- Linux-stable-mirror - lists.linaro.org

[PATCH v5] usb: dwc3: Avoid waking up gadget during startxfer

by Prashanth K

When operating in High-Speed, it is observed that DSTS[USBLNKST] doesn't
update link state immediately after receiving the wakeup interrupt. Since
the wakeup event handler calls the resume callbacks, there is a chance that
function drivers can perform an ep queue, which in turn tries to perform
remote wakeup from send_gadget_ep_cmd(STARTXFER). This happens because
DSTS[21:18] wasn't updated to U0 yet; the latency of DSTS has been observed
to be on the order of milliseconds. Hence avoid calling gadget_wakeup
during startxfer to prevent unnecessarily issuing remote wakeup to host.

Fixes: c36d8e947a56 ("usb: dwc3: gadget: put link to U0 before Start Transfer")
Cc: <stable(a)vger.kernel.org>
Suggested-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com>
Signed-off-by: Prashanth K <quic_prashk(a)quicinc.com>
---
v5: Further rewording of the comment in function.
v4: Rewording the comment in function definition.
v3: Added notes on top the function definition.
v2: Refactored the patch as suggested in v1 discussion.

 drivers/usb/dwc3/gadget.c | 41 ++++++++++++++++-----------------------
 1 file changed, 17 insertions(+), 24 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 89fc690fdf34..291bc549935b 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -287,6 +287,23 @@ static int __dwc3_gadget_wakeup(struct dwc3 *dwc, bool async);
  *
  * Caller should handle locking. This function will issue @cmd with given
  * @params to @dep and wait for its completion.
+ *
+ * According to the programming guide, if the link state is in L1/L2/U3,
+ * then sending the Start Transfer command may not complete. The
+ * programming guide suggested to bring the link state back to ON/U0 by
+ * performing remote wakeup prior to sending the command. However, don't
+ * initiate remote wakeup when the user/function does not send wakeup
+ * request via wakeup ops. Send the command when it's allowed.
+ *
+ * Notes:
+ * For L1 link state, issuing a command requires the clearing of
+ * GUSB2PHYCFG.SUSPENDUSB2, which turns on the signal required to complete
+ * the given command (usually within 50us). This should happen within the
+ * command timeout set by driver. No additional step is needed.
+ *
+ * For L2 or U3 link state, the gadget is in USB suspend. Care should be
+ * taken when sending Start Transfer command to ensure that it's done after
+ * USB resume.
  */
 int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd,
 		struct dwc3_gadget_ep_cmd_params *params)
@@ -327,30 +344,6 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd,
 		dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
 	}
 
-	if (DWC3_DEPCMD_CMD(cmd) == DWC3_DEPCMD_STARTTRANSFER) {
-		int link_state;
-
-		/*
-		 * Initiate remote wakeup if the link state is in U3 when
-		 * operating in SS/SSP or L1/L2 when operating in HS/FS. If the
-		 * link state is in U1/U2, no remote wakeup is needed. The Start
-		 * Transfer command will initiate the link recovery.
-		 */
-		link_state = dwc3_gadget_get_link_state(dwc);
-		switch (link_state) {
-		case DWC3_LINK_STATE_U2:
-			if (dwc->gadget->speed >= USB_SPEED_SUPER)
-				break;
-
-			fallthrough;
-		case DWC3_LINK_STATE_U3:
-			ret = __dwc3_gadget_wakeup(dwc, false);
-			dev_WARN_ONCE(dwc->dev, ret, "wakeup failed --> %d\n",
-				      ret);
-			break;
-		}
-	}
-
 	/*
 	 * For some commands such as Update Transfer command, DEPCMDPARn
 	 * registers are reserved. Since the driver often sends Update Transfer
-- 
2.25.1
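
The policy described in the new comment can be modelled in a few lines of plain C. This is only a toy sketch, not driver code: `enum link_state`, `struct ep_model`, `ep_queue()` and `ep_resume()` are hypothetical names, and deferring the command until resume is just one way a caller might satisfy the "done after USB resume" requirement.

```c
#include <stdbool.h>

/* Hypothetical link states, named after those mentioned in the patch. */
enum link_state { LINK_ON_U0, LINK_L1, LINK_L2, LINK_U3 };

/* Toy endpoint: tracks a deferred Start Transfer and commands sent. */
struct ep_model {
	bool start_pending;
	int cmds_sent;
};

/* Per the patch comment, L2 and U3 mean the gadget is in USB suspend. */
static bool link_suspended(enum link_state s)
{
	return s == LINK_L2 || s == LINK_U3;
}

/*
 * Queue a transfer. Start Transfer is sent only when the link is not
 * suspended. No remote wakeup is issued from here; that is left to an
 * explicit wakeup request from the function driver.
 */
static void ep_queue(struct ep_model *ep, enum link_state s)
{
	if (link_suspended(s)) {
		ep->start_pending = true;	/* defer until USB resume */
		return;
	}
	ep->cmds_sent++;
}

/* On USB resume, send any Start Transfer that was deferred. */
static void ep_resume(struct ep_model *ep)
{
	if (ep->start_pending) {
		ep->start_pending = false;
		ep->cmds_sent++;
	}
}
```

In this model a queue in L1 goes straight through, matching the note that no additional step is needed for L1.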


[PATCH 1/1] alloc_tag: fix allocation tag reporting when CONFIG_MODULES=n

by Suren Baghdasaryan

codetag_module_init() is used to initialize sections containing allocation
tags. This function is used to initialize module sections as well as core
kernel sections, in which case the module parameter is set to NULL. This
function has to be called even when CONFIG_MODULES=n to initialize core
kernel allocation tag sections. When CONFIG_MODULES=n, this function is a
NOP, which is wrong. This leads to /proc/allocinfo being reported as empty.
Fix this by making it independent of CONFIG_MODULES.

Fixes: 916cc5167cc6 ("lib: code tagging framework")
Signed-off-by: Suren Baghdasaryan <surenb(a)google.com>
Cc: stable(a)vger.kernel.org # v6.10
---
 lib/codetag.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/lib/codetag.c b/lib/codetag.c
index 5ace625f2328..afa8a2d4f317 100644
--- a/lib/codetag.c
+++ b/lib/codetag.c
@@ -125,7 +125,6 @@ static inline size_t range_size(const struct codetag_type *cttype,
 			cttype->desc.tag_size;
 }
 
-#ifdef CONFIG_MODULES
 static void *get_symbol(struct module *mod, const char *prefix, const char *name)
 {
 	DECLARE_SEQ_BUF(sb, KSYM_NAME_LEN);
@@ -155,6 +154,15 @@ static struct codetag_range get_section_range(struct module *mod,
 	};
 }
 
+static const char *get_mod_name(__maybe_unused struct module *mod)
+{
+#ifdef CONFIG_MODULES
+	if (mod)
+		return mod->name;
+#endif
+	return "(built-in)";
+}
+
 static int codetag_module_init(struct codetag_type *cttype, struct module *mod)
 {
 	struct codetag_range range;
@@ -164,8 +172,7 @@ static int codetag_module_init(struct codetag_type *cttype, struct module *mod)
 	range = get_section_range(mod, cttype->desc.section);
 	if (!range.start || !range.stop) {
 		pr_warn("Failed to load code tags of type %s from the module %s\n",
-			cttype->desc.section,
-			mod ? mod->name : "(built-in)");
+			cttype->desc.section, get_mod_name(mod));
 		return -EINVAL;
 	}
 
@@ -199,6 +206,7 @@ static int codetag_module_init(struct codetag_type *cttype, struct module *mod)
 	return 0;
 }
 
+#ifdef CONFIG_MODULES
 void codetag_load_module(struct module *mod)
 {
 	struct codetag_type *cttype;
@@ -248,9 +256,6 @@ bool codetag_unload_module(struct module *mod)
 
 	return unload_ok;
 }
-
-#else /* CONFIG_MODULES */
-static int codetag_module_init(struct codetag_type *cttype, struct module *mod) { return 0; }
 #endif /* CONFIG_MODULES */
 
 struct codetag_type *

base-commit: 9287e4adbc6ab8fa04d25eb82e097fed877a4642
-- 
2.46.0.295.g3b9ea8a38a-goog
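
The get_mod_name() helper in the patch above keeps the configuration check in one place so that callers can be compiled unconditionally. A minimal userspace sketch of the same pattern follows; `HAVE_MODULES` is a made-up stand-in for CONFIG_MODULES and `struct module` here is a hypothetical one-field placeholder, not the kernel structure.

```c
#include <stddef.h>

/* Hypothetical placeholder for the kernel's struct module. */
struct module {
	const char *name;
};

/*
 * Return a printable owner name. HAVE_MODULES is an assumed build-time
 * switch standing in for CONFIG_MODULES; when it is not defined, every
 * caller gets "(built-in)" regardless of the pointer passed in.
 */
static const char *get_mod_name(const struct module *mod)
{
#ifdef HAVE_MODULES
	if (mod)
		return mod->name;
#endif
	(void)mod;	/* silences "unused parameter" when HAVE_MODULES is off */
	return "(built-in)";
}
```

With the helper in place, the caller no longer needs its own `#ifdef`, which is what allows codetag_module_init() to be built in both configurations.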


FAILED: patch "[PATCH] ata: libata-core: Fix null pointer dereference on error" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 5d92c7c566dc76d96e0e19e481d926bbe6631c1e
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024070108-cabana-swifter-f1c9@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..

Possible dependencies:

5d92c7c566dc ("ata: libata-core: Fix null pointer dereference on error")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001
From: Niklas Cassel <cassel(a)kernel.org>
Date: Sat, 29 Jun 2024 14:42:11 +0200
Subject: [PATCH] ata: libata-core: Fix null pointer dereference on error

If the ata_port_alloc() call in ata_host_alloc() fails,
ata_host_release() will get called.

However, the code in ata_host_release() tries to free ata_port struct
members unconditionally, which can lead to the following:

BUG: unable to handle page fault for address: 0000000000003990
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die_body.cold+0x19/0x27
 ? page_fault_oops+0x15a/0x2f0
 ? exc_page_fault+0x7e/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? ata_host_release.cold+0x2f/0x6e [libata]
 ? ata_host_release.cold+0x2f/0x6e [libata]
 release_nodes+0x35/0xb0
 devres_release_group+0x113/0x140
 ata_host_alloc+0xed/0x120 [libata]
 ata_host_alloc_pinfo+0x14/0xa0 [libata]
 ahci_init_one+0x6c9/0xd20 [ahci]

Do not access ata_port struct members unconditionally.

Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it")
Cc: stable(a)vger.kernel.org
Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org>
Reviewed-by: Hannes Reinecke <hare(a)suse.de>
Reviewed-by: John Garry <john.g.garry(a)oracle.com>
Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel(a)kernel.org>

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index efb5195da60c..bdccf4ea251a 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -5517,6 +5517,9 @@ static void ata_host_release(struct kref *kref)
 	for (i = 0; i < host->n_ports; i++) {
 		struct ata_port *ap = host->ports[i];
 
+		if (!ap)
+			continue;
+
 		kfree(ap->pmp_link);
 		kfree(ap->slave_link);
 		kfree(ap->ncq_sense_buf);
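
The failure mode in the commit message is a release loop that walks a partially populated pointer array. A minimal userspace sketch of the guarded loop is shown here; `struct port`, `struct host` and `host_release()` are hypothetical stand-ins, and free() takes the place of kfree().

```c
#include <stdlib.h>

#define MAX_PORTS 4

/* Hypothetical stand-ins for ata_port and ata_host. */
struct port {
	void *pmp_link;
	void *slave_link;
};

struct host {
	int n_ports;
	struct port *ports[MAX_PORTS];
};

/*
 * Release every port that was actually allocated and return how many
 * were released. Slots left NULL by a failed allocation are skipped
 * instead of being dereferenced.
 */
static int host_release(struct host *h)
{
	int released = 0;

	for (int i = 0; i < h->n_ports; i++) {
		struct port *p = h->ports[i];

		if (!p)
			continue;

		free(p->pmp_link);
		free(p->slave_link);
		free(p);
		h->ports[i] = NULL;
		released++;
	}
	return released;
}
```

Calling host_release() on a host whose later slots were never filled simply releases the ports that exist.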


FAILED: patch "[PATCH] ata: libata-core: Fix null pointer dereference on error" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 5d92c7c566dc76d96e0e19e481d926bbe6631c1e
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024070107-underrate-unusable-ddb9@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

5d92c7c566dc ("ata: libata-core: Fix null pointer dereference on error")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 5d92c7c566dc76d96e0e19e481d926bbe6631c1e Mon Sep 17 00:00:00 2001
From: Niklas Cassel <cassel(a)kernel.org>
Date: Sat, 29 Jun 2024 14:42:11 +0200
Subject: [PATCH] ata: libata-core: Fix null pointer dereference on error

If the ata_port_alloc() call in ata_host_alloc() fails,
ata_host_release() will get called.

However, the code in ata_host_release() tries to free ata_port struct
members unconditionally, which can lead to the following:

BUG: unable to handle page fault for address: 0000000000003990
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 10 PID: 594 Comm: (udev-worker) Not tainted 6.10.0-rc5 #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:ata_host_release.cold+0x2f/0x6e [libata]
Code: e4 4d 63 f4 44 89 e2 48 c7 c6 90 ad 32 c0 48 c7 c7 d0 70 33 c0 49 83 c6 0e 41
RSP: 0018:ffffc90000ebb968 EFLAGS: 00010246
RAX: 0000000000000041 RBX: ffff88810fb52e78 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88813b3218c0 RDI: ffff88813b3218c0
RBP: ffff88810fb52e40 R08: 0000000000000000 R09: 6c65725f74736f68
R10: ffffc90000ebb738 R11: 73692033203a746e R12: 0000000000000004
R13: 0000000000000000 R14: 0000000000000011 R15: 0000000000000006
FS: 00007f6cc55b9980(0000) GS:ffff88813b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000003990 CR3: 00000001122a2000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 <TASK>
 ? __die_body.cold+0x19/0x27
 ? page_fault_oops+0x15a/0x2f0
 ? exc_page_fault+0x7e/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? ata_host_release.cold+0x2f/0x6e [libata]
 ? ata_host_release.cold+0x2f/0x6e [libata]
 release_nodes+0x35/0xb0
 devres_release_group+0x113/0x140
 ata_host_alloc+0xed/0x120 [libata]
 ata_host_alloc_pinfo+0x14/0xa0 [libata]
 ahci_init_one+0x6c9/0xd20 [ahci]

Do not access ata_port struct members unconditionally.

Fixes: 633273a3ed1c ("libata-pmp: hook PMP support and enable it")
Cc: stable(a)vger.kernel.org
Reviewed-by: Damien Le Moal <dlemoal(a)kernel.org>
Reviewed-by: Hannes Reinecke <hare(a)suse.de>
Reviewed-by: John Garry <john.g.garry(a)oracle.com>
Link: https://lore.kernel.org/r/20240629124210.181537-7-cassel@kernel.org
Signed-off-by: Niklas Cassel <cassel(a)kernel.org>

diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index efb5195da60c..bdccf4ea251a 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -5517,6 +5517,9 @@ static void ata_host_release(struct kref *kref)
 	for (i = 0; i < host->n_ports; i++) {
 		struct ata_port *ap = host->ports[i];
 
+		if (!ap)
+			continue;
+
 		kfree(ap->pmp_link);
 		kfree(ap->slave_link);
 		kfree(ap->ncq_sense_buf);


[PATCH v3] mm: Fix race between __split_huge_pmd_locked() and GUP-fast

by Ryan Roberts

__split_huge_pmd_locked() can be called for a present THP, devmap or
(non-present) migration entry. It calls pmdp_invalidate() unconditionally
on the pmdp and only determines if it is present or not based on the
returned old pmd. This is a problem for the migration entry case because
pmd_mkinvalid(), called by pmdp_invalidate(), must only be called for a
present pmd.

On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future
call to pmd_present() will return true. And therefore any lockless pgtable
walker could see the migration entry pmd in this state and start
interpreting the fields as if it were present, leading to BadThings (TM).
GUP-fast appears to be one such lockless pgtable walker.

x86 does not suffer the above problem, but instead pmd_mkinvalid() will
corrupt the offset field of the swap entry within the swap pte. See link
below for discussion of that problem.

Fix all of this by only calling pmdp_invalidate() for a present pmd. And
for good measure let's add a warning to all implementations of
pmdp_invalidate[_ad](). I've manually reviewed all other
pmdp_invalidate[_ad]() call sites and believe all others to be conformant.

This is a theoretical bug found during code review. I don't have any test
case to trigger it in practice.

Cc: stable(a)vger.kernel.org
Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/
Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path")
Signed-off-by: Ryan Roberts <ryan.roberts(a)arm.com>
---

Right v3; this goes back to the original approach in v1 to fix core-mm
rather than push the fix into arm64, since we discovered that x86 can't
handle pmd_mkinvalid() being called for non-present pmds either.

I'm pulling in more arch maintainers because this version adds some
warnings in arch code to help spot incorrect usage.

Although Catalin had already accepted v2 (fixing arm64) [2] into
for-next/fixes, he's agreed to either remove or revert it.

Changes since v1 [1]
====================

- Improve pmd_mkinvalid() docs to make it clear it can only be called for
  present pmd (per JohnH, Zi Yan)
- Added warnings to arch overrides of pmdp_invalidate[_ad]() (per Zi Yan)
- Moved comment next to new location of pmdp_invalidate() (per Zi Yan)

[1] https://lore.kernel.org/linux-mm/20240425170704.3379492-1-ryan.roberts@arm.…
[2] https://lore.kernel.org/all/20240430133138.732088-1-ryan.roberts@arm.com/

Thanks,
Ryan

 Documentation/mm/arch_pgtable_helpers.rst |  6 ++-
 arch/powerpc/mm/book3s64/pgtable.c        |  1 +
 arch/s390/include/asm/pgtable.h           |  4 +-
 arch/sparc/mm/tlb.c                       |  1 +
 arch/x86/mm/pgtable.c                     |  2 +
 mm/huge_memory.c                          | 49 ++++++++++++-----------
 mm/pgtable-generic.c                      |  2 +
 7 files changed, 39 insertions(+), 26 deletions(-)

diff --git a/Documentation/mm/arch_pgtable_helpers.rst b/Documentation/mm/arch_pgtable_helpers.rst
index 2466d3363af7..ad50ca6f495e 100644
--- a/Documentation/mm/arch_pgtable_helpers.rst
+++ b/Documentation/mm/arch_pgtable_helpers.rst
@@ -140,7 +140,8 @@ PMD Page Table Helpers
 +---------------------------+--------------------------------------------------+
 | pmd_swp_clear_soft_dirty  | Clears a soft dirty swapped PMD                  |
 +---------------------------+--------------------------------------------------+
-| pmd_mkinvalid             | Invalidates a mapped PMD [1]                     |
+| pmd_mkinvalid             | Invalidates a present PMD; do not call for       |
+|                           | non-present PMD [1]                              |
 +---------------------------+--------------------------------------------------+
 | pmd_set_huge              | Creates a PMD huge mapping                       |
 +---------------------------+--------------------------------------------------+
@@ -196,7 +197,8 @@ PUD Page Table Helpers
 +---------------------------+--------------------------------------------------+
 | pud_mkdevmap              | Creates a ZONE_DEVICE mapped PUD                 |
 +---------------------------+--------------------------------------------------+
-| pud_mkinvalid             | Invalidates a mapped PUD [1]                     |
+| pud_mkinvalid             | Invalidates a present PUD; do not call for       |
+|                           | non-present PUD [1]                              |
 +---------------------------+--------------------------------------------------+
 | pud_set_huge              | Creates a PUD huge mapping                       |
 +---------------------------+--------------------------------------------------+
diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c
index 83823db3488b..2975ea0841ba 100644
--- a/arch/powerpc/mm/book3s64/pgtable.c
+++ b/arch/powerpc/mm/book3s64/pgtable.c
@@ -170,6 +170,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
 {
 	unsigned long old_pmd;
 
+	VM_WARN_ON_ONCE(!pmd_present(*pmdp));
 	old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID);
 	flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
 	return __pmd(old_pmd);
diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h
index 60950e7a25f5..480bea44559d 100644
--- a/arch/s390/include/asm/pgtable.h
+++ b/arch/s390/include/asm/pgtable.h
@@ -1768,8 +1768,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma,
 static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma,
 				   unsigned long addr, pmd_t *pmdp)
 {
-	pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID);
+	pmd_t pmd;
 
+	VM_WARN_ON_ONCE(!pmd_present(*pmdp));
+	pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID);
 	return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd);
 }
 
diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
index b44d79d778c7..ef69127d7e5e 100644
--- a/arch/sparc/mm/tlb.c
+++ b/arch/sparc/mm/tlb.c
@@ -249,6 +249,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
 {
 	pmd_t old, entry;
 
+	VM_WARN_ON_ONCE(!pmd_present(*pmdp));
 	entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID);
 	old = pmdp_establish(vma, address, pmdp, entry);
 	flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
index d007591b8059..103cbccf1d7d 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
@@ -631,6 +631,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma,
 pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address,
 			 pmd_t *pmdp)
 {
+	VM_WARN_ON_ONCE(!pmd_present(*pmdp));
+
 	/*
 	 * No flush is necessary. Once an invalid PTE is established, the PTE's
 	 * access and dirty bits cannot be updated.
diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 89f58c7603b2..dd1fc105f70b 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2493,32 +2493,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
 		return __split_huge_zero_page_pmd(vma, haddr, pmd);
 	}
 
-	/*
-	 * Up to this point the pmd is present and huge and userland has the
-	 * whole access to the hugepage during the split (which happens in
-	 * place). If we overwrite the pmd with the not-huge version pointing
-	 * to the pte here (which of course we could if all CPUs were bug
-	 * free), userland could trigger a small page size TLB miss on the
-	 * small sized TLB while the hugepage TLB entry is still established in
-	 * the huge TLB. Some CPU doesn't like that.
-	 * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum
-	 * 383 on page 105. Intel should be safe but is also warns that it's
-	 * only safe if the permission and cache attributes of the two entries
-	 * loaded in the two TLB is identical (which should be the case here).
-	 * But it is generally safer to never allow small and huge TLB entries
-	 * for the same virtual address to be loaded simultaneously. So instead
-	 * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the
-	 * current pmd notpresent (atomically because here the pmd_trans_huge
-	 * must remain set at all times on the pmd until the split is complete
-	 * for this pmd), then we flush the SMP TLB and finally we write the
-	 * non-huge version of the pmd entry with pmd_populate.
-	 */
-	old_pmd = pmdp_invalidate(vma, haddr, pmd);
-
-	pmd_migration = is_pmd_migration_entry(old_pmd);
+	pmd_migration = is_pmd_migration_entry(*pmd);
 	if (unlikely(pmd_migration)) {
 		swp_entry_t entry;
 
+		old_pmd = *pmd;
 		entry = pmd_to_swp_entry(old_pmd);
 		page = pfn_swap_entry_to_page(entry);
 		write = is_writable_migration_entry(entry);
@@ -2529,6 +2508,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
 		soft_dirty = pmd_swp_soft_dirty(old_pmd);
 		uffd_wp = pmd_swp_uffd_wp(old_pmd);
 	} else {
+		/*
+		 * Up to this point the pmd is present and huge and userland has
+		 * the whole access to the hugepage during the split (which
+		 * happens in place). If we overwrite the pmd with the not-huge
+		 * version pointing to the pte here (which of course we could if
+		 * all CPUs were bug free), userland could trigger a small page
+		 * size TLB miss on the small sized TLB while the hugepage TLB
+		 * entry is still established in the huge TLB. Some CPU doesn't
+		 * like that. See
+		 * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum
+		 * 383 on page 105. Intel should be safe but is also warns that
+		 * it's only safe if the permission and cache attributes of the
+		 * two entries loaded in the two TLB is identical (which should
+		 * be the case here). But it is generally safer to never allow
+		 * small and huge TLB entries for the same virtual address to be
+		 * loaded simultaneously. So instead of doing "pmd_populate();
+		 * flush_pmd_tlb_range();" we first mark the current pmd
+		 * notpresent (atomically because here the pmd_trans_huge must
+		 * remain set at all times on the pmd until the split is
+		 * complete for this pmd), then we flush the SMP TLB and finally
+		 * we write the non-huge version of the pmd entry with
+		 * pmd_populate.
+		 */
+		old_pmd = pmdp_invalidate(vma, haddr, pmd);
 		page = pmd_page(old_pmd);
 		folio = page_folio(page);
 		if (pmd_dirty(old_pmd)) {
diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c
index 4fcd959dcc4d..a78a4adf711a 100644
--- a/mm/pgtable-generic.c
+++ b/mm/pgtable-generic.c
@@ -198,6 +198,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp)
 pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
 		     pmd_t *pmdp)
 {
+	VM_WARN_ON_ONCE(!pmd_present(*pmdp));
 	pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp));
 	flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
 	return old;
@@ -208,6 +209,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
 pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address,
 			 pmd_t *pmdp)
 {
+	VM_WARN_ON_ONCE(!pmd_present(*pmdp));
 	return pmdp_invalidate(vma, address, pmdp);
 }
 #endif
-- 
2.25.1
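
The hazard described in the commit message can be reproduced with a toy entry encoding. The sketch below is not any architecture's real layout: the bit positions `PMD_VALID` and `PMD_PRESENT_INVALID`, the `uint64_t`-based `pmd_t`, and `split_prepare()` are all assumptions made for illustration, chosen so that an invalidated entry still reads as present, as the message describes for arm64.

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t pmd_t;

/* Hypothetical bit layout, for illustration only. */
#define PMD_VALID		(1ULL << 0)
#define PMD_PRESENT_INVALID	(1ULL << 1)

/* An entry counts as present if it is valid or was invalidated in place. */
static bool pmd_present(pmd_t pmd)
{
	return (pmd & (PMD_VALID | PMD_PRESENT_INVALID)) != 0;
}

/* Only meaningful for a present entry: clears VALID, sets the marker bit. */
static pmd_t pmd_mkinvalid(pmd_t pmd)
{
	return (pmd & ~PMD_VALID) | PMD_PRESENT_INVALID;
}

/*
 * Mirror of the fixed ordering: inspect the entry first and invalidate
 * only when it is present. A non-present (e.g. migration) entry is
 * returned untouched. Returns the old entry value.
 */
static pmd_t split_prepare(pmd_t *pmdp)
{
	pmd_t old = *pmdp;

	if (pmd_present(old))
		*pmdp = pmd_mkinvalid(old);
	return old;
}
```

In this model, calling pmd_mkinvalid() directly on a non-present value such as 0xabc0 yields an entry for which pmd_present() is true, which is the state a lockless walker must never observe.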


[PATCH] MIPS: fw: Gracefully handle unknown firmware protocols

by Bjørn Mork

Boards based on the same SoC family can use different boot loaders.
These may pass numeric arguments which we erroneously interpret as
command line or environment pointers. Such errors will cause boot
to halt at an early stage since commit 056a68cea01e ("mips: allow
firmware to pass RNG seed to kernel").

One known example of this issue is an HPE switch using a BootWare
boot loader. It was found to pass these arguments to the kernel:

  0x00020000 0x00060000 0xfffdffff 0x0000416c

We can avoid hanging by validating that both passed pointers are in
KSEG1 as expected.

Cc: stable(a)vger.kernel.org
Fixes: 14aecdd41921 ("MIPS: FW: Add environment variable processing.")
Signed-off-by: Bjørn Mork <bjorn(a)mork.no>
---
 arch/mips/fw/lib/cmdline.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/mips/fw/lib/cmdline.c b/arch/mips/fw/lib/cmdline.c
index 892765b742bb..51238c4f9455 100644
--- a/arch/mips/fw/lib/cmdline.c
+++ b/arch/mips/fw/lib/cmdline.c
@@ -22,7 +22,7 @@ void __init fw_init_cmdline(void)
 	int i;
 
 	/* Validate command line parameters. */
-	if ((fw_arg0 >= CKSEG0) || (fw_arg1 < CKSEG0)) {
+	if (fw_arg0 >= CKSEG0 || fw_arg1 < CKSEG0 || fw_arg1 >= CKSEG2) {
 		fw_argc = 0;
 		_fw_argv = NULL;
 	} else {
@@ -31,7 +31,7 @@ void __init fw_init_cmdline(void)
 	}
 
 	/* Validate environment pointer. */
-	if (fw_arg2 < CKSEG0)
+	if (fw_arg2 < CKSEG0 || fw_arg2 >= CKSEG2)
 		_fw_envp = NULL;
 	else
 		_fw_envp = (int *)fw_arg2;
-- 
2.39.2
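
The effect of the added upper bound can be checked against the BootWare values quoted above. The sketch below assumes the 32-bit MIPS segment bases (CKSEG0 at 0x80000000, CKSEG2 at 0xc0000000) and uses two hypothetical helpers, `fw_ptr_plausible()` and `fw_cmdline_args_valid()`, that restate the conditions from the diff.

```c
#include <stdbool.h>
#include <stdint.h>

/* 32-bit MIPS segment bases, assumed here for illustration. */
#define CKSEG0 0x80000000u
#define CKSEG2 0xc0000000u

/* A firmware pointer is accepted only inside [CKSEG0, CKSEG2). */
static bool fw_ptr_plausible(uint32_t arg)
{
	return arg >= CKSEG0 && arg < CKSEG2;
}

/*
 * Command line check as in the patched code: arg0 must look like a
 * small count (below CKSEG0) and arg1 like a pointer in the window.
 */
static bool fw_cmdline_args_valid(uint32_t arg0, uint32_t arg1)
{
	return arg0 < CKSEG0 && fw_ptr_plausible(arg1);
}
```

With these definitions, the third BootWare argument 0xfffdffff passes the old `>= CKSEG0` test but fails the new one, so the environment pointer would be set to NULL rather than dereferenced.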


[PATCH] btrfs: qgroup: add missing extent changeset release

by Fedor Pchelkin

The extent changeset may have some additional memory dynamically allocated
for ulist as a result of clear_record_extent_bits() execution.

Release it after the local changeset is no longer needed in
BTRFS_QGROUP_MODE_DISABLED case.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Reported-by: syzbot+81670362c283f3dd889c(a)syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/000000000000aa8c0c060ade165e@google.com
Fixes: af0e2aab3b70 ("btrfs: qgroup: flush reservations during quota disable")
Cc: stable(a)vger.kernel.org # 6.10+
Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru>
---
 fs/btrfs/qgroup.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 5d57a285d59b..4f1fa5d427e1 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -4345,9 +4345,10 @@ static int __btrfs_qgroup_release_data(struct btrfs_inode *inode,
 
 	if (btrfs_qgroup_mode(inode->root->fs_info) == BTRFS_QGROUP_MODE_DISABLED) {
 		extent_changeset_init(&changeset);
-		return clear_record_extent_bits(&inode->io_tree, start,
-						start + len - 1,
-						EXTENT_QGROUP_RESERVED, &changeset);
+		ret = clear_record_extent_bits(&inode->io_tree, start,
+					       start + len - 1,
+					       EXTENT_QGROUP_RESERVED, &changeset);
+		goto out;
 	}
 
 	/* In release case, we shouldn't have @reserved */
-- 
2.39.2
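
The change replaces an early return with a jump to the function's common exit, which presumably is where the changeset gets released. A minimal userspace sketch of that single-exit pattern follows; `struct changeset`, `record_cleared_range()`, `release_data()` and the `outstanding` counter are hypothetical names used only to make the leak observable.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical changeset that may own a heap buffer. */
struct changeset {
	void *records;
};

/* Number of live record buffers, kept only to make leaks visible. */
static int outstanding;

static void changeset_init(struct changeset *cs)
{
	cs->records = NULL;
}

static void changeset_release(struct changeset *cs)
{
	if (cs->records) {
		free(cs->records);
		cs->records = NULL;
		outstanding--;
	}
}

/* Stand-in for an operation that allocates into the changeset. */
static int record_cleared_range(struct changeset *cs)
{
	cs->records = malloc(64);
	if (!cs->records)
		return -1;
	outstanding++;
	return 0;
}

static int release_data(bool quota_disabled)
{
	struct changeset cs;
	int ret;

	changeset_init(&cs);

	if (quota_disabled) {
		ret = record_cleared_range(&cs);
		goto out;	/* a direct return here would skip the release */
	}

	/* The normal accounting path would go here. */
	ret = 0;
out:
	changeset_release(&cs);
	return ret;
}
```

After either call path, `outstanding` returns to zero, which is the property the early return violated.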


[PATCH v3] firmware_loader: Block path traversal

by Jann Horn

Most firmware names are hardcoded strings, or are constructed from fairly
constrained format strings where the dynamic parts are just some hex
numbers or such.

However, there are a couple codepaths in the kernel where firmware file
names contain string components that are passed through from a device or
semi-privileged userspace; the ones I could find (not counting interfaces
that require root privileges) are:

 - lpfc_sli4_request_firmware_update() seems to construct the firmware
   filename from "ModelName", a string that was previously parsed out of
   some descriptor ("Vital Product Data") in lpfc_fill_vpd()
 - nfp_net_fw_find() seems to construct a firmware filename from a model
   name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I
   think parses some descriptor that was read from the device.
   (But this case likely isn't exploitable because the format string looks
   like "netronome/nic_%s", and there shouldn't be any *folders* starting
   with "netronome/nic_". The previous case was different because there,
   the "%s" is *at the start* of the format string.)
 - module_flash_fw_schedule() is reachable from the
   ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as
   GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is
   enough to pass the privilege check), and takes a userspace-provided
   firmware name.
   (But I think to reach this case, you need to have CAP_NET_ADMIN over a
   network namespace that a special kind of ethernet device is mapped into,
   so I think this is not a viable attack path in practice.)

Fix it by rejecting any firmware names containing ".." path components.

For what it's worth, I went looking and haven't found any USB device
drivers that use the firmware loader dangerously.

Cc: stable(a)vger.kernel.org
Reviewed-by: Danilo Krummrich <dakr(a)kernel.org>
Fixes: abb139e75c2c ("firmware: teach the kernel to load firmware files directly from the filesystem")
Signed-off-by: Jann Horn <jannh(a)google.com>
---
Changes in v3:
- replace name_contains_dotdot implementation (Danilo)
- add missing \n in log format string (Danilo)
- Link to v2: https://lore.kernel.org/r/20240823-firmware-traversal-v2-1-880082882709@goo…

Changes in v2:
- describe fix in commit message (dakr)
- write check more clearly and with comment in separate helper (dakr)
- document new restriction in comment above request_firmware() (dakr)
- warn when new restriction is triggered
- Link to v1: https://lore.kernel.org/r/20240820-firmware-traversal-v1-1-8699ffaa9276@goo…
---
 drivers/base/firmware_loader/main.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index a03ee4b11134..324a9a3c087a 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -849,6 +849,26 @@ static void fw_log_firmware_info(const struct firmware *fw, const char *name,
 {}
 #endif
 
+/*
+ * Reject firmware file names with ".." path components.
+ * There are drivers that construct firmware file names from device-supplied
+ * strings, and we don't want some device to be able to tell us "I would like to
+ * be sent my firmware from ../../../etc/shadow, please".
+ *
+ * Search for ".." surrounded by either '/' or start/end of string.
+ *
+ * This intentionally only looks at the firmware name, not at the firmware base
+ * directory or at symlink contents.
+ */
+static bool name_contains_dotdot(const char *name)
+{
+	size_t name_len = strlen(name);
+
+	return strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0 ||
+	       strstr(name, "/../") != NULL ||
+	       (name_len >= 3 && strcmp(name+name_len-3, "/..") == 0);
+}
+
 /* called from request_firmware() and request_firmware_work_func() */
 static int
 _request_firmware(const struct firmware **firmware_p, const char *name,
@@ -869,6 +889,14 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
 		goto out;
 	}
 
+	if (name_contains_dotdot(name)) {
+		dev_warn(device,
+			 "Firmware load for '%s' refused, path contains '..' component\n",
+			 name);
+		ret = -EINVAL;
+		goto out;
+	}
+
 	ret = _request_firmware_prepare(&fw, name, device, buf, size,
 					offset, opt_flags);
 	if (ret <= 0) /* error or already assigned */
@@ -946,6 +974,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
  *      @name will be used as $FIRMWARE in the uevent environment and
  *      should be distinctive enough not to be confused with any other
  *      firmware image for this or any other device.
+ *	It must not contain any ".." path components - "foo/bar..bin" is
+ *	allowed, but "foo/../bar.bin" is not.
  *
  *	Caller must hold the reference count of @device.
  *

---
base-commit: b0da640826ba3b6506b4996a6b23a429235e6923
change-id: 20240820-firmware-traversal-6df8501b0fe4

-- 
Jann Horn <jannh(a)google.com>
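
The helper added by the patch depends only on string functions, so its behaviour on edge cases can be tried outside the kernel. The block below copies name_contains_dotdot() into a userspace translation unit; only the includes are added, and nothing else in the firmware loader is modelled.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Userspace copy of the helper from the patch: true when the name has a
 * ".." path component, i.e. ".." bounded by '/' or by the start or end
 * of the string.
 */
static bool name_contains_dotdot(const char *name)
{
	size_t name_len = strlen(name);

	return strcmp(name, "..") == 0 || strncmp(name, "../", 3) == 0 ||
	       strstr(name, "/../") != NULL ||
	       (name_len >= 3 && strcmp(name + name_len - 3, "/..") == 0);
}
```

Names such as "foo/bar..bin" or "..foo" are accepted because the two dots are not a whole path component, while "foo/../bar.bin", "../x" and "a/.." are rejected.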

10 months, 3 weeks


[PATCH 1/2] drm/v3d: Disable preemption while updating GPU stats

by Tvrtko Ursulin

From: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>

We forgot to disable preemption around the write_seqcount_begin/end() pair
while updating GPU stats:

  [ ] WARNING: CPU: 2 PID: 12 at include/linux/seqlock.h:221 __seqprop_assert.isra.0+0x128/0x150 [v3d]
  [ ] Workqueue: v3d_bin drm_sched_run_job_work [gpu_sched]
 <...snip...>
  [ ] Call trace:
  [ ]  __seqprop_assert.isra.0+0x128/0x150 [v3d]
  [ ]  v3d_job_start_stats.isra.0+0x90/0x218 [v3d]
  [ ]  v3d_bin_job_run+0x23c/0x388 [v3d]
  [ ]  drm_sched_run_job_work+0x520/0x6d0 [gpu_sched]
  [ ]  process_one_work+0x62c/0xb48
  [ ]  worker_thread+0x468/0x5b0
  [ ]  kthread+0x1c4/0x1e0
  [ ]  ret_from_fork+0x10/0x20

Fix it.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com>
Fixes: 6abe93b621ab ("drm/v3d: Fix race-condition between sysfs/fdinfo and interrupt handler")
Cc: Maíra Canal <mcanal(a)igalia.com>
Cc: <stable(a)vger.kernel.org> # v6.10+
Acked-by: Maíra Canal <mcanal(a)igalia.com>
---
 drivers/gpu/drm/v3d/v3d_sched.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/v3d/v3d_sched.c b/drivers/gpu/drm/v3d/v3d_sched.c
index 42d4f4a2dba2..cc2e5a89467b 100644
--- a/drivers/gpu/drm/v3d/v3d_sched.c
+++ b/drivers/gpu/drm/v3d/v3d_sched.c
@@ -136,6 +136,8 @@ v3d_job_start_stats(struct v3d_job *job, enum v3d_queue queue)
 	struct v3d_stats *local_stats = &file->stats[queue];
 	u64 now = local_clock();
 
+	preempt_disable();
+
 	write_seqcount_begin(&local_stats->lock);
 	local_stats->start_ns = now;
 	write_seqcount_end(&local_stats->lock);
@@ -143,6 +145,8 @@ v3d_job_start_stats(struct v3d_job *job, enum v3d_queue queue)
 	write_seqcount_begin(&global_stats->lock);
 	global_stats->start_ns = now;
 	write_seqcount_end(&global_stats->lock);
+
+	preempt_enable();
 }
 
 static void
@@ -164,8 +168,10 @@ v3d_job_update_stats(struct v3d_job *job, enum v3d_queue queue)
 	struct v3d_stats *local_stats = &file->stats[queue];
 	u64 now = local_clock();
 
+	preempt_disable();
 	v3d_stats_update(local_stats, now);
 	v3d_stats_update(global_stats, now);
+	preempt_enable();
 }
 
 static struct dma_fence *v3d_bin_job_run(struct drm_sched_job *sched_job)
-- 
2.44.0
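
As a rough userspace illustration of why the write section must not be interrupted for long, here is a minimal sequence-counter sketch using C11 atomics. The names `stats_seq`, `stats_write` and `stats_read` are made up for this example and are not the kernel's seqcount API; the kernel's requirement that preemption be disabled inside the write section has no direct userspace equivalent and is only described in the comments.

```c
#include <assert.h>
#include <stdatomic.h>
#include <stdint.h>

/* Hypothetical stand-in for the driver's stats structure. */
struct stats_seq {
	atomic_uint seq;		/* odd while a write is in progress */
	_Atomic uint64_t start_ns;
	_Atomic uint64_t enabled_ns;
};

/*
 * Writer: make seq odd, update the fields, make seq even again.
 * In the kernel, this whole section runs with preemption disabled so
 * that a reader on the same CPU never waits on a descheduled writer.
 */
void stats_write(struct stats_seq *s, uint64_t start_ns, uint64_t enabled_ns)
{
	unsigned int seq = atomic_load_explicit(&s->seq, memory_order_relaxed);

	assert((seq & 1) == 0);	/* single writer, no nested write section */
	atomic_store_explicit(&s->seq, seq + 1, memory_order_relaxed);
	atomic_thread_fence(memory_order_release);
	atomic_store_explicit(&s->start_ns, start_ns, memory_order_relaxed);
	atomic_store_explicit(&s->enabled_ns, enabled_ns, memory_order_relaxed);
	atomic_store_explicit(&s->seq, seq + 2, memory_order_release);
}

/* Reader: retry until both fields were read under one even sequence value. */
void stats_read(struct stats_seq *s, uint64_t *start_ns, uint64_t *enabled_ns)
{
	unsigned int before, after;

	do {
		before = atomic_load_explicit(&s->seq, memory_order_acquire);
		*start_ns = atomic_load_explicit(&s->start_ns, memory_order_relaxed);
		*enabled_ns = atomic_load_explicit(&s->enabled_ns, memory_order_relaxed);
		atomic_thread_fence(memory_order_acquire);
		after = atomic_load_explicit(&s->seq, memory_order_relaxed);
	} while ((before & 1) || before != after);
}
```

A reader that observes an odd sequence value keeps retrying until the writer finishes. If the writer is scheduled out in the middle of its section, readers spin for the whole time it is away, which is the situation the kernel assertion in the trace above is there to catch.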

10 months, 3 weeks


[RESEND PATCH v1] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0

by Hailong Liu

The __vmap_pages_range_noflush() assumes its argument pages** contains
pages with the same page shift. However, since commit e9c3cda4d86e ("mm,
vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes
__GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation
failed for high order, the pages** may contain two different page shifts
(high order and order-0). This could lead __vmap_pages_range_noflush() to
perform incorrect mappings, potentially resulting in memory corruption.

Users might encounter this as follows (vmap_allow_huge = true, 2M is for
PMD_SIZE):

kvmalloc(2M, __GFP_NOFAIL|GFP_X)
    __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP)
        vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0
        vmap_pages_range()
            vmap_pages_range_noflush()
                __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens

We can remove the fallback code because if a high-order allocation fails,
__vmalloc_node_range_noprof() will retry with order-0, so falling back to
order-0 here is unnecessary. Fix this by removing the fallback code.

Fixes: e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations")
Signed-off-by: Hailong Liu <hailong.liu(a)oppo.com>
Reported-by: Tangquan Zheng <zhengtangquan(a)oppo.com>
Cc: <stable(a)vger.kernel.org>
CC: Barry Song <21cnbao(a)gmail.com>
CC: Baoquan He <bhe(a)redhat.com>
CC: Matthew Wilcox <willy(a)infradead.org>
---
 mm/vmalloc.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 6b783baf12a1..af2de36549d6 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -3584,15 +3584,8 @@ vm_area_alloc_pages(gfp_t gfp, int nid,
 			page = alloc_pages_noprof(alloc_gfp, order);
 		else
 			page = alloc_pages_node_noprof(nid, alloc_gfp, order);
-		if (unlikely(!page)) {
-			if (!nofail)
-				break;
-
-			/* fall back to the zero order allocations */
-			alloc_gfp |= __GFP_NOFAIL;
-			order = 0;
-			continue;
-		}
+		if (unlikely(!page))
+			break;
 
 		/*
 		 * Higher order allocations must be able to be treated as
---
Sorry for the fat fingers: the previous version was sent with a .rej file, so
I am resending this.

Baoquan suggests setting page_shift to 0 on fallback in [2] and is concerned
about the performance of retrying with order-0. But IMO, with the retry we:
- Save memory if the high-order allocation failed.
- Keep consistency with align and page-shift.
- Make use of the bulk allocator with order-0.

[2] https://lore.kernel.org/lkml/20240725035318.471-1-hailong.liu@oppo.com/
-- 
2.30.0
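
The failure mode described above can be modelled outside the kernel. The sketch below is a hypothetical checker, not a kernel function: it assumes 4 KiB base pages (`BASE_PAGE_SHIFT` is a name invented here) and represents the pages array as page frame numbers, one entry per base page. Mapping with a given page_shift is only correct if every group of 2^(page_shift - 12) entries is a single aligned, physically contiguous block.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

#define BASE_PAGE_SHIFT 12u	/* assumption: 4 KiB base pages */

/*
 * Hypothetical check: pfns[] holds one page frame number per base page.
 * Returns true if the array can safely be mapped in units of
 * (1 << page_shift) bytes, i.e. each unit is aligned and contiguous.
 */
bool pfns_match_page_shift(const unsigned long *pfns, size_t nr,
			   unsigned int page_shift)
{
	size_t stride, i, j;

	assert(pfns != NULL && page_shift >= BASE_PAGE_SHIFT);
	stride = (size_t)1 << (page_shift - BASE_PAGE_SHIFT);

	for (i = 0; i < nr; i += stride) {
		if (pfns[i] % stride != 0)
			return false;		/* block is not aligned */
		for (j = 1; j < stride && i + j < nr; j++)
			if (pfns[i + j] != pfns[i] + j)
				return false;	/* block is not contiguous */
	}
	return true;
}
```

An array that starts with one high-order block and continues with scattered order-0 pages fails this check for the large page_shift but passes it for page_shift 12, which matches the patch's reasoning: retry the whole allocation with order-0 rather than mixing the two.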

10 months, 3 weeks


[PATCH] vfs: fix race between evict_inodes() and find_inode()&iput()

by Julian Sun

Hi, all

Recently I noticed a bug[1] in btrfs. After digging into it, I believe it is
a race in the vfs.

Let's assume there's an inode (i.e. ino 261) with i_count 1 on which iput()
is called, and there's a concurrent thread calling generic_shutdown_super().

cpu0:                              cpu1:
iput() // i_count is 1
  ->spin_lock(inode)
  ->dec i_count to 0
  ->iput_final()                    generic_shutdown_super()
    ->__inode_add_lru()               ->evict_inodes()
      // for some reason[2]             ->if (atomic_read(inode->i_count)) continue;
      // return before                  // inode 261 passed the above check
      // list_lru_add_obj()             // and then schedule out
   ->spin_unlock()
// note here: the inode 261
// was still at sb list and hash list,
// and I_FREEING|I_WILL_FREE had not been set

btrfs_iget()
  // after some function calls
  ->find_inode()
    // found the above inode 261
    ->spin_lock(inode)
   // check I_FREEING|I_WILL_FREE
   // and passed
      ->__iget()
    ->spin_unlock(inode)                // schedule back
                                        ->spin_lock(inode)
                                        // check (I_NEW|I_FREEING|I_WILL_FREE) flags,
                                        // passed and set I_FREEING
iput()                                  ->spin_unlock(inode)
  ->spin_lock(inode)                    ->evict()
  // dec i_count to 0
  ->iput_final()
    ->spin_unlock()
    ->evict()

Now, we have two threads simultaneously evicting the same inode, which may
trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode()
and iput().

To fix the bug, recheck inode->i_count after taking i_lock. The first,
lockless check is kept because in most scenarios it is valid and avoids the
overhead of spin_lock().

If there is any misunderstanding, please let me know, thanks.

[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/
[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()
returned false when I reproduced the bug.

Reported-by: syzbot+67ba3c42bcbb4665d3ad(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad
CC: stable(a)vger.kernel.org
Fixes: 63997e98a3be ("split invalidate_inodes()")
Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com>
---
 fs/inode.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/inode.c b/fs/inode.c
index 3a41f83a4ba5..011f630777d0 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -723,6 +723,10 @@ void evict_inodes(struct super_block *sb)
 			continue;
 
 		spin_lock(&inode->i_lock);
+		if (atomic_read(&inode->i_count)) {
+			spin_unlock(&inode->i_lock);
+			continue;
+		}
 		if (inode->i_state & (I_NEW | I_FREEING | I_WILL_FREE)) {
 			spin_unlock(&inode->i_lock);
 			continue;
-- 
2.39.2
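
The shape of the fix, a cheap lockless check followed by a recheck under the lock, can be sketched in userspace. Everything below is hypothetical and only loosely modelled on the inode code: `struct obj`, `OBJ_FREEING` and `obj_try_claim_for_evict()` are invented names, a pthread mutex stands in for i_lock, and the sketch assumes that new references are only ever taken while holding that lock.

```c
#include <assert.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>

#define OBJ_FREEING 0x1u	/* hypothetical flag, stands in for I_FREEING */

struct obj {
	pthread_mutex_t lock;
	atomic_int refcount;
	unsigned int state;	/* protected by lock */
};

/* Returns true if the caller claimed the object for teardown. */
bool obj_try_claim_for_evict(struct obj *o)
{
	assert(o != NULL);

	/* Cheap lockless check: skips most in-use objects without locking. */
	if (atomic_load(&o->refcount) != 0)
		return false;

	pthread_mutex_lock(&o->lock);
	/*
	 * Recheck under the lock: a lookup may have taken a reference
	 * between the lockless check and the lock acquisition.
	 */
	if (atomic_load(&o->refcount) != 0 || (o->state & OBJ_FREEING)) {
		pthread_mutex_unlock(&o->lock);
		return false;
	}
	o->state |= OBJ_FREEING;
	pthread_mutex_unlock(&o->lock);
	return true;
}
```

Without the second check, a thread that passed the first one and was then scheduled out could mark an object as freeing even though another thread had meanwhile taken a reference, which is the double-evict scenario in the diagram above.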

10 months, 3 weeks


[PATCH] f2fs: Do not check the FI_DIRTY_INODE flag when umounting a ro fs.

by Julian Sun

Hi, all.

Recently syzbot reported the following bug:

kernel BUG at fs/f2fs/inode.c:896!
CPU: 1 UID: 0 PID: 5217 Comm: syz-executor605 Not tainted 6.11.0-rc4-syzkaller-00033-g872cf28b8df9 #0
RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896
Call Trace:
 <TASK>
 evict+0x532/0x950 fs/inode.c:704
 dispose_list fs/inode.c:747 [inline]
 evict_inodes+0x5f9/0x690 fs/inode.c:797
 generic_shutdown_super+0x9d/0x2d0 fs/super.c:627
 kill_block_super+0x44/0x90 fs/super.c:1696
 kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898
 deactivate_locked_super+0xc4/0x130 fs/super.c:473
 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373
 task_work_run+0x24f/0x310 kernel/task_work.c:228
 ptrace_notify+0x2d2/0x380 kernel/signal.c:2402
 ptrace_report_syscall include/linux/ptrace.h:415 [inline]
 ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline]
 syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173
 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline]
 syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Syzbot constructed the following scenario: concurrently creating directories
and setting the file system to read-only. In this case, while f2fs was
creating a directory, the filesystem switched to read-only, and when it tried
to clear the dirty flag, it took this code path:
f2fs_mkdir()-> f2fs_sync_fs()->f2fs_write_checkpoint() ->f2fs_readonly().
As a result, the FI_DIRTY_INODE flag was not cleared, which eventually
triggered the BUG during the FI_DIRTY_INODE check in f2fs_evict_inode().

In this case, we cannot do anything further, so if the filesystem is
read-only, do not trigger the BUG. Instead, clean up resources to the best of
our ability to prevent triggering subsequent resource leak checks.

If there is anything important I'm missing, please let me know, thanks.

Reported-by: syzbot+ebea2790904673d7c618(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ebea2790904673d7c618
Fixes: ca7d802a7d8e ("f2fs: detect dirty inode in evict_inode")
CC: stable(a)vger.kernel.org
Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com>
---
 fs/f2fs/inode.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index aef57172014f..52d273383ec2 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -892,8 +892,12 @@ void f2fs_evict_inode(struct inode *inode)
 			atomic_read(&fi->i_compr_blocks));
 
 	if (likely(!f2fs_cp_error(sbi) &&
-				!is_sbi_flag_set(sbi, SBI_CP_DISABLED)))
-		f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));
+				!is_sbi_flag_set(sbi, SBI_CP_DISABLED))) {
+		if (!f2fs_readonly(sbi->sb))
+			f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE));
+		else
+			f2fs_inode_synced(inode);
+	}
 	else
 		f2fs_inode_synced(inode);
 
-- 
2.39.2

10 months, 3 weeks


[PATCH] remoteproc: k3-r5: Fix error handling when power-up failed

by Jan Kiszka

From: Jan Kiszka <jan.kiszka(a)siemens.com>

By simply bailing out, the driver was violating its rule and internal
assumptions that either both or no rproc should be initialized. E.g.,
this could cause the first core to be available but not the second one,
leading to crashes on its shutdown later on while trying to dereference
that second instance.

Fixes: 61f6f68447ab ("remoteproc: k3-r5: Wait for core0 power-up before powering up core1")
Signed-off-by: Jan Kiszka <jan.kiszka(a)siemens.com>
---
 drivers/remoteproc/ti_k3_r5_remoteproc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c
index 39a47540c590..eb09d2e9b32a 100644
--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c
+++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c
@@ -1332,7 +1332,7 @@ static int k3_r5_cluster_rproc_init(struct platform_device *pdev)
 			dev_err(dev,
 				"Timed out waiting for %s core to power up!\n",
 				rproc->name);
-			return ret;
+			goto err_powerup;
 		}
 	}
 
@@ -1348,6 +1348,7 @@ static int k3_r5_cluster_rproc_init(struct platform_device *pdev)
 		}
 	}
 
+err_powerup:
 	rproc_del(rproc);
 err_add:
 	k3_r5_reserved_mem_exit(kproc);
-- 
2.43.0
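
The "either both or none" rule from the commit message can be illustrated with a small model of goto-based unwinding. This is not the driver's code: `struct core`, `cluster_init()` and the `fail_powerup_at` parameter are invented for the sketch, and the power-up timeout is simulated.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical per-core state; the real driver tracks far more. */
struct core {
	bool mem_reserved;
	bool added;
};

/*
 * Bring up n cores in order. fail_powerup_at is the index of the core
 * whose (simulated) power-up times out, or -1 for no failure.
 * On failure, nothing is left initialized.
 */
int cluster_init(struct core *cores, int n, int fail_powerup_at)
{
	int i, ret;

	assert(cores != NULL && n > 0);
	for (i = 0; i < n; i++) {
		cores[i].mem_reserved = true;
		cores[i].added = true;
		if (i == fail_powerup_at) {	/* simulated power-up timeout */
			ret = -1;
			goto err_powerup;	/* a plain "return ret" would leak */
		}
	}
	return 0;

err_powerup:
	/* Undo the failing core and every core initialized before it. */
	for (; i >= 0; i--) {
		cores[i].added = false;
		cores[i].mem_reserved = false;
	}
	return ret;
}
```

Returning directly from the failure branch would leave the earlier cores registered while the caller believes initialization failed as a whole, which is the inconsistent state the patch removes.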

10 months, 3 weeks


[PATCHv6 1/4] x86/tdx: Introduce wrappers to read and write TD metadata

by Kirill A. Shutemov

The TDG_VM_WR TDCALL is used to ask the TDX module to change some
TD-specific VM configuration. There is currently only one user in the
kernel of this TDCALL leaf. More will be added shortly.

Refactor to make way for more users of TDG_VM_WR who will need to modify
other TD configuration values.

Add a wrapper for the TDG_VM_RD TDCALL that requests TD-specific
metadata from the TDX module. There are currently no users for
TDG_VM_RD. Mark it as __maybe_unused until the first user appears.

This is preparation for enumeration and enabling optional TD features.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
Reviewed-by: Kai Huang <kai.huang(a)intel.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy(a)linux.intel.com>
Cc: stable(a)vger.kernel.org
---
 arch/x86/coco/tdx/tdx.c           | 32 ++++++++++++++++++++++++++-----
 arch/x86/include/asm/shared/tdx.h |  1 +
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c
index 078e2bac2553..64717a96a936 100644
--- a/arch/x86/coco/tdx/tdx.c
+++ b/arch/x86/coco/tdx/tdx.c
@@ -77,6 +77,32 @@ static inline void tdcall(u64 fn, struct tdx_module_args *args)
 		panic("TDCALL %lld failed (Buggy TDX module!)\n", fn);
 }
 
+/* Read TD-scoped metadata */
+static inline u64 __maybe_unused tdg_vm_rd(u64 field, u64 *value)
+{
+	struct tdx_module_args args = {
+		.rdx = field,
+	};
+	u64 ret;
+
+	ret = __tdcall_ret(TDG_VM_RD, &args);
+	*value = args.r8;
+
+	return ret;
+}
+
+/* Write TD-scoped metadata */
+static inline u64 tdg_vm_wr(u64 field, u64 value, u64 mask)
+{
+	struct tdx_module_args args = {
+		.rdx = field,
+		.r8 = value,
+		.r9 = mask,
+	};
+
+	return __tdcall(TDG_VM_WR, &args);
+}
+
 /**
  * tdx_mcall_get_report0() - Wrapper to get TDREPORT0 (a.k.a. TDREPORT
  *                           subtype 0) using TDG.MR.REPORT TDCALL.
@@ -924,10 +950,6 @@ static void tdx_kexec_finish(void)
 
 void __init tdx_early_init(void)
 {
-	struct tdx_module_args args = {
-		.rdx = TDCS_NOTIFY_ENABLES,
-		.r9 = -1ULL,
-	};
 	u64 cc_mask;
 	u32 eax, sig[3];
 
@@ -946,7 +968,7 @@ void __init tdx_early_init(void)
 	cc_set_mask(cc_mask);
 
 	/* Kernel does not use NOTIFY_ENABLES and does not need random #VEs */
-	tdcall(TDG_VM_WR, &args);
+	tdg_vm_wr(TDCS_NOTIFY_ENABLES, 0, -1ULL);
 
 	/*
 	 * All bits above GPA width are reserved and kernel treats shared bit
diff --git a/arch/x86/include/asm/shared/tdx.h b/arch/x86/include/asm/shared/tdx.h
index fdfd41511b02..7e12cfa28bec 100644
--- a/arch/x86/include/asm/shared/tdx.h
+++ b/arch/x86/include/asm/shared/tdx.h
@@ -16,6 +16,7 @@
 #define TDG_VP_VEINFO_GET		3
 #define TDG_MR_REPORT			4
 #define TDG_MEM_PAGE_ACCEPT		6
+#define TDG_VM_RD			7
 #define TDG_VM_WR			8
 
 /* TDCS fields. To be used by TDG.VM.WR and TDG.VM.RD module calls */
-- 
2.45.2

10 months, 3 weeks


[git:media_stage/master] media: sun4i_csi: Implement link validate for sun4i_csi subdev

by Laurent Pinchart

This is an automatically generated email to let you know that the following patch was queued:

Subject: media: sun4i_csi: Implement link validate for sun4i_csi subdev
Author:  Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Date:    Wed Jun 19 02:46:16 2024 +0300

The sun4i_csi driver doesn't implement link validation for the subdev it
registers, leaving the link between the subdev and its source
unvalidated. Fix it, using the v4l2_subdev_link_validate() helper.

Fixes: 577bbf23b758 ("media: sunxi: Add A10 CSI driver")
Cc: stable(a)vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Acked-by: Chen-Yu Tsai <wens(a)csie.org>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen+renesas(a)ideasonboard.com>
Acked-by: Sakari Ailus <sakari.ailus(a)linux.intel.com>

 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +++++
 1 file changed, 5 insertions(+)

---

diff --git a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
index 097a3a08ef7d..dbb26c7b2f8d 100644
--- a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
+++ b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
@@ -39,6 +39,10 @@ static const struct media_entity_operations sun4i_csi_video_entity_ops = {
 	.link_validate = v4l2_subdev_link_validate,
 };
 
+static const struct media_entity_operations sun4i_csi_subdev_entity_ops = {
+	.link_validate = v4l2_subdev_link_validate,
+};
+
 static int sun4i_csi_notify_bound(struct v4l2_async_notifier *notifier,
 				  struct v4l2_subdev *subdev,
 				  struct v4l2_async_connection *asd)
@@ -214,6 +218,7 @@ static int sun4i_csi_probe(struct platform_device *pdev)
 	subdev->internal_ops = &sun4i_csi_subdev_internal_ops;
 	subdev->flags = V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS;
 	subdev->entity.function = MEDIA_ENT_F_VID_IF_BRIDGE;
+	subdev->entity.ops = &sun4i_csi_subdev_entity_ops;
 	subdev->owner = THIS_MODULE;
 	snprintf(subdev->name, sizeof(subdev->name), "sun4i-csi-0");
 	v4l2_set_subdevdata(subdev, csi);

10 months, 3 weeks


[PATCH 1/1] nvme-pci: add NVME_QUIRK_BOGUS_NID for Samsung PM173X

by Saeed Mirzamohammadi

This adds a quirk to fix the Samsung PM1733a and PM173X reporting
bogus eui64 so they are not marked as "non globally unique" duplicates.

Cc: <stable(a)vger.kernel.org>
Signed-off-by: Saeed Mirzamohammadi <saeed.mirzamohammadi(a)oracle.com>
---
 drivers/nvme/host/pci.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 5b95c94ee40f2..c0b1caba1c893 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -3359,6 +3359,10 @@ static const struct pci_device_id nvme_id_table[] = {
 		.driver_data = NVME_QUIRK_DELAY_BEFORE_CHK_RDY |
 				NVME_QUIRK_DISABLE_WRITE_ZEROES|
 				NVME_QUIRK_IGNORE_DEV_SUBNQN, },
+	{ PCI_DEVICE(0x144d, 0xa824),   /* Samsung PM173X */
+		.driver_data = NVME_QUIRK_BOGUS_NID, },
+	{ PCI_DEVICE(0x144d, 0xa825),   /* Samsung PM1733a */
+		.driver_data = NVME_QUIRK_BOGUS_NID, },
 	{ PCI_DEVICE(0x1987, 0x5012),	/* Phison E12 */
 		.driver_data = NVME_QUIRK_BOGUS_NID, },
 	{ PCI_DEVICE(0x1987, 0x5016),	/* Phison E16 */
-- 
2.39.2

10 months, 3 weeks


Re: [PATCH] x86/hyperv: fix kexec crash due to VP assist page corruption

by Vitaly Kuznetsov

Anirudh Rayabharam <anirudh(a)anirudhrb.com> writes:

> On Mon, Aug 26, 2024 at 02:36:44PM +0200, Vitaly Kuznetsov wrote:
>> Anirudh Rayabharam <anirudh(a)anirudhrb.com> writes:
>>
>> > From: Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com>
>> >
>> > 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go
>> > online/offline") introduces a new cpuhp state for hyperv initialization.
>> >
>> > cpuhp_setup_state() returns the state number if state is CPUHP_AP_ONLINE_DYN
>> > or CPUHP_BP_PREPARE_DYN and 0 for all other states. For the hyperv case,
>> > since a new cpuhp state was introduced it would return 0. However,
>> > in hv_machine_shutdown(), the cpuhp_remove_state() call is conditioned upon
>> > "hyperv_init_cpuhp > 0". This will never be true and so hv_cpu_die() won't be
>> > called on all CPUs. This means the VP assist page won't be reset. When the
>> > kexec kernel tries to setup the VP assist page again, the hypervisor corrupts
>> > the memory region of the old VP assist page causing a panic in case the kexec
>> > kernel is using that memory elsewhere. This was originally fixed in dfe94d4086e4
>> > ("x86/hyperv: Fix kexec panic/hang issues").
>> >
>> > Set hyperv_init_cpuhp to CPUHP_AP_HYPERV_ONLINE upon successful setup so that
>> > the hyperv cpuhp state is removed correctly on kexec and the necessary cleanup
>> > takes place.
>> >
>> > Cc: stable(a)vger.kernel.org
>> > Fixes: 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline")
>> > Signed-off-by: Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com>
>> > ---
>> >  arch/x86/hyperv/hv_init.c | 4 ++--
>> >  1 file changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
>> > index 17a71e92a343..81d1981a75d1 100644
>> > --- a/arch/x86/hyperv/hv_init.c
>> > +++ b/arch/x86/hyperv/hv_init.c
>> > @@ -607,7 +607,7 @@ void __init hyperv_init(void)
>> >
>> >  	register_syscore_ops(&hv_syscore_ops);
>> >
>> > -	hyperv_init_cpuhp = cpuhp;
>> > +	hyperv_init_cpuhp = CPUHP_AP_HYPERV_ONLINE;
>>
>> Do we really need 'hyperv_init_cpuhp' at all? I.e. post-change (which
>> LGTM btw), I can only see one usage in hv_machine_shutdown():
>>
>>    if (kexec_in_progress && hyperv_init_cpuhp > 0)
>>            cpuhp_remove_state(hyperv_init_cpuhp);
>>
>> and I'm wondering if the 'hyperv_init_cpuhp' check is really
>> needed. This only case where this check would fail is if we're crashing
>> in between ms_hyperv_init_platform() and hyperv_init() afaiu. Does it
>
> Or if we fail to setup the cpuhp state for some reason but don't
> actually crash and then later do a kexec?

I see this can happen for CPUHP_AP_ONLINE_DYN/CPUHP_BP_PREPARE_DYN
because we run out of free slots (40/20), but here we have our own
dedicated CPUHP_AP_HYPERV_ONLINE and other failure paths seem to be
exotic...

>
> I guess I was just trying to be extra safe and make sure we have
> actually setup the cpuhp state before calling cpuhp_remove_state()
> for it. However, looking elsewhere in the kernel code I don't
> see anybody doing this for custom states...
>
>> hurt if we try cpuhp_remove_state() anyway?
>
> cpuhp_invoke_callback() would trigger a WARNING if we try to remove a
> cpuhp state that was never setup.
>
> 184         if (cpuhp_step_empty(bringup, step)) {
> 185                 WARN_ON_ONCE(1);
> 186                 return 0;
> 187         }
>

Personally, I'd say that getting an extra WARN for such a corner case
(failing to setup cpuhp state or crashing in between
ms_hyperv_init_platform() and hyperv_init()) is OK. Alternatively, we
can convert hyperv_init_cpuhp to a boolean to make it a bit more
straightforward but as it's uncommon to do it for other states, it's
likely overkill.

-- 
Vitaly

10 months, 3 weeks


[PATCH v2 1/1] nfsstat01: Update client RPC calls for kernel 6.9

by Petr Vorel

6.9 moved client RPC calls to namespace in the "Make nfs stats visible in
network NS" patchset.

https://lore.kernel.org/linux-nfs/cover.1708026931.git.josef@toxicpanda.com/

Signed-off-by: Petr Vorel <pvorel(a)suse.cz>
---
Changes v1->v2:
* Point out whole patchset, not just single commit
* Add a comment about the patchset

Hi all,

could you please ack this so that we have fixed mainline?

FYI Some parts have been backported, e.g.:
d47151b79e322 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces")
to all stable/LTS: 5.4.276, 5.10.217, 5.15.159, 6.1.91, 6.6.31.

But most of that is not backported yet (although it is planned), e.g.
93483ac5fec62 ("nfsd: expose /proc/net/sunrpc/nfsd in net namespaces")
see Chuck's patchset for 6.6
https://lore.kernel.org/linux-nfs/20240812223604.32592-1-cel@kernel.org/

Once all kernels up to 5.4 are fixed we should update the version.

Kind regards,
Petr

 testcases/network/nfs/nfsstat01/nfsstat01.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/testcases/network/nfs/nfsstat01/nfsstat01.sh b/testcases/network/nfs/nfsstat01/nfsstat01.sh
index c2856eff1f..1beecbec43 100755
--- a/testcases/network/nfs/nfsstat01/nfsstat01.sh
+++ b/testcases/network/nfs/nfsstat01/nfsstat01.sh
@@ -15,7 +15,14 @@ get_calls()
 	local calls opt
 
 	[ "$name" = "rpc" ] && opt="r" || opt="n"
-	! tst_net_use_netns && [ "$nfs_f" != "nfs" ] && type="rhost"
+
+	if tst_net_use_netns; then
+		# "Make nfs stats visible in network NS" patchet
+		# https://lore.kernel.org/linux-nfs/cover.1708026931.git.josef@toxicpanda.com/
+		tst_kvcmp -ge "6.9" && [ "$nfs_f" = "nfs" ] && type="rhost"
+	else
+		[ "$nfs_f" != "nfs" ] && type="rhost"
+	fi
 
 	if [ "$type" = "lhost" ]; then
 		calls="$(grep $name /proc/net/rpc/$nfs_f | cut -d' ' -f$field)"
-- 
2.45.2

10 months, 3 weeks


[PATCH] mmc : fix for check cqe halt.

by Seunghwan Baek

To check whether the mmc CQE is in the halt state, we need to test whether
the CQHCI_HALT bit is set or clear. That requires the bitwise &, not the
logical &&.

Fixes: 0653300224a6 ("mmc: cqhci: rename cqhci.c to cqhci-core.c")
Cc: stable(a)vger.kernel.org
Signed-off-by: Seunghwan Baek <sh8267.baek(a)samsung.com>
---
 drivers/mmc/host/cqhci-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mmc/host/cqhci-core.c b/drivers/mmc/host/cqhci-core.c
index c14d7251d0bb..a02da26a1efd 100644
--- a/drivers/mmc/host/cqhci-core.c
+++ b/drivers/mmc/host/cqhci-core.c
@@ -617,7 +617,7 @@ static int cqhci_request(struct mmc_host *mmc, struct mmc_request *mrq)
 		cqhci_writel(cq_host, 0, CQHCI_CTL);
 		mmc->cqe_on = true;
 		pr_debug("%s: cqhci: CQE on\n", mmc_hostname(mmc));
-		if (cqhci_readl(cq_host, CQHCI_CTL) && CQHCI_HALT) {
+		if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT) {
 			pr_err("%s: cqhci: CQE failed to exit halt state\n",
 			       mmc_hostname(mmc));
 		}
-- 
2.17.1
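
The difference between the two operators is easy to show in isolation. In the sketch below, `HALT_BIT` and `OTHER_BIT` are hypothetical masks chosen for illustration and are not taken from the cqhci headers; the two functions mirror the condition before and after the patch.

```c
#include <stdbool.h>
#include <stdint.h>

#define HALT_BIT	(UINT32_C(1) << 0)	/* hypothetical halt mask */
#define OTHER_BIT	(UINT32_C(1) << 8)	/* hypothetical unrelated bit */

/* Buggy form: true whenever reg is non-zero, regardless of HALT_BIT. */
bool halted_logical(uint32_t reg)
{
	return reg && HALT_BIT;
}

/* Fixed form: true only when HALT_BIT itself is set in reg. */
bool halted_bitwise(uint32_t reg)
{
	return (reg & HALT_BIT) != 0;
}
```

With a register value that has only `OTHER_BIT` set, the logical form reports "halted" although the halt bit is clear, while the bitwise form does not. Some compilers warn about a logical && with a constant operand, which is a useful hint for catching this class of bug.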

10 months, 3 weeks


[PATCH] powerpc/qspinlock: Fix deadlock in MCS queue

by Nysal Jan K.A.

If an interrupt occurs in queued_spin_lock_slowpath() after we increment
qnodesp->count and before node->lock is initialized, another CPU might
see stale lock values in get_tail_qnode(). If the stale lock value happens
to match the lock on that CPU, then we write to the "next" pointer of
the wrong qnode. This causes a deadlock as the former CPU, once it becomes
the head of the MCS queue, will spin indefinitely until its "next" pointer
is set by its successor in the queue. This results in lockups similar to
the following.

   watchdog: CPU 15 Hard LOCKUP
   ......
   NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490
   LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
   Call Trace:
    0xc000002cfffa3bf0 (unreliable)
    _raw_spin_lock+0x6c/0x90
    raw_spin_rq_lock_nested.part.135+0x4c/0xd0
    sched_ttwu_pending+0x60/0x1f0
    __flush_smp_call_function_queue+0x1dc/0x670
    smp_ipi_demux_relaxed+0xa4/0x100
    xive_muxed_ipi_action+0x20/0x40
    __handle_irq_event_percpu+0x80/0x240
    handle_irq_event_percpu+0x2c/0x80
    handle_percpu_irq+0x84/0xd0
    generic_handle_irq+0x54/0x80
    __do_irq+0xac/0x210
    __do_IRQ+0x74/0xd0
    0x0
    do_IRQ+0x8c/0x170
    hardware_interrupt_common_virt+0x29c/0x2a0
   --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490
   ......
   NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490
   LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
   --- interrupt: 500
    0xc0000029c1a41d00 (unreliable)
    _raw_spin_lock+0x6c/0x90
    futex_wake+0x100/0x260
    do_futex+0x21c/0x2a0
    sys_futex+0x98/0x270
    system_call_exception+0x14c/0x2f0
    system_call_vectored_common+0x15c/0x2ec

The following code flow illustrates how the deadlock occurs:

        CPU0                                   CPU1
        ----                                   ----
  spin_lock_irqsave(A)                          |
  spin_unlock_irqrestore(A)                     |
    spin_lock(B)                                |
         |                                      |
         ▼                                      |
   id = qnodesp->count++;                       |
  (Note that nodes[0].lock == A)                |
         |                                      |
         ▼                                      |
      Interrupt                                 |
  (happens before "nodes[0].lock = B")          |
         |                                      |
         ▼                                      |
  spin_lock_irqsave(A)                          |
         |                                      |
         ▼                                      |
   id = qnodesp->count++                        |
   nodes[1].lock = A                            |
         |                                      |
         ▼                                      |
  Tail of MCS queue                             |
         |                             spin_lock_irqsave(A)
         ▼                                      |
  Head of MCS queue                             ▼
         |                             CPU0 is previous tail
         ▼                                      |
   Spin indefinitely                            ▼
  (until "nodes[1].next != NULL")      prev = get_tail_qnode(A, CPU0)
                                                |
                                                ▼
                                       prev == &qnodes[CPU0].nodes[0]
                                     (as qnodes[CPU0].nodes[0].lock == A)
                                                |
                                                ▼
                                       WRITE_ONCE(prev->next, node)
                                                |
                                                ▼
                                        Spin indefinitely
                                     (until nodes[0].locked == 1)

Thanks to Saket Kumar Bhaskar for help with recreating the issue

Fixes: 84990b169557 ("powerpc/qspinlock: add mcs queueing for contended waiters")
Cc: stable(a)vger.kernel.org # v6.2+
Reported-by: Geetika Moolchandani <geetika(a)linux.ibm.com>
Reported-by: Vaishnavi Bhat <vaish123(a)in.ibm.com>
Reported-by: Jijo Varghese <vargjijo(a)in.ibm.com>
Signed-off-by: Nysal Jan K.A. <nysal(a)linux.ibm.com>
---
 arch/powerpc/lib/qspinlock.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/powerpc/lib/qspinlock.c b/arch/powerpc/lib/qspinlock.c
index 5de4dd549f6e..59861c665cef 100644
--- a/arch/powerpc/lib/qspinlock.c
+++ b/arch/powerpc/lib/qspinlock.c
@@ -697,6 +697,12 @@ static __always_inline void queued_spin_lock_mcs_queue(struct qspinlock *lock, b
 	}
 
 release:
+	/*
+	 * Clear the lock, as another CPU might see stale values if an
+	 * interrupt occurs after we increment qnodesp->count but before
+	 * node->lock is initialized
+	 */
+	node->lock = NULL;
 	qnodesp->count--; /* release the node */
 }
 
-- 
2.46.0
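
The stale-value lookup at the heart of this bug can be replayed in a small single-threaded model. The sketch below is a simplification written for this purpose: `find_node_for_lock()` only imitates the linear search that get_tail_qnode() performs over a CPU's node slots, `release_node()` and its `clear_lock` flag are invented to model the code before and after the patch, and the structures keep only the one field that matters here.

```c
#include <assert.h>
#include <stddef.h>

#define MAX_NODES 4

/* Simplified: only the lock field is relevant to this scenario. */
struct qnode {
	const void *lock;
};

struct qnodes {
	int count;
	struct qnode nodes[MAX_NODES];
};

/* Return the first node slot whose lock field matches, or NULL. */
struct qnode *find_node_for_lock(struct qnodes *q, const void *lock)
{
	assert(q != NULL);
	for (int i = 0; i < MAX_NODES; i++)
		if (q->nodes[i].lock == lock)
			return &q->nodes[i];
	return NULL;
}

/* Release the most recent node; clear_lock models the fix. */
void release_node(struct qnodes *q, int clear_lock)
{
	assert(q != NULL && q->count > 0);
	if (clear_lock)
		q->nodes[q->count - 1].lock = NULL;
	q->count--;
}
```

Replaying the diagram: take and release lock A (slot 0 keeps a stale pointer to A if it is not cleared), claim slot 0 again for lock B without writing the lock field yet, then let an "interrupt" claim slot 1 for A. A search for A now returns slot 0 instead of slot 1. With `clear_lock` set on release, the same sequence finds slot 1, which is the effect of the `node->lock = NULL` line in the patch.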

10 months, 3 weeks


[PATCH v3] usb: dwc3: core: Prevent USB core invalid event buffer address access

by Selvarasu Ganesan

This commit addresses an issue where the USB core could access an
invalid event buffer address during runtime suspend, potentially causing
SMMU faults and other memory issues on Exynos platforms. The problem
arises from the following sequence.
        1. In dwc3_gadget_suspend, there is a chance of a timeout when
        moving the USB core to the halt state after clearing the
        run/stop bit by software.
        2. In dwc3_core_exit, the event buffer is cleared regardless of
        the USB core's status, which may lead to SMMU faults and
        other memory issues if the USB core tries to access the event
        buffer address.

To prevent this hardware quirk on Exynos platforms, this commit ensures
that the event buffer address is not cleared by software when the USB
core is active during runtime suspend by checking its status before
clearing the buffer address.

Cc: stable(a)vger.kernel.org # v6.1+
Signed-off-by: Selvarasu Ganesan <selvarasu.g(a)samsung.com>
---

Changes in v3:
- Added comment on why we need this fix.
- Included platform name in commit message.
- Removed Fixes tag as no issue on the previous commits, and updated Cc tag.
- Link to v2: https://lore.kernel.org/lkml/20240808120507.1464-1-selvarasu.g@samsung.com/

Changes in v2:
- Added separate check for USB controller status before cleaning the
  event buffer.
- Link to v1: https://lore.kernel.org/lkml/20240722145617.537-1-selvarasu.g@samsung.com/
---
 drivers/usb/dwc3/core.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
index 734de2a8bd21..ccc3895dbd7f 100644
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -564,9 +564,17 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc)
 void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
 {
 	struct dwc3_event_buffer	*evt;
+	u32				reg;
 
 	if (!dwc->ev_buf)
 		return;
+	/*
+	 * Exynos platforms may not be able to access event buffer if the
+	 * controller failed to halt on dwc3_core_exit().
+	 */
+	reg = dwc3_readl(dwc->regs, DWC3_DSTS);
+	if (!(reg & DWC3_DSTS_DEVCTRLHLT))
+		return;
 
 	evt = dwc->ev_buf;
 
-- 
2.17.1

10 months, 3 weeks


+ codetag-debug-mark-codetags-for-poisoned-page-as-empty.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: codetag: debug: mark codetags for poisoned page as empty
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     codetag-debug-mark-codetags-for-poisoned-page-as-empty.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Hao Ge <gehao(a)kylinos.cn>
Subject: codetag: debug: mark codetags for poisoned page as empty
Date: Mon, 26 Aug 2024 00:36:49 +0800

When PG_hwpoison pages are freed they are treated differently in
free_pages_prepare() and instead of being released they are isolated.

Page allocation tag counters are decremented at this point since the page
is considered not in use.  Later on when such pages are released by
unpoison_memory(), the allocation tag counters will be decremented again
and the following warning gets reported:

[  113.930443][ T3282] ------------[ cut here ]------------
[  113.931105][ T3282] alloc_tag was not set
[  113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164
[  113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4
[  113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G        W          6.11.0-rc4-dirty #18
[  113.943003][ T3282] Tainted: [W]=WARN
[  113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
[  113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164
[  113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164
[  113.946706][ T3282] sp : ffff800087093a10
[  113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0
[  113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000
[  113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000
[  113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff
[  113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210
[  113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339
[  113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0
[  113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff
[  113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001
[  113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000
[  113.957962][ T3282] Call trace:
[  113.958350][ T3282]  pgalloc_tag_sub.part.66+0x154/0x164
[  113.959000][ T3282]  pgalloc_tag_sub+0x14/0x1c
[  113.959539][ T3282]  free_unref_page+0xf4/0x4b8
[  113.960096][ T3282]  __folio_put+0xd4/0x120
[  113.960614][ T3282]  folio_put+0x24/0x50
[  113.961103][ T3282]  unpoison_memory+0x4f0/0x5b0
[  113.961678][ T3282]  hwpoison_unpoison+0x30/0x48 [hwpoison_inject]
[  113.962436][ T3282]  simple_attr_write_xsigned.isra.34+0xec/0x1cc
[  113.963183][ T3282]  simple_attr_write+0x38/0x48
[  113.963750][ T3282]  debugfs_attr_write+0x54/0x80
[  113.964330][ T3282]  full_proxy_write+0x68/0x98
[  113.964880][ T3282]  vfs_write+0xdc/0x4d0
[  113.965372][ T3282]  ksys_write+0x78/0x100
[  113.965875][ T3282]  __arm64_sys_write+0x24/0x30
[  113.966440][ T3282]  invoke_syscall+0x7c/0x104
[  113.966984][ T3282]  el0_svc_common.constprop.1+0x88/0x104
[  113.967652][ T3282]  do_el0_svc+0x2c/0x38
[  113.968893][ T3282]  el0_svc+0x3c/0x1b8
[  113.969379][ T3282]  el0t_64_sync_handler+0x98/0xbc
[  113.969980][ T3282]  el0t_64_sync+0x19c/0x1a0
[  113.970511][ T3282] ---[ end trace 0000000000000000 ]---

To fix this, clear the page tag reference after the page got isolated
and accounted for.

Link: https://lkml.kernel.org/r/20240825163649.33294-1-hao.ge@linux.dev
Fixes: d224eb0287fb ("codetag: debug: mark codetags for reserved pages as empty")
Signed-off-by: Hao Ge <gehao(a)kylinos.cn>
Reviewed-by: Miaohe Lin <linmiaohe(a)huawei.com>
Acked-by: Suren Baghdasaryan <surenb(a)google.com>
Cc: David Hildenbrand <david(a)redhat.com>
Cc: Hao Ge <gehao(a)kylinos.cn>
Cc: Kent Overstreet <kent.overstreet(a)linux.dev>
Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com>
Cc: Pasha Tatashin <pasha.tatashin(a)soleen.com>
Cc: <stable(a)vger.kernel.org>	[6.10+]
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 mm/page_alloc.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/mm/page_alloc.c~codetag-debug-mark-codetags-for-poisoned-page-as-empty
+++ a/mm/page_alloc.c
@@ -1054,6 +1054,13 @@ __always_inline bool free_pages_prepare(
 		reset_page_owner(page, order);
 		page_table_check_free(page, order);
 		pgalloc_tag_sub(page, 1 << order);
+
+		/*
+		 * The page is isolated and accounted for.
+		 * Mark the codetag as empty to avoid accounting error
+		 * when the page is freed by unpoison_memory().
+		 */
+		clear_page_tag_ref(page);
 		return false;
 	}
 
_

Patches currently in -mm which might be from gehao(a)kylinos.cn are

mm-slub-add-check-for-s-flags-in-the-alloc_tagging_slab_free_hook.patch
codetag-debug-mark-codetags-for-poisoned-page-as-empty.patch
mm-cma-change-the-addition-of-totalcma_pages-in-the-cma_init_reserved_mem.patch

10 months, 3 weeks


[PATCH 1/1] PM / devfreq: Fix buffer overflow in trans_stat_show

by Koichiro Den

From: Christian Marangi <ansuelsmth(a)gmail.com> Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error. Link: https://lore.kernel.org/all/20231024183016.14648-2-ansuelsmth@gmail.com/ Cc: stable(a)vger.kernel.org Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218041 Fixes: e552bbaf5b98 ("PM / devfreq: Add sysfs node for representing frequency transition information.") Signed-off-by: Christian Marangi <ansuelsmth(a)gmail.com> Signed-off-by: Chanwoo Choi <cw00.choi(a)samsung.com> (backported from commit 08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4) [koichiroden: Adjusted context due to missing commits: commit b5d281f6c16d ("PM / devfreq: Rework freq_table to be local to devfreq struct") commit a03dacb0316f ("PM / devfreq: Add cpu based scaling support to passive governor") commit 483d557ee9a3 ("PM / devfreq: Clean up the devfreq instance name in sysfs attr") commit 1ebd0bc0e8ad ("PM / devfreq: Move statistics to separate struct devfreq_stats") commit 14a343968199 ("PM / devfreq: Add clearing transitions stats") commit b76b3479dab9 ("PM / devfreq: Change time stats to 64-bit") commit 5c0f6c795957 ("PM / devfreq: Add new interrupt_driven flag for governors")] CVE-2023-52614 Signed-off-by: Koichiro Den <koichiro.den(a)canonical.com> --- Documentation/ABI/testing/sysfs-class-devfreq | 2 + drivers/devfreq/devfreq.c | 60 +++++++++++++------ 2 files changed, 43 insertions(+), 19 deletions(-) diff --git a/Documentation/ABI/testing/sysfs-class-devfreq b/Documentation/ABI/testing/sysfs-class-devfreq index 75897e2fde43..f95b69551b60 100644 --- a/Documentation/ABI/testing/sysfs-class-devfreq 
+++ b/Documentation/ABI/testing/sysfs-class-devfreq @@ -61,6 +61,8 @@ Description: In order to activate this ABI, the devfreq target device driver should provide the list of available frequencies with its profile. + If the transition table is bigger than PAGE_SIZE, reading + this will return an -EFBIG error. What: /sys/class/devfreq/.../userspace/set_freq Date: September 2011 diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c index 31e6cb5211bc..7a6115c23ec8 100644 --- a/drivers/devfreq/devfreq.c +++ b/drivers/devfreq/devfreq.c @@ -1403,12 +1403,12 @@ static ssize_t trans_stat_show(struct device *dev, struct device_attribute *attr, char *buf) { struct devfreq *devfreq = to_devfreq(dev); - ssize_t len; + ssize_t len = 0; int i, j; unsigned int max_state = devfreq->profile->max_state; if (max_state == 0) - return sprintf(buf, "Not Supported.\n"); + return scnprintf(buf, PAGE_SIZE, "Not Supported.\n"); mutex_lock(&devfreq->lock); if (!devfreq->stop_polling && @@ -1418,32 +1418,54 @@ static ssize_t trans_stat_show(struct device *dev, } mutex_unlock(&devfreq->lock); - len = sprintf(buf, " From : To\n"); - len += sprintf(buf + len, " :"); - for (i = 0; i < max_state; i++) - len += sprintf(buf + len, "%10lu", - devfreq->profile->freq_table[i]); + len += scnprintf(buf + len, PAGE_SIZE - len, " From : To\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, " :"); + for (i = 0; i < max_state; i++) { + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu", + devfreq->profile->freq_table[i]); + } + if (len >= PAGE_SIZE - 1) + return PAGE_SIZE - 1; - len += sprintf(buf + len, " time(ms)\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, " time(ms)\n"); for (i = 0; i < max_state; i++) { + if (len >= PAGE_SIZE - 1) + break; if (devfreq->profile->freq_table[i] == devfreq->previous_freq) { - len += sprintf(buf + len, "*"); + len += scnprintf(buf + len, PAGE_SIZE - len, "*"); } else { - len += sprintf(buf + len, " "); + len += 
scnprintf(buf + len, PAGE_SIZE - len, " "); + } + if (len >= PAGE_SIZE - 1) + break; + + len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu:", + devfreq->profile->freq_table[i]); + for (j = 0; j < max_state; j++) { + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10u", + devfreq->trans_table[(i * max_state) + j]); } - len += sprintf(buf + len, "%10lu:", - devfreq->profile->freq_table[i]); - for (j = 0; j < max_state; j++) - len += sprintf(buf + len, "%10u", - devfreq->trans_table[(i * max_state) + j]); - len += sprintf(buf + len, "%10u\n", - jiffies_to_msecs(devfreq->time_in_state[i])); + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10u\n", + jiffies_to_msecs(devfreq->time_in_state[i])); + } + + if (len < PAGE_SIZE - 1) + len += scnprintf(buf + len, PAGE_SIZE - len, "Total transition : %u\n", + devfreq->total_trans); + + if (len >= PAGE_SIZE - 1) { + pr_warn_once("devfreq transition table exceeds PAGE_SIZE. Disabling\n"); + return -EFBIG; } - len += sprintf(buf + len, "Total transition : %u\n", - devfreq->total_trans); return len; } static DEVICE_ATTR_RO(trans_stat); -- 2.43.0
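The bounded-append pattern used by this patch can be sketched in userspace as follows. This is only an illustration under stated assumptions: bounded_printf() is a hypothetical stand-in for the kernel's scnprintf() built on vsnprintf(), and format_row() is a made-up helper, not the devfreq code itself.

```c
#include <assert.h>
#include <errno.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical userspace stand-in for scnprintf(): returns the number of
 * characters actually stored in buf (excluding the trailing NUL), which is
 * never more than size - 1.
 */
static int bounded_printf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;

	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);

	if (n < 0)
		return 0;
	if ((size_t)n >= size)
		return (int)(size - 1);	/* output was truncated */
	return n;
}

/*
 * Hypothetical helper: append each counter to buf, stop as soon as the
 * buffer is full, and report -EFBIG rather than returning truncated data.
 * As in the patch, a buffer that is filled exactly is treated as overflow.
 */
static long format_row(char *buf, size_t size, const unsigned int *vals,
		       size_t count)
{
	size_t len = 0;
	size_t i;

	assert(size > 0);

	for (i = 0; i < count; i++) {
		if (len >= size - 1)
			break;
		len += (size_t)bounded_printf(buf + len, size - len,
					      "%10u", vals[i]);
	}

	if (len < size - 1)
		len += (size_t)bounded_printf(buf + len, size - len, "\n");

	if (len >= size - 1)
		return -EFBIG;

	return (long)len;
}
```

Because every append is passed the remaining space (size - len), the write position can never move past the end of the buffer, which is the property the plain sprintf() calls lacked.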

10 months, 3 weeks


[PATCH v4] usb: dwc3: Avoid waking up gadget during startxfer

by Prashanth K

When operating in High-Speed, it is observed that DSTS[USBLNKST] doesn't
update link state immediately after receiving the wakeup interrupt. Since
wakeup event handler calls the resume callbacks, there is a chance that
function drivers can perform an ep queue, which in turn tries to perform
remote wakeup from send_gadget_ep_cmd(STARTXFER). This happens because
DSTS[21:18] wasn't updated to U0 yet, it's observed that the latency of
DSTS can be in order of milli-seconds. Hence avoid calling gadget_wakeup
during startxfer to prevent unnecessarily issuing remote wakeup to host.

Fixes: c36d8e947a56 ("usb: dwc3: gadget: put link to U0 before Start Transfer")
Cc: <stable(a)vger.kernel.org>
Suggested-by: Thinh Nguyen <Thinh.Nguyen(a)synopsys.com>
Signed-off-by: Prashanth K <quic_prashk(a)quicinc.com>
---
v4: Rewording the comment in function definition.
v3: Added notes on top the function definition.
v2: Refactored the patch as suggested in v1 discussion.

 drivers/usb/dwc3/gadget.c | 38 ++++++++++++++------------------------
 1 file changed, 14 insertions(+), 24 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 89fc690fdf34..ea583d24aa37 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -287,6 +287,20 @@ static int __dwc3_gadget_wakeup(struct dwc3 *dwc, bool async);
  *
  * Caller should handle locking. This function will issue @cmd with given
  * @params to @dep and wait for its completion.
+ *
+ * According to databook, while issuing StartXfer command if the link is in L1/L2/U3,
+ * then the command may not complete and timeout, hence software must bring the link
+ * back to ON state by performing remote wakeup. However, since issuing a command in
+ * USB2 speeds requires the clearing of GUSB2PHYCFG.SUSPENDUSB2, which turns on the
+ * signal required to complete the given command (usually within 50us). This should
+ * happen within the command timeout set by driver. Hence we don't expect to trigger
+ * a remote wakeup from here; instead it should be done by wakeup ops.
+ *
+ * Special note: If wakeup ops is triggered for remote wakeup, care should be taken
+ * if StartXfer command needs to be sent soon after. The wakeup ops is asynchronous
+ * and the link state may not transition to ON state yet. And after receiving wakeup
+ * event, device would no longer be in U3, and any link transition afterwards needs
+ * to be addressed with wakeup ops.
  */
 int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd,
 		struct dwc3_gadget_ep_cmd_params *params)
@@ -327,30 +341,6 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned int cmd,
 		dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
 	}
 
-	if (DWC3_DEPCMD_CMD(cmd) == DWC3_DEPCMD_STARTTRANSFER) {
-		int link_state;
-
-		/*
-		 * Initiate remote wakeup if the link state is in U3 when
-		 * operating in SS/SSP or L1/L2 when operating in HS/FS. If the
-		 * link state is in U1/U2, no remote wakeup is needed. The Start
-		 * Transfer command will initiate the link recovery.
-		 */
-		link_state = dwc3_gadget_get_link_state(dwc);
-		switch (link_state) {
-		case DWC3_LINK_STATE_U2:
-			if (dwc->gadget->speed >= USB_SPEED_SUPER)
-				break;
-
-			fallthrough;
-		case DWC3_LINK_STATE_U3:
-			ret = __dwc3_gadget_wakeup(dwc, false);
-			dev_WARN_ONCE(dwc->dev, ret, "wakeup failed --> %d\n",
-				      ret);
-			break;
-		}
-	}
-
 	/*
 	 * For some commands such as Update Transfer command, DEPCMDPARn
 	 * registers are reserved. Since the driver often sends Update Transfer
-- 
2.25.1

10 months, 3 weeks


[PATCHv5, REBASED 3/4] x86/tdx: Dynamically disable SEPT violations from causing #VEs

by Kirill A. Shutemov

Memory access #VE's are hard for Linux to handle in contexts like the entry code or NMIs. But other OSes need them for functionality. There's a static (pre-guest-boot) way for a VMM to choose one or the other. But VMMs don't always know which OS they are booting, so they choose to deliver those #VE's so the "other" OSes will work. That, unfortunately has left us in the lurch and exposed to these hard-to-handle #VEs. The TDX module has introduced a new feature. Even if the static configuration is "send nasty #VE's", the kernel can dynamically request that they be disabled. Check if the feature is available and disable SEPT #VE if possible. If the TD allowed to disable/enable SEPT #VEs, the ATTR_SEPT_VE_DISABLE attribute is no longer reliable. It reflects the initial state of the control for the TD, but it will not be updated if someone (e.g. bootloader) changes it before the kernel starts. Kernel must check TDCS_TD_CTLS bit to determine if SEPT #VEs are enabled or disabled. Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Fixes: 373e715e31bf ("x86/tdx: Panic on bad configs that #VE on "private" memory access") Cc: stable(a)vger.kernel.org --- arch/x86/coco/tdx/tdx.c | 76 ++++++++++++++++++++++++------- arch/x86/include/asm/shared/tdx.h | 10 +++- 2 files changed, 69 insertions(+), 17 deletions(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 08ce488b54d0..ba3103877b21 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -78,7 +78,7 @@ static inline void tdcall(u64 fn, struct tdx_module_args *args) } /* Read TD-scoped metadata */ -static inline u64 __maybe_unused tdg_vm_rd(u64 field, u64 *value) +static inline u64 tdg_vm_rd(u64 field, u64 *value) { struct tdx_module_args args = { .rdx = field, @@ -193,6 +193,62 @@ static void __noreturn tdx_panic(const char *msg) __tdx_hypercall(&args); } +/* + * The kernel cannot handle #VEs when accessing normal kernel memory. 
Ensure + * that no #VE will be delivered for accesses to TD-private memory. + * + * TDX 1.0 does not allow the guest to disable SEPT #VE on its own. The VMM + * controls if the guest will receive such #VE with TD attribute + * ATTR_SEPT_VE_DISABLE. + * + * Newer TDX module allows the guest to control if it wants to receive SEPT + * violation #VEs. + * + * Check if the feature is available and disable SEPT #VE if possible. + * + * If the TD allowed to disable/enable SEPT #VEs, the ATTR_SEPT_VE_DISABLE + * attribute is no longer reliable. It reflects the initial state of the + * control for the TD, but it will not be updated if someone (e.g. bootloader) + * changes it before the kernel starts. Kernel must check TDCS_TD_CTLS bit to + * determine if SEPT #VEs are enabled or disabled. + */ +static void disable_sept_ve(u64 td_attr) +{ + const char *msg = "TD misconfiguration: SEPT #VE has to be disabled"; + bool debug = td_attr & ATTR_DEBUG; + u64 config, controls; + + /* Is this TD allowed to disable SEPT #VE */ + tdg_vm_rd(TDCS_CONFIG_FLAGS, &config); + if (!(config & TDCS_CONFIG_FLEXIBLE_PENDING_VE)) { + /* No SEPT #VE controls for the guest: check the attribute */ + if (td_attr & ATTR_SEPT_VE_DISABLE) + return; + + /* Relax SEPT_VE_DISABLE check for debug TD for backtraces */ + if (debug) + pr_warn("%s\n", msg); + else + tdx_panic(msg); + return; + } + + /* Check if SEPT #VE has been disabled before us */ + tdg_vm_rd(TDCS_TD_CTLS, &controls); + if (controls & TD_CTLS_PENDING_VE_DISABLE) + return; + + /* Keep #VEs enabled for splats in debugging environments */ + if (debug) + return; + + /* Disable SEPT #VEs */ + tdg_vm_wr(TDCS_TD_CTLS, TD_CTLS_PENDING_VE_DISABLE, + TD_CTLS_PENDING_VE_DISABLE); + + return; +} + static void tdx_setup(u64 *cc_mask) { struct tdx_module_args args = {}; @@ -218,24 +274,12 @@ static void tdx_setup(u64 *cc_mask) gpa_width = args.rcx & GENMASK(5, 0); *cc_mask = BIT_ULL(gpa_width - 1); + td_attr = args.rdx; + /* Kernel does not use 
NOTIFY_ENABLES and does not need random #VEs */ tdg_vm_wr(TDCS_NOTIFY_ENABLES, 0, -1ULL); - /* - * The kernel can not handle #VE's when accessing normal kernel - * memory. Ensure that no #VE will be delivered for accesses to - * TD-private memory. Only VMM-shared memory (MMIO) will #VE. - */ - td_attr = args.rdx; - if (!(td_attr & ATTR_SEPT_VE_DISABLE)) { - const char *msg = "TD misconfiguration: SEPT_VE_DISABLE attribute must be set."; - - /* Relax SEPT_VE_DISABLE check for debug TD. */ - if (td_attr & ATTR_DEBUG) - pr_warn("%s\n", msg); - else - tdx_panic(msg); - } + disable_sept_ve(td_attr); } /* diff --git a/arch/x86/include/asm/shared/tdx.h b/arch/x86/include/asm/shared/tdx.h index 7e12cfa28bec..fecb2a6e864b 100644 --- a/arch/x86/include/asm/shared/tdx.h +++ b/arch/x86/include/asm/shared/tdx.h @@ -19,9 +19,17 @@ #define TDG_VM_RD 7 #define TDG_VM_WR 8 -/* TDCS fields. To be used by TDG.VM.WR and TDG.VM.RD module calls */ +/* TDX TD-Scope Metadata. To be used by TDG.VM.WR and TDG.VM.RD */ +#define TDCS_CONFIG_FLAGS 0x1110000300000016 +#define TDCS_TD_CTLS 0x1110000300000017 #define TDCS_NOTIFY_ENABLES 0x9100000000000010 +/* TDCS_CONFIG_FLAGS bits */ +#define TDCS_CONFIG_FLEXIBLE_PENDING_VE BIT_ULL(1) + +/* TDCS_TD_CTLS bits */ +#define TD_CTLS_PENDING_VE_DISABLE BIT_ULL(0) + /* TDX hypercall Leaf IDs */ #define TDVMCALL_MAP_GPA 0x10001 #define TDVMCALL_GET_QUOTE 0x10002 -- 2.43.0
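The decision flow of disable_sept_ve() can be restated as a side-effect-free function, which may make the four outcomes easier to see. This is a sketch, not the kernel code: sept_ve_decide() and the enum are hypothetical names, the two TDCS bit definitions are copied from the patch, and the ATTR_DEBUG and ATTR_SEPT_VE_DISABLE values are assumptions because the patch does not show them.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit definitions copied from the patch. */
#define TDCS_CONFIG_FLEXIBLE_PENDING_VE	(1ULL << 1)
#define TD_CTLS_PENDING_VE_DISABLE	(1ULL << 0)

/* Assumed values for this sketch; they are not shown in the patch. */
#define ATTR_DEBUG			(1ULL << 0)
#define ATTR_SEPT_VE_DISABLE		(1ULL << 28)

/* Hypothetical outcome labels for the four paths through the function. */
enum sept_ve_action {
	SEPT_VE_NOTHING,	/* already disabled, or left on for debugging */
	SEPT_VE_WARN,		/* debug TD without the attribute: warn only */
	SEPT_VE_PANIC,		/* non-debug TD that cannot be made safe */
	SEPT_VE_DISABLE,	/* write TDCS_TD_CTLS to turn SEPT #VE off */
};

static enum sept_ve_action sept_ve_decide(uint64_t td_attr, uint64_t config,
					  uint64_t controls)
{
	bool debug = td_attr & ATTR_DEBUG;

	/* No guest-side control: fall back to the static attribute. */
	if (!(config & TDCS_CONFIG_FLEXIBLE_PENDING_VE)) {
		if (td_attr & ATTR_SEPT_VE_DISABLE)
			return SEPT_VE_NOTHING;
		return debug ? SEPT_VE_WARN : SEPT_VE_PANIC;
	}

	/* Someone (e.g. a bootloader) already disabled SEPT #VE. */
	if (controls & TD_CTLS_PENDING_VE_DISABLE)
		return SEPT_VE_NOTHING;

	/* Keep #VEs enabled for splats in debugging environments. */
	if (debug)
		return SEPT_VE_NOTHING;

	return SEPT_VE_DISABLE;
}
```

Note that once the flexible control is available, the static attribute is not consulted at all, which matches the commit message's point that ATTR_SEPT_VE_DISABLE is no longer reliable in that case.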

10 months, 3 weeks


[PATCH net 0/4] mptcp: close subflow when receiving TCP+FIN and misc.

by Matthieu Baerts (NGI0)

Here are different fixes:

Patch 1 closes the subflow after having received a FIN, instead of
leaving it half-closed until the end of the MPTCP connection. A fix for
v5.12.

Patch 2 validates the previous patch.

Patch 3 is a fix for a recent fix to check both directions for the backup
flag. It can follow the 'Fixes' commit and be backported up to v5.7.

Patch 4 adds the missing \n at the end of pr_debug() messages. Without
it, debug messages are displayed with a delay, which is confusing when
debugging. A fix for v5.6.

Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org>
---
Note: Peter's email address has been removed from the Cc list, because it
is bouncing.

---
Matthieu Baerts (NGI0) (4):
      mptcp: close subflow when receiving TCP+FIN
      selftests: mptcp: join: cannot rm sf if closed
      mptcp: sched: check both backup in retrans
      mptcp: pr_debug: add missing \n at the end

 net/mptcp/fastopen.c                            |  4 +-
 net/mptcp/options.c                             | 50 ++++++++++-----------
 net/mptcp/pm.c                                  | 28 ++++++------
 net/mptcp/pm_netlink.c                          | 20 ++++-----
 net/mptcp/protocol.c                            | 59 +++++++++++++------------
 net/mptcp/protocol.h                            |  4 +-
 net/mptcp/sched.c                               |  4 +-
 net/mptcp/sockopt.c                             |  4 +-
 net/mptcp/subflow.c                             | 56 ++++++++++++-----------
 tools/testing/selftests/net/mptcp/mptcp_join.sh | 11 ++---
 10 files changed, 122 insertions(+), 118 deletions(-)
---
base-commit: 31a972959ae57691a1e4f539399b2674ae576086
change-id: 20240826-net-mptcp-close-extra-sf-fin-19d4e5aa4c9c

Best regards,
-- 
Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

10 months, 3 weeks


[PATCH v4 6/7] vdpa: solidrun: Fix UB bug with devres

by Philipp Stanner

In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to
pcim_iomap_regions() is placed on the stack. Neither
pcim_iomap_regions() nor the functions it calls copy that string.

Should the string later ever be used, this, consequently, causes
undefined behavior since the stack frame will by then have disappeared.

Fix the bug by allocating the strings on the heap through
devm_kasprintf().

Cc: stable(a)vger.kernel.org # v6.3
Fixes: 51a8f9d7f587 ("virtio: vdpa: new SolidNET DPU driver.")
Reported-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
Closes: https://lore.kernel.org/all/74e9109a-ac59-49e2-9b1d-d825c9c9f891@wanadoo.fr/
Suggested-by: Andy Shevchenko <andy(a)kernel.org>
Signed-off-by: Philipp Stanner <pstanner(a)redhat.com>
---
 drivers/vdpa/solidrun/snet_main.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/vdpa/solidrun/snet_main.c b/drivers/vdpa/solidrun/snet_main.c
index 99428a04068d..c8b74980dbd1 100644
--- a/drivers/vdpa/solidrun/snet_main.c
+++ b/drivers/vdpa/solidrun/snet_main.c
@@ -555,7 +555,7 @@ static const struct vdpa_config_ops snet_config_ops = {
 
 static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet)
 {
-	char name[50];
+	char *name;
 	int ret, i, mask = 0;
 	/* We don't know which BAR will be used to communicate..
 	 * We will map every bar with len > 0.
@@ -573,7 +573,10 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet)
 		return -ENODEV;
 	}
 
-	snprintf(name, sizeof(name), "psnet[%s]-bars", pci_name(pdev));
+	name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "psnet[%s]-bars", pci_name(pdev));
+	if (!name)
+		return -ENOMEM;
+
 	ret = pcim_iomap_regions(pdev, mask, name);
 	if (ret) {
 		SNET_ERR(pdev, "Failed to request and map PCI BARs\n");
@@ -590,10 +593,13 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet)
 
 static int snet_open_vf_bar(struct pci_dev *pdev, struct snet *snet)
 {
-	char name[50];
+	char *name;
 	int ret;
 
-	snprintf(name, sizeof(name), "snet[%s]-bar", pci_name(pdev));
+	name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "snet[%s]-bars", pci_name(pdev));
+	if (!name)
+		return -ENOMEM;
+
 	/* Request and map BAR */
 	ret = pcim_iomap_regions(pdev, BIT(snet->psnet->cfg.vf_bar), name);
 	if (ret) {
-- 
2.46.0
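The lifetime problem described above can be shown with a small userspace sketch. Everything here is hypothetical and only models the idea: struct region stands in for a callee that keeps the caller's pointer without copying the string, and heap_name() stands in for devm_kasprintf(), with the difference that the caller must free the result itself, whereas devres releases the allocation together with the device.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical registry entry. Like the callee described in the commit
 * message, it stores the pointer it is given and does not copy the string.
 */
struct region {
	const char *name;
};

/*
 * Hypothetical stand-in for devm_kasprintf(): format the name into a heap
 * buffer so that it outlives the caller's stack frame. Returns NULL on
 * failure; the caller owns the returned buffer.
 */
static char *heap_name(const char *dev)
{
	int n = snprintf(NULL, 0, "snet[%s]-bars", dev);
	char *name;

	if (n < 0)
		return NULL;

	name = malloc((size_t)n + 1);
	if (!name)
		return NULL;

	snprintf(name, (size_t)n + 1, "snet[%s]-bars", dev);
	return name;
}

/*
 * With "char name[50]" on the stack, r->name would dangle as soon as this
 * function returned. The heap copy stays valid until it is freed.
 */
static int open_bar(struct region *r, const char *dev)
{
	char *name = heap_name(dev);

	if (!name)
		return -1;	/* the kernel code returns -ENOMEM here */

	r->name = name;
	return 0;
}
```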

10 months, 3 weeks


[PATCH 6.1.y] KVM: x86: fire timer when it is migrated and expired, and in oneshot mode

by David Hunter

From: Li RongQing <lirongqing(a)baidu.com>

[ Upstream commit 8e6ed96cdd5001c55fccc80a17f651741c1ca7d2 ]

When the vCPU was migrated, if its timer is expired, KVM _should_ fire
the timer ASAP, zeroing the deadline here will cause the timer to
immediately fire on the destination

Cc: Sean Christopherson <seanjc(a)google.com>
Cc: Peter Shier <pshier(a)google.com>
Cc: Jim Mattson <jmattson(a)google.com>
Cc: Wanpeng Li <wanpengli(a)tencent.com>
Cc: Paolo Bonzini <pbonzini(a)redhat.com>
Signed-off-by: Li RongQing <lirongqing(a)baidu.com>
Link: https://lore.kernel.org/r/20230106040625.8404-1-lirongqing@baidu.com
Signed-off-by: Sean Christopherson <seanjc(a)google.com>
(cherry picked from commit 8e6ed96cdd5001c55fccc80a17f651741c1ca7d2)

The code was able to compile without errors or warnings.

Signed-off-by: David Hunter <david.hunter.linux(a)gmail.com>
---
 arch/x86/kvm/lapic.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index c90fef0258c5..3cd590ace95a 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1843,8 +1843,12 @@ static bool set_target_expiration(struct kvm_lapic *apic, u32 count_reg)
 	if (unlikely(count_reg != APIC_TMICT)) {
 		deadline = tmict_to_ns(apic,
 				       kvm_lapic_get_reg(apic, count_reg));
-		if (unlikely(deadline <= 0))
-			deadline = apic->lapic_timer.period;
+		if (unlikely(deadline <= 0)) {
+			if (apic_lvtt_period(apic))
+				deadline = apic->lapic_timer.period;
+			else
+				deadline = 0;
+		}
 		else if (unlikely(deadline > apic->lapic_timer.period)) {
 			pr_info_ratelimited(
 			    "kvm: vcpu %i: requested lapic timer restore with "
-- 
2.43.0
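The behavioural change in the expired-deadline branch can be modelled as a small function. This is a sketch only: restored_deadline() is a hypothetical name, it covers just the "deadline <= 0" case touched by the patch, and the separate branch for a deadline larger than the period is deliberately left out.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Hypothetical model of the patched branch: choose the deadline to program
 * when the value restored after migration has already expired.
 */
static int64_t restored_deadline(int64_t deadline, int64_t period,
				 bool periodic)
{
	if (deadline > 0)
		return deadline;	/* not expired: this branch does nothing */

	/*
	 * Before the patch every expired timer was pushed one full period
	 * into the future. Now only periodic timers are; oneshot timers get
	 * a zero deadline so that they fire immediately on the destination.
	 */
	return periodic ? period : 0;
}
```

For example, an expired oneshot timer with a period of 1000 ns now yields a deadline of 0 instead of 1000.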

10 months, 3 weeks


[PATCH v5 3/3] x86/sgx: Resolve EREMOVE page vs EAUG page data race

by Dmitrii Kuvaiskii

Two enclave threads may try to add and remove the same enclave page simultaneously (e.g., if the SGX runtime supports both lazy allocation and MADV_DONTNEED semantics). Consider some enclave page added to the enclave. User space decides to temporarily remove this page (e.g., emulating the MADV_DONTNEED semantics) on CPU1. At the same time, user space performs a memory access on the same page on CPU2, which results in a #PF and ultimately in sgx_vma_fault(). Scenario proceeds as follows: /* * CPU1: User space performs * ioctl(SGX_IOC_ENCLAVE_REMOVE_PAGES) * on enclave page X */ sgx_encl_remove_pages() { mutex_lock(&encl->lock); entry = sgx_encl_load_page(encl); /* * verify that page is * trimmed and accepted */ mutex_unlock(&encl->lock); /* * remove PTE entry; cannot * be performed under lock */ sgx_zap_enclave_ptes(encl); /* * Fault on CPU2 on same page X */ sgx_vma_fault() { /* * PTE entry was removed, but the * page is still in enclave's xarray */ xa_load(&encl->page_array) != NULL -> /* * SGX driver thinks that this page * was swapped out and loads it */ mutex_lock(&encl->lock); /* * this is effectively a no-op */ entry = sgx_encl_load_page_in_vma(); /* * add PTE entry * * *BUG*: a PTE is installed for a * page in process of being removed */ vmf_insert_pfn(...); mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; } /* * continue with page removal */ mutex_lock(&encl->lock); sgx_encl_free_epc_page(epc_page) { /* * remove page via EREMOVE */ /* * free EPC page */ sgx_free_epc_page(epc_page); } xa_erase(&encl->page_array); mutex_unlock(&encl->lock); } Here, CPU1 removed the page. However CPU2 installed the PTE entry on the same page. This enclave page becomes perpetually inaccessible (until another SGX_IOC_ENCLAVE_REMOVE_PAGES ioctl). 
This is because the page is marked accessible in the PTE entry but is not EAUGed, and any subsequent access to this page raises a fault: with the kernel believing there to be a valid VMA, the unlikely error code X86_PF_SGX encountered by code path do_user_addr_fault() -> access_error() causes the SGX driver's sgx_vma_fault() to be skipped and user space receives a SIGSEGV instead. The userspace SIGSEGV handler cannot perform EACCEPT because the page was not EAUGed. Thus, the user space is stuck with the inaccessible page. Fix this race by forcing the fault handler on CPU2 to back off if the page is currently being removed (on CPU1). This is achieved by setting SGX_ENCL_PAGE_BUSY flag right-before the first mutex_unlock() in sgx_encl_remove_pages(). Upon loading the page, CPU2 checks whether this page is busy, and if yes then CPU2 backs off and waits until the page is completely removed. After that, any memory access to this page results in a normal "allocate and EAUG a page on #PF" flow. Additionally fix a similar race: user space converts a normal enclave page to a TCS page (via SGX_IOC_ENCLAVE_MODIFY_TYPES) on CPU1, and at the same time, user space performs a memory access on the same page on CPU2. This fix is not strictly necessary (this particular race would indicate a bug in a user space application), but it gives a consistent rule: if an enclave page is under certain operation by the kernel with the mapping removed, then other threads trying to access that page are temporarily blocked and should retry. 
Fixes: 9849bb27152c ("x86/sgx: Support complete page removal") Cc: stable(a)vger.kernel.org Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com> --- arch/x86/kernel/cpu/sgx/encl.h | 3 ++- arch/x86/kernel/cpu/sgx/ioctl.c | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h index b566b8ad5f33..96b11e8fb770 100644 --- a/arch/x86/kernel/cpu/sgx/encl.h +++ b/arch/x86/kernel/cpu/sgx/encl.h @@ -22,7 +22,8 @@ /* 'desc' bits holding the offset in the VA (version array) page. */ #define SGX_ENCL_PAGE_VA_OFFSET_MASK GENMASK_ULL(11, 3) -/* 'desc' bit indicating that the page is busy (being reclaimed). */ +/* 'desc' bit indicating that the page is busy (being reclaimed, removed or + * converted to a TCS page). */ #define SGX_ENCL_PAGE_BUSY BIT(2) /* diff --git a/arch/x86/kernel/cpu/sgx/ioctl.c b/arch/x86/kernel/cpu/sgx/ioctl.c index 5d390df21440..ee619f2b3414 100644 --- a/arch/x86/kernel/cpu/sgx/ioctl.c +++ b/arch/x86/kernel/cpu/sgx/ioctl.c @@ -969,12 +969,22 @@ static long sgx_enclave_modify_types(struct sgx_encl *encl, /* * Do not keep encl->lock because of dependency on * mmap_lock acquired in sgx_zap_enclave_ptes(). + * + * Releasing encl->lock leads to a data race: while CPU1 + * performs sgx_zap_enclave_ptes() and removes the PTE + * entry for the enclave page, CPU2 may attempt to load + * this page (because the page is still in enclave's + * xarray). To prevent CPU2 from loading the page, mark + * the page as busy before unlock and unmark after lock + * again. */ + entry->desc |= SGX_ENCL_PAGE_BUSY; mutex_unlock(&encl->lock); sgx_zap_enclave_ptes(encl, addr); mutex_lock(&encl->lock); + entry->desc &= ~SGX_ENCL_PAGE_BUSY; sgx_mark_page_reclaimable(entry->epc_page); } @@ -1141,7 +1151,14 @@ static long sgx_encl_remove_pages(struct sgx_encl *encl, /* * Do not keep encl->lock because of dependency on * mmap_lock acquired in sgx_zap_enclave_ptes(). 
+ * + * Releasing encl->lock leads to a data race: while CPU1 + * performs sgx_zap_enclave_ptes() and removes the PTE entry + * for the enclave page, CPU2 may attempt to load this page + * (because the page is still in enclave's xarray). To prevent + * CPU2 from loading the page, mark the page as busy. */ + entry->desc |= SGX_ENCL_PAGE_BUSY; mutex_unlock(&encl->lock); sgx_zap_enclave_ptes(encl, addr); -- 2.43.0
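The busy-flag handshake between the removal path and the fault path can be sketched without any SGX specifics. The names below are hypothetical and the locking is only implied: each function is assumed to be called with the enclave mutex held, exactly where the patch sets, clears, or tests SGX_ENCL_PAGE_BUSY.

```c
#include <errno.h>
#include <stdbool.h>

#define PAGE_BUSY	(1UL << 2)	/* mirrors SGX_ENCL_PAGE_BUSY, BIT(2) */

/* Hypothetical, heavily simplified page descriptor. */
struct encl_page {
	unsigned long desc;
	bool resident;		/* stands in for entry->epc_page != NULL */
};

/*
 * Fault side: back off while another path is operating on the page.
 * Assumed to run with the enclave lock held.
 */
static int load_page(const struct encl_page *page)
{
	if (page->resident && (page->desc & PAGE_BUSY))
		return -EBUSY;
	return 0;
}

/*
 * Removal or type-change side: called with the lock held, just before it
 * is dropped so that the PTEs can be zapped.
 */
static void begin_unlocked_zap(struct encl_page *page)
{
	page->desc |= PAGE_BUSY;
}

/*
 * Type-change side only: called after the lock has been re-taken. The
 * removal path never clears the flag because the page is freed instead.
 */
static void end_unlocked_zap(struct encl_page *page)
{
	page->desc &= ~PAGE_BUSY;
}
```

A fault that arrives in the unlocked window sees -EBUSY and retries later, so it can no longer install a PTE for a page that is about to disappear.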

10 months, 3 weeks


[PATCH v5 2/3] x86/sgx: Resolve EAUG race where losing thread returns SIGBUS

by Dmitrii Kuvaiskii

Imagine an mmap()'d file. Two threads touch the same address at the same time and fault. Both allocate a physical page and race to install a PTE for that page. Only one will win the race. The loser frees its page, but still continues handling the fault as a success and returns VM_FAULT_NOPAGE from the fault handler. The same race can happen with SGX. But there's a bug: the loser in the SGX steers into a failure path. The loser EREMOVE's the winner's EPC page, then returns SIGBUS, likely killing the app. Fix the SGX loser's behavior. Check whether another thread already allocated the page and if yes, return with VM_FAULT_NOPAGE. The race can be illustrated as follows: /* /* * Fault on CPU1 * Fault on CPU2 * on enclave page X * on enclave page X */ */ sgx_vma_fault() { sgx_vma_fault() { xa_load(&encl->page_array) xa_load(&encl->page_array) == NULL --> == NULL --> sgx_encl_eaug_page() { sgx_encl_eaug_page() { ... ... /* /* * alloc encl_page * alloc encl_page */ */ mutex_lock(&encl->lock); /* * alloc EPC page */ epc_page = sgx_alloc_epc_page(...); /* * add page to enclave's xarray */ xa_insert(&encl->page_array, ...); /* * add page to enclave via EAUG * (page is in pending state) */ /* * add PTE entry */ vmf_insert_pfn(...); mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; } } /* * All good up to here: enclave page * successfully added to enclave, * ready for EACCEPT from user space */ mutex_lock(&encl->lock); /* * alloc EPC page */ epc_page = sgx_alloc_epc_page(...); /* * add page to enclave's xarray, * this fails with -EBUSY as this * page was already added by CPU2 */ xa_insert(&encl->page_array, ...); err_out_shrink: sgx_encl_free_epc_page(epc_page) { /* * remove page via EREMOVE * * *BUG*: page added by CPU2 is * yanked from enclave while it * remains accessible from OS * perspective (PTE installed) */ /* * free EPC page */ sgx_free_epc_page(epc_page); } mutex_unlock(&encl->lock); /* * *BUG*: SIGBUS is returned * for a valid enclave page */ return 
VM_FAULT_SIGBUS; } } Fixes: 5a90d2c3f5ef ("x86/sgx: Support adding of pages to an initialized enclave") Cc: stable(a)vger.kernel.org Reported-by: Marcelina Kościelnicka <mwk(a)invisiblethingslab.com> Suggested-by: Kai Huang <kai.huang(a)intel.com> Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com> --- arch/x86/kernel/cpu/sgx/encl.c | 36 ++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c index c0a3c00284c8..2aa7ced0e4a0 100644 --- a/arch/x86/kernel/cpu/sgx/encl.c +++ b/arch/x86/kernel/cpu/sgx/encl.c @@ -337,6 +337,16 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, if (!test_bit(SGX_ENCL_INITIALIZED, &encl->flags)) return VM_FAULT_SIGBUS; + mutex_lock(&encl->lock); + + /* + * Multiple threads may try to fault on the same page concurrently. + * Re-check if another thread has already done that. + */ + encl_page = xa_load(&encl->page_array, PFN_DOWN(addr)); + if (encl_page) + goto done; + /* * Ignore internal permission checking for dynamically added pages. 
* They matter only for data added during the pre-initialization @@ -345,23 +355,23 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, */ secinfo_flags = SGX_SECINFO_R | SGX_SECINFO_W | SGX_SECINFO_X; encl_page = sgx_encl_page_alloc(encl, addr - encl->base, secinfo_flags); - if (IS_ERR(encl_page)) - return VM_FAULT_OOM; - - mutex_lock(&encl->lock); + if (IS_ERR(encl_page)) { + vmret = VM_FAULT_OOM; + goto err_out_unlock; + } epc_page = sgx_encl_load_secs(encl); if (IS_ERR(epc_page)) { if (PTR_ERR(epc_page) == -EBUSY) vmret = VM_FAULT_NOPAGE; - goto err_out_unlock; + goto err_out_encl; } epc_page = sgx_alloc_epc_page(encl_page, false); if (IS_ERR(epc_page)) { if (PTR_ERR(epc_page) == -EBUSY) vmret = VM_FAULT_NOPAGE; - goto err_out_unlock; + goto err_out_encl; } va_page = sgx_encl_grow(encl, false); @@ -376,10 +386,6 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, ret = xa_insert(&encl->page_array, PFN_DOWN(encl_page->desc), encl_page, GFP_KERNEL); - /* - * If ret == -EBUSY then page was created in another flow while - * running without encl->lock - */ if (ret) goto err_out_shrink; @@ -389,7 +395,7 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, ret = __eaug(&pginfo, sgx_get_epc_virt_addr(epc_page)); if (ret) - goto err_out; + goto err_out_eaug; encl_page->encl = encl; encl_page->epc_page = epc_page; @@ -408,20 +414,20 @@ static vm_fault_t sgx_encl_eaug_page(struct vm_area_struct *vma, mutex_unlock(&encl->lock); return VM_FAULT_SIGBUS; } +done: mutex_unlock(&encl->lock); return VM_FAULT_NOPAGE; -err_out: +err_out_eaug: xa_erase(&encl->page_array, PFN_DOWN(encl_page->desc)); - err_out_shrink: sgx_encl_shrink(encl, va_page); err_out_epc: sgx_encl_free_epc_page(epc_page); +err_out_encl: + kfree(encl_page); err_out_unlock: mutex_unlock(&encl->lock); - kfree(encl_page); - return vmret; } -- 2.43.0
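The core of this fix, taking the lock first and re-checking whether the page already exists, can be sketched as a single-threaded model. All names are hypothetical: the bool "locked" merely stands in for encl->lock so the ordering can be asserted, and the array stands in for the enclave's xarray.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

#define NR_PAGES 8

enum fault_result { FAULT_NOPAGE, FAULT_SIGBUS };

/* Hypothetical enclave model. */
struct encl {
	bool locked;			/* stands in for encl->lock */
	bool present[NR_PAGES];		/* stands in for encl->page_array */
	unsigned int allocations;	/* pages that were really added */
};

static void encl_lock(struct encl *e)
{
	assert(!e->locked);
	e->locked = true;
}

static void encl_unlock(struct encl *e)
{
	assert(e->locked);
	e->locked = false;
}

/*
 * Fault handler model: the loser of the race finds the page already
 * present and returns success instead of tearing the winner's page down.
 */
static enum fault_result fault_add_page(struct encl *e, size_t idx)
{
	if (idx >= NR_PAGES)
		return FAULT_SIGBUS;	/* outside the modelled enclave */

	encl_lock(e);

	/* Re-check under the lock: a racing fault may have added the page. */
	if (e->present[idx])
		goto done;

	e->present[idx] = true;
	e->allocations++;
done:
	encl_unlock(e);
	return FAULT_NOPAGE;
}
```

Two faults on the same index both return FAULT_NOPAGE, but only the first one allocates, which is the behaviour the patch restores for the losing thread.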

10 months, 3 weeks

[PATCH v5 1/3] x86/sgx: Split SGX_ENCL_PAGE_BEING_RECLAIMED into two flags

by Dmitrii Kuvaiskii

The page reclaimer thread sets the SGX_ENCL_PAGE_BEING_RECLAIMED flag
when the enclave page is being reclaimed (moved to the backing store).
This flag however has two logical meanings:

1. Don't attempt to load the enclave page (the page is busy), see
   __sgx_encl_load_page().
2. Don't attempt to remove the PCMD page corresponding to this enclave
   page (the PCMD page is busy), see reclaimer_writing_to_pcmd().

To reflect these two meanings, split SGX_ENCL_PAGE_BEING_RECLAIMED into
two flags: SGX_ENCL_PAGE_BUSY and SGX_ENCL_PAGE_PCMD_BUSY. Currently,
both flags are set only when the enclave page is being reclaimed (by the
page reclaimer thread). A future commit will introduce new cases when
the enclave page is being operated on; these new cases will set only the
SGX_ENCL_PAGE_BUSY flag.

Cc: stable(a)vger.kernel.org
Signed-off-by: Dmitrii Kuvaiskii <dmitrii.kuvaiskii(a)intel.com>
Reviewed-by: Haitao Huang <haitao.huang(a)linux.intel.com>
Acked-by: Kai Huang <kai.huang(a)intel.com>
---
 arch/x86/kernel/cpu/sgx/encl.c | 16 +++++++---------
 arch/x86/kernel/cpu/sgx/encl.h | 10 ++++++++--
 arch/x86/kernel/cpu/sgx/main.c |  4 ++--
 3 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/arch/x86/kernel/cpu/sgx/encl.c b/arch/x86/kernel/cpu/sgx/encl.c
index 279148e72459..c0a3c00284c8 100644
--- a/arch/x86/kernel/cpu/sgx/encl.c
+++ b/arch/x86/kernel/cpu/sgx/encl.c
@@ -46,10 +46,10 @@ static int sgx_encl_lookup_backing(struct sgx_encl *encl, unsigned long page_ind
  * a check if an enclave page sharing the PCMD page is in the process of being
  * reclaimed.
  *
- * The reclaimer sets the SGX_ENCL_PAGE_BEING_RECLAIMED flag when it
- * intends to reclaim that enclave page - it means that the PCMD page
- * associated with that enclave page is about to get some data and thus
- * even if the PCMD page is empty, it should not be truncated.
+ * The reclaimer sets the SGX_ENCL_PAGE_PCMD_BUSY flag when it intends to
+ * reclaim that enclave page - it means that the PCMD page associated with that
+ * enclave page is about to get some data and thus even if the PCMD page is
+ * empty, it should not be truncated.
  *
  * Context: Enclave mutex (&sgx_encl->lock) must be held.
  * Return: 1 if the reclaimer is about to write to the PCMD page
@@ -77,8 +77,7 @@ static int reclaimer_writing_to_pcmd(struct sgx_encl *encl,
 		 * Stop when reaching the SECS page - it does not
 		 * have a page_array entry and its reclaim is
 		 * started and completed with enclave mutex held so
-		 * it does not use the SGX_ENCL_PAGE_BEING_RECLAIMED
-		 * flag.
+		 * it does not use the SGX_ENCL_PAGE_PCMD_BUSY flag.
 		 */
 		if (addr == encl->base + encl->size)
 			break;
@@ -91,8 +90,7 @@ static int reclaimer_writing_to_pcmd(struct sgx_encl *encl,
 		 * VA page slot ID uses same bit as the flag so it is important
 		 * to ensure that the page is not already in backing store.
 		 */
-		if (entry->epc_page &&
-		    (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED)) {
+		if (entry->epc_page && (entry->desc & SGX_ENCL_PAGE_PCMD_BUSY)) {
 			reclaimed = 1;
 			break;
 		}
@@ -257,7 +255,7 @@ static struct sgx_encl_page *__sgx_encl_load_page(struct sgx_encl *encl,

 	/* Entry successfully located. */
 	if (entry->epc_page) {
-		if (entry->desc & SGX_ENCL_PAGE_BEING_RECLAIMED)
+		if (entry->desc & SGX_ENCL_PAGE_BUSY)
 			return ERR_PTR(-EBUSY);

 		return entry;
diff --git a/arch/x86/kernel/cpu/sgx/encl.h b/arch/x86/kernel/cpu/sgx/encl.h
index f94ff14c9486..b566b8ad5f33 100644
--- a/arch/x86/kernel/cpu/sgx/encl.h
+++ b/arch/x86/kernel/cpu/sgx/encl.h
@@ -22,8 +22,14 @@
 /* 'desc' bits holding the offset in the VA (version array) page. */
 #define SGX_ENCL_PAGE_VA_OFFSET_MASK	GENMASK_ULL(11, 3)

-/* 'desc' bit marking that the page is being reclaimed. */
-#define SGX_ENCL_PAGE_BEING_RECLAIMED	BIT(3)
+/* 'desc' bit indicating that the page is busy (being reclaimed). */
+#define SGX_ENCL_PAGE_BUSY	BIT(2)
+
+/*
+ * 'desc' bit indicating that PCMD page associated with the enclave page is
+ * busy (because the enclave page is being reclaimed).
+ */
+#define SGX_ENCL_PAGE_PCMD_BUSY	BIT(3)

 struct sgx_encl_page {
 	unsigned long desc;
diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
index 166692f2d501..e94b09c43673 100644
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -204,7 +204,7 @@ static void sgx_encl_ewb(struct sgx_epc_page *epc_page,
 	void *va_slot;
 	int ret;

-	encl_page->desc &= ~SGX_ENCL_PAGE_BEING_RECLAIMED;
+	encl_page->desc &= ~(SGX_ENCL_PAGE_BUSY | SGX_ENCL_PAGE_PCMD_BUSY);

 	va_page = list_first_entry(&encl->va_pages, struct sgx_va_page,
 				   list);
@@ -340,7 +340,7 @@ static void sgx_reclaim_pages(void)
 			goto skip;
 		}

-		encl_page->desc |= SGX_ENCL_PAGE_BEING_RECLAIMED;
+		encl_page->desc |= SGX_ENCL_PAGE_BUSY | SGX_ENCL_PAGE_PCMD_BUSY;
 		mutex_unlock(&encl_page->encl->lock);
 		continue;

--
2.43.0
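
To illustrate why two separate flags are useful, here is a small standalone sketch. The bit positions mirror the patch, but `struct toy_page` and every helper name are hypothetical, and `other_op_begin()` only guesses at what the "future commit" mentioned above might do.

```c
#include <assert.h>
#include <stdbool.h>

/* Bit positions mirror the patch; everything else here is hypothetical. */
#define PAGE_BUSY	(1UL << 2)	/* do not load the page */
#define PAGE_PCMD_BUSY	(1UL << 3)	/* do not truncate its PCMD page */

struct toy_page {
	unsigned long desc;
};

/* The reclaimer sets both flags when it starts on a page... */
static void reclaim_begin(struct toy_page *p)
{
	p->desc |= PAGE_BUSY | PAGE_PCMD_BUSY;
}

/* ...and clears both once the page has been written back. */
static void reclaim_end(struct toy_page *p)
{
	p->desc &= ~(PAGE_BUSY | PAGE_PCMD_BUSY);
}

/* A non-reclaim user would set only PAGE_BUSY (assumed future use). */
static void other_op_begin(struct toy_page *p)
{
	p->desc |= PAGE_BUSY;
}

static bool may_load(const struct toy_page *p)
{
	return !(p->desc & PAGE_BUSY);
}

static bool may_truncate_pcmd(const struct toy_page *p)
{
	return !(p->desc & PAGE_PCMD_BUSY);
}
```

With a single flag, the third case (page busy, PCMD page free to truncate) could not be expressed.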

10 months, 3 weeks

[PATCH net] net: drop bad gso csum_start and offset in virtio_net_hdr

by Willem de Bruijn

From: Willem de Bruijn <willemb(a)google.com>

Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb
for GSO packets.

The function already checks that a checksum requested with
VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets
this might not hold for segs after segmentation.

Syzkaller demonstrated how to reach this warning in skb_checksum_help

	offset = skb_checksum_start_offset(skb);
	ret = -EINVAL;
	if (WARN_ON_ONCE(offset >= skb_headlen(skb)))

By injecting a TSO packet:

WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0
 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774
 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline]
 __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301
 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4850 [inline]
 netdev_start_xmit include/linux/netdevice.h:4864 [inline]
 xmit_one net/core/dev.c:3595 [inline]
 dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611
 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261
 packet_snd net/packet/af_packet.c:3073 [inline]

The geometry of the bad input packet at tcp_gso_segment:

[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0
[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244
[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))
[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0)

Mitigate with stricter input validation.

csum_offset: for GSO packets, deduce the correct value from gso_type.
This is already done for USO. Extend it to TSO. Let UFO be:
udp[46]_ufo_fragment ignores these fields and always computes the
checksum in software.

csum_start: finding the real offset requires parsing to the transport
header. Do not add a parser, use existing segmentation parsing. Thanks
to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.
Again test both TSO and USO. Do not test UFO for the above reason, and
do not test UDP tunnel offload.

GSO packets are almost always CHECKSUM_PARTIAL. USO packets may be
CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit
from devices with no checksum offload"), but then still these fields
are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no
need to test for ip_summed == CHECKSUM_PARTIAL first.

This revises an existing fix mentioned in the Fixes tag, which broke
small packets with GSO offload, as detected by kselftests.

Link: https://syzkaller.appspot.com/bug?extid=e1db31216c789f552871
Link: https://lore.kernel.org/netdev/20240723223109.2196886-1-kuba@kernel.org
Fixes: e269d79c7d35 ("net: missing check virtio")
Cc: stable(a)vger.kernel.org
Signed-off-by: Willem de Bruijn <willemb(a)google.com>
---
 include/linux/virtio_net.h | 16 +++++-----------
 net/ipv4/tcp_offload.c     |  3 +++
 net/ipv4/udp_offload.c     |  3 +++
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
index d1d7825318c32..6c395a2600e8d 100644
--- a/include/linux/virtio_net.h
+++ b/include/linux/virtio_net.h
@@ -56,7 +56,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
 	unsigned int thlen = 0;
 	unsigned int p_off = 0;
 	unsigned int ip_proto;
-	u64 ret, remainder, gso_size;

 	if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
 		switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
@@ -99,16 +98,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
 		u32 off = __virtio16_to_cpu(little_endian, hdr->csum_offset);
 		u32 needed = start + max_t(u32, thlen, off + sizeof(__sum16));

-		if (hdr->gso_size) {
-			gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
-			ret = div64_u64_rem(skb->len, gso_size, &remainder);
-			if (!(ret && (hdr->gso_size > needed) &&
-						((remainder > needed) || (remainder == 0)))) {
-				return -EINVAL;
-			}
-			skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
-		}
-
 		if (!pskb_may_pull(skb, needed))
 			return -EINVAL;

@@ -182,6 +171,11 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
 			if (gso_type != SKB_GSO_UDP_L4)
 				return -EINVAL;
 			break;
+		case SKB_GSO_TCPV4:
+		case SKB_GSO_TCPV6:
+			if (skb->csum_offset != offsetof(struct tcphdr, check))
+				return -EINVAL;
+			break;
 		}

 		/* Kernel has a special handling for GSO_BY_FRAGS. */
diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
index 4b791e74529e1..9e49ffcc77071 100644
--- a/net/ipv4/tcp_offload.c
+++ b/net/ipv4/tcp_offload.c
@@ -140,6 +140,9 @@ struct sk_buff *tcp_gso_segment(struct sk_buff *skb,
 	if (thlen < sizeof(*th))
 		goto out;

+	if (unlikely(skb->csum_start != skb->transport_header))
+		goto out;
+
 	if (!pskb_may_pull(skb, thlen))
 		goto out;

diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index aa2e0a28ca613..f521152c40871 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -278,6 +278,9 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
 	if (gso_skb->len <= sizeof(*uh) + mss)
 		return ERR_PTR(-EINVAL);

+	if (unlikely(gso_skb->csum_start != gso_skb->transport_header))
+		return ERR_PTR(-EINVAL);
+
 	if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {
 		/* Packet is from an untrusted source, reset gso_segs. */
 		skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh),
--
2.46.0.rc1.232.g9752f9e123-goog
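
The two checks described above can be sketched in isolation. In the patch they live in different places (csum_offset in virtio_net_hdr_to_skb, csum_start in the segmentation functions); the sketch below merges them into one function purely for illustration. The `toy_*` types are simplified stand-ins, not the kernel structures.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal header layouts, just enough for offsetof(); not the kernel structs. */
struct toy_tcphdr {
	uint16_t source, dest;
	uint32_t seq, ack_seq;
	uint16_t flags, window;
	uint16_t check;
	uint16_t urg_ptr;
};

struct toy_udphdr {
	uint16_t source, dest, len;
	uint16_t check;
};

enum toy_gso { TOY_GSO_TCP, TOY_GSO_UDP_L4 };

/* Hypothetical packet summary; both offsets share the same base. */
struct toy_pkt {
	enum toy_gso gso;
	uint16_t csum_start;
	uint16_t csum_offset;
	uint16_t transport_header;
};

static bool toy_gso_csum_ok(const struct toy_pkt *p)
{
	size_t want = p->gso == TOY_GSO_TCP ?
		offsetof(struct toy_tcphdr, check) :
		offsetof(struct toy_udphdr, check);

	/* csum_offset is implied by the GSO type. */
	if (p->csum_offset != want)
		return false;

	/* csum_start must point at the transport header. */
	return p->csum_start == p->transport_header;
}
```

Fed with values resembling the logged packet (start=199, offset=1536, trans=244), the function rejects the input; a TCP packet with csum_offset 16 and csum_start equal to the transport header offset passes.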

10 months, 3 weeks

[PATCH v2] spi: rockchip: Resolve unbalanced runtime PM / system PM handling

by Brian Norris

Commit e882575efc77 ("spi: rockchip: Suspend and resume the bus during
NOIRQ_SYSTEM_SLEEP_PM ops") stopped respecting runtime PM status and
simply disabled clocks unconditionally when suspending the system. This
causes problems when the device is already runtime suspended when we go
to sleep -- in which case we double-disable clocks and produce a
WARNing.

Switch back to pm_runtime_force_{suspend,resume}(), because that still
seems like the right thing to do, and the aforementioned commit gives no
explanation of why it stopped using them.

Also, refactor some of the resume() error handling, because it's not
actually a good idea to re-disable clocks on failure.

Fixes: e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops")
Cc: <stable(a)vger.kernel.org>
Reported-by: "Ondřej Jirman" <megi(a)xff.cz>
Closes: https://lore.kernel.org/lkml/20220621154218.sau54jeij4bunf56@core/
Signed-off-by: Brian Norris <briannorris(a)chromium.org>
---

Changes in v2:
 - fix unused 'rs' warning

 drivers/spi/spi-rockchip.c | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c
index e1ecd96c7858..0bb33c43b1b4 100644
--- a/drivers/spi/spi-rockchip.c
+++ b/drivers/spi/spi-rockchip.c
@@ -945,14 +945,16 @@ static int rockchip_spi_suspend(struct device *dev)
 {
 	int ret;
 	struct spi_controller *ctlr = dev_get_drvdata(dev);
-	struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);

 	ret = spi_controller_suspend(ctlr);
 	if (ret < 0)
 		return ret;

-	clk_disable_unprepare(rs->spiclk);
-	clk_disable_unprepare(rs->apb_pclk);
+	ret = pm_runtime_force_suspend(dev);
+	if (ret < 0) {
+		spi_controller_resume(ctlr);
+		return ret;
+	}

 	pinctrl_pm_select_sleep_state(dev);

@@ -963,25 +965,14 @@ static int rockchip_spi_resume(struct device *dev)
 {
 	int ret;
 	struct spi_controller *ctlr = dev_get_drvdata(dev);
-	struct rockchip_spi *rs = spi_controller_get_devdata(ctlr);

 	pinctrl_pm_select_default_state(dev);

-	ret = clk_prepare_enable(rs->apb_pclk);
+	ret = pm_runtime_force_resume(dev);
 	if (ret < 0)
 		return ret;

-	ret = clk_prepare_enable(rs->spiclk);
-	if (ret < 0)
-		clk_disable_unprepare(rs->apb_pclk);
-
-	ret = spi_controller_resume(ctlr);
-	if (ret < 0) {
-		clk_disable_unprepare(rs->spiclk);
-		clk_disable_unprepare(rs->apb_pclk);
-	}
-
-	return 0;
+	return spi_controller_resume(ctlr);
 }
 #endif /* CONFIG_PM_SLEEP */

--
2.46.0.295.g3b9ea8a38a-goog
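
The double-disable described above can be reproduced with a toy model of a clock enable count. This is only a sketch: `struct toy_dev` and the `toy_*` functions are hypothetical, and the "forced" variants imitate the general idea of pm_runtime_force_suspend()/pm_runtime_force_resume() rather than their exact semantics.

```c
#include <assert.h>
#include <stdbool.h>

/* Hypothetical device model: one clock with an enable count. */
struct toy_dev {
	int clk_enable_count;	/* must never drop below zero */
	bool runtime_suspended;	/* true once runtime PM has gated the clock */
	bool needs_resume;	/* set when system suspend did the gating */
};

static void toy_runtime_suspend(struct toy_dev *d)
{
	if (d->runtime_suspended)
		return;
	d->clk_enable_count--;
	d->runtime_suspended = true;
}

static void toy_runtime_resume(struct toy_dev *d)
{
	if (!d->runtime_suspended)
		return;
	d->clk_enable_count++;
	d->runtime_suspended = false;
}

/* Old behaviour: gate the clock no matter what runtime PM already did. */
static void toy_suspend_unconditional(struct toy_dev *d)
{
	d->clk_enable_count--;
}

/* New behaviour: only gate the clock if it is still running. */
static void toy_suspend_forced(struct toy_dev *d)
{
	d->needs_resume = !d->runtime_suspended;
	toy_runtime_suspend(d);
}

/* Undo only what toy_suspend_forced() itself did. */
static void toy_resume_forced(struct toy_dev *d)
{
	if (d->needs_resume)
		toy_runtime_resume(d);
	d->needs_resume = false;
}
```

In this model, a device that was already runtime suspended ends up with an enable count of -1 on the unconditional path, while the forced path leaves the count at zero and restores exactly the pre-suspend state on resume.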

10 months, 3 weeks

Re: [PATCH 6.10 000/273] 6.10.7-rc1 review

by Ronald Warsow

Hi Greg

no regressions here on x86_64 (RKL, Intel 11th Gen. CPU)

Thanks

Tested-by: Ronald Warsow <rwarsow(a)gmx.de>

10 months, 3 weeks

[PATCH 12/14] drm/amd/display: Block timing sync for different signals in PMO

by Hamza Mahfooz

From: Dillon Varone <dillon.varone(a)amd.com>

PMO assumes that like timings can be synchronized, but DC only allows
this if the signal types match.

Cc: stable(a)vger.kernel.org
Reviewed-by: Austin Zheng <austin.zheng(a)amd.com>
Signed-off-by: Dillon Varone <dillon.varone(a)amd.com>
Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com>
---
 .../display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c
index 3bb5eb2e79ae..d63558ee3135 100644
--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c
+++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_pmo/dml2_pmo_dcn4_fams2.c
@@ -941,7 +941,8 @@ static void build_synchronized_timing_groups(
 		for (j = i + 1; j < display_config->display_config.num_streams; j++) {
 			if (memcmp(master_timing,
 				&display_config->display_config.stream_descriptors[j].timing,
-				sizeof(struct dml2_timing_cfg)) == 0) {
+				sizeof(struct dml2_timing_cfg)) == 0 &&
+				display_config->display_config.stream_descriptors[i].output.output_encoder == display_config->display_config.stream_descriptors[j].output.output_encoder) {
 				set_bit_in_bitfield(&pmo->scratch.pmo_dcn4.synchronized_timing_group_masks[timing_group_idx], j);
 				set_bit_in_bitfield(&stream_mapped_mask, j);
 			}
--
2.46.0
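
A reduced sketch of the grouping rule after this change: two streams join the same synchronized group only if both their timing and their output encoder match. The `toy_*` types and fields are invented for the example and are far smaller than the real DML2 structures.

```c
#include <assert.h>
#include <stdbool.h>
#include <string.h>

/* Three same-sized fields, so the struct has no padding for memcmp(). */
struct toy_timing {
	unsigned int h_total, v_total, pixel_clock_khz;
};

enum toy_encoder { TOY_ENC_DP, TOY_ENC_HDMI };

struct toy_stream {
	struct toy_timing timing;
	enum toy_encoder encoder;
};

/* Identical timing alone is no longer enough; the encoder must match too. */
static bool toy_can_sync(const struct toy_stream *a, const struct toy_stream *b)
{
	return memcmp(&a->timing, &b->timing, sizeof(a->timing)) == 0 &&
	       a->encoder == b->encoder;
}

/* Bitmask of streams that can be synchronized with stream 'master'. */
static unsigned int toy_sync_mask(const struct toy_stream *s, int n, int master)
{
	unsigned int mask;
	int j;

	assert(master >= 0 && master < n);
	mask = 1u << master;
	for (j = master + 1; j < n; j++)
		if (toy_can_sync(&s[master], &s[j]))
			mask |= 1u << j;
	return mask;
}
```

For four streams where stream 1 shares the master's timing but uses a different encoder, and stream 3 has a different timing, the mask contains only streams 0 and 2.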

10 months, 3 weeks

[PATCH 11/14] drm/amd/display: fix graphics hang in multi-display mst case

by Hamza Mahfooz

From: Gabe Teeger <Gabe.Teeger(a)amd.com> [what] Graphics hang observed with 3 displays connected to DP2.0 mst dock. [why] There's a mismatch in dml and dc between the assignments of hpo link encoders. [how] Add a new array in dml that tracks the current mapping of HPO stream encoders to HPO link encoders in dc. Cc: stable(a)vger.kernel.org Reviewed-by: Sung joon Kim <sungjoon.kim(a)amd.com> Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Gabe Teeger <Gabe.Teeger(a)amd.com> Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> --- .../amd/display/dc/dml2/dml2_internal_types.h | 2 +- .../display/dc/dml2/dml2_translation_helper.c | 67 +++++++++---------- .../display/dc/dml2/dml2_translation_helper.h | 2 +- .../gpu/drm/amd/display/dc/dml2/dml2_utils.c | 12 +--- 4 files changed, 34 insertions(+), 49 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_internal_types.h b/drivers/gpu/drm/amd/display/dc/dml2/dml2_internal_types.h index 3ba184be25d3..140ec01545db 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_internal_types.h +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_internal_types.h @@ -101,7 +101,7 @@ struct dml2_wrapper_scratch { struct dml2_dml_to_dc_pipe_mapping dml_to_dc_pipe_mapping; bool enable_flexible_pipe_mapping; bool plane_duplicate_exists; - unsigned int dp2_mst_stream_count; + int hpo_stream_to_link_encoder_mapping[MAX_HPO_DP2_ENCODERS]; }; struct dml2_helper_det_policy_scratch { diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c index 7e39873832bf..bde4250853b1 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c @@ -733,8 +733,7 @@ static void populate_dml_timing_cfg_from_stream_state(struct dml_timing_cfg_st * } static void populate_dml_output_cfg_from_stream_state(struct dml_output_cfg_st *out, unsigned int location, - 
const struct dc_stream_state *in, const struct pipe_ctx *pipe, - unsigned int dp2_mst_stream_count) + const struct dc_stream_state *in, const struct pipe_ctx *pipe, struct dml2_context *dml2) { unsigned int output_bpc; @@ -747,8 +746,8 @@ static void populate_dml_output_cfg_from_stream_state(struct dml_output_cfg_st * case SIGNAL_TYPE_DISPLAY_PORT_MST: case SIGNAL_TYPE_DISPLAY_PORT: out->OutputEncoder[location] = dml_dp; - if (is_dp2p0_output_encoder(pipe, dp2_mst_stream_count)) - out->OutputEncoder[location] = dml_dp2p0; + if (dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[location] != -1) + out->OutputEncoder[dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[location]] = dml_dp2p0; break; case SIGNAL_TYPE_EDP: out->OutputEncoder[location] = dml_edp; @@ -1199,36 +1198,6 @@ static void dml2_populate_pipe_to_plane_index_mapping(struct dml2_context *dml2, } } -static unsigned int calculate_dp2_mst_stream_count(struct dc_state *context) -{ - int i, j; - unsigned int dp2_mst_stream_count = 0; - - for (i = 0; i < context->stream_count; i++) { - struct dc_stream_state *stream = context->streams[i]; - - if (!stream || stream->signal != SIGNAL_TYPE_DISPLAY_PORT_MST) - continue; - - for (j = 0; j < MAX_PIPES; j++) { - struct pipe_ctx *pipe_ctx = &context->res_ctx.pipe_ctx[j]; - - if (!pipe_ctx || !pipe_ctx->stream) - continue; - - if (stream != pipe_ctx->stream) - continue; - - if (pipe_ctx->stream_res.hpo_dp_stream_enc && pipe_ctx->link_res.hpo_dp_link_enc) { - dp2_mst_stream_count++; - break; - } - } - } - - return dp2_mst_stream_count; -} - static void populate_dml_writeback_cfg_from_stream_state(struct dml_writeback_cfg_st *out, unsigned int location, const struct dc_stream_state *in) { @@ -1269,6 +1238,30 @@ static void populate_dml_writeback_cfg_from_stream_state(struct dml_writeback_cf } } } + +static void dml2_map_hpo_stream_encoder_to_hpo_link_encoder_index(struct dml2_context *dml2, struct dc_state *context) +{ + int i; + struct pipe_ctx 
*current_pipe_context; + + /* Scratch gets reset to zero in dml, but link encoder instance can be zero, so reset to -1 */ + for (i = 0; i < MAX_HPO_DP2_ENCODERS; i++) { + dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[i] = -1; + } + + /* If an HPO stream encoder is allocated to a pipe, get the instance of it's allocated HPO Link encoder */ + for (i = 0; i < MAX_PIPES; i++) { + current_pipe_context = &context->res_ctx.pipe_ctx[i]; + if (current_pipe_context->stream && + current_pipe_context->stream_res.hpo_dp_stream_enc && + current_pipe_context->link_res.hpo_dp_link_enc && + dc_is_dp_signal(current_pipe_context->stream->signal)) { + dml2->v20.scratch.hpo_stream_to_link_encoder_mapping[current_pipe_context->stream_res.hpo_dp_stream_enc->inst] = + current_pipe_context->link_res.hpo_dp_link_enc->inst; + } + } +} + void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_state *context, struct dml_display_cfg_st *dml_dispcfg) { int i = 0, j = 0, k = 0; @@ -1291,8 +1284,8 @@ void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_stat if (dml2->v20.dml_core_ctx.ip.hostvm_enable) dml2->v20.dml_core_ctx.policy.AllowForPStateChangeOrStutterInVBlankFinal = dml_prefetch_support_uclk_fclk_and_stutter; - dml2->v20.scratch.dp2_mst_stream_count = calculate_dp2_mst_stream_count(context); dml2_populate_pipe_to_plane_index_mapping(dml2, context); + dml2_map_hpo_stream_encoder_to_hpo_link_encoder_index(dml2, context); for (i = 0; i < context->stream_count; i++) { current_pipe_context = NULL; @@ -1313,7 +1306,7 @@ void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_stat ASSERT(disp_cfg_stream_location >= 0 && disp_cfg_stream_location <= __DML2_WRAPPER_MAX_STREAMS_PLANES__); populate_dml_timing_cfg_from_stream_state(&dml_dispcfg->timing, disp_cfg_stream_location, context->streams[i]); - populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_stream_location, context->streams[i], current_pipe_context, 
dml2->v20.scratch.dp2_mst_stream_count); + populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_stream_location, context->streams[i], current_pipe_context, dml2); /*Call site for populate_dml_writeback_cfg_from_stream_state*/ populate_dml_writeback_cfg_from_stream_state(&dml_dispcfg->writeback, disp_cfg_stream_location, context->streams[i]); @@ -1378,7 +1371,7 @@ void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_stat if (j >= 1) { populate_dml_timing_cfg_from_stream_state(&dml_dispcfg->timing, disp_cfg_plane_location, context->streams[i]); - populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_plane_location, context->streams[i], current_pipe_context, dml2->v20.scratch.dp2_mst_stream_count); + populate_dml_output_cfg_from_stream_state(&dml_dispcfg->output, disp_cfg_plane_location, context->streams[i], current_pipe_context, dml2); switch (context->streams[i]->debug.force_odm_combine_segments) { case 2: dml2->v20.dml_core_ctx.policy.ODMUse[disp_cfg_plane_location] = dml_odm_use_policy_combine_2to1; diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.h b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.h index 55659b22d87f..d764773938f4 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.h +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.h @@ -36,6 +36,6 @@ void dml2_translate_socbb_params(const struct dc *in_dc, struct soc_bounding_box void dml2_translate_soc_states(const struct dc *in_dc, struct soc_states_st *out, int num_states); void map_dc_state_into_dml_display_cfg(struct dml2_context *dml2, struct dc_state *context, struct dml_display_cfg_st *dml_dispcfg); void dml2_update_pipe_ctx_dchub_regs(struct _vcs_dpi_dml_display_rq_regs_st *rq_regs, struct _vcs_dpi_dml_display_dlg_regs_st *disp_dlg_regs, struct _vcs_dpi_dml_display_ttu_regs_st *disp_ttu_regs, struct pipe_ctx *out); -bool is_dp2p0_output_encoder(const struct pipe_ctx 
*pipe, unsigned int dp2_mst_stream_count); +bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe); #endif //__DML2_TRANSLATION_HELPER_H__ diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c index 9e8ff3a9718e..9a33158b63bf 100644 --- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c +++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_utils.c @@ -153,7 +153,7 @@ unsigned int dml2_util_get_maximum_odm_combine_for_output(bool force_odm_4to1, e } } -bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe_ctx, unsigned int dp2_mst_stream_count) +bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe_ctx) { if (pipe_ctx == NULL || pipe_ctx->stream == NULL) return false; @@ -161,14 +161,6 @@ bool is_dp2p0_output_encoder(const struct pipe_ctx *pipe_ctx, unsigned int dp2_m /* If this assert is hit then we have a link encoder dynamic management issue */ ASSERT(pipe_ctx->stream_res.hpo_dp_stream_enc ? pipe_ctx->link_res.hpo_dp_link_enc != NULL : true); - /* Count MST hubs once by treating only 1st remote sink in topology as an encoder */ - if (pipe_ctx->stream->link && pipe_ctx->stream->link->remote_sinks[0] && dp2_mst_stream_count > 1) { - return (pipe_ctx->stream_res.hpo_dp_stream_enc && - pipe_ctx->link_res.hpo_dp_link_enc && - dc_is_dp_signal(pipe_ctx->stream->signal) && - (pipe_ctx->stream->link->remote_sinks[0]->sink_id == pipe_ctx->stream->sink->sink_id)); - } - return (pipe_ctx->stream_res.hpo_dp_stream_enc && pipe_ctx->link_res.hpo_dp_link_enc && dc_is_dp_signal(pipe_ctx->stream->signal)); @@ -181,7 +173,7 @@ bool is_dtbclk_required(const struct dc *dc, struct dc_state *context) for (i = 0; i < dc->res_pool->pipe_count; i++) { if (!context->res_ctx.pipe_ctx[i].stream) continue; - if (is_dp2p0_output_encoder(&context->res_ctx.pipe_ctx[i], context->bw_ctx.dml2->v20.scratch.dp2_mst_stream_count)) + if (is_dp2p0_output_encoder(&context->res_ctx.pipe_ctx[i])) return true; } return false; -- 2.46.0
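
The mapping array introduced by this patch can be pictured with a small standalone sketch. The sizes, `struct toy_pipe` and `toy_build_mapping()` are assumptions made for the example; only the idea (reset to -1, then record the link encoder instance per stream encoder instance) comes from the patch.

```c
#include <assert.h>

#define TOY_MAX_HPO_ENC	4
#define TOY_MAX_PIPES	6

/* Hypothetical, heavily reduced view of a pipe's encoder assignment. */
struct toy_pipe {
	int has_stream;
	int stream_enc_inst;	/* -1 when no HPO stream encoder is assigned */
	int link_enc_inst;	/* -1 when no HPO link encoder is assigned */
};

static void toy_build_mapping(const struct toy_pipe *pipes, int npipes,
			      int map[TOY_MAX_HPO_ENC])
{
	int i;

	assert(npipes <= TOY_MAX_PIPES);

	/* Instance 0 is valid, so "unassigned" has to be -1, not 0. */
	for (i = 0; i < TOY_MAX_HPO_ENC; i++)
		map[i] = -1;

	for (i = 0; i < npipes; i++) {
		const struct toy_pipe *p = &pipes[i];

		if (!p->has_stream || p->stream_enc_inst < 0 || p->link_enc_inst < 0)
			continue;
		if (p->stream_enc_inst >= TOY_MAX_HPO_ENC)
			continue;
		map[p->stream_enc_inst] = p->link_enc_inst;
	}
}
```

A zero-initialized scratch area would be indistinguishable from "stream encoder N maps to link encoder 0", which is why the explicit reset to -1 matters.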

10 months, 3 weeks

[PATCH 08/14] drm/amd/display: fix dccg root clock optimization related hang

by Hamza Mahfooz

From: Qili Lu <qili.lu(a)amd.com> [Why] enable dpp rcg before we disable dppclk in hw_init cause system hang/reboot [How] we remove dccg rcg related code from init into a separate function and call it after we init pipe Cc: stable(a)vger.kernel.org # 6.10+ Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas(a)amd.com> Signed-off-by: Qili Lu <qili.lu(a)amd.com> Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com> --- .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 14 +++++++++----- .../gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h | 1 + .../drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 4 ++++ drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h | 1 + 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c index 889f39694cb7..8b3722a0011b 100644 --- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c +++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c @@ -1721,10 +1721,6 @@ void dccg35_init(struct dccg *dccg) dccg35_set_dpstreamclk_root_clock_gating(dccg, otg_inst, false); } - if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) - for (otg_inst = 0; otg_inst < 4; otg_inst++) - dccg35_set_dppclk_root_clock_gating(dccg, otg_inst, 0); - /* dccg35_enable_global_fgcg_rep( dccg, dccg->ctx->dc->debug.enable_fine_grain_clock_gating.bits @@ -2303,6 +2299,14 @@ static void dccg35_disable_symclk_se_cb( /* DMU PHY sequence switches SYMCLK_BE (link_enc_inst) to ref clock once PHY is turned off */ } +void dccg35_root_gate_disable_control(struct dccg *dccg, uint32_t pipe_idx, uint32_t disable_clock_gating) +{ + + if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) { + dccg35_set_dppclk_root_clock_gating(dccg, pipe_idx, disable_clock_gating); + } +} + static const struct dccg_funcs dccg35_funcs_new = { .update_dpp_dto = dccg35_update_dpp_dto_cb, .dpp_root_clock_control = dccg35_dpp_root_clock_control_cb, @@ -2363,7 +2367,7 @@ static 
const struct dccg_funcs dccg35_funcs = { .enable_symclk_se = dccg35_enable_symclk_se, .disable_symclk_se = dccg35_disable_symclk_se, .set_dtbclk_p_src = dccg35_set_dtbclk_p_src, - + .dccg_root_gate_disable_control = dccg35_root_gate_disable_control, }; struct dccg *dccg35_create( diff --git a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h index 1586a45ca3bd..51f98c5c51c4 100644 --- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h +++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.h @@ -241,6 +241,7 @@ struct dccg *dccg35_create( void dccg35_init(struct dccg *dccg); void dccg35_enable_global_fgcg_rep(struct dccg *dccg, bool value); +void dccg35_root_gate_disable_control(struct dccg *dccg, uint32_t pipe_idx, uint32_t disable_clock_gating); #endif //__DCN35_DCCG_H__ diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c index fbbb20b9dbee..7ed75c5fe25e 100644 --- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c @@ -271,6 +271,10 @@ void dcn35_init_hw(struct dc *dc) dc->res_pool->hubbub->funcs->allow_self_refresh_control(dc->res_pool->hubbub, !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter); } + if (res_pool->dccg->funcs->dccg_root_gate_disable_control) { + for (i = 0; i < res_pool->pipe_count; i++) + res_pool->dccg->funcs->dccg_root_gate_disable_control(res_pool->dccg, i, 0); + } for (i = 0; i < res_pool->audio_count; i++) { struct audio *audio = res_pool->audios[i]; diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h b/drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h index d619eb229a62..e94e9ba60f55 100644 --- a/drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h +++ b/drivers/gpu/drm/amd/display/dc/inc/hw/dccg.h @@ -213,6 +213,7 @@ struct dccg_funcs { uint32_t otg_inst); void (*set_dto_dscclk)(struct dccg *dccg, uint32_t dsc_inst); void 
(*set_ref_dscclk)(struct dccg *dccg, uint32_t dsc_inst); + void (*dccg_root_gate_disable_control)(struct dccg *dccg, uint32_t pipe_idx, uint32_t disable_clock_gating); }; #endif //__DAL_DCCG_H__ -- 2.46.0

10 months, 3 weeks

[PATCH 03/14] drm/amd/display: Lock DC and exit IPS when changing backlight

by Hamza Mahfooz

From: Leo Li <sunpeng.li(a)amd.com>

Backlight updates require aux and/or register access. Therefore, the
driver needs to disallow IPS beforehand.

So, acquire the dc lock before calling into dc to update backlight - we
should be doing this regardless of IPS. Then, while the lock is held,
disallow IPS before calling into dc, then allow IPS afterwards (if it
was previously allowed).

Cc: stable(a)vger.kernel.org # 6.10+
Reviewed-by: Aurabindo Pillai <aurabindo.pillai(a)amd.com>
Reviewed-by: Roman Li <roman.li(a)amd.com>
Signed-off-by: Leo Li <sunpeng.li(a)amd.com>
Signed-off-by: Hamza Mahfooz <hamza.mahfooz(a)amd.com>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 351f8b0fe7a1..fa26b8d59f23 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4512,7 +4512,7 @@ static void amdgpu_dm_backlight_set_level(struct amdgpu_display_manager *dm,
 	struct amdgpu_dm_backlight_caps caps;
 	struct dc_link *link;
 	u32 brightness;
-	bool rc;
+	bool rc, reallow_idle = false;

 	amdgpu_dm_update_backlight_caps(dm, bl_idx);
 	caps = dm->backlight_caps[bl_idx];
@@ -4525,6 +4525,12 @@ static void amdgpu_dm_backlight_set_level(struct amdgpu_display_manager *dm,
 	link = (struct dc_link *)dm->backlight_link[bl_idx];

 	/* Change brightness based on AUX property */
+	mutex_lock(&dm->dc_lock);
+	if (dm->dc->caps.ips_support && dm->dc->ctx->dmub_srv->idle_allowed) {
+		dc_allow_idle_optimizations(dm->dc, false);
+		reallow_idle = true;
+	}
+
 	if (caps.aux_support) {
 		rc = dc_link_set_backlight_level_nits(link, true, brightness,
 						      AUX_BL_DEFAULT_TRANSITION_TIME_MS);
@@ -4536,6 +4542,11 @@ static void amdgpu_dm_backlight_set_level(struct amdgpu_display_manager *dm,
 			DRM_DEBUG("DM: Failed to update backlight on eDP[%d]\n", bl_idx);
 	}

+	if (dm->dc->caps.ips_support && reallow_idle)
+		dc_allow_idle_optimizations(dm->dc, true);
+
+	mutex_unlock(&dm->dc_lock);
+
 	if (rc)
 		dm->actual_brightness[bl_idx] = user_brightness;
 }
--
2.46.0
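
The "disallow idle, touch hardware, re-allow idle only if it was allowed before" sequence can be sketched on its own. Everything below is a hypothetical model: `struct toy_dc` replaces the real DC state, and a plain boolean stands in for the dc lock.

```c
#include <assert.h>
#include <stdbool.h>

/* Hypothetical model of the display core state relevant to this patch. */
struct toy_dc {
	bool ips_support;
	bool idle_allowed;
	bool locked;			/* stands in for dm->dc_lock */
	int hw_accesses_while_idle;	/* counts the bug we want to avoid */
	int brightness;
};

static void toy_allow_idle(struct toy_dc *dc, bool allow)
{
	dc->idle_allowed = allow;
}

/* Register/AUX access; touching hardware while idle is allowed is the bug. */
static void toy_hw_set_backlight(struct toy_dc *dc, int level)
{
	if (dc->idle_allowed)
		dc->hw_accesses_while_idle++;
	dc->brightness = level;
}

static void toy_backlight_set_level(struct toy_dc *dc, int level)
{
	bool reallow_idle = false;

	assert(!dc->locked);
	dc->locked = true;

	if (dc->ips_support && dc->idle_allowed) {
		toy_allow_idle(dc, false);
		reallow_idle = true;
	}

	toy_hw_set_backlight(dc, level);

	/* Restore the previous state rather than unconditionally allowing. */
	if (dc->ips_support && reallow_idle)
		toy_allow_idle(dc, true);

	dc->locked = false;
}
```

Remembering the prior state in `reallow_idle` keeps the function from enabling idle optimizations for a caller that had them disabled for its own reasons.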

10 months, 3 weeks

[PATCH] drm/amdgpu/mes: fix mes ring buffer overflow

by Alex Deucher

From: Jack Xiao <Jack.Xiao(a)amd.com>

Wait until there is enough room in the ring before writing MES packets,
to avoid ring buffer overflow.

v2: squash in sched_hw_submission fix

Backport from 6.11.

Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3571
Fixes: de3246254156 ("drm/amdgpu: cleanup MES11 command submission")
Fixes: fffe347e1478 ("drm/amdgpu: cleanup MES12 command submission")
Signed-off-by: Jack Xiao <Jack.Xiao(a)amd.com>
Acked-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
(cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13)
Cc: stable(a)vger.kernel.org # 6.10.x
(cherry picked from commit 11752c013f562a1124088a35bd314aa0e9f0e88f)
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c |  2 ++
 drivers/gpu/drm/amd/amdgpu/mes_v11_0.c   | 18 ++++++++++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
index 06f0a6534a94..88ffb15e25cc 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
@@ -212,6 +212,8 @@ int amdgpu_ring_init(struct amdgpu_device *adev, struct amdgpu_ring *ring,
 	 */
 	if (ring->funcs->type == AMDGPU_RING_TYPE_KIQ)
 		sched_hw_submission = max(sched_hw_submission, 256);
+	if (ring->funcs->type == AMDGPU_RING_TYPE_MES)
+		sched_hw_submission = 8;
 	else if (ring == &adev->sdma.instance[0].page)
 		sched_hw_submission = 256;
 
diff --git a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
index 32d4519541c6..e1a66d585f5e 100644
--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
@@ -163,7 +163,7 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes,
 	const char *op_str, *misc_op_str;
 	unsigned long flags;
 	u64 status_gpu_addr;
-	u32 status_offset;
+	u32 seq, status_offset;
 	u64 *status_ptr;
 	signed long r;
 	int ret;
@@ -191,6 +191,13 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes,
 	if (r)
 		goto error_unlock_free;
 
+	seq = ++ring->fence_drv.sync_seq;
+	r = amdgpu_fence_wait_polling(ring,
+				      seq - ring->fence_drv.num_fences_mask,
+				      timeout);
+	if (r < 1)
+		goto error_undo;
+
 	api_status = (struct MES_API_STATUS *)((char *)pkt + api_status_off);
 	api_status->api_completion_fence_addr = status_gpu_addr;
 	api_status->api_completion_fence_value = 1;
@@ -203,8 +210,7 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes,
 	mes_status_pkt.header.dwsize = API_FRAME_SIZE_IN_DWORDS;
 	mes_status_pkt.api_status.api_completion_fence_addr =
 		ring->fence_drv.gpu_addr;
-	mes_status_pkt.api_status.api_completion_fence_value =
-		++ring->fence_drv.sync_seq;
+	mes_status_pkt.api_status.api_completion_fence_value = seq;
 
 	amdgpu_ring_write_multiple(ring, &mes_status_pkt,
 				   sizeof(mes_status_pkt) / 4);
@@ -224,7 +230,7 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes,
 	dev_dbg(adev->dev, "MES msg=%d was emitted\n",
 		x_pkt->header.opcode);
 
-	r = amdgpu_fence_wait_polling(ring, ring->fence_drv.sync_seq, timeout);
+	r = amdgpu_fence_wait_polling(ring, seq, timeout);
 	if (r < 1 || !*status_ptr) {
 
 		if (misc_op_str)
@@ -247,6 +253,10 @@ static int mes_v11_0_submit_pkt_and_poll_completion(struct amdgpu_mes *mes,
 	amdgpu_device_wb_free(adev, status_offset);
 	return 0;
 
+error_undo:
+	dev_err(adev->dev, "MES ring buffer is full.\n");
+	amdgpu_ring_undo(ring);
+
 error_unlock_free:
 	spin_unlock_irqrestore(&mes->ring_lock, flags);
 
-- 
2.46.0
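The reservation step in this patch (take the next sequence number, then make sure the submission one lap earlier has completed) can be illustrated outside the kernel. The following is only a minimal user-space sketch under stated assumptions: `toy_ring`, `toy_seq_reached` and `toy_ring_reserve` are hypothetical names and not amdgpu API, the slot count is assumed to be a power of two, and the sketch fails immediately when the ring is full instead of polling with a timeout as the patch does.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for a ring's fence bookkeeping. */
struct toy_ring {
	uint32_t sync_seq;        /* last sequence number handed out */
	uint32_t completed_seq;   /* last sequence number the consumer finished */
	uint32_t num_fences_mask; /* slot count minus one (power-of-two slots) */
};

/* True if a is at or past b, tolerating 32-bit wraparound. */
static bool toy_seq_reached(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) >= 0;
}

/*
 * Reserve the next sequence number only if the submission issued
 * num_fences_mask entries earlier has completed. On a full ring the
 * state is left untouched and false is returned.
 */
static bool toy_ring_reserve(struct toy_ring *ring, uint32_t *seq_out)
{
	uint32_t seq;

	assert(ring != NULL && seq_out != NULL);

	seq = ring->sync_seq + 1;
	if (!toy_seq_reached(ring->completed_seq, seq - ring->num_fences_mask))
		return false;

	ring->sync_seq = seq;
	*seq_out = seq;
	return true;
}
```

With a mask of 7, this sketch allows seven submissions to be outstanding and refuses the eighth until the consumer has advanced `completed_seq`.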

10 months, 3 weeks


[PATCH v2 1/2] ufs: core: complete scsi command after release

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com>

When the error handler successfully aborts an MCQ request, it only
releases the command and does not notify the SCSI layer. This may cause
another abort after the 30-second timeout. This patch notifies the SCSI
layer to requeue the request.

Below is the error log:

[ 14.183804][ T74] ufshcd-mtk 112b0000.ufshci: ufshcd_err_handler started; HBA state eh_non_fatal; powered 1; shutting down 0; saved_err = 4; saved_uic_err = 64; force_reset = 0
[ 14.256164][ T74] ufshcd-mtk 112b0000.ufshci: ufshcd_try_to_abort_task: cmd pending in the device. tag = 19
[ 14.257511][ T74] ufshcd-mtk 112b0000.ufshci: Aborting tag 19 / CDB 0x35 succeeded
[ 34.287949][ T8] ufshcd-mtk 112b0000.ufshci: ufshcd_abort: Device abort task at tag 19
[ 34.290514][ T8] ufshcd-mtk 112b0000.ufshci: ufshcd_mcq_abort: skip abort. cmd at tag 19 already completed.

Fixes: 93e6c0e19d5b ("scsi: ufs: core: Clear cmd if abort succeeds in MCQ mode")
Cc: <stable(a)vger.kernel.org> 6.6.x
Signed-off-by: Peter Wang <peter.wang(a)mediatek.com>
---
 drivers/ufs/core/ufshcd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 0b3d0c8e0dda..4bcd4e5b62bd 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -6482,8 +6482,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv)
 		if (!hwq)
 			return 0;
 		spin_lock_irqsave(&hwq->cq_lock, flags);
-		if (ufshcd_cmd_inflight(lrbp->cmd))
+		if (ufshcd_cmd_inflight(lrbp->cmd)) {
+			struct scsi_cmnd *cmd = lrbp->cmd;
+			set_host_byte(cmd, DID_REQUEUE);
 			ufshcd_release_scsi_cmd(hba, lrbp);
+			scsi_done(cmd);
+		}
 		spin_unlock_irqrestore(&hwq->cq_lock, flags);
 	}
 
-- 
2.45.2

10 months, 3 weeks


[PATCH 6.6.y] NFSD: simplify error paths in nfsd_svc()

by cel＠kernel.org

From: NeilBrown <neilb(a)suse.de> [ Upstream commit bf32075256e9dd9c6b736859e2c5813981339908 ] The error paths in nfsd_svc() are needlessly complex and can result in a final call to svc_put() without nfsd_last_thread() being called. This results in the listening sockets not being closed properly. The per-netns setup provided by nfsd_startup_new() and removed by nfsd_shutdown_net() is needed precisely when there are running threads. So we don't need nfsd_up_before. We don't need to know if it *was* up. We only need to know if any threads are left. If none are, then we must call nfsd_shutdown_net(). But we don't need to do that explicitly as nfsd_last_thread() does that for us. So simply call nfsd_last_thread() before the last svc_put() if there are no running threads. That will always do the right thing. Also discard: pr_info("nfsd: last server has exited, flushing export cache\n"); It may not be true if an attempt to start the first server failed, and it isn't particularly helpful and it simply reports normal behaviour. 
Signed-off-by: NeilBrown <neilb(a)suse.de> Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> --- fs/nfsd/nfssvc.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) Reported-by: Li Lingfeng <lilingfeng3(a)huawei.com> Suggested-by: Li Lingfeng <lilingfeng3(a)huawei.com> Tested-by: Li Lingfeng <lilingfeng3(a)huawei.com> diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c index 7911c4b3b5d3..710a54c7dffc 100644 --- a/fs/nfsd/nfssvc.c +++ b/fs/nfsd/nfssvc.c @@ -567,7 +567,6 @@ void nfsd_last_thread(struct net *net) return; nfsd_shutdown_net(net); - pr_info("nfsd: last server has exited, flushing export cache\n"); nfsd_export_flush(net); } @@ -783,7 +782,6 @@ int nfsd_svc(int nrservs, struct net *net, const struct cred *cred) { int error; - bool nfsd_up_before; struct nfsd_net *nn = net_generic(net, nfsd_net_id); struct svc_serv *serv; @@ -803,8 +801,6 @@ nfsd_svc(int nrservs, struct net *net, const struct cred *cred) error = nfsd_create_serv(net); if (error) goto out; - - nfsd_up_before = nn->nfsd_net_up; serv = nn->nfsd_serv; error = nfsd_startup_net(net, cred); @@ -812,17 +808,15 @@ nfsd_svc(int nrservs, struct net *net, const struct cred *cred) goto out_put; error = svc_set_num_threads(serv, NULL, nrservs); if (error) - goto out_shutdown; + goto out_put; error = serv->sv_nrthreads; - if (error == 0) - nfsd_last_thread(net); -out_shutdown: - if (error < 0 && !nfsd_up_before) - nfsd_shutdown_net(net); out_put: /* Threads now hold service active */ if (xchg(&nn->keep_active, 0)) svc_put(serv); + + if (serv->sv_nrthreads == 0) + nfsd_last_thread(net); svc_put(serv); out: mutex_unlock(&nfsd_mutex); -- 2.45.1

10 months, 3 weeks


Backport request to fix a WARNING in input_mt_init_slots

by George Kennedy

Hello, We have seen a WARNING message while fuzzing with syzkaller. Kernel 5.15.165 on an x86_64 ------------[ cut here ]------------ WARNING: CPU: 1 PID: 1592 at mm/page_alloc.c:5398 __alloc_pages+0x4aa/0x5b0 mm/page_alloc.c:5398 Modules linked in: CPU: 1 PID: 1592 Comm: syz-executor777 Not tainted 5.15.165-rc1-305-ge122be7431ef1-syzk #1 Hardware name: Red Hat KVM, BIOS 1.16.0-4.module+el8.9.0+90052+d3bf71d8 04/01/2014 RIP: 0010:__alloc_pages+0x4aa/0x5b0 mm/page_alloc.c:5398 Code: 00 48 89 44 24 58 e9 fa fc ff ff 48 89 f2 48 89 c7 44 89 c6 e8 77 32 f2 ff 49 89 c7 e9 72 fd ff ff 80 e7 20 0f 85 d8 fe ff ff <0f> 0b e9 d1 fe ff ff a9 00 00 08 00 75 48 89 da 80 e2 7f a9 00 00 RSP: 0018:ffff88801c18fb58 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000400c0 RCX: 0000000000000000 RDX: dffffc0000000000 RSI: 0000000000000017 RDI: 0000000000040dc0 RBP: 1ffff11003831f6f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000017 R14: 0000000000000000 R15: 0000000000000000 FS: 00007ff8aaa97740(0000) GS:ffff888107080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff8aa38a520 CR3: 0000000022534000 CR4: 00000000000006e0 Call Trace: <TASK> alloc_pages+0x21e/0x3d0 mm/mempolicy.c:2185 kmalloc_order+0x31/0xb0 mm/slab_common.c:966 kmalloc_order_trace+0x19/0xa0 mm/slab_common.c:982 kmalloc include/linux/slab.h:596 [inline] kzalloc include/linux/slab.h:721 [inline] input_mt_init_slots+0xf6/0x620 drivers/input/input-mt.c:49 uinput_create_device+0x1e6/0x6e0 drivers/input/misc/uinput.c:327 uinput_ioctl_handler.isra.0+0x46f/0x15e0 drivers/input/misc/uinput.c:870 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x199/0x220 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6c/0xd6 RIP: 
0033:0x7ff8aa38a53d Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 79 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffc7eebe838 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff8aa38a53d RDX: 0000000000000000 RSI: 0000000000005501 RDI: 0000000000000003 RBP: 00000000004017a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 431bde82d7b634db R13: 00007ffc7eebe960 R14: 0000000000000000 R15: 0000000000000000 </TASK> ---[ end trace ced5c0b641032976 ]--- Fix commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… Can you please backport this commit to stable kernels on 5.15.y (and other stable kernels 6.1.y, 6.6.y) commit: 99d3bf5f7377 ("Input: MT - limit max slots") author Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> 2024-07-29 21:51:30 +0900 committer Linus Torvalds <torvalds(a)linux-foundation.org> 2024-07-29 10:44:48 -0700 commit 99d3bf5f7377d42f8be60a6b9cb60fb0be34dceb (patch) tree 78dd9dff2065f2eaf5a9e981f84d56eed2346d10 parent 3894840a7a11aa06cc3b0d5a2d1b5f6878127903 (diff) download linux-99d3bf5f7377d42f8be60a6b9cb60fb0be34dceb.tar.gz Input: MT - limit max slots syzbot is reporting too large allocation at input_mt_init_slots(), for num_slots is supplied from userspace using ioctl(UI_DEV_CREATE). Since nobody knows possible max slots, this patch chose 1024. 
Reported-by: syzbot <syzbot+0122fa359a69694395d5(a)syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5 Suggested-by: Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Diffstat -rw-r--r-- drivers/input/input-mt.c 3 1 files changed, 3 insertions, 0 deletions diff --git a/drivers/input/input-mt.c b/drivers/input/input-mt.c index 14b53dac1253bf..6b04a674f832a0 100644 --- a/drivers/input/input-mt.c +++ b/drivers/input/input-mt.c @@ -46,6 +46,9 @@ int input_mt_init_slots(struct input_dev *dev, unsigned int num_slots, return 0; if (mt) return mt->num_slots != num_slots ? -EINVAL : 0; + /* Arbitrary limit for avoiding too large memory allocation. */ + if (num_slots > 1024) + return -EINVAL; mt = kzalloc(struct_size(mt, slots, num_slots), GFP_KERNEL); if (!mt)
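The fix follows a common pattern: reject an untrusted element count before it is used to size an allocation. Below is a minimal user-space sketch of that pattern, not the kernel code. `toy_mt`, `toy_slot`, `toy_mt_alloc` and `TOY_MAX_SLOTS` are hypothetical names; the cap of 1024 mirrors the value chosen in the patch, and rejecting a count of zero is a choice made for this sketch only (the kernel function returns 0 early in that case).

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define TOY_MAX_SLOTS 1024u /* same arbitrary cap as in the patch */

struct toy_slot {
	int abs[16];
};

struct toy_mt {
	unsigned int num_slots;
	struct toy_slot slots[]; /* flexible array, sized at allocation time */
};

/*
 * Allocate a slot table for a caller-supplied count.
 * Returns 0 and stores the table in *out, or a negative errno value.
 */
static int toy_mt_alloc(unsigned int num_slots, struct toy_mt **out)
{
	struct toy_mt *mt;

	assert(out != NULL);

	/* Validate before computing any size from the untrusted value. */
	if (num_slots == 0 || num_slots > TOY_MAX_SLOTS)
		return -EINVAL;

	/* Cannot overflow: num_slots is at most TOY_MAX_SLOTS here. */
	mt = calloc(1, sizeof(*mt) + (size_t)num_slots * sizeof(mt->slots[0]));
	if (!mt)
		return -ENOMEM;

	mt->num_slots = num_slots;
	*out = mt;
	return 0;
}
```

Checking the count first keeps the size computation small and bounded, so the allocator is never asked for an unreasonably large block.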

10 months, 3 weeks


[PATCH 1/2] firmware: tegra: bpmp: drop unused mbox_client_to_bpmp()

by Krzysztof Kozlowski

mbox_client_to_bpmp() is not used, W=1 builds:

  drivers/firmware/tegra/bpmp.c:28:1: error: unused function 'mbox_client_to_bpmp' [-Werror,-Wunused-function]

Fixes: cdfa358b248e ("firmware: tegra: Refactor BPMP driver")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
---
 drivers/firmware/tegra/bpmp.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/drivers/firmware/tegra/bpmp.c b/drivers/firmware/tegra/bpmp.c
index c1590d3aa9cb..c3a1dc344961 100644
--- a/drivers/firmware/tegra/bpmp.c
+++ b/drivers/firmware/tegra/bpmp.c
@@ -24,12 +24,6 @@
 #define MSG_RING	BIT(1)
 #define TAG_SZ		32
 
-static inline struct tegra_bpmp *
-mbox_client_to_bpmp(struct mbox_client *client)
-{
-	return container_of(client, struct tegra_bpmp, mbox.client);
-}
-
 static inline const struct tegra_bpmp_ops *
 channel_to_ops(struct tegra_bpmp_channel *channel)
 {
-- 
2.43.0

10 months, 3 weeks


FAILED: patch "[PATCH] igc: Fix qbv tx latency by setting gtxoffset" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082754-tricking-facsimile-011e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 6c3fc0b1c3d0 ("igc: Fix qbv tx latency by setting gtxoffset") 790835fcc0cb ("igc: Correct the launchtime offset") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001 From: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Date: Sun, 7 Jul 2024 08:53:18 -0400 Subject: [PATCH] igc: Fix qbv tx latency by setting gtxoffset A large tx latency issue was discovered during testing when only QBV was enabled. The issue occurs because gtxoffset was not set when QBV is active, it was only set when launch time is active. The patch "igc: Correct the launchtime offset" only sets gtxoffset when the launchtime_enable field is set by the user. Enabling launchtime_enable ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as LaunchT in the SW user manual). Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states: "The latency between transmission scheduling (launch time) and the time the packet is transmitted to the network is listed in Table 7-61." 
However, the patch misinterprets the phrase "launch time" in that section by assuming it specifically refers to the LaunchT register, whereas it actually denotes the generic term for when a packet is released from the internal buffer to the MAC transmit logic. This launch time, as per that section, also implicitly refers to the QBV gate open time, where a packet waits in the buffer for the QBV gate to open. Therefore, latency applies whenever QBV is in use. TSN features such as QBU and QAV reuse QBV, making the latency universal to TSN features. Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that the term "launch time" used in Section 7.5.2.6 is not clear and can be easily misinterpreted. Avi will update this section to: "When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission scheduling and the time the packet is transmitted to the network is listed in Table 7-61." Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to write to gtxoffset, aligning with the newly updated SW User Manual. Tested: 1. Enrol taprio on talker board base-time 0 cycle-time 1000000 flags 0x2 index 0 cmd S gatemask 0x1 interval1 index 0 cmd S gatemask 0x1 interval2 Note: interval1 = interval for a 64 bytes packet to go through interval2 = cycle-time - interval1 2. Take tcpdump on listener board 3. Use udp tai app on talker to send packets to listener 4. Check the timestamp on listener via wireshark Test Result: 100 Mbps: 113 ~193 ns 1000 Mbps: 52 ~ 84 ns 2500 Mbps: 95 ~ 223 ns Note that the test result is similar to the patch "igc: Correct the launchtime offset". 
Fixes: 790835fcc0cb ("igc: Correct the launchtime offset") Signed-off-by: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c index ada751430517..d68fa7f3d5f0 100644 --- a/drivers/net/ethernet/intel/igc/igc_tsn.c +++ b/drivers/net/ethernet/intel/igc/igc_tsn.c @@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter) struct igc_hw *hw = &adapter->hw; u16 txoffset; - if (!is_any_launchtime(adapter)) + if (!igc_tsn_is_tx_mode_in_tsn(adapter)) return; switch (adapter->link_speed) {
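The test setup above derives interval1 from the time a 64-byte packet needs to go through and interval2 as the remainder of the cycle. A minimal sketch of that arithmetic follows. The names `toy_wire_time_ns` and `toy_split_cycle` are hypothetical, and the sketch assumes interval1 is the raw serialization time of the given byte count; whether the original test also accounted for preamble and inter-frame gap is not stated, so the caller chooses the byte count.

```c
#include <assert.h>
#include <stdint.h>

/* Serialization time in ns for frame_bytes at speed_mbps, rounded up. */
static uint64_t toy_wire_time_ns(uint32_t frame_bytes, uint32_t speed_mbps)
{
	uint64_t bits = (uint64_t)frame_bytes * 8;

	assert(speed_mbps != 0);
	/* bits / (Mbit/s) gives microseconds; scale to ns before dividing. */
	return (bits * 1000 + speed_mbps - 1) / speed_mbps;
}

struct toy_intervals {
	uint64_t interval1_ns; /* time for one frame to go through */
	uint64_t interval2_ns; /* rest of the cycle */
};

/* Split a cycle as in the test notes: interval2 = cycle-time - interval1. */
static struct toy_intervals toy_split_cycle(uint64_t cycle_ns,
					    uint32_t frame_bytes,
					    uint32_t speed_mbps)
{
	struct toy_intervals iv;

	iv.interval1_ns = toy_wire_time_ns(frame_bytes, speed_mbps);
	assert(iv.interval1_ns < cycle_ns);
	iv.interval2_ns = cycle_ns - iv.interval1_ns;
	return iv;
}
```

For the cycle-time of 1000000 ns used in the test and a 64-byte frame at 1000 Mbps, this gives interval1 = 512 ns and interval2 = 999488 ns under the assumptions above.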

10 months, 3 weeks


FAILED: patch "[PATCH] igc: Fix qbv tx latency by setting gtxoffset" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082732-calculus-unviable-28eb@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 6c3fc0b1c3d0 ("igc: Fix qbv tx latency by setting gtxoffset") 790835fcc0cb ("igc: Correct the launchtime offset") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001 From: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Date: Sun, 7 Jul 2024 08:53:18 -0400 Subject: [PATCH] igc: Fix qbv tx latency by setting gtxoffset A large tx latency issue was discovered during testing when only QBV was enabled. The issue occurs because gtxoffset was not set when QBV is active, it was only set when launch time is active. The patch "igc: Correct the launchtime offset" only sets gtxoffset when the launchtime_enable field is set by the user. Enabling launchtime_enable ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as LaunchT in the SW user manual). Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states: "The latency between transmission scheduling (launch time) and the time the packet is transmitted to the network is listed in Table 7-61." 
However, the patch misinterprets the phrase "launch time" in that section by assuming it specifically refers to the LaunchT register, whereas it actually denotes the generic term for when a packet is released from the internal buffer to the MAC transmit logic. This launch time, as per that section, also implicitly refers to the QBV gate open time, where a packet waits in the buffer for the QBV gate to open. Therefore, latency applies whenever QBV is in use. TSN features such as QBU and QAV reuse QBV, making the latency universal to TSN features. Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that the term "launch time" used in Section 7.5.2.6 is not clear and can be easily misinterpreted. Avi will update this section to: "When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission scheduling and the time the packet is transmitted to the network is listed in Table 7-61." Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to write to gtxoffset, aligning with the newly updated SW User Manual. Tested: 1. Enrol taprio on talker board base-time 0 cycle-time 1000000 flags 0x2 index 0 cmd S gatemask 0x1 interval1 index 0 cmd S gatemask 0x1 interval2 Note: interval1 = interval for a 64 bytes packet to go through interval2 = cycle-time - interval1 2. Take tcpdump on listener board 3. Use udp tai app on talker to send packets to listener 4. Check the timestamp on listener via wireshark Test Result: 100 Mbps: 113 ~193 ns 1000 Mbps: 52 ~ 84 ns 2500 Mbps: 95 ~ 223 ns Note that the test result is similar to the patch "igc: Correct the launchtime offset". 
Fixes: 790835fcc0cb ("igc: Correct the launchtime offset") Signed-off-by: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c index ada751430517..d68fa7f3d5f0 100644 --- a/drivers/net/ethernet/intel/igc/igc_tsn.c +++ b/drivers/net/ethernet/intel/igc/igc_tsn.c @@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter) struct igc_hw *hw = &adapter->hw; u16 txoffset; - if (!is_any_launchtime(adapter)) + if (!igc_tsn_is_tx_mode_in_tsn(adapter)) return; switch (adapter->link_speed) {

10 months, 3 weeks


[PATCH for stable 0/2] ASoC: topology: Fix loading topology issue

by Amadeusz Sławiński

Commit 97ab304ecd95 ("ASoC: topology: Fix references to freed memory")
is a problematic fix for an issue in the topology loading code, which
was cherry-picked to stable. It was later corrected in
0298f51652be ("ASoC: topology: Fix route memory corruption"); however,
for that fix to apply cleanly, e0e7bc2cbee9 ("ASoC: topology: Clean up
route loading") also needs to be applied.

Link: https://lore.kernel.org/linux-sound/ZrwUCnrtKQ61LWFS@sashalap/T/#mbfd273adf…

Amadeusz Sławiński (2):
  ASoC: topology: Clean up route loading
  ASoC: topology: Fix route memory corruption

 sound/soc/soc-topology.c | 32 ++++++++------------------------
 1 file changed, 8 insertions(+), 24 deletions(-)

base-commit: 878fbff41def4649a2884e9d33bb423f5a7726b0
-- 
2.34.1

10 months, 3 weeks


"s390/dasd: Remove DMA alignment" for stable

by Jan Höppner

Hi,

the stable tag was missing for the following commit:

commit 2a07bb64d801 ("s390/dasd: Remove DMA alignment")

The change needs to be applied for kernel 6.0+ essentially reverting
bc792884b76f ("s390/dasd: Establish DMA alignment").
The patch fixes filesystem errors especially for XFS when DASD devices
are formatted with a blocksize smaller than 4096 bytes.

The commit 2a07bb64d801 ("s390/dasd: Remove DMA alignment") should
apply cleanly for kernel 6.9+.
There was a refactoring happening at the time with the following two
commits (just for context, not required as prereqs!):

commit 0127a47f58c6 ("dasd: move queue setup to common code")
commit fde07a4d74e3 ("dasd: use the atomic queue limits API")

For everything before 6.9 a simple git revert for commit
bc792884b76f ("s390/dasd: Establish DMA alignment") should work just fine.

If you run into any conflicts, need separate patches, or have any
questions, please let me know.

Thanks a lot and apologies for the inconvenience!

regards,
Jan

10 months, 3 weeks


[PATCH 6.1 0/2] VCN power saving improvements

by Mario Limonciello

From: Mario Limonciello <mario.limonciello(a)amd.com>

This is a backport of patches from 6.11-rc1 that improve power savings
for VCN when hardware accelerated video playback is active.

Boyuan Zhang (2):
  drm/amdgpu/vcn: identify unified queue in sw init
  drm/amdgpu/vcn: not pause dpg for unified queue

 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 ++++++++++++-------------
 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h |  1 +
 2 files changed, 27 insertions(+), 27 deletions(-)

-- 
2.43.0

10 months, 3 weeks


[PATCH 6.1.y 5.15.y 5.10.y 5.4.y 4.19.y] Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO

by Harshit Mogalapalli

From: "Lee, Chun-Yi" <joeyli.kernel(a)gmail.com>

commit 9c33663af9ad115f90c076a1828129a3fbadea98 upstream.

This patch adds code to check the HCI_UART_PROTO_READY flag before
accessing hci_uart->proto. It fixes the race condition in
hci_uart_tty_ioctl() between HCIUARTSETPROTO and HCIUARTGETPROTO.
This bug was found by Yu Hao and Weiteng Chen:

BUG: general protection fault in hci_uart_tty_ioctl [1]

Information about the C reproducer is available at link [2].

Reported-by: Yu Hao <yhao016(a)ucr.edu>
Closes: https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDe… [1]
Reported-by: Weiteng Chen <wchen130(a)ucr.edu>
Closes: https://lore.kernel.org/lkml/CA+UBctDPEvHdkHMwD340=n02rh+jNRJNNQ5LBZNA+Wm4K… [2]
Signed-off-by: "Lee, Chun-Yi" <jlee(a)suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com>
[Harshit: bp to stable kernels]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com>
---
This is a backport of a fix for CVE-2023-31083. It applies cleanly to
all stable trees and I have build-tested it.

 drivers/bluetooth/hci_ldisc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 865112e96ff9..c1feebd9e3a0 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -770,7 +770,8 @@ static int hci_uart_tty_ioctl(struct tty_struct *tty, unsigned int cmd,
 		break;
 
 	case HCIUARTGETPROTO:
-		if (test_bit(HCI_UART_PROTO_SET, &hu->flags))
+		if (test_bit(HCI_UART_PROTO_SET, &hu->flags) &&
+		    test_bit(HCI_UART_PROTO_READY, &hu->flags))
 			err = hu->proto->id;
 		else
 			err = -EUNATCH;
-- 
2.45.2
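The shape of the fix is a guard that requires both state flags before a pointer is dereferenced. The sketch below shows only that guard in plain user-space C. The names `toy_uart`, `toy_proto`, `toy_get_proto` and `TOY_ERR_UNATTACHED` are hypothetical, the error constant merely stands in for -EUNATCH, and the sketch is single-threaded, so it does not model the race between the two ioctls itself.

```c
#include <assert.h>
#include <stddef.h>

enum {
	TOY_PROTO_SET   = 1u << 0, /* a protocol has been selected */
	TOY_PROTO_READY = 1u << 1, /* the proto pointer is safe to use */
};

#define TOY_ERR_UNATTACHED (-1) /* stand-in for -EUNATCH */

struct toy_proto {
	int id;
};

struct toy_uart {
	unsigned int flags;
	const struct toy_proto *proto; /* only valid once READY is set */
};

/* Return the protocol id, or an error unless both flags are set. */
static int toy_get_proto(const struct toy_uart *hu)
{
	const unsigned int need = TOY_PROTO_SET | TOY_PROTO_READY;

	assert(hu != NULL);

	if ((hu->flags & need) != need)
		return TOY_ERR_UNATTACHED;

	return hu->proto->id;
}
```

In this sketch a device with only `TOY_PROTO_SET` and a NULL `proto` returns the error instead of dereferencing the pointer, which is the window the patch closes.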

10 months, 3 weeks


FAILED: patch "[PATCH] net: ngbe: Fix phy mode set to external phy" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x f2916c83d746eb99f50f42c15cf4c47c2ea5f3b3
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082635-dislike-tipping-1bee@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..

Possible dependencies:

f2916c83d746 ("net: ngbe: Fix phy mode set to external phy")
bc2426d74aa3 ("net: ngbe: convert phylib to phylink")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From f2916c83d746eb99f50f42c15cf4c47c2ea5f3b3 Mon Sep 17 00:00:00 2001
From: Mengyuan Lou <mengyuanlou(a)net-swift.com>
Date: Tue, 20 Aug 2024 11:04:25 +0800
Subject: [PATCH] net: ngbe: Fix phy mode set to external phy

The MAC always adds the TX delay, and this cannot be changed. If both
the MAC and the PHY add the TX delay, transmission problems occur. So
disable the TX delay in the PHY: when RGMII is used to attach to an
external PHY, pass PHY_INTERFACE_MODE_RGMII_RXID to the PHY driver.
This makes no difference for the internal PHY.

Fixes: bc2426d74aa3 ("net: ngbe: convert phylib to phylink")
Signed-off-by: Mengyuan Lou <mengyuanlou(a)net-swift.com>
Cc: stable(a)vger.kernel.org # 6.3+
Reviewed-by: Jacob Keller <jacob.e.keller(a)intel.com>
Link: https://patch.msgid.link/E6759CF1387CF84C+20240820030425.93003-1-mengyuanlo…
Signed-off-by: Paolo Abeni <pabeni(a)redhat.com>

diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c b/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c
index ec54b18c5fe7..a5e9b779c44d 100644
--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c
+++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c
@@ -124,8 +124,12 @@ static int ngbe_phylink_init(struct wx *wx)
 				   MAC_SYM_PAUSE | MAC_ASYM_PAUSE;
 	config->mac_managed_pm = true;
 
-	phy_mode = PHY_INTERFACE_MODE_RGMII_ID;
-	__set_bit(PHY_INTERFACE_MODE_RGMII_ID, config->supported_interfaces);
+	/* The MAC only has add the Tx delay and it can not be modified.
+	 * So just disable TX delay in PHY, and it is does not matter to
+	 * internal phy.
+	 */
+	phy_mode = PHY_INTERFACE_MODE_RGMII_RXID;
+	__set_bit(PHY_INTERFACE_MODE_RGMII_RXID, config->supported_interfaces);
 	phylink = phylink_create(config, NULL, phy_mode, &ngbe_mac_ops);
 	if (IS_ERR(phylink))
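The choice of RGMII_RXID follows from a simple rule: each direction should get its delay from exactly one side. A small sketch of that rule is given below, assuming the board traces add no delay of their own. The `toy_` names are hypothetical and only mirror the meaning of the kernel's PHY_INTERFACE_MODE_RGMII* values, where the suffix names the delays the PHY is asked to add.

```c
#include <assert.h>
#include <stdbool.h>

enum toy_rgmii_mode {
	TOY_RGMII,      /* PHY adds no delay */
	TOY_RGMII_ID,   /* PHY adds both RX and TX delay */
	TOY_RGMII_RXID, /* PHY adds RX delay only */
	TOY_RGMII_TXID, /* PHY adds TX delay only */
};

static bool toy_phy_adds_tx(enum toy_rgmii_mode m)
{
	return m == TOY_RGMII_ID || m == TOY_RGMII_TXID;
}

static bool toy_phy_adds_rx(enum toy_rgmii_mode m)
{
	return m == TOY_RGMII_ID || m == TOY_RGMII_RXID;
}

/* Pick the PHY mode so the PHY supplies only the delays the MAC does not. */
static enum toy_rgmii_mode toy_pick_phy_mode(bool mac_adds_tx, bool mac_adds_rx)
{
	enum toy_rgmii_mode mode;

	if (mac_adds_tx && mac_adds_rx)
		mode = TOY_RGMII;
	else if (mac_adds_tx)
		mode = TOY_RGMII_RXID;
	else if (mac_adds_rx)
		mode = TOY_RGMII_TXID;
	else
		mode = TOY_RGMII_ID;

	/* Exactly one side must supply each delay. */
	assert(toy_phy_adds_tx(mode) != mac_adds_tx);
	assert(toy_phy_adds_rx(mode) != mac_adds_rx);
	return mode;
}
```

For a MAC that always adds the TX delay and never the RX delay, as described in the commit message, the sketch selects the RXID variant.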

10 months, 3 weeks


FAILED: patch "[PATCH] ksmbd: fix race condition between destroy_previous_session()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 76e98a158b207771a6c9a0de0a60522a446a3447 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082626-succulent-engraver-73cd@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 76e98a158b20 ("ksmbd: fix race condition between destroy_previous_session() and smb2 operations()") d484d621d40f ("ksmbd: add durable scavenger timer") c8efcc786146 ("ksmbd: add support for durable handles v1/v2") fa9415d4024f ("ksmbd: mark SMB2_SESSION_EXPIRED to session when destroying previous session") c2a721eead71 ("ksmbd: lazy v2 lease break on smb2_write()") d47d9886aeef ("ksmbd: send v2 lease break notification for directory") eb547407f357 ("ksmbd: downgrade RWH lease caching state to RH for directory") 2e450920d58b ("ksmbd: move oplock handling after unlock parent dir") 4274a9dc6aeb ("ksmbd: separately allocate ci per dentry") 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 76e98a158b207771a6c9a0de0a60522a446a3447 Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Sat, 17 Aug 2024 14:03:49 +0900 Subject: [PATCH] ksmbd: fix race condition between destroy_previous_session() and smb2 operations() If there is ->PreviousSessionId field in the session setup request, The session of the previous connection should be destroyed. 
During this, if the smb2 operation requests in the previous session are being processed, a racy issue could happen with ksmbd_destroy_file_table(). This patch sets conn->status to KSMBD_SESS_NEED_RECONNECT to block incoming operations and waits until on-going operations are complete (i.e. idle) before destroying the previous session. Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2") Cc: stable(a)vger.kernel.org # v6.6+ Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-25040 Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c index 09e1e7771592..7889df8112b4 100644 --- a/fs/smb/server/connection.c +++ b/fs/smb/server/connection.c @@ -165,11 +165,43 @@ void ksmbd_all_conn_set_status(u64 sess_id, u32 status) up_read(&conn_list_lock); } -void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id) +void ksmbd_conn_wait_idle(struct ksmbd_conn *conn) { wait_event(conn->req_running_q, atomic_read(&conn->req_running) < 2); } +int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id) +{ + struct ksmbd_conn *conn; + int rc, retry_count = 0, max_timeout = 120; + int rcount = 1; + +retry_idle: + if (retry_count >= max_timeout) + return -EIO; + + down_read(&conn_list_lock); + list_for_each_entry(conn, &conn_list, conns_list) { + if (conn->binding || xa_load(&conn->sessions, sess_id)) { + if (conn == curr_conn) + rcount = 2; + if (atomic_read(&conn->req_running) >= rcount) { + rc = wait_event_timeout(conn->req_running_q, + atomic_read(&conn->req_running) < rcount, + HZ); + if (!rc) { + up_read(&conn_list_lock); + retry_count++; + goto retry_idle; + } + } + } + } + up_read(&conn_list_lock); + + return 0; +} + int ksmbd_conn_write(struct ksmbd_work *work) { struct ksmbd_conn *conn = work->conn; diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h index 5c2845e47cf2..5b947175c048 100644 --- 
a/fs/smb/server/connection.h +++ b/fs/smb/server/connection.h @@ -145,7 +145,8 @@ extern struct list_head conn_list; extern struct rw_semaphore conn_list_lock; bool ksmbd_conn_alive(struct ksmbd_conn *conn); -void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id); +void ksmbd_conn_wait_idle(struct ksmbd_conn *conn); +int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id); struct ksmbd_conn *ksmbd_conn_alloc(void); void ksmbd_conn_free(struct ksmbd_conn *conn); bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c); diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c index 162a12685d2c..99416ce9f501 100644 --- a/fs/smb/server/mgmt/user_session.c +++ b/fs/smb/server/mgmt/user_session.c @@ -311,6 +311,7 @@ void destroy_previous_session(struct ksmbd_conn *conn, { struct ksmbd_session *prev_sess; struct ksmbd_user *prev_user; + int err; down_write(&sessions_table_lock); down_write(&conn->session_lock); @@ -325,8 +326,16 @@ void destroy_previous_session(struct ksmbd_conn *conn, memcmp(user->passkey, prev_user->passkey, user->passkey_sz)) goto out; + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT); + err = ksmbd_conn_wait_idle_sess_id(conn, id); + if (err) { + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); + goto out; + } + ksmbd_destroy_file_table(&prev_sess->file_table); prev_sess->state = SMB2_SESSION_EXPIRED; + ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE); ksmbd_launch_ksmbd_durable_scavenger(); out: up_write(&conn->session_lock); diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 3f4c56a10a86..cb7f487c96af 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2213,7 +2213,7 @@ int smb2_session_logoff(struct ksmbd_work *work) ksmbd_conn_unlock(conn); ksmbd_close_session_fds(work); - ksmbd_conn_wait_idle(conn, sess_id); + ksmbd_conn_wait_idle(conn); /* * Re-lookup session to validate if session is deleted

10 months, 3 weeks


[PATCH 6.6 0/2] VCN power saving improvements

by Mario Limonciello

From: Mario Limonciello <mario.limonciello(a)amd.com>

This is a backport of patches from 6.11-rc1 that improve power savings for VCN when hardware accelerated video playback is active.

Boyuan Zhang (2):
  drm/amdgpu/vcn: identify unified queue in sw init
  drm/amdgpu/vcn: not pause dpg for unified queue

 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 53 ++++++++++++-------------
 drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.h |  1 +
 2 files changed, 27 insertions(+), 27 deletions(-)

--
2.43.0

10 months, 3 weeks


[PATCH 5.10.y] nfsd: Don't call freezable_schedule_timeout() after each successful page allocation in svc_alloc_arg().

by Kuniyuki Iwashima

When commit 390390240145 ("nfsd: don't allow nfsd threads to be signalled.") was backported to 5.10, it was adjusted to account for commit 3feac2b55293 ("sunrpc: exclude from freezer when waiting for requests:").

However, 3feac2b55293 is based on commit f6e70aab9dfe ("SUNRPC: refresh rq_pages using a bulk page allocator"), which converted page-by-page allocation to a batch allocation, so schedule_timeout() is placed un-nested.

As a result, the backported commit 7229200f6866 ("nfsd: don't allow nfsd threads to be signalled.") placed freezable_schedule_timeout() in the wrong place.

Now, freezable_schedule_timeout() is called after every successful page allocation, and we see a 30%+ performance regression on 5.10.220 in our test suite.

Let's move it to the correct place so that freezable_schedule_timeout() is called only when page allocation fails.

Fixes: 7229200f6866 ("nfsd: don't allow nfsd threads to be signalled.")
Reported-by: Hughdan Liu <hughliu(a)amazon.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu(a)amazon.com>
---
 net/sunrpc/svc_xprt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index d1eacf3358b8..60782504ad3e 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -679,8 +679,8 @@ static int svc_alloc_arg(struct svc_rqst *rqstp)
 					set_current_state(TASK_RUNNING);
 					return -EINTR;
 				}
+				freezable_schedule_timeout(msecs_to_jiffies(500));
 			}
-			freezable_schedule_timeout(msecs_to_jiffies(500));
 			rqstp->rq_pages[i] = p;
 		}
 	rqstp->rq_page_end = &rqstp->rq_pages[i];
--
2.30.2
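The effect of the misplaced call can be seen in a small userspace model that counts how often the loop would sleep. This is a sketch only: `model_alloc_page()`, `model_fill_pages()` and `struct alloc_stats` are hypothetical names, the allocator is a stub that fails a fixed number of times, and the "sleep" is just a counter standing in for freezable_schedule_timeout().

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

struct alloc_stats {
	size_t filled;	/* pages successfully placed in the array */
	size_t sleeps;	/* how many times the loop would have slept */
};

/* Stub allocator: fails while *failures_left > 0, then always succeeds. */
static bool model_alloc_page(int *failures_left)
{
	if (*failures_left > 0) {
		(*failures_left)--;
		return false;
	}
	return true;
}

/*
 * sleep_only_on_failure == true  models the fixed placement (sleep inside
 * the allocation-failure branch); false models the regressed placement
 * (sleep after every attempt, successful or not).
 */
struct alloc_stats model_fill_pages(size_t pages, int failures,
				    bool sleep_only_on_failure)
{
	struct alloc_stats st = { 0, 0 };

	assert(failures >= 0);
	for (size_t i = 0; i < pages; i++) {
		bool have_page = false;

		while (!have_page) {
			have_page = model_alloc_page(&failures);
			if (!have_page && sleep_only_on_failure)
				st.sleeps++;	/* fixed: back off only on failure */
			if (!sleep_only_on_failure)
				st.sleeps++;	/* regressed: back off on every attempt */
		}
		st.filled++;
	}
	return st;
}
```

With 8 pages and 2 transient failures, the fixed placement sleeps twice while the regressed one sleeps on all 10 attempts, which is the kind of per-request delay the commit message attributes the slowdown to.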

10 months, 3 weeks


[PATCH 6.1.y 0/7] NFSD updates for LTS 6.1.y

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com>

Address an NFSD crasher that was noted here:

https://lore.kernel.org/linux-nfs/65ee9c0d-e89e-b3e5-f542-103a0ee4745c@huaw…

To apply the fix cleanly, backport a few NFSD patches into v6.1.y that have been in the other LTS kernels for a while.

Reported-by: Li LingFeng <lilingfeng3(a)huawei.com>
Suggested-by: Li LingFeng <lilingfeng3(a)huawei.com>
Tested-by: Li LingFeng <lilingfeng3(a)huawei.com>

Jeff Layton (1):
  nfsd: drop the nfsd_put helper

NeilBrown (5):
  nfsd: Simplify code around svc_exit_thread() call in nfsd()
  nfsd: separate nfsd_last_thread() from nfsd_put()
  NFSD: simplify error paths in nfsd_svc()
  nfsd: call nfsd_last_thread() before final nfsd_put()
  nfsd: don't call locks_release_private() twice concurrently

Trond Myklebust (1):
  nfsd: Fix a regression in nfsd_setattr()

 fs/nfsd/nfs4proc.c         |  4 ++
 fs/nfsd/nfs4state.c        |  2 +-
 fs/nfsd/nfsctl.c           | 32 ++++++++------
 fs/nfsd/nfsd.h             |  3 +-
 fs/nfsd/nfssvc.c           | 85 ++++++++++----------------------------
 fs/nfsd/vfs.c              |  6 ++-
 include/linux/sunrpc/svc.h | 13 ------
 7 files changed, 51 insertions(+), 94 deletions(-)

--
2.45.1

10 months, 3 weeks


[PATCH stable 6.6 1/2] bpf: Fix a kernel verifier crash in stacksafe()

by Shung-Hsi Yu

From: Yonghong Song <yonghong.song(a)linux.dev>

[ Upstream commit bed2eb964c70b780fb55925892a74f26cb590b25 ]

Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to an invalid memory access in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates over old->allocated_stack. If cur->allocated_stack < old->allocated_stack, an out-of-bounds access will happen.

To fix the issue, add an 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, the cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <eddyz87(a)gmail.com>
Reported-by: Daniel Hodges <hodgesd(a)meta.com>
Acked-by: Eduard Zingerman <eddyz87(a)gmail.com>
Signed-off-by: Yonghong Song <yonghong.song(a)linux.dev>
Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast(a)kernel.org>
[ shung-hsi.yu: "exact" variable is bool instead of enum because commit 4f81c16f50ba ("bpf: Recognize that two registers are safe when their ranges match") is not present. ]
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com>
---
 kernel/bpf/verifier.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 171045b6956d..3f1a9cd7fc9e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16124,8 +16124,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
 		spi = i / BPF_REG_SIZE;
 
 		if (exact &&
-		    old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
-		    cur->stack[spi].slot_type[i % BPF_REG_SIZE])
+		    (i >= cur->allocated_stack ||
+		     old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
+		     cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
 			return false;
 
 		if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) && !exact) {
--
2.46.0
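The shape of the fix, a bounds check that short-circuits before the second array is indexed, can be illustrated with a reduced userspace model. This is a sketch under assumptions, not verifier code: `struct model_state` and `model_stacksafe_exact()` are hypothetical names, and the stack is flattened to one byte of slot type per stack byte instead of the kernel's per-slot layout.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, reduced stand-in for struct bpf_func_state. */
struct model_state {
	int allocated_stack;			/* number of valid bytes in slot_type */
	const unsigned char *slot_type;		/* one slot-type byte per stack byte */
};

/*
 * Exact comparison of two stack states. The loop is bounded by the OLD
 * state, so the CURRENT state must be range-checked before it is indexed.
 */
bool model_stacksafe_exact(const struct model_state *old,
			   const struct model_state *cur)
{
	assert(old != NULL && cur != NULL);

	for (int i = 0; i < old->allocated_stack; i++) {
		/*
		 * '||' short-circuits: when i is past the end of cur's stack,
		 * cur->slot_type[i] is never evaluated and the states are
		 * simply reported as not equivalent.
		 */
		if (i >= cur->allocated_stack ||
		    old->slot_type[i] != cur->slot_type[i])
			return false;
	}
	return true;
}
```

Treating "current stack is shorter" as a mismatch is the conservative answer: the verifier then keeps exploring instead of pruning on a state it could not fully compare.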

10 months, 3 weeks


[PATCH stable 5.10] bpf: Allow reads from uninit stack

by Maxim Mikityanskiy

From: Eduard Zingerman <eddyz87(a)gmail.com>

[ Upstream commit 6715df8d5d24655b9fd368e904028112b54c7de1 ]

This commit updates the following functions to allow reads from uninitialized stack locations when the env->allow_uninit_stack option is enabled:
- check_stack_read_fixed_off()
- check_stack_range_initialized(), called from:
  - check_stack_read_var_off()
  - check_helper_mem_access()

This change makes it possible to relax the logic in stacksafe() to treat STACK_MISC and STACK_INVALID in the same way and make the following stack slot configurations equivalent:

  |  Cached state    |  Current state   |
  |   stack slot     |   stack slot     |
  |------------------+------------------|
  | STACK_INVALID or | STACK_INVALID or |
  | STACK_MISC       | STACK_SPILL   or |
  |                  | STACK_MISC    or |
  |                  | STACK_ZERO    or |
  |                  | STACK_DYNPTR     |

This leads to significant verification speed gains (see below).

The idea was suggested by Andrii Nakryiko [1] and the initial patch was created by Alexei Starovoitov [2].

Currently env->allow_uninit_stack is allowed for programs loaded by users with CAP_PERFMON or CAP_SYS_ADMIN capabilities.

A number of test cases from verifier/*.c were expecting uninitialized stack access to be an error. These test cases were updated to execute in unprivileged mode (thus preserving the tests).

The test progs/test_global_func10.c expected the "invalid indirect read from stack" error message because of the access to an uninitialized memory region. This error is no longer possible in privileged mode. The test is updated to provoke the error "invalid indirect access to stack" because of an access to an invalid stack address (such an error is not verified by the progs/test_global_func*.c series of tests).

The following tests had to be removed because these can't be made unprivileged:
- verifier/sock.c:
  - "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value"
  BPF_PROG_TYPE_SCHED_CLS programs are not executed in unprivileged mode.
- verifier/var_off.c:
  - "indirect variable-offset stack access, max_off+size > max_initialized"
  - "indirect variable-offset stack access, uninitialized"
  These tests verify that access to uninitialized stack values is detected when the stack offset is not a constant. However, variable stack access is prohibited in unprivileged mode, thus these tests are no longer valid.

* * *

Here is the veristat log comparing this patch with current master on a set of selftest binaries listed in tools/testing/selftests/bpf/veristat.cfg and cilium BPF binaries (see [3]):

$ ./veristat -e file,prog,states -C -f 'states_pct<-30' master.log current.log
File                        Program                     States (A)  States (B)  States    (DIFF)
--------------------------  --------------------------  ----------  ----------  ----------------
bpf_host.o                  tail_handle_ipv6_from_host         349         244    -105 (-30.09%)
bpf_host.o                  tail_handle_nat_fwd_ipv4          1320         895    -425 (-32.20%)
bpf_lxc.o                   tail_handle_nat_fwd_ipv4          1320         895    -425 (-32.20%)
bpf_sock.o                  cil_sock4_connect                   70          48     -22 (-31.43%)
bpf_sock.o                  cil_sock4_sendmsg                   68          46     -22 (-32.35%)
bpf_xdp.o                   tail_handle_nat_fwd_ipv4          1554         803    -751 (-48.33%)
bpf_xdp.o                   tail_lb_ipv4                      6457        2473   -3984 (-61.70%)
bpf_xdp.o                   tail_lb_ipv6                      7249        3908   -3341 (-46.09%)
pyperf600_bpf_loop.bpf.o    on_event                           287         145    -142 (-49.48%)
strobemeta.bpf.o            on_event                         15915        4772  -11143 (-70.02%)
strobemeta_nounroll2.bpf.o  on_event                         17087        3820  -13267 (-77.64%)
xdp_synproxy_kern.bpf.o     syncookie_tc                     21271        6635  -14636 (-68.81%)
xdp_synproxy_kern.bpf.o     syncookie_xdp                    23122        6024  -17098 (-73.95%)
--------------------------  --------------------------  ----------  ----------  ----------------

Note: I limited selection by states_pct<-30%.

Inspection of differences in pyperf600_bpf_loop behavior shows that the following patch for the test removes almost all differences:

    - a/tools/testing/selftests/bpf/progs/pyperf.h
    + b/tools/testing/selftests/bpf/progs/pyperf.h
    @ -266,8 +266,8 @ int __on_event(struct bpf_raw_tracepoint_args *ctx)
            }

            if (event->pthread_match || !pidData->use_tls) {
    -               void* frame_ptr;
    -               FrameData frame;
    +               void* frame_ptr = 0;
    +               FrameData frame = {};
                    Symbol sym = {};
                    int cur_cpu = bpf_get_smp_processor_id();

W/o this patch the difference comes from the following pattern (for different variables):

    static bool get_frame_data(... FrameData *frame ...)
    {
        ...
        bpf_probe_read_user(&frame->f_code, ...);
        if (!frame->f_code)
            return false;
        ...
        bpf_probe_read_user(&frame->co_name, ...);
        if (frame->co_name)
            ...;
    }

    int __on_event(struct bpf_raw_tracepoint_args *ctx)
    {
        FrameData frame;
        ...
        get_frame_data(... &frame ...) // indirectly via a bpf_loop & callback
        ...
    }

    SEC("raw_tracepoint/kfree_skb")
    int on_event(struct bpf_raw_tracepoint_args* ctx)
    {
        ...
        ret |= __on_event(ctx);
        ret |= __on_event(ctx);
        ...
    }

With regard to the value `frame->co_name` the following is important:
- Because of the conditional `if (!frame->f_code)` each call to __on_event() produces two states, one with `frame->co_name` marked as STACK_MISC, another with it as is (and marked STACK_INVALID on a first call).
- The call to bpf_probe_read_user() does not mark stack slots corresponding to `&frame->co_name` as REG_LIVE_WRITTEN but it marks these slots as STACK_MISC. This happens because of the following loop in check_helper_call():

    for (i = 0; i < meta.access_size; i++) {
        err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B,
                               BPF_WRITE, -1, false);
        if (err)
            return err;
    }

  Note the size of the write: it is a one-byte write for each byte touched by a helper. The BPF_B write does not lead to write marks for the target stack slot.
- This means that w/o this patch, when the second __on_event() call is verified, `if (frame->co_name)` will propagate read marks first to a stack slot with STACK_MISC marks and second to a stack slot with STACK_INVALID marks, and these states would be considered different.

[1] https://lore.kernel.org/bpf/CAEf4BzY3e+ZuC6HUa8dCiUovQRg2SzEk7M-dSkqNZyn=xE…
[2] https://lore.kernel.org/bpf/CAADnVQKs2i1iuZ5SUGuJtxWVfGYR9kDgYKhq3rNV+kBLQC…
[3] git@github.com:anakryiko/cilium.git

Suggested-by: Andrii Nakryiko <andrii(a)kernel.org>
Co-developed-by: Alexei Starovoitov <ast(a)kernel.org>
Signed-off-by: Eduard Zingerman <eddyz87(a)gmail.com>
Acked-by: Andrii Nakryiko <andrii(a)kernel.org>
Link: https://lore.kernel.org/r/20230219200427.606541-2-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast(a)kernel.org>
Signed-off-by: Maxim Mikityanskiy <maxim(a)isovalent.com>
---
Backporting to address the complexity regression introduced by commit 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info"), which affects Cilium built with LLVM 18.

kernel/bpf/verifier.c | 11 +- .../selftests/bpf/progs/test_global_func10.c | 31 +++ tools/testing/selftests/bpf/verifier/calls.c | 13 +- .../bpf/verifier/helper_access_var_len.c | 104 ++++++--- .../testing/selftests/bpf/verifier/int_ptr.c | 9 +- .../selftests/bpf/verifier/search_pruning.c | 13 +- tools/testing/selftests/bpf/verifier/sock.c | 27 --- .../selftests/bpf/verifier/spill_fill.c | 211 ++++++++++++++++++ .../testing/selftests/bpf/verifier/var_off.c | 52 ----- 9 files changed, 342 insertions(+), 129 deletions(-) create mode 100644 tools/testing/selftests/bpf/progs/test_global_func10.c diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ad115ccc2fe0..60db311480d0 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2807,6 +2807,8 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, continue; if (type == STACK_MISC) continue; + if (type == STACK_INVALID && env->allow_uninit_stack) + continue; verbose(env, "invalid read from stack off %d+%d size %d\n", off, i, size); return -EACCES; @@ -2844,6 +2846,8 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env, continue; if (type == STACK_ZERO) continue; + if (type == STACK_INVALID && env->allow_uninit_stack) + continue; verbose(env, "invalid read from stack off %d+%d size %d\n", off, i, size); return -EACCES; @@ -4300,7 +4304,8 @@ static int check_stack_range_initialized( stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE]; if (*stype == STACK_MISC) goto mark; - if (*stype == STACK_ZERO) { + if ((*stype == STACK_ZERO) || + (*stype == STACK_INVALID && env->allow_uninit_stack)) { if (clobber) { /* helper can write anything into the stack */ *stype = STACK_MISC; @@ -9492,6 +9497,10 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) continue; + if (env->allow_uninit_stack && + old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC) + continue; + /* 
explored stack has more populated slots than current stack * and these slots were used */ diff --git a/tools/testing/selftests/bpf/progs/test_global_func10.c b/tools/testing/selftests/bpf/progs/test_global_func10.c new file mode 100644 index 000000000000..8fba3f3649e2 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/test_global_func10.c @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: GPL-2.0-only +#include <stddef.h> +#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> +#include "bpf_misc.h" + +struct Small { + long x; +}; + +struct Big { + long x; + long y; +}; + +__noinline int foo(const struct Big *big) +{ + if (!big) + return 0; + + return bpf_get_prandom_u32() < big->y; +} + +SEC("cgroup_skb/ingress") +__failure __msg("invalid indirect access to stack") +int global_func10(struct __sk_buff *skb) +{ + const struct Small small = {.x = skb->len }; + + return foo((struct Big *)&small) ? 1 : 0; +} diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c index eb888c8479c3..4b0628cd2d03 100644 --- a/tools/testing/selftests/bpf/verifier/calls.c +++ b/tools/testing/selftests/bpf/verifier/calls.c @@ -1948,19 +1948,22 @@ * that fp-8 stack slot was unused in the fall-through * branch and will accept the program incorrectly */ - BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2), + BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), + BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 2, 2), BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_JMP_IMM(BPF_JA, 0, 0, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), + BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .fixup_map_hash_48b = { 6 }, - .errstr = "invalid indirect read from stack R2 off -8+0 size 8", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_XDP, + .fixup_map_hash_48b = { 7 }, + .errstr_unpriv = "invalid indirect read from stack R2 off -8+0 size 8", + .result_unpriv = REJECT, + /* 
in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "calls: ctx read at start of subprog", diff --git a/tools/testing/selftests/bpf/verifier/helper_access_var_len.c b/tools/testing/selftests/bpf/verifier/helper_access_var_len.c index 0ab7f1dfc97a..0e24aa11c457 100644 --- a/tools/testing/selftests/bpf/verifier/helper_access_var_len.c +++ b/tools/testing/selftests/bpf/verifier/helper_access_var_len.c @@ -29,19 +29,30 @@ { "helper access to variable memory: stack, bitwise AND, zero included", .insns = { - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), - BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), - BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), - BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), - BPF_MOV64_IMM(BPF_REG_3, 0), - BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), + /* set max stack size */ + BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), + /* set r3 to a random value */ + BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), + BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), + /* use bitwise AND to limit r3 range to [0, 64] */ + BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 64), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), + BPF_MOV64_IMM(BPF_REG_4, 0), + /* Call bpf_ringbuf_output(), it is one of a few helper functions with + * ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. + * For unpriv this should signal an error, because memory at &fp[-64] is + * not initialized. 
+ */ + BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), BPF_EXIT_INSN(), }, - .errstr = "invalid indirect read from stack R1 off -64+0 size 64", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_TRACEPOINT, + .fixup_map_ringbuf = { 4 }, + .errstr_unpriv = "invalid indirect read from stack R2 off -64+0 size 64", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "helper access to variable memory: stack, bitwise AND + JMP, wrong max", @@ -183,20 +194,31 @@ { "helper access to variable memory: stack, JMP, no min check", .insns = { - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), - BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), - BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), - BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), - BPF_MOV64_IMM(BPF_REG_3, 0), - BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), + /* set max stack size */ + BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), + /* set r3 to a random value */ + BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), + BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), + /* use JMP to limit r3 range to [0, 64] */ + BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 64, 6), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), + BPF_MOV64_IMM(BPF_REG_4, 0), + /* Call bpf_ringbuf_output(), it is one of a few helper functions with + * ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. + * For unpriv this should signal an error, because memory at &fp[-64] is + * not initialized. 
+ */ + BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .errstr = "invalid indirect read from stack R1 off -64+0 size 64", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_TRACEPOINT, + .fixup_map_ringbuf = { 4 }, + .errstr_unpriv = "invalid indirect read from stack R2 off -64+0 size 64", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "helper access to variable memory: stack, JMP (signed), no min check", @@ -564,29 +586,41 @@ { "helper access to variable memory: 8 bytes leak", .insns = { - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), - BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), + /* set max stack size */ + BPF_ST_MEM(BPF_DW, BPF_REG_10, -128, 0), + /* set r3 to a random value */ + BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32), + BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), + /* Note: fp[-32] left uninitialized */ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), - BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), - BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), - BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), - BPF_MOV64_IMM(BPF_REG_3, 0), - BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), - BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), + /* Limit r3 range to [1, 64] */ + BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 63), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 1), + BPF_MOV64_IMM(BPF_REG_4, 0), + /* Call bpf_ringbuf_output(), it is one of a few helper functions with + * 
ARG_CONST_SIZE_OR_ZERO parameter allowed in unpriv mode. + * For unpriv this should signal an error, because memory region [1, 64] + * at &fp[-64] is not fully initialized. + */ + BPF_EMIT_CALL(BPF_FUNC_ringbuf_output), + BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .errstr = "invalid indirect read from stack R1 off -64+32 size 64", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_TRACEPOINT, + .fixup_map_ringbuf = { 3 }, + .errstr_unpriv = "invalid indirect read from stack R2 off -64+32 size 64", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "helper access to variable memory: 8 bytes no leak (init memory)", diff --git a/tools/testing/selftests/bpf/verifier/int_ptr.c b/tools/testing/selftests/bpf/verifier/int_ptr.c index 070893fb2900..02d9e004260b 100644 --- a/tools/testing/selftests/bpf/verifier/int_ptr.c +++ b/tools/testing/selftests/bpf/verifier/int_ptr.c @@ -54,12 +54,13 @@ /* bpf_strtoul() */ BPF_EMIT_CALL(BPF_FUNC_strtoul), - BPF_MOV64_IMM(BPF_REG_0, 1), + BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .result = REJECT, - .prog_type = BPF_PROG_TYPE_CGROUP_SYSCTL, - .errstr = "invalid indirect read from stack R4 off -16+4 size 8", + .result_unpriv = REJECT, + .errstr_unpriv = "invalid indirect read from stack R4 off -16+4 size 8", + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "ARG_PTR_TO_LONG misaligned", diff --git a/tools/testing/selftests/bpf/verifier/search_pruning.c b/tools/testing/selftests/bpf/verifier/search_pruning.c index 7e36078f8f48..949cbe460248 100644 --- a/tools/testing/selftests/bpf/verifier/search_pruning.c +++ b/tools/testing/selftests/bpf/verifier/search_pruning.c @@ -128,9 +128,10 @@ BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, - .errstr = "invalid read from stack off -16+0 size 8", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_TRACEPOINT, + .errstr_unpriv = "invalid read from 
stack off -16+0 size 8", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, { "allocated_stack", @@ -187,6 +188,8 @@ BPF_EXIT_INSN(), }, .flags = BPF_F_TEST_STATE_FREQ, - .errstr = "invalid read from stack off -8+1 size 8", - .result = REJECT, + .errstr_unpriv = "invalid read from stack off -8+1 size 8", + .result_unpriv = REJECT, + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, }, diff --git a/tools/testing/selftests/bpf/verifier/sock.c b/tools/testing/selftests/bpf/verifier/sock.c index 8c224eac93df..59d976d22867 100644 --- a/tools/testing/selftests/bpf/verifier/sock.c +++ b/tools/testing/selftests/bpf/verifier/sock.c @@ -530,33 +530,6 @@ .prog_type = BPF_PROG_TYPE_SCHED_CLS, .result = ACCEPT, }, -{ - "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value", - .insns = { - BPF_MOV64_IMM(BPF_REG_2, 0), - BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), - BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), - BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - BPF_MOV64_IMM(BPF_REG_4, 1), - BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), - BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), - BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), - BPF_LD_MAP_FD(BPF_REG_1, 0), - BPF_EMIT_CALL(BPF_FUNC_sk_storage_get), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .fixup_sk_storage_map = { 14 }, - .prog_type = BPF_PROG_TYPE_SCHED_CLS, - .result = REJECT, - .errstr = "invalid indirect read from stack", -}, { "bpf_map_lookup_elem(smap, &key)", .insns = { diff --git a/tools/testing/selftests/bpf/verifier/spill_fill.c b/tools/testing/selftests/bpf/verifier/spill_fill.c index 0b943897aaf6..1e76841b7bfa 100644 --- a/tools/testing/selftests/bpf/verifier/spill_fill.c 
+++ b/tools/testing/selftests/bpf/verifier/spill_fill.c @@ -104,3 +104,214 @@ .result = ACCEPT, .retval = POINTER_VALUE, }, +{ + "Spill and refill a u32 const scalar. Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u32 *)(r10 -8) */ + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -8), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=20 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,off=20 R2=pkt R3=pkt_end R4=20 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,off=20,r=20 R2=pkt,r=20 R3=pkt_end R4=20 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill a u32 const, refill from another half of the uninit u32 from the stack", + .insns = { + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u32 *)(r10 -4) fp-8=????rrrr*/ + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -4), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result_unpriv = REJECT, + .errstr_unpriv = "invalid read from stack off -4+0 size 4", + /* in privileged mode reads from uninitialized stack locations are permitted */ + .result = ACCEPT, +}, +{ + "Spill a u32 const scalar. Refill as u16. 
Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u16 *)(r10 -8) */ + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -8), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid access to packet", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill u32 const scalars. Refill as u64. 
Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r6 = 0 */ + BPF_MOV32_IMM(BPF_REG_6, 0), + /* r7 = 20 */ + BPF_MOV32_IMM(BPF_REG_7, 20), + /* *(u32 *)(r10 -4) = r6 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_6, -4), + /* *(u32 *)(r10 -8) = r7 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_7, -8), + /* r4 = *(u64 *)(r10 -8) */ + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -8), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid access to packet", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill a u32 const scalar. Refill as u16 from fp-6. 
Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u16 *)(r10 -6) */ + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_10, -6), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=umax=65535 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,umax=65535 R2=pkt R3=pkt_end R4=20 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid access to packet", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill and refill a u32 const scalar at non 8byte aligned stack addr. 
Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + /* r4 = 20 */ + BPF_MOV32_IMM(BPF_REG_4, 20), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* *(u32 *)(r10 -4) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -4), + /* r4 = *(u32 *)(r10 -4), */ + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -4), + /* r0 = r2 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r0 += r4 R0=pkt R2=pkt R3=pkt_end R4=umax=U32_MAX */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), + /* if (r0 > r3) R0=pkt,umax=U32_MAX R2=pkt R3=pkt_end R4= */ + BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), + /* r0 = *(u32 *)r2 R0=pkt,umax=U32_MAX R2=pkt R3=pkt_end R4= */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = REJECT, + .errstr = "invalid access to packet", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill and refill a umax=40 bounded scalar. 
Offset to skb->data", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, + offsetof(struct __sk_buff, data_end)), + BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, + offsetof(struct __sk_buff, tstamp)), + BPF_JMP_IMM(BPF_JLE, BPF_REG_4, 40, 2), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + /* *(u32 *)(r10 -8) = r4 R4=umax=40 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = (*u32 *)(r10 - 8) */ + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_10, -8), + /* r2 += r4 R2=pkt R4=umax=40 */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_4), + /* r0 = r2 R2=pkt,umax=40 R4=umax=40 */ + BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), + /* r2 += 20 R0=pkt,umax=40 R2=pkt,umax=40 */ + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 20), + /* if (r2 > r3) R0=pkt,umax=40 R2=pkt,off=20,umax=40 */ + BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 1), + /* r0 = *(u32 *)r0 R0=pkt,r=20,umax=40 R2=pkt,off=20,r=20,umax=40 */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, +{ + "Spill a u32 scalar at fp-4 and then at fp-8", + .insns = { + /* r4 = 4321 */ + BPF_MOV32_IMM(BPF_REG_4, 4321), + /* *(u32 *)(r10 -4) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -4), + /* *(u32 *)(r10 -8) = r4 */ + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_4, -8), + /* r4 = *(u64 *)(r10 -8) */ + BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, diff --git a/tools/testing/selftests/bpf/verifier/var_off.c b/tools/testing/selftests/bpf/verifier/var_off.c index eab1f7f56e2f..dc92a29f0d74 100644 --- a/tools/testing/selftests/bpf/verifier/var_off.c +++ b/tools/testing/selftests/bpf/verifier/var_off.c @@ -212,31 +212,6 @@ .result = REJECT, .prog_type = BPF_PROG_TYPE_LWT_IN, }, -{ - "indirect variable-offset stack access, 
max_off+size > max_initialized", - .insns = { - /* Fill only the second from top 8 bytes of the stack. */ - BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0), - /* Get an unknown value. */ - BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), - /* Make it small and 4-byte aligned. */ - BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), - BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 16), - /* Add it to fp. We now have either fp-12 or fp-16, but we don't know - * which. fp-12 size 8 is partially uninitialized stack. - */ - BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), - /* Dereference it indirectly. */ - BPF_LD_MAP_FD(BPF_REG_1, 0), - BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .fixup_map_hash_8b = { 5 }, - .errstr = "invalid indirect read from stack R2 var_off", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_LWT_IN, -}, { "indirect variable-offset stack access, min_off < min_initialized", .insns = { @@ -289,33 +264,6 @@ .result = ACCEPT, .prog_type = BPF_PROG_TYPE_CGROUP_SKB, }, -{ - "indirect variable-offset stack access, uninitialized", - .insns = { - BPF_MOV64_IMM(BPF_REG_2, 6), - BPF_MOV64_IMM(BPF_REG_3, 28), - /* Fill the top 16 bytes of the stack. */ - BPF_ST_MEM(BPF_W, BPF_REG_10, -16, 0), - BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), - /* Get an unknown value. */ - BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 0), - /* Make it small and 4-byte aligned. */ - BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 4), - BPF_ALU64_IMM(BPF_SUB, BPF_REG_4, 16), - /* Add it to fp. We now have either fp-12 or fp-16, we don't know - * which, but either way it points to initialized stack. - */ - BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_10), - BPF_MOV64_IMM(BPF_REG_5, 8), - /* Dereference it indirectly. */ - BPF_EMIT_CALL(BPF_FUNC_getsockopt), - BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_EXIT_INSN(), - }, - .errstr = "invalid indirect read from stack R4 var_off", - .result = REJECT, - .prog_type = BPF_PROG_TYPE_SOCK_OPS, -}, { "indirect variable-offset stack access, ok", .insns = { -- 2.45.2

10 months, 3 weeks


FAILED: patch "[PATCH] mm/numa: no task_numa_fault() call if PTE is changed" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 40b760cfd44566bca791c80e0720d70d75382b84
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081934-embargo-primer-a23e@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..

Possible dependencies:

40b760cfd445 ("mm/numa: no task_numa_fault() call if PTE is changed")
d2136d749d76 ("mm: support multi-size THP numa balancing")
6b0ed7b3c775 ("mm: factor out the numa mapping rebuilding into a new helper")
ec1778807a80 ("mm: mprotect: use a folio in change_pte_range()")
6695cf68b15c ("mm: memory: use a folio in do_numa_page()")
73eab3ca481e ("mm: migrate: convert migrate_misplaced_page() to migrate_misplaced_folio()")
2ac9e99f3b21 ("mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio()")
df57721f9a63 ("Merge tag 'x86_shstk_for_6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 40b760cfd44566bca791c80e0720d70d75382b84 Mon Sep 17 00:00:00 2001
From: Zi Yan <ziy(a)nvidia.com>
Date: Fri, 9 Aug 2024 10:59:04 -0400
Subject: [PATCH] mm/numa: no task_numa_fault() call if PTE is changed

When handling a numa page fault, task_numa_fault() should be called by a
process that restores the page table of the faulted folio to avoid
duplicated stats counting.  Commit b99a342d4f11 ("NUMA balancing: reduce
TLB flush via delaying mapping on hint page fault") restructured
do_numa_page() and did not avoid task_numa_fault() call in the second page
table check after a numa migration failure.  Fix it by making all
!pte_same() return immediately.

This issue can cause task_numa_fault() being called more than necessary
and lead to unexpected numa balancing results (It is hard to tell whether
the issue will cause positive or negative performance impact due to
duplicated numa fault counting).

Link: https://lkml.kernel.org/r/20240809145906.1513458-2-ziy@nvidia.com
Fixes: b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault")
Signed-off-by: Zi Yan <ziy(a)nvidia.com>
Reported-by: "Huang, Ying" <ying.huang(a)intel.com>
Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.inte…
Acked-by: David Hildenbrand <david(a)redhat.com>
Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com>
Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Cc: Mel Gorman <mgorman(a)suse.de>
Cc: Yang Shi <shy828301(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>

diff --git a/mm/memory.c b/mm/memory.c
index 34f8402d2046..3c01d68065be 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -5295,7 +5295,7 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf)

 	if (unlikely(!pte_same(old_pte, vmf->orig_pte))) {
 		pte_unmap_unlock(vmf->pte, vmf->ptl);
-		goto out;
+		return 0;
 	}

 	pte = pte_modify(old_pte, vma->vm_page_prot);
@@ -5358,23 +5358,19 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf)
 	if (!migrate_misplaced_folio(folio, vma, target_nid)) {
 		nid = target_nid;
 		flags |= TNF_MIGRATED;
-	} else {
-		flags |= TNF_MIGRATE_FAIL;
-		vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd,
-					       vmf->address, &vmf->ptl);
-		if (unlikely(!vmf->pte))
-			goto out;
-		if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) {
-			pte_unmap_unlock(vmf->pte, vmf->ptl);
-			goto out;
-		}
-		goto out_map;
+		task_numa_fault(last_cpupid, nid, nr_pages, flags);
+		return 0;
 	}

-out:
-	if (nid != NUMA_NO_NODE)
-		task_numa_fault(last_cpupid, nid, nr_pages, flags);
-	return 0;
+	flags |= TNF_MIGRATE_FAIL;
+	vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd,
+				       vmf->address, &vmf->ptl);
+	if (unlikely(!vmf->pte))
+		return 0;
+	if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) {
+		pte_unmap_unlock(vmf->pte, vmf->ptl);
+		return 0;
+	}
 out_map:
 	/*
 	 * Make it present again, depending on how arch implements
@@ -5387,7 +5383,10 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf)
 		numa_rebuild_single_mapping(vmf, vma, vmf->address, vmf->pte,
 					    writable);
 	pte_unmap_unlock(vmf->pte, vmf->ptl);
-	goto out;
+
+	if (nid != NUMA_NO_NODE)
+		task_numa_fault(last_cpupid, nid, nr_pages, flags);
+	return 0;
 }

 static inline vm_fault_t create_huge_pmd(struct vm_fault *vmf)
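The control flow after this change can be sketched as a small user-space model. This is only an illustration under stated assumptions: struct fault_model, account_fault() and handle_hint_fault() are hypothetical names, the counter stands in for calls to task_numa_fault(), and locking, the NUMA_NO_NODE check, and the path where no migration is attempted are left out.

```c
#include <assert.h>
#include <stdbool.h>

/* Hypothetical model of one NUMA hint fault; none of these names are kernel APIs. */
struct fault_model {
	bool pte_changed_before_migration; /* first !pte_same() check fires */
	bool migration_succeeds;           /* migrate_misplaced_folio() returned 0 */
	bool pte_changed_after_migration;  /* second !pte_same() check fires */
};

static int faults_accounted; /* stands in for calls to task_numa_fault() */

static void account_fault(void)
{
	faults_accounted++;
}

/* Mirrors the patched ordering: every "PTE changed" path returns without accounting. */
static int handle_hint_fault(const struct fault_model *m)
{
	if (m->pte_changed_before_migration)
		return 0; /* someone else already handled this fault */

	if (m->migration_succeeds) {
		account_fault(); /* the TNF_MIGRATED case */
		return 0;
	}

	if (m->pte_changed_after_migration)
		return 0; /* before the fix, this path still accounted the fault */

	/* out_map: this thread restores the mapping, so it also does the accounting */
	account_fault();
	return 0;
}
```

In this model a fault is counted only by the path that either migrated the folio or restored the mapping itself, which is the property the commit message asks for.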

10 months, 3 weeks


Re: Patch "drm/amdkfd: Move dma unmapping after TLB flush" has been added to the 6.6-stable tree

by Felix Kuehling

This patch introduced a regression. If you want to backport it, I'd
recommend including this fix as well:

commit 9c29282ecbeeb1b43fced3055c6a5bb244b9390b
Author: Lang Yu <Lang.Yu(a)amd.com>
Date:   Thu Jan 11 12:27:07 2024 +0800

    drm/amdkfd: reserve the BO before validating it

    Fix a warning.

    v2: Avoid unmapping attachment repeatedly when ERESTARTSYS.

    v3: Lock the BO before accessing ttm->sg to avoid race conditions.(Felix)

    [ 41.708711] WARNING: CPU: 0 PID: 1463 at drivers/gpu/drm/ttm/ttm_bo.c:846 ttm_bo_validate+0x146/0x1b0 [ttm]
    [ 41.708989] Call Trace:
    [ 41.708992] <TASK>
    [ 41.708996] ? show_regs+0x6c/0x80
    [ 41.709000] ? ttm_bo_validate+0x146/0x1b0 [ttm]
    [ 41.709008] ? __warn+0x93/0x190
    [ 41.709014] ? ttm_bo_validate+0x146/0x1b0 [ttm]
    [ 41.709024] ? report_bug+0x1f9/0x210
    [ 41.709035] ? handle_bug+0x46/0x80
    [ 41.709041] ? exc_invalid_op+0x1d/0x80
    [ 41.709048] ? asm_exc_invalid_op+0x1f/0x30
    [ 41.709057] ? amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x2c/0x80 [amdgpu]
    [ 41.709185] ? ttm_bo_validate+0x146/0x1b0 [ttm]
    [ 41.709197] ? amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x2c/0x80 [amdgpu]
    [ 41.709337] ? srso_alias_return_thunk+0x5/0x7f
    [ 41.709346] kfd_mem_dmaunmap_attachment+0x9e/0x1e0 [amdgpu]
    [ 41.709467] amdgpu_amdkfd_gpuvm_dmaunmap_mem+0x56/0x80 [amdgpu]
    [ 41.709586] kfd_ioctl_unmap_memory_from_gpu+0x1b7/0x300 [amdgpu]
    [ 41.709710] kfd_ioctl+0x1ec/0x650 [amdgpu]
    [ 41.709822] ? __pfx_kfd_ioctl_unmap_memory_from_gpu+0x10/0x10 [amdgpu]
    [ 41.709945] ? srso_alias_return_thunk+0x5/0x7f
    [ 41.709949] ? tomoyo_file_ioctl+0x20/0x30
    [ 41.709959] __x64_sys_ioctl+0x9c/0xd0
    [ 41.709967] do_syscall_64+0x3f/0x90
    [ 41.709973] entry_SYSCALL_64_after_hwframe+0x6e/0xd8

    Fixes: 101b8104307e ("drm/amdkfd: Move dma unmapping after TLB flush")
    Signed-off-by: Lang Yu <Lang.Yu(a)amd.com>
    Reviewed-by: Felix Kuehling <Felix.Kuehling(a)amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>

Regards,
  Felix

On 2024-08-20 8:00, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
>
>     drm/amdkfd: Move dma unmapping after TLB flush
>
> to the 6.6-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
>
> The filename of the patch is:
>      drm-amdkfd-move-dma-unmapping-after-tlb-flush.patch
> and it can be found in the queue-6.6 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable(a)vger.kernel.org> know about it.
>
>
>
> commit 23f8ef0f6e5deee5814fda6ec2e2ee4c2f19a384
> Author: Philip Yang <Philip.Yang(a)amd.com>
> Date:   Mon Sep 11 14:44:22 2023 -0400
>
>     drm/amdkfd: Move dma unmapping after TLB flush
>
>     [ Upstream commit 101b8104307eac734f2dfa4d3511430b0b631c73 ]
>
>     Otherwise GPU may access the stale mapping and generate IOMMU
>     IO_PAGE_FAULT.
>
>     Move this to inside p->mutex to prevent multiple threads mapping and
>     unmapping concurrently race condition.
>
>     After kfd_mem_dmaunmap_attachment is removed from unmap_bo_from_gpuvm,
>     kfd_mem_dmaunmap_attachment is called if failed to map to GPUs, and
>     before free the mem attachment in case failed to unmap from GPUs.
>
>     Signed-off-by: Philip Yang <Philip.Yang(a)amd.com>
>     Reviewed-by: Felix Kuehling <Felix.Kuehling(a)amd.com>
>     Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
>     Signed-off-by: Sasha Levin <sashal(a)kernel.org>
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
> index 2fe9860725bd9..5e4fb33b97351 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
> @@ -303,6 +303,7 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu(struct amdgpu_device *adev,
>  					  struct kgd_mem *mem, void *drm_priv);
>  int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu(
>  		struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv);
> +void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv);
>  int amdgpu_amdkfd_gpuvm_sync_memory(
>  		struct amdgpu_device *adev, struct kgd_mem *mem, bool intr);
>  int amdgpu_amdkfd_gpuvm_map_gtt_bo_to_kernel(struct kgd_mem *mem,
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> index 62c1dc9510a41..c2d1d57a6c668 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
> @@ -733,7 +733,7 @@ kfd_mem_dmaunmap_sg_bo(struct kgd_mem *mem,
>  	enum dma_data_direction dir;
>
>  	if (unlikely(!ttm->sg)) {
> -		pr_err("SG Table of BO is UNEXPECTEDLY NULL");
> +		pr_debug("SG Table of BO is NULL");
>  		return;
>  	}
>
> @@ -1202,8 +1202,6 @@ static void unmap_bo_from_gpuvm(struct kgd_mem *mem,
>  	amdgpu_vm_clear_freed(adev, vm, &bo_va->last_pt_update);
>
>  	amdgpu_sync_fence(sync, bo_va->last_pt_update);
> -
> -	kfd_mem_dmaunmap_attachment(mem, entry);
>  }
>
>  static int update_gpuvm_pte(struct kgd_mem *mem,
> @@ -1258,6 +1256,7 @@ static int map_bo_to_gpuvm(struct kgd_mem *mem,
>
>  update_gpuvm_pte_failed:
>  	unmap_bo_from_gpuvm(mem, entry, sync);
> +	kfd_mem_dmaunmap_attachment(mem, entry);
>  	return ret;
>  }
>
> @@ -1862,8 +1861,10 @@ int amdgpu_amdkfd_gpuvm_free_memory_of_gpu(
>  		mem->va + bo_size * (1 + mem->aql_queue));
>
>  	/* Remove from VM internal data structures */
> -	list_for_each_entry_safe(entry, tmp, &mem->attachments, list)
> +	list_for_each_entry_safe(entry, tmp, &mem->attachments, list) {
> +		kfd_mem_dmaunmap_attachment(mem, entry);
>  		kfd_mem_detach(entry);
> +	}
>
>  	ret = unreserve_bo_and_vms(&ctx, false, false);
>
> @@ -2037,6 +2038,23 @@ int amdgpu_amdkfd_gpuvm_map_memory_to_gpu(
>  	return ret;
>  }
>
> +void amdgpu_amdkfd_gpuvm_dmaunmap_mem(struct kgd_mem *mem, void *drm_priv)
> +{
> +	struct kfd_mem_attachment *entry;
> +	struct amdgpu_vm *vm;
> +
> +	vm = drm_priv_to_vm(drm_priv);
> +
> +	mutex_lock(&mem->lock);
> +
> +	list_for_each_entry(entry, &mem->attachments, list) {
> +		if (entry->bo_va->base.vm == vm)
> +			kfd_mem_dmaunmap_attachment(mem, entry);
> +	}
> +
> +	mutex_unlock(&mem->lock);
> +}
> +
>  int amdgpu_amdkfd_gpuvm_unmap_memory_from_gpu(
>  		struct amdgpu_device *adev, struct kgd_mem *mem, void *drm_priv)
>  {
> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> index d33ba4fe9ad5b..045280c2b607c 100644
> --- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
> @@ -1432,17 +1432,21 @@ static int kfd_ioctl_unmap_memory_from_gpu(struct file *filep,
>  				goto sync_memory_failed;
>  			}
>  		}
> -	mutex_unlock(&p->mutex);
>
> -	if (flush_tlb) {
> -		/* Flush TLBs after waiting for the page table updates to complete */
> -		for (i = 0; i < args->n_devices; i++) {
> -			peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]);
> -			if (WARN_ON_ONCE(!peer_pdd))
> -				continue;
> +	/* Flush TLBs after waiting for the page table updates to complete */
> +	for (i = 0; i < args->n_devices; i++) {
> +		peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]);
> +		if (WARN_ON_ONCE(!peer_pdd))
> +			continue;
> +		if (flush_tlb)
>  			kfd_flush_tlb(peer_pdd, TLB_FLUSH_HEAVYWEIGHT);
> -		}
> +
> +		/* Remove dma mapping after tlb flush to avoid IO_PAGE_FAULT */
> +		amdgpu_amdkfd_gpuvm_dmaunmap_mem(mem, peer_pdd->drm_priv);
>  	}
> +
> +	mutex_unlock(&p->mutex);
> +
>  	kfree(devices_arr);
>
>  	return 0;

10 months, 3 weeks


FAILED: patch "[PATCH] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 61ebe5a747da649057c37be1c37eb934b4af79ca
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081918-payday-symphonic-ac65@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

61ebe5a747da ("mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0")
88ae5fb755b0 ("mm: vmalloc: enable memory allocation profiling")
e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations")
3ba2c3ff98ea ("Merge tag 'modules-6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 61ebe5a747da649057c37be1c37eb934b4af79ca Mon Sep 17 00:00:00 2001
From: Hailong Liu <hailong.liu(a)oppo.com>
Date: Thu, 8 Aug 2024 20:19:56 +0800
Subject: [PATCH] mm/vmalloc: fix page mapping if vm_area_alloc_pages() with
 high order fallback to order 0

The __vmap_pages_range_noflush() assumes its argument pages** contains
pages with the same page shift.  However, since commit e9c3cda4d86e ("mm,
vmalloc: fix high order __GFP_NOFAIL allocations"), if gfp_flags includes
__GFP_NOFAIL with high order in vm_area_alloc_pages() and page allocation
failed for high order, the pages** may contain two different page shifts
(high order and order-0).  This could lead __vmap_pages_range_noflush() to
perform incorrect mappings, potentially resulting in memory corruption.

Users might encounter this as follows (vmap_allow_huge = true, 2M is for
PMD_SIZE):

kvmalloc(2M, __GFP_NOFAIL|GFP_X)
    __vmalloc_node_range_noprof(vm_flags=VM_ALLOW_HUGE_VMAP)
        vm_area_alloc_pages(order=9) ---> order-9 allocation failed and fallback to order-0
        vmap_pages_range()
            vmap_pages_range_noflush()
                __vmap_pages_range_noflush(page_shift = 21) ----> wrong mapping happens

We can remove the fallback code because if a high-order allocation fails,
__vmalloc_node_range_noprof() will retry with order-0.  Therefore, it is
unnecessary to fallback to order-0 here.  Therefore, fix this by removing
the fallback code.

Link: https://lkml.kernel.org/r/20240808122019.3361-1-hailong.liu@oppo.com
Fixes: e9c3cda4d86e ("mm, vmalloc: fix high order __GFP_NOFAIL allocations")
Signed-off-by: Hailong Liu <hailong.liu(a)oppo.com>
Reported-by: Tangquan Zheng <zhengtangquan(a)oppo.com>
Reviewed-by: Baoquan He <bhe(a)redhat.com>
Reviewed-by: Uladzislau Rezki (Sony) <urezki(a)gmail.com>
Acked-by: Barry Song <baohua(a)kernel.org>
Acked-by: Michal Hocko <mhocko(a)suse.com>
Cc: Matthew Wilcox <willy(a)infradead.org>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index 6b783baf12a1..af2de36549d6 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -3584,15 +3584,8 @@ vm_area_alloc_pages(gfp_t gfp, int nid,
 			page = alloc_pages_noprof(alloc_gfp, order);
 		else
 			page = alloc_pages_node_noprof(nid, alloc_gfp, order);
-		if (unlikely(!page)) {
-			if (!nofail)
-				break;
-
-			/* fall back to the zero order allocations */
-			alloc_gfp |= __GFP_NOFAIL;
-			order = 0;
-			continue;
-		}
+		if (unlikely(!page))
+			break;

 		/*
 		 * Higher order allocations must be able to be treated as
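Why a mixed pages array is dangerous can be illustrated with a small user-space model. This is a sketch under stated assumptions, not kernel code: blocks_are_contiguous() is a hypothetical helper, pfn[i] stands for the page frame number behind pages[i], and order 2 is used in the usage below instead of order 9 to keep the arrays short. Mapping with a large page shift effectively trusts every (1 << order)-th entry to be the head of a physically contiguous block; the helper checks whether that trust is justified.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/*
 * Hypothetical user-space model, not kernel code: pfn[i] is the page frame
 * number behind pages[i]. A mapper using a large page shift only looks at
 * every (1 << order)-th entry and assumes the rest of the block follows it
 * physically.
 */
static bool blocks_are_contiguous(const unsigned long *pfn, size_t nr,
				  unsigned int order)
{
	size_t step = (size_t)1 << order;

	for (size_t i = 0; i + step <= nr; i += step) {
		for (size_t j = 1; j < step; j++) {
			if (pfn[i + j] != pfn[i] + j)
				return false; /* an order-0 page slipped into the block */
		}
	}
	return true;
}
```

With two real order-2 blocks the check passes; if the second block was filled by order-0 fallback pages from arbitrary locations, it fails for order 2 but still passes for order 0, which is the case the retry in __vmalloc_node_range_noprof() covers according to the commit message.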

10 months, 3 weeks


[PATCH v6.6.y] ALSA: timer: Relax start tick time check for slave timer elements

by Takashi Iwai

commit ccbfcac05866ebe6eb3bc6d07b51d4ed4fcde436 upstream.

The recent addition of a sanity check for a too low start tick time
seems breaking some applications that uses aloop with a certain slave
timer setup.  They may have the initial resolution 0, hence it's
treated as if it were a too low value.

Relax and skip the check for the slave timer instance for addressing
the regression.

Fixes: 4a63bd179fa8 ("ALSA: timer: Set lower bound of start tick time")
Cc: <stable(a)vger.kernel.org>
Link: https://github.com/raspberrypi/linux/issues/6294
Link: https://patch.msgid.link/20240810084833.10939-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai(a)suse.de>
---
Greg, this is a backport for 6.6.y and older stable kernels that
failed to cherry-pick the original one.

 sound/core/timer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index a0b515981ee9..230babace502 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -556,7 +556,7 @@ static int snd_timer_start1(struct snd_timer_instance *timeri,
 	/* check the actual time for the start tick;
 	 * bail out as error if it's way too low (< 100us)
 	 */
-	if (start) {
+	if (start && !(timer->hw.flags & SNDRV_TIMER_HW_SLAVE)) {
 		if ((u64)snd_timer_hw_resolution(timer) * ticks < 100000) {
 			result = -EINVAL;
 			goto unlock;
-- 
2.43.0
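The effect of the relaxed condition can be shown with a minimal user-space sketch. Everything here is a stand-in rather than the ALSA API: struct model_timer, MODEL_HW_SLAVE and check_start_tick() are hypothetical names, and the resolution is assumed to be in nanoseconds, as the "< 100us" comment next to the 100000 constant suggests.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define MODEL_HW_SLAVE 0x1u /* hypothetical stand-in for SNDRV_TIMER_HW_SLAVE */

/* Hypothetical, reduced view of a timer: only what the check needs. */
struct model_timer {
	unsigned int flags;
	unsigned long resolution_ns; /* assumed unit: nanoseconds per tick */
};

/* Returns 0 if the start is allowed, -EINVAL if the start tick is too short. */
static int check_start_tick(const struct model_timer *t, unsigned long ticks,
			    bool start)
{
	/* Slave timers may report resolution 0, so they skip the lower bound. */
	if (start && !(t->flags & MODEL_HW_SLAVE)) {
		if ((uint64_t)t->resolution_ns * ticks < 100000)
			return -EINVAL;
	}
	return 0;
}
```

A slave timer with resolution 0 now passes, while a non-slave timer with the same resolution is still rejected, which matches the intent described in the commit message.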

10 months, 3 weeks


[PATCH AUTOSEL 6.1 01/61] drm/amd/display: Assign linear_pitch_alignment even for VM

by Sasha Levin

From: Alvin Lee <alvin.lee2(a)amd.com>

[ Upstream commit 984debc133efa05e62f5aa1a7a1dd8ca0ef041f4 ]

[Description]
Assign linear_pitch_alignment so we don't cause a divide by 0
error in VM environments

Reviewed-by: Sohaib Nadeem <sohaib.nadeem(a)amd.com>
Acked-by: Wayne Lin <wayne.lin(a)amd.com>
Signed-off-by: Alvin Lee <alvin.lee2(a)amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index f415733f1a979..d7bca680805d3 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -1265,6 +1265,7 @@ struct dc *dc_create(const struct dc_init_data *init_params)
 		return NULL;

 	if (init_params->dce_environment == DCE_ENV_VIRTUAL_HW) {
+		dc->caps.linear_pitch_alignment = 64;
 		if (!dc_construct_ctx(dc, init_params))
 			goto destruct_dc;
 	} else {
-- 
2.43.0

10 months, 3 weeks


[PATCH AUTOSEL 5.10 01/38] drm/amdgpu: fix overflowed array index read warning

by Sasha Levin

From: Tim Huang <Tim.Huang(a)amd.com>

[ Upstream commit ebbc2ada5c636a6a63d8316a3408753768f5aa9f ]

Clear overflowed array index read warning by cast operation.

Signed-off-by: Tim Huang <Tim.Huang(a)amd.com>
Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com>
Reviewed-by: Christian König <christian.koenig(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
index 15ee13c3bd9e1..6976f61be7341 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
@@ -368,8 +368,9 @@ static ssize_t amdgpu_debugfs_ring_read(struct file *f, char __user *buf,
 					size_t size, loff_t *pos)
 {
 	struct amdgpu_ring *ring = file_inode(f)->i_private;
-	int r, i;
 	uint32_t value, result, early[3];
+	loff_t i;
+	int r;

 	if (*pos & 3 || size & 3)
 		return -EINVAL;
-- 
2.43.0

10 months, 3 weeks


FAILED: patch "[PATCH] ksmbd: fix race condition between destroy_previous_session()" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y
git checkout FETCH_HEAD
git cherry-pick -x 76e98a158b207771a6c9a0de0a60522a446a3447
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082625-savior-clinic-1a91@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^..

Possible dependencies:

76e98a158b20 ("ksmbd: fix race condition between destroy_previous_session() and smb2 operations()")
d484d621d40f ("ksmbd: add durable scavenger timer")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 76e98a158b207771a6c9a0de0a60522a446a3447 Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon(a)kernel.org>
Date: Sat, 17 Aug 2024 14:03:49 +0900
Subject: [PATCH] ksmbd: fix race condition between destroy_previous_session()
 and smb2 operations()

If there is ->PreviousSessionId field in the session setup request,
the session of the previous connection should be destroyed.
During this, if the smb2 operation requests in the previous session are
being processed, a racy issue could happen with ksmbd_destroy_file_table().
This patch sets conn->status to KSMBD_SESS_NEED_RECONNECT to block
incoming operations and waits until on-going operations are complete
(i.e. idle) before destroying the previous session.

Fixes: c8efcc786146 ("ksmbd: add support for durable handles v1/v2")
Cc: stable(a)vger.kernel.org # v6.6+
Reported-by: zdi-disclosures(a)trendmicro.com # ZDI-CAN-25040
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>

diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
index 09e1e7771592..7889df8112b4 100644
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -165,11 +165,43 @@ void ksmbd_all_conn_set_status(u64 sess_id, u32 status)
 	up_read(&conn_list_lock);
 }

-void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id)
+void ksmbd_conn_wait_idle(struct ksmbd_conn *conn)
 {
 	wait_event(conn->req_running_q, atomic_read(&conn->req_running) < 2);
 }

+int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id)
+{
+	struct ksmbd_conn *conn;
+	int rc, retry_count = 0, max_timeout = 120;
+	int rcount = 1;
+
+retry_idle:
+	if (retry_count >= max_timeout)
+		return -EIO;
+
+	down_read(&conn_list_lock);
+	list_for_each_entry(conn, &conn_list, conns_list) {
+		if (conn->binding || xa_load(&conn->sessions, sess_id)) {
+			if (conn == curr_conn)
+				rcount = 2;
+			if (atomic_read(&conn->req_running) >= rcount) {
+				rc = wait_event_timeout(conn->req_running_q,
+					atomic_read(&conn->req_running) < rcount,
+					HZ);
+				if (!rc) {
+					up_read(&conn_list_lock);
+					retry_count++;
+					goto retry_idle;
+				}
+			}
+		}
+	}
+	up_read(&conn_list_lock);
+
+	return 0;
+}
+
 int ksmbd_conn_write(struct ksmbd_work *work)
 {
 	struct ksmbd_conn *conn = work->conn;
diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h
index 5c2845e47cf2..5b947175c048 100644
--- a/fs/smb/server/connection.h
+++ b/fs/smb/server/connection.h
@@ -145,7 +145,8 @@ extern struct list_head conn_list;
 extern struct rw_semaphore conn_list_lock;

 bool ksmbd_conn_alive(struct ksmbd_conn *conn);
-void ksmbd_conn_wait_idle(struct ksmbd_conn *conn, u64 sess_id);
+void ksmbd_conn_wait_idle(struct ksmbd_conn *conn);
+int ksmbd_conn_wait_idle_sess_id(struct ksmbd_conn *curr_conn, u64 sess_id);
 struct ksmbd_conn *ksmbd_conn_alloc(void);
 void ksmbd_conn_free(struct ksmbd_conn *conn);
 bool ksmbd_conn_lookup_dialect(struct ksmbd_conn *c);
diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
index 162a12685d2c..99416ce9f501 100644
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -311,6 +311,7 @@ void destroy_previous_session(struct ksmbd_conn *conn,
 {
 	struct ksmbd_session *prev_sess;
 	struct ksmbd_user *prev_user;
+	int err;

 	down_write(&sessions_table_lock);
 	down_write(&conn->session_lock);
@@ -325,8 +326,16 @@ void destroy_previous_session(struct ksmbd_conn *conn,
 	    memcmp(user->passkey, prev_user->passkey, user->passkey_sz))
 		goto out;

+	ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_RECONNECT);
+	err = ksmbd_conn_wait_idle_sess_id(conn, id);
+	if (err) {
+		ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
+		goto out;
+	}
+
 	ksmbd_destroy_file_table(&prev_sess->file_table);
 	prev_sess->state = SMB2_SESSION_EXPIRED;
+	ksmbd_all_conn_set_status(id, KSMBD_SESS_NEED_NEGOTIATE);
 	ksmbd_launch_ksmbd_durable_scavenger();
 out:
 	up_write(&conn->session_lock);
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 3f4c56a10a86..cb7f487c96af 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2213,7 +2213,7 @@ int smb2_session_logoff(struct ksmbd_work *work)
 	ksmbd_conn_unlock(conn);

 	ksmbd_close_session_fds(work);
-	ksmbd_conn_wait_idle(conn, sess_id);
+	ksmbd_conn_wait_idle(conn);

 	/*
 	 * Re-lookup session to validate if session is deleted

10 months, 3 weeks


[PATCH stable 6.10 1/2] bpf: Fix a kernel verifier crash in stacksafe()

by Shung-Hsi Yu

From: Yonghong Song <yonghong.song(a)linux.dev>

[ Upstream commit bed2eb964c70b780fb55925892a74f26cb590b25 ]

Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.

To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <eddyz87(a)gmail.com>
Reported-by: Daniel Hodges <hodgesd(a)meta.com>
Acked-by: Eduard Zingerman <eddyz87(a)gmail.com>
Signed-off-by: Yonghong Song <yonghong.song(a)linux.dev>
Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast(a)kernel.org>
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com>
---
I see this patch itself was already picked up[1] by Sasha. This thread
additionally includes the associated selftest that was sent in the same
series (not entirely sure if backporting selftest goes against the stable
backporting rule though).

1: https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/com…
---
 kernel/bpf/verifier.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a8845cc299fe..521bd7efae03 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16881,8 +16881,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
 		spi = i / BPF_REG_SIZE;

 		if (exact != NOT_EXACT &&
-		    old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
-		    cur->stack[spi].slot_type[i % BPF_REG_SIZE])
+		    (i >= cur->allocated_stack ||
+		     old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
+		     cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
 			return false;

 		if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)
-- 
2.46.0
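The bounds check added by the patch can be illustrated with a reduced user-space model. This is only a sketch: struct model_state and slots_match_exact() are hypothetical names, the per-slot byte arrays are flattened into one array per state, and only the exact-comparison part of stacksafe() is modelled.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical reduced state: one slot-type byte per stack byte. */
struct model_state {
	size_t allocated_stack;          /* number of valid entries in slot_type */
	const unsigned char *slot_type;
};

/*
 * Exact comparison driven by the old state's stack size. The bound check
 * comes first, so cur->slot_type[i] is only read when i is in range.
 */
static bool slots_match_exact(const struct model_state *old,
			      const struct model_state *cur)
{
	for (size_t i = 0; i < old->allocated_stack; i++) {
		if (i >= cur->allocated_stack ||
		    old->slot_type[i] != cur->slot_type[i])
			return false;
	}
	return true;
}
```

Because `||` short-circuits, a smaller current stack makes the comparison fail before any out-of-range read, which is the behaviour the commit message describes.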

10 months, 3 weeks


VCN power consumption improvement for 6.10.y

by Mario Limonciello

Hi,

The following patches in 6.11-rc1 help VCN power consumption on a lot of
modern products. Can we please take them to 6.10.y so more people can get
the power savings?

commit ecfa23c8df7e ("drm/amdgpu/vcn: identify unified queue in sw init")
commit 7d75ef3736a0 ("drm/amdgpu/vcn: not pause dpg for unified queue")

I've also sent out backports to both 6.6.y and 6.1.y separately.

Thanks!

10 months, 3 weeks


[PATCH AUTOSEL 5.15 01/47] drm/amd/display: Assign linear_pitch_alignment even for VM

by Sasha Levin

From: Alvin Lee <alvin.lee2(a)amd.com>

[ Upstream commit 984debc133efa05e62f5aa1a7a1dd8ca0ef041f4 ]

[Description]
Assign linear_pitch_alignment so we don't cause a divide by 0
error in VM environments

Reviewed-by: Sohaib Nadeem <sohaib.nadeem(a)amd.com>
Acked-by: Wayne Lin <wayne.lin(a)amd.com>
Signed-off-by: Alvin Lee <alvin.lee2(a)amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index ef151a1bc31cd..12e4beca5e840 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -1107,6 +1107,7 @@ struct dc *dc_create(const struct dc_init_data *init_params)
 		return NULL;

 	if (init_params->dce_environment == DCE_ENV_VIRTUAL_HW) {
+		dc->caps.linear_pitch_alignment = 64;
 		if (!dc_construct_ctx(dc, init_params))
 			goto destruct_dc;
 	} else {
-- 
2.43.0

10 months, 3 weeks


[PATCH AUTOSEL 6.10 001/121] drm/amd/display: Enable RCO for PHYSYMCLK in DCN35

by Sasha Levin

From: Daniel Miess <daniel.miess(a)amd.com>

[ Upstream commit f2303026a5b6327247ba61152d00199b2d1be294 ]

[Why & How]
Enable root clock optimization for PHYSYMCLK and only
disable it when it's actively being used

v2: Fix array-index-out-of-bounds in dcn35_calc_blocks_to_gate

Reviewed-by: Roman Li <roman.li(a)amd.com>
Reviewed-by: Charlene Liu <charlene.liu(a)amd.com>
Acked-by: Wayne Lin <wayne.lin(a)amd.com>
Signed-off-by: Daniel Miess <daniel.miess(a)amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
 drivers/gpu/drm/amd/display/dc/dc.h           |  1 +
 .../gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c | 45 -------------------
 .../amd/display/dc/hwss/dcn35/dcn35_hwseq.c   | 32 +++++++++++++
 .../amd/display/dc/hwss/dcn35/dcn35_hwseq.h   |  2 +
 .../amd/display/dc/hwss/dcn35/dcn35_init.c    |  1 +
 .../amd/display/dc/hwss/dcn351/dcn351_init.c  |  1 +
 .../display/dc/hwss/hw_sequencer_private.h    |  4 ++
 7 files changed, 41 insertions(+), 45 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h
index 3c33c3bcbe2cb..fe0025f2167fa 100644
--- a/drivers/gpu/drm/amd/display/dc/dc.h
+++ b/drivers/gpu/drm/amd/display/dc/dc.h
@@ -701,6 +701,7 @@ enum pg_hw_pipe_resources {
 	PG_OPTC,
 	PG_DPSTREAM,
 	PG_HDMISTREAM,
+	PG_PHYSYMCLK,
 	PG_HW_PIPE_RESOURCES_NUM_ELEMENT
 };

diff --git a/drivers/gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c b/drivers/gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c
index 58dd3c5bbff09..024dcf3057a05 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn35/dcn35_dccg.c
@@ -451,32 +451,22 @@ static void dccg35_set_physymclk_root_clock_gating(
 	case 0:
 		REG_UPDATE(DCCG_GATE_DISABLE_CNTL2,
 				PHYASYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
-//		REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//				PHYA_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
 		break;
 	case 1:
 		REG_UPDATE(DCCG_GATE_DISABLE_CNTL2,
 				PHYBSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
-//		REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//				PHYB_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
 		break;
 	case 2:
 		REG_UPDATE(DCCG_GATE_DISABLE_CNTL2,
 				PHYCSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
-//		REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//				PHYC_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
 		break;
 	case 3:
 		REG_UPDATE(DCCG_GATE_DISABLE_CNTL2,
 				PHYDSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
-//		REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//				PHYD_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
 		break;
 	case 4:
 		REG_UPDATE(DCCG_GATE_DISABLE_CNTL2,
 				PHYESYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
-//		REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//				PHYE_REFCLK_ROOT_GATE_DISABLE, enable ? 1 : 0);
 		break;
 	default:
 		BREAK_TO_DEBUGGER();
@@ -499,16 +489,10 @@ static void dccg35_set_physymclk(
 			REG_UPDATE_2(PHYASYMCLK_CLOCK_CNTL,
 					PHYASYMCLK_EN, 1,
 					PHYASYMCLK_SRC_SEL, clk_src);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYA_REFCLK_ROOT_GATE_DISABLE, 0);
 		} else {
 			REG_UPDATE_2(PHYASYMCLK_CLOCK_CNTL,
 					PHYASYMCLK_EN, 0,
 					PHYASYMCLK_SRC_SEL, 0);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYA_REFCLK_ROOT_GATE_DISABLE, 1);
 		}
 		break;
 	case 1:
@@ -516,16 +500,10 @@ static void dccg35_set_physymclk(
 			REG_UPDATE_2(PHYBSYMCLK_CLOCK_CNTL,
 					PHYBSYMCLK_EN, 1,
 					PHYBSYMCLK_SRC_SEL, clk_src);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYB_REFCLK_ROOT_GATE_DISABLE, 0);
 		} else {
 			REG_UPDATE_2(PHYBSYMCLK_CLOCK_CNTL,
 					PHYBSYMCLK_EN, 0,
 					PHYBSYMCLK_SRC_SEL, 0);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYB_REFCLK_ROOT_GATE_DISABLE, 1);
 		}
 		break;
 	case 2:
@@ -533,16 +511,10 @@ static void dccg35_set_physymclk(
 			REG_UPDATE_2(PHYCSYMCLK_CLOCK_CNTL,
 					PHYCSYMCLK_EN, 1,
 					PHYCSYMCLK_SRC_SEL, clk_src);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYC_REFCLK_ROOT_GATE_DISABLE, 0);
 		} else {
 			REG_UPDATE_2(PHYCSYMCLK_CLOCK_CNTL,
 					PHYCSYMCLK_EN, 0,
 					PHYCSYMCLK_SRC_SEL, 0);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYC_REFCLK_ROOT_GATE_DISABLE, 1);
 		}
 		break;
 	case 3:
@@ -550,16 +522,10 @@ static void dccg35_set_physymclk(
 			REG_UPDATE_2(PHYDSYMCLK_CLOCK_CNTL,
 					PHYDSYMCLK_EN, 1,
 					PHYDSYMCLK_SRC_SEL, clk_src);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYD_REFCLK_ROOT_GATE_DISABLE, 0);
 		} else {
 			REG_UPDATE_2(PHYDSYMCLK_CLOCK_CNTL,
 					PHYDSYMCLK_EN, 0,
 					PHYDSYMCLK_SRC_SEL, 0);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYD_REFCLK_ROOT_GATE_DISABLE, 1);
 		}
 		break;
 	case 4:
@@ -567,16 +533,10 @@ static void dccg35_set_physymclk(
 			REG_UPDATE_2(PHYESYMCLK_CLOCK_CNTL,
 					PHYESYMCLK_EN, 1,
 					PHYESYMCLK_SRC_SEL, clk_src);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYE_REFCLK_ROOT_GATE_DISABLE, 0);
 		} else {
 			REG_UPDATE_2(PHYESYMCLK_CLOCK_CNTL,
 					PHYESYMCLK_EN, 0,
 					PHYESYMCLK_SRC_SEL, 0);
-//			if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-//				REG_UPDATE(DCCG_GATE_DISABLE_CNTL4,
-//					PHYE_REFCLK_ROOT_GATE_DISABLE, 1);
 		}
 		break;
 	default:
@@ -714,11 +674,6 @@ void dccg35_init(struct dccg *dccg)
 			dccg35_set_dpstreamclk_root_clock_gating(dccg, otg_inst, false);
 		}

-	if (dccg->ctx->dc->debug.root_clock_optimization.bits.physymclk)
-		for (otg_inst = 0; otg_inst < 5; otg_inst++)
-			dccg35_set_physymclk_root_clock_gating(dccg, otg_inst,
-					false);
-
 	if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp)
 		for (otg_inst = 0; otg_inst < 4; otg_inst++)
 			dccg35_set_dppclk_root_clock_gating(dccg, otg_inst, 0);
diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c
index dcced89c07b38..5f60da72c6f58 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c
@@ -506,6 +506,17 @@ void dcn35_dpstream_root_clock_control(struct dce_hwseq *hws, unsigned int dp_hp
 	}
 }

+void dcn35_physymclk_root_clock_control(struct dce_hwseq *hws, unsigned int phy_inst, bool clock_on)
+{
+	if (!hws->ctx->dc->debug.root_clock_optimization.bits.physymclk)
+		return;
+
+	if (hws->ctx->dc->res_pool->dccg->funcs->set_physymclk_root_clock_gating) {
+		hws->ctx->dc->res_pool->dccg->funcs->set_physymclk_root_clock_gating(
+			hws->ctx->dc->res_pool->dccg, phy_inst, clock_on);
+	}
+}
+
 void dcn35_dsc_pg_control(
 		struct dce_hwseq *hws,
 		unsigned int dsc_inst,
@@ -1041,6 +1052,13 @@ void dcn35_calc_blocks_to_gate(struct dc *dc, struct dc_state *context,
 		if (pipe_ctx->stream_res.hpo_dp_stream_enc)
 			update_state->pg_pipe_res_update[PG_DPSTREAM][pipe_ctx->stream_res.hpo_dp_stream_enc->inst] = false;
 	}
+
+	for (i = 0; i < dc->link_count; i++) {
+		update_state->pg_pipe_res_update[PG_PHYSYMCLK][dc->links[i]->link_enc_hw_inst] = true;
+		if (dc->links[i]->type != dc_connection_none)
+			update_state->pg_pipe_res_update[PG_PHYSYMCLK][dc->links[i]->link_enc_hw_inst] = false;
+	}
+
 	/*domain24 controls all the otg, mpc, opp, as long as one otg is still up, avoid enabling OTG PG*/
 	for (i = 0; i < dc->res_pool->timing_generator_count; i++) {
 		struct timing_generator *tg = dc->res_pool->timing_generators[i];
@@ -1138,6 +1156,10 @@ void dcn35_calc_blocks_to_ungate(struct dc *dc, struct dc_state *context,
 		}
 	}

+	for (i = 0; i < dc->link_count; i++)
+		if (dc->links[i]->type != dc_connection_none)
+			update_state->pg_pipe_res_update[PG_PHYSYMCLK][dc->links[i]->link_enc_hw_inst] = true;
+
 	for (i = 0; i < dc->res_pool->hpo_dp_stream_enc_count; i++) {
 		if (context->res_ctx.is_hpo_dp_stream_enc_acquired[i] &&
 				dc->res_pool->hpo_dp_stream_enc[i]) {
@@ -1288,6 +1310,11 @@ void dcn35_root_clock_control(struct dc *dc,
 					dc->hwseq->funcs.dpstream_root_clock_control(dc->hwseq, i, power_on);
 		}

+		for (i = 0; i < dc->res_pool->dig_link_enc_count; i++)
+			if (update_state->pg_pipe_res_update[PG_PHYSYMCLK][i])
+				if (dc->hwseq->funcs.physymclk_root_clock_control)
+					dc->hwseq->funcs.physymclk_root_clock_control(dc->hwseq, i, power_on);
+
 	}
 	for (i = 0; i < dc->res_pool->res_cap->num_dsc; i++) {
 		if (update_state->pg_pipe_res_update[PG_DSC][i]) {
@@ -1313,6 +1340,11 @@ void dcn35_root_clock_control(struct dc *dc,
 					dc->hwseq->funcs.dpstream_root_clock_control(dc->hwseq, i, power_on);
 		}

+		for (i = 0; i < dc->res_pool->dig_link_enc_count; i++)
+			if (update_state->pg_pipe_res_update[PG_PHYSYMCLK][i])
+				if (dc->hwseq->funcs.physymclk_root_clock_control)
+					dc->hwseq->funcs.physymclk_root_clock_control(dc->hwseq, i, power_on);
+
 	}
 }

diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h
index f0ea7d1511ae6..e27b3609020ff 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.h
@@ -39,6 +39,8 @@ void dcn35_dpp_root_clock_control(struct dce_hwseq *hws, unsigned int dpp_inst,

 void dcn35_dpstream_root_clock_control(struct dce_hwseq *hws, unsigned int dp_hpo_inst, bool clock_on);

+void dcn35_physymclk_root_clock_control(struct dce_hwseq *hws, unsigned int phy_inst, bool clock_on);
+
 void dcn35_enable_power_gating_plane(struct dce_hwseq *hws, bool enable);

 void dcn35_set_dmu_fgcg(struct dce_hwseq *hws, bool enable);
diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c
index 199781233fd5f..987e09d9246e4 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_init.c
@@ -148,6 +148,7 @@ static const struct hwseq_private_funcs dcn35_private_funcs = {
 	.enable_power_gating_plane = dcn35_enable_power_gating_plane,
 	.dpp_root_clock_control = dcn35_dpp_root_clock_control,
 	.dpstream_root_clock_control = dcn35_dpstream_root_clock_control,
+	.physymclk_root_clock_control = dcn35_physymclk_root_clock_control,
 	.program_all_writeback_pipes_in_tree = dcn30_program_all_writeback_pipes_in_tree,
 	.update_odm = dcn35_update_odm,
 	.set_hdr_multiplier = dcn10_set_hdr_multiplier,
diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c
index a53092cd619b1..2e0d23ae8fee5 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn351/dcn351_init.c
@@ -147,6 +147,7 @@ static const struct hwseq_private_funcs dcn351_private_funcs = {
 	.enable_power_gating_plane = dcn35_enable_power_gating_plane,
 	.dpp_root_clock_control = dcn35_dpp_root_clock_control,
 	.dpstream_root_clock_control = dcn35_dpstream_root_clock_control,
+	.physymclk_root_clock_control = dcn35_physymclk_root_clock_control,
 	.program_all_writeback_pipes_in_tree = dcn30_program_all_writeback_pipes_in_tree,
 	.update_odm = dcn35_update_odm,
 	.set_hdr_multiplier = dcn10_set_hdr_multiplier,
diff --git a/drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer_private.h b/drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer_private.h
index 341219cf41442..9553a7d34c3e9 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer_private.h
+++ b/drivers/gpu/drm/amd/display/dc/hwss/hw_sequencer_private.h
@@ -124,6 +124,10 @@ struct hwseq_private_funcs {
 			struct dce_hwseq *hws,
 			unsigned int dpp_inst,
 			bool clock_on);
+	void (*physymclk_root_clock_control)(
+			struct dce_hwseq *hws,
+			unsigned int phy_inst,
+			bool clock_on);
 	void (*dpp_pg_control)(struct dce_hwseq *hws,
 			unsigned int dpp_inst,
 			bool power_on);
-- 
2.43.0

10 months, 3 weeks


[PATCH AUTOSEL 4.19 01/14] drm/amdgpu: fix overflowed array index read warning

by Sasha Levin

From: Tim Huang <Tim.Huang(a)amd.com>

[ Upstream commit ebbc2ada5c636a6a63d8316a3408753768f5aa9f ]

Clear overflowed array index read warning by cast operation.

Signed-off-by: Tim Huang <Tim.Huang(a)amd.com>
Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com>
Reviewed-by: Christian König <christian.koenig(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
index 93794a85f83d8..d1efab2270340 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
@@ -497,8 +497,9 @@ static ssize_t amdgpu_debugfs_ring_read(struct file *f, char __user *buf,
 					size_t size, loff_t *pos)
 {
 	struct amdgpu_ring *ring = file_inode(f)->i_private;
-	int r, i;
 	uint32_t value, result, early[3];
+	loff_t i;
+	int r;

 	if (*pos & 3 || size & 3)
 		return -EINVAL;
-- 
2.43.0

10 months, 3 weeks


[git:media_stage/master] media: videobuf2: Drop minimum allocation requirement of 2 buffers

by Laurent Pinchart

This is an automatic generated email to let you know that the following patch were queued:

Subject: media: videobuf2: Drop minimum allocation requirement of 2 buffers
Author:  Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Date:    Mon Aug 26 02:24:49 2024 +0300

When introducing the ability for drivers to indicate the minimum number
of buffers they require an application to allocate, commit 6662edcd32cc
("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue
structure") also introduced a global minimum of 2 buffers. It turns out
this breaks the Renesas R-Car VSP test suite, where a test that
allocates a single buffer fails when two buffers are used.

One may consider debatable whether test suite failures without failures
in production use cases should be considered as a regression, but
operation with a single buffer is a valid use case. While full frame
rate can't be maintained, memory-to-memory devices can still be used
with a decent efficiency, and requiring applications to allocate
multiple buffers for single-shot use cases with capture devices would
just waste memory.

For those reasons, fix the regression by dropping the global minimum of
buffers. Individual drivers can still set their own minimum.

Fixes: 6662edcd32cc ("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue structure")
Cc: stable(a)vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Reviewed-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
Acked-by: Tomasz Figa <tfiga(a)chromium.org>
Link: https://lore.kernel.org/r/20240825232449.25905-1-laurent.pinchart+renesas@i…
Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com>

 drivers/media/common/videobuf2/videobuf2-core.c | 7 -------
 1 file changed, 7 deletions(-)

---

diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
index 500a4e0c84ab..29a8d876e6c2 100644
--- a/drivers/media/common/videobuf2/videobuf2-core.c
+++ b/drivers/media/common/videobuf2/videobuf2-core.c
@@ -2632,13 +2632,6 @@ int vb2_core_queue_init(struct vb2_queue *q)
 	if (WARN_ON(q->supports_requests && q->min_queued_buffers))
 		return -EINVAL;

-	/*
-	 * The minimum requirement is 2: one buffer is used
-	 * by the hardware while the other is being processed by userspace.
-	 */
-	if (q->min_reqbufs_allocation < 2)
-		q->min_reqbufs_allocation = 2;
-
 	/*
 	 * If the driver needs 'min_queued_buffers' in the queue before
 	 * calling start_streaming() then the minimum requirement is

10 months, 3 weeks


[PATCH] media: videobuf2: Drop minimum allocation requirement of 2 buffers

by Laurent Pinchart

When introducing the ability for drivers to indicate the minimum number
of buffers they require an application to allocate, commit 6662edcd32cc
("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue
structure") also introduced a global minimum of 2 buffers. It turns out
this breaks the Renesas R-Car VSP test suite, where a test that
allocates a single buffer fails when two buffers are used.

One may consider debatable whether test suite failures without failures
in production use cases should be considered as a regression, but
operation with a single buffer is a valid use case. While full frame
rate can't be maintained, memory-to-memory devices can still be used
with a decent efficiency, and requiring applications to allocate
multiple buffers for single-shot use cases with capture devices would
just waste memory.

For those reasons, fix the regression by dropping the global minimum of
buffers. Individual drivers can still set their own minimum.

Fixes: 6662edcd32cc ("media: videobuf2: Add min_reqbufs_allocation field to vb2_queue structure")
Cc: stable(a)vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
---
 drivers/media/common/videobuf2/videobuf2-core.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
index 500a4e0c84ab..29a8d876e6c2 100644
--- a/drivers/media/common/videobuf2/videobuf2-core.c
+++ b/drivers/media/common/videobuf2/videobuf2-core.c
@@ -2632,13 +2632,6 @@ int vb2_core_queue_init(struct vb2_queue *q)
 	if (WARN_ON(q->supports_requests && q->min_queued_buffers))
 		return -EINVAL;

-	/*
-	 * The minimum requirement is 2: one buffer is used
-	 * by the hardware while the other is being processed by userspace.
-	 */
-	if (q->min_reqbufs_allocation < 2)
-		q->min_reqbufs_allocation = 2;
-
 	/*
 	 * If the driver needs 'min_queued_buffers' in the queue before
 	 * calling start_streaming() then the minimum requirement is

base-commit: a043ea54bbb975ca9239c69fd17f430488d33522
-- 
Regards,

Laurent Pinchart

10 months, 3 weeks


[PATCH v5] EDAC/ti: Fix possible null pointer dereference in _emif_get_id()

by Ma Ke

In _emif_get_id(), of_get_address() may return NULL which is later
dereferenced. Fix this bug by adding NULL check.

Found by code review.

Cc: stable(a)vger.kernel.org
Fixes: 86a18ee21e5e ("EDAC, ti: Add support for TI keystone and DRA7xx EDAC")
Reported-by: kernel test robot <lkp(a)intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202408160935.A6QFliqt-lkp@intel.com/
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
Changes in v5:
- According to the developer's suggestion, added an inspection of function
  of_translate_address(). However, kernel test robot reported a build
  warning, so the inspection is removed here, reverting to the modification
  solution of patch v3.
Changes in v4:
- added the check of of_translate_address() as suggestions.
Changes in v3:
- added the patch operations omitted in PATCH v2 RESEND compared to PATCH
  v2. Sorry for my oversight.
Changes in v2:
- added Cc stable line.
---
 drivers/edac/ti_edac.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c
index 29723c9592f7..6f3da8d99eab 100644
--- a/drivers/edac/ti_edac.c
+++ b/drivers/edac/ti_edac.c
@@ -207,6 +207,9 @@ static int _emif_get_id(struct device_node *node)
 	int my_id = 0;

 	addrp = of_get_address(node, 0, NULL, NULL);
+	if (!addrp)
+		return -EINVAL;
+
 	my_addr = (u32)of_translate_address(node, addrp);

 	for_each_matching_node(np, ti_edac_of_match) {
@@ -214,6 +217,9 @@ static int _emif_get_id(struct device_node *node)
 			continue;

 		addrp = of_get_address(np, 0, NULL, NULL);
+		if (!addrp)
+			return -EINVAL;
+
 		addr = (u32)of_translate_address(np, addrp);

 		edac_printk(KERN_INFO, EDAC_MOD_NAME,
-- 
2.25.1

10 months, 3 weeks


[PATCH net v2] ionic: Prevent tx_timeout due to frequent doorbell ringing

by Brett Creeley

With recent work to the doorbell workaround code a small hole was
introduced that could cause a tx_timeout. This happens if the rx
dbell_deadline goes beyond the netdev watchdog timeout set by the driver
(i.e. 2 seconds). Fix this by changing the netdev watchdog timeout to 5
seconds and reduce the max rx dbell_deadline to 4 seconds.

The test that can reproduce the issue being fixed is a multi-queue send
test via pktgen with the "burst" setting to 1. This causes the queue's
doorbell to be rung on every packet sent to the driver, which may result
in the device missing doorbells due to the high doorbell rate.

Cc: stable(a)vger.kernel.org
Fixes: 4ded136c78f8 ("ionic: add work item for missed-doorbell check")
Signed-off-by: Brett Creeley <brett.creeley(a)amd.com>
Reviewed-by: Shannon Nelson <shannon.nelson(a)amd.com>
---
v2:
- Drop budget == 0 patch to expedite getting this patch merged due to
  the budget == 0 patch being more complicated than we originally thought.

v1:
- https://lore.kernel.org/netdev/20240813234122.53083-1-brett.creeley@amd.com/

 drivers/net/ethernet/pensando/ionic/ionic_dev.h | 2 +-
 drivers/net/ethernet/pensando/ionic/ionic_lif.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h
index c647033f3ad2..f2f07bf88545 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h
+++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h
@@ -32,7 +32,7 @@
 #define IONIC_ADMIN_DOORBELL_DEADLINE	(HZ / 2)	/* 500ms */
 #define IONIC_TX_DOORBELL_DEADLINE	(HZ / 100)	/* 10ms */
 #define IONIC_RX_MIN_DOORBELL_DEADLINE	(HZ / 100)	/* 10ms */
-#define IONIC_RX_MAX_DOORBELL_DEADLINE	(HZ * 5)	/* 5s */
+#define IONIC_RX_MAX_DOORBELL_DEADLINE	(HZ * 4)	/* 4s */

 struct ionic_dev_bar {
 	void __iomem *vaddr;
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
index aa0cc31dfe6e..86774d9922d8 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
@@ -3220,7 +3220,7 @@ int ionic_lif_alloc(struct ionic *ionic)
 	netdev->netdev_ops = &ionic_netdev_ops;
 	ionic_ethtool_set_ops(netdev);

-	netdev->watchdog_timeo = 2 * HZ;
+	netdev->watchdog_timeo = 5 * HZ;
 	netif_carrier_off(netdev);

 	lif->identity = lid;
-- 
2.17.1
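The timing relationship described in this patch can be checked with a small user-space sketch. This is only an illustration: HZ is given an assumed value, and the OLD_/NEW_ macro names and deadline_fits() are hypothetical names, not driver symbols. The numbers themselves come from the diff.

```c
#include <assert.h>

#define HZ 250	/* assumed tick rate for this sketch; any positive value works */

/* Values before the patch (from the removed lines of the diff). */
#define OLD_RX_MAX_DOORBELL_DEADLINE	(HZ * 5)	/* 5s */
#define OLD_WATCHDOG_TIMEO		(2 * HZ)	/* 2s */

/* Values after the patch (from the added lines of the diff). */
#define NEW_RX_MAX_DOORBELL_DEADLINE	(HZ * 4)	/* 4s */
#define NEW_WATCHDOG_TIMEO		(5 * HZ)	/* 5s */

/*
 * Hypothetical helper: returns 1 when the longest rx doorbell deadline
 * expires before the netdev watchdog would fire, 0 otherwise.
 */
static int deadline_fits(long max_deadline, long watchdog_timeo)
{
	assert(max_deadline > 0 && watchdog_timeo > 0);
	return max_deadline < watchdog_timeo;
}
```

With the old values the maximum deadline (5s) exceeds the watchdog timeout (2s), so deadline_fits() returns 0; with the new values (4s against 5s) it returns 1.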

10 months, 3 weeks


[PATCH net 2/2] net: mctp-serial: Fix missing escapes on transmit

by Matt Johnston

0x7d and 0x7e bytes are meant to be escaped in the data portion of
frames, but this didn't occur since next_chunk_len() had an off-by-one
error. That also resulted in the final byte of a payload being written
as a separate tty write op.

The chunk prior to an escaped byte would be one byte short, and the
next call would never test the txpos+1 case, which is where the escaped
byte was located. That meant it never hit the escaping case in
mctp_serial_tx_work().

Example Input: 01 00 08 c8 7e 80 02

Previous incorrect chunks from next_chunk_len():

01 00 08
c8 7e 80
02

With this fix:

01 00 08 c8
7e
80 02

Cc: stable(a)vger.kernel.org
Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding")
Signed-off-by: Matt Johnston <matt(a)codeconstruct.com.au>
---
 drivers/net/mctp/mctp-serial.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c
index d7db11355909..82890e983847 100644
--- a/drivers/net/mctp/mctp-serial.c
+++ b/drivers/net/mctp/mctp-serial.c
@@ -91,8 +91,8 @@ static int next_chunk_len(struct mctp_serial *dev)
 	 * will be those non-escaped bytes, and does not include the escaped
 	 * byte.
 	 */
-	for (i = 1; i + dev->txpos + 1 < dev->txlen; i++) {
-		if (needs_escape(dev->txbuf[dev->txpos + i + 1]))
+	for (i = 1; i + dev->txpos < dev->txlen; i++) {
+		if (needs_escape(dev->txbuf[dev->txpos + i]))
 			break;
 	}

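The off-by-one can be reproduced outside the kernel with a minimal user-space sketch. chunk_len() and split_chunks() below are hypothetical stand-ins for next_chunk_len() and its caller; the `fixed` flag switches between the loop bounds before and after the patch. The early return for an escaped byte at txpos is an assumption, since that part of the function is not shown in the hunk.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Bytes that must be escaped in the data portion (per the commit text). */
static int needs_escape(uint8_t c)
{
	return c == 0x7d || c == 0x7e;
}

/*
 * Hypothetical stand-in for next_chunk_len(). fixed == 0 uses the loop
 * bounds from the removed lines, fixed == 1 the bounds from the added
 * lines. Assumption: a byte needing escape at txpos forms a chunk of 1.
 */
static size_t chunk_len(const uint8_t *txbuf, size_t txlen, size_t txpos,
			int fixed)
{
	size_t i, off = fixed ? 0 : 1;

	assert(txpos < txlen);
	if (needs_escape(txbuf[txpos]))
		return 1;

	for (i = 1; i + txpos + off < txlen; i++) {
		if (needs_escape(txbuf[txpos + i + off]))
			break;
	}
	return i;
}

/* Split txbuf into chunks; store each length in out[], return the count. */
static size_t split_chunks(const uint8_t *txbuf, size_t txlen, int fixed,
			   size_t *out, size_t max_out)
{
	size_t pos = 0, n = 0;

	while (pos < txlen && n < max_out) {
		out[n] = chunk_len(txbuf, txlen, pos, fixed);
		pos += out[n++];
	}
	return n;
}
```

For the example input 01 00 08 c8 7e 80 02, split_chunks() yields chunk lengths 3, 3, 1 with the old bounds and 4, 1, 2 with the fixed bounds, so only the fixed version isolates 0x7e in its own chunk where it can be escaped.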

10 months, 3 weeks


[PATCH] drm/sched: Fix UB pointer dereference

by Philipp Stanner

In drm_sched_job_init(), commit 56e449603f0a ("drm/sched: Convert the
GPU scheduler to variable number of run-queues") implemented a call to
drm_err(), which uses the job's scheduler pointer as a parameter.
job->sched, however, is not yet valid as it gets set by
drm_sched_job_arm(), which is always called after drm_sched_job_init().

Since the scheduler code has no control over how the API-User has
allocated or set 'job', the pointer's dereference is undefined behavior.

Fix the UB by replacing drm_err() with pr_err().

Cc: <stable(a)vger.kernel.org> # 6.7+
Fixes: 56e449603f0a ("drm/sched: Convert the GPU scheduler to variable number of run-queues")
Reported-by: Danilo Krummrich <dakr(a)redhat.com>
Closes: https://lore.kernel.org/lkml/20231108022716.15250-1-dakr@redhat.com/
Signed-off-by: Philipp Stanner <pstanner(a)redhat.com>
---
 drivers/gpu/drm/scheduler/sched_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
index 7e90c9f95611..356c30fa24a8 100644
--- a/drivers/gpu/drm/scheduler/sched_main.c
+++ b/drivers/gpu/drm/scheduler/sched_main.c
@@ -797,7 +797,7 @@ int drm_sched_job_init(struct drm_sched_job *job,
 		 * or worse--a blank screen--leave a trail in the
 		 * logs, so this can be debugged easier.
 		 */
-		drm_err(job->sched, "%s: entity has no rq!\n", __func__);
+		pr_err("*ERROR* %s: entity has no rq!\n", __func__);
 		return -ENOENT;
 	}

-- 
2.46.0

10 months, 3 weeks


[PATCH net 00/15] mptcp: more fixes for the in-kernel PM

by Matthieu Baerts (NGI0)

Here is a new batch of fixes for the MPTCP in-kernel path-manager:

Patch 1 ensures the address ID is set to 0 when the path-manager sends
an ADD_ADDR for the address of the initial subflow. The same fix is
applied when a new subflow is created re-using this special address. A
fix for v6.0.

Patch 2 is similar, but for the case where an endpoint is removed: if
this endpoint was used for the initial address, it is important to send
a RM_ADDR with this ID set to 0, and look for existing subflows with the
ID set to 0. A fix for v6.0 as well.

Patch 3 validates the two previous patches.

Patch 4 makes the PM selecting an "active" path to send an address
notification in an ACK, instead of taking the first path in the list. A
fix for v5.11.

Patch 5 fixes skipping the establishment of a new subflow if a previous
subflow using the same pair of addresses is being closed. A fix for
v5.13.

Patch 6 resets the ID linked to the initial subflow when the linked
endpoint is re-added, possibly with a different ID. A fix for v6.0.

Patch 7 validates the three previous patches.

Patch 8 is a small fix for the MPTCP Join selftest, when being used with
older subflows not supporting all MIB counters. A fix for a commit
introduced in v6.4, but backported up to v5.10.

Patch 9 avoids the PM to try to close the initial subflow multiple
times, and increment counters while nothing happened. A fix for v5.10.

Patch 10 stops incrementing local_addr_used and add_addr_accepted
counters when dealing with the address ID 0, because these counters are
not taking into account the initial subflow, and are then not
decremented when the linked addresses are removed. A fix for v6.0.

Patch 11 validates the previous patch.

Patch 12 avoids the PM to send multiple SUB_CLOSED events for the
initial subflow. A fix for v5.12.

Patch 13 validates the previous patch.

Patch 14 stops treating the ADD_ADDR 0 as a new address, and accepts it
in order to re-create the initial subflow if it has been closed, even if
the limit for *new* addresses -- not taking into account the address of
the initial subflow -- has been reached. A fix for v5.10.

Patch 15 validates the previous patch.

Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org>
---
Matthieu Baerts (NGI0) (15):
      mptcp: pm: reuse ID 0 after delete and re-add
      mptcp: pm: fix RM_ADDR ID for the initial subflow
      selftests: mptcp: join: check removing ID 0 endpoint
      mptcp: pm: send ACK on an active subflow
      mptcp: pm: skip connecting to already established sf
      mptcp: pm: reset MPC endp ID when re-added
      selftests: mptcp: join: check re-adding init endp with != id
      selftests: mptcp: join: no extra msg if no counter
      mptcp: pm: do not remove already closed subflows
      mptcp: pm: fix ID 0 endp usage after multiple re-creations
      selftests: mptcp: join: check re-re-adding ID 0 endp
      mptcp: avoid duplicated SUB_CLOSED events
      selftests: mptcp: join: validate event numbers
      mptcp: pm: ADD_ADDR 0 is not a new address
      selftests: mptcp: join: check re-re-adding ID 0 signal

 net/mptcp/pm.c                                  |   4 +-
 net/mptcp/pm_netlink.c                          |  87 ++++++++++----
 net/mptcp/protocol.c                            |   6 +
 net/mptcp/protocol.h                            |   5 +-
 tools/testing/selftests/net/mptcp/mptcp_join.sh | 149 ++++++++++++++++++++----
 tools/testing/selftests/net/mptcp/mptcp_lib.sh  |   4 +
 6 files changed, 207 insertions(+), 48 deletions(-)
---
base-commit: 8af174ea863c72f25ce31cee3baad8a301c0cf0f
change-id: 20240826-net-mptcp-more-pm-fix-ffa61a36f817

Best regards,
-- 
Matthieu Baerts (NGI0) <matttbe(a)kernel.org>

10 months, 3 weeks


[PATCH] x86/hyperv: fix kexec crash due to VP assist page corruption

by Anirudh Rayabharam

From: Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com>

9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs
go online/offline") introduces a new cpuhp state for hyperv
initialization.

cpuhp_setup_state() returns the state number if state is
CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN and 0 for all other states.
For the hyperv case, since a new cpuhp state was introduced it would
return 0. However, in hv_machine_shutdown(), the cpuhp_remove_state()
call is conditioned upon "hyperv_init_cpuhp > 0". This will never be
true and so hv_cpu_die() won't be called on all CPUs. This means the VP
assist page won't be reset. When the kexec kernel tries to setup the VP
assist page again, the hypervisor corrupts the memory region of the old
VP assist page causing a panic in case the kexec kernel is using that
memory elsewhere. This was originally fixed in dfe94d4086e4
("x86/hyperv: Fix kexec panic/hang issues").

Set hyperv_init_cpuhp to CPUHP_AP_HYPERV_ONLINE upon successful setup so
that the hyperv cpuhp state is removed correctly on kexec and the
necessary cleanup takes place.

Cc: stable(a)vger.kernel.org
Fixes: 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline")
Signed-off-by: Anirudh Rayabharam (Microsoft) <anirudh(a)anirudhrb.com>
---
 arch/x86/hyperv/hv_init.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
index 17a71e92a343..81d1981a75d1 100644
--- a/arch/x86/hyperv/hv_init.c
+++ b/arch/x86/hyperv/hv_init.c
@@ -607,7 +607,7 @@ void __init hyperv_init(void)

 	register_syscore_ops(&hv_syscore_ops);

-	hyperv_init_cpuhp = cpuhp;
+	hyperv_init_cpuhp = CPUHP_AP_HYPERV_ONLINE;

 	if (cpuid_ebx(HYPERV_CPUID_FEATURES) & HV_ACCESS_PARTITION_ID)
 		hv_get_partition_id();
@@ -637,7 +637,7 @@ void __init hyperv_init(void)
 clean_guest_os_id:
 	wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0);
 	hv_ivm_msr_write(HV_X64_MSR_GUEST_OS_ID, 0);
-	cpuhp_remove_state(cpuhp);
+	cpuhp_remove_state(CPUHP_AP_HYPERV_ONLINE);
 free_ghcb_page:
 	free_percpu(hv_ghcb_pg);
 free_vp_assist_page:
-- 
2.45.2
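The return-value pitfall described in the commit message can be modelled in user space. The sketch below is not kernel code: every sim_ name and the numeric state values are hypothetical, and sim_cpuhp_setup_state() only mimics the return convention as the commit message states it (state number for the two dynamic states, 0 otherwise).

```c
#include <assert.h>

/* Illustrative state numbers only; the real enum cpuhp_state values differ. */
enum sim_cpuhp_state {
	SIM_CPUHP_BP_PREPARE_DYN = 10,
	SIM_CPUHP_AP_HYPERV_ONLINE = 20,
	SIM_CPUHP_AP_ONLINE_DYN = 30,
};

/* Return convention as described in the commit message (simplified). */
static int sim_cpuhp_setup_state(enum sim_cpuhp_state state)
{
	if (state == SIM_CPUHP_AP_ONLINE_DYN ||
	    state == SIM_CPUHP_BP_PREPARE_DYN)
		return state;	/* dynamic states report a positive number */
	return 0;		/* fixed states report plain success */
}

static int sim_hyperv_init_cpuhp;

/* patched == 0 stores the return value, patched == 1 stores the state. */
static void sim_hyperv_init(int patched)
{
	int cpuhp = sim_cpuhp_setup_state(SIM_CPUHP_AP_HYPERV_ONLINE);

	assert(cpuhp >= 0);	/* negative would mean setup failed */
	sim_hyperv_init_cpuhp = patched ? SIM_CPUHP_AP_HYPERV_ONLINE : cpuhp;
}

/* Mirrors the "hyperv_init_cpuhp > 0" check quoted in the commit message. */
static int sim_shutdown_removes_state(void)
{
	return sim_hyperv_init_cpuhp > 0;
}
```

Calling sim_hyperv_init(0) leaves sim_shutdown_removes_state() returning 0, which corresponds to the skipped cleanup; after sim_hyperv_init(1) it returns 1.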

10 months, 3 weeks


[PATCH] wifi: wfx: repair open network AP mode

by A. Sverdlin

From: Alexander Sverdlin <alexander.sverdlin(a)siemens.com>

RSN IE missing in beacon is normal in open networks.
Avoid returning -ENODEV in this case.

Steps to reproduce:

$ cat /etc/wpa_supplicant.conf
network={
	ssid="testNet"
	mode=2
	key_mgmt=NONE
}

$ wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf
nl80211: Beacon set failed: -22 (Invalid argument)
Failed to set beacon parameters
Interface initialization failed
wlan0: interface state UNINITIALIZED->DISABLED
wlan0: AP-DISABLED
wlan0: Unable to setup interface.
Failed to initialize AP interface

After the change:

$ wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED

Cc: stable(a)vger.kernel.org
Fixes: fe0a7776d4d1 ("wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin(a)siemens.com>
---
 drivers/net/wireless/silabs/wfx/sta.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/silabs/wfx/sta.c b/drivers/net/wireless/silabs/wfx/sta.c
index 216d43c8bd6e..7c04810dbf3d 100644
--- a/drivers/net/wireless/silabs/wfx/sta.c
+++ b/drivers/net/wireless/silabs/wfx/sta.c
@@ -352,8 +352,11 @@ static int wfx_set_mfp_ap(struct wfx_vif *wvif)

 	ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset,
 				      skb->len - ieoffset);
-	if (unlikely(!ptr))
+	if (!ptr) {
+		/* No RSN IE is fine in open networks */
+		ret = 0;
 		goto free_skb;
+	}

 	ptr += pairwise_cipher_suite_count_offset;
 	if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
-- 
2.46.0
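The control-flow change can be illustrated with a user-space sketch. find_ie() below is a simplified, hypothetical stand-in for cfg80211_find_ie(), and check_rsn() is a hypothetical reduction of wfx_set_mfp_ap() to the one decision this patch touches. The -ENODEV starting value is taken from the commit text; the rest of the real function (RSN capability parsing) is left out.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define EID_RSN 48	/* RSN element ID (WLAN_EID_RSN in the kernel) */

/* Walk id/len/payload elements; return the first match or NULL. */
static const uint8_t *find_ie(uint8_t eid, const uint8_t *ies, size_t len)
{
	size_t pos = 0;

	/* Stop at a truncated header or an element overrunning the buffer. */
	while (len - pos >= 2 && (size_t)ies[pos + 1] + 2 <= len - pos) {
		if (ies[pos] == eid)
			return &ies[pos];
		pos += (size_t)ies[pos + 1] + 2;
	}
	return NULL;
}

/*
 * patched == 0: a missing RSN element keeps the pre-set error.
 * patched == 1: a missing RSN element is treated as an open network.
 */
static int check_rsn(const uint8_t *ies, size_t len, int patched,
		     int *has_rsn)
{
	int ret = -ENODEV;	/* pre-set error, per the commit text */
	const uint8_t *rsn;

	assert(ies && has_rsn);
	*has_rsn = 0;

	rsn = find_ie(EID_RSN, ies, len);
	if (!rsn) {
		if (patched)
			ret = 0;	/* no RSN IE is fine in open networks */
		return ret;
	}

	*has_rsn = 1;	/* the real driver parses RSN capabilities here */
	return 0;
}
```

For a beacon body that carries only an SSID element, check_rsn() returns -ENODEV with patched == 0 and 0 with patched == 1; a body that does contain an RSN element returns 0 either way and sets *has_rsn.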

10 months, 3 weeks


FAILED: patch "[PATCH] igc: Fix qbv tx latency by setting gtxoffset" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082742-getting-scoured-1475@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..

Possible dependencies:

6c3fc0b1c3d0 ("igc: Fix qbv tx latency by setting gtxoffset")
790835fcc0cb ("igc: Correct the launchtime offset")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001
From: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com>
Date: Sun, 7 Jul 2024 08:53:18 -0400
Subject: [PATCH] igc: Fix qbv tx latency by setting gtxoffset

A large tx latency issue was discovered during testing when only QBV was
enabled. The issue occurs because gtxoffset was not set when QBV is
active, it was only set when launch time is active.

The patch "igc: Correct the launchtime offset" only sets gtxoffset when
the launchtime_enable field is set by the user. Enabling
launchtime_enable ultimately sets the register
IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as LaunchT in the SW user
manual).

Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states:
"The latency between transmission scheduling (launch time) and the
time the packet is transmitted to the network is listed in Table 7-61."

However, the patch misinterprets the phrase "launch time" in that
section by assuming it specifically refers to the LaunchT register,
whereas it actually denotes the generic term for when a packet is
released from the internal buffer to the MAC transmit logic.

This launch time, as per that section, also implicitly refers to the QBV
gate open time, where a packet waits in the buffer for the QBV gate to
open. Therefore, latency applies whenever QBV is in use. TSN features
such as QBU and QAV reuse QBV, making the latency universal to TSN
features.

Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that
the term "launch time" used in Section 7.5.2.6 is not clear and can be
easily misinterpreted. Avi will update this section to:
"When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission
scheduling and the time the packet is transmitted to the network is
listed in Table 7-61."

Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to
write to gtxoffset, aligning with the newly updated SW User Manual.

Tested:
1. Enrol taprio on talker board
   base-time 0
   cycle-time 1000000
   flags 0x2
   index 0 cmd S gatemask 0x1 interval1
   index 0 cmd S gatemask 0x1 interval2

   Note:
   interval1 = interval for a 64 bytes packet to go through
   interval2 = cycle-time - interval1

2. Take tcpdump on listener board

3. Use udp tai app on talker to send packets to listener

4. Check the timestamp on listener via wireshark

Test Result:
100 Mbps: 113 ~193 ns
1000 Mbps: 52 ~ 84 ns
2500 Mbps: 95 ~ 223 ns

Note that the test result is similar to the patch "igc: Correct the
launchtime offset".

Fixes: 790835fcc0cb ("igc: Correct the launchtime offset")
Signed-off-by: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com>
Reviewed-by: Simon Horman <horms(a)kernel.org>
Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com>

diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
index ada751430517..d68fa7f3d5f0 100644
--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
+++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
@@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter)
 	struct igc_hw *hw = &adapter->hw;
 	u16 txoffset;

-	if (!is_any_launchtime(adapter))
+	if (!igc_tsn_is_tx_mode_in_tsn(adapter))
 		return;

 	switch (adapter->link_speed) {

10 months, 3 weeks


FAILED: patch "[PATCH] igc: Fix qbv tx latency by setting gtxoffset" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082740-citadel-facelift-bc00@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 6c3fc0b1c3d0 ("igc: Fix qbv tx latency by setting gtxoffset") 790835fcc0cb ("igc: Correct the launchtime offset") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 6c3fc0b1c3d073bd6fc3bf43dbd0e64240537464 Mon Sep 17 00:00:00 2001 From: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Date: Sun, 7 Jul 2024 08:53:18 -0400 Subject: [PATCH] igc: Fix qbv tx latency by setting gtxoffset A large tx latency issue was discovered during testing when only QBV was enabled. The issue occurs because gtxoffset was not set when QBV is active, it was only set when launch time is active. The patch "igc: Correct the launchtime offset" only sets gtxoffset when the launchtime_enable field is set by the user. Enabling launchtime_enable ultimately sets the register IGC_TXQCTL_QUEUE_MODE_LAUNCHT (referred to as LaunchT in the SW user manual). Section 7.5.2.6 of the IGC i225/6 SW User Manual Rev 1.2.4 states: "The latency between transmission scheduling (launch time) and the time the packet is transmitted to the network is listed in Table 7-61." 
However, the patch misinterprets the phrase "launch time" in that section by assuming it specifically refers to the LaunchT register, whereas it actually denotes the generic term for when a packet is released from the internal buffer to the MAC transmit logic. This launch time, as per that section, also implicitly refers to the QBV gate open time, where a packet waits in the buffer for the QBV gate to open. Therefore, latency applies whenever QBV is in use. TSN features such as QBU and QAV reuse QBV, making the latency universal to TSN features. Discussed with i226 HW owner (Shalev, Avi) and we were in agreement that the term "launch time" used in Section 7.5.2.6 is not clear and can be easily misinterpreted. Avi will update this section to: "When TQAVCTRL.TRANSMIT_MODE = TSN, the latency between transmission scheduling and the time the packet is transmitted to the network is listed in Table 7-61." Fix this issue by using igc_tsn_is_tx_mode_in_tsn() as a condition to write to gtxoffset, aligning with the newly updated SW User Manual. Tested: 1. Enrol taprio on talker board base-time 0 cycle-time 1000000 flags 0x2 index 0 cmd S gatemask 0x1 interval1 index 0 cmd S gatemask 0x1 interval2 Note: interval1 = interval for a 64 bytes packet to go through interval2 = cycle-time - interval1 2. Take tcpdump on listener board 3. Use udp tai app on talker to send packets to listener 4. Check the timestamp on listener via wireshark Test Result: 100 Mbps: 113 ~193 ns 1000 Mbps: 52 ~ 84 ns 2500 Mbps: 95 ~ 223 ns Note that the test result is similar to the patch "igc: Correct the launchtime offset". 
Fixes: 790835fcc0cb ("igc: Correct the launchtime offset") Signed-off-by: Faizal Rahim <faizal.abdul.rahim(a)linux.intel.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Acked-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Tested-by: Mor Bar-Gabay <morx.bar.gabay(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c index ada751430517..d68fa7f3d5f0 100644 --- a/drivers/net/ethernet/intel/igc/igc_tsn.c +++ b/drivers/net/ethernet/intel/igc/igc_tsn.c @@ -61,7 +61,7 @@ void igc_tsn_adjust_txtime_offset(struct igc_adapter *adapter) struct igc_hw *hw = &adapter->hw; u16 txoffset; - if (!is_any_launchtime(adapter)) + if (!igc_tsn_is_tx_mode_in_tsn(adapter)) return; switch (adapter->link_speed) {

10 months, 3 weeks


FAILED: patch "[PATCH] ksmbd: the buffer of smb2 query dir response has at least 1" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x ce61b605a00502c59311d0a4b1f58d62b48272d0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082604-depose-iphone-7d55@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: ce61b605a005 ("ksmbd: the buffer of smb2 query dir response has at least 1 byte") e2b76ab8b5c9 ("ksmbd: add support for read compound") e202a1e8634b ("ksmbd: no response from compound read") 7b7d709ef7cf ("ksmbd: add missing compound request handing in some commands") 81a94b27847f ("ksmbd: use kvzalloc instead of kvmalloc") 38c8a9a52082 ("smb: move client and server files to common directory fs/smb") 30210947a343 ("ksmbd: fix racy issue under cocurrent smb2 tree disconnect") abcc506a9a71 ("ksmbd: fix racy issue from smb2 close and logoff with multichannel") ea174a918939 ("ksmbd: destroy expired sessions") f5c779b7ddbd ("ksmbd: fix racy issue from session setup and logoff") 74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name") 34e8ccf9ce24 ("ksmbd: set NegotiateContextCount once instead of every inc") 42bc6793e452 ("Merge tag 'pull-lock_rename_child' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into ksmbd-for-next") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From ce61b605a00502c59311d0a4b1f58d62b48272d0 Mon Sep 17 00:00:00 2001 From: Namjae Jeon <linkinjeon(a)kernel.org> Date: Tue, 20 Aug 2024 22:07:38 +0900 Subject: [PATCH] ksmbd: the buffer of smb2 query dir response has at least 1 byte When 
STATUS_NO_MORE_FILES status is set to smb2 query dir response, ->StructureSize is set to 9, which mean buffer has 1 byte. This issue occurs because ->Buffer[1] in smb2_query_directory_rsp to flex-array. Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays") Cc: stable(a)vger.kernel.org # v6.1+ Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 0bc9edf22ba4..e9204180919e 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -4409,7 +4409,8 @@ int smb2_query_dir(struct ksmbd_work *work) rsp->OutputBufferLength = cpu_to_le32(0); rsp->Buffer[0] = 0; rc = ksmbd_iov_pin_rsp(work, (void *)rsp, - sizeof(struct smb2_query_directory_rsp)); + offsetof(struct smb2_query_directory_rsp, Buffer) + + 1); if (rc) goto err_out; } else {
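The size difference behind this fix can be sketched in userspace. The two structs below are hypothetical, much-reduced stand-ins (not the real smb2_query_directory_rsp layout), and the helper names are invented for illustration. The sketch assumes GCC or Clang for the packed attribute. It shows that sizeof() stops counting the trailing byte once a 1-element array becomes a flexible array member, while offsetof() + 1 still covers it.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Hypothetical stand-ins for a response body. Only the tail member
 * matters here. __attribute__((packed)) is a GCC/Clang extension.
 */
struct rsp_one_elem {
	uint16_t structure_size;
	uint16_t output_buffer_offset;
	uint32_t output_buffer_length;
	uint8_t buffer[1];	/* old style: 1-element array */
} __attribute__((packed));

struct rsp_flex {
	uint16_t structure_size;
	uint16_t output_buffer_offset;
	uint32_t output_buffer_length;
	uint8_t buffer[];	/* new style: flexible array member */
} __attribute__((packed));

/* A flexible array member contributes nothing to sizeof(). */
static_assert(sizeof(struct rsp_flex) + 1 == sizeof(struct rsp_one_elem),
	      "flex-array struct is one byte shorter");

/* Length that used to be sent when the array had one element. */
size_t len_one_elem(void)
{
	return sizeof(struct rsp_one_elem);
}

/* Length sent after the flex-array conversion if sizeof() is kept. */
size_t len_flex_sizeof(void)
{
	return sizeof(struct rsp_flex);
}

/* Length that explicitly includes the single trailing byte. */
size_t len_flex_offsetof(void)
{
	return offsetof(struct rsp_flex, buffer) + 1;
}
```

In this reduced layout the three helpers return 9, 8 and 9 bytes respectively, which mirrors why the patch replaces sizeof() with offsetof(..., Buffer) + 1.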

10 months, 3 weeks


[PATCH] spi: rockchip: Resolve unbalanced runtime PM / system PM handling

by Brian Norris

Commit e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure. Fixes: e882575efc77 ("spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops") Cc: <stable(a)vger.kernel.org> Reported-by: "Ondřej Jirman" <megi(a)xff.cz> Closes: https://lore.kernel.org/lkml/20220621154218.sau54jeij4bunf56@core/ Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- drivers/spi/spi-rockchip.c | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c index e1ecd96c7858..f30af4316b8b 100644 --- a/drivers/spi/spi-rockchip.c +++ b/drivers/spi/spi-rockchip.c @@ -951,8 +951,11 @@ static int rockchip_spi_suspend(struct device *dev) if (ret < 0) return ret; - clk_disable_unprepare(rs->spiclk); - clk_disable_unprepare(rs->apb_pclk); + ret = pm_runtime_force_suspend(dev); + if (ret < 0) { + spi_controller_resume(ctlr); + return ret; + } pinctrl_pm_select_sleep_state(dev); @@ -967,21 +970,11 @@ static int rockchip_spi_resume(struct device *dev) pinctrl_pm_select_default_state(dev); - ret = clk_prepare_enable(rs->apb_pclk); + ret = pm_runtime_force_resume(dev); if (ret < 0) return ret; - ret = clk_prepare_enable(rs->spiclk); - if (ret < 0) - clk_disable_unprepare(rs->apb_pclk); - - ret = spi_controller_resume(ctlr); - if (ret < 0) { - clk_disable_unprepare(rs->spiclk); - 
clk_disable_unprepare(rs->apb_pclk); - } - - return 0; + return spi_controller_resume(ctlr); } #endif /* CONFIG_PM_SLEEP */ -- 2.46.0.295.g3b9ea8a38a-goog

10 months, 3 weeks


[PATCH] drm/vmwgfx: Cleanup kms setup without 3d

by Zack Rusin

Do not validate format equality for the non 3d cases to allow xrgb to argb copies and make sure the dx binding flags are only used on dx compatible surfaces. Fixes basic 2d kms setup on configurations without 3d. There's little practical benefit to it because kms framebuffer coherence is disabled on configurations without 3d but with those changes the code actually makes sense. Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v6.9+ Cc: Maaz Mombasawala <maaz.mombasawala(a)broadcom.com> Cc: Martin Krastev <martin.krastev(a)broadcom.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 9 --------- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 9 ++++++--- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 288ed0bb75cb..b5fc5a9e123a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1339,15 +1339,6 @@ static int vmw_kms_new_framebuffer_surface(struct vmw_private *dev_priv, return -EINVAL; } - /* - * For DX, surface format validation is done when surface->scanout - * is set. 
- */ - if (!has_sm4_context(dev_priv) && format != surface->metadata.format) { - DRM_ERROR("Invalid surface format for requested mode.\n"); - return -EINVAL; - } - vfbs = kzalloc(sizeof(*vfbs), GFP_KERNEL); if (!vfbs) { ret = -ENOMEM; diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index 1625b30d9970..5721c74da3e0 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c @@ -2276,9 +2276,12 @@ int vmw_dumb_create(struct drm_file *file_priv, const struct SVGA3dSurfaceDesc *desc = vmw_surface_get_desc(format); SVGA3dSurfaceAllFlags flags = SVGA3D_SURFACE_HINT_TEXTURE | SVGA3D_SURFACE_HINT_RENDERTARGET | - SVGA3D_SURFACE_SCREENTARGET | - SVGA3D_SURFACE_BIND_SHADER_RESOURCE | - SVGA3D_SURFACE_BIND_RENDER_TARGET; + SVGA3D_SURFACE_SCREENTARGET; + + if (vmw_surface_is_dx_screen_target_format(format)) { + flags |= SVGA3D_SURFACE_BIND_SHADER_RESOURCE | + SVGA3D_SURFACE_BIND_RENDER_TARGET; + } /* * Without mob support we're just going to use raw memory buffer -- 2.43.0

10 months, 3 weeks


[PATCH] cpuidle: haltpoll: Fix guest_halt_poll_ns failed to take effect

by Yanhao Dong

From: ysay <ysaydong(a)gmail.com>

When guest_halt_poll_allow_shrink=N, setting guest_halt_poll_ns from a
large value to 0 does not reset the CPU polling time, even though
guest_halt_poll_ns is intended as a mandatory maximum time limit.

The problem is in adjust_poll_limit() in
drivers/cpuidle/governors/haltpoll.c:79. With
guest_halt_poll_allow_shrink set to N, resetting guest_halt_poll_ns to
zero does not reach any code path that adjusts dev->poll_limit_ns.

Fix this by moving the check against guest_halt_poll_ns and the
assignment to dev->poll_limit_ns out of the conditional blocks. This
ensures that every modification of guest_halt_poll_ns takes effect on
the CPU polling time.

Signed-off-by: ysay <ysaydong(a)gmail.com>
Fixes: 2cffe9f6b96f ("cpuidle: add haltpoll governor")
---
 drivers/cpuidle/governors/haltpoll.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/cpuidle/governors/haltpoll.c b/drivers/cpuidle/governors/haltpoll.c
index 663b7f164..99c6260d7 100644
--- a/drivers/cpuidle/governors/haltpoll.c
+++ b/drivers/cpuidle/governors/haltpoll.c
@@ -78,26 +78,22 @@ static int haltpoll_select(struct cpuidle_driver *drv,
 
 static void adjust_poll_limit(struct cpuidle_device *dev, u64 block_ns)
 {
-	unsigned int val;
+	unsigned int val = dev->poll_limit_ns;
 
 	/* Grow cpu_halt_poll_us if
 	 * cpu_halt_poll_us < block_ns < guest_halt_poll_us
 	 */
 	if (block_ns > dev->poll_limit_ns && block_ns <= guest_halt_poll_ns) {
-		val = dev->poll_limit_ns * guest_halt_poll_grow;
+		val *= guest_halt_poll_grow;
 
 		if (val < guest_halt_poll_grow_start)
 			val = guest_halt_poll_grow_start;
-		if (val > guest_halt_poll_ns)
-			val = guest_halt_poll_ns;
 
 		trace_guest_halt_poll_ns_grow(val, dev->poll_limit_ns);
-		dev->poll_limit_ns = val;
 	} else if (block_ns > guest_halt_poll_ns &&
 		   guest_halt_poll_allow_shrink) {
 		unsigned int shrink = guest_halt_poll_shrink;
 
-		val = dev->poll_limit_ns;
 		if (shrink == 0) {
 			val = 0;
 		} else {
@@ -108,8 +104,12 @@ static void adjust_poll_limit(struct cpuidle_device *dev, u64 block_ns)
 		}
 
 		trace_guest_halt_poll_ns_shrink(val, dev->poll_limit_ns);
-		dev->poll_limit_ns = val;
 	}
+
+	if (val > guest_halt_poll_ns)
+		val = guest_halt_poll_ns;
+
+	dev->poll_limit_ns = val;
 }
 
 /**
-- 
2.43.5
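The effect of moving the clamp can be checked with a small userspace model. This is only a sketch under stated assumptions: adjust_limit() and the GROW, GROW_START and SHRINK constants are hypothetical stand-ins for the governor's function and module parameters, the values are illustrative, and the shrink branch is simplified to a plain division because the diff does not show that part of the function.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/* Illustrative stand-ins for the governor's tunables (assumed values). */
enum { GROW = 2, GROW_START = 50000, SHRINK = 2 };

/*
 * Userspace model of the patched logic: returns the new poll limit.
 * cur          - current per-CPU limit (dev->poll_limit_ns in the patch)
 * block_ns     - how long the vCPU was blocked
 * max_ns       - plays the role of guest_halt_poll_ns
 * allow_shrink - plays the role of guest_halt_poll_allow_shrink
 */
unsigned int adjust_limit(unsigned int cur, uint64_t block_ns,
			  unsigned int max_ns, bool allow_shrink)
{
	unsigned int val = cur;

	if (block_ns > cur && block_ns <= max_ns) {
		val *= GROW;
		if (val < GROW_START)
			val = GROW_START;
	} else if (block_ns > max_ns && allow_shrink) {
		/* Simplified: the real else-branch is not visible in the diff. */
		val = SHRINK ? val / SHRINK : 0;
	}

	/* Clamp on every call, so lowering max_ns always takes effect. */
	if (val > max_ns)
		val = max_ns;

	return val;
}
```

With max_ns lowered to 0 and shrinking disabled, neither branch runs, yet the final clamp still brings a limit of 200000 down to 0. That is the case the commit message describes.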

10 months, 3 weeks


[PATCH 2/2] mmc : fix for check cqe halt.

by Seunghwan Baek

To check whether the mmc CQE is in the halt state, the CQHCI_HALT bit
must be tested. That test needs the bitwise &, not the logical &&.
Replace the open-coded checks with cqhci_halted(), which already
implements this test.

Fixes: 0653300224a6 ("mmc: cqhci: rename cqhci.c to cqhci-core.c")
Cc: stable(a)vger.kernel.org
Signed-off-by: Seunghwan Baek <sh8267.baek(a)samsung.com>
---
 drivers/mmc/host/cqhci-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mmc/host/cqhci-core.c b/drivers/mmc/host/cqhci-core.c
index c14d7251d0bb..3d5bcb92c78e 100644
--- a/drivers/mmc/host/cqhci-core.c
+++ b/drivers/mmc/host/cqhci-core.c
@@ -282,7 +282,7 @@ static void __cqhci_enable(struct cqhci_host *cq_host)
 
 	cqhci_writel(cq_host, cqcfg, CQHCI_CFG);
 
-	if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT)
+	if (cqhci_halted(cq_host))
 		cqhci_writel(cq_host, 0, CQHCI_CTL);
 
 	mmc->cqe_on = true;
@@ -617,7 +617,7 @@ static int cqhci_request(struct mmc_host *mmc, struct mmc_request *mrq)
 		cqhci_writel(cq_host, 0, CQHCI_CTL);
 		mmc->cqe_on = true;
 		pr_debug("%s: cqhci: CQE on\n", mmc_hostname(mmc));
-		if (cqhci_readl(cq_host, CQHCI_CTL) && CQHCI_HALT) {
+		if (cqhci_halted(cq_host)) {
 			pr_err("%s: cqhci: CQE failed to exit halt state\n",
 			       mmc_hostname(mmc));
 		}
-- 
2.17.1
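The difference between the two operators is easy to reproduce outside the kernel. In this minimal sketch, HALT_BIT and both helper names are hypothetical and the bit position is an assumption, not taken from the driver. The logical form reports "halted" whenever any bit of the register value is set.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

#define HALT_BIT 0x1u	/* hypothetical bit position for the halt flag */

/* Correct test: true only when the halt bit itself is set. */
bool halted_bitwise(uint32_t ctl)
{
	return (ctl & HALT_BIT) != 0;
}

/*
 * Buggy test: "ctl && HALT_BIT" is true whenever ctl is nonzero,
 * because HALT_BIT is a nonzero constant.
 */
bool halted_logical(uint32_t ctl)
{
	return ctl && HALT_BIT;
}
```

A register value such as 0x100, with some other bit set and the halt bit clear, makes halted_logical() return true while halted_bitwise() returns false. That is the kind of false "failed to exit halt state" report the second hunk removes.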

10 months, 3 weeks


[PATCH] binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined

by Max Filippov

create_elf_fdpic_tables() does not correctly account for the space
needed by the AUX vector when an architecture has ELF_HWCAP2 defined.
Prior to commit 10e29251be0e ("binfmt_elf_fdpic: fix /proc/<pid>/auxv")
this resulted in the last entry of the AUX vector being set to zero,
but with that change it results in a kernel BUG.

Fix that by adding one to the number of AUXV entries (nitems) when
ELF_HWCAP2 is defined.

Fixes: 10e29251be0e ("binfmt_elf_fdpic: fix /proc/<pid>/auxv")
Cc: stable(a)vger.kernel.org
Reported-by: Greg Ungerer <gregungerer(a)westnet.com.au>
Closes: https://lore.kernel.org/lkml/5b51975f-6d0b-413c-8b38-39a6a45e8821@westnet.c…
Signed-off-by: Max Filippov <jcmvbkbc(a)gmail.com>
---
 fs/binfmt_elf_fdpic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index c11289e1301b..a5cb45cb30c8 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -594,6 +594,9 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm,
 
 	if (bprm->have_execfd)
 		nitems++;
+#ifdef ELF_HWCAP2
+	nitems++;
+#endif
 
 	csp = sp;
 	sp -= nitems * 2 * sizeof(unsigned long);
-- 
2.39.2
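The space accounting can be modelled in a few lines. This is a rough sketch, not the kernel function: auxv_reserved_bytes() and its base_items parameter are hypothetical, and the two booleans stand in for bprm->have_execfd and for ELF_HWCAP2 being defined at build time. Each AUXV entry is a pair of unsigned long values, which is where the factor of 2 in the patch context comes from.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/*
 * Bytes to reserve on the stack for the AUX vector.
 * base_items  - entries that are always written (hypothetical input)
 * have_execfd - stands in for bprm->have_execfd
 * have_hwcap2 - stands in for "#ifdef ELF_HWCAP2"
 */
size_t auxv_reserved_bytes(size_t base_items, bool have_execfd,
			   bool have_hwcap2)
{
	size_t nitems = base_items;

	if (have_execfd)
		nitems++;
	if (have_hwcap2)
		nitems++;	/* the entry the patch starts counting */

	/* Each entry is an (id, value) pair of unsigned long. */
	return nitems * 2 * sizeof(unsigned long);
}
```

If the writer emits the extra entry but the reservation does not count it, the vector overruns its slot by exactly one pair, i.e. 2 * sizeof(unsigned long) bytes.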

10 months, 3 weeks


[tip: x86/urgent] x86/tdx: Fix data leak in mmio_read()

by tip-bot2 for Kirill A. Shutemov

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: b6fb565a2d15277896583d471b21bc14a0c99661 Gitweb: https://git.kernel.org/tip/b6fb565a2d15277896583d471b21bc14a0c99661 Author: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> AuthorDate: Mon, 26 Aug 2024 15:53:04 +03:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Mon, 26 Aug 2024 12:45:19 -07:00 x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ] Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO") Reported-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240826125304.1566719-1-kirill.shutemov%40linu… --- arch/x86/coco/tdx/tdx.c | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 078e2ba..da8b66d 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -389,7 +389,6 @@ static bool mmio_read(int size, unsigned long addr, unsigned long *val) .r12 = size, .r13 = EPT_READ, .r14 = addr, - .r15 = *val, }; if (__tdx_hypercall(&args))

10 months, 3 weeks


[PATCH] x86/tdx: Fix data leak in mmio_read()

by Kirill A. Shutemov

The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an
address from the VMM.

Sean noticed that mmio_read() unintentionally exposes the value of an
initialized variable on the stack to the VMM.

Do not send the original value of *val to the VMM.

Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com>
Reported-by: Sean Christopherson <seanjc(a)google.com>
Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO")
Cc: stable(a)vger.kernel.org # v5.19+
---
 arch/x86/coco/tdx/tdx.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c
index 078e2bac2553..da8b66dce0da 100644
--- a/arch/x86/coco/tdx/tdx.c
+++ b/arch/x86/coco/tdx/tdx.c
@@ -389,7 +389,6 @@ static bool mmio_read(int size, unsigned long addr, unsigned long *val)
 		.r12 = size,
 		.r13 = EPT_READ,
 		.r14 = addr,
-		.r15 = *val,
 	};
 
 	if (__tdx_hypercall(&args))
-- 
2.43.0
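Why dropping one initializer line is enough can be shown with plain C. In the sketch below, struct hcall_args and both helpers are hypothetical stand-ins for the hypercall argument block. It relies only on the language rule that members omitted from a designated initializer are zero-initialized.

```c
#include <assert.h>
#include <stdint.h>

/* Hypothetical stand-in for the hypercall argument block. */
struct hcall_args {
	uint64_t r12;
	uint64_t r13;
	uint64_t r14;
	uint64_t r15;
};

/*
 * Before: the caller's current value is copied into r15 and would be
 * handed to the other side along with the request.
 */
uint64_t r15_sent_before(uint64_t size, uint64_t addr, uint64_t caller_val)
{
	struct hcall_args args = {
		.r12 = size,
		.r14 = addr,
		.r15 = caller_val,
	};

	return args.r15;
}

/*
 * After: r15 is not named, so the designated initializer leaves it
 * zero and nothing from the caller is exposed.
 */
uint64_t r15_sent_after(uint64_t size, uint64_t addr)
{
	struct hcall_args args = {
		.r12 = size,
		.r14 = addr,
	};

	return args.r15;
}
```

The caller's value only travels when it is explicitly assigned. Once the assignment is removed, the field is zero regardless of what the output variable held.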

10 months, 3 weeks


[PATCH] codetag: debug: mark codetags for pages which transitioned from being poison to unpoison as empty

by Hao Ge

From: Hao Ge <gehao(a)kylinos.cn> The PG_hwpoison page will be caught and isolated on the entrance to the free buddy page pool. so,when we clear this flag and return it to the buddy system,mark codetags for pages as empty. It was detected by [1] and the following WARN occurred: [ 113.930443][ T3282] ------------[ cut here ]------------ [ 113.931105][ T3282] alloc_tag was not set [ 113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164 [ 113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4 [ 113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G W 6.11.0-rc4-dirty #18 [ 113.943003][ T3282] Tainted: [W]=WARN [ 113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 [ 113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164 [ 113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164 [ 113.946706][ T3282] sp : ffff800087093a10 [ 113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0 [ 113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000 [ 113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000 [ 113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff [ 113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210 [ 113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339 [ 113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0 [ 113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff [ 113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001 [ 113.956994][ 
T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000 [ 113.957962][ T3282] Call trace: [ 113.958350][ T3282] pgalloc_tag_sub.part.66+0x154/0x164 [ 113.959000][ T3282] pgalloc_tag_sub+0x14/0x1c [ 113.959539][ T3282] free_unref_page+0xf4/0x4b8 [ 113.960096][ T3282] __folio_put+0xd4/0x120 [ 113.960614][ T3282] folio_put+0x24/0x50 [ 113.961103][ T3282] unpoison_memory+0x4f0/0x5b0 [ 113.961678][ T3282] hwpoison_unpoison+0x30/0x48 [hwpoison_inject] [ 113.962436][ T3282] simple_attr_write_xsigned.isra.34+0xec/0x1cc [ 113.963183][ T3282] simple_attr_write+0x38/0x48 [ 113.963750][ T3282] debugfs_attr_write+0x54/0x80 [ 113.964330][ T3282] full_proxy_write+0x68/0x98 [ 113.964880][ T3282] vfs_write+0xdc/0x4d0 [ 113.965372][ T3282] ksys_write+0x78/0x100 [ 113.965875][ T3282] __arm64_sys_write+0x24/0x30 [ 113.966440][ T3282] invoke_syscall+0x7c/0x104 [ 113.966984][ T3282] el0_svc_common.constprop.1+0x88/0x104 [ 113.967652][ T3282] do_el0_svc+0x2c/0x38 [ 113.968893][ T3282] el0_svc+0x3c/0x1b8 [ 113.969379][ T3282] el0t_64_sync_handler+0x98/0xbc [ 113.969980][ T3282] el0t_64_sync+0x19c/0x1a0 [ 113.970511][ T3282] ---[ end trace 0000000000000000 ]--- Link [1]: https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/sysc… Fixes: a8fc28dad6d5 ("alloc_tag: introduce clear_page_tag_ref() helper function") Cc: stable(a)vger.kernel.org # v6.10 Signed-off-by: Hao Ge <gehao(a)kylinos.cn> --- mm/memory-failure.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 7066fc84f351..570388c41532 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2623,6 +2623,12 @@ int unpoison_memory(unsigned long pfn) folio_put(folio); if (TestClearPageHWPoison(p)) { + /* the PG_hwpoison page will be caught and isolated + * on the entrance to the free buddy page pool. 
+ * so,when we clear this flag and return it to the buddy system, + * clear it's codetag + */ + clear_page_tag_ref(p); folio_put(folio); ret = 0; } -- 2.25.1

10 months, 3 weeks


[PATCH] Fixes: 496d0a648509 ("cpuidle: Fix guest_halt_poll_ns failed to take effect when setting guest_halt_poll_allow_shrink=N")

by Yanhao Dong

From: ysay <ysaydong(a)gmail.com> When guest_halt_poll_allow_shrink=N,setting guest_halt_poll_ns from a large value to 0 does not reset the CPU polling time, despite guest_halt_poll_ns being intended as a mandatory maximum time limit. The problem was situated in the adjust_poll_limit() within drivers/cpuidle/governors/haltpoll.c:79. Specifically, when guest_halt_poll_allow_shrink was set to N, resetting guest_halt_poll_ns to zero did not lead to executing any section of code that adjusts dev->poll_limit_ns. The issue has been resolved by relocating the check and assignment for dev->poll_limit_ns outside of the conditional block. This ensures that every modification to guest_halt_poll_ns properly influences the CPU polling time. Signed-off-by: ysay <ysaydong(a)gmail.com> --- drivers/cpuidle/governors/haltpoll.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/cpuidle/governors/haltpoll.c b/drivers/cpuidle/governors/haltpoll.c index 663b7f164..99c6260d7 100644 --- a/drivers/cpuidle/governors/haltpoll.c +++ b/drivers/cpuidle/governors/haltpoll.c @@ -78,26 +78,22 @@ static int haltpoll_select(struct cpuidle_driver *drv, static void adjust_poll_limit(struct cpuidle_device *dev, u64 block_ns) { - unsigned int val; + unsigned int val = dev->poll_limit_ns; /* Grow cpu_halt_poll_us if * cpu_halt_poll_us < block_ns < guest_halt_poll_us */ if (block_ns > dev->poll_limit_ns && block_ns <= guest_halt_poll_ns) { - val = dev->poll_limit_ns * guest_halt_poll_grow; + val *= guest_halt_poll_grow; if (val < guest_halt_poll_grow_start) val = guest_halt_poll_grow_start; - if (val > guest_halt_poll_ns) - val = guest_halt_poll_ns; trace_guest_halt_poll_ns_grow(val, dev->poll_limit_ns); - dev->poll_limit_ns = val; } else if (block_ns > guest_halt_poll_ns && guest_halt_poll_allow_shrink) { unsigned int shrink = guest_halt_poll_shrink; - val = dev->poll_limit_ns; if (shrink == 0) { val = 0; } else { @@ -108,8 +104,12 @@ static void 
adjust_poll_limit(struct cpuidle_device *dev, u64 block_ns) } trace_guest_halt_poll_ns_shrink(val, dev->poll_limit_ns); - dev->poll_limit_ns = val; } + + if (val > guest_halt_poll_ns) + val = guest_halt_poll_ns; + + dev->poll_limit_ns = val; } /** -- 2.43.5

10 months, 3 weeks


[tip: x86/urgent] x86/tdx: Fix data leak in mmio_read()

by tip-bot2 for Kirill A. Shutemov

The following commit has been merged into the x86/urgent branch of tip: Commit-ID: eb786ee1390b8fbba633c01a971709c6906fd8bf Gitweb: https://git.kernel.org/tip/eb786ee1390b8fbba633c01a971709c6906fd8bf Author: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> AuthorDate: Mon, 26 Aug 2024 15:53:04 +03:00 Committer: Dave Hansen <dave.hansen(a)linux.intel.com> CommitterDate: Mon, 26 Aug 2024 07:04:09 -07:00 x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable on the stack to the VMM. Do not send the original value of *val to the VMM. Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO") Reported-by: Sean Christopherson <seanjc(a)google.com> Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Signed-off-by: Dave Hansen <dave.hansen(a)linux.intel.com> Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/20240826125304.1566719-1-kirill.shutemov%40linu… --- arch/x86/coco/tdx/tdx.c | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 078e2ba..da8b66d 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -389,7 +389,6 @@ static bool mmio_read(int size, unsigned long addr, unsigned long *val) .r12 = size, .r13 = EPT_READ, .r14 = addr, - .r15 = *val, }; if (__tdx_hypercall(&args))

10 months, 3 weeks


[proposal] binfmt_misc: pass binfmt_misc flags to the interpreter

by Thorsten Glaser

commit 2347961b11d4079deace3c81dceed460c08a8fc1 I would like to propose this commit from 5.12 for stable, or rather, ask whether it’s a candidate and leave the exact picking/backporting to the experts (if it has other commits as prerequisites and/or later fixups). This is because qemu-user needs it, and it arrived just too late for the current Debian LTS kernel (5.10), and qemu-user in Debian until yesterday had a workaround, but now doesn’t because it’s in the stable kernel (6.1), so qemu-user-static cannot be just used as-is on Debian LTS any more. I’d like it to be applied to 5.10 (obviously), but perhaps others would appreciate more broad coverage. Thanks in advance, //mirabilos -- „Cool, /usr/share/doc/mksh/examples/uhr.gz ist ja ein Grund, mksh auf jedem System zu installieren.“ -- XTaran auf der OpenRheinRuhr, ganz begeistert (EN: “[…]uhr.gz is a reason to install mksh on every system.”)

10 months, 3 weeks


[PATCH] btrfs: fix the race between umount and btrfs-cleaner

by Julian Sun

There is a race condition between generic_shutdown_super() and __btrfs_run_defrag_inode(). Consider the following scenario:

umount thread:                     btrfs-cleaner thread:
                                   btrfs_run_delayed_iputs()
                                     ->run_delayed_iput_locked()
                                       ->iput(inode)
                                         // Here the inode (ie ino 261) will
                                         // be cleared and freed
btrfs_kill_super()
  ->generic_shutdown_super()
                                   btrfs_run_defrag_inodes()
                                     ->__btrfs_run_defrag_inode()
                                       ->btrfs_iget(ino)
                                         // The inode 261 was recreated with
                                         // i_count=1 and added to the sb list
    ->evict_inodes(sb)             // After some work
      // inode 261 was added       ->iput(inode)
      // to the dispose list         ->iput_final()
      ->evict(inode)                   ->evict(inode)

Now, we have two threads simultaneously evicting the same inode, which led to a bug.

The above behavior can be confirmed by the log I added for debugging and the log printed when BUG was triggered. Due to space limitations, I cannot paste the full diff, so here is a brief description.

First, within __btrfs_run_defrag_inode(), set inode->i_state |= (1<<19) just before calling iput(). Within dispose_list(), check the flag; if it is set, then
pr_info("bug! double evict! crash will happen! state is 0x%lx\n", inode->i_state);

Here is the printed log when the BUG was triggered:

[ 190.686726][ T2336] bug! double evict! crash will happen! state is 0x80020
[ 190.687647][ T2336] ------------[ cut here ]------------
[ 190.688294][ T2336] kernel BUG at fs/inode.c:626!
[ 190.688939][ T2336] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 190.689792][ T2336] CPU: 1 PID: 2336 Comm: a.out Not tainted 6.10.0-rc2-00223-g0c529ab65ef8-dirty #109
[ 190.690894][ T2336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 190.692111][ T2336] RIP: 0010:clear_inode+0x15b/0x190
// some logs...
[ 190.704501][ T2336] btrfs_evict_inode+0x529/0xe80
[ 190.706966][ T2336] evict+0x2ed/0x6c0
[ 190.707209][ T2336] dispose_list+0x62/0x260
[ 190.707490][ T2336] evict_inodes+0x34e/0x450

To prevent this behavior, we need to set BTRFS_FS_CLOSING_START before kill_anon_super() to ensure that btrfs_run_defrag_inodes() doesn't continue working after unmount.

Reported-and-tested-by: syzbot+67ba3c42bcbb4665d3ad(a)syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad
CC: stable(a)vger.kernel.org
Fixes: c146afad2c7f ("Btrfs: mount ro and remount support")
Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com>
---
 fs/btrfs/super.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index f05cce7c8b8d..f7e87fe583ab 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -2093,6 +2093,7 @@ static int btrfs_get_tree(struct fs_context *fc)
 static void btrfs_kill_super(struct super_block *sb)
 {
 	struct btrfs_fs_info *fs_info = btrfs_sb(sb);
+	set_bit(BTRFS_FS_CLOSING_START, &fs_info->flags);
 	kill_anon_super(sb);
 	btrfs_free_fs_info(fs_info);
 }
-- 
2.39.2
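The ordering the btrfs fix relies on can be sketched in userspace C. This is only an illustration under stated assumptions: struct fake_fs_info, fake_kill_super() and fake_run_defrag() are hypothetical stand-ins, not btrfs code, and the sketch assumes the cleaner checks the closing flag before taking a new inode reference. It does not make the check and the grab atomic; it only shows that publishing the flag before teardown lets the worker bail out.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical stand-in for fs_info->flags and BTRFS_FS_CLOSING_START. */
struct fake_fs_info {
	atomic_bool closing;
	int inodes_grabbed;
};

/* Models btrfs_kill_super(): publish the closing state before teardown. */
static void fake_kill_super(struct fake_fs_info *fs)
{
	atomic_store(&fs->closing, true);
	/* teardown (the evict_inodes() step in the report) would follow here */
}

/* Models one cleaner pass: refuse to take new inodes once closing is set. */
static bool fake_run_defrag(struct fake_fs_info *fs)
{
	if (atomic_load(&fs->closing))
		return false;
	fs->inodes_grabbed++;
	return true;
}
```

With the flag set first, a cleaner pass that starts after fake_kill_super() returns false instead of re-creating an inode that teardown is about to evict.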

10 months, 3 weeks


FAILED: patch "[PATCH] thermal: of: Fix OF node leak in of_thermal_zone_find() error" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082600-trodden-majesty-7be0@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: c0a1ef9c5be7 ("thermal: of: Fix OF node leak in of_thermal_zone_find() error paths") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 21:58:23 +0200 Subject: [PATCH] thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Terminating for_each_available_child_of_node() loop requires dropping OF node reference, so bailing out on errors misses this. Solve the OF node reference leak with scoped for_each_available_child_of_node_scoped(). Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Link: https://patch.msgid.link/20240814195823.437597-3-krzysztof.kozlowski@linaro… Signed-off-by: Rafael J. 
Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index b08a9b64718d..1f252692815a 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -184,14 +184,14 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int * Search for each thermal zone, a defined sensor * corresponding to the one passed as parameter */ - for_each_available_child_of_node(np, tz) { + for_each_available_child_of_node_scoped(np, child) { int count, i; - count = of_count_phandle_with_args(tz, "thermal-sensors", + count = of_count_phandle_with_args(child, "thermal-sensors", "#thermal-sensor-cells"); if (count <= 0) { - pr_err("%pOFn: missing thermal sensor\n", tz); + pr_err("%pOFn: missing thermal sensor\n", child); tz = ERR_PTR(-EINVAL); goto out; } @@ -200,18 +200,19 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int int ret; - ret = of_parse_phandle_with_args(tz, "thermal-sensors", + ret = of_parse_phandle_with_args(child, "thermal-sensors", "#thermal-sensor-cells", i, &sensor_specs); if (ret < 0) { - pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", tz, ret); + pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", child, ret); tz = ERR_PTR(ret); goto out; } if ((sensor == sensor_specs.np) && id == (sensor_specs.args_count ? sensor_specs.args[0] : 0)) { - pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, tz); + pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, child); + tz = no_free_ptr(child); goto out; } }
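The scoped-iterator fix above builds on the compiler's cleanup attribute. A minimal userspace sketch of the idea follows, assuming GCC or Clang; struct node, node_get(), node_put(), SCOPED_NODE, visit() and take() are hypothetical names for illustration and are not the kernel's OF API. It shows that an early return still drops the reference, and that ownership can be handed out by disarming the cleanup, in the spirit of no_free_ptr().

```c
#include <stddef.h>

/* Hypothetical refcounted node standing in for struct device_node. */
struct node {
	int refcount;
};

static struct node *node_get(struct node *n)
{
	if (n)
		n->refcount++;
	return n;
}

static void node_put(struct node *n)
{
	if (n)
		n->refcount--;
}

/* Cleanup handler: the compiler passes a pointer to the scoped variable. */
static void node_put_cleanup(struct node **np)
{
	node_put(*np);
}

#define SCOPED_NODE __attribute__((cleanup(node_put_cleanup)))

/* Takes a reference, then bails out early when fail is non-zero. */
static int visit(struct node *n, int fail)
{
	struct node *held SCOPED_NODE = node_get(n);

	if (fail)
		return -1;	/* the reference is still dropped on this path */
	return 0;
}

/* Hands the reference to the caller by disarming the cleanup. */
static struct node *take(struct node *n)
{
	struct node *held SCOPED_NODE = node_get(n);
	struct node *ret = held;

	held = NULL;	/* node_put(NULL) is a no-op, so the caller keeps the ref */
	return ret;
}
```

The design point is that the release is tied to the variable's scope, so error paths such as the "goto out" branches in the patch cannot forget it.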

10 months, 3 weeks


FAILED: patch "[PATCH] thermal: of: Fix OF node leak in of_thermal_zone_find() error" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082659-veto-ladies-d1b3@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: c0a1ef9c5be7 ("thermal: of: Fix OF node leak in of_thermal_zone_find() error paths") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 21:58:23 +0200 Subject: [PATCH] thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Terminating for_each_available_child_of_node() loop requires dropping OF node reference, so bailing out on errors misses this. Solve the OF node reference leak with scoped for_each_available_child_of_node_scoped(). Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Link: https://patch.msgid.link/20240814195823.437597-3-krzysztof.kozlowski@linaro… Signed-off-by: Rafael J. 
Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index b08a9b64718d..1f252692815a 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -184,14 +184,14 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int * Search for each thermal zone, a defined sensor * corresponding to the one passed as parameter */ - for_each_available_child_of_node(np, tz) { + for_each_available_child_of_node_scoped(np, child) { int count, i; - count = of_count_phandle_with_args(tz, "thermal-sensors", + count = of_count_phandle_with_args(child, "thermal-sensors", "#thermal-sensor-cells"); if (count <= 0) { - pr_err("%pOFn: missing thermal sensor\n", tz); + pr_err("%pOFn: missing thermal sensor\n", child); tz = ERR_PTR(-EINVAL); goto out; } @@ -200,18 +200,19 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int int ret; - ret = of_parse_phandle_with_args(tz, "thermal-sensors", + ret = of_parse_phandle_with_args(child, "thermal-sensors", "#thermal-sensor-cells", i, &sensor_specs); if (ret < 0) { - pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", tz, ret); + pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", child, ret); tz = ERR_PTR(ret); goto out; } if ((sensor == sensor_specs.np) && id == (sensor_specs.args_count ? sensor_specs.args[0] : 0)) { - pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, tz); + pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, child); + tz = no_free_ptr(child); goto out; } }

10 months, 3 weeks


[PATCH v2] firmware_loader: Block path traversal

by Jann Horn

Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such.

However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are:

 - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd()
 - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.)
 - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.)

Fix it by rejecting any firmware names containing ".." path components.

For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.

Cc: stable(a)vger.kernel.org
Fixes: abb139e75c2c ("firmware: teach the kernel to load firmware files directly from the filesystem")
Signed-off-by: Jann Horn <jannh(a)google.com>
---
Changes in v2:
- describe fix in commit message (dakr)
- write check more clearly and with comment in separate helper (dakr)
- document new restriction in comment above request_firmware() (dakr)
- warn when new restriction is triggered
- Link to v1: https://lore.kernel.org/r/20240820-firmware-traversal-v1-1-8699ffaa9276@goo…
---
 drivers/base/firmware_loader/main.c | 41 +++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index a03ee4b11134..dd47ce9a761f 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -849,6 +849,37 @@ static void fw_log_firmware_info(const struct firmware *fw, const char *name,
 {}
 #endif
 
+/*
+ * Reject firmware file names with ".." path components.
+ * There are drivers that construct firmware file names from device-supplied
+ * strings, and we don't want some device to be able to tell us "I would like to
+ * be sent my firmware from ../../../etc/shadow, please".
+ *
+ * Search for ".." surrounded by either '/' or start/end of string.
+ *
+ * This intentionally only looks at the firmware name, not at the firmware base
+ * directory or at symlink contents.
+ */
+static bool name_contains_dotdot(const char *name)
+{
+	size_t name_len = strlen(name);
+	size_t i;
+
+	if (name_len < 2)
+		return false;
+	for (i = 0; i < name_len - 1; i++) {
+		/* do we see a ".." sequence? */
+		if (name[i] != '.' || name[i+1] != '.')
+			continue;
+
+		/* is it a path component? */
+		if ((i == 0 || name[i-1] == '/') &&
+		    (i == name_len - 2 || name[i+2] == '/'))
+			return true;
+	}
+	return false;
+}
+
 /* called from request_firmware() and request_firmware_work_func() */
 static int
 _request_firmware(const struct firmware **firmware_p, const char *name,
@@ -869,6 +900,14 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
 		goto out;
 	}
 
+	if (name_contains_dotdot(name)) {
+		dev_warn(device,
+			 "Firmware load for '%s' refused, path contains '..' component",
+			 name);
+		ret = -EINVAL;
+		goto out;
+	}
+
 	ret = _request_firmware_prepare(&fw, name, device, buf, size,
 					offset, opt_flags);
 	if (ret <= 0) /* error or already assigned */
@@ -946,6 +985,8 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
  * @name will be used as $FIRMWARE in the uevent environment and
  * should be distinctive enough not to be confused with any other
  * firmware image for this or any other device.
+ * It must not contain any ".." path components - "foo/bar..bin" is
+ * allowed, but "foo/../bar.bin" is not.
  *
  * Caller must hold the reference count of @device.
  *
---
base-commit: b0da640826ba3b6506b4996a6b23a429235e6923
change-id: 20240820-firmware-traversal-6df8501b0fe4
-- 
Jann Horn <jannh(a)google.com>
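The helper added by this patch is plain C, so its edge cases can be checked outside the kernel. Below is a userspace copy with the same logic; only the includes are added, and the kernel's bool/size_t are taken from the standard headers instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Userspace copy of the helper from the patch; the logic is unchanged. */
static bool name_contains_dotdot(const char *name)
{
	size_t name_len = strlen(name);
	size_t i;

	if (name_len < 2)
		return false;
	for (i = 0; i < name_len - 1; i++) {
		/* do we see a ".." sequence? */
		if (name[i] != '.' || name[i+1] != '.')
			continue;

		/* is it a path component, i.e. bounded by '/' or string ends? */
		if ((i == 0 || name[i-1] == '/') &&
		    (i == name_len - 2 || name[i+2] == '/'))
			return true;
	}
	return false;
}
```

Calling it on "foo/../bar.bin", "..", "../etc/shadow" or "foo/.." returns true, while "foo/bar..bin", "..foo", "foo.." and "..." return false, which matches the rule documented above request_firmware(): only a whole ".." path component is rejected.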

10 months, 3 weeks


[PATCH v3 2/7] media: sun4i_csi: Implement link validate for sun4i_csi subdev

by Laurent Pinchart

The sun4i_csi driver doesn't implement link validation for the subdev it registers, leaving the link between the subdev and its source unvalidated. Fix it, using the v4l2_subdev_link_validate() helper. Fixes: 577bbf23b758 ("media: sunxi: Add A10 CSI driver") Cc: stable(a)vger.kernel.org Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Acked-by: Chen-Yu Tsai <wens(a)csie.org> Reviewed-by: Tomi Valkeinen <tomi.valkeinen+renesas(a)ideasonboard.com> --- drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c index 097a3a08ef7d..dbb26c7b2f8d 100644 --- a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c +++ b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c @@ -39,6 +39,10 @@ static const struct media_entity_operations sun4i_csi_video_entity_ops = { .link_validate = v4l2_subdev_link_validate, }; +static const struct media_entity_operations sun4i_csi_subdev_entity_ops = { + .link_validate = v4l2_subdev_link_validate, +}; + static int sun4i_csi_notify_bound(struct v4l2_async_notifier *notifier, struct v4l2_subdev *subdev, struct v4l2_async_connection *asd) @@ -214,6 +218,7 @@ static int sun4i_csi_probe(struct platform_device *pdev) subdev->internal_ops = &sun4i_csi_subdev_internal_ops; subdev->flags = V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS; subdev->entity.function = MEDIA_ENT_F_VID_IF_BRIDGE; + subdev->entity.ops = &sun4i_csi_subdev_entity_ops; subdev->owner = THIS_MODULE; snprintf(subdev->name, sizeof(subdev->name), "sun4i-csi-0"); v4l2_set_subdevdata(subdev, csi); -- Regards, Laurent Pinchart

10 months, 3 weeks


FAILED: patch "[PATCH] thermal: of: Fix OF node leak in thermal_of_trips_init()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x afc954fd223ded70b1fa000767e2531db55cce58 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082654-puppy-crying-cf89@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: afc954fd223d ("thermal: of: Fix OF node leak in thermal_of_trips_init() error path") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From afc954fd223ded70b1fa000767e2531db55cce58 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 21:58:21 +0200 Subject: [PATCH] thermal: of: Fix OF node leak in thermal_of_trips_init() error path Terminating for_each_child_of_node() loop requires dropping OF node reference, so bailing out after thermal_of_populate_trip() error misses this. Solve the OF node reference leak with scoped for_each_child_of_node_scoped(). Fixes: d0c75fa2c17f ("thermal/of: Initialize trip points separately") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Link: https://patch.msgid.link/20240814195823.437597-1-krzysztof.kozlowski@linaro… Signed-off-by: Rafael J. 
Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index aa34b6e82e26..30f8d6e70484 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -125,7 +125,7 @@ static int thermal_of_populate_trip(struct device_node *np, static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *ntrips) { struct thermal_trip *tt; - struct device_node *trips, *trip; + struct device_node *trips; int ret, count; trips = of_get_child_by_name(np, "trips"); @@ -150,7 +150,7 @@ static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *n *ntrips = count; count = 0; - for_each_child_of_node(trips, trip) { + for_each_child_of_node_scoped(trips, trip) { ret = thermal_of_populate_trip(trip, &tt[count++]); if (ret) goto out_kfree;

10 months, 3 weeks


FAILED: patch "[PATCH] thermal: of: Fix OF node leak in thermal_of_trips_init()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x afc954fd223ded70b1fa000767e2531db55cce58 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082655-virtuous-reggae-54f4@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: afc954fd223d ("thermal: of: Fix OF node leak in thermal_of_trips_init() error path") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From afc954fd223ded70b1fa000767e2531db55cce58 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 21:58:21 +0200 Subject: [PATCH] thermal: of: Fix OF node leak in thermal_of_trips_init() error path Terminating for_each_child_of_node() loop requires dropping OF node reference, so bailing out after thermal_of_populate_trip() error misses this. Solve the OF node reference leak with scoped for_each_child_of_node_scoped(). Fixes: d0c75fa2c17f ("thermal/of: Initialize trip points separately") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Link: https://patch.msgid.link/20240814195823.437597-1-krzysztof.kozlowski@linaro… Signed-off-by: Rafael J. 
Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index aa34b6e82e26..30f8d6e70484 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -125,7 +125,7 @@ static int thermal_of_populate_trip(struct device_node *np, static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *ntrips) { struct thermal_trip *tt; - struct device_node *trips, *trip; + struct device_node *trips; int ret, count; trips = of_get_child_by_name(np, "trips"); @@ -150,7 +150,7 @@ static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *n *ntrips = count; count = 0; - for_each_child_of_node(trips, trip) { + for_each_child_of_node_scoped(trips, trip) { ret = thermal_of_populate_trip(trip, &tt[count++]); if (ret) goto out_kfree;

10 months, 3 weeks


FAILED: patch "[PATCH] drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x e3e4bf58bad1576ac732a1429f53e3d4bfb82b4b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082650-decompose-customer-0b61@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: e3e4bf58bad1 ("drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1") a03ebf116303 ("drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell") 94b1e028e15c ("drm/amdgpu/sdma5.2: add begin/end_use ring callbacks") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e3e4bf58bad1576ac732a1429f53e3d4bfb82b4b Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher(a)amd.com> Date: Wed, 14 Aug 2024 10:28:24 -0400 Subject: [PATCH] drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1 The workaround seems to cause stability issues on other SDMA 5.2.x IPs. 
Fixes: a03ebf116303 ("drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3556 Acked-by: Ruijing Dong <ruijing.dong(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 2dc3851ef7d9c5439ea8e9623fc36878f3b40649) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c index af1e90159ce3..2e72d445415f 100644 --- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c @@ -176,14 +176,16 @@ static void sdma_v5_2_ring_set_wptr(struct amdgpu_ring *ring) DRM_DEBUG("calling WDOORBELL64(0x%08x, 0x%016llx)\n", ring->doorbell_index, ring->wptr << 2); WDOORBELL64(ring->doorbell_index, ring->wptr << 2); - /* SDMA seems to miss doorbells sometimes when powergating kicks in. - * Updating the wptr directly will wake it. This is only safe because - * we disallow gfxoff in begin_use() and then allow it again in end_use(). - */ - WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR), - lower_32_bits(ring->wptr << 2)); - WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI), - upper_32_bits(ring->wptr << 2)); + if (amdgpu_ip_version(adev, SDMA0_HWIP, 0) == IP_VERSION(5, 2, 1)) { + /* SDMA seems to miss doorbells sometimes when powergating kicks in. + * Updating the wptr directly will wake it. This is only safe because + * we disallow gfxoff in begin_use() and then allow it again in end_use(). + */ + WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR), + lower_32_bits(ring->wptr << 2)); + WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI), + upper_32_bits(ring->wptr << 2)); + } } else { DRM_DEBUG("Not using doorbell -- " "mmSDMA%i_GFX_RB_WPTR == 0x%08x "
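The shape of the sdma 5.2 change, a version gate around a split 64-bit register write, can be sketched in userspace C. Everything here is an assumption for illustration: FAKE_IP_VERSION() uses a made-up packing (the real IP_VERSION() layout may differ), struct fake_wptr_regs stands in for the RB_WPTR / RB_WPTR_HI register pair, and lo32()/hi32() mimic what lower_32_bits()/upper_32_bits() are used for in the diff.

```c
#include <stdint.h>

/* Userspace helpers playing the role of lower_32_bits()/upper_32_bits(). */
static uint32_t lo32(uint64_t v)
{
	return (uint32_t)(v & 0xffffffffu);
}

static uint32_t hi32(uint64_t v)
{
	return (uint32_t)(v >> 32);
}

/* Hypothetical register pair standing in for RB_WPTR and RB_WPTR_HI. */
struct fake_wptr_regs {
	uint32_t wptr;
	uint32_t wptr_hi;
};

/* Hypothetical version packing; not necessarily the driver's layout. */
#define FAKE_IP_VERSION(mj, mn, rv) \
	(((uint32_t)(mj) << 16) | ((uint32_t)(mn) << 8) | (uint32_t)(rv))

/* The doorbell write would happen for every version; only 5.2.1 also
 * gets the direct register update, as in the patch. */
static void fake_set_wptr(struct fake_wptr_regs *regs, uint32_t ip_ver,
			  uint64_t wptr)
{
	if (ip_ver == FAKE_IP_VERSION(5, 2, 1)) {
		regs->wptr = lo32(wptr << 2);
		regs->wptr_hi = hi32(wptr << 2);
	}
}
```

For a write pointer of 0x40000001, the shifted value is 0x100000004, so a 5.2.1 device would see 0x4 in the low register and 0x1 in the high one, while any other version leaves both registers untouched.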

10 months, 3 weeks


FAILED: patch "[PATCH] drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x e3e4bf58bad1576ac732a1429f53e3d4bfb82b4b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082649-shading-anyhow-2d3e@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: e3e4bf58bad1 ("drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1") a03ebf116303 ("drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell") 94b1e028e15c ("drm/amdgpu/sdma5.2: add begin/end_use ring callbacks") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e3e4bf58bad1576ac732a1429f53e3d4bfb82b4b Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher(a)amd.com> Date: Wed, 14 Aug 2024 10:28:24 -0400 Subject: [PATCH] drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1 The workaround seems to cause stability issues on other SDMA 5.2.x IPs. 
Fixes: a03ebf116303 ("drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3556 Acked-by: Ruijing Dong <ruijing.dong(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 2dc3851ef7d9c5439ea8e9623fc36878f3b40649) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c index af1e90159ce3..2e72d445415f 100644 --- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c @@ -176,14 +176,16 @@ static void sdma_v5_2_ring_set_wptr(struct amdgpu_ring *ring) DRM_DEBUG("calling WDOORBELL64(0x%08x, 0x%016llx)\n", ring->doorbell_index, ring->wptr << 2); WDOORBELL64(ring->doorbell_index, ring->wptr << 2); - /* SDMA seems to miss doorbells sometimes when powergating kicks in. - * Updating the wptr directly will wake it. This is only safe because - * we disallow gfxoff in begin_use() and then allow it again in end_use(). - */ - WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR), - lower_32_bits(ring->wptr << 2)); - WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI), - upper_32_bits(ring->wptr << 2)); + if (amdgpu_ip_version(adev, SDMA0_HWIP, 0) == IP_VERSION(5, 2, 1)) { + /* SDMA seems to miss doorbells sometimes when powergating kicks in. + * Updating the wptr directly will wake it. This is only safe because + * we disallow gfxoff in begin_use() and then allow it again in end_use(). + */ + WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR), + lower_32_bits(ring->wptr << 2)); + WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI), + upper_32_bits(ring->wptr << 2)); + } } else { DRM_DEBUG("Not using doorbell -- " "mmSDMA%i_GFX_RB_WPTR == 0x%08x "

10 months, 3 weeks


FAILED: patch "[PATCH] drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x e3e4bf58bad1576ac732a1429f53e3d4bfb82b4b # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082648-curry-rack-be6b@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: e3e4bf58bad1 ("drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1") a03ebf116303 ("drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell") 94b1e028e15c ("drm/amdgpu/sdma5.2: add begin/end_use ring callbacks") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From e3e4bf58bad1576ac732a1429f53e3d4bfb82b4b Mon Sep 17 00:00:00 2001 From: Alex Deucher <alexander.deucher(a)amd.com> Date: Wed, 14 Aug 2024 10:28:24 -0400 Subject: [PATCH] drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1 The workaround seems to cause stability issues on other SDMA 5.2.x IPs. 
Fixes: a03ebf116303 ("drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell") Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3556 Acked-by: Ruijing Dong <ruijing.dong(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> (cherry picked from commit 2dc3851ef7d9c5439ea8e9623fc36878f3b40649) Cc: stable(a)vger.kernel.org diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c index af1e90159ce3..2e72d445415f 100644 --- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c @@ -176,14 +176,16 @@ static void sdma_v5_2_ring_set_wptr(struct amdgpu_ring *ring) DRM_DEBUG("calling WDOORBELL64(0x%08x, 0x%016llx)\n", ring->doorbell_index, ring->wptr << 2); WDOORBELL64(ring->doorbell_index, ring->wptr << 2); - /* SDMA seems to miss doorbells sometimes when powergating kicks in. - * Updating the wptr directly will wake it. This is only safe because - * we disallow gfxoff in begin_use() and then allow it again in end_use(). - */ - WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR), - lower_32_bits(ring->wptr << 2)); - WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI), - upper_32_bits(ring->wptr << 2)); + if (amdgpu_ip_version(adev, SDMA0_HWIP, 0) == IP_VERSION(5, 2, 1)) { + /* SDMA seems to miss doorbells sometimes when powergating kicks in. + * Updating the wptr directly will wake it. This is only safe because + * we disallow gfxoff in begin_use() and then allow it again in end_use(). + */ + WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR), + lower_32_bits(ring->wptr << 2)); + WREG32(sdma_v5_2_get_reg_offset(adev, ring->me, mmSDMA0_GFX_RB_WPTR_HI), + upper_32_bits(ring->wptr << 2)); + } } else { DRM_DEBUG("Not using doorbell -- " "mmSDMA%i_GFX_RB_WPTR == 0x%08x "

10 months, 3 weeks


[PATCH v4 2/2] dmaengine: dw-edma: Do not enable watermark interrupts for HDMA

by Mrinmay Sarkar

DW_HDMA_V0_LIE and DW_HDMA_V0_RIE are initialized as BIT(3) and BIT(4) respectively in dw_hdma_control enum. But as per HDMA register these bits are corresponds to LWIE and RWIE bit i.e local watermark interrupt enable and remote watermarek interrupt enable. In linked list mode LWIE and RWIE bits only enable the local and remote watermark interrupt. Since the watermark interrupts are not used but enabled, this leads to spurious interrupts getting generated. So remove the code that enables them to avoid generating spurious watermark interrupts. And also rename DW_HDMA_V0_LIE to DW_HDMA_V0_LWIE and DW_HDMA_V0_RIE to DW_HDMA_V0_RWIE as there is no LIE and RIE bits in HDMA and those bits are corresponds to LWIE and RWIE bits. Fixes: e74c39573d35 ("dmaengine: dw-edma: Add support for native HDMA") cc: stable(a)vger.kernel.org Signed-off-by: Mrinmay Sarkar <quic_msarkar(a)quicinc.com> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> Reviewed-by: Serge Semin <fancer.lancer(a)gmail.com> --- drivers/dma/dw-edma/dw-hdma-v0-core.c | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/drivers/dma/dw-edma/dw-hdma-v0-core.c b/drivers/dma/dw-edma/dw-hdma-v0-core.c index 2addaca..e3f8db4 100644 --- a/drivers/dma/dw-edma/dw-hdma-v0-core.c +++ b/drivers/dma/dw-edma/dw-hdma-v0-core.c @@ -17,8 +17,8 @@ enum dw_hdma_control { DW_HDMA_V0_CB = BIT(0), DW_HDMA_V0_TCB = BIT(1), DW_HDMA_V0_LLP = BIT(2), - DW_HDMA_V0_LIE = BIT(3), - DW_HDMA_V0_RIE = BIT(4), + DW_HDMA_V0_LWIE = BIT(3), + DW_HDMA_V0_RWIE = BIT(4), DW_HDMA_V0_CCS = BIT(8), DW_HDMA_V0_LLE = BIT(9), }; @@ -195,25 +195,14 @@ static void dw_hdma_v0_write_ll_link(struct dw_edma_chunk *chunk, static void dw_hdma_v0_core_write_chunk(struct dw_edma_chunk *chunk) { struct dw_edma_burst *child; - struct dw_edma_chan *chan = chunk->chan; u32 control = 0, i = 0; - int j; if (chunk->cb) control = DW_HDMA_V0_CB; - j = chunk->bursts_alloc; - list_for_each_entry(child, &chunk->burst->list, 
list) { - j--; - if (!j) { - control |= DW_HDMA_V0_LIE; - if (!(chan->dw->chip->flags & DW_EDMA_CHIP_LOCAL)) - control |= DW_HDMA_V0_RIE; - } - + list_for_each_entry(child, &chunk->burst->list, list) dw_hdma_v0_write_ll_data(chunk, i++, control, child->sz, child->sar, child->dar); - } control = DW_HDMA_V0_LLP | DW_HDMA_V0_TCB; if (!chunk->cb) -- 2.7.4
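
The effect of this change on the per-element control word can be sketched in isolation. This is a standalone model and not the driver code: `ll_data_control()` is a hypothetical helper, the `HDMA_*` names are shortened for the sketch, and only the bit positions are taken from the enum in the patch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit positions as listed in the patched dw_hdma_control enum. */
enum {
	HDMA_CB   = 1u << 0,
	HDMA_TCB  = 1u << 1,
	HDMA_LLP  = 1u << 2,
	HDMA_LWIE = 1u << 3,	/* local watermark interrupt enable */
	HDMA_RWIE = 1u << 4,	/* remote watermark interrupt enable */
};

/*
 * Hypothetical helper: control word written for each data element of the
 * linked list after the patch. Only the CB bit is carried over; the
 * watermark interrupt enables are never set, not even on the last burst.
 */
static inline uint32_t ll_data_control(bool cb)
{
	return cb ? HDMA_CB : 0;
}
```

Before the patch, the last burst of a chunk additionally had bit 3 set (and bit 4 for non-local chips), which is what enabled the unused watermark interrupts.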

10 months, 3 weeks


[PATCH v4 1/2] dmaengine: dw-edma: Fix unmasking STOP and ABORT interrupts for HDMA

by Mrinmay Sarkar

The current logic is enabling both STOP_INT_MASK and ABORT_INT_MASK bit. This is apparently masking those particular interrupts rather than unmasking the same. If the interrupts are masked, they would never get triggered. So fix the issue by unmasking the STOP and ABORT interrupts properly. Fixes: e74c39573d35 ("dmaengine: dw-edma: Add support for native HDMA") cc: stable(a)vger.kernel.org Signed-off-by: Mrinmay Sarkar <quic_msarkar(a)quicinc.com> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- drivers/dma/dw-edma/dw-hdma-v0-core.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/dma/dw-edma/dw-hdma-v0-core.c b/drivers/dma/dw-edma/dw-hdma-v0-core.c index 10e8f07..2addaca 100644 --- a/drivers/dma/dw-edma/dw-hdma-v0-core.c +++ b/drivers/dma/dw-edma/dw-hdma-v0-core.c @@ -247,10 +247,11 @@ static void dw_hdma_v0_core_start(struct dw_edma_chunk *chunk, bool first) if (first) { /* Enable engine */ SET_CH_32(dw, chan->dir, chan->id, ch_en, BIT(0)); - /* Interrupt enable&unmask - done, abort */ - tmp = GET_CH_32(dw, chan->dir, chan->id, int_setup) | - HDMA_V0_STOP_INT_MASK | HDMA_V0_ABORT_INT_MASK | - HDMA_V0_LOCAL_STOP_INT_EN | HDMA_V0_LOCAL_ABORT_INT_EN; + /* Interrupt unmask - stop, abort */ + tmp = GET_CH_32(dw, chan->dir, chan->id, int_setup); + tmp &= ~(HDMA_V0_STOP_INT_MASK | HDMA_V0_ABORT_INT_MASK); + /* Interrupt enable - stop, abort */ + tmp |= HDMA_V0_LOCAL_STOP_INT_EN | HDMA_V0_LOCAL_ABORT_INT_EN; if (!(dw->chip->flags & DW_EDMA_CHIP_LOCAL)) tmp |= HDMA_V0_REMOTE_STOP_INT_EN | HDMA_V0_REMOTE_ABORT_INT_EN; SET_CH_32(dw, chan->dir, chan->id, int_setup, tmp); -- 2.7.4
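
The distinction between mask bits and enable bits can be shown with a small standalone model of the register update. The bit positions below are hypothetical and chosen only for this sketch (the real ones live in the driver's register header), and `int_setup_value()` is not a driver function.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical bit positions, for illustration only. */
#define STOP_INT_MASK        (1u << 0)
#define ABORT_INT_MASK       (1u << 1)
#define LOCAL_STOP_INT_EN    (1u << 2)
#define LOCAL_ABORT_INT_EN   (1u << 3)
#define REMOTE_STOP_INT_EN   (1u << 4)
#define REMOTE_ABORT_INT_EN  (1u << 5)

/* Compute the new int_setup value from the old one, as the patch does. */
static inline uint32_t int_setup_value(uint32_t old, bool chip_local)
{
	uint32_t tmp = old;

	/* Unmask: a set MASK bit suppresses the interrupt, so clear it. */
	tmp &= ~(STOP_INT_MASK | ABORT_INT_MASK);
	/* Enable the local stop and abort interrupts. */
	tmp |= LOCAL_STOP_INT_EN | LOCAL_ABORT_INT_EN;
	/* Remote interrupts are enabled only when the chip is not local. */
	if (!chip_local)
		tmp |= REMOTE_STOP_INT_EN | REMOTE_ABORT_INT_EN;
	return tmp;
}
```

The old code OR-ed the two MASK bits into the value, so both interrupts stayed masked regardless of the enable bits.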

10 months, 3 weeks


FAILED: patch "[PATCH] selftests: mptcp: join: check re-using ID of unused ADD_ADDR" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x a13d5aad4dd9a309eecdc33cfd75045bd5f376a3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082625-canon-squeeze-24ab@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: a13d5aad4dd9 ("selftests: mptcp: join: check re-using ID of unused ADD_ADDR") b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a13d5aad4dd9a309eecdc33cfd75045bd5f376a3 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 19 Aug 2024 21:45:20 +0200 Subject: [PATCH] selftests: mptcp: join: check re-using ID of unused ADD_ADDR This test extends "delete re-add signal" to validate the previous commit. An extra address is announced by the server, but this address cannot be used by the client. The result is that no subflow will be established to this address. Later, the server will delete this extra endpoint, and set a new one, with a valid address, but re-using the same ID. Before the previous commit, the server would not have been able to announce this new address. While at it, extra checks have been added to validate the expected numbers of MPJ, ADD_ADDR and RM_ADDR. The 'Fixes' tag here below is the same as the one from the previous commit: this patch here is not fixing anything wrong in the selftests, but it validates the previous fix for an issue introduced by this commit ID. 
Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-2-38035d40de5b… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index 9ea6d698e9d3..25077ccf31d2 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -3601,9 +3601,11 @@ endpoint_tests() # remove and re-add if reset "delete re-add signal" && mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then - pm_nl_set_limits $ns1 1 1 - pm_nl_set_limits $ns2 1 1 + pm_nl_set_limits $ns1 0 2 + pm_nl_set_limits $ns2 2 2 pm_nl_add_endpoint $ns1 10.0.2.1 id 1 flags signal + # broadcast IP: no packet for this address will be received on ns1 + pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal test_linkfail=4 speed=20 \ run_tests $ns1 $ns2 10.0.1.1 & local tests_pid=$! @@ -3615,15 +3617,21 @@ endpoint_tests() chk_mptcp_info subflows 1 subflows 1 pm_nl_del_endpoint $ns1 1 10.0.2.1 + pm_nl_del_endpoint $ns1 2 224.0.0.1 sleep 0.5 chk_subflow_nr "after delete" 1 chk_mptcp_info subflows 0 subflows 0 - pm_nl_add_endpoint $ns1 10.0.2.1 flags signal + pm_nl_add_endpoint $ns1 10.0.2.1 id 1 flags signal + pm_nl_add_endpoint $ns1 10.0.3.1 id 2 flags signal wait_mpj $ns2 - chk_subflow_nr "after re-add" 2 - chk_mptcp_info subflows 1 subflows 1 + chk_subflow_nr "after re-add" 3 + chk_mptcp_info subflows 2 subflows 2 mptcp_lib_kill_wait $tests_pid + + chk_join_nr 3 3 3 + chk_add_nr 4 4 + chk_rm_nr 2 1 invert fi }

10 months, 3 weeks


FAILED: patch "[PATCH] selftests: mptcp: join: check re-using ID of unused ADD_ADDR" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y git checkout FETCH_HEAD git cherry-pick -x a13d5aad4dd9a309eecdc33cfd75045bd5f376a3 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082624-upchuck-frail-8d79@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^.. Possible dependencies: a13d5aad4dd9 ("selftests: mptcp: join: check re-using ID of unused ADD_ADDR") b5e2fb832f48 ("selftests: mptcp: add explicit test case for remove/readd") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a13d5aad4dd9a309eecdc33cfd75045bd5f376a3 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 19 Aug 2024 21:45:20 +0200 Subject: [PATCH] selftests: mptcp: join: check re-using ID of unused ADD_ADDR This test extends "delete re-add signal" to validate the previous commit. An extra address is announced by the server, but this address cannot be used by the client. The result is that no subflow will be established to this address. Later, the server will delete this extra endpoint, and set a new one, with a valid address, but re-using the same ID. Before the previous commit, the server would not have been able to announce this new address. While at it, extra checks have been added to validate the expected numbers of MPJ, ADD_ADDR and RM_ADDR. The 'Fixes' tag here below is the same as the one from the previous commit: this patch here is not fixing anything wrong in the selftests, but it validates the previous fix for an issue introduced by this commit ID. 
Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-2-38035d40de5b… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh index 9ea6d698e9d3..25077ccf31d2 100755 --- a/tools/testing/selftests/net/mptcp/mptcp_join.sh +++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh @@ -3601,9 +3601,11 @@ endpoint_tests() # remove and re-add if reset "delete re-add signal" && mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then - pm_nl_set_limits $ns1 1 1 - pm_nl_set_limits $ns2 1 1 + pm_nl_set_limits $ns1 0 2 + pm_nl_set_limits $ns2 2 2 pm_nl_add_endpoint $ns1 10.0.2.1 id 1 flags signal + # broadcast IP: no packet for this address will be received on ns1 + pm_nl_add_endpoint $ns1 224.0.0.1 id 2 flags signal test_linkfail=4 speed=20 \ run_tests $ns1 $ns2 10.0.1.1 & local tests_pid=$! @@ -3615,15 +3617,21 @@ endpoint_tests() chk_mptcp_info subflows 1 subflows 1 pm_nl_del_endpoint $ns1 1 10.0.2.1 + pm_nl_del_endpoint $ns1 2 224.0.0.1 sleep 0.5 chk_subflow_nr "after delete" 1 chk_mptcp_info subflows 0 subflows 0 - pm_nl_add_endpoint $ns1 10.0.2.1 flags signal + pm_nl_add_endpoint $ns1 10.0.2.1 id 1 flags signal + pm_nl_add_endpoint $ns1 10.0.3.1 id 2 flags signal wait_mpj $ns2 - chk_subflow_nr "after re-add" 2 - chk_mptcp_info subflows 1 subflows 1 + chk_subflow_nr "after re-add" 3 + chk_mptcp_info subflows 2 subflows 2 mptcp_lib_kill_wait $tests_pid + + chk_join_nr 3 3 3 + chk_add_nr 4 4 + chk_rm_nr 2 1 invert fi }

10 months, 3 weeks


FAILED: patch "[PATCH] mptcp: pm: check add_addr_accept_max before accepting new" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082607-slush-clavicle-60dd@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 0137a3c7c2ea ("mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR") 1c1f72137598 ("mptcp: pm: only decrement add_addr_accepted for MPJ req") 322ea3778965 ("mptcp: pm: only mark 'subflow' endp as available") f448451aa62d ("mptcp: pm: remove mptcp_pm_remove_subflow()") ef34a6ea0cab ("mptcp: pm: re-using ID of unused flushed subflows") edd8b5d868a4 ("mptcp: pm: re-using ID of unused removed subflows") 4b317e0eb287 ("mptcp: fix NL PM announced address accounting") 6a09788c1a66 ("mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID") 9bbec87ecfe8 ("mptcp: unify pm get_local_id interfaces") dc886bce753c ("mptcp: export local_address") 8b1c94da1e48 ("mptcp: only send RM_ADDR in nl_cmd_remove") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 19 Aug 2024 21:45:28 +0200 Subject: [PATCH] mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR The limits might have changed in between, it is best to check them before accepting new ADD_ADDR. 
Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-10-38035d40de5… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 882781571c7b..28a9a3726146 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -848,8 +848,8 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk, /* Note: if the subflow has been closed before, this * add_addr_accepted counter will not be decremented. */ - msk->pm.add_addr_accepted--; - WRITE_ONCE(msk->pm.accept_addr, true); + if (--msk->pm.add_addr_accepted < mptcp_pm_get_add_addr_accept_max(msk)) + WRITE_ONCE(msk->pm.accept_addr, true); } } }
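
The changed condition can be modelled outside the kernel as follows. This is a sketch under assumptions: `struct pm_model` and both functions are hypothetical stand-ins for the fields of `msk->pm` used in the hunk, and locking and `WRITE_ONCE()` are left out.

```c
#include <stdbool.h>

/* Hypothetical stand-in for the path-manager fields touched by the hunk. */
struct pm_model {
	unsigned int add_addr_accepted;
	unsigned int add_addr_accept_max;
	bool accept_addr;
};

/*
 * Called when an accepted address is removed. The counter is always
 * decremented, but new ADD_ADDRs are re-allowed only if the count is now
 * below the current limit, which may have been lowered in the meantime.
 */
static inline void pm_model_rm_addr(struct pm_model *pm)
{
	if (--pm->add_addr_accepted < pm->add_addr_accept_max)
		pm->accept_addr = true;
}

/* Convenience wrapper: does one removal re-enable accepting addresses? */
static inline bool accepts_after_rm(unsigned int accepted, unsigned int max)
{
	struct pm_model pm = { accepted, max, false };

	pm_model_rm_addr(&pm);
	return pm.accept_addr;
}
```

For example, with two accepted addresses and a limit lowered to one, a single removal leaves the count at the limit, so accepting stays disabled until a second removal.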

10 months, 3 weeks


FAILED: patch "[PATCH] mptcp: pm: only mark 'subflow' endp as available" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 322ea3778965da72862cca2a0c50253aacf65fe6 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082626-citadel-cortex-f8ef@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 322ea3778965 ("mptcp: pm: only mark 'subflow' endp as available") f448451aa62d ("mptcp: pm: remove mptcp_pm_remove_subflow()") ef34a6ea0cab ("mptcp: pm: re-using ID of unused flushed subflows") edd8b5d868a4 ("mptcp: pm: re-using ID of unused removed subflows") 4b317e0eb287 ("mptcp: fix NL PM announced address accounting") 6a09788c1a66 ("mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID") 9bbec87ecfe8 ("mptcp: unify pm get_local_id interfaces") dc886bce753c ("mptcp: export local_address") 8b1c94da1e48 ("mptcp: only send RM_ADDR in nl_cmd_remove") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 322ea3778965da72862cca2a0c50253aacf65fe6 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 19 Aug 2024 21:45:26 +0200 Subject: [PATCH] mptcp: pm: only mark 'subflow' endp as available Adding the following warning ... WARN_ON_ONCE(msk->pm.local_addr_used == 0) ... before decrementing the local_addr_used counter helped to find a bug when running the "remove single address" subtest from the mptcp_join.sh selftests. Removing a 'signal' endpoint will trigger the removal of all subflows linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with rm_type == MPTCP_MIB_RMSUBFLOW. 
This will decrement the local_addr_used counter, which is wrong in this case because this counter is linked to 'subflow' endpoints, and here it is a 'signal' endpoint that is being removed. Now, the counter is decremented, only if the ID is being used outside of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and if the ID is not 0 -- local_addr_used is not taking into account these ones. This marking of the ID as being available, and the decrement is done no matter if a subflow using this ID is currently available, because the subflow could have been closed before. Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-8-38035d40de5b… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 44fc1c5959ac..4cf7cc851f80 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -833,10 +833,10 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk, if (rm_type == MPTCP_MIB_RMSUBFLOW) __MPTCP_INC_STATS(sock_net(sk), rm_type); } - if (rm_type == MPTCP_MIB_RMSUBFLOW) - __set_bit(rm_id ? 
rm_id : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap); - else if (rm_type == MPTCP_MIB_RMADDR) + + if (rm_type == MPTCP_MIB_RMADDR) __MPTCP_INC_STATS(sock_net(sk), rm_type); + if (!removed) continue; @@ -846,8 +846,6 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk, if (rm_type == MPTCP_MIB_RMADDR) { msk->pm.add_addr_accepted--; WRITE_ONCE(msk->pm.accept_addr, true); - } else if (rm_type == MPTCP_MIB_RMSUBFLOW) { - msk->pm.local_addr_used--; } } } @@ -1441,6 +1439,14 @@ static bool mptcp_pm_remove_anno_addr(struct mptcp_sock *msk, return ret; } +static void __mark_subflow_endp_available(struct mptcp_sock *msk, u8 id) +{ + /* If it was marked as used, and not ID 0, decrement local_addr_used */ + if (!__test_and_set_bit(id ? : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap) && + id && !WARN_ON_ONCE(msk->pm.local_addr_used == 0)) + msk->pm.local_addr_used--; +} + static int mptcp_nl_remove_subflow_and_signal_addr(struct net *net, const struct mptcp_pm_addr_entry *entry) { @@ -1474,11 +1480,11 @@ static int mptcp_nl_remove_subflow_and_signal_addr(struct net *net, spin_lock_bh(&msk->pm.lock); mptcp_pm_nl_rm_subflow_received(msk, &list); spin_unlock_bh(&msk->pm.lock); - } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { - /* If the subflow has been used, but now closed */ + } + + if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { spin_lock_bh(&msk->pm.lock); - if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap)) - msk->pm.local_addr_used--; + __mark_subflow_endp_available(msk, list.ids[0]); spin_unlock_bh(&msk->pm.lock); } @@ -1516,6 +1522,7 @@ static int mptcp_nl_remove_id_zero_address(struct net *net, spin_lock_bh(&msk->pm.lock); mptcp_pm_remove_addr(msk, &list); mptcp_pm_nl_rm_subflow_received(msk, &list); + __mark_subflow_endp_available(msk, 0); spin_unlock_bh(&msk->pm.lock); release_sock(sk); @@ -1917,6 +1924,7 @@ static void mptcp_pm_nl_fullmesh(struct mptcp_sock *msk, spin_lock_bh(&msk->pm.lock); 
mptcp_pm_nl_rm_subflow_received(msk, &list); + __mark_subflow_endp_available(msk, list.ids[0]); mptcp_pm_create_subflow_or_signal_addr(msk); spin_unlock_bh(&msk->pm.lock); }
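
The accounting rule implemented by the new helper can be sketched as a standalone model. The names below are hypothetical, the bitmap is limited to 64 IDs for brevity (the kernel bitmap is larger), and the `WARN_ON_ONCE()` is replaced by a plain guard.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of the fields used by the helper in the patch. */
struct pm_ids {
	uint64_t id_avail_bitmap;	/* bit set = ID is available */
	unsigned int local_addr_used;
	uint8_t mpc_endpoint_id;	/* ID used by the initial subflow */
};

/* Set a bit and report whether it was already set. */
static inline bool test_and_set(uint64_t *map, unsigned int bit)
{
	bool old = (*map >> bit) & 1u;

	*map |= (uint64_t)1 << bit;
	return old;
}

/*
 * Mark the ID as available again. The counter is decremented only if the
 * ID was marked as used, the ID is not 0, and the counter is not already 0.
 */
static inline void mark_subflow_endp_available(struct pm_ids *pm, uint8_t id)
{
	unsigned int bit = id ? id : pm->mpc_endpoint_id;

	if (!test_and_set(&pm->id_avail_bitmap, bit) &&
	    id && pm->local_addr_used > 0)
		pm->local_addr_used--;
}

/* Convenience wrapper returning the counter after one release. */
static inline unsigned int used_after_release(unsigned int used,
					      uint64_t avail, uint8_t id)
{
	struct pm_ids pm = { avail, used, 0 };

	mark_subflow_endp_available(&pm, id);
	return pm.local_addr_used;
}
```

Releasing an ID that is already available leaves the counter untouched, which matches the commit message: the marking is done whether or not a subflow using the ID still exists.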

10 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] mptcp: pm: remove mptcp_pm_remove_subflow()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x f448451aa62d54be16acb0034223c17e0d12bc69 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082655-frostily-embellish-9960@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: f448451aa62d ("mptcp: pm: remove mptcp_pm_remove_subflow()") ef34a6ea0cab ("mptcp: pm: re-using ID of unused flushed subflows") edd8b5d868a4 ("mptcp: pm: re-using ID of unused removed subflows") 4b317e0eb287 ("mptcp: fix NL PM announced address accounting") 9bbec87ecfe8 ("mptcp: unify pm get_local_id interfaces") dc886bce753c ("mptcp: export local_address") 8b1c94da1e48 ("mptcp: only send RM_ADDR in nl_cmd_remove") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f448451aa62d54be16acb0034223c17e0d12bc69 Mon Sep 17 00:00:00 2001 From: "Matthieu Baerts (NGI0)" <matttbe(a)kernel.org> Date: Mon, 19 Aug 2024 21:45:25 +0200 Subject: [PATCH] mptcp: pm: remove mptcp_pm_remove_subflow() This helper is confusing. It is in pm.c, but it is specific to the in-kernel PM and it cannot be used by the userspace one. Also, it simply calls one in-kernel specific function with the PM lock, while the similar mptcp_pm_remove_addr() helper requires the PM lock. 
What's left is the pr_debug(), which is not that useful, because a similar one is present in the only function called by this helper: mptcp_pm_nl_rm_subflow_received() After these modifications, this helper can be marked as 'static', and the lock can be taken only once in mptcp_pm_flush_addrs_and_subflows(). Note that it is not a bug fix, but it will help backporting the following commits. Fixes: 0ee4261a3681 ("mptcp: implement mptcp_pm_remove_subflow") Cc: stable(a)vger.kernel.org Reviewed-by: Mat Martineau <martineau(a)kernel.org> Signed-off-by: Matthieu Baerts (NGI0) <matttbe(a)kernel.org> Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-7-38035d40de5b… Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c index 23bb89c94e90..925123e99889 100644 --- a/net/mptcp/pm.c +++ b/net/mptcp/pm.c @@ -60,16 +60,6 @@ int mptcp_pm_remove_addr(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_ return 0; } -int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list) -{ - pr_debug("msk=%p, rm_list_nr=%d", msk, rm_list->nr); - - spin_lock_bh(&msk->pm.lock); - mptcp_pm_nl_rm_subflow_received(msk, rm_list); - spin_unlock_bh(&msk->pm.lock); - return 0; -} - /* path manager event handlers */ void mptcp_pm_new_connection(struct mptcp_sock *msk, const struct sock *ssk, int server_side) diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c index 2c26696b820e..44fc1c5959ac 100644 --- a/net/mptcp/pm_netlink.c +++ b/net/mptcp/pm_netlink.c @@ -857,8 +857,8 @@ static void mptcp_pm_nl_rm_addr_received(struct mptcp_sock *msk) mptcp_pm_nl_rm_addr_or_subflow(msk, &msk->pm.rm_list_rx, MPTCP_MIB_RMADDR); } -void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, - const struct mptcp_rm_list *rm_list) +static void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, + const struct mptcp_rm_list *rm_list) { mptcp_pm_nl_rm_addr_or_subflow(msk, rm_list, MPTCP_MIB_RMSUBFLOW); } @@ -1471,7 
+1471,9 @@ static int mptcp_nl_remove_subflow_and_signal_addr(struct net *net, !(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT)); if (remove_subflow) { - mptcp_pm_remove_subflow(msk, &list); + spin_lock_bh(&msk->pm.lock); + mptcp_pm_nl_rm_subflow_received(msk, &list); + spin_unlock_bh(&msk->pm.lock); } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) { /* If the subflow has been used, but now closed */ spin_lock_bh(&msk->pm.lock); @@ -1617,18 +1619,14 @@ static void mptcp_pm_remove_addrs_and_subflows(struct mptcp_sock *msk, alist.ids[alist.nr++] = entry->addr.id; } + spin_lock_bh(&msk->pm.lock); if (alist.nr) { - spin_lock_bh(&msk->pm.lock); msk->pm.add_addr_signaled -= alist.nr; mptcp_pm_remove_addr(msk, &alist); - spin_unlock_bh(&msk->pm.lock); } - if (slist.nr) - mptcp_pm_remove_subflow(msk, &slist); - + mptcp_pm_nl_rm_subflow_received(msk, &slist); /* Reset counters: maybe some subflows have been removed before */ - spin_lock_bh(&msk->pm.lock); bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1); msk->pm.local_addr_used = 0; spin_unlock_bh(&msk->pm.lock); diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h index 60c6b073d65f..a1c1b0ff1ce1 100644 --- a/net/mptcp/protocol.h +++ b/net/mptcp/protocol.h @@ -1026,7 +1026,6 @@ int mptcp_pm_announce_addr(struct mptcp_sock *msk, const struct mptcp_addr_info *addr, bool echo); int mptcp_pm_remove_addr(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list); -int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list); void mptcp_pm_remove_addrs(struct mptcp_sock *msk, struct list_head *rm_list); void mptcp_free_local_addr_list(struct mptcp_sock *msk); @@ -1133,8 +1132,6 @@ static inline u8 subflow_get_local_id(const struct mptcp_subflow_context *subflo void __init mptcp_pm_nl_init(void); void mptcp_pm_nl_work(struct mptcp_sock *msk); -void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk, - const struct mptcp_rm_list *rm_list); unsigned int 
mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk); unsigned int mptcp_pm_get_add_addr_accept_max(const struct mptcp_sock *msk); unsigned int mptcp_pm_get_subflows_max(const struct mptcp_sock *msk);
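
The locking change can be illustrated with a toy lock that counts acquisitions. Everything here is hypothetical (a boolean stands in for `msk->pm.lock`, and the function names only echo the kernel ones); the point is that once both callees require the lock to be held by the caller, the flush path takes it a single time.

```c
#include <assert.h>
#include <stdbool.h>

/* Toy lock: records whether it is held and how often it was taken. */
struct pm_lock_model {
	bool held;
	unsigned int acquisitions;
};

static inline void pm_lock(struct pm_lock_model *m)
{
	assert(!m->held);
	m->held = true;
	m->acquisitions++;
}

static inline void pm_unlock(struct pm_lock_model *m)
{
	assert(m->held);
	m->held = false;
}

/* Both callees expect the caller to hold the lock. */
static inline void remove_addr_locked(struct pm_lock_model *m)
{
	assert(m->held);
}

static inline void rm_subflow_received_locked(struct pm_lock_model *m)
{
	assert(m->held);
}

/* Flush path after the patch: one critical section for all three steps. */
static inline unsigned int flush_addrs_and_subflows(bool have_addrs)
{
	struct pm_lock_model m = { false, 0 };

	pm_lock(&m);
	if (have_addrs)
		remove_addr_locked(&m);
	rm_subflow_received_locked(&m);
	/* The counters would be reset here, still under the same lock. */
	pm_unlock(&m);
	return m.acquisitions;
}
```

In the pre-patch code the same sequence could take and release the lock up to three times.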

10 months, 3 weeks


FAILED: patch "[PATCH] thermal: of: Fix OF node leak in thermal_of_zone_register()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 662b52b761bfe0ba970e5823759798faf809b896 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082656-step-coeditor-e1ab@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 662b52b761bf ("thermal: of: Fix OF node leak in thermal_of_zone_register()") 698a1eb1f75e ("thermal: core: Store zone ops in struct thermal_zone_device") 9b0a62758665 ("thermal: core: Store zone trips table in struct thermal_zone_device") 755113d76786 ("thermal/debugfs: Add thermal cooling device debugfs information") d654362d53a8 ("Merge tag 'thermal-v6.8-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/thermal/linux into thermal") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 662b52b761bfe0ba970e5823759798faf809b896 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 21:58:22 +0200 Subject: [PATCH] thermal: of: Fix OF node leak in thermal_of_zone_register() thermal_of_zone_register() calls of_thermal_zone_find() which will iterate over OF nodes with for_each_available_child_of_node() to find matching thermal zone node. When it finds such, it exits the loop and returns the node. Prematurely ending for_each_available_child_of_node() loops requires dropping OF node reference, thus success of of_thermal_zone_find() means that caller must drop the reference. 
Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Link: https://patch.msgid.link/20240814195823.437597-2-krzysztof.kozlowski@linaro… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index 30f8d6e70484..b08a9b64718d 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -491,7 +491,8 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * trips = thermal_of_trips_init(np, &ntrips); if (IS_ERR(trips)) { pr_err("Failed to find trip points for %pOFn id=%d\n", sensor, id); - return ERR_CAST(trips); + ret = PTR_ERR(trips); + goto out_of_node_put; } ret = thermal_of_monitor_init(np, &delay, &pdelay); @@ -519,6 +520,7 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * goto out_kfree_trips; } + of_node_put(np); kfree(trips); ret = thermal_zone_device_enable(tz); @@ -533,6 +535,8 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * out_kfree_trips: kfree(trips); +out_of_node_put: + of_node_put(np); return ERR_PTR(ret); }
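
The reference-counting rule behind this fix can be sketched with a mock node. This is a minimal model under assumptions: `struct node_model`, `node_find()`, `node_put()` and `zone_register()` are hypothetical stand-ins for the OF node, of_thermal_zone_find(), of_node_put() and thermal_of_zone_register().

```c
#include <errno.h>
#include <stdbool.h>

/* Mock device tree node with an explicit reference count. */
struct node_model {
	int refcount;
};

/* Like a lookup that exits its iteration early: returns with a reference held. */
static inline struct node_model *node_find(struct node_model *n)
{
	n->refcount++;
	return n;
}

static inline void node_put(struct node_model *n)
{
	n->refcount--;
}

/* Every exit after a successful lookup must drop the reference. */
static inline int zone_register(struct node_model *tree, bool trips_ok)
{
	struct node_model *np = node_find(tree);
	int ret;

	if (!trips_ok) {
		ret = -EINVAL;
		goto out_node_put;
	}

	/* Success: the node is no longer needed once setup is done. */
	node_put(np);
	return 0;

out_node_put:
	node_put(np);
	return ret;
}

/* Number of references left over after one registration attempt. */
static inline int refs_leaked(bool trips_ok)
{
	struct node_model tree = { 1 };

	zone_register(&tree, trips_ok);
	return tree.refcount - 1;
}
```

With the early `return ERR_CAST(trips)` of the original code, the failure path would skip the put and `refs_leaked(false)` would be 1 in this model.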

10 months, 3 weeks


FAILED: patch "[PATCH] thermal: of: Fix OF node leak in thermal_of_zone_register()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 662b52b761bfe0ba970e5823759798faf809b896 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082656-bacterium-output-c8b2@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 662b52b761bf ("thermal: of: Fix OF node leak in thermal_of_zone_register()") 698a1eb1f75e ("thermal: core: Store zone ops in struct thermal_zone_device") 9b0a62758665 ("thermal: core: Store zone trips table in struct thermal_zone_device") 755113d76786 ("thermal/debugfs: Add thermal cooling device debugfs information") d654362d53a8 ("Merge tag 'thermal-v6.8-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/thermal/linux into thermal") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 662b52b761bfe0ba970e5823759798faf809b896 Mon Sep 17 00:00:00 2001 From: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Date: Wed, 14 Aug 2024 21:58:22 +0200 Subject: [PATCH] thermal: of: Fix OF node leak in thermal_of_zone_register() thermal_of_zone_register() calls of_thermal_zone_find() which will iterate over OF nodes with for_each_available_child_of_node() to find matching thermal zone node. When it finds such, it exits the loop and returns the node. Prematurely ending for_each_available_child_of_node() loops requires dropping OF node reference, thus success of of_thermal_zone_find() means that caller must drop the reference. 
Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") Cc: All applicable <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Chen-Yu Tsai <wenst(a)chromium.org> Reviewed-by: Daniel Lezcano <daniel.lezcano(a)linaro.org> Link: https://patch.msgid.link/20240814195823.437597-2-krzysztof.kozlowski@linaro… Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c index 30f8d6e70484..b08a9b64718d 100644 --- a/drivers/thermal/thermal_of.c +++ b/drivers/thermal/thermal_of.c @@ -491,7 +491,8 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * trips = thermal_of_trips_init(np, &ntrips); if (IS_ERR(trips)) { pr_err("Failed to find trip points for %pOFn id=%d\n", sensor, id); - return ERR_CAST(trips); + ret = PTR_ERR(trips); + goto out_of_node_put; } ret = thermal_of_monitor_init(np, &delay, &pdelay); @@ -519,6 +520,7 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * goto out_kfree_trips; } + of_node_put(np); kfree(trips); ret = thermal_zone_device_enable(tz); @@ -533,6 +535,8 @@ static struct thermal_zone_device *thermal_of_zone_register(struct device_node * out_kfree_trips: kfree(trips); +out_of_node_put: + of_node_put(np); return ERR_PTR(ret); }

10 months, 3 weeks


FAILED: patch "[PATCH] smb3: fix broken cached reads when posix locks" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y
git checkout FETCH_HEAD
git cherry-pick -x e4be320eeca842a3d7648258ee3673f1755a5a59
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082640-fragrant-tarnish-604d@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^..

Possible dependencies:

e4be320eeca8 ("smb3: fix broken cached reads when posix locks")
3ee1a1fc3981 ("cifs: Cut over to using netfslib")
69c3c023af25 ("cifs: Implement netfslib hooks")
edea94a69730 ("cifs: Add mempools for cifs_io_request and cifs_io_subrequest structs")
1a5b4edd97ce ("cifs: Move cifs_loose_read_iter() and cifs_file_write_iter() to file.c")
ab58fbdeebc7 ("cifs: Use more fields from netfs_io_subrequest")
a975a2f22cdc ("cifs: Replace cifs_writedata with a wrapper around netfs_io_subrequest")
753b67eb630d ("cifs: Replace cifs_readdata with a wrapper around netfs_io_subrequest")
0f7c0f3f5150 ("cifs: Use alternative invalidation to using launder_folio")
2e9d7e4b984a ("mm: Remove the PG_fscache alias for PG_private_2")
2ff1e97587f4 ("netfs: Replace PG_fscache by setting folio->private and marking dirty")
f3dc1bdb6b0b ("cifs: Fix writeback data corruption")
d1bba17e20d5 ("Merge tag '6.8-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From e4be320eeca842a3d7648258ee3673f1755a5a59 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench(a)microsoft.com>
Date: Thu, 15 Aug 2024 18:31:36 -0500
Subject: [PATCH] smb3: fix broken cached reads when posix locks

Mandatory locking is enforced for cached reads, which violates
default posix semantics, and also it is enforced inconsistently.
This affected recent versions of libreoffice, and can be
demonstrated by opening a file twice from the same client,
locking it from handle one and trying to read from it from
handle two (which fails, returning EACCES).

There is already a mount option "forcemandatorylock"
(which defaults to off), so with this change only when the user
intentionally specifies "forcemandatorylock" on mount will we
break posix semantics on read to a locked range (ie we will
only fail in this case, if the user mounts with
"forcemandatorylock").

An earlier patch fixed the write path.

Fixes: 85160e03a79e ("CIFS: Implement caching mechanism for mandatory brlocks")
Cc: stable(a)vger.kernel.org
Cc: Pavel Shilovsky <piastryyy(a)gmail.com>
Reviewed-by: David Howells <dhowells(a)redhat.com>
Reported-by: abartlet(a)samba.org
Reported-by: Kevin Ottens <kevin.ottens(a)enioka.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>

diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
index 1fc66bcf49eb..f9b302cb8233 100644
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -2912,9 +2912,7 @@ cifs_strict_readv(struct kiocb *iocb, struct iov_iter *to)
 	if (!CIFS_CACHE_READ(cinode))
 		return netfs_unbuffered_read_iter(iocb, to);
 
-	if (cap_unix(tcon->ses) &&
-	    (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) &&
-	    ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0)) {
+	if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0) {
 		if (iocb->ki_flags & IOCB_DIRECT)
 			return netfs_unbuffered_read_iter(iocb, to);
 		return netfs_buffered_read_iter(iocb, to);
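
The reproduction described in the commit message (open the file twice, lock
through handle one, read through handle two) might look roughly like the
userspace sketch below. It is only an illustration: read_while_locked() and
the path passed to it are hypothetical names, not part of the patch. On a
local filesystem, where POSIX locks are advisory, the read is expected to
succeed; per the commit message, on an affected SMB mount without
"forcemandatorylock" the read from the second handle failed with EACCES.

```c
#include <assert.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from the patch): open the same file through two
 * descriptors, take a POSIX byte-range write lock via the first, then read
 * through the second. Returns the number of bytes read, or -1 on error
 * (errno is left as set by the failing call).
 */
static ssize_t read_while_locked(const char *path)
{
	static const char payload[] = "hello";
	char buf[sizeof(payload)];
	struct flock lk;
	ssize_t n = -1;
	int fd1, fd2;

	assert(path != NULL);

	/* Handle one: create the file and write a small payload. */
	fd1 = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
	if (fd1 < 0)
		return -1;
	if (write(fd1, payload, strlen(payload)) != (ssize_t)strlen(payload))
		goto out_fd1;

	/* Handle two: a second, independent open of the same file. */
	fd2 = open(path, O_RDONLY);
	if (fd2 < 0)
		goto out_fd1;

	/* Lock the whole file (l_len == 0 means "to end of file") via handle one. */
	memset(&lk, 0, sizeof(lk));
	lk.l_type = F_WRLCK;
	lk.l_whence = SEEK_SET;
	lk.l_start = 0;
	lk.l_len = 0;
	if (fcntl(fd1, F_SETLK, &lk) == 0)
		n = read(fd2, buf, sizeof(buf));	/* read via handle two */

	close(fd2);
out_fd1:
	close(fd1);
	return n;
}
```

Calling read_while_locked() with a path on the mount under test and checking
for a return of -1 with errno == EACCES would be one way to tell whether a
given kernel still enforces the lock on cached reads.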

10 months, 3 weeks


FAILED: patch "[PATCH] smb3: fix broken cached reads when posix locks" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y
git checkout FETCH_HEAD
git cherry-pick -x e4be320eeca842a3d7648258ee3673f1755a5a59
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082639-canning-dress-147e@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^..

Possible dependencies:

e4be320eeca8 ("smb3: fix broken cached reads when posix locks")
3ee1a1fc3981 ("cifs: Cut over to using netfslib")
69c3c023af25 ("cifs: Implement netfslib hooks")
edea94a69730 ("cifs: Add mempools for cifs_io_request and cifs_io_subrequest structs")
1a5b4edd97ce ("cifs: Move cifs_loose_read_iter() and cifs_file_write_iter() to file.c")
ab58fbdeebc7 ("cifs: Use more fields from netfs_io_subrequest")
a975a2f22cdc ("cifs: Replace cifs_writedata with a wrapper around netfs_io_subrequest")
753b67eb630d ("cifs: Replace cifs_readdata with a wrapper around netfs_io_subrequest")
0f7c0f3f5150 ("cifs: Use alternative invalidation to using launder_folio")
2e9d7e4b984a ("mm: Remove the PG_fscache alias for PG_private_2")
2ff1e97587f4 ("netfs: Replace PG_fscache by setting folio->private and marking dirty")
f3dc1bdb6b0b ("cifs: Fix writeback data corruption")
d1bba17e20d5 ("Merge tag '6.8-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From e4be320eeca842a3d7648258ee3673f1755a5a59 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench(a)microsoft.com>
Date: Thu, 15 Aug 2024 18:31:36 -0500
Subject: [PATCH] smb3: fix broken cached reads when posix locks

Mandatory locking is enforced for cached reads, which violates
default posix semantics, and also it is enforced inconsistently.
This affected recent versions of libreoffice, and can be
demonstrated by opening a file twice from the same client,
locking it from handle one and trying to read from it from
handle two (which fails, returning EACCES).

There is already a mount option "forcemandatorylock"
(which defaults to off), so with this change only when the user
intentionally specifies "forcemandatorylock" on mount will we
break posix semantics on read to a locked range (ie we will
only fail in this case, if the user mounts with
"forcemandatorylock").

An earlier patch fixed the write path.

Fixes: 85160e03a79e ("CIFS: Implement caching mechanism for mandatory brlocks")
Cc: stable(a)vger.kernel.org
Cc: Pavel Shilovsky <piastryyy(a)gmail.com>
Reviewed-by: David Howells <dhowells(a)redhat.com>
Reported-by: abartlet(a)samba.org
Reported-by: Kevin Ottens <kevin.ottens(a)enioka.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>

diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
index 1fc66bcf49eb..f9b302cb8233 100644
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -2912,9 +2912,7 @@ cifs_strict_readv(struct kiocb *iocb, struct iov_iter *to)
 	if (!CIFS_CACHE_READ(cinode))
 		return netfs_unbuffered_read_iter(iocb, to);
 
-	if (cap_unix(tcon->ses) &&
-	    (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) &&
-	    ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0)) {
+	if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0) {
 		if (iocb->ki_flags & IOCB_DIRECT)
 			return netfs_unbuffered_read_iter(iocb, to);
 		return netfs_buffered_read_iter(iocb, to);

10 months, 3 weeks


FAILED: patch "[PATCH] smb3: fix broken cached reads when posix locks" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x e4be320eeca842a3d7648258ee3673f1755a5a59
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082638-decidable-mug-0c43@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..

Possible dependencies:

e4be320eeca8 ("smb3: fix broken cached reads when posix locks")
3ee1a1fc3981 ("cifs: Cut over to using netfslib")
69c3c023af25 ("cifs: Implement netfslib hooks")
edea94a69730 ("cifs: Add mempools for cifs_io_request and cifs_io_subrequest structs")
1a5b4edd97ce ("cifs: Move cifs_loose_read_iter() and cifs_file_write_iter() to file.c")
ab58fbdeebc7 ("cifs: Use more fields from netfs_io_subrequest")
a975a2f22cdc ("cifs: Replace cifs_writedata with a wrapper around netfs_io_subrequest")
753b67eb630d ("cifs: Replace cifs_readdata with a wrapper around netfs_io_subrequest")
0f7c0f3f5150 ("cifs: Use alternative invalidation to using launder_folio")
2e9d7e4b984a ("mm: Remove the PG_fscache alias for PG_private_2")
2ff1e97587f4 ("netfs: Replace PG_fscache by setting folio->private and marking dirty")
f3dc1bdb6b0b ("cifs: Fix writeback data corruption")
d1bba17e20d5 ("Merge tag '6.8-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From e4be320eeca842a3d7648258ee3673f1755a5a59 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench(a)microsoft.com>
Date: Thu, 15 Aug 2024 18:31:36 -0500
Subject: [PATCH] smb3: fix broken cached reads when posix locks

Mandatory locking is enforced for cached reads, which violates
default posix semantics, and also it is enforced inconsistently.
This affected recent versions of libreoffice, and can be
demonstrated by opening a file twice from the same client,
locking it from handle one and trying to read from it from
handle two (which fails, returning EACCES).

There is already a mount option "forcemandatorylock"
(which defaults to off), so with this change only when the user
intentionally specifies "forcemandatorylock" on mount will we
break posix semantics on read to a locked range (ie we will
only fail in this case, if the user mounts with
"forcemandatorylock").

An earlier patch fixed the write path.

Fixes: 85160e03a79e ("CIFS: Implement caching mechanism for mandatory brlocks")
Cc: stable(a)vger.kernel.org
Cc: Pavel Shilovsky <piastryyy(a)gmail.com>
Reviewed-by: David Howells <dhowells(a)redhat.com>
Reported-by: abartlet(a)samba.org
Reported-by: Kevin Ottens <kevin.ottens(a)enioka.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>

diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
index 1fc66bcf49eb..f9b302cb8233 100644
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -2912,9 +2912,7 @@ cifs_strict_readv(struct kiocb *iocb, struct iov_iter *to)
 	if (!CIFS_CACHE_READ(cinode))
 		return netfs_unbuffered_read_iter(iocb, to);
 
-	if (cap_unix(tcon->ses) &&
-	    (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) &&
-	    ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0)) {
+	if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0) {
 		if (iocb->ki_flags & IOCB_DIRECT)
 			return netfs_unbuffered_read_iter(iocb, to);
 		return netfs_buffered_read_iter(iocb, to);

10 months, 3 weeks


FAILED: patch "[PATCH] smb3: fix broken cached reads when posix locks" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x e4be320eeca842a3d7648258ee3673f1755a5a59
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082637-juvenile-trickle-8a0f@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..

Possible dependencies:

e4be320eeca8 ("smb3: fix broken cached reads when posix locks")
3ee1a1fc3981 ("cifs: Cut over to using netfslib")
69c3c023af25 ("cifs: Implement netfslib hooks")
edea94a69730 ("cifs: Add mempools for cifs_io_request and cifs_io_subrequest structs")
1a5b4edd97ce ("cifs: Move cifs_loose_read_iter() and cifs_file_write_iter() to file.c")
ab58fbdeebc7 ("cifs: Use more fields from netfs_io_subrequest")
a975a2f22cdc ("cifs: Replace cifs_writedata with a wrapper around netfs_io_subrequest")
753b67eb630d ("cifs: Replace cifs_readdata with a wrapper around netfs_io_subrequest")
0f7c0f3f5150 ("cifs: Use alternative invalidation to using launder_folio")
2e9d7e4b984a ("mm: Remove the PG_fscache alias for PG_private_2")
2ff1e97587f4 ("netfs: Replace PG_fscache by setting folio->private and marking dirty")
f3dc1bdb6b0b ("cifs: Fix writeback data corruption")
d1bba17e20d5 ("Merge tag '6.8-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From e4be320eeca842a3d7648258ee3673f1755a5a59 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench(a)microsoft.com>
Date: Thu, 15 Aug 2024 18:31:36 -0500
Subject: [PATCH] smb3: fix broken cached reads when posix locks

Mandatory locking is enforced for cached reads, which violates
default posix semantics, and also it is enforced inconsistently.
This affected recent versions of libreoffice, and can be
demonstrated by opening a file twice from the same client,
locking it from handle one and trying to read from it from
handle two (which fails, returning EACCES).

There is already a mount option "forcemandatorylock"
(which defaults to off), so with this change only when the user
intentionally specifies "forcemandatorylock" on mount will we
break posix semantics on read to a locked range (ie we will
only fail in this case, if the user mounts with
"forcemandatorylock").

An earlier patch fixed the write path.

Fixes: 85160e03a79e ("CIFS: Implement caching mechanism for mandatory brlocks")
Cc: stable(a)vger.kernel.org
Cc: Pavel Shilovsky <piastryyy(a)gmail.com>
Reviewed-by: David Howells <dhowells(a)redhat.com>
Reported-by: abartlet(a)samba.org
Reported-by: Kevin Ottens <kevin.ottens(a)enioka.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>

diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
index 1fc66bcf49eb..f9b302cb8233 100644
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -2912,9 +2912,7 @@ cifs_strict_readv(struct kiocb *iocb, struct iov_iter *to)
 	if (!CIFS_CACHE_READ(cinode))
 		return netfs_unbuffered_read_iter(iocb, to);
 
-	if (cap_unix(tcon->ses) &&
-	    (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) &&
-	    ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0)) {
+	if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0) {
 		if (iocb->ki_flags & IOCB_DIRECT)
 			return netfs_unbuffered_read_iter(iocb, to);
 		return netfs_buffered_read_iter(iocb, to);

10 months, 3 weeks


FAILED: patch "[PATCH] smb3: fix broken cached reads when posix locks" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x e4be320eeca842a3d7648258ee3673f1755a5a59
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082636-freehand-sliding-9738@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

e4be320eeca8 ("smb3: fix broken cached reads when posix locks")
3ee1a1fc3981 ("cifs: Cut over to using netfslib")
69c3c023af25 ("cifs: Implement netfslib hooks")
edea94a69730 ("cifs: Add mempools for cifs_io_request and cifs_io_subrequest structs")
1a5b4edd97ce ("cifs: Move cifs_loose_read_iter() and cifs_file_write_iter() to file.c")
ab58fbdeebc7 ("cifs: Use more fields from netfs_io_subrequest")
a975a2f22cdc ("cifs: Replace cifs_writedata with a wrapper around netfs_io_subrequest")
753b67eb630d ("cifs: Replace cifs_readdata with a wrapper around netfs_io_subrequest")
0f7c0f3f5150 ("cifs: Use alternative invalidation to using launder_folio")
2e9d7e4b984a ("mm: Remove the PG_fscache alias for PG_private_2")
2ff1e97587f4 ("netfs: Replace PG_fscache by setting folio->private and marking dirty")
f3dc1bdb6b0b ("cifs: Fix writeback data corruption")
d1bba17e20d5 ("Merge tag '6.8-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From e4be320eeca842a3d7648258ee3673f1755a5a59 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench(a)microsoft.com>
Date: Thu, 15 Aug 2024 18:31:36 -0500
Subject: [PATCH] smb3: fix broken cached reads when posix locks

Mandatory locking is enforced for cached reads, which violates
default posix semantics, and also it is enforced inconsistently.
This affected recent versions of libreoffice, and can be
demonstrated by opening a file twice from the same client,
locking it from handle one and trying to read from it from
handle two (which fails, returning EACCES).

There is already a mount option "forcemandatorylock"
(which defaults to off), so with this change only when the user
intentionally specifies "forcemandatorylock" on mount will we
break posix semantics on read to a locked range (ie we will
only fail in this case, if the user mounts with
"forcemandatorylock").

An earlier patch fixed the write path.

Fixes: 85160e03a79e ("CIFS: Implement caching mechanism for mandatory brlocks")
Cc: stable(a)vger.kernel.org
Cc: Pavel Shilovsky <piastryyy(a)gmail.com>
Reviewed-by: David Howells <dhowells(a)redhat.com>
Reported-by: abartlet(a)samba.org
Reported-by: Kevin Ottens <kevin.ottens(a)enioka.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>

diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
index 1fc66bcf49eb..f9b302cb8233 100644
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -2912,9 +2912,7 @@ cifs_strict_readv(struct kiocb *iocb, struct iov_iter *to)
 	if (!CIFS_CACHE_READ(cinode))
 		return netfs_unbuffered_read_iter(iocb, to);
 
-	if (cap_unix(tcon->ses) &&
-	    (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) &&
-	    ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0)) {
+	if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0) {
 		if (iocb->ki_flags & IOCB_DIRECT)
 			return netfs_unbuffered_read_iter(iocb, to);
 		return netfs_buffered_read_iter(iocb, to);

10 months, 3 weeks


FAILED: patch "[PATCH] smb3: fix broken cached reads when posix locks" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x e4be320eeca842a3d7648258ee3673f1755a5a59
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082635-cycle-universal-c044@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..

Possible dependencies:

e4be320eeca8 ("smb3: fix broken cached reads when posix locks")
3ee1a1fc3981 ("cifs: Cut over to using netfslib")
69c3c023af25 ("cifs: Implement netfslib hooks")
edea94a69730 ("cifs: Add mempools for cifs_io_request and cifs_io_subrequest structs")
1a5b4edd97ce ("cifs: Move cifs_loose_read_iter() and cifs_file_write_iter() to file.c")
ab58fbdeebc7 ("cifs: Use more fields from netfs_io_subrequest")
a975a2f22cdc ("cifs: Replace cifs_writedata with a wrapper around netfs_io_subrequest")
753b67eb630d ("cifs: Replace cifs_readdata with a wrapper around netfs_io_subrequest")
0f7c0f3f5150 ("cifs: Use alternative invalidation to using launder_folio")
2e9d7e4b984a ("mm: Remove the PG_fscache alias for PG_private_2")
2ff1e97587f4 ("netfs: Replace PG_fscache by setting folio->private and marking dirty")
f3dc1bdb6b0b ("cifs: Fix writeback data corruption")
d1bba17e20d5 ("Merge tag '6.8-rc1-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From e4be320eeca842a3d7648258ee3673f1755a5a59 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench(a)microsoft.com>
Date: Thu, 15 Aug 2024 18:31:36 -0500
Subject: [PATCH] smb3: fix broken cached reads when posix locks

Mandatory locking is enforced for cached reads, which violates
default posix semantics, and also it is enforced inconsistently.
This affected recent versions of libreoffice, and can be
demonstrated by opening a file twice from the same client,
locking it from handle one and trying to read from it from
handle two (which fails, returning EACCES).

There is already a mount option "forcemandatorylock"
(which defaults to off), so with this change only when the user
intentionally specifies "forcemandatorylock" on mount will we
break posix semantics on read to a locked range (ie we will
only fail in this case, if the user mounts with
"forcemandatorylock").

An earlier patch fixed the write path.

Fixes: 85160e03a79e ("CIFS: Implement caching mechanism for mandatory brlocks")
Cc: stable(a)vger.kernel.org
Cc: Pavel Shilovsky <piastryyy(a)gmail.com>
Reviewed-by: David Howells <dhowells(a)redhat.com>
Reported-by: abartlet(a)samba.org
Reported-by: Kevin Ottens <kevin.ottens(a)enioka.com>
Signed-off-by: Steve French <stfrench(a)microsoft.com>

diff --git a/fs/smb/client/file.c b/fs/smb/client/file.c
index 1fc66bcf49eb..f9b302cb8233 100644
--- a/fs/smb/client/file.c
+++ b/fs/smb/client/file.c
@@ -2912,9 +2912,7 @@ cifs_strict_readv(struct kiocb *iocb, struct iov_iter *to)
 	if (!CIFS_CACHE_READ(cinode))
 		return netfs_unbuffered_read_iter(iocb, to);
 
-	if (cap_unix(tcon->ses) &&
-	    (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) &&
-	    ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0)) {
+	if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0) {
 		if (iocb->ki_flags & IOCB_DIRECT)
 			return netfs_unbuffered_read_iter(iocb, to);
 		return netfs_buffered_read_iter(iocb, to);

10 months, 3 weeks


FAILED: patch "[PATCH] mmc: mtk-sd: receive cmd8 data when hs400 tuning fail" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082654-stood-dollop-a306@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

9374ae912dbb ("mmc: mtk-sd: receive cmd8 data when hs400 tuning fail")
b98e7e8daf0e ("mmc: Avoid open coding by using mmc_op_tuning()")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d Mon Sep 17 00:00:00 2001
From: Mengqi Zhang <mengqi.zhang(a)mediatek.com>
Date: Tue, 16 Jul 2024 09:37:04 +0800
Subject: [PATCH] mmc: mtk-sd: receive cmd8 data when hs400 tuning fail

When we use cmd8 as the tuning command in hs400 mode, the command
response sent back by some eMMC devices cannot be correctly sampled
by MTK eMMC controller at some weak sample timing. In this case,
command timeout error may occur. So we must receive the following
data to make sure the next cmd8 send correctly.

Signed-off-by: Mengqi Zhang <mengqi.zhang(a)mediatek.com>
Fixes: c4ac38c6539b ("mmc: mtk-sd: Add HS400 online tuning support")
Cc: stable(a)vger.stable.com
Link: https://lore.kernel.org/r/20240716013704.10578-1-mengqi.zhang@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org>

diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
index a94835b8ab93..e386f78e3267 100644
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -1230,7 +1230,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
 	}
 
 	if (!sbc_error && !(events & MSDC_INT_CMDRDY)) {
-		if (events & MSDC_INT_CMDTMO ||
+		if ((events & MSDC_INT_CMDTMO && !host->hs400_tuning) ||
 		    (!mmc_op_tuning(cmd->opcode) && !host->hs400_tuning))
 			/*
 			 * should not clear fifo/interrupt as the tune data
@@ -1323,9 +1323,9 @@ static void msdc_start_command(struct msdc_host *host,
 static void msdc_cmd_next(struct msdc_host *host,
 		struct mmc_request *mrq, struct mmc_command *cmd)
 {
-	if ((cmd->error &&
-	    !(cmd->error == -EILSEQ &&
-	      (mmc_op_tuning(cmd->opcode) || host->hs400_tuning))) ||
+	if ((cmd->error && !host->hs400_tuning &&
+	     !(cmd->error == -EILSEQ &&
+	     mmc_op_tuning(cmd->opcode))) ||
 	    (mrq->sbc && mrq->sbc->error))
 		msdc_request_done(host, mrq);
 	else if (cmd == mrq->sbc)
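
To see what the msdc_cmd_next() hunk changes, the old and new conditions can
be written as two plain predicates and compared. This is only a sketch for
reasoning about the boolean logic: the function and parameter names are
hypothetical stand-ins (err for cmd->error, tuning_op for
mmc_op_tuning(cmd->opcode), sbc_err for mrq->sbc && mrq->sbc->error), and
nothing here is driver code.

```c
#include <errno.h>
#include <stdbool.h>

/* Condition before the patch: true means "finish the request now". */
static bool finish_request_old(int err, bool tuning_op, bool hs400_tuning,
			       bool sbc_err)
{
	return (err && !(err == -EILSEQ && (tuning_op || hs400_tuning))) ||
	       sbc_err;
}

/*
 * Condition after the patch: while hs400 tuning is in progress, a command
 * error of any kind no longer finishes the request early.
 */
static bool finish_request_new(int err, bool tuning_op, bool hs400_tuning,
			       bool sbc_err)
{
	return (err && !hs400_tuning && !(err == -EILSEQ && tuning_op)) ||
	       sbc_err;
}
```

With err = -ETIMEDOUT and hs400_tuning set, the old predicate is true (the
request is completed immediately) while the new one is false, so the data
phase is still received, which matches the intent stated in the commit
message. For -EILSEQ during hs400 tuning both predicates are false.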

10 months, 3 weeks


FAILED: patch "[PATCH] drm/amdgpu: fix eGPU hotplug regression" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y
git checkout FETCH_HEAD
git cherry-pick -x 9cead81eff635e3b3cbce51b40228f3bdc6f2b8c
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082614-overnight-phonebook-e864@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^..

Possible dependencies:

9cead81eff63 ("drm/amdgpu: fix eGPU hotplug regression")
b32563859d6f ("drm/amdgpu: Do not wait for MP0_C2PMSG_33 IFWI init in SRIOV")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 9cead81eff635e3b3cbce51b40228f3bdc6f2b8c Mon Sep 17 00:00:00 2001
From: Alex Deucher <alexander.deucher(a)amd.com>
Date: Mon, 19 Aug 2024 11:14:29 -0400
Subject: [PATCH] drm/amdgpu: fix eGPU hotplug regression

The driver needs to wait for the on board firmware
to finish its initialization before probing the card.
Commit 959056982a9b ("drm/amdgpu: Fix discovery initialization failure during pci rescan")
switched from using msleep() to using usleep_range() which
seems to have caused init failures on some navi1x boards. Switch
back to msleep().

Fixes: 959056982a9b ("drm/amdgpu: Fix discovery initialization failure during pci rescan")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3559
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3500
Reviewed-by: Hawking Zhang <Hawking.Zhang(a)amd.com>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Cc: Ma Jun <Jun.Ma2(a)amd.com>
(cherry picked from commit c69b07f7bbc905022491c45097923d3487479529)
Cc: stable(a)vger.kernel.org # 6.10.x

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
index ac108fca64fe..7b561e8e3caf 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
@@ -278,7 +278,7 @@ static int amdgpu_discovery_read_binary_from_mem(struct amdgpu_device *adev,
 			msg = RREG32(mmMP0_SMN_C2PMSG_33);
 			if (msg & 0x80000000)
 				break;
-			usleep_range(1000, 1100);
+			msleep(1);
 		}
 	}

10 months, 3 weeks


FAILED: patch "[PATCH] drm/xe: prevent UAF around preempt fence" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y
git checkout FETCH_HEAD
git cherry-pick -x 730b72480e29f63fd644f5fa57c9d46109428953
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082602-sneezing-kettle-88ca@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^..

Possible dependencies:

730b72480e29 ("drm/xe: prevent UAF around preempt fence")
731e46c03228 ("drm/xe/exec_queue: Rename xe_exec_queue::compute to xe_exec_queue::lr")
b3181f433206 ("drm/xe/vm: Simplify if condition")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 730b72480e29f63fd644f5fa57c9d46109428953 Mon Sep 17 00:00:00 2001
From: Matthew Auld <matthew.auld(a)intel.com>
Date: Wed, 14 Aug 2024 12:01:30 +0100
Subject: [PATCH] drm/xe: prevent UAF around preempt fence

The fence lock is part of the queue, therefore in the current design
anything locking the fence should then also hold a ref to the queue to
prevent the queue from being freed.

However, currently it looks like we signal the fence and then drop the
queue ref, but if something is waiting on the fence, the waiter is
kicked to wake up at some later point, where upon waking up it first
grabs the lock before checking the fence state. But if we have already
dropped the queue ref, then the lock might already be freed as part of
the queue, leading to uaf.

To prevent this, move the fence lock into the fence itself so we don't
run into lifetime issues. Alternative might be to have device level
lock, or only release the queue in the fence release callback, however
that might require pushing to another worker to avoid locking issues.

Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020
Signed-off-by: Matthew Auld <matthew.auld(a)intel.com>
Cc: Matthew Brost <matthew.brost(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v6.8+
Reviewed-by: Matthew Brost <matthew.brost(a)intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240814110129.825847-2-matth…
(cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com>

diff --git a/drivers/gpu/drm/xe/xe_exec_queue.c b/drivers/gpu/drm/xe/xe_exec_queue.c
index 16f24f4a7062..9731dcd0b1bd 100644
--- a/drivers/gpu/drm/xe/xe_exec_queue.c
+++ b/drivers/gpu/drm/xe/xe_exec_queue.c
@@ -643,7 +643,6 @@ int xe_exec_queue_create_ioctl(struct drm_device *dev, void *data,
 
 		if (xe_vm_in_preempt_fence_mode(vm)) {
 			q->lr.context = dma_fence_context_alloc(1);
-			spin_lock_init(&q->lr.lock);
 
 			err = xe_vm_add_compute_exec_queue(vm, q);
 			if (XE_IOCTL_DBG(xe, err))
diff --git a/drivers/gpu/drm/xe/xe_exec_queue_types.h b/drivers/gpu/drm/xe/xe_exec_queue_types.h
index a35ce24c9798..f6ee0ae80fd6 100644
--- a/drivers/gpu/drm/xe/xe_exec_queue_types.h
+++ b/drivers/gpu/drm/xe/xe_exec_queue_types.h
@@ -126,8 +126,6 @@ struct xe_exec_queue {
 		u32 seqno;
 		/** @lr.link: link into VM's list of exec queues */
 		struct list_head link;
-		/** @lr.lock: preemption fences lock */
-		spinlock_t lock;
 	} lr;
 
 	/** @ops: submission backend exec queue operations */
diff --git a/drivers/gpu/drm/xe/xe_preempt_fence.c b/drivers/gpu/drm/xe/xe_preempt_fence.c
index e8b8ae5c6485..c453f45328b1 100644
--- a/drivers/gpu/drm/xe/xe_preempt_fence.c
+++ b/drivers/gpu/drm/xe/xe_preempt_fence.c
@@ -128,8 +128,9 @@ xe_preempt_fence_arm(struct xe_preempt_fence *pfence, struct xe_exec_queue *q,
 {
 	list_del_init(&pfence->link);
 	pfence->q = xe_exec_queue_get(q);
+	spin_lock_init(&pfence->lock);
 	dma_fence_init(&pfence->base, &preempt_fence_ops,
-		      &q->lr.lock, context, seqno);
+		      &pfence->lock, context, seqno);
 
 	return &pfence->base;
 }
diff --git a/drivers/gpu/drm/xe/xe_preempt_fence_types.h b/drivers/gpu/drm/xe/xe_preempt_fence_types.h
index b54b5c29b533..312c3372a49f 100644
--- a/drivers/gpu/drm/xe/xe_preempt_fence_types.h
+++ b/drivers/gpu/drm/xe/xe_preempt_fence_types.h
@@ -25,6 +25,8 @@ struct xe_preempt_fence {
 	struct xe_exec_queue *q;
 	/** @preempt_work: work struct which issues preemption */
 	struct work_struct preempt_work;
+	/** @lock: dma-fence fence lock */
+	spinlock_t lock;
 	/** @error: preempt fence is in error state */
 	int error;
 };
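
The lifetime argument in the commit message can be illustrated with a small
userspace model. This is a sketch under loud assumptions: the demo_queue and
demo_fence types and all demo_* functions are hypothetical, a C11 atomic_flag
stands in for the kernel spinlock, and a plain integer stands in for the
queue's reference count. The point it tries to show is only that, once the
lock is a member of the fence, a waiter can still take the lock after the
queue has been freed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for the exec queue: only a reference count. */
struct demo_queue {
	int refcount;
};

/* Hypothetical stand-in for the preempt fence. */
struct demo_fence {
	struct demo_queue *q;
	atomic_flag lock;	/* lives in the fence, like pfence->lock after the patch */
	bool signaled;
};

static void demo_queue_put(struct demo_queue *q)
{
	if (q && --q->refcount == 0)
		free(q);
}

/* Arm a fence: take a queue reference and initialise the fence's own lock. */
static struct demo_fence *demo_fence_arm(struct demo_queue *q)
{
	struct demo_fence *f = calloc(1, sizeof(*f));

	if (!f)
		return NULL;
	q->refcount++;
	f->q = q;
	atomic_flag_clear(&f->lock);
	return f;
}

/* Signal the fence, then drop the queue reference (possibly freeing the queue). */
static void demo_fence_signal(struct demo_fence *f)
{
	while (atomic_flag_test_and_set(&f->lock))
		;	/* spin until the lock is free */
	f->signaled = true;
	atomic_flag_clear(&f->lock);

	demo_queue_put(f->q);
	f->q = NULL;
}

/* A late waiter: takes the fence lock, which does not depend on the queue. */
static bool demo_fence_is_signaled(struct demo_fence *f)
{
	bool signaled;

	while (atomic_flag_test_and_set(&f->lock))
		;
	signaled = f->signaled;
	atomic_flag_clear(&f->lock);
	return signaled;
}
```

Had the lock been a member of demo_queue instead, demo_fence_is_signaled()
would touch freed memory whenever demo_fence_signal() dropped the last queue
reference first, which is the pattern the commit message describes.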

10 months, 3 weeks

1
0
0 0

FAILED: patch "[PATCH] drm/xe/display: Make display suspend/resume work on discrete" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y
git checkout FETCH_HEAD
git cherry-pick -x ddf6492e0e508b7c2b42c8d5a4ac82bd38ef0dd5
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082656-unexposed-simply-c596@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^..

Possible dependencies:

ddf6492e0e50 ("drm/xe/display: Make display suspend/resume work on discrete")
e7b180b22022 ("drm/xe: Prepare display for D3Cold")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From ddf6492e0e508b7c2b42c8d5a4ac82bd38ef0dd5 Mon Sep 17 00:00:00 2001
From: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com>
Date: Tue, 6 Aug 2024 12:50:44 +0200
Subject: [PATCH] drm/xe/display: Make display suspend/resume work on discrete

We should unpin before evicting all memory, and repin after GT resume.
This way, we preserve the contents of the framebuffers, and won't hang
on resume due to migration engine not being restored yet.

Signed-off-by: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com>
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: stable(a)vger.kernel.org # v6.8+
Reviewed-by: Uma Shankar <uma.shankar(a)intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240806105044.596842-3-maart…
Signed-off-by: Maarten Lankhorst,,, <maarten.lankhorst(a)linux.intel.com>
(cherry picked from commit cb8f81c1753187995b7a43e79c12959f14eb32d3)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com>

diff --git a/drivers/gpu/drm/xe/display/xe_display.c b/drivers/gpu/drm/xe/display/xe_display.c
index ca4468c82078..49de4e4f8a75 100644
--- a/drivers/gpu/drm/xe/display/xe_display.c
+++ b/drivers/gpu/drm/xe/display/xe_display.c
@@ -283,6 +283,27 @@ static bool suspend_to_idle(void)
 	return false;
 }
 
+static void xe_display_flush_cleanup_work(struct xe_device *xe)
+{
+	struct intel_crtc *crtc;
+
+	for_each_intel_crtc(&xe->drm, crtc) {
+		struct drm_crtc_commit *commit;
+
+		spin_lock(&crtc->base.commit_lock);
+		commit = list_first_entry_or_null(&crtc->base.commit_list,
+						  struct drm_crtc_commit, commit_entry);
+		if (commit)
+			drm_crtc_commit_get(commit);
+		spin_unlock(&crtc->base.commit_lock);
+
+		if (commit) {
+			wait_for_completion(&commit->cleanup_done);
+			drm_crtc_commit_put(commit);
+		}
+	}
+}
+
 void xe_display_pm_suspend(struct xe_device *xe, bool runtime)
 {
 	bool s2idle = suspend_to_idle();
@@ -300,6 +321,8 @@ void xe_display_pm_suspend(struct xe_device *xe, bool runtime)
 	if (!runtime)
 		intel_display_driver_suspend(xe);
 
+	xe_display_flush_cleanup_work(xe);
+
 	intel_dp_mst_suspend(xe);
 
 	intel_hpd_cancel_work(xe);
diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c
index de3b5df65e48..9a3f618d22dc 100644
--- a/drivers/gpu/drm/xe/xe_pm.c
+++ b/drivers/gpu/drm/xe/xe_pm.c
@@ -91,13 +91,13 @@ int xe_pm_suspend(struct xe_device *xe)
 	for_each_gt(gt, xe, id)
 		xe_gt_suspend_prepare(gt);
 
+	xe_display_pm_suspend(xe, false);
+
 	/* FIXME: Super racey... */
 	err = xe_bo_evict_all(xe);
 	if (err)
 		goto err;
 
-	xe_display_pm_suspend(xe, false);
-
 	for_each_gt(gt, xe, id) {
 		err = xe_gt_suspend(gt);
 		if (err) {
@@ -151,11 +151,11 @@ int xe_pm_resume(struct xe_device *xe)
 
 	xe_irq_resume(xe);
 
-	xe_display_pm_resume(xe, false);
-
 	for_each_gt(gt, xe, id)
 		xe_gt_resume(gt);
 
+	xe_display_pm_resume(xe, false);
+
 	err = xe_bo_restore_user(xe);
 	if (err)
 		goto err;
@@ -363,10 +363,11 @@ int xe_pm_runtime_suspend(struct xe_device *xe)
 	mutex_unlock(&xe->mem_access.vram_userfault.lock);
 
 	if (xe->d3cold.allowed) {
+		xe_display_pm_suspend(xe, true);
+
 		err = xe_bo_evict_all(xe);
 		if (err)
 			goto out;
-		xe_display_pm_suspend(xe, true);
 	}
 
 	for_each_gt(gt, xe, id) {

10 months, 3 weeks


FAILED: patch "[PATCH] ksmbd: the buffer of smb2 query dir response has at least 1" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y
git checkout FETCH_HEAD
git cherry-pick -x ce61b605a00502c59311d0a4b1f58d62b48272d0
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024082603-lend-finishing-4d83@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^..

Possible dependencies:

ce61b605a005 ("ksmbd: the buffer of smb2 query dir response has at least 1 byte")
e2b76ab8b5c9 ("ksmbd: add support for read compound")
e202a1e8634b ("ksmbd: no response from compound read")
7b7d709ef7cf ("ksmbd: add missing compound request handing in some commands")
81a94b27847f ("ksmbd: use kvzalloc instead of kvmalloc")
38c8a9a52082 ("smb: move client and server files to common directory fs/smb")
30210947a343 ("ksmbd: fix racy issue under cocurrent smb2 tree disconnect")
abcc506a9a71 ("ksmbd: fix racy issue from smb2 close and logoff with multichannel")
ea174a918939 ("ksmbd: destroy expired sessions")
f5c779b7ddbd ("ksmbd: fix racy issue from session setup and logoff")
74d7970febf7 ("ksmbd: fix racy issue from using ->d_parent and ->d_name")
34e8ccf9ce24 ("ksmbd: set NegotiateContextCount once instead of every inc")
42bc6793e452 ("Merge tag 'pull-lock_rename_child' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into ksmbd-for-next")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From ce61b605a00502c59311d0a4b1f58d62b48272d0 Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon(a)kernel.org>
Date: Tue, 20 Aug 2024 22:07:38 +0900
Subject: [PATCH] ksmbd: the buffer of smb2 query dir response has at least 1 byte

When STATUS_NO_MORE_FILES status is set to smb2 query dir response,
->StructureSize is set to 9, which means the buffer has 1 byte.
This issue occurs because ->Buffer[1] in smb2_query_directory_rsp was
changed to a flex-array.

Fixes: eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
Cc: stable(a)vger.kernel.org # v6.1+
Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org>
Signed-off-by: Steve French <stfrench(a)microsoft.com>

diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 0bc9edf22ba4..e9204180919e 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4409,7 +4409,8 @@ int smb2_query_dir(struct ksmbd_work *work)
 		rsp->OutputBufferLength = cpu_to_le32(0);
 		rsp->Buffer[0] = 0;
 		rc = ksmbd_iov_pin_rsp(work, (void *)rsp,
-				       sizeof(struct smb2_query_directory_rsp));
+				       offsetof(struct smb2_query_directory_rsp, Buffer)
+				       + 1);
 		if (rc)
 			goto err_out;
 	} else {
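
The size arithmetic behind this change can be sketched in plain userspace C. This is only an illustration: struct demo_rsp and both helper functions are made-up names, the struct leaves out the SMB2 header, and it is not the real smb2_query_directory_rsp layout. The point is that a flexible array member adds nothing to sizeof(), so a response that must still carry one payload byte has to be sized with offsetof() + 1.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Hypothetical stand-in for a response body. NOT the real
 * smb2_query_directory_rsp: the SMB2 header is left out on purpose.
 */
struct demo_rsp {
	uint16_t structure_size;  /* fixed value that counts one payload byte */
	uint16_t output_offset;
	uint32_t output_length;
	uint8_t  buffer[];        /* flexible array member: 0 bytes in sizeof() */
};

/* Length that sizeof() yields once buffer is a flexible array. */
static size_t demo_rsp_sizeof_len(void)
{
	return sizeof(struct demo_rsp);
}

/* Length of an empty response that still carries one payload byte. */
static size_t demo_rsp_min_len(void)
{
	return offsetof(struct demo_rsp, buffer) + 1;
}
```

With this layout the fixed fields take 8 bytes, so the one-byte variant comes out one larger than what sizeof() reports, which is the missing byte the patch restores.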

10 months, 3 weeks


[PATCH v2 2/7] media: sun4i_csi: Implement link validate for sun4i_csi subdev

by Laurent Pinchart

The sun4i_csi driver doesn't implement link validation for the subdev it
registers, leaving the link between the subdev and its source
unvalidated. Fix it, using the v4l2_subdev_link_validate() helper.

Fixes: 577bbf23b758 ("media: sunxi: Add A10 CSI driver")
Cc: stable(a)vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Acked-by: Chen-Yu Tsai <wens(a)csie.org>
---
 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
index 097a3a08ef7d..dbb26c7b2f8d 100644
--- a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
+++ b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
@@ -39,6 +39,10 @@ static const struct media_entity_operations sun4i_csi_video_entity_ops = {
 	.link_validate = v4l2_subdev_link_validate,
 };
 
+static const struct media_entity_operations sun4i_csi_subdev_entity_ops = {
+	.link_validate = v4l2_subdev_link_validate,
+};
+
 static int sun4i_csi_notify_bound(struct v4l2_async_notifier *notifier,
 				  struct v4l2_subdev *subdev,
 				  struct v4l2_async_connection *asd)
@@ -214,6 +218,7 @@ static int sun4i_csi_probe(struct platform_device *pdev)
 	subdev->internal_ops = &sun4i_csi_subdev_internal_ops;
 	subdev->flags = V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS;
 	subdev->entity.function = MEDIA_ENT_F_VID_IF_BRIDGE;
+	subdev->entity.ops = &sun4i_csi_subdev_entity_ops;
 	subdev->owner = THIS_MODULE;
 	snprintf(subdev->name, sizeof(subdev->name), "sun4i-csi-0");
 	v4l2_set_subdevdata(subdev, csi);
-- 
Regards,

Laurent Pinchart

10 months, 3 weeks


[PATCH] mt76: mt7915: check devm_kasprintf() returned value

by Ma Ke

devm_kasprintf() can return a NULL pointer on failure but this returned
value is not checked. Fix this lack and check the returned value.

Found by code review.

Cc: stable(a)vger.kernel.org
Fixes: 6ae39b7c7ed4 ("wifi: mt76: mt7921: Support temp sensor")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
 drivers/net/wireless/mediatek/mt76/mt7915/init.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
index a978f434dc5e..7bc3b4cd3592 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
@@ -194,6 +194,8 @@ static int mt7915_thermal_init(struct mt7915_phy *phy)
 
 	name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7915_%s",
 			      wiphy_name(wiphy));
+	if (!name)
+		return -ENOMEM;
 
 	cdev = thermal_cooling_device_register(name, phy, &mt7915_thermal_ops);
 	if (!IS_ERR(cdev)) {
-- 
2.25.1

10 months, 3 weeks


[PATCH] wifi: mt76: mt7921: Check devm_kasprintf() returned value

by Ma Ke

devm_kasprintf() can return a NULL pointer on failure but this returned
value is not checked. Fix this lack and check the returned value.

Found by code review.

Cc: stable(a)vger.kernel.org
Fixes: 6ae39b7c7ed4 ("wifi: mt76: mt7921: Support temp sensor")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
 drivers/net/wireless/mediatek/mt76/mt7921/init.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/init.c b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
index ef0c721d26e3..5ab395d9d93e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
@@ -52,6 +52,8 @@ static int mt7921_thermal_init(struct mt792x_phy *phy)
 
 	name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7921_%s",
 			      wiphy_name(wiphy));
+	if (!name)
+		return -ENOMEM;
 
 	hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, name, phy,
 						       mt7921_hwmon_groups);
-- 
2.25.1

10 months, 3 weeks


[PATCH] bus: mhi: host: pci_generic: Fix the name for the Telit FE990A

by Fabio Porcedda

Add a mhi_pci_dev_info struct specific for the Telit FE990A modem in
order to use the correct product name.

Cc: stable(a)vger.kernel.org # 6.1+
Fixes: 0724869ede9c ("bus: mhi: host: pci_generic: add support for Telit FE990 modem")
Signed-off-by: Fabio Porcedda <fabio.porcedda(a)gmail.com>
---
 drivers/bus/mhi/host/pci_generic.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/bus/mhi/host/pci_generic.c b/drivers/bus/mhi/host/pci_generic.c
index 14a11880bcea..fb701c67f763 100644
--- a/drivers/bus/mhi/host/pci_generic.c
+++ b/drivers/bus/mhi/host/pci_generic.c
@@ -680,6 +680,15 @@ static const struct mhi_pci_dev_info mhi_telit_fn990_info = {
 	.mru_default = 32768,
 };
 
+static const struct mhi_pci_dev_info mhi_telit_fe990a_info = {
+	.name = "telit-fe990a",
+	.config = &modem_telit_fn990_config,
+	.bar_num = MHI_PCI_DEFAULT_BAR_NUM,
+	.dma_data_width = 32,
+	.sideband_wake = false,
+	.mru_default = 32768,
+};
+
 /* Keep the list sorted based on the PID. New VID should be added as the last entry */
 static const struct pci_device_id mhi_pci_id_table[] = {
 	{ PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0304),
@@ -697,9 +706,9 @@ static const struct pci_device_id mhi_pci_id_table[] = {
 	/* Telit FN990 */
 	{ PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x0308, 0x1c5d, 0x2010),
 		.driver_data = (kernel_ulong_t) &mhi_telit_fn990_info },
-	/* Telit FE990 */
+	/* Telit FE990A */
 	{ PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x0308, 0x1c5d, 0x2015),
-		.driver_data = (kernel_ulong_t) &mhi_telit_fn990_info },
+		.driver_data = (kernel_ulong_t) &mhi_telit_fe990a_info },
 	{ PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0308),
 		.driver_data = (kernel_ulong_t) &mhi_qcom_sdx65_info },
 	{ PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0309),
-- 
2.46.0
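
For readers unfamiliar with how such an ID table selects the per-device info, here is a rough userspace sketch. Everything in it is hypothetical (struct demo_id, DEMO_ANY_ID, demo_lookup() and the "demo-*" names); it only assumes a first-match walk over the table, which is why the entries with a specific subsystem ID have to sit before the generic 0x0308 entry.

```c
#include <stddef.h>
#include <stdint.h>

#define DEMO_ANY_ID 0xffffu  /* hypothetical wildcard for subsystem IDs */

struct demo_dev_info {
	const char *name;
};

struct demo_id {
	uint16_t device;
	uint16_t subvendor;
	uint16_t subdevice;
	const struct demo_dev_info *info;
};

/* Placeholder names, chosen for this sketch only. */
static const struct demo_dev_info demo_fn990_info   = { "demo-fn990" };
static const struct demo_dev_info demo_fe990a_info  = { "demo-fe990a" };
static const struct demo_dev_info demo_generic_info = { "demo-generic" };

/* Specific subsystem IDs first, the generic device entry last. */
static const struct demo_id demo_id_table[] = {
	{ 0x0308, 0x1c5d, 0x2010, &demo_fn990_info },
	{ 0x0308, 0x1c5d, 0x2015, &demo_fe990a_info },
	{ 0x0308, DEMO_ANY_ID, DEMO_ANY_ID, &demo_generic_info },
};

/* Return the info of the first matching entry, or NULL if none matches. */
static const struct demo_dev_info *demo_lookup(uint16_t device,
					       uint16_t subvendor,
					       uint16_t subdevice)
{
	size_t n = sizeof(demo_id_table) / sizeof(demo_id_table[0]);

	for (size_t i = 0; i < n; i++) {
		const struct demo_id *id = &demo_id_table[i];

		if (id->device != device)
			continue;
		if (id->subvendor != DEMO_ANY_ID && id->subvendor != subvendor)
			continue;
		if (id->subdevice != DEMO_ANY_ID && id->subdevice != subdevice)
			continue;
		return id->info;
	}
	return NULL;
}
```

In this sketch, subsystem ID 0x2015 resolves to its own info struct rather than sharing the 0x2010 one, mirroring what the patch does for the product name.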

10 months, 3 weeks


[PATCH v3 7/9] vdpa: solidrun: Fix UB bug with devres

by Philipp Stanner

In psnet_open_pf_bar() and snet_open_vf_bar() a string later passed to
pcim_iomap_regions() is placed on the stack. Neither
pcim_iomap_regions() nor the functions it calls copy that string.

Should the string later ever be used, this, consequently, causes
undefined behavior since the stack frame will by then have disappeared.

Fix the bug by allocating the strings on the heap through
devm_kasprintf().

Cc: stable(a)vger.kernel.org # v6.3
Fixes: 51a8f9d7f587 ("virtio: vdpa: new SolidNET DPU driver.")
Reported-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr>
Closes: https://lore.kernel.org/all/74e9109a-ac59-49e2-9b1d-d825c9c9f891@wanadoo.fr/
Suggested-by: Andy Shevchenko <andy(a)kernel.org>
Signed-off-by: Philipp Stanner <pstanner(a)redhat.com>
---
 drivers/vdpa/solidrun/snet_main.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/vdpa/solidrun/snet_main.c b/drivers/vdpa/solidrun/snet_main.c
index 99428a04068d..67235f6190ef 100644
--- a/drivers/vdpa/solidrun/snet_main.c
+++ b/drivers/vdpa/solidrun/snet_main.c
@@ -555,7 +555,7 @@ static const struct vdpa_config_ops snet_config_ops = {
 
 static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet)
 {
-	char name[50];
+	char *name;
 	int ret, i, mask = 0;
 	/* We don't know which BAR will be used to communicate..
 	 * We will map every bar with len > 0.
@@ -573,7 +573,10 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet)
 		return -ENODEV;
 	}
 
-	snprintf(name, sizeof(name), "psnet[%s]-bars", pci_name(pdev));
+	name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "psnet[%s]-bars", pci_name(pdev));
+	if (!name)
+		return -ENOMEM;
+
 	ret = pcim_iomap_regions(pdev, mask, name);
 	if (ret) {
 		SNET_ERR(pdev, "Failed to request and map PCI BARs\n");
@@ -590,10 +593,12 @@ static int psnet_open_pf_bar(struct pci_dev *pdev, struct psnet *psnet)
 
 static int snet_open_vf_bar(struct pci_dev *pdev, struct snet *snet)
 {
-	char name[50];
+	char *name;
 	int ret;
 
-	snprintf(name, sizeof(name), "snet[%s]-bar", pci_name(pdev));
+	name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "psnet[%s]-bars", pci_name(pdev));
+	if (!name)
+		return -ENOMEM;
 	/* Request and map BAR */
 	ret = pcim_iomap_regions(pdev, BIT(snet->psnet->cfg.vf_bar), name);
 	if (ret) {
-- 
2.46.0
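
The lifetime problem described in the commit message can be illustrated outside the kernel. The sketch below is a userspace analogy only: struct demo_region and the demo_* helpers are invented for this example, malloc()/free() stand in for the device-managed allocation, and the "psnet[%s]-bars" format string is the one from the patch. The registry keeps the pointer without copying the string, so the name has to live on the heap rather than in the caller's stack frame.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical registry entry that stores the pointer and does not copy it. */
struct demo_region {
	const char *name;
};

/*
 * Build the region name on the heap so it outlives this function's frame.
 * Returns 0 on success, -1 on formatting or allocation failure.
 */
static int demo_open_bar(struct demo_region *region, const char *dev_name)
{
	int len = snprintf(NULL, 0, "psnet[%s]-bars", dev_name);
	char *name;

	if (len < 0)
		return -1;

	name = malloc((size_t)len + 1);
	if (!name)
		return -1;  /* the kernel patch returns -ENOMEM at this point */

	snprintf(name, (size_t)len + 1, "psnet[%s]-bars", dev_name);
	region->name = name;
	return 0;
}

/* The stored name is still valid here, long after demo_open_bar() returned. */
static int demo_name_is(const struct demo_region *region, const char *expected)
{
	return region->name && strcmp(region->name, expected) == 0;
}

static void demo_close_bar(struct demo_region *region)
{
	free((void *)region->name);
	region->name = NULL;
}
```

Had demo_open_bar() stored a pointer to a local char name[50] instead, demo_name_is() would read a dead stack frame, which is the undefined behavior the patch removes.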

10 months, 3 weeks


[PATCH RESEND] wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he

by Ma Ke

Fix the NULL pointer dereference in mt7996_mcu_sta_bfer_he
routine adding an sta interface to the mt7996 driver.

Found by code review.

Cc: stable(a)vger.kernel.org
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
 drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index 2e4fa9f48dfb..cba28d8d5562 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -1544,6 +1544,9 @@ mt7996_mcu_sta_bfer_he(struct ieee80211_sta *sta, struct ieee80211_vif *vif,
 	u8 nss_mcs = mt7996_mcu_get_sta_nss(mcs_map);
 	u8 snd_dim, sts;
 
+	if (!vc)
+		return;
+
 	bf->tx_mode = MT_PHY_TYPE_HE_SU;
 
 	mt7996_mcu_sta_sounding_rate(bf);
-- 
2.25.1

10 months, 3 weeks


[PATCH 6.11 regression fix] ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder

by Hans de Goede

Since commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component
via COMP_DUMMY()") dummy codecs declared like this:

SND_SOC_DAILINK_DEF(dummy,
        DAILINK_COMP_ARRAY(COMP_DUMMY()));

expand to:

static struct snd_soc_dai_link_component dummy[] = {
};

Which means that dummy is a zero sized array and thus dais[i].codecs should
not be dereferenced *at all* since it points to the address of the next
variable stored in the data section as the "dummy" variable has an address
but no size, so even dereferencing dais[0] is already an out of bounds
array reference.

Which means that the if (dais[i].codecs->name) check added in
commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT
boards") relies on that the part of the next variable which the name member
maps to just happens to be NULL.

Which apparently so far it usually is, except when it isn't
and then it results in crashes like this one:

[ 28.795659] BUG: unable to handle page fault for address: 0000000000030011
...
[ 28.795780] Call Trace:
[ 28.795787] <TASK>
...
[ 28.795862] ? strcmp+0x18/0x40
[ 28.795872] 0xffffffffc150c605
[ 28.795887] platform_probe+0x40/0xa0
...
[ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]

Really fix things this time around by checking dais.num_codecs != 0.

Fixes: 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards")
Cc: stable(a)vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede(a)redhat.com>
---
 sound/soc/intel/boards/bxt_rt298.c      | 2 +-
 sound/soc/intel/boards/bytcht_cx2072x.c | 2 +-
 sound/soc/intel/boards/bytcht_da7213.c  | 2 +-
 sound/soc/intel/boards/bytcht_es8316.c  | 2 +-
 sound/soc/intel/boards/bytcr_rt5640.c   | 2 +-
 sound/soc/intel/boards/bytcr_rt5651.c   | 2 +-
 sound/soc/intel/boards/bytcr_wm5102.c   | 2 +-
 sound/soc/intel/boards/cht_bsw_rt5645.c | 2 +-
 sound/soc/intel/boards/cht_bsw_rt5672.c | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c
index dce6a2086f2a..6da1517c53c6 100644
--- a/sound/soc/intel/boards/bxt_rt298.c
+++ b/sound/soc/intel/boards/bxt_rt298.c
@@ -605,7 +605,7 @@ static int broxton_audio_probe(struct platform_device *pdev)
 	int i;
 
 	for (i = 0; i < ARRAY_SIZE(broxton_rt298_dais); i++) {
-		if (card->dai_link[i].codecs->name &&
+		if (card->dai_link[i].num_codecs &&
 		    !strncmp(card->dai_link[i].codecs->name, "i2c-INT343A:00",
 			     I2C_NAME_SIZE)) {
 			if (!strncmp(card->name, "broxton-rt298",
diff --git a/sound/soc/intel/boards/bytcht_cx2072x.c b/sound/soc/intel/boards/bytcht_cx2072x.c
index c014d85a08b2..df3c2a7b64d2 100644
--- a/sound/soc/intel/boards/bytcht_cx2072x.c
+++ b/sound/soc/intel/boards/bytcht_cx2072x.c
@@ -241,7 +241,7 @@ static int snd_byt_cht_cx2072x_probe(struct platform_device *pdev)
 
 	/* fix index of codec dai */
 	for (i = 0; i < ARRAY_SIZE(byt_cht_cx2072x_dais); i++) {
-		if (byt_cht_cx2072x_dais[i].codecs->name &&
+		if (byt_cht_cx2072x_dais[i].num_codecs &&
 		    !strcmp(byt_cht_cx2072x_dais[i].codecs->name,
 			    "i2c-14F10720:00")) {
 			dai_index = i;
diff --git a/sound/soc/intel/boards/bytcht_da7213.c b/sound/soc/intel/boards/bytcht_da7213.c
index f4ac3ddd148b..08c598b7e1ee 100644
--- a/sound/soc/intel/boards/bytcht_da7213.c
+++ b/sound/soc/intel/boards/bytcht_da7213.c
@@ -245,7 +245,7 @@ static int bytcht_da7213_probe(struct platform_device *pdev)
 
 	/* fix index of codec dai */
 	for (i = 0; i < ARRAY_SIZE(dailink); i++) {
-		if (dailink[i].codecs->name &&
+		if (dailink[i].num_codecs &&
 		    !strcmp(dailink[i].codecs->name, "i2c-DLGS7213:00")) {
 			dai_index = i;
 			break;
diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c
index 2fcec2e02bb5..77b91ea4dc32 100644
--- a/sound/soc/intel/boards/bytcht_es8316.c
+++ b/sound/soc/intel/boards/bytcht_es8316.c
@@ -546,7 +546,7 @@ static int snd_byt_cht_es8316_mc_probe(struct platform_device *pdev)
 
 	/* fix index of codec dai */
 	for (i = 0; i < ARRAY_SIZE(byt_cht_es8316_dais); i++) {
-		if (byt_cht_es8316_dais[i].codecs->name &&
+		if (byt_cht_es8316_dais[i].num_codecs &&
 		    !strcmp(byt_cht_es8316_dais[i].codecs->name,
 			    "i2c-ESSX8316:00")) {
 			dai_index = i;
diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index a64d1989e28a..db4a33680d94 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -1677,7 +1677,7 @@ static int snd_byt_rt5640_mc_probe(struct platform_device *pdev)
 
 	/* fix index of codec dai */
 	for (i = 0; i < ARRAY_SIZE(byt_rt5640_dais); i++) {
-		if (byt_rt5640_dais[i].codecs->name &&
+		if (byt_rt5640_dais[i].num_codecs &&
 		    !strcmp(byt_rt5640_dais[i].codecs->name,
 			    "i2c-10EC5640:00")) {
 			dai_index = i;
diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c
index 80c841b000a3..8514b79f389b 100644
--- a/sound/soc/intel/boards/bytcr_rt5651.c
+++ b/sound/soc/intel/boards/bytcr_rt5651.c
@@ -910,7 +910,7 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev)
 
 	/* fix index of codec dai */
 	for (i = 0; i < ARRAY_SIZE(byt_rt5651_dais); i++) {
-		if (byt_rt5651_dais[i].codecs->name &&
+		if (byt_rt5651_dais[i].num_codecs &&
 		    !strcmp(byt_rt5651_dais[i].codecs->name,
 			    "i2c-10EC5651:00")) {
 			dai_index = i;
diff --git a/sound/soc/intel/boards/bytcr_wm5102.c b/sound/soc/intel/boards/bytcr_wm5102.c
index cccb5e90c0fe..e5a7cc606aa9 100644
--- a/sound/soc/intel/boards/bytcr_wm5102.c
+++ b/sound/soc/intel/boards/bytcr_wm5102.c
@@ -605,7 +605,7 @@ static int snd_byt_wm5102_mc_probe(struct platform_device *pdev)
 
 	/* find index of codec dai */
 	for (i = 0; i < ARRAY_SIZE(byt_wm5102_dais); i++) {
-		if (byt_wm5102_dais[i].codecs->name &&
+		if (byt_wm5102_dais[i].num_codecs &&
 		    !strcmp(byt_wm5102_dais[i].codecs->name,
 			    "wm5102-codec")) {
 			dai_index = i;
diff --git a/sound/soc/intel/boards/cht_bsw_rt5645.c b/sound/soc/intel/boards/cht_bsw_rt5645.c
index eb41b7115d01..1da9ceee4d59 100644
--- a/sound/soc/intel/boards/cht_bsw_rt5645.c
+++ b/sound/soc/intel/boards/cht_bsw_rt5645.c
@@ -569,7 +569,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev)
 
 	/* set correct codec name */
 	for (i = 0; i < ARRAY_SIZE(cht_dailink); i++)
-		if (cht_dailink[i].codecs->name &&
+		if (cht_dailink[i].num_codecs &&
 		    !strcmp(cht_dailink[i].codecs->name,
 			    "i2c-10EC5645:00")) {
 			dai_index = i;
diff --git a/sound/soc/intel/boards/cht_bsw_rt5672.c b/sound/soc/intel/boards/cht_bsw_rt5672.c
index be2d1a8dbca8..d68e5bc755de 100644
--- a/sound/soc/intel/boards/cht_bsw_rt5672.c
+++ b/sound/soc/intel/boards/cht_bsw_rt5672.c
@@ -466,7 +466,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev)
 
 	/* find index of codec dai */
 	for (i = 0; i < ARRAY_SIZE(cht_dailink); i++) {
-		if (cht_dailink[i].num_codecs->name &&
+		if (cht_dailink[i].num_codecs &&
 		    !strcmp(cht_dailink[i].codecs->name, RT5672_I2C_DEFAULT)) {
 			dai_index = i;
 			break;
-- 
2.46.0
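
The check-the-count-first idea can be shown in a small standalone sketch. The types and the demo_find_codec_link() helper below are invented for illustration and are not the ASoC structures. One simplification to be aware of: the empty link here uses a NULL pointer, whereas in the kernel case the pointer is non-NULL and points at a zero-sized array. Testing the element count before touching the array covers both situations.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for a codec component and a DAI link. */
struct demo_component {
	const char *name;
};

struct demo_link {
	const struct demo_component *codecs;  /* may refer to zero elements */
	unsigned int num_codecs;              /* number of valid elements */
};

/*
 * Return the index of the first link whose first codec has the given
 * name, or -1 if there is none. Assumes that a link with num_codecs > 0
 * has a non-NULL name in its first codec.
 */
static int demo_find_codec_link(const struct demo_link *links, size_t n_links,
				const char *codec_name)
{
	for (size_t i = 0; i < n_links; i++) {
		/* Count first: with zero codecs, codecs[0] must not be read. */
		if (links[i].num_codecs &&
		    !strcmp(links[i].codecs[0].name, codec_name))
			return (int)i;
	}
	return -1;
}
```

Because && short-circuits, the strcmp() on the first codec is never evaluated for a link that reports zero codecs.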

10 months, 3 weeks


[PATCH v1 1/2] ufs: core: complete scsi command after release

by peter.wang＠mediatek.com

From: Peter Wang <peter.wang(a)mediatek.com>

When the error handler successfully aborts a MCQ request,
it only releases the command and does not notify the SCSI layer.
This may cause another abort after 30 seconds timeout.
This patch notifies the SCSI layer to requeue the request.

Below is error log
[ 14.183804][ T74] ufshcd-mtk 112b0000.ufshci: ufshcd_err_handler started; HBA state eh_non_fatal; powered 1; shutting down 0; saved_err = 4; saved_uic_err = 64; force_reset = 0
[ 14.256164][ T74] ufshcd-mtk 112b0000.ufshci: ufshcd_try_to_abort_task: cmd pending in the device. tag = 19
[ 14.257511][ T74] ufshcd-mtk 112b0000.ufshci: Aborting tag 19 / CDB 0x35 succeeded
[ 34.287949][ T8] ufshcd-mtk 112b0000.ufshci: ufshcd_abort: Device abort task at tag 19
[ 34.290514][ T8] ufshcd-mtk 112b0000.ufshci: ufshcd_mcq_abort: skip abort. cmd at tag 19 already completed.

Fixes: 93e6c0e19d5b ("scsi: ufs: core: Clear cmd if abort succeeds in MCQ mode")
Cc: <stable(a)vger.kernel.org> 6.6.x
Signed-off-by: Peter Wang <peter.wang(a)mediatek.com>
---
 drivers/ufs/core/ufshcd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 0b3d0c8e0dda..4bcd4e5b62bd 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -6482,8 +6482,12 @@ static bool ufshcd_abort_one(struct request *rq, void *priv)
 		if (!hwq)
 			return 0;
 		spin_lock_irqsave(&hwq->cq_lock, flags);
-		if (ufshcd_cmd_inflight(lrbp->cmd))
+		if (ufshcd_cmd_inflight(lrbp->cmd)) {
+			struct scsi_cmnd *cmd = lrbp->cmd;
+			set_host_byte(cmd, DID_REQUEUE);
 			ufshcd_release_scsi_cmd(hba, lrbp);
+			scsi_done(cmd);
+		}
 		spin_unlock_irqrestore(&hwq->cq_lock, flags);
 	}
 
-- 
2.45.2
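
The ordering in the new hunk (save the command pointer, mark it for requeue, release the slot, then complete through the saved pointer) can be modelled with a toy example. All names below are hypothetical and none of this is UFS driver code. In particular, the sketch assumes that releasing a slot may clear its command pointer, which is one plausible reason for saving the pointer first; the patch itself does not state that.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical result codes for this sketch. */
enum { DEMO_OK = 0, DEMO_REQUEUE = 13 };

struct demo_cmd {
	int  host_byte;  /* result reported to the upper layer */
	bool completed;  /* set once the upper layer has been notified */
};

struct demo_slot {
	struct demo_cmd *cmd;  /* command currently occupying the slot */
};

/* Assumption for this sketch: releasing a slot clears its command pointer. */
static void demo_release(struct demo_slot *slot)
{
	slot->cmd = NULL;
}

/* Stand-in for handing the command back to the upper layer. */
static void demo_done(struct demo_cmd *cmd)
{
	cmd->completed = true;
}

/* Abort one in-flight slot; returns true if a command was completed. */
static bool demo_abort_one(struct demo_slot *slot)
{
	struct demo_cmd *cmd = slot->cmd;  /* save before the slot is released */

	if (!cmd)
		return false;

	cmd->host_byte = DEMO_REQUEUE;  /* ask the upper layer to requeue */
	demo_release(slot);
	demo_done(cmd);                 /* notify through the saved pointer */
	return true;
}
```

Without the final completion step the upper layer would never learn that the command finished, which matches the second abort 20 seconds later in the log above.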

10 months, 3 weeks


Re: [tip: perf/core] perf/core: Fix hardlockup failure caused by perf throttle

by Pengfei Xu

Hi Jihong and perf experts,

Greetings!

Local syzkaller testing (Intel internal kernel testing) hit "BUG: soft lockup in asm_sysvec_apic_timer_interrupt" on the v6.11-rc4 mainline kernel.

Bisected and found the first bad commit:
"
15def34e2635 perf/core: Fix hardlockup failure caused by perf throttle
"
After reverting the above commit on top of the v6.11-rc4 mainline kernel, the issue was gone.

The issue could be reproduced in 1200s.

All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/240823_212601_asm_sysv…
Syzkaller repro code: https://github.com/xupengfe/syzkaller_logs/blob/main/240823_212601_asm_sysv…
Syzkaller repro syscall steps: https://github.com/xupengfe/syzkaller_logs/blob/main/240823_212601_asm_sysv…
Syzkaller report: https://github.com/xupengfe/syzkaller_logs/blob/main/240823_212601_asm_sysv…
Kconfig(make olddefconfig): https://github.com/xupengfe/syzkaller_logs/blob/main/240823_212601_asm_sysv…
Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/240823_212601_asm_sysv…
bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/240823_212601_asm_sysve…
Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/240823_212601_asm_sysv…

"
[ 22.518698] hrtimer: interrupt took 13103 ns
[ 30.382700] clocksource: Long readout interval, skipping watchdog check: cs_nsec: 2079936720 wd_nsec: 2079936828
[ 378.038693] clocksource: Long readout interval, skipping watchdog check: cs_nsec: 7719948786 wd_nsec: 7719948793
[ 736.508865] watchdog: BUG: soft lockup - CPU#0 stuck for 22s!
[repro:193160] [ 736.509218] Modules linked in: [ 736.509369] irq event stamp: 15405229 [ 736.509539] hardirqs last enabled at (15405228): [<ffffffff8579c9de>] irqentry_exit+0x3e/0xa0 [ 736.509947] hardirqs last disabled at (15405229): [<ffffffff8579ae14>] sysvec_apic_timer_interrupt+0x14/0xc0 [ 736.510383] softirqs last enabled at (9218742): [<ffffffff81289fb9>] __irq_exit_rcu+0xa9/0x120 [ 736.510776] softirqs last disabled at (9218745): [<ffffffff81289fb9>] __irq_exit_rcu+0xa9/0x120 [ 736.511167] CPU: 0 UID: 0 PID: 193160 Comm: repro Not tainted 6.11.0-rc4-47ac09b91bef+ #1 [ 736.511529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 736.512039] RIP: 0010:__rcu_read_unlock+0x284/0x560 [ 736.512272] Code: 8f 00 00 00 84 d2 0f 84 87 00 00 00 bf 09 00 00 00 e8 d0 0b dc ff 4d 85 f6 0f 84 68 fe ff ff e8 f2 83 26 00 fb 0f 1f 44 00 00 <e9> 58 fe ff ff 0f 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 [ 736.513091] RSP: 0018:ffff88806c609938 EFLAGS: 00000212 [ 736.513330] RAX: 0000000000e956e0 RBX: ffff88806c649600 RCX: 1ffffffff14ae71b [ 736.513648] RDX: 0000000000000000 RSI: 0000000000000101 RDI: 0000000000000000 [ 736.513974] RBP: ffff88806c609968 R08: 0000000000000001 R09: fffffbfff14a92b5 [ 736.514289] R10: ffffffff8a5495af R11: 0000000000000001 R12: ffff88801379ca00 [ 736.514606] R13: ffff88801379ca00 R14: 0000000000000200 R15: ffffffff86e619c0 [ 736.514935] FS: 00007f095e148740(0000) GS:ffff88806c600000(0000) knlGS:0000000000000000 [ 736.515293] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 736.515555] CR2: 0000000020000000 CR3: 0000000021944006 CR4: 0000000000770ef0 [ 736.515888] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 736.516215] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400 [ 736.516539] PKRU: 55555554 [ 736.516672] Call Trace: [ 736.516798] <IRQ> [ 736.516907] ? show_regs+0xa8/0xc0 [ 736.517080] ? 
watchdog_timer_fn+0x52f/0x6b0 [ 736.517284] ? __pfx_watchdog_timer_fn+0x10/0x10 [ 736.517503] ? __hrtimer_run_queues+0x5d6/0xb10 [ 736.517733] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 736.517975] ? hrtimer_interrupt+0x324/0x7a0 [ 736.518193] ? __sysvec_apic_timer_interrupt+0x10b/0x410 [ 736.518443] ? debug_smp_processor_id+0x20/0x30 [ 736.518663] ? sysvec_apic_timer_interrupt+0x4b/0xc0 [ 736.518901] ? asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 736.519162] ? __rcu_read_unlock+0x284/0x560 [ 736.519370] ? __rcu_read_unlock+0x27e/0x560 [ 736.519579] __is_insn_slot_addr+0x14c/0x2a0 [ 736.519791] kernel_text_address+0x64/0xe0 [ 736.519991] __kernel_text_address+0x16/0x50 [ 736.520199] unwind_get_return_address+0x8c/0x100 [ 736.520424] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 736.520671] arch_stack_walk+0xa7/0x170 [ 736.520878] stack_trace_save+0x97/0xd0 [ 736.521064] ? __pfx_stack_trace_save+0x10/0x10 [ 736.521276] ? __pfx_mark_lock.part.0+0x10/0x10 [ 736.521499] kasan_save_stack+0x2c/0x60 [ 736.521681] ? kasan_save_stack+0x2c/0x60 [ 736.521870] ? kasan_save_track+0x18/0x40 [ 736.522057] ? kasan_save_free_info+0x3f/0x60 [ 736.522267] ? __kasan_slab_free+0x115/0x1a0 [ 736.522467] ? kfree+0xfe/0x330 [ 736.522622] ? free_ctx+0x22/0x30 [ 736.522788] ? rcu_core+0x877/0x18f0 [ 736.522967] ? rcu_core_si+0x12/0x20 [ 736.523142] ? handle_softirqs+0x1c7/0x870 [ 736.523334] ? __irq_exit_rcu+0xa9/0x120 [ 736.523519] ? irq_exit_rcu+0x12/0x30 [ 736.523693] ? sysvec_apic_timer_interrupt+0xa5/0xc0 [ 736.523922] ? asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 736.524165] ? lock_acquire+0x1ff/0x580 [ 736.524352] ? _raw_spin_lock+0x38/0x50 [ 736.524534] ? do_fcntl+0xa95/0x1400 [ 736.524709] ? __x64_sys_fcntl+0x179/0x210 [ 736.524906] ? x64_sys_call+0x5b9/0x20d0 [ 736.525094] ? do_syscall_64+0x6d/0x140 [ 736.525276] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 736.525529] ? __pfx___lock_acquire+0x10/0x10 [ 736.525736] ? do_raw_spin_trylock+0xbf/0x190 [ 736.525949] ? 
free_unref_page_commit+0x3c0/0xfb0 [ 736.526176] ? __this_cpu_preempt_check+0x21/0x30 [ 736.526399] ? lock_acquire+0x1de/0x580 [ 736.526587] ? free_ctx+0x22/0x30 [ 736.526753] kasan_save_track+0x18/0x40 [ 736.526944] kasan_save_free_info+0x3f/0x60 [ 736.527146] __kasan_slab_free+0x115/0x1a0 [ 736.527341] ? free_ctx+0x22/0x30 [ 736.527503] kfree+0xfe/0x330 [ 736.527655] ? rcu_core+0x875/0x18f0 [ 736.527833] free_ctx+0x22/0x30 [ 736.527991] rcu_core+0x877/0x18f0 [ 736.528165] ? __pfx_rcu_core+0x10/0x10 [ 736.528365] rcu_core_si+0x12/0x20 [ 736.528535] handle_softirqs+0x1c7/0x870 [ 736.528734] __irq_exit_rcu+0xa9/0x120 [ 736.528915] irq_exit_rcu+0x12/0x30 [ 736.529085] sysvec_apic_timer_interrupt+0xa5/0xc0 [ 736.529309] </IRQ> [ 736.529414] <TASK> [ 736.529522] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 736.529762] RIP: 0010:lock_acquire+0x1ff/0x580 [ 736.529974] Code: 48 83 c4 28 e8 72 73 37 04 b8 ff ff ff ff 65 0f c1 05 fd b6 c0 7e 83 f8 01 0f 85 d9 02 00 00 4d 85 ff 74 06 fb 0f 1f 44 00 00 <48> b8 00 00 00 00 00 fc ff df 48 01 c3 48 c7 03 00 00 00 00 48 c7 [ 736.530786] RSP: 0018:ffff88801aa0fcd0 EFLAGS: 00000206 [ 736.531031] RAX: 0000000000000001 RBX: 1ffff11003541f9e RCX: 1ffff11003541f82 [ 736.531348] RDX: 1ffff110026f3b07 RSI: 0000000000000001 RDI: 0000000000000000 [ 736.531668] RBP: ffff88801aa0fdb8 R08: 0000000000000000 R09: fffffbfff14a92b5 [ 736.531994] R10: ffffffff8a5495af R11: 0000000000000001 R12: 0000000000000001 [ 736.532318] R13: 0000000000000000 R14: ffff88800f65a028 R15: 0000000000000200 [ 736.532660] ? __pfx_lock_acquire+0x10/0x10 [ 736.532860] ? _raw_spin_unlock+0x31/0x60 [ 736.533063] ? up_write+0x1c0/0x550 [ 736.533234] ? fasync_helper+0x77/0xc0 [ 736.533420] _raw_spin_lock+0x38/0x50 [ 736.533595] ? do_fcntl+0xa95/0x1400 [ 736.533775] do_fcntl+0xa95/0x1400 [ 736.533948] ? __pfx_do_fcntl+0x10/0x10 [ 736.534137] ? trace_hardirqs_on+0x51/0x60 [ 736.534336] ? seqcount_lockdep_reader_access.constprop.0+0xc0/0xd0 [ 736.534619] ? 
__sanitizer_cov_trace_cmp4+0x1a/0x20 [ 736.534853] ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20 [ 736.535104] ? security_file_fcntl+0x9d/0xd0 [ 736.535315] __x64_sys_fcntl+0x179/0x210 [ 736.535508] x64_sys_call+0x5b9/0x20d0 [ 736.535687] do_syscall_64+0x6d/0x140 [ 736.535866] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 736.536099] RIP: 0033:0x7f095de3ee5d [ 736.536273] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48 [ 736.537075] RSP: 002b:00007ffea8175048 EFLAGS: 00000217 ORIG_RAX: 0000000000000048 [ 736.537411] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f095de3ee5d [ 736.537736] RDX: 0000000000002400 RSI: 0000000000000004 RDI: 0000000000000003 [ 736.538053] RBP: 00007ffea8175060 R08: 00007ffea8175060 R09: 00007ffea8175060 [ 736.538371] R10: 00007ffea8175060 R11: 0000000000000217 R12: 00007ffea81751d8 [ 736.538689] R13: 000000000040547a R14: 0000000000407df8 R15: 00007f095e193000 [ 736.539023] </TASK> [ 736.539132] Kernel panic - not syncing: softlockup: hung tasks " Hope it's helpful. Thanks! --- If you don't need the following environment to reproduce the problem or if you already have one reproduced environment, please ignore the following information. How to reproduce: git clone https://gitlab.com/xupengfe/repro_vm_env.git cd repro_vm_env tar -xvf repro_vm_env.tar.gz cd repro_vm_env; ./start3.sh // it needs qemu-system-x86_64 and I used v7.1.0 // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel // You could change the bzImage_xxx as you want // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version You could use below command to log in, there is no password for root. 
ssh -p 10023 root@localhost After login vm(virtual machine) successfully, you could transfer reproduced binary to the vm by below way, and reproduce the problem in vm: gcc -pthread -o repro repro.c scp -P 10023 repro root@localhost:/root/ Get the bzImage for target kernel: Please use target kconfig and copy it to kernel_src/.config make olddefconfig make -jx bzImage //x should equal or less than cpu num your pc has Fill the bzImage file into above start3.sh to load the target kernel in vm. Tips: If you already have qemu-system-x86_64, please ignore below info. If you want to install qemu v7.1.0 version: git clone https://github.com/qemu/qemu.git cd qemu git checkout -f v7.1.0 mkdir build cd build yum install -y ninja-build.x86_64 yum -y install libslirp-devel.x86_64 ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp make make install Best Regards, Thanks! On 2023-04-17 at 10:46:22 -0000, tip-bot2 for Yang Jihong wrote: > The following commit has been merged into the perf/core branch of tip: > > Commit-ID: 15def34e2635ab7e0e96f1bc32e1b69609f14942 > Gitweb: https://git.kernel.org/tip/15def34e2635ab7e0e96f1bc32e1b69609f14942 > Author: Yang Jihong <yangjihong1(a)huawei.com> > AuthorDate: Mon, 27 Feb 2023 10:35:08 +08:00 > Committer: Peter Zijlstra <peterz(a)infradead.org> > CommitterDate: Fri, 14 Apr 2023 16:08:22 +02:00 > > perf/core: Fix hardlockup failure caused by perf throttle > > commit e050e3f0a71bf ("perf: Fix broken interrupt rate throttling") > introduces a change in throttling threshold judgment. Before this, > compare hwc->interrupts and max_samples_per_tick, then increase > hwc->interrupts by 1, but this commit reverses order of these two > behaviors, causing the semantics of max_samples_per_tick to change. 
> In literal sense of "max_samples_per_tick", if hwc->interrupts == > max_samples_per_tick, it should not be throttled, therefore, the judgment > condition should be changed to "hwc->interrupts > max_samples_per_tick". > > In fact, this may cause the hardlockup to fail, The minimum value of > max_samples_per_tick may be 1, in this case, the return value of > __perf_event_account_interrupt function is 1. > As a result, nmi_watchdog gets throttled, which would stop PMU (Use x86 > architecture as an example, see x86_pmu_handle_irq). > > Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling") > Signed-off-by: Yang Jihong <yangjihong1(a)huawei.com> > Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org> > Link: https://lkml.kernel.org/r/20230227023508.102230-1-yangjihong1@huawei.com > --- > kernel/events/core.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/kernel/events/core.c b/kernel/events/core.c > index fb3e436..82b95b8 100644 > --- a/kernel/events/core.c > +++ b/kernel/events/core.c > @@ -9433,8 +9433,8 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle) > hwc->interrupts = 1; > } else { > hwc->interrupts++; > - if (unlikely(throttle > - && hwc->interrupts >= max_samples_per_tick)) { > + if (unlikely(throttle && > + hwc->interrupts > max_samples_per_tick)) { > __this_cpu_inc(perf_throttled_count); > tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS); > hwc->interrupts = MAX_INTERRUPTS;
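The effect of the comparison change can be checked with a small userspace model. This is only a sketch, not kernel code: unthrottled_per_tick() and its parameters are hypothetical names, and the model assumes (as the diff context suggests) that the first interrupt of a tick resets the counter to 1 without performing the throttle check.

```c
#include <stdbool.h>

/*
 * Userspace model of the per-tick interrupt accounting shown in the diff.
 * Returns how many interrupts are handled in one tick before the throttle
 * condition fires. 'strict' selects '>' (patched) over '>=' (old).
 */
unsigned int unthrottled_per_tick(unsigned int max_samples_per_tick, bool strict)
{
	unsigned int interrupts = 0;
	unsigned int accepted = 0;

	for (;;) {
		if (interrupts == 0) {
			/* First interrupt of the tick: counter reset, no check. */
			interrupts = 1;
		} else {
			interrupts++;
			if (strict ? interrupts > max_samples_per_tick
				   : interrupts >= max_samples_per_tick)
				return accepted;
		}
		accepted++;
	}
}
```

In this model, a limit of 4 lets only 3 interrupts through with ">=", while ">" lets all 4 through, which matches the literal reading of "max samples per tick".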

10 months, 3 weeks


[PATCH] perf/x86/intel: Limit the period on Haswell

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com>

Running the ltp test cve-2015-3290 concurrently reports the following warnings.

perfevents: irq loop stuck!
WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370
Call Trace:
 <NMI>
 ? __warn+0xa4/0x220
 ? intel_pmu_handle_irq+0x285/0x370
 ? __report_bug+0x123/0x130
 ? intel_pmu_handle_irq+0x285/0x370
 ? __report_bug+0x123/0x130
 ? intel_pmu_handle_irq+0x285/0x370
 ? report_bug+0x3e/0xa0
 ? handle_bug+0x3c/0x70
 ? exc_invalid_op+0x18/0x50
 ? asm_exc_invalid_op+0x1a/0x20
 ? irq_work_claim+0x1e/0x40
 ? intel_pmu_handle_irq+0x285/0x370
 perf_event_nmi_handler+0x3d/0x60
 nmi_handle+0x104/0x330

Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers defects in the HW, specifically errata HSW11 and HSW143. (For the details, please refer to https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/)

HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as BDM11, which is already handled in the kernel. A minimum period of 128 is enforced on HSW as well.

HSW143 states that fixed counter 1 may overcount by 32 when Hyper-Threading is enabled. However, based on the test, the hardware has more issues than the erratum describes. Besides fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events.

The recommended workaround code for HSW143 is not implemented, because it only addresses the issue for the fixed counter and brings extra overhead through extra MSR writes. No related overcounting issue has been reported so far.

Fixes: 3a632cb229bf ("perf/x86/intel: Add simple Haswell PMU support")
Reported-by: Li Huafei <lihuafei1(a)huawei.com>
Closes: https://lore.kernel.org/lkml/20240729223328.327835-1-lihuafei1@huawei.com/
Suggested-by: Thomas Gleixner <tglx(a)linutronix.de>
Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com>
Cc: Vince Weaver <vincent.weaver(a)maine.edu>
Cc: stable(a)vger.kernel.org
---
 arch/x86/events/intel/core.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
index e8bd45556c30..605ed19043ed 100644
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -4634,6 +4634,25 @@ static enum hybrid_cpu_type adl_get_hybrid_cpu_type(void)
 	return HYBRID_INTEL_CORE;
 }
 
+static inline bool erratum_hsw11(struct perf_event *event)
+{
+	return (event->hw.config & INTEL_ARCH_EVENT_MASK) ==
+		X86_CONFIG(.event=0xc0, .umask=0x01);
+}
+
+/*
+ * The HSW11 requires a period larger than 100 which is the same as the BDM11.
+ * A minimum period of 128 is enforced as well for the INST_RETIRED.ALL.
+ *
+ * The message 'interrupt took too long' can be observed on any counter which
+ * was armed with a period < 32 and two events expired in the same NMI.
+ * A minimum period of 32 is enforced for the rest of the events.
+ */
+static void hsw_limit_period(struct perf_event *event, s64 *left)
+{
+	*left = max(*left, erratum_hsw11(event) ? 128 : 32);
+}
+
 /*
  * Broadwell:
  *
@@ -4651,8 +4670,7 @@ static enum hybrid_cpu_type adl_get_hybrid_cpu_type(void)
  */
 static void bdw_limit_period(struct perf_event *event, s64 *left)
 {
-	if ((event->hw.config & INTEL_ARCH_EVENT_MASK) ==
-			X86_CONFIG(.event=0xc0, .umask=0x01)) {
+	if (erratum_hsw11(event)) {
 		if (*left < 128)
 			*left = 128;
 		*left &= ~0x3fULL;
@@ -6821,6 +6839,7 @@ __init int intel_pmu_init(void)
 
 		x86_pmu.hw_config = hsw_hw_config;
 		x86_pmu.get_event_constraints = hsw_get_event_constraints;
+		x86_pmu.limit_period = hsw_limit_period;
 		x86_pmu.lbr_double_abort = true;
 		extra_attr = boot_cpu_has(X86_FEATURE_RTM) ?
 			hsw_format_attr : nhm_format_attr;
-- 
2.38.1
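The clamping rule described in the changelog can be tried out in userspace. The following is a minimal sketch, not the kernel function: hsw_min_period_model() is a hypothetical name, and the boolean argument stands in for the erratum_hsw11() event check.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Model of the minimum-period rule from the patch: INST_RETIRED.ALL gets a
 * floor of 128 (HSW11), every other event gets a floor of 32.
 */
int64_t hsw_min_period_model(int64_t left, bool is_inst_retired_all)
{
	int64_t floor = is_inst_retired_all ? 128 : 32;

	return left > floor ? left : floor;
}
```

With the initial frequency-mode period of 1, this model yields 128 for INST_RETIRED.ALL and 32 for any other event; periods already above the floor pass through unchanged.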

10 months, 3 weeks


[PATCH] crypto: sa2ul - fix memory leak in sa_cra_init_aead()

by Ma Ke

Currently the resource allocated by crypto_alloc_shash() is not freed in case crypto_alloc_aead() fails, resulting in memory leak. Add crypto_free_shash() to fix it.

Found by code review.

Cc: stable(a)vger.kernel.org
Fixes: d2c8ac187fc9 ("crypto: sa2ul - Add AEAD algorithm support")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
 drivers/crypto/sa2ul.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c
index 461eca40e878..b5af621f7f17 100644
--- a/drivers/crypto/sa2ul.c
+++ b/drivers/crypto/sa2ul.c
@@ -1740,7 +1740,8 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash,
 	ctx->shash = crypto_alloc_shash(hash, 0, CRYPTO_ALG_NEED_FALLBACK);
 	if (IS_ERR(ctx->shash)) {
 		dev_err(sa_k3_dev, "base driver %s couldn't be loaded\n", hash);
-		return PTR_ERR(ctx->shash);
+		ret = PTR_ERR(ctx->shash);
+		goto err_free_shash;
 	}
 
 	ctx->fallback.aead = crypto_alloc_aead(fallback, 0,
@@ -1749,7 +1750,8 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash,
 	if (IS_ERR(ctx->fallback.aead)) {
 		dev_err(sa_k3_dev, "fallback driver %s couldn't be loaded\n",
 			fallback);
-		return PTR_ERR(ctx->fallback.aead);
+		ret = PTR_ERR(ctx->fallback.aead);
+		goto err_free_shash;
 	}
 
 	crypto_aead_set_reqsize(tfm, sizeof(struct aead_request) +
@@ -1757,19 +1759,23 @@ static int sa_cra_init_aead(struct crypto_aead *tfm, const char *hash,
 
 	ret = sa_init_ctx_info(&ctx->enc, data);
 	if (ret)
-		return ret;
+		goto err_free_shash;
 
 	ret = sa_init_ctx_info(&ctx->dec, data);
-	if (ret) {
-		sa_free_ctx_info(&ctx->enc, data);
-		return ret;
-	}
+	if (ret)
+		goto err_free_ctx_info;
 
 	dev_dbg(sa_k3_dev, "%s(0x%p) sc-ids(0x%x(0x%pad), 0x%x(0x%pad))\n",
 		__func__, tfm, ctx->enc.sc_id, &ctx->enc.sc_phys,
 		ctx->dec.sc_id, &ctx->dec.sc_phys);
 
 	return ret;
+
+err_free_ctx_info:
+	sa_free_ctx_info(&ctx->enc, data);
+err_free_shash:
+	crypto_free_shash(ctx->shash);
+	return ret;
 }
 
 static int sa_cra_init_aead_sha1(struct crypto_aead *tfm)
-- 
2.25.1
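For readers unfamiliar with the goto-based unwinding used above, here is a minimal userspace sketch of the general pattern. It is not the driver code: ctx_model, ctx_init_model() and the fail_at switch are hypothetical, malloc()/free() stand in for the crypto allocation helpers, and unlike the patch the first allocation failure returns directly because nothing has been acquired yet.

```c
#include <errno.h>
#include <stdlib.h>

struct ctx_model {
	void *shash;	/* stands in for the hash transform */
	void *fallback;	/* stands in for the fallback AEAD */
};

/* fail_at: 0 = no failure, 1 = first allocation fails, 2 = second fails. */
int ctx_init_model(struct ctx_model *ctx, int fail_at)
{
	int ret;

	ctx->shash = NULL;
	ctx->fallback = NULL;

	ctx->shash = (fail_at == 1) ? NULL : malloc(16);
	if (!ctx->shash)
		return -ENOMEM;		/* nothing acquired yet, nothing to undo */

	ctx->fallback = (fail_at == 2) ? NULL : malloc(16);
	if (!ctx->fallback) {
		ret = -ENOMEM;
		goto err_free_shash;	/* release what the earlier step acquired */
	}

	return 0;

err_free_shash:
	free(ctx->shash);
	ctx->shash = NULL;
	return ret;
}
```

The point of the single exit label is that every later failure path releases the earlier allocation, so a new failure point cannot silently reintroduce the leak.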

10 months, 3 weeks


[git:media_stage/master] media: venus: fix use after free bug in venus_remove due to race condition

by Hans Verkuil

This is an automatically generated email to let you know that the following patch was queued:

Subject: media: venus: fix use after free bug in venus_remove due to race condition
Author:  Zheng Wang <zyytlz.wz(a)163.com>
Date:    Tue Jun 18 14:55:59 2024 +0530

    In venus_probe, core->work is bound with venus_sys_error_handler, which is
    used to handle errors. The code uses core->sys_err_done to synchronize the
    work. The core->work is started in venus_event_notify.

    If we call venus_remove, there might be unfinished work. The possible
    sequence is as follows:

    CPU0                  CPU1

                         |venus_sys_error_handler
    venus_remove         |
    hfi_destroy          |
    venus_hfi_destroy    |
    kfree(hdev);         |
                         |hfi_reinit
                         |venus_hfi_queues_reinit
                         |//use hdev

    Fix it by canceling the work in venus_remove.

    Cc: stable(a)vger.kernel.org
    Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
    Signed-off-by: Zheng Wang <zyytlz.wz(a)163.com>
    Signed-off-by: Dikshita Agarwal <quic_dikshita(a)quicinc.com>
    Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov(a)gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>

 drivers/media/platform/qcom/venus/core.c | 1 +
 1 file changed, 1 insertion(+)

---

diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
index 165c947a6703..84e95a46dfc9 100644
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -430,6 +430,7 @@ static void venus_remove(struct platform_device *pdev)
 	struct device *dev = core->dev;
 	int ret;
 
+	cancel_delayed_work_sync(&core->work);
 	ret = pm_runtime_get_sync(dev);
 	WARN_ON(ret < 0);
 

10 months, 3 weeks


[PATCH RESEND] drm/nouveau: fix a possible null pointer dereference

by Ma Ke

In ch7006_encoder_get_modes(), the return value of drm_mode_duplicate() is used directly in drm_mode_probed_add(), which will lead to a NULL pointer dereference if drm_mode_duplicate() fails. Add a check to avoid the NULL pointer dereference.

Cc: stable(a)vger.kernel.org
Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
 drivers/gpu/drm/i2c/ch7006_drv.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i2c/ch7006_drv.c b/drivers/gpu/drm/i2c/ch7006_drv.c
index 131512a5f3bd..48bf6e4e8bdb 100644
--- a/drivers/gpu/drm/i2c/ch7006_drv.c
+++ b/drivers/gpu/drm/i2c/ch7006_drv.c
@@ -229,6 +229,7 @@ static int ch7006_encoder_get_modes(struct drm_encoder *encoder,
 {
 	struct ch7006_priv *priv = to_ch7006_priv(encoder);
 	const struct ch7006_mode *mode;
+	struct drm_display_mode *encoder_mode = NULL;
 	int n = 0;
 
 	for (mode = ch7006_modes; mode->mode.clock; mode++) {
@@ -236,8 +237,11 @@ static int ch7006_encoder_get_modes(struct drm_encoder *encoder,
 		    ~mode->valid_norms & 1<<priv->norm)
 			continue;
 
-		drm_mode_probed_add(connector,
-				drm_mode_duplicate(encoder->dev, &mode->mode));
+		encoder_mode = drm_mode_duplicate(encoder->dev, &mode->mode);
+		if (!encoder_mode)
+			return 0;
+
+		drm_mode_probed_add(connector, encoder_mode);
 		n++;
 	}
 
-- 
2.25.1
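The check-before-use idea can be illustrated outside the kernel. This is a hedged sketch with hypothetical names (mode_model, mode_duplicate_model(), collect_modes_model()); malloc() stands in for the allocating duplicate helper, and the fail flag only simulates an allocation failure. Note one deliberate difference from the patch: the sketch returns the number of modes already collected, whereas the patch returns 0 on failure.

```c
#include <stddef.h>
#include <stdlib.h>

struct mode_model {
	int clock;
};

/* Stand-in for an allocating duplicate helper; returns NULL on failure. */
struct mode_model *mode_duplicate_model(const struct mode_model *src, int fail)
{
	struct mode_model *copy;

	if (fail)
		return NULL;

	copy = malloc(sizeof(*copy));
	if (copy)
		*copy = *src;
	return copy;
}

/*
 * Duplicate each table entry into out[]. Stops at the first failed
 * duplication so that a NULL pointer is never handed to the consumer.
 * Pass fail_index == len to simulate no failure.
 */
size_t collect_modes_model(const struct mode_model *table, size_t len,
			   struct mode_model **out, size_t fail_index)
{
	size_t n = 0;

	for (size_t i = 0; i < len; i++) {
		struct mode_model *copy =
			mode_duplicate_model(&table[i], i == fail_index);

		if (!copy)
			break;
		out[n++] = copy;
	}
	return n;
}
```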

10 months, 3 weeks


[PATCH v5 1/2] locking/lockdep: Avoid creating new name string literals in lockdep_set_subclass()

by Ahmed Ehab

Syzbot reports a problem that a warning will be triggered while searching a lock class in look_up_lock_class().

The cause of the issue is that a new name is created and used by lockdep_set_subclass() instead of using the existing one. This results in two lock classes with the same key but different name pointers and a WARN_ONCE() is triggered because of that in look_up_lock_class().

To fix this, change lockdep_set_subclass() to use the existing name instead of a new one. Hence, no new name will be created by lockdep_set_subclass(). Hence, the warning is avoided.

Reported-by: <syzbot+7f4a6f7f7051474e40ad(a)syzkaller.appspotmail.com>
Fixes: de8f5e4f2dc1f ("lockdep: Introduce wait-type checks")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Ahmed Ehab <bottaawesome633(a)gmail.com>
---
v4->v5:
    - Changed the subject
    - Changed the changelog to be more detailed

 include/linux/lockdep.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
index 08b0d1d9d78b..df8fa5929de7 100644
--- a/include/linux/lockdep.h
+++ b/include/linux/lockdep.h
@@ -173,7 +173,7 @@ static inline void lockdep_init_map(struct lockdep_map *lock, const char *name,
 			      (lock)->dep_map.lock_type)
 
 #define lockdep_set_subclass(lock, sub)					\
-	lockdep_init_map_type(&(lock)->dep_map, #lock, (lock)->dep_map.key, sub,\
+	lockdep_init_map_type(&(lock)->dep_map, (lock)->dep_map.name, (lock)->dep_map.key, sub,\
 			      (lock)->dep_map.wait_type_inner,		\
 			      (lock)->dep_map.wait_type_outer,		\
 			      (lock)->dep_map.lock_type)
-- 
2.45.2
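Why "#lock" produces a different name pointer can be seen in a small userspace model. This is a sketch only: dep_map_model, lock_model, init_map_model() and the two set_subclass_* macros are hypothetical stand-ins for the lockdep structures and macro, reduced to the name handling.

```c
struct dep_map_model {
	const char *name;
	int subclass;
};

struct lock_model {
	struct dep_map_model dep_map;
};

void init_map_model(struct dep_map_model *map, const char *name, int sub)
{
	map->name = name;
	map->subclass = sub;
}

/* Old form: stringifies the macro argument, creating a new string literal. */
#define set_subclass_old(lock, sub) \
	init_map_model(&(lock)->dep_map, #lock, sub)

/* New form: reuses the name that was recorded when the map was set up. */
#define set_subclass_new(lock, sub) \
	init_map_model(&(lock)->dep_map, (lock)->dep_map.name, sub)
```

With the old form, the stored name depends on how the caller happened to spell the lock expression, so the same key can end up paired with a different name pointer. The new form leaves the name untouched and only changes the subclass.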

10 months, 3 weeks


[PATCH AUTOSEL 6.10 01/24] drm/mediatek: Set sensible cursor width/height values to fix crash

by Sasha Levin

From: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com>

[ Upstream commit 042b8711a0beafb2c3b888bebe3c300ab4c817fa ]

Hardware-speaking, there is no feature-reduced cursor specific plane, so this driver reserves the last all Overlay plane as a Cursor plane, but sets the maximum cursor width/height to the maximum value that the full overlay plane can use.

While this could be ok, it raises issues with common userspace using libdrm (especially Mutter, but other compositors too) which will crash upon performing allocations and/or using said cursor plane.

Reduce the maximum width/height for the cursor to 512x512 pixels, value taken from IGT's maximum cursor size test, which succeeds.

Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com>
Reviewed-by: Fei Shao <fshao(a)chromium.org>
Tested-by: Fei Shao <fshao(a)chromium.org>
Reviewed-by: Daniel Stone <daniels(a)collabora.com>
Reviewed-by: CK Hu <ck.hu(a)mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20240718082410.204459-…
Signed-off-by: Chun-Kuang Hu <chunkuang.hu(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
 drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
index 56f409ad7f390..ab2bace792e46 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -539,8 +539,8 @@ static int mtk_drm_kms_init(struct drm_device *drm)
 	}
 
 	/* IGT will check if the cursor size is configured */
-	drm->mode_config.cursor_width = drm->mode_config.max_width;
-	drm->mode_config.cursor_height = drm->mode_config.max_height;
+	drm->mode_config.cursor_width = 512;
+	drm->mode_config.cursor_height = 512;
 
 	/* Use OVL device for all DMA memory allocations */
 	crtc = drm_crtc_from_index(drm, 0);
-- 
2.43.0

10 months, 3 weeks


[PATCH AUTOSEL 6.6 01/20] ksmbd: override fsids for share path check

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit a018c1b636e79b60149b41151ded7c2606d8606e ] Sangsoo reported that a DAC denial error occurred when accessing files through the ksmbd thread. This patch override fsids for share path check. Reported-by: Sangsoo Lee <constant.lee(a)samsung.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/smb/server/mgmt/share_config.c | 15 ++++++++++++--- fs/smb/server/mgmt/share_config.h | 4 +++- fs/smb/server/mgmt/tree_connect.c | 9 +++++---- fs/smb/server/mgmt/tree_connect.h | 4 ++-- fs/smb/server/smb2pdu.c | 2 +- fs/smb/server/smb_common.c | 9 +++++++-- fs/smb/server/smb_common.h | 2 ++ 7 files changed, 32 insertions(+), 13 deletions(-) diff --git a/fs/smb/server/mgmt/share_config.c b/fs/smb/server/mgmt/share_config.c index e0a6b758094fc..d8d03070ae44b 100644 --- a/fs/smb/server/mgmt/share_config.c +++ b/fs/smb/server/mgmt/share_config.c @@ -15,6 +15,7 @@ #include "share_config.h" #include "user_config.h" #include "user_session.h" +#include "../connection.h" #include "../transport_ipc.h" #include "../misc.h" @@ -120,12 +121,13 @@ static int parse_veto_list(struct ksmbd_share_config *share, return 0; } -static struct ksmbd_share_config *share_config_request(struct unicode_map *um, +static struct ksmbd_share_config *share_config_request(struct ksmbd_work *work, const char *name) { struct ksmbd_share_config_response *resp; struct ksmbd_share_config *share = NULL; struct ksmbd_share_config *lookup; + struct unicode_map *um = work->conn->um; int ret; resp = ksmbd_ipc_share_config_request(name); @@ -181,7 +183,14 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um, KSMBD_SHARE_CONFIG_VETO_LIST(resp), resp->veto_list_sz); if (!ret && share->path) { + if (__ksmbd_override_fsids(work, share)) { + kill_share(share); + share = NULL; + goto out; + } + ret = kern_path(share->path, 0, 
&share->vfs_path); + ksmbd_revert_fsids(work); if (ret) { ksmbd_debug(SMB, "failed to access '%s'\n", share->path); @@ -214,7 +223,7 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um, return share; } -struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, +struct ksmbd_share_config *ksmbd_share_config_get(struct ksmbd_work *work, const char *name) { struct ksmbd_share_config *share; @@ -227,7 +236,7 @@ struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, if (share) return share; - return share_config_request(um, name); + return share_config_request(work, name); } bool ksmbd_share_veto_filename(struct ksmbd_share_config *share, diff --git a/fs/smb/server/mgmt/share_config.h b/fs/smb/server/mgmt/share_config.h index 5f591751b9236..d4ac2dd4de204 100644 --- a/fs/smb/server/mgmt/share_config.h +++ b/fs/smb/server/mgmt/share_config.h @@ -11,6 +11,8 @@ #include <linux/path.h> #include <linux/unicode.h> +struct ksmbd_work; + struct ksmbd_share_config { char *name; char *path; @@ -68,7 +70,7 @@ static inline void ksmbd_share_config_put(struct ksmbd_share_config *share) __ksmbd_share_config_put(share); } -struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, +struct ksmbd_share_config *ksmbd_share_config_get(struct ksmbd_work *work, const char *name); bool ksmbd_share_veto_filename(struct ksmbd_share_config *share, const char *filename); diff --git a/fs/smb/server/mgmt/tree_connect.c b/fs/smb/server/mgmt/tree_connect.c index d2c81a8a11dda..94a52a75014a4 100644 --- a/fs/smb/server/mgmt/tree_connect.c +++ b/fs/smb/server/mgmt/tree_connect.c @@ -16,17 +16,18 @@ #include "user_session.h" struct ksmbd_tree_conn_status -ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, - const char *share_name) +ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name) { struct ksmbd_tree_conn_status status = {-ENOENT, NULL}; struct ksmbd_tree_connect_response *resp 
= NULL; struct ksmbd_share_config *sc; struct ksmbd_tree_connect *tree_conn = NULL; struct sockaddr *peer_addr; + struct ksmbd_conn *conn = work->conn; + struct ksmbd_session *sess = work->sess; int ret; - sc = ksmbd_share_config_get(conn->um, share_name); + sc = ksmbd_share_config_get(work, share_name); if (!sc) return status; @@ -61,7 +62,7 @@ ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, struct ksmbd_share_config *new_sc; ksmbd_share_config_del(sc); - new_sc = ksmbd_share_config_get(conn->um, share_name); + new_sc = ksmbd_share_config_get(work, share_name); if (!new_sc) { pr_err("Failed to update stale share config\n"); status.ret = -ESTALE; diff --git a/fs/smb/server/mgmt/tree_connect.h b/fs/smb/server/mgmt/tree_connect.h index 6377a70b811c8..a42cdd0510411 100644 --- a/fs/smb/server/mgmt/tree_connect.h +++ b/fs/smb/server/mgmt/tree_connect.h @@ -13,6 +13,7 @@ struct ksmbd_share_config; struct ksmbd_user; struct ksmbd_conn; +struct ksmbd_work; enum { TREE_NEW = 0, @@ -50,8 +51,7 @@ static inline int test_tree_conn_flag(struct ksmbd_tree_connect *tree_conn, struct ksmbd_session; struct ksmbd_tree_conn_status -ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, - const char *share_name); +ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name); void ksmbd_tree_connect_put(struct ksmbd_tree_connect *tcon); int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess, diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 592a2cdfd0670..646c874d151a8 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -1955,7 +1955,7 @@ int smb2_tree_connect(struct ksmbd_work *work) ksmbd_debug(SMB, "tree connect request for tree %s treename %s\n", name, treename); - status = ksmbd_tree_conn_connect(conn, sess, name); + status = ksmbd_tree_conn_connect(work, name); if (status.ret == KSMBD_TREE_CONN_STATUS_OK) rsp->hdr.Id.SyncId.TreeId = cpu_to_le32(status.tree_conn->id); else diff 
--git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index 474dadf6b7b8b..13818ecb6e1b2 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -732,10 +732,10 @@ bool is_asterisk(char *p) return p && p[0] == '*'; } -int ksmbd_override_fsids(struct ksmbd_work *work) +int __ksmbd_override_fsids(struct ksmbd_work *work, + struct ksmbd_share_config *share) { struct ksmbd_session *sess = work->sess; - struct ksmbd_share_config *share = work->tcon->share_conf; struct cred *cred; struct group_info *gi; unsigned int uid; @@ -775,6 +775,11 @@ int ksmbd_override_fsids(struct ksmbd_work *work) return 0; } +int ksmbd_override_fsids(struct ksmbd_work *work) +{ + return __ksmbd_override_fsids(work, work->tcon->share_conf); +} + void ksmbd_revert_fsids(struct ksmbd_work *work) { const struct cred *cred; diff --git a/fs/smb/server/smb_common.h b/fs/smb/server/smb_common.h index f1092519c0c28..4a3148b0167f5 100644 --- a/fs/smb/server/smb_common.h +++ b/fs/smb/server/smb_common.h @@ -447,6 +447,8 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command); int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp); +int __ksmbd_override_fsids(struct ksmbd_work *work, + struct ksmbd_share_config *share); int ksmbd_override_fsids(struct ksmbd_work *work); void ksmbd_revert_fsids(struct ksmbd_work *work); -- 2.43.0

10 months, 3 weeks


[PATCH] pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins

by Huang-Huang Bao

The base iomux offsets for each GPIO pin line are calculated cumulatively, based on the iomux width flag, in rockchip_pinctrl_get_soc_data. If the iomux width flag is one of IOMUX_WIDTH_4BIT, IOMUX_WIDTH_3BIT or IOMUX_WIDTH_2BIT, the base offset for the next pin line increases by 8 bytes, otherwise it increases by 4 bytes.

Although most GPIO2-B iomux fields have a 2-bit data width, which fits into 4 bytes with a write mask, the whole GPIO2-B line actually takes 8 bytes. Commit e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins") wrongly set the iomux width flag to 0, causing the base iomux offsets for all lines after GPIO2-B to be calculated incorrectly.

Fix the iomux width flag to IOMUX_WIDTH_2BIT so the offset after GPIO2-B is correctly increased by 8, matching the actual width of GPIO2-B iomux.

Fixes: e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins")
Cc: stable(a)vger.kernel.org
Reported-by: Richard Kojedzinszky <richard(a)kojedz.in>
Closes: https://lore.kernel.org/linux-rockchip/4f29b743202397d60edfb3c725537415@koj…
Tested-by: Richard Kojedzinszky <richard(a)kojedz.in>
Signed-off-by: Huang-Huang Bao <i(a)eh5.me>
---

I have double checked that the iomux offsets in the debug message match the iomux register definitions in the "GRF Register Description" section of the RK3328 TRM[1].

[1]: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1…

Kernel pinctrl debug message with dyndbg="file pinctrl-rockchip.c +p":
  rockchip-pinctrl pinctrl: bank 0, iomux 0 has iom_offset 0x0 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 0, iomux 1 has iom_offset 0x4 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 0, iomux 2 has iom_offset 0x8 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 0, iomux 3 has iom_offset 0xc drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 1, iomux 0 has iom_offset 0x10 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 1, iomux 1 has iom_offset 0x14 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 1, iomux 2 has iom_offset 0x18 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 1, iomux 3 has iom_offset 0x1c drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 2, iomux 0 has iom_offset 0x20 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 2, iomux 1 has iom_offset 0x24 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 2, iomux 2 has iom_offset 0x2c drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 2, iomux 3 has iom_offset 0x34 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 3, iomux 0 has iom_offset 0x38 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 3, iomux 1 has iom_offset 0x40 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 3, iomux 2 has iom_offset 0x48 drv_offset 0x0
  rockchip-pinctrl pinctrl: bank 3, iomux 3 has iom_offset 0x4c drv_offset 0x0

The "Closes" tag links to the test report from the original reporter, which contains the original issue; that issue was not delivered to any mailing list and is thus not available on the web.

Added CC stable, as the problematic e8448a6c817c fixed by this patch was recently merged into stable kernels.

Sorry for the inconvenience caused,
Huang-Huang

 drivers/pinctrl/pinctrl-rockchip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c
index 3f56991f5b89..f6da91941fbd 100644
--- a/drivers/pinctrl/pinctrl-rockchip.c
+++ b/drivers/pinctrl/pinctrl-rockchip.c
@@ -3813,7 +3813,7 @@ static struct rockchip_pin_bank rk3328_pin_banks[] = {
 	PIN_BANK_IOMUX_FLAGS(0, 32, "gpio0", 0, 0, 0, 0),
 	PIN_BANK_IOMUX_FLAGS(1, 32, "gpio1", 0, 0, 0, 0),
 	PIN_BANK_IOMUX_FLAGS(2, 32, "gpio2", 0,
-			     0,
+			     IOMUX_WIDTH_2BIT,
 			     IOMUX_WIDTH_3BIT,
 			     0),
 	PIN_BANK_IOMUX_FLAGS(3, 32, "gpio3",

base-commit: 4376e966ecb78c520b0faf239d118ecfab42a119
-- 
2.45.2
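The offset accumulation rule from the changelog (8 bytes for a line with a width flag, 4 bytes otherwise) can be replayed in userspace against the bank 2 values in the debug output. This is a sketch under assumptions: the enum values and iomux_offsets_model() are hypothetical and do not match the driver's flag encoding; only the 4-or-8 step rule is taken from the text.

```c
#include <stddef.h>

/* Illustrative width markers; the real driver uses bit flags. */
enum iomux_width_model {
	WIDTH_DEFAULT = 0,
	WIDTH_2BIT,
	WIDTH_3BIT,
	WIDTH_4BIT
};

/*
 * Fill offsets[] with the base offset of each of the n iomux lines,
 * starting at 'base'. A line with any width flag takes 8 bytes, a line
 * without one takes 4. Returns the offset following the last line,
 * i.e. where the next bank would start.
 */
unsigned int iomux_offsets_model(unsigned int base,
				 const enum iomux_width_model *flags,
				 size_t n, unsigned int *offsets)
{
	unsigned int off = base;

	for (size_t i = 0; i < n; i++) {
		offsets[i] = off;
		off += (flags[i] == WIDTH_DEFAULT) ? 4 : 8;
	}
	return off;
}
```

Starting at 0x20 with the patched flags (none, 2-bit, 3-bit, none), the model gives 0x20, 0x24, 0x2c, 0x34 and a next-bank start of 0x38, in line with the debug message. With the second flag left at 0, every line after GPIO2-B lands 4 bytes too low.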

10 months, 3 weeks


WARNING: CPU: 1 PID: 1 at arch/x86/mm/pti.c kernel 6.10.6 x86

by Roberto CORRADO

[ 4.546432] ------------[ cut here ]------------ [ 4.546498] WARNING: CPU: 1 PID: 1 at arch/x86/mm/pti.c:256 pti_clone_pgtable+0x1ad/0x310 [ 4.546593] Modules linked in: [ 4.546660] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.10.6 #1 [ 4.546730] Hardware name: null [ 4.546818] EIP: pti_clone_pgtable+0x1ad/0x310 [ 4.546886] Code: 00 89 f8 e8 25 fd ff ff 89 45 d4 85 c0 74 1d 8b 08 31 d2 89 55 f0 8b 75 f0 89 c8 25 80 00 00 00 89 45 ec 8b 45 ec 09 f0 74 13 <0f> 0b 0f 0b e9 64 ff ff ff 2e 8d b4 26 00 00 00 00 66 90 89 c8 31 [ 4.547003] EAX: 00000080 EBX: 00000000 ECX: 092001e3 EDX: 00000000 [ 4.547073] ESI: 00000000 EDI: c92e76a8 EBP: c11e1f7c ESP: c11e1f4c [ 4.547142] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010202 [ 4.547214] CR0: 80050033 CR2: c9314e44 CR3: 09cd4000 CR4: 000006f0 [ 4.547284] Call Trace: [ 4.547365] ? show_regs.part.0+0x1c/0x24 [ 4.547435] ? show_regs.cold+0x7/0xc [ 4.547501] ? __warn.cold+0x42/0xe5 [ 4.547567] ? pti_clone_pgtable+0x1ad/0x310 [ 4.547634] ? report_bug+0xd7/0x180 [ 4.547703] ? exc_overflow+0x40/0x40 [ 4.547770] ? handle_bug+0x35/0x70 [ 4.547835] ? exc_invalid_op+0x18/0x60 [ 4.547902] ? handle_exception+0x133/0x133 [ 4.547971] ? __SCT__tp_func_ma_write+0x8/0x8 [ 4.548038] ? exc_overflow+0x40/0x40 [ 4.548104] ? pti_clone_pgtable+0x1ad/0x310 [ 4.548171] ? exc_overflow+0x40/0x40 [ 4.548236] ? pti_clone_pgtable+0x1ad/0x310 [ 4.548304] ? __SCT__tp_func_ma_write+0x8/0x8 [ 4.548392] ? rest_init+0xb8/0xb8 [ 4.548459] pti_finalize+0x30/0x80 [ 4.548525] kernel_init+0x66/0x120 [ 4.548590] ret_from_fork+0x38/0x60 [ 4.548657] ? 
rest_init+0xb8/0xb8 [ 4.548723] ret_from_fork_asm+0x12/0x1c [ 4.548789] entry_INT80_32+0xf0/0xf0 [ 4.548857] ---[ end trace 0000000000000000 ]--- [ 4.548925] ------------[ cut here ]------------ [ 4.548989] WARNING: CPU: 1 PID: 1 at arch/x86/mm/pti.c:394 pti_clone_pgtable+0x1af/0x310 [ 4.549077] Modules linked in: [ 4.549141] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 6.10.6 #1 [ 4.549226] Hardware name: null [ 4.549312] EIP: pti_clone_pgtable+0x1af/0x310 [ 4.549397] Code: f8 e8 25 fd ff ff 89 45 d4 85 c0 74 1d 8b 08 31 d2 89 55 f0 8b 75 f0 89 c8 25 80 00 00 00 89 45 ec 8b 45 ec 09 f0 74 13 0f 0b <0f> 0b e9 64 ff ff ff 2e 8d b4 26 00 00 00 00 66 90 89 c8 31 d2 89 [ 4.549514] EAX: 00000080 EBX: 00000000 ECX: 092001e3 EDX: 00000000 [ 4.549584] ESI: 00000000 EDI: c92e76a8 EBP: c11e1f7c ESP: c11e1f4c [ 4.549653] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010202 [ 4.549724] CR0: 80050033 CR2: c9314e44 CR3: 09cd4000 CR4: 000006f0 [ 4.549794] Call Trace: [ 4.549855] ? show_regs.part.0+0x1c/0x24 [ 4.549923] ? show_regs.cold+0x7/0xc [ 4.549989] ? __warn.cold+0x42/0xe5 [ 4.550054] ? pti_clone_pgtable+0x1af/0x310 [ 4.550121] ? report_bug+0xd7/0x180 [ 4.550188] ? exc_overflow+0x40/0x40 [ 4.550254] ? handle_bug+0x35/0x70 [ 4.550319] ? exc_invalid_op+0x18/0x60 [ 4.550404] ? handle_exception+0x133/0x133 [ 4.550472] ? __SCT__tp_func_ma_write+0x8/0x8 [ 4.550540] ? exc_overflow+0x40/0x40 [ 4.550605] ? pti_clone_pgtable+0x1af/0x310 [ 4.550672] ? exc_overflow+0x40/0x40 [ 4.550737] ? pti_clone_pgtable+0x1af/0x310 [ 4.550805] ? __SCT__tp_func_ma_write+0x8/0x8 [ 4.550873] ? rest_init+0xb8/0xb8 [ 4.550938] pti_finalize+0x30/0x80 [ 4.551004] kernel_init+0x66/0x120 [ 4.551069] ret_from_fork+0x38/0x60 [ 4.551135] ? 
rest_init+0xb8/0xb8 [ 4.551201] ret_from_fork_asm+0x12/0x1c [ 4.551267] entry_INT80_32+0xf0/0xf0 [ 4.551344] ---[ end trace 0000000000000000 ]--- [ 4.551428] ------------[ cut here ]------------ [ 4.551493] WARNING: CPU: 1 PID: 1 at arch/x86/mm/pti.c:256 pti_clone_pgtable+0x1ad/0x310 [ 4.551581] Modules linked in: [ 4.551645] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 6.10.6 #1 [ 4.551729] Hardware name: null [ 4.551816] EIP: pti_clone_pgtable+0x1ad/0x310 [ 4.551882] Code: 00 89 f8 e8 25 fd ff ff 89 45 d4 85 c0 74 1d 8b 08 31 d2 89 55 f0 8b 75 f0 89 c8 25 80 00 00 00 89 45 ec 8b 45 ec 09 f0 74 13 <0f> 0b 0f 0b e9 64 ff ff ff 2e 8d b4 26 00 00 00 00 66 90 89 c8 31 [ 4.551998] EAX: 00000080 EBX: 00000000 ECX: 092001e3 EDX: 00000000 [ 4.552068] ESI: 00000000 EDI: c9200000 EBP: c11e1f7c ESP: c11e1f4c [ 4.552138] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010202 [ 4.552209] CR0: 80050033 CR2: c9314e44 CR3: 09cd4000 CR4: 000006f0 [ 4.552278] Call Trace: [ 4.552351] ? show_regs.part.0+0x1c/0x24 [ 4.552422] ? show_regs.cold+0x7/0xc [ 4.552488] ? __warn.cold+0x42/0xe5 [ 4.552554] ? pti_clone_pgtable+0x1ad/0x310 [ 4.552620] ? report_bug+0xd7/0x180 [ 4.552688] ? exc_overflow+0x40/0x40 [ 4.552753] ? handle_bug+0x35/0x70 [ 4.552818] ? exc_invalid_op+0x18/0x60 [ 4.552884] ? handle_exception+0x133/0x133 [ 4.552952] ? unregister_dcbevent_notifier+0x10/0x20 [ 4.553022] ? exc_overflow+0x40/0x40 [ 4.553087] ? pti_clone_pgtable+0x1ad/0x310 [ 4.553155] ? exc_overflow+0x40/0x40 [ 4.553220] ? pti_clone_pgtable+0x1ad/0x310 [ 4.553287] ? 0xc8100000 [ 4.553368] ? 0xc8100000 [ 4.553432] ? rest_init+0xb8/0xb8 [ 4.553498] pti_finalize+0x5e/0x80 [ 4.553564] kernel_init+0x66/0x120 [ 4.553629] ret_from_fork+0x38/0x60 [ 4.553695] ? 
rest_init+0xb8/0xb8 [ 4.553761] ret_from_fork_asm+0x12/0x1c [ 4.553827] entry_INT80_32+0xf0/0xf0 [ 4.553895] ---[ end trace 0000000000000000 ]--- [ 4.553961] ------------[ cut here ]------------ [ 4.554026] WARNING: CPU: 1 PID: 1 at arch/x86/mm/pti.c:394 pti_clone_pgtable+0x1af/0x310 [ 4.554114] Modules linked in: [ 4.554178] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 6.10.6 #1 [ 4.554262] Hardware name: null [ 4.554366] EIP: pti_clone_pgtable+0x1af/0x310 [ 4.554433] Code: f8 e8 25 fd ff ff 89 45 d4 85 c0 74 1d 8b 08 31 d2 89 55 f0 8b 75 f0 89 c8 25 80 00 00 00 89 45 ec 8b 45 ec 09 f0 74 13 0f 0b <0f> 0b e9 64 ff ff ff 2e 8d b4 26 00 00 00 00 66 90 89 c8 31 d2 89 [ 4.554549] EAX: 00000080 EBX: 00000000 ECX: 092001e3 EDX: 00000000 [ 4.554618] ESI: 00000000 EDI: c9200000 EBP: c11e1f7c ESP: c11e1f4c [ 4.554687] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010202 [ 4.554758] CR0: 80050033 CR2: c9314e44 CR3: 09cd4000 CR4: 000006f0 [ 4.554828] Call Trace: [ 4.554890] ? show_regs.part.0+0x1c/0x24 [ 4.554957] ? show_regs.cold+0x7/0xc [ 4.555024] ? __warn.cold+0x42/0xe5 [ 4.555089] ? pti_clone_pgtable+0x1af/0x310 [ 4.555156] ? report_bug+0xd7/0x180 [ 4.555223] ? exc_overflow+0x40/0x40 [ 4.555289] ? handle_bug+0x35/0x70 [ 4.555384] ? exc_invalid_op+0x18/0x60 [ 4.555456] ? handle_exception+0x133/0x133 [ 4.555523] ? unregister_dcbevent_notifier+0x10/0x20 [ 4.555592] ? exc_overflow+0x40/0x40 [ 4.555658] ? pti_clone_pgtable+0x1af/0x310 [ 4.555725] ? exc_overflow+0x40/0x40 [ 4.555790] ? pti_clone_pgtable+0x1af/0x310 [ 4.555857] ? 0xc8100000 [ 4.555921] ? 0xc8100000 [ 4.556788] ? rest_init+0xb8/0xb8 [ 4.556854] pti_finalize+0x5e/0x80 [ 4.556920] kernel_init+0x66/0x120 [ 4.556986] ret_from_fork+0x38/0x60 [ 4.557052] ? rest_init+0xb8/0xb8 [ 4.557117] ret_from_fork_asm+0x12/0x1c [ 4.557183] entry_INT80_32+0xf0/0xf0 [ 4.557252] ---[ end trace 0000000000000000 ]---

10 months, 3 weeks


[PATCH v5 RESEND] EDAC/ti: Fix possible null pointer dereference in _emif_get_id()

by Ma Ke

In _emif_get_id(), of_get_address() may return NULL which is later dereferenced. Fix this bug by adding NULL check. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 86a18ee21e5e ("EDAC, ti: Add support for TI keystone and DRA7xx EDAC") Reported-by: kernel test robot <lkp(a)intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202408160935.A6QFliqt-lkp@intel.com/ Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v5: - According to the developer's suggestion, added an inspection of function of_translate_address(). However, kernel test robot reported a build warning, so the inspection is removed here, reverting to the modification solution of patch v3. Changes in v4: - added the check of of_translate_address() as suggestions. Changes in v3: - added the patch operations omitted in PATCH v2 RESEND compared to PATCH v2. Sorry for my oversight. Changes in v2: - added Cc stable line. --- drivers/edac/ti_edac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c index 29723c9592f7..6f3da8d99eab 100644 --- a/drivers/edac/ti_edac.c +++ b/drivers/edac/ti_edac.c @@ -207,6 +207,9 @@ static int _emif_get_id(struct device_node *node) int my_id = 0; addrp = of_get_address(node, 0, NULL, NULL); + if (!addrp) + return -EINVAL; + my_addr = (u32)of_translate_address(node, addrp); for_each_matching_node(np, ti_edac_of_match) { @@ -214,6 +217,9 @@ static int _emif_get_id(struct device_node *node) continue; addrp = of_get_address(np, 0, NULL, NULL); + if (!addrp) + return -EINVAL; + addr = (u32)of_translate_address(np, addrp); edac_printk(KERN_INFO, EDAC_MOD_NAME, -- 2.25.1

10 months, 3 weeks


[PATCH] PCI: dra7xx: Fix threaded IRQ handler registration

by Siddharth Vadapalli

Commit da87d35a6e51 ("PCI: dra7xx: Use threaded IRQ handler for "dra7xx-pcie-main" IRQ") switched from devm_request_irq() to devm_request_threaded_irq(). In this process, the "handler" and the "thread_fn" parameters were erroneously interchanged, with "NULL" being passed as the "handler" and "dra7xx_pcie_irq_handler()" being registered as the function to be called in a threaded interrupt context. Fix this by interchanging the "handler" and "thread_fn" parameters. While at it, correct the indentation. Fixes: da87d35a6e51 ("PCI: dra7xx: Use threaded IRQ handler for "dra7xx-pcie-main" IRQ") Cc: <stable(a)vger.kernel.org> Reported-by: Udit Kumar <u-kumar1(a)ti.com> Signed-off-by: Siddharth Vadapalli <s-vadapalli(a)ti.com> --- Hello, This patch is based on commit d2bafcf224f3 Merge tag 'cgroup-for-6.11-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup of Mainline Linux. Regards, Siddharth. drivers/pci/controller/dwc/pci-dra7xx.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/pci/controller/dwc/pci-dra7xx.c b/drivers/pci/controller/dwc/pci-dra7xx.c index 4fe3b0cb72ec..4c64ac27af40 100644 --- a/drivers/pci/controller/dwc/pci-dra7xx.c +++ b/drivers/pci/controller/dwc/pci-dra7xx.c @@ -849,8 +849,9 @@ static int dra7xx_pcie_probe(struct platform_device *pdev) } dra7xx->mode = mode; - ret = devm_request_threaded_irq(dev, irq, NULL, dra7xx_pcie_irq_handler, - IRQF_SHARED, "dra7xx-pcie-main", dra7xx); + ret = devm_request_threaded_irq(dev, irq, dra7xx_pcie_irq_handler, NULL, + IRQF_SHARED, "dra7xx-pcie-main", + dra7xx); if (ret) { dev_err(dev, "failed to request irq\n"); goto err_gpio; -- 2.40.1
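The effect of swapping the two callback arguments can be illustrated with a small userspace model. This is only a sketch: every `toy_*` name below is hypothetical and none of it is kernel code. It assumes the usual threaded-IRQ behaviour, where a NULL primary handler is replaced by a default one that merely wakes the thread, so the device callback ends up running in thread context instead of hard-IRQ context.

```c
#include <stddef.h>

/* Toy stand-ins for the kernel types; hypothetical, not the real definitions. */
enum toy_irqreturn { TOY_IRQ_NONE, TOY_IRQ_HANDLED, TOY_IRQ_WAKE_THREAD };
enum toy_context { CTX_NONE, CTX_HARDIRQ, CTX_THREAD };

typedef enum toy_irqreturn (*toy_irq_fn)(int irq, void *dev_id);

struct toy_irqaction {
    toy_irq_fn handler;   /* runs first, models hard-IRQ context */
    toy_irq_fn thread_fn; /* runs only if handler asks to wake the thread */
};

static enum toy_context current_ctx = CTX_NONE;
static enum toy_context device_handler_ran_in = CTX_NONE;

/* Models the default primary handler used when handler == NULL. */
static enum toy_irqreturn toy_default_primary(int irq, void *dev_id)
{
    (void)irq;
    (void)dev_id;
    return TOY_IRQ_WAKE_THREAD;
}

/* Models the driver's callback; it records the context it was called in. */
static enum toy_irqreturn toy_device_handler(int irq, void *dev_id)
{
    (void)irq;
    (void)dev_id;
    device_handler_ran_in = current_ctx;
    return TOY_IRQ_HANDLED;
}

/* Models registration: same argument order as (handler, thread_fn). */
static void toy_request(struct toy_irqaction *a, toy_irq_fn handler,
                        toy_irq_fn thread_fn)
{
    a->handler = handler ? handler : toy_default_primary;
    a->thread_fn = thread_fn;
}

/* Models one interrupt; returns the context the device callback ran in. */
static enum toy_context toy_fire(const struct toy_irqaction *a)
{
    enum toy_irqreturn ret;

    device_handler_ran_in = CTX_NONE;
    current_ctx = CTX_HARDIRQ;
    ret = a->handler(0, NULL);
    if (ret == TOY_IRQ_WAKE_THREAD && a->thread_fn) {
        current_ctx = CTX_THREAD;
        a->thread_fn(0, NULL);
    }
    current_ctx = CTX_NONE;
    return device_handler_ran_in;
}
```

In this model, `toy_request(&a, NULL, toy_device_handler)` corresponds to the argument order before the fix and `toy_request(&a, toy_device_handler, NULL)` to the order after it.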

10 months, 3 weeks


+ mm-memcontrol-respect-zswapwriteback-setting-from-parent-cg-too.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/memcontrol: respect zswap.writeback setting from parent cg too has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-memcontrol-respect-zswapwriteback-setting-from-parent-cg-too.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Mike Yuan <me(a)yhndnzj.com> Subject: mm/memcontrol: respect zswap.writeback setting from parent cg too Date: Fri, 23 Aug 2024 16:27:06 +0000 Currently, the behavior of zswap.writeback wrt. the cgroup hierarchy seems a bit odd. Unlike zswap.max, it doesn't honor the value from parent cgroups. This surfaced when people tried to globally disable zswap writeback, i.e. reserve physical swap space only for hibernation [1] - disabling zswap.writeback only for the root cgroup results in subcgroups with zswap.writeback=1 still performing writeback. The inconsistency became more noticeable after I introduced the MemoryZSwapWriteback= systemd unit setting [2] for controlling the knob. The patch assumed that the kernel would enforce the value of parent cgroups. It could probably be workarounded from systemd's side, by going up the slice unit tree and inheriting the value. 
Yet I think it's more sensible to make it behave consistently with zswap.max and friends. [1] https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Disable_zswap_writeback_to_use_the_swap_space_only_for_hibernation [2] https://github.com/systemd/systemd/pull/31734 Link: https://lkml.kernel.org/r/20240823162506.12117-1-me@yhndnzj.com Fixes: 501a06fe8e4c ("zswap: memcontrol: implement zswap writeback disabling") Signed-off-by: Mike Yuan <me(a)yhndnzj.com> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Acked-by: Yosry Ahmed <yosryahmed(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Michal Koutný <mkoutny(a)suse.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Roman Gushchin <roman.gushchin(a)linux.dev> Cc: Shakeel Butt <shakeel.butt(a)linux.dev> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- Documentation/admin-guide/cgroup-v2.rst | 7 ++++--- mm/memcontrol.c | 12 +++++++++--- 2 files changed, 13 insertions(+), 6 deletions(-) --- a/Documentation/admin-guide/cgroup-v2.rst~mm-memcontrol-respect-zswapwriteback-setting-from-parent-cg-too +++ a/Documentation/admin-guide/cgroup-v2.rst @@ -1717,9 +1717,10 @@ The following nested keys are defined. entries fault back in or are written out to disk. memory.zswap.writeback - A read-write single value file. The default value is "1". The - initial value of the root cgroup is 1, and when a new cgroup is - created, it inherits the current value of its parent. + A read-write single value file. The default value is "1". + Note that this setting is hierarchical, i.e. the writeback would be + implicitly disabled for child cgroups if the upper hierarchy + does so. When this is set to 0, all swapping attempts to swapping devices are disabled. 
This included both zswap writebacks, and swapping due --- a/mm/memcontrol.c~mm-memcontrol-respect-zswapwriteback-setting-from-parent-cg-too +++ a/mm/memcontrol.c @@ -3613,8 +3613,7 @@ mem_cgroup_css_alloc(struct cgroup_subsy memcg1_soft_limit_reset(memcg); #ifdef CONFIG_ZSWAP memcg->zswap_max = PAGE_COUNTER_MAX; - WRITE_ONCE(memcg->zswap_writeback, - !parent || READ_ONCE(parent->zswap_writeback)); + WRITE_ONCE(memcg->zswap_writeback, true); #endif page_counter_set_high(&memcg->swap, PAGE_COUNTER_MAX); if (parent) { @@ -5320,7 +5319,14 @@ void obj_cgroup_uncharge_zswap(struct ob bool mem_cgroup_zswap_writeback_enabled(struct mem_cgroup *memcg) { /* if zswap is disabled, do not block pages going to the swapping device */ - return !zswap_is_enabled() || !memcg || READ_ONCE(memcg->zswap_writeback); + if (!zswap_is_enabled()) + return true; + + for (; memcg; memcg = parent_mem_cgroup(memcg)) + if (!READ_ONCE(memcg->zswap_writeback)) + return false; + + return true; } static u64 zswap_current_read(struct cgroup_subsys_state *css, _ Patches currently in -mm which might be from me(a)yhndnzj.com are mm-memcontrol-respect-zswapwriteback-setting-from-parent-cg-too.patch documentation-cgroup-v2-clarify-that-zswapwriteback-is-ignored-if-zswap-is-disabled.patch selftests-test_zswap-add-test-for-hierarchical-zswapwriteback.patch

10 months, 3 weeks


patch "usb: cdnsp: fix for Link TRB with TC" added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: cdnsp: fix for Link TRB with TC to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. From 740f2e2791b98e47288b3814c83a3f566518fed2 Mon Sep 17 00:00:00 2001 From: Pawel Laszczak <pawell(a)cadence.com> Date: Wed, 21 Aug 2024 06:07:42 +0000 Subject: usb: cdnsp: fix for Link TRB with TC Stop Endpoint command on LINK TRB with TC bit set to 1 causes that internal cycle bit can have incorrect state after command complete. In consequence empty transfer ring can be incorrectly detected when EP is resumed. NOP TRB before LINK TRB avoid such scenario. Stop Endpoint command is then on NOP TRB and internal cycle bit is not changed and have correct value. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: <stable(a)vger.kernel.org> Signed-off-by: Pawel Laszczak <pawell(a)cadence.com> Reviewed-by: Peter Chen <peter.chen(a)kernel.org> Link: https://lore.kernel.org/r/PH7PR07MB953878279F375CCCE6C6F40FDD8E2@PH7PR07MB9… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/cdns3/cdnsp-gadget.h | 3 +++ drivers/usb/cdns3/cdnsp-ring.c | 28 ++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h index dbee6f085277..84887dfea763 100644 --- a/drivers/usb/cdns3/cdnsp-gadget.h +++ b/drivers/usb/cdns3/cdnsp-gadget.h @@ -811,6 +811,7 @@ struct cdnsp_stream_info { * generate Missed Service Error Event. * Set skip flag when receive a Missed Service Error Event and * process the missed tds on the endpoint ring. 
+ * @wa1_nop_trb: hold pointer to NOP trb. */ struct cdnsp_ep { struct usb_ep endpoint; @@ -838,6 +839,8 @@ struct cdnsp_ep { #define EP_UNCONFIGURED BIT(7) bool skip; + union cdnsp_trb *wa1_nop_trb; + }; /** diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c index a60c0cb991cd..dbd83d321bca 100644 --- a/drivers/usb/cdns3/cdnsp-ring.c +++ b/drivers/usb/cdns3/cdnsp-ring.c @@ -1904,6 +1904,23 @@ int cdnsp_queue_bulk_tx(struct cdnsp_device *pdev, struct cdnsp_request *preq) if (ret) return ret; + /* + * workaround 1: STOP EP command on LINK TRB with TC bit set to 1 + * causes that internal cycle bit can have incorrect state after + * command complete. In consequence empty transfer ring can be + * incorrectly detected when EP is resumed. + * NOP TRB before LINK TRB avoid such scenario. STOP EP command is + * then on NOP TRB and internal cycle bit is not changed and have + * correct value. + */ + if (pep->wa1_nop_trb) { + field = le32_to_cpu(pep->wa1_nop_trb->trans_event.flags); + field ^= TRB_CYCLE; + + pep->wa1_nop_trb->trans_event.flags = cpu_to_le32(field); + pep->wa1_nop_trb = NULL; + } + /* * Don't give the first TRB to the hardware (by toggling the cycle bit) * until we've finished creating all the other TRBs. The ring's cycle @@ -1999,6 +2016,17 @@ int cdnsp_queue_bulk_tx(struct cdnsp_device *pdev, struct cdnsp_request *preq) send_addr = addr; } + if (cdnsp_trb_is_link(ring->enqueue + 1)) { + field = TRB_TYPE(TRB_TR_NOOP) | TRB_IOC; + if (!ring->cycle_state) + field |= TRB_CYCLE; + + pep->wa1_nop_trb = ring->enqueue; + + cdnsp_queue_trb(pdev, ring, 0, 0x0, 0x0, + TRB_INTR_TARGET(0), field); + } + cdnsp_check_trb_math(preq, enqd_len); ret = cdnsp_giveback_first_trb(pdev, pep, preq->request.stream_id, start_cycle, start_trb); -- 2.46.0
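The cycle-bit handling in the workaround above can be modelled in isolation. The following is a simplified sketch, not driver code: the `toy_*` names are hypothetical, the cycle bit is assumed to be bit 0 of the flags word, and ownership is assumed to follow the usual ring convention where the controller only consumes a TRB whose cycle bit matches the ring's current cycle state. Under those assumptions, the NOP TRB is queued with an inverted cycle bit (parked) and handed over later by toggling that bit.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed position of the cycle bit; hypothetical stand-in for TRB_CYCLE. */
#define TOY_TRB_CYCLE (1u << 0)

/*
 * Build flags for a parked NOP TRB: the cycle bit is the inverse of the
 * ring's cycle state, so the controller does not consume the TRB yet.
 */
static uint32_t toy_parked_nop_flags(uint32_t type_bits, bool ring_cycle_state)
{
    uint32_t field = type_bits & ~TOY_TRB_CYCLE;

    if (!ring_cycle_state)
        field |= TOY_TRB_CYCLE;
    return field;
}

/* In this model the controller owns a TRB when the cycle bit matches. */
static bool toy_hw_owns(uint32_t flags, bool ring_cycle_state)
{
    return ((flags & TOY_TRB_CYCLE) != 0) == ring_cycle_state;
}

/* Hand the parked TRB to the controller by toggling its cycle bit. */
static uint32_t toy_release(uint32_t flags)
{
    return flags ^ TOY_TRB_CYCLE;
}
```

The XOR in `toy_release()` mirrors the `field ^= TRB_CYCLE` step in the patch; the endianness conversions done by the driver are left out of the model.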

10 months, 3 weeks


[PATCH v2] drm/i915/dp_mst: Fix MST state after a sink reset

by Imre Deak

In some cases the sink can reset itself after it was configured into MST mode, without the driver noticing the disconnected state. For instance the reset may happen in the middle of a modeset, or the (long) HPD pulse generated may be not long enough for the encoder detect handler to observe the HPD's deasserted state. In this case the sink's DPCD register programmed to enable MST will be reset, while the driver still assumes MST is still enabled. Detect this condition, which will tear down and recreate/re-enable the MST topology. v2: - Add a code comment about adjusting the expected DP_MSTM_CTRL register value for SST + SideBand. (Suraj, Jani) - Print a debug message about detecting the link reset. (Jani) - Verify the DPCD MST state only if it wasn't already determined that the sink is disconnected. Cc: stable(a)vger.kernel.org Cc: Jani Nikula <jani.nikula(a)intel.com> Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/11195 Reviewed-by: Suraj Kandpal <suraj.kandpal(a)intel.com> (v1) Signed-off-by: Imre Deak <imre.deak(a)intel.com> --- drivers/gpu/drm/i915/display/intel_dp.c | 12 +++++++ drivers/gpu/drm/i915/display/intel_dp_mst.c | 40 +++++++++++++++++++++ drivers/gpu/drm/i915/display/intel_dp_mst.h | 1 + 3 files changed, 53 insertions(+) diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c index 6a0c7ae654f40..789c2f78826d0 100644 --- a/drivers/gpu/drm/i915/display/intel_dp.c +++ b/drivers/gpu/drm/i915/display/intel_dp.c @@ -5999,6 +5999,18 @@ intel_dp_detect(struct drm_connector *connector, else status = connector_status_disconnected; + if (status != connector_status_disconnected && + !intel_dp_mst_verify_dpcd_state(intel_dp)) + /* + * This requires retrying detection for instance to re-enable + * the MST mode that got reset via a long HPD pulse. 
The retry + * will happen either via the hotplug handler's retry logic, + * ensured by setting the connector here to SST/disconnected, + * or via a userspace connector probing in response to the + * hotplug uevent sent when removing the MST connectors. + */ + status = connector_status_disconnected; + if (status == connector_status_disconnected) { memset(&intel_dp->compliance, 0, sizeof(intel_dp->compliance)); memset(intel_connector->dp.dsc_dpcd, 0, sizeof(intel_connector->dp.dsc_dpcd)); diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.c b/drivers/gpu/drm/i915/display/intel_dp_mst.c index 45d2230d1801b..15541932b809e 100644 --- a/drivers/gpu/drm/i915/display/intel_dp_mst.c +++ b/drivers/gpu/drm/i915/display/intel_dp_mst.c @@ -2062,3 +2062,43 @@ void intel_dp_mst_prepare_probe(struct intel_dp *intel_dp) intel_mst_set_probed_link_params(intel_dp, link_rate, lane_count); } + +/* + * intel_dp_mst_verify_dpcd_state - verify the MST SW enabled state wrt. the DPCD + * @intel_dp: DP port object + * + * Verify if @intel_dp's MST enabled SW state matches the corresponding DPCD + * state. A long HPD pulse - not long enough to be detected as a disconnected + * state - could've reset the DPCD state, which requires tearing + * down/recreating the MST topology. + * + * Returns %true if the SW MST enabled and DPCD states match, %false + * otherwise. + */ +bool intel_dp_mst_verify_dpcd_state(struct intel_dp *intel_dp) +{ + struct intel_display *display = to_intel_display(intel_dp); + struct intel_connector *connector = intel_dp->attached_connector; + struct intel_digital_port *dig_port = dp_to_dig_port(intel_dp); + struct intel_encoder *encoder = &dig_port->base; + int ret; + u8 val; + + if (!intel_dp->is_mst) + return true; + + ret = drm_dp_dpcd_readb(intel_dp->mst_mgr.aux, DP_MSTM_CTRL, &val); + + /* Adjust the expected register value for SST + SideBand. 
*/ + if (ret < 0 || val != (DP_MST_EN | DP_UP_REQ_EN | DP_UPSTREAM_IS_SRC)) { + drm_dbg_kms(display->drm, + "[CONNECTOR:%d:%s][ENCODER:%d:%s] MST mode got reset, removing topology (ret=%d, ctrl=0x%02x)\n", + connector->base.base.id, connector->base.name, + encoder->base.base.id, encoder->base.name, + ret, val); + + return false; + } + + return true; +} diff --git a/drivers/gpu/drm/i915/display/intel_dp_mst.h b/drivers/gpu/drm/i915/display/intel_dp_mst.h index fba76454fa67f..8343804ce3f8d 100644 --- a/drivers/gpu/drm/i915/display/intel_dp_mst.h +++ b/drivers/gpu/drm/i915/display/intel_dp_mst.h @@ -28,5 +28,6 @@ int intel_dp_mst_atomic_check_link(struct intel_atomic_state *state, bool intel_dp_mst_crtc_needs_modeset(struct intel_atomic_state *state, struct intel_crtc *crtc); void intel_dp_mst_prepare_probe(struct intel_dp *intel_dp); +bool intel_dp_mst_verify_dpcd_state(struct intel_dp *intel_dp); #endif /* __INTEL_DP_MST_H__ */ -- 2.44.2
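The decision made by the verification helper in the patch above can be sketched as a pure function. This is a userspace model under stated assumptions: the `toy_*` names are hypothetical, the three control bits are assumed to occupy bits 0 to 2 of the register, and the AUX read is replaced by a return code and a value passed in by the caller.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed bit positions; hypothetical stand-ins for the DP_MSTM_CTRL flags. */
#define TOY_MST_EN          (1u << 0)
#define TOY_UP_REQ_EN       (1u << 1)
#define TOY_UPSTREAM_IS_SRC (1u << 2)

/*
 * Returns true when the software MST state and the register value agree.
 * sw_is_mst: what the driver believes; read_ret: result of the register
 * read (negative on failure); ctrl: the value that was read.
 */
static bool toy_mst_state_matches(bool sw_is_mst, int read_ret, uint8_t ctrl)
{
    const uint8_t expected =
        TOY_MST_EN | TOY_UP_REQ_EN | TOY_UPSTREAM_IS_SRC;

    if (!sw_is_mst)
        return true;   /* nothing to verify outside MST mode */
    if (read_ret < 0)
        return false;  /* a failed read is treated as a mismatch */
    return ctrl == expected;
}
```

A sink that reset itself would report the register as 0, so `toy_mst_state_matches(true, 1, 0)` is false, which in the patch leads to the connector being reported as disconnected so that detection is retried.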

10 months, 3 weeks


[PATCH v3 1/3] mm/memcontrol: respect zswap.writeback setting from parent cg too

by Mike Yuan

Currently, the behavior of zswap.writeback wrt. the cgroup hierarchy seems a bit odd. Unlike zswap.max, it doesn't honor the value from parent cgroups. This surfaced when people tried to globally disable zswap writeback, i.e. reserve physical swap space only for hibernation [1] - disabling zswap.writeback only for the root cgroup results in subcgroups with zswap.writeback=1 still performing writeback. The inconsistency became more noticeable after I introduced the MemoryZSwapWriteback= systemd unit setting [2] for controlling the knob. The patch assumed that the kernel would enforce the value of parent cgroups. It could probably be workarounded from systemd's side, by going up the slice unit tree and inheriting the value. Yet I think it's more sensible to make it behave consistently with zswap.max and friends. [1] https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Dis… [2] https://github.com/systemd/systemd/pull/31734 Changes in v3: - Additionally drop inheritance of zswap.writeback setting on cgroup creation, which is no longer needed Link to v2: https://lore.kernel.org/linux-kernel/20240816144344.18135-1-me@yhndnzj.com/ Changes in v2: - Actually base on latest tree (is_zswap_enabled() -> zswap_is_enabled()) - Update Documentation/admin-guide/cgroup-v2.rst to reflect the change Link to v1: https://lore.kernel.org/linux-kernel/20240814171800.23558-1-me@yhndnzj.com/ Cc: Nhat Pham <nphamcs(a)gmail.com> Cc: Yosry Ahmed <yosryahmed(a)google.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Michal Koutný <mkoutny(a)suse.com> Fixes: 501a06fe8e4c ("zswap: memcontrol: implement zswap writeback disabling") Cc: <stable(a)vger.kernel.org> Signed-off-by: Mike Yuan <me(a)yhndnzj.com> Reviewed-by: Nhat Pham <nphamcs(a)gmail.com> Acked-by: Yosry Ahmed <yosryahmed(a)google.com> --- Documentation/admin-guide/cgroup-v2.rst | 7 ++++--- mm/memcontrol.c | 12 +++++++++--- 2 files changed, 13 insertions(+), 6 
deletions(-) diff --git a/Documentation/admin-guide/cgroup-v2.rst b/Documentation/admin-guide/cgroup-v2.rst index 86311c2907cd..95c18bc17083 100644 --- a/Documentation/admin-guide/cgroup-v2.rst +++ b/Documentation/admin-guide/cgroup-v2.rst @@ -1717,9 +1717,10 @@ The following nested keys are defined. entries fault back in or are written out to disk. memory.zswap.writeback - A read-write single value file. The default value is "1". The - initial value of the root cgroup is 1, and when a new cgroup is - created, it inherits the current value of its parent. + A read-write single value file. The default value is "1". + Note that this setting is hierarchical, i.e. the writeback would be + implicitly disabled for child cgroups if the upper hierarchy + does so. When this is set to 0, all swapping attempts to swapping devices are disabled. This included both zswap writebacks, and swapping due diff --git a/mm/memcontrol.c b/mm/memcontrol.c index f29157288b7d..d563fb515766 100644 --- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -3613,8 +3613,7 @@ mem_cgroup_css_alloc(struct cgroup_subsys_state *parent_css) memcg1_soft_limit_reset(memcg); #ifdef CONFIG_ZSWAP memcg->zswap_max = PAGE_COUNTER_MAX; - WRITE_ONCE(memcg->zswap_writeback, - !parent || READ_ONCE(parent->zswap_writeback)); + WRITE_ONCE(memcg->zswap_writeback, true); #endif page_counter_set_high(&memcg->swap, PAGE_COUNTER_MAX); if (parent) { @@ -5320,7 +5319,14 @@ void obj_cgroup_uncharge_zswap(struct obj_cgroup *objcg, size_t size) bool mem_cgroup_zswap_writeback_enabled(struct mem_cgroup *memcg) { /* if zswap is disabled, do not block pages going to the swapping device */ - return !zswap_is_enabled() || !memcg || READ_ONCE(memcg->zswap_writeback); + if (!zswap_is_enabled()) + return true; + + for (; memcg; memcg = parent_mem_cgroup(memcg)) + if (!READ_ONCE(memcg->zswap_writeback)) + return false; + + return true; } static u64 zswap_current_read(struct cgroup_subsys_state *css, base-commit: 
47ac09b91befbb6a235ab620c32af719f8208399 -- 2.46.0
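The hierarchical check introduced by this patch can be tried out in userspace with a minimal model. The sketch below is illustrative only: `struct toy_memcg` and `toy_writeback_enabled()` are hypothetical names, the parent pointer stands in for `parent_mem_cgroup()`, and the global zswap state is passed in as a parameter instead of being queried.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, stripped-down stand-in for struct mem_cgroup. */
struct toy_memcg {
    struct toy_memcg *parent; /* NULL for the root cgroup */
    bool zswap_writeback;     /* this cgroup's own setting */
};

/*
 * Writeback is allowed only if no cgroup on the path from memcg up to
 * the root has disabled it. If zswap itself is disabled, nothing is
 * blocked, matching the early return in the patch.
 */
static bool toy_writeback_enabled(const struct toy_memcg *memcg,
                                  bool zswap_enabled)
{
    if (!zswap_enabled)
        return true;

    for (; memcg; memcg = memcg->parent)
        if (!memcg->zswap_writeback)
            return false;

    return true;
}
```

With a root that has the setting at 0 and a child left at the default 1, the walk returns false for the child, which is the case described in the commit message. Before the patch only the child's own value was consulted.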

10 months, 3 weeks


[PATCH] pinctrl: single: fix potential NULL dereference in pcs_get_function()

by Ma Ke

pinmux_generic_get_function() can return NULL and the pointer 'function' was dereferenced without checking against NULL. Add checking of pointer 'function' in pcs_get_function(). Found by code review. Cc: stable(a)vger.kernel.org Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/pinctrl/pinctrl-single.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c index 4c6bfabb6bd7..4da3c3f422b6 100644 --- a/drivers/pinctrl/pinctrl-single.c +++ b/drivers/pinctrl/pinctrl-single.c @@ -345,6 +345,8 @@ static int pcs_get_function(struct pinctrl_dev *pctldev, unsigned pin, return -ENOTSUPP; fselector = setting->func; function = pinmux_generic_get_function(pctldev, fselector); + if (!function) + return -EINVAL; *func = function->data; if (!(*func)) { dev_err(pcs->dev, "%s could not find function%i\n", -- 2.25.1

10 months, 3 weeks


[PATCH net 1/3] net: txgbe: add IO address in I2C platform device data

by Jiawen Wu

Consider the necessity of reading/writing the IO address to acquire and release the lock between software and firmware, add the IO address as the platform data to register I2C platform device. Cc: stable(a)vger.kernel.org Fixes: c625e72561f6 ("net: txgbe: Register I2C platform device") Signed-off-by: Jiawen Wu <jiawenwu(a)trustnetic.com> --- drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c | 5 +++++ include/linux/platform_data/i2c-wx.h | 11 +++++++++++ 2 files changed, 16 insertions(+) create mode 100644 include/linux/platform_data/i2c-wx.h diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c index 5f502265f0a6..781a3a34aa4c 100644 --- a/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c +++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c @@ -9,6 +9,7 @@ #include <linux/i2c.h> #include <linux/pci.h> #include <linux/platform_device.h> +#include <linux/platform_data/i2c-wx.h> #include <linux/regmap.h> #include <linux/pcs/pcs-xpcs.h> #include <linux/phylink.h> @@ -618,6 +619,7 @@ static const struct regmap_config i2c_regmap_config = { static int txgbe_i2c_register(struct txgbe *txgbe) { + struct txgbe_i2c_platform_data pdata = {}; struct platform_device_info info = {}; struct platform_device *i2c_dev; struct regmap *i2c_regmap; @@ -636,6 +638,9 @@ static int txgbe_i2c_register(struct txgbe *txgbe) info.fwnode = software_node_fwnode(txgbe->nodes.group[SWNODE_I2C]); info.name = "i2c_designware"; info.id = pci_dev_id(pdev); + pdata.hw_addr = wx->hw_addr; + info.data = &pdata; + info.size_data = sizeof(pdata); info.res = &DEFINE_RES_IRQ(pdev->irq); info.num_res = 1; diff --git a/include/linux/platform_data/i2c-wx.h b/include/linux/platform_data/i2c-wx.h new file mode 100644 index 000000000000..b46777fa1d85 --- /dev/null +++ b/include/linux/platform_data/i2c-wx.h @@ -0,0 +1,11 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* Copyright (c) 2015 - 2024 Beijing WangXun Technology Co., Ltd. 
*/ + +#ifndef _I2C_WX_H_ +#define _I2C_WX_H_ + +struct txgbe_i2c_platform_data { + void __iomem *hw_addr; +}; + +#endif /* _I2C_WX_H_ */ -- 2.27.0

10 months, 3 weeks


[PATCH AUTOSEL 4.19 1/6] usbnet: ipheth: race between ipheth_close and error handling

by Sasha Levin

From: Oliver Neukum <oneukum(a)suse.com> [ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] ipheth_sndbulk_callback() can submit carrier_work as a part of its error handling. That means that the driver must make sure that the work is cancelled after it has made sure that no more URB can terminate with an error condition. Hence the order of actions in ipheth_close() needs to be inverted. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Foster Snowhill <forst(a)pen.gy> Tested-by: Georgi Valkov <gvalkov(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/usb/ipheth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index cea005cc7b2ab..c762335587a43 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -407,8 +407,8 @@ static int ipheth_close(struct net_device *net) { struct ipheth_device *dev = netdev_priv(net); - cancel_delayed_work_sync(&dev->carrier_work); netif_stop_queue(net); + cancel_delayed_work_sync(&dev->carrier_work); return 0; } -- 2.43.0

10 months, 3 weeks


[PATCH AUTOSEL 5.4 1/7] usbnet: ipheth: race between ipheth_close and error handling

by Sasha Levin

From: Oliver Neukum <oneukum(a)suse.com> [ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] ipheth_sndbulk_callback() can submit carrier_work as a part of its error handling. That means that the driver must make sure that the work is cancelled after it has made sure that no more URB can terminate with an error condition. Hence the order of actions in ipheth_close() needs to be inverted. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Foster Snowhill <forst(a)pen.gy> Tested-by: Georgi Valkov <gvalkov(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/usb/ipheth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index 73ad78f47763c..7814856636907 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net) { struct ipheth_device *dev = netdev_priv(net); - cancel_delayed_work_sync(&dev->carrier_work); netif_stop_queue(net); + cancel_delayed_work_sync(&dev->carrier_work); return 0; } -- 2.43.0

10 months, 3 weeks


[PATCH AUTOSEL 5.10 1/9] usbnet: ipheth: race between ipheth_close and error handling

by Sasha Levin

From: Oliver Neukum <oneukum(a)suse.com> [ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] ipheth_sndbulk_callback() can submit carrier_work as a part of its error handling. That means that the driver must make sure that the work is cancelled after it has made sure that no more URB can terminate with an error condition. Hence the order of actions in ipheth_close() needs to be inverted. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Foster Snowhill <forst(a)pen.gy> Tested-by: Georgi Valkov <gvalkov(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/usb/ipheth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index 06d9f19ca142a..0774d753dd316 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net) { struct ipheth_device *dev = netdev_priv(net); - cancel_delayed_work_sync(&dev->carrier_work); netif_stop_queue(net); + cancel_delayed_work_sync(&dev->carrier_work); return 0; } -- 2.43.0

10 months, 3 weeks


[PATCH AUTOSEL 5.15 1/9] usbnet: ipheth: race between ipheth_close and error handling

by Sasha Levin

From: Oliver Neukum <oneukum(a)suse.com> [ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ] ipheth_sndbulk_callback() can submit carrier_work as a part of its error handling. That means that the driver must make sure that the work is cancelled after it has made sure that no more URB can terminate with an error condition. Hence the order of actions in ipheth_close() needs to be inverted. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Signed-off-by: Foster Snowhill <forst(a)pen.gy> Tested-by: Georgi Valkov <gvalkov(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/net/usb/ipheth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c index d56e276e4d805..4485388dcff2e 100644 --- a/drivers/net/usb/ipheth.c +++ b/drivers/net/usb/ipheth.c @@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net) { struct ipheth_device *dev = netdev_priv(net); - cancel_delayed_work_sync(&dev->carrier_work); netif_stop_queue(net); + cancel_delayed_work_sync(&dev->carrier_work); return 0; } -- 2.43.0

10 months, 3 weeks


[PATCH AUTOSEL 6.1 01/13] ksmbd: override fsids for share path check

by Sasha Levin

From: Namjae Jeon <linkinjeon(a)kernel.org> [ Upstream commit a018c1b636e79b60149b41151ded7c2606d8606e ] Sangsoo reported that a DAC denial error occurred when accessing files through the ksmbd thread. This patch override fsids for share path check. Reported-by: Sangsoo Lee <constant.lee(a)samsung.com> Signed-off-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- fs/smb/server/mgmt/share_config.c | 15 ++++++++++++--- fs/smb/server/mgmt/share_config.h | 4 +++- fs/smb/server/mgmt/tree_connect.c | 9 +++++---- fs/smb/server/mgmt/tree_connect.h | 4 ++-- fs/smb/server/smb2pdu.c | 2 +- fs/smb/server/smb_common.c | 9 +++++++-- fs/smb/server/smb_common.h | 2 ++ 7 files changed, 32 insertions(+), 13 deletions(-) diff --git a/fs/smb/server/mgmt/share_config.c b/fs/smb/server/mgmt/share_config.c index e0a6b758094fc..d8d03070ae44b 100644 --- a/fs/smb/server/mgmt/share_config.c +++ b/fs/smb/server/mgmt/share_config.c @@ -15,6 +15,7 @@ #include "share_config.h" #include "user_config.h" #include "user_session.h" +#include "../connection.h" #include "../transport_ipc.h" #include "../misc.h" @@ -120,12 +121,13 @@ static int parse_veto_list(struct ksmbd_share_config *share, return 0; } -static struct ksmbd_share_config *share_config_request(struct unicode_map *um, +static struct ksmbd_share_config *share_config_request(struct ksmbd_work *work, const char *name) { struct ksmbd_share_config_response *resp; struct ksmbd_share_config *share = NULL; struct ksmbd_share_config *lookup; + struct unicode_map *um = work->conn->um; int ret; resp = ksmbd_ipc_share_config_request(name); @@ -181,7 +183,14 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um, KSMBD_SHARE_CONFIG_VETO_LIST(resp), resp->veto_list_sz); if (!ret && share->path) { + if (__ksmbd_override_fsids(work, share)) { + kill_share(share); + share = NULL; + goto out; + } + ret = kern_path(share->path, 0, 
&share->vfs_path); + ksmbd_revert_fsids(work); if (ret) { ksmbd_debug(SMB, "failed to access '%s'\n", share->path); @@ -214,7 +223,7 @@ static struct ksmbd_share_config *share_config_request(struct unicode_map *um, return share; } -struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, +struct ksmbd_share_config *ksmbd_share_config_get(struct ksmbd_work *work, const char *name) { struct ksmbd_share_config *share; @@ -227,7 +236,7 @@ struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, if (share) return share; - return share_config_request(um, name); + return share_config_request(work, name); } bool ksmbd_share_veto_filename(struct ksmbd_share_config *share, diff --git a/fs/smb/server/mgmt/share_config.h b/fs/smb/server/mgmt/share_config.h index 5f591751b9236..d4ac2dd4de204 100644 --- a/fs/smb/server/mgmt/share_config.h +++ b/fs/smb/server/mgmt/share_config.h @@ -11,6 +11,8 @@ #include <linux/path.h> #include <linux/unicode.h> +struct ksmbd_work; + struct ksmbd_share_config { char *name; char *path; @@ -68,7 +70,7 @@ static inline void ksmbd_share_config_put(struct ksmbd_share_config *share) __ksmbd_share_config_put(share); } -struct ksmbd_share_config *ksmbd_share_config_get(struct unicode_map *um, +struct ksmbd_share_config *ksmbd_share_config_get(struct ksmbd_work *work, const char *name); bool ksmbd_share_veto_filename(struct ksmbd_share_config *share, const char *filename); diff --git a/fs/smb/server/mgmt/tree_connect.c b/fs/smb/server/mgmt/tree_connect.c index d2c81a8a11dda..94a52a75014a4 100644 --- a/fs/smb/server/mgmt/tree_connect.c +++ b/fs/smb/server/mgmt/tree_connect.c @@ -16,17 +16,18 @@ #include "user_session.h" struct ksmbd_tree_conn_status -ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, - const char *share_name) +ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name) { struct ksmbd_tree_conn_status status = {-ENOENT, NULL}; struct ksmbd_tree_connect_response *resp 
= NULL; struct ksmbd_share_config *sc; struct ksmbd_tree_connect *tree_conn = NULL; struct sockaddr *peer_addr; + struct ksmbd_conn *conn = work->conn; + struct ksmbd_session *sess = work->sess; int ret; - sc = ksmbd_share_config_get(conn->um, share_name); + sc = ksmbd_share_config_get(work, share_name); if (!sc) return status; @@ -61,7 +62,7 @@ ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, struct ksmbd_share_config *new_sc; ksmbd_share_config_del(sc); - new_sc = ksmbd_share_config_get(conn->um, share_name); + new_sc = ksmbd_share_config_get(work, share_name); if (!new_sc) { pr_err("Failed to update stale share config\n"); status.ret = -ESTALE; diff --git a/fs/smb/server/mgmt/tree_connect.h b/fs/smb/server/mgmt/tree_connect.h index 6377a70b811c8..a42cdd0510411 100644 --- a/fs/smb/server/mgmt/tree_connect.h +++ b/fs/smb/server/mgmt/tree_connect.h @@ -13,6 +13,7 @@ struct ksmbd_share_config; struct ksmbd_user; struct ksmbd_conn; +struct ksmbd_work; enum { TREE_NEW = 0, @@ -50,8 +51,7 @@ static inline int test_tree_conn_flag(struct ksmbd_tree_connect *tree_conn, struct ksmbd_session; struct ksmbd_tree_conn_status -ksmbd_tree_conn_connect(struct ksmbd_conn *conn, struct ksmbd_session *sess, - const char *share_name); +ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name); void ksmbd_tree_connect_put(struct ksmbd_tree_connect *tcon); int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess, diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 4ba6bf1535da1..d97c7982bb3ee 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -1971,7 +1971,7 @@ int smb2_tree_connect(struct ksmbd_work *work) ksmbd_debug(SMB, "tree connect request for tree %s treename %s\n", name, treename); - status = ksmbd_tree_conn_connect(conn, sess, name); + status = ksmbd_tree_conn_connect(work, name); if (status.ret == KSMBD_TREE_CONN_STATUS_OK) rsp->hdr.Id.SyncId.TreeId = cpu_to_le32(status.tree_conn->id); else diff 
--git a/fs/smb/server/smb_common.c b/fs/smb/server/smb_common.c index e90a1e8c1951d..bdcdc0fc9cad5 100644 --- a/fs/smb/server/smb_common.c +++ b/fs/smb/server/smb_common.c @@ -729,10 +729,10 @@ bool is_asterisk(char *p) return p && p[0] == '*'; } -int ksmbd_override_fsids(struct ksmbd_work *work) +int __ksmbd_override_fsids(struct ksmbd_work *work, + struct ksmbd_share_config *share) { struct ksmbd_session *sess = work->sess; - struct ksmbd_share_config *share = work->tcon->share_conf; struct cred *cred; struct group_info *gi; unsigned int uid; @@ -772,6 +772,11 @@ int ksmbd_override_fsids(struct ksmbd_work *work) return 0; } +int ksmbd_override_fsids(struct ksmbd_work *work) +{ + return __ksmbd_override_fsids(work, work->tcon->share_conf); +} + void ksmbd_revert_fsids(struct ksmbd_work *work) { const struct cred *cred; diff --git a/fs/smb/server/smb_common.h b/fs/smb/server/smb_common.h index f1092519c0c28..4a3148b0167f5 100644 --- a/fs/smb/server/smb_common.h +++ b/fs/smb/server/smb_common.h @@ -447,6 +447,8 @@ int ksmbd_extract_shortname(struct ksmbd_conn *conn, int ksmbd_smb_negotiate_common(struct ksmbd_work *work, unsigned int command); int ksmbd_smb_check_shared_mode(struct file *filp, struct ksmbd_file *curr_fp); +int __ksmbd_override_fsids(struct ksmbd_work *work, + struct ksmbd_share_config *share); int ksmbd_override_fsids(struct ksmbd_work *work); void ksmbd_revert_fsids(struct ksmbd_work *work); -- 2.43.0

10 months, 3 weeks


[PATCH net] net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response

by Haiyang Zhang

The mana_hwc_rx_event_handler() / mana_hwc_handle_resp() calls complete(&ctx->comp_event) before posting the wqe back. It's possible that other callers, like mana_create_txq(), start the next round of mana_hwc_send_request() before the posting of wqe. And if the HW is fast enough to respond, it can hit no_wqe error on the HW channel, then the response message is lost. The mana driver may fail to create queues and open, because of waiting for the HW response and timed out. Sample dmesg: [ 528.610840] mana 39d4:00:02.0: HWC: Request timed out! [ 528.614452] mana 39d4:00:02.0: Failed to send mana message: -110, 0x0 [ 528.618326] mana 39d4:00:02.0 enP14804s2: Failed to create WQ object: -110 To fix it, move posting of rx wqe before complete(&ctx->comp_event). Cc: stable(a)vger.kernel.org Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Haiyang Zhang <haiyangz(a)microsoft.com> --- .../net/ethernet/microsoft/mana/hw_channel.c | 62 ++++++++++--------- 1 file changed, 34 insertions(+), 28 deletions(-) diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c index cafded2f9382..a00f915c5188 100644 --- a/drivers/net/ethernet/microsoft/mana/hw_channel.c +++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c @@ -52,9 +52,33 @@ static int mana_hwc_verify_resp_msg(const struct hwc_caller_ctx *caller_ctx, return 0; } +static int mana_hwc_post_rx_wqe(const struct hwc_wq *hwc_rxq, + struct hwc_work_request *req) +{ + struct device *dev = hwc_rxq->hwc->dev; + struct gdma_sge *sge; + int err; + + sge = &req->sge; + sge->address = (u64)req->buf_sge_addr; + sge->mem_key = hwc_rxq->msg_buf->gpa_mkey; + sge->size = req->buf_len; + + memset(&req->wqe_req, 0, sizeof(struct gdma_wqe_request)); + req->wqe_req.sgl = sge; + req->wqe_req.num_sge = 1; + req->wqe_req.client_data_unit = 0; + + err = mana_gd_post_and_ring(hwc_rxq->gdma_wq, &req->wqe_req, NULL); + if (err) + dev_err(dev, 
"Failed to post WQE on HWC RQ: %d\n", err); + return err; +} + static void mana_hwc_handle_resp(struct hw_channel_context *hwc, u32 resp_len, - const struct gdma_resp_hdr *resp_msg) + struct hwc_work_request *rx_req) { + const struct gdma_resp_hdr *resp_msg = rx_req->buf_va; struct hwc_caller_ctx *ctx; int err; @@ -62,6 +86,7 @@ static void mana_hwc_handle_resp(struct hw_channel_context *hwc, u32 resp_len, hwc->inflight_msg_res.map)) { dev_err(hwc->dev, "hwc_rx: invalid msg_id = %u\n", resp_msg->response.hwc_msg_id); + mana_hwc_post_rx_wqe(hwc->rxq, rx_req); return; } @@ -75,30 +100,13 @@ static void mana_hwc_handle_resp(struct hw_channel_context *hwc, u32 resp_len, memcpy(ctx->output_buf, resp_msg, resp_len); out: ctx->error = err; - complete(&ctx->comp_event); -} - -static int mana_hwc_post_rx_wqe(const struct hwc_wq *hwc_rxq, - struct hwc_work_request *req) -{ - struct device *dev = hwc_rxq->hwc->dev; - struct gdma_sge *sge; - int err; - - sge = &req->sge; - sge->address = (u64)req->buf_sge_addr; - sge->mem_key = hwc_rxq->msg_buf->gpa_mkey; - sge->size = req->buf_len; - memset(&req->wqe_req, 0, sizeof(struct gdma_wqe_request)); - req->wqe_req.sgl = sge; - req->wqe_req.num_sge = 1; - req->wqe_req.client_data_unit = 0; + /* Must post rx wqe before complete(), otherwise the next rx may + * hit no_wqe error. + */ + mana_hwc_post_rx_wqe(hwc->rxq, rx_req); - err = mana_gd_post_and_ring(hwc_rxq->gdma_wq, &req->wqe_req, NULL); - if (err) - dev_err(dev, "Failed to post WQE on HWC RQ: %d\n", err); - return err; + complete(&ctx->comp_event); } static void mana_hwc_init_event_handler(void *ctx, struct gdma_queue *q_self, @@ -235,14 +243,12 @@ static void mana_hwc_rx_event_handler(void *ctx, u32 gdma_rxq_id, return; } - mana_hwc_handle_resp(hwc, rx_oob->tx_oob_data_size, resp); + mana_hwc_handle_resp(hwc, rx_oob->tx_oob_data_size, rx_req); - /* Do no longer use 'resp', because the buffer is posted to the HW - * in the below mana_hwc_post_rx_wqe(). 
+ /* Can no longer use 'resp', because the buffer is posted to the HW + * in mana_hwc_handle_resp() above. */ resp = NULL; - - mana_hwc_post_rx_wqe(hwc_rxq, rx_req); } static void mana_hwc_tx_event_handler(void *ctx, u32 gdma_txq_id, -- 2.34.1
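The race described in this patch can be sketched with a small user-space toy model. It is an illustration under stated assumptions, not the mana driver: struct toy_hwc and the toy_* helpers are hypothetical, and toy_complete() models the worst case in which the woken caller sends the next request and the hardware answers before anything else runs.

```c
/* Toy stand-in for the HW channel; NOT the real struct hw_channel_context. */
struct toy_hwc {
	int posted_rx;	/* RX WQEs currently available to the hardware */
	int lost;	/* responses dropped because no WQE was posted */
};

static void toy_post_rx_wqe(struct toy_hwc *h)
{
	h->posted_rx++;
}

/* The hardware delivers a response: it needs one posted RX WQE. */
static void toy_hw_respond(struct toy_hwc *h)
{
	if (h->posted_rx > 0)
		h->posted_rx--;
	else
		h->lost++;	/* models the no_wqe error */
}

/*
 * Worst case for complete(): the waiter wakes up, issues the next
 * request, and the hardware responds immediately (assumption).
 */
static void toy_complete(struct toy_hwc *h)
{
	toy_hw_respond(h);
}

/* Old order: complete() first, RX WQE posted afterwards. */
static int toy_handle_resp_old(struct toy_hwc *h)
{
	toy_complete(h);
	toy_post_rx_wqe(h);
	return h->lost;
}

/* Patched order: post the RX WQE before complete(). */
static int toy_handle_resp_new(struct toy_hwc *h)
{
	toy_post_rx_wqe(h);
	toy_complete(h);
	return h->lost;
}
```

Starting from a channel whose only RX WQE was consumed by the current response, the old order loses the next response in this model and the patched order does not.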

10 months, 3 weeks


ASUS GA402XY (ALC285) Headset mic not working with 6.9 and 6.10 kernel

by Andrey Kashtanov

Greetings! I've run into a problem with an external microphone (3.5 mm jack headset) on recent kernels (6.9, 6.10). With the 6.9 or 6.10 kernel, the system doesn't detect the external mic from the headset; only the internal mic shows up as plugged/available. With kernel 6.8 or older everything works and I can use the headset mic, so I'm currently staying on 6.8.12. I've also opened a bug on Bugzilla (https://bugzilla.kernel.org/show_bug.cgi?id=219158).

Laptop model: Asus ROG G14 GA402XY
Codec: Realtek ALC285 + Cirrus Logic CS35L41
OS: Debian Testing
Kernel: 6.9.x and 6.10 show the issue; 6.8.x does not
DE: GNOME 46, Wayland

What I've tried:
- Playing with snd_hda_intel model parameters from https://www.kernel.org/doc/html/latest/sound/hd-audio/models.html?highlight… (e.g. options snd_hda_intel model=dell-headset-mic)
- Retasking the jack with hdajackretask
- Installing a fresh system on another SSD (latest Pop!_OS); after a kernel update to 6.9.x (from the repository) the issue is the same.

10 months, 3 weeks


Re: Patch "Input: bcm5974 - check endpoint type before starting traffic" has been added to the 6.1-stable tree

by Dmitry Torokhov

On Mon, Aug 19, 2024 at 10:25:08AM -0400, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
>
>     Input: bcm5974 - check endpoint type before starting traffic
>
> to the 6.1-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
>
> The filename of the patch is:
>      input-bcm5974-check-endpoint-type-before-starting-tr.patch
> and it can be found in the queue-6.1 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable(a)vger.kernel.org> know about it.

Please drop it, it was reverted.

Thanks.

--
Dmitry

10 months, 3 weeks


RE: Patch "drm/amdgpu/gfx11: need acquire mutex before access CP_VMID_RESET v2" has been added to the 6.6-stable tree

by Deucher, Alexander

[Public] > -----Original Message----- > From: Sasha Levin <sashal(a)kernel.org> > Sent: Wednesday, August 21, 2024 9:33 AM > To: stable-commits(a)vger.kernel.org; Xiao, Jack <Jack.Xiao(a)amd.com> > Cc: Deucher, Alexander <Alexander.Deucher(a)amd.com>; Koenig, Christian > <Christian.Koenig(a)amd.com>; Pan, Xinhui <Xinhui.Pan(a)amd.com>; David > Airlie <airlied(a)gmail.com>; Daniel Vetter <daniel(a)ffwll.ch> > Subject: Patch "drm/amdgpu/gfx11: need acquire mutex before access > CP_VMID_RESET v2" has been added to the 6.6-stable tree > > This is a note to let you know that I've just added the patch titled > > drm/amdgpu/gfx11: need acquire mutex before access CP_VMID_RESET v2 > > to the 6.6-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable- > queue.git;a=summary > > The filename of the patch is: > drm-amdgpu-gfx11-need-acquire-mutex-before-access-cp.patch > and it can be found in the queue-6.6 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, please let > <stable(a)vger.kernel.org> know about it. > This patch is not stable material. Please drop for stable. Thanks, Alex > > > commit 72516630230bee2668c491fdafcac27c565a5ad5 > Author: Jack Xiao <Jack.Xiao(a)amd.com> > Date: Tue Dec 19 17:10:34 2023 +0800 > > drm/amdgpu/gfx11: need acquire mutex before access CP_VMID_RESET v2 > > [ Upstream commit 4b5c5f5ad38b9435518730cc7f8f1e8de9c5cb2f ] > > It's required to take the gfx mutex before access to CP_VMID_RESET, > for there is a race condition with CP firmware to write the register. > > v2: add extra code to ensure the mutex releasing is successful. 
> > Signed-off-by: Jack Xiao <Jack.Xiao(a)amd.com> > Reviewed-by: Hawking Zhang <Hawking.Zhang(a)amd.com> > Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c > b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c > index c81e98f0d17ff..17a09e96b30fc 100644 > --- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c > +++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c > @@ -4430,11 +4430,43 @@ static int gfx_v11_0_wait_for_idle(void *handle) > return -ETIMEDOUT; > } > > +static int gfx_v11_0_request_gfx_index_mutex(struct amdgpu_device *adev, > + int req) > +{ > + u32 i, tmp, val; > + > + for (i = 0; i < adev->usec_timeout; i++) { > + /* Request with MeId=2, PipeId=0 */ > + tmp = REG_SET_FIELD(0, CP_GFX_INDEX_MUTEX, REQUEST, > req); > + tmp = REG_SET_FIELD(tmp, CP_GFX_INDEX_MUTEX, > CLIENTID, 4); > + WREG32_SOC15(GC, 0, regCP_GFX_INDEX_MUTEX, tmp); > + > + val = RREG32_SOC15(GC, 0, regCP_GFX_INDEX_MUTEX); > + if (req) { > + if (val == tmp) > + break; > + } else { > + tmp = REG_SET_FIELD(tmp, CP_GFX_INDEX_MUTEX, > + REQUEST, 1); > + > + /* unlocked or locked by firmware */ > + if (val != tmp) > + break; > + } > + udelay(1); > + } > + > + if (i >= adev->usec_timeout) > + return -EINVAL; > + > + return 0; > +} > + > static int gfx_v11_0_soft_reset(void *handle) { > u32 grbm_soft_reset = 0; > u32 tmp; > - int i, j, k; > + int r, i, j, k; > struct amdgpu_device *adev = (struct amdgpu_device *)handle; > > tmp = RREG32_SOC15(GC, 0, regCP_INT_CNTL); @@ -4474,6 > +4506,13 @@ static int gfx_v11_0_soft_reset(void *handle) > } > } > > + /* Try to acquire the gfx mutex before access to CP_VMID_RESET */ > + r = gfx_v11_0_request_gfx_index_mutex(adev, 1); > + if (r) { > + DRM_ERROR("Failed to acquire the gfx mutex during soft > reset\n"); > + return r; > + } > + > WREG32_SOC15(GC, 0, regCP_VMID_RESET, 0xfffffffe); > > // Read CP_VMID_RESET register three times. 
> @@ -4482,6 +4521,13 @@ static int gfx_v11_0_soft_reset(void *handle) > RREG32_SOC15(GC, 0, regCP_VMID_RESET); > RREG32_SOC15(GC, 0, regCP_VMID_RESET); > > + /* release the gfx mutex */ > + r = gfx_v11_0_request_gfx_index_mutex(adev, 0); > + if (r) { > + DRM_ERROR("Failed to release the gfx mutex during soft > reset\n"); > + return r; > + } > + > for (i = 0; i < adev->usec_timeout; i++) { > if (!RREG32_SOC15(GC, 0, regCP_HQD_ACTIVE) && > !RREG32_SOC15(GC, 0, regCP_GFX_HQD_ACTIVE))

10 months, 3 weeks


Re: Patch "serial: pch: Don't disable interrupts while acquiring lock in ISR." has been added to the 6.1-stable tree

by Jiri Slaby

On 21. 08. 24, 15:37, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > serial: pch: Don't disable interrupts while acquiring lock in ISR. > > to the 6.1-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > serial-pch-don-t-disable-interrupts-while-acquiring-.patch > and it can be found in the queue-6.1 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. I feel so. It does not fix anything real. It is a prep for d47dd323bf959. So unless you take that too, this one does not make sense on its own. > commit 2e7194802a740ab6ef47e19e56bd1b06c03610d3 > Author: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> > Date: Fri Mar 1 22:45:28 2024 +0100 > > serial: pch: Don't disable interrupts while acquiring lock in ISR. > > [ Upstream commit f8ff23ebce8c305383c8070e1ea3b08a69eb1e8d ] > > The interrupt service routine is always invoked with disabled > interrupts. > > Remove the _irqsave() from the locking functions in the interrupts > service routine/ pch_uart_interrupt(). 
> > Signed-off-by: Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> > Link: https://lore.kernel.org/r/20240301215246.891055-16-bigeasy@linutronix.de > Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c > index abff1c6470f6a..d638e890ef6f0 100644 > --- a/drivers/tty/serial/pch_uart.c > +++ b/drivers/tty/serial/pch_uart.c > @@ -1023,11 +1023,10 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id) > u8 lsr; > int ret = 0; > unsigned char iid; > - unsigned long flags; > int next = 1; > u8 msr; > > - spin_lock_irqsave(&priv->lock, flags); > + spin_lock(&priv->lock); > handled = 0; > while (next) { > iid = pch_uart_hal_get_iid(priv); > @@ -1087,7 +1086,7 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id) > handled |= (unsigned int)ret; > } > > - spin_unlock_irqrestore(&priv->lock, flags); > + spin_unlock(&priv->lock); > return IRQ_RETVAL(handled); > } > -- js suse labs

10 months, 3 weeks


6.8.2->vanilla 6.10.6: regression: oops on heavy compilations

by Piotr Oniszczuk

Hi, For my development I'm using a Ryzen 9 based build machine running ArchLinux. It was perfectly stable with the 6.8.2 kernel. Recently I updated to the 6.10.6 kernel and started to get regular oopses during heavy compilations (12c/24t loaded, compiling constantly for 8..12h). The only change is the kernel: 6.8.2->6.10.6. 6.10.6 is vanilla mainline (no ArchLinux patches). When I get an oops, dmesg looks like below. To me this looks like a regression...

[root@minimyth2-x8664 piotro]# dmesg [ 0.000000] Linux version 6.10.6-12 (linux@archlinux) (gcc (GCC) 13.2.1 20230801, GNU ld (GNU Binutils) 2.41.0) #1 SMP PREEMPT_DYNAMIC Mon, 19 Aug 2024 11:27:15 +0000 [ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-linux-nvme root=UUID=78029aac-358d-4ce1-b48f-0c910bc10436 rw rootflags=rw,noatime cgroup_disable=memory mitigations=off [ 0.000000] BIOS-provided physical RAM map: [ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009d3ff] usable [ 0.000000] BIOS-e820: [mem 0x000000000009d400-0x000000000009ffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000000e0000-0x00000000000fffff] reserved [ 0.000000] BIOS-e820: [mem 0x0000000000100000-0x0000000009bfefff] usable [ 0.000000] BIOS-e820: [mem 0x0000000009bff000-0x0000000009ffffff] reserved [ 0.000000] BIOS-e820: [mem 0x000000000a000000-0x000000000a1fffff] usable [ 0.000000] BIOS-e820: [mem 0x000000000a200000-0x000000000a210fff] ACPI NVS [ 0.000000] BIOS-e820: [mem 0x000000000a211000-0x000000000affffff] usable [ 0.000000] BIOS-e820: [mem 0x000000000b000000-0x000000000b01ffff] reserved [ 0.000000] BIOS-e820: [mem 0x000000000b020000-0x00000000bb3f7fff] usable [ 0.000000] BIOS-e820: [mem 0x00000000bb3f8000-0x00000000bcbaafff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000bcbab000-0x00000000bcbdcfff] ACPI data [ 0.000000] BIOS-e820: [mem 0x00000000bcbdd000-0x00000000bd28afff] ACPI NVS [ 0.000000] BIOS-e820: [mem 0x00000000bd28b000-0x00000000bddfefff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000bddff000-0x00000000beffffff] usable [ 0.000000]
BIOS-e820: [mem 0x00000000bf000000-0x00000000bfffffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000f0000000-0x00000000f7ffffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fd100000-0x00000000fd1fffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fd500000-0x00000000fd6fffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fea00000-0x00000000fea0ffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000feb80000-0x00000000fec01fff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fec10000-0x00000000fec10fff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fec30000-0x00000000fec30fff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fed00000-0x00000000fed00fff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fed40000-0x00000000fed44fff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fed80000-0x00000000fed8ffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fedc2000-0x00000000fedcffff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000fedd4000-0x00000000fedd5fff] reserved [ 0.000000] BIOS-e820: [mem 0x00000000ff000000-0x00000000ffffffff] reserved [ 0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000043f2fffff] usable [ 0.000000] BIOS-e820: [mem 0x000000043f300000-0x000000043fffffff] reserved [ 0.000000] NX (Execute Disable) protection: active [ 0.000000] APIC: Static calls initialized [ 0.000000] SMBIOS 3.3.0 present. [ 0.000000] DMI: To Be Filled By O.E.M. 
B450M Pro4-F R2.0/B450M Pro4-F R2.0, BIOS P10.08 01/19/2024 [ 0.000000] DMI: Memory slots populated: 2/4 [ 0.000000] tsc: Fast TSC calibration using PIT [ 0.000000] tsc: Detected 4099.961 MHz processor [ 0.000527] e820: update [mem 0x00000000-0x00000fff] usable ==> reserved [ 0.000529] e820: remove [mem 0x000a0000-0x000fffff] usable [ 0.000538] last_pfn = 0x43f300 max_arch_pfn = 0x400000000 [ 0.000544] total RAM covered: 3071M [ 0.000729] Found optimal setting for mtrr clean up [ 0.000729] gran_size: 64K chunk_size: 64M num_reg: 3 lose cover RAM: 0G [ 0.000732] MTRR map: 7 entries (3 fixed + 4 variable; max 20), built from 9 variable MTRRs [ 0.000733] x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT [ 0.001245] e820: update [mem 0xbcd40000-0xbcd4ffff] usable ==> reserved [ 0.001250] e820: update [mem 0xc0000000-0xffffffff] usable ==> reserved [ 0.001254] last_pfn = 0xbf000 max_arch_pfn = 0x400000000 [ 0.004712] Using GB pages for direct mapping [ 0.004906] RAMDISK: [mem 0x21f2b000-0x2cf8cfff] [ 0.004909] ACPI: Early table checksum verification disabled [ 0.004912] ACPI: RSDP 0x00000000000F05B0 000024 (v02 ALASKA) [ 0.004915] ACPI: XSDT 0x00000000BD273728 0000B4 (v01 ALASKA A M I 01072009 AMI 01000013) [ 0.004920] ACPI: FACP 0x00000000BCBD6000 000114 (v06 ALASKA A M I 01072009 AMI 00010013) [ 0.004924] ACPI: DSDT 0x00000000BCBCF000 00643E (v02 ALASKA A M I 01072009 INTL 20120913) [ 0.004926] ACPI: FACS 0x00000000BD26E000 000040 [ 0.004928] ACPI: SSDT 0x00000000BCBDC000 00092A (v02 AMD AmdTable 00000002 MSFT 04000000) [ 0.004930] ACPI: SSDT 0x00000000BCBD8000 003CB6 (v02 AMD AMD AOD 00000001 INTL 20120913) [ 0.004933] ACPI: SSDT 0x00000000BCBD7000 000164 (v02 ALASKA CPUSSDT 01072009 AMI 01072009) [ 0.004935] ACPI: FIDT 0x00000000BCBCE000 00009C (v01 ALASKA A M I 01072009 AMI 00010013) [ 0.004937] ACPI: MCFG 0x00000000BCBCD000 00003C (v01 ALASKA A M I 01072009 MSFT 00010013) [ 0.004939] ACPI: AAFT 0x00000000BCBCC000 0000C9 (v01 ALASKA OEMAAFT 01072009 MSFT 
00000097) [ 0.004941] ACPI: HPET 0x00000000BCBCB000 000038 (v01 ALASKA A M I 01072009 AMI 00000005) [ 0.004944] ACPI: PCCT 0x00000000BCBCA000 00006E (v02 AMD AmdTable 00000001 AMD 00000001) [ 0.004946] ACPI: SSDT 0x00000000BCBC3000 00603B (v02 AMD AmdTable 00000001 AMD 00000001) [ 0.004948] ACPI: CRAT 0x00000000BCBC1000 0016D0 (v01 AMD AmdTable 00000001 AMD 00000001) [ 0.004950] ACPI: CDIT 0x00000000BCBC0000 000029 (v01 AMD AmdTable 00000001 AMD 00000001) [ 0.004952] ACPI: SSDT 0x00000000BCBBC000 0037C4 (v02 AMD MYRTLE 00000001 INTL 20120913) [ 0.004954] ACPI: SSDT 0x00000000BCBBB000 0000BF (v01 AMD AmdTable 00001000 INTL 20120913) [ 0.004956] ACPI: WSMT 0x00000000BCBBA000 000028 (v01 ALASKA A M I 01072009 AMI 00010013) [ 0.004958] ACPI: APIC 0x00000000BCBB9000 00015E (v03 ALASKA A M I 01072009 AMI 00010013) [ 0.004961] ACPI: SSDT 0x00000000BCBB7000 0010AF (v02 AMD MYRTLE 00000001 INTL 20120913) [ 0.004963] ACPI: FPDT 0x00000000BCBB6000 000044 (v01 ALASKA A M I 01072009 AMI 01000013) [ 0.004964] ACPI: Reserving FACP table memory at [mem 0xbcbd6000-0xbcbd6113] [ 0.004965] ACPI: Reserving DSDT table memory at [mem 0xbcbcf000-0xbcbd543d] [ 0.004966] ACPI: Reserving FACS table memory at [mem 0xbd26e000-0xbd26e03f] [ 0.004967] ACPI: Reserving SSDT table memory at [mem 0xbcbdc000-0xbcbdc929] [ 0.004967] ACPI: Reserving SSDT table memory at [mem 0xbcbd8000-0xbcbdbcb5] [ 0.004968] ACPI: Reserving SSDT table memory at [mem 0xbcbd7000-0xbcbd7163] [ 0.004969] ACPI: Reserving FIDT table memory at [mem 0xbcbce000-0xbcbce09b] [ 0.004969] ACPI: Reserving MCFG table memory at [mem 0xbcbcd000-0xbcbcd03b] [ 0.004970] ACPI: Reserving AAFT table memory at [mem 0xbcbcc000-0xbcbcc0c8] [ 0.004971] ACPI: Reserving HPET table memory at [mem 0xbcbcb000-0xbcbcb037] [ 0.004971] ACPI: Reserving PCCT table memory at [mem 0xbcbca000-0xbcbca06d] [ 0.004972] ACPI: Reserving SSDT table memory at [mem 0xbcbc3000-0xbcbc903a] [ 0.004973] ACPI: Reserving CRAT table memory at [mem 0xbcbc1000-0xbcbc26cf] 
[ 0.004973] ACPI: Reserving CDIT table memory at [mem 0xbcbc0000-0xbcbc0028] [ 0.004974] ACPI: Reserving SSDT table memory at [mem 0xbcbbc000-0xbcbbf7c3] [ 0.004975] ACPI: Reserving SSDT table memory at [mem 0xbcbbb000-0xbcbbb0be] [ 0.004975] ACPI: Reserving WSMT table memory at [mem 0xbcbba000-0xbcbba027] [ 0.004976] ACPI: Reserving APIC table memory at [mem 0xbcbb9000-0xbcbb915d] [ 0.004977] ACPI: Reserving SSDT table memory at [mem 0xbcbb7000-0xbcbb80ae] [ 0.004977] ACPI: Reserving FPDT table memory at [mem 0xbcbb6000-0xbcbb6043] [ 0.005026] No NUMA configuration found [ 0.005027] Faking a node at [mem 0x0000000000000000-0x000000043f2fffff] [ 0.005029] NODE_DATA(0) allocated [mem 0x43f2fb000-0x43f2fffff] [ 0.005050] Zone ranges: [ 0.005051] DMA [mem 0x0000000000001000-0x0000000000ffffff] [ 0.005052] DMA32 [mem 0x0000000001000000-0x00000000ffffffff] [ 0.005053] Normal [mem 0x0000000100000000-0x000000043f2fffff] [ 0.005054] Device empty [ 0.005055] Movable zone start for each node [ 0.005055] Early memory node ranges [ 0.005056] node 0: [mem 0x0000000000001000-0x000000000009cfff] [ 0.005057] node 0: [mem 0x0000000000100000-0x0000000009bfefff] [ 0.005058] node 0: [mem 0x000000000a000000-0x000000000a1fffff] [ 0.005059] node 0: [mem 0x000000000a211000-0x000000000affffff] [ 0.005059] node 0: [mem 0x000000000b020000-0x00000000bb3f7fff] [ 0.005060] node 0: [mem 0x00000000bddff000-0x00000000beffffff] [ 0.005061] node 0: [mem 0x0000000100000000-0x000000043f2fffff] [ 0.005063] Initmem setup node 0 [mem 0x0000000000001000-0x000000043f2fffff] [ 0.005067] On node 0, zone DMA: 1 pages in unavailable ranges [ 0.005083] On node 0, zone DMA: 99 pages in unavailable ranges [ 0.005222] On node 0, zone DMA32: 1025 pages in unavailable ranges [ 0.005236] On node 0, zone DMA32: 17 pages in unavailable ranges [ 0.008749] On node 0, zone DMA32: 32 pages in unavailable ranges [ 0.008854] On node 0, zone DMA32: 10759 pages in unavailable ranges [ 0.026310] On node 0, zone Normal: 4096 
pages in unavailable ranges [ 0.026338] On node 0, zone Normal: 3328 pages in unavailable ranges [ 0.026708] ACPI: PM-Timer IO Port: 0x808 [ 0.026714] CPU topo: Ignoring hot-pluggable APIC ID 0 in present package. [ 0.026718] ACPI: LAPIC_NMI (acpi_id[0xff] high edge lint[0x1]) [ 0.026729] IOAPIC[0]: apic_id 25, version 33, address 0xfec00000, GSI 0-23 [ 0.026735] IOAPIC[1]: apic_id 26, version 33, address 0xfec01000, GSI 24-55 [ 0.026736] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl) [ 0.026738] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 low level) [ 0.026741] ACPI: Using ACPI (MADT) for SMP configuration information [ 0.026742] ACPI: HPET id: 0x10228201 base: 0xfed00000 [ 0.026749] CPU topo: Max. logical packages: 1 [ 0.026749] CPU topo: Max. logical dies: 1 [ 0.026750] CPU topo: Max. dies per package: 1 [ 0.026754] CPU topo: Max. threads per core: 2 [ 0.026754] CPU topo: Num. cores per package: 12 [ 0.026755] CPU topo: Num. threads per package: 24 [ 0.026756] CPU topo: Allowing 24 present CPUs plus 0 hotplug CPUs [ 0.026756] CPU topo: Rejected CPUs 8 [ 0.026775] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff] [ 0.026777] PM: hibernation: Registered nosave memory: [mem 0x0009d000-0x0009dfff] [ 0.026777] PM: hibernation: Registered nosave memory: [mem 0x0009e000-0x0009ffff] [ 0.026778] PM: hibernation: Registered nosave memory: [mem 0x000a0000-0x000dffff] [ 0.026779] PM: hibernation: Registered nosave memory: [mem 0x000e0000-0x000fffff] [ 0.026780] PM: hibernation: Registered nosave memory: [mem 0x09bff000-0x09ffffff] [ 0.026781] PM: hibernation: Registered nosave memory: [mem 0x0a200000-0x0a210fff] [ 0.026783] PM: hibernation: Registered nosave memory: [mem 0x0b000000-0x0b01ffff] [ 0.026784] PM: hibernation: Registered nosave memory: [mem 0xbb3f8000-0xbcbaafff] [ 0.026784] PM: hibernation: Registered nosave memory: [mem 0xbcbab000-0xbcbdcfff] [ 0.026785] PM: hibernation: Registered nosave memory: [mem 0xbcbdd000-0xbd28afff] [ 
0.026786] PM: hibernation: Registered nosave memory: [mem 0xbd28b000-0xbddfefff] [ 0.026787] PM: hibernation: Registered nosave memory: [mem 0xbf000000-0xbfffffff] [ 0.026788] PM: hibernation: Registered nosave memory: [mem 0xc0000000-0xefffffff] [ 0.026788] PM: hibernation: Registered nosave memory: [mem 0xf0000000-0xf7ffffff] [ 0.026789] PM: hibernation: Registered nosave memory: [mem 0xf8000000-0xfd0fffff] [ 0.026789] PM: hibernation: Registered nosave memory: [mem 0xfd100000-0xfd1fffff] [ 0.026790] PM: hibernation: Registered nosave memory: [mem 0xfd200000-0xfd4fffff] [ 0.026790] PM: hibernation: Registered nosave memory: [mem 0xfd500000-0xfd6fffff] [ 0.026791] PM: hibernation: Registered nosave memory: [mem 0xfd700000-0xfe9fffff] [ 0.026792] PM: hibernation: Registered nosave memory: [mem 0xfea00000-0xfea0ffff] [ 0.026792] PM: hibernation: Registered nosave memory: [mem 0xfea10000-0xfeb7ffff] [ 0.026793] PM: hibernation: Registered nosave memory: [mem 0xfeb80000-0xfec01fff] [ 0.026793] PM: hibernation: Registered nosave memory: [mem 0xfec02000-0xfec0ffff] [ 0.026794] PM: hibernation: Registered nosave memory: [mem 0xfec10000-0xfec10fff] [ 0.026794] PM: hibernation: Registered nosave memory: [mem 0xfec11000-0xfec2ffff] [ 0.026795] PM: hibernation: Registered nosave memory: [mem 0xfec30000-0xfec30fff] [ 0.026795] PM: hibernation: Registered nosave memory: [mem 0xfec31000-0xfecfffff] [ 0.026796] PM: hibernation: Registered nosave memory: [mem 0xfed00000-0xfed00fff] [ 0.026797] PM: hibernation: Registered nosave memory: [mem 0xfed01000-0xfed3ffff] [ 0.026797] PM: hibernation: Registered nosave memory: [mem 0xfed40000-0xfed44fff] [ 0.026798] PM: hibernation: Registered nosave memory: [mem 0xfed45000-0xfed7ffff] [ 0.026798] PM: hibernation: Registered nosave memory: [mem 0xfed80000-0xfed8ffff] [ 0.026799] PM: hibernation: Registered nosave memory: [mem 0xfed90000-0xfedc1fff] [ 0.026799] PM: hibernation: Registered nosave memory: [mem 0xfedc2000-0xfedcffff] [ 
0.026800] PM: hibernation: Registered nosave memory: [mem 0xfedd0000-0xfedd3fff] [ 0.026801] PM: hibernation: Registered nosave memory: [mem 0xfedd4000-0xfedd5fff] [ 0.026801] PM: hibernation: Registered nosave memory: [mem 0xfedd6000-0xfeffffff] [ 0.026802] PM: hibernation: Registered nosave memory: [mem 0xff000000-0xffffffff] [ 0.026803] [mem 0xc0000000-0xefffffff] available for PCI devices [ 0.026804] Booting paravirtualized kernel on bare hardware [ 0.026806] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6370452778343963 ns [ 0.031310] setup_percpu: NR_CPUS:320 nr_cpumask_bits:24 nr_cpu_ids:24 nr_node_ids:1 [ 0.032484] percpu: Embedded 66 pages/cpu s233472 r8192 d28672 u524288 [ 0.032489] pcpu-alloc: s233472 r8192 d28672 u524288 alloc=1*2097152 [ 0.032491] pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07 [ 0.032495] pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15 [ 0.032499] pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23 [ 0.032513] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-linux-nvme root=UUID=78029aac-358d-4ce1-b48f-0c910bc10436 rw rootflags=rw,noatime cgroup_disable=memory mitigations=off [ 0.032610] cgroup: Disabling memory control group subsystem [ 0.032623] Unknown kernel command line parameters "BOOT_IMAGE=/boot/vmlinuz-linux-nvme", will be passed to user space. [ 0.032639] random: crng init done [ 0.032640] printk: log_buf_len individual max cpu contribution: 4096 bytes [ 0.032640] printk: log_buf_len total cpu_extra contributions: 94208 bytes [ 0.032641] printk: log_buf_len min size: 131072 bytes [ 0.032785] printk: log_buf_len: 262144 bytes [ 0.032786] printk: early log buf free: 116968(89%) [ 0.034095] Dentry cache hash table entries: 2097152 (order: 12, 16777216 bytes, linear) [ 0.034775] Inode-cache hash table entries: 1048576 (order: 11, 8388608 bytes, linear) [ 0.034906] Fallback order for Node 0: 0 [ 0.034912] Built 1 zonelists, mobility grouping on. 
Total pages: 4174947 [ 0.034913] Policy zone: Normal [ 0.035122] mem auto-init: stack:all(zero), heap alloc:on, heap free:off [ 0.035128] software IO TLB: area num 32. [ 0.072942] Memory: 16108000K/16699788K available (18432K kernel code, 2197K rwdata, 13412K rodata, 3500K init, 3552K bss, 591528K reserved, 0K cma-reserved) [ 0.073133] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=24, Nodes=1 [ 0.073191] ftrace: allocating 49905 entries in 195 pages [ 0.079639] ftrace: allocated 195 pages with 4 groups [ 0.079709] Dynamic Preempt: full [ 0.079780] rcu: Preemptible hierarchical RCU implementation. [ 0.079780] rcu: RCU restricting CPUs from NR_CPUS=320 to nr_cpu_ids=24. [ 0.079781] rcu: RCU priority boosting: priority 1 delay 500 ms. [ 0.079782] Trampoline variant of Tasks RCU enabled. [ 0.079782] Rude variant of Tasks RCU enabled. [ 0.079783] Tracing variant of Tasks RCU enabled. [ 0.079783] rcu: RCU calculated value of scheduler-enlistment delay is 30 jiffies. [ 0.079784] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=24 [ 0.079798] RCU Tasks: Setting shift to 5 and lim to 1 rcu_task_cb_adjust=1. [ 0.079800] RCU Tasks Rude: Setting shift to 5 and lim to 1 rcu_task_cb_adjust=1. [ 0.079802] RCU Tasks Trace: Setting shift to 5 and lim to 1 rcu_task_cb_adjust=1. [ 0.081836] NR_IRQS: 20736, nr_irqs: 1160, preallocated irqs: 16 [ 0.082022] rcu: srcu_init: Setting srcu_struct sizes based on contention. [ 0.082129] kfence: initialized - using 2097152 bytes for 255 objects at 0x(____ptrval____)-0x(____ptrval____) [ 0.082156] spurious 8259A interrupt: IRQ7. 
[ 0.082171] Console: colour dummy device 80x25 [ 0.082172] printk: legacy console [tty0] enabled [ 0.082211] ACPI: Core revision 20240322 [ 0.082312] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 133484873504 ns [ 0.082326] APIC: Switch to symmetric I/O mode setup [ 0.082457] x2apic: IRQ remapping doesn't support X2APIC mode [ 0.082519] APIC: Switched APIC routing to: physical flat [ 0.083117] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1 [ 0.098994] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x3b193a2cd8f, max_idle_ns: 440795361324 ns [ 0.098997] Calibrating delay loop (skipped), value calculated using timer frequency.. 8203.58 BogoMIPS (lpj=13666536) [ 0.099007] Zenbleed: please update your microcode for the most optimal fix [ 0.099010] x86/cpu: User Mode Instruction Prevention (UMIP) activated [ 0.099052] LVT offset 1 assigned for vector 0xf9 [ 0.099177] LVT offset 2 assigned for vector 0xf4 [ 0.099212] Last level iTLB entries: 4KB 1024, 2MB 1024, 4MB 512 [ 0.099213] Last level dTLB entries: 4KB 2048, 2MB 2048, 4MB 1024, 1GB 0 [ 0.099215] process: using mwait in idle threads [ 0.099217] Spectre V2 : User space: Vulnerable [ 0.099218] Speculative Store Bypass: Vulnerable [ 0.099221] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' [ 0.099222] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers' [ 0.099222] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers' [ 0.099223] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256 [ 0.099224] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'compacted' format. [ 0.116939] Freeing SMP alternatives memory: 40K [ 0.116940] pid_max: default: 32768 minimum: 301 [ 0.116969] LSM: initializing lsm=capability,landlock,lockdown,yama,bpf [ 0.116983] landlock: Up and running. [ 0.116984] Yama: becoming mindful. 
[ 0.116987] LSM support for eBPF active [ 0.117015] Mount-cache hash table entries: 32768 (order: 6, 262144 bytes, linear) [ 0.117030] Mountpoint-cache hash table entries: 32768 (order: 6, 262144 bytes, linear) [ 0.224562] smpboot: CPU0: AMD Ryzen 9 3900 12-Core Processor (family: 0x17, model: 0x71, stepping: 0x0) [ 0.224699] Performance Events: Fam17h+ core perfctr, AMD PMU driver. [ 0.224702] ... version: 0 [ 0.224703] ... bit width: 48 [ 0.224703] ... generic registers: 6 [ 0.224704] ... value mask: 0000ffffffffffff [ 0.224705] ... max period: 00007fffffffffff [ 0.224705] ... fixed-purpose events: 0 [ 0.224705] ... event mask: 000000000000003f [ 0.224767] signal: max sigframe size: 1776 [ 0.224781] rcu: Hierarchical SRCU implementation. [ 0.224781] rcu: Max phase no-delay instances is 1000. [ 0.225002] NMI watchdog: Enabled. Permanently consumes one hw-PMU counter. [ 0.225122] smp: Bringing up secondary CPUs ... [ 0.225177] smpboot: x86: Booting SMP configuration: [ 0.225178] .... node #0, CPUs: #1 #2 #3 #4 #5 #6 #7 #8 #9 #10 #11 #12 #13 #14 #15 #16 #17 #18 #19 #20 #21 #22 #23 [ 0.272357] smp: Brought up 1 node, 24 CPUs [ 0.272357] smpboot: Total of 24 processors activated (196876.04 BogoMIPS) [ 0.276059] devtmpfs: initialized [ 0.276059] x86/mm: Memory block size: 128MB [ 0.276676] ACPI: PM: Registering ACPI NVS region [mem 0x0a200000-0x0a210fff] (69632 bytes) [ 0.276676] ACPI: PM: Registering ACPI NVS region [mem 0xbcbdd000-0xbd28afff] (7004160 bytes) [ 0.276676] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6370867519511994 ns [ 0.276676] futex hash table entries: 8192 (order: 7, 524288 bytes, linear) [ 0.276676] pinctrl core: initialized pinctrl subsystem [ 0.276676] PM: RTC time: 18:06:09, date: 2024-08-20 [ 0.276676] NET: Registered PF_NETLINK/PF_ROUTE protocol family [ 0.276676] DMA: preallocated 2048 KiB GFP_KERNEL pool for atomic allocations [ 0.276676] DMA: preallocated 2048 KiB GFP_KERNEL|GFP_DMA pool for atomic 
allocations [ 0.276676] DMA: preallocated 2048 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations [ 0.276676] audit: initializing netlink subsys (disabled) [ 0.276676] audit: type=2000 audit(1724177169.193:1): state=initialized audit_enabled=0 res=1 [ 0.276676] thermal_sys: Registered thermal governor 'fair_share' [ 0.276676] thermal_sys: Registered thermal governor 'bang_bang' [ 0.276676] thermal_sys: Registered thermal governor 'step_wise' [ 0.276676] thermal_sys: Registered thermal governor 'user_space' [ 0.276676] thermal_sys: Registered thermal governor 'power_allocator' [ 0.276676] cpuidle: using governor ladder [ 0.276676] cpuidle: using governor menu [ 0.276676] Detected 1 PCC Subspaces [ 0.276676] Registering PCC driver as Mailbox controller [ 0.276676] acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5 [ 0.279005] PCI: ECAM [mem 0xf0000000-0xf7ffffff] (base 0xf0000000) for domain 0000 [bus 00-7f] [ 0.279012] PCI: Using configuration type 1 for base access [ 0.279098] kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible. 
[ 0.279104] HugeTLB: registered 1.00 GiB page size, pre-allocated 0 pages [ 0.279104] HugeTLB: 16380 KiB vmemmap can be freed for a 1.00 GiB page [ 0.279104] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages [ 0.279104] HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page [ 0.279104] Demotion targets for Node 0: null [ 0.279104] ACPI: Added _OSI(Module Device) [ 0.279104] ACPI: Added _OSI(Processor Device) [ 0.279104] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.279104] ACPI: Added _OSI(Processor Aggregator Device) [ 0.283937] ACPI: 8 ACPI AML tables successfully acquired and loaded [ 0.285919] ACPI: [Firmware Bug]: BIOS _OSI(Linux) query ignored [ 0.286660] ACPI: _OSC evaluation for CPUs failed, trying _PDC [ 0.286660] ACPI: Interpreter enabled [ 0.286660] ACPI: PM: (supports S0 S3 S4 S5) [ 0.286660] ACPI: Using IOAPIC for interrupt routing [ 0.286660] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug [ 0.286660] PCI: Ignoring E820 reservations for host bridge windows [ 0.286660] ACPI: Enabled 3 GPEs in block 00 to 1F [ 0.294651] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff]) [ 0.294656] acpi PNP0A08:00: _OSC: OS supports [ExtendedConfig ASPM ClockPM Segments MSI EDR HPX-Type3] [ 0.294710] acpi PNP0A08:00: _OSC: platform does not support [SHPCHotplug LTR DPC] [ 0.294805] acpi PNP0A08:00: _OSC: OS now controls [PCIeHotplug PME AER PCIeCapability] [ 0.294812] acpi PNP0A08:00: [Firmware Info]: ECAM [mem 0xf0000000-0xf7ffffff] for domain 0000 [bus 00-7f] only partially covers this bridge [ 0.295065] PCI host bridge to bus 0000:00 [ 0.295066] pci_bus 0000:00: root bus resource [io 0x0000-0x03af window] [ 0.295068] pci_bus 0000:00: root bus resource [io 0x03e0-0x0cf7 window] [ 0.295070] pci_bus 0000:00: root bus resource [io 0x03b0-0x03df window] [ 0.295070] pci_bus 0000:00: root bus resource [io 0x0d00-0xffff window] [ 0.295071] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000dffff window] [ 0.295072] 
pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfec2ffff window] [ 0.295073] pci_bus 0000:00: root bus resource [mem 0xfee00000-0xffffffff window] [ 0.295074] pci_bus 0000:00: root bus resource [bus 00-ff] [ 0.295086] pci 0000:00:00.0: [1022:1480] type 00 class 0x060000 conventional PCI endpoint [ 0.295167] pci 0000:00:01.0: [1022:1482] type 00 class 0x060000 conventional PCI endpoint [ 0.295219] pci 0000:00:01.1: [1022:1483] type 01 class 0x060400 PCIe Root Port [ 0.295237] pci 0000:00:01.1: PCI bridge to [bus 01] [ 0.295243] pci 0000:00:01.1: bridge window [mem 0xfc700000-0xfc7fffff] [ 0.295308] pci 0000:00:01.1: PME# supported from D0 D3hot D3cold [ 0.295429] pci 0000:00:01.3: [1022:1483] type 01 class 0x060400 PCIe Root Port [ 0.295447] pci 0000:00:01.3: PCI bridge to [bus 02-06] [ 0.295451] pci 0000:00:01.3: bridge window [io 0xf000-0xffff] [ 0.295453] pci 0000:00:01.3: bridge window [mem 0xfc500000-0xfc6fffff] [ 0.295466] pci 0000:00:01.3: enabling Extended Tags [ 0.295518] pci 0000:00:01.3: PME# supported from D0 D3hot D3cold [ 0.295647] pci 0000:00:02.0: [1022:1482] type 00 class 0x060000 conventional PCI endpoint [ 0.295701] pci 0000:00:03.0: [1022:1482] type 00 class 0x060000 conventional PCI endpoint [ 0.295749] pci 0000:00:03.1: [1022:1483] type 01 class 0x060400 PCIe Root Port [ 0.295767] pci 0000:00:03.1: PCI bridge to [bus 07] [ 0.295772] pci 0000:00:03.1: bridge window [mem 0xfa000000-0xfc0fffff] [ 0.295779] pci 0000:00:03.1: bridge window [mem 0xe0000000-0xefffffff 64bit pref] [ 0.295787] pci 0000:00:03.1: enabling Extended Tags [ 0.295839] pci 0000:00:03.1: PME# supported from D0 D3hot D3cold [ 0.295955] pci 0000:00:04.0: [1022:1482] type 00 class 0x060000 conventional PCI endpoint [ 0.296007] pci 0000:00:05.0: [1022:1482] type 00 class 0x060000 conventional PCI endpoint [ 0.296060] pci 0000:00:07.0: [1022:1482] type 00 class 0x060000 conventional PCI endpoint [ 0.296106] pci 0000:00:07.1: [1022:1484] type 01 class 0x060400 PCIe Root Port [ 
0.296121] pci 0000:00:07.1: PCI bridge to [bus 08] [ 0.296135] pci 0000:00:07.1: enabling Extended Tags [ 0.296175] pci 0000:00:07.1: PME# supported from D0 D3hot D3cold [ 0.296264] pci 0000:00:08.0: [1022:1482] type 00 class 0x060000 conventional PCI endpoint [ 0.296311] pci 0000:00:08.1: [1022:1484] type 01 class 0x060400 PCIe Root Port [ 0.296327] pci 0000:00:08.1: PCI bridge to [bus 09] [ 0.296331] pci 0000:00:08.1: bridge window [mem 0xfc200000-0xfc4fffff] [ 0.296342] pci 0000:00:08.1: enabling Extended Tags [ 0.296386] pci 0000:00:08.1: PME# supported from D0 D3hot D3cold [ 0.296495] pci 0000:00:14.0: [1022:790b] type 00 class 0x0c0500 conventional PCI endpoint [ 0.296590] pci 0000:00:14.3: [1022:790e] type 00 class 0x060100 conventional PCI endpoint [ 0.296691] pci 0000:00:18.0: [1022:1440] type 00 class 0x060000 conventional PCI endpoint [ 0.296713] pci 0000:00:18.1: [1022:1441] type 00 class 0x060000 conventional PCI endpoint [ 0.296734] pci 0000:00:18.2: [1022:1442] type 00 class 0x060000 conventional PCI endpoint [ 0.296754] pci 0000:00:18.3: [1022:1443] type 00 class 0x060000 conventional PCI endpoint [ 0.296774] pci 0000:00:18.4: [1022:1444] type 00 class 0x060000 conventional PCI endpoint [ 0.296794] pci 0000:00:18.5: [1022:1445] type 00 class 0x060000 conventional PCI endpoint [ 0.296814] pci 0000:00:18.6: [1022:1446] type 00 class 0x060000 conventional PCI endpoint [ 0.296834] pci 0000:00:18.7: [1022:1447] type 00 class 0x060000 conventional PCI endpoint [ 0.297074] pci 0000:01:00.0: [2646:5013] type 00 class 0x010802 PCIe Endpoint [ 0.297122] pci 0000:01:00.0: BAR 0 [mem 0xfc700000-0xfc703fff 64bit] [ 0.297723] pci 0000:01:00.0: 31.504 Gb/s available PCIe bandwidth, limited by 8.0 GT/s PCIe x4 link at 0000:00:01.1 (capable of 63.012 Gb/s with 16.0 GT/s PCIe x4 link) [ 0.298140] pci 0000:00:01.1: PCI bridge to [bus 01] [ 0.298197] pci 0000:02:00.0: [1022:43d5] type 00 class 0x0c0330 PCIe Legacy Endpoint [ 0.298216] pci 0000:02:00.0: BAR 0 [mem 
0xfc6a0000-0xfc6a7fff 64bit] [ 0.298259] pci 0000:02:00.0: enabling Extended Tags [ 0.298320] pci 0000:02:00.0: PME# supported from D3hot D3cold [ 0.298462] pci 0000:02:00.1: [1022:43c8] type 00 class 0x010601 PCIe Legacy Endpoint [ 0.298512] pci 0000:02:00.1: BAR 5 [mem 0xfc680000-0xfc69ffff] [ 0.298521] pci 0000:02:00.1: ROM [mem 0xfc600000-0xfc67ffff pref] [ 0.298527] pci 0000:02:00.1: enabling Extended Tags [ 0.298571] pci 0000:02:00.1: PME# supported from D3hot D3cold [ 0.298655] pci 0000:02:00.2: [1022:43c6] type 01 class 0x060400 PCIe Switch Upstream Port [ 0.298686] pci 0000:02:00.2: PCI bridge to [bus 03-06] [ 0.298692] pci 0000:02:00.2: bridge window [io 0xf000-0xffff] [ 0.298694] pci 0000:02:00.2: bridge window [mem 0xfc500000-0xfc5fffff] [ 0.298717] pci 0000:02:00.2: enabling Extended Tags [ 0.298766] pci 0000:02:00.2: PME# supported from D3hot D3cold [ 0.298869] pci 0000:00:01.3: PCI bridge to [bus 02-06] [ 0.298954] pci 0000:03:00.0: [1022:43c7] type 01 class 0x060400 PCIe Switch Downstream Port [ 0.298985] pci 0000:03:00.0: PCI bridge to [bus 04] [ 0.299019] pci 0000:03:00.0: enabling Extended Tags [ 0.299086] pci 0000:03:00.0: PME# supported from D3hot D3cold [ 0.299197] pci 0000:03:01.0: [1022:43c7] type 01 class 0x060400 PCIe Switch Downstream Port [ 0.299228] pci 0000:03:01.0: PCI bridge to [bus 05] [ 0.299235] pci 0000:03:01.0: bridge window [io 0xf000-0xffff] [ 0.299238] pci 0000:03:01.0: bridge window [mem 0xfc500000-0xfc5fffff] [ 0.299262] pci 0000:03:01.0: enabling Extended Tags [ 0.299329] pci 0000:03:01.0: PME# supported from D3hot D3cold [ 0.299439] pci 0000:03:04.0: [1022:43c7] type 01 class 0x060400 PCIe Switch Downstream Port [ 0.299471] pci 0000:03:04.0: PCI bridge to [bus 06] [ 0.299503] pci 0000:03:04.0: enabling Extended Tags [ 0.299569] pci 0000:03:04.0: PME# supported from D3hot D3cold [ 0.299691] pci 0000:02:00.2: PCI bridge to [bus 03-06] [ 0.299738] pci 0000:03:00.0: PCI bridge to [bus 04] [ 0.299816] pci 0000:05:00.0: 
[10ec:8168] type 00 class 0x020000 PCIe Endpoint [ 0.299845] pci 0000:05:00.0: BAR 0 [io 0xf000-0xf0ff] [ 0.299883] pci 0000:05:00.0: BAR 2 [mem 0xfc504000-0xfc504fff 64bit] [ 0.299907] pci 0000:05:00.0: BAR 4 [mem 0xfc500000-0xfc503fff 64bit] [ 0.300072] pci 0000:05:00.0: supports D1 D2 [ 0.300072] pci 0000:05:00.0: PME# supported from D0 D1 D2 D3hot D3cold [ 0.300342] pci 0000:03:01.0: PCI bridge to [bus 05] [ 0.300390] pci 0000:03:04.0: PCI bridge to [bus 06] [ 0.300468] pci 0000:07:00.0: [10de:01d1] type 00 class 0x030000 PCIe Endpoint [ 0.300480] pci 0000:07:00.0: BAR 0 [mem 0xfb000000-0xfbffffff] [ 0.300490] pci 0000:07:00.0: BAR 1 [mem 0xe0000000-0xefffffff 64bit pref] [ 0.300500] pci 0000:07:00.0: BAR 3 [mem 0xfa000000-0xfaffffff 64bit] [ 0.300513] pci 0000:07:00.0: ROM [mem 0xfc000000-0xfc01ffff pref] [ 0.300528] pci 0000:07:00.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff] [ 0.300624] pci 0000:07:00.0: disabling ASPM on pre-1.1 PCIe device. You can enable it with 'pcie_aspm=force' [ 0.300632] pci 0000:00:03.1: PCI bridge to [bus 07] [ 0.300673] pci 0000:08:00.0: [1022:148a] type 00 class 0x130000 PCIe Endpoint [ 0.300708] pci 0000:08:00.0: enabling Extended Tags [ 0.300842] pci 0000:00:07.1: PCI bridge to [bus 08] [ 0.300887] pci 0000:09:00.0: [1022:1485] type 00 class 0x130000 PCIe Endpoint [ 0.300929] pci 0000:09:00.0: enabling Extended Tags [ 0.301077] pci 0000:09:00.1: [1022:1486] type 00 class 0x108000 PCIe Endpoint [ 0.301097] pci 0000:09:00.1: BAR 2 [mem 0xfc300000-0xfc3fffff] [ 0.301112] pci 0000:09:00.1: BAR 5 [mem 0xfc400000-0xfc401fff] [ 0.301121] pci 0000:09:00.1: enabling Extended Tags [ 0.301242] pci 0000:09:00.3: [1022:149c] type 00 class 0x0c0330 PCIe Endpoint [ 0.301254] pci 0000:09:00.3: BAR 0 [mem 0xfc200000-0xfc2fffff 64bit] [ 0.301283] pci 0000:09:00.3: enabling Extended Tags [ 0.301328] pci 0000:09:00.3: PME# supported from D0 D3hot D3cold [ 0.301424] pci 0000:00:08.1: PCI bridge to [bus 09] [ 0.301699] ACPI: PCI: 
Interrupt link LNKA configured for IRQ 0 [ 0.301733] ACPI: PCI: Interrupt link LNKB configured for IRQ 0 [ 0.301762] ACPI: PCI: Interrupt link LNKC configured for IRQ 0 [ 0.301798] ACPI: PCI: Interrupt link LNKD configured for IRQ 0 [ 0.301831] ACPI: PCI: Interrupt link LNKE configured for IRQ 0 [ 0.301857] ACPI: PCI: Interrupt link LNKF configured for IRQ 0 [ 0.301884] ACPI: PCI: Interrupt link LNKG configured for IRQ 0 [ 0.301910] ACPI: PCI: Interrupt link LNKH configured for IRQ 0 [ 0.302340] iommu: Default domain type: Translated [ 0.302340] iommu: DMA domain TLB invalidation policy: lazy mode [ 0.302429] SCSI subsystem initialized [ 0.302435] libata version 3.00 loaded. [ 0.302435] ACPI: bus type USB registered [ 0.302435] usbcore: registered new interface driver usbfs [ 0.302435] usbcore: registered new interface driver hub [ 0.302435] usbcore: registered new device driver usb [ 0.302435] pps_core: LinuxPPS API ver. 1 registered [ 0.302435] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti(a)linux.it> [ 0.302435] PTP clock support registered [ 0.302435] EDAC MC: Ver: 3.0.0 [ 0.302592] NetLabel: Initializing [ 0.302592] NetLabel: domain hash size = 128 [ 0.302592] NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO [ 0.302592] NetLabel: unlabeled traffic allowed by default [ 0.302592] mctp: management component transport protocol core [ 0.302592] NET: Registered PF_MCTP protocol family [ 0.302592] PCI: Using ACPI for IRQ routing [ 0.306769] PCI: pci_cache_line_size set to 64 bytes [ 0.307148] e820: reserve RAM buffer [mem 0x0009d400-0x0009ffff] [ 0.307149] e820: reserve RAM buffer [mem 0x09bff000-0x0bffffff] [ 0.307150] e820: reserve RAM buffer [mem 0x0a200000-0x0bffffff] [ 0.307151] e820: reserve RAM buffer [mem 0x0b000000-0x0bffffff] [ 0.307151] e820: reserve RAM buffer [mem 0xbb3f8000-0xbbffffff] [ 0.307152] e820: reserve RAM buffer [mem 0xbf000000-0xbfffffff] [ 0.307153] e820: reserve RAM buffer [mem 0x43f300000-0x43fffffff] [ 
0.307162] pci 0000:07:00.0: vgaarb: setting as boot VGA device [ 0.307162] pci 0000:07:00.0: vgaarb: bridge control possible [ 0.307162] pci 0000:07:00.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none [ 0.307162] vgaarb: loaded [ 0.307162] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0 [ 0.307162] hpet0: 3 comparators, 32-bit 14.318180 MHz counter [ 0.309045] clocksource: Switched to clocksource tsc-early [ 0.309129] VFS: Disk quotas dquot_6.6.0 [ 0.309136] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes) [ 0.309176] pnp: PnP ACPI init [ 0.309228] system 00:00: [mem 0xf0000000-0xf7ffffff] has been reserved [ 0.309248] system 00:01: [mem 0xfeb80000-0xfebfffff] has been reserved [ 0.309292] system 00:02: [mem 0xfd100000-0xfd1fffff] has been reserved [ 0.309428] system 00:04: [io 0x0280-0x028f] has been reserved [ 0.309429] system 00:04: [io 0x0290-0x029f] has been reserved [ 0.309430] system 00:04: [io 0x02a0-0x02af] has been reserved [ 0.309431] system 00:04: [io 0x02b0-0x02bf] has been reserved [ 0.309595] pnp 00:05: [dma 0 disabled] [ 0.309755] system 00:06: [io 0x04d0-0x04d1] has been reserved [ 0.309756] system 00:06: [io 0x040b] has been reserved [ 0.309757] system 00:06: [io 0x04d6] has been reserved [ 0.309758] system 00:06: [io 0x0c00-0x0c01] has been reserved [ 0.309758] system 00:06: [io 0x0c14] has been reserved [ 0.309759] system 00:06: [io 0x0c50-0x0c51] has been reserved [ 0.309760] system 00:06: [io 0x0c52] has been reserved [ 0.309761] system 00:06: [io 0x0c6c] has been reserved [ 0.309762] system 00:06: [io 0x0c6f] has been reserved [ 0.309762] system 00:06: [io 0x0cd8-0x0cdf] has been reserved [ 0.309763] system 00:06: [io 0x0800-0x089f] has been reserved [ 0.309764] system 00:06: [io 0x0b00-0x0b0f] has been reserved [ 0.309765] system 00:06: [io 0x0b20-0x0b3f] has been reserved [ 0.309766] system 00:06: [io 0x0900-0x090f] has been reserved [ 0.309767] system 00:06: [io 0x0910-0x091f] has been reserved [ 0.309768] system 
00:06: [mem 0xfec00000-0xfec00fff] could not be reserved [ 0.309769] system 00:06: [mem 0xfec01000-0xfec01fff] could not be reserved [ 0.309770] system 00:06: [mem 0xfedc0000-0xfedc0fff] has been reserved [ 0.309772] system 00:06: [mem 0xfee00000-0xfee00fff] has been reserved [ 0.309772] system 00:06: [mem 0xfed80000-0xfed8ffff] could not be reserved [ 0.309774] system 00:06: [mem 0xfec10000-0xfec10fff] has been reserved [ 0.309775] system 00:06: [mem 0xff000000-0xffffffff] has been reserved [ 0.310078] pnp: PnP ACPI: found 7 devices [ 0.315286] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns [ 0.315327] NET: Registered PF_INET protocol family [ 0.315450] IP idents hash table entries: 262144 (order: 9, 2097152 bytes, linear) [ 0.325182] tcp_listen_portaddr_hash hash table entries: 8192 (order: 5, 131072 bytes, linear) [ 0.325198] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear) [ 0.325255] TCP established hash table entries: 131072 (order: 8, 1048576 bytes, linear) [ 0.325462] TCP bind hash table entries: 65536 (order: 9, 2097152 bytes, linear) [ 0.325561] TCP: Hash tables configured (established 131072 bind 65536) [ 0.325609] MPTCP token hash table entries: 16384 (order: 6, 393216 bytes, linear) [ 0.325643] UDP hash table entries: 8192 (order: 6, 262144 bytes, linear) [ 0.325673] UDP-Lite hash table entries: 8192 (order: 6, 262144 bytes, linear) [ 0.325718] NET: Registered PF_UNIX/PF_LOCAL protocol family [ 0.325724] NET: Registered PF_XDP protocol family [ 0.325734] pci 0000:00:01.1: PCI bridge to [bus 01] [ 0.325737] pci 0000:00:01.1: bridge window [mem 0xfc700000-0xfc7fffff] [ 0.325743] pci 0000:03:00.0: PCI bridge to [bus 04] [ 0.325754] pci 0000:03:01.0: PCI bridge to [bus 05] [ 0.325756] pci 0000:03:01.0: bridge window [io 0xf000-0xffff] [ 0.325760] pci 0000:03:01.0: bridge window [mem 0xfc500000-0xfc5fffff] [ 0.325768] pci 0000:03:04.0: PCI bridge to [bus 06] [ 0.325778] pci 0000:02:00.2: PCI 
bridge to [bus 03-06] [ 0.325780] pci 0000:02:00.2: bridge window [io 0xf000-0xffff] [ 0.325784] pci 0000:02:00.2: bridge window [mem 0xfc500000-0xfc5fffff] [ 0.325791] pci 0000:00:01.3: PCI bridge to [bus 02-06] [ 0.325793] pci 0000:00:01.3: bridge window [io 0xf000-0xffff] [ 0.325795] pci 0000:00:01.3: bridge window [mem 0xfc500000-0xfc6fffff] [ 0.325801] pci 0000:00:03.1: PCI bridge to [bus 07] [ 0.325803] pci 0000:00:03.1: bridge window [mem 0xfa000000-0xfc0fffff] [ 0.325805] pci 0000:00:03.1: bridge window [mem 0xe0000000-0xefffffff 64bit pref] [ 0.325809] pci 0000:00:07.1: PCI bridge to [bus 08] [ 0.325815] pci 0000:00:08.1: PCI bridge to [bus 09] [ 0.325817] pci 0000:00:08.1: bridge window [mem 0xfc200000-0xfc4fffff] [ 0.325822] pci_bus 0000:00: resource 4 [io 0x0000-0x03af window] [ 0.325823] pci_bus 0000:00: resource 5 [io 0x03e0-0x0cf7 window] [ 0.325824] pci_bus 0000:00: resource 6 [io 0x03b0-0x03df window] [ 0.325825] pci_bus 0000:00: resource 7 [io 0x0d00-0xffff window] [ 0.325826] pci_bus 0000:00: resource 8 [mem 0x000a0000-0x000dffff window] [ 0.325827] pci_bus 0000:00: resource 9 [mem 0xc0000000-0xfec2ffff window] [ 0.325828] pci_bus 0000:00: resource 10 [mem 0xfee00000-0xffffffff window] [ 0.325829] pci_bus 0000:01: resource 1 [mem 0xfc700000-0xfc7fffff] [ 0.325830] pci_bus 0000:02: resource 0 [io 0xf000-0xffff] [ 0.325830] pci_bus 0000:02: resource 1 [mem 0xfc500000-0xfc6fffff] [ 0.325831] pci_bus 0000:03: resource 0 [io 0xf000-0xffff] [ 0.325832] pci_bus 0000:03: resource 1 [mem 0xfc500000-0xfc5fffff] [ 0.325833] pci_bus 0000:05: resource 0 [io 0xf000-0xffff] [ 0.325834] pci_bus 0000:05: resource 1 [mem 0xfc500000-0xfc5fffff] [ 0.325835] pci_bus 0000:07: resource 1 [mem 0xfa000000-0xfc0fffff] [ 0.325835] pci_bus 0000:07: resource 2 [mem 0xe0000000-0xefffffff 64bit pref] [ 0.325836] pci_bus 0000:09: resource 1 [mem 0xfc200000-0xfc4fffff] [ 0.326214] PCI: CLS 64 bytes, default 64 [ 0.326225] PCI-DMA: Using software bounce buffering for IO (SWIOTLB) 
[ 0.326226] software IO TLB: mapped [mem 0x00000000b73f8000-0x00000000bb3f8000] (64MB) [ 0.326256] LVT offset 0 assigned for vector 0x400 [ 0.326258] Trying to unpack rootfs image as initramfs... [ 0.330895] perf: AMD IBS detected (0x000003ff) [ 0.332400] Initialise system trusted keyrings [ 0.332408] Key type blacklist registered [ 0.332434] workingset: timestamp_bits=41 max_order=22 bucket_order=0 [ 0.332439] zbud: loaded [ 0.332545] integrity: Platform Keyring initialized [ 0.332547] integrity: Machine keyring initialized [ 0.340673] Key type asymmetric registered [ 0.340675] Asymmetric key parser 'x509' registered [ 0.340833] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 242) [ 0.340872] io scheduler mq-deadline registered [ 0.340873] io scheduler kyber registered [ 0.340883] io scheduler bfq registered [ 0.341928] pcieport 0000:00:01.1: PME: Signaling with IRQ 26 [ 0.341969] pcieport 0000:00:01.1: AER: enabled with IRQ 26 [ 0.342065] pcieport 0000:00:01.3: PME: Signaling with IRQ 27 [ 0.342106] pcieport 0000:00:01.3: AER: enabled with IRQ 27 [ 0.342197] pcieport 0000:00:03.1: PME: Signaling with IRQ 28 [ 0.342233] pcieport 0000:00:03.1: AER: enabled with IRQ 28 [ 0.342365] pcieport 0000:00:07.1: PME: Signaling with IRQ 30 [ 0.342398] pcieport 0000:00:07.1: AER: enabled with IRQ 30 [ 0.342472] pcieport 0000:00:08.1: PME: Signaling with IRQ 31 [ 0.342513] pcieport 0000:00:08.1: AER: enabled with IRQ 31 [ 0.342969] shpchp: Standard Hot Plug PCI Controller Driver version: 0.4 [ 0.343044] input: Power Button as /devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0C:00/input/input0 [ 0.343059] ACPI: button: Power Button [PWRB] [ 0.343075] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input1 [ 0.345501] ACPI: button: Power Button [PWRF] [ 0.348832] Estimated ratio of average max frequency by base frequency (times 1024): 1232 [ 0.348846] Monitor-Mwait will be used to enter C-1 state [ 0.348851] ACPI: \_PR_.C000: Found 2 idle states [ 0.348921] 
ACPI: \_PR_.C002: Found 2 idle states [ 0.348993] ACPI: \_PR_.C004: Found 2 idle states [ 0.349043] ACPI: \_PR_.C006: Found 2 idle states [ 0.349091] ACPI: \_PR_.C008: Found 2 idle states [ 0.349141] ACPI: \_PR_.C00A: Found 2 idle states [ 0.349211] ACPI: \_PR_.C00C: Found 2 idle states [ 0.349282] ACPI: \_PR_.C00E: Found 2 idle states [ 0.349349] ACPI: \_PR_.C010: Found 2 idle states [ 0.349418] ACPI: \_PR_.C012: Found 2 idle states [ 0.349492] ACPI: \_PR_.C014: Found 2 idle states [ 0.349562] ACPI: \_PR_.C016: Found 2 idle states [ 0.349611] ACPI: \_PR_.C001: Found 2 idle states [ 0.349659] ACPI: \_PR_.C003: Found 2 idle states [ 0.349727] ACPI: \_PR_.C005: Found 2 idle states [ 0.349795] ACPI: \_PR_.C007: Found 2 idle states [ 0.349860] ACPI: \_PR_.C009: Found 2 idle states [ 0.349946] ACPI: \_PR_.C00B: Found 2 idle states [ 0.350021] ACPI: \_PR_.C00D: Found 2 idle states [ 0.350087] ACPI: \_PR_.C00F: Found 2 idle states [ 0.350154] ACPI: \_PR_.C011: Found 2 idle states [ 0.350218] ACPI: \_PR_.C013: Found 2 idle states [ 0.350281] ACPI: \_PR_.C015: Found 2 idle states [ 0.350343] ACPI: \_PR_.C017: Found 2 idle states [ 0.350506] Serial: 8250/16550 driver, 32 ports, IRQ sharing enabled [ 0.350656] 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A [ 0.352195] Non-volatile memory driver v1.3 [ 0.352196] Linux agpgart interface v0.103 [ 0.352232] ACPI: bus type drm_connector registered [ 0.353115] ahci 0000:02:00.1: version 3.0 [ 0.353228] ahci 0000:02:00.1: SSS flag set, parallel bus scan disabled [ 0.353271] ahci 0000:02:00.1: AHCI vers 0001.0301, 32 command slots, 6 Gbps, SATA mode [ 0.353273] ahci 0000:02:00.1: 4/8 ports implemented (port mask 0x33) [ 0.353274] ahci 0000:02:00.1: flags: 64bit ncq sntf stag pm led clo only pmp pio slum part sxs deso sadm sds apst [ 0.353572] scsi host0: ahci [ 0.353635] scsi host1: ahci [ 0.353687] scsi host2: ahci [ 0.353746] scsi host3: ahci [ 0.353791] scsi host4: ahci [ 0.353847] scsi host5: ahci [ 0.353896] 
scsi host6: ahci [ 0.353947] scsi host7: ahci [ 0.353963] ata1: SATA max UDMA/133 abar m131072@0xfc680000 port 0xfc680100 irq 37 lpm-pol 3 [ 0.353965] ata2: SATA max UDMA/133 abar m131072@0xfc680000 port 0xfc680180 irq 37 lpm-pol 3 [ 0.353966] ata3: DUMMY [ 0.353966] ata4: DUMMY [ 0.353968] ata5: SATA max UDMA/133 abar m131072@0xfc680000 port 0xfc680300 irq 37 lpm-pol 3 [ 0.353969] ata6: SATA max UDMA/133 abar m131072@0xfc680000 port 0xfc680380 irq 37 lpm-pol 3 [ 0.353970] ata7: DUMMY [ 0.353970] ata8: DUMMY [ 0.354035] usbcore: registered new interface driver usbserial_generic [ 0.354038] usbserial: USB Serial support registered for generic [ 0.354075] rtc_cmos 00:03: RTC can wake from S4 [ 0.354252] rtc_cmos 00:03: registered as rtc0 [ 0.354279] rtc_cmos 00:03: setting system clock to 2024-08-20T18:06:09 UTC (1724177169) [ 0.354298] rtc_cmos 00:03: alarms up to one month, y3k, 114 bytes nvram [ 0.354326] amd_pstate: driver load is disabled, boot with specific mode to enable this [ 0.354436] ledtrig-cpu: registered to indicate activity on CPUs [ 0.354502] vesafb: mode is 640x480x32, linelength=2560, pages=0 [ 0.354503] vesafb: scrolling: redraw [ 0.354504] vesafb: Truecolor: size=8:8:8:8, shift=24:16:8:0 [ 0.354510] vesafb: framebuffer at 0xe0000000, mapped to 0x000000002650fc98, using 1216k, total 1216k [ 0.354529] fbcon: Deferring console take-over [ 0.354529] fb0: VESA VGA frame buffer device [ 0.354537] hid: raw HID events driver (C) Jiri Kosina [ 0.354575] drop_monitor: Initializing network drop monitor service [ 0.354633] Initializing XFRM netlink socket [ 0.354652] NET: Registered PF_INET6 protocol family [ 0.452105] Freeing initrd memory: 180616K [ 0.454777] Segment Routing with IPv6 [ 0.454779] RPL Segment Routing with IPv6 [ 0.454790] In-situ OAM (IOAM) with IPv6 [ 0.454814] NET: Registered PF_PACKET protocol family [ 0.455609] microcode: Current revision: 0x08701030 [ 0.455889] resctrl: L3 allocation detected [ 0.455890] resctrl: MB allocation detected 
[ 0.455890] resctrl: L3 monitoring detected [ 0.455908] IPI shorthand broadcast: enabled [ 0.456871] sched_clock: Marking stable (455603833, 280415)->(458727803, -2843555) [ 0.456945] Timer migration: 2 hierarchy levels; 8 children per group; 2 crossnode level [ 0.457050] registered taskstats version 1 [ 0.457399] Loading compiled-in X.509 certificates [ 0.459726] Loaded X.509 cert 'Build time autogenerated kernel key: 95ece764cfce3af14865b3218c7a308c3720a6eb' [ 0.462211] zswap: loaded using pool lz4/z3fold [ 0.462238] Demotion targets for Node 0: null [ 0.462369] Key type .fscrypt registered [ 0.462370] Key type fscrypt-provisioning registered [ 0.462570] PM: Magic number: 4:490:140 [ 0.462634] acpi device:11: hash matches [ 0.462713] RAS: Correctable Errors collector initialized. [ 0.470364] clk: Disabling unused clocks [ 0.470366] PM: genpd: Disabling unused power domains [ 0.831843] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300) [ 0.832472] ata1.00: ATA-9: ADATA SU800, 02K0S86D, max UDMA/133 [ 0.832490] ata1.00: 1000215216 sectors, multi 1: LBA48 NCQ (depth 32), AA [ 0.832852] ata1.00: Features: Dev-Sleep [ 0.833307] ata1.00: configured for UDMA/133 [ 0.845169] ahci 0000:02:00.1: port does not support device sleep [ 0.845260] scsi 0:0:0:0: Direct-Access ATA ADATA SU800 S86D PQ: 0 ANSI: 5 [ 0.845395] sd 0:0:0:0: [sda] 1000215216 512-byte logical blocks: (512 GB/477 GiB) [ 0.845401] sd 0:0:0:0: [sda] Write Protect is off [ 0.845402] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00 [ 0.845407] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 0.845416] sd 0:0:0:0: [sda] Preferred minimum I/O size 512 bytes [ 0.846320] sda: sda1 sda2 sda3 [ 0.846366] sd 0:0:0:0: [sda] Attached SCSI disk [ 1.157224] ata2: SATA link down (SStatus 0 SControl 300) [ 1.334043] tsc: Refined TSC clocksource calibration: 4099.997 MHz [ 1.334052] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x3b195c4884e, max_idle_ns: 440795370048 ns [ 
1.334137] clocksource: Switched to clocksource tsc [ 1.471596] ata5: SATA link down (SStatus 0 SControl 330) [ 1.783765] ata6: SATA link down (SStatus 0 SControl 330) [ 1.784892] Freeing unused decrypted memory: 2028K [ 1.785158] Freeing unused kernel image (initmem) memory: 3500K [ 1.785169] Write protecting the kernel read-only data: 32768k [ 1.785391] Freeing unused kernel image (rodata/data gap) memory: 924K [ 1.795786] x86/mm: Checked W+X mappings: passed, no W+X pages found. [ 1.795790] rodata_test: all tests were successful [ 1.795793] Run /init as init process [ 1.795794] with arguments: [ 1.795795] /init [ 1.795796] with environment: [ 1.795796] HOME=/ [ 1.795797] TERM=linux [ 1.795797] BOOT_IMAGE=/boot/vmlinuz-linux-nvme [ 1.800790] fbcon: Taking over console [ 1.800836] Console: switching to colour frame buffer device 80x30 [ 1.906539] xhci_hcd 0000:02:00.0: xHCI Host Controller [ 1.906546] xhci_hcd 0000:02:00.0: new USB bus registered, assigned bus number 1 [ 1.910104] nvme nvme0: pci function 0000:01:00.0 [ 1.915230] nvme nvme0: D3 entry latency set to 10 seconds [ 1.917840] nvme nvme0: 24/0/0 default/read/poll queues [ 1.920256] nvme0n1: p1 p2 p3 [ 1.961860] xhci_hcd 0000:02:00.0: hcc params 0x0200ef81 hci version 0x110 quirks 0x0000000000000010 [ 1.962019] xhci_hcd 0000:02:00.0: xHCI Host Controller [ 1.962021] xhci_hcd 0000:02:00.0: new USB bus registered, assigned bus number 2 [ 1.962023] xhci_hcd 0000:02:00.0: Host supports USB 3.1 Enhanced SuperSpeed [ 1.962078] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.10 [ 1.962080] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 1.962081] usb usb1: Product: xHCI Host Controller [ 1.962082] usb usb1: Manufacturer: Linux 6.10.6-12 xhci-hcd [ 1.962083] usb usb1: SerialNumber: 0000:02:00.0 [ 1.962164] hub 1-0:1.0: USB hub found [ 1.962177] hub 1-0:1.0: 10 ports detected [ 1.962384] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM. 
[ 1.962397] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 6.10 [ 1.962398] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 1.962399] usb usb2: Product: xHCI Host Controller [ 1.962400] usb usb2: Manufacturer: Linux 6.10.6-12 xhci-hcd [ 1.962401] usb usb2: SerialNumber: 0000:02:00.0 [ 1.962441] hub 2-0:1.0: USB hub found [ 1.962448] hub 2-0:1.0: 4 ports detected [ 1.962499] usb: port power management may be unreliable [ 1.962604] xhci_hcd 0000:09:00.3: xHCI Host Controller [ 1.962607] xhci_hcd 0000:09:00.3: new USB bus registered, assigned bus number 3 [ 1.962704] xhci_hcd 0000:09:00.3: hcc params 0x0278ffe5 hci version 0x110 quirks 0x0000000000000010 [ 1.962847] xhci_hcd 0000:09:00.3: xHCI Host Controller [ 1.962848] xhci_hcd 0000:09:00.3: new USB bus registered, assigned bus number 4 [ 1.962850] xhci_hcd 0000:09:00.3: Host supports USB 3.1 Enhanced SuperSpeed [ 1.962868] usb usb3: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.10 [ 1.962869] usb usb3: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 1.962870] usb usb3: Product: xHCI Host Controller [ 1.962871] usb usb3: Manufacturer: Linux 6.10.6-12 xhci-hcd [ 1.962872] usb usb3: SerialNumber: 0000:09:00.3 [ 1.962908] hub 3-0:1.0: USB hub found [ 1.962913] hub 3-0:1.0: 4 ports detected [ 1.963006] usb usb4: We don't know the algorithms for LPM for this host, disabling LPM. 
[ 1.963016] usb usb4: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 6.10 [ 1.963017] usb usb4: New USB device strings: Mfr=3, Product=2, SerialNumber=1 [ 1.963018] usb usb4: Product: xHCI Host Controller [ 1.963019] usb usb4: Manufacturer: Linux 6.10.6-12 xhci-hcd [ 1.963019] usb usb4: SerialNumber: 0000:09:00.3 [ 1.963057] hub 4-0:1.0: USB hub found [ 1.963062] hub 4-0:1.0: 4 ports detected [ 2.205258] Console: switching to colour dummy device 80x25 [ 2.205272] nouveau 0000:07:00.0: vgaarb: deactivate vga console [ 2.205298] nouveau 0000:07:00.0: NVIDIA G72 (046100a3) [ 2.415140] nouveau 0000:07:00.0: bios: version 05.72.22.43.35 [ 2.415405] nouveau 0000:07:00.0: fb: 128 MiB DDR2 [ 2.469167] nouveau 0000:07:00.0: DRM: VRAM: 124 MiB [ 2.469168] nouveau 0000:07:00.0: DRM: GART: 512 MiB [ 2.469169] nouveau 0000:07:00.0: DRM: TMDS table version 1.1 [ 2.469170] nouveau 0000:07:00.0: DRM: TMDS table script pointers not stubbed [ 2.469171] nouveau 0000:07:00.0: DRM: DCB version 3.0 [ 2.469172] nouveau 0000:07:00.0: DRM: DCB outp 00: 01000300 00000028 [ 2.469173] nouveau 0000:07:00.0: DRM: DCB outp 01: 02011310 00000028 [ 2.469174] nouveau 0000:07:00.0: DRM: DCB outp 02: 01011312 00000000 [ 2.469175] nouveau 0000:07:00.0: DRM: DCB outp 03: 020223f1 00c0c080 [ 2.469176] nouveau 0000:07:00.0: DRM: DCB conn 00: 0000 [ 2.469177] nouveau 0000:07:00.0: DRM: DCB conn 01: 2130 [ 2.469178] nouveau 0000:07:00.0: DRM: DCB conn 02: 0210 [ 2.469178] nouveau 0000:07:00.0: DRM: DCB conn 03: 0211 [ 2.469179] nouveau 0000:07:00.0: DRM: DCB conn 04: 0213 [ 2.469699] nouveau 0000:07:00.0: DRM: MM: using M2MF for buffer copies [ 2.475140] [drm] Initialized nouveau 1.4.0 20120801 for 0000:07:00.0 on minor 0 [ 2.475159] nouveau 0000:07:00.0: DRM: Setting dpms mode 3 on TV encoder (output 3) [ 2.583625] nouveau 0000:07:00.0: [drm] Cannot find any crtc or sizes [ 2.693635] nouveau 0000:07:00.0: [drm] Cannot find any crtc or sizes [ 2.806972] nouveau 0000:07:00.0: [drm] Cannot 
find any crtc or sizes [ 2.923646] nouveau 0000:07:00.0: [drm] Cannot find any crtc or sizes [ 3.001689] SGI XFS with ACLs, security attributes, realtime, scrub, repair, quota, no debug enabled [ 3.008914] XFS (nvme0n1p2): Mounting V5 Filesystem 78029aac-358d-4ce1-b48f-0c910bc10436 [ 3.018967] XFS (nvme0n1p2): Ending clean mount [ 3.036959] nouveau 0000:07:00.0: [drm] Cannot find any crtc or sizes [ 3.075285] systemd[1]: systemd 255-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified) [ 3.075289] systemd[1]: Detected architecture x86-64. [ 3.075905] systemd[1]: Hostname set to <minimyth2-aarch64-next>. [ 3.310464] systemd[1]: bpf-lsm: LSM BPF program attached [ 3.377445] systemd[1]: /etc/systemd/system/sleep-on-inactivity.service:6: Failed to parse service type, ignoring: daemon [ 3.387664] systemd[1]: Queued start job for default target Graphical Interface. [ 3.430634] systemd[1]: Created slice Slice /system/getty. [ 3.430786] systemd[1]: Created slice Slice /system/modprobe. [ 3.430902] systemd[1]: Created slice Slice /system/systemd-fsck. [ 3.431019] systemd[1]: Created slice Slice /system/tmux. [ 3.431098] systemd[1]: Created slice User and Session Slice. [ 3.431139] systemd[1]: Started Dispatch Password Requests to Console Directory Watch. [ 3.431170] systemd[1]: Started Forward Password Requests to Wall Directory Watch. [ 3.431258] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point. [ 3.431288] systemd[1]: Reached target Local Encrypted Volumes. [ 3.431305] systemd[1]: Reached target Local Integrity Protected Volumes. [ 3.431326] systemd[1]: Reached target Host and Network Name Lookups. [ 3.431340] systemd[1]: Reached target Path Units. 
[ 3.431356] systemd[1]: Reached target Remote File Systems. [ 3.431373] systemd[1]: Reached target Slice Units. [ 3.431395] systemd[1]: Reached target Local Verity Protected Volumes. [ 3.431436] systemd[1]: Listening on Device-mapper event daemon FIFOs. [ 3.431703] systemd[1]: Listening on LVM2 poll daemon socket. [ 3.433732] systemd[1]: Listening on RPCbind Server Activation Socket. [ 3.433777] systemd[1]: Reached target RPC Port Mapper. [ 3.434505] systemd[1]: Listening on Process Core Dump Socket. [ 3.434584] systemd[1]: Listening on Journal Socket (/dev/log). [ 3.434645] systemd[1]: Listening on Journal Socket. [ 3.434869] systemd[1]: Listening on Network Service Netlink Socket. [ 3.434907] systemd[1]: TPM2 PCR Extension (Varlink) was skipped because of an unmet condition check (ConditionSecurity=measured-uki). [ 3.435321] systemd[1]: Listening on udev Control Socket. [ 3.435391] systemd[1]: Listening on udev Kernel Socket. [ 3.435975] systemd[1]: Mounting Huge Pages File System... [ 3.436279] systemd[1]: Mounting POSIX Message Queue File System... [ 3.436538] systemd[1]: Mounting NFSD configuration filesystem... [ 3.436808] systemd[1]: Mounting Kernel Debug File System... [ 3.437086] systemd[1]: Mounting Kernel Trace File System... [ 3.437125] systemd[1]: Kernel Module supporting RPCSEC_GSS was skipped because of an unmet condition check (ConditionPathExists=/etc/krb5.keytab). [ 3.437457] systemd[1]: Starting Create List of Static Device Nodes... [ 3.437763] systemd[1]: Starting Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling... [ 3.438071] systemd[1]: Starting Load Kernel Module configfs... [ 3.438401] systemd[1]: Starting Load Kernel Module dm_mod... [ 3.438723] systemd[1]: Starting Load Kernel Module drm... [ 3.439207] systemd[1]: Starting Load Kernel Module fuse... [ 3.439538] systemd[1]: Starting Load Kernel Module loop... 
[ 3.439620] systemd[1]: File System Check on Root Device was skipped because of an unmet condition check (ConditionPathIsReadWrite=!/). [ 3.440337] systemd[1]: Starting Journal Service... [ 3.440915] systemd[1]: Starting Load Kernel Modules... [ 3.441337] systemd[1]: Starting Generate network units from Kernel command line... [ 3.441383] systemd[1]: TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki). [ 3.441775] systemd[1]: Starting Remount Root and Kernel File Systems... [ 3.441831] systemd[1]: TPM2 SRK Setup (Early) was skipped because of an unmet condition check (ConditionSecurity=measured-uki). [ 3.442213] systemd[1]: Starting Coldplug All udev Devices... [ 3.442990] systemd[1]: Mounted Huge Pages File System. [ 3.443083] systemd[1]: Mounted POSIX Message Queue File System. [ 3.443150] systemd[1]: Mounted Kernel Debug File System. [ 3.443216] systemd[1]: Mounted Kernel Trace File System. [ 3.443349] systemd[1]: Finished Create List of Static Device Nodes. [ 3.443534] systemd[1]: modprobe@configfs.service: Deactivated successfully. [ 3.443605] systemd[1]: Finished Load Kernel Module configfs. [ 3.443773] systemd[1]: modprobe@drm.service: Deactivated successfully. [ 3.443822] systemd[1]: Finished Load Kernel Module drm. [ 3.444207] systemd[1]: Mounting Kernel Configuration File System... [ 3.444519] systemd[1]: Starting Create Static Device Nodes in /dev gracefully... [ 3.445620] systemd[1]: Finished Generate network units from Kernel command line. [ 3.445676] systemd[1]: Reached target Preparation for Network. [ 3.445980] loop: module loaded [ 3.446215] systemd[1]: modprobe@loop.service: Deactivated successfully. [ 3.446270] systemd[1]: Finished Load Kernel Module loop. [ 3.446764] systemd[1]: Finished Remount Root and Kernel File Systems. [ 3.447242] systemd[1]: Rebuild Hardware Database was skipped because of an unmet condition check (ConditionNeedsUpdate=/etc). 
[ 3.447577] systemd[1]: Starting Load/Save OS Random Seed... [ 3.447602] systemd[1]: TPM2 SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki). [ 3.447816] systemd[1]: Mounted Kernel Configuration File System. [ 3.449700] systemd-journald[483]: Collecting audit messages is disabled. [ 3.451114] device-mapper: uevent: version 1.0.3 [ 3.451200] device-mapper: ioctl: 4.48.0-ioctl (2023-03-01) initialised: dm-devel(a)lists.linux.dev [ 3.451287] fuse: init (API version 7.40) [ 3.451539] systemd[1]: modprobe@dm_mod.service: Deactivated successfully. [ 3.451597] systemd[1]: Finished Load Kernel Module dm_mod. [ 3.451744] systemd[1]: modprobe@fuse.service: Deactivated successfully. [ 3.451795] systemd[1]: Finished Load Kernel Module fuse. [ 3.452157] systemd[1]: Mounting FUSE Control File System... [ 3.452195] systemd[1]: Repartition Root Disk was skipped because no trigger condition checks were met. [ 3.453918] systemd[1]: Finished Load/Save OS Random Seed. [ 3.454982] systemd[1]: Mounted FUSE Control File System. [ 3.455999] sd 0:0:0:0: Attached scsi generic sg0 type 0 [ 3.462659] systemd[1]: Finished Create Static Device Nodes in /dev gracefully. [ 3.462745] systemd[1]: Create System Users was skipped because no trigger condition checks were met. [ 3.463073] systemd[1]: Starting Create Static Device Nodes in /dev... [ 3.469292] systemd[1]: Started Journal Service. [ 3.473672] systemd-journald[483]: Received client request to flush runtime journal. [ 3.476629] systemd-journald[483]: /var/log/journal/1a15c5c01ee34ffb8beb42df7c18ff94/system.journal: Journal file uses a different sequence number ID, rotating. [ 3.476633] systemd-journald[483]: Rotating system journal. [ 3.483888] RPC: Registered named UNIX socket transport module. [ 3.483891] RPC: Registered udp transport module. [ 3.483892] RPC: Registered tcp transport module. [ 3.483892] RPC: Registered tcp-with-tls transport module. 
[ 3.483893] RPC: Registered tcp NFSv4.1 backchannel transport module. [ 3.484834] nct6775: Found NCT6779D or compatible chip at 0x2e:0x290 [ 3.545102] ryzen_smu: CPUID: family 0x17, model 0x71, stepping 0x0, package 0x2 [ 3.545142] piix4_smbus 0000:00:14.0: SMBus Host Controller at 0xb00, revision 0 [ 3.545147] piix4_smbus 0000:00:14.0: Using register 0x02 for SMBus port selection [ 3.545167] input: PC Speaker as /devices/platform/pcspkr/input/input2 [ 3.545281] piix4_smbus 0000:00:14.0: Auxiliary SMBus Host Controller at 0xb20 [ 3.545285] ryzen_smu: SMU v46.73.0 [ 3.546291] acpi_cpufreq: overriding BIOS provided _PSD data [ 3.551915] RAPL PMU: API unit is 2^-32 Joules, 1 fixed counters, 163840 ms ovfl timer [ 3.551917] RAPL PMU: hw unit of domain package 2^-16 Joules [ 3.553285] ccp 0000:09:00.1: ccp: unable to access the device: you might be running a broken BIOS. [ 3.553298] ccp 0000:09:00.1: psp enabled [ 3.558005] cryptd: max_cpu_qlen set to 1000 [ 3.563149] sp5100_tco: SP5100/SB800 TCO WatchDog Timer Driver [ 3.563215] sp5100-tco sp5100-tco: Using 0xfeb00000 for watchdog MMIO address [ 3.563443] sp5100-tco sp5100-tco: initialized. heartbeat=60 sec (nowayout=0) [ 3.572167] AVX2 version of gcm_enc/dec engaged. [ 3.572209] AES CTR mode by8 optimization enabled [ 3.634695] Adding 16776188k swap on /dev/nvme0n1p3. 
Priority:-2 extents:1 across:16776188k SS [ 3.636579] r8169 0000:05:00.0 eth0: RTL8168h/8111h, 9c:6b:00:00:6d:71, XID 541, IRQ 79 [ 3.636585] r8169 0000:05:00.0 eth0: jumbo features [frames: 9194 bytes, tx checksumming: ko] [ 3.644292] r8169 0000:05:00.0 enp5s0: renamed from eth0 [ 3.721283] kvm_amd: TSC scaling supported [ 3.721286] kvm_amd: Nested Virtualization enabled [ 3.721287] kvm_amd: Nested Paging enabled [ 3.721288] kvm_amd: LBR virtualization supported [ 3.721289] kvm_amd: SEV enabled (ASIDs 1 - 509) [ 3.721289] kvm_amd: SEV-ES disabled (ASIDs 0 - 0) [ 3.721312] kvm_amd: Virtual VMLOAD VMSAVE supported [ 3.721313] kvm_amd: Virtual GIF supported [ 3.729283] MCE: In-kernel MCE decoding enabled. [ 3.765212] AMD Address Translation Library initialized [ 3.765252] intel_rapl_common: Found RAPL domain package [ 3.765257] intel_rapl_common: Found RAPL domain core [ 3.766513] cfg80211: Loading compiled-in X.509 certificates for regulatory database [ 3.768252] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7' [ 3.768356] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600' [ 3.768582] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2 [ 3.768585] cfg80211: failed to load regulatory.db [ 4.564164] EXT4-fs (sda2): mounted filesystem b6d62eed-a5ba-4cf0-a2d7-6404683db3e3 r/w with ordered data mode. Quota mode: none. [ 4.659302] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this. 
[ 4.696961] Generic FE-GE Realtek PHY r8169-0-500:00: attached PHY driver (mii_bus:phy_addr=r8169-0-500:00, irq=MAC) [ 4.887113] r8169 0000:05:00.0 enp5s0: Link is Down [ 4.917880] br0: port 1(enp5s0) entered blocking state [ 4.917883] br0: port 1(enp5s0) entered disabled state [ 4.917889] r8169 0000:05:00.0 enp5s0: entered allmulticast mode [ 4.917970] r8169 0000:05:00.0 enp5s0: entered promiscuous mode [ 4.929839] tun: Universal TUN/TAP device driver, 1.6 [ 5.965626] br0: port 2(tap0) entered blocking state [ 5.965631] br0: port 2(tap0) entered disabled state [ 5.965641] tap0: entered allmulticast mode [ 5.965683] tap0: entered promiscuous mode [ 5.965710] br0: port 2(tap0) entered blocking state [ 5.965711] br0: port 2(tap0) entered forwarding state [ 5.986178] Bridge firewalling registered [ 6.077746] RPC: Registered rdma transport module. [ 6.077749] RPC: Registered rdma backchannel transport module. [ 6.201067] NFSD: Using nfsdcld client tracking operations. [ 6.201069] NFSD: no clients to reclaim, skipping NFSv4 grace period (net f0000000) [ 8.035190] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control rx/tx [ 8.035240] br0: port 1(enp5s0) entered blocking state [ 8.035244] br0: port 1(enp5s0) entered forwarding state [ 11.275932] netfs: FS-Cache loaded [ 11.313446] Key type dns_resolver registered [ 11.468243] NFS: Registering the id_resolver key type [ 11.468249] Key type id_resolver registered [ 11.468250] Key type id_legacy registered [ 619.427729] nouveau 0000:07:00.0: fifo: CACHE_ERROR - ch 0 [(udev-worker)[348]] subc 4 mthd 0000 data 00000039 [ 619.427757] nouveau 0000:07:00.0: fifo: CACHE_ERROR - ch 0 [(udev-worker)[348]] subc 4 mthd 0180 data 80000006 [ 622.607683] PM: suspend entry (deep) [ 622.612781] Filesystems sync: 0.005 seconds [ 622.613128] Freezing user space processes [ 622.614262] Freezing user space processes completed (elapsed 0.001 seconds) [ 622.614265] OOM killer disabled. 
[ 622.614266] Freezing remaining freezable tasks [ 622.615362] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 622.615391] printk: Suspending console(s) (use no_console_suspend to debug) [ 622.618100] serial 00:05: disabled [ 622.618143] r8169 0000:05:00.0 enp5s0: Link is Down [ 622.653931] sd 0:0:0:0: [sda] Synchronizing SCSI cache [ 622.654096] ata1.00: Entering standby power mode [ 622.717981] ACPI: PM: Preparing to enter system sleep state S3 [ 623.247496] ACPI: PM: Saving platform NVS memory [ 623.247597] Disabling non-boot CPUs ... [ 623.249082] smpboot: CPU 1 is now offline [ 623.250726] smpboot: CPU 2 is now offline [ 623.252344] smpboot: CPU 3 is now offline [ 623.254070] smpboot: CPU 4 is now offline [ 623.255710] smpboot: CPU 5 is now offline [ 623.257304] smpboot: CPU 6 is now offline [ 623.259019] smpboot: CPU 7 is now offline [ 623.260713] smpboot: CPU 8 is now offline [ 623.262291] smpboot: CPU 9 is now offline [ 623.263847] smpboot: CPU 10 is now offline [ 623.265360] smpboot: CPU 11 is now offline [ 623.266966] smpboot: CPU 12 is now offline [ 623.268544] smpboot: CPU 13 is now offline [ 623.270111] smpboot: CPU 14 is now offline [ 623.271657] smpboot: CPU 15 is now offline [ 623.273135] smpboot: CPU 16 is now offline [ 623.274750] smpboot: CPU 17 is now offline [ 623.276257] smpboot: CPU 18 is now offline [ 623.277731] smpboot: CPU 19 is now offline [ 623.279351] smpboot: CPU 20 is now offline [ 623.280835] smpboot: CPU 21 is now offline [ 623.282273] smpboot: CPU 22 is now offline [ 623.283897] smpboot: CPU 23 is now offline [ 623.284335] ACPI: PM: Low-level resume complete [ 623.284354] ACPI: PM: Restoring platform NVS memory [ 623.284413] LVT offset 0 assigned for vector 0x400 [ 623.284914] Enabling non-boot CPUs ... 
[ 623.284961] smpboot: Booting Node 0 Processor 1 APIC 0x2 [ 623.287428] ACPI: \_PR_.C002: Found 2 idle states [ 623.287895] CPU1 is up [ 623.287919] smpboot: Booting Node 0 Processor 2 APIC 0x4 [ 623.290265] ACPI: \_PR_.C004: Found 2 idle states [ 623.291326] CPU2 is up [ 623.291342] smpboot: Booting Node 0 Processor 3 APIC 0x8 [ 623.293803] ACPI: \_PR_.C006: Found 2 idle states [ 623.294532] CPU3 is up [ 623.294549] smpboot: Booting Node 0 Processor 4 APIC 0xa [ 623.296931] ACPI: \_PR_.C008: Found 2 idle states [ 623.297604] CPU4 is up [ 623.297622] smpboot: Booting Node 0 Processor 5 APIC 0xc [ 623.300009] ACPI: \_PR_.C00A: Found 2 idle states [ 623.300825] CPU5 is up [ 623.300842] smpboot: Booting Node 0 Processor 6 APIC 0x10 [ 623.303308] ACPI: \_PR_.C00C: Found 2 idle states [ 623.304162] CPU6 is up [ 623.304180] smpboot: Booting Node 0 Processor 7 APIC 0x12 [ 623.306577] ACPI: \_PR_.C00E: Found 2 idle states [ 623.307493] CPU7 is up [ 623.307512] smpboot: Booting Node 0 Processor 8 APIC 0x14 [ 623.309918] ACPI: \_PR_.C010: Found 2 idle states [ 623.310831] CPU8 is up [ 623.310849] smpboot: Booting Node 0 Processor 9 APIC 0x18 [ 623.313337] ACPI: \_PR_.C012: Found 2 idle states [ 623.314177] CPU9 is up [ 623.314196] smpboot: Booting Node 0 Processor 10 APIC 0x1a [ 623.316611] ACPI: \_PR_.C014: Found 2 idle states [ 623.317508] CPU10 is up [ 623.317528] smpboot: Booting Node 0 Processor 11 APIC 0x1c [ 623.319936] ACPI: \_PR_.C016: Found 2 idle states [ 623.320847] CPU11 is up [ 623.320863] smpboot: Booting Node 0 Processor 12 APIC 0x1 [ 623.323316] ACPI: \_PR_.C001: Found 2 idle states [ 623.324222] CPU12 is up [ 623.324256] smpboot: Booting Node 0 Processor 13 APIC 0x3 [ 623.326660] ACPI: \_PR_.C003: Found 2 idle states [ 623.327530] CPU13 is up [ 623.327549] smpboot: Booting Node 0 Processor 14 APIC 0x5 [ 623.329935] ACPI: \_PR_.C005: Found 2 idle states [ 623.330858] CPU14 is up [ 623.330876] smpboot: Booting Node 0 Processor 15 APIC 0x9 [ 623.333278] ACPI: 
\_PR_.C007: Found 2 idle states [ 623.334209] CPU15 is up [ 623.334230] smpboot: Booting Node 0 Processor 16 APIC 0xb [ 623.336655] ACPI: \_PR_.C009: Found 2 idle states [ 623.337538] CPU16 is up [ 623.337556] smpboot: Booting Node 0 Processor 17 APIC 0xd [ 623.339984] ACPI: \_PR_.C00B: Found 2 idle states [ 623.340870] CPU17 is up [ 623.340888] smpboot: Booting Node 0 Processor 18 APIC 0x11 [ 623.343311] ACPI: \_PR_.C00D: Found 2 idle states [ 623.344217] CPU18 is up [ 623.344238] smpboot: Booting Node 0 Processor 19 APIC 0x13 [ 623.346664] ACPI: \_PR_.C00F: Found 2 idle states [ 623.347547] CPU19 is up [ 623.347567] smpboot: Booting Node 0 Processor 20 APIC 0x15 [ 623.349994] ACPI: \_PR_.C011: Found 2 idle states [ 623.350883] CPU20 is up [ 623.350900] smpboot: Booting Node 0 Processor 21 APIC 0x19 [ 623.353338] ACPI: \_PR_.C013: Found 2 idle states [ 623.354237] CPU21 is up [ 623.354260] smpboot: Booting Node 0 Processor 22 APIC 0x1b [ 623.356699] ACPI: \_PR_.C015: Found 2 idle states [ 623.357561] CPU22 is up [ 623.357576] smpboot: Booting Node 0 Processor 23 APIC 0x1d [ 623.360011] ACPI: \_PR_.C017: Found 2 idle states [ 623.360897] CPU23 is up [ 623.362651] ACPI: PM: Waking up from system sleep state S3 [ 623.364743] xhci_hcd 0000:02:00.0: xHC error in resume, USBSTS 0x401, Reinit [ 623.364746] usb usb1: root hub lost power or was reset [ 623.364747] usb usb2: root hub lost power or was reset [ 623.365217] serial 00:05: activated [ 623.422418] nvme nvme0: D3 entry latency set to 10 seconds [ 623.423896] nvme nvme0: 24/0/0 default/read/poll queues [ 623.564151] r8169 0000:05:00.0 enp5s0: Link is Down [ 623.564446] OOM killer enabled. [ 623.564447] Restarting tasks ... done. 
[ 623.564748] random: crng reseeded on system resumption [ 623.565010] PM: suspend exit [ 623.630810] br0: port 1(enp5s0) entered disabled state [ 623.680471] ata5: SATA link down (SStatus 0 SControl 330) [ 623.680496] ata6: SATA link down (SStatus 0 SControl 330) [ 623.680521] ata2: SATA link down (SStatus 0 SControl 300) [ 623.834259] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300) [ 623.836103] sd 0:0:0:0: [sda] Starting disk [ 623.836969] ata1.00: configured for UDMA/133 [ 623.847173] ahci 0000:02:00.1: port does not support device sleep [ 626.666788] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control rx/tx [ 626.666812] br0: port 1(enp5s0) entered blocking state [ 626.666815] br0: port 1(enp5s0) entered forwarding state [ 628.418137] systemd-journald[483]: /var/log/journal/1a15c5c01ee34ffb8beb42df7c18ff94/user-1000.journal: Journal file uses a different sequence number ID, rotating. [ 5156.157003] r8169 0000:05:00.0 enp5s0: Link is Down [ 5156.157055] br0: port 1(enp5s0) entered disabled state [ 5171.228350] nfs: server 192.168.1.254 not responding, timed out [ 5171.384430] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control rx/tx [ 5171.384449] br0: port 1(enp5s0) entered blocking state [ 5171.384453] br0: port 1(enp5s0) entered forwarding state [ 5171.760464] r8169 0000:05:00.0 enp5s0: Link is Down [ 5172.399804] br0: port 1(enp5s0) entered disabled state [ 5173.253100] nfs: server 192.168.1.254 not responding, timed out [ 5175.003514] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control rx/tx [ 5175.003552] br0: port 1(enp5s0) entered blocking state [ 5175.003558] br0: port 1(enp5s0) entered forwarding state [ 5175.283114] nfs: server 192.168.1.254 not responding, timed out [ 5177.306424] nfs: server 192.168.1.254 not responding, timed out [ 5179.333093] nfs: server 192.168.1.254 not responding, timed out [ 5181.359766] nfs: server 192.168.1.254 not responding, timed out [ 5183.386423] nfs: server 
192.168.1.254 not responding, timed out [ 5183.410951] r8169 0000:05:00.0 enp5s0: Link is Down [ 5183.410995] br0: port 1(enp5s0) entered disabled state [ 5185.413101] nfs: server 192.168.1.254 not responding, timed out [ 5186.590549] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control rx/tx [ 5186.590566] br0: port 1(enp5s0) entered blocking state [ 5186.590570] br0: port 1(enp5s0) entered forwarding state [ 5187.439771] nfs: server 192.168.1.254 not responding, timed out [ 5189.468715] nfs: server 192.168.1.254 not responding, timed out [ 5191.496418] nfs: server 192.168.1.254 not responding, timed out [ 5193.519762] nfs: server 192.168.1.254 not responding, timed out [ 5195.546419] nfs: server 192.168.1.254 not responding, timed out [ 5197.576429] nfs: server 192.168.1.254 not responding, timed out [ 5199.599761] nfs: server 192.168.1.254 not responding, timed out [ 5201.626429] nfs: server 192.168.1.254 not responding, timed out [ 5203.174817] r8169 0000:05:00.0 enp5s0: Link is Down [ 5203.174868] br0: port 1(enp5s0) entered disabled state [ 5203.653086] nfs: server 192.168.1.254 not responding, timed out [ 5205.679768] nfs: server 192.168.1.254 not responding, timed out [ 5206.322990] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control rx/tx [ 5206.323024] br0: port 1(enp5s0) entered blocking state [ 5206.323027] br0: port 1(enp5s0) entered forwarding state [ 5207.706426] nfs: server 192.168.1.254 not responding, timed out [ 5209.733086] nfs: server 192.168.1.254 not responding, timed out [ 5211.759747] nfs: server 192.168.1.254 not responding, timed out [ 5215.066419] nfs: server 192.168.1.254 not responding, timed out [ 5218.266424] nfs: server 192.168.1.254 not responding, timed out [ 5221.469748] nfs: server 192.168.1.254 not responding, timed out [ 5224.666438] nfs: server 192.168.1.254 not responding, timed out [ 5227.866414] nfs: server 192.168.1.254 not responding, timed out [ 5231.069775] nfs: server 192.168.1.254 not 
responding, timed out [ 5234.266419] nfs: server 192.168.1.254 not responding, timed out [ 5237.466416] nfs: server 192.168.1.254 not responding, timed out [ 5240.666428] nfs: server 192.168.1.254 not responding, timed out [ 5243.866414] nfs: server 192.168.1.254 not responding, timed out [ 5247.066413] nfs: server 192.168.1.254 not responding, timed out [ 5250.269761] nfs: server 192.168.1.254 not responding, timed out [ 5253.466428] nfs: server 192.168.1.254 not responding, timed out [ 5256.666411] nfs: server 192.168.1.254 not responding, timed out [ 5259.866413] nfs: server 192.168.1.254 not responding, timed out [ 5263.066423] nfs: server 192.168.1.254 not responding, timed out [ 5266.266415] nfs: server 192.168.1.254 not responding, timed out [ 5269.466403] nfs: server 192.168.1.254 not responding, timed out [ 5272.666810] nfs: server 192.168.1.254 not responding, timed out [ 5275.869734] nfs: server 192.168.1.254 not responding, timed out [ 5279.066401] nfs: server 192.168.1.254 not responding, timed out [ 5282.266406] nfs: server 192.168.1.254 not responding, timed out [ 5285.469740] nfs: server 192.168.1.254 not responding, timed out [ 5288.669735] nfs: server 192.168.1.254 not responding, timed out [ 5291.866410] nfs: server 192.168.1.254 not responding, timed out [ 5295.069727] nfs: server 192.168.1.254 not responding, timed out [ 5298.266401] nfs: server 192.168.1.254 not responding, timed out [ 5301.466399] nfs: server 192.168.1.254 not responding, timed out [ 5304.669731] nfs: server 192.168.1.254 not responding, timed out [ 5307.866402] nfs: server 192.168.1.254 not responding, timed out [ 5311.066411] nfs: server 192.168.1.254 not responding, timed out [ 5314.266398] nfs: server 192.168.1.254 not responding, timed out [ 5317.466413] nfs: server 192.168.1.254 not responding, timed out [ 5320.666398] nfs: server 192.168.1.254 not responding, timed out [ 5323.869759] nfs: server 192.168.1.254 not responding, timed out [ 5327.066392] nfs: server 
192.168.1.254 not responding, timed out [12205.194840] hrtimer: interrupt took 9891 ns [75056.352583] PM: suspend entry (deep) [75056.360356] Filesystems sync: 0.007 seconds [75056.360576] Freezing user space processes [75056.361699] Freezing user space processes completed (elapsed 0.001 seconds) [75056.361701] OOM killer disabled. [75056.361701] Freezing remaining freezable tasks [75056.362790] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [75056.362806] printk: Suspending console(s) (use no_console_suspend to debug) [75056.365493] serial 00:05: disabled [75056.365545] r8169 0000:05:00.0 enp5s0: Link is Down [75056.397790] sd 0:0:0:0: [sda] Synchronizing SCSI cache [75056.397935] ata1.00: Entering standby power mode [75056.467281] ACPI: PM: Preparing to enter system sleep state S3 [75056.991314] ACPI: PM: Saving platform NVS memory [75056.991416] Disabling non-boot CPUs ... [75056.992892] smpboot: CPU 1 is now offline [75056.994740] smpboot: CPU 2 is now offline [75056.996410] smpboot: CPU 3 is now offline [75056.998198] smpboot: CPU 4 is now offline [75056.999862] smpboot: CPU 5 is now offline [75057.001498] smpboot: CPU 6 is now offline [75057.003243] smpboot: CPU 7 is now offline [75057.004888] smpboot: CPU 8 is now offline [75057.006604] smpboot: CPU 9 is now offline [75057.008250] smpboot: CPU 10 is now offline [75057.009916] smpboot: CPU 11 is now offline [75057.011616] smpboot: CPU 12 is now offline [75057.013213] smpboot: CPU 13 is now offline [75057.014746] smpboot: CPU 14 is now offline [75057.016319] smpboot: CPU 15 is now offline [75057.017912] smpboot: CPU 16 is now offline [75057.019635] smpboot: CPU 17 is now offline [75057.021170] smpboot: CPU 18 is now offline [75057.022666] smpboot: CPU 19 is now offline [75057.024356] smpboot: CPU 20 is now offline [75057.025938] smpboot: CPU 21 is now offline [75057.028006] smpboot: CPU 22 is now offline [75057.029565] smpboot: CPU 23 is now offline [75057.030071] ACPI: PM: Low-level 
resume complete [75057.030089] ACPI: PM: Restoring platform NVS memory [75057.030148] LVT offset 0 assigned for vector 0x400 [75057.030650] Enabling non-boot CPUs ... [75057.030700] smpboot: Booting Node 0 Processor 1 APIC 0x2 [75057.033526] ACPI: \_PR_.C002: Found 2 idle states [75057.034714] CPU1 is up [75057.034731] smpboot: Booting Node 0 Processor 2 APIC 0x4 [75057.037094] ACPI: \_PR_.C004: Found 2 idle states [75057.038026] CPU2 is up [75057.038041] smpboot: Booting Node 0 Processor 3 APIC 0x8 [75057.040492] ACPI: \_PR_.C006: Found 2 idle states [75057.041397] CPU3 is up [75057.041421] smpboot: Booting Node 0 Processor 4 APIC 0xa [75057.043808] ACPI: \_PR_.C008: Found 2 idle states [75057.044712] CPU4 is up [75057.044730] smpboot: Booting Node 0 Processor 5 APIC 0xc [75057.047125] ACPI: \_PR_.C00A: Found 2 idle states [75057.048037] CPU5 is up [75057.048060] smpboot: Booting Node 0 Processor 6 APIC 0x10 [75057.050536] ACPI: \_PR_.C00C: Found 2 idle states [75057.051388] CPU6 is up [75057.051407] smpboot: Booting Node 0 Processor 7 APIC 0x12 [75057.053811] ACPI: \_PR_.C00E: Found 2 idle states [75057.054717] CPU7 is up [75057.054734] smpboot: Booting Node 0 Processor 8 APIC 0x14 [75057.057150] ACPI: \_PR_.C010: Found 2 idle states [75057.058059] CPU8 is up [75057.058077] smpboot: Booting Node 0 Processor 9 APIC 0x18 [75057.060560] ACPI: \_PR_.C012: Found 2 idle states [75057.061401] CPU9 is up [75057.061418] smpboot: Booting Node 0 Processor 10 APIC 0x1a [75057.063827] ACPI: \_PR_.C014: Found 2 idle states [75057.064731] CPU10 is up [75057.064750] smpboot: Booting Node 0 Processor 11 APIC 0x1c [75057.067166] ACPI: \_PR_.C016: Found 2 idle states [75057.068071] CPU11 is up [75057.068090] smpboot: Booting Node 0 Processor 12 APIC 0x1 [75057.070526] ACPI: \_PR_.C001: Found 2 idle states [75057.071447] CPU12 is up [75057.071484] smpboot: Booting Node 0 Processor 13 APIC 0x3 [75057.073879] ACPI: \_PR_.C003: Found 2 idle states [75057.074754] CPU13 is up 
[75057.074772] smpboot: Booting Node 0 Processor 14 APIC 0x5 [75057.077156] ACPI: \_PR_.C005: Found 2 idle states [75057.078081] CPU14 is up [75057.078099] smpboot: Booting Node 0 Processor 15 APIC 0x9 [75057.080501] ACPI: \_PR_.C007: Found 2 idle states [75057.081435] CPU15 is up [75057.081457] smpboot: Booting Node 0 Processor 16 APIC 0xb [75057.083875] ACPI: \_PR_.C009: Found 2 idle states [75057.084764] CPU16 is up [75057.084780] smpboot: Booting Node 0 Processor 17 APIC 0xd [75057.087196] ACPI: \_PR_.C00B: Found 2 idle states [75057.088110] CPU17 is up [75057.088128] smpboot: Booting Node 0 Processor 18 APIC 0x11 [75057.090536] ACPI: \_PR_.C00D: Found 2 idle states [75057.091448] CPU18 is up [75057.091465] smpboot: Booting Node 0 Processor 19 APIC 0x13 [75057.093881] ACPI: \_PR_.C00F: Found 2 idle states [75057.094779] CPU19 is up [75057.094796] smpboot: Booting Node 0 Processor 20 APIC 0x15 [75057.097225] ACPI: \_PR_.C011: Found 2 idle states [75057.098121] CPU20 is up [75057.098161] smpboot: Booting Node 0 Processor 21 APIC 0x19 [75057.100580] ACPI: \_PR_.C013: Found 2 idle states [75057.101466] CPU21 is up [75057.101484] smpboot: Booting Node 0 Processor 22 APIC 0x1b [75057.103928] ACPI: \_PR_.C015: Found 2 idle states [75057.104797] CPU22 is up [75057.104819] smpboot: Booting Node 0 Processor 23 APIC 0x1d [75057.107262] ACPI: \_PR_.C017: Found 2 idle states [75057.108145] CPU23 is up [75057.109940] ACPI: PM: Waking up from system sleep state S3 [75057.112374] xhci_hcd 0000:02:00.0: xHC error in resume, USBSTS 0x401, Reinit [75057.112379] usb usb1: root hub lost power or was reset [75057.112380] usb usb2: root hub lost power or was reset [75057.112874] serial 00:05: activated [75057.170027] nvme nvme0: D3 entry latency set to 10 seconds [75057.171504] nvme nvme0: 24/0/0 default/read/poll queues [75057.281384] r8169 0000:05:00.0 enp5s0: Link is Down [75057.284773] OOM killer enabled. [75057.284774] Restarting tasks ... done. 
[75057.285005] random: crng reseeded on system resumption [75057.285023] PM: suspend exit [75057.398045] br0: port 1(enp5s0) entered disabled state [75057.424388] ata5: SATA link down (SStatus 0 SControl 330) [75057.424414] ata6: SATA link down (SStatus 0 SControl 330) [75057.424439] ata2: SATA link down (SStatus 0 SControl 300) [75057.581459] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300) [75057.583307] sd 0:0:0:0: [sda] Starting disk [75057.584229] ata1.00: configured for UDMA/133 [75057.594442] ahci 0000:02:00.1: port does not support device sleep [75060.372242] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control rx/tx [75060.372266] br0: port 1(enp5s0) entered blocking state [75060.372269] br0: port 1(enp5s0) entered forwarding state [75860.665039] PM: suspend entry (deep) [75860.683829] Filesystems sync: 0.018 seconds [75860.684080] Freezing user space processes [75860.685216] Freezing user space processes completed (elapsed 0.001 seconds) [75860.685218] OOM killer disabled. [75860.685218] Freezing remaining freezable tasks [75860.686305] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [75860.686325] printk: Suspending console(s) (use no_console_suspend to debug) [75860.688973] serial 00:05: disabled [75860.689113] r8169 0000:05:00.0 enp5s0: Link is Down [75860.711191] sd 0:0:0:0: [sda] Synchronizing SCSI cache [75860.711309] ata1.00: Entering standby power mode [75860.775098] ACPI: PM: Preparing to enter system sleep state S3 [75861.311474] ACPI: PM: Saving platform NVS memory [75861.311568] Disabling non-boot CPUs ... 
[75861.313034] smpboot: CPU 1 is now offline [75861.314741] smpboot: CPU 2 is now offline [75861.316431] smpboot: CPU 3 is now offline [75861.318020] smpboot: CPU 4 is now offline [75861.319647] smpboot: CPU 5 is now offline [75861.321225] smpboot: CPU 6 is now offline [75861.322861] smpboot: CPU 7 is now offline [75861.324575] smpboot: CPU 8 is now offline [75861.326157] smpboot: CPU 9 is now offline [75861.327669] smpboot: CPU 10 is now offline [75861.329244] smpboot: CPU 11 is now offline [75861.330891] smpboot: CPU 12 is now offline [75861.332412] smpboot: CPU 13 is now offline [75861.333886] smpboot: CPU 14 is now offline [75861.335405] smpboot: CPU 15 is now offline [75861.336907] smpboot: CPU 16 is now offline [75861.338481] smpboot: CPU 17 is now offline [75861.339952] smpboot: CPU 18 is now offline [75861.341446] smpboot: CPU 19 is now offline [75861.343097] smpboot: CPU 20 is now offline [75861.344578] smpboot: CPU 21 is now offline [75861.346499] smpboot: CPU 22 is now offline [75861.348026] smpboot: CPU 23 is now offline [75861.348456] ACPI: PM: Low-level resume complete [75861.348475] ACPI: PM: Restoring platform NVS memory [75861.348534] LVT offset 0 assigned for vector 0x400 [75861.349037] Enabling non-boot CPUs ... 
[75861.349087] smpboot: Booting Node 0 Processor 1 APIC 0x2 [75861.351551] ACPI: \_PR_.C002: Found 2 idle states [75861.352276] CPU1 is up [75861.352291] smpboot: Booting Node 0 Processor 2 APIC 0x4 [75861.354667] ACPI: \_PR_.C004: Found 2 idle states [75861.355335] CPU2 is up [75861.355351] smpboot: Booting Node 0 Processor 3 APIC 0x8 [75861.357813] ACPI: \_PR_.C006: Found 2 idle states [75861.358510] CPU3 is up [75861.358527] smpboot: Booting Node 0 Processor 4 APIC 0xa [75861.360917] ACPI: \_PR_.C008: Found 2 idle states [75861.361813] CPU4 is up [75861.361832] smpboot: Booting Node 0 Processor 5 APIC 0xc [75861.364234] ACPI: \_PR_.C00A: Found 2 idle states [75861.365154] CPU5 is up [75861.365172] smpboot: Booting Node 0 Processor 6 APIC 0x10 [75861.367652] ACPI: \_PR_.C00C: Found 2 idle states [75861.368500] CPU6 is up [75861.368517] smpboot: Booting Node 0 Processor 7 APIC 0x12 [75861.370927] ACPI: \_PR_.C00E: Found 2 idle states [75861.371830] CPU7 is up [75861.371848] smpboot: Booting Node 0 Processor 8 APIC 0x14 [75861.374262] ACPI: \_PR_.C010: Found 2 idle states [75861.375169] CPU8 is up [75861.375186] smpboot: Booting Node 0 Processor 9 APIC 0x18 [75861.377671] ACPI: \_PR_.C012: Found 2 idle states [75861.378512] CPU9 is up [75861.378528] smpboot: Booting Node 0 Processor 10 APIC 0x1a [75861.380949] ACPI: \_PR_.C014: Found 2 idle states [75861.381842] CPU10 is up [75861.381858] smpboot: Booting Node 0 Processor 11 APIC 0x1c [75861.384278] ACPI: \_PR_.C016: Found 2 idle states [75861.385180] CPU11 is up [75861.385200] smpboot: Booting Node 0 Processor 12 APIC 0x1 [75861.387643] ACPI: \_PR_.C001: Found 2 idle states [75861.388560] CPU12 is up [75861.388602] smpboot: Booting Node 0 Processor 13 APIC 0x3 [75861.391005] ACPI: \_PR_.C003: Found 2 idle states [75861.391863] CPU13 is up [75861.391880] smpboot: Booting Node 0 Processor 14 APIC 0x5 [75861.394265] ACPI: \_PR_.C005: Found 2 idle states [75861.395193] CPU14 is up [75861.395209] smpboot: Booting Node 
0 Processor 15 APIC 0x9 [75861.397613] ACPI: \_PR_.C007: Found 2 idle states [75861.398544] CPU15 is up [75861.398563] smpboot: Booting Node 0 Processor 16 APIC 0xb [75861.400975] ACPI: \_PR_.C009: Found 2 idle states [75861.401874] CPU16 is up [75861.401915] smpboot: Booting Node 0 Processor 17 APIC 0xd [75861.404341] ACPI: \_PR_.C00B: Found 2 idle states [75861.405223] CPU17 is up [75861.405248] smpboot: Booting Node 0 Processor 18 APIC 0x11 [75861.407671] ACPI: \_PR_.C00D: Found 2 idle states [75861.408572] CPU18 is up [75861.408594] smpboot: Booting Node 0 Processor 19 APIC 0x13 [75861.411029] ACPI: \_PR_.C00F: Found 2 idle states [75861.411898] CPU19 is up [75861.411922] smpboot: Booting Node 0 Processor 20 APIC 0x15 [75861.414359] ACPI: \_PR_.C011: Found 2 idle states [75861.415241] CPU20 is up [75861.415264] smpboot: Booting Node 0 Processor 21 APIC 0x19 [75861.417703] ACPI: \_PR_.C013: Found 2 idle states [75861.418595] CPU21 is up [75861.418617] smpboot: Booting Node 0 Processor 22 APIC 0x1b [75861.421070] ACPI: \_PR_.C015: Found 2 idle states [75861.421911] CPU22 is up [75861.421935] smpboot: Booting Node 0 Processor 23 APIC 0x1d [75861.424382] ACPI: \_PR_.C017: Found 2 idle states [75861.425257] CPU23 is up [75861.427033] ACPI: PM: Waking up from system sleep state S3 [75861.429340] xhci_hcd 0000:02:00.0: xHC error in resume, USBSTS 0x401, Reinit [75861.429344] usb usb1: root hub lost power or was reset [75861.429345] usb usb2: root hub lost power or was reset [75861.429734] serial 00:05: activated [75861.486937] nvme nvme0: D3 entry latency set to 10 seconds [75861.488395] nvme nvme0: 24/0/0 default/read/poll queues [75861.621838] r8169 0000:05:00.0 enp5s0: Link is Down [75861.622169] OOM killer enabled. [75861.622171] Restarting tasks ... done. 
[75861.622401] random: crng reseeded on system resumption [75861.622421] PM: suspend exit [75861.718489] br0: port 1(enp5s0) entered disabled state [75861.741232] ata5: SATA link down (SStatus 0 SControl 330) [75861.741258] ata6: SATA link down (SStatus 0 SControl 330) [75861.741490] ata2: SATA link down (SStatus 0 SControl 300) [75861.898589] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300) [75861.900341] sd 0:0:0:0: [sda] Starting disk [75861.901250] ata1.00: configured for UDMA/133 [75861.911447] ahci 0000:02:00.1: port does not support device sleep [75864.693199] r8169 0000:05:00.0 enp5s0: Link is Up - 1Gbps/Full - flow control rx/tx [75864.693223] br0: port 1(enp5s0) entered blocking state [75864.693226] br0: port 1(enp5s0) entered forwarding state [86041.349844] ------------[ cut here ]------------ [86041.349850] kernel BUG at mm/zswap.c:1005! [86041.349862] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [86041.349867] CPU: 5 PID: 2798071 Comm: llvm-tblgen Not tainted 6.10.6-12 #1 349ceb515693b41153483eac7819a5fb2832d2bf [86041.349872] Hardware name: To Be Filled By O.E.M. 
B450M Pro4-F R2.0/B450M Pro4-F R2.0, BIOS P10.08 01/19/2024 [86041.349876] RIP: 0010:zswap_decompress+0x1ef/0x200 [86041.349884] Code: ef e8 95 2a ce ff 84 c0 0f 85 1f ff ff ff e9 fb fe ff ff 0f 0b 48 8d 7b 10 e8 0d a9 a4 00 c7 43 10 00 00 00 00 8b 43 30 eb 86 <0f> 0b 0f 0b e8 f8 9b a3 00 0f 1f 84 00 00 00 00 00 90 90 90 90 90 [86041.349889] RSP: 0000:ffffb98f823ebb90 EFLAGS: 00010282 [86041.349892] RAX: 00000000ffffffea RBX: ffff9bf22e8c1e08 RCX: ffff9bef137774ba [86041.349894] RDX: 0000000000000002 RSI: 0000000000000438 RDI: ffff9bf22e8b2af0 [86041.349897] RBP: ffff9bef58cd2b98 R08: ffff9bee8baf07e0 R09: ffff9bef13777080 [86041.349899] R10: 0000000000000022 R11: ffff9bee8baf1000 R12: fffff782422ebc00 [86041.349902] R13: ffff9bef13777080 R14: ffff9bef01e3d6e0 R15: ffff9bf22e8c1e48 [86041.349904] FS: 00007f4bda31d280(0000) GS:ffff9bf22e880000(0000) knlGS:0000000000000000 [86041.349908] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [86041.349910] CR2: 000000001665d010 CR3: 0000000191a2c000 CR4: 0000000000350ef0 [86041.349914] Call Trace: [86041.349918] <TASK> [86041.349920] ? die+0x36/0x90 [86041.349925] ? do_trap+0xdd/0x100 [86041.349929] ? zswap_decompress+0x1ef/0x200 [86041.349932] ? do_error_trap+0x6a/0x90 [86041.349935] ? zswap_decompress+0x1ef/0x200 [86041.349938] ? exc_invalid_op+0x50/0x70 [86041.349943] ? zswap_decompress+0x1ef/0x200 [86041.349946] ? asm_exc_invalid_op+0x1a/0x20 [86041.349951] ? zswap_decompress+0x1ef/0x200 [86041.349955] zswap_load+0x109/0x120 [86041.349958] swap_read_folio+0x64/0x450 [86041.349963] swapin_readahead+0x463/0x4e0 [86041.349967] do_swap_page+0x436/0xd70 [86041.349972] ? __pte_offset_map+0x1b/0x180 [86041.349976] __handle_mm_fault+0x85d/0x1070 [86041.349979] ? 
sched_tick+0xee/0x2f0 [86041.349985] handle_mm_fault+0x18d/0x320 [86041.349988] do_user_addr_fault+0x177/0x6a0 [86041.349993] exc_page_fault+0x7e/0x180 [86041.349996] asm_exc_page_fault+0x26/0x30 [86041.350000] RIP: 0033:0x7453b9 [86041.350019] Code: 00 48 8d 0c 49 4c 8d 04 ca 48 8b 0f 4c 39 c2 75 19 e9 7f 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 48 83 c2 18 49 39 d0 74 6b <48> 39 0a 75 f2 48 89 84 24 90 00 00 00 4c 39 73 10 0f 84 2f 02 00 [86041.350024] RSP: 002b:00007ffe67b93c80 EFLAGS: 00010206 [86041.350027] RAX: 0000000016659250 RBX: 00007ffe67b93db0 RCX: 000000000f1aad40 [86041.350030] RDX: 000000001665d010 RSI: 00007ffe67b93cd8 RDI: 00007ffe67b93cd0 [86041.350032] RBP: 0000000000000001 R08: 000000001665d088 R09: 0000000000000000 [86041.350035] R10: 00007f4bda030610 R11: 00007f4bda0d6200 R12: 0000000016661210 [86041.350038] R13: 00007ffe67b94a58 R14: 000000000ba280a8 R15: 0000000000000006 [86041.350041] </TASK> [86041.350043] Modules linked in: tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs netfs rpcrdma rdma_cm iw_cm ib_cm ib_core br_netfilter iptable_filter xt_physdev tun bridge stp llc ext4 crc16 mbcache jbd2 amd_atl intel_rapl_msr intel_rapl_common cfg80211 edac_mce_amd kvm_amd rfkill kvm crct10dif_pclmul crc32_pclmul polyval_clmulni r8169 polyval_generic gf128mul ghash_clmulni_intel sha512_ssse3 realtek sha256_ssse3 sha1_ssse3 aesni_intel mdio_devres crypto_simd sp5100_tco k10temp gpio_amdpt cryptd wmi_bmof pcspkr ccp libphy i2c_piix4 acpi_cpufreq rapl zenpower ryzen_smu gpio_generic mac_hid nfsd auth_rpcgss nfs_acl lockd grace nct6775 nct6775_core hwmon_vid sg sunrpc crypto_user fuse dm_mod loop nfnetlink bpf_preload ip_tables x_tables xfs libcrc32c crc32c_generic drm_ttm_helper ttm video gpu_sched i2c_algo_bit drm_gpuvm drm_exec mxm_wmi nvme crc32c_intel drm_display_helper xhci_pci nvme_core xhci_pci_renesas wmi virtio_net net_failover failover dimlib virtio_blk virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev [86041.350106] [last unloaded: nouveau] 
[86041.350125] ---[ end trace 0000000000000000 ]--- [86041.350128] RIP: 0010:zswap_decompress+0x1ef/0x200 [86041.350131] Code: ef e8 95 2a ce ff 84 c0 0f 85 1f ff ff ff e9 fb fe ff ff 0f 0b 48 8d 7b 10 e8 0d a9 a4 00 c7 43 10 00 00 00 00 8b 43 30 eb 86 <0f> 0b 0f 0b e8 f8 9b a3 00 0f 1f 84 00 00 00 00 00 90 90 90 90 90 [86041.350137] RSP: 0000:ffffb98f823ebb90 EFLAGS: 00010282 [86041.350139] RAX: 00000000ffffffea RBX: ffff9bf22e8c1e08 RCX: ffff9bef137774ba [86041.350142] RDX: 0000000000000002 RSI: 0000000000000438 RDI: ffff9bf22e8b2af0 [86041.350145] RBP: ffff9bef58cd2b98 R08: ffff9bee8baf07e0 R09: ffff9bef13777080 [86041.350147] R10: 0000000000000022 R11: ffff9bee8baf1000 R12: fffff782422ebc00 [86041.350150] R13: ffff9bef13777080 R14: ffff9bef01e3d6e0 R15: ffff9bf22e8c1e48 [86041.350152] FS: 00007f4bda31d280(0000) GS:ffff9bf22e880000(0000) knlGS:0000000000000000 [86041.350156] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [86041.350158] CR2: 000000001665d010 CR3: 0000000191a2c000 CR4: 0000000000350ef0 [86041.350162] ------------[ cut here ]------------ [86041.350164] WARNING: CPU: 5 PID: 2798071 at kernel/exit.c:825 do_exit+0x88b/0xac0 [86041.350170] Modules linked in: tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs netfs rpcrdma rdma_cm iw_cm ib_cm ib_core br_netfilter iptable_filter xt_physdev tun bridge stp llc ext4 crc16 mbcache jbd2 amd_atl intel_rapl_msr intel_rapl_common cfg80211 edac_mce_amd kvm_amd rfkill kvm crct10dif_pclmul crc32_pclmul polyval_clmulni r8169 polyval_generic gf128mul ghash_clmulni_intel sha512_ssse3 realtek sha256_ssse3 sha1_ssse3 aesni_intel mdio_devres crypto_simd sp5100_tco k10temp gpio_amdpt cryptd wmi_bmof pcspkr ccp libphy i2c_piix4 acpi_cpufreq rapl zenpower ryzen_smu gpio_generic mac_hid nfsd auth_rpcgss nfs_acl lockd grace nct6775 nct6775_core hwmon_vid sg sunrpc crypto_user fuse dm_mod loop nfnetlink bpf_preload ip_tables x_tables xfs libcrc32c crc32c_generic drm_ttm_helper ttm video gpu_sched i2c_algo_bit drm_gpuvm drm_exec 
mxm_wmi nvme crc32c_intel drm_display_helper xhci_pci nvme_core xhci_pci_renesas wmi virtio_net net_failover failover dimlib virtio_blk virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev [86041.350211] [last unloaded: nouveau] [86041.350231] CPU: 5 PID: 2798071 Comm: llvm-tblgen Tainted: G D 6.10.6-12 #1 349ceb515693b41153483eac7819a5fb2832d2bf [86041.350236] Hardware name: To Be Filled By O.E.M. B450M Pro4-F R2.0/B450M Pro4-F R2.0, BIOS P10.08 01/19/2024 [86041.350239] RIP: 0010:do_exit+0x88b/0xac0 [86041.350242] Code: 89 a3 48 06 00 00 48 89 6c 24 10 48 8b 83 68 08 00 00 e9 ff fd ff ff 48 8b bb 28 06 00 00 31 f6 e8 da e1 ff ff e9 a1 fd ff ff <0f> 0b e9 eb f7 ff ff 4c 89 e6 bf 05 06 00 00 e8 c1 2b 01 00 e9 66 [86041.350248] RSP: 0000:ffffb98f823ebed8 EFLAGS: 00010282 [86041.350250] RAX: 0000000400000000 RBX: ffff9bf042adc100 RCX: 0000000000000000 [86041.350252] RDX: 0000000000000001 RSI: 0000000000002710 RDI: ffff9bef09907380 [86041.350255] RBP: ffff9bef81c55580 R08: 0000000000000000 R09: 0000000000000003 [86041.350258] R10: ffffb98f823eb850 R11: ffff9bf23f2ad7a8 R12: 000000000000000b [86041.350261] R13: ffff9bef09907380 R14: ffffffffa65fa463 R15: ffffb98f823ebae8 [86041.350263] FS: 00007f4bda31d280(0000) GS:ffff9bf22e880000(0000) knlGS:0000000000000000 [86041.350267] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [86041.350269] CR2: 000000001665d010 CR3: 0000000191a2c000 CR4: 0000000000350ef0 [86041.350272] Call Trace: [86041.350274] <TASK> [86041.350276] ? __warn+0x80/0x120 [86041.350280] ? do_exit+0x88b/0xac0 [86041.350283] ? report_bug+0x164/0x190 [86041.350288] ? handle_bug+0x3c/0x80 [86041.350291] ? exc_invalid_op+0x17/0x70 [86041.350294] ? asm_exc_invalid_op+0x1a/0x20 [86041.350297] ? do_exit+0x88b/0xac0 [86041.350300] ? do_exit+0x6f/0xac0 [86041.350303] ? 
do_user_addr_fault+0x177/0x6a0 [86041.350307] make_task_dead+0x81/0x170 [86041.350310] rewind_stack_and_make_dead+0x16/0x20 [86041.350314] RIP: 0033:0x7453b9 [86041.350319] Code: 00 48 8d 0c 49 4c 8d 04 ca 48 8b 0f 4c 39 c2 75 19 e9 7f 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 48 83 c2 18 49 39 d0 74 6b <48> 39 0a 75 f2 48 89 84 24 90 00 00 00 4c 39 73 10 0f 84 2f 02 00 [86041.350324] RSP: 002b:00007ffe67b93c80 EFLAGS: 00010206 [86041.350327] RAX: 0000000016659250 RBX: 00007ffe67b93db0 RCX: 000000000f1aad40 [86041.350330] RDX: 000000001665d010 RSI: 00007ffe67b93cd8 RDI: 00007ffe67b93cd0 [86041.350332] RBP: 0000000000000001 R08: 000000001665d088 R09: 0000000000000000 [86041.350335] R10: 00007f4bda030610 R11: 00007f4bda0d6200 R12: 0000000016661210 [86041.350337] R13: 00007ffe67b94a58 R14: 000000000ba280a8 R15: 0000000000000006 [86041.350341] </TASK> [86041.350342] ---[ end trace 0000000000000000 ]--- [86041.579617] BUG: kernel NULL pointer dereference, address: 0000000000000008 [86041.579627] #PF: supervisor write access in kernel mode [86041.579630] #PF: error_code(0x0002) - not-present page [86041.579632] PGD 0 P4D 0 [86041.579636] Oops: Oops: 0002 [#2] PREEMPT SMP NOPTI [86041.579640] CPU: 5 PID: 2798071 Comm: llvm-tblgen Tainted: G D W 6.10.6-12 #1 349ceb515693b41153483eac7819a5fb2832d2bf [86041.579645] Hardware name: To Be Filled By O.E.M. 
B450M Pro4-F R2.0/B450M Pro4-F R2.0, BIOS P10.08 01/19/2024 [86041.579649] RIP: 0010:__blk_flush_plug+0x89/0x150 [86041.579655] Code: de 48 89 5c 24 08 48 89 5c 24 10 48 39 c1 74 7c 49 8b 46 20 48 8b 34 24 48 39 c6 74 5b 49 8b 4e 20 49 8b 56 28 48 8b 44 24 08 <48> 89 59 08 48 89 4c 24 08 48 89 02 48 89 50 08 49 89 76 20 49 89 [86041.579660] RSP: 0018:ffffb98f823ebc30 EFLAGS: 00010286 [86041.579662] RAX: ffffb98f823ebc38 RBX: ffffb98f823ebc38 RCX: 0000000000000000 [86041.579665] RDX: 0000000101887e59 RSI: ffffb98f823ebce8 RDI: ffffb98f823ebcc8 [86041.579667] RBP: 0000000000000001 R08: ffff9bef14e7c248 R09: 0000000000000050 [86041.579669] R10: 0000000000400023 R11: 0000000000000001 R12: dead000000000122 [86041.579672] R13: dead000000000100 R14: ffffb98f823ebcc8 R15: 0000000000000000 [86041.579674] FS: 0000000000000000(0000) GS:ffff9bf22e880000(0000) knlGS:0000000000000000 [86041.579677] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [86041.579679] CR2: 0000000000000008 CR3: 0000000103bfe000 CR4: 0000000000350ef0 [86041.579682] Call Trace: [86041.579685] <TASK> [86041.579689] ? __die+0x23/0x70 [86041.579694] ? page_fault_oops+0x173/0x5a0 [86041.579698] ? exc_page_fault+0x7e/0x180 [86041.579702] ? asm_exc_page_fault+0x26/0x30 [86041.579706] ? __blk_flush_plug+0x89/0x150 [86041.579709] schedule+0x99/0xf0 [86041.579714] schedule_preempt_disabled+0x15/0x30 [86041.579716] rwsem_down_write_slowpath+0x1eb/0x640 [86041.579720] down_write+0x5a/0x60 [86041.579723] free_pgtables+0xc6/0x1e0 [86041.579728] exit_mmap+0x16b/0x3a0 [86041.579733] __mmput+0x3e/0x130 [86041.579736] do_exit+0x2ac/0xac0 [86041.579741] ? do_user_addr_fault+0x177/0x6a0 [86041.579743] make_task_dead+0x81/0x170 [86041.579746] rewind_stack_and_make_dead+0x16/0x20 [86041.579750] RIP: 0033:0x7453b9 [86041.579768] Code: Unable to access opcode bytes at 0x74538f. 
[86041.579770] RSP: 002b:00007ffe67b93c80 EFLAGS: 00010206 [86041.579772] RAX: 0000000016659250 RBX: 00007ffe67b93db0 RCX: 000000000f1aad40 [86041.579774] RDX: 000000001665d010 RSI: 00007ffe67b93cd8 RDI: 00007ffe67b93cd0 [86041.579776] RBP: 0000000000000001 R08: 000000001665d088 R09: 0000000000000000 [86041.579778] R10: 00007f4bda030610 R11: 00007f4bda0d6200 R12: 0000000016661210 [86041.579781] R13: 00007ffe67b94a58 R14: 000000000ba280a8 R15: 0000000000000006 [86041.579784] </TASK> [86041.579785] Modules linked in: tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs netfs rpcrdma rdma_cm iw_cm ib_cm ib_core br_netfilter iptable_filter xt_physdev tun bridge stp llc ext4 crc16 mbcache jbd2 amd_atl intel_rapl_msr intel_rapl_common cfg80211 edac_mce_amd kvm_amd rfkill kvm crct10dif_pclmul crc32_pclmul polyval_clmulni r8169 polyval_generic gf128mul ghash_clmulni_intel sha512_ssse3 realtek sha256_ssse3 sha1_ssse3 aesni_intel mdio_devres crypto_simd sp5100_tco k10temp gpio_amdpt cryptd wmi_bmof pcspkr ccp libphy i2c_piix4 acpi_cpufreq rapl zenpower ryzen_smu gpio_generic mac_hid nfsd auth_rpcgss nfs_acl lockd grace nct6775 nct6775_core hwmon_vid sg sunrpc crypto_user fuse dm_mod loop nfnetlink bpf_preload ip_tables x_tables xfs libcrc32c crc32c_generic drm_ttm_helper ttm video gpu_sched i2c_algo_bit drm_gpuvm drm_exec mxm_wmi nvme crc32c_intel drm_display_helper xhci_pci nvme_core xhci_pci_renesas wmi virtio_net net_failover failover dimlib virtio_blk virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev [86041.579842] [last unloaded: nouveau] [86041.579858] CR2: 0000000000000008 [86041.579861] ---[ end trace 0000000000000000 ]--- [86041.579863] RIP: 0010:zswap_decompress+0x1ef/0x200 [86041.579867] Code: ef e8 95 2a ce ff 84 c0 0f 85 1f ff ff ff e9 fb fe ff ff 0f 0b 48 8d 7b 10 e8 0d a9 a4 00 c7 43 10 00 00 00 00 8b 43 30 eb 86 <0f> 0b 0f 0b e8 f8 9b a3 00 0f 1f 84 00 00 00 00 00 90 90 90 90 90 [86041.579872] RSP: 0000:ffffb98f823ebb90 EFLAGS: 00010282 [86041.579875] RAX: 
00000000ffffffea RBX: ffff9bf22e8c1e08 RCX: ffff9bef137774ba [86041.579877] RDX: 0000000000000002 RSI: 0000000000000438 RDI: ffff9bf22e8b2af0 [86041.579880] RBP: ffff9bef58cd2b98 R08: ffff9bee8baf07e0 R09: ffff9bef13777080 [86041.579882] R10: 0000000000000022 R11: ffff9bee8baf1000 R12: fffff782422ebc00 [86041.579884] R13: ffff9bef13777080 R14: ffff9bef01e3d6e0 R15: ffff9bf22e8c1e48 [86041.579886] FS: 0000000000000000(0000) GS:ffff9bf22e880000(0000) knlGS:0000000000000000 [86041.579889] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [86041.579891] CR2: 0000000000000008 CR3: 0000000103bfe000 CR4: 0000000000350ef0 [86041.579893] note: llvm-tblgen[2798071] exited with irqs disabled [86041.579895] Fixing recursive fault but reboot is needed! [86041.579897] BUG: scheduling while atomic: llvm-tblgen/2798071/0x00000000 [86041.579899] Modules linked in: tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs netfs rpcrdma rdma_cm iw_cm ib_cm ib_core br_netfilter iptable_filter xt_physdev tun bridge stp llc ext4 crc16 mbcache jbd2 amd_atl intel_rapl_msr intel_rapl_common cfg80211 edac_mce_amd kvm_amd rfkill kvm crct10dif_pclmul crc32_pclmul polyval_clmulni r8169 polyval_generic gf128mul ghash_clmulni_intel sha512_ssse3 realtek sha256_ssse3 sha1_ssse3 aesni_intel mdio_devres crypto_simd sp5100_tco k10temp gpio_amdpt cryptd wmi_bmof pcspkr ccp libphy i2c_piix4 acpi_cpufreq rapl zenpower ryzen_smu gpio_generic mac_hid nfsd auth_rpcgss nfs_acl lockd grace nct6775 nct6775_core hwmon_vid sg sunrpc crypto_user fuse dm_mod loop nfnetlink bpf_preload ip_tables x_tables xfs libcrc32c crc32c_generic drm_ttm_helper ttm video gpu_sched i2c_algo_bit drm_gpuvm drm_exec mxm_wmi nvme crc32c_intel drm_display_helper xhci_pci nvme_core xhci_pci_renesas wmi virtio_net net_failover failover dimlib virtio_blk virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev [86041.579933] [last unloaded: nouveau] [86041.579950] CPU: 5 PID: 2798071 Comm: llvm-tblgen Tainted: G D W 6.10.6-12 #1 
349ceb515693b41153483eac7819a5fb2832d2bf [86041.579954] Hardware name: To Be Filled By O.E.M. B450M Pro4-F R2.0/B450M Pro4-F R2.0, BIOS P10.08 01/19/2024 [86041.579957] Call Trace: [86041.579959] <TASK> [86041.579960] dump_stack_lvl+0x64/0x80 [86041.579965] __schedule_bug+0x56/0x70 [86041.579970] __schedule+0x10d1/0x1520 [86041.579973] ? __wake_up_klogd.part.0+0x3c/0x60 [86041.579978] ? vprintk_emit+0x176/0x2a0 [86041.579981] ? _printk+0x64/0x80 [86041.579984] do_task_dead+0x42/0x50 [86041.579988] make_task_dead+0x149/0x170 [86041.579991] rewind_stack_and_make_dead+0x16/0x20 [86041.579994] RIP: 0033:0x7453b9 [86041.579997] Code: Unable to access opcode bytes at 0x74538f. [86041.579999] RSP: 002b:00007ffe67b93c80 EFLAGS: 00010206 [86041.580002] RAX: 0000000016659250 RBX: 00007ffe67b93db0 RCX: 000000000f1aad40 [86041.580004] RDX: 000000001665d010 RSI: 00007ffe67b93cd8 RDI: 00007ffe67b93cd0 [86041.580006] RBP: 0000000000000001 R08: 000000001665d088 R09: 0000000000000000 [86041.580008] R10: 00007f4bda030610 R11: 00007f4bda0d6200 R12: 0000000016661210 [86041.580011] R13: 00007ffe67b94a58 R14: 000000000ba280a8 R15: 0000000000000006 [86041.580014] </TASK> [86260.530317] systemd[1]: systemd-journald.service: State 'stop-watchdog' timed out. Killing. [86260.530377] systemd[1]: systemd-journald.service: Killing process 483 (systemd-journal) with signal SIGKILL. [86350.780590] systemd[1]: systemd-journald.service: Processes still around after SIGKILL. Ignoring. [86441.030515] systemd[1]: systemd-journald.service: State 'final-sigterm' timed out. Killing. [86441.030574] systemd[1]: systemd-journald.service: Killing process 483 (systemd-journal) with signal SIGKILL. [86531.280569] systemd[1]: systemd-journald.service: Processes still around after final SIGKILL. Entering failed mode. [86531.280585] systemd[1]: systemd-journald.service: Failed with result 'watchdog'. 
[86531.280685] systemd[1]: systemd-journald.service: Unit process 483 (systemd-journal) remains running after unit stopped. [86531.289108] systemd[1]: systemd-journald.service: Scheduled restart job, restart counter is at 1. [86531.289280] systemd[1]: systemd-journald.service: Found left-over process 483 (systemd-journal) in control group while starting unit. Ignoring. [86531.289285] systemd[1]: systemd-journald.service: This usually indicates unclean termination of a previous run, or service implementation deficiencies. [86531.323344] systemd[1]: Starting Journal Service... [86531.330820] systemd-journald[2799374]: Collecting audit messages is disabled. [86531.331902] systemd-journald[2799374]: File /var/log/journal/1a15c5c01ee34ffb8beb42df7c18ff94/system.journal corrupted or uncleanly shut down, renaming and replacing. [86531.338702] systemd[1]: Started Journal Service. [root@minimyth2-x8664 piotro]#

10 months, 3 weeks

[PATCH] driver core: Fix an uninitialized variable is used by __device_attach()

by Zijun Hu

From: Zijun Hu <quic_zijuhu(a)quicinc.com>

An uninitialized variable @data.have_async may be used, as analyzed
by the following inline comments:

static int __device_attach(struct device *dev, bool allow_async)
{
	// if @allow_async is true.

	...
	struct device_attach_data data = {
		.dev = dev,
		.check_async = allow_async,
		.want_async = false,
	};
	// @data.have_async is not initialized.

	...
	ret = bus_for_each_drv(dev->bus, NULL, &data,
			       __device_attach_driver);
	// @data.have_async must not be set by __device_attach_driver() if
	// @dev->bus does not have a driver which allows asynchronous probing

	if (!ret && allow_async && data.have_async) {
		// Above, @data.have_async is not initialized but used.
		...
	}
	...
}

It may be unnecessary to trigger the second pass probing asynchronous
drivers for the device @dev.

Fixed by initializing @data.have_async to false.

Fixes: 765230b5f084 ("driver-core: add asynchronous probing support for drivers")
Cc: stable(a)vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu(a)quicinc.com>
---
 drivers/base/dd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/base/dd.c b/drivers/base/dd.c
index 9b745ba54de1..b0c44b0846aa 100644
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -1021,6 +1021,7 @@ static int __device_attach(struct device *dev, bool allow_async)
 		.dev = dev,
 		.check_async = allow_async,
 		.want_async = false,
+		.have_async = false,
 	};

 	if (dev->parent)

---
base-commit: 87ee9981d1f86ee9b1623a46c7f9e4ac24461fe4
change-id: 20240823-fix_have_async-3a135618d91b

Best regards,
--
Zijun Hu <quic_zijuhu(a)quicinc.com>
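The two-pass logic discussed in the patch can be sketched in userspace C. This is a toy model only: `struct attach_data`, `struct toy_driver`, `toy_attach_driver()` and `toy_device_attach()` are hypothetical names invented for illustration and are not the kernel's code. It shows how the `have_async` flag decides whether a second, asynchronous pass would be requested.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for the kernel's struct device_attach_data. */
struct attach_data {
	const char *dev_name;
	bool check_async;	/* caller permits deferring async drivers */
	bool want_async;	/* which kind of driver this pass handles */
	bool have_async;	/* set when an async-capable driver was seen */
};

/* Hypothetical driver description: only the async preference matters. */
struct toy_driver {
	const char *name;
	bool prefers_async;
};

/* One step of the first pass: note async drivers, skip them for now. */
static int toy_attach_driver(const struct toy_driver *drv,
			     struct attach_data *data)
{
	assert(drv != NULL && data != NULL);

	if (drv->prefers_async)
		data->have_async = true;

	/* Skip drivers whose async preference does not match this pass. */
	if (data->check_async && drv->prefers_async != data->want_async)
		return 0;

	return 0;	/* pretend nothing bound, so iteration continues */
}

/* Returns true when a second, asynchronous pass would be scheduled. */
static bool toy_device_attach(const struct toy_driver *drivers, size_t n,
			      bool allow_async)
{
	struct attach_data data = {
		.dev_name = "toy0",
		.check_async = allow_async,
		.want_async = false,
		.have_async = false,	/* written out explicitly, as in the patch */
	};
	size_t i;

	for (i = 0; i < n; i++)
		toy_attach_driver(&drivers[i], &data);

	return allow_async && data.have_async;
}
```

With only synchronous drivers the function returns false; adding one driver with `prefers_async` set makes it return true when `allow_async` is true. As a language note, standard C zero-initializes members that a designated initializer omits, so in this sketch the explicit `.have_async = false` chiefly documents intent.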

10 months, 3 weeks

[tip: irq/urgent] irqchip/gic-v3: Init SRE before poking sysregs

by tip-bot2 for Mark Rutland

The following commit has been merged into the irq/urgent branch of tip:

Commit-ID:     71c8e2a7c822ee557b07d9bb49028dd269c87b2e
Gitweb:        https://git.kernel.org/tip/71c8e2a7c822ee557b07d9bb49028dd269c87b2e
Author:        Mark Rutland <mark.rutland(a)arm.com>
AuthorDate:    Thu, 22 Aug 2024 11:23:08 +01:00
Committer:     Thomas Gleixner <tglx(a)linutronix.de>
CommitterDate: Fri, 23 Aug 2024 12:45:45 +02:00

irqchip/gic-v3: Init SRE before poking sysregs

The GICv3 driver pokes GICv3 system registers in gic_prio_init() before
gic_cpu_sys_reg_init() ensures that GICv3 system registers have been
enabled by writing to ICC_SRE_EL1.SRE.

On arm64 this is benign as has_useable_gicv3_cpuif() runs earlier during
cpufeature detection, and this enables the GICv3 system registers.

On 32-bit arm when booting on an FVP using the boot-wrapper, the accesses
in gic_prio_init() end up being UNDEFINED and crashes the kernel during
boot. This is a regression introduced by the addition of gic_prio_init().

Fix this by factoring out the SRE initialization into a new function and
calling it early in the three paths where SRE may not have been
initialized:

(1) gic_init_bases(), before the primary CPU pokes GICv3 sysregs in
    gic_prio_init().

(2) gic_starting_cpu(), before secondary CPUs initialize GICv3 sysregs in
    gic_cpu_init().

(3) gic_cpu_pm_notifier(), before CPUs re-initialize GICv3 sysregs in
    gic_cpu_sys_reg_init().

Fixes: d447bf09a4013541 ("irqchip/gic-v3: Detect GICD_CTRL.DS and SCR_EL3.FIQ earlier")
Signed-off-by: Mark Rutland <mark.rutland(a)arm.com>
Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Marc Zyngier <maz(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
 drivers/irqchip/irq-gic-v3.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
index c19083b..74f21e0 100644
--- a/drivers/irqchip/irq-gic-v3.c
+++ b/drivers/irqchip/irq-gic-v3.c
@@ -1154,14 +1154,8 @@ static void gic_update_rdist_properties(void)
 			gic_data.rdists.has_vpend_valid_dirty ? "Valid+Dirty " : "");
 }
 
-static void gic_cpu_sys_reg_init(void)
+static void gic_cpu_sys_reg_enable(void)
 {
-	int i, cpu = smp_processor_id();
-	u64 mpidr = gic_cpu_to_affinity(cpu);
-	u64 need_rss = MPIDR_RS(mpidr);
-	bool group0;
-	u32 pribits;
-
 	/*
 	 * Need to check that the SRE bit has actually been set. If
 	 * not, it means that SRE is disabled at EL2. We're going to
@@ -1172,6 +1166,16 @@ static void gic_cpu_sys_reg_init(void)
 	if (!gic_enable_sre())
 		pr_err("GIC: unable to set SRE (disabled at EL2), panic ahead\n");
 
+}
+
+static void gic_cpu_sys_reg_init(void)
+{
+	int i, cpu = smp_processor_id();
+	u64 mpidr = gic_cpu_to_affinity(cpu);
+	u64 need_rss = MPIDR_RS(mpidr);
+	bool group0;
+	u32 pribits;
+
 	pribits = gic_get_pribits();
 
 	group0 = gic_has_group0();
@@ -1333,6 +1337,7 @@ static int gic_check_rdist(unsigned int cpu)
 
 static int gic_starting_cpu(unsigned int cpu)
 {
+	gic_cpu_sys_reg_enable();
 	gic_cpu_init();
 
 	if (gic_dist_supports_lpis())
@@ -1498,6 +1503,7 @@ static int gic_cpu_pm_notifier(struct notifier_block *self,
 	if (cmd == CPU_PM_EXIT) {
 		if (gic_dist_security_disabled())
 			gic_enable_redist(true);
+		gic_cpu_sys_reg_enable();
 		gic_cpu_sys_reg_init();
 	} else if (cmd == CPU_PM_ENTER && gic_dist_security_disabled()) {
 		gic_write_grpen1(0);
@@ -2070,6 +2076,7 @@ static int __init gic_init_bases(phys_addr_t dist_phys_base,
 
 	gic_update_rdist_properties();
 
+	gic_cpu_sys_reg_enable();
 	gic_prio_init();
 	gic_dist_init();
 	gic_cpu_init();

10 months, 3 weeks


FAILED: patch "[PATCH] i2c: tegra: Do not mark ACPI devices as irq safe" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 14d069d92951a3e150c0a81f2ca3b93e54da913b
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081950-amaze-wriggle-3057@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

14d069d92951 ("i2c: tegra: Do not mark ACPI devices as irq safe")
4f5d68c85914 ("i2c: tegra: allow VI support to be compiled out")
a55efa7edf37 ("i2c: tegra: allow DVC support to be compiled out")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 14d069d92951a3e150c0a81f2ca3b93e54da913b Mon Sep 17 00:00:00 2001
From: Breno Leitao <leitao(a)debian.org>
Date: Tue, 13 Aug 2024 09:12:53 -0700
Subject: [PATCH] i2c: tegra: Do not mark ACPI devices as irq safe

On ACPI machines, the tegra i2c module encounters an issue due to a
mutex being called inside a spinlock. This leads to the following bug:

	BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
	...

	Call trace:
	__might_sleep
	__mutex_lock_common
	mutex_lock_nested
	acpi_subsys_runtime_resume
	rpm_resume
	tegra_i2c_xfer

The problem arises because during __pm_runtime_resume(), the spinlock
&dev->power.lock is acquired before rpm_resume() is called. Later,
rpm_resume() invokes acpi_subsys_runtime_resume(), which relies on
mutexes, triggering the error.

To address this issue, devices on ACPI are now marked as not IRQ-safe,
considering the dependency of acpi_subsys_runtime_resume() on mutexes.

Fixes: bd2fdedbf2ba ("i2c: tegra: Add the ACPI support")
Cc: <stable(a)vger.kernel.org> # v5.17+
Co-developed-by: Michael van der Westhuizen <rmikey(a)meta.com>
Signed-off-by: Michael van der Westhuizen <rmikey(a)meta.com>
Signed-off-by: Breno Leitao <leitao(a)debian.org>
Reviewed-by: Dmitry Osipenko <digetx(a)gmail.com>
Reviewed-by: Andy Shevchenko <andy(a)kernel.org>
Signed-off-by: Andi Shyti <andi.shyti(a)kernel.org>

diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c
index 85b31edc558d..1df5b4204142 100644
--- a/drivers/i2c/busses/i2c-tegra.c
+++ b/drivers/i2c/busses/i2c-tegra.c
@@ -1802,9 +1802,9 @@ static int tegra_i2c_probe(struct platform_device *pdev)
 	 * domain.
 	 *
 	 * VI I2C device shouldn't be marked as IRQ-safe because VI I2C won't
-	 * be used for atomic transfers.
+	 * be used for atomic transfers. ACPI device is not IRQ safe also.
 	 */
-	if (!IS_VI(i2c_dev))
+	if (!IS_VI(i2c_dev) && !has_acpi_companion(i2c_dev->dev))
 		pm_runtime_irq_safe(i2c_dev->dev);
 
 	pm_runtime_enable(i2c_dev->dev);

10 months, 3 weeks


[PATCH v2 03/36] soc: fsl: cpm1: tsa: Fix tsa_write8()

by Herve Codina

The tsa_write8() parameter is a u32 value. This is not consistent with
the function itself. Indeed, tsa_write8() writes an 8-bit value.

Be consistent and use a u8 parameter value.

Fixes: 1d4ba0b81c1c ("soc: fsl: cpm1: Add support for TSA")
Cc: stable(a)vger.kernel.org
Signed-off-by: Herve Codina <herve.codina(a)bootlin.com>
---
 drivers/soc/fsl/qe/tsa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/soc/fsl/qe/tsa.c b/drivers/soc/fsl/qe/tsa.c
index 6c5741cf5e9d..53968ea84c88 100644
--- a/drivers/soc/fsl/qe/tsa.c
+++ b/drivers/soc/fsl/qe/tsa.c
@@ -140,7 +140,7 @@ static inline void tsa_write32(void __iomem *addr, u32 val)
 	iowrite32be(val, addr);
 }
 
-static inline void tsa_write8(void __iomem *addr, u32 val)
+static inline void tsa_write8(void __iomem *addr, u8 val)
 {
 	iowrite8(val, addr);
 }
-- 
2.45.0
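
To illustrate why the parameter type matters, here is a small userspace sketch. fake_iowrite8() is a hypothetical stand-in for the kernel's iowrite8(), and the two wrappers are illustrative names only. With a 32-bit parameter a caller can pass a value wider than 8 bits and the upper bits are dropped at the write; with an 8-bit parameter the narrowing moves to the call site, where a compiler can flag it (for example with -Wconversion on GCC or Clang).

```c
#include <assert.h>
#include <stdint.h>

/* Hypothetical stand-in for the kernel's iowrite8(): stores one byte. */
static void fake_iowrite8(uint8_t val, volatile uint8_t *addr)
{
	*addr = val;
}

/* Old shape: accepts 32 bits, but only the low 8 bits reach the register. */
static void write8_u32_param(volatile uint8_t *addr, uint32_t val)
{
	fake_iowrite8((uint8_t)val, addr);
}

/* New shape: the signature states exactly what gets written. */
static void write8_u8_param(volatile uint8_t *addr, uint8_t val)
{
	fake_iowrite8(val, addr);
}

/* Both wrappers store the same byte; only the interface contract differs. */
static void check_write8(void)
{
	volatile uint8_t reg = 0;

	write8_u32_param(&reg, 0x1234u);	/* upper bits silently dropped */
	assert(reg == 0x34);

	write8_u8_param(&reg, 0x56);
	assert(reg == 0x56);
}
```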

10 months, 3 weeks


[PATCH v2 01/36] soc: fsl: cpm1: qmc: Update TRNSYNC only in transparent mode

by Herve Codina

The TRNSYNC feature is available (and enabled) only in transparent mode.

Since commit 7cc9bda9c163 ("soc: fsl: cpm1: qmc: Handle timeslot entries
at channel start() and stop()") TRNSYNC register is updated in
transparent and hdlc mode. In hdlc mode, the address of the TRNSYNC
register is used by the QMC for other internal purpose. Even if no weird
results were observed in hdlc mode, touching this register in this mode
is wrong.

Update TRNSYNC only in transparent mode.

Fixes: 7cc9bda9c163 ("soc: fsl: cpm1: qmc: Handle timeslot entries at channel start() and stop()")
Cc: stable(a)vger.kernel.org
Signed-off-by: Herve Codina <herve.codina(a)bootlin.com>
---
 drivers/soc/fsl/qe/qmc.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/drivers/soc/fsl/qe/qmc.c b/drivers/soc/fsl/qe/qmc.c
index 76bb496305a0..bacabf731dcb 100644
--- a/drivers/soc/fsl/qe/qmc.c
+++ b/drivers/soc/fsl/qe/qmc.c
@@ -940,11 +940,13 @@ static int qmc_chan_start_rx(struct qmc_chan *chan)
 		goto end;
 	}
 
-	ret = qmc_setup_chan_trnsync(chan->qmc, chan);
-	if (ret) {
-		dev_err(chan->qmc->dev, "chan %u: setup TRNSYNC failed (%d)\n",
-			chan->id, ret);
-		goto end;
+	if (chan->mode == QMC_TRANSPARENT) {
+		ret = qmc_setup_chan_trnsync(chan->qmc, chan);
+		if (ret) {
+			dev_err(chan->qmc->dev, "chan %u: setup TRNSYNC failed (%d)\n",
+				chan->id, ret);
+			goto end;
+		}
 	}
 
 	/* Restart the receiver */
@@ -982,11 +984,13 @@ static int qmc_chan_start_tx(struct qmc_chan *chan)
 		goto end;
 	}
 
-	ret = qmc_setup_chan_trnsync(chan->qmc, chan);
-	if (ret) {
-		dev_err(chan->qmc->dev, "chan %u: setup TRNSYNC failed (%d)\n",
-			chan->id, ret);
-		goto end;
+	if (chan->mode == QMC_TRANSPARENT) {
+		ret = qmc_setup_chan_trnsync(chan->qmc, chan);
+		if (ret) {
+			dev_err(chan->qmc->dev, "chan %u: setup TRNSYNC failed (%d)\n",
+				chan->id, ret);
+			goto end;
+		}
 	}
 
 	/*
-- 
2.45.0

10 months, 3 weeks


[PATCH] usb: dwc3: qcom: fix NULL pointer dereference on dwc3_qcom_read_usb2_speed

by Faisal Hassan

Null pointer dereference occurs when accessing 'hcd' to detect speed
from dwc3_qcom_suspend after the xhci-hcd is unbound.
To avoid this issue, ensure to check for NULL in
dwc3_qcom_read_usb2_speed.

echo xhci-hcd.0.auto > /sys/bus/platform/drivers/xhci-hcd/unbind
  xhci_plat_remove() -> usb_put_hcd() -> hcd_release() -> kfree(hcd)

  Unable to handle kernel NULL pointer dereference at virtual address
  0000000000000060
  Call trace:
   dwc3_qcom_suspend.part.0+0x17c/0x2d0 [dwc3_qcom]
   dwc3_qcom_runtime_suspend+0x2c/0x40 [dwc3_qcom]
   pm_generic_runtime_suspend+0x30/0x44
   __rpm_callback+0x4c/0x190
   rpm_callback+0x6c/0x80
   rpm_suspend+0x10c/0x620
   pm_runtime_work+0xc8/0xe0
   process_one_work+0x1e4/0x4f4
   worker_thread+0x64/0x43c
   kthread+0xec/0x100
   ret_from_fork+0x10/0x20

Fixes: c5f14abeb52b ("usb: dwc3: qcom: fix peripheral and OTG suspend")
Cc: stable(a)vger.kernel.org
Signed-off-by: Faisal Hassan <quic_faisalh(a)quicinc.com>
---
 drivers/usb/dwc3/dwc3-qcom.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
index 88fb6706a18d..0c7846478655 100644
--- a/drivers/usb/dwc3/dwc3-qcom.c
+++ b/drivers/usb/dwc3/dwc3-qcom.c
@@ -319,13 +319,15 @@ static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom)
 static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom, int port_index)
 {
 	struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3);
-	struct usb_device *udev;
+	struct usb_device __maybe_unused *udev;
 	struct usb_hcd __maybe_unused *hcd;
 
 	/*
 	 * FIXME: Fix this layering violation.
 	 */
 	hcd = platform_get_drvdata(dwc->xhci);
+	if (!hcd)
+		return USB_SPEED_UNKNOWN;
 
 #ifdef CONFIG_USB
 	udev = usb_hub_find_child(hcd->self.root_hub, port_index + 1);
-- 
2.17.1
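
The guard added by this patch can be sketched in userspace as follows. All types and names here are hypothetical simplifications, not the dwc3 or USB core structures. The sketch only shows the shape of the fix: return an "unknown" value when the host controller pointer has already been cleared, instead of dereferencing it.

```c
#include <assert.h>
#include <stddef.h>

/* Hypothetical, simplified stand-ins for the kernel structures. */
enum speed_sketch { SPEED_UNKNOWN = 0, SPEED_HIGH };

struct hcd_sketch {
	enum speed_sketch root_port_speed;
};

struct controller_sketch {
	struct hcd_sketch *hcd;	/* NULL once the host driver is unbound */
};

/* Return the port speed, or SPEED_UNKNOWN when no host controller is bound. */
static enum speed_sketch read_port_speed(const struct controller_sketch *ctrl)
{
	const struct hcd_sketch *hcd = ctrl->hcd;

	if (!hcd)
		return SPEED_UNKNOWN;

	return hcd->root_port_speed;
}

/* Exercise both the bound and the unbound case. */
static void check_read_port_speed(void)
{
	struct hcd_sketch hcd = { .root_port_speed = SPEED_HIGH };
	struct controller_sketch ctrl = { .hcd = &hcd };

	assert(read_port_speed(&ctrl) == SPEED_HIGH);

	ctrl.hcd = NULL;	/* simulate the unbind */
	assert(read_port_speed(&ctrl) == SPEED_UNKNOWN);
}
```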

10 months, 4 weeks


[PATCH] pidfd: prevent creation of pidfds for kthreads

by Christian Brauner

It's currently possible to create pidfds for kthreads but it is unclear
what that is supposed to mean. Until we have use-cases for it and have
figured out what behavior we want, block the creation of pidfds for
kthreads.

Fixes: 32fcb426ec00 ("pid: add pidfd_open()")
Cc: stable(a)vger.kernel.org
Signed-off-by: Christian Brauner <brauner(a)kernel.org>
---
 kernel/fork.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index cc760491f201..18bdc87209d0 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2053,11 +2053,24 @@ static int __pidfd_prepare(struct pid *pid, unsigned int flags, struct file **re
  */
 int pidfd_prepare(struct pid *pid, unsigned int flags, struct file **ret)
 {
-	bool thread = flags & PIDFD_THREAD;
-
-	if (!pid || !pid_has_task(pid, thread ? PIDTYPE_PID : PIDTYPE_TGID))
+	if (!pid)
 		return -EINVAL;
 
+	scoped_guard(rcu) {
+		struct task_struct *tsk;
+
+		if (flags & PIDFD_THREAD)
+			tsk = pid_task(pid, PIDTYPE_PID);
+		else
+			tsk = pid_task(pid, PIDTYPE_TGID);
+		if (!tsk)
+			return -EINVAL;
+
+		/* Don't create pidfds for kernel threads for now. */
+		if (tsk->flags & PF_KTHREAD)
+			return -EINVAL;
+	}
+
 	return __pidfd_prepare(pid, flags, ret);
 }
 
@@ -2403,6 +2416,12 @@ __latent_entropy struct task_struct *copy_process(
 	if (clone_flags & CLONE_PIDFD) {
 		int flags = (clone_flags & CLONE_THREAD) ? PIDFD_THREAD : 0;
 
+		/* Don't create pidfds for kernel threads for now. */
+		if (args->kthread) {
+			retval = -EINVAL;
+			goto bad_fork_free_pid;
+		}
+
 		/* Note that no task has been attached to @pid yet. */
 		retval = __pidfd_prepare(pid, flags, &pidfile);
 		if (retval < 0)
-- 
2.43.0

10 months, 4 weeks


[PATCH RESEND] pinctrl: single: fix potential NULL dereference in pcs_get_function()

by Ma Ke

pinmux_generic_get_function() can return NULL and the pointer 'function'
was dereferenced without checking against NULL. Add checking of pointer
'function' in pcs_get_function().

Found by code review.

Cc: stable(a)vger.kernel.org
Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
 drivers/pinctrl/pinctrl-single.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
index 4c6bfabb6bd7..4da3c3f422b6 100644
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -345,6 +345,8 @@ static int pcs_get_function(struct pinctrl_dev *pctldev, unsigned pin,
 		return -ENOTSUPP;
 	fselector = setting->func;
 	function = pinmux_generic_get_function(pctldev, fselector);
+	if (!function)
+		return -EINVAL;
 	*func = function->data;
 	if (!(*func)) {
 		dev_err(pcs->dev, "%s could not find function%i\n",
-- 
2.25.1

10 months, 4 weeks


Please apply commit 31e97d7c9ae3 ("media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)") to 6.1.y

by Salvatore Bonaccorso

Hi

While building 6.1.106 based version for Debian I noticed that all
32bit architectures did fail to build:

https://buildd.debian.org/status/fetch.php?pkg=linux&arch=i386&ver=6.1.106-…

The problem is known as

https://lore.kernel.org/lkml/18c6df0d-45ed-450c-9eda-95160a2bbb8e@gmail.com/

This now affects as well 6.1.y as the commits 867046cc7027 ("minmax:
relax check to allow comparison between unsigned arguments and signed
constants") and 4ead534fba42 ("minmax: allow comparisons of
'int' against 'unsigned char/short'") were backported to 6.1.106.

Thus, can you please pick as well 31e97d7c9ae3 ("media: solo6x10:
replace max(a, min(b, c)) by clamp(b, a, c)") for 6.1.y?

Note I suspect it is required as well for 5.15.164 (as the commits
were backported there as well and 31e97d7c9ae3 now missing there).

Regards,
Salvatore
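
The requested commit rewrites max(a, min(b, c)) as clamp(b, a, c). The following userspace sketch checks only that the two spellings produce the same value whenever the lower bound does not exceed the upper bound. The helpers are plain int functions written for this illustration; they are not the kernel's type-checking macros, and the sketch makes no claim about why the 32-bit build failed.

```c
#include <assert.h>

/*
 * Plain-function equivalents of min(), max() and clamp(), for int only.
 * The kernel macros additionally perform compile-time type checks.
 */
static int min_int(int a, int b) { return a < b ? a : b; }
static int max_int(int a, int b) { return a > b ? a : b; }

/* clamp_int(val, lo, hi): limit val to the range [lo, hi]; needs lo <= hi. */
static int clamp_int(int val, int lo, int hi)
{
	assert(lo <= hi);
	return min_int(max_int(val, lo), hi);
}

/* Count inputs b in [from, to] for which the two spellings disagree. */
static int count_mismatches(int lo, int hi, int from, int to)
{
	int mismatches = 0;

	for (int b = from; b <= to; b++) {
		if (max_int(lo, min_int(b, hi)) != clamp_int(b, lo, hi))
			mismatches++;
	}

	return mismatches;
}
```

For example, count_mismatches(-8, 8, -100, 100) walks values below, inside and above the range and reports how many differ between the two forms.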

10 months, 4 weeks


[PATCH v3 01/10] OPP: Fix support for required OPPs for multiple PM domains

by Ulf Hansson

It has turned out that having _set_required_opps() to recursively call
dev_pm_opp_set_opp() to set the required OPPs, doesn't really work as well
as we expected.

More precisely, at each recursive call to dev_pm_opp_set_opp() we are
changing an OPP for a required_dev that belongs to a required-OPP table.
The problem with this, is that we may have several devices sharing the
same required-OPP table, which leads to an incorrect behaviour in regards
to aggregating the per device votes.

To fix the problem for a required-OPP table belonging to a PM domain,
which is the only existing usecase for now, let's simply replace the call
to dev_pm_opp_set_opp() in _set_required_opps() by a call to
_set_opp_level().

Moving forward we may potentially need to add support for other types of
required-OPP tables. In this case, the aggregation needs to be thought of.

Fixes: e37440e7e2c2 ("OPP: Call dev_pm_opp_set_opp() for required OPPs")
Cc: stable(a)vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org>
---

Changes in v3:
	- Clarified the commitmsg.

Changes in v2:
	- Clarified the commitmsg.
	- Addressed some comments from Viresh.
	- Drop calls to _add_opp_dev() for required_devs.

---
 drivers/opp/core.c | 56 ++++++++++++++++++----------------------------
 1 file changed, 22 insertions(+), 34 deletions(-)

diff --git a/drivers/opp/core.c b/drivers/opp/core.c
index 5f4598246a87..494f8860220d 100644
--- a/drivers/opp/core.c
+++ b/drivers/opp/core.c
@@ -1061,6 +1061,27 @@ static int _set_opp_bw(const struct opp_table *opp_table,
 	return 0;
 }
 
+static int _set_opp_level(struct device *dev, struct dev_pm_opp *opp)
+{
+	unsigned int level = 0;
+	int ret = 0;
+
+	if (opp) {
+		if (opp->level == OPP_LEVEL_UNSET)
+			return 0;
+
+		level = opp->level;
+	}
+
+	/* Request a new performance state through the device's PM domain. */
+	ret = dev_pm_domain_set_performance_state(dev, level);
+	if (ret)
+		dev_err(dev, "Failed to set performance state %u (%d)\n", level,
+			ret);
+
+	return ret;
+}
+
 /* This is only called for PM domain for now */
 static int _set_required_opps(struct device *dev, struct opp_table *opp_table,
 			      struct dev_pm_opp *opp, bool up)
@@ -1091,7 +1112,7 @@ static int _set_required_opps(struct device *dev, struct opp_table *opp_table,
 		if (devs[index]) {
 			required_opp = opp ? opp->required_opps[index] : NULL;
 
-			ret = dev_pm_opp_set_opp(devs[index], required_opp);
+			ret = _set_opp_level(devs[index], required_opp);
 			if (ret)
 				return ret;
 		}
@@ -1102,27 +1123,6 @@ static int _set_required_opps(struct device *dev, struct opp_table *opp_table,
 	return 0;
 }
 
-static int _set_opp_level(struct device *dev, struct dev_pm_opp *opp)
-{
-	unsigned int level = 0;
-	int ret = 0;
-
-	if (opp) {
-		if (opp->level == OPP_LEVEL_UNSET)
-			return 0;
-
-		level = opp->level;
-	}
-
-	/* Request a new performance state through the device's PM domain. */
-	ret = dev_pm_domain_set_performance_state(dev, level);
-	if (ret)
-		dev_err(dev, "Failed to set performance state %u (%d)\n", level,
-			ret);
-
-	return ret;
-}
-
 static void _find_current_opp(struct device *dev, struct opp_table *opp_table)
 {
 	struct dev_pm_opp *opp = ERR_PTR(-ENODEV);
@@ -2457,18 +2457,6 @@ static int _opp_attach_genpd(struct opp_table *opp_table, struct device *dev,
 			}
 		}
 
-		/*
-		 * Add the virtual genpd device as a user of the OPP table, so
-		 * we can call dev_pm_opp_set_opp() on it directly.
-		 *
-		 * This will be automatically removed when the OPP table is
-		 * removed, don't need to handle that here.
-		 */
-		if (!_add_opp_dev(virt_dev, opp_table->required_opp_tables[index])) {
-			ret = -ENOMEM;
-			goto err;
-		}
-
 		opp_table->required_devs[index] = virt_dev;
 		index++;
 		name++;
-- 
2.34.1

10 months, 4 weeks


[PATCH 1/3] thermal: of: Fix OF node leak in thermal_of_trips_init() error path

by Krzysztof Kozlowski

Terminating for_each_child_of_node() loop requires dropping OF node
reference, so bailing out after thermal_of_populate_trip() error misses
this. Solve the OF node reference leak with scoped
for_each_child_of_node_scoped().

Fixes: d0c75fa2c17f ("thermal/of: Initialize trip points separately")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
---
 drivers/thermal/thermal_of.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c
index aa34b6e82e26..30f8d6e70484 100644
--- a/drivers/thermal/thermal_of.c
+++ b/drivers/thermal/thermal_of.c
@@ -125,7 +125,7 @@ static int thermal_of_populate_trip(struct device_node *np,
 static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *ntrips)
 {
 	struct thermal_trip *tt;
-	struct device_node *trips, *trip;
+	struct device_node *trips;
 	int ret, count;
 
 	trips = of_get_child_by_name(np, "trips");
@@ -150,7 +150,7 @@ static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *n
 	*ntrips = count;
 
 	count = 0;
-	for_each_child_of_node(trips, trip) {
+	for_each_child_of_node_scoped(trips, trip) {
 		ret = thermal_of_populate_trip(trip, &tt[count++]);
 		if (ret)
 			goto out_kfree;
-- 
2.43.0
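
The idea behind a scoped iterator can be sketched in userspace with the cleanup variable attribute, a GCC and Clang extension. Everything below is hypothetical: node_sketch stands in for a refcounted node, and the helper names are made up. The point of the sketch is that a reference held by a scope-bound variable is dropped on every exit from the loop body, including an early return, so the error path cannot leak it.

```c
#include <assert.h>
#include <stddef.h>

/* Hypothetical refcounted node; 'bad' marks a child that fails to parse. */
struct node_sketch {
	int refcount;
	int bad;
};

static struct node_sketch *node_get(struct node_sketch *n)
{
	if (n)
		n->refcount++;
	return n;
}

static void node_put(struct node_sketch *n)
{
	if (n)
		n->refcount--;
}

/* Cleanup handler: receives a pointer to the variable leaving scope. */
static void node_put_cleanup(struct node_sketch **np)
{
	node_put(*np);
}

/* Visit each child; bail out with -1 on the first bad one. */
static int visit_children(struct node_sketch *children, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		/* The reference is dropped whenever 'child' leaves scope. */
		struct node_sketch *child
			__attribute__((cleanup(node_put_cleanup))) =
				node_get(&children[i]);

		if (child->bad)
			return -1;	/* early exit: cleanup still runs */
	}

	return 0;
}

/* After an early exit, no child should still hold a reference. */
static void check_visit_children(void)
{
	struct node_sketch kids[3] = { { 0, 0 }, { 0, 1 }, { 0, 0 } };

	assert(visit_children(kids, 3) == -1);
	assert(kids[0].refcount == 0);
	assert(kids[1].refcount == 0);
	assert(kids[2].refcount == 0);
}
```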

10 months, 4 weeks


[PATCH] binder: fix UAF caused by offsets overwrite

by Carlos Llamas

Binder objects are processed and copied individually into the target
buffer during transactions. Any raw data in-between these objects is
copied as well. However, this raw data copy lacks an out-of-bounds
check. If the raw data exceeds the data section size then the copy
overwrites the offsets section. This eventually triggers an error that
attempts to unwind the processed objects. However, at this point the
offsets used to index these objects are now corrupted.

Unwinding with corrupted offsets can result in decrements of arbitrary
nodes and lead to their premature release. Other users of such nodes are
left with a dangling pointer triggering a use-after-free. This issue is
made evident by the following KASAN report (trimmed):

  ==================================================================
  BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
  Write of size 4 at addr ffff47fc91598f04 by task binder-util/743

  CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   _raw_spin_lock+0xe4/0x19c
   binder_free_buf+0x128/0x434
   binder_thread_write+0x8a4/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Allocated by task 743:
   __kmalloc_cache_noprof+0x110/0x270
   binder_new_node+0x50/0x700
   binder_transaction+0x413c/0x6da8
   binder_thread_write+0x978/0x3260
   binder_ioctl+0x18f0/0x258c
  [...]

  Freed by task 745:
   kfree+0xbc/0x208
   binder_thread_read+0x1c5c/0x37d4
   binder_ioctl+0x16d8/0x258c
  [...]
  ==================================================================

To avoid this issue, let's check that the raw data copy is within the
boundaries of the data section.

Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
Cc: Todd Kjos <tkjos(a)google.com>
Cc: stable(a)vger.kernel.org
Signed-off-by: Carlos Llamas <cmllamas(a)google.com>
---
 drivers/android/binder.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 905290c98c3c..e8643c69d426 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3422,6 +3422,7 @@ static void binder_transaction(struct binder_proc *proc,
 		 */
 		copy_size = object_offset - user_offset;
 		if (copy_size && (user_offset > object_offset ||
+				object_offset > tr->data_size ||
 				binder_alloc_copy_user_to_buffer(
 					&target_proc->alloc,
 					t->buffer, user_offset,
-- 
2.46.0.295.g3b9ea8a38a-goog
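
The bounds check described above can be sketched in userspace like this. copy_raw_gap() and its parameters are hypothetical names modelled loosely on the variables in the patch; the buffers are plain arrays rather than binder allocations. The sketch rejects a copy whose end offset lies beyond the data section, so bytes belonging to a following section are never overwritten.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/*
 * Copy the raw bytes between two objects, from src[user_offset] up to
 * (not including) src[object_offset], into dst at the same offsets.
 * data_size is the size of the data section; anything at or beyond it
 * belongs to another section and must not be written.
 * Returns 0 on success, -1 if the requested range is invalid.
 */
static int copy_raw_gap(unsigned char *dst, const unsigned char *src,
			size_t data_size, size_t user_offset,
			size_t object_offset)
{
	if (user_offset > object_offset)
		return -1;	/* range runs backwards */
	if (object_offset > data_size)
		return -1;	/* range would spill past the data section */

	memcpy(dst + user_offset, src + user_offset,
	       object_offset - user_offset);
	return 0;
}

/* Data section is bytes 0..7; bytes 8..15 play the offsets section. */
static void check_copy_raw_gap(void)
{
	unsigned char src[16], dst[16];

	memset(src, 0x11, sizeof(src));
	memset(dst, 0xAA, sizeof(dst));

	/* In-bounds gap: copied. */
	assert(copy_raw_gap(dst, src, 8, 2, 6) == 0);
	assert(dst[2] == 0x11 && dst[5] == 0x11 && dst[6] == 0xAA);

	/* Gap reaching into bytes 8..11: rejected, nothing written. */
	assert(copy_raw_gap(dst, src, 8, 6, 12) == -1);
	assert(dst[8] == 0xAA);
}
```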

10 months, 4 weeks


+ revert-mm-skip-cma-pages-when-they-are-not-available-update.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: revert-mm-skip-cma-pages-when-they-are-not-available-update
has been added to the -mm mm-hotfixes-unstable branch.  Its filename is
     revert-mm-skip-cma-pages-when-they-are-not-available-update.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything
branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there every 2-3 working days

------------------------------------------------------
From: Usama Arif <usamaarif642(a)gmail.com>
Subject: revert-mm-skip-cma-pages-when-they-are-not-available-update
Date: Wed, 21 Aug 2024 20:26:07 +0100

also revert b7108d66318a ("Multi-gen LRU: skip CMA pages when they are not
eligible"), per Johannes

Link: https://lkml.kernel.org/r/9060a32d-b2d7-48c0-8626-1db535653c54@gmail.com
Link: https://lkml.kernel.org/r/357ac325-4c61-497a-92a3-bdbd230d5ec9@gmail.com
Fixes: 5da226dbfce3 ("mm: skip CMA pages when they are not available")
Signed-off-by: Usama Arif <usamaarif642(a)gmail.com>
Acked-by: Johannes Weiner <hannes(a)cmpxchg.org>
Cc: Bharata B Rao <bharata(a)amd.com>
Cc: Breno Leitao <leitao(a)debian.org>
Cc: David Hildenbrand <david(a)redhat.com>
Cc: Johannes Weiner <hannes(a)cmpxchg.org>
Cc: Matthew Wilcox <willy(a)infradead.org>
Cc: Rik van Riel <riel(a)surriel.com>
Cc: Vlastimil Babka <vbabka(a)suse.cz>
Cc: Yu Zhao <yuzhao(a)google.com>
Cc: Zhaoyang Huang <huangzhaoyang(a)gmail.com>
Cc: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 mm/vmscan.c | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

--- a/mm/vmscan.c~revert-mm-skip-cma-pages-when-they-are-not-available-update
+++ a/mm/vmscan.c
@@ -4253,25 +4253,6 @@ void lru_gen_soft_reclaim(struct mem_cgr
 
 #endif /* CONFIG_MEMCG */
 
-#ifdef CONFIG_CMA
-/*
- * It is waste of effort to scan and reclaim CMA pages if it is not available
- * for current allocation context. Kswapd can not be enrolled as it can not
- * distinguish this scenario by using sc->gfp_mask = GFP_KERNEL
- */
-static bool skip_cma(struct folio *folio, struct scan_control *sc)
-{
-	return !current_is_kswapd() &&
-			gfp_migratetype(sc->gfp_mask) != MIGRATE_MOVABLE &&
-			folio_migratetype(folio) == MIGRATE_CMA;
-}
-#else
-static bool skip_cma(struct folio *folio, struct scan_control *sc)
-{
-	return false;
-}
-#endif
-
 /******************************************************************************
  *                          the eviction
  ******************************************************************************/
@@ -4319,7 +4300,7 @@ static bool sort_folio(struct lruvec *lr
 	}
 
 	/* ineligible */
-	if (zone > sc->reclaim_idx || skip_cma(folio, sc)) {
+	if (zone > sc->reclaim_idx) {
 		gen = folio_inc_gen(lruvec, folio, false);
 		list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]);
 		return true;
_

Patches currently in -mm which might be from usamaarif642(a)gmail.com are

revert-mm-skip-cma-pages-when-they-are-not-available.patch
revert-mm-skip-cma-pages-when-they-are-not-available-update.patch

10 months, 4 weeks


[PATCH RESEND] drm/amd/display: avoid using null object of framebuffer

by Ma Ke

Instead of using state->fb->obj[0] directly, get object from framebuffer
by calling drm_gem_fb_get_obj() and return error code when object is
null to avoid using null object of framebuffer.

Cc: stable(a)vger.kernel.org
Fixes: 5d945cbcd4b1 ("drm/amd/display: Create a file dedicated to planes")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
index a83bd0331c3b..5cb11cc2d063 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -28,6 +28,7 @@
 #include <drm/drm_blend.h>
 #include <drm/drm_gem_atomic_helper.h>
 #include <drm/drm_plane_helper.h>
+#include <drm/drm_gem_framebuffer_helper.h>
 #include <drm/drm_fourcc.h>
 
 #include "amdgpu.h"
@@ -935,10 +936,14 @@ static int amdgpu_dm_plane_helper_prepare_fb(struct drm_plane *plane,
 	}
 
 	afb = to_amdgpu_framebuffer(new_state->fb);
-	obj = new_state->fb->obj[0];
+	obj = drm_gem_fb_get_obj(new_state->fb, 0);
+	if (!obj) {
+		DRM_ERROR("Failed to get obj from framebuffer\n");
+		return -EINVAL;
+	}
+
 	rbo = gem_to_amdgpu_bo(obj);
 	adev = amdgpu_ttm_adev(rbo->tbo.bdev);
-
 	r = amdgpu_bo_reserve(rbo, true);
 	if (r) {
 		dev_err(adev->dev, "fail to reserve bo (%d)\n", r);
-- 
2.25.1

10 months, 4 weeks


FAILED: patch "[PATCH] riscv: entry: always initialize regs->a0 to -ENOSYS" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x 61119394631f219e23ce98bcc3eb993a64a8ea64
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081917-flanked-clear-e564@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..

Possible dependencies:

61119394631f ("riscv: entry: always initialize regs->a0 to -ENOSYS")
05d450aabd73 ("riscv: Support RANDOMIZE_KSTACK_OFFSET")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 61119394631f219e23ce98bcc3eb993a64a8ea64 Mon Sep 17 00:00:00 2001
From: Celeste Liu <coelacanthushex(a)gmail.com>
Date: Thu, 27 Jun 2024 22:23:39 +0800
Subject: [PATCH] riscv: entry: always initialize regs->a0 to -ENOSYS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Otherwise when the tracer changes syscall number to -1, the kernel fails
to initialize a0 with -ENOSYS and subsequently fails to return the error
code of the failed syscall to userspace. For example, it will break
strace syscall tampering.

Fixes: 52449c17bdd1 ("riscv: entry: set a0 = -ENOSYS only when syscall != -1")
Reported-by: "Dmitry V. Levin" <ldv(a)strace.io>
Reviewed-by: Björn Töpel <bjorn(a)rivosinc.com>
Cc: stable(a)vger.kernel.org
Signed-off-by: Celeste Liu <CoelacanthusHex(a)gmail.com>
Link: https://lore.kernel.org/r/20240627142338.5114-2-CoelacanthusHex@gmail.com
Signed-off-by: Palmer Dabbelt <palmer(a)rivosinc.com>

diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c
index 05a16b1f0aee..51ebfd23e007 100644
--- a/arch/riscv/kernel/traps.c
+++ b/arch/riscv/kernel/traps.c
@@ -319,6 +319,7 @@ void do_trap_ecall_u(struct pt_regs *regs)
 
 		regs->epc += 4;
 		regs->orig_a0 = regs->a0;
+		regs->a0 = -ENOSYS;
 
 		riscv_v_vstate_discard(regs);
 
@@ -328,8 +329,7 @@ void do_trap_ecall_u(struct pt_regs *regs)
 
 		if (syscall >= 0 && syscall < NR_syscalls)
 			syscall_handler(regs, syscall);
-		else if (syscall != -1)
-			regs->a0 = -ENOSYS;
+
 		/*
 		 * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
 		 * so the maximum stack offset is 1k bytes (10 bits).
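
The behavioural difference in this commit can be sketched in userspace as below. This is a deliberately reduced model: regs_sketch, the table size and handle_syscall() are hypothetical, and the tracer hook that may rewrite the syscall number is not modelled. It only contrasts the two dispatch shapes when the syscall number arrives as -1: the old form leaves a0 holding the first argument, the patched form leaves -ENOSYS.

```c
#include <assert.h>
#include <errno.h>

#define NR_SYSCALLS_SKETCH 4	/* hypothetical table size */

/* Hypothetical miniature of pt_regs: only the registers discussed here. */
struct regs_sketch {
	long a0;	/* first argument on entry, return value on exit */
	long orig_a0;	/* saved copy of the first argument */
	long a7;	/* syscall number, which a tracer may rewrite */
};

/* Stand-in handler: every valid syscall just returns its own number. */
static long handle_syscall(long nr)
{
	return nr;
}

/* Old behaviour: -ENOSYS is skipped when the number is exactly -1. */
static void dispatch_old(struct regs_sketch *regs)
{
	long nr = regs->a7;

	regs->orig_a0 = regs->a0;
	if (nr >= 0 && nr < NR_SYSCALLS_SKETCH)
		regs->a0 = handle_syscall(nr);
	else if (nr != -1)
		regs->a0 = -ENOSYS;
}

/* Patched behaviour: a0 defaults to -ENOSYS before dispatch. */
static void dispatch_new(struct regs_sketch *regs)
{
	long nr = regs->a7;

	regs->orig_a0 = regs->a0;
	regs->a0 = -ENOSYS;
	if (nr >= 0 && nr < NR_SYSCALLS_SKETCH)
		regs->a0 = handle_syscall(nr);
}

/* With syscall number -1, only the patched form reports -ENOSYS. */
static void check_dispatch(void)
{
	struct regs_sketch old_regs = { .a0 = 1234, .a7 = -1 };
	struct regs_sketch new_regs = { .a0 = 1234, .a7 = -1 };

	dispatch_old(&old_regs);
	dispatch_new(&new_regs);

	assert(old_regs.a0 == 1234);	/* stale first argument leaks out */
	assert(new_regs.a0 == -ENOSYS);
}
```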

10 months, 4 weeks


[PATCH 1/2] soc: qcom: pmic_glink: fix scope of __pmic_glink_lock in pmic_glink_rpmsg_probe()

by Krzysztof Kozlowski

File-scope "__pmic_glink_lock" mutex protects the file-scope
"__pmic_glink", thus reference to it should be obtained under the lock,
just like pmic_glink_rpmsg_remove() is doing. Otherwise we have a race
during PMIC GLINK device removal: the pmic_glink_rpmsg_probe() function
could store local reference before mutex in driver removal is acquired.

Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>
---
 drivers/soc/qcom/pmic_glink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/soc/qcom/pmic_glink.c b/drivers/soc/qcom/pmic_glink.c
index 9606222993fd..452f30a9354d 100644
--- a/drivers/soc/qcom/pmic_glink.c
+++ b/drivers/soc/qcom/pmic_glink.c
@@ -217,10 +217,11 @@ static void pmic_glink_pdr_callback(int state, char *svc_path, void *priv)
 
 static int pmic_glink_rpmsg_probe(struct rpmsg_device *rpdev)
 {
-	struct pmic_glink *pg = __pmic_glink;
+	struct pmic_glink *pg;
 	int ret = 0;
 
 	mutex_lock(&__pmic_glink_lock);
+	pg = __pmic_glink;
 	if (!pg) {
 		ret = dev_err_probe(&rpdev->dev, -ENODEV, "no pmic_glink device to attach to\n");
 		goto out_unlock;
-- 
2.43.0
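
The locking rule this patch restores can be sketched in userspace with a POSIX mutex. The names below (glink_sketch, shared_dev, shared_lock and the two functions) are hypothetical. The sketch shows only the ordering: the shared pointer is sampled after the lock is taken, so a concurrent removal either finishes before the read or waits for the unlock.

```c
#include <assert.h>
#include <pthread.h>
#include <stddef.h>

struct glink_sketch {
	int id;	/* hypothetical device object */
};

static pthread_mutex_t shared_lock = PTHREAD_MUTEX_INITIALIZER;
static struct glink_sketch *shared_dev;	/* protected by shared_lock */

/* Publish or clear the shared pointer, always under the lock. */
static void set_shared_dev(struct glink_sketch *dev)
{
	pthread_mutex_lock(&shared_lock);
	shared_dev = dev;
	pthread_mutex_unlock(&shared_lock);
}

/*
 * Attach to the shared device. The pointer is read only after the lock
 * is held, not at the point where the local variable is declared.
 * Returns the device id, or -1 if no device is registered.
 */
static int attach_to_shared_dev(void)
{
	struct glink_sketch *dev;
	int ret = -1;

	pthread_mutex_lock(&shared_lock);
	dev = shared_dev;
	if (dev)
		ret = dev->id;
	pthread_mutex_unlock(&shared_lock);

	return ret;
}

/* Single-threaded walk through register, attach and remove. */
static void check_attach(void)
{
	struct glink_sketch dev = { .id = 7 };

	assert(attach_to_shared_dev() == -1);
	set_shared_dev(&dev);
	assert(attach_to_shared_dev() == 7);
	set_shared_dev(NULL);
	assert(attach_to_shared_dev() == -1);
}
```

The self-check is single-threaded, so it demonstrates the access pattern rather than the race itself.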

10 months, 4 weeks


[PATCH v3 0/2] bfs: fix null-ptr-deref and possible warning in bfs_move_block() func

by kovalev＠altlinux.org

https://syzkaller.appspot.com/bug?extid=d98fd19acd08b36ff422

[PATCH v3 1/2] bfs: prevent null pointer dereference in bfs_move_block()
v3: Changed the error handling

[PATCH v3 2/2] bfs: ensure buffer is marked uptodate before marking it dirty
v3: Replaced the buffer up-to-date check with an error exit by forcefully
setting the buffer as up-to-date before calling mark_buffer_dirty()

10 months, 4 weeks


[PATCH 6.1.y 2/2 V2] KVM: x86: Fix lapic timer interrupt lost after loading a snapshot.

by David Hunter

From: Haitao Shan <hshan(a)google.com>

When running android emulator (which is based on QEMU 2.12) on certain Intel hosts with kernel version 6.3-rc1 or above, guest will freeze after loading a snapshot. This is almost 100% reproducible. By default, the android emulator will use snapshot to speed up the next launching of the same android guest. So this breaks the android emulator badly.

I tested QEMU 8.0.4 from Debian 12 with an Ubuntu 22.04 guest by running command "loadvm" after "savevm". The same issue is observed. At the same time, none of our AMD platforms is impacted. More experiments show that loading the KVM module with "enable_apicv=false" can work around it.

The issue started to show up after commit 8e6ed96cdd50 ("KVM: x86: fire timer when it is migrated and expired, and in oneshot mode"). However, as is pointed out by Sean Christopherson, it is introduced by commit 967235d32032 ("KVM: vmx: clear pending interrupts on KVM_SET_LAPIC"). commit 8e6ed96cdd50 ("KVM: x86: fire timer when it is migrated and expired, and in oneshot mode") just makes it easier to hit the issue.

Having both commits, the oneshot lapic timer gets fired immediately inside the KVM_SET_LAPIC call when loading the snapshot. On Intel platforms with APIC virtualization and posted interrupt processing, this eventually leads to setting the corresponding PIR bit. However, the whole PIR bits get cleared later in the same KVM_SET_LAPIC call by apicv_post_state_restore. This leads to the timer interrupt being lost.

The fix is to move vmx_apicv_post_state_restore to the beginning of the KVM_SET_LAPIC call and rename to vmx_apicv_pre_state_restore. What vmx_apicv_post_state_restore does is actually clearing any former apicv state and this behavior is more suitable to carry out in the beginning.

Fixes: 967235d32032 ("KVM: vmx: clear pending interrupts on KVM_SET_LAPIC")
Cc: stable(a)vger.kernel.org
Suggested-by: Sean Christopherson <seanjc(a)google.com>
Signed-off-by: Haitao Shan <hshan(a)google.com>
Link: https://lore.kernel.org/r/20230913000215.478387-1-hshan@google.com
Signed-off-by: Sean Christopherson <seanjc(a)google.com>
Signed-off-by: David Hunter <david.hunter.linux(a)gmail.com>
---
 arch/x86/kvm/vmx/vmx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 87abf4eebf8a..4040075bbd5a 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -8203,6 +8203,7 @@ static struct kvm_x86_ops vmx_x86_ops __initdata = {
 	.load_eoi_exitmap = vmx_load_eoi_exitmap,
 	.apicv_pre_state_restore = vmx_apicv_pre_state_restore,
 	.check_apicv_inhibit_reasons = vmx_check_apicv_inhibit_reasons,
+	.required_apicv_inhibits = VMX_REQUIRED_APICV_INHIBITS,
 	.hwapic_irr_update = vmx_hwapic_irr_update,
 	.hwapic_isr_update = vmx_hwapic_isr_update,
 	.guest_apic_has_interrupt = vmx_guest_apic_has_interrupt,
-- 
2.43.0
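
The ordering problem described in the commit message can be illustrated with a small userspace model. This is only a sketch under stated assumptions: `toy_pir`, `toy_fire_timer()` and `toy_clear_apicv_state()` are hypothetical stand-ins invented for illustration and are not KVM types or functions. It shows why clearing the posted-interrupt bits after the timer has fired loses the interrupt, while clearing them first does not.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy stand-in for the posted-interrupt request bitmap (hypothetical, not the KVM type). */
struct toy_pir {
	uint64_t bits;
};

/* Models the oneshot timer firing during state restore: post the vector. */
static void toy_fire_timer(struct toy_pir *pir, unsigned int vector)
{
	pir->bits |= UINT64_C(1) << (vector % 64);
}

/* Models the APICv state reset: drop every pending posted interrupt. */
static void toy_clear_apicv_state(struct toy_pir *pir)
{
	pir->bits = 0;
}

/* Old ordering: the timer fires first, then the reset wipes the pending bit. */
static bool toy_restore_clear_last(unsigned int vector)
{
	struct toy_pir pir = { 0 };

	toy_fire_timer(&pir, vector);
	toy_clear_apicv_state(&pir);
	return pir.bits != 0;	/* true if the timer interrupt is still pending */
}

/* Fixed ordering: the reset runs first, so the timer interrupt stays pending. */
static bool toy_restore_clear_first(unsigned int vector)
{
	struct toy_pir pir = { 0 };

	toy_clear_apicv_state(&pir);
	toy_fire_timer(&pir, vector);
	return pir.bits != 0;
}
```

In this model the "clear last" variant always reports the interrupt as lost, which matches the freeze described above; the real code paths are considerably more involved.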

10 months, 4 weeks


[PATCH v2 2/7] media: sun4i_csi: Implement link validate for sun4i_csi subdev

by Laurent Pinchart

The sun4i_csi driver doesn't implement link validation for the subdev it registers, leaving the link between the subdev and its source unvalidated. Fix it, using the v4l2_subdev_link_validate() helper.

Fixes: 577bbf23b758 ("media: sunxi: Add A10 CSI driver")
Cc: stable(a)vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
Acked-by: Chen-Yu Tsai <wens(a)csie.org>
---
 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
index 097a3a08ef7d..dbb26c7b2f8d 100644
--- a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
+++ b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
@@ -39,6 +39,10 @@ static const struct media_entity_operations sun4i_csi_video_entity_ops = {
 	.link_validate = v4l2_subdev_link_validate,
 };
 
+static const struct media_entity_operations sun4i_csi_subdev_entity_ops = {
+	.link_validate = v4l2_subdev_link_validate,
+};
+
 static int sun4i_csi_notify_bound(struct v4l2_async_notifier *notifier,
 				  struct v4l2_subdev *subdev,
 				  struct v4l2_async_connection *asd)
@@ -214,6 +218,7 @@ static int sun4i_csi_probe(struct platform_device *pdev)
 	subdev->internal_ops = &sun4i_csi_subdev_internal_ops;
 	subdev->flags = V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS;
 	subdev->entity.function = MEDIA_ENT_F_VID_IF_BRIDGE;
+	subdev->entity.ops = &sun4i_csi_subdev_entity_ops;
 	subdev->owner = THIS_MODULE;
 	snprintf(subdev->name, sizeof(subdev->name), "sun4i-csi-0");
 	v4l2_set_subdevdata(subdev, csi);
-- 
Regards,

Laurent Pinchart

10 months, 4 weeks


[PATCH V3] video/aperture: optionally match the device in sysfb_disable()

by Alex Deucher

In aperture_remove_conflicting_pci_devices(), we currently only call sysfb_disable() on vga class devices. This leads to the following problem when the primary device is not VGA compatible:

1. A PCI device with a non-VGA class is the boot display
2. That device is probed first and it is not a VGA device so sysfb_disable() is not called, but the device resources are freed by aperture_detach_platform_device()
3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable()
4. NULL pointer dereference via sysfb_disable() since the resources have already been freed by aperture_detach_platform_device() when it was called by the other device.

Fix this by passing a device pointer to sysfb_disable() and checking the device to determine if we should execute it or not.

v2: Fix build when CONFIG_SCREEN_INFO is not set
v3: Move device check into the mutex
    Drop primary variable in aperture_remove_conflicting_pci_devices()
    Drop __init on pci sysfb_pci_dev_is_enabled()

Fixes: 5ae3716cfdcd ("video/aperture: Only remove sysfb on the default vga pci device")
Cc: Javier Martinez Canillas <javierm(a)redhat.com>
Cc: Thomas Zimmermann <tzimmermann(a)suse.de>
Cc: Helge Deller <deller(a)gmx.de>
Cc: Sam Ravnborg <sam(a)ravnborg.org>
Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch>
Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com>
Cc: stable(a)vger.kernel.org
---
 drivers/firmware/sysfb.c | 19 +++++++++++++------
 drivers/of/platform.c    |  2 +-
 drivers/video/aperture.c | 11 +++--------
 include/linux/sysfb.h    |  4 ++--
 4 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c
index 880ffcb50088..ac4680dc463f 100644
--- a/drivers/firmware/sysfb.c
+++ b/drivers/firmware/sysfb.c
@@ -39,6 +39,8 @@ static struct platform_device *pd;
 static DEFINE_MUTEX(disable_lock);
 static bool disabled;
 
+static struct device *sysfb_parent_dev(const struct screen_info *si);
+
 static bool sysfb_unregister(void)
 {
 	if (IS_ERR_OR_NULL(pd))
@@ -52,6 +54,7 @@ static bool sysfb_unregister(void)
 
 /**
  * sysfb_disable() - disable the Generic System Framebuffers support
+ * @dev: the device to check if non-NULL
  *
  * This disables the registration of system framebuffer devices that match the
  * generic drivers that make use of the system framebuffer set up by firmware.
@@ -61,17 +64,21 @@ static bool sysfb_unregister(void)
  * Context: The function can sleep. A @disable_lock mutex is acquired to serialize
  *          against sysfb_init(), that registers a system framebuffer device.
  */
-void sysfb_disable(void)
+void sysfb_disable(struct device *dev)
 {
+	struct screen_info *si = &screen_info;
+
 	mutex_lock(&disable_lock);
-	sysfb_unregister();
-	disabled = true;
+	if (!dev || dev == sysfb_parent_dev(si)) {
+		sysfb_unregister();
+		disabled = true;
+	}
 	mutex_unlock(&disable_lock);
 }
 EXPORT_SYMBOL_GPL(sysfb_disable);
 
 #if defined(CONFIG_PCI)
-static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)
+static bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)
 {
 	/*
 	 * TODO: Try to integrate this code into the PCI subsystem
@@ -87,13 +94,13 @@ static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)
 	return true;
 }
 #else
-static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)
+static bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)
 {
 	return false;
 }
 #endif
 
-static __init struct device *sysfb_parent_dev(const struct screen_info *si)
+static struct device *sysfb_parent_dev(const struct screen_info *si)
 {
 	struct pci_dev *pdev;
 
diff --git a/drivers/of/platform.c b/drivers/of/platform.c
index 389d4ea6bfc1..ef622d41eb5b 100644
--- a/drivers/of/platform.c
+++ b/drivers/of/platform.c
@@ -592,7 +592,7 @@ static int __init of_platform_default_populate_init(void)
 			 * This can happen for example on DT systems that do EFI
 			 * booting and may provide a GOP handle to the EFI stub.
 			 */
-			sysfb_disable();
+			sysfb_disable(NULL);
 			of_platform_device_create(node, NULL, NULL);
 			of_node_put(node);
 		}
diff --git a/drivers/video/aperture.c b/drivers/video/aperture.c
index 561be8feca96..2b5a1e666e9b 100644
--- a/drivers/video/aperture.c
+++ b/drivers/video/aperture.c
@@ -293,7 +293,7 @@ int aperture_remove_conflicting_devices(resource_size_t base, resource_size_t si
 	 * ask for this, so let's assume that a real driver for the display
 	 * was already probed and prevent sysfb to register devices later.
 	 */
-	sysfb_disable();
+	sysfb_disable(NULL);
 
 	aperture_detach_devices(base, size);
 
@@ -346,15 +346,10 @@ EXPORT_SYMBOL(__aperture_remove_legacy_vga_devices);
  */
 int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *name)
 {
-	bool primary = false;
 	resource_size_t base, size;
 	int bar, ret = 0;
 
-	if (pdev == vga_default_device())
-		primary = true;
-
-	if (primary)
-		sysfb_disable();
+	sysfb_disable(&pdev->dev);
 
 	for (bar = 0; bar < PCI_STD_NUM_BARS; ++bar) {
 		if (!(pci_resource_flags(pdev, bar) & IORESOURCE_MEM))
@@ -370,7 +365,7 @@ int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *na
 	 * that consumes the VGA framebuffer I/O range. Remove this
 	 * device as well.
 	 */
-	if (primary)
+	if (pdev == vga_default_device())
 		ret = __aperture_remove_legacy_vga_devices(pdev);
 
 	return ret;
diff --git a/include/linux/sysfb.h b/include/linux/sysfb.h
index c9cb657dad08..bef5f06a91de 100644
--- a/include/linux/sysfb.h
+++ b/include/linux/sysfb.h
@@ -58,11 +58,11 @@ struct efifb_dmi_info {
 
 #ifdef CONFIG_SYSFB
 
-void sysfb_disable(void);
+void sysfb_disable(struct device *dev);
 
 #else /* CONFIG_SYSFB */
 
-static inline void sysfb_disable(void)
+static inline void sysfb_disable(struct device *dev)
 {
 }
 
-- 
2.46.0
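
The new behaviour of sysfb_disable() can be modelled outside the kernel roughly as follows. This is a minimal sketch, assuming hypothetical `toy_device` and `toy_sysfb` types that stand in for `struct device` and the sysfb state; the mutex from the real function is left out on purpose. The point is only the condition: a NULL device disables unconditionally, a non-NULL device disables only when it is the parent of the firmware framebuffer.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for struct device. */
struct toy_device {
	int id;
};

/* Hypothetical stand-in for the sysfb state (pd, disabled) in sysfb.c. */
struct toy_sysfb {
	const struct toy_device *parent;	/* device backing the firmware framebuffer */
	bool registered;
	bool disabled;
};

/*
 * Mirrors the check added by the patch: act when no device is given,
 * or when the given device is the framebuffer's parent. Locking omitted.
 */
static void toy_sysfb_disable(struct toy_sysfb *fb, const struct toy_device *dev)
{
	if (!dev || dev == fb->parent) {
		fb->registered = false;
		fb->disabled = true;
	}
}
```

With this shape, a non-primary GPU calling in with its own device leaves the state untouched, which is the case that previously ended in the NULL pointer dereference described in step 4.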

10 months, 4 weeks


[PATCH] usb: cdnsp: fix for Link TRB with TC

by Pawel Laszczak

A Stop Endpoint command on a LINK TRB with the TC bit set to 1 can leave the internal cycle bit in an incorrect state after the command completes. As a consequence, an empty transfer ring can be incorrectly detected when the EP is resumed. A NOP TRB before the LINK TRB avoids this scenario: the Stop Endpoint command then lands on the NOP TRB, so the internal cycle bit is not changed and keeps the correct value.

Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
cc: <stable(a)vger.kernel.org>
Signed-off-by: Pawel Laszczak <pawell(a)cadence.com>
---
 drivers/usb/cdns3/cdnsp-gadget.h |  3 +++
 drivers/usb/cdns3/cdnsp-ring.c   | 28 ++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h
index e1b5801fdddf..9a5577a772af 100644
--- a/drivers/usb/cdns3/cdnsp-gadget.h
+++ b/drivers/usb/cdns3/cdnsp-gadget.h
@@ -811,6 +811,7 @@ struct cdnsp_stream_info {
  *        generate Missed Service Error Event.
  *        Set skip flag when receive a Missed Service Error Event and
  *        process the missed tds on the endpoint ring.
+ * @wa1_nop_trb: hold pointer to NOP trb.
  */
 struct cdnsp_ep {
 	struct usb_ep endpoint;
@@ -838,6 +839,8 @@ struct cdnsp_ep {
 #define EP_UNCONFIGURED		BIT(7)
 
 	bool skip;
+	union cdnsp_trb *wa1_nop_trb;
+
 };
 
 /**
diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c
index 275a6a2fa671..75724e60653c 100644
--- a/drivers/usb/cdns3/cdnsp-ring.c
+++ b/drivers/usb/cdns3/cdnsp-ring.c
@@ -1904,6 +1904,23 @@ int cdnsp_queue_bulk_tx(struct cdnsp_device *pdev, struct cdnsp_request *preq)
 	if (ret)
 		return ret;
 
+	/*
+	 * workaround 1: STOP EP command on LINK TRB with TC bit set to 1
+	 * causes that internal cycle bit can have incorrect state after
+	 * command complete. In consequence empty transfer ring can be
+	 * incorrectly detected when EP is resumed.
+	 * NOP TRB before LINK TRB avoid such scenario. STOP EP command is
+	 * then on NOP TRB and internal cycle bit is not changed and have
+	 * correct value.
+	 */
+	if (pep->wa1_nop_trb) {
+		field = le32_to_cpu(pep->wa1_nop_trb->trans_event.flags);
+		field ^= TRB_CYCLE;
+
+		pep->wa1_nop_trb->trans_event.flags = cpu_to_le32(field);
+		pep->wa1_nop_trb = NULL;
+	}
+
 	/*
 	 * Don't give the first TRB to the hardware (by toggling the cycle bit)
 	 * until we've finished creating all the other TRBs. The ring's cycle
@@ -1999,6 +2016,17 @@ int cdnsp_queue_bulk_tx(struct cdnsp_device *pdev, struct cdnsp_request *preq)
 		send_addr = addr;
 	}
 
+	if (cdnsp_trb_is_link(ring->enqueue + 1)) {
+		field = TRB_TYPE(TRB_TR_NOOP) | TRB_IOC;
+		if (!ring->cycle_state)
+			field |= TRB_CYCLE;
+
+		pep->wa1_nop_trb = ring->enqueue;
+
+		cdnsp_queue_trb(pdev, ring, 0, 0x0, 0x0,
+				TRB_INTR_TARGET(0), field);
+	}
+
 	cdnsp_check_trb_math(preq, enqd_len);
 	ret = cdnsp_giveback_first_trb(pdev, pep, preq->request.stream_id,
 				       start_cycle, start_trb);
-- 
2.43.0
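
The two hunks in cdnsp-ring.c work as a pair: one parks a NOP TRB with its cycle bit set to the opposite of the ring's cycle state, the other flips that bit on the next bulk queue. The following userspace sketch models just that bookkeeping. The names `toy_trb`, `toy_ep`, `toy_park_nop()` and `toy_release_nop()` are hypothetical, and the reading that the inverted bit keeps the controller from consuming the NOP until it is flipped is an assumption drawn from the diff, not something the patch states.

```c
#include <stddef.h>
#include <stdint.h>

#define TOY_TRB_CYCLE (UINT32_C(1) << 0)	/* hypothetical cycle-bit position */

/* Hypothetical stand-in for a TRB's flags word. */
struct toy_trb {
	uint32_t flags;
};

/* Hypothetical stand-in for the endpoint and ring state used by the workaround. */
struct toy_ep {
	uint32_t ring_cycle_state;	/* 0 or 1, as in ring->cycle_state */
	struct toy_trb *wa1_nop_trb;	/* parked NOP TRB, or NULL */
};

/* Second hunk: queue the NOP with the cycle bit inverted relative to the ring. */
static void toy_park_nop(struct toy_ep *ep, struct toy_trb *nop)
{
	nop->flags = 0;
	if (!ep->ring_cycle_state)
		nop->flags |= TOY_TRB_CYCLE;
	ep->wa1_nop_trb = nop;
}

/* First hunk: on the next queue, flip the cycle bit and forget the pointer. */
static void toy_release_nop(struct toy_ep *ep)
{
	if (ep->wa1_nop_trb) {
		ep->wa1_nop_trb->flags ^= TOY_TRB_CYCLE;
		ep->wa1_nop_trb = NULL;
	}
}
```

After `toy_release_nop()` the NOP's cycle bit matches the ring cycle state that was current when it was parked, and the pointer is cleared so the flip happens only once.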

10 months, 4 weeks


[PATCH net v3] net: ngbe: Fix phy mode set to external phy

by Mengyuan Lou

The MAC always adds the TX delay, and this cannot be changed. When both the MAC and the PHY add a TX delay, transmission problems result. So disable the TX delay in the PHY: when RGMII is used to attach to an external PHY, pass PHY_INTERFACE_MODE_RGMII_RXID to the PHY driver. This does not matter for the internal PHY.

Fixes: bc2426d74aa3 ("net: ngbe: convert phylib to phylink")
Signed-off-by: Mengyuan Lou <mengyuanlou(a)net-swift.com>
Cc: stable(a)vger.kernel.org # 6.3+
---
v3:
-Rebase the fix commit for net.
v2:
-Add a comment for the code modification.
-Add the problem in commit messages.
https://lore.kernel.org/netdev/E9C427FDDCF0CBC3+20240812103025.42417-1-meng…
v1:
https://lore.kernel.org/netdev/C1587837D62D1BC0+20240806082520.29193-1-meng…

 drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c b/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c
index ec54b18c5fe7..a5e9b779c44d 100644
--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c
+++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_mdio.c
@@ -124,8 +124,12 @@ static int ngbe_phylink_init(struct wx *wx)
 				   MAC_SYM_PAUSE | MAC_ASYM_PAUSE;
 	config->mac_managed_pm = true;
 
-	phy_mode = PHY_INTERFACE_MODE_RGMII_ID;
-	__set_bit(PHY_INTERFACE_MODE_RGMII_ID, config->supported_interfaces);
+	/* The MAC only has add the Tx delay and it can not be modified.
+	 * So just disable TX delay in PHY, and it is does not matter to
+	 * internal phy.
+	 */
+	phy_mode = PHY_INTERFACE_MODE_RGMII_RXID;
+	__set_bit(PHY_INTERFACE_MODE_RGMII_RXID, config->supported_interfaces);
 
 	phylink = phylink_create(config, NULL, phy_mode, &ngbe_mac_ops);
 	if (IS_ERR(phylink))
-- 
2.43.2

10 months, 4 weeks


[PATCH 01/12] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3

by Marc Zyngier

On a system with a GICv3, if a guest hasn't been configured with GICv3 and the host is not capable of GICv2 emulation, a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2.

We therefore try to emulate the SGI access, only to hit a NULL pointer as no private interrupt is allocated (no GIC, remember?).

The obvious fix is to give the guest what it deserves, in the shape of a UNDEF exception.

Reported-by: Alexander Potapenko <glider(a)google.com>
Signed-off-by: Marc Zyngier <maz(a)kernel.org>
Cc: stable(a)vger.kernel.org
---
 arch/arm64/kvm/sys_regs.c  | 6 ++++++
 arch/arm64/kvm/vgic/vgic.h | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/arch/arm64/kvm/sys_regs.c b/arch/arm64/kvm/sys_regs.c
index c90324060436..31e49da867ff 100644
--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -33,6 +33,7 @@
 #include <trace/events/kvm.h>
 
 #include "sys_regs.h"
+#include "vgic/vgic.h"
 
 #include "trace.h"
 
@@ -435,6 +436,11 @@ static bool access_gic_sgi(struct kvm_vcpu *vcpu,
 {
 	bool g1;
 
+	if (!kvm_has_gicv3(vcpu->kvm)) {
+		kvm_inject_undefined(vcpu);
+		return false;
+	}
+
 	if (!p->is_write)
 		return read_from_write_only(vcpu, p, r);
 
diff --git a/arch/arm64/kvm/vgic/vgic.h b/arch/arm64/kvm/vgic/vgic.h
index ba8f790431bd..8532bfe3fed4 100644
--- a/arch/arm64/kvm/vgic/vgic.h
+++ b/arch/arm64/kvm/vgic/vgic.h
@@ -346,4 +346,11 @@ void vgic_v4_configure_vsgis(struct kvm *kvm);
 void vgic_v4_get_vlpi_state(struct vgic_irq *irq, bool *val);
 int vgic_v4_request_vpe_irq(struct kvm_vcpu *vcpu, int irq);
 
+static inline bool kvm_has_gicv3(struct kvm *kvm)
+{
+	return (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif) &&
+		irqchip_in_kernel(kvm) &&
+		kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3);
+}
+
 #endif
-- 
2.39.2

10 months, 4 weeks


[PATCH] firmware_loader: Block path traversal

by Jann Horn

Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such.

However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are:

 - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd()
 - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.)
 - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.)

For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.

Cc: stable(a)vger.kernel.org
Fixes: abb139e75c2c ("firmware: teach the kernel to load firmware files directly from the filesystem")
Signed-off-by: Jann Horn <jannh(a)google.com>
---
I wasn't sure whether to mark this one for stable or not - but I think since there seems to be at least one PCI device model which could trigger firmware loading with directory traversal, we should probably backport the fix?
---
 drivers/base/firmware_loader/main.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index a03ee4b11134..a32be64f3bf5 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -864,7 +864,15 @@ _request_firmware(const struct firmware **firmware_p, const char *name,
 	if (!firmware_p)
 		return -EINVAL;
 
-	if (!name || name[0] == '\0') {
+	/*
+	 * Reject firmware file names with "/../" sequences in them.
+	 * There are drivers that construct firmware file names from
+	 * device-supplied strings, and we don't want some device to be able
+	 * to tell us "I would like to be sent my firmware from
+	 * ../../../etc/shadow, please".
+	 */
+	if (!name || name[0] == '\0' ||
+	    strstr(name, "/../") != NULL || strncmp(name, "../", 3) == 0) {
 		ret = -EINVAL;
 		goto out;
 	}

---
base-commit: b0da640826ba3b6506b4996a6b23a429235e6923
change-id: 20240820-firmware-traversal-6df8501b0fe4

-- 
Jann Horn <jannh(a)google.com>
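
The name check added to _request_firmware() can be tried out in userspace. The sketch below copies the condition from the diff into a standalone helper; the function name `fw_name_is_acceptable()` is hypothetical and exists only for illustration, and the kernel returns -EINVAL rather than a boolean.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Userspace copy of the condition from the patch: reject NULL or empty
 * names, names containing "/../", and names starting with "../".
 */
static bool fw_name_is_acceptable(const char *name)
{
	if (!name || name[0] == '\0')
		return false;
	if (strstr(name, "/../") != NULL)
		return false;
	if (strncmp(name, "../", 3) == 0)
		return false;
	return true;
}
```

As written in the diff, the check looks only for those two patterns, so a name such as "foo..bar/baz" still passes, and so does a name that merely ends in "/..".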

10 months, 4 weeks


Patch "drm/amd/display: Don't register panel_power_savings on OLED panels"

by Gergo Koteles

Hi Greg,

I think commit 76cb763e6ea62e838ccc8f7a1ea4246d690fccc9 should be applied to the 6.10 kernel to disable Adaptive Backlight Management for OLED displays.

Thanks,
Gergo Koteles

10 months, 4 weeks


[PATCH 5.15.y 00/18] Backport "make svc_stat per-net instead of global"

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com>

Following up on

https://lore.kernel.org/linux-nfs/d4b235df-4ee5-4824-9d48-e3b3c1f1f4d1@orac…

Here is a backport series targeting origin/linux-5.15.y that closes the information leak described in the above thread.

Review comments welcome.

Chuck Lever (6):
  NFSD: Refactor nfsd_reply_cache_free_locked()
  NFSD: Rename nfsd_reply_cache_alloc()
  NFSD: Replace nfsd_prune_bucket()
  NFSD: Refactor the duplicate reply cache shrinker
  NFSD: Rewrite synopsis of nfsd_percpu_counters_init()
  NFSD: Fix frame size warning in svc_export_parse()

Jeff Layton (2):
  nfsd: move reply cache initialization into nfsd startup
  nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net

Josef Bacik (10):
  sunrpc: don't change ->sv_stats if it doesn't exist
  nfsd: stop setting ->pg_stats for unused stats
  sunrpc: pass in the sv_stats struct through svc_create_pooled
  sunrpc: remove ->pg_stats from svc_program
  sunrpc: use the struct net as the svc proc private
  nfsd: rename NFSD_NET_* to NFSD_STATS_*
  nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
  nfsd: make all of the nfsd stats per-network namespace
  nfsd: remove nfsd_stats, make th_cnt a global counter
  nfsd: make svc_stat per-network namespace instead of global

 fs/lockd/svc.c             |   3 -
 fs/nfs/callback.c          |   3 -
 fs/nfsd/export.c           |  32 ++++--
 fs/nfsd/export.h           |   4 +-
 fs/nfsd/netns.h            |  25 ++++-
 fs/nfsd/nfs4proc.c         |   6 +-
 fs/nfsd/nfscache.c         | 202 ++++++++++++++++++++++---------------
 fs/nfsd/nfsctl.c           |  24 ++---
 fs/nfsd/nfsd.h             |   1 +
 fs/nfsd/nfsfh.c            |   3 +-
 fs/nfsd/nfssvc.c           |  24 +++--
 fs/nfsd/stats.c            |  52 ++++------
 fs/nfsd/stats.h            |  83 ++++++---------
 fs/nfsd/trace.h            |  22 ++++
 fs/nfsd/vfs.c              |   6 +-
 include/linux/sunrpc/svc.h |   5 +-
 net/sunrpc/stats.c         |   2 +-
 net/sunrpc/svc.c           |  36 ++++---
 18 files changed, 302 insertions(+), 231 deletions(-)

-- 
2.45.2

10 months, 4 weeks


[PATCH 6.6.y] stm32mp15: WARNING after poweroff command

by Christoph Niedermaier

Hi stable team,

I suggest applying the patch 470a66268856 ("i2c: stm32f7: Add atomic_xfer method to driver") from 6.7-rc1 to the stable kernel 6.6.y. Here is why:

After commit 6e9df38f359a ("mfd: stpmic1: Add PMIC poweroff via sys-off handler") from 6.5-rc1, the following WARNING appears after calling the poweroff command:

[ 791.813369] systemd-shutdown[1]: Syncing filesystems and block devices.
[ 792.865580] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
[ 792.921103] systemd-journald[101]: Received SIGTERM from PID 1 (systemd-shutdow).
[ 792.936515] systemd-shutdown[1]: Sending SIGKILL to remaining processes...
[ 792.968715] systemd-shutdown[1]: Unmounting file systems.
[ 792.979332] (sd-remount)[315]: Remounting '/' read-only with options ''.
[ 793.219266] EXT4-fs (mmcblk2p4): re-mounted f7da42a1-2eed-4d39-a31e-e0ffadb97b28 ro. Quota mode: disabled.
[ 793.238398] systemd-shutdown[1]: All filesystems unmounted.
[ 793.242736] systemd-shutdown[1]: Deactivating swaps.
[ 793.248004] systemd-shutdown[1]: All swaps deactivated.
[ 793.252937] systemd-shutdown[1]: Detaching loop devices.
[ 793.272548] systemd-shutdown[1]: All loop devices detached.
[ 793.276918] systemd-shutdown[1]: Stopping MD devices.
[ 793.282790] systemd-shutdown[1]: All MD devices stopped.
[ 793.287128] systemd-shutdown[1]: Detaching DM devices.
[ 793.292995] systemd-shutdown[1]: All DM devices detached.
[ 793.297731] systemd-shutdown[1]: All filesystems, swaps, loop devices, MD devices and DM devices detached.
[ 793.320636] systemd-shutdown[1]: Syncing filesystems and block devices.
[ 793.326078] systemd-shutdown[1]: Powering off.
[ 793.348421] reboot: Power down
[ 793.350129] ------------[ cut here ]------------
[ 793.354691] WARNING: CPU: 0 PID: 1 at drivers/i2c/i2c-core.h:42 i2c_transfer+0x5d/0x7c
[ 793.362617] No atomic I2C transfer handler for 'i2c-2'
[ 793.367780] Modules linked in:
[ 793.370838] CPU: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.6.41-lardisbox2-00053-g41e0b7f0166f #12
[ 793.380047] Hardware name: STM32 (Device Tree Support)
[ 793.385122] unwind_backtrace from show_stack+0xb/0xc
[ 793.390215] show_stack from dump_stack_lvl+0x2b/0x34
[ 793.395202] dump_stack_lvl from __warn+0x5d/0xc4
[ 793.399993] __warn from warn_slowpath_fmt+0x55/0xa8
[ 793.404887] warn_slowpath_fmt from i2c_transfer+0x5d/0x7c
[ 793.410387] i2c_transfer from regmap_i2c_read+0x41/0x6c
[ 793.415681] regmap_i2c_read from _regmap_raw_read+0x87/0xe8
[ 793.421378] _regmap_raw_read from _regmap_bus_read+0x21/0x38
[ 793.427079] _regmap_bus_read from _regmap_read+0x55/0x9c
[ 793.432477] _regmap_read from _regmap_update_bits+0x71/0xa4
[ 793.438175] _regmap_update_bits from regmap_update_bits_base+0x2f/0x42
[ 793.444784] regmap_update_bits_base from stpmic1_power_off+0x19/0x20
[ 793.451188] stpmic1_power_off from sys_off_notify+0x1b/0x38
[ 793.456880] sys_off_notify from notifier_call_chain+0x57/0x78
[ 793.462668] notifier_call_chain from atomic_notifier_call_chain+0x11/0x16
[ 793.469562] atomic_notifier_call_chain from do_kernel_power_off+0x21/0x38
[ 793.476461] do_kernel_power_off from __do_sys_reboot+0xdf/0x150
[ 793.482456] __do_sys_reboot from ret_fast_syscall+0x1/0x5c
[ 793.488042] Exception stack(0xf0815fa8 to 0xf0815ff0)
[ 793.493017] 5fa0: 00000000 00000000 fee1dead 28121969 4321fedc 00000000
[ 793.501218] 5fc0: 00000000 00000000 00000000 00000058 0001884c 00000003 00000000 00018140
[ 793.509414] 5fe0: 00000058 bee18c34 b6c20cdd b6b995a6
[ 793.514478] ---[ end trace 000000000000000

This can be eliminated by backporting the above-mentioned patch. I tested it with a DHCOM stm32mp157c on a PDK2 board.

Thanks and regards
Christoph

10 months, 4 weeks


Re: Patch "gtp: pull network headers in gtp_dev_xmit()" has been added to the 6.10-stable tree

by Pablo Neira Ayuso

Hi Sasha, Greg,

Could you cherry-pick this patch for other -stable kernels? I confirm this applies up to >= 4.19-stable since it already includes pskb_inet_may_pull().

Thanks.

On Mon, Aug 19, 2024 at 10:20:22AM -0400, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
>
>     gtp: pull network headers in gtp_dev_xmit()
>
> to the 6.10-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
>
> The filename of the patch is:
>      gtp-pull-network-headers-in-gtp_dev_xmit.patch
> and it can be found in the queue-6.10 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable(a)vger.kernel.org> know about it.
>
>
>
> commit 70c490935879f95a7d81403d107e7aa9a0bd7b31
> Author: Eric Dumazet <edumazet(a)google.com>
> Date:   Thu Aug 8 13:24:55 2024 +0000
>
>     gtp: pull network headers in gtp_dev_xmit()
>
>     [ Upstream commit 3a3be7ff9224f424e485287b54be00d2c6bd9c40 ]
>
>     syzbot/KMSAN reported use of uninit-value in get_dev_xmit() [1]
>
>     We must make sure the IPv4 or Ipv6 header is pulled in skb->head
>     before accessing fields in them.
>
>     Use pskb_inet_may_pull() to fix this issue.
>
>     [1]
>     BUG: KMSAN: uninit-value in ipv6_pdp_find drivers/net/gtp.c:220 [inline]
>     BUG: KMSAN: uninit-value in gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
>     BUG: KMSAN: uninit-value in gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
>       ipv6_pdp_find drivers/net/gtp.c:220 [inline]
>       gtp_build_skb_ip6 drivers/net/gtp.c:1229 [inline]
>       gtp_dev_xmit+0x1424/0x2540 drivers/net/gtp.c:1281
>       __netdev_start_xmit include/linux/netdevice.h:4913 [inline]
>       netdev_start_xmit include/linux/netdevice.h:4922 [inline]
>       xmit_one net/core/dev.c:3580 [inline]
>       dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3596
>       __dev_queue_xmit+0x358c/0x5610 net/core/dev.c:4423
>       dev_queue_xmit include/linux/netdevice.h:3105 [inline]
>       packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
>       packet_snd net/packet/af_packet.c:3145 [inline]
>       packet_sendmsg+0x90e3/0xa3a0 net/packet/af_packet.c:3177
>       sock_sendmsg_nosec net/socket.c:730 [inline]
>       __sock_sendmsg+0x30f/0x380 net/socket.c:745
>       __sys_sendto+0x685/0x830 net/socket.c:2204
>       __do_sys_sendto net/socket.c:2216 [inline]
>       __se_sys_sendto net/socket.c:2212 [inline]
>       __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
>       x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
>       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>       do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
>       entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
>     Uninit was created at:
>       slab_post_alloc_hook mm/slub.c:3994 [inline]
>       slab_alloc_node mm/slub.c:4037 [inline]
>       kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4080
>       kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
>       __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
>       alloc_skb include/linux/skbuff.h:1320 [inline]
>       alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6526
>       sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2815
>       packet_alloc_skb net/packet/af_packet.c:2994 [inline]
>       packet_snd net/packet/af_packet.c:3088 [inline]
>       packet_sendmsg+0x749c/0xa3a0 net/packet/af_packet.c:3177
>       sock_sendmsg_nosec net/socket.c:730 [inline]
>       __sock_sendmsg+0x30f/0x380 net/socket.c:745
>       __sys_sendto+0x685/0x830 net/socket.c:2204
>       __do_sys_sendto net/socket.c:2216 [inline]
>       __se_sys_sendto net/socket.c:2212 [inline]
>       __x64_sys_sendto+0x125/0x1d0 net/socket.c:2212
>       x64_sys_call+0x3799/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:45
>       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>       do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
>       entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
>     CPU: 0 UID: 0 PID: 7115 Comm: syz.1.515 Not tainted 6.11.0-rc1-syzkaller-00043-g94ede2a3e913 #0
>     Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
>
>     Fixes: 999cb275c807 ("gtp: add IPv6 support")
>     Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
>     Signed-off-by: Eric Dumazet <edumazet(a)google.com>
>     Cc: Harald Welte <laforge(a)gnumonks.org>
>     Reviewed-by: Pablo Neira Ayuso <pablo(a)netfilter.org>
>     Link: https://patch.msgid.link/20240808132455.3413916-1-edumazet@google.com
>     Signed-off-by: Jakub Kicinski <kuba(a)kernel.org>
>     Signed-off-by: Sasha Levin <sashal(a)kernel.org>
>
> diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
> index 427b91aca50d3..0696faf60013e 100644
> --- a/drivers/net/gtp.c
> +++ b/drivers/net/gtp.c
> @@ -1269,6 +1269,9 @@ static netdev_tx_t gtp_dev_xmit(struct sk_buff *skb, struct net_device *dev)
>  	if (skb_cow_head(skb, dev->needed_headroom))
>  		goto tx_err;
>  
> +	if (!pskb_inet_may_pull(skb))
> +		goto tx_err;
> +
>  	skb_reset_inner_headers(skb);
>  
>  	/* PDP context lookups in gtp_build_skb_*() need rcu read-side lock. */

10 months, 4 weeks


+ padata-honor-the-callers-alignment-in-case-of-chunk_size-0.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled
     Subject: padata: honor the caller's alignment in case of chunk_size 0
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
     padata-honor-the-callers-alignment-in-case-of-chunk_size-0.patch

This patch will shortly appear at
     https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche…

This patch will later appear in the mm-hotfixes-unstable branch at
    git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days

------------------------------------------------------
From: Kamlesh Gurudasani <kamlesh(a)ti.com>
Subject: padata: honor the caller's alignment in case of chunk_size 0
Date: Thu, 22 Aug 2024 02:32:52 +0530

In the case where we are forcing the ps.chunk_size to be at least 1, we are ignoring the caller's alignment.

Move the forcing of ps.chunk_size to be at least 1 before rounding it up to caller's alignment, so that caller's alignment is honored.

While at it, use max() to force the ps.chunk_size to be at least 1 to improve readability.

Link: https://lkml.kernel.org/r/20240822-max-v1-1-cb4bc5b1c101@ti.com
Fixes: 6d45e1c948a8 ("padata: Fix possible divide-by-0 panic in padata_mt_helper()")
Signed-off-by: Kamlesh Gurudasani <kamlesh(a)ti.com>
Cc: Daniel Jordan <daniel.m.jordan(a)oracle.com>
Cc: Herbert Xu <herbert(a)gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert(a)secunet.com>
Cc: Waiman Long <longman(a)redhat.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
---

 kernel/padata.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

--- a/kernel/padata.c~padata-honor-the-callers-alignment-in-case-of-chunk_size-0
+++ a/kernel/padata.c
@@ -509,21 +509,17 @@ void __init padata_do_multithreaded(stru
 
 	/*
 	 * Chunk size is the amount of work a helper does per call to the
-	 * thread function.  Load balance large jobs between threads by
+	 * thread function. Load balance large jobs between threads by
 	 * increasing the number of chunks, guarantee at least the minimum
 	 * chunk size from the caller, and honor the caller's alignment.
+	 * Ensure chunk_size is at least 1 to prevent divide-by-0
+	 * panic in padata_mt_helper().
 	 */
 	ps.chunk_size = job->size / (ps.nworks * load_balance_factor);
 	ps.chunk_size = max(ps.chunk_size, job->min_chunk);
+	ps.chunk_size = max(ps.chunk_size, 1ul);
 	ps.chunk_size = roundup(ps.chunk_size, job->align);
 
-	/*
-	 * chunk_size can be 0 if the caller sets min_chunk to 0. So force it
-	 * to at least 1 to prevent divide-by-0 panic in padata_mt_helper().`
-	 */
-	if (!ps.chunk_size)
-		ps.chunk_size = 1U;
-
 	list_for_each_entry(pw, &works, pw_list)
 		if (job->numa_aware) {
 			int old_node = atomic_read(&last_used_nid);
_

Patches currently in -mm which might be from kamlesh(a)ti.com are

padata-honor-the-callers-alignment-in-case-of-chunk_size-0.patch
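
The effect of reordering the clamp and the round-up can be checked with a few lines of userspace C. This is a sketch only: `toy_max()` and `toy_roundup()` are hypothetical stand-ins for the kernel's max() and roundup() macros, and `chunk_size_before()` / `chunk_size_after()` are invented names that replay the arithmetic from the two versions of padata_do_multithreaded() with the job parameters passed in explicitly.

```c
/* Userspace stand-ins for the kernel's max() and roundup() helpers. */
static unsigned long toy_max(unsigned long a, unsigned long b)
{
	return a > b ? a : b;
}

static unsigned long toy_roundup(unsigned long x, unsigned long align)
{
	return ((x + align - 1) / align) * align;
}

/* Ordering before the patch: round up first, then patch up a zero result. */
static unsigned long chunk_size_before(unsigned long size, unsigned long nworks,
				       unsigned long balance,
				       unsigned long min_chunk,
				       unsigned long align)
{
	unsigned long chunk = size / (nworks * balance);

	chunk = toy_max(chunk, min_chunk);
	chunk = toy_roundup(chunk, align);
	if (!chunk)
		chunk = 1;	/* avoids the divide-by-0 but ignores align */
	return chunk;
}

/* Ordering after the patch: clamp to 1 first, then round up to align. */
static unsigned long chunk_size_after(unsigned long size, unsigned long nworks,
				      unsigned long balance,
				      unsigned long min_chunk,
				      unsigned long align)
{
	unsigned long chunk = size / (nworks * balance);

	chunk = toy_max(chunk, min_chunk);
	chunk = toy_max(chunk, 1);
	chunk = toy_roundup(chunk, align);
	return chunk;
}
```

For a small job where the division yields 0, min_chunk is 0 and the alignment is 8, the old ordering ends up with a chunk size of 1 while the new ordering yields 8; for jobs large enough that the division is non-zero, both orderings agree.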

10 months, 4 weeks


+ revert-mm-skip-cma-pages-when-they-are-not-available.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: Revert "mm: skip CMA pages when they are not available" has been added to the -mm mm-hotfixes-unstable branch. Its filename is revert-mm-skip-cma-pages-when-they-are-not-available.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Usama Arif <usamaarif642(a)gmail.com> Subject: Revert "mm: skip CMA pages when they are not available" Date: Wed, 21 Aug 2024 20:26:07 +0100 This reverts commit 5da226dbfce3a2f44978c2c7cf88166e69a6788b. lruvec->lru_lock is highly contended and is held when calling isolate_lru_folios. If the lru has a large number of CMA folios consecutively, while the allocation type requested is not MIGRATE_MOVABLE, isolate_lru_folios can hold the lock for a very long time while it skips those. For FIO workload, ~150million order=0 folios were skipped to isolate a few ZONE_DMA folios [1]. This can cause lockups [1] and high memory pressure for extended periods of time [2]. 
[1] https://lore.kernel.org/all/CAOUHufbkhMZYz20aM_3rHZ3OcK4m2puji2FGpUpn_-DevG… [2] https://lore.kernel.org/all/ZrssOrcJIDy8hacI@gmail.com/ Link: https://lkml.kernel.org/r/9060a32d-b2d7-48c0-8626-1db535653c54@gmail.com Fixes: 5da226dbfce3 ("mm: skip CMA pages when they are not available") Signed-off-by: Usama Arif <usamaarif642(a)gmail.com> Cc: Bharata B Rao <bharata(a)amd.com> Cc: Breno Leitao <leitao(a)debian.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Rik van Riel <riel(a)surriel.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Yu Zhao <yuzhao(a)google.com> Cc: Zhaoyang Huang <huangzhaoyang(a)gmail.com> Cc: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/vmscan.c | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) --- a/mm/vmscan.c~revert-mm-skip-cma-pages-when-they-are-not-available +++ a/mm/vmscan.c @@ -1604,25 +1604,6 @@ static __always_inline void update_lru_s } -#ifdef CONFIG_CMA -/* - * It is waste of effort to scan and reclaim CMA pages if it is not available - * for current allocation context. Kswapd can not be enrolled as it can not - * distinguish this scenario by using sc->gfp_mask = GFP_KERNEL - */ -static bool skip_cma(struct folio *folio, struct scan_control *sc) -{ - return !current_is_kswapd() && - gfp_migratetype(sc->gfp_mask) != MIGRATE_MOVABLE && - folio_migratetype(folio) == MIGRATE_CMA; -} -#else -static bool skip_cma(struct folio *folio, struct scan_control *sc) -{ - return false; -} -#endif - /* * Isolating page from the lruvec to fill in @dst list by nr_to_scan times. 
* @@ -1669,8 +1650,7 @@ static unsigned long isolate_lru_folios( nr_pages = folio_nr_pages(folio); total_scan += nr_pages; - if (folio_zonenum(folio) > sc->reclaim_idx || - skip_cma(folio, sc)) { + if (folio_zonenum(folio) > sc->reclaim_idx) { nr_skipped[folio_zonenum(folio)] += nr_pages; move_to = &folios_skipped; goto move; @@ -4273,6 +4253,25 @@ void lru_gen_soft_reclaim(struct mem_cgr #endif /* CONFIG_MEMCG */ +#ifdef CONFIG_CMA +/* + * It is waste of effort to scan and reclaim CMA pages if it is not available + * for current allocation context. Kswapd can not be enrolled as it can not + * distinguish this scenario by using sc->gfp_mask = GFP_KERNEL + */ +static bool skip_cma(struct folio *folio, struct scan_control *sc) +{ + return !current_is_kswapd() && + gfp_migratetype(sc->gfp_mask) != MIGRATE_MOVABLE && + folio_migratetype(folio) == MIGRATE_CMA; +} +#else +static bool skip_cma(struct folio *folio, struct scan_control *sc) +{ + return false; +} +#endif + /****************************************************************************** * the eviction ******************************************************************************/ _ Patches currently in -mm which might be from usamaarif642(a)gmail.com are revert-mm-skip-cma-pages-when-they-are-not-available.patch

10 months, 4 weeks


RE: RE: [PATCH 12/13] drm/amd/display: Fix a typo in revert commit

by Li, Roman

[Public] Thank you, Jiri, for your feedback. I've dropped this patch from DC v.3.2.297. We will follow up on this separately and merge it after you confirm the issue you reported is fixed. Thanks, Roman > -----Original Message----- > From: Jiri Slaby <jirislaby(a)kernel.org> > Sent: Monday, August 19, 2024 4:37 AM > To: Li, Roman <Roman.Li(a)amd.com>; amd-gfx(a)lists.freedesktop.org > Cc: Wentland, Harry <Harry.Wentland(a)amd.com>; Li, Sun peng (Leo) > <Sunpeng.Li(a)amd.com>; Siqueira, Rodrigo <Rodrigo.Siqueira(a)amd.com>; > Pillai, Aurabindo <Aurabindo.Pillai(a)amd.com>; Lin, Wayne > <Wayne.Lin(a)amd.com>; Gutierrez, Agustin <Agustin.Gutierrez(a)amd.com>; > Chung, ChiaHsuan (Tom) <ChiaHsuan.Chung(a)amd.com>; Zuo, Jerry > <Jerry.Zuo(a)amd.com>; Mohamed, Zaeem <Zaeem.Mohamed(a)amd.com> > Subject: Re: RE: [PATCH 12/13] drm/amd/display: Fix a typo in revert commit > > On 16. 08. 24, 21:30, Li, Roman wrote: > > [Public] > > > > Will update commit message as: > > > > ------------- > > drm/amd/display: Fix MST DSC lightup > > > > [Why] > > Secondary monitor does not come up due to MST DSC bw calculation > regression. > > This patch is only related to this. It does not fix that issue on its own at all. > > > [How] > > Fix bug in try_disable_dsc() > > This update is worse than the original, IMO. > > Could you write saner commit logs in the whole amdgpu overall? > > If you insist on those [why] and [how] parts, something like: > """ > [Why] > The linked commit below misreverted one hunk in try_disable_dsc(). > > [How] > Fix that by using proper (original) 'max_kbps' instead of bogus 'stream_kbps'. > "" > > > Fixes: 4b6564cb120c ("drm/amd/display: Fix MST BW calculation > > Regression") > > > > Cc: mario.limonciello(a)amd.com > > Cc: alexander.deucher(a)amd.com > > Cc: stable(a)vger.kernel.org > > Reported-by: jirislaby(a)kernel.org > > Care to fix up your machinery so that listed people are really CCed?
I received a > copy of neither the original (4b6564cb120c), nor this one. > > Nor any mentions in the linked #3495 at all. > > I would have told you that 4b6564cb120c is bogus. Immediately when it hit > me as it differs from our (SUSE) in-tree revert in exactly this hunk. If I have > known about this in the first place... > > And you would have received a Tested-by if it had worked. > > Given all the above, amdgpu workflow appears to be very ill. Please fix it. > > > Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3495 > > Closes: https://bugzilla.suse.com/show_bug.cgi?id=1228093 > > Reviewed-by: Roman Li <roman.li(a)amd.com> > > Signed-off-by: Fangzhi Zuo <Jerry.Zuo(a)amd.com> > > Signed-off-by: Roman Li <roman.li(a)amd.com> > > Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> > > > > > >> -----Original Message----- > >> From: Roman.Li(a)amd.com <Roman.Li(a)amd.com> > >> Sent: Thursday, August 15, 2024 6:45 PM > >> To: amd-gfx(a)lists.freedesktop.org > >> Cc: Wentland, Harry <Harry.Wentland(a)amd.com>; Li, Sun peng (Leo) > >> <Sunpeng.Li(a)amd.com>; Siqueira, Rodrigo <Rodrigo.Siqueira(a)amd.com>; > >> Pillai, Aurabindo <Aurabindo.Pillai(a)amd.com>; Li, Roman > >> <Roman.Li(a)amd.com>; Lin, Wayne <Wayne.Lin(a)amd.com>; Gutierrez, > >> Agustin <Agustin.Gutierrez(a)amd.com>; Chung, ChiaHsuan (Tom) > >> <ChiaHsuan.Chung(a)amd.com>; Zuo, Jerry <Jerry.Zuo(a)amd.com>; > Mohamed, > >> Zaeem <Zaeem.Mohamed(a)amd.com>; Zuo, Jerry <Jerry.Zuo(a)amd.com> > >> Subject: [PATCH 12/13] drm/amd/display: Fix a typo in revert commit > >> > >> From: Fangzhi Zuo <Jerry.Zuo(a)amd.com> > >> > >> A typo is fixed for "drm/amd/display: Fix MST BW calculation Regression" > >> > >> Fixes: 4b6564cb120c ("drm/amd/display: Fix MST BW calculation > >> Regression") > >> > >> Reviewed-by: Roman Li <roman.li(a)amd.com> > >> Signed-off-by: Fangzhi Zuo <Jerry.Zuo(a)amd.com> > >> Signed-off-by: Roman Li <roman.li(a)amd.com> > >> --- > >> 
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | > 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git > >> a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c > >> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c > >> index 958fad0d5307..5e08ca700c3f 100644 > >> --- > a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c > >> +++ > b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c > >> @@ -1066,7 +1066,7 @@ static int try_disable_dsc(struct > >> drm_atomic_state *state, > >> vars[next_index].dsc_enabled = false; > >> vars[next_index].bpp_x16 = 0; > >> } else { > >> - vars[next_index].pbn = > >> kbps_to_peak_pbn(params[next_index].bw_range.stream_kbps, > >> fec_overhead_multiplier_x1000); > >> + vars[next_index].pbn = > >> kbps_to_peak_pbn(params[next_index].bw_range.max_kbps, > >> fec_overhead_multiplier_x1000); > >> ret = drm_dp_atomic_find_time_slots(state, > >> > >> params[next_index].port->mgr, > >> > >> params[next_index].port, > > > thanks, > -- > js > suse labs

10 months, 4 weeks


[PATCH] net: stmmac: Check NULL ptr on lvts_data in qcom_ethqos_probe()

by Ma Ke

of_device_get_match_data() can return NULL if of_match_device failed, and the pointer 'data' was dereferenced without checking against NULL. Add checking of pointer 'data' in qcom_ethqos_probe(). Cc: stable(a)vger.kernel.org Fixes: a7c30e62d4b8 ("net: stmmac: Add driver for Qualcomm ethqos") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c index 901a3c1959fa..f18393fe58a4 100644 --- a/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c +++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.c @@ -838,6 +838,9 @@ static int qcom_ethqos_probe(struct platform_device *pdev) ethqos->mac_base = stmmac_res.addr; data = of_device_get_match_data(dev); + if (!data) + return -ENODEV; + ethqos->por = data->por; ethqos->num_por = data->num_por; ethqos->rgmii_config_loopback_en = data->rgmii_config_loopback_en; -- 2.25.1
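Illustration only, not part of the patch: a userspace sketch of the pattern the fix applies, namely checking a match-data lookup for NULL before dereferencing it. Every name here (demo_match_data, demo_table, demo_get_match_data(), demo_probe(), the "vendor,demo-v1" string) is hypothetical and only mimics the shape of of_device_get_match_data() followed by the probe code; it does not use any kernel API.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-device data, similar in spirit to the driver's match data. */
struct demo_match_data {
	int num_por;
};

struct demo_match {
	const char *compatible;
	const struct demo_match_data *data;
};

static const struct demo_match_data demo_v1 = { .num_por = 3 };

static const struct demo_match demo_table[] = {
	{ "vendor,demo-v1", &demo_v1 },
};

/* Returns the data for a matching entry, or NULL when nothing matches. */
static const struct demo_match_data *demo_get_match_data(const char *compatible)
{
	size_t i;

	for (i = 0; i < sizeof(demo_table) / sizeof(demo_table[0]); i++)
		if (strcmp(demo_table[i].compatible, compatible) == 0)
			return demo_table[i].data;
	return NULL;
}

/* Probe-like function: bail out with -ENODEV instead of dereferencing NULL. */
static int demo_probe(const char *compatible, int *num_por_out)
{
	const struct demo_match_data *data;

	assert(num_por_out != NULL);

	data = demo_get_match_data(compatible);
	if (!data)
		return -ENODEV;

	*num_por_out = data->num_por;
	return 0;
}
```

A caller that passes an unknown compatible string gets -ENODEV back and the output parameter is left untouched, which mirrors the early return added in qcom_ethqos_probe().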

10 months, 4 weeks


[PATCH] bpftool: check for NULL ptr of btf in codegen_subskel_datasecs

by Ma Ke

bpf_object__btf() can return NULL value. If bpf_object__btf returns null, do not progress through codegen_subskel_datasecs(). This avoids a null ptr dereference. Found by code review, compile tested only. Cc: stable(a)vger.kernel.org Fixes: 00389c58ffe9 ("bpftool: Add support for subskeletons") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- tools/bpf/bpftool/gen.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c index 5a4d3240689e..7ce62f280310 100644 --- a/tools/bpf/bpftool/gen.c +++ b/tools/bpf/bpftool/gen.c @@ -334,6 +334,9 @@ static int codegen_subskel_datasecs(struct bpf_object *obj, const char *obj_name const char *sec_name, *var_name; __u32 var_type_id; + if (!btf) + return -EINVAL; + d = btf_dump__new(btf, codegen_btf_dump_printf, NULL, NULL); if (!d) return -errno; -- 2.25.1

10 months, 4 weeks


[PATCH v2] gfs2: fix double destroy_workqueue error

by Julian Sun

When gfs2_fill_super() fails, destroy_workqueue() is called within gfs2_gl_hash_clear(), and the subsequent code path calls destroy_workqueue() on the same work queue again. This issue can be fixed by setting the work queue pointer to NULL after the first destroy_workqueue() call and checking for a NULL pointer before attempting to destroy the work queue again. Reported-by: syzbot+d34c2a269ed512c531b0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d34c2a269ed512c531b0 Fixes: 30e388d57367 ("gfs2: Switch to a per-filesystem glock workqueue") Cc: stable(a)vger.kernel.org Signed-off-by: Julian Sun <sunjunchao2870(a)gmail.com> --- fs/gfs2/glock.c | 1 + fs/gfs2/ops_fstype.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c index 32991cb22023..5838039d78e3 100644 --- a/fs/gfs2/glock.c +++ b/fs/gfs2/glock.c @@ -2273,6 +2273,7 @@ void gfs2_gl_hash_clear(struct gfs2_sbd *sdp) gfs2_free_dead_glocks(sdp); glock_hash_walk(dump_glock_func, sdp); destroy_workqueue(sdp->sd_glock_wq); + sdp->sd_glock_wq = NULL; } static const char *state2str(unsigned state) diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index 0561edd6cc86..5c0e1b24d6ec 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c @@ -1308,7 +1308,8 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc) fail_delete_wq: destroy_workqueue(sdp->sd_delete_wq); fail_glock_wq: - destroy_workqueue(sdp->sd_glock_wq); + if (sdp->sd_glock_wq) + destroy_workqueue(sdp->sd_glock_wq); fail_free: free_sbd(sdp); sb->s_fs_info = NULL; -- 2.39.2
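Illustration only, not part of the patch: a userspace sketch of the "set the pointer to NULL after the first destroy, check it before the second" pattern described above. The fake_* types and functions are hypothetical stand-ins for the workqueue, gfs2_gl_hash_clear() and the gfs2_fill_super() error path; a counter records how often the destroy routine actually runs.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical stand-in for a workqueue; counts how often it is destroyed. */
struct fake_wq {
	int *destroy_count;
};

/* Hypothetical stand-in for the superblock data holding the workqueue. */
struct fake_sbd {
	struct fake_wq *glock_wq;
};

static void fake_destroy_workqueue(struct fake_wq *wq)
{
	assert(wq != NULL);
	(*wq->destroy_count)++;
	free(wq);
}

/* Mirrors the first hunk: destroy, then clear the pointer. */
static void fake_gl_hash_clear(struct fake_sbd *sdp)
{
	fake_destroy_workqueue(sdp->glock_wq);
	sdp->glock_wq = NULL;
}

/* Mirrors the second hunk: only destroy if the pointer is still set. */
static void fake_fill_super_fail_path(struct fake_sbd *sdp)
{
	if (sdp->glock_wq)
		fake_destroy_workqueue(sdp->glock_wq);
}

/* Runs both paths in the failing order and reports the destroy count. */
static int demo_destroy_count(void)
{
	int count = 0;
	struct fake_sbd sdp;

	sdp.glock_wq = malloc(sizeof(*sdp.glock_wq));
	if (!sdp.glock_wq)
		return -1;
	sdp.glock_wq->destroy_count = &count;

	fake_gl_hash_clear(&sdp);		/* first destroy */
	fake_fill_super_fail_path(&sdp);	/* skipped: pointer is NULL */
	return count;
}
```

In this sketch the destroy routine runs exactly once even though both paths are taken; without the NULL assignment and check, the second path would free the same object again.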

10 months, 4 weeks


KASAN: null-ptr-deref in bpf_core_calc_relo_insn

by Liu RuiTong

https://bugzilla.kernel.org/show_bug.cgi?id=219181#c0 Hello,I found a bug in the Linux kernel version 6.11.0-rc4 using syzkaller. The poc file is ``` //gcc poc.c -o poc --static #define _GNU_SOURCE #include <endian.h> #include <errno.h> #include <pthread.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/syscall.h> #include <sys/types.h> #include <time.h> #include <unistd.h> #include <linux/futex.h> #ifndef __NR_bpf #define __NR_bpf 321 #endif static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static void thread_start(void* (*fn)(void*), void* arg) { pthread_t th; pthread_attr_t attr; pthread_attr_init(&attr); pthread_attr_setstacksize(&attr, 128 << 10); int i = 0; for (; i < 100; i++) { if (pthread_create(&th, &attr, fn, arg) == 0) { pthread_attr_destroy(&attr); return; } if (errno == EAGAIN) { usleep(50); continue; } break; } exit(1); } #define BITMASK(bf_off,bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) #define STORE_BY_BITMASK(type,htobe,addr,val,bf_off,bf_len) *(type*)(addr) = htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) typedef struct { int state; } event_t; static void event_init(event_t* ev) { ev->state = 0; } static void event_reset(event_t* ev) { ev->state = 0; } static void event_set(event_t* ev) { if (ev->state) exit(1); __atomic_store_n(&ev->state, 1, __ATOMIC_RELEASE); syscall(SYS_futex, &ev->state, FUTEX_WAKE | FUTEX_PRIVATE_FLAG, 1000000); } static void event_wait(event_t* ev) { while (!__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, 0); } static int event_isset(event_t* ev) { return __atomic_load_n(&ev->state, __ATOMIC_ACQUIRE); } static int event_timedwait(event_t* ev, uint64_t 
timeout) { uint64_t start = current_time_ms(); uint64_t now = start; for (;;) { uint64_t remain = timeout - (now - start); struct timespec ts; ts.tv_sec = remain / 1000; ts.tv_nsec = (remain % 1000) * 1000 * 1000; syscall(SYS_futex, &ev->state, FUTEX_WAIT | FUTEX_PRIVATE_FLAG, 0, &ts); if (__atomic_load_n(&ev->state, __ATOMIC_ACQUIRE)) return 1; now = current_time_ms(); if (now - start > timeout) return 0; } } struct thread_t { int created, call; event_t ready, done; }; static struct thread_t threads[16]; static void execute_call(int call); static int running; static void* thr(void* arg) { struct thread_t* th = (struct thread_t*)arg; for (;;) { event_wait(&th->ready); event_reset(&th->ready); execute_call(th->call); __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED); event_set(&th->done); } return 0; } static void loop(void) { if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } int i, call, thread; for (call = 0; call < 3; call++) { for (thread = 0; thread < (int)(sizeof(threads) / sizeof(threads[0])); thread++) { struct thread_t* th = &threads[thread]; if (!th->created) { th->created = 1; event_init(&th->ready); event_init(&th->done); event_set(&th->done); thread_start(thr, th); } if (!event_isset(&th->done)) continue; event_reset(&th->done); th->call = call; __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED); event_set(&th->ready); if (call == 1) break; event_timedwait(&th->done, 50); break; } } for (i = 0; i < 100 && __atomic_load_n(&running, __ATOMIC_RELAXED); i++) sleep_ms(1); } uint64_t r[1] = {0xffffffffffffffff}; void execute_call(int call) { intptr_t res = 0; switch (call) { case 0: *(uint64_t*)0x20004e40 = 0x20004c80; *(uint16_t*)0x20004c80 = 0xeb9f; *(uint8_t*)0x20004c82 = 1; *(uint8_t*)0x20004c83 = 0; *(uint32_t*)0x20004c84 = 0x18; *(uint32_t*)0x20004c88 = 0; *(uint32_t*)0x20004c8c = 0xc; *(uint32_t*)0x20004c90 = 0xc; *(uint32_t*)0x20004c94 = 0xa; *(uint32_t*)0x20004c98 = 8; *(uint16_t*)0x20004c9c = 0; *(uint8_t*)0x20004c9e = 0; 
STORE_BY_BITMASK(uint8_t, , 0x20004c9f, 5, 0, 7); STORE_BY_BITMASK(uint8_t, , 0x20004c9f, 0, 7, 1); *(uint32_t*)0x20004ca0 = 6; *(uint8_t*)0x20004ca4 = 0; *(uint8_t*)0x20004ca5 = 0x30; *(uint8_t*)0x20004ca6 = 0; *(uint8_t*)0x20004ca7 = 0x30; *(uint8_t*)0x20004ca8 = 0x61; *(uint8_t*)0x20004ca9 = 0x1e; *(uint8_t*)0x20004caa = 0x2f; *(uint8_t*)0x20004cab = 0x30; *(uint8_t*)0x20004cac = 0x2e; *(uint8_t*)0x20004cad = 0; *(uint64_t*)0x20004e48 = 0; *(uint32_t*)0x20004e50 = 0x2e; *(uint32_t*)0x20004e54 = 0; *(uint32_t*)0x20004e58 = 1; *(uint32_t*)0x20004e5c = 0x40; res = syscall(__NR_bpf, /*cmd=*/0x12ul, /*arg=*/0x20004e40ul, /*size=*/0x20ul); if (res != -1) r[0] = res; break; case 1: *(uint32_t*)0x20000480 = 6; *(uint32_t*)0x20000484 = 0x27; *(uint64_t*)0x20000488 = 0x20000d40; *(uint8_t*)0x20000d40 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000d41, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d41, 0, 4, 4); *(uint16_t*)0x20000d42 = 0; *(uint32_t*)0x20000d44 = 8; *(uint8_t*)0x20000d48 = 0; *(uint8_t*)0x20000d49 = 0; *(uint16_t*)0x20000d4a = 0; *(uint32_t*)0x20000d4c = 7; *(uint8_t*)0x20000d50 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000d51, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d51, 1, 4, 4); *(uint16_t*)0x20000d52 = 0; *(uint32_t*)0x20000d54 = -1; *(uint8_t*)0x20000d58 = 0; *(uint8_t*)0x20000d59 = 0; *(uint16_t*)0x20000d5a = 0; *(uint32_t*)0x20000d5c = 0; STORE_BY_BITMASK(uint8_t, , 0x20000d60, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000d60, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000d60, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d61, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d61, 0, 4, 4); *(uint16_t*)0x20000d62 = 0; *(uint32_t*)0x20000d64 = 0x14; STORE_BY_BITMASK(uint8_t, , 0x20000d68, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000d68, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000d68, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d69, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d69, 0, 4, 4); *(uint16_t*)0x20000d6a = 0; *(uint32_t*)0x20000d6c = 0; 
*(uint8_t*)0x20000d70 = 0x85; *(uint8_t*)0x20000d71 = 0; *(uint16_t*)0x20000d72 = 0; *(uint32_t*)0x20000d74 = 0x83; STORE_BY_BITMASK(uint8_t, , 0x20000d78, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000d78, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000d78, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d79, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d79, 0, 4, 4); *(uint16_t*)0x20000d7a = 0; *(uint32_t*)0x20000d7c = 0; STORE_BY_BITMASK(uint8_t, , 0x20000d80, 5, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000d80, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000d80, 5, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d81, 9, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d81, 0, 4, 4); *(uint16_t*)0x20000d82 = 1; *(uint32_t*)0x20000d84 = 0; *(uint8_t*)0x20000d88 = 0x95; *(uint8_t*)0x20000d89 = 0; *(uint16_t*)0x20000d8a = 0; *(uint32_t*)0x20000d8c = 0; *(uint8_t*)0x20000d90 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000d91, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000d91, 1, 4, 4); *(uint16_t*)0x20000d92 = 0; *(uint32_t*)0x20000d94 = -1; *(uint8_t*)0x20000d98 = 0; *(uint8_t*)0x20000d99 = 0; *(uint16_t*)0x20000d9a = 0; *(uint32_t*)0x20000d9c = 0; STORE_BY_BITMASK(uint8_t, , 0x20000da0, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000da0, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000da0, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000da1, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000da1, 0, 4, 4); *(uint16_t*)0x20000da2 = 0; *(uint32_t*)0x20000da4 = 0; *(uint8_t*)0x20000da8 = 0x85; *(uint8_t*)0x20000da9 = 0; *(uint16_t*)0x20000daa = 0; *(uint32_t*)0x20000dac = 0x86; *(uint8_t*)0x20000db0 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000db1, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000db1, 0, 4, 4); *(uint16_t*)0x20000db2 = 0; *(uint32_t*)0x20000db4 = 0x25702020; *(uint8_t*)0x20000db8 = 0; *(uint8_t*)0x20000db9 = 0; *(uint16_t*)0x20000dba = 0; *(uint32_t*)0x20000dbc = 0x20202000; STORE_BY_BITMASK(uint8_t, , 0x20000dc0, 3, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000dc0, 3, 3, 2); 
STORE_BY_BITMASK(uint8_t, , 0x20000dc0, 3, 5, 3); STORE_BY_BITMASK(uint8_t, , 0x20000dc1, 0xa, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dc1, 1, 4, 4); *(uint16_t*)0x20000dc2 = 0xfff8; *(uint32_t*)0x20000dc4 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000dc8, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000dc8, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000dc8, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dc9, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dc9, 0xa, 4, 4); *(uint16_t*)0x20000dca = 0; *(uint32_t*)0x20000dcc = 0; STORE_BY_BITMASK(uint8_t, , 0x20000dd0, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000dd0, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000dd0, 0, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dd1, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dd1, 0, 4, 4); *(uint16_t*)0x20000dd2 = 0; *(uint32_t*)0x20000dd4 = 0xfffffff8; STORE_BY_BITMASK(uint8_t, , 0x20000dd8, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000dd8, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000dd8, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dd9, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000dd9, 0, 4, 4); *(uint16_t*)0x20000dda = 0; *(uint32_t*)0x20000ddc = 8; STORE_BY_BITMASK(uint8_t, , 0x20000de0, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000de0, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000de0, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000de1, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000de1, 0, 4, 4); *(uint16_t*)0x20000de2 = 0; *(uint32_t*)0x20000de4 = 0xffff; *(uint8_t*)0x20000de8 = 0x85; *(uint8_t*)0x20000de9 = 0; *(uint16_t*)0x20000dea = 0; *(uint32_t*)0x20000dec = 6; *(uint8_t*)0x20000df0 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000df1, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000df1, 0, 4, 4); *(uint16_t*)0x20000df2 = 0; *(uint32_t*)0x20000df4 = 0x256c6c64; *(uint8_t*)0x20000df8 = 0; *(uint8_t*)0x20000df9 = 0; *(uint16_t*)0x20000dfa = 0; *(uint32_t*)0x20000dfc = 0x20202000; STORE_BY_BITMASK(uint8_t, , 0x20000e00, 3, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e00, 3, 3, 2); 
STORE_BY_BITMASK(uint8_t, , 0x20000e00, 3, 5, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e01, 0xa, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e01, 1, 4, 4); *(uint16_t*)0x20000e02 = 0xfff8; *(uint32_t*)0x20000e04 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000e08, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e08, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000e08, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e09, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e09, 0xa, 4, 4); *(uint16_t*)0x20000e0a = 0; *(uint32_t*)0x20000e0c = 0; STORE_BY_BITMASK(uint8_t, , 0x20000e10, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e10, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000e10, 0, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e11, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e11, 0, 4, 4); *(uint16_t*)0x20000e12 = 0; *(uint32_t*)0x20000e14 = 0xfffffff8; STORE_BY_BITMASK(uint8_t, , 0x20000e18, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e18, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000e18, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e19, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e19, 0, 4, 4); *(uint16_t*)0x20000e1a = 0; *(uint32_t*)0x20000e1c = 8; STORE_BY_BITMASK(uint8_t, , 0x20000e20, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e20, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000e20, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e21, 3, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e21, 0, 4, 4); *(uint16_t*)0x20000e22 = 0; *(uint32_t*)0x20000e24 = 7; *(uint8_t*)0x20000e28 = 0x85; *(uint8_t*)0x20000e29 = 0; *(uint16_t*)0x20000e2a = 0; *(uint32_t*)0x20000e2c = 6; *(uint8_t*)0x20000e30 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000e31, 8, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e31, 5, 4, 4); *(uint16_t*)0x20000e32 = 0; *(uint32_t*)0x20000e34 = 1; *(uint8_t*)0x20000e38 = 0; *(uint8_t*)0x20000e39 = 0; *(uint16_t*)0x20000e3a = 0; *(uint32_t*)0x20000e3c = 0; *(uint8_t*)0x20000e40 = 0x18; STORE_BY_BITMASK(uint8_t, , 0x20000e41, 6, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e41, 6, 4, 4); 
*(uint16_t*)0x20000e42 = 0; *(uint32_t*)0x20000e44 = 4; *(uint8_t*)0x20000e48 = 0; *(uint8_t*)0x20000e49 = 0; *(uint16_t*)0x20000e4a = 0; *(uint32_t*)0x20000e4c = 0xfffffffb; STORE_BY_BITMASK(uint8_t, , 0x20000e50, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e50, 1, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000e50, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e51, 1, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e51, 9, 4, 4); *(uint16_t*)0x20000e52 = 0; *(uint32_t*)0x20000e54 = 0; STORE_BY_BITMASK(uint8_t, , 0x20000e58, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e58, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000e58, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e59, 2, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e59, 0, 4, 4); *(uint16_t*)0x20000e5a = 0; *(uint32_t*)0x20000e5c = 0; *(uint8_t*)0x20000e60 = 0x85; *(uint8_t*)0x20000e61 = 0; *(uint16_t*)0x20000e62 = 0; *(uint32_t*)0x20000e64 = 0x84; STORE_BY_BITMASK(uint8_t, , 0x20000e68, 7, 0, 3); STORE_BY_BITMASK(uint8_t, , 0x20000e68, 0, 3, 1); STORE_BY_BITMASK(uint8_t, , 0x20000e68, 0xb, 4, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e69, 0, 0, 4); STORE_BY_BITMASK(uint8_t, , 0x20000e69, 0, 4, 4); *(uint16_t*)0x20000e6a = 0; *(uint32_t*)0x20000e6c = 0; *(uint8_t*)0x20000e70 = 0x95; *(uint8_t*)0x20000e71 = 0; *(uint16_t*)0x20000e72 = 0; *(uint32_t*)0x20000e74 = 0; *(uint64_t*)0x20000490 = 0x20000040; memcpy((void*)0x20000040, "GPL\000", 4); *(uint32_t*)0x20000498 = 0xb; *(uint32_t*)0x2000049c = 0xc0; *(uint64_t*)0x200004a0 = 0x20000c80; *(uint32_t*)0x200004a8 = 0x41100; *(uint32_t*)0x200004ac = 0x38; memset((void*)0x200004b0, 0, 16); *(uint32_t*)0x200004c0 = 0; *(uint32_t*)0x200004c4 = 0x25; *(uint32_t*)0x200004c8 = r[0]; *(uint32_t*)0x200004cc = 8; *(uint64_t*)0x200004d0 = 0; *(uint32_t*)0x200004d8 = 0; *(uint32_t*)0x200004dc = 0x10; *(uint64_t*)0x200004e0 = 0x200002c0; *(uint32_t*)0x200002c0 = 0; *(uint32_t*)0x200002c4 = 0; *(uint32_t*)0x200002c8 = 0; *(uint32_t*)0x200002cc = 9; *(uint32_t*)0x200004e8 = 1; 
*(uint32_t*)0x200004ec = 0; *(uint32_t*)0x200004f0 = 0; *(uint32_t*)0x200004f4 = 9; *(uint64_t*)0x200004f8 = 0x20000380; *(uint32_t*)0x20000380 = -1; *(uint32_t*)0x20000384 = -1; *(uint32_t*)0x20000388 = -1; *(uint64_t*)0x20000500 = 0x200003c0; *(uint32_t*)0x200003c0 = 1; *(uint32_t*)0x200003c4 = 4; *(uint32_t*)0x200003c8 = 0xb; *(uint32_t*)0x200003cc = 6; *(uint32_t*)0x200003d0 = 2; *(uint32_t*)0x200003d4 = 2; *(uint32_t*)0x200003d8 = 1; *(uint32_t*)0x200003dc = 0; *(uint32_t*)0x200003e0 = 5; *(uint32_t*)0x200003e4 = 4; *(uint32_t*)0x200003e8 = 0xe; *(uint32_t*)0x200003ec = 0xb; *(uint32_t*)0x200003f0 = 2; *(uint32_t*)0x200003f4 = 0x1000003; *(uint32_t*)0x200003f8 = 2; *(uint32_t*)0x200003fc = 3; *(uint32_t*)0x20000400 = 2; *(uint32_t*)0x20000404 = 5; *(uint32_t*)0x20000408 = 0xa; *(uint32_t*)0x2000040c = 5; *(uint32_t*)0x20000410 = 3; *(uint32_t*)0x20000414 = 1; *(uint32_t*)0x20000418 = 0xa; *(uint32_t*)0x2000041c = 3; *(uint32_t*)0x20000420 = 3; *(uint32_t*)0x20000424 = 3; *(uint32_t*)0x20000428 = 5; *(uint32_t*)0x2000042c = 8; *(uint32_t*)0x20000430 = 3; *(uint32_t*)0x20000434 = 1; *(uint32_t*)0x20000438 = 5; *(uint32_t*)0x2000043c = 5; *(uint32_t*)0x20000440 = 0; *(uint32_t*)0x20000444 = 2; *(uint32_t*)0x20000448 = 0; *(uint32_t*)0x2000044c = 7; *(uint32_t*)0x20000508 = 0x10; *(uint32_t*)0x2000050c = 0x10000; syscall(__NR_bpf, /*cmd=*/5ul, /*arg=*/0x20000480ul, /*size=*/0x90ul); break; case 2: *(uint32_t*)0x20000440 = -1; *(uint64_t*)0x20000448 = 0x200003c0; *(uint32_t*)0x200003c0 = 0; *(uint64_t*)0x20000450 = 0; *(uint64_t*)0x20000458 = 0; syscall(__NR_bpf, /*cmd=*/2ul, /*arg=*/0x20000440ul, /*size=*/0x20ul); break; } } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, 
/*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/0x32ul, /*fd=*/-1, /*offset=*/0ul); const char* reason; (void)reason; loop(); return 0; } ``` And here is the crash information ``` [ 89.482115] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI [ 89.482639] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 89.482979] CPU: 1 UID: 0 PID: 214 Comm: test Not tainted 6.11.0-rc4 #1 [ 89.483276] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 89.483632] RIP: 0010:bpf_core_calc_relo_insn+0x11e/0x1e90 [ 89.483885] Code: 48 8b 85 28 fd ff ff 4c 89 ef 44 8b 70 04 44 89 f6 e8 96 a5 f8 ff 48 89 c2 49 89 c4 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14c [ 89.484686] RSP: 0018:ffff888108f373d0 EFLAGS: 00010246 [ 89.484924] RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: ffffffff816c8b8b [ 89.485247] RDX: 0000000000000000 RSI: ffffffff816c8bea RDI: 0000000000000004 [ 89.485563] RBP: ffff888108f376c0 R08: ffff888108f37778 R09: ffff88810991c000 [ 89.485880] R10: 0000000000000004 R11: ffff888103ab1c90 R12: 0000000000000000 [ 89.486197] R13: ffff888103ddfe00 R14: 0000000000000004 R15: ffff88810991c000 [ 89.486514] FS: 00007f94a2d15640(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 89.486874] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 89.487128] CR2: 0000000020000480 CR3: 0000000106058000 CR4: 00000000003006f0 [ 89.487439] Call Trace: [ 89.487553] <TASK> [ 89.487654] ? show_regs+0x93/0xa0 [ 89.487815] ? die_addr+0x50/0xd0 [ 89.487972] ? exc_general_protection+0x19f/0x320 [ 89.488185] ? asm_exc_general_protection+0x26/0x30 [ 89.488405] ? btf_type_by_id+0xeb/0x1a0 [ 89.488584] ? btf_type_by_id+0x14a/0x1a0 [ 89.488766] ? bpf_core_calc_relo_insn+0x11e/0x1e90 [ 89.488989] ? __printk_safe_exit+0x9/0x20 [ 89.489175] ? 
stack_depot_save_flags+0x616/0x7c0 [ 89.489392] ? bpf_prog_load+0x151c/0x2450 [ 89.489594] ? kasan_save_stack+0x34/0x50 [ 89.489792] ? kasan_save_stack+0x24/0x50 [ 89.489987] ? __pfx_bpf_core_calc_relo_insn+0x10/0x10 [ 89.490231] ? bpf_check+0x6744/0xba00 [ 89.490415] ? bpf_prog_load+0x151c/0x2450 [ 89.490612] ? __sys_bpf+0x12be/0x5290 [ 89.490795] ? __x64_sys_bpf+0x78/0xc0 [ 89.490979] ? do_syscall_64+0xa6/0x1a0 [ 89.491167] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.491417] ? __pfx_vsnprintf+0x10/0x10 [ 89.491611] ? sort_r+0x45/0x5f0 [ 89.491774] ? _copy_to_user+0x77/0x90 [ 89.491954] ? bpf_verifier_vlog+0x25b/0x690 [ 89.492150] ? __pfx_sort+0x10/0x10 [ 89.492314] ? verbose+0xde/0x170 [ 89.492470] ? kasan_unpoison+0x27/0x60 [ 89.492648] ? __kasan_slab_alloc+0x30/0x70 [ 89.492837] ? __kmalloc_cache_noprof+0xf0/0x270 [ 89.493050] bpf_core_apply+0x48b/0xaf0 [ 89.493228] ? btf_name_by_offset+0x13a/0x180 [ 89.493431] ? __pfx_bpf_core_apply+0x10/0x10 [ 89.493631] ? __pfx_check_btf_line+0x10/0x10 [ 89.493830] ? bpf_check_uarg_tail_zero+0x142/0x1c0 [ 89.494051] ? __pfx_bpf_check_uarg_tail_zero+0x10/0x10 [ 89.494286] bpf_check+0x6744/0xba00 [ 89.494458] ? kasan_save_stack+0x34/0x50 [ 89.494653] ? kasan_save_stack+0x24/0x50 [ 89.494848] ? kasan_save_track+0x14/0x30 [ 89.495039] ? __kasan_kmalloc+0x7f/0x90 [ 89.495232] ? __pfx_bpf_check+0x10/0x10 [ 89.495426] ? pcpu_chunk_relocate+0x145/0x1c0 [ 89.495640] ? mutex_unlock+0x7e/0xd0 [ 89.495820] ? kasan_unpoison+0x27/0x60 [ 89.496008] ? __kasan_slab_alloc+0x30/0x70 [ 89.496208] ? __kmalloc_cache_noprof+0xf0/0x270 [ 89.496430] ? kasan_save_track+0x14/0x30 [ 89.496622] ? __kasan_kmalloc+0x7f/0x90 [ 89.496810] ? selinux_bpf_prog_load+0x15b/0x1c0 [ 89.497024] bpf_prog_load+0x151c/0x2450 [ 89.497206] ? __pfx_bpf_prog_load+0x10/0x10 [ 89.497405] ? avc_has_perm+0x175/0x2f0 [ 89.497585] ? __pte_offset_map+0x12f/0x1f0 [ 89.497774] ? bpf_check_uarg_tail_zero+0x142/0x1c0 [ 89.497994] ? selinux_bpf+0xdd/0x120 [ 89.498163] ? 
security_bpf+0x8d/0xb0 [ 89.498333] __sys_bpf+0x12be/0x5290 [ 89.498500] ? folio_add_lru+0x58/0x80 [ 89.498675] ? __pfx___sys_bpf+0x10/0x10 [ 89.498855] ? __pfx_down_read_trylock+0x10/0x10 [ 89.499069] ? __pfx___handle_mm_fault+0x10/0x10 [ 89.499283] ? do_user_addr_fault+0x595/0x1220 [ 89.499524] __x64_sys_bpf+0x78/0xc0 [ 89.499738] ? exc_page_fault+0xae/0x180 [ 89.499928] do_syscall_64+0xa6/0x1a0 [ 89.500109] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.500361] RIP: 0033:0x44ceed [ 89.500512] Code: c3 e8 d7 1e 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 018 [ 89.501348] RSP: 002b:00007f94a2d15178 EFLAGS: 00000287 ORIG_RAX: 0000000000000141 [ 89.501695] RAX: ffffffffffffffda RBX: 00007f94a2d15640 RCX: 000000000044ceed [ 89.502013] RDX: 0000000000000090 RSI: 0000000020000480 RDI: 0000000000000005 [ 89.502323] RBP: 00007f94a2d151a0 R08: 0000000000000000 R09: 0000000000000000 [ 89.502635] R10: 0000000000000000 R11: 0000000000000287 R12: 00007f94a2d15640 [ 89.502949] R13: 0000000000000000 R14: 00000000004160d0 R15: 00007f94a2cf5000 [ 89.503269] </TASK> [ 89.503376] Modules linked in: [ 89.503586] ---[ end trace 0000000000000000 ]--- [ 89.503793] RIP: 0010:bpf_core_calc_relo_insn+0x11e/0x1e90 [ 89.504045] Code: 48 8b 85 28 fd ff ff 4c 89 ef 44 8b 70 04 44 89 f6 e8 96 a5 f8 ff 48 89 c2 49 89 c4 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14c [ 89.504860] RSP: 0018:ffff888108f373d0 EFLAGS: 00010246 [ 89.505112] RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: ffffffff816c8b8b [ 89.505441] RDX: 0000000000000000 RSI: ffffffff816c8bea RDI: 0000000000000004 [ 89.505768] RBP: ffff888108f376c0 R08: ffff888108f37778 R09: ffff88810991c000 [ 89.506099] R10: 0000000000000004 R11: ffff888103ab1c90 R12: 0000000000000000 [ 89.506427] R13: ffff888103ddfe00 R14: 0000000000000004 R15: ffff88810991c000 [ 89.506754] FS: 00007f94a2d15640(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000 [ 89.507129] 
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 89.507398] CR2: 0000000020000480 CR3: 0000000106058000 CR4: 00000000003006f0
```

I debugged it with gdb and found that local_type is used without a NULL check, which leads to a NULL pointer dereference vulnerability.

```
──────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────
 RAX  0xdffffc0000000000
 RBX  0xdffffc0000000000
 RCX  0xffffffff816c8b8b (btf_type_by_id+235) ◂— 0x404be85576e53944
 RDX  0x0
 RDI  0x4
 RSI  0xffffffff816c8bea (btf_type_by_id+330) ◂— 0xe0894c5d5be43145
 R8   0xffff88811669f778 ◂— 0x0
 R9   0xffff888115f48000 ◂— 0x0
 R10  0x4
 R11  0xffff888104562080 ◂— 0x0
 R12  0x0
 R13  0xffff8881135b7000 —▸ 0xffff8881166280c2 ◂— 0x0
 R14  0x4
 R15  0xffff888115f48000 ◂— 0x0
 RBP  0xffff88811669f6c0 —▸ 0xffff88811669f798 —▸ 0xffffffff8160fcb0 (check_btf_line) ◂— 0x56415741e5894855
 RSP  0xffff88811669f3d0 ◂— 0x1ffff11022cd3e92
*RIP  0xffffffff8173e51e (bpf_core_calc_relo_insn+286) ◂— 0x83e0894c0214b60f
──────────[ DISASM / x86-64 / set emulate on ]──────────
   0xffffffff8173e505 <bpf_core_calc_relo_insn+261>    call   btf_type_by_id <btf_type_by_id>
   0xffffffff8173e50a <bpf_core_calc_relo_insn+266>    mov    rdx, rax
   0xffffffff8173e50d <bpf_core_calc_relo_insn+269>    mov    r12, rax
   0xffffffff8173e510 <bpf_core_calc_relo_insn+272>    movabs rax, 0xdffffc0000000000
   0xffffffff8173e51a <bpf_core_calc_relo_insn+282>    shr    rdx, 3 <fixed_percpu_data+3>
 ► 0xffffffff8173e51e <bpf_core_calc_relo_insn+286>    movzx  edx, byte ptr [rdx + rax]
   0xffffffff8173e522 <bpf_core_calc_relo_insn+290>    mov    rax, r12
   0xffffffff8173e525 <bpf_core_calc_relo_insn+293>    and    eax, 7 <fixed_percpu_data+7>
   0xffffffff8173e528 <bpf_core_calc_relo_insn+296>    add    eax, 3 <fixed_percpu_data+3>
   0xffffffff8173e52b <bpf_core_calc_relo_insn+299>    cmp    al, dl
   0xffffffff8173e52d <bpf_core_calc_relo_insn+301>    jl     bpf_core_calc_relo_insn+311 <bpf_core_calc_relo_insn+311>
──────────[ SOURCE (CODE) ]──────────
In file: /home/ubuntu/fuzz/linux-6.11-rc4/tools/lib/bpf/relo_core.c:1300
   1295         char spec_buf[256];
   1296         int i, j, err;
   1297
   1298         local_id = relo->type_id;
   1299         local_type = btf_type_by_id(local_btf, local_id);
 ► 1300         local_name = btf__name_by_offset(local_btf, local_type->name_off);
   1301         if (!local_name)
   1302                 return -EINVAL;
   1303
   1304         err = bpf_core_parse_spec(prog_name, local_btf, relo, local_spec);
   1305         if (err) {
──────────[ STACK ]──────────
```

10 months, 4 weeks


[PATCH] fuse: use unsigned type for getxattr/listxattr size truncation

by Jann Horn

The existing code uses min_t(ssize_t, outarg.size, XATTR_LIST_MAX) when parsing the FUSE daemon's response to a zero-length getxattr/listxattr request. On 32-bit kernels, where ssize_t and outarg.size are the same size, this is wrong: The min_t() will pass through any size values that are negative when interpreted as signed. fuse_listxattr() will then return this userspace-supplied negative value, which callers will treat as an error value.

This kind of bug pattern can lead to fairly bad security bugs because of how error codes are used in the Linux kernel. If a caller were to convert the numeric error into an error pointer, like so:

    struct foo *func(...) {
      int len = fuse_getxattr(..., NULL, 0);
      if (len < 0)
        return ERR_PTR(len);
      ...
    }

then it would end up returning this userspace-supplied negative value cast to a pointer - but the caller of this function wouldn't recognize it as an error pointer (IS_ERR_VALUE() only detects values in the narrow range in which legitimate errno values are), and so it would just be treated as a kernel pointer.

I think there is at least one theoretical codepath where this could happen, but that path would involve virtio-fs with submounts plus some weird SELinux configuration, so I think it's probably not a concern in practice.
Cc: stable(a)vger.kernel.org
Fixes: 63401ccdb2ca ("fuse: limit xattr returned size")
Signed-off-by: Jann Horn <jannh(a)google.com>
---
 fs/fuse/xattr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/fuse/xattr.c b/fs/fuse/xattr.c
index 5b423fdbb13f..9f568d345c51 100644
--- a/fs/fuse/xattr.c
+++ b/fs/fuse/xattr.c
@@ -81,7 +81,7 @@ ssize_t fuse_getxattr(struct inode *inode, const char *name, void *value,
 	}
 	ret = fuse_simple_request(fm, &args);
 	if (!ret && !size)
-		ret = min_t(ssize_t, outarg.size, XATTR_SIZE_MAX);
+		ret = min_t(size_t, outarg.size, XATTR_SIZE_MAX);
 	if (ret == -ENOSYS) {
 		fm->fc->no_getxattr = 1;
 		ret = -EOPNOTSUPP;
@@ -143,7 +143,7 @@ ssize_t fuse_listxattr(struct dentry *entry, char *list, size_t size)
 	}
 	ret = fuse_simple_request(fm, &args);
 	if (!ret && !size)
-		ret = min_t(ssize_t, outarg.size, XATTR_LIST_MAX);
+		ret = min_t(size_t, outarg.size, XATTR_LIST_MAX);
 	if (ret > 0 && size)
 		ret = fuse_verify_xattr_list(list, ret);
 	if (ret == -ENOSYS) {

---
base-commit: b0da640826ba3b6506b4996a6b23a429235e6923
change-id: 20240819-fuse-oob-error-fix-664d082176d5
--
Jann Horn <jannh(a)google.com>

10 months, 4 weeks


FAILED: patch "[PATCH] mm/numa: no task_numa_fault() call if PTE is changed" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 40b760cfd44566bca791c80e0720d70d75382b84 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081933-cheddar-oak-0777@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 40b760cfd445 ("mm/numa: no task_numa_fault() call if PTE is changed") d2136d749d76 ("mm: support multi-size THP numa balancing") 6b0ed7b3c775 ("mm: factor out the numa mapping rebuilding into a new helper") ec1778807a80 ("mm: mprotect: use a folio in change_pte_range()") 6695cf68b15c ("mm: memory: use a folio in do_numa_page()") 73eab3ca481e ("mm: migrate: convert migrate_misplaced_page() to migrate_misplaced_folio()") 2ac9e99f3b21 ("mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio()") df57721f9a63 ("Merge tag 'x86_shstk_for_6.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40b760cfd44566bca791c80e0720d70d75382b84 Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Fri, 9 Aug 2024 10:59:04 -0400 Subject: [PATCH] mm/numa: no task_numa_fault() call if PTE is changed When handling a numa page fault, task_numa_fault() should be called by a process that restores the page table of the faulted folio to avoid duplicated stats counting. 
Commit b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault") restructured do_numa_page() and did not avoid task_numa_fault() call in the second page table check after a numa migration failure. Fix it by making all !pte_same() return immediately. This issue can cause task_numa_fault() being called more than necessary and lead to unexpected numa balancing results (It is hard to tell whether the issue will cause positive or negative performance impact due to duplicated numa fault counting). Link: https://lkml.kernel.org/r/20240809145906.1513458-2-ziy@nvidia.com Fixes: b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reported-by: "Huang, Ying" <ying.huang(a)intel.com> Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.inte… Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mel Gorman <mgorman(a)suse.de> Cc: Yang Shi <shy828301(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memory.c b/mm/memory.c index 34f8402d2046..3c01d68065be 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -5295,7 +5295,7 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) if (unlikely(!pte_same(old_pte, vmf->orig_pte))) { pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; + return 0; } pte = pte_modify(old_pte, vma->vm_page_prot); @@ -5358,23 +5358,19 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) if (!migrate_misplaced_folio(folio, vma, target_nid)) { nid = target_nid; flags |= TNF_MIGRATED; - } else { - flags |= TNF_MIGRATE_FAIL; - vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, - vmf->address, &vmf->ptl); - if (unlikely(!vmf->pte)) - goto out; - if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { - pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; - } - goto 
out_map; + task_numa_fault(last_cpupid, nid, nr_pages, flags); + return 0; } -out: - if (nid != NUMA_NO_NODE) - task_numa_fault(last_cpupid, nid, nr_pages, flags); - return 0; + flags |= TNF_MIGRATE_FAIL; + vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, + vmf->address, &vmf->ptl); + if (unlikely(!vmf->pte)) + return 0; + if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { + pte_unmap_unlock(vmf->pte, vmf->ptl); + return 0; + } out_map: /* * Make it present again, depending on how arch implements @@ -5387,7 +5383,10 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) numa_rebuild_single_mapping(vmf, vma, vmf->address, vmf->pte, writable); pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; + + if (nid != NUMA_NO_NODE) + task_numa_fault(last_cpupid, nid, nr_pages, flags); + return 0; } static inline vm_fault_t create_huge_pmd(struct vm_fault *vmf)

10 months, 4 weeks


FAILED: patch "[PATCH] mm/numa: no task_numa_fault() call if PTE is changed" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 40b760cfd44566bca791c80e0720d70d75382b84 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081932-vastly-ice-7932@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: 40b760cfd445 ("mm/numa: no task_numa_fault() call if PTE is changed") d2136d749d76 ("mm: support multi-size THP numa balancing") 6b0ed7b3c775 ("mm: factor out the numa mapping rebuilding into a new helper") ec1778807a80 ("mm: mprotect: use a folio in change_pte_range()") 6695cf68b15c ("mm: memory: use a folio in do_numa_page()") 73eab3ca481e ("mm: migrate: convert migrate_misplaced_page() to migrate_misplaced_folio()") 2ac9e99f3b21 ("mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio()") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 40b760cfd44566bca791c80e0720d70d75382b84 Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Fri, 9 Aug 2024 10:59:04 -0400 Subject: [PATCH] mm/numa: no task_numa_fault() call if PTE is changed When handling a numa page fault, task_numa_fault() should be called by a process that restores the page table of the faulted folio to avoid duplicated stats counting. Commit b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault") restructured do_numa_page() and did not avoid task_numa_fault() call in the second page table check after a numa migration failure. Fix it by making all !pte_same() return immediately. 
This issue can cause task_numa_fault() being called more than necessary and lead to unexpected numa balancing results (It is hard to tell whether the issue will cause positive or negative performance impact due to duplicated numa fault counting). Link: https://lkml.kernel.org/r/20240809145906.1513458-2-ziy@nvidia.com Fixes: b99a342d4f11 ("NUMA balancing: reduce TLB flush via delaying mapping on hint page fault") Signed-off-by: Zi Yan <ziy(a)nvidia.com> Reported-by: "Huang, Ying" <ying.huang(a)intel.com> Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.inte… Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mel Gorman <mgorman(a)suse.de> Cc: Yang Shi <shy828301(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/memory.c b/mm/memory.c index 34f8402d2046..3c01d68065be 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -5295,7 +5295,7 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) if (unlikely(!pte_same(old_pte, vmf->orig_pte))) { pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; + return 0; } pte = pte_modify(old_pte, vma->vm_page_prot); @@ -5358,23 +5358,19 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) if (!migrate_misplaced_folio(folio, vma, target_nid)) { nid = target_nid; flags |= TNF_MIGRATED; - } else { - flags |= TNF_MIGRATE_FAIL; - vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, - vmf->address, &vmf->ptl); - if (unlikely(!vmf->pte)) - goto out; - if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { - pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; - } - goto out_map; + task_numa_fault(last_cpupid, nid, nr_pages, flags); + return 0; } -out: - if (nid != NUMA_NO_NODE) - task_numa_fault(last_cpupid, nid, nr_pages, flags); - return 0; + flags |= TNF_MIGRATE_FAIL; + vmf->pte = pte_offset_map_lock(vma->vm_mm, vmf->pmd, + vmf->address, 
&vmf->ptl); + if (unlikely(!vmf->pte)) + return 0; + if (unlikely(!pte_same(ptep_get(vmf->pte), vmf->orig_pte))) { + pte_unmap_unlock(vmf->pte, vmf->ptl); + return 0; + } out_map: /* * Make it present again, depending on how arch implements @@ -5387,7 +5383,10 @@ static vm_fault_t do_numa_page(struct vm_fault *vmf) numa_rebuild_single_mapping(vmf, vma, vmf->address, vmf->pte, writable); pte_unmap_unlock(vmf->pte, vmf->ptl); - goto out; + + if (nid != NUMA_NO_NODE) + task_numa_fault(last_cpupid, nid, nr_pages, flags); + return 0; } static inline vm_fault_t create_huge_pmd(struct vm_fault *vmf)

10 months, 4 weeks


FAILED: patch "[PATCH] mm/numa: no task_numa_fault() call if PMD is changed" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x fd8c35a92910f4829b7c99841f39b1b952c259d5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081953-corncob-gab-6fce@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: fd8c35a92910 ("mm/numa: no task_numa_fault() call if PMD is changed") 667ffc31aa95 ("mm: huge_memory: use a folio in do_huge_pmd_numa_page()") 73eab3ca481e ("mm: migrate: convert migrate_misplaced_page() to migrate_misplaced_folio()") 2ac9e99f3b21 ("mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio()") 4e096ae1801e ("mm: convert migrate_pages() to work on folios") 2ef7dbb26990 ("migrate_pages: try migrate in batch asynchronously firstly") a21d2133215b ("migrate_pages: move split folios processing out of migrate_pages_batch()") fb3592c41a44 ("migrate_pages: fix deadlock in batched migration") f9366f4c2a29 ("include/linux/migrate.h: remove unneeded externs") cd7755800eb5 ("mm: change to return bool for isolate_movable_page()") f7f9c00dfaff ("mm: change to return bool for isolate_lru_page()") be2d57563822 ("mm: change to return bool for folio_isolate_lru()") 6f7d760e86fa ("migrate_pages: move THP/hugetlb migration support check to simplify code") 7e12beb8ca2a ("migrate_pages: batch flushing TLB") ebe75e475106 ("migrate_pages: share more code between _unmap and _move") 80562ba0d837 ("migrate_pages: move migrate_folio_unmap()") 5dfab109d519 ("migrate_pages: batch _unmap and _move") 64c8902ed441 ("migrate_pages: split unmap_and_move() to _unmap() and 
_move()") 42012e0436d4 ("migrate_pages: restrict number of pages to migrate in batch") e5bfff8b10e4 ("migrate_pages: separate hugetlb folios migration") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fd8c35a92910f4829b7c99841f39b1b952c259d5 Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Fri, 9 Aug 2024 10:59:05 -0400 Subject: [PATCH] mm/numa: no task_numa_fault() call if PMD is changed When handling a numa page fault, task_numa_fault() should be called by a process that restores the page table of the faulted folio to avoid duplicated stats counting. Commit c5b5a3dd2c1f ("mm: thp: refactor NUMA fault handling") restructured do_huge_pmd_numa_page() and did not avoid task_numa_fault() call in the second page table check after a numa migration failure. Fix it by making all !pmd_same() return immediately. This issue can cause task_numa_fault() being called more than necessary and lead to unexpected numa balancing results (It is hard to tell whether the issue will cause positive or negative performance impact due to duplicated numa fault counting). 
Link: https://lkml.kernel.org/r/20240809145906.1513458-3-ziy@nvidia.com Fixes: c5b5a3dd2c1f ("mm: thp: refactor NUMA fault handling") Reported-by: "Huang, Ying" <ying.huang(a)intel.com> Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.inte… Signed-off-by: Zi Yan <ziy(a)nvidia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mel Gorman <mgorman(a)suse.de> Cc: Yang Shi <shy828301(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index f4be468e06a4..67c86a5d64a6 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1685,7 +1685,7 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf) vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { spin_unlock(vmf->ptl); - goto out; + return 0; } pmd = pmd_modify(oldpmd, vma->vm_page_prot); @@ -1728,22 +1728,16 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf) if (!migrate_misplaced_folio(folio, vma, target_nid)) { flags |= TNF_MIGRATED; nid = target_nid; - } else { - flags |= TNF_MIGRATE_FAIL; - vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); - if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { - spin_unlock(vmf->ptl); - goto out; - } - goto out_map; + task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags); + return 0; } -out: - if (nid != NUMA_NO_NODE) - task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags); - - return 0; - + flags |= TNF_MIGRATE_FAIL; + vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); + if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { + spin_unlock(vmf->ptl); + return 0; + } out_map: /* Restore the PMD */ pmd = pmd_modify(oldpmd, vma->vm_page_prot); @@ -1753,7 +1747,10 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf) set_pmd_at(vma->vm_mm, haddr, vmf->pmd, pmd); update_mmu_cache_pmd(vma, 
vmf->address, vmf->pmd); spin_unlock(vmf->ptl); - goto out; + + if (nid != NUMA_NO_NODE) + task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags); + return 0; } /*

10 months, 4 weeks


FAILED: patch "[PATCH] mm/numa: no task_numa_fault() call if PMD is changed" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x fd8c35a92910f4829b7c99841f39b1b952c259d5 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081952-handstand-rematch-5948@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: fd8c35a92910 ("mm/numa: no task_numa_fault() call if PMD is changed") 667ffc31aa95 ("mm: huge_memory: use a folio in do_huge_pmd_numa_page()") 73eab3ca481e ("mm: migrate: convert migrate_misplaced_page() to migrate_misplaced_folio()") 2ac9e99f3b21 ("mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio()") 4e096ae1801e ("mm: convert migrate_pages() to work on folios") 2ef7dbb26990 ("migrate_pages: try migrate in batch asynchronously firstly") a21d2133215b ("migrate_pages: move split folios processing out of migrate_pages_batch()") fb3592c41a44 ("migrate_pages: fix deadlock in batched migration") f9366f4c2a29 ("include/linux/migrate.h: remove unneeded externs") cd7755800eb5 ("mm: change to return bool for isolate_movable_page()") f7f9c00dfaff ("mm: change to return bool for isolate_lru_page()") be2d57563822 ("mm: change to return bool for folio_isolate_lru()") 6f7d760e86fa ("migrate_pages: move THP/hugetlb migration support check to simplify code") 7e12beb8ca2a ("migrate_pages: batch flushing TLB") ebe75e475106 ("migrate_pages: share more code between _unmap and _move") 80562ba0d837 ("migrate_pages: move migrate_folio_unmap()") 5dfab109d519 ("migrate_pages: batch _unmap and _move") 64c8902ed441 ("migrate_pages: split unmap_and_move() to _unmap() and 
_move()") 42012e0436d4 ("migrate_pages: restrict number of pages to migrate in batch") e5bfff8b10e4 ("migrate_pages: separate hugetlb folios migration") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fd8c35a92910f4829b7c99841f39b1b952c259d5 Mon Sep 17 00:00:00 2001 From: Zi Yan <ziy(a)nvidia.com> Date: Fri, 9 Aug 2024 10:59:05 -0400 Subject: [PATCH] mm/numa: no task_numa_fault() call if PMD is changed When handling a numa page fault, task_numa_fault() should be called by a process that restores the page table of the faulted folio to avoid duplicated stats counting. Commit c5b5a3dd2c1f ("mm: thp: refactor NUMA fault handling") restructured do_huge_pmd_numa_page() and did not avoid task_numa_fault() call in the second page table check after a numa migration failure. Fix it by making all !pmd_same() return immediately. This issue can cause task_numa_fault() being called more than necessary and lead to unexpected numa balancing results (It is hard to tell whether the issue will cause positive or negative performance impact due to duplicated numa fault counting). 
Link: https://lkml.kernel.org/r/20240809145906.1513458-3-ziy@nvidia.com Fixes: c5b5a3dd2c1f ("mm: thp: refactor NUMA fault handling") Reported-by: "Huang, Ying" <ying.huang(a)intel.com> Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.inte… Signed-off-by: Zi Yan <ziy(a)nvidia.com> Acked-by: David Hildenbrand <david(a)redhat.com> Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com> Cc: "Huang, Ying" <ying.huang(a)intel.com> Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com> Cc: Mel Gorman <mgorman(a)suse.de> Cc: Yang Shi <shy828301(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/mm/huge_memory.c b/mm/huge_memory.c index f4be468e06a4..67c86a5d64a6 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1685,7 +1685,7 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf) vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { spin_unlock(vmf->ptl); - goto out; + return 0; } pmd = pmd_modify(oldpmd, vma->vm_page_prot); @@ -1728,22 +1728,16 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf) if (!migrate_misplaced_folio(folio, vma, target_nid)) { flags |= TNF_MIGRATED; nid = target_nid; - } else { - flags |= TNF_MIGRATE_FAIL; - vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); - if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { - spin_unlock(vmf->ptl); - goto out; - } - goto out_map; + task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags); + return 0; } -out: - if (nid != NUMA_NO_NODE) - task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags); - - return 0; - + flags |= TNF_MIGRATE_FAIL; + vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd); + if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) { + spin_unlock(vmf->ptl); + return 0; + } out_map: /* Restore the PMD */ pmd = pmd_modify(oldpmd, vma->vm_page_prot); @@ -1753,7 +1747,10 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf) set_pmd_at(vma->vm_mm, haddr, vmf->pmd, pmd); update_mmu_cache_pmd(vma, 
vmf->address, vmf->pmd); spin_unlock(vmf->ptl); - goto out; + + if (nid != NUMA_NO_NODE) + task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags); + return 0; } /*

10 months, 4 weeks


FAILED: patch "[PATCH] mm/numa: no task_numa_fault() call if PMD is changed" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x fd8c35a92910f4829b7c99841f39b1b952c259d5
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081951-fable-brewery-9048@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..

Possible dependencies:

fd8c35a92910 ("mm/numa: no task_numa_fault() call if PMD is changed")
667ffc31aa95 ("mm: huge_memory: use a folio in do_huge_pmd_numa_page()")
73eab3ca481e ("mm: migrate: convert migrate_misplaced_page() to migrate_misplaced_folio()")
2ac9e99f3b21 ("mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio()")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From fd8c35a92910f4829b7c99841f39b1b952c259d5 Mon Sep 17 00:00:00 2001
From: Zi Yan <ziy(a)nvidia.com>
Date: Fri, 9 Aug 2024 10:59:05 -0400
Subject: [PATCH] mm/numa: no task_numa_fault() call if PMD is changed

When handling a numa page fault, task_numa_fault() should be called by a
process that restores the page table of the faulted folio to avoid
duplicated stats counting. Commit c5b5a3dd2c1f ("mm: thp: refactor NUMA
fault handling") restructured do_huge_pmd_numa_page() and did not avoid
task_numa_fault() call in the second page table check after a numa
migration failure. Fix it by making all !pmd_same() return immediately.

This issue can cause task_numa_fault() being called more than necessary
and lead to unexpected numa balancing results (It is hard to tell whether
the issue will cause positive or negative performance impact due to
duplicated numa fault counting).

Link: https://lkml.kernel.org/r/20240809145906.1513458-3-ziy@nvidia.com
Fixes: c5b5a3dd2c1f ("mm: thp: refactor NUMA fault handling")
Reported-by: "Huang, Ying" <ying.huang(a)intel.com>
Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.inte…
Signed-off-by: Zi Yan <ziy(a)nvidia.com>
Acked-by: David Hildenbrand <david(a)redhat.com>
Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com>
Cc: "Huang, Ying" <ying.huang(a)intel.com>
Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Cc: Mel Gorman <mgorman(a)suse.de>
Cc: Yang Shi <shy828301(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index f4be468e06a4..67c86a5d64a6 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1685,7 +1685,7 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf)
 	vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
 	if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
 		spin_unlock(vmf->ptl);
-		goto out;
+		return 0;
 	}
 
 	pmd = pmd_modify(oldpmd, vma->vm_page_prot);
@@ -1728,22 +1728,16 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf)
 	if (!migrate_misplaced_folio(folio, vma, target_nid)) {
 		flags |= TNF_MIGRATED;
 		nid = target_nid;
-	} else {
-		flags |= TNF_MIGRATE_FAIL;
-		vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
-		if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
-			spin_unlock(vmf->ptl);
-			goto out;
-		}
-		goto out_map;
+		task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags);
+		return 0;
 	}
 
-out:
-	if (nid != NUMA_NO_NODE)
-		task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags);
-
-	return 0;
-
+	flags |= TNF_MIGRATE_FAIL;
+	vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
+	if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
+		spin_unlock(vmf->ptl);
+		return 0;
+	}
 out_map:
 	/* Restore the PMD */
 	pmd = pmd_modify(oldpmd, vma->vm_page_prot);
@@ -1753,7 +1747,10 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf)
 	set_pmd_at(vma->vm_mm, haddr, vmf->pmd, pmd);
 	update_mmu_cache_pmd(vma, vmf->address, vmf->pmd);
 	spin_unlock(vmf->ptl);
-	goto out;
+
+	if (nid != NUMA_NO_NODE)
+		task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags);
+	return 0;
 }
 
 /*
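
The behavioural change in the commit above can be illustrated with a small userspace model. This is only a sketch under stated assumptions, not kernel code: `struct scenario`, `counted_before_fix()` and `counted_after_fix()` are hypothetical names invented for illustration, the model starts after the first pmd_same() check has passed, and `nid_valid` stands in for `nid != NUMA_NO_NODE`. Each function returns how many times task_numa_fault() would be called for one fault.

```c
#include <stdbool.h>

/*
 * Hypothetical userspace model of do_huge_pmd_numa_page()'s accounting.
 * All names here are illustrative assumptions, not kernel APIs.
 */
struct scenario {
	bool try_migrate;     /* a migration to another node is attempted */
	bool migrate_ok;      /* the migration succeeded */
	bool second_pmd_same; /* PMD unchanged at the re-check after a failed migration */
	bool nid_valid;       /* stands in for nid != NUMA_NO_NODE */
};

/* Old flow: a changed PMD after a failed migration still reached "out:". */
static int counted_before_fix(struct scenario s)
{
	if (s.try_migrate) {
		if (s.migrate_ok)
			return 1;           /* nid = target_nid, then "out:" */
		if (!s.second_pmd_same)
			return s.nid_valid; /* "goto out": counted although PMD changed */
	}
	return s.nid_valid;                 /* "out_map:", then "goto out" */
}

/* New flow: every failed pmd_same() check returns without counting. */
static int counted_after_fix(struct scenario s)
{
	if (s.try_migrate) {
		if (s.migrate_ok)
			return 1;           /* migrated: count and return */
		if (!s.second_pmd_same)
			return 0;           /* PMD changed under us: do not count */
	}
	return s.nid_valid;                 /* this thread restored the PMD */
}
```

In this model the two flows differ only when the migration fails and the PMD has changed by the time of the second check: with a valid node the old flow counts the fault once, while the new flow does not count it, leaving the accounting to whichever thread restores the page table.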


FAILED: patch "[PATCH] mm/numa: no task_numa_fault() call if PMD is changed" failed to apply to 6.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.10-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.10.y
git checkout FETCH_HEAD
git cherry-pick -x fd8c35a92910f4829b7c99841f39b1b952c259d5
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024081950-jolliness-crux-7fe1@gregkh' --subject-prefix 'PATCH 6.10.y' HEAD^..

Possible dependencies:

fd8c35a92910 ("mm/numa: no task_numa_fault() call if PMD is changed")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From fd8c35a92910f4829b7c99841f39b1b952c259d5 Mon Sep 17 00:00:00 2001
From: Zi Yan <ziy(a)nvidia.com>
Date: Fri, 9 Aug 2024 10:59:05 -0400
Subject: [PATCH] mm/numa: no task_numa_fault() call if PMD is changed

When handling a numa page fault, task_numa_fault() should be called by a
process that restores the page table of the faulted folio to avoid
duplicated stats counting. Commit c5b5a3dd2c1f ("mm: thp: refactor NUMA
fault handling") restructured do_huge_pmd_numa_page() and did not avoid
task_numa_fault() call in the second page table check after a numa
migration failure. Fix it by making all !pmd_same() return immediately.

This issue can cause task_numa_fault() being called more than necessary
and lead to unexpected numa balancing results (It is hard to tell whether
the issue will cause positive or negative performance impact due to
duplicated numa fault counting).

Link: https://lkml.kernel.org/r/20240809145906.1513458-3-ziy@nvidia.com
Fixes: c5b5a3dd2c1f ("mm: thp: refactor NUMA fault handling")
Reported-by: "Huang, Ying" <ying.huang(a)intel.com>
Closes: https://lore.kernel.org/linux-mm/87zfqfw0yw.fsf@yhuang6-desk2.ccr.corp.inte…
Signed-off-by: Zi Yan <ziy(a)nvidia.com>
Acked-by: David Hildenbrand <david(a)redhat.com>
Cc: Baolin Wang <baolin.wang(a)linux.alibaba.com>
Cc: "Huang, Ying" <ying.huang(a)intel.com>
Cc: Kefeng Wang <wangkefeng.wang(a)huawei.com>
Cc: Mel Gorman <mgorman(a)suse.de>
Cc: Yang Shi <shy828301(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index f4be468e06a4..67c86a5d64a6 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1685,7 +1685,7 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf)
 	vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
 	if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
 		spin_unlock(vmf->ptl);
-		goto out;
+		return 0;
 	}
 
 	pmd = pmd_modify(oldpmd, vma->vm_page_prot);
@@ -1728,22 +1728,16 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf)
 	if (!migrate_misplaced_folio(folio, vma, target_nid)) {
 		flags |= TNF_MIGRATED;
 		nid = target_nid;
-	} else {
-		flags |= TNF_MIGRATE_FAIL;
-		vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
-		if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
-			spin_unlock(vmf->ptl);
-			goto out;
-		}
-		goto out_map;
+		task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags);
+		return 0;
 	}
 
-out:
-	if (nid != NUMA_NO_NODE)
-		task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags);
-
-	return 0;
-
+	flags |= TNF_MIGRATE_FAIL;
+	vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
+	if (unlikely(!pmd_same(oldpmd, *vmf->pmd))) {
+		spin_unlock(vmf->ptl);
+		return 0;
+	}
 out_map:
 	/* Restore the PMD */
 	pmd = pmd_modify(oldpmd, vma->vm_page_prot);
@@ -1753,7 +1747,10 @@ vm_fault_t do_huge_pmd_numa_page(struct vm_fault *vmf)
 	set_pmd_at(vma->vm_mm, haddr, vmf->pmd, pmd);
 	update_mmu_cache_pmd(vma, vmf->address, vmf->pmd);
 	spin_unlock(vmf->ptl);
-	goto out;
+
+	if (nid != NUMA_NO_NODE)
+		task_numa_fault(last_cpupid, nid, HPAGE_PMD_NR, flags);
+	return 0;
 }
 
 /*

