GDSCs Benoît Monin <benoit.monin(a)gmx.fr> USB: serial: option: add Quectel RG650V Reinhard Speyerer <rspmn(a)arcor.de> USB: serial: option: add Fibocom FG132 0x0112 composition Jack Wu <wojackbb(a)gmail.com> USB: serial: qcserial: add support for Sierra Wireless EM86xx Dan Carpenter <dan.carpenter(a)linaro.org> USB: serial: io_edgeport: fix use after free in debug printk Dan Carpenter <dan.carpenter(a)linaro.org> usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() Rex Nie <rex.nie(a)jaguarmicro.com> usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier Roger Quadros <rogerq(a)kernel.org> usb: dwc3: fix fault at system suspend if device was already runtime suspended Zijun Hu <quic_zijuhu(a)quicinc.com> usb: musb: sunxi: Fix accessing an released usb phy Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Add only on-board retimers when !CONFIG_USB4_DEBUGFS_MARGINING Hugh Dickins <hughd(a)google.com> mm/thp: fix deferred split unqueue naming and locking Wei Yang <richard.weiyang(a)gmail.com> mm/mlock: set the correct prev on failure SeongJae Park <sj(a)kernel.org> mm/damon/core: handle zero schemes apply interval SeongJae Park <sj(a)kernel.org> mm/damon/core: handle zero {aggregation,ops_update} intervals SeongJae Park <sj(a)kernel.org> mm/damon/core: avoid overflow in damon_feed_loop_next_input() Roman Gushchin <roman.gushchin(a)linux.dev> signal: restore the override_rlimit logic Masami Hiramatsu (Google) <mhiramat(a)kernel.org> objpool: fix to make percpu slot allocation more robust Qi Xi <xiqi2(a)huawei.com> fs/proc: fix compile warning about variable 'vmcore_mmap_ops' Barnabás Czémán <barnabas.czeman(a)mainlining.org> clk: qcom: clk-alpha-pll: Fix pll post div mask when width is not set Abel Vesa <abel.vesa(a)linaro.org> clk: qcom: gcc-x1e80100: Fix USB MP SS1 PHY GDSC pwrsts flags Liu Peibao <loven.liu(a)jaguarmicro.com> i2c: designware: do not hold SCL low when I2C_DYNAMIC_TAR_UPDATE is not set Trond Myklebust <trond.myklebust(a)hammerspace.com> filemap: Fix bounds checking in filemap_read() Benoit Sevens <bsevens(a)google.com> media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Shyam Sundar S K <Shyam-sundar.S-k(a)amd.com> platform/x86/amd/pmf: Add SMU metrics table support for 1Ah family 60h model Shyam Sundar S K <Shyam-sundar.S-k(a)amd.com> platform/x86/amd/pmf: Update SMU metrics table for 1AH family series Shyam Sundar S K <Shyam-sundar.S-k(a)amd.com> platform/x86/amd/pmf: Relocate CPU ID macros to the PMF header Filipe Manana <fdmanana(a)suse.com> btrfs: reinitialize delayed ref list after deleting it from the list Qu Wenruo <wqu(a)suse.com> btrfs: fix per-subvolume RO/RW flags with new mount API Haisu Wang <haisuwang(a)tencent.com> btrfs: fix the length of reserved qgroup to free Pavan Kumar Linga <pavan.kumar.linga(a)intel.com> idpf: fix idpf_vc_core_init error path Pavan Kumar Linga <pavan.kumar.linga(a)intel.com> idpf: avoid vport access in idpf_get_link_ksettings Gautam Menghani <gautam(a)linux.ibm.com> KVM: PPC: Book3S HV: Mask off LPCR_MER for a vCPU before running it to avoid spurious interrupts Koichiro Den <koichiro.den(a)gmail.com> mm/slab: fix warning caused by duplicate kmem_cache creation in kmem_buckets_create Mark Rutland <mark.rutland(a)arm.com> arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint Mark Rutland <mark.rutland(a)arm.com> arm64: Kconfig: Make SME depend on BROKEN for now Mark Brown <broonie(a)kernel.org> arm64/sve: Discard stale CPU state when handling SVE traps Geliang Tang <geliang(a)kernel.org> mptcp: use sock_kfree_s instead of kfree Stefan Wahren <wahrenst(a)gmx.net> net: vertexcom: mse102x: Fix possible double free of TX skb Jinjie Ruan <ruanjinjie(a)huawei.com> net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc() Kalesh Singh <kaleshsingh(a)google.com> tracing: Fix tracefs mount options Roberto Sassu <roberto.sassu(a)huawei.com> nfs: Fix KMSAN warning in decode_getfattr_attrs() Bart Van Assche <bvanassche(a)acm.org> scsi: ufs: core: Start the RTC update work later Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add quirk for HP 320 FHD Webcam Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: no admin perm to list endpoints Mikulas Patocka <mpatocka(a)redhat.com> dm: fix a crash if blk_alloc_disk fails Zichen Xie <zichenxie0106(a)gmail.com> dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: fix potential out-of-bounds access on the first resume Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: optimize dirty bit checking with find_next_bit when resizing Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: fix out-of-bounds access to the dirty bitset when resizing Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: fix flushing uninitialized delayed_work on cache_ctr error Ming-Hung Tsai <mtsai(a)redhat.com> dm cache: correct the number of origin blocks to match the target length David Gstir <david(a)sigma-star.at> KEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> thermal/drivers/qcom/lmh: Remove false lockdep backtrace Antonio Quartulli <antonio(a)mandelbit.com> drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Fix DPX valid mode check on GC 9.4.3 Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: Adjust debugfs register access permissions Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: Adjust debugfs eviction and IB access permissions Jann Horn <jannh(a)google.com> drm/panthor: Be stricter about IO mapping flags Liviu Dudau <liviu.dudau(a)arm.com> drm/panthor: Lock XArray when getting entries for the VM Aurabindo Pillai <aurabindo.pillai(a)amd.com> drm/amd/display: parse umc_info or vram_info based on ASIC Kenneth Feng <kenneth.feng(a)amd.com> drm/amd/pm: correct the workload setting Brendan King <brendan.king(a)imgtec.com> drm/imagination: Break an object reference loop Brendan King <brendan.king(a)imgtec.com> drm/imagination: Add a per-file PVR context list Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix brightness level not retained over reboot Kenneth Feng <kenneth.feng(a)amd.com> drm/amd/pm: always pick the pptable from IFWI Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> rpmsg: glink: Handle rejected intent request better Jarkko Sakkinen <jarkko(a)kernel.org> tpm: Lock TPM chip in tpm_pm_suspend() first Erik Schumacher <erik.schumacher(a)iris-sensing.com> pwm: imx-tpm: Use correct MODULO value for EPWM mode Balasubramani Vivekanandan <balasubramani.vivekanandan(a)intel.com> drm/xe: Set mask bits for CCS_MODE register Matthew Brost <matthew.brost(a)intel.com> drm/xe: Drop VM dma-resv lock on xe_sync_in_fence_get failure in exec IOCTL Matthew Brost <matthew.brost(a)intel.com> drm/xe: Fix possible exec queue leak in exec IOCTL Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp Jinjie Ruan <ruanjinjie(a)huawei.com> ksmbd: Fix the missing xa_store error check Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: check outstanding simultaneous SMB operations Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create Thomas Mühlbacher <tmuehlbacher(a)posteo.net> can: {cc770,sja1000}_isa: allow building on x86_64 Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes Marc Kleine-Budde <mkl(a)pengutronix.de> can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation Marc Kleine-Budde <mkl(a)pengutronix.de> can: m_can: m_can_close(): don't call free_irq() for IRQ-less devices Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: v4l2-tpg: prevent the risk of a division by zero Hans Verkuil <hverkuil(a)xs4all.nl> media: vivid: fix buffer overwrite when using > 32 buffers Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: pulse8-cec: fix data timestamp at pulse8_setup() Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: av7110: fix a spectre vulnerability Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: cx24116: prevent overflows on SNR calculus Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: s5p-jpeg: prevent buffer overflows Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: ar0521: don't overflow when checking PLL values Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: mgb4: protect driver against spectre Hans Verkuil <hverkuil-cisco(a)xs4all.nl> media: dvb-core: add missing buffer index check Jyri Sarha <jyri.sarha(a)linux.intel.com> ASoC: SOF: sof-client-probes-ipc4: Set param_size extension bits Amelie Delaunay <amelie.delaunay(a)foss.st.com> ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove Icenowy Zheng <uwu(a)icenowy.me> thermal/of: support thermal zones w/o trips subnode Emil Dahl Juhl <emdj(a)bang-olufsen.dk> tools/lib/thermal: Fix sampling handler context ptr Murad Masimov <m.masimov(a)maxima.ru> ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() Johannes Thumshirn <johannes.thumshirn(a)wdc.com> scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: adv7604: prevent underflow condition when reporting colorspace Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvb_frontend: don't play tricks with underflow values Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: dvbdev: prevent the risk of out of memory access Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> media: stb0899_algo: initialize cfr before using it Jarosław Janik <jaroslaw.janik(a)gmail.com> Revert "ALSA: hda/conexant: Mute speakers at suspend / shutdown" Wentao Liang <Wentao_liang_g(a)163.com> drivers: net: ionic: add missed debugfs cleanup to ionic_probe() error path Eric Dumazet <edumazet(a)google.com> net/smc: do not leave a dangling sk pointer in __smc_create() David Howells <dhowells(a)redhat.com> rxrpc: Fix missing locking causing hanging calls Johan Jonker <jbx6244(a)gmail.com> net: arc: rockchip: fix emac mdio node support Johan Jonker <jbx6244(a)gmail.com> net: arc: fix the device for dma_map_single/dma_unmap_single Philo Lu <lulie(a)linux.alibaba.com> virtio_net: Update rss when set queue Philo Lu <lulie(a)linux.alibaba.com> virtio_net: Sync rss config to device when virtnet_probe Philo Lu <lulie(a)linux.alibaba.com> virtio_net: Add hash_key_length check Philo Lu <lulie(a)linux.alibaba.com> virtio_net: Support dynamic rss indirection table size Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: wait for rcu grace period on net_device removal Nícolas F. R. A. Prado <nfraprado(a)collabora.com> net: stmmac: Fix unbalanced IRQ wake disable warning on single irq case Diogo Silva <diogompaissilva(a)gmail.com> net: phy: ti: add PHY_RST_AFTER_CLK_EN flag Peiyang Wang <wangpeiyang1(a)huawei.com> net: hns3: fix kernel crash when uninstalling driver Vitaly Lifshits <vitaly.lifshits(a)intel.com> e1000e: Remove Meteor Lake SMBUS workarounds Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: fix race condition by adding filter's intermediate sync state Mateusz Polchlopek <mateusz.polchlopek(a)intel.com> ice: change q_index variable type to s16 to store -1 value Dario Binacchi <dario.binacchi(a)amarulasolutions.com> can: c_can: fix {rx,tx}_errors statistics Suraj Gupta <suraj.gupta2(a)amd.com> net: xilinx: axienet: Enqueue Tx packets in dql before dmaengine starts Wei Fang <wei.fang(a)nxp.com> net: enetc: allocate vf_state during PF probes Xin Long <lucien.xin(a)gmail.com> sctp: properly validate chunk size in sctp_sf_ootb() Suraj Gupta <suraj.gupta2(a)amd.com> dt-bindings: net: xlnx,axi-ethernet: Correct phy-mode property value Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dpaa_eth: print FD status in CPU endianness in dpaa_eth_fd tracepoint Wei Fang <wei.fang(a)nxp.com> net: enetc: set MAC address to the VF net_device ChiYuan Huang <cy_huang(a)richtek.com> regulator: rtq2208: Fix uninitialized use of regulator_config Chen Ridong <chenridong(a)huawei.com> security/keys: fix slab-out-of-bounds in key_task_permission Mike Snitzer <snitzer(a)kernel.org> nfs: avoid i_lock contention in nfs_clear_invalid_mapping Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Further fixes to attribute delegation a/mtime changes Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix attribute delegation behaviour on exclusive create NeilBrown <neilb(a)suse.de> NFSv3: only use NFS timeout for MOUNT when protocols are compatible NeilBrown <neilb(a)suse.de> sunrpc: handle -ENOTCONN in xs_tcp_setup_socket() Corey Hickey <bugfood-c(a)fatooh.org> platform/x86/amd/pmc: Detect when STB is not available Jiri Kosina <jikos(a)kernel.org> HID: core: zero-initialize the report buffer Diederik de Haas <didi.debian(a)cknow.org> arm64: dts: rockchip: Correct GPIO polarity on brcm BT nodes Heiko Stuebner <heiko(a)sntech.de> ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin Heiko Stuebner <heiko(a)sntech.de> ARM: dts: rockchip: Fix the spi controller on rk3036 Heiko Stuebner <heiko(a)sntech.de> ARM: dts: rockchip: drop grf reference from rk3036 hdmi Heiko Stuebner <heiko(a)sntech.de> ARM: dts: rockchip: fix rk3036 acodec node Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: remove orphaned pinctrl-names from pinephone pro Qingqing Zhou <quic_qqzhou(a)quicinc.com> firmware: qcom: scm: Return -EOPNOTSUPP for unsupported SHM bridge enabling Xinqi Zhang <quic_xinqzhan(a)quicinc.com> firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() Marek Vasut <marex(a)denx.de> arm64: dts: imx8mp-phyboard-pollux: Set Video PLL1 frequency to 506.8 MHz Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp: correct sdhc ipg clk Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8450 fix PIPE clock specification for pcie1 Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: remove num-slots property from rk3328-nanopi-r2s-plus Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: Remove undocumented supports-emmc property Sergey Bostandzhyan <jin(a)mediatomb.cc> arm64: dts: rockchip: Add DTS for FriendlyARM NanoPi R2S Plus Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: Fix bluetooth properties on rk3566 box demo Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: Drop regulator-init-microvolt from two boards Heiko Stuebner <heiko(a)sntech.de> arm64: dts: rockchip: fix i2c2 pinctrl-names property on anbernic-rg353p/v Diederik de Haas <didi.debian(a)cknow.org> arm64: dts: rockchip: Fix reset-gpios property on brcm BT nodes Diederik de Haas <didi.debian(a)cknow.org> arm64: dts: rockchip: Fix wakeup prop names on PineNote BT node Diederik de Haas <didi.debian(a)cknow.org> arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328 Rajendra Nayak <quic_rjendra(a)quicinc.com> EDAC/qcom: Make irq configuration optional Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> firmware: qcom: scm: fix a NULL-pointer dereference Sam Edwards <cfsworks(a)gmail.com> arm64: dts: rockchip: Designate Turing RK1's system power controller Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Start cooling maps numbering from zero on ROCK 5B Dragan Simic <dsimic(a)manjaro.org> arm64: dts: rockchip: Move L3 cache outside CPUs in RK3588(S) SoC dtsi Geert Uytterhoeven <geert+renesas(a)glider.be> arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator Geert Uytterhoeven <geert+renesas(a)glider.be> arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-eaidk-610 ------------- Diffstat: .../devicetree/bindings/net/xlnx,axi-ethernet.yaml | 2 +- Documentation/netlink/specs/mptcp_pm.yaml | 1 - Makefile | 4 +- arch/arm/boot/dts/rockchip/rk3036-kylin.dts | 4 +- arch/arm/boot/dts/rockchip/rk3036.dtsi | 14 +- arch/arm64/Kconfig | 1 + arch/arm64/boot/dts/freescale/imx8-ss-vpu.dtsi | 4 +- .../dts/freescale/imx8mp-phyboard-pollux-rdk.dts | 12 ++ arch/arm64/boot/dts/freescale/imx8mp.dtsi | 6 +- arch/arm64/boot/dts/freescale/imx8qxp-ss-vpu.dtsi | 8 ++ arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +- arch/arm64/boot/dts/rockchip/Makefile | 1 + arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 1 - arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts | 4 +- .../boot/dts/rockchip/rk3328-nanopi-r2s-plus.dts | 30 +++++ arch/arm64/boot/dts/rockchip/rk3328.dtsi | 3 +- arch/arm64/boot/dts/rockchip/rk3368-lion.dtsi | 1 - arch/arm64/boot/dts/rockchip/rk3399-eaidk-610.dts | 2 +- .../boot/dts/rockchip/rk3399-pinephone-pro.dts | 2 - arch/arm64/boot/dts/rockchip/rk3399-rock960.dtsi | 2 +- .../dts/rockchip/rk3399-sapphire-excavator.dts | 2 +- .../boot/dts/rockchip/rk3566-anbernic-rg353p.dts | 2 +- .../boot/dts/rockchip/rk3566-anbernic-rg353v.dts | 2 +- arch/arm64/boot/dts/rockchip/rk3566-box-demo.dts | 6 +- arch/arm64/boot/dts/rockchip/rk3566-lubancat-1.dts | 1 - arch/arm64/boot/dts/rockchip/rk3566-pinenote.dtsi | 6 +- arch/arm64/boot/dts/rockchip/rk3566-radxa-cm3.dtsi | 2 +- arch/arm64/boot/dts/rockchip/rk3568-lubancat-2.dts | 1 - arch/arm64/boot/dts/rockchip/rk3568-roc-pc.dts | 3 - arch/arm64/boot/dts/rockchip/rk3588-base.dtsi | 20 +-- arch/arm64/boot/dts/rockchip/rk3588-rock-5b.dts | 4 +- .../arm64/boot/dts/rockchip/rk3588-toybrick-x0.dts | 1 - .../arm64/boot/dts/rockchip/rk3588-turing-rk1.dtsi | 1 + arch/arm64/kernel/fpsimd.c | 1 + arch/arm64/kernel/smccc-call.S | 35 +---- arch/powerpc/kvm/book3s_hv.c | 12 ++ arch/xtensa/Kconfig | 1 + arch/xtensa/include/asm/cmpxchg.h | 2 + block/blk-map.c | 56 +++----- block/blk-merge.c | 146 ++++++++------------- block/blk-mq.c | 11 +- block/blk.h | 69 ++++++---- drivers/char/tpm/tpm-chip.c | 4 - drivers/char/tpm/tpm-interface.c | 32 +++-- drivers/clk/qcom/clk-alpha-pll.c | 2 +- drivers/clk/qcom/gcc-x1e80100.c | 12 +- drivers/clk/qcom/videocc-sm8350.c | 4 +- drivers/edac/qcom_edac.c | 8 +- drivers/firmware/arm_scmi/bus.c | 7 +- drivers/firmware/qcom/Kconfig | 11 -- drivers/firmware/qcom/qcom_scm.c | 77 +++++++++-- drivers/firmware/smccc/smccc.c | 4 - drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 10 +- drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 15 +++ drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 4 +- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 49 +++++-- drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h | 4 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 5 +- drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 5 +- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 5 +- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 4 +- drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c | 4 +- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 20 ++- .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 74 +---------- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 8 ++ drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h | 2 + drivers/gpu/drm/imagination/pvr_context.c | 33 +++++ drivers/gpu/drm/imagination/pvr_context.h | 21 +++ drivers/gpu/drm/imagination/pvr_device.h | 10 ++ drivers/gpu/drm/imagination/pvr_drv.c | 3 + drivers/gpu/drm/imagination/pvr_vm.c | 22 +++- drivers/gpu/drm/imagination/pvr_vm.h | 1 + drivers/gpu/drm/panthor/panthor_device.c | 4 + drivers/gpu/drm/panthor/panthor_mmu.c | 2 + drivers/gpu/drm/xe/regs/xe_gt_regs.h | 2 +- drivers/gpu/drm/xe/xe_device.h | 14 ++ drivers/gpu/drm/xe/xe_exec.c | 13 +- drivers/gpu/drm/xe/xe_gt_ccs_mode.c | 6 + drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 2 + drivers/gpu/drm/xe/xe_guc_ct.c | 9 ++ drivers/gpu/drm/xe/xe_wait_user_fence.c | 7 + drivers/hid/hid-core.c | 2 +- drivers/i2c/busses/i2c-designware-common.c | 6 +- drivers/i2c/busses/i2c-designware-core.h | 1 + drivers/irqchip/irq-gic-v3.c | 7 + drivers/md/dm-cache-target.c | 59 +++++---- drivers/md/dm-unstripe.c | 4 +- drivers/md/dm.c | 4 +- drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +- drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 + drivers/media/dvb-core/dvb_frontend.c | 4 +- drivers/media/dvb-core/dvb_vb2.c | 8 +- drivers/media/dvb-core/dvbdev.c | 17 ++- drivers/media/dvb-frontends/cx24116.c | 7 +- drivers/media/dvb-frontends/stb0899_algo.c | 2 +- drivers/media/i2c/adv7604.c | 26 ++-- drivers/media/i2c/ar0521.c | 4 +- drivers/media/pci/mgb4/mgb4_cmt.c | 2 + .../media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 ++- drivers/media/test-drivers/vivid/vivid-core.c | 2 +- drivers/media/test-drivers/vivid/vivid-core.h | 4 +- drivers/media/test-drivers/vivid/vivid-ctrls.c | 2 +- drivers/media/test-drivers/vivid/vivid-vid-cap.c | 2 +- drivers/media/usb/uvc/uvc_driver.c | 2 +- drivers/media/v4l2-core/v4l2-ctrls-api.c | 17 ++- drivers/net/can/c_can/c_can_main.c | 7 +- drivers/net/can/cc770/Kconfig | 2 +- drivers/net/can/m_can/m_can.c | 3 +- drivers/net/can/sja1000/Kconfig | 2 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c | 8 +- drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 10 +- drivers/net/ethernet/arc/emac_main.c | 27 ++-- drivers/net/ethernet/arc/emac_mdio.c | 9 +- .../net/ethernet/freescale/dpaa/dpaa_eth_trace.h | 2 +- drivers/net/ethernet/freescale/enetc/enetc_pf.c | 18 +-- drivers/net/ethernet/freescale/enetc/enetc_vf.c | 9 +- drivers/net/ethernet/hisilicon/hns3/hnae3.c | 5 +- drivers/net/ethernet/intel/e1000e/ich8lan.c | 17 +-- drivers/net/ethernet/intel/i40e/i40e.h | 1 + drivers/net/ethernet/intel/i40e/i40e_debugfs.c | 1 + drivers/net/ethernet/intel/i40e/i40e_main.c | 12 +- drivers/net/ethernet/intel/ice/ice_ethtool_fdir.c | 3 +- drivers/net/ethernet/intel/ice/ice_fdir.h | 4 +- drivers/net/ethernet/intel/idpf/idpf.h | 4 +- drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 11 +- drivers/net/ethernet/intel/idpf/idpf_lib.c | 5 +- drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 3 +- .../net/ethernet/pensando/ionic/ionic_bus_pci.c | 1 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 + drivers/net/ethernet/vertexcom/mse102x.c | 5 +- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 4 +- drivers/net/phy/dp83848.c | 2 + drivers/net/virtio_net.c | 119 ++++++++++++++--- drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c | 2 +- drivers/platform/x86/amd/pmc/pmc.c | 5 + drivers/platform/x86/amd/pmf/core.c | 21 ++- drivers/platform/x86/amd/pmf/pmf.h | 55 ++++++++ drivers/platform/x86/amd/pmf/spc.c | 52 +++++--- drivers/pwm/pwm-imx-tpm.c | 4 +- drivers/regulator/rtq2208-regulator.c | 2 +- drivers/rpmsg/qcom_glink_native.c | 10 +- drivers/scsi/sd_zbc.c | 3 +- drivers/soc/qcom/llcc-qcom.c | 3 + drivers/staging/media/av7110/av7110.h | 4 +- drivers/staging/media/av7110/av7110_ca.c | 25 ++-- .../vc04_services/interface/vchiq_arm/vchiq_arm.c | 6 +- drivers/thermal/qcom/lmh.c | 7 + drivers/thermal/thermal_of.c | 21 ++- drivers/thunderbolt/retimer.c | 2 + drivers/thunderbolt/usb4.c | 2 +- drivers/ufs/core/ufshcd.c | 10 +- drivers/usb/dwc3/core.c | 25 ++-- drivers/usb/musb/sunxi.c | 2 - drivers/usb/serial/io_edgeport.c | 8 +- drivers/usb/serial/option.c | 6 + drivers/usb/serial/qcserial.c | 2 + .../usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 8 +- drivers/usb/typec/ucsi/ucsi_ccg.c | 2 + fs/btrfs/bio.c | 30 +++-- fs/btrfs/delayed-ref.c | 2 +- fs/btrfs/inode.c | 2 +- fs/btrfs/super.c | 25 +--- fs/nfs/inode.c | 70 ++++++---- fs/nfs/nfs4proc.c | 4 + fs/nfs/super.c | 10 +- fs/ocfs2/xattr.c | 3 +- fs/proc/vmcore.c | 9 +- fs/smb/server/connection.c | 1 + fs/smb/server/connection.h | 1 + fs/smb/server/mgmt/user_session.c | 15 ++- fs/smb/server/server.c | 20 +-- fs/smb/server/smb_common.c | 10 +- fs/smb/server/smb_common.h | 2 +- fs/tracefs/inode.c | 12 +- include/linux/arm-smccc.h | 32 +---- include/linux/bio.h | 4 +- include/linux/soc/qcom/llcc-qcom.h | 2 + include/linux/user_namespace.h | 3 +- include/net/netfilter/nf_tables.h | 4 + include/trace/events/rxrpc.h | 1 + kernel/signal.c | 3 +- kernel/ucount.c | 9 +- lib/objpool.c | 18 ++- mm/damon/core.c | 42 ++++-- mm/filemap.c | 2 +- mm/huge_memory.c | 35 +++-- mm/internal.h | 10 +- mm/memcontrol-v1.c | 25 ++++ mm/memcontrol.c | 8 +- mm/migrate.c | 4 +- mm/mlock.c | 9 +- mm/page_alloc.c | 1 - mm/slab_common.c | 31 +++-- mm/swap.c | 4 +- mm/vmscan.c | 4 +- net/mptcp/mptcp_pm_gen.c | 1 - net/mptcp/pm_userspace.c | 3 +- net/netfilter/nf_tables_api.c | 41 +++++- net/rxrpc/conn_client.c | 4 + net/sctp/sm_statefuns.c | 2 +- net/smc/af_smc.c | 4 +- net/sunrpc/xprtsock.c | 1 + net/vmw_vsock/hyperv_transport.c | 1 + net/vmw_vsock/virtio_transport_common.c | 1 + security/keys/keyring.c | 7 +- security/keys/trusted-keys/trusted_dcp.c | 9 +- sound/firewire/tascam/amdtp-tascam.c | 2 +- sound/pci/hda/patch_conexant.c | 2 - sound/soc/amd/yc/acp6x-mach.c | 7 + sound/soc/sof/sof-client-probes-ipc4.c | 1 + sound/soc/stm/stm32_spdifrx.c | 2 +- sound/usb/mixer.c | 1 + sound/usb/quirks.c | 2 + tools/lib/thermal/sampling.c | 2 + tools/testing/selftests/mm/hugetlb_dio.c | 19 ++- 218 files changed, 1518 insertions(+), 865 deletions(-)

9 months, 4 weeks

13
197
0 0

[PATCH 5.15.y] mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

by Matthieu Baerts (NGI0)

From: Paolo Abeni <pabeni(a)redhat.com> commit ce7356ae35943cc6494cc692e62d51a734062b7d upstream. Additional active subflows - i.e. created by the in kernel path manager - are included into the subflow list before starting the 3whs. A racing recvmsg() spooling data received on an already established subflow would unconditionally call tcp_cleanup_rbuf() on all the current subflows, potentially hitting a divide by zero error on the newly created ones. Explicitly check that the subflow is in a suitable state before invoking tcp_cleanup_rbuf(). Fixes: c76c6956566f ("mptcp: call tcp_cleanup_rbuf on subflows") Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Reviewed-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/02374660836e1b52afc91966b7535c8c5f7bafb0.173106087… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> [ Conflicts in protocol.c, because commit f410cbea9f3d ("tcp: annotate data-races around tp->window_clamp") has not been backported to this version. The conflict is easy to resolve, because only the context is different, but not the line to modify. ] Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> --- net/mptcp/protocol.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 34c98596350e..bcbb1f92ce24 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -1986,7 +1986,8 @@ static void mptcp_rcv_space_adjust(struct mptcp_sock *msk, int copied) slow = lock_sock_fast(ssk); WRITE_ONCE(ssk->sk_rcvbuf, rcvbuf); tcp_sk(ssk)->window_clamp = window_clamp; - tcp_cleanup_rbuf(ssk, 1); + if (tcp_can_send_ack(ssk)) + tcp_cleanup_rbuf(ssk, 1); unlock_sock_fast(ssk, slow); } } -- 2.45.2

10 months

1
0
0 0

[PATCH 6.1] ipvs: properly dereference pe in ip_vs_add_service

by Bin Lan

From: Chen Hanxiao <chenhx.fnst(a)fujitsu.com> [ Upstream commit cbd070a4ae62f119058973f6d2c984e325bce6e7 ] Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression Fixes: 39b972231536 ("ipvs: handle connections started by real-servers") Signed-off-by: Chen Hanxiao <chenhx.fnst(a)fujitsu.com> Acked-by: Julian Anastasov <ja(a)ssi.bg> Acked-by: Simon Horman <horms(a)kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> [ Resolve minor conflicts to fix CVE-2024-42322 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- net/netfilter/ipvs/ip_vs_ctl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 17a1b731a76b..18e37b32a5d6 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -1382,18 +1382,18 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, sched = NULL; } - /* Bind the ct retriever */ - RCU_INIT_POINTER(svc->pe, pe); - pe = NULL; - /* Update the virtual service counters */ if (svc->port == FTPPORT) atomic_inc(&ipvs->ftpsvc_counter); else if (svc->port == 0) atomic_inc(&ipvs->nullsvc_counter); - if (svc->pe && svc->pe->conn_out) + if (pe && pe->conn_out) atomic_inc(&ipvs->conn_out_counter); + /* Bind the ct retriever */ + RCU_INIT_POINTER(svc->pe, pe); + pe = NULL; + ip_vs_start_estimator(ipvs, &svc->stats); /* Count only IPv4 services for old get/setsockopt interface */ -- 2.43.0

10 months

1
0
0 0

[PATCH v4 1/3] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()

by Biju Das

The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() used the same. Fix this use-after-free issue with the below changes: 1. Drop host_node from struct adv7511 and instead use a local pointer in adv7511_probe(). 2. Update adv7533_parse_dt() to return the host_node. 3. Pass the host_node as a parameter to adv7533_attach_dsi(). 4. Call of_node_put() after use. Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v4: - Updated commit description. - Dropped host_node from struct adv7511 and instead used a local pointer in probe(). Also freeing of host_node pointer after use is done in probe(). Changes in v3: - Replace __free construct with readable of_node_put(). Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7511.h | 6 +++--- drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 22 ++++++++++++++------ drivers/gpu/drm/bridge/adv7511/adv7533.c | 20 +++++++++--------- 3 files changed, 29 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511.h b/drivers/gpu/drm/bridge/adv7511/adv7511.h index ec0b7f3d889c..9f3fae7cc597 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511.h +++ b/drivers/gpu/drm/bridge/adv7511/adv7511.h @@ -383,7 +383,6 @@ struct adv7511 { struct regulator_bulk_data *supplies; /* ADV7533 DSI RX related params */ - struct device_node *host_node; struct mipi_dsi_device *dsi; u8 num_dsi_lanes; bool use_timing_gen; @@ -417,8 +416,9 @@ enum drm_mode_status adv7533_mode_valid(struct adv7511 *adv, const struct drm_display_mode *mode); int adv7533_patch_registers(struct adv7511 *adv); int adv7533_patch_cec_registers(struct adv7511 *adv); -int adv7533_attach_dsi(struct adv7511 *adv); -int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv); +int adv7533_attach_dsi(struct adv7511 *adv, struct device_node *host_node); +struct device_node *adv7533_parse_dt(struct device_node *np, + struct adv7511 *adv); #ifdef CONFIG_DRM_I2C_ADV7511_AUDIO int adv7511_audio_init(struct device *dev, struct adv7511 *adv7511); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..3f1f309791a5 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1209,6 +1209,7 @@ static int adv7511_parse_dt(struct device_node *np, static int adv7511_probe(struct i2c_client *i2c) { struct adv7511_link_config link_config; + struct device_node *host_node = NULL; struct adv7511 *adv7511; struct device *dev = &i2c->dev; unsigned int val; @@ -1233,12 +1234,17 @@ static int adv7511_probe(struct i2c_client *i2c) if (ret && ret != -ENODEV) return ret; - if (adv7511->info->link_config) + if (adv7511->info->link_config) { ret = adv7511_parse_dt(dev->of_node, &link_config); - else - ret = adv7533_parse_dt(dev->of_node, adv7511); - if (ret) - return ret; + if (ret) + return ret; + } + + if (adv7511->info->has_dsi) { + host_node = adv7533_parse_dt(dev->of_node, adv7511); + if (IS_ERR(host_node)) + return PTR_ERR(host_node); + } ret = adv7511_init_regulators(adv7511); if (ret) @@ -1343,9 +1349,11 @@ static int adv7511_probe(struct i2c_client *i2c) } if (adv7511->info->has_dsi) { - ret = adv7533_attach_dsi(adv7511); + ret = adv7533_attach_dsi(adv7511, host_node); if (ret) goto err_unregister_audio; + + of_node_put(host_node); } return 0; @@ -1362,6 +1370,8 @@ static int adv7511_probe(struct i2c_client *i2c) err_i2c_unregister_edid: i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: + if (host_node) + of_node_put(host_node); adv7511_uninit_regulators(adv7511); return ret; diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5d0e55ef4028 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -131,7 +131,7 @@ int adv7533_patch_cec_registers(struct adv7511 *adv) ARRAY_SIZE(adv7533_cec_fixed_registers)); } -int adv7533_attach_dsi(struct adv7511 *adv) +int adv7533_attach_dsi(struct adv7511 *adv, struct device_node *host_node) { struct device *dev = &adv->i2c_main->dev; struct mipi_dsi_host *host; @@ -142,7 +142,7 @@ int adv7533_attach_dsi(struct adv7511 *adv) .node = NULL, }; - host = of_find_mipi_dsi_host_by_node(adv->host_node); + host = of_find_mipi_dsi_host_by_node(host_node); if (!host) return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); @@ -166,22 +166,22 @@ int adv7533_attach_dsi(struct adv7511 *adv) return 0; } -int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) +struct device_node *adv7533_parse_dt(struct device_node *np, + struct adv7511 *adv) { + struct device_node *host_node; u32 num_lanes; of_property_read_u32(np, "adi,dsi-lanes", &num_lanes); if (num_lanes < 1 || num_lanes > 4) - return -EINVAL; + return ERR_PTR(-EINVAL); adv->num_dsi_lanes = num_lanes; - adv->host_node = of_graph_get_remote_node(np, 0, 0); - if (!adv->host_node) - return -ENODEV; - - of_node_put(adv->host_node); + host_node = of_graph_get_remote_node(np, 0, 0); + if (!host_node) + return ERR_PTR(-ENODEV); adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator"); @@ -190,5 +190,5 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) adv->rgb = true; adv->embedded_sync = false; - return 0; + return host_node; } -- 2.43.0

10 months

2
2
0 0

[Patch v] drivers/card_reader/rtsx_usb: Restore interrupt based detection

by Sean Rhodes

This commit reintroduces interrupt-based card detection previously used in the rts5139 driver. This functionality was removed in commit 00d8521dcd23 ("staging: remove rts5139 driver code"). Reintroducing this mechanism fixes presence detection for certain card readers, which with the current driver, will taken approximately 20 seconds to enter S3 as `mmc_rescan` has to be frozen. Fixes: 00d8521dcd23 ("staging: remove rts5139 driver code") Cc: stable(a)vger.kernel.org Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sean Rhodes <sean(a)starlabs.systems> --- drivers/misc/cardreader/rtsx_usb.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/misc/cardreader/rtsx_usb.c b/drivers/misc/cardreader/rtsx_usb.c index f150d8769f19..285a748748d7 100644 --- a/drivers/misc/cardreader/rtsx_usb.c +++ b/drivers/misc/cardreader/rtsx_usb.c @@ -286,6 +286,7 @@ static int rtsx_usb_get_status_with_bulk(struct rtsx_ucr *ucr, u16 *status) int rtsx_usb_get_card_status(struct rtsx_ucr *ucr, u16 *status) { int ret; + u8 interrupt_val = 0; u16 *buf; if (!status) @@ -308,6 +309,20 @@ int rtsx_usb_get_card_status(struct rtsx_ucr *ucr, u16 *status) ret = rtsx_usb_get_status_with_bulk(ucr, status); } + rtsx_usb_read_register(ucr, CARD_INT_PEND, &interrupt_val); + /* Cross check presence with interrupts */ + if (*status & XD_CD) + if (!(interrupt_val & XD_INT)) + *status &= ~XD_CD; + + if (*status & SD_CD) + if (!(interrupt_val & SD_INT)) + *status &= ~SD_CD; + + if (*status & MS_CD) + if (!(interrupt_val & MS_INT)) + *status &= ~MS_CD; + /* usb_control_msg may return positive when success */ if (ret < 0) return ret; -- 2.45.2

10 months

1
0
0 0

[PATCH 6.1.y 0/2] Backport to fix CVE-2024-36478

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> Backport to fix CVE-2024-36478 https://lore.kernel.org/linux-cve-announce/2024062136-CVE-2024-36478-d249@g… The CVE fix is "null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'" This required 1 extra commit to make sure the picks are clean: null_blk: Remove usage of the deprecated ida_simple_xx() API Christophe JAILLET (1): null_blk: Remove usage of the deprecated ida_simple_xx() API Yu Kuai (1): null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' drivers/block/null_blk/main.c | 44 ++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 16 deletions(-) -- 2.43.0

10 months

2
4
0 0

[PATCH 6.6] leds: mlxreg: Use devm_mutex_init() for mutex initialization

by Bin Lan

From: George Stark <gnstark(a)salutedevices.com> [ Upstream commit efc347b9efee1c2b081f5281d33be4559fa50a16 ] In this driver LEDs are registered using devm_led_classdev_register() so they are automatically unregistered after module's remove() is done. led_classdev_unregister() calls module's led_set_brightness() to turn off the LEDs and that callback uses mutex which was destroyed already in module's remove() so use devm API instead. Signed-off-by: George Stark <gnstark(a)salutedevices.com> Reviewed-by: Andy Shevchenko <andy.shevchenko(a)gmail.com> Link: https://lore.kernel.org/r/20240411161032.609544-8-gnstark@salutedevices.com Signed-off-by: Lee Jones <lee(a)kernel.org> [ Resolve minor conflicts to fix CVE-2024-42129 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/leds/leds-mlxreg.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/drivers/leds/leds-mlxreg.c b/drivers/leds/leds-mlxreg.c index 39210653acf7..b1510cd32e47 100644 --- a/drivers/leds/leds-mlxreg.c +++ b/drivers/leds/leds-mlxreg.c @@ -257,6 +257,7 @@ static int mlxreg_led_probe(struct platform_device *pdev) { struct mlxreg_core_platform_data *led_pdata; struct mlxreg_led_priv_data *priv; + int err; led_pdata = dev_get_platdata(&pdev->dev); if (!led_pdata) { @@ -268,28 +269,21 @@ static int mlxreg_led_probe(struct platform_device *pdev) if (!priv) return -ENOMEM; - mutex_init(&priv->access_lock); + err = devm_mutex_init(&pdev->dev, &priv->access_lock); + if (err) + return err; + priv->pdev = pdev; priv->pdata = led_pdata; return mlxreg_led_config(priv); } -static int mlxreg_led_remove(struct platform_device *pdev) -{ - struct mlxreg_led_priv_data *priv = dev_get_drvdata(&pdev->dev); - - mutex_destroy(&priv->access_lock); - - return 0; -} - static struct platform_driver mlxreg_led_driver = { .driver = { .name = "leds-mlxreg", }, .probe = mlxreg_led_probe, - .remove = mlxreg_led_remove, }; module_platform_driver(mlxreg_led_driver); -- 2.43.0

10 months

1
0
0 0

[PATCH 6.1.y] net/sched: taprio: extend minimum interval restriction to entire cycle too

by Xiangyu Chen

From: Vladimir Oltean <vladimir.oltean(a)nxp.com> [ Upstream commit fb66df20a7201e60f2b13d7f95d031b31a8831d3 ] It is possible for syzbot to side-step the restriction imposed by the blamed commit in the Fixes: tag, because the taprio UAPI permits a cycle-time different from (and potentially shorter than) the sum of entry intervals. We need one more restriction, which is that the cycle time itself must be larger than N * ETH_ZLEN bit times, where N is the number of schedule entries. This restriction needs to apply regardless of whether the cycle time came from the user or was the implicit, auto-calculated value, so we move the existing "cycle == 0" check outside the "if "(!new->cycle_time)" branch. This way covers both conditions and scenarios. Add a selftest which illustrates the issue triggered by syzbot. Fixes: b5b73b26b3ca ("taprio: Fix allowing too small intervals") Reported-by: syzbot+a7d2b1d5d1af83035567(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/0000000000007d66bc06196e7c66@google.com/ Signed-off-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Link: https://lore.kernel.org/r/20240527153955.553333-2-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- net/sched/sch_taprio.c | 10 ++++----- .../tc-testing/tc-tests/qdiscs/taprio.json | 22 +++++++++++++++++++ 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index 1d5cdc987abd..62219f23f76a 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -915,11 +915,6 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, list_for_each_entry(entry, &new->entries, list) cycle = ktime_add_ns(cycle, entry->interval); - if (!cycle) { - NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0"); - return -EINVAL; - } - if (cycle < 0 || cycle > INT_MAX) { NL_SET_ERR_MSG(extack, "'cycle_time' is too big"); return -EINVAL; @@ -928,6 +923,11 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, new->cycle_time = cycle; } + if (new->cycle_time < new->num_entries * length_to_duration(q, ETH_ZLEN)) { + NL_SET_ERR_MSG(extack, "'cycle_time' is too small"); + return -EINVAL; + } + return 0; } diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json index 08d4861c2e78..d04fed83332c 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json +++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json @@ -132,6 +132,28 @@ "echo \"1\" > /sys/bus/netdevsim/del_device" ] }, + { + "id": "831f", + "name": "Add taprio Qdisc with too short cycle-time", + "category": [ + "qdisc", + "taprio" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "echo \"1 1 8\" > /sys/bus/netdevsim/new_device" + ], + "cmdUnderTest": "$TC qdisc add dev $ETH root handle 1: taprio num_tc 2 queues 1@0 1@1 sched-entry S 01 200000 sched-entry S 02 200000 cycle-time 100 clockid CLOCK_TAI", + "expExitCode": "2", + "verifyCmd": "$TC qdisc show dev $ETH", + "matchPattern": "qdisc taprio 1: root refcnt", + "matchCount": "0", + "teardown": [ + "echo \"1\" > /sys/bus/netdevsim/del_device" + ] + }, { "id": "3e1e", "name": "Add taprio Qdisc with an invalid cycle-time", -- 2.43.0

10 months

1
0
0 0

[PATCH 6.1.y] net: fec: remove .ndo_poll_controller to avoid deadlocks

by Xiangyu Chen

From: Wei Fang <wei.fang(a)nxp.com> [ Upstream commit c2e0c58b25a0a0c37ec643255558c5af4450c9f5 ] There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid deadlocks"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed. Fixes: 7f5c6addcdc0 ("net/fec: add poll controller function for fec nic") Signed-off-by: Wei Fang <wei.fang(a)nxp.com> Link: https://lore.kernel.org/r/20240511062009.652918-1-wei.fang@nxp.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/net/ethernet/freescale/fec_main.c | 26 ----------------------- 1 file changed, 26 deletions(-) diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c index 0a5c3d27ed3b..aeab6c28892f 100644 --- a/drivers/net/ethernet/freescale/fec_main.c +++ b/drivers/net/ethernet/freescale/fec_main.c @@ -3508,29 +3508,6 @@ fec_set_mac_address(struct net_device *ndev, void *p) return 0; } -#ifdef CONFIG_NET_POLL_CONTROLLER -/** - * fec_poll_controller - FEC Poll controller function - * @dev: The FEC network adapter - * - * Polled functionality used by netconsole and others in non interrupt mode - * - */ -static void fec_poll_controller(struct net_device *dev) -{ - int i; - struct fec_enet_private *fep = netdev_priv(dev); - - for (i = 0; i < FEC_IRQ_NUM; i++) { - if (fep->irq[i] > 0) { - disable_irq(fep->irq[i]); - fec_enet_interrupt(fep->irq[i], dev); - enable_irq(fep->irq[i]); - } - } -} -#endif - static inline void fec_enet_set_netdev_features(struct net_device *netdev, netdev_features_t features) { @@ -3604,9 +3581,6 @@ static const struct net_device_ops fec_netdev_ops = { .ndo_tx_timeout = fec_timeout, .ndo_set_mac_address = fec_set_mac_address, .ndo_eth_ioctl = fec_enet_ioctl, -#ifdef CONFIG_NET_POLL_CONTROLLER - .ndo_poll_controller = fec_poll_controller, -#endif .ndo_set_features = fec_set_features, }; -- 2.43.0

10 months

1
0
0 0

[PATCHSET] xfs: bug fixes for 6.13

by Darrick J. Wong

Hi all, Bug fixes for 6.13. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. With a bit of luck, this should all go splendidly. Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=xf… --- Commits in this patchset: * xfs: fix off-by-one error in fsmap's end_daddr usage * xfs: metapath scrubber should use the already loaded inodes * xfs: keep quota directory inode loaded * xfs: return a 64-bit block count from xfs_btree_count_blocks * xfs: don't drop errno values when we fail to ficlone the entire range * xfs: separate healthy clearing mask during repair * xfs: set XFS_SICK_INO_SYMLINK_ZAPPED explicitly when zapping a symlink * xfs: mark metadir repair tempfiles with IRECOVERY * xfs: fix null bno_hint handling in xfs_rtallocate_rtg * xfs: fix error bailout in xfs_rtginode_create --- fs/xfs/libxfs/xfs_btree.c | 4 +- fs/xfs/libxfs/xfs_btree.h | 2 + fs/xfs/libxfs/xfs_ialloc_btree.c | 4 ++ fs/xfs/libxfs/xfs_rtgroup.c | 2 + fs/xfs/scrub/agheader.c | 6 ++- fs/xfs/scrub/agheader_repair.c | 6 ++- fs/xfs/scrub/fscounters.c | 2 + fs/xfs/scrub/health.c | 57 ++++++++++++++++++-------------- fs/xfs/scrub/ialloc.c | 4 +- fs/xfs/scrub/metapath.c | 68 +++++++++++++++----------------------- fs/xfs/scrub/refcount.c | 2 + fs/xfs/scrub/scrub.h | 6 +++ fs/xfs/scrub/symlink_repair.c | 3 +- fs/xfs/scrub/tempfile.c | 10 ++++-- fs/xfs/xfs_bmap_util.c | 2 + fs/xfs/xfs_file.c | 8 ++++ fs/xfs/xfs_fsmap.c | 38 ++++++++++++--------- fs/xfs/xfs_inode.h | 2 + fs/xfs/xfs_qm.c | 47 ++++++++++++++------------ fs/xfs/xfs_qm.h | 1 + fs/xfs/xfs_rtalloc.c | 2 + 21 files changed, 151 insertions(+), 125 deletions(-)

10 months

2
11
0 0

[PATCH 0/2] Backport fix of CVE-2024-36923 to 6.1 and 6.6

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> Following series is a backport of CVE-2024-36923 One for kernel 6.1 with [PATCH 6.1.y] header One for kernel 6.6 with [PATCH 6.6.y] header Eric Van Hensbergen (1): fs/9p: fix uninitialized values during inode evict fs/9p/vfs_inode.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) -- 2.43.0

10 months

1
2
0 0

[PATCH 5.10 0/5] Address CVE-2024-49974

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Backport the set of upstream patches that cap the number of concurrent background NFSv4.2 COPY operations. Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +++++++++++++++++------------------- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + 4 files changed, 20 insertions(+), 19 deletions(-) -- 2.47.0

10 months

1
5
0 0

[PATCH] mm: Respect mmap hint address when aligning for THP

by Kalesh Singh

Commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") updated __get_unmapped_area() to align the start address for the VMA to a PMD boundary if CONFIG_TRANSPARENT_HUGEPAGE=y. It does this by effectively looking up a region that is of size, request_size + PMD_SIZE, and aligning up the start to a PMD boundary. Commit 4ef9ad19e176 ("mm: huge_memory: don't force huge page alignment on 32 bit") opted out of this for 32bit due to regressions in mmap base randomization. Commit d4148aeab412 ("mm, mmap: limit THP alignment of anonymous mappings to PMD-aligned sizes") restricted this to only mmap sizes that are multiples of the PMD_SIZE due to reported regressions in some performance benchmarks -- which seemed mostly due to the reduced spatial locality of related mappings due to the forced PMD-alignment. Another unintended side effect has emerged: When a user specifies an mmap hint address, the THP alignment logic modifies the behavior, potentially ignoring the hint even if a sufficiently large gap exists at the requested hint location. Example Scenario: Consider the following simplified virtual address (VA) space: ... 0x200000-0x400000 --- VMA A 0x400000-0x600000 --- Hole 0x600000-0x800000 --- VMA B ... A call to mmap() with hint=0x400000 and len=0x200000 behaves differently: - Before THP alignment: The requested region (size 0x200000) fits into the gap at 0x400000, so the hint is respected. - After alignment: The logic searches for a region of size 0x400000 (len + PMD_SIZE) starting at 0x400000. This search fails due to the mapping at 0x600000 (VMA B), and the hint is ignored, falling back to arch_get_unmapped_area[_topdown](). In general the hint is effectively ignored, if there is any existing mapping in the below range: [mmap_hint + mmap_size, mmap_hint + mmap_size + PMD_SIZE) This changes the semantics of mmap hint; from ""Respect the hint if a sufficiently large gap exists at the requested location" to "Respect the hint only if an additional PMD-sized gap exists beyond the requested size". This has performance implications for allocators that allocate their heap using mmap but try to keep it "as contiguous as possible" by using the end of the exisiting heap as the address hint. With the new behavior it's more likely to get a much less contiguous heap, adding extra fragmentation and performance overhead. To restore the expected behavior; don't use thp_get_unmapped_area_vmflags() when the user provided a hint address. Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Yang Shi <yang(a)os.amperecomputing.com> Cc: Rik van Riel <riel(a)surriel.com> Cc: Ryan Roberts <ryan.roberts(a)arm.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Minchan Kim <minchan(a)kernel.org> Cc: Hans Boehm <hboehm(a)google.com> Cc: Lokesh Gidra <lokeshgidra(a)google.com> Cc: <stable(a)vger.kernel.org> Fixes: efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") Signed-off-by: Kalesh Singh <kaleshsingh(a)google.com> --- mm/mmap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/mmap.c b/mm/mmap.c index 79d541f1502b..2f01f1a8e304 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -901,6 +901,7 @@ __get_unmapped_area(struct file *file, unsigned long addr, unsigned long len, if (get_area) { addr = get_area(file, addr, len, pgoff, flags); } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE) + && !addr /* no hint */ && IS_ALIGNED(len, PMD_SIZE)) { /* Ensures that larger anonymous mappings are THP aligned. */ addr = thp_get_unmapped_area_vmflags(file, addr, len, base-commit: 2d5404caa8c7bb5c4e0435f94b28834ae5456623 -- 2.47.0.338.g60cca15819-goog

10 months

4
8
0 0

[PATCH 5.15 0/5] Address CVE-2024-49974

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Backport the set of upstream patches that cap the number of concurrent background NFSv4.2 COPY operations. Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +++++++++++++++++------------------- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + 4 files changed, 20 insertions(+), 19 deletions(-) -- 2.47.0

10 months

1
5
0 0

[PATCH 5.15 0/5] Address CVE-2024-49974

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Backport the set of upstream patches that cap the number of concurrent background NFSv4.2 COPY operations. Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +++++++++++++++++------------------- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + 4 files changed, 20 insertions(+), 19 deletions(-) -- 2.47.0

10 months

2
19
0 0

[PATCH 6.6 0/5] Address CVE-2024-49974

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Backport the set of upstream patches that cap the number of concurrent background NFSv4.2 COPY operations. Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +++++++++++++++++------------------- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + 4 files changed, 20 insertions(+), 19 deletions(-) -- 2.47.0

10 months

1
5
0 0

[RFC PATCH 1/2] libfs: Return ENOSPC when the directory offset range is exhausted

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Testing shows that the EBUSY error return from mtree_alloc_cyclic() leaks into user space. The ERRORS section of "man creat(2)" says: > EBUSY O_EXCL was specified in flags and pathname refers > to a block device that is in use by the system > (e.g., it is mounted). ENOSPC is closer to what applications expect in this situation. Note that the normal range of simple directory offset values is 2..2^63, so hitting this error is going to be rare to impossible. Fixes: 6faddda69f62 ("libfs: Add directory operations for stable offsets") Cc: <stable(a)vger.kernel.org> # v6.9+ Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/libfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/libfs.c b/fs/libfs.c index 46966fd8bcf9..bf67954b525b 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -288,7 +288,9 @@ int simple_offset_add(struct offset_ctx *octx, struct dentry *dentry) ret = mtree_alloc_cyclic(&octx->mt, &offset, dentry, DIR_OFFSET_MIN, LONG_MAX, &octx->next_offset, GFP_KERNEL); - if (ret < 0) + if (unlikely(ret == -EBUSY)) + return -ENOSPC; + if (unlikely(ret < 0)) return ret; offset_set(dentry, offset); -- 2.47.0

10 months

2
1
0 0

[PATCH v2] usb: dwc3: xilinx: make sure pipe clock is deselected in usb2 only mode

by Radhey Shyam Pandey

From: Neal Frager <neal.frager(a)amd.com> When the USB3 PHY is not defined in the Linux device tree, there could still be a case where there is a USB3 PHY is active on the board and enabled by the first stage bootloader. If serdes clock is being used then the USB will fail to enumerate devices in 2.0 only mode. To solve this, make sure that the PIPE clock is deselected whenever the USB3 PHY is not defined and guarantees that the USB2 only mode will work in all cases. Fixes: 9678f3361afc ("usb: dwc3: xilinx: Skip resets and USB3 register settings for USB2.0 mode") Cc: stable(a)vger.kernel.org Signed-off-by: Neal Frager <neal.frager(a)amd.com> Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey(a)amd.com> --- Changes for v2: - Add stable(a)vger.kernel.org in CC. --- drivers/usb/dwc3/dwc3-xilinx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/usb/dwc3/dwc3-xilinx.c b/drivers/usb/dwc3/dwc3-xilinx.c index e3738e1610db..a33a42ba0249 100644 --- a/drivers/usb/dwc3/dwc3-xilinx.c +++ b/drivers/usb/dwc3/dwc3-xilinx.c @@ -121,8 +121,11 @@ static int dwc3_xlnx_init_zynqmp(struct dwc3_xlnx *priv_data) * in use but the usb3-phy entry is missing from the device tree. * Therefore, skip these operations in this case. */ - if (!priv_data->usb3_phy) + if (!priv_data->usb3_phy) { + /* Deselect the PIPE Clock Select bit in FPD PIPE Clock register */ + writel(PIPE_CLK_DESELECT, priv_data->regs + XLNX_USB_FPD_PIPE_CLK); goto skip_usb3_phy; + } crst = devm_reset_control_get_exclusive(dev, "usb_crst"); if (IS_ERR(crst)) { base-commit: 744cf71b8bdfcdd77aaf58395e068b7457634b2c -- 2.34.1

10 months

2
1
0 0

FAILED: patch "[PATCH] drm/xe: improve hibernation on igpu" failed to apply to 6.11-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.11-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.11.y git checkout FETCH_HEAD git cherry-pick -x 46f1f4b0f3c2a2dff9887de7c66ccc7ef482bd83 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024111758-jumbo-neon-1b3c@gregkh' --subject-prefix 'PATCH 6.11.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 46f1f4b0f3c2a2dff9887de7c66ccc7ef482bd83 Mon Sep 17 00:00:00 2001 From: Matthew Auld <matthew.auld(a)intel.com> Date: Fri, 1 Nov 2024 17:01:57 +0000 Subject: [PATCH] drm/xe: improve hibernation on igpu The GGTT looks to be stored inside stolen memory on igpu which is not treated as normal RAM. The core kernel skips this memory range when creating the hibernation image, therefore when coming back from hibernation the GGTT programming is lost. This seems to cause issues with broken resume where GuC FW fails to load: [drm] *ERROR* GT0: load failed: status = 0x400000A0, time = 10ms, freq = 1250MHz (req 1300MHz), done = -1 [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01 [drm] *ERROR* GT0: firmware signature verification failed [drm] *ERROR* CRITICAL: Xe has declared device 0000:00:02.0 as wedged. Current GGTT users are kernel internal and tracked as pinned, so it should be possible to hook into the existing save/restore logic that we use for dgpu, where the actual evict is skipped but on restore we importantly restore the GGTT programming. This has been confirmed to fix hibernation on at least ADL and MTL, though likely all igpu platforms are affected. This also means we have a hole in our testing, where the existing s4 tests only really test the driver hooks, and don't go as far as actually rebooting and restoring from the hibernation image and in turn powering down RAM (and therefore losing the contents of stolen). v2 (Brost) - Remove extra newline and drop unnecessary parentheses. Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/3275 Signed-off-by: Matthew Auld <matthew.auld(a)intel.com> Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.8+ Reviewed-by: Matthew Brost <matthew.brost(a)intel.com> Reviewed-by: Lucas De Marchi <lucas.demarchi(a)intel.com> Signed-off-by: Matthew Brost <matthew.brost(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20241101170156.213490-2-matth… (cherry picked from commit f2a6b8e396666d97ada8e8759dfb6a69d8df6380) Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c index 74f68289f74c..2a093540354e 100644 --- a/drivers/gpu/drm/xe/xe_bo.c +++ b/drivers/gpu/drm/xe/xe_bo.c @@ -948,7 +948,10 @@ int xe_bo_restore_pinned(struct xe_bo *bo) if (WARN_ON(!xe_bo_is_pinned(bo))) return -EINVAL; - if (WARN_ON(xe_bo_is_vram(bo) || !bo->ttm.ttm)) + if (WARN_ON(xe_bo_is_vram(bo))) + return -EINVAL; + + if (WARN_ON(!bo->ttm.ttm && !xe_bo_is_stolen(bo))) return -EINVAL; if (!mem_type_is_vram(place->mem_type)) @@ -1723,6 +1726,7 @@ int xe_bo_pin_external(struct xe_bo *bo) int xe_bo_pin(struct xe_bo *bo) { + struct ttm_place *place = &bo->placements[0]; struct xe_device *xe = xe_bo_device(bo); int err; @@ -1753,8 +1757,6 @@ int xe_bo_pin(struct xe_bo *bo) */ if (IS_DGFX(xe) && !(IS_ENABLED(CONFIG_DRM_XE_DEBUG) && bo->flags & XE_BO_FLAG_INTERNAL_TEST)) { - struct ttm_place *place = &(bo->placements[0]); - if (mem_type_is_vram(place->mem_type)) { xe_assert(xe, place->flags & TTM_PL_FLAG_CONTIGUOUS); @@ -1762,13 +1764,12 @@ int xe_bo_pin(struct xe_bo *bo) vram_region_gpu_offset(bo->ttm.resource)) >> PAGE_SHIFT; place->lpfn = place->fpfn + (bo->size >> PAGE_SHIFT); } + } - if (mem_type_is_vram(place->mem_type) || - bo->flags & XE_BO_FLAG_GGTT) { - spin_lock(&xe->pinned.lock); - list_add_tail(&bo->pinned_link, &xe->pinned.kernel_bo_present); - spin_unlock(&xe->pinned.lock); - } + if (mem_type_is_vram(place->mem_type) || bo->flags & XE_BO_FLAG_GGTT) { + spin_lock(&xe->pinned.lock); + list_add_tail(&bo->pinned_link, &xe->pinned.kernel_bo_present); + spin_unlock(&xe->pinned.lock); } ttm_bo_pin(&bo->ttm); @@ -1816,24 +1817,18 @@ void xe_bo_unpin_external(struct xe_bo *bo) void xe_bo_unpin(struct xe_bo *bo) { + struct ttm_place *place = &bo->placements[0]; struct xe_device *xe = xe_bo_device(bo); xe_assert(xe, !bo->ttm.base.import_attach); xe_assert(xe, xe_bo_is_pinned(bo)); - if (IS_DGFX(xe) && !(IS_ENABLED(CONFIG_DRM_XE_DEBUG) && - bo->flags & XE_BO_FLAG_INTERNAL_TEST)) { - struct ttm_place *place = &(bo->placements[0]); - - if (mem_type_is_vram(place->mem_type) || - bo->flags & XE_BO_FLAG_GGTT) { - spin_lock(&xe->pinned.lock); - xe_assert(xe, !list_empty(&bo->pinned_link)); - list_del_init(&bo->pinned_link); - spin_unlock(&xe->pinned.lock); - } + if (mem_type_is_vram(place->mem_type) || bo->flags & XE_BO_FLAG_GGTT) { + spin_lock(&xe->pinned.lock); + xe_assert(xe, !list_empty(&bo->pinned_link)); + list_del_init(&bo->pinned_link); + spin_unlock(&xe->pinned.lock); } - ttm_bo_unpin(&bo->ttm); } diff --git a/drivers/gpu/drm/xe/xe_bo_evict.c b/drivers/gpu/drm/xe/xe_bo_evict.c index 32043e1e5a86..b01bc20eb90b 100644 --- a/drivers/gpu/drm/xe/xe_bo_evict.c +++ b/drivers/gpu/drm/xe/xe_bo_evict.c @@ -34,9 +34,6 @@ int xe_bo_evict_all(struct xe_device *xe) u8 id; int ret; - if (!IS_DGFX(xe)) - return 0; - /* User memory */ for (mem_type = XE_PL_VRAM0; mem_type <= XE_PL_VRAM1; ++mem_type) { struct ttm_resource_manager *man = @@ -125,9 +122,6 @@ int xe_bo_restore_kernel(struct xe_device *xe) struct xe_bo *bo; int ret; - if (!IS_DGFX(xe)) - return 0; - spin_lock(&xe->pinned.lock); for (;;) { bo = list_first_entry_or_null(&xe->pinned.evicted,

10 months

3
2
0 0

[PATCH v2] ACPI: platform-profile: Fix CFI violation when accessing sysfs files

by Nathan Chancellor

When an attribute group is created with sysfs_create_group(), the ->sysfs_ops() callback is set to kobj_sysfs_ops, which sets the ->show() and ->store() callbacks to kobj_attr_show() and kobj_attr_store() respectively. These functions use container_of() to get the respective callback from the passed attribute, meaning that these callbacks need to be the same type as the callbacks in 'struct kobj_attribute'. However, the platform_profile sysfs functions have the type of the ->show() and ->store() callbacks in 'struct device_attribute', which results a CFI violation when accessing platform_profile or platform_profile_choices under /sys/firmware/acpi because the types do not match: CFI failure at kobj_attr_show+0x19/0x30 (target: platform_profile_choices_show+0x0/0x140; expected type: 0x7a69590c) There is no functional issue from the type mismatch because the layout of 'struct kobj_attribute' and 'struct device_attribute' are the same, so the container_of() cast does not break anything aside from CFI. Change the type of platform_profile_choices_show() and platform_profile_{show,store}() to match the callbacks in 'struct kobj_attribute' and update the attribute variables to match, which resolves the CFI violation. Cc: stable(a)vger.kernel.org Fixes: a2ff95e018f1 ("ACPI: platform: Add platform profile support") Reported-by: John Rowley <lkml(a)johnrowley.me> Closes: https://github.com/ClangBuiltLinux/linux/issues/2047 Tested-by: John Rowley <lkml(a)johnrowley.me> Reviewed-by: Sami Tolvanen <samitolvanen(a)google.com> Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- John reminded me that this is still an issue in 6.12: https://github.com/ClangBuiltLinux/linux/issues/2047#issuecomment-2482635093 I know Greg said this driver should be using a 'struct device' but I am not familiar with that conversion and there was never any follow up to me asking how it should be done. I think it would be best to pick this change up now and have that conversion be done properly by someone who is more familiar with this driver later. Changes in v2: - Rebase on linux-pm/acpi - Pick up Sami's reviewed-by tag - Adjust wording around why there is no functional issue from the mismatched types - Link to v1: https://lore.kernel.org/r/20240819-acpi-platform_profile-fix-cfi-violation-… --- drivers/acpi/platform_profile.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/acpi/platform_profile.c b/drivers/acpi/platform_profile.c index d2f7fd7743a13df1dac3100c885208f4418218a5..11278f785526d48243e16659cd78d0b717846a7f 100644 --- a/drivers/acpi/platform_profile.c +++ b/drivers/acpi/platform_profile.c @@ -22,8 +22,8 @@ static const char * const profile_names[] = { }; static_assert(ARRAY_SIZE(profile_names) == PLATFORM_PROFILE_LAST); -static ssize_t platform_profile_choices_show(struct device *dev, - struct device_attribute *attr, +static ssize_t platform_profile_choices_show(struct kobject *kobj, + struct kobj_attribute *attr, char *buf) { int len = 0; @@ -49,8 +49,8 @@ static ssize_t platform_profile_choices_show(struct device *dev, return len; } -static ssize_t platform_profile_show(struct device *dev, - struct device_attribute *attr, +static ssize_t platform_profile_show(struct kobject *kobj, + struct kobj_attribute *attr, char *buf) { enum platform_profile_option profile = PLATFORM_PROFILE_BALANCED; @@ -77,8 +77,8 @@ static ssize_t platform_profile_show(struct device *dev, return sysfs_emit(buf, "%s\n", profile_names[profile]); } -static ssize_t platform_profile_store(struct device *dev, - struct device_attribute *attr, +static ssize_t platform_profile_store(struct kobject *kobj, + struct kobj_attribute *attr, const char *buf, size_t count) { int err, i; @@ -115,12 +115,12 @@ static ssize_t platform_profile_store(struct device *dev, return count; } -static DEVICE_ATTR_RO(platform_profile_choices); -static DEVICE_ATTR_RW(platform_profile); +static struct kobj_attribute attr_platform_profile_choices = __ATTR_RO(platform_profile_choices); +static struct kobj_attribute attr_platform_profile = __ATTR_RW(platform_profile); static struct attribute *platform_profile_attrs[] = { - &dev_attr_platform_profile_choices.attr, - &dev_attr_platform_profile.attr, + &attr_platform_profile_choices.attr, + &attr_platform_profile.attr, NULL }; --- base-commit: d47a60e487fbb65bbbca3d99e59009f0a4acf34d change-id: 20240819-acpi-platform_profile-fix-cfi-violation-de278753bd5f Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

10 months

1
0
0 0

[PATCH] Revert "drm/amd/pm: correct the workload setting"

by Alex Deucher

This reverts commit 4a18810d0b6fb2b853b75d21117040a783f2ab66. This causes a regression in the workload selection. A more extensive fix is being worked on for mainline. For stable, revert. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3618 Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org # 6.11.x --- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 49 ++++++------------- drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h | 4 +- .../gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 5 +- .../amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 5 +- .../gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 4 +- .../gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c | 4 +- .../drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 20 ++------ .../drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 5 +- .../drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 9 ++-- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 8 --- drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h | 2 - 12 files changed, 36 insertions(+), 84 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c index ee1bcfaae3e3..80e60ea2d11e 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c @@ -1259,33 +1259,26 @@ static int smu_sw_init(void *handle) smu->watermarks_bitmap = 0; smu->power_profile_mode = PP_SMC_POWER_PROFILE_BOOTUP_DEFAULT; smu->default_power_profile_mode = PP_SMC_POWER_PROFILE_BOOTUP_DEFAULT; - smu->user_dpm_profile.user_workload_mask = 0; atomic_set(&smu->smu_power.power_gate.vcn_gated, 1); atomic_set(&smu->smu_power.power_gate.jpeg_gated, 1); atomic_set(&smu->smu_power.power_gate.vpe_gated, 1); atomic_set(&smu->smu_power.power_gate.umsch_mm_gated, 1); - smu->workload_priority[PP_SMC_POWER_PROFILE_BOOTUP_DEFAULT] = 0; - smu->workload_priority[PP_SMC_POWER_PROFILE_FULLSCREEN3D] = 1; - smu->workload_priority[PP_SMC_POWER_PROFILE_POWERSAVING] = 2; - smu->workload_priority[PP_SMC_POWER_PROFILE_VIDEO] = 3; - smu->workload_priority[PP_SMC_POWER_PROFILE_VR] = 4; - smu->workload_priority[PP_SMC_POWER_PROFILE_COMPUTE] = 5; - smu->workload_priority[PP_SMC_POWER_PROFILE_CUSTOM] = 6; + smu->workload_prority[PP_SMC_POWER_PROFILE_BOOTUP_DEFAULT] = 0; + smu->workload_prority[PP_SMC_POWER_PROFILE_FULLSCREEN3D] = 1; + smu->workload_prority[PP_SMC_POWER_PROFILE_POWERSAVING] = 2; + smu->workload_prority[PP_SMC_POWER_PROFILE_VIDEO] = 3; + smu->workload_prority[PP_SMC_POWER_PROFILE_VR] = 4; + smu->workload_prority[PP_SMC_POWER_PROFILE_COMPUTE] = 5; + smu->workload_prority[PP_SMC_POWER_PROFILE_CUSTOM] = 6; if (smu->is_apu || - !smu_is_workload_profile_available(smu, PP_SMC_POWER_PROFILE_FULLSCREEN3D)) { - smu->driver_workload_mask = - 1 << smu->workload_priority[PP_SMC_POWER_PROFILE_BOOTUP_DEFAULT]; - } else { - smu->driver_workload_mask = - 1 << smu->workload_priority[PP_SMC_POWER_PROFILE_FULLSCREEN3D]; - smu->default_power_profile_mode = PP_SMC_POWER_PROFILE_FULLSCREEN3D; - } + !smu_is_workload_profile_available(smu, PP_SMC_POWER_PROFILE_FULLSCREEN3D)) + smu->workload_mask = 1 << smu->workload_prority[PP_SMC_POWER_PROFILE_BOOTUP_DEFAULT]; + else + smu->workload_mask = 1 << smu->workload_prority[PP_SMC_POWER_PROFILE_FULLSCREEN3D]; - smu->workload_mask = smu->driver_workload_mask | - smu->user_dpm_profile.user_workload_mask; smu->workload_setting[0] = PP_SMC_POWER_PROFILE_BOOTUP_DEFAULT; smu->workload_setting[1] = PP_SMC_POWER_PROFILE_FULLSCREEN3D; smu->workload_setting[2] = PP_SMC_POWER_PROFILE_POWERSAVING; @@ -2355,20 +2348,17 @@ static int smu_switch_power_profile(void *handle, return -EINVAL; if (!en) { - smu->driver_workload_mask &= ~(1 << smu->workload_priority[type]); + smu->workload_mask &= ~(1 << smu->workload_prority[type]); index = fls(smu->workload_mask); index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0; workload[0] = smu->workload_setting[index]; } else { - smu->driver_workload_mask |= (1 << smu->workload_priority[type]); + smu->workload_mask |= (1 << smu->workload_prority[type]); index = fls(smu->workload_mask); index = index <= WORKLOAD_POLICY_MAX ? index - 1 : 0; workload[0] = smu->workload_setting[index]; } - smu->workload_mask = smu->driver_workload_mask | - smu->user_dpm_profile.user_workload_mask; - if (smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL && smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM) smu_bump_power_profile_mode(smu, workload, 0); @@ -3059,23 +3049,12 @@ static int smu_set_power_profile_mode(void *handle, uint32_t param_size) { struct smu_context *smu = handle; - int ret; if (!smu->pm_enabled || !smu->adev->pm.dpm_enabled || !smu->ppt_funcs->set_power_profile_mode) return -EOPNOTSUPP; - if (smu->user_dpm_profile.user_workload_mask & - (1 << smu->workload_priority[param[param_size]])) - return 0; - - smu->user_dpm_profile.user_workload_mask = - (1 << smu->workload_priority[param[param_size]]); - smu->workload_mask = smu->user_dpm_profile.user_workload_mask | - smu->driver_workload_mask; - ret = smu_bump_power_profile_mode(smu, param, param_size); - - return ret; + return smu_bump_power_profile_mode(smu, param, param_size); } static int smu_get_fan_control_mode(void *handle, u32 *fan_mode) diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h b/drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h index d60d9a12a47e..b44a185d07e8 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h +++ b/drivers/gpu/drm/amd/pm/swsmu/inc/amdgpu_smu.h @@ -240,7 +240,6 @@ struct smu_user_dpm_profile { /* user clock state information */ uint32_t clk_mask[SMU_CLK_COUNT]; uint32_t clk_dependency; - uint32_t user_workload_mask; }; #define SMU_TABLE_INIT(tables, table_id, s, a, d) \ @@ -558,8 +557,7 @@ struct smu_context { bool disable_uclk_switch; uint32_t workload_mask; - uint32_t driver_workload_mask; - uint32_t workload_priority[WORKLOAD_POLICY_MAX]; + uint32_t workload_prority[WORKLOAD_POLICY_MAX]; uint32_t workload_setting[WORKLOAD_POLICY_MAX]; uint32_t power_profile_mode; uint32_t default_power_profile_mode; diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c index 31fe512028f4..c0f6b59369b7 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c @@ -1455,6 +1455,7 @@ static int arcturus_set_power_profile_mode(struct smu_context *smu, return -EINVAL; } + if ((profile_mode == PP_SMC_POWER_PROFILE_CUSTOM) && (smu->smc_fw_version >= 0x360d00)) { if (size != 10) @@ -1522,14 +1523,14 @@ static int arcturus_set_power_profile_mode(struct smu_context *smu, ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetWorkloadMask, - smu->workload_mask, + 1 << workload_type, NULL); if (ret) { dev_err(smu->adev->dev, "Fail to set workload type %d\n", workload_type); return ret; } - smu_cmn_assign_power_profile(smu); + smu->power_profile_mode = profile_mode; return 0; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c index bb4ae529ae20..076620fa3ef5 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c @@ -2081,13 +2081,10 @@ static int navi10_set_power_profile_mode(struct smu_context *smu, long *input, u smu->power_profile_mode); if (workload_type < 0) return -EINVAL; - ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetWorkloadMask, - smu->workload_mask, NULL); + 1 << workload_type, NULL); if (ret) dev_err(smu->adev->dev, "[%s] Failed to set work load mask!", __func__); - else - smu_cmn_assign_power_profile(smu); return ret; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c index ca94c52663c0..0d3e1a121b67 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c @@ -1786,13 +1786,10 @@ static int sienna_cichlid_set_power_profile_mode(struct smu_context *smu, long * smu->power_profile_mode); if (workload_type < 0) return -EINVAL; - ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetWorkloadMask, - smu->workload_mask, NULL); + 1 << workload_type, NULL); if (ret) dev_err(smu->adev->dev, "[%s] Failed to set work load mask!", __func__); - else - smu_cmn_assign_power_profile(smu); return ret; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c index 952ee22cbc90..1fe020f1f4db 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c @@ -1079,7 +1079,7 @@ static int vangogh_set_power_profile_mode(struct smu_context *smu, long *input, } ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_ActiveProcessNotify, - smu->workload_mask, + 1 << workload_type, NULL); if (ret) { dev_err_once(smu->adev->dev, "Fail to set workload type %d\n", @@ -1087,7 +1087,7 @@ static int vangogh_set_power_profile_mode(struct smu_context *smu, long *input, return ret; } - smu_cmn_assign_power_profile(smu); + smu->power_profile_mode = profile_mode; return 0; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c index 62316a6707ef..cc0504b063fa 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu12/renoir_ppt.c @@ -890,14 +890,14 @@ static int renoir_set_power_profile_mode(struct smu_context *smu, long *input, u } ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_ActiveProcessNotify, - smu->workload_mask, + 1 << workload_type, NULL); if (ret) { dev_err_once(smu->adev->dev, "Fail to set workload type %d\n", workload_type); return ret; } - smu_cmn_assign_power_profile(smu); + smu->power_profile_mode = profile_mode; return 0; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c index 5dd7ceca64fe..d53e162dcd8d 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c @@ -2485,7 +2485,7 @@ static int smu_v13_0_0_set_power_profile_mode(struct smu_context *smu, DpmActivityMonitorCoeffInt_t *activity_monitor = &(activity_monitor_external.DpmActivityMonitorCoeffInt); int workload_type, ret = 0; - u32 workload_mask; + u32 workload_mask, selected_workload_mask; smu->power_profile_mode = input[size]; @@ -2552,7 +2552,7 @@ static int smu_v13_0_0_set_power_profile_mode(struct smu_context *smu, if (workload_type < 0) return -EINVAL; - workload_mask = 1 << workload_type; + selected_workload_mask = workload_mask = 1 << workload_type; /* Add optimizations for SMU13.0.0/10. Reuse the power saving profile */ if ((amdgpu_ip_version(smu->adev, MP1_HWIP, 0) == IP_VERSION(13, 0, 0) && @@ -2567,22 +2567,12 @@ static int smu_v13_0_0_set_power_profile_mode(struct smu_context *smu, workload_mask |= 1 << workload_type; } - smu->workload_mask |= workload_mask; ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetWorkloadMask, - smu->workload_mask, + workload_mask, NULL); - if (!ret) { - smu_cmn_assign_power_profile(smu); - if (smu->power_profile_mode == PP_SMC_POWER_PROFILE_POWERSAVING) { - workload_type = smu_cmn_to_asic_specific_index(smu, - CMN2ASIC_MAPPING_WORKLOAD, - PP_SMC_POWER_PROFILE_FULLSCREEN3D); - smu->power_profile_mode = smu->workload_mask & (1 << workload_type) - ? PP_SMC_POWER_PROFILE_FULLSCREEN3D - : PP_SMC_POWER_PROFILE_BOOTUP_DEFAULT; - } - } + if (!ret) + smu->workload_mask = selected_workload_mask; return ret; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c index 9d0b19419de0..b891a5e0a396 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c @@ -2499,14 +2499,13 @@ static int smu_v13_0_7_set_power_profile_mode(struct smu_context *smu, long *inp smu->power_profile_mode); if (workload_type < 0) return -EINVAL; - ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetWorkloadMask, - smu->workload_mask, NULL); + 1 << workload_type, NULL); if (ret) dev_err(smu->adev->dev, "[%s] Failed to set work load mask!", __func__); else - smu_cmn_assign_power_profile(smu); + smu->workload_mask = (1 << workload_type); return ret; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c index d9f0e7f81ed7..eaf80c5b3e4d 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c @@ -1508,11 +1508,12 @@ static int smu_v14_0_2_set_power_profile_mode(struct smu_context *smu, if (workload_type < 0) return -EINVAL; - ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetWorkloadMask, - smu->workload_mask, NULL); - + ret = smu_cmn_send_smc_msg_with_param(smu, + SMU_MSG_SetWorkloadMask, + 1 << workload_type, + NULL); if (!ret) - smu_cmn_assign_power_profile(smu); + smu->workload_mask = 1 << workload_type; return ret; } diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c index bdfc5e617333..91ad434bcdae 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c @@ -1138,14 +1138,6 @@ int smu_cmn_set_mp1_state(struct smu_context *smu, return ret; } -void smu_cmn_assign_power_profile(struct smu_context *smu) -{ - uint32_t index; - index = fls(smu->workload_mask); - index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0; - smu->power_profile_mode = smu->workload_setting[index]; -} - bool smu_cmn_is_audio_func_enabled(struct amdgpu_device *adev) { struct pci_dev *p = NULL; diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h index 8a801e389659..1de685defe85 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h +++ b/drivers/gpu/drm/amd/pm/swsmu/smu_cmn.h @@ -130,8 +130,6 @@ void smu_cmn_init_soft_gpu_metrics(void *table, uint8_t frev, uint8_t crev); int smu_cmn_set_mp1_state(struct smu_context *smu, enum pp_mp1_state mp1_state); -void smu_cmn_assign_power_profile(struct smu_context *smu); - /* * Helper function to make sysfs_emit_at() happy. Align buf to * the current page boundary and record the offset. -- 2.47.0

10 months

2
7
0 0

[PATCH v3 00/15] media: stm32: introduction of CSI / DCMIPP for STM32MP25

by Alain Volmat

This series introduces the camera pipeline support for the STM32MP25 SOC. The STM32MP25 has 3 pipelines, fed from a single camera input which can be either parallel or csi. This series adds the basic support for the 1st pipe (dump) which, in term of features is same as the one featured on the STM32MP13 SOC. It focuses on introduction of the CSI input stage for the DCMIPP, and the CSI specific new control code for the DCMIPP. One of the subdev of the DCMIPP, dcmipp_parallel is now renamed as dcmipp_input since it allows to not only control the parallel but also the csi interface. Signed-off-by: Alain Volmat <alain.volmat(a)foss.st.com> --- Changes in v3: * stm32-csi: use clk_bulk api * stm32-csiL perform reset control within the probe - Link to v2: https://lore.kernel.org/r/20241105-csi_dcmipp_mp25-v2-0-b9fc8a7273c2@foss.s… --- Alain Volmat (15): media: stm32: dcmipp: correct dma_set_mask_and_coherent mask value dt-bindings: media: add description of stm32 csi media: stm32: csi: addition of the STM32 CSI driver media: stm32: dcmipp: use v4l2_subdev_is_streaming media: stm32: dcmipp: replace s_stream with enable/disable_streams media: stm32: dcmipp: rename dcmipp_parallel into dcmipp_input media: stm32: dcmipp: add support for csi input into dcmipp-input media: stm32: dcmipp: add bayer 10~14 bits formats media: stm32: dcmipp: add 1X16 RGB / YUV formats support media: stm32: dcmipp: avoid duplicated format on enum in bytecap media: stm32: dcmipp: fill media ctl hw_revision field dt-bindings: media: add the stm32mp25 compatible of DCMIPP media: stm32: dcmipp: add core support for the stm32mp25 arm64: dts: st: add csi & dcmipp node in stm32mp25 arm64: dts: st: enable imx335/csi/dcmipp pipeline on stm32mp257f-ev1 .../devicetree/bindings/media/st,stm32-dcmipp.yaml | 53 +- .../bindings/media/st,stm32mp25-csi.yaml | 125 +++ MAINTAINERS | 8 + arch/arm64/boot/dts/st/stm32mp251.dtsi | 23 + arch/arm64/boot/dts/st/stm32mp257f-ev1.dts | 85 ++ drivers/media/platform/st/stm32/Kconfig | 14 + drivers/media/platform/st/stm32/Makefile | 1 + drivers/media/platform/st/stm32/stm32-csi.c | 1137 ++++++++++++++++++++ .../media/platform/st/stm32/stm32-dcmipp/Makefile | 2 +- .../st/stm32/stm32-dcmipp/dcmipp-bytecap.c | 128 ++- .../st/stm32/stm32-dcmipp/dcmipp-byteproc.c | 119 +- .../platform/st/stm32/stm32-dcmipp/dcmipp-common.h | 4 +- .../platform/st/stm32/stm32-dcmipp/dcmipp-core.c | 116 +- .../platform/st/stm32/stm32-dcmipp/dcmipp-input.c | 540 ++++++++++ .../st/stm32/stm32-dcmipp/dcmipp-parallel.c | 440 -------- 15 files changed, 2219 insertions(+), 576 deletions(-) --- base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc change-id: 20241007-csi_dcmipp_mp25-7779601f57da Best regards, -- Alain Volmat <alain.volmat(a)foss.st.com>

10 months

1
1
0 0

[PATCH] arm64: uaccess: Restrict user access to kernel memory in __copy_user_flushcache()

by Gax-c

From: Zichen Xie <zichenxie0106(a)gmail.com> raw_copy_from_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address. Change it to copy_from_user(). Fixes: 9e94fdade4d8 ("arm64: uaccess: simplify __copy_user_flushcache()") Signed-off-by: Zichen Xie <zichenxie0106(a)gmail.com> Cc: stable(a)vger.kernel.org --- arch/arm64/lib/uaccess_flushcache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm64/lib/uaccess_flushcache.c b/arch/arm64/lib/uaccess_flushcache.c index 7510d1a23124..fb138a3934db 100644 --- a/arch/arm64/lib/uaccess_flushcache.c +++ b/arch/arm64/lib/uaccess_flushcache.c @@ -24,7 +24,7 @@ unsigned long __copy_user_flushcache(void *to, const void __user *from, { unsigned long rc; - rc = raw_copy_from_user(to, from, n); + rc = copy_from_user(to, from, n); /* See above */ dcache_clean_pop((unsigned long)to, (unsigned long)to + n - rc); -- 2.34.1

10 months

3
2
0 0

[PATCH] perf: arm-ni: Fix attribute_group definition syntax

by Thomas Weißschuh

The sentinel NULL value does not make sense and is a syntax error in a structure definition. Remove it. Fixes: 4d5a7680f2b4 ("perf: Add driver for Arm NI-700 interconnect PMU") Cc: stable(a)vger.kernel.org Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> --- Cc stable because although this commit is not yet released, it most likely will be by the time it hits mainline. --- drivers/perf/arm-ni.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/perf/arm-ni.c b/drivers/perf/arm-ni.c index 90fcfe693439ef3e18e23c6351433ac3c5ea78b5..fd7a5e60e96302fada29cd44e7bf9c582e93e4ce 100644 --- a/drivers/perf/arm-ni.c +++ b/drivers/perf/arm-ni.c @@ -247,7 +247,6 @@ static struct attribute *arm_ni_other_attrs[] = { static const struct attribute_group arm_ni_other_attr_group = { .attrs = arm_ni_other_attrs, - NULL }; static const struct attribute_group *arm_ni_attr_groups[] = { --- base-commit: 4a5df37964673effcd9f84041f7423206a5ae5f2 change-id: 20241117-arm-ni-syntax-250a83058529 Best regards, -- Thomas Weißschuh <linux(a)weissschuh.net>

10 months

2
2
0 0

[PATCH 6.1.y 0/3] ext4: Fix warning related to siphash and ext4 filesystem mounting

by Vasiliy Kovalev

Found by syzbot (https://syzkaller.appspot.com/bug?extid=9177d065333561cd6fd0): EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode EXT4-fs (loop0): 1 truncate cleaned up EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. fscrypt: AES-256-CTS-CBC using implementation "cts-cbc-aes-aesni" ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4245 at fs/crypto/fname.c:567 fscrypt_fname_siphash+0xb9/0xf0 Modules linked in: CPU: 1 PID: 4245 Comm: syz-executor375 Not tainted 6.1.116-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:fscrypt_fname_siphash+0xb9/0xf0 fs/crypto/fname.c:567 Call Trace: <TASK> __ext4fs_dirhash+0xdd2/0x14c0 fs/ext4/hash.c:268 ext4fs_dirhash+0x1b8/0x320 fs/ext4/hash.c:322 htree_dirblock_to_tree+0x723/0x10d0 fs/ext4/namei.c:1125 ext4_htree_fill_tree+0x73d/0x13f0 fs/ext4/namei.c:1220 ext4_dx_readdir fs/ext4/dir.c:605 [inline] ext4_readdir+0x2e87/0x3880 fs/ext4/dir.c:142 iterate_dir+0x224/0x560 __do_sys_getdents64 fs/readdir.c:369 [inline] __se_sys_getdents64+0x209/0x4f0 fs/readdir.c:354 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 </TASK> These patches address a warning encountered when mounting ext4 filesystems with the default hash version set to SIPHASH while the casefold feature is not enabled. The warning occurs due to incorrect error handling and setup of the default hash version. [PATCH 1/3 ] ext4: factor out ext4_hash_info_init() Simplifies the ext4 filesystem setup by factoring out the ext4_hash_info_init function, with no functional change. [PATCH 2/3] ext4: filesystems without casefold feature cannot be mounted with siphash Ensures that ext4 filesystems with the default hash set to SIPHASH cannot be mounted if the casefold feature is not enabled. [PATCH 3/3] ext4: fix error message when rejecting the default hash Corrects the error message logic for rejecting filesystems with the default SIPHASH hash version, ensuring the error message doesn't incorrectly reference the casefold setup. Also moves the check to ext4_hash_info_init to ensure consistency.

10 months

1
3
0 0

[PATCH 6.6.y 0/2] ext4: Fix warning related to siphash and ext4 filesystem mounting

by Vasiliy Kovalev

Found by syzbot (https://syzkaller.appspot.com/bug?extid=340581ba9dceb7e06fb3) log (6.6.61): EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode EXT4-fs (loop0): 1 truncate cleaned up EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. fscrypt: AES-256-CTS-CBC using implementation "cts-cbc-aes-aesni" ------------[ cut here ]------------ WARNING: CPU: 0 PID: 3775 at fs/crypto/fname.c:567 fscrypt_fname_siphash (fs/crypto/fname.c:567) CPU: 0 PID: 3775 Comm: fscrypt_fname_s Not tainted 6.6.61-un-def-alt1.kasan #1 RIP: 0010:fscrypt_fname_siphash (fs/crypto/fname.c:567 (discriminator 1)) Call Trace: <TASK> __ext4fs_dirhash (fs/ext4/hash.c:268) ext4fs_dirhash (fs/ext4/hash.c:322) htree_dirblock_to_tree (fs/ext4/namei.c:1127) ext4_htree_fill_tree (fs/ext4/namei.c:1222) ext4_readdir (fs/ext4/dir.c:608 fs/ext4/dir.c:142) iterate_dir (fs/readdir.c:106) __x64_sys_getdents64 (fs/readdir.c:406 fs/readdir.c:390 fs/readdir.c:390) do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81) ... </TASK> These patches address a warning encountered when mounting ext4 filesystems with the default hash version set to SIPHASH while the casefold feature is not enabled. The warning occurs due to incorrect error handling and setup of the default hash version. [PATCH 1/2] ext4: filesystems without casefold feature cannot be mounted with siphash Ensures that ext4 filesystems with the default hash set to SIPHASH cannot be mounted if the casefold feature is not enabled. [PATCH 2/2] ext4: fix error message when rejecting the default hash Corrects the error message logic for rejecting filesystems with the default SIPHASH hash version, ensuring the error message doesn't incorrectly reference the casefold setup. Also moves the check to ext4_hash_info_init to ensure consistency.

10 months

1
2
0 0

[PATCH 6.1.y 0/4] fix error handling in mmap_region() and refactor (hotfixes)

by Lorenzo Stoakes

Critical fixes for mmap_region(), backported to 6.1.y. Some notes on differences from upstream: * We do NOT take commit 0fb4a7ad270b ("mm: refactor map_deny_write_exec()"), as this refactors code only introduced in 6.2. * We make reference in "mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling" to parisc, but the referenced functionality does not exist in this kernel. * In this kernel is_shared_maywrite() does not exist and the code uses VM_SHARED to determine whether mapping_map_writable() / mapping_unmap_writable() should be invoked. This backport therefore follows suit. * The vma_dummy_vm_ops static global doesn't exist in this kernel, so we use a local static variable in mmap_file() and vma_close(). * Each version of these series is confronted by a slightly different mmap_region(), so we must adapt the change for each stable version. The approach remains the same throughout, however, and we correctly avoid closing the VMA part way through any __mmap_region() operation. * This version of the kernel uses mas_preallocate() rather than the vma_iter_prealloc() wrapper and mas_destroy() rather than the vma_iter_free() wrapper, however the logic of rearranging the positioning of these remains the same, as well as avoiding the iterator leak we previously had on some error paths. Lorenzo Stoakes (4): mm: avoid unsafe VMA hook invocation when error arises on mmap hook mm: unconditionally close VMAs on error mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling mm: resolve faulty mmap_region() error path behaviour arch/arm64/include/asm/mman.h | 10 ++- include/linux/mman.h | 7 +- mm/internal.h | 19 ++++++ mm/mmap.c | 119 ++++++++++++++++++---------------- mm/nommu.c | 9 ++- mm/shmem.c | 3 - mm/util.c | 33 ++++++++++ 7 files changed, 129 insertions(+), 71 deletions(-) -- 2.47.0

10 months

4
11
0 0

[PATCH 6.1] fs/ntfs3: Add rough attr alloc_size check

by Bin Lan

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> [ Upstream commit c4a8ba334262e9a5c158d618a4820e1b9c12495c ] Reported-by: syzbot+c6d94bedd910a8216d25(a)syzkaller.appspotmail.com Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- fs/ntfs3/record.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 7ab452710572..0cdff04d084b 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -329,6 +329,9 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) if (attr->nres.c_unit) return NULL; + + if (alloc_size > mi->sbi->volume.size) + return NULL; } return attr; -- 2.43.0

10 months

1
0
0 0

[PATCH 6.1.y] hv_netvsc: Don't free decrypted memory

by Xiangyu Chen

From: Rick Edgecombe <rick.p.edgecombe(a)intel.com> [ Upstream commit bbf9ac34677b57506a13682b31a2a718934c0e31 ] In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. The netvsc driver could free decrypted/shared pages if set_memory_decrypted() fails. Check the decrypted field in the gpadl to decide whether to free the memory. Signed-off-by: Rick Edgecombe <rick.p.edgecombe(a)intel.com> Signed-off-by: Michael Kelley <mhklinux(a)outlook.com> Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Link: https://lore.kernel.org/r/20240311161558.1310-4-mhklinux@outlook.com Signed-off-by: Wei Liu <wei.liu(a)kernel.org> Message-ID: <20240311161558.1310-4-mhklinux(a)outlook.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> [Xiangyu: Bp to fix CVE: CVE-2024-36911 resolved the conflicts] Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/net/hyperv/netvsc.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c index 3a834d4e1c84..3735bfbd9e8e 100644 --- a/drivers/net/hyperv/netvsc.c +++ b/drivers/net/hyperv/netvsc.c @@ -155,15 +155,19 @@ static void free_netvsc_device(struct rcu_head *head) kfree(nvdev->extension); - if (nvdev->recv_original_buf) - vfree(nvdev->recv_original_buf); - else - vfree(nvdev->recv_buf); + if (!nvdev->recv_buf_gpadl_handle.decrypted) { + if (nvdev->recv_original_buf) + vfree(nvdev->recv_original_buf); + else + vfree(nvdev->recv_buf); + } - if (nvdev->send_original_buf) - vfree(nvdev->send_original_buf); - else - vfree(nvdev->send_buf); + if (!nvdev->send_buf_gpadl_handle.decrypted) { + if (nvdev->send_original_buf) + vfree(nvdev->send_original_buf); + else + vfree(nvdev->send_buf); + } bitmap_free(nvdev->send_section_map); -- 2.43.0

10 months

1
0
0 0

[PATCH 6.1] gpiolib: cdev: Fix use after free in lineinfo_changed_notify

by Xiangyu Chen

From: Zhongqiu Han <quic_zhonhan(a)quicinc.com> [ Upstream commit 02f6b0e1ec7e0e7d059dddc893645816552039da ] The use-after-free issue occurs as follows: when the GPIO chip device file is being closed by invoking gpio_chrdev_release(), watched_lines is freed by bitmap_free(), but the unregistration of lineinfo_changed_nb notifier chain failed due to waiting write rwsem. Additionally, one of the GPIO chip's lines is also in the release process and holds the notifier chain's read rwsem. Consequently, a race condition leads to the use-after-free of watched_lines. Here is the typical stack when issue happened: [free] gpio_chrdev_release() --> bitmap_free(cdev->watched_lines) <-- freed --> blocking_notifier_chain_unregister() --> down_write(&nh->rwsem) <-- waiting rwsem --> __down_write_common() --> rwsem_down_write_slowpath() --> schedule_preempt_disabled() --> schedule() [use] st54spi_gpio_dev_release() --> gpio_free() --> gpiod_free() --> gpiod_free_commit() --> gpiod_line_state_notify() --> blocking_notifier_call_chain() --> down_read(&nh->rwsem); <-- held rwsem --> notifier_call_chain() --> lineinfo_changed_notify() --> test_bit(xxxx, cdev->watched_lines) <-- use after free The side effect of the use-after-free issue is that a GPIO line event is being generated for userspace where it shouldn't. However, since the chrdev is being closed, userspace won't have the chance to read that event anyway. To fix the issue, call the bitmap_free() function after the unregistration of lineinfo_changed_nb notifier chain. Fixes: 51c1064e82e7 ("gpiolib: add new ioctl() for monitoring changes in line info") Signed-off-by: Zhongqiu Han <quic_zhonhan(a)quicinc.com> Link: https://lore.kernel.org/r/20240505141156.2944912-1-quic_zhonhan@quicinc.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/gpio/gpiolib-cdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index 55f640ef3fee..897d20996a8c 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -2860,9 +2860,9 @@ static int gpio_chrdev_release(struct inode *inode, struct file *file) struct gpio_chardev_data *cdev = file->private_data; struct gpio_device *gdev = cdev->gdev; - bitmap_free(cdev->watched_lines); blocking_notifier_chain_unregister(&gdev->notifier, &cdev->lineinfo_changed_nb); + bitmap_free(cdev->watched_lines); put_device(&gdev->dev); kfree(cdev); -- 2.43.0

10 months

1
0
0 0

[PATCH 6.6] drm/amd/pm: Vangogh: Fix kernel memory out of bounds write

by Bin Lan

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> [ Upstream commit 4aa923a6e6406b43566ef6ac35a3d9a3197fa3e8 ] KASAN reports that the GPU metrics table allocated in vangogh_tables_init() is not large enough for the memset done in smu_cmn_init_soft_gpu_metrics(). Condensed report follows: [ 33.861314] BUG: KASAN: slab-out-of-bounds in smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu] [ 33.861799] Write of size 168 at addr ffff888129f59500 by task mangoapp/1067 ... [ 33.861808] CPU: 6 UID: 1000 PID: 1067 Comm: mangoapp Tainted: G W 6.12.0-rc4 #356 1a56f59a8b5182eeaf67eb7cb8b13594dd23b544 [ 33.861816] Tainted: [W]=WARN [ 33.861818] Hardware name: Valve Galileo/Galileo, BIOS F7G0107 12/01/2023 [ 33.861822] Call Trace: [ 33.861826] <TASK> [ 33.861829] dump_stack_lvl+0x66/0x90 [ 33.861838] print_report+0xce/0x620 [ 33.861853] kasan_report+0xda/0x110 [ 33.862794] kasan_check_range+0xfd/0x1a0 [ 33.862799] __asan_memset+0x23/0x40 [ 33.862803] smu_cmn_init_soft_gpu_metrics+0x73/0x200 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.863306] vangogh_get_gpu_metrics_v2_4+0x123/0xad0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.864257] vangogh_common_get_gpu_metrics+0xb0c/0xbc0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.865682] amdgpu_dpm_get_gpu_metrics+0xcc/0x110 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.866160] amdgpu_get_gpu_metrics+0x154/0x2d0 [amdgpu 13b1bc364ec578808f676eba412c20eaab792779] [ 33.867135] dev_attr_show+0x43/0xc0 [ 33.867147] sysfs_kf_seq_show+0x1f1/0x3b0 [ 33.867155] seq_read_iter+0x3f8/0x1140 [ 33.867173] vfs_read+0x76c/0xc50 [ 33.867198] ksys_read+0xfb/0x1d0 [ 33.867214] do_syscall_64+0x90/0x160 ... [ 33.867353] Allocated by task 378 on cpu 7 at 22.794876s: [ 33.867358] kasan_save_stack+0x33/0x50 [ 33.867364] kasan_save_track+0x17/0x60 [ 33.867367] __kasan_kmalloc+0x87/0x90 [ 33.867371] vangogh_init_smc_tables+0x3f9/0x840 [amdgpu] [ 33.867835] smu_sw_init+0xa32/0x1850 [amdgpu] [ 33.868299] amdgpu_device_init+0x467b/0x8d90 [amdgpu] [ 33.868733] amdgpu_driver_load_kms+0x19/0xf0 [amdgpu] [ 33.869167] amdgpu_pci_probe+0x2d6/0xcd0 [amdgpu] [ 33.869608] local_pci_probe+0xda/0x180 [ 33.869614] pci_device_probe+0x43f/0x6b0 Empirically we can confirm that the former allocates 152 bytes for the table, while the latter memsets the 168 large block. Root cause appears that when GPU metrics tables for v2_4 parts were added it was not considered to enlarge the table to fit. The fix in this patch is rather "brute force" and perhaps later should be done in a smarter way, by extracting and consolidating the part version to size logic to a common helper, instead of brute forcing the largest possible allocation. Nevertheless, for now this works and fixes the out of bounds write. v2: * Drop impossible v3_0 case. (Mario) Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> Fixes: 41cec40bc9ba ("drm/amd/pm: Vangogh: Add new gpu_metrics_v2_4 to acquire gpu_metrics") Cc: Mario Limonciello <mario.limonciello(a)amd.com> Cc: Evan Quan <evan.quan(a)amd.com> Cc: Wenyou Yang <WenYou.Yang(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Reviewed-by: Mario Limonciello <mario.limonciello(a)amd.com> Link: https://lore.kernel.org/r/20241025145639.19124-1-tursulin@igalia.com Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 0880f58f9609f0200483a49429af0f050d281703) Cc: stable(a)vger.kernel.org # v6.6+ Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c index f46cda889483..454216bd6f1d 100644 --- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c @@ -256,10 +256,9 @@ static int vangogh_tables_init(struct smu_context *smu) goto err0_out; smu_table->metrics_time = 0; - if (smu_version >= 0x043F3E00) - smu_table->gpu_metrics_table_size = sizeof(struct gpu_metrics_v2_3); - else - smu_table->gpu_metrics_table_size = sizeof(struct gpu_metrics_v2_2); + smu_table->gpu_metrics_table_size = sizeof(struct gpu_metrics_v2_2); + smu_table->gpu_metrics_table_size = max(smu_table->gpu_metrics_table_size, sizeof(struct gpu_metrics_v2_3)); + smu_table->gpu_metrics_table_size = max(smu_table->gpu_metrics_table_size, sizeof(struct gpu_metrics_v2_4)); smu_table->gpu_metrics_table = kzalloc(smu_table->gpu_metrics_table_size, GFP_KERNEL); if (!smu_table->gpu_metrics_table) goto err1_out; -- 2.43.0

10 months

1
0
0 0

[PATCH 2/2] docs: media: update location of the media patches

by Mauro Carvalho Chehab

Due to recent changes on the way we're maintaining media, the location of the main tree was updated. Change docs accordingly. Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> --- Documentation/admin-guide/media/building.rst | 2 +- Documentation/admin-guide/media/saa7134.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/admin-guide/media/building.rst b/Documentation/admin-guide/media/building.rst index a06473429916..7a413ba07f93 100644 --- a/Documentation/admin-guide/media/building.rst +++ b/Documentation/admin-guide/media/building.rst @@ -15,7 +15,7 @@ Please notice, however, that, if: you should use the main media development tree ``master`` branch: - https://git.linuxtv.org/media_tree.git/ + https://git.linuxtv.org/media.git/ In this case, you may find some useful information at the `LinuxTv wiki pages <https://linuxtv.org/wiki>`_: diff --git a/Documentation/admin-guide/media/saa7134.rst b/Documentation/admin-guide/media/saa7134.rst index 51eae7eb5ab7..18d7cbc897db 100644 --- a/Documentation/admin-guide/media/saa7134.rst +++ b/Documentation/admin-guide/media/saa7134.rst @@ -67,7 +67,7 @@ Changes / Fixes Please mail to linux-media AT vger.kernel.org unified diffs against the linux media git tree: - https://git.linuxtv.org/media_tree.git/ + https://git.linuxtv.org/media.git/ This is done by committing a patch at a clone of the git tree and submitting the patch using ``git send-email``. Don't forget to -- 2.47.0

10 months

2
1
0 0